4.4-stable patches

added patches:
	bonding-add-vlan-tx-offload-to-hw_enc_features.patch
	net-mlx5e-only-support-tx-rx-pause-setting-for-port-owner.patch
	net-packet-fix-race-in-tpacket_snd.patch
	sctp-fix-the-transport-error_count-check.patch
	xen-netback-reset-nr_frags-before-freeing-skb.patch

diff --git a/queue-4.4/bonding-add-vlan-tx-offload-to-hw_enc_features.patch b/queue-4.4/bonding-add-vlan-tx-offload-to-hw_enc_features.patch
new file mode 100644 (file)
index 0000000..69540e7
--- /dev/null
+++ b/queue-4.4/bonding-add-vlan-tx-offload-to-hw_enc_features.patch
@@ -0,0 +1,62 @@
+From foo@baz Tue 20 Aug 2019 07:11:28 PM PDT
+From: YueHaibing <yuehaibing@huawei.com>
+Date: Wed, 7 Aug 2019 10:19:59 +0800
+Subject: bonding: Add vlan tx offload to hw_enc_features
+
+From: YueHaibing <yuehaibing@huawei.com>
+
+[ Upstream commit d595b03de2cb0bdf9bcdf35ff27840cc3a37158f ]
+
+As commit 30d8177e8ac7 ("bonding: Always enable vlan tx offload")
+said, we should always enable bonding's vlan tx offload, pass the
+vlan packets to the slave devices with vlan tci, let them to handle
+vlan implementation.
+
+Now if encapsulation protocols like VXLAN is used, skb->encapsulation
+may be set, then the packet is passed to vlan device which based on
+bonding device. However in netif_skb_features(), the check of
+hw_enc_features:
+
+        if (skb->encapsulation)
+                 features &= dev->hw_enc_features;
+
+clears NETIF_F_HW_VLAN_CTAG_TX/NETIF_F_HW_VLAN_STAG_TX. This results
+in same issue in commit 30d8177e8ac7 like this:
+
+vlan_dev_hard_start_xmit
+  -->dev_queue_xmit
+    -->validate_xmit_skb
+      -->netif_skb_features //NETIF_F_HW_VLAN_CTAG_TX is cleared
+      -->validate_xmit_vlan
+        -->__vlan_hwaccel_push_inside //skb->tci is cleared
+...
+ --> bond_start_xmit
+   --> bond_xmit_hash //BOND_XMIT_POLICY_ENCAP34
+     --> __skb_flow_dissect // nhoff point to IP header
+        -->  case htons(ETH_P_8021Q)
+             // skb_vlan_tag_present is false, so
+             vlan = __skb_header_pointer(skb, nhoff, sizeof(_vlan),
+             //vlan point to ip header wrongly
+
+Fixes: b2a103e6d0af ("bonding: convert to ndo_fix_features")
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Acked-by: Jay Vosburgh <jay.vosburgh@canonical.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/bonding/bond_main.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -1111,7 +1111,9 @@ static void bond_compute_features(struct
+ 
+ done:
+       bond_dev->vlan_features = vlan_features;
+-      bond_dev->hw_enc_features = enc_features | NETIF_F_GSO_ENCAP_ALL;
++      bond_dev->hw_enc_features = enc_features | NETIF_F_GSO_ENCAP_ALL |
++                                  NETIF_F_HW_VLAN_CTAG_TX |
++                                  NETIF_F_HW_VLAN_STAG_TX;
+       bond_dev->gso_max_segs = gso_max_segs;
+       netif_set_gso_max_size(bond_dev, gso_max_size);
+ 

diff --git a/queue-4.4/net-mlx5e-only-support-tx-rx-pause-setting-for-port-owner.patch b/queue-4.4/net-mlx5e-only-support-tx-rx-pause-setting-for-port-owner.patch
new file mode 100644 (file)
index 0000000..5690f9c
--- /dev/null
+++ b/queue-4.4/net-mlx5e-only-support-tx-rx-pause-setting-for-port-owner.patch
@@ -0,0 +1,33 @@
+From foo@baz Tue 20 Aug 2019 07:11:28 PM PDT
+From: Huy Nguyen <huyn@mellanox.com>
+Date: Thu, 1 Aug 2019 11:10:19 -0500
+Subject: net/mlx5e: Only support tx/rx pause setting for port owner
+
+From: Huy Nguyen <huyn@mellanox.com>
+
+[ Upstream commit 466df6eb4a9e813b3cfc674363316450c57a89c5 ]
+
+Only support changing tx/rx pause frame setting if the net device
+is the vport group manager.
+
+Fixes: 3c2d18ef22df ("net/mlx5e: Support ethtool get/set_pauseparam")
+Signed-off-by: Huy Nguyen <huyn@mellanox.com>
+Reviewed-by: Parav Pandit <parav@mellanox.com>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c
+@@ -855,6 +855,9 @@ static int mlx5e_set_pauseparam(struct n
+       struct mlx5_core_dev *mdev = priv->mdev;
+       int err;
+ 
++      if (!MLX5_CAP_GEN(mdev, vport_group_manager))
++              return -EOPNOTSUPP;
++
+       if (pauseparam->autoneg)
+               return -EINVAL;
+ 

diff --git a/queue-4.4/net-packet-fix-race-in-tpacket_snd.patch b/queue-4.4/net-packet-fix-race-in-tpacket_snd.patch
new file mode 100644 (file)
index 0000000..c80c417
--- /dev/null
+++ b/queue-4.4/net-packet-fix-race-in-tpacket_snd.patch
@@ -0,0 +1,78 @@
+From foo@baz Tue 20 Aug 2019 07:11:28 PM PDT
+From: Eric Dumazet <edumazet@google.com>
+Date: Wed, 14 Aug 2019 02:11:57 -0700
+Subject: net/packet: fix race in tpacket_snd()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 32d3182cd2cd29b2e7e04df7b0db350fbe11289f ]
+
+packet_sendmsg() checks tx_ring.pg_vec to decide
+if it must call tpacket_snd().
+
+Problem is that the check is lockless, meaning another thread
+can issue a concurrent setsockopt(PACKET_TX_RING ) to flip
+tx_ring.pg_vec back to NULL.
+
+Given that tpacket_snd() grabs pg_vec_lock mutex, we can
+perform the check again to solve the race.
+
+syzbot reported :
+
+kasan: CONFIG_KASAN_INLINE enabled
+kasan: GPF could be caused by NULL-ptr deref or user memory access
+general protection fault: 0000 [#1] PREEMPT SMP KASAN
+CPU: 1 PID: 11429 Comm: syz-executor394 Not tainted 5.3.0-rc4+ #101
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+RIP: 0010:packet_lookup_frame+0x8d/0x270 net/packet/af_packet.c:474
+Code: c1 ee 03 f7 73 0c 80 3c 0e 00 0f 85 cb 01 00 00 48 8b 0b 89 c0 4c 8d 24 c1 48 b8 00 00 00 00 00 fc ff df 4c 89 e1 48 c1 e9 03 <80> 3c 01 00 0f 85 94 01 00 00 48 8d 7b 10 4d 8b 3c 24 48 b8 00 00
+RSP: 0018:ffff88809f82f7b8 EFLAGS: 00010246
+RAX: dffffc0000000000 RBX: ffff8880a45c7030 RCX: 0000000000000000
+RDX: 0000000000000000 RSI: 1ffff110148b8e06 RDI: ffff8880a45c703c
+RBP: ffff88809f82f7e8 R08: ffff888087aea200 R09: fffffbfff134ae50
+R10: fffffbfff134ae4f R11: ffffffff89a5727f R12: 0000000000000000
+R13: 0000000000000001 R14: ffff8880a45c6ac0 R15: 0000000000000000
+FS:  00007fa04716f700(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000
+CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007fa04716edb8 CR3: 0000000091eb4000 CR4: 00000000001406e0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ packet_current_frame net/packet/af_packet.c:487 [inline]
+ tpacket_snd net/packet/af_packet.c:2667 [inline]
+ packet_sendmsg+0x590/0x6250 net/packet/af_packet.c:2975
+ sock_sendmsg_nosec net/socket.c:637 [inline]
+ sock_sendmsg+0xd7/0x130 net/socket.c:657
+ ___sys_sendmsg+0x3e2/0x920 net/socket.c:2311
+ __sys_sendmmsg+0x1bf/0x4d0 net/socket.c:2413
+ __do_sys_sendmmsg net/socket.c:2442 [inline]
+ __se_sys_sendmmsg net/socket.c:2439 [inline]
+ __x64_sys_sendmmsg+0x9d/0x100 net/socket.c:2439
+ do_syscall_64+0xfd/0x6a0 arch/x86/entry/common.c:296
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+Fixes: 69e3c75f4d54 ("net: TX_RING and packet mmap")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/packet/af_packet.c |    7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -2498,6 +2498,13 @@ static int tpacket_snd(struct packet_soc
+ 
+       mutex_lock(&po->pg_vec_lock);
+ 
++      /* packet_sendmsg() check on tx_ring.pg_vec was lockless,
++       * we need to confirm it under protection of pg_vec_lock.
++       */
++      if (unlikely(!po->tx_ring.pg_vec)) {
++              err = -EBUSY;
++              goto out;
++      }
+       if (likely(saddr == NULL)) {
+               dev     = packet_cached_dev_get(po);
+               proto   = po->num;

diff --git a/queue-4.4/sctp-fix-the-transport-error_count-check.patch b/queue-4.4/sctp-fix-the-transport-error_count-check.patch
new file mode 100644 (file)
index 0000000..290061e
--- /dev/null
+++ b/queue-4.4/sctp-fix-the-transport-error_count-check.patch
@@ -0,0 +1,37 @@
+From foo@baz Tue 20 Aug 2019 07:11:28 PM PDT
+From: Xin Long <lucien.xin@gmail.com>
+Date: Mon, 12 Aug 2019 20:49:12 +0800
+Subject: sctp: fix the transport error_count check
+
+From: Xin Long <lucien.xin@gmail.com>
+
+[ Upstream commit a1794de8b92ea6bc2037f445b296814ac826693e ]
+
+As the annotation says in sctp_do_8_2_transport_strike():
+
+  "If the transport error count is greater than the pf_retrans
+   threshold, and less than pathmaxrtx ..."
+
+It should be transport->error_count checked with pathmaxrxt,
+instead of asoc->pf_retrans.
+
+Fixes: 5aa93bcf66f4 ("sctp: Implement quick failover draft from tsvwg")
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sctp/sm_sideeffect.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/sctp/sm_sideeffect.c
++++ b/net/sctp/sm_sideeffect.c
+@@ -504,7 +504,7 @@ static void sctp_do_8_2_transport_strike
+        * see SCTP Quick Failover Draft, section 5.1
+        */
+       if ((transport->state == SCTP_ACTIVE) &&
+-         (asoc->pf_retrans < transport->pathmaxrxt) &&
++         (transport->error_count < transport->pathmaxrxt) &&
+          (transport->error_count > asoc->pf_retrans)) {
+ 
+               sctp_assoc_control_transport(asoc, transport,

diff --git a/queue-4.4/series b/queue-4.4/series
index 28ecb04369255110e201672f8c4b18c065bee48c..916cfc64a404c9653a702b2724e72e19ac34d75e 100644 (file)
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -72,3 +72,8 @@ ib-mlx5-make-coding-style-more-consistent.patch
 x86-vdso-remove-direct-hpet-access-through-the-vdso.patch
 iommu-amd-move-iommu_init_pci-to-.init-section.patch
 x86-boot-disable-the-address-of-packed-member-compiler-warning.patch
+net-packet-fix-race-in-tpacket_snd.patch
+xen-netback-reset-nr_frags-before-freeing-skb.patch
+net-mlx5e-only-support-tx-rx-pause-setting-for-port-owner.patch
+sctp-fix-the-transport-error_count-check.patch
+bonding-add-vlan-tx-offload-to-hw_enc_features.patch

diff --git a/queue-4.4/xen-netback-reset-nr_frags-before-freeing-skb.patch b/queue-4.4/xen-netback-reset-nr_frags-before-freeing-skb.patch
new file mode 100644 (file)
index 0000000..aef9681
--- /dev/null
+++ b/queue-4.4/xen-netback-reset-nr_frags-before-freeing-skb.patch
@@ -0,0 +1,38 @@
+From foo@baz Tue 20 Aug 2019 07:11:28 PM PDT
+From: Ross Lagerwall <ross.lagerwall@citrix.com>
+Date: Mon, 5 Aug 2019 16:34:34 +0100
+Subject: xen/netback: Reset nr_frags before freeing skb
+
+From: Ross Lagerwall <ross.lagerwall@citrix.com>
+
+[ Upstream commit 3a0233ddec554b886298de2428edb5c50a20e694 ]
+
+At this point nr_frags has been incremented but the frag does not yet
+have a page assigned so freeing the skb results in a crash. Reset
+nr_frags before freeing the skb to prevent this.
+
+Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/xen-netback/netback.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/xen-netback/netback.c
++++ b/drivers/net/xen-netback/netback.c
+@@ -1421,6 +1421,7 @@ static void xenvif_tx_build_gops(struct
+                       skb_shinfo(skb)->nr_frags = MAX_SKB_FRAGS;
+                       nskb = xenvif_alloc_skb(0);
+                       if (unlikely(nskb == NULL)) {
++                              skb_shinfo(skb)->nr_frags = 0;
+                               kfree_skb(skb);
+                               xenvif_tx_err(queue, &txreq, idx);
+                               if (net_ratelimit())
+@@ -1436,6 +1437,7 @@ static void xenvif_tx_build_gops(struct
+ 
+                       if (xenvif_set_skb_gso(queue->vif, skb, gso)) {
+                               /* Failure in xenvif_set_skb_gso is fatal. */
++                              skb_shinfo(skb)->nr_frags = 0;
+                               kfree_skb(skb);
+                               kfree_skb(nskb);
+                               break;