From: Greg Kroah-Hartman Date: Fri, 26 Jul 2019 08:54:11 +0000 (+0200) Subject: 5.1-stable patches X-Git-Tag: v5.2.4~17 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=13c12f66f9a5a7894d049dc782d3138a2614c813;p=thirdparty%2Fkernel%2Fstable-queue.git 5.1-stable patches added patches: bnx2x-prevent-load-reordering-in-tx-completion-processing.patch caif-hsi-fix-possible-deadlock-in-cfhsi_exit_module.patch hv_netvsc-fix-extra-rcu_read_unlock-in-netvsc_recv_callback.patch igmp-fix-memory-leak-in-igmpv3_del_delrec.patch ipv4-don-t-set-ipv6-only-flags-to-ipv4-addresses.patch ipv6-rt6_check-should-return-null-if-from-is-null.patch ipv6-unlink-sibling-route-in-case-of-failure.patch macsec-fix-checksumming-after-decryption.patch macsec-fix-use-after-free-of-skb-during-rx.patch net-bcmgenet-use-promisc-for-unsupported-filters.patch net-bridge-don-t-cache-ether-dest-pointer-on-input.patch net-bridge-mcast-fix-stale-ipv6-hdr-pointer-when-handling-v6-query.patch net-bridge-mcast-fix-stale-nsrcs-pointer-in-igmp3-mld2-report-handling.patch net-bridge-stp-don-t-cache-eth-dest-pointer-before-skb-pull.patch net-dsa-mv88e6xxx-wait-after-reset-deactivation.patch net-make-skb_dst_force-return-true-when-dst-is-refcounted.patch net-mlx5e-fix-error-flow-in-tx-reporter-diagnose.patch net-mlx5e-fix-port-tunnel-gre-entropy-control.patch net-mlx5e-fix-return-value-from-timeout-recover-function.patch net-mlx5e-ipoib-add-error-path-in-mlx5_rdma_setup_rn.patch net-mlx5e-rx-fix-checksum-calculation-for-new-hardware.patch net-neigh-fix-multiple-neigh-timer-scheduling.patch net-openvswitch-fix-csum-updates-for-mpls-actions.patch net-phy-sfp-hwmon-fix-scaling-of-rx-power.patch net-stmmac-re-work-the-queue-selection-for-tso-packets.patch net-tls-fix-poll-ignoring-partially-copied-records.patch net-tls-make-sure-offload-also-gets-the-keys-wiped.patch net-tls-reject-offload-of-tls-1.3.patch net_sched-unset-tcq_f_can_bypass-when-adding-filters.patch netrom-fix-a-memory-leak-in-nr_rx_frame.patch 
netrom-hold-sock-when-setting-skb-destructor.patch nfc-fix-potential-illegal-memory-access.patch r8169-fix-issue-with-confused-rx-unit-after-phy-power-down-on-rtl8411b.patch rxrpc-fix-send-on-a-connected-but-unbound-socket.patch sctp-fix-error-handling-on-stream-scheduler-initialization.patch sctp-not-bind-the-socket-in-sctp_connect.patch selftests-txring_overwrite-fix-incorrect-test-of-mmap-return-value.patch sky2-disable-msi-on-asus-p6t.patch tcp-be-more-careful-in-tcp_fragment.patch tcp-fix-tcp_set_congestion_control-use-from-bpf-hook.patch tcp-reset-bytes_acked-and-bytes_received-when-disconnecting.patch vrf-make-sure-skb-data-contains-ip-header-to-make-routing.patch --- diff --git a/queue-5.1/bnx2x-prevent-load-reordering-in-tx-completion-processing.patch b/queue-5.1/bnx2x-prevent-load-reordering-in-tx-completion-processing.patch new file mode 100644 index 00000000000..726abcbb8bf --- /dev/null +++ b/queue-5.1/bnx2x-prevent-load-reordering-in-tx-completion-processing.patch 
@@ -0,0 +1,33 @@
+From foo@baz Fri 26 Jul 2019 10:52:07 AM CEST
+From: Brian King
+Date: Mon, 15 Jul 2019 16:41:50 -0500
+Subject: bnx2x: Prevent load reordering in tx completion processing
+
+From: Brian King
+
+[ Upstream commit ea811b795df24644a8eb760b493c43fba4450677 ]
+
+This patch fixes an issue seen on Power systems with bnx2x which results
+in the skb is NULL WARN_ON in bnx2x_free_tx_pkt firing due to the skb
+pointer getting loaded in bnx2x_free_tx_pkt prior to the hw_cons
+load in bnx2x_tx_int. Adding a read memory barrier resolves the issue.
+
+Signed-off-by: Brian King
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
+@@ -285,6 +285,9 @@ int bnx2x_tx_int(struct bnx2x *bp, struc
+ hw_cons = le16_to_cpu(*txdata->tx_cons_sb);
+ sw_cons = txdata->tx_pkt_cons;
+
++ /* Ensure subsequent loads occur after hw_cons */
++ smp_rmb();
++
+ while (sw_cons != hw_cons) {
+ u16 pkt_cons;
+
diff --git a/queue-5.1/caif-hsi-fix-possible-deadlock-in-cfhsi_exit_module.patch b/queue-5.1/caif-hsi-fix-possible-deadlock-in-cfhsi_exit_module.patch
new file mode 100644
index 00000000000..9225bc7e3a6
--- /dev/null
+++ b/queue-5.1/caif-hsi-fix-possible-deadlock-in-cfhsi_exit_module.patch
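Review bot: The comment on the added `smp_rmb()` in bnx2x_tx_int names the load that must come first but not the later load it protects, which is the part a future reader needs in order to keep the barrier in place. Going by the commit message, the protected load is the skb pointer read in bnx2x_free_tx_pkt, so the comment could read `/* Order the hw_cons load before the skb pointer load in bnx2x_free_tx_pkt() */`. The body of bnx2x_tx_int continues outside the hunk.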
@@ -0,0 +1,32 @@
+From foo@baz Fri 26 Jul 2019 10:52:07 AM CEST
+From: Taehee Yoo
+Date: Mon, 15 Jul 2019 14:10:17 +0900
+Subject: caif-hsi: fix possible deadlock in cfhsi_exit_module()
+
+From: Taehee Yoo
+
+[ Upstream commit fdd258d49e88a9e0b49ef04a506a796f1c768a8e ]
+
+cfhsi_exit_module() calls unregister_netdev() under rtnl_lock().
+but unregister_netdev() internally calls rtnl_lock().
+So deadlock would occur.
+
+Fixes: c41254006377 ("caif-hsi: Add rtnl support")
+Signed-off-by: Taehee Yoo
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/caif/caif_hsi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/caif/caif_hsi.c
++++ b/drivers/net/caif/caif_hsi.c
+@@ -1455,7 +1455,7 @@ static void __exit cfhsi_exit_module(voi
+ rtnl_lock();
+ list_for_each_safe(list_node, n, &cfhsi_list) {
+ cfhsi = list_entry(list_node, struct cfhsi, list);
+- unregister_netdev(cfhsi->ndev);
++ unregister_netdevice(cfhsi->ndev);
+ }
+ rtnl_unlock();
+ }
diff --git a/queue-5.1/hv_netvsc-fix-extra-rcu_read_unlock-in-netvsc_recv_callback.patch b/queue-5.1/hv_netvsc-fix-extra-rcu_read_unlock-in-netvsc_recv_callback.patch
new file mode 100644
index 00000000000..7b9b35f8358
--- /dev/null
+++ b/queue-5.1/hv_netvsc-fix-extra-rcu_read_unlock-in-netvsc_recv_callback.patch
@@ -0,0 +1,31 @@
+From foo@baz Fri 26 Jul 2019 10:52:07 AM CEST
+From: Haiyang Zhang
+Date: Fri, 19 Jul 2019 17:33:51 +0000
+Subject: hv_netvsc: Fix extra rcu_read_unlock in netvsc_recv_callback()
+
+From: Haiyang Zhang
+
+[ Upstream commit be4363bdf0ce9530f15aa0a03d1060304d116b15 ]
+
+There is an extra rcu_read_unlock left in netvsc_recv_callback(),
+after a previous patch that removes RCU from this function.
+This patch removes the extra RCU unlock.
+
+Fixes: 345ac08990b8 ("hv_netvsc: pass netvsc_device to receive callback")
+Signed-off-by: Haiyang Zhang
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/hyperv/netvsc_drv.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/net/hyperv/netvsc_drv.c
++++ b/drivers/net/hyperv/netvsc_drv.c
+@@ -849,7 +849,6 @@ int netvsc_recv_callback(struct net_devi
+
+ if (unlikely(!skb)) {
+ ++net_device_ctx->eth_stats.rx_no_memory;
+- rcu_read_unlock();
+ return NVSP_STAT_FAIL;
+ }
+
diff --git a/queue-5.1/igmp-fix-memory-leak-in-igmpv3_del_delrec.patch b/queue-5.1/igmp-fix-memory-leak-in-igmpv3_del_delrec.patch
new file mode 100644
index 00000000000..3d684d50ac1
--- /dev/null
+++ b/queue-5.1/igmp-fix-memory-leak-in-igmpv3_del_delrec.patch
@@ -0,0 +1,78 @@ +From foo@baz Fri 26 Jul 2019 10:52:07 AM CEST +From: Eric Dumazet +Date: Thu, 27 Jun 2019 01:27:01 -0700 +Subject: igmp: fix memory leak in igmpv3_del_delrec() + +From: Eric Dumazet + +[ Upstream commit e5b1c6c6277d5a283290a8c033c72544746f9b5b ] + +im->tomb and/or im->sources might not be NULL, but we +currently overwrite their values blindly. + +Using swap() will make sure the following call to kfree_pmc(pmc) +will properly free the psf structures. + +Tested with the C repro provided by syzbot, which basically does : + + socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 3 + setsockopt(3, SOL_IP, IP_ADD_MEMBERSHIP, "\340\0\0\2\177\0\0\1\0\0\0\0", 12) = 0 + ioctl(3, SIOCSIFFLAGS, {ifr_name="lo", ifr_flags=0}) = 0 + setsockopt(3, SOL_IP, IP_MSFILTER, "\340\0\0\2\177\0\0\1\1\0\0\0\1\0\0\0\377\377\377\377", 20) = 0 + ioctl(3, SIOCSIFFLAGS, {ifr_name="lo", ifr_flags=IFF_UP}) = 0 + exit_group(0) = ? + +BUG: memory leak +unreferenced object 0xffff88811450f140 (size 64): + comm "softirq", pid 0, jiffies 4294942448 (age 32.070s) + hex dump (first 32 bytes): + 00 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 ................ + 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 ................ 
+ backtrace: + [<00000000c7bad083>] kmemleak_alloc_recursive include/linux/kmemleak.h:43 [inline] + [<00000000c7bad083>] slab_post_alloc_hook mm/slab.h:439 [inline] + [<00000000c7bad083>] slab_alloc mm/slab.c:3326 [inline] + [<00000000c7bad083>] kmem_cache_alloc_trace+0x13d/0x280 mm/slab.c:3553 + [<000000009acc4151>] kmalloc include/linux/slab.h:547 [inline] + [<000000009acc4151>] kzalloc include/linux/slab.h:742 [inline] + [<000000009acc4151>] ip_mc_add1_src net/ipv4/igmp.c:1976 [inline] + [<000000009acc4151>] ip_mc_add_src+0x36b/0x400 net/ipv4/igmp.c:2100 + [<000000004ac14566>] ip_mc_msfilter+0x22d/0x310 net/ipv4/igmp.c:2484 + [<0000000052d8f995>] do_ip_setsockopt.isra.0+0x1795/0x1930 net/ipv4/ip_sockglue.c:959 + [<000000004ee1e21f>] ip_setsockopt+0x3b/0xb0 net/ipv4/ip_sockglue.c:1248 + [<0000000066cdfe74>] udp_setsockopt+0x4e/0x90 net/ipv4/udp.c:2618 + [<000000009383a786>] sock_common_setsockopt+0x38/0x50 net/core/sock.c:3126 + [<00000000d8ac0c94>] __sys_setsockopt+0x98/0x120 net/socket.c:2072 + [<000000001b1e9666>] __do_sys_setsockopt net/socket.c:2083 [inline] + [<000000001b1e9666>] __se_sys_setsockopt net/socket.c:2080 [inline] + [<000000001b1e9666>] __x64_sys_setsockopt+0x26/0x30 net/socket.c:2080 + [<00000000420d395e>] do_syscall_64+0x76/0x1a0 arch/x86/entry/common.c:301 + [<000000007fd83a4b>] entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +Fixes: 24803f38a5c0 ("igmp: do not remove igmp souce list info when set link down") +Signed-off-by: Eric Dumazet +Cc: Hangbin Liu +Reported-by: syzbot+6ca1abd0db68b5173a4f@syzkaller.appspotmail.com +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/igmp.c | 8 ++------ + 1 file changed, 2 insertions(+), 6 deletions(-) + +--- a/net/ipv4/igmp.c ++++ b/net/ipv4/igmp.c +@@ -1232,12 +1232,8 @@ static void igmpv3_del_delrec(struct in_ + if (pmc) { + im->interface = pmc->interface; + if (im->sfmode == MCAST_INCLUDE) { +- im->tomb = pmc->tomb; +- pmc->tomb = NULL; +- +- im->sources = pmc->sources; +- pmc->sources = NULL; +- ++ swap(im->tomb, pmc->tomb); ++ swap(im->sources, pmc->sources); + for (psf = im->sources; psf; psf = psf->sf_next) + psf->sf_crcount = in_dev->mr_qrv ?: net->ipv4.sysctl_igmp_qrv; + } else { diff --git a/queue-5.1/ipv4-don-t-set-ipv6-only-flags-to-ipv4-addresses.patch b/queue-5.1/ipv4-don-t-set-ipv6-only-flags-to-ipv4-addresses.patch new file mode 100644 index 00000000000..8b841a887d4 --- /dev/null +++ b/queue-5.1/ipv4-don-t-set-ipv6-only-flags-to-ipv4-addresses.patch 
@@ -0,0 +1,56 @@
+From foo@baz Fri 26 Jul 2019 10:52:07 AM CEST
+From: Matteo Croce
+Date: Mon, 1 Jul 2019 19:01:55 +0200
+Subject: ipv4: don't set IPv6 only flags to IPv4 addresses
+
+From: Matteo Croce
+
+[ Upstream commit 2e60546368165c2449564d71f6005dda9205b5fb ]
+
+Avoid the situation where an IPV6 only flag is applied to an IPv4 address:
+
+ # ip addr add 192.0.2.1/24 dev dummy0 nodad home mngtmpaddr noprefixroute
+ # ip -4 addr show dev dummy0
+ 2: dummy0: mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1000
+ inet 192.0.2.1/24 scope global noprefixroute dummy0
+ valid_lft forever preferred_lft forever
+
+Or worse, by sending a malicious netlink command:
+
+ # ip -4 addr show dev dummy0
+ 2: dummy0: mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1000
+ inet 192.0.2.1/24 scope global nodad optimistic dadfailed home tentative mngtmpaddr noprefixroute stable-privacy dummy0
+ valid_lft forever preferred_lft forever
+
+Signed-off-by: Matteo Croce
+Reviewed-by: David Ahern
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv4/devinet.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/net/ipv4/devinet.c
++++ b/net/ipv4/devinet.c
+@@ -66,6 +66,11 @@
+ #include
+ #include
+
++#define IPV6ONLY_FLAGS \
++ (IFA_F_NODAD | IFA_F_OPTIMISTIC | IFA_F_DADFAILED | \
++ IFA_F_HOMEADDRESS | IFA_F_TENTATIVE | \
++ IFA_F_MANAGETEMPADDR | IFA_F_STABLE_PRIVACY)
++
+ static struct ipv4_devconf ipv4_devconf = {
+ .data = {
+ [IPV4_DEVCONF_ACCEPT_REDIRECTS - 1] = 1,
+@@ -472,6 +477,9 @@ static int __inet_insert_ifa(struct in_i
+ ifa->ifa_flags &= ~IFA_F_SECONDARY;
+ last_primary = &in_dev->ifa_list;
+
++ /* Don't set IPv6 only flags to IPv4 addresses */
++ ifa->ifa_flags &= ~IPV6ONLY_FLAGS;
++
+ for (ifap = &in_dev->ifa_list; (ifa1 = *ifap) != NULL;
+ ifap = &ifa1->ifa_next) {
+ if (!(ifa1->ifa_flags & IFA_F_SECONDARY) &&
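Review bot: The mask added in __inet_insert_ifa drops the IPv6-only bits silently, so a netlink request that carries them still succeeds and the sender is never told they were ignored. That closes the state-corruption case from the commit message, but it leaves no trace for anyone auditing who sent such a request; rejecting or reporting it would have to happen in the netlink parsing path, which is outside this hunk. Within the hunk, `IPV6ONLY_FLAGS` is a hand-maintained list and deserves a comment such as `/* IFA_F_* bits that only have meaning for IPv6; extend when new ones are added */` so it does not go stale. The body of __inet_insert_ifa starts and ends outside the hunk.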
diff --git a/queue-5.1/ipv6-rt6_check-should-return-null-if-from-is-null.patch b/queue-5.1/ipv6-rt6_check-should-return-null-if-from-is-null.patch
new file mode 100644
index 00000000000..da85205fd96
--- /dev/null
+++ b/queue-5.1/ipv6-rt6_check-should-return-null-if-from-is-null.patch
@@ -0,0 +1,35 @@
+From foo@baz Fri 26 Jul 2019 10:52:07 AM CEST
+From: David Ahern
+Date: Wed, 17 Jul 2019 15:08:43 -0700
+Subject: ipv6: rt6_check should return NULL if 'from' is NULL
+
+From: David Ahern
+
+[ Upstream commit 49d05fe2c9d1b4a27761c9807fec39b8155bef9e ]
+
+Paul reported that l2tp sessions were broken after the commit referenced
+in the Fixes tag. Prior to this commit rt6_check returned NULL if the
+rt6_info 'from' was NULL - ie., the dst_entry was disconnected from a FIB
+entry. Restore that behavior.
+
+Fixes: 93531c674315 ("net/ipv6: separate handling of FIB entries from dst based routes")
+Reported-by: Paul Donohue
+Tested-by: Paul Donohue
+Signed-off-by: David Ahern
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv6/route.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv6/route.c
++++ b/net/ipv6/route.c
+@@ -2183,7 +2183,7 @@ static struct dst_entry *rt6_check(struc
+ {
+ u32 rt_cookie = 0;
+
+- if ((from && !fib6_get_cookie_safe(from, &rt_cookie)) ||
++ if (!from || !fib6_get_cookie_safe(from, &rt_cookie) ||
+ rt_cookie != cookie)
+ return NULL;
+
diff --git a/queue-5.1/ipv6-unlink-sibling-route-in-case-of-failure.patch b/queue-5.1/ipv6-unlink-sibling-route-in-case-of-failure.patch
new file mode 100644
index 00000000000..6a6484c9732
--- /dev/null
+++ b/queue-5.1/ipv6-unlink-sibling-route-in-case-of-failure.patch
@@ -0,0 +1,61 @@
+From foo@baz Fri 26 Jul 2019 10:52:07 AM CEST
+From: Ido Schimmel
+Date: Wed, 17 Jul 2019 23:39:33 +0300
+Subject: ipv6: Unlink sibling route in case of failure
+
+From: Ido Schimmel
+
+[ Upstream commit 54851aa90cf27041d64b12f65ac72e9f97bd90fd ]
+
+When a route needs to be appended to an existing multipath route,
+fib6_add_rt2node() first appends it to the siblings list and increments
+the number of sibling routes on each sibling.
+
+Later, the function notifies the route via call_fib6_entry_notifiers().
+In case the notification is vetoed, the route is not unlinked from the
+siblings list, which can result in a use-after-free.
+
+Fix this by unlinking the route from the siblings list before returning
+an error.
+
+Audited the rest of the call sites from which the FIB notification chain
+is called and could not find more problems.
+
+Fixes: 2233000cba40 ("net/ipv6: Move call_fib6_entry_notifiers up for route adds")
+Signed-off-by: Ido Schimmel
+Reported-by: Alexander Petrovskiy
+Reviewed-by: David Ahern
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv6/ip6_fib.c | 18 +++++++++++++++++-
+ 1 file changed, 17 insertions(+), 1 deletion(-)
+
+--- a/net/ipv6/ip6_fib.c
++++ b/net/ipv6/ip6_fib.c
+@@ -1113,8 +1113,24 @@ add:
+ err = call_fib6_entry_notifiers(info->nl_net,
+ FIB_EVENT_ENTRY_ADD,
+ rt, extack);
+- if (err)
++ if (err) {
++ struct fib6_info *sibling, *next_sibling;
++
++ /* If the route has siblings, then it first
++ * needs to be unlinked from them.
++ */
++ if (!rt->fib6_nsiblings)
++ return err;
++
++ list_for_each_entry_safe(sibling, next_sibling,
++ &rt->fib6_siblings,
++ fib6_siblings)
++ sibling->fib6_nsiblings--;
++ rt->fib6_nsiblings = 0;
++ list_del_init(&rt->fib6_siblings);
++ rt6_multipath_rebalance(next_sibling);
+ return err;
++ }
+
+ rcu_assign_pointer(rt->fib6_next, iter);
+ atomic_inc(&rt->fib6_ref);
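Review bot: `rt6_multipath_rebalance(next_sibling)` reads the loop cursor after `list_for_each_entry_safe()` has finished, and nothing in the new error path says why that value is still a valid route. Because the list head is `rt->fib6_siblings` itself, the loop ends with `sibling` at `rt` and `next_sibling` at the entry that follows it, which is presumably the first remaining sibling; the earlier `!rt->fib6_nsiblings` return is what guarantees one exists. A comment before the call, for example `/* next_sibling is the first route left on the list once rt is unlinked */`, would stop a later cleanup from turning this into a stale-pointer bug in a path that exists to prevent a use-after-free. The enclosing function starts and ends outside the hunk.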
diff --git a/queue-5.1/macsec-fix-checksumming-after-decryption.patch b/queue-5.1/macsec-fix-checksumming-after-decryption.patch
new file mode 100644
index 00000000000..f66bf9fa664
--- /dev/null
+++ b/queue-5.1/macsec-fix-checksumming-after-decryption.patch
@@ -0,0 +1,28 @@
+From foo@baz Fri 26 Jul 2019 10:52:07 AM CEST
+From: Andreas Steinmetz
+Date: Sun, 30 Jun 2019 22:46:45 +0200
+Subject: macsec: fix checksumming after decryption
+
+From: Andreas Steinmetz
+
+[ Upstream commit 7d8b16b9facb0dd81d1469808dd9a575fa1d525a ]
+
+Fix checksumming after decryption.
+
+Signed-off-by: Andreas Steinmetz
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/macsec.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/macsec.c
++++ b/drivers/net/macsec.c
+@@ -869,6 +869,7 @@ static void macsec_reset_skb(struct sk_b
+
+ static void macsec_finalize_skb(struct sk_buff *skb, u8 icv_len, u8 hdr_len)
+ {
++ skb->ip_summed = CHECKSUM_NONE;
+ memmove(skb->data + hdr_len, skb->data, 2 * ETH_ALEN);
+ skb_pull(skb, hdr_len);
+ pskb_trim_unique(skb, skb->len - icv_len);
diff --git a/queue-5.1/macsec-fix-use-after-free-of-skb-during-rx.patch b/queue-5.1/macsec-fix-use-after-free-of-skb-during-rx.patch
new file mode 100644
index 00000000000..b1659b2c992
--- /dev/null
+++ b/queue-5.1/macsec-fix-use-after-free-of-skb-during-rx.patch
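Review bot: The added `skb->ip_summed = CHECKSUM_NONE;` at the top of macsec_finalize_skb carries no comment, and the commit message does not explain it either, so the reason for the reset is recorded nowhere. If the intent is that any checksum state set by the receiving device described the protected frame and no longer applies once the SecTAG and ICV are stripped, the line should say so, for example `/* checksum state from the lower device covered the encrypted frame; force re-verification */`. Without it the assignment looks removable, and removing it would let stale checksum state be trusted for the decrypted payload.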
@@ -0,0 +1,34 @@
+From foo@baz Fri 26 Jul 2019 10:52:07 AM CEST
+From: Andreas Steinmetz
+Date: Sun, 30 Jun 2019 22:46:42 +0200
+Subject: macsec: fix use-after-free of skb during RX
+
+From: Andreas Steinmetz
+
+[ Upstream commit 095c02da80a41cf6d311c504d8955d6d1c2add10 ]
+
+Fix use-after-free of skb when rx_handler returns RX_HANDLER_PASS.
+
+Signed-off-by: Andreas Steinmetz
+Acked-by: Willem de Bruijn
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/macsec.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/macsec.c
++++ b/drivers/net/macsec.c
+@@ -1103,10 +1103,9 @@ static rx_handler_result_t macsec_handle
+ }
+
+ skb = skb_unshare(skb, GFP_ATOMIC);
+- if (!skb) {
+- *pskb = NULL;
++ *pskb = skb;
++ if (!skb)
+ return RX_HANDLER_CONSUMED;
+- }
+
+ pulled_sci = pskb_may_pull(skb, macsec_extra_len(true));
+ if (!pulled_sci) {
diff --git a/queue-5.1/net-bcmgenet-use-promisc-for-unsupported-filters.patch b/queue-5.1/net-bcmgenet-use-promisc-for-unsupported-filters.patch
new file mode 100644
index 00000000000..a9336891aa8
--- /dev/null
+++ b/queue-5.1/net-bcmgenet-use-promisc-for-unsupported-filters.patch
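Review bot: The new `*pskb = skb;` after `skb_unshare()` is the whole fix, yet nothing in the code explains why the caller's pointer has to be refreshed even on the success path. `skb_unshare()` can hand back a different buffer and release the one passed in, so any later return that leaves the packet with the caller (the commit message names RX_HANDLER_PASS) would otherwise expose a freed skb. A comment such as `/* skb_unshare() may have replaced skb; keep *pskb in sync for every later return */` would make that invariant explicit. The return paths it protects are outside the hunk.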
@@ -0,0 +1,126 @@ +From foo@baz Fri 26 Jul 2019 10:52:07 AM CEST +From: Justin Chen +Date: Wed, 17 Jul 2019 14:58:53 -0700 +Subject: net: bcmgenet: use promisc for unsupported filters + +From: Justin Chen + +[ Upstream commit 35cbef9863640f06107144687bd13151bc2e8ce3 ] + +Currently we silently ignore filters if we cannot meet the filter +requirements. This will lead to the MAC dropping packets that are +expected to pass. A better solution would be to set the NIC to promisc +mode when the required filters cannot be met. + +Also correct the number of MDF filters supported. It should be 17, +not 16. + +Signed-off-by: Justin Chen +Reviewed-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/broadcom/genet/bcmgenet.c | 57 +++++++++++-------------- + 1 file changed, 26 insertions(+), 31 deletions(-) + +--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c ++++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c +@@ -3086,39 +3086,42 @@ static void bcmgenet_timeout(struct net_ + netif_tx_wake_all_queues(dev); + } + +-#define MAX_MC_COUNT 16 ++#define MAX_MDF_FILTER 17 + + static inline void bcmgenet_set_mdf_addr(struct bcmgenet_priv *priv, + unsigned char *addr, +- int *i, +- int *mc) ++ int *i) + { +- u32 reg; +- + bcmgenet_umac_writel(priv, addr[0] << 8 | addr[1], + UMAC_MDF_ADDR + (*i * 4)); + bcmgenet_umac_writel(priv, addr[2] << 24 | addr[3] << 16 | + addr[4] << 8 | addr[5], + UMAC_MDF_ADDR + ((*i + 1) * 4)); +- reg = bcmgenet_umac_readl(priv, UMAC_MDF_CTRL); +- reg |= (1 << (MAX_MC_COUNT - *mc)); +- bcmgenet_umac_writel(priv, reg, UMAC_MDF_CTRL); + *i += 2; +- (*mc)++; + } + + static void bcmgenet_set_rx_mode(struct net_device *dev) + { + struct bcmgenet_priv *priv = netdev_priv(dev); + struct netdev_hw_addr *ha; +- int i, mc; ++ int i, nfilter; + u32 reg; + + netif_dbg(priv, hw, dev, "%s: %08X\n", __func__, dev->flags); + +- /* Promiscuous mode */ ++ /* Number of filters needed */ ++ nfilter = 
netdev_uc_count(dev) + netdev_mc_count(dev) + 2; ++ ++ /* ++ * Turn on promicuous mode for three scenarios ++ * 1. IFF_PROMISC flag is set ++ * 2. IFF_ALLMULTI flag is set ++ * 3. The number of filters needed exceeds the number filters ++ * supported by the hardware. ++ */ + reg = bcmgenet_umac_readl(priv, UMAC_CMD); +- if (dev->flags & IFF_PROMISC) { ++ if ((dev->flags & (IFF_PROMISC | IFF_ALLMULTI)) || ++ (nfilter > MAX_MDF_FILTER)) { + reg |= CMD_PROMISC; + bcmgenet_umac_writel(priv, reg, UMAC_CMD); + bcmgenet_umac_writel(priv, 0, UMAC_MDF_CTRL); +@@ -3128,32 +3131,24 @@ static void bcmgenet_set_rx_mode(struct + bcmgenet_umac_writel(priv, reg, UMAC_CMD); + } + +- /* UniMac doesn't support ALLMULTI */ +- if (dev->flags & IFF_ALLMULTI) { +- netdev_warn(dev, "ALLMULTI is not supported\n"); +- return; +- } +- + /* update MDF filter */ + i = 0; +- mc = 0; + /* Broadcast */ +- bcmgenet_set_mdf_addr(priv, dev->broadcast, &i, &mc); ++ bcmgenet_set_mdf_addr(priv, dev->broadcast, &i); + /* my own address.*/ +- bcmgenet_set_mdf_addr(priv, dev->dev_addr, &i, &mc); +- /* Unicast list*/ +- if (netdev_uc_count(dev) > (MAX_MC_COUNT - mc)) +- return; ++ bcmgenet_set_mdf_addr(priv, dev->dev_addr, &i); + +- if (!netdev_uc_empty(dev)) +- netdev_for_each_uc_addr(ha, dev) +- bcmgenet_set_mdf_addr(priv, ha->addr, &i, &mc); +- /* Multicast */ +- if (netdev_mc_empty(dev) || netdev_mc_count(dev) >= (MAX_MC_COUNT - mc)) +- return; ++ /* Unicast */ ++ netdev_for_each_uc_addr(ha, dev) ++ bcmgenet_set_mdf_addr(priv, ha->addr, &i); + ++ /* Multicast */ + netdev_for_each_mc_addr(ha, dev) +- bcmgenet_set_mdf_addr(priv, ha->addr, &i, &mc); ++ bcmgenet_set_mdf_addr(priv, ha->addr, &i); ++ ++ /* Enable filters */ ++ reg = GENMASK(MAX_MDF_FILTER - 1, MAX_MDF_FILTER - nfilter); ++ bcmgenet_umac_writel(priv, reg, UMAC_MDF_CTRL); + } + + /* Set the hardware MAC address. */ 
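Review bot: In bcmgenet_set_rx_mode the interface now goes promiscuous whenever `nfilter > MAX_MDF_FILTER`, and nothing is logged when that happens. Unlike IFF_PROMISC or IFF_ALLMULTI, this case is not visible in `dev->flags`, so an operator cannot tell that the NIC has stopped filtering and is passing every frame on the segment to the host. The old `netdev_warn()` for ALLMULTI is removed, so a replacement for the overflow case, ideally reported once per transition, would keep that visible, for example `netdev_info(dev, "MDF filters exhausted, enabling promiscuous mode\n");`. The closing `GENMASK(MAX_MDF_FILTER - 1, MAX_MDF_FILTER - nfilter)` is only well-defined if the promiscuous branch returns early, which presumably happens in the lines between the two inner hunks; that dependency is worth a one-line comment. The new block comment also has two typos: "promicuous" and "the number filters".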
diff --git a/queue-5.1/net-bridge-don-t-cache-ether-dest-pointer-on-input.patch b/queue-5.1/net-bridge-don-t-cache-ether-dest-pointer-on-input.patch
new file mode 100644
index 00000000000..0dd7e406930
--- /dev/null
+++ b/queue-5.1/net-bridge-don-t-cache-ether-dest-pointer-on-input.patch
@@ -0,0 +1,56 @@ +From foo@baz Fri 26 Jul 2019 10:52:07 AM CEST +From: Nikolay Aleksandrov +Date: Tue, 2 Jul 2019 15:00:20 +0300 +Subject: net: bridge: don't cache ether dest pointer on input + +From: Nikolay Aleksandrov + +[ Upstream commit 3d26eb8ad1e9b906433903ce05f775cf038e747f ] + +We would cache ether dst pointer on input in br_handle_frame_finish but +after the neigh suppress code that could lead to a stale pointer since +both ipv4 and ipv6 suppress code do pskb_may_pull. This means we have to +always reload it after the suppress code so there's no point in having +it cached just retrieve it directly. + +Fixes: 057658cb33fbf ("bridge: suppress arp pkts on BR_NEIGH_SUPPRESS ports") +Fixes: ed842faeb2bd ("bridge: suppress nd pkts on BR_NEIGH_SUPPRESS ports") +Signed-off-by: Nikolay Aleksandrov +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/bridge/br_input.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +--- a/net/bridge/br_input.c ++++ b/net/bridge/br_input.c +@@ -79,7 +79,6 @@ int br_handle_frame_finish(struct net *n + struct net_bridge_fdb_entry *dst = NULL; + struct net_bridge_mdb_entry *mdst; + bool local_rcv, mcast_hit = false; +- const unsigned char *dest; + struct net_bridge *br; + u16 vid = 0; + +@@ -97,10 +96,9 @@ int br_handle_frame_finish(struct net *n + br_fdb_update(br, p, eth_hdr(skb)->h_source, vid, false); + + local_rcv = !!(br->dev->flags & IFF_PROMISC); +- dest = eth_hdr(skb)->h_dest; +- if (is_multicast_ether_addr(dest)) { ++ if (is_multicast_ether_addr(eth_hdr(skb)->h_dest)) { + /* by definition the broadcast is also a multicast address */ +- if (is_broadcast_ether_addr(dest)) { ++ if (is_broadcast_ether_addr(eth_hdr(skb)->h_dest)) { + pkt_type = BR_PKT_BROADCAST; + local_rcv = true; + } else { +@@ -150,7 +148,7 @@ int br_handle_frame_finish(struct net *n + } + break; + case BR_PKT_UNICAST: +- dst = br_fdb_find_rcu(br, dest, vid); ++ dst = br_fdb_find_rcu(br, eth_hdr(skb)->h_dest, vid); + 
default: + break; + } diff --git a/queue-5.1/net-bridge-mcast-fix-stale-ipv6-hdr-pointer-when-handling-v6-query.patch b/queue-5.1/net-bridge-mcast-fix-stale-ipv6-hdr-pointer-when-handling-v6-query.patch new file mode 100644 index 00000000000..04e910f8da6 --- /dev/null +++ b/queue-5.1/net-bridge-mcast-fix-stale-ipv6-hdr-pointer-when-handling-v6-query.patch @@ -0,0 +1,41 @@ +From foo@baz Fri 26 Jul 2019 10:52:07 AM CEST +From: Nikolay Aleksandrov +Date: Tue, 2 Jul 2019 15:00:19 +0300 +Subject: net: bridge: mcast: fix stale ipv6 hdr pointer when handling v6 query + +From: Nikolay Aleksandrov + +[ Upstream commit 3b26a5d03d35d8f732d75951218983c0f7f68dff ] + +We get a pointer to the ipv6 hdr in br_ip6_multicast_query but we may +call pskb_may_pull afterwards and end up using a stale pointer. +So use the header directly, it's just 1 place where it's needed. + +Fixes: 08b202b67264 ("bridge br_multicast: IPv6 MLD support.") +Signed-off-by: Nikolay Aleksandrov +Tested-by: Martin Weinelt +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/bridge/br_multicast.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/net/bridge/br_multicast.c ++++ b/net/bridge/br_multicast.c +@@ -1302,7 +1302,6 @@ static int br_ip6_multicast_query(struct + u16 vid) + { + unsigned int transport_len = ipv6_transport_len(skb); +- const struct ipv6hdr *ip6h = ipv6_hdr(skb); + struct mld_msg *mld; + struct net_bridge_mdb_entry *mp; + struct mld2_query *mld2q; +@@ -1346,7 +1345,7 @@ static int br_ip6_multicast_query(struct + + if (is_general_query) { + saddr.proto = htons(ETH_P_IPV6); +- saddr.u.ip6 = ip6h->saddr; ++ saddr.u.ip6 = ipv6_hdr(skb)->saddr; + + br_multicast_query_received(br, port, &br->ip6_other_query, + &saddr, max_delay); 
diff --git a/queue-5.1/net-bridge-mcast-fix-stale-nsrcs-pointer-in-igmp3-mld2-report-handling.patch b/queue-5.1/net-bridge-mcast-fix-stale-nsrcs-pointer-in-igmp3-mld2-report-handling.patch
new file mode 100644
index 00000000000..bfe16a6c076
--- /dev/null
+++ b/queue-5.1/net-bridge-mcast-fix-stale-nsrcs-pointer-in-igmp3-mld2-report-handling.patch
@@ -0,0 +1,166 @@ +From foo@baz Fri 26 Jul 2019 10:52:07 AM CEST +From: Nikolay Aleksandrov +Date: Tue, 2 Jul 2019 15:00:18 +0300 +Subject: net: bridge: mcast: fix stale nsrcs pointer in igmp3/mld2 report handling + +From: Nikolay Aleksandrov + +[ Upstream commit e57f61858b7cf478ed6fa23ed4b3876b1c9625c4 ] + +We take a pointer to grec prior to calling pskb_may_pull and use it +afterwards to get nsrcs so record nsrcs before the pull when handling +igmp3 and we get a pointer to nsrcs and call pskb_may_pull when handling +mld2 which again could lead to reading 2 bytes out-of-bounds. + + ================================================================== + BUG: KASAN: use-after-free in br_multicast_rcv+0x480c/0x4ad0 [bridge] + Read of size 2 at addr ffff8880421302b4 by task ksoftirqd/1/16 + + CPU: 1 PID: 16 Comm: ksoftirqd/1 Tainted: G OE 5.2.0-rc6+ #1 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014 + Call Trace: + dump_stack+0x71/0xab + print_address_description+0x6a/0x280 + ? br_multicast_rcv+0x480c/0x4ad0 [bridge] + __kasan_report+0x152/0x1aa + ? br_multicast_rcv+0x480c/0x4ad0 [bridge] + ? br_multicast_rcv+0x480c/0x4ad0 [bridge] + kasan_report+0xe/0x20 + br_multicast_rcv+0x480c/0x4ad0 [bridge] + ? br_multicast_disable_port+0x150/0x150 [bridge] + ? ktime_get_with_offset+0xb4/0x150 + ? __kasan_kmalloc.constprop.6+0xa6/0xf0 + ? __netif_receive_skb+0x1b0/0x1b0 + ? br_fdb_update+0x10e/0x6e0 [bridge] + ? br_handle_frame_finish+0x3c6/0x11d0 [bridge] + br_handle_frame_finish+0x3c6/0x11d0 [bridge] + ? br_pass_frame_up+0x3a0/0x3a0 [bridge] + ? virtnet_probe+0x1c80/0x1c80 [virtio_net] + br_handle_frame+0x731/0xd90 [bridge] + ? select_idle_sibling+0x25/0x7d0 + ? br_handle_frame_finish+0x11d0/0x11d0 [bridge] + __netif_receive_skb_core+0xced/0x2d70 + ? virtqueue_get_buf_ctx+0x230/0x1130 [virtio_ring] + ? do_xdp_generic+0x20/0x20 + ? virtqueue_napi_complete+0x39/0x70 [virtio_net] + ? virtnet_poll+0x94d/0xc78 [virtio_net] + ? 
receive_buf+0x5120/0x5120 [virtio_net] + ? __netif_receive_skb_one_core+0x97/0x1d0 + __netif_receive_skb_one_core+0x97/0x1d0 + ? __netif_receive_skb_core+0x2d70/0x2d70 + ? _raw_write_trylock+0x100/0x100 + ? __queue_work+0x41e/0xbe0 + process_backlog+0x19c/0x650 + ? _raw_read_lock_irq+0x40/0x40 + net_rx_action+0x71e/0xbc0 + ? __switch_to_asm+0x40/0x70 + ? napi_complete_done+0x360/0x360 + ? __switch_to_asm+0x34/0x70 + ? __switch_to_asm+0x40/0x70 + ? __schedule+0x85e/0x14d0 + __do_softirq+0x1db/0x5f9 + ? takeover_tasklets+0x5f0/0x5f0 + run_ksoftirqd+0x26/0x40 + smpboot_thread_fn+0x443/0x680 + ? sort_range+0x20/0x20 + ? schedule+0x94/0x210 + ? __kthread_parkme+0x78/0xf0 + ? sort_range+0x20/0x20 + kthread+0x2ae/0x3a0 + ? kthread_create_worker_on_cpu+0xc0/0xc0 + ret_from_fork+0x35/0x40 + + The buggy address belongs to the page: + page:ffffea0001084c00 refcount:0 mapcount:-128 mapping:0000000000000000 index:0x0 + flags: 0xffffc000000000() + raw: 00ffffc000000000 ffffea0000cfca08 ffffea0001098608 0000000000000000 + raw: 0000000000000000 0000000000000003 00000000ffffff7f 0000000000000000 + page dumped because: kasan: bad access detected + + Memory state around the buggy address: + ffff888042130180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff + ffff888042130200: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff + > ffff888042130280: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff + ^ + ffff888042130300: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff + ffff888042130380: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff + ================================================================== + Disabling lock debugging due to kernel taint + +Fixes: bc8c20acaea1 ("bridge: multicast: treat igmpv3 report with INCLUDE and no sources as a leave") +Reported-by: Martin Weinelt +Signed-off-by: Nikolay Aleksandrov +Tested-by: Martin Weinelt +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/bridge/br_multicast.c | 20 ++++++++++++-------- + 1 file changed, 12 insertions(+), 8 deletions(-) + +--- a/net/bridge/br_multicast.c ++++ b/net/bridge/br_multicast.c +@@ -934,6 +934,7 @@ static int br_ip4_multicast_igmp3_report + int type; + int err = 0; + __be32 group; ++ u16 nsrcs; + + ih = igmpv3_report_hdr(skb); + num = ntohs(ih->ngrec); +@@ -947,8 +948,9 @@ static int br_ip4_multicast_igmp3_report + grec = (void *)(skb->data + len - sizeof(*grec)); + group = grec->grec_mca; + type = grec->grec_type; ++ nsrcs = ntohs(grec->grec_nsrcs); + +- len += ntohs(grec->grec_nsrcs) * 4; ++ len += nsrcs * 4; + if (!ip_mc_may_pull(skb, len)) + return -EINVAL; + +@@ -969,7 +971,7 @@ static int br_ip4_multicast_igmp3_report + src = eth_hdr(skb)->h_source; + if ((type == IGMPV3_CHANGE_TO_INCLUDE || + type == IGMPV3_MODE_IS_INCLUDE) && +- ntohs(grec->grec_nsrcs) == 0) { ++ nsrcs == 0) { + br_ip4_multicast_leave_group(br, port, group, vid, src); + } else { + err = br_ip4_multicast_add_group(br, port, group, vid, +@@ -1006,7 +1008,8 @@ static int br_ip6_multicast_mld2_report( + len = skb_transport_offset(skb) + sizeof(*icmp6h); + + for (i = 0; i < num; i++) { +- __be16 *nsrcs, _nsrcs; ++ __be16 *_nsrcs, __nsrcs; ++ u16 nsrcs; + + nsrcs_offset = len + offsetof(struct mld2_grec, grec_nsrcs); + +@@ -1014,12 +1017,13 @@ static int br_ip6_multicast_mld2_report( + nsrcs_offset + sizeof(_nsrcs)) + return -EINVAL; + +- nsrcs = skb_header_pointer(skb, nsrcs_offset, +- sizeof(_nsrcs), &_nsrcs); +- if (!nsrcs) ++ _nsrcs = skb_header_pointer(skb, nsrcs_offset, ++ sizeof(__nsrcs), &__nsrcs); ++ if (!_nsrcs) + return -EINVAL; + +- grec_len = struct_size(grec, grec_src, ntohs(*nsrcs)); ++ nsrcs = ntohs(*_nsrcs); ++ grec_len = struct_size(grec, grec_src, nsrcs); + + if (!ipv6_mc_may_pull(skb, len + grec_len)) + return -EINVAL; +@@ -1044,7 +1048,7 @@ static int br_ip6_multicast_mld2_report( + src = eth_hdr(skb)->h_source; + if 
((grec->grec_type == MLD2_CHANGE_TO_INCLUDE || + grec->grec_type == MLD2_MODE_IS_INCLUDE) && +- ntohs(*nsrcs) == 0) { ++ nsrcs == 0) { + br_ip6_multicast_leave_group(br, port, &grec->grec_mca, + vid, src); + } else { diff --git a/queue-5.1/net-bridge-stp-don-t-cache-eth-dest-pointer-before-skb-pull.patch b/queue-5.1/net-bridge-stp-don-t-cache-eth-dest-pointer-before-skb-pull.patch new file mode 100644 index 00000000000..eb9fb0f3c3e --- /dev/null +++ b/queue-5.1/net-bridge-stp-don-t-cache-eth-dest-pointer-before-skb-pull.patch @@ -0,0 +1,38 @@ +From foo@baz Fri 26 Jul 2019 10:52:07 AM CEST +From: Nikolay Aleksandrov +Date: Tue, 2 Jul 2019 15:00:21 +0300 +Subject: net: bridge: stp: don't cache eth dest pointer before skb pull + +From: Nikolay Aleksandrov + +[ Upstream commit 2446a68ae6a8cee6d480e2f5b52f5007c7c41312 ] + +Don't cache eth dest pointer before calling pskb_may_pull. + +Fixes: cf0f02d04a83 ("[BRIDGE]: use llc for receiving STP packets") +Signed-off-by: Nikolay Aleksandrov +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/bridge/br_stp_bpdu.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/net/bridge/br_stp_bpdu.c ++++ b/net/bridge/br_stp_bpdu.c +@@ -147,7 +147,6 @@ void br_send_tcn_bpdu(struct net_bridge_ + void br_stp_rcv(const struct stp_proto *proto, struct sk_buff *skb, + struct net_device *dev) + { +- const unsigned char *dest = eth_hdr(skb)->h_dest; + struct net_bridge_port *p; + struct net_bridge *br; + const unsigned char *buf; +@@ -176,7 +175,7 @@ void br_stp_rcv(const struct stp_proto * + if (p->state == BR_STATE_DISABLED) + goto out; + +- if (!ether_addr_equal(dest, br->group_addr)) ++ if (!ether_addr_equal(eth_hdr(skb)->h_dest, br->group_addr)) + goto out; + + if (p->flags & BR_BPDU_GUARD) { diff --git a/queue-5.1/net-dsa-mv88e6xxx-wait-after-reset-deactivation.patch b/queue-5.1/net-dsa-mv88e6xxx-wait-after-reset-deactivation.patch new file mode 100644 index 00000000000..33238533ab8 --- /dev/null 
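Review bot: The rewritten check `ether_addr_equal(eth_hdr(skb)->h_dest, br->group_addr)` in br_stp_rcv has no comment saying why the header pointer must be re-derived at that point, and the description only says not to cache it before pskb_may_pull. The pull is outside this hunk; presumably it can move the skb head and leave an earlier `dest` pointing at stale memory. I would add `/* re-read h_dest here: pskb_may_pull() above may have moved skb->head */` above the comparison, so the cached local is not reintroduced by a later cleanup. br_stp_rcv continues outside both hunks.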
+++ b/queue-5.1/net-dsa-mv88e6xxx-wait-after-reset-deactivation.patch
@@ -0,0 +1,31 @@
+From foo@baz Fri 26 Jul 2019 10:52:07 AM CEST
+From: Baruch Siach
+Date: Thu, 27 Jun 2019 21:17:39 +0300
+Subject: net: dsa: mv88e6xxx: wait after reset deactivation
+
+From: Baruch Siach
+
+[ Upstream commit 7b75e49de424ceb53d13e60f35d0a73765626fda ]
+
+Add a 1ms delay after reset deactivation. Otherwise the chip returns
+bogus ID value. This is observed with 88E6390 (Peridot) chip.
+
+Signed-off-by: Baruch Siach
+Reviewed-by: Andrew Lunn
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/dsa/mv88e6xxx/chip.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/dsa/mv88e6xxx/chip.c
++++ b/drivers/net/dsa/mv88e6xxx/chip.c
+@@ -4910,6 +4910,8 @@ static int mv88e6xxx_probe(struct mdio_d
+ err = PTR_ERR(chip->reset);
+ goto out;
+ }
++ if (chip->reset)
++ usleep_range(1000, 2000);
+
+ err = mv88e6xxx_detect(chip);
+ if (err)
diff --git a/queue-5.1/net-make-skb_dst_force-return-true-when-dst-is-refcounted.patch b/queue-5.1/net-make-skb_dst_force-return-true-when-dst-is-refcounted.patch
new file mode 100644
index 00000000000..099dbb7682e
--- /dev/null
+++ b/queue-5.1/net-make-skb_dst_force-return-true-when-dst-is-refcounted.patch
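Review bot: The added `usleep_range(1000, 2000)` in mv88e6xxx_probe has no comment, so the reason for the delay exists only in the commit message. A line such as `/* chip returns a bogus ID if read right after reset deassertion (seen on 88E6390) */` above `if (chip->reset)` would keep the wait from being removed as dead code later. The description reports an observation on one chip and cites no datasheet minimum, so whether 1 ms is enough for other family members is not established here.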
@@ -0,0 +1,91 @@
+From foo@baz Fri 26 Jul 2019 10:52:07 AM CEST
+From: Florian Westphal
+Date: Wed, 26 Jun 2019 20:40:45 +0200
+Subject: net: make skb_dst_force return true when dst is refcounted
+
+From: Florian Westphal
+
+[ Upstream commit b60a77386b1d4868f72f6353d35dabe5fbe981f2 ]
+
+netfilter did not expect that skb_dst_force() can cause skb to lose its
+dst entry.
+
+I got a bug report with a skb->dst NULL dereference in netfilter
+output path. The backtrace contains nf_reinject(), so the dst might have
+been cleared when skb got queued to userspace.
+
+Other users were fixed via
+if (skb_dst(skb)) {
+ skb_dst_force(skb);
+ if (!skb_dst(skb))
+ goto handle_err;
+}
+
+But I think its preferable to make the 'dst might be cleared' part
+of the function explicit.
+
+In netfilter case, skb with a null dst is expected when queueing in
+prerouting hook, so drop skb for the other hooks.
+
+v2:
+ v1 of this patch returned true in case skb had no dst entry.
+ Eric said:
+ Say if we have two skb_dst_force() calls for some reason
+ on the same skb, only the first one will return false.
+
+ This now returns false even when skb had no dst, as per Erics
+ suggestion, so callers might need to check skb_dst() first before
+ skb_dst_force().
+
+Signed-off-by: Florian Westphal
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ include/net/dst.h | 5 ++++-
+ net/netfilter/nf_queue.c | 6 +++++-
+ 2 files changed, 9 insertions(+), 2 deletions(-)
+
+--- a/include/net/dst.h
++++ b/include/net/dst.h
+@@ -313,8 +313,9 @@ static inline bool dst_hold_safe(struct
+ * @skb: buffer
+ *
+ * If dst is not yet refcounted and not destroyed, grab a ref on it.
++ * Returns true if dst is refcounted.
+ */
+-static inline void skb_dst_force(struct sk_buff *skb)
++static inline bool skb_dst_force(struct sk_buff *skb)
+ {
+ if (skb_dst_is_noref(skb)) {
+ struct dst_entry *dst = skb_dst(skb);
+@@ -325,6 +326,8 @@ static inline void skb_dst_force(struct
+
+ skb->_skb_refdst = (unsigned long)dst;
+ }
++
++ return skb->_skb_refdst != 0UL;
+ }
+
+
+--- a/net/netfilter/nf_queue.c
++++ b/net/netfilter/nf_queue.c
+@@ -190,6 +190,11 @@ static int __nf_queue(struct sk_buff *sk
+ goto err;
+ }
+
++ if (!skb_dst_force(skb) && state->hook != NF_INET_PRE_ROUTING) {
++ status = -ENETDOWN;
++ goto err;
++ }
++
+ *entry = (struct nf_queue_entry) {
+ .skb = skb,
+ .state = *state,
+@@ -198,7 +203,6 @@ static int __nf_queue(struct sk_buff *sk
+ };
+
+ nf_queue_entry_get_refs(entry);
+- skb_dst_force(skb);
+
+ switch (entry->state.pf) {
+ case AF_INET:
diff --git a/queue-5.1/net-mlx5e-fix-error-flow-in-tx-reporter-diagnose.patch b/queue-5.1/net-mlx5e-fix-error-flow-in-tx-reporter-diagnose.patch
new file mode 100644
index 00000000000..24bf26552ac
--- /dev/null
+++ b/queue-5.1/net-mlx5e-fix-error-flow-in-tx-reporter-diagnose.patch
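Review bot: The new kerneldoc line `Returns true if dst is refcounted.` in include/net/dst.h understates the contract, because `return skb->_skb_refdst != 0UL;` also yields false when the skb had no dst at all, as the v2 note in the description says. I would spell that out, e.g. ` * Returns true if dst is refcounted; false if the skb has no dst or the dst could not be held and was cleared.`, since a caller that ignores the result can go on to dereference a NULL dst. The middle of skb_dst_force() lies between the two hunks, and its other callers are outside this patch, so whether any of them still discards the return value cannot be checked from here.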
@@ -0,0 +1,41 @@
+From foo@baz Fri 26 Jul 2019 10:52:07 AM CEST
+From: Aya Levin
+Date: Sun, 30 Jun 2019 11:11:26 +0300
+Subject: net/mlx5e: Fix error flow in tx reporter diagnose
+
+From: Aya Levin
+
+[ Upstream commit 99d31cbd8953c6929da978bf049ab0f0b4e503d9 ]
+
+Fix tx reporter's diagnose callback. Propagate error when failing to
+gather diagnostics information or failing to print diagnostic data per
+queue.
+
+Fixes: de8650a82071 ("net/mlx5e: Add tx reporter support")
+Signed-off-by: Aya Levin
+Reviewed-by: Tariq Toukan
+Acked-by: Jiri Pirko
+Signed-off-by: Saeed Mahameed
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en/reporter_tx.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en/reporter_tx.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/reporter_tx.c
+@@ -262,13 +262,13 @@ static int mlx5e_tx_reporter_diagnose(st
+
+ err = mlx5_core_query_sq_state(priv->mdev, sq->sqn, &state);
+ if (err)
+- break;
++ goto unlock;
+
+ err = mlx5e_tx_reporter_build_diagnose_output(fmsg, sq->sqn,
+ state,
+ netif_xmit_stopped(sq->txq));
+ if (err)
+- break;
++ goto unlock;
+ }
+ err = devlink_fmsg_arr_pair_nest_end(fmsg);
+ if (err)
diff --git a/queue-5.1/net-mlx5e-fix-port-tunnel-gre-entropy-control.patch b/queue-5.1/net-mlx5e-fix-port-tunnel-gre-entropy-control.patch
new file mode 100644
index 00000000000..d76ca8459ed
--- /dev/null
+++ b/queue-5.1/net-mlx5e-fix-port-tunnel-gre-entropy-control.patch
@@ -0,0 +1,56 @@
+From foo@baz Fri 26 Jul 2019 10:52:07 AM CEST
+From: Eli Britstein
+Date: Sun, 2 Jun 2019 06:19:03 +0000
+Subject: net/mlx5e: Fix port tunnel GRE entropy control
+
+From: Eli Britstein
+
+[ Upstream commit 914adbb1bcf89478ac138318d28b302704564d59 ]
+
+GRE entropy calculation is a single bit per card, and not per port.
+Force disable GRE entropy calculation upon the first GRE encap rule,
+and release the force at the last GRE encap rule removal. This is done
+per port.
+
+Fixes: 97417f6182f8 ("net/mlx5e: Fix GRE key by controlling port tunnel entropy calculation")
+Signed-off-by: Eli Britstein
+Signed-off-by: Saeed Mahameed
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/mellanox/mlx5/core/lib/port_tun.c | 23 ++---------------
+ 1 file changed, 4 insertions(+), 19 deletions(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/lib/port_tun.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/lib/port_tun.c
+@@ -100,27 +100,12 @@ static int mlx5_set_entropy(struct mlx5_
+ */
+ if (entropy_flags.gre_calc_supported &&
+ reformat_type == MLX5_REFORMAT_TYPE_L2_TO_NVGRE) {
+- /* Other applications may change the global FW entropy
+- * calculations settings. Check that the current entropy value
+- * is the negative of the updated value.
+- */
+- if (entropy_flags.force_enabled &&
+- enable == entropy_flags.gre_calc_enabled) {
+- mlx5_core_warn(tun_entropy->mdev,
+- "Unexpected GRE entropy calc setting - expected %d",
+- !entropy_flags.gre_calc_enabled);
+- return -EOPNOTSUPP;
+- }
+- err = mlx5_set_port_gre_tun_entropy_calc(tun_entropy->mdev, enable,
+- entropy_flags.force_supported);
++ if (!entropy_flags.force_supported)
++ return 0;
++ err = mlx5_set_port_gre_tun_entropy_calc(tun_entropy->mdev,
++ enable, !enable);
+ if (err)
+ return err;
+- /* if we turn on the entropy we don't need to force it anymore */
+- if (entropy_flags.force_supported && enable) {
+- err = mlx5_set_port_gre_tun_entropy_calc(tun_entropy->mdev, 1, 0);
+- if (err)
+- return err;
+- }
+ } else if (entropy_flags.calc_supported) {
+ /* Other applications may change the global FW entropy
+ * calculations settings. Check that the current entropy value
diff --git a/queue-5.1/net-mlx5e-fix-return-value-from-timeout-recover-function.patch b/queue-5.1/net-mlx5e-fix-return-value-from-timeout-recover-function.patch
new file mode 100644
index 00000000000..4d1be45c50d
--- /dev/null
+++ b/queue-5.1/net-mlx5e-fix-return-value-from-timeout-recover-function.patch
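Review bot: The replacement call `mlx5_set_port_gre_tun_entropy_calc(tun_entropy->mdev, enable, !enable)` passes `!enable` as its last argument with no comment, and the hunk deletes the only comments that explained the force handling. Judging by the removed lines that argument is the force flag, so a comment such as `/* force while GRE entropy is disabled, release the force when re-enabling */` would make the intent readable in place. The early `return 0` when `force_supported` is clear also reports success without changing anything; if that is intended it deserves a word as well. mlx5_set_entropy starts and ends outside the hunk.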
@@ -0,0 +1,50 @@
+From foo@baz Fri 26 Jul 2019 10:52:07 AM CEST
+From: Aya Levin
+Date: Mon, 17 Jun 2019 12:01:45 +0300
+Subject: net/mlx5e: Fix return value from timeout recover function
+
+From: Aya Levin
+
+[ Upstream commit 39825350ae2a52f8513741b36e42118bd80dd689 ]
+
+Fix timeout recover function to return a meaningful return value.
+When an interrupt was not sent by the FW, return IO error instead of
+'true'.
+
+Fixes: c7981bea48fb ("net/mlx5e: Fix return status of TX reporter timeout recover")
+Signed-off-by: Aya Levin
+Acked-by: Jiri Pirko
+Reviewed-by: Tariq Toukan
+Signed-off-by: Saeed Mahameed
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en/reporter_tx.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en/reporter_tx.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/reporter_tx.c
+@@ -142,22 +142,20 @@ static int mlx5e_tx_reporter_timeout_rec
+ {
+ struct mlx5_eq_comp *eq = sq->cq.mcq.eq;
+ u32 eqe_count;
+- int ret;
+
+ netdev_err(sq->channel->netdev, "EQ 0x%x: Cons = 0x%x, irqn = 0x%x\n",
+ eq->core.eqn, eq->core.cons_index, eq->core.irqn);
+
+ eqe_count = mlx5_eq_poll_irq_disabled(eq);
+- ret = eqe_count ? false : true;
+ if (!eqe_count) {
+ clear_bit(MLX5E_SQ_STATE_ENABLED, &sq->state);
+- return ret;
++ return -EIO;
+ }
+
+ netdev_err(sq->channel->netdev, "Recover %d eqes on EQ 0x%x\n",
+ eqe_count, eq->core.eqn);
+ sq->channel->stats->eq_rearm++;
+- return ret;
++ return 0;
+ }
+
+ int mlx5e_tx_reporter_timeout(struct mlx5e_txqsq *sq)
diff --git a/queue-5.1/net-mlx5e-ipoib-add-error-path-in-mlx5_rdma_setup_rn.patch b/queue-5.1/net-mlx5e-ipoib-add-error-path-in-mlx5_rdma_setup_rn.patch
new file mode 100644
index 00000000000..0a436dc5796
--- /dev/null
+++ b/queue-5.1/net-mlx5e-ipoib-add-error-path-in-mlx5_rdma_setup_rn.patch
@@ -0,0 +1,45 @@
+From foo@baz Fri 26 Jul 2019 10:52:07 AM CEST
+From: Aya Levin
+Date: Sun, 7 Jul 2019 16:57:06 +0300
+Subject: net/mlx5e: IPoIB, Add error path in mlx5_rdma_setup_rn
+
+From: Aya Levin
+
+[ Upstream commit ef1ce7d7b67b46661091c7ccc0396186b7a247ef ]
+
+Check return value from mlx5e_attach_netdev, add error path on failure.
+
+Fixes: 48935bbb7ae8 ("net/mlx5e: IPoIB, Add netdevice profile skeleton")
+Signed-off-by: Aya Levin
+Reviewed-by: Feras Daoud
+Signed-off-by: Saeed Mahameed
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/mellanox/mlx5/core/ipoib/ipoib.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/ipoib/ipoib.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/ipoib/ipoib.c
+@@ -698,7 +698,9 @@ static int mlx5_rdma_setup_rn(struct ib_
+
+ prof->init(mdev, netdev, prof, ipriv);
+
+- mlx5e_attach_netdev(epriv);
++ err = mlx5e_attach_netdev(epriv);
++ if (err)
++ goto detach;
+ netif_carrier_off(netdev);
+
+ /* set rdma_netdev func pointers */
+@@ -714,6 +716,11 @@ static int mlx5_rdma_setup_rn(struct ib_
+
+ return 0;
+
++detach:
++ prof->cleanup(epriv);
++ if (ipriv->sub_interface)
++ return err;
++ mlx5e_destroy_mdev_resources(mdev);
+ destroy_ht:
+ mlx5i_pkey_qpn_ht_cleanup(netdev);
+ return err;
diff --git a/queue-5.1/net-mlx5e-rx-fix-checksum-calculation-for-new-hardware.patch b/queue-5.1/net-mlx5e-rx-fix-checksum-calculation-for-new-hardware.patch
new file mode 100644
index 00000000000..3a30b1d72c7
--- /dev/null
+++ b/queue-5.1/net-mlx5e-rx-fix-checksum-calculation-for-new-hardware.patch
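Review bot: In the new `detach:` path the `return err` taken for `ipriv->sub_interface` sits in the middle of the unwind chain and skips both `mlx5e_destroy_mdev_resources(mdev)` and the `destroy_ht:` cleanup, with nothing saying why. The matching setup is outside these hunks; presumably a sub-interface never created those resources, and a comment to that effect, for instance `/* sub-interfaces did not create the mdev resources or the qpn table (confirm against setup above) */`, would make the asymmetry checkable. Separately, the context line `prof->init(mdev, netdev, prof, ipriv);` still discards its result, so if init can fail the new error path does not cover it.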
@@ -0,0 +1,86 @@ +From foo@baz Fri 26 Jul 2019 10:52:07 AM CEST +From: Saeed Mahameed +Date: Fri, 3 May 2019 13:14:59 -0700 +Subject: net/mlx5e: Rx, Fix checksum calculation for new hardware + +From: Saeed Mahameed + +[ Upstream commit db849faa9bef993a1379dc510623f750a72fa7ce ] + +CQE checksum full mode in new HW, provides a full checksum of rx frame. +Covering bytes starting from eth protocol up to last byte in the received +frame (frame_size - ETH_HLEN), as expected by the stack. + +Fixing up skb->csum by the driver is not required in such case. This fix +is to avoid wrong checksum calculation in drivers which already support +the new hardware with the new checksum mode. + +Fixes: 85327a9c4150 ("net/mlx5: Update the list of the PCI supported devices") +Signed-off-by: Saeed Mahameed +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlx5/core/en.h | 1 + + drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 3 +++ + drivers/net/ethernet/mellanox/mlx5/core/en_rx.c | 7 ++++++- + include/linux/mlx5/mlx5_ifc.h | 3 ++- + 4 files changed, 12 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/mellanox/mlx5/core/en.h ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en.h +@@ -294,6 +294,7 @@ enum { + MLX5E_RQ_STATE_ENABLED, + MLX5E_RQ_STATE_AM, + MLX5E_RQ_STATE_NO_CSUM_COMPLETE, ++ MLX5E_RQ_STATE_CSUM_FULL, /* cqe_csum_full hw bit is set */ + }; + + struct mlx5e_cq { +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +@@ -948,6 +948,9 @@ static int mlx5e_open_rq(struct mlx5e_ch + if (err) + goto err_destroy_rq; + ++ if (MLX5_CAP_ETH(c->mdev, cqe_checksum_full)) ++ __set_bit(MLX5E_RQ_STATE_CSUM_FULL, &c->rq.state); ++ + if (params->rx_dim_enabled) + __set_bit(MLX5E_RQ_STATE_AM, &c->rq.state); + +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c +@@ -829,8 +829,14 @@ static inline void mlx5e_handle_csum(str + if 
(unlikely(get_ip_proto(skb, network_depth, proto) == IPPROTO_SCTP)) + goto csum_unnecessary; + ++ stats->csum_complete++; + skb->ip_summed = CHECKSUM_COMPLETE; + skb->csum = csum_unfold((__force __sum16)cqe->check_sum); ++ ++ if (test_bit(MLX5E_RQ_STATE_CSUM_FULL, &rq->state)) ++ return; /* CQE csum covers all received bytes */ ++ ++ /* csum might need some fixups ...*/ + if (network_depth > ETH_HLEN) + /* CQE csum is calculated from the IP header and does + * not cover VLAN headers (if present). This will add +@@ -841,7 +847,6 @@ static inline void mlx5e_handle_csum(str + skb->csum); + + mlx5e_skb_padding_csum(skb, network_depth, proto, stats); +- stats->csum_complete++; + return; + } + +--- a/include/linux/mlx5/mlx5_ifc.h ++++ b/include/linux/mlx5/mlx5_ifc.h +@@ -716,7 +716,8 @@ struct mlx5_ifc_per_protocol_networking_ + u8 swp[0x1]; + u8 swp_csum[0x1]; + u8 swp_lso[0x1]; +- u8 reserved_at_23[0xd]; ++ u8 cqe_checksum_full[0x1]; ++ u8 reserved_at_24[0xc]; + u8 max_vxlan_udp_ports[0x8]; + u8 reserved_at_38[0x6]; + u8 max_geneve_opt_len[0x1]; diff --git a/queue-5.1/net-neigh-fix-multiple-neigh-timer-scheduling.patch b/queue-5.1/net-neigh-fix-multiple-neigh-timer-scheduling.patch new file mode 100644 index 00000000000..22ee64a248a --- /dev/null +++ b/queue-5.1/net-neigh-fix-multiple-neigh-timer-scheduling.patch 
@@ -0,0 +1,92 @@ +From foo@baz Fri 26 Jul 2019 10:52:07 AM CEST +From: Lorenzo Bianconi +Date: Sun, 14 Jul 2019 23:36:11 +0200 +Subject: net: neigh: fix multiple neigh timer scheduling + +From: Lorenzo Bianconi + +[ Upstream commit 071c37983d99da07797294ea78e9da1a6e287144 ] + +Neigh timer can be scheduled multiple times from userspace adding +multiple neigh entries and forcing the neigh timer scheduling passing +NTF_USE in the netlink requests. +This will result in a refcount leak and in the following dump stack: + +[ 32.465295] NEIGH: BUG, double timer add, state is 8 +[ 32.465308] CPU: 0 PID: 416 Comm: double_timer_ad Not tainted 5.2.0+ #65 +[ 32.465311] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.12.0-2.fc30 04/01/2014 +[ 32.465313] Call Trace: +[ 32.465318] dump_stack+0x7c/0xc0 +[ 32.465323] __neigh_event_send+0x20c/0x880 +[ 32.465326] ? ___neigh_create+0x846/0xfb0 +[ 32.465329] ? neigh_lookup+0x2a9/0x410 +[ 32.465332] ? neightbl_fill_info.constprop.0+0x800/0x800 +[ 32.465334] neigh_add+0x4f8/0x5e0 +[ 32.465337] ? neigh_xmit+0x620/0x620 +[ 32.465341] ? find_held_lock+0x85/0xa0 +[ 32.465345] rtnetlink_rcv_msg+0x204/0x570 +[ 32.465348] ? rtnl_dellink+0x450/0x450 +[ 32.465351] ? mark_held_locks+0x90/0x90 +[ 32.465354] ? match_held_lock+0x1b/0x230 +[ 32.465357] netlink_rcv_skb+0xc4/0x1d0 +[ 32.465360] ? rtnl_dellink+0x450/0x450 +[ 32.465363] ? netlink_ack+0x420/0x420 +[ 32.465366] ? netlink_deliver_tap+0x115/0x560 +[ 32.465369] ? __alloc_skb+0xc9/0x2f0 +[ 32.465372] netlink_unicast+0x270/0x330 +[ 32.465375] ? netlink_attachskb+0x2f0/0x2f0 +[ 32.465378] netlink_sendmsg+0x34f/0x5a0 +[ 32.465381] ? netlink_unicast+0x330/0x330 +[ 32.465385] ? move_addr_to_kernel.part.0+0x20/0x20 +[ 32.465388] ? netlink_unicast+0x330/0x330 +[ 32.465391] sock_sendmsg+0x91/0xa0 +[ 32.465394] ___sys_sendmsg+0x407/0x480 +[ 32.465397] ? copy_msghdr_from_user+0x200/0x200 +[ 32.465401] ? _raw_spin_unlock_irqrestore+0x37/0x40 +[ 32.465404] ? 
lockdep_hardirqs_on+0x17d/0x250 +[ 32.465407] ? __wake_up_common_lock+0xcb/0x110 +[ 32.465410] ? __wake_up_common+0x230/0x230 +[ 32.465413] ? netlink_bind+0x3e1/0x490 +[ 32.465416] ? netlink_setsockopt+0x540/0x540 +[ 32.465420] ? __fget_light+0x9c/0xf0 +[ 32.465423] ? sockfd_lookup_light+0x8c/0xb0 +[ 32.465426] __sys_sendmsg+0xa5/0x110 +[ 32.465429] ? __ia32_sys_shutdown+0x30/0x30 +[ 32.465432] ? __fd_install+0xe1/0x2c0 +[ 32.465435] ? lockdep_hardirqs_off+0xb5/0x100 +[ 32.465438] ? mark_held_locks+0x24/0x90 +[ 32.465441] ? do_syscall_64+0xf/0x270 +[ 32.465444] do_syscall_64+0x63/0x270 +[ 32.465448] entry_SYSCALL_64_after_hwframe+0x49/0xbe + +Fix the issue unscheduling neigh_timer if selected entry is in 'IN_TIMER' +receiving a netlink request with NTF_USE flag set + +Reported-by: Marek Majkowski +Fixes: 0c5c2d308906 ("neigh: Allow for user space users of the neighbour table") +Signed-off-by: Lorenzo Bianconi +Reviewed-by: David Ahern +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/core/neighbour.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/net/core/neighbour.c ++++ b/net/core/neighbour.c +@@ -1126,6 +1126,7 @@ int __neigh_event_send(struct neighbour + + atomic_set(&neigh->probes, + NEIGH_VAR(neigh->parms, UCAST_PROBES)); ++ neigh_del_timer(neigh); + neigh->nud_state = NUD_INCOMPLETE; + neigh->updated = now; + next = now + max(NEIGH_VAR(neigh->parms, RETRANS_TIME), +@@ -1142,6 +1143,7 @@ int __neigh_event_send(struct neighbour + } + } else if (neigh->nud_state & NUD_STALE) { + neigh_dbg(2, "neigh %p is delayed\n", neigh); ++ neigh_del_timer(neigh); + neigh->nud_state = NUD_DELAY; + neigh->updated = jiffies; + neigh_add_timer(neigh, jiffies + diff --git a/queue-5.1/net-openvswitch-fix-csum-updates-for-mpls-actions.patch b/queue-5.1/net-openvswitch-fix-csum-updates-for-mpls-actions.patch new file mode 100644 index 00000000000..c32442127fa --- /dev/null +++ b/queue-5.1/net-openvswitch-fix-csum-updates-for-mpls-actions.patch 
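Review bot: Both added `neigh_del_timer(neigh);` calls in __neigh_event_send go in without a comment, although the reason is not obvious from the state machine around them: per the description the entry can already have a timer armed when a netlink request with NTF_USE arrives. A line such as `/* entry may already have a timer pending (NTF_USE from userspace); drop it before re-arming */` at the first site would record that this path is reachable from userspace and that the call protects the refcount. The second call, in the `NUD_STALE` branch, has the same gap. The function body extends beyond both hunks.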
@@ -0,0 +1,73 @@ +From foo@baz Fri 26 Jul 2019 10:52:07 AM CEST +From: John Hurley +Date: Thu, 27 Jun 2019 14:37:30 +0100 +Subject: net: openvswitch: fix csum updates for MPLS actions + +From: John Hurley + +[ Upstream commit 0e3183cd2a64843a95b62f8bd4a83605a4cf0615 ] + +Skbs may have their checksum value populated by HW. If this is a checksum +calculated over the entire packet then the CHECKSUM_COMPLETE field is +marked. Changes to the data pointer on the skb throughout the network +stack still try to maintain this complete csum value if it is required +through functions such as skb_postpush_rcsum. + +The MPLS actions in Open vSwitch modify a CHECKSUM_COMPLETE value when +changes are made to packet data without a push or a pull. This occurs when +the ethertype of the MAC header is changed or when MPLS lse fields are +modified. + +The modification is carried out using the csum_partial function to get the +csum of a buffer and add it into the larger checksum. The buffer is an +inversion of the data to be removed followed by the new data. Because the +csum is calculated over 16 bits and these values align with 16 bits, the +effect is the removal of the old value from the CHECKSUM_COMPLETE and +addition of the new value. + +However, the csum fed into the function and the outcome of the +calculation are also inverted. This would only make sense if it was the +new value rather than the old that was inverted in the input buffer. + +Fix the issue by removing the bit inverts in the csum_partial calculation. + +The bug was verified and the fix tested by comparing the folded value of +the updated CHECKSUM_COMPLETE value with the folded value of a full +software checksum calculation (reset skb->csum to 0 and run +skb_checksum_complete(skb)). Prior to the fix the outcomes differed but +after they produce the same result. 
+ +Fixes: 25cd9ba0abc0 ("openvswitch: Add basic MPLS support to kernel") +Fixes: bc7cc5999fd3 ("openvswitch: update checksum in {push,pop}_mpls") +Signed-off-by: John Hurley +Reviewed-by: Jakub Kicinski +Reviewed-by: Simon Horman +Acked-by: Pravin B Shelar +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/openvswitch/actions.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +--- a/net/openvswitch/actions.c ++++ b/net/openvswitch/actions.c +@@ -175,8 +175,7 @@ static void update_ethertype(struct sk_b + if (skb->ip_summed == CHECKSUM_COMPLETE) { + __be16 diff[] = { ~(hdr->h_proto), ethertype }; + +- skb->csum = ~csum_partial((char *)diff, sizeof(diff), +- ~skb->csum); ++ skb->csum = csum_partial((char *)diff, sizeof(diff), skb->csum); + } + + hdr->h_proto = ethertype; +@@ -268,8 +267,7 @@ static int set_mpls(struct sk_buff *skb, + if (skb->ip_summed == CHECKSUM_COMPLETE) { + __be32 diff[] = { ~(stack->label_stack_entry), lse }; + +- skb->csum = ~csum_partial((char *)diff, sizeof(diff), +- ~skb->csum); ++ skb->csum = csum_partial((char *)diff, sizeof(diff), skb->csum); + } + + stack->label_stack_entry = lse; diff --git a/queue-5.1/net-phy-sfp-hwmon-fix-scaling-of-rx-power.patch b/queue-5.1/net-phy-sfp-hwmon-fix-scaling-of-rx-power.patch new file mode 100644 index 00000000000..8cb75ef2490 --- /dev/null +++ b/queue-5.1/net-phy-sfp-hwmon-fix-scaling-of-rx-power.patch 
@@ -0,0 +1,46 @@
+From foo@baz Fri 26 Jul 2019 10:52:07 AM CEST
+From: Andrew Lunn
+Date: Sun, 21 Jul 2019 18:50:08 +0200
+Subject: net: phy: sfp: hwmon: Fix scaling of RX power
+
+From: Andrew Lunn
+
+[ Upstream commit 0cea0e1148fe134a4a3aaf0b1496f09241fb943a ]
+
+The RX power read from the SFP uses units of 0.1uW. This must be
+scaled to units of uW for HWMON. This requires a divide by 10, not the
+current 100.
+
+With this change in place, sensors(1) and ethtool -m agree:
+
+sff2-isa-0000
+Adapter: ISA adapter
+in0: +3.23 V
+temp1: +33.1 C
+power1: 270.00 uW
+power2: 200.00 uW
+curr1: +0.01 A
+
+ Laser output power : 0.2743 mW / -5.62 dBm
+ Receiver signal average optical power : 0.2014 mW / -6.96 dBm
+
+Reported-by: chris.healy@zii.aero
+Signed-off-by: Andrew Lunn
+Fixes: 1323061a018a ("net: phy: sfp: Add HWMON support for module sensors")
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/phy/sfp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/phy/sfp.c
++++ b/drivers/net/phy/sfp.c
+@@ -515,7 +515,7 @@ static int sfp_hwmon_read_sensor(struct
+
+ static void sfp_hwmon_to_rx_power(long *value)
+ {
+- *value = DIV_ROUND_CLOSEST(*value, 100);
++ *value = DIV_ROUND_CLOSEST(*value, 10);
+ }
+
+ static void sfp_hwmon_calibrate(struct sfp *sfp, unsigned int slope, int offset,
diff --git a/queue-5.1/net-stmmac-re-work-the-queue-selection-for-tso-packets.patch b/queue-5.1/net-stmmac-re-work-the-queue-selection-for-tso-packets.patch
new file mode 100644
index 00000000000..6e85eb6f387
--- /dev/null
+++ b/queue-5.1/net-stmmac-re-work-the-queue-selection-for-tso-packets.patch
@@ -0,0 +1,81 @@ +From foo@baz Fri 26 Jul 2019 10:52:07 AM CEST +From: Jose Abreu +Date: Mon, 8 Jul 2019 14:26:28 +0200 +Subject: net: stmmac: Re-work the queue selection for TSO packets + +From: Jose Abreu + +[ Upstream commit 4993e5b37e8bcb55ac90f76eb6d2432647273747 ] + +Ben Hutchings says: + "This is the wrong place to change the queue mapping. + stmmac_xmit() is called with a specific TX queue locked, + and accessing a different TX queue results in a data race + for all of that queue's state. + + I think this commit should be reverted upstream and in all + stable branches. Instead, the driver should implement the + ndo_select_queue operation and override the queue mapping there." + +Fixes: c5acdbee22a1 ("net: stmmac: Send TSO packets always from Queue 0") +Suggested-by: Ben Hutchings +Signed-off-by: Jose Abreu +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 29 ++++++++++++++-------- + 1 file changed, 19 insertions(+), 10 deletions(-) + +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +@@ -3058,17 +3058,8 @@ static netdev_tx_t stmmac_xmit(struct sk + + /* Manage oversized TCP frames for GMAC4 device */ + if (skb_is_gso(skb) && priv->tso) { +- if (skb_shinfo(skb)->gso_type & (SKB_GSO_TCPV4 | SKB_GSO_TCPV6)) { +- /* +- * There is no way to determine the number of TSO +- * capable Queues. Let's use always the Queue 0 +- * because if TSO is supported then at least this +- * one will be capable. 
+- */ +- skb_set_queue_mapping(skb, 0); +- ++ if (skb_shinfo(skb)->gso_type & (SKB_GSO_TCPV4 | SKB_GSO_TCPV6)) + return stmmac_tso_xmit(skb, dev); +- } + } + + if (unlikely(stmmac_tx_avail(priv, queue) < nfrags + 1)) { +@@ -3885,6 +3876,23 @@ static int stmmac_setup_tc(struct net_de + } + } + ++static u16 stmmac_select_queue(struct net_device *dev, struct sk_buff *skb, ++ struct net_device *sb_dev, ++ select_queue_fallback_t fallback) ++{ ++ if (skb_shinfo(skb)->gso_type & (SKB_GSO_TCPV4 | SKB_GSO_TCPV6)) { ++ /* ++ * There is no way to determine the number of TSO ++ * capable Queues. Let's use always the Queue 0 ++ * because if TSO is supported then at least this ++ * one will be capable. ++ */ ++ return 0; ++ } ++ ++ return fallback(dev, skb, NULL) % dev->real_num_tx_queues; ++} ++ + static int stmmac_set_mac_address(struct net_device *ndev, void *addr) + { + struct stmmac_priv *priv = netdev_priv(ndev); +@@ -4101,6 +4109,7 @@ static const struct net_device_ops stmma + .ndo_tx_timeout = stmmac_tx_timeout, + .ndo_do_ioctl = stmmac_ioctl, + .ndo_setup_tc = stmmac_setup_tc, ++ .ndo_select_queue = stmmac_select_queue, + #ifdef CONFIG_NET_POLL_CONTROLLER + .ndo_poll_controller = stmmac_poll_controller, + #endif diff --git a/queue-5.1/net-tls-fix-poll-ignoring-partially-copied-records.patch b/queue-5.1/net-tls-fix-poll-ignoring-partially-copied-records.patch new file mode 100644 index 00000000000..ee260fbed93 --- /dev/null +++ b/queue-5.1/net-tls-fix-poll-ignoring-partially-copied-records.patch 
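Review bot: stmmac_select_queue() pins every TCPv4/TCPv6 GSO skb to queue 0 without looking at `priv->tso`, while the transmit path in the first hunk only takes the TSO route when `skb_is_gso(skb) && priv->tso`. If GSO skbs can reach queue selection on a device with TSO disabled, they would all be funnelled onto one queue for no benefit; gating the test as `if (priv->tso && (skb_shinfo(skb)->gso_type & (SKB_GSO_TCPV4 | SKB_GSO_TCPV6)))`, with `priv` taken from `netdev_priv(dev)`, would keep the two decisions consistent. The fallback call also passes `NULL` although the `sb_dev` argument is available. stmmac_xmit continues outside its hunk, so the interaction is inferred from the visible lines only.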
@@ -0,0 +1,42 @@
+From foo@baz Fri 26 Jul 2019 10:52:07 AM CEST
+From: Jakub Kicinski
+Date: Thu, 4 Jul 2019 14:50:36 -0700
+Subject: net/tls: fix poll ignoring partially copied records
+
+From: Jakub Kicinski
+
+[ Upstream commit 13aecb17acabc2a92187d08f7ca93bb8aad62c6f ]
+
+David reports that RPC applications which use epoll() occasionally
+get stuck, and that TLS ULP causes the kernel to not wake applications,
+even though read() will return data.
+
+This is indeed true. The ctx->rx_list which holds partially copied
+records is not consulted when deciding whether socket is readable.
+
+Note that SO_RCVLOWAT with epoll() is and has always been broken for
+kernel TLS. We'd need to parse all records from the TCP layer, instead
+of just the first one.
+
+Fixes: 692d7b5d1f91 ("tls: Fix recvmsg() to be able to peek across multiple records")
+Reported-by: David Beckett
+Signed-off-by: Jakub Kicinski
+Reviewed-by: Dirk van der Merwe
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/tls/tls_sw.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/tls/tls_sw.c
++++ b/net/tls/tls_sw.c
+@@ -1931,7 +1931,8 @@ bool tls_sw_stream_read(const struct soc
+ ingress_empty = list_empty(&psock->ingress_msg);
+ rcu_read_unlock();
+
+- return !ingress_empty || ctx->recv_pkt;
++ return !ingress_empty || ctx->recv_pkt ||
++ !skb_queue_empty(&ctx->rx_list);
+ }
+
+ static int tls_read_size(struct strparser *strp, struct sk_buff *skb)
diff --git a/queue-5.1/net-tls-make-sure-offload-also-gets-the-keys-wiped.patch b/queue-5.1/net-tls-make-sure-offload-also-gets-the-keys-wiped.patch
new file mode 100644
index 00000000000..3d20d075557
--- /dev/null
+++ b/queue-5.1/net-tls-make-sure-offload-also-gets-the-keys-wiped.patch
@@ -0,0 +1,66 @@ +From foo@baz Fri 26 Jul 2019 10:52:07 AM CEST +From: Jakub Kicinski +Date: Fri, 28 Jun 2019 16:11:39 -0700 +Subject: net/tls: make sure offload also gets the keys wiped + +From: Jakub Kicinski + +[ Upstream commit acd3e96d53a24d219f720ed4012b62723ae05da1 ] + +Commit 86029d10af18 ("tls: zero the crypto information from tls_context +before freeing") added memzero_explicit() calls to clear the key material +before freeing struct tls_context, but it missed tls_device.c has its +own way of freeing this structure. Replace the missing free. + +Fixes: 86029d10af18 ("tls: zero the crypto information from tls_context before freeing") +Signed-off-by: Jakub Kicinski +Reviewed-by: Dirk van der Merwe +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/net/tls.h | 1 + + net/tls/tls_device.c | 2 +- + net/tls/tls_main.c | 4 ++-- + 3 files changed, 4 insertions(+), 3 deletions(-) + +--- a/include/net/tls.h ++++ b/include/net/tls.h +@@ -285,6 +285,7 @@ struct tls_offload_context_rx { + (ALIGN(sizeof(struct tls_offload_context_rx), sizeof(void *)) + \ + TLS_DRIVER_STATE_SIZE) + ++void tls_ctx_free(struct tls_context *ctx); + int wait_on_pending_writer(struct sock *sk, long *timeo); + int tls_sk_query(struct sock *sk, int optname, char __user *optval, + int __user *optlen); +--- a/net/tls/tls_device.c ++++ b/net/tls/tls_device.c +@@ -61,7 +61,7 @@ static void tls_device_free_ctx(struct t + if (ctx->rx_conf == TLS_HW) + kfree(tls_offload_ctx_rx(ctx)); + +- kfree(ctx); ++ tls_ctx_free(ctx); + } + + static void tls_device_gc_task(struct work_struct *work) +--- a/net/tls/tls_main.c ++++ b/net/tls/tls_main.c +@@ -251,7 +251,7 @@ static void tls_write_space(struct sock + ctx->sk_write_space(sk); + } + +-static void tls_ctx_free(struct tls_context *ctx) ++void tls_ctx_free(struct tls_context *ctx) + { + if (!ctx) + return; +@@ -638,7 +638,7 @@ static void tls_hw_sk_destruct(struct so + + ctx->sk_destruct(sk); + /* Free ctx */ +- kfree(ctx); ++ 
tls_ctx_free(ctx); + icsk->icsk_ulp_data = NULL; + } + diff --git a/queue-5.1/net-tls-reject-offload-of-tls-1.3.patch b/queue-5.1/net-tls-reject-offload-of-tls-1.3.patch new file mode 100644 index 00000000000..bdc767949a7 --- /dev/null +++ b/queue-5.1/net-tls-reject-offload-of-tls-1.3.patch @@ -0,0 +1,46 @@ +From foo@baz Fri 26 Jul 2019 10:52:07 AM CEST +From: Jakub Kicinski +Date: Fri, 28 Jun 2019 16:07:59 -0700 +Subject: net/tls: reject offload of TLS 1.3 + +From: Jakub Kicinski + +[ Upstream commit 618bac45937a3dc6126ac0652747481e97000f99 ] + +Neither drivers nor the tls offload code currently supports TLS +version 1.3. Check the TLS version when installing connection +state. TLS 1.3 will just fallback to the kernel crypto for now. + +Fixes: 130b392c6cd6 ("net: tls: Add tls 1.3 support") +Signed-off-by: Jakub Kicinski +Reviewed-by: Dirk van der Merwe +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/tls/tls_device.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/net/tls/tls_device.c ++++ b/net/tls/tls_device.c +@@ -746,6 +746,11 @@ int tls_set_device_offload(struct sock * + } + + crypto_info = &ctx->crypto_send.info; ++ if (crypto_info->version != TLS_1_2_VERSION) { ++ rc = -EOPNOTSUPP; ++ goto free_offload_ctx; ++ } ++ + switch (crypto_info->cipher_type) { + case TLS_CIPHER_AES_GCM_128: + nonce_size = TLS_CIPHER_AES_GCM_128_IV_SIZE; +@@ -880,6 +885,9 @@ int tls_set_device_offload_rx(struct soc + struct net_device *netdev; + int rc = 0; + ++ if (ctx->crypto_recv.info.version != TLS_1_2_VERSION) ++ return -EOPNOTSUPP; ++ + /* We support starting offload on multiple sockets + * concurrently, so we only need a read lock here. + * This lock must precede get_netdev_for_sock to prevent races between diff --git a/queue-5.1/net_sched-unset-tcq_f_can_bypass-when-adding-filters.patch b/queue-5.1/net_sched-unset-tcq_f_can_bypass-when-adding-filters.patch new file mode 100644 index 00000000000..dd0eae2fd7e --- /dev/null 
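Review bot: The prototype `void tls_ctx_free(struct tls_context *ctx);` added to include/net/tls.h carries no comment, although the reason for exposing it is that it wipes key material before freeing, per the commit message. A comment such as `/* Zeroes the crypto state, then frees ctx; never kfree() a tls_context directly */` on the declaration would keep the next free path from repeating the bug fixed here in tls_device_free_ctx() and tls_hw_sk_destruct(). Only the NULL check of tls_ctx_free() is inside the hunk, so what exactly gets wiped is not visible. Whether the offload contexts released through `kfree(tls_offload_ctx_rx(ctx))` hold anything sensitive is not visible either and is worth confirming.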
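Review bot: In tls_set_device_offload() the version test sits after the offload context has been allocated, which is why it needs `goto free_offload_ctx`, while tls_set_device_offload_rx() rejects before doing any work. The TX test reads only `ctx->crypto_send.info`, so it could move to the top of the function as `if (ctx->crypto_send.info.version != TLS_1_2_VERSION) return -EOPNOTSUPP;` and match the RX side. Both functions start outside the hunk, so this assumes nothing earlier in the TX path needs unwinding. Comparing against TLS_1_2_VERSION rather than rejecting 1.3 by name is the right shape, since any later version also fails closed.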
+++ b/queue-5.1/net_sched-unset-tcq_f_can_bypass-when-adding-filters.patch 
@@ -0,0 +1,77 @@ +From foo@baz Fri 26 Jul 2019 10:52:07 AM CEST +From: Cong Wang +Date: Tue, 16 Jul 2019 13:57:30 -0700 +Subject: net_sched: unset TCQ_F_CAN_BYPASS when adding filters + +From: Cong Wang + +[ Upstream commit 3f05e6886a595c9a29a309c52f45326be917823c ] + +For qdisc's that support TC filters and set TCQ_F_CAN_BYPASS, +notably fq_codel, it makes no sense to let packets bypass the TC +filters we setup in any scenario, otherwise our packets steering +policy could not be enforced. + +This can be reproduced easily with the following script: + + ip li add dev dummy0 type dummy + ifconfig dummy0 up + tc qd add dev dummy0 root fq_codel + tc filter add dev dummy0 parent 8001: protocol arp basic action mirred egress redirect dev lo + tc filter add dev dummy0 parent 8001: protocol ip basic action mirred egress redirect dev lo + ping -I dummy0 192.168.112.1 + +Without this patch, packets are sent directly to dummy0 without +hitting any of the filters. With this patch, packets are redirected +to loopback as expected. + +This fix is not perfect, it only unsets the flag but does not set it back +because we have to save the information somewhere in the qdisc if we +really want that. Note, both fq_codel and sfq clear this flag in their +->bind_tcf() but this is clearly not sufficient when we don't use any +class ID. + +Fixes: 23624935e0c4 ("net_sched: TCQ_F_CAN_BYPASS generalization") +Cc: Eric Dumazet +Signed-off-by: Cong Wang +Reviewed-by: Eric Dumazet +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/sched/cls_api.c | 1 + + net/sched/sch_fq_codel.c | 2 -- + net/sched/sch_sfq.c | 2 -- + 3 files changed, 1 insertion(+), 4 deletions(-) + +--- a/net/sched/cls_api.c ++++ b/net/sched/cls_api.c +@@ -2162,6 +2162,7 @@ replay: + tfilter_notify(net, skb, n, tp, block, q, parent, fh, + RTM_NEWTFILTER, false, rtnl_held); + tfilter_put(tp, fh); ++ q->flags &= ~TCQ_F_CAN_BYPASS; + } + + errout: +--- a/net/sched/sch_fq_codel.c ++++ b/net/sched/sch_fq_codel.c +@@ -600,8 +600,6 @@ static unsigned long fq_codel_find(struc + static unsigned long fq_codel_bind(struct Qdisc *sch, unsigned long parent, + u32 classid) + { +- /* we cannot bypass queue discipline anymore */ +- sch->flags &= ~TCQ_F_CAN_BYPASS; + return 0; + } + +--- a/net/sched/sch_sfq.c ++++ b/net/sched/sch_sfq.c +@@ -828,8 +828,6 @@ static unsigned long sfq_find(struct Qdi + static unsigned long sfq_bind(struct Qdisc *sch, unsigned long parent, + u32 classid) + { +- /* we cannot bypass queue discipline anymore */ +- sch->flags &= ~TCQ_F_CAN_BYPASS; + return 0; + } + diff --git a/queue-5.1/netrom-fix-a-memory-leak-in-nr_rx_frame.patch b/queue-5.1/netrom-fix-a-memory-leak-in-nr_rx_frame.patch new file mode 100644 index 00000000000..1f95b1310e9 --- /dev/null +++ b/queue-5.1/netrom-fix-a-memory-leak-in-nr_rx_frame.patch 
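Review bot: `q->flags &= ~TCQ_F_CAN_BYPASS;` in the filter-add success path of cls_api.c dereferences q unconditionally. The function starts outside the hunk, but as far as I can tell q is NULL when the filter is attached to a shared block rather than to a qdisc, and in that case this line would oops. Guard it with `if (q) q->flags &= ~TCQ_F_CAN_BYPASS;`. The commit message already notes that the flag is never set back once filters are removed.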
@@ -0,0 +1,40 @@
+From foo@baz Fri 26 Jul 2019 10:52:07 AM CEST
+From: Cong Wang
+Date: Thu, 27 Jun 2019 14:30:58 -0700
+Subject: netrom: fix a memory leak in nr_rx_frame()
+
+From: Cong Wang
+
+[ Upstream commit c8c8218ec5af5d2598381883acbefbf604e56b5e ]
+
+When the skb is associated with a new sock, just assigning
+it to skb->sk is not sufficient, we have to set its destructor
+to free the sock properly too.
+
+Reported-by: syzbot+d6636a36d3c34bd88938@syzkaller.appspotmail.com
+Signed-off-by: Cong Wang
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/netrom/af_netrom.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/netrom/af_netrom.c
++++ b/net/netrom/af_netrom.c
+@@ -872,7 +872,7 @@ int nr_rx_frame(struct sk_buff *skb, str
+ unsigned short frametype, flags, window, timeout;
+ int ret;
+
+- skb->sk = NULL; /* Initially we don't know who it's for */
++ skb_orphan(skb);
+
+ /*
+ * skb->data points to the netrom frame start
+@@ -971,6 +971,7 @@ int nr_rx_frame(struct sk_buff *skb, str
+ window = skb->data[20];
+
+ skb->sk = make;
++ skb->destructor = sock_efree;
+ make->sk_state = TCP_ESTABLISHED;
+
+ /* Fill in his circuit details */
diff --git a/queue-5.1/netrom-hold-sock-when-setting-skb-destructor.patch b/queue-5.1/netrom-hold-sock-when-setting-skb-destructor.patch
new file mode 100644
index 00000000000..22ce9c15e45
--- /dev/null
+++ b/queue-5.1/netrom-hold-sock-when-setting-skb-destructor.patch
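Review bot: `skb->destructor = sock_efree;` is set right after `skb->sk = make;` without taking a reference on make. According to the description of netrom-hold-sock-when-setting-skb-destructor.patch further down this page, sock_efree() releases a sock reference, so this patch on its own leaves the refcount unbalanced. The queue does carry that follow-up, which adds `sock_hold(make);` before the assignment, and the two must stay together in any backport that picks this one. nr_rx_frame() starts and ends outside both hunks.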
@@ -0,0 +1,39 @@
+From foo@baz Fri 26 Jul 2019 10:52:07 AM CEST
+From: Cong Wang
+Date: Mon, 22 Jul 2019 20:41:22 -0700
+Subject: netrom: hold sock when setting skb->destructor
+
+From: Cong Wang
+
+[ Upstream commit 4638faac032756f7eab5524be7be56bee77e426b ]
+
+sock_efree() releases the sock refcnt, if we don't hold this refcnt
+when setting skb->destructor to it, the refcnt would not be balanced.
+This leads to several bug reports from syzbot.
+
+I have checked other users of sock_efree(), all of them hold the
+sock refcnt.
+
+Fixes: c8c8218ec5af ("netrom: fix a memory leak in nr_rx_frame()")
+Reported-and-tested-by:
+Reported-and-tested-by:
+Reported-and-tested-by:
+Reported-and-tested-by:
+Cc: Ralf Baechle
+Signed-off-by: Cong Wang
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/netrom/af_netrom.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/netrom/af_netrom.c
++++ b/net/netrom/af_netrom.c
+@@ -970,6 +970,7 @@ int nr_rx_frame(struct sk_buff *skb, str
+
+ window = skb->data[20];
+
++ sock_hold(make);
+ skb->sk = make;
+ skb->destructor = sock_efree;
+ make->sk_state = TCP_ESTABLISHED;
diff --git a/queue-5.1/nfc-fix-potential-illegal-memory-access.patch b/queue-5.1/nfc-fix-potential-illegal-memory-access.patch
new file mode 100644
index 00000000000..e6dbb7006f8
--- /dev/null
+++ b/queue-5.1/nfc-fix-potential-illegal-memory-access.patch
@@ -0,0 +1,31 @@
+From foo@baz Fri 26 Jul 2019 10:52:07 AM CEST
+From: Yang Wei
+Date: Mon, 8 Jul 2019 22:57:39 +0800
+Subject: nfc: fix potential illegal memory access
+
+From: Yang Wei
+
+[ Upstream commit dd006fc434e107ef90f7de0db9907cbc1c521645 ]
+
+The frags_q is not properly initialized, it may result in illegal memory
+access when conn_info is NULL.
+The "goto free_exit" should be replaced by "goto exit".
+
+Signed-off-by: Yang Wei
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/nfc/nci/data.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/nfc/nci/data.c
++++ b/net/nfc/nci/data.c
+@@ -119,7 +119,7 @@ static int nci_queue_tx_data_frags(struc
+ conn_info = nci_get_conn_info_by_conn_id(ndev, conn_id);
+ if (!conn_info) {
+ rc = -EPROTO;
+- goto free_exit;
++ goto exit;
+ }
+
+ __skb_queue_head_init(&frags_q);
diff --git a/queue-5.1/r8169-fix-issue-with-confused-rx-unit-after-phy-power-down-on-rtl8411b.patch b/queue-5.1/r8169-fix-issue-with-confused-rx-unit-after-phy-power-down-on-rtl8411b.patch
new file mode 100644
index 00000000000..9406051ba92
--- /dev/null
+++ b/queue-5.1/r8169-fix-issue-with-confused-rx-unit-after-phy-power-down-on-rtl8411b.patch
@@ -0,0 +1,173 @@ +From foo@baz Fri 26 Jul 2019 10:52:07 AM CEST +From: Heiner Kallweit +Date: Sat, 13 Jul 2019 13:45:47 +0200 +Subject: r8169: fix issue with confused RX unit after PHY power-down on RTL8411b + +From: Heiner Kallweit + +[ Upstream commit fe4e8db0392a6c2e795eb89ef5fcd86522e66248 ] + +On RTL8411b the RX unit gets confused if the PHY is powered-down. +This was reported in [0] and confirmed by Realtek. Realtek provided +a sequence to fix the RX unit after PHY wakeup. + +The issue itself seems to have been there longer, the Fixes tag +refers to where the fix applies properly. + +[0] https://bugzilla.redhat.com/show_bug.cgi?id=1692075 + +Fixes: a99790bf5c7f ("r8169: Reinstate ASPM Support") +Tested-by: Ionut Radu +Signed-off-by: Heiner Kallweit +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/realtek/r8169.c | 137 +++++++++++++++++++++++++++++++++++ + 1 file changed, 137 insertions(+) + +--- a/drivers/net/ethernet/realtek/r8169.c ++++ b/drivers/net/ethernet/realtek/r8169.c +@@ -5241,6 +5241,143 @@ static void rtl_hw_start_8411_2(struct r + /* disable aspm and clock request before access ephy */ + rtl_hw_aspm_clkreq_enable(tp, false); + rtl_ephy_init(tp, e_info_8411_2, ARRAY_SIZE(e_info_8411_2)); ++ ++ /* The following Realtek-provided magic fixes an issue with the RX unit ++ * getting confused after the PHY having been powered-down. 
++ */ ++ r8168_mac_ocp_write(tp, 0xFC28, 0x0000); ++ r8168_mac_ocp_write(tp, 0xFC2A, 0x0000); ++ r8168_mac_ocp_write(tp, 0xFC2C, 0x0000); ++ r8168_mac_ocp_write(tp, 0xFC2E, 0x0000); ++ r8168_mac_ocp_write(tp, 0xFC30, 0x0000); ++ r8168_mac_ocp_write(tp, 0xFC32, 0x0000); ++ r8168_mac_ocp_write(tp, 0xFC34, 0x0000); ++ r8168_mac_ocp_write(tp, 0xFC36, 0x0000); ++ mdelay(3); ++ r8168_mac_ocp_write(tp, 0xFC26, 0x0000); ++ ++ r8168_mac_ocp_write(tp, 0xF800, 0xE008); ++ r8168_mac_ocp_write(tp, 0xF802, 0xE00A); ++ r8168_mac_ocp_write(tp, 0xF804, 0xE00C); ++ r8168_mac_ocp_write(tp, 0xF806, 0xE00E); ++ r8168_mac_ocp_write(tp, 0xF808, 0xE027); ++ r8168_mac_ocp_write(tp, 0xF80A, 0xE04F); ++ r8168_mac_ocp_write(tp, 0xF80C, 0xE05E); ++ r8168_mac_ocp_write(tp, 0xF80E, 0xE065); ++ r8168_mac_ocp_write(tp, 0xF810, 0xC602); ++ r8168_mac_ocp_write(tp, 0xF812, 0xBE00); ++ r8168_mac_ocp_write(tp, 0xF814, 0x0000); ++ r8168_mac_ocp_write(tp, 0xF816, 0xC502); ++ r8168_mac_ocp_write(tp, 0xF818, 0xBD00); ++ r8168_mac_ocp_write(tp, 0xF81A, 0x074C); ++ r8168_mac_ocp_write(tp, 0xF81C, 0xC302); ++ r8168_mac_ocp_write(tp, 0xF81E, 0xBB00); ++ r8168_mac_ocp_write(tp, 0xF820, 0x080A); ++ r8168_mac_ocp_write(tp, 0xF822, 0x6420); ++ r8168_mac_ocp_write(tp, 0xF824, 0x48C2); ++ r8168_mac_ocp_write(tp, 0xF826, 0x8C20); ++ r8168_mac_ocp_write(tp, 0xF828, 0xC516); ++ r8168_mac_ocp_write(tp, 0xF82A, 0x64A4); ++ r8168_mac_ocp_write(tp, 0xF82C, 0x49C0); ++ r8168_mac_ocp_write(tp, 0xF82E, 0xF009); ++ r8168_mac_ocp_write(tp, 0xF830, 0x74A2); ++ r8168_mac_ocp_write(tp, 0xF832, 0x8CA5); ++ r8168_mac_ocp_write(tp, 0xF834, 0x74A0); ++ r8168_mac_ocp_write(tp, 0xF836, 0xC50E); ++ r8168_mac_ocp_write(tp, 0xF838, 0x9CA2); ++ r8168_mac_ocp_write(tp, 0xF83A, 0x1C11); ++ r8168_mac_ocp_write(tp, 0xF83C, 0x9CA0); ++ r8168_mac_ocp_write(tp, 0xF83E, 0xE006); ++ r8168_mac_ocp_write(tp, 0xF840, 0x74F8); ++ r8168_mac_ocp_write(tp, 0xF842, 0x48C4); ++ r8168_mac_ocp_write(tp, 0xF844, 0x8CF8); ++ r8168_mac_ocp_write(tp, 0xF846, 
0xC404); ++ r8168_mac_ocp_write(tp, 0xF848, 0xBC00); ++ r8168_mac_ocp_write(tp, 0xF84A, 0xC403); ++ r8168_mac_ocp_write(tp, 0xF84C, 0xBC00); ++ r8168_mac_ocp_write(tp, 0xF84E, 0x0BF2); ++ r8168_mac_ocp_write(tp, 0xF850, 0x0C0A); ++ r8168_mac_ocp_write(tp, 0xF852, 0xE434); ++ r8168_mac_ocp_write(tp, 0xF854, 0xD3C0); ++ r8168_mac_ocp_write(tp, 0xF856, 0x49D9); ++ r8168_mac_ocp_write(tp, 0xF858, 0xF01F); ++ r8168_mac_ocp_write(tp, 0xF85A, 0xC526); ++ r8168_mac_ocp_write(tp, 0xF85C, 0x64A5); ++ r8168_mac_ocp_write(tp, 0xF85E, 0x1400); ++ r8168_mac_ocp_write(tp, 0xF860, 0xF007); ++ r8168_mac_ocp_write(tp, 0xF862, 0x0C01); ++ r8168_mac_ocp_write(tp, 0xF864, 0x8CA5); ++ r8168_mac_ocp_write(tp, 0xF866, 0x1C15); ++ r8168_mac_ocp_write(tp, 0xF868, 0xC51B); ++ r8168_mac_ocp_write(tp, 0xF86A, 0x9CA0); ++ r8168_mac_ocp_write(tp, 0xF86C, 0xE013); ++ r8168_mac_ocp_write(tp, 0xF86E, 0xC519); ++ r8168_mac_ocp_write(tp, 0xF870, 0x74A0); ++ r8168_mac_ocp_write(tp, 0xF872, 0x48C4); ++ r8168_mac_ocp_write(tp, 0xF874, 0x8CA0); ++ r8168_mac_ocp_write(tp, 0xF876, 0xC516); ++ r8168_mac_ocp_write(tp, 0xF878, 0x74A4); ++ r8168_mac_ocp_write(tp, 0xF87A, 0x48C8); ++ r8168_mac_ocp_write(tp, 0xF87C, 0x48CA); ++ r8168_mac_ocp_write(tp, 0xF87E, 0x9CA4); ++ r8168_mac_ocp_write(tp, 0xF880, 0xC512); ++ r8168_mac_ocp_write(tp, 0xF882, 0x1B00); ++ r8168_mac_ocp_write(tp, 0xF884, 0x9BA0); ++ r8168_mac_ocp_write(tp, 0xF886, 0x1B1C); ++ r8168_mac_ocp_write(tp, 0xF888, 0x483F); ++ r8168_mac_ocp_write(tp, 0xF88A, 0x9BA2); ++ r8168_mac_ocp_write(tp, 0xF88C, 0x1B04); ++ r8168_mac_ocp_write(tp, 0xF88E, 0xC508); ++ r8168_mac_ocp_write(tp, 0xF890, 0x9BA0); ++ r8168_mac_ocp_write(tp, 0xF892, 0xC505); ++ r8168_mac_ocp_write(tp, 0xF894, 0xBD00); ++ r8168_mac_ocp_write(tp, 0xF896, 0xC502); ++ r8168_mac_ocp_write(tp, 0xF898, 0xBD00); ++ r8168_mac_ocp_write(tp, 0xF89A, 0x0300); ++ r8168_mac_ocp_write(tp, 0xF89C, 0x051E); ++ r8168_mac_ocp_write(tp, 0xF89E, 0xE434); ++ r8168_mac_ocp_write(tp, 0xF8A0, 0xE018); ++ 
r8168_mac_ocp_write(tp, 0xF8A2, 0xE092); ++ r8168_mac_ocp_write(tp, 0xF8A4, 0xDE20); ++ r8168_mac_ocp_write(tp, 0xF8A6, 0xD3C0); ++ r8168_mac_ocp_write(tp, 0xF8A8, 0xC50F); ++ r8168_mac_ocp_write(tp, 0xF8AA, 0x76A4); ++ r8168_mac_ocp_write(tp, 0xF8AC, 0x49E3); ++ r8168_mac_ocp_write(tp, 0xF8AE, 0xF007); ++ r8168_mac_ocp_write(tp, 0xF8B0, 0x49C0); ++ r8168_mac_ocp_write(tp, 0xF8B2, 0xF103); ++ r8168_mac_ocp_write(tp, 0xF8B4, 0xC607); ++ r8168_mac_ocp_write(tp, 0xF8B6, 0xBE00); ++ r8168_mac_ocp_write(tp, 0xF8B8, 0xC606); ++ r8168_mac_ocp_write(tp, 0xF8BA, 0xBE00); ++ r8168_mac_ocp_write(tp, 0xF8BC, 0xC602); ++ r8168_mac_ocp_write(tp, 0xF8BE, 0xBE00); ++ r8168_mac_ocp_write(tp, 0xF8C0, 0x0C4C); ++ r8168_mac_ocp_write(tp, 0xF8C2, 0x0C28); ++ r8168_mac_ocp_write(tp, 0xF8C4, 0x0C2C); ++ r8168_mac_ocp_write(tp, 0xF8C6, 0xDC00); ++ r8168_mac_ocp_write(tp, 0xF8C8, 0xC707); ++ r8168_mac_ocp_write(tp, 0xF8CA, 0x1D00); ++ r8168_mac_ocp_write(tp, 0xF8CC, 0x8DE2); ++ r8168_mac_ocp_write(tp, 0xF8CE, 0x48C1); ++ r8168_mac_ocp_write(tp, 0xF8D0, 0xC502); ++ r8168_mac_ocp_write(tp, 0xF8D2, 0xBD00); ++ r8168_mac_ocp_write(tp, 0xF8D4, 0x00AA); ++ r8168_mac_ocp_write(tp, 0xF8D6, 0xE0C0); ++ r8168_mac_ocp_write(tp, 0xF8D8, 0xC502); ++ r8168_mac_ocp_write(tp, 0xF8DA, 0xBD00); ++ r8168_mac_ocp_write(tp, 0xF8DC, 0x0132); ++ ++ r8168_mac_ocp_write(tp, 0xFC26, 0x8000); ++ ++ r8168_mac_ocp_write(tp, 0xFC2A, 0x0743); ++ r8168_mac_ocp_write(tp, 0xFC2C, 0x0801); ++ r8168_mac_ocp_write(tp, 0xFC2E, 0x0BE9); ++ r8168_mac_ocp_write(tp, 0xFC30, 0x02FD); ++ r8168_mac_ocp_write(tp, 0xFC32, 0x0C25); ++ r8168_mac_ocp_write(tp, 0xFC34, 0x00A9); ++ r8168_mac_ocp_write(tp, 0xFC36, 0x012D); ++ + rtl_hw_aspm_clkreq_enable(tp, true); + } + diff --git a/queue-5.1/rxrpc-fix-send-on-a-connected-but-unbound-socket.patch b/queue-5.1/rxrpc-fix-send-on-a-connected-but-unbound-socket.patch new file mode 100644 index 00000000000..8d2fb0f2537 --- /dev/null 
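Review bot: The more than one hundred back-to-back `r8168_mac_ocp_write()` calls added to rtl_hw_start_8411_2() are opaque vendor data written as code, which makes the sequence hard to audit against what Realtek supplied. The 0xF800 to 0xF8DC writes appear to target consecutive 16-bit registers, so the values could live in a `static const u16` table walked by a loop (with a local index), leaving only the 0xFC26 to 0xFC36 control writes explicit. A comment recording where the values came from would also help anyone verifying them later. The function starts outside the hunk, so whether `mdelay(3)` could be a sleeping delay in this context cannot be told from here.

```c
static const u16 rtl8411b_rx_fix[] = {
	0xE008, 0xE00A, 0xE00C, 0xE00E, 0xE027, 0xE04F, 0xE05E, 0xE065,
	/* … unchanged: remaining values for 0xF810–0xF8DC, in hunk order … */
};

	/* … unchanged: 0xFC28–0xFC36 cleared, mdelay(3), 0xFC26 cleared … */
	for (i = 0; i < ARRAY_SIZE(rtl8411b_rx_fix); i++)
		r8168_mac_ocp_write(tp, 0xF800 + 2 * i, rtl8411b_rx_fix[i]);
	/* … unchanged: 0xFC26 = 0x8000 and the 0xFC2A–0xFC36 writes … */
```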
+++ b/queue-5.1/rxrpc-fix-send-on-a-connected-but-unbound-socket.patch 
@@ -0,0 +1,125 @@ +From foo@baz Fri 26 Jul 2019 10:52:07 AM CEST +From: David Howells +Date: Tue, 2 Jul 2019 15:59:12 +0100 +Subject: rxrpc: Fix send on a connected, but unbound socket + +From: David Howells + +[ Upstream commit e835ada07091f40dcfb1bc735082bd0a7c005e59 ] + +If sendmsg() or sendmmsg() is called on a connected socket that hasn't had +bind() called on it, then an oops will occur when the kernel tries to +connect the call because no local endpoint has been allocated. + +Fix this by implicitly binding the socket if it is in the +RXRPC_CLIENT_UNBOUND state, just like it does for the RXRPC_UNBOUND state. + +Further, the state should be transitioned to RXRPC_CLIENT_BOUND after this +to prevent further attempts to bind it. + +This can be tested with: + + #include + #include + #include + #include + #include + #include + static const unsigned char inet6_addr[16] = { + 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, -1, -1, 0xac, 0x14, 0x14, 0xaa + }; + int main(void) + { + struct sockaddr_rxrpc srx; + struct cmsghdr *cm; + struct msghdr msg; + unsigned char control[16]; + int fd; + memset(&srx, 0, sizeof(srx)); + srx.srx_family = 0x21; + srx.srx_service = 0; + srx.transport_type = AF_INET; + srx.transport_len = 0x1c; + srx.transport.sin6.sin6_family = AF_INET6; + srx.transport.sin6.sin6_port = htons(0x4e22); + srx.transport.sin6.sin6_flowinfo = htons(0x4e22); + srx.transport.sin6.sin6_scope_id = htons(0xaa3b); + memcpy(&srx.transport.sin6.sin6_addr, inet6_addr, 16); + cm = (struct cmsghdr *)control; + cm->cmsg_len = CMSG_LEN(sizeof(unsigned long)); + cm->cmsg_level = SOL_RXRPC; + cm->cmsg_type = RXRPC_USER_CALL_ID; + *(unsigned long *)CMSG_DATA(cm) = 0; + msg.msg_name = NULL; + msg.msg_namelen = 0; + msg.msg_iov = NULL; + msg.msg_iovlen = 0; + msg.msg_control = control; + msg.msg_controllen = cm->cmsg_len; + msg.msg_flags = 0; + fd = socket(AF_RXRPC, SOCK_DGRAM, AF_INET); + connect(fd, (struct sockaddr *)&srx, sizeof(srx)); + sendmsg(fd, &msg, 0); + return 0; + } + +Leading to 
the following oops: + + BUG: kernel NULL pointer dereference, address: 0000000000000018 + #PF: supervisor read access in kernel mode + #PF: error_code(0x0000) - not-present page + ... + RIP: 0010:rxrpc_connect_call+0x42/0xa01 + ... + Call Trace: + ? mark_held_locks+0x47/0x59 + ? __local_bh_enable_ip+0xb6/0xba + rxrpc_new_client_call+0x3b1/0x762 + ? rxrpc_do_sendmsg+0x3c0/0x92e + rxrpc_do_sendmsg+0x3c0/0x92e + rxrpc_sendmsg+0x16b/0x1b5 + sock_sendmsg+0x2d/0x39 + ___sys_sendmsg+0x1a4/0x22a + ? release_sock+0x19/0x9e + ? reacquire_held_locks+0x136/0x160 + ? release_sock+0x19/0x9e + ? find_held_lock+0x2b/0x6e + ? __lock_acquire+0x268/0xf73 + ? rxrpc_connect+0xdd/0xe4 + ? __local_bh_enable_ip+0xb6/0xba + __sys_sendmsg+0x5e/0x94 + do_syscall_64+0x7d/0x1bf + entry_SYSCALL_64_after_hwframe+0x49/0xbe + +Fixes: 2341e0775747 ("rxrpc: Simplify connect() implementation and simplify sendmsg() op") +Reported-by: syzbot+7966f2a0b2c7da8939b4@syzkaller.appspotmail.com +Signed-off-by: David Howells +Reviewed-by: Marc Dionne +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/rxrpc/af_rxrpc.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/net/rxrpc/af_rxrpc.c ++++ b/net/rxrpc/af_rxrpc.c +@@ -521,6 +521,7 @@ static int rxrpc_sendmsg(struct socket * + + switch (rx->sk.sk_state) { + case RXRPC_UNBOUND: ++ case RXRPC_CLIENT_UNBOUND: + rx->srx.srx_family = AF_RXRPC; + rx->srx.srx_service = 0; + rx->srx.transport_type = SOCK_DGRAM; +@@ -545,10 +546,9 @@ static int rxrpc_sendmsg(struct socket * + } + + rx->local = local; +- rx->sk.sk_state = RXRPC_CLIENT_UNBOUND; ++ rx->sk.sk_state = RXRPC_CLIENT_BOUND; + /* Fall through */ + +- case RXRPC_CLIENT_UNBOUND: + case RXRPC_CLIENT_BOUND: + if (!m->msg_name && + test_bit(RXRPC_SOCK_CONNECTED, &rx->flags)) { 
diff --git a/queue-5.1/sctp-fix-error-handling-on-stream-scheduler-initialization.patch b/queue-5.1/sctp-fix-error-handling-on-stream-scheduler-initialization.patch
new file mode 100644
index 00000000000..845aa2b6724
--- /dev/null
+++ b/queue-5.1/sctp-fix-error-handling-on-stream-scheduler-initialization.patch
@@ -0,0 +1,60 @@ +From foo@baz Fri 26 Jul 2019 10:52:07 AM CEST +From: Marcelo Ricardo Leitner +Date: Thu, 27 Jun 2019 19:48:10 -0300 +Subject: sctp: fix error handling on stream scheduler initialization + +From: Marcelo Ricardo Leitner + +[ Upstream commit 4d1415811e492d9a8238f8a92dd0d51612c788e9 ] + +It allocates the extended area for outbound streams only on sendmsg +calls, if they are not yet allocated. When using the priority +stream scheduler, this initialization may imply into a subsequent +allocation, which may fail. In this case, it was aborting the stream +scheduler initialization but leaving the ->ext pointer (allocated) in +there, thus in a partially initialized state. On a subsequent call to +sendmsg, it would notice the ->ext pointer in there, and trip on +uninitialized stuff when trying to schedule the data chunk. + +The fix is undo the ->ext initialization if the stream scheduler +initialization fails and avoid the partially initialized state. + +Although syzkaller bisected this to commit 4ff40b86262b ("sctp: set +chunk transport correctly when it's a new asoc"), this bug was actually +introduced on the commit I marked below. + +Reported-by: syzbot+c1a380d42b190ad1e559@syzkaller.appspotmail.com +Fixes: 5bbbbe32a431 ("sctp: introduce stream scheduler foundations") +Tested-by: Xin Long +Signed-off-by: Marcelo Ricardo Leitner +Acked-by: Neil Horman +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/sctp/stream.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +--- a/net/sctp/stream.c ++++ b/net/sctp/stream.c +@@ -168,13 +168,20 @@ out: + int sctp_stream_init_ext(struct sctp_stream *stream, __u16 sid) + { + struct sctp_stream_out_ext *soute; ++ int ret; + + soute = kzalloc(sizeof(*soute), GFP_KERNEL); + if (!soute) + return -ENOMEM; + SCTP_SO(stream, sid)->ext = soute; + +- return sctp_sched_init_sid(stream, sid, GFP_KERNEL); ++ ret = sctp_sched_init_sid(stream, sid, GFP_KERNEL); ++ if (ret) { ++ kfree(SCTP_SO(stream, sid)->ext); ++ SCTP_SO(stream, sid)->ext = NULL; ++ } ++ ++ return ret; + } + + void sctp_stream_free(struct sctp_stream *stream) diff --git a/queue-5.1/sctp-not-bind-the-socket-in-sctp_connect.patch b/queue-5.1/sctp-not-bind-the-socket-in-sctp_connect.patch new file mode 100644 index 00000000000..70aea8529c9 --- /dev/null +++ b/queue-5.1/sctp-not-bind-the-socket-in-sctp_connect.patch 
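Review bot: The new error path in sctp_stream_init_ext() goes back through `SCTP_SO(stream, sid)->ext` to free what the local `soute` already points to. `kfree(soute);` followed by `SCTP_SO(stream, sid)->ext = NULL;` reads more directly and makes it obvious that the allocation made a few lines up is the one being undone, assuming sctp_sched_init_sid() does not replace ->ext on failure (its body is not on this page). A short comment such as `/* don't leave a half-initialised ->ext for the next sendmsg() */` would record why the pointer has to be cleared.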
@@ -0,0 +1,72 @@ +From foo@baz Fri 26 Jul 2019 10:52:07 AM CEST +From: Xin Long +Date: Wed, 26 Jun 2019 16:31:39 +0800 +Subject: sctp: not bind the socket in sctp_connect + +From: Xin Long + +[ Upstream commit 9b6c08878e23adb7cc84bdca94d8a944b03f099e ] + +Now when sctp_connect() is called with a wrong sa_family, it binds +to a port but doesn't set bp->port, then sctp_get_af_specific will +return NULL and sctp_connect() returns -EINVAL. + +Then if sctp_bind() is called to bind to another port, the last +port it has bound will leak due to bp->port is NULL by then. + +sctp_connect() doesn't need to bind ports, as later __sctp_connect +will do it if bp->port is NULL. So remove it from sctp_connect(). +While at it, remove the unnecessary sockaddr.sa_family len check +as it's already done in sctp_inet_connect. + +Fixes: 644fbdeacf1d ("sctp: fix the issue that flags are ignored when using kernel_connect") +Reported-by: syzbot+079bf326b38072f849d9@syzkaller.appspotmail.com +Signed-off-by: Xin Long +Acked-by: Marcelo Ricardo Leitner +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/sctp/socket.c | 24 +++--------------------- + 1 file changed, 3 insertions(+), 21 deletions(-) + +--- a/net/sctp/socket.c ++++ b/net/sctp/socket.c +@@ -4828,35 +4828,17 @@ out_nounlock: + static int sctp_connect(struct sock *sk, struct sockaddr *addr, + int addr_len, int flags) + { +- struct inet_sock *inet = inet_sk(sk); + struct sctp_af *af; +- int err = 0; ++ int err = -EINVAL; + + lock_sock(sk); +- + pr_debug("%s: sk:%p, sockaddr:%p, addr_len:%d\n", __func__, sk, + addr, addr_len); + +- /* We may need to bind the socket. */ +- if (!inet->inet_num) { +- if (sk->sk_prot->get_port(sk, 0)) { +- release_sock(sk); +- return -EAGAIN; +- } +- inet->inet_sport = htons(inet->inet_num); +- } +- + /* Validate addr_len before calling common connect/connectx routine. */ +- af = addr_len < offsetofend(struct sockaddr, sa_family) ? 
NULL : +- sctp_get_af_specific(addr->sa_family); +- if (!af || addr_len < af->sockaddr_len) { +- err = -EINVAL; +- } else { +- /* Pass correct addr len to common routine (so it knows there +- * is only one address being passed. +- */ ++ af = sctp_get_af_specific(addr->sa_family); ++ if (af && addr_len >= af->sockaddr_len) + err = __sctp_connect(sk, addr, af->sockaddr_len, flags, NULL); +- } + + release_sock(sk); + return err; diff --git a/queue-5.1/selftests-txring_overwrite-fix-incorrect-test-of-mmap-return-value.patch b/queue-5.1/selftests-txring_overwrite-fix-incorrect-test-of-mmap-return-value.patch new file mode 100644 index 00000000000..7b980d416cf --- /dev/null +++ b/queue-5.1/selftests-txring_overwrite-fix-incorrect-test-of-mmap-return-value.patch @@ -0,0 +1,32 @@ +From foo@baz Fri 26 Jul 2019 10:52:07 AM CEST +From: Frank de Brabander +Date: Fri, 5 Jul 2019 13:43:14 +0200 +Subject: selftests: txring_overwrite: fix incorrect test of mmap() return value + +From: Frank de Brabander + +[ Upstream commit cecaa76b2919aac2aa584ce476e9fcd5b084add5 ] + +If mmap() fails it returns MAP_FAILED, which is defined as ((void *) -1). +The current if-statement incorrectly tests if *ring is NULL. + +Fixes: 358be656406d ("selftests/net: add txring_overwrite") +Signed-off-by: Frank de Brabander +Acked-by: Willem de Bruijn +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/net/txring_overwrite.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/tools/testing/selftests/net/txring_overwrite.c ++++ b/tools/testing/selftests/net/txring_overwrite.c +@@ -113,7 +113,7 @@ static int setup_tx(char **ring) + + *ring = mmap(0, req.tp_block_size * req.tp_block_nr, + PROT_READ | PROT_WRITE, MAP_SHARED, fdt, 0); +- if (!*ring) ++ if (*ring == MAP_FAILED) + error(1, errno, "mmap"); + + return fdt; diff --git a/queue-5.1/series b/queue-5.1/series new file mode 100644 index 00000000000..3778b0ae08c --- /dev/null +++ b/queue-5.1/series 
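Review bot: After this change sctp_connect() reads `addr->sa_family` before any length check of its own, because the `addr_len < offsetofend(struct sockaddr, sa_family)` test was dropped on the grounds that sctp_inet_connect() already performs it. That leaves the kept comment, `/* Validate addr_len before calling common connect/connectx routine. */`, slightly misleading, since the first read of addr now depends on a caller's check. I would state the precondition where it is relied on, e.g. `/* addr_len covers sa_family: checked in sctp_inet_connect() */`, and confirm that no other path reaches this function with an unchecked addr_len. The hunk shows the whole new body, but the callers are not on this page.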
@@ -0,0 +1,42 @@ +bnx2x-prevent-load-reordering-in-tx-completion-processing.patch +caif-hsi-fix-possible-deadlock-in-cfhsi_exit_module.patch +hv_netvsc-fix-extra-rcu_read_unlock-in-netvsc_recv_callback.patch +igmp-fix-memory-leak-in-igmpv3_del_delrec.patch +ipv4-don-t-set-ipv6-only-flags-to-ipv4-addresses.patch +ipv6-rt6_check-should-return-null-if-from-is-null.patch +ipv6-unlink-sibling-route-in-case-of-failure.patch +net-bcmgenet-use-promisc-for-unsupported-filters.patch +net-dsa-mv88e6xxx-wait-after-reset-deactivation.patch +net-make-skb_dst_force-return-true-when-dst-is-refcounted.patch +net-neigh-fix-multiple-neigh-timer-scheduling.patch +net-openvswitch-fix-csum-updates-for-mpls-actions.patch +net-phy-sfp-hwmon-fix-scaling-of-rx-power.patch +net_sched-unset-tcq_f_can_bypass-when-adding-filters.patch +net-stmmac-re-work-the-queue-selection-for-tso-packets.patch +net-tls-make-sure-offload-also-gets-the-keys-wiped.patch +nfc-fix-potential-illegal-memory-access.patch +r8169-fix-issue-with-confused-rx-unit-after-phy-power-down-on-rtl8411b.patch +rxrpc-fix-send-on-a-connected-but-unbound-socket.patch +sctp-fix-error-handling-on-stream-scheduler-initialization.patch +sctp-not-bind-the-socket-in-sctp_connect.patch +sky2-disable-msi-on-asus-p6t.patch +tcp-be-more-careful-in-tcp_fragment.patch +tcp-fix-tcp_set_congestion_control-use-from-bpf-hook.patch +tcp-reset-bytes_acked-and-bytes_received-when-disconnecting.patch +vrf-make-sure-skb-data-contains-ip-header-to-make-routing.patch +net-mlx5e-ipoib-add-error-path-in-mlx5_rdma_setup_rn.patch +net-bridge-mcast-fix-stale-nsrcs-pointer-in-igmp3-mld2-report-handling.patch +net-bridge-mcast-fix-stale-ipv6-hdr-pointer-when-handling-v6-query.patch +net-bridge-don-t-cache-ether-dest-pointer-on-input.patch +net-bridge-stp-don-t-cache-eth-dest-pointer-before-skb-pull.patch +macsec-fix-use-after-free-of-skb-during-rx.patch +macsec-fix-checksumming-after-decryption.patch +netrom-fix-a-memory-leak-in-nr_rx_frame.patch 
+netrom-hold-sock-when-setting-skb-destructor.patch +selftests-txring_overwrite-fix-incorrect-test-of-mmap-return-value.patch +net-tls-fix-poll-ignoring-partially-copied-records.patch +net-tls-reject-offload-of-tls-1.3.patch +net-mlx5e-fix-port-tunnel-gre-entropy-control.patch +net-mlx5e-rx-fix-checksum-calculation-for-new-hardware.patch +net-mlx5e-fix-return-value-from-timeout-recover-function.patch +net-mlx5e-fix-error-flow-in-tx-reporter-diagnose.patch diff --git a/queue-5.1/sky2-disable-msi-on-asus-p6t.patch b/queue-5.1/sky2-disable-msi-on-asus-p6t.patch new file mode 100644 index 00000000000..ad3a9493eaf --- /dev/null +++ b/queue-5.1/sky2-disable-msi-on-asus-p6t.patch @@ -0,0 +1,41 @@ +From foo@baz Fri 26 Jul 2019 10:52:07 AM CEST +From: Takashi Iwai +Date: Tue, 23 Jul 2019 17:15:25 +0200 +Subject: sky2: Disable MSI on ASUS P6T + +From: Takashi Iwai + +[ Upstream commit a261e3797506bd561700be643fe1a85bf81e9661 ] + +The onboard sky2 NIC on ASUS P6T WS PRO doesn't work after PM resume +due to the infamous IRQ problem. Disabling MSI works around it, so +let's add it to the blacklist. + +Unfortunately the BIOS on the machine doesn't fill the standard +DMI_SYS_* entry, so we pick up DMI_BOARD_* entries instead. + +BugLink: https://bugzilla.suse.com/show_bug.cgi?id=1142496 +Reported-and-tested-by: Marcus Seyfarth +Signed-off-by: Takashi Iwai +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/marvell/sky2.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/net/ethernet/marvell/sky2.c ++++ b/drivers/net/ethernet/marvell/sky2.c +@@ -4933,6 +4933,13 @@ static const struct dmi_system_id msi_bl + DMI_MATCH(DMI_PRODUCT_NAME, "P-79"), + }, + }, ++ { ++ .ident = "ASUS P6T", ++ .matches = { ++ DMI_MATCH(DMI_BOARD_VENDOR, "ASUSTeK Computer INC."), ++ DMI_MATCH(DMI_BOARD_NAME, "P6T"), ++ }, ++ }, + {} + }; + 
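Review bot: `DMI_MATCH(DMI_BOARD_NAME, "P6T")` is a substring match, so the new msi_blacklist entry applies to every ASUSTeK board whose name contains "P6T", not only the P6T WS PRO named in the commit message. If the whole family is meant, say so in a comment next to `.ident = "ASUS P6T"`. If only the reported board is known to be affected, match its full board name or use `DMI_EXACT_MATCH`. The table starts outside the hunk.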
diff --git a/queue-5.1/tcp-be-more-careful-in-tcp_fragment.patch b/queue-5.1/tcp-be-more-careful-in-tcp_fragment.patch
new file mode 100644
index 00000000000..2aa5c20236f
--- /dev/null
+++ b/queue-5.1/tcp-be-more-careful-in-tcp_fragment.patch
@@ -0,0 +1,94 @@ +From foo@baz Fri 26 Jul 2019 10:52:07 AM CEST +From: Eric Dumazet +Date: Fri, 19 Jul 2019 11:52:33 -0700 +Subject: tcp: be more careful in tcp_fragment() + +From: Eric Dumazet + +[ Upstream commit b617158dc096709d8600c53b6052144d12b89fab ] + +Some applications set tiny SO_SNDBUF values and expect +TCP to just work. Recent patches to address CVE-2019-11478 +broke them in case of losses, since retransmits might +be prevented. + +We should allow these flows to make progress. + +This patch allows the first and last skb in retransmit queue +to be split even if memory limits are hit. + +It also adds the some room due to the fact that tcp_sendmsg() +and tcp_sendpage() might overshoot sk_wmem_queued by about one full +TSO skb (64KB size). Note this allowance was already present +in stable backports for kernels < 4.15 + +Note for < 4.15 backports : + tcp_rtx_queue_tail() will probably look like : + +static inline struct sk_buff *tcp_rtx_queue_tail(const struct sock *sk) +{ + struct sk_buff *skb = tcp_send_head(sk); + + return skb ? tcp_write_queue_prev(sk, skb) : tcp_write_queue_tail(sk); +} + +Fixes: f070ef2ac667 ("tcp: tcp_fragment() should apply sane memory limits") +Signed-off-by: Eric Dumazet +Reported-by: Andrew Prout +Tested-by: Andrew Prout +Tested-by: Jonathan Lemon +Tested-by: Michal Kubecek +Acked-by: Neal Cardwell +Acked-by: Yuchung Cheng +Acked-by: Christoph Paasch +Cc: Jonathan Looney +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/net/tcp.h | 5 +++++ + net/ipv4/tcp_output.c | 13 +++++++++++-- + 2 files changed, 16 insertions(+), 2 deletions(-) + +--- a/include/net/tcp.h ++++ b/include/net/tcp.h +@@ -1679,6 +1679,11 @@ static inline struct sk_buff *tcp_rtx_qu + return skb_rb_first(&sk->tcp_rtx_queue); + } + ++static inline struct sk_buff *tcp_rtx_queue_tail(const struct sock *sk) ++{ ++ return skb_rb_last(&sk->tcp_rtx_queue); ++} ++ + static inline struct sk_buff *tcp_write_queue_head(const struct sock *sk) + { + return skb_peek(&sk->sk_write_queue); +--- a/net/ipv4/tcp_output.c ++++ b/net/ipv4/tcp_output.c +@@ -1289,6 +1289,7 @@ int tcp_fragment(struct sock *sk, enum t + struct tcp_sock *tp = tcp_sk(sk); + struct sk_buff *buff; + int nsize, old_factor; ++ long limit; + int nlen; + u8 flags; + +@@ -1299,8 +1300,16 @@ int tcp_fragment(struct sock *sk, enum t + if (nsize < 0) + nsize = 0; + +- if (unlikely((sk->sk_wmem_queued >> 1) > sk->sk_sndbuf && +- tcp_queue != TCP_FRAG_IN_WRITE_QUEUE)) { ++ /* tcp_sendmsg() can overshoot sk_wmem_queued by one full size skb. ++ * We need some allowance to not penalize applications setting small ++ * SO_SNDBUF values. ++ * Also allow first and last skb in retransmit queue to be split. ++ */ ++ limit = sk->sk_sndbuf + 2 * SKB_TRUESIZE(GSO_MAX_SIZE); ++ if (unlikely((sk->sk_wmem_queued >> 1) > limit && ++ tcp_queue != TCP_FRAG_IN_WRITE_QUEUE && ++ skb != tcp_rtx_queue_head(sk) && ++ skb != tcp_rtx_queue_tail(sk))) { + NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPWQUEUETOOBIG); + return -ENOMEM; + } diff --git a/queue-5.1/tcp-fix-tcp_set_congestion_control-use-from-bpf-hook.patch b/queue-5.1/tcp-fix-tcp_set_congestion_control-use-from-bpf-hook.patch new file mode 100644 index 00000000000..a38b37d535c --- /dev/null +++ b/queue-5.1/tcp-fix-tcp_set_congestion_control-use-from-bpf-hook.patch 
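Review bot: In the `tcp_output.c` hunk of the tcp_fragment() patch, the comment above `limit` does not match the arithmetic or explain the exemption that weakens the memory check. It speaks of "one full size skb", but the code adds `2 * SKB_TRUESIZE(GSO_MAX_SIZE)` and compares against `sk_wmem_queued >> 1`, so the effective headroom on `sk_wmem_queued` is larger than the comment suggests. The `skb != tcp_rtx_queue_head(sk)` and `skb != tcp_rtx_queue_tail(sk)` terms also let those two skbs skip the limit entirely, and this limit is the one the description ties to CVE-2019-11478. I would extend the comment with something like `* limit is compared with sk_wmem_queued / 2, hence the factor of two.` and `* Head and tail of the rtx queue bypass the limit so retransmits can make progress.` so a later reader does not tighten or loosen the check by accident. The body of tcp_fragment() continues outside the hunk.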
@@ -0,0 +1,102 @@
+From foo@baz Fri 26 Jul 2019 10:52:07 AM CEST
+From: Eric Dumazet
+Date: Thu, 18 Jul 2019 19:28:14 -0700
+Subject: tcp: fix tcp_set_congestion_control() use from bpf hook
+
+From: Eric Dumazet
+
+[ Upstream commit 8d650cdedaabb33e85e9b7c517c0c71fcecc1de9 ]
+
+Neal reported incorrect use of ns_capable() from bpf hook.
+
+bpf_setsockopt(...TCP_CONGESTION...)
+ -> tcp_set_congestion_control()
+ -> ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN)
+ -> ns_capable_common()
+ -> current_cred()
+ -> rcu_dereference_protected(current->cred, 1)
+
+Accessing 'current' in bpf context makes no sense, since packets
+are processed from softirq context.
+
+As Neal stated : The capability check in tcp_set_congestion_control()
+was written assuming a system call context, and then was reused from
+a BPF call site.
+
+The fix is to add a new parameter to tcp_set_congestion_control(),
+so that the ns_capable() call is only performed under the right
+context.
+
+Fixes: 91b5b21c7c16 ("bpf: Add support for changing congestion control")
+Signed-off-by: Eric Dumazet
+Cc: Lawrence Brakmo
+Reported-by: Neal Cardwell
+Acked-by: Neal Cardwell
+Acked-by: Lawrence Brakmo
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ include/net/tcp.h | 3 ++-
+ net/core/filter.c | 2 +-
+ net/ipv4/tcp.c | 4 +++-
+ net/ipv4/tcp_cong.c | 6 +++---
+ 4 files changed, 9 insertions(+), 6 deletions(-)
+
+--- a/include/net/tcp.h
++++ b/include/net/tcp.h
+@@ -1067,7 +1067,8 @@ void tcp_get_default_congestion_control(
+ void tcp_get_available_congestion_control(char *buf, size_t len);
+ void tcp_get_allowed_congestion_control(char *buf, size_t len);
+ int tcp_set_allowed_congestion_control(char *allowed);
+-int tcp_set_congestion_control(struct sock *sk, const char *name, bool load, bool reinit);
++int tcp_set_congestion_control(struct sock *sk, const char *name, bool load,
++ bool reinit, bool cap_net_admin);
+ u32 tcp_slow_start(struct tcp_sock *tp, u32 acked);
+ void tcp_cong_avoid_ai(struct tcp_sock *tp, u32 w, u32 acked);
+
+--- a/net/core/filter.c
++++ b/net/core/filter.c
+@@ -4211,7 +4211,7 @@ BPF_CALL_5(bpf_setsockopt, struct bpf_so
+ TCP_CA_NAME_MAX-1));
+ name[TCP_CA_NAME_MAX-1] = 0;
+ ret = tcp_set_congestion_control(sk, name, false,
+- reinit);
++ reinit, true);
+ } else {
+ struct tcp_sock *tp = tcp_sk(sk);
+
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -2784,7 +2784,9 @@ static int do_tcp_setsockopt(struct sock
+ name[val] = 0;
+
+ lock_sock(sk);
+- err = tcp_set_congestion_control(sk, name, true, true);
++ err = tcp_set_congestion_control(sk, name, true, true,
++ ns_capable(sock_net(sk)->user_ns,
++ CAP_NET_ADMIN));
+ release_sock(sk);
+ return err;
+ }
+--- a/net/ipv4/tcp_cong.c
++++ b/net/ipv4/tcp_cong.c
+@@ -332,7 +332,8 @@ out:
+ * tcp_reinit_congestion_control (if the current congestion control was
+ * already initialized.
+ */
+-int tcp_set_congestion_control(struct sock *sk, const char *name, bool load, bool reinit)
++int tcp_set_congestion_control(struct sock *sk, const char *name, bool load,
++ bool reinit, bool cap_net_admin)
+ {
+ struct inet_connection_sock *icsk = inet_csk(sk);
+ const struct tcp_congestion_ops *ca;
+@@ -368,8 +369,7 @@ int tcp_set_congestion_control(struct so
+ } else {
+ err = -EBUSY;
+ }
+- } else if (!((ca->flags & TCP_CONG_NON_RESTRICTED) ||
+- ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN))) {
++ } else if (!((ca->flags & TCP_CONG_NON_RESTRICTED) || cap_net_admin)) {
+ err = -EPERM;
+ } else if (!try_module_get(ca->owner)) {
+ err = -EBUSY;
diff --git a/queue-5.1/tcp-reset-bytes_acked-and-bytes_received-when-disconnecting.patch b/queue-5.1/tcp-reset-bytes_acked-and-bytes_received-when-disconnecting.patch
new file mode 100644
index 00000000000..8505cba45e7
--- /dev/null
+++ b/queue-5.1/tcp-reset-bytes_acked-and-bytes_received-when-disconnecting.patch
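Review bot: In the `net/core/filter.c` hunk of the tcp_set_congestion_control() patch, the BPF call site passes a bare `true` for `cap_net_admin`. Any program that reaches `bpf_setsockopt()` can therefore select a congestion control without `TCP_CONG_NON_RESTRICTED`, and nothing at the call says where that privilege comes from. A comment such as `/* BPF caller is treated as CAP_NET_ADMIN; privilege was checked when the program was loaded/attached */` would make the trust decision reviewable, assuming that is the intent. In the `net/ipv4/tcp.c` hunk, `ns_capable()` is now evaluated on every `TCP_CONGESTION` setsockopt. In the removed `tcp_cong.c` lines it ran only after the `TCP_CONG_NON_RESTRICTED` test failed, so unprivileged callers picking an allowed algorithm may now hit the capability hook and its audit path. That change deserves a line in the comment above `tcp_set_congestion_control()`, whose body continues outside the hunk.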
@@ -0,0 +1,35 @@
+From foo@baz Fri 26 Jul 2019 10:52:07 AM CEST
+From: Christoph Paasch
+Date: Sat, 6 Jul 2019 16:13:07 -0700
+Subject: tcp: Reset bytes_acked and bytes_received when disconnecting
+
+From: Christoph Paasch
+
+[ Upstream commit e858faf556d4e14c750ba1e8852783c6f9520a0e ]
+
+If an app is playing tricks to reuse a socket via tcp_disconnect(),
+bytes_acked/received needs to be reset to 0. Otherwise tcp_info will
+report the sum of the current and the old connection..
+
+Cc: Eric Dumazet
+Fixes: 0df48c26d841 ("tcp: add tcpi_bytes_acked to tcp_info")
+Fixes: bdd1f9edacb5 ("tcp: add tcpi_bytes_received to tcp_info")
+Signed-off-by: Christoph Paasch
+Signed-off-by: Eric Dumazet
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv4/tcp.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -2630,6 +2630,8 @@ int tcp_disconnect(struct sock *sk, int
+ tcp_saved_syn_free(tp);
+ tp->compressed_ack = 0;
+ tp->bytes_sent = 0;
++ tp->bytes_acked = 0;
++ tp->bytes_received = 0;
+ tp->bytes_retrans = 0;
+ tp->duplicate_sack[0].start_seq = 0;
+ tp->duplicate_sack[0].end_seq = 0;
diff --git a/queue-5.1/vrf-make-sure-skb-data-contains-ip-header-to-make-routing.patch b/queue-5.1/vrf-make-sure-skb-data-contains-ip-header-to-make-routing.patch
new file mode 100644
index 00000000000..2025b3903bc
--- /dev/null
+++ b/queue-5.1/vrf-make-sure-skb-data-contains-ip-header-to-make-routing.patch
@@ -0,0 +1,113 @@
+From foo@baz Fri 26 Jul 2019 10:52:07 AM CEST
+From: Peter Kosyh
+Date: Fri, 19 Jul 2019 11:11:47 +0300
+Subject: vrf: make sure skb->data contains ip header to make routing
+
+From: Peter Kosyh
+
+[ Upstream commit 107e47cc80ec37cb332bd41b22b1c7779e22e018 ]
+
+vrf_process_v4_outbound() and vrf_process_v6_outbound() do routing
+using ip/ipv6 addresses, but don't make sure the header is available
+in skb->data[] (skb_headlen() is less then header size).
+
+Case:
+
+1) igb driver from intel.
+2) Packet size is greater then 255.
+3) MPLS forwards to VRF device.
+
+So, patch adds pskb_may_pull() calls in vrf_process_v4/v6_outbound()
+functions.
+
+Signed-off-by: Peter Kosyh
+Reviewed-by: David Ahern
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/vrf.c | 58 +++++++++++++++++++++++++++++++++++-----------------------
+ 1 file changed, 35 insertions(+), 23 deletions(-)
+
+--- a/drivers/net/vrf.c
++++ b/drivers/net/vrf.c
+@@ -169,23 +169,29 @@ static int vrf_ip6_local_out(struct net
+ static netdev_tx_t vrf_process_v6_outbound(struct sk_buff *skb,
+ struct net_device *dev)
+ {
+- const struct ipv6hdr *iph = ipv6_hdr(skb);
++ const struct ipv6hdr *iph;
+ struct net *net = dev_net(skb->dev);
+- struct flowi6 fl6 = {
+- /* needed to match OIF rule */
+- .flowi6_oif = dev->ifindex,
+- .flowi6_iif = LOOPBACK_IFINDEX,
+- .daddr = iph->daddr,
+- .saddr = iph->saddr,
+- .flowlabel = ip6_flowinfo(iph),
+- .flowi6_mark = skb->mark,
+- .flowi6_proto = iph->nexthdr,
+- .flowi6_flags = FLOWI_FLAG_SKIP_NH_OIF,
+- };
++ struct flowi6 fl6;
+ int ret = NET_XMIT_DROP;
+ struct dst_entry *dst;
+ struct dst_entry *dst_null = &net->ipv6.ip6_null_entry->dst;
+
++ if (!pskb_may_pull(skb, ETH_HLEN + sizeof(struct ipv6hdr)))
++ goto err;
++
++ iph = ipv6_hdr(skb);
++
++ memset(&fl6, 0, sizeof(fl6));
++ /* needed to match OIF rule */
++ fl6.flowi6_oif = dev->ifindex;
++ fl6.flowi6_iif = LOOPBACK_IFINDEX;
++ fl6.daddr = iph->daddr;
++ fl6.saddr = iph->saddr;
++ fl6.flowlabel = ip6_flowinfo(iph);
++ fl6.flowi6_mark = skb->mark;
++ fl6.flowi6_proto = iph->nexthdr;
++ fl6.flowi6_flags = FLOWI_FLAG_SKIP_NH_OIF;
++
+ dst = ip6_route_output(net, NULL, &fl6);
+ if (dst == dst_null)
+ goto err;
+@@ -241,21 +247,27 @@ static int vrf_ip_local_out(struct net *
+ static netdev_tx_t vrf_process_v4_outbound(struct sk_buff *skb,
+ struct net_device *vrf_dev)
+ {
+- struct iphdr *ip4h = ip_hdr(skb);
++ struct iphdr *ip4h;
+ int ret = NET_XMIT_DROP;
+- struct flowi4 fl4 = {
+- /* needed to match OIF rule */
+- .flowi4_oif = vrf_dev->ifindex,
+- .flowi4_iif = LOOPBACK_IFINDEX,
+- .flowi4_tos = RT_TOS(ip4h->tos),
+- .flowi4_flags = FLOWI_FLAG_ANYSRC | FLOWI_FLAG_SKIP_NH_OIF,
+- .flowi4_proto = ip4h->protocol,
+- .daddr = ip4h->daddr,
+- .saddr = ip4h->saddr,
+- };
++ struct flowi4 fl4;
+ struct net *net = dev_net(vrf_dev);
+ struct rtable *rt;
+
++ if (!pskb_may_pull(skb, ETH_HLEN + sizeof(struct iphdr)))
++ goto err;
++
++ ip4h = ip_hdr(skb);
++
++ memset(&fl4, 0, sizeof(fl4));
++ /* needed to match OIF rule */
++ fl4.flowi4_oif = vrf_dev->ifindex;
++ fl4.flowi4_iif = LOOPBACK_IFINDEX;
++ fl4.flowi4_tos = RT_TOS(ip4h->tos);
++ fl4.flowi4_flags = FLOWI_FLAG_ANYSRC | FLOWI_FLAG_SKIP_NH_OIF;
++ fl4.flowi4_proto = ip4h->protocol;
++ fl4.daddr = ip4h->daddr;
++ fl4.saddr = ip4h->saddr;
++
+ rt = ip_route_output_flow(net, &fl4, NULL);
+ if (IS_ERR(rt))
+ goto err;
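Review bot: The length passed to `pskb_may_pull()` in both `vrf_process_v6_outbound()` and `vrf_process_v4_outbound()` is counted from `skb->data` with a fixed `ETH_HLEN`, but the header is then read through `ipv6_hdr(skb)` / `ip_hdr(skb)`, which follow the skb's network-header offset. Nothing in these hunks shows that the two always agree, so if the network header sits at a different offset the pull would not cover the bytes being read. `if (!pskb_may_pull(skb, skb_network_offset(skb) + sizeof(struct ipv6hdr)))` (and the `struct iphdr` equivalent) ties the check to the pointer actually used; otherwise a comment should state why `ETH_HLEN` is guaranteed at this point. Taking `iph` / `ip4h` only after the pull is right, since the pull may relocate the header. Both function bodies continue outside the hunks.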