From: Greg Kroah-Hartman Date: Wed, 15 May 2019 08:02:43 +0000 (+0200) Subject: 3.18-stable patches X-Git-Tag: v3.18.140~14 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=28f0052ceac6e13650f6034bc70652a219cfd63b;p=thirdparty%2Fkernel%2Fstable-queue.git 3.18-stable patches added patches: bonding-fix-arp_validate-toggling-in-active-backup-mode.patch bridge-fix-error-path-for-kobject_init_and_add.patch ipv4-fix-raw-socket-lookup-for-local-traffic.patch net-ucc_geth-fix-oops-when-changing-number-of-buffers-in-the-ring.patch packet-fix-error-path-in-packet_init.patch vlan-disable-siocshwtstamp-in-container.patch --- diff --git a/queue-3.18/bonding-fix-arp_validate-toggling-in-active-backup-mode.patch b/queue-3.18/bonding-fix-arp_validate-toggling-in-active-backup-mode.patch new file mode 100644 index 00000000000..cac92f4f1b4 --- /dev/null +++ b/queue-3.18/bonding-fix-arp_validate-toggling-in-active-backup-mode.patch @@ -0,0 +1,78 @@ +From foo@baz Wed 15 May 2019 09:45:15 AM CEST +From: Jarod Wilson +Date: Fri, 10 May 2019 17:57:09 -0400 +Subject: bonding: fix arp_validate toggling in active-backup mode + +From: Jarod Wilson + +[ Upstream commit a9b8a2b39ce65df45687cf9ef648885c2a99fe75 ] + +There's currently a problem with toggling arp_validate on and off with an +active-backup bond. At the moment, you can start up a bond, like so: + +modprobe bonding mode=1 arp_interval=100 arp_validate=0 arp_ip_targets=192.168.1.1 +ip link set bond0 down +echo "ens4f0" > /sys/class/net/bond0/bonding/slaves +echo "ens4f1" > /sys/class/net/bond0/bonding/slaves +ip link set bond0 up +ip addr add 192.168.1.2/24 dev bond0 + +Pings to 192.168.1.1 work just fine. Now turn on arp_validate: + +echo 1 > /sys/class/net/bond0/bonding/arp_validate + +Pings to 192.168.1.1 continue to work just fine. Now when you go to turn +arp_validate off again, the link falls flat on it's face: + +echo 0 > /sys/class/net/bond0/bonding/arp_validate +dmesg +... +[133191.911987] bond0: Setting arp_validate to none (0) +[133194.257793] bond0: bond_should_notify_peers: slave ens4f0 +[133194.258031] bond0: link status definitely down for interface ens4f0, disabling it +[133194.259000] bond0: making interface ens4f1 the new active one +[133197.330130] bond0: link status definitely down for interface ens4f1, disabling it +[133197.331191] bond0: now running without any active interface! + +The problem lies in bond_options.c, where passing in arp_validate=0 +results in bond->recv_probe getting set to NULL. This flies directly in +the face of commit 3fe68df97c7f, which says we need to set recv_probe = +bond_arp_recv, even if we're not using arp_validate. Said commit fixed +this in bond_option_arp_interval_set, but missed that we can get to that +same state in bond_option_arp_validate_set as well. + +One solution would be to universally set recv_probe = bond_arp_recv here +as well, but I don't think bond_option_arp_validate_set has any business +touching recv_probe at all, and that should be left to the arp_interval +code, so we can just make things much tidier here. + +Fixes: 3fe68df97c7f ("bonding: always set recv_probe to bond_arp_rcv in arp monitor") +CC: Jay Vosburgh +CC: Veaceslav Falico +CC: Andy Gospodarek +CC: "David S. Miller" +CC: netdev@vger.kernel.org +Signed-off-by: Jarod Wilson +Signed-off-by: Jay Vosburgh +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/bonding/bond_options.c | 7 ------- + 1 file changed, 7 deletions(-) + +--- a/drivers/net/bonding/bond_options.c ++++ b/drivers/net/bonding/bond_options.c +@@ -1032,13 +1032,6 @@ static int bond_option_arp_validate_set( + { + netdev_info(bond->dev, "Setting arp_validate to %s (%llu)\n", + newval->string, newval->value); +- +- if (bond->dev->flags & IFF_UP) { +- if (!newval->value) +- bond->recv_probe = NULL; +- else if (bond->params.arp_interval) +- bond->recv_probe = bond_arp_rcv; +- } + bond->params.arp_validate = newval->value; + + return 0; diff --git a/queue-3.18/bridge-fix-error-path-for-kobject_init_and_add.patch b/queue-3.18/bridge-fix-error-path-for-kobject_init_and_add.patch new file mode 100644 index 00000000000..e497bf194f9 --- /dev/null +++ b/queue-3.18/bridge-fix-error-path-for-kobject_init_and_add.patch @@ -0,0 +1,64 @@ +From foo@baz Wed 15 May 2019 09:54:25 AM CEST +From: "Tobin C. Harding" +Date: Fri, 10 May 2019 12:52:12 +1000 +Subject: bridge: Fix error path for kobject_init_and_add() + +From: "Tobin C. Harding" + +[ Upstream commit bdfad5aec1392b93495b77b864d58d7f101dc1c1 ] + +Currently error return from kobject_init_and_add() is not followed by a +call to kobject_put(). This means there is a memory leak. We currently +set p to NULL so that kfree() may be called on it as a noop, the code is +arguably clearer if we move the kfree() up closer to where it is +called (instead of after goto jump). + +Remove a goto label 'err1' and jump to call to kobject_put() in error +return from kobject_init_and_add() fixing the memory leak. Re-name goto +label 'put_back' to 'err1' now that we don't use err1, following current +nomenclature (err1, err2 ...). Move call to kfree out of the error +code at bottom of function up to closer to where memory was allocated. +Add comment to clarify call to kfree(). + +Signed-off-by: Tobin C. Harding +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/bridge/br_if.c | 13 ++++++------- + 1 file changed, 6 insertions(+), 7 deletions(-) + +--- a/net/bridge/br_if.c ++++ b/net/bridge/br_if.c +@@ -460,13 +460,15 @@ int br_add_if(struct net_bridge *br, str + call_netdevice_notifiers(NETDEV_JOIN, dev); + + err = dev_set_allmulti(dev, 1); +- if (err) +- goto put_back; ++ if (err) { ++ kfree(p); /* kobject not yet init'd, manually free */ ++ goto err1; ++ } + + err = kobject_init_and_add(&p->kobj, &brport_ktype, &(dev->dev.kobj), + SYSFS_BRIDGE_PORT_ATTR); + if (err) +- goto err1; ++ goto err2; + + err = br_sysfs_addif(p); + if (err) +@@ -531,12 +533,9 @@ err3: + sysfs_remove_link(br->ifobj, p->dev->name); + err2: + kobject_put(&p->kobj); +- p = NULL; /* kobject_put frees */ +-err1: + dev_set_allmulti(dev, -1); +-put_back: ++err1: + dev_put(dev); +- kfree(p); + return err; + } + diff --git a/queue-3.18/ipv4-fix-raw-socket-lookup-for-local-traffic.patch b/queue-3.18/ipv4-fix-raw-socket-lookup-for-local-traffic.patch new file mode 100644 index 00000000000..bfc62ed9d71 --- /dev/null +++ b/queue-3.18/ipv4-fix-raw-socket-lookup-for-local-traffic.patch @@ -0,0 +1,46 @@ +From foo@baz Wed 15 May 2019 09:45:15 AM CEST +From: David Ahern +Date: Tue, 7 May 2019 20:44:59 -0700 +Subject: ipv4: Fix raw socket lookup for local traffic + +From: David Ahern + +[ Upstream commit 19e4e768064a87b073a4b4c138b55db70e0cfb9f ] + +inet_iif should be used for the raw socket lookup. inet_iif considers +rt_iif which handles the case of local traffic. + +As it stands, ping to a local address with the '-I ' option fails +ever since ping was changed to use SO_BINDTODEVICE instead of +cmsg + IP_PKTINFO. + +IPv6 works fine. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: David Ahern +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/raw.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/net/ipv4/raw.c ++++ b/net/ipv4/raw.c +@@ -158,6 +158,7 @@ static int icmp_filter(const struct sock + */ + static int raw_v4_input(struct sk_buff *skb, const struct iphdr *iph, int hash) + { ++ int dif = inet_iif(skb); + struct sock *sk; + struct hlist_head *head; + int delivered = 0; +@@ -170,8 +171,7 @@ static int raw_v4_input(struct sk_buff * + + net = dev_net(skb->dev); + sk = __raw_v4_lookup(net, __sk_head(head), iph->protocol, +- iph->saddr, iph->daddr, +- skb->dev->ifindex); ++ iph->saddr, iph->daddr, dif); + + while (sk) { + delivered = 1; diff --git a/queue-3.18/net-ucc_geth-fix-oops-when-changing-number-of-buffers-in-the-ring.patch b/queue-3.18/net-ucc_geth-fix-oops-when-changing-number-of-buffers-in-the-ring.patch new file mode 100644 index 00000000000..6de9ebdd7dc --- /dev/null +++ b/queue-3.18/net-ucc_geth-fix-oops-when-changing-number-of-buffers-in-the-ring.patch @@ -0,0 +1,81 @@ +From foo@baz Wed 15 May 2019 09:54:25 AM CEST +From: Christophe Leroy +Date: Fri, 3 May 2019 13:33:23 +0000 +Subject: net: ucc_geth - fix Oops when changing number of buffers in the ring + +From: Christophe Leroy + +[ Upstream commit ee0df19305d9fabd9479b785918966f6e25b733b ] + +When changing the number of buffers in the RX ring while the interface +is running, the following Oops is encountered due to the new number +of buffers being taken into account immediately while their allocation +is done when opening the device only. + +[ 69.882706] Unable to handle kernel paging request for data at address 0xf0000100 +[ 69.890172] Faulting instruction address: 0xc033e164 +[ 69.895122] Oops: Kernel access of bad area, sig: 11 [#1] +[ 69.900494] BE PREEMPT CMPCPRO +[ 69.907120] CPU: 0 PID: 0 Comm: swapper Not tainted 4.14.115-00006-g179ade8ce3-dirty #269 +[ 69.915956] task: c0684310 task.stack: c06da000 +[ 69.920470] NIP: c033e164 LR: c02e44d0 CTR: c02e41fc +[ 69.925504] REGS: dfff1e20 TRAP: 0300 Not tainted (4.14.115-00006-g179ade8ce3-dirty) +[ 69.934161] MSR: 00009032 CR: 22004428 XER: 20000000 +[ 69.940869] DAR: f0000100 DSISR: 20000000 +[ 69.940869] GPR00: c0352d70 dfff1ed0 c0684310 f00000a4 00000040 dfff1f68 00000000 0000001f +[ 69.940869] GPR08: df53f410 1cc00040 00000021 c0781640 42004424 100c82b6 f00000a4 df53f5b0 +[ 69.940869] GPR16: df53f6c0 c05daf84 00000040 00000000 00000040 c0782be4 00000000 00000001 +[ 69.940869] GPR24: 00000000 df53f400 000001b0 df53f410 df53f000 0000003f df708220 1cc00044 +[ 69.978348] NIP [c033e164] skb_put+0x0/0x5c +[ 69.982528] LR [c02e44d0] ucc_geth_poll+0x2d4/0x3f8 +[ 69.987384] Call Trace: +[ 69.989830] [dfff1ed0] [c02e4554] ucc_geth_poll+0x358/0x3f8 (unreliable) +[ 69.996522] [dfff1f20] [c0352d70] net_rx_action+0x248/0x30c +[ 70.002099] [dfff1f80] [c04e93e4] __do_softirq+0xfc/0x310 +[ 70.007492] [dfff1fe0] [c0021124] irq_exit+0xd0/0xd4 +[ 70.012458] [dfff1ff0] [c000e7e0] call_do_irq+0x24/0x3c +[ 70.017683] [c06dbe80] [c0006bac] do_IRQ+0x64/0xc4 +[ 70.022474] [c06dbea0] [c001097c] ret_from_except+0x0/0x14 +[ 70.027964] --- interrupt: 501 at rcu_idle_exit+0x84/0x90 +[ 70.027964] LR = rcu_idle_exit+0x74/0x90 +[ 70.037585] [c06dbf60] [20000000] 0x20000000 (unreliable) +[ 70.042984] [c06dbf80] [c004bb0c] do_idle+0xb4/0x11c +[ 70.047945] [c06dbfa0] [c004bd14] cpu_startup_entry+0x18/0x1c +[ 70.053682] [c06dbfb0] [c05fb034] start_kernel+0x370/0x384 +[ 70.059153] [c06dbff0] [00003438] 0x3438 +[ 70.063062] Instruction dump: +[ 70.066023] 38a00000 38800000 90010014 4bfff015 80010014 7c0803a6 3123ffff 7c691910 +[ 70.073767] 38210010 4e800020 38600000 4e800020 <80e3005c> 80c30098 3107ffff 7d083910 +[ 70.081690] ---[ end trace be7ccd9c1e1a9f12 ]--- + +This patch forbids the modification of the number of buffers in the +ring while the interface is running. + +Fixes: ac421852b3a0 ("ucc_geth: add ethtool support") +Signed-off-by: Christophe Leroy +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/freescale/ucc_geth_ethtool.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +--- a/drivers/net/ethernet/freescale/ucc_geth_ethtool.c ++++ b/drivers/net/ethernet/freescale/ucc_geth_ethtool.c +@@ -253,14 +253,12 @@ uec_set_ringparam(struct net_device *net + return -EINVAL; + } + ++ if (netif_running(netdev)) ++ return -EBUSY; ++ + ug_info->bdRingLenRx[queue] = ring->rx_pending; + ug_info->bdRingLenTx[queue] = ring->tx_pending; + +- if (netif_running(netdev)) { +- /* FIXME: restart automatically */ +- netdev_info(netdev, "Please re-open the interface\n"); +- } +- + return ret; + } + diff --git a/queue-3.18/packet-fix-error-path-in-packet_init.patch b/queue-3.18/packet-fix-error-path-in-packet_init.patch new file mode 100644 index 00000000000..7c9c2a05228 --- /dev/null +++ b/queue-3.18/packet-fix-error-path-in-packet_init.patch @@ -0,0 +1,87 @@ +From foo@baz Wed 15 May 2019 09:54:25 AM CEST +From: YueHaibing +Date: Thu, 9 May 2019 22:52:20 +0800 +Subject: packet: Fix error path in packet_init + +From: YueHaibing + +[ Upstream commit 36096f2f4fa05f7678bc87397665491700bae757 ] + +kernel BUG at lib/list_debug.c:47! +invalid opcode: 0000 [#1 +CPU: 0 PID: 12914 Comm: rmmod Tainted: G W 5.1.0+ #47 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.9.3-0-ge2fc41e-prebuilt.qemu-project.org 04/01/2014 +RIP: 0010:__list_del_entry_valid+0x53/0x90 +Code: 48 8b 32 48 39 fe 75 35 48 8b 50 08 48 39 f2 75 40 b8 01 00 00 00 5d c3 48 +89 fe 48 89 c2 48 c7 c7 18 75 fe 82 e8 cb 34 78 ff <0f> 0b 48 89 fe 48 c7 c7 50 75 fe 82 e8 ba 34 78 ff 0f 0b 48 89 f2 +RSP: 0018:ffffc90001c2fe40 EFLAGS: 00010286 +RAX: 000000000000004e RBX: ffffffffa0184000 RCX: 0000000000000000 +RDX: 0000000000000000 RSI: ffff888237a17788 RDI: 00000000ffffffff +RBP: ffffc90001c2fe40 R08: 0000000000000000 R09: 0000000000000000 +R10: ffffc90001c2fe10 R11: 0000000000000000 R12: 0000000000000000 +R13: ffffc90001c2fe50 R14: ffffffffa0184000 R15: 0000000000000000 +FS: 00007f3d83634540(0000) GS:ffff888237a00000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000555c350ea818 CR3: 0000000231677000 CR4: 00000000000006f0 +Call Trace: + unregister_pernet_operations+0x34/0x120 + unregister_pernet_subsys+0x1c/0x30 + packet_exit+0x1c/0x369 [af_packet + __x64_sys_delete_module+0x156/0x260 + ? lockdep_hardirqs_on+0x133/0x1b0 + ? do_syscall_64+0x12/0x1f0 + do_syscall_64+0x6e/0x1f0 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + +When modprobe af_packet, register_pernet_subsys +fails and does a cleanup, ops->list is set to LIST_POISON1, +but the module init is considered to success, then while rmmod it, +BUG() is triggered in __list_del_entry_valid which is called from +unregister_pernet_subsys. This patch fix error handing path in +packet_init to avoid possilbe issue if some error occur. + +Reported-by: Hulk Robot +Signed-off-by: YueHaibing +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/packet/af_packet.c | 25 ++++++++++++++++++++----- + 1 file changed, 20 insertions(+), 5 deletions(-) + +--- a/net/packet/af_packet.c ++++ b/net/packet/af_packet.c +@@ -4200,14 +4200,29 @@ static void __exit packet_exit(void) + + static int __init packet_init(void) + { +- int rc = proto_register(&packet_proto, 0); ++ int rc; + +- if (rc != 0) ++ rc = proto_register(&packet_proto, 0); ++ if (rc) + goto out; ++ rc = sock_register(&packet_family_ops); ++ if (rc) ++ goto out_proto; ++ rc = register_pernet_subsys(&packet_net_ops); ++ if (rc) ++ goto out_sock; ++ rc = register_netdevice_notifier(&packet_netdev_notifier); ++ if (rc) ++ goto out_pernet; + +- sock_register(&packet_family_ops); +- register_pernet_subsys(&packet_net_ops); +- register_netdevice_notifier(&packet_netdev_notifier); ++ return 0; ++ ++out_pernet: ++ unregister_pernet_subsys(&packet_net_ops); ++out_sock: ++ sock_unregister(PF_PACKET); ++out_proto: ++ proto_unregister(&packet_proto); + out: + return rc; + } diff --git a/queue-3.18/series b/queue-3.18/series index 1ec655ae0f6..8b5f0aec5e4 100644 --- a/queue-3.18/series +++ b/queue-3.18/series @@ -75,3 +75,9 @@ gpu-ipu-v3-dp-fix-csc-handling.patch don-t-jump-to-compute_result-state-from-check_result-state.patch usb-serial-use-variable-for-status.patch usb-serial-fix-unthrottle-races.patch +bridge-fix-error-path-for-kobject_init_and_add.patch +net-ucc_geth-fix-oops-when-changing-number-of-buffers-in-the-ring.patch +packet-fix-error-path-in-packet_init.patch +vlan-disable-siocshwtstamp-in-container.patch +ipv4-fix-raw-socket-lookup-for-local-traffic.patch +bonding-fix-arp_validate-toggling-in-active-backup-mode.patch diff --git a/queue-3.18/usb-serial-fix-unthrottle-races.patch b/queue-3.18/usb-serial-fix-unthrottle-races.patch index b6bd2f2cb1c..869f03a78a2 100644 --- a/queue-3.18/usb-serial-fix-unthrottle-races.patch +++ b/queue-3.18/usb-serial-fix-unthrottle-races.patch @@ -42,14 +42,12 @@ Fixes: d83b405383c9 ("USB: serial: add support for multiple read urbs") Signed-off-by: Johan Hovold Signed-off-by: Sasha Levin --- - drivers/usb/serial/generic.c | 39 +++++++++++++++++++++++++++++------- + drivers/usb/serial/generic.c | 39 ++++++++++++++++++++++++++++++++------- 1 file changed, 32 insertions(+), 7 deletions(-) -diff --git a/drivers/usb/serial/generic.c b/drivers/usb/serial/generic.c -index a648fdca938a2..0036d96277870 100644 --- a/drivers/usb/serial/generic.c +++ b/drivers/usb/serial/generic.c -@@ -350,6 +350,7 @@ void usb_serial_generic_read_bulk_callback(struct urb *urb) +@@ -350,6 +350,7 @@ void usb_serial_generic_read_bulk_callba struct usb_serial_port *port = urb->context; unsigned char *data = urb->transfer_buffer; unsigned long flags; @@ -57,7 +55,7 @@ index a648fdca938a2..0036d96277870 100644 int status = urb->status; int i; -@@ -357,33 +358,51 @@ void usb_serial_generic_read_bulk_callback(struct urb *urb) +@@ -357,33 +358,51 @@ void usb_serial_generic_read_bulk_callba if (urb == port->read_urbs[i]) break; } @@ -116,7 +114,7 @@ index a648fdca938a2..0036d96277870 100644 /* Throttle the device if requested by tty */ spin_lock_irqsave(&port->lock, flags); port->throttled = port->throttle_req; -@@ -458,6 +477,12 @@ void usb_serial_generic_unthrottle(struct tty_struct *tty) +@@ -458,6 +477,12 @@ void usb_serial_generic_unthrottle(struc port->throttled = port->throttle_req = 0; spin_unlock_irq(&port->lock); @@ -129,6 +127,3 @@ index a648fdca938a2..0036d96277870 100644 if (was_throttled) usb_serial_generic_submit_read_urbs(port, GFP_KERNEL); } --- -2.20.1 - diff --git a/queue-3.18/vlan-disable-siocshwtstamp-in-container.patch b/queue-3.18/vlan-disable-siocshwtstamp-in-container.patch new file mode 100644 index 00000000000..92941b69ca3 --- /dev/null +++ b/queue-3.18/vlan-disable-siocshwtstamp-in-container.patch @@ -0,0 +1,39 @@ +From foo@baz Wed 15 May 2019 09:54:25 AM CEST +From: Hangbin Liu +Date: Thu, 9 May 2019 14:55:07 +0800 +Subject: vlan: disable SIOCSHWTSTAMP in container + +From: Hangbin Liu + +[ Upstream commit 873017af778439f2f8e3d87f28ddb1fcaf244a76 ] + +With NET_ADMIN enabled in container, a normal user could be mapped to +root and is able to change the real device's rx filter via ioctl on +vlan, which would affect the other ptp process on host. Fix it by +disabling SIOCSHWTSTAMP in container. + +Fixes: a6111d3c93d0 ("vlan: Pass SIOC[SG]HWTSTAMP ioctls to real device") +Signed-off-by: Hangbin Liu +Acked-by: Richard Cochran +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/8021q/vlan_dev.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/net/8021q/vlan_dev.c ++++ b/net/8021q/vlan_dev.c +@@ -394,10 +394,12 @@ static int vlan_dev_ioctl(struct net_dev + ifrr.ifr_ifru = ifr->ifr_ifru; + + switch (cmd) { ++ case SIOCSHWTSTAMP: ++ if (!net_eq(dev_net(dev), &init_net)) ++ break; + case SIOCGMIIPHY: + case SIOCGMIIREG: + case SIOCSMIIREG: +- case SIOCSHWTSTAMP: + case SIOCGHWTSTAMP: + if (netif_device_present(real_dev) && ops->ndo_do_ioctl) + err = ops->ndo_do_ioctl(real_dev, &ifrr, cmd);