From: Greg Kroah-Hartman Date: Sun, 9 Feb 2020 22:10:44 +0000 (+0100) Subject: 4.14-stable patches X-Git-Tag: v4.19.103~25 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=1f82147758d19893f7651ace6dcb6651a7e69cc3;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: bonding-alb-properly-access-headers-in-bond_alb_xmit.patch net-dsa-bcm_sf2-only-7278-supports-2gb-sec-imp-port.patch net-macb-limit-maximum-gem-tx-length-in-tso.patch net-macb-remove-unnecessary-alignment-check-for-tso.patch net-systemport-avoid-rbuf-stuck-in-wake-on-lan-mode.patch net_sched-fix-a-resource-leak-in-tcindex_set_parms.patch --- diff --git a/queue-4.14/bonding-alb-properly-access-headers-in-bond_alb_xmit.patch b/queue-4.14/bonding-alb-properly-access-headers-in-bond_alb_xmit.patch new file mode 100644 index 00000000000..c96b2cab5a8 --- /dev/null +++ b/queue-4.14/bonding-alb-properly-access-headers-in-bond_alb_xmit.patch @@ -0,0 +1,176 @@ +From foo@baz Sun 09 Feb 2020 11:04:03 PM CET +From: Eric Dumazet +Date: Tue, 4 Feb 2020 19:26:05 -0800 +Subject: bonding/alb: properly access headers in bond_alb_xmit() + +From: Eric Dumazet + +[ Upstream commit 38f88c45404293bbc027b956def6c10cbd45c616 ] + +syzbot managed to send an IPX packet through bond_alb_xmit() +and af_packet and triggered a use-after-free. + +First, bond_alb_xmit() was using ipx_hdr() helper to reach +the IPX header, but ipx_hdr() was using the transport offset +instead of the network offset. In the particular syzbot +report transport offset was 0xFFFF + +This patch removes ipx_hdr() since it was only (mis)used from bonding. + +Then we need to make sure IPv4/IPv6/IPX headers are pulled +in skb->head before dereferencing anything. + +BUG: KASAN: use-after-free in bond_alb_xmit+0x153a/0x1590 drivers/net/bonding/bond_alb.c:1452 +Read of size 2 at addr ffff8801ce56dfff by task syz-executor.2/18108 + (if (ipx_hdr(skb)->ipx_checksum != IPX_NO_CHECKSUM) ...) + +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + [] __dump_stack lib/dump_stack.c:17 [inline] + [] dump_stack+0x14d/0x20b lib/dump_stack.c:53 + [] print_address_description+0x6f/0x20b mm/kasan/report.c:282 + [] kasan_report_error mm/kasan/report.c:380 [inline] + [] kasan_report mm/kasan/report.c:438 [inline] + [] kasan_report.cold+0x8c/0x2a0 mm/kasan/report.c:422 + [] __asan_report_load_n_noabort+0xf/0x20 mm/kasan/report.c:469 + [] bond_alb_xmit+0x153a/0x1590 drivers/net/bonding/bond_alb.c:1452 + [] __bond_start_xmit drivers/net/bonding/bond_main.c:4199 [inline] + [] bond_start_xmit+0x4f4/0x1570 drivers/net/bonding/bond_main.c:4224 + [] __netdev_start_xmit include/linux/netdevice.h:4525 [inline] + [] netdev_start_xmit include/linux/netdevice.h:4539 [inline] + [] xmit_one net/core/dev.c:3611 [inline] + [] dev_hard_start_xmit+0x168/0x910 net/core/dev.c:3627 + [] __dev_queue_xmit+0x1f55/0x33b0 net/core/dev.c:4238 + [] dev_queue_xmit+0x18/0x20 net/core/dev.c:4278 + [] packet_snd net/packet/af_packet.c:3226 [inline] + [] packet_sendmsg+0x4919/0x70b0 net/packet/af_packet.c:3252 + [] sock_sendmsg_nosec net/socket.c:673 [inline] + [] sock_sendmsg+0x12c/0x160 net/socket.c:684 + [] __sys_sendto+0x262/0x380 net/socket.c:1996 + [] SYSC_sendto net/socket.c:2008 [inline] + [] SyS_sendto+0x40/0x60 net/socket.c:2004 + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Cc: Jay Vosburgh +Cc: Veaceslav Falico +Cc: Andy Gospodarek +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/bonding/bond_alb.c | 44 +++++++++++++++++++++++++++++------------ + include/net/ipx.h | 5 ---- + 2 files changed, 32 insertions(+), 17 deletions(-) + +--- a/drivers/net/bonding/bond_alb.c ++++ b/drivers/net/bonding/bond_alb.c +@@ -1403,26 +1403,31 @@ int bond_alb_xmit(struct sk_buff *skb, s + bool do_tx_balance = true; + u32 hash_index = 0; + const u8 *hash_start = NULL; +- struct ipv6hdr *ip6hdr; + + skb_reset_mac_header(skb); + eth_data = eth_hdr(skb); + + switch (ntohs(skb->protocol)) { + case ETH_P_IP: { +- const struct iphdr *iph = ip_hdr(skb); ++ const struct iphdr *iph; + + if (ether_addr_equal_64bits(eth_data->h_dest, mac_bcast) || +- (iph->daddr == ip_bcast) || +- (iph->protocol == IPPROTO_IGMP)) { ++ (!pskb_network_may_pull(skb, sizeof(*iph)))) { ++ do_tx_balance = false; ++ break; ++ } ++ iph = ip_hdr(skb); ++ if (iph->daddr == ip_bcast || iph->protocol == IPPROTO_IGMP) { + do_tx_balance = false; + break; + } + hash_start = (char *)&(iph->daddr); + hash_size = sizeof(iph->daddr); +- } + break; +- case ETH_P_IPV6: ++ } ++ case ETH_P_IPV6: { ++ const struct ipv6hdr *ip6hdr; ++ + /* IPv6 doesn't really use broadcast mac address, but leave + * that here just in case. + */ +@@ -1439,7 +1444,11 @@ int bond_alb_xmit(struct sk_buff *skb, s + break; + } + +- /* Additianally, DAD probes should not be tx-balanced as that ++ if (!pskb_network_may_pull(skb, sizeof(*ip6hdr))) { ++ do_tx_balance = false; ++ break; ++ } ++ /* Additionally, DAD probes should not be tx-balanced as that + * will lead to false positives for duplicate addresses and + * prevent address configuration from working. + */ +@@ -1449,17 +1458,26 @@ int bond_alb_xmit(struct sk_buff *skb, s + break; + } + +- hash_start = (char *)&(ipv6_hdr(skb)->daddr); +- hash_size = sizeof(ipv6_hdr(skb)->daddr); ++ hash_start = (char *)&ip6hdr->daddr; ++ hash_size = sizeof(ip6hdr->daddr); + break; +- case ETH_P_IPX: +- if (ipx_hdr(skb)->ipx_checksum != IPX_NO_CHECKSUM) { ++ } ++ case ETH_P_IPX: { ++ const struct ipxhdr *ipxhdr; ++ ++ if (pskb_network_may_pull(skb, sizeof(*ipxhdr))) { ++ do_tx_balance = false; ++ break; ++ } ++ ipxhdr = (struct ipxhdr *)skb_network_header(skb); ++ ++ if (ipxhdr->ipx_checksum != IPX_NO_CHECKSUM) { + /* something is wrong with this packet */ + do_tx_balance = false; + break; + } + +- if (ipx_hdr(skb)->ipx_type != IPX_TYPE_NCP) { ++ if (ipxhdr->ipx_type != IPX_TYPE_NCP) { + /* The only protocol worth balancing in + * this family since it has an "ARP" like + * mechanism +@@ -1468,9 +1486,11 @@ int bond_alb_xmit(struct sk_buff *skb, s + break; + } + ++ eth_data = eth_hdr(skb); + hash_start = (char *)eth_data->h_dest; + hash_size = ETH_ALEN; + break; ++ } + case ETH_P_ARP: + do_tx_balance = false; + if (bond_info->rlb_enabled) +--- a/include/net/ipx.h ++++ b/include/net/ipx.h +@@ -47,11 +47,6 @@ struct ipxhdr { + /* From af_ipx.c */ + extern int sysctl_ipx_pprop_broadcasting; + +-static __inline__ struct ipxhdr *ipx_hdr(struct sk_buff *skb) +-{ +- return (struct ipxhdr *)skb_transport_header(skb); +-} +- + struct ipx_interface { + /* IPX address */ + __be32 if_netnum; diff --git a/queue-4.14/net-dsa-bcm_sf2-only-7278-supports-2gb-sec-imp-port.patch b/queue-4.14/net-dsa-bcm_sf2-only-7278-supports-2gb-sec-imp-port.patch new file mode 100644 index 00000000000..9e73b5145c8 --- /dev/null +++ b/queue-4.14/net-dsa-bcm_sf2-only-7278-supports-2gb-sec-imp-port.patch @@ -0,0 +1,34 @@ +From foo@baz Sun 09 Feb 2020 11:04:03 PM CET +From: Florian Fainelli +Date: Thu, 6 Feb 2020 11:23:52 -0800 +Subject: net: dsa: bcm_sf2: Only 7278 supports 2Gb/sec IMP port + +From: Florian Fainelli + +[ Upstream commit de34d7084edd069dac5aa010cfe32bd8c4619fa6 ] + +The 7445 switch clocking profiles do not allow us to run the IMP port at +2Gb/sec in a way that it is reliable and consistent. Make sure that the +setting is only applied to the 7278 family. + +Fixes: 8f1880cbe8d0 ("net: dsa: bcm_sf2: Configure IMP port for 2Gb/sec") +Signed-off-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/dsa/bcm_sf2.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/net/dsa/bcm_sf2.c ++++ b/drivers/net/dsa/bcm_sf2.c +@@ -137,7 +137,9 @@ static void bcm_sf2_imp_setup(struct dsa + + /* Force link status for IMP port */ + reg = core_readl(priv, offset); +- reg |= (MII_SW_OR | LINK_STS | GMII_SPEED_UP_2G); ++ reg |= (MII_SW_OR | LINK_STS); ++ if (priv->type == BCM7278_DEVICE_ID) ++ reg |= GMII_SPEED_UP_2G; + core_writel(priv, reg, offset); + + /* Enable Broadcast, Multicast, Unicast forwarding to IMP port */ diff --git a/queue-4.14/net-macb-limit-maximum-gem-tx-length-in-tso.patch b/queue-4.14/net-macb-limit-maximum-gem-tx-length-in-tso.patch new file mode 100644 index 00000000000..931e2511383 --- /dev/null +++ b/queue-4.14/net-macb-limit-maximum-gem-tx-length-in-tso.patch @@ -0,0 +1,41 @@ +From foo@baz Sun 09 Feb 2020 11:04:03 PM CET +From: Harini Katakam +Date: Wed, 5 Feb 2020 18:08:12 +0530 +Subject: net: macb: Limit maximum GEM TX length in TSO + +From: Harini Katakam + +[ Upstream commit f822e9c4ffa511a5c681cf866287d9383a3b6f1b ] + +GEM_MAX_TX_LEN currently resolves to 0x3FF8 for any IP version supporting +TSO with full 14bits of length field in payload descriptor. But an IP +errata causes false amba_error (bit 6 of ISR) when length in payload +descriptors is specified above 16387. The error occurs because the DMA +falsely concludes that there is not enough space in SRAM for incoming +payload. These errors were observed continuously under stress of large +packets using iperf on a version where SRAM was 16K for each queue. This +errata will be documented shortly and affects all versions since TSO +functionality was added. Hence limit the max length to 0x3FC0 (rounded). + +Signed-off-by: Harini Katakam +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/cadence/macb_main.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/cadence/macb_main.c ++++ b/drivers/net/ethernet/cadence/macb_main.c +@@ -66,7 +66,11 @@ + /* Max length of transmit frame must be a multiple of 8 bytes */ + #define MACB_TX_LEN_ALIGN 8 + #define MACB_MAX_TX_LEN ((unsigned int)((1 << MACB_TX_FRMLEN_SIZE) - 1) & ~((unsigned int)(MACB_TX_LEN_ALIGN - 1))) +-#define GEM_MAX_TX_LEN ((unsigned int)((1 << GEM_TX_FRMLEN_SIZE) - 1) & ~((unsigned int)(MACB_TX_LEN_ALIGN - 1))) ++/* Limit maximum TX length as per Cadence TSO errata. This is to avoid a ++ * false amba_error in TX path from the DMA assuming there is not enough ++ * space in the SRAM (16KB) even when there is. ++ */ ++#define GEM_MAX_TX_LEN (unsigned int)(0x3FC0) + + #define GEM_MTU_MIN_SIZE ETH_MIN_MTU + #define MACB_NETIF_LSO NETIF_F_TSO diff --git a/queue-4.14/net-macb-remove-unnecessary-alignment-check-for-tso.patch b/queue-4.14/net-macb-remove-unnecessary-alignment-check-for-tso.patch new file mode 100644 index 00000000000..b4313dcca68 --- /dev/null +++ b/queue-4.14/net-macb-remove-unnecessary-alignment-check-for-tso.patch @@ -0,0 +1,47 @@ +From foo@baz Sun 09 Feb 2020 11:04:03 PM CET +From: Harini Katakam +Date: Wed, 5 Feb 2020 18:08:11 +0530 +Subject: net: macb: Remove unnecessary alignment check for TSO + +From: Harini Katakam + +[ Upstream commit 41c1ef978c8d0259c6636e6d2d854777e92650eb ] + +The IP TSO implementation does NOT require the length to be a +multiple of 8. That is only a requirement for UFO as per IP +documentation. Hence, exit macb_features_check function in the +beginning if the protocol is not UDP. Only when it is UDP, +proceed further to the alignment checks. Update comments to +reflect the same. Also remove dead code checking for protocol +TCP when calculating header length. + +Fixes: 1629dd4f763c ("cadence: Add LSO support.") +Signed-off-by: Harini Katakam +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/cadence/macb_main.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +--- a/drivers/net/ethernet/cadence/macb_main.c ++++ b/drivers/net/ethernet/cadence/macb_main.c +@@ -1577,16 +1577,14 @@ static netdev_features_t macb_features_c + + /* Validate LSO compatibility */ + +- /* there is only one buffer */ +- if (!skb_is_nonlinear(skb)) ++ /* there is only one buffer or protocol is not UDP */ ++ if (!skb_is_nonlinear(skb) || (ip_hdr(skb)->protocol != IPPROTO_UDP)) + return features; + + /* length of header */ + hdrlen = skb_transport_offset(skb); +- if (ip_hdr(skb)->protocol == IPPROTO_TCP) +- hdrlen += tcp_hdrlen(skb); + +- /* For LSO: ++ /* For UFO only: + * When software supplies two or more payload buffers all payload buffers + * apart from the last must be a multiple of 8 bytes in size. + */ diff --git a/queue-4.14/net-systemport-avoid-rbuf-stuck-in-wake-on-lan-mode.patch b/queue-4.14/net-systemport-avoid-rbuf-stuck-in-wake-on-lan-mode.patch new file mode 100644 index 00000000000..56fc6cbbe33 --- /dev/null +++ b/queue-4.14/net-systemport-avoid-rbuf-stuck-in-wake-on-lan-mode.patch @@ -0,0 +1,37 @@ +From foo@baz Sun 09 Feb 2020 11:04:03 PM CET +From: Florian Fainelli +Date: Wed, 5 Feb 2020 12:32:04 -0800 +Subject: net: systemport: Avoid RBUF stuck in Wake-on-LAN mode + +From: Florian Fainelli + +[ Upstream commit 263a425a482fc495d6d3f9a29b9103a664c38b69 ] + +After a number of suspend and resume cycles, it is possible for the RBUF +to be stuck in Wake-on-LAN mode, despite the MPD enable bit being +cleared which instructed the RBUF to exit that mode. + +Avoid creating that problematic condition by clearing the RX_EN and +TX_EN bits in the UniMAC prior to disable the Magic Packet Detector +logic which is guaranteed to make the RBUF exit Wake-on-LAN mode. + +Fixes: 83e82f4c706b ("net: systemport: add Wake-on-LAN support") +Signed-off-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/broadcom/bcmsysport.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/net/ethernet/broadcom/bcmsysport.c ++++ b/drivers/net/ethernet/broadcom/bcmsysport.c +@@ -2329,6 +2329,9 @@ static int bcm_sysport_resume(struct dev + + umac_reset(priv); + ++ /* Disable the UniMAC RX/TX */ ++ umac_enable_set(priv, CMD_RX_EN | CMD_TX_EN, 0); ++ + /* We may have been suspended and never received a WOL event that + * would turn off MPD detection, take care of that now + */ diff --git a/queue-4.14/net_sched-fix-a-resource-leak-in-tcindex_set_parms.patch b/queue-4.14/net_sched-fix-a-resource-leak-in-tcindex_set_parms.patch new file mode 100644 index 00000000000..d12acab7f9b --- /dev/null +++ b/queue-4.14/net_sched-fix-a-resource-leak-in-tcindex_set_parms.patch @@ -0,0 +1,47 @@ +From foo@baz Sun 09 Feb 2020 11:04:03 PM CET +From: Cong Wang +Date: Tue, 4 Feb 2020 11:10:12 -0800 +Subject: net_sched: fix a resource leak in tcindex_set_parms() + +From: Cong Wang + +[ Upstream commit 52b5ae501c045010aeeb1d5ac0373ff161a88291 ] + +Jakub noticed there is a potential resource leak in +tcindex_set_parms(): when tcindex_filter_result_init() fails +and it jumps to 'errout1' which doesn't release the memory +and resources allocated by tcindex_alloc_perfect_hash(). + +We should just jump to 'errout_alloc' which calls +tcindex_free_perfect_hash(). + +Fixes: b9a24bb76bf6 ("net_sched: properly handle failure case of tcf_exts_init()") +Reported-by: Jakub Kicinski +Cc: Jamal Hadi Salim +Cc: Jiri Pirko +Signed-off-by: Cong Wang +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/sched/cls_tcindex.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/net/sched/cls_tcindex.c ++++ b/net/sched/cls_tcindex.c +@@ -383,7 +383,7 @@ tcindex_set_parms(struct net *net, struc + + err = tcindex_filter_result_init(&new_filter_result); + if (err < 0) +- goto errout1; ++ goto errout_alloc; + if (old_r) + cr = r->res; + +@@ -502,7 +502,6 @@ errout_alloc: + tcindex_free_perfect_hash(cp); + else if (balloc == 2) + kfree(cp->h); +-errout1: + tcf_exts_destroy(&new_filter_result.exts); + errout: + kfree(cp); diff --git a/queue-4.14/series b/queue-4.14/series index 014198fd9af..df8b23eaa4d 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -109,3 +109,9 @@ ubi-fastmap-fix-inverted-logic-in-seen-selfcheck.patch ubi-fix-an-error-pointer-dereference-in-error-handling-code.patch mfd-da9062-fix-watchdog-compatible-string.patch mfd-rn5t618-mark-adc-control-register-volatile.patch +net-dsa-bcm_sf2-only-7278-supports-2gb-sec-imp-port.patch +net_sched-fix-a-resource-leak-in-tcindex_set_parms.patch +net-systemport-avoid-rbuf-stuck-in-wake-on-lan-mode.patch +net-macb-remove-unnecessary-alignment-check-for-tso.patch +net-macb-limit-maximum-gem-tx-length-in-tso.patch +bonding-alb-properly-access-headers-in-bond_alb_xmit.patch