4.9-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 4 Aug 2018 07:34:05 +0000 (09:34 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 4 Aug 2018 07:34:05 +0000 (09:34 +0200)
added patches:
bonding-avoid-lockdep-confusion-in-bond_get_stats.patch
inet-frag-enforce-memory-limits-earlier.patch
ipv4-frags-handle-possible-skb-truesize-change.patch
net-dsa-do-not-suspend-resume-closed-slave_dev.patch
net-stmmac-fix-wol-for-pci-based-setups.patch
netlink-fix-spectre-v1-gadget-in-netlink_create.patch

queue-4.9/bonding-avoid-lockdep-confusion-in-bond_get_stats.patch [new file with mode: 0644]
queue-4.9/inet-frag-enforce-memory-limits-earlier.patch [new file with mode: 0644]
queue-4.9/ipv4-frags-handle-possible-skb-truesize-change.patch [new file with mode: 0644]
queue-4.9/net-dsa-do-not-suspend-resume-closed-slave_dev.patch [new file with mode: 0644]
queue-4.9/net-stmmac-fix-wol-for-pci-based-setups.patch [new file with mode: 0644]
queue-4.9/netlink-fix-spectre-v1-gadget-in-netlink_create.patch [new file with mode: 0644]
queue-4.9/series

diff --git a/queue-4.9/bonding-avoid-lockdep-confusion-in-bond_get_stats.patch b/queue-4.9/bonding-avoid-lockdep-confusion-in-bond_get_stats.patch
new file mode 100644 (file)
index 0000000..c8ff3d8
--- /dev/null
@@ -0,0 +1,174 @@
+From foo@baz Sat Aug  4 09:11:40 CEST 2018
+From: Eric Dumazet <edumazet@google.com>
+Date: Tue, 31 Jul 2018 06:30:54 -0700
+Subject: bonding: avoid lockdep confusion in bond_get_stats()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 7e2556e40026a1b0c16f37446ab398d5a5a892e4 ]
+
+syzbot found that the following sequence produces a LOCKDEP splat [1]
+
+ip link add bond10 type bond
+ip link add bond11 type bond
+ip link set bond11 master bond10
+
+To fix this, we can use the already provided nest_level.
+
+This patch also provides correct nesting for dev->addr_list_lock
+
+[1]
+WARNING: possible recursive locking detected
+4.18.0-rc6+ #167 Not tainted
+--------------------------------------------
+syz-executor751/4439 is trying to acquire lock:
+(____ptrval____) (&(&bond->stats_lock)->rlock){+.+.}, at: spin_lock include/linux/spinlock.h:310 [inline]
+(____ptrval____) (&(&bond->stats_lock)->rlock){+.+.}, at: bond_get_stats+0xb4/0x560 drivers/net/bonding/bond_main.c:3426
+
+but task is already holding lock:
+(____ptrval____) (&(&bond->stats_lock)->rlock){+.+.}, at: spin_lock include/linux/spinlock.h:310 [inline]
+(____ptrval____) (&(&bond->stats_lock)->rlock){+.+.}, at: bond_get_stats+0xb4/0x560 drivers/net/bonding/bond_main.c:3426
+
+other info that might help us debug this:
+ Possible unsafe locking scenario:
+
+       CPU0
+       ----
+  lock(&(&bond->stats_lock)->rlock);
+  lock(&(&bond->stats_lock)->rlock);
+
+ *** DEADLOCK ***
+
+ May be due to missing lock nesting notation
+
+3 locks held by syz-executor751/4439:
+ #0: (____ptrval____) (rtnl_mutex){+.+.}, at: rtnl_lock+0x17/0x20 net/core/rtnetlink.c:77
+ #1: (____ptrval____) (&(&bond->stats_lock)->rlock){+.+.}, at: spin_lock include/linux/spinlock.h:310 [inline]
+ #1: (____ptrval____) (&(&bond->stats_lock)->rlock){+.+.}, at: bond_get_stats+0xb4/0x560 drivers/net/bonding/bond_main.c:3426
+ #2: (____ptrval____) (rcu_read_lock){....}, at: bond_get_stats+0x0/0x560 include/linux/compiler.h:215
+
+stack backtrace:
+CPU: 0 PID: 4439 Comm: syz-executor751 Not tainted 4.18.0-rc6+ #167
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x1c9/0x2b4 lib/dump_stack.c:113
+ print_deadlock_bug kernel/locking/lockdep.c:1765 [inline]
+ check_deadlock kernel/locking/lockdep.c:1809 [inline]
+ validate_chain kernel/locking/lockdep.c:2405 [inline]
+ __lock_acquire.cold.64+0x1fb/0x486 kernel/locking/lockdep.c:3435
+ lock_acquire+0x1e4/0x540 kernel/locking/lockdep.c:3924
+ __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
+ _raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:144
+ spin_lock include/linux/spinlock.h:310 [inline]
+ bond_get_stats+0xb4/0x560 drivers/net/bonding/bond_main.c:3426
+ dev_get_stats+0x10f/0x470 net/core/dev.c:8316
+ bond_get_stats+0x232/0x560 drivers/net/bonding/bond_main.c:3432
+ dev_get_stats+0x10f/0x470 net/core/dev.c:8316
+ rtnl_fill_stats+0x4d/0xac0 net/core/rtnetlink.c:1169
+ rtnl_fill_ifinfo+0x1aa6/0x3fb0 net/core/rtnetlink.c:1611
+ rtmsg_ifinfo_build_skb+0xc8/0x190 net/core/rtnetlink.c:3268
+ rtmsg_ifinfo_event.part.30+0x45/0xe0 net/core/rtnetlink.c:3300
+ rtmsg_ifinfo_event net/core/rtnetlink.c:3297 [inline]
+ rtnetlink_event+0x144/0x170 net/core/rtnetlink.c:4716
+ notifier_call_chain+0x180/0x390 kernel/notifier.c:93
+ __raw_notifier_call_chain kernel/notifier.c:394 [inline]
+ raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401
+ call_netdevice_notifiers_info+0x3f/0x90 net/core/dev.c:1735
+ call_netdevice_notifiers net/core/dev.c:1753 [inline]
+ netdev_features_change net/core/dev.c:1321 [inline]
+ netdev_change_features+0xb3/0x110 net/core/dev.c:7759
+ bond_compute_features.isra.47+0x585/0xa50 drivers/net/bonding/bond_main.c:1120
+ bond_enslave+0x1b25/0x5da0 drivers/net/bonding/bond_main.c:1755
+ bond_do_ioctl+0x7cb/0xae0 drivers/net/bonding/bond_main.c:3528
+ dev_ifsioc+0x43c/0xb30 net/core/dev_ioctl.c:327
+ dev_ioctl+0x1b5/0xcc0 net/core/dev_ioctl.c:493
+ sock_do_ioctl+0x1d3/0x3e0 net/socket.c:992
+ sock_ioctl+0x30d/0x680 net/socket.c:1093
+ vfs_ioctl fs/ioctl.c:46 [inline]
+ file_ioctl fs/ioctl.c:500 [inline]
+ do_vfs_ioctl+0x1de/0x1720 fs/ioctl.c:684
+ ksys_ioctl+0xa9/0xd0 fs/ioctl.c:701
+ __do_sys_ioctl fs/ioctl.c:708 [inline]
+ __se_sys_ioctl fs/ioctl.c:706 [inline]
+ __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:706
+ do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+RIP: 0033:0x440859
+Code: e8 2c af 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00
+RSP: 002b:00007ffc51a92878 EFLAGS: 00000213 ORIG_RAX: 0000000000000010
+RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000440859
+RDX: 0000000020000040 RSI: 0000000000008990 RDI: 0000000000000003
+RBP: 0000000000000000 R08: 00000000004002c8 R09: 00000000004002c8
+R10: 00000000022d5880 R11: 0000000000000213 R12: 0000000000007390
+R13: 0000000000401db0 R14: 0000000000000000 R15: 0000000000000000
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Jay Vosburgh <j.vosburgh@gmail.com>
+Cc: Veaceslav Falico <vfalico@gmail.com>
+Cc: Andy Gospodarek <andy@greyhouse.net>
+
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/bonding/bond_main.c |   14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -1682,6 +1682,8 @@ int bond_enslave(struct net_device *bond
+               goto err_upper_unlink;
+       }
++      bond->nest_level = dev_get_nest_level(bond_dev) + 1;
++
+       /* If the mode uses primary, then the following is handled by
+        * bond_change_active_slave().
+        */
+@@ -1729,7 +1731,6 @@ int bond_enslave(struct net_device *bond
+       if (bond_mode_uses_xmit_hash(bond))
+               bond_update_slave_arr(bond, NULL);
+-      bond->nest_level = dev_get_nest_level(bond_dev);
+       netdev_info(bond_dev, "Enslaving %s as %s interface with %s link\n",
+                   slave_dev->name,
+@@ -3359,6 +3360,13 @@ static void bond_fold_stats(struct rtnl_
+       }
+ }
++static int bond_get_nest_level(struct net_device *bond_dev)
++{
++      struct bonding *bond = netdev_priv(bond_dev);
++
++      return bond->nest_level;
++}
++
+ static struct rtnl_link_stats64 *bond_get_stats(struct net_device *bond_dev,
+                                               struct rtnl_link_stats64 *stats)
+ {
+@@ -3367,7 +3375,7 @@ static struct rtnl_link_stats64 *bond_ge
+       struct list_head *iter;
+       struct slave *slave;
+-      spin_lock(&bond->stats_lock);
++      spin_lock_nested(&bond->stats_lock, bond_get_nest_level(bond_dev));
+       memcpy(stats, &bond->bond_stats, sizeof(*stats));
+       rcu_read_lock();
+@@ -4163,6 +4171,7 @@ static const struct net_device_ops bond_
+       .ndo_neigh_setup        = bond_neigh_setup,
+       .ndo_vlan_rx_add_vid    = bond_vlan_rx_add_vid,
+       .ndo_vlan_rx_kill_vid   = bond_vlan_rx_kill_vid,
++      .ndo_get_lock_subclass  = bond_get_nest_level,
+ #ifdef CONFIG_NET_POLL_CONTROLLER
+       .ndo_netpoll_setup      = bond_netpoll_setup,
+       .ndo_netpoll_cleanup    = bond_netpoll_cleanup,
+@@ -4655,6 +4664,7 @@ static int bond_init(struct net_device *
+       if (!bond->wq)
+               return -ENOMEM;
++      bond->nest_level = SINGLE_DEPTH_NESTING;
+       netdev_lockdep_set_classes(bond_dev);
+       list_add_tail(&bond->bond_list, &bn->dev_list);
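Review bot: In the bond_get_stats() hunk the lockdep subclass passed to `spin_lock_nested()` is `bond->nest_level`, which bond_enslave() now sets to `dev_get_nest_level(bond_dev) + 1` with no upper bound visible here. Lockdep accepts only a small fixed number of subclasses (`MAX_LOCKDEP_SUBCLASSES`), so a sufficiently deep stack of bond devices would presumably trade the recursive-locking splat for an invalid-subclass warning; either bound the stacking depth or document the assumption. The new helper also has no comment; something like `/* lockdep subclass for this bond: its depth in a stack of bonds */` above `bond_get_nest_level()` would explain why it is wired to `.ndo_get_lock_subclass`. bond_enslave(), bond_get_stats() and bond_init() all continue outside the quoted context.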
diff --git a/queue-4.9/inet-frag-enforce-memory-limits-earlier.patch b/queue-4.9/inet-frag-enforce-memory-limits-earlier.patch
new file mode 100644 (file)
index 0000000..38a9075
--- /dev/null
@@ -0,0 +1,60 @@
+From foo@baz Sat Aug  4 09:11:40 CEST 2018
+From: Eric Dumazet <edumazet@google.com>
+Date: Mon, 30 Jul 2018 20:09:11 -0700
+Subject: inet: frag: enforce memory limits earlier
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 56e2c94f055d328f5f6b0a5c1721cca2f2d4e0a1 ]
+
+We currently check current frags memory usage only when
+a new frag queue is created. This allows attackers to first
+consume the memory budget (default : 4 MB) creating thousands
+of frag queues, then sending tiny skbs to exceed high_thresh
+limit by 2 to 3 order of magnitude.
+
+Note that before commit 648700f76b03 ("inet: frags: use rhashtables
+for reassembly units"), work queue could be starved under DOS,
+getting no cpu cycles.
+After commit 648700f76b03, only the per frag queue timer can eventually
+remove an incomplete frag queue and its skbs.
+
+Fixes: b13d3cbfb8e8 ("inet: frag: move eviction of queues to work queue")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: Jann Horn <jannh@google.com>
+Cc: Florian Westphal <fw@strlen.de>
+Cc: Peter Oskolkov <posk@google.com>
+Cc: Paolo Abeni <pabeni@redhat.com>
+Acked-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/inet_fragment.c |   10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/net/ipv4/inet_fragment.c
++++ b/net/ipv4/inet_fragment.c
+@@ -356,11 +356,6 @@ static struct inet_frag_queue *inet_frag
+ {
+       struct inet_frag_queue *q;
+-      if (!nf->high_thresh || frag_mem_limit(nf) > nf->high_thresh) {
+-              inet_frag_schedule_worker(f);
+-              return NULL;
+-      }
+-
+       q = kmem_cache_zalloc(f->frags_cachep, GFP_ATOMIC);
+       if (!q)
+               return NULL;
+@@ -397,6 +392,11 @@ struct inet_frag_queue *inet_frag_find(s
+       struct inet_frag_queue *q;
+       int depth = 0;
++      if (!nf->high_thresh || frag_mem_limit(nf) > nf->high_thresh) {
++              inet_frag_schedule_worker(f);
++              return NULL;
++      }
++
+       if (frag_mem_limit(nf) > nf->low_thresh)
+               inet_frag_schedule_worker(f);
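Review bot: With the `high_thresh` test moved to the top of inet_frag_find(), a lookup for an already existing queue is refused as well once usage is above the limit, and nothing in the new code says this is intended. A short comment above the moved block would record the reason, e.g. `/* Check the budget on every lookup, not only on queue creation: fragments added to existing queues are charged too */`. The operational consequence is that while the budget is exhausted, legitimate reassemblies already in progress also stall until queues are evicted or time out, which is worth stating for whoever tunes `high_thresh`. The block is immediately followed by the `low_thresh` test, so `frag_mem_limit(nf)` is read twice; that is harmless but could be a single local. Both functions continue outside the hunks.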
diff --git a/queue-4.9/ipv4-frags-handle-possible-skb-truesize-change.patch b/queue-4.9/ipv4-frags-handle-possible-skb-truesize-change.patch
new file mode 100644 (file)
index 0000000..05e4260
--- /dev/null
@@ -0,0 +1,50 @@
+From foo@baz Sat Aug  4 09:11:40 CEST 2018
+From: Eric Dumazet <edumazet@google.com>
+Date: Mon, 30 Jul 2018 21:50:29 -0700
+Subject: ipv4: frags: handle possible skb truesize change
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 4672694bd4f1aebdab0ad763ae4716e89cb15221 ]
+
+ip_frag_queue() might call pskb_pull() on one skb that
+is already in the fragment queue.
+
+We need to take care of possible truesize change, or we
+might have an imbalance of the netns frags memory usage.
+
+IPv6 is immune to this bug, because RFC5722, Section 4,
+amended by Errata ID 3089 states :
+
+  When reassembling an IPv6 datagram, if
+  one or more its constituent fragments is determined to be an
+  overlapping fragment, the entire datagram (and any constituent
+  fragments) MUST be silently discarded.
+
+Fixes: 158f323b9868 ("net: adjust skb->truesize in pskb_expand_head()")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/ip_fragment.c |    5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/net/ipv4/ip_fragment.c
++++ b/net/ipv4/ip_fragment.c
+@@ -446,11 +446,16 @@ found:
+               int i = end - FRAG_CB(next)->offset; /* overlap is 'i' bytes */
+               if (i < next->len) {
++                      int delta = -next->truesize;
++
+                       /* Eat head of the next overlapped fragment
+                        * and leave the loop. The next ones cannot overlap.
+                        */
+                       if (!pskb_pull(next, i))
+                               goto err;
++                      delta += next->truesize;
++                      if (delta)
++                              add_frag_mem_limit(qp->q.net, delta);
+                       FRAG_CB(next)->offset += i;
+                       qp->q.meat -= i;
+                       if (next->ip_summed != CHECKSUM_UNNECESSARY)
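Review bot: The new `delta` bookkeeping around `pskb_pull(next, i)` has no comment saying why truesize can change there; the reason lives only in the commit message. Suggest `/* pskb_pull() may reallocate the skb head and change truesize; keep the netns frag memory accounting balanced */` above `int delta = -next->truesize;`. Note also that `delta` is an `int` built by negating `truesize`, which is unsigned in `struct sk_buff`, so the arithmetic relies on wrap-around conversion. The `goto err` path skips the adjustment, which is only correct if a failing pull leaves truesize unchanged; that cannot be confirmed from the hunk. The enclosing function starts and ends outside the hunk.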
diff --git a/queue-4.9/net-dsa-do-not-suspend-resume-closed-slave_dev.patch b/queue-4.9/net-dsa-do-not-suspend-resume-closed-slave_dev.patch
new file mode 100644 (file)
index 0000000..eceeea6
--- /dev/null
@@ -0,0 +1,43 @@
+From foo@baz Sat Aug  4 09:11:40 CEST 2018
+From: Florian Fainelli <f.fainelli@gmail.com>
+Date: Tue, 31 Jul 2018 17:12:52 -0700
+Subject: net: dsa: Do not suspend/resume closed slave_dev
+
+From: Florian Fainelli <f.fainelli@gmail.com>
+
+[ Upstream commit a94c689e6c9e72e722f28339e12dff191ee5a265 ]
+
+If a DSA slave network device was previously disabled, there is no need
+to suspend or resume it.
+
+Fixes: 2446254915a7 ("net: dsa: allow switch drivers to implement suspend/resume hooks")
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/dsa/slave.c |    6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/net/dsa/slave.c
++++ b/net/dsa/slave.c
+@@ -1199,6 +1199,9 @@ int dsa_slave_suspend(struct net_device
+ {
+       struct dsa_slave_priv *p = netdev_priv(slave_dev);
++      if (!netif_running(slave_dev))
++              return 0;
++
+       netif_device_detach(slave_dev);
+       if (p->phy) {
+@@ -1216,6 +1219,9 @@ int dsa_slave_resume(struct net_device *
+ {
+       struct dsa_slave_priv *p = netdev_priv(slave_dev);
++      if (!netif_running(slave_dev))
++              return 0;
++
+       netif_device_attach(slave_dev);
+       if (p->phy) {
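Review bot: The two new `netif_running()` guards are evaluated independently in dsa_slave_suspend() and dsa_slave_resume(), so the detach/attach pairing relies on the running state being the same at both points, and the code does not say so. A one-line comment would make the invariant explicit, e.g. `/* closed slave: nothing was detached or PHY-suspended, so there is nothing to undo */` above the guard in dsa_slave_resume(). Both function bodies continue outside the hunks, so whether anything after the PHY handling also needs to be skipped cannot be checked here.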
diff --git a/queue-4.9/net-stmmac-fix-wol-for-pci-based-setups.patch b/queue-4.9/net-stmmac-fix-wol-for-pci-based-setups.patch
new file mode 100644 (file)
index 0000000..36e5d94
--- /dev/null
@@ -0,0 +1,84 @@
+From foo@baz Sat Aug  4 09:11:40 CEST 2018
+From: Jose Abreu <Jose.Abreu@synopsys.com>
+Date: Tue, 31 Jul 2018 15:08:20 +0100
+Subject: net: stmmac: Fix WoL for PCI-based setups
+
+From: Jose Abreu <Jose.Abreu@synopsys.com>
+
+[ Upstream commit b7d0f08e9129c45ed41bc0cfa8e77067881e45fd ]
+
+WoL won't work in PCI-based setups because we are not saving the PCI EP
+state before entering suspend state and not allowing D3 wake.
+
+Fix this by using a wrapper around stmmac_{suspend/resume} which
+correctly sets the PCI EP state.
+
+Signed-off-by: Jose Abreu <joabreu@synopsys.com>
+Cc: David S. Miller <davem@davemloft.net>
+Cc: Joao Pinto <jpinto@synopsys.com>
+Cc: Giuseppe Cavallaro <peppe.cavallaro@st.com>
+Cc: Alexandre Torgue <alexandre.torgue@st.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/stmmac_pci.c |   40 +++++++++++++++++++++--
+ 1 file changed, 38 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_pci.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_pci.c
+@@ -183,7 +183,7 @@ static int stmmac_pci_probe(struct pci_d
+               return -ENOMEM;
+       /* Enable pci device */
+-      ret = pcim_enable_device(pdev);
++      ret = pci_enable_device(pdev);
+       if (ret) {
+               dev_err(&pdev->dev, "%s: ERROR: failed to enable device\n",
+                       __func__);
+@@ -232,9 +232,45 @@ static int stmmac_pci_probe(struct pci_d
+ static void stmmac_pci_remove(struct pci_dev *pdev)
+ {
+       stmmac_dvr_remove(&pdev->dev);
++      pci_disable_device(pdev);
+ }
+-static SIMPLE_DEV_PM_OPS(stmmac_pm_ops, stmmac_suspend, stmmac_resume);
++static int stmmac_pci_suspend(struct device *dev)
++{
++      struct pci_dev *pdev = to_pci_dev(dev);
++      int ret;
++
++      ret = stmmac_suspend(dev);
++      if (ret)
++              return ret;
++
++      ret = pci_save_state(pdev);
++      if (ret)
++              return ret;
++
++      pci_disable_device(pdev);
++      pci_wake_from_d3(pdev, true);
++      return 0;
++}
++
++static int stmmac_pci_resume(struct device *dev)
++{
++      struct pci_dev *pdev = to_pci_dev(dev);
++      int ret;
++
++      pci_restore_state(pdev);
++      pci_set_power_state(pdev, PCI_D0);
++
++      ret = pci_enable_device(pdev);
++      if (ret)
++              return ret;
++
++      pci_set_master(pdev);
++
++      return stmmac_resume(dev);
++}
++
++static SIMPLE_DEV_PM_OPS(stmmac_pm_ops, stmmac_pci_suspend, stmmac_pci_resume);
+ #define STMMAC_VENDOR_ID 0x700
+ #define STMMAC_QUARK_ID  0x0937
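Review bot: stmmac_pci_suspend() returns the pci_save_state() error after stmmac_suspend() has already succeeded, which leaves the MAC suspended while the PM core is told that suspend failed; the failure branch should undo the first step, e.g. `if (ret) { stmmac_resume(dev); return ret; }`. Separately, the probe hunk replaces the managed `pcim_enable_device()` with `pci_enable_device()`, so every later failure return in stmmac_pci_probe() (outside this hunk) now needs a matching `pci_disable_device(pdev)`; only the remove path gains one here. In stmmac_pci_resume() the return value of `pci_set_power_state(pdev, PCI_D0)` is ignored, which deserves at least a comment saying why that is acceptable.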
diff --git a/queue-4.9/netlink-fix-spectre-v1-gadget-in-netlink_create.patch b/queue-4.9/netlink-fix-spectre-v1-gadget-in-netlink_create.patch
new file mode 100644 (file)
index 0000000..c66f797
--- /dev/null
@@ -0,0 +1,51 @@
+From foo@baz Sat Aug  4 09:11:40 CEST 2018
+From: Jeremy Cline <jcline@redhat.com>
+Date: Tue, 31 Jul 2018 21:13:16 +0000
+Subject: netlink: Fix spectre v1 gadget in netlink_create()
+
+From: Jeremy Cline <jcline@redhat.com>
+
+[ Upstream commit bc5b6c0b62b932626a135f516a41838c510c6eba ]
+
+'protocol' is a user-controlled value, so sanitize it after the bounds
+check to avoid using it for speculative out-of-bounds access to arrays
+indexed by it.
+
+This addresses the following accesses detected with the help of smatch:
+
+* net/netlink/af_netlink.c:654 __netlink_create() warn: potential
+  spectre issue 'nlk_cb_mutex_keys' [w]
+
+* net/netlink/af_netlink.c:654 __netlink_create() warn: potential
+  spectre issue 'nlk_cb_mutex_key_strings' [w]
+
+* net/netlink/af_netlink.c:685 netlink_create() warn: potential spectre
+  issue 'nl_table' [w] (local cap)
+
+Cc: Josh Poimboeuf <jpoimboe@redhat.com>
+Signed-off-by: Jeremy Cline <jcline@redhat.com>
+Reviewed-by: Josh Poimboeuf <jpoimboe@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netlink/af_netlink.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/netlink/af_netlink.c
++++ b/net/netlink/af_netlink.c
+@@ -62,6 +62,7 @@
+ #include <asm/cacheflush.h>
+ #include <linux/hash.h>
+ #include <linux/genetlink.h>
++#include <linux/nospec.h>
+ #include <net/net_namespace.h>
+ #include <net/sock.h>
+@@ -654,6 +655,7 @@ static int netlink_create(struct net *ne
+       if (protocol < 0 || protocol >= MAX_LINKS)
+               return -EPROTONOSUPPORT;
++      protocol = array_index_nospec(protocol, MAX_LINKS);
+       netlink_lock_table();
+ #ifdef CONFIG_MODULES
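Review bot: The added `array_index_nospec()` line only works if it stays directly after the `protocol < 0 || protocol >= MAX_LINKS` check and before any use of `protocol` as an index, but nothing in the code says so. A comment such as `/* protocol is user-controlled: clamp it under speculation before it is used as an array index */` would keep a later refactor from separating the two. The commit message also lists warnings in `__netlink_create()`, while this hunk only touches netlink_create(); presumably the sanitized value is what reaches `__netlink_create()`, but that call is outside the hunk and should be confirmed for this 4.9 backport. netlink_create() continues past the shown context.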
index 950783f7b9f5e8e1f005c4cffe761a7327e289ce..20b048a4ef6f800bc9b28d12beafbee54f5dac60 100644 (file)
@@ -15,3 +15,9 @@ tcp-refactor-tcp_ecn_check_ce-to-remove-sk-type-cast.patch
 tcp-add-one-more-quick-ack-after-after-ecn-events.patch
 pinctrl-intel-read-back-tx-buffer-state.patch
 sched-wait-remove-the-lockless-swait_active-check-in-swake_up.patch
+bonding-avoid-lockdep-confusion-in-bond_get_stats.patch
+inet-frag-enforce-memory-limits-earlier.patch
+ipv4-frags-handle-possible-skb-truesize-change.patch
+net-dsa-do-not-suspend-resume-closed-slave_dev.patch
+netlink-fix-spectre-v1-gadget-in-netlink_create.patch
+net-stmmac-fix-wol-for-pci-based-setups.patch