From: Greg Kroah-Hartman Date: Tue, 23 Apr 2019 15:32:42 +0000 (+0200) Subject: 4.14-stable patches X-Git-Tag: v3.18.139~47 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=0b7e2eb6a120ea4e91cc78374ea704e686e0c391;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: bonding-fix-event-handling-for-stacked-bonds.patch ipv4-ensure-rcu_read_lock-in-ipv4_link_failure.patch ipv4-recompile-ip-options-in-ipv4_link_failure.patch net-atm-fix-potential-spectre-v1-vulnerabilities.patch net-bridge-fix-per-port-af_packet-sockets.patch net-bridge-multicast-use-rcu-to-access-port-list-from-br_multicast_start_querier.patch net-fou-do-not-use-guehdr-after-iptunnel_pull_offloads-in-gue_udp_recv.patch net-thunderx-don-t-allow-jumbo-frames-with-xdp.patch net-thunderx-raise-xdp-mtu-to-1508.patch tcp-tcp_grow_window-needs-to-respect-tcp_space.patch team-set-slave-to-promisc-if-team-is-already-in-promisc-mode.patch vhost-reject-zero-size-iova-range.patch --- diff --git a/queue-4.14/bonding-fix-event-handling-for-stacked-bonds.patch b/queue-4.14/bonding-fix-event-handling-for-stacked-bonds.patch new file mode 100644 index 00000000000..ae31f9c8d7c --- /dev/null +++ b/queue-4.14/bonding-fix-event-handling-for-stacked-bonds.patch @@ -0,0 +1,47 @@ +From foo@baz Tue 23 Apr 2019 05:18:29 PM CEST +From: Sabrina Dubroca +Date: Fri, 12 Apr 2019 15:04:10 +0200 +Subject: bonding: fix event handling for stacked bonds + +From: Sabrina Dubroca + +[ Upstream commit 92480b3977fd3884649d404cbbaf839b70035699 ] + +When a bond is enslaved to another bond, bond_netdev_event() only +handles the event as if the bond is a master, and skips treating the +bond as a slave. + +This leads to a refcount leak on the slave, since we don't remove the +adjacency to its master and the master holds a reference on the slave. + +Reproducer: + ip link add bondL type bond + ip link add bondU type bond + ip link set bondL master bondU + ip link del bondL + +No "Fixes:" tag, this code is older than git history. + +Signed-off-by: Sabrina Dubroca +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/bonding/bond_main.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -3169,8 +3169,12 @@ static int bond_netdev_event(struct noti + return NOTIFY_DONE; + + if (event_dev->flags & IFF_MASTER) { ++ int ret; ++ + netdev_dbg(event_dev, "IFF_MASTER\n"); +- return bond_master_netdev_event(event, event_dev); ++ ret = bond_master_netdev_event(event, event_dev); ++ if (ret != NOTIFY_DONE) ++ return ret; + } + + if (event_dev->flags & IFF_SLAVE) { diff --git a/queue-4.14/ipv4-ensure-rcu_read_lock-in-ipv4_link_failure.patch b/queue-4.14/ipv4-ensure-rcu_read_lock-in-ipv4_link_failure.patch new file mode 100644 index 00000000000..4b654840147 --- /dev/null +++ b/queue-4.14/ipv4-ensure-rcu_read_lock-in-ipv4_link_failure.patch @@ -0,0 +1,88 @@ +From foo@baz Tue 23 Apr 2019 05:18:29 PM CEST +From: Eric Dumazet +Date: Sat, 13 Apr 2019 17:32:21 -0700 +Subject: ipv4: ensure rcu_read_lock() in ipv4_link_failure() + +From: Eric Dumazet + +[ Upstream commit c543cb4a5f07e09237ec0fc2c60c9f131b2c79ad ] + +fib_compute_spec_dst() needs to be called under rcu protection. + +syzbot reported : + +WARNING: suspicious RCU usage +5.1.0-rc4+ #165 Not tainted +include/linux/inetdevice.h:220 suspicious rcu_dereference_check() usage! + +other info that might help us debug this: + +rcu_scheduler_active = 2, debug_locks = 1 +1 lock held by swapper/0/0: + #0: 0000000051b67925 ((&n->timer)){+.-.}, at: lockdep_copy_map include/linux/lockdep.h:170 [inline] + #0: 0000000051b67925 ((&n->timer)){+.-.}, at: call_timer_fn+0xda/0x720 kernel/time/timer.c:1315 + +stack backtrace: +CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.1.0-rc4+ #165 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0x172/0x1f0 lib/dump_stack.c:113 + lockdep_rcu_suspicious+0x153/0x15d kernel/locking/lockdep.c:5162 + __in_dev_get_rcu include/linux/inetdevice.h:220 [inline] + fib_compute_spec_dst+0xbbd/0x1030 net/ipv4/fib_frontend.c:294 + spec_dst_fill net/ipv4/ip_options.c:245 [inline] + __ip_options_compile+0x15a7/0x1a10 net/ipv4/ip_options.c:343 + ipv4_link_failure+0x172/0x400 net/ipv4/route.c:1195 + dst_link_failure include/net/dst.h:427 [inline] + arp_error_report+0xd1/0x1c0 net/ipv4/arp.c:297 + neigh_invalidate+0x24b/0x570 net/core/neighbour.c:995 + neigh_timer_handler+0xc35/0xf30 net/core/neighbour.c:1081 + call_timer_fn+0x190/0x720 kernel/time/timer.c:1325 + expire_timers kernel/time/timer.c:1362 [inline] + __run_timers kernel/time/timer.c:1681 [inline] + __run_timers kernel/time/timer.c:1649 [inline] + run_timer_softirq+0x652/0x1700 kernel/time/timer.c:1694 + __do_softirq+0x266/0x95a kernel/softirq.c:293 + invoke_softirq kernel/softirq.c:374 [inline] + irq_exit+0x180/0x1d0 kernel/softirq.c:414 + exiting_irq arch/x86/include/asm/apic.h:536 [inline] + smp_apic_timer_interrupt+0x14a/0x570 arch/x86/kernel/apic/apic.c:1062 + apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:807 + +Fixes: ed0de45a1008 ("ipv4: recompile ip options in ipv4_link_failure") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Cc: Stephen Suryaputra +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/route.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +--- a/net/ipv4/route.c ++++ b/net/ipv4/route.c +@@ -1194,14 +1194,20 @@ static struct dst_entry *ipv4_dst_check( + + static void ipv4_link_failure(struct sk_buff *skb) + { +- struct rtable *rt; + struct ip_options opt; ++ struct rtable *rt; ++ int res; + + /* Recompile ip options since IPCB may not be valid anymore. + */ + memset(&opt, 0, sizeof(opt)); + opt.optlen = ip_hdr(skb)->ihl*4 - sizeof(struct iphdr); +- if (__ip_options_compile(dev_net(skb->dev), &opt, skb, NULL)) ++ ++ rcu_read_lock(); ++ res = __ip_options_compile(dev_net(skb->dev), &opt, skb, NULL); ++ rcu_read_unlock(); ++ ++ if (res) + return; + + __icmp_send(skb, ICMP_DEST_UNREACH, ICMP_HOST_UNREACH, 0, &opt); diff --git a/queue-4.14/ipv4-recompile-ip-options-in-ipv4_link_failure.patch b/queue-4.14/ipv4-recompile-ip-options-in-ipv4_link_failure.patch new file mode 100644 index 00000000000..f97d5bc9a81 --- /dev/null +++ b/queue-4.14/ipv4-recompile-ip-options-in-ipv4_link_failure.patch @@ -0,0 +1,42 @@ +From foo@baz Tue 23 Apr 2019 05:18:29 PM CEST +From: Stephen Suryaputra +Date: Fri, 12 Apr 2019 16:19:27 -0400 +Subject: ipv4: recompile ip options in ipv4_link_failure + +From: Stephen Suryaputra + +[ Upstream commit ed0de45a1008991fdaa27a0152befcb74d126a8b ] + +Recompile IP options since IPCB may not be valid anymore when +ipv4_link_failure is called from arp_error_report. + +Refer to the commit 3da1ed7ac398 ("net: avoid use IPCB in cipso_v4_error") +and the commit before that (9ef6b42ad6fd) for a similar issue. + +Signed-off-by: Stephen Suryaputra +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/route.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +--- a/net/ipv4/route.c ++++ b/net/ipv4/route.c +@@ -1195,8 +1195,16 @@ static struct dst_entry *ipv4_dst_check( + static void ipv4_link_failure(struct sk_buff *skb) + { + struct rtable *rt; ++ struct ip_options opt; + +- icmp_send(skb, ICMP_DEST_UNREACH, ICMP_HOST_UNREACH, 0); ++ /* Recompile ip options since IPCB may not be valid anymore. ++ */ ++ memset(&opt, 0, sizeof(opt)); ++ opt.optlen = ip_hdr(skb)->ihl*4 - sizeof(struct iphdr); ++ if (__ip_options_compile(dev_net(skb->dev), &opt, skb, NULL)) ++ return; ++ ++ __icmp_send(skb, ICMP_DEST_UNREACH, ICMP_HOST_UNREACH, 0, &opt); + + rt = skb_rtable(skb); + if (rt) diff --git a/queue-4.14/net-atm-fix-potential-spectre-v1-vulnerabilities.patch b/queue-4.14/net-atm-fix-potential-spectre-v1-vulnerabilities.patch new file mode 100644 index 00000000000..b74d9ec814f --- /dev/null +++ b/queue-4.14/net-atm-fix-potential-spectre-v1-vulnerabilities.patch @@ -0,0 +1,53 @@ +From foo@baz Tue 23 Apr 2019 05:18:29 PM CEST +From: "Gustavo A. R. Silva" +Date: Mon, 15 Apr 2019 15:57:23 -0500 +Subject: net: atm: Fix potential Spectre v1 vulnerabilities + +From: "Gustavo A. R. Silva" + +[ Upstream commit 899537b73557aafbdd11050b501cf54b4f5c45af ] + +arg is controlled by user-space, hence leading to a potential +exploitation of the Spectre variant 1 vulnerability. + +This issue was detected with the help of Smatch: + +net/atm/lec.c:715 lec_mcast_attach() warn: potential spectre issue 'dev_lec' [r] (local cap) + +Fix this by sanitizing arg before using it to index dev_lec. + +Notice that given that speculation windows are large, the policy is +to kill the speculation on the first load and not worry if it can be +completed with a dependent load/store [1]. + +[1] https://lore.kernel.org/lkml/20180423164740.GY17484@dhcp22.suse.cz/ + +Signed-off-by: Gustavo A. R. Silva +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/atm/lec.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/net/atm/lec.c ++++ b/net/atm/lec.c +@@ -710,7 +710,10 @@ static int lec_vcc_attach(struct atm_vcc + + static int lec_mcast_attach(struct atm_vcc *vcc, int arg) + { +- if (arg < 0 || arg >= MAX_LEC_ITF || !dev_lec[arg]) ++ if (arg < 0 || arg >= MAX_LEC_ITF) ++ return -EINVAL; ++ arg = array_index_nospec(arg, MAX_LEC_ITF); ++ if (!dev_lec[arg]) + return -EINVAL; + vcc->proto_data = dev_lec[arg]; + return lec_mcast_make(netdev_priv(dev_lec[arg]), vcc); +@@ -728,6 +731,7 @@ static int lecd_attach(struct atm_vcc *v + i = arg; + if (arg >= MAX_LEC_ITF) + return -EINVAL; ++ i = array_index_nospec(arg, MAX_LEC_ITF); + if (!dev_lec[i]) { + int size; + diff --git a/queue-4.14/net-bridge-fix-per-port-af_packet-sockets.patch b/queue-4.14/net-bridge-fix-per-port-af_packet-sockets.patch new file mode 100644 index 00000000000..29149388356 --- /dev/null +++ b/queue-4.14/net-bridge-fix-per-port-af_packet-sockets.patch @@ -0,0 +1,77 @@ +From foo@baz Tue 23 Apr 2019 05:18:29 PM CEST +From: Nikolay Aleksandrov +Date: Thu, 11 Apr 2019 13:56:39 +0300 +Subject: net: bridge: fix per-port af_packet sockets + +From: Nikolay Aleksandrov + +[ Upstream commit 3b2e2904deb314cc77a2192f506f2fd44e3d10d0 ] + +When the commit below was introduced it changed two visible things: + - the skb was no longer passed through the protocol handlers with the + original device + - the skb was passed up the stack with skb->dev = bridge + +The first change broke af_packet sockets on bridge ports. For example we +use them for hostapd which listens for ETH_P_PAE packets on the ports. +We discussed two possible fixes: + - create a clone and pass it through NF_HOOK(), act on the original skb + based on the result + - somehow signal to the caller from the okfn() that it was called, + meaning the skb is ok to be passed, which this patch is trying to + implement via returning 1 from the bridge link-local okfn() + +Note that we rely on the fact that NF_QUEUE/STOLEN would return 0 and +drop/error would return < 0 thus the okfn() is called only when the +return was 1, so we signal to the caller that it was called by preserving +the return value from nf_hook(). + +Fixes: 8626c56c8279 ("bridge: fix potential use-after-free when hook returns QUEUE or STOLEN verdict") +Signed-off-by: Nikolay Aleksandrov +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/bridge/br_input.c | 23 ++++++++++++++--------- + 1 file changed, 14 insertions(+), 9 deletions(-) + +--- a/net/bridge/br_input.c ++++ b/net/bridge/br_input.c +@@ -236,13 +236,10 @@ static void __br_handle_local_finish(str + /* note: already called with rcu_read_lock */ + static int br_handle_local_finish(struct net *net, struct sock *sk, struct sk_buff *skb) + { +- struct net_bridge_port *p = br_port_get_rcu(skb->dev); +- + __br_handle_local_finish(skb); + +- BR_INPUT_SKB_CB(skb)->brdev = p->br->dev; +- br_pass_frame_up(skb); +- return 0; ++ /* return 1 to signal the okfn() was called so it's ok to use the skb */ ++ return 1; + } + + /* +@@ -318,10 +315,18 @@ rx_handler_result_t br_handle_frame(stru + goto forward; + } + +- /* Deliver packet to local host only */ +- NF_HOOK(NFPROTO_BRIDGE, NF_BR_LOCAL_IN, dev_net(skb->dev), +- NULL, skb, skb->dev, NULL, br_handle_local_finish); +- return RX_HANDLER_CONSUMED; ++ /* The else clause should be hit when nf_hook(): ++ * - returns < 0 (drop/error) ++ * - returns = 0 (stolen/nf_queue) ++ * Thus return 1 from the okfn() to signal the skb is ok to pass ++ */ ++ if (NF_HOOK(NFPROTO_BRIDGE, NF_BR_LOCAL_IN, ++ dev_net(skb->dev), NULL, skb, skb->dev, NULL, ++ br_handle_local_finish) == 1) { ++ return RX_HANDLER_PASS; ++ } else { ++ return RX_HANDLER_CONSUMED; ++ } + } + + forward: diff --git a/queue-4.14/net-bridge-multicast-use-rcu-to-access-port-list-from-br_multicast_start_querier.patch b/queue-4.14/net-bridge-multicast-use-rcu-to-access-port-list-from-br_multicast_start_querier.patch new file mode 100644 index 00000000000..8a343d196a0 --- /dev/null +++ b/queue-4.14/net-bridge-multicast-use-rcu-to-access-port-list-from-br_multicast_start_querier.patch @@ -0,0 +1,41 @@ +From foo@baz Tue 23 Apr 2019 05:18:29 PM CEST +From: Nikolay Aleksandrov +Date: Thu, 11 Apr 2019 15:08:25 +0300 +Subject: net: bridge: multicast: use rcu to access port list from br_multicast_start_querier + +From: Nikolay Aleksandrov + +[ Upstream commit c5b493ce192bd7a4e7bd073b5685aad121eeef82 ] + +br_multicast_start_querier() walks over the port list but it can be +called from a timer with only multicast_lock held which doesn't protect +the port list, so use RCU to walk over it. + +Fixes: c83b8fab06fc ("bridge: Restart queries when last querier expires") +Signed-off-by: Nikolay Aleksandrov +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/bridge/br_multicast.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/net/bridge/br_multicast.c ++++ b/net/bridge/br_multicast.c +@@ -2119,7 +2119,8 @@ static void br_multicast_start_querier(s + + __br_multicast_open(br, query); + +- list_for_each_entry(port, &br->port_list, list) { ++ rcu_read_lock(); ++ list_for_each_entry_rcu(port, &br->port_list, list) { + if (port->state == BR_STATE_DISABLED || + port->state == BR_STATE_BLOCKING) + continue; +@@ -2131,6 +2132,7 @@ static void br_multicast_start_querier(s + br_multicast_enable(&port->ip6_own_query); + #endif + } ++ rcu_read_unlock(); + } + + int br_multicast_toggle(struct net_bridge *br, unsigned long val) diff --git a/queue-4.14/net-fou-do-not-use-guehdr-after-iptunnel_pull_offloads-in-gue_udp_recv.patch b/queue-4.14/net-fou-do-not-use-guehdr-after-iptunnel_pull_offloads-in-gue_udp_recv.patch new file mode 100644 index 00000000000..1b65d5d9800 --- /dev/null +++ b/queue-4.14/net-fou-do-not-use-guehdr-after-iptunnel_pull_offloads-in-gue_udp_recv.patch @@ -0,0 +1,48 @@ +From foo@baz Tue 23 Apr 2019 05:18:29 PM CEST +From: Lorenzo Bianconi +Date: Tue, 9 Apr 2019 11:47:20 +0200 +Subject: net: fou: do not use guehdr after iptunnel_pull_offloads in gue_udp_recv + +From: Lorenzo Bianconi + +[ Upstream commit 988dc4a9a3b66be75b30405a5494faf0dc7cffb6 ] + +gue tunnels run iptunnel_pull_offloads on received skbs. This can +determine a possible use-after-free accessing guehdr pointer since +the packet will be 'uncloned' running pskb_expand_head if it is a +cloned gso skb (e.g if the packet has been sent though a veth device) + +Fixes: a09a4c8dd1ec ("tunnels: Remove encapsulation offloads on decap") +Signed-off-by: Lorenzo Bianconi +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/fou.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/net/ipv4/fou.c ++++ b/net/ipv4/fou.c +@@ -120,6 +120,7 @@ static int gue_udp_recv(struct sock *sk, + struct guehdr *guehdr; + void *data; + u16 doffset = 0; ++ u8 proto_ctype; + + if (!fou) + return 1; +@@ -211,13 +212,14 @@ static int gue_udp_recv(struct sock *sk, + if (unlikely(guehdr->control)) + return gue_control_message(skb, guehdr); + ++ proto_ctype = guehdr->proto_ctype; + __skb_pull(skb, sizeof(struct udphdr) + hdrlen); + skb_reset_transport_header(skb); + + if (iptunnel_pull_offloads(skb)) + goto drop; + +- return -guehdr->proto_ctype; ++ return -proto_ctype; + + drop: + kfree_skb(skb); diff --git a/queue-4.14/net-thunderx-don-t-allow-jumbo-frames-with-xdp.patch b/queue-4.14/net-thunderx-don-t-allow-jumbo-frames-with-xdp.patch new file mode 100644 index 00000000000..0c075c4c00b --- /dev/null +++ b/queue-4.14/net-thunderx-don-t-allow-jumbo-frames-with-xdp.patch @@ -0,0 +1,41 @@ +From foo@baz Tue 23 Apr 2019 05:18:29 PM CEST +From: Matteo Croce +Date: Thu, 11 Apr 2019 12:26:33 +0200 +Subject: net: thunderx: don't allow jumbo frames with XDP + +From: Matteo Croce + +[ Upstream commit 1f227d16083b2e280b7dde4ca78883d75593f2fd ] + +The thunderx driver forbids to load an eBPF program if the MTU is too high, +but this can be circumvented by loading the eBPF, then raising the MTU. + +Fix this by limiting the MTU if an eBPF program is already loaded. + +Fixes: 05c773f52b96e ("net: thunderx: Add basic XDP support") +Signed-off-by: Matteo Croce +Acked-by: Jesper Dangaard Brouer +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/cavium/thunder/nicvf_main.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/drivers/net/ethernet/cavium/thunder/nicvf_main.c ++++ b/drivers/net/ethernet/cavium/thunder/nicvf_main.c +@@ -1461,6 +1461,15 @@ static int nicvf_change_mtu(struct net_d + struct nicvf *nic = netdev_priv(netdev); + int orig_mtu = netdev->mtu; + ++ /* For now just support only the usual MTU sized frames, ++ * plus some headroom for VLAN, QinQ. ++ */ ++ if (nic->xdp_prog && new_mtu > MAX_XDP_MTU) { ++ netdev_warn(netdev, "Jumbo frames not yet supported with XDP, current MTU %d.\n", ++ netdev->mtu); ++ return -EINVAL; ++ } ++ + netdev->mtu = new_mtu; + + if (!netif_running(netdev)) diff --git a/queue-4.14/net-thunderx-raise-xdp-mtu-to-1508.patch b/queue-4.14/net-thunderx-raise-xdp-mtu-to-1508.patch new file mode 100644 index 00000000000..81b5e326c47 --- /dev/null +++ b/queue-4.14/net-thunderx-raise-xdp-mtu-to-1508.patch @@ -0,0 +1,55 @@ +From foo@baz Tue 23 Apr 2019 05:18:29 PM CEST +From: Matteo Croce +Date: Thu, 11 Apr 2019 12:26:32 +0200 +Subject: net: thunderx: raise XDP MTU to 1508 + +From: Matteo Croce + +[ Upstream commit 5ee15c101f29e0093ffb5448773ccbc786eb313b ] + +The thunderx driver splits frames bigger than 1530 bytes to multiple +pages, making impossible to run an eBPF program on it. +This leads to a maximum MTU of 1508 if QinQ is in use. + +The thunderx driver forbids to load an eBPF program if the MTU is higher +than 1500 bytes. Raise the limit to 1508 so it is possible to use L2 +protocols which need some more headroom. + +Fixes: 05c773f52b96e ("net: thunderx: Add basic XDP support") +Signed-off-by: Matteo Croce +Acked-by: Jesper Dangaard Brouer +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/cavium/thunder/nicvf_main.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/cavium/thunder/nicvf_main.c ++++ b/drivers/net/ethernet/cavium/thunder/nicvf_main.c +@@ -29,6 +29,13 @@ + #define DRV_NAME "thunder-nicvf" + #define DRV_VERSION "1.0" + ++/* NOTE: Packets bigger than 1530 are split across multiple pages and XDP needs ++ * the buffer to be contiguous. Allow XDP to be set up only if we don't exceed ++ * this value, keeping headroom for the 14 byte Ethernet header and two ++ * VLAN tags (for QinQ) ++ */ ++#define MAX_XDP_MTU (1530 - ETH_HLEN - VLAN_HLEN * 2) ++ + /* Supported devices */ + static const struct pci_device_id nicvf_id_table[] = { + { PCI_DEVICE_SUB(PCI_VENDOR_ID_CAVIUM, +@@ -1702,8 +1709,10 @@ static int nicvf_xdp_setup(struct nicvf + bool bpf_attached = false; + int ret = 0; + +- /* For now just support only the usual MTU sized frames */ +- if (prog && (dev->mtu > 1500)) { ++ /* For now just support only the usual MTU sized frames, ++ * plus some headroom for VLAN, QinQ. ++ */ ++ if (prog && dev->mtu > MAX_XDP_MTU) { + netdev_warn(dev, "Jumbo frames not yet supported with XDP, current MTU %d.\n", + dev->mtu); + return -EOPNOTSUPP; diff --git a/queue-4.14/series b/queue-4.14/series new file mode 100644 index 00000000000..da21cd8d8ed --- /dev/null +++ b/queue-4.14/series @@ -0,0 +1,12 @@ +bonding-fix-event-handling-for-stacked-bonds.patch +net-atm-fix-potential-spectre-v1-vulnerabilities.patch +net-bridge-fix-per-port-af_packet-sockets.patch +net-bridge-multicast-use-rcu-to-access-port-list-from-br_multicast_start_querier.patch +net-fou-do-not-use-guehdr-after-iptunnel_pull_offloads-in-gue_udp_recv.patch +tcp-tcp_grow_window-needs-to-respect-tcp_space.patch +team-set-slave-to-promisc-if-team-is-already-in-promisc-mode.patch +vhost-reject-zero-size-iova-range.patch +ipv4-recompile-ip-options-in-ipv4_link_failure.patch +ipv4-ensure-rcu_read_lock-in-ipv4_link_failure.patch +net-thunderx-raise-xdp-mtu-to-1508.patch +net-thunderx-don-t-allow-jumbo-frames-with-xdp.patch diff --git a/queue-4.14/tcp-tcp_grow_window-needs-to-respect-tcp_space.patch b/queue-4.14/tcp-tcp_grow_window-needs-to-respect-tcp_space.patch new file mode 100644 index 00000000000..923429281bd --- /dev/null +++ b/queue-4.14/tcp-tcp_grow_window-needs-to-respect-tcp_space.patch @@ -0,0 +1,63 @@ +From foo@baz Tue 23 Apr 2019 05:18:29 PM CEST +From: Eric Dumazet +Date: Tue, 16 Apr 2019 10:55:20 -0700 +Subject: tcp: tcp_grow_window() needs to respect tcp_space() + +From: Eric Dumazet + +[ Upstream commit 50ce163a72d817a99e8974222dcf2886d5deb1ae ] + +For some reason, tcp_grow_window() correctly tests if enough room +is present before attempting to increase tp->rcv_ssthresh, +but does not prevent it to grow past tcp_space() + +This is causing hard to debug issues, like failing +the (__tcp_select_window(sk) >= tp->rcv_wnd) test +in __tcp_ack_snd_check(), causing ACK delays and possibly +slow flows. + +Depending on tcp_rmem[2], MTU, skb->len/skb->truesize ratio, +we can see the problem happening on "netperf -t TCP_RR -- -r 2000,2000" +after about 60 round trips, when the active side no longer sends +immediate acks. + +This bug predates git history. + +Signed-off-by: Eric Dumazet +Acked-by: Soheil Hassas Yeganeh +Acked-by: Neal Cardwell +Acked-by: Wei Wang +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/tcp_input.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +--- a/net/ipv4/tcp_input.c ++++ b/net/ipv4/tcp_input.c +@@ -389,11 +389,12 @@ static int __tcp_grow_window(const struc + static void tcp_grow_window(struct sock *sk, const struct sk_buff *skb) + { + struct tcp_sock *tp = tcp_sk(sk); ++ int room; ++ ++ room = min_t(int, tp->window_clamp, tcp_space(sk)) - tp->rcv_ssthresh; + + /* Check #1 */ +- if (tp->rcv_ssthresh < tp->window_clamp && +- (int)tp->rcv_ssthresh < tcp_space(sk) && +- !tcp_under_memory_pressure(sk)) { ++ if (room > 0 && !tcp_under_memory_pressure(sk)) { + int incr; + + /* Check #2. Increase window, if skb with such overhead +@@ -406,8 +407,7 @@ static void tcp_grow_window(struct sock + + if (incr) { + incr = max_t(int, incr, 2 * skb->len); +- tp->rcv_ssthresh = min(tp->rcv_ssthresh + incr, +- tp->window_clamp); ++ tp->rcv_ssthresh += min(room, incr); + inet_csk(sk)->icsk_ack.quick |= 1; + } + } diff --git a/queue-4.14/team-set-slave-to-promisc-if-team-is-already-in-promisc-mode.patch b/queue-4.14/team-set-slave-to-promisc-if-team-is-already-in-promisc-mode.patch new file mode 100644 index 00000000000..b1eca5007c4 --- /dev/null +++ b/queue-4.14/team-set-slave-to-promisc-if-team-is-already-in-promisc-mode.patch @@ -0,0 +1,73 @@ +From foo@baz Tue 23 Apr 2019 05:18:29 PM CEST +From: Hangbin Liu +Date: Mon, 8 Apr 2019 16:45:17 +0800 +Subject: team: set slave to promisc if team is already in promisc mode + +From: Hangbin Liu + +[ Upstream commit 43c2adb9df7ddd6560fd3546d925b42cef92daa0 ] + +After adding a team interface to bridge, the team interface will enter +promisc mode. Then if we add a new slave to team0, the slave will keep +promisc off. Fix it by setting slave to promisc on if team master is +already in promisc mode, also do the same for allmulti. + +v2: add promisc and allmulti checking when delete ports + +Fixes: 3d249d4ca7d0 ("net: introduce ethernet teaming device") +Signed-off-by: Hangbin Liu +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/team/team.c | 26 ++++++++++++++++++++++++++ + 1 file changed, 26 insertions(+) + +--- a/drivers/net/team/team.c ++++ b/drivers/net/team/team.c +@@ -1245,6 +1245,23 @@ static int team_port_add(struct team *te + goto err_option_port_add; + } + ++ /* set promiscuity level to new slave */ ++ if (dev->flags & IFF_PROMISC) { ++ err = dev_set_promiscuity(port_dev, 1); ++ if (err) ++ goto err_set_slave_promisc; ++ } ++ ++ /* set allmulti level to new slave */ ++ if (dev->flags & IFF_ALLMULTI) { ++ err = dev_set_allmulti(port_dev, 1); ++ if (err) { ++ if (dev->flags & IFF_PROMISC) ++ dev_set_promiscuity(port_dev, -1); ++ goto err_set_slave_promisc; ++ } ++ } ++ + netif_addr_lock_bh(dev); + dev_uc_sync_multiple(port_dev, dev); + dev_mc_sync_multiple(port_dev, dev); +@@ -1261,6 +1278,9 @@ static int team_port_add(struct team *te + + return 0; + ++err_set_slave_promisc: ++ __team_option_inst_del_port(team, port); ++ + err_option_port_add: + team_upper_dev_unlink(team, port); + +@@ -1306,6 +1326,12 @@ static int team_port_del(struct team *te + + team_port_disable(team, port); + list_del_rcu(&port->list); ++ ++ if (dev->flags & IFF_PROMISC) ++ dev_set_promiscuity(port_dev, -1); ++ if (dev->flags & IFF_ALLMULTI) ++ dev_set_allmulti(port_dev, -1); ++ + team_upper_dev_unlink(team, port); + netdev_rx_handler_unregister(port_dev); + team_port_disable_netpoll(port); diff --git a/queue-4.14/vhost-reject-zero-size-iova-range.patch b/queue-4.14/vhost-reject-zero-size-iova-range.patch new file mode 100644 index 00000000000..bbe29643845 --- /dev/null +++ b/queue-4.14/vhost-reject-zero-size-iova-range.patch @@ -0,0 +1,38 @@ +From foo@baz Tue 23 Apr 2019 05:18:29 PM CEST +From: Jason Wang +Date: Tue, 9 Apr 2019 12:10:25 +0800 +Subject: vhost: reject zero size iova range + +From: Jason Wang + +[ Upstream commit 813dbeb656d6c90266f251d8bd2b02d445afa63f ] + +We used to accept zero size iova range which will lead a infinite loop +in translate_desc(). Fixing this by failing the request in this case. + +Reported-by: syzbot+d21e6e297322a900c128@syzkaller.appspotmail.com +Fixes: 6b1e6cc7 ("vhost: new device IOTLB API") +Signed-off-by: Jason Wang +Acked-by: Michael S. Tsirkin +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/vhost/vhost.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/vhost/vhost.c ++++ b/drivers/vhost/vhost.c +@@ -918,8 +918,12 @@ static int vhost_new_umem_range(struct v + u64 start, u64 size, u64 end, + u64 userspace_addr, int perm) + { +- struct vhost_umem_node *tmp, *node = kmalloc(sizeof(*node), GFP_ATOMIC); ++ struct vhost_umem_node *tmp, *node; + ++ if (!size) ++ return -EFAULT; ++ ++ node = kmalloc(sizeof(*node), GFP_ATOMIC); + if (!node) + return -ENOMEM; +