--- /dev/null
+From foo@baz Thu 24 Oct 2019 09:47:17 PM EDT
+From: Stefano Brivio <sbrivio@redhat.com>
+Date: Wed, 16 Oct 2019 20:52:09 +0200
+Subject: ipv4: Return -ENETUNREACH if we can't create route but saddr is valid
+
+From: Stefano Brivio <sbrivio@redhat.com>
+
+[ Upstream commit 595e0651d0296bad2491a4a29a7a43eae6328b02 ]
+
+...instead of -EINVAL. An issue was found with older kernel versions
+while unplugging a NFS client with pending RPCs, and the wrong error
+code here prevented it from recovering once link is back up with a
+configured address.
+
+Incidentally, this is not an issue anymore since commit 4f8943f80883
+("SUNRPC: Replace direct task wakeups from softirq context"), included
+in 5.2-rc7, had the effect of decoupling the forwarding of this error
+by using SO_ERROR in xs_wake_error(), as pointed out by Benjamin
+Coddington.
+
+To the best of my knowledge, this isn't currently causing any further
+issue, but the error code doesn't look appropriate anyway, and we
+might hit this in other paths as well.
+
+In detail, as analysed by Gonzalo Siero, once the route is deleted
+because the interface is down, and can't be resolved and we return
+-EINVAL here, this ends up, courtesy of inet_sk_rebuild_header(),
+as the socket error seen by tcp_write_err(), called by
+tcp_retransmit_timer().
+
+In turn, tcp_write_err() indirectly calls xs_error_report(), which
+wakes up the RPC pending tasks with a status of -EINVAL. This is then
+seen by call_status() in the SUN RPC implementation, which aborts the
+RPC call calling rpc_exit(), instead of handling this as a
+potentially temporary condition, i.e. as a timeout.
+
+Return -EINVAL only if the input parameters passed to
+ip_route_output_key_hash_rcu() are actually invalid (this is the case
+if the specified source address is multicast, limited broadcast or
+all zeroes), but return -ENETUNREACH in all cases where, at the given
+moment, the given source address doesn't allow resolving the route.
+
+While at it, drop the initialisation of err to -ENETUNREACH, which
+was added to __ip_route_output_key() back then by commit
+0315e3827048 ("net: Fix behaviour of unreachable, blackhole and
+prohibit routes"), but actually had no effect, as it was, and is,
+overwritten by the fib_lookup() return code assignment, and anyway
+ignored in all other branches, including the if (fl4->saddr) one:
+I find this rather confusing, as it would look like -ENETUNREACH is
+the "default" error, while that statement has no effect.
+
+Also note that after commit fc75fc8339e7 ("ipv4: dont create routes
+on down devices"), we would get -ENETUNREACH if the device is down,
+but -EINVAL if the source address is specified and we can't resolve
+the route, and this appears to be rather inconsistent.
+
+Reported-by: Stefan Walter <walteste@inf.ethz.ch>
+Analysed-by: Benjamin Coddington <bcodding@redhat.com>
+Analysed-by: Gonzalo Siero <gsierohu@redhat.com>
+Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/route.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/net/ipv4/route.c
++++ b/net/ipv4/route.c
+@@ -2209,7 +2209,7 @@ struct rtable *__ip_route_output_key_has
+ struct fib_result res;
+ struct rtable *rth;
+ int orig_oif;
+- int err = -ENETUNREACH;
++ int err;
+
+ res.tclassid = 0;
+ res.fi = NULL;
+@@ -2224,11 +2224,14 @@ struct rtable *__ip_route_output_key_has
+
+ rcu_read_lock();
+ if (fl4->saddr) {
+- rth = ERR_PTR(-EINVAL);
+ if (ipv4_is_multicast(fl4->saddr) ||
+ ipv4_is_lbcast(fl4->saddr) ||
+- ipv4_is_zeronet(fl4->saddr))
++ ipv4_is_zeronet(fl4->saddr)) {
++ rth = ERR_PTR(-EINVAL);
+ goto out;
++ }
++
++ rth = ERR_PTR(-ENETUNREACH);
+
+ /* I removed check for oif == dev_out->oif here.
+ It was wrong for two reasons:
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
- drivers/block/loop.c | 1 +
+ drivers/block/loop.c | 1 +
1 file changed, 1 insertion(+)
-diff --git a/drivers/block/loop.c b/drivers/block/loop.c
-index da3902ac16c86..8aadd4d0c3a88 100644
--- a/drivers/block/loop.c
+++ b/drivers/block/loop.c
-@@ -1557,6 +1557,7 @@ static int lo_compat_ioctl(struct block_device *bdev, fmode_t mode,
+@@ -1557,6 +1557,7 @@ static int lo_compat_ioctl(struct block_
arg = (unsigned long) compat_ptr(arg);
case LOOP_SET_FD:
case LOOP_CHANGE_FD:
err = lo_ioctl(bdev, mode, cmd, arg);
break;
default:
---
-2.20.1
-
--- /dev/null
+From foo@baz Thu 24 Oct 2019 09:41:49 PM EDT
+From: Eric Dumazet <edumazet@google.com>
+Date: Mon, 14 Oct 2019 11:22:30 -0700
+Subject: net: avoid potential infinite loop in tc_ctl_action()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 39f13ea2f61b439ebe0060393e9c39925c9ee28c ]
+
+tc_ctl_action() has the ability to loop forever if tcf_action_add()
+returns -EAGAIN.
+
+This special case has been done in case a module needed to be loaded,
+but it turns out that tcf_add_notify() could also return -EAGAIN
+if the socket sk_rcvbuf limit is hit.
+
+We need to separate the two cases, and only loop for the module
+loading case.
+
+While we are at it, add a limit of 10 attempts since unbounded
+loops are always scary.
+
+syzbot repro was something like :
+
+socket(PF_NETLINK, SOCK_RAW|SOCK_NONBLOCK, NETLINK_ROUTE) = 3
+write(3, ..., 38) = 38
+setsockopt(3, SOL_SOCKET, SO_RCVBUF, [0], 4) = 0
+sendmsg(3, {msg_name(0)=NULL, msg_iov(1)=[{..., 388}], msg_controllen=0, msg_flags=0x10}, ...)
+
+NMI backtrace for cpu 0
+CPU: 0 PID: 1054 Comm: khungtaskd Not tainted 5.4.0-rc1+ #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x172/0x1f0 lib/dump_stack.c:113
+ nmi_cpu_backtrace.cold+0x70/0xb2 lib/nmi_backtrace.c:101
+ nmi_trigger_cpumask_backtrace+0x23b/0x28b lib/nmi_backtrace.c:62
+ arch_trigger_cpumask_backtrace+0x14/0x20 arch/x86/kernel/apic/hw_nmi.c:38
+ trigger_all_cpu_backtrace include/linux/nmi.h:146 [inline]
+ check_hung_uninterruptible_tasks kernel/hung_task.c:205 [inline]
+ watchdog+0x9d0/0xef0 kernel/hung_task.c:289
+ kthread+0x361/0x430 kernel/kthread.c:255
+ ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
+Sending NMI from CPU 0 to CPUs 1:
+NMI backtrace for cpu 1
+CPU: 1 PID: 8859 Comm: syz-executor910 Not tainted 5.4.0-rc1+ #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+RIP: 0010:arch_local_save_flags arch/x86/include/asm/paravirt.h:751 [inline]
+RIP: 0010:lockdep_hardirqs_off+0x1df/0x2e0 kernel/locking/lockdep.c:3453
+Code: 5c 08 00 00 5b 41 5c 41 5d 5d c3 48 c7 c0 58 1d f3 88 48 ba 00 00 00 00 00 fc ff df 48 c1 e8 03 80 3c 10 00 0f 85 d3 00 00 00 <48> 83 3d 21 9e 99 07 00 0f 84 b9 00 00 00 9c 58 0f 1f 44 00 00 f6
+RSP: 0018:ffff8880a6f3f1b8 EFLAGS: 00000046
+RAX: 1ffffffff11e63ab RBX: ffff88808c9c6080 RCX: 0000000000000000
+RDX: dffffc0000000000 RSI: 0000000000000000 RDI: ffff88808c9c6914
+RBP: ffff8880a6f3f1d0 R08: ffff88808c9c6080 R09: fffffbfff16be5d1
+R10: fffffbfff16be5d0 R11: 0000000000000003 R12: ffffffff8746591f
+R13: ffff88808c9c6080 R14: ffffffff8746591f R15: 0000000000000003
+FS: 00000000011e4880(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: ffffffffff600400 CR3: 00000000a8920000 CR4: 00000000001406e0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ trace_hardirqs_off+0x62/0x240 kernel/trace/trace_preemptirq.c:45
+ __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:108 [inline]
+ _raw_spin_lock_irqsave+0x6f/0xcd kernel/locking/spinlock.c:159
+ __wake_up_common_lock+0xc8/0x150 kernel/sched/wait.c:122
+ __wake_up+0xe/0x10 kernel/sched/wait.c:142
+ netlink_unlock_table net/netlink/af_netlink.c:466 [inline]
+ netlink_unlock_table net/netlink/af_netlink.c:463 [inline]
+ netlink_broadcast_filtered+0x705/0xb80 net/netlink/af_netlink.c:1514
+ netlink_broadcast+0x3a/0x50 net/netlink/af_netlink.c:1534
+ rtnetlink_send+0xdd/0x110 net/core/rtnetlink.c:714
+ tcf_add_notify net/sched/act_api.c:1343 [inline]
+ tcf_action_add+0x243/0x370 net/sched/act_api.c:1362
+ tc_ctl_action+0x3b5/0x4bc net/sched/act_api.c:1410
+ rtnetlink_rcv_msg+0x463/0xb00 net/core/rtnetlink.c:5386
+ netlink_rcv_skb+0x177/0x450 net/netlink/af_netlink.c:2477
+ rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:5404
+ netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline]
+ netlink_unicast+0x531/0x710 net/netlink/af_netlink.c:1328
+ netlink_sendmsg+0x8a5/0xd60 net/netlink/af_netlink.c:1917
+ sock_sendmsg_nosec net/socket.c:637 [inline]
+ sock_sendmsg+0xd7/0x130 net/socket.c:657
+ ___sys_sendmsg+0x803/0x920 net/socket.c:2311
+ __sys_sendmsg+0x105/0x1d0 net/socket.c:2356
+ __do_sys_sendmsg net/socket.c:2365 [inline]
+ __se_sys_sendmsg net/socket.c:2363 [inline]
+ __x64_sys_sendmsg+0x78/0xb0 net/socket.c:2363
+ do_syscall_64+0xfa/0x760 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+RIP: 0033:0x440939
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot+cf0adbb9c28c8866c788@syzkaller.appspotmail.com
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/act_api.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+--- a/net/sched/act_api.c
++++ b/net/sched/act_api.c
+@@ -946,10 +946,15 @@ static int
+ tcf_action_add(struct net *net, struct nlattr *nla, struct nlmsghdr *n,
+ u32 portid, int ovr)
+ {
+- int ret = 0;
++ int loop, ret;
+ LIST_HEAD(actions);
+
+- ret = tcf_action_init(net, nla, NULL, NULL, ovr, 0, &actions);
++ for (loop = 0; loop < 10; loop++) {
++ ret = tcf_action_init(net, nla, NULL, NULL, ovr, 0, &actions);
++ if (ret != -EAGAIN)
++ break;
++ }
++
+ if (ret)
+ goto done;
+
+@@ -992,10 +997,7 @@ static int tc_ctl_action(struct sk_buff
+ */
+ if (n->nlmsg_flags & NLM_F_REPLACE)
+ ovr = 1;
+-replay:
+ ret = tcf_action_add(net, tca[TCA_ACT_TAB], n, portid, ovr);
+- if (ret == -EAGAIN)
+- goto replay;
+ break;
+ case RTM_DELACTION:
+ ret = tca_action_gd(net, tca[TCA_ACT_TAB], n,
--- /dev/null
+From foo@baz Thu 24 Oct 2019 09:53:59 PM EDT
+From: Florian Fainelli <f.fainelli@gmail.com>
+Date: Tue, 15 Oct 2019 10:45:47 -0700
+Subject: net: bcmgenet: Fix RGMII_MODE_EN value for GENET v1/2/3
+
+From: Florian Fainelli <f.fainelli@gmail.com>
+
+[ Upstream commit efb86fede98cdc70b674692ff617b1162f642c49 ]
+
+The RGMII_MODE_EN bit value was 0 for GENET versions 1 through 3, and
+became 6 for GENET v4 and above, account for that difference.
+
+Fixes: aa09677cba42 ("net: bcmgenet: add MDIO routines")
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Acked-by: Doug Berger <opendmb@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/genet/bcmgenet.h | 1 +
+ drivers/net/ethernet/broadcom/genet/bcmmii.c | 6 +++++-
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.h
++++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.h
+@@ -362,6 +362,7 @@ struct bcmgenet_mib_counters {
+ #define EXT_ENERGY_DET_MASK (1 << 12)
+
+ #define EXT_RGMII_OOB_CTRL 0x0C
++#define RGMII_MODE_EN_V123 (1 << 0)
+ #define RGMII_LINK (1 << 4)
+ #define OOB_DISABLE (1 << 5)
+ #define RGMII_MODE_EN (1 << 6)
+--- a/drivers/net/ethernet/broadcom/genet/bcmmii.c
++++ b/drivers/net/ethernet/broadcom/genet/bcmmii.c
+@@ -328,7 +328,11 @@ int bcmgenet_mii_config(struct net_devic
+ */
+ if (priv->ext_phy) {
+ reg = bcmgenet_ext_readl(priv, EXT_RGMII_OOB_CTRL);
+- reg |= RGMII_MODE_EN | id_mode_dis;
++ reg |= id_mode_dis;
++ if (GENET_IS_V1(priv) || GENET_IS_V2(priv) || GENET_IS_V3(priv))
++ reg |= RGMII_MODE_EN_V123;
++ else
++ reg |= RGMII_MODE_EN;
+ bcmgenet_ext_writel(priv, reg, EXT_RGMII_OOB_CTRL);
+ }
+
--- /dev/null
+From foo@baz Thu 24 Oct 2019 09:53:59 PM EDT
+From: Florian Fainelli <f.fainelli@gmail.com>
+Date: Fri, 11 Oct 2019 12:53:49 -0700
+Subject: net: bcmgenet: Set phydev->dev_flags only for internal PHYs
+
+From: Florian Fainelli <f.fainelli@gmail.com>
+
+[ Upstream commit 92696286f3bb37ba50e4bd8d1beb24afb759a799 ]
+
+phydev->dev_flags is entirely dependent on the PHY device driver which
+is going to be used, setting the internal GENET PHY revision in those
+bits only makes sense when drivers/net/phy/bcm7xxx.c is the PHY driver
+being used.
+
+Fixes: 487320c54143 ("net: bcmgenet: communicate integrated PHY revision to PHY driver")
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Acked-by: Doug Berger <opendmb@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/genet/bcmmii.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/broadcom/genet/bcmmii.c
++++ b/drivers/net/ethernet/broadcom/genet/bcmmii.c
+@@ -346,11 +346,12 @@ int bcmgenet_mii_probe(struct net_device
+ struct bcmgenet_priv *priv = netdev_priv(dev);
+ struct device_node *dn = priv->pdev->dev.of_node;
+ struct phy_device *phydev;
+- u32 phy_flags;
++ u32 phy_flags = 0;
+ int ret;
+
+ /* Communicate the integrated PHY revision */
+- phy_flags = priv->gphy_rev;
++ if (priv->internal_phy)
++ phy_flags = priv->gphy_rev;
+
+ /* Initialize link state variables that bcmgenet_mii_setup() uses */
+ priv->old_link = -1;
--- /dev/null
+From foo@baz Thu 24 Oct 2019 09:53:59 PM EDT
+From: Xin Long <lucien.xin@gmail.com>
+Date: Tue, 15 Oct 2019 15:24:38 +0800
+Subject: sctp: change sctp_prot .no_autobind with true
+
+From: Xin Long <lucien.xin@gmail.com>
+
+[ Upstream commit 63dfb7938b13fa2c2fbcb45f34d065769eb09414 ]
+
+syzbot reported a memory leak:
+
+ BUG: memory leak, unreferenced object 0xffff888120b3d380 (size 64):
+ backtrace:
+
+ [...] slab_alloc mm/slab.c:3319 [inline]
+ [...] kmem_cache_alloc+0x13f/0x2c0 mm/slab.c:3483
+ [...] sctp_bucket_create net/sctp/socket.c:8523 [inline]
+ [...] sctp_get_port_local+0x189/0x5a0 net/sctp/socket.c:8270
+ [...] sctp_do_bind+0xcc/0x200 net/sctp/socket.c:402
+ [...] sctp_bindx_add+0x4b/0xd0 net/sctp/socket.c:497
+ [...] sctp_setsockopt_bindx+0x156/0x1b0 net/sctp/socket.c:1022
+ [...] sctp_setsockopt net/sctp/socket.c:4641 [inline]
+ [...] sctp_setsockopt+0xaea/0x2dc0 net/sctp/socket.c:4611
+ [...] sock_common_setsockopt+0x38/0x50 net/core/sock.c:3147
+ [...] __sys_setsockopt+0x10f/0x220 net/socket.c:2084
+ [...] __do_sys_setsockopt net/socket.c:2100 [inline]
+
+It was caused by when sending msgs without binding a port, in the path:
+inet_sendmsg() -> inet_send_prepare() -> inet_autobind() ->
+.get_port/sctp_get_port(), sp->bind_hash will be set while bp->port is
+not. Later when binding another port by sctp_setsockopt_bindx(), a new
+bucket will be created as bp->port is not set.
+
+sctp's autobind is supposed to call sctp_autobind() where it does all
+things including setting bp->port. Since sctp_autobind() is called in
+sctp_sendmsg() if the sk is not yet bound, it should have skipped the
+auto bind.
+
+THis patch is to avoid calling inet_autobind() in inet_send_prepare()
+by changing sctp_prot .no_autobind with true, also remove the unused
+.get_port.
+
+Reported-by: syzbot+d44f7bbebdea49dbc84a@syzkaller.appspotmail.com
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sctp/socket.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/sctp/socket.c
++++ b/net/sctp/socket.c
+@@ -7443,7 +7443,7 @@ struct proto sctp_prot = {
+ .backlog_rcv = sctp_backlog_rcv,
+ .hash = sctp_hash,
+ .unhash = sctp_unhash,
+- .get_port = sctp_get_port,
++ .no_autobind = true,
+ .obj_size = sizeof(struct sctp_sock),
+ .sysctl_mem = sysctl_sctp_mem,
+ .sysctl_rmem = sysctl_sctp_rmem,
+@@ -7482,7 +7482,7 @@ struct proto sctpv6_prot = {
+ .backlog_rcv = sctp_backlog_rcv,
+ .hash = sctp_hash,
+ .unhash = sctp_unhash,
+- .get_port = sctp_get_port,
++ .no_autobind = true,
+ .obj_size = sizeof(struct sctp6_sock),
+ .sysctl_mem = sysctl_sctp_mem,
+ .sysctl_rmem = sysctl_sctp_rmem,
mips-treat-loongson-extensions-as-ases.patch
mips-elf_hwcap-export-userspace-ases.patch
loop-add-loop_set_direct_io-to-compat-ioctl.patch
+net-bcmgenet-fix-rgmii_mode_en-value-for-genet-v1-2-3.patch
+net-bcmgenet-set-phydev-dev_flags-only-for-internal-phys.patch
+sctp-change-sctp_prot-.no_autobind-with-true.patch
+net-avoid-potential-infinite-loop-in-tc_ctl_action.patch
+ipv4-return-enetunreach-if-we-can-t-create-route-but-saddr-is-valid.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
