From: Greg Kroah-Hartman Date: Tue, 11 Sep 2018 08:28:53 +0000 (+0200) Subject: 4.18-stable patches X-Git-Tag: v4.4.156~39 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=14782ffef074e6713f5deceaf716188592e83ad0;p=thirdparty%2Fkernel%2Fstable-queue.git 4.18-stable patches added patches: act_ife-fix-a-potential-deadlock.patch act_ife-fix-a-potential-use-after-free.patch act_ife-move-tcfa_lock-down-to-where-necessary.patch bnxt_en-clean-up-unused-functions.patch bnxt_en-do-not-adjust-max_cp_rings-by-the-ones-used-by-rdma.patch erspan-set-erspan_ver-to-1-by-default-when-adding-an-erspan-dev.patch hv_netvsc-fix-a-deadlock-by-getting-rtnl-lock-earlier-in-netvsc_probe.patch hv_netvsc-ignore-devices-that-are-not-pci.patch ip6_vti-fix-a-null-pointer-deference-when-destroy-vti6-tunnel.patch ip6_vti-fix-creating-fallback-tunnel-device-for-vti6.patch ipv4-tcp-send-zero-ipid-for-rst-and-ack-sent-in-syn-recv-and-time-wait-state.patch ipv6-don-t-get-lwtstate-twice-in-ip6_rt_copy_init.patch mlxsw-spectrum_switchdev-do-not-leak-rifs-when-removing-bridge.patch net-bcmgenet-use-mac-link-status-for-fixed-phy.patch net-ipv6-init-ip6-anycast-rt-dst.input-as-ip6_input.patch net-ipv6-only-update-mtu-metric-if-it-set.patch net-ipv6-put-lwtstate-when-destroying-fib6_info.patch net-macb-do-not-disable-mdio-bus-at-open-close-time.patch net-macb-fix-regression-breaking-non-mdio-fixed-link-phys.patch net-mlx5-fix-sq-offset-in-qps-with-small-rq.patch net-sched-act_pedit-fix-dump-of-extended-layered-op.patch net-sched-action_ife-take-reference-to-meta-module.patch net-sched-fix-memory-exposure-from-short-tca_u32_sel.patch nfp-wait-for-posted-reconfigs-when-disabling-the-device.patch qlge-fix-netdev-features-configuration.patch r8152-disable-rx-aggregation-on-new-dell-tb16-dock.patch r8169-add-support-for-ncube-8168-network-card.patch r8169-set-rxconfig-after-tx-rx-is-enabled-for-rtl8169sb-8110sb-devices.patch revert-net-stmmac-do-not-keep-rearming-the-coalesce-timer-in-stmmac_xmit.patch sctp-hold-transport-before-accessing-its-asoc-in-sctp_transport_get_next.patch sctp-remove-useless-start_fail-from-sctp_ht_iter-in-proc.patch tcp-do-not-restart-timewait-timer-on-rst-reception.patch tipc-fix-a-missing-rhashtable_walk_exit.patch tipc-fix-the-big-little-endian-issue-in-tipc_dest.patch vhost-correctly-check-the-iova-range-when-waking-virtqueue.patch vti6-remove-skb-ignore_df-check-from-vti6_xmit.patch --- diff --git a/queue-4.18/act_ife-fix-a-potential-deadlock.patch b/queue-4.18/act_ife-fix-a-potential-deadlock.patch new file mode 100644 index 00000000000..b7d87a0fbf6 --- /dev/null +++ b/queue-4.18/act_ife-fix-a-potential-deadlock.patch @@ -0,0 +1,108 @@ +From foo@baz Tue Sep 11 10:24:52 CEST 2018 +From: Cong Wang +Date: Sun, 19 Aug 2018 12:22:13 -0700 +Subject: act_ife: fix a potential deadlock + +From: Cong Wang + +[ Upstream commit 5ffe57da29b3802baeddaa40909682bbb4cb4d48 ] + +use_all_metadata() acquires read_lock(&ife_mod_lock), then calls +add_metainfo() which calls find_ife_oplist() which acquires the same +lock again. Deadlock! + +Introduce __add_metainfo() which accepts struct tcf_meta_ops *ops +as an additional parameter and let its callers to decide how +to find it. For use_all_metadata(), it already has ops, no +need to find it again, just call __add_metainfo() directly. + +And, as ife_mod_lock is only needed for find_ife_oplist(), +this means we can make non-atomic allocation for populate_metalist() +now. + +Fixes: 817e9f2c5c26 ("act_ife: acquire ife_mod_lock before reading ifeoplist") +Cc: Jamal Hadi Salim +Signed-off-by: Cong Wang +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/sched/act_ife.c | 34 +++++++++++++++++++++------------- + 1 file changed, 21 insertions(+), 13 deletions(-) + +--- a/net/sched/act_ife.c ++++ b/net/sched/act_ife.c +@@ -294,22 +294,16 @@ static int load_metaops_and_vet(u32 meta + + /* called when adding new meta information + */ +-static int add_metainfo(struct tcf_ife_info *ife, u32 metaid, void *metaval, +- int len, bool atomic, bool exists) ++static int __add_metainfo(const struct tcf_meta_ops *ops, ++ struct tcf_ife_info *ife, u32 metaid, void *metaval, ++ int len, bool atomic, bool exists) + { + struct tcf_meta_info *mi = NULL; +- struct tcf_meta_ops *ops = find_ife_oplist(metaid); + int ret = 0; + +- if (!ops) +- return -ENOENT; +- + mi = kzalloc(sizeof(*mi), atomic ? GFP_ATOMIC : GFP_KERNEL); +- if (!mi) { +- /*put back what find_ife_oplist took */ +- module_put(ops->owner); ++ if (!mi) + return -ENOMEM; +- } + + mi->metaid = metaid; + mi->ops = ops; +@@ -317,7 +311,6 @@ static int add_metainfo(struct tcf_ife_i + ret = ops->alloc(mi, metaval, atomic ? GFP_ATOMIC : GFP_KERNEL); + if (ret != 0) { + kfree(mi); +- module_put(ops->owner); + return ret; + } + } +@@ -331,6 +324,21 @@ static int add_metainfo(struct tcf_ife_i + return ret; + } + ++static int add_metainfo(struct tcf_ife_info *ife, u32 metaid, void *metaval, ++ int len, bool exists) ++{ ++ const struct tcf_meta_ops *ops = find_ife_oplist(metaid); ++ int ret; ++ ++ if (!ops) ++ return -ENOENT; ++ ret = __add_metainfo(ops, ife, metaid, metaval, len, false, exists); ++ if (ret) ++ /*put back what find_ife_oplist took */ ++ module_put(ops->owner); ++ return ret; ++} ++ + static int use_all_metadata(struct tcf_ife_info *ife, bool exists) + { + struct tcf_meta_ops *o; +@@ -339,7 +347,7 @@ static int use_all_metadata(struct tcf_i + + read_lock(&ife_mod_lock); + list_for_each_entry(o, &ifeoplist, list) { +- rc = add_metainfo(ife, o->metaid, NULL, 0, true, exists); ++ rc = __add_metainfo(o, ife, o->metaid, NULL, 0, true, exists); + if (rc == 0) + installed += 1; + } +@@ -433,7 +441,7 @@ static int populate_metalist(struct tcf_ + if (rc != 0) + return rc; + +- rc = add_metainfo(ife, i, val, len, false, exists); ++ rc = add_metainfo(ife, i, val, len, exists); + if (rc) + return rc; + } diff --git a/queue-4.18/act_ife-fix-a-potential-use-after-free.patch b/queue-4.18/act_ife-fix-a-potential-use-after-free.patch new file mode 100644 index 00000000000..2db740d95e1 --- /dev/null +++ b/queue-4.18/act_ife-fix-a-potential-use-after-free.patch @@ -0,0 +1,42 @@ +From foo@baz Tue Sep 11 10:24:52 CEST 2018 +From: Cong Wang +Date: Mon, 3 Sep 2018 11:08:15 -0700 +Subject: act_ife: fix a potential use-after-free + +From: Cong Wang + +[ Upstream commit 6d784f1625ea68783cc1fb17de8f6cd3e1660c3f ] + +Immediately after module_put(), user could delete this +module, so e->ops could be already freed before we call +e->ops->release(). + +Fix this by moving module_put() after ops->release(). + +Fixes: ef6980b6becb ("introduce IFE action") +Cc: Jamal Hadi Salim +Signed-off-by: Cong Wang +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/sched/act_ife.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/sched/act_ife.c ++++ b/net/sched/act_ife.c +@@ -393,7 +393,6 @@ static void _tcf_ife_cleanup(struct tc_a + struct tcf_meta_info *e, *n; + + list_for_each_entry_safe(e, n, &ife->metalist, metalist) { +- module_put(e->ops->owner); + list_del(&e->metalist); + if (e->metaval) { + if (e->ops->release) +@@ -401,6 +400,7 @@ static void _tcf_ife_cleanup(struct tc_a + else + kfree(e->metaval); + } ++ module_put(e->ops->owner); + kfree(e); + } + } diff --git a/queue-4.18/act_ife-move-tcfa_lock-down-to-where-necessary.patch b/queue-4.18/act_ife-move-tcfa_lock-down-to-where-necessary.patch new file mode 100644 index 00000000000..e9ece866296 --- /dev/null +++ b/queue-4.18/act_ife-move-tcfa_lock-down-to-where-necessary.patch @@ -0,0 +1,157 @@ +From foo@baz Tue Sep 11 10:24:52 CEST 2018 +From: Cong Wang +Date: Sun, 19 Aug 2018 12:22:12 -0700 +Subject: act_ife: move tcfa_lock down to where necessary + +From: Cong Wang + +[ Upstream commit 4e407ff5cd67ec76eeeea1deec227b7982dc7f66 ] + +The only time we need to take tcfa_lock is when adding +a new metainfo to an existing ife->metalist. We don't need +to take tcfa_lock so early and so broadly in tcf_ife_init(). + +This means we can always take ife_mod_lock first, avoid the +reverse locking ordering warning as reported by Vlad. + +Reported-by: Vlad Buslov +Tested-by: Vlad Buslov +Cc: Vlad Buslov +Cc: Jamal Hadi Salim +Signed-off-by: Cong Wang +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/sched/act_ife.c | 36 +++++++++++++----------------------- + 1 file changed, 13 insertions(+), 23 deletions(-) + +--- a/net/sched/act_ife.c ++++ b/net/sched/act_ife.c +@@ -265,10 +265,8 @@ static const char *ife_meta_id2name(u32 + #endif + + /* called when adding new meta information +- * under ife->tcf_lock for existing action + */ +-static int load_metaops_and_vet(struct tcf_ife_info *ife, u32 metaid, +- void *val, int len, bool exists) ++static int load_metaops_and_vet(u32 metaid, void *val, int len) + { + struct tcf_meta_ops *ops = find_ife_oplist(metaid); + int ret = 0; +@@ -276,13 +274,9 @@ static int load_metaops_and_vet(struct t + if (!ops) { + ret = -ENOENT; + #ifdef CONFIG_MODULES +- if (exists) +- spin_unlock_bh(&ife->tcf_lock); + rtnl_unlock(); + request_module("ife-meta-%s", ife_meta_id2name(metaid)); + rtnl_lock(); +- if (exists) +- spin_lock_bh(&ife->tcf_lock); + ops = find_ife_oplist(metaid); + #endif + } +@@ -299,10 +293,9 @@ static int load_metaops_and_vet(struct t + } + + /* called when adding new meta information +- * under ife->tcf_lock for existing action + */ + static int add_metainfo(struct tcf_ife_info *ife, u32 metaid, void *metaval, +- int len, bool atomic) ++ int len, bool atomic, bool exists) + { + struct tcf_meta_info *mi = NULL; + struct tcf_meta_ops *ops = find_ife_oplist(metaid); +@@ -329,12 +322,16 @@ static int add_metainfo(struct tcf_ife_i + } + } + ++ if (exists) ++ spin_lock_bh(&ife->tcf_lock); + list_add_tail(&mi->metalist, &ife->metalist); ++ if (exists) ++ spin_unlock_bh(&ife->tcf_lock); + + return ret; + } + +-static int use_all_metadata(struct tcf_ife_info *ife) ++static int use_all_metadata(struct tcf_ife_info *ife, bool exists) + { + struct tcf_meta_ops *o; + int rc = 0; +@@ -342,7 +339,7 @@ static int use_all_metadata(struct tcf_i + + read_lock(&ife_mod_lock); + list_for_each_entry(o, &ifeoplist, list) { +- rc = add_metainfo(ife, o->metaid, NULL, 0, true); ++ rc = add_metainfo(ife, o->metaid, NULL, 0, true, exists); + if (rc == 0) + installed += 1; + } +@@ -419,7 +416,6 @@ static void tcf_ife_cleanup(struct tc_ac + kfree_rcu(p, rcu); + } + +-/* under ife->tcf_lock for existing action */ + static int populate_metalist(struct tcf_ife_info *ife, struct nlattr **tb, + bool exists) + { +@@ -433,11 +429,11 @@ static int populate_metalist(struct tcf_ + val = nla_data(tb[i]); + len = nla_len(tb[i]); + +- rc = load_metaops_and_vet(ife, i, val, len, exists); ++ rc = load_metaops_and_vet(i, val, len); + if (rc != 0) + return rc; + +- rc = add_metainfo(ife, i, val, len, exists); ++ rc = add_metainfo(ife, i, val, len, false, exists); + if (rc) + return rc; + } +@@ -531,8 +527,6 @@ static int tcf_ife_init(struct net *net, + p->eth_type = ife_type; + } + +- if (exists) +- spin_lock_bh(&ife->tcf_lock); + + if (ret == ACT_P_CREATED) + INIT_LIST_HEAD(&ife->metalist); +@@ -544,9 +538,6 @@ static int tcf_ife_init(struct net *net, + metadata_parse_err: + if (ret == ACT_P_CREATED) + tcf_idr_release(*a, bind); +- +- if (exists) +- spin_unlock_bh(&ife->tcf_lock); + kfree(p); + return err; + } +@@ -561,18 +552,17 @@ metadata_parse_err: + * as we can. You better have at least one else we are + * going to bail out + */ +- err = use_all_metadata(ife); ++ err = use_all_metadata(ife, exists); + if (err) { + if (ret == ACT_P_CREATED) + tcf_idr_release(*a, bind); +- +- if (exists) +- spin_unlock_bh(&ife->tcf_lock); + kfree(p); + return err; + } + } + ++ if (exists) ++ spin_lock_bh(&ife->tcf_lock); + ife->tcf_action = parm->action; + if (exists) + spin_unlock_bh(&ife->tcf_lock); diff --git a/queue-4.18/bnxt_en-clean-up-unused-functions.patch b/queue-4.18/bnxt_en-clean-up-unused-functions.patch new file mode 100644 index 00000000000..aae61e65eaf --- /dev/null +++ b/queue-4.18/bnxt_en-clean-up-unused-functions.patch @@ -0,0 +1,77 @@ +From foo@baz Tue Sep 11 10:24:52 CEST 2018 +From: Michael Chan +Date: Mon, 3 Sep 2018 04:23:18 -0400 +Subject: bnxt_en: Clean up unused functions. + +From: Michael Chan + +[ Upstream commit ad95c27bdb930105f3eea02621bda157caf2862d ] + +Remove unused bnxt_subtract_ulp_resources(). Change +bnxt_get_max_func_irqs() to static since it is only locally used. + +Signed-off-by: Michael Chan +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/broadcom/bnxt/bnxt.c | 2 +- + drivers/net/ethernet/broadcom/bnxt/bnxt.h | 1 - + drivers/net/ethernet/broadcom/bnxt/bnxt_ulp.c | 15 --------------- + drivers/net/ethernet/broadcom/bnxt/bnxt_ulp.h | 1 - + 4 files changed, 1 insertion(+), 18 deletions(-) + +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +@@ -5912,7 +5912,7 @@ void bnxt_set_max_func_cp_rings(struct b + bp->hw_resc.max_cp_rings = max; + } + +-unsigned int bnxt_get_max_func_irqs(struct bnxt *bp) ++static unsigned int bnxt_get_max_func_irqs(struct bnxt *bp) + { + struct bnxt_hw_resc *hw_resc = &bp->hw_resc; + +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.h ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.h +@@ -1469,7 +1469,6 @@ unsigned int bnxt_get_max_func_stat_ctxs + void bnxt_set_max_func_stat_ctxs(struct bnxt *bp, unsigned int max); + unsigned int bnxt_get_max_func_cp_rings(struct bnxt *bp); + void bnxt_set_max_func_cp_rings(struct bnxt *bp, unsigned int max); +-unsigned int bnxt_get_max_func_irqs(struct bnxt *bp); + int bnxt_get_avail_msix(struct bnxt *bp, int num); + int bnxt_reserve_rings(struct bnxt *bp); + void bnxt_tx_disable(struct bnxt *bp); +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_ulp.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_ulp.c +@@ -220,21 +220,6 @@ int bnxt_get_ulp_msix_base(struct bnxt * + return 0; + } + +-void bnxt_subtract_ulp_resources(struct bnxt *bp, int ulp_id) +-{ +- ASSERT_RTNL(); +- if (bnxt_ulp_registered(bp->edev, ulp_id)) { +- struct bnxt_en_dev *edev = bp->edev; +- unsigned int msix_req, max; +- +- msix_req = edev->ulp_tbl[ulp_id].msix_requested; +- max = bnxt_get_max_func_cp_rings(bp); +- bnxt_set_max_func_cp_rings(bp, max - msix_req); +- max = bnxt_get_max_func_stat_ctxs(bp); +- bnxt_set_max_func_stat_ctxs(bp, max - 1); +- } +-} +- + static int bnxt_send_msg(struct bnxt_en_dev *edev, int ulp_id, + struct bnxt_fw_msg *fw_msg) + { +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_ulp.h ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_ulp.h +@@ -90,7 +90,6 @@ static inline bool bnxt_ulp_registered(s + + int bnxt_get_ulp_msix_num(struct bnxt *bp); + int bnxt_get_ulp_msix_base(struct bnxt *bp); +-void bnxt_subtract_ulp_resources(struct bnxt *bp, int ulp_id); + void bnxt_ulp_stop(struct bnxt *bp); + void bnxt_ulp_start(struct bnxt *bp); + void bnxt_ulp_sriov_cfg(struct bnxt *bp, int num_vfs); diff --git a/queue-4.18/bnxt_en-do-not-adjust-max_cp_rings-by-the-ones-used-by-rdma.patch b/queue-4.18/bnxt_en-do-not-adjust-max_cp_rings-by-the-ones-used-by-rdma.patch new file mode 100644 index 00000000000..edaf3636cb1 --- /dev/null +++ b/queue-4.18/bnxt_en-do-not-adjust-max_cp_rings-by-the-ones-used-by-rdma.patch @@ -0,0 +1,123 @@ +From foo@baz Tue Sep 11 10:24:52 CEST 2018 +From: Michael Chan +Date: Mon, 3 Sep 2018 04:23:19 -0400 +Subject: bnxt_en: Do not adjust max_cp_rings by the ones used by RDMA. + +From: Michael Chan + +[ Upstream commit 00fe9c326d2027f2437dea38ef0e82f9d02d94c0 ] + +Currently, the driver adjusts the bp->hw_resc.max_cp_rings by the number +of MSIX vectors used by RDMA. There is one code path in open that needs +to check the true max_cp_rings including any used by RDMA. This code +is now checking for the reduced max_cp_rings which will fail when the +number of cp rings is very small. + +To fix this in a clean way, we don't adjust max_cp_rings anymore. +Instead, we add a helper bnxt_get_max_func_cp_rings_for_en() to get the +reduced max_cp_rings when appropriate. + +Fixes: ec86f14ea506 ("bnxt_en: Add ULP calls to stop and restart IRQs.") +Signed-off-by: Michael Chan +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/broadcom/bnxt/bnxt.c | 7 ++++--- + drivers/net/ethernet/broadcom/bnxt/bnxt.h | 2 +- + drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c | 7 ++++--- + drivers/net/ethernet/broadcom/bnxt/bnxt_ulp.c | 5 ----- + 4 files changed, 9 insertions(+), 12 deletions(-) + +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +@@ -5907,9 +5907,9 @@ unsigned int bnxt_get_max_func_cp_rings( + return bp->hw_resc.max_cp_rings; + } + +-void bnxt_set_max_func_cp_rings(struct bnxt *bp, unsigned int max) ++unsigned int bnxt_get_max_func_cp_rings_for_en(struct bnxt *bp) + { +- bp->hw_resc.max_cp_rings = max; ++ return bp->hw_resc.max_cp_rings - bnxt_get_ulp_msix_num(bp); + } + + static unsigned int bnxt_get_max_func_irqs(struct bnxt *bp) +@@ -8492,7 +8492,8 @@ static void _bnxt_get_max_rings(struct b + + *max_tx = hw_resc->max_tx_rings; + *max_rx = hw_resc->max_rx_rings; +- *max_cp = min_t(int, hw_resc->max_irqs, hw_resc->max_cp_rings); ++ *max_cp = min_t(int, bnxt_get_max_func_cp_rings_for_en(bp), ++ hw_resc->max_irqs); + *max_cp = min_t(int, *max_cp, hw_resc->max_stat_ctxs); + max_ring_grps = hw_resc->max_hw_ring_grps; + if (BNXT_CHIP_TYPE_NITRO_A0(bp) && BNXT_PF(bp)) { +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.h ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.h +@@ -1468,7 +1468,7 @@ int bnxt_hwrm_set_coal(struct bnxt *); + unsigned int bnxt_get_max_func_stat_ctxs(struct bnxt *bp); + void bnxt_set_max_func_stat_ctxs(struct bnxt *bp, unsigned int max); + unsigned int bnxt_get_max_func_cp_rings(struct bnxt *bp); +-void bnxt_set_max_func_cp_rings(struct bnxt *bp, unsigned int max); ++unsigned int bnxt_get_max_func_cp_rings_for_en(struct bnxt *bp); + int bnxt_get_avail_msix(struct bnxt *bp, int num); + int bnxt_reserve_rings(struct bnxt *bp); + void bnxt_tx_disable(struct bnxt *bp); +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c +@@ -451,7 +451,7 @@ static int bnxt_hwrm_func_vf_resc_cfg(st + + bnxt_hwrm_cmd_hdr_init(bp, &req, HWRM_FUNC_VF_RESOURCE_CFG, -1, -1); + +- vf_cp_rings = hw_resc->max_cp_rings - bp->cp_nr_rings; ++ vf_cp_rings = bnxt_get_max_func_cp_rings_for_en(bp) - bp->cp_nr_rings; + vf_stat_ctx = hw_resc->max_stat_ctxs - bp->num_stat_ctxs; + if (bp->flags & BNXT_FLAG_AGG_RINGS) + vf_rx_rings = hw_resc->max_rx_rings - bp->rx_nr_rings * 2; +@@ -544,7 +544,8 @@ static int bnxt_hwrm_func_cfg(struct bnx + max_stat_ctxs = hw_resc->max_stat_ctxs; + + /* Remaining rings are distributed equally amongs VF's for now */ +- vf_cp_rings = (hw_resc->max_cp_rings - bp->cp_nr_rings) / num_vfs; ++ vf_cp_rings = (bnxt_get_max_func_cp_rings_for_en(bp) - ++ bp->cp_nr_rings) / num_vfs; + vf_stat_ctx = (max_stat_ctxs - bp->num_stat_ctxs) / num_vfs; + if (bp->flags & BNXT_FLAG_AGG_RINGS) + vf_rx_rings = (hw_resc->max_rx_rings - bp->rx_nr_rings * 2) / +@@ -638,7 +639,7 @@ static int bnxt_sriov_enable(struct bnxt + */ + vfs_supported = *num_vfs; + +- avail_cp = hw_resc->max_cp_rings - bp->cp_nr_rings; ++ avail_cp = bnxt_get_max_func_cp_rings_for_en(bp) - bp->cp_nr_rings; + avail_stat = hw_resc->max_stat_ctxs - bp->num_stat_ctxs; + avail_cp = min_t(int, avail_cp, avail_stat); + +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_ulp.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_ulp.c +@@ -169,7 +169,6 @@ static int bnxt_req_msix_vecs(struct bnx + edev->ulp_tbl[ulp_id].msix_requested = avail_msix; + } + bnxt_fill_msix_vecs(bp, ent); +- bnxt_set_max_func_cp_rings(bp, max_cp_rings - avail_msix); + edev->flags |= BNXT_EN_FLAG_MSIX_REQUESTED; + return avail_msix; + } +@@ -178,7 +177,6 @@ static int bnxt_free_msix_vecs(struct bn + { + struct net_device *dev = edev->net; + struct bnxt *bp = netdev_priv(dev); +- int max_cp_rings, msix_requested; + + ASSERT_RTNL(); + if (ulp_id != BNXT_ROCE_ULP) +@@ -187,9 +185,6 @@ static int bnxt_free_msix_vecs(struct bn + if (!(edev->flags & BNXT_EN_FLAG_MSIX_REQUESTED)) + return 0; + +- max_cp_rings = bnxt_get_max_func_cp_rings(bp); +- msix_requested = edev->ulp_tbl[ulp_id].msix_requested; +- bnxt_set_max_func_cp_rings(bp, max_cp_rings + msix_requested); + edev->ulp_tbl[ulp_id].msix_requested = 0; + edev->flags &= ~BNXT_EN_FLAG_MSIX_REQUESTED; + if (netif_running(dev)) { diff --git a/queue-4.18/erspan-set-erspan_ver-to-1-by-default-when-adding-an-erspan-dev.patch b/queue-4.18/erspan-set-erspan_ver-to-1-by-default-when-adding-an-erspan-dev.patch new file mode 100644 index 00000000000..66460403168 --- /dev/null +++ b/queue-4.18/erspan-set-erspan_ver-to-1-by-default-when-adding-an-erspan-dev.patch @@ -0,0 +1,56 @@ +From foo@baz Tue Sep 11 10:24:52 CEST 2018 +From: Xin Long +Date: Mon, 27 Aug 2018 18:41:32 +0800 +Subject: erspan: set erspan_ver to 1 by default when adding an erspan dev + +From: Xin Long + +[ Upstream commit 84581bdae9587023cea1d139523f0ef0f28bd88d ] + +After erspan_ver is introudced, if erspan_ver is not set in iproute, its +value will be left 0 by default. Since Commit 02f99df1875c ("erspan: fix +invalid erspan version."), it has broken the traffic due to the version +check in erspan_xmit if users are not aware of 'erspan_ver' param, like +using an old version of iproute. + +To fix this compatibility problem, it sets erspan_ver to 1 by default +when adding an erspan dev in erspan_setup. Note that we can't do it in +ipgre_netlink_parms, as this function is also used by ipgre_changelink. + +Fixes: 02f99df1875c ("erspan: fix invalid erspan version.") +Reported-by: Jianlin Shi +Signed-off-by: Xin Long +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/ip_gre.c | 3 +++ + net/ipv6/ip6_gre.c | 1 + + 2 files changed, 4 insertions(+) + +--- a/net/ipv4/ip_gre.c ++++ b/net/ipv4/ip_gre.c +@@ -1511,11 +1511,14 @@ nla_put_failure: + + static void erspan_setup(struct net_device *dev) + { ++ struct ip_tunnel *t = netdev_priv(dev); ++ + ether_setup(dev); + dev->netdev_ops = &erspan_netdev_ops; + dev->priv_flags &= ~IFF_TX_SKB_SHARING; + dev->priv_flags |= IFF_LIVE_ADDR_CHANGE; + ip_tunnel_setup(dev, erspan_net_id); ++ t->erspan_ver = 1; + } + + static const struct nla_policy ipgre_policy[IFLA_GRE_MAX + 1] = { +--- a/net/ipv6/ip6_gre.c ++++ b/net/ipv6/ip6_gre.c +@@ -1776,6 +1776,7 @@ static void ip6gre_netlink_parms(struct + if (data[IFLA_GRE_COLLECT_METADATA]) + parms->collect_md = true; + ++ parms->erspan_ver = 1; + if (data[IFLA_GRE_ERSPAN_VER]) + parms->erspan_ver = nla_get_u8(data[IFLA_GRE_ERSPAN_VER]); + diff --git a/queue-4.18/hv_netvsc-fix-a-deadlock-by-getting-rtnl-lock-earlier-in-netvsc_probe.patch b/queue-4.18/hv_netvsc-fix-a-deadlock-by-getting-rtnl-lock-earlier-in-netvsc_probe.patch new file mode 100644 index 00000000000..f99806166af --- /dev/null +++ b/queue-4.18/hv_netvsc-fix-a-deadlock-by-getting-rtnl-lock-earlier-in-netvsc_probe.patch @@ -0,0 +1,117 @@ +From foo@baz Tue Sep 11 10:24:52 CEST 2018 +From: Dexuan Cui +Date: Thu, 30 Aug 2018 05:42:13 +0000 +Subject: hv_netvsc: Fix a deadlock by getting rtnl lock earlier in netvsc_probe() + +From: Dexuan Cui + +[ Upstream commit e04e7a7bbd4bbabef4e1a58367e5fc9b2edc3b10 ] + +This patch fixes the race between netvsc_probe() and +rndis_set_subchannel(), which can cause a deadlock. + +These are the related 3 paths which show the deadlock: + +path #1: + Workqueue: hv_vmbus_con vmbus_onmessage_work [hv_vmbus] + Call Trace: + schedule + schedule_preempt_disabled + __mutex_lock + __device_attach + bus_probe_device + device_add + vmbus_device_register + vmbus_onoffer + vmbus_onmessage_work + process_one_work + worker_thread + kthread + ret_from_fork + +path #2: + schedule + schedule_preempt_disabled + __mutex_lock + netvsc_probe + vmbus_probe + really_probe + __driver_attach + bus_for_each_dev + driver_attach_async + async_run_entry_fn + process_one_work + worker_thread + kthread + ret_from_fork + +path #3: + Workqueue: events netvsc_subchan_work [hv_netvsc] + Call Trace: + schedule + rndis_set_subchannel + netvsc_subchan_work + process_one_work + worker_thread + kthread + ret_from_fork + +Before path #1 finishes, path #2 can start to run, because just before +the "bus_probe_device(dev);" in device_add() in path #1, there is a line +"object_uevent(&dev->kobj, KOBJ_ADD);", so systemd-udevd can +immediately try to load hv_netvsc and hence path #2 can start to run. + +Next, path #2 offloads the subchannal's initialization to a workqueue, +i.e. path #3, so we can end up in a deadlock situation like this: + +Path #2 gets the device lock, and is trying to get the rtnl lock; +Path #3 gets the rtnl lock and is waiting for all the subchannel messages +to be processed; +Path #1 is trying to get the device lock, but since #2 is not releasing +the device lock, path #1 has to sleep; since the VMBus messages are +processed one by one, this means the sub-channel messages can't be +procedded, so #3 has to sleep with the rtnl lock held, and finally #2 +has to sleep... Now all the 3 paths are sleeping and we hit the deadlock. + +With the patch, we can make sure #2 gets both the device lock and the +rtnl lock together, gets its job done, and releases the locks, so #1 +and #3 will not be blocked for ever. + +Fixes: 8195b1396ec8 ("hv_netvsc: fix deadlock on hotplug") +Signed-off-by: Dexuan Cui +Cc: Stephen Hemminger +Cc: K. Y. Srinivasan +Cc: Haiyang Zhang +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/hyperv/netvsc_drv.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +--- a/drivers/net/hyperv/netvsc_drv.c ++++ b/drivers/net/hyperv/netvsc_drv.c +@@ -2101,6 +2101,16 @@ static int netvsc_probe(struct hv_device + + memcpy(net->dev_addr, device_info.mac_adr, ETH_ALEN); + ++ /* We must get rtnl lock before scheduling nvdev->subchan_work, ++ * otherwise netvsc_subchan_work() can get rtnl lock first and wait ++ * all subchannels to show up, but that may not happen because ++ * netvsc_probe() can't get rtnl lock and as a result vmbus_onoffer() ++ * -> ... -> device_add() -> ... -> __device_attach() can't get ++ * the device lock, so all the subchannels can't be processed -- ++ * finally netvsc_subchan_work() hangs for ever. ++ */ ++ rtnl_lock(); ++ + if (nvdev->num_chn > 1) + schedule_work(&nvdev->subchan_work); + +@@ -2119,7 +2129,6 @@ static int netvsc_probe(struct hv_device + else + net->max_mtu = ETH_DATA_LEN; + +- rtnl_lock(); + ret = register_netdevice(net); + if (ret != 0) { + pr_err("Unable to register netdev.\n"); diff --git a/queue-4.18/hv_netvsc-ignore-devices-that-are-not-pci.patch b/queue-4.18/hv_netvsc-ignore-devices-that-are-not-pci.patch new file mode 100644 index 00000000000..10ff259fcd2 --- /dev/null +++ b/queue-4.18/hv_netvsc-ignore-devices-that-are-not-pci.patch @@ -0,0 +1,48 @@ +From foo@baz Tue Sep 11 10:24:52 CEST 2018 +From: Stephen Hemminger +Date: Tue, 21 Aug 2018 10:40:38 -0700 +Subject: hv_netvsc: ignore devices that are not PCI + +From: Stephen Hemminger + +[ Upstream commit b93c1b5ac8643cc08bb74fa8ae21d6c63dfcb23d ] + +Registering another device with same MAC address (such as TAP, VPN or +DPDK KNI) will confuse the VF autobinding logic. Restrict the search +to only run if the device is known to be a PCI attached VF. + +Fixes: e8ff40d4bff1 ("hv_netvsc: improve VF device matching") +Signed-off-by: Stephen Hemminger +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/hyperv/netvsc_drv.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/net/hyperv/netvsc_drv.c ++++ b/drivers/net/hyperv/netvsc_drv.c +@@ -29,6 +29,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -1939,12 +1940,16 @@ static int netvsc_register_vf(struct net + { + struct net_device *ndev; + struct net_device_context *net_device_ctx; ++ struct device *pdev = vf_netdev->dev.parent; + struct netvsc_device *netvsc_dev; + int ret; + + if (vf_netdev->addr_len != ETH_ALEN) + return NOTIFY_DONE; + ++ if (!pdev || !dev_is_pci(pdev) || dev_is_pf(pdev)) ++ return NOTIFY_DONE; ++ + /* + * We will use the MAC address to locate the synthetic interface to + * associate with the VF interface. If we don't find a matching diff --git a/queue-4.18/ip6_vti-fix-a-null-pointer-deference-when-destroy-vti6-tunnel.patch b/queue-4.18/ip6_vti-fix-a-null-pointer-deference-when-destroy-vti6-tunnel.patch new file mode 100644 index 00000000000..c9ca74074f5 --- /dev/null +++ b/queue-4.18/ip6_vti-fix-a-null-pointer-deference-when-destroy-vti6-tunnel.patch @@ -0,0 +1,69 @@ +From foo@baz Tue Sep 11 10:24:52 CEST 2018 +From: Haishuang Yan +Date: Mon, 20 Aug 2018 10:51:05 +0800 +Subject: ip6_vti: fix a null pointer deference when destroy vti6 tunnel + +From: Haishuang Yan + +[ Upstream commit 9c86336c15db1c48cbaddff56caf2be0a930e991 ] + +If load ip6_vti module and create a network namespace when set +fb_tunnels_only_for_init_net to 1, then exit the namespace will +cause following crash: + +[ 6601.677036] BUG: unable to handle kernel NULL pointer dereference at 0000000000000008 +[ 6601.679057] PGD 8000000425eca067 P4D 8000000425eca067 PUD 424292067 PMD 0 +[ 6601.680483] Oops: 0000 [#1] SMP PTI +[ 6601.681223] CPU: 7 PID: 93 Comm: kworker/u16:1 Kdump: loaded Tainted: G E 4.18.0+ #3 +[ 6601.683153] Hardware name: Fedora Project OpenStack Nova, BIOS seabios-1.7.5-11.el7 04/01/2014 +[ 6601.684919] Workqueue: netns cleanup_net +[ 6601.685742] RIP: 0010:vti6_exit_batch_net+0x87/0xd0 [ip6_vti] +[ 6601.686932] Code: 7b 08 48 89 e6 e8 b9 ea d3 dd 48 8b 1b 48 85 db 75 ec 48 83 c5 08 48 81 fd 00 01 00 00 75 d5 49 8b 84 24 08 01 00 00 48 89 e6 <48> 8b 78 08 e8 90 ea d3 dd 49 8b 45 28 49 39 c6 4c 8d 68 d8 75 a1 +[ 6601.690735] RSP: 0018:ffffa897c2737de0 EFLAGS: 00010246 +[ 6601.691846] RAX: 0000000000000000 RBX: 0000000000000000 RCX: dead000000000200 +[ 6601.693324] RDX: 0000000000000015 RSI: ffffa897c2737de0 RDI: ffffffff9f2ea9e0 +[ 6601.694824] RBP: 0000000000000100 R08: 0000000000000000 R09: 0000000000000000 +[ 6601.696314] R10: 0000000000000001 R11: 0000000000000000 R12: ffff8dc323c07e00 +[ 6601.697812] R13: ffff8dc324a63100 R14: ffffa897c2737e30 R15: ffffa897c2737e30 +[ 6601.699345] FS: 0000000000000000(0000) GS:ffff8dc33fdc0000(0000) knlGS:0000000000000000 +[ 6601.701068] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 6601.702282] CR2: 0000000000000008 CR3: 0000000424966002 CR4: 00000000001606e0 +[ 6601.703791] Call Trace: +[ 6601.704329] cleanup_net+0x1b4/0x2c0 +[ 6601.705268] process_one_work+0x16c/0x370 +[ 6601.706145] worker_thread+0x49/0x3e0 +[ 6601.706942] kthread+0xf8/0x130 +[ 6601.707626] ? rescuer_thread+0x340/0x340 +[ 6601.708476] ? kthread_bind+0x10/0x10 +[ 6601.709266] ret_from_fork+0x35/0x40 + +Reproduce: +modprobe ip6_vti +echo 1 > /proc/sys/net/core/fb_tunnels_only_for_init_net +unshare -n +exit + +This because ip6n->tnls_wc[0] point to fallback device in default, but +in non-default namespace, ip6n->tnls_wc[0] will be NULL, so add the NULL +check comparatively. + +Fixes: e2948e5af8ee ("ip6_vti: fix creating fallback tunnel device for vti6") +Signed-off-by: Haishuang Yan +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/ip6_vti.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/ipv6/ip6_vti.c ++++ b/net/ipv6/ip6_vti.c +@@ -1102,7 +1102,8 @@ static void __net_exit vti6_destroy_tunn + } + + t = rtnl_dereference(ip6n->tnls_wc[0]); +- unregister_netdevice_queue(t->dev, list); ++ if (t) ++ unregister_netdevice_queue(t->dev, list); + } + + static int __net_init vti6_init_net(struct net *net) diff --git a/queue-4.18/ip6_vti-fix-creating-fallback-tunnel-device-for-vti6.patch b/queue-4.18/ip6_vti-fix-creating-fallback-tunnel-device-for-vti6.patch new file mode 100644 index 00000000000..d146c3cbca8 --- /dev/null +++ b/queue-4.18/ip6_vti-fix-creating-fallback-tunnel-device-for-vti6.patch @@ -0,0 +1,40 @@ +From foo@baz Tue Sep 11 10:24:52 CEST 2018 +From: Haishuang Yan +Date: Sun, 19 Aug 2018 15:05:05 +0800 +Subject: ip6_vti: fix creating fallback tunnel device for vti6 + +From: Haishuang Yan + +[ Upstream commit e2948e5af8eeb6c945000772b7613b0323a0a203 ] + +When set fb_tunnels_only_for_init_net to 1, don't create fallback tunnel +device for vti6 when a new namespace is created. + +Tested: +[root@builder2 ~]# modprobe ip6_tunnel +[root@builder2 ~]# modprobe ip6_vti +[root@builder2 ~]# echo 1 > /proc/sys/net/core/fb_tunnels_only_for_init_net +[root@builder2 ~]# unshare -n +[root@builder2 ~]# ip link +1: lo: mtu 65536 qdisc noop state DOWN mode DEFAULT group +default qlen 1000 + link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 + +Signed-off-by: Haishuang Yan +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/ip6_vti.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/net/ipv6/ip6_vti.c ++++ b/net/ipv6/ip6_vti.c +@@ -1114,6 +1114,8 @@ static int __net_init vti6_init_net(stru + ip6n->tnls[0] = ip6n->tnls_wc; + ip6n->tnls[1] = ip6n->tnls_r_l; + ++ if (!net_has_fallback_tunnels(net)) ++ return 0; + err = -ENOMEM; + ip6n->fb_tnl_dev = alloc_netdev(sizeof(struct ip6_tnl), "ip6_vti0", + NET_NAME_UNKNOWN, vti6_dev_setup); diff --git a/queue-4.18/ipv4-tcp-send-zero-ipid-for-rst-and-ack-sent-in-syn-recv-and-time-wait-state.patch b/queue-4.18/ipv4-tcp-send-zero-ipid-for-rst-and-ack-sent-in-syn-recv-and-time-wait-state.patch new file mode 100644 index 00000000000..bc6f8e704d2 --- /dev/null +++ b/queue-4.18/ipv4-tcp-send-zero-ipid-for-rst-and-ack-sent-in-syn-recv-and-time-wait-state.patch @@ -0,0 +1,51 @@ +From foo@baz Tue Sep 11 10:24:52 CEST 2018 +From: Eric Dumazet +Date: Wed, 22 Aug 2018 13:30:45 -0700 +Subject: ipv4: tcp: send zero IPID for RST and ACK sent in SYN-RECV and TIME-WAIT state + +From: Eric Dumazet + +[ Upstream commit 431280eebed9f5079553daf003011097763e71fd ] + +tcp uses per-cpu (and per namespace) sockets (net->ipv4.tcp_sk) internally +to send some control packets. + +1) RST packets, through tcp_v4_send_reset() +2) ACK packets in SYN-RECV and TIME-WAIT state, through tcp_v4_send_ack() + +These packets assert IP_DF, and also use the hashed IP ident generator +to provide an IPv4 ID number. + +Geoff Alexander reported this could be used to build off-path attacks. + +These packets should not be fragmented, since their size is smaller than +IPV4_MIN_MTU. Only some tunneled paths could eventually have to fragment, +regardless of inner IPID. + +We really can use zero IPID, to address the flaw, and as a bonus, +avoid a couple of atomic operations in ip_idents_reserve() + +Signed-off-by: Eric Dumazet +Reported-by: Geoff Alexander +Tested-by: Geoff Alexander +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/tcp_ipv4.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/net/ipv4/tcp_ipv4.c ++++ b/net/ipv4/tcp_ipv4.c +@@ -2516,6 +2516,12 @@ static int __net_init tcp_sk_init(struct + if (res) + goto fail; + sock_set_flag(sk, SOCK_USE_WRITE_QUEUE); ++ ++ /* Please enforce IP_DF and IPID==0 for RST and ++ * ACK sent in SYN-RECV and TIME-WAIT state. ++ */ ++ inet_sk(sk)->pmtudisc = IP_PMTUDISC_DO; ++ + *per_cpu_ptr(net->ipv4.tcp_sk, cpu) = sk; + } + diff --git a/queue-4.18/ipv6-don-t-get-lwtstate-twice-in-ip6_rt_copy_init.patch b/queue-4.18/ipv6-don-t-get-lwtstate-twice-in-ip6_rt_copy_init.patch new file mode 100644 index 00000000000..cbcf7691701 --- /dev/null +++ b/queue-4.18/ipv6-don-t-get-lwtstate-twice-in-ip6_rt_copy_init.patch @@ -0,0 +1,59 @@ +From foo@baz Tue Sep 11 10:24:52 CEST 2018 +From: Alexey Kodanev +Date: Thu, 30 Aug 2018 19:11:24 +0300 +Subject: ipv6: don't get lwtstate twice in ip6_rt_copy_init() + +From: Alexey Kodanev + +[ Upstream commit 93bbadd6e0a2a58e49d265b9b1aa58e621b60a26 ] + +Commit 80f1a0f4e0cd ("net/ipv6: Put lwtstate when destroying fib6_info") +partially fixed the kmemleak [1], lwtstate can be copied from fib6_info, +with ip6_rt_copy_init(), and it should be done only once there. + +rt->dst.lwtstate is set by ip6_rt_init_dst(), at the start of the function +ip6_rt_copy_init(), so there is no need to get it again at the end. + +With this patch, lwtstate also isn't copied from RTF_REJECT routes. + +[1]: +unreferenced object 0xffff880b6aaa14e0 (size 64): + comm "ip", pid 10577, jiffies 4295149341 (age 1273.903s) + hex dump (first 32 bytes): + 01 00 04 00 04 00 00 00 10 00 00 00 00 00 00 00 ................ + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + backtrace: + [<0000000018664623>] lwtunnel_build_state+0x1bc/0x420 + [<00000000b73aa29a>] ip6_route_info_create+0x9f7/0x1fd0 + [<00000000ee2c5d1f>] ip6_route_add+0x14/0x70 + [<000000008537b55c>] inet6_rtm_newroute+0xd9/0xe0 + [<000000002acc50f5>] rtnetlink_rcv_msg+0x66f/0x8e0 + [<000000008d9cd381>] netlink_rcv_skb+0x268/0x3b0 + [<000000004c893c76>] netlink_unicast+0x417/0x5a0 + [<00000000f2ab1afb>] netlink_sendmsg+0x70b/0xc30 + [<00000000890ff0aa>] sock_sendmsg+0xb1/0xf0 + [<00000000a2e7b66f>] ___sys_sendmsg+0x659/0x950 + [<000000001e7426c8>] __sys_sendmsg+0xde/0x170 + [<00000000fe411443>] do_syscall_64+0x9f/0x4a0 + [<000000001be7b28b>] entry_SYSCALL_64_after_hwframe+0x49/0xbe + [<000000006d21f353>] 0xffffffffffffffff + +Fixes: 6edb3c96a5f0 ("net/ipv6: Defer initialization of dst to data path") +Signed-off-by: Alexey Kodanev +Reviewed-by: David Ahern +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/route.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/net/ipv6/route.c ++++ b/net/ipv6/route.c +@@ -996,7 +996,6 @@ static void ip6_rt_copy_init(struct rt6_ + rt->rt6i_src = ort->fib6_src; + #endif + rt->rt6i_prefsrc = ort->fib6_prefsrc; +- rt->dst.lwtstate = lwtstate_get(ort->fib6_nh.nh_lwtstate); + } + + static struct fib6_node* fib6_backtrack(struct fib6_node *fn, diff --git a/queue-4.18/mlxsw-spectrum_switchdev-do-not-leak-rifs-when-removing-bridge.patch b/queue-4.18/mlxsw-spectrum_switchdev-do-not-leak-rifs-when-removing-bridge.patch new file mode 100644 index 00000000000..e0f45ddf111 --- /dev/null +++ b/queue-4.18/mlxsw-spectrum_switchdev-do-not-leak-rifs-when-removing-bridge.patch @@ -0,0 +1,108 @@ +From foo@baz Tue Sep 11 10:24:52 CEST 2018 +From: Ido Schimmel +Date: Fri, 24 Aug 2018 15:41:35 +0300 +Subject: mlxsw: spectrum_switchdev: Do not leak RIFs when removing bridge + +From: Ido Schimmel + +[ Upstream commit 602b74eda81311dbdb5dbab08c30f789f648ebdc ] + +When a bridge device is removed, the VLANs are flushed from each +configured port. This causes the ports to decrement the reference count +on the associated FIDs (filtering identifier). If the reference count of +a FID is 1 and it has a RIF (router interface), then this RIF is +destroyed. + +However, if no port is member in the VLAN for which a RIF exists, then +the RIF will continue to exist after the removal of the bridge. To +reproduce: + +# ip link add name br0 type bridge vlan_filtering 1 +# ip link set dev swp1 master br0 +# ip link add link br0 name br0.10 type vlan id 10 +# ip address add 192.0.2.0/24 dev br0.10 +# ip link del dev br0 + +The RIF associated with br0.10 continues to exist. + +Fix this by iterating over all the bridge device uppers when it is +destroyed and take care of destroying their RIFs. + +Fixes: 99f44bb3527b ("mlxsw: spectrum: Enable L3 interfaces on top of bridge devices") +Signed-off-by: Ido Schimmel +Reviewed-by: Petr Machata +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlxsw/spectrum.h | 2 + + drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c | 11 ++++++++ + drivers/net/ethernet/mellanox/mlxsw/spectrum_switchdev.c | 20 +++++++++++++++ + 3 files changed, 33 insertions(+) + +--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum.h ++++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum.h +@@ -433,6 +433,8 @@ mlxsw_sp_netdevice_ipip_ul_event(struct + void + mlxsw_sp_port_vlan_router_leave(struct mlxsw_sp_port_vlan *mlxsw_sp_port_vlan); + void mlxsw_sp_rif_destroy(struct mlxsw_sp_rif *rif); ++void mlxsw_sp_rif_destroy_by_dev(struct mlxsw_sp *mlxsw_sp, ++ struct net_device *dev); + + /* spectrum_kvdl.c */ + int mlxsw_sp_kvdl_init(struct mlxsw_sp *mlxsw_sp); +--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c ++++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c +@@ -6228,6 +6228,17 @@ void mlxsw_sp_rif_destroy(struct mlxsw_s + mlxsw_sp_vr_put(mlxsw_sp, vr); + } + ++void mlxsw_sp_rif_destroy_by_dev(struct mlxsw_sp *mlxsw_sp, ++ struct net_device *dev) ++{ ++ struct mlxsw_sp_rif *rif; ++ ++ rif = mlxsw_sp_rif_find_by_dev(mlxsw_sp, dev); ++ if (!rif) ++ return; ++ mlxsw_sp_rif_destroy(rif); ++} ++ + static void + mlxsw_sp_rif_subport_params_init(struct mlxsw_sp_rif_params *params, + struct mlxsw_sp_port_vlan *mlxsw_sp_port_vlan) +--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_switchdev.c ++++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_switchdev.c +@@ -160,6 +160,24 @@ bool mlxsw_sp_bridge_device_is_offloaded + return !!mlxsw_sp_bridge_device_find(mlxsw_sp->bridge, br_dev); + } + ++static int mlxsw_sp_bridge_device_upper_rif_destroy(struct net_device *dev, ++ void *data) ++{ ++ struct mlxsw_sp *mlxsw_sp = data; ++ ++ mlxsw_sp_rif_destroy_by_dev(mlxsw_sp, dev); ++ return 0; ++} ++ ++static void mlxsw_sp_bridge_device_rifs_destroy(struct mlxsw_sp *mlxsw_sp, ++ struct net_device *dev) ++{ ++ mlxsw_sp_rif_destroy_by_dev(mlxsw_sp, dev); ++ netdev_walk_all_upper_dev_rcu(dev, ++ mlxsw_sp_bridge_device_upper_rif_destroy, ++ mlxsw_sp); ++} ++ + static struct mlxsw_sp_bridge_device * + mlxsw_sp_bridge_device_create(struct mlxsw_sp_bridge *bridge, + struct net_device *br_dev) +@@ -198,6 +216,8 @@ static void + mlxsw_sp_bridge_device_destroy(struct mlxsw_sp_bridge *bridge, + struct mlxsw_sp_bridge_device *bridge_device) + { ++ mlxsw_sp_bridge_device_rifs_destroy(bridge->mlxsw_sp, ++ bridge_device->dev); + list_del(&bridge_device->list); + if (bridge_device->vlan_enabled) + bridge->vlan_enabled_exists = false; diff --git a/queue-4.18/net-bcmgenet-use-mac-link-status-for-fixed-phy.patch b/queue-4.18/net-bcmgenet-use-mac-link-status-for-fixed-phy.patch new file mode 100644 index 00000000000..ed671a6ce11 --- /dev/null +++ b/queue-4.18/net-bcmgenet-use-mac-link-status-for-fixed-phy.patch @@ -0,0 +1,56 @@ +From foo@baz Tue Sep 11 10:24:52 CEST 2018 +From: Doug Berger +Date: Tue, 28 Aug 2018 12:33:15 -0700 +Subject: net: bcmgenet: use MAC link status for fixed phy + +From: Doug Berger + +[ Upstream commit c3c397c1f16c51601a3fac4fe0c63ad8aa85a904 ] + +When using the fixed PHY with GENET (e.g. MOCA) the PHY link +status can be determined from the internal link status captured +by the MAC. This allows the PHY state machine to use the correct +link state with the fixed PHY even if MAC link event interrupts +are missed when the net device is opened. + +Fixes: 8d88c6ebb34c ("net: bcmgenet: enable MoCA link state change detection") +Signed-off-by: Doug Berger +Reviewed-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/broadcom/genet/bcmgenet.h | 3 +++ + drivers/net/ethernet/broadcom/genet/bcmmii.c | 10 ++++++++-- + 2 files changed, 11 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.h ++++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.h +@@ -186,6 +186,9 @@ struct bcmgenet_mib_counters { + #define UMAC_MAC1 0x010 + #define UMAC_MAX_FRAME_LEN 0x014 + ++#define UMAC_MODE 0x44 ++#define MODE_LINK_STATUS (1 << 5) ++ + #define UMAC_EEE_CTRL 0x064 + #define EN_LPI_RX_PAUSE (1 << 0) + #define EN_LPI_TX_PFC (1 << 1) +--- a/drivers/net/ethernet/broadcom/genet/bcmmii.c ++++ b/drivers/net/ethernet/broadcom/genet/bcmmii.c +@@ -115,8 +115,14 @@ void bcmgenet_mii_setup(struct net_devic + static int bcmgenet_fixed_phy_link_update(struct net_device *dev, + struct fixed_phy_status *status) + { +- if (dev && dev->phydev && status) +- status->link = dev->phydev->link; ++ struct bcmgenet_priv *priv; ++ u32 reg; ++ ++ if (dev && dev->phydev && status) { ++ priv = netdev_priv(dev); ++ reg = bcmgenet_umac_readl(priv, UMAC_MODE); ++ status->link = !!(reg & MODE_LINK_STATUS); ++ } + + return 0; + } diff --git a/queue-4.18/net-ipv6-init-ip6-anycast-rt-dst.input-as-ip6_input.patch b/queue-4.18/net-ipv6-init-ip6-anycast-rt-dst.input-as-ip6_input.patch new file mode 100644 index 00000000000..a7ee9f59249 --- /dev/null +++ b/queue-4.18/net-ipv6-init-ip6-anycast-rt-dst.input-as-ip6_input.patch @@ -0,0 +1,33 @@ +From foo@baz Tue Sep 11 10:24:52 CEST 2018 +From: Hangbin Liu +Date: Thu, 23 Aug 2018 11:31:37 +0800 +Subject: net/ipv6: init ip6 anycast rt->dst.input as ip6_input + +From: Hangbin Liu + +[ Upstream commit d23c4b6336ef30898dcdff351f21e633e7a64930 ] + +Commit 6edb3c96a5f02 ("net/ipv6: Defer initialization of dst to data path") +forgot to handle anycast route and init anycast rt->dst.input to ip6_forward. +Fix it by setting anycast rt->dst.input back to ip6_input. + +Fixes: 6edb3c96a5f02 ("net/ipv6: Defer initialization of dst to data path") +Signed-off-by: Hangbin Liu +Reviewed-by: David Ahern +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/route.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/ipv6/route.c ++++ b/net/ipv6/route.c +@@ -956,7 +956,7 @@ static void ip6_rt_init_dst(struct rt6_i + rt->dst.error = 0; + rt->dst.output = ip6_output; + +- if (ort->fib6_type == RTN_LOCAL) { ++ if (ort->fib6_type == RTN_LOCAL || ort->fib6_type == RTN_ANYCAST) { + rt->dst.input = ip6_input; + } else if (ipv6_addr_type(&ort->fib6_dst.addr) & IPV6_ADDR_MULTICAST) { + rt->dst.input = ip6_mc_input; diff --git a/queue-4.18/net-ipv6-only-update-mtu-metric-if-it-set.patch b/queue-4.18/net-ipv6-only-update-mtu-metric-if-it-set.patch new file mode 100644 index 00000000000..120d75026c5 --- /dev/null +++ b/queue-4.18/net-ipv6-only-update-mtu-metric-if-it-set.patch @@ -0,0 +1,49 @@ +From foo@baz Tue Sep 11 10:24:52 CEST 2018 +From: David Ahern +Date: Thu, 30 Aug 2018 14:15:43 -0700 +Subject: net/ipv6: Only update MTU metric if it set + +From: David Ahern + +[ Upstream commit 15a81b418e22a9aa4a0504471fdcb0f4ebf69b96 ] + +Jan reported a regression after an update to 4.18.5. In this case ipv6 +default route is setup by systemd-networkd based on data from an RA. The +RA contains an MTU of 1492 which is used when the route is first inserted +but then systemd-networkd pushes down updates to the default route +without the mtu set. + +Prior to the change to fib6_info, metrics such as MTU were held in the +dst_entry and rt6i_pmtu in rt6_info contained an update to the mtu if +any. ip6_mtu would look at rt6i_pmtu first and use it if set. If not, +the value from the metrics is used if it is set and finally falling +back to the idev value. + +After the fib6_info change metrics are contained in the fib6_info struct +and there is no equivalent to rt6i_pmtu. To maintain consistency with +the old behavior the new code should only reset the MTU in the metrics +if the route update has it set. + +Fixes: d4ead6b34b67 ("net/ipv6: move metrics from dst to rt6_info") +Reported-by: Jan Janssen +Signed-off-by: David Ahern +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/ip6_fib.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/net/ipv6/ip6_fib.c ++++ b/net/ipv6/ip6_fib.c +@@ -987,7 +987,10 @@ static int fib6_add_rt2node(struct fib6_ + fib6_clean_expires(iter); + else + fib6_set_expires(iter, rt->expires); +- fib6_metric_set(iter, RTAX_MTU, rt->fib6_pmtu); ++ ++ if (rt->fib6_pmtu) ++ fib6_metric_set(iter, RTAX_MTU, ++ rt->fib6_pmtu); + return -EEXIST; + } + /* If we have the same destination and the same metric, diff --git a/queue-4.18/net-ipv6-put-lwtstate-when-destroying-fib6_info.patch b/queue-4.18/net-ipv6-put-lwtstate-when-destroying-fib6_info.patch new file mode 100644 index 00000000000..0efb2f3ece6 --- /dev/null +++ b/queue-4.18/net-ipv6-put-lwtstate-when-destroying-fib6_info.patch @@ -0,0 +1,32 @@ +From foo@baz Tue Sep 11 10:24:52 CEST 2018 +From: David Ahern +Date: Mon, 20 Aug 2018 13:02:41 -0700 +Subject: net/ipv6: Put lwtstate when destroying fib6_info + +From: David Ahern + +[ Upstream commit 80f1a0f4e0cd4bfc8a74fc1c39843a6e7b206b95 ] + +Prior to the introduction of fib6_info lwtstate was managed by the dst +code. With fib6_info releasing lwtstate needs to be done when the struct +is freed. + +Fixes: 93531c674315 ("net/ipv6: separate handling of FIB entries from dst based routes") +Signed-off-by: David Ahern +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/ip6_fib.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/net/ipv6/ip6_fib.c ++++ b/net/ipv6/ip6_fib.c +@@ -198,6 +198,8 @@ void fib6_info_destroy_rcu(struct rcu_he + } + } + ++ lwtstate_put(f6i->fib6_nh.nh_lwtstate); ++ + if (f6i->fib6_nh.nh_dev) + dev_put(f6i->fib6_nh.nh_dev); + diff --git a/queue-4.18/net-macb-do-not-disable-mdio-bus-at-open-close-time.patch b/queue-4.18/net-macb-do-not-disable-mdio-bus-at-open-close-time.patch new file mode 100644 index 00000000000..fb6acc920ac --- /dev/null +++ b/queue-4.18/net-macb-do-not-disable-mdio-bus-at-open-close-time.patch @@ -0,0 +1,66 @@ +From foo@baz Tue Sep 11 10:24:52 CEST 2018 +From: Anssi Hannula +Date: Thu, 23 Aug 2018 10:45:22 +0300 +Subject: net: macb: do not disable MDIO bus at open/close time + +From: Anssi Hannula + +[ Upstream commit 0da70f808029476001109b6cb076737bc04cea2e ] + +macb_reset_hw() is called from macb_close() and indirectly from +macb_open(). macb_reset_hw() zeroes the NCR register, including the MPE +(Management Port Enable) bit. + +This will prevent accessing any other PHYs for other Ethernet MACs on +the MDIO bus, which remains registered at macb_reset_hw() time, until +macb_init_hw() is called from macb_open() which sets the MPE bit again. + +I.e. currently the MDIO bus has a short disruption at open time and is +disabled at close time until the interface is opened again. + +Fix that by only touching the RE and TE bits when enabling and disabling +RX/TX. + +v2: Make macb_init_hw() NCR write a single statement. + +Fixes: 6c36a7074436 ("macb: Use generic PHY layer") +Signed-off-by: Anssi Hannula +Reviewed-by: Claudiu Beznea +Tested-by: Claudiu Beznea +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/cadence/macb_main.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +--- a/drivers/net/ethernet/cadence/macb_main.c ++++ b/drivers/net/ethernet/cadence/macb_main.c +@@ -1957,14 +1957,17 @@ static void macb_reset_hw(struct macb *b + { + struct macb_queue *queue; + unsigned int q; ++ u32 ctrl = macb_readl(bp, NCR); + + /* Disable RX and TX (XXX: Should we halt the transmission + * more gracefully?) + */ +- macb_writel(bp, NCR, 0); ++ ctrl &= ~(MACB_BIT(RE) | MACB_BIT(TE)); + + /* Clear the stats registers (XXX: Update stats first?) */ +- macb_writel(bp, NCR, MACB_BIT(CLRSTAT)); ++ ctrl |= MACB_BIT(CLRSTAT); ++ ++ macb_writel(bp, NCR, ctrl); + + /* Clear all status flags */ + macb_writel(bp, TSR, -1); +@@ -2152,7 +2155,7 @@ static void macb_init_hw(struct macb *bp + } + + /* Enable TX and RX */ +- macb_writel(bp, NCR, MACB_BIT(RE) | MACB_BIT(TE) | MACB_BIT(MPE)); ++ macb_writel(bp, NCR, macb_readl(bp, NCR) | MACB_BIT(RE) | MACB_BIT(TE)); + } + + /* The hash address register is 64 bits long and takes up two diff --git a/queue-4.18/net-macb-fix-regression-breaking-non-mdio-fixed-link-phys.patch b/queue-4.18/net-macb-fix-regression-breaking-non-mdio-fixed-link-phys.patch new file mode 100644 index 00000000000..26947cd87a0 --- /dev/null +++ b/queue-4.18/net-macb-fix-regression-breaking-non-mdio-fixed-link-phys.patch @@ -0,0 +1,96 @@ +From foo@baz Tue Sep 11 10:24:52 CEST 2018 +From: Ahmad Fatoum +Date: Tue, 21 Aug 2018 17:35:48 +0200 +Subject: net: macb: Fix regression breaking non-MDIO fixed-link PHYs + +From: Ahmad Fatoum + +[ Upstream commit ab5f11055fdf8dfc3ddbd89e8e3cc550de41d1d3 ] + +commit 739de9a1563a ("net: macb: Reorganize macb_mii bringup") broke +initializing macb on the EVB-KSZ9477 eval board. +There, of_mdiobus_register was called even for the fixed-link representing +the RGMII-link to the switch with the result that the driver attempts to +enumerate PHYs on a non-existent MDIO bus: + + libphy: MACB_mii_bus: probed + mdio_bus f0028000.ethernet-ffffffff: fixed-link has invalid PHY address + mdio_bus f0028000.ethernet-ffffffff: scan phy fixed-link at address 0 + [snip] + mdio_bus f0028000.ethernet-ffffffff: scan phy fixed-link at address 31 + +The "MDIO" bus registration succeeds regardless, having claimed the reset GPIO, +and calling of_phy_register_fixed_link later on fails because it tries +to claim the same GPIO: + + macb f0028000.ethernet: broken fixed-link specification + +Fix this by registering the fixed-link before calling mdiobus_register. + +Fixes: 739de9a1563a ("net: macb: Reorganize macb_mii bringup") +Signed-off-by: Ahmad Fatoum +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/cadence/macb_main.c | 27 +++++++++++++++++---------- + 1 file changed, 17 insertions(+), 10 deletions(-) + +--- a/drivers/net/ethernet/cadence/macb_main.c ++++ b/drivers/net/ethernet/cadence/macb_main.c +@@ -481,11 +481,6 @@ static int macb_mii_probe(struct net_dev + + if (np) { + if (of_phy_is_fixed_link(np)) { +- if (of_phy_register_fixed_link(np) < 0) { +- dev_err(&bp->pdev->dev, +- "broken fixed-link specification\n"); +- return -ENODEV; +- } + bp->phy_node = of_node_get(np); + } else { + bp->phy_node = of_parse_phandle(np, "phy-handle", 0); +@@ -568,7 +563,7 @@ static int macb_mii_init(struct macb *bp + { + struct macb_platform_data *pdata; + struct device_node *np; +- int err; ++ int err = -ENXIO; + + /* Enable management port */ + macb_writel(bp, NCR, MACB_BIT(MPE)); +@@ -591,12 +586,23 @@ static int macb_mii_init(struct macb *bp + dev_set_drvdata(&bp->dev->dev, bp->mii_bus); + + np = bp->pdev->dev.of_node; +- if (pdata) +- bp->mii_bus->phy_mask = pdata->phy_mask; ++ if (np && of_phy_is_fixed_link(np)) { ++ if (of_phy_register_fixed_link(np) < 0) { ++ dev_err(&bp->pdev->dev, ++ "broken fixed-link specification %pOF\n", np); ++ goto err_out_free_mdiobus; ++ } ++ ++ err = mdiobus_register(bp->mii_bus); ++ } else { ++ if (pdata) ++ bp->mii_bus->phy_mask = pdata->phy_mask; ++ ++ err = of_mdiobus_register(bp->mii_bus, np); ++ } + +- err = of_mdiobus_register(bp->mii_bus, np); + if (err) +- goto err_out_free_mdiobus; ++ goto err_out_free_fixed_link; + + err = macb_mii_probe(bp->dev); + if (err) +@@ -606,6 +612,7 @@ static int macb_mii_init(struct macb *bp + + err_out_unregister_bus: + mdiobus_unregister(bp->mii_bus); ++err_out_free_fixed_link: + if (np && of_phy_is_fixed_link(np)) + of_phy_deregister_fixed_link(np); + err_out_free_mdiobus: diff --git a/queue-4.18/net-mlx5-fix-sq-offset-in-qps-with-small-rq.patch b/queue-4.18/net-mlx5-fix-sq-offset-in-qps-with-small-rq.patch new file mode 100644 index 00000000000..bd67ef6bb44 --- /dev/null +++ b/queue-4.18/net-mlx5-fix-sq-offset-in-qps-with-small-rq.patch @@ -0,0 +1,47 @@ +From foo@baz Tue Sep 11 10:24:52 CEST 2018 +From: Tariq Toukan +Date: Mon, 3 Sep 2018 18:06:24 +0300 +Subject: net/mlx5: Fix SQ offset in QPs with small RQ + +From: Tariq Toukan + +[ Upstream commit 639505d4397b8c654a8e2616f9cb70ece40c83f9 ] + +Correct the formula for calculating the RQ page remainder, +which should be in byte granularity. The result will be +non-zero only for RQs smaller than PAGE_SIZE, as an RQ size +is a power of 2. + +Divide this by the SQ stride (MLX5_SEND_WQE_BB) to get the +SQ offset in strides granularity. + +Fixes: d7037ad73daa ("net/mlx5: Fix QP fragmented buffer allocation") +Signed-off-by: Tariq Toukan +Reviewed-by: Eran Ben Elisha +Signed-off-by: Saeed Mahameed +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlx5/core/wq.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/mellanox/mlx5/core/wq.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/wq.c +@@ -139,14 +139,15 @@ int mlx5_wq_qp_create(struct mlx5_core_d + struct mlx5_wq_ctrl *wq_ctrl) + { + u32 sq_strides_offset; ++ u32 rq_pg_remainder; + int err; + + mlx5_fill_fbc(MLX5_GET(qpc, qpc, log_rq_stride) + 4, + MLX5_GET(qpc, qpc, log_rq_size), + &wq->rq.fbc); + +- sq_strides_offset = +- ((wq->rq.fbc.frag_sz_m1 + 1) % PAGE_SIZE) / MLX5_SEND_WQE_BB; ++ rq_pg_remainder = mlx5_wq_cyc_get_byte_size(&wq->rq) % PAGE_SIZE; ++ sq_strides_offset = rq_pg_remainder / MLX5_SEND_WQE_BB; + + mlx5_fill_fbc_offset(ilog2(MLX5_SEND_WQE_BB), + MLX5_GET(qpc, qpc, log_sq_size), diff --git a/queue-4.18/net-sched-act_pedit-fix-dump-of-extended-layered-op.patch b/queue-4.18/net-sched-act_pedit-fix-dump-of-extended-layered-op.patch new file mode 100644 index 00000000000..90f0f570e84 --- /dev/null +++ b/queue-4.18/net-sched-act_pedit-fix-dump-of-extended-layered-op.patch @@ -0,0 +1,124 @@ +From foo@baz Tue Sep 11 10:24:52 CEST 2018 +From: Davide Caratti +Date: Mon, 27 Aug 2018 22:56:22 +0200 +Subject: net/sched: act_pedit: fix dump of extended layered op + +From: Davide Caratti + +[ Upstream commit 85eb9af182243ce9a8b72410d5321c440ac5f8d7 ] + +in the (rare) case of failure in nla_nest_start(), missing NULL checks in +tcf_pedit_key_ex_dump() can make the following command + + # tc action add action pedit ex munge ip ttl set 64 + +dereference a NULL pointer: + + BUG: unable to handle kernel NULL pointer dereference at 0000000000000000 + PGD 800000007d1cd067 P4D 800000007d1cd067 PUD 7acd3067 PMD 0 + Oops: 0002 [#1] SMP PTI + CPU: 0 PID: 3336 Comm: tc Tainted: G E 4.18.0.pedit+ #425 + Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011 + RIP: 0010:tcf_pedit_dump+0x19d/0x358 [act_pedit] + Code: be 02 00 00 00 48 89 df 66 89 44 24 20 e8 9b b1 fd e0 85 c0 75 46 8b 83 c8 00 00 00 49 83 c5 08 48 03 83 d0 00 00 00 4d 39 f5 <66> 89 04 25 00 00 00 00 0f 84 81 01 00 00 41 8b 45 00 48 8d 4c 24 + RSP: 0018:ffffb5d4004478a8 EFLAGS: 00010246 + RAX: ffff8880fcda2070 RBX: ffff8880fadd2900 RCX: 0000000000000000 + RDX: 0000000000000002 RSI: ffffb5d4004478ca RDI: ffff8880fcda206e + RBP: ffff8880fb9cb900 R08: 0000000000000008 R09: ffff8880fcda206e + R10: ffff8880fadd2900 R11: 0000000000000000 R12: ffff8880fd26cf40 + R13: ffff8880fc957430 R14: ffff8880fc957430 R15: ffff8880fb9cb988 + FS: 00007f75a537a740(0000) GS:ffff8880fda00000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 0000000000000000 CR3: 000000007a2fa005 CR4: 00000000001606f0 + Call Trace: + ? __nla_reserve+0x38/0x50 + tcf_action_dump_1+0xd2/0x130 + tcf_action_dump+0x6a/0xf0 + tca_get_fill.constprop.31+0xa3/0x120 + tcf_action_add+0xd1/0x170 + tc_ctl_action+0x137/0x150 + rtnetlink_rcv_msg+0x263/0x2d0 + ? _cond_resched+0x15/0x40 + ? rtnl_calcit.isra.30+0x110/0x110 + netlink_rcv_skb+0x4d/0x130 + netlink_unicast+0x1a3/0x250 + netlink_sendmsg+0x2ae/0x3a0 + sock_sendmsg+0x36/0x40 + ___sys_sendmsg+0x26f/0x2d0 + ? do_wp_page+0x8e/0x5f0 + ? handle_pte_fault+0x6c3/0xf50 + ? __handle_mm_fault+0x38e/0x520 + ? __sys_sendmsg+0x5e/0xa0 + __sys_sendmsg+0x5e/0xa0 + do_syscall_64+0x5b/0x180 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + RIP: 0033:0x7f75a4583ba0 + Code: c3 48 8b 05 f2 62 2c 00 f7 db 64 89 18 48 83 cb ff eb dd 0f 1f 80 00 00 00 00 83 3d fd c3 2c 00 00 75 10 b8 2e 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 ae cc 00 00 48 89 04 24 + RSP: 002b:00007fff60ee7418 EFLAGS: 00000246 ORIG_RAX: 000000000000002e + RAX: ffffffffffffffda RBX: 00007fff60ee7540 RCX: 00007f75a4583ba0 + RDX: 0000000000000000 RSI: 00007fff60ee7490 RDI: 0000000000000003 + RBP: 000000005b842d3e R08: 0000000000000002 R09: 0000000000000000 + R10: 00007fff60ee6ea0 R11: 0000000000000246 R12: 0000000000000000 + R13: 00007fff60ee7554 R14: 0000000000000001 R15: 000000000066c100 + Modules linked in: act_pedit(E) ip6table_filter ip6_tables iptable_filter binfmt_misc crct10dif_pclmul ext4 crc32_pclmul mbcache ghash_clmulni_intel jbd2 pcbc snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hda_core snd_hwdep snd_seq snd_seq_device snd_pcm aesni_intel crypto_simd snd_timer cryptd glue_helper snd joydev pcspkr soundcore virtio_balloon i2c_piix4 nfsd auth_rpcgss nfs_acl lockd grace sunrpc ip_tables xfs libcrc32c ata_generic pata_acpi virtio_net net_failover virtio_blk virtio_console failover qxl crc32c_intel drm_kms_helper syscopyarea serio_raw sysfillrect sysimgblt fb_sys_fops ttm drm ata_piix virtio_pci libata virtio_ring i2c_core virtio floppy dm_mirror dm_region_hash dm_log dm_mod [last unloaded: act_pedit] + CR2: 0000000000000000 + +Like it's done for other TC actions, give up dumping pedit rules and return +an error if nla_nest_start() returns NULL. + +Fixes: 71d0ed7079df ("net/act_pedit: Support using offset relative to the conventional network headers") +Signed-off-by: Davide Caratti +Acked-by: Cong Wang +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/sched/act_pedit.c | 18 +++++++++++++----- + 1 file changed, 13 insertions(+), 5 deletions(-) + +--- a/net/sched/act_pedit.c ++++ b/net/sched/act_pedit.c +@@ -109,16 +109,18 @@ static int tcf_pedit_key_ex_dump(struct + { + struct nlattr *keys_start = nla_nest_start(skb, TCA_PEDIT_KEYS_EX); + ++ if (!keys_start) ++ goto nla_failure; + for (; n > 0; n--) { + struct nlattr *key_start; + + key_start = nla_nest_start(skb, TCA_PEDIT_KEY_EX); ++ if (!key_start) ++ goto nla_failure; + + if (nla_put_u16(skb, TCA_PEDIT_KEY_EX_HTYPE, keys_ex->htype) || +- nla_put_u16(skb, TCA_PEDIT_KEY_EX_CMD, keys_ex->cmd)) { +- nlmsg_trim(skb, keys_start); +- return -EINVAL; +- } ++ nla_put_u16(skb, TCA_PEDIT_KEY_EX_CMD, keys_ex->cmd)) ++ goto nla_failure; + + nla_nest_end(skb, key_start); + +@@ -128,6 +130,9 @@ static int tcf_pedit_key_ex_dump(struct + nla_nest_end(skb, keys_start); + + return 0; ++nla_failure: ++ nla_nest_cancel(skb, keys_start); ++ return -EINVAL; + } + + static int tcf_pedit_init(struct net *net, struct nlattr *nla, +@@ -395,7 +400,10 @@ static int tcf_pedit_dump(struct sk_buff + opt->bindcnt = p->tcf_bindcnt - bind; + + if (p->tcfp_keys_ex) { +- tcf_pedit_key_ex_dump(skb, p->tcfp_keys_ex, p->tcfp_nkeys); ++ if (tcf_pedit_key_ex_dump(skb, ++ p->tcfp_keys_ex, ++ p->tcfp_nkeys)) ++ goto nla_put_failure; + + if (nla_put(skb, TCA_PEDIT_PARMS_EX, s, opt)) + goto nla_put_failure; diff --git a/queue-4.18/net-sched-action_ife-take-reference-to-meta-module.patch b/queue-4.18/net-sched-action_ife-take-reference-to-meta-module.patch new file mode 100644 index 00000000000..d9f4e9ea38e --- /dev/null +++ b/queue-4.18/net-sched-action_ife-take-reference-to-meta-module.patch @@ -0,0 +1,144 @@ +From foo@baz Tue Sep 11 10:24:52 CEST 2018 +From: Vlad Buslov +Date: Tue, 4 Sep 2018 00:44:42 +0300 +Subject: net: sched: action_ife: take reference to meta module + +From: Vlad Buslov + +[ Upstream commit 84cb8eb26cb9ce3c79928094962a475a9d850a53 ] + +Recent refactoring of add_metainfo() caused use_all_metadata() to add +metainfo to ife action metalist without taking reference to module. This +causes warning in module_put called from ife action cleanup function. + +Implement add_metainfo_and_get_ops() function that returns with reference +to module taken if metainfo was added successfully, and call it from +use_all_metadata(), instead of calling __add_metainfo() directly. + +Example warning: + +[ 646.344393] WARNING: CPU: 1 PID: 2278 at kernel/module.c:1139 module_put+0x1cb/0x230 +[ 646.352437] Modules linked in: act_meta_skbtcindex act_meta_mark act_meta_skbprio act_ife ife veth nfsv3 nfs fscache xt_CHECKSUM iptable_mangle ipt_MASQUERADE iptable_nat nf_nat_ipv4 nf_nat xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 libcrc32c tun ebtable_filter ebtables ip6table_filter ip6_tables bridge stp llc mlx5_ib ib_uverbs ib_core intel_rapl sb_edac x86_pkg_temp_thermal mlx5_core coretemp kvm_intel kvm nfsd igb irqbypass crct10dif_pclmul devlink crc32_pclmul mei_me joydev ses crc32c_intel enclosure auth_rpcgss i2c_algo_bit ioatdma ptp mei pps_core ghash_clmulni_intel iTCO_wdt iTCO_vendor_support pcspkr dca ipmi_ssif lpc_ich target_core_mod i2c_i801 ipmi_si ipmi_devintf pcc_cpufreq wmi ipmi_msghandler nfs_acl lockd acpi_pad acpi_power_meter grace sunrpc mpt3sas raid_class scsi_transport_sas +[ 646.425631] CPU: 1 PID: 2278 Comm: tc Not tainted 4.19.0-rc1+ #799 +[ 646.432187] Hardware name: Supermicro SYS-2028TP-DECR/X10DRT-P, BIOS 2.0b 03/30/2017 +[ 646.440595] RIP: 0010:module_put+0x1cb/0x230 +[ 646.445238] Code: f3 66 94 02 e8 26 ff fa ff 85 c0 74 11 0f b6 1d 51 30 94 02 80 fb 01 77 60 83 e3 01 74 13 65 ff 0d 3a 83 db 73 e9 2b ff ff ff <0f> 0b e9 00 ff ff ff e8 59 01 fb ff 85 c0 75 e4 48 c7 c2 20 62 6b +[ 646.464997] RSP: 0018:ffff880354d37068 EFLAGS: 00010286 +[ 646.470599] RAX: 0000000000000000 RBX: ffffffffc0a52518 RCX: ffffffff8c2668db +[ 646.478118] RDX: 0000000000000003 RSI: dffffc0000000000 RDI: ffffffffc0a52518 +[ 646.485641] RBP: ffffffffc0a52180 R08: fffffbfff814a4a4 R09: fffffbfff814a4a3 +[ 646.493164] R10: ffffffffc0a5251b R11: fffffbfff814a4a4 R12: 1ffff1006a9a6e0d +[ 646.500687] R13: 00000000ffffffff R14: ffff880362bab890 R15: dead000000000100 +[ 646.508213] FS: 00007f4164c99800(0000) GS:ffff88036fe40000(0000) knlGS:0000000000000000 +[ 646.516961] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 646.523080] CR2: 00007f41638b8420 CR3: 0000000351df0004 CR4: 00000000001606e0 +[ 646.530595] Call Trace: +[ 646.533408] ? find_symbol_in_section+0x260/0x260 +[ 646.538509] tcf_ife_cleanup+0x11b/0x200 [act_ife] +[ 646.543695] tcf_action_cleanup+0x29/0xa0 +[ 646.548078] __tcf_action_put+0x5a/0xb0 +[ 646.552289] ? nla_put+0x65/0xe0 +[ 646.555889] __tcf_idr_release+0x48/0x60 +[ 646.560187] tcf_generic_walker+0x448/0x6b0 +[ 646.564764] ? tcf_action_dump_1+0x450/0x450 +[ 646.569411] ? __lock_is_held+0x84/0x110 +[ 646.573720] ? tcf_ife_walker+0x10c/0x20f [act_ife] +[ 646.578982] tca_action_gd+0x972/0xc40 +[ 646.583129] ? tca_get_fill.constprop.17+0x250/0x250 +[ 646.588471] ? mark_lock+0xcf/0x980 +[ 646.592324] ? check_chain_key+0x140/0x1f0 +[ 646.596832] ? debug_show_all_locks+0x240/0x240 +[ 646.601839] ? memset+0x1f/0x40 +[ 646.605350] ? nla_parse+0xca/0x1a0 +[ 646.609217] tc_ctl_action+0x215/0x230 +[ 646.613339] ? tcf_action_add+0x220/0x220 +[ 646.617748] rtnetlink_rcv_msg+0x56a/0x6d0 +[ 646.622227] ? rtnl_fdb_del+0x3f0/0x3f0 +[ 646.626466] netlink_rcv_skb+0x18d/0x200 +[ 646.630752] ? rtnl_fdb_del+0x3f0/0x3f0 +[ 646.634959] ? netlink_ack+0x500/0x500 +[ 646.639106] netlink_unicast+0x2d0/0x370 +[ 646.643409] ? netlink_attachskb+0x340/0x340 +[ 646.648050] ? _copy_from_iter_full+0xe9/0x3e0 +[ 646.652870] ? import_iovec+0x11e/0x1c0 +[ 646.657083] netlink_sendmsg+0x3b9/0x6a0 +[ 646.661388] ? netlink_unicast+0x370/0x370 +[ 646.665877] ? netlink_unicast+0x370/0x370 +[ 646.670351] sock_sendmsg+0x6b/0x80 +[ 646.674212] ___sys_sendmsg+0x4a1/0x520 +[ 646.678443] ? copy_msghdr_from_user+0x210/0x210 +[ 646.683463] ? lock_downgrade+0x320/0x320 +[ 646.687849] ? debug_show_all_locks+0x240/0x240 +[ 646.692760] ? do_raw_spin_unlock+0xa2/0x130 +[ 646.697418] ? _raw_spin_unlock+0x24/0x30 +[ 646.701798] ? __handle_mm_fault+0x1819/0x1c10 +[ 646.706619] ? __pmd_alloc+0x320/0x320 +[ 646.710738] ? debug_show_all_locks+0x240/0x240 +[ 646.715649] ? restore_nameidata+0x7b/0xa0 +[ 646.720117] ? check_chain_key+0x140/0x1f0 +[ 646.724590] ? check_chain_key+0x140/0x1f0 +[ 646.729070] ? __fget_light+0xbc/0xd0 +[ 646.733121] ? __sys_sendmsg+0xd7/0x150 +[ 646.737329] __sys_sendmsg+0xd7/0x150 +[ 646.741359] ? __ia32_sys_shutdown+0x30/0x30 +[ 646.746003] ? up_read+0x53/0x90 +[ 646.749601] ? __do_page_fault+0x484/0x780 +[ 646.754105] ? do_syscall_64+0x1e/0x2c0 +[ 646.758320] do_syscall_64+0x72/0x2c0 +[ 646.762353] entry_SYSCALL_64_after_hwframe+0x49/0xbe +[ 646.767776] RIP: 0033:0x7f4163872150 +[ 646.771713] Code: 8b 15 3c 7d 2b 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb cd 66 0f 1f 44 00 00 83 3d b9 d5 2b 00 00 75 10 b8 2e 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 be cd 00 00 48 89 04 24 +[ 646.791474] RSP: 002b:00007ffdef7d6b58 EFLAGS: 00000246 ORIG_RAX: 000000000000002e +[ 646.799721] RAX: ffffffffffffffda RBX: 0000000000000024 RCX: 00007f4163872150 +[ 646.807240] RDX: 0000000000000000 RSI: 00007ffdef7d6bd0 RDI: 0000000000000003 +[ 646.814760] RBP: 000000005b8b9482 R08: 0000000000000001 R09: 0000000000000000 +[ 646.822286] R10: 00000000000005e7 R11: 0000000000000246 R12: 00007ffdef7dad20 +[ 646.829807] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000679bc0 +[ 646.837360] irq event stamp: 6083 +[ 646.841043] hardirqs last enabled at (6081): [] __call_rcu+0x17d/0x500 +[ 646.849882] hardirqs last disabled at (6083): [] trace_hardirqs_off_thunk+0x1a/0x1c +[ 646.859775] softirqs last enabled at (5968): [] __do_softirq+0x4a1/0x6ee +[ 646.868784] softirqs last disabled at (6082): [] tcf_ife_cleanup+0x39/0x200 [act_ife] +[ 646.878845] ---[ end trace b1b8c12ffe51e657 ]--- + +Fixes: 5ffe57da29b3 ("act_ife: fix a potential deadlock") +Signed-off-by: Vlad Buslov +Acked-by: Cong Wang +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/sched/act_ife.c | 16 +++++++++++++++- + 1 file changed, 15 insertions(+), 1 deletion(-) + +--- a/net/sched/act_ife.c ++++ b/net/sched/act_ife.c +@@ -324,6 +324,20 @@ static int __add_metainfo(const struct t + return ret; + } + ++static int add_metainfo_and_get_ops(const struct tcf_meta_ops *ops, ++ struct tcf_ife_info *ife, u32 metaid, ++ bool exists) ++{ ++ int ret; ++ ++ if (!try_module_get(ops->owner)) ++ return -ENOENT; ++ ret = __add_metainfo(ops, ife, metaid, NULL, 0, true, exists); ++ if (ret) ++ module_put(ops->owner); ++ return ret; ++} ++ + static int add_metainfo(struct tcf_ife_info *ife, u32 metaid, void *metaval, + int len, bool exists) + { +@@ -347,7 +361,7 @@ static int use_all_metadata(struct tcf_i + + read_lock(&ife_mod_lock); + list_for_each_entry(o, &ifeoplist, list) { +- rc = __add_metainfo(o, ife, o->metaid, NULL, 0, true, exists); ++ rc = add_metainfo_and_get_ops(o, ife, o->metaid, exists); + if (rc == 0) + installed += 1; + } diff --git a/queue-4.18/net-sched-fix-memory-exposure-from-short-tca_u32_sel.patch b/queue-4.18/net-sched-fix-memory-exposure-from-short-tca_u32_sel.patch new file mode 100644 index 00000000000..7a71af18b8a --- /dev/null +++ b/queue-4.18/net-sched-fix-memory-exposure-from-short-tca_u32_sel.patch @@ -0,0 +1,64 @@ +From foo@baz Tue Sep 11 10:24:52 CEST 2018 +From: Kees Cook +Date: Sat, 25 Aug 2018 22:58:01 -0700 +Subject: net: sched: Fix memory exposure from short TCA_U32_SEL + +From: Kees Cook + +[ Upstream commit 98c8f125fd8a6240ea343c1aa50a1be9047791b8 ] + +Via u32_change(), TCA_U32_SEL has an unspecified type in the netlink +policy, so max length isn't enforced, only minimum. This means nkeys +(from userspace) was being trusted without checking the actual size of +nla_len(), which could lead to a memory over-read, and ultimately an +exposure via a call to u32_dump(). Reachability is CAP_NET_ADMIN within +a namespace. + +Reported-by: Al Viro +Cc: Jamal Hadi Salim +Cc: Cong Wang +Cc: Jiri Pirko +Cc: "David S. Miller" +Cc: netdev@vger.kernel.org +Signed-off-by: Kees Cook +Acked-by: Jamal Hadi Salim +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/sched/cls_u32.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +--- a/net/sched/cls_u32.c ++++ b/net/sched/cls_u32.c +@@ -912,6 +912,7 @@ static int u32_change(struct net *net, s + struct nlattr *opt = tca[TCA_OPTIONS]; + struct nlattr *tb[TCA_U32_MAX + 1]; + u32 htid, flags = 0; ++ size_t sel_size; + int err; + #ifdef CONFIG_CLS_U32_PERF + size_t size; +@@ -1074,8 +1075,13 @@ static int u32_change(struct net *net, s + } + + s = nla_data(tb[TCA_U32_SEL]); ++ sel_size = struct_size(s, keys, s->nkeys); ++ if (nla_len(tb[TCA_U32_SEL]) < sel_size) { ++ err = -EINVAL; ++ goto erridr; ++ } + +- n = kzalloc(sizeof(*n) + s->nkeys*sizeof(struct tc_u32_key), GFP_KERNEL); ++ n = kzalloc(offsetof(typeof(*n), sel) + sel_size, GFP_KERNEL); + if (n == NULL) { + err = -ENOBUFS; + goto erridr; +@@ -1090,7 +1096,7 @@ static int u32_change(struct net *net, s + } + #endif + +- memcpy(&n->sel, s, sizeof(*s) + s->nkeys*sizeof(struct tc_u32_key)); ++ memcpy(&n->sel, s, sel_size); + RCU_INIT_POINTER(n->ht_up, ht); + n->handle = handle; + n->fshift = s->hmask ? ffs(ntohl(s->hmask)) - 1 : 0; diff --git a/queue-4.18/nfp-wait-for-posted-reconfigs-when-disabling-the-device.patch b/queue-4.18/nfp-wait-for-posted-reconfigs-when-disabling-the-device.patch new file mode 100644 index 00000000000..d414cbdb66e --- /dev/null +++ b/queue-4.18/nfp-wait-for-posted-reconfigs-when-disabling-the-device.patch @@ -0,0 +1,122 @@ +From foo@baz Tue Sep 11 10:24:52 CEST 2018 +From: Jakub Kicinski +Date: Wed, 29 Aug 2018 12:46:08 -0700 +Subject: nfp: wait for posted reconfigs when disabling the device + +From: Jakub Kicinski + +[ Upstream commit 9ad716b95fd6c6be46a4f2d5936e514b5bcd744d ] + +To avoid leaking a running timer we need to wait for the +posted reconfigs after netdev is unregistered. In common +case the process of deinitializing the device will perform +synchronous reconfigs which wait for posted requests, but +especially with VXLAN ports being actively added and removed +there can be a race condition leaving a timer running after +adapter structure is freed leading to a crash. + +Add an explicit flush after deregistering and for a good +measure a warning to check if timer is running just before +structures are freed. + +Fixes: 3d780b926a12 ("nfp: add async reconfiguration mechanism") +Signed-off-by: Jakub Kicinski +Reviewed-by: Dirk van der Merwe +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/netronome/nfp/nfp_net_common.c | 48 +++++++++++++------- + 1 file changed, 33 insertions(+), 15 deletions(-) + +--- a/drivers/net/ethernet/netronome/nfp/nfp_net_common.c ++++ b/drivers/net/ethernet/netronome/nfp/nfp_net_common.c +@@ -227,29 +227,16 @@ done: + spin_unlock_bh(&nn->reconfig_lock); + } + +-/** +- * nfp_net_reconfig() - Reconfigure the firmware +- * @nn: NFP Net device to reconfigure +- * @update: The value for the update field in the BAR config +- * +- * Write the update word to the BAR and ping the reconfig queue. The +- * poll until the firmware has acknowledged the update by zeroing the +- * update word. +- * +- * Return: Negative errno on error, 0 on success +- */ +-int nfp_net_reconfig(struct nfp_net *nn, u32 update) ++static void nfp_net_reconfig_sync_enter(struct nfp_net *nn) + { + bool cancelled_timer = false; + u32 pre_posted_requests; +- int ret; + + spin_lock_bh(&nn->reconfig_lock); + + nn->reconfig_sync_present = true; + + if (nn->reconfig_timer_active) { +- del_timer(&nn->reconfig_timer); + nn->reconfig_timer_active = false; + cancelled_timer = true; + } +@@ -258,14 +245,43 @@ int nfp_net_reconfig(struct nfp_net *nn, + + spin_unlock_bh(&nn->reconfig_lock); + +- if (cancelled_timer) ++ if (cancelled_timer) { ++ del_timer_sync(&nn->reconfig_timer); + nfp_net_reconfig_wait(nn, nn->reconfig_timer.expires); ++ } + + /* Run the posted reconfigs which were issued before we started */ + if (pre_posted_requests) { + nfp_net_reconfig_start(nn, pre_posted_requests); + nfp_net_reconfig_wait(nn, jiffies + HZ * NFP_NET_POLL_TIMEOUT); + } ++} ++ ++static void nfp_net_reconfig_wait_posted(struct nfp_net *nn) ++{ ++ nfp_net_reconfig_sync_enter(nn); ++ ++ spin_lock_bh(&nn->reconfig_lock); ++ nn->reconfig_sync_present = false; ++ spin_unlock_bh(&nn->reconfig_lock); ++} ++ ++/** ++ * nfp_net_reconfig() - Reconfigure the firmware ++ * @nn: NFP Net device to reconfigure ++ * @update: The value for the update field in the BAR config ++ * ++ * Write the update word to the BAR and ping the reconfig queue. The ++ * poll until the firmware has acknowledged the update by zeroing the ++ * update word. ++ * ++ * Return: Negative errno on error, 0 on success ++ */ ++int nfp_net_reconfig(struct nfp_net *nn, u32 update) ++{ ++ int ret; ++ ++ nfp_net_reconfig_sync_enter(nn); + + nfp_net_reconfig_start(nn, update); + ret = nfp_net_reconfig_wait(nn, jiffies + HZ * NFP_NET_POLL_TIMEOUT); +@@ -3609,6 +3625,7 @@ struct nfp_net *nfp_net_alloc(struct pci + */ + void nfp_net_free(struct nfp_net *nn) + { ++ WARN_ON(timer_pending(&nn->reconfig_timer) || nn->reconfig_posted); + if (nn->dp.netdev) + free_netdev(nn->dp.netdev); + else +@@ -3893,4 +3910,5 @@ void nfp_net_clean(struct nfp_net *nn) + return; + + unregister_netdev(nn->dp.netdev); ++ nfp_net_reconfig_wait_posted(nn); + } diff --git a/queue-4.18/qlge-fix-netdev-features-configuration.patch b/queue-4.18/qlge-fix-netdev-features-configuration.patch new file mode 100644 index 00000000000..6e6160b9287 --- /dev/null +++ b/queue-4.18/qlge-fix-netdev-features-configuration.patch @@ -0,0 +1,77 @@ +From foo@baz Tue Sep 11 10:24:52 CEST 2018 +From: Manish Chopra +Date: Thu, 23 Aug 2018 13:20:52 -0700 +Subject: qlge: Fix netdev features configuration. + +From: Manish Chopra + +[ Upstream commit 6750c87074c5b534d82fdaabb1deb45b8f1f57de ] + +qlge_fix_features() is not supposed to modify hardware or +driver state, rather it is supposed to only fix requested +fetures bits. Currently qlge_fix_features() also goes for +interface down and up unnecessarily if there is not even +any change in features set. + +This patch changes/fixes following - + +1) Move reload of interface or device re-config from + qlge_fix_features() to qlge_set_features(). +2) Reload of interface in qlge_set_features() only if + relevant feature bit (NETIF_F_HW_VLAN_CTAG_RX) is changed. +3) Get rid of qlge_fix_features() since driver is not really + required to fix any features bit. + +Signed-off-by: Manish +Reviewed-by: Benjamin Poirier +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/qlogic/qlge/qlge_main.c | 23 ++++++++--------------- + 1 file changed, 8 insertions(+), 15 deletions(-) + +--- a/drivers/net/ethernet/qlogic/qlge/qlge_main.c ++++ b/drivers/net/ethernet/qlogic/qlge/qlge_main.c +@@ -2384,26 +2384,20 @@ static int qlge_update_hw_vlan_features( + return status; + } + +-static netdev_features_t qlge_fix_features(struct net_device *ndev, +- netdev_features_t features) +-{ +- int err; +- +- /* Update the behavior of vlan accel in the adapter */ +- err = qlge_update_hw_vlan_features(ndev, features); +- if (err) +- return err; +- +- return features; +-} +- + static int qlge_set_features(struct net_device *ndev, + netdev_features_t features) + { + netdev_features_t changed = ndev->features ^ features; ++ int err; ++ ++ if (changed & NETIF_F_HW_VLAN_CTAG_RX) { ++ /* Update the behavior of vlan accel in the adapter */ ++ err = qlge_update_hw_vlan_features(ndev, features); ++ if (err) ++ return err; + +- if (changed & NETIF_F_HW_VLAN_CTAG_RX) + qlge_vlan_mode(ndev, features); ++ } + + return 0; + } +@@ -4719,7 +4713,6 @@ static const struct net_device_ops qlge_ + .ndo_set_mac_address = qlge_set_mac_address, + .ndo_validate_addr = eth_validate_addr, + .ndo_tx_timeout = qlge_tx_timeout, +- .ndo_fix_features = qlge_fix_features, + .ndo_set_features = qlge_set_features, + .ndo_vlan_rx_add_vid = qlge_vlan_rx_add_vid, + .ndo_vlan_rx_kill_vid = qlge_vlan_rx_kill_vid, diff --git a/queue-4.18/r8152-disable-rx-aggregation-on-new-dell-tb16-dock.patch b/queue-4.18/r8152-disable-rx-aggregation-on-new-dell-tb16-dock.patch new file mode 100644 index 00000000000..ee4422f9335 --- /dev/null +++ b/queue-4.18/r8152-disable-rx-aggregation-on-new-dell-tb16-dock.patch @@ -0,0 +1,35 @@ +From foo@baz Tue Sep 11 10:24:52 CEST 2018 +From: Kai-Heng Feng +Date: Mon, 20 Aug 2018 12:43:51 +0800 +Subject: r8152: disable RX aggregation on new Dell TB16 dock + +From: Kai-Heng Feng + +[ Upstream commit 176eb614b118c96e7797f5ddefd10708c316f621 ] + +There's a new Dell TB16 dock with a different iSerialNumber. + +Apply the same fix from commit 0b1655143df0 ("r8152: disable RX +aggregation on Dell TB16 dock") to this model. + +BugLink: https://bugs.launchpad.net/bugs/1785780 +Signed-off-by: Kai-Heng Feng +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/r8152.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/net/usb/r8152.c ++++ b/drivers/net/usb/r8152.c +@@ -5214,8 +5214,8 @@ static int rtl8152_probe(struct usb_inte + netdev->hw_features &= ~NETIF_F_RXCSUM; + } + +- if (le16_to_cpu(udev->descriptor.bcdDevice) == 0x3011 && +- udev->serial && !strcmp(udev->serial, "000001000000")) { ++ if (le16_to_cpu(udev->descriptor.bcdDevice) == 0x3011 && udev->serial && ++ (!strcmp(udev->serial, "000001000000") || !strcmp(udev->serial, "000002000000"))) { + dev_info(&udev->dev, "Dell TB16 Dock, disable RX aggregation"); + set_bit(DELL_TB_RX_AGG_BUG, &tp->flags); + } diff --git a/queue-4.18/r8169-add-support-for-ncube-8168-network-card.patch b/queue-4.18/r8169-add-support-for-ncube-8168-network-card.patch new file mode 100644 index 00000000000..1282104d121 --- /dev/null +++ b/queue-4.18/r8169-add-support-for-ncube-8168-network-card.patch @@ -0,0 +1,43 @@ +From foo@baz Tue Sep 11 10:24:52 CEST 2018 +From: Anthony Wong +Date: Fri, 31 Aug 2018 20:06:42 +0800 +Subject: r8169: add support for NCube 8168 network card + +From: Anthony Wong + +[ Upstream commit 9fd0e09a4e86499639653243edfcb417a05c5c46 ] + +This card identifies itself as: + Ethernet controller [0200]: NCube Device [10ff:8168] (rev 06) + Subsystem: TP-LINK Technologies Co., Ltd. Device [7470:3468] + +Adding a new entry to rtl8169_pci_tbl makes the card work. + +Link: http://launchpad.net/bugs/1788730 +Signed-off-by: Anthony Wong +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/realtek/r8169.c | 1 + + include/linux/pci_ids.h | 2 ++ + 2 files changed, 3 insertions(+) + +--- a/drivers/net/ethernet/realtek/r8169.c ++++ b/drivers/net/ethernet/realtek/r8169.c +@@ -303,6 +303,7 @@ static const struct pci_device_id rtl816 + { PCI_DEVICE(PCI_VENDOR_ID_REALTEK, 0x8161), 0, 0, RTL_CFG_1 }, + { PCI_DEVICE(PCI_VENDOR_ID_REALTEK, 0x8167), 0, 0, RTL_CFG_0 }, + { PCI_DEVICE(PCI_VENDOR_ID_REALTEK, 0x8168), 0, 0, RTL_CFG_1 }, ++ { PCI_DEVICE(PCI_VENDOR_ID_NCUBE, 0x8168), 0, 0, RTL_CFG_1 }, + { PCI_DEVICE(PCI_VENDOR_ID_REALTEK, 0x8169), 0, 0, RTL_CFG_0 }, + { PCI_VENDOR_ID_DLINK, 0x4300, + PCI_VENDOR_ID_DLINK, 0x4b10, 0, 0, RTL_CFG_1 }, +--- a/include/linux/pci_ids.h ++++ b/include/linux/pci_ids.h +@@ -3082,4 +3082,6 @@ + + #define PCI_VENDOR_ID_OCZ 0x1b85 + ++#define PCI_VENDOR_ID_NCUBE 0x10ff ++ + #endif /* _LINUX_PCI_IDS_H */ diff --git a/queue-4.18/r8169-set-rxconfig-after-tx-rx-is-enabled-for-rtl8169sb-8110sb-devices.patch b/queue-4.18/r8169-set-rxconfig-after-tx-rx-is-enabled-for-rtl8169sb-8110sb-devices.patch new file mode 100644 index 00000000000..1524f1ad513 --- /dev/null +++ b/queue-4.18/r8169-set-rxconfig-after-tx-rx-is-enabled-for-rtl8169sb-8110sb-devices.patch @@ -0,0 +1,72 @@ +From foo@baz Tue Sep 11 10:24:52 CEST 2018 +From: Azat Khuzhin +Date: Sun, 26 Aug 2018 17:03:09 +0300 +Subject: r8169: set RxConfig after tx/rx is enabled for RTL8169sb/8110sb devices + +From: Azat Khuzhin + +[ Upstream commit 05212ba8132b42047ab5d63d759c6f9c28e7eab5 ] + +I have two Ethernet adapters: + r8169 0000:03:01.0 eth0: RTL8169sb/8110sb, 00:14:d1:14:2d:49, XID 10000000, IRQ 18 + r8169 0000:01:00.0 eth0: RTL8168e/8111e, 64:66:b3:11:14:5d, XID 2c200000, IRQ 30 +And after upgrading from linux 4.15 [1] to linux 4.18+ [2] RTL8169sb failed to +receive any packets. tcpdump shows a lot of checksum mismatch. + + [1]: a0f79386a4968b4925da6db2d1daffd0605a4402 + [2]: 0519359784328bfa92bf0931bf0cff3b58c16932 (4.19 merge window opened) + +I started bisecting and the found that [3] breaks it. According to [4]: + "For 8110S, 8110SB, and 8110SC series, the initial value of RxConfig + needs to be set after the tx/rx is enabled." +So I moved rtl_init_rxcfg() after enabling tx/rs and now my adapter works +(RTL8168e works too). + + [3]: 3559d81e76bfe3803e89f2e04cf6ef7ab4f3aace + [4]: e542a2269f232d61270ceddd42b73a4348dee2bb ("r8169: adjust the RxConfig +settings.") + +Also drop "rx" from rtl_set_rx_tx_config_registers(), since it does nothing +with it already. + +Fixes: 3559d81e76bfe3803e89f2e04cf6ef7ab4f3aace ("r8169: simplify +rtl_hw_start_8169") + +Cc: Heiner Kallweit +Cc: David S. Miller +Cc: netdev@vger.kernel.org +Cc: Realtek linux nic maintainers +Signed-off-by: Azat Khuzhin +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/realtek/r8169.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/realtek/r8169.c ++++ b/drivers/net/ethernet/realtek/r8169.c +@@ -5039,7 +5039,7 @@ static void rtl8169_hw_reset(struct rtl8 + rtl_hw_reset(tp); + } + +-static void rtl_set_rx_tx_config_registers(struct rtl8169_private *tp) ++static void rtl_set_tx_config_registers(struct rtl8169_private *tp) + { + /* Set DMA burst size and Interframe Gap Time */ + RTL_W32(tp, TxConfig, (TX_DMA_BURST << TxDMAShift) | +@@ -5150,12 +5150,14 @@ static void rtl_hw_start(struct rtl8169 + + rtl_set_rx_max_size(tp); + rtl_set_rx_tx_desc_registers(tp); +- rtl_set_rx_tx_config_registers(tp); ++ rtl_set_tx_config_registers(tp); + RTL_W8(tp, Cfg9346, Cfg9346_Lock); + + /* Initially a 10 us delay. Turned it into a PCI commit. - FR */ + RTL_R8(tp, IntrMask); + RTL_W8(tp, ChipCmd, CmdTxEnb | CmdRxEnb); ++ rtl_init_rxcfg(tp); ++ + rtl_set_rx_mode(tp->dev); + /* no early-rx interrupts */ + RTL_W16(tp, MultiIntr, RTL_R16(tp, MultiIntr) & 0xf000); diff --git a/queue-4.18/revert-net-stmmac-do-not-keep-rearming-the-coalesce-timer-in-stmmac_xmit.patch b/queue-4.18/revert-net-stmmac-do-not-keep-rearming-the-coalesce-timer-in-stmmac_xmit.patch new file mode 100644 index 00000000000..46b6d12c610 --- /dev/null +++ b/queue-4.18/revert-net-stmmac-do-not-keep-rearming-the-coalesce-timer-in-stmmac_xmit.patch @@ -0,0 +1,70 @@ +From foo@baz Tue Sep 11 10:24:52 CEST 2018 +From: Jerome Brunet +Date: Fri, 24 Aug 2018 11:04:40 +0200 +Subject: Revert "net: stmmac: Do not keep rearming the coalesce timer in stmmac_xmit" + +From: Jerome Brunet + +[ Upstream commit e5133f2f1261f8ab412e7fc5e3694c9f84328f89 ] + +This reverts commit 4ae0169fd1b3c792b66be58995b7e6b629919ecf. + +This change in the handling of the coalesce timer is causing regression on +(at least) amlogic platforms. + +Network will break down very quickly (a few seconds) after starting +a download. This can easily be reproduced using iperf3 for example. + +The problem has been reported on the S805, S905, S912 and A113 SoCs +(Realtek and Micrel PHYs) and it is likely impacting all Amlogics +platforms using Gbit ethernet + +No problem was seen with the platform using 10/100 only PHYs (GXL internal) + +Reverting change brings things back to normal and allows to use network +again until we better understand the problem with the coalesce timer. + +Cc: Jose Abreu +Cc: Joao Pinto +Cc: Vitor Soares +Cc: Giuseppe Cavallaro +Cc: Alexandre Torgue +Cc: Corentin Labbe +Signed-off-by: Jerome Brunet +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/stmicro/stmmac/stmmac.h | 1 - + drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 5 +---- + 2 files changed, 1 insertion(+), 5 deletions(-) + +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac.h ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac.h +@@ -112,7 +112,6 @@ struct stmmac_priv { + u32 tx_count_frames; + u32 tx_coal_frames; + u32 tx_coal_timer; +- bool tx_timer_armed; + + int tx_coalesce; + int hwts_tx_en; +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +@@ -3126,16 +3126,13 @@ static netdev_tx_t stmmac_xmit(struct sk + * element in case of no SG. + */ + priv->tx_count_frames += nfrags + 1; +- if (likely(priv->tx_coal_frames > priv->tx_count_frames) && +- !priv->tx_timer_armed) { ++ if (likely(priv->tx_coal_frames > priv->tx_count_frames)) { + mod_timer(&priv->txtimer, + STMMAC_COAL_TIMER(priv->tx_coal_timer)); +- priv->tx_timer_armed = true; + } else { + priv->tx_count_frames = 0; + stmmac_set_tx_ic(priv, desc); + priv->xstats.tx_set_ic_bit++; +- priv->tx_timer_armed = false; + } + + skb_tx_timestamp(skb); diff --git a/queue-4.18/sctp-hold-transport-before-accessing-its-asoc-in-sctp_transport_get_next.patch b/queue-4.18/sctp-hold-transport-before-accessing-its-asoc-in-sctp_transport_get_next.patch new file mode 100644 index 00000000000..e3bd79ab315 --- /dev/null +++ b/queue-4.18/sctp-hold-transport-before-accessing-its-asoc-in-sctp_transport_get_next.patch @@ -0,0 +1,99 @@ +From foo@baz Tue Sep 11 10:24:52 CEST 2018 +From: Xin Long +Date: Mon, 27 Aug 2018 18:38:31 +0800 +Subject: sctp: hold transport before accessing its asoc in sctp_transport_get_next + +From: Xin Long + +[ Upstream commit bab1be79a5169ac748d8292b20c86d874022d7ba ] + +As Marcelo noticed, in sctp_transport_get_next, it is iterating over +transports but then also accessing the association directly, without +checking any refcnts before that, which can cause an use-after-free +Read. + +So fix it by holding transport before accessing the association. With +that, sctp_transport_hold calls can be removed in the later places. + +Fixes: 626d16f50f39 ("sctp: export some apis or variables for sctp_diag and reuse some for proc") +Reported-by: syzbot+fe62a0c9aa6a85c6de16@syzkaller.appspotmail.com +Signed-off-by: Xin Long +Acked-by: Neil Horman +Acked-by: Marcelo Ricardo Leitner +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/sctp/proc.c | 4 ---- + net/sctp/socket.c | 22 +++++++++++++++------- + 2 files changed, 15 insertions(+), 11 deletions(-) + +--- a/net/sctp/proc.c ++++ b/net/sctp/proc.c +@@ -260,8 +260,6 @@ static int sctp_assocs_seq_show(struct s + } + + transport = (struct sctp_transport *)v; +- if (!sctp_transport_hold(transport)) +- return 0; + assoc = transport->asoc; + epb = &assoc->base; + sk = epb->sk; +@@ -318,8 +316,6 @@ static int sctp_remaddr_seq_show(struct + } + + transport = (struct sctp_transport *)v; +- if (!sctp_transport_hold(transport)) +- return 0; + assoc = transport->asoc; + + list_for_each_entry_rcu(tsp, &assoc->peer.transport_addr_list, +--- a/net/sctp/socket.c ++++ b/net/sctp/socket.c +@@ -4881,9 +4881,14 @@ struct sctp_transport *sctp_transport_ge + break; + } + ++ if (!sctp_transport_hold(t)) ++ continue; ++ + if (net_eq(sock_net(t->asoc->base.sk), net) && + t->asoc->peer.primary_path == t) + break; ++ ++ sctp_transport_put(t); + } + + return t; +@@ -4893,13 +4898,18 @@ struct sctp_transport *sctp_transport_ge + struct rhashtable_iter *iter, + int pos) + { +- void *obj = SEQ_START_TOKEN; ++ struct sctp_transport *t; ++ ++ if (!pos) ++ return SEQ_START_TOKEN; + +- while (pos && (obj = sctp_transport_get_next(net, iter)) && +- !IS_ERR(obj)) +- pos--; ++ while ((t = sctp_transport_get_next(net, iter)) && !IS_ERR(t)) { ++ if (!--pos) ++ break; ++ sctp_transport_put(t); ++ } + +- return obj; ++ return t; + } + + int sctp_for_each_endpoint(int (*cb)(struct sctp_endpoint *, void *), +@@ -4958,8 +4968,6 @@ again: + + tsp = sctp_transport_get_idx(net, &hti, *pos + 1); + for (; !IS_ERR_OR_NULL(tsp); tsp = sctp_transport_get_next(net, &hti)) { +- if (!sctp_transport_hold(tsp)) +- continue; + ret = cb(tsp, p); + if (ret) + break; diff --git a/queue-4.18/sctp-remove-useless-start_fail-from-sctp_ht_iter-in-proc.patch b/queue-4.18/sctp-remove-useless-start_fail-from-sctp_ht_iter-in-proc.patch new file mode 100644 index 00000000000..7eea7019b3f --- /dev/null +++ b/queue-4.18/sctp-remove-useless-start_fail-from-sctp_ht_iter-in-proc.patch @@ -0,0 +1,50 @@ +From foo@baz Tue Sep 11 10:24:52 CEST 2018 +From: Xin Long +Date: Mon, 27 Aug 2018 18:40:18 +0800 +Subject: sctp: remove useless start_fail from sctp_ht_iter in proc + +From: Xin Long + +[ Upstream commit 834539e69a5fe2aab33cc777ccfd4a4fcc5b9770 ] + +After changing rhashtable_walk_start to return void, start_fail would +never be set other value than 0, and the checking for start_fail is +pointless, so remove it. + +Fixes: 97a6ec4ac021 ("rhashtable: Change rhashtable_walk_start to return void") +Signed-off-by: Xin Long +Acked-by: Neil Horman +Acked-by: Marcelo Ricardo Leitner +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/sctp/proc.c | 4 ---- + 1 file changed, 4 deletions(-) + +--- a/net/sctp/proc.c ++++ b/net/sctp/proc.c +@@ -215,7 +215,6 @@ static const struct seq_operations sctp_ + struct sctp_ht_iter { + struct seq_net_private p; + struct rhashtable_iter hti; +- int start_fail; + }; + + static void *sctp_transport_seq_start(struct seq_file *seq, loff_t *pos) +@@ -224,7 +223,6 @@ static void *sctp_transport_seq_start(st + + sctp_transport_walk_start(&iter->hti); + +- iter->start_fail = 0; + return sctp_transport_get_idx(seq_file_net(seq), &iter->hti, *pos); + } + +@@ -232,8 +230,6 @@ static void sctp_transport_seq_stop(stru + { + struct sctp_ht_iter *iter = seq->private; + +- if (iter->start_fail) +- return; + sctp_transport_walk_stop(&iter->hti); + } + diff --git a/queue-4.18/series b/queue-4.18/series index e69de29bb2d..1d2de5e0131 100644 --- a/queue-4.18/series +++ b/queue-4.18/series @@ -0,0 +1,36 @@ +act_ife-fix-a-potential-use-after-free.patch +ipv4-tcp-send-zero-ipid-for-rst-and-ack-sent-in-syn-recv-and-time-wait-state.patch +net-bcmgenet-use-mac-link-status-for-fixed-phy.patch +net-macb-do-not-disable-mdio-bus-at-open-close-time.patch +net-sched-fix-memory-exposure-from-short-tca_u32_sel.patch +qlge-fix-netdev-features-configuration.patch +r8152-disable-rx-aggregation-on-new-dell-tb16-dock.patch +r8169-add-support-for-ncube-8168-network-card.patch +tcp-do-not-restart-timewait-timer-on-rst-reception.patch +vti6-remove-skb-ignore_df-check-from-vti6_xmit.patch +act_ife-move-tcfa_lock-down-to-where-necessary.patch +act_ife-fix-a-potential-deadlock.patch +net-sched-action_ife-take-reference-to-meta-module.patch +bnxt_en-clean-up-unused-functions.patch +bnxt_en-do-not-adjust-max_cp_rings-by-the-ones-used-by-rdma.patch +net-sched-act_pedit-fix-dump-of-extended-layered-op.patch +tipc-fix-a-missing-rhashtable_walk_exit.patch +hv_netvsc-fix-a-deadlock-by-getting-rtnl-lock-earlier-in-netvsc_probe.patch +tipc-fix-the-big-little-endian-issue-in-tipc_dest.patch +sctp-remove-useless-start_fail-from-sctp_ht_iter-in-proc.patch +erspan-set-erspan_ver-to-1-by-default-when-adding-an-erspan-dev.patch +net-macb-fix-regression-breaking-non-mdio-fixed-link-phys.patch +ipv6-don-t-get-lwtstate-twice-in-ip6_rt_copy_init.patch +net-ipv6-init-ip6-anycast-rt-dst.input-as-ip6_input.patch +net-ipv6-only-update-mtu-metric-if-it-set.patch +net-ipv6-put-lwtstate-when-destroying-fib6_info.patch +net-mlx5-fix-sq-offset-in-qps-with-small-rq.patch +r8169-set-rxconfig-after-tx-rx-is-enabled-for-rtl8169sb-8110sb-devices.patch +revert-net-stmmac-do-not-keep-rearming-the-coalesce-timer-in-stmmac_xmit.patch +ip6_vti-fix-creating-fallback-tunnel-device-for-vti6.patch +ip6_vti-fix-a-null-pointer-deference-when-destroy-vti6-tunnel.patch +nfp-wait-for-posted-reconfigs-when-disabling-the-device.patch +sctp-hold-transport-before-accessing-its-asoc-in-sctp_transport_get_next.patch +mlxsw-spectrum_switchdev-do-not-leak-rifs-when-removing-bridge.patch +vhost-correctly-check-the-iova-range-when-waking-virtqueue.patch +hv_netvsc-ignore-devices-that-are-not-pci.patch diff --git a/queue-4.18/tcp-do-not-restart-timewait-timer-on-rst-reception.patch b/queue-4.18/tcp-do-not-restart-timewait-timer-on-rst-reception.patch new file mode 100644 index 00000000000..3ccfe521cc9 --- /dev/null +++ b/queue-4.18/tcp-do-not-restart-timewait-timer-on-rst-reception.patch @@ -0,0 +1,122 @@ +From foo@baz Tue Sep 11 10:24:52 CEST 2018 +From: Florian Westphal +Date: Thu, 30 Aug 2018 14:24:29 +0200 +Subject: tcp: do not restart timewait timer on rst reception + +From: Florian Westphal + +[ Upstream commit 63cc357f7bba6729869565a12df08441a5995d9a ] + +RFC 1337 says: + ''Ignore RST segments in TIME-WAIT state. + If the 2 minute MSL is enforced, this fix avoids all three hazards.'' + +So with net.ipv4.tcp_rfc1337=1, expected behaviour is to have TIME-WAIT sk +expire rather than removing it instantly when a reset is received. + +However, Linux will also re-start the TIME-WAIT timer. + +This causes connect to fail when tying to re-use ports or very long +delays (until syn retry interval exceeds MSL). + +packetdrill test case: +// Demonstrate bogus rearming of TIME-WAIT timer in rfc1337 mode. +`sysctl net.ipv4.tcp_rfc1337=1` + +0.000 socket(..., SOCK_STREAM, IPPROTO_TCP) = 3 +0.000 setsockopt(3, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0 +0.000 bind(3, ..., ...) = 0 +0.000 listen(3, 1) = 0 + +0.100 < S 0:0(0) win 29200 +0.100 > S. 0:0(0) ack 1 +0.200 < . 1:1(0) ack 1 win 257 +0.200 accept(3, ..., ...) = 4 + +// Receive first segment +0.310 < P. 1:1001(1000) ack 1 win 46 + +// Send one ACK +0.310 > . 1:1(0) ack 1001 + +// read 1000 byte +0.310 read(4, ..., 1000) = 1000 + +// Application writes 100 bytes +0.350 write(4, ..., 100) = 100 +0.350 > P. 1:101(100) ack 1001 + +// ACK +0.500 < . 1001:1001(0) ack 101 win 257 + +// close the connection +0.600 close(4) = 0 +0.600 > F. 101:101(0) ack 1001 win 244 + +// Our side is in FIN_WAIT_1 & waits for ack to fin +0.7 < . 1001:1001(0) ack 102 win 244 + +// Our side is in FIN_WAIT_2 with no outstanding data. +0.8 < F. 1001:1001(0) ack 102 win 244 +0.8 > . 102:102(0) ack 1002 win 244 + +// Our side is now in TIME_WAIT state, send ack for fin. +0.9 < F. 1002:1002(0) ack 102 win 244 +0.9 > . 102:102(0) ack 1002 win 244 + +// Peer reopens with in-window SYN: +1.000 < S 1000:1000(0) win 9200 + +// Therefore, reply with ACK. +1.000 > . 102:102(0) ack 1002 win 244 + +// Peer sends RST for this ACK. Normally this RST results +// in tw socket removal, but rfc1337=1 setting prevents this. +1.100 < R 1002:1002(0) win 244 + +// second syn. Due to rfc1337=1 expect another pure ACK. +31.0 < S 1000:1000(0) win 9200 +31.0 > . 102:102(0) ack 1002 win 244 + +// .. and another RST from peer. +31.1 < R 1002:1002(0) win 244 +31.2 `echo no timer restart;ss -m -e -a -i -n -t -o state TIME-WAIT` + +// third syn after one minute. Time-Wait socket should have expired by now. +63.0 < S 1000:1000(0) win 9200 + +// so we expect a syn-ack & 3whs to proceed from here on. +63.0 > S. 0:0(0) ack 1 + +Without this patch, 'ss' shows restarts of tw timer and last packet is +thus just another pure ack, more than one minute later. + +This restores the original code from commit 283fd6cf0be690a83 +("Merge in ANK networking jumbo patch") in netdev-vger-cvs.git . + +For some reason the else branch was removed/lost in 1f28b683339f7 +("Merge in TCP/UDP optimizations and [..]") and timer restart became +unconditional. + +Reported-by: Michal Tesar +Signed-off-by: Florian Westphal +Signed-off-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/tcp_minisocks.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/ipv4/tcp_minisocks.c ++++ b/net/ipv4/tcp_minisocks.c +@@ -184,8 +184,9 @@ kill: + inet_twsk_deschedule_put(tw); + return TCP_TW_SUCCESS; + } ++ } else { ++ inet_twsk_reschedule(tw, TCP_TIMEWAIT_LEN); + } +- inet_twsk_reschedule(tw, TCP_TIMEWAIT_LEN); + + if (tmp_opt.saw_tstamp) { + tcptw->tw_ts_recent = tmp_opt.rcv_tsval; diff --git a/queue-4.18/tipc-fix-a-missing-rhashtable_walk_exit.patch b/queue-4.18/tipc-fix-a-missing-rhashtable_walk_exit.patch new file mode 100644 index 00000000000..8126e940595 --- /dev/null +++ b/queue-4.18/tipc-fix-a-missing-rhashtable_walk_exit.patch @@ -0,0 +1,32 @@ +From foo@baz Tue Sep 11 10:24:52 CEST 2018 +From: Cong Wang +Date: Thu, 23 Aug 2018 16:19:44 -0700 +Subject: tipc: fix a missing rhashtable_walk_exit() + +From: Cong Wang + +[ Upstream commit bd583fe30427500a2d0abe25724025b1cb5e2636 ] + +rhashtable_walk_exit() must be paired with rhashtable_walk_enter(). + +Fixes: 40f9f4397060 ("tipc: Fix tipc_sk_reinit race conditions") +Cc: Herbert Xu +Cc: Ying Xue +Signed-off-by: Cong Wang +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/tipc/socket.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/net/tipc/socket.c ++++ b/net/tipc/socket.c +@@ -2675,6 +2675,8 @@ void tipc_sk_reinit(struct net *net) + + rhashtable_walk_stop(&iter); + } while (tsk == ERR_PTR(-EAGAIN)); ++ ++ rhashtable_walk_exit(&iter); + } + + static struct tipc_sock *tipc_sk_lookup(struct net *net, u32 portid) diff --git a/queue-4.18/tipc-fix-the-big-little-endian-issue-in-tipc_dest.patch b/queue-4.18/tipc-fix-the-big-little-endian-issue-in-tipc_dest.patch new file mode 100644 index 00000000000..57588a6fc51 --- /dev/null +++ b/queue-4.18/tipc-fix-the-big-little-endian-issue-in-tipc_dest.patch @@ -0,0 +1,91 @@ +From foo@baz Tue Sep 11 10:24:52 CEST 2018 +From: Haiqing Bai +Date: Mon, 27 Aug 2018 09:32:26 +0800 +Subject: tipc: fix the big/little endian issue in tipc_dest + +From: Haiqing Bai + +[ Upstream commit 30935198b7d0be12b1c45c328b66a7fdefb16256 ] + +In function tipc_dest_push, the 32bit variables 'node' and 'port' +are stored separately in uppper and lower part of 64bit 'value'. +Then this value is assigned to dst->value which is a union like: +union +{ + struct { + u32 port; + u32 node; + }; + u64 value; +} +This works on little-endian machines like x86 but fails on big-endian +machines. + +The fix remove the 'value' stack parameter and even the 'value' +member of the union in tipc_dest, assign the 'node' and 'port' member +directly with the input parameter to avoid the endian issue. + +Fixes: a80ae5306a73 ("tipc: improve destination linked list") +Signed-off-by: Zhenbo Gao +Acked-by: Jon Maloy +Signed-off-by: Haiqing Bai +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/tipc/name_table.c | 10 ++++------ + net/tipc/name_table.h | 9 ++------- + 2 files changed, 6 insertions(+), 13 deletions(-) + +--- a/net/tipc/name_table.c ++++ b/net/tipc/name_table.c +@@ -980,20 +980,17 @@ int tipc_nl_name_table_dump(struct sk_bu + + struct tipc_dest *tipc_dest_find(struct list_head *l, u32 node, u32 port) + { +- u64 value = (u64)node << 32 | port; + struct tipc_dest *dst; + + list_for_each_entry(dst, l, list) { +- if (dst->value != value) +- continue; +- return dst; ++ if (dst->node == node && dst->port == port) ++ return dst; + } + return NULL; + } + + bool tipc_dest_push(struct list_head *l, u32 node, u32 port) + { +- u64 value = (u64)node << 32 | port; + struct tipc_dest *dst; + + if (tipc_dest_find(l, node, port)) +@@ -1002,7 +999,8 @@ bool tipc_dest_push(struct list_head *l, + dst = kmalloc(sizeof(*dst), GFP_ATOMIC); + if (unlikely(!dst)) + return false; +- dst->value = value; ++ dst->node = node; ++ dst->port = port; + list_add(&dst->list, l); + return true; + } +--- a/net/tipc/name_table.h ++++ b/net/tipc/name_table.h +@@ -133,13 +133,8 @@ void tipc_nametbl_stop(struct net *net); + + struct tipc_dest { + struct list_head list; +- union { +- struct { +- u32 port; +- u32 node; +- }; +- u64 value; +- }; ++ u32 port; ++ u32 node; + }; + + struct tipc_dest *tipc_dest_find(struct list_head *l, u32 node, u32 port); diff --git a/queue-4.18/vhost-correctly-check-the-iova-range-when-waking-virtqueue.patch b/queue-4.18/vhost-correctly-check-the-iova-range-when-waking-virtqueue.patch new file mode 100644 index 00000000000..fa38aa5a995 --- /dev/null +++ b/queue-4.18/vhost-correctly-check-the-iova-range-when-waking-virtqueue.patch @@ -0,0 +1,37 @@ +From foo@baz Tue Sep 11 10:24:52 CEST 2018 +From: Jason Wang +Date: Fri, 24 Aug 2018 16:53:13 +0800 +Subject: vhost: correctly check the iova range when waking virtqueue + +From: Jason Wang + +[ Upstream commit 2d66f997f0545c8f7fc5cf0b49af1decb35170e7 ] + +We don't wakeup the virtqueue if the first byte of pending iova range +is the last byte of the range we just got updated. This will lead a +virtqueue to wait for IOTLB updating forever. Fixing by correct the +check and wake up the virtqueue in this case. + +Fixes: 6b1e6cc7855b ("vhost: new device IOTLB API") +Reported-by: Peter Xu +Signed-off-by: Jason Wang +Reviewed-by: Peter Xu +Tested-by: Peter Xu +Acked-by: Michael S. Tsirkin +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/vhost/vhost.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/vhost/vhost.c ++++ b/drivers/vhost/vhost.c +@@ -951,7 +951,7 @@ static void vhost_iotlb_notify_vq(struct + list_for_each_entry_safe(node, n, &d->pending_list, node) { + struct vhost_iotlb_msg *vq_msg = &node->msg.iotlb; + if (msg->iova <= vq_msg->iova && +- msg->iova + msg->size - 1 > vq_msg->iova && ++ msg->iova + msg->size - 1 >= vq_msg->iova && + vq_msg->type == VHOST_IOTLB_MISS) { + vhost_poll_queue(&node->vq->poll); + list_del(&node->node); diff --git a/queue-4.18/vti6-remove-skb-ignore_df-check-from-vti6_xmit.patch b/queue-4.18/vti6-remove-skb-ignore_df-check-from-vti6_xmit.patch new file mode 100644 index 00000000000..e373a1a835d --- /dev/null +++ b/queue-4.18/vti6-remove-skb-ignore_df-check-from-vti6_xmit.patch @@ -0,0 +1,42 @@ +From foo@baz Tue Sep 11 10:24:52 CEST 2018 +From: Alexey Kodanev +Date: Thu, 23 Aug 2018 19:49:54 +0300 +Subject: vti6: remove !skb->ignore_df check from vti6_xmit() + +From: Alexey Kodanev + +[ Upstream commit 9f2895461439fda2801a7906fb4c5fb3dbb37a0a ] + +Before the commit d6990976af7c ("vti6: fix PMTU caching and reporting +on xmit") '!skb->ignore_df' check was always true because the function +skb_scrub_packet() was called before it, resetting ignore_df to zero. + +In the commit, skb_scrub_packet() was moved below, and now this check +can be false for the packet, e.g. when sending it in the two fragments, +this prevents successful PMTU updates in such case. The next attempts +to send the packet lead to the same tx error. Moreover, vti6 initial +MTU value relies on PMTU adjustments. + +This issue can be reproduced with the following LTP test script: + udp_ipsec_vti.sh -6 -p ah -m tunnel -s 2000 + +Fixes: ccd740cbc6e0 ("vti6: Add pmtu handling to vti6_xmit.") +Signed-off-by: Alexey Kodanev +Acked-by: Steffen Klassert +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/ip6_vti.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/ipv6/ip6_vti.c ++++ b/net/ipv6/ip6_vti.c +@@ -481,7 +481,7 @@ vti6_xmit(struct sk_buff *skb, struct ne + } + + mtu = dst_mtu(dst); +- if (!skb->ignore_df && skb->len > mtu) { ++ if (skb->len > mtu) { + skb_dst_update_pmtu(skb, mtu); + + if (skb->protocol == htons(ETH_P_IPV6)) {