From nobody Sat Apr 11 15:26:32 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id C687AC3F6B0 for ; Tue, 9 Aug 2022 18:03:09 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1344415AbiHISDI (ORCPT ); Tue, 9 Aug 2022 14:03:08 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:34462 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S245685AbiHISCg (ORCPT ); Tue, 9 Aug 2022 14:02:36 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 25C4E26103; Tue, 9 Aug 2022 11:01:26 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 9B1A361028; Tue, 9 Aug 2022 18:01:25 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 1312FC433B5; Tue, 9 Aug 2022 18:01:24 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1660068085; bh=iJZpFLRwvDbeVZ/DqC+ffQrnPhgOnA1QgJ3ZxT8FJCc=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=WmOK7Pd7yvlhE9xMi9f4xQ2hoPbbN6PRhhefvZNY/617vqAv4F8GXJc8Vh+u4Aunb vHjvSlzLlAQjtyLEFAb7/onKad+u2eEo9XjiVllzutyIVyA+l6K3HerdD/i4yYPO/2 crPcWOT1ZSuTLmxV4Itr2FQH5beEkLWuvndoD0pY= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, stable@kernel.org, Lee Jones , Luiz Augusto von Dentz Subject: [PATCH 4.19 01/32] Bluetooth: L2CAP: Fix use-after-free caused by l2cap_chan_put Date: Tue, 9 Aug 2022 19:59:52 +0200 Message-Id: <20220809175513.135324082@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220809175513.082573955@linuxfoundation.org> References: <20220809175513.082573955@linuxfoundation.org> User-Agent: quilt/0.66 X-stable: review X-Patchwork-Hint: ignore MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Luiz Augusto von Dentz commit d0be8347c623e0ac4202a1d4e0373882821f56b0 upstream. This fixes the following trace which is caused by hci_rx_work starting up *after* the final channel reference has been put() during sock_close() but *before* the references to the channel have been destroyed, so instead the code now rely on kref_get_unless_zero/l2cap_chan_hold_unless_zero to prevent referencing a channel that is about to be destroyed. refcount_t: increment on 0; use-after-free. BUG: KASAN: use-after-free in refcount_dec_and_test+0x20/0xd0 Read of size 4 at addr ffffffc114f5bf18 by task kworker/u17:14/705 CPU: 4 PID: 705 Comm: kworker/u17:14 Tainted: G S W 4.14.234-00003-g1fb6d0bd49a4-dirty #28 Hardware name: Qualcomm Technologies, Inc. SM8150 V2 PM8150 Google Inc. MSM sm8150 Flame DVT (DT) Workqueue: hci0 hci_rx_work Call trace: dump_backtrace+0x0/0x378 show_stack+0x20/0x2c dump_stack+0x124/0x148 print_address_description+0x80/0x2e8 __kasan_report+0x168/0x188 kasan_report+0x10/0x18 __asan_load4+0x84/0x8c refcount_dec_and_test+0x20/0xd0 l2cap_chan_put+0x48/0x12c l2cap_recv_frame+0x4770/0x6550 l2cap_recv_acldata+0x44c/0x7a4 hci_acldata_packet+0x100/0x188 hci_rx_work+0x178/0x23c process_one_work+0x35c/0x95c worker_thread+0x4cc/0x960 kthread+0x1a8/0x1c4 ret_from_fork+0x10/0x18 Cc: stable@kernel.org Reported-by: Lee Jones Signed-off-by: Luiz Augusto von Dentz Tested-by: Lee Jones Signed-off-by: Luiz Augusto von Dentz Signed-off-by: Greg Kroah-Hartman Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Pavel Machek (CIP) Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- include/net/bluetooth/l2cap.h | 1=20 net/bluetooth/l2cap_core.c | 61 +++++++++++++++++++++++++++++++++----= ----- 2 files changed, 49 insertions(+), 13 deletions(-) --- a/include/net/bluetooth/l2cap.h +++ b/include/net/bluetooth/l2cap.h @@ -798,6 +798,7 @@ enum { }; =20 void l2cap_chan_hold(struct l2cap_chan *c); +struct l2cap_chan *l2cap_chan_hold_unless_zero(struct l2cap_chan *c); void l2cap_chan_put(struct l2cap_chan *c); =20 static inline void l2cap_chan_lock(struct l2cap_chan *chan) --- a/net/bluetooth/l2cap_core.c +++ b/net/bluetooth/l2cap_core.c @@ -113,7 +113,8 @@ static struct l2cap_chan *__l2cap_get_ch } =20 /* Find channel with given SCID. - * Returns locked channel. */ + * Returns a reference locked channel. + */ static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid) { @@ -121,15 +122,19 @@ static struct l2cap_chan *l2cap_get_chan =20 mutex_lock(&conn->chan_lock); c =3D __l2cap_get_chan_by_scid(conn, cid); - if (c) - l2cap_chan_lock(c); + if (c) { + /* Only lock if chan reference is not 0 */ + c =3D l2cap_chan_hold_unless_zero(c); + if (c) + l2cap_chan_lock(c); + } mutex_unlock(&conn->chan_lock); =20 return c; } =20 /* Find channel with given DCID. - * Returns locked channel. + * Returns a reference locked channel. */ static struct l2cap_chan *l2cap_get_chan_by_dcid(struct l2cap_conn *conn, u16 cid) @@ -138,8 +143,12 @@ static struct l2cap_chan *l2cap_get_chan =20 mutex_lock(&conn->chan_lock); c =3D __l2cap_get_chan_by_dcid(conn, cid); - if (c) - l2cap_chan_lock(c); + if (c) { + /* Only lock if chan reference is not 0 */ + c =3D l2cap_chan_hold_unless_zero(c); + if (c) + l2cap_chan_lock(c); + } mutex_unlock(&conn->chan_lock); =20 return c; @@ -164,8 +173,12 @@ static struct l2cap_chan *l2cap_get_chan =20 mutex_lock(&conn->chan_lock); c =3D __l2cap_get_chan_by_ident(conn, ident); - if (c) - l2cap_chan_lock(c); + if (c) { + /* Only lock if chan reference is not 0 */ + c =3D l2cap_chan_hold_unless_zero(c); + if (c) + l2cap_chan_lock(c); + } mutex_unlock(&conn->chan_lock); =20 return c; @@ -491,6 +504,16 @@ void l2cap_chan_hold(struct l2cap_chan * kref_get(&c->kref); } =20 +struct l2cap_chan *l2cap_chan_hold_unless_zero(struct l2cap_chan *c) +{ + BT_DBG("chan %p orig refcnt %u", c, kref_read(&c->kref)); + + if (!kref_get_unless_zero(&c->kref)) + return NULL; + + return c; +} + void l2cap_chan_put(struct l2cap_chan *c) { BT_DBG("chan %p orig refcnt %d", c, kref_read(&c->kref)); @@ -1803,7 +1826,10 @@ static struct l2cap_chan *l2cap_global_c src_match =3D !bacmp(&c->src, src); dst_match =3D !bacmp(&c->dst, dst); if (src_match && dst_match) { - l2cap_chan_hold(c); + c =3D l2cap_chan_hold_unless_zero(c); + if (!c) + continue; + read_unlock(&chan_list_lock); return c; } @@ -1818,7 +1844,7 @@ static struct l2cap_chan *l2cap_global_c } =20 if (c1) - l2cap_chan_hold(c1); + c1 =3D l2cap_chan_hold_unless_zero(c1); =20 read_unlock(&chan_list_lock); =20 @@ -4204,6 +4230,7 @@ static inline int l2cap_config_req(struc =20 unlock: l2cap_chan_unlock(chan); + l2cap_chan_put(chan); return err; } =20 @@ -4316,6 +4343,7 @@ static inline int l2cap_config_rsp(struc =20 done: l2cap_chan_unlock(chan); + l2cap_chan_put(chan); return err; } =20 @@ -5044,6 +5072,7 @@ send_move_response: l2cap_send_move_chan_rsp(chan, result); =20 l2cap_chan_unlock(chan); + l2cap_chan_put(chan); =20 return 0; } @@ -5136,6 +5165,7 @@ static void l2cap_move_continue(struct l } =20 l2cap_chan_unlock(chan); + l2cap_chan_put(chan); } =20 static void l2cap_move_fail(struct l2cap_conn *conn, u8 ident, u16 icid, @@ -5165,6 +5195,7 @@ static void l2cap_move_fail(struct l2cap l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED); =20 l2cap_chan_unlock(chan); + l2cap_chan_put(chan); } =20 static int l2cap_move_channel_rsp(struct l2cap_conn *conn, @@ -5228,6 +5259,7 @@ static int l2cap_move_channel_confirm(st l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid); =20 l2cap_chan_unlock(chan); + l2cap_chan_put(chan); =20 return 0; } @@ -5263,6 +5295,7 @@ static inline int l2cap_move_channel_con } =20 l2cap_chan_unlock(chan); + l2cap_chan_put(chan); =20 return 0; } @@ -5635,12 +5668,11 @@ static inline int l2cap_le_credits(struc if (credits > max_credits) { BT_ERR("LE credits overflow"); l2cap_send_disconn_req(chan, ECONNRESET); - l2cap_chan_unlock(chan); =20 /* Return 0 so that we don't trigger an unnecessary * command reject packet. */ - return 0; + goto unlock; } =20 chan->tx_credits +=3D credits; @@ -5651,7 +5683,9 @@ static inline int l2cap_le_credits(struc if (chan->tx_credits) chan->ops->resume(chan); =20 +unlock: l2cap_chan_unlock(chan); + l2cap_chan_put(chan); =20 return 0; } @@ -6949,6 +6983,7 @@ drop: =20 done: l2cap_chan_unlock(chan); + l2cap_chan_put(chan); } =20 static void l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm, @@ -7353,7 +7388,7 @@ static struct l2cap_chan *l2cap_global_f if (src_type !=3D c->src_type) continue; =20 - l2cap_chan_hold(c); + c =3D l2cap_chan_hold_unless_zero(c); read_unlock(&chan_list_lock); return c; } From nobody Sat Apr 11 15:26:32 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 0DBB3C19F2D for ; Tue, 9 Aug 2022 18:03:48 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S245221AbiHISDo (ORCPT ); Tue, 9 Aug 2022 14:03:44 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:33776 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S245324AbiHISCx (ORCPT ); Tue, 9 Aug 2022 14:02:53 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 8B63326561; Tue, 9 Aug 2022 11:01:36 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 17BEFB8171E; Tue, 9 Aug 2022 18:01:35 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 800D0C4347C; Tue, 9 Aug 2022 18:01:33 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1660068093; bh=yagiaS4psLuXibb3+PS+oAKKqpiYlNe2XinfS2S4DwQ=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=Jc23lkZqTX+J3SZtRTJ3DlK+SyRWS1K9WbCNrYw4ryEwiQHZkx8vjBGO/m2+huglE kdD12QKi5UAZLXe25d8LSZF6MDr55LDwtg893qGpjuNUves4+laokDJgNU1eadHyC4 EM0doS0HNJYfdeh5t6/5Iib/wHWylTmR2aI92fMg= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, ChenXiaoSong , Hawkins Jiawei , Anton Altaparmakov , Yongqiang Liu , Zhang Yi , Zhang Xiaoxu , Andrew Morton Subject: [PATCH 4.19 02/32] ntfs: fix use-after-free in ntfs_ucsncmp() Date: Tue, 9 Aug 2022 19:59:53 +0200 Message-Id: <20220809175513.165252309@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220809175513.082573955@linuxfoundation.org> References: <20220809175513.082573955@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: ChenXiaoSong commit 38c9c22a85aeed28d0831f230136e9cf6fa2ed44 upstream. Syzkaller reported use-after-free bug as follows: =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D BUG: KASAN: use-after-free in ntfs_ucsncmp+0x123/0x130 Read of size 2 at addr ffff8880751acee8 by task a.out/879 CPU: 7 PID: 879 Comm: a.out Not tainted 5.19.0-rc4-next-20220630-00001-gcc5= 218c8bd2c-dirty #7 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd= 239552ce722-prebuilt.qemu.org 04/01/2014 Call Trace: dump_stack_lvl+0x1c0/0x2b0 print_address_description.constprop.0.cold+0xd4/0x484 print_report.cold+0x55/0x232 kasan_report+0xbf/0xf0 ntfs_ucsncmp+0x123/0x130 ntfs_are_names_equal.cold+0x2b/0x41 ntfs_attr_find+0x43b/0xb90 ntfs_attr_lookup+0x16d/0x1e0 ntfs_read_locked_attr_inode+0x4aa/0x2360 ntfs_attr_iget+0x1af/0x220 ntfs_read_locked_inode+0x246c/0x5120 ntfs_iget+0x132/0x180 load_system_files+0x1cc6/0x3480 ntfs_fill_super+0xa66/0x1cf0 mount_bdev+0x38d/0x460 legacy_get_tree+0x10d/0x220 vfs_get_tree+0x93/0x300 do_new_mount+0x2da/0x6d0 path_mount+0x496/0x19d0 __x64_sys_mount+0x284/0x300 do_syscall_64+0x3b/0xc0 entry_SYSCALL_64_after_hwframe+0x46/0xb0 RIP: 0033:0x7f3f2118d9ea Code: 48 8b 0d a9 f4 0b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 = 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff f= f 73 01 c3 48 8b 0d 76 f4 0b 00 f7 d8 64 89 01 48 RSP: 002b:00007ffc269deac8 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f3f2118d9ea RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007ffc269dec00 RBP: 00007ffc269dec80 R08: 00007ffc269deb00 R09: 00007ffc269dec44 R10: 0000000000000000 R11: 0000000000000202 R12: 000055f81ab1d220 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 The buggy address belongs to the physical page: page:0000000085430378 refcount:1 mapcount:1 mapping:0000000000000000 index:= 0x555c6a81d pfn:0x751ac memcg:ffff888101f7e180 anon flags: 0xfffffc00a0014(uptodate|lru|mappedtodisk|swapbacked|node=3D0|z= one=3D1|lastcpupid=3D0x1fffff) raw: 000fffffc00a0014 ffffea0001bf2988 ffffea0001de2448 ffff88801712e201 raw: 0000000555c6a81d 0000000000000000 0000000100000000 ffff888101f7e180 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8880751acd80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff8880751ace00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffff8880751ace80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ^ ffff8880751acf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff8880751acf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D The reason is that struct ATTR_RECORD->name_offset is 6485, end address of name string is out of bounds. Fix this by adding sanity check on end address of attribute name string. [akpm@linux-foundation.org: coding-style cleanups] [chenxiaosong2@huawei.com: cleanup suggested by Hawkins Jiawei] Link: https://lkml.kernel.org/r/20220709064511.3304299-1-chenxiaosong2@hu= awei.com Link: https://lkml.kernel.org/r/20220707105329.4020708-1-chenxiaosong2@huaw= ei.com Signed-off-by: ChenXiaoSong Signed-off-by: Hawkins Jiawei Cc: Anton Altaparmakov Cc: ChenXiaoSong Cc: Yongqiang Liu Cc: Zhang Yi Cc: Zhang Xiaoxu Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Pavel Machek (CIP) Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- fs/ntfs/attrib.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) --- a/fs/ntfs/attrib.c +++ b/fs/ntfs/attrib.c @@ -606,8 +606,12 @@ static int ntfs_attr_find(const ATTR_TYP a =3D (ATTR_RECORD*)((u8*)ctx->attr + le32_to_cpu(ctx->attr->length)); for (;; a =3D (ATTR_RECORD*)((u8*)a + le32_to_cpu(a->length))) { - if ((u8*)a < (u8*)ctx->mrec || (u8*)a > (u8*)ctx->mrec + - le32_to_cpu(ctx->mrec->bytes_allocated)) + u8 *mrec_end =3D (u8 *)ctx->mrec + + le32_to_cpu(ctx->mrec->bytes_allocated); + u8 *name_end =3D (u8 *)a + le16_to_cpu(a->name_offset) + + a->name_length * sizeof(ntfschar); + if ((u8*)a < (u8*)ctx->mrec || (u8*)a > mrec_end || + name_end > mrec_end) break; ctx->attr =3D a; if (unlikely(le32_to_cpu(a->type) > le32_to_cpu(type) || From nobody Sat Apr 11 15:26:32 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 48390C19F2D for ; Tue, 9 Aug 2022 18:04:09 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S245352AbiHISD4 (ORCPT ); Tue, 9 Aug 2022 14:03:56 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:34324 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1344413AbiHISC4 (ORCPT ); Tue, 9 Aug 2022 14:02:56 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 63F972654A; Tue, 9 Aug 2022 11:01:39 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 12FE9B8171A; Tue, 9 Aug 2022 18:01:38 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 61326C433C1; Tue, 9 Aug 2022 18:01:36 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1660068096; bh=0DOI+tH+obLM/ah1ir/rAmzRsoGfunCYQfDTahRUfW4=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=tE4Gv26oIjjRTcrIZg1nIpO9oCJ0LV0mcVJu0UFGEF7znvFrH65KIGZWDDDcQqccw FJ5mFOFupiV13XEpMOHQAbaYUzj7aD8WnC05FBefGQSrGrDtm3gMeQbW2X19Rf3pS9 pfFfRNtxivmV9vKWPGXMdqIU2XWeDOCpaW2lt9Kg= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Harald Freudenberger , "Jason A. Donenfeld" , Juergen Christ , Alexander Gordeev Subject: [PATCH 4.19 03/32] s390/archrandom: prevent CPACF trng invocations in interrupt context Date: Tue, 9 Aug 2022 19:59:54 +0200 Message-Id: <20220809175513.196899624@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220809175513.082573955@linuxfoundation.org> References: <20220809175513.082573955@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Harald Freudenberger commit 918e75f77af7d2e049bb70469ec0a2c12782d96a upstream. This patch slightly reworks the s390 arch_get_random_seed_{int,long} implementation: Make sure the CPACF trng instruction is never called in any interrupt context. This is done by adding an additional condition in_task(). Justification: There are some constrains to satisfy for the invocation of the arch_get_random_seed_{int,long}() functions: - They should provide good random data during kernel initialization. - They should not be called in interrupt context as the TRNG instruction is relatively heavy weight and may for example make some network loads cause to timeout and buck. However, it was not clear what kind of interrupt context is exactly encountered during kernel init or network traffic eventually calling arch_get_random_seed_long(). After some days of investigations it is clear that the s390 start_kernel function is not running in any interrupt context and so the trng is called: Jul 11 18:33:39 t35lp54 kernel: [<00000001064e90ca>] arch_get_random_seed_= long.part.0+0x32/0x70 Jul 11 18:33:39 t35lp54 kernel: [<000000010715f246>] random_init+0xf6/0x238 Jul 11 18:33:39 t35lp54 kernel: [<000000010712545c>] start_kernel+0x4a4/0x= 628 Jul 11 18:33:39 t35lp54 kernel: [<000000010590402a>] startup_continue+0x2a= /0x40 The condition in_task() is true and the CPACF trng provides random data during kernel startup. The network traffic however, is more difficult. A typical call stack looks like this: Jul 06 17:37:07 t35lp54 kernel: [<000000008b5600fc>] extract_entropy.const= prop.0+0x23c/0x240 Jul 06 17:37:07 t35lp54 kernel: [<000000008b560136>] crng_reseed+0x36/0xd8 Jul 06 17:37:07 t35lp54 kernel: [<000000008b5604b8>] crng_make_state+0x78/= 0x340 Jul 06 17:37:07 t35lp54 kernel: [<000000008b5607e0>] _get_random_bytes+0x6= 0/0xf8 Jul 06 17:37:07 t35lp54 kernel: [<000000008b56108a>] get_random_u32+0xda/0= x248 Jul 06 17:37:07 t35lp54 kernel: [<000000008aefe7a8>] kfence_guarded_alloc+= 0x48/0x4b8 Jul 06 17:37:07 t35lp54 kernel: [<000000008aeff35e>] __kfence_alloc+0x18e/= 0x1b8 Jul 06 17:37:07 t35lp54 kernel: [<000000008aef7f10>] __kmalloc_node_track_= caller+0x368/0x4d8 Jul 06 17:37:07 t35lp54 kernel: [<000000008b611eac>] kmalloc_reserve+0x44/= 0xa0 Jul 06 17:37:07 t35lp54 kernel: [<000000008b611f98>] __alloc_skb+0x90/0x178 Jul 06 17:37:07 t35lp54 kernel: [<000000008b6120dc>] __napi_alloc_skb+0x5c= /0x118 Jul 06 17:37:07 t35lp54 kernel: [<000000008b8f06b4>] qeth_extract_skb+0x13= c/0x680 Jul 06 17:37:07 t35lp54 kernel: [<000000008b8f6526>] qeth_poll+0x256/0x3f8 Jul 06 17:37:07 t35lp54 kernel: [<000000008b63d76e>] __napi_poll.constprop= .0+0x46/0x2f8 Jul 06 17:37:07 t35lp54 kernel: [<000000008b63dbec>] net_rx_action+0x1cc/0= x408 Jul 06 17:37:07 t35lp54 kernel: [<000000008b937302>] __do_softirq+0x132/0x= 6b0 Jul 06 17:37:07 t35lp54 kernel: [<000000008abf46ce>] __irq_exit_rcu+0x13e/= 0x170 Jul 06 17:37:07 t35lp54 kernel: [<000000008abf531a>] irq_exit_rcu+0x22/0x50 Jul 06 17:37:07 t35lp54 kernel: [<000000008b922506>] do_io_irq+0xe6/0x198 Jul 06 17:37:07 t35lp54 kernel: [<000000008b935826>] io_int_handler+0xd6/0= x110 Jul 06 17:37:07 t35lp54 kernel: [<000000008b9358a6>] psw_idle_exit+0x0/0xa Jul 06 17:37:07 t35lp54 kernel: ([<000000008ab9c59a>] arch_cpu_idle+0x52/0x= e0) Jul 06 17:37:07 t35lp54 kernel: [<000000008b933cfe>] default_idle_call+0x6= e/0xd0 Jul 06 17:37:07 t35lp54 kernel: [<000000008ac59f4e>] do_idle+0xf6/0x1b0 Jul 06 17:37:07 t35lp54 kernel: [<000000008ac5a28e>] cpu_startup_entry+0x3= 6/0x40 Jul 06 17:37:07 t35lp54 kernel: [<000000008abb0d90>] smp_start_secondary+0= x148/0x158 Jul 06 17:37:07 t35lp54 kernel: [<000000008b935b9e>] restart_int_handler+0= x6e/0x90 which confirms that the call is in softirq context. So in_task() covers exa= ctly the cases where we want to have CPACF trng called: not in nmi, not in hard = irq, not in soft irq but in normal task context and during kernel init. Signed-off-by: Harald Freudenberger Acked-by: Jason A. Donenfeld Reviewed-by: Juergen Christ Link: https://lore.kernel.org/r/20220713131721.257907-1-freude@linux.ibm.com Fixes: e4f74400308c ("s390/archrandom: simplify back to earlier design and = initialize earlier") [agordeev@linux.ibm.com changed desc, added Fixes and Link, removed -stable] Signed-off-by: Alexander Gordeev Signed-off-by: Greg Kroah-Hartman Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Pavel Machek (CIP) Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- arch/s390/include/asm/archrandom.h | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) --- a/arch/s390/include/asm/archrandom.h +++ b/arch/s390/include/asm/archrandom.h @@ -2,7 +2,7 @@ /* * Kernel interface for the s390 arch_random_* functions * - * Copyright IBM Corp. 2017, 2020 + * Copyright IBM Corp. 2017, 2022 * * Author: Harald Freudenberger * @@ -14,6 +14,7 @@ #ifdef CONFIG_ARCH_RANDOM =20 #include +#include #include #include =20 @@ -32,7 +33,8 @@ static inline bool __must_check arch_get =20 static inline bool __must_check arch_get_random_seed_long(unsigned long *v) { - if (static_branch_likely(&s390_arch_random_available)) { + if (static_branch_likely(&s390_arch_random_available) && + in_task()) { cpacf_trng(NULL, 0, (u8 *)v, sizeof(*v)); atomic64_add(sizeof(*v), &s390_arch_random_counter); return true; @@ -42,7 +44,8 @@ static inline bool __must_check arch_get =20 static inline bool __must_check arch_get_random_seed_int(unsigned int *v) { - if (static_branch_likely(&s390_arch_random_available)) { + if (static_branch_likely(&s390_arch_random_available) && + in_task()) { cpacf_trng(NULL, 0, (u8 *)v, sizeof(*v)); atomic64_add(sizeof(*v), &s390_arch_random_counter); return true; From nobody Sat Apr 11 15:26:32 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id A1BC8C19F2D for ; Tue, 9 Aug 2022 18:03:52 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1344542AbiHISDu (ORCPT ); Tue, 9 Aug 2022 14:03:50 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:34310 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1344414AbiHISC4 (ORCPT ); Tue, 9 Aug 2022 14:02:56 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id E919C27177; Tue, 9 Aug 2022 11:01:39 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id CAD9D61050; Tue, 9 Aug 2022 18:01:39 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 3E941C433D6; Tue, 9 Aug 2022 18:01:39 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1660068099; bh=/2+d9OPR6NFLDRBEJdCKTHd7LGem0wQnA1LurVjf3iE=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=kaUcqYagmuoo9R3zvY7uGHtilVeOfWDbcRL0I9UqwmO2PjVlvXI3l2572OTaCSb1S XX2mrDFV3W6qHtyzriS6+ywz/yBKWl15B0PgUOA8GC1HEXswEcBBnWADPyRMSJvZPV XdQzcfoyqO0C1Yd2TVLGvBSV8u+19F5qIbK7gYEA= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Kuniyuki Iwashima , "David S. Miller" Subject: [PATCH 4.19 04/32] tcp: Fix data-races around sysctl_tcp_dsack. Date: Tue, 9 Aug 2022 19:59:55 +0200 Message-Id: <20220809175513.231288785@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220809175513.082573955@linuxfoundation.org> References: <20220809175513.082573955@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Kuniyuki Iwashima commit 58ebb1c8b35a8ef38cd6927431e0fa7b173a632d upstream. While reading sysctl_tcp_dsack, it can be changed concurrently. Thus, we need to add READ_ONCE() to its readers. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Pavel Machek (CIP) Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- net/ipv4/tcp_input.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) --- a/net/ipv4/tcp_input.c +++ b/net/ipv4/tcp_input.c @@ -4197,7 +4197,7 @@ static void tcp_dsack_set(struct sock *s { struct tcp_sock *tp =3D tcp_sk(sk); =20 - if (tcp_is_sack(tp) && sock_net(sk)->ipv4.sysctl_tcp_dsack) { + if (tcp_is_sack(tp) && READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_dsack)) { int mib_idx; =20 if (before(seq, tp->rcv_nxt)) @@ -4232,7 +4232,7 @@ static void tcp_send_dupack(struct sock NET_INC_STATS(sock_net(sk), LINUX_MIB_DELAYEDACKLOST); tcp_enter_quickack_mode(sk, TCP_MAX_QUICKACKS); =20 - if (tcp_is_sack(tp) && sock_net(sk)->ipv4.sysctl_tcp_dsack) { + if (tcp_is_sack(tp) && READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_dsack)) { u32 end_seq =3D TCP_SKB_CB(skb)->end_seq; =20 if (after(TCP_SKB_CB(skb)->end_seq, tp->rcv_nxt)) From nobody Sat Apr 11 15:26:32 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id DA69EC25B0C for ; Tue, 9 Aug 2022 18:04:09 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1344567AbiHISD7 (ORCPT ); Tue, 9 Aug 2022 14:03:59 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:34464 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1344428AbiHISC5 (ORCPT ); Tue, 9 Aug 2022 14:02:57 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id F295E2717C; Tue, 9 Aug 2022 11:01:42 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 9144061032; Tue, 9 Aug 2022 18:01:42 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 0CFC5C433B5; Tue, 9 Aug 2022 18:01:41 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1660068102; bh=FFrz7DX6Q17sKODRW878j2Iuw3+7Vmfe99AmsiCyBU0=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=qrdry0DG0FVJz0ddP4NBNyNIqq4c/xH6fdD9Rhvc9hoEDaPTfspUIAKWv64ai+xbw vxM9JUX68GqrM9nKGzfGa2Er5QhG8XnNS6LNaLUims8Agpsl2vxbEshVlbtSeREqJw wB5RjllEj+/jWVlfsYlpdU/QGz067P7bP1tYJd+8= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Kuniyuki Iwashima , "David S. Miller" Subject: [PATCH 4.19 05/32] tcp: Fix a data-race around sysctl_tcp_app_win. Date: Tue, 9 Aug 2022 19:59:56 +0200 Message-Id: <20220809175513.262403233@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220809175513.082573955@linuxfoundation.org> References: <20220809175513.082573955@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Kuniyuki Iwashima commit 02ca527ac5581cf56749db9fd03d854e842253dd upstream. While reading sysctl_tcp_app_win, it can be changed concurrently. Thus, we need to add READ_ONCE() to its reader. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Pavel Machek (CIP) Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- net/ipv4/tcp_input.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/net/ipv4/tcp_input.c +++ b/net/ipv4/tcp_input.c @@ -432,7 +432,7 @@ static void tcp_grow_window(struct sock */ void tcp_init_buffer_space(struct sock *sk) { - int tcp_app_win =3D sock_net(sk)->ipv4.sysctl_tcp_app_win; + int tcp_app_win =3D READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_app_win); struct tcp_sock *tp =3D tcp_sk(sk); int maxwin; From nobody Sat Apr 11 15:26:32 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id EA206C3F6B0 for ; Tue, 9 Aug 2022 18:04:09 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1344587AbiHISEF (ORCPT ); Tue, 9 Aug 2022 14:04:05 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:34614 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S237606AbiHISDG (ORCPT ); Tue, 9 Aug 2022 14:03:06 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id CC5192657F; Tue, 9 Aug 2022 11:01:45 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 691E761028; Tue, 9 Aug 2022 18:01:45 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id D152FC433D7; Tue, 9 Aug 2022 18:01:44 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1660068105; bh=dqrGDBv5Fni7p4XMtiyBMCJpynKRI0h2aG7lpP0oGww=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=e6fDPR9eSVQI3NkgFkErcVaE+Tqg45g+FAUy8xaf6HY4FRDIVn10HF6CFDs1VGq4A yTN1+yuixNuSNacB0NeMwBI72cMqgwuzjmRW+oUBg3TKmfOyCoLqZWSdAss48NlqGz /UlfxEpSUQtEaqpRFks7GVM6jvxMSY9XeE56JF00= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Kuniyuki Iwashima , "David S. Miller" Subject: [PATCH 4.19 06/32] tcp: Fix a data-race around sysctl_tcp_adv_win_scale. Date: Tue, 9 Aug 2022 19:59:57 +0200 Message-Id: <20220809175513.293786850@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220809175513.082573955@linuxfoundation.org> References: <20220809175513.082573955@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Kuniyuki Iwashima commit 36eeee75ef0157e42fb6593dcc65daab289b559e upstream. While reading sysctl_tcp_adv_win_scale, it can be changed concurrently. Thus, we need to add READ_ONCE() to its reader. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Pavel Machek (CIP) Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- include/net/tcp.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/include/net/tcp.h +++ b/include/net/tcp.h @@ -1355,7 +1355,7 @@ void tcp_select_initial_window(const str =20 static inline int tcp_win_from_space(const struct sock *sk, int space) { - int tcp_adv_win_scale =3D sock_net(sk)->ipv4.sysctl_tcp_adv_win_scale; + int tcp_adv_win_scale =3D READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_adv_win= _scale); =20 return tcp_adv_win_scale <=3D 0 ? (space>>(-tcp_adv_win_scale)) : From nobody Sat Apr 11 15:26:32 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id BFC8BC19F2D for ; Tue, 9 Aug 2022 18:04:18 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1344576AbiHISEL (ORCPT ); Tue, 9 Aug 2022 14:04:11 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:34696 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1344430AbiHISDJ (ORCPT ); Tue, 9 Aug 2022 14:03:09 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id A651B26ACB; Tue, 9 Aug 2022 11:01:48 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 884986102F; Tue, 9 Aug 2022 18:01:48 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 94D6CC433D7; Tue, 9 Aug 2022 18:01:47 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1660068108; bh=FWybJrsJ5L9geNkyKEL+qVsDwe6mNVUKpe3eQKONMQw=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=rcydyobw7bMcnMUB/tUboFmKWTSLQ/2gNndUUR4O9XyfviWMraMOiggl/lLMdQnMo pCg2yEOydEjjVmu3EROKgBXefRd9QbPTLz2NAzUI3yf6UWdFI0ftaLjktUyWaX+G2r sFo3IecR+2u/gpE7slRtF1FbE9lCYblq9aFX58wE= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Kuniyuki Iwashima , "David S. Miller" Subject: [PATCH 4.19 07/32] tcp: Fix a data-race around sysctl_tcp_frto. Date: Tue, 9 Aug 2022 19:59:58 +0200 Message-Id: <20220809175513.332099159@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220809175513.082573955@linuxfoundation.org> References: <20220809175513.082573955@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Kuniyuki Iwashima commit 706c6202a3589f290e1ef9be0584a8f4a3cc0507 upstream. While reading sysctl_tcp_frto, it can be changed concurrently. Thus, we need to add READ_ONCE() to its reader. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Pavel Machek (CIP) Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- net/ipv4/tcp_input.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/net/ipv4/tcp_input.c +++ b/net/ipv4/tcp_input.c @@ -2018,7 +2018,7 @@ void tcp_enter_loss(struct sock *sk) * loss recovery is underway except recurring timeout(s) on * the same SND.UNA (sec 3.2). Disable F-RTO on path MTU probing */ - tp->frto =3D net->ipv4.sysctl_tcp_frto && + tp->frto =3D READ_ONCE(net->ipv4.sysctl_tcp_frto) && (new_recovery || icsk->icsk_retransmits) && !inet_csk(sk)->icsk_mtup.probe_size; } From nobody Sat Apr 11 15:26:32 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 4BC8EC25B07 for ; Tue, 9 Aug 2022 18:04:27 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S245386AbiHISEY (ORCPT ); Tue, 9 Aug 2022 14:04:24 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:41290 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1344457AbiHISDL (ORCPT ); Tue, 9 Aug 2022 14:03:11 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 3373D26ADB; Tue, 9 Aug 2022 11:01:51 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 151AD61012; Tue, 9 Aug 2022 18:01:51 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 82052C433D7; Tue, 9 Aug 2022 18:01:50 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1660068110; bh=nWkaHB4aObE4+ORXQz/gbELbp69I+2ype2nxZe9a19U=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=iOhBMOUbVNQ52uVzKGFoOVHEBuoGke5N8942aYr5Ifsey68O0HTid97VCiRfs5+/a wgKfgy1cCuwG/NOq1ltM6EdHW2i/fXyO63gksfeTawZGkNdR4auWKsxYUNKDVgIkI7 6qibuxIxFUuwo2nYkduWsJi5OO4ef2JnRlsVpHo4= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Kuniyuki Iwashima , "David S. Miller" Subject: [PATCH 4.19 08/32] tcp: Fix a data-race around sysctl_tcp_nometrics_save. Date: Tue, 9 Aug 2022 19:59:59 +0200 Message-Id: <20220809175513.362227305@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220809175513.082573955@linuxfoundation.org> References: <20220809175513.082573955@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Kuniyuki Iwashima commit 8499a2454d9e8a55ce616ede9f9580f36fd5b0f3 upstream. While reading sysctl_tcp_nometrics_save, it can be changed concurrently. Thus, we need to add READ_ONCE() to its reader. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Pavel Machek (CIP) Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- net/ipv4/tcp_metrics.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/net/ipv4/tcp_metrics.c +++ b/net/ipv4/tcp_metrics.c @@ -329,7 +329,7 @@ void tcp_update_metrics(struct sock *sk) int m; =20 sk_dst_confirm(sk); - if (net->ipv4.sysctl_tcp_nometrics_save || !dst) + if (READ_ONCE(net->ipv4.sysctl_tcp_nometrics_save) || !dst) return; =20 rcu_read_lock(); From nobody Sat Apr 11 15:26:32 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 4E0F9C19F2D for ; Tue, 9 Aug 2022 18:04:41 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S245146AbiHISE1 (ORCPT ); Tue, 9 Aug 2022 14:04:27 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:42494 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1344471AbiHISD2 (ORCPT ); Tue, 9 Aug 2022 14:03:28 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 44CA92656D; Tue, 9 Aug 2022 11:01:54 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id D0ACD61058; Tue, 9 Aug 2022 18:01:53 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 48688C4347C; Tue, 9 Aug 2022 18:01:53 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1660068113; bh=/w7F+iipsaqlzfkd/2XvhEnRnAT6KKvkuj4hCLT0PrQ=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=pIVJXLUgoTdDUNIIjSq1IqBE0CuXvw1SX+joAUGdvvRM00uO7ffyW3m8qM1usMG9o gxs4gP08ALbt/d4SD0MjVAdRYgeOkqaa+qfVSQXcphBIzgrgxF2G+W2UmcXZS2hw75 /bkbgvoV2IAHlcKzHV72Acw0cPI7dmY7EZFcjoW8= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Bart Van Assche , Liang He , "Martin K. Petersen" Subject: [PATCH 4.19 09/32] scsi: ufs: host: Hold reference returned by of_parse_phandle() Date: Tue, 9 Aug 2022 20:00:00 +0200 Message-Id: <20220809175513.392199843@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220809175513.082573955@linuxfoundation.org> References: <20220809175513.082573955@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Liang He commit a3435afba87dc6cd83f5595e7607f3c40f93ef01 upstream. In ufshcd_populate_vreg(), we should hold the reference returned by of_parse_phandle() and then use it to call of_node_put() for refcount balance. Link: https://lore.kernel.org/r/20220719071529.1081166-1-windhl@126.com Fixes: aa4976130934 ("ufs: Add regulator enable support") Reviewed-by: Bart Van Assche Signed-off-by: Liang He Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Pavel Machek (CIP) Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- drivers/scsi/ufs/ufshcd-pltfrm.c | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) --- a/drivers/scsi/ufs/ufshcd-pltfrm.c +++ b/drivers/scsi/ufs/ufshcd-pltfrm.c @@ -124,9 +124,20 @@ out: return ret; } =20 +static bool phandle_exists(const struct device_node *np, + const char *phandle_name, int index) +{ + struct device_node *parse_np =3D of_parse_phandle(np, phandle_name, index= ); + + if (parse_np) + of_node_put(parse_np); + + return parse_np !=3D NULL; +} + #define MAX_PROP_SIZE 32 static int ufshcd_populate_vreg(struct device *dev, const char *name, - struct ufs_vreg **out_vreg) + struct ufs_vreg **out_vreg) { int ret =3D 0; char prop_name[MAX_PROP_SIZE]; @@ -139,7 +150,7 @@ static int ufshcd_populate_vreg(struct d } =20 snprintf(prop_name, MAX_PROP_SIZE, "%s-supply", name); - if (!of_parse_phandle(np, prop_name, 0)) { + if (!phandle_exists(np, prop_name, 0)) { dev_info(dev, "%s: Unable to find %s regulator, assuming enabled\n", __func__, prop_name); goto out; From nobody Sat Apr 11 15:26:32 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id F30F8C25B0C for ; Tue, 9 Aug 2022 18:03:16 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1344460AbiHISDM (ORCPT ); Tue, 9 Aug 2022 14:03:12 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:33356 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1343849AbiHISCi (ORCPT ); Tue, 9 Aug 2022 14:02:38 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 9C9F42611E; Tue, 9 Aug 2022 11:01:28 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 5DB986102F; Tue, 9 Aug 2022 18:01:28 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id C969BC433C1; Tue, 9 Aug 2022 18:01:27 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1660068088; bh=yf73s1TIN7k8z2scu/2o/hJJ1mGHcwXT5PU9UwGww/Q=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=OGXjXWCGdwsWq4DlmytcsJgXYw2pk8CSYBNnrIRbhWeoYDR1s04velHW5SqiyKL/d m6fopfCmMbfc1p7bDYD/teqkw5qL/j1aESN4Mv/Vqaqy7PuphvSRmTCkXEC30Fv43u cnRTVp8/RVyPxU1U5O7EQ7R1Ai3xA0apNQp8nEa4= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Kuniyuki Iwashima , "David S. Miller" Subject: [PATCH 4.19 10/32] tcp: Fix a data-race around sysctl_tcp_challenge_ack_limit. Date: Tue, 9 Aug 2022 20:00:01 +0200 Message-Id: <20220809175513.421710176@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220809175513.082573955@linuxfoundation.org> References: <20220809175513.082573955@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Kuniyuki Iwashima commit db3815a2fa691da145cfbe834584f31ad75df9ff upstream. While reading sysctl_tcp_challenge_ack_limit, it can be changed concurrently. Thus, we need to add READ_ONCE() to its reader. Fixes: 282f23c6ee34 ("tcp: implement RFC 5961 3.2") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Pavel Machek (CIP) Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- net/ipv4/tcp_input.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/net/ipv4/tcp_input.c +++ b/net/ipv4/tcp_input.c @@ -3468,7 +3468,7 @@ static void tcp_send_challenge_ack(struc /* Then check host-wide RFC 5961 rate limit. */ now =3D jiffies / HZ; if (now !=3D challenge_timestamp) { - u32 ack_limit =3D net->ipv4.sysctl_tcp_challenge_ack_limit; + u32 ack_limit =3D READ_ONCE(net->ipv4.sysctl_tcp_challenge_ack_limit); u32 half =3D (ack_limit + 1) >> 1; =20 challenge_timestamp =3D now; From nobody Sat Apr 11 15:26:32 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id D1901C19F2D for ; Tue, 9 Aug 2022 18:03:20 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1344459AbiHISDT (ORCPT ); Tue, 9 Aug 2022 14:03:19 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:34696 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1343501AbiHISCu (ORCPT ); Tue, 9 Aug 2022 14:02:50 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [145.40.68.75]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id BA05626110; Tue, 9 Aug 2022 11:01:31 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 5E0EEB816EC; Tue, 9 Aug 2022 18:01:31 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id A4FABC433D6; Tue, 9 Aug 2022 18:01:30 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1660068091; bh=K/+z6RtiqdIGnLZ1gtlrGutH0ZaIuy+G3NLRTJq9AYA=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=azgY44G7ups9UT8kZLIOATI1omjjSCU0cXV+9d5PDWOKenMKkWCj19JU4eq0j1fdq BOf8Nv1+20QhUlLCuvT9MkocR+NassIy1dSm5VWz5Zt0PegUwu9WcMGidWdHD9kHT5 N5fz2TMvgc2S3OO8DaP5dKCEsWGnA+vMUC6GsZKE= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, syzbot+a8430774139ec3ab7176@syzkaller.appspotmail.com, Ayushman Dutta , Kuniyuki Iwashima , David Ahern , Eric Dumazet , Jakub Kicinski Subject: [PATCH 4.19 11/32] net: ping6: Fix memleak in ipv6_renew_options(). Date: Tue, 9 Aug 2022 20:00:02 +0200 Message-Id: <20220809175513.451194988@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220809175513.082573955@linuxfoundation.org> References: <20220809175513.082573955@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Kuniyuki Iwashima commit e27326009a3d247b831eda38878c777f6f4eb3d1 upstream. When we close ping6 sockets, some resources are left unfreed because pingv6_prot is missing sk->sk_prot->destroy(). As reported by syzbot [0], just three syscalls leak 96 bytes and easily cause OOM. struct ipv6_sr_hdr *hdr; char data[24] =3D {0}; int fd; hdr =3D (struct ipv6_sr_hdr *)data; hdr->hdrlen =3D 2; hdr->type =3D IPV6_SRCRT_TYPE_4; fd =3D socket(AF_INET6, SOCK_DGRAM, NEXTHDR_ICMP); setsockopt(fd, IPPROTO_IPV6, IPV6_RTHDR, data, 24); close(fd); To fix memory leaks, let's add a destroy function. Note the socket() syscall checks if the GID is within the range of net.ipv4.ping_group_range. The default value is [1, 0] so that no GID meets the condition (1 <=3D GID <=3D 0). Thus, the local DoS does not succeed until we change the default value. However, at least Ubuntu/Fedora/RHEL loosen it. $ cat /usr/lib/sysctl.d/50-default.conf ... -net.ipv4.ping_group_range =3D 0 2147483647 Also, there could be another path reported with these options, and some of them require CAP_NET_RAW. setsockopt IPV6_ADDRFORM (inet6_sk(sk)->pktoptions) IPV6_RECVPATHMTU (inet6_sk(sk)->rxpmtu) IPV6_HOPOPTS (inet6_sk(sk)->opt) IPV6_RTHDRDSTOPTS (inet6_sk(sk)->opt) IPV6_RTHDR (inet6_sk(sk)->opt) IPV6_DSTOPTS (inet6_sk(sk)->opt) IPV6_2292PKTOPTIONS (inet6_sk(sk)->opt) getsockopt IPV6_FLOWLABEL_MGR (inet6_sk(sk)->ipv6_fl_list) For the record, I left a different splat with syzbot's one. unreferenced object 0xffff888006270c60 (size 96): comm "repro2", pid 231, jiffies 4294696626 (age 13.118s) hex dump (first 32 bytes): 01 00 00 00 44 00 00 00 00 00 00 00 00 00 00 00 ....D........... 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [<00000000f6bc7ea9>] sock_kmalloc (net/core/sock.c:2564 net/core/sock= .c:2554) [<000000006d699550>] do_ipv6_setsockopt.constprop.0 (net/ipv6/ipv6_so= ckglue.c:715) [<00000000c3c3b1f5>] ipv6_setsockopt (net/ipv6/ipv6_sockglue.c:1024) [<000000007096a025>] __sys_setsockopt (net/socket.c:2254) [<000000003a8ff47b>] __x64_sys_setsockopt (net/socket.c:2265 net/sock= et.c:2262 net/socket.c:2262) [<000000007c409dcb>] do_syscall_64 (arch/x86/entry/common.c:50 arch/x= 86/entry/common.c:80) [<00000000e939c4a9>] entry_SYSCALL_64_after_hwframe (arch/x86/entry/e= ntry_64.S:120) [0]: https://syzkaller.appspot.com/bug?extid=3Da8430774139ec3ab7176 Fixes: 6d0bfe226116 ("net: ipv6: Add IPv6 support to the ping socket.") Reported-by: syzbot+a8430774139ec3ab7176@syzkaller.appspotmail.com Reported-by: Ayushman Dutta Signed-off-by: Kuniyuki Iwashima Reviewed-by: David Ahern Reviewed-by: Eric Dumazet Link: https://lore.kernel.org/r/20220728012220.46918-1-kuniyu@amazon.com Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Pavel Machek (CIP) Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- net/ipv6/ping.c | 6 ++++++ 1 file changed, 6 insertions(+) --- a/net/ipv6/ping.c +++ b/net/ipv6/ping.c @@ -27,6 +27,11 @@ #include #include =20 +static void ping_v6_destroy(struct sock *sk) +{ + inet6_destroy_sock(sk); +} + /* Compatibility glue so we can support IPv6 when it's compiled as a modul= e */ static int dummy_ipv6_recv_error(struct sock *sk, struct msghdr *msg, int = len, int *addr_len) @@ -170,6 +175,7 @@ struct proto pingv6_prot =3D { .owner =3D THIS_MODULE, .init =3D ping_init_sock, .close =3D ping_close, + .destroy =3D ping_v6_destroy, .connect =3D ip6_datagram_connect_v6_only, .disconnect =3D __udp_disconnect, .setsockopt =3D ipv6_setsockopt, From nobody Sat Apr 11 15:26:32 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 25408C19F2D for ; Tue, 9 Aug 2022 18:06:43 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1344794AbiHISGk (ORCPT ); Tue, 9 Aug 2022 14:06:40 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:44104 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1344781AbiHISFq (ORCPT ); Tue, 9 Aug 2022 14:05:46 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 2E14E27FC8; Tue, 9 Aug 2022 11:02:39 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 0FE6861012; Tue, 9 Aug 2022 18:02:39 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 79B7FC433C1; Tue, 9 Aug 2022 18:02:38 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1660068158; bh=OSOCjuKU/rjuKloGep42br5G+ar+oQ9cJvsuobfhIu4=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=YMlURqaX9fb5A35KpMfbJYMiqW0pF4QZg5FbH1mGmafm2Ez7khawVJCdsPU/2ctyQ G+BJkvTiJGJIVAAjr9ocXFz9N4RDjc97U4EOuq8qP7iMxR3lDNW4G0YBjvdYLwCxgS qCoCqw9lw9fdu52wVu0PRiXz6lAoN4ksmPK7nNLw= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Kuniyuki Iwashima , "David S. Miller" , Sasha Levin Subject: [PATCH 4.19 12/32] igmp: Fix data-races around sysctl_igmp_qrv. Date: Tue, 9 Aug 2022 20:00:03 +0200 Message-Id: <20220809175513.482217787@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220809175513.082573955@linuxfoundation.org> References: <20220809175513.082573955@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Kuniyuki Iwashima [ Upstream commit 8ebcc62c738f68688ee7c6fec2efe5bc6d3d7e60 ] While reading sysctl_igmp_qrv, it can be changed concurrently. Thus, we need to add READ_ONCE() to its readers. This test can be packed into a helper, so such changes will be in the follow-up series after net is merged into net-next. qrv ?: READ_ONCE(net->ipv4.sysctl_igmp_qrv); Fixes: a9fe8e29945d ("ipv4: implement igmp_qrv sysctl to tune igmp robustne= ss variable") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller Signed-off-by: Sasha Levin Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Pavel Machek (CIP) Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- net/ipv4/igmp.c | 24 +++++++++++++----------- 1 file changed, 13 insertions(+), 11 deletions(-) diff --git a/net/ipv4/igmp.c b/net/ipv4/igmp.c index b831825f234f..a08acb54b6b0 100644 --- a/net/ipv4/igmp.c +++ b/net/ipv4/igmp.c @@ -831,7 +831,7 @@ static void igmp_ifc_event(struct in_device *in_dev) struct net *net =3D dev_net(in_dev->dev); if (IGMP_V1_SEEN(in_dev) || IGMP_V2_SEEN(in_dev)) return; - WRITE_ONCE(in_dev->mr_ifc_count, in_dev->mr_qrv ?: net->ipv4.sysctl_igmp_= qrv); + WRITE_ONCE(in_dev->mr_ifc_count, in_dev->mr_qrv ?: READ_ONCE(net->ipv4.sy= sctl_igmp_qrv)); igmp_ifc_start_timer(in_dev, 1); } =20 @@ -1013,7 +1013,7 @@ static bool igmp_heard_query(struct in_device *in_dev= , struct sk_buff *skb, * received value was zero, use the default or statically * configured value. */ - in_dev->mr_qrv =3D ih3->qrv ?: net->ipv4.sysctl_igmp_qrv; + in_dev->mr_qrv =3D ih3->qrv ?: READ_ONCE(net->ipv4.sysctl_igmp_qrv); in_dev->mr_qi =3D IGMPV3_QQIC(ih3->qqic)*HZ ?: IGMP_QUERY_INTERVAL; =20 /* RFC3376, 8.3. Query Response Interval: @@ -1192,7 +1192,7 @@ static void igmpv3_add_delrec(struct in_device *in_de= v, struct ip_mc_list *im) pmc->interface =3D im->interface; in_dev_hold(in_dev); pmc->multiaddr =3D im->multiaddr; - pmc->crcount =3D in_dev->mr_qrv ?: net->ipv4.sysctl_igmp_qrv; + pmc->crcount =3D in_dev->mr_qrv ?: READ_ONCE(net->ipv4.sysctl_igmp_qrv); pmc->sfmode =3D im->sfmode; if (pmc->sfmode =3D=3D MCAST_INCLUDE) { struct ip_sf_list *psf; @@ -1243,9 +1243,11 @@ static void igmpv3_del_delrec(struct in_device *in_d= ev, struct ip_mc_list *im) swap(im->tomb, pmc->tomb); swap(im->sources, pmc->sources); for (psf =3D im->sources; psf; psf =3D psf->sf_next) - psf->sf_crcount =3D in_dev->mr_qrv ?: net->ipv4.sysctl_igmp_qrv; + psf->sf_crcount =3D in_dev->mr_qrv ?: + READ_ONCE(net->ipv4.sysctl_igmp_qrv); } else { - im->crcount =3D in_dev->mr_qrv ?: net->ipv4.sysctl_igmp_qrv; + im->crcount =3D in_dev->mr_qrv ?: + READ_ONCE(net->ipv4.sysctl_igmp_qrv); } in_dev_put(pmc->interface); kfree_pmc(pmc); @@ -1347,7 +1349,7 @@ static void igmp_group_added(struct ip_mc_list *im) if (in_dev->dead) return; =20 - im->unsolicit_count =3D net->ipv4.sysctl_igmp_qrv; + im->unsolicit_count =3D READ_ONCE(net->ipv4.sysctl_igmp_qrv); if (IGMP_V1_SEEN(in_dev) || IGMP_V2_SEEN(in_dev)) { spin_lock_bh(&im->lock); igmp_start_timer(im, IGMP_INITIAL_REPORT_DELAY); @@ -1361,7 +1363,7 @@ static void igmp_group_added(struct ip_mc_list *im) * IN() to IN(A). */ if (im->sfmode =3D=3D MCAST_EXCLUDE) - im->crcount =3D in_dev->mr_qrv ?: net->ipv4.sysctl_igmp_qrv; + im->crcount =3D in_dev->mr_qrv ?: READ_ONCE(net->ipv4.sysctl_igmp_qrv); =20 igmp_ifc_event(in_dev); #endif @@ -1769,7 +1771,7 @@ static void ip_mc_reset(struct in_device *in_dev) =20 in_dev->mr_qi =3D IGMP_QUERY_INTERVAL; in_dev->mr_qri =3D IGMP_QUERY_RESPONSE_INTERVAL; - in_dev->mr_qrv =3D net->ipv4.sysctl_igmp_qrv; + in_dev->mr_qrv =3D READ_ONCE(net->ipv4.sysctl_igmp_qrv); } #else static void ip_mc_reset(struct in_device *in_dev) @@ -1903,7 +1905,7 @@ static int ip_mc_del1_src(struct ip_mc_list *pmc, int= sfmode, #ifdef CONFIG_IP_MULTICAST if (psf->sf_oldin && !IGMP_V1_SEEN(in_dev) && !IGMP_V2_SEEN(in_dev)) { - psf->sf_crcount =3D in_dev->mr_qrv ?: net->ipv4.sysctl_igmp_qrv; + psf->sf_crcount =3D in_dev->mr_qrv ?: READ_ONCE(net->ipv4.sysctl_igmp_q= rv); psf->sf_next =3D pmc->tomb; pmc->tomb =3D psf; rv =3D 1; @@ -1967,7 +1969,7 @@ static int ip_mc_del_src(struct in_device *in_dev, __= be32 *pmca, int sfmode, /* filter mode change */ pmc->sfmode =3D MCAST_INCLUDE; #ifdef CONFIG_IP_MULTICAST - pmc->crcount =3D in_dev->mr_qrv ?: net->ipv4.sysctl_igmp_qrv; + pmc->crcount =3D in_dev->mr_qrv ?: READ_ONCE(net->ipv4.sysctl_igmp_qrv); WRITE_ONCE(in_dev->mr_ifc_count, pmc->crcount); for (psf =3D pmc->sources; psf; psf =3D psf->sf_next) psf->sf_crcount =3D 0; @@ -2146,7 +2148,7 @@ static int ip_mc_add_src(struct in_device *in_dev, __= be32 *pmca, int sfmode, #ifdef CONFIG_IP_MULTICAST /* else no filters; keep old mode for reports */ =20 - pmc->crcount =3D in_dev->mr_qrv ?: net->ipv4.sysctl_igmp_qrv; + pmc->crcount =3D in_dev->mr_qrv ?: READ_ONCE(net->ipv4.sysctl_igmp_qrv); WRITE_ONCE(in_dev->mr_ifc_count, pmc->crcount); for (psf =3D pmc->sources; psf; psf =3D psf->sf_next) psf->sf_crcount =3D 0; --=20 2.35.1 From nobody Sat Apr 11 15:26:32 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id A535BC3F6B0 for ; Tue, 9 Aug 2022 18:04:41 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1344515AbiHISEi (ORCPT ); Tue, 9 Aug 2022 14:04:38 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:34492 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1344499AbiHISDd (ORCPT ); Tue, 9 Aug 2022 14:03:33 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 7BA89275D0; Tue, 9 Aug 2022 11:02:00 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id D0C6A61028; Tue, 9 Aug 2022 18:01:59 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id D803AC433D6; Tue, 9 Aug 2022 18:01:58 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1660068119; bh=3SEtrh6MNpXnvKk3vVEPj7E7RPsWRJCj7UxewlvKznA=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=dqmY4VjtsHshm4Euv5YV1OEJo8VFyErs53U6z1HKOKwvG4l3duI5Z3HATZ7Ozvl0p RDKxkK6keoHlPtsjBBEm7x78wYWbO6PR3/kKRVMphkmEQRkLrduBdfwKVGIOfjET14 BGebXetERLyX90hLzwMYYH5faWcgLMp7yk9yNtKQ= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Liang He , Jakub Kicinski , Sasha Levin Subject: [PATCH 4.19 13/32] net: sungem_phy: Add of_node_put() for reference returned by of_get_parent() Date: Tue, 9 Aug 2022 20:00:04 +0200 Message-Id: <20220809175513.511637160@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220809175513.082573955@linuxfoundation.org> References: <20220809175513.082573955@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Liang He [ Upstream commit ebbbe23fdf6070e31509638df3321688358cc211 ] In bcm5421_init(), we should call of_node_put() for the reference returned by of_get_parent() which has increased the refcount. Fixes: 3c326fe9cb7a ("[PATCH] ppc64: Add new PHY to sungem") Signed-off-by: Liang He Link: https://lore.kernel.org/r/20220720131003.1287426-1-windhl@126.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Pavel Machek (CIP) Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- drivers/net/sungem_phy.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/net/sungem_phy.c b/drivers/net/sungem_phy.c index 63a8ff816e59..e556b00dfed2 100644 --- a/drivers/net/sungem_phy.c +++ b/drivers/net/sungem_phy.c @@ -453,6 +453,7 @@ static int bcm5421_init(struct mii_phy* phy) int can_low_power =3D 1; if (np =3D=3D NULL || of_get_property(np, "no-autolowpower", NULL)) can_low_power =3D 0; + of_node_put(np); if (can_low_power) { /* Enable automatic low-power */ sungem_phy_write(phy, 0x1c, 0x9002); --=20 2.35.1 From nobody Sat Apr 11 15:26:32 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id EA7B6C19F2D for ; Tue, 9 Aug 2022 18:05:22 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1344713AbiHISFU (ORCPT ); Tue, 9 Aug 2022 14:05:20 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:44140 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1344546AbiHISEJ (ORCPT ); Tue, 9 Aug 2022 14:04:09 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 0858827142; Tue, 9 Aug 2022 11:02:17 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 61CB061070; Tue, 9 Aug 2022 18:02:16 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id CCCAFC433D7; Tue, 9 Aug 2022 18:02:15 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1660068136; bh=9htbukA8UGUM9CUPIOvsSUS7+HBVOsmT534H4uIYboM=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=DBhAA342xbT2IDz5y6ABvN9hFjl3ewKGQZ7Ru+twRm1X0rs/6Tl3H1VMIl+D+GHeh rCYwhteavf+cOu5N+O16bTxodHkILa4lEEIs7alE+SUDieFrvDxYjditsK4p9Msyhz sx3gTCEfVGnX6ApQce3smUai9+4mmNhMVTXczu7o= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Kuniyuki Iwashima , "David S. Miller" , Sasha Levin Subject: [PATCH 4.19 14/32] tcp: Fix a data-race around sysctl_tcp_min_tso_segs. Date: Tue, 9 Aug 2022 20:00:05 +0200 Message-Id: <20220809175513.541606468@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220809175513.082573955@linuxfoundation.org> References: <20220809175513.082573955@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Kuniyuki Iwashima [ Upstream commit e0bb4ab9dfddd872622239f49fb2bd403b70853b ] While reading sysctl_tcp_min_tso_segs, it can be changed concurrently. Thus, we need to add READ_ONCE() to its reader. Fixes: 95bd09eb2750 ("tcp: TSO packets automatic sizing") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller Signed-off-by: Sasha Levin Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Pavel Machek (CIP) Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- net/ipv4/tcp_output.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c index 13d9e8570ce5..3090b61e4edd 100644 --- a/net/ipv4/tcp_output.c +++ b/net/ipv4/tcp_output.c @@ -1745,7 +1745,7 @@ static u32 tcp_tso_segs(struct sock *sk, unsigned int= mss_now) =20 min_tso =3D ca_ops->min_tso_segs ? ca_ops->min_tso_segs(sk) : - sock_net(sk)->ipv4.sysctl_tcp_min_tso_segs; + READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_min_tso_segs); =20 tso_segs =3D tcp_tso_autosize(sk, mss_now, min_tso); return min_t(u32, tso_segs, sk->sk_gso_max_segs); --=20 2.35.1 From nobody Sat Apr 11 15:26:32 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id AF519C19F2D for ; Tue, 9 Aug 2022 18:05:54 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1344497AbiHISFf (ORCPT ); Tue, 9 Aug 2022 14:05:35 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:44548 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1344635AbiHISET (ORCPT ); Tue, 9 Aug 2022 14:04:19 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 5A41327B23; Tue, 9 Aug 2022 11:02:20 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 91FF461058; Tue, 9 Aug 2022 18:02:19 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 9D23FC4347C; Tue, 9 Aug 2022 18:02:18 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1660068139; bh=JJLoWX/i+PM0oYkcJDxKEqZrwJsz3Tar8k6vyE7PVb8=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=saN8XzFCcJFS5QofSb5LJXqmeRSwVrXMe30V1p/qy8pupaPI3JDneI9jDKodbWJZh czHZVQGhKdMpwWp59DuW433zQ5ZT+a/mdj22t2h4Vu+yxg1azbBA6BPJ7gSbav9Y27 XK9vcVPMGSAKJ9kDxGgKPDUl8QgqYLnEYkgX5kGA= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Kuniyuki Iwashima , "David S. Miller" , Sasha Levin Subject: [PATCH 4.19 15/32] tcp: Fix a data-race around sysctl_tcp_min_rtt_wlen. Date: Tue, 9 Aug 2022 20:00:06 +0200 Message-Id: <20220809175513.572561739@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220809175513.082573955@linuxfoundation.org> References: <20220809175513.082573955@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Kuniyuki Iwashima [ Upstream commit 1330ffacd05fc9ac4159d19286ce119e22450ed2 ] While reading sysctl_tcp_min_rtt_wlen, it can be changed concurrently. Thus, we need to add READ_ONCE() to its reader. Fixes: f672258391b4 ("tcp: track min RTT using windowed min-filter") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller Signed-off-by: Sasha Levin Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Pavel Machek (CIP) Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- net/ipv4/tcp_input.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c index f2dac14caeb3..04788bd5e82c 100644 --- a/net/ipv4/tcp_input.c +++ b/net/ipv4/tcp_input.c @@ -2903,7 +2903,7 @@ static void tcp_fastretrans_alert(struct sock *sk, co= nst u32 prior_snd_una, =20 static void tcp_update_rtt_min(struct sock *sk, u32 rtt_us, const int flag) { - u32 wlen =3D sock_net(sk)->ipv4.sysctl_tcp_min_rtt_wlen * HZ; + u32 wlen =3D READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_min_rtt_wlen) * HZ; struct tcp_sock *tp =3D tcp_sk(sk); =20 if ((flag & FLAG_ACK_MAYBE_DELAYED) && rtt_us > tcp_min_rtt(tp)) { --=20 2.35.1 From nobody Sat Apr 11 15:26:32 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id B469DC19F2D for ; Tue, 9 Aug 2022 18:05:58 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S245076AbiHISF5 (ORCPT ); Tue, 9 Aug 2022 14:05:57 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:43954 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1344658AbiHISEr (ORCPT ); Tue, 9 Aug 2022 14:04:47 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 30F1D2714E; Tue, 9 Aug 2022 11:02:23 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 81ADA6101C; Tue, 9 Aug 2022 18:02:22 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 87F6BC43470; Tue, 9 Aug 2022 18:02:21 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1660068141; bh=sTA3hE0yPZpR1noreH2827Yh1FajznPrRSsblFg38eQ=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=jAUKcGdso4E0P/UUkfp2mAKANEyx1xj4dEx3ejmWok3pMWB+r0kCzoyV/eS3hj+q/ G7VUcGiHX0ExGTH314GJrGhQNohLzqSpJ/9e5wXVoj6q8q4SPHLIA/4r7LIMJf9akw aqcpvxpif/EEysmVyFy8hFwPwuLKJDQkOCpijCDU= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Kuniyuki Iwashima , "David S. Miller" , Sasha Levin Subject: [PATCH 4.19 16/32] tcp: Fix a data-race around sysctl_tcp_autocorking. Date: Tue, 9 Aug 2022 20:00:07 +0200 Message-Id: <20220809175513.602497816@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220809175513.082573955@linuxfoundation.org> References: <20220809175513.082573955@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Kuniyuki Iwashima [ Upstream commit 85225e6f0a76e6745bc841c9f25169c509b573d8 ] While reading sysctl_tcp_autocorking, it can be changed concurrently. Thus, we need to add READ_ONCE() to its reader. Fixes: f54b311142a9 ("tcp: auto corking") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller Signed-off-by: Sasha Levin Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Pavel Machek (CIP) Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- net/ipv4/tcp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c index 7acc0d07f148..768a7daab559 100644 --- a/net/ipv4/tcp.c +++ b/net/ipv4/tcp.c @@ -706,7 +706,7 @@ static bool tcp_should_autocork(struct sock *sk, struct= sk_buff *skb, int size_goal) { return skb->len < size_goal && - sock_net(sk)->ipv4.sysctl_tcp_autocorking && + READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_autocorking) && !tcp_rtx_queue_empty(sk) && refcount_read(&sk->sk_wmem_alloc) > skb->truesize; } --=20 2.35.1 From nobody Sat Apr 11 15:26:32 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id ACFA1C19F2D for ; Tue, 9 Aug 2022 18:07:54 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S245168AbiHISHw (ORCPT ); Tue, 9 Aug 2022 14:07:52 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:44024 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1344691AbiHISFK (ORCPT ); Tue, 9 Aug 2022 14:05:10 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 573BC27CD0; Tue, 9 Aug 2022 11:02:26 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 0054D6109E; Tue, 9 Aug 2022 18:02:25 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 687CAC43141; Tue, 9 Aug 2022 18:02:24 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1660068144; bh=8aF3FxV/ALEBr6GIZ3WgB/THrpqRvHOI1d3gzgitkjs=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=QuHklywIiSRiB/Wrhjyq+TiXyOVZoSvXR1BAAVG5G1j+vk5k4LEYZpnukt0INoIN1 BTW1Rl9P6fCHU7jgsJIm1kZ8BapLtfaObwTDr+WgChx5Evs+vHi27S7P7so+pI2MTR Dhe4lan25Ly6+wTK6aCvDLs+CC32zx91zx9AKzRw= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Kuniyuki Iwashima , "David S. Miller" , Sasha Levin Subject: [PATCH 4.19 17/32] tcp: Fix a data-race around sysctl_tcp_invalid_ratelimit. Date: Tue, 9 Aug 2022 20:00:08 +0200 Message-Id: <20220809175513.631737701@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220809175513.082573955@linuxfoundation.org> References: <20220809175513.082573955@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Kuniyuki Iwashima [ Upstream commit 2afdbe7b8de84c28e219073a6661080e1b3ded48 ] While reading sysctl_tcp_invalid_ratelimit, it can be changed concurrently. Thus, we need to add READ_ONCE() to its reader. Fixes: 032ee4236954 ("tcp: helpers to mitigate ACK loops by rate-limiting o= ut-of-window dupacks") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller Signed-off-by: Sasha Levin Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Pavel Machek (CIP) Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- net/ipv4/tcp_input.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c index 04788bd5e82c..38412d93400a 100644 --- a/net/ipv4/tcp_input.c +++ b/net/ipv4/tcp_input.c @@ -3420,7 +3420,8 @@ static bool __tcp_oow_rate_limited(struct net *net, i= nt mib_idx, if (*last_oow_ack_time) { s32 elapsed =3D (s32)(tcp_jiffies32 - *last_oow_ack_time); =20 - if (0 <=3D elapsed && elapsed < net->ipv4.sysctl_tcp_invalid_ratelimit) { + if (0 <=3D elapsed && + elapsed < READ_ONCE(net->ipv4.sysctl_tcp_invalid_ratelimit)) { NET_INC_STATS(net, mib_idx); return true; /* rate-limited: don't send yet! */ } --=20 2.35.1 From nobody Sat Apr 11 15:26:32 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id A07D4C19F2D for ; Tue, 9 Aug 2022 18:06:17 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1344606AbiHISGQ (ORCPT ); Tue, 9 Aug 2022 14:06:16 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:42478 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1344675AbiHISFa (ORCPT ); Tue, 9 Aug 2022 14:05:30 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [145.40.68.75]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 72AEC27B1A; Tue, 9 Aug 2022 11:02:30 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id F1608B8171A; Tue, 9 Aug 2022 18:02:28 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 50008C433D6; Tue, 9 Aug 2022 18:02:27 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1660068147; bh=p57W8xdgWJ4rBg4QKkF/0C1QRV+CcyrZojmXs1ej7Rs=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=baUyoisuFVB7MLPLu9/12yEZeao2kC7QYD5fQw4Q7OiwA6SKzvpzxtqoYKqKD09zp eX7uJayWjACmEPLso3dfiT5F7riv69mCyIIV93BKkWk2RKYLw04O5hQJwIYsvgUtZz 2J2hIRe6azyX7mTTmvWKDdABSg+fS9h7+T1dSARE= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Xin Long , Marcelo Ricardo Leitner , "David S. Miller" , Sasha Levin Subject: [PATCH 4.19 18/32] Documentation: fix sctp_wmem in ip-sysctl.rst Date: Tue, 9 Aug 2022 20:00:09 +0200 Message-Id: <20220809175513.662269725@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220809175513.082573955@linuxfoundation.org> References: <20220809175513.082573955@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Xin Long [ Upstream commit aa709da0e032cee7c202047ecd75f437bb0126ed ] Since commit 1033990ac5b2 ("sctp: implement memory accounting on tx path"), SCTP has supported memory accounting on tx path where 'sctp_wmem' is used by sk_wmem_schedule(). So we should fix the description for this option in ip-sysctl.rst accordingly. v1->v2: - Improve the description as Marcelo suggested. Fixes: 1033990ac5b2 ("sctp: implement memory accounting on tx path") Signed-off-by: Xin Long Acked-by: Marcelo Ricardo Leitner Signed-off-by: David S. Miller Signed-off-by: Sasha Levin Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Pavel Machek (CIP) Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- Documentation/networking/ip-sysctl.txt | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/Documentation/networking/ip-sysctl.txt b/Documentation/network= ing/ip-sysctl.txt index e315e6052b9f..eb24b8137226 100644 --- a/Documentation/networking/ip-sysctl.txt +++ b/Documentation/networking/ip-sysctl.txt @@ -2170,7 +2170,14 @@ sctp_rmem - vector of 3 INTEGERs: min, default, max Default: 4K =20 sctp_wmem - vector of 3 INTEGERs: min, default, max - Currently this tunable has no effect. + Only the first value ("min") is used, "default" and "max" are + ignored. + + min: Minimum size of send buffer that can be used by SCTP sockets. + It is guaranteed to each SCTP socket (but not association) even + under moderate memory pressure. + + Default: 4K =20 addr_scope_policy - INTEGER Control IPv4 address scoping - draft-stewart-tsvwg-sctp-ipv4-00 --=20 2.35.1 From nobody Sat Apr 11 15:26:32 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 118D9C19F2D for ; Tue, 9 Aug 2022 18:06:13 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1344094AbiHISGK (ORCPT ); Tue, 9 Aug 2022 14:06:10 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:43232 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S245729AbiHISF2 (ORCPT ); Tue, 9 Aug 2022 14:05:28 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 2447F27CF4; Tue, 9 Aug 2022 11:02:30 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id A6B4E61059; Tue, 9 Aug 2022 18:02:30 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 1FDE6C43140; Tue, 9 Aug 2022 18:02:29 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1660068150; bh=RPpTH3ijHdIcyCKVdvgk0xcCqRlXftJTxWnJmnRkBSc=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=mqghpZnKH2DL0I5pFYprP0kEkxcXh2eFCMXochGjmu8/zBpezqNchVVrlPjr88TtE 2So7E9a5pfEpDa2YBhkIeR71fxNkcHlGghhm2lhHOlDvL+yTzqgHDs+rDApL9pkEB5 VwdA6Ov57EvQraI9JdJ3mDfBZFdz9ity9t75QhaQ= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Kuniyuki Iwashima , "David S. Miller" , Sasha Levin Subject: [PATCH 4.19 19/32] tcp: Fix a data-race around sysctl_tcp_comp_sack_delay_ns. Date: Tue, 9 Aug 2022 20:00:10 +0200 Message-Id: <20220809175513.692599259@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220809175513.082573955@linuxfoundation.org> References: <20220809175513.082573955@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Kuniyuki Iwashima [ Upstream commit 4866b2b0f7672b6d760c4b8ece6fb56f965dcc8a ] While reading sysctl_tcp_comp_sack_delay_ns, it can be changed concurrently. Thus, we need to add READ_ONCE() to its reader. Fixes: 6d82aa242092 ("tcp: add tcp_comp_sack_delay_ns sysctl") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller Signed-off-by: Sasha Levin Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Pavel Machek (CIP) Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- net/ipv4/tcp_input.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c index 38412d93400a..b71866aba426 100644 --- a/net/ipv4/tcp_input.c +++ b/net/ipv4/tcp_input.c @@ -5262,7 +5262,8 @@ static void __tcp_ack_snd_check(struct sock *sk, int = ofo_possible) if (tp->srtt_us && tp->srtt_us < rtt) rtt =3D tp->srtt_us; =20 - delay =3D min_t(unsigned long, sock_net(sk)->ipv4.sysctl_tcp_comp_sack_de= lay_ns, + delay =3D min_t(unsigned long, + READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_comp_sack_delay_ns), rtt * (NSEC_PER_USEC >> 3)/20); sock_hold(sk); hrtimer_start(&tp->compressed_ack_timer, ns_to_ktime(delay), --=20 2.35.1 From nobody Sat Apr 11 15:26:32 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 00B3FC19F2D for ; Tue, 9 Aug 2022 18:06:28 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1343696AbiHISGV (ORCPT ); Tue, 9 Aug 2022 14:06:21 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:43740 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1344730AbiHISFl (ORCPT ); Tue, 9 Aug 2022 14:05:41 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id B3F9FFCD; Tue, 9 Aug 2022 11:02:33 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 7DD7D6102F; Tue, 9 Aug 2022 18:02:33 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id E8988C43470; Tue, 9 Aug 2022 18:02:32 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1660068153; bh=0agPFwrtUITObKzifFD7D/Pb+hzEpwXxQLiarBqFdVw=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=um8JbDteB14og0GGSyUu8PwPAY2MvRje3FUGSKIqVLgztaDD0gnZ4tou+4qZ6tgg7 kBRc1WWFNQHS18UylBFuyBVFUTw17cfV8FmLBk3hi38AyF8aDdsHwFJHkYCWQhoLLf /EpShNvJsd+xawNaQSK1Tz1415JEwVj6CSadTNBk= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Kuniyuki Iwashima , "David S. Miller" , Sasha Levin Subject: [PATCH 4.19 20/32] tcp: Fix a data-race around sysctl_tcp_comp_sack_nr. Date: Tue, 9 Aug 2022 20:00:11 +0200 Message-Id: <20220809175513.723352841@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220809175513.082573955@linuxfoundation.org> References: <20220809175513.082573955@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Kuniyuki Iwashima [ Upstream commit 79f55473bfc8ac51bd6572929a679eeb4da22251 ] While reading sysctl_tcp_comp_sack_nr, it can be changed concurrently. Thus, we need to add READ_ONCE() to its reader. Fixes: 9c21d2fc41c0 ("tcp: add tcp_comp_sack_nr sysctl") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller Signed-off-by: Sasha Levin Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Pavel Machek (CIP) Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- net/ipv4/tcp_input.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c index b71866aba426..e1d065ea5a15 100644 --- a/net/ipv4/tcp_input.c +++ b/net/ipv4/tcp_input.c @@ -5239,7 +5239,7 @@ static void __tcp_ack_snd_check(struct sock *sk, int = ofo_possible) } =20 if (!tcp_is_sack(tp) || - tp->compressed_ack >=3D sock_net(sk)->ipv4.sysctl_tcp_comp_sack_nr) + tp->compressed_ack >=3D READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_comp_= sack_nr)) goto send_now; =20 if (tp->compressed_ack_rcv_nxt !=3D tp->rcv_nxt) { --=20 2.35.1 From nobody Sat Apr 11 15:26:32 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 01E80C19F2D for ; Tue, 9 Aug 2022 18:06:37 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1344767AbiHISGf (ORCPT ); Tue, 9 Aug 2022 14:06:35 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:39206 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1344757AbiHISFo (ORCPT ); Tue, 9 Aug 2022 14:05:44 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 4E7E127CD9; Tue, 9 Aug 2022 11:02:37 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id A11CD6106C; Tue, 9 Aug 2022 18:02:36 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id ACC5FC433C1; Tue, 9 Aug 2022 18:02:35 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1660068156; bh=iJ3n/ovvuywHeUCdRoL+0FiyTg+YR+72DqrzGIc88cA=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=EArP4kQimPVZOHgd6z7Mnb8LkVKWd9bDiiOPy5Av8loHnFq0Aou5rGXJafUtOmzz5 R1LKSQu8wMzg5UhoiuyamXDYN+ACnss+LN218gFodTUrhIkWR6pq/XHTTkRjKtq72z EPvqU2ITBlUZMpJOMVeUYeYx7cSlhG4QWiOa1hSs= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Dawid Lukwinski , Michal Maloszewski , Dave Switzer , Tony Nguyen , Jakub Kicinski , Sasha Levin Subject: [PATCH 4.19 21/32] i40e: Fix interface init with MSI interrupts (no MSI-X) Date: Tue, 9 Aug 2022 20:00:12 +0200 Message-Id: <20220809175513.753445598@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220809175513.082573955@linuxfoundation.org> References: <20220809175513.082573955@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Michal Maloszewski [ Upstream commit 5fcbb711024aac6d4db385623e6f2fdf019f7782 ] Fix the inability to bring an interface up on a setup with only MSI interrupts enabled (no MSI-X). Solution is to add a default number of QPs =3D 1. This is enough, since without MSI-X support driver enables only a basic feature set. Fixes: bc6d33c8d93f ("i40e: Fix the number of queues available to be mapped= for use") Signed-off-by: Dawid Lukwinski Signed-off-by: Michal Maloszewski Tested-by: Dave Switzer Signed-off-by: Tony Nguyen Link: https://lore.kernel.org/r/20220722175401.112572-1-anthony.l.nguyen@in= tel.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Pavel Machek (CIP) Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- drivers/net/ethernet/intel/i40e/i40e_main.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethe= rnet/intel/i40e/i40e_main.c index 3615c6533cf4..2f3b393e5506 100644 --- a/drivers/net/ethernet/intel/i40e/i40e_main.c +++ b/drivers/net/ethernet/intel/i40e/i40e_main.c @@ -1808,11 +1808,15 @@ static void i40e_vsi_setup_queue_map(struct i40e_vs= i *vsi, * non-zero req_queue_pairs says that user requested a new * queue count via ethtool's set_channels, so use this * value for queues distribution across traffic classes + * We need at least one queue pair for the interface + * to be usable as we see in else statement. */ if (vsi->req_queue_pairs > 0) vsi->num_queue_pairs =3D vsi->req_queue_pairs; else if (pf->flags & I40E_FLAG_MSIX_ENABLED) vsi->num_queue_pairs =3D pf->num_lan_msix; + else + vsi->num_queue_pairs =3D 1; } =20 /* Number of queues per enabled TC */ --=20 2.35.1 From nobody Sat Apr 11 15:26:32 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id D8F68C25B0C for ; Tue, 9 Aug 2022 18:04:53 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1344588AbiHISEu (ORCPT ); Tue, 9 Aug 2022 14:04:50 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:35066 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1344519AbiHISDf (ORCPT ); Tue, 9 Aug 2022 14:03:35 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 31A5D275DC; Tue, 9 Aug 2022 11:02:03 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id B61AF61059; Tue, 9 Aug 2022 18:02:02 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id BB55EC43140; Tue, 9 Aug 2022 18:02:01 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1660068122; bh=MvaeA/cVp4t6tzABceBLyrsBotareJIIkv1jHZMt8pM=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=ZBWL5GW/WZnyxQU7FYAqIpBJliQUOXRgheGDlgWDw+QkKyflYAe8RspUw2fRa5pEp eneQBf9OfnLgLJHXE6uXX56+YPkuK7O+kM88vX4skuZJbHKx/aOxry3Hc2WJhMoQbG /ygzfbbheuIMaQvPQoUgCCpuf3UbAmDJhMQThF2U= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Duoming Zhou , Marcelo Ricardo Leitner , Jakub Kicinski , Sasha Levin Subject: [PATCH 4.19 22/32] sctp: fix sleep in atomic context bug in timer handlers Date: Tue, 9 Aug 2022 20:00:13 +0200 Message-Id: <20220809175513.783627725@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220809175513.082573955@linuxfoundation.org> References: <20220809175513.082573955@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Duoming Zhou [ Upstream commit b89fc26f741d9f9efb51cba3e9b241cf1380ec5a ] There are sleep in atomic context bugs in timer handlers of sctp such as sctp_generate_t3_rtx_event(), sctp_generate_probe_event(), sctp_generate_t1_init_event(), sctp_generate_timeout_event(), sctp_generate_t3_rtx_event() and so on. The root cause is sctp_sched_prio_init_sid() with GFP_KERNEL parameter that may sleep could be called by different timer handlers which is in interrupt context. One of the call paths that could trigger bug is shown below: (interrupt context) sctp_generate_probe_event sctp_do_sm sctp_side_effects sctp_cmd_interpreter sctp_outq_teardown sctp_outq_init sctp_sched_set_sched n->init_sid(..,GFP_KERNEL) sctp_sched_prio_init_sid //may sleep This patch changes gfp_t parameter of init_sid in sctp_sched_set_sched() from GFP_KERNEL to GFP_ATOMIC in order to prevent sleep in atomic context bugs. Fixes: 5bbbbe32a431 ("sctp: introduce stream scheduler foundations") Signed-off-by: Duoming Zhou Acked-by: Marcelo Ricardo Leitner Link: https://lore.kernel.org/r/20220723015809.11553-1-duoming@zju.edu.cn Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Pavel Machek (CIP) Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- net/sctp/stream_sched.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/sctp/stream_sched.c b/net/sctp/stream_sched.c index a6c04a94b08f..3a5c0d00e96c 100644 --- a/net/sctp/stream_sched.c +++ b/net/sctp/stream_sched.c @@ -178,7 +178,7 @@ int sctp_sched_set_sched(struct sctp_association *asoc, if (!SCTP_SO(&asoc->stream, i)->ext) continue; =20 - ret =3D n->init_sid(&asoc->stream, i, GFP_KERNEL); + ret =3D n->init_sid(&asoc->stream, i, GFP_ATOMIC); if (ret) goto err; } --=20 2.35.1 From nobody Sat Apr 11 15:26:32 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 33E04C19F2D for ; Tue, 9 Aug 2022 18:04:45 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1344537AbiHISEn (ORCPT ); Tue, 9 Aug 2022 14:04:43 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:34710 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1344532AbiHISDk (ORCPT ); Tue, 9 Aug 2022 14:03:40 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 7391D275E9; Tue, 9 Aug 2022 11:02:05 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 5575261012; Tue, 9 Aug 2022 18:02:05 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 92CC4C433D7; Tue, 9 Aug 2022 18:02:04 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1660068125; bh=Rk+9dz2pOvI01ubf5O3Bj2SDe/szN9eGPeK/+iP1tN0=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=nEz2DYwEFp+R74lHD7c82fRuS+8aLSL6BoAT0EGSm6rP1+UQ1ZFsUOTPaajp7P5iJ U3O81yDnFTJk6qWWg3kaScAHJox1QNwpIGGJ9hZiXzOCAEJ5e4SuzAaujj/SF2eMpj A2WxtC9/E0f1IyBVISQFVkEzmmbu+HetxWkfGEX8= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Domingo Dirutigliano , Florian Westphal , Pablo Neira Ayuso , Sasha Levin Subject: [PATCH 4.19 23/32] netfilter: nf_queue: do not allow packet truncation below transport header offset Date: Tue, 9 Aug 2022 20:00:14 +0200 Message-Id: <20220809175513.816660088@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220809175513.082573955@linuxfoundation.org> References: <20220809175513.082573955@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Florian Westphal [ Upstream commit 99a63d36cb3ed5ca3aa6fcb64cffbeaf3b0fb164 ] Domingo Dirutigliano and Nicola Guerrera report kernel panic when sending nf_queue verdict with 1-byte nfta_payload attribute. The IP/IPv6 stack pulls the IP(v6) header from the packet after the input hook. If user truncates the packet below the header size, this skb_pull() will result in a malformed skb (skb->len < 0). Fixes: 7af4cc3fa158 ("[NETFILTER]: Add "nfnetlink_queue" netfilter queue ha= ndler over nfnetlink") Reported-by: Domingo Dirutigliano Signed-off-by: Florian Westphal Reviewed-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Pavel Machek (CIP) Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- net/netfilter/nfnetlink_queue.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queu= e.c index a5aff2834bd6..cd496b074a71 100644 --- a/net/netfilter/nfnetlink_queue.c +++ b/net/netfilter/nfnetlink_queue.c @@ -850,11 +850,16 @@ nfqnl_enqueue_packet(struct nf_queue_entry *entry, un= signed int queuenum) } =20 static int -nfqnl_mangle(void *data, int data_len, struct nf_queue_entry *e, int diff) +nfqnl_mangle(void *data, unsigned int data_len, struct nf_queue_entry *e, = int diff) { struct sk_buff *nskb; =20 if (diff < 0) { + unsigned int min_len =3D skb_transport_offset(e->skb); + + if (data_len < min_len) + return -EINVAL; + if (pskb_trim(e->skb, data_len)) return -ENOMEM; } else if (diff > 0) { --=20 2.35.1 From nobody Sat Apr 11 15:26:32 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 95E8EC3F6B0 for ; Tue, 9 Aug 2022 18:05:13 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S245696AbiHISFE (ORCPT ); Tue, 9 Aug 2022 14:05:04 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:40762 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S245360AbiHISED (ORCPT ); Tue, 9 Aug 2022 14:04:03 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [145.40.68.75]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id DDB3FC20; Tue, 9 Aug 2022 11:02:10 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 2E8ECB8171F; Tue, 9 Aug 2022 18:02:09 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 574E8C433B5; Tue, 9 Aug 2022 18:02:07 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1660068127; bh=ftSdrVIZmrXKAF+/QR73NejNX3j9SCskn0iE+E2C5xk=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=OD3N3RKuasvdljQw2OwuWqhpmV6/4mV3y+MZM6VQIoMC6f7NLbq6bdADmproEeDNf VDqrwAqUZ21b2MHJO1xhQIzkELRAuRowWwaz7oabH883mV327KvzI585dkl14+P8/8 8g9kVgW1AoVhzDwjm67log0RjV6TPNFuLfnbfDRY= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Chang Rui , Fangrui Song , Leo Yan , Namhyung Kim , Alexander Shishkin , Ian Rogers , Ingo Molnar , Jiri Olsa , Mark Rutland , Peter Zijlstra , Arnaldo Carvalho de Melo , Sasha Levin Subject: [PATCH 4.19 24/32] perf symbol: Correct address for bss symbols Date: Tue, 9 Aug 2022 20:00:15 +0200 Message-Id: <20220809175513.847092052@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220809175513.082573955@linuxfoundation.org> References: <20220809175513.082573955@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Leo Yan [ Upstream commit 2d86612aacb7805f72873691a2644d7279ed0630 ] When using 'perf mem' and 'perf c2c', an issue is observed that tool reports the wrong offset for global data symbols. This is a common issue on both x86 and Arm64 platforms. Let's see an example, for a test program, below is the disassembly for its .bss section which is dumped with objdump: ... Disassembly of section .bss: 0000000000004040 : ... 0000000000004080 : ... 00000000000040c0 : ... 0000000000004100 : ... First we used 'perf mem record' to run the test program and then used 'perf --debug verbose=3D4 mem report' to observe what's the symbol info for 'buf1' and 'buf2' structures. # ./perf mem record -e ldlat-loads,ldlat-stores -- false_sharing.exe 8 # ./perf --debug verbose=3D4 mem report ... dso__load_sym_internal: adjusting symbol: st_value: 0x40c0 sh_addr: 0x4= 040 sh_offset: 0x3028 symbol__new: buf2 0x30a8-0x30e8 ... dso__load_sym_internal: adjusting symbol: st_value: 0x4080 sh_addr: 0x4= 040 sh_offset: 0x3028 symbol__new: buf1 0x3068-0x30a8 ... The perf tool relies on libelf to parse symbols, in executable and shared object files, 'st_value' holds a virtual address; 'sh_addr' is the address at which section's first byte should reside in memory, and 'sh_offset' is the byte offset from the beginning of the file to the first byte in the section. The perf tool uses below formula to convert a symbol's memory address to a file address: file_address =3D st_value - sh_addr + sh_offset ^ ` Memory address We can see the final adjusted address ranges for buf1 and buf2 are [0x30a8-0x30e8) and [0x3068-0x30a8) respectively, apparently this is incorrect, in the code, the structure for 'buf1' and 'buf2' specifies compiler attribute with 64-byte alignment. The problem happens for 'sh_offset', libelf returns it as 0x3028 which is not 64-byte aligned, combining with disassembly, it's likely libelf doesn't respect the alignment for .bss section, therefore, it doesn't return the aligned value for 'sh_offset'. Suggested by Fangrui Song, ELF file contains program header which contains PT_LOAD segments, the fields p_vaddr and p_offset in PT_LOAD segments contain the execution info. A better choice for converting memory address to file address is using the formula: file_address =3D st_value - p_vaddr + p_offset This patch introduces elf_read_program_header() which returns the program header based on the passed 'st_value', then it uses the formula above to calculate the symbol file address; and the debugging log is updated respectively. After applying the change: # ./perf --debug verbose=3D4 mem report ... dso__load_sym_internal: adjusting symbol: st_value: 0x40c0 p_vaddr: 0x3= d28 p_offset: 0x2d28 symbol__new: buf2 0x30c0-0x3100 ... dso__load_sym_internal: adjusting symbol: st_value: 0x4080 p_vaddr: 0x3= d28 p_offset: 0x2d28 symbol__new: buf1 0x3080-0x30c0 ... Fixes: f17e04afaff84b5c ("perf report: Fix ELF symbol parsing") Reported-by: Chang Rui Suggested-by: Fangrui Song Signed-off-by: Leo Yan Acked-by: Namhyung Kim Cc: Alexander Shishkin Cc: Ian Rogers Cc: Ingo Molnar Cc: Jiri Olsa Cc: Mark Rutland Cc: Peter Zijlstra Link: https://lore.kernel.org/r/20220724060013.171050-2-leo.yan@linaro.org Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Pavel Machek (CIP) Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- tools/perf/util/symbol-elf.c | 45 ++++++++++++++++++++++++++++++++---- 1 file changed, 41 insertions(+), 4 deletions(-) diff --git a/tools/perf/util/symbol-elf.c b/tools/perf/util/symbol-elf.c index 166c621e0223..bd33d6613929 100644 --- a/tools/perf/util/symbol-elf.c +++ b/tools/perf/util/symbol-elf.c @@ -201,6 +201,33 @@ Elf_Scn *elf_section_by_name(Elf *elf, GElf_Ehdr *ep, return NULL; } =20 +static int elf_read_program_header(Elf *elf, u64 vaddr, GElf_Phdr *phdr) +{ + size_t i, phdrnum; + u64 sz; + + if (elf_getphdrnum(elf, &phdrnum)) + return -1; + + for (i =3D 0; i < phdrnum; i++) { + if (gelf_getphdr(elf, i, phdr) =3D=3D NULL) + return -1; + + if (phdr->p_type !=3D PT_LOAD) + continue; + + sz =3D max(phdr->p_memsz, phdr->p_filesz); + if (!sz) + continue; + + if (vaddr >=3D phdr->p_vaddr && (vaddr < phdr->p_vaddr + sz)) + return 0; + } + + /* Not found any valid program header */ + return -1; +} + static bool want_demangle(bool is_kernel_sym) { return is_kernel_sym ? symbol_conf.demangle_kernel : symbol_conf.demangle; @@ -1063,6 +1090,7 @@ int dso__load_sym(struct dso *dso, struct map *map, s= truct symsrc *syms_ss, sym.st_value); used_opd =3D true; } + /* * When loading symbols in a data mapping, ABS symbols (which * has a value of SHN_ABS in its st_shndx) failed at @@ -1099,11 +1127,20 @@ int dso__load_sym(struct dso *dso, struct map *map,= struct symsrc *syms_ss, goto out_elf_end; } else if ((used_opd && runtime_ss->adjust_symbols) || (!used_opd && syms_ss->adjust_symbols)) { + GElf_Phdr phdr; + + if (elf_read_program_header(syms_ss->elf, + (u64)sym.st_value, &phdr)) { + pr_warning("%s: failed to find program header for " + "symbol: %s st_value: %#" PRIx64 "\n", + __func__, elf_name, (u64)sym.st_value); + continue; + } pr_debug4("%s: adjusting symbol: st_value: %#" PRIx64 " " - "sh_addr: %#" PRIx64 " sh_offset: %#" PRIx64 "\n", __func__, - (u64)sym.st_value, (u64)shdr.sh_addr, - (u64)shdr.sh_offset); - sym.st_value -=3D shdr.sh_addr - shdr.sh_offset; + "p_vaddr: %#" PRIx64 " p_offset: %#" PRIx64 "\n", + __func__, (u64)sym.st_value, (u64)phdr.p_vaddr, + (u64)phdr.p_offset); + sym.st_value -=3D phdr.p_vaddr - phdr.p_offset; } =20 demangled =3D demangle_sym(dso, kmodule, elf_name); --=20 2.35.1 From nobody Sat Apr 11 15:26:32 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 723DEC19F2D for ; Tue, 9 Aug 2022 18:05:13 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1344667AbiHISE5 (ORCPT ); Tue, 9 Aug 2022 14:04:57 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:42664 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S245235AbiHISEF (ORCPT ); Tue, 9 Aug 2022 14:04:05 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 2F9B827B00; Tue, 9 Aug 2022 11:02:12 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id C50B7B8171A; Tue, 9 Aug 2022 18:02:11 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 38CBDC433D7; Tue, 9 Aug 2022 18:02:10 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1660068130; bh=ljrqwzOrbT0JrmQUw2UjpfLFC5dyyN3a2eOKGBHBJcM=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=ghxsZwWP2OvjZE5/0OmFLRotORYSlOaQLzejbNGtQPYH3FISyoQ8E6dZ9vR1Dzw+b K17t9H5dMltc7zVPrn4Xep6ErKkaaiJeUIq3Gd8YmRer3A4LP3Ve2kLUaz00ewhGXx RQXQzUtXPrchUN78lH+dUun6Qs6TmNYCROk28X5Y= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org, stable@vger.kernel.org Cc: Greg Kroah-Hartman , "Jason A. Donenfeld" , "Justin M. Forbes" , Ard Biesheuvel , Arnd Bergmann , Nicolas Pitre , Nathan Chancellor , Nick Desaulniers Subject: [PATCH 4.19 25/32] ARM: crypto: comment out gcc warning that breaks clang builds Date: Tue, 9 Aug 2022 20:00:16 +0200 Message-Id: <20220809175513.878882115@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220809175513.082573955@linuxfoundation.org> References: <20220809175513.082573955@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Greg Kroah-Hartman The gcc build warning prevents all clang-built kernels from working properly, so comment it out to fix the build. This is a -stable kernel only patch for now, it will be resolved differently in mainline releases in the future. Cc: "Jason A. Donenfeld" Cc: "Justin M. Forbes" Cc: Ard Biesheuvel Acked-by: Arnd Bergmann Cc: Nicolas Pitre Cc: Nathan Chancellor Cc: Nick Desaulniers Signed-off-by: Greg Kroah-Hartman Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Pavel Machek (CIP) Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- arch/arm/lib/xor-neon.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) --- a/arch/arm/lib/xor-neon.c +++ b/arch/arm/lib/xor-neon.c @@ -29,8 +29,9 @@ MODULE_LICENSE("GPL"); * While older versions of GCC do not generate incorrect code, they fail to * recognize the parallel nature of these functions, and emit plain ARM co= de, * which is known to be slower than the optimized ARM code in asm-arm/xor.= h. + * + * #warning This code requires at least version 4.6 of GCC */ -#warning This code requires at least version 4.6 of GCC #endif =20 #pragma GCC diagnostic ignored "-Wunused-variable" From nobody Sat Apr 11 15:26:32 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id EDD4BC25B07 for ; Tue, 9 Aug 2022 18:05:19 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1343508AbiHISFS (ORCPT ); Tue, 9 Aug 2022 14:05:18 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:44022 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1344603AbiHISEH (ORCPT ); Tue, 9 Aug 2022 14:04:07 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 9C92826AFC; Tue, 9 Aug 2022 11:02:14 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id E27AA6101C; Tue, 9 Aug 2022 18:02:13 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id F3E76C433C1; Tue, 9 Aug 2022 18:02:12 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1660068133; bh=4JTwL98KeRAHBUUp0B3u8WDPwf7Kzfa2VOERamwCuU4=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=Fwvq8JA26x0VP3O59D0WiS1OK4QiyxqAHvXXix6vcEEATrt45gj3llY2io9jkho1P peFvceFAp9SSXqxgLe4SKMp2LV6me+C7GsV8UzsFv/Ukzs0Q/dNjhpW/4o48m7Za5j RHpBKuLAXDYnD24LzIqhD5LW8oRnI0Rjvo2c9Ft4= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Wei Mingzhi , Jakub Kicinski , Kalle Valo , Yan Xinyu Subject: [PATCH 4.19 26/32] mt7601u: add USB device ID for some versions of XiaoDu WiFi Dongle. Date: Tue, 9 Aug 2022 20:00:17 +0200 Message-Id: <20220809175513.910068873@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220809175513.082573955@linuxfoundation.org> References: <20220809175513.082573955@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Wei Mingzhi commit 829eea7c94e0bac804e65975639a2f2e5f147033 upstream. USB device ID of some versions of XiaoDu WiFi Dongle is 2955:1003 instead of 2955:1001. Both are the same mt7601u hardware. Signed-off-by: Wei Mingzhi Acked-by: Jakub Kicinski Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20210618160840.305024-1-whistler@member.fsf= .org Cc: Yan Xinyu Signed-off-by: Greg Kroah-Hartman Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Pavel Machek (CIP) Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- drivers/net/wireless/mediatek/mt7601u/usb.c | 1 + 1 file changed, 1 insertion(+) --- a/drivers/net/wireless/mediatek/mt7601u/usb.c +++ b/drivers/net/wireless/mediatek/mt7601u/usb.c @@ -34,6 +34,7 @@ static const struct usb_device_id mt7601 { USB_DEVICE(0x2717, 0x4106) }, { USB_DEVICE(0x2955, 0x0001) }, { USB_DEVICE(0x2955, 0x1001) }, + { USB_DEVICE(0x2955, 0x1003) }, { USB_DEVICE(0x2a5f, 0x1000) }, { USB_DEVICE(0x7392, 0x7710) }, { 0, } From nobody Sat Apr 11 15:26:32 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 94F14C25B0C for ; Tue, 9 Aug 2022 18:07:24 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1344897AbiHISHV (ORCPT ); Tue, 9 Aug 2022 14:07:21 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:44224 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1344236AbiHISGh (ORCPT ); Tue, 9 Aug 2022 14:06:37 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 3098626112; Tue, 9 Aug 2022 11:02:56 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id C5D48B816A0; Tue, 9 Aug 2022 18:02:55 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id E5BF5C43470; Tue, 9 Aug 2022 18:02:54 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1660068175; bh=LVK7Kh2hdJ0k8iNs9K6078HDnZHYovn17rMstcfj3g8=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=H8g9RPkDXycdXE/gfOj3bfWIPae1cnQfmD8CFFPw3hlVd/p912O9PoOsg/IVPdubX ppAukz80vz3OVXyTc01nZkwCJsT+PGJnKjnZfz2y/7Fr4GJC92CyPVporaOygWDouA G0yku1xq5Vzpfe8zGAFDnRIajag5Dri/tdY76wXg= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Hannes Reinecke , Sumit Saxena , Kashyap Desai , Bart Van Assche , Ewan Milne , Long Li , John Garry , "chenxiang (M)" , Ming Lei , "Martin K. Petersen" , Yu Kuai Subject: [PATCH 4.19 27/32] scsi: core: Fix race between handling STS_RESOURCE and completion Date: Tue, 9 Aug 2022 20:00:18 +0200 Message-Id: <20220809175513.938731002@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220809175513.082573955@linuxfoundation.org> References: <20220809175513.082573955@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Ming Lei commit 673235f915318ced5d7ec4b2bfd8cb909e6a4a55 upstream. When queuing I/O request to LLD, STS_RESOURCE may be returned because: - Host is in recovery or blocked - Target queue throttling or target is blocked - LLD rejection In these scenarios BLK_STS_DEV_RESOURCE is returned to the block layer to avoid an unnecessary re-run of the queue. However, all of the requests queued to this SCSI device may complete immediately after reading 'sdev->device_busy' and BLK_STS_DEV_RESOURCE is returned to block layer. In that case the current I/O won't get a chance to get queued since it is invisible at that time for both scsi_run_queue_async() and blk-mq's RESTART. Fix the issue by not returning BLK_STS_DEV_RESOURCE in this situation. Link: https://lore.kernel.org/r/20201202100419.525144-1-ming.lei@redhat.com Fixes: 86ff7c2a80cd ("blk-mq: introduce BLK_STS_DEV_RESOURCE") Cc: Hannes Reinecke Cc: Sumit Saxena Cc: Kashyap Desai Cc: Bart Van Assche Cc: Ewan Milne Cc: Long Li Reported-by: John Garry Tested-by: "chenxiang (M)" Signed-off-by: Ming Lei Signed-off-by: Martin K. Petersen Signed-off-by: Yu Kuai Signed-off-by: Greg Kroah-Hartman Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Pavel Machek (CIP) Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- drivers/scsi/scsi_lib.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) --- a/drivers/scsi/scsi_lib.c +++ b/drivers/scsi/scsi_lib.c @@ -2157,8 +2157,7 @@ out_put_budget: case BLK_STS_OK: break; case BLK_STS_RESOURCE: - if (atomic_read(&sdev->device_busy) || - scsi_device_blocked(sdev)) + if (scsi_device_blocked(sdev)) ret =3D BLK_STS_DEV_RESOURCE; break; default: From nobody Sat Apr 11 15:26:32 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 50F8AC19F2D for ; Tue, 9 Aug 2022 18:06:50 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1344815AbiHISGs (ORCPT ); Tue, 9 Aug 2022 14:06:48 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:44212 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1344814AbiHISFv (ORCPT ); Tue, 9 Aug 2022 14:05:51 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 77404B82; Tue, 9 Aug 2022 11:02:42 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 544A661028; Tue, 9 Aug 2022 18:02:42 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 5D2BAC433B5; Tue, 9 Aug 2022 18:02:41 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1660068161; bh=kAAceLf1VywHIek44vBXTfsB0yb0I7oJ0SqPKKlSA08=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=Be5lnO9aUThTpkb20Uw2Y5tM/HWR/AmNYAlpa6CK6AABvRIfKP9voqXel2Wj/UXfG Qp72eiYFUrfDkiyo7v/atQD7lrYSHnlFfAgfLujcvneYQTzQH+kA8ZWYWFwZ4I/Wuh kPH5ckMGMcOyVBvPyG/LpQdrg4h5UediGD/LoqgQ= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Werner Sembach , Hans de Goede , "Rafael J. Wysocki" Subject: [PATCH 4.19 28/32] ACPI: video: Force backlight native for some TongFang devices Date: Tue, 9 Aug 2022 20:00:19 +0200 Message-Id: <20220809175513.969951780@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220809175513.082573955@linuxfoundation.org> References: <20220809175513.082573955@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Werner Sembach commit c752089f7cf5b5800c6ace4cdd1a8351ee78a598 upstream. The TongFang PF5PU1G, PF4NU1F, PF5NU1G, and PF5LUXG/TUXEDO BA15 Gen10, Pulse 14/15 Gen1, and Pulse 15 Gen2 have the same problem as the Clevo NL5xRU and NL5xNU/TUXEDO Aura 15 Gen1 and Gen2: They have a working native and video interface. However the default detection mechanism first registers the video interface before unregistering it again and switching to the native interface during boot. This results in a dangling SBIOS request for backlight change for some reason, causing the backlight to switch to ~2% once per boot on the first power cord connect or disconnect event. Setting the native interface explicitly circumvents this buggy behaviour by avoiding the unregistering process. Signed-off-by: Werner Sembach Cc: All applicable Reviewed-by: Hans de Goede Signed-off-by: Rafael J. Wysocki Signed-off-by: Greg Kroah-Hartman Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Pavel Machek (CIP) Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- drivers/acpi/video_detect.c | 51 +++++++++++++++++++++++++++++++++++++++= ++++- 1 file changed, 50 insertions(+), 1 deletion(-) --- a/drivers/acpi/video_detect.c +++ b/drivers/acpi/video_detect.c @@ -431,7 +431,56 @@ static const struct dmi_system_id video_ DMI_MATCH(DMI_BOARD_NAME, "NL5xNU"), }, }, - + /* + * The TongFang PF5PU1G, PF4NU1F, PF5NU1G, and PF5LUXG/TUXEDO BA15 Gen10, + * Pulse 14/15 Gen1, and Pulse 15 Gen2 have the same problem as the Clevo + * NL5xRU and NL5xNU/TUXEDO Aura 15 Gen1 and Gen2. See the description + * above. + */ + { + .callback =3D video_detect_force_native, + .ident =3D "TongFang PF5PU1G", + .matches =3D { + DMI_MATCH(DMI_BOARD_NAME, "PF5PU1G"), + }, + }, + { + .callback =3D video_detect_force_native, + .ident =3D "TongFang PF4NU1F", + .matches =3D { + DMI_MATCH(DMI_BOARD_NAME, "PF4NU1F"), + }, + }, + { + .callback =3D video_detect_force_native, + .ident =3D "TongFang PF4NU1F", + .matches =3D { + DMI_MATCH(DMI_SYS_VENDOR, "TUXEDO"), + DMI_MATCH(DMI_BOARD_NAME, "PULSE1401"), + }, + }, + { + .callback =3D video_detect_force_native, + .ident =3D "TongFang PF5NU1G", + .matches =3D { + DMI_MATCH(DMI_BOARD_NAME, "PF5NU1G"), + }, + }, + { + .callback =3D video_detect_force_native, + .ident =3D "TongFang PF5NU1G", + .matches =3D { + DMI_MATCH(DMI_SYS_VENDOR, "TUXEDO"), + DMI_MATCH(DMI_BOARD_NAME, "PULSE1501"), + }, + }, + { + .callback =3D video_detect_force_native, + .ident =3D "TongFang PF5LUXG", + .matches =3D { + DMI_MATCH(DMI_BOARD_NAME, "PF5LUXG"), + }, + }, /* * Desktops which falsely report a backlight and which our heuristics * for this do not catch. From nobody Sat Apr 11 15:26:32 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 6457BC19F2D for ; Tue, 9 Aug 2022 18:06:58 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1344839AbiHISG4 (ORCPT ); Tue, 9 Aug 2022 14:06:56 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:43632 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S244954AbiHISFz (ORCPT ); Tue, 9 Aug 2022 14:05:55 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 61F4C27FE9; Tue, 9 Aug 2022 11:02:45 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 9DA2761052; Tue, 9 Aug 2022 18:02:44 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 170AAC433D6; Tue, 9 Aug 2022 18:02:43 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1660068164; bh=yXd7a1cUrnNABJJH7d5iVOcQbSOFbG5yvXQbf4pNum4=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=M6b1uFbtfVngQ7uyU1KkFJAqJO8New8VgJumSqFidUMX+aKipL9gtfq03uTgQT2v5 fS62WDe3Rk+Ag6ajw6azF7mS6CxlPMcvZOWtY3uwco/hEi/KFHCEoIS8Nm6ZICSPPp 8QM0lStdmudWNb3IPoWgN9SWemIQ1U61yhhtBbeQ= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Werner Sembach , Hans de Goede , "Rafael J. Wysocki" Subject: [PATCH 4.19 29/32] ACPI: video: Shortening quirk list by identifying Clevo by board_name only Date: Tue, 9 Aug 2022 20:00:20 +0200 Message-Id: <20220809175513.999483881@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220809175513.082573955@linuxfoundation.org> References: <20220809175513.082573955@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Werner Sembach commit f0341e67b3782603737f7788e71bd3530012a4f4 upstream. Taking a recent change in the i8042 quirklist to this one: Clevo board_names are somewhat unique, and if not: The generic Board_-/Sys_Vendor string "Notebook" doesn't help much anyway. So identifying the devices just by the board_name helps keeping the list significantly shorter and might even hit more devices requiring the fix. Signed-off-by: Werner Sembach Fixes: c844d22fe0c0 ("ACPI: video: Force backlight native for Clevo NL5xRU = and NL5xNU") Cc: All applicable Reviewed-by: Hans de Goede Signed-off-by: Rafael J. Wysocki Signed-off-by: Greg Kroah-Hartman Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Pavel Machek (CIP) Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- drivers/acpi/video_detect.c | 34 ---------------------------------- 1 file changed, 34 deletions(-) --- a/drivers/acpi/video_detect.c +++ b/drivers/acpi/video_detect.c @@ -371,23 +371,6 @@ static const struct dmi_system_id video_ .callback =3D video_detect_force_native, .ident =3D "Clevo NL5xRU", .matches =3D { - DMI_MATCH(DMI_SYS_VENDOR, "TUXEDO"), - DMI_MATCH(DMI_BOARD_NAME, "NL5xRU"), - }, - }, - { - .callback =3D video_detect_force_native, - .ident =3D "Clevo NL5xRU", - .matches =3D { - DMI_MATCH(DMI_SYS_VENDOR, "SchenkerTechnologiesGmbH"), - DMI_MATCH(DMI_BOARD_NAME, "NL5xRU"), - }, - }, - { - .callback =3D video_detect_force_native, - .ident =3D "Clevo NL5xRU", - .matches =3D { - DMI_MATCH(DMI_SYS_VENDOR, "Notebook"), DMI_MATCH(DMI_BOARD_NAME, "NL5xRU"), }, }, @@ -411,23 +394,6 @@ static const struct dmi_system_id video_ .callback =3D video_detect_force_native, .ident =3D "Clevo NL5xNU", .matches =3D { - DMI_MATCH(DMI_SYS_VENDOR, "TUXEDO"), - DMI_MATCH(DMI_BOARD_NAME, "NL5xNU"), - }, - }, - { - .callback =3D video_detect_force_native, - .ident =3D "Clevo NL5xNU", - .matches =3D { - DMI_MATCH(DMI_SYS_VENDOR, "SchenkerTechnologiesGmbH"), - DMI_MATCH(DMI_BOARD_NAME, "NL5xNU"), - }, - }, - { - .callback =3D video_detect_force_native, - .ident =3D "Clevo NL5xNU", - .matches =3D { - DMI_MATCH(DMI_SYS_VENDOR, "Notebook"), DMI_MATCH(DMI_BOARD_NAME, "NL5xNU"), }, }, From nobody Sat Apr 11 15:26:32 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 03B6DC25B07 for ; Tue, 9 Aug 2022 18:07:10 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1344870AbiHISHI (ORCPT ); Tue, 9 Aug 2022 14:07:08 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:44024 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1344725AbiHISG3 (ORCPT ); Tue, 9 Aug 2022 14:06:29 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id C70E4286C1; Tue, 9 Aug 2022 11:02:49 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 72535B81719; Tue, 9 Aug 2022 18:02:48 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id D28F3C433B5; Tue, 9 Aug 2022 18:02:46 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1660068167; bh=gyTyTAtF0h1Lvq38jp5hMQsfBHPwxXXW/6W+y5fR1so=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=0bOkKXHjHLZaLlNkr9jagXcq4JW5AlaCiE2UAerwOPTOwCvJkYavQJT4fDjCFd1Oa eObjlg8RM7eN204KHIExHqo04efV+vkdsLGmsXTrscM1WFhdrB3O+0MIOBvueof94+ MhFvefD5x4u4ZVFJ6U+gJHblx8UQ+6iPWSTIbz98= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, stable , Ning Qiang , Kees Cook , Benjamin Herrenschmidt , Michael Ellerman Subject: [PATCH 4.19 30/32] macintosh/adb: fix oob read in do_adb_query() function Date: Tue, 9 Aug 2022 20:00:21 +0200 Message-Id: <20220809175514.029299291@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220809175513.082573955@linuxfoundation.org> References: <20220809175513.082573955@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Ning Qiang commit fd97e4ad6d3b0c9fce3bca8ea8e6969d9ce7423b upstream. In do_adb_query() function of drivers/macintosh/adb.c, req->data is copied form userland. The parameter "req->data[2]" is missing check, the array size of adb_handler[] is 16, so adb_handler[req->data[2]].original_address = and adb_handler[req->data[2]].handler_id will lead to oob read. Cc: stable Signed-off-by: Ning Qiang Reviewed-by: Kees Cook Reviewed-by: Greg Kroah-Hartman Acked-by: Benjamin Herrenschmidt Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20220713153734.2248-1-sohu0106@126.com Signed-off-by: Greg Kroah-Hartman Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Pavel Machek (CIP) Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- drivers/macintosh/adb.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/drivers/macintosh/adb.c +++ b/drivers/macintosh/adb.c @@ -645,7 +645,7 @@ do_adb_query(struct adb_request *req) =20 switch(req->data[1]) { case ADB_QUERY_GETDEVINFO: - if (req->nbytes < 3) + if (req->nbytes < 3 || req->data[2] >=3D 16) break; mutex_lock(&adb_handler_mutex); req->reply[0] =3D adb_handler[req->data[2]].original_address; From nobody Sat Apr 11 15:26:32 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 0F75EC25B0D for ; Tue, 9 Aug 2022 18:07:12 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1344882AbiHISHK (ORCPT ); Tue, 9 Aug 2022 14:07:10 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:42760 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1344730AbiHISG3 (ORCPT ); Tue, 9 Aug 2022 14:06:29 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 73A03286C5; Tue, 9 Aug 2022 11:02:50 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 47C3261009; Tue, 9 Aug 2022 18:02:50 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id B032FC43140; Tue, 9 Aug 2022 18:02:49 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1660068170; bh=8q69jngKFZcGJS7RtYrpA7h5Zupf4kN/O/KyQXbdxdY=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=aNIyY6CrjZf17DnIXXLPhgO/TMgvAjTXNCO9W/zcqdXwAHKiGzrhnd4IRCUlngzsG vSnh06lEtPFQ6bOijj4KgaQpg79NbcpNVkbbVceuw+wtolQQLxV+sLIvNjVgYWiBN9 zhnF0QW+Bq9vR8ubgiHShIpdwUkn6dxUWBVKZ0z0= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Daniel Sneddon , Pawan Gupta , Borislav Petkov Subject: [PATCH 4.19 31/32] x86/speculation: Add RSB VM Exit protections Date: Tue, 9 Aug 2022 20:00:22 +0200 Message-Id: <20220809175514.060533908@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220809175513.082573955@linuxfoundation.org> References: <20220809175513.082573955@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Daniel Sneddon commit 2b1299322016731d56807aa49254a5ea3080b6b3 upstream. tl;dr: The Enhanced IBRS mitigation for Spectre v2 does not work as documented for RET instructions after VM exits. Mitigate it with a new one-entry RSB stuffing mechanism and a new LFENCE. =3D=3D Background =3D=3D Indirect Branch Restricted Speculation (IBRS) was designed to help mitigate Branch Target Injection and Speculative Store Bypass, i.e. Spectre, attacks. IBRS prevents software run in less privileged modes from affecting branch prediction in more privileged modes. IBRS requires the MSR to be written on every privilege level change. To overcome some of the performance issues of IBRS, Enhanced IBRS was introduced. eIBRS is an "always on" IBRS, in other words, just turn it on once instead of writing the MSR on every privilege level change. When eIBRS is enabled, more privileged modes should be protected from less privileged modes, including protecting VMMs from guests. =3D=3D Problem =3D=3D Here's a simplification of how guests are run on Linux' KVM: void run_kvm_guest(void) { // Prepare to run guest VMRESUME(); // Clean up after guest runs } The execution flow for that would look something like this to the processor: 1. Host-side: call run_kvm_guest() 2. Host-side: VMRESUME 3. Guest runs, does "CALL guest_function" 4. VM exit, host runs again 5. Host might make some "cleanup" function calls 6. Host-side: RET from run_kvm_guest() Now, when back on the host, there are a couple of possible scenarios of post-guest activity the host needs to do before executing host code: * on pre-eIBRS hardware (legacy IBRS, or nothing at all), the RSB is not touched and Linux has to do a 32-entry stuffing. * on eIBRS hardware, VM exit with IBRS enabled, or restoring the host IBRS=3D1 shortly after VM exit, has a documented side effect of flushing the RSB except in this PBRSB situation where the software needs to stuff the last RSB entry "by hand". IOW, with eIBRS supported, host RET instructions should no longer be influenced by guest behavior after the host retires a single CALL instruction. However, if the RET instructions are "unbalanced" with CALLs after a VM exit as is the RET in #6, it might speculatively use the address for the instruction after the CALL in #3 as an RSB prediction. This is a problem since the (untrusted) guest controls this address. Balanced CALL/RET instruction pairs such as in step #5 are not affected. =3D=3D Solution =3D=3D The PBRSB issue affects a wide variety of Intel processors which support eIBRS. But not all of them need mitigation. Today, X86_FEATURE_RETPOLINE triggers an RSB filling sequence that mitigates PBRSB. Systems setting RETPOLINE need no further mitigation - i.e., eIBRS systems which enable retpoline explicitly. However, such systems (X86_FEATURE_IBRS_ENHANCED) do not set RETPOLINE and most of them need a new mitigation. Therefore, introduce a new feature flag X86_FEATURE_RSB_VMEXIT_LITE which triggers a lighter-weight PBRSB mitigation versus RSB Filling at vmexit. The lighter-weight mitigation performs a CALL instruction which is immediately followed by a speculative execution barrier (INT3). This steers speculative execution to the barrier -- just like a retpoline -- which ensures that speculation can never reach an unbalanced RET. Then, ensure this CALL is retired before continuing execution with an LFENCE. In other words, the window of exposure is opened at VM exit where RET behavior is troublesome. While the window is open, force RSB predictions sampling for RET targets to a dead end at the INT3. Close the window with the LFENCE. There is a subset of eIBRS systems which are not vulnerable to PBRSB. Add these systems to the cpu_vuln_whitelist[] as NO_EIBRS_PBRSB. Future systems that aren't vulnerable will set ARCH_CAP_PBRSB_NO. [ bp: Massage, incorporate review comments from Andy Cooper. ] [ Pawan: Update commit message to replace RSB_VMEXIT with RETPOLINE ] Signed-off-by: Daniel Sneddon Co-developed-by: Pawan Gupta Signed-off-by: Pawan Gupta Signed-off-by: Borislav Petkov Signed-off-by: Greg Kroah-Hartman Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Pavel Machek (CIP) Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- Documentation/admin-guide/hw-vuln/spectre.rst | 8 +++ arch/x86/include/asm/cpufeatures.h | 2=20 arch/x86/include/asm/msr-index.h | 4 + arch/x86/include/asm/nospec-branch.h | 15 ++++++ arch/x86/kernel/cpu/bugs.c | 61 +++++++++++++++++++++= ++++- arch/x86/kernel/cpu/common.c | 12 ++++- arch/x86/kvm/vmx.c | 6 +- 7 files changed, 102 insertions(+), 6 deletions(-) --- a/Documentation/admin-guide/hw-vuln/spectre.rst +++ b/Documentation/admin-guide/hw-vuln/spectre.rst @@ -422,6 +422,14 @@ The possible values in this file are: 'RSB filling' Protection of RSB on context switch enabled =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D =20 + - EIBRS Post-barrier Return Stack Buffer (PBRSB) protection status: + + =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D + 'PBRSB-eIBRS: SW sequence' CPU is affected and protection of RSB on VM= EXIT enabled + 'PBRSB-eIBRS: Vulnerable' CPU is vulnerable + 'PBRSB-eIBRS: Not affected' CPU is not affected by PBRSB + =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D + Full mitigation might require a microcode update from the CPU vendor. When the necessary microcode is not available, the kernel will report vulnerability. --- a/arch/x86/include/asm/cpufeatures.h +++ b/arch/x86/include/asm/cpufeatures.h @@ -283,6 +283,7 @@ #define X86_FEATURE_CQM_MBM_LOCAL (11*32+ 3) /* LLC Local MBM monitoring */ #define X86_FEATURE_FENCE_SWAPGS_USER (11*32+ 4) /* "" LFENCE in user entr= y SWAPGS path */ #define X86_FEATURE_FENCE_SWAPGS_KERNEL (11*32+ 5) /* "" LFENCE in kernel = entry SWAPGS path */ +#define X86_FEATURE_RSB_VMEXIT_LITE (11*32+ 6) /* "" Fill RSB on VM exit w= hen EIBRS is enabled */ =20 /* AMD-defined CPU features, CPUID level 0x80000008 (EBX), word 13 */ #define X86_FEATURE_CLZERO (13*32+ 0) /* CLZERO instruction */ @@ -395,5 +396,6 @@ #define X86_BUG_ITLB_MULTIHIT X86_BUG(23) /* CPU may incur MCE during cer= tain page attribute changes */ #define X86_BUG_SRBDS X86_BUG(24) /* CPU may leak RNG bits if not mitiga= ted */ #define X86_BUG_MMIO_STALE_DATA X86_BUG(25) /* CPU is affected by Process= or MMIO Stale Data vulnerabilities */ +#define X86_BUG_EIBRS_PBRSB X86_BUG(26) /* EIBRS is vulnerable to Post Ba= rrier RSB Predictions */ =20 #endif /* _ASM_X86_CPUFEATURES_H */ --- a/arch/x86/include/asm/msr-index.h +++ b/arch/x86/include/asm/msr-index.h @@ -120,6 +120,10 @@ * bit available to control VERW * behavior. */ +#define ARCH_CAP_PBRSB_NO BIT(24) /* + * Not susceptible to Post-Barrier + * Return Stack Buffer Predictions. + */ =20 #define MSR_IA32_FLUSH_CMD 0x0000010b #define L1D_FLUSH BIT(0) /* --- a/arch/x86/include/asm/nospec-branch.h +++ b/arch/x86/include/asm/nospec-branch.h @@ -54,6 +54,14 @@ jnz 771b; \ add $(BITS_PER_LONG/8) * nr, sp; =20 +/* Sequence to mitigate PBRSB on eIBRS CPUs */ +#define __ISSUE_UNBALANCED_RET_GUARD(sp) \ + call 881f; \ + int3; \ +881: \ + add $(BITS_PER_LONG/8), sp; \ + lfence; + #ifdef __ASSEMBLY__ =20 /* @@ -269,6 +277,13 @@ static inline void vmexit_fill_RSB(void) : "=3Dr" (loops), ASM_CALL_CONSTRAINT : : "memory" ); #endif + asm volatile (ANNOTATE_NOSPEC_ALTERNATIVE + ALTERNATIVE("jmp 920f", + __stringify(__ISSUE_UNBALANCED_RET_GUARD(%0)), + X86_FEATURE_RSB_VMEXIT_LITE) + "920:" + : ASM_CALL_CONSTRAINT + : : "memory" ); } =20 static __always_inline --- a/arch/x86/kernel/cpu/bugs.c +++ b/arch/x86/kernel/cpu/bugs.c @@ -1043,6 +1043,49 @@ static enum spectre_v2_mitigation __init return SPECTRE_V2_RETPOLINE; } =20 +static void __init spectre_v2_determine_rsb_fill_type_at_vmexit(enum spect= re_v2_mitigation mode) +{ + /* + * Similar to context switches, there are two types of RSB attacks + * after VM exit: + * + * 1) RSB underflow + * + * 2) Poisoned RSB entry + * + * When retpoline is enabled, both are mitigated by filling/clearing + * the RSB. + * + * When IBRS is enabled, while #1 would be mitigated by the IBRS branch + * prediction isolation protections, RSB still needs to be cleared + * because of #2. Note that SMEP provides no protection here, unlike + * user-space-poisoned RSB entries. + * + * eIBRS should protect against RSB poisoning, but if the EIBRS_PBRSB + * bug is present then a LITE version of RSB protection is required, + * just a single call needs to retire before a RET is executed. + */ + switch (mode) { + case SPECTRE_V2_NONE: + /* These modes already fill RSB at vmexit */ + case SPECTRE_V2_LFENCE: + case SPECTRE_V2_RETPOLINE: + case SPECTRE_V2_EIBRS_RETPOLINE: + return; + + case SPECTRE_V2_EIBRS_LFENCE: + case SPECTRE_V2_EIBRS: + if (boot_cpu_has_bug(X86_BUG_EIBRS_PBRSB)) { + setup_force_cpu_cap(X86_FEATURE_RSB_VMEXIT_LITE); + pr_info("Spectre v2 / PBRSB-eIBRS: Retire a single CALL on VMEXIT\n"); + } + return; + } + + pr_warn_once("Unknown Spectre v2 mode, disabling RSB mitigation at VM exi= t"); + dump_stack(); +} + static void __init spectre_v2_select_mitigation(void) { enum spectre_v2_mitigation_cmd cmd =3D spectre_v2_parse_cmdline(); @@ -1135,6 +1178,8 @@ static void __init spectre_v2_select_mit setup_force_cpu_cap(X86_FEATURE_RSB_CTXSW); pr_info("Spectre v2 / SpectreRSB mitigation: Filling RSB on context switc= h\n"); =20 + spectre_v2_determine_rsb_fill_type_at_vmexit(mode); + /* * Retpoline means the kernel is safe because it has no indirect * branches. Enhanced IBRS protects firmware too, so, enable restricted @@ -1867,6 +1912,19 @@ static char *ibpb_state(void) return ""; } =20 +static char *pbrsb_eibrs_state(void) +{ + if (boot_cpu_has_bug(X86_BUG_EIBRS_PBRSB)) { + if (boot_cpu_has(X86_FEATURE_RSB_VMEXIT_LITE) || + boot_cpu_has(X86_FEATURE_RETPOLINE)) + return ", PBRSB-eIBRS: SW sequence"; + else + return ", PBRSB-eIBRS: Vulnerable"; + } else { + return ", PBRSB-eIBRS: Not affected"; + } +} + static ssize_t spectre_v2_show_state(char *buf) { if (spectre_v2_enabled =3D=3D SPECTRE_V2_LFENCE) @@ -1879,12 +1937,13 @@ static ssize_t spectre_v2_show_state(cha spectre_v2_enabled =3D=3D SPECTRE_V2_EIBRS_LFENCE) return sprintf(buf, "Vulnerable: eIBRS+LFENCE with unprivileged eBPF and= SMT\n"); =20 - return sprintf(buf, "%s%s%s%s%s%s\n", + return sprintf(buf, "%s%s%s%s%s%s%s\n", spectre_v2_strings[spectre_v2_enabled], ibpb_state(), boot_cpu_has(X86_FEATURE_USE_IBRS_FW) ? ", IBRS_FW" : "", stibp_state(), boot_cpu_has(X86_FEATURE_RSB_CTXSW) ? ", RSB filling" : "", + pbrsb_eibrs_state(), spectre_v2_module_string()); } =20 --- a/arch/x86/kernel/cpu/common.c +++ b/arch/x86/kernel/cpu/common.c @@ -954,6 +954,7 @@ static void identify_cpu_without_cpuid(s #define MSBDS_ONLY BIT(5) #define NO_SWAPGS BIT(6) #define NO_ITLB_MULTIHIT BIT(7) +#define NO_EIBRS_PBRSB BIT(8) =20 #define VULNWL(_vendor, _family, _model, _whitelist) \ { X86_VENDOR_##_vendor, _family, _model, X86_FEATURE_ANY, _whitelist } @@ -990,7 +991,7 @@ static const __initconst struct x86_cpu_ =20 VULNWL_INTEL(ATOM_GOLDMONT, NO_MDS | NO_L1TF | NO_SWAPGS | NO_ITLB_MULTI= HIT), VULNWL_INTEL(ATOM_GOLDMONT_X, NO_MDS | NO_L1TF | NO_SWAPGS | NO_ITLB_MUL= TIHIT), - VULNWL_INTEL(ATOM_GOLDMONT_PLUS, NO_MDS | NO_L1TF | NO_SWAPGS | NO_ITLB_M= ULTIHIT), + VULNWL_INTEL(ATOM_GOLDMONT_PLUS, NO_MDS | NO_L1TF | NO_SWAPGS | NO_ITLB_M= ULTIHIT | NO_EIBRS_PBRSB), =20 /* * Technically, swapgs isn't serializing on AMD (despite it previously @@ -1000,7 +1001,9 @@ static const __initconst struct x86_cpu_ * good enough for our purposes. */ =20 - VULNWL_INTEL(ATOM_TREMONT_X, NO_ITLB_MULTIHIT), + VULNWL_INTEL(ATOM_TREMONT, NO_EIBRS_PBRSB), + VULNWL_INTEL(ATOM_TREMONT_L, NO_EIBRS_PBRSB), + VULNWL_INTEL(ATOM_TREMONT_X, NO_ITLB_MULTIHIT | NO_EIBRS_PBRSB), =20 /* AMD Family 0xf - 0x12 */ VULNWL_AMD(0x0f, NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS | NO_SWAPGS | NO= _ITLB_MULTIHIT), @@ -1154,6 +1157,11 @@ static void __init cpu_set_bug_bits(stru !arch_cap_mmio_immune(ia32_cap)) setup_force_cpu_bug(X86_BUG_MMIO_STALE_DATA); =20 + if (cpu_has(c, X86_FEATURE_IBRS_ENHANCED) && + !cpu_matches(cpu_vuln_whitelist, NO_EIBRS_PBRSB) && + !(ia32_cap & ARCH_CAP_PBRSB_NO)) + setup_force_cpu_bug(X86_BUG_EIBRS_PBRSB); + if (cpu_matches(cpu_vuln_whitelist, NO_MELTDOWN)) return; =20 --- a/arch/x86/kvm/vmx.c +++ b/arch/x86/kvm/vmx.c @@ -10988,6 +10988,9 @@ static void __noclone vmx_vcpu_run(struc #endif ); =20 + /* Eliminate branch target predictions from guest mode */ + vmexit_fill_RSB(); + vmx_enable_fb_clear(vmx); =20 /* @@ -11010,9 +11013,6 @@ static void __noclone vmx_vcpu_run(struc =20 x86_spec_ctrl_restore_host(vmx->spec_ctrl, 0); =20 - /* Eliminate branch target predictions from guest mode */ - vmexit_fill_RSB(); - /* All fields are clean at this point */ if (static_branch_unlikely(&enable_evmcs)) current_evmcs->hv_clean_fields |=3D From nobody Sat Apr 11 15:26:32 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id F2AB3C19F2D for ; Tue, 9 Aug 2022 18:07:17 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1344890AbiHISHO (ORCPT ); Tue, 9 Aug 2022 14:07:14 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:44216 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1344757AbiHISGh (ORCPT ); Tue, 9 Aug 2022 14:06:37 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 71AFB20192; Tue, 9 Aug 2022 11:02:55 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 03BDBB8171A; Tue, 9 Aug 2022 18:02:54 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 67F98C43470; Tue, 9 Aug 2022 18:02:52 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1660068172; bh=GKZ5PKCQqTqdXrWsuss0Jv7382G5VfbXuBTColpUSUw=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=bd2P/pI7IbN64JhdOaUW7w7+6K+L6BOV4AqHZbb1WqD/Kd5q9A3VVIZKRZEDEYpSe dFnDkGphnhi5Z3iTAYEFBPIjDXWs6lcj93qkwi6+UzOE5t1g+bwk/uarWx3mxMUJUy MgZe+B3SD1vf40YFcMVzuqvUAgHbiqeLGyG+LBoc= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Andrew Cooper , Pawan Gupta , Borislav Petkov Subject: [PATCH 4.19 32/32] x86/speculation: Add LFENCE to RSB fill sequence Date: Tue, 9 Aug 2022 20:00:23 +0200 Message-Id: <20220809175514.089995381@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220809175513.082573955@linuxfoundation.org> References: <20220809175513.082573955@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Pawan Gupta commit ba6e31af2be96c4d0536f2152ed6f7b6c11bca47 upstream. RSB fill sequence does not have any protection for miss-prediction of conditional branch at the end of the sequence. CPU can speculatively execute code immediately after the sequence, while RSB filling hasn't completed yet. #define __FILL_RETURN_BUFFER(reg, nr, sp) \ mov $(nr/2), reg; \ 771: \ call 772f; \ 773: /* speculation trap */ \ pause; \ lfence; \ jmp 773b; \ 772: \ call 774f; \ 775: /* speculation trap */ \ pause; \ lfence; \ jmp 775b; \ 774: \ dec reg; \ jnz 771b; <----- CPU can miss-predict here. \ add $(BITS_PER_LONG/8) * nr, sp; Before RSB is filled, RETs that come in program order after this macro can be executed speculatively, making them vulnerable to RSB-based attacks. Mitigate it by adding an LFENCE after the conditional branch to prevent speculation while RSB is being filled. Suggested-by: Andrew Cooper Signed-off-by: Pawan Gupta Signed-off-by: Borislav Petkov Signed-off-by: Greg Kroah-Hartman Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Pavel Machek (CIP) Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- arch/x86/include/asm/nospec-branch.h | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) --- a/arch/x86/include/asm/nospec-branch.h +++ b/arch/x86/include/asm/nospec-branch.h @@ -52,7 +52,9 @@ 774: \ dec reg; \ jnz 771b; \ - add $(BITS_PER_LONG/8) * nr, sp; + add $(BITS_PER_LONG/8) * nr, sp; \ + /* barrier for jnz misprediction */ \ + lfence; =20 /* Sequence to mitigate PBRSB on eIBRS CPUs */ #define __ISSUE_UNBALANCED_RET_GUARD(sp) \