From: Greg Kroah-Hartman Date: Thu, 8 Aug 2019 06:51:19 +0000 (+0200) Subject: 5.2-stable patches X-Git-Tag: v5.2.8~17 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=1fbb5d0db69ffa5590ae84cace3594d073a35645;p=thirdparty%2Fkernel%2Fstable-queue.git 5.2-stable patches added patches: atm-iphase-fix-spectre-v1-vulnerability.patch bnx2x-disable-multi-cos-feature.patch bpf-fix-xdp-vlan-selftests-test_xdp_vlan.sh.patch compat_ioctl-pppoe-fix-pppoeiocsfwd-handling.patch drivers-net-ethernet-marvell-mvmdio.c-fix-non-of-case.patch hv_sock-fix-hang-when-a-connection-is-closed.patch ife-error-out-when-nla-attributes-are-empty.patch ip6_gre-reload-ipv6h-in-prepare_ip6gre_xmit_ipv6.patch ip6_tunnel-fix-possible-use-after-free-on-xmit.patch ipip-validate-header-length-in-ipip_tunnel_xmit.patch mlxsw-spectrum-fix-error-path-in-mlxsw_sp_module_init.patch mlxsw-spectrum_buffers-further-reduce-pool-size-on-spectrum-2.patch mvpp2-fix-panic-on-module-removal.patch mvpp2-refactor-mtu-change-code.patch net-bridge-delete-local-fdb-on-device-init-failure.patch net-bridge-mcast-don-t-delete-permanent-entries-when-fast-leave-is-enabled.patch net-bridge-move-default-pvid-init-deinit-to-netdev_register-unregister.patch net-fix-bpf_xdp_adjust_head-regression-for-generic-xdp.patch net-fix-ifindex-collision-during-namespace-removal.patch net-mlx5-add-missing-rdma_rx-capabilities.patch net-mlx5-fix-modify_cq_in-alignment.patch net-mlx5-use-reversed-order-when-unregister-devices.patch net-mlx5e-always-initialize-frag-last_in_page.patch net-mlx5e-fix-matching-of-speed-to-prm-link-modes.patch net-mlx5e-prevent-encap-flow-counter-update-async-to-user-query.patch net-phy-fix-race-in-genphy_update_link.patch net-phy-fixed_phy-print-gpio-error-only-if-gpio-node-is-present.patch net-phy-mscc-initialize-stats-array.patch net-phylink-don-t-start-and-stop-sgmii-phys-in-sfp-modules-twice.patch net-phylink-fix-flow-control-for-fixed-link.patch net-qualcomm-rmnet-fix-incorrect-ul-checksum-offload-logic.patch net-sched-fix-a-possible-null-pointer-dereference-in-dequeue_func.patch net-sched-update-vlan-action-for-batched-events-operations.patch net-sched-use-temporary-variable-for-actions-indexes.patch net-smc-avoid-fallback-in-case-of-non-blocking-connect.patch net-smc-do-not-schedule-tx_work-in-smc_closed-state.patch net-stmmac-use-netif_tx_napi_add-for-tx-polling-function.patch nfc-nfcmrvl-fix-gpio-handling-regression.patch ocelot-cancel-delayed-work-before-wq-destruction.patch r8169-don-t-use-msi-before-rtl8168d.patch rocker-fix-memory-leaks-of-fib_work-on-two-error-return-paths.patch selftests-bpf-add-wrapper-scripts-for-test_xdp_vlan.sh.patch selftests-bpf-reduce-time-to-execute-test_xdp_vlan.sh.patch tipc-compat-allow-tipc-commands-without-arguments.patch tipc-fix-unitilized-skb-list-crash.patch tun-mark-small-packets-as-owned-by-the-tap-sock.patch --- diff --git a/queue-5.2/atm-iphase-fix-spectre-v1-vulnerability.patch b/queue-5.2/atm-iphase-fix-spectre-v1-vulnerability.patch new file mode 100644 index 00000000000..703fa49df7b --- /dev/null +++ b/queue-5.2/atm-iphase-fix-spectre-v1-vulnerability.patch @@ -0,0 +1,62 @@ +From foo@baz Thu 08 Aug 2019 08:50:15 AM CEST +From: "Gustavo A. R. Silva" +Date: Tue, 30 Jul 2019 22:21:41 -0500 +Subject: atm: iphase: Fix Spectre v1 vulnerability + +From: "Gustavo A. R. Silva" + +[ Upstream commit ea443e5e98b5b74e317ef3d26bcaea54931ccdee ] + +board is controlled by user-space, hence leading to a potential +exploitation of the Spectre variant 1 vulnerability. + +This issue was detected with the help of Smatch: + +drivers/atm/iphase.c:2765 ia_ioctl() warn: potential spectre issue 'ia_dev' [r] (local cap) +drivers/atm/iphase.c:2774 ia_ioctl() warn: possible spectre second half. 'iadev' +drivers/atm/iphase.c:2782 ia_ioctl() warn: possible spectre second half. 'iadev' +drivers/atm/iphase.c:2816 ia_ioctl() warn: possible spectre second half. 'iadev' +drivers/atm/iphase.c:2823 ia_ioctl() warn: possible spectre second half. 'iadev' +drivers/atm/iphase.c:2830 ia_ioctl() warn: potential spectre issue '_ia_dev' [r] (local cap) +drivers/atm/iphase.c:2845 ia_ioctl() warn: possible spectre second half. 'iadev' +drivers/atm/iphase.c:2856 ia_ioctl() warn: possible spectre second half. 'iadev' + +Fix this by sanitizing board before using it to index ia_dev and _ia_dev + +Notice that given that speculation windows are large, the policy is +to kill the speculation on the first load and not worry if it can be +completed with a dependent load/store [1]. + +[1] https://lore.kernel.org/lkml/20180423164740.GY17484@dhcp22.suse.cz/ + +Signed-off-by: Gustavo A. R. Silva +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/atm/iphase.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/drivers/atm/iphase.c ++++ b/drivers/atm/iphase.c +@@ -63,6 +63,7 @@ + #include + #include + #include ++#include + #include "iphase.h" + #include "suni.h" + #define swap_byte_order(x) (((x & 0xff) << 8) | ((x & 0xff00) >> 8)) +@@ -2760,8 +2761,11 @@ static int ia_ioctl(struct atm_dev *dev, + } + if (copy_from_user(&ia_cmds, arg, sizeof ia_cmds)) return -EFAULT; + board = ia_cmds.status; +- if ((board < 0) || (board > iadev_count)) +- board = 0; ++ ++ if ((board < 0) || (board > iadev_count)) ++ board = 0; ++ board = array_index_nospec(board, iadev_count + 1); ++ + iadev = ia_dev[board]; + switch (ia_cmds.cmd) { + case MEMDUMP: diff --git a/queue-5.2/bnx2x-disable-multi-cos-feature.patch b/queue-5.2/bnx2x-disable-multi-cos-feature.patch new file mode 100644 index 00000000000..3baf9739351 --- /dev/null +++ b/queue-5.2/bnx2x-disable-multi-cos-feature.patch @@ -0,0 +1,36 @@ +From foo@baz Thu 08 Aug 2019 08:50:15 AM CEST +From: Sudarsana Reddy Kalluru +Date: Tue, 23 Jul 2019 19:32:41 -0700 +Subject: bnx2x: Disable multi-cos feature. + +From: Sudarsana Reddy Kalluru + +[ Upstream commit d1f0b5dce8fda09a7f5f04c1878f181d548e42f5 ] + +Commit 3968d38917eb ("bnx2x: Fix Multi-Cos.") which enabled multi-cos +feature after prolonged time in driver added some regression causing +numerous issues (sudden reboots, tx timeout etc.) reported by customers. +We plan to backout this commit and submit proper fix once we have root +cause of issues reported with this feature enabled. + +Fixes: 3968d38917eb ("bnx2x: Fix Multi-Cos.") +Signed-off-by: Sudarsana Reddy Kalluru +Signed-off-by: Manish Chopra +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c ++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c +@@ -1934,8 +1934,7 @@ u16 bnx2x_select_queue(struct net_device + } + + /* select a non-FCoE queue */ +- return netdev_pick_tx(dev, skb, NULL) % +- (BNX2X_NUM_ETH_QUEUES(bp) * bp->max_cos); ++ return netdev_pick_tx(dev, skb, NULL) % (BNX2X_NUM_ETH_QUEUES(bp)); + } + + void bnx2x_set_num_queues(struct bnx2x *bp) diff --git a/queue-5.2/bpf-fix-xdp-vlan-selftests-test_xdp_vlan.sh.patch b/queue-5.2/bpf-fix-xdp-vlan-selftests-test_xdp_vlan.sh.patch new file mode 100644 index 00000000000..6b11a1694d5 --- /dev/null +++ b/queue-5.2/bpf-fix-xdp-vlan-selftests-test_xdp_vlan.sh.patch @@ -0,0 +1,127 @@ +From foo@baz Thu 08 Aug 2019 08:50:15 AM CEST +From: Jesper Dangaard Brouer +Date: Thu, 1 Aug 2019 20:00:16 +0200 +Subject: bpf: fix XDP vlan selftests test_xdp_vlan.sh + +From: Jesper Dangaard Brouer + +[ Upstream commit 4de9c89a4982431c4a02739743fd360dc5581f22 ] + +Change BPF selftest test_xdp_vlan.sh to (default) use generic XDP. + +This selftest was created together with a fix for generic XDP, in commit +297249569932 ("net: fix generic XDP to handle if eth header was +mangled"). And was suppose to catch if generic XDP was broken again. + +The tests are using veth and assumed that veth driver didn't support +native driver XDP, thus it used the (ip link set) 'xdp' attach that fell +back to generic-XDP. But veth gained native-XDP support in 948d4f214fde +("veth: Add driver XDP"), which caused this test script to use +native-XDP. + +Fixes: 948d4f214fde ("veth: Add driver XDP") +Fixes: 97396ff0bc2d ("selftests/bpf: add XDP selftests for modifying and popping VLAN headers") +Signed-off-by: Jesper Dangaard Brouer +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/bpf/test_xdp_vlan.sh | 42 +++++++++++++++++++++++---- + 1 file changed, 36 insertions(+), 6 deletions(-) + +--- a/tools/testing/selftests/bpf/test_xdp_vlan.sh ++++ b/tools/testing/selftests/bpf/test_xdp_vlan.sh +@@ -1,7 +1,12 @@ + #!/bin/bash ++# SPDX-License-Identifier: GPL-2.0 ++# Author: Jesper Dangaard Brouer + + TESTNAME=xdp_vlan + ++# Default XDP mode ++XDP_MODE=xdpgeneric ++ + usage() { + echo "Testing XDP + TC eBPF VLAN manipulations: $TESTNAME" + echo "" +@@ -9,9 +14,23 @@ usage() { + echo " -v | --verbose : Verbose" + echo " --flush : Flush before starting (e.g. after --interactive)" + echo " --interactive : Keep netns setup running after test-run" ++ echo " --mode=XXX : Choose XDP mode (xdp | xdpgeneric | xdpdrv)" + echo "" + } + ++valid_xdp_mode() ++{ ++ local mode=$1 ++ ++ case "$mode" in ++ xdpgeneric | xdpdrv | xdp) ++ return 0 ++ ;; ++ *) ++ return 1 ++ esac ++} ++ + cleanup() + { + local status=$? +@@ -37,7 +56,7 @@ cleanup() + + # Using external program "getopt" to get --long-options + OPTIONS=$(getopt -o hvfi: \ +- --long verbose,flush,help,interactive,debug -- "$@") ++ --long verbose,flush,help,interactive,debug,mode: -- "$@") + if (( $? != 0 )); then + usage + echo "selftests: $TESTNAME [FAILED] Error calling getopt, unknown option?" +@@ -60,6 +79,11 @@ while true; do + cleanup + shift + ;; ++ --mode ) ++ shift ++ XDP_MODE=$1 ++ shift ++ ;; + -- ) + shift + break +@@ -81,8 +105,14 @@ if [ "$EUID" -ne 0 ]; then + exit 1 + fi + +-ip link set dev lo xdp off 2>/dev/null > /dev/null +-if [ $? -ne 0 ];then ++valid_xdp_mode $XDP_MODE ++if [ $? -ne 0 ]; then ++ echo "selftests: $TESTNAME [FAILED] unknown XDP mode ($XDP_MODE)" ++ exit 1 ++fi ++ ++ip link set dev lo xdpgeneric off 2>/dev/null > /dev/null ++if [ $? -ne 0 ]; then + echo "selftests: $TESTNAME [SKIP] need ip xdp support" + exit 0 + fi +@@ -166,7 +196,7 @@ export FILE=test_xdp_vlan.o + + # First test: Remove VLAN by setting VLAN ID 0, using "xdp_vlan_change" + export XDP_PROG=xdp_vlan_change +-ip netns exec ns1 ip link set $DEVNS1 xdp object $FILE section $XDP_PROG ++ip netns exec ns1 ip link set $DEVNS1 $XDP_MODE object $FILE section $XDP_PROG + + # In ns1: egress use TC to add back VLAN tag 4011 + # (del cmd) +@@ -187,8 +217,8 @@ ip netns exec ns1 ping -W 2 -c 3 $IPADDR + # ETH_P_8021Q indication, and this cause overwriting of our changes. + # + export XDP_PROG=xdp_vlan_remove_outer2 +-ip netns exec ns1 ip link set $DEVNS1 xdp off +-ip netns exec ns1 ip link set $DEVNS1 xdp object $FILE section $XDP_PROG ++ip netns exec ns1 ip link set $DEVNS1 $XDP_MODE off ++ip netns exec ns1 ip link set $DEVNS1 $XDP_MODE object $FILE section $XDP_PROG + + # Now the namespaces should still be able reach each-other, test with ping: + ip netns exec ns2 ping -W 2 -c 3 $IPADDR1 diff --git a/queue-5.2/compat_ioctl-pppoe-fix-pppoeiocsfwd-handling.patch b/queue-5.2/compat_ioctl-pppoe-fix-pppoeiocsfwd-handling.patch new file mode 100644 index 00000000000..a9ba7709ae6 --- /dev/null +++ b/queue-5.2/compat_ioctl-pppoe-fix-pppoeiocsfwd-handling.patch @@ -0,0 +1,132 @@ +From foo@baz Thu 08 Aug 2019 08:50:15 AM CEST +From: Arnd Bergmann +Date: Tue, 30 Jul 2019 21:25:20 +0200 +Subject: compat_ioctl: pppoe: fix PPPOEIOCSFWD handling + +From: Arnd Bergmann + +[ Upstream commit 055d88242a6046a1ceac3167290f054c72571cd9 ] + +Support for handling the PPPOEIOCSFWD ioctl in compat mode was added in +linux-2.5.69 along with hundreds of other commands, but was always broken +sincen only the structure is compatible, but the command number is not, +due to the size being sizeof(size_t), or at first sizeof(sizeof((struct +sockaddr_pppox)), which is different on 64-bit architectures. + +Guillaume Nault adds: + + And the implementation was broken until 2016 (see 29e73269aa4d ("pppoe: + fix reference counting in PPPoE proxy")), and nobody ever noticed. I + should probably have removed this ioctl entirely instead of fixing it. + Clearly, it has never been used. + +Fix it by adding a compat_ioctl handler for all pppoe variants that +translates the command number and then calls the regular ioctl function. + +All other ioctl commands handled by pppoe are compatible between 32-bit +and 64-bit, and require compat_ptr() conversion. + +This should apply to all stable kernels. + +Acked-by: Guillaume Nault +Signed-off-by: Arnd Bergmann +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ppp/pppoe.c | 3 +++ + drivers/net/ppp/pppox.c | 13 +++++++++++++ + drivers/net/ppp/pptp.c | 3 +++ + fs/compat_ioctl.c | 3 --- + include/linux/if_pppox.h | 3 +++ + net/l2tp/l2tp_ppp.c | 3 +++ + 6 files changed, 25 insertions(+), 3 deletions(-) + +--- a/drivers/net/ppp/pppoe.c ++++ b/drivers/net/ppp/pppoe.c +@@ -1115,6 +1115,9 @@ static const struct proto_ops pppoe_ops + .recvmsg = pppoe_recvmsg, + .mmap = sock_no_mmap, + .ioctl = pppox_ioctl, ++#ifdef CONFIG_COMPAT ++ .compat_ioctl = pppox_compat_ioctl, ++#endif + }; + + static const struct pppox_proto pppoe_proto = { +--- a/drivers/net/ppp/pppox.c ++++ b/drivers/net/ppp/pppox.c +@@ -17,6 +17,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -98,6 +99,18 @@ int pppox_ioctl(struct socket *sock, uns + + EXPORT_SYMBOL(pppox_ioctl); + ++#ifdef CONFIG_COMPAT ++int pppox_compat_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg) ++{ ++ if (cmd == PPPOEIOCSFWD32) ++ cmd = PPPOEIOCSFWD; ++ ++ return pppox_ioctl(sock, cmd, (unsigned long)compat_ptr(arg)); ++} ++ ++EXPORT_SYMBOL(pppox_compat_ioctl); ++#endif ++ + static int pppox_create(struct net *net, struct socket *sock, int protocol, + int kern) + { +--- a/drivers/net/ppp/pptp.c ++++ b/drivers/net/ppp/pptp.c +@@ -623,6 +623,9 @@ static const struct proto_ops pptp_ops = + .recvmsg = sock_no_recvmsg, + .mmap = sock_no_mmap, + .ioctl = pppox_ioctl, ++#ifdef CONFIG_COMPAT ++ .compat_ioctl = pppox_compat_ioctl, ++#endif + }; + + static const struct pppox_proto pppox_pptp_proto = { +--- a/fs/compat_ioctl.c ++++ b/fs/compat_ioctl.c +@@ -638,9 +638,6 @@ COMPATIBLE_IOCTL(PPPIOCDISCONN) + COMPATIBLE_IOCTL(PPPIOCATTCHAN) + COMPATIBLE_IOCTL(PPPIOCGCHAN) + COMPATIBLE_IOCTL(PPPIOCGL2TPSTATS) +-/* PPPOX */ +-COMPATIBLE_IOCTL(PPPOEIOCSFWD) +-COMPATIBLE_IOCTL(PPPOEIOCDFWD) + /* Big A */ + /* sparc only */ + /* Big Q for sound/OSS */ +--- a/include/linux/if_pppox.h ++++ b/include/linux/if_pppox.h +@@ -80,6 +80,9 @@ extern int register_pppox_proto(int prot + extern void unregister_pppox_proto(int proto_num); + extern void pppox_unbind_sock(struct sock *sk);/* delete ppp-channel binding */ + extern int pppox_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg); ++extern int pppox_compat_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg); ++ ++#define PPPOEIOCSFWD32 _IOW(0xB1 ,0, compat_size_t) + + /* PPPoX socket states */ + enum { +--- a/net/l2tp/l2tp_ppp.c ++++ b/net/l2tp/l2tp_ppp.c +@@ -1681,6 +1681,9 @@ static const struct proto_ops pppol2tp_o + .recvmsg = pppol2tp_recvmsg, + .mmap = sock_no_mmap, + .ioctl = pppox_ioctl, ++#ifdef CONFIG_COMPAT ++ .compat_ioctl = pppox_compat_ioctl, ++#endif + }; + + static const struct pppox_proto pppol2tp_proto = { diff --git a/queue-5.2/drivers-net-ethernet-marvell-mvmdio.c-fix-non-of-case.patch b/queue-5.2/drivers-net-ethernet-marvell-mvmdio.c-fix-non-of-case.patch new file mode 100644 index 00000000000..0afcb921d4a --- /dev/null +++ b/queue-5.2/drivers-net-ethernet-marvell-mvmdio.c-fix-non-of-case.patch @@ -0,0 +1,66 @@ +From foo@baz Thu 08 Aug 2019 08:50:15 AM CEST +From: "Arnaud Patard (Rtp)" +Date: Fri, 2 Aug 2019 10:32:40 +0200 +Subject: drivers/net/ethernet/marvell/mvmdio.c: Fix non OF case + +From: "Arnaud Patard (Rtp)" + +[ Upstream commit d934423ac26ed373dfe089734d505dca5ff679b6 ] + +Orion5.x systems are still using machine files and not device-tree. +Commit 96cb4342382290c9 ("net: mvmdio: allow up to three clocks to be +specified for orion-mdio") has replaced devm_clk_get() with of_clk_get(), +leading to a oops at boot and not working network, as reported in +https://lists.debian.org/debian-arm/2019/07/msg00088.html and possibly in +https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=908712. + +Link: https://lists.debian.org/debian-arm/2019/07/msg00088.html +Fixes: 96cb4342382290c9 ("net: mvmdio: allow up to three clocks to be specified for orion-mdio") +Signed-off-by: Arnaud Patard +Reviewed-by: Andrew Lunn +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/marvell/mvmdio.c | 28 ++++++++++++++++++++++------ + 1 file changed, 22 insertions(+), 6 deletions(-) + +--- a/drivers/net/ethernet/marvell/mvmdio.c ++++ b/drivers/net/ethernet/marvell/mvmdio.c +@@ -319,15 +319,31 @@ static int orion_mdio_probe(struct platf + + init_waitqueue_head(&dev->smi_busy_wait); + +- for (i = 0; i < ARRAY_SIZE(dev->clk); i++) { +- dev->clk[i] = of_clk_get(pdev->dev.of_node, i); +- if (PTR_ERR(dev->clk[i]) == -EPROBE_DEFER) { ++ if (pdev->dev.of_node) { ++ for (i = 0; i < ARRAY_SIZE(dev->clk); i++) { ++ dev->clk[i] = of_clk_get(pdev->dev.of_node, i); ++ if (PTR_ERR(dev->clk[i]) == -EPROBE_DEFER) { ++ ret = -EPROBE_DEFER; ++ goto out_clk; ++ } ++ if (IS_ERR(dev->clk[i])) ++ break; ++ clk_prepare_enable(dev->clk[i]); ++ } ++ ++ if (!IS_ERR(of_clk_get(pdev->dev.of_node, ++ ARRAY_SIZE(dev->clk)))) ++ dev_warn(&pdev->dev, ++ "unsupported number of clocks, limiting to the first " ++ __stringify(ARRAY_SIZE(dev->clk)) "\n"); ++ } else { ++ dev->clk[0] = clk_get(&pdev->dev, NULL); ++ if (PTR_ERR(dev->clk[0]) == -EPROBE_DEFER) { + ret = -EPROBE_DEFER; + goto out_clk; + } +- if (IS_ERR(dev->clk[i])) +- break; +- clk_prepare_enable(dev->clk[i]); ++ if (!IS_ERR(dev->clk[0])) ++ clk_prepare_enable(dev->clk[0]); + } + + dev->err_interrupt = platform_get_irq(pdev, 0); diff --git a/queue-5.2/hv_sock-fix-hang-when-a-connection-is-closed.patch b/queue-5.2/hv_sock-fix-hang-when-a-connection-is-closed.patch new file mode 100644 index 00000000000..0b5e2f40da9 --- /dev/null +++ b/queue-5.2/hv_sock-fix-hang-when-a-connection-is-closed.patch @@ -0,0 +1,66 @@ +From foo@baz Thu 08 Aug 2019 08:50:15 AM CEST +From: Dexuan Cui +Date: Wed, 31 Jul 2019 01:25:45 +0000 +Subject: hv_sock: Fix hang when a connection is closed + +From: Dexuan Cui + +[ Upstream commit 8c7885e5690be9a27231ebebf82ef29fbf46c4e4 ] + +There is a race condition for an established connection that is being closed +by the guest: the refcnt is 4 at the end of hvs_release() (Note: here the +'remove_sock' is false): + +1 for the initial value; +1 for the sk being in the bound list; +1 for the sk being in the connected list; +1 for the delayed close_work. + +After hvs_release() finishes, __vsock_release() -> sock_put(sk) *may* +decrease the refcnt to 3. + +Concurrently, hvs_close_connection() runs in another thread: + calls vsock_remove_sock() to decrease the refcnt by 2; + call sock_put() to decrease the refcnt to 0, and free the sk; + next, the "release_sock(sk)" may hang due to use-after-free. + +In the above, after hvs_release() finishes, if hvs_close_connection() runs +faster than "__vsock_release() -> sock_put(sk)", then there is not any issue, +because at the beginning of hvs_close_connection(), the refcnt is still 4. + +The issue can be resolved if an extra reference is taken when the +connection is established. + +Fixes: a9eeb998c28d ("hv_sock: Add support for delayed close") +Signed-off-by: Dexuan Cui +Reviewed-by: Sunil Muthuswamy +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/vmw_vsock/hyperv_transport.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/net/vmw_vsock/hyperv_transport.c ++++ b/net/vmw_vsock/hyperv_transport.c +@@ -311,6 +311,11 @@ static void hvs_close_connection(struct + lock_sock(sk); + hvs_do_close_lock_held(vsock_sk(sk), true); + release_sock(sk); ++ ++ /* Release the refcnt for the channel that's opened in ++ * hvs_open_connection(). ++ */ ++ sock_put(sk); + } + + static void hvs_open_connection(struct vmbus_channel *chan) +@@ -378,6 +383,9 @@ static void hvs_open_connection(struct v + } + + set_per_channel_state(chan, conn_from_host ? new : sk); ++ ++ /* This reference will be dropped by hvs_close_connection(). */ ++ sock_hold(conn_from_host ? new : sk); + vmbus_set_chn_rescind_callback(chan, hvs_close_connection); + + /* Set the pending send size to max packet size to always get diff --git a/queue-5.2/ife-error-out-when-nla-attributes-are-empty.patch b/queue-5.2/ife-error-out-when-nla-attributes-are-empty.patch new file mode 100644 index 00000000000..8f26f134d82 --- /dev/null +++ b/queue-5.2/ife-error-out-when-nla-attributes-are-empty.patch @@ -0,0 +1,37 @@ +From foo@baz Thu 08 Aug 2019 08:50:15 AM CEST +From: Cong Wang +Date: Mon, 22 Jul 2019 21:43:00 -0700 +Subject: ife: error out when nla attributes are empty + +From: Cong Wang + +[ Upstream commit c8ec4632c6ac9cda0e8c3d51aa41eeab66585bd5 ] + +act_ife at least requires TCA_IFE_PARMS, so we have to bail out +when there is no attribute passed in. + +Reported-by: syzbot+fbb5b288c9cb6a2eeac4@syzkaller.appspotmail.com +Fixes: ef6980b6becb ("introduce IFE action") +Cc: Jamal Hadi Salim +Cc: Jiri Pirko +Signed-off-by: Cong Wang +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/sched/act_ife.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/net/sched/act_ife.c ++++ b/net/sched/act_ife.c +@@ -481,6 +481,11 @@ static int tcf_ife_init(struct net *net, + int ret = 0; + int err; + ++ if (!nla) { ++ NL_SET_ERR_MSG_MOD(extack, "IFE requires attributes to be passed"); ++ return -EINVAL; ++ } ++ + err = nla_parse_nested_deprecated(tb, TCA_IFE_MAX, nla, ife_policy, + NULL); + if (err < 0) diff --git a/queue-5.2/ip6_gre-reload-ipv6h-in-prepare_ip6gre_xmit_ipv6.patch b/queue-5.2/ip6_gre-reload-ipv6h-in-prepare_ip6gre_xmit_ipv6.patch new file mode 100644 index 00000000000..86fdd3d0a01 --- /dev/null +++ b/queue-5.2/ip6_gre-reload-ipv6h-in-prepare_ip6gre_xmit_ipv6.patch @@ -0,0 +1,40 @@ +From foo@baz Thu 08 Aug 2019 08:50:15 AM CEST +From: Haishuang Yan +Date: Wed, 24 Jul 2019 20:00:42 +0800 +Subject: ip6_gre: reload ipv6h in prepare_ip6gre_xmit_ipv6 + +From: Haishuang Yan + +[ Upstream commit 3bc817d665ac6d9de89f59df522ad86f5b5dfc03 ] + +Since ip6_tnl_parse_tlv_enc_lim() can call pskb_may_pull() +which may change skb->data, so we need to re-load ipv6h at +the right place. + +Fixes: 898b29798e36 ("ip6_gre: Refactor ip6gre xmit codes") +Cc: William Tu +Signed-off-by: Haishuang Yan +Acked-by: William Tu +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/ip6_gre.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/ipv6/ip6_gre.c ++++ b/net/ipv6/ip6_gre.c +@@ -660,12 +660,13 @@ static int prepare_ip6gre_xmit_ipv6(stru + struct flowi6 *fl6, __u8 *dsfield, + int *encap_limit) + { +- struct ipv6hdr *ipv6h = ipv6_hdr(skb); ++ struct ipv6hdr *ipv6h; + struct ip6_tnl *t = netdev_priv(dev); + __u16 offset; + + offset = ip6_tnl_parse_tlv_enc_lim(skb, skb_network_header(skb)); + /* ip6_tnl_parse_tlv_enc_lim() might have reallocated skb->head */ ++ ipv6h = ipv6_hdr(skb); + + if (offset > 0) { + struct ipv6_tlv_tnl_enc_lim *tel; diff --git a/queue-5.2/ip6_tunnel-fix-possible-use-after-free-on-xmit.patch b/queue-5.2/ip6_tunnel-fix-possible-use-after-free-on-xmit.patch new file mode 100644 index 00000000000..ef9a799861c --- /dev/null +++ b/queue-5.2/ip6_tunnel-fix-possible-use-after-free-on-xmit.patch @@ -0,0 +1,52 @@ +From foo@baz Thu 08 Aug 2019 08:50:15 AM CEST +From: Haishuang Yan +Date: Fri, 26 Jul 2019 00:40:17 +0800 +Subject: ip6_tunnel: fix possible use-after-free on xmit + +From: Haishuang Yan + +[ Upstream commit 01f5bffad555f8e22a61f4b1261fe09cf1b96994 ] + +ip4ip6/ip6ip6 tunnels run iptunnel_handle_offloads on xmit which +can cause a possible use-after-free accessing iph/ipv6h pointer +since the packet will be 'uncloned' running pskb_expand_head if +it is a cloned gso skb. + +Fixes: 0e9a709560db ("ip6_tunnel, ip6_gre: fix setting of DSCP on encapsulated packets") +Signed-off-by: Haishuang Yan +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/ip6_tunnel.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +--- a/net/ipv6/ip6_tunnel.c ++++ b/net/ipv6/ip6_tunnel.c +@@ -1278,12 +1278,11 @@ ip4ip6_tnl_xmit(struct sk_buff *skb, str + } + + fl6.flowi6_uid = sock_net_uid(dev_net(dev), NULL); ++ dsfield = INET_ECN_encapsulate(dsfield, ipv4_get_dsfield(iph)); + + if (iptunnel_handle_offloads(skb, SKB_GSO_IPXIP6)) + return -1; + +- dsfield = INET_ECN_encapsulate(dsfield, ipv4_get_dsfield(iph)); +- + skb_set_inner_ipproto(skb, IPPROTO_IPIP); + + err = ip6_tnl_xmit(skb, dev, dsfield, &fl6, encap_limit, &mtu, +@@ -1367,12 +1366,11 @@ ip6ip6_tnl_xmit(struct sk_buff *skb, str + } + + fl6.flowi6_uid = sock_net_uid(dev_net(dev), NULL); ++ dsfield = INET_ECN_encapsulate(dsfield, ipv6_get_dsfield(ipv6h)); + + if (iptunnel_handle_offloads(skb, SKB_GSO_IPXIP6)) + return -1; + +- dsfield = INET_ECN_encapsulate(dsfield, ipv6_get_dsfield(ipv6h)); +- + skb_set_inner_ipproto(skb, IPPROTO_IPV6); + + err = ip6_tnl_xmit(skb, dev, dsfield, &fl6, encap_limit, &mtu, diff --git a/queue-5.2/ipip-validate-header-length-in-ipip_tunnel_xmit.patch b/queue-5.2/ipip-validate-header-length-in-ipip_tunnel_xmit.patch new file mode 100644 index 00000000000..c499bac16c4 --- /dev/null +++ b/queue-5.2/ipip-validate-header-length-in-ipip_tunnel_xmit.patch @@ -0,0 +1,33 @@ +From foo@baz Thu 08 Aug 2019 08:50:15 AM CEST +From: Haishuang Yan +Date: Thu, 25 Jul 2019 11:07:56 +0800 +Subject: ipip: validate header length in ipip_tunnel_xmit + +From: Haishuang Yan + +[ Upstream commit 47d858d0bdcd47cc1c6c9eeca91b091dd9e55637 ] + +We need the same checks introduced by commit cb9f1b783850 +("ip: validate header length on virtual device xmit") for +ipip tunnel. + +Fixes: cb9f1b783850b ("ip: validate header length on virtual device xmit") +Signed-off-by: Haishuang Yan +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/ipip.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/net/ipv4/ipip.c ++++ b/net/ipv4/ipip.c +@@ -275,6 +275,9 @@ static netdev_tx_t ipip_tunnel_xmit(stru + const struct iphdr *tiph = &tunnel->parms.iph; + u8 ipproto; + ++ if (!pskb_inet_may_pull(skb)) ++ goto tx_error; ++ + switch (skb->protocol) { + case htons(ETH_P_IP): + ipproto = IPPROTO_IPIP; diff --git a/queue-5.2/mlxsw-spectrum-fix-error-path-in-mlxsw_sp_module_init.patch b/queue-5.2/mlxsw-spectrum-fix-error-path-in-mlxsw_sp_module_init.patch new file mode 100644 index 00000000000..2b460bcd498 --- /dev/null +++ b/queue-5.2/mlxsw-spectrum-fix-error-path-in-mlxsw_sp_module_init.patch @@ -0,0 +1,32 @@ +From foo@baz Thu 08 Aug 2019 08:50:15 AM CEST +From: Jiri Pirko +Date: Wed, 31 Jul 2019 09:33:14 +0300 +Subject: mlxsw: spectrum: Fix error path in mlxsw_sp_module_init() + +From: Jiri Pirko + +[ Upstream commit 28fe79000e9b0a6f99959869947f1ca305f14599 ] + +In case of sp2 pci driver registration fail, fix the error path to +start with sp1 pci driver unregister. + +Fixes: c3ab435466d5 ("mlxsw: spectrum: Extend to support Spectrum-2 ASIC") +Signed-off-by: Jiri Pirko +Signed-off-by: Ido Schimmel +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlxsw/spectrum.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum.c ++++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum.c +@@ -5989,7 +5989,7 @@ static int __init mlxsw_sp_module_init(v + return 0; + + err_sp2_pci_driver_register: +- mlxsw_pci_driver_unregister(&mlxsw_sp2_pci_driver); ++ mlxsw_pci_driver_unregister(&mlxsw_sp1_pci_driver); + err_sp1_pci_driver_register: + mlxsw_core_driver_unregister(&mlxsw_sp2_driver); + err_sp2_core_driver_register: diff --git a/queue-5.2/mlxsw-spectrum_buffers-further-reduce-pool-size-on-spectrum-2.patch b/queue-5.2/mlxsw-spectrum_buffers-further-reduce-pool-size-on-spectrum-2.patch new file mode 100644 index 00000000000..d55e0ecad30 --- /dev/null +++ b/queue-5.2/mlxsw-spectrum_buffers-further-reduce-pool-size-on-spectrum-2.patch @@ -0,0 +1,39 @@ +From foo@baz Thu 08 Aug 2019 08:50:15 AM CEST +From: Petr Machata +Date: Wed, 31 Jul 2019 09:33:15 +0300 +Subject: mlxsw: spectrum_buffers: Further reduce pool size on Spectrum-2 + +From: Petr Machata + +[ Upstream commit 744ad9a357280d03d567538cee7e1e457dedd481 ] + +In commit e891ce1dd2a5 ("mlxsw: spectrum_buffers: Reduce pool size on +Spectrum-2"), pool size was reduced to mitigate a problem in port buffer +usage of ports split four ways. It turns out that this work around does not +solve the issue, and a further reduction is required. + +Thus reduce the size of pool 0 by another 2.7 MiB, and round down to the +whole number of cells. + +Fixes: e891ce1dd2a5 ("mlxsw: spectrum_buffers: Reduce pool size on Spectrum-2") +Signed-off-by: Petr Machata +Signed-off-by: Ido Schimmel +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlxsw/spectrum_buffers.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_buffers.c ++++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_buffers.c +@@ -437,8 +437,8 @@ static const struct mlxsw_sp_sb_pr mlxsw + MLXSW_SP1_SB_PR_CPU_SIZE, true, false), + }; + +-#define MLXSW_SP2_SB_PR_INGRESS_SIZE 38128752 +-#define MLXSW_SP2_SB_PR_EGRESS_SIZE 38128752 ++#define MLXSW_SP2_SB_PR_INGRESS_SIZE 35297568 ++#define MLXSW_SP2_SB_PR_EGRESS_SIZE 35297568 + #define MLXSW_SP2_SB_PR_CPU_SIZE (256 * 1000) + + /* Order according to mlxsw_sp2_sb_pool_dess */ diff --git a/queue-5.2/mvpp2-fix-panic-on-module-removal.patch b/queue-5.2/mvpp2-fix-panic-on-module-removal.patch new file mode 100644 index 00000000000..b644f777376 --- /dev/null +++ b/queue-5.2/mvpp2-fix-panic-on-module-removal.patch @@ -0,0 +1,112 @@ +From foo@baz Thu 08 Aug 2019 08:50:15 AM CEST +From: Matteo Croce +Date: Thu, 1 Aug 2019 14:13:30 +0200 +Subject: mvpp2: fix panic on module removal + +From: Matteo Croce + +[ Upstream commit 944a83a2669ae8aa2c7664e79376ca7468eb0a2b ] + +mvpp2 uses a delayed workqueue to gather traffic statistics. +On module removal the workqueue can be destroyed before calling +cancel_delayed_work_sync() on its works. +Fix it by moving the destroy_workqueue() call after mvpp2_port_remove(). +Also remove an unneeded call to flush_workqueue() + + # rmmod mvpp2 + [ 2743.311722] mvpp2 f4000000.ethernet eth1: phy link down 10gbase-kr/10Gbps/Full + [ 2743.320063] mvpp2 f4000000.ethernet eth1: Link is Down + [ 2743.572263] mvpp2 f4000000.ethernet eth2: phy link down sgmii/1Gbps/Full + [ 2743.580076] mvpp2 f4000000.ethernet eth2: Link is Down + [ 2744.102169] mvpp2 f2000000.ethernet eth0: phy link down 10gbase-kr/10Gbps/Full + [ 2744.110441] mvpp2 f2000000.ethernet eth0: Link is Down + [ 2744.115614] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 + [ 2744.115615] Mem abort info: + [ 2744.115616] ESR = 0x96000005 + [ 2744.115617] Exception class = DABT (current EL), IL = 32 bits + [ 2744.115618] SET = 0, FnV = 0 + [ 2744.115619] EA = 0, S1PTW = 0 + [ 2744.115620] Data abort info: + [ 2744.115621] ISV = 0, ISS = 0x00000005 + [ 2744.115622] CM = 0, WnR = 0 + [ 2744.115624] user pgtable: 4k pages, 39-bit VAs, pgdp=0000000422681000 + [ 2744.115626] [0000000000000000] pgd=0000000000000000, pud=0000000000000000 + [ 2744.115630] Internal error: Oops: 96000005 [#1] SMP + [ 2744.115632] Modules linked in: mvpp2(-) algif_hash af_alg nls_iso8859_1 nls_cp437 vfat fat xhci_plat_hcd m25p80 spi_nor xhci_hcd mtd usbcore i2c_mv64xxx sfp usb_common marvell10g phy_generic spi_orion mdio_i2c i2c_core mvmdio phylink sbsa_gwdt ip_tables x_tables autofs4 [last unloaded: mvpp2] + [ 2744.115654] CPU: 3 PID: 8357 Comm: kworker/3:2 Not tainted 5.3.0-rc2 #1 + [ 2744.115655] Hardware name: Marvell 8040 MACCHIATOBin Double-shot (DT) + [ 2744.115665] Workqueue: events_power_efficient phylink_resolve [phylink] + [ 2744.115669] pstate: a0000085 (NzCv daIf -PAN -UAO) + [ 2744.115675] pc : __queue_work+0x9c/0x4d8 + [ 2744.115677] lr : __queue_work+0x170/0x4d8 + [ 2744.115678] sp : ffffff801001bd50 + [ 2744.115680] x29: ffffff801001bd50 x28: ffffffc422597600 + [ 2744.115684] x27: ffffff80109ae6f0 x26: ffffff80108e4018 + [ 2744.115688] x25: 0000000000000003 x24: 0000000000000004 + [ 2744.115691] x23: ffffff80109ae6e0 x22: 0000000000000017 + [ 2744.115694] x21: ffffffc42c030000 x20: ffffffc42209e8f8 + [ 2744.115697] x19: 0000000000000000 x18: 0000000000000000 + [ 2744.115699] x17: 0000000000000000 x16: 0000000000000000 + [ 2744.115701] x15: 0000000000000010 x14: ffffffffffffffff + [ 2744.115702] x13: ffffff8090e2b95f x12: ffffff8010e2b967 + [ 2744.115704] x11: ffffff8010906000 x10: 0000000000000040 + [ 2744.115706] x9 : ffffff80109223b8 x8 : ffffff80109223b0 + [ 2744.115707] x7 : ffffffc42bc00068 x6 : 0000000000000000 + [ 2744.115709] x5 : ffffffc42bc00000 x4 : 0000000000000000 + [ 2744.115710] x3 : 0000000000000000 x2 : 0000000000000000 + [ 2744.115712] x1 : 0000000000000008 x0 : ffffffc42c030000 + [ 2744.115714] Call trace: + [ 2744.115716] __queue_work+0x9c/0x4d8 + [ 2744.115718] delayed_work_timer_fn+0x28/0x38 + [ 2744.115722] call_timer_fn+0x3c/0x180 + [ 2744.115723] expire_timers+0x60/0x168 + [ 2744.115724] run_timer_softirq+0xbc/0x1e8 + [ 2744.115727] __do_softirq+0x128/0x320 + [ 2744.115731] irq_exit+0xa4/0xc0 + [ 2744.115734] __handle_domain_irq+0x70/0xc0 + [ 2744.115735] gic_handle_irq+0x58/0xa8 + [ 2744.115737] el1_irq+0xb8/0x140 + [ 2744.115738] console_unlock+0x3a0/0x568 + [ 2744.115740] vprintk_emit+0x200/0x2a0 + [ 2744.115744] dev_vprintk_emit+0x1c8/0x1e4 + [ 2744.115747] dev_printk_emit+0x6c/0x7c + [ 2744.115751] __netdev_printk+0x104/0x1d8 + [ 2744.115752] netdev_printk+0x60/0x70 + [ 2744.115756] phylink_resolve+0x38c/0x3c8 [phylink] + [ 2744.115758] process_one_work+0x1f8/0x448 + [ 2744.115760] worker_thread+0x54/0x500 + [ 2744.115762] kthread+0x12c/0x130 + [ 2744.115764] ret_from_fork+0x10/0x1c + [ 2744.115768] Code: aa1403e0 97fffbbe aa0003f5 b4000700 (f9400261) + +Fixes: 118d6298f6f0 ("net: mvpp2: add ethtool GOP statistics") +Signed-off-by: Lorenzo Bianconi +Signed-off-by: Matteo Croce +Acked-by: Antoine Tenart +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c ++++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c +@@ -5609,9 +5609,6 @@ static int mvpp2_remove(struct platform_ + + mvpp2_dbgfs_cleanup(priv); + +- flush_workqueue(priv->stats_queue); +- destroy_workqueue(priv->stats_queue); +- + fwnode_for_each_available_child_node(fwnode, port_fwnode) { + if (priv->port_list[i]) { + mutex_destroy(&priv->port_list[i]->gather_stats_lock); +@@ -5620,6 +5617,8 @@ static int mvpp2_remove(struct platform_ + i++; + } + ++ destroy_workqueue(priv->stats_queue); ++ + for (i = 0; i < MVPP2_BM_POOLS_NUM; i++) { + struct mvpp2_bm_pool *bm_pool = &priv->bm_pools[i]; + diff --git a/queue-5.2/mvpp2-refactor-mtu-change-code.patch b/queue-5.2/mvpp2-refactor-mtu-change-code.patch new file mode 100644 index 00000000000..8a3b65336e6 --- /dev/null +++ b/queue-5.2/mvpp2-refactor-mtu-change-code.patch @@ -0,0 +1,85 @@ +From foo@baz Thu 08 Aug 2019 08:50:15 AM CEST +From: Matteo Croce +Date: Sun, 28 Jul 2019 02:46:45 +0200 +Subject: mvpp2: refactor MTU change code + +From: Matteo Croce + +[ Upstream commit 230bd958c2c846ee292aa38bc6b006296c24ca01 ] + +The MTU change code can call napi_disable() with the device already down, +leading to a deadlock. Also, lot of code is duplicated unnecessarily. + +Rework mvpp2_change_mtu() to avoid the deadlock and remove duplicated code. + +Fixes: 3f518509dedc ("ethernet: Add new driver for Marvell Armada 375 network unit") +Signed-off-by: Matteo Croce +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c | 41 +++++++----------------- + 1 file changed, 13 insertions(+), 28 deletions(-) + +--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c ++++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c +@@ -3609,6 +3609,7 @@ static int mvpp2_set_mac_address(struct + static int mvpp2_change_mtu(struct net_device *dev, int mtu) + { + struct mvpp2_port *port = netdev_priv(dev); ++ bool running = netif_running(dev); + int err; + + if (!IS_ALIGNED(MVPP2_RX_PKT_SIZE(mtu), 8)) { +@@ -3617,40 +3618,24 @@ static int mvpp2_change_mtu(struct net_d + mtu = ALIGN(MVPP2_RX_PKT_SIZE(mtu), 8); + } + +- if (!netif_running(dev)) { +- err = mvpp2_bm_update_mtu(dev, mtu); +- if (!err) { +- port->pkt_size = MVPP2_RX_PKT_SIZE(mtu); +- return 0; +- } ++ if (running) ++ mvpp2_stop_dev(port); + ++ err = mvpp2_bm_update_mtu(dev, mtu); ++ if (err) { ++ netdev_err(dev, "failed to change MTU\n"); + /* Reconfigure BM to the original MTU */ +- err = mvpp2_bm_update_mtu(dev, dev->mtu); +- if (err) +- goto log_error; ++ mvpp2_bm_update_mtu(dev, dev->mtu); ++ } else { ++ port->pkt_size = MVPP2_RX_PKT_SIZE(mtu); + } + +- mvpp2_stop_dev(port); +- +- err = mvpp2_bm_update_mtu(dev, mtu); +- if (!err) { +- port->pkt_size = MVPP2_RX_PKT_SIZE(mtu); +- goto out_start; ++ if (running) { ++ mvpp2_start_dev(port); ++ mvpp2_egress_enable(port); ++ mvpp2_ingress_enable(port); + } + +- /* Reconfigure BM to the original MTU */ +- err = mvpp2_bm_update_mtu(dev, dev->mtu); +- if (err) +- goto log_error; +- +-out_start: +- mvpp2_start_dev(port); +- mvpp2_egress_enable(port); +- mvpp2_ingress_enable(port); +- +- return 0; +-log_error: +- netdev_err(dev, "failed to change MTU\n"); + return err; + } + diff --git a/queue-5.2/net-bridge-delete-local-fdb-on-device-init-failure.patch b/queue-5.2/net-bridge-delete-local-fdb-on-device-init-failure.patch new file mode 100644 index 00000000000..9c1ee04b728 --- /dev/null +++ b/queue-5.2/net-bridge-delete-local-fdb-on-device-init-failure.patch @@ -0,0 +1,44 @@ +From foo@baz Thu 08 Aug 2019 08:50:15 AM CEST +From: Nikolay Aleksandrov +Date: Mon, 29 Jul 2019 12:28:41 +0300 +Subject: net: bridge: delete local fdb on device init failure + +From: Nikolay Aleksandrov + +[ Upstream commit d7bae09fa008c6c9a489580db0a5a12063b97f97 ] + +On initialization failure we have to delete the local fdb which was +inserted due to the default pvid creation. This problem has been present +since the inception of default_pvid. Note that currently there are 2 cases: +1) in br_dev_init() when br_multicast_init() fails +2) if register_netdevice() fails after calling ndo_init() + +This patch takes care of both since br_vlan_flush() is called on both +occasions. Also the new fdb delete would be a no-op on normal bridge +device destruction since the local fdb would've been already flushed by +br_dev_delete(). This is not an issue for ports since nbp_vlan_init() is +called last when adding a port thus nothing can fail after it. + +Reported-by: syzbot+88533dc8b582309bf3ee@syzkaller.appspotmail.com +Fixes: 5be5a2df40f0 ("bridge: Add filtering support for default_pvid") +Signed-off-by: Nikolay Aleksandrov +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/bridge/br_vlan.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/net/bridge/br_vlan.c ++++ b/net/bridge/br_vlan.c +@@ -715,6 +715,11 @@ void br_vlan_flush(struct net_bridge *br + + ASSERT_RTNL(); + ++ /* delete auto-added default pvid local fdb before flushing vlans ++ * otherwise it will be leaked on bridge device init failure ++ */ ++ br_fdb_delete_by_port(br, NULL, 0, 1); ++ + vg = br_vlan_group(br); + __vlan_flush(vg); + RCU_INIT_POINTER(br->vlgrp, NULL); diff --git a/queue-5.2/net-bridge-mcast-don-t-delete-permanent-entries-when-fast-leave-is-enabled.patch b/queue-5.2/net-bridge-mcast-don-t-delete-permanent-entries-when-fast-leave-is-enabled.patch new file mode 100644 index 00000000000..06ea1220497 --- /dev/null +++ b/queue-5.2/net-bridge-mcast-don-t-delete-permanent-entries-when-fast-leave-is-enabled.patch @@ -0,0 +1,58 @@ +From foo@baz Thu 08 Aug 2019 08:50:15 AM CEST +From: Nikolay Aleksandrov +Date: Tue, 30 Jul 2019 14:21:00 +0300 +Subject: net: bridge: mcast: don't delete permanent entries when fast leave is enabled + +From: Nikolay Aleksandrov + +[ Upstream commit 5c725b6b65067909548ac9ca9bc777098ec9883d ] + +When permanent entries were introduced by the commit below, they were +exempt from timing out and thus igmp leave wouldn't affect them unless +fast leave was enabled on the port which was added before permanent +entries existed. It shouldn't matter if fast leave is enabled or not +if the user added a permanent entry it shouldn't be deleted on igmp +leave. + +Before: +$ echo 1 > /sys/class/net/eth4/brport/multicast_fast_leave +$ bridge mdb add dev br0 port eth4 grp 229.1.1.1 permanent +$ bridge mdb show +dev br0 port eth4 grp 229.1.1.1 permanent + +< join and leave 229.1.1.1 on eth4 > + +$ bridge mdb show +$ + +After: +$ echo 1 > /sys/class/net/eth4/brport/multicast_fast_leave +$ bridge mdb add dev br0 port eth4 grp 229.1.1.1 permanent +$ bridge mdb show +dev br0 port eth4 grp 229.1.1.1 permanent + +< join and leave 229.1.1.1 on eth4 > + +$ bridge mdb show +dev br0 port eth4 grp 229.1.1.1 permanent + +Fixes: ccb1c31a7a87 ("bridge: add flags to distinguish permanent mdb entires") +Signed-off-by: Nikolay Aleksandrov +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/bridge/br_multicast.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/net/bridge/br_multicast.c ++++ b/net/bridge/br_multicast.c +@@ -1388,6 +1388,9 @@ br_multicast_leave_group(struct net_brid + if (!br_port_group_equal(p, port, src)) + continue; + ++ if (p->flags & MDB_PG_FLAGS_PERMANENT) ++ break; ++ + rcu_assign_pointer(*pp, p->next); + hlist_del_init(&p->mglist); + del_timer(&p->timer); diff --git a/queue-5.2/net-bridge-move-default-pvid-init-deinit-to-netdev_register-unregister.patch b/queue-5.2/net-bridge-move-default-pvid-init-deinit-to-netdev_register-unregister.patch new file mode 100644 index 00000000000..5a1ce0d7d35 --- /dev/null +++ b/queue-5.2/net-bridge-move-default-pvid-init-deinit-to-netdev_register-unregister.patch @@ -0,0 +1,187 @@ +From foo@baz Thu 08 Aug 2019 08:50:15 AM CEST +From: Nikolay Aleksandrov +Date: Fri, 2 Aug 2019 13:57:36 +0300 +Subject: net: bridge: move default pvid init/deinit to NETDEV_REGISTER/UNREGISTER + +From: Nikolay Aleksandrov + +[ Upstream commit 091adf9ba6cdb432cbcc217b47e4ffb8aa0d8865 ] + +Most of the bridge device's vlan init bugs come from the fact that its +default pvid is created at the wrong time, way too early in ndo_init() +before the device is even assigned an ifindex. It introduces a bug when the +bridge's dev_addr is added as fdb during the initial default pvid creation +the notification has ifindex/NDA_MASTER both equal to 0 (see example below) +which really makes no sense for user-space[0] and is wrong. +Usually user-space software would ignore such entries, but they are +actually valid and will eventually have all necessary attributes. +It makes much more sense to send a notification *after* the device has +registered and has a proper ifindex allocated rather than before when +there's a chance that the registration might still fail or to receive +it with ifindex/NDA_MASTER == 0. Note that we can remove the fdb flush +from br_vlan_flush() since that case can no longer happen. At +NETDEV_REGISTER br->default_pvid is always == 1 as it's initialized by +br_vlan_init() before that and at NETDEV_UNREGISTER it can be anything +depending why it was called (if called due to NETDEV_REGISTER error +it'll still be == 1, otherwise it could be any value changed during the +device life time). + +For the demonstration below a small change to iproute2 for printing all fdb +notifications is added, because it contained a workaround not to show +entries with ifindex == 0. +Command executed while monitoring: $ ip l add br0 type bridge +Before (both ifindex and master == 0): +$ bridge monitor fdb +36:7e:8a:b3:56:ba dev * vlan 1 master * permanent + +After (proper br0 ifindex): +$ bridge monitor fdb +e6:2a:ae:7a:b7:48 dev br0 vlan 1 master br0 permanent + +v4: move only the default pvid init/deinit to NETDEV_REGISTER/UNREGISTER +v3: send the correct v2 patch with all changes (stub should return 0) +v2: on error in br_vlan_init set br->vlgrp to NULL and return 0 in + the br_vlan_bridge_event stub when bridge vlans are disabled + +[0] https://bugzilla.kernel.org/show_bug.cgi?id=204389 + +Reported-by: michael-dev +Fixes: 5be5a2df40f0 ("bridge: Add filtering support for default_pvid") +Signed-off-by: Nikolay Aleksandrov +Acked-by: Roopa Prabhu +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/bridge/br.c | 5 ++++- + net/bridge/br_private.h | 9 +++++---- + net/bridge/br_vlan.c | 34 ++++++++++++++++------------------ + 3 files changed, 25 insertions(+), 23 deletions(-) + +--- a/net/bridge/br.c ++++ b/net/bridge/br.c +@@ -37,12 +37,15 @@ static int br_device_event(struct notifi + int err; + + if (dev->priv_flags & IFF_EBRIDGE) { ++ err = br_vlan_bridge_event(dev, event, ptr); ++ if (err) ++ return notifier_from_errno(err); ++ + if (event == NETDEV_REGISTER) { + /* register of bridge completed, add sysfs entries */ + br_sysfs_addbr(dev); + return NOTIFY_DONE; + } +- br_vlan_bridge_event(dev, event, ptr); + } + + /* not a port of a bridge */ +--- a/net/bridge/br_private.h ++++ b/net/bridge/br_private.h +@@ -893,8 +893,8 @@ int nbp_get_num_vlan_infos(struct net_br + void br_vlan_get_stats(const struct net_bridge_vlan *v, + struct br_vlan_stats *stats); + void br_vlan_port_event(struct net_bridge_port *p, unsigned long event); +-void br_vlan_bridge_event(struct net_device *dev, unsigned long event, +- void *ptr); ++int br_vlan_bridge_event(struct net_device *dev, unsigned long event, ++ void *ptr); + + static inline struct net_bridge_vlan_group *br_vlan_group( + const struct net_bridge *br) +@@ -1084,9 +1084,10 @@ static inline void br_vlan_port_event(st + { + } + +-static inline void br_vlan_bridge_event(struct net_device *dev, +- unsigned long event, void *ptr) ++static inline int br_vlan_bridge_event(struct net_device *dev, ++ unsigned long event, void *ptr) + { ++ return 0; + } + #endif + +--- a/net/bridge/br_vlan.c ++++ b/net/bridge/br_vlan.c +@@ -715,11 +715,6 @@ void br_vlan_flush(struct net_bridge *br + + ASSERT_RTNL(); + +- /* delete auto-added default pvid local fdb before flushing vlans +- * otherwise it will be leaked on bridge device init failure +- */ +- br_fdb_delete_by_port(br, NULL, 0, 1); +- + vg = br_vlan_group(br); + __vlan_flush(vg); + RCU_INIT_POINTER(br->vlgrp, NULL); +@@ -1048,7 +1043,6 @@ int br_vlan_init(struct net_bridge *br) + { + struct net_bridge_vlan_group *vg; + int ret = -ENOMEM; +- bool changed; + + vg = kzalloc(sizeof(*vg), GFP_KERNEL); + if (!vg) +@@ -1063,17 +1057,10 @@ int br_vlan_init(struct net_bridge *br) + br->vlan_proto = htons(ETH_P_8021Q); + br->default_pvid = 1; + rcu_assign_pointer(br->vlgrp, vg); +- ret = br_vlan_add(br, 1, +- BRIDGE_VLAN_INFO_PVID | BRIDGE_VLAN_INFO_UNTAGGED | +- BRIDGE_VLAN_INFO_BRENTRY, &changed, NULL); +- if (ret) +- goto err_vlan_add; + + out: + return ret; + +-err_vlan_add: +- vlan_tunnel_deinit(vg); + err_tunnel_init: + rhashtable_destroy(&vg->vlan_hash); + err_rhtbl: +@@ -1448,13 +1435,23 @@ static void nbp_vlan_set_vlan_dev_state( + } + + /* Must be protected by RTNL. */ +-void br_vlan_bridge_event(struct net_device *dev, unsigned long event, +- void *ptr) ++int br_vlan_bridge_event(struct net_device *dev, unsigned long event, void *ptr) + { + struct netdev_notifier_changeupper_info *info; +- struct net_bridge *br; ++ struct net_bridge *br = netdev_priv(dev); ++ bool changed; ++ int ret = 0; + + switch (event) { ++ case NETDEV_REGISTER: ++ ret = br_vlan_add(br, br->default_pvid, ++ BRIDGE_VLAN_INFO_PVID | ++ BRIDGE_VLAN_INFO_UNTAGGED | ++ BRIDGE_VLAN_INFO_BRENTRY, &changed, NULL); ++ break; ++ case NETDEV_UNREGISTER: ++ br_vlan_delete(br, br->default_pvid); ++ break; + case NETDEV_CHANGEUPPER: + info = ptr; + br_vlan_upper_change(dev, info->upper_dev, info->linking); +@@ -1462,12 +1459,13 @@ void br_vlan_bridge_event(struct net_dev + + case NETDEV_CHANGE: + case NETDEV_UP: +- br = netdev_priv(dev); + if (!br_opt_get(br, BROPT_VLAN_BRIDGE_BINDING)) +- return; ++ break; + br_vlan_link_state_change(dev, br); + break; + } ++ ++ return ret; + } + + /* Must be protected by RTNL. */ diff --git a/queue-5.2/net-fix-bpf_xdp_adjust_head-regression-for-generic-xdp.patch b/queue-5.2/net-fix-bpf_xdp_adjust_head-regression-for-generic-xdp.patch new file mode 100644 index 00000000000..1f12279c0dc --- /dev/null +++ b/queue-5.2/net-fix-bpf_xdp_adjust_head-regression-for-generic-xdp.patch @@ -0,0 +1,52 @@ +From foo@baz Thu 08 Aug 2019 08:50:15 AM CEST +From: Jesper Dangaard Brouer +Date: Thu, 1 Aug 2019 20:00:31 +0200 +Subject: net: fix bpf_xdp_adjust_head regression for generic-XDP + +From: Jesper Dangaard Brouer + +[ Upstream commit 065af355470519bd184019a93ac579f22b036045 ] + +When generic-XDP was moved to a later processing step by commit +458bf2f224f0 ("net: core: support XDP generic on stacked devices.") +a regression was introduced when using bpf_xdp_adjust_head. + +The issue is that after this commit the skb->network_header is now +changed prior to calling generic XDP and not after. Thus, if the header +is changed by XDP (via bpf_xdp_adjust_head), then skb->network_header +also need to be updated again. Fix by calling skb_reset_network_header(). + +Fixes: 458bf2f224f0 ("net: core: support XDP generic on stacked devices.") +Reported-by: Brandon Cazander +Signed-off-by: Jesper Dangaard Brouer +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/core/dev.c | 15 ++++++++++----- + 1 file changed, 10 insertions(+), 5 deletions(-) + +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -4382,12 +4382,17 @@ static u32 netif_receive_generic_xdp(str + + act = bpf_prog_run_xdp(xdp_prog, xdp); + ++ /* check if bpf_xdp_adjust_head was used */ + off = xdp->data - orig_data; +- if (off > 0) +- __skb_pull(skb, off); +- else if (off < 0) +- __skb_push(skb, -off); +- skb->mac_header += off; ++ if (off) { ++ if (off > 0) ++ __skb_pull(skb, off); ++ else if (off < 0) ++ __skb_push(skb, -off); ++ ++ skb->mac_header += off; ++ skb_reset_network_header(skb); ++ } + + /* check if bpf_xdp_adjust_tail was used. it can only "shrink" + * pckt. diff --git a/queue-5.2/net-fix-ifindex-collision-during-namespace-removal.patch b/queue-5.2/net-fix-ifindex-collision-during-namespace-removal.patch new file mode 100644 index 00000000000..94fbfe04bca --- /dev/null +++ b/queue-5.2/net-fix-ifindex-collision-during-namespace-removal.patch @@ -0,0 +1,132 @@ +From foo@baz Thu 08 Aug 2019 08:50:15 AM CEST +From: Jiri Pirko +Date: Sun, 28 Jul 2019 14:56:36 +0200 +Subject: net: fix ifindex collision during namespace removal + +From: Jiri Pirko + +[ Upstream commit 55b40dbf0e76b4bfb9d8b3a16a0208640a9a45df ] + +Commit aca51397d014 ("netns: Fix arbitrary net_device-s corruptions +on net_ns stop.") introduced a possibility to hit a BUG in case device +is returning back to init_net and two following conditions are met: +1) dev->ifindex value is used in a name of another "dev%d" + device in init_net. +2) dev->name is used by another device in init_net. + +Under real life circumstances this is hard to get. Therefore this has +been present happily for over 10 years. To reproduce: + +$ ip a +1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 + link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 + inet 127.0.0.1/8 scope host lo + valid_lft forever preferred_lft forever + inet6 ::1/128 scope host + valid_lft forever preferred_lft forever +2: dummy0: mtu 1500 qdisc noop state DOWN group default qlen 1000 + link/ether 86:89:3f:86:61:29 brd ff:ff:ff:ff:ff:ff +3: enp0s2: mtu 1500 qdisc noop state DOWN group default qlen 1000 + link/ether 52:54:00:12:34:56 brd ff:ff:ff:ff:ff:ff +$ ip netns add ns1 +$ ip -n ns1 link add dummy1ns1 type dummy +$ ip -n ns1 link add dummy2ns1 type dummy +$ ip link set enp0s2 netns ns1 +$ ip -n ns1 link set enp0s2 name dummy0 +[ 100.858894] virtio_net virtio0 dummy0: renamed from enp0s2 +$ ip link add dev4 type dummy +$ ip -n ns1 a +1: lo: mtu 65536 qdisc noop state DOWN group default qlen 1000 + link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 +2: dummy1ns1: mtu 1500 qdisc noop state DOWN group default qlen 1000 + link/ether 16:63:4c:38:3e:ff brd ff:ff:ff:ff:ff:ff +3: dummy2ns1: mtu 1500 qdisc noop state DOWN group default qlen 1000 + link/ether aa:9e:86:dd:6b:5d brd ff:ff:ff:ff:ff:ff +4: dummy0: mtu 1500 qdisc noop state DOWN group default qlen 1000 + link/ether 52:54:00:12:34:56 brd ff:ff:ff:ff:ff:ff +$ ip a +1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 + link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 + inet 127.0.0.1/8 scope host lo + valid_lft forever preferred_lft forever + inet6 ::1/128 scope host + valid_lft forever preferred_lft forever +2: dummy0: mtu 1500 qdisc noop state DOWN group default qlen 1000 + link/ether 86:89:3f:86:61:29 brd ff:ff:ff:ff:ff:ff +4: dev4: mtu 1500 qdisc noop state DOWN group default qlen 1000 + link/ether 5a:e1:4a:b6:ec:f8 brd ff:ff:ff:ff:ff:ff +$ ip netns del ns1 +[ 158.717795] default_device_exit: failed to move dummy0 to init_net: -17 +[ 158.719316] ------------[ cut here ]------------ +[ 158.720591] kernel BUG at net/core/dev.c:9824! +[ 158.722260] invalid opcode: 0000 [#1] SMP KASAN PTI +[ 158.723728] CPU: 0 PID: 56 Comm: kworker/u2:1 Not tainted 5.3.0-rc1+ #18 +[ 158.725422] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-2.fc30 04/01/2014 +[ 158.727508] Workqueue: netns cleanup_net +[ 158.728915] RIP: 0010:default_device_exit.cold+0x1d/0x1f +[ 158.730683] Code: 84 e8 18 c9 3e fe 0f 0b e9 70 90 ff ff e8 36 e4 52 fe 89 d9 4c 89 e2 48 c7 c6 80 d6 25 84 48 c7 c7 20 c0 25 84 e8 f4 c8 3e +[ 158.736854] RSP: 0018:ffff8880347e7b90 EFLAGS: 00010282 +[ 158.738752] RAX: 000000000000003b RBX: 00000000ffffffef RCX: 0000000000000000 +[ 158.741369] RDX: 0000000000000000 RSI: ffffffff8128013d RDI: ffffed10068fcf64 +[ 158.743418] RBP: ffff888033550170 R08: 000000000000003b R09: fffffbfff0b94b9c +[ 158.745626] R10: fffffbfff0b94b9b R11: ffffffff85ca5cdf R12: ffff888032f28000 +[ 158.748405] R13: dffffc0000000000 R14: ffff8880335501b8 R15: 1ffff110068fcf72 +[ 158.750638] FS: 0000000000000000(0000) GS:ffff888036000000(0000) knlGS:0000000000000000 +[ 158.752944] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 158.755245] CR2: 00007fe8b45d21d0 CR3: 00000000340b4005 CR4: 0000000000360ef0 +[ 158.757654] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[ 158.760012] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +[ 158.762758] Call Trace: +[ 158.763882] ? dev_change_net_namespace+0xbb0/0xbb0 +[ 158.766148] ? devlink_nl_cmd_set_doit+0x520/0x520 +[ 158.768034] ? dev_change_net_namespace+0xbb0/0xbb0 +[ 158.769870] ops_exit_list.isra.0+0xa8/0x150 +[ 158.771544] cleanup_net+0x446/0x8f0 +[ 158.772945] ? unregister_pernet_operations+0x4a0/0x4a0 +[ 158.775294] process_one_work+0xa1a/0x1740 +[ 158.776896] ? pwq_dec_nr_in_flight+0x310/0x310 +[ 158.779143] ? do_raw_spin_lock+0x11b/0x280 +[ 158.780848] worker_thread+0x9e/0x1060 +[ 158.782500] ? process_one_work+0x1740/0x1740 +[ 158.784454] kthread+0x31b/0x420 +[ 158.786082] ? __kthread_create_on_node+0x3f0/0x3f0 +[ 158.788286] ret_from_fork+0x3a/0x50 +[ 158.789871] ---[ end trace defd6c657c71f936 ]--- +[ 158.792273] RIP: 0010:default_device_exit.cold+0x1d/0x1f +[ 158.795478] Code: 84 e8 18 c9 3e fe 0f 0b e9 70 90 ff ff e8 36 e4 52 fe 89 d9 4c 89 e2 48 c7 c6 80 d6 25 84 48 c7 c7 20 c0 25 84 e8 f4 c8 3e +[ 158.804854] RSP: 0018:ffff8880347e7b90 EFLAGS: 00010282 +[ 158.807865] RAX: 000000000000003b RBX: 00000000ffffffef RCX: 0000000000000000 +[ 158.811794] RDX: 0000000000000000 RSI: ffffffff8128013d RDI: ffffed10068fcf64 +[ 158.816652] RBP: ffff888033550170 R08: 000000000000003b R09: fffffbfff0b94b9c +[ 158.820930] R10: fffffbfff0b94b9b R11: ffffffff85ca5cdf R12: ffff888032f28000 +[ 158.825113] R13: dffffc0000000000 R14: ffff8880335501b8 R15: 1ffff110068fcf72 +[ 158.829899] FS: 0000000000000000(0000) GS:ffff888036000000(0000) knlGS:0000000000000000 +[ 158.834923] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 158.838164] CR2: 00007fe8b45d21d0 CR3: 00000000340b4005 CR4: 0000000000360ef0 +[ 158.841917] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[ 158.845149] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + +Fix this by checking if a device with the same name exists in init_net +and fallback to original code - dev%d to allocate name - in case it does. + +This was found using syzkaller. + +Fixes: aca51397d014 ("netns: Fix arbitrary net_device-s corruptions on net_ns stop.") +Signed-off-by: Jiri Pirko +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/core/dev.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -9711,6 +9711,8 @@ static void __net_exit default_device_ex + + /* Push remaining network devices to init_net */ + snprintf(fb_name, IFNAMSIZ, "dev%d", dev->ifindex); ++ if (__dev_get_by_name(&init_net, fb_name)) ++ snprintf(fb_name, IFNAMSIZ, "dev%%d"); + err = dev_change_net_namespace(dev, &init_net, fb_name); + if (err) { + pr_emerg("%s: failed to move %s to init_net: %d\n", diff --git a/queue-5.2/net-mlx5-add-missing-rdma_rx-capabilities.patch b/queue-5.2/net-mlx5-add-missing-rdma_rx-capabilities.patch new file mode 100644 index 00000000000..8837e2ffeb0 --- /dev/null +++ b/queue-5.2/net-mlx5-add-missing-rdma_rx-capabilities.patch @@ -0,0 +1,46 @@ +From foo@baz Thu 08 Aug 2019 08:50:15 AM CEST +From: Maor Gottlieb +Date: Sun, 14 Jul 2019 11:33:07 +0300 +Subject: net/mlx5: Add missing RDMA_RX capabilities + +From: Maor Gottlieb + +[ Upstream commit 987f6c69dd923069d443f6a37225f5b1630a30f2 ] + +New flow table type RDMA_RX was added but the MLX5_CAP_FLOW_TABLE_TYPE +didn't handle this new flow table type. +This means that MLX5_CAP_FLOW_TABLE_TYPE returns an empty capability to +this flow table type. + +Update both the macro and the maximum supported flow table type to +RDMA_RX. + +Fixes: d83eb50e29de ("net/mlx5: Add support in RDMA RX steering") +Signed-off-by: Maor Gottlieb +Signed-off-by: Saeed Mahameed +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlx5/core/fs_core.h | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/mellanox/mlx5/core/fs_core.h ++++ b/drivers/net/ethernet/mellanox/mlx5/core/fs_core.h +@@ -68,7 +68,7 @@ enum fs_flow_table_type { + FS_FT_SNIFFER_RX = 0X5, + FS_FT_SNIFFER_TX = 0X6, + FS_FT_RDMA_RX = 0X7, +- FS_FT_MAX_TYPE = FS_FT_SNIFFER_TX, ++ FS_FT_MAX_TYPE = FS_FT_RDMA_RX, + }; + + enum fs_flow_table_op_mod { +@@ -274,7 +274,8 @@ void mlx5_cleanup_fs(struct mlx5_core_de + (type == FS_FT_FDB) ? MLX5_CAP_ESW_FLOWTABLE_FDB(mdev, cap) : \ + (type == FS_FT_SNIFFER_RX) ? MLX5_CAP_FLOWTABLE_SNIFFER_RX(mdev, cap) : \ + (type == FS_FT_SNIFFER_TX) ? MLX5_CAP_FLOWTABLE_SNIFFER_TX(mdev, cap) : \ +- (BUILD_BUG_ON_ZERO(FS_FT_SNIFFER_TX != FS_FT_MAX_TYPE))\ ++ (type == FS_FT_RDMA_RX) ? MLX5_CAP_FLOWTABLE_RDMA_RX(mdev, cap) : \ ++ (BUILD_BUG_ON_ZERO(FS_FT_RDMA_RX != FS_FT_MAX_TYPE))\ + ) + + #endif diff --git a/queue-5.2/net-mlx5-fix-modify_cq_in-alignment.patch b/queue-5.2/net-mlx5-fix-modify_cq_in-alignment.patch new file mode 100644 index 00000000000..c4480cbf287 --- /dev/null +++ b/queue-5.2/net-mlx5-fix-modify_cq_in-alignment.patch @@ -0,0 +1,40 @@ +From foo@baz Thu 08 Aug 2019 08:50:15 AM CEST +From: Edward Srouji +Date: Tue, 23 Jul 2019 10:12:55 +0300 +Subject: net/mlx5: Fix modify_cq_in alignment + +From: Edward Srouji + +[ Upstream commit 7a32f2962c56d9d8a836b4469855caeee8766bd4 ] + +Fix modify_cq_in alignment to match the device specification. +After this fix the 'cq_umem_valid' field will be in the right offset. + +Cc: # 4.19 +Fixes: bd37197554eb ("net/mlx5: Update mlx5_ifc with DEVX UID bits") +Signed-off-by: Edward Srouji +Reviewed-by: Yishai Hadas +Signed-off-by: Leon Romanovsky +Signed-off-by: Saeed Mahameed +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/mlx5/mlx5_ifc.h | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/include/linux/mlx5/mlx5_ifc.h ++++ b/include/linux/mlx5/mlx5_ifc.h +@@ -5865,10 +5865,12 @@ struct mlx5_ifc_modify_cq_in_bits { + + struct mlx5_ifc_cqc_bits cq_context; + +- u8 reserved_at_280[0x40]; ++ u8 reserved_at_280[0x60]; + + u8 cq_umem_valid[0x1]; +- u8 reserved_at_2c1[0x5bf]; ++ u8 reserved_at_2e1[0x1f]; ++ ++ u8 reserved_at_300[0x580]; + + u8 pas[0][0x40]; + }; diff --git a/queue-5.2/net-mlx5-use-reversed-order-when-unregister-devices.patch b/queue-5.2/net-mlx5-use-reversed-order-when-unregister-devices.patch new file mode 100644 index 00000000000..dc1c6030edb --- /dev/null +++ b/queue-5.2/net-mlx5-use-reversed-order-when-unregister-devices.patch @@ -0,0 +1,43 @@ +From foo@baz Thu 08 Aug 2019 08:50:15 AM CEST +From: Mark Zhang +Date: Tue, 9 Jul 2019 05:37:12 +0300 +Subject: net/mlx5: Use reversed order when unregister devices + +From: Mark Zhang + +[ Upstream commit 08aa5e7da6bce1a1963f63cf32c2e7ad434ad578 ] + +When lag is active, which is controlled by the bonded mlx5e netdev, mlx5 +interface unregestering must happen in the reverse order where rdma is +unregistered (unloaded) first, to guarantee all references to the lag +context in hardware is removed, then remove mlx5e netdev interface which +will cleanup the lag context from hardware. + +Without this fix during destroy of LAG interface, we observed following +errors: + * mlx5_cmd_check:752:(pid 12556): DESTROY_LAG(0x843) op_mod(0x0) failed, + status bad parameter(0x3), syndrome (0xe4ac33) + * mlx5_cmd_check:752:(pid 12556): DESTROY_LAG(0x843) op_mod(0x0) failed, + status bad parameter(0x3), syndrome (0xa5aee8). + +Fixes: a31208b1e11d ("net/mlx5_core: New init and exit flow for mlx5_core") +Reviewed-by: Parav Pandit +Reviewed-by: Leon Romanovsky +Signed-off-by: Mark Zhang +Signed-off-by: Saeed Mahameed +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlx5/core/dev.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/mellanox/mlx5/core/dev.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/dev.c +@@ -213,7 +213,7 @@ void mlx5_unregister_device(struct mlx5_ + struct mlx5_interface *intf; + + mutex_lock(&mlx5_intf_mutex); +- list_for_each_entry(intf, &intf_list, list) ++ list_for_each_entry_reverse(intf, &intf_list, list) + mlx5_remove_device(intf, priv); + list_del(&priv->dev_list); + mutex_unlock(&mlx5_intf_mutex); diff --git a/queue-5.2/net-mlx5e-always-initialize-frag-last_in_page.patch b/queue-5.2/net-mlx5e-always-initialize-frag-last_in_page.patch new file mode 100644 index 00000000000..df7ad04f831 --- /dev/null +++ b/queue-5.2/net-mlx5e-always-initialize-frag-last_in_page.patch @@ -0,0 +1,78 @@ +From foo@baz Thu 08 Aug 2019 08:50:15 AM CEST +From: Qian Cai +Date: Thu, 1 Aug 2019 09:52:54 -0400 +Subject: net/mlx5e: always initialize frag->last_in_page + +From: Qian Cai + +[ Upstream commit 60d60c8fbd8d1acf25b041ecd72ae4fa16e9405b ] + +The commit 069d11465a80 ("net/mlx5e: RX, Enhance legacy Receive Queue +memory scheme") introduced an undefined behaviour below due to +"frag->last_in_page" is only initialized in mlx5e_init_frags_partition() +when, + +if (next_frag.offset + frag_info[f].frag_stride > PAGE_SIZE) + +or after bailed out the loop, + +for (i = 0; i < mlx5_wq_cyc_get_size(&rq->wqe.wq); i++) + +As the result, there could be some "frag" have uninitialized +value of "last_in_page". + +Later, get_frag() obtains those "frag" and check "frag->last_in_page" in +mlx5e_put_rx_frag() and triggers the error during boot. Fix it by always +initializing "frag->last_in_page" to "false" in +mlx5e_init_frags_partition(). + +UBSAN: Undefined behaviour in +drivers/net/ethernet/mellanox/mlx5/core/en_rx.c:325:12 +load of value 170 is not a valid value for type 'bool' (aka '_Bool') +Call trace: + dump_backtrace+0x0/0x264 + show_stack+0x20/0x2c + dump_stack+0xb0/0x104 + __ubsan_handle_load_invalid_value+0x104/0x128 + mlx5e_handle_rx_cqe+0x8e8/0x12cc [mlx5_core] + mlx5e_poll_rx_cq+0xca8/0x1a94 [mlx5_core] + mlx5e_napi_poll+0x17c/0xa30 [mlx5_core] + net_rx_action+0x248/0x940 + __do_softirq+0x350/0x7b8 + irq_exit+0x200/0x26c + __handle_domain_irq+0xc8/0x128 + gic_handle_irq+0x138/0x228 + el1_irq+0xb8/0x140 + arch_cpu_idle+0x1a4/0x348 + do_idle+0x114/0x1b0 + cpu_startup_entry+0x24/0x28 + rest_init+0x1ac/0x1dc + arch_call_rest_init+0x10/0x18 + start_kernel+0x4d4/0x57c + +Fixes: 069d11465a80 ("net/mlx5e: RX, Enhance legacy Receive Queue memory scheme") +Signed-off-by: Qian Cai +Reviewed-by: Tariq Toukan +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +@@ -340,12 +340,11 @@ static inline u64 mlx5e_get_mpwqe_offset + + static void mlx5e_init_frags_partition(struct mlx5e_rq *rq) + { +- struct mlx5e_wqe_frag_info next_frag, *prev; ++ struct mlx5e_wqe_frag_info next_frag = {}; ++ struct mlx5e_wqe_frag_info *prev = NULL; + int i; + + next_frag.di = &rq->wqe.di[0]; +- next_frag.offset = 0; +- prev = NULL; + + for (i = 0; i < mlx5_wq_cyc_get_size(&rq->wqe.wq); i++) { + struct mlx5e_rq_frag_info *frag_info = &rq->wqe.info.arr[0]; diff --git a/queue-5.2/net-mlx5e-fix-matching-of-speed-to-prm-link-modes.patch b/queue-5.2/net-mlx5e-fix-matching-of-speed-to-prm-link-modes.patch new file mode 100644 index 00000000000..99e68ce9c9d --- /dev/null +++ b/queue-5.2/net-mlx5e-fix-matching-of-speed-to-prm-link-modes.patch @@ -0,0 +1,284 @@ +From foo@baz Thu 08 Aug 2019 08:50:15 AM CEST +From: Aya Levin +Date: Sun, 16 Jun 2019 13:20:29 +0300 +Subject: net/mlx5e: Fix matching of speed to PRM link modes + +From: Aya Levin + +[ Upstream commit 4b95840a6ced0634082f6d962ba9aa0ce797f12f ] + +Speed translation is performed based on legacy or extended PTYS +register. Translate speed with respect to: +1) Capability bit of extended PTYS table. +2) User request: + a) When auto-negotiation is turned on, inspect advertisement whether it + contains extended link modes. + b) When auto-negotiation is turned off, speed > 100Gbps (maximal + speed supported in legacy mode). +With both conditions fulfilled translation is done with extended PTYS +table otherwise use legacy PTYS table. +Without this patch 25/50/100 Gbps speed cannot be set, since try to +configure in extended mode but read from legacy mode. + +Fixes: dd1b9e09c12b ("net/mlx5: ethtool, Allow legacy link-modes configuration via non-extended ptys") +Signed-off-by: Aya Levin +Signed-off-by: Saeed Mahameed +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlx5/core/en/port.c | 27 +++++-- + drivers/net/ethernet/mellanox/mlx5/core/en/port.h | 6 + + drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c | 67 +++++++++++++------ + 3 files changed, 68 insertions(+), 32 deletions(-) + +--- a/drivers/net/ethernet/mellanox/mlx5/core/en/port.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/port.c +@@ -78,9 +78,10 @@ static const u32 mlx5e_ext_link_speed[ML + }; + + static void mlx5e_port_get_speed_arr(struct mlx5_core_dev *mdev, +- const u32 **arr, u32 *size) ++ const u32 **arr, u32 *size, ++ bool force_legacy) + { +- bool ext = MLX5_CAP_PCAM_FEATURE(mdev, ptys_extended_ethernet); ++ bool ext = force_legacy ? false : MLX5_CAP_PCAM_FEATURE(mdev, ptys_extended_ethernet); + + *size = ext ? ARRAY_SIZE(mlx5e_ext_link_speed) : + ARRAY_SIZE(mlx5e_link_speed); +@@ -152,7 +153,8 @@ int mlx5_port_set_eth_ptys(struct mlx5_c + sizeof(out), MLX5_REG_PTYS, 0, 1); + } + +-u32 mlx5e_port_ptys2speed(struct mlx5_core_dev *mdev, u32 eth_proto_oper) ++u32 mlx5e_port_ptys2speed(struct mlx5_core_dev *mdev, u32 eth_proto_oper, ++ bool force_legacy) + { + unsigned long temp = eth_proto_oper; + const u32 *table; +@@ -160,7 +162,7 @@ u32 mlx5e_port_ptys2speed(struct mlx5_co + u32 max_size; + int i; + +- mlx5e_port_get_speed_arr(mdev, &table, &max_size); ++ mlx5e_port_get_speed_arr(mdev, &table, &max_size, force_legacy); + i = find_first_bit(&temp, max_size); + if (i < max_size) + speed = table[i]; +@@ -170,6 +172,7 @@ u32 mlx5e_port_ptys2speed(struct mlx5_co + int mlx5e_port_linkspeed(struct mlx5_core_dev *mdev, u32 *speed) + { + struct mlx5e_port_eth_proto eproto; ++ bool force_legacy = false; + bool ext; + int err; + +@@ -177,8 +180,13 @@ int mlx5e_port_linkspeed(struct mlx5_cor + err = mlx5_port_query_eth_proto(mdev, 1, ext, &eproto); + if (err) + goto out; +- +- *speed = mlx5e_port_ptys2speed(mdev, eproto.oper); ++ if (ext && !eproto.admin) { ++ force_legacy = true; ++ err = mlx5_port_query_eth_proto(mdev, 1, false, &eproto); ++ if (err) ++ goto out; ++ } ++ *speed = mlx5e_port_ptys2speed(mdev, eproto.oper, force_legacy); + if (!(*speed)) + err = -EINVAL; + +@@ -201,7 +209,7 @@ int mlx5e_port_max_linkspeed(struct mlx5 + if (err) + return err; + +- mlx5e_port_get_speed_arr(mdev, &table, &max_size); ++ mlx5e_port_get_speed_arr(mdev, &table, &max_size, false); + for (i = 0; i < max_size; ++i) + if (eproto.cap & MLX5E_PROT_MASK(i)) + max_speed = max(max_speed, table[i]); +@@ -210,14 +218,15 @@ int mlx5e_port_max_linkspeed(struct mlx5 + return 0; + } + +-u32 mlx5e_port_speed2linkmodes(struct mlx5_core_dev *mdev, u32 speed) ++u32 mlx5e_port_speed2linkmodes(struct mlx5_core_dev *mdev, u32 speed, ++ bool force_legacy) + { + u32 link_modes = 0; + const u32 *table; + u32 max_size; + int i; + +- mlx5e_port_get_speed_arr(mdev, &table, &max_size); ++ mlx5e_port_get_speed_arr(mdev, &table, &max_size, force_legacy); + for (i = 0; i < max_size; ++i) { + if (table[i] == speed) + link_modes |= MLX5E_PROT_MASK(i); +--- a/drivers/net/ethernet/mellanox/mlx5/core/en/port.h ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/port.h +@@ -48,10 +48,12 @@ void mlx5_port_query_eth_autoneg(struct + u8 *an_disable_cap, u8 *an_disable_admin); + int mlx5_port_set_eth_ptys(struct mlx5_core_dev *dev, bool an_disable, + u32 proto_admin, bool ext); +-u32 mlx5e_port_ptys2speed(struct mlx5_core_dev *mdev, u32 eth_proto_oper); ++u32 mlx5e_port_ptys2speed(struct mlx5_core_dev *mdev, u32 eth_proto_oper, ++ bool force_legacy); + int mlx5e_port_linkspeed(struct mlx5_core_dev *mdev, u32 *speed); + int mlx5e_port_max_linkspeed(struct mlx5_core_dev *mdev, u32 *speed); +-u32 mlx5e_port_speed2linkmodes(struct mlx5_core_dev *mdev, u32 speed); ++u32 mlx5e_port_speed2linkmodes(struct mlx5_core_dev *mdev, u32 speed, ++ bool force_legacy); + + int mlx5e_port_query_pbmc(struct mlx5_core_dev *mdev, void *out); + int mlx5e_port_set_pbmc(struct mlx5_core_dev *mdev, void *in); +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c +@@ -764,7 +764,7 @@ static void ptys2ethtool_supported_adver + } + + static void get_speed_duplex(struct net_device *netdev, +- u32 eth_proto_oper, ++ u32 eth_proto_oper, bool force_legacy, + struct ethtool_link_ksettings *link_ksettings) + { + struct mlx5e_priv *priv = netdev_priv(netdev); +@@ -774,7 +774,7 @@ static void get_speed_duplex(struct net_ + if (!netif_carrier_ok(netdev)) + goto out; + +- speed = mlx5e_port_ptys2speed(priv->mdev, eth_proto_oper); ++ speed = mlx5e_port_ptys2speed(priv->mdev, eth_proto_oper, force_legacy); + if (!speed) { + speed = SPEED_UNKNOWN; + goto out; +@@ -893,8 +893,8 @@ int mlx5e_ethtool_get_link_ksettings(str + /* Fields: eth_proto_admin and ext_eth_proto_admin are + * mutually exclusive. Hence try reading legacy advertising + * when extended advertising is zero. +- * admin_ext indicates how eth_proto_admin should be +- * interpreted ++ * admin_ext indicates which proto_admin (ext vs. legacy) ++ * should be read and interpreted + */ + admin_ext = ext; + if (ext && !eth_proto_admin) { +@@ -903,7 +903,7 @@ int mlx5e_ethtool_get_link_ksettings(str + admin_ext = false; + } + +- eth_proto_oper = MLX5_GET_ETH_PROTO(ptys_reg, out, ext, ++ eth_proto_oper = MLX5_GET_ETH_PROTO(ptys_reg, out, admin_ext, + eth_proto_oper); + eth_proto_lp = MLX5_GET(ptys_reg, out, eth_proto_lp_advertise); + an_disable_admin = MLX5_GET(ptys_reg, out, an_disable_admin); +@@ -918,7 +918,8 @@ int mlx5e_ethtool_get_link_ksettings(str + get_supported(mdev, eth_proto_cap, link_ksettings); + get_advertising(eth_proto_admin, tx_pause, rx_pause, link_ksettings, + admin_ext); +- get_speed_duplex(priv->netdev, eth_proto_oper, link_ksettings); ++ get_speed_duplex(priv->netdev, eth_proto_oper, !admin_ext, ++ link_ksettings); + + eth_proto_oper = eth_proto_oper ? eth_proto_oper : eth_proto_cap; + +@@ -995,45 +996,69 @@ static u32 mlx5e_ethtool2ptys_ext_adver_ + return ptys_modes; + } + ++static bool ext_link_mode_requested(const unsigned long *adver) ++{ ++#define MLX5E_MIN_PTYS_EXT_LINK_MODE_BIT ETHTOOL_LINK_MODE_50000baseKR_Full_BIT ++ int size = __ETHTOOL_LINK_MODE_MASK_NBITS - MLX5E_MIN_PTYS_EXT_LINK_MODE_BIT; ++ __ETHTOOL_DECLARE_LINK_MODE_MASK(modes); ++ ++ bitmap_set(modes, MLX5E_MIN_PTYS_EXT_LINK_MODE_BIT, size); ++ return bitmap_intersects(modes, adver, __ETHTOOL_LINK_MODE_MASK_NBITS); ++} ++ ++static bool ext_speed_requested(u32 speed) ++{ ++#define MLX5E_MAX_PTYS_LEGACY_SPEED 100000 ++ return !!(speed > MLX5E_MAX_PTYS_LEGACY_SPEED); ++} ++ ++static bool ext_requested(u8 autoneg, const unsigned long *adver, u32 speed) ++{ ++ bool ext_link_mode = ext_link_mode_requested(adver); ++ bool ext_speed = ext_speed_requested(speed); ++ ++ return autoneg == AUTONEG_ENABLE ? ext_link_mode : ext_speed; ++} ++ + int mlx5e_ethtool_set_link_ksettings(struct mlx5e_priv *priv, + const struct ethtool_link_ksettings *link_ksettings) + { + struct mlx5_core_dev *mdev = priv->mdev; + struct mlx5e_port_eth_proto eproto; ++ const unsigned long *adver; + bool an_changes = false; + u8 an_disable_admin; + bool ext_supported; +- bool ext_requested; + u8 an_disable_cap; + bool an_disable; + u32 link_modes; + u8 an_status; ++ u8 autoneg; + u32 speed; ++ bool ext; + int err; + + u32 (*ethtool2ptys_adver_func)(const unsigned long *adver); + +-#define MLX5E_PTYS_EXT ((1ULL << ETHTOOL_LINK_MODE_50000baseKR_Full_BIT) - 1) ++ adver = link_ksettings->link_modes.advertising; ++ autoneg = link_ksettings->base.autoneg; ++ speed = link_ksettings->base.speed; + +- ext_requested = !!(link_ksettings->link_modes.advertising[0] > +- MLX5E_PTYS_EXT || +- link_ksettings->link_modes.advertising[1]); ++ ext = ext_requested(autoneg, adver, speed), + ext_supported = MLX5_CAP_PCAM_FEATURE(mdev, ptys_extended_ethernet); +- ext_requested &= ext_supported; ++ if (!ext_supported && ext) ++ return -EOPNOTSUPP; + +- speed = link_ksettings->base.speed; +- ethtool2ptys_adver_func = ext_requested ? +- mlx5e_ethtool2ptys_ext_adver_link : ++ ethtool2ptys_adver_func = ext ? mlx5e_ethtool2ptys_ext_adver_link : + mlx5e_ethtool2ptys_adver_link; +- err = mlx5_port_query_eth_proto(mdev, 1, ext_requested, &eproto); ++ err = mlx5_port_query_eth_proto(mdev, 1, ext, &eproto); + if (err) { + netdev_err(priv->netdev, "%s: query port eth proto failed: %d\n", + __func__, err); + goto out; + } +- link_modes = link_ksettings->base.autoneg == AUTONEG_ENABLE ? +- ethtool2ptys_adver_func(link_ksettings->link_modes.advertising) : +- mlx5e_port_speed2linkmodes(mdev, speed); ++ link_modes = autoneg == AUTONEG_ENABLE ? ethtool2ptys_adver_func(adver) : ++ mlx5e_port_speed2linkmodes(mdev, speed, !ext); + + link_modes = link_modes & eproto.cap; + if (!link_modes) { +@@ -1046,14 +1071,14 @@ int mlx5e_ethtool_set_link_ksettings(str + mlx5_port_query_eth_autoneg(mdev, &an_status, &an_disable_cap, + &an_disable_admin); + +- an_disable = link_ksettings->base.autoneg == AUTONEG_DISABLE; ++ an_disable = autoneg == AUTONEG_DISABLE; + an_changes = ((!an_disable && an_disable_admin) || + (an_disable && !an_disable_admin)); + + if (!an_changes && link_modes == eproto.admin) + goto out; + +- mlx5_port_set_eth_ptys(mdev, an_disable, link_modes, ext_requested); ++ mlx5_port_set_eth_ptys(mdev, an_disable, link_modes, ext); + mlx5_toggle_port_link(mdev); + + out: diff --git a/queue-5.2/net-mlx5e-prevent-encap-flow-counter-update-async-to-user-query.patch b/queue-5.2/net-mlx5e-prevent-encap-flow-counter-update-async-to-user-query.patch new file mode 100644 index 00000000000..c403b82aef4 --- /dev/null +++ b/queue-5.2/net-mlx5e-prevent-encap-flow-counter-update-async-to-user-query.patch @@ -0,0 +1,98 @@ +From foo@baz Thu 08 Aug 2019 08:50:15 AM CEST +From: Ariel Levkovich +Date: Sat, 6 Jul 2019 18:06:15 +0300 +Subject: net/mlx5e: Prevent encap flow counter update async to user query + +From: Ariel Levkovich + +[ Upstream commit 90bb769291161cf25a818d69cf608c181654473e ] + +This patch prevents a race between user invoked cached counters +query and a neighbor last usage updater. + +The cached flow counter stats can be queried by calling +"mlx5_fc_query_cached" which provides the number of bytes and +packets that passed via this flow since the last time this counter +was queried. +It does so by reducting the last saved stats from the current, cached +stats and then updating the last saved stats with the cached stats. +It also provide the lastuse value for that flow. + +Since "mlx5e_tc_update_neigh_used_value" needs to retrieve the +last usage time of encapsulation flows, it calls the flow counter +query method periodically and async to user queries of the flow counter +using cls_flower. +This call is causing the driver to update the last reported bytes and +packets from the cache and therefore, future user queries of the flow +stats will return lower than expected number for bytes and packets +since the last saved stats in the driver was updated async to the last +saved stats in cls_flower. + +This causes wrong stats presentation of encapsulation flows to user. + +Since the neighbor usage updater only needs the lastuse stats from the +cached counter, the fix is to use a dedicated lastuse query call that +returns the lastuse value without synching between the cached stats and +the last saved stats. + +Fixes: f6dfb4c3f216 ("net/mlx5e: Update neighbour 'used' state using HW flow rules counters") +Signed-off-by: Ariel Levkovich +Reviewed-by: Roi Dayan +Signed-off-by: Saeed Mahameed +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlx5/core/en_tc.c | 4 ++-- + drivers/net/ethernet/mellanox/mlx5/core/fs_counters.c | 5 +++++ + include/linux/mlx5/fs.h | 1 + + 3 files changed, 8 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c +@@ -1210,13 +1210,13 @@ static struct mlx5_fc *mlx5e_tc_get_coun + void mlx5e_tc_update_neigh_used_value(struct mlx5e_neigh_hash_entry *nhe) + { + struct mlx5e_neigh *m_neigh = &nhe->m_neigh; +- u64 bytes, packets, lastuse = 0; + struct mlx5e_tc_flow *flow; + struct mlx5e_encap_entry *e; + struct mlx5_fc *counter; + struct neigh_table *tbl; + bool neigh_used = false; + struct neighbour *n; ++ u64 lastuse; + + if (m_neigh->family == AF_INET) + tbl = &arp_tbl; +@@ -1236,7 +1236,7 @@ void mlx5e_tc_update_neigh_used_value(st + encaps[efi->index]); + if (flow->flags & MLX5E_TC_FLOW_OFFLOADED) { + counter = mlx5e_tc_get_counter(flow); +- mlx5_fc_query_cached(counter, &bytes, &packets, &lastuse); ++ lastuse = mlx5_fc_query_lastuse(counter); + if (time_after((unsigned long)lastuse, nhe->reported_lastuse)) { + neigh_used = true; + break; +--- a/drivers/net/ethernet/mellanox/mlx5/core/fs_counters.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/fs_counters.c +@@ -367,6 +367,11 @@ int mlx5_fc_query(struct mlx5_core_dev * + } + EXPORT_SYMBOL(mlx5_fc_query); + ++u64 mlx5_fc_query_lastuse(struct mlx5_fc *counter) ++{ ++ return counter->cache.lastuse; ++} ++ + void mlx5_fc_query_cached(struct mlx5_fc *counter, + u64 *bytes, u64 *packets, u64 *lastuse) + { +--- a/include/linux/mlx5/fs.h ++++ b/include/linux/mlx5/fs.h +@@ -211,6 +211,7 @@ int mlx5_modify_rule_destination(struct + + struct mlx5_fc *mlx5_fc_create(struct mlx5_core_dev *dev, bool aging); + void mlx5_fc_destroy(struct mlx5_core_dev *dev, struct mlx5_fc *counter); ++u64 mlx5_fc_query_lastuse(struct mlx5_fc *counter); + void mlx5_fc_query_cached(struct mlx5_fc *counter, + u64 *bytes, u64 *packets, u64 *lastuse); + int mlx5_fc_query(struct mlx5_core_dev *dev, struct mlx5_fc *counter, diff --git a/queue-5.2/net-phy-fix-race-in-genphy_update_link.patch b/queue-5.2/net-phy-fix-race-in-genphy_update_link.patch new file mode 100644 index 00000000000..ee80e51919e --- /dev/null +++ b/queue-5.2/net-phy-fix-race-in-genphy_update_link.patch @@ -0,0 +1,43 @@ +From foo@baz Thu 08 Aug 2019 08:50:15 AM CEST +From: Heiner Kallweit +Date: Wed, 31 Jul 2019 23:05:10 +0200 +Subject: net: phy: fix race in genphy_update_link + +From: Heiner Kallweit + +[ Upstream commit aa6b1956158f1afc52761137620d4b3f8a058d24 ] + +In phy_start_aneg() autoneg is started, and immediately after that +link and autoneg status are read. As reported in [0] it can happen that +at time of this read the PHY has reset the "aneg complete" bit but not +yet the "link up" bit, what can result in a false link-up detection. +To fix this don't report link as up if we're in aneg mode and PHY +doesn't signal "aneg complete". + +[0] https://marc.info/?t=156413509900003&r=1&w=2 + +Fixes: 4950c2ba49cc ("net: phy: fix autoneg mismatch case in genphy_read_status") +Reported-by: liuyonglong +Tested-by: liuyonglong +Signed-off-by: Heiner Kallweit +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/phy/phy_device.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/net/phy/phy_device.c ++++ b/drivers/net/phy/phy_device.c +@@ -1730,6 +1730,12 @@ done: + phydev->link = status & BMSR_LSTATUS ? 1 : 0; + phydev->autoneg_complete = status & BMSR_ANEGCOMPLETE ? 1 : 0; + ++ /* Consider the case that autoneg was started and "aneg complete" ++ * bit has been reset, but "link up" bit not yet. ++ */ ++ if (phydev->autoneg == AUTONEG_ENABLE && !phydev->autoneg_complete) ++ phydev->link = 0; ++ + return 0; + } + EXPORT_SYMBOL(genphy_update_link); diff --git a/queue-5.2/net-phy-fixed_phy-print-gpio-error-only-if-gpio-node-is-present.patch b/queue-5.2/net-phy-fixed_phy-print-gpio-error-only-if-gpio-node-is-present.patch new file mode 100644 index 00000000000..e03b3570f3d --- /dev/null +++ b/queue-5.2/net-phy-fixed_phy-print-gpio-error-only-if-gpio-node-is-present.patch @@ -0,0 +1,36 @@ +From foo@baz Thu 08 Aug 2019 08:50:15 AM CEST +From: Hubert Feurstein +Date: Tue, 30 Jul 2019 11:46:23 +0200 +Subject: net: phy: fixed_phy: print gpio error only if gpio node is present + +From: Hubert Feurstein + +[ Upstream commit ab98c008ac761752cdc27f9eb053419feadeb2f7 ] + +It is perfectly ok to not have an gpio attached to the fixed-link node. So +the driver should not throw an error message when the gpio is missing. + +Fixes: 5468e82f7034 ("net: phy: fixed-phy: Drop GPIO from fixed_phy_add()") +Signed-off-by: Hubert Feurstein +Reviewed-by: Andrew Lunn +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/phy/fixed_phy.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/net/phy/fixed_phy.c ++++ b/drivers/net/phy/fixed_phy.c +@@ -216,8 +216,10 @@ static struct gpio_desc *fixed_phy_get_g + if (IS_ERR(gpiod)) { + if (PTR_ERR(gpiod) == -EPROBE_DEFER) + return gpiod; +- pr_err("error getting GPIO for fixed link %pOF, proceed without\n", +- fixed_link_node); ++ ++ if (PTR_ERR(gpiod) != -ENOENT) ++ pr_err("error getting GPIO for fixed link %pOF, proceed without\n", ++ fixed_link_node); + gpiod = NULL; + } + diff --git a/queue-5.2/net-phy-mscc-initialize-stats-array.patch b/queue-5.2/net-phy-mscc-initialize-stats-array.patch new file mode 100644 index 00000000000..0cd451b8d89 --- /dev/null +++ b/queue-5.2/net-phy-mscc-initialize-stats-array.patch @@ -0,0 +1,69 @@ +From foo@baz Thu 08 Aug 2019 08:50:15 AM CEST +From: Andreas Schwab +Date: Wed, 24 Jul 2019 17:32:57 +0200 +Subject: net: phy: mscc: initialize stats array + +From: Andreas Schwab + +[ Upstream commit f972037e71246c5e0916eef835174d58ffc517e4 ] + +The memory allocated for the stats array may contain arbitrary data. + +Fixes: e4f9ba642f0b ("net: phy: mscc: add support for VSC8514 PHY.") +Fixes: 00d70d8e0e78 ("net: phy: mscc: add support for VSC8574 PHY") +Fixes: a5afc1678044 ("net: phy: mscc: add support for VSC8584 PHY") +Fixes: f76178dc5218 ("net: phy: mscc: add ethtool statistics counters") +Signed-off-by: Andreas Schwab +Reviewed-by: Andrew Lunn +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/phy/mscc.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +--- a/drivers/net/phy/mscc.c ++++ b/drivers/net/phy/mscc.c +@@ -2226,8 +2226,8 @@ static int vsc8514_probe(struct phy_devi + vsc8531->supp_led_modes = VSC85XX_SUPP_LED_MODES; + vsc8531->hw_stats = vsc85xx_hw_stats; + vsc8531->nstats = ARRAY_SIZE(vsc85xx_hw_stats); +- vsc8531->stats = devm_kmalloc_array(&phydev->mdio.dev, vsc8531->nstats, +- sizeof(u64), GFP_KERNEL); ++ vsc8531->stats = devm_kcalloc(&phydev->mdio.dev, vsc8531->nstats, ++ sizeof(u64), GFP_KERNEL); + if (!vsc8531->stats) + return -ENOMEM; + +@@ -2251,8 +2251,8 @@ static int vsc8574_probe(struct phy_devi + vsc8531->supp_led_modes = VSC8584_SUPP_LED_MODES; + vsc8531->hw_stats = vsc8584_hw_stats; + vsc8531->nstats = ARRAY_SIZE(vsc8584_hw_stats); +- vsc8531->stats = devm_kmalloc_array(&phydev->mdio.dev, vsc8531->nstats, +- sizeof(u64), GFP_KERNEL); ++ vsc8531->stats = devm_kcalloc(&phydev->mdio.dev, vsc8531->nstats, ++ sizeof(u64), GFP_KERNEL); + if (!vsc8531->stats) + return -ENOMEM; + +@@ -2281,8 +2281,8 @@ static int vsc8584_probe(struct phy_devi + vsc8531->supp_led_modes = VSC8584_SUPP_LED_MODES; + vsc8531->hw_stats = vsc8584_hw_stats; + vsc8531->nstats = ARRAY_SIZE(vsc8584_hw_stats); +- vsc8531->stats = devm_kmalloc_array(&phydev->mdio.dev, vsc8531->nstats, +- sizeof(u64), GFP_KERNEL); ++ vsc8531->stats = devm_kcalloc(&phydev->mdio.dev, vsc8531->nstats, ++ sizeof(u64), GFP_KERNEL); + if (!vsc8531->stats) + return -ENOMEM; + +@@ -2311,8 +2311,8 @@ static int vsc85xx_probe(struct phy_devi + vsc8531->supp_led_modes = VSC85XX_SUPP_LED_MODES; + vsc8531->hw_stats = vsc85xx_hw_stats; + vsc8531->nstats = ARRAY_SIZE(vsc85xx_hw_stats); +- vsc8531->stats = devm_kmalloc_array(&phydev->mdio.dev, vsc8531->nstats, +- sizeof(u64), GFP_KERNEL); ++ vsc8531->stats = devm_kcalloc(&phydev->mdio.dev, vsc8531->nstats, ++ sizeof(u64), GFP_KERNEL); + if (!vsc8531->stats) + return -ENOMEM; + diff --git a/queue-5.2/net-phylink-don-t-start-and-stop-sgmii-phys-in-sfp-modules-twice.patch b/queue-5.2/net-phylink-don-t-start-and-stop-sgmii-phys-in-sfp-modules-twice.patch new file mode 100644 index 00000000000..32107a78031 --- /dev/null +++ b/queue-5.2/net-phylink-don-t-start-and-stop-sgmii-phys-in-sfp-modules-twice.patch @@ -0,0 +1,145 @@ +From foo@baz Thu 08 Aug 2019 08:50:15 AM CEST +From: Arseny Solokha +Date: Wed, 24 Jul 2019 20:31:39 +0700 +Subject: net: phylink: don't start and stop SGMII PHYs in SFP modules twice + +From: Arseny Solokha + +[ Upstream commit c7fa7f567cab6532be285a5df104617d80bce245 ] + +SFP modules connected using the SGMII interface have their own PHYs which +are handled by the struct phylink's phydev field. On the other hand, for +the modules connected using 1000Base-X interface that field is not set. + +Since commit ce0aa27ff3f6 ("sfp: add sfp-bus to bridge between network +devices and sfp cages") phylink_start() ends up setting the phydev field +using the sfp-bus infrastructure, which eventually calls phy_start() on it, +and then calling phy_start() again on the same phydev from phylink_start() +itself. Similar call sequence holds for phylink_stop(), only in the reverse +order. This results in WARNs during network interface bringup and shutdown +when a copper SFP module is connected, as phy_start() and phy_stop() are +called twice in a row for the same phy_device: + + % ip link set up dev eth0 + ------------[ cut here ]------------ + called from state UP + WARNING: CPU: 1 PID: 155 at drivers/net/phy/phy.c:895 phy_start+0x74/0xc0 + Modules linked in: + CPU: 1 PID: 155 Comm: backend Not tainted 5.2.0+ #1 + NIP: c0227bf0 LR: c0227bf0 CTR: c004d224 + REGS: df547720 TRAP: 0700 Not tainted (5.2.0+) + MSR: 00029000 CR: 24002822 XER: 00000000 + + GPR00: c0227bf0 df5477d8 df5d7080 00000014 df9d2370 df9d5ac4 1f4eb000 00000001 + GPR08: c061fe58 00000000 00000000 df5477d8 0000003c 100c8768 00000000 00000000 + GPR16: df486a00 c046f1c8 c046eea0 00000000 c046e904 c0239604 db68449c 00000000 + GPR24: e9083204 00000000 00000001 db684460 e9083404 00000000 db6dce00 db6dcc00 + NIP [c0227bf0] phy_start+0x74/0xc0 + LR [c0227bf0] phy_start+0x74/0xc0 + Call Trace: + [df5477d8] [c0227bf0] phy_start+0x74/0xc0 (unreliable) + [df5477e8] [c023cad0] startup_gfar+0x398/0x3f4 + [df547828] [c023cf08] gfar_enet_open+0x364/0x374 + [df547898] [c029d870] __dev_open+0xe4/0x140 + [df5478c8] [c029db70] __dev_change_flags+0xf0/0x188 + [df5478f8] [c029dc28] dev_change_flags+0x20/0x54 + [df547918] [c02ae304] do_setlink+0x310/0x818 + [df547a08] [c02b1eb8] __rtnl_newlink+0x384/0x6b0 + [df547c28] [c02b222c] rtnl_newlink+0x48/0x68 + [df547c48] [c02ad7c8] rtnetlink_rcv_msg+0x240/0x27c + [df547c98] [c02cc068] netlink_rcv_skb+0x8c/0xf0 + [df547cd8] [c02cba3c] netlink_unicast+0x114/0x19c + [df547d08] [c02cbd74] netlink_sendmsg+0x2b0/0x2c0 + [df547d58] [c027b668] sock_sendmsg_nosec+0x20/0x40 + [df547d68] [c027d080] ___sys_sendmsg+0x17c/0x1dc + [df547e98] [c027df7c] __sys_sendmsg+0x68/0x84 + [df547ef8] [c027e430] sys_socketcall+0x1a0/0x204 + [df547f38] [c000d1d8] ret_from_syscall+0x0/0x38 + --- interrupt: c01 at 0xfd4e030 + LR = 0xfd4e010 + Instruction dump: + 813f0188 38800000 2b890005 419d0014 3d40c046 5529103a 394aa208 7c8a482e + 3c60c046 3863a1b8 4cc63182 4be009a1 <0fe00000> 48000030 3c60c046 3863a1d0 + ---[ end trace d4c095aeaf6ea998 ]--- + +and + + % ip link set down dev eth0 + ------------[ cut here ]------------ + called from state HALTED + WARNING: CPU: 1 PID: 184 at drivers/net/phy/phy.c:858 phy_stop+0x3c/0x88 + + <...> + + Call Trace: + [df581788] [c0228450] phy_stop+0x3c/0x88 (unreliable) + [df581798] [c022d548] sfp_sm_phy_detach+0x1c/0x44 + [df5817a8] [c022e8cc] sfp_sm_event+0x4b0/0x87c + [df581848] [c022f04c] sfp_upstream_stop+0x34/0x44 + [df581858] [c0225608] phylink_stop+0x7c/0xe4 + [df581868] [c023c57c] stop_gfar+0x7c/0x94 + [df581888] [c023c5b8] gfar_close+0x24/0x94 + [df5818a8] [c0298688] __dev_close_many+0xdc/0xf8 + [df5818c8] [c029db58] __dev_change_flags+0xd8/0x188 + [df5818f8] [c029dc28] dev_change_flags+0x20/0x54 + [df581918] [c02ae304] do_setlink+0x310/0x818 + [df581a08] [c02b1eb8] __rtnl_newlink+0x384/0x6b0 + [df581c28] [c02b222c] rtnl_newlink+0x48/0x68 + [df581c48] [c02ad7c8] rtnetlink_rcv_msg+0x240/0x27c + [df581c98] [c02cc068] netlink_rcv_skb+0x8c/0xf0 + [df581cd8] [c02cba3c] netlink_unicast+0x114/0x19c + [df581d08] [c02cbd74] netlink_sendmsg+0x2b0/0x2c0 + [df581d58] [c027b668] sock_sendmsg_nosec+0x20/0x40 + [df581d68] [c027d080] ___sys_sendmsg+0x17c/0x1dc + [df581e98] [c027df7c] __sys_sendmsg+0x68/0x84 + [df581ef8] [c027e430] sys_socketcall+0x1a0/0x204 + [df581f38] [c000d1d8] ret_from_syscall+0x0/0x38 + + <...> + + ---[ end trace d4c095aeaf6ea999 ]--- + +SFP modules with the 1000Base-X interface are not affected. + +Place explicit calls to phy_start() and phy_stop() before enabling or after +disabling an attached SFP module, where phydev is not yet set (or is +already unset), so they will be made only from the inside of sfp-bus, if +needed. + +Fixes: 217962615662 ("net: phy: warn if phy_start is called from invalid state") +Signed-off-by: Arseny Solokha +Acked-by: Russell King +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/phy/phylink.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/net/phy/phylink.c ++++ b/drivers/net/phy/phylink.c +@@ -912,10 +912,10 @@ void phylink_start(struct phylink *pl) + + if (pl->link_an_mode == MLO_AN_FIXED && !IS_ERR(pl->link_gpio)) + mod_timer(&pl->link_poll, jiffies + HZ); +- if (pl->sfp_bus) +- sfp_upstream_start(pl->sfp_bus); + if (pl->phydev) + phy_start(pl->phydev); ++ if (pl->sfp_bus) ++ sfp_upstream_start(pl->sfp_bus); + } + EXPORT_SYMBOL_GPL(phylink_start); + +@@ -932,10 +932,10 @@ void phylink_stop(struct phylink *pl) + { + ASSERT_RTNL(); + +- if (pl->phydev) +- phy_stop(pl->phydev); + if (pl->sfp_bus) + sfp_upstream_stop(pl->sfp_bus); ++ if (pl->phydev) ++ phy_stop(pl->phydev); + if (pl->link_an_mode == MLO_AN_FIXED && !IS_ERR(pl->link_gpio)) + del_timer_sync(&pl->link_poll); + diff --git a/queue-5.2/net-phylink-fix-flow-control-for-fixed-link.patch b/queue-5.2/net-phylink-fix-flow-control-for-fixed-link.patch new file mode 100644 index 00000000000..938216e7f6f --- /dev/null +++ b/queue-5.2/net-phylink-fix-flow-control-for-fixed-link.patch @@ -0,0 +1,54 @@ +From foo@baz Thu 08 Aug 2019 08:50:15 AM CEST +From: "René van Dorst" +Date: Sat, 27 Jul 2019 11:40:11 +0200 +Subject: net: phylink: Fix flow control for fixed-link + +From: "René van Dorst" + +[ Upstream commit 8aace4f3eba2a3ceb431e18683ea0e1ecbade5cd ] + +In phylink_parse_fixedlink() the pl->link_config.advertising bits are AND +with pl->supported, pl->supported is zeroed and only the speed/duplex +modes and MII bits are set. +So pl->link_config.advertising always loses the flow control/pause bits. + +By setting Pause and Asym_Pause bits in pl->supported, the flow control +work again when devicetree "pause" is set in fixes-link node and the MAC +advertise that is supports pause. + +Results with this patch. + +Legend: +- DT = 'Pause' is set in the fixed-link in devicetree. +- validate() = ‘Yes’ means phylink_set(mask, Pause) is set in the + validate(). +- flow = results reported my link is Up line. + ++-----+------------+-------+ +| DT | validate() | flow | ++-----+------------+-------+ +| Yes | Yes | rx/tx | +| No | Yes | off | +| Yes | No | off | ++-----+------------+-------+ + +Fixes: 9525ae83959b ("phylink: add phylink infrastructure") +Signed-off-by: René van Dorst +Acked-by: Russell King +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/phy/phylink.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/net/phy/phylink.c ++++ b/drivers/net/phy/phylink.c +@@ -195,6 +195,8 @@ static int phylink_parse_fixedlink(struc + pl->supported, true); + linkmode_zero(pl->supported); + phylink_set(pl->supported, MII); ++ phylink_set(pl->supported, Pause); ++ phylink_set(pl->supported, Asym_Pause); + if (s) { + __set_bit(s->bit, pl->supported); + } else { diff --git a/queue-5.2/net-qualcomm-rmnet-fix-incorrect-ul-checksum-offload-logic.patch b/queue-5.2/net-qualcomm-rmnet-fix-incorrect-ul-checksum-offload-logic.patch new file mode 100644 index 00000000000..a6397414ae8 --- /dev/null +++ b/queue-5.2/net-qualcomm-rmnet-fix-incorrect-ul-checksum-offload-logic.patch @@ -0,0 +1,86 @@ +From foo@baz Thu 08 Aug 2019 08:50:15 AM CEST +From: Subash Abhinov Kasiviswanathan +Date: Thu, 25 Jul 2019 12:07:12 -0600 +Subject: net: qualcomm: rmnet: Fix incorrect UL checksum offload logic + +From: Subash Abhinov Kasiviswanathan + +[ Upstream commit a7cf3d24ee6081930feb4c830a7f6f16ebe31c49 ] + +The udp_ip4_ind bit is set only for IPv4 UDP non-fragmented packets +so that the hardware can flip the checksum to 0xFFFF if the computed +checksum is 0 per RFC768. + +However, this bit had to be set for IPv6 UDP non fragmented packets +as well per hardware requirements. Otherwise, IPv6 UDP packets +with computed checksum as 0 were transmitted by hardware and were +dropped in the network. + +In addition to setting this bit for IPv6 UDP, the field is also +appropriately renamed to udp_ind as part of this change. + +Fixes: 5eb5f8608ef1 ("net: qualcomm: rmnet: Add support for TX checksum offload") +Cc: Sean Tranchetti +Signed-off-by: Subash Abhinov Kasiviswanathan +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/qualcomm/rmnet/rmnet_map.h | 2 +- + drivers/net/ethernet/qualcomm/rmnet/rmnet_map_data.c | 13 +++++++++---- + 2 files changed, 10 insertions(+), 5 deletions(-) + +--- a/drivers/net/ethernet/qualcomm/rmnet/rmnet_map.h ++++ b/drivers/net/ethernet/qualcomm/rmnet/rmnet_map.h +@@ -51,7 +51,7 @@ struct rmnet_map_dl_csum_trailer { + struct rmnet_map_ul_csum_header { + __be16 csum_start_offset; + u16 csum_insert_offset:14; +- u16 udp_ip4_ind:1; ++ u16 udp_ind:1; + u16 csum_enabled:1; + } __aligned(1); + +--- a/drivers/net/ethernet/qualcomm/rmnet/rmnet_map_data.c ++++ b/drivers/net/ethernet/qualcomm/rmnet/rmnet_map_data.c +@@ -206,9 +206,9 @@ rmnet_map_ipv4_ul_csum_header(void *iphd + ul_header->csum_insert_offset = skb->csum_offset; + ul_header->csum_enabled = 1; + if (ip4h->protocol == IPPROTO_UDP) +- ul_header->udp_ip4_ind = 1; ++ ul_header->udp_ind = 1; + else +- ul_header->udp_ip4_ind = 0; ++ ul_header->udp_ind = 0; + + /* Changing remaining fields to network order */ + hdr++; +@@ -239,6 +239,7 @@ rmnet_map_ipv6_ul_csum_header(void *ip6h + struct rmnet_map_ul_csum_header *ul_header, + struct sk_buff *skb) + { ++ struct ipv6hdr *ip6h = (struct ipv6hdr *)ip6hdr; + __be16 *hdr = (__be16 *)ul_header, offset; + + offset = htons((__force u16)(skb_transport_header(skb) - +@@ -246,7 +247,11 @@ rmnet_map_ipv6_ul_csum_header(void *ip6h + ul_header->csum_start_offset = offset; + ul_header->csum_insert_offset = skb->csum_offset; + ul_header->csum_enabled = 1; +- ul_header->udp_ip4_ind = 0; ++ ++ if (ip6h->nexthdr == IPPROTO_UDP) ++ ul_header->udp_ind = 1; ++ else ++ ul_header->udp_ind = 0; + + /* Changing remaining fields to network order */ + hdr++; +@@ -419,7 +424,7 @@ sw_csum: + ul_header->csum_start_offset = 0; + ul_header->csum_insert_offset = 0; + ul_header->csum_enabled = 0; +- ul_header->udp_ip4_ind = 0; ++ ul_header->udp_ind = 0; + + priv->stats.csum_sw++; + } diff --git a/queue-5.2/net-sched-fix-a-possible-null-pointer-dereference-in-dequeue_func.patch b/queue-5.2/net-sched-fix-a-possible-null-pointer-dereference-in-dequeue_func.patch new file mode 100644 index 00000000000..624de38814e --- /dev/null +++ b/queue-5.2/net-sched-fix-a-possible-null-pointer-dereference-in-dequeue_func.patch @@ -0,0 +1,47 @@ +From foo@baz Thu 08 Aug 2019 08:50:15 AM CEST +From: Jia-Ju Bai +Date: Mon, 29 Jul 2019 16:24:33 +0800 +Subject: net: sched: Fix a possible null-pointer dereference in dequeue_func() + +From: Jia-Ju Bai + +[ Upstream commit 051c7b39be4a91f6b7d8c4548444e4b850f1f56c ] + +In dequeue_func(), there is an if statement on line 74 to check whether +skb is NULL: + if (skb) + +When skb is NULL, it is used on line 77: + prefetch(&skb->end); + +Thus, a possible null-pointer dereference may occur. + +To fix this bug, skb->end is used when skb is not NULL. + +This bug is found by a static analysis tool STCheck written by us. + +Fixes: 76e3cc126bb2 ("codel: Controlled Delay AQM") +Signed-off-by: Jia-Ju Bai +Reviewed-by: Jiri Pirko +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/sched/sch_codel.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/net/sched/sch_codel.c ++++ b/net/sched/sch_codel.c +@@ -71,10 +71,10 @@ static struct sk_buff *dequeue_func(stru + struct Qdisc *sch = ctx; + struct sk_buff *skb = __qdisc_dequeue_head(&sch->q); + +- if (skb) ++ if (skb) { + sch->qstats.backlog -= qdisc_pkt_len(skb); +- +- prefetch(&skb->end); /* we'll need skb_shinfo() */ ++ prefetch(&skb->end); /* we'll need skb_shinfo() */ ++ } + return skb; + } + diff --git a/queue-5.2/net-sched-update-vlan-action-for-batched-events-operations.patch b/queue-5.2/net-sched-update-vlan-action-for-batched-events-operations.patch new file mode 100644 index 00000000000..b011a740af4 --- /dev/null +++ b/queue-5.2/net-sched-update-vlan-action-for-batched-events-operations.patch @@ -0,0 +1,45 @@ +From foo@baz Thu 08 Aug 2019 08:50:15 AM CEST +From: Roman Mashak +Date: Fri, 2 Aug 2019 15:16:46 -0400 +Subject: net sched: update vlan action for batched events operations + +From: Roman Mashak + +[ Upstream commit b35475c5491a14c8ce7a5046ef7bcda8a860581a ] + +Add get_fill_size() routine used to calculate the action size +when building a batch of events. + +Fixes: c7e2b9689 ("sched: introduce vlan action") +Signed-off-by: Roman Mashak +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/sched/act_vlan.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/net/sched/act_vlan.c ++++ b/net/sched/act_vlan.c +@@ -306,6 +306,14 @@ static int tcf_vlan_search(struct net *n + return tcf_idr_search(tn, a, index); + } + ++static size_t tcf_vlan_get_fill_size(const struct tc_action *act) ++{ ++ return nla_total_size(sizeof(struct tc_vlan)) ++ + nla_total_size(sizeof(u16)) /* TCA_VLAN_PUSH_VLAN_ID */ ++ + nla_total_size(sizeof(u16)) /* TCA_VLAN_PUSH_VLAN_PROTOCOL */ ++ + nla_total_size(sizeof(u8)); /* TCA_VLAN_PUSH_VLAN_PRIORITY */ ++} ++ + static struct tc_action_ops act_vlan_ops = { + .kind = "vlan", + .id = TCA_ID_VLAN, +@@ -315,6 +323,7 @@ static struct tc_action_ops act_vlan_ops + .init = tcf_vlan_init, + .cleanup = tcf_vlan_cleanup, + .walk = tcf_vlan_walker, ++ .get_fill_size = tcf_vlan_get_fill_size, + .lookup = tcf_vlan_search, + .size = sizeof(struct tcf_vlan), + }; diff --git a/queue-5.2/net-sched-use-temporary-variable-for-actions-indexes.patch b/queue-5.2/net-sched-use-temporary-variable-for-actions-indexes.patch new file mode 100644 index 00000000000..f851f3c35e9 --- /dev/null +++ b/queue-5.2/net-sched-use-temporary-variable-for-actions-indexes.patch @@ -0,0 +1,607 @@ +From foo@baz Thu 08 Aug 2019 08:50:15 AM CEST +From: Dmytro Linkin +Date: Thu, 1 Aug 2019 13:02:51 +0000 +Subject: net: sched: use temporary variable for actions indexes + +From: Dmytro Linkin + +[ Upstream commit 7be8ef2cdbfe41a2e524b7c6cc3f8e6cfaa906e4 ] + +Currently init call of all actions (except ipt) init their 'parm' +structure as a direct pointer to nla data in skb. This leads to race +condition when some of the filter actions were initialized successfully +(and were assigned with idr action index that was written directly +into nla data), but then were deleted and retried (due to following +action module missing or classifier-initiated retry), in which case +action init code tries to insert action to idr with index that was +assigned on previous iteration. During retry the index can be reused +by another action that was inserted concurrently, which causes +unintended action sharing between filters. +To fix described race condition, save action idr index to temporary +stack-allocated variable instead on nla data. + +Fixes: 0190c1d452a9 ("net: sched: atomically check-allocate action") +Signed-off-by: Dmytro Linkin +Signed-off-by: Vlad Buslov +Acked-by: Cong Wang +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/sched/act_bpf.c | 9 +++++---- + net/sched/act_connmark.c | 9 +++++---- + net/sched/act_csum.c | 9 +++++---- + net/sched/act_gact.c | 8 +++++--- + net/sched/act_ife.c | 8 +++++--- + net/sched/act_mirred.c | 13 +++++++------ + net/sched/act_nat.c | 9 +++++---- + net/sched/act_pedit.c | 10 ++++++---- + net/sched/act_police.c | 8 +++++--- + net/sched/act_sample.c | 10 +++++----- + net/sched/act_simple.c | 10 ++++++---- + net/sched/act_skbedit.c | 11 ++++++----- + net/sched/act_skbmod.c | 11 ++++++----- + net/sched/act_tunnel_key.c | 8 +++++--- + net/sched/act_vlan.c | 16 +++++++++------- + 15 files changed, 85 insertions(+), 64 deletions(-) + +--- a/net/sched/act_bpf.c ++++ b/net/sched/act_bpf.c +@@ -285,6 +285,7 @@ static int tcf_bpf_init(struct net *net, + struct tcf_bpf *prog; + bool is_bpf, is_ebpf; + int ret, res = 0; ++ u32 index; + + if (!nla) + return -EINVAL; +@@ -298,13 +299,13 @@ static int tcf_bpf_init(struct net *net, + return -EINVAL; + + parm = nla_data(tb[TCA_ACT_BPF_PARMS]); +- +- ret = tcf_idr_check_alloc(tn, &parm->index, act, bind); ++ index = parm->index; ++ ret = tcf_idr_check_alloc(tn, &index, act, bind); + if (!ret) { +- ret = tcf_idr_create(tn, parm->index, est, act, ++ ret = tcf_idr_create(tn, index, est, act, + &act_bpf_ops, bind, true); + if (ret < 0) { +- tcf_idr_cleanup(tn, parm->index); ++ tcf_idr_cleanup(tn, index); + return ret; + } + +--- a/net/sched/act_connmark.c ++++ b/net/sched/act_connmark.c +@@ -103,6 +103,7 @@ static int tcf_connmark_init(struct net + struct tcf_connmark_info *ci; + struct tc_connmark *parm; + int ret = 0, err; ++ u32 index; + + if (!nla) + return -EINVAL; +@@ -116,13 +117,13 @@ static int tcf_connmark_init(struct net + return -EINVAL; + + parm = nla_data(tb[TCA_CONNMARK_PARMS]); +- +- ret = tcf_idr_check_alloc(tn, &parm->index, a, bind); ++ index = parm->index; ++ ret = tcf_idr_check_alloc(tn, &index, a, bind); + if (!ret) { +- ret = tcf_idr_create(tn, parm->index, est, a, ++ ret = tcf_idr_create(tn, index, est, a, + &act_connmark_ops, bind, false); + if (ret) { +- tcf_idr_cleanup(tn, parm->index); ++ tcf_idr_cleanup(tn, index); + return ret; + } + +--- a/net/sched/act_csum.c ++++ b/net/sched/act_csum.c +@@ -52,6 +52,7 @@ static int tcf_csum_init(struct net *net + struct tc_csum *parm; + struct tcf_csum *p; + int ret = 0, err; ++ u32 index; + + if (nla == NULL) + return -EINVAL; +@@ -64,13 +65,13 @@ static int tcf_csum_init(struct net *net + if (tb[TCA_CSUM_PARMS] == NULL) + return -EINVAL; + parm = nla_data(tb[TCA_CSUM_PARMS]); +- +- err = tcf_idr_check_alloc(tn, &parm->index, a, bind); ++ index = parm->index; ++ err = tcf_idr_check_alloc(tn, &index, a, bind); + if (!err) { +- ret = tcf_idr_create(tn, parm->index, est, a, ++ ret = tcf_idr_create(tn, index, est, a, + &act_csum_ops, bind, true); + if (ret) { +- tcf_idr_cleanup(tn, parm->index); ++ tcf_idr_cleanup(tn, index); + return ret; + } + ret = ACT_P_CREATED; +--- a/net/sched/act_gact.c ++++ b/net/sched/act_gact.c +@@ -61,6 +61,7 @@ static int tcf_gact_init(struct net *net + struct tc_gact *parm; + struct tcf_gact *gact; + int ret = 0; ++ u32 index; + int err; + #ifdef CONFIG_GACT_PROB + struct tc_gact_p *p_parm = NULL; +@@ -77,6 +78,7 @@ static int tcf_gact_init(struct net *net + if (tb[TCA_GACT_PARMS] == NULL) + return -EINVAL; + parm = nla_data(tb[TCA_GACT_PARMS]); ++ index = parm->index; + + #ifndef CONFIG_GACT_PROB + if (tb[TCA_GACT_PROB] != NULL) +@@ -94,12 +96,12 @@ static int tcf_gact_init(struct net *net + } + #endif + +- err = tcf_idr_check_alloc(tn, &parm->index, a, bind); ++ err = tcf_idr_check_alloc(tn, &index, a, bind); + if (!err) { +- ret = tcf_idr_create(tn, parm->index, est, a, ++ ret = tcf_idr_create(tn, index, est, a, + &act_gact_ops, bind, true); + if (ret) { +- tcf_idr_cleanup(tn, parm->index); ++ tcf_idr_cleanup(tn, index); + return ret; + } + ret = ACT_P_CREATED; +--- a/net/sched/act_ife.c ++++ b/net/sched/act_ife.c +@@ -479,6 +479,7 @@ static int tcf_ife_init(struct net *net, + u8 *saddr = NULL; + bool exists = false; + int ret = 0; ++ u32 index; + int err; + + if (!nla) { +@@ -507,7 +508,8 @@ static int tcf_ife_init(struct net *net, + if (!p) + return -ENOMEM; + +- err = tcf_idr_check_alloc(tn, &parm->index, a, bind); ++ index = parm->index; ++ err = tcf_idr_check_alloc(tn, &index, a, bind); + if (err < 0) { + kfree(p); + return err; +@@ -519,10 +521,10 @@ static int tcf_ife_init(struct net *net, + } + + if (!exists) { +- ret = tcf_idr_create(tn, parm->index, est, a, &act_ife_ops, ++ ret = tcf_idr_create(tn, index, est, a, &act_ife_ops, + bind, true); + if (ret) { +- tcf_idr_cleanup(tn, parm->index); ++ tcf_idr_cleanup(tn, index); + kfree(p); + return ret; + } +--- a/net/sched/act_mirred.c ++++ b/net/sched/act_mirred.c +@@ -101,6 +101,7 @@ static int tcf_mirred_init(struct net *n + struct net_device *dev; + bool exists = false; + int ret, err; ++ u32 index; + + if (!nla) { + NL_SET_ERR_MSG_MOD(extack, "Mirred requires attributes to be passed"); +@@ -115,8 +116,8 @@ static int tcf_mirred_init(struct net *n + return -EINVAL; + } + parm = nla_data(tb[TCA_MIRRED_PARMS]); +- +- err = tcf_idr_check_alloc(tn, &parm->index, a, bind); ++ index = parm->index; ++ err = tcf_idr_check_alloc(tn, &index, a, bind); + if (err < 0) + return err; + exists = err; +@@ -133,21 +134,21 @@ static int tcf_mirred_init(struct net *n + if (exists) + tcf_idr_release(*a, bind); + else +- tcf_idr_cleanup(tn, parm->index); ++ tcf_idr_cleanup(tn, index); + NL_SET_ERR_MSG_MOD(extack, "Unknown mirred option"); + return -EINVAL; + } + + if (!exists) { + if (!parm->ifindex) { +- tcf_idr_cleanup(tn, parm->index); ++ tcf_idr_cleanup(tn, index); + NL_SET_ERR_MSG_MOD(extack, "Specified device does not exist"); + return -EINVAL; + } +- ret = tcf_idr_create(tn, parm->index, est, a, ++ ret = tcf_idr_create(tn, index, est, a, + &act_mirred_ops, bind, true); + if (ret) { +- tcf_idr_cleanup(tn, parm->index); ++ tcf_idr_cleanup(tn, index); + return ret; + } + ret = ACT_P_CREATED; +--- a/net/sched/act_nat.c ++++ b/net/sched/act_nat.c +@@ -44,6 +44,7 @@ static int tcf_nat_init(struct net *net, + struct tc_nat *parm; + int ret = 0, err; + struct tcf_nat *p; ++ u32 index; + + if (nla == NULL) + return -EINVAL; +@@ -56,13 +57,13 @@ static int tcf_nat_init(struct net *net, + if (tb[TCA_NAT_PARMS] == NULL) + return -EINVAL; + parm = nla_data(tb[TCA_NAT_PARMS]); +- +- err = tcf_idr_check_alloc(tn, &parm->index, a, bind); ++ index = parm->index; ++ err = tcf_idr_check_alloc(tn, &index, a, bind); + if (!err) { +- ret = tcf_idr_create(tn, parm->index, est, a, ++ ret = tcf_idr_create(tn, index, est, a, + &act_nat_ops, bind, false); + if (ret) { +- tcf_idr_cleanup(tn, parm->index); ++ tcf_idr_cleanup(tn, index); + return ret; + } + ret = ACT_P_CREATED; +--- a/net/sched/act_pedit.c ++++ b/net/sched/act_pedit.c +@@ -149,6 +149,7 @@ static int tcf_pedit_init(struct net *ne + struct tcf_pedit *p; + int ret = 0, err; + int ksize; ++ u32 index; + + if (!nla) { + NL_SET_ERR_MSG_MOD(extack, "Pedit requires attributes to be passed"); +@@ -179,18 +180,19 @@ static int tcf_pedit_init(struct net *ne + if (IS_ERR(keys_ex)) + return PTR_ERR(keys_ex); + +- err = tcf_idr_check_alloc(tn, &parm->index, a, bind); ++ index = parm->index; ++ err = tcf_idr_check_alloc(tn, &index, a, bind); + if (!err) { + if (!parm->nkeys) { +- tcf_idr_cleanup(tn, parm->index); ++ tcf_idr_cleanup(tn, index); + NL_SET_ERR_MSG_MOD(extack, "Pedit requires keys to be passed"); + ret = -EINVAL; + goto out_free; + } +- ret = tcf_idr_create(tn, parm->index, est, a, ++ ret = tcf_idr_create(tn, index, est, a, + &act_pedit_ops, bind, false); + if (ret) { +- tcf_idr_cleanup(tn, parm->index); ++ tcf_idr_cleanup(tn, index); + goto out_free; + } + ret = ACT_P_CREATED; +--- a/net/sched/act_police.c ++++ b/net/sched/act_police.c +@@ -57,6 +57,7 @@ static int tcf_police_init(struct net *n + struct tc_action_net *tn = net_generic(net, police_net_id); + struct tcf_police_params *new; + bool exists = false; ++ u32 index; + + if (nla == NULL) + return -EINVAL; +@@ -73,7 +74,8 @@ static int tcf_police_init(struct net *n + return -EINVAL; + + parm = nla_data(tb[TCA_POLICE_TBF]); +- err = tcf_idr_check_alloc(tn, &parm->index, a, bind); ++ index = parm->index; ++ err = tcf_idr_check_alloc(tn, &index, a, bind); + if (err < 0) + return err; + exists = err; +@@ -81,10 +83,10 @@ static int tcf_police_init(struct net *n + return 0; + + if (!exists) { +- ret = tcf_idr_create(tn, parm->index, NULL, a, ++ ret = tcf_idr_create(tn, index, NULL, a, + &act_police_ops, bind, true); + if (ret) { +- tcf_idr_cleanup(tn, parm->index); ++ tcf_idr_cleanup(tn, index); + return ret; + } + ret = ACT_P_CREATED; +--- a/net/sched/act_sample.c ++++ b/net/sched/act_sample.c +@@ -41,8 +41,8 @@ static int tcf_sample_init(struct net *n + struct tc_action_net *tn = net_generic(net, sample_net_id); + struct nlattr *tb[TCA_SAMPLE_MAX + 1]; + struct psample_group *psample_group; ++ u32 psample_group_num, rate, index; + struct tcf_chain *goto_ch = NULL; +- u32 psample_group_num, rate; + struct tc_sample *parm; + struct tcf_sample *s; + bool exists = false; +@@ -59,8 +59,8 @@ static int tcf_sample_init(struct net *n + return -EINVAL; + + parm = nla_data(tb[TCA_SAMPLE_PARMS]); +- +- err = tcf_idr_check_alloc(tn, &parm->index, a, bind); ++ index = parm->index; ++ err = tcf_idr_check_alloc(tn, &index, a, bind); + if (err < 0) + return err; + exists = err; +@@ -68,10 +68,10 @@ static int tcf_sample_init(struct net *n + return 0; + + if (!exists) { +- ret = tcf_idr_create(tn, parm->index, est, a, ++ ret = tcf_idr_create(tn, index, est, a, + &act_sample_ops, bind, true); + if (ret) { +- tcf_idr_cleanup(tn, parm->index); ++ tcf_idr_cleanup(tn, index); + return ret; + } + ret = ACT_P_CREATED; +--- a/net/sched/act_simple.c ++++ b/net/sched/act_simple.c +@@ -95,6 +95,7 @@ static int tcf_simp_init(struct net *net + struct tcf_defact *d; + bool exists = false; + int ret = 0, err; ++ u32 index; + + if (nla == NULL) + return -EINVAL; +@@ -108,7 +109,8 @@ static int tcf_simp_init(struct net *net + return -EINVAL; + + parm = nla_data(tb[TCA_DEF_PARMS]); +- err = tcf_idr_check_alloc(tn, &parm->index, a, bind); ++ index = parm->index; ++ err = tcf_idr_check_alloc(tn, &index, a, bind); + if (err < 0) + return err; + exists = err; +@@ -119,15 +121,15 @@ static int tcf_simp_init(struct net *net + if (exists) + tcf_idr_release(*a, bind); + else +- tcf_idr_cleanup(tn, parm->index); ++ tcf_idr_cleanup(tn, index); + return -EINVAL; + } + + if (!exists) { +- ret = tcf_idr_create(tn, parm->index, est, a, ++ ret = tcf_idr_create(tn, index, est, a, + &act_simp_ops, bind, false); + if (ret) { +- tcf_idr_cleanup(tn, parm->index); ++ tcf_idr_cleanup(tn, index); + return ret; + } + +--- a/net/sched/act_skbedit.c ++++ b/net/sched/act_skbedit.c +@@ -99,6 +99,7 @@ static int tcf_skbedit_init(struct net * + u16 *queue_mapping = NULL, *ptype = NULL; + bool exists = false; + int ret = 0, err; ++ u32 index; + + if (nla == NULL) + return -EINVAL; +@@ -146,8 +147,8 @@ static int tcf_skbedit_init(struct net * + } + + parm = nla_data(tb[TCA_SKBEDIT_PARMS]); +- +- err = tcf_idr_check_alloc(tn, &parm->index, a, bind); ++ index = parm->index; ++ err = tcf_idr_check_alloc(tn, &index, a, bind); + if (err < 0) + return err; + exists = err; +@@ -158,15 +159,15 @@ static int tcf_skbedit_init(struct net * + if (exists) + tcf_idr_release(*a, bind); + else +- tcf_idr_cleanup(tn, parm->index); ++ tcf_idr_cleanup(tn, index); + return -EINVAL; + } + + if (!exists) { +- ret = tcf_idr_create(tn, parm->index, est, a, ++ ret = tcf_idr_create(tn, index, est, a, + &act_skbedit_ops, bind, true); + if (ret) { +- tcf_idr_cleanup(tn, parm->index); ++ tcf_idr_cleanup(tn, index); + return ret; + } + +--- a/net/sched/act_skbmod.c ++++ b/net/sched/act_skbmod.c +@@ -87,12 +87,12 @@ static int tcf_skbmod_init(struct net *n + struct tcf_skbmod_params *p, *p_old; + struct tcf_chain *goto_ch = NULL; + struct tc_skbmod *parm; ++ u32 lflags = 0, index; + struct tcf_skbmod *d; + bool exists = false; + u8 *daddr = NULL; + u8 *saddr = NULL; + u16 eth_type = 0; +- u32 lflags = 0; + int ret = 0, err; + + if (!nla) +@@ -122,10 +122,11 @@ static int tcf_skbmod_init(struct net *n + } + + parm = nla_data(tb[TCA_SKBMOD_PARMS]); ++ index = parm->index; + if (parm->flags & SKBMOD_F_SWAPMAC) + lflags = SKBMOD_F_SWAPMAC; + +- err = tcf_idr_check_alloc(tn, &parm->index, a, bind); ++ err = tcf_idr_check_alloc(tn, &index, a, bind); + if (err < 0) + return err; + exists = err; +@@ -136,15 +137,15 @@ static int tcf_skbmod_init(struct net *n + if (exists) + tcf_idr_release(*a, bind); + else +- tcf_idr_cleanup(tn, parm->index); ++ tcf_idr_cleanup(tn, index); + return -EINVAL; + } + + if (!exists) { +- ret = tcf_idr_create(tn, parm->index, est, a, ++ ret = tcf_idr_create(tn, index, est, a, + &act_skbmod_ops, bind, true); + if (ret) { +- tcf_idr_cleanup(tn, parm->index); ++ tcf_idr_cleanup(tn, index); + return ret; + } + +--- a/net/sched/act_tunnel_key.c ++++ b/net/sched/act_tunnel_key.c +@@ -225,6 +225,7 @@ static int tunnel_key_init(struct net *n + __be16 flags = 0; + u8 tos, ttl; + int ret = 0; ++ u32 index; + int err; + + if (!nla) { +@@ -245,7 +246,8 @@ static int tunnel_key_init(struct net *n + } + + parm = nla_data(tb[TCA_TUNNEL_KEY_PARMS]); +- err = tcf_idr_check_alloc(tn, &parm->index, a, bind); ++ index = parm->index; ++ err = tcf_idr_check_alloc(tn, &index, a, bind); + if (err < 0) + return err; + exists = err; +@@ -345,7 +347,7 @@ static int tunnel_key_init(struct net *n + } + + if (!exists) { +- ret = tcf_idr_create(tn, parm->index, est, a, ++ ret = tcf_idr_create(tn, index, est, a, + &act_tunnel_key_ops, bind, true); + if (ret) { + NL_SET_ERR_MSG(extack, "Cannot create TC IDR"); +@@ -403,7 +405,7 @@ err_out: + if (exists) + tcf_idr_release(*a, bind); + else +- tcf_idr_cleanup(tn, parm->index); ++ tcf_idr_cleanup(tn, index); + return ret; + } + +--- a/net/sched/act_vlan.c ++++ b/net/sched/act_vlan.c +@@ -116,6 +116,7 @@ static int tcf_vlan_init(struct net *net + u8 push_prio = 0; + bool exists = false; + int ret = 0, err; ++ u32 index; + + if (!nla) + return -EINVAL; +@@ -128,7 +129,8 @@ static int tcf_vlan_init(struct net *net + if (!tb[TCA_VLAN_PARMS]) + return -EINVAL; + parm = nla_data(tb[TCA_VLAN_PARMS]); +- err = tcf_idr_check_alloc(tn, &parm->index, a, bind); ++ index = parm->index; ++ err = tcf_idr_check_alloc(tn, &index, a, bind); + if (err < 0) + return err; + exists = err; +@@ -144,7 +146,7 @@ static int tcf_vlan_init(struct net *net + if (exists) + tcf_idr_release(*a, bind); + else +- tcf_idr_cleanup(tn, parm->index); ++ tcf_idr_cleanup(tn, index); + return -EINVAL; + } + push_vid = nla_get_u16(tb[TCA_VLAN_PUSH_VLAN_ID]); +@@ -152,7 +154,7 @@ static int tcf_vlan_init(struct net *net + if (exists) + tcf_idr_release(*a, bind); + else +- tcf_idr_cleanup(tn, parm->index); ++ tcf_idr_cleanup(tn, index); + return -ERANGE; + } + +@@ -166,7 +168,7 @@ static int tcf_vlan_init(struct net *net + if (exists) + tcf_idr_release(*a, bind); + else +- tcf_idr_cleanup(tn, parm->index); ++ tcf_idr_cleanup(tn, index); + return -EPROTONOSUPPORT; + } + } else { +@@ -180,16 +182,16 @@ static int tcf_vlan_init(struct net *net + if (exists) + tcf_idr_release(*a, bind); + else +- tcf_idr_cleanup(tn, parm->index); ++ tcf_idr_cleanup(tn, index); + return -EINVAL; + } + action = parm->v_action; + + if (!exists) { +- ret = tcf_idr_create(tn, parm->index, est, a, ++ ret = tcf_idr_create(tn, index, est, a, + &act_vlan_ops, bind, true); + if (ret) { +- tcf_idr_cleanup(tn, parm->index); ++ tcf_idr_cleanup(tn, index); + return ret; + } + diff --git a/queue-5.2/net-smc-avoid-fallback-in-case-of-non-blocking-connect.patch b/queue-5.2/net-smc-avoid-fallback-in-case-of-non-blocking-connect.patch new file mode 100644 index 00000000000..56d933874b1 --- /dev/null +++ b/queue-5.2/net-smc-avoid-fallback-in-case-of-non-blocking-connect.patch @@ -0,0 +1,57 @@ +From foo@baz Thu 08 Aug 2019 08:50:15 AM CEST +From: Ursula Braun +Date: Fri, 2 Aug 2019 10:47:50 +0200 +Subject: net/smc: avoid fallback in case of non-blocking connect + +From: Ursula Braun + +[ Upstream commit cd2063604ea6a8c2683b4eb9b5f4c4da74592d87 ] + +FASTOPEN is not possible with SMC. sendmsg() with msg_flag MSG_FASTOPEN +triggers a fallback to TCP if the socket is in state SMC_INIT. +But if a nonblocking connect is already started, fallback to TCP +is no longer possible, even though the socket may still be in state +SMC_INIT. +And if a nonblocking connect is already started, a listen() call +does not make sense. + +Reported-by: syzbot+bd8cc73d665590a1fcad@syzkaller.appspotmail.com +Fixes: 50717a37db032 ("net/smc: nonblocking connect rework") +Signed-off-by: Ursula Braun +Signed-off-by: Karsten Graul +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/smc/af_smc.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/net/smc/af_smc.c ++++ b/net/smc/af_smc.c +@@ -253,7 +253,7 @@ static int smc_bind(struct socket *sock, + + /* Check if socket is already active */ + rc = -EINVAL; +- if (sk->sk_state != SMC_INIT) ++ if (sk->sk_state != SMC_INIT || smc->connect_nonblock) + goto out_rel; + + smc->clcsock->sk->sk_reuse = sk->sk_reuse; +@@ -1399,7 +1399,8 @@ static int smc_listen(struct socket *soc + lock_sock(sk); + + rc = -EINVAL; +- if ((sk->sk_state != SMC_INIT) && (sk->sk_state != SMC_LISTEN)) ++ if ((sk->sk_state != SMC_INIT && sk->sk_state != SMC_LISTEN) || ++ smc->connect_nonblock) + goto out; + + rc = 0; +@@ -1527,7 +1528,7 @@ static int smc_sendmsg(struct socket *so + goto out; + + if (msg->msg_flags & MSG_FASTOPEN) { +- if (sk->sk_state == SMC_INIT) { ++ if (sk->sk_state == SMC_INIT && !smc->connect_nonblock) { + smc_switch_to_fallback(smc); + smc->fallback_rsn = SMC_CLC_DECL_OPTUNSUPP; + } else { diff --git a/queue-5.2/net-smc-do-not-schedule-tx_work-in-smc_closed-state.patch b/queue-5.2/net-smc-do-not-schedule-tx_work-in-smc_closed-state.patch new file mode 100644 index 00000000000..accf581615f --- /dev/null +++ b/queue-5.2/net-smc-do-not-schedule-tx_work-in-smc_closed-state.patch @@ -0,0 +1,47 @@ +From foo@baz Thu 08 Aug 2019 08:50:15 AM CEST +From: Ursula Braun +Date: Fri, 2 Aug 2019 10:16:38 +0200 +Subject: net/smc: do not schedule tx_work in SMC_CLOSED state + +From: Ursula Braun + +[ Upstream commit f9cedf1a9b1cdcfb0c52edb391d01771e43994a4 ] + +The setsockopts options TCP_NODELAY and TCP_CORK may schedule the +tx worker. Make sure the socket is not yet moved into SMC_CLOSED +state (for instance by a shutdown SHUT_RDWR call). + +Reported-by: syzbot+92209502e7aab127c75f@syzkaller.appspotmail.com +Reported-by: syzbot+b972214bb803a343f4fe@syzkaller.appspotmail.com +Fixes: 01d2f7e2cdd31 ("net/smc: sockopts TCP_NODELAY and TCP_CORK") +Signed-off-by: Ursula Braun +Signed-off-by: Karsten Graul +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/smc/af_smc.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/net/smc/af_smc.c ++++ b/net/smc/af_smc.c +@@ -1741,14 +1741,18 @@ static int smc_setsockopt(struct socket + } + break; + case TCP_NODELAY: +- if (sk->sk_state != SMC_INIT && sk->sk_state != SMC_LISTEN) { ++ if (sk->sk_state != SMC_INIT && ++ sk->sk_state != SMC_LISTEN && ++ sk->sk_state != SMC_CLOSED) { + if (val && !smc->use_fallback) + mod_delayed_work(system_wq, &smc->conn.tx_work, + 0); + } + break; + case TCP_CORK: +- if (sk->sk_state != SMC_INIT && sk->sk_state != SMC_LISTEN) { ++ if (sk->sk_state != SMC_INIT && ++ sk->sk_state != SMC_LISTEN && ++ sk->sk_state != SMC_CLOSED) { + if (!val && !smc->use_fallback) + mod_delayed_work(system_wq, &smc->conn.tx_work, + 0); diff --git a/queue-5.2/net-stmmac-use-netif_tx_napi_add-for-tx-polling-function.patch b/queue-5.2/net-stmmac-use-netif_tx_napi_add-for-tx-polling-function.patch new file mode 100644 index 00000000000..a3eb7a4f06d --- /dev/null +++ b/queue-5.2/net-stmmac-use-netif_tx_napi_add-for-tx-polling-function.patch @@ -0,0 +1,35 @@ +From foo@baz Thu 08 Aug 2019 08:50:15 AM CEST +From: Frode Isaksen +Date: Tue, 30 Jul 2019 13:38:14 +0200 +Subject: net: stmmac: Use netif_tx_napi_add() for TX polling function + +From: Frode Isaksen + +[ Upstream commit 4d97972b45f080db4c6d27cc0b54321d9cd7be17 ] + +This variant of netif_napi_add() should be used from drivers +using NAPI to exclusively poll a TX queue. + +Signed-off-by: Frode Isaksen +Tested-by: Bartosz Golaszewski +Signed-off-by: Bartosz Golaszewski +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +@@ -4374,8 +4374,9 @@ int stmmac_dvr_probe(struct device *devi + NAPI_POLL_WEIGHT); + } + if (queue < priv->plat->tx_queues_to_use) { +- netif_napi_add(ndev, &ch->tx_napi, stmmac_napi_poll_tx, +- NAPI_POLL_WEIGHT); ++ netif_tx_napi_add(ndev, &ch->tx_napi, ++ stmmac_napi_poll_tx, ++ NAPI_POLL_WEIGHT); + } + } + diff --git a/queue-5.2/nfc-nfcmrvl-fix-gpio-handling-regression.patch b/queue-5.2/nfc-nfcmrvl-fix-gpio-handling-regression.patch new file mode 100644 index 00000000000..46e9fa9e84f --- /dev/null +++ b/queue-5.2/nfc-nfcmrvl-fix-gpio-handling-regression.patch @@ -0,0 +1,77 @@ +From foo@baz Thu 08 Aug 2019 08:50:15 AM CEST +From: Johan Hovold +Date: Mon, 5 Aug 2019 12:00:55 +0200 +Subject: NFC: nfcmrvl: fix gpio-handling regression + +From: Johan Hovold + +[ Upstream commit c3953a3c2d3175d2f9f0304c9a1ba89e7743c5e4 ] + +Fix two reset-gpio sanity checks which were never converted to use +gpio_is_valid(), and make sure to use -EINVAL to indicate a missing +reset line also for the UART-driver module parameter and for the USB +driver. + +This specifically prevents the UART and USB drivers from incidentally +trying to request and use gpio 0, and also avoids triggering a WARN() in +gpio_to_desc() during probe when no valid reset line has been specified. + +Fixes: e33a3f84f88f ("NFC: nfcmrvl: allow gpio 0 for reset signalling") +Reported-by: syzbot+cf35b76f35e068a1107f@syzkaller.appspotmail.com +Tested-by: syzbot+cf35b76f35e068a1107f@syzkaller.appspotmail.com +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman +--- + drivers/nfc/nfcmrvl/main.c | 4 ++-- + drivers/nfc/nfcmrvl/uart.c | 4 ++-- + drivers/nfc/nfcmrvl/usb.c | 1 + + 3 files changed, 5 insertions(+), 4 deletions(-) + +--- a/drivers/nfc/nfcmrvl/main.c ++++ b/drivers/nfc/nfcmrvl/main.c +@@ -244,7 +244,7 @@ void nfcmrvl_chip_reset(struct nfcmrvl_p + /* Reset possible fault of previous session */ + clear_bit(NFCMRVL_PHY_ERROR, &priv->flags); + +- if (priv->config.reset_n_io) { ++ if (gpio_is_valid(priv->config.reset_n_io)) { + nfc_info(priv->dev, "reset the chip\n"); + gpio_set_value(priv->config.reset_n_io, 0); + usleep_range(5000, 10000); +@@ -255,7 +255,7 @@ void nfcmrvl_chip_reset(struct nfcmrvl_p + + void nfcmrvl_chip_halt(struct nfcmrvl_private *priv) + { +- if (priv->config.reset_n_io) ++ if (gpio_is_valid(priv->config.reset_n_io)) + gpio_set_value(priv->config.reset_n_io, 0); + } + +--- a/drivers/nfc/nfcmrvl/uart.c ++++ b/drivers/nfc/nfcmrvl/uart.c +@@ -26,7 +26,7 @@ + static unsigned int hci_muxed; + static unsigned int flow_control; + static unsigned int break_control; +-static unsigned int reset_n_io; ++static int reset_n_io = -EINVAL; + + /* + ** NFCMRVL NCI OPS +@@ -231,5 +231,5 @@ MODULE_PARM_DESC(break_control, "Tell if + module_param(hci_muxed, uint, 0); + MODULE_PARM_DESC(hci_muxed, "Tell if transport is muxed in HCI one."); + +-module_param(reset_n_io, uint, 0); ++module_param(reset_n_io, int, 0); + MODULE_PARM_DESC(reset_n_io, "GPIO that is wired to RESET_N signal."); +--- a/drivers/nfc/nfcmrvl/usb.c ++++ b/drivers/nfc/nfcmrvl/usb.c +@@ -305,6 +305,7 @@ static int nfcmrvl_probe(struct usb_inte + + /* No configuration for USB */ + memset(&config, 0, sizeof(config)); ++ config.reset_n_io = -EINVAL; + + nfc_info(&udev->dev, "intf %p id %p\n", intf, id); + diff --git a/queue-5.2/ocelot-cancel-delayed-work-before-wq-destruction.patch b/queue-5.2/ocelot-cancel-delayed-work-before-wq-destruction.patch new file mode 100644 index 00000000000..b9f4c23e13a --- /dev/null +++ b/queue-5.2/ocelot-cancel-delayed-work-before-wq-destruction.patch @@ -0,0 +1,34 @@ +From foo@baz Thu 08 Aug 2019 08:50:15 AM CEST +From: Claudiu Manoil +Date: Thu, 25 Jul 2019 16:33:18 +0300 +Subject: ocelot: Cancel delayed work before wq destruction + +From: Claudiu Manoil + +[ Upstream commit c5d139697d5d9ecf9c7cd92d7d7838a173508900 ] + +Make sure the delayed work for stats update is not pending before +wq destruction. +This fixes the module unload path. +The issue is there since day 1. + +Fixes: a556c76adc05 ("net: mscc: Add initial Ocelot switch support") + +Signed-off-by: Claudiu Manoil +Reviewed-by: Alexandre Belloni +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mscc/ocelot.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/ethernet/mscc/ocelot.c ++++ b/drivers/net/ethernet/mscc/ocelot.c +@@ -1797,6 +1797,7 @@ EXPORT_SYMBOL(ocelot_init); + + void ocelot_deinit(struct ocelot *ocelot) + { ++ cancel_delayed_work(&ocelot->stats_work); + destroy_workqueue(ocelot->stats_queue); + mutex_destroy(&ocelot->stats_lock); + } diff --git a/queue-5.2/r8169-don-t-use-msi-before-rtl8168d.patch b/queue-5.2/r8169-don-t-use-msi-before-rtl8168d.patch new file mode 100644 index 00000000000..bd2209d6979 --- /dev/null +++ b/queue-5.2/r8169-don-t-use-msi-before-rtl8168d.patch @@ -0,0 +1,49 @@ +From foo@baz Thu 08 Aug 2019 08:50:15 AM CEST +From: Heiner Kallweit +Date: Sat, 27 Jul 2019 12:45:10 +0200 +Subject: r8169: don't use MSI before RTL8168d + +From: Heiner Kallweit + +[ Upstream commit 003bd5b4a7b4a94b501e3a1e2e7c9df6b2a94ed4 ] + +It was reported that after resuming from suspend network fails with +error "do_IRQ: 3.38 No irq handler for vector", see [0]. Enabling WoL +can work around the issue, but the only actual fix is to disable MSI. +So let's mimic the behavior of the vendor driver and disable MSI on +all chip versions before RTL8168d. + +[0] https://bugzilla.kernel.org/show_bug.cgi?id=204079 + +Fixes: 6c6aa15fdea5 ("r8169: improve interrupt handling") +Reported-by: DuÅ¡an Dragić +Tested-by: DuÅ¡an Dragić +Signed-off-by: Heiner Kallweit +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/realtek/r8169.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/realtek/r8169.c ++++ b/drivers/net/ethernet/realtek/r8169.c +@@ -7050,13 +7050,18 @@ static int rtl_alloc_irq(struct rtl8169_ + { + unsigned int flags; + +- if (tp->mac_version <= RTL_GIGA_MAC_VER_06) { ++ switch (tp->mac_version) { ++ case RTL_GIGA_MAC_VER_02 ... RTL_GIGA_MAC_VER_06: + rtl_unlock_config_regs(tp); + RTL_W8(tp, Config2, RTL_R8(tp, Config2) & ~MSIEnable); + rtl_lock_config_regs(tp); ++ /* fall through */ ++ case RTL_GIGA_MAC_VER_07 ... RTL_GIGA_MAC_VER_24: + flags = PCI_IRQ_LEGACY; +- } else { ++ break; ++ default: + flags = PCI_IRQ_ALL_TYPES; ++ break; + } + + return pci_alloc_irq_vectors(tp->pci_dev, 1, 1, flags); diff --git a/queue-5.2/rocker-fix-memory-leaks-of-fib_work-on-two-error-return-paths.patch b/queue-5.2/rocker-fix-memory-leaks-of-fib_work-on-two-error-return-paths.patch new file mode 100644 index 00000000000..b1bbcdc7e28 --- /dev/null +++ b/queue-5.2/rocker-fix-memory-leaks-of-fib_work-on-two-error-return-paths.patch @@ -0,0 +1,34 @@ +From foo@baz Thu 08 Aug 2019 08:50:15 AM CEST +From: Colin Ian King +Date: Sun, 28 Jul 2019 00:37:26 +0100 +Subject: rocker: fix memory leaks of fib_work on two error return paths + +From: Colin Ian King + +[ Upstream commit 011f175428d46461f94a65dacb9a416529d08dda ] + +Currently there are two error return paths that leak memory allocated +to fib_work. Fix this by kfree'ing fib_work before returning. + +Addresses-Coverity: ("Resource leak") +Fixes: 19a9d136f198 ("ipv4: Flag fib_info with a fib_nh using IPv6 gateway") +Fixes: dbcc4fa718ee ("rocker: Fail attempts to use routes with nexthop objects") +Signed-off-by: Colin Ian King +Reviewed-by: David Ahern +Acked-by: Jiri Pirko +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/rocker/rocker_main.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/ethernet/rocker/rocker_main.c ++++ b/drivers/net/ethernet/rocker/rocker_main.c +@@ -2208,6 +2208,7 @@ static int rocker_router_fib_event(struc + + if (fen_info->fi->fib_nh_is_v6) { + NL_SET_ERR_MSG_MOD(info->extack, "IPv6 gateway with IPv4 route is not supported"); ++ kfree(fib_work); + return notifier_from_errno(-EINVAL); + } + } diff --git a/queue-5.2/selftests-bpf-add-wrapper-scripts-for-test_xdp_vlan.sh.patch b/queue-5.2/selftests-bpf-add-wrapper-scripts-for-test_xdp_vlan.sh.patch new file mode 100644 index 00000000000..c65cf68fb6f --- /dev/null +++ b/queue-5.2/selftests-bpf-add-wrapper-scripts-for-test_xdp_vlan.sh.patch @@ -0,0 +1,75 @@ +From foo@baz Thu 08 Aug 2019 08:50:15 AM CEST +From: Jesper Dangaard Brouer +Date: Thu, 1 Aug 2019 20:00:21 +0200 +Subject: selftests/bpf: add wrapper scripts for test_xdp_vlan.sh + +From: Jesper Dangaard Brouer + +[ Upstream commit d35661fcf95d8818c1f9acc818a1bad23dda4e1c ] + +In-order to test both native-XDP (xdpdrv) and generic-XDP (xdpgeneric) +create two wrapper test scripts, that start the test_xdp_vlan.sh script +with these modes. + +Signed-off-by: Jesper Dangaard Brouer +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/bpf/Makefile | 3 ++- + tools/testing/selftests/bpf/test_xdp_vlan.sh | 5 ++++- + tools/testing/selftests/bpf/test_xdp_vlan_mode_generic.sh | 9 +++++++++ + tools/testing/selftests/bpf/test_xdp_vlan_mode_native.sh | 9 +++++++++ + 4 files changed, 24 insertions(+), 2 deletions(-) + create mode 100755 tools/testing/selftests/bpf/test_xdp_vlan_mode_generic.sh + create mode 100755 tools/testing/selftests/bpf/test_xdp_vlan_mode_native.sh + +--- a/tools/testing/selftests/bpf/Makefile ++++ b/tools/testing/selftests/bpf/Makefile +@@ -51,7 +51,8 @@ TEST_PROGS := test_kmod.sh \ + test_lirc_mode2.sh \ + test_skb_cgroup_id.sh \ + test_flow_dissector.sh \ +- test_xdp_vlan.sh \ ++ test_xdp_vlan_mode_generic.sh \ ++ test_xdp_vlan_mode_native.sh \ + test_lwt_ip_encap.sh \ + test_tcp_check_syncookie.sh \ + test_tc_tunnel.sh \ +--- a/tools/testing/selftests/bpf/test_xdp_vlan.sh ++++ b/tools/testing/selftests/bpf/test_xdp_vlan.sh +@@ -2,7 +2,10 @@ + # SPDX-License-Identifier: GPL-2.0 + # Author: Jesper Dangaard Brouer + +-TESTNAME=xdp_vlan ++# Allow wrapper scripts to name test ++if [ -z "$TESTNAME" ]; then ++ TESTNAME=xdp_vlan ++fi + + # Default XDP mode + XDP_MODE=xdpgeneric +--- /dev/null ++++ b/tools/testing/selftests/bpf/test_xdp_vlan_mode_generic.sh +@@ -0,0 +1,9 @@ ++#!/bin/bash ++# SPDX-License-Identifier: GPL-2.0 ++ ++# Exit on failure ++set -e ++ ++# Wrapper script to test generic-XDP ++export TESTNAME=xdp_vlan_mode_generic ++./test_xdp_vlan.sh --mode=xdpgeneric +--- /dev/null ++++ b/tools/testing/selftests/bpf/test_xdp_vlan_mode_native.sh +@@ -0,0 +1,9 @@ ++#!/bin/bash ++# SPDX-License-Identifier: GPL-2.0 ++ ++# Exit on failure ++set -e ++ ++# Wrapper script to test native-XDP ++export TESTNAME=xdp_vlan_mode_native ++./test_xdp_vlan.sh --mode=xdpdrv diff --git a/queue-5.2/selftests-bpf-reduce-time-to-execute-test_xdp_vlan.sh.patch b/queue-5.2/selftests-bpf-reduce-time-to-execute-test_xdp_vlan.sh.patch new file mode 100644 index 00000000000..117d5de24b5 --- /dev/null +++ b/queue-5.2/selftests-bpf-reduce-time-to-execute-test_xdp_vlan.sh.patch @@ -0,0 +1,50 @@ +From foo@baz Thu 08 Aug 2019 08:50:15 AM CEST +From: Jesper Dangaard Brouer +Date: Thu, 1 Aug 2019 20:00:26 +0200 +Subject: selftests/bpf: reduce time to execute test_xdp_vlan.sh + +From: Jesper Dangaard Brouer + +[ Upstream commit 13978d1e73d2fcfb6addcf3392707ad68fa88ccb ] + +Given the increasing number of BPF selftests, it makes sense to +reduce the time to execute these tests. The ping parameters are +adjusted to reduce the time from measures 9 sec to approx 2.8 sec. + +Signed-off-by: Jesper Dangaard Brouer +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/bpf/test_xdp_vlan.sh | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +--- a/tools/testing/selftests/bpf/test_xdp_vlan.sh ++++ b/tools/testing/selftests/bpf/test_xdp_vlan.sh +@@ -188,7 +188,7 @@ ip netns exec ns2 ip link set lo up + # At this point, the hosts cannot reach each-other, + # because ns2 are using VLAN tags on the packets. + +-ip netns exec ns2 sh -c 'ping -W 1 -c 1 100.64.41.1 || echo "Okay ping fails"' ++ip netns exec ns2 sh -c 'ping -W 1 -c 1 100.64.41.1 || echo "Success: First ping must fail"' + + + # Now we can use the test_xdp_vlan.c program to pop/push these VLAN tags +@@ -210,8 +210,8 @@ ip netns exec ns1 tc filter add dev $DEV + prio 1 handle 1 bpf da obj $FILE sec tc_vlan_push + + # Now the namespaces can reach each-other, test with ping: +-ip netns exec ns2 ping -W 2 -c 3 $IPADDR1 +-ip netns exec ns1 ping -W 2 -c 3 $IPADDR2 ++ip netns exec ns2 ping -i 0.2 -W 2 -c 2 $IPADDR1 ++ip netns exec ns1 ping -i 0.2 -W 2 -c 2 $IPADDR2 + + # Second test: Replace xdp prog, that fully remove vlan header + # +@@ -224,5 +224,5 @@ ip netns exec ns1 ip link set $DEVNS1 $X + ip netns exec ns1 ip link set $DEVNS1 $XDP_MODE object $FILE section $XDP_PROG + + # Now the namespaces should still be able reach each-other, test with ping: +-ip netns exec ns2 ping -W 2 -c 3 $IPADDR1 +-ip netns exec ns1 ping -W 2 -c 3 $IPADDR2 ++ip netns exec ns2 ping -i 0.2 -W 2 -c 2 $IPADDR1 ++ip netns exec ns1 ping -i 0.2 -W 2 -c 2 $IPADDR2 diff --git a/queue-5.2/series b/queue-5.2/series index 20148a1b49c..51873f28d5e 100644 --- a/queue-5.2/series +++ b/queue-5.2/series @@ -5,3 +5,49 @@ alsa-usb-audio-sanity-checks-for-each-pipe-and-ep-ty.patch alsa-usb-audio-fix-gpf-in-snd_usb_pipe_sanity_check.patch hid-wacom-fix-bit-shift-for-cintiq-companion-2.patch hid-add-quirk-for-hp-x1200-pixart-oem-mouse.patch +atm-iphase-fix-spectre-v1-vulnerability.patch +bnx2x-disable-multi-cos-feature.patch +drivers-net-ethernet-marvell-mvmdio.c-fix-non-of-case.patch +ife-error-out-when-nla-attributes-are-empty.patch +ip6_gre-reload-ipv6h-in-prepare_ip6gre_xmit_ipv6.patch +ip6_tunnel-fix-possible-use-after-free-on-xmit.patch +ipip-validate-header-length-in-ipip_tunnel_xmit.patch +mlxsw-spectrum-fix-error-path-in-mlxsw_sp_module_init.patch +mvpp2-fix-panic-on-module-removal.patch +mvpp2-refactor-mtu-change-code.patch +net-bridge-delete-local-fdb-on-device-init-failure.patch +net-bridge-mcast-don-t-delete-permanent-entries-when-fast-leave-is-enabled.patch +net-bridge-move-default-pvid-init-deinit-to-netdev_register-unregister.patch +net-fix-ifindex-collision-during-namespace-removal.patch +net-mlx5e-always-initialize-frag-last_in_page.patch +net-mlx5-use-reversed-order-when-unregister-devices.patch +net-phy-fixed_phy-print-gpio-error-only-if-gpio-node-is-present.patch +net-phylink-don-t-start-and-stop-sgmii-phys-in-sfp-modules-twice.patch +net-phylink-fix-flow-control-for-fixed-link.patch +net-phy-mscc-initialize-stats-array.patch +net-qualcomm-rmnet-fix-incorrect-ul-checksum-offload-logic.patch +net-sched-fix-a-possible-null-pointer-dereference-in-dequeue_func.patch +net-sched-update-vlan-action-for-batched-events-operations.patch +net-sched-use-temporary-variable-for-actions-indexes.patch +net-smc-do-not-schedule-tx_work-in-smc_closed-state.patch +net-stmmac-use-netif_tx_napi_add-for-tx-polling-function.patch +nfc-nfcmrvl-fix-gpio-handling-regression.patch +ocelot-cancel-delayed-work-before-wq-destruction.patch +tipc-compat-allow-tipc-commands-without-arguments.patch +tipc-fix-unitilized-skb-list-crash.patch +tun-mark-small-packets-as-owned-by-the-tap-sock.patch +net-mlx5-fix-modify_cq_in-alignment.patch +net-mlx5e-prevent-encap-flow-counter-update-async-to-user-query.patch +r8169-don-t-use-msi-before-rtl8168d.patch +bpf-fix-xdp-vlan-selftests-test_xdp_vlan.sh.patch +selftests-bpf-add-wrapper-scripts-for-test_xdp_vlan.sh.patch +selftests-bpf-reduce-time-to-execute-test_xdp_vlan.sh.patch +net-fix-bpf_xdp_adjust_head-regression-for-generic-xdp.patch +hv_sock-fix-hang-when-a-connection-is-closed.patch +net-phy-fix-race-in-genphy_update_link.patch +net-smc-avoid-fallback-in-case-of-non-blocking-connect.patch +rocker-fix-memory-leaks-of-fib_work-on-two-error-return-paths.patch +mlxsw-spectrum_buffers-further-reduce-pool-size-on-spectrum-2.patch +net-mlx5-add-missing-rdma_rx-capabilities.patch +net-mlx5e-fix-matching-of-speed-to-prm-link-modes.patch +compat_ioctl-pppoe-fix-pppoeiocsfwd-handling.patch diff --git a/queue-5.2/tipc-compat-allow-tipc-commands-without-arguments.patch b/queue-5.2/tipc-compat-allow-tipc-commands-without-arguments.patch new file mode 100644 index 00000000000..42817d1fafd --- /dev/null +++ b/queue-5.2/tipc-compat-allow-tipc-commands-without-arguments.patch @@ -0,0 +1,85 @@ +From foo@baz Thu 08 Aug 2019 08:50:15 AM CEST +From: Taras Kondratiuk +Date: Mon, 29 Jul 2019 22:15:07 +0000 +Subject: tipc: compat: allow tipc commands without arguments + +From: Taras Kondratiuk + +[ Upstream commit 4da5f0018eef4c0de31675b670c80e82e13e99d1 ] + +Commit 2753ca5d9009 ("tipc: fix uninit-value in tipc_nl_compat_doit") +broke older tipc tools that use compat interface (e.g. tipc-config from +tipcutils package): + +% tipc-config -p +operation not supported + +The commit started to reject TIPC netlink compat messages that do not +have attributes. It is too restrictive because some of such messages are +valid (they don't need any arguments): + +% grep 'tx none' include/uapi/linux/tipc_config.h +#define TIPC_CMD_NOOP 0x0000 /* tx none, rx none */ +#define TIPC_CMD_GET_MEDIA_NAMES 0x0002 /* tx none, rx media_name(s) */ +#define TIPC_CMD_GET_BEARER_NAMES 0x0003 /* tx none, rx bearer_name(s) */ +#define TIPC_CMD_SHOW_PORTS 0x0006 /* tx none, rx ultra_string */ +#define TIPC_CMD_GET_REMOTE_MNG 0x4003 /* tx none, rx unsigned */ +#define TIPC_CMD_GET_MAX_PORTS 0x4004 /* tx none, rx unsigned */ +#define TIPC_CMD_GET_NETID 0x400B /* tx none, rx unsigned */ +#define TIPC_CMD_NOT_NET_ADMIN 0xC001 /* tx none, rx none */ + +This patch relaxes the original fix and rejects messages without +arguments only if such arguments are expected by a command (reg_type is +non zero). + +Fixes: 2753ca5d9009 ("tipc: fix uninit-value in tipc_nl_compat_doit") +Cc: stable@vger.kernel.org +Signed-off-by: Taras Kondratiuk +Acked-by: Ying Xue +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/tipc/netlink_compat.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +--- a/net/tipc/netlink_compat.c ++++ b/net/tipc/netlink_compat.c +@@ -55,6 +55,7 @@ struct tipc_nl_compat_msg { + int rep_type; + int rep_size; + int req_type; ++ int req_size; + struct net *net; + struct sk_buff *rep; + struct tlv_desc *req; +@@ -257,7 +258,8 @@ static int tipc_nl_compat_dumpit(struct + int err; + struct sk_buff *arg; + +- if (msg->req_type && !TLV_CHECK_TYPE(msg->req, msg->req_type)) ++ if (msg->req_type && (!msg->req_size || ++ !TLV_CHECK_TYPE(msg->req, msg->req_type))) + return -EINVAL; + + msg->rep = tipc_tlv_alloc(msg->rep_size); +@@ -354,7 +356,8 @@ static int tipc_nl_compat_doit(struct ti + { + int err; + +- if (msg->req_type && !TLV_CHECK_TYPE(msg->req, msg->req_type)) ++ if (msg->req_type && (!msg->req_size || ++ !TLV_CHECK_TYPE(msg->req, msg->req_type))) + return -EINVAL; + + err = __tipc_nl_compat_doit(cmd, msg); +@@ -1288,8 +1291,8 @@ static int tipc_nl_compat_recv(struct sk + goto send; + } + +- len = nlmsg_attrlen(req_nlh, GENL_HDRLEN + TIPC_GENL_HDRLEN); +- if (!len || !TLV_OK(msg.req, len)) { ++ msg.req_size = nlmsg_attrlen(req_nlh, GENL_HDRLEN + TIPC_GENL_HDRLEN); ++ if (msg.req_size && !TLV_OK(msg.req, msg.req_size)) { + msg.rep = tipc_get_err_tlv(TIPC_CFG_NOT_SUPPORTED); + err = -EOPNOTSUPP; + goto send; diff --git a/queue-5.2/tipc-fix-unitilized-skb-list-crash.patch b/queue-5.2/tipc-fix-unitilized-skb-list-crash.patch new file mode 100644 index 00000000000..8473f5ea5a1 --- /dev/null +++ b/queue-5.2/tipc-fix-unitilized-skb-list-crash.patch @@ -0,0 +1,104 @@ +From foo@baz Thu 08 Aug 2019 08:50:15 AM CEST +From: Jon Maloy +Date: Tue, 30 Jul 2019 20:19:10 +0200 +Subject: tipc: fix unitilized skb list crash + +From: Jon Maloy + +[ Upstream commit 2948a1fcd77a8bb11604387e3fc52f0ebf5729e9 ] + +Our test suite somtimes provokes the following crash: + +Description of problem: +[ 1092.597234] BUG: unable to handle kernel NULL pointer dereference at 00000000000000e8 +[ 1092.605072] PGD 0 P4D 0 +[ 1092.607620] Oops: 0000 [#1] SMP PTI +[ 1092.611118] CPU: 37 PID: 0 Comm: swapper/37 Kdump: loaded Not tainted 4.18.0-122.el8.x86_64 #1 +[ 1092.619724] Hardware name: Dell Inc. PowerEdge R740/08D89F, BIOS 1.3.7 02/08/2018 +[ 1092.627215] RIP: 0010:tipc_mcast_filter_msg+0x93/0x2d0 [tipc] +[ 1092.632955] Code: 0f 84 aa 01 00 00 89 cf 4d 01 ca 4c 8b 26 c1 ef 19 83 e7 0f 83 ff 0c 4d 0f 45 d1 41 8b 6a 10 0f cd 4c 39 e6 0f 84 81 01 00 00 <4d> 8b 9c 24 e8 00 00 00 45 8b 13 41 0f ca 44 89 d7 c1 ef 13 83 e7 +[ 1092.651703] RSP: 0018:ffff929e5fa83a18 EFLAGS: 00010282 +[ 1092.656927] RAX: ffff929e3fb38100 RBX: 00000000069f29ee RCX: 00000000416c0045 +[ 1092.664058] RDX: ffff929e5fa83a88 RSI: ffff929e31a28420 RDI: 0000000000000000 +[ 1092.671209] RBP: 0000000029b11821 R08: 0000000000000000 R09: ffff929e39b4407a +[ 1092.678343] R10: ffff929e39b4407a R11: 0000000000000007 R12: 0000000000000000 +[ 1092.685475] R13: 0000000000000001 R14: ffff929e3fb38100 R15: ffff929e39b4407a +[ 1092.692614] FS: 0000000000000000(0000) GS:ffff929e5fa80000(0000) knlGS:0000000000000000 +[ 1092.700702] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 1092.706447] CR2: 00000000000000e8 CR3: 000000031300a004 CR4: 00000000007606e0 +[ 1092.713579] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[ 1092.720712] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +[ 1092.727843] PKRU: 55555554 +[ 1092.730556] Call Trace: +[ 1092.733010] +[ 1092.735034] tipc_sk_filter_rcv+0x7ca/0xb80 [tipc] +[ 1092.739828] ? __kmalloc_node_track_caller+0x1cb/0x290 +[ 1092.744974] ? dev_hard_start_xmit+0xa5/0x210 +[ 1092.749332] tipc_sk_rcv+0x389/0x640 [tipc] +[ 1092.753519] tipc_sk_mcast_rcv+0x23c/0x3a0 [tipc] +[ 1092.758224] tipc_rcv+0x57a/0xf20 [tipc] +[ 1092.762154] ? ktime_get_real_ts64+0x40/0xe0 +[ 1092.766432] ? tpacket_rcv+0x50/0x9f0 +[ 1092.770098] tipc_l2_rcv_msg+0x4a/0x70 [tipc] +[ 1092.774452] __netif_receive_skb_core+0xb62/0xbd0 +[ 1092.779164] ? enqueue_entity+0xf6/0x630 +[ 1092.783084] ? kmem_cache_alloc+0x158/0x1c0 +[ 1092.787272] ? __build_skb+0x25/0xd0 +[ 1092.790849] netif_receive_skb_internal+0x42/0xf0 +[ 1092.795557] napi_gro_receive+0xba/0xe0 +[ 1092.799417] mlx5e_handle_rx_cqe+0x83/0xd0 [mlx5_core] +[ 1092.804564] mlx5e_poll_rx_cq+0xd5/0x920 [mlx5_core] +[ 1092.809536] mlx5e_napi_poll+0xb2/0xce0 [mlx5_core] +[ 1092.814415] ? __wake_up_common_lock+0x89/0xc0 +[ 1092.818861] net_rx_action+0x149/0x3b0 +[ 1092.822616] __do_softirq+0xe3/0x30a +[ 1092.826193] irq_exit+0x100/0x110 +[ 1092.829512] do_IRQ+0x85/0xd0 +[ 1092.832483] common_interrupt+0xf/0xf +[ 1092.836147] +[ 1092.838255] RIP: 0010:cpuidle_enter_state+0xb7/0x2a0 +[ 1092.843221] Code: e8 3e 79 a5 ff 80 7c 24 03 00 74 17 9c 58 0f 1f 44 00 00 f6 c4 02 0f 85 d7 01 00 00 31 ff e8 a0 6b ab ff fb 66 0f 1f 44 00 00 <48> b8 ff ff ff ff f3 01 00 00 4c 29 f3 ba ff ff ff 7f 48 39 c3 7f +[ 1092.861967] RSP: 0018:ffffaa5ec6533e98 EFLAGS: 00000246 ORIG_RAX: ffffffffffffffdd +[ 1092.869530] RAX: ffff929e5faa3100 RBX: 000000fe63dd2092 RCX: 000000000000001f +[ 1092.876665] RDX: 000000fe63dd2092 RSI: 000000003a518aaa RDI: 0000000000000000 +[ 1092.883795] RBP: 0000000000000003 R08: 0000000000000004 R09: 0000000000022940 +[ 1092.890929] R10: 0000040cb0666b56 R11: ffff929e5faa20a8 R12: ffff929e5faade78 +[ 1092.898060] R13: ffffffffb59258f8 R14: 000000fe60f3228d R15: 0000000000000000 +[ 1092.905196] ? cpuidle_enter_state+0x92/0x2a0 +[ 1092.909555] do_idle+0x236/0x280 +[ 1092.912785] cpu_startup_entry+0x6f/0x80 +[ 1092.916715] start_secondary+0x1a7/0x200 +[ 1092.920642] secondary_startup_64+0xb7/0xc0 +[...] + +The reason is that the skb list tipc_socket::mc_method.deferredq only +is initialized for connectionless sockets, while nothing stops arriving +multicast messages from being filtered by connection oriented sockets, +with subsequent access to the said list. + +We fix this by initializing the list unconditionally at socket creation. +This eliminates the crash, while the message still is dropped further +down in tipc_sk_filter_rcv() as it should be. + +Reported-by: Li Shuang +Signed-off-by: Jon Maloy +Reviewed-by: Xin Long +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/tipc/socket.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/net/tipc/socket.c ++++ b/net/tipc/socket.c +@@ -485,9 +485,8 @@ static int tipc_sk_create(struct net *ne + tsk_set_unreturnable(tsk, true); + if (sock->type == SOCK_DGRAM) + tsk_set_unreliable(tsk, true); +- __skb_queue_head_init(&tsk->mc_method.deferredq); + } +- ++ __skb_queue_head_init(&tsk->mc_method.deferredq); + trace_tipc_sk_create(sk, NULL, TIPC_DUMP_NONE, " "); + return 0; + } diff --git a/queue-5.2/tun-mark-small-packets-as-owned-by-the-tap-sock.patch b/queue-5.2/tun-mark-small-packets-as-owned-by-the-tap-sock.patch new file mode 100644 index 00000000000..79ecee61ec5 --- /dev/null +++ b/queue-5.2/tun-mark-small-packets-as-owned-by-the-tap-sock.patch @@ -0,0 +1,72 @@ +From foo@baz Thu 08 Aug 2019 08:50:15 AM CEST +From: Alexis Bauvin +Date: Tue, 23 Jul 2019 16:23:01 +0200 +Subject: tun: mark small packets as owned by the tap sock + +From: Alexis Bauvin + +[ Upstream commit 4b663366246be1d1d4b1b8b01245b2e88ad9e706 ] + +- v1 -> v2: Move skb_set_owner_w to __tun_build_skb to reduce patch size + +Small packets going out of a tap device go through an optimized code +path that uses build_skb() rather than sock_alloc_send_pskb(). The +latter calls skb_set_owner_w(), but the small packet code path does not. + +The net effect is that small packets are not owned by the userland +application's socket (e.g. QEMU), while large packets are. +This can be seen with a TCP session, where packets are not owned when +the window size is small enough (around PAGE_SIZE), while they are once +the window grows (note that this requires the host to support virtio +tso for the guest to offload segmentation). +All this leads to inconsistent behaviour in the kernel, especially on +netfilter modules that uses sk->socket (e.g. xt_owner). + +Fixes: 66ccbc9c87c2 ("tap: use build_skb() for small packet") +Signed-off-by: Alexis Bauvin +Acked-by: Jason Wang +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/tun.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +--- a/drivers/net/tun.c ++++ b/drivers/net/tun.c +@@ -1600,7 +1600,8 @@ static bool tun_can_build_skb(struct tun + return true; + } + +-static struct sk_buff *__tun_build_skb(struct page_frag *alloc_frag, char *buf, ++static struct sk_buff *__tun_build_skb(struct tun_file *tfile, ++ struct page_frag *alloc_frag, char *buf, + int buflen, int len, int pad) + { + struct sk_buff *skb = build_skb(buf, buflen); +@@ -1610,6 +1611,7 @@ static struct sk_buff *__tun_build_skb(s + + skb_reserve(skb, pad); + skb_put(skb, len); ++ skb_set_owner_w(skb, tfile->socket.sk); + + get_page(alloc_frag->page); + alloc_frag->offset += buflen; +@@ -1687,7 +1689,8 @@ static struct sk_buff *tun_build_skb(str + */ + if (hdr->gso_type || !xdp_prog) { + *skb_xdp = 1; +- return __tun_build_skb(alloc_frag, buf, buflen, len, pad); ++ return __tun_build_skb(tfile, alloc_frag, buf, buflen, len, ++ pad); + } + + *skb_xdp = 0; +@@ -1724,7 +1727,7 @@ static struct sk_buff *tun_build_skb(str + rcu_read_unlock(); + local_bh_enable(); + +- return __tun_build_skb(alloc_frag, buf, buflen, len, pad); ++ return __tun_build_skb(tfile, alloc_frag, buf, buflen, len, pad); + + err_xdp: + put_page(alloc_frag->page);