--- /dev/null
+From foo@baz Wed Aug 26 04:19:14 PM CEST 2020
+From: Cong Wang <xiyou.wangcong@gmail.com>
+Date: Fri, 14 Aug 2020 20:05:58 -0700
+Subject: bonding: fix a potential double-unregister
+
+From: Cong Wang <xiyou.wangcong@gmail.com>
+
+[ Upstream commit 832707021666411d04795c564a4adea5d6b94f17 ]
+
+When we tear down a network namespace, we unregister all
+the netdevices within it. So we may queue a slave device
+and a bonding device together in the same unregister queue.
+
+If the only slave device is non-ethernet, it would
+automatically unregister the bonding device as well. Thus,
+we may end up unregistering the bonding device twice.
+
+Workaround this special case by checking reg_state.
+
+Fixes: 9b5e383c11b0 ("net: Introduce unregister_netdevice_many()")
+Reported-by: syzbot+af23e7f3e0a7e10c8b67@syzkaller.appspotmail.com
+Cc: Eric Dumazet <eric.dumazet@gmail.com>
+Cc: Andy Gospodarek <andy@greyhouse.net>
+Cc: Jay Vosburgh <j.vosburgh@gmail.com>
+Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/bonding/bond_main.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -1940,7 +1940,8 @@ static int bond_release_and_destroy(str
+ int ret;
+
+ ret = bond_release(bond_dev, slave_dev);
+- if (ret == 0 && !bond_has_slaves(bond)) {
++ if (ret == 0 && !bond_has_slaves(bond) &&
++ bond_dev->reg_state != NETREG_UNREGISTERING) {
+ bond_dev->priv_flags |= IFF_DISABLE_NETPOLL;
+ netdev_info(bond_dev, "Destroying bond %s\n",
+ bond_dev->name);
--- /dev/null
+From foo@baz Wed Aug 26 04:19:14 PM CEST 2020
+From: Jarod Wilson <jarod@redhat.com>
+Date: Thu, 13 Aug 2020 10:09:00 -0400
+Subject: bonding: show saner speed for broadcast mode
+
+From: Jarod Wilson <jarod@redhat.com>
+
+[ Upstream commit 4ca0d9ac3fd8f9f90b72a15d8da2aca3ffb58418 ]
+
+Broadcast mode bonds transmit a copy of all traffic simultaneously out of
+all interfaces, so the "speed" of the bond isn't really the aggregate of
+all interfaces, but rather, the speed of the slowest active interface.
+
+Also, the type of the speed field is u32, not unsigned long, so adjust
+that accordingly, as required to make min() function here without
+complaining about mismatching types.
+
+Fixes: bb5b052f751b ("bond: add support to read speed and duplex via ethtool")
+CC: Jay Vosburgh <j.vosburgh@gmail.com>
+CC: Veaceslav Falico <vfalico@gmail.com>
+CC: Andy Gospodarek <andy@greyhouse.net>
+CC: "David S. Miller" <davem@davemloft.net>
+CC: netdev@vger.kernel.org
+Acked-by: Jay Vosburgh <jay.vosburgh@canonical.com>
+Signed-off-by: Jarod Wilson <jarod@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/bonding/bond_main.c | 21 ++++++++++++++++++---
+ 1 file changed, 18 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -4057,13 +4057,23 @@ static netdev_tx_t bond_start_xmit(struc
+ return ret;
+ }
+
++static u32 bond_mode_bcast_speed(struct slave *slave, u32 speed)
++{
++ if (speed == 0 || speed == SPEED_UNKNOWN)
++ speed = slave->speed;
++ else
++ speed = min(speed, slave->speed);
++
++ return speed;
++}
++
+ static int bond_ethtool_get_settings(struct net_device *bond_dev,
+ struct ethtool_cmd *ecmd)
+ {
+ struct bonding *bond = netdev_priv(bond_dev);
+- unsigned long speed = 0;
+ struct list_head *iter;
+ struct slave *slave;
++ u32 speed = 0;
+
+ ecmd->duplex = DUPLEX_UNKNOWN;
+ ecmd->port = PORT_OTHER;
+@@ -4075,8 +4085,13 @@ static int bond_ethtool_get_settings(str
+ */
+ bond_for_each_slave(bond, slave, iter) {
+ if (bond_slave_can_tx(slave)) {
+- if (slave->speed != SPEED_UNKNOWN)
+- speed += slave->speed;
++ if (slave->speed != SPEED_UNKNOWN) {
++ if (BOND_MODE(bond) == BOND_MODE_BROADCAST)
++ speed = bond_mode_bcast_speed(slave,
++ speed);
++ else
++ speed += slave->speed;
++ }
+ if (ecmd->duplex == DUPLEX_UNKNOWN &&
+ slave->duplex != DUPLEX_UNKNOWN)
+ ecmd->duplex = slave->duplex;
--- /dev/null
+From foo@baz Wed Aug 26 03:58:58 PM CEST 2020
+From: Mahesh Bandewar <maheshb@google.com>
+Date: Fri, 14 Aug 2020 22:53:24 -0700
+Subject: ipvlan: fix device features
+
+From: Mahesh Bandewar <maheshb@google.com>
+
+[ Upstream commit d0f5c7076e01fef6fcb86988d9508bf3ce258bd4 ]
+
+Processing NETDEV_FEAT_CHANGE causes IPvlan links to lose
+NETIF_F_LLTX feature because of the incorrect handling of
+features in ipvlan_fix_features().
+
+--before--
+lpaa10:~# ethtool -k ipvl0 | grep tx-lockless
+tx-lockless: on [fixed]
+lpaa10:~# ethtool -K ipvl0 tso off
+Cannot change tcp-segmentation-offload
+Actual changes:
+vlan-challenged: off [fixed]
+tx-lockless: off [fixed]
+lpaa10:~# ethtool -k ipvl0 | grep tx-lockless
+tx-lockless: off [fixed]
+lpaa10:~#
+
+--after--
+lpaa10:~# ethtool -k ipvl0 | grep tx-lockless
+tx-lockless: on [fixed]
+lpaa10:~# ethtool -K ipvl0 tso off
+Cannot change tcp-segmentation-offload
+Could not change any device features
+lpaa10:~# ethtool -k ipvl0 | grep tx-lockless
+tx-lockless: on [fixed]
+lpaa10:~#
+
+Fixes: 2ad7bf363841 ("ipvlan: Initial check-in of the IPVLAN driver.")
+Signed-off-by: Mahesh Bandewar <maheshb@google.com>
+Cc: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ipvlan/ipvlan_main.c | 25 +++++++++++++++++++++----
+ 1 file changed, 21 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/ipvlan/ipvlan_main.c
++++ b/drivers/net/ipvlan/ipvlan_main.c
+@@ -87,12 +87,21 @@ static void ipvlan_port_destroy(struct n
+ static struct lock_class_key ipvlan_netdev_xmit_lock_key;
+ static struct lock_class_key ipvlan_netdev_addr_lock_key;
+
++#define IPVLAN_ALWAYS_ON_OFLOADS \
++ (NETIF_F_SG | NETIF_F_HW_CSUM | \
++ NETIF_F_GSO_ROBUST | NETIF_F_GSO_SOFTWARE | NETIF_F_GSO_ENCAP_ALL)
++
++#define IPVLAN_ALWAYS_ON \
++ (IPVLAN_ALWAYS_ON_OFLOADS | NETIF_F_LLTX | NETIF_F_VLAN_CHALLENGED)
++
+ #define IPVLAN_FEATURES \
+ (NETIF_F_SG | NETIF_F_ALL_CSUM | NETIF_F_HIGHDMA | NETIF_F_FRAGLIST | \
+ NETIF_F_GSO | NETIF_F_TSO | NETIF_F_UFO | NETIF_F_GSO_ROBUST | \
+ NETIF_F_TSO_ECN | NETIF_F_TSO6 | NETIF_F_GRO | NETIF_F_RXCSUM | \
+ NETIF_F_HW_VLAN_CTAG_FILTER | NETIF_F_HW_VLAN_STAG_FILTER)
+
++ /* NETIF_F_GSO_ENCAP_ALL NETIF_F_GSO_SOFTWARE Newly added */
++
+ #define IPVLAN_STATE_MASK \
+ ((1<<__LINK_STATE_NOCARRIER) | (1<<__LINK_STATE_DORMANT))
+
+@@ -117,7 +126,9 @@ static int ipvlan_init(struct net_device
+ dev->state = (dev->state & ~IPVLAN_STATE_MASK) |
+ (phy_dev->state & IPVLAN_STATE_MASK);
+ dev->features = phy_dev->features & IPVLAN_FEATURES;
+- dev->features |= NETIF_F_LLTX;
++ dev->features |= IPVLAN_ALWAYS_ON;
++ dev->vlan_features = phy_dev->vlan_features & IPVLAN_FEATURES;
++ dev->vlan_features |= IPVLAN_ALWAYS_ON_OFLOADS;
+ dev->gso_max_size = phy_dev->gso_max_size;
+ dev->hard_header_len = phy_dev->hard_header_len;
+
+@@ -201,7 +212,14 @@ static netdev_features_t ipvlan_fix_feat
+ {
+ struct ipvl_dev *ipvlan = netdev_priv(dev);
+
+- return features & (ipvlan->sfeatures | ~IPVLAN_FEATURES);
++ features |= NETIF_F_ALL_FOR_ALL;
++ features &= (ipvlan->sfeatures | ~IPVLAN_FEATURES);
++ features = netdev_increment_features(ipvlan->phy_dev->features,
++ features, features);
++ features |= IPVLAN_ALWAYS_ON;
++ features &= (IPVLAN_FEATURES | IPVLAN_ALWAYS_ON);
++
++ return features;
+ }
+
+ static void ipvlan_change_rx_flags(struct net_device *dev, int change)
+@@ -590,9 +608,8 @@ static int ipvlan_device_event(struct no
+
+ case NETDEV_FEAT_CHANGE:
+ list_for_each_entry(ipvlan, &port->ipvlans, pnode) {
+- ipvlan->dev->features = dev->features & IPVLAN_FEATURES;
+ ipvlan->dev->gso_max_size = dev->gso_max_size;
+- netdev_features_change(ipvlan->dev);
++ netdev_update_features(ipvlan->dev);
+ }
+ break;
+
--- /dev/null
+From foo@baz Wed Aug 26 04:28:25 PM CEST 2020
+From: Miaohe Lin <linmiaohe@huawei.com>
+Date: Sat, 15 Aug 2020 04:44:31 -0400
+Subject: net: Fix potential wrong skb->protocol in skb_vlan_untag()
+
+From: Miaohe Lin <linmiaohe@huawei.com>
+
+[ Upstream commit 55eff0eb7460c3d50716ed9eccf22257b046ca92 ]
+
+We may access the two bytes after vlan_hdr in vlan_set_encap_proto(). So
+we should pull VLAN_HLEN + sizeof(unsigned short) in skb_vlan_untag() or
+we may access the wrong data.
+
+Fixes: 0d5501c1c828 ("net: Always untag vlan-tagged traffic on input.")
+Signed-off-by: Miaohe Lin <linmiaohe@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/skbuff.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/core/skbuff.c
++++ b/net/core/skbuff.c
+@@ -4370,8 +4370,8 @@ struct sk_buff *skb_vlan_untag(struct sk
+ skb = skb_share_check(skb, GFP_ATOMIC);
+ if (unlikely(!skb))
+ goto err_free;
+-
+- if (unlikely(!pskb_may_pull(skb, VLAN_HLEN)))
++ /* We may access the two bytes after vlan_hdr in vlan_set_encap_proto(). */
++ if (unlikely(!pskb_may_pull(skb, VLAN_HLEN + sizeof(unsigned short))))
+ goto err_free;
+
+ vhdr = (struct vlan_hdr *)skb->data;
--- /dev/null
+net-fix-potential-wrong-skb-protocol-in-skb_vlan_untag.patch
+tipc-fix-uninit-skb-data-in-tipc_nl_compat_dumpit.patch
+ipvlan-fix-device-features.patch
+bonding-show-saner-speed-for-broadcast-mode.patch
+bonding-fix-a-potential-double-unregister.patch
--- /dev/null
+From foo@baz Wed Aug 26 04:28:25 PM CEST 2020
+From: Cong Wang <xiyou.wangcong@gmail.com>
+Date: Sat, 15 Aug 2020 16:29:15 -0700
+Subject: tipc: fix uninit skb->data in tipc_nl_compat_dumpit()
+
+From: Cong Wang <xiyou.wangcong@gmail.com>
+
+[ Upstream commit 47733f9daf4fe4f7e0eb9e273f21ad3a19130487 ]
+
+__tipc_nl_compat_dumpit() has two callers, and it expects them to
+pass a valid nlmsghdr via arg->data. This header is artificial and
+crafted just for __tipc_nl_compat_dumpit().
+
+tipc_nl_compat_publ_dump() does so by putting a genlmsghdr as well
+as some nested attribute, TIPC_NLA_SOCK. But the other caller
+tipc_nl_compat_dumpit() does not, this leaves arg->data uninitialized
+on this call path.
+
+Fix this by just adding a similar nlmsghdr without any payload in
+tipc_nl_compat_dumpit().
+
+This bug exists since day 1, but the recent commit 6ea67769ff33
+("net: tipc: prepare attrs in __tipc_nl_compat_dumpit()") makes it
+easier to appear.
+
+Reported-and-tested-by: syzbot+0e7181deafa7e0b79923@syzkaller.appspotmail.com
+Fixes: d0796d1ef63d ("tipc: convert legacy nl bearer dump to nl compat")
+Cc: Jon Maloy <jmaloy@redhat.com>
+Cc: Ying Xue <ying.xue@windriver.com>
+Cc: Richard Alpe <richard.alpe@ericsson.com>
+Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+Acked-by: Ying Xue <ying.xue@windriver.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/tipc/netlink_compat.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+--- a/net/tipc/netlink_compat.c
++++ b/net/tipc/netlink_compat.c
+@@ -250,8 +250,9 @@ err_out:
+ static int tipc_nl_compat_dumpit(struct tipc_nl_compat_cmd_dump *cmd,
+ struct tipc_nl_compat_msg *msg)
+ {
+- int err;
++ struct nlmsghdr *nlh;
+ struct sk_buff *arg;
++ int err;
+
+ if (msg->req_type && (!msg->req_size ||
+ !TLV_CHECK_TYPE(msg->req, msg->req_type)))
+@@ -280,6 +281,15 @@ static int tipc_nl_compat_dumpit(struct
+ return -ENOMEM;
+ }
+
++ nlh = nlmsg_put(arg, 0, 0, tipc_genl_family.id, 0, NLM_F_MULTI);
++ if (!nlh) {
++ kfree_skb(arg);
++ kfree_skb(msg->rep);
++ msg->rep = NULL;
++ return -EMSGSIZE;
++ }
++ nlmsg_end(arg, nlh);
++
+ err = __tipc_nl_compat_dumpit(cmd, msg, arg);
+ if (err) {
+ kfree_skb(msg->rep);
projects / thirdparty / kernel / stable-queue.git / commitdiff
