From: Greg Kroah-Hartman Date: Sun, 24 Feb 2019 13:58:26 +0000 (+0100) Subject: 4.9-stable patches X-Git-Tag: v4.9.161~26 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=354a3f4a450e010ab49ca3796ab5252d829f572c;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: arc-define-arch_slab_minalign-8.patch arc-u-boot-check-arguments-paranoidly.patch arcv2-enable-unaligned-access-in-early-asm-code.patch batman-adv-fix-uninit-value-in-batadv_interface_tx.patch net-mlx4_en-force-checksum_none-for-short-ethernet-frames.patch net-packet-fix-4gb-buffer-limit-due-to-overflow-check.patch parisc-fix-ptrace-syscall-number-modification.patch sctp-call-gso_reset_checksum-when-computing-checksum-in-sctp_gso_segment.patch sit-check-if-ipv6-enabled-before-calling-ip6_err_gen_icmpv6_unreach.patch team-avoid-complex-list-operations-in-team_nl_cmd_options_set.patch --- diff --git a/queue-4.9/arc-define-arch_slab_minalign-8.patch b/queue-4.9/arc-define-arch_slab_minalign-8.patch new file mode 100644 index 00000000000..ed2360d43b4 --- /dev/null +++ b/queue-4.9/arc-define-arch_slab_minalign-8.patch 
@@ -0,0 +1,81 @@ +From b6835ea77729e7faf4656ca637ba53f42b8ee3fd Mon Sep 17 00:00:00 2001 +From: Alexey Brodkin +Date: Fri, 8 Feb 2019 13:55:19 +0300 +Subject: ARC: define ARCH_SLAB_MINALIGN = 8 + +From: Alexey Brodkin + +commit b6835ea77729e7faf4656ca637ba53f42b8ee3fd upstream. + +The default value of ARCH_SLAB_MINALIGN in "include/linux/slab.h" is +"__alignof__(unsigned long long)" which for ARC unexpectedly turns out +to be 4. This is not a compiler bug, but as defined by ARC ABI [1] + +Thus slab allocator would allocate a struct which is 32-bit aligned, +which is generally OK even if struct has long long members. +There was however potetial problem when it had any atomic64_t which +use LLOCKD/SCONDD instructions which are required by ISA to take +64-bit addresses. This is the problem we ran into + +[ 4.015732] EXT4-fs (mmcblk0p2): re-mounted. Opts: (null) +[ 4.167881] Misaligned Access +[ 4.172356] Path: /bin/busybox.nosuid +[ 4.176004] CPU: 2 PID: 171 Comm: rm Not tainted 4.19.14-yocto-standard #1 +[ 4.182851] +[ 4.182851] [ECR ]: 0x000d0000 => Check Programmer's Manual +[ 4.190061] [EFA ]: 0xbeaec3fc +[ 4.190061] [BLINK ]: ext4_delete_entry+0x210/0x234 +[ 4.190061] [ERET ]: ext4_delete_entry+0x13e/0x234 +[ 4.202985] [STAT32]: 0x80080002 : IE K +[ 4.207236] BTA: 0x9009329c SP: 0xbe5b1ec4 FP: 0x00000000 +[ 4.212790] LPS: 0x9074b118 LPE: 0x9074b120 LPC: 0x00000000 +[ 4.218348] r00: 0x00000040 r01: 0x00000021 r02: 0x00000001 +... +... +[ 4.270510] Stack Trace: +[ 4.274510] ext4_delete_entry+0x13e/0x234 +[ 4.278695] ext4_rmdir+0xe0/0x238 +[ 4.282187] vfs_rmdir+0x50/0xf0 +[ 4.285492] do_rmdir+0x9e/0x154 +[ 4.288802] EV_Trap+0x110/0x114 + +The fix is to make sure slab allocations are 64-bit aligned. + +Do note that atomic64_t is __attribute__((aligned(8)) which means gcc +does generate 64-bit aligned references, relative to beginning of +container struct. 
However the issue is if the container itself is not +64-bit aligned, atomic64_t ends up unaligned which is what this patch +ensures. + +[1] https://github.com/foss-for-synopsys-dwc-arc-processors/toolchain/wiki/files/ARCv2_ABI.pdf + +Signed-off-by: Alexey Brodkin +Cc: # 4.8+ +Signed-off-by: Vineet Gupta +[vgupta: reworked changelog, added dependency on LL64+LLSC] +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arc/include/asm/cache.h | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +--- a/arch/arc/include/asm/cache.h ++++ b/arch/arc/include/asm/cache.h +@@ -49,6 +49,17 @@ + + #define ARCH_DMA_MINALIGN L1_CACHE_BYTES + ++/* ++ * Make sure slab-allocated buffers are 64-bit aligned when atomic64_t uses ++ * ARCv2 64-bit atomics (LLOCKD/SCONDD). This guarantess runtime 64-bit ++ * alignment for any atomic64_t embedded in buffer. ++ * Default ARCH_SLAB_MINALIGN is __alignof__(long long) which has a relaxed ++ * value of 4 (and not 8) in ARC ABI. ++ */ ++#if defined(CONFIG_ARC_HAS_LL64) && defined(CONFIG_ARC_HAS_LLSC) ++#define ARCH_SLAB_MINALIGN 8 ++#endif ++ + extern void arc_cache_init(void); + extern char *arc_cache_mumbojumbo(int cpu_id, char *buf, int len); + extern void read_decode_cache_bcr(void); diff --git a/queue-4.9/arc-u-boot-check-arguments-paranoidly.patch b/queue-4.9/arc-u-boot-check-arguments-paranoidly.patch new file mode 100644 index 00000000000..8e929d061fa --- /dev/null +++ b/queue-4.9/arc-u-boot-check-arguments-paranoidly.patch 
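Review bot: The new comment in arch/arc/include/asm/cache.h misspells "guarantess", and since it is the only explanation a reader gets for why ARCH_SLAB_MINALIGN is overridden it is worth fixing: `* ARCv2 64-bit atomics (LLOCKD/SCONDD). This guarantees runtime 64-bit` followed by `* alignment for any atomic64_t embedded in a slab-allocated buffer.`. It would also help to state the consequence of the `#if` guard in the comment itself: when CONFIG_ARC_HAS_LL64 or CONFIG_ARC_HAS_LLSC is off, the default `__alignof__(unsigned long long)` (4 on ARC, per the changelog) stays in force, which is presumably acceptable because those configurations do not emit LLOCKD/SCONDD — please confirm. The hunk changes no code paths beyond the conditional define.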
@@ -0,0 +1,160 @@ +From a66f2e57bd566240d8b3884eedf503928fbbe557 Mon Sep 17 00:00:00 2001 +From: Eugeniy Paltsev +Date: Thu, 14 Feb 2019 18:07:44 +0300 +Subject: ARC: U-boot: check arguments paranoidly + +From: Eugeniy Paltsev + +commit a66f2e57bd566240d8b3884eedf503928fbbe557 upstream. + +Handle U-boot arguments paranoidly: + * don't allow to pass unknown tag. + * try to use external device tree blob only if corresponding tag + (TAG_DTB) is set. + * don't check uboot_tag if kernel build with no ARC_UBOOT_SUPPORT. + +NOTE: +If U-boot args are invalid we skip them and try to use embedded device +tree blob. We can't panic on invalid U-boot args as we really pass +invalid args due to bug in U-boot code. +This happens if we don't provide external DTB to U-boot and +don't set 'bootargs' U-boot environment variable (which is default +case at least for HSDK board) In that case we will pass +{r0 = 1 (bootargs in r2); r1 = 0; r2 = 0;} to linux which is invalid. + +While I'm at it refactor U-boot arguments handling code. 
+ +Cc: stable@vger.kernel.org +Tested-by: Corentin LABBE +Signed-off-by: Eugeniy Paltsev +Signed-off-by: Vineet Gupta +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arc/kernel/head.S | 4 +- + arch/arc/kernel/setup.c | 89 +++++++++++++++++++++++++++++++++--------------- + 2 files changed, 65 insertions(+), 28 deletions(-) + +--- a/arch/arc/kernel/head.S ++++ b/arch/arc/kernel/head.S +@@ -103,9 +103,9 @@ ENTRY(stext) + #ifdef CONFIG_ARC_UBOOT_SUPPORT + ; Uboot - kernel ABI + ; r0 = [0] No uboot interaction, [1] cmdline in r2, [2] DTB in r2 +- ; r1 = magic number (board identity, unused as of now ++ ; r1 = magic number (always zero as of now) + ; r2 = pointer to uboot provided cmdline or external DTB in mem +- ; These are handled later in setup_arch() ++ ; These are handled later in handle_uboot_args() + st r0, [@uboot_tag] + st r2, [@uboot_arg] + #endif +--- a/arch/arc/kernel/setup.c ++++ b/arch/arc/kernel/setup.c +@@ -381,43 +381,80 @@ void setup_processor(void) + arc_chk_core_config(); + } + +-static inline int is_kernel(unsigned long addr) ++static inline bool uboot_arg_invalid(unsigned long addr) + { +- if (addr >= (unsigned long)_stext && addr <= (unsigned long)_end) +- return 1; +- return 0; ++ /* ++ * Check that it is a untranslated address (although MMU is not enabled ++ * yet, it being a high address ensures this is not by fluke) ++ */ ++ if (addr < PAGE_OFFSET) ++ return true; ++ ++ /* Check that address doesn't clobber resident kernel image */ ++ return addr >= (unsigned long)_stext && addr <= (unsigned long)_end; + } + +-void __init setup_arch(char **cmdline_p) ++#define IGNORE_ARGS "Ignore U-boot args: " ++ ++/* uboot_tag values for U-boot - kernel ABI revision 0; see head.S */ ++#define UBOOT_TAG_NONE 0 ++#define UBOOT_TAG_CMDLINE 1 ++#define UBOOT_TAG_DTB 2 ++ ++void __init handle_uboot_args(void) + { ++ bool use_embedded_dtb = true; ++ bool append_cmdline = false; ++ + #ifdef CONFIG_ARC_UBOOT_SUPPORT +- /* make sure that uboot passed pointer to 
cmdline/dtb is valid */ +- if (uboot_tag && is_kernel((unsigned long)uboot_arg)) +- panic("Invalid uboot arg\n"); +- +- /* See if u-boot passed an external Device Tree blob */ +- machine_desc = setup_machine_fdt(uboot_arg); /* uboot_tag == 2 */ +- if (!machine_desc) ++ /* check that we know this tag */ ++ if (uboot_tag != UBOOT_TAG_NONE && ++ uboot_tag != UBOOT_TAG_CMDLINE && ++ uboot_tag != UBOOT_TAG_DTB) { ++ pr_warn(IGNORE_ARGS "invalid uboot tag: '%08x'\n", uboot_tag); ++ goto ignore_uboot_args; ++ } ++ ++ if (uboot_tag != UBOOT_TAG_NONE && ++ uboot_arg_invalid((unsigned long)uboot_arg)) { ++ pr_warn(IGNORE_ARGS "invalid uboot arg: '%px'\n", uboot_arg); ++ goto ignore_uboot_args; ++ } ++ ++ /* see if U-boot passed an external Device Tree blob */ ++ if (uboot_tag == UBOOT_TAG_DTB) { ++ machine_desc = setup_machine_fdt((void *)uboot_arg); ++ ++ /* external Device Tree blob is invalid - use embedded one */ ++ use_embedded_dtb = !machine_desc; ++ } ++ ++ if (uboot_tag == UBOOT_TAG_CMDLINE) ++ append_cmdline = true; ++ ++ignore_uboot_args: + #endif +- { +- /* No, so try the embedded one */ ++ ++ if (use_embedded_dtb) { + machine_desc = setup_machine_fdt(__dtb_start); + if (!machine_desc) + panic("Embedded DT invalid\n"); ++ } + +- /* +- * If we are here, it is established that @uboot_arg didn't +- * point to DT blob. Instead if u-boot says it is cmdline, +- * append to embedded DT cmdline. +- * setup_machine_fdt() would have populated @boot_command_line +- */ +- if (uboot_tag == 1) { +- /* Ensure a whitespace between the 2 cmdlines */ +- strlcat(boot_command_line, " ", COMMAND_LINE_SIZE); +- strlcat(boot_command_line, uboot_arg, +- COMMAND_LINE_SIZE); +- } ++ /* ++ * NOTE: @boot_command_line is populated by setup_machine_fdt() so this ++ * append processing can only happen after. 
++ */ ++ if (append_cmdline) { ++ /* Ensure a whitespace between the 2 cmdlines */ ++ strlcat(boot_command_line, " ", COMMAND_LINE_SIZE); ++ strlcat(boot_command_line, uboot_arg, COMMAND_LINE_SIZE); + } ++} ++ ++void __init setup_arch(char **cmdline_p) ++{ ++ handle_uboot_args(); + + /* Save unparsed command line copy for /proc/cmdline */ + *cmdline_p = boot_command_line; diff --git a/queue-4.9/arcv2-enable-unaligned-access-in-early-asm-code.patch b/queue-4.9/arcv2-enable-unaligned-access-in-early-asm-code.patch new file mode 100644 index 00000000000..880ac825c26 --- /dev/null +++ b/queue-4.9/arcv2-enable-unaligned-access-in-early-asm-code.patch @@ -0,0 +1,49 @@ +From 252f6e8eae909bc075a1b1e3b9efb095ae4c0b56 Mon Sep 17 00:00:00 2001 +From: Eugeniy Paltsev +Date: Wed, 16 Jan 2019 14:29:50 +0300 +Subject: ARCv2: Enable unaligned access in early ASM code + +From: Eugeniy Paltsev + +commit 252f6e8eae909bc075a1b1e3b9efb095ae4c0b56 upstream. + +It is currently done in arc_init_IRQ() which might be too late +considering gcc 7.3.1 onwards (GNU 2018.03) generates unaligned +memory accesses by default + +Cc: stable@vger.kernel.org #4.4+ +Signed-off-by: Eugeniy Paltsev +Signed-off-by: Vineet Gupta +[vgupta: rewrote changelog] +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arc/kernel/head.S | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +--- a/arch/arc/kernel/head.S ++++ b/arch/arc/kernel/head.S +@@ -17,6 +17,7 @@ + #include + #include + #include ++#include + + .macro CPU_EARLY_SETUP + +@@ -47,6 +48,15 @@ + sr r5, [ARC_REG_DC_CTRL] + + 1: ++ ++#ifdef CONFIG_ISA_ARCV2 ++ ; Unaligned access is disabled at reset, so re-enable early as ++ ; gcc 7.3.1 (ARC GNU 2018.03) onwards generates unaligned access ++ ; by default ++ lr r5, [status32] ++ bset r5, r5, STATUS_AD_BIT ++ kflag r5 ++#endif + .endm + + .section .init.text, "ax",@progbits 
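Review bot: uboot_arg_invalid() in arch/arc/kernel/setup.c vets only the start address of the U-boot buffer, so a cmdline that passes it but is not NUL-terminated (or a DTB starting just below _stext) can still be read past its end by the later `strlcat(boot_command_line, uboot_arg, COMMAND_LINE_SIZE)`, which takes the full strlen() of its source, and by setup_machine_fdt(). For the cmdline tag a bounded length check next to the existing uboot_arg_invalid() test would match the "paranoid" intent: `if (uboot_tag == UBOOT_TAG_CMDLINE && strnlen(uboot_arg, COMMAND_LINE_SIZE) == COMMAND_LINE_SIZE) { pr_warn(IGNORE_ARGS "cmdline not terminated\n"); goto ignore_uboot_args; }`. Whether the DTB case is already bounded depends on the totalsize validation inside setup_machine_fdt(), which is outside this hunk, so confirm rather than assume. The `%px` in the new pr_warn prints the raw pointer deliberately; that is pre-userspace boot output, but it is worth a short comment so it is not "fixed" to `%p` later.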
diff --git a/queue-4.9/batman-adv-fix-uninit-value-in-batadv_interface_tx.patch b/queue-4.9/batman-adv-fix-uninit-value-in-batadv_interface_tx.patch new file mode 100644 index 00000000000..404ee44c10f --- /dev/null +++ b/queue-4.9/batman-adv-fix-uninit-value-in-batadv_interface_tx.patch 
@@ -0,0 +1,99 @@ +From foo@baz Sun Feb 24 14:36:50 CET 2019 +From: Eric Dumazet +Date: Mon, 11 Feb 2019 14:41:22 -0800 +Subject: batman-adv: fix uninit-value in batadv_interface_tx() + +From: Eric Dumazet + +[ Upstream commit 4ffcbfac60642f63ae3d80891f573ba7e94a265c ] + +KMSAN reported batadv_interface_tx() was possibly using a +garbage value [1] + +batadv_get_vid() does have a pskb_may_pull() call +but batadv_interface_tx() does not actually make sure +this did not fail. + +[1] +BUG: KMSAN: uninit-value in batadv_interface_tx+0x908/0x1e40 net/batman-adv/soft-interface.c:231 +CPU: 0 PID: 10006 Comm: syz-executor469 Not tainted 4.20.0-rc7+ #5 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0x173/0x1d0 lib/dump_stack.c:113 + kmsan_report+0x12e/0x2a0 mm/kmsan/kmsan.c:613 + __msan_warning+0x82/0xf0 mm/kmsan/kmsan_instr.c:313 + batadv_interface_tx+0x908/0x1e40 net/batman-adv/soft-interface.c:231 + __netdev_start_xmit include/linux/netdevice.h:4356 [inline] + netdev_start_xmit include/linux/netdevice.h:4365 [inline] + xmit_one net/core/dev.c:3257 [inline] + dev_hard_start_xmit+0x607/0xc40 net/core/dev.c:3273 + __dev_queue_xmit+0x2e42/0x3bc0 net/core/dev.c:3843 + dev_queue_xmit+0x4b/0x60 net/core/dev.c:3876 + packet_snd net/packet/af_packet.c:2928 [inline] + packet_sendmsg+0x8306/0x8f30 net/packet/af_packet.c:2953 + sock_sendmsg_nosec net/socket.c:621 [inline] + sock_sendmsg net/socket.c:631 [inline] + __sys_sendto+0x8c4/0xac0 net/socket.c:1788 + __do_sys_sendto net/socket.c:1800 [inline] + __se_sys_sendto+0x107/0x130 net/socket.c:1796 + __x64_sys_sendto+0x6e/0x90 net/socket.c:1796 + do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291 + entry_SYSCALL_64_after_hwframe+0x63/0xe7 +RIP: 0033:0x441889 +Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 bb 10 fc 
ff c3 66 2e 0f 1f 84 00 00 00 00 +RSP: 002b:00007ffdda6fd468 EFLAGS: 00000216 ORIG_RAX: 000000000000002c +RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 0000000000441889 +RDX: 000000000000000e RSI: 00000000200000c0 RDI: 0000000000000003 +RBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000216 R12: 00007ffdda6fd4c0 +R13: 00007ffdda6fd4b0 R14: 0000000000000000 R15: 0000000000000000 + +Uninit was created at: + kmsan_save_stack_with_flags mm/kmsan/kmsan.c:204 [inline] + kmsan_internal_poison_shadow+0x92/0x150 mm/kmsan/kmsan.c:158 + kmsan_kmalloc+0xa6/0x130 mm/kmsan/kmsan_hooks.c:176 + kmsan_slab_alloc+0xe/0x10 mm/kmsan/kmsan_hooks.c:185 + slab_post_alloc_hook mm/slab.h:446 [inline] + slab_alloc_node mm/slub.c:2759 [inline] + __kmalloc_node_track_caller+0xe18/0x1030 mm/slub.c:4383 + __kmalloc_reserve net/core/skbuff.c:137 [inline] + __alloc_skb+0x309/0xa20 net/core/skbuff.c:205 + alloc_skb include/linux/skbuff.h:998 [inline] + alloc_skb_with_frags+0x1c7/0xac0 net/core/skbuff.c:5220 + sock_alloc_send_pskb+0xafd/0x10e0 net/core/sock.c:2083 + packet_alloc_skb net/packet/af_packet.c:2781 [inline] + packet_snd net/packet/af_packet.c:2872 [inline] + packet_sendmsg+0x661a/0x8f30 net/packet/af_packet.c:2953 + sock_sendmsg_nosec net/socket.c:621 [inline] + sock_sendmsg net/socket.c:631 [inline] + __sys_sendto+0x8c4/0xac0 net/socket.c:1788 + __do_sys_sendto net/socket.c:1800 [inline] + __se_sys_sendto+0x107/0x130 net/socket.c:1796 + __x64_sys_sendto+0x6e/0x90 net/socket.c:1796 + do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291 + entry_SYSCALL_64_after_hwframe+0x63/0xe7 + +Fixes: c6c8fea29769 ("net: Add batman-adv meshing protocol") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Cc: Marek Lindner +Cc: Simon Wunderlich +Cc: Antonio Quartulli +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/batman-adv/soft-interface.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/net/batman-adv/soft-interface.c ++++ b/net/batman-adv/soft-interface.c +@@ -217,6 +217,8 @@ static int batadv_interface_tx(struct sk + + switch (ntohs(ethhdr->h_proto)) { + case ETH_P_8021Q: ++ if (!pskb_may_pull(skb, sizeof(*vhdr))) ++ goto dropped; + vhdr = vlan_eth_hdr(skb); + + /* drop batman-in-batman packets to prevent loops */ diff --git a/queue-4.9/net-mlx4_en-force-checksum_none-for-short-ethernet-frames.patch b/queue-4.9/net-mlx4_en-force-checksum_none-for-short-ethernet-frames.patch new file mode 100644 index 00000000000..25001b42d3e --- /dev/null +++ b/queue-4.9/net-mlx4_en-force-checksum_none-for-short-ethernet-frames.patch 
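Review bot: Once the added `pskb_may_pull(skb, sizeof(*vhdr))` succeeds, the `ethhdr` pointer taken before the switch (outside this hunk) may refer to the old buffer if the pull had to linearise and reallocate skb->head, and if batadv_interface_tx keeps using ethhdr after the switch that is a stale read. Re-reading it right after the pull closes that window at no cost: put `ethhdr = eth_hdr(skb);` immediately before `vhdr = vlan_eth_hdr(skb);`. Whether a reallocation can actually happen here depends on how callers build the skb, which is not visible from the hunk, so treat this as defensive rather than a confirmed bug. batadv_interface_tx begins and ends outside the hunk.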
@@ -0,0 +1,80 @@ +From foo@baz Sun Feb 24 08:42:25 CET 2019 +From: Saeed Mahameed +Date: Mon, 11 Feb 2019 18:04:17 +0200 +Subject: net/mlx4_en: Force CHECKSUM_NONE for short ethernet frames + +From: Saeed Mahameed + +[ Upstream commit 29dded89e80e3fff61efb34f07a8a3fba3ea146d ] + +When an ethernet frame is padded to meet the minimum ethernet frame +size, the padding octets are not covered by the hardware checksum. +Fortunately the padding octets are usually zero's, which don't affect +checksum. However, it is not guaranteed. For example, switches might +choose to make other use of these octets. +This repeatedly causes kernel hardware checksum fault. + +Prior to the cited commit below, skb checksum was forced to be +CHECKSUM_NONE when padding is detected. After it, we need to keep +skb->csum updated. However, fixing up CHECKSUM_COMPLETE requires to +verify and parse IP headers, it does not worth the effort as the packets +are so small that CHECKSUM_COMPLETE has no significant advantage. + +Future work: when reporting checksum complete is not an option for +IP non-TCP/UDP packets, we can actually fallback to report checksum +unnecessary, by looking at cqe IPOK bit. + +Fixes: 88078d98d1bb ("net: pskb_trim_rcsum() and CHECKSUM_COMPLETE are friends") +Cc: Eric Dumazet +Signed-off-by: Saeed Mahameed +Signed-off-by: Tariq Toukan +Reviewed-by: Eric Dumazet +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlx4/en_rx.c | 21 ++++++++++++++++++++- + 1 file changed, 20 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/mellanox/mlx4/en_rx.c ++++ b/drivers/net/ethernet/mellanox/mlx4/en_rx.c +@@ -777,13 +777,27 @@ static int get_fixed_ipv6_csum(__wsum hw + return 0; + } + #endif ++ ++#define short_frame(size) ((size) <= ETH_ZLEN + ETH_FCS_LEN) ++ + static int check_csum(struct mlx4_cqe *cqe, struct sk_buff *skb, void *va, + netdev_features_t dev_features) + { + __wsum hw_checksum = 0; ++ void *hdr; + +- void *hdr = (u8 *)va + sizeof(struct ethhdr); ++ /* CQE csum doesn't cover padding octets in short ethernet ++ * frames. And the pad field is appended prior to calculating ++ * and appending the FCS field. ++ * ++ * Detecting these padded frames requires to verify and parse ++ * IP headers, so we simply force all those small frames to skip ++ * checksum complete. ++ */ ++ if (short_frame(skb->len)) ++ return -EINVAL; + ++ hdr = (u8 *)va + sizeof(struct ethhdr); + hw_checksum = csum_unfold((__force __sum16)cqe->checksum); + + if (cqe->vlan_my_qpn & cpu_to_be32(MLX4_CQE_CVLAN_PRESENT_MASK) && +@@ -945,6 +959,11 @@ xdp_drop: + } + + if (likely(dev->features & NETIF_F_RXCSUM)) { ++ /* TODO: For IP non TCP/UDP packets when csum complete is ++ * not an option (not supported or any other reason) we can ++ * actually check cqe IPOK status bit and report ++ * CHECKSUM_UNNECESSARY rather than CHECKSUM_NONE ++ */ + if (cqe->status & cpu_to_be16(MLX4_CQE_STATUS_TCP | + MLX4_CQE_STATUS_UDP)) { + if ((cqe->status & cpu_to_be16(MLX4_CQE_STATUS_IPOK)) && diff --git a/queue-4.9/net-packet-fix-4gb-buffer-limit-due-to-overflow-check.patch b/queue-4.9/net-packet-fix-4gb-buffer-limit-due-to-overflow-check.patch new file mode 100644 index 00000000000..b548303e6c9 --- /dev/null +++ b/queue-4.9/net-packet-fix-4gb-buffer-limit-due-to-overflow-check.patch 
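Review bot: `short_frame()` in en_rx.c is a lowercase function-like macro; `static inline bool short_frame(unsigned int len) { return len <= ETH_ZLEN + ETH_FCS_LEN; }` is type-checked, evaluates its argument once and reads identically at the call site. Separately, the bound always includes ETH_FCS_LEN while it is applied to `skb->len`; if the FCS has already been stripped from the skb at that point (the driver's fcs_del handling is outside this hunk), unpadded frames of 61–64 bytes also lose CHECKSUM_COMPLETE. That is a small offload loss rather than a correctness problem, but the comment above the check should say the bound is intentionally conservative, e.g. `* The bound includes the FCS whether or not it was stripped, so slightly larger frames are treated as short too.`.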
@@ -0,0 +1,34 @@ +From foo@baz Sun Feb 24 14:36:50 CET 2019 +From: Kal Conley +Date: Sun, 10 Feb 2019 09:57:11 +0100 +Subject: net/packet: fix 4gb buffer limit due to overflow check + +From: Kal Conley + +[ Upstream commit fc62814d690cf62189854464f4bd07457d5e9e50 ] + +When calculating rb->frames_per_block * req->tp_block_nr the result +can overflow. Check it for overflow without limiting the total buffer +size to UINT_MAX. + +This change fixes support for packet ring buffers >= UINT_MAX. + +Fixes: 8f8d28e4d6d8 ("net/packet: fix overflow in check for tp_frame_nr") +Signed-off-by: Kal Conley +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/packet/af_packet.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/packet/af_packet.c ++++ b/net/packet/af_packet.c +@@ -4316,7 +4316,7 @@ static int packet_set_ring(struct sock * + rb->frames_per_block = req->tp_block_size / req->tp_frame_size; + if (unlikely(rb->frames_per_block == 0)) + goto out; +- if (unlikely(req->tp_block_size > UINT_MAX / req->tp_block_nr)) ++ if (unlikely(rb->frames_per_block > UINT_MAX / req->tp_block_nr)) + goto out; + if (unlikely((rb->frames_per_block * req->tp_block_nr) != + req->tp_frame_nr)) diff --git a/queue-4.9/parisc-fix-ptrace-syscall-number-modification.patch b/queue-4.9/parisc-fix-ptrace-syscall-number-modification.patch new file mode 100644 index 00000000000..d1a01a3744d --- /dev/null +++ b/queue-4.9/parisc-fix-ptrace-syscall-number-modification.patch 
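Review bot: The replaced check in packet_set_ring() was also the only bound on `req->tp_block_size * req->tp_block_nr`, i.e. on the total ring size; the new line only guarantees that `rb->frames_per_block * req->tp_block_nr` does not wrap, which is exactly what the comparison on the following line needs. Since the stated purpose is to allow rings of 4 GiB and more, every later total-size computation (page-vector allocation, the mmap size check) has to be done in `unsigned long` rather than `unsigned int`; those lines are outside this hunk, so please confirm they already are. A one-line comment would make the intent explicit: `/* tp_block_nr != 0 here; frames_per_block * tp_block_nr must fit in unsigned int (tp_frame_nr) */`. The non-zero divisor is established before the hunk, as the removed line divided by it too.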
@@ -0,0 +1,91 @@ +From b7dc5a071ddf69c0350396b203cba32fe5bab510 Mon Sep 17 00:00:00 2001 +From: "Dmitry V. Levin" +Date: Sat, 16 Feb 2019 16:10:39 +0300 +Subject: parisc: Fix ptrace syscall number modification + +From: Dmitry V. Levin + +commit b7dc5a071ddf69c0350396b203cba32fe5bab510 upstream. + +Commit 910cd32e552e ("parisc: Fix and enable seccomp filter support") +introduced a regression in ptrace-based syscall tampering: when tracer +changes syscall number to -1, the kernel fails to initialize %r28 with +-ENOSYS and subsequently fails to return the error code of the failed +syscall to userspace. + +This erroneous behaviour could be observed with a simple strace syscall +fault injection command which is expected to print something like this: + +$ strace -a0 -ewrite -einject=write:error=enospc echo hello +write(1, "hello\n", 6) = -1 ENOSPC (No space left on device) (INJECTED) +write(2, "echo: ", 6) = -1 ENOSPC (No space left on device) (INJECTED) +write(2, "write error", 11) = -1 ENOSPC (No space left on device) (INJECTED) +write(2, "\n", 1) = -1 ENOSPC (No space left on device) (INJECTED) ++++ exited with 1 +++ + +After commit 910cd32e552ea09caa89cdbe328e468979b030dd it loops printing +something like this instead: + +write(1, "hello\n", 6../strace: Failed to tamper with process 12345: unexpectedly got no error (return value 0, error 0) +) = 0 (INJECTED) + +This bug was found by strace test suite. + +Fixes: 910cd32e552e ("parisc: Fix and enable seccomp filter support") +Cc: stable@vger.kernel.org # v4.5+ +Signed-off-by: Dmitry V. 
Levin +Tested-by: Helge Deller +Signed-off-by: Helge Deller +Signed-off-by: Greg Kroah-Hartman + +--- + arch/parisc/kernel/ptrace.c | 29 +++++++++++++++++++++-------- + 1 file changed, 21 insertions(+), 8 deletions(-) + +--- a/arch/parisc/kernel/ptrace.c ++++ b/arch/parisc/kernel/ptrace.c +@@ -311,15 +311,29 @@ long compat_arch_ptrace(struct task_stru + + long do_syscall_trace_enter(struct pt_regs *regs) + { +- if (test_thread_flag(TIF_SYSCALL_TRACE) && +- tracehook_report_syscall_entry(regs)) { ++ if (test_thread_flag(TIF_SYSCALL_TRACE)) { ++ int rc = tracehook_report_syscall_entry(regs); ++ + /* +- * Tracing decided this syscall should not happen or the +- * debugger stored an invalid system call number. Skip +- * the system call and the system call restart handling. ++ * As tracesys_next does not set %r28 to -ENOSYS ++ * when %r20 is set to -1, initialize it here. + */ +- regs->gr[20] = -1UL; +- goto out; ++ regs->gr[28] = -ENOSYS; ++ ++ if (rc) { ++ /* ++ * A nonzero return code from ++ * tracehook_report_syscall_entry() tells us ++ * to prevent the syscall execution. Skip ++ * the syscall call and the syscall restart handling. ++ * ++ * Note that the tracer may also just change ++ * regs->gr[20] to an invalid syscall number, ++ * that is handled by tracesys_next. ++ */ ++ regs->gr[20] = -1UL; ++ return -1; ++ } + } + + /* Do the secure computing check after ptrace. */ +@@ -343,7 +357,6 @@ long do_syscall_trace_enter(struct pt_re + regs->gr[24] & 0xffffffff, + regs->gr[23] & 0xffffffff); + +-out: + /* + * Sign extend the syscall number to 64bit since it may have been + * modified by a compat ptrace call diff --git a/queue-4.9/sctp-call-gso_reset_checksum-when-computing-checksum-in-sctp_gso_segment.patch b/queue-4.9/sctp-call-gso_reset_checksum-when-computing-checksum-in-sctp_gso_segment.patch new file mode 100644 index 00000000000..edc8e08479a --- /dev/null +++ b/queue-4.9/sctp-call-gso_reset_checksum-when-computing-checksum-in-sctp_gso_segment.patch 
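Review bot: `regs->gr[28] = -ENOSYS` is written after tracehook_report_syscall_entry() returns, so it overwrites any %r28 value the tracer stored during the entry stop; if that is intended (a -1 syscall number yielding -ENOSYS regardless of what the tracer put in the return register, as on other architectures), the comment should say so, e.g. `* This overrides any %r28 the tracer stored at entry: a -1 syscall number must yield -ENOSYS.`. The new comment's "Skip the syscall call and the syscall restart handling" also reads better as "Skip the syscall and its restart handling". do_syscall_trace_enter continues outside the hunk (the secure_computing() check and the sign-extending return), so the interaction with a seccomp-set return value cannot be judged from here.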
@@ -0,0 +1,69 @@ +From foo@baz Sun Feb 24 14:36:50 CET 2019 +From: Xin Long +Date: Tue, 12 Feb 2019 18:47:30 +0800 +Subject: sctp: call gso_reset_checksum when computing checksum in sctp_gso_segment + +From: Xin Long + +[ Upstream commit fc228abc2347e106a44c0e9b29ab70b712c4ca51 ] + +Jianlin reported a panic when running sctp gso over gre over vlan device: + + [ 84.772930] RIP: 0010:do_csum+0x6d/0x170 + [ 84.790605] Call Trace: + [ 84.791054] csum_partial+0xd/0x20 + [ 84.791657] gre_gso_segment+0x2c3/0x390 + [ 84.792364] inet_gso_segment+0x161/0x3e0 + [ 84.793071] skb_mac_gso_segment+0xb8/0x120 + [ 84.793846] __skb_gso_segment+0x7e/0x180 + [ 84.794581] validate_xmit_skb+0x141/0x2e0 + [ 84.795297] __dev_queue_xmit+0x258/0x8f0 + [ 84.795949] ? eth_header+0x26/0xc0 + [ 84.796581] ip_finish_output2+0x196/0x430 + [ 84.797295] ? skb_gso_validate_network_len+0x11/0x80 + [ 84.798183] ? ip_finish_output+0x169/0x270 + [ 84.798875] ip_output+0x6c/0xe0 + [ 84.799413] ? ip_append_data.part.50+0xc0/0xc0 + [ 84.800145] iptunnel_xmit+0x144/0x1c0 + [ 84.800814] ip_tunnel_xmit+0x62d/0x930 [ip_tunnel] + [ 84.801699] gre_tap_xmit+0xac/0xf0 [ip_gre] + [ 84.802395] dev_hard_start_xmit+0xa5/0x210 + [ 84.803086] sch_direct_xmit+0x14f/0x340 + [ 84.803733] __dev_queue_xmit+0x799/0x8f0 + [ 84.804472] ip_finish_output2+0x2e0/0x430 + [ 84.805255] ? skb_gso_validate_network_len+0x11/0x80 + [ 84.806154] ip_output+0x6c/0xe0 + [ 84.806721] ? ip_append_data.part.50+0xc0/0xc0 + [ 84.807516] sctp_packet_transmit+0x716/0xa10 [sctp] + [ 84.808337] sctp_outq_flush+0xd7/0x880 [sctp] + +It was caused by SKB_GSO_CB(skb)->csum_start not set in sctp_gso_segment. +sctp_gso_segment() calls skb_segment() with 'feature | NETIF_F_HW_CSUM', +which causes SKB_GSO_CB(skb)->csum_start not to be set in skb_segment(). + +For TCP/UDP, when feature supports HW_CSUM, CHECKSUM_PARTIAL will be set +and gso_reset_checksum will be called to set SKB_GSO_CB(skb)->csum_start. 
+ +So SCTP should do the same as TCP/UDP, to call gso_reset_checksum() when +computing checksum in sctp_gso_segment. + +Reported-by: Jianlin Shi +Signed-off-by: Xin Long +Acked-by: Neil Horman +Acked-by: Marcelo Ricardo Leitner +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/sctp/offload.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/sctp/offload.c ++++ b/net/sctp/offload.c +@@ -35,6 +35,7 @@ + static __le32 sctp_gso_make_checksum(struct sk_buff *skb) + { + skb->ip_summed = CHECKSUM_NONE; ++ gso_reset_checksum(skb, ~0); + return sctp_compute_cksum(skb, skb_transport_offset(skb)); + } + diff --git a/queue-4.9/series b/queue-4.9/series index 189ea645ec4..1de5b3e98f8 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -29,3 +29,13 @@ net-ethernet-stmmac-change-dma-descriptors-to-__le32.patch rdma-srp-rework-scsi-device-reset-handling.patch keys-user-align-the-payload-buffer.patch keys-always-initialize-keyring_index_key-desc_len.patch +batman-adv-fix-uninit-value-in-batadv_interface_tx.patch +net-packet-fix-4gb-buffer-limit-due-to-overflow-check.patch +team-avoid-complex-list-operations-in-team_nl_cmd_options_set.patch +sit-check-if-ipv6-enabled-before-calling-ip6_err_gen_icmpv6_unreach.patch +sctp-call-gso_reset_checksum-when-computing-checksum-in-sctp_gso_segment.patch +net-mlx4_en-force-checksum_none-for-short-ethernet-frames.patch +parisc-fix-ptrace-syscall-number-modification.patch +arcv2-enable-unaligned-access-in-early-asm-code.patch +arc-u-boot-check-arguments-paranoidly.patch +arc-define-arch_slab_minalign-8.patch diff --git a/queue-4.9/sit-check-if-ipv6-enabled-before-calling-ip6_err_gen_icmpv6_unreach.patch b/queue-4.9/sit-check-if-ipv6-enabled-before-calling-ip6_err_gen_icmpv6_unreach.patch new file mode 100644 index 00000000000..28c4e579b94 --- /dev/null +++ b/queue-4.9/sit-check-if-ipv6-enabled-before-calling-ip6_err_gen_icmpv6_unreach.patch 
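Review bot: The new `gso_reset_checksum(skb, ~0);` in sctp_gso_make_checksum() passes a magic value with no explanation; per the changelog the point is to populate SKB_GSO_CB(skb)->csum_start so an outer segmenter (gre_gso_segment() in the reported trace) can csum_partial() the segment, and the SCTP checksum is a CRC32c that no outer 1's-complement sum can build on, which is presumably why a placeholder rather than a real partial sum is recorded. A comment above the call would capture that: `/* CRC32c is not a 1's complement sum; only csum_start matters to an outer GSO (e.g. gre) */`. Also confirm that, with ip_summed set to CHECKSUM_NONE on the previous line, the csum_start the helper records still points at the transport header; that presumably comes from the csum_start the caller set, which is outside this hunk.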
@@ -0,0 +1,46 @@ +From foo@baz Sun Feb 24 14:36:50 CET 2019 +From: Hangbin Liu +Date: Thu, 7 Feb 2019 18:36:11 +0800 +Subject: sit: check if IPv6 enabled before calling ip6_err_gen_icmpv6_unreach() + +From: Hangbin Liu + +[ Upstream commit 173656accaf583698bac3f9e269884ba60d51ef4 ] + +If we disabled IPv6 from the kernel command line (ipv6.disable=1), we should +not call ip6_err_gen_icmpv6_unreach(). This: + + ip link add sit1 type sit local 192.0.2.1 remote 192.0.2.2 ttl 1 + ip link set sit1 up + ip addr add 198.51.100.1/24 dev sit1 + ping 198.51.100.2 + +if IPv6 is disabled at boot time, will crash the kernel. + +v2: there's no need to use in6_dev_get(), use __in6_dev_get() instead, + as we only need to check that idev exists and we are under + rcu_read_lock() (from netif_receive_skb_internal()). + +Reported-by: Jianlin Shi +Fixes: ca15a078bd90 ("sit: generate icmpv6 error when receiving icmpv4 error") +Cc: Oussama Ghorbel +Signed-off-by: Hangbin Liu +Reviewed-by: Stefano Brivio +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/sit.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/ipv6/sit.c ++++ b/net/ipv6/sit.c +@@ -540,7 +540,8 @@ static int ipip6_err(struct sk_buff *skb + } + + err = 0; +- if (!ip6_err_gen_icmpv6_unreach(skb, iph->ihl * 4, type, data_len)) ++ if (__in6_dev_get(skb->dev) && ++ !ip6_err_gen_icmpv6_unreach(skb, iph->ihl * 4, type, data_len)) + goto out; + + if (t->parms.iph.daddr == 0) diff --git a/queue-4.9/team-avoid-complex-list-operations-in-team_nl_cmd_options_set.patch b/queue-4.9/team-avoid-complex-list-operations-in-team_nl_cmd_options_set.patch new file mode 100644 index 00000000000..b8bb4ee0673 --- /dev/null +++ b/queue-4.9/team-avoid-complex-list-operations-in-team_nl_cmd_options_set.patch 
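Review bot: The added `__in6_dev_get(skb->dev) &&` guard in ipip6_err() encodes a non-obvious fact — that a missing inet6 device is how "IPv6 disabled at boot" shows up here — and nothing at the call site says so; a one-line comment above it would help, e.g. `/* no idev when IPv6 is disabled (ipv6.disable=1): skip the ICMPv6 error */`. The changelog also relies on the caller holding rcu_read_lock() for the lockless __in6_dev_get(); since ipip6_err's callers are outside this hunk, recording that next to the call (`/* rcu_read_lock held by caller */`) would catch a future non-RCU caller in review. Whether skb->dev can be NULL on this path is likewise not visible from the hunk and is worth a glance.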
@@ -0,0 +1,113 @@ +From foo@baz Sun Feb 24 14:36:50 CET 2019 +From: Cong Wang +Date: Mon, 11 Feb 2019 21:59:51 -0800 +Subject: team: avoid complex list operations in team_nl_cmd_options_set() + +From: Cong Wang + +[ Upstream commit 2fdeee2549231b1f989f011bb18191f5660d3745 ] + +The current opt_inst_list operations inside team_nl_cmd_options_set() +is too complex to track: + + LIST_HEAD(opt_inst_list); + nla_for_each_nested(...) { + list_for_each_entry(opt_inst, &team->option_inst_list, list) { + if (__team_option_inst_tmp_find(&opt_inst_list, opt_inst)) + continue; + list_add(&opt_inst->tmp_list, &opt_inst_list); + } + } + team_nl_send_event_options_get(team, &opt_inst_list); + +as while we retrieve 'opt_inst' from team->option_inst_list, it could +be added to the local 'opt_inst_list' for multiple times. The +__team_option_inst_tmp_find() doesn't work, as the setter +team_mode_option_set() still calls team->ops.exit() which uses +->tmp_list too in __team_options_change_check(). + +Simplify the list operations by moving the 'opt_inst_list' and +team_nl_send_event_options_get() into the nla_for_each_nested() loop so +that it can be guranteed that we won't insert a same list entry for +multiple times. Therefore, __team_option_inst_tmp_find() can be removed +too. + +Fixes: 4fb0534fb7bb ("team: avoid adding twice the same option to the event list") +Fixes: 2fcdb2c9e659 ("team: allow to send multiple set events in one message") +Reported-by: syzbot+4d4af685432dc0e56c91@syzkaller.appspotmail.com +Reported-by: syzbot+68ee510075cf64260cc4@syzkaller.appspotmail.com +Cc: Jiri Pirko +Cc: Paolo Abeni +Signed-off-by: Cong Wang +Acked-by: Jiri Pirko +Reviewed-by: Paolo Abeni +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/team/team.c | 27 +++++---------------------- + 1 file changed, 5 insertions(+), 22 deletions(-) + +--- a/drivers/net/team/team.c ++++ b/drivers/net/team/team.c +@@ -261,17 +261,6 @@ static void __team_option_inst_mark_remo + } + } + +-static bool __team_option_inst_tmp_find(const struct list_head *opts, +- const struct team_option_inst *needle) +-{ +- struct team_option_inst *opt_inst; +- +- list_for_each_entry(opt_inst, opts, tmp_list) +- if (opt_inst == needle) +- return true; +- return false; +-} +- + static int __team_options_register(struct team *team, + const struct team_option *option, + size_t option_count) +@@ -2466,7 +2455,6 @@ static int team_nl_cmd_options_set(struc + int err = 0; + int i; + struct nlattr *nl_option; +- LIST_HEAD(opt_inst_list); + + rtnl_lock(); + +@@ -2486,6 +2474,7 @@ static int team_nl_cmd_options_set(struc + struct nlattr *opt_attrs[TEAM_ATTR_OPTION_MAX + 1]; + struct nlattr *attr; + struct nlattr *attr_data; ++ LIST_HEAD(opt_inst_list); + enum team_option_type opt_type; + int opt_port_ifindex = 0; /* != 0 for per-port options */ + u32 opt_array_index = 0; +@@ -2589,23 +2578,17 @@ static int team_nl_cmd_options_set(struc + if (err) + goto team_put; + opt_inst->changed = true; +- +- /* dumb/evil user-space can send us duplicate opt, +- * keep only the last one +- */ +- if (__team_option_inst_tmp_find(&opt_inst_list, +- opt_inst)) +- continue; +- + list_add(&opt_inst->tmp_list, &opt_inst_list); + } + if (!opt_found) { + err = -ENOENT; + goto team_put; + } +- } + +- err = team_nl_send_event_options_get(team, &opt_inst_list); ++ err = team_nl_send_event_options_get(team, &opt_inst_list); ++ if (err) ++ break; ++ } + + team_put: + team_nl_team_put(team);
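Review bot: In team_nl_cmd_options_set() the new `if (err) break;` after team_nl_send_event_options_get() is the only error exit in this loop that uses break; every other failure in the same loop does `goto team_put`, and since the break ends up at the same label it would be clearer and consistent to write `goto team_put;`. Moving the send into the nla_for_each_nested() loop also means one event is now emitted per nested option attribute instead of one batched event per request; that is what the fix needs, but it is user-visible, so a short comment above the call would help, e.g. `/* send one event per option so an opt_inst is never queued twice */`. The loop header and the function's remaining error handling lie outside the hunk.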