From: Greg Kroah-Hartman Date: Sun, 9 Jun 2019 08:06:50 +0000 (+0200) Subject: 4.9-stable patches X-Git-Tag: v5.1.9~27 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=312cc5ba0427641cf2a98c73b484f79934a4a14c;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: ethtool-fix-potential-userspace-buffer-overflow.patch ipv6-fix-efault-on-sendto-with-icmpv6-and-hdrincl.patch ipv6-use-read_once-for-inet-hdrincl-as-in-ipv4.patch neighbor-call-__ipv4_neigh_lookup_noref-in-neigh_xmit.patch net-mlx4_en-ethtool-remove-unsupported-sfp-eeprom-high-pages-query.patch net-rds-fix-memory-leak-in-rds_ib_flush_mr_pool.patch pktgen-do-not-sleep-with-the-thread-lock-held.patch revert-fib_rules-fix-error-in-backport-of-e9919a24d302-fib_rules-return-0.patch revert-fib_rules-return-0-directly-if-an-exactly-same-rule-exists-when-nlm_f_excl-not-supplied.patch --- diff --git a/queue-4.9/ethtool-fix-potential-userspace-buffer-overflow.patch b/queue-4.9/ethtool-fix-potential-userspace-buffer-overflow.patch new file mode 100644 index 00000000000..7d8df668a81 --- /dev/null +++ b/queue-4.9/ethtool-fix-potential-userspace-buffer-overflow.patch 
@@ -0,0 +1,54 @@ +From foo@baz Sun 09 Jun 2019 10:02:57 AM CEST +From: Vivien Didelot +Date: Mon, 3 Jun 2019 16:57:13 -0400 +Subject: ethtool: fix potential userspace buffer overflow + +From: Vivien Didelot + +[ Upstream commit 0ee4e76937d69128a6a66861ba393ebdc2ffc8a2 ] + +ethtool_get_regs() allocates a buffer of size ops->get_regs_len(), +and pass it to the kernel driver via ops->get_regs() for filling. + +There is no restriction about what the kernel drivers can or cannot do +with the open ethtool_regs structure. They usually set regs->version +and ignore regs->len or set it to the same size as ops->get_regs_len(). + +But if userspace allocates a smaller buffer for the registers dump, +we would cause a userspace buffer overflow in the final copy_to_user() +call, which uses the regs.len value potentially reset by the driver. + +To fix this, make this case obvious and store regs.len before calling +ops->get_regs(), to only copy as much data as requested by userspace, +up to the value returned by ops->get_regs_len(). + +While at it, remove the redundant check for non-null regbuf. + +Signed-off-by: Vivien Didelot +Reviewed-by: Michal Kubecek +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/core/ethtool.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/net/core/ethtool.c ++++ b/net/core/ethtool.c +@@ -1390,13 +1390,16 @@ static int ethtool_get_regs(struct net_d + return -ENOMEM; + } + ++ if (regs.len < reglen) ++ reglen = regs.len; ++ + ops->get_regs(dev, ®s, regbuf); + + ret = -EFAULT; + if (copy_to_user(useraddr, ®s, sizeof(regs))) + goto out; + useraddr += offsetof(struct ethtool_regs, data); +- if (regbuf && copy_to_user(useraddr, regbuf, regs.len)) ++ if (copy_to_user(useraddr, regbuf, reglen)) + goto out; + ret = 0; + diff --git a/queue-4.9/ipv6-fix-efault-on-sendto-with-icmpv6-and-hdrincl.patch b/queue-4.9/ipv6-fix-efault-on-sendto-with-icmpv6-and-hdrincl.patch new file mode 100644 index 00000000000..6fc656d7172 
--- /dev/null +++ b/queue-4.9/ipv6-fix-efault-on-sendto-with-icmpv6-and-hdrincl.patch @@ -0,0 +1,57 @@ +From foo@baz Sun 09 Jun 2019 10:02:57 AM CEST +From: Olivier Matz +Date: Thu, 6 Jun 2019 09:15:19 +0200 +Subject: ipv6: fix EFAULT on sendto with icmpv6 and hdrincl + +From: Olivier Matz + +[ Upstream commit b9aa52c4cb457e7416cc0c95f475e72ef4a61336 ] + +The following code returns EFAULT (Bad address): + + s = socket(AF_INET6, SOCK_RAW, IPPROTO_ICMPV6); + setsockopt(s, SOL_IPV6, IPV6_HDRINCL, 1); + sendto(ipv6_icmp6_packet, addr); /* returns -1, errno = EFAULT */ + +The IPv4 equivalent code works. A workaround is to use IPPROTO_RAW +instead of IPPROTO_ICMPV6. + +The failure happens because 2 bytes are eaten from the msghdr by +rawv6_probe_proto_opt() starting from commit 19e3c66b52ca ("ipv6 +equivalent of "ipv4: Avoid reading user iov twice after +raw_probe_proto_opt""), but at that time it was not a problem because +IPV6_HDRINCL was not yet introduced. + +Only eat these 2 bytes if hdrincl == 0. + +Fixes: 715f504b1189 ("ipv6: add IPV6_HDRINCL option for raw sockets") +Signed-off-by: Olivier Matz +Acked-by: Nicolas Dichtel +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/raw.c | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +--- a/net/ipv6/raw.c ++++ b/net/ipv6/raw.c +@@ -880,11 +880,14 @@ static int rawv6_sendmsg(struct sock *sk + opt = ipv6_fixup_options(&opt_space, opt); + + fl6.flowi6_proto = proto; +- rfv.msg = msg; +- rfv.hlen = 0; +- err = rawv6_probe_proto_opt(&rfv, &fl6); +- if (err) +- goto out; ++ ++ if (!hdrincl) { ++ rfv.msg = msg; ++ rfv.hlen = 0; ++ err = rawv6_probe_proto_opt(&rfv, &fl6); ++ if (err) ++ goto out; ++ } + + if (!ipv6_addr_any(daddr)) + fl6.daddr = *daddr; diff --git a/queue-4.9/ipv6-use-read_once-for-inet-hdrincl-as-in-ipv4.patch b/queue-4.9/ipv6-use-read_once-for-inet-hdrincl-as-in-ipv4.patch new file mode 100644 index 00000000000..16f7194b9f1 --- /dev/null 
+++ b/queue-4.9/ipv6-use-read_once-for-inet-hdrincl-as-in-ipv4.patch @@ -0,0 +1,64 @@ +From foo@baz Sun 09 Jun 2019 09:44:19 AM CEST +From: Olivier Matz +Date: Thu, 6 Jun 2019 09:15:18 +0200 +Subject: ipv6: use READ_ONCE() for inet->hdrincl as in ipv4 + +From: Olivier Matz + +[ Upstream commit 59e3e4b52663a9d97efbce7307f62e4bc5c9ce91 ] + +As it was done in commit 8f659a03a0ba ("net: ipv4: fix for a race +condition in raw_sendmsg") and commit 20b50d79974e ("net: ipv4: emulate +READ_ONCE() on ->hdrincl bit-field in raw_sendmsg()") for ipv4, copy the +value of inet->hdrincl in a local variable, to avoid introducing a race +condition in the next commit. + +Signed-off-by: Olivier Matz +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/raw.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +--- a/net/ipv6/raw.c ++++ b/net/ipv6/raw.c +@@ -774,6 +774,7 @@ static int rawv6_sendmsg(struct sock *sk + struct sockcm_cookie sockc; + struct ipcm6_cookie ipc6; + int addr_len = msg->msg_namelen; ++ int hdrincl; + u16 proto; + int err; + +@@ -787,6 +788,13 @@ static int rawv6_sendmsg(struct sock *sk + if (msg->msg_flags & MSG_OOB) + return -EOPNOTSUPP; + ++ /* hdrincl should be READ_ONCE(inet->hdrincl) ++ * but READ_ONCE() doesn't work with bit fields. ++ * Doing this indirectly yields the same result. ++ */ ++ hdrincl = inet->hdrincl; ++ hdrincl = READ_ONCE(hdrincl); ++ + /* + * Get and verify the address. + */ +@@ -904,7 +912,7 @@ static int rawv6_sendmsg(struct sock *sk + fl6.flowi6_oif = np->ucast_oif; + security_sk_classify_flow(sk, flowi6_to_flowi(&fl6)); + +- if (inet->hdrincl) ++ if (hdrincl) + fl6.flowi6_flags |= FLOWI_FLAG_KNOWN_NH; + + if (ipc6.tclass < 0) +@@ -927,7 +935,7 @@ static int rawv6_sendmsg(struct sock *sk + goto do_confirm; + + back_from_confirm: +- if (inet->hdrincl) ++ if (hdrincl) + err = rawv6_send_hdrinc(sk, msg, len, &fl6, &dst, msg->msg_flags); + else { + ipc6.opt = opt; 
diff --git a/queue-4.9/neighbor-call-__ipv4_neigh_lookup_noref-in-neigh_xmit.patch b/queue-4.9/neighbor-call-__ipv4_neigh_lookup_noref-in-neigh_xmit.patch new file mode 100644 index 00000000000..db3b2ffba3d --- /dev/null +++ b/queue-4.9/neighbor-call-__ipv4_neigh_lookup_noref-in-neigh_xmit.patch 
@@ -0,0 +1,57 @@ +From foo@baz Sun 09 Jun 2019 10:02:57 AM CEST +From: David Ahern +Date: Wed, 1 May 2019 18:18:42 -0700 +Subject: neighbor: Call __ipv4_neigh_lookup_noref in neigh_xmit + +From: David Ahern + +[ Upstream commit 4b2a2bfeb3f056461a90bd621e8bd7d03fa47f60 ] + +Commit cd9ff4de0107 changed the key for IFF_POINTOPOINT devices to +INADDR_ANY but neigh_xmit which is used for MPLS encapsulations was not +updated to use the altered key. The result is that every packet Tx does +a lookup on the gateway address which does not find an entry, a new one +is created only to find the existing one in the table right before the +insert since arp_constructor was updated to reset the primary key. This +is seen in the allocs and destroys counters: + ip -s -4 ntable show | head -10 | grep alloc + +which increase for each packet showing the unnecessary overhread. + +Fix by having neigh_xmit use __ipv4_neigh_lookup_noref for NEIGH_ARP_TABLE. + +Fixes: cd9ff4de0107 ("ipv4: Make neigh lookup keys for loopback/point-to-point devices be INADDR_ANY") +Reported-by: Alan Maguire +Signed-off-by: David Ahern +Tested-by: Alan Maguire +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/core/neighbour.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +--- a/net/core/neighbour.c ++++ b/net/core/neighbour.c +@@ -30,6 +30,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -2489,7 +2490,13 @@ int neigh_xmit(int index, struct net_dev + if (!tbl) + goto out; + rcu_read_lock_bh(); +- neigh = __neigh_lookup_noref(tbl, addr, dev); ++ if (index == NEIGH_ARP_TABLE) { ++ u32 key = *((u32 *)addr); ++ ++ neigh = __ipv4_neigh_lookup_noref(dev, key); ++ } else { ++ neigh = __neigh_lookup_noref(tbl, addr, dev); ++ } + if (!neigh) + neigh = __neigh_create(tbl, addr, dev, false); + err = PTR_ERR(neigh); 
diff --git a/queue-4.9/net-mlx4_en-ethtool-remove-unsupported-sfp-eeprom-high-pages-query.patch b/queue-4.9/net-mlx4_en-ethtool-remove-unsupported-sfp-eeprom-high-pages-query.patch new file mode 100644 index 00000000000..023bb8b0bcc --- /dev/null +++ b/queue-4.9/net-mlx4_en-ethtool-remove-unsupported-sfp-eeprom-high-pages-query.patch 
@@ -0,0 +1,60 @@ +From foo@baz Sun 09 Jun 2019 10:02:57 AM CEST +From: Erez Alfasi +Date: Mon, 20 May 2019 17:42:52 +0300 +Subject: net/mlx4_en: ethtool, Remove unsupported SFP EEPROM high pages query + +From: Erez Alfasi + +[ Upstream commit 135dd9594f127c8a82d141c3c8430e9e2143216a ] + +Querying EEPROM high pages data for SFP module is currently +not supported by our driver but is still tried, resulting in +invalid FW queries. + +Set the EEPROM ethtool data length to 256 for SFP module to +limit the reading for page 0 only and prevent invalid FW queries. + +Fixes: 7202da8b7f71 ("ethtool, net/mlx4_en: Cable info, get_module_info/eeprom ethtool support") +Signed-off-by: Erez Alfasi +Signed-off-by: Tariq Toukan +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlx4/en_ethtool.c | 4 +++- + drivers/net/ethernet/mellanox/mlx4/port.c | 5 ----- + 2 files changed, 3 insertions(+), 6 deletions(-) + +--- a/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c ++++ b/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c +@@ -1930,6 +1930,8 @@ static int mlx4_en_set_tunable(struct ne + return ret; + } + ++#define MLX4_EEPROM_PAGE_LEN 256 ++ + static int mlx4_en_get_module_info(struct net_device *dev, + struct ethtool_modinfo *modinfo) + { +@@ -1964,7 +1966,7 @@ static int mlx4_en_get_module_info(struc + break; + case MLX4_MODULE_ID_SFP: + modinfo->type = ETH_MODULE_SFF_8472; +- modinfo->eeprom_len = ETH_MODULE_SFF_8472_LEN; ++ modinfo->eeprom_len = MLX4_EEPROM_PAGE_LEN; + break; + default: + return -ENOSYS; +--- a/drivers/net/ethernet/mellanox/mlx4/port.c ++++ b/drivers/net/ethernet/mellanox/mlx4/port.c +@@ -1960,11 +1960,6 @@ int mlx4_get_module_info(struct mlx4_dev + size -= offset + size - I2C_PAGE_SIZE; + + i2c_addr = I2C_ADDR_LOW; +- if (offset >= I2C_PAGE_SIZE) { +- /* Reset offset to high page */ +- i2c_addr = I2C_ADDR_HIGH; +- offset -= I2C_PAGE_SIZE; +- } + + cable_info = (struct mlx4_cable_info *)inmad->data; + 
cable_info->dev_mem_address = cpu_to_be16(offset); diff --git a/queue-4.9/net-rds-fix-memory-leak-in-rds_ib_flush_mr_pool.patch b/queue-4.9/net-rds-fix-memory-leak-in-rds_ib_flush_mr_pool.patch new file mode 100644 index 00000000000..f38bfbbf208 --- /dev/null +++ b/queue-4.9/net-rds-fix-memory-leak-in-rds_ib_flush_mr_pool.patch 
@@ -0,0 +1,90 @@ +From foo@baz Sun 09 Jun 2019 10:02:57 AM CEST +From: Zhu Yanjun +Date: Thu, 6 Jun 2019 04:00:03 -0400 +Subject: net: rds: fix memory leak in rds_ib_flush_mr_pool + +From: Zhu Yanjun + +[ Upstream commit 85cb928787eab6a2f4ca9d2a798b6f3bed53ced1 ] + +When the following tests last for several hours, the problem will occur. + +Server: + rds-stress -r 1.1.1.16 -D 1M +Client: + rds-stress -r 1.1.1.14 -s 1.1.1.16 -D 1M -T 30 + +The following will occur. + +" +Starting up.... +tsks tx/s rx/s tx+rx K/s mbi K/s mbo K/s tx us/c rtt us cpu +% + 1 0 0 0.00 0.00 0.00 0.00 0.00 -1.00 + 1 0 0 0.00 0.00 0.00 0.00 0.00 -1.00 + 1 0 0 0.00 0.00 0.00 0.00 0.00 -1.00 + 1 0 0 0.00 0.00 0.00 0.00 0.00 -1.00 +" +>From vmcore, we can find that clean_list is NULL. + +>From the source code, rds_mr_flushd calls rds_ib_mr_pool_flush_worker. +Then rds_ib_mr_pool_flush_worker calls +" + rds_ib_flush_mr_pool(pool, 0, NULL); +" +Then in function +" +int rds_ib_flush_mr_pool(struct rds_ib_mr_pool *pool, + int free_all, struct rds_ib_mr **ibmr_ret) +" +ibmr_ret is NULL. + +In the source code, +" +... +list_to_llist_nodes(pool, &unmap_list, &clean_nodes, &clean_tail); +if (ibmr_ret) + *ibmr_ret = llist_entry(clean_nodes, struct rds_ib_mr, llnode); + +/* more than one entry in llist nodes */ +if (clean_nodes->next) + llist_add_batch(clean_nodes->next, clean_tail, &pool->clean_list); +... +" +When ibmr_ret is NULL, llist_entry is not executed. clean_nodes->next +instead of clean_nodes is added in clean_list. +So clean_nodes is discarded. It can not be used again. +The workqueue is executed periodically. So more and more clean_nodes are +discarded. Finally the clean_list is NULL. +Then this problem will occur. + +Fixes: 1bc144b62524 ("net, rds, Replace xlist in net/rds/xlist.h with llist") +Signed-off-by: Zhu Yanjun +Acked-by: Santosh Shilimkar +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/rds/ib_rdma.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +--- a/net/rds/ib_rdma.c ++++ b/net/rds/ib_rdma.c +@@ -416,12 +416,14 @@ int rds_ib_flush_mr_pool(struct rds_ib_m + wait_clean_list_grace(); + + list_to_llist_nodes(pool, &unmap_list, &clean_nodes, &clean_tail); +- if (ibmr_ret) ++ if (ibmr_ret) { + *ibmr_ret = llist_entry(clean_nodes, struct rds_ib_mr, llnode); +- ++ clean_nodes = clean_nodes->next; ++ } + /* more than one entry in llist nodes */ +- if (clean_nodes->next) +- llist_add_batch(clean_nodes->next, clean_tail, &pool->clean_list); ++ if (clean_nodes) ++ llist_add_batch(clean_nodes, clean_tail, ++ &pool->clean_list); + + } + diff --git a/queue-4.9/pktgen-do-not-sleep-with-the-thread-lock-held.patch b/queue-4.9/pktgen-do-not-sleep-with-the-thread-lock-held.patch new file mode 100644 index 00000000000..d596d4336c3 --- /dev/null +++ b/queue-4.9/pktgen-do-not-sleep-with-the-thread-lock-held.patch 
@@ -0,0 +1,96 @@ +From foo@baz Sun 09 Jun 2019 10:02:57 AM CEST +From: Paolo Abeni +Date: Thu, 6 Jun 2019 15:45:03 +0200 +Subject: pktgen: do not sleep with the thread lock held. + +From: Paolo Abeni + +[ Upstream commit 720f1de4021f09898b8c8443f3b3e995991b6e3a ] + +Currently, the process issuing a "start" command on the pktgen procfs +interface, acquires the pktgen thread lock and never release it, until +all pktgen threads are completed. The above can blocks indefinitely any +other pktgen command and any (even unrelated) netdevice removal - as +the pktgen netdev notifier acquires the same lock. + +The issue is demonstrated by the following script, reported by Matteo: + +ip -b - <<'EOF' + link add type dummy + link add type veth + link set dummy0 up +EOF +modprobe pktgen +echo reset >/proc/net/pktgen/pgctrl +{ + echo rem_device_all + echo add_device dummy0 +} >/proc/net/pktgen/kpktgend_0 +echo count 0 >/proc/net/pktgen/dummy0 +echo start >/proc/net/pktgen/pgctrl & +sleep 1 +rmmod veth + +Fix the above releasing the thread lock around the sleep call. + +Additionally we must prevent racing with forcefull rmmod - as the +thread lock no more protects from them. Instead, acquire a self-reference +before waiting for any thread. As a side effect, running + +rmmod pktgen + +while some thread is running now fails with "module in use" error, +before this patch such command hanged indefinitely. + +Note: the issue predates the commit reported in the fixes tag, but +this fix can't be applied before the mentioned commit. + +v1 -> v2: + - no need to check for thread existence after flipping the lock, + pktgen threads are freed only at net exit time + - + +Fixes: 6146e6a43b35 ("[PKTGEN]: Removes thread_{un,}lock() macros.") +Reported-and-tested-by: Matteo Croce +Signed-off-by: Paolo Abeni +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/core/pktgen.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +--- a/net/core/pktgen.c ++++ b/net/core/pktgen.c +@@ -3147,7 +3147,13 @@ static int pktgen_wait_thread_run(struct + { + while (thread_is_running(t)) { + ++ /* note: 't' will still be around even after the unlock/lock ++ * cycle because pktgen_thread threads are only cleared at ++ * net exit ++ */ ++ mutex_unlock(&pktgen_thread_lock); + msleep_interruptible(100); ++ mutex_lock(&pktgen_thread_lock); + + if (signal_pending(current)) + goto signal; +@@ -3162,6 +3168,10 @@ static int pktgen_wait_all_threads_run(s + struct pktgen_thread *t; + int sig = 1; + ++ /* prevent from racing with rmmod */ ++ if (!try_module_get(THIS_MODULE)) ++ return sig; ++ + mutex_lock(&pktgen_thread_lock); + + list_for_each_entry(t, &pn->pktgen_threads, th_list) { +@@ -3175,6 +3185,7 @@ static int pktgen_wait_all_threads_run(s + t->control |= (T_STOP); + + mutex_unlock(&pktgen_thread_lock); ++ module_put(THIS_MODULE); + return sig; + } + diff --git a/queue-4.9/revert-fib_rules-fix-error-in-backport-of-e9919a24d302-fib_rules-return-0.patch b/queue-4.9/revert-fib_rules-fix-error-in-backport-of-e9919a24d302-fib_rules-return-0.patch new file mode 100644 index 00000000000..e70dc48d1c0 --- /dev/null +++ b/queue-4.9/revert-fib_rules-fix-error-in-backport-of-e9919a24d302-fib_rules-return-0.patch 
@@ -0,0 +1,25 @@ +From 41da877a19fb3d45dad80997e92f25965feaabc3 Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman +Date: Sun, 9 Jun 2019 09:55:08 +0200 +Subject: Revert "fib_rules: fix error in backport of e9919a24d302 ("fib_rules: return 0...")" + +From: Greg Kroah-Hartman + +This reverts commit d5c71a7c533e88a9fcc74fe1b5c25743868fa300 as the +patch that this "fixes" is about to be reverted... + +Signed-off-by: Greg Kroah-Hartman +--- + net/core/fib_rules.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/net/core/fib_rules.c ++++ b/net/core/fib_rules.c +@@ -430,7 +430,6 @@ int fib_nl_newrule(struct sk_buff *skb, + goto errout_free; + + if (rule_exists(ops, frh, tb, rule)) { +- err = 0; + if (nlh->nlmsg_flags & NLM_F_EXCL) + err = -EEXIST; + goto errout_free; diff --git a/queue-4.9/revert-fib_rules-return-0-directly-if-an-exactly-same-rule-exists-when-nlm_f_excl-not-supplied.patch b/queue-4.9/revert-fib_rules-return-0-directly-if-an-exactly-same-rule-exists-when-nlm_f_excl-not-supplied.patch new file mode 100644 index 00000000000..c557f4b5003 --- /dev/null +++ b/queue-4.9/revert-fib_rules-return-0-directly-if-an-exactly-same-rule-exists-when-nlm_f_excl-not-supplied.patch 
@@ -0,0 +1,45 @@ +From foo@baz Sun 09 Jun 2019 10:02:57 AM CEST +From: Hangbin Liu +Date: Wed, 5 Jun 2019 12:27:14 +0800 +Subject: Revert "fib_rules: return 0 directly if an exactly same rule exists when NLM_F_EXCL not supplied" + +From: Hangbin Liu + +[ Upstream commit 4970b42d5c362bf873982db7d93245c5281e58f4 ] + +This reverts commit e9919a24d3022f72bcadc407e73a6ef17093a849. + +Nathan reported the new behaviour breaks Android, as Android just add +new rules and delete old ones. + +If we return 0 without adding dup rules, Android will remove the new +added rules and causing system to soft-reboot. + +Fixes: e9919a24d302 ("fib_rules: return 0 directly if an exactly same rule exists when NLM_F_EXCL not supplied") +Reported-by: Nathan Chancellor +Reported-by: Yaro Slav +Reported-by: Maciej Å»enczykowski +Signed-off-by: Hangbin Liu +Reviewed-by: Nathan Chancellor +Tested-by: Nathan Chancellor +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/core/fib_rules.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/net/core/fib_rules.c ++++ b/net/core/fib_rules.c +@@ -429,9 +429,9 @@ int fib_nl_newrule(struct sk_buff *skb, + if (rule->l3mdev && rule->table) + goto errout_free; + +- if (rule_exists(ops, frh, tb, rule)) { +- if (nlh->nlmsg_flags & NLM_F_EXCL) +- err = -EEXIST; ++ if ((nlh->nlmsg_flags & NLM_F_EXCL) && ++ rule_exists(ops, frh, tb, rule)) { ++ err = -EEXIST; + goto errout_free; + } + diff --git a/queue-4.9/series b/queue-4.9/series index f407955e624..8914c4e1ab1 100644 --- a/queue-4.9/series +++ b/queue-4.9/series 
@@ -59,3 +59,12 @@ mm-make-page-ref-count-overflow-check-tighter-and-more-explicit.patch revert-x86-build-move-_etext-to-actual-end-of-.text.patch efi-libstub-unify-command-line-param-parsing.patch media-uvcvideo-fix-uvc_alloc_entity-allocation-alignment.patch +ethtool-fix-potential-userspace-buffer-overflow.patch +neighbor-call-__ipv4_neigh_lookup_noref-in-neigh_xmit.patch +net-mlx4_en-ethtool-remove-unsupported-sfp-eeprom-high-pages-query.patch +net-rds-fix-memory-leak-in-rds_ib_flush_mr_pool.patch +pktgen-do-not-sleep-with-the-thread-lock-held.patch +ipv6-fix-efault-on-sendto-with-icmpv6-and-hdrincl.patch +ipv6-use-read_once-for-inet-hdrincl-as-in-ipv4.patch +revert-fib_rules-fix-error-in-backport-of-e9919a24d302-fib_rules-return-0.patch +revert-fib_rules-return-0-directly-if-an-exactly-same-rule-exists-when-nlm_f_excl-not-supplied.patch
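Review bot: in the net/core/ethtool.c hunk of ethtool-fix-potential-userspace-buffer-overflow.patch, the new clamp `if (regs.len < reglen) reglen = regs.len;` bounds only the data copy. The header copy of regs that follows ops->get_regs() still hands back whatever regs.len the driver left there, so userspace can be told a length larger than the reglen bytes actually written to its buffer. Consider setting regs.len back to reglen after the ops->get_regs() call, or add a comment at the clamp stating that the returned len is the driver's value and not the number of bytes copied.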
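Review bot: the net/ipv6/raw.c hunk in ipv6-fix-efault-on-sendto-with-icmpv6-and-hdrincl.patch leaves rfv.msg and rfv.hlen unset whenever hdrincl is set, and nothing in the hunk says why that is safe. If rfv is only consumed on the non-hdrincl send path, a short comment above `if (!hdrincl) {` saying so, and noting that the probe is skipped because it eats 2 bytes from the msghdr, would keep a later change from reading an uninitialised rfv. The same comment should mention that fl6 no longer receives whatever rawv6_probe_proto_opt() would have filled in for header-included packets.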
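Review bot: the comment added with `hdrincl = inet->hdrincl; hdrincl = READ_ONCE(hdrincl);` in ipv6-use-read_once-for-inet-hdrincl-as-in-ipv4.patch explains the bit-field workaround but not what the snapshot protects. The two later hunks replace `if (inet->hdrincl)` at the FLOWI_FLAG_KNOWN_NH test and at the rawv6_send_hdrinc() branch, so the point is that both decisions must see the same value within one rawv6_sendmsg() call. Say that in the comment, so nobody reintroduces a direct inet->hdrincl read further down the function.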
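Review bot: in the neigh_xmit() hunk of neighbor-call-__ipv4_neigh_lookup_noref-in-neigh_xmit.patch, `u32 key = *((u32 *)addr);` reads four bytes through a cast with no statement of what guarantees that addr points to an aligned IPv4 address of that size. A comment naming the caller contract for NEIGH_ARP_TABLE, or an unaligned-safe read, would make the assumption explicit. Note also that the fallback `__neigh_create(tbl, addr, dev, false)` still receives the original addr while the lookup uses the derived key, so it is worth stating in the comment that the constructor is what rewrites the key for point-to-point devices, as the commit message describes.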
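Review bot: the drivers/net/ethernet/mellanox/mlx4/port.c hunk removes the `if (offset >= I2C_PAGE_SIZE)` branch from mlx4_get_module_info() without replacing it with a rejection, so an offset at or beyond the page size now goes straight into `cpu_to_be16(offset)` with I2C_ADDR_LOW. The only remaining limit is the eeprom_len of MLX4_EEPROM_PAGE_LEN set in en_ethtool.c, and that is applied only in the MLX4_MODULE_ID_SFP case. An explicit bounds check returning an error in mlx4_get_module_info() would keep the invalid firmware query from coming back through another caller or module type. The new `#define MLX4_EEPROM_PAGE_LEN 256` also sits between two functions with no comment tying it to page 0 of the SFP EEPROM.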
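Review bot: in the net/rds/ib_rdma.c hunk, the ibmr_ret branch dereferences clean_nodes twice, in llist_entry() and in `clean_nodes = clean_nodes->next;`, before the new `if (clean_nodes)` test is reached, so the NULL check protects only the ibmr_ret == NULL path. If the enclosing condition, which is outside the hunk, guarantees a non-empty list, say so in a comment; otherwise test clean_nodes before the branch. The retained comment "more than one entry in llist nodes" is also stale, because with ibmr_ret == NULL a single node is now added to pool->clean_list, which is the whole point of the fix.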
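Review bot: in the pktgen_wait_all_threads_run() hunk of pktgen-do-not-sleep-with-the-thread-lock-held.patch, the early exit `if (!try_module_get(THIS_MODULE)) return sig;` returns the initial value `sig = 1` without saying what that value means to the caller when no thread was actually waited on. Add a comment stating the intended meaning of that return during module unload, or return a distinct value. In the pktgen_wait_thread_run() hunk the unlock and re-lock happen inside the caller's `list_for_each_entry(t, &pn->pktgen_threads, th_list)` walk; the new comment covers the lifetime of 't' but not the list itself, so it should also state that entries cannot be removed from pktgen_threads while the lock is dropped.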
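Review bot: the first net/core/fib_rules.c revert hunk drops `err = 0;`, so when rule_exists() is true and NLM_F_EXCL is not set the function reaches `goto errout_free` with whatever value err held earlier. The commit message says the patched code is about to be reverted as well, so this state exists for only one step, but it makes that step unsafe to build or bisect on its own. Folding this revert into the following one, or stating in the message that the two must be applied together, would avoid that.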
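Review bot: the second net/core/fib_rules.c hunk restores `if ((nlh->nlmsg_flags & NLM_F_EXCL) && rule_exists(ops, frh, tb, rule))`, which means an exact duplicate rule is added silently whenever NLM_F_EXCL is absent, and nothing in the code records that this is deliberate. The commit message gives the reason (Android adds new rules and deletes old ones, and soft-reboots if the add is skipped); a short comment above the condition saying that duplicates without NLM_F_EXCL are accepted for userspace compatibility would stop the same "fix" from being proposed again.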
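Review bot: the queue-4.9/series hunk lists ipv6-fix-efault-on-sendto-with-icmpv6-and-hdrincl.patch before ipv6-use-read_once-for-inet-hdrincl-as-in-ipv4.patch, but the dependency runs the other way. The EFAULT fix tests `if (!hdrincl) {`, and the local `int hdrincl;` is declared only by the READ_ONCE patch, whose message says it prepares for "the next commit" and whose author date is one second earlier. Swap the two entries so the READ_ONCE patch applies first; in the current order the tree does not build after the first of the two.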