]> git.ipfire.org Git - thirdparty/kernel/stable-queue.git/commitdiff
4.18-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 20 Sep 2018 05:25:03 +0000 (07:25 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 20 Sep 2018 05:25:03 +0000 (07:25 +0200)
added patches:
be2net-fix-memory-leak-in-be_cmd_get_profile_config.patch
erspan-fix-error-handling-for-erspan-tunnel.patch
erspan-return-packet_reject-when-the-appropriate-tunnel-is-not-found.patch
net-mlx5-check-for-error-in-mlx5_attach_interface.patch
net-mlx5-e-switch-fix-memory-leak-when-creating-switchdev-mode-fdb-tables.patch
net-mlx5-fix-debugfs-cleanup-in-the-device-init-remove-flow.patch
net-mlx5-fix-not-releasing-read-lock-when-adding-flow-rules.patch
net-mlx5-fix-possible-deadlock-from-lockdep-when-adding-fte-to-fg.patch
net-mlx5-fix-use-after-free-in-self-healing-flow.patch
net-mlx5-use-u16-for-work-queue-buffer-fragment-size.patch
net-qca_spi-fix-race-condition-in-spi-transfers.patch
net-tls-set-count-of-sg-entries-if-sk_alloc_sg-returns-enospc.patch
rds-fix-two-rcu-related-problems.patch
tcp-really-ignore-msg_zerocopy-if-no-so_zerocopy.patch
tipc-orphan-sock-in-tipc_release.patch

15 files changed:
queue-4.18/be2net-fix-memory-leak-in-be_cmd_get_profile_config.patch [new file with mode: 0644]
queue-4.18/erspan-fix-error-handling-for-erspan-tunnel.patch [new file with mode: 0644]
queue-4.18/erspan-return-packet_reject-when-the-appropriate-tunnel-is-not-found.patch [new file with mode: 0644]
queue-4.18/net-mlx5-check-for-error-in-mlx5_attach_interface.patch [new file with mode: 0644]
queue-4.18/net-mlx5-e-switch-fix-memory-leak-when-creating-switchdev-mode-fdb-tables.patch [new file with mode: 0644]
queue-4.18/net-mlx5-fix-debugfs-cleanup-in-the-device-init-remove-flow.patch [new file with mode: 0644]
queue-4.18/net-mlx5-fix-not-releasing-read-lock-when-adding-flow-rules.patch [new file with mode: 0644]
queue-4.18/net-mlx5-fix-possible-deadlock-from-lockdep-when-adding-fte-to-fg.patch [new file with mode: 0644]
queue-4.18/net-mlx5-fix-use-after-free-in-self-healing-flow.patch [new file with mode: 0644]
queue-4.18/net-mlx5-use-u16-for-work-queue-buffer-fragment-size.patch [new file with mode: 0644]
queue-4.18/net-qca_spi-fix-race-condition-in-spi-transfers.patch [new file with mode: 0644]
queue-4.18/net-tls-set-count-of-sg-entries-if-sk_alloc_sg-returns-enospc.patch [new file with mode: 0644]
queue-4.18/rds-fix-two-rcu-related-problems.patch [new file with mode: 0644]
queue-4.18/tcp-really-ignore-msg_zerocopy-if-no-so_zerocopy.patch [new file with mode: 0644]
queue-4.18/tipc-orphan-sock-in-tipc_release.patch [new file with mode: 0644]

diff --git a/queue-4.18/be2net-fix-memory-leak-in-be_cmd_get_profile_config.patch b/queue-4.18/be2net-fix-memory-leak-in-be_cmd_get_profile_config.patch
new file mode 100644 (file)
index 0000000..b73081b
--- /dev/null
@@ -0,0 +1,31 @@
+From foo@baz Thu Sep 20 07:23:37 CEST 2018
+From: Petr Oros <poros@redhat.com>
+Date: Wed, 5 Sep 2018 14:37:45 +0200
+Subject: be2net: Fix memory leak in be_cmd_get_profile_config()
+
+From: Petr Oros <poros@redhat.com>
+
+[ Upstream commit 9d7f19dc4673fbafebfcbf30eb90e09fa7d1c037 ]
+
+DMA allocated memory is lost in be_cmd_get_profile_config() when we
+call it with non-NULL port_res parameter.
+
+Signed-off-by: Petr Oros <poros@redhat.com>
+Reviewed-by: Ivan Vecera <ivecera@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/emulex/benet/be_cmds.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/emulex/benet/be_cmds.c
++++ b/drivers/net/ethernet/emulex/benet/be_cmds.c
+@@ -4500,7 +4500,7 @@ int be_cmd_get_profile_config(struct be_
+                               port_res->max_vfs += le16_to_cpu(pcie->num_vfs);
+                       }
+               }
+-              return status;
++              goto err;
+       }
+       pcie = be_get_pcie_desc(resp->func_param, desc_count,
diff --git a/queue-4.18/erspan-fix-error-handling-for-erspan-tunnel.patch b/queue-4.18/erspan-fix-error-handling-for-erspan-tunnel.patch
new file mode 100644 (file)
index 0000000..7a25181
--- /dev/null
@@ -0,0 +1,34 @@
+From foo@baz Thu Sep 20 07:23:37 CEST 2018
+From: Haishuang Yan <yanhaishuang@cmss.chinamobile.com>
+Date: Mon, 10 Sep 2018 22:19:48 +0800
+Subject: erspan: fix error handling for erspan tunnel
+
+From: Haishuang Yan <yanhaishuang@cmss.chinamobile.com>
+
+[ Upstream commit 51dc63e3911fbb1f0a7a32da2fe56253e2040ea4 ]
+
+When processing icmp unreachable message for erspan tunnel, tunnel id
+should be erspan_net_id instead of ipgre_net_id.
+
+Fixes: 84e54fe0a5ea ("gre: introduce native tunnel support for ERSPAN")
+Cc: William Tu <u9012063@gmail.com>
+Signed-off-by: Haishuang Yan <yanhaishuang@cmss.chinamobile.com>
+Acked-by: William Tu <u9012063@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/ip_gre.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/ipv4/ip_gre.c
++++ b/net/ipv4/ip_gre.c
+@@ -178,6 +178,9 @@ static void ipgre_err(struct sk_buff *sk
+       if (tpi->proto == htons(ETH_P_TEB))
+               itn = net_generic(net, gre_tap_net_id);
++      else if (tpi->proto == htons(ETH_P_ERSPAN) ||
++               tpi->proto == htons(ETH_P_ERSPAN2))
++              itn = net_generic(net, erspan_net_id);
+       else
+               itn = net_generic(net, ipgre_net_id);
diff --git a/queue-4.18/erspan-return-packet_reject-when-the-appropriate-tunnel-is-not-found.patch b/queue-4.18/erspan-return-packet_reject-when-the-appropriate-tunnel-is-not-found.patch
new file mode 100644 (file)
index 0000000..1fe7b08
--- /dev/null
@@ -0,0 +1,33 @@
+From foo@baz Thu Sep 20 07:23:37 CEST 2018
+From: Haishuang Yan <yanhaishuang@cmss.chinamobile.com>
+Date: Mon, 10 Sep 2018 22:19:47 +0800
+Subject: erspan: return PACKET_REJECT when the appropriate tunnel is not found
+
+From: Haishuang Yan <yanhaishuang@cmss.chinamobile.com>
+
+[ Upstream commit 5a64506b5c2c3cdb29d817723205330378075448 ]
+
+If erspan tunnel hasn't been established, we'd better send icmp port
+unreachable message after receive erspan packets.
+
+Fixes: 84e54fe0a5ea ("gre: introduce native tunnel support for ERSPAN")
+Cc: William Tu <u9012063@gmail.com>
+Signed-off-by: Haishuang Yan <yanhaishuang@cmss.chinamobile.com>
+Acked-by: William Tu <u9012063@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/ip_gre.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/ipv4/ip_gre.c
++++ b/net/ipv4/ip_gre.c
+@@ -331,6 +331,8 @@ static int erspan_rcv(struct sk_buff *sk
+               ip_tunnel_rcv(tunnel, skb, tpi, tun_dst, log_ecn_error);
+               return PACKET_RCVD;
+       }
++      return PACKET_REJECT;
++
+ drop:
+       kfree_skb(skb);
+       return PACKET_RCVD;
diff --git a/queue-4.18/net-mlx5-check-for-error-in-mlx5_attach_interface.patch b/queue-4.18/net-mlx5-check-for-error-in-mlx5_attach_interface.patch
new file mode 100644 (file)
index 0000000..f12fc4f
--- /dev/null
@@ -0,0 +1,59 @@
+From foo@baz Thu Sep 20 07:23:37 CEST 2018
+From: Huy Nguyen <huyn@mellanox.com>
+Date: Wed, 15 Aug 2018 11:08:48 -0500
+Subject: net/mlx5: Check for error in mlx5_attach_interface
+
+From: Huy Nguyen <huyn@mellanox.com>
+
+[ Upstream commit 47bc94b82291e007da61ee1b3d18c77871f3e158 ]
+
+Currently, mlx5_attach_interface does not check for error
+after calling intf->attach or intf->add. When these two calls
+fails, the client is not initialized and will cause issues such as
+kernel panic on invalid address in the teardown path (mlx5_detach_interface)
+
+Fixes: 737a234bb638 ("net/mlx5: Introduce attach/detach to interface API")
+Signed-off-by: Huy Nguyen <huyn@mellanox.com>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/dev.c |   15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/dev.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/dev.c
+@@ -132,11 +132,11 @@ void mlx5_add_device(struct mlx5_interfa
+       delayed_event_start(priv);
+       dev_ctx->context = intf->add(dev);
+-      set_bit(MLX5_INTERFACE_ADDED, &dev_ctx->state);
+-      if (intf->attach)
+-              set_bit(MLX5_INTERFACE_ATTACHED, &dev_ctx->state);
+-
+       if (dev_ctx->context) {
++              set_bit(MLX5_INTERFACE_ADDED, &dev_ctx->state);
++              if (intf->attach)
++                      set_bit(MLX5_INTERFACE_ATTACHED, &dev_ctx->state);
++
+               spin_lock_irq(&priv->ctx_lock);
+               list_add_tail(&dev_ctx->list, &priv->ctx_list);
+@@ -211,12 +211,17 @@ static void mlx5_attach_interface(struct
+       if (intf->attach) {
+               if (test_bit(MLX5_INTERFACE_ATTACHED, &dev_ctx->state))
+                       goto out;
+-              intf->attach(dev, dev_ctx->context);
++              if (intf->attach(dev, dev_ctx->context))
++                      goto out;
++
+               set_bit(MLX5_INTERFACE_ATTACHED, &dev_ctx->state);
+       } else {
+               if (test_bit(MLX5_INTERFACE_ADDED, &dev_ctx->state))
+                       goto out;
+               dev_ctx->context = intf->add(dev);
++              if (!dev_ctx->context)
++                      goto out;
++
+               set_bit(MLX5_INTERFACE_ADDED, &dev_ctx->state);
+       }
diff --git a/queue-4.18/net-mlx5-e-switch-fix-memory-leak-when-creating-switchdev-mode-fdb-tables.patch b/queue-4.18/net-mlx5-e-switch-fix-memory-leak-when-creating-switchdev-mode-fdb-tables.patch
new file mode 100644 (file)
index 0000000..ff5155f
--- /dev/null
@@ -0,0 +1,31 @@
+From foo@baz Thu Sep 20 07:23:37 CEST 2018
+From: Raed Salem <raeds@mellanox.com>
+Date: Tue, 21 Aug 2018 15:22:42 +0300
+Subject: net/mlx5: E-Switch, Fix memory leak when creating switchdev mode FDB tables
+
+From: Raed Salem <raeds@mellanox.com>
+
+[ Upstream commit c88a026e01219488e745f4f0267fd76c2bb68421 ]
+
+The memory allocated for the slow path table flow group input structure
+was not freed upon successful return, fix that.
+
+Fixes: 1967ce6ea5c8 ("net/mlx5: E-Switch, Refactor fast path FDB table creation in switchdev mode")
+Signed-off-by: Raed Salem <raeds@mellanox.com>
+Reviewed-by: Or Gerlitz <ogerlitz@mellanox.com>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c
+@@ -658,6 +658,7 @@ static int esw_create_offloads_fdb_table
+       if (err)
+               goto miss_rule_err;
++      kvfree(flow_group_in);
+       return 0;
+ miss_rule_err:
diff --git a/queue-4.18/net-mlx5-fix-debugfs-cleanup-in-the-device-init-remove-flow.patch b/queue-4.18/net-mlx5-fix-debugfs-cleanup-in-the-device-init-remove-flow.patch
new file mode 100644 (file)
index 0000000..c842cf9
--- /dev/null
@@ -0,0 +1,55 @@
+From foo@baz Thu Sep 20 07:23:37 CEST 2018
+From: Jack Morgenstein <jackm@dev.mellanox.co.il>
+Date: Tue, 7 Aug 2018 09:59:03 +0300
+Subject: net/mlx5: Fix debugfs cleanup in the device init/remove flow
+
+From: Jack Morgenstein <jackm@dev.mellanox.co.il>
+
+[ Upstream commit 5df816e7f43f1297c40021ef17ec6e722b45c82f ]
+
+When initializing the device (procedure init_one), the driver
+calls mlx5_pci_init to perform pci initialization. As part of this
+initialization, mlx5_pci_init creates a debugfs directory.
+If this creation fails, init_one aborts, returning failure to
+the caller (which is the probe method caller).
+
+The main reason for such a failure to occur is if the debugfs
+directory already exists. This can happen if the last time
+mlx5_pci_close was called, debugfs_remove (silently) failed due
+to the debugfs directory not being empty.
+
+Guarantee that such a debugfs_remove failure will not occur by
+instead calling debugfs_remove_recursive in procedure mlx5_pci_close.
+
+Fixes: 59211bd3b632 ("net/mlx5: Split the load/unload flow into hardware and software flows")
+Signed-off-by: Jack Morgenstein <jackm@dev.mellanox.co.il>
+Reviewed-by: Daniel Jurgens <danielj@mellanox.com>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/main.c |    6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/main.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/main.c
+@@ -874,8 +874,10 @@ static int mlx5_pci_init(struct mlx5_cor
+       priv->numa_node = dev_to_node(&dev->pdev->dev);
+       priv->dbg_root = debugfs_create_dir(dev_name(&pdev->dev), mlx5_debugfs_root);
+-      if (!priv->dbg_root)
++      if (!priv->dbg_root) {
++              dev_err(&pdev->dev, "Cannot create debugfs dir, aborting\n");
+               return -ENOMEM;
++      }
+       err = mlx5_pci_enable_device(dev);
+       if (err) {
+@@ -924,7 +926,7 @@ static void mlx5_pci_close(struct mlx5_c
+       pci_clear_master(dev->pdev);
+       release_bar(dev->pdev);
+       mlx5_pci_disable_device(dev);
+-      debugfs_remove(priv->dbg_root);
++      debugfs_remove_recursive(priv->dbg_root);
+ }
+ static int mlx5_init_once(struct mlx5_core_dev *dev, struct mlx5_priv *priv)
diff --git a/queue-4.18/net-mlx5-fix-not-releasing-read-lock-when-adding-flow-rules.patch b/queue-4.18/net-mlx5-fix-not-releasing-read-lock-when-adding-flow-rules.patch
new file mode 100644 (file)
index 0000000..99022d7
--- /dev/null
@@ -0,0 +1,33 @@
+From foo@baz Thu Sep 20 07:23:37 CEST 2018
+From: Roi Dayan <roid@mellanox.com>
+Date: Sun, 19 Aug 2018 08:56:09 +0300
+Subject: net/mlx5: Fix not releasing read lock when adding flow rules
+
+From: Roi Dayan <roid@mellanox.com>
+
+[ Upstream commit 071304772fc747d5df13c51f1cf48a4b922a5e0d ]
+
+If building match list fg fails and we never jumped to
+search_again_locked label then the function returned without
+unlocking the read lock.
+
+Fixes: bd71b08ec2ee ("net/mlx5: Support multiple updates of steering rules in parallel")
+Signed-off-by: Roi Dayan <roid@mellanox.com>
+Reviewed-by: Maor Gottlieb <maorg@mellanox.com>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/fs_core.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c
+@@ -1797,6 +1797,8 @@ search_again_locked:
+       if (err) {
+               if (take_write)
+                       up_write_ref_node(&ft->node);
++              else
++                      up_read_ref_node(&ft->node);
+               return ERR_PTR(err);
+       }
diff --git a/queue-4.18/net-mlx5-fix-possible-deadlock-from-lockdep-when-adding-fte-to-fg.patch b/queue-4.18/net-mlx5-fix-possible-deadlock-from-lockdep-when-adding-fte-to-fg.patch
new file mode 100644 (file)
index 0000000..eb8703a
--- /dev/null
@@ -0,0 +1,157 @@
+From foo@baz Thu Sep 20 07:23:37 CEST 2018
+From: Roi Dayan <roid@mellanox.com>
+Date: Mon, 20 Aug 2018 11:43:03 +0300
+Subject: net/mlx5: Fix possible deadlock from lockdep when adding fte to fg
+
+From: Roi Dayan <roid@mellanox.com>
+
+[ Upstream commit ad9421e36a77056a4f095d49b9605e80b4d216ed ]
+
+This is a false positive report due to incorrect nested lock
+annotations as we lock multiple fgs with the same subclass.
+Instead of locking all fgs only lock the one being used as was
+done before.
+
+Fixes: bd71b08ec2ee ("net/mlx5: Support multiple updates of steering rules in parallel")
+Signed-off-by: Roi Dayan <roid@mellanox.com>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/fs_core.c |   74 +++++++++++-----------
+ 1 file changed, 37 insertions(+), 37 deletions(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c
+@@ -1649,6 +1649,33 @@ static u64 matched_fgs_get_version(struc
+       return version;
+ }
++static struct fs_fte *
++lookup_fte_locked(struct mlx5_flow_group *g,
++                u32 *match_value,
++                bool take_write)
++{
++      struct fs_fte *fte_tmp;
++
++      if (take_write)
++              nested_down_write_ref_node(&g->node, FS_LOCK_PARENT);
++      else
++              nested_down_read_ref_node(&g->node, FS_LOCK_PARENT);
++      fte_tmp = rhashtable_lookup_fast(&g->ftes_hash, match_value,
++                                       rhash_fte);
++      if (!fte_tmp || !tree_get_node(&fte_tmp->node)) {
++              fte_tmp = NULL;
++              goto out;
++      }
++
++      nested_down_write_ref_node(&fte_tmp->node, FS_LOCK_CHILD);
++out:
++      if (take_write)
++              up_write_ref_node(&g->node);
++      else
++              up_read_ref_node(&g->node);
++      return fte_tmp;
++}
++
+ static struct mlx5_flow_handle *
+ try_add_to_existing_fg(struct mlx5_flow_table *ft,
+                      struct list_head *match_head,
+@@ -1671,10 +1698,6 @@ try_add_to_existing_fg(struct mlx5_flow_
+       if (IS_ERR(fte))
+               return  ERR_PTR(-ENOMEM);
+-      list_for_each_entry(iter, match_head, list) {
+-              nested_down_read_ref_node(&iter->g->node, FS_LOCK_PARENT);
+-      }
+-
+ search_again_locked:
+       version = matched_fgs_get_version(match_head);
+       /* Try to find a fg that already contains a matching fte */
+@@ -1682,20 +1705,9 @@ search_again_locked:
+               struct fs_fte *fte_tmp;
+               g = iter->g;
+-              fte_tmp = rhashtable_lookup_fast(&g->ftes_hash, spec->match_value,
+-                                               rhash_fte);
+-              if (!fte_tmp || !tree_get_node(&fte_tmp->node))
++              fte_tmp = lookup_fte_locked(g, spec->match_value, take_write);
++              if (!fte_tmp)
+                       continue;
+-
+-              nested_down_write_ref_node(&fte_tmp->node, FS_LOCK_CHILD);
+-              if (!take_write) {
+-                      list_for_each_entry(iter, match_head, list)
+-                              up_read_ref_node(&iter->g->node);
+-              } else {
+-                      list_for_each_entry(iter, match_head, list)
+-                              up_write_ref_node(&iter->g->node);
+-              }
+-
+               rule = add_rule_fg(g, spec->match_value,
+                                  flow_act, dest, dest_num, fte_tmp);
+               up_write_ref_node(&fte_tmp->node);
+@@ -1704,19 +1716,6 @@ search_again_locked:
+               return rule;
+       }
+-      /* No group with matching fte found. Try to add a new fte to any
+-       * matching fg.
+-       */
+-
+-      if (!take_write) {
+-              list_for_each_entry(iter, match_head, list)
+-                      up_read_ref_node(&iter->g->node);
+-              list_for_each_entry(iter, match_head, list)
+-                      nested_down_write_ref_node(&iter->g->node,
+-                                                 FS_LOCK_PARENT);
+-              take_write = true;
+-      }
+-
+       /* Check the ft version, for case that new flow group
+        * was added while the fgs weren't locked
+        */
+@@ -1728,27 +1727,30 @@ search_again_locked:
+       /* Check the fgs version, for case the new FTE with the
+        * same values was added while the fgs weren't locked
+        */
+-      if (version != matched_fgs_get_version(match_head))
++      if (version != matched_fgs_get_version(match_head)) {
++              take_write = true;
+               goto search_again_locked;
++      }
+       list_for_each_entry(iter, match_head, list) {
+               g = iter->g;
+               if (!g->node.active)
+                       continue;
++
++              nested_down_write_ref_node(&g->node, FS_LOCK_PARENT);
++
+               err = insert_fte(g, fte);
+               if (err) {
++                      up_write_ref_node(&g->node);
+                       if (err == -ENOSPC)
+                               continue;
+-                      list_for_each_entry(iter, match_head, list)
+-                              up_write_ref_node(&iter->g->node);
+                       kmem_cache_free(steering->ftes_cache, fte);
+                       return ERR_PTR(err);
+               }
+               nested_down_write_ref_node(&fte->node, FS_LOCK_CHILD);
+-              list_for_each_entry(iter, match_head, list)
+-                      up_write_ref_node(&iter->g->node);
++              up_write_ref_node(&g->node);
+               rule = add_rule_fg(g, spec->match_value,
+                                  flow_act, dest, dest_num, fte);
+               up_write_ref_node(&fte->node);
+@@ -1757,8 +1759,6 @@ search_again_locked:
+       }
+       rule = ERR_PTR(-ENOENT);
+ out:
+-      list_for_each_entry(iter, match_head, list)
+-              up_write_ref_node(&iter->g->node);
+       kmem_cache_free(steering->ftes_cache, fte);
+       return rule;
+ }
diff --git a/queue-4.18/net-mlx5-fix-use-after-free-in-self-healing-flow.patch b/queue-4.18/net-mlx5-fix-use-after-free-in-self-healing-flow.patch
new file mode 100644 (file)
index 0000000..2300f64
--- /dev/null
@@ -0,0 +1,91 @@
+From foo@baz Thu Sep 20 07:23:37 CEST 2018
+From: Jack Morgenstein <jackm@dev.mellanox.co.il>
+Date: Sun, 5 Aug 2018 09:19:33 +0300
+Subject: net/mlx5: Fix use-after-free in self-healing flow
+
+From: Jack Morgenstein <jackm@dev.mellanox.co.il>
+
+[ Upstream commit 76d5581c870454be5f1f1a106c57985902e7ea20 ]
+
+When the mlx5 health mechanism detects a problem while the driver
+is in the middle of init_one or remove_one, the driver needs to prevent
+the health mechanism from scheduling future work; if future work
+is scheduled, there is a problem with use-after-free: the system WQ
+tries to run the work item (which has been freed) at the scheduled
+future time.
+
+Prevent this by disabling work item scheduling in the health mechanism
+when the driver is in the middle of init_one() or remove_one().
+
+Fixes: e126ba97dba9 ("mlx5: Add driver for Mellanox Connect-IB adapters")
+Signed-off-by: Jack Morgenstein <jackm@dev.mellanox.co.il>
+Reviewed-by: Feras Daoud <ferasda@mellanox.com>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/health.c |   10 +++++++++-
+ drivers/net/ethernet/mellanox/mlx5/core/main.c   |    6 +++---
+ include/linux/mlx5/driver.h                      |    2 +-
+ 3 files changed, 13 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/health.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/health.c
+@@ -331,9 +331,17 @@ void mlx5_start_health_poll(struct mlx5_
+       add_timer(&health->timer);
+ }
+-void mlx5_stop_health_poll(struct mlx5_core_dev *dev)
++void mlx5_stop_health_poll(struct mlx5_core_dev *dev, bool disable_health)
+ {
+       struct mlx5_core_health *health = &dev->priv.health;
++      unsigned long flags;
++
++      if (disable_health) {
++              spin_lock_irqsave(&health->wq_lock, flags);
++              set_bit(MLX5_DROP_NEW_HEALTH_WORK, &health->flags);
++              set_bit(MLX5_DROP_NEW_RECOVERY_WORK, &health->flags);
++              spin_unlock_irqrestore(&health->wq_lock, flags);
++      }
+       del_timer_sync(&health->timer);
+ }
+--- a/drivers/net/ethernet/mellanox/mlx5/core/main.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/main.c
+@@ -1266,7 +1266,7 @@ err_cleanup_once:
+               mlx5_cleanup_once(dev);
+ err_stop_poll:
+-      mlx5_stop_health_poll(dev);
++      mlx5_stop_health_poll(dev, boot);
+       if (mlx5_cmd_teardown_hca(dev)) {
+               dev_err(&dev->pdev->dev, "tear_down_hca failed, skip cleanup\n");
+               goto out_err;
+@@ -1325,7 +1325,7 @@ static int mlx5_unload_one(struct mlx5_c
+       mlx5_free_irq_vectors(dev);
+       if (cleanup)
+               mlx5_cleanup_once(dev);
+-      mlx5_stop_health_poll(dev);
++      mlx5_stop_health_poll(dev, cleanup);
+       err = mlx5_cmd_teardown_hca(dev);
+       if (err) {
+               dev_err(&dev->pdev->dev, "tear_down_hca failed, skip cleanup\n");
+@@ -1587,7 +1587,7 @@ static int mlx5_try_fast_unload(struct m
+        * with the HCA, so the health polll is no longer needed.
+        */
+       mlx5_drain_health_wq(dev);
+-      mlx5_stop_health_poll(dev);
++      mlx5_stop_health_poll(dev, false);
+       ret = mlx5_cmd_force_teardown_hca(dev);
+       if (ret) {
+--- a/include/linux/mlx5/driver.h
++++ b/include/linux/mlx5/driver.h
+@@ -1042,7 +1042,7 @@ int mlx5_cmd_free_uar(struct mlx5_core_d
+ void mlx5_health_cleanup(struct mlx5_core_dev *dev);
+ int mlx5_health_init(struct mlx5_core_dev *dev);
+ void mlx5_start_health_poll(struct mlx5_core_dev *dev);
+-void mlx5_stop_health_poll(struct mlx5_core_dev *dev);
++void mlx5_stop_health_poll(struct mlx5_core_dev *dev, bool disable_health);
+ void mlx5_drain_health_wq(struct mlx5_core_dev *dev);
+ void mlx5_trigger_health_work(struct mlx5_core_dev *dev);
+ void mlx5_drain_health_recovery(struct mlx5_core_dev *dev);
diff --git a/queue-4.18/net-mlx5-use-u16-for-work-queue-buffer-fragment-size.patch b/queue-4.18/net-mlx5-use-u16-for-work-queue-buffer-fragment-size.patch
new file mode 100644 (file)
index 0000000..cb17101
--- /dev/null
@@ -0,0 +1,62 @@
+From foo@baz Thu Sep 20 07:23:37 CEST 2018
+From: Tariq Toukan <tariqt@mellanox.com>
+Date: Tue, 21 Aug 2018 16:04:41 +0300
+Subject: net/mlx5: Use u16 for Work Queue buffer fragment size
+
+From: Tariq Toukan <tariqt@mellanox.com>
+
+[ Upstream commit 8d71e818506718e8d7032ce824b5c74a17d4f7a5 ]
+
+Minimal stride size is 16.
+Hence, the number of strides in a fragment (of PAGE_SIZE)
+is <= PAGE_SIZE / 16 <= 4K.
+
+u16 is sufficient to represent this.
+
+Fixes: 388ca8be0037 ("IB/mlx5: Implement fragmented completion queue (CQ)")
+Signed-off-by: Tariq Toukan <tariqt@mellanox.com>
+Reviewed-by: Eran Ben Elisha <eranbe@mellanox.com>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/wq.c |    4 ++--
+ drivers/net/ethernet/mellanox/mlx5/core/wq.h |    2 +-
+ include/linux/mlx5/driver.h                  |    2 +-
+ 3 files changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/wq.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/wq.c
+@@ -39,9 +39,9 @@ u32 mlx5_wq_cyc_get_size(struct mlx5_wq_
+       return (u32)wq->fbc.sz_m1 + 1;
+ }
+-u32 mlx5_wq_cyc_get_frag_size(struct mlx5_wq_cyc *wq)
++u16 mlx5_wq_cyc_get_frag_size(struct mlx5_wq_cyc *wq)
+ {
+-      return (u32)wq->fbc.frag_sz_m1 + 1;
++      return wq->fbc.frag_sz_m1 + 1;
+ }
+ u32 mlx5_cqwq_get_size(struct mlx5_cqwq *wq)
+--- a/drivers/net/ethernet/mellanox/mlx5/core/wq.h
++++ b/drivers/net/ethernet/mellanox/mlx5/core/wq.h
+@@ -80,7 +80,7 @@ int mlx5_wq_cyc_create(struct mlx5_core_
+                      void *wqc, struct mlx5_wq_cyc *wq,
+                      struct mlx5_wq_ctrl *wq_ctrl);
+ u32 mlx5_wq_cyc_get_size(struct mlx5_wq_cyc *wq);
+-u32 mlx5_wq_cyc_get_frag_size(struct mlx5_wq_cyc *wq);
++u16 mlx5_wq_cyc_get_frag_size(struct mlx5_wq_cyc *wq);
+ int mlx5_wq_qp_create(struct mlx5_core_dev *mdev, struct mlx5_wq_param *param,
+                     void *qpc, struct mlx5_wq_qp *wq,
+--- a/include/linux/mlx5/driver.h
++++ b/include/linux/mlx5/driver.h
+@@ -357,7 +357,7 @@ struct mlx5_frag_buf {
+ struct mlx5_frag_buf_ctrl {
+       struct mlx5_frag_buf    frag_buf;
+       u32                     sz_m1;
+-      u32                     frag_sz_m1;
++      u16                     frag_sz_m1;
+       u32                     strides_offset;
+       u8                      log_sz;
+       u8                      log_stride;
diff --git a/queue-4.18/net-qca_spi-fix-race-condition-in-spi-transfers.patch b/queue-4.18/net-qca_spi-fix-race-condition-in-spi-transfers.patch
new file mode 100644 (file)
index 0000000..c69603e
--- /dev/null
@@ -0,0 +1,332 @@
+From foo@baz Thu Sep 20 07:23:37 CEST 2018
+From: Stefan Wahren <stefan.wahren@i2se.com>
+Date: Wed, 5 Sep 2018 15:23:18 +0200
+Subject: net: qca_spi: Fix race condition in spi transfers
+
+From: Stefan Wahren <stefan.wahren@i2se.com>
+
+[ Upstream commit e65a9e480e91ddf9e15155454d370cead64689c8 ]
+
+With performance optimization the spi transfer and messages of basic
+register operations like qcaspi_read_register moved into the private
+driver structure. But they weren't protected against mutual access
+(e.g. between driver kthread and ethtool). So dumping the QCA7000
+registers via ethtool during network traffic could make spi_sync
+hang forever, because the completion in spi_message is overwritten.
+
+So revert the optimization completely.
+
+Fixes: 291ab06ecf676 ("net: qualcomm: new Ethernet over SPI driver for QCA700")
+Signed-off-by: Stefan Wahren <stefan.wahren@i2se.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/qualcomm/qca_7k.c  |   76 ++++++++++-----------
+ drivers/net/ethernet/qualcomm/qca_spi.c |  114 ++++++++++++++++----------------
+ drivers/net/ethernet/qualcomm/qca_spi.h |    5 -
+ 3 files changed, 95 insertions(+), 100 deletions(-)
+
+--- a/drivers/net/ethernet/qualcomm/qca_7k.c
++++ b/drivers/net/ethernet/qualcomm/qca_7k.c
+@@ -45,34 +45,33 @@ qcaspi_read_register(struct qcaspi *qca,
+ {
+       __be16 rx_data;
+       __be16 tx_data;
+-      struct spi_transfer *transfer;
+-      struct spi_message *msg;
++      struct spi_transfer transfer[2];
++      struct spi_message msg;
+       int ret;
++      memset(transfer, 0, sizeof(transfer));
++
++      spi_message_init(&msg);
++
+       tx_data = cpu_to_be16(QCA7K_SPI_READ | QCA7K_SPI_INTERNAL | reg);
++      *result = 0;
++
++      transfer[0].tx_buf = &tx_data;
++      transfer[0].len = QCASPI_CMD_LEN;
++      transfer[1].rx_buf = &rx_data;
++      transfer[1].len = QCASPI_CMD_LEN;
++
++      spi_message_add_tail(&transfer[0], &msg);
+       if (qca->legacy_mode) {
+-              msg = &qca->spi_msg1;
+-              transfer = &qca->spi_xfer1;
+-              transfer->tx_buf = &tx_data;
+-              transfer->rx_buf = NULL;
+-              transfer->len = QCASPI_CMD_LEN;
+-              spi_sync(qca->spi_dev, msg);
+-      } else {
+-              msg = &qca->spi_msg2;
+-              transfer = &qca->spi_xfer2[0];
+-              transfer->tx_buf = &tx_data;
+-              transfer->rx_buf = NULL;
+-              transfer->len = QCASPI_CMD_LEN;
+-              transfer = &qca->spi_xfer2[1];
++              spi_sync(qca->spi_dev, &msg);
++              spi_message_init(&msg);
+       }
+-      transfer->tx_buf = NULL;
+-      transfer->rx_buf = &rx_data;
+-      transfer->len = QCASPI_CMD_LEN;
+-      ret = spi_sync(qca->spi_dev, msg);
++      spi_message_add_tail(&transfer[1], &msg);
++      ret = spi_sync(qca->spi_dev, &msg);
+       if (!ret)
+-              ret = msg->status;
++              ret = msg.status;
+       if (ret)
+               qcaspi_spi_error(qca);
+@@ -86,35 +85,32 @@ int
+ qcaspi_write_register(struct qcaspi *qca, u16 reg, u16 value)
+ {
+       __be16 tx_data[2];
+-      struct spi_transfer *transfer;
+-      struct spi_message *msg;
++      struct spi_transfer transfer[2];
++      struct spi_message msg;
+       int ret;
++      memset(&transfer, 0, sizeof(transfer));
++
++      spi_message_init(&msg);
++
+       tx_data[0] = cpu_to_be16(QCA7K_SPI_WRITE | QCA7K_SPI_INTERNAL | reg);
+       tx_data[1] = cpu_to_be16(value);
++      transfer[0].tx_buf = &tx_data[0];
++      transfer[0].len = QCASPI_CMD_LEN;
++      transfer[1].tx_buf = &tx_data[1];
++      transfer[1].len = QCASPI_CMD_LEN;
++
++      spi_message_add_tail(&transfer[0], &msg);
+       if (qca->legacy_mode) {
+-              msg = &qca->spi_msg1;
+-              transfer = &qca->spi_xfer1;
+-              transfer->tx_buf = &tx_data[0];
+-              transfer->rx_buf = NULL;
+-              transfer->len = QCASPI_CMD_LEN;
+-              spi_sync(qca->spi_dev, msg);
+-      } else {
+-              msg = &qca->spi_msg2;
+-              transfer = &qca->spi_xfer2[0];
+-              transfer->tx_buf = &tx_data[0];
+-              transfer->rx_buf = NULL;
+-              transfer->len = QCASPI_CMD_LEN;
+-              transfer = &qca->spi_xfer2[1];
++              spi_sync(qca->spi_dev, &msg);
++              spi_message_init(&msg);
+       }
+-      transfer->tx_buf = &tx_data[1];
+-      transfer->rx_buf = NULL;
+-      transfer->len = QCASPI_CMD_LEN;
+-      ret = spi_sync(qca->spi_dev, msg);
++      spi_message_add_tail(&transfer[1], &msg);
++      ret = spi_sync(qca->spi_dev, &msg);
+       if (!ret)
+-              ret = msg->status;
++              ret = msg.status;
+       if (ret)
+               qcaspi_spi_error(qca);
+--- a/drivers/net/ethernet/qualcomm/qca_spi.c
++++ b/drivers/net/ethernet/qualcomm/qca_spi.c
+@@ -99,22 +99,24 @@ static u32
+ qcaspi_write_burst(struct qcaspi *qca, u8 *src, u32 len)
+ {
+       __be16 cmd;
+-      struct spi_message *msg = &qca->spi_msg2;
+-      struct spi_transfer *transfer = &qca->spi_xfer2[0];
++      struct spi_message msg;
++      struct spi_transfer transfer[2];
+       int ret;
+-      cmd = cpu_to_be16(QCA7K_SPI_WRITE | QCA7K_SPI_EXTERNAL);
+-      transfer->tx_buf = &cmd;
+-      transfer->rx_buf = NULL;
+-      transfer->len = QCASPI_CMD_LEN;
+-      transfer = &qca->spi_xfer2[1];
+-      transfer->tx_buf = src;
+-      transfer->rx_buf = NULL;
+-      transfer->len = len;
++      memset(&transfer, 0, sizeof(transfer));
++      spi_message_init(&msg);
+-      ret = spi_sync(qca->spi_dev, msg);
++      cmd = cpu_to_be16(QCA7K_SPI_WRITE | QCA7K_SPI_EXTERNAL);
++      transfer[0].tx_buf = &cmd;
++      transfer[0].len = QCASPI_CMD_LEN;
++      transfer[1].tx_buf = src;
++      transfer[1].len = len;
++
++      spi_message_add_tail(&transfer[0], &msg);
++      spi_message_add_tail(&transfer[1], &msg);
++      ret = spi_sync(qca->spi_dev, &msg);
+-      if (ret || (msg->actual_length != QCASPI_CMD_LEN + len)) {
++      if (ret || (msg.actual_length != QCASPI_CMD_LEN + len)) {
+               qcaspi_spi_error(qca);
+               return 0;
+       }
+@@ -125,17 +127,20 @@ qcaspi_write_burst(struct qcaspi *qca, u
+ static u32
+ qcaspi_write_legacy(struct qcaspi *qca, u8 *src, u32 len)
+ {
+-      struct spi_message *msg = &qca->spi_msg1;
+-      struct spi_transfer *transfer = &qca->spi_xfer1;
++      struct spi_message msg;
++      struct spi_transfer transfer;
+       int ret;
+-      transfer->tx_buf = src;
+-      transfer->rx_buf = NULL;
+-      transfer->len = len;
++      memset(&transfer, 0, sizeof(transfer));
++      spi_message_init(&msg);
++
++      transfer.tx_buf = src;
++      transfer.len = len;
+-      ret = spi_sync(qca->spi_dev, msg);
++      spi_message_add_tail(&transfer, &msg);
++      ret = spi_sync(qca->spi_dev, &msg);
+-      if (ret || (msg->actual_length != len)) {
++      if (ret || (msg.actual_length != len)) {
+               qcaspi_spi_error(qca);
+               return 0;
+       }
+@@ -146,23 +151,25 @@ qcaspi_write_legacy(struct qcaspi *qca,
+ static u32
+ qcaspi_read_burst(struct qcaspi *qca, u8 *dst, u32 len)
+ {
+-      struct spi_message *msg = &qca->spi_msg2;
++      struct spi_message msg;
+       __be16 cmd;
+-      struct spi_transfer *transfer = &qca->spi_xfer2[0];
++      struct spi_transfer transfer[2];
+       int ret;
+-      cmd = cpu_to_be16(QCA7K_SPI_READ | QCA7K_SPI_EXTERNAL);
+-      transfer->tx_buf = &cmd;
+-      transfer->rx_buf = NULL;
+-      transfer->len = QCASPI_CMD_LEN;
+-      transfer = &qca->spi_xfer2[1];
+-      transfer->tx_buf = NULL;
+-      transfer->rx_buf = dst;
+-      transfer->len = len;
++      memset(&transfer, 0, sizeof(transfer));
++      spi_message_init(&msg);
+-      ret = spi_sync(qca->spi_dev, msg);
++      cmd = cpu_to_be16(QCA7K_SPI_READ | QCA7K_SPI_EXTERNAL);
++      transfer[0].tx_buf = &cmd;
++      transfer[0].len = QCASPI_CMD_LEN;
++      transfer[1].rx_buf = dst;
++      transfer[1].len = len;
++
++      spi_message_add_tail(&transfer[0], &msg);
++      spi_message_add_tail(&transfer[1], &msg);
++      ret = spi_sync(qca->spi_dev, &msg);
+-      if (ret || (msg->actual_length != QCASPI_CMD_LEN + len)) {
++      if (ret || (msg.actual_length != QCASPI_CMD_LEN + len)) {
+               qcaspi_spi_error(qca);
+               return 0;
+       }
+@@ -173,17 +180,20 @@ qcaspi_read_burst(struct qcaspi *qca, u8
+ static u32
+ qcaspi_read_legacy(struct qcaspi *qca, u8 *dst, u32 len)
+ {
+-      struct spi_message *msg = &qca->spi_msg1;
+-      struct spi_transfer *transfer = &qca->spi_xfer1;
++      struct spi_message msg;
++      struct spi_transfer transfer;
+       int ret;
+-      transfer->tx_buf = NULL;
+-      transfer->rx_buf = dst;
+-      transfer->len = len;
++      memset(&transfer, 0, sizeof(transfer));
++      spi_message_init(&msg);
++
++      transfer.rx_buf = dst;
++      transfer.len = len;
+-      ret = spi_sync(qca->spi_dev, msg);
++      spi_message_add_tail(&transfer, &msg);
++      ret = spi_sync(qca->spi_dev, &msg);
+-      if (ret || (msg->actual_length != len)) {
++      if (ret || (msg.actual_length != len)) {
+               qcaspi_spi_error(qca);
+               return 0;
+       }
+@@ -195,19 +205,23 @@ static int
+ qcaspi_tx_cmd(struct qcaspi *qca, u16 cmd)
+ {
+       __be16 tx_data;
+-      struct spi_message *msg = &qca->spi_msg1;
+-      struct spi_transfer *transfer = &qca->spi_xfer1;
++      struct spi_message msg;
++      struct spi_transfer transfer;
+       int ret;
++      memset(&transfer, 0, sizeof(transfer));
++
++      spi_message_init(&msg);
++
+       tx_data = cpu_to_be16(cmd);
+-      transfer->len = sizeof(tx_data);
+-      transfer->tx_buf = &tx_data;
+-      transfer->rx_buf = NULL;
++      transfer.len = sizeof(cmd);
++      transfer.tx_buf = &tx_data;
++      spi_message_add_tail(&transfer, &msg);
+-      ret = spi_sync(qca->spi_dev, msg);
++      ret = spi_sync(qca->spi_dev, &msg);
+       if (!ret)
+-              ret = msg->status;
++              ret = msg.status;
+       if (ret)
+               qcaspi_spi_error(qca);
+@@ -835,16 +849,6 @@ qcaspi_netdev_setup(struct net_device *d
+       qca = netdev_priv(dev);
+       memset(qca, 0, sizeof(struct qcaspi));
+-      memset(&qca->spi_xfer1, 0, sizeof(struct spi_transfer));
+-      memset(&qca->spi_xfer2, 0, sizeof(struct spi_transfer) * 2);
+-
+-      spi_message_init(&qca->spi_msg1);
+-      spi_message_add_tail(&qca->spi_xfer1, &qca->spi_msg1);
+-
+-      spi_message_init(&qca->spi_msg2);
+-      spi_message_add_tail(&qca->spi_xfer2[0], &qca->spi_msg2);
+-      spi_message_add_tail(&qca->spi_xfer2[1], &qca->spi_msg2);
+-
+       memset(&qca->txr, 0, sizeof(qca->txr));
+       qca->txr.count = TX_RING_MAX_LEN;
+ }
+--- a/drivers/net/ethernet/qualcomm/qca_spi.h
++++ b/drivers/net/ethernet/qualcomm/qca_spi.h
+@@ -83,11 +83,6 @@ struct qcaspi {
+       struct tx_ring txr;
+       struct qcaspi_stats stats;
+-      struct spi_message spi_msg1;
+-      struct spi_message spi_msg2;
+-      struct spi_transfer spi_xfer1;
+-      struct spi_transfer spi_xfer2[2];
+-
+       u8 *rx_buffer;
+       u32 buffer_size;
+       u8 sync;
diff --git a/queue-4.18/net-tls-set-count-of-sg-entries-if-sk_alloc_sg-returns-enospc.patch b/queue-4.18/net-tls-set-count-of-sg-entries-if-sk_alloc_sg-returns-enospc.patch
new file mode 100644 (file)
index 0000000..0158b24
--- /dev/null
@@ -0,0 +1,48 @@
+From foo@baz Thu Sep 20 07:23:37 CEST 2018
+From: Vakul Garg <vakul.garg@nxp.com>
+Date: Thu, 6 Sep 2018 21:41:40 +0530
+Subject: net/tls: Set count of SG entries if sk_alloc_sg returns -ENOSPC
+
+From: Vakul Garg <vakul.garg@nxp.com>
+
+[ Upstream commit 52ea992cfac357b73180d5c051dca43bc8d20c2a ]
+
+tls_sw_sendmsg() allocates plaintext and encrypted SG entries using
+function sk_alloc_sg(). In case the number of SG entries hit
+MAX_SKB_FRAGS, sk_alloc_sg() returns -ENOSPC and sets the variable for
+current SG index to '0'. This leads to calling of function
+tls_push_record() with 'sg_encrypted_num_elem = 0' and later causes
+kernel crash. To fix this, set the number of SG elements to the number
+of elements in plaintext/encrypted SG arrays in case sk_alloc_sg()
+returns -ENOSPC.
+
+Fixes: 3c4d7559159b ("tls: kernel TLS support")
+Signed-off-by: Vakul Garg <vakul.garg@nxp.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/tls/tls_sw.c |    6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/net/tls/tls_sw.c
++++ b/net/tls/tls_sw.c
+@@ -149,6 +149,9 @@ static int alloc_encrypted_sg(struct soc
+                        &ctx->sg_encrypted_num_elem,
+                        &ctx->sg_encrypted_size, 0);
++      if (rc == -ENOSPC)
++              ctx->sg_encrypted_num_elem = ARRAY_SIZE(ctx->sg_encrypted_data);
++
+       return rc;
+ }
+@@ -162,6 +165,9 @@ static int alloc_plaintext_sg(struct soc
+                        &ctx->sg_plaintext_num_elem, &ctx->sg_plaintext_size,
+                        tls_ctx->pending_open_record_frags);
++      if (rc == -ENOSPC)
++              ctx->sg_plaintext_num_elem = ARRAY_SIZE(ctx->sg_plaintext_data);
++
+       return rc;
+ }
diff --git a/queue-4.18/rds-fix-two-rcu-related-problems.patch b/queue-4.18/rds-fix-two-rcu-related-problems.patch
new file mode 100644 (file)
index 0000000..79b681a
--- /dev/null
@@ -0,0 +1,62 @@
+From foo@baz Thu Sep 20 07:23:37 CEST 2018
+From: Cong Wang <xiyou.wangcong@gmail.com>
+Date: Mon, 10 Sep 2018 18:27:26 -0700
+Subject: rds: fix two RCU related problems
+
+From: Cong Wang <xiyou.wangcong@gmail.com>
+
+[ Upstream commit cc4dfb7f70a344f24c1c71e298deea0771dadcb2 ]
+
+When a rds sock is bound, it is inserted into the bind_hash_table
+which is protected by RCU. But when releasing rds sock, after it
+is removed from this hash table, it is freed immediately without
+respecting RCU grace period. This could cause some use-after-free
+as reported by syzbot.
+
+Mark the rds sock with SOCK_RCU_FREE before inserting it into the
+bind_hash_table, so that it would be always freed after a RCU grace
+period.
+
+The other problem is in rds_find_bound(), the rds sock could be
+freed in between rhashtable_lookup_fast() and rds_sock_addref(),
+so we need to extend RCU read lock protection in rds_find_bound()
+to close this race condition.
+
+Reported-and-tested-by: syzbot+8967084bcac563795dc6@syzkaller.appspotmail.com
+Reported-by: syzbot+93a5839deb355537440f@syzkaller.appspotmail.com
+Cc: Sowmini Varadhan <sowmini.varadhan@oracle.com>
+Cc: Santosh Shilimkar <santosh.shilimkar@oracle.com>
+Cc: rds-devel@oss.oracle.com
+Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+Acked-by: Santosh Shilimkar <santosh.shilimkar@oarcle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/rds/bind.c |    5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/net/rds/bind.c
++++ b/net/rds/bind.c
+@@ -60,11 +60,13 @@ struct rds_sock *rds_find_bound(__be32 a
+       u64 key = ((u64)addr << 32) | port;
+       struct rds_sock *rs;
+-      rs = rhashtable_lookup_fast(&bind_hash_table, &key, ht_parms);
++      rcu_read_lock();
++      rs = rhashtable_lookup(&bind_hash_table, &key, ht_parms);
+       if (rs && !sock_flag(rds_rs_to_sk(rs), SOCK_DEAD))
+               rds_sock_addref(rs);
+       else
+               rs = NULL;
++      rcu_read_unlock();
+       rdsdebug("returning rs %p for %pI4:%u\n", rs, &addr,
+               ntohs(port));
+@@ -157,6 +159,7 @@ int rds_bind(struct socket *sock, struct
+               goto out;
+       }
++      sock_set_flag(sk, SOCK_RCU_FREE);
+       ret = rds_add_bound(rs, sin->sin_addr.s_addr, &sin->sin_port);
+       if (ret)
+               goto out;
diff --git a/queue-4.18/tcp-really-ignore-msg_zerocopy-if-no-so_zerocopy.patch b/queue-4.18/tcp-really-ignore-msg_zerocopy-if-no-so_zerocopy.patch
new file mode 100644 (file)
index 0000000..28ee6a6
--- /dev/null
@@ -0,0 +1,53 @@
+From foo@baz Thu Sep 20 07:23:37 CEST 2018
+From: Vincent Whitchurch <vincent.whitchurch@axis.com>
+Date: Thu, 6 Sep 2018 15:54:59 +0200
+Subject: tcp: really ignore MSG_ZEROCOPY if no SO_ZEROCOPY
+
+From: Vincent Whitchurch <vincent.whitchurch@axis.com>
+
+[ Upstream commit 5cf4a8532c992bb22a9ecd5f6d93f873f4eaccc2 ]
+
+According to the documentation in msg_zerocopy.rst, the SO_ZEROCOPY
+flag was introduced because send(2) ignores unknown message flags and
+any legacy application which was accidentally passing the equivalent of
+MSG_ZEROCOPY earlier should not see any new behaviour.
+
+Before commit f214f915e7db ("tcp: enable MSG_ZEROCOPY"), a send(2) call
+which passed the equivalent of MSG_ZEROCOPY without setting SO_ZEROCOPY
+would succeed.  However, after that commit, it fails with -ENOBUFS.  So
+it appears that the SO_ZEROCOPY flag fails to fulfill its intended
+purpose.  Fix it.
+
+Fixes: f214f915e7db ("tcp: enable MSG_ZEROCOPY")
+Signed-off-by: Vincent Whitchurch <vincent.whitchurch@axis.com>
+Acked-by: Willem de Bruijn <willemb@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/skbuff.c |    3 ---
+ net/ipv4/tcp.c    |    2 +-
+ 2 files changed, 1 insertion(+), 4 deletions(-)
+
+--- a/net/core/skbuff.c
++++ b/net/core/skbuff.c
+@@ -939,9 +939,6 @@ struct ubuf_info *sock_zerocopy_alloc(st
+       WARN_ON_ONCE(!in_task());
+-      if (!sock_flag(sk, SOCK_ZEROCOPY))
+-              return NULL;
+-
+       skb = sock_omalloc(sk, 0, GFP_KERNEL);
+       if (!skb)
+               return NULL;
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -1186,7 +1186,7 @@ int tcp_sendmsg_locked(struct sock *sk,
+       flags = msg->msg_flags;
+-      if (flags & MSG_ZEROCOPY && size) {
++      if (flags & MSG_ZEROCOPY && size && sock_flag(sk, SOCK_ZEROCOPY)) {
+               if (sk->sk_state != TCP_ESTABLISHED) {
+                       err = -EINVAL;
+                       goto out_err;
diff --git a/queue-4.18/tipc-orphan-sock-in-tipc_release.patch b/queue-4.18/tipc-orphan-sock-in-tipc_release.patch
new file mode 100644 (file)
index 0000000..d595d3e
--- /dev/null
@@ -0,0 +1,36 @@
+From foo@baz Thu Sep 20 07:23:37 CEST 2018
+From: Cong Wang <xiyou.wangcong@gmail.com>
+Date: Mon, 3 Sep 2018 19:12:41 -0700
+Subject: tipc: orphan sock in tipc_release()
+
+From: Cong Wang <xiyou.wangcong@gmail.com>
+
+[ Upstream commit 0a3b8b2b215f9e84b82ae97df71292ccfd92b1e7 ]
+
+Before we unlock the sock in tipc_release(), we have to
+detach sk->sk_socket from sk, otherwise a parallel
+tipc_sk_fill_sock_diag() could stil read it after we
+free this socket.
+
+Fixes: c30b70deb5f4 ("tipc: implement socket diagnostics for AF_TIPC")
+Reported-and-tested-by: syzbot+48804b87c16588ad491d@syzkaller.appspotmail.com
+Cc: Jon Maloy <jon.maloy@ericsson.com>
+Cc: Ying Xue <ying.xue@windriver.com>
+Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+Acked-by: Ying Xue <ying.xue@windriver.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/tipc/socket.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/tipc/socket.c
++++ b/net/tipc/socket.c
+@@ -578,6 +578,7 @@ static int tipc_release(struct socket *s
+       sk_stop_timer(sk, &sk->sk_timer);
+       tipc_sk_remove(tsk);
++      sock_orphan(sk);
+       /* Reject any messages that accumulated in backlog queue */
+       release_sock(sk);
+       tipc_dest_list_purge(&tsk->cong_links);