From: Greg Kroah-Hartman Date: Wed, 19 Jun 2019 12:57:56 +0000 (+0200) Subject: 5.1-stable patches X-Git-Tag: v5.1.13~26 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=176eeebcbf771062473c8f751fa2adb4a8baebb6;p=thirdparty%2Fkernel%2Fstable-queue.git 5.1-stable patches added patches: ax25-fix-inconsistent-lock-state-in-ax25_destroy_timer.patch be2net-fix-number-of-rx-queues-used-for-flow-hashing.patch geneve-don-t-assume-linear-buffers-in-error-handler.patch hv_netvsc-set-probe-mode-to-sync.patch ipv6-flowlabel-fl6_sock_lookup-must-use-atomic_inc_not_zero.patch lapb-fixed-leak-of-control-blocks.patch mlxsw-spectrum_buffers-reduce-pool-size-on-spectrum-2.patch mlxsw-spectrum_flower-fix-tos-matching.patch mlxsw-spectrum_router-refresh-nexthop-neighbour-when-it-becomes-dead.patch neigh-fix-use-after-free-read-in-pneigh_get_next.patch net-correct-udp-zerocopy-refcnt-also-when-zerocopy-only-on-append.patch net-dsa-microchip-don-t-try-to-read-stats-for-unused-ports.patch net-dsa-rtl8366-fix-up-vlan-filtering.patch net-ethtool-allow-matching-on-vlan-dei-bit.patch net-mlx5-avoid-reloading-already-removed-devices.patch net-mlx5-update-pci-error-handler-entries-and-command-translation.patch net-mlx5e-add-ndo_set_feature-for-uplink-representor.patch net-mlx5e-avoid-detaching-non-existing-netdev-under-switchdev-mode.patch net-mlx5e-fix-source-port-matching-in-fdb-peer-flow-rule.patch net-mlx5e-support-tagged-tunnel-over-bond.patch net-mvpp2-prs-fix-parser-range-for-vid-filtering.patch net-mvpp2-prs-use-the-correct-helpers-when-removing-all-vid-filters.patch net-openvswitch-do-not-free-vport-if-register_netdevice-is-failed.patch net-phylink-set-the-autoneg-state-in-phylink_phy_change.patch net-tls-correctly-account-for-copied-bytes-with-multiple-sk_msgs.patch netfilter-nat-fix-udp-checksum-corruption.patch nfc-ensure-presence-of-required-attributes-in-the-deactivate_target-handler.patch sctp-free-cookie-before-we-memdup-a-new-one.patch sunhv-fix-device-naming-inconsistency-between-sunhv_console-and-sunhv_reg.patch tipc-purge-deferredq-list-for-each-grp-member-in-tipc_group_delete.patch vsock-virtio-set-sock_done-on-peer-shutdown.patch vxlan-don-t-assume-linear-buffers-in-error-handler.patch --- diff --git a/queue-5.1/ax25-fix-inconsistent-lock-state-in-ax25_destroy_timer.patch b/queue-5.1/ax25-fix-inconsistent-lock-state-in-ax25_destroy_timer.patch new file mode 100644 index 00000000000..5b30a98c409 --- /dev/null +++ b/queue-5.1/ax25-fix-inconsistent-lock-state-in-ax25_destroy_timer.patch @@ -0,0 +1,117 @@ +From foo@baz Wed 19 Jun 2019 02:33:45 PM CEST +From: Eric Dumazet +Date: Sat, 15 Jun 2019 16:40:52 -0700 +Subject: ax25: fix inconsistent lock state in ax25_destroy_timer + +From: Eric Dumazet + +[ Upstream commit d4d5d8e83c9616aeef28a2869cea49cc3fb35526 ] + +Before thread in process context uses bh_lock_sock() +we must disable bh. + +sysbot reported : + +WARNING: inconsistent lock state +5.2.0-rc3+ #32 Not tainted + +inconsistent {SOFTIRQ-ON-W} -> {IN-SOFTIRQ-W} usage. +blkid/26581 [HC0[0]:SC1[1]:HE1:SE0] takes: +00000000e0da85ee (slock-AF_AX25){+.?.}, at: spin_lock include/linux/spinlock.h:338 [inline] +00000000e0da85ee (slock-AF_AX25){+.?.}, at: ax25_destroy_timer+0x53/0xc0 net/ax25/af_ax25.c:275 +{SOFTIRQ-ON-W} state was registered at: + lock_acquire+0x16f/0x3f0 kernel/locking/lockdep.c:4303 + __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline] + _raw_spin_lock+0x2f/0x40 kernel/locking/spinlock.c:151 + spin_lock include/linux/spinlock.h:338 [inline] + ax25_rt_autobind+0x3ca/0x720 net/ax25/ax25_route.c:429 + ax25_connect.cold+0x30/0xa4 net/ax25/af_ax25.c:1221 + __sys_connect+0x264/0x330 net/socket.c:1834 + __do_sys_connect net/socket.c:1845 [inline] + __se_sys_connect net/socket.c:1842 [inline] + __x64_sys_connect+0x73/0xb0 net/socket.c:1842 + do_syscall_64+0xfd/0x680 arch/x86/entry/common.c:301 + entry_SYSCALL_64_after_hwframe+0x49/0xbe +irq event stamp: 2272 +hardirqs last enabled at (2272): [] trace_hardirqs_on_thunk+0x1a/0x1c +hardirqs last disabled at (2271): [] trace_hardirqs_off_thunk+0x1a/0x1c +softirqs last enabled at (1522): [] __do_softirq+0x654/0x94c kernel/softirq.c:320 +softirqs last disabled at (2267): [] invoke_softirq kernel/softirq.c:374 [inline] +softirqs last disabled at (2267): [] irq_exit+0x180/0x1d0 kernel/softirq.c:414 + +other info that might help us debug this: + Possible unsafe locking scenario: + + CPU0 + ---- + lock(slock-AF_AX25); + + lock(slock-AF_AX25); + + *** DEADLOCK *** + +1 lock held by blkid/26581: + #0: 0000000010fd154d ((&ax25->dtimer)){+.-.}, at: lockdep_copy_map include/linux/lockdep.h:175 [inline] + #0: 0000000010fd154d ((&ax25->dtimer)){+.-.}, at: call_timer_fn+0xe0/0x720 kernel/time/timer.c:1312 + +stack backtrace: +CPU: 1 PID: 26581 Comm: blkid Not tainted 5.2.0-rc3+ #32 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0x172/0x1f0 lib/dump_stack.c:113 + print_usage_bug.cold+0x393/0x4a2 kernel/locking/lockdep.c:2935 + valid_state kernel/locking/lockdep.c:2948 [inline] + mark_lock_irq kernel/locking/lockdep.c:3138 [inline] + mark_lock+0xd46/0x1370 kernel/locking/lockdep.c:3513 + mark_irqflags kernel/locking/lockdep.c:3391 [inline] + __lock_acquire+0x159f/0x5490 kernel/locking/lockdep.c:3745 + lock_acquire+0x16f/0x3f0 kernel/locking/lockdep.c:4303 + __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline] + _raw_spin_lock+0x2f/0x40 kernel/locking/spinlock.c:151 + spin_lock include/linux/spinlock.h:338 [inline] + ax25_destroy_timer+0x53/0xc0 net/ax25/af_ax25.c:275 + call_timer_fn+0x193/0x720 kernel/time/timer.c:1322 + expire_timers kernel/time/timer.c:1366 [inline] + __run_timers kernel/time/timer.c:1685 [inline] + __run_timers kernel/time/timer.c:1653 [inline] + run_timer_softirq+0x66f/0x1740 kernel/time/timer.c:1698 + __do_softirq+0x25c/0x94c kernel/softirq.c:293 + invoke_softirq kernel/softirq.c:374 [inline] + irq_exit+0x180/0x1d0 kernel/softirq.c:414 + exiting_irq arch/x86/include/asm/apic.h:536 [inline] + smp_apic_timer_interrupt+0x13b/0x550 arch/x86/kernel/apic/apic.c:1068 + apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:806 + +RIP: 0033:0x7f858d5c3232 +Code: 8b 61 08 48 8b 84 24 d8 00 00 00 4c 89 44 24 28 48 8b ac 24 d0 00 00 00 4c 8b b4 24 e8 00 00 00 48 89 7c 24 68 48 89 4c 24 78 <48> 89 44 24 58 8b 84 24 e0 00 00 00 89 84 24 84 00 00 00 8b 84 24 +RSP: 002b:00007ffcaf0cf5c0 EFLAGS: 00000206 ORIG_RAX: ffffffffffffff13 +RAX: 00007f858d7d27a8 RBX: 00007f858d7d8820 RCX: 00007f858d3940d8 +RDX: 00007ffcaf0cf798 RSI: 00000000f5e616f3 RDI: 00007f858d394fee +RBP: 0000000000000000 R08: 00007ffcaf0cf780 R09: 00007f858d7db480 +R10: 0000000000000000 R11: 0000000009691a75 R12: 0000000000000005 +R13: 00000000f5e616f3 R14: 0000000000000000 R15: 00007ffcaf0cf798 + +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ax25/ax25_route.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/net/ax25/ax25_route.c ++++ b/net/ax25/ax25_route.c +@@ -429,9 +429,11 @@ int ax25_rt_autobind(ax25_cb *ax25, ax25 + } + + if (ax25->sk != NULL) { ++ local_bh_disable(); + bh_lock_sock(ax25->sk); + sock_reset_flag(ax25->sk, SOCK_ZAPPED); + bh_unlock_sock(ax25->sk); ++ local_bh_enable(); + } + + put: diff --git a/queue-5.1/be2net-fix-number-of-rx-queues-used-for-flow-hashing.patch b/queue-5.1/be2net-fix-number-of-rx-queues-used-for-flow-hashing.patch new file mode 100644 index 00000000000..867876eec0d --- /dev/null +++ b/queue-5.1/be2net-fix-number-of-rx-queues-used-for-flow-hashing.patch @@ -0,0 +1,74 @@ +From foo@baz Wed 19 Jun 2019 02:33:45 PM CEST +From: Ivan Vecera +Date: Fri, 14 Jun 2019 17:48:36 +0200 +Subject: be2net: Fix number of Rx queues used for flow hashing + +From: Ivan Vecera + +[ Upstream commit 718f4a2537089ea41903bf357071306163bc7c04 ] + +Number of Rx queues used for flow hashing returned by the driver is +incorrect and this bug prevents user to use the last Rx queue in +indirection table. + +Let's say we have a NIC with 6 combined queues: + +[root@sm-03 ~]# ethtool -l enp4s0f0 +Channel parameters for enp4s0f0: +Pre-set maximums: +RX: 5 +TX: 5 +Other: 0 +Combined: 6 +Current hardware settings: +RX: 0 +TX: 0 +Other: 0 +Combined: 6 + +Default indirection table maps all (6) queues equally but the driver +reports only 5 rings available. + +[root@sm-03 ~]# ethtool -x enp4s0f0 +RX flow hash indirection table for enp4s0f0 with 5 RX ring(s): + 0: 0 1 2 3 4 5 0 1 + 8: 2 3 4 5 0 1 2 3 + 16: 4 5 0 1 2 3 4 5 + 24: 0 1 2 3 4 5 0 1 +... + +Now change indirection table somehow: + +[root@sm-03 ~]# ethtool -X enp4s0f0 weight 1 1 +[root@sm-03 ~]# ethtool -x enp4s0f0 +RX flow hash indirection table for enp4s0f0 with 6 RX ring(s): + 0: 0 0 0 0 0 0 0 0 +... + 64: 1 1 1 1 1 1 1 1 +... + +Now it is not possible to change mapping back to equal (default) state: + +[root@sm-03 ~]# ethtool -X enp4s0f0 equal 6 +Cannot set RX flow hash configuration: Invalid argument + +Fixes: 594ad54a2c3b ("be2net: Add support for setting and getting rx flow hash options") +Reported-by: Tianhao +Signed-off-by: Ivan Vecera +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/emulex/benet/be_ethtool.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/emulex/benet/be_ethtool.c ++++ b/drivers/net/ethernet/emulex/benet/be_ethtool.c +@@ -1105,7 +1105,7 @@ static int be_get_rxnfc(struct net_devic + cmd->data = be_get_rss_hash_opts(adapter, cmd->flow_type); + break; + case ETHTOOL_GRXRINGS: +- cmd->data = adapter->num_rx_qs - 1; ++ cmd->data = adapter->num_rx_qs; + break; + default: + return -EINVAL; diff --git a/queue-5.1/geneve-don-t-assume-linear-buffers-in-error-handler.patch b/queue-5.1/geneve-don-t-assume-linear-buffers-in-error-handler.patch new file mode 100644 index 00000000000..37e17dd3d21 --- /dev/null +++ b/queue-5.1/geneve-don-t-assume-linear-buffers-in-error-handler.patch @@ -0,0 +1,42 @@ +From foo@baz Wed 19 Jun 2019 02:33:45 PM CEST +From: Stefano Brivio +Date: Tue, 11 Jun 2019 00:27:06 +0200 +Subject: geneve: Don't assume linear buffers in error handler + +From: Stefano Brivio + +[ Upstream commit eccc73a6b2cb6c04bfbc40a0769f3c428dfba232 ] + +In commit a07966447f39 ("geneve: ICMP error lookup handler") I wrongly +assumed buffers from icmp_socket_deliver() would be linear. This is not +the case: icmp_socket_deliver() only guarantees we have 8 bytes of linear +data. + +Eric fixed this same issue for fou and fou6 in commits 26fc181e6cac +("fou, fou6: do not assume linear skbs") and 5355ed6388e2 ("fou, fou6: +avoid uninit-value in gue_err() and gue6_err()"). + +Use pskb_may_pull() instead of checking skb->len, and take into account +the fact we later access the GENEVE header with udp_hdr(), so we also +need to sum skb_transport_header() here. + +Reported-by: Guillaume Nault +Fixes: a07966447f39 ("geneve: ICMP error lookup handler") +Signed-off-by: Stefano Brivio +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/geneve.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/geneve.c ++++ b/drivers/net/geneve.c +@@ -396,7 +396,7 @@ static int geneve_udp_encap_err_lookup(s + u8 zero_vni[3] = { 0 }; + u8 *vni = zero_vni; + +- if (skb->len < GENEVE_BASE_HLEN) ++ if (!pskb_may_pull(skb, skb_transport_offset(skb) + GENEVE_BASE_HLEN)) + return -EINVAL; + + geneveh = geneve_hdr(skb); diff --git a/queue-5.1/hv_netvsc-set-probe-mode-to-sync.patch b/queue-5.1/hv_netvsc-set-probe-mode-to-sync.patch new file mode 100644 index 00000000000..9f94bbdb764 --- /dev/null +++ b/queue-5.1/hv_netvsc-set-probe-mode-to-sync.patch @@ -0,0 +1,32 @@ +From foo@baz Wed 19 Jun 2019 02:33:45 PM CEST +From: Haiyang Zhang +Date: Thu, 13 Jun 2019 21:06:53 +0000 +Subject: hv_netvsc: Set probe mode to sync + +From: Haiyang Zhang + +[ Upstream commit 9a33629ba6b26caebd73e3c581ba1e6068c696a7 ] + +For better consistency of synthetic NIC names, we set the probe mode to +PROBE_FORCE_SYNCHRONOUS. So the names can be aligned with the vmbus +channel offer sequence. + +Fixes: af0a5646cb8d ("use the new async probing feature for the hyperv drivers") +Signed-off-by: Haiyang Zhang +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/hyperv/netvsc_drv.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/hyperv/netvsc_drv.c ++++ b/drivers/net/hyperv/netvsc_drv.c +@@ -2414,7 +2414,7 @@ static struct hv_driver netvsc_drv = { + .probe = netvsc_probe, + .remove = netvsc_remove, + .driver = { +- .probe_type = PROBE_PREFER_ASYNCHRONOUS, ++ .probe_type = PROBE_FORCE_SYNCHRONOUS, + }, + }; + diff --git a/queue-5.1/ipv6-flowlabel-fl6_sock_lookup-must-use-atomic_inc_not_zero.patch b/queue-5.1/ipv6-flowlabel-fl6_sock_lookup-must-use-atomic_inc_not_zero.patch new file mode 100644 index 00000000000..59d6fa9e4cf --- /dev/null +++ b/queue-5.1/ipv6-flowlabel-fl6_sock_lookup-must-use-atomic_inc_not_zero.patch @@ -0,0 +1,47 @@ +From foo@baz Wed 19 Jun 2019 02:33:45 PM CEST +From: Eric Dumazet +Date: Thu, 6 Jun 2019 14:32:34 -0700 +Subject: ipv6: flowlabel: fl6_sock_lookup() must use atomic_inc_not_zero + +From: Eric Dumazet + +[ Upstream commit 65a3c497c0e965a552008db8bc2653f62bc925a1 ] + +Before taking a refcount, make sure the object is not already +scheduled for deletion. + +Same fix is needed in ipv6_flowlabel_opt() + +Fixes: 18367681a10b ("ipv6 flowlabel: Convert np->ipv6_fl_list to RCU.") +Signed-off-by: Eric Dumazet +Cc: Willem de Bruijn +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/ip6_flowlabel.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/net/ipv6/ip6_flowlabel.c ++++ b/net/ipv6/ip6_flowlabel.c +@@ -254,9 +254,9 @@ struct ip6_flowlabel *fl6_sock_lookup(st + rcu_read_lock_bh(); + for_each_sk_fl_rcu(np, sfl) { + struct ip6_flowlabel *fl = sfl->fl; +- if (fl->label == label) { ++ ++ if (fl->label == label && atomic_inc_not_zero(&fl->users)) { + fl->lastuse = jiffies; +- atomic_inc(&fl->users); + rcu_read_unlock_bh(); + return fl; + } +@@ -622,7 +622,8 @@ int ipv6_flowlabel_opt(struct sock *sk, + goto done; + } + fl1 = sfl->fl; +- atomic_inc(&fl1->users); ++ if (!atomic_inc_not_zero(&fl1->users)) ++ fl1 = NULL; + break; + } + } diff --git a/queue-5.1/lapb-fixed-leak-of-control-blocks.patch b/queue-5.1/lapb-fixed-leak-of-control-blocks.patch new file mode 100644 index 00000000000..493ecf6d7e9 --- /dev/null +++ b/queue-5.1/lapb-fixed-leak-of-control-blocks.patch @@ -0,0 +1,42 @@ +From foo@baz Wed 19 Jun 2019 02:33:45 PM CEST +From: Jeremy Sowden +Date: Sun, 16 Jun 2019 16:54:37 +0100 +Subject: lapb: fixed leak of control-blocks. + +From: Jeremy Sowden + +[ Upstream commit 6be8e297f9bcea666ea85ac7a6cd9d52d6deaf92 ] + +lapb_register calls lapb_create_cb, which initializes the control- +block's ref-count to one, and __lapb_insert_cb, which increments it when +adding the new block to the list of blocks. + +lapb_unregister calls __lapb_remove_cb, which decrements the ref-count +when removing control-block from the list of blocks, and calls lapb_put +itself to decrement the ref-count before returning. + +However, lapb_unregister also calls __lapb_devtostruct to look up the +right control-block for the given net_device, and __lapb_devtostruct +also bumps the ref-count, which means that when lapb_unregister returns +the ref-count is still 1 and the control-block is leaked. + +Call lapb_put after __lapb_devtostruct to fix leak. + +Reported-by: syzbot+afb980676c836b4a0afa@syzkaller.appspotmail.com +Signed-off-by: Jeremy Sowden +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/lapb/lapb_iface.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/lapb/lapb_iface.c ++++ b/net/lapb/lapb_iface.c +@@ -182,6 +182,7 @@ int lapb_unregister(struct net_device *d + lapb = __lapb_devtostruct(dev); + if (!lapb) + goto out; ++ lapb_put(lapb); + + lapb_stop_t1timer(lapb); + lapb_stop_t2timer(lapb); diff --git a/queue-5.1/mlxsw-spectrum_buffers-reduce-pool-size-on-spectrum-2.patch b/queue-5.1/mlxsw-spectrum_buffers-reduce-pool-size-on-spectrum-2.patch new file mode 100644 index 00000000000..10908481500 --- /dev/null +++ b/queue-5.1/mlxsw-spectrum_buffers-reduce-pool-size-on-spectrum-2.patch @@ -0,0 +1,41 @@ +From foo@baz Wed 19 Jun 2019 02:33:45 PM CEST +From: Petr Machata +Date: Tue, 11 Jun 2019 10:19:45 +0300 +Subject: mlxsw: spectrum_buffers: Reduce pool size on Spectrum-2 + +From: Petr Machata + +Due to an issue on Spectrum-2, in front-panel ports split four ways, 2 out +of 32 port buffers cannot be used. To work around this, the next FW release +will mark them as unused, and will report correspondingly lower total +shared buffer size. mlxsw will pick up the new value through a query to +cap_total_buffer_size resource. However the initial size for shared buffer +pool 0 is hard-coded and therefore needs to be updated. + +Thus reduce the pool size by 2.7 MiB (which corresponds to 2/32 of the +total size of 42 MiB), and round down to the whole number of cells. + +Fixes: fe099bf682ab ("mlxsw: spectrum_buffers: Add Spectrum-2 shared buffer configuration") +Signed-off-by: Petr Machata +Acked-by: Jiri Pirko +Signed-off-by: Ido Schimmel +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlxsw/spectrum_buffers.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_buffers.c ++++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_buffers.c +@@ -411,9 +411,9 @@ static const struct mlxsw_sp_sb_pr mlxsw + MLXSW_SP_SB_PR(MLXSW_REG_SBPR_MODE_STATIC, MLXSW_SP_SB_INFI), + }; + +-#define MLXSW_SP2_SB_PR_INGRESS_SIZE 40960000 ++#define MLXSW_SP2_SB_PR_INGRESS_SIZE 38128752 ++#define MLXSW_SP2_SB_PR_EGRESS_SIZE 38128752 + #define MLXSW_SP2_SB_PR_INGRESS_MNG_SIZE (200 * 1000) +-#define MLXSW_SP2_SB_PR_EGRESS_SIZE 40960000 + + static const struct mlxsw_sp_sb_pr mlxsw_sp2_sb_prs[] = { + /* Ingress pools. */ diff --git a/queue-5.1/mlxsw-spectrum_flower-fix-tos-matching.patch b/queue-5.1/mlxsw-spectrum_flower-fix-tos-matching.patch new file mode 100644 index 00000000000..760441633ba --- /dev/null +++ b/queue-5.1/mlxsw-spectrum_flower-fix-tos-matching.patch @@ -0,0 +1,32 @@ +From foo@baz Wed 19 Jun 2019 02:33:45 PM CEST +From: Jiri Pirko +Date: Tue, 11 Jun 2019 10:19:43 +0300 +Subject: mlxsw: spectrum_flower: Fix TOS matching + +From: Jiri Pirko + +The TOS value was not extracted correctly. Fix it. + +Fixes: 87996f91f739 ("mlxsw: spectrum_flower: Add support for ip tos") +Reported-by: Alexander Petrovskiy +Signed-off-by: Jiri Pirko +Signed-off-by: Ido Schimmel +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlxsw/spectrum_flower.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_flower.c ++++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_flower.c +@@ -247,8 +247,8 @@ static int mlxsw_sp_flower_parse_ip(stru + match.mask->tos & 0x3); + + mlxsw_sp_acl_rulei_keymask_u32(rulei, MLXSW_AFK_ELEMENT_IP_DSCP, +- match.key->tos >> 6, +- match.mask->tos >> 6); ++ match.key->tos >> 2, ++ match.mask->tos >> 2); + + return 0; + } diff --git a/queue-5.1/mlxsw-spectrum_router-refresh-nexthop-neighbour-when-it-becomes-dead.patch b/queue-5.1/mlxsw-spectrum_router-refresh-nexthop-neighbour-when-it-becomes-dead.patch new file mode 100644 index 00000000000..c0847ce24d6 --- /dev/null +++ b/queue-5.1/mlxsw-spectrum_router-refresh-nexthop-neighbour-when-it-becomes-dead.patch @@ -0,0 +1,134 @@ +From foo@baz Wed 19 Jun 2019 02:33:45 PM CEST +From: Ido Schimmel +Date: Tue, 11 Jun 2019 10:19:41 +0300 +Subject: mlxsw: spectrum_router: Refresh nexthop neighbour when it becomes dead + +From: Ido Schimmel + +The driver tries to periodically refresh neighbours that are used to +reach nexthops. This is done by periodically calling neigh_event_send(). + +However, if the neighbour becomes dead, there is nothing we can do to +return it to a connected state and the above function call is basically +a NOP. + +This results in the nexthop never being written to the device's +adjacency table and therefore never used to forward packets. + +Fix this by dropping our reference from the dead neighbour and +associating the nexthop with a new neigbhour which we will try to +refresh. + +Fixes: a7ff87acd995 ("mlxsw: spectrum_router: Implement next-hop routing") +Signed-off-by: Ido Schimmel +Reported-by: Alex Veber +Tested-by: Alex Veber +Acked-by: Jiri Pirko +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c | 73 +++++++++++++++++- + 1 file changed, 70 insertions(+), 3 deletions(-) + +--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c ++++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c +@@ -2363,7 +2363,7 @@ static void mlxsw_sp_router_probe_unreso + static void + mlxsw_sp_nexthop_neigh_update(struct mlxsw_sp *mlxsw_sp, + struct mlxsw_sp_neigh_entry *neigh_entry, +- bool removing); ++ bool removing, bool dead); + + static enum mlxsw_reg_rauht_op mlxsw_sp_rauht_op(bool adding) + { +@@ -2494,7 +2494,8 @@ static void mlxsw_sp_router_neigh_event_ + + memcpy(neigh_entry->ha, ha, ETH_ALEN); + mlxsw_sp_neigh_entry_update(mlxsw_sp, neigh_entry, entry_connected); +- mlxsw_sp_nexthop_neigh_update(mlxsw_sp, neigh_entry, !entry_connected); ++ mlxsw_sp_nexthop_neigh_update(mlxsw_sp, neigh_entry, !entry_connected, ++ dead); + + if (!neigh_entry->connected && list_empty(&neigh_entry->nexthop_list)) + mlxsw_sp_neigh_entry_destroy(mlxsw_sp, neigh_entry); +@@ -3458,13 +3459,79 @@ static void __mlxsw_sp_nexthop_neigh_upd + nh->update = 1; + } + ++static int ++mlxsw_sp_nexthop_dead_neigh_replace(struct mlxsw_sp *mlxsw_sp, ++ struct mlxsw_sp_neigh_entry *neigh_entry) ++{ ++ struct neighbour *n, *old_n = neigh_entry->key.n; ++ struct mlxsw_sp_nexthop *nh; ++ bool entry_connected; ++ u8 nud_state, dead; ++ int err; ++ ++ nh = list_first_entry(&neigh_entry->nexthop_list, ++ struct mlxsw_sp_nexthop, neigh_list_node); ++ ++ n = neigh_lookup(nh->nh_grp->neigh_tbl, &nh->gw_addr, nh->rif->dev); ++ if (!n) { ++ n = neigh_create(nh->nh_grp->neigh_tbl, &nh->gw_addr, ++ nh->rif->dev); ++ if (IS_ERR(n)) ++ return PTR_ERR(n); ++ neigh_event_send(n, NULL); ++ } ++ ++ mlxsw_sp_neigh_entry_remove(mlxsw_sp, neigh_entry); ++ neigh_entry->key.n = n; ++ err = mlxsw_sp_neigh_entry_insert(mlxsw_sp, neigh_entry); ++ if (err) ++ goto err_neigh_entry_insert; ++ ++ read_lock_bh(&n->lock); ++ nud_state = n->nud_state; ++ dead = n->dead; ++ read_unlock_bh(&n->lock); ++ entry_connected = nud_state & NUD_VALID && !dead; ++ ++ list_for_each_entry(nh, &neigh_entry->nexthop_list, ++ neigh_list_node) { ++ neigh_release(old_n); ++ neigh_clone(n); ++ __mlxsw_sp_nexthop_neigh_update(nh, !entry_connected); ++ mlxsw_sp_nexthop_group_refresh(mlxsw_sp, nh->nh_grp); ++ } ++ ++ neigh_release(n); ++ ++ return 0; ++ ++err_neigh_entry_insert: ++ neigh_entry->key.n = old_n; ++ mlxsw_sp_neigh_entry_insert(mlxsw_sp, neigh_entry); ++ neigh_release(n); ++ return err; ++} ++ + static void + mlxsw_sp_nexthop_neigh_update(struct mlxsw_sp *mlxsw_sp, + struct mlxsw_sp_neigh_entry *neigh_entry, +- bool removing) ++ bool removing, bool dead) + { + struct mlxsw_sp_nexthop *nh; + ++ if (list_empty(&neigh_entry->nexthop_list)) ++ return; ++ ++ if (dead) { ++ int err; ++ ++ err = mlxsw_sp_nexthop_dead_neigh_replace(mlxsw_sp, ++ neigh_entry); ++ if (err) ++ dev_err(mlxsw_sp->bus_info->dev, "Failed to replace dead neigh\n"); ++ return; ++ } ++ + list_for_each_entry(nh, &neigh_entry->nexthop_list, + neigh_list_node) { + __mlxsw_sp_nexthop_neigh_update(nh, removing); diff --git a/queue-5.1/neigh-fix-use-after-free-read-in-pneigh_get_next.patch b/queue-5.1/neigh-fix-use-after-free-read-in-pneigh_get_next.patch new file mode 100644 index 00000000000..697d3ecf904 --- /dev/null +++ b/queue-5.1/neigh-fix-use-after-free-read-in-pneigh_get_next.patch @@ -0,0 +1,185 @@ +From foo@baz Wed 19 Jun 2019 02:33:45 PM CEST +From: Eric Dumazet +Date: Sat, 15 Jun 2019 16:28:48 -0700 +Subject: neigh: fix use-after-free read in pneigh_get_next + +From: Eric Dumazet + +[ Upstream commit f3e92cb8e2eb8c27d109e6fd73d3a69a8c09e288 ] + +Nine years ago, I added RCU handling to neighbours, not pneighbours. +(pneigh are not commonly used) + +Unfortunately I missed that /proc dump operations would use a +common entry and exit point : neigh_seq_start() and neigh_seq_stop() + +We need to read_lock(tbl->lock) or risk use-after-free while +iterating the pneigh structures. + +We might later convert pneigh to RCU and revert this patch. + +sysbot reported : + +BUG: KASAN: use-after-free in pneigh_get_next.isra.0+0x24b/0x280 net/core/neighbour.c:3158 +Read of size 8 at addr ffff888097f2a700 by task syz-executor.0/9825 + +CPU: 1 PID: 9825 Comm: syz-executor.0 Not tainted 5.2.0-rc4+ #32 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0x172/0x1f0 lib/dump_stack.c:113 + print_address_description.cold+0x7c/0x20d mm/kasan/report.c:188 + __kasan_report.cold+0x1b/0x40 mm/kasan/report.c:317 + kasan_report+0x12/0x20 mm/kasan/common.c:614 + __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:132 + pneigh_get_next.isra.0+0x24b/0x280 net/core/neighbour.c:3158 + neigh_seq_next+0xdb/0x210 net/core/neighbour.c:3240 + seq_read+0x9cf/0x1110 fs/seq_file.c:258 + proc_reg_read+0x1fc/0x2c0 fs/proc/inode.c:221 + do_loop_readv_writev fs/read_write.c:714 [inline] + do_loop_readv_writev fs/read_write.c:701 [inline] + do_iter_read+0x4a4/0x660 fs/read_write.c:935 + vfs_readv+0xf0/0x160 fs/read_write.c:997 + kernel_readv fs/splice.c:359 [inline] + default_file_splice_read+0x475/0x890 fs/splice.c:414 + do_splice_to+0x127/0x180 fs/splice.c:877 + splice_direct_to_actor+0x2d2/0x970 fs/splice.c:954 + do_splice_direct+0x1da/0x2a0 fs/splice.c:1063 + do_sendfile+0x597/0xd00 fs/read_write.c:1464 + __do_sys_sendfile64 fs/read_write.c:1525 [inline] + __se_sys_sendfile64 fs/read_write.c:1511 [inline] + __x64_sys_sendfile64+0x1dd/0x220 fs/read_write.c:1511 + do_syscall_64+0xfd/0x680 arch/x86/entry/common.c:301 + entry_SYSCALL_64_after_hwframe+0x49/0xbe +RIP: 0033:0x4592c9 +Code: fd b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 +RSP: 002b:00007f4aab51dc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000028 +RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00000000004592c9 +RDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000000000000005 +RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000080000000 R11: 0000000000000246 R12: 00007f4aab51e6d4 +R13: 00000000004c689d R14: 00000000004db828 R15: 00000000ffffffff + +Allocated by task 9827: + save_stack+0x23/0x90 mm/kasan/common.c:71 + set_track mm/kasan/common.c:79 [inline] + __kasan_kmalloc mm/kasan/common.c:489 [inline] + __kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:462 + kasan_kmalloc+0x9/0x10 mm/kasan/common.c:503 + __do_kmalloc mm/slab.c:3660 [inline] + __kmalloc+0x15c/0x740 mm/slab.c:3669 + kmalloc include/linux/slab.h:552 [inline] + pneigh_lookup+0x19c/0x4a0 net/core/neighbour.c:731 + arp_req_set_public net/ipv4/arp.c:1010 [inline] + arp_req_set+0x613/0x720 net/ipv4/arp.c:1026 + arp_ioctl+0x652/0x7f0 net/ipv4/arp.c:1226 + inet_ioctl+0x2a0/0x340 net/ipv4/af_inet.c:926 + sock_do_ioctl+0xd8/0x2f0 net/socket.c:1043 + sock_ioctl+0x3ed/0x780 net/socket.c:1194 + vfs_ioctl fs/ioctl.c:46 [inline] + file_ioctl fs/ioctl.c:509 [inline] + do_vfs_ioctl+0xd5f/0x1380 fs/ioctl.c:696 + ksys_ioctl+0xab/0xd0 fs/ioctl.c:713 + __do_sys_ioctl fs/ioctl.c:720 [inline] + __se_sys_ioctl fs/ioctl.c:718 [inline] + __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:718 + do_syscall_64+0xfd/0x680 arch/x86/entry/common.c:301 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + +Freed by task 9824: + save_stack+0x23/0x90 mm/kasan/common.c:71 + set_track mm/kasan/common.c:79 [inline] + __kasan_slab_free+0x102/0x150 mm/kasan/common.c:451 + kasan_slab_free+0xe/0x10 mm/kasan/common.c:459 + __cache_free mm/slab.c:3432 [inline] + kfree+0xcf/0x220 mm/slab.c:3755 + pneigh_ifdown_and_unlock net/core/neighbour.c:812 [inline] + __neigh_ifdown+0x236/0x2f0 net/core/neighbour.c:356 + neigh_ifdown+0x20/0x30 net/core/neighbour.c:372 + arp_ifdown+0x1d/0x21 net/ipv4/arp.c:1274 + inetdev_destroy net/ipv4/devinet.c:319 [inline] + inetdev_event+0xa14/0x11f0 net/ipv4/devinet.c:1544 + notifier_call_chain+0xc2/0x230 kernel/notifier.c:95 + __raw_notifier_call_chain kernel/notifier.c:396 [inline] + raw_notifier_call_chain+0x2e/0x40 kernel/notifier.c:403 + call_netdevice_notifiers_info+0x3f/0x90 net/core/dev.c:1749 + call_netdevice_notifiers_extack net/core/dev.c:1761 [inline] + call_netdevice_notifiers net/core/dev.c:1775 [inline] + rollback_registered_many+0x9b9/0xfc0 net/core/dev.c:8178 + rollback_registered+0x109/0x1d0 net/core/dev.c:8220 + unregister_netdevice_queue net/core/dev.c:9267 [inline] + unregister_netdevice_queue+0x1ee/0x2c0 net/core/dev.c:9260 + unregister_netdevice include/linux/netdevice.h:2631 [inline] + __tun_detach+0xd8a/0x1040 drivers/net/tun.c:724 + tun_detach drivers/net/tun.c:741 [inline] + tun_chr_close+0xe0/0x180 drivers/net/tun.c:3451 + __fput+0x2ff/0x890 fs/file_table.c:280 + ____fput+0x16/0x20 fs/file_table.c:313 + task_work_run+0x145/0x1c0 kernel/task_work.c:113 + tracehook_notify_resume include/linux/tracehook.h:185 [inline] + exit_to_usermode_loop+0x273/0x2c0 arch/x86/entry/common.c:168 + prepare_exit_to_usermode arch/x86/entry/common.c:199 [inline] + syscall_return_slowpath arch/x86/entry/common.c:279 [inline] + do_syscall_64+0x58e/0x680 arch/x86/entry/common.c:304 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + +The buggy address belongs to the object at ffff888097f2a700 + which belongs to the cache kmalloc-64 of size 64 +The buggy address is located 0 bytes inside of + 64-byte region [ffff888097f2a700, ffff888097f2a740) +The buggy address belongs to the page: +page:ffffea00025fca80 refcount:1 mapcount:0 mapping:ffff8880aa400340 index:0x0 +flags: 0x1fffc0000000200(slab) +raw: 01fffc0000000200 ffffea000250d548 ffffea00025726c8 ffff8880aa400340 +raw: 0000000000000000 ffff888097f2a000 0000000100000020 0000000000000000 +page dumped because: kasan: bad access detected + +Memory state around the buggy address: + ffff888097f2a600: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc + ffff888097f2a680: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc +>ffff888097f2a700: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc + ^ + ffff888097f2a780: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc + ffff888097f2a800: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc + +Fixes: 767e97e1e0db ("neigh: RCU conversion of struct neighbour") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/core/neighbour.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/net/core/neighbour.c ++++ b/net/core/neighbour.c +@@ -3199,6 +3199,7 @@ static void *neigh_get_idx_any(struct se + } + + void *neigh_seq_start(struct seq_file *seq, loff_t *pos, struct neigh_table *tbl, unsigned int neigh_seq_flags) ++ __acquires(tbl->lock) + __acquires(rcu_bh) + { + struct neigh_seq_state *state = seq->private; +@@ -3209,6 +3210,7 @@ void *neigh_seq_start(struct seq_file *s + + rcu_read_lock_bh(); + state->nht = rcu_dereference_bh(tbl->nht); ++ read_lock(&tbl->lock); + + return *pos ? neigh_get_idx_any(seq, pos) : SEQ_START_TOKEN; + } +@@ -3242,8 +3244,13 @@ out: + EXPORT_SYMBOL(neigh_seq_next); + + void neigh_seq_stop(struct seq_file *seq, void *v) ++ __releases(tbl->lock) + __releases(rcu_bh) + { ++ struct neigh_seq_state *state = seq->private; ++ struct neigh_table *tbl = state->tbl; ++ ++ read_unlock(&tbl->lock); + rcu_read_unlock_bh(); + } + EXPORT_SYMBOL(neigh_seq_stop); diff --git a/queue-5.1/net-correct-udp-zerocopy-refcnt-also-when-zerocopy-only-on-append.patch b/queue-5.1/net-correct-udp-zerocopy-refcnt-also-when-zerocopy-only-on-append.patch new file mode 100644 index 00000000000..207fc3e8d6a --- /dev/null +++ b/queue-5.1/net-correct-udp-zerocopy-refcnt-also-when-zerocopy-only-on-append.patch @@ -0,0 +1,54 @@ +From foo@baz Wed 19 Jun 2019 02:33:45 PM CEST +From: Willem de Bruijn +Date: Fri, 7 Jun 2019 17:57:48 -0400 +Subject: net: correct udp zerocopy refcnt also when zerocopy only on append + +From: Willem de Bruijn + +[ Upstream commit 522924b583082f51b8a2406624a2f27c22119b20 ] + +The below patch fixes an incorrect zerocopy refcnt increment when +appending with MSG_MORE to an existing zerocopy udp skb. + + send(.., MSG_ZEROCOPY | MSG_MORE); // refcnt 1 + send(.., MSG_ZEROCOPY | MSG_MORE); // refcnt still 1 (bar frags) + +But it missed that zerocopy need not be passed at the first send. The +right test whether the uarg is newly allocated and thus has extra +refcnt 1 is not !skb, but !skb_zcopy. + + send(.., MSG_MORE); // + send(.., MSG_ZEROCOPY); // refcnt 1 + +Fixes: 100f6d8e09905 ("net: correct zerocopy refcnt with udp MSG_MORE") +Reported-by: syzbot +Signed-off-by: Willem de Bruijn +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/ip_output.c | 2 +- + net/ipv6/ip6_output.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +--- a/net/ipv4/ip_output.c ++++ b/net/ipv4/ip_output.c +@@ -923,7 +923,7 @@ static int __ip_append_data(struct sock + uarg = sock_zerocopy_realloc(sk, length, skb_zcopy(skb)); + if (!uarg) + return -ENOBUFS; +- extra_uref = !skb; /* only extra ref if !MSG_MORE */ ++ extra_uref = !skb_zcopy(skb); /* only ref on new uarg */ + if (rt->dst.dev->features & NETIF_F_SG && + csummode == CHECKSUM_PARTIAL) { + paged = true; +--- a/net/ipv6/ip6_output.c ++++ b/net/ipv6/ip6_output.c +@@ -1344,7 +1344,7 @@ emsgsize: + uarg = sock_zerocopy_realloc(sk, length, skb_zcopy(skb)); + if (!uarg) + return -ENOBUFS; +- extra_uref = !skb; /* only extra ref if !MSG_MORE */ ++ extra_uref = !skb_zcopy(skb); /* only ref on new uarg */ + if (rt->dst.dev->features & NETIF_F_SG && + csummode == CHECKSUM_PARTIAL) { + paged = true; diff --git a/queue-5.1/net-dsa-microchip-don-t-try-to-read-stats-for-unused-ports.patch b/queue-5.1/net-dsa-microchip-don-t-try-to-read-stats-for-unused-ports.patch new file mode 100644 index 00000000000..5cd6516cb57 --- /dev/null +++ b/queue-5.1/net-dsa-microchip-don-t-try-to-read-stats-for-unused-ports.patch @@ -0,0 +1,37 @@ +From foo@baz Wed 19 Jun 2019 02:33:45 PM CEST +From: Robert Hancock +Date: Wed, 12 Jun 2019 14:33:32 -0600 +Subject: net: dsa: microchip: Don't try to read stats for unused ports + +From: Robert Hancock + +[ Upstream commit 6bb9e376c2a4cc5120c3bf5fd3048b9a0a6ec1f8 ] + +If some of the switch ports were not listed in the device tree, due to +being unused, the ksz_mib_read_work function ended up accessing a NULL +dp->slave pointer and causing an oops. Skip checking statistics for any +unused ports. + +Fixes: 7c6ff470aa867f53 ("net: dsa: microchip: add MIB counter reading support") +Signed-off-by: Robert Hancock +Reviewed-by: Vivien Didelot +Reviewed-by: Andrew Lunn +Reviewed-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/dsa/microchip/ksz_common.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/net/dsa/microchip/ksz_common.c ++++ b/drivers/net/dsa/microchip/ksz_common.c +@@ -83,6 +83,9 @@ static void ksz_mib_read_work(struct wor + int i; + + for (i = 0; i < dev->mib_port_cnt; i++) { ++ if (dsa_is_unused_port(dev->ds, i)) ++ continue; ++ + p = &dev->ports[i]; + mib = &p->mib; + mutex_lock(&mib->cnt_mutex); diff --git a/queue-5.1/net-dsa-rtl8366-fix-up-vlan-filtering.patch b/queue-5.1/net-dsa-rtl8366-fix-up-vlan-filtering.patch new file mode 100644 index 00000000000..c93a8432029 --- /dev/null +++ b/queue-5.1/net-dsa-rtl8366-fix-up-vlan-filtering.patch @@ -0,0 +1,60 @@ +From foo@baz Wed 19 Jun 2019 02:33:45 PM CEST +From: Linus Walleij +Date: Fri, 14 Jun 2019 00:25:20 +0200 +Subject: net: dsa: rtl8366: Fix up VLAN filtering + +From: Linus Walleij + +[ Upstream commit 760c80b70bed2cd01630e8595d1bbde910339f31 ] + +We get this regression when using RTL8366RB as part of a bridge +with OpenWrt: + +WARNING: CPU: 0 PID: 1347 at net/switchdev/switchdev.c:291 + switchdev_port_attr_set_now+0x80/0xa4 +lan0: Commit of attribute (id=7) failed. +(...) +realtek-smi switch lan0: failed to initialize vlan filtering on this port + +This is because it is trying to disable VLAN filtering +on VLAN0, as we have forgot to add 1 to the port number +to get the right VLAN in rtl8366_vlan_filtering(): when +we initialize the VLAN we associate VLAN1 with port 0, +VLAN2 with port 1 etc, so we need to add 1 to the port +offset. + +Fixes: d8652956cf37 ("net: dsa: realtek-smi: Add Realtek SMI driver") +Signed-off-by: Linus Walleij +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/dsa/rtl8366.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/drivers/net/dsa/rtl8366.c ++++ b/drivers/net/dsa/rtl8366.c +@@ -307,7 +307,8 @@ int rtl8366_vlan_filtering(struct dsa_sw + struct rtl8366_vlan_4k vlan4k; + int ret; + +- if (!smi->ops->is_vlan_valid(smi, port)) ++ /* Use VLAN nr port + 1 since VLAN0 is not valid */ ++ if (!smi->ops->is_vlan_valid(smi, port + 1)) + return -EINVAL; + + dev_info(smi->dev, "%s filtering on port %d\n", +@@ -318,12 +319,12 @@ int rtl8366_vlan_filtering(struct dsa_sw + * The hardware support filter ID (FID) 0..7, I have no clue how to + * support this in the driver when the callback only says on/off. + */ +- ret = smi->ops->get_vlan_4k(smi, port, &vlan4k); ++ ret = smi->ops->get_vlan_4k(smi, port + 1, &vlan4k); + if (ret) + return ret; + + /* Just set the filter to FID 1 for now then */ +- ret = rtl8366_set_vlan(smi, port, ++ ret = rtl8366_set_vlan(smi, port + 1, + vlan4k.member, + vlan4k.untag, + 1); diff --git a/queue-5.1/net-ethtool-allow-matching-on-vlan-dei-bit.patch b/queue-5.1/net-ethtool-allow-matching-on-vlan-dei-bit.patch new file mode 100644 index 00000000000..d4ce76a7a59 --- /dev/null +++ b/queue-5.1/net-ethtool-allow-matching-on-vlan-dei-bit.patch @@ -0,0 +1,57 @@ +From foo@baz Wed 19 Jun 2019 02:33:45 PM CEST +From: Maxime Chevallier +Date: Wed, 12 Jun 2019 17:18:38 +0200 +Subject: net: ethtool: Allow matching on vlan DEI bit + +From: Maxime Chevallier + +[ Upstream commit f0d2ca1531377e7da888913e277eefac05a59b6f ] + +Using ethtool, users can specify a classification action matching on the +full vlan tag, which includes the DEI bit (also previously called CFI). + +However, when converting the ethool_flow_spec to a flow_rule, we use +dissector keys to represent the matching patterns. + +Since the vlan dissector key doesn't include the DEI bit, this +information was silently discarded when translating the ethtool +flow spec in to a flow_rule. + +This commit adds the DEI bit into the vlan dissector key, and allows +propagating the information to the driver when parsing the ethtool flow +spec. + +Fixes: eca4205f9ec3 ("ethtool: add ethtool_rx_flow_spec to flow_rule structure translator") +Reported-by: Michał Mirosław +Signed-off-by: Maxime Chevallier +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/net/flow_dissector.h | 1 + + net/core/ethtool.c | 5 +++++ + 2 files changed, 6 insertions(+) + +--- a/include/net/flow_dissector.h ++++ b/include/net/flow_dissector.h +@@ -46,6 +46,7 @@ struct flow_dissector_key_tags { + + struct flow_dissector_key_vlan { + u16 vlan_id:12, ++ vlan_dei:1, + vlan_priority:3; + __be16 vlan_tpid; + }; +--- a/net/core/ethtool.c ++++ b/net/core/ethtool.c +@@ -3022,6 +3022,11 @@ ethtool_rx_flow_rule_create(const struct + match->mask.vlan.vlan_id = + ntohs(ext_m_spec->vlan_tci) & 0x0fff; + ++ match->key.vlan.vlan_dei = ++ !!(ext_h_spec->vlan_tci & htons(0x1000)); ++ match->mask.vlan.vlan_dei = ++ !!(ext_m_spec->vlan_tci & htons(0x1000)); ++ + match->key.vlan.vlan_priority = + (ntohs(ext_h_spec->vlan_tci) & 0xe000) >> 13; + match->mask.vlan.vlan_priority = diff --git a/queue-5.1/net-mlx5-avoid-reloading-already-removed-devices.patch b/queue-5.1/net-mlx5-avoid-reloading-already-removed-devices.patch new file mode 100644 index 00000000000..6b94952e2d8 --- /dev/null +++ b/queue-5.1/net-mlx5-avoid-reloading-already-removed-devices.patch @@ -0,0 +1,61 @@ +From foo@baz Wed 19 Jun 2019 02:33:45 PM CEST +From: Alaa Hleihel +Date: Sun, 19 May 2019 11:11:49 +0300 +Subject: net/mlx5: Avoid reloading already removed devices + +From: Alaa Hleihel + +Prior to reloading a device we must first verify that it was not already +removed. Otherwise, the attempt to remove the device will do nothing, and +in that case we will end up proceeding with adding an new device that no +one was expecting to remove, leaving behind used resources such as EQs that +causes a failure to destroy comp EQs and syndrome (0x30f433). + +Fix that by making sure that we try to remove and add a device (based on a +protocol) only if the device is already added. + +Fixes: c5447c70594b ("net/mlx5: E-Switch, Reload IB interface when switching devlink modes") +Signed-off-by: Alaa Hleihel +Signed-off-by: Saeed Mahameed +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlx5/core/dev.c | 25 +++++++++++++++++++++++-- + 1 file changed, 23 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/mellanox/mlx5/core/dev.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/dev.c +@@ -248,11 +248,32 @@ void mlx5_unregister_interface(struct ml + } + EXPORT_SYMBOL(mlx5_unregister_interface); + ++/* Must be called with intf_mutex held */ ++static bool mlx5_has_added_dev_by_protocol(struct mlx5_core_dev *mdev, int protocol) ++{ ++ struct mlx5_device_context *dev_ctx; ++ struct mlx5_interface *intf; ++ bool found = false; ++ ++ list_for_each_entry(intf, &intf_list, list) { ++ if (intf->protocol == protocol) { ++ dev_ctx = mlx5_get_device(intf, &mdev->priv); ++ if (dev_ctx && test_bit(MLX5_INTERFACE_ADDED, &dev_ctx->state)) ++ found = true; ++ break; ++ } ++ } ++ ++ return found; ++} ++ + void mlx5_reload_interface(struct mlx5_core_dev *mdev, int protocol) + { + mutex_lock(&mlx5_intf_mutex); +- mlx5_remove_dev_by_protocol(mdev, protocol); +- mlx5_add_dev_by_protocol(mdev, protocol); ++ if (mlx5_has_added_dev_by_protocol(mdev, protocol)) { ++ mlx5_remove_dev_by_protocol(mdev, protocol); ++ mlx5_add_dev_by_protocol(mdev, protocol); ++ } + mutex_unlock(&mlx5_intf_mutex); + } + diff --git a/queue-5.1/net-mlx5-update-pci-error-handler-entries-and-command-translation.patch b/queue-5.1/net-mlx5-update-pci-error-handler-entries-and-command-translation.patch new file mode 100644 index 00000000000..c3a26f27824 --- /dev/null +++ b/queue-5.1/net-mlx5-update-pci-error-handler-entries-and-command-translation.patch @@ -0,0 +1,46 @@ +From foo@baz Wed 19 Jun 2019 02:33:45 PM CEST +From: Edward Srouji +Date: Thu, 23 May 2019 19:45:38 +0300 +Subject: net/mlx5: Update pci error handler entries and command translation + +From: Edward Srouji + +Add missing entries for create/destroy UCTX and UMEM commands. +This could get us wrong "unknown FW command" error in flows +where we unbind the device or reset the driver. + +Also the translation of these commands from opcodes to string +was missing. + +Fixes: 6e3722baac04 ("IB/mlx5: Use the correct commands for UMEM and UCTX allocation") +Signed-off-by: Edward Srouji +Signed-off-by: Saeed Mahameed +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlx5/core/cmd.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c +@@ -441,6 +441,10 @@ static int mlx5_internal_err_ret_value(s + case MLX5_CMD_OP_CREATE_GENERAL_OBJECT: + case MLX5_CMD_OP_MODIFY_GENERAL_OBJECT: + case MLX5_CMD_OP_QUERY_GENERAL_OBJECT: ++ case MLX5_CMD_OP_CREATE_UCTX: ++ case MLX5_CMD_OP_DESTROY_UCTX: ++ case MLX5_CMD_OP_CREATE_UMEM: ++ case MLX5_CMD_OP_DESTROY_UMEM: + case MLX5_CMD_OP_ALLOC_MEMIC: + *status = MLX5_DRIVER_STATUS_ABORTED; + *synd = MLX5_DRIVER_SYND; +@@ -629,6 +633,10 @@ const char *mlx5_command_str(int command + MLX5_COMMAND_STR_CASE(ALLOC_MEMIC); + MLX5_COMMAND_STR_CASE(DEALLOC_MEMIC); + MLX5_COMMAND_STR_CASE(QUERY_HOST_PARAMS); ++ MLX5_COMMAND_STR_CASE(CREATE_UCTX); ++ MLX5_COMMAND_STR_CASE(DESTROY_UCTX); ++ MLX5_COMMAND_STR_CASE(CREATE_UMEM); ++ MLX5_COMMAND_STR_CASE(DESTROY_UMEM); + default: return "unknown command opcode"; + } + } diff --git a/queue-5.1/net-mlx5e-add-ndo_set_feature-for-uplink-representor.patch b/queue-5.1/net-mlx5e-add-ndo_set_feature-for-uplink-representor.patch new file mode 100644 index 00000000000..3a508af90b3 --- /dev/null +++ b/queue-5.1/net-mlx5e-add-ndo_set_feature-for-uplink-representor.patch @@ -0,0 +1,82 @@ +From foo@baz Wed 19 Jun 2019 02:33:45 PM CEST +From: Chris Mi +Date: Thu, 16 May 2019 17:36:43 +0800 +Subject: net/mlx5e: Add ndo_set_feature for uplink representor + +From: Chris Mi + +After we have a dedicated uplink representor, the new netdev ops +doesn't support ndo_set_feature. Because of that, we can't change +some features, eg. rxvlan. Now add it back. + +In this patch, I also do a cleanup for the features flag handling, +eg. remove duplicate NETIF_F_HW_TC flag setting. + +Fixes: aec002f6f82c ("net/mlx5e: Uninstantiate esw manager vport netdev on switchdev mode") +Signed-off-by: Chris Mi +Reviewed-by: Roi Dayan +Reviewed-by: Vlad Buslov +Signed-off-by: Saeed Mahameed +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlx5/core/en.h | 1 + + drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 3 +-- + drivers/net/ethernet/mellanox/mlx5/core/en_rep.c | 10 ++++++---- + 3 files changed, 8 insertions(+), 6 deletions(-) + +--- a/drivers/net/ethernet/mellanox/mlx5/core/en.h ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en.h +@@ -1059,6 +1059,7 @@ void mlx5e_del_vxlan_port(struct net_dev + netdev_features_t mlx5e_features_check(struct sk_buff *skb, + struct net_device *netdev, + netdev_features_t features); ++int mlx5e_set_features(struct net_device *netdev, netdev_features_t features); + #ifdef CONFIG_MLX5_ESWITCH + int mlx5e_set_vf_mac(struct net_device *dev, int vf, u8 *mac); + int mlx5e_set_vf_rate(struct net_device *dev, int vf, int min_tx_rate, int max_tx_rate); +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +@@ -3698,8 +3698,7 @@ static int mlx5e_handle_feature(struct n + return 0; + } + +-static int mlx5e_set_features(struct net_device *netdev, +- netdev_features_t features) ++int mlx5e_set_features(struct net_device *netdev, netdev_features_t features) + { + netdev_features_t oper_features = netdev->features; + int err = 0; +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c +@@ -1350,6 +1350,7 @@ static const struct net_device_ops mlx5e + .ndo_get_vf_stats = mlx5e_get_vf_stats, + .ndo_set_vf_vlan = mlx5e_uplink_rep_set_vf_vlan, + .ndo_get_port_parent_id = mlx5e_rep_get_port_parent_id, ++ .ndo_set_features = mlx5e_set_features, + }; + + bool mlx5e_eswitch_rep(struct net_device *netdev) +@@ -1423,10 +1424,9 @@ static void mlx5e_build_rep_netdev(struc + + netdev->watchdog_timeo = 15 * HZ; + ++ netdev->features |= NETIF_F_NETNS_LOCAL; + +- netdev->features |= NETIF_F_HW_TC | NETIF_F_NETNS_LOCAL; +- netdev->hw_features |= NETIF_F_HW_TC; +- ++ netdev->hw_features |= NETIF_F_HW_TC; + netdev->hw_features |= NETIF_F_SG; + netdev->hw_features |= NETIF_F_IP_CSUM; + netdev->hw_features |= NETIF_F_IPV6_CSUM; +@@ -1435,7 +1435,9 @@ static void mlx5e_build_rep_netdev(struc + netdev->hw_features |= NETIF_F_TSO6; + netdev->hw_features |= NETIF_F_RXCSUM; + +- if (rep->vport != MLX5_VPORT_UPLINK) ++ if (rep->vport == MLX5_VPORT_UPLINK) ++ netdev->hw_features |= NETIF_F_HW_VLAN_CTAG_RX; ++ else + netdev->features |= NETIF_F_VLAN_CHALLENGED; + + netdev->features |= netdev->hw_features; diff --git a/queue-5.1/net-mlx5e-avoid-detaching-non-existing-netdev-under-switchdev-mode.patch b/queue-5.1/net-mlx5e-avoid-detaching-non-existing-netdev-under-switchdev-mode.patch new file mode 100644 index 00000000000..0602c0ec57c --- /dev/null +++ b/queue-5.1/net-mlx5e-avoid-detaching-non-existing-netdev-under-switchdev-mode.patch @@ -0,0 +1,38 @@ +From foo@baz Wed 19 Jun 2019 02:33:45 PM CEST +From: Alaa Hleihel +Date: Sun, 26 May 2019 11:56:27 +0300 +Subject: net/mlx5e: Avoid detaching non-existing netdev under switchdev mode + +From: Alaa Hleihel + +After introducing dedicated uplink representor, the netdev instance +set over the esw manager vport (PF) became no longer in use, so it was +removed in the cited commit once we're on switchdev mode. +However, the mlx5e_detach function was not updated accordingly, and it +still tries to detach a non-existing netdev, causing a kernel crash. + +This patch fixes this issue. + +Fixes: aec002f6f82c ("net/mlx5e: Uninstantiate esw manager vport netdev on switchdev mode") +Signed-off-by: Alaa Hleihel +Reviewed-by: Roi Dayan +Signed-off-by: Saeed Mahameed +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +@@ -5165,6 +5165,11 @@ static void mlx5e_detach(struct mlx5_cor + struct mlx5e_priv *priv = vpriv; + struct net_device *netdev = priv->netdev; + ++#ifdef CONFIG_MLX5_ESWITCH ++ if (MLX5_ESWITCH_MANAGER(mdev) && vpriv == mdev) ++ return; ++#endif ++ + if (!netif_device_present(netdev)) + return; + diff --git a/queue-5.1/net-mlx5e-fix-source-port-matching-in-fdb-peer-flow-rule.patch b/queue-5.1/net-mlx5e-fix-source-port-matching-in-fdb-peer-flow-rule.patch new file mode 100644 index 00000000000..498e6acf0cc --- /dev/null +++ b/queue-5.1/net-mlx5e-fix-source-port-matching-in-fdb-peer-flow-rule.patch @@ -0,0 +1,38 @@ +From foo@baz Wed 19 Jun 2019 02:33:45 PM CEST +From: Raed Salem +Date: Sun, 2 Jun 2019 12:04:08 +0300 +Subject: net/mlx5e: Fix source port matching in fdb peer flow rule + +From: Raed Salem + +The cited commit changed the initialization placement of the eswitch +attributes so it is done prior to parse tc actions function call, +including among others the in_rep and in_mdev fields which are mistakenly +reassigned inside the parse actions function. + +This breaks the source port matching criteria of the peer redirect rule. + +Fix by removing the now redundant reassignment of the already initialized +fields. + +Fixes: 988ab9c7363a ("net/mlx5e: Introduce mlx5e_flow_esw_attr_init() helper") +Signed-off-by: Raed Salem +Reviewed-by: Roi Dayan +Signed-off-by: Saeed Mahameed +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlx5/core/en_tc.c | 3 --- + 1 file changed, 3 deletions(-) + +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c +@@ -2572,9 +2572,6 @@ static int parse_tc_fdb_actions(struct m + if (!flow_action_has_entries(flow_action)) + return -EINVAL; + +- attr->in_rep = rpriv->rep; +- attr->in_mdev = priv->mdev; +- + flow_action_for_each(i, act, flow_action) { + switch (act->id) { + case FLOW_ACTION_DROP: diff --git a/queue-5.1/net-mlx5e-support-tagged-tunnel-over-bond.patch b/queue-5.1/net-mlx5e-support-tagged-tunnel-over-bond.patch new file mode 100644 index 00000000000..0fb120caa46 --- /dev/null +++ b/queue-5.1/net-mlx5e-support-tagged-tunnel-over-bond.patch @@ -0,0 +1,53 @@ +From foo@baz Wed 19 Jun 2019 02:33:45 PM CEST +From: Eli Britstein +Date: Sun, 2 Jun 2019 13:47:59 +0000 +Subject: net/mlx5e: Support tagged tunnel over bond + +From: Eli Britstein + +Stacked devices like bond interface may have a VLAN device on top of +them. Detect lag state correctly under this condition, and return the +correct routed net device, according to it the encap header is built. + +Fixes: e32ee6c78efa ("net/mlx5e: Support tunnel encap over tagged Ethernet") +Signed-off-by: Eli Britstein +Reviewed-by: Roi Dayan +Signed-off-by: Saeed Mahameed +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +--- a/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun.c +@@ -11,24 +11,25 @@ static int get_route_and_out_devs(struct + struct net_device **route_dev, + struct net_device **out_dev) + { ++ struct net_device *uplink_dev, *uplink_upper, *real_dev; + struct mlx5_eswitch *esw = priv->mdev->priv.eswitch; +- struct net_device *uplink_dev, *uplink_upper; + bool dst_is_lag_dev; + ++ real_dev = is_vlan_dev(dev) ? vlan_dev_real_dev(dev) : dev; + uplink_dev = mlx5_eswitch_uplink_get_proto_dev(esw, REP_ETH); + uplink_upper = netdev_master_upper_dev_get(uplink_dev); + dst_is_lag_dev = (uplink_upper && + netif_is_lag_master(uplink_upper) && +- dev == uplink_upper && ++ real_dev == uplink_upper && + mlx5_lag_is_sriov(priv->mdev)); + + /* if the egress device isn't on the same HW e-switch or + * it's a LAG device, use the uplink + */ +- if (!netdev_port_same_parent_id(priv->netdev, dev) || ++ if (!netdev_port_same_parent_id(priv->netdev, real_dev) || + dst_is_lag_dev) { +- *route_dev = uplink_dev; +- *out_dev = *route_dev; ++ *route_dev = dev; ++ *out_dev = uplink_dev; + } else { + *route_dev = dev; + if (is_vlan_dev(*route_dev)) diff --git a/queue-5.1/net-mvpp2-prs-fix-parser-range-for-vid-filtering.patch b/queue-5.1/net-mvpp2-prs-fix-parser-range-for-vid-filtering.patch new file mode 100644 index 00000000000..49e7d350539 --- /dev/null +++ b/queue-5.1/net-mvpp2-prs-fix-parser-range-for-vid-filtering.patch @@ -0,0 +1,77 @@ +From foo@baz Wed 19 Jun 2019 02:33:45 PM CEST +From: Maxime Chevallier +Date: Tue, 11 Jun 2019 11:51:42 +0200 +Subject: net: mvpp2: prs: Fix parser range for VID filtering + +From: Maxime Chevallier + +[ Upstream commit 46b0090a6636cf34c0e856f15dd03e15ba4cdda6 ] + +VID filtering is implemented in the Header Parser, with one range of 11 +vids being assigned for each no-loopback port. + +Make sure we use the per-port range when looking for existing entries in +the Parser. + +Since we used a global range instead of a per-port one, this causes VIDs +to be removed from the whitelist from all ports of the same PPv2 +instance. + +Fixes: 56beda3db602 ("net: mvpp2: Add hardware offloading for VLAN filtering") +Suggested-by: Yuri Chipchev +Signed-off-by: Maxime Chevallier +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/marvell/mvpp2/mvpp2_prs.c | 17 ++++++++--------- + 1 file changed, 8 insertions(+), 9 deletions(-) + +--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_prs.c ++++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_prs.c +@@ -1905,8 +1905,7 @@ static int mvpp2_prs_ip6_init(struct mvp + } + + /* Find tcam entry with matched pair */ +-static int mvpp2_prs_vid_range_find(struct mvpp2 *priv, int pmap, u16 vid, +- u16 mask) ++static int mvpp2_prs_vid_range_find(struct mvpp2_port *port, u16 vid, u16 mask) + { + unsigned char byte[2], enable[2]; + struct mvpp2_prs_entry pe; +@@ -1914,13 +1913,13 @@ static int mvpp2_prs_vid_range_find(stru + int tid; + + /* Go through the all entries with MVPP2_PRS_LU_VID */ +- for (tid = MVPP2_PE_VID_FILT_RANGE_START; +- tid <= MVPP2_PE_VID_FILT_RANGE_END; tid++) { +- if (!priv->prs_shadow[tid].valid || +- priv->prs_shadow[tid].lu != MVPP2_PRS_LU_VID) ++ for (tid = MVPP2_PRS_VID_PORT_FIRST(port->id); ++ tid <= MVPP2_PRS_VID_PORT_LAST(port->id); tid++) { ++ if (!port->priv->prs_shadow[tid].valid || ++ port->priv->prs_shadow[tid].lu != MVPP2_PRS_LU_VID) + continue; + +- mvpp2_prs_init_from_hw(priv, &pe, tid); ++ mvpp2_prs_init_from_hw(port->priv, &pe, tid); + + mvpp2_prs_tcam_data_byte_get(&pe, 2, &byte[0], &enable[0]); + mvpp2_prs_tcam_data_byte_get(&pe, 3, &byte[1], &enable[1]); +@@ -1950,7 +1949,7 @@ int mvpp2_prs_vid_entry_add(struct mvpp2 + memset(&pe, 0, sizeof(pe)); + + /* Scan TCAM and see if entry with this already exist */ +- tid = mvpp2_prs_vid_range_find(priv, (1 << port->id), vid, mask); ++ tid = mvpp2_prs_vid_range_find(port, vid, mask); + + reg_val = mvpp2_read(priv, MVPP2_MH_REG(port->id)); + if (reg_val & MVPP2_DSA_EXTENDED) +@@ -2008,7 +2007,7 @@ void mvpp2_prs_vid_entry_remove(struct m + int tid; + + /* Scan TCAM and see if entry with this already exist */ +- tid = mvpp2_prs_vid_range_find(priv, (1 << port->id), vid, 0xfff); ++ tid = mvpp2_prs_vid_range_find(port, vid, 0xfff); + + /* No such entry */ + if (tid < 0) diff --git a/queue-5.1/net-mvpp2-prs-use-the-correct-helpers-when-removing-all-vid-filters.patch b/queue-5.1/net-mvpp2-prs-use-the-correct-helpers-when-removing-all-vid-filters.patch new file mode 100644 index 00000000000..eea7b535e44 --- /dev/null +++ b/queue-5.1/net-mvpp2-prs-use-the-correct-helpers-when-removing-all-vid-filters.patch @@ -0,0 +1,39 @@ +From foo@baz Wed 19 Jun 2019 02:33:45 PM CEST +From: Maxime Chevallier +Date: Tue, 11 Jun 2019 11:51:43 +0200 +Subject: net: mvpp2: prs: Use the correct helpers when removing all VID filters + +From: Maxime Chevallier + +[ Upstream commit 6b7a3430c163455cf8a514d636bda52b04654972 ] + +When removing all VID filters, the mvpp2_prs_vid_entry_remove would be +called with the TCAM id incorrectly used as a VID, causing the wrong +TCAM entries to be invalidated. + +Fix this by directly invalidating entries in the VID range. + +Fixes: 56beda3db602 ("net: mvpp2: Add hardware offloading for VLAN filtering") +Suggested-by: Yuri Chipchev +Signed-off-by: Maxime Chevallier +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/marvell/mvpp2/mvpp2_prs.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_prs.c ++++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_prs.c +@@ -2025,8 +2025,10 @@ void mvpp2_prs_vid_remove_all(struct mvp + + for (tid = MVPP2_PRS_VID_PORT_FIRST(port->id); + tid <= MVPP2_PRS_VID_PORT_LAST(port->id); tid++) { +- if (priv->prs_shadow[tid].valid) +- mvpp2_prs_vid_entry_remove(port, tid); ++ if (priv->prs_shadow[tid].valid) { ++ mvpp2_prs_hw_inv(priv, tid); ++ priv->prs_shadow[tid].valid = false; ++ } + } + } + diff --git a/queue-5.1/net-openvswitch-do-not-free-vport-if-register_netdevice-is-failed.patch b/queue-5.1/net-openvswitch-do-not-free-vport-if-register_netdevice-is-failed.patch new file mode 100644 index 00000000000..37a0ed857b6 --- /dev/null +++ b/queue-5.1/net-openvswitch-do-not-free-vport-if-register_netdevice-is-failed.patch @@ -0,0 +1,108 @@ +From foo@baz Wed 19 Jun 2019 02:33:45 PM CEST +From: Taehee Yoo +Date: Sun, 9 Jun 2019 23:26:21 +0900 +Subject: net: openvswitch: do not free vport if register_netdevice() is failed. + +From: Taehee Yoo + +[ Upstream commit 309b66970ee2abf721ecd0876a48940fa0b99a35 ] + +In order to create an internal vport, internal_dev_create() is used and +that calls register_netdevice() internally. +If register_netdevice() fails, it calls dev->priv_destructor() to free +private data of netdev. actually, a private data of this is a vport. + +Hence internal_dev_create() should not free and use a vport after failure +of register_netdevice(). + +Test command + ovs-dpctl add-dp bonding_masters + +Splat looks like: +[ 1035.667767] kasan: GPF could be caused by NULL-ptr deref or user memory access +[ 1035.675958] general protection fault: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN PTI +[ 1035.676916] CPU: 1 PID: 1028 Comm: ovs-vswitchd Tainted: G B 5.2.0-rc3+ #240 +[ 1035.676916] RIP: 0010:internal_dev_create+0x2e5/0x4e0 [openvswitch] +[ 1035.676916] Code: 48 c1 ea 03 80 3c 02 00 0f 85 9f 01 00 00 4c 8b 23 48 b8 00 00 00 00 00 fc ff df 49 8d bc 24 60 05 00 00 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 86 01 00 00 49 8b bc 24 60 05 00 00 e8 e4 68 f4 +[ 1035.713720] RSP: 0018:ffff88810dcb7578 EFLAGS: 00010206 +[ 1035.713720] RAX: dffffc0000000000 RBX: ffff88810d13fe08 RCX: ffffffff84297704 +[ 1035.713720] RDX: 00000000000000ac RSI: 0000000000000000 RDI: 0000000000000560 +[ 1035.713720] RBP: 00000000ffffffef R08: fffffbfff0d3b881 R09: fffffbfff0d3b881 +[ 1035.713720] R10: 0000000000000001 R11: fffffbfff0d3b880 R12: 0000000000000000 +[ 1035.768776] R13: 0000607ee460b900 R14: ffff88810dcb7690 R15: ffff88810dcb7698 +[ 1035.777709] FS: 00007f02095fc980(0000) GS:ffff88811b400000(0000) knlGS:0000000000000000 +[ 1035.777709] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 1035.777709] CR2: 00007ffdf01d2f28 CR3: 0000000108258000 CR4: 00000000001006e0 +[ 1035.777709] Call Trace: +[ 1035.777709] ovs_vport_add+0x267/0x4f0 [openvswitch] +[ 1035.777709] new_vport+0x15/0x1e0 [openvswitch] +[ 1035.777709] ovs_vport_cmd_new+0x567/0xd10 [openvswitch] +[ 1035.777709] ? ovs_dp_cmd_dump+0x490/0x490 [openvswitch] +[ 1035.777709] ? __kmalloc+0x131/0x2e0 +[ 1035.777709] ? genl_family_rcv_msg+0xa54/0x1030 +[ 1035.777709] genl_family_rcv_msg+0x63a/0x1030 +[ 1035.777709] ? genl_unregister_family+0x630/0x630 +[ 1035.841681] ? debug_show_all_locks+0x2d0/0x2d0 +[ ... ] + +Fixes: cf124db566e6 ("net: Fix inconsistent teardown and release of private netdev state.") +Signed-off-by: Taehee Yoo +Reviewed-by: Greg Rose +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/openvswitch/vport-internal_dev.c | 18 ++++++++++++------ + 1 file changed, 12 insertions(+), 6 deletions(-) + +--- a/net/openvswitch/vport-internal_dev.c ++++ b/net/openvswitch/vport-internal_dev.c +@@ -170,7 +170,9 @@ static struct vport *internal_dev_create + { + struct vport *vport; + struct internal_dev *internal_dev; ++ struct net_device *dev; + int err; ++ bool free_vport = true; + + vport = ovs_vport_alloc(0, &ovs_internal_vport_ops, parms); + if (IS_ERR(vport)) { +@@ -178,8 +180,9 @@ static struct vport *internal_dev_create + goto error; + } + +- vport->dev = alloc_netdev(sizeof(struct internal_dev), +- parms->name, NET_NAME_USER, do_setup); ++ dev = alloc_netdev(sizeof(struct internal_dev), ++ parms->name, NET_NAME_USER, do_setup); ++ vport->dev = dev; + if (!vport->dev) { + err = -ENOMEM; + goto error_free_vport; +@@ -200,8 +203,10 @@ static struct vport *internal_dev_create + + rtnl_lock(); + err = register_netdevice(vport->dev); +- if (err) ++ if (err) { ++ free_vport = false; + goto error_unlock; ++ } + + dev_set_promiscuity(vport->dev, 1); + rtnl_unlock(); +@@ -211,11 +216,12 @@ static struct vport *internal_dev_create + + error_unlock: + rtnl_unlock(); +- free_percpu(vport->dev->tstats); ++ free_percpu(dev->tstats); + error_free_netdev: +- free_netdev(vport->dev); ++ free_netdev(dev); + error_free_vport: +- ovs_vport_free(vport); ++ if (free_vport) ++ ovs_vport_free(vport); + error: + return ERR_PTR(err); + } diff --git a/queue-5.1/net-phylink-set-the-autoneg-state-in-phylink_phy_change.patch b/queue-5.1/net-phylink-set-the-autoneg-state-in-phylink_phy_change.patch new file mode 100644 index 00000000000..04688fac451 --- /dev/null +++ b/queue-5.1/net-phylink-set-the-autoneg-state-in-phylink_phy_change.patch @@ -0,0 +1,32 @@ +From foo@baz Wed 19 Jun 2019 02:33:45 PM CEST +From: Ioana Ciornei +Date: Thu, 13 Jun 2019 09:37:51 +0300 +Subject: net: phylink: set the autoneg state in phylink_phy_change + +From: Ioana Ciornei + +[ Upstream commit ef7bfa84725d891bbdb88707ed55b2cbf94942bb ] + +The phy_state field of phylink should carry only valid information +especially when this can be passed to the .mac_config callback. +Update the an_enabled field with the autoneg state in the +phylink_phy_change function. + +Fixes: 9525ae83959b ("phylink: add phylink infrastructure") +Signed-off-by: Ioana Ciornei +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/phy/phylink.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/phy/phylink.c ++++ b/drivers/net/phy/phylink.c +@@ -638,6 +638,7 @@ static void phylink_phy_change(struct ph + pl->phy_state.pause |= MLO_PAUSE_ASYM; + pl->phy_state.interface = phydev->interface; + pl->phy_state.link = up; ++ pl->phy_state.an_enabled = phydev->autoneg; + mutex_unlock(&pl->state_mutex); + + phylink_run_resolve(pl); diff --git a/queue-5.1/net-tls-correctly-account-for-copied-bytes-with-multiple-sk_msgs.patch b/queue-5.1/net-tls-correctly-account-for-copied-bytes-with-multiple-sk_msgs.patch new file mode 100644 index 00000000000..09d41d93f23 --- /dev/null +++ b/queue-5.1/net-tls-correctly-account-for-copied-bytes-with-multiple-sk_msgs.patch @@ -0,0 +1,51 @@ +From foo@baz Wed 19 Jun 2019 02:33:45 PM CEST +From: John Fastabend +Date: Wed, 12 Jun 2019 17:23:57 +0000 +Subject: net: tls, correctly account for copied bytes with multiple sk_msgs + +From: John Fastabend + +[ Upstream commit 648ee6cea7dde4a5cdf817e5d964fd60b22006a4 ] + +tls_sw_do_sendpage needs to return the total number of bytes sent +regardless of how many sk_msgs are allocated. Unfortunately, copied +(the value we return up the stack) is zero'd before each new sk_msg +is allocated so we only return the copied size of the last sk_msg used. + +The caller (splice, etc.) of sendpage will then believe only part +of its data was sent and send the missing chunks again. However, +because the data actually was sent the receiver will get multiple +copies of the same data. + +To reproduce this do multiple sendfile calls with a length close to +the max record size. This will in turn call splice/sendpage, sendpage +may use multiple sk_msg in this case and then returns the incorrect +number of bytes. This will cause splice to resend creating duplicate +data on the receiver. Andre created a C program that can easily +generate this case so we will push a similar selftest for this to +bpf-next shortly. + +The fix is to _not_ zero the copied field so that the total sent +bytes is returned. + +Reported-by: Steinar H. Gunderson +Reported-by: Andre Tomt +Tested-by: Andre Tomt +Fixes: d829e9c4112b ("tls: convert to generic sk_msg interface") +Signed-off-by: John Fastabend +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/tls/tls_sw.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/net/tls/tls_sw.c ++++ b/net/tls/tls_sw.c +@@ -1128,7 +1128,6 @@ static int tls_sw_do_sendpage(struct soc + + full_record = false; + record_room = TLS_MAX_PAYLOAD_SIZE - msg_pl->sg.size; +- copied = 0; + copy = size; + if (copy >= record_room) { + copy = record_room; diff --git a/queue-5.1/netfilter-nat-fix-udp-checksum-corruption.patch b/queue-5.1/netfilter-nat-fix-udp-checksum-corruption.patch new file mode 100644 index 00000000000..789f133e975 --- /dev/null +++ b/queue-5.1/netfilter-nat-fix-udp-checksum-corruption.patch @@ -0,0 +1,34 @@ +From 6bac76db1da3cb162c425d58ae421486f8e43955 Mon Sep 17 00:00:00 2001 +From: Florian Westphal +Date: Mon, 20 May 2019 13:48:10 +0200 +Subject: netfilter: nat: fix udp checksum corruption + +From: Florian Westphal + +commit 6bac76db1da3cb162c425d58ae421486f8e43955 upstream. + +Due to copy&paste error nf_nat_mangle_udp_packet passes IPPROTO_TCP, +resulting in incorrect udp checksum when payload had to be mangled. + +Fixes: dac3fe72596f9 ("netfilter: nat: remove csum_recalc hook") +Reported-by: Marc Haber +Tested-by: Marc Haber +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman + +--- + net/netfilter/nf_nat_helper.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/netfilter/nf_nat_helper.c ++++ b/net/netfilter/nf_nat_helper.c +@@ -170,7 +170,7 @@ nf_nat_mangle_udp_packet(struct sk_buff + if (!udph->check && skb->ip_summed != CHECKSUM_PARTIAL) + return true; + +- nf_nat_csum_recalc(skb, nf_ct_l3num(ct), IPPROTO_TCP, ++ nf_nat_csum_recalc(skb, nf_ct_l3num(ct), IPPROTO_UDP, + udph, &udph->check, datalen, oldlen); + + return true; diff --git a/queue-5.1/nfc-ensure-presence-of-required-attributes-in-the-deactivate_target-handler.patch b/queue-5.1/nfc-ensure-presence-of-required-attributes-in-the-deactivate_target-handler.patch new file mode 100644 index 00000000000..14baea71924 --- /dev/null +++ b/queue-5.1/nfc-ensure-presence-of-required-attributes-in-the-deactivate_target-handler.patch @@ -0,0 +1,34 @@ +From foo@baz Wed 19 Jun 2019 02:33:45 PM CEST +From: Young Xiao <92siuyang@gmail.com> +Date: Fri, 14 Jun 2019 15:13:02 +0800 +Subject: nfc: Ensure presence of required attributes in the deactivate_target handler + +From: Young Xiao <92siuyang@gmail.com> + +[ Upstream commit 385097a3675749cbc9e97c085c0e5dfe4269ca51 ] + +Check that the NFC_ATTR_TARGET_INDEX attributes (in addition to +NFC_ATTR_DEVICE_INDEX) are provided by the netlink client prior to +accessing them. This prevents potential unhandled NULL pointer dereference +exceptions which can be triggered by malicious user-mode programs, +if they omit one or both of these attributes. + +Signed-off-by: Young Xiao <92siuyang@gmail.com> +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/nfc/netlink.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/nfc/netlink.c ++++ b/net/nfc/netlink.c +@@ -922,7 +922,8 @@ static int nfc_genl_deactivate_target(st + u32 device_idx, target_idx; + int rc; + +- if (!info->attrs[NFC_ATTR_DEVICE_INDEX]) ++ if (!info->attrs[NFC_ATTR_DEVICE_INDEX] || ++ !info->attrs[NFC_ATTR_TARGET_INDEX]) + return -EINVAL; + + device_idx = nla_get_u32(info->attrs[NFC_ATTR_DEVICE_INDEX]); diff --git a/queue-5.1/sctp-free-cookie-before-we-memdup-a-new-one.patch b/queue-5.1/sctp-free-cookie-before-we-memdup-a-new-one.patch new file mode 100644 index 00000000000..20f9c73e9d9 --- /dev/null +++ b/queue-5.1/sctp-free-cookie-before-we-memdup-a-new-one.patch @@ -0,0 +1,82 @@ +From foo@baz Wed 19 Jun 2019 02:33:45 PM CEST +From: Neil Horman +Date: Thu, 13 Jun 2019 06:35:59 -0400 +Subject: sctp: Free cookie before we memdup a new one + +From: Neil Horman + +[ Upstream commit ce950f1050cece5e406a5cde723c69bba60e1b26 ] + +Based on comments from Xin, even after fixes for our recent syzbot +report of cookie memory leaks, its possible to get a resend of an INIT +chunk which would lead to us leaking cookie memory. + +To ensure that we don't leak cookie memory, free any previously +allocated cookie first. + +Change notes +v1->v2 +update subsystem tag in subject (davem) +repeat kfree check for peer_random and peer_hmacs (xin) + +v2->v3 +net->sctp +also free peer_chunks + +v3->v4 +fix subject tags + +v4->v5 +remove cut line + +Signed-off-by: Neil Horman +Reported-by: syzbot+f7e9153b037eac9b1df8@syzkaller.appspotmail.com +CC: Marcelo Ricardo Leitner +CC: Xin Long +CC: "David S. Miller" +CC: netdev@vger.kernel.org +Acked-by: Marcelo Ricardo Leitner +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/sctp/sm_make_chunk.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/net/sctp/sm_make_chunk.c ++++ b/net/sctp/sm_make_chunk.c +@@ -2600,6 +2600,8 @@ do_addr_param: + case SCTP_PARAM_STATE_COOKIE: + asoc->peer.cookie_len = + ntohs(param.p->length) - sizeof(struct sctp_paramhdr); ++ if (asoc->peer.cookie) ++ kfree(asoc->peer.cookie); + asoc->peer.cookie = kmemdup(param.cookie->body, asoc->peer.cookie_len, gfp); + if (!asoc->peer.cookie) + retval = 0; +@@ -2664,6 +2666,8 @@ do_addr_param: + goto fall_through; + + /* Save peer's random parameter */ ++ if (asoc->peer.peer_random) ++ kfree(asoc->peer.peer_random); + asoc->peer.peer_random = kmemdup(param.p, + ntohs(param.p->length), gfp); + if (!asoc->peer.peer_random) { +@@ -2677,6 +2681,8 @@ do_addr_param: + goto fall_through; + + /* Save peer's HMAC list */ ++ if (asoc->peer.peer_hmacs) ++ kfree(asoc->peer.peer_hmacs); + asoc->peer.peer_hmacs = kmemdup(param.p, + ntohs(param.p->length), gfp); + if (!asoc->peer.peer_hmacs) { +@@ -2692,6 +2698,8 @@ do_addr_param: + if (!ep->auth_enable) + goto fall_through; + ++ if (asoc->peer.peer_chunks) ++ kfree(asoc->peer.peer_chunks); + asoc->peer.peer_chunks = kmemdup(param.p, + ntohs(param.p->length), gfp); + if (!asoc->peer.peer_chunks) diff --git a/queue-5.1/series b/queue-5.1/series new file mode 100644 index 00000000000..b59242413ec --- /dev/null +++ b/queue-5.1/series @@ -0,0 +1,32 @@ +netfilter-nat-fix-udp-checksum-corruption.patch +ax25-fix-inconsistent-lock-state-in-ax25_destroy_timer.patch +be2net-fix-number-of-rx-queues-used-for-flow-hashing.patch +hv_netvsc-set-probe-mode-to-sync.patch +ipv6-flowlabel-fl6_sock_lookup-must-use-atomic_inc_not_zero.patch +lapb-fixed-leak-of-control-blocks.patch +neigh-fix-use-after-free-read-in-pneigh_get_next.patch +net-dsa-rtl8366-fix-up-vlan-filtering.patch +net-openvswitch-do-not-free-vport-if-register_netdevice-is-failed.patch +net-phylink-set-the-autoneg-state-in-phylink_phy_change.patch +net-tls-correctly-account-for-copied-bytes-with-multiple-sk_msgs.patch +nfc-ensure-presence-of-required-attributes-in-the-deactivate_target-handler.patch +sctp-free-cookie-before-we-memdup-a-new-one.patch +sunhv-fix-device-naming-inconsistency-between-sunhv_console-and-sunhv_reg.patch +tipc-purge-deferredq-list-for-each-grp-member-in-tipc_group_delete.patch +vsock-virtio-set-sock_done-on-peer-shutdown.patch +net-mlx5-avoid-reloading-already-removed-devices.patch +vxlan-don-t-assume-linear-buffers-in-error-handler.patch +geneve-don-t-assume-linear-buffers-in-error-handler.patch +net-mvpp2-prs-fix-parser-range-for-vid-filtering.patch +net-mvpp2-prs-use-the-correct-helpers-when-removing-all-vid-filters.patch +net-dsa-microchip-don-t-try-to-read-stats-for-unused-ports.patch +net-ethtool-allow-matching-on-vlan-dei-bit.patch +net-mlx5-update-pci-error-handler-entries-and-command-translation.patch +mlxsw-spectrum_router-refresh-nexthop-neighbour-when-it-becomes-dead.patch +net-mlx5e-add-ndo_set_feature-for-uplink-representor.patch +mlxsw-spectrum_flower-fix-tos-matching.patch +net-mlx5e-fix-source-port-matching-in-fdb-peer-flow-rule.patch +mlxsw-spectrum_buffers-reduce-pool-size-on-spectrum-2.patch +net-mlx5e-support-tagged-tunnel-over-bond.patch +net-correct-udp-zerocopy-refcnt-also-when-zerocopy-only-on-append.patch +net-mlx5e-avoid-detaching-non-existing-netdev-under-switchdev-mode.patch diff --git a/queue-5.1/sunhv-fix-device-naming-inconsistency-between-sunhv_console-and-sunhv_reg.patch b/queue-5.1/sunhv-fix-device-naming-inconsistency-between-sunhv_console-and-sunhv_reg.patch new file mode 100644 index 00000000000..8bb72a283b4 --- /dev/null +++ b/queue-5.1/sunhv-fix-device-naming-inconsistency-between-sunhv_console-and-sunhv_reg.patch @@ -0,0 +1,61 @@ +From foo@baz Wed 19 Jun 2019 02:33:45 PM CEST +From: John Paul Adrian Glaubitz +Date: Tue, 11 Jun 2019 17:38:37 +0200 +Subject: sunhv: Fix device naming inconsistency between sunhv_console and sunhv_reg + +From: John Paul Adrian Glaubitz + +[ Upstream commit 07a6d63eb1b54b5fb38092780fe618dfe1d96e23 ] + +In d5a2aa24, the name in struct console sunhv_console was changed from "ttyS" +to "ttyHV" while the name in struct uart_ops sunhv_pops remained unchanged. + +This results in the hypervisor console device to be listed as "ttyHV0" under +/proc/consoles while the device node is still named "ttyS0": + +root@osaka:~# cat /proc/consoles +ttyHV0 -W- (EC p ) 4:64 +tty0 -WU (E ) 4:1 +root@osaka:~# readlink /sys/dev/char/4:64 +../../devices/root/f02836f0/f0285690/tty/ttyS0 +root@osaka:~# + +This means that any userland code which tries to determine the name of the +device file of the hypervisor console device can not rely on the information +provided by /proc/consoles. In particular, booting current versions of debian- +installer inside a SPARC LDOM will fail with the installer unable to determine +the console device. + +After renaming the device in struct uart_ops sunhv_pops to "ttyHV" as well, +the inconsistency is fixed and it is possible again to determine the name +of the device file of the hypervisor console device by reading the contents +of /proc/console: + +root@osaka:~# cat /proc/consoles +ttyHV0 -W- (EC p ) 4:64 +tty0 -WU (E ) 4:1 +root@osaka:~# readlink /sys/dev/char/4:64 +../../devices/root/f02836f0/f0285690/tty/ttyHV0 +root@osaka:~# + +With this change, debian-installer works correctly when installing inside +a SPARC LDOM. + +Signed-off-by: John Paul Adrian Glaubitz +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/serial/sunhv.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/tty/serial/sunhv.c ++++ b/drivers/tty/serial/sunhv.c +@@ -397,7 +397,7 @@ static const struct uart_ops sunhv_pops + static struct uart_driver sunhv_reg = { + .owner = THIS_MODULE, + .driver_name = "sunhv", +- .dev_name = "ttyS", ++ .dev_name = "ttyHV", + .major = TTY_MAJOR, + }; + diff --git a/queue-5.1/tipc-purge-deferredq-list-for-each-grp-member-in-tipc_group_delete.patch b/queue-5.1/tipc-purge-deferredq-list-for-each-grp-member-in-tipc_group_delete.patch new file mode 100644 index 00000000000..881eb11e620 --- /dev/null +++ b/queue-5.1/tipc-purge-deferredq-list-for-each-grp-member-in-tipc_group_delete.patch @@ -0,0 +1,38 @@ +From foo@baz Wed 19 Jun 2019 02:33:45 PM CEST +From: Xin Long +Date: Sun, 16 Jun 2019 17:24:07 +0800 +Subject: tipc: purge deferredq list for each grp member in tipc_group_delete + +From: Xin Long + +[ Upstream commit 5cf02612b33f104fe1015b2dfaf1758ad3675588 ] + +Syzbot reported a memleak caused by grp members' deferredq list not +purged when the grp is be deleted. + +The issue occurs when more(msg_grp_bc_seqno(hdr), m->bc_rcv_nxt) in +tipc_group_filter_msg() and the skb will stay in deferredq. + +So fix it by calling __skb_queue_purge for each member's deferredq +in tipc_group_delete() when a tipc sk leaves the grp. + +Fixes: b87a5ea31c93 ("tipc: guarantee group unicast doesn't bypass group broadcast") +Reported-by: syzbot+78fbe679c8ca8d264a8d@syzkaller.appspotmail.com +Signed-off-by: Xin Long +Acked-by: Ying Xue +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/tipc/group.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/tipc/group.c ++++ b/net/tipc/group.c +@@ -218,6 +218,7 @@ void tipc_group_delete(struct net *net, + + rbtree_postorder_for_each_entry_safe(m, tmp, tree, tree_node) { + tipc_group_proto_xmit(grp, m, GRP_LEAVE_MSG, &xmitq); ++ __skb_queue_purge(&m->deferredq); + list_del(&m->list); + kfree(m); + } diff --git a/queue-5.1/vsock-virtio-set-sock_done-on-peer-shutdown.patch b/queue-5.1/vsock-virtio-set-sock_done-on-peer-shutdown.patch new file mode 100644 index 00000000000..23af1a90c56 --- /dev/null +++ b/queue-5.1/vsock-virtio-set-sock_done-on-peer-shutdown.patch @@ -0,0 +1,38 @@ +From foo@baz Wed 19 Jun 2019 02:33:45 PM CEST +From: Stephen Barber +Date: Fri, 14 Jun 2019 23:42:37 -0700 +Subject: vsock/virtio: set SOCK_DONE on peer shutdown + +From: Stephen Barber + +[ Upstream commit 42f5cda5eaf4396a939ae9bb43bb8d1d09c1b15c ] + +Set the SOCK_DONE flag to match the TCP_CLOSING state when a peer has +shut down and there is nothing left to read. + +This fixes the following bug: +1) Peer sends SHUTDOWN(RDWR). +2) Socket enters TCP_CLOSING but SOCK_DONE is not set. +3) read() returns -ENOTCONN until close() is called, then returns 0. + +Signed-off-by: Stephen Barber +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/vmw_vsock/virtio_transport_common.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/net/vmw_vsock/virtio_transport_common.c ++++ b/net/vmw_vsock/virtio_transport_common.c +@@ -871,8 +871,10 @@ virtio_transport_recv_connected(struct s + if (le32_to_cpu(pkt->hdr.flags) & VIRTIO_VSOCK_SHUTDOWN_SEND) + vsk->peer_shutdown |= SEND_SHUTDOWN; + if (vsk->peer_shutdown == SHUTDOWN_MASK && +- vsock_stream_has_data(vsk) <= 0) ++ vsock_stream_has_data(vsk) <= 0) { ++ sock_set_flag(sk, SOCK_DONE); + sk->sk_state = TCP_CLOSING; ++ } + if (le32_to_cpu(pkt->hdr.flags)) + sk->sk_state_change(sk); + break; diff --git a/queue-5.1/vxlan-don-t-assume-linear-buffers-in-error-handler.patch b/queue-5.1/vxlan-don-t-assume-linear-buffers-in-error-handler.patch new file mode 100644 index 00000000000..5286d4576e2 --- /dev/null +++ b/queue-5.1/vxlan-don-t-assume-linear-buffers-in-error-handler.patch @@ -0,0 +1,42 @@ +From foo@baz Wed 19 Jun 2019 02:33:45 PM CEST +From: Stefano Brivio +Date: Tue, 11 Jun 2019 00:27:05 +0200 +Subject: vxlan: Don't assume linear buffers in error handler + +From: Stefano Brivio + +[ Upstream commit 8399a6930d12f5965230f4ff058228a4cc80c0b9 ] + +In commit c3a43b9fec8a ("vxlan: ICMP error lookup handler") I wrongly +assumed buffers from icmp_socket_deliver() would be linear. This is not +the case: icmp_socket_deliver() only guarantees we have 8 bytes of linear +data. + +Eric fixed this same issue for fou and fou6 in commits 26fc181e6cac +("fou, fou6: do not assume linear skbs") and 5355ed6388e2 ("fou, fou6: +avoid uninit-value in gue_err() and gue6_err()"). + +Use pskb_may_pull() instead of checking skb->len, and take into account +the fact we later access the VXLAN header with udp_hdr(), so we also +need to sum skb_transport_header() here. + +Reported-by: Guillaume Nault +Fixes: c3a43b9fec8a ("vxlan: ICMP error lookup handler") +Signed-off-by: Stefano Brivio +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/vxlan.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/vxlan.c ++++ b/drivers/net/vxlan.c +@@ -1765,7 +1765,7 @@ static int vxlan_err_lookup(struct sock + struct vxlanhdr *hdr; + __be32 vni; + +- if (skb->len < VXLAN_HLEN) ++ if (!pskb_may_pull(skb, skb_transport_offset(skb) + VXLAN_HLEN)) + return -EINVAL; + + hdr = vxlan_hdr(skb);