From nobody Wed Apr 15 02:54:32 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id D5E09C19F28 for ; Wed, 27 Jul 2022 16:37:03 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S238563AbiG0QhB (ORCPT ); Wed, 27 Jul 2022 12:37:01 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:46644 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S238237AbiG0QfR (ORCPT ); Wed, 27 Jul 2022 12:35:17 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 311FE56BA9; Wed, 27 Jul 2022 09:27:46 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id CFC2661A08; Wed, 27 Jul 2022 16:27:46 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id DE6C3C433D7; Wed, 27 Jul 2022 16:27:45 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1658939266; bh=/pJZDdtSjLMYmjrj2iJ114/3Aq098YfIz1ke9k5SAXk=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=BZKTiLkidI0nE/sgphZ2kqEzQeN1v/JcyZGzUZrl4no7wufuKxbJUSUYhjHNQr6uy 6S1iwHiqWn36f/g8mZhCRyCo3olpw+FBhHR4SaOOqcnUN4xFwgyqJS0k8HViSdkkAh PXnMpfDEvYaO/rvdDem3td8hG2gf2sM08yhZB1Ao= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Fabien Dessenne , Linus Walleij Subject: [PATCH 5.4 01/87] pinctrl: stm32: fix optional IRQ support to gpios Date: Wed, 27 Jul 2022 18:09:54 +0200 Message-Id: <20220727161009.047532692@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220727161008.993711844@linuxfoundation.org> References: <20220727161008.993711844@linuxfoundation.org> User-Agent: quilt/0.66 X-stable: review X-Patchwork-Hint: ignore MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Fabien Dessenne commit a1d4ef1adf8bbd302067534ead671a94759687ed upstream. To act as an interrupt controller, a gpio bank relies on the "interrupt-parent" of the pin controller. When this optional "interrupt-parent" misses, do not create any IRQ domain. This fixes a "NULL pointer in stm32_gpio_domain_alloc()" kernel crash when the interrupt-parent =3D property is not declared in the Device Tree. Fixes: 0eb9f683336d ("pinctrl: Add IRQ support to STM32 gpios") Signed-off-by: Fabien Dessenne Link: https://lore.kernel.org/r/20220627142350.742973-1-fabien.dessenne@fos= s.st.com Signed-off-by: Linus Walleij Signed-off-by: Greg Kroah-Hartman Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- drivers/pinctrl/stm32/pinctrl-stm32.c | 20 ++++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) --- a/drivers/pinctrl/stm32/pinctrl-stm32.c +++ b/drivers/pinctrl/stm32/pinctrl-stm32.c @@ -1215,15 +1215,17 @@ static int stm32_gpiolib_register_bank(s bank->bank_ioport_nr =3D bank_ioport_nr; spin_lock_init(&bank->lock); =20 - /* create irq hierarchical domain */ - bank->fwnode =3D of_node_to_fwnode(np); + if (pctl->domain) { + /* create irq hierarchical domain */ + bank->fwnode =3D of_node_to_fwnode(np); + + bank->domain =3D irq_domain_create_hierarchy(pctl->domain, 0, STM32_GPIO= _IRQ_LINE, + bank->fwnode, &stm32_gpio_domain_ops, + bank); =20 - bank->domain =3D irq_domain_create_hierarchy(pctl->domain, 0, - STM32_GPIO_IRQ_LINE, bank->fwnode, - &stm32_gpio_domain_ops, bank); - - if (!bank->domain) - return -ENODEV; + if (!bank->domain) + return -ENODEV; + } =20 err =3D gpiochip_add_data(&bank->gpio_chip, bank); if (err) { @@ -1393,6 +1395,8 @@ int stm32_pctl_probe(struct platform_dev pctl->domain =3D stm32_pctrl_get_irq_domain(np); if (IS_ERR(pctl->domain)) return PTR_ERR(pctl->domain); + if (!pctl->domain) + dev_warn(dev, "pinctrl without interrupt support\n"); =20 /* hwspinlock is optional */ hwlock_id =3D of_hwspin_lock_get_id(pdev->dev.of_node, 0); From nobody Wed Apr 15 02:54:32 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id F1E09C04A68 for ; Wed, 27 Jul 2022 16:37:26 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S238971AbiG0QhY (ORCPT ); Wed, 27 Jul 2022 12:37:24 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:47470 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S238514AbiG0Qfi (ORCPT ); Wed, 27 Jul 2022 12:35:38 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 42B1A4F67C; Wed, 27 Jul 2022 09:27:55 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 3029661A1E; Wed, 27 Jul 2022 16:27:52 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 3F991C433C1; Wed, 27 Jul 2022 16:27:51 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1658939271; bh=ioKXvpnEvVWDvJvsf5Jhoz5YlsC326vJT2NP/rjUhN4=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=mGk1FCYp8lxGz1g7F80xZRzyBcdu/6Gr8Vrh9PGGpAxp8+svhZn4aP3YTMNwq06vN Z6o+z4wdf3owPZ/2tP+iClYm/DueoMqdDfUnOsp/4tBP2g/TsFGzD/bTtb1KzTe4ZW WHedHKVBlbBIBrO3hpn4P1p6zba74FwuFD8yqLag= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Ben Dooks , Bin Meng , Palmer Dabbelt Subject: [PATCH 5.4 02/87] riscv: add as-options for modules with assembly compontents Date: Wed, 27 Jul 2022 18:09:55 +0200 Message-Id: <20220727161009.095522278@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220727161008.993711844@linuxfoundation.org> References: <20220727161008.993711844@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Ben Dooks commit c1f6eff304e4dfa4558b6a8c6b2d26a91db6c998 upstream. When trying to load modules built for RISC-V which include assembly files the kernel loader errors with "unexpected relocation type 'R_RISCV_ALIGN'" due to R_RISCV_ALIGN relocations being generated by the assembler. The R_RISCV_ALIGN relocations can be removed at the expense of code space by adding -mno-relax to gcc and as. In commit 7a8e7da42250138 ("RISC-V: Fixes to module loading") -mno-relax is added to the build variable KBUILD_CFLAGS_MODULE. See [1] for more info. The issue is that when kbuild builds a .S file, it invokes gcc with the -mno-relax flag, but this is not being passed through to the assembler. Adding -Wa,-mno-relax to KBUILD_AFLAGS_MODULE ensures that the assembler is invoked correctly. This may have now been fixed in gcc[2] and this addition should not stop newer gcc and as from working. [1] https://github.com/riscv/riscv-elf-psabi-doc/issues/183 [2] https://github.com/gcc-mirror/gcc/commit/3b0a7d624e64eeb81e4d5e8c62c46d= 86ef521857 Signed-off-by: Ben Dooks Reviewed-by: Bin Meng Link: https://lore.kernel.org/r/20220529152200.609809-1-ben.dooks@codethink= .co.uk Fixes: ab1ef68e5401 ("RISC-V: Add sections of PLT and GOT for kernel module= ") Cc: stable@vger.kernel.org Signed-off-by: Palmer Dabbelt Signed-off-by: Greg Kroah-Hartman Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- arch/riscv/Makefile | 1 + 1 file changed, 1 insertion(+) --- a/arch/riscv/Makefile +++ b/arch/riscv/Makefile @@ -74,6 +74,7 @@ ifeq ($(CONFIG_PERF_EVENTS),y) endif =20 KBUILD_CFLAGS_MODULE +=3D $(call cc-option,-mno-relax) +KBUILD_AFLAGS_MODULE +=3D $(call as-option,-Wa$(comma)-mno-relax) =20 # GCC versions that support the "-mstrict-align" option default to allowing # unaligned accesses. While unaligned accesses are explicitly allowed in = the From nobody Wed Apr 15 02:54:32 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7422BC04A68 for ; Wed, 27 Jul 2022 16:37:30 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S238365AbiG0Qh2 (ORCPT ); Wed, 27 Jul 2022 12:37:28 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:46382 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S238381AbiG0Qfm (ORCPT ); Wed, 27 Jul 2022 12:35:42 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 42E404F67E; Wed, 27 Jul 2022 09:27:55 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 98A3FB821B8; Wed, 27 Jul 2022 16:27:55 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id F400EC433C1; Wed, 27 Jul 2022 16:27:53 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1658939274; bh=ovd6V4NmZ+Qv5MuBP6kCDQrWTrx06853QQqr7hUwoBw=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=XILHpY9w2unSD3+XAkJ3++ErUDm7Znxt4/xtxCSr960ap1Av6ZZJDJSr/kVTT6T1b 0OJTX29ItEl7dC7C597iFcnvaLB4AOnDJC8cK8Vm+aShKTJi0rv/zlS+5ogsan5qNP LHw8JFF6+d9AvMhMepLuA9YuD7YTeHFZnaq9rVGU= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Ido Schimmel , Amit Cohen , Nicolas Dichtel , David Ahern , "David S. Miller" Subject: [PATCH 5.4 03/87] mlxsw: spectrum_router: Fix IPv4 nexthop gateway indication Date: Wed, 27 Jul 2022 18:09:56 +0200 Message-Id: <20220727161009.141332848@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220727161008.993711844@linuxfoundation.org> References: <20220727161008.993711844@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Ido Schimmel commit e5ec6a2513383fe2ecc2ee3b5f51d97acbbcd4d8 upstream. mlxsw needs to distinguish nexthops with a gateway from connected nexthops in order to write the former to the adjacency table of the device. The check used to rely on the fact that nexthops with a gateway have a 'link' scope whereas connected nexthops have a 'host' scope. This is no longer correct after commit 747c14307214 ("ip: fix dflt addr selection for connected nexthop"). Fix that by instead checking the address family of the gateway IP. This is a more direct way and also consistent with the IPv6 counterpart in mlxsw_sp_rt6_is_gateway(). Cc: stable@vger.kernel.org Fixes: 747c14307214 ("ip: fix dflt addr selection for connected nexthop") Fixes: 597cfe4fc339 ("nexthop: Add support for IPv4 nexthops") Signed-off-by: Ido Schimmel Reviewed-by: Amit Cohen Reviewed-by: Nicolas Dichtel Reviewed-by: David Ahern Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c +++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c @@ -3871,7 +3871,7 @@ static bool mlxsw_sp_fi_is_gateway(const { const struct fib_nh *nh =3D fib_info_nh(fi, 0); =20 - return nh->fib_nh_scope =3D=3D RT_SCOPE_LINK || + return nh->fib_nh_gw_family || mlxsw_sp_nexthop4_ipip_type(mlxsw_sp, nh, NULL); } From nobody Wed Apr 15 02:54:32 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 22F6BC04A68 for ; Wed, 27 Jul 2022 16:38:29 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S238997AbiG0Qi1 (ORCPT ); Wed, 27 Jul 2022 12:38:27 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:47510 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S238729AbiG0Qhk (ORCPT ); Wed, 27 Jul 2022 12:37:40 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id DA5414D80A; Wed, 27 Jul 2022 09:28:21 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id C430B61662; Wed, 27 Jul 2022 16:27:57 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id CEA94C433D6; Wed, 27 Jul 2022 16:27:56 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1658939277; bh=o5uo9H+aQK80HuhfKYBHekHvHmapsv5dz6+d7wV1KCs=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=UY7SFRpt1ydRyZ8TedtGwRdOL4g4ZfP3SbmDcKKNEIpxqKhvelxvgrYQUjHjupd3r 7DkGoetRfO3IE+dXLN37xKsC+IylFBhYQYyocQH3quZKr0PmqxwOfQtHyozjjpZL7j hAMn5Unkz0r3Sk7QG3RdMc62YfgXWRtZuTFuP6s0= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Eric Snowberg , Mimi Zohar , John Haxby , Linus Torvalds Subject: [PATCH 5.4 04/87] lockdown: Fix kexec lockdown bypass with ima policy Date: Wed, 27 Jul 2022 18:09:57 +0200 Message-Id: <20220727161009.182304198@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220727161008.993711844@linuxfoundation.org> References: <20220727161008.993711844@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Eric Snowberg commit 543ce63b664e2c2f9533d089a4664b559c3e6b5b upstream. The lockdown LSM is primarily used in conjunction with UEFI Secure Boot. This LSM may also be used on machines without UEFI. It can also be enabled when UEFI Secure Boot is disabled. One of lockdown's features is to prevent kexec from loading untrusted kernels. Lockdown can be enabled through a bootparam or after the kernel has booted through securityfs. If IMA appraisal is used with the "ima_appraise=3Dlog" boot param, lockdown can be defeated with kexec on any machine when Secure Boot is disabled or unavailable. IMA prevents setting "ima_appraise=3Dlog" from the boot param when Secure Boot is enabled, but this does not cover cases where lockdown is used without Secure Boot. To defeat lockdown, boot without Secure Boot and add ima_appraise=3Dlog to the kernel command line; then: $ echo "integrity" > /sys/kernel/security/lockdown $ echo "appraise func=3DKEXEC_KERNEL_CHECK appraise_type=3Dimasig" > \ /sys/kernel/security/ima/policy $ kexec -ls unsigned-kernel Add a call to verify ima appraisal is set to "enforce" whenever lockdown is enabled. This fixes CVE-2022-21505. Cc: stable@vger.kernel.org Fixes: 29d3c1c8dfe7 ("kexec: Allow kexec_file() with appropriate IMA policy= when locked down") Signed-off-by: Eric Snowberg Acked-by: Mimi Zohar Reviewed-by: John Haxby Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- security/integrity/ima/ima_policy.c | 4 ++++ 1 file changed, 4 insertions(+) --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -1542,6 +1542,10 @@ bool ima_appraise_signature(enum kernel_ if (id >=3D READING_MAX_ID) return false; =20 + if (id =3D=3D READING_KEXEC_IMAGE && !(ima_appraise & IMA_APPRAISE_ENFORC= E) + && security_locked_down(LOCKDOWN_KEXEC)) + return false; + func =3D read_idmap[id] ?: FILE_CHECK; =20 rcu_read_lock(); From nobody Wed Apr 15 02:54:32 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 2744FC04A68 for ; Wed, 27 Jul 2022 16:37:35 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S239008AbiG0Qhd (ORCPT ); Wed, 27 Jul 2022 12:37:33 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:47664 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S238568AbiG0Qfz (ORCPT ); Wed, 27 Jul 2022 12:35:55 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id C98184F650; Wed, 27 Jul 2022 09:28:00 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 93F3B619D6; Wed, 27 Jul 2022 16:28:00 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 9B635C433C1; Wed, 27 Jul 2022 16:27:59 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1658939280; bh=siGqG7l3TpcM86MFdFURrDC/jDAk8NLgYG+Xpw4GclI=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=bqMWhJfSoPc4X7EkrPg8rvq8F3fyWLWzsJFvyWPRLix4FC5rQ3uayi9uD1YigDnF5 DXk11DQ/QSlIUiY9ETmFUdN2idHuK9NtTmnx+b/JxUTYOKqnCRzN6WmTngPH1izdOf hdGK7vCQ+udwMJXo1kUqq9iiUmpKLn8MPswIH6JY= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Juergen Gross , Demi Marie Obenour , Oleksandr Tyshchenko Subject: [PATCH 5.4 05/87] xen/gntdev: Ignore failure to unmap INVALID_GRANT_HANDLE Date: Wed, 27 Jul 2022 18:09:58 +0200 Message-Id: <20220727161009.223111489@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220727161008.993711844@linuxfoundation.org> References: <20220727161008.993711844@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Demi Marie Obenour commit 166d3863231667c4f64dee72b77d1102cdfad11f upstream. The error paths of gntdev_mmap() can call unmap_grant_pages() even though not all of the pages have been successfully mapped. This will trigger the WARN_ON()s in __unmap_grant_pages_done(). The number of warnings can be very large; I have observed thousands of lines of warnings in the systemd journal. Avoid this problem by only warning on unmapping failure if the handle being unmapped is not INVALID_GRANT_HANDLE. The handle field of any page that was not successfully mapped will be INVALID_GRANT_HANDLE, so this catches all cases where unmapping can legitimately fail. Fixes: dbe97cff7dd9 ("xen/gntdev: Avoid blocking in unmap_grant_pages()") Cc: stable@vger.kernel.org Suggested-by: Juergen Gross Signed-off-by: Demi Marie Obenour Reviewed-by: Oleksandr Tyshchenko Reviewed-by: Juergen Gross Link: https://lore.kernel.org/r/20220710230522.1563-1-demi@invisiblethingsl= ab.com Signed-off-by: Juergen Gross Signed-off-by: Greg Kroah-Hartman Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- drivers/xen/gntdev.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) --- a/drivers/xen/gntdev.c +++ b/drivers/xen/gntdev.c @@ -413,7 +413,8 @@ static void __unmap_grant_pages_done(int unsigned int offset =3D data->unmap_ops - map->unmap_ops; =20 for (i =3D 0; i < data->count; i++) { - WARN_ON(map->unmap_ops[offset+i].status); + WARN_ON(map->unmap_ops[offset+i].status && + map->unmap_ops[offset+i].handle !=3D -1); pr_debug("unmap handle=3D%d st=3D%d\n", map->unmap_ops[offset+i].handle, map->unmap_ops[offset+i].status); From nobody Wed Apr 15 02:54:32 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id A7831C04A68 for ; Wed, 27 Jul 2022 16:37:44 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S238767AbiG0Qhl (ORCPT ); Wed, 27 Jul 2022 12:37:41 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:47208 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S238671AbiG0QgN (ORCPT ); Wed, 27 Jul 2022 12:36:13 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id D4CEC57203; Wed, 27 Jul 2022 09:28:06 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id E7B40B821BF; Wed, 27 Jul 2022 16:28:03 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 57043C433C1; Wed, 27 Jul 2022 16:28:02 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1658939282; bh=2tCyZDBo2+NNN2tEJUrj28tl7DflKJ3dwB9KJBN7mSk=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=Dv15Acuj/boHLuw3rx8kcpcrXdCRRaNk4RaM3x0eX+teVXbL1jbDamlgR4CioLVpE HH3IDNGtdvdvMCA4yXlSOnQJxKFWBo+GDJ4hy0e7/AFnmAIAFa0wcO2/hFcI9GfK34 rlvx+7i5KAZNnxokwR2+quSu/Bv5rJU6O3p1NcWM= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org, stable@vger.kernel.org Cc: Greg Kroah-Hartman , Jeffrey Hugo , Dexuan Cui , Wei Liu , Carl Vanderlip Subject: [PATCH 5.4 06/87] PCI: hv: Fix multi-MSI to allow more than one MSI vector Date: Wed, 27 Jul 2022 18:09:59 +0200 Message-Id: <20220727161009.262368559@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220727161008.993711844@linuxfoundation.org> References: <20220727161008.993711844@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Jeffrey Hugo commit 08e61e861a0e47e5e1a3fb78406afd6b0cea6b6d upstream. If the allocation of multiple MSI vectors for multi-MSI fails in the core PCI framework, the framework will retry the allocation as a single MSI vector, assuming that meets the min_vecs specified by the requesting driver. Hyper-V advertises that multi-MSI is supported, but reuses the VECTOR domain to implement that for x86. The VECTOR domain does not support multi-MSI, so the alloc will always fail and fallback to a single MSI allocation. In short, Hyper-V advertises a capability it does not implement. Hyper-V can support multi-MSI because it coordinates with the hypervisor to map the MSIs in the IOMMU's interrupt remapper, which is something the VECTOR domain does not have. Therefore the fix is simple - copy what the x86 IOMMU drivers (AMD/Intel-IR) do by removing X86_IRQ_ALLOC_CONTIGUOUS_VECTORS after calling the VECTOR domain's pci_msi_prepare(). 5.4 backport - adds the hv_msi_prepare wrapper function. X86_IRQ_ALLOC_TYPE_PCI_MSI changed to X86_IRQ_ALLOC_TYPE_MSI (same value). Fixes: 4daace0d8ce8 ("PCI: hv: Add paravirtual PCI front-end for Microsoft = Hyper-V VMs") Signed-off-by: Jeffrey Hugo Reviewed-by: Dexuan Cui Link: https://lore.kernel.org/r/1649856981-14649-1-git-send-email-quic_jhug= o@quicinc.com Signed-off-by: Wei Liu Signed-off-by: Carl Vanderlip Signed-off-by: Greg Kroah-Hartman Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- drivers/pci/controller/pci-hyperv.c | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) --- a/drivers/pci/controller/pci-hyperv.c +++ b/drivers/pci/controller/pci-hyperv.c @@ -1172,6 +1172,21 @@ static void hv_irq_mask(struct irq_data pci_msi_mask_irq(data); } =20 +static int hv_msi_prepare(struct irq_domain *domain, struct device *dev, + int nvec, msi_alloc_info_t *info) +{ + int ret =3D pci_msi_prepare(domain, dev, nvec, info); + + /* + * By using the interrupt remapper in the hypervisor IOMMU, contiguous + * CPU vectors is not needed for multi-MSI + */ + if (info->type =3D=3D X86_IRQ_ALLOC_TYPE_MSI) + info->flags &=3D ~X86_IRQ_ALLOC_CONTIGUOUS_VECTORS; + + return ret; +} + /** * hv_irq_unmask() - "Unmask" the IRQ by setting its current * affinity. @@ -1518,7 +1533,7 @@ static irq_hw_number_t hv_msi_domain_ops =20 static struct msi_domain_ops hv_msi_ops =3D { .get_hwirq =3D hv_msi_domain_ops_get_hwirq, - .msi_prepare =3D pci_msi_prepare, + .msi_prepare =3D hv_msi_prepare, .set_desc =3D pci_msi_set_desc, .msi_free =3D hv_msi_free, }; From nobody Wed Apr 15 02:54:32 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 33B5AC19F2B for ; Wed, 27 Jul 2022 16:37:52 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S239062AbiG0Qhu (ORCPT ); Wed, 27 Jul 2022 12:37:50 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:47210 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S238372AbiG0QgO (ORCPT ); Wed, 27 Jul 2022 12:36:14 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [145.40.68.75]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 0D92F57209; Wed, 27 Jul 2022 09:28:07 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id A17BDB821BC; Wed, 27 Jul 2022 16:28:06 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 0BE2FC433C1; Wed, 27 Jul 2022 16:28:04 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1658939285; bh=sEAb8857nDX1S4zPiUu/bn2DuWqrkyYRxLx0ObIrJNA=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=WFAd2h3rNr1xPhWsbGkVTYOAnqDmNaZOD37UnjiRzaLKc5Ys+mn3NoHvcWqJhQ7tE /r5h0ouC3G98tFQGtTwJ8J0wR4M/yywo+UX33UGR9MVgZbDPjF0of4Ofov8mwAH3V5 p8PAkKzbUSddTOwsaATkwmTvzgSXlQsAlN7eyfjk= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org, stable@vger.kernel.org Cc: Greg Kroah-Hartman , Jeffrey Hugo , Michael Kelley , Wei Liu , Carl Vanderlip Subject: [PATCH 5.4 07/87] PCI: hv: Fix hv_arch_irq_unmask() for multi-MSI Date: Wed, 27 Jul 2022 18:10:00 +0200 Message-Id: <20220727161009.304825411@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220727161008.993711844@linuxfoundation.org> References: <20220727161008.993711844@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Jeffrey Hugo commit 455880dfe292a2bdd3b4ad6a107299fce610e64b upstream. In the multi-MSI case, hv_arch_irq_unmask() will only operate on the first MSI of the N allocated. This is because only the first msi_desc is cached and it is shared by all the MSIs of the multi-MSI block. This means that hv_arch_irq_unmask() gets the correct address, but the wrong data (always 0). This can break MSIs. Lets assume MSI0 is vector 34 on CPU0, and MSI1 is vector 33 on CPU0. hv_arch_irq_unmask() is called on MSI0. It uses a hypercall to configure the MSI address and data (0) to vector 34 of CPU0. This is correct. Then hv_arch_irq_unmask is called on MSI1. It uses another hypercall to configure the MSI address and data (0) to vector 33 of CPU0. This is wrong, and results in both MSI0 and MSI1 being routed to vector 33. Linux will observe extra instances of MSI1 and no instances of MSI0 despite the endpoint device behaving correctly. For the multi-MSI case, we need unique address and data info for each MSI, but the cached msi_desc does not provide that. However, that information can be gotten from the int_desc cached in the chip_data by compose_msi_msg(). Fix the multi-MSI case to use that cached information instead. Since hv_set_msi_entry_from_desc() is no longer applicable, remove it. 5.4 backport - hv_set_msi_entry_from_desc doesn't exist to be removed. msi_desc replaces msi_entry for location int_desc is written to. Signed-off-by: Jeffrey Hugo Reviewed-by: Michael Kelley Link: https://lore.kernel.org/r/1651068453-29588-1-git-send-email-quic_jhug= o@quicinc.com Signed-off-by: Wei Liu Signed-off-by: Carl Vanderlip Signed-off-by: Greg Kroah-Hartman Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- drivers/pci/controller/pci-hyperv.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) --- a/drivers/pci/controller/pci-hyperv.c +++ b/drivers/pci/controller/pci-hyperv.c @@ -1202,6 +1202,7 @@ static void hv_irq_unmask(struct irq_dat struct msi_desc *msi_desc =3D irq_data_get_msi_desc(data); struct irq_cfg *cfg =3D irqd_cfg(data); struct retarget_msi_interrupt *params; + struct tran_int_desc *int_desc; struct hv_pcibus_device *hbus; struct cpumask *dest; cpumask_var_t tmp; @@ -1216,6 +1217,7 @@ static void hv_irq_unmask(struct irq_dat pdev =3D msi_desc_to_pci_dev(msi_desc); pbus =3D pdev->bus; hbus =3D container_of(pbus->sysdata, struct hv_pcibus_device, sysdata); + int_desc =3D data->chip_data; =20 spin_lock_irqsave(&hbus->retarget_msi_interrupt_lock, flags); =20 @@ -1223,8 +1225,8 @@ static void hv_irq_unmask(struct irq_dat memset(params, 0, sizeof(*params)); params->partition_id =3D HV_PARTITION_ID_SELF; params->int_entry.source =3D 1; /* MSI(-X) */ - params->int_entry.address =3D msi_desc->msg.address_lo; - params->int_entry.data =3D msi_desc->msg.data; + params->int_entry.address =3D int_desc->address & 0xffffffff; + params->int_entry.data =3D int_desc->data; params->device_id =3D (hbus->hdev->dev_instance.b[5] << 24) | (hbus->hdev->dev_instance.b[4] << 16) | (hbus->hdev->dev_instance.b[7] << 8) | From nobody Wed Apr 15 02:54:32 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 9D37CC04A68 for ; Wed, 27 Jul 2022 16:38:55 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S238519AbiG0Qix (ORCPT ); Wed, 27 Jul 2022 12:38:53 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:58178 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S239127AbiG0QiR (ORCPT ); Wed, 27 Jul 2022 12:38:17 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [145.40.68.75]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 43EBF5727E; Wed, 27 Jul 2022 09:28:31 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 905EBB821B8; Wed, 27 Jul 2022 16:28:09 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id BADE9C433D6; Wed, 27 Jul 2022 16:28:07 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1658939288; bh=IpOo+pRYRlEAnKYKJwilqhsyqDHlsRNa311t/c7HpO4=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=MAJ0DXHwZUdAZXL9yJlmWIqTH1/gnvwp3WIZc+FvpLcjJxdcx0QxSQoBcV7PZQI7y 54bTGjLeE9xlzi8iuc7kW6Lud7ggpJnkfhv36LlmbQ4wQjv9MMFrlT1Yyjl2DIy2oW tZW9SrCskRlJSshapw/7cvs2VhJYzBO+ByAxGgls= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org, stable@vger.kernel.org Cc: Greg Kroah-Hartman , Jeffrey Hugo , Dexuan Cui , Michael Kelley , Wei Liu , Carl Vanderlip Subject: [PATCH 5.4 08/87] PCI: hv: Reuse existing IRTE allocation in compose_msi_msg() Date: Wed, 27 Jul 2022 18:10:01 +0200 Message-Id: <20220727161009.353713651@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220727161008.993711844@linuxfoundation.org> References: <20220727161008.993711844@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Jeffrey Hugo commit b4b77778ecc5bfbd4e77de1b2fd5c1dd3c655f1f upstream. Currently if compose_msi_msg() is called multiple times, it will free any previous IRTE allocation, and generate a new allocation. While nothing prevents this from occurring, it is extraneous when Linux could just reuse the existing allocation and avoid a bunch of overhead. However, when future IRTE allocations operate on blocks of MSIs instead of a single line, freeing the allocation will impact all of the lines. This could cause an issue where an allocation of N MSIs occurs, then some of the lines are retargeted, and finally the allocation is freed/reallocated. The freeing of the allocation removes all of the configuration for the entire block, which requires all the lines to be retargeted, which might not happen since some lines might already be unmasked/active. Signed-off-by: Jeffrey Hugo Reviewed-by: Dexuan Cui Tested-by: Dexuan Cui Tested-by: Michael Kelley Link: https://lore.kernel.org/r/1652282582-21595-1-git-send-email-quic_jhug= o@quicinc.com Signed-off-by: Wei Liu Signed-off-by: Carl Vanderlip Signed-off-by: Greg Kroah-Hartman Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- drivers/pci/controller/pci-hyperv.c | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) --- a/drivers/pci/controller/pci-hyperv.c +++ b/drivers/pci/controller/pci-hyperv.c @@ -1387,6 +1387,15 @@ static void hv_compose_msi_msg(struct ir u32 size; int ret; =20 + /* Reuse the previous allocation */ + if (data->chip_data) { + int_desc =3D data->chip_data; + msg->address_hi =3D int_desc->address >> 32; + msg->address_lo =3D int_desc->address & 0xffffffff; + msg->data =3D int_desc->data; + return; + } + pdev =3D msi_desc_to_pci_dev(irq_data_get_msi_desc(data)); dest =3D irq_data_get_effective_affinity_mask(data); pbus =3D pdev->bus; @@ -1395,13 +1404,6 @@ static void hv_compose_msi_msg(struct ir if (!hpdev) goto return_null_message; =20 - /* Free any previous message that might have already been composed. */ - if (data->chip_data) { - int_desc =3D data->chip_data; - data->chip_data =3D NULL; - hv_int_desc_free(hpdev, int_desc); - } - int_desc =3D kzalloc(sizeof(*int_desc), GFP_ATOMIC); if (!int_desc) goto drop_reference; From nobody Wed Apr 15 02:54:32 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id DF71AC19F2B for ; Wed, 27 Jul 2022 16:38:01 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S239085AbiG0QiA (ORCPT ); Wed, 27 Jul 2022 12:38:00 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:47654 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S238535AbiG0Qg7 (ORCPT ); Wed, 27 Jul 2022 12:36:59 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 2D08057230; Wed, 27 Jul 2022 09:28:12 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id E685F617F2; Wed, 27 Jul 2022 16:28:11 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id CB10CC433D6; Wed, 27 Jul 2022 16:28:10 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1658939291; bh=YfmTqNI3tTK0SChiA4BqqgiN/t5quimciEuF2M5o5Yo=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=eXETW20jywI65LWCAOFtCqufh9jhMJt/bhUJY4GZHUklumZCZMSeCR3YVkOsgybpv lKve5l3qzidkXJPEGxsdT5Da9WLs6SqGO0n0bNrXzYgauFDxlQqgTTcWGSNa6K/BpH fnHJdmyi+4dLzZEWJqwrhSO4YcdMKkr+Bp8NfDxU= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org, stable@vger.kernel.org Cc: Greg Kroah-Hartman , Dexuan Cui , Jeffrey Hugo , Michael Kelley , Wei Liu , Carl Vanderlip Subject: [PATCH 5.4 09/87] PCI: hv: Fix interrupt mapping for multi-MSI Date: Wed, 27 Jul 2022 18:10:02 +0200 Message-Id: <20220727161009.393555877@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220727161008.993711844@linuxfoundation.org> References: <20220727161008.993711844@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Jeffrey Hugo commit a2bad844a67b1c7740bda63e87453baf63c3a7f7 upstream. According to Dexuan, the hypervisor folks beleive that multi-msi allocations are not correct. compose_msi_msg() will allocate multi-msi one by one. However, multi-msi is a block of related MSIs, with alignment requirements. In order for the hypervisor to allocate properly aligned and consecutive entries in the IOMMU Interrupt Remapping Table, there should be a single mapping request that requests all of the multi-msi vectors in one shot. Dexuan suggests detecting the multi-msi case and composing a single request related to the first MSI. Then for the other MSIs in the same block, use the cached information. This appears to be viable, so do it. 5.4 backport - add hv_msi_get_int_vector helper function. Fixed merge conflict due to delivery_mode name change (APIC_DELIVERY_MODE_FIXED is the value given to dest_Fixed). Removed unused variable in hv_compose_msi_msg. Fixed reference to msi_desc->pci to point to the same is_msix variable. Removed changes to compose_msi_req_v3 since it doesn't exist yet. Suggested-by: Dexuan Cui Signed-off-by: Jeffrey Hugo Reviewed-by: Dexuan Cui Tested-by: Michael Kelley Link: https://lore.kernel.org/r/1652282599-21643-1-git-send-email-quic_jhug= o@quicinc.com Signed-off-by: Wei Liu Signed-off-by: Carl Vanderlip Signed-off-by: Greg Kroah-Hartman Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- drivers/pci/controller/pci-hyperv.c | 61 +++++++++++++++++++++++++++++++= ----- 1 file changed, 53 insertions(+), 8 deletions(-) --- a/drivers/pci/controller/pci-hyperv.c +++ b/drivers/pci/controller/pci-hyperv.c @@ -1110,6 +1110,10 @@ static void hv_int_desc_free(struct hv_p u8 buffer[sizeof(struct pci_delete_interrupt)]; } ctxt; =20 + if (!int_desc->vector_count) { + kfree(int_desc); + return; + } memset(&ctxt, 0, sizeof(ctxt)); int_pkt =3D (struct pci_delete_interrupt *)&ctxt.pkt.message; int_pkt->message_type.type =3D @@ -1172,6 +1176,13 @@ static void hv_irq_mask(struct irq_data pci_msi_mask_irq(data); } =20 +static unsigned int hv_msi_get_int_vector(struct irq_data *data) +{ + struct irq_cfg *cfg =3D irqd_cfg(data); + + return cfg->vector; +} + static int hv_msi_prepare(struct irq_domain *domain, struct device *dev, int nvec, msi_alloc_info_t *info) { @@ -1313,12 +1324,12 @@ static void hv_pci_compose_compl(void *c =20 static u32 hv_compose_msi_req_v1( struct pci_create_interrupt *int_pkt, struct cpumask *affinity, - u32 slot, u8 vector) + u32 slot, u8 vector, u8 vector_count) { int_pkt->message_type.type =3D PCI_CREATE_INTERRUPT_MESSAGE; int_pkt->wslot.slot =3D slot; int_pkt->int_desc.vector =3D vector; - int_pkt->int_desc.vector_count =3D 1; + int_pkt->int_desc.vector_count =3D vector_count; int_pkt->int_desc.delivery_mode =3D dest_Fixed; =20 /* @@ -1332,14 +1343,14 @@ static u32 hv_compose_msi_req_v1( =20 static u32 hv_compose_msi_req_v2( struct pci_create_interrupt2 *int_pkt, struct cpumask *affinity, - u32 slot, u8 vector) + u32 slot, u8 vector, u8 vector_count) { int cpu; =20 int_pkt->message_type.type =3D PCI_CREATE_INTERRUPT_MESSAGE2; int_pkt->wslot.slot =3D slot; int_pkt->int_desc.vector =3D vector; - int_pkt->int_desc.vector_count =3D 1; + int_pkt->int_desc.vector_count =3D vector_count; int_pkt->int_desc.delivery_mode =3D dest_Fixed; =20 /* @@ -1367,7 +1378,6 @@ static u32 hv_compose_msi_req_v2( */ static void hv_compose_msi_msg(struct irq_data *data, struct msi_msg *msg) { - struct irq_cfg *cfg =3D irqd_cfg(data); struct hv_pcibus_device *hbus; struct hv_pci_dev *hpdev; struct pci_bus *pbus; @@ -1376,6 +1386,8 @@ static void hv_compose_msi_msg(struct ir unsigned long flags; struct compose_comp_ctxt comp; struct tran_int_desc *int_desc; + struct msi_desc *msi_desc; + u8 vector, vector_count; struct { struct pci_packet pci_pkt; union { @@ -1396,7 +1408,8 @@ static void hv_compose_msi_msg(struct ir return; } =20 - pdev =3D msi_desc_to_pci_dev(irq_data_get_msi_desc(data)); + msi_desc =3D irq_data_get_msi_desc(data); + pdev =3D msi_desc_to_pci_dev(msi_desc); dest =3D irq_data_get_effective_affinity_mask(data); pbus =3D pdev->bus; hbus =3D container_of(pbus->sysdata, struct hv_pcibus_device, sysdata); @@ -1408,6 +1421,36 @@ static void hv_compose_msi_msg(struct ir if (!int_desc) goto drop_reference; =20 + if (!msi_desc->msi_attrib.is_msix && msi_desc->nvec_used > 1) { + /* + * If this is not the first MSI of Multi MSI, we already have + * a mapping. Can exit early. + */ + if (msi_desc->irq !=3D data->irq) { + data->chip_data =3D int_desc; + int_desc->address =3D msi_desc->msg.address_lo | + (u64)msi_desc->msg.address_hi << 32; + int_desc->data =3D msi_desc->msg.data + + (data->irq - msi_desc->irq); + msg->address_hi =3D msi_desc->msg.address_hi; + msg->address_lo =3D msi_desc->msg.address_lo; + msg->data =3D int_desc->data; + put_pcichild(hpdev); + return; + } + /* + * The vector we select here is a dummy value. The correct + * value gets sent to the hypervisor in unmask(). This needs + * to be aligned with the count, and also not zero. Multi-msi + * is powers of 2 up to 32, so 32 will always work here. + */ + vector =3D 32; + vector_count =3D msi_desc->nvec_used; + } else { + vector =3D hv_msi_get_int_vector(data); + vector_count =3D 1; + } + memset(&ctxt, 0, sizeof(ctxt)); init_completion(&comp.comp_pkt.host_event); ctxt.pci_pkt.completion_func =3D hv_pci_compose_compl; @@ -1418,14 +1461,16 @@ static void hv_compose_msi_msg(struct ir size =3D hv_compose_msi_req_v1(&ctxt.int_pkts.v1, dest, hpdev->desc.win_slot.slot, - cfg->vector); + vector, + vector_count); break; =20 case PCI_PROTOCOL_VERSION_1_2: size =3D hv_compose_msi_req_v2(&ctxt.int_pkts.v2, dest, hpdev->desc.win_slot.slot, - cfg->vector); + vector, + vector_count); break; =20 default: From nobody Wed Apr 15 02:54:32 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 8D0A3C3F6B0 for ; Wed, 27 Jul 2022 16:38:25 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S239152AbiG0QiV (ORCPT ); Wed, 27 Jul 2022 12:38:21 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:47290 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S238379AbiG0Qhg (ORCPT ); Wed, 27 Jul 2022 12:37:36 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [145.40.68.75]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 6D6F94F6B7; Wed, 27 Jul 2022 09:28:19 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 574AFB821A6; Wed, 27 Jul 2022 16:27:50 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id AEDE6C433D7; Wed, 27 Jul 2022 16:27:48 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1658939269; bh=WtF9BKyztuDudarIy8lWa8uBbyXGJ5Wc6Q/lzCzgqR8=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=DS17Fi1yGp4eNpQEp0DI8T0qW6A9qwfw/9nXE6BOuKVyinBMQCI2EOrEXij93JFY9 Eds7+shP+wYuUALflsXQjzrVtR8NSCt8+MlCbamXDLZ12uB+YKfDCzw0k7jVvt4BEG QXtf+InspiSUTJ4V1bqxqfi/G12q9BWNIRcHLv2o= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, stable , =?UTF-8?q?Ilpo=20J=C3=A4rvinen?= , =?UTF-8?q?Pali=20Roh=C3=A1r?= Subject: [PATCH 5.4 10/87] serial: mvebu-uart: correctly report configured baudrate value Date: Wed, 27 Jul 2022 18:10:03 +0200 Message-Id: <20220727161009.434828786@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220727161008.993711844@linuxfoundation.org> References: <20220727161008.993711844@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Pali Roh=C3=A1r commit 4f532c1e25319e42996ec18a1f473fd50c8e575d upstream. Functions tty_termios_encode_baud_rate() and uart_update_timeout() should be called with the baudrate value which was set to hardware. Linux then report exact values via ioctl(TCGETS2) to userspace. Change mvebu_uart_baud_rate_set() function to return baudrate value which was set to hardware and propagate this value to above mentioned functions. With this change userspace would see precise value in termios c_ospeed field. Fixes: 68a0db1d7da2 ("serial: mvebu-uart: add function to change baudrate") Cc: stable Reviewed-by: Ilpo J=C3=A4rvinen Signed-off-by: Pali Roh=C3=A1r Link: https://lore.kernel.org/r/20220628100922.10717-1-pali@kernel.org Signed-off-by: Greg Kroah-Hartman Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- drivers/tty/serial/mvebu-uart.c | 25 +++++++++++++------------ 1 file changed, 13 insertions(+), 12 deletions(-) --- a/drivers/tty/serial/mvebu-uart.c +++ b/drivers/tty/serial/mvebu-uart.c @@ -443,13 +443,13 @@ static void mvebu_uart_shutdown(struct u } } =20 -static int mvebu_uart_baud_rate_set(struct uart_port *port, unsigned int b= aud) +static unsigned int mvebu_uart_baud_rate_set(struct uart_port *port, unsig= ned int baud) { unsigned int d_divisor, m_divisor; u32 brdv, osamp; =20 if (!port->uartclk) - return -EOPNOTSUPP; + return 0; =20 /* * The baudrate is derived from the UART clock thanks to two divisors: @@ -473,7 +473,7 @@ static int mvebu_uart_baud_rate_set(stru osamp &=3D ~OSAMP_DIVISORS_MASK; writel(osamp, port->membase + UART_OSAMP); =20 - return 0; + return DIV_ROUND_CLOSEST(port->uartclk, d_divisor * m_divisor); } =20 static void mvebu_uart_set_termios(struct uart_port *port, @@ -510,15 +510,11 @@ static void mvebu_uart_set_termios(struc max_baud =3D 230400; =20 baud =3D uart_get_baud_rate(port, termios, old, min_baud, max_baud); - if (mvebu_uart_baud_rate_set(port, baud)) { - /* No clock available, baudrate cannot be changed */ - if (old) - baud =3D uart_get_baud_rate(port, old, NULL, - min_baud, max_baud); - } else { - tty_termios_encode_baud_rate(termios, baud, baud); - uart_update_timeout(port, termios->c_cflag, baud); - } + baud =3D mvebu_uart_baud_rate_set(port, baud); + + /* In case baudrate cannot be changed, report previous old value */ + if (baud =3D=3D 0 && old) + baud =3D tty_termios_baud_rate(old); =20 /* Only the following flag changes are supported */ if (old) { @@ -529,6 +525,11 @@ static void mvebu_uart_set_termios(struc termios->c_cflag |=3D CS8; } =20 + if (baud !=3D 0) { + tty_termios_encode_baud_rate(termios, baud, baud); + uart_update_timeout(port, termios->c_cflag, baud); + } + spin_unlock_irqrestore(&port->lock, flags); } =20 From nobody Wed Apr 15 02:54:32 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id BC051C04A68 for ; Wed, 27 Jul 2022 16:42:34 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S239519AbiG0Qmd (ORCPT ); Wed, 27 Jul 2022 12:42:33 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:57188 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S239590AbiG0Qlw (ORCPT ); Wed, 27 Jul 2022 12:41:52 -0400 Received: from sin.source.kernel.org (sin.source.kernel.org [IPv6:2604:1380:40e1:4800::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 4ABDE5B7BE; Wed, 27 Jul 2022 09:29:52 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sin.source.kernel.org (Postfix) with ESMTPS id A83D4CE22FE; Wed, 27 Jul 2022 16:29:50 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id C1316C433C1; Wed, 27 Jul 2022 16:29:48 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1658939389; bh=UjxZAk7k9pMqhRRjQXpw7vtqX5SDNcwJryCCR9a2Fd8=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=Hs+Kdlcknb3Jwq0gi4goHR/8COtllEmbNvfMn78Uw7248d4VoD0DqELvW470QA0SG fVZIxaO5+0k6ej87FgijGUyMLGRuOJi3JlvLpkmTMvZ+zsNJMoNAk3gV8Ok4fefKCf wVpkbpTW+V9X3mL5m4RMYAIVZSklZ6TjbIPGCM3A= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Hangyu Hua , Steffen Klassert , Sasha Levin Subject: [PATCH 5.4 11/87] xfrm: xfrm_policy: fix a possible double xfrm_pols_put() in xfrm_bundle_lookup() Date: Wed, 27 Jul 2022 18:10:04 +0200 Message-Id: <20220727161009.470491139@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220727161008.993711844@linuxfoundation.org> References: <20220727161008.993711844@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Hangyu Hua [ Upstream commit f85daf0e725358be78dfd208dea5fd665d8cb901 ] xfrm_policy_lookup() will call xfrm_pol_hold_rcu() to get a refcount of pols[0]. This refcount can be dropped in xfrm_expand_policies() when xfrm_expand_policies() return error. pols[0]'s refcount is balanced in here. But xfrm_bundle_lookup() will also call xfrm_pols_put() with num_pols =3D=3D 1 to drop this refcount when xfrm_expand_policies() return error. This patch also fix an illegal address access. pols[0] will save a error point when xfrm_policy_lookup fails. This lead to xfrm_pols_put to resolve an illegal address in xfrm_bundle_lookup's error path. Fix these by setting num_pols =3D 0 in xfrm_expand_policies()'s error path. Fixes: 80c802f3073e ("xfrm: cache bundles instead of policies for outgoing = flows") Signed-off-by: Hangyu Hua Signed-off-by: Steffen Klassert Signed-off-by: Sasha Levin Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- net/xfrm/xfrm_policy.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c index 3ecb77c58c44..28a8cdef8e51 100644 --- a/net/xfrm/xfrm_policy.c +++ b/net/xfrm/xfrm_policy.c @@ -2679,8 +2679,10 @@ static int xfrm_expand_policies(const struct flowi *= fl, u16 family, *num_xfrms =3D 0; return 0; } - if (IS_ERR(pols[0])) + if (IS_ERR(pols[0])) { + *num_pols =3D 0; return PTR_ERR(pols[0]); + } =20 *num_xfrms =3D pols[0]->xfrm_nr; =20 @@ -2695,6 +2697,7 @@ static int xfrm_expand_policies(const struct flowi *f= l, u16 family, if (pols[1]) { if (IS_ERR(pols[1])) { xfrm_pols_put(pols, *num_pols); + *num_pols =3D 0; return PTR_ERR(pols[1]); } (*num_pols)++; --=20 2.35.1 From nobody Wed Apr 15 02:54:32 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 555ADC3F6B0 for ; Wed, 27 Jul 2022 16:38:18 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S239020AbiG0QiR (ORCPT ); Wed, 27 Jul 2022 12:38:17 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:47196 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S238978AbiG0Qh1 (ORCPT ); Wed, 27 Jul 2022 12:37:27 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id CF51C4D4C6; Wed, 27 Jul 2022 09:28:18 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 4EBF3B821C6; Wed, 27 Jul 2022 16:28:18 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 90DCFC433D6; Wed, 27 Jul 2022 16:28:16 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1658939296; bh=jsF4LpQm777PxNt5/h+cNChfYSEvUrbp0KZNEszQamk=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=fje+8hyT/turBQv0zYzffwl5sD8bODcydM1zrSfBLr/fzNdJ+zb5rl6XICb0sNF8H m/P1D5bUgrD0Yaz3uIdATtXYLdbCiT4r499u/sNq6PbiGLD0XHlbqGGcC3hwtHgDJV HUocuAwB5BVTR8B58S130CKJTfpi4dqY8ESi3Bu8= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Miaoqian Lin , Linus Walleij , Sebastian Reichel , Sasha Levin Subject: [PATCH 5.4 12/87] power/reset: arm-versatile: Fix refcount leak in versatile_reboot_probe Date: Wed, 27 Jul 2022 18:10:05 +0200 Message-Id: <20220727161009.505251459@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220727161008.993711844@linuxfoundation.org> References: <20220727161008.993711844@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Miaoqian Lin [ Upstream commit 80192eff64eee9b3bc0594a47381937b94b9d65a ] of_find_matching_node_and_match() returns a node pointer with refcount incremented, we should use of_node_put() on it when not need anymore. Add missing of_node_put() to avoid refcount leak. Fixes: 0e545f57b708 ("power: reset: driver for the Versatile syscon reboot") Signed-off-by: Miaoqian Lin Reviewed-by: Linus Walleij Signed-off-by: Sebastian Reichel Signed-off-by: Sasha Levin Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- drivers/power/reset/arm-versatile-reboot.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/power/reset/arm-versatile-reboot.c b/drivers/power/res= et/arm-versatile-reboot.c index 08d0a07b58ef..c7624d7611a7 100644 --- a/drivers/power/reset/arm-versatile-reboot.c +++ b/drivers/power/reset/arm-versatile-reboot.c @@ -146,6 +146,7 @@ static int __init versatile_reboot_probe(void) versatile_reboot_type =3D (enum versatile_reboot)reboot_id->data; =20 syscon_regmap =3D syscon_node_to_regmap(np); + of_node_put(np); if (IS_ERR(syscon_regmap)) return PTR_ERR(syscon_regmap); =20 --=20 2.35.1 From nobody Wed Apr 15 02:54:32 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 0ED72C04A68 for ; Wed, 27 Jul 2022 16:39:56 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S239194AbiG0Qjy (ORCPT ); Wed, 27 Jul 2022 12:39:54 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51226 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S239370AbiG0QjN (ORCPT ); Wed, 27 Jul 2022 12:39:13 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id DCB725A2D2; Wed, 27 Jul 2022 09:28:49 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 5F444B821A6; Wed, 27 Jul 2022 16:28:49 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id C602CC433C1; Wed, 27 Jul 2022 16:28:47 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1658939328; bh=fZCRhPWBOFQUBqV5FF//jX1LfJGFpbtLedILZSXCl8U=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=Qmi6dzNKf6OSxCEqJQb+bl02DlNWkf2WxwSfOHFNT5PDLMQY1LhWZCYsnzYX3QP4S 81geYRO94Fkn+txAyN2ju5PQIuuGFT0M8sGfBFwIdT5FUV0DDlYhu/IM58tz3QOf8a 5SXFXvsWiSVoTXB6dIy/RRbgsDMuihNNzI2J+Z/U= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Hacash Robot , William Dean , Linus Walleij , Sasha Levin Subject: [PATCH 5.4 13/87] pinctrl: ralink: Check for null return of devm_kcalloc Date: Wed, 27 Jul 2022 18:10:06 +0200 Message-Id: <20220727161009.535088850@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220727161008.993711844@linuxfoundation.org> References: <20220727161008.993711844@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: William Dean [ Upstream commit c3b821e8e406d5650e587b7ac624ac24e9b780a8 ] Because of the possible failure of the allocation, data->domains might be NULL pointer and will cause the dereference of the NULL pointer later. Therefore, it might be better to check it and directly return -ENOMEM without releasing data manually if fails, because the comment of the devm_kmalloc() says "Memory allocated with this function is automatically freed on driver detach.". Fixes: a86854d0c599b ("treewide: devm_kzalloc() -> devm_kcalloc()") Reported-by: Hacash Robot Signed-off-by: William Dean Link: https://lore.kernel.org/r/20220710154922.2610876-1-williamsukatube@16= 3.com Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- drivers/staging/mt7621-pinctrl/pinctrl-rt2880.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/staging/mt7621-pinctrl/pinctrl-rt2880.c b/drivers/stag= ing/mt7621-pinctrl/pinctrl-rt2880.c index 0ba4e4e070a9..7cfbdfb10e23 100644 --- a/drivers/staging/mt7621-pinctrl/pinctrl-rt2880.c +++ b/drivers/staging/mt7621-pinctrl/pinctrl-rt2880.c @@ -267,6 +267,8 @@ static int rt2880_pinmux_pins(struct rt2880_priv *p) p->func[i]->pin_count, sizeof(int), GFP_KERNEL); + if (!p->func[i]->pins) + return -ENOMEM; for (j =3D 0; j < p->func[i]->pin_count; j++) p->func[i]->pins[j] =3D p->func[i]->pin_first + j; =20 --=20 2.35.1 From nobody Wed Apr 15 02:54:32 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 66BEEC04A68 for ; Wed, 27 Jul 2022 16:41:30 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S239391AbiG0Ql2 (ORCPT ); Wed, 27 Jul 2022 12:41:28 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:59000 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S239083AbiG0Qkt (ORCPT ); Wed, 27 Jul 2022 12:40:49 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id E687950719; Wed, 27 Jul 2022 09:29:22 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 4279061A1E; Wed, 27 Jul 2022 16:29:19 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 4B44BC433D6; Wed, 27 Jul 2022 16:29:18 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1658939358; bh=YijPZ68MmYjmvGcAtKwKig+KpthlQqiRwWCwNSrBIk8=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=ZRoU+TUYClnLQ5qt3Qt8/c9yw6qs6BO5HeidLTWJaOHfbCMARc8BHLqgOUh1pR95b 7nGWwHJ+f9aii3QCFyEnTB14ZHigyksFM9gWK//4dgDY2kdi8bw12BhhtZuYB/oANx i+NRYQq9EHRHnvxtdXztCABGavQbFWwZAM5rj/4o= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Yang Jihong , "Peter Zijlstra (Intel)" , Sasha Levin Subject: [PATCH 5.4 14/87] perf/core: Fix data race between perf_event_set_output() and perf_mmap_close() Date: Wed, 27 Jul 2022 18:10:07 +0200 Message-Id: <20220727161009.585995386@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220727161008.993711844@linuxfoundation.org> References: <20220727161008.993711844@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Peter Zijlstra [ Upstream commit 68e3c69803dada336893640110cb87221bb01dcf ] Yang Jihing reported a race between perf_event_set_output() and perf_mmap_close(): CPU1 CPU2 perf_mmap_close(e2) if (atomic_dec_and_test(&e2->rb->mmap_count)) // 1 - > 0 detach_rest =3D true ioctl(e1, IOC_SET_OUTPUT, e2) perf_event_set_output(e1, e2) ... list_for_each_entry_rcu(e, &e2->rb->event_list, rb_entry) ring_buffer_attach(e, NULL); // e1 isn't yet added and // therefore not detached ring_buffer_attach(e1, e2->rb) list_add_rcu(&e1->rb_entry, &e2->rb->event_list) After this; e1 is attached to an unmapped rb and a subsequent perf_mmap() will loop forever more: again: mutex_lock(&e->mmap_mutex); if (event->rb) { ... if (!atomic_inc_not_zero(&e->rb->mmap_count)) { ... mutex_unlock(&e->mmap_mutex); goto again; } } The loop in perf_mmap_close() holds e2->mmap_mutex, while the attach in perf_event_set_output() holds e1->mmap_mutex. As such there is no serialization to avoid this race. Change perf_event_set_output() to take both e1->mmap_mutex and e2->mmap_mutex to alleviate that problem. Additionally, have the loop in perf_mmap() detach the rb directly, this avoids having to wait for the concurrent perf_mmap_close() to get around to doing it to make progress. Fixes: 9bb5d40cd93c ("perf: Fix mmap() accounting hole") Reported-by: Yang Jihong Signed-off-by: Peter Zijlstra (Intel) Tested-by: Yang Jihong Link: https://lkml.kernel.org/r/YsQ3jm2GR38SW7uD@worktop.programming.kicks-= ass.net Signed-off-by: Sasha Levin Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- kernel/events/core.c | 45 ++++++++++++++++++++++++++++++-------------- 1 file changed, 31 insertions(+), 14 deletions(-) diff --git a/kernel/events/core.c b/kernel/events/core.c index 8336dcb2bd43..0a54780e0942 100644 --- a/kernel/events/core.c +++ b/kernel/events/core.c @@ -5819,10 +5819,10 @@ static int perf_mmap(struct file *file, struct vm_a= rea_struct *vma) =20 if (!atomic_inc_not_zero(&event->rb->mmap_count)) { /* - * Raced against perf_mmap_close() through - * perf_event_set_output(). Try again, hope for better - * luck. + * Raced against perf_mmap_close(); remove the + * event and try again. */ + ring_buffer_attach(event, NULL); mutex_unlock(&event->mmap_mutex); goto again; } @@ -10763,14 +10763,25 @@ static int perf_copy_attr(struct perf_event_attr = __user *uattr, goto out; } =20 +static void mutex_lock_double(struct mutex *a, struct mutex *b) +{ + if (b < a) + swap(a, b); + + mutex_lock(a); + mutex_lock_nested(b, SINGLE_DEPTH_NESTING); +} + static int perf_event_set_output(struct perf_event *event, struct perf_event *output_= event) { struct ring_buffer *rb =3D NULL; int ret =3D -EINVAL; =20 - if (!output_event) + if (!output_event) { + mutex_lock(&event->mmap_mutex); goto set; + } =20 /* don't allow circular references */ if (event =3D=3D output_event) @@ -10808,8 +10819,15 @@ perf_event_set_output(struct perf_event *event, st= ruct perf_event *output_event) event->pmu !=3D output_event->pmu) goto out; =20 + /* + * Hold both mmap_mutex to serialize against perf_mmap_close(). Since + * output_event is already on rb->event_list, and the list iteration + * restarts after every removal, it is guaranteed this new event is + * observed *OR* if output_event is already removed, it's guaranteed we + * observe !rb->mmap_count. + */ + mutex_lock_double(&event->mmap_mutex, &output_event->mmap_mutex); set: - mutex_lock(&event->mmap_mutex); /* Can't redirect output if we've got an active mmap() */ if (atomic_read(&event->mmap_count)) goto unlock; @@ -10819,6 +10837,12 @@ perf_event_set_output(struct perf_event *event, st= ruct perf_event *output_event) rb =3D ring_buffer_get(output_event); if (!rb) goto unlock; + + /* did we race against perf_mmap_close() */ + if (!atomic_read(&rb->mmap_count)) { + ring_buffer_put(rb); + goto unlock; + } } =20 ring_buffer_attach(event, rb); @@ -10826,20 +10850,13 @@ perf_event_set_output(struct perf_event *event, s= truct perf_event *output_event) ret =3D 0; unlock: mutex_unlock(&event->mmap_mutex); + if (output_event) + mutex_unlock(&output_event->mmap_mutex); =20 out: return ret; } =20 -static void mutex_lock_double(struct mutex *a, struct mutex *b) -{ - if (b < a) - swap(a, b); - - mutex_lock(a); - mutex_lock_nested(b, SINGLE_DEPTH_NESTING); -} - static int perf_event_set_clock(struct perf_event *event, clockid_t clk_id) { bool nmi_safe =3D false; --=20 2.35.1 From nobody Wed Apr 15 02:54:32 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 32B4BC19F2B for ; Wed, 27 Jul 2022 16:41:58 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S238736AbiG0Ql4 (ORCPT ); Wed, 27 Jul 2022 12:41:56 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:58212 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S239145AbiG0QlI (ORCPT ); Wed, 27 Jul 2022 12:41:08 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [145.40.68.75]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 32D924E623; Wed, 27 Jul 2022 09:29:34 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 9192BB821BC; Wed, 27 Jul 2022 16:29:33 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id B33DBC433C1; Wed, 27 Jul 2022 16:29:31 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1658939372; bh=Ie/6QvGoxKNOLhlHGeLDcRr4cP1nWvy+w+noycFWjNg=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=PXwVE7OdmypK5bWlPyLSTDNfQsxsrER6X9JNcK7XAySXry9EuzCc0uAmht2ztSrav kf6rsbELy1wwPf++7ZICYmGmX45go73hbwjk6m1l37ozWQJW8nK2GatYIEY3E7SD9o Oo9hcbUVed0tC+cLByuwbwyDRAqFBaO4p0w7AoTo= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Lennert Buytenhek , Naama Meir , Sasha Neftin , Tony Nguyen , Sasha Levin Subject: [PATCH 5.4 15/87] igc: Reinstate IGC_REMOVED logic and implement it properly Date: Wed, 27 Jul 2022 18:10:08 +0200 Message-Id: <20220727161009.617339738@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220727161008.993711844@linuxfoundation.org> References: <20220727161008.993711844@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Lennert Buytenhek [ Upstream commit 7c1ddcee5311f3315096217881d2dbe47cc683f9 ] The initially merged version of the igc driver code (via commit 146740f9abc4, "igc: Add support for PF") contained the following IGC_REMOVED checks in the igc_rd32/wr32() MMIO accessors: u32 igc_rd32(struct igc_hw *hw, u32 reg) { u8 __iomem *hw_addr =3D READ_ONCE(hw->hw_addr); u32 value =3D 0; if (IGC_REMOVED(hw_addr)) return ~value; value =3D readl(&hw_addr[reg]); /* reads should not return all F's */ if (!(~value) && (!reg || !(~readl(hw_addr)))) hw->hw_addr =3D NULL; return value; } And: #define wr32(reg, val) \ do { \ u8 __iomem *hw_addr =3D READ_ONCE((hw)->hw_addr); \ if (!IGC_REMOVED(hw_addr)) \ writel((val), &hw_addr[(reg)]); \ } while (0) E.g. igb has similar checks in its MMIO accessors, and has a similar macro E1000_REMOVED, which is implemented as follows: #define E1000_REMOVED(h) unlikely(!(h)) These checks serve to detect and take note of an 0xffffffff MMIO read return from the device, which can be caused by a PCIe link flap or some other kind of PCI bus error, and to avoid performing MMIO reads and writes from that point onwards. However, the IGC_REMOVED macro was not originally implemented: #ifndef IGC_REMOVED #define IGC_REMOVED(a) (0) #endif /* IGC_REMOVED */ This led to the IGC_REMOVED logic to be removed entirely in a subsequent commit (commit 3c215fb18e70, "igc: remove IGC_REMOVED function"), with the rationale that such checks matter only for virtualization and that igc does not support virtualization -- but a PCIe device can become detached even without virtualization being in use, and without proper checks, a PCIe bus error affecting an igc adapter will lead to various NULL pointer dereferences, as the first access after the error will set hw->hw_addr to NULL, and subsequent accesses will blindly dereference this now-NULL pointer. This patch reinstates the IGC_REMOVED checks in igc_rd32/wr32(), and implements IGC_REMOVED the way it is done for igb, by checking for the unlikely() case of hw_addr being NULL. This change prevents the oopses seen when a PCIe link flap occurs on an igc adapter. Fixes: 146740f9abc4 ("igc: Add support for PF") Signed-off-by: Lennert Buytenhek Tested-by: Naama Meir Acked-by: Sasha Neftin Signed-off-by: Tony Nguyen Signed-off-by: Sasha Levin Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- drivers/net/ethernet/intel/igc/igc_regs.h | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/net/ethernet/intel/igc/igc_regs.h b/drivers/net/ethern= et/intel/igc/igc_regs.h index 50d7c04dccf5..7bc7d7618fe1 100644 --- a/drivers/net/ethernet/intel/igc/igc_regs.h +++ b/drivers/net/ethernet/intel/igc/igc_regs.h @@ -236,4 +236,6 @@ do { \ =20 #define array_rd32(reg, offset) (igc_rd32(hw, (reg) + ((offset) << 2))) =20 +#define IGC_REMOVED(h) unlikely(!(h)) + #endif --=20 2.35.1 From nobody Wed Apr 15 02:54:32 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 6D71EC04A68 for ; Wed, 27 Jul 2022 16:42:01 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S239281AbiG0Ql7 (ORCPT ); Wed, 27 Jul 2022 12:41:59 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:58250 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S239122AbiG0QlP (ORCPT ); Wed, 27 Jul 2022 12:41:15 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [145.40.68.75]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id E36C251429; Wed, 27 Jul 2022 09:29:36 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 5C55CB821BA; Wed, 27 Jul 2022 16:29:36 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id A70C7C433D6; Wed, 27 Jul 2022 16:29:34 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1658939375; bh=CRrSIL4P0svdiiR+e0jcJwxpGu2VL7VEQG0U7nfZTjs=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=WtP6eZH75Ei/4yHidbTq3LDg+tsv22NYeL+z2QFAtVJrHCceJZPV7KfUBRJJXj05e h6K0saWDwbtGs0LrrNiwNYbfp+sFV2bYuESh6BrEDBtQLGb935nurp+XolZHNmPRXG cGOATgeHcKLPc71T0+mB2tLmVPtkCNk5aRBZL/Lo= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Kuniyuki Iwashima , "David S. Miller" , Sasha Levin Subject: [PATCH 5.4 16/87] ip: Fix data-races around sysctl_ip_no_pmtu_disc. Date: Wed, 27 Jul 2022 18:10:09 +0200 Message-Id: <20220727161009.659742989@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220727161008.993711844@linuxfoundation.org> References: <20220727161008.993711844@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Kuniyuki Iwashima [ Upstream commit 0968d2a441bf6afb551fd99e60fa65ed67068963 ] While reading sysctl_ip_no_pmtu_disc, it can be changed concurrently. Thus, we need to add READ_ONCE() to its readers. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller Signed-off-by: Sasha Levin Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- net/ipv4/af_inet.c | 2 +- net/ipv4/icmp.c | 2 +- net/ipv6/af_inet6.c | 2 +- net/xfrm/xfrm_state.c | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c index 9ab73fcc7411..06153386776d 100644 --- a/net/ipv4/af_inet.c +++ b/net/ipv4/af_inet.c @@ -337,7 +337,7 @@ static int inet_create(struct net *net, struct socket *= sock, int protocol, inet->hdrincl =3D 1; } =20 - if (net->ipv4.sysctl_ip_no_pmtu_disc) + if (READ_ONCE(net->ipv4.sysctl_ip_no_pmtu_disc)) inet->pmtudisc =3D IP_PMTUDISC_DONT; else inet->pmtudisc =3D IP_PMTUDISC_WANT; diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c index 9bc01411be4c..b44f51e404ae 100644 --- a/net/ipv4/icmp.c +++ b/net/ipv4/icmp.c @@ -886,7 +886,7 @@ static bool icmp_unreach(struct sk_buff *skb) * values please see * Documentation/networking/ip-sysctl.txt */ - switch (net->ipv4.sysctl_ip_no_pmtu_disc) { + switch (READ_ONCE(net->ipv4.sysctl_ip_no_pmtu_disc)) { default: net_dbg_ratelimited("%pI4: fragmentation needed and DF set\n", &iph->daddr); diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c index 942da168f18f..56f396ecc26b 100644 --- a/net/ipv6/af_inet6.c +++ b/net/ipv6/af_inet6.c @@ -222,7 +222,7 @@ static int inet6_create(struct net *net, struct socket = *sock, int protocol, inet->mc_list =3D NULL; inet->rcv_tos =3D 0; =20 - if (net->ipv4.sysctl_ip_no_pmtu_disc) + if (READ_ONCE(net->ipv4.sysctl_ip_no_pmtu_disc)) inet->pmtudisc =3D IP_PMTUDISC_DONT; else inet->pmtudisc =3D IP_PMTUDISC_WANT; diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c index 268bba29bb60..bee1a8143d75 100644 --- a/net/xfrm/xfrm_state.c +++ b/net/xfrm/xfrm_state.c @@ -2488,7 +2488,7 @@ int __xfrm_init_state(struct xfrm_state *x, bool init= _replay, bool offload) int err; =20 if (family =3D=3D AF_INET && - xs_net(x)->ipv4.sysctl_ip_no_pmtu_disc) + READ_ONCE(xs_net(x)->ipv4.sysctl_ip_no_pmtu_disc)) x->props.flags |=3D XFRM_STATE_NOPMTUDISC; =20 err =3D -EPROTONOSUPPORT; --=20 2.35.1 From nobody Wed Apr 15 02:54:32 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7E073C19F2B for ; Wed, 27 Jul 2022 16:42:05 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S239762AbiG0QmE (ORCPT ); Wed, 27 Jul 2022 12:42:04 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:58744 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S239452AbiG0QlY (ORCPT ); Wed, 27 Jul 2022 12:41:24 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id D1A5E5B068; Wed, 27 Jul 2022 09:29:38 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 63EF361A1E; Wed, 27 Jul 2022 16:29:38 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 70A64C433C1; Wed, 27 Jul 2022 16:29:37 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1658939377; bh=BWlv9WhHqHjZUjHfPVXIuG4fj36+jf4NC1pmkcWguiU=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=dfxPRgXb+yYKXf8KMChbaHjcr3OYL1E0vzWvnfsgzv0IjIYS4uS2Eqwwb+3vgI45M +VxUpl07H7eMZLEDx8MzQjT58WOS3QA+p2iKmxf46gA2aVxA8+UdbDXub6X94XykXX qdLhcdf5tV3TQ0M/B1ab9IAjIS1my9HajnNy+rc0= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Kuniyuki Iwashima , "David S. Miller" , Sasha Levin Subject: [PATCH 5.4 17/87] ip: Fix data-races around sysctl_ip_fwd_use_pmtu. Date: Wed, 27 Jul 2022 18:10:10 +0200 Message-Id: <20220727161009.708989076@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220727161008.993711844@linuxfoundation.org> References: <20220727161008.993711844@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Kuniyuki Iwashima [ Upstream commit 60c158dc7b1f0558f6cadd5b50d0386da0000d50 ] While reading sysctl_ip_fwd_use_pmtu, it can be changed concurrently. Thus, we need to add READ_ONCE() to its readers. Fixes: f87c10a8aa1e ("ipv4: introduce ip_dst_mtu_maybe_forward and protect = forwarding path against pmtu spoofing") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller Signed-off-by: Sasha Levin Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- include/net/ip.h | 2 +- net/ipv4/route.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/include/net/ip.h b/include/net/ip.h index 3f3ea86b2173..21fc0a29a8d4 100644 --- a/include/net/ip.h +++ b/include/net/ip.h @@ -442,7 +442,7 @@ static inline unsigned int ip_dst_mtu_maybe_forward(con= st struct dst_entry *dst, struct net *net =3D dev_net(dst->dev); unsigned int mtu; =20 - if (net->ipv4.sysctl_ip_fwd_use_pmtu || + if (READ_ONCE(net->ipv4.sysctl_ip_fwd_use_pmtu) || ip_mtu_locked(dst) || !forwarding) return dst_mtu(dst); diff --git a/net/ipv4/route.c b/net/ipv4/route.c index 9280e5087159..7004e379c325 100644 --- a/net/ipv4/route.c +++ b/net/ipv4/route.c @@ -1423,7 +1423,7 @@ u32 ip_mtu_from_fib_result(struct fib_result *res, __= be32 daddr) struct fib_info *fi =3D res->fi; u32 mtu =3D 0; =20 - if (dev_net(dev)->ipv4.sysctl_ip_fwd_use_pmtu || + if (READ_ONCE(dev_net(dev)->ipv4.sysctl_ip_fwd_use_pmtu) || fi->fib_metrics->metrics[RTAX_LOCK - 1] & (1 << RTAX_MTU)) mtu =3D fi->fib_mtu; =20 --=20 2.35.1 From nobody Wed Apr 15 02:54:32 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id EB8CEC04A68 for ; Wed, 27 Jul 2022 16:42:08 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S239773AbiG0QmH (ORCPT ); Wed, 27 Jul 2022 12:42:07 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:57268 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S239650AbiG0Ql0 (ORCPT ); Wed, 27 Jul 2022 12:41:26 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 97E4550065; Wed, 27 Jul 2022 09:29:41 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 543E961A39; Wed, 27 Jul 2022 16:29:41 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 598A8C433D6; Wed, 27 Jul 2022 16:29:40 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1658939380; bh=zn1DvGNYVtngREh6xi9YBPcN/170vf2Wj6zm10SnjFE=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=jY6yapUBe4hCSeNrmbAM1uOD+SfehjDMamAEtM3byLOM/urL9xcm9GXJdgpZcCVtV uwnPY/xIu2ekKdQuPSakHEAm1eAZjLtLEvCi7i8eeySCCYkGLWPMcnUUQ0Y1jUCOWX jXljpOBU6TcibeAoPN8wJTjme2chbrNK9ba83umI= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Kuniyuki Iwashima , "David S. Miller" , Sasha Levin Subject: [PATCH 5.4 18/87] ip: Fix data-races around sysctl_ip_nonlocal_bind. Date: Wed, 27 Jul 2022 18:10:11 +0200 Message-Id: <20220727161009.757058892@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220727161008.993711844@linuxfoundation.org> References: <20220727161008.993711844@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Kuniyuki Iwashima [ Upstream commit 289d3b21fb0bfc94c4e98f10635bba1824e5f83c ] While reading sysctl_ip_nonlocal_bind, it can be changed concurrently. Thus, we need to add READ_ONCE() to its readers. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller Signed-off-by: Sasha Levin Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- include/net/inet_sock.h | 2 +- net/sctp/protocol.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/include/net/inet_sock.h b/include/net/inet_sock.h index 34c4436fd18f..40f92f5a3047 100644 --- a/include/net/inet_sock.h +++ b/include/net/inet_sock.h @@ -375,7 +375,7 @@ static inline bool inet_get_convert_csum(struct sock *s= k) static inline bool inet_can_nonlocal_bind(struct net *net, struct inet_sock *inet) { - return net->ipv4.sysctl_ip_nonlocal_bind || + return READ_ONCE(net->ipv4.sysctl_ip_nonlocal_bind) || inet->freebind || inet->transparent; } =20 diff --git a/net/sctp/protocol.c b/net/sctp/protocol.c index bb370a7948f4..363a64c12414 100644 --- a/net/sctp/protocol.c +++ b/net/sctp/protocol.c @@ -358,7 +358,7 @@ static int sctp_v4_available(union sctp_addr *addr, str= uct sctp_sock *sp) if (addr->v4.sin_addr.s_addr !=3D htonl(INADDR_ANY) && ret !=3D RTN_LOCAL && !sp->inet.freebind && - !net->ipv4.sysctl_ip_nonlocal_bind) + !READ_ONCE(net->ipv4.sysctl_ip_nonlocal_bind)) return 0; =20 if (ipv6_only_sock(sctp_opt2sk(sp))) --=20 2.35.1 From nobody Wed Apr 15 02:54:32 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 8664CC04A68 for ; Wed, 27 Jul 2022 16:42:20 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S239660AbiG0QmS (ORCPT ); Wed, 27 Jul 2022 12:42:18 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:57364 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S239631AbiG0Qlg (ORCPT ); Wed, 27 Jul 2022 12:41:36 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 6A5F95B06B; Wed, 27 Jul 2022 09:29:44 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 4B9F261A39; Wed, 27 Jul 2022 16:29:44 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 4F1BFC433D6; Wed, 27 Jul 2022 16:29:43 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1658939383; bh=QnJWWJokVEQTlFbsgEPyg0LjyFVVkCoMgMdLQdFzu3E=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=ygqyBzPHabcXOatu9O9p65/2aP8wwRD2W1c66Xe9OYGbSLpkW39LyiAEdTYTfMvYf DxKIUtW4Y6lZonXsNRhxCpifLxn0OXhC5JidLn19QSa6Y//hhPAqv5cdFVdqrPyx7i 7Uo62nAg7RrJwVhqJwDM7T8/Y4sNcGaadETrKJg4= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Kuniyuki Iwashima , "David S. Miller" , Sasha Levin Subject: [PATCH 5.4 19/87] ip: Fix a data-race around sysctl_fwmark_reflect. Date: Wed, 27 Jul 2022 18:10:12 +0200 Message-Id: <20220727161009.797981561@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220727161008.993711844@linuxfoundation.org> References: <20220727161008.993711844@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Kuniyuki Iwashima [ Upstream commit 85d0b4dbd74b95cc492b1f4e34497d3f894f5d9a ] While reading sysctl_fwmark_reflect, it can be changed concurrently. Thus, we need to add READ_ONCE() to its reader. Fixes: e110861f8609 ("net: add a sysctl to reflect the fwmark on replies") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller Signed-off-by: Sasha Levin Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- include/net/ip.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/net/ip.h b/include/net/ip.h index 21fc0a29a8d4..db841ab388c0 100644 --- a/include/net/ip.h +++ b/include/net/ip.h @@ -381,7 +381,7 @@ void ipfrag_init(void); void ip_static_sysctl_init(void); =20 #define IP4_REPLY_MARK(net, mark) \ - ((net)->ipv4.sysctl_fwmark_reflect ? (mark) : 0) + (READ_ONCE((net)->ipv4.sysctl_fwmark_reflect) ? (mark) : 0) =20 static inline bool ip_is_fragment(const struct iphdr *iph) { --=20 2.35.1 From nobody Wed Apr 15 02:54:32 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id BD53EC04A68 for ; Wed, 27 Jul 2022 16:42:27 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S239720AbiG0Qm0 (ORCPT ); Wed, 27 Jul 2022 12:42:26 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:59300 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S239240AbiG0Qlj (ORCPT ); Wed, 27 Jul 2022 12:41:39 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 231DC5B7A0; Wed, 27 Jul 2022 09:29:48 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id AFB64B821BC; Wed, 27 Jul 2022 16:29:47 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 19AF4C433C1; Wed, 27 Jul 2022 16:29:45 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1658939386; bh=V0ufKcihEuhpCTK1oLhFFDvtxYa5zEyVxGoDNHTiRSM=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=sfybvKxZTw6fxNN1ESyAi4xzXmmEQlXU/LsCa9ySTW3dGESYR0Gp6nJzlo+BnByDJ jzsoF8fcO/FYNUJeqRNt5tOKNVq3SAK3mepR3mAnaxGueSUVyMcdAeiYXtlxlXbta7 Q0ACg+EkXaWbsK0xiYo/88USXYuRj72SBYU7Ofxg= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Kuniyuki Iwashima , "David S. Miller" , Sasha Levin Subject: [PATCH 5.4 20/87] tcp/dccp: Fix a data-race around sysctl_tcp_fwmark_accept. Date: Wed, 27 Jul 2022 18:10:13 +0200 Message-Id: <20220727161009.838154557@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220727161008.993711844@linuxfoundation.org> References: <20220727161008.993711844@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Kuniyuki Iwashima [ Upstream commit 1a0008f9df59451d0a17806c1ee1a19857032fa8 ] While reading sysctl_tcp_fwmark_accept, it can be changed concurrently. Thus, we need to add READ_ONCE() to its reader. Fixes: 84f39b08d786 ("net: support marking accepting TCP sockets") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller Signed-off-by: Sasha Levin Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- include/net/inet_sock.h | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/include/net/inet_sock.h b/include/net/inet_sock.h index 40f92f5a3047..58db7c69c146 100644 --- a/include/net/inet_sock.h +++ b/include/net/inet_sock.h @@ -107,7 +107,8 @@ static inline struct inet_request_sock *inet_rsk(const = struct request_sock *sk) =20 static inline u32 inet_request_mark(const struct sock *sk, struct sk_buff = *skb) { - if (!sk->sk_mark && sock_net(sk)->ipv4.sysctl_tcp_fwmark_accept) + if (!sk->sk_mark && + READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_fwmark_accept)) return skb->mark; =20 return sk->sk_mark; --=20 2.35.1 From nobody Wed Apr 15 02:54:32 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 4D836C19F2B for ; Wed, 27 Jul 2022 16:39:29 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S238339AbiG0Qj1 (ORCPT ); Wed, 27 Jul 2022 12:39:27 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:48604 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S238309AbiG0Qio (ORCPT ); Wed, 27 Jul 2022 12:38:44 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 5B96B5A147; Wed, 27 Jul 2022 09:28:38 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id BFEFE61A27; Wed, 27 Jul 2022 16:28:20 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id AD9DCC433D6; Wed, 27 Jul 2022 16:28:19 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1658939300; bh=JJwXE2uuDQBhp8piRLGooJ/OOMu+3+Uj85axSnmkwYM=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=00NS7EsQwGmhTYE1HSAbqtZmYP+vIt2PSIqsRBrjW18AaN8R76UJmpOSqcW0qAN1V crZsBqYtyLffq6LRyHTbaez0Ma2zDBlQ2R3EW8BsqaUSnUJ517PCl/8UznIBc4U6kD XdEoL1UZrYNyEJwC2Ru4Vg9hgIETHMngH9MqGwzk= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Kuniyuki Iwashima , "David S. Miller" , Sasha Levin Subject: [PATCH 5.4 21/87] tcp: Fix data-races around sysctl_tcp_mtu_probing. Date: Wed, 27 Jul 2022 18:10:14 +0200 Message-Id: <20220727161009.881148835@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220727161008.993711844@linuxfoundation.org> References: <20220727161008.993711844@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Kuniyuki Iwashima [ Upstream commit f47d00e077e7d61baf69e46dde3210c886360207 ] While reading sysctl_tcp_mtu_probing, it can be changed concurrently. Thus, we need to add READ_ONCE() to its readers. Fixes: 5d424d5a674f ("[TCP]: MTU probing") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller Signed-off-by: Sasha Levin Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- net/ipv4/tcp_output.c | 2 +- net/ipv4/tcp_timer.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c index 739fc69cdcc6..5ac81c4f076d 100644 --- a/net/ipv4/tcp_output.c +++ b/net/ipv4/tcp_output.c @@ -1537,7 +1537,7 @@ void tcp_mtup_init(struct sock *sk) struct inet_connection_sock *icsk =3D inet_csk(sk); struct net *net =3D sock_net(sk); =20 - icsk->icsk_mtup.enabled =3D net->ipv4.sysctl_tcp_mtu_probing > 1; + icsk->icsk_mtup.enabled =3D READ_ONCE(net->ipv4.sysctl_tcp_mtu_probing) >= 1; icsk->icsk_mtup.search_high =3D tp->rx_opt.mss_clamp + sizeof(struct tcph= dr) + icsk->icsk_af_ops->net_header_len; icsk->icsk_mtup.search_low =3D tcp_mss_to_mtu(sk, net->ipv4.sysctl_tcp_ba= se_mss); diff --git a/net/ipv4/tcp_timer.c b/net/ipv4/tcp_timer.c index fa2ae96ecdc4..57fa707e9e98 100644 --- a/net/ipv4/tcp_timer.c +++ b/net/ipv4/tcp_timer.c @@ -163,7 +163,7 @@ static void tcp_mtu_probing(struct inet_connection_sock= *icsk, struct sock *sk) int mss; =20 /* Black hole detection */ - if (!net->ipv4.sysctl_tcp_mtu_probing) + if (!READ_ONCE(net->ipv4.sysctl_tcp_mtu_probing)) return; =20 if (!icsk->icsk_mtup.enabled) { --=20 2.35.1 From nobody Wed Apr 15 02:54:32 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 2EB6AC04A68 for ; Wed, 27 Jul 2022 16:39:50 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S237598AbiG0Qjs (ORCPT ); Wed, 27 Jul 2022 12:39:48 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:57268 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S239153AbiG0QjA (ORCPT ); Wed, 27 Jul 2022 12:39:00 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 87BA44C63C; Wed, 27 Jul 2022 09:28:42 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 7FEDC619FD; Wed, 27 Jul 2022 16:28:23 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 8B892C433C1; Wed, 27 Jul 2022 16:28:22 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1658939302; bh=MoYEj7eAG+6DjitY8iEdsOqKj5O7i39pKXTevkVBEgs=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=giGcAc4VGeEkENfNPF2fmOYs8kXYx/Op7T8DSm6aYdaxDIF/+BIvq0bGS2sVWVeha 5vriFdzEb+u01D0cQzKz6sk+v7cI/A7yCGf6h26sz7rD3nvd0JYkiccjVVoeAq8uMN gKuDslnCeDVFpm3G0G/q6iX1Jve2dEzleyzgtvaU= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Kuniyuki Iwashima , "David S. Miller" , Sasha Levin Subject: [PATCH 5.4 22/87] tcp: Fix data-races around sysctl_tcp_base_mss. Date: Wed, 27 Jul 2022 18:10:15 +0200 Message-Id: <20220727161009.919908958@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220727161008.993711844@linuxfoundation.org> References: <20220727161008.993711844@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Kuniyuki Iwashima [ Upstream commit 88d78bc097cd8ebc6541e93316c9d9bf651b13e8 ] While reading sysctl_tcp_base_mss, it can be changed concurrently. Thus, we need to add READ_ONCE() to its readers. Fixes: 5d424d5a674f ("[TCP]: MTU probing") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller Signed-off-by: Sasha Levin Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- net/ipv4/tcp_output.c | 2 +- net/ipv4/tcp_timer.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c index 5ac81c4f076d..b84bedf2804a 100644 --- a/net/ipv4/tcp_output.c +++ b/net/ipv4/tcp_output.c @@ -1540,7 +1540,7 @@ void tcp_mtup_init(struct sock *sk) icsk->icsk_mtup.enabled =3D READ_ONCE(net->ipv4.sysctl_tcp_mtu_probing) >= 1; icsk->icsk_mtup.search_high =3D tp->rx_opt.mss_clamp + sizeof(struct tcph= dr) + icsk->icsk_af_ops->net_header_len; - icsk->icsk_mtup.search_low =3D tcp_mss_to_mtu(sk, net->ipv4.sysctl_tcp_ba= se_mss); + icsk->icsk_mtup.search_low =3D tcp_mss_to_mtu(sk, READ_ONCE(net->ipv4.sys= ctl_tcp_base_mss)); icsk->icsk_mtup.probe_size =3D 0; if (icsk->icsk_mtup.enabled) icsk->icsk_mtup.probe_timestamp =3D tcp_jiffies32; diff --git a/net/ipv4/tcp_timer.c b/net/ipv4/tcp_timer.c index 57fa707e9e98..0c3ee2aa244f 100644 --- a/net/ipv4/tcp_timer.c +++ b/net/ipv4/tcp_timer.c @@ -171,7 +171,7 @@ static void tcp_mtu_probing(struct inet_connection_sock= *icsk, struct sock *sk) icsk->icsk_mtup.probe_timestamp =3D tcp_jiffies32; } else { mss =3D tcp_mtu_to_mss(sk, icsk->icsk_mtup.search_low) >> 1; - mss =3D min(net->ipv4.sysctl_tcp_base_mss, mss); + mss =3D min(READ_ONCE(net->ipv4.sysctl_tcp_base_mss), mss); mss =3D max(mss, net->ipv4.sysctl_tcp_mtu_probe_floor); mss =3D max(mss, net->ipv4.sysctl_tcp_min_snd_mss); icsk->icsk_mtup.search_low =3D tcp_mss_to_mtu(sk, mss); --=20 2.35.1 From nobody Wed Apr 15 02:54:32 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 89BB4C04A68 for ; Wed, 27 Jul 2022 16:38:43 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S238632AbiG0Qik (ORCPT ); Wed, 27 Jul 2022 12:38:40 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:46930 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S238931AbiG0QiB (ORCPT ); Wed, 27 Jul 2022 12:38:01 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 6C9E757206; Wed, 27 Jul 2022 09:28:26 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 4E375619D6; Wed, 27 Jul 2022 16:28:26 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 5A9BCC433D6; Wed, 27 Jul 2022 16:28:25 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1658939305; bh=OYJJJx9RYWDm60BM5+qoCBIC/9TeiaV9YhQBCOoW37U=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=v+jj0cYdrTq6AyeiO0wE56HnCOGVWmVLHa5ttso3f0quxuv+/hWfbNpJjx9rJvAvj K6RkGarwByiyEq4UnqGbAKnK8lsEk7wsHDM0uZlGTCbMcQv/N/yoTj3NhZB4ypc532 wHGMAf6jg1edR+VujoGeiNu/PddrfMvf65iybzsI= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Kuniyuki Iwashima , "David S. Miller" , Sasha Levin Subject: [PATCH 5.4 23/87] tcp: Fix data-races around sysctl_tcp_min_snd_mss. Date: Wed, 27 Jul 2022 18:10:16 +0200 Message-Id: <20220727161009.959774666@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220727161008.993711844@linuxfoundation.org> References: <20220727161008.993711844@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Kuniyuki Iwashima [ Upstream commit 78eb166cdefcc3221c8c7c1e2d514e91a2eb5014 ] While reading sysctl_tcp_min_snd_mss, it can be changed concurrently. Thus, we need to add READ_ONCE() to its readers. Fixes: 5f3e2bf008c2 ("tcp: add tcp_min_snd_mss sysctl") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller Signed-off-by: Sasha Levin Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- net/ipv4/tcp_output.c | 3 ++- net/ipv4/tcp_timer.c | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c index b84bedf2804a..7c0b96319fc0 100644 --- a/net/ipv4/tcp_output.c +++ b/net/ipv4/tcp_output.c @@ -1494,7 +1494,8 @@ static inline int __tcp_mtu_to_mss(struct sock *sk, i= nt pmtu) mss_now -=3D icsk->icsk_ext_hdr_len; =20 /* Then reserve room for full set of TCP options and 8 bytes of data */ - mss_now =3D max(mss_now, sock_net(sk)->ipv4.sysctl_tcp_min_snd_mss); + mss_now =3D max(mss_now, + READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_min_snd_mss)); return mss_now; } =20 diff --git a/net/ipv4/tcp_timer.c b/net/ipv4/tcp_timer.c index 0c3ee2aa244f..0460c5deee3f 100644 --- a/net/ipv4/tcp_timer.c +++ b/net/ipv4/tcp_timer.c @@ -173,7 +173,7 @@ static void tcp_mtu_probing(struct inet_connection_sock= *icsk, struct sock *sk) mss =3D tcp_mtu_to_mss(sk, icsk->icsk_mtup.search_low) >> 1; mss =3D min(READ_ONCE(net->ipv4.sysctl_tcp_base_mss), mss); mss =3D max(mss, net->ipv4.sysctl_tcp_mtu_probe_floor); - mss =3D max(mss, net->ipv4.sysctl_tcp_min_snd_mss); + mss =3D max(mss, READ_ONCE(net->ipv4.sysctl_tcp_min_snd_mss)); icsk->icsk_mtup.search_low =3D tcp_mss_to_mtu(sk, mss); } tcp_sync_mss(sk, icsk->icsk_pmtu_cookie); --=20 2.35.1 From nobody Wed Apr 15 02:54:32 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 2ED63C04A68 for ; Wed, 27 Jul 2022 16:40:13 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S239380AbiG0QkM (ORCPT ); Wed, 27 Jul 2022 12:40:12 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:59150 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S239589AbiG0QjU (ORCPT ); Wed, 27 Jul 2022 12:39:20 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 46F295005D; Wed, 27 Jul 2022 09:28:49 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 03ED1619FF; Wed, 27 Jul 2022 16:28:29 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 0E311C433D7; Wed, 27 Jul 2022 16:28:27 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1658939308; bh=c4SmNGB0sRDDaEoM2NEHpYGli5ogoDdY1dHqExV2Ru8=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=uCLi4cMD0G3t15CyYuMwqE0DfukGkpCiDO4rbOIuQmmN2X3ohA1ystlrq3iee+aYO OcCJjn89RuEjRd8G7gbDVFSvlacmuU6bdsYitSK5YQccyEDGOMZuu9XPwS70styOZv i+a+h6YPoLHba5bDaGo163hU8Qi6TWwC9+DznY44= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Kuniyuki Iwashima , "David S. Miller" , Sasha Levin Subject: [PATCH 5.4 24/87] tcp: Fix a data-race around sysctl_tcp_mtu_probe_floor. Date: Wed, 27 Jul 2022 18:10:17 +0200 Message-Id: <20220727161010.006453319@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220727161008.993711844@linuxfoundation.org> References: <20220727161008.993711844@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Kuniyuki Iwashima [ Upstream commit 8e92d4423615a5257d0d871fc067aa561f597deb ] While reading sysctl_tcp_mtu_probe_floor, it can be changed concurrently. Thus, we need to add READ_ONCE() to its reader. Fixes: c04b79b6cfd7 ("tcp: add new tcp_mtu_probe_floor sysctl") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller Signed-off-by: Sasha Levin Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- net/ipv4/tcp_timer.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/ipv4/tcp_timer.c b/net/ipv4/tcp_timer.c index 0460c5deee3f..c48aeaef3ec7 100644 --- a/net/ipv4/tcp_timer.c +++ b/net/ipv4/tcp_timer.c @@ -172,7 +172,7 @@ static void tcp_mtu_probing(struct inet_connection_sock= *icsk, struct sock *sk) } else { mss =3D tcp_mtu_to_mss(sk, icsk->icsk_mtup.search_low) >> 1; mss =3D min(READ_ONCE(net->ipv4.sysctl_tcp_base_mss), mss); - mss =3D max(mss, net->ipv4.sysctl_tcp_mtu_probe_floor); + mss =3D max(mss, READ_ONCE(net->ipv4.sysctl_tcp_mtu_probe_floor)); mss =3D max(mss, READ_ONCE(net->ipv4.sysctl_tcp_min_snd_mss)); icsk->icsk_mtup.search_low =3D tcp_mss_to_mtu(sk, mss); } --=20 2.35.1 From nobody Wed Apr 15 02:54:32 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id B17ADC04A68 for ; Wed, 27 Jul 2022 16:39:24 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S238899AbiG0QjC (ORCPT ); Wed, 27 Jul 2022 12:39:02 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:58822 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S239155AbiG0Qib (ORCPT ); Wed, 27 Jul 2022 12:38:31 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 472205926B; Wed, 27 Jul 2022 09:28:35 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 74C4CB821A6; Wed, 27 Jul 2022 16:28:32 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id D2F9FC433D6; Wed, 27 Jul 2022 16:28:30 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1658939311; bh=8KEZlxPKxQ3tmzEQHpD6PsGQTPZLI4RZcLqnq0HbwFY=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=U5riwf1hq5AJ5Q5MdZXRf/Uvjw3edFg/AtxU7n4z8lzTwe5huowtNzr4wo+XPW2EX 0UCE3iOVi0s6C3pOqPAR6lc38TiRC/n2cI7Ykr2VSkZ9dTyEvLkSe2e0MurviVKXlK bV5Hmbhenjkzoll/KH0t7WwhgCQxHuQ8kIWkkriQ= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Kuniyuki Iwashima , "David S. Miller" , Sasha Levin Subject: [PATCH 5.4 25/87] tcp: Fix a data-race around sysctl_tcp_probe_threshold. Date: Wed, 27 Jul 2022 18:10:18 +0200 Message-Id: <20220727161010.055996775@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220727161008.993711844@linuxfoundation.org> References: <20220727161008.993711844@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Kuniyuki Iwashima [ Upstream commit 92c0aa4175474483d6cf373314343d4e624e882a ] While reading sysctl_tcp_probe_threshold, it can be changed concurrently. Thus, we need to add READ_ONCE() to its reader. Fixes: 6b58e0a5f32d ("ipv4: Use binary search to choose tcp PMTU probe_size= ") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller Signed-off-by: Sasha Levin Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- net/ipv4/tcp_output.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c index 7c0b96319fc0..e60cb69d00a4 100644 --- a/net/ipv4/tcp_output.c +++ b/net/ipv4/tcp_output.c @@ -2134,7 +2134,7 @@ static int tcp_mtu_probe(struct sock *sk) * probing process by not resetting search range to its orignal. */ if (probe_size > tcp_mtu_to_mss(sk, icsk->icsk_mtup.search_high) || - interval < net->ipv4.sysctl_tcp_probe_threshold) { + interval < READ_ONCE(net->ipv4.sysctl_tcp_probe_threshold)) { /* Check whether enough time has elaplased for * another round of probing. */ --=20 2.35.1 From nobody Wed Apr 15 02:54:32 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id EFDC7C04A68 for ; Wed, 27 Jul 2022 16:39:36 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S238870AbiG0Qje (ORCPT ); Wed, 27 Jul 2022 12:39:34 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51226 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S238650AbiG0Qiu (ORCPT ); Wed, 27 Jul 2022 12:38:50 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 8B2325A14A; Wed, 27 Jul 2022 09:28:38 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 6DC48B821BB; Wed, 27 Jul 2022 16:28:35 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 8E4C5C433D6; Wed, 27 Jul 2022 16:28:33 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1658939314; bh=5GHE/e7Ntqnouf+Cb62K8sm2eIabSeUPpWmxBNe+FyM=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=qLVJiclxRh1NH+BumeEiyEJQNJPqthwmMZ70tR5BH5hF9TQPldxyvN2jDhHJ0XYKi iuKBZ8H5oxqSBOAisLLLPXZqcNgHzJsFLjBNvWnMWNWwxkVWWAg1S2OTlfvDglaZ2y gAVPXpMIyIkj7nUUqLSeCyL6KSQep5hLgNENJNS8= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Kuniyuki Iwashima , "David S. Miller" , Sasha Levin Subject: [PATCH 5.4 26/87] tcp: Fix a data-race around sysctl_tcp_probe_interval. Date: Wed, 27 Jul 2022 18:10:19 +0200 Message-Id: <20220727161010.096766557@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220727161008.993711844@linuxfoundation.org> References: <20220727161008.993711844@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Kuniyuki Iwashima [ Upstream commit 2a85388f1d94a9f8b5a529118a2c5eaa0520d85c ] While reading sysctl_tcp_probe_interval, it can be changed concurrently. Thus, we need to add READ_ONCE() to its reader. Fixes: 05cbc0db03e8 ("ipv4: Create probe timer for tcp PMTU as per RFC4821") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller Signed-off-by: Sasha Levin Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- net/ipv4/tcp_output.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c index e60cb69d00a4..9bfe6965b873 100644 --- a/net/ipv4/tcp_output.c +++ b/net/ipv4/tcp_output.c @@ -2052,7 +2052,7 @@ static inline void tcp_mtu_check_reprobe(struct sock = *sk) u32 interval; s32 delta; =20 - interval =3D net->ipv4.sysctl_tcp_probe_interval; + interval =3D READ_ONCE(net->ipv4.sysctl_tcp_probe_interval); delta =3D tcp_jiffies32 - icsk->icsk_mtup.probe_timestamp; if (unlikely(delta >=3D interval * HZ)) { int mss =3D tcp_current_mss(sk); --=20 2.35.1 From nobody Wed Apr 15 02:54:32 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id B004CC04A68 for ; Wed, 27 Jul 2022 16:39:46 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S239041AbiG0Qjo (ORCPT ); Wed, 27 Jul 2022 12:39:44 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:58696 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S239043AbiG0Qix (ORCPT ); Wed, 27 Jul 2022 12:38:53 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [145.40.68.75]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 480085A152; Wed, 27 Jul 2022 09:28:38 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 8B94DB821BC; Wed, 27 Jul 2022 16:28:38 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id D21B6C433C1; Wed, 27 Jul 2022 16:28:36 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1658939317; bh=HDQlZl209yb3N5mcFkuwfVpZiduu9n6n/X73yCLOr4w=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=xmC5vs6s20mRGIkUt956iE51pb6rKnY+usrHe+T8EiMucYCSK4NSrl9d/YYtI2ot9 +YKgVa1FqFFbehCRixyKEfU/Vh8nGKElsJsQZE7vTQfDBGKrrw3J73tuyQG4d6FEuQ 6qsJo5pfxuE0dUHuZycIcsW6fQrjT3TsLC7aEkUM= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Robert Hancock , Shubhrajyoti Datta , Michal Simek , Wolfram Sang , Sasha Levin Subject: [PATCH 5.4 27/87] i2c: cadence: Change large transfer count reset logic to be unconditional Date: Wed, 27 Jul 2022 18:10:20 +0200 Message-Id: <20220727161010.128877012@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220727161008.993711844@linuxfoundation.org> References: <20220727161008.993711844@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Robert Hancock [ Upstream commit 4ca8ca873d454635c20d508261bfc0081af75cf8 ] Problems were observed on the Xilinx ZynqMP platform with large I2C reads. When a read of 277 bytes was performed, the controller NAKed the transfer after only 252 bytes were transferred and returned an ENXIO error on the transfer. There is some code in cdns_i2c_master_isr to handle this case by resetting the transfer count in the controller before it reaches 0, to allow larger transfers to work, but it was conditional on the CDNS_I2C_BROKEN_HOLD_BIT quirk being set on the controller, and ZynqMP uses the r1p14 version of the core where this quirk is not being set. The requirement to do this to support larger reads seems like an inherently required workaround due to the core only having an 8-bit transfer size register, so it does not appear that this should be conditional on the broken HOLD bit quirk which is used elsewhere in the driver. Remove the dependency on the CDNS_I2C_BROKEN_HOLD_BIT for this transfer size reset logic to fix this problem. Fixes: 63cab195bf49 ("i2c: removed work arounds in i2c driver for Zynq Ultr= ascale+ MPSoC") Signed-off-by: Robert Hancock Reviewed-by: Shubhrajyoti Datta Acked-by: Michal Simek Signed-off-by: Wolfram Sang Signed-off-by: Sasha Levin Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- drivers/i2c/busses/i2c-cadence.c | 30 +++++------------------------- 1 file changed, 5 insertions(+), 25 deletions(-) diff --git a/drivers/i2c/busses/i2c-cadence.c b/drivers/i2c/busses/i2c-cade= nce.c index 3a1bdc75275f..8750e444f449 100644 --- a/drivers/i2c/busses/i2c-cadence.c +++ b/drivers/i2c/busses/i2c-cadence.c @@ -198,9 +198,9 @@ static inline bool cdns_is_holdquirk(struct cdns_i2c *i= d, bool hold_wrkaround) */ static irqreturn_t cdns_i2c_isr(int irq, void *ptr) { - unsigned int isr_status, avail_bytes, updatetx; + unsigned int isr_status, avail_bytes; unsigned int bytes_to_send; - bool hold_quirk; + bool updatetx; struct cdns_i2c *id =3D ptr; /* Signal completion only after everything is updated */ int done_flag =3D 0; @@ -219,11 +219,7 @@ static irqreturn_t cdns_i2c_isr(int irq, void *ptr) * Check if transfer size register needs to be updated again for a * large data receive operation. */ - updatetx =3D 0; - if (id->recv_count > id->curr_recv_count) - updatetx =3D 1; - - hold_quirk =3D (id->quirks & CDNS_I2C_BROKEN_HOLD_BIT) && updatetx; + updatetx =3D id->recv_count > id->curr_recv_count; =20 /* When receiving, handle data interrupt and completion interrupt */ if (id->p_recv_buf && @@ -246,7 +242,7 @@ static irqreturn_t cdns_i2c_isr(int irq, void *ptr) id->recv_count--; id->curr_recv_count--; =20 - if (cdns_is_holdquirk(id, hold_quirk)) + if (cdns_is_holdquirk(id, updatetx)) break; } =20 @@ -257,7 +253,7 @@ static irqreturn_t cdns_i2c_isr(int irq, void *ptr) * maintain transfer size non-zero while performing a large * receive operation. */ - if (cdns_is_holdquirk(id, hold_quirk)) { + if (cdns_is_holdquirk(id, updatetx)) { /* wait while fifo is full */ while (cdns_i2c_readreg(CDNS_I2C_XFER_SIZE_OFFSET) !=3D (id->curr_recv_count - CDNS_I2C_FIFO_DEPTH)) @@ -279,22 +275,6 @@ static irqreturn_t cdns_i2c_isr(int irq, void *ptr) CDNS_I2C_XFER_SIZE_OFFSET); id->curr_recv_count =3D id->recv_count; } - } else if (id->recv_count && !hold_quirk && - !id->curr_recv_count) { - - /* Set the slave address in address register*/ - cdns_i2c_writereg(id->p_msg->addr & CDNS_I2C_ADDR_MASK, - CDNS_I2C_ADDR_OFFSET); - - if (id->recv_count > CDNS_I2C_TRANSFER_SIZE) { - cdns_i2c_writereg(CDNS_I2C_TRANSFER_SIZE, - CDNS_I2C_XFER_SIZE_OFFSET); - id->curr_recv_count =3D CDNS_I2C_TRANSFER_SIZE; - } else { - cdns_i2c_writereg(id->recv_count, - CDNS_I2C_XFER_SIZE_OFFSET); - id->curr_recv_count =3D id->recv_count; - } } =20 /* Clear hold (if not repeated start) and signal completion */ --=20 2.35.1 From nobody Wed Apr 15 02:54:32 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 31150C04A68 for ; Wed, 27 Jul 2022 16:39:42 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S238966AbiG0Qji (ORCPT ); Wed, 27 Jul 2022 12:39:38 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:57200 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S239130AbiG0Qiy (ORCPT ); Wed, 27 Jul 2022 12:38:54 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id D760250062; Wed, 27 Jul 2022 09:28:41 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 3AC06B821CA; Wed, 27 Jul 2022 16:28:41 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 8C879C433C1; Wed, 27 Jul 2022 16:28:39 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1658939319; bh=yp/pb7KUR+K/mKCaiDaXhO7Onv98a9lWavXvVVFNjjc=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=cv4k2unjbz0d4N0wRDhJuedDQvmM2BsY+I/vTnxsG0vPXYBGw3gnxMo+nksKoxfzS g5DWHvW6iBmzOcHlscSOPmPDEBhhTZT7OKS4nAcy9U/SoQvt2i1kbqBz2tQmQmY4a6 t9EwtNIEyDTp4E9a4r3eA94OQXQC5g4XUARxjgzQ= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Cedric Wassenaar , Junxiao Chang , Florian Fainelli , "David S. Miller" , Sasha Levin Subject: [PATCH 5.4 28/87] net: stmmac: fix dma queue left shift overflow issue Date: Wed, 27 Jul 2022 18:10:21 +0200 Message-Id: <20220727161010.177774563@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220727161008.993711844@linuxfoundation.org> References: <20220727161008.993711844@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Junxiao Chang [ Upstream commit 613b065ca32e90209024ec4a6bb5ca887ee70980 ] When queue number is > 4, left shift overflows due to 32 bits integer variable. Mask calculation is wrong for MTL_RXQ_DMA_MAP1. If CONFIG_UBSAN is enabled, kernel dumps below warning: [ 10.363842] =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D [ 10.363882] UBSAN: shift-out-of-bounds in /build/linux-intel-iotg-5.15-8= e6Tf4/ linux-intel-iotg-5.15-5.15.0/drivers/net/ethernet/stmicro/stmmac/dwmac4_cor= e.c:224:12 [ 10.363929] shift exponent 40 is too large for 32-bit type 'unsigned int' [ 10.363953] CPU: 1 PID: 599 Comm: NetworkManager Not tainted 5.15.0-1003= -intel-iotg [ 10.363956] Hardware name: ADLINK Technology Inc. LEC-EL/LEC-EL, BIOS 0.= 15.11 12/22/2021 [ 10.363958] Call Trace: [ 10.363960] [ 10.363963] dump_stack_lvl+0x4a/0x5f [ 10.363971] dump_stack+0x10/0x12 [ 10.363974] ubsan_epilogue+0x9/0x45 [ 10.363976] __ubsan_handle_shift_out_of_bounds.cold+0x61/0x10e [ 10.363979] ? wake_up_klogd+0x4a/0x50 [ 10.363983] ? vprintk_emit+0x8f/0x240 [ 10.363986] dwmac4_map_mtl_dma.cold+0x42/0x91 [stmmac] [ 10.364001] stmmac_mtl_configuration+0x1ce/0x7a0 [stmmac] [ 10.364009] ? dwmac410_dma_init_channel+0x70/0x70 [stmmac] [ 10.364020] stmmac_hw_setup.cold+0xf/0xb14 [stmmac] [ 10.364030] ? page_pool_alloc_pages+0x4d/0x70 [ 10.364034] ? stmmac_clear_tx_descriptors+0x6e/0xe0 [stmmac] [ 10.364042] stmmac_open+0x39e/0x920 [stmmac] [ 10.364050] __dev_open+0xf0/0x1a0 [ 10.364054] __dev_change_flags+0x188/0x1f0 [ 10.364057] dev_change_flags+0x26/0x60 [ 10.364059] do_setlink+0x908/0xc40 [ 10.364062] ? do_setlink+0xb10/0xc40 [ 10.364064] ? __nla_validate_parse+0x4c/0x1a0 [ 10.364068] __rtnl_newlink+0x597/0xa10 [ 10.364072] ? __nla_reserve+0x41/0x50 [ 10.364074] ? __kmalloc_node_track_caller+0x1d0/0x4d0 [ 10.364079] ? pskb_expand_head+0x75/0x310 [ 10.364082] ? nla_reserve_64bit+0x21/0x40 [ 10.364086] ? skb_free_head+0x65/0x80 [ 10.364089] ? security_sock_rcv_skb+0x2c/0x50 [ 10.364094] ? __cond_resched+0x19/0x30 [ 10.364097] ? kmem_cache_alloc_trace+0x15a/0x420 [ 10.364100] rtnl_newlink+0x49/0x70 This change fixes MTL_RXQ_DMA_MAP1 mask issue and channel/queue mapping warning. Fixes: d43042f4da3e ("net: stmmac: mapping mtl rx to dma channel") BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=3D216195 Reported-by: Cedric Wassenaar Signed-off-by: Junxiao Chang Reviewed-by: Florian Fainelli Signed-off-by: David S. Miller Signed-off-by: Sasha Levin Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c b/drivers/ne= t/ethernet/stmicro/stmmac/dwmac4_core.c index 66e60c7e9850..c440b192ec71 100644 --- a/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c +++ b/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c @@ -215,6 +215,9 @@ static void dwmac4_map_mtl_dma(struct mac_device_info *= hw, u32 queue, u32 chan) if (queue =3D=3D 0 || queue =3D=3D 4) { value &=3D ~MTL_RXQ_DMA_Q04MDMACH_MASK; value |=3D MTL_RXQ_DMA_Q04MDMACH(chan); + } else if (queue > 4) { + value &=3D ~MTL_RXQ_DMA_QXMDMACH_MASK(queue - 4); + value |=3D MTL_RXQ_DMA_QXMDMACH(chan, queue - 4); } else { value &=3D ~MTL_RXQ_DMA_QXMDMACH_MASK(queue); value |=3D MTL_RXQ_DMA_QXMDMACH(chan, queue); --=20 2.35.1 From nobody Wed Apr 15 02:54:32 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 3AA7AC04A68 for ; Wed, 27 Jul 2022 16:40:38 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S239449AbiG0Qkf (ORCPT ); Wed, 27 Jul 2022 12:40:35 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:59260 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S239408AbiG0QkO (ORCPT ); Wed, 27 Jul 2022 12:40:14 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 305755A8BD; Wed, 27 Jul 2022 09:29:05 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 3D55A619D6; Wed, 27 Jul 2022 16:28:43 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 4A444C433D6; Wed, 27 Jul 2022 16:28:42 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1658939322; bh=yGjclRpTTnLqDZq3ND41LUVC58mz1G5Iu0o1J/Ct7w8=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=E2VzBTWUjWeRNvaMM4d2vhN2E5ik39NU0oGgAPmP9WnbALYC2+chPqeDuS+LcqxHJ 8aNows3nCGYRwGZ5gtAGR9z2IU19HypgLhbbcl0oPD1XNPVZd+5sVyqlNiV4zfbqJ3 YBpxNOFt7idc5+/v4/cNgg1k9YFhxZqCVyjyj8eo= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Maxim Mikityanskiy , Tariq Toukan , Jakub Kicinski , "David S. Miller" , Sasha Levin Subject: [PATCH 5.4 29/87] net/tls: Fix race in TLS device down flow Date: Wed, 27 Jul 2022 18:10:22 +0200 Message-Id: <20220727161010.217002253@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220727161008.993711844@linuxfoundation.org> References: <20220727161008.993711844@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Tariq Toukan [ Upstream commit f08d8c1bb97c48f24a82afaa2fd8c140f8d3da8b ] Socket destruction flow and tls_device_down function sync against each other using tls_device_lock and the context refcount, to guarantee the device resources are freed via tls_dev_del() by the end of tls_device_down. In the following unfortunate flow, this won't happen: - refcount is decreased to zero in tls_device_sk_destruct. - tls_device_down starts, skips the context as refcount is zero, going all the way until it flushes the gc work, and returns without freeing the device resources. - only then, tls_device_queue_ctx_destruction is called, queues the gc work and frees the context's device resources. Solve it by decreasing the refcount in the socket's destruction flow under the tls_device_lock, for perfect synchronization. This does not slow down the common likely destructor flow, in which both the refcount is decreased and the spinlock is acquired, anyway. Fixes: e8f69799810c ("net/tls: Add generic NIC offload infrastructure") Reviewed-by: Maxim Mikityanskiy Signed-off-by: Tariq Toukan Reviewed-by: Jakub Kicinski Signed-off-by: David S. Miller Signed-off-by: Sasha Levin Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- net/tls/tls_device.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/net/tls/tls_device.c b/net/tls/tls_device.c index abb93f7343c5..2c3cf47d730b 100644 --- a/net/tls/tls_device.c +++ b/net/tls/tls_device.c @@ -94,13 +94,16 @@ static void tls_device_queue_ctx_destruction(struct tls= _context *ctx) unsigned long flags; =20 spin_lock_irqsave(&tls_device_lock, flags); + if (unlikely(!refcount_dec_and_test(&ctx->refcount))) + goto unlock; + list_move_tail(&ctx->list, &tls_device_gc_list); =20 /* schedule_work inside the spinlock * to make sure tls_device_down waits for that work. */ schedule_work(&tls_device_gc_work); - +unlock: spin_unlock_irqrestore(&tls_device_lock, flags); } =20 @@ -191,8 +194,7 @@ static void tls_device_sk_destruct(struct sock *sk) clean_acked_data_disable(inet_csk(sk)); } =20 - if (refcount_dec_and_test(&tls_ctx->refcount)) - tls_device_queue_ctx_destruction(tls_ctx); + tls_device_queue_ctx_destruction(tls_ctx); } =20 void tls_device_free_resources_tx(struct sock *sk) --=20 2.35.1 From nobody Wed Apr 15 02:54:32 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 91369C04A68 for ; Wed, 27 Jul 2022 16:39:52 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S239161AbiG0Qjv (ORCPT ); Wed, 27 Jul 2022 12:39:51 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:59336 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S239341AbiG0QjM (ORCPT ); Wed, 27 Jul 2022 12:39:12 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 430105A17A; Wed, 27 Jul 2022 09:28:46 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 04DC661A1B; Wed, 27 Jul 2022 16:28:46 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 123A2C433B5; Wed, 27 Jul 2022 16:28:44 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1658939325; bh=HRJLnCZvgqlS5n6E+XUwDVFty5BxsGXl+icR2zlYEhs=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=BkfUWDqhdQySwzxQ2tY4NP94HIrK8mhExqAwdRBGiD7ez7yXVYTTET3Tx5lJXOlsI zzQUkMSNq6BasURo8vCwJryf4Ah0udxpYSu4eodJdFDNzT+O5pn/HhBFeenWZmxJM4 +6ezl99oAr72ca2LF95SjYp19vOGJseYFdV+xj+g= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Kuniyuki Iwashima , "David S. Miller" , Sasha Levin Subject: [PATCH 5.4 30/87] igmp: Fix data-races around sysctl_igmp_llm_reports. Date: Wed, 27 Jul 2022 18:10:23 +0200 Message-Id: <20220727161010.264957270@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220727161008.993711844@linuxfoundation.org> References: <20220727161008.993711844@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Kuniyuki Iwashima [ Upstream commit f6da2267e71106474fbc0943dc24928b9cb79119 ] While reading sysctl_igmp_llm_reports, it can be changed concurrently. Thus, we need to add READ_ONCE() to its readers. This test can be packed into a helper, so such changes will be in the follow-up series after net is merged into net-next. if (ipv4_is_local_multicast(pmc->multiaddr) && !READ_ONCE(net->ipv4.sysctl_igmp_llm_reports)) Fixes: df2cf4a78e48 ("IGMP: Inhibit reports for local multicast groups") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller Signed-off-by: Sasha Levin Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- net/ipv4/igmp.c | 21 +++++++++++++-------- 1 file changed, 13 insertions(+), 8 deletions(-) diff --git a/net/ipv4/igmp.c b/net/ipv4/igmp.c index cac2fdd08df0..7cd444d75c3d 100644 --- a/net/ipv4/igmp.c +++ b/net/ipv4/igmp.c @@ -469,7 +469,8 @@ static struct sk_buff *add_grec(struct sk_buff *skb, st= ruct ip_mc_list *pmc, =20 if (pmc->multiaddr =3D=3D IGMP_ALL_HOSTS) return skb; - if (ipv4_is_local_multicast(pmc->multiaddr) && !net->ipv4.sysctl_igmp_llm= _reports) + if (ipv4_is_local_multicast(pmc->multiaddr) && + !READ_ONCE(net->ipv4.sysctl_igmp_llm_reports)) return skb; =20 mtu =3D READ_ONCE(dev->mtu); @@ -595,7 +596,7 @@ static int igmpv3_send_report(struct in_device *in_dev,= struct ip_mc_list *pmc) if (pmc->multiaddr =3D=3D IGMP_ALL_HOSTS) continue; if (ipv4_is_local_multicast(pmc->multiaddr) && - !net->ipv4.sysctl_igmp_llm_reports) + !READ_ONCE(net->ipv4.sysctl_igmp_llm_reports)) continue; spin_lock_bh(&pmc->lock); if (pmc->sfcount[MCAST_EXCLUDE]) @@ -738,7 +739,8 @@ static int igmp_send_report(struct in_device *in_dev, s= truct ip_mc_list *pmc, if (type =3D=3D IGMPV3_HOST_MEMBERSHIP_REPORT) return igmpv3_send_report(in_dev, pmc); =20 - if (ipv4_is_local_multicast(group) && !net->ipv4.sysctl_igmp_llm_reports) + if (ipv4_is_local_multicast(group) && + !READ_ONCE(net->ipv4.sysctl_igmp_llm_reports)) return 0; =20 if (type =3D=3D IGMP_HOST_LEAVE_MESSAGE) @@ -922,7 +924,8 @@ static bool igmp_heard_report(struct in_device *in_dev,= __be32 group) =20 if (group =3D=3D IGMP_ALL_HOSTS) return false; - if (ipv4_is_local_multicast(group) && !net->ipv4.sysctl_igmp_llm_reports) + if (ipv4_is_local_multicast(group) && + !READ_ONCE(net->ipv4.sysctl_igmp_llm_reports)) return false; =20 rcu_read_lock(); @@ -1047,7 +1050,7 @@ static bool igmp_heard_query(struct in_device *in_dev= , struct sk_buff *skb, if (im->multiaddr =3D=3D IGMP_ALL_HOSTS) continue; if (ipv4_is_local_multicast(im->multiaddr) && - !net->ipv4.sysctl_igmp_llm_reports) + !READ_ONCE(net->ipv4.sysctl_igmp_llm_reports)) continue; spin_lock_bh(&im->lock); if (im->tm_running) @@ -1298,7 +1301,8 @@ static void __igmp_group_dropped(struct ip_mc_list *i= m, gfp_t gfp) #ifdef CONFIG_IP_MULTICAST if (im->multiaddr =3D=3D IGMP_ALL_HOSTS) return; - if (ipv4_is_local_multicast(im->multiaddr) && !net->ipv4.sysctl_igmp_llm_= reports) + if (ipv4_is_local_multicast(im->multiaddr) && + !READ_ONCE(net->ipv4.sysctl_igmp_llm_reports)) return; =20 reporter =3D im->reporter; @@ -1340,7 +1344,8 @@ static void igmp_group_added(struct ip_mc_list *im) #ifdef CONFIG_IP_MULTICAST if (im->multiaddr =3D=3D IGMP_ALL_HOSTS) return; - if (ipv4_is_local_multicast(im->multiaddr) && !net->ipv4.sysctl_igmp_llm_= reports) + if (ipv4_is_local_multicast(im->multiaddr) && + !READ_ONCE(net->ipv4.sysctl_igmp_llm_reports)) return; =20 if (in_dev->dead) @@ -1644,7 +1649,7 @@ static void ip_mc_rejoin_groups(struct in_device *in_= dev) if (im->multiaddr =3D=3D IGMP_ALL_HOSTS) continue; if (ipv4_is_local_multicast(im->multiaddr) && - !net->ipv4.sysctl_igmp_llm_reports) + !READ_ONCE(net->ipv4.sysctl_igmp_llm_reports)) continue; =20 /* a failover is happening and switches --=20 2.35.1 From nobody Wed Apr 15 02:54:32 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 755B2C04A68 for ; Wed, 27 Jul 2022 16:40:04 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S239322AbiG0QkD (ORCPT ); Wed, 27 Jul 2022 12:40:03 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:58818 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S239488AbiG0QjR (ORCPT ); Wed, 27 Jul 2022 12:39:17 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 9334B5A2F4; Wed, 27 Jul 2022 09:28:53 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id BA4EF619FD; Wed, 27 Jul 2022 16:28:51 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 890B0C433B5; Wed, 27 Jul 2022 16:28:50 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1658939331; bh=nvdpweDSvH25oGsOsk++jLEIfRIAZLkJciKbzP7y+4Q=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=fytYhCy5v5FM/hJ7vmM5bjU+A6MCeL2wKiCKi1Lkdx6dx8dr7pnwxALtlvZLMt4w0 4NPDhJaGl14F0o1VF47uTkwcMgaIYSzlAk2vh36tY/dXkOeCM4mLHvCULFXtSTJCHu 0/UrOJ+OwbCwNqOyspl1+U7cNJH1/WXb1gXr3jPo= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Kuniyuki Iwashima , "David S. Miller" , Sasha Levin Subject: [PATCH 5.4 31/87] igmp: Fix a data-race around sysctl_igmp_max_memberships. Date: Wed, 27 Jul 2022 18:10:24 +0200 Message-Id: <20220727161010.305028034@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220727161008.993711844@linuxfoundation.org> References: <20220727161008.993711844@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Kuniyuki Iwashima [ Upstream commit 6305d821e3b9b5379d348528e5b5faf316383bc2 ] While reading sysctl_igmp_max_memberships, it can be changed concurrently. Thus, we need to add READ_ONCE() to its reader. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller Signed-off-by: Sasha Levin Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- net/ipv4/igmp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/ipv4/igmp.c b/net/ipv4/igmp.c index 7cd444d75c3d..660b41040c77 100644 --- a/net/ipv4/igmp.c +++ b/net/ipv4/igmp.c @@ -2199,7 +2199,7 @@ static int __ip_mc_join_group(struct sock *sk, struct= ip_mreqn *imr, count++; } err =3D -ENOBUFS; - if (count >=3D net->ipv4.sysctl_igmp_max_memberships) + if (count >=3D READ_ONCE(net->ipv4.sysctl_igmp_max_memberships)) goto done; iml =3D sock_kmalloc(sk, sizeof(*iml), GFP_KERNEL); if (!iml) --=20 2.35.1 From nobody Wed Apr 15 02:54:32 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7CDB4C19F28 for ; Wed, 27 Jul 2022 16:41:06 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S239589AbiG0QlE (ORCPT ); Wed, 27 Jul 2022 12:41:04 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:59260 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S239364AbiG0Qkb (ORCPT ); Wed, 27 Jul 2022 12:40:31 -0400 Received: from sin.source.kernel.org (sin.source.kernel.org [145.40.73.55]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id C0415501B2; Wed, 27 Jul 2022 09:29:16 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sin.source.kernel.org (Postfix) with ESMTPS id 81ADDCE2306; Wed, 27 Jul 2022 16:28:55 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 7E182C433C1; Wed, 27 Jul 2022 16:28:53 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1658939333; bh=qfc80PjfPEUearY1dyeeFB41M0gukcu/UQMDhEj44sM=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=M2Z8teRVaVXywboH2VNCRgq+lw39I4CbljU0Dw6lBGIsmlqMlktdhy2z1N8z10MIp rLSN+/tqrklu4MFp9jtYFCCU6rKdxl/wn+eZEonIWma9nKRlofDkZz2FQEjupeF6v0 W8Ugs4E4G16+M6kUhsnG/k3qAYTn4IQL3rHiHzbg= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Kuniyuki Iwashima , "David S. Miller" , Sasha Levin Subject: [PATCH 5.4 32/87] tcp: Fix data-races around sysctl_tcp_syncookies. Date: Wed, 27 Jul 2022 18:10:25 +0200 Message-Id: <20220727161010.353268949@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220727161008.993711844@linuxfoundation.org> References: <20220727161008.993711844@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Kuniyuki Iwashima [ Upstream commit f2e383b5bb6bbc60a0b94b87b3e49a2b1aefd11e ] While reading sysctl_tcp_syncookies, it can be changed concurrently. Thus, we need to add READ_ONCE() to its readers. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller Signed-off-by: Sasha Levin Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- net/core/filter.c | 4 ++-- net/ipv4/syncookies.c | 3 ++- net/ipv4/tcp_input.c | 20 ++++++++++++-------- net/ipv6/syncookies.c | 3 ++- 4 files changed, 18 insertions(+), 12 deletions(-) diff --git a/net/core/filter.c b/net/core/filter.c index 75f53b5e6389..72bf78032f45 100644 --- a/net/core/filter.c +++ b/net/core/filter.c @@ -5839,7 +5839,7 @@ BPF_CALL_5(bpf_tcp_check_syncookie, struct sock *, sk= , void *, iph, u32, iph_len if (sk->sk_protocol !=3D IPPROTO_TCP || sk->sk_state !=3D TCP_LISTEN) return -EINVAL; =20 - if (!sock_net(sk)->ipv4.sysctl_tcp_syncookies) + if (!READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_syncookies)) return -EINVAL; =20 if (!th->ack || th->rst || th->syn) @@ -5914,7 +5914,7 @@ BPF_CALL_5(bpf_tcp_gen_syncookie, struct sock *, sk, = void *, iph, u32, iph_len, if (sk->sk_protocol !=3D IPPROTO_TCP || sk->sk_state !=3D TCP_LISTEN) return -EINVAL; =20 - if (!sock_net(sk)->ipv4.sysctl_tcp_syncookies) + if (!READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_syncookies)) return -ENOENT; =20 if (!th->syn || th->ack || th->fin || th->rst) diff --git a/net/ipv4/syncookies.c b/net/ipv4/syncookies.c index 6811174ad518..f1cbf8911844 100644 --- a/net/ipv4/syncookies.c +++ b/net/ipv4/syncookies.c @@ -297,7 +297,8 @@ struct sock *cookie_v4_check(struct sock *sk, struct sk= _buff *skb) struct flowi4 fl4; u32 tsoff =3D 0; =20 - if (!sock_net(sk)->ipv4.sysctl_tcp_syncookies || !th->ack || th->rst) + if (!READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_syncookies) || + !th->ack || th->rst) goto out; =20 if (tcp_synq_no_recent_overflow(sk)) diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c index 0808110451a0..85204903b2fa 100644 --- a/net/ipv4/tcp_input.c +++ b/net/ipv4/tcp_input.c @@ -6530,11 +6530,14 @@ static bool tcp_syn_flood_action(const struct sock = *sk, const char *proto) { struct request_sock_queue *queue =3D &inet_csk(sk)->icsk_accept_queue; const char *msg =3D "Dropping request"; - bool want_cookie =3D false; struct net *net =3D sock_net(sk); + bool want_cookie =3D false; + u8 syncookies; + + syncookies =3D READ_ONCE(net->ipv4.sysctl_tcp_syncookies); =20 #ifdef CONFIG_SYN_COOKIES - if (net->ipv4.sysctl_tcp_syncookies) { + if (syncookies) { msg =3D "Sending cookies"; want_cookie =3D true; __NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPREQQFULLDOCOOKIES); @@ -6542,8 +6545,7 @@ static bool tcp_syn_flood_action(const struct sock *s= k, const char *proto) #endif __NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPREQQFULLDROP); =20 - if (!queue->synflood_warned && - net->ipv4.sysctl_tcp_syncookies !=3D 2 && + if (!queue->synflood_warned && syncookies !=3D 2 && xchg(&queue->synflood_warned, 1) =3D=3D 0) net_info_ratelimited("%s: Possible SYN flooding on port %d. %s. Check S= NMP counters.\n", proto, sk->sk_num, msg); @@ -6578,7 +6580,7 @@ u16 tcp_get_syncookie_mss(struct request_sock_ops *rs= k_ops, struct tcp_sock *tp =3D tcp_sk(sk); u16 mss; =20 - if (sock_net(sk)->ipv4.sysctl_tcp_syncookies !=3D 2 && + if (READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_syncookies) !=3D 2 && !inet_csk_reqsk_queue_is_full(sk)) return 0; =20 @@ -6612,13 +6614,15 @@ int tcp_conn_request(struct request_sock_ops *rsk_o= ps, bool want_cookie =3D false; struct dst_entry *dst; struct flowi fl; + u8 syncookies; + + syncookies =3D READ_ONCE(net->ipv4.sysctl_tcp_syncookies); =20 /* TW buckets are converted to open requests without * limitations, they conserve resources and peer is * evidently real one. */ - if ((net->ipv4.sysctl_tcp_syncookies =3D=3D 2 || - inet_csk_reqsk_queue_is_full(sk)) && !isn) { + if ((syncookies =3D=3D 2 || inet_csk_reqsk_queue_is_full(sk)) && !isn) { want_cookie =3D tcp_syn_flood_action(sk, rsk_ops->slab_name); if (!want_cookie) goto drop; @@ -6669,7 +6673,7 @@ int tcp_conn_request(struct request_sock_ops *rsk_ops, =20 if (!want_cookie && !isn) { /* Kill the following clause, if you dislike this way. */ - if (!net->ipv4.sysctl_tcp_syncookies && + if (!syncookies && (net->ipv4.sysctl_max_syn_backlog - inet_csk_reqsk_queue_len(sk) < (net->ipv4.sysctl_max_syn_backlog >> 2)) && !tcp_peer_is_proven(req, dst)) { diff --git a/net/ipv6/syncookies.c b/net/ipv6/syncookies.c index 37ab254f7b92..7e5550546594 100644 --- a/net/ipv6/syncookies.c +++ b/net/ipv6/syncookies.c @@ -141,7 +141,8 @@ struct sock *cookie_v6_check(struct sock *sk, struct sk= _buff *skb) __u8 rcv_wscale; u32 tsoff =3D 0; =20 - if (!sock_net(sk)->ipv4.sysctl_tcp_syncookies || !th->ack || th->rst) + if (!READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_syncookies) || + !th->ack || th->rst) goto out; =20 if (tcp_synq_no_recent_overflow(sk)) --=20 2.35.1 From nobody Wed Apr 15 02:54:32 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 48F22C19F28 for ; Wed, 27 Jul 2022 16:41:10 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S239125AbiG0QlI (ORCPT ); Wed, 27 Jul 2022 12:41:08 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:59252 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S239368AbiG0Qkb (ORCPT ); Wed, 27 Jul 2022 12:40:31 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [145.40.68.75]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id DFD6950700; Wed, 27 Jul 2022 09:29:16 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id C994FB821A6; Wed, 27 Jul 2022 16:28:57 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 38007C433D6; Wed, 27 Jul 2022 16:28:56 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1658939336; bh=t3CnBmcD+LT6G1iHkSIuNBXTyq8RhYimYHocL13RKE0=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=mQzo90KASdi/XnPfEjACqO+8zsB3zakZYWXlywcj0Gz9FeLQksK6Fbfo+QlCDrEJk DxtCplBLSMM6NiRFcUNGQs/O076Vx3p005+9exg3AdAkPJebo/JfXT+uRX0TOSXRHv 1RGkCke7HrFrO62wlP45Iqd0E392AMAt/yotoALk= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Kuniyuki Iwashima , "David S. Miller" , Sasha Levin Subject: [PATCH 5.4 33/87] tcp: Fix data-races around sysctl_tcp_reordering. Date: Wed, 27 Jul 2022 18:10:26 +0200 Message-Id: <20220727161010.397413838@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220727161008.993711844@linuxfoundation.org> References: <20220727161008.993711844@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Kuniyuki Iwashima [ Upstream commit 46778cd16e6a5ad1b2e3a91f6c057c907379418e ] While reading sysctl_tcp_reordering, it can be changed concurrently. Thus, we need to add READ_ONCE() to its readers. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller Signed-off-by: Sasha Levin Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- net/ipv4/tcp.c | 2 +- net/ipv4/tcp_input.c | 10 +++++++--- net/ipv4/tcp_metrics.c | 3 ++- 3 files changed, 10 insertions(+), 5 deletions(-) diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c index 4815cf72569e..790246011fff 100644 --- a/net/ipv4/tcp.c +++ b/net/ipv4/tcp.c @@ -437,7 +437,7 @@ void tcp_init_sock(struct sock *sk) tp->snd_cwnd_clamp =3D ~0; tp->mss_cache =3D TCP_MSS_DEFAULT; =20 - tp->reordering =3D sock_net(sk)->ipv4.sysctl_tcp_reordering; + tp->reordering =3D READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_reordering); tcp_assign_congestion_control(sk); =20 tp->tsoffset =3D 0; diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c index 85204903b2fa..fbdb5de29a97 100644 --- a/net/ipv4/tcp_input.c +++ b/net/ipv4/tcp_input.c @@ -1994,6 +1994,7 @@ void tcp_enter_loss(struct sock *sk) struct tcp_sock *tp =3D tcp_sk(sk); struct net *net =3D sock_net(sk); bool new_recovery =3D icsk->icsk_ca_state < TCP_CA_Recovery; + u8 reordering; =20 tcp_timeout_mark_lost(sk); =20 @@ -2014,10 +2015,12 @@ void tcp_enter_loss(struct sock *sk) /* Timeout in disordered state after receiving substantial DUPACKs * suggests that the degree of reordering is over-estimated. */ + reordering =3D READ_ONCE(net->ipv4.sysctl_tcp_reordering); if (icsk->icsk_ca_state <=3D TCP_CA_Disorder && - tp->sacked_out >=3D net->ipv4.sysctl_tcp_reordering) + tp->sacked_out >=3D reordering) tp->reordering =3D min_t(unsigned int, tp->reordering, - net->ipv4.sysctl_tcp_reordering); + reordering); + tcp_set_ca_state(sk, TCP_CA_Loss); tp->high_seq =3D tp->snd_nxt; tcp_ecn_queue_cwr(tp); @@ -3319,7 +3322,8 @@ static inline bool tcp_may_raise_cwnd(const struct so= ck *sk, const int flag) * new SACK or ECE mark may first advance cwnd here and later reduce * cwnd in tcp_fastretrans_alert() based on more states. */ - if (tcp_sk(sk)->reordering > sock_net(sk)->ipv4.sysctl_tcp_reordering) + if (tcp_sk(sk)->reordering > + READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_reordering)) return flag & FLAG_FORWARD_PROGRESS; =20 return flag & FLAG_DATA_ACKED; diff --git a/net/ipv4/tcp_metrics.c b/net/ipv4/tcp_metrics.c index c4848e7a0aad..9a7d8a599857 100644 --- a/net/ipv4/tcp_metrics.c +++ b/net/ipv4/tcp_metrics.c @@ -425,7 +425,8 @@ void tcp_update_metrics(struct sock *sk) if (!tcp_metric_locked(tm, TCP_METRIC_REORDERING)) { val =3D tcp_metric_get(tm, TCP_METRIC_REORDERING); if (val < tp->reordering && - tp->reordering !=3D net->ipv4.sysctl_tcp_reordering) + tp->reordering !=3D + READ_ONCE(net->ipv4.sysctl_tcp_reordering)) tcp_metric_set(tm, TCP_METRIC_REORDERING, tp->reordering); } --=20 2.35.1 From nobody Wed Apr 15 02:54:32 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 526C0C19F2B for ; Wed, 27 Jul 2022 16:40:25 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S239467AbiG0QkY (ORCPT ); Wed, 27 Jul 2022 12:40:24 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:58250 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S238729AbiG0Qj2 (ORCPT ); Wed, 27 Jul 2022 12:39:28 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 37A755A2D6; Wed, 27 Jul 2022 09:29:01 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id A686EB821C8; Wed, 27 Jul 2022 16:29:00 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id E7543C433C1; Wed, 27 Jul 2022 16:28:58 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1658939339; bh=8p7JnuXE9u0JMF/wryTpy0J+AHjq54jUbxHU1zH7/Fo=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=0/i2s2Z1pyoRdufFwKyG8LwJDz7WRt3iDD6dxBElVmiDpAqq5axWf5aANzmCWGnc2 K6Tdq1GgD+THoM36PaakxZD+ec9AQpQ02LP3Wrj94MKDZPNTSEeQICVO1tAkY3FAwa xK1vyP/6CTB0SXpNiZM7mzxhLhc8KceXIBHjUAkI= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Kuniyuki Iwashima , "David S. Miller" , Sasha Levin Subject: [PATCH 5.4 34/87] tcp: Fix data-races around some timeout sysctl knobs. Date: Wed, 27 Jul 2022 18:10:27 +0200 Message-Id: <20220727161010.445073647@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220727161008.993711844@linuxfoundation.org> References: <20220727161008.993711844@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Kuniyuki Iwashima [ Upstream commit 39e24435a776e9de5c6dd188836cf2523547804b ] While reading these sysctl knobs, they can be changed concurrently. Thus, we need to add READ_ONCE() to their readers. - tcp_retries1 - tcp_retries2 - tcp_orphan_retries - tcp_fin_timeout Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller Signed-off-by: Sasha Levin Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- include/net/tcp.h | 3 ++- net/ipv4/tcp.c | 2 +- net/ipv4/tcp_output.c | 2 +- net/ipv4/tcp_timer.c | 10 +++++----- 4 files changed, 9 insertions(+), 8 deletions(-) diff --git a/include/net/tcp.h b/include/net/tcp.h index 65be8bd1f0f4..96dae0937998 100644 --- a/include/net/tcp.h +++ b/include/net/tcp.h @@ -1465,7 +1465,8 @@ static inline u32 keepalive_time_elapsed(const struct= tcp_sock *tp) =20 static inline int tcp_fin_time(const struct sock *sk) { - int fin_timeout =3D tcp_sk(sk)->linger2 ? : sock_net(sk)->ipv4.sysctl_tcp= _fin_timeout; + int fin_timeout =3D tcp_sk(sk)->linger2 ? : + READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_fin_timeout); const int rto =3D inet_csk(sk)->icsk_rto; =20 if (fin_timeout < (rto << 2) - (rto >> 1)) diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c index 790246011fff..333d221e0717 100644 --- a/net/ipv4/tcp.c +++ b/net/ipv4/tcp.c @@ -3466,7 +3466,7 @@ static int do_tcp_getsockopt(struct sock *sk, int lev= el, case TCP_LINGER2: val =3D tp->linger2; if (val >=3D 0) - val =3D (val ? : net->ipv4.sysctl_tcp_fin_timeout) / HZ; + val =3D (val ? : READ_ONCE(net->ipv4.sysctl_tcp_fin_timeout)) / HZ; break; case TCP_DEFER_ACCEPT: val =3D retrans_to_secs(icsk->icsk_accept_queue.rskq_defer_accept, diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c index 9bfe6965b873..8b602a202acb 100644 --- a/net/ipv4/tcp_output.c +++ b/net/ipv4/tcp_output.c @@ -3847,7 +3847,7 @@ void tcp_send_probe0(struct sock *sk) =20 icsk->icsk_probes_out++; if (err <=3D 0) { - if (icsk->icsk_backoff < net->ipv4.sysctl_tcp_retries2) + if (icsk->icsk_backoff < READ_ONCE(net->ipv4.sysctl_tcp_retries2)) icsk->icsk_backoff++; timeout =3D tcp_probe0_when(sk, TCP_RTO_MAX); } else { diff --git a/net/ipv4/tcp_timer.c b/net/ipv4/tcp_timer.c index c48aeaef3ec7..26da44e196ed 100644 --- a/net/ipv4/tcp_timer.c +++ b/net/ipv4/tcp_timer.c @@ -143,7 +143,7 @@ static int tcp_out_of_resources(struct sock *sk, bool d= o_reset) */ static int tcp_orphan_retries(struct sock *sk, bool alive) { - int retries =3D sock_net(sk)->ipv4.sysctl_tcp_orphan_retries; /* May be z= ero. */ + int retries =3D READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_orphan_retries); = /* May be zero. */ =20 /* We know from an ICMP that something is wrong. */ if (sk->sk_err_soft && !alive) @@ -245,7 +245,7 @@ static int tcp_write_timeout(struct sock *sk) retry_until =3D icsk->icsk_syn_retries ? : net->ipv4.sysctl_tcp_syn_retr= ies; expired =3D icsk->icsk_retransmits >=3D retry_until; } else { - if (retransmits_timed_out(sk, net->ipv4.sysctl_tcp_retries1, 0)) { + if (retransmits_timed_out(sk, READ_ONCE(net->ipv4.sysctl_tcp_retries1), = 0)) { /* Black hole detection */ tcp_mtu_probing(icsk, sk); =20 @@ -254,7 +254,7 @@ static int tcp_write_timeout(struct sock *sk) sk_rethink_txhash(sk); } =20 - retry_until =3D net->ipv4.sysctl_tcp_retries2; + retry_until =3D READ_ONCE(net->ipv4.sysctl_tcp_retries2); if (sock_flag(sk, SOCK_DEAD)) { const bool alive =3D icsk->icsk_rto < TCP_RTO_MAX; =20 @@ -381,7 +381,7 @@ static void tcp_probe_timer(struct sock *sk) msecs_to_jiffies(icsk->icsk_user_timeout)) goto abort; =20 - max_probes =3D sock_net(sk)->ipv4.sysctl_tcp_retries2; + max_probes =3D READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_retries2); if (sock_flag(sk, SOCK_DEAD)) { const bool alive =3D inet_csk_rto_backoff(icsk, TCP_RTO_MAX) < TCP_RTO_M= AX; =20 @@ -580,7 +580,7 @@ void tcp_retransmit_timer(struct sock *sk) } inet_csk_reset_xmit_timer(sk, ICSK_TIME_RETRANS, tcp_clamp_rto_to_user_timeout(sk), TCP_RTO_MAX); - if (retransmits_timed_out(sk, net->ipv4.sysctl_tcp_retries1 + 1, 0)) + if (retransmits_timed_out(sk, READ_ONCE(net->ipv4.sysctl_tcp_retries1) + = 1, 0)) __sk_dst_reset(sk); =20 out:; --=20 2.35.1 From nobody Wed Apr 15 02:54:32 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id DE6E8C19F28 for ; Wed, 27 Jul 2022 16:40:33 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S239404AbiG0Qkb (ORCPT ); Wed, 27 Jul 2022 12:40:31 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:59038 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S239267AbiG0Qj6 (ORCPT ); Wed, 27 Jul 2022 12:39:58 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id D1E3D5A2E1; Wed, 27 Jul 2022 09:29:02 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 902A0619FF; Wed, 27 Jul 2022 16:29:02 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 9B90FC433D6; Wed, 27 Jul 2022 16:29:01 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1658939342; bh=hIyq/tvHoqeUfw029S6sg871jl0PvQrhEjvANFwJBWY=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=XQXDa+pryaCPe+W8QM1H8XYqsuNgWlcZ/SvMQYTyMO3fsbUaAAb1d/iN6nJrfkLq7 ZQTFIAt5Z/Bw/eAtWCFb7aU4yrltrwfhr2KtKP5y3UGlpigTNt1z/06aOh1FGcqkhH IhikwnGT3TohHg+HermwqJJgt641NF//JEPqyM9I= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Kuniyuki Iwashima , "David S. Miller" , Sasha Levin Subject: [PATCH 5.4 35/87] tcp: Fix a data-race around sysctl_tcp_notsent_lowat. Date: Wed, 27 Jul 2022 18:10:28 +0200 Message-Id: <20220727161010.484414536@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220727161008.993711844@linuxfoundation.org> References: <20220727161008.993711844@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Kuniyuki Iwashima [ Upstream commit 55be873695ed8912eb77ff46d1d1cadf028bd0f3 ] While reading sysctl_tcp_notsent_lowat, it can be changed concurrently. Thus, we need to add READ_ONCE() to its reader. Fixes: c9bee3b7fdec ("tcp: TCP_NOTSENT_LOWAT socket option") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller Signed-off-by: Sasha Levin Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- include/net/tcp.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/net/tcp.h b/include/net/tcp.h index 96dae0937998..eb984ec22f22 100644 --- a/include/net/tcp.h +++ b/include/net/tcp.h @@ -1947,7 +1947,7 @@ void __tcp_v4_send_check(struct sk_buff *skb, __be32 = saddr, __be32 daddr); static inline u32 tcp_notsent_lowat(const struct tcp_sock *tp) { struct net *net =3D sock_net((struct sock *)tp); - return tp->notsent_lowat ?: net->ipv4.sysctl_tcp_notsent_lowat; + return tp->notsent_lowat ?: READ_ONCE(net->ipv4.sysctl_tcp_notsent_lowat); } =20 /* @wake is one when sk_stream_write_space() calls us. --=20 2.35.1 From nobody Wed Apr 15 02:54:32 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id A1460C04A68 for ; Wed, 27 Jul 2022 16:41:13 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S239418AbiG0QlM (ORCPT ); Wed, 27 Jul 2022 12:41:12 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:58198 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S238535AbiG0Qke (ORCPT ); Wed, 27 Jul 2022 12:40:34 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [145.40.68.75]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 3A255501A1; Wed, 27 Jul 2022 09:29:20 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id DFCE7B821B7; Wed, 27 Jul 2022 16:29:05 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 530B5C433C1; Wed, 27 Jul 2022 16:29:04 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1658939344; bh=/ciaY/hwux9z8FoKIievm1p7/Dd8DlPPouRdBKJ9vhE=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=SgM7g5ysa4C2j55KWwUbJlmLGQYQ/cLULGQmgSrJJqzzUEJgH44ukp1RiViWP5Ft8 Qwh0nGmLfFSm9pREJprKZeD5HQ2MPW8h2oYcRBpLJSWIsvemjZ33G6iAQKRm6hV0tl fdlG4WhWYxjQO+yGq2oc5PUGqUNmzODwcHq8DgcY= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Kuniyuki Iwashima , "David S. Miller" , Sasha Levin Subject: [PATCH 5.4 36/87] tcp: Fix a data-race around sysctl_tcp_tw_reuse. Date: Wed, 27 Jul 2022 18:10:29 +0200 Message-Id: <20220727161010.514233407@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220727161008.993711844@linuxfoundation.org> References: <20220727161008.993711844@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Kuniyuki Iwashima [ Upstream commit cbfc6495586a3f09f6f07d9fb3c7cafe807e3c55 ] While reading sysctl_tcp_tw_reuse, it can be changed concurrently. Thus, we need to add READ_ONCE() to its reader. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller Signed-off-by: Sasha Levin Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- net/ipv4/tcp_ipv4.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c index 72fe93ace7d7..b95e1a3487c8 100644 --- a/net/ipv4/tcp_ipv4.c +++ b/net/ipv4/tcp_ipv4.c @@ -105,10 +105,10 @@ static u32 tcp_v4_init_ts_off(const struct net *net, = const struct sk_buff *skb) =20 int tcp_twsk_unique(struct sock *sk, struct sock *sktw, void *twp) { + int reuse =3D READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_tw_reuse); const struct inet_timewait_sock *tw =3D inet_twsk(sktw); const struct tcp_timewait_sock *tcptw =3D tcp_twsk(sktw); struct tcp_sock *tp =3D tcp_sk(sk); - int reuse =3D sock_net(sk)->ipv4.sysctl_tcp_tw_reuse; =20 if (reuse =3D=3D 2) { /* Still does not detect *everything* that goes through --=20 2.35.1 From nobody Wed Apr 15 02:54:32 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id D04D4C04A68 for ; Wed, 27 Jul 2022 16:40:51 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S239092AbiG0Qku (ORCPT ); Wed, 27 Jul 2022 12:40:50 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:58304 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S238617AbiG0QkW (ORCPT ); Wed, 27 Jul 2022 12:40:22 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 3B7E650183; Wed, 27 Jul 2022 09:29:10 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 2444861A24; Wed, 27 Jul 2022 16:29:08 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 090D5C433C1; Wed, 27 Jul 2022 16:29:06 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1658939347; bh=vtGg6SI/q50xKoMLxFbsX/Do7BdAGDv3823ufYQsLdI=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=A0YZFp+EOmAIziIN42oO5NX0ddcqsO56RKBVcFWu9uI0OepsdrDNumfB5MjXyYCsg Br9VAqSCDd2bWJ5L/ziz1R8UqJp2ZmbgEuFssJf7FuHbeaMtSh51wasHpyI8btzXx3 +0J9pl4SVFg8XxNHpElTb2fC8oYtWp18mV+efyy4= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Kuniyuki Iwashima , "David S. Miller" , Sasha Levin Subject: [PATCH 5.4 37/87] tcp: Fix data-races around sysctl_max_syn_backlog. Date: Wed, 27 Jul 2022 18:10:30 +0200 Message-Id: <20220727161010.553776187@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220727161008.993711844@linuxfoundation.org> References: <20220727161008.993711844@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Kuniyuki Iwashima [ Upstream commit 79539f34743d3e14cc1fa6577d326a82cc64d62f ] While reading sysctl_max_syn_backlog, it can be changed concurrently. Thus, we need to add READ_ONCE() to its readers. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller Signed-off-by: Sasha Levin Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- net/ipv4/tcp_input.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c index fbdb5de29a97..c1f26603cd2c 100644 --- a/net/ipv4/tcp_input.c +++ b/net/ipv4/tcp_input.c @@ -6676,10 +6676,12 @@ int tcp_conn_request(struct request_sock_ops *rsk_o= ps, goto drop_and_free; =20 if (!want_cookie && !isn) { + int max_syn_backlog =3D READ_ONCE(net->ipv4.sysctl_max_syn_backlog); + /* Kill the following clause, if you dislike this way. */ if (!syncookies && - (net->ipv4.sysctl_max_syn_backlog - inet_csk_reqsk_queue_len(sk) < - (net->ipv4.sysctl_max_syn_backlog >> 2)) && + (max_syn_backlog - inet_csk_reqsk_queue_len(sk) < + (max_syn_backlog >> 2)) && !tcp_peer_is_proven(req, dst)) { /* Without syncookies last quarter of * backlog is filled with destinations, --=20 2.35.1 From nobody Wed Apr 15 02:54:32 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 00A44C19F2B for ; Wed, 27 Jul 2022 16:41:17 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S239617AbiG0QlQ (ORCPT ); Wed, 27 Jul 2022 12:41:16 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:35414 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S239518AbiG0Qkq (ORCPT ); Wed, 27 Jul 2022 12:40:46 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [145.40.68.75]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id C9BFE5070F; Wed, 27 Jul 2022 09:29:20 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id BD5C8B821BA; Wed, 27 Jul 2022 16:29:11 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id F0F65C433D6; Wed, 27 Jul 2022 16:29:09 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1658939350; bh=Z4UYzcGRaTnpq6XWlbuB7/PvmXxFujGotKImP9Tflyo=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=ArwhYsGC0Hnlg6HI7gB6JweHRaBeFJhoJ6mKn/2cQEUpNX+6gd3BDUj4ylGYQZf5V Hhcc6Gp8nGPnu+5dlDA7Dt9CelTCGY2Qx3XlFo5YXOq8tFXGJVgC0nfa7i/W+AjcfK OwTiQcGirDnCSKGaPDkFsIOfPne5asnoJ/k71p2g= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Kuniyuki Iwashima , Yuchung Cheng , "David S. Miller" , Sasha Levin Subject: [PATCH 5.4 38/87] tcp: Fix data-races around sysctl_tcp_fastopen. Date: Wed, 27 Jul 2022 18:10:31 +0200 Message-Id: <20220727161010.592613490@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220727161008.993711844@linuxfoundation.org> References: <20220727161008.993711844@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Kuniyuki Iwashima [ Upstream commit 5a54213318c43f4009ae158347aa6016e3b9b55a ] While reading sysctl_tcp_fastopen, it can be changed concurrently. Thus, we need to add READ_ONCE() to its readers. Fixes: 2100c8d2d9db ("net-tcp: Fast Open base") Signed-off-by: Kuniyuki Iwashima Acked-by: Yuchung Cheng Signed-off-by: David S. Miller Signed-off-by: Sasha Levin Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- net/ipv4/af_inet.c | 2 +- net/ipv4/tcp.c | 6 ++++-- net/ipv4/tcp_fastopen.c | 4 ++-- 3 files changed, 7 insertions(+), 5 deletions(-) diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c index 06153386776d..d61ca7be6eda 100644 --- a/net/ipv4/af_inet.c +++ b/net/ipv4/af_inet.c @@ -219,7 +219,7 @@ int inet_listen(struct socket *sock, int backlog) * because the socket was in TCP_LISTEN state previously but * was shutdown() rather than close(). */ - tcp_fastopen =3D sock_net(sk)->ipv4.sysctl_tcp_fastopen; + tcp_fastopen =3D READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_fastopen); if ((tcp_fastopen & TFO_SERVER_WO_SOCKOPT1) && (tcp_fastopen & TFO_SERVER_ENABLE) && !inet_csk(sk)->icsk_accept_queue.fastopenq.max_qlen) { diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c index 333d221e0717..4b31f6e9ec61 100644 --- a/net/ipv4/tcp.c +++ b/net/ipv4/tcp.c @@ -1148,7 +1148,8 @@ static int tcp_sendmsg_fastopen(struct sock *sk, stru= ct msghdr *msg, struct sockaddr *uaddr =3D msg->msg_name; int err, flags; =20 - if (!(sock_net(sk)->ipv4.sysctl_tcp_fastopen & TFO_CLIENT_ENABLE) || + if (!(READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_fastopen) & + TFO_CLIENT_ENABLE) || (uaddr && msg->msg_namelen >=3D sizeof(uaddr->sa_family) && uaddr->sa_family =3D=3D AF_UNSPEC)) return -EOPNOTSUPP; @@ -3127,7 +3128,8 @@ static int do_tcp_setsockopt(struct sock *sk, int lev= el, case TCP_FASTOPEN_CONNECT: if (val > 1 || val < 0) { err =3D -EINVAL; - } else if (net->ipv4.sysctl_tcp_fastopen & TFO_CLIENT_ENABLE) { + } else if (READ_ONCE(net->ipv4.sysctl_tcp_fastopen) & + TFO_CLIENT_ENABLE) { if (sk->sk_state =3D=3D TCP_CLOSE) tp->fastopen_connect =3D val; else diff --git a/net/ipv4/tcp_fastopen.c b/net/ipv4/tcp_fastopen.c index a5ec77a5ad6f..21705b2ddaff 100644 --- a/net/ipv4/tcp_fastopen.c +++ b/net/ipv4/tcp_fastopen.c @@ -349,7 +349,7 @@ static bool tcp_fastopen_no_cookie(const struct sock *s= k, const struct dst_entry *dst, int flag) { - return (sock_net(sk)->ipv4.sysctl_tcp_fastopen & flag) || + return (READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_fastopen) & flag) || tcp_sk(sk)->fastopen_no_cookie || (dst && dst_metric(dst, RTAX_FASTOPEN_NO_COOKIE)); } @@ -364,7 +364,7 @@ struct sock *tcp_try_fastopen(struct sock *sk, struct s= k_buff *skb, const struct dst_entry *dst) { bool syn_data =3D TCP_SKB_CB(skb)->end_seq !=3D TCP_SKB_CB(skb)->seq + 1; - int tcp_fastopen =3D sock_net(sk)->ipv4.sysctl_tcp_fastopen; + int tcp_fastopen =3D READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_fastopen); struct tcp_fastopen_cookie valid_foc =3D { .len =3D -1 }; struct sock *child; int ret =3D 0; --=20 2.35.1 From nobody Wed Apr 15 02:54:32 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 9FBEBC04A68 for ; Wed, 27 Jul 2022 16:41:00 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S239473AbiG0Qk6 (ORCPT ); Wed, 27 Jul 2022 12:40:58 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:59184 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S239486AbiG0Qka (ORCPT ); Wed, 27 Jul 2022 12:40:30 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 9AB94501AC; Wed, 27 Jul 2022 09:29:16 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 676D5B821C2; Wed, 27 Jul 2022 16:29:14 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id B98F8C433D6; Wed, 27 Jul 2022 16:29:12 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1658939353; bh=tgPNGXPOkBAd7r6Ni+4X8q4Ck+twZNZSzRrprPQ2w5s=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=ludhTKWYbEbcIDM3LbK682452e9JMna5wHqJC+Fgy7q1/8HLNXw82RBUZGURguPTz 9nys4vGmIUVFguEoa+AgkDYVYbS+UcaQRAoz+9pLMlseCpzHe7vsm7ilCuz8EfXaNp uWxxvfQwgO/2rdTiENbwzFeRincMvSEwhYCMxdkg= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Przemyslaw Patynowski , Jesse Brandeburg , Konrad Jankowski , Tony Nguyen , Sasha Levin Subject: [PATCH 5.4 39/87] iavf: Fix handling of dummy receive descriptors Date: Wed, 27 Jul 2022 18:10:32 +0200 Message-Id: <20220727161010.640531326@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220727161008.993711844@linuxfoundation.org> References: <20220727161008.993711844@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Przemyslaw Patynowski [ Upstream commit a9f49e0060301a9bfebeca76739158d0cf91cdf6 ] Fix memory leak caused by not handling dummy receive descriptor properly. iavf_get_rx_buffer now sets the rx_buffer return value for dummy receive descriptors. Without this patch, when the hardware writes a dummy descriptor, iavf would not free the page allocated for the previous receive buffer. This is an unlikely event but can still happen. [Jesse: massaged commit message] Fixes: efa14c398582 ("iavf: allow null RX descriptors") Signed-off-by: Przemyslaw Patynowski Signed-off-by: Jesse Brandeburg Tested-by: Konrad Jankowski Signed-off-by: Tony Nguyen Signed-off-by: Sasha Levin Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- drivers/net/ethernet/intel/iavf/iavf_txrx.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/drivers/net/ethernet/intel/iavf/iavf_txrx.c b/drivers/net/ethe= rnet/intel/iavf/iavf_txrx.c index 7a30d5d5ef53..c6905d1b6182 100644 --- a/drivers/net/ethernet/intel/iavf/iavf_txrx.c +++ b/drivers/net/ethernet/intel/iavf/iavf_txrx.c @@ -1263,11 +1263,10 @@ static struct iavf_rx_buffer *iavf_get_rx_buffer(st= ruct iavf_ring *rx_ring, { struct iavf_rx_buffer *rx_buffer; =20 - if (!size) - return NULL; - rx_buffer =3D &rx_ring->rx_bi[rx_ring->next_to_clean]; prefetchw(rx_buffer->page); + if (!size) + return rx_buffer; =20 /* we are reusing so sync this buffer for CPU use */ dma_sync_single_range_for_cpu(rx_ring->dev, --=20 2.35.1 From nobody Wed Apr 15 02:54:32 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7416BC04A68 for ; Wed, 27 Jul 2022 16:41:04 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S239405AbiG0QlC (ORCPT ); Wed, 27 Jul 2022 12:41:02 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:59254 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S239363AbiG0Qkb (ORCPT ); Wed, 27 Jul 2022 12:40:31 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id C008B501AE; Wed, 27 Jul 2022 09:29:16 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 6B231619FF; Wed, 27 Jul 2022 16:29:16 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 76CC8C433D6; Wed, 27 Jul 2022 16:29:15 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1658939355; bh=5AXRbgbAlR8mXXL/6o4SYWYsIuY2c56h7/LdvuOFNFA=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=FRFIJ0xRGjKEdeez5M6Ut4I68erQeNNE0GHyA57vVMUg4pNsAUTkViAkykylNZChj VtN+V7lY7oRp0dxv2uHGu7E8sLIBziYW10vgtNfIM/LR5af9JcPAVJQraMjQcCKer7 gCXR3JvC/0w4mu3+Ws1RntDLHBZoivU4NBdHojxM= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Dawid Lukwinski , Jan Sokolowski , Konrad Jankowski , Tony Nguyen , Jakub Kicinski , Sasha Levin Subject: [PATCH 5.4 40/87] i40e: Fix erroneous adapter reinitialization during recovery process Date: Wed, 27 Jul 2022 18:10:33 +0200 Message-Id: <20220727161010.669552423@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220727161008.993711844@linuxfoundation.org> References: <20220727161008.993711844@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Dawid Lukwinski [ Upstream commit f838a63369818faadec4ad1736cfbd20ab5da00e ] Fix an issue when driver incorrectly detects state of recovery process and erroneously reinitializes interrupts, which results in a kernel error and call trace message. The issue was caused by a combination of two factors: 1. Assuming the EMP reset issued after completing firmware recovery means the whole recovery process is complete. 2. Erroneous reinitialization of interrupt vector after detecting the above mentioned EMP reset. Fixes (1) by changing how recovery state change is detected and (2) by adjusting the conditional expression to ensure using proper interrupt reinitialization method, depending on the situation. Fixes: 4ff0ee1af016 ("i40e: Introduce recovery mode support") Signed-off-by: Dawid Lukwinski Signed-off-by: Jan Sokolowski Tested-by: Konrad Jankowski Signed-off-by: Tony Nguyen Link: https://lore.kernel.org/r/20220715214542.2968762-1-anthony.l.nguyen@i= ntel.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- drivers/net/ethernet/intel/i40e/i40e_main.c | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-) diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethe= rnet/intel/i40e/i40e_main.c index 05442bbc218c..0610d344fdbf 100644 --- a/drivers/net/ethernet/intel/i40e/i40e_main.c +++ b/drivers/net/ethernet/intel/i40e/i40e_main.c @@ -10068,7 +10068,7 @@ static int i40e_reset(struct i40e_pf *pf) **/ static void i40e_rebuild(struct i40e_pf *pf, bool reinit, bool lock_acquir= ed) { - int old_recovery_mode_bit =3D test_bit(__I40E_RECOVERY_MODE, pf->state); + const bool is_recovery_mode_reported =3D i40e_check_recovery_mode(pf); struct i40e_vsi *vsi =3D pf->vsi[pf->lan_vsi]; struct i40e_hw *hw =3D &pf->hw; i40e_status ret; @@ -10076,13 +10076,11 @@ static void i40e_rebuild(struct i40e_pf *pf, bool= reinit, bool lock_acquired) int v; =20 if (test_bit(__I40E_EMP_RESET_INTR_RECEIVED, pf->state) && - i40e_check_recovery_mode(pf)) { + is_recovery_mode_reported) i40e_set_ethtool_ops(pf->vsi[pf->lan_vsi]->netdev); - } =20 if (test_bit(__I40E_DOWN, pf->state) && - !test_bit(__I40E_RECOVERY_MODE, pf->state) && - !old_recovery_mode_bit) + !test_bit(__I40E_RECOVERY_MODE, pf->state)) goto clear_recovery; dev_dbg(&pf->pdev->dev, "Rebuilding internal switch\n"); =20 @@ -10109,13 +10107,12 @@ static void i40e_rebuild(struct i40e_pf *pf, bool= reinit, bool lock_acquired) * accordingly with regard to resources initialization * and deinitialization */ - if (test_bit(__I40E_RECOVERY_MODE, pf->state) || - old_recovery_mode_bit) { + if (test_bit(__I40E_RECOVERY_MODE, pf->state)) { if (i40e_get_capabilities(pf, i40e_aqc_opc_list_func_capabilities)) goto end_unlock; =20 - if (test_bit(__I40E_RECOVERY_MODE, pf->state)) { + if (is_recovery_mode_reported) { /* we're staying in recovery mode so we'll reinitialize * misc vector here */ --=20 2.35.1 From nobody Wed Apr 15 02:54:32 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 3FA74C19F28 for ; Wed, 27 Jul 2022 16:41:34 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S239511AbiG0Qld (ORCPT ); Wed, 27 Jul 2022 12:41:33 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:59038 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S239220AbiG0Qkv (ORCPT ); Wed, 27 Jul 2022 12:40:51 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 495D0501AF; Wed, 27 Jul 2022 09:29:24 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id E693A619D6; Wed, 27 Jul 2022 16:29:21 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 040B0C433C1; Wed, 27 Jul 2022 16:29:20 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1658939361; bh=dPxgH9y0o0iFn7kD59PJoQLyk0FOuT+iG7XyVTWrSGo=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=EyVpecaEM4g7njJuW/hxWEMirR8WlmoGUPMhEa1B0vbhQFkZUHNEF6QKRcuyQk2jF 33RrfH7ZzPxZcXnh5eNco4h2z60vD7oB0zOyDtEcZ+9+vgrbF6xqSYrwAGTQTOXYf7 SO9+N8apVwwNExpefrurvg1B7b8OmEDOoMPc2AEg= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Piotr Skajewski , Marek Szlosek , Tony Nguyen , Jakub Kicinski , Sasha Levin Subject: [PATCH 5.4 41/87] ixgbe: Add locking to prevent panic when setting sriov_numvfs to zero Date: Wed, 27 Jul 2022 18:10:34 +0200 Message-Id: <20220727161010.708548924@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220727161008.993711844@linuxfoundation.org> References: <20220727161008.993711844@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Piotr Skajewski [ Upstream commit 1e53834ce541d4fe271cdcca7703e50be0a44f8a ] It is possible to disable VFs while the PF driver is processing requests from the VF driver. This can result in a panic. BUG: unable to handle kernel paging request at 000000000000106c PGD 0 P4D 0 Oops: 0000 [#1] SMP NOPTI CPU: 8 PID: 0 Comm: swapper/8 Kdump: loaded Tainted: G I --------- - Hardware name: Dell Inc. PowerEdge R740/06WXJT, BIOS 2.8.2 08/27/2020 RIP: 0010:ixgbe_msg_task+0x4c8/0x1690 [ixgbe] Code: 00 00 48 8d 04 40 48 c1 e0 05 89 7c 24 24 89 fd 48 89 44 24 10 83 ff 01 0f 84 b8 04 00 00 4c 8b 64 24 10 4d 03 a5 48 22 00 00 <41> 80 7c 24 4c 00 0f 84 8a 03 00 00 0f b7 c7 83 f8 08 0f 84 8f 0a RSP: 0018:ffffb337869f8df8 EFLAGS: 00010002 RAX: 0000000000001020 RBX: 0000000000000000 RCX: 000000000000002b RDX: 0000000000000002 RSI: 0000000000000008 RDI: 0000000000000006 RBP: 0000000000000006 R08: 0000000000000002 R09: 0000000000029780 R10: 00006957d8f42832 R11: 0000000000000000 R12: 0000000000001020 R13: ffff8a00e8978ac0 R14: 000000000000002b R15: ffff8a00e8979c80 FS: 0000000000000000(0000) GS:ffff8a07dfd00000(0000) knlGS:00000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000000000106c CR3: 0000000063e10004 CR4: 00000000007726e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: ? ttwu_do_wakeup+0x19/0x140 ? try_to_wake_up+0x1cd/0x550 ? ixgbevf_update_xcast_mode+0x71/0xc0 [ixgbevf] ixgbe_msix_other+0x17e/0x310 [ixgbe] __handle_irq_event_percpu+0x40/0x180 handle_irq_event_percpu+0x30/0x80 handle_irq_event+0x36/0x53 handle_edge_irq+0x82/0x190 handle_irq+0x1c/0x30 do_IRQ+0x49/0xd0 common_interrupt+0xf/0xf This can be eventually be reproduced with the following script: while : do echo 63 > /sys/class/net//device/sriov_numvfs sleep 1 echo 0 > /sys/class/net//device/sriov_numvfs sleep 1 done Add lock when disabling SR-IOV to prevent process VF mailbox communication. Fixes: d773d1310625 ("ixgbe: Fix memory leak when SR-IOV VFs are direct ass= igned") Signed-off-by: Piotr Skajewski Tested-by: Marek Szlosek Signed-off-by: Tony Nguyen Link: https://lore.kernel.org/r/20220715214456.2968711-1-anthony.l.nguyen@i= ntel.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- drivers/net/ethernet/intel/ixgbe/ixgbe.h | 1 + drivers/net/ethernet/intel/ixgbe/ixgbe_main.c | 3 +++ drivers/net/ethernet/intel/ixgbe/ixgbe_sriov.c | 6 ++++++ 3 files changed, 10 insertions(+) diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe.h b/drivers/net/etherne= t/intel/ixgbe/ixgbe.h index 39e73ad60352..fa49ef2afde5 100644 --- a/drivers/net/ethernet/intel/ixgbe/ixgbe.h +++ b/drivers/net/ethernet/intel/ixgbe/ixgbe.h @@ -773,6 +773,7 @@ struct ixgbe_adapter { #ifdef CONFIG_IXGBE_IPSEC struct ixgbe_ipsec *ipsec; #endif /* CONFIG_IXGBE_IPSEC */ + spinlock_t vfs_lock; }; =20 static inline u8 ixgbe_max_rss_indices(struct ixgbe_adapter *adapter) diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c b/drivers/net/et= hernet/intel/ixgbe/ixgbe_main.c index 8a894e5d923f..f8aa1a0b89c5 100644 --- a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c +++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c @@ -6396,6 +6396,9 @@ static int ixgbe_sw_init(struct ixgbe_adapter *adapte= r, /* n-tuple support exists, always init our spinlock */ spin_lock_init(&adapter->fdir_perfect_lock); =20 + /* init spinlock to avoid concurrency of VF resources */ + spin_lock_init(&adapter->vfs_lock); + #ifdef CONFIG_IXGBE_DCB ixgbe_init_dcb(adapter); #endif diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_sriov.c b/drivers/net/e= thernet/intel/ixgbe/ixgbe_sriov.c index cf5c2b9465eb..0e73e3b1af19 100644 --- a/drivers/net/ethernet/intel/ixgbe/ixgbe_sriov.c +++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_sriov.c @@ -204,10 +204,13 @@ void ixgbe_enable_sriov(struct ixgbe_adapter *adapter= , unsigned int max_vfs) int ixgbe_disable_sriov(struct ixgbe_adapter *adapter) { unsigned int num_vfs =3D adapter->num_vfs, vf; + unsigned long flags; int rss; =20 + spin_lock_irqsave(&adapter->vfs_lock, flags); /* set num VFs to 0 to prevent access to vfinfo */ adapter->num_vfs =3D 0; + spin_unlock_irqrestore(&adapter->vfs_lock, flags); =20 /* put the reference to all of the vf devices */ for (vf =3D 0; vf < num_vfs; ++vf) { @@ -1305,8 +1308,10 @@ static void ixgbe_rcv_ack_from_vf(struct ixgbe_adapt= er *adapter, u32 vf) void ixgbe_msg_task(struct ixgbe_adapter *adapter) { struct ixgbe_hw *hw =3D &adapter->hw; + unsigned long flags; u32 vf; =20 + spin_lock_irqsave(&adapter->vfs_lock, flags); for (vf =3D 0; vf < adapter->num_vfs; vf++) { /* process any reset requests */ if (!ixgbe_check_for_rst(hw, vf)) @@ -1320,6 +1325,7 @@ void ixgbe_msg_task(struct ixgbe_adapter *adapter) if (!ixgbe_check_for_ack(hw, vf)) ixgbe_rcv_ack_from_vf(adapter, vf); } + spin_unlock_irqrestore(&adapter->vfs_lock, flags); } =20 void ixgbe_disable_tx_rx(struct ixgbe_adapter *adapter) --=20 2.35.1 From nobody Wed Apr 15 02:54:32 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 166A2C04A68 for ; Wed, 27 Jul 2022 16:41:41 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S239662AbiG0Qlj (ORCPT ); Wed, 27 Jul 2022 12:41:39 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:59082 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S239221AbiG0Qkv (ORCPT ); Wed, 27 Jul 2022 12:40:51 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id EADDF5140A; Wed, 27 Jul 2022 09:29:24 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id C210E619CB; Wed, 27 Jul 2022 16:29:24 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id CD695C433C1; Wed, 27 Jul 2022 16:29:23 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1658939364; bh=ReCbA0I7f/QWMMwN7Z40JHNUBCBF6sIrguLmZ2hyXRc=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=XA+sWQpri9IsLoHITrzmWuAsFRv5lggoijCDQVwkYdvVa3fsVKoTRPY2o89geFKuY E4ppXba6pp7pKU/KmK1xTisCPWzhSDV8VHm0ha+l2DsbYpvET4+fDeLgjyNexBPtDG BecBFR1RimznKv6kFnHQMCR9UarZyX2RxNbrm0lA= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Haibo Chen , Andy Shevchenko , Bartosz Golaszewski , Sasha Levin Subject: [PATCH 5.4 42/87] gpio: pca953x: only use single read/write for No AI mode Date: Wed, 27 Jul 2022 18:10:35 +0200 Message-Id: <20220727161010.755473777@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220727161008.993711844@linuxfoundation.org> References: <20220727161008.993711844@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Haibo Chen [ Upstream commit db8edaa09d7461ec08672a92a2eef63d5882bb79 ] For the device use NO AI mode(not support auto address increment), only use the single read/write when config the regmap. We meet issue on PCA9557PW on i.MX8QXP/DXL evk board, this device do not support AI mode, but when do the regmap sync, regmap will sync 3 byte data to register 1, logically this means write first data to register 1, write second data to register 2, write third data to register 3. But this device do not support AI mode, finally, these three data write only into register 1 one by one. the reault is the value of register 1 alway equal to the latest data, here is the third data, no operation happened on register 2 and register 3. This is not what we expect. Fixes: 49427232764d ("gpio: pca953x: Perform basic regmap conversion") Signed-off-by: Haibo Chen Reviewed-by: Andy Shevchenko Signed-off-by: Bartosz Golaszewski Signed-off-by: Sasha Levin Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- drivers/gpio/gpio-pca953x.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/gpio/gpio-pca953x.c b/drivers/gpio/gpio-pca953x.c index 54da66d02b0e..317f54f19477 100644 --- a/drivers/gpio/gpio-pca953x.c +++ b/drivers/gpio/gpio-pca953x.c @@ -379,6 +379,9 @@ static const struct regmap_config pca953x_i2c_regmap = =3D { .reg_bits =3D 8, .val_bits =3D 8, =20 + .use_single_read =3D true, + .use_single_write =3D true, + .readable_reg =3D pca953x_readable_register, .writeable_reg =3D pca953x_writeable_register, .volatile_reg =3D pca953x_volatile_register, --=20 2.35.1 From nobody Wed Apr 15 02:54:32 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 871E1C3F6B0 for ; Wed, 27 Jul 2022 16:41:46 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S239486AbiG0Qlo (ORCPT ); Wed, 27 Jul 2022 12:41:44 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:59254 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S239330AbiG0Qk5 (ORCPT ); Wed, 27 Jul 2022 12:40:57 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [145.40.68.75]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 80B255B062; Wed, 27 Jul 2022 09:29:28 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 213DFB821BA; Wed, 27 Jul 2022 16:29:28 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 6E660C433C1; Wed, 27 Jul 2022 16:29:26 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1658939366; bh=z/7Dwzp/pcp1h+43vzTvCGwafd0md7/M+daIXot7BJ4=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=TbFGDAIBh8PXmOEaHWXJyIWkeG0WdKr4appfLsP14c7KSM9pU9x44AkjM1aEQJG1Z +a7oIuTDCkLZKByq32GZ8MpOfLsKj5kGAj/kp52i7ARcLsZ5Pb2JNZAmmzI74OZwZl eby712vtBp91Z2XhbWaqNcjnaU+TN2pQ6pPDD7Bs= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Hristo Venev , Paolo Abeni , Sasha Levin Subject: [PATCH 5.4 43/87] be2net: Fix buffer overflow in be_get_module_eeprom Date: Wed, 27 Jul 2022 18:10:36 +0200 Message-Id: <20220727161010.797200232@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220727161008.993711844@linuxfoundation.org> References: <20220727161008.993711844@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Hristo Venev [ Upstream commit d7241f679a59cfe27f92cb5c6272cb429fb1f7ec ] be_cmd_read_port_transceiver_data assumes that it is given a buffer that is at least PAGE_DATA_LEN long, or twice that if the module supports SFF 8472. However, this is not always the case. Fix this by passing the desired offset and length to be_cmd_read_port_transceiver_data so that we only copy the bytes once. Fixes: e36edd9d26cf ("be2net: add ethtool "-m" option support") Signed-off-by: Hristo Venev Link: https://lore.kernel.org/r/20220716085134.6095-1-hristo@venev.name Signed-off-by: Paolo Abeni Signed-off-by: Sasha Levin Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- drivers/net/ethernet/emulex/benet/be_cmds.c | 10 +++--- drivers/net/ethernet/emulex/benet/be_cmds.h | 2 +- .../net/ethernet/emulex/benet/be_ethtool.c | 31 ++++++++++++------- 3 files changed, 25 insertions(+), 18 deletions(-) diff --git a/drivers/net/ethernet/emulex/benet/be_cmds.c b/drivers/net/ethe= rnet/emulex/benet/be_cmds.c index 649c5c429bd7..1288b5e3d220 100644 --- a/drivers/net/ethernet/emulex/benet/be_cmds.c +++ b/drivers/net/ethernet/emulex/benet/be_cmds.c @@ -2287,7 +2287,7 @@ int be_cmd_get_beacon_state(struct be_adapter *adapte= r, u8 port_num, u32 *state) =20 /* Uses sync mcc */ int be_cmd_read_port_transceiver_data(struct be_adapter *adapter, - u8 page_num, u8 *data) + u8 page_num, u32 off, u32 len, u8 *data) { struct be_dma_mem cmd; struct be_mcc_wrb *wrb; @@ -2321,10 +2321,10 @@ int be_cmd_read_port_transceiver_data(struct be_ada= pter *adapter, req->port =3D cpu_to_le32(adapter->hba_port_num); req->page_num =3D cpu_to_le32(page_num); status =3D be_mcc_notify_wait(adapter); - if (!status) { + if (!status && len > 0) { struct be_cmd_resp_port_type *resp =3D cmd.va; =20 - memcpy(data, resp->page_data, PAGE_DATA_LEN); + memcpy(data, resp->page_data + off, len); } err: mutex_unlock(&adapter->mcc_lock); @@ -2415,7 +2415,7 @@ int be_cmd_query_cable_type(struct be_adapter *adapte= r) int status; =20 status =3D be_cmd_read_port_transceiver_data(adapter, TR_PAGE_A0, - page_data); + 0, PAGE_DATA_LEN, page_data); if (!status) { switch (adapter->phy.interface_type) { case PHY_TYPE_QSFP: @@ -2440,7 +2440,7 @@ int be_cmd_query_sfp_info(struct be_adapter *adapter) int status; =20 status =3D be_cmd_read_port_transceiver_data(adapter, TR_PAGE_A0, - page_data); + 0, PAGE_DATA_LEN, page_data); if (!status) { strlcpy(adapter->phy.vendor_name, page_data + SFP_VENDOR_NAME_OFFSET, SFP_VENDOR_NAME_LEN - 1); diff --git a/drivers/net/ethernet/emulex/benet/be_cmds.h b/drivers/net/ethe= rnet/emulex/benet/be_cmds.h index c30d6d6f0f3a..9e17d6a7ab8c 100644 --- a/drivers/net/ethernet/emulex/benet/be_cmds.h +++ b/drivers/net/ethernet/emulex/benet/be_cmds.h @@ -2427,7 +2427,7 @@ int be_cmd_set_beacon_state(struct be_adapter *adapte= r, u8 port_num, u8 beacon, int be_cmd_get_beacon_state(struct be_adapter *adapter, u8 port_num, u32 *state); int be_cmd_read_port_transceiver_data(struct be_adapter *adapter, - u8 page_num, u8 *data); + u8 page_num, u32 off, u32 len, u8 *data); int be_cmd_query_cable_type(struct be_adapter *adapter); int be_cmd_query_sfp_info(struct be_adapter *adapter); int lancer_cmd_read_object(struct be_adapter *adapter, struct be_dma_mem *= cmd, diff --git a/drivers/net/ethernet/emulex/benet/be_ethtool.c b/drivers/net/e= thernet/emulex/benet/be_ethtool.c index 5bb5abf99588..7cc1f41971c5 100644 --- a/drivers/net/ethernet/emulex/benet/be_ethtool.c +++ b/drivers/net/ethernet/emulex/benet/be_ethtool.c @@ -1339,7 +1339,7 @@ static int be_get_module_info(struct net_device *netd= ev, return -EOPNOTSUPP; =20 status =3D be_cmd_read_port_transceiver_data(adapter, TR_PAGE_A0, - page_data); + 0, PAGE_DATA_LEN, page_data); if (!status) { if (!page_data[SFP_PLUS_SFF_8472_COMP]) { modinfo->type =3D ETH_MODULE_SFF_8079; @@ -1357,25 +1357,32 @@ static int be_get_module_eeprom(struct net_device *= netdev, { struct be_adapter *adapter =3D netdev_priv(netdev); int status; + u32 begin, end; =20 if (!check_privilege(adapter, MAX_PRIVILEGES)) return -EOPNOTSUPP; =20 - status =3D be_cmd_read_port_transceiver_data(adapter, TR_PAGE_A0, - data); - if (status) - goto err; + begin =3D eeprom->offset; + end =3D eeprom->offset + eeprom->len; + + if (begin < PAGE_DATA_LEN) { + status =3D be_cmd_read_port_transceiver_data(adapter, TR_PAGE_A0, begin, + min_t(u32, end, PAGE_DATA_LEN) - begin, + data); + if (status) + goto err; + + data +=3D PAGE_DATA_LEN - begin; + begin =3D PAGE_DATA_LEN; + } =20 - if (eeprom->offset + eeprom->len > PAGE_DATA_LEN) { - status =3D be_cmd_read_port_transceiver_data(adapter, - TR_PAGE_A2, - data + - PAGE_DATA_LEN); + if (end > PAGE_DATA_LEN) { + status =3D be_cmd_read_port_transceiver_data(adapter, TR_PAGE_A2, + begin - PAGE_DATA_LEN, + end - begin, data); if (status) goto err; } - if (eeprom->offset) - memcpy(data, data + eeprom->offset, eeprom->len); err: return be_cmd_status(status); } --=20 2.35.1 From nobody Wed Apr 15 02:54:32 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 8C210C04A68 for ; Wed, 27 Jul 2022 16:41:52 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S239427AbiG0Qlt (ORCPT ); Wed, 27 Jul 2022 12:41:49 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:59706 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S239570AbiG0QlA (ORCPT ); Wed, 27 Jul 2022 12:41:00 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [145.40.68.75]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 382AC5140C; Wed, 27 Jul 2022 09:29:32 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id D2443B821BD; Wed, 27 Jul 2022 16:29:30 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 2F6E9C433C1; Wed, 27 Jul 2022 16:29:29 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1658939369; bh=Lk+Blne/blYZaB0qzZO5oWNuvyqkY7TzTtvAIAIPXgs=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=AlIjts3Fk/Umj1Pk5ZBZhWE8P5OKnZbxcYTe+FAP+VtjaNjzbiy+r9rureqVnoCzh UAMa1RKkAjXry66KK0vqn5qDCFeeOozsmjVsNbXcvbG3RYaKGsPHyp3JO4UMIn3gTm 3x2qKu+iUHuLTQ0S5c554lQEtIx2N7PL3UvelcZU= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Kuniyuki Iwashima , "David S. Miller" , Sasha Levin Subject: [PATCH 5.4 44/87] ipv4: Fix a data-race around sysctl_fib_multipath_use_neigh. Date: Wed, 27 Jul 2022 18:10:37 +0200 Message-Id: <20220727161010.838337691@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220727161008.993711844@linuxfoundation.org> References: <20220727161008.993711844@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Kuniyuki Iwashima [ Upstream commit 87507bcb4f5de16bb419e9509d874f4db6c0ad0f ] While reading sysctl_fib_multipath_use_neigh, it can be changed concurrently. Thus, we need to add READ_ONCE() to its reader. Fixes: a6db4494d218 ("net: ipv4: Consider failed nexthops in multipath rout= es") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller Signed-off-by: Sasha Levin Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- net/ipv4/fib_semantics.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/ipv4/fib_semantics.c b/net/ipv4/fib_semantics.c index 16fe03461563..28da0443f3e9 100644 --- a/net/ipv4/fib_semantics.c +++ b/net/ipv4/fib_semantics.c @@ -2209,7 +2209,7 @@ void fib_select_multipath(struct fib_result *res, int= hash) } =20 change_nexthops(fi) { - if (net->ipv4.sysctl_fib_multipath_use_neigh) { + if (READ_ONCE(net->ipv4.sysctl_fib_multipath_use_neigh)) { if (!fib_good_nh(nexthop_nh)) continue; if (!first) { --=20 2.35.1 From nobody Wed Apr 15 02:54:32 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 44D8EC04A68 for ; Wed, 27 Jul 2022 16:46:26 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S240440AbiG0QqY (ORCPT ); Wed, 27 Jul 2022 12:46:24 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:44864 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S240176AbiG0QpL (ORCPT ); Wed, 27 Jul 2022 12:45:11 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [145.40.68.75]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id D19195F9B3; Wed, 27 Jul 2022 09:31:28 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 23280B821C2; Wed, 27 Jul 2022 16:31:27 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 6F2F8C433D6; Wed, 27 Jul 2022 16:31:25 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1658939485; bh=ljxSfJEmWLh3FCXueOr70/5vy8YC0vANe67kfev0fKs=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=XJw8beJ0zSDXepzCZgfineEx8ooG5Nm09TYHUR1PL2YlOgkmP+rgqOirsaj303N0T 4TzGwhmfy071AhxNMCryGhxqvFA3weOWEXIvSDT+nJiRQErdF8CakNnKy5Aos/Vls9 tlz8pYvTLzSxBah7SG4/Xksr460aI9fAuWZbuErM= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Kuniyuki Iwashima , "David S. Miller" , Sasha Levin Subject: [PATCH 5.4 45/87] udp: Fix a data-race around sysctl_udp_l3mdev_accept. Date: Wed, 27 Jul 2022 18:10:38 +0200 Message-Id: <20220727161010.877370593@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220727161008.993711844@linuxfoundation.org> References: <20220727161008.993711844@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Kuniyuki Iwashima [ Upstream commit 3d72bb4188c708bb16758c60822fc4dda7a95174 ] While reading sysctl_udp_l3mdev_accept, it can be changed concurrently. Thus, we need to add READ_ONCE() to its reader. Fixes: 63a6fff353d0 ("net: Avoid receiving packets with an l3mdev on unboun= d UDP sockets") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller Signed-off-by: Sasha Levin Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- include/net/udp.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/net/udp.h b/include/net/udp.h index 9787a42f7ed3..e66854e767dc 100644 --- a/include/net/udp.h +++ b/include/net/udp.h @@ -252,7 +252,7 @@ static inline bool udp_sk_bound_dev_eq(struct net *net,= int bound_dev_if, int dif, int sdif) { #if IS_ENABLED(CONFIG_NET_L3_MASTER_DEV) - return inet_bound_dev_eq(!!net->ipv4.sysctl_udp_l3mdev_accept, + return inet_bound_dev_eq(!!READ_ONCE(net->ipv4.sysctl_udp_l3mdev_accept), bound_dev_if, dif, sdif); #else return inet_bound_dev_eq(true, bound_dev_if, dif, sdif); --=20 2.35.1 From nobody Wed Apr 15 02:54:32 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 875F7C3F6B0 for ; Wed, 27 Jul 2022 16:42:42 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S238729AbiG0Qmj (ORCPT ); Wed, 27 Jul 2022 12:42:39 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:58822 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S239347AbiG0Ql5 (ORCPT ); Wed, 27 Jul 2022 12:41:57 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [145.40.68.75]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 703555C350; Wed, 27 Jul 2022 09:29:55 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 8EA38B821BA; Wed, 27 Jul 2022 16:29:53 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id CE09AC433C1; Wed, 27 Jul 2022 16:29:51 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1658939392; bh=uyDTREJbtNBDmD1T4MTKrTcWDyNCmCMU8UnYKD6I3bw=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=PI2IQxhbGokYFtmJxQYXQ2vv2g5ulKOIg2UEbiAtoHXULkx8JdLyK5bq1/c7s9Rqd nCY2wbTXe05mWHIFKc/DqvkXafUeKvI7MdmDoX3hOQ4dx5LL9ZppANq/gI/zIzvGYv YcjKqQQUZnXBf+fj2/tjuibEryjViWT17bMrEhjM= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Kuniyuki Iwashima , "David S. Miller" , Sasha Levin Subject: [PATCH 5.4 46/87] tcp: Fix data-races around sysctl knobs related to SYN option. Date: Wed, 27 Jul 2022 18:10:39 +0200 Message-Id: <20220727161010.908503926@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220727161008.993711844@linuxfoundation.org> References: <20220727161008.993711844@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Kuniyuki Iwashima [ Upstream commit 3666f666e99600518ab20982af04a078bbdad277 ] While reading these knobs, they can be changed concurrently. Thus, we need to add READ_ONCE() to their readers. - tcp_sack - tcp_window_scaling - tcp_timestamps Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller Signed-off-by: Sasha Levin Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- drivers/crypto/chelsio/chtls/chtls_cm.c | 6 +++--- net/core/secure_seq.c | 4 ++-- net/ipv4/syncookies.c | 6 +++--- net/ipv4/tcp_input.c | 6 +++--- net/ipv4/tcp_output.c | 10 +++++----- 5 files changed, 16 insertions(+), 16 deletions(-) diff --git a/drivers/crypto/chelsio/chtls/chtls_cm.c b/drivers/crypto/chels= io/chtls/chtls_cm.c index 82b76df43ae5..3b79bcd03e7b 100644 --- a/drivers/crypto/chelsio/chtls/chtls_cm.c +++ b/drivers/crypto/chelsio/chtls/chtls_cm.c @@ -1103,8 +1103,8 @@ static struct sock *chtls_recv_sock(struct sock *lsk, csk->sndbuf =3D newsk->sk_sndbuf; csk->smac_idx =3D ((struct port_info *)netdev_priv(ndev))->smt_idx; RCV_WSCALE(tp) =3D select_rcv_wscale(tcp_full_space(newsk), - sock_net(newsk)-> - ipv4.sysctl_tcp_window_scaling, + READ_ONCE(sock_net(newsk)-> + ipv4.sysctl_tcp_window_scaling), tp->window_clamp); neigh_release(n); inet_inherit_port(&tcp_hashinfo, lsk, newsk); @@ -1235,7 +1235,7 @@ static void chtls_pass_accept_request(struct sock *sk, chtls_set_req_addr(oreq, iph->daddr, iph->saddr); ip_dsfield =3D ipv4_get_dsfield(iph); if (req->tcpopt.wsf <=3D 14 && - sock_net(sk)->ipv4.sysctl_tcp_window_scaling) { + READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_window_scaling)) { inet_rsk(oreq)->wscale_ok =3D 1; inet_rsk(oreq)->snd_wscale =3D req->tcpopt.wsf; } diff --git a/net/core/secure_seq.c b/net/core/secure_seq.c index a1867c65ac63..6d86506e315f 100644 --- a/net/core/secure_seq.c +++ b/net/core/secure_seq.c @@ -65,7 +65,7 @@ u32 secure_tcpv6_ts_off(const struct net *net, .daddr =3D *(struct in6_addr *)daddr, }; =20 - if (net->ipv4.sysctl_tcp_timestamps !=3D 1) + if (READ_ONCE(net->ipv4.sysctl_tcp_timestamps) !=3D 1) return 0; =20 ts_secret_init(); @@ -121,7 +121,7 @@ EXPORT_SYMBOL(secure_ipv6_port_ephemeral); #ifdef CONFIG_INET u32 secure_tcp_ts_off(const struct net *net, __be32 saddr, __be32 daddr) { - if (net->ipv4.sysctl_tcp_timestamps !=3D 1) + if (READ_ONCE(net->ipv4.sysctl_tcp_timestamps) !=3D 1) return 0; =20 ts_secret_init(); diff --git a/net/ipv4/syncookies.c b/net/ipv4/syncookies.c index f1cbf8911844..3f6c9514c7a9 100644 --- a/net/ipv4/syncookies.c +++ b/net/ipv4/syncookies.c @@ -243,12 +243,12 @@ bool cookie_timestamp_decode(const struct net *net, return true; } =20 - if (!net->ipv4.sysctl_tcp_timestamps) + if (!READ_ONCE(net->ipv4.sysctl_tcp_timestamps)) return false; =20 tcp_opt->sack_ok =3D (options & TS_OPT_SACK) ? TCP_SACK_SEEN : 0; =20 - if (tcp_opt->sack_ok && !net->ipv4.sysctl_tcp_sack) + if (tcp_opt->sack_ok && !READ_ONCE(net->ipv4.sysctl_tcp_sack)) return false; =20 if ((options & TS_OPT_WSCALE_MASK) =3D=3D TS_OPT_WSCALE_MASK) @@ -257,7 +257,7 @@ bool cookie_timestamp_decode(const struct net *net, tcp_opt->wscale_ok =3D 1; tcp_opt->snd_wscale =3D options & TS_OPT_WSCALE_MASK; =20 - return net->ipv4.sysctl_tcp_window_scaling !=3D 0; + return READ_ONCE(net->ipv4.sysctl_tcp_window_scaling) !=3D 0; } EXPORT_SYMBOL(cookie_timestamp_decode); =20 diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c index c1f26603cd2c..28df6c3feb3f 100644 --- a/net/ipv4/tcp_input.c +++ b/net/ipv4/tcp_input.c @@ -3906,7 +3906,7 @@ void tcp_parse_options(const struct net *net, break; case TCPOPT_WINDOW: if (opsize =3D=3D TCPOLEN_WINDOW && th->syn && - !estab && net->ipv4.sysctl_tcp_window_scaling) { + !estab && READ_ONCE(net->ipv4.sysctl_tcp_window_scaling)) { __u8 snd_wscale =3D *(__u8 *)ptr; opt_rx->wscale_ok =3D 1; if (snd_wscale > TCP_MAX_WSCALE) { @@ -3922,7 +3922,7 @@ void tcp_parse_options(const struct net *net, case TCPOPT_TIMESTAMP: if ((opsize =3D=3D TCPOLEN_TIMESTAMP) && ((estab && opt_rx->tstamp_ok) || - (!estab && net->ipv4.sysctl_tcp_timestamps))) { + (!estab && READ_ONCE(net->ipv4.sysctl_tcp_timestamps)))) { opt_rx->saw_tstamp =3D 1; opt_rx->rcv_tsval =3D get_unaligned_be32(ptr); opt_rx->rcv_tsecr =3D get_unaligned_be32(ptr + 4); @@ -3930,7 +3930,7 @@ void tcp_parse_options(const struct net *net, break; case TCPOPT_SACK_PERM: if (opsize =3D=3D TCPOLEN_SACK_PERM && th->syn && - !estab && net->ipv4.sysctl_tcp_sack) { + !estab && READ_ONCE(net->ipv4.sysctl_tcp_sack)) { opt_rx->sack_ok =3D TCP_SACK_SEEN; tcp_sack_reset(opt_rx); } diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c index 8b602a202acb..5cc345c4006e 100644 --- a/net/ipv4/tcp_output.c +++ b/net/ipv4/tcp_output.c @@ -620,18 +620,18 @@ static unsigned int tcp_syn_options(struct sock *sk, = struct sk_buff *skb, opts->mss =3D tcp_advertise_mss(sk); remaining -=3D TCPOLEN_MSS_ALIGNED; =20 - if (likely(sock_net(sk)->ipv4.sysctl_tcp_timestamps && !*md5)) { + if (likely(READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_timestamps) && !*md5))= { opts->options |=3D OPTION_TS; opts->tsval =3D tcp_skb_timestamp(skb) + tp->tsoffset; opts->tsecr =3D tp->rx_opt.ts_recent; remaining -=3D TCPOLEN_TSTAMP_ALIGNED; } - if (likely(sock_net(sk)->ipv4.sysctl_tcp_window_scaling)) { + if (likely(READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_window_scaling))) { opts->ws =3D tp->rx_opt.rcv_wscale; opts->options |=3D OPTION_WSCALE; remaining -=3D TCPOLEN_WSCALE_ALIGNED; } - if (likely(sock_net(sk)->ipv4.sysctl_tcp_sack)) { + if (likely(READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_sack))) { opts->options |=3D OPTION_SACK_ADVERTISE; if (unlikely(!(OPTION_TS & opts->options))) remaining -=3D TCPOLEN_SACKPERM_ALIGNED; @@ -3407,7 +3407,7 @@ static void tcp_connect_init(struct sock *sk) * See tcp_input.c:tcp_rcv_state_process case TCP_SYN_SENT. */ tp->tcp_header_len =3D sizeof(struct tcphdr); - if (sock_net(sk)->ipv4.sysctl_tcp_timestamps) + if (READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_timestamps)) tp->tcp_header_len +=3D TCPOLEN_TSTAMP_ALIGNED; =20 #ifdef CONFIG_TCP_MD5SIG @@ -3443,7 +3443,7 @@ static void tcp_connect_init(struct sock *sk) tp->advmss - (tp->rx_opt.ts_recent_stamp ? tp->tcp_header_len - size= of(struct tcphdr) : 0), &tp->rcv_wnd, &tp->window_clamp, - sock_net(sk)->ipv4.sysctl_tcp_window_scaling, + READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_window_scaling), &rcv_wscale, rcv_wnd); =20 --=20 2.35.1 From nobody Wed Apr 15 02:54:32 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7C471C19F28 for ; Wed, 27 Jul 2022 16:44:46 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235821AbiG0Qoo (ORCPT ); Wed, 27 Jul 2022 12:44:44 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:43882 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S239879AbiG0Qnn (ORCPT ); Wed, 27 Jul 2022 12:43:43 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id DDD255D0E3; Wed, 27 Jul 2022 09:30:33 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 6BC5761A55; Wed, 27 Jul 2022 16:30:24 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 48F53C433D6; Wed, 27 Jul 2022 16:30:23 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1658939423; bh=jN76glgLg76fpSC8BmLDBgVCmpV2XuZmWzCxAT1uP3s=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=S+2GjVnB3ZmXL7LYcP/JmXAjeQ6VbImu4qgCR0Em1UW+myATaUtAlMrIErXCrvdeA knB6QypRXiPTf55a52PSArsdvgb2ZVy7xYPhHXbcDvRTCJYWQvw8G/2YcjcfpHqANn MM7BOesgd75JsayUc2dIa4JWVO7b6/kP1Tm0QnSg= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Kuniyuki Iwashima , "David S. Miller" , Sasha Levin Subject: [PATCH 5.4 47/87] tcp: Fix a data-race around sysctl_tcp_early_retrans. Date: Wed, 27 Jul 2022 18:10:40 +0200 Message-Id: <20220727161010.956863929@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220727161008.993711844@linuxfoundation.org> References: <20220727161008.993711844@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Kuniyuki Iwashima [ Upstream commit 52e65865deb6a36718a463030500f16530eaab74 ] While reading sysctl_tcp_early_retrans, it can be changed concurrently. Thus, we need to add READ_ONCE() to its reader. Fixes: eed530b6c676 ("tcp: early retransmit") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller Signed-off-by: Sasha Levin Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- net/ipv4/tcp_output.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c index 5cc345c4006e..72ee1fca0501 100644 --- a/net/ipv4/tcp_output.c +++ b/net/ipv4/tcp_output.c @@ -2509,7 +2509,7 @@ bool tcp_schedule_loss_probe(struct sock *sk, bool ad= vancing_rto) if (rcu_access_pointer(tp->fastopen_rsk)) return false; =20 - early_retrans =3D sock_net(sk)->ipv4.sysctl_tcp_early_retrans; + early_retrans =3D READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_early_retrans); /* Schedule a loss probe in 2*RTT for SACK capable connections * not in loss recovery, that are either limited by cwnd or application. */ --=20 2.35.1 From nobody Wed Apr 15 02:54:32 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 16184C04A68 for ; Wed, 27 Jul 2022 16:45:33 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S239570AbiG0Qpb (ORCPT ); Wed, 27 Jul 2022 12:45:31 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:43964 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S240280AbiG0QoP (ORCPT ); Wed, 27 Jul 2022 12:44:15 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [145.40.68.75]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 2E8CB2DB; Wed, 27 Jul 2022 09:30:57 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 9F9C4B821C5; Wed, 27 Jul 2022 16:30:55 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 14304C433C1; Wed, 27 Jul 2022 16:30:53 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1658939454; bh=ogdpYql1/PZgtWlueFCk1S1UTn53QIdYTmXoyTpukf8=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=Q/4e14jTmVgM8oCBFtIIpPZOc+Lpnb8W+w9OFdDgJ5P4jKOlR/a+Bw0qrHdiA512V kAFcgnNb/5lCBKCoeol7iBeHo0zYrNBD2bV/SXywgWJoBOh7gdfg8yUMwyBhBbkxki AcTxzv1x/r2La2tvdoBiYwvu5RmLIA32MuY5SL4A= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Kuniyuki Iwashima , "David S. Miller" , Sasha Levin Subject: [PATCH 5.4 48/87] tcp: Fix data-races around sysctl_tcp_recovery. Date: Wed, 27 Jul 2022 18:10:41 +0200 Message-Id: <20220727161010.995412934@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220727161008.993711844@linuxfoundation.org> References: <20220727161008.993711844@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Kuniyuki Iwashima [ Upstream commit e7d2ef837e14a971a05f60ea08c47f3fed1a36e4 ] While reading sysctl_tcp_recovery, it can be changed concurrently. Thus, we need to add READ_ONCE() to its readers. Fixes: 4f41b1c58a32 ("tcp: use RACK to detect losses") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller Signed-off-by: Sasha Levin Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- net/ipv4/tcp_input.c | 3 ++- net/ipv4/tcp_recovery.c | 6 ++++-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c index 28df6c3feb3f..2f57c365ebd5 100644 --- a/net/ipv4/tcp_input.c +++ b/net/ipv4/tcp_input.c @@ -1950,7 +1950,8 @@ static inline void tcp_init_undo(struct tcp_sock *tp) =20 static bool tcp_is_rack(const struct sock *sk) { - return sock_net(sk)->ipv4.sysctl_tcp_recovery & TCP_RACK_LOSS_DETECTION; + return READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_recovery) & + TCP_RACK_LOSS_DETECTION; } =20 /* If we detect SACK reneging, forget all SACK information diff --git a/net/ipv4/tcp_recovery.c b/net/ipv4/tcp_recovery.c index 8757bb6cb1d9..22ec8dcc1428 100644 --- a/net/ipv4/tcp_recovery.c +++ b/net/ipv4/tcp_recovery.c @@ -33,7 +33,8 @@ static u32 tcp_rack_reo_wnd(const struct sock *sk) return 0; =20 if (tp->sacked_out >=3D tp->reordering && - !(sock_net(sk)->ipv4.sysctl_tcp_recovery & TCP_RACK_NO_DUPTHRESH)) + !(READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_recovery) & + TCP_RACK_NO_DUPTHRESH)) return 0; } =20 @@ -204,7 +205,8 @@ void tcp_rack_update_reo_wnd(struct sock *sk, struct ra= te_sample *rs) { struct tcp_sock *tp =3D tcp_sk(sk); =20 - if (sock_net(sk)->ipv4.sysctl_tcp_recovery & TCP_RACK_STATIC_REO_WND || + if ((READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_recovery) & + TCP_RACK_STATIC_REO_WND) || !rs->prior_delivered) return; =20 --=20 2.35.1 From nobody Wed Apr 15 02:54:32 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 9C61CC04A68 for ; Wed, 27 Jul 2022 16:45:43 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S240348AbiG0Qpl (ORCPT ); Wed, 27 Jul 2022 12:45:41 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:35408 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S240462AbiG0Qo2 (ORCPT ); Wed, 27 Jul 2022 12:44:28 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 2260651A3B; Wed, 27 Jul 2022 09:31:11 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 9E34BB821BE; Wed, 27 Jul 2022 16:31:09 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id EF398C433D6; Wed, 27 Jul 2022 16:31:07 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1658939468; bh=xDorO/C3ElwiBLmXQmAIT9qsfde0KxyKSDyPqNa8N5s=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=AnJpSbq928Qa3d6wmMtYjjFoOYM2/Fdabp3EQzPGn/bfJ6fmbkfqaNnk7jG29LrAz E6GiUtJlnPzs3pIDJCerWmtUrAIlC2MVqw2LtoBQaD7myUZ8DOSnE8y392TyYPa4wS ollHe8Iug/GFG8dWgqtxKWvGqCVot0CjJcBSIhv0= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Kuniyuki Iwashima , "David S. Miller" , Sasha Levin Subject: [PATCH 5.4 49/87] tcp: Fix a data-race around sysctl_tcp_thin_linear_timeouts. Date: Wed, 27 Jul 2022 18:10:42 +0200 Message-Id: <20220727161011.044246395@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220727161008.993711844@linuxfoundation.org> References: <20220727161008.993711844@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Kuniyuki Iwashima [ Upstream commit 7c6f2a86ca590d5187a073d987e9599985fb1c7c ] While reading sysctl_tcp_thin_linear_timeouts, it can be changed concurrently. Thus, we need to add READ_ONCE() to its reader. Fixes: 36e31b0af587 ("net: TCP thin linear timeouts") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller Signed-off-by: Sasha Levin Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- net/ipv4/tcp_timer.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/ipv4/tcp_timer.c b/net/ipv4/tcp_timer.c index 26da44e196ed..a0107eb02ae4 100644 --- a/net/ipv4/tcp_timer.c +++ b/net/ipv4/tcp_timer.c @@ -569,7 +569,7 @@ void tcp_retransmit_timer(struct sock *sk) * linear-timeout retransmissions into a black hole */ if (sk->sk_state =3D=3D TCP_ESTABLISHED && - (tp->thin_lto || net->ipv4.sysctl_tcp_thin_linear_timeouts) && + (tp->thin_lto || READ_ONCE(net->ipv4.sysctl_tcp_thin_linear_timeouts)= ) && tcp_stream_is_thin(tp) && icsk->icsk_retransmits <=3D TCP_THIN_LINEAR_RETRIES) { icsk->icsk_backoff =3D 0; --=20 2.35.1 From nobody Wed Apr 15 02:54:32 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 756E7C04A68 for ; Wed, 27 Jul 2022 16:46:00 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S240394AbiG0Qp6 (ORCPT ); Wed, 27 Jul 2022 12:45:58 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:43068 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S240484AbiG0Qo3 (ORCPT ); Wed, 27 Jul 2022 12:44:29 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 21AF552447; Wed, 27 Jul 2022 09:31:13 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id AFFC2B821C2; Wed, 27 Jul 2022 16:31:12 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id DA8DAC433C1; Wed, 27 Jul 2022 16:31:10 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1658939471; bh=B3sJuDz8JKCCHdebYVp43xh6OlmonYf9crjFVu7HnJk=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=FgjuW24PCBRx/5BAOVZ33pw75HfVGHItxg86F0vubXthf6opq0qP8Agba7UueNIJO 7IMNNcn87AbCb1kIG3berODMBdYqYpgejoHddcxojBn41LxgXFdYvYPTmxOC9E61Uc vfehaFvfR20LtSVB1+8+xJHEBoSGJfZzLDiZYu0o= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Kuniyuki Iwashima , "David S. Miller" , Sasha Levin Subject: [PATCH 5.4 50/87] tcp: Fix data-races around sysctl_tcp_slow_start_after_idle. Date: Wed, 27 Jul 2022 18:10:43 +0200 Message-Id: <20220727161011.091709543@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220727161008.993711844@linuxfoundation.org> References: <20220727161008.993711844@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Kuniyuki Iwashima [ Upstream commit 4845b5713ab18a1bb6e31d1fbb4d600240b8b691 ] While reading sysctl_tcp_slow_start_after_idle, it can be changed concurrently. Thus, we need to add READ_ONCE() to its readers. Fixes: 35089bb203f4 ("[TCP]: Add tcp_slow_start_after_idle sysctl.") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller Signed-off-by: Sasha Levin Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- include/net/tcp.h | 4 ++-- net/ipv4/tcp_output.c | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/include/net/tcp.h b/include/net/tcp.h index eb984ec22f22..aaf1d5d5a13b 100644 --- a/include/net/tcp.h +++ b/include/net/tcp.h @@ -1373,8 +1373,8 @@ static inline void tcp_slow_start_after_idle_check(st= ruct sock *sk) struct tcp_sock *tp =3D tcp_sk(sk); s32 delta; =20 - if (!sock_net(sk)->ipv4.sysctl_tcp_slow_start_after_idle || tp->packets_o= ut || - ca_ops->cong_control) + if (!READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_slow_start_after_idle) || + tp->packets_out || ca_ops->cong_control) return; delta =3D tcp_jiffies32 - tp->lsndtime; if (delta > inet_csk(sk)->icsk_rto) diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c index 72ee1fca0501..5d9a1a498a18 100644 --- a/net/ipv4/tcp_output.c +++ b/net/ipv4/tcp_output.c @@ -1673,7 +1673,7 @@ static void tcp_cwnd_validate(struct sock *sk, bool i= s_cwnd_limited) if (tp->packets_out > tp->snd_cwnd_used) tp->snd_cwnd_used =3D tp->packets_out; =20 - if (sock_net(sk)->ipv4.sysctl_tcp_slow_start_after_idle && + if (READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_slow_start_after_idle) && (s32)(tcp_jiffies32 - tp->snd_cwnd_stamp) >=3D inet_csk(sk)->icsk_rt= o && !ca_ops->cong_control) tcp_cwnd_application_limited(sk); --=20 2.35.1 From nobody Wed Apr 15 02:54:32 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 2B1BDC04A68 for ; Wed, 27 Jul 2022 16:46:06 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S240401AbiG0QqE (ORCPT ); Wed, 27 Jul 2022 12:46:04 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:44776 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S240509AbiG0Qob (ORCPT ); Wed, 27 Jul 2022 12:44:31 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 855635F110; Wed, 27 Jul 2022 09:31:15 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 0363061A39; Wed, 27 Jul 2022 16:31:15 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 08706C433D6; Wed, 27 Jul 2022 16:31:13 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1658939474; bh=13RiAq2LeTI+XWlG9cn39gAKHDTZwrE6XL+Hm4O2hfQ=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=bK1Gstok0x80cb0cV+h4UvYH8bA9TJBqmDZH17rvnGWtzDpdoS++Voyw8rjUfFRPV NPRVJTWQ0llNDdMLcbIaYzJoMVvMRhPvCBo3PuY9FVow95YAPvQesnvmcpHWI1hO4F vHwFCCqoMzG9Q1SORn9krK/3MwNqS1e+qRmnbA3Q= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Kuniyuki Iwashima , "David S. Miller" , Sasha Levin Subject: [PATCH 5.4 51/87] tcp: Fix a data-race around sysctl_tcp_retrans_collapse. Date: Wed, 27 Jul 2022 18:10:44 +0200 Message-Id: <20220727161011.138419746@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220727161008.993711844@linuxfoundation.org> References: <20220727161008.993711844@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Kuniyuki Iwashima [ Upstream commit 1a63cb91f0c2fcdeced6d6edee8d1d886583d139 ] While reading sysctl_tcp_retrans_collapse, it can be changed concurrently. Thus, we need to add READ_ONCE() to its reader. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller Signed-off-by: Sasha Levin Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- net/ipv4/tcp_output.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c index 5d9a1a498a18..97f29ece3800 100644 --- a/net/ipv4/tcp_output.c +++ b/net/ipv4/tcp_output.c @@ -2871,7 +2871,7 @@ static void tcp_retrans_try_collapse(struct sock *sk,= struct sk_buff *to, struct sk_buff *skb =3D to, *tmp; bool first =3D true; =20 - if (!sock_net(sk)->ipv4.sysctl_tcp_retrans_collapse) + if (!READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_retrans_collapse)) return; if (TCP_SKB_CB(skb)->tcp_flags & TCPHDR_SYN) return; --=20 2.35.1 From nobody Wed Apr 15 02:54:32 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id CFD63C19F28 for ; Wed, 27 Jul 2022 16:46:07 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S240054AbiG0QqG (ORCPT ); Wed, 27 Jul 2022 12:46:06 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:44908 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S240542AbiG0Qoe (ORCPT ); Wed, 27 Jul 2022 12:44:34 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 2E5D65F126; Wed, 27 Jul 2022 09:31:20 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id AEB17B821BB; Wed, 27 Jul 2022 16:31:18 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id ED622C433D7; Wed, 27 Jul 2022 16:31:16 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1658939477; bh=MgDAVwHqk/bTuTyeMYiez8QgXE2YFR7Af+OisOCuVhM=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=JXG1733+B4xT8vtx8Mw1bqPckivuCf1AIj+BLMjP7mNl4U9aZ0J11HG2plTzjBwWG +Mqr5e3DcrUXo1PXt78KjvllDnRUUgvsQPdkmWV/I0cgWvZoes3yw7HbDkKFWQiNrm S+55sS32WAFUTQSbOF8DMnbAmC5fZRREWUwkom7g= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Kuniyuki Iwashima , "David S. Miller" , Sasha Levin Subject: [PATCH 5.4 52/87] tcp: Fix a data-race around sysctl_tcp_stdurg. Date: Wed, 27 Jul 2022 18:10:45 +0200 Message-Id: <20220727161011.177086291@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220727161008.993711844@linuxfoundation.org> References: <20220727161008.993711844@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Kuniyuki Iwashima [ Upstream commit 4e08ed41cb1194009fc1a916a59ce3ed4afd77cd ] While reading sysctl_tcp_stdurg, it can be changed concurrently. Thus, we need to add READ_ONCE() to its reader. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller Signed-off-by: Sasha Levin Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- net/ipv4/tcp_input.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c index 2f57c365ebd5..f9884956aa13 100644 --- a/net/ipv4/tcp_input.c +++ b/net/ipv4/tcp_input.c @@ -5356,7 +5356,7 @@ static void tcp_check_urg(struct sock *sk, const stru= ct tcphdr *th) struct tcp_sock *tp =3D tcp_sk(sk); u32 ptr =3D ntohs(th->urg_ptr); =20 - if (ptr && !sock_net(sk)->ipv4.sysctl_tcp_stdurg) + if (ptr && !READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_stdurg)) ptr--; ptr +=3D ntohl(th->seq); =20 --=20 2.35.1 From nobody Wed Apr 15 02:54:32 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 55612C04A68 for ; Wed, 27 Jul 2022 16:46:10 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S240416AbiG0QqI (ORCPT ); Wed, 27 Jul 2022 12:46:08 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:42778 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234818AbiG0Qoo (ORCPT ); Wed, 27 Jul 2022 12:44:44 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 5980C5F132; Wed, 27 Jul 2022 09:31:21 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id BCA4D61A55; Wed, 27 Jul 2022 16:31:20 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id CB1D5C433D6; Wed, 27 Jul 2022 16:31:19 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1658939480; bh=HMtYHDKma7W4GvRL3TPWZL0Kan+4zTlL5aUsBcYctGY=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=wafkcrCZp5Ls3dbP26mhXs8+ZA9JuWgiFkoiNSTlwmIYzyULTUd3ihDITio0UHk6P 7PlHV5M494GAjd3WkIo7uE1IfHtEP4wP2NwU5P30JzP4YlMW5+fOsIyz4YMV5Rbmkm QIGcOsIZeoq6L958RAZL2FfUc+j5ffUkDNtJ/1nE= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Kuniyuki Iwashima , "David S. Miller" , Sasha Levin Subject: [PATCH 5.4 53/87] tcp: Fix a data-race around sysctl_tcp_rfc1337. Date: Wed, 27 Jul 2022 18:10:46 +0200 Message-Id: <20220727161011.221866056@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220727161008.993711844@linuxfoundation.org> References: <20220727161008.993711844@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Kuniyuki Iwashima [ Upstream commit 0b484c91911e758e53656d570de58c2ed81ec6f2 ] While reading sysctl_tcp_rfc1337, it can be changed concurrently. Thus, we need to add READ_ONCE() to its reader. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller Signed-off-by: Sasha Levin Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- net/ipv4/tcp_minisocks.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/ipv4/tcp_minisocks.c b/net/ipv4/tcp_minisocks.c index 9b038cb0a43d..324f43fadb37 100644 --- a/net/ipv4/tcp_minisocks.c +++ b/net/ipv4/tcp_minisocks.c @@ -180,7 +180,7 @@ tcp_timewait_state_process(struct inet_timewait_sock *t= w, struct sk_buff *skb, * Oh well... nobody has a sufficient solution to this * protocol bug yet. */ - if (twsk_net(tw)->ipv4.sysctl_tcp_rfc1337 =3D=3D 0) { + if (!READ_ONCE(twsk_net(tw)->ipv4.sysctl_tcp_rfc1337)) { kill: inet_twsk_deschedule_put(tw); return TCP_TW_SUCCESS; --=20 2.35.1 From nobody Wed Apr 15 02:54:32 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 398E1C04A68 for ; Wed, 27 Jul 2022 16:46:13 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S240423AbiG0QqL (ORCPT ); Wed, 27 Jul 2022 12:46:11 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:35408 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S239849AbiG0Qou (ORCPT ); Wed, 27 Jul 2022 12:44:50 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id AAC4A5F986; Wed, 27 Jul 2022 09:31:23 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 8CB5861A38; Wed, 27 Jul 2022 16:31:23 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 9A6BBC433C1; Wed, 27 Jul 2022 16:31:22 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1658939483; bh=5sBIDrAeZCj2hefEhVNQeE//wJyI0ZVlN15c+IC1zaQ=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=e2YbXtlCjksN+zW+xwIlKa8pDXTeZe7fg2umwWdzrqgq077JAbrqGwYs3q9SWyIJ9 HLZZ8lKDnu4hKNIrF6QX2HHdHt+1vbGAk2mPsmQIYnqxSZsNwfNNIx/GIVaBz1/irA wLi2xl1GQTb/gctOMUf8adYGqUdybC7JxAKQ2D1U= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Kuniyuki Iwashima , "David S. Miller" , Sasha Levin Subject: [PATCH 5.4 54/87] tcp: Fix data-races around sysctl_tcp_max_reordering. Date: Wed, 27 Jul 2022 18:10:47 +0200 Message-Id: <20220727161011.260536841@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220727161008.993711844@linuxfoundation.org> References: <20220727161008.993711844@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Kuniyuki Iwashima [ Upstream commit a11e5b3e7a59fde1a90b0eaeaa82320495cf8cae ] While reading sysctl_tcp_max_reordering, it can be changed concurrently. Thus, we need to add READ_ONCE() to its readers. Fixes: dca145ffaa8d ("tcp: allow for bigger reordering level") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller Signed-off-by: Sasha Levin Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- net/ipv4/tcp_input.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c index f9884956aa13..c151c4dd4ae6 100644 --- a/net/ipv4/tcp_input.c +++ b/net/ipv4/tcp_input.c @@ -905,7 +905,7 @@ static void tcp_check_sack_reordering(struct sock *sk, = const u32 low_seq, tp->undo_marker ? tp->undo_retrans : 0); #endif tp->reordering =3D min_t(u32, (metric + mss - 1) / mss, - sock_net(sk)->ipv4.sysctl_tcp_max_reordering); + READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_max_reordering)); } =20 /* This exciting event is worth to be remembered. 8) */ @@ -1886,7 +1886,7 @@ static void tcp_check_reno_reordering(struct sock *sk= , const int addend) return; =20 tp->reordering =3D min_t(u32, tp->packets_out + addend, - sock_net(sk)->ipv4.sysctl_tcp_max_reordering); + READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_max_reordering)); tp->reord_seen++; NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPRENOREORDER); } --=20 2.35.1 From nobody Wed Apr 15 02:54:32 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 357BFC19F2B for ; Wed, 27 Jul 2022 16:42:47 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S239873AbiG0Qmp (ORCPT ); Wed, 27 Jul 2022 12:42:45 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:57364 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S239220AbiG0QmP (ORCPT ); Wed, 27 Jul 2022 12:42:15 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 148D75C357; Wed, 27 Jul 2022 09:29:56 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id DF5B261A39; Wed, 27 Jul 2022 16:29:55 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id BE92EC433D6; Wed, 27 Jul 2022 16:29:54 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1658939395; bh=HBTuDHmlNIq/Hz/znquvPZXH2RPXYA59ZP/S06U5vHs=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=fCFlkXne+xvJ4NpRvMhL4G2jqN2oRS8kmNmYqJCBwCFpb0IYaHmsGPbHScLtwLMlP tnU4xovbf+XrwJ6lMdhdgtUPsy5SowECoow7VAQI4QTKEhsFdBO4loLzOkNmWFKgMp 1/5IW7jO6uqS84AICYHj2PSxlfZmZxxtrn2wvwWs= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Lukas Wunner , Marc Kleine-Budde , Mark Brown Subject: [PATCH 5.4 55/87] spi: bcm2835: bcm2835_spi_handle_err(): fix NULL pointer deref for non DMA transfers Date: Wed, 27 Jul 2022 18:10:48 +0200 Message-Id: <20220727161011.295157882@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220727161008.993711844@linuxfoundation.org> References: <20220727161008.993711844@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Marc Kleine-Budde commit 4ceaa684459d414992acbefb4e4c31f2dfc50641 upstream. In case a IRQ based transfer times out the bcm2835_spi_handle_err() function is called. Since commit 1513ceee70f2 ("spi: bcm2835: Drop dma_pending flag") the TX and RX DMA transfers are unconditionally canceled, leading to NULL pointer derefs if ctlr->dma_tx or ctlr->dma_rx are not set. Fix the NULL pointer deref by checking that ctlr->dma_tx and ctlr->dma_rx are valid pointers before accessing them. Fixes: 1513ceee70f2 ("spi: bcm2835: Drop dma_pending flag") Cc: Lukas Wunner Signed-off-by: Marc Kleine-Budde Link: https://lore.kernel.org/r/20220719072234.2782764-1-mkl@pengutronix.de Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- drivers/spi/spi-bcm2835.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) --- a/drivers/spi/spi-bcm2835.c +++ b/drivers/spi/spi-bcm2835.c @@ -1159,10 +1159,14 @@ static void bcm2835_spi_handle_err(struc struct bcm2835_spi *bs =3D spi_controller_get_devdata(ctlr); =20 /* if an error occurred and we have an active dma, then terminate */ - dmaengine_terminate_sync(ctlr->dma_tx); - bs->tx_dma_active =3D false; - dmaengine_terminate_sync(ctlr->dma_rx); - bs->rx_dma_active =3D false; + if (ctlr->dma_tx) { + dmaengine_terminate_sync(ctlr->dma_tx); + bs->tx_dma_active =3D false; + } + if (ctlr->dma_rx) { + dmaengine_terminate_sync(ctlr->dma_rx); + bs->rx_dma_active =3D false; + } bcm2835_spi_undo_prologue(bs); =20 /* and reset */ From nobody Wed Apr 15 02:54:32 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id E7034C04A68 for ; Wed, 27 Jul 2022 16:42:54 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S239631AbiG0Qmx (ORCPT ); Wed, 27 Jul 2022 12:42:53 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:60710 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S239669AbiG0QmS (ORCPT ); Wed, 27 Jul 2022 12:42:18 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 845A45C368; Wed, 27 Jul 2022 09:29:59 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id A2DB261A1E; Wed, 27 Jul 2022 16:29:58 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id B18EAC433C1; Wed, 27 Jul 2022 16:29:57 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1658939398; bh=Ptp8f9ez5kMPmK7FFCiOYpyQIN2l2mkSWZa8q1gwRqk=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=VswefJ+yu/ePIyXq8sMKXLcdBB2sHvy1LFCvRlSTMLCtvz956W+0ymbCeR3eUPDKJ 5bJMr8Id+DjF3PU3f2E0cq/sQA4tb75/p7EGf4HO+uO2absYLkDgEfTp362nOpOAOf nVD51Eic2m03t6XOa2sO+BWNkxwmqOM6jr82gUy4= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Wang Cheng , syzbot+217f792c92599518a2ab@syzkaller.appspotmail.com, David Rientjes , Vlastimil Babka , Andrew Morton Subject: [PATCH 5.4 56/87] mm/mempolicy: fix uninit-value in mpol_rebind_policy() Date: Wed, 27 Jul 2022 18:10:49 +0200 Message-Id: <20220727161011.332184136@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220727161008.993711844@linuxfoundation.org> References: <20220727161008.993711844@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Wang Cheng commit 018160ad314d75b1409129b2247b614a9f35894c upstream. mpol_set_nodemask()(mm/mempolicy.c) does not set up nodemask when pol->mode is MPOL_LOCAL. Check pol->mode before access pol->w.cpuset_mems_allowed in mpol_rebind_policy()(mm/mempolicy.c). BUG: KMSAN: uninit-value in mpol_rebind_policy mm/mempolicy.c:352 [inline] BUG: KMSAN: uninit-value in mpol_rebind_task+0x2ac/0x2c0 mm/mempolicy.c:368 mpol_rebind_policy mm/mempolicy.c:352 [inline] mpol_rebind_task+0x2ac/0x2c0 mm/mempolicy.c:368 cpuset_change_task_nodemask kernel/cgroup/cpuset.c:1711 [inline] cpuset_attach+0x787/0x15e0 kernel/cgroup/cpuset.c:2278 cgroup_migrate_execute+0x1023/0x1d20 kernel/cgroup/cgroup.c:2515 cgroup_migrate kernel/cgroup/cgroup.c:2771 [inline] cgroup_attach_task+0x540/0x8b0 kernel/cgroup/cgroup.c:2804 __cgroup1_procs_write+0x5cc/0x7a0 kernel/cgroup/cgroup-v1.c:520 cgroup1_tasks_write+0x94/0xb0 kernel/cgroup/cgroup-v1.c:539 cgroup_file_write+0x4c2/0x9e0 kernel/cgroup/cgroup.c:3852 kernfs_fop_write_iter+0x66a/0x9f0 fs/kernfs/file.c:296 call_write_iter include/linux/fs.h:2162 [inline] new_sync_write fs/read_write.c:503 [inline] vfs_write+0x1318/0x2030 fs/read_write.c:590 ksys_write+0x28b/0x510 fs/read_write.c:643 __do_sys_write fs/read_write.c:655 [inline] __se_sys_write fs/read_write.c:652 [inline] __x64_sys_write+0xdb/0x120 fs/read_write.c:652 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82 entry_SYSCALL_64_after_hwframe+0x44/0xae Uninit was created at: slab_post_alloc_hook mm/slab.h:524 [inline] slab_alloc_node mm/slub.c:3251 [inline] slab_alloc mm/slub.c:3259 [inline] kmem_cache_alloc+0x902/0x11c0 mm/slub.c:3264 mpol_new mm/mempolicy.c:293 [inline] do_set_mempolicy+0x421/0xb70 mm/mempolicy.c:853 kernel_set_mempolicy mm/mempolicy.c:1504 [inline] __do_sys_set_mempolicy mm/mempolicy.c:1510 [inline] __se_sys_set_mempolicy+0x44c/0xb60 mm/mempolicy.c:1507 __x64_sys_set_mempolicy+0xd8/0x110 mm/mempolicy.c:1507 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82 entry_SYSCALL_64_after_hwframe+0x44/0xae KMSAN: uninit-value in mpol_rebind_task (2) https://syzkaller.appspot.com/bug?id=3Dd6eb90f952c2a5de9ea718a1b873c55cb13b= 59dc This patch seems to fix below bug too. KMSAN: uninit-value in mpol_rebind_mm (2) https://syzkaller.appspot.com/bug?id=3Df2fecd0d7013f54ec4162f60743a2b28df40= 926b The uninit-value is pol->w.cpuset_mems_allowed in mpol_rebind_policy(). When syzkaller reproducer runs to the beginning of mpol_new(), mpol_new() mm/mempolicy.c do_mbind() mm/mempolicy.c kernel_mbind() mm/mempolicy.c `mode` is 1(MPOL_PREFERRED), nodes_empty(*nodes) is `true` and `flags` is 0. Then mode =3D MPOL_LOCAL; ... policy->mode =3D mode; policy->flags =3D flags; will be executed. So in mpol_set_nodemask(), mpol_set_nodemask() mm/mempolicy.c do_mbind() kernel_mbind() pol->mode is 4 (MPOL_LOCAL), that `nodemask` in `pol` is not initialized, which will be accessed in mpol_rebind_policy(). Link: https://lkml.kernel.org/r/20220512123428.fq3wofedp6oiotd4@ppc.localdo= main Signed-off-by: Wang Cheng Reported-by: Tested-by: Cc: David Rientjes Cc: Vlastimil Babka Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- mm/mempolicy.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/mm/mempolicy.c +++ b/mm/mempolicy.c @@ -348,7 +348,7 @@ static void mpol_rebind_preferred(struct */ static void mpol_rebind_policy(struct mempolicy *pol, const nodemask_t *ne= wmask) { - if (!pol) + if (!pol || pol->mode =3D=3D MPOL_LOCAL) return; if (!mpol_store_user_nodemask(pol) && !(pol->flags & MPOL_F_LOCAL) && nodes_equal(pol->w.cpuset_mems_allowed, *newmask)) From nobody Wed Apr 15 02:54:32 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 8FCA2C04A68 for ; Wed, 27 Jul 2022 16:42:59 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S239721AbiG0Qm5 (ORCPT ); Wed, 27 Jul 2022 12:42:57 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:35410 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S239715AbiG0QmY (ORCPT ); Wed, 27 Jul 2022 12:42:24 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 6BD0D5C37A; Wed, 27 Jul 2022 09:30:02 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 6FA04619FD; Wed, 27 Jul 2022 16:30:01 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 7A585C433C1; Wed, 27 Jul 2022 16:30:00 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1658939400; bh=bEhIf7cld2niPZDZbI/nEIeJ8wE5plv3kEKkLMSzO7w=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=Ky/VLzMqp09RHaFLcgt5Xp8brs1EEPNjq1dmg3Yroh4Jlo06y49VRaPWXkideDeCH 0VgVZI1sbBofCTMvHLOaw17XNnghcDvi++WJcaJEKBrsxIrBZoooSwWcEQHIgvAD8c 10XRYLBDvswyW/z+XGgCaIJjRQTJzLpl58jqJnTs= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, syzbot , Eric Dumazet , Daniel Borkmann Subject: [PATCH 5.4 57/87] bpf: Make sure mac_header was set before using it Date: Wed, 27 Jul 2022 18:10:50 +0200 Message-Id: <20220727161011.377354790@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220727161008.993711844@linuxfoundation.org> References: <20220727161008.993711844@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Eric Dumazet commit 0326195f523a549e0a9d7fd44c70b26fd7265090 upstream. Classic BPF has a way to load bytes starting from the mac header. Some skbs do not have a mac header, and skb_mac_header() in this case is returning a pointer that 65535 bytes after skb->head. Existing range check in bpf_internal_load_pointer_neg_helper() was properly kicking and no illegal access was happening. New sanity check in skb_mac_header() is firing, so we need to avoid it. WARNING: CPU: 1 PID: 28990 at include/linux/skbuff.h:2785 skb_mac_header in= clude/linux/skbuff.h:2785 [inline] WARNING: CPU: 1 PID: 28990 at include/linux/skbuff.h:2785 bpf_internal_load= _pointer_neg_helper+0x1b1/0x1c0 kernel/bpf/core.c:74 Modules linked in: CPU: 1 PID: 28990 Comm: syz-executor.0 Not tainted 5.19.0-rc4-syzkaller-008= 65-g4874fb9484be #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Goo= gle 06/29/2022 RIP: 0010:skb_mac_header include/linux/skbuff.h:2785 [inline] RIP: 0010:bpf_internal_load_pointer_neg_helper+0x1b1/0x1c0 kernel/bpf/core.= c:74 Code: ff ff 45 31 f6 e9 5a ff ff ff e8 aa 27 40 00 e9 3b ff ff ff e8 90 27 = 40 00 e9 df fe ff ff e8 86 27 40 00 eb 9e e8 2f 2c f3 ff <0f> 0b eb b1 e8 9= 6 27 40 00 e9 79 fe ff ff 90 41 57 41 56 41 55 41 RSP: 0018:ffffc9000309f668 EFLAGS: 00010216 RAX: 0000000000000118 RBX: ffffffffffeff00c RCX: ffffc9000e417000 RDX: 0000000000040000 RSI: ffffffff81873f21 RDI: 0000000000000003 RBP: ffff8880842878c0 R08: 0000000000000003 R09: 000000000000ffff R10: 000000000000ffff R11: 0000000000000001 R12: 0000000000000004 R13: ffff88803ac56c00 R14: 000000000000ffff R15: dffffc0000000000 FS: 00007f5c88a16700(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fdaa9f6c058 CR3: 000000003a82c000 CR4: 00000000003506e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: ____bpf_skb_load_helper_32 net/core/filter.c:276 [inline] bpf_skb_load_helper_32+0x191/0x220 net/core/filter.c:264 Fixes: f9aefd6b2aa3 ("net: warn if mac header was not set") Reported-by: syzbot Signed-off-by: Eric Dumazet Signed-off-by: Daniel Borkmann Link: https://lore.kernel.org/bpf/20220707123900.945305-1-edumazet@google.c= om Signed-off-by: Greg Kroah-Hartman Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- kernel/bpf/core.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) --- a/kernel/bpf/core.c +++ b/kernel/bpf/core.c @@ -64,11 +64,13 @@ void *bpf_internal_load_pointer_neg_help { u8 *ptr =3D NULL; =20 - if (k >=3D SKF_NET_OFF) + if (k >=3D SKF_NET_OFF) { ptr =3D skb_network_header(skb) + k - SKF_NET_OFF; - else if (k >=3D SKF_LL_OFF) + } else if (k >=3D SKF_LL_OFF) { + if (unlikely(!skb_mac_header_was_set(skb))) + return NULL; ptr =3D skb_mac_header(skb) + k - SKF_LL_OFF; - + } if (ptr >=3D skb->head && ptr + size <=3D skb_tail_pointer(skb)) return ptr; From nobody Wed Apr 15 02:54:32 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 0E35AC19F2B for ; Wed, 27 Jul 2022 16:43:20 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S239798AbiG0QnS (ORCPT ); Wed, 27 Jul 2022 12:43:18 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:57982 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S239732AbiG0Qms (ORCPT ); Wed, 27 Jul 2022 12:42:48 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [145.40.68.75]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 1D5DAB91; Wed, 27 Jul 2022 09:30:06 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 11565B821BA; Wed, 27 Jul 2022 16:30:05 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 4755AC433D6; Wed, 27 Jul 2022 16:30:03 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1658939403; bh=550IkI61ovCTlTtHGJVVtYH6bZgDjq0SDAiIBPV6FZo=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=g93hh0D30tS8hNLZlIOI7cxIRIDMdR8g5p8rXlxWxb//ErrZKwWHXxrfn3/rnQhhn 6wBi0Gd/xFqB+Ix3k5LwurEc0Yp9nHSRzNvI1Q8g85ILVkVnYvjYbMIco4NumxWeNU G/I9mdq3VmH0w+It44dUxh4z1BTL0ZT30dKLMKbI= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Alexander Aring , David Teigland , Sasha Levin Subject: [PATCH 5.4 58/87] dlm: fix pending remove if msg allocation fails Date: Wed, 27 Jul 2022 18:10:51 +0200 Message-Id: <20220727161011.415794656@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220727161008.993711844@linuxfoundation.org> References: <20220727161008.993711844@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Alexander Aring [ Upstream commit ba58995909b5098ca4003af65b0ccd5a8d13dd25 ] This patch unsets ls_remove_len and ls_remove_name if a message allocation of a remove messages fails. In this case we never send a remove message out but set the per ls ls_remove_len ls_remove_name variable for a pending remove. Unset those variable should indicate possible waiters in wait_pending_remove() that no pending remove is going on at this moment. Cc: stable@vger.kernel.org Signed-off-by: Alexander Aring Signed-off-by: David Teigland Signed-off-by: Sasha Levin Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- fs/dlm/lock.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/fs/dlm/lock.c b/fs/dlm/lock.c index 4ae8becdb51d..9165bf56c6e8 100644 --- a/fs/dlm/lock.c +++ b/fs/dlm/lock.c @@ -4067,13 +4067,14 @@ static void send_repeat_remove(struct dlm_ls *ls, c= har *ms_name, int len) rv =3D _create_message(ls, sizeof(struct dlm_message) + len, dir_nodeid, DLM_MSG_REMOVE, &ms, &mh); if (rv) - return; + goto out; =20 memcpy(ms->m_extra, name, len); ms->m_hash =3D hash; =20 send_message(mh, ms); =20 +out: spin_lock(&ls->ls_remove_spin); ls->ls_remove_len =3D 0; memset(ls->ls_remove_name, 0, DLM_RESNAME_MAXLEN); --=20 2.35.1 From nobody Wed Apr 15 02:54:32 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 4FC97C04A68 for ; Wed, 27 Jul 2022 16:43:27 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S239590AbiG0QnZ (ORCPT ); Wed, 27 Jul 2022 12:43:25 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:58340 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S238617AbiG0QnG (ORCPT ); Wed, 27 Jul 2022 12:43:06 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 030EEBE25; Wed, 27 Jul 2022 09:30:13 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id D3B28B821B7; Wed, 27 Jul 2022 16:30:07 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 2F85EC433C1; Wed, 27 Jul 2022 16:30:06 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1658939406; bh=irEaGC7QiScJXaA0VzHAwDN1ja0oXUlRZ6DH/Viu7J8=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=dHxzNwrqoQV3ZmsNEC12VetOAZ+PpIvNPCSxcWvZvcaab6igWPxXYy3YDj3Ec9Mj7 E4EUJhs1NVTxSxOTDGIvzKpHZeS7mCDOjgQxFFb7NhDrnPYulKxSGTROFs8f2xRur1 b5MZgge+y9SR+HhKT0RibrIXg78yeKaGRMsFMQ2E= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, GUO Zihua , Stable@vger.kernel.org, Mimi Zohar , Sasha Levin Subject: [PATCH 5.4 59/87] ima: remove the IMA_TEMPLATE Kconfig option Date: Wed, 27 Jul 2022 18:10:52 +0200 Message-Id: <20220727161011.457961979@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220727161008.993711844@linuxfoundation.org> References: <20220727161008.993711844@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: GUO Zihua [ Upstream commit 891163adf180bc369b2f11c9dfce6d2758d2a5bd ] The original 'ima' measurement list template contains a hash, defined as 20 bytes, and a null terminated pathname, limited to 255 characters. Other measurement list templates permit both larger hashes and longer pathnames. When the "ima" template is configured as the default, a new measurement list template (ima_template=3D) must be specified before specifying a larger hash algorithm (ima_hash=3D) on the boot command line. To avoid this boot command line ordering issue, remove the legacy "ima" template configuration option, allowing it to still be specified on the boot command line. The root cause of this issue is that during the processing of ima_hash, we would try to check whether the hash algorithm is compatible with the template. If the template is not set at the moment we do the check, we check the algorithm against the configured default template. If the default template is "ima", then we reject any hash algorithm other than sha1 and md5. For example, if the compiled default template is "ima", and the default algorithm is sha1 (which is the current default). In the cmdline, we put in "ima_hash=3Dsha256 ima_template=3Dima-ng". The expected behavior would be that ima starts with ima-ng as the template and sha256 as the hash algorithm. However, during the processing of "ima_hash=3D", "ima_template=3D" has not been processed yet, and hash_setup would check the configured hash algorithm against the compiled default: ima, and reject sha256. So at the end, the hash algorithm that is actually used will be sha1. With template "ima" removed from the configured default, we ensure that the default tempalte would at least be "ima-ng" which allows for basically any hash algorithm. This change would not break the algorithm compatibility checks for IMA. Fixes: 4286587dccd43 ("ima: add Kconfig default measurement list template") Signed-off-by: GUO Zihua Cc: Signed-off-by: Mimi Zohar Signed-off-by: Sasha Levin Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- security/integrity/ima/Kconfig | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig index 748f3ee27b23..44b3315f3235 100644 --- a/security/integrity/ima/Kconfig +++ b/security/integrity/ima/Kconfig @@ -69,10 +69,9 @@ choice hash, defined as 20 bytes, and a null terminated pathname, limited to 255 characters. The 'ima-ng' measurement list template permits both larger hash digests and longer - pathnames. + pathnames. The configured default template can be replaced + by specifying "ima_template=3D" on the boot command line. =20 - config IMA_TEMPLATE - bool "ima" config IMA_NG_TEMPLATE bool "ima-ng (default)" config IMA_SIG_TEMPLATE @@ -82,7 +81,6 @@ endchoice config IMA_DEFAULT_TEMPLATE string depends on IMA - default "ima" if IMA_TEMPLATE default "ima-ng" if IMA_NG_TEMPLATE default "ima-sig" if IMA_SIG_TEMPLATE =20 @@ -102,15 +100,15 @@ choice =20 config IMA_DEFAULT_HASH_SHA256 bool "SHA256" - depends on CRYPTO_SHA256=3Dy && !IMA_TEMPLATE + depends on CRYPTO_SHA256=3Dy =20 config IMA_DEFAULT_HASH_SHA512 bool "SHA512" - depends on CRYPTO_SHA512=3Dy && !IMA_TEMPLATE + depends on CRYPTO_SHA512=3Dy =20 config IMA_DEFAULT_HASH_WP512 bool "WP512" - depends on CRYPTO_WP512=3Dy && !IMA_TEMPLATE + depends on CRYPTO_WP512=3Dy endchoice =20 config IMA_DEFAULT_HASH --=20 2.35.1 From nobody Wed Apr 15 02:54:32 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 9EA74C04A68 for ; Wed, 27 Jul 2022 16:43:32 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S239999AbiG0Qnb (ORCPT ); Wed, 27 Jul 2022 12:43:31 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:42498 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S239939AbiG0QnL (ORCPT ); Wed, 27 Jul 2022 12:43:11 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [145.40.68.75]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 0A01DDF40; Wed, 27 Jul 2022 09:30:15 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id C5C76B821BD; Wed, 27 Jul 2022 16:30:10 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id E1278C433D6; Wed, 27 Jul 2022 16:30:08 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1658939409; bh=rl9oJJkvn58x9noV5z8eu/TMj6YowMSKLx4zoR0DB/w=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=VV1LiiJvvhHExWd7tErduCYu5qzfbTURMzgqd/EQEIiXajjk8jxIS3aF6prtUPxx5 XKtmbkHEebyrDAO/WXNqNpncITdwMA6h2s9UXkSwzLIUpGG+m6MopB2jxf3BjT462b enwrCQI0tTp7yq8qM7h3F/LmBMJsCF+/dqB5ZsxE= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Will Deacon , Ard Biesheuvel , Kees Cook , Hanjun Guo , Ard Biesheuvel , Elena Reshetova , Linus Torvalds , Peter Zijlstra , Thomas Gleixner , Ingo Molnar , Sasha Levin Subject: [PATCH 5.4 60/87] locking/refcount: Define constants for saturation and max refcount values Date: Wed, 27 Jul 2022 18:10:53 +0200 Message-Id: <20220727161011.488299605@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220727161008.993711844@linuxfoundation.org> References: <20220727161008.993711844@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Will Deacon [ Upstream commit 23e6b169c9917fbd77534f8c5f378cb073f548bd ] The REFCOUNT_FULL implementation uses a different saturation point than the x86 implementation, which means that the shared refcount code in lib/refcount.c (e.g. refcount_dec_not_one()) needs to be aware of the difference. Rather than duplicate the definitions from the lkdtm driver, instead move them into and update all references accordingly. Signed-off-by: Will Deacon Reviewed-by: Ard Biesheuvel Reviewed-by: Kees Cook Tested-by: Hanjun Guo Cc: Ard Biesheuvel Cc: Elena Reshetova Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Thomas Gleixner Link: https://lkml.kernel.org/r/20191121115902.2551-2-will@kernel.org Signed-off-by: Ingo Molnar Signed-off-by: Sasha Levin Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- drivers/misc/lkdtm/refcount.c | 8 -------- include/linux/refcount.h | 10 +++++++++- lib/refcount.c | 37 +++++++++++++++++++---------------- 3 files changed, 29 insertions(+), 26 deletions(-) diff --git a/drivers/misc/lkdtm/refcount.c b/drivers/misc/lkdtm/refcount.c index 0a146b32da13..abf3b7c1f686 100644 --- a/drivers/misc/lkdtm/refcount.c +++ b/drivers/misc/lkdtm/refcount.c @@ -6,14 +6,6 @@ #include "lkdtm.h" #include =20 -#ifdef CONFIG_REFCOUNT_FULL -#define REFCOUNT_MAX (UINT_MAX - 1) -#define REFCOUNT_SATURATED UINT_MAX -#else -#define REFCOUNT_MAX INT_MAX -#define REFCOUNT_SATURATED (INT_MIN / 2) -#endif - static void overflow_check(refcount_t *ref) { switch (refcount_read(ref)) { diff --git a/include/linux/refcount.h b/include/linux/refcount.h index e28cce21bad6..79f62e8d2256 100644 --- a/include/linux/refcount.h +++ b/include/linux/refcount.h @@ -4,6 +4,7 @@ =20 #include #include +#include #include =20 struct mutex; @@ -12,7 +13,7 @@ struct mutex; * struct refcount_t - variant of atomic_t specialized for reference counts * @refs: atomic_t counter field * - * The counter saturates at UINT_MAX and will not move once + * The counter saturates at REFCOUNT_SATURATED and will not move once * there. This avoids wrapping the counter and causing 'spurious' * use-after-free bugs. */ @@ -56,6 +57,9 @@ extern void refcount_dec_checked(refcount_t *r); =20 #ifdef CONFIG_REFCOUNT_FULL =20 +#define REFCOUNT_MAX (UINT_MAX - 1) +#define REFCOUNT_SATURATED UINT_MAX + #define refcount_add_not_zero refcount_add_not_zero_checked #define refcount_add refcount_add_checked =20 @@ -68,6 +72,10 @@ extern void refcount_dec_checked(refcount_t *r); #define refcount_dec refcount_dec_checked =20 #else + +#define REFCOUNT_MAX INT_MAX +#define REFCOUNT_SATURATED (INT_MIN / 2) + # ifdef CONFIG_ARCH_HAS_REFCOUNT # include # else diff --git a/lib/refcount.c b/lib/refcount.c index 6e904af0fb3e..48b78a423d7d 100644 --- a/lib/refcount.c +++ b/lib/refcount.c @@ -5,8 +5,8 @@ * The interface matches the atomic_t interface (to aid in porting) but on= ly * provides the few functions one should use for reference counting. * - * It differs in that the counter saturates at UINT_MAX and will not move = once - * there. This avoids wrapping the counter and causing 'spurious' + * It differs in that the counter saturates at REFCOUNT_SATURATED and will= not + * move once there. This avoids wrapping the counter and causing 'spurious' * use-after-free issues. * * Memory ordering rules are slightly relaxed wrt regular atomic_t functio= ns @@ -48,7 +48,7 @@ * @i: the value to add to the refcount * @r: the refcount * - * Will saturate at UINT_MAX and WARN. + * Will saturate at REFCOUNT_SATURATED and WARN. * * Provides no memory ordering, it is assumed the caller has guaranteed the * object memory to be stable (RCU, etc.). It does provide a control depen= dency @@ -69,16 +69,17 @@ bool refcount_add_not_zero_checked(unsigned int i, refc= ount_t *r) if (!val) return false; =20 - if (unlikely(val =3D=3D UINT_MAX)) + if (unlikely(val =3D=3D REFCOUNT_SATURATED)) return true; =20 new =3D val + i; if (new < val) - new =3D UINT_MAX; + new =3D REFCOUNT_SATURATED; =20 } while (!atomic_try_cmpxchg_relaxed(&r->refs, &val, new)); =20 - WARN_ONCE(new =3D=3D UINT_MAX, "refcount_t: saturated; leaking memory.\n"= ); + WARN_ONCE(new =3D=3D REFCOUNT_SATURATED, + "refcount_t: saturated; leaking memory.\n"); =20 return true; } @@ -89,7 +90,7 @@ EXPORT_SYMBOL(refcount_add_not_zero_checked); * @i: the value to add to the refcount * @r: the refcount * - * Similar to atomic_add(), but will saturate at UINT_MAX and WARN. + * Similar to atomic_add(), but will saturate at REFCOUNT_SATURATED and WA= RN. * * Provides no memory ordering, it is assumed the caller has guaranteed the * object memory to be stable (RCU, etc.). It does provide a control depen= dency @@ -110,7 +111,8 @@ EXPORT_SYMBOL(refcount_add_checked); * refcount_inc_not_zero_checked - increment a refcount unless it is 0 * @r: the refcount to increment * - * Similar to atomic_inc_not_zero(), but will saturate at UINT_MAX and WAR= N. + * Similar to atomic_inc_not_zero(), but will saturate at REFCOUNT_SATURAT= ED + * and WARN. * * Provides no memory ordering, it is assumed the caller has guaranteed the * object memory to be stable (RCU, etc.). It does provide a control depen= dency @@ -133,7 +135,8 @@ bool refcount_inc_not_zero_checked(refcount_t *r) =20 } while (!atomic_try_cmpxchg_relaxed(&r->refs, &val, new)); =20 - WARN_ONCE(new =3D=3D UINT_MAX, "refcount_t: saturated; leaking memory.\n"= ); + WARN_ONCE(new =3D=3D REFCOUNT_SATURATED, + "refcount_t: saturated; leaking memory.\n"); =20 return true; } @@ -143,7 +146,7 @@ EXPORT_SYMBOL(refcount_inc_not_zero_checked); * refcount_inc_checked - increment a refcount * @r: the refcount to increment * - * Similar to atomic_inc(), but will saturate at UINT_MAX and WARN. + * Similar to atomic_inc(), but will saturate at REFCOUNT_SATURATED and WA= RN. * * Provides no memory ordering, it is assumed the caller already has a * reference on the object. @@ -164,7 +167,7 @@ EXPORT_SYMBOL(refcount_inc_checked); * * Similar to atomic_dec_and_test(), but it will WARN, return false and * ultimately leak on underflow and will fail to decrement when saturated - * at UINT_MAX. + * at REFCOUNT_SATURATED. * * Provides release memory ordering, such that prior loads and stores are = done * before, and provides an acquire ordering on success such that free() @@ -182,7 +185,7 @@ bool refcount_sub_and_test_checked(unsigned int i, refc= ount_t *r) unsigned int new, val =3D atomic_read(&r->refs); =20 do { - if (unlikely(val =3D=3D UINT_MAX)) + if (unlikely(val =3D=3D REFCOUNT_SATURATED)) return false; =20 new =3D val - i; @@ -207,7 +210,7 @@ EXPORT_SYMBOL(refcount_sub_and_test_checked); * @r: the refcount * * Similar to atomic_dec_and_test(), it will WARN on underflow and fail to - * decrement when saturated at UINT_MAX. + * decrement when saturated at REFCOUNT_SATURATED. * * Provides release memory ordering, such that prior loads and stores are = done * before, and provides an acquire ordering on success such that free() @@ -226,7 +229,7 @@ EXPORT_SYMBOL(refcount_dec_and_test_checked); * @r: the refcount * * Similar to atomic_dec(), it will WARN on underflow and fail to decrement - * when saturated at UINT_MAX. + * when saturated at REFCOUNT_SATURATED. * * Provides release memory ordering, such that prior loads and stores are = done * before. @@ -277,7 +280,7 @@ bool refcount_dec_not_one(refcount_t *r) unsigned int new, val =3D atomic_read(&r->refs); =20 do { - if (unlikely(val =3D=3D UINT_MAX)) + if (unlikely(val =3D=3D REFCOUNT_SATURATED)) return true; =20 if (val =3D=3D 1) @@ -302,7 +305,7 @@ EXPORT_SYMBOL(refcount_dec_not_one); * @lock: the mutex to be locked * * Similar to atomic_dec_and_mutex_lock(), it will WARN on underflow and f= ail - * to decrement when saturated at UINT_MAX. + * to decrement when saturated at REFCOUNT_SATURATED. * * Provides release memory ordering, such that prior loads and stores are = done * before, and provides a control dependency such that free() must come af= ter. @@ -333,7 +336,7 @@ EXPORT_SYMBOL(refcount_dec_and_mutex_lock); * @lock: the spinlock to be locked * * Similar to atomic_dec_and_lock(), it will WARN on underflow and fail to - * decrement when saturated at UINT_MAX. + * decrement when saturated at REFCOUNT_SATURATED. * * Provides release memory ordering, such that prior loads and stores are = done * before, and provides a control dependency such that free() must come af= ter. --=20 2.35.1 From nobody Wed Apr 15 02:54:32 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id C708DC04A68 for ; Wed, 27 Jul 2022 16:43:37 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S240045AbiG0Qnf (ORCPT ); Wed, 27 Jul 2022 12:43:35 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:59236 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S239761AbiG0QnP (ORCPT ); Wed, 27 Jul 2022 12:43:15 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [145.40.68.75]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 096365072E; Wed, 27 Jul 2022 09:30:19 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id A8343B821C8; Wed, 27 Jul 2022 16:30:13 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id D5751C433D6; Wed, 27 Jul 2022 16:30:11 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1658939412; bh=4n3VmcxWedC1r5TGuxLLFmXPpspP/C7qwPpncEwq+aU=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=goowL7LZcG0X5Upud81b7xmsz4Jh6owBihXOBhEk9XCpBKJWFkpq57BWCBvjYzv8/ fJjA75FF8koyEdhO8LIZI5pALOlp4IvP1FZQx69F+kQPmL9OgRSZ4qd7rIoawiQTdk SysmjncRjiSAwsk3rOkg0683c5mf5FGAl4wYTFCY= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Will Deacon , Ard Biesheuvel , Kees Cook , Hanjun Guo , Ard Biesheuvel , Elena Reshetova , Linus Torvalds , Peter Zijlstra , Thomas Gleixner , Ingo Molnar , Sasha Levin Subject: [PATCH 5.4 61/87] locking/refcount: Ensure integer operands are treated as signed Date: Wed, 27 Jul 2022 18:10:54 +0200 Message-Id: <20220727161011.522539778@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220727161008.993711844@linuxfoundation.org> References: <20220727161008.993711844@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Will Deacon [ Upstream commit 97a1420adf0cdf0cf6f41bab0b2acf658c96b94b ] In preparation for changing the saturation point of REFCOUNT_FULL to INT_MIN/2, change the type of integer operands passed into the API from 'unsigned int' to 'int' so that we can avoid casting during comparisons when we don't want to fall foul of C integral conversion rules for signed and unsigned types. Since the kernel is compiled with '-fno-strict-overflow', we don't need to worry about the UB introduced by signed overflow here. Furthermore, we're already making heavy use of the atomic_t API, which operates exclusively on signed types. Signed-off-by: Will Deacon Reviewed-by: Ard Biesheuvel Reviewed-by: Kees Cook Tested-by: Hanjun Guo Cc: Ard Biesheuvel Cc: Elena Reshetova Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Thomas Gleixner Link: https://lkml.kernel.org/r/20191121115902.2551-3-will@kernel.org Signed-off-by: Ingo Molnar Signed-off-by: Sasha Levin Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- include/linux/refcount.h | 14 +++++++------- lib/refcount.c | 6 +++--- 2 files changed, 10 insertions(+), 10 deletions(-) diff --git a/include/linux/refcount.h b/include/linux/refcount.h index 79f62e8d2256..89066a1471dd 100644 --- a/include/linux/refcount.h +++ b/include/linux/refcount.h @@ -28,7 +28,7 @@ typedef struct refcount_struct { * @r: the refcount * @n: value to which the refcount will be set */ -static inline void refcount_set(refcount_t *r, unsigned int n) +static inline void refcount_set(refcount_t *r, int n) { atomic_set(&r->refs, n); } @@ -44,13 +44,13 @@ static inline unsigned int refcount_read(const refcount= _t *r) return atomic_read(&r->refs); } =20 -extern __must_check bool refcount_add_not_zero_checked(unsigned int i, ref= count_t *r); -extern void refcount_add_checked(unsigned int i, refcount_t *r); +extern __must_check bool refcount_add_not_zero_checked(int i, refcount_t *= r); +extern void refcount_add_checked(int i, refcount_t *r); =20 extern __must_check bool refcount_inc_not_zero_checked(refcount_t *r); extern void refcount_inc_checked(refcount_t *r); =20 -extern __must_check bool refcount_sub_and_test_checked(unsigned int i, ref= count_t *r); +extern __must_check bool refcount_sub_and_test_checked(int i, refcount_t *= r); =20 extern __must_check bool refcount_dec_and_test_checked(refcount_t *r); extern void refcount_dec_checked(refcount_t *r); @@ -79,12 +79,12 @@ extern void refcount_dec_checked(refcount_t *r); # ifdef CONFIG_ARCH_HAS_REFCOUNT # include # else -static inline __must_check bool refcount_add_not_zero(unsigned int i, refc= ount_t *r) +static inline __must_check bool refcount_add_not_zero(int i, refcount_t *r) { return atomic_add_unless(&r->refs, i, 0); } =20 -static inline void refcount_add(unsigned int i, refcount_t *r) +static inline void refcount_add(int i, refcount_t *r) { atomic_add(i, &r->refs); } @@ -99,7 +99,7 @@ static inline void refcount_inc(refcount_t *r) atomic_inc(&r->refs); } =20 -static inline __must_check bool refcount_sub_and_test(unsigned int i, refc= ount_t *r) +static inline __must_check bool refcount_sub_and_test(int i, refcount_t *r) { return atomic_sub_and_test(i, &r->refs); } diff --git a/lib/refcount.c b/lib/refcount.c index 48b78a423d7d..719b0bc42ab1 100644 --- a/lib/refcount.c +++ b/lib/refcount.c @@ -61,7 +61,7 @@ * * Return: false if the passed refcount is 0, true otherwise */ -bool refcount_add_not_zero_checked(unsigned int i, refcount_t *r) +bool refcount_add_not_zero_checked(int i, refcount_t *r) { unsigned int new, val =3D atomic_read(&r->refs); =20 @@ -101,7 +101,7 @@ EXPORT_SYMBOL(refcount_add_not_zero_checked); * cases, refcount_inc(), or one of its variants, should instead be used to * increment a reference count. */ -void refcount_add_checked(unsigned int i, refcount_t *r) +void refcount_add_checked(int i, refcount_t *r) { WARN_ONCE(!refcount_add_not_zero_checked(i, r), "refcount_t: addition on = 0; use-after-free.\n"); } @@ -180,7 +180,7 @@ EXPORT_SYMBOL(refcount_inc_checked); * * Return: true if the resulting refcount is 0, false otherwise */ -bool refcount_sub_and_test_checked(unsigned int i, refcount_t *r) +bool refcount_sub_and_test_checked(int i, refcount_t *r) { unsigned int new, val =3D atomic_read(&r->refs); =20 --=20 2.35.1 From nobody Wed Apr 15 02:54:32 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id B9319C19F2B for ; Wed, 27 Jul 2022 16:43:34 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S240017AbiG0Qnd (ORCPT ); Wed, 27 Jul 2022 12:43:33 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:59184 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S239758AbiG0QnO (ORCPT ); Wed, 27 Jul 2022 12:43:14 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 8EEAE501A9; Wed, 27 Jul 2022 09:30:18 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id C513561A09; Wed, 27 Jul 2022 16:30:15 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id A57CBC433D7; Wed, 27 Jul 2022 16:30:14 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1658939415; bh=OUyJl/ofS2R449IpCtlkGA3fwfuxpMJvO0sO5mKjdLw=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=b9zCi7rMpq6PrYMnvD1+M/T+QwWLVEysWobJzNDv8OaS1vuVFe7vphA2KgSvdDH3Q aOvpq1/EK2vWNEvwBGJsuR5lhaHuq26Knc6i9OAlqEmlcUbrkCJ17d+dPFcHd6yJ45 +d4b2x/dby+MtJ/RcU3e5c11AakXOILfV5yEOSgM= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Will Deacon , Ard Biesheuvel , Kees Cook , Hanjun Guo , Ard Biesheuvel , Elena Reshetova , Linus Torvalds , Peter Zijlstra , Thomas Gleixner , Ingo Molnar , Sasha Levin Subject: [PATCH 5.4 62/87] locking/refcount: Remove unused refcount_*_checked() variants Date: Wed, 27 Jul 2022 18:10:55 +0200 Message-Id: <20220727161011.561064175@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220727161008.993711844@linuxfoundation.org> References: <20220727161008.993711844@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Will Deacon [ Upstream commit 7221762c48c6bbbcc6cc51d8b803c06930215e34 ] The full-fat refcount implementation is exposed via a set of functions suffixed with "_checked()", the idea being that code can choose to use the more expensive, yet more secure implementation on a case-by-case basis. In reality, this hasn't happened, so with a grand total of zero users, let's remove the checked variants for now by simply dropping the suffix and predicating the out-of-line functions on CONFIG_REFCOUNT_FULL=3Dy. Signed-off-by: Will Deacon Reviewed-by: Ard Biesheuvel Reviewed-by: Kees Cook Tested-by: Hanjun Guo Cc: Ard Biesheuvel Cc: Elena Reshetova Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Thomas Gleixner Link: https://lkml.kernel.org/r/20191121115902.2551-4-will@kernel.org Signed-off-by: Ingo Molnar Signed-off-by: Sasha Levin Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- include/linux/refcount.h | 25 ++++++------------- lib/refcount.c | 54 +++++++++++++++++++++------------------- 2 files changed, 36 insertions(+), 43 deletions(-) diff --git a/include/linux/refcount.h b/include/linux/refcount.h index 89066a1471dd..edd505d1a23b 100644 --- a/include/linux/refcount.h +++ b/include/linux/refcount.h @@ -44,32 +44,21 @@ static inline unsigned int refcount_read(const refcount= _t *r) return atomic_read(&r->refs); } =20 -extern __must_check bool refcount_add_not_zero_checked(int i, refcount_t *= r); -extern void refcount_add_checked(int i, refcount_t *r); - -extern __must_check bool refcount_inc_not_zero_checked(refcount_t *r); -extern void refcount_inc_checked(refcount_t *r); - -extern __must_check bool refcount_sub_and_test_checked(int i, refcount_t *= r); - -extern __must_check bool refcount_dec_and_test_checked(refcount_t *r); -extern void refcount_dec_checked(refcount_t *r); - #ifdef CONFIG_REFCOUNT_FULL =20 #define REFCOUNT_MAX (UINT_MAX - 1) #define REFCOUNT_SATURATED UINT_MAX =20 -#define refcount_add_not_zero refcount_add_not_zero_checked -#define refcount_add refcount_add_checked +extern __must_check bool refcount_add_not_zero(int i, refcount_t *r); +extern void refcount_add(int i, refcount_t *r); =20 -#define refcount_inc_not_zero refcount_inc_not_zero_checked -#define refcount_inc refcount_inc_checked +extern __must_check bool refcount_inc_not_zero(refcount_t *r); +extern void refcount_inc(refcount_t *r); =20 -#define refcount_sub_and_test refcount_sub_and_test_checked +extern __must_check bool refcount_sub_and_test(int i, refcount_t *r); =20 -#define refcount_dec_and_test refcount_dec_and_test_checked -#define refcount_dec refcount_dec_checked +extern __must_check bool refcount_dec_and_test(refcount_t *r); +extern void refcount_dec(refcount_t *r); =20 #else =20 diff --git a/lib/refcount.c b/lib/refcount.c index 719b0bc42ab1..a2f670998cee 100644 --- a/lib/refcount.c +++ b/lib/refcount.c @@ -43,8 +43,10 @@ #include #include =20 +#ifdef CONFIG_REFCOUNT_FULL + /** - * refcount_add_not_zero_checked - add a value to a refcount unless it is 0 + * refcount_add_not_zero - add a value to a refcount unless it is 0 * @i: the value to add to the refcount * @r: the refcount * @@ -61,7 +63,7 @@ * * Return: false if the passed refcount is 0, true otherwise */ -bool refcount_add_not_zero_checked(int i, refcount_t *r) +bool refcount_add_not_zero(int i, refcount_t *r) { unsigned int new, val =3D atomic_read(&r->refs); =20 @@ -83,10 +85,10 @@ bool refcount_add_not_zero_checked(int i, refcount_t *r) =20 return true; } -EXPORT_SYMBOL(refcount_add_not_zero_checked); +EXPORT_SYMBOL(refcount_add_not_zero); =20 /** - * refcount_add_checked - add a value to a refcount + * refcount_add - add a value to a refcount * @i: the value to add to the refcount * @r: the refcount * @@ -101,14 +103,14 @@ EXPORT_SYMBOL(refcount_add_not_zero_checked); * cases, refcount_inc(), or one of its variants, should instead be used to * increment a reference count. */ -void refcount_add_checked(int i, refcount_t *r) +void refcount_add(int i, refcount_t *r) { - WARN_ONCE(!refcount_add_not_zero_checked(i, r), "refcount_t: addition on = 0; use-after-free.\n"); + WARN_ONCE(!refcount_add_not_zero(i, r), "refcount_t: addition on 0; use-a= fter-free.\n"); } -EXPORT_SYMBOL(refcount_add_checked); +EXPORT_SYMBOL(refcount_add); =20 /** - * refcount_inc_not_zero_checked - increment a refcount unless it is 0 + * refcount_inc_not_zero - increment a refcount unless it is 0 * @r: the refcount to increment * * Similar to atomic_inc_not_zero(), but will saturate at REFCOUNT_SATURAT= ED @@ -120,7 +122,7 @@ EXPORT_SYMBOL(refcount_add_checked); * * Return: true if the increment was successful, false otherwise */ -bool refcount_inc_not_zero_checked(refcount_t *r) +bool refcount_inc_not_zero(refcount_t *r) { unsigned int new, val =3D atomic_read(&r->refs); =20 @@ -140,10 +142,10 @@ bool refcount_inc_not_zero_checked(refcount_t *r) =20 return true; } -EXPORT_SYMBOL(refcount_inc_not_zero_checked); +EXPORT_SYMBOL(refcount_inc_not_zero); =20 /** - * refcount_inc_checked - increment a refcount + * refcount_inc - increment a refcount * @r: the refcount to increment * * Similar to atomic_inc(), but will saturate at REFCOUNT_SATURATED and WA= RN. @@ -154,14 +156,14 @@ EXPORT_SYMBOL(refcount_inc_not_zero_checked); * Will WARN if the refcount is 0, as this represents a possible use-after= -free * condition. */ -void refcount_inc_checked(refcount_t *r) +void refcount_inc(refcount_t *r) { - WARN_ONCE(!refcount_inc_not_zero_checked(r), "refcount_t: increment on 0;= use-after-free.\n"); + WARN_ONCE(!refcount_inc_not_zero(r), "refcount_t: increment on 0; use-aft= er-free.\n"); } -EXPORT_SYMBOL(refcount_inc_checked); +EXPORT_SYMBOL(refcount_inc); =20 /** - * refcount_sub_and_test_checked - subtract from a refcount and test if it= is 0 + * refcount_sub_and_test - subtract from a refcount and test if it is 0 * @i: amount to subtract from the refcount * @r: the refcount * @@ -180,7 +182,7 @@ EXPORT_SYMBOL(refcount_inc_checked); * * Return: true if the resulting refcount is 0, false otherwise */ -bool refcount_sub_and_test_checked(int i, refcount_t *r) +bool refcount_sub_and_test(int i, refcount_t *r) { unsigned int new, val =3D atomic_read(&r->refs); =20 @@ -203,10 +205,10 @@ bool refcount_sub_and_test_checked(int i, refcount_t = *r) return false; =20 } -EXPORT_SYMBOL(refcount_sub_and_test_checked); +EXPORT_SYMBOL(refcount_sub_and_test); =20 /** - * refcount_dec_and_test_checked - decrement a refcount and test if it is 0 + * refcount_dec_and_test - decrement a refcount and test if it is 0 * @r: the refcount * * Similar to atomic_dec_and_test(), it will WARN on underflow and fail to @@ -218,14 +220,14 @@ EXPORT_SYMBOL(refcount_sub_and_test_checked); * * Return: true if the resulting refcount is 0, false otherwise */ -bool refcount_dec_and_test_checked(refcount_t *r) +bool refcount_dec_and_test(refcount_t *r) { - return refcount_sub_and_test_checked(1, r); + return refcount_sub_and_test(1, r); } -EXPORT_SYMBOL(refcount_dec_and_test_checked); +EXPORT_SYMBOL(refcount_dec_and_test); =20 /** - * refcount_dec_checked - decrement a refcount + * refcount_dec - decrement a refcount * @r: the refcount * * Similar to atomic_dec(), it will WARN on underflow and fail to decrement @@ -234,11 +236,13 @@ EXPORT_SYMBOL(refcount_dec_and_test_checked); * Provides release memory ordering, such that prior loads and stores are = done * before. */ -void refcount_dec_checked(refcount_t *r) +void refcount_dec(refcount_t *r) { - WARN_ONCE(refcount_dec_and_test_checked(r), "refcount_t: decrement hit 0;= leaking memory.\n"); + WARN_ONCE(refcount_dec_and_test(r), "refcount_t: decrement hit 0; leaking= memory.\n"); } -EXPORT_SYMBOL(refcount_dec_checked); +EXPORT_SYMBOL(refcount_dec); + +#endif /* CONFIG_REFCOUNT_FULL */ =20 /** * refcount_dec_if_one - decrement a refcount if it is 1 --=20 2.35.1 From nobody Wed Apr 15 02:54:32 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 81354C04A68 for ; Wed, 27 Jul 2022 16:43:56 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S239240AbiG0Qny (ORCPT ); Wed, 27 Jul 2022 12:43:54 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:58176 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S239588AbiG0QnR (ORCPT ); Wed, 27 Jul 2022 12:43:17 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 8CCE25C96F; Wed, 27 Jul 2022 09:30:21 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 2F234B821C2; Wed, 27 Jul 2022 16:30:19 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 6398BC433D6; Wed, 27 Jul 2022 16:30:17 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1658939417; bh=demC+PeDmYDZI8/HOpE7owCl91LVUslvTxYxl8V8ZFs=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=WCcXdW03BKbuJ/oF+i4cezcXKTeQ89SXHSYGvAG/hB08oWz99lODERP2dTUFiydoI KytySlI6kDsn8Ch3Kdvg8TSZwCBsgDHT96jwudYa54/L/g5MiH+eUJ6vgn1T9UAeYm Mwjacax8LSO2GrZBUugOqu/8D5jDPNW3MsPxfRG4= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Will Deacon , Ard Biesheuvel , Kees Cook , Hanjun Guo , Ard Biesheuvel , Elena Reshetova , Linus Torvalds , Peter Zijlstra , Thomas Gleixner , Ingo Molnar , Sasha Levin Subject: [PATCH 5.4 63/87] locking/refcount: Move the bulk of the REFCOUNT_FULL implementation into the header Date: Wed, 27 Jul 2022 18:10:56 +0200 Message-Id: <20220727161011.601518877@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220727161008.993711844@linuxfoundation.org> References: <20220727161008.993711844@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Will Deacon [ Upstream commit 77e9971c79c29542ab7dd4140f9343bf2ff36158 ] In an effort to improve performance of the REFCOUNT_FULL implementation, move the bulk of its functions into linux/refcount.h. This allows them to be inlined in the same way as if they had been provided via CONFIG_ARCH_HAS_REFCOUNT. Signed-off-by: Will Deacon Reviewed-by: Ard Biesheuvel Reviewed-by: Kees Cook Tested-by: Hanjun Guo Cc: Ard Biesheuvel Cc: Elena Reshetova Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Thomas Gleixner Link: https://lkml.kernel.org/r/20191121115902.2551-5-will@kernel.org Signed-off-by: Ingo Molnar Signed-off-by: Sasha Levin Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- include/linux/refcount.h | 237 ++++++++++++++++++++++++++++++++++++-- lib/refcount.c | 238 +-------------------------------------- 2 files changed, 229 insertions(+), 246 deletions(-) diff --git a/include/linux/refcount.h b/include/linux/refcount.h index edd505d1a23b..e719b5b1220e 100644 --- a/include/linux/refcount.h +++ b/include/linux/refcount.h @@ -45,22 +45,241 @@ static inline unsigned int refcount_read(const refcoun= t_t *r) } =20 #ifdef CONFIG_REFCOUNT_FULL +#include =20 #define REFCOUNT_MAX (UINT_MAX - 1) #define REFCOUNT_SATURATED UINT_MAX =20 -extern __must_check bool refcount_add_not_zero(int i, refcount_t *r); -extern void refcount_add(int i, refcount_t *r); +/* + * Variant of atomic_t specialized for reference counts. + * + * The interface matches the atomic_t interface (to aid in porting) but on= ly + * provides the few functions one should use for reference counting. + * + * It differs in that the counter saturates at REFCOUNT_SATURATED and will= not + * move once there. This avoids wrapping the counter and causing 'spurious' + * use-after-free issues. + * + * Memory ordering rules are slightly relaxed wrt regular atomic_t functio= ns + * and provide only what is strictly required for refcounts. + * + * The increments are fully relaxed; these will not provide ordering. The + * rationale is that whatever is used to obtain the object we're increasin= g the + * reference count on will provide the ordering. For locked data structure= s, + * its the lock acquire, for RCU/lockless data structures its the dependent + * load. + * + * Do note that inc_not_zero() provides a control dependency which will or= der + * future stores against the inc, this ensures we'll never modify the obje= ct + * if we did not in fact acquire a reference. + * + * The decrements will provide release order, such that all the prior load= s and + * stores will be issued before, it also provides a control dependency, wh= ich + * will order us against the subsequent free(). + * + * The control dependency is against the load of the cmpxchg (ll/sc) that + * succeeded. This means the stores aren't fully ordered, but this is fine + * because the 1->0 transition indicates no concurrency. + * + * Note that the allocator is responsible for ordering things between free= () + * and alloc(). + * + * The decrements dec_and_test() and sub_and_test() also provide acquire + * ordering on success. + * + */ + +/** + * refcount_add_not_zero - add a value to a refcount unless it is 0 + * @i: the value to add to the refcount + * @r: the refcount + * + * Will saturate at REFCOUNT_SATURATED and WARN. + * + * Provides no memory ordering, it is assumed the caller has guaranteed the + * object memory to be stable (RCU, etc.). It does provide a control depen= dency + * and thereby orders future stores. See the comment on top. + * + * Use of this function is not recommended for the normal reference counti= ng + * use case in which references are taken and released one at a time. In = these + * cases, refcount_inc(), or one of its variants, should instead be used to + * increment a reference count. + * + * Return: false if the passed refcount is 0, true otherwise + */ +static inline __must_check bool refcount_add_not_zero(int i, refcount_t *r) +{ + unsigned int new, val =3D atomic_read(&r->refs); + + do { + if (!val) + return false; + + if (unlikely(val =3D=3D REFCOUNT_SATURATED)) + return true; + + new =3D val + i; + if (new < val) + new =3D REFCOUNT_SATURATED; + + } while (!atomic_try_cmpxchg_relaxed(&r->refs, &val, new)); + + WARN_ONCE(new =3D=3D REFCOUNT_SATURATED, + "refcount_t: saturated; leaking memory.\n"); + + return true; +} + +/** + * refcount_add - add a value to a refcount + * @i: the value to add to the refcount + * @r: the refcount + * + * Similar to atomic_add(), but will saturate at REFCOUNT_SATURATED and WA= RN. + * + * Provides no memory ordering, it is assumed the caller has guaranteed the + * object memory to be stable (RCU, etc.). It does provide a control depen= dency + * and thereby orders future stores. See the comment on top. + * + * Use of this function is not recommended for the normal reference counti= ng + * use case in which references are taken and released one at a time. In = these + * cases, refcount_inc(), or one of its variants, should instead be used to + * increment a reference count. + */ +static inline void refcount_add(int i, refcount_t *r) +{ + WARN_ONCE(!refcount_add_not_zero(i, r), "refcount_t: addition on 0; use-a= fter-free.\n"); +} + +/** + * refcount_inc_not_zero - increment a refcount unless it is 0 + * @r: the refcount to increment + * + * Similar to atomic_inc_not_zero(), but will saturate at REFCOUNT_SATURAT= ED + * and WARN. + * + * Provides no memory ordering, it is assumed the caller has guaranteed the + * object memory to be stable (RCU, etc.). It does provide a control depen= dency + * and thereby orders future stores. See the comment on top. + * + * Return: true if the increment was successful, false otherwise + */ +static inline __must_check bool refcount_inc_not_zero(refcount_t *r) +{ + unsigned int new, val =3D atomic_read(&r->refs); + + do { + new =3D val + 1; =20 -extern __must_check bool refcount_inc_not_zero(refcount_t *r); -extern void refcount_inc(refcount_t *r); + if (!val) + return false; =20 -extern __must_check bool refcount_sub_and_test(int i, refcount_t *r); + if (unlikely(!new)) + return true; =20 -extern __must_check bool refcount_dec_and_test(refcount_t *r); -extern void refcount_dec(refcount_t *r); + } while (!atomic_try_cmpxchg_relaxed(&r->refs, &val, new)); + + WARN_ONCE(new =3D=3D REFCOUNT_SATURATED, + "refcount_t: saturated; leaking memory.\n"); + + return true; +} + +/** + * refcount_inc - increment a refcount + * @r: the refcount to increment + * + * Similar to atomic_inc(), but will saturate at REFCOUNT_SATURATED and WA= RN. + * + * Provides no memory ordering, it is assumed the caller already has a + * reference on the object. + * + * Will WARN if the refcount is 0, as this represents a possible use-after= -free + * condition. + */ +static inline void refcount_inc(refcount_t *r) +{ + WARN_ONCE(!refcount_inc_not_zero(r), "refcount_t: increment on 0; use-aft= er-free.\n"); +} + +/** + * refcount_sub_and_test - subtract from a refcount and test if it is 0 + * @i: amount to subtract from the refcount + * @r: the refcount + * + * Similar to atomic_dec_and_test(), but it will WARN, return false and + * ultimately leak on underflow and will fail to decrement when saturated + * at REFCOUNT_SATURATED. + * + * Provides release memory ordering, such that prior loads and stores are = done + * before, and provides an acquire ordering on success such that free() + * must come after. + * + * Use of this function is not recommended for the normal reference counti= ng + * use case in which references are taken and released one at a time. In = these + * cases, refcount_dec(), or one of its variants, should instead be used to + * decrement a reference count. + * + * Return: true if the resulting refcount is 0, false otherwise + */ +static inline __must_check bool refcount_sub_and_test(int i, refcount_t *r) +{ + unsigned int new, val =3D atomic_read(&r->refs); + + do { + if (unlikely(val =3D=3D REFCOUNT_SATURATED)) + return false; + + new =3D val - i; + if (new > val) { + WARN_ONCE(new > val, "refcount_t: underflow; use-after-free.\n"); + return false; + } + + } while (!atomic_try_cmpxchg_release(&r->refs, &val, new)); + + if (!new) { + smp_acquire__after_ctrl_dep(); + return true; + } + return false; + +} + +/** + * refcount_dec_and_test - decrement a refcount and test if it is 0 + * @r: the refcount + * + * Similar to atomic_dec_and_test(), it will WARN on underflow and fail to + * decrement when saturated at REFCOUNT_SATURATED. + * + * Provides release memory ordering, such that prior loads and stores are = done + * before, and provides an acquire ordering on success such that free() + * must come after. + * + * Return: true if the resulting refcount is 0, false otherwise + */ +static inline __must_check bool refcount_dec_and_test(refcount_t *r) +{ + return refcount_sub_and_test(1, r); +} + +/** + * refcount_dec - decrement a refcount + * @r: the refcount + * + * Similar to atomic_dec(), it will WARN on underflow and fail to decrement + * when saturated at REFCOUNT_SATURATED. + * + * Provides release memory ordering, such that prior loads and stores are = done + * before. + */ +static inline void refcount_dec(refcount_t *r) +{ + WARN_ONCE(refcount_dec_and_test(r), "refcount_t: decrement hit 0; leaking= memory.\n"); +} =20 -#else +#else /* CONFIG_REFCOUNT_FULL */ =20 #define REFCOUNT_MAX INT_MAX #define REFCOUNT_SATURATED (INT_MIN / 2) @@ -103,7 +322,7 @@ static inline void refcount_dec(refcount_t *r) atomic_dec(&r->refs); } # endif /* !CONFIG_ARCH_HAS_REFCOUNT */ -#endif /* CONFIG_REFCOUNT_FULL */ +#endif /* !CONFIG_REFCOUNT_FULL */ =20 extern __must_check bool refcount_dec_if_one(refcount_t *r); extern __must_check bool refcount_dec_not_one(refcount_t *r); diff --git a/lib/refcount.c b/lib/refcount.c index a2f670998cee..3a534fbebdcc 100644 --- a/lib/refcount.c +++ b/lib/refcount.c @@ -1,41 +1,6 @@ // SPDX-License-Identifier: GPL-2.0 /* - * Variant of atomic_t specialized for reference counts. - * - * The interface matches the atomic_t interface (to aid in porting) but on= ly - * provides the few functions one should use for reference counting. - * - * It differs in that the counter saturates at REFCOUNT_SATURATED and will= not - * move once there. This avoids wrapping the counter and causing 'spurious' - * use-after-free issues. - * - * Memory ordering rules are slightly relaxed wrt regular atomic_t functio= ns - * and provide only what is strictly required for refcounts. - * - * The increments are fully relaxed; these will not provide ordering. The - * rationale is that whatever is used to obtain the object we're increasin= g the - * reference count on will provide the ordering. For locked data structure= s, - * its the lock acquire, for RCU/lockless data structures its the dependent - * load. - * - * Do note that inc_not_zero() provides a control dependency which will or= der - * future stores against the inc, this ensures we'll never modify the obje= ct - * if we did not in fact acquire a reference. - * - * The decrements will provide release order, such that all the prior load= s and - * stores will be issued before, it also provides a control dependency, wh= ich - * will order us against the subsequent free(). - * - * The control dependency is against the load of the cmpxchg (ll/sc) that - * succeeded. This means the stores aren't fully ordered, but this is fine - * because the 1->0 transition indicates no concurrency. - * - * Note that the allocator is responsible for ordering things between free= () - * and alloc(). - * - * The decrements dec_and_test() and sub_and_test() also provide acquire - * ordering on success. - * + * Out-of-line refcount functions common to all refcount implementations. */ =20 #include @@ -43,207 +8,6 @@ #include #include =20 -#ifdef CONFIG_REFCOUNT_FULL - -/** - * refcount_add_not_zero - add a value to a refcount unless it is 0 - * @i: the value to add to the refcount - * @r: the refcount - * - * Will saturate at REFCOUNT_SATURATED and WARN. - * - * Provides no memory ordering, it is assumed the caller has guaranteed the - * object memory to be stable (RCU, etc.). It does provide a control depen= dency - * and thereby orders future stores. See the comment on top. - * - * Use of this function is not recommended for the normal reference counti= ng - * use case in which references are taken and released one at a time. In = these - * cases, refcount_inc(), or one of its variants, should instead be used to - * increment a reference count. - * - * Return: false if the passed refcount is 0, true otherwise - */ -bool refcount_add_not_zero(int i, refcount_t *r) -{ - unsigned int new, val =3D atomic_read(&r->refs); - - do { - if (!val) - return false; - - if (unlikely(val =3D=3D REFCOUNT_SATURATED)) - return true; - - new =3D val + i; - if (new < val) - new =3D REFCOUNT_SATURATED; - - } while (!atomic_try_cmpxchg_relaxed(&r->refs, &val, new)); - - WARN_ONCE(new =3D=3D REFCOUNT_SATURATED, - "refcount_t: saturated; leaking memory.\n"); - - return true; -} -EXPORT_SYMBOL(refcount_add_not_zero); - -/** - * refcount_add - add a value to a refcount - * @i: the value to add to the refcount - * @r: the refcount - * - * Similar to atomic_add(), but will saturate at REFCOUNT_SATURATED and WA= RN. - * - * Provides no memory ordering, it is assumed the caller has guaranteed the - * object memory to be stable (RCU, etc.). It does provide a control depen= dency - * and thereby orders future stores. See the comment on top. - * - * Use of this function is not recommended for the normal reference counti= ng - * use case in which references are taken and released one at a time. In = these - * cases, refcount_inc(), or one of its variants, should instead be used to - * increment a reference count. - */ -void refcount_add(int i, refcount_t *r) -{ - WARN_ONCE(!refcount_add_not_zero(i, r), "refcount_t: addition on 0; use-a= fter-free.\n"); -} -EXPORT_SYMBOL(refcount_add); - -/** - * refcount_inc_not_zero - increment a refcount unless it is 0 - * @r: the refcount to increment - * - * Similar to atomic_inc_not_zero(), but will saturate at REFCOUNT_SATURAT= ED - * and WARN. - * - * Provides no memory ordering, it is assumed the caller has guaranteed the - * object memory to be stable (RCU, etc.). It does provide a control depen= dency - * and thereby orders future stores. See the comment on top. - * - * Return: true if the increment was successful, false otherwise - */ -bool refcount_inc_not_zero(refcount_t *r) -{ - unsigned int new, val =3D atomic_read(&r->refs); - - do { - new =3D val + 1; - - if (!val) - return false; - - if (unlikely(!new)) - return true; - - } while (!atomic_try_cmpxchg_relaxed(&r->refs, &val, new)); - - WARN_ONCE(new =3D=3D REFCOUNT_SATURATED, - "refcount_t: saturated; leaking memory.\n"); - - return true; -} -EXPORT_SYMBOL(refcount_inc_not_zero); - -/** - * refcount_inc - increment a refcount - * @r: the refcount to increment - * - * Similar to atomic_inc(), but will saturate at REFCOUNT_SATURATED and WA= RN. - * - * Provides no memory ordering, it is assumed the caller already has a - * reference on the object. - * - * Will WARN if the refcount is 0, as this represents a possible use-after= -free - * condition. - */ -void refcount_inc(refcount_t *r) -{ - WARN_ONCE(!refcount_inc_not_zero(r), "refcount_t: increment on 0; use-aft= er-free.\n"); -} -EXPORT_SYMBOL(refcount_inc); - -/** - * refcount_sub_and_test - subtract from a refcount and test if it is 0 - * @i: amount to subtract from the refcount - * @r: the refcount - * - * Similar to atomic_dec_and_test(), but it will WARN, return false and - * ultimately leak on underflow and will fail to decrement when saturated - * at REFCOUNT_SATURATED. - * - * Provides release memory ordering, such that prior loads and stores are = done - * before, and provides an acquire ordering on success such that free() - * must come after. - * - * Use of this function is not recommended for the normal reference counti= ng - * use case in which references are taken and released one at a time. In = these - * cases, refcount_dec(), or one of its variants, should instead be used to - * decrement a reference count. - * - * Return: true if the resulting refcount is 0, false otherwise - */ -bool refcount_sub_and_test(int i, refcount_t *r) -{ - unsigned int new, val =3D atomic_read(&r->refs); - - do { - if (unlikely(val =3D=3D REFCOUNT_SATURATED)) - return false; - - new =3D val - i; - if (new > val) { - WARN_ONCE(new > val, "refcount_t: underflow; use-after-free.\n"); - return false; - } - - } while (!atomic_try_cmpxchg_release(&r->refs, &val, new)); - - if (!new) { - smp_acquire__after_ctrl_dep(); - return true; - } - return false; - -} -EXPORT_SYMBOL(refcount_sub_and_test); - -/** - * refcount_dec_and_test - decrement a refcount and test if it is 0 - * @r: the refcount - * - * Similar to atomic_dec_and_test(), it will WARN on underflow and fail to - * decrement when saturated at REFCOUNT_SATURATED. - * - * Provides release memory ordering, such that prior loads and stores are = done - * before, and provides an acquire ordering on success such that free() - * must come after. - * - * Return: true if the resulting refcount is 0, false otherwise - */ -bool refcount_dec_and_test(refcount_t *r) -{ - return refcount_sub_and_test(1, r); -} -EXPORT_SYMBOL(refcount_dec_and_test); - -/** - * refcount_dec - decrement a refcount - * @r: the refcount - * - * Similar to atomic_dec(), it will WARN on underflow and fail to decrement - * when saturated at REFCOUNT_SATURATED. - * - * Provides release memory ordering, such that prior loads and stores are = done - * before. - */ -void refcount_dec(refcount_t *r) -{ - WARN_ONCE(refcount_dec_and_test(r), "refcount_t: decrement hit 0; leaking= memory.\n"); -} -EXPORT_SYMBOL(refcount_dec); - -#endif /* CONFIG_REFCOUNT_FULL */ - /** * refcount_dec_if_one - decrement a refcount if it is 1 * @r: the refcount --=20 2.35.1 From nobody Wed Apr 15 02:54:32 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 41CEDC04A68 for ; Wed, 27 Jul 2022 16:44:03 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S239669AbiG0QoA (ORCPT ); Wed, 27 Jul 2022 12:44:00 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:35422 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S239732AbiG0QnT (ORCPT ); Wed, 27 Jul 2022 12:43:19 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id F2F715C97C; Wed, 27 Jul 2022 09:30:22 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 5A48661A24; Wed, 27 Jul 2022 16:30:21 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 32264C433C1; Wed, 27 Jul 2022 16:30:20 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1658939420; bh=TpoqrBRFC0+2LkYOEAle4ckco5W4UsJldDv8v4posFA=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=hS/j4OUkoXXGm96JsAcwMzmqkKqSE8XUcukXEx5XM8Mj5WntVkaMzZsacHz5oXZfp Cy45LVVivwhBFUZpJHHOxsoakTcq4JzsVOBrXJ057fB2x9mA9S72NaQ0g0BEIR+tAt R6PEt0LYvxI77Tf/IMNjYeD7BY/7lvtBvJUv5stU= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Will Deacon , Ard Biesheuvel , Kees Cook , Hanjun Guo , Jan Glauber , Ard Biesheuvel , Elena Reshetova , Linus Torvalds , Peter Zijlstra , Thomas Gleixner , Ingo Molnar , Sasha Levin Subject: [PATCH 5.4 64/87] locking/refcount: Improve performance of generic REFCOUNT_FULL code Date: Wed, 27 Jul 2022 18:10:57 +0200 Message-Id: <20220727161011.640999417@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220727161008.993711844@linuxfoundation.org> References: <20220727161008.993711844@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Will Deacon [ Upstream commit dcb786493f3e48da3272b710028d42ec608cfda1 ] Rewrite the generic REFCOUNT_FULL implementation so that the saturation point is moved to INT_MIN / 2. This allows us to defer the sanity checks until after the atomic operation, which removes many uses of cmpxchg() in favour of atomic_fetch_{add,sub}(). Some crude perf results obtained from lkdtm show substantially less overhead, despite the checking: $ perf stat -r 3 -B -- echo {ATOMIC,REFCOUNT}_TIMING >/sys/kernel/debug/pr= ovoke-crash/DIRECT # arm64 ATOMIC_TIMING: 46.50451 +- 0.00134 se= conds time elapsed ( +- 0.00% ) REFCOUNT_TIMING (REFCOUNT_FULL, mainline): 77.57522 +- 0.00982 se= conds time elapsed ( +- 0.01% ) REFCOUNT_TIMING (REFCOUNT_FULL, this series): 48.7181 +- 0.0256 se= conds time elapsed ( +- 0.05% ) # x86 ATOMIC_TIMING: 31.6225 +- 0.0776 seco= nds time elapsed ( +- 0.25% ) REFCOUNT_TIMING (!REFCOUNT_FULL, mainline/x86 asm): 31.6689 +- 0.0901 seco= nds time elapsed ( +- 0.28% ) REFCOUNT_TIMING (REFCOUNT_FULL, mainline): 53.203 +- 0.138 seco= nds time elapsed ( +- 0.26% ) REFCOUNT_TIMING (REFCOUNT_FULL, this series): 31.7408 +- 0.0486 seco= nds time elapsed ( +- 0.15% ) Signed-off-by: Will Deacon Reviewed-by: Ard Biesheuvel Reviewed-by: Kees Cook Tested-by: Hanjun Guo Tested-by: Jan Glauber Cc: Ard Biesheuvel Cc: Elena Reshetova Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Thomas Gleixner Link: https://lkml.kernel.org/r/20191121115902.2551-6-will@kernel.org Signed-off-by: Ingo Molnar Signed-off-by: Sasha Levin Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- include/linux/refcount.h | 131 ++++++++++++++++++++++----------------- 1 file changed, 75 insertions(+), 56 deletions(-) diff --git a/include/linux/refcount.h b/include/linux/refcount.h index e719b5b1220e..e3b218d669ce 100644 --- a/include/linux/refcount.h +++ b/include/linux/refcount.h @@ -47,8 +47,8 @@ static inline unsigned int refcount_read(const refcount_t= *r) #ifdef CONFIG_REFCOUNT_FULL #include =20 -#define REFCOUNT_MAX (UINT_MAX - 1) -#define REFCOUNT_SATURATED UINT_MAX +#define REFCOUNT_MAX INT_MAX +#define REFCOUNT_SATURATED (INT_MIN / 2) =20 /* * Variant of atomic_t specialized for reference counts. @@ -56,9 +56,47 @@ static inline unsigned int refcount_read(const refcount_= t *r) * The interface matches the atomic_t interface (to aid in porting) but on= ly * provides the few functions one should use for reference counting. * - * It differs in that the counter saturates at REFCOUNT_SATURATED and will= not - * move once there. This avoids wrapping the counter and causing 'spurious' - * use-after-free issues. + * Saturation semantics + * =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D + * + * refcount_t differs from atomic_t in that the counter saturates at + * REFCOUNT_SATURATED and will not move once there. This avoids wrapping t= he + * counter and causing 'spurious' use-after-free issues. In order to avoid= the + * cost associated with introducing cmpxchg() loops into all of the satura= ting + * operations, we temporarily allow the counter to take on an unchecked va= lue + * and then explicitly set it to REFCOUNT_SATURATED on detecting that unde= rflow + * or overflow has occurred. Although this is racy when multiple threads + * access the refcount concurrently, by placing REFCOUNT_SATURATED roughly + * equidistant from 0 and INT_MAX we minimise the scope for error: + * + * INT_MAX REFCOUNT_SATURATED UINT_MAX + * 0 (0x7fff_ffff) (0xc000_0000) (0xffff_= ffff) + * +--------------------------------+----------------+----------------+ + * <---------- bad value! ----------> + * + * (in a signed view of the world, the "bad value" range corresponds to + * a negative counter value). + * + * As an example, consider a refcount_inc() operation that causes the coun= ter + * to overflow: + * + * int old =3D atomic_fetch_add_relaxed(r); + * // old is INT_MAX, refcount now INT_MIN (0x8000_0000) + * if (old < 0) + * atomic_set(r, REFCOUNT_SATURATED); + * + * If another thread also performs a refcount_inc() operation between the = two + * atomic operations, then the count will continue to edge closer to 0. If= it + * reaches a value of 1 before /any/ of the threads reset it to the satura= ted + * value, then a concurrent refcount_dec_and_test() may erroneously free t= he + * underlying object. Given the precise timing details involved with the + * round-robin scheduling of each thread manipulating the refcount and the= need + * to hit the race multiple times in succession, there doesn't appear to b= e a + * practical avenue of attack even if using refcount_add() operations with + * larger increments. + * + * Memory ordering + * =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D * * Memory ordering rules are slightly relaxed wrt regular atomic_t functio= ns * and provide only what is strictly required for refcounts. @@ -109,25 +147,19 @@ static inline unsigned int refcount_read(const refcou= nt_t *r) */ static inline __must_check bool refcount_add_not_zero(int i, refcount_t *r) { - unsigned int new, val =3D atomic_read(&r->refs); + int old =3D refcount_read(r); =20 do { - if (!val) - return false; - - if (unlikely(val =3D=3D REFCOUNT_SATURATED)) - return true; - - new =3D val + i; - if (new < val) - new =3D REFCOUNT_SATURATED; + if (!old) + break; + } while (!atomic_try_cmpxchg_relaxed(&r->refs, &old, old + i)); =20 - } while (!atomic_try_cmpxchg_relaxed(&r->refs, &val, new)); - - WARN_ONCE(new =3D=3D REFCOUNT_SATURATED, - "refcount_t: saturated; leaking memory.\n"); + if (unlikely(old < 0 || old + i < 0)) { + refcount_set(r, REFCOUNT_SATURATED); + WARN_ONCE(1, "refcount_t: saturated; leaking memory.\n"); + } =20 - return true; + return old; } =20 /** @@ -148,7 +180,13 @@ static inline __must_check bool refcount_add_not_zero(= int i, refcount_t *r) */ static inline void refcount_add(int i, refcount_t *r) { - WARN_ONCE(!refcount_add_not_zero(i, r), "refcount_t: addition on 0; use-a= fter-free.\n"); + int old =3D atomic_fetch_add_relaxed(i, &r->refs); + + WARN_ONCE(!old, "refcount_t: addition on 0; use-after-free.\n"); + if (unlikely(old <=3D 0 || old + i <=3D 0)) { + refcount_set(r, REFCOUNT_SATURATED); + WARN_ONCE(old, "refcount_t: saturated; leaking memory.\n"); + } } =20 /** @@ -166,23 +204,7 @@ static inline void refcount_add(int i, refcount_t *r) */ static inline __must_check bool refcount_inc_not_zero(refcount_t *r) { - unsigned int new, val =3D atomic_read(&r->refs); - - do { - new =3D val + 1; - - if (!val) - return false; - - if (unlikely(!new)) - return true; - - } while (!atomic_try_cmpxchg_relaxed(&r->refs, &val, new)); - - WARN_ONCE(new =3D=3D REFCOUNT_SATURATED, - "refcount_t: saturated; leaking memory.\n"); - - return true; + return refcount_add_not_zero(1, r); } =20 /** @@ -199,7 +221,7 @@ static inline __must_check bool refcount_inc_not_zero(r= efcount_t *r) */ static inline void refcount_inc(refcount_t *r) { - WARN_ONCE(!refcount_inc_not_zero(r), "refcount_t: increment on 0; use-aft= er-free.\n"); + refcount_add(1, r); } =20 /** @@ -224,26 +246,19 @@ static inline void refcount_inc(refcount_t *r) */ static inline __must_check bool refcount_sub_and_test(int i, refcount_t *r) { - unsigned int new, val =3D atomic_read(&r->refs); - - do { - if (unlikely(val =3D=3D REFCOUNT_SATURATED)) - return false; + int old =3D atomic_fetch_sub_release(i, &r->refs); =20 - new =3D val - i; - if (new > val) { - WARN_ONCE(new > val, "refcount_t: underflow; use-after-free.\n"); - return false; - } - - } while (!atomic_try_cmpxchg_release(&r->refs, &val, new)); - - if (!new) { + if (old =3D=3D i) { smp_acquire__after_ctrl_dep(); return true; } - return false; =20 + if (unlikely(old < 0 || old - i < 0)) { + refcount_set(r, REFCOUNT_SATURATED); + WARN_ONCE(1, "refcount_t: underflow; use-after-free.\n"); + } + + return false; } =20 /** @@ -276,9 +291,13 @@ static inline __must_check bool refcount_dec_and_test(= refcount_t *r) */ static inline void refcount_dec(refcount_t *r) { - WARN_ONCE(refcount_dec_and_test(r), "refcount_t: decrement hit 0; leaking= memory.\n"); -} + int old =3D atomic_fetch_sub_release(1, &r->refs); =20 + if (unlikely(old <=3D 1)) { + refcount_set(r, REFCOUNT_SATURATED); + WARN_ONCE(1, "refcount_t: decrement hit 0; leaking memory.\n"); + } +} #else /* CONFIG_REFCOUNT_FULL */ =20 #define REFCOUNT_MAX INT_MAX --=20 2.35.1 From nobody Wed Apr 15 02:54:32 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 27D4CC19F2B for ; Wed, 27 Jul 2022 16:44:50 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S239761AbiG0Qos (ORCPT ); Wed, 27 Jul 2022 12:44:48 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:41682 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S239559AbiG0Qnp (ORCPT ); Wed, 27 Jul 2022 12:43:45 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 2C70A63D9; Wed, 27 Jul 2022 09:30:35 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 46854619FD; Wed, 27 Jul 2022 16:30:27 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 25C01C433C1; Wed, 27 Jul 2022 16:30:26 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1658939426; bh=Qvf14IuKv1RKcZRvldurAQZascnOvDT/URMan2bY5GM=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=pyAz1WW/x61kyU9H2mgEdLHWBMjmJ8oqx/VFXTbx2oIdFETtIeDrjND2J9a38ww3B QjqO5dWt9DpNS3Hn6DHs+7CITJ18aBInHKlPX9apIGyfLcEgjHlSb8NQJjD8nzQBS0 xsZdWS9KxyRv5GrqbC6hi0h5xqoc7LDjPSapH4wc= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Will Deacon , Ard Biesheuvel , Kees Cook , Hanjun Guo , Ard Biesheuvel , Elena Reshetova , Linus Torvalds , Peter Zijlstra , Thomas Gleixner , Ingo Molnar , Sasha Levin Subject: [PATCH 5.4 65/87] locking/refcount: Move saturation warnings out of line Date: Wed, 27 Jul 2022 18:10:58 +0200 Message-Id: <20220727161011.681761418@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220727161008.993711844@linuxfoundation.org> References: <20220727161008.993711844@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Will Deacon [ Upstream commit 1eb085d94256aaa69b00cf5a86e3c5f5bb2bc460 ] Having the refcount saturation and warnings inline bloats the text, despite the fact that these paths should never be executed in normal operation. Move the refcount saturation and warnings out of line to reduce the image size when refcount_t checking is enabled. Relative to an x86_64 defconfig, the sizes reported by bloat-o-meter are: # defconfig+REFCOUNT_FULL, inline saturation (i.e. before this patch) Total: Before=3D14762076, After=3D14915442, chg +1.04% # defconfig+REFCOUNT_FULL, out-of-line saturation (i.e. after this patch) Total: Before=3D14762076, After=3D14835497, chg +0.50% A side-effect of this change is that we now only get one warning per refcount saturation type, rather than one per problematic call-site. Signed-off-by: Will Deacon Reviewed-by: Ard Biesheuvel Reviewed-by: Kees Cook Tested-by: Hanjun Guo Cc: Ard Biesheuvel Cc: Elena Reshetova Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Thomas Gleixner Link: https://lkml.kernel.org/r/20191121115902.2551-7-will@kernel.org Signed-off-by: Ingo Molnar Signed-off-by: Sasha Levin Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- include/linux/refcount.h | 39 ++++++++++++++++++++------------------- lib/refcount.c | 28 ++++++++++++++++++++++++++++ 2 files changed, 48 insertions(+), 19 deletions(-) diff --git a/include/linux/refcount.h b/include/linux/refcount.h index e3b218d669ce..1cd0a876a789 100644 --- a/include/linux/refcount.h +++ b/include/linux/refcount.h @@ -23,6 +23,16 @@ typedef struct refcount_struct { =20 #define REFCOUNT_INIT(n) { .refs =3D ATOMIC_INIT(n), } =20 +enum refcount_saturation_type { + REFCOUNT_ADD_NOT_ZERO_OVF, + REFCOUNT_ADD_OVF, + REFCOUNT_ADD_UAF, + REFCOUNT_SUB_UAF, + REFCOUNT_DEC_LEAK, +}; + +void refcount_warn_saturate(refcount_t *r, enum refcount_saturation_type t= ); + /** * refcount_set - set a refcount's value * @r: the refcount @@ -154,10 +164,8 @@ static inline __must_check bool refcount_add_not_zero(= int i, refcount_t *r) break; } while (!atomic_try_cmpxchg_relaxed(&r->refs, &old, old + i)); =20 - if (unlikely(old < 0 || old + i < 0)) { - refcount_set(r, REFCOUNT_SATURATED); - WARN_ONCE(1, "refcount_t: saturated; leaking memory.\n"); - } + if (unlikely(old < 0 || old + i < 0)) + refcount_warn_saturate(r, REFCOUNT_ADD_NOT_ZERO_OVF); =20 return old; } @@ -182,11 +190,10 @@ static inline void refcount_add(int i, refcount_t *r) { int old =3D atomic_fetch_add_relaxed(i, &r->refs); =20 - WARN_ONCE(!old, "refcount_t: addition on 0; use-after-free.\n"); - if (unlikely(old <=3D 0 || old + i <=3D 0)) { - refcount_set(r, REFCOUNT_SATURATED); - WARN_ONCE(old, "refcount_t: saturated; leaking memory.\n"); - } + if (unlikely(!old)) + refcount_warn_saturate(r, REFCOUNT_ADD_UAF); + else if (unlikely(old < 0 || old + i < 0)) + refcount_warn_saturate(r, REFCOUNT_ADD_OVF); } =20 /** @@ -253,10 +260,8 @@ static inline __must_check bool refcount_sub_and_test(= int i, refcount_t *r) return true; } =20 - if (unlikely(old < 0 || old - i < 0)) { - refcount_set(r, REFCOUNT_SATURATED); - WARN_ONCE(1, "refcount_t: underflow; use-after-free.\n"); - } + if (unlikely(old < 0 || old - i < 0)) + refcount_warn_saturate(r, REFCOUNT_SUB_UAF); =20 return false; } @@ -291,12 +296,8 @@ static inline __must_check bool refcount_dec_and_test(= refcount_t *r) */ static inline void refcount_dec(refcount_t *r) { - int old =3D atomic_fetch_sub_release(1, &r->refs); - - if (unlikely(old <=3D 1)) { - refcount_set(r, REFCOUNT_SATURATED); - WARN_ONCE(1, "refcount_t: decrement hit 0; leaking memory.\n"); - } + if (unlikely(atomic_fetch_sub_release(1, &r->refs) <=3D 1)) + refcount_warn_saturate(r, REFCOUNT_DEC_LEAK); } #else /* CONFIG_REFCOUNT_FULL */ =20 diff --git a/lib/refcount.c b/lib/refcount.c index 3a534fbebdcc..8b7e249c0e10 100644 --- a/lib/refcount.c +++ b/lib/refcount.c @@ -8,6 +8,34 @@ #include #include =20 +#define REFCOUNT_WARN(str) WARN_ONCE(1, "refcount_t: " str ".\n") + +void refcount_warn_saturate(refcount_t *r, enum refcount_saturation_type t) +{ + refcount_set(r, REFCOUNT_SATURATED); + + switch (t) { + case REFCOUNT_ADD_NOT_ZERO_OVF: + REFCOUNT_WARN("saturated; leaking memory"); + break; + case REFCOUNT_ADD_OVF: + REFCOUNT_WARN("saturated; leaking memory"); + break; + case REFCOUNT_ADD_UAF: + REFCOUNT_WARN("addition on 0; use-after-free"); + break; + case REFCOUNT_SUB_UAF: + REFCOUNT_WARN("underflow; use-after-free"); + break; + case REFCOUNT_DEC_LEAK: + REFCOUNT_WARN("decrement hit 0; leaking memory"); + break; + default: + REFCOUNT_WARN("unknown saturation event!?"); + } +} +EXPORT_SYMBOL(refcount_warn_saturate); + /** * refcount_dec_if_one - decrement a refcount if it is 1 * @r: the refcount --=20 2.35.1 From nobody Wed Apr 15 02:54:32 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id C6698C19F2C for ; Wed, 27 Jul 2022 16:44:54 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S239889AbiG0Qox (ORCPT ); Wed, 27 Jul 2022 12:44:53 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:43114 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S235476AbiG0Qnt (ORCPT ); Wed, 27 Jul 2022 12:43:49 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [145.40.68.75]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id BE5A81C12C; Wed, 27 Jul 2022 09:30:38 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id D45FAB821BE; Wed, 27 Jul 2022 16:30:30 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 04E5AC433C1; Wed, 27 Jul 2022 16:30:29 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1658939429; bh=exjTbktyQ2L4qT7er/q8xnaoToLGPnYfi4azjwuWwgg=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=VY7p758gGcuC0bzJlPL+QbaMVE3akIZvepNOAJN9RXeXpDQHcXkVQBbE3bz4hERDm gHUbh4DqzR6tukVXrc+TpEvkRSrgUJjBAN2YyFfzFaNkkYhhYEYgjUSF9Cn/2sF/Tc UUc9jPAyz2rpxmYCy7M1aKx7LU89oOhk3mXTp7Ls= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Will Deacon , Ard Biesheuvel , Kees Cook , Hanjun Guo , Ard Biesheuvel , Elena Reshetova , Linus Torvalds , Peter Zijlstra , Thomas Gleixner , Ingo Molnar , Sasha Levin Subject: [PATCH 5.4 66/87] locking/refcount: Consolidate REFCOUNT_{MAX,SATURATED} definitions Date: Wed, 27 Jul 2022 18:10:59 +0200 Message-Id: <20220727161011.721547216@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220727161008.993711844@linuxfoundation.org> References: <20220727161008.993711844@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Will Deacon [ Upstream commit 65b008552469f1c37f5e06e0016924502e40b4f5 ] The definitions of REFCOUNT_MAX and REFCOUNT_SATURATED are the same, regardless of CONFIG_REFCOUNT_FULL, so consolidate them into a single pair of definitions. Signed-off-by: Will Deacon Reviewed-by: Ard Biesheuvel Reviewed-by: Kees Cook Tested-by: Hanjun Guo Cc: Ard Biesheuvel Cc: Elena Reshetova Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Thomas Gleixner Link: https://lkml.kernel.org/r/20191121115902.2551-8-will@kernel.org Signed-off-by: Ingo Molnar Signed-off-by: Sasha Levin Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- include/linux/refcount.h | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) diff --git a/include/linux/refcount.h b/include/linux/refcount.h index 1cd0a876a789..757d4630115c 100644 --- a/include/linux/refcount.h +++ b/include/linux/refcount.h @@ -22,6 +22,8 @@ typedef struct refcount_struct { } refcount_t; =20 #define REFCOUNT_INIT(n) { .refs =3D ATOMIC_INIT(n), } +#define REFCOUNT_MAX INT_MAX +#define REFCOUNT_SATURATED (INT_MIN / 2) =20 enum refcount_saturation_type { REFCOUNT_ADD_NOT_ZERO_OVF, @@ -57,9 +59,6 @@ static inline unsigned int refcount_read(const refcount_t= *r) #ifdef CONFIG_REFCOUNT_FULL #include =20 -#define REFCOUNT_MAX INT_MAX -#define REFCOUNT_SATURATED (INT_MIN / 2) - /* * Variant of atomic_t specialized for reference counts. * @@ -300,10 +299,6 @@ static inline void refcount_dec(refcount_t *r) refcount_warn_saturate(r, REFCOUNT_DEC_LEAK); } #else /* CONFIG_REFCOUNT_FULL */ - -#define REFCOUNT_MAX INT_MAX -#define REFCOUNT_SATURATED (INT_MIN / 2) - # ifdef CONFIG_ARCH_HAS_REFCOUNT # include # else --=20 2.35.1 From nobody Wed Apr 15 02:54:32 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 23F30C04A68 for ; Wed, 27 Jul 2022 16:45:04 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S239971AbiG0Qo5 (ORCPT ); Wed, 27 Jul 2022 12:44:57 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:42344 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S239803AbiG0Qn6 (ORCPT ); Wed, 27 Jul 2022 12:43:58 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 247E120191; Wed, 27 Jul 2022 09:30:39 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 0C77761A51; Wed, 27 Jul 2022 16:30:33 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id D728AC433C1; Wed, 27 Jul 2022 16:30:31 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1658939432; bh=140xiridclUT8U66+YtY7xSGo9l8D28WAJ/uiCFQf+U=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=aZKOiYjexpX7forINftORVoGXx3uXJIB88YqZg8l2EDAuFJlwZ3Sro2RrtcK2Tc5x RV+bEPn4HwnAMEo915o2mCbvvHo/DRqL/v4xaA6BSOwkxouEUSo8nHWbmDSv2rijqC HsuWy/s8YpzfF8HoWbN4J16lFa2/qMGZ+M4aHVv4= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Will Deacon , Ard Biesheuvel , Kees Cook , Hanjun Guo , Ard Biesheuvel , Elena Reshetova , Linus Torvalds , Peter Zijlstra , Thomas Gleixner , Ingo Molnar , Sasha Levin Subject: [PATCH 5.4 67/87] locking/refcount: Consolidate implementations of refcount_t Date: Wed, 27 Jul 2022 18:11:00 +0200 Message-Id: <20220727161011.752079571@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220727161008.993711844@linuxfoundation.org> References: <20220727161008.993711844@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Will Deacon [ Upstream commit fb041bb7c0a918b95c6889fc965cdc4a75b4c0ca ] The generic implementation of refcount_t should be good enough for everybody, so remove ARCH_HAS_REFCOUNT and REFCOUNT_FULL entirely, leaving the generic implementation enabled unconditionally. Signed-off-by: Will Deacon Reviewed-by: Ard Biesheuvel Acked-by: Kees Cook Tested-by: Hanjun Guo Cc: Ard Biesheuvel Cc: Elena Reshetova Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Thomas Gleixner Link: https://lkml.kernel.org/r/20191121115902.2551-9-will@kernel.org Signed-off-by: Ingo Molnar Signed-off-by: Sasha Levin Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- arch/Kconfig | 21 ---- arch/arm/Kconfig | 1 - arch/arm64/Kconfig | 1 - arch/s390/configs/debug_defconfig | 1 - arch/x86/Kconfig | 1 - arch/x86/include/asm/asm.h | 6 -- arch/x86/include/asm/refcount.h | 126 ----------------------- arch/x86/mm/extable.c | 49 --------- drivers/gpu/drm/i915/Kconfig.debug | 1 - include/linux/refcount.h | 158 +++++++++++------------------ lib/refcount.c | 2 +- 11 files changed, 59 insertions(+), 308 deletions(-) delete mode 100644 arch/x86/include/asm/refcount.h diff --git a/arch/Kconfig b/arch/Kconfig index a8df66e64544..2219a07dca1e 100644 --- a/arch/Kconfig +++ b/arch/Kconfig @@ -915,27 +915,6 @@ config STRICT_MODULE_RWX config ARCH_HAS_PHYS_TO_DMA bool =20 -config ARCH_HAS_REFCOUNT - bool - help - An architecture selects this when it has implemented refcount_t - using open coded assembly primitives that provide an optimized - refcount_t implementation, possibly at the expense of some full - refcount state checks of CONFIG_REFCOUNT_FULL=3Dy. - - The refcount overflow check behavior, however, must be retained. - Catching overflows is the primary security concern for protecting - against bugs in reference counts. - -config REFCOUNT_FULL - bool "Perform full reference count validation at the expense of speed" - help - Enabling this switches the refcounting infrastructure from a fast - unchecked atomic_t implementation to a fully state checked - implementation, which can be (slightly) slower but provides protections - against various use-after-free conditions that can be used in - security flaw exploits. - config HAVE_ARCH_COMPILER_H bool help diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig index a1622b9290fd..a4364cce85f8 100644 --- a/arch/arm/Kconfig +++ b/arch/arm/Kconfig @@ -119,7 +119,6 @@ config ARM select OLD_SIGSUSPEND3 select PCI_SYSCALL if PCI select PERF_USE_VMALLOC - select REFCOUNT_FULL select RTC_LIB select SYS_SUPPORTS_APM_EMULATION # Above selects are sorted alphabetically; please add new ones diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig index a1a828ca188c..6b73143f0cf8 100644 --- a/arch/arm64/Kconfig +++ b/arch/arm64/Kconfig @@ -181,7 +181,6 @@ config ARM64 select PCI_SYSCALL if PCI select POWER_RESET select POWER_SUPPLY - select REFCOUNT_FULL select SPARSE_IRQ select SWIOTLB select SYSCTL_EXCEPTION_TRACE diff --git a/arch/s390/configs/debug_defconfig b/arch/s390/configs/debug_de= fconfig index 38d64030aacf..2e60c80395ab 100644 --- a/arch/s390/configs/debug_defconfig +++ b/arch/s390/configs/debug_defconfig @@ -62,7 +62,6 @@ CONFIG_OPROFILE=3Dm CONFIG_KPROBES=3Dy CONFIG_JUMP_LABEL=3Dy CONFIG_STATIC_KEYS_SELFTEST=3Dy -CONFIG_REFCOUNT_FULL=3Dy CONFIG_LOCK_EVENT_COUNTS=3Dy CONFIG_MODULES=3Dy CONFIG_MODULE_FORCE_LOAD=3Dy diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig index c6c71592f6e4..6002252692af 100644 --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig @@ -73,7 +73,6 @@ config X86 select ARCH_HAS_PMEM_API if X86_64 select ARCH_HAS_PTE_DEVMAP if X86_64 select ARCH_HAS_PTE_SPECIAL - select ARCH_HAS_REFCOUNT select ARCH_HAS_UACCESS_FLUSHCACHE if X86_64 select ARCH_HAS_UACCESS_MCSAFE if X86_64 && X86_MCE select ARCH_HAS_SET_MEMORY diff --git a/arch/x86/include/asm/asm.h b/arch/x86/include/asm/asm.h index 1b563f9167ea..cd339b88d5d4 100644 --- a/arch/x86/include/asm/asm.h +++ b/arch/x86/include/asm/asm.h @@ -141,9 +141,6 @@ # define _ASM_EXTABLE_EX(from, to) \ _ASM_EXTABLE_HANDLE(from, to, ex_handler_ext) =20 -# define _ASM_EXTABLE_REFCOUNT(from, to) \ - _ASM_EXTABLE_HANDLE(from, to, ex_handler_refcount) - # define _ASM_NOKPROBE(entry) \ .pushsection "_kprobe_blacklist","aw" ; \ _ASM_ALIGN ; \ @@ -172,9 +169,6 @@ # define _ASM_EXTABLE_EX(from, to) \ _ASM_EXTABLE_HANDLE(from, to, ex_handler_ext) =20 -# define _ASM_EXTABLE_REFCOUNT(from, to) \ - _ASM_EXTABLE_HANDLE(from, to, ex_handler_refcount) - /* For C file, we already have NOKPROBE_SYMBOL macro */ #endif =20 diff --git a/arch/x86/include/asm/refcount.h b/arch/x86/include/asm/refcoun= t.h deleted file mode 100644 index 232f856e0db0..000000000000 --- a/arch/x86/include/asm/refcount.h +++ /dev/null @@ -1,126 +0,0 @@ -#ifndef __ASM_X86_REFCOUNT_H -#define __ASM_X86_REFCOUNT_H -/* - * x86-specific implementation of refcount_t. Based on PAX_REFCOUNT from - * PaX/grsecurity. - */ -#include -#include - -/* - * This is the first portion of the refcount error handling, which lives in - * .text.unlikely, and is jumped to from the CPU flag check (in the - * following macros). This saves the refcount value location into CX for - * the exception handler to use (in mm/extable.c), and then triggers the - * central refcount exception. The fixup address for the exception points - * back to the regular execution flow in .text. - */ -#define _REFCOUNT_EXCEPTION \ - ".pushsection .text..refcount\n" \ - "111:\tlea %[var], %%" _ASM_CX "\n" \ - "112:\t" ASM_UD2 "\n" \ - ASM_UNREACHABLE \ - ".popsection\n" \ - "113:\n" \ - _ASM_EXTABLE_REFCOUNT(112b, 113b) - -/* Trigger refcount exception if refcount result is negative. */ -#define REFCOUNT_CHECK_LT_ZERO \ - "js 111f\n\t" \ - _REFCOUNT_EXCEPTION - -/* Trigger refcount exception if refcount result is zero or negative. */ -#define REFCOUNT_CHECK_LE_ZERO \ - "jz 111f\n\t" \ - REFCOUNT_CHECK_LT_ZERO - -/* Trigger refcount exception unconditionally. */ -#define REFCOUNT_ERROR \ - "jmp 111f\n\t" \ - _REFCOUNT_EXCEPTION - -static __always_inline void refcount_add(unsigned int i, refcount_t *r) -{ - asm volatile(LOCK_PREFIX "addl %1,%0\n\t" - REFCOUNT_CHECK_LT_ZERO - : [var] "+m" (r->refs.counter) - : "ir" (i) - : "cc", "cx"); -} - -static __always_inline void refcount_inc(refcount_t *r) -{ - asm volatile(LOCK_PREFIX "incl %0\n\t" - REFCOUNT_CHECK_LT_ZERO - : [var] "+m" (r->refs.counter) - : : "cc", "cx"); -} - -static __always_inline void refcount_dec(refcount_t *r) -{ - asm volatile(LOCK_PREFIX "decl %0\n\t" - REFCOUNT_CHECK_LE_ZERO - : [var] "+m" (r->refs.counter) - : : "cc", "cx"); -} - -static __always_inline __must_check -bool refcount_sub_and_test(unsigned int i, refcount_t *r) -{ - bool ret =3D GEN_BINARY_SUFFIXED_RMWcc(LOCK_PREFIX "subl", - REFCOUNT_CHECK_LT_ZERO, - r->refs.counter, e, "er", i, "cx"); - - if (ret) { - smp_acquire__after_ctrl_dep(); - return true; - } - - return false; -} - -static __always_inline __must_check bool refcount_dec_and_test(refcount_t = *r) -{ - bool ret =3D GEN_UNARY_SUFFIXED_RMWcc(LOCK_PREFIX "decl", - REFCOUNT_CHECK_LT_ZERO, - r->refs.counter, e, "cx"); - - if (ret) { - smp_acquire__after_ctrl_dep(); - return true; - } - - return false; -} - -static __always_inline __must_check -bool refcount_add_not_zero(unsigned int i, refcount_t *r) -{ - int c, result; - - c =3D atomic_read(&(r->refs)); - do { - if (unlikely(c =3D=3D 0)) - return false; - - result =3D c + i; - - /* Did we try to increment from/to an undesirable state? */ - if (unlikely(c < 0 || c =3D=3D INT_MAX || result < c)) { - asm volatile(REFCOUNT_ERROR - : : [var] "m" (r->refs.counter) - : "cc", "cx"); - break; - } - - } while (!atomic_try_cmpxchg(&(r->refs), &c, result)); - - return c !=3D 0; -} - -static __always_inline __must_check bool refcount_inc_not_zero(refcount_t = *r) -{ - return refcount_add_not_zero(1, r); -} - -#endif diff --git a/arch/x86/mm/extable.c b/arch/x86/mm/extable.c index 4d75bc656f97..30bb0bd3b1b8 100644 --- a/arch/x86/mm/extable.c +++ b/arch/x86/mm/extable.c @@ -44,55 +44,6 @@ __visible bool ex_handler_fault(const struct exception_t= able_entry *fixup, } EXPORT_SYMBOL_GPL(ex_handler_fault); =20 -/* - * Handler for UD0 exception following a failed test against the - * result of a refcount inc/dec/add/sub. - */ -__visible bool ex_handler_refcount(const struct exception_table_entry *fix= up, - struct pt_regs *regs, int trapnr, - unsigned long error_code, - unsigned long fault_addr) -{ - /* First unconditionally saturate the refcount. */ - *(int *)regs->cx =3D INT_MIN / 2; - - /* - * Strictly speaking, this reports the fixup destination, not - * the fault location, and not the actually overflowing - * instruction, which is the instruction before the "js", but - * since that instruction could be a variety of lengths, just - * report the location after the overflow, which should be close - * enough for finding the overflow, as it's at least back in - * the function, having returned from .text.unlikely. - */ - regs->ip =3D ex_fixup_addr(fixup); - - /* - * This function has been called because either a negative refcount - * value was seen by any of the refcount functions, or a zero - * refcount value was seen by refcount_dec(). - * - * If we crossed from INT_MAX to INT_MIN, OF (Overflow Flag: result - * wrapped around) will be set. Additionally, seeing the refcount - * reach 0 will set ZF (Zero Flag: result was zero). In each of - * these cases we want a report, since it's a boundary condition. - * The SF case is not reported since it indicates post-boundary - * manipulations below zero or above INT_MAX. And if none of the - * flags are set, something has gone very wrong, so report it. - */ - if (regs->flags & (X86_EFLAGS_OF | X86_EFLAGS_ZF)) { - bool zero =3D regs->flags & X86_EFLAGS_ZF; - - refcount_error_report(regs, zero ? "hit zero" : "overflow"); - } else if ((regs->flags & X86_EFLAGS_SF) =3D=3D 0) { - /* Report if none of OF, ZF, nor SF are set. */ - refcount_error_report(regs, "unexpected saturation"); - } - - return true; -} -EXPORT_SYMBOL(ex_handler_refcount); - /* * Handler for when we fail to restore a task's FPU state. We should neve= r get * here because the FPU state of a task using the FPU (task->thread.fpu.st= ate) diff --git a/drivers/gpu/drm/i915/Kconfig.debug b/drivers/gpu/drm/i915/Kcon= fig.debug index 41c8e39a73ba..e4f03fcb125e 100644 --- a/drivers/gpu/drm/i915/Kconfig.debug +++ b/drivers/gpu/drm/i915/Kconfig.debug @@ -21,7 +21,6 @@ config DRM_I915_DEBUG depends on DRM_I915 select DEBUG_FS select PREEMPT_COUNT - select REFCOUNT_FULL select I2C_CHARDEV select STACKDEPOT select DRM_DP_AUX_CHARDEV diff --git a/include/linux/refcount.h b/include/linux/refcount.h index 757d4630115c..0ac50cf62d06 100644 --- a/include/linux/refcount.h +++ b/include/linux/refcount.h @@ -1,64 +1,4 @@ /* SPDX-License-Identifier: GPL-2.0 */ -#ifndef _LINUX_REFCOUNT_H -#define _LINUX_REFCOUNT_H - -#include -#include -#include -#include - -struct mutex; - -/** - * struct refcount_t - variant of atomic_t specialized for reference counts - * @refs: atomic_t counter field - * - * The counter saturates at REFCOUNT_SATURATED and will not move once - * there. This avoids wrapping the counter and causing 'spurious' - * use-after-free bugs. - */ -typedef struct refcount_struct { - atomic_t refs; -} refcount_t; - -#define REFCOUNT_INIT(n) { .refs =3D ATOMIC_INIT(n), } -#define REFCOUNT_MAX INT_MAX -#define REFCOUNT_SATURATED (INT_MIN / 2) - -enum refcount_saturation_type { - REFCOUNT_ADD_NOT_ZERO_OVF, - REFCOUNT_ADD_OVF, - REFCOUNT_ADD_UAF, - REFCOUNT_SUB_UAF, - REFCOUNT_DEC_LEAK, -}; - -void refcount_warn_saturate(refcount_t *r, enum refcount_saturation_type t= ); - -/** - * refcount_set - set a refcount's value - * @r: the refcount - * @n: value to which the refcount will be set - */ -static inline void refcount_set(refcount_t *r, int n) -{ - atomic_set(&r->refs, n); -} - -/** - * refcount_read - get a refcount's value - * @r: the refcount - * - * Return: the refcount's value - */ -static inline unsigned int refcount_read(const refcount_t *r) -{ - return atomic_read(&r->refs); -} - -#ifdef CONFIG_REFCOUNT_FULL -#include - /* * Variant of atomic_t specialized for reference counts. * @@ -136,6 +76,64 @@ static inline unsigned int refcount_read(const refcount= _t *r) * */ =20 +#ifndef _LINUX_REFCOUNT_H +#define _LINUX_REFCOUNT_H + +#include +#include +#include +#include +#include + +struct mutex; + +/** + * struct refcount_t - variant of atomic_t specialized for reference counts + * @refs: atomic_t counter field + * + * The counter saturates at REFCOUNT_SATURATED and will not move once + * there. This avoids wrapping the counter and causing 'spurious' + * use-after-free bugs. + */ +typedef struct refcount_struct { + atomic_t refs; +} refcount_t; + +#define REFCOUNT_INIT(n) { .refs =3D ATOMIC_INIT(n), } +#define REFCOUNT_MAX INT_MAX +#define REFCOUNT_SATURATED (INT_MIN / 2) + +enum refcount_saturation_type { + REFCOUNT_ADD_NOT_ZERO_OVF, + REFCOUNT_ADD_OVF, + REFCOUNT_ADD_UAF, + REFCOUNT_SUB_UAF, + REFCOUNT_DEC_LEAK, +}; + +void refcount_warn_saturate(refcount_t *r, enum refcount_saturation_type t= ); + +/** + * refcount_set - set a refcount's value + * @r: the refcount + * @n: value to which the refcount will be set + */ +static inline void refcount_set(refcount_t *r, int n) +{ + atomic_set(&r->refs, n); +} + +/** + * refcount_read - get a refcount's value + * @r: the refcount + * + * Return: the refcount's value + */ +static inline unsigned int refcount_read(const refcount_t *r) +{ + return atomic_read(&r->refs); +} + /** * refcount_add_not_zero - add a value to a refcount unless it is 0 * @i: the value to add to the refcount @@ -298,46 +296,6 @@ static inline void refcount_dec(refcount_t *r) if (unlikely(atomic_fetch_sub_release(1, &r->refs) <=3D 1)) refcount_warn_saturate(r, REFCOUNT_DEC_LEAK); } -#else /* CONFIG_REFCOUNT_FULL */ -# ifdef CONFIG_ARCH_HAS_REFCOUNT -# include -# else -static inline __must_check bool refcount_add_not_zero(int i, refcount_t *r) -{ - return atomic_add_unless(&r->refs, i, 0); -} - -static inline void refcount_add(int i, refcount_t *r) -{ - atomic_add(i, &r->refs); -} - -static inline __must_check bool refcount_inc_not_zero(refcount_t *r) -{ - return atomic_add_unless(&r->refs, 1, 0); -} - -static inline void refcount_inc(refcount_t *r) -{ - atomic_inc(&r->refs); -} - -static inline __must_check bool refcount_sub_and_test(int i, refcount_t *r) -{ - return atomic_sub_and_test(i, &r->refs); -} - -static inline __must_check bool refcount_dec_and_test(refcount_t *r) -{ - return atomic_dec_and_test(&r->refs); -} - -static inline void refcount_dec(refcount_t *r) -{ - atomic_dec(&r->refs); -} -# endif /* !CONFIG_ARCH_HAS_REFCOUNT */ -#endif /* !CONFIG_REFCOUNT_FULL */ =20 extern __must_check bool refcount_dec_if_one(refcount_t *r); extern __must_check bool refcount_dec_not_one(refcount_t *r); diff --git a/lib/refcount.c b/lib/refcount.c index 8b7e249c0e10..ebac8b7d15a7 100644 --- a/lib/refcount.c +++ b/lib/refcount.c @@ -1,6 +1,6 @@ // SPDX-License-Identifier: GPL-2.0 /* - * Out-of-line refcount functions common to all refcount implementations. + * Out-of-line refcount functions. */ =20 #include --=20 2.35.1 From nobody Wed Apr 15 02:54:32 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id BC854C19F2B for ; Wed, 27 Jul 2022 16:45:04 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S240050AbiG0QpA (ORCPT ); Wed, 27 Jul 2022 12:45:00 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:42400 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S240121AbiG0QoI (ORCPT ); Wed, 27 Jul 2022 12:44:08 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 9239A51A24; Wed, 27 Jul 2022 09:30:41 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 70C56B821C5; Wed, 27 Jul 2022 16:30:36 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id CCB8FC433D6; Wed, 27 Jul 2022 16:30:34 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1658939435; bh=AJqytMV64rUASa1fC+FJDWlVKl+qrP5oT4VUCR05xaY=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=RPyvm3ySCXJqroclLKKHCyK4KsAcDeryglq7EthZiQhTG03kheqU6PTdf3xBKtGc2 D1WkrRUiKfAh8gT3w6IZZgr1iZMP+MuUgQysH2DNGe3/U9WAeVQkW38WyxuP/a7SJb 0HIDhrYM3LZb/jEpCeypaeBvu8dWaOgaMi40VFOQ= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Al Viro , Sasha Levin Subject: [PATCH 5.4 68/87] x86: get rid of small constant size cases in raw_copy_{to,from}_user() Date: Wed, 27 Jul 2022 18:11:01 +0200 Message-Id: <20220727161011.803180178@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220727161008.993711844@linuxfoundation.org> References: <20220727161008.993711844@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Al Viro [ Upstream commit 4b842e4e25b12951fa10dedb4bc16bc47e3b850c ] Very few call sites where that would be triggered remain, and none of those is anywhere near hot enough to bother. Signed-off-by: Al Viro Signed-off-by: Sasha Levin Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- arch/x86/include/asm/uaccess.h | 12 ---- arch/x86/include/asm/uaccess_32.h | 27 -------- arch/x86/include/asm/uaccess_64.h | 108 +----------------------------- 3 files changed, 2 insertions(+), 145 deletions(-) diff --git a/arch/x86/include/asm/uaccess.h b/arch/x86/include/asm/uaccess.h index 61d93f062a36..a19effb98fdc 100644 --- a/arch/x86/include/asm/uaccess.h +++ b/arch/x86/include/asm/uaccess.h @@ -378,18 +378,6 @@ do { \ : "=3Dr" (err), ltype(x) \ : "m" (__m(addr)), "i" (errret), "0" (err)) =20 -#define __get_user_asm_nozero(x, addr, err, itype, rtype, ltype, errret) \ - asm volatile("\n" \ - "1: mov"itype" %2,%"rtype"1\n" \ - "2:\n" \ - ".section .fixup,\"ax\"\n" \ - "3: mov %3,%0\n" \ - " jmp 2b\n" \ - ".previous\n" \ - _ASM_EXTABLE_UA(1b, 3b) \ - : "=3Dr" (err), ltype(x) \ - : "m" (__m(addr)), "i" (errret), "0" (err)) - /* * This doesn't do __uaccess_begin/end - the exception handling * around it must do that. diff --git a/arch/x86/include/asm/uaccess_32.h b/arch/x86/include/asm/uacce= ss_32.h index ba2dc1930630..388a40660c7b 100644 --- a/arch/x86/include/asm/uaccess_32.h +++ b/arch/x86/include/asm/uaccess_32.h @@ -23,33 +23,6 @@ raw_copy_to_user(void __user *to, const void *from, unsi= gned long n) static __always_inline unsigned long raw_copy_from_user(void *to, const void __user *from, unsigned long n) { - if (__builtin_constant_p(n)) { - unsigned long ret; - - switch (n) { - case 1: - ret =3D 0; - __uaccess_begin_nospec(); - __get_user_asm_nozero(*(u8 *)to, from, ret, - "b", "b", "=3Dq", 1); - __uaccess_end(); - return ret; - case 2: - ret =3D 0; - __uaccess_begin_nospec(); - __get_user_asm_nozero(*(u16 *)to, from, ret, - "w", "w", "=3Dr", 2); - __uaccess_end(); - return ret; - case 4: - ret =3D 0; - __uaccess_begin_nospec(); - __get_user_asm_nozero(*(u32 *)to, from, ret, - "l", "k", "=3Dr", 4); - __uaccess_end(); - return ret; - } - } return __copy_user_ll(to, (__force const void *)from, n); } =20 diff --git a/arch/x86/include/asm/uaccess_64.h b/arch/x86/include/asm/uacce= ss_64.h index 5cd1caa8bc65..bc10e3dc64fe 100644 --- a/arch/x86/include/asm/uaccess_64.h +++ b/arch/x86/include/asm/uaccess_64.h @@ -65,117 +65,13 @@ copy_to_user_mcsafe(void *to, const void *from, unsign= ed len) static __always_inline __must_check unsigned long raw_copy_from_user(void *dst, const void __user *src, unsigned long size) { - int ret =3D 0; - - if (!__builtin_constant_p(size)) - return copy_user_generic(dst, (__force void *)src, size); - switch (size) { - case 1: - __uaccess_begin_nospec(); - __get_user_asm_nozero(*(u8 *)dst, (u8 __user *)src, - ret, "b", "b", "=3Dq", 1); - __uaccess_end(); - return ret; - case 2: - __uaccess_begin_nospec(); - __get_user_asm_nozero(*(u16 *)dst, (u16 __user *)src, - ret, "w", "w", "=3Dr", 2); - __uaccess_end(); - return ret; - case 4: - __uaccess_begin_nospec(); - __get_user_asm_nozero(*(u32 *)dst, (u32 __user *)src, - ret, "l", "k", "=3Dr", 4); - __uaccess_end(); - return ret; - case 8: - __uaccess_begin_nospec(); - __get_user_asm_nozero(*(u64 *)dst, (u64 __user *)src, - ret, "q", "", "=3Dr", 8); - __uaccess_end(); - return ret; - case 10: - __uaccess_begin_nospec(); - __get_user_asm_nozero(*(u64 *)dst, (u64 __user *)src, - ret, "q", "", "=3Dr", 10); - if (likely(!ret)) - __get_user_asm_nozero(*(u16 *)(8 + (char *)dst), - (u16 __user *)(8 + (char __user *)src), - ret, "w", "w", "=3Dr", 2); - __uaccess_end(); - return ret; - case 16: - __uaccess_begin_nospec(); - __get_user_asm_nozero(*(u64 *)dst, (u64 __user *)src, - ret, "q", "", "=3Dr", 16); - if (likely(!ret)) - __get_user_asm_nozero(*(u64 *)(8 + (char *)dst), - (u64 __user *)(8 + (char __user *)src), - ret, "q", "", "=3Dr", 8); - __uaccess_end(); - return ret; - default: - return copy_user_generic(dst, (__force void *)src, size); - } + return copy_user_generic(dst, (__force void *)src, size); } =20 static __always_inline __must_check unsigned long raw_copy_to_user(void __user *dst, const void *src, unsigned long size) { - int ret =3D 0; - - if (!__builtin_constant_p(size)) - return copy_user_generic((__force void *)dst, src, size); - switch (size) { - case 1: - __uaccess_begin(); - __put_user_asm(*(u8 *)src, (u8 __user *)dst, - ret, "b", "b", "iq", 1); - __uaccess_end(); - return ret; - case 2: - __uaccess_begin(); - __put_user_asm(*(u16 *)src, (u16 __user *)dst, - ret, "w", "w", "ir", 2); - __uaccess_end(); - return ret; - case 4: - __uaccess_begin(); - __put_user_asm(*(u32 *)src, (u32 __user *)dst, - ret, "l", "k", "ir", 4); - __uaccess_end(); - return ret; - case 8: - __uaccess_begin(); - __put_user_asm(*(u64 *)src, (u64 __user *)dst, - ret, "q", "", "er", 8); - __uaccess_end(); - return ret; - case 10: - __uaccess_begin(); - __put_user_asm(*(u64 *)src, (u64 __user *)dst, - ret, "q", "", "er", 10); - if (likely(!ret)) { - asm("":::"memory"); - __put_user_asm(4[(u16 *)src], 4 + (u16 __user *)dst, - ret, "w", "w", "ir", 2); - } - __uaccess_end(); - return ret; - case 16: - __uaccess_begin(); - __put_user_asm(*(u64 *)src, (u64 __user *)dst, - ret, "q", "", "er", 16); - if (likely(!ret)) { - asm("":::"memory"); - __put_user_asm(1[(u64 *)src], 1 + (u64 __user *)dst, - ret, "q", "", "er", 8); - } - __uaccess_end(); - return ret; - default: - return copy_user_generic((__force void *)dst, src, size); - } + return copy_user_generic((__force void *)dst, src, size); } =20 static __always_inline __must_check --=20 2.35.1 From nobody Wed Apr 15 02:54:32 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 67166C19F2C for ; Wed, 27 Jul 2022 16:45:08 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S240231AbiG0QpG (ORCPT ); Wed, 27 Jul 2022 12:45:06 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:42484 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S240144AbiG0QoJ (ORCPT ); Wed, 27 Jul 2022 12:44:09 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 11CC99FDB; Wed, 27 Jul 2022 09:30:42 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 8E6CA61A24; Wed, 27 Jul 2022 16:30:38 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 9886AC433C1; Wed, 27 Jul 2022 16:30:37 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1658939438; bh=j4gFqz2+AZhseKpgjUD2DF/jrkEfbT3tUCKaJr/8GTA=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=b2HfZtIWblQfstJbnfVJwu+6r9FeNfucpH/a6s1A+Mu4SORWQTpgkI2wt7rT2MwP4 xvs3rfGwR5diggeSmTdd2fpcN/ndwqA+4Ol/sED1IQbLIhygB3xrOmpWPKA3KA3Klu PohCynF0aAxVT9ZwMcvp/GFOYD8azU+muZ14OH4k= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, "Peter Zijlstra (Intel)" , Sean Christopherson , Paolo Bonzini , Sasha Levin Subject: [PATCH 5.4 69/87] x86/uaccess: Implement macros for CMPXCHG on user addresses Date: Wed, 27 Jul 2022 18:11:02 +0200 Message-Id: <20220727161011.854462551@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220727161008.993711844@linuxfoundation.org> References: <20220727161008.993711844@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Peter Zijlstra [ Upstream commit 989b5db215a2f22f89d730b607b071d964780f10 ] Add support for CMPXCHG loops on userspace addresses. Provide both an "unsafe" version for tight loops that do their own uaccess begin/end, as well as a "safe" version for use cases where the CMPXCHG is not buried in a loop, e.g. KVM will resume the guest instead of looping when emulation of a guest atomic accesses fails the CMPXCHG. Provide 8-byte versions for 32-bit kernels so that KVM can do CMPXCHG on guest PAE PTEs, which are accessed via userspace addresses. Guard the asm_volatile_goto() variation with CC_HAS_ASM_GOTO_TIED_OUTPUT, the "+m" constraint fails on some compilers that otherwise support CC_HAS_ASM_GOTO_OUTPUT. Cc: stable@vger.kernel.org Signed-off-by: Peter Zijlstra (Intel) Co-developed-by: Sean Christopherson Signed-off-by: Sean Christopherson Message-Id: <20220202004945.2540433-3-seanjc@google.com> Signed-off-by: Paolo Bonzini Signed-off-by: Sasha Levin Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- arch/x86/include/asm/uaccess.h | 142 +++++++++++++++++++++++++++++++++ 1 file changed, 142 insertions(+) diff --git a/arch/x86/include/asm/uaccess.h b/arch/x86/include/asm/uaccess.h index a19effb98fdc..865795e2355e 100644 --- a/arch/x86/include/asm/uaccess.h +++ b/arch/x86/include/asm/uaccess.h @@ -441,6 +441,103 @@ __pu_label: \ __builtin_expect(__gu_err, 0); \ }) =20 +#ifdef CONFIG_CC_HAS_ASM_GOTO_TIED_OUTPUT +#define __try_cmpxchg_user_asm(itype, ltype, _ptr, _pold, _new, label) ({ \ + bool success; \ + __typeof__(_ptr) _old =3D (__typeof__(_ptr))(_pold); \ + __typeof__(*(_ptr)) __old =3D *_old; \ + __typeof__(*(_ptr)) __new =3D (_new); \ + asm_volatile_goto("\n" \ + "1: " LOCK_PREFIX "cmpxchg"itype" %[new], %[ptr]\n"\ + _ASM_EXTABLE_UA(1b, %l[label]) \ + : CC_OUT(z) (success), \ + [ptr] "+m" (*_ptr), \ + [old] "+a" (__old) \ + : [new] ltype (__new) \ + : "memory" \ + : label); \ + if (unlikely(!success)) \ + *_old =3D __old; \ + likely(success); }) + +#ifdef CONFIG_X86_32 +#define __try_cmpxchg64_user_asm(_ptr, _pold, _new, label) ({ \ + bool success; \ + __typeof__(_ptr) _old =3D (__typeof__(_ptr))(_pold); \ + __typeof__(*(_ptr)) __old =3D *_old; \ + __typeof__(*(_ptr)) __new =3D (_new); \ + asm_volatile_goto("\n" \ + "1: " LOCK_PREFIX "cmpxchg8b %[ptr]\n" \ + _ASM_EXTABLE_UA(1b, %l[label]) \ + : CC_OUT(z) (success), \ + "+A" (__old), \ + [ptr] "+m" (*_ptr) \ + : "b" ((u32)__new), \ + "c" ((u32)((u64)__new >> 32)) \ + : "memory" \ + : label); \ + if (unlikely(!success)) \ + *_old =3D __old; \ + likely(success); }) +#endif // CONFIG_X86_32 +#else // !CONFIG_CC_HAS_ASM_GOTO_TIED_OUTPUT +#define __try_cmpxchg_user_asm(itype, ltype, _ptr, _pold, _new, label) ({ \ + int __err =3D 0; \ + bool success; \ + __typeof__(_ptr) _old =3D (__typeof__(_ptr))(_pold); \ + __typeof__(*(_ptr)) __old =3D *_old; \ + __typeof__(*(_ptr)) __new =3D (_new); \ + asm volatile("\n" \ + "1: " LOCK_PREFIX "cmpxchg"itype" %[new], %[ptr]\n"\ + CC_SET(z) \ + "2:\n" \ + _ASM_EXTABLE_TYPE_REG(1b, 2b, EX_TYPE_EFAULT_REG, \ + %[errout]) \ + : CC_OUT(z) (success), \ + [errout] "+r" (__err), \ + [ptr] "+m" (*_ptr), \ + [old] "+a" (__old) \ + : [new] ltype (__new) \ + : "memory", "cc"); \ + if (unlikely(__err)) \ + goto label; \ + if (unlikely(!success)) \ + *_old =3D __old; \ + likely(success); }) + +#ifdef CONFIG_X86_32 +/* + * Unlike the normal CMPXCHG, hardcode ECX for both success/fail and error. + * There are only six GPRs available and four (EAX, EBX, ECX, and EDX) are + * hardcoded by CMPXCHG8B, leaving only ESI and EDI. If the compiler uses + * both ESI and EDI for the memory operand, compilation will fail if the e= rror + * is an input+output as there will be no register available for input. + */ +#define __try_cmpxchg64_user_asm(_ptr, _pold, _new, label) ({ \ + int __result; \ + __typeof__(_ptr) _old =3D (__typeof__(_ptr))(_pold); \ + __typeof__(*(_ptr)) __old =3D *_old; \ + __typeof__(*(_ptr)) __new =3D (_new); \ + asm volatile("\n" \ + "1: " LOCK_PREFIX "cmpxchg8b %[ptr]\n" \ + "mov $0, %%ecx\n\t" \ + "setz %%cl\n" \ + "2:\n" \ + _ASM_EXTABLE_TYPE_REG(1b, 2b, EX_TYPE_EFAULT_REG, %%ecx) \ + : [result]"=3Dc" (__result), \ + "+A" (__old), \ + [ptr] "+m" (*_ptr) \ + : "b" ((u32)__new), \ + "c" ((u32)((u64)__new >> 32)) \ + : "memory", "cc"); \ + if (unlikely(__result < 0)) \ + goto label; \ + if (unlikely(!__result)) \ + *_old =3D __old; \ + likely(__result); }) +#endif // CONFIG_X86_32 +#endif // CONFIG_CC_HAS_ASM_GOTO_TIED_OUTPUT + /* FIXME: this hack is definitely wrong -AK */ struct __large_struct { unsigned long buf[100]; }; #define __m(x) (*(struct __large_struct __user *)(x)) @@ -722,6 +819,51 @@ do { \ if (unlikely(__gu_err)) goto err_label; \ } while (0) =20 +extern void __try_cmpxchg_user_wrong_size(void); + +#ifndef CONFIG_X86_32 +#define __try_cmpxchg64_user_asm(_ptr, _oldp, _nval, _label) \ + __try_cmpxchg_user_asm("q", "r", (_ptr), (_oldp), (_nval), _label) +#endif + +/* + * Force the pointer to u to match the size expected by the asm help= er. + * clang/LLVM compiles all cases and only discards the unused paths after + * processing errors, which breaks i386 if the pointer is an 8-byte value. + */ +#define unsafe_try_cmpxchg_user(_ptr, _oldp, _nval, _label) ({ \ + bool __ret; \ + __chk_user_ptr(_ptr); \ + switch (sizeof(*(_ptr))) { \ + case 1: __ret =3D __try_cmpxchg_user_asm("b", "q", \ + (__force u8 *)(_ptr), (_oldp), \ + (_nval), _label); \ + break; \ + case 2: __ret =3D __try_cmpxchg_user_asm("w", "r", \ + (__force u16 *)(_ptr), (_oldp), \ + (_nval), _label); \ + break; \ + case 4: __ret =3D __try_cmpxchg_user_asm("l", "r", \ + (__force u32 *)(_ptr), (_oldp), \ + (_nval), _label); \ + break; \ + case 8: __ret =3D __try_cmpxchg64_user_asm((__force u64 *)(_ptr), (_oldp)= ,\ + (_nval), _label); \ + break; \ + default: __try_cmpxchg_user_wrong_size(); \ + } \ + __ret; }) + +/* "Returns" 0 on success, 1 on failure, -EFAULT if the access faults. */ +#define __try_cmpxchg_user(_ptr, _oldp, _nval, _label) ({ \ + int __ret =3D -EFAULT; \ + __uaccess_begin_nospec(); \ + __ret =3D !unsafe_try_cmpxchg_user(_ptr, _oldp, _nval, _label); \ +_label: \ + __uaccess_end(); \ + __ret; \ + }) + /* * We want the unsafe accessors to always be inlined and use * the error labels - thus the macro games. --=20 2.35.1 From nobody Wed Apr 15 02:54:32 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 2317EC19F28 for ; Wed, 27 Jul 2022 16:45:05 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S240181AbiG0QpD (ORCPT ); Wed, 27 Jul 2022 12:45:03 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:42466 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S240152AbiG0QoJ (ORCPT ); Wed, 27 Jul 2022 12:44:09 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [145.40.68.75]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id A47345FCF; Wed, 27 Jul 2022 09:30:44 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 25558B821BC; Wed, 27 Jul 2022 16:30:42 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 45820C433C1; Wed, 27 Jul 2022 16:30:40 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1658939440; bh=FOFblN+8rHzafB95Zu3FHcxg7fSjHHCQPRX6hJ/tA2g=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=iciO1cqRec+JwB7wIfM5q1XWeAaQTgYvktdEb60BN0ENpBneGpWvk8T00xt5iDAZt KDyNlLDJ2cx/6w9tSIsKzpV/sNPjMRk2FZ3ZtgllgZDzqYrQP4bzXEfEzs8Lv5/vE1 HKBLffvVBEWGdEWeTi/pTRMyoSdx5/3fbso4A2ys= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Michel Lespinasse , Andrew Morton , Daniel Jordan , Davidlohr Bueso , Laurent Dufour , Vlastimil Babka , Peter Zijlstra , Matthew Wilcox , Liam Howlett , Jerome Glisse , David Rientjes , Hugh Dickins , Ying Han , Jason Gunthorpe , John Hubbard , Linus Torvalds , Sasha Levin Subject: [PATCH 5.4 70/87] mmap locking API: initial implementation as rwsem wrappers Date: Wed, 27 Jul 2022 18:11:03 +0200 Message-Id: <20220727161011.904986942@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220727161008.993711844@linuxfoundation.org> References: <20220727161008.993711844@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Michel Lespinasse [ Upstream commit 9740ca4e95b43b91a4a848694a20d01ba6818f7b ] This patch series adds a new mmap locking API replacing the existing mmap_sem lock and unlocks. Initially the API is just implemente in terms of inlined rwsem calls, so it doesn't provide any new functionality. There are two justifications for the new API: - At first, it provides an easy hooking point to instrument mmap_sem locking latencies independently of any other rwsems. - In the future, it may be a starting point for replacing the rwsem implementation with a different one, such as range locks. This is something that is being explored, even though there is no wide concensus about this possible direction yet. (see https://patchwork.kernel.org/cover/11401483/) This patch (of 12): This change wraps the existing mmap_sem related rwsem calls into a new mmap locking API. There are two justifications for the new API: - At first, it provides an easy hooking point to instrument mmap_sem locking latencies independently of any other rwsems. - In the future, it may be a starting point for replacing the rwsem implementation with a different one, such as range locks. Signed-off-by: Michel Lespinasse Signed-off-by: Andrew Morton Reviewed-by: Daniel Jordan Reviewed-by: Davidlohr Bueso Reviewed-by: Laurent Dufour Reviewed-by: Vlastimil Babka Cc: Peter Zijlstra Cc: Matthew Wilcox Cc: Liam Howlett Cc: Jerome Glisse Cc: David Rientjes Cc: Hugh Dickins Cc: Ying Han Cc: Jason Gunthorpe Cc: John Hubbard Cc: Michel Lespinasse Link: http://lkml.kernel.org/r/20200520052908.204642-1-walken@google.com Link: http://lkml.kernel.org/r/20200520052908.204642-2-walken@google.com Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- include/linux/mm.h | 1 + include/linux/mmap_lock.h | 54 +++++++++++++++++++++++++++++++++++++++ 2 files changed, 55 insertions(+) create mode 100644 include/linux/mmap_lock.h diff --git a/include/linux/mm.h b/include/linux/mm.h index c125fea49752..d35c29d322d8 100644 --- a/include/linux/mm.h +++ b/include/linux/mm.h @@ -15,6 +15,7 @@ #include #include #include +#include #include #include #include diff --git a/include/linux/mmap_lock.h b/include/linux/mmap_lock.h new file mode 100644 index 000000000000..97ac53b66052 --- /dev/null +++ b/include/linux/mmap_lock.h @@ -0,0 +1,54 @@ +#ifndef _LINUX_MMAP_LOCK_H +#define _LINUX_MMAP_LOCK_H + +static inline void mmap_init_lock(struct mm_struct *mm) +{ + init_rwsem(&mm->mmap_sem); +} + +static inline void mmap_write_lock(struct mm_struct *mm) +{ + down_write(&mm->mmap_sem); +} + +static inline int mmap_write_lock_killable(struct mm_struct *mm) +{ + return down_write_killable(&mm->mmap_sem); +} + +static inline bool mmap_write_trylock(struct mm_struct *mm) +{ + return down_write_trylock(&mm->mmap_sem) !=3D 0; +} + +static inline void mmap_write_unlock(struct mm_struct *mm) +{ + up_write(&mm->mmap_sem); +} + +static inline void mmap_write_downgrade(struct mm_struct *mm) +{ + downgrade_write(&mm->mmap_sem); +} + +static inline void mmap_read_lock(struct mm_struct *mm) +{ + down_read(&mm->mmap_sem); +} + +static inline int mmap_read_lock_killable(struct mm_struct *mm) +{ + return down_read_killable(&mm->mmap_sem); +} + +static inline bool mmap_read_trylock(struct mm_struct *mm) +{ + return down_read_trylock(&mm->mmap_sem) !=3D 0; +} + +static inline void mmap_read_unlock(struct mm_struct *mm) +{ + up_read(&mm->mmap_sem); +} + +#endif /* _LINUX_MMAP_LOCK_H */ --=20 2.35.1 From nobody Wed Apr 15 02:54:32 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 3D681C04A68 for ; Wed, 27 Jul 2022 16:45:11 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S240241AbiG0QpJ (ORCPT ); Wed, 27 Jul 2022 12:45:09 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:44864 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S240176AbiG0QoJ (ORCPT ); Wed, 27 Jul 2022 12:44:09 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 112DEB7C4; Wed, 27 Jul 2022 09:30:46 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id C31D2B821A6; Wed, 27 Jul 2022 16:30:44 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 337E2C433D6; Wed, 27 Jul 2022 16:30:43 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1658939443; bh=ipqvfurvud+lMyLBk/chtqVr6crzPrl2bGSbppjjn8c=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=UatOLxUva8485giQfU2OwL/uVH7jLDCifO5lmO+3yieiEXhJKpA0YD0s3Sv8qMQsM qNIad5d4YF+DaYVdPtI/vzXwcvqhuC1XXtAa3mkcI78csEZqluuMy3KMZHrPxY2x5H 595ewxxPbWg8AanpyahRhdvInj36orsIUrQJJD2I= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Thomas Gleixner , Borislav Petkov , Sasha Levin Subject: [PATCH 5.4 71/87] x86/mce: Deduplicate exception handling Date: Wed, 27 Jul 2022 18:11:04 +0200 Message-Id: <20220727161011.945541383@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220727161008.993711844@linuxfoundation.org> References: <20220727161008.993711844@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Thomas Gleixner [ Upstream commit e42404afc4ca856c48f1e05752541faa3587c472 ] Prepare code for further simplification. No functional change. Signed-off-by: Thomas Gleixner Signed-off-by: Borislav Petkov Link: https://lkml.kernel.org/r/20210908132525.096452100@linutronix.de Signed-off-by: Sasha Levin Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- arch/x86/kernel/cpu/mce/core.c | 34 +++++++++++++++++----------------- 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/arch/x86/kernel/cpu/mce/core.c b/arch/x86/kernel/cpu/mce/core.c index 8a2b8e791314..9b98a7d8ac60 100644 --- a/arch/x86/kernel/cpu/mce/core.c +++ b/arch/x86/kernel/cpu/mce/core.c @@ -397,13 +397,16 @@ static int msr_to_offset(u32 msr) return -1; } =20 -__visible bool ex_handler_rdmsr_fault(const struct exception_table_entry *= fixup, - struct pt_regs *regs, int trapnr, - unsigned long error_code, - unsigned long fault_addr) +static void ex_handler_msr_mce(struct pt_regs *regs, bool wrmsr) { - pr_emerg("MSR access error: RDMSR from 0x%x at rIP: 0x%lx (%pS)\n", - (unsigned int)regs->cx, regs->ip, (void *)regs->ip); + if (wrmsr) { + pr_emerg("MSR access error: WRMSR to 0x%x (tried to write 0x%08x%08x) at= rIP: 0x%lx (%pS)\n", + (unsigned int)regs->cx, (unsigned int)regs->dx, (unsigned int)regs->ax, + regs->ip, (void *)regs->ip); + } else { + pr_emerg("MSR access error: RDMSR from 0x%x at rIP: 0x%lx (%pS)\n", + (unsigned int)regs->cx, regs->ip, (void *)regs->ip); + } =20 show_stack_regs(regs); =20 @@ -411,7 +414,14 @@ __visible bool ex_handler_rdmsr_fault(const struct exc= eption_table_entry *fixup, =20 while (true) cpu_relax(); +} =20 +__visible bool ex_handler_rdmsr_fault(const struct exception_table_entry *= fixup, + struct pt_regs *regs, int trapnr, + unsigned long error_code, + unsigned long fault_addr) +{ + ex_handler_msr_mce(regs, false); return true; } =20 @@ -447,17 +457,7 @@ __visible bool ex_handler_wrmsr_fault(const struct exc= eption_table_entry *fixup, unsigned long error_code, unsigned long fault_addr) { - pr_emerg("MSR access error: WRMSR to 0x%x (tried to write 0x%08x%08x) at = rIP: 0x%lx (%pS)\n", - (unsigned int)regs->cx, (unsigned int)regs->dx, (unsigned int)regs->ax, - regs->ip, (void *)regs->ip); - - show_stack_regs(regs); - - panic("MCA architectural violation!\n"); - - while (true) - cpu_relax(); - + ex_handler_msr_mce(regs, true); return true; } =20 --=20 2.35.1 From nobody Wed Apr 15 02:54:32 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 113EAC04A68 for ; Wed, 27 Jul 2022 16:45:16 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S240254AbiG0QpN (ORCPT ); Wed, 27 Jul 2022 12:45:13 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:44908 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S240193AbiG0QoK (ORCPT ); Wed, 27 Jul 2022 12:44:10 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [145.40.68.75]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id EA6E75D0FD; Wed, 27 Jul 2022 09:30:48 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 7AC89B821BD; Wed, 27 Jul 2022 16:30:47 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id E15E5C433C1; Wed, 27 Jul 2022 16:30:45 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1658939446; bh=jmwZE7fZT0yS5jlppOJsyv5VuU2LGt3H7AUTFK/9IZg=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=ZlCSIoUwyBnPKnbBwSHOAJNmqMREvpTQFTMrFy7Ep3tFS+o4gLLcnhfXYewB2Gu6Z 3U5NYyTjkkwAPN4dgOfJmZygKOf46GaPQjklNcLFon4CG00TeRee2eYQXbayNe7hn1 uj8jFZf5YgPcg9V5/LtFZPPUeV6OZ7OMEQ0z6uoE= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, "Peter Zijlstra (Intel)" , Josh Poimboeuf , Sasha Levin Subject: [PATCH 5.4 72/87] bitfield.h: Fix "type of reg too small for mask" test Date: Wed, 27 Jul 2022 18:11:05 +0200 Message-Id: <20220727161011.987192720@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220727161008.993711844@linuxfoundation.org> References: <20220727161008.993711844@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Peter Zijlstra [ Upstream commit bff8c3848e071d387d8b0784dc91fa49cd563774 ] The test: 'mask > (typeof(_reg))~0ull' only works correctly when both sides are unsigned, consider: - 0xff000000 vs (int)~0ull - 0x000000ff vs (int)~0ull Signed-off-by: Peter Zijlstra (Intel) Reviewed-by: Josh Poimboeuf Link: https://lore.kernel.org/r/20211110101324.950210584@infradead.org Signed-off-by: Sasha Levin Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- include/linux/bitfield.h | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/include/linux/bitfield.h b/include/linux/bitfield.h index 4c0224ff0a14..4f1c0f8e1bb0 100644 --- a/include/linux/bitfield.h +++ b/include/linux/bitfield.h @@ -41,6 +41,22 @@ =20 #define __bf_shf(x) (__builtin_ffsll(x) - 1) =20 +#define __scalar_type_to_unsigned_cases(type) \ + unsigned type: (unsigned type)0, \ + signed type: (unsigned type)0 + +#define __unsigned_scalar_typeof(x) typeof( \ + _Generic((x), \ + char: (unsigned char)0, \ + __scalar_type_to_unsigned_cases(char), \ + __scalar_type_to_unsigned_cases(short), \ + __scalar_type_to_unsigned_cases(int), \ + __scalar_type_to_unsigned_cases(long), \ + __scalar_type_to_unsigned_cases(long long), \ + default: (x))) + +#define __bf_cast_unsigned(type, x) ((__unsigned_scalar_typeof(type))(x)) + #define __BF_FIELD_CHECK(_mask, _reg, _val, _pfx) \ ({ \ BUILD_BUG_ON_MSG(!__builtin_constant_p(_mask), \ @@ -49,7 +65,8 @@ BUILD_BUG_ON_MSG(__builtin_constant_p(_val) ? \ ~((_mask) >> __bf_shf(_mask)) & (_val) : 0, \ _pfx "value too large for the field"); \ - BUILD_BUG_ON_MSG((_mask) > (typeof(_reg))~0ull, \ + BUILD_BUG_ON_MSG(__bf_cast_unsigned(_mask, _mask) > \ + __bf_cast_unsigned(_reg, ~0ull), \ _pfx "type of reg too small for mask"); \ __BUILD_BUG_ON_NOT_POWER_OF_2((_mask) + \ (1ULL << __bf_shf(_mask))); \ --=20 2.35.1 From nobody Wed Apr 15 02:54:32 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 49345C04A68 for ; Wed, 27 Jul 2022 16:45:22 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S240290AbiG0QpQ (ORCPT ); Wed, 27 Jul 2022 12:45:16 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:43820 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S240212AbiG0QoM (ORCPT ); Wed, 27 Jul 2022 12:44:12 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 14063BC06; Wed, 27 Jul 2022 09:30:50 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 97D18619FD; Wed, 27 Jul 2022 16:30:49 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id A6111C433D7; Wed, 27 Jul 2022 16:30:48 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1658939449; bh=0nPcMk7X2zRWW6IEONlkgBKjawbM0P/bEPivCLl7JwM=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=R0bLRql+90Ym3LF+bTVxOQ+Ly7ruLKS6FS4eI7Dmdcshn24QfQkHO5S/7PAmYm9yq XC1tgLQ8A/lbGawh26Djck7TG/djGGSY7pugBLnpQuvyRYHElZ3L9XlLTfLj2cGWj8 3VJyMP0Fx0eA5ExnydGsvZa0P2Cfipi1F9ncEQJw= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Lars-Peter Clausen , Takashi Iwai Subject: [PATCH 5.4 73/87] ALSA: memalloc: Align buffer allocations in page size Date: Wed, 27 Jul 2022 18:11:06 +0200 Message-Id: <20220727161012.026313331@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220727161008.993711844@linuxfoundation.org> References: <20220727161008.993711844@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Takashi Iwai commit 5c1733e33c888a3cb7f576564d8ad543d5ad4a9e upstream. Currently the standard memory allocator (snd_dma_malloc_pages*()) passes the byte size to allocate as is. Most of the backends allocates real pages, hence the actual allocations are aligned in page size. However, the genalloc doesn't seem assuring the size alignment, hence it may result in the access outside the buffer when the whole memory pages are exposed via mmap. For avoiding such inconsistencies, this patch makes the allocation size always to be aligned in page size. Note that, after this change, snd_dma_buffer.bytes field contains the aligned size, not the originally requested size. This value is also used for releasing the pages in return. Reviewed-by: Lars-Peter Clausen Link: https://lore.kernel.org/r/20201218145625.2045-2-tiwai@suse.de Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- sound/core/memalloc.c | 1 + 1 file changed, 1 insertion(+) --- a/sound/core/memalloc.c +++ b/sound/core/memalloc.c @@ -124,6 +124,7 @@ int snd_dma_alloc_pages(int type, struct if (WARN_ON(!device)) return -EINVAL; =20 + size =3D PAGE_ALIGN(size); dmab->dev.type =3D type; dmab->dev.dev =3D device; dmab->bytes =3D 0; From nobody Wed Apr 15 02:54:32 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id BA5C6C04A68 for ; Wed, 27 Jul 2022 16:45:52 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S239448AbiG0Qpu (ORCPT ); Wed, 27 Jul 2022 12:45:50 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:43798 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S240206AbiG0QoM (ORCPT ); Wed, 27 Jul 2022 12:44:12 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id BCDA45E305; Wed, 27 Jul 2022 09:30:52 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 490A9619BF; Wed, 27 Jul 2022 16:30:52 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 59EAAC433D6; Wed, 27 Jul 2022 16:30:51 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1658939451; bh=MOCVpztG29Nt42exOx0JADtWROu433VsUJTiTZsPNxc=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=QS9rRA0xu1xYCsFq/NIS8XCAgiXokg3uZIc8Sgntwba6jOld0u64/9/B5RJ1QsEgV LLw8AKYQFyP9KDdEKMgoHAlmloJCMdSaL2gTxcyO67/VygxRy8x6PaoS5V3slqMiuT u5kWdNcoXftiNQNmySpyzftV5ky5NaStQ7Xc2bps= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Luiz Augusto von Dentz , Marcel Holtmann , Harshit Mogalapalli Subject: [PATCH 5.4 74/87] Bluetooth: Add bt_skb_sendmsg helper Date: Wed, 27 Jul 2022 18:11:07 +0200 Message-Id: <20220727161012.064176451@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220727161008.993711844@linuxfoundation.org> References: <20220727161008.993711844@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Luiz Augusto von Dentz commit 38f64f650dc0e44c146ff88d15a7339efa325918 upstream. bt_skb_sendmsg helps takes care of allocation the skb and copying the the contents of msg over to the skb while checking for possible errors so it should be safe to call it without holding lock_sock. Signed-off-by: Luiz Augusto von Dentz Signed-off-by: Marcel Holtmann Cc: Harshit Mogalapalli Signed-off-by: Greg Kroah-Hartman Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- include/net/bluetooth/bluetooth.h | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) --- a/include/net/bluetooth/bluetooth.h +++ b/include/net/bluetooth/bluetooth.h @@ -370,6 +370,34 @@ out: return NULL; } =20 +/* Shall not be called with lock_sock held */ +static inline struct sk_buff *bt_skb_sendmsg(struct sock *sk, + struct msghdr *msg, + size_t len, size_t mtu, + size_t headroom, size_t tailroom) +{ + struct sk_buff *skb; + size_t size =3D min_t(size_t, len, mtu); + int err; + + skb =3D bt_skb_send_alloc(sk, size + headroom + tailroom, + msg->msg_flags & MSG_DONTWAIT, &err); + if (!skb) + return ERR_PTR(err); + + skb_reserve(skb, headroom); + skb_tailroom_reserve(skb, mtu, tailroom); + + if (!copy_from_iter_full(skb_put(skb, size), size, &msg->msg_iter)) { + kfree_skb(skb); + return ERR_PTR(-EFAULT); + } + + skb->priority =3D sk->sk_priority; + + return skb; +} + int bt_to_errno(u16 code); =20 void hci_sock_set_flag(struct sock *sk, int nr); From nobody Wed Apr 15 02:54:32 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 6D948C04A68 for ; Wed, 27 Jul 2022 16:45:29 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S240298AbiG0Qp1 (ORCPT ); Wed, 27 Jul 2022 12:45:27 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:35416 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S240294AbiG0QoQ (ORCPT ); Wed, 27 Jul 2022 12:44:16 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 736535E311; Wed, 27 Jul 2022 09:30:58 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id AB5FB619CF; Wed, 27 Jul 2022 16:30:57 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id BAF2DC433C1; Wed, 27 Jul 2022 16:30:56 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1658939457; bh=Wvw7I+nGSwocAWbyQDmTKOy9jcP8+ZoXNRue2rb7Ycg=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=rbwxRsy+gPunKe3jkmJvyBuZjF0G9ZNUFkfBuHQbPggGNaQgXGVXQBJTlrgJM0hm9 1mnBAw9rvoHJ8NyJ9G18+OhCeOqYYq/+lV5sGeImNrB4jouofadYtTJyFcEQxyaMGr PWVLqV6nah/Q63JZYdoIhksRyCP9FBrPGueXPcZs= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Luiz Augusto von Dentz , Marcel Holtmann , Harshit Mogalapalli Subject: [PATCH 5.4 75/87] Bluetooth: Add bt_skb_sendmmsg helper Date: Wed, 27 Jul 2022 18:11:08 +0200 Message-Id: <20220727161012.104704033@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220727161008.993711844@linuxfoundation.org> References: <20220727161008.993711844@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Luiz Augusto von Dentz commit 97e4e80299844bb5f6ce5a7540742ffbffae3d97 upstream. This works similarly to bt_skb_sendmsg but can split the msg into multiple skb fragments which is useful for stream sockets. Signed-off-by: Luiz Augusto von Dentz Signed-off-by: Marcel Holtmann Cc: Harshit Mogalapalli Signed-off-by: Greg Kroah-Hartman Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- include/net/bluetooth/bluetooth.h | 38 +++++++++++++++++++++++++++++++++= +++++ 1 file changed, 38 insertions(+) --- a/include/net/bluetooth/bluetooth.h +++ b/include/net/bluetooth/bluetooth.h @@ -398,6 +398,44 @@ static inline struct sk_buff *bt_skb_sen return skb; } =20 +/* Similar to bt_skb_sendmsg but can split the msg into multiple fragments + * accourding to the MTU. + */ +static inline struct sk_buff *bt_skb_sendmmsg(struct sock *sk, + struct msghdr *msg, + size_t len, size_t mtu, + size_t headroom, size_t tailroom) +{ + struct sk_buff *skb, **frag; + + skb =3D bt_skb_sendmsg(sk, msg, len, mtu, headroom, tailroom); + if (IS_ERR_OR_NULL(skb)) + return skb; + + len -=3D skb->len; + if (!len) + return skb; + + /* Add remaining data over MTU as continuation fragments */ + frag =3D &skb_shinfo(skb)->frag_list; + while (len) { + struct sk_buff *tmp; + + tmp =3D bt_skb_sendmsg(sk, msg, len, mtu, headroom, tailroom); + if (IS_ERR_OR_NULL(tmp)) { + kfree_skb(skb); + return tmp; + } + + len -=3D tmp->len; + + *frag =3D tmp; + frag =3D &(*frag)->next; + } + + return skb; +} + int bt_to_errno(u16 code); =20 void hci_sock_set_flag(struct sock *sk, int nr); From nobody Wed Apr 15 02:54:32 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7E289C04A68 for ; Wed, 27 Jul 2022 16:45:55 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S240387AbiG0Qpx (ORCPT ); Wed, 27 Jul 2022 12:45:53 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:42288 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S240341AbiG0QoT (ORCPT ); Wed, 27 Jul 2022 12:44:19 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [145.40.68.75]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id A660ABF44; Wed, 27 Jul 2022 09:31:01 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 2EDF0B821BE; Wed, 27 Jul 2022 16:31:01 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 90998C4314A; Wed, 27 Jul 2022 16:30:59 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1658939460; bh=tS+ar2byvGXQkV54OvZ4Jwy6/JT/BUmN8BRsenhz6fA=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=i43/pN0DFIIdDQ/2EQqMuJS3QLSXyye6nbD1lg5iuQjNnVpQWf4KS9yocXsTlVI4k aPYrRHtttHx0dTD6CTHnTDq7wYJiGTPgpxU9nYmNXN2QBACPh1/XxkxGga19AzYjlB LlHkLabnpB5JyNBKNtV9bPAdwE5Krh4w8FoPni8Q= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Luiz Augusto von Dentz , Marcel Holtmann , Harshit Mogalapalli Subject: [PATCH 5.4 76/87] Bluetooth: SCO: Replace use of memcpy_from_msg with bt_skb_sendmsg Date: Wed, 27 Jul 2022 18:11:09 +0200 Message-Id: <20220727161012.153598073@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220727161008.993711844@linuxfoundation.org> References: <20220727161008.993711844@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Luiz Augusto von Dentz commit 0771cbb3b97d3c1d68eecd7f00055f599954c34e upstream. This makes use of bt_skb_sendmsg instead of allocating a different buffer to be used with memcpy_from_msg which cause one extra copy. Signed-off-by: Luiz Augusto von Dentz Signed-off-by: Marcel Holtmann Cc: Harshit Mogalapalli Signed-off-by: Greg Kroah-Hartman Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- net/bluetooth/sco.c | 34 +++++++++++----------------------- 1 file changed, 11 insertions(+), 23 deletions(-) --- a/net/bluetooth/sco.c +++ b/net/bluetooth/sco.c @@ -279,27 +279,19 @@ static int sco_connect(struct hci_dev *h return err; } =20 -static int sco_send_frame(struct sock *sk, void *buf, int len, - unsigned int msg_flags) +static int sco_send_frame(struct sock *sk, struct sk_buff *skb) { struct sco_conn *conn =3D sco_pi(sk)->conn; - struct sk_buff *skb; - int err; =20 /* Check outgoing MTU */ - if (len > conn->mtu) + if (skb->len > conn->mtu) return -EINVAL; =20 - BT_DBG("sk %p len %d", sk, len); - - skb =3D bt_skb_send_alloc(sk, len, msg_flags & MSG_DONTWAIT, &err); - if (!skb) - return err; + BT_DBG("sk %p len %d", sk, skb->len); =20 - memcpy(skb_put(skb, len), buf, len); hci_send_sco(conn->hcon, skb); =20 - return len; + return skb->len; } =20 static void sco_recv_frame(struct sco_conn *conn, struct sk_buff *skb) @@ -715,7 +707,7 @@ static int sco_sock_sendmsg(struct socke size_t len) { struct sock *sk =3D sock->sk; - void *buf; + struct sk_buff *skb; int err; =20 BT_DBG("sock %p, sk %p", sock, sk); @@ -727,24 +719,20 @@ static int sco_sock_sendmsg(struct socke if (msg->msg_flags & MSG_OOB) return -EOPNOTSUPP; =20 - buf =3D kmalloc(len, GFP_KERNEL); - if (!buf) - return -ENOMEM; - - if (memcpy_from_msg(buf, msg, len)) { - kfree(buf); - return -EFAULT; - } + skb =3D bt_skb_sendmsg(sk, msg, len, len, 0, 0); + if (IS_ERR_OR_NULL(skb)) + return PTR_ERR(skb); =20 lock_sock(sk); =20 if (sk->sk_state =3D=3D BT_CONNECTED) - err =3D sco_send_frame(sk, buf, len, msg->msg_flags); + err =3D sco_send_frame(sk, skb); else err =3D -ENOTCONN; =20 release_sock(sk); - kfree(buf); + if (err) + kfree_skb(skb); return err; } From nobody Wed Apr 15 02:54:32 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 3651DC04A68 for ; Wed, 27 Jul 2022 16:45:36 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S240325AbiG0Qpe (ORCPT ); Wed, 27 Jul 2022 12:45:34 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:42426 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S240371AbiG0QoV (ORCPT ); Wed, 27 Jul 2022 12:44:21 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 0FDA61C129; Wed, 27 Jul 2022 09:31:03 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 5954061A24; Wed, 27 Jul 2022 16:31:03 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 625A2C433C1; Wed, 27 Jul 2022 16:31:02 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1658939462; bh=bFaCTNfL1lzbtcicnm51lbv1Qy3ofyJYMwpu0XKTRIA=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=cfY9T9El78GCFUx8WaiSuTt9OAkvtMlaZ+NMikXXS+TZELo+F1qjc4PsCdpNUMWZx Q+odAOm2XG4pF9ueYEhY5mb+k+git07+Lga8szvSwwqj52Nb1ScgxOeWxd+kucNqKr bSIV2xbT59QXZk3X87IbSfKcHCcJdr2lgujKk8ko= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Luiz Augusto von Dentz , Marcel Holtmann , Harshit Mogalapalli Subject: [PATCH 5.4 77/87] Bluetooth: RFCOMM: Replace use of memcpy_from_msg with bt_skb_sendmmsg Date: Wed, 27 Jul 2022 18:11:10 +0200 Message-Id: <20220727161012.193306231@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220727161008.993711844@linuxfoundation.org> References: <20220727161008.993711844@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Luiz Augusto von Dentz commit 81be03e026dc0c16dc1c64e088b2a53b73caa895 upstream. This makes use of bt_skb_sendmmsg instead using memcpy_from_msg which is not considered safe to be used when lock_sock is held. Also make rfcomm_dlc_send handle skb with fragments and queue them all atomically. Signed-off-by: Luiz Augusto von Dentz Signed-off-by: Marcel Holtmann Cc: Harshit Mogalapalli Signed-off-by: Greg Kroah-Hartman Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- net/bluetooth/rfcomm/core.c | 50 +++++++++++++++++++++++++++++++++++++--= ----- net/bluetooth/rfcomm/sock.c | 50 ++++++++++-----------------------------= ----- 2 files changed, 55 insertions(+), 45 deletions(-) --- a/net/bluetooth/rfcomm/core.c +++ b/net/bluetooth/rfcomm/core.c @@ -553,22 +553,58 @@ struct rfcomm_dlc *rfcomm_dlc_exists(bda return dlc; } =20 +static int rfcomm_dlc_send_frag(struct rfcomm_dlc *d, struct sk_buff *frag) +{ + int len =3D frag->len; + + BT_DBG("dlc %p mtu %d len %d", d, d->mtu, len); + + if (len > d->mtu) + return -EINVAL; + + rfcomm_make_uih(frag, d->addr); + __skb_queue_tail(&d->tx_queue, frag); + + return len; +} + int rfcomm_dlc_send(struct rfcomm_dlc *d, struct sk_buff *skb) { - int len =3D skb->len; + unsigned long flags; + struct sk_buff *frag, *next; + int len; =20 if (d->state !=3D BT_CONNECTED) return -ENOTCONN; =20 - BT_DBG("dlc %p mtu %d len %d", d, d->mtu, len); + frag =3D skb_shinfo(skb)->frag_list; + skb_shinfo(skb)->frag_list =3D NULL; =20 - if (len > d->mtu) - return -EINVAL; + /* Queue all fragments atomically. */ + spin_lock_irqsave(&d->tx_queue.lock, flags); + + len =3D rfcomm_dlc_send_frag(d, skb); + if (len < 0 || !frag) + goto unlock; + + for (; frag; frag =3D next) { + int ret; + + next =3D frag->next; + + ret =3D rfcomm_dlc_send_frag(d, frag); + if (ret < 0) { + kfree_skb(frag); + goto unlock; + } + + len +=3D ret; + } =20 - rfcomm_make_uih(skb, d->addr); - skb_queue_tail(&d->tx_queue, skb); +unlock: + spin_unlock_irqrestore(&d->tx_queue.lock, flags); =20 - if (!test_bit(RFCOMM_TX_THROTTLED, &d->flags)) + if (len > 0 && !test_bit(RFCOMM_TX_THROTTLED, &d->flags)) rfcomm_schedule(); return len; } --- a/net/bluetooth/rfcomm/sock.c +++ b/net/bluetooth/rfcomm/sock.c @@ -578,47 +578,21 @@ static int rfcomm_sock_sendmsg(struct so lock_sock(sk); =20 sent =3D bt_sock_wait_ready(sk, msg->msg_flags); - if (sent) - goto done; - - while (len) { - size_t size =3D min_t(size_t, len, d->mtu); - int err; - - skb =3D sock_alloc_send_skb(sk, size + RFCOMM_SKB_RESERVE, - msg->msg_flags & MSG_DONTWAIT, &err); - if (!skb) { - if (sent =3D=3D 0) - sent =3D err; - break; - } - skb_reserve(skb, RFCOMM_SKB_HEAD_RESERVE); - - err =3D memcpy_from_msg(skb_put(skb, size), msg, size); - if (err) { - kfree_skb(skb); - if (sent =3D=3D 0) - sent =3D err; - break; - } - - skb->priority =3D sk->sk_priority; - - err =3D rfcomm_dlc_send(d, skb); - if (err < 0) { - kfree_skb(skb); - if (sent =3D=3D 0) - sent =3D err; - break; - } - - sent +=3D size; - len -=3D size; - } =20 -done: release_sock(sk); =20 + if (sent) + return sent; + + skb =3D bt_skb_sendmmsg(sk, msg, len, d->mtu, RFCOMM_SKB_HEAD_RESERVE, + RFCOMM_SKB_TAIL_RESERVE); + if (IS_ERR_OR_NULL(skb)) + return PTR_ERR(skb); + + sent =3D rfcomm_dlc_send(d, skb); + if (sent < 0) + kfree_skb(skb); + return sent; } From nobody Wed Apr 15 02:54:32 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id DA2A5C04A68 for ; Wed, 27 Jul 2022 16:45:40 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S240335AbiG0Qpj (ORCPT ); Wed, 27 Jul 2022 12:45:39 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:42780 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S240436AbiG0QoZ (ORCPT ); Wed, 27 Jul 2022 12:44:25 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 954515F103; Wed, 27 Jul 2022 09:31:08 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id D513EB821BD; Wed, 27 Jul 2022 16:31:06 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 32AE6C433D6; Wed, 27 Jul 2022 16:31:05 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1658939465; bh=u7bKTBJfAOMOZ9/sDoWY4Vi6VndC+6DTovQ/pdYctDU=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=xfMrcu2w7G5rU6DV3LWdtulVdA3quYkAAeVO3YRwxtzZSk8sp8kalBE1l7Kyt5hz0 cHvdUS8LFSugjj59Zws7jiX91iyxyBNzUHlDW9IJDV22Cot9isb56W9OpcJ59C3LiA Z7w5ItckCFfBKtnTGjeLOf0XoRwk6WzILKpxLZdQ= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Dan Carpenter , Tedd Ho-Jeong An , Luiz Augusto von Dentz , Marcel Holtmann , Harshit Mogalapalli Subject: [PATCH 5.4 78/87] Bluetooth: Fix passing NULL to PTR_ERR Date: Wed, 27 Jul 2022 18:11:11 +0200 Message-Id: <20220727161012.233338716@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220727161008.993711844@linuxfoundation.org> References: <20220727161008.993711844@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Luiz Augusto von Dentz commit 266191aa8d14b84958aaeb5e96ee4e97839e3d87 upstream. Passing NULL to PTR_ERR will result in 0 (success), also since the likes of bt_skb_sendmsg does never return NULL it is safe to replace the instances of IS_ERR_OR_NULL with IS_ERR when checking its return. Reported-by: Dan Carpenter Tested-by: Tedd Ho-Jeong An Signed-off-by: Luiz Augusto von Dentz Signed-off-by: Marcel Holtmann Cc: Harshit Mogalapalli Signed-off-by: Greg Kroah-Hartman Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- include/net/bluetooth/bluetooth.h | 2 +- net/bluetooth/rfcomm/sock.c | 2 +- net/bluetooth/sco.c | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) --- a/include/net/bluetooth/bluetooth.h +++ b/include/net/bluetooth/bluetooth.h @@ -422,7 +422,7 @@ static inline struct sk_buff *bt_skb_sen struct sk_buff *tmp; =20 tmp =3D bt_skb_sendmsg(sk, msg, len, mtu, headroom, tailroom); - if (IS_ERR_OR_NULL(tmp)) { + if (IS_ERR(tmp)) { kfree_skb(skb); return tmp; } --- a/net/bluetooth/rfcomm/sock.c +++ b/net/bluetooth/rfcomm/sock.c @@ -586,7 +586,7 @@ static int rfcomm_sock_sendmsg(struct so =20 skb =3D bt_skb_sendmmsg(sk, msg, len, d->mtu, RFCOMM_SKB_HEAD_RESERVE, RFCOMM_SKB_TAIL_RESERVE); - if (IS_ERR_OR_NULL(skb)) + if (IS_ERR(skb)) return PTR_ERR(skb); =20 sent =3D rfcomm_dlc_send(d, skb); --- a/net/bluetooth/sco.c +++ b/net/bluetooth/sco.c @@ -720,7 +720,7 @@ static int sco_sock_sendmsg(struct socke return -EOPNOTSUPP; =20 skb =3D bt_skb_sendmsg(sk, msg, len, len, 0, 0); - if (IS_ERR_OR_NULL(skb)) + if (IS_ERR(skb)) return PTR_ERR(skb); =20 lock_sock(sk); From nobody Wed Apr 15 02:54:32 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 49035C19F2B for ; Wed, 27 Jul 2022 16:47:45 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S240445AbiG0Qro (ORCPT ); Wed, 27 Jul 2022 12:47:44 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:42390 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S240114AbiG0Qq4 (ORCPT ); Wed, 27 Jul 2022 12:46:56 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [145.40.68.75]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id E0FD552DCA; Wed, 27 Jul 2022 09:31:54 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 52D27B821BC; Wed, 27 Jul 2022 16:31:53 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 932F8C433C1; Wed, 27 Jul 2022 16:31:51 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1658939512; bh=UOpROHzo/X7Rd+9/tzUGSTkx8KnfLTdzuVsBE7Rw9Vs=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=sCEzQY2xDafzN0LxhCnJ5AECCpB1gZyZKfBWNI7Ei9SOAIxWfJB6FFHlN3NlKkEkE TOfSzhO8EB5avBk98WJTgOFxwze/EpuA8LwJ/unVXIKtBz39Wz4LNvyoOTo4bJu9Nr IG9an1zLhrF8fgw5LpddcMGxfuNGsS81MeFXw5YU= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Tedd Ho-Jeong An , Luiz Augusto von Dentz , Marcel Holtmann , Harshit Mogalapalli Subject: [PATCH 5.4 79/87] Bluetooth: SCO: Fix sco_send_frame returning skb->len Date: Wed, 27 Jul 2022 18:11:12 +0200 Message-Id: <20220727161012.273423762@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220727161008.993711844@linuxfoundation.org> References: <20220727161008.993711844@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Luiz Augusto von Dentz commit 037ce005af6b8a3e40ee07c6e9266c8997e6a4d6 upstream. The skb in modified by hci_send_sco which pushes SCO headers thus changing skb->len causing sco_sock_sendmsg to fail. Fixes: 0771cbb3b97d ("Bluetooth: SCO: Replace use of memcpy_from_msg with b= t_skb_sendmsg") Tested-by: Tedd Ho-Jeong An Signed-off-by: Luiz Augusto von Dentz Signed-off-by: Marcel Holtmann Cc: Harshit Mogalapalli Signed-off-by: Greg Kroah-Hartman Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- net/bluetooth/sco.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) --- a/net/bluetooth/sco.c +++ b/net/bluetooth/sco.c @@ -282,16 +282,17 @@ static int sco_connect(struct hci_dev *h static int sco_send_frame(struct sock *sk, struct sk_buff *skb) { struct sco_conn *conn =3D sco_pi(sk)->conn; + int len =3D skb->len; =20 /* Check outgoing MTU */ - if (skb->len > conn->mtu) + if (len > conn->mtu) return -EINVAL; =20 - BT_DBG("sk %p len %d", sk, skb->len); + BT_DBG("sk %p len %d", sk, len); =20 hci_send_sco(conn->hcon, skb); =20 - return skb->len; + return len; } =20 static void sco_recv_frame(struct sco_conn *conn, struct sk_buff *skb) @@ -731,7 +732,8 @@ static int sco_sock_sendmsg(struct socke err =3D -ENOTCONN; =20 release_sock(sk); - if (err) + + if (err < 0) kfree_skb(skb); return err; } From nobody Wed Apr 15 02:54:32 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 37798C04A68 for ; Wed, 27 Jul 2022 16:46:31 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S237968AbiG0Qqa (ORCPT ); Wed, 27 Jul 2022 12:46:30 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:44908 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S240292AbiG0Qp1 (ORCPT ); Wed, 27 Jul 2022 12:45:27 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 318455F9B8; Wed, 27 Jul 2022 09:31:30 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id B7D4D61A39; Wed, 27 Jul 2022 16:31:29 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 5E7D0C433D6; Wed, 27 Jul 2022 16:31:28 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1658939489; bh=TX+Sdx7vNb92kNhrkYvV7Qs/pncP26B1lxcQyV/riF4=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=wpc5UJCw3JgZl678cP6ICwNIUiLNcP5IlhW+YtpW8zvr8L6iTksLKCMoM77MwPrDH EBzYg4k8g8mNtCoQYfzKTHpPTTCs1SufTfEVaow8yetEDAwKaIx/VrAF5xVFN07+FJ z6NFIujv/tbDvhbrtIJp48ag7s4EGA2Dvkp/b3KU= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Paul Menzel , Luiz Augusto von Dentz , Marcel Holtmann , Harshit Mogalapalli Subject: [PATCH 5.4 80/87] Bluetooth: Fix bt_skb_sendmmsg not allocating partial chunks Date: Wed, 27 Jul 2022 18:11:13 +0200 Message-Id: <20220727161012.318635744@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220727161008.993711844@linuxfoundation.org> References: <20220727161008.993711844@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Luiz Augusto von Dentz commit 29fb608396d6a62c1b85acc421ad7a4399085b9f upstream. Since bt_skb_sendmmsg can be used with the likes of SOCK_STREAM it shall return the partial chunks it could allocate instead of freeing everything as otherwise it can cause problems like bellow. Fixes: 81be03e026dc ("Bluetooth: RFCOMM: Replace use of memcpy_from_msg wit= h bt_skb_sendmmsg") Reported-by: Paul Menzel Link: https://lore.kernel.org/r/d7206e12-1b99-c3be-84f4-df22af427ef5@molgen= .mpg.de BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=3D215594 Signed-off-by: Luiz Augusto von Dentz Tested-by: Paul Menzel (Nokia N9 (MeeGo/Harmattan) Signed-off-by: Marcel Holtmann Cc: Harshit Mogalapalli Signed-off-by: Greg Kroah-Hartman Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- include/net/bluetooth/bluetooth.h | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) --- a/include/net/bluetooth/bluetooth.h +++ b/include/net/bluetooth/bluetooth.h @@ -423,8 +423,7 @@ static inline struct sk_buff *bt_skb_sen =20 tmp =3D bt_skb_sendmsg(sk, msg, len, mtu, headroom, tailroom); if (IS_ERR(tmp)) { - kfree_skb(skb); - return tmp; + return skb; } =20 len -=3D tmp->len; From nobody Wed Apr 15 02:54:32 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id F0842C04A68 for ; Wed, 27 Jul 2022 16:46:47 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S240452AbiG0Qqp (ORCPT ); Wed, 27 Jul 2022 12:46:45 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:43970 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S240375AbiG0Qpr (ORCPT ); Wed, 27 Jul 2022 12:45:47 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [145.40.68.75]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id D020B5FADC; Wed, 27 Jul 2022 09:31:34 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 4131BB821BB; Wed, 27 Jul 2022 16:31:33 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 99EB0C433D6; Wed, 27 Jul 2022 16:31:31 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1658939492; bh=nUv+h/EUkaR55wIdNw5/QvZ3wmR8Hsx3O2sYlliQHDY=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=2lIZp4rOsfCOJYUkfXlF2HztJQL01HWtHKNhS29PQojH258rZ6OQEjjXkD2TefhD8 P5wPGdUb6g2EgGZJqfcqS+Nn3863MdyoLbiJ25/lolg/BPgvF862MWnfhPjaL4ntgP HlFwl5jqRN2AMCNDxkqzxCjGUGpyeIz9d0/88Km8= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Vladimir Zapolskiy , Johan Hovold , Jiri Slaby Subject: [PATCH 5.4 81/87] tty: drivers/tty/, stop using tty_schedule_flip() Date: Wed, 27 Jul 2022 18:11:14 +0200 Message-Id: <20220727161012.352211572@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220727161008.993711844@linuxfoundation.org> References: <20220727161008.993711844@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Jiri Slaby commit 5f6a85158ccacc3f09744b3aafe8b11ab3b6c6f6 upstream. Since commit a9c3f68f3cd8d (tty: Fix low_latency BUG) in 2014, tty_flip_buffer_push() is only a wrapper to tty_schedule_flip(). We are going to remove the latter (as it is used less), so call the former in drivers/tty/. Cc: Vladimir Zapolskiy Reviewed-by: Johan Hovold Signed-off-by: Jiri Slaby Link: https://lore.kernel.org/r/20211122111648.30379-2-jslaby@suse.cz Signed-off-by: Greg Kroah-Hartman Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- drivers/tty/cyclades.c | 6 +++--- drivers/tty/goldfish.c | 2 +- drivers/tty/moxa.c | 4 ++-- drivers/tty/serial/lpc32xx_hs.c | 2 +- drivers/tty/vt/keyboard.c | 6 +++--- drivers/tty/vt/vt.c | 2 +- 6 files changed, 11 insertions(+), 11 deletions(-) --- a/drivers/tty/cyclades.c +++ b/drivers/tty/cyclades.c @@ -556,7 +556,7 @@ static void cyy_chip_rx(struct cyclades_ } info->idle_stats.recv_idle =3D jiffies; } - tty_schedule_flip(port); + tty_flip_buffer_push(port); =20 /* end of service */ cyy_writeb(info, CyRIR, save_xir & 0x3f); @@ -996,7 +996,7 @@ static void cyz_handle_rx(struct cyclade mod_timer(&info->rx_full_timer, jiffies + 1); #endif info->idle_stats.recv_idle =3D jiffies; - tty_schedule_flip(&info->port); + tty_flip_buffer_push(&info->port); =20 /* Update rx_get */ cy_writel(&buf_ctrl->rx_get, new_rx_get); @@ -1172,7 +1172,7 @@ static void cyz_handle_cmd(struct cyclad if (delta_count) wake_up_interruptible(&info->port.delta_msr_wait); if (special_count) - tty_schedule_flip(&info->port); + tty_flip_buffer_push(&info->port); } } =20 --- a/drivers/tty/goldfish.c +++ b/drivers/tty/goldfish.c @@ -151,7 +151,7 @@ static irqreturn_t goldfish_tty_interrup address =3D (unsigned long)(void *)buf; goldfish_tty_rw(qtty, address, count, 0); =20 - tty_schedule_flip(&qtty->port); + tty_flip_buffer_push(&qtty->port); return IRQ_HANDLED; } =20 --- a/drivers/tty/moxa.c +++ b/drivers/tty/moxa.c @@ -1385,7 +1385,7 @@ static int moxa_poll_port(struct moxa_po if (inited && !tty_throttled(tty) && MoxaPortRxQueue(p) > 0) { /* RX */ MoxaPortReadData(p); - tty_schedule_flip(&p->port); + tty_flip_buffer_push(&p->port); } } else { clear_bit(EMPTYWAIT, &p->statusflags); @@ -1410,7 +1410,7 @@ static int moxa_poll_port(struct moxa_po =20 if (tty && (intr & IntrBreak) && !I_IGNBRK(tty)) { /* BREAK */ tty_insert_flip_char(&p->port, 0, TTY_BREAK); - tty_schedule_flip(&p->port); + tty_flip_buffer_push(&p->port); } =20 if (intr & IntrLine) --- a/drivers/tty/serial/lpc32xx_hs.c +++ b/drivers/tty/serial/lpc32xx_hs.c @@ -345,7 +345,7 @@ static irqreturn_t serial_lpc32xx_interr LPC32XX_HSUART_IIR(port->membase)); port->icount.overrun++; tty_insert_flip_char(tport, 0, TTY_OVERRUN); - tty_schedule_flip(tport); + tty_flip_buffer_push(tport); } =20 /* Data received? */ --- a/drivers/tty/vt/keyboard.c +++ b/drivers/tty/vt/keyboard.c @@ -310,7 +310,7 @@ int kbd_rate(struct kbd_repeat *rpt) static void put_queue(struct vc_data *vc, int ch) { tty_insert_flip_char(&vc->port, ch, 0); - tty_schedule_flip(&vc->port); + tty_flip_buffer_push(&vc->port); } =20 static void puts_queue(struct vc_data *vc, char *cp) @@ -319,7 +319,7 @@ static void puts_queue(struct vc_data *v tty_insert_flip_char(&vc->port, *cp, 0); cp++; } - tty_schedule_flip(&vc->port); + tty_flip_buffer_push(&vc->port); } =20 static void applkey(struct vc_data *vc, int key, char mode) @@ -564,7 +564,7 @@ static void fn_inc_console(struct vc_dat static void fn_send_intr(struct vc_data *vc) { tty_insert_flip_char(&vc->port, 0, TTY_BREAK); - tty_schedule_flip(&vc->port); + tty_flip_buffer_push(&vc->port); } =20 static void fn_scroll_forw(struct vc_data *vc) --- a/drivers/tty/vt/vt.c +++ b/drivers/tty/vt/vt.c @@ -1837,7 +1837,7 @@ static void respond_string(const char *p tty_insert_flip_char(port, *p, 0); p++; } - tty_schedule_flip(port); + tty_flip_buffer_push(port); } =20 static void cursor_report(struct vc_data *vc, struct tty_struct *tty) From nobody Wed Apr 15 02:54:32 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 1ACE0C19F2C for ; Wed, 27 Jul 2022 16:47:02 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S240460AbiG0QrA (ORCPT ); Wed, 27 Jul 2022 12:47:00 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:44774 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S240134AbiG0QqU (ORCPT ); Wed, 27 Jul 2022 12:46:20 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id C7DFB60507; Wed, 27 Jul 2022 09:31:37 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 04140B821A6; Wed, 27 Jul 2022 16:31:36 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 3820BC433C1; Wed, 27 Jul 2022 16:31:34 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1658939494; bh=2KhsuBtZEV+6+XuZIeLhyX0nuT5PSEtGK16KaFUVp48=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=UQLC9MmUEnyVIdsi0L45/ykBXMaluiE7glNouiGB1Psau4NDPYkKijKl4LhE/Qcab k4FsAIJ0QiwNknSc+cn7PJyoFUbySaQ4H/NHxyQCCwgKAHIav/lC48JsWgaO90asKc 76LsQj82Rx9HXg+sHJFh4XUQXVa1JtJb5zMipXoQ= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Richard Henderson , Ivan Kokshaysky , Matt Turner , William Hubbs , Chris Brannon , Kirk Reiser , Samuel Thibault , Heiko Carstens , Vasily Gorbik , Christian Borntraeger , Alexander Gordeev , Johan Hovold , Jiri Slaby Subject: [PATCH 5.4 82/87] tty: the rest, stop using tty_schedule_flip() Date: Wed, 27 Jul 2022 18:11:15 +0200 Message-Id: <20220727161012.386373695@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220727161008.993711844@linuxfoundation.org> References: <20220727161008.993711844@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Jiri Slaby commit b68b914494df4f79b4e9b58953110574af1cb7a2 upstream. Since commit a9c3f68f3cd8d (tty: Fix low_latency BUG) in 2014, tty_flip_buffer_push() is only a wrapper to tty_schedule_flip(). We are going to remove the latter (as it is used less), so call the former in the rest of the users. Cc: Richard Henderson Cc: Ivan Kokshaysky Cc: Matt Turner Cc: William Hubbs Cc: Chris Brannon Cc: Kirk Reiser Cc: Samuel Thibault Cc: Heiko Carstens Cc: Vasily Gorbik Cc: Christian Borntraeger Cc: Alexander Gordeev Reviewed-by: Johan Hovold Signed-off-by: Jiri Slaby Link: https://lore.kernel.org/r/20211122111648.30379-3-jslaby@suse.cz Signed-off-by: Greg Kroah-Hartman Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- arch/alpha/kernel/srmcons.c | 2 +- drivers/s390/char/keyboard.h | 4 ++-- drivers/staging/speakup/spk_ttyio.c | 4 ++-- 3 files changed, 5 insertions(+), 5 deletions(-) --- a/arch/alpha/kernel/srmcons.c +++ b/arch/alpha/kernel/srmcons.c @@ -59,7 +59,7 @@ srmcons_do_receive_chars(struct tty_port } while((result.bits.status & 1) && (++loops < 10)); =20 if (count) - tty_schedule_flip(port); + tty_flip_buffer_push(port); =20 return count; } --- a/drivers/s390/char/keyboard.h +++ b/drivers/s390/char/keyboard.h @@ -56,7 +56,7 @@ static inline void kbd_put_queue(struct tty_port *port, int ch) { tty_insert_flip_char(port, ch, 0); - tty_schedule_flip(port); + tty_flip_buffer_push(port); } =20 static inline void @@ -64,5 +64,5 @@ kbd_puts_queue(struct tty_port *port, ch { while (*cp) tty_insert_flip_char(port, *cp++, 0); - tty_schedule_flip(port); + tty_flip_buffer_push(port); } --- a/drivers/staging/speakup/spk_ttyio.c +++ b/drivers/staging/speakup/spk_ttyio.c @@ -88,7 +88,7 @@ static int spk_ttyio_receive_buf2(struct } =20 if (!ldisc_data->buf_free) - /* ttyio_in will tty_schedule_flip */ + /* ttyio_in will tty_flip_buffer_push */ return 0; =20 /* Make sure the consumer has read buf before we have seen @@ -325,7 +325,7 @@ static unsigned char ttyio_in(int timeou mb(); ldisc_data->buf_free =3D true; /* Let TTY push more characters */ - tty_schedule_flip(speakup_tty->port); + tty_flip_buffer_push(speakup_tty->port); =20 return rv; } From nobody Wed Apr 15 02:54:32 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 32249C04A68 for ; Wed, 27 Jul 2022 16:47:06 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S240312AbiG0QrE (ORCPT ); Wed, 27 Jul 2022 12:47:04 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:44830 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S240438AbiG0QqU (ORCPT ); Wed, 27 Jul 2022 12:46:20 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 0C1B760513; Wed, 27 Jul 2022 09:31:38 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 34AA461A3F; Wed, 27 Jul 2022 16:31:38 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 15C3AC43140; Wed, 27 Jul 2022 16:31:36 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1658939497; bh=/GMk23CtWzGG8cLYQdV4sSVjdwm9g382gacanHf4Ph0=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=FOZyWa7iRAdI+bcw19nIu5rPaY3xYiKaG8RGcLyn/jvc5+v5L8N2N7s+cMsmrt1gu F/ERCjHFAjdg2s9l5kwUlm+oJSu/3OeDbQ//GwbxtdLcGWj5b/Qnwl4l0OyPuAmb9N M4F49CckwaZZRALFuiqsf8iITJyigv6J49EgoWTk= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Johan Hovold , Jiri Slaby Subject: [PATCH 5.4 83/87] tty: drop tty_schedule_flip() Date: Wed, 27 Jul 2022 18:11:16 +0200 Message-Id: <20220727161012.425940164@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220727161008.993711844@linuxfoundation.org> References: <20220727161008.993711844@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Jiri Slaby commit 5db96ef23bda6c2a61a51693c85b78b52d03f654 upstream. Since commit a9c3f68f3cd8d (tty: Fix low_latency BUG) in 2014, tty_flip_buffer_push() is only a wrapper to tty_schedule_flip(). All users were converted in the previous patches, so remove tty_schedule_flip() completely while inlining its body into tty_flip_buffer_push(). One less exported function. Reviewed-by: Johan Hovold Signed-off-by: Jiri Slaby Link: https://lore.kernel.org/r/20211122111648.30379-4-jslaby@suse.cz Signed-off-by: Greg Kroah-Hartman Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- drivers/tty/tty_buffer.c | 30 ++++++++---------------------- include/linux/tty_flip.h | 1 - 2 files changed, 8 insertions(+), 23 deletions(-) --- a/drivers/tty/tty_buffer.c +++ b/drivers/tty/tty_buffer.c @@ -395,27 +395,6 @@ int __tty_insert_flip_char(struct tty_po EXPORT_SYMBOL(__tty_insert_flip_char); =20 /** - * tty_schedule_flip - push characters to ldisc - * @port: tty port to push from - * - * Takes any pending buffers and transfers their ownership to the - * ldisc side of the queue. It then schedules those characters for - * processing by the line discipline. - */ - -void tty_schedule_flip(struct tty_port *port) -{ - struct tty_bufhead *buf =3D &port->buf; - - /* paired w/ acquire in flush_to_ldisc(); ensures - * flush_to_ldisc() sees buffer data. - */ - smp_store_release(&buf->tail->commit, buf->tail->used); - queue_work(system_unbound_wq, &buf->work); -} -EXPORT_SYMBOL(tty_schedule_flip); - -/** * tty_prepare_flip_string - make room for characters * @port: tty port * @chars: return pointer for character write area @@ -557,7 +536,14 @@ static void flush_to_ldisc(struct work_s =20 void tty_flip_buffer_push(struct tty_port *port) { - tty_schedule_flip(port); + struct tty_bufhead *buf =3D &port->buf; + + /* + * Paired w/ acquire in flush_to_ldisc(); ensures flush_to_ldisc() sees + * buffer data. + */ + smp_store_release(&buf->tail->commit, buf->tail->used); + queue_work(system_unbound_wq, &buf->work); } EXPORT_SYMBOL(tty_flip_buffer_push); =20 --- a/include/linux/tty_flip.h +++ b/include/linux/tty_flip.h @@ -12,7 +12,6 @@ extern int tty_insert_flip_string_fixed_ extern int tty_prepare_flip_string(struct tty_port *port, unsigned char **chars, size_t size); extern void tty_flip_buffer_push(struct tty_port *port); -void tty_schedule_flip(struct tty_port *port); int __tty_insert_flip_char(struct tty_port *port, unsigned char ch, char f= lag); =20 static inline int tty_insert_flip_char(struct tty_port *port, From nobody Wed Apr 15 02:54:32 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 57550C04A68 for ; Wed, 27 Jul 2022 16:47:10 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S240471AbiG0QrI (ORCPT ); Wed, 27 Jul 2022 12:47:08 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:43798 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S240297AbiG0QqY (ORCPT ); Wed, 27 Jul 2022 12:46:24 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 0AA3460525; Wed, 27 Jul 2022 09:31:41 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 05B4D61A39; Wed, 27 Jul 2022 16:31:41 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 0FAFEC433C1; Wed, 27 Jul 2022 16:31:39 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1658939500; bh=2Vlo7M8NSNs8mY3VMCsSnVhil6Q8QE9JRpDlIGdKv1U=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=pgEeIzNPyBlDUUnEirXGbDJs6pS7FMv0XPS+o7lim3SOCPDmFgx1HChKHHBkPnOfF jQX+zRcPCMfx2+aGKqqRme61+iEJiZvtIRT7eKSsC9InQWGAOlDGMf7HTgXjk67KmM zx7n0Wr5JdcOVRBz4tWMbywIYFeSyUNpGmZ603ak= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Hillf Danton , =?UTF-8?q?=E4=B8=80=E5=8F=AA=E7=8B=97?= , Dan Carpenter , Jiri Slaby Subject: [PATCH 5.4 84/87] tty: extract tty_flip_buffer_commit() from tty_flip_buffer_push() Date: Wed, 27 Jul 2022 18:11:17 +0200 Message-Id: <20220727161012.464035141@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220727161008.993711844@linuxfoundation.org> References: <20220727161008.993711844@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Jiri Slaby commit 716b10580283fda66f2b88140e3964f8a7f9da89 upstream. We will need this new helper in the next patch. Cc: Hillf Danton Cc: =E4=B8=80=E5=8F=AA=E7=8B=97 Cc: Dan Carpenter Signed-off-by: Jiri Slaby Link: https://lore.kernel.org/r/20220707082558.9250-1-jslaby@suse.cz Signed-off-by: Greg Kroah-Hartman Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- drivers/tty/tty_buffer.c | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) --- a/drivers/tty/tty_buffer.c +++ b/drivers/tty/tty_buffer.c @@ -523,6 +523,15 @@ static void flush_to_ldisc(struct work_s =20 } =20 +static inline void tty_flip_buffer_commit(struct tty_buffer *tail) +{ + /* + * Paired w/ acquire in flush_to_ldisc(); ensures flush_to_ldisc() sees + * buffer data. + */ + smp_store_release(&tail->commit, tail->used); +} + /** * tty_flip_buffer_push - terminal * @port: tty port to push @@ -538,11 +547,7 @@ void tty_flip_buffer_push(struct tty_por { struct tty_bufhead *buf =3D &port->buf; =20 - /* - * Paired w/ acquire in flush_to_ldisc(); ensures flush_to_ldisc() sees - * buffer data. - */ - smp_store_release(&buf->tail->commit, buf->tail->used); + tty_flip_buffer_commit(buf->tail); queue_work(system_unbound_wq, &buf->work); } EXPORT_SYMBOL(tty_flip_buffer_push); From nobody Wed Apr 15 02:54:32 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 2895BC04A68 for ; Wed, 27 Jul 2022 16:47:15 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S240370AbiG0QrM (ORCPT ); Wed, 27 Jul 2022 12:47:12 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:45036 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S240292AbiG0Qqe (ORCPT ); Wed, 27 Jul 2022 12:46:34 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 6D7EE60531; Wed, 27 Jul 2022 09:31:44 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id E4BED61A59; Wed, 27 Jul 2022 16:31:43 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id EA891C433D6; Wed, 27 Jul 2022 16:31:42 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1658939503; bh=IAz/0NP1UEuLiyTzhyYgV1Ut3JG3tIC0PrtV/SRhFeU=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=eUlpCeM8k/NaOL+qjkjqfIQK7fc2DXxHUHunwXWfmhJLiaCJT2rh/XbPnoBDKV+Yk q1RVQRnlY968EgFnyk+JRWckA5poTuB/h0kcwMhKhYYHCbYRfvrgx2k+yZjseSYI9V a0mxl01/Od2q0aTDLdRE/EnodlkQ69kWJgU4VtMs= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, =?UTF-8?q?=E4=B8=80=E5=8F=AA=E7=8B=97?= , Dan Carpenter , Hillf Danton , Jiri Slaby Subject: [PATCH 5.4 85/87] tty: use new tty_insert_flip_string_and_push_buffer() in pty_write() Date: Wed, 27 Jul 2022 18:11:18 +0200 Message-Id: <20220727161012.507492356@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220727161008.993711844@linuxfoundation.org> References: <20220727161008.993711844@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Jiri Slaby commit a501ab75e7624d133a5a3c7ec010687c8b961d23 upstream. There is a race in pty_write(). pty_write() can be called in parallel with e.g. ioctl(TIOCSTI) or ioctl(TCXONC) which also inserts chars to the buffer. Provided, tty_flip_buffer_push() in pty_write() is called outside the lock, it can commit inconsistent tail. This can lead to out of bounds writes and other issues. See the Link below. To fix this, we have to introduce a new helper called tty_insert_flip_string_and_push_buffer(). It does both tty_insert_flip_string() and tty_flip_buffer_commit() under the port lock. It also calls queue_work(), but outside the lock. See 71a174b39f10 (pty: do tty_flip_buffer_push without port->lock in pty_write) for the reasons. Keep the helper internal-only (in drivers' tty.h). It is not intended to be used widely. Link: https://seclists.org/oss-sec/2022/q2/155 Fixes: 71a174b39f10 (pty: do tty_flip_buffer_push without port->lock in pty= _write) Cc: =E4=B8=80=E5=8F=AA=E7=8B=97 Cc: Dan Carpenter Suggested-by: Hillf Danton Signed-off-by: Jiri Slaby Link: https://lore.kernel.org/r/20220707082558.9250-2-jslaby@suse.cz Signed-off-by: Greg Kroah-Hartman Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- drivers/tty/pty.c | 14 ++------------ drivers/tty/tty_buffer.c | 31 +++++++++++++++++++++++++++++++ include/linux/tty_flip.h | 3 +++ 3 files changed, 36 insertions(+), 12 deletions(-) --- a/drivers/tty/pty.c +++ b/drivers/tty/pty.c @@ -111,21 +111,11 @@ static void pty_unthrottle(struct tty_st static int pty_write(struct tty_struct *tty, const unsigned char *buf, int= c) { struct tty_struct *to =3D tty->link; - unsigned long flags; =20 - if (tty->stopped) + if (tty->stopped || !c) return 0; =20 - if (c > 0) { - spin_lock_irqsave(&to->port->lock, flags); - /* Stuff the data into the input queue of the other end */ - c =3D tty_insert_flip_string(to->port, buf, c); - spin_unlock_irqrestore(&to->port->lock, flags); - /* And shovel */ - if (c) - tty_flip_buffer_push(to->port); - } - return c; + return tty_insert_flip_string_and_push_buffer(to->port, buf, c); } =20 /** --- a/drivers/tty/tty_buffer.c +++ b/drivers/tty/tty_buffer.c @@ -553,6 +553,37 @@ void tty_flip_buffer_push(struct tty_por EXPORT_SYMBOL(tty_flip_buffer_push); =20 /** + * tty_insert_flip_string_and_push_buffer - add characters to the tty buff= er and + * push + * @port: tty port + * @chars: characters + * @size: size + * + * The function combines tty_insert_flip_string() and tty_flip_buffer_push= () + * with the exception of properly holding the @port->lock. + * + * To be used only internally (by pty currently). + * + * Returns: the number added. + */ +int tty_insert_flip_string_and_push_buffer(struct tty_port *port, + const unsigned char *chars, size_t size) +{ + struct tty_bufhead *buf =3D &port->buf; + unsigned long flags; + + spin_lock_irqsave(&port->lock, flags); + size =3D tty_insert_flip_string(port, chars, size); + if (size) + tty_flip_buffer_commit(buf->tail); + spin_unlock_irqrestore(&port->lock, flags); + + queue_work(system_unbound_wq, &buf->work); + + return size; +} + +/** * tty_buffer_init - prepare a tty buffer structure * @tty: tty to initialise * --- a/include/linux/tty_flip.h +++ b/include/linux/tty_flip.h @@ -39,4 +39,7 @@ static inline int tty_insert_flip_string extern void tty_buffer_lock_exclusive(struct tty_port *port); extern void tty_buffer_unlock_exclusive(struct tty_port *port); =20 +int tty_insert_flip_string_and_push_buffer(struct tty_port *port, + const unsigned char *chars, size_t cnt); + #endif /* _LINUX_TTY_FLIP_H */ From nobody Wed Apr 15 02:54:32 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 18C7BC04A68 for ; Wed, 27 Jul 2022 16:47:19 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S240490AbiG0QrQ (ORCPT ); Wed, 27 Jul 2022 12:47:16 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:42940 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S240447AbiG0Qqn (ORCPT ); Wed, 27 Jul 2022 12:46:43 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id ECD6360536; Wed, 27 Jul 2022 09:31:46 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id CAE2761A38; Wed, 27 Jul 2022 16:31:46 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id D45C3C433D6; Wed, 27 Jul 2022 16:31:45 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1658939506; bh=ydtawCHI9tI+KQC+sjXz+6STk9xAOxNf1KQiu79LHKw=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=oJEEk97GRplMn9upSC+0sZVbjVrnNp9hcoPLOzas+Z/b0vnu1ZNifMIl5QLb9D+Am REMoETt7n8IfgrB9Pa51QS9HaY1NVE9BgCh34P7wH58RriVNVtgMHc+mSbJr/beqdz 9FiVRkqPJJ9eaFh1Ub3rz6QOrffxHcPcSv1FaRL8= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Jose Alonso , "David S. Miller" Subject: [PATCH 5.4 86/87] net: usb: ax88179_178a needs FLAG_SEND_ZLP Date: Wed, 27 Jul 2022 18:11:19 +0200 Message-Id: <20220727161012.546406528@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220727161008.993711844@linuxfoundation.org> References: <20220727161008.993711844@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Jose Alonso commit 36a15e1cb134c0395261ba1940762703f778438c upstream. The extra byte inserted by usbnet.c when (length % dev->maxpacket =3D=3D 0) is causing problems to device. This patch sets FLAG_SEND_ZLP to avoid this. Tested with: 0b95:1790 ASIX Electronics Corp. AX88179 Gigabit Ethernet Problems observed: =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D 1) Using ssh/sshfs. The remote sshd daemon can abort with the message: "message authentication code incorrect" This happens because the tcp message sent is corrupted during the USB "Bulk out". The device calculate the tcp checksum and send a valid tcp message to the remote sshd. Then the encryption detects the error and aborts. 2) NETDEV WATCHDOG: ... (ax88179_178a): transmit queue 0 timed out 3) Stop normal work without any log message. The "Bulk in" continue receiving packets normally. The host sends "Bulk out" and the device responds with -ECONNRESET. (The netusb.c code tx_complete ignore -ECONNRESET) Under normal conditions these errors take days to happen and in intense usage take hours. A test with ping gives packet loss, showing that something is wrong: ping -4 -s 462 {destination} # 462 =3D 512 - 42 - 8 Not all packets fail. My guess is that the device tries to find another packet starting at the extra byte and will fail or not depending on the next bytes (old buffer content). =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D Signed-off-by: Jose Alonso Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- drivers/net/usb/ax88179_178a.c | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) --- a/drivers/net/usb/ax88179_178a.c +++ b/drivers/net/usb/ax88179_178a.c @@ -1690,7 +1690,7 @@ static const struct driver_info ax88179_ .link_reset =3D ax88179_link_reset, .reset =3D ax88179_reset, .stop =3D ax88179_stop, - .flags =3D FLAG_ETHER | FLAG_FRAMING_AX, + .flags =3D FLAG_ETHER | FLAG_FRAMING_AX | FLAG_SEND_ZLP, .rx_fixup =3D ax88179_rx_fixup, .tx_fixup =3D ax88179_tx_fixup, }; @@ -1703,7 +1703,7 @@ static const struct driver_info ax88178a .link_reset =3D ax88179_link_reset, .reset =3D ax88179_reset, .stop =3D ax88179_stop, - .flags =3D FLAG_ETHER | FLAG_FRAMING_AX, + .flags =3D FLAG_ETHER | FLAG_FRAMING_AX | FLAG_SEND_ZLP, .rx_fixup =3D ax88179_rx_fixup, .tx_fixup =3D ax88179_tx_fixup, }; @@ -1716,7 +1716,7 @@ static const struct driver_info cypress_ .link_reset =3D ax88179_link_reset, .reset =3D ax88179_reset, .stop =3D ax88179_stop, - .flags =3D FLAG_ETHER | FLAG_FRAMING_AX, + .flags =3D FLAG_ETHER | FLAG_FRAMING_AX | FLAG_SEND_ZLP, .rx_fixup =3D ax88179_rx_fixup, .tx_fixup =3D ax88179_tx_fixup, }; @@ -1729,7 +1729,7 @@ static const struct driver_info dlink_du .link_reset =3D ax88179_link_reset, .reset =3D ax88179_reset, .stop =3D ax88179_stop, - .flags =3D FLAG_ETHER | FLAG_FRAMING_AX, + .flags =3D FLAG_ETHER | FLAG_FRAMING_AX | FLAG_SEND_ZLP, .rx_fixup =3D ax88179_rx_fixup, .tx_fixup =3D ax88179_tx_fixup, }; @@ -1742,7 +1742,7 @@ static const struct driver_info sitecom_ .link_reset =3D ax88179_link_reset, .reset =3D ax88179_reset, .stop =3D ax88179_stop, - .flags =3D FLAG_ETHER | FLAG_FRAMING_AX, + .flags =3D FLAG_ETHER | FLAG_FRAMING_AX | FLAG_SEND_ZLP, .rx_fixup =3D ax88179_rx_fixup, .tx_fixup =3D ax88179_tx_fixup, }; @@ -1755,7 +1755,7 @@ static const struct driver_info samsung_ .link_reset =3D ax88179_link_reset, .reset =3D ax88179_reset, .stop =3D ax88179_stop, - .flags =3D FLAG_ETHER | FLAG_FRAMING_AX, + .flags =3D FLAG_ETHER | FLAG_FRAMING_AX | FLAG_SEND_ZLP, .rx_fixup =3D ax88179_rx_fixup, .tx_fixup =3D ax88179_tx_fixup, }; @@ -1768,7 +1768,7 @@ static const struct driver_info lenovo_i .link_reset =3D ax88179_link_reset, .reset =3D ax88179_reset, .stop =3D ax88179_stop, - .flags =3D FLAG_ETHER | FLAG_FRAMING_AX, + .flags =3D FLAG_ETHER | FLAG_FRAMING_AX | FLAG_SEND_ZLP, .rx_fixup =3D ax88179_rx_fixup, .tx_fixup =3D ax88179_tx_fixup, }; @@ -1781,7 +1781,7 @@ static const struct driver_info belkin_i .link_reset =3D ax88179_link_reset, .reset =3D ax88179_reset, .stop =3D ax88179_stop, - .flags =3D FLAG_ETHER | FLAG_FRAMING_AX, + .flags =3D FLAG_ETHER | FLAG_FRAMING_AX | FLAG_SEND_ZLP, .rx_fixup =3D ax88179_rx_fixup, .tx_fixup =3D ax88179_tx_fixup, }; From nobody Wed Apr 15 02:54:32 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 145C2C04A68 for ; Wed, 27 Jul 2022 16:47:40 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S240008AbiG0Qri (ORCPT ); Wed, 27 Jul 2022 12:47:38 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:43102 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S240404AbiG0Qqx (ORCPT ); Wed, 27 Jul 2022 12:46:53 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 168775247D; Wed, 27 Jul 2022 09:31:50 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 9CCAB61A4F; Wed, 27 Jul 2022 16:31:49 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id A3B00C433C1; Wed, 27 Jul 2022 16:31:48 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1658939509; bh=smYeKmamlWhHlqS80zNjKhdEHi3FB7mA4ILpi3O5Zzk=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=XM1FrO4C80moDNu+gMaG0FciS45KLeUhDNrlhmOAqs7zQXwLFjdxLD9uZgM7La90N V+B1IjiMTTAdg7NqYq8dcBvPFQ0tgavFd9RDRqLsr1qlKaQvnfSpGorhTMAx7TdY55 WIjrfZ+96p3Gsb+AhFtUkWFYcfmGNI0/Ch/i8UX8= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Jan Beulich , Paolo Bonzini Subject: [PATCH 5.4 87/87] x86: drop bogus "cc" clobber from __try_cmpxchg_user_asm() Date: Wed, 27 Jul 2022 18:11:20 +0200 Message-Id: <20220727161012.576805216@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220727161008.993711844@linuxfoundation.org> References: <20220727161008.993711844@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Jan Beulich commit 1df931d95f4dc1c11db1123e85d4e08156e46ef9 upstream. As noted (and fixed) a couple of times in the past, "=3D@cc" outputs and clobbering of "cc" don't work well together. The compiler appears to mean to reject such, but doesn't - in its upstream form - quite manage to yet for "cc". Furthermore two similar macros don't clobber "cc", and clobbering "cc" is pointless in asm()-s for x86 anyway - the compiler always assumes status flags to be clobbered there. Fixes: 989b5db215a2 ("x86/uaccess: Implement macros for CMPXCHG on user add= resses") Signed-off-by: Jan Beulich Message-Id: <485c0c0b-a3a7-0b7c-5264-7d00c01de032@suse.com> Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- arch/x86/include/asm/uaccess.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/arch/x86/include/asm/uaccess.h +++ b/arch/x86/include/asm/uaccess.h @@ -498,7 +498,7 @@ __pu_label: \ [ptr] "+m" (*_ptr), \ [old] "+a" (__old) \ : [new] ltype (__new) \ - : "memory", "cc"); \ + : "memory"); \ if (unlikely(__err)) \ goto label; \ if (unlikely(!success)) \