From: Greg Kroah-Hartman Date: Mon, 25 Jan 2021 15:29:02 +0000 (+0100) Subject: 4.19-stable patches X-Git-Tag: v4.19.171~16 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=0bb1f21c76133f43d254019082a327dc6de88beb;p=thirdparty%2Fkernel%2Fstable-queue.git 4.19-stable patches added patches: ipv6-create-multicast-route-with-rtprot_kernel.patch ipv6-set-multicast-flag-on-the-multicast-route.patch kasan-fix-incorrect-arguments-passing-in-kasan_add_zero_shadow.patch kasan-fix-unaligned-address-is-unhandled-in-kasan_remove_zero_shadow.patch net-disable-netif_f_hw_tls_rx-when-rxcsum-is-disabled.patch net-dsa-b53-fix-an-off-by-one-in-checking-vlan-vid.patch net-dsa-mv88e6xxx-also-read-stu-state-in-mv88e6250_g1_vtu_getnext.patch net-mscc-ocelot-allow-offloading-of-bridge-on-top-of-lag.patch net_sched-avoid-shift-out-of-bounds-in-tcindex_set_parms.patch net_sched-reject-silly-cell_log-in-qdisc_get_rtab.patch netfilter-rpfilter-mask-ecn-bits-before-fib-lookup.patch sh-dma-fix-kconfig-dependency-for-g2_dma.patch sh_eth-fix-power-down-vs.-is_opened-flag-ordering.patch skbuff-back-tiny-skbs-with-kmalloc-in-__netdev_alloc_skb-too.patch udp-mask-tos-bits-in-udp_v4_early_demux.patch --- diff --git a/queue-4.19/ipv6-create-multicast-route-with-rtprot_kernel.patch b/queue-4.19/ipv6-create-multicast-route-with-rtprot_kernel.patch new file mode 100644 index 00000000000..8fdac1516da --- /dev/null +++ b/queue-4.19/ipv6-create-multicast-route-with-rtprot_kernel.patch @@ -0,0 +1,40 @@ +From a826b04303a40d52439aa141035fca5654ccaccd Mon Sep 17 00:00:00 2001 +From: Matteo Croce +Date: Fri, 15 Jan 2021 19:42:08 +0100 +Subject: ipv6: create multicast route with RTPROT_KERNEL + +From: Matteo Croce + +commit a826b04303a40d52439aa141035fca5654ccaccd upstream. + +The ff00::/8 multicast route is created without specifying the fc_protocol +field, so the default RTPROT_BOOT value is used: + + $ ip -6 -d route + unicast ::1 dev lo proto kernel scope global metric 256 pref medium + unicast fe80::/64 dev eth0 proto kernel scope global metric 256 pref medium + unicast ff00::/8 dev eth0 proto boot scope global metric 256 pref medium + +As the documentation says, this value identifies routes installed during +boot, but the route is created when interface is set up. +Change the value to RTPROT_KERNEL which is a better value. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Matteo Croce +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman + +--- + net/ipv6/addrconf.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/ipv6/addrconf.c ++++ b/net/ipv6/addrconf.c +@@ -2397,6 +2397,7 @@ static void addrconf_add_mroute(struct n + .fc_flags = RTF_UP, + .fc_type = RTN_UNICAST, + .fc_nlinfo.nl_net = dev_net(dev), ++ .fc_protocol = RTPROT_KERNEL, + }; + + ipv6_addr_set(&cfg.fc_dst, htonl(0xFF000000), 0, 0, 0); diff --git a/queue-4.19/ipv6-set-multicast-flag-on-the-multicast-route.patch b/queue-4.19/ipv6-set-multicast-flag-on-the-multicast-route.patch new file mode 100644 index 00000000000..c44d94afa37 --- /dev/null +++ b/queue-4.19/ipv6-set-multicast-flag-on-the-multicast-route.patch @@ -0,0 +1,38 @@ +From ceed9038b2783d14e0422bdc6fd04f70580efb4c Mon Sep 17 00:00:00 2001 +From: Matteo Croce +Date: Fri, 15 Jan 2021 19:42:09 +0100 +Subject: ipv6: set multicast flag on the multicast route + +From: Matteo Croce + +commit ceed9038b2783d14e0422bdc6fd04f70580efb4c upstream. + +The multicast route ff00::/8 is created with type RTN_UNICAST: + + $ ip -6 -d route + unicast ::1 dev lo proto kernel scope global metric 256 pref medium + unicast fe80::/64 dev eth0 proto kernel scope global metric 256 pref medium + unicast ff00::/8 dev eth0 proto kernel scope global metric 256 pref medium + +Set the type to RTN_MULTICAST which is more appropriate. + +Fixes: e8478e80e5a7 ("net/ipv6: Save route type in rt6_info") +Signed-off-by: Matteo Croce +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman + +--- + net/ipv6/addrconf.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/ipv6/addrconf.c ++++ b/net/ipv6/addrconf.c +@@ -2395,7 +2395,7 @@ static void addrconf_add_mroute(struct n + .fc_ifindex = dev->ifindex, + .fc_dst_len = 8, + .fc_flags = RTF_UP, +- .fc_type = RTN_UNICAST, ++ .fc_type = RTN_MULTICAST, + .fc_nlinfo.nl_net = dev_net(dev), + .fc_protocol = RTPROT_KERNEL, + }; diff --git a/queue-4.19/kasan-fix-incorrect-arguments-passing-in-kasan_add_zero_shadow.patch b/queue-4.19/kasan-fix-incorrect-arguments-passing-in-kasan_add_zero_shadow.patch new file mode 100644 index 00000000000..b4d22f1afd6 --- /dev/null +++ b/queue-4.19/kasan-fix-incorrect-arguments-passing-in-kasan_add_zero_shadow.patch @@ -0,0 +1,39 @@ +From 5dabd1712cd056814f9ab15f1d68157ceb04e741 Mon Sep 17 00:00:00 2001 +From: Lecopzer Chen +Date: Sat, 23 Jan 2021 21:01:29 -0800 +Subject: kasan: fix incorrect arguments passing in kasan_add_zero_shadow + +From: Lecopzer Chen + +commit 5dabd1712cd056814f9ab15f1d68157ceb04e741 upstream. + +kasan_remove_zero_shadow() shall use original virtual address, start and +size, instead of shadow address. + +Link: https://lkml.kernel.org/r/20210103063847.5963-1-lecopzer@gmail.com +Fixes: 0207df4fa1a86 ("kernel/memremap, kasan: make ZONE_DEVICE with work with KASAN") +Signed-off-by: Lecopzer Chen +Reviewed-by: Andrey Konovalov +Cc: Andrey Ryabinin +Cc: Dan Williams +Cc: Dmitry Vyukov +Cc: Alexander Potapenko +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/kasan/kasan_init.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/mm/kasan/kasan_init.c ++++ b/mm/kasan/kasan_init.c +@@ -487,7 +487,6 @@ int kasan_add_zero_shadow(void *start, u + + ret = kasan_populate_zero_shadow(shadow_start, shadow_end); + if (ret) +- kasan_remove_zero_shadow(shadow_start, +- size >> KASAN_SHADOW_SCALE_SHIFT); ++ kasan_remove_zero_shadow(start, size); + return ret; + } diff --git a/queue-4.19/kasan-fix-unaligned-address-is-unhandled-in-kasan_remove_zero_shadow.patch b/queue-4.19/kasan-fix-unaligned-address-is-unhandled-in-kasan_remove_zero_shadow.patch new file mode 100644 index 00000000000..7cddf898ecd --- /dev/null +++ b/queue-4.19/kasan-fix-unaligned-address-is-unhandled-in-kasan_remove_zero_shadow.patch @@ -0,0 +1,101 @@ +From a11a496ee6e2ab6ed850233c96b94caf042af0b9 Mon Sep 17 00:00:00 2001 +From: Lecopzer Chen +Date: Sat, 23 Jan 2021 21:01:25 -0800 +Subject: kasan: fix unaligned address is unhandled in kasan_remove_zero_shadow + +From: Lecopzer Chen + +commit a11a496ee6e2ab6ed850233c96b94caf042af0b9 upstream. + +During testing kasan_populate_early_shadow and kasan_remove_zero_shadow, +if the shadow start and end address in kasan_remove_zero_shadow() is not +aligned to PMD_SIZE, the remain unaligned PTE won't be removed. + +In the test case for kasan_remove_zero_shadow(): + + shadow_start: 0xffffffb802000000, shadow end: 0xffffffbfbe000000 + + 3-level page table: + PUD_SIZE: 0x40000000 PMD_SIZE: 0x200000 PAGE_SIZE: 4K + +0xffffffbf80000000 ~ 0xffffffbfbdf80000 will not be removed because in +kasan_remove_pud_table(), kasan_pmd_table(*pud) is true but the next +address is 0xffffffbfbdf80000 which is not aligned to PUD_SIZE. + +In the correct condition, this should fallback to the next level +kasan_remove_pmd_table() but the condition flow always continue to skip +the unaligned part. + +Fix by correcting the condition when next and addr are neither aligned. + +Link: https://lkml.kernel.org/r/20210103135621.83129-1-lecopzer@gmail.com +Fixes: 0207df4fa1a86 ("kernel/memremap, kasan: make ZONE_DEVICE with work with KASAN") +Signed-off-by: Lecopzer Chen +Cc: Andrey Ryabinin +Cc: Dan Williams +Cc: Dmitry Vyukov +Cc: Alexander Potapenko +Cc: YJ Chiang +Cc: Andrey Konovalov +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/kasan/kasan_init.c | 20 ++++++++++++-------- + 1 file changed, 12 insertions(+), 8 deletions(-) + +--- a/mm/kasan/kasan_init.c ++++ b/mm/kasan/kasan_init.c +@@ -372,9 +372,10 @@ static void kasan_remove_pmd_table(pmd_t + + if (kasan_pte_table(*pmd)) { + if (IS_ALIGNED(addr, PMD_SIZE) && +- IS_ALIGNED(next, PMD_SIZE)) ++ IS_ALIGNED(next, PMD_SIZE)) { + pmd_clear(pmd); +- continue; ++ continue; ++ } + } + pte = pte_offset_kernel(pmd, addr); + kasan_remove_pte_table(pte, addr, next); +@@ -397,9 +398,10 @@ static void kasan_remove_pud_table(pud_t + + if (kasan_pmd_table(*pud)) { + if (IS_ALIGNED(addr, PUD_SIZE) && +- IS_ALIGNED(next, PUD_SIZE)) ++ IS_ALIGNED(next, PUD_SIZE)) { + pud_clear(pud); +- continue; ++ continue; ++ } + } + pmd = pmd_offset(pud, addr); + pmd_base = pmd_offset(pud, 0); +@@ -423,9 +425,10 @@ static void kasan_remove_p4d_table(p4d_t + + if (kasan_pud_table(*p4d)) { + if (IS_ALIGNED(addr, P4D_SIZE) && +- IS_ALIGNED(next, P4D_SIZE)) ++ IS_ALIGNED(next, P4D_SIZE)) { + p4d_clear(p4d); +- continue; ++ continue; ++ } + } + pud = pud_offset(p4d, addr); + kasan_remove_pud_table(pud, addr, next); +@@ -457,9 +460,10 @@ void kasan_remove_zero_shadow(void *star + + if (kasan_p4d_table(*pgd)) { + if (IS_ALIGNED(addr, PGDIR_SIZE) && +- IS_ALIGNED(next, PGDIR_SIZE)) ++ IS_ALIGNED(next, PGDIR_SIZE)) { + pgd_clear(pgd); +- continue; ++ continue; ++ } + } + + p4d = p4d_offset(pgd, addr); diff --git a/queue-4.19/net-disable-netif_f_hw_tls_rx-when-rxcsum-is-disabled.patch b/queue-4.19/net-disable-netif_f_hw_tls_rx-when-rxcsum-is-disabled.patch new file mode 100644 index 00000000000..e9ba4c62c63 --- /dev/null +++ b/queue-4.19/net-disable-netif_f_hw_tls_rx-when-rxcsum-is-disabled.patch @@ -0,0 +1,37 @@ +From a3eb4e9d4c9218476d05c52dfd2be3d6fdce6b91 Mon Sep 17 00:00:00 2001 +From: Tariq Toukan +Date: Sun, 17 Jan 2021 17:15:38 +0200 +Subject: net: Disable NETIF_F_HW_TLS_RX when RXCSUM is disabled + +From: Tariq Toukan + +commit a3eb4e9d4c9218476d05c52dfd2be3d6fdce6b91 upstream. + +With NETIF_F_HW_TLS_RX packets are decrypted in HW. This cannot be +logically done when RXCSUM offload is off. + +Fixes: 14136564c8ee ("net: Add TLS RX offload feature") +Signed-off-by: Tariq Toukan +Reviewed-by: Boris Pismenny +Link: https://lore.kernel.org/r/20210117151538.9411-1-tariqt@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman + +--- + net/core/dev.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -8351,6 +8351,11 @@ static netdev_features_t netdev_fix_feat + } + } + ++ if ((features & NETIF_F_HW_TLS_RX) && !(features & NETIF_F_RXCSUM)) { ++ netdev_dbg(dev, "Dropping TLS RX HW offload feature since no RXCSUM feature.\n"); ++ features &= ~NETIF_F_HW_TLS_RX; ++ } ++ + return features; + } + diff --git a/queue-4.19/net-dsa-b53-fix-an-off-by-one-in-checking-vlan-vid.patch b/queue-4.19/net-dsa-b53-fix-an-off-by-one-in-checking-vlan-vid.patch new file mode 100644 index 00000000000..dd456c36538 --- /dev/null +++ b/queue-4.19/net-dsa-b53-fix-an-off-by-one-in-checking-vlan-vid.patch @@ -0,0 +1,36 @@ +From 8e4052c32d6b4b39c1e13c652c7e33748d447409 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Tue, 19 Jan 2021 17:48:03 +0300 +Subject: net: dsa: b53: fix an off by one in checking "vlan->vid" + +From: Dan Carpenter + +commit 8e4052c32d6b4b39c1e13c652c7e33748d447409 upstream. + +The > comparison should be >= to prevent accessing one element beyond +the end of the dev->vlans[] array in the caller function, b53_vlan_add(). +The "dev->vlans" array is allocated in the b53_switch_init() function +and it has "dev->num_vlans" elements. + +Fixes: a2482d2ce349 ("net: dsa: b53: Plug in VLAN support") +Signed-off-by: Dan Carpenter +Acked-by: Florian Fainelli +Link: https://lore.kernel.org/r/YAbxI97Dl/pmBy5V@mwanda +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/dsa/b53/b53_common.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/dsa/b53/b53_common.c ++++ b/drivers/net/dsa/b53/b53_common.c +@@ -1142,7 +1142,7 @@ int b53_vlan_prepare(struct dsa_switch * + if ((is5325(dev) || is5365(dev)) && vlan->vid_begin == 0) + return -EOPNOTSUPP; + +- if (vlan->vid_end > dev->num_vlans) ++ if (vlan->vid_end >= dev->num_vlans) + return -ERANGE; + + b53_enable_vlan(dev, true, dev->vlan_filtering_enabled); diff --git a/queue-4.19/net-dsa-mv88e6xxx-also-read-stu-state-in-mv88e6250_g1_vtu_getnext.patch b/queue-4.19/net-dsa-mv88e6xxx-also-read-stu-state-in-mv88e6250_g1_vtu_getnext.patch new file mode 100644 index 00000000000..f5710dd8cc7 --- /dev/null +++ b/queue-4.19/net-dsa-mv88e6xxx-also-read-stu-state-in-mv88e6250_g1_vtu_getnext.patch @@ -0,0 +1,48 @@ +From 87fe04367d842c4d97a77303242d4dd4ac351e46 Mon Sep 17 00:00:00 2001 +From: Rasmus Villemoes +Date: Sat, 16 Jan 2021 03:39:35 +0100 +Subject: net: dsa: mv88e6xxx: also read STU state in mv88e6250_g1_vtu_getnext + +From: Rasmus Villemoes + +commit 87fe04367d842c4d97a77303242d4dd4ac351e46 upstream. + +mv88e6xxx_port_vlan_join checks whether the VTU already contains an +entry for the given vid (via mv88e6xxx_vtu_getnext), and if so, merely +changes the relevant .member[] element and loads the updated entry +into the VTU. + +However, at least for the mv88e6250, the on-stack struct +mv88e6xxx_vtu_entry vlan never has its .state[] array explicitly +initialized, neither in mv88e6xxx_port_vlan_join() nor inside the +getnext implementation. So the new entry has random garbage for the +STU bits, breaking VLAN filtering. + +When the VTU entry is initially created, those bits are all zero, and +we should make sure to keep them that way when the entry is updated. + +Fixes: 92307069a96c (net: dsa: mv88e6xxx: Avoid VTU corruption on 6097) +Signed-off-by: Rasmus Villemoes +Reviewed-by: Florian Fainelli +Reviewed-by: Tobias Waldekranz +Tested-by: Tobias Waldekranz +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/dsa/mv88e6xxx/global1_vtu.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/net/dsa/mv88e6xxx/global1_vtu.c ++++ b/drivers/net/dsa/mv88e6xxx/global1_vtu.c +@@ -357,6 +357,10 @@ int mv88e6185_g1_vtu_getnext(struct mv88 + if (err) + return err; + ++ err = mv88e6185_g1_stu_data_read(chip, entry); ++ if (err) ++ return err; ++ + /* VTU DBNum[3:0] are located in VTU Operation 3:0 + * VTU DBNum[7:4] are located in VTU Operation 11:8 + */ diff --git a/queue-4.19/net-mscc-ocelot-allow-offloading-of-bridge-on-top-of-lag.patch b/queue-4.19/net-mscc-ocelot-allow-offloading-of-bridge-on-top-of-lag.patch new file mode 100644 index 00000000000..350c8f9ac9a --- /dev/null +++ b/queue-4.19/net-mscc-ocelot-allow-offloading-of-bridge-on-top-of-lag.patch @@ -0,0 +1,44 @@ +From 79267ae22615496655feee2db0848f6786bcf67a Mon Sep 17 00:00:00 2001 +From: Vladimir Oltean +Date: Mon, 18 Jan 2021 15:52:10 +0200 +Subject: net: mscc: ocelot: allow offloading of bridge on top of LAG + +From: Vladimir Oltean + +commit 79267ae22615496655feee2db0848f6786bcf67a upstream. + +The blamed commit was too aggressive, and it made ocelot_netdevice_event +react only to network interface events emitted for the ocelot switch +ports. + +In fact, only the PRECHANGEUPPER should have had that check. + +When we ignore all events that are not for us, we miss the fact that the +upper of the LAG changes, and the bonding interface gets enslaved to a +bridge. This is an operation we could offload under certain conditions. + +Fixes: 7afb3e575e5a ("net: mscc: ocelot: don't handle netdev events for other netdevs") +Signed-off-by: Vladimir Oltean +Reviewed-by: Alexandre Belloni +Link: https://lore.kernel.org/r/20210118135210.2666246-1-olteanv@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/ethernet/mscc/ocelot.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +--- a/drivers/net/ethernet/mscc/ocelot.c ++++ b/drivers/net/ethernet/mscc/ocelot.c +@@ -1549,10 +1549,8 @@ static int ocelot_netdevice_event(struct + struct net_device *dev = netdev_notifier_info_to_dev(ptr); + int ret = 0; + +- if (!ocelot_netdevice_dev_check(dev)) +- return 0; +- + if (event == NETDEV_PRECHANGEUPPER && ++ ocelot_netdevice_dev_check(dev) && + netif_is_lag_master(info->upper_dev)) { + struct netdev_lag_upper_info *lag_upper_info = info->upper_info; + struct netlink_ext_ack *extack; diff --git a/queue-4.19/net_sched-avoid-shift-out-of-bounds-in-tcindex_set_parms.patch b/queue-4.19/net_sched-avoid-shift-out-of-bounds-in-tcindex_set_parms.patch new file mode 100644 index 00000000000..c8b2fde669e --- /dev/null +++ b/queue-4.19/net_sched-avoid-shift-out-of-bounds-in-tcindex_set_parms.patch @@ -0,0 +1,67 @@ +From bcd0cf19ef8258ac31b9a20248b05c15a1f4b4b0 Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Thu, 14 Jan 2021 10:52:29 -0800 +Subject: net_sched: avoid shift-out-of-bounds in tcindex_set_parms() + +From: Eric Dumazet + +commit bcd0cf19ef8258ac31b9a20248b05c15a1f4b4b0 upstream. + +tc_index being 16bit wide, we need to check that TCA_TCINDEX_SHIFT +attribute is not silly. + +UBSAN: shift-out-of-bounds in net/sched/cls_tcindex.c:260:29 +shift exponent 255 is too large for 32-bit type 'int' +CPU: 0 PID: 8516 Comm: syz-executor228 Not tainted 5.10.0-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:79 [inline] + dump_stack+0x107/0x163 lib/dump_stack.c:120 + ubsan_epilogue+0xb/0x5a lib/ubsan.c:148 + __ubsan_handle_shift_out_of_bounds.cold+0xb1/0x181 lib/ubsan.c:395 + valid_perfect_hash net/sched/cls_tcindex.c:260 [inline] + tcindex_set_parms.cold+0x1b/0x215 net/sched/cls_tcindex.c:425 + tcindex_change+0x232/0x340 net/sched/cls_tcindex.c:546 + tc_new_tfilter+0x13fb/0x21b0 net/sched/cls_api.c:2127 + rtnetlink_rcv_msg+0x8b6/0xb80 net/core/rtnetlink.c:5555 + netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2494 + netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline] + netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1330 + netlink_sendmsg+0x907/0xe40 net/netlink/af_netlink.c:1919 + sock_sendmsg_nosec net/socket.c:652 [inline] + sock_sendmsg+0xcf/0x120 net/socket.c:672 + ____sys_sendmsg+0x6e8/0x810 net/socket.c:2336 + ___sys_sendmsg+0xf3/0x170 net/socket.c:2390 + __sys_sendmsg+0xe5/0x1b0 net/socket.c:2423 + do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Link: https://lore.kernel.org/r/20210114185229.1742255-1-eric.dumazet@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman + +--- + net/sched/cls_tcindex.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/net/sched/cls_tcindex.c ++++ b/net/sched/cls_tcindex.c +@@ -339,9 +339,13 @@ tcindex_set_parms(struct net *net, struc + if (tb[TCA_TCINDEX_MASK]) + cp->mask = nla_get_u16(tb[TCA_TCINDEX_MASK]); + +- if (tb[TCA_TCINDEX_SHIFT]) ++ if (tb[TCA_TCINDEX_SHIFT]) { + cp->shift = nla_get_u32(tb[TCA_TCINDEX_SHIFT]); +- ++ if (cp->shift > 16) { ++ err = -EINVAL; ++ goto errout; ++ } ++ } + if (!cp->hash) { + /* Hash not specified, use perfect hash if the upper limit + * of the hashing index is below the threshold. diff --git a/queue-4.19/net_sched-reject-silly-cell_log-in-qdisc_get_rtab.patch b/queue-4.19/net_sched-reject-silly-cell_log-in-qdisc_get_rtab.patch new file mode 100644 index 00000000000..f02a24a439a --- /dev/null +++ b/queue-4.19/net_sched-reject-silly-cell_log-in-qdisc_get_rtab.patch @@ -0,0 +1,64 @@ +From e4bedf48aaa5552bc1f49703abd17606e7e6e82a Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Thu, 14 Jan 2021 08:06:37 -0800 +Subject: net_sched: reject silly cell_log in qdisc_get_rtab() + +From: Eric Dumazet + +commit e4bedf48aaa5552bc1f49703abd17606e7e6e82a upstream. + +iproute2 probably never goes beyond 8 for the cell exponent, +but stick to the max shift exponent for signed 32bit. + +UBSAN reported: +UBSAN: shift-out-of-bounds in net/sched/sch_api.c:389:22 +shift exponent 130 is too large for 32-bit type 'int' +CPU: 1 PID: 8450 Comm: syz-executor586 Not tainted 5.11.0-rc3-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:79 [inline] + dump_stack+0x183/0x22e lib/dump_stack.c:120 + ubsan_epilogue lib/ubsan.c:148 [inline] + __ubsan_handle_shift_out_of_bounds+0x432/0x4d0 lib/ubsan.c:395 + __detect_linklayer+0x2a9/0x330 net/sched/sch_api.c:389 + qdisc_get_rtab+0x2b5/0x410 net/sched/sch_api.c:435 + cbq_init+0x28f/0x12c0 net/sched/sch_cbq.c:1180 + qdisc_create+0x801/0x1470 net/sched/sch_api.c:1246 + tc_modify_qdisc+0x9e3/0x1fc0 net/sched/sch_api.c:1662 + rtnetlink_rcv_msg+0xb1d/0xe60 net/core/rtnetlink.c:5564 + netlink_rcv_skb+0x1f0/0x460 net/netlink/af_netlink.c:2494 + netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline] + netlink_unicast+0x7de/0x9b0 net/netlink/af_netlink.c:1330 + netlink_sendmsg+0xaa6/0xe90 net/netlink/af_netlink.c:1919 + sock_sendmsg_nosec net/socket.c:652 [inline] + sock_sendmsg net/socket.c:672 [inline] + ____sys_sendmsg+0x5a2/0x900 net/socket.c:2345 + ___sys_sendmsg net/socket.c:2399 [inline] + __sys_sendmsg+0x319/0x400 net/socket.c:2432 + do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Acked-by: Cong Wang +Link: https://lore.kernel.org/r/20210114160637.1660597-1-eric.dumazet@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman + +--- + net/sched/sch_api.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/sched/sch_api.c ++++ b/net/sched/sch_api.c +@@ -398,7 +398,8 @@ struct qdisc_rate_table *qdisc_get_rtab( + { + struct qdisc_rate_table *rtab; + +- if (tab == NULL || r->rate == 0 || r->cell_log == 0 || ++ if (tab == NULL || r->rate == 0 || ++ r->cell_log == 0 || r->cell_log >= 32 || + nla_len(tab) != TC_RTAB_SIZE) { + NL_SET_ERR_MSG(extack, "Invalid rate table parameters for searching"); + return NULL; diff --git a/queue-4.19/netfilter-rpfilter-mask-ecn-bits-before-fib-lookup.patch b/queue-4.19/netfilter-rpfilter-mask-ecn-bits-before-fib-lookup.patch new file mode 100644 index 00000000000..d61b636ba6d --- /dev/null +++ b/queue-4.19/netfilter-rpfilter-mask-ecn-bits-before-fib-lookup.patch @@ -0,0 +1,78 @@ +From 2e5a6266fbb11ae93c468dfecab169aca9c27b43 Mon Sep 17 00:00:00 2001 +From: Guillaume Nault +Date: Sat, 16 Jan 2021 11:44:26 +0100 +Subject: netfilter: rpfilter: mask ecn bits before fib lookup + +From: Guillaume Nault + +commit 2e5a6266fbb11ae93c468dfecab169aca9c27b43 upstream. + +RT_TOS() only masks one of the two ECN bits. Therefore rpfilter_mt() +treats Not-ECT or ECT(1) packets in a different way than those with +ECT(0) or CE. + +Reproducer: + + Create two netns, connected with a veth: + $ ip netns add ns0 + $ ip netns add ns1 + $ ip link add name veth01 netns ns0 type veth peer name veth10 netns ns1 + $ ip -netns ns0 link set dev veth01 up + $ ip -netns ns1 link set dev veth10 up + $ ip -netns ns0 address add 192.0.2.10/32 dev veth01 + $ ip -netns ns1 address add 192.0.2.11/32 dev veth10 + + Add a route to ns1 in ns0: + $ ip -netns ns0 route add 192.0.2.11/32 dev veth01 + + In ns1, only packets with TOS 4 can be routed to ns0: + $ ip -netns ns1 route add 192.0.2.10/32 tos 4 dev veth10 + + Ping from ns0 to ns1 works regardless of the ECN bits, as long as TOS + is 4: + $ ip netns exec ns0 ping -Q 4 192.0.2.11 # TOS 4, Not-ECT + ... 0% packet loss ... + $ ip netns exec ns0 ping -Q 5 192.0.2.11 # TOS 4, ECT(1) + ... 0% packet loss ... + $ ip netns exec ns0 ping -Q 6 192.0.2.11 # TOS 4, ECT(0) + ... 0% packet loss ... + $ ip netns exec ns0 ping -Q 7 192.0.2.11 # TOS 4, CE + ... 0% packet loss ... + + Now use iptable's rpfilter module in ns1: + $ ip netns exec ns1 iptables-legacy -t raw -A PREROUTING -m rpfilter --invert -j DROP + + Not-ECT and ECT(1) packets still pass: + $ ip netns exec ns0 ping -Q 4 192.0.2.11 # TOS 4, Not-ECT + ... 0% packet loss ... + $ ip netns exec ns0 ping -Q 5 192.0.2.11 # TOS 4, ECT(1) + ... 0% packet loss ... + + But ECT(0) and ECN packets are dropped: + $ ip netns exec ns0 ping -Q 6 192.0.2.11 # TOS 4, ECT(0) + ... 100% packet loss ... + $ ip netns exec ns0 ping -Q 7 192.0.2.11 # TOS 4, CE + ... 100% packet loss ... + +After this patch, rpfilter doesn't drop ECT(0) and CE packets anymore. + +Fixes: 8f97339d3feb ("netfilter: add ipv4 reverse path filter match") +Signed-off-by: Guillaume Nault +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman + +--- + net/ipv4/netfilter/ipt_rpfilter.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/ipv4/netfilter/ipt_rpfilter.c ++++ b/net/ipv4/netfilter/ipt_rpfilter.c +@@ -94,7 +94,7 @@ static bool rpfilter_mt(const struct sk_ + flow.daddr = iph->saddr; + flow.saddr = rpfilter_get_saddr(iph->daddr); + flow.flowi4_mark = info->flags & XT_RPFILTER_VALID_MARK ? skb->mark : 0; +- flow.flowi4_tos = RT_TOS(iph->tos); ++ flow.flowi4_tos = iph->tos & IPTOS_RT_MASK; + flow.flowi4_scope = RT_SCOPE_UNIVERSE; + flow.flowi4_oif = l3mdev_master_ifindex_rcu(xt_in(par)); + diff --git a/queue-4.19/series b/queue-4.19/series index 37af4e378ed..ba1d1001755 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -41,3 +41,18 @@ usb-bdc-make-bdc-pci-driver-depend-on-broken.patch xhci-make-sure-trb-is-fully-written-before-giving-it-to-the-controller.patch xhci-tegra-delay-for-disabling-lfps-detector.patch driver-core-extend-device_is_dependent.patch +netfilter-rpfilter-mask-ecn-bits-before-fib-lookup.patch +sh-dma-fix-kconfig-dependency-for-g2_dma.patch +net-dsa-mv88e6xxx-also-read-stu-state-in-mv88e6250_g1_vtu_getnext.patch +sh_eth-fix-power-down-vs.-is_opened-flag-ordering.patch +skbuff-back-tiny-skbs-with-kmalloc-in-__netdev_alloc_skb-too.patch +kasan-fix-unaligned-address-is-unhandled-in-kasan_remove_zero_shadow.patch +kasan-fix-incorrect-arguments-passing-in-kasan_add_zero_shadow.patch +udp-mask-tos-bits-in-udp_v4_early_demux.patch +ipv6-create-multicast-route-with-rtprot_kernel.patch +net_sched-avoid-shift-out-of-bounds-in-tcindex_set_parms.patch +net_sched-reject-silly-cell_log-in-qdisc_get_rtab.patch +ipv6-set-multicast-flag-on-the-multicast-route.patch +net-mscc-ocelot-allow-offloading-of-bridge-on-top-of-lag.patch +net-disable-netif_f_hw_tls_rx-when-rxcsum-is-disabled.patch +net-dsa-b53-fix-an-off-by-one-in-checking-vlan-vid.patch diff --git a/queue-4.19/sh-dma-fix-kconfig-dependency-for-g2_dma.patch b/queue-4.19/sh-dma-fix-kconfig-dependency-for-g2_dma.patch new file mode 100644 index 00000000000..32ff1530567 --- /dev/null +++ b/queue-4.19/sh-dma-fix-kconfig-dependency-for-g2_dma.patch @@ -0,0 +1,50 @@ +From f477a538c14d07f8c45e554c8c5208d588514e98 Mon Sep 17 00:00:00 2001 +From: Necip Fazil Yildiran +Date: Thu, 17 Sep 2020 18:45:48 +0300 +Subject: sh: dma: fix kconfig dependency for G2_DMA + +From: Necip Fazil Yildiran + +commit f477a538c14d07f8c45e554c8c5208d588514e98 upstream. + +When G2_DMA is enabled and SH_DMA is disabled, it results in the following +Kbuild warning: + +WARNING: unmet direct dependencies detected for SH_DMA_API + Depends on [n]: SH_DMA [=n] + Selected by [y]: + - G2_DMA [=y] && SH_DREAMCAST [=y] + +The reason is that G2_DMA selects SH_DMA_API without depending on or +selecting SH_DMA while SH_DMA_API depends on SH_DMA. + +When G2_DMA was first introduced with commit 40f49e7ed77f +("sh: dma: Make G2 DMA configurable."), this wasn't an issue since +SH_DMA_API didn't have such dependency, and this way was the only way to +enable it since SH_DMA_API was non-visible. However, later SH_DMA_API was +made visible and dependent on SH_DMA with commit d8902adcc1a9 +("dmaengine: sh: Add Support SuperH DMA Engine driver"). + +Let G2_DMA depend on SH_DMA_API instead to avoid Kbuild issues. + +Fixes: d8902adcc1a9 ("dmaengine: sh: Add Support SuperH DMA Engine driver") +Signed-off-by: Necip Fazil Yildiran +Signed-off-by: Rich Felker +Signed-off-by: Greg Kroah-Hartman + +--- + arch/sh/drivers/dma/Kconfig | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/arch/sh/drivers/dma/Kconfig ++++ b/arch/sh/drivers/dma/Kconfig +@@ -63,8 +63,7 @@ config PVR2_DMA + + config G2_DMA + tristate "G2 Bus DMA support" +- depends on SH_DREAMCAST +- select SH_DMA_API ++ depends on SH_DREAMCAST && SH_DMA_API + help + This enables support for the DMA controller for the Dreamcast's + G2 bus. Drivers that want this will generally enable this on diff --git a/queue-4.19/sh_eth-fix-power-down-vs.-is_opened-flag-ordering.patch b/queue-4.19/sh_eth-fix-power-down-vs.-is_opened-flag-ordering.patch new file mode 100644 index 00000000000..01b8ff5e4ef --- /dev/null +++ b/queue-4.19/sh_eth-fix-power-down-vs.-is_opened-flag-ordering.patch @@ -0,0 +1,46 @@ +From f6a2e94b3f9d89cb40771ff746b16b5687650cbb Mon Sep 17 00:00:00 2001 +From: Geert Uytterhoeven +Date: Mon, 18 Jan 2021 16:08:12 +0100 +Subject: sh_eth: Fix power down vs. is_opened flag ordering +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Geert Uytterhoeven + +commit f6a2e94b3f9d89cb40771ff746b16b5687650cbb upstream. + +sh_eth_close() does a synchronous power down of the device before +marking it closed. Revert the order, to make sure the device is never +marked opened while suspended. + +While at it, use pm_runtime_put() instead of pm_runtime_put_sync(), as +there is no reason to do a synchronous power down. + +Fixes: 7fa2955ff70ce453 ("sh_eth: Fix sleeping function called from invalid context") +Signed-off-by: Geert Uytterhoeven +Reviewed-by: Sergei Shtylyov +Reviewed-by: Niklas Söderlund +Link: https://lore.kernel.org/r/20210118150812.796791-1-geert+renesas@glider.be +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/ethernet/renesas/sh_eth.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/renesas/sh_eth.c ++++ b/drivers/net/ethernet/renesas/sh_eth.c +@@ -2620,10 +2620,10 @@ static int sh_eth_close(struct net_devic + /* Free all the skbuffs in the Rx queue and the DMA buffer. */ + sh_eth_ring_free(ndev); + +- pm_runtime_put_sync(&mdp->pdev->dev); +- + mdp->is_opened = 0; + ++ pm_runtime_put(&mdp->pdev->dev); ++ + return 0; + } + diff --git a/queue-4.19/skbuff-back-tiny-skbs-with-kmalloc-in-__netdev_alloc_skb-too.patch b/queue-4.19/skbuff-back-tiny-skbs-with-kmalloc-in-__netdev_alloc_skb-too.patch new file mode 100644 index 00000000000..45f07a18e8e --- /dev/null +++ b/queue-4.19/skbuff-back-tiny-skbs-with-kmalloc-in-__netdev_alloc_skb-too.patch @@ -0,0 +1,51 @@ +From 66c556025d687dbdd0f748c5e1df89c977b6c02a Mon Sep 17 00:00:00 2001 +From: Alexander Lobakin +Date: Fri, 15 Jan 2021 15:04:40 +0000 +Subject: skbuff: back tiny skbs with kmalloc() in __netdev_alloc_skb() too + +From: Alexander Lobakin + +commit 66c556025d687dbdd0f748c5e1df89c977b6c02a upstream. + +Commit 3226b158e67c ("net: avoid 32 x truesize under-estimation for +tiny skbs") ensured that skbs with data size lower than 1025 bytes +will be kmalloc'ed to avoid excessive page cache fragmentation and +memory consumption. +However, the fix adressed only __napi_alloc_skb() (primarily for +virtio_net and napi_get_frags()), but the issue can still be achieved +through __netdev_alloc_skb(), which is still used by several drivers. +Drivers often allocate a tiny skb for headers and place the rest of +the frame to frags (so-called copybreak). +Mirror the condition to __netdev_alloc_skb() to handle this case too. + +Since v1 [0]: + - fix "Fixes:" tag; + - refine commit message (mention copybreak usecase). + +[0] https://lore.kernel.org/netdev/20210114235423.232737-1-alobakin@pm.me + +Fixes: a1c7fff7e18f ("net: netdev_alloc_skb() use build_skb()") +Signed-off-by: Alexander Lobakin +Link: https://lore.kernel.org/r/20210115150354.85967-1-alobakin@pm.me +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman + +--- + net/core/skbuff.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/net/core/skbuff.c ++++ b/net/core/skbuff.c +@@ -398,7 +398,11 @@ struct sk_buff *__netdev_alloc_skb(struc + + len += NET_SKB_PAD; + +- if ((len > SKB_WITH_OVERHEAD(PAGE_SIZE)) || ++ /* If requested length is either too small or too big, ++ * we use kmalloc() for skb->head allocation. ++ */ ++ if (len <= SKB_WITH_OVERHEAD(1024) || ++ len > SKB_WITH_OVERHEAD(PAGE_SIZE) || + (gfp_mask & (__GFP_DIRECT_RECLAIM | GFP_DMA))) { + skb = __alloc_skb(len, gfp_mask, SKB_ALLOC_RX, NUMA_NO_NODE); + if (!skb) diff --git a/queue-4.19/udp-mask-tos-bits-in-udp_v4_early_demux.patch b/queue-4.19/udp-mask-tos-bits-in-udp_v4_early_demux.patch new file mode 100644 index 00000000000..1c24fe4e348 --- /dev/null +++ b/queue-4.19/udp-mask-tos-bits-in-udp_v4_early_demux.patch @@ -0,0 +1,88 @@ +From 8d2b51b008c25240914984208b2ced57d1dd25a5 Mon Sep 17 00:00:00 2001 +From: Guillaume Nault +Date: Sat, 16 Jan 2021 11:44:22 +0100 +Subject: udp: mask TOS bits in udp_v4_early_demux() + +From: Guillaume Nault + +commit 8d2b51b008c25240914984208b2ced57d1dd25a5 upstream. + +udp_v4_early_demux() is the only function that calls +ip_mc_validate_source() with a TOS that hasn't been masked with +IPTOS_RT_MASK. + +This results in different behaviours for incoming multicast UDPv4 +packets, depending on if ip_mc_validate_source() is called from the +early-demux path (udp_v4_early_demux) or from the regular input path +(ip_route_input_noref). + +ECN would normally not be used with UDP multicast packets, so the +practical consequences should be limited on that side. However, +IPTOS_RT_MASK is used to also masks the TOS' high order bits, to align +with the non-early-demux path behaviour. + +Reproducer: + + Setup two netns, connected with veth: + $ ip netns add ns0 + $ ip netns add ns1 + $ ip -netns ns0 link set dev lo up + $ ip -netns ns1 link set dev lo up + $ ip link add name veth01 netns ns0 type veth peer name veth10 netns ns1 + $ ip -netns ns0 link set dev veth01 up + $ ip -netns ns1 link set dev veth10 up + $ ip -netns ns0 address add 192.0.2.10 peer 192.0.2.11/32 dev veth01 + $ ip -netns ns1 address add 192.0.2.11 peer 192.0.2.10/32 dev veth10 + + In ns0, add route to multicast address 224.0.2.0/24 using source + address 198.51.100.10: + $ ip -netns ns0 address add 198.51.100.10/32 dev lo + $ ip -netns ns0 route add 224.0.2.0/24 dev veth01 src 198.51.100.10 + + In ns1, define route to 198.51.100.10, only for packets with TOS 4: + $ ip -netns ns1 route add 198.51.100.10/32 tos 4 dev veth10 + + Also activate rp_filter in ns1, so that incoming packets not matching + the above route get dropped: + $ ip netns exec ns1 sysctl -wq net.ipv4.conf.veth10.rp_filter=1 + + Now try to receive packets on 224.0.2.11: + $ ip netns exec ns1 socat UDP-RECVFROM:1111,ip-add-membership=224.0.2.11:veth10,ignoreeof - + + In ns0, send packet to 224.0.2.11 with TOS 4 and ECT(0) (that is, + tos 6 for socat): + $ echo test0 | ip netns exec ns0 socat - UDP-DATAGRAM:224.0.2.11:1111,bind=:1111,tos=6 + + The "test0" message is properly received by socat in ns1, because + early-demux has no cached dst to use, so source address validation + is done by ip_route_input_mc(), which receives a TOS that has the + ECN bits masked. + + Now send another packet to 224.0.2.11, still with TOS 4 and ECT(0): + $ echo test1 | ip netns exec ns0 socat - UDP-DATAGRAM:224.0.2.11:1111,bind=:1111,tos=6 + + The "test1" message isn't received by socat in ns1, because, now, + early-demux has a cached dst to use and calls ip_mc_validate_source() + immediately, without masking the ECN bits. + +Fixes: bc044e8db796 ("udp: perform source validation for mcast early demux") +Signed-off-by: Guillaume Nault +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman + +--- + net/ipv4/udp.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/ipv4/udp.c ++++ b/net/ipv4/udp.c +@@ -2416,7 +2416,8 @@ int udp_v4_early_demux(struct sk_buff *s + */ + if (!inet_sk(sk)->inet_daddr && in_dev) + return ip_mc_validate_source(skb, iph->daddr, +- iph->saddr, iph->tos, ++ iph->saddr, ++ iph->tos & IPTOS_RT_MASK, + skb->dev, in_dev, &itag); + } + return 0;