From: Greg Kroah-Hartman Date: Fri, 2 Nov 2018 05:16:13 +0000 (+0100) Subject: 4.19-stable patches X-Git-Tag: v4.19.1~22 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=391cf331ae940a9456783540112a83b64ce65e34;p=thirdparty%2Fkernel%2Fstable-queue.git 4.19-stable patches added patches: bonding-fix-length-of-actor-system.patch bridge-do-not-add-port-to-router-list-when-receives-query-with-source-0.0.0.0.patch ipv6-ndisc-preserve-ipv6-control-buffer-if-protocol-error-handlers-are-called.patch mlxsw-core-fix-devlink-unregister-flow.patch mlxsw-spectrum_switchdev-don-t-ignore-deletions-of-learned-macs.patch net-drop-skb-on-failure-in-ip_check_defrag.patch net-ipv6-allow-onlink-routes-to-have-a-device-mismatch-if-it-is-the-default-route.patch net-mlx5e-fix-csum-adjustments-caused-by-rxfcs.patch net-properly-unlink-gro-packets-on-overflow.patch net-sched-gred-pass-the-right-attribute-to-gred_change_table_def.patch net-smc-fix-smc_buf_unuse-to-use-the-lgr-pointer.patch net-stmmac-fix-stmmac_mdio_reset-when-building-stmmac-as-modules.patch net-udp-fix-handling-of-checksum_complete-packets.patch openvswitch-fix-push-pop-ethernet-validation.patch r8169-fix-broken-wake-on-lan-from-s5-poweroff.patch revert-be2net-remove-desc-field-from-be_eq_obj.patch revert-net-simplify-sock_poll_wait.patch rtnetlink-disallow-fdb-configuration-for-non-ethernet-device.patch sctp-check-policy-more-carefully-when-getting-pr-status.patch vhost-fix-spectre-v1-vulnerability.patch --- diff --git a/queue-4.19/bonding-fix-length-of-actor-system.patch b/queue-4.19/bonding-fix-length-of-actor-system.patch new file mode 100644 index 00000000000..a7477d7362e --- /dev/null +++ b/queue-4.19/bonding-fix-length-of-actor-system.patch @@ -0,0 +1,34 @@ +From foo@baz Fri Nov 2 06:12:28 CET 2018 +From: Tobias Jungel +Date: Sun, 28 Oct 2018 12:54:10 +0100 +Subject: bonding: fix length of actor system + +From: Tobias Jungel + +[ Upstream commit 414dd6fb9a1a1b59983aea7bf0f79f0085ecc5b8 ] + +The attribute IFLA_BOND_AD_ACTOR_SYSTEM is sent to user space having the +length of sizeof(bond->params.ad_actor_system) which is 8 byte. This +patch aligns the length to ETH_ALEN to have the same MAC address exposed +as using sysfs. + +Fixes: f87fda00b6ed2 ("bonding: prevent out of bound accesses") +Signed-off-by: Tobias Jungel +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/bonding/bond_netlink.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/net/bonding/bond_netlink.c ++++ b/drivers/net/bonding/bond_netlink.c +@@ -638,8 +638,7 @@ static int bond_fill_info(struct sk_buff + goto nla_put_failure; + + if (nla_put(skb, IFLA_BOND_AD_ACTOR_SYSTEM, +- sizeof(bond->params.ad_actor_system), +- &bond->params.ad_actor_system)) ++ ETH_ALEN, &bond->params.ad_actor_system)) + goto nla_put_failure; + } + if (!bond_3ad_get_active_agg_info(bond, &info)) { diff --git a/queue-4.19/bridge-do-not-add-port-to-router-list-when-receives-query-with-source-0.0.0.0.patch b/queue-4.19/bridge-do-not-add-port-to-router-list-when-receives-query-with-source-0.0.0.0.patch new file mode 100644 index 00000000000..d53d68bb4d2 --- /dev/null +++ b/queue-4.19/bridge-do-not-add-port-to-router-list-when-receives-query-with-source-0.0.0.0.patch @@ -0,0 +1,56 @@ +From foo@baz Fri Nov 2 06:12:28 CET 2018 +From: Hangbin Liu +Date: Fri, 26 Oct 2018 10:28:43 +0800 +Subject: bridge: do not add port to router list when receives query with source 0.0.0.0 + +From: Hangbin Liu + +[ Upstream commit 5a2de63fd1a59c30c02526d427bc014b98adf508 ] + +Based on RFC 4541, 2.1.1. IGMP Forwarding Rules + + The switch supporting IGMP snooping must maintain a list of + multicast routers and the ports on which they are attached. This + list can be constructed in any combination of the following ways: + + a) This list should be built by the snooping switch sending + Multicast Router Solicitation messages as described in IGMP + Multicast Router Discovery [MRDISC]. It may also snoop + Multicast Router Advertisement messages sent by and to other + nodes. + + b) The arrival port for IGMP Queries (sent by multicast routers) + where the source address is not 0.0.0.0. + +We should not add the port to router list when receives query with source +0.0.0.0. + +Reported-by: Ying Xu +Signed-off-by: Hangbin Liu +Acked-by: Nikolay Aleksandrov +Acked-by: Roopa Prabhu +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/bridge/br_multicast.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +--- a/net/bridge/br_multicast.c ++++ b/net/bridge/br_multicast.c +@@ -1420,7 +1420,15 @@ static void br_multicast_query_received( + return; + + br_multicast_update_query_timer(br, query, max_delay); +- br_multicast_mark_router(br, port); ++ ++ /* Based on RFC4541, section 2.1.1 IGMP Forwarding Rules, ++ * the arrival port for IGMP Queries where the source address ++ * is 0.0.0.0 should not be added to router port list. ++ */ ++ if ((saddr->proto == htons(ETH_P_IP) && saddr->u.ip4) || ++ (saddr->proto == htons(ETH_P_IPV6) && ++ !ipv6_addr_any(&saddr->u.ip6))) ++ br_multicast_mark_router(br, port); + } + + static void br_ip4_multicast_query(struct net_bridge *br, diff --git a/queue-4.19/ipv6-ndisc-preserve-ipv6-control-buffer-if-protocol-error-handlers-are-called.patch b/queue-4.19/ipv6-ndisc-preserve-ipv6-control-buffer-if-protocol-error-handlers-are-called.patch new file mode 100644 index 00000000000..3c3a4ae76fb --- /dev/null +++ b/queue-4.19/ipv6-ndisc-preserve-ipv6-control-buffer-if-protocol-error-handlers-are-called.patch @@ -0,0 +1,53 @@ +From foo@baz Fri Nov 2 06:12:28 CET 2018 +From: Stefano Brivio +Date: Wed, 24 Oct 2018 14:37:21 +0200 +Subject: ipv6/ndisc: Preserve IPv6 control buffer if protocol error handlers are called + +From: Stefano Brivio + +[ Upstream commit ee1abcf689353f36d9322231b4320926096bdee0 ] + +Commit a61bbcf28a8c ("[NET]: Store skb->timestamp as offset to a base +timestamp") introduces a neighbour control buffer and zeroes it out in +ndisc_rcv(), as ndisc_recv_ns() uses it. + +Commit f2776ff04722 ("[IPV6]: Fix address/interface handling in UDP and +DCCP, according to the scoping architecture.") introduces the usage of the +IPv6 control buffer in protocol error handlers (e.g. inet6_iif() in +present-day __udp6_lib_err()). + +Now, with commit b94f1c0904da ("ipv6: Use icmpv6_notify() to propagate +redirect, instead of rt6_redirect()."), we call protocol error handlers +from ndisc_redirect_rcv(), after the control buffer is already stolen and +some parts are already zeroed out. This implies that inet6_iif() on this +path will always return zero. + +This gives unexpected results on UDP socket lookup in __udp6_lib_err(), as +we might actually need to match sockets for a given interface. + +Instead of always claiming the control buffer in ndisc_rcv(), do that only +when needed. + +Fixes: b94f1c0904da ("ipv6: Use icmpv6_notify() to propagate redirect, instead of rt6_redirect().") +Signed-off-by: Stefano Brivio +Reviewed-by: Sabrina Dubroca +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/ndisc.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/net/ipv6/ndisc.c ++++ b/net/ipv6/ndisc.c +@@ -1732,10 +1732,9 @@ int ndisc_rcv(struct sk_buff *skb) + return 0; + } + +- memset(NEIGH_CB(skb), 0, sizeof(struct neighbour_cb)); +- + switch (msg->icmph.icmp6_type) { + case NDISC_NEIGHBOUR_SOLICITATION: ++ memset(NEIGH_CB(skb), 0, sizeof(struct neighbour_cb)); + ndisc_recv_ns(skb); + break; + diff --git a/queue-4.19/mlxsw-core-fix-devlink-unregister-flow.patch b/queue-4.19/mlxsw-core-fix-devlink-unregister-flow.patch new file mode 100644 index 00000000000..963b1ef8adb --- /dev/null +++ b/queue-4.19/mlxsw-core-fix-devlink-unregister-flow.patch @@ -0,0 +1,75 @@ +From foo@baz Fri Nov 2 06:12:28 CET 2018 +From: Shalom Toledo +Date: Mon, 29 Oct 2018 14:26:16 +0000 +Subject: mlxsw: core: Fix devlink unregister flow + +From: Shalom Toledo + +[ Upstream commit a22712a962912faf257e857ab6857f56a93cfb34 ] + +After a failed reload, the driver is still registered to devlink, its +devlink instance is still allocated and the 'reload_fail' flag is set. +Then, in the next reload try, the driver's allocated devlink instance will +be freed without unregistering from devlink and its components (e.g, +resources). This scenario can cause a use-after-free if the user tries to +execute command via devlink user-space tool. + +Fix by not freeing the devlink instance during reload (failed or not). + +Fixes: 24cc68ad6c46 ("mlxsw: core: Add support for reload") +Signed-off-by: Shalom Toledo +Reviewed-by: Jiri Pirko +Signed-off-by: Ido Schimmel +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlxsw/core.c | 24 +++++++++++++++++------- + 1 file changed, 17 insertions(+), 7 deletions(-) + +--- a/drivers/net/ethernet/mellanox/mlxsw/core.c ++++ b/drivers/net/ethernet/mellanox/mlxsw/core.c +@@ -943,8 +943,8 @@ static int mlxsw_devlink_core_bus_device + mlxsw_core->bus, + mlxsw_core->bus_priv, true, + devlink); +- if (err) +- mlxsw_core->reload_fail = true; ++ mlxsw_core->reload_fail = !!err; ++ + return err; + } + +@@ -1083,8 +1083,15 @@ void mlxsw_core_bus_device_unregister(st + { + struct devlink *devlink = priv_to_devlink(mlxsw_core); + +- if (mlxsw_core->reload_fail) +- goto reload_fail; ++ if (mlxsw_core->reload_fail) { ++ if (!reload) ++ /* Only the parts that were not de-initialized in the ++ * failed reload attempt need to be de-initialized. ++ */ ++ goto reload_fail_deinit; ++ else ++ return; ++ } + + if (mlxsw_core->driver->fini) + mlxsw_core->driver->fini(mlxsw_core); +@@ -1098,9 +1105,12 @@ void mlxsw_core_bus_device_unregister(st + if (!reload) + devlink_resources_unregister(devlink, NULL); + mlxsw_core->bus->fini(mlxsw_core->bus_priv); +- if (reload) +- return; +-reload_fail: ++ ++ return; ++ ++reload_fail_deinit: ++ devlink_unregister(devlink); ++ devlink_resources_unregister(devlink, NULL); + devlink_free(devlink); + } + EXPORT_SYMBOL(mlxsw_core_bus_device_unregister); diff --git a/queue-4.19/mlxsw-spectrum_switchdev-don-t-ignore-deletions-of-learned-macs.patch b/queue-4.19/mlxsw-spectrum_switchdev-don-t-ignore-deletions-of-learned-macs.patch new file mode 100644 index 00000000000..ebf6e6d9db7 --- /dev/null +++ b/queue-4.19/mlxsw-spectrum_switchdev-don-t-ignore-deletions-of-learned-macs.patch @@ -0,0 +1,34 @@ +From foo@baz Fri Nov 2 06:12:28 CET 2018 +From: Petr Machata +Date: Mon, 29 Oct 2018 14:26:14 +0000 +Subject: mlxsw: spectrum_switchdev: Don't ignore deletions of learned MACs + +From: Petr Machata + +[ Upstream commit ad0b9d94182be8356978d220c82f9837cffeb7a9 ] + +Demands to remove FDB entries should be honored even if the FDB entry in +question was originally learned, and not added by the user. Therefore +ignore the added_by_user datum for SWITCHDEV_FDB_DEL_TO_DEVICE. + +Fixes: 816a3bed9549 ("switchdev: Add fdb.added_by_user to switchdev notifications") +Signed-off-by: Petr Machata +Suggested-by: Ido Schimmel +Signed-off-by: Ido Schimmel +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlxsw/spectrum_switchdev.c | 2 -- + 1 file changed, 2 deletions(-) + +--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_switchdev.c ++++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_switchdev.c +@@ -2317,8 +2317,6 @@ static void mlxsw_sp_switchdev_event_wor + break; + case SWITCHDEV_FDB_DEL_TO_DEVICE: + fdb_info = &switchdev_work->fdb_info; +- if (!fdb_info->added_by_user) +- break; + mlxsw_sp_port_fdb_set(mlxsw_sp_port, fdb_info, false); + break; + case SWITCHDEV_FDB_ADD_TO_BRIDGE: /* fall through */ diff --git a/queue-4.19/net-drop-skb-on-failure-in-ip_check_defrag.patch b/queue-4.19/net-drop-skb-on-failure-in-ip_check_defrag.patch new file mode 100644 index 00000000000..5ec144bea21 --- /dev/null +++ b/queue-4.19/net-drop-skb-on-failure-in-ip_check_defrag.patch @@ -0,0 +1,55 @@ +From foo@baz Fri Nov 2 06:12:28 CET 2018 +From: Cong Wang +Date: Thu, 1 Nov 2018 12:02:37 -0700 +Subject: net: drop skb on failure in ip_check_defrag() + +From: Cong Wang + +[ Upstream commit 7de414a9dd91426318df7b63da024b2b07e53df5 ] + +Most callers of pskb_trim_rcsum() simply drop the skb when +it fails, however, ip_check_defrag() still continues to pass +the skb up to stack. This is suspicious. + +In ip_check_defrag(), after we learn the skb is an IP fragment, +passing the skb to callers makes no sense, because callers expect +fragments are defrag'ed on success. So, dropping the skb when we +can't defrag it is reasonable. + +Note, prior to commit 88078d98d1bb, this is not a big problem as +checksum will be fixed up anyway. After it, the checksum is not +correct on failure. + +Found this during code review. + +Fixes: 88078d98d1bb ("net: pskb_trim_rcsum() and CHECKSUM_COMPLETE are friends") +Cc: Eric Dumazet +Signed-off-by: Cong Wang +Reviewed-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/ip_fragment.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +--- a/net/ipv4/ip_fragment.c ++++ b/net/ipv4/ip_fragment.c +@@ -720,10 +720,14 @@ struct sk_buff *ip_check_defrag(struct n + if (ip_is_fragment(&iph)) { + skb = skb_share_check(skb, GFP_ATOMIC); + if (skb) { +- if (!pskb_may_pull(skb, netoff + iph.ihl * 4)) +- return skb; +- if (pskb_trim_rcsum(skb, netoff + len)) +- return skb; ++ if (!pskb_may_pull(skb, netoff + iph.ihl * 4)) { ++ kfree_skb(skb); ++ return NULL; ++ } ++ if (pskb_trim_rcsum(skb, netoff + len)) { ++ kfree_skb(skb); ++ return NULL; ++ } + memset(IPCB(skb), 0, sizeof(struct inet_skb_parm)); + if (ip_defrag(net, skb, user)) + return NULL; diff --git a/queue-4.19/net-ipv6-allow-onlink-routes-to-have-a-device-mismatch-if-it-is-the-default-route.patch b/queue-4.19/net-ipv6-allow-onlink-routes-to-have-a-device-mismatch-if-it-is-the-default-route.patch new file mode 100644 index 00000000000..1850647b2bd --- /dev/null +++ b/queue-4.19/net-ipv6-allow-onlink-routes-to-have-a-device-mismatch-if-it-is-the-default-route.patch @@ -0,0 +1,81 @@ +From foo@baz Fri Nov 2 06:12:28 CET 2018 +From: David Ahern +Date: Wed, 24 Oct 2018 13:58:39 -0700 +Subject: net/ipv6: Allow onlink routes to have a device mismatch if it is the default route + +From: David Ahern + +[ Upstream commit 4ed591c8ab44e711e56b8e021ffaf4f407c045f5 ] + +The intent of ip6_route_check_nh_onlink is to make sure the gateway +given for an onlink route is not actually on a connected route for +a different interface (e.g., 2001:db8:1::/64 is on dev eth1 and then +an onlink route has a via 2001:db8:1::1 dev eth2). If the gateway +lookup hits the default route then it most likely will be a different +interface than the onlink route which is ok. + +Update ip6_route_check_nh_onlink to disregard the device mismatch +if the gateway lookup hits the default route. Turns out the existing +onlink tests are passing because there is no default route or it is +an unreachable default, so update the onlink tests to have a default +route other than unreachable. + +Fixes: fc1e64e1092f6 ("net/ipv6: Add support for onlink flag") +Signed-off-by: David Ahern +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/route.c | 2 ++ + tools/testing/selftests/net/fib-onlink-tests.sh | 14 +++++++------- + 2 files changed, 9 insertions(+), 7 deletions(-) + +--- a/net/ipv6/route.c ++++ b/net/ipv6/route.c +@@ -2799,6 +2799,8 @@ static int ip6_route_check_nh_onlink(str + grt = ip6_nh_lookup_table(net, cfg, gw_addr, tbid, 0); + if (grt) { + if (!grt->dst.error && ++ /* ignore match if it is the default route */ ++ grt->from && !ipv6_addr_any(&grt->from->fib6_dst.addr) && + (grt->rt6i_flags & flags || dev != grt->dst.dev)) { + NL_SET_ERR_MSG(extack, + "Nexthop has invalid gateway or device mismatch"); +--- a/tools/testing/selftests/net/fib-onlink-tests.sh ++++ b/tools/testing/selftests/net/fib-onlink-tests.sh +@@ -167,8 +167,8 @@ setup() + # add vrf table + ip li add ${VRF} type vrf table ${VRF_TABLE} + ip li set ${VRF} up +- ip ro add table ${VRF_TABLE} unreachable default +- ip -6 ro add table ${VRF_TABLE} unreachable default ++ ip ro add table ${VRF_TABLE} unreachable default metric 8192 ++ ip -6 ro add table ${VRF_TABLE} unreachable default metric 8192 + + # create test interfaces + ip li add ${NETIFS[p1]} type veth peer name ${NETIFS[p2]} +@@ -185,20 +185,20 @@ setup() + for n in 1 3 5 7; do + ip li set ${NETIFS[p${n}]} up + ip addr add ${V4ADDRS[p${n}]}/24 dev ${NETIFS[p${n}]} +- ip addr add ${V6ADDRS[p${n}]}/64 dev ${NETIFS[p${n}]} ++ ip addr add ${V6ADDRS[p${n}]}/64 dev ${NETIFS[p${n}]} nodad + done + + # move peer interfaces to namespace and add addresses + for n in 2 4 6 8; do + ip li set ${NETIFS[p${n}]} netns ${PEER_NS} up + ip -netns ${PEER_NS} addr add ${V4ADDRS[p${n}]}/24 dev ${NETIFS[p${n}]} +- ip -netns ${PEER_NS} addr add ${V6ADDRS[p${n}]}/64 dev ${NETIFS[p${n}]} ++ ip -netns ${PEER_NS} addr add ${V6ADDRS[p${n}]}/64 dev ${NETIFS[p${n}]} nodad + done + +- set +e ++ ip -6 ro add default via ${V6ADDRS[p3]/::[0-9]/::64} ++ ip -6 ro add table ${VRF_TABLE} default via ${V6ADDRS[p7]/::[0-9]/::64} + +- # let DAD complete - assume default of 1 probe +- sleep 1 ++ set +e + } + + cleanup() diff --git a/queue-4.19/net-mlx5e-fix-csum-adjustments-caused-by-rxfcs.patch b/queue-4.19/net-mlx5e-fix-csum-adjustments-caused-by-rxfcs.patch new file mode 100644 index 00000000000..713cf451efc --- /dev/null +++ b/queue-4.19/net-mlx5e-fix-csum-adjustments-caused-by-rxfcs.patch @@ -0,0 +1,108 @@ +From foo@baz Fri Nov 2 06:12:28 CET 2018 +From: Eric Dumazet +Date: Tue, 30 Oct 2018 00:57:25 -0700 +Subject: net/mlx5e: fix csum adjustments caused by RXFCS + +From: Eric Dumazet + +[ Upstream commit d48051c5b8376038c2b287c3b1bd55b8d391d567 ] + +As shown by Dmitris, we need to use csum_block_add() instead of csum_add() +when adding the FCS contribution to skb csum. + +Before 4.18 (more exactly commit 88078d98d1bb "net: pskb_trim_rcsum() +and CHECKSUM_COMPLETE are friends"), the whole skb csum was thrown away, +so RXFCS changes were ignored. + +Then before commit d55bef5059dd ("net: fix pskb_trim_rcsum_slow() with +odd trim offset") both mlx5 and pskb_trim_rcsum_slow() bugs were canceling +each other. + +Now we fixed pskb_trim_rcsum_slow() we need to fix mlx5. + +Note that this patch also rewrites mlx5e_get_fcs() to : + +- Use skb_header_pointer() instead of reinventing it. +- Use __get_unaligned_cpu32() to avoid possible non aligned accesses + as Dmitris pointed out. + +Fixes: 902a545904c7 ("net/mlx5e: When RXFCS is set, add FCS data into checksum calculation") +Reported-by: Paweł Staszewski +Signed-off-by: Eric Dumazet +Cc: Eran Ben Elisha +Cc: Saeed Mahameed +Cc: Dimitris Michailidis +Cc: Cong Wang +Cc: Paweł Staszewski +Reviewed-by: Eran Ben Elisha +Tested-By: Maria Pasechnik +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlx5/core/en_rx.c | 45 ++++-------------------- + 1 file changed, 9 insertions(+), 36 deletions(-) + +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c +@@ -696,43 +696,15 @@ static inline bool is_last_ethertype_ip( + return (ethertype == htons(ETH_P_IP) || ethertype == htons(ETH_P_IPV6)); + } + +-static __be32 mlx5e_get_fcs(struct sk_buff *skb) ++static u32 mlx5e_get_fcs(const struct sk_buff *skb) + { +- int last_frag_sz, bytes_in_prev, nr_frags; +- u8 *fcs_p1, *fcs_p2; +- skb_frag_t *last_frag; +- __be32 fcs_bytes; +- +- if (!skb_is_nonlinear(skb)) +- return *(__be32 *)(skb->data + skb->len - ETH_FCS_LEN); +- +- nr_frags = skb_shinfo(skb)->nr_frags; +- last_frag = &skb_shinfo(skb)->frags[nr_frags - 1]; +- last_frag_sz = skb_frag_size(last_frag); +- +- /* If all FCS data is in last frag */ +- if (last_frag_sz >= ETH_FCS_LEN) +- return *(__be32 *)(skb_frag_address(last_frag) + +- last_frag_sz - ETH_FCS_LEN); +- +- fcs_p2 = (u8 *)skb_frag_address(last_frag); +- bytes_in_prev = ETH_FCS_LEN - last_frag_sz; +- +- /* Find where the other part of the FCS is - Linear or another frag */ +- if (nr_frags == 1) { +- fcs_p1 = skb_tail_pointer(skb); +- } else { +- skb_frag_t *prev_frag = &skb_shinfo(skb)->frags[nr_frags - 2]; ++ const void *fcs_bytes; ++ u32 _fcs_bytes; + +- fcs_p1 = skb_frag_address(prev_frag) + +- skb_frag_size(prev_frag); +- } +- fcs_p1 -= bytes_in_prev; +- +- memcpy(&fcs_bytes, fcs_p1, bytes_in_prev); +- memcpy(((u8 *)&fcs_bytes) + bytes_in_prev, fcs_p2, last_frag_sz); ++ fcs_bytes = skb_header_pointer(skb, skb->len - ETH_FCS_LEN, ++ ETH_FCS_LEN, &_fcs_bytes); + +- return fcs_bytes; ++ return __get_unaligned_cpu32(fcs_bytes); + } + + static inline void mlx5e_handle_csum(struct net_device *netdev, +@@ -765,8 +737,9 @@ static inline void mlx5e_handle_csum(str + network_depth - ETH_HLEN, + skb->csum); + if (unlikely(netdev->features & NETIF_F_RXFCS)) +- skb->csum = csum_add(skb->csum, +- (__force __wsum)mlx5e_get_fcs(skb)); ++ skb->csum = csum_block_add(skb->csum, ++ (__force __wsum)mlx5e_get_fcs(skb), ++ skb->len - ETH_FCS_LEN); + stats->csum_complete++; + return; + } diff --git a/queue-4.19/net-properly-unlink-gro-packets-on-overflow.patch b/queue-4.19/net-properly-unlink-gro-packets-on-overflow.patch new file mode 100644 index 00000000000..a40fd4ebce1 --- /dev/null +++ b/queue-4.19/net-properly-unlink-gro-packets-on-overflow.patch @@ -0,0 +1,32 @@ +From foo@baz Fri Nov 2 06:12:28 CET 2018 +From: "David S. Miller" +Date: Sun, 28 Oct 2018 10:35:12 -0700 +Subject: net: Properly unlink GRO packets on overflow. + +From: "David S. Miller" + +[ Upstream commti ece23711dd956cd5053c9cb03e9fe0668f9c8894 ] + +Just like with normal GRO processing, we have to initialize +skb->next to NULL when we unlink overflow packets from the +GRO hash lists. + +Fixes: d4546c2509b1 ("net: Convert GRO SKB handling to list_head.") +Reported-by: Oleksandr Natalenko +Tested-by: Oleksandr Natalenko +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/core/dev.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -5431,6 +5431,7 @@ static void gro_flush_oldest(struct list + * SKB to the chain. + */ + list_del(&oldest->list); ++ oldest->next = NULL; + napi_gro_complete(oldest); + } + diff --git a/queue-4.19/net-sched-gred-pass-the-right-attribute-to-gred_change_table_def.patch b/queue-4.19/net-sched-gred-pass-the-right-attribute-to-gred_change_table_def.patch new file mode 100644 index 00000000000..b7d0b5491be --- /dev/null +++ b/queue-4.19/net-sched-gred-pass-the-right-attribute-to-gred_change_table_def.patch @@ -0,0 +1,54 @@ +From foo@baz Fri Nov 2 06:12:28 CET 2018 +From: Jakub Kicinski +Date: Fri, 26 Oct 2018 15:51:06 -0700 +Subject: net: sched: gred: pass the right attribute to gred_change_table_def() + +From: Jakub Kicinski + +[ Upstream commit 38b4f18d56372e1e21771ab7b0357b853330186c ] + +gred_change_table_def() takes a pointer to TCA_GRED_DPS attribute, +and expects it will be able to interpret its contents as +struct tc_gred_sopt. Pass the correct gred attribute, instead of +TCA_OPTIONS. + +This bug meant the table definition could never be changed after +Qdisc was initialized (unless whatever TCA_OPTIONS contained both +passed netlink validation and was a valid struct tc_gred_sopt...). + +Old behaviour: +$ ip link add type dummy +$ tc qdisc replace dev dummy0 parent root handle 7: \ + gred setup vqs 4 default 0 +$ tc qdisc replace dev dummy0 parent root handle 7: \ + gred setup vqs 4 default 0 +RTNETLINK answers: Invalid argument + +Now: +$ ip link add type dummy +$ tc qdisc replace dev dummy0 parent root handle 7: \ + gred setup vqs 4 default 0 +$ tc qdisc replace dev dummy0 parent root handle 7: \ + gred setup vqs 4 default 0 +$ tc qdisc replace dev dummy0 parent root handle 7: \ + gred setup vqs 4 default 0 + +Fixes: f62d6b936df5 ("[PKT_SCHED]: GRED: Use central VQ change procedure") +Signed-off-by: Jakub Kicinski +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/sched/sch_gred.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/sched/sch_gred.c ++++ b/net/sched/sch_gred.c +@@ -413,7 +413,7 @@ static int gred_change(struct Qdisc *sch + if (tb[TCA_GRED_PARMS] == NULL && tb[TCA_GRED_STAB] == NULL) { + if (tb[TCA_GRED_LIMIT] != NULL) + sch->limit = nla_get_u32(tb[TCA_GRED_LIMIT]); +- return gred_change_table_def(sch, opt); ++ return gred_change_table_def(sch, tb[TCA_GRED_DPS]); + } + + if (tb[TCA_GRED_PARMS] == NULL || diff --git a/queue-4.19/net-smc-fix-smc_buf_unuse-to-use-the-lgr-pointer.patch b/queue-4.19/net-smc-fix-smc_buf_unuse-to-use-the-lgr-pointer.patch new file mode 100644 index 00000000000..9d5dae4a36c --- /dev/null +++ b/queue-4.19/net-smc-fix-smc_buf_unuse-to-use-the-lgr-pointer.patch @@ -0,0 +1,95 @@ +From foo@baz Fri Nov 2 06:12:28 CET 2018 +From: Karsten Graul +Date: Thu, 25 Oct 2018 13:25:28 +0200 +Subject: net/smc: fix smc_buf_unuse to use the lgr pointer + +From: Karsten Graul + +[ Upstream commit fb692ec4117f6fd25044cfb5720d6b79d400dc65 ] + +The pointer to the link group is unset in the smc connection structure +right before the call to smc_buf_unuse. Provide the lgr pointer to +smc_buf_unuse explicitly. +And move the call to smc_lgr_schedule_free_work to the end of +smc_conn_free. + +Fixes: a6920d1d130c ("net/smc: handle unregistered buffers") +Signed-off-by: Karsten Graul +Signed-off-by: Ursula Braun +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/smc/smc_core.c | 25 ++++++++++++------------- + 1 file changed, 12 insertions(+), 13 deletions(-) + +--- a/net/smc/smc_core.c ++++ b/net/smc/smc_core.c +@@ -122,22 +122,17 @@ static void __smc_lgr_unregister_conn(st + sock_put(&smc->sk); /* sock_hold in smc_lgr_register_conn() */ + } + +-/* Unregister connection and trigger lgr freeing if applicable ++/* Unregister connection from lgr + */ + static void smc_lgr_unregister_conn(struct smc_connection *conn) + { + struct smc_link_group *lgr = conn->lgr; +- int reduced = 0; + + write_lock_bh(&lgr->conns_lock); + if (conn->alert_token_local) { +- reduced = 1; + __smc_lgr_unregister_conn(conn); + } + write_unlock_bh(&lgr->conns_lock); +- if (!reduced || lgr->conns_num) +- return; +- smc_lgr_schedule_free_work(lgr); + } + + /* Send delete link, either as client to request the initiation +@@ -291,7 +286,8 @@ out: + return rc; + } + +-static void smc_buf_unuse(struct smc_connection *conn) ++static void smc_buf_unuse(struct smc_connection *conn, ++ struct smc_link_group *lgr) + { + if (conn->sndbuf_desc) + conn->sndbuf_desc->used = 0; +@@ -301,8 +297,6 @@ static void smc_buf_unuse(struct smc_con + conn->rmb_desc->used = 0; + } else { + /* buf registration failed, reuse not possible */ +- struct smc_link_group *lgr = conn->lgr; +- + write_lock_bh(&lgr->rmbs_lock); + list_del(&conn->rmb_desc->list); + write_unlock_bh(&lgr->rmbs_lock); +@@ -315,16 +309,21 @@ static void smc_buf_unuse(struct smc_con + /* remove a finished connection from its link group */ + void smc_conn_free(struct smc_connection *conn) + { +- if (!conn->lgr) ++ struct smc_link_group *lgr = conn->lgr; ++ ++ if (!lgr) + return; +- if (conn->lgr->is_smcd) { ++ if (lgr->is_smcd) { + smc_ism_unset_conn(conn); + tasklet_kill(&conn->rx_tsklet); + } else { + smc_cdc_tx_dismiss_slots(conn); + } +- smc_lgr_unregister_conn(conn); +- smc_buf_unuse(conn); ++ smc_lgr_unregister_conn(conn); /* unsets conn->lgr */ ++ smc_buf_unuse(conn, lgr); /* allow buffer reuse */ ++ ++ if (!lgr->conns_num) ++ smc_lgr_schedule_free_work(lgr); + } + + static void smc_link_clear(struct smc_link *lnk) diff --git a/queue-4.19/net-stmmac-fix-stmmac_mdio_reset-when-building-stmmac-as-modules.patch b/queue-4.19/net-stmmac-fix-stmmac_mdio_reset-when-building-stmmac-as-modules.patch new file mode 100644 index 00000000000..a958aafd887 --- /dev/null +++ b/queue-4.19/net-stmmac-fix-stmmac_mdio_reset-when-building-stmmac-as-modules.patch @@ -0,0 +1,43 @@ +From foo@baz Fri Nov 2 06:12:28 CET 2018 +From: Niklas Cassel +Date: Wed, 31 Oct 2018 16:08:10 +0100 +Subject: net: stmmac: Fix stmmac_mdio_reset() when building stmmac as modules + +From: Niklas Cassel + +[ Upstream commit 30549aab146ccb1275230c3b4b4bc6b4181fd54e ] + +When building stmmac, it is only possible to select CONFIG_DWMAC_GENERIC, +or any of the glue drivers, when CONFIG_STMMAC_PLATFORM is set. +The only exception is CONFIG_STMMAC_PCI. + +When calling of_mdiobus_register(), it will call our ->reset() +callback, which is set to stmmac_mdio_reset(). + +Most of the code in stmmac_mdio_reset() is protected by a +"#if defined(CONFIG_STMMAC_PLATFORM)", which will evaluate +to false when CONFIG_STMMAC_PLATFORM=m. + +Because of this, the phy reset gpio will only be pulled when +stmmac is built as built-in, but not when built as modules. + +Fix this by using "#if IS_ENABLED()" instead of "#if defined()". + +Signed-off-by: Niklas Cassel +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/stmicro/stmmac/stmmac_mdio.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_mdio.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_mdio.c +@@ -243,7 +243,7 @@ static int stmmac_mdio_write(struct mii_ + */ + int stmmac_mdio_reset(struct mii_bus *bus) + { +-#if defined(CONFIG_STMMAC_PLATFORM) ++#if IS_ENABLED(CONFIG_STMMAC_PLATFORM) + struct net_device *ndev = bus->priv; + struct stmmac_priv *priv = netdev_priv(ndev); + unsigned int mii_address = priv->hw->mii.addr; diff --git a/queue-4.19/net-udp-fix-handling-of-checksum_complete-packets.patch b/queue-4.19/net-udp-fix-handling-of-checksum_complete-packets.patch new file mode 100644 index 00000000000..30f40ceb557 --- /dev/null +++ b/queue-4.19/net-udp-fix-handling-of-checksum_complete-packets.patch @@ -0,0 +1,146 @@ +From foo@baz Fri Nov 2 06:12:28 CET 2018 +From: Sean Tranchetti +Date: Tue, 23 Oct 2018 16:04:31 -0600 +Subject: net: udp: fix handling of CHECKSUM_COMPLETE packets + +From: Sean Tranchetti + +[ Upstream commit db4f1be3ca9b0ef7330763d07bf4ace83ad6f913 ] + +Current handling of CHECKSUM_COMPLETE packets by the UDP stack is +incorrect for any packet that has an incorrect checksum value. + +udp4/6_csum_init() will both make a call to +__skb_checksum_validate_complete() to initialize/validate the csum +field when receiving a CHECKSUM_COMPLETE packet. When this packet +fails validation, skb->csum will be overwritten with the pseudoheader +checksum so the packet can be fully validated by software, but the +skb->ip_summed value will be left as CHECKSUM_COMPLETE so that way +the stack can later warn the user about their hardware spewing bad +checksums. Unfortunately, leaving the SKB in this state can cause +problems later on in the checksum calculation. + +Since the the packet is still marked as CHECKSUM_COMPLETE, +udp_csum_pull_header() will SUBTRACT the checksum of the UDP header +from skb->csum instead of adding it, leaving us with a garbage value +in that field. Once we try to copy the packet to userspace in the +udp4/6_recvmsg(), we'll make a call to skb_copy_and_csum_datagram_msg() +to checksum the packet data and add it in the garbage skb->csum value +to perform our final validation check. + +Since the value we're validating is not the proper checksum, it's possible +that the folded value could come out to 0, causing us not to drop the +packet. Instead, we believe that the packet was checksummed incorrectly +by hardware since skb->ip_summed is still CHECKSUM_COMPLETE, and we attempt +to warn the user with netdev_rx_csum_fault(skb->dev); + +Unfortunately, since this is the UDP path, skb->dev has been overwritten +by skb->dev_scratch and is no longer a valid pointer, so we end up +reading invalid memory. + +This patch addresses this problem in two ways: + 1) Do not use the dev pointer when calling netdev_rx_csum_fault() + from skb_copy_and_csum_datagram_msg(). Since this gets called + from the UDP path where skb->dev has been overwritten, we have + no way of knowing if the pointer is still valid. Also for the + sake of consistency with the other uses of + netdev_rx_csum_fault(), don't attempt to call it if the + packet was checksummed by software. + + 2) Add better CHECKSUM_COMPLETE handling to udp4/6_csum_init(). + If we receive a packet that's CHECKSUM_COMPLETE that fails + verification (i.e. skb->csum_valid == 0), check who performed + the calculation. It's possible that the checksum was done in + software by the network stack earlier (such as Netfilter's + CONNTRACK module), and if that says the checksum is bad, + we can drop the packet immediately instead of waiting until + we try and copy it to userspace. Otherwise, we need to + mark the SKB as CHECKSUM_NONE, since the skb->csum field + no longer contains the full packet checksum after the + call to __skb_checksum_validate_complete(). + +Fixes: e6afc8ace6dd ("udp: remove headers from UDP packets before queueing") +Fixes: c84d949057ca ("udp: copy skb->truesize in the first cache line") +Cc: Sam Kumar +Cc: Eric Dumazet +Signed-off-by: Sean Tranchetti +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/core/datagram.c | 5 +++-- + net/ipv4/udp.c | 20 ++++++++++++++++++-- + net/ipv6/ip6_checksum.c | 20 ++++++++++++++++++-- + 3 files changed, 39 insertions(+), 6 deletions(-) + +--- a/net/core/datagram.c ++++ b/net/core/datagram.c +@@ -808,8 +808,9 @@ int skb_copy_and_csum_datagram_msg(struc + return -EINVAL; + } + +- if (unlikely(skb->ip_summed == CHECKSUM_COMPLETE)) +- netdev_rx_csum_fault(skb->dev); ++ if (unlikely(skb->ip_summed == CHECKSUM_COMPLETE) && ++ !skb->csum_complete_sw) ++ netdev_rx_csum_fault(NULL); + } + return 0; + fault: +--- a/net/ipv4/udp.c ++++ b/net/ipv4/udp.c +@@ -2120,8 +2120,24 @@ static inline int udp4_csum_init(struct + /* Note, we are only interested in != 0 or == 0, thus the + * force to int. + */ +- return (__force int)skb_checksum_init_zero_check(skb, proto, uh->check, +- inet_compute_pseudo); ++ err = (__force int)skb_checksum_init_zero_check(skb, proto, uh->check, ++ inet_compute_pseudo); ++ if (err) ++ return err; ++ ++ if (skb->ip_summed == CHECKSUM_COMPLETE && !skb->csum_valid) { ++ /* If SW calculated the value, we know it's bad */ ++ if (skb->csum_complete_sw) ++ return 1; ++ ++ /* HW says the value is bad. Let's validate that. ++ * skb->csum is no longer the full packet checksum, ++ * so don't treat it as such. ++ */ ++ skb_checksum_complete_unset(skb); ++ } ++ ++ return 0; + } + + /* wrapper for udp_queue_rcv_skb tacking care of csum conversion and +--- a/net/ipv6/ip6_checksum.c ++++ b/net/ipv6/ip6_checksum.c +@@ -88,8 +88,24 @@ int udp6_csum_init(struct sk_buff *skb, + * Note, we are only interested in != 0 or == 0, thus the + * force to int. + */ +- return (__force int)skb_checksum_init_zero_check(skb, proto, uh->check, +- ip6_compute_pseudo); ++ err = (__force int)skb_checksum_init_zero_check(skb, proto, uh->check, ++ ip6_compute_pseudo); ++ if (err) ++ return err; ++ ++ if (skb->ip_summed == CHECKSUM_COMPLETE && !skb->csum_valid) { ++ /* If SW calculated the value, we know it's bad */ ++ if (skb->csum_complete_sw) ++ return 1; ++ ++ /* HW says the value is bad. Let's validate that. ++ * skb->csum is no longer the full packet checksum, ++ * so don't treat is as such. ++ */ ++ skb_checksum_complete_unset(skb); ++ } ++ ++ return 0; + } + EXPORT_SYMBOL(udp6_csum_init); + diff --git a/queue-4.19/openvswitch-fix-push-pop-ethernet-validation.patch b/queue-4.19/openvswitch-fix-push-pop-ethernet-validation.patch new file mode 100644 index 00000000000..9c4e36acb94 --- /dev/null +++ b/queue-4.19/openvswitch-fix-push-pop-ethernet-validation.patch @@ -0,0 +1,46 @@ +From foo@baz Fri Nov 2 06:12:28 CET 2018 +From: "Jaime Caamaño Ruiz" +Date: Wed, 31 Oct 2018 18:52:03 +0100 +Subject: openvswitch: Fix push/pop ethernet validation + +From: "Jaime Caamaño Ruiz" + +[ Upstream commit 46ebe2834ba5b541f28ee72e556a3fed42c47570 ] + +When there are both pop and push ethernet header actions among the +actions to be applied to a packet, an unexpected EINVAL (Invalid +argument) error is obtained. This is due to mac_proto not being reset +correctly when those actions are validated. + +Reported-at: +https://mail.openvswitch.org/pipermail/ovs-discuss/2018-October/047554.html +Fixes: 91820da6ae85 ("openvswitch: add Ethernet push and pop actions") +Signed-off-by: Jaime Caamaño Ruiz +Tested-by: Greg Rose +Reviewed-by: Greg Rose +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/openvswitch/flow_netlink.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/net/openvswitch/flow_netlink.c ++++ b/net/openvswitch/flow_netlink.c +@@ -3030,7 +3030,7 @@ static int __ovs_nla_copy_actions(struct + * is already present */ + if (mac_proto != MAC_PROTO_NONE) + return -EINVAL; +- mac_proto = MAC_PROTO_NONE; ++ mac_proto = MAC_PROTO_ETHERNET; + break; + + case OVS_ACTION_ATTR_POP_ETH: +@@ -3038,7 +3038,7 @@ static int __ovs_nla_copy_actions(struct + return -EINVAL; + if (vlan_tci & htons(VLAN_TAG_PRESENT)) + return -EINVAL; +- mac_proto = MAC_PROTO_ETHERNET; ++ mac_proto = MAC_PROTO_NONE; + break; + + case OVS_ACTION_ATTR_PUSH_NSH: diff --git a/queue-4.19/r8169-fix-broken-wake-on-lan-from-s5-poweroff.patch b/queue-4.19/r8169-fix-broken-wake-on-lan-from-s5-poweroff.patch new file mode 100644 index 00000000000..aa389f4a640 --- /dev/null +++ b/queue-4.19/r8169-fix-broken-wake-on-lan-from-s5-poweroff.patch @@ -0,0 +1,48 @@ +From foo@baz Fri Nov 2 06:12:28 CET 2018 +From: Heiner Kallweit +Date: Thu, 25 Oct 2018 18:40:19 +0200 +Subject: r8169: fix broken Wake-on-LAN from S5 (poweroff) + +From: Heiner Kallweit + +[ Upstream commit 649f0837a8cc2b39329f2de00fa0d04b029291c5 ] + +It was reported that WoL from S5 is broken (WoL from S3 works) and the +analysis showed that during system shutdown the network interface was +brought down already when the actual kernel shutdown started. +Therefore netif_running() returned false and as a consequence the PHY +was suspended. Obviously WoL wasn't working then. +To fix this the original patch needs to be effectively reverted. +A side effect is that when normally bringing down the interface and +WoL is enabled the PHY will remain powered on (like it was before the +original patch). + +Fixes: fe87bef01f9b ("r8169: don't check WoL when powering down PHY and interface is down") +Reported-by: Neil MacLeod +Signed-off-by: Heiner Kallweit +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/realtek/r8169.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/realtek/r8169.c ++++ b/drivers/net/ethernet/realtek/r8169.c +@@ -4175,10 +4175,15 @@ static void rtl_wol_suspend_quirk(struct + + static bool rtl_wol_pll_power_down(struct rtl8169_private *tp) + { +- if (!netif_running(tp->dev) || !__rtl8169_get_wol(tp)) ++ struct phy_device *phydev; ++ ++ if (!__rtl8169_get_wol(tp)) + return false; + +- phy_speed_down(tp->dev->phydev, false); ++ /* phydev may not be attached to netdevice */ ++ phydev = mdiobus_get_phy(tp->mii_bus, 0); ++ ++ phy_speed_down(phydev, false); + rtl_wol_suspend_quirk(tp); + + return true; diff --git a/queue-4.19/revert-be2net-remove-desc-field-from-be_eq_obj.patch b/queue-4.19/revert-be2net-remove-desc-field-from-be_eq_obj.patch new file mode 100644 index 00000000000..dd48e427935 --- /dev/null +++ b/queue-4.19/revert-be2net-remove-desc-field-from-be_eq_obj.patch @@ -0,0 +1,49 @@ +From foo@baz Fri Nov 2 06:12:28 CET 2018 +From: Ivan Vecera +Date: Tue, 23 Oct 2018 16:40:26 +0200 +Subject: Revert "be2net: remove desc field from be_eq_obj" + +From: Ivan Vecera + +[ Upstream commit 5ef79151c2fbc401cf38325e9a32e77b9fc593ae ] + +The mentioned commit needs to be reverted because we cannot pass +string allocated on stack to request_irq(). This function stores +uses this pointer for later use (e.g. /proc/interrupts) so we need +to keep this string persistently. + +Fixes: d6d9704af8f4 ("be2net: remove desc field from be_eq_obj") +Signed-off-by: Ivan Vecera +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/emulex/benet/be.h | 1 + + drivers/net/ethernet/emulex/benet/be_main.c | 6 ++---- + 2 files changed, 3 insertions(+), 4 deletions(-) + +--- a/drivers/net/ethernet/emulex/benet/be.h ++++ b/drivers/net/ethernet/emulex/benet/be.h +@@ -185,6 +185,7 @@ static inline void queue_tail_inc(struct + + struct be_eq_obj { + struct be_queue_info q; ++ char desc[32]; + + struct be_adapter *adapter; + struct napi_struct napi; +--- a/drivers/net/ethernet/emulex/benet/be_main.c ++++ b/drivers/net/ethernet/emulex/benet/be_main.c +@@ -3488,11 +3488,9 @@ static int be_msix_register(struct be_ad + int status, i, vec; + + for_all_evt_queues(adapter, eqo, i) { +- char irq_name[IFNAMSIZ+4]; +- +- snprintf(irq_name, sizeof(irq_name), "%s-q%d", netdev->name, i); ++ sprintf(eqo->desc, "%s-q%d", netdev->name, i); + vec = be_msix_vec_get(adapter, eqo); +- status = request_irq(vec, be_msix, 0, irq_name, eqo); ++ status = request_irq(vec, be_msix, 0, eqo->desc, eqo); + if (status) + goto err_msix; + diff --git a/queue-4.19/revert-net-simplify-sock_poll_wait.patch b/queue-4.19/revert-net-simplify-sock_poll_wait.patch new file mode 100644 index 00000000000..bc099857174 --- /dev/null +++ b/queue-4.19/revert-net-simplify-sock_poll_wait.patch @@ -0,0 +1,205 @@ +From foo@baz Fri Nov 2 06:12:28 CET 2018 +From: Karsten Graul +Date: Tue, 23 Oct 2018 13:40:39 +0200 +Subject: Revert "net: simplify sock_poll_wait" + +From: Karsten Graul + +[ Upstream commit 89ab066d4229acd32e323f1569833302544a4186 ] + +This reverts commit dd979b4df817e9976f18fb6f9d134d6bc4a3c317. + +This broke tcp_poll for SMC fallback: An AF_SMC socket establishes an +internal TCP socket for the initial handshake with the remote peer. +Whenever the SMC connection can not be established this TCP socket is +used as a fallback. All socket operations on the SMC socket are then +forwarded to the TCP socket. In case of poll, the file->private_data +pointer references the SMC socket because the TCP socket has no file +assigned. This causes tcp_poll to wait on the wrong socket. + +Signed-off-by: Karsten Graul +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + crypto/af_alg.c | 2 +- + include/net/sock.h | 12 +++++++++--- + net/atm/common.c | 2 +- + net/caif/caif_socket.c | 2 +- + net/core/datagram.c | 2 +- + net/dccp/proto.c | 2 +- + net/ipv4/tcp.c | 2 +- + net/iucv/af_iucv.c | 2 +- + net/nfc/llcp_sock.c | 2 +- + net/rxrpc/af_rxrpc.c | 2 +- + net/smc/af_smc.c | 2 +- + net/tipc/socket.c | 2 +- + net/unix/af_unix.c | 4 ++-- + 13 files changed, 22 insertions(+), 16 deletions(-) + +--- a/crypto/af_alg.c ++++ b/crypto/af_alg.c +@@ -1071,7 +1071,7 @@ __poll_t af_alg_poll(struct file *file, + struct af_alg_ctx *ctx = ask->private; + __poll_t mask; + +- sock_poll_wait(file, wait); ++ sock_poll_wait(file, sock, wait); + mask = 0; + + if (!ctx->more || ctx->used) +--- a/include/net/sock.h ++++ b/include/net/sock.h +@@ -2057,14 +2057,20 @@ static inline bool skwq_has_sleeper(stru + /** + * sock_poll_wait - place memory barrier behind the poll_wait call. + * @filp: file ++ * @sock: socket to wait on + * @p: poll_table + * + * See the comments in the wq_has_sleeper function. ++ * ++ * Do not derive sock from filp->private_data here. An SMC socket establishes ++ * an internal TCP socket that is used in the fallback case. All socket ++ * operations on the SMC socket are then forwarded to the TCP socket. In case of ++ * poll, the filp->private_data pointer references the SMC socket because the ++ * TCP socket has no file assigned. + */ +-static inline void sock_poll_wait(struct file *filp, poll_table *p) ++static inline void sock_poll_wait(struct file *filp, struct socket *sock, ++ poll_table *p) + { +- struct socket *sock = filp->private_data; +- + if (!poll_does_not_wait(p)) { + poll_wait(filp, &sock->wq->wait, p); + /* We need to be sure we are in sync with the +--- a/net/atm/common.c ++++ b/net/atm/common.c +@@ -653,7 +653,7 @@ __poll_t vcc_poll(struct file *file, str + struct atm_vcc *vcc; + __poll_t mask; + +- sock_poll_wait(file, wait); ++ sock_poll_wait(file, sock, wait); + mask = 0; + + vcc = ATM_SD(sock); +--- a/net/caif/caif_socket.c ++++ b/net/caif/caif_socket.c +@@ -941,7 +941,7 @@ static __poll_t caif_poll(struct file *f + __poll_t mask; + struct caifsock *cf_sk = container_of(sk, struct caifsock, sk); + +- sock_poll_wait(file, wait); ++ sock_poll_wait(file, sock, wait); + mask = 0; + + /* exceptional events? */ +--- a/net/core/datagram.c ++++ b/net/core/datagram.c +@@ -838,7 +838,7 @@ __poll_t datagram_poll(struct file *file + struct sock *sk = sock->sk; + __poll_t mask; + +- sock_poll_wait(file, wait); ++ sock_poll_wait(file, sock, wait); + mask = 0; + + /* exceptional events? */ +--- a/net/dccp/proto.c ++++ b/net/dccp/proto.c +@@ -325,7 +325,7 @@ __poll_t dccp_poll(struct file *file, st + __poll_t mask; + struct sock *sk = sock->sk; + +- sock_poll_wait(file, wait); ++ sock_poll_wait(file, sock, wait); + if (sk->sk_state == DCCP_LISTEN) + return inet_csk_listen_poll(sk); + +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -507,7 +507,7 @@ __poll_t tcp_poll(struct file *file, str + const struct tcp_sock *tp = tcp_sk(sk); + int state; + +- sock_poll_wait(file, wait); ++ sock_poll_wait(file, sock, wait); + + state = inet_sk_state_load(sk); + if (state == TCP_LISTEN) +--- a/net/iucv/af_iucv.c ++++ b/net/iucv/af_iucv.c +@@ -1505,7 +1505,7 @@ __poll_t iucv_sock_poll(struct file *fil + struct sock *sk = sock->sk; + __poll_t mask = 0; + +- sock_poll_wait(file, wait); ++ sock_poll_wait(file, sock, wait); + + if (sk->sk_state == IUCV_LISTEN) + return iucv_accept_poll(sk); +--- a/net/nfc/llcp_sock.c ++++ b/net/nfc/llcp_sock.c +@@ -556,7 +556,7 @@ static __poll_t llcp_sock_poll(struct fi + + pr_debug("%p\n", sk); + +- sock_poll_wait(file, wait); ++ sock_poll_wait(file, sock, wait); + + if (sk->sk_state == LLCP_LISTEN) + return llcp_accept_poll(sk); +--- a/net/rxrpc/af_rxrpc.c ++++ b/net/rxrpc/af_rxrpc.c +@@ -741,7 +741,7 @@ static __poll_t rxrpc_poll(struct file * + struct rxrpc_sock *rx = rxrpc_sk(sk); + __poll_t mask; + +- sock_poll_wait(file, wait); ++ sock_poll_wait(file, sock, wait); + mask = 0; + + /* the socket is readable if there are any messages waiting on the Rx +--- a/net/smc/af_smc.c ++++ b/net/smc/af_smc.c +@@ -1543,7 +1543,7 @@ static __poll_t smc_poll(struct file *fi + mask |= EPOLLERR; + } else { + if (sk->sk_state != SMC_CLOSED) +- sock_poll_wait(file, wait); ++ sock_poll_wait(file, sock, wait); + if (sk->sk_err) + mask |= EPOLLERR; + if ((sk->sk_shutdown == SHUTDOWN_MASK) || +--- a/net/tipc/socket.c ++++ b/net/tipc/socket.c +@@ -715,7 +715,7 @@ static __poll_t tipc_poll(struct file *f + struct tipc_sock *tsk = tipc_sk(sk); + __poll_t revents = 0; + +- sock_poll_wait(file, wait); ++ sock_poll_wait(file, sock, wait); + + if (sk->sk_shutdown & RCV_SHUTDOWN) + revents |= EPOLLRDHUP | EPOLLIN | EPOLLRDNORM; +--- a/net/unix/af_unix.c ++++ b/net/unix/af_unix.c +@@ -2640,7 +2640,7 @@ static __poll_t unix_poll(struct file *f + struct sock *sk = sock->sk; + __poll_t mask; + +- sock_poll_wait(file, wait); ++ sock_poll_wait(file, sock, wait); + mask = 0; + + /* exceptional events? */ +@@ -2677,7 +2677,7 @@ static __poll_t unix_dgram_poll(struct f + unsigned int writable; + __poll_t mask; + +- sock_poll_wait(file, wait); ++ sock_poll_wait(file, sock, wait); + mask = 0; + + /* exceptional events? */ diff --git a/queue-4.19/rtnetlink-disallow-fdb-configuration-for-non-ethernet-device.patch b/queue-4.19/rtnetlink-disallow-fdb-configuration-for-non-ethernet-device.patch new file mode 100644 index 00000000000..51f9992ed13 --- /dev/null +++ b/queue-4.19/rtnetlink-disallow-fdb-configuration-for-non-ethernet-device.patch @@ -0,0 +1,124 @@ +From foo@baz Fri Nov 2 06:12:28 CET 2018 +From: Ido Schimmel +Date: Mon, 29 Oct 2018 20:36:43 +0000 +Subject: rtnetlink: Disallow FDB configuration for non-Ethernet device + +From: Ido Schimmel + +[ Upstream commit da71577545a52be3e0e9225a946e5fd79cfab015 ] + +When an FDB entry is configured, the address is validated to have the +length of an Ethernet address, but the device for which the address is +configured can be of any type. + +The above can result in the use of uninitialized memory when the address +is later compared against existing addresses since 'dev->addr_len' is +used and it may be greater than ETH_ALEN, as with ip6tnl devices. + +Fix this by making sure that FDB entries are only configured for +Ethernet devices. + +BUG: KMSAN: uninit-value in memcmp+0x11d/0x180 lib/string.c:863 +CPU: 1 PID: 4318 Comm: syz-executor998 Not tainted 4.19.0-rc3+ #49 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS +Google 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0x14b/0x190 lib/dump_stack.c:113 + kmsan_report+0x183/0x2b0 mm/kmsan/kmsan.c:956 + __msan_warning+0x70/0xc0 mm/kmsan/kmsan_instr.c:645 + memcmp+0x11d/0x180 lib/string.c:863 + dev_uc_add_excl+0x165/0x7b0 net/core/dev_addr_lists.c:464 + ndo_dflt_fdb_add net/core/rtnetlink.c:3463 [inline] + rtnl_fdb_add+0x1081/0x1270 net/core/rtnetlink.c:3558 + rtnetlink_rcv_msg+0xa0b/0x1530 net/core/rtnetlink.c:4715 + netlink_rcv_skb+0x36e/0x5f0 net/netlink/af_netlink.c:2454 + rtnetlink_rcv+0x50/0x60 net/core/rtnetlink.c:4733 + netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline] + netlink_unicast+0x1638/0x1720 net/netlink/af_netlink.c:1343 + netlink_sendmsg+0x1205/0x1290 net/netlink/af_netlink.c:1908 + sock_sendmsg_nosec net/socket.c:621 [inline] + sock_sendmsg net/socket.c:631 [inline] + ___sys_sendmsg+0xe70/0x1290 net/socket.c:2114 + __sys_sendmsg net/socket.c:2152 [inline] + __do_sys_sendmsg net/socket.c:2161 [inline] + __se_sys_sendmsg+0x2a3/0x3d0 net/socket.c:2159 + __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2159 + do_syscall_64+0xb8/0x100 arch/x86/entry/common.c:291 + entry_SYSCALL_64_after_hwframe+0x63/0xe7 +RIP: 0033:0x440ee9 +Code: e8 cc ab 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 +48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff +ff 0f 83 bb 0a fc ff c3 66 2e 0f 1f 84 00 00 00 00 +RSP: 002b:00007fff6a93b518 EFLAGS: 00000213 ORIG_RAX: 000000000000002e +RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000440ee9 +RDX: 0000000000000000 RSI: 0000000020000240 RDI: 0000000000000003 +RBP: 0000000000000000 R08: 00000000004002c8 R09: 00000000004002c8 +R10: 00000000004002c8 R11: 0000000000000213 R12: 000000000000b4b0 +R13: 0000000000401ec0 R14: 0000000000000000 R15: 0000000000000000 + +Uninit was created at: + kmsan_save_stack_with_flags mm/kmsan/kmsan.c:256 [inline] + kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:181 + kmsan_kmalloc+0x98/0x100 mm/kmsan/kmsan_hooks.c:91 + kmsan_slab_alloc+0x10/0x20 mm/kmsan/kmsan_hooks.c:100 + slab_post_alloc_hook mm/slab.h:446 [inline] + slab_alloc_node mm/slub.c:2718 [inline] + __kmalloc_node_track_caller+0x9e7/0x1160 mm/slub.c:4351 + __kmalloc_reserve net/core/skbuff.c:138 [inline] + __alloc_skb+0x2f5/0x9e0 net/core/skbuff.c:206 + alloc_skb include/linux/skbuff.h:996 [inline] + netlink_alloc_large_skb net/netlink/af_netlink.c:1189 [inline] + netlink_sendmsg+0xb49/0x1290 net/netlink/af_netlink.c:1883 + sock_sendmsg_nosec net/socket.c:621 [inline] + sock_sendmsg net/socket.c:631 [inline] + ___sys_sendmsg+0xe70/0x1290 net/socket.c:2114 + __sys_sendmsg net/socket.c:2152 [inline] + __do_sys_sendmsg net/socket.c:2161 [inline] + __se_sys_sendmsg+0x2a3/0x3d0 net/socket.c:2159 + __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2159 + do_syscall_64+0xb8/0x100 arch/x86/entry/common.c:291 + entry_SYSCALL_64_after_hwframe+0x63/0xe7 + +v2: +* Make error message more specific (David) + +Fixes: 090096bf3db1 ("net: generic fdb support for drivers without ndo_fdb_") +Signed-off-by: Ido Schimmel +Reported-and-tested-by: syzbot+3a288d5f5530b901310e@syzkaller.appspotmail.com +Reported-and-tested-by: syzbot+d53ab4e92a1db04110ff@syzkaller.appspotmail.com +Cc: Vlad Yasevich +Cc: David Ahern +Reviewed-by: David Ahern +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/core/rtnetlink.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +--- a/net/core/rtnetlink.c ++++ b/net/core/rtnetlink.c +@@ -3530,6 +3530,11 @@ static int rtnl_fdb_add(struct sk_buff * + return -EINVAL; + } + ++ if (dev->type != ARPHRD_ETHER) { ++ NL_SET_ERR_MSG(extack, "FDB delete only supported for Ethernet devices"); ++ return -EINVAL; ++ } ++ + addr = nla_data(tb[NDA_LLADDR]); + + err = fdb_vid_parse(tb[NDA_VLAN], &vid, extack); +@@ -3634,6 +3639,11 @@ static int rtnl_fdb_del(struct sk_buff * + return -EINVAL; + } + ++ if (dev->type != ARPHRD_ETHER) { ++ NL_SET_ERR_MSG(extack, "FDB add only supported for Ethernet devices"); ++ return -EINVAL; ++ } ++ + addr = nla_data(tb[NDA_LLADDR]); + + err = fdb_vid_parse(tb[NDA_VLAN], &vid, extack); diff --git a/queue-4.19/sctp-check-policy-more-carefully-when-getting-pr-status.patch b/queue-4.19/sctp-check-policy-more-carefully-when-getting-pr-status.patch new file mode 100644 index 00000000000..ca7de284792 --- /dev/null +++ b/queue-4.19/sctp-check-policy-more-carefully-when-getting-pr-status.patch @@ -0,0 +1,56 @@ +From foo@baz Fri Nov 2 06:12:28 CET 2018 +From: Xin Long +Date: Mon, 29 Oct 2018 23:13:11 +0800 +Subject: sctp: check policy more carefully when getting pr status + +From: Xin Long + +[ Upstream commit 713358369382cebf92f6e98ce2005f94e7344931 ] + +When getting pr_assocstatus and pr_streamstatus by sctp_getsockopt, +it doesn't correctly process the case when policy is set with +SCTP_PR_SCTP_ALL | SCTP_PR_SCTP_MASK. It even causes a +slab-out-of-bounds in sctp_getsockopt_pr_streamstatus(). + +This patch fixes it by return -EINVAL for this case. + +Fixes: 0ac1077e3a54 ("sctp: get pr_assoc and pr_stream all status with SCTP_PR_SCTP_ALL") +Reported-by: syzbot+5da0d0a72a9e7d791748@syzkaller.appspotmail.com +Suggested-by: Marcelo Ricardo Leitner +Signed-off-by: Xin Long +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/sctp/socket.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +--- a/net/sctp/socket.c ++++ b/net/sctp/socket.c +@@ -7101,14 +7101,15 @@ static int sctp_getsockopt_pr_assocstatu + } + + policy = params.sprstat_policy; +- if (!policy || (policy & ~(SCTP_PR_SCTP_MASK | SCTP_PR_SCTP_ALL))) ++ if (!policy || (policy & ~(SCTP_PR_SCTP_MASK | SCTP_PR_SCTP_ALL)) || ++ ((policy & SCTP_PR_SCTP_ALL) && (policy & SCTP_PR_SCTP_MASK))) + goto out; + + asoc = sctp_id2assoc(sk, params.sprstat_assoc_id); + if (!asoc) + goto out; + +- if (policy & SCTP_PR_SCTP_ALL) { ++ if (policy == SCTP_PR_SCTP_ALL) { + params.sprstat_abandoned_unsent = 0; + params.sprstat_abandoned_sent = 0; + for (policy = 0; policy <= SCTP_PR_INDEX(MAX); policy++) { +@@ -7160,7 +7161,8 @@ static int sctp_getsockopt_pr_streamstat + } + + policy = params.sprstat_policy; +- if (!policy || (policy & ~(SCTP_PR_SCTP_MASK | SCTP_PR_SCTP_ALL))) ++ if (!policy || (policy & ~(SCTP_PR_SCTP_MASK | SCTP_PR_SCTP_ALL)) || ++ ((policy & SCTP_PR_SCTP_ALL) && (policy & SCTP_PR_SCTP_MASK))) + goto out; + + asoc = sctp_id2assoc(sk, params.sprstat_assoc_id); diff --git a/queue-4.19/series b/queue-4.19/series new file mode 100644 index 00000000000..e15f26f3055 --- /dev/null +++ b/queue-4.19/series @@ -0,0 +1,20 @@ +bridge-do-not-add-port-to-router-list-when-receives-query-with-source-0.0.0.0.patch +ipv6-ndisc-preserve-ipv6-control-buffer-if-protocol-error-handlers-are-called.patch +net-mlx5e-fix-csum-adjustments-caused-by-rxfcs.patch +net-sched-gred-pass-the-right-attribute-to-gred_change_table_def.patch +net-stmmac-fix-stmmac_mdio_reset-when-building-stmmac-as-modules.patch +net-udp-fix-handling-of-checksum_complete-packets.patch +revert-net-simplify-sock_poll_wait.patch +rtnetlink-disallow-fdb-configuration-for-non-ethernet-device.patch +vhost-fix-spectre-v1-vulnerability.patch +bonding-fix-length-of-actor-system.patch +openvswitch-fix-push-pop-ethernet-validation.patch +net-ipv6-allow-onlink-routes-to-have-a-device-mismatch-if-it-is-the-default-route.patch +net-smc-fix-smc_buf_unuse-to-use-the-lgr-pointer.patch +mlxsw-spectrum_switchdev-don-t-ignore-deletions-of-learned-macs.patch +mlxsw-core-fix-devlink-unregister-flow.patch +net-drop-skb-on-failure-in-ip_check_defrag.patch +net-properly-unlink-gro-packets-on-overflow.patch +r8169-fix-broken-wake-on-lan-from-s5-poweroff.patch +revert-be2net-remove-desc-field-from-be_eq_obj.patch +sctp-check-policy-more-carefully-when-getting-pr-status.patch diff --git a/queue-4.19/vhost-fix-spectre-v1-vulnerability.patch b/queue-4.19/vhost-fix-spectre-v1-vulnerability.patch new file mode 100644 index 00000000000..f75d3b6fc67 --- /dev/null +++ b/queue-4.19/vhost-fix-spectre-v1-vulnerability.patch @@ -0,0 +1,42 @@ +From foo@baz Fri Nov 2 06:12:28 CET 2018 +From: Jason Wang +Date: Tue, 30 Oct 2018 14:10:49 +0800 +Subject: vhost: Fix Spectre V1 vulnerability + +From: Jason Wang + +[ Upstream commit ff002269a4ee9c769dbf9365acef633ebcbd6cbe ] + +The idx in vhost_vring_ioctl() was controlled by userspace, hence a +potential exploitation of the Spectre variant 1 vulnerability. + +Fixing this by sanitizing idx before using it to index d->vqs. + +Cc: Michael S. Tsirkin +Cc: Josh Poimboeuf +Cc: Andrea Arcangeli +Signed-off-by: Jason Wang +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/vhost/vhost.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/vhost/vhost.c ++++ b/drivers/vhost/vhost.c +@@ -30,6 +30,7 @@ + #include + #include + #include ++#include + + #include "vhost.h" + +@@ -1397,6 +1398,7 @@ long vhost_vring_ioctl(struct vhost_dev + if (idx >= d->nvqs) + return -ENOBUFS; + ++ idx = array_index_nospec(idx, d->nvqs); + vq = d->vqs[idx]; + + mutex_lock(&vq->mutex);