From: Greg Kroah-Hartman Date: Tue, 21 Jan 2020 17:25:27 +0000 (+0100) Subject: 4.9-stable patches X-Git-Tag: v4.4.211~18 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=22b945a109442ef92bb55e3871155442d7ac4939;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: net-dsa-tag_qca-fix-doubled-tx-statistics.patch net-usb-lan78xx-limit-size-of-local-tso-packets.patch net-wan-fsl_ucc_hdlc-fix-out-of-bounds-write-on-array-utdm_info.patch r8152-add-missing-endpoint-sanity-check.patch tcp-fix-marked-lost-packets-not-being-retransmitted.patch --- diff --git a/queue-4.9/macvlan-use-skb_reset_mac_header-in-macvlan_queue_xm.patch b/queue-4.9/macvlan-use-skb_reset_mac_header-in-macvlan_queue_xm.patch index fc7c1b35884..31f22f0c187 100644 --- a/queue-4.9/macvlan-use-skb_reset_mac_header-in-macvlan_queue_xm.patch +++ b/queue-4.9/macvlan-use-skb_reset_mac_header-in-macvlan_queue_xm.patch @@ -20,14 +20,12 @@ Tested-by: Matteo Croce Signed-off-by: David S. Miller Signed-off-by: Sasha Levin --- - drivers/net/macvlan.c | 5 +++-- + drivers/net/macvlan.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) -diff --git a/drivers/net/macvlan.c b/drivers/net/macvlan.c -index 854947b9db4e..e2b3d3c4d4df 100644 --- a/drivers/net/macvlan.c +++ b/drivers/net/macvlan.c -@@ -234,7 +234,7 @@ static void macvlan_broadcast(struct sk_buff *skb, +@@ -234,7 +234,7 @@ static void macvlan_broadcast(struct sk_ struct net_device *src, enum macvlan_mode mode) { @@ -36,7 +34,7 @@ index 854947b9db4e..e2b3d3c4d4df 100644 const struct macvlan_dev *vlan; struct sk_buff *nskb; unsigned int i; -@@ -487,10 +487,11 @@ static int macvlan_queue_xmit(struct sk_buff *skb, struct net_device *dev) +@@ -487,10 +487,11 @@ static int macvlan_queue_xmit(struct sk_ const struct macvlan_dev *dest; if (vlan->mode == MACVLAN_MODE_BRIDGE) { @@ -49,6 +47,3 @@ index 854947b9db4e..e2b3d3c4d4df 100644 macvlan_broadcast(skb, port, dev, MACVLAN_MODE_BRIDGE); goto xmit_world; } --- -2.20.1 - diff --git a/queue-4.9/net-dsa-tag_qca-fix-doubled-tx-statistics.patch b/queue-4.9/net-dsa-tag_qca-fix-doubled-tx-statistics.patch new file mode 100644 index 00000000000..a5c4f88ecf4 --- /dev/null +++ b/queue-4.9/net-dsa-tag_qca-fix-doubled-tx-statistics.patch @@ -0,0 +1,37 @@ +From foo@baz Tue 21 Jan 2020 06:00:26 PM CET +From: Alexander Lobakin +Date: Wed, 15 Jan 2020 11:56:52 +0300 +Subject: net: dsa: tag_qca: fix doubled Tx statistics + +From: Alexander Lobakin + +[ Upstream commit bd5874da57edd001b35cf28ae737779498c16a56 ] + +DSA subsystem takes care of netdev statistics since commit 4ed70ce9f01c +("net: dsa: Refactor transmit path to eliminate duplication"), so +any accounting inside tagger callbacks is redundant and can lead to +messing up the stats. +This bug is present in Qualcomm tagger since day 0. + +Fixes: cafdc45c949b ("net-next: dsa: add Qualcomm tag RX/TX handler") +Reviewed-by: Andrew Lunn +Signed-off-by: Alexander Lobakin +Reviewed-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/dsa/tag_qca.c | 3 --- + 1 file changed, 3 deletions(-) + +--- a/net/dsa/tag_qca.c ++++ b/net/dsa/tag_qca.c +@@ -40,9 +40,6 @@ static struct sk_buff *qca_tag_xmit(stru + struct dsa_slave_priv *p = netdev_priv(dev); + u16 *phdr, hdr; + +- dev->stats.tx_packets++; +- dev->stats.tx_bytes += skb->len; +- + if (skb_cow_head(skb, 0) < 0) + goto out_free; + diff --git a/queue-4.9/net-usb-lan78xx-limit-size-of-local-tso-packets.patch b/queue-4.9/net-usb-lan78xx-limit-size-of-local-tso-packets.patch new file mode 100644 index 00000000000..552443a61d6 --- /dev/null +++ b/queue-4.9/net-usb-lan78xx-limit-size-of-local-tso-packets.patch @@ -0,0 +1,46 @@ +From foo@baz Tue 21 Jan 2020 06:00:26 PM CET +From: Eric Dumazet +Date: Mon, 13 Jan 2020 09:27:11 -0800 +Subject: net: usb: lan78xx: limit size of local TSO packets + +From: Eric Dumazet + +[ Upstream commit f8d7408a4d7f60f8b2df0f81decdc882dd9c20dc ] + +lan78xx_tx_bh() makes sure to not exceed MAX_SINGLE_PACKET_SIZE +bytes in the aggregated packets it builds, but does +nothing to prevent large GSO packets being submitted. + +Pierre-Francois reported various hangs when/if TSO is enabled. + +For localy generated packets, we can use netif_set_gso_max_size() +to limit the size of TSO packets. + +Note that forwarded packets could still hit the issue, +so a complete fix might require implementing .ndo_features_check +for this driver, forcing a software segmentation if the size +of the TSO packet exceeds MAX_SINGLE_PACKET_SIZE. + +Fixes: 55d7de9de6c3 ("Microchip's LAN7800 family USB 2/3 to 10/100/1000 Ethernet device driver") +Signed-off-by: Eric Dumazet +Reported-by: RENARD Pierre-Francois +Tested-by: RENARD Pierre-Francois +Cc: Stefan Wahren +Cc: Woojung Huh +Cc: Microchip Linux Driver Support +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/lan78xx.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/usb/lan78xx.c ++++ b/drivers/net/usb/lan78xx.c +@@ -3375,6 +3375,7 @@ static int lan78xx_probe(struct usb_inte + + if (netdev->mtu > (dev->hard_mtu - netdev->hard_header_len)) + netdev->mtu = dev->hard_mtu - netdev->hard_header_len; ++ netif_set_gso_max_size(netdev, MAX_SINGLE_PACKET_SIZE - MAX_HEADER); + + dev->ep_blkin = (intf->cur_altsetting)->endpoint + 0; + dev->ep_blkout = (intf->cur_altsetting)->endpoint + 1; diff --git a/queue-4.9/net-wan-fsl_ucc_hdlc-fix-out-of-bounds-write-on-array-utdm_info.patch b/queue-4.9/net-wan-fsl_ucc_hdlc-fix-out-of-bounds-write-on-array-utdm_info.patch new file mode 100644 index 00000000000..9b045bf91d9 --- /dev/null +++ b/queue-4.9/net-wan-fsl_ucc_hdlc-fix-out-of-bounds-write-on-array-utdm_info.patch @@ -0,0 +1,35 @@ +From foo@baz Tue 21 Jan 2020 06:00:26 PM CET +From: Colin Ian King +Date: Tue, 14 Jan 2020 14:54:48 +0000 +Subject: net/wan/fsl_ucc_hdlc: fix out of bounds write on array utdm_info + +From: Colin Ian King + +[ Upstream commit ddf420390526ede3b9ff559ac89f58cb59d9db2f ] + +Array utdm_info is declared as an array of MAX_HDLC_NUM (4) elements +however up to UCC_MAX_NUM (8) elements are potentially being written +to it. Currently we have an array out-of-bounds write error on the +last 4 elements. Fix this by making utdm_info UCC_MAX_NUM elements in +size. + +Addresses-Coverity: ("Out-of-bounds write") +Fixes: c19b6d246a35 ("drivers/net: support hdlc function for QE-UCC") +Signed-off-by: Colin Ian King +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wan/fsl_ucc_hdlc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/wan/fsl_ucc_hdlc.c ++++ b/drivers/net/wan/fsl_ucc_hdlc.c +@@ -77,7 +77,7 @@ static struct ucc_tdm_info utdm_primary_ + }, + }; + +-static struct ucc_tdm_info utdm_info[MAX_HDLC_NUM]; ++static struct ucc_tdm_info utdm_info[UCC_MAX_NUM]; + + static int uhdlc_init(struct ucc_hdlc_private *priv) + { diff --git a/queue-4.9/r8152-add-missing-endpoint-sanity-check.patch b/queue-4.9/r8152-add-missing-endpoint-sanity-check.patch new file mode 100644 index 00000000000..602c43174d3 --- /dev/null +++ b/queue-4.9/r8152-add-missing-endpoint-sanity-check.patch @@ -0,0 +1,35 @@ +From foo@baz Tue 21 Jan 2020 06:00:26 PM CET +From: Johan Hovold +Date: Tue, 14 Jan 2020 09:27:29 +0100 +Subject: r8152: add missing endpoint sanity check + +From: Johan Hovold + +[ Upstream commit 86f3f4cd53707ceeec079b83205c8d3c756eca93 ] + +Add missing endpoint sanity check to probe in order to prevent a +NULL-pointer dereference (or slab out-of-bounds access) when retrieving +the interrupt-endpoint bInterval on ndo_open() in case a device lacks +the expected endpoints. + +Fixes: 40a82917b1d3 ("net/usb/r8152: enable interrupt transfer") +Cc: hayeswang +Signed-off-by: Johan Hovold +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/r8152.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/net/usb/r8152.c ++++ b/drivers/net/usb/r8152.c +@@ -4365,6 +4365,9 @@ static int rtl8152_probe(struct usb_inte + return -ENODEV; + } + ++ if (intf->cur_altsetting->desc.bNumEndpoints < 3) ++ return -ENODEV; ++ + usb_reset_device(udev); + netdev = alloc_etherdev(sizeof(struct r8152)); + if (!netdev) { diff --git a/queue-4.9/series b/queue-4.9/series index b840d8e568e..559d75357dc 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -79,3 +79,8 @@ netfilter-fix-a-use-after-free-in-mtype_destroy.patch netfilter-arp_tables-init-netns-pointer-in-xt_tgdtor_param-struct.patch batman-adv-fix-dat-candidate-selection-on-little-endian-systems.patch macvlan-use-skb_reset_mac_header-in-macvlan_queue_xm.patch +net-dsa-tag_qca-fix-doubled-tx-statistics.patch +net-wan-fsl_ucc_hdlc-fix-out-of-bounds-write-on-array-utdm_info.patch +r8152-add-missing-endpoint-sanity-check.patch +tcp-fix-marked-lost-packets-not-being-retransmitted.patch +net-usb-lan78xx-limit-size-of-local-tso-packets.patch diff --git a/queue-4.9/tcp-fix-marked-lost-packets-not-being-retransmitted.patch b/queue-4.9/tcp-fix-marked-lost-packets-not-being-retransmitted.patch new file mode 100644 index 00000000000..12992392730 --- /dev/null +++ b/queue-4.9/tcp-fix-marked-lost-packets-not-being-retransmitted.patch @@ -0,0 +1,83 @@ +From foo@baz Tue 21 Jan 2020 06:00:26 PM CET +From: Pengcheng Yang +Date: Tue, 14 Jan 2020 17:23:40 +0800 +Subject: tcp: fix marked lost packets not being retransmitted + +From: Pengcheng Yang + +[ Upstream commit e176b1ba476cf36f723cfcc7a9e57f3cb47dec70 ] + +When the packet pointed to by retransmit_skb_hint is unlinked by ACK, +retransmit_skb_hint will be set to NULL in tcp_clean_rtx_queue(). +If packet loss is detected at this time, retransmit_skb_hint will be set +to point to the current packet loss in tcp_verify_retransmit_hint(), +then the packets that were previously marked lost but not retransmitted +due to the restriction of cwnd will be skipped and cannot be +retransmitted. + +To fix this, when retransmit_skb_hint is NULL, retransmit_skb_hint can +be reset only after all marked lost packets are retransmitted +(retrans_out >= lost_out), otherwise we need to traverse from +tcp_rtx_queue_head in tcp_xmit_retransmit_queue(). + +Packetdrill to demonstrate: + +// Disable RACK and set max_reordering to keep things simple + 0 `sysctl -q net.ipv4.tcp_recovery=0` + +0 `sysctl -q net.ipv4.tcp_max_reordering=3` + +// Establish a connection + +0 socket(..., SOCK_STREAM, IPPROTO_TCP) = 3 + +0 setsockopt(3, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0 + +0 bind(3, ..., ...) = 0 + +0 listen(3, 1) = 0 + + +.1 < S 0:0(0) win 32792 + +0 > S. 0:0(0) ack 1 <...> + +.01 < . 1:1(0) ack 1 win 257 + +0 accept(3, ..., ...) = 4 + +// Send 8 data segments + +0 write(4, ..., 8000) = 8000 + +0 > P. 1:8001(8000) ack 1 + +// Enter recovery and 1:3001 is marked lost + +.01 < . 1:1(0) ack 1 win 257 + +0 < . 1:1(0) ack 1 win 257 + +0 < . 1:1(0) ack 1 win 257 + +// Retransmit 1:1001, now retransmit_skb_hint points to 1001:2001 + +0 > . 1:1001(1000) ack 1 + +// 1001:2001 was ACKed causing retransmit_skb_hint to be set to NULL + +.01 < . 1:1(0) ack 2001 win 257 +// Now retransmit_skb_hint points to 4001:5001 which is now marked lost + +// BUG: 2001:3001 was not retransmitted + +0 > . 2001:3001(1000) ack 1 + +Signed-off-by: Pengcheng Yang +Acked-by: Neal Cardwell +Tested-by: Neal Cardwell +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/tcp_input.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/net/ipv4/tcp_input.c ++++ b/net/ipv4/tcp_input.c +@@ -923,9 +923,10 @@ static void tcp_update_reordering(struct + /* This must be called before lost_out is incremented */ + static void tcp_verify_retransmit_hint(struct tcp_sock *tp, struct sk_buff *skb) + { +- if (!tp->retransmit_skb_hint || +- before(TCP_SKB_CB(skb)->seq, +- TCP_SKB_CB(tp->retransmit_skb_hint)->seq)) ++ if ((!tp->retransmit_skb_hint && tp->retrans_out >= tp->lost_out) || ++ (tp->retransmit_skb_hint && ++ before(TCP_SKB_CB(skb)->seq, ++ TCP_SKB_CB(tp->retransmit_skb_hint)->seq))) + tp->retransmit_skb_hint = skb; + + if (!tp->lost_out ||