From: Greg Kroah-Hartman
Date: Tue, 3 Dec 2019 11:50:16 +0000 (+0100)
Subject: 4.4-stable patches
X-Git-Tag: v5.4.2~30
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=48131e16cca7dd871c203302ce3a509117996bf3;p=thirdparty%2Fkernel%2Fstable-queue.git

4.4-stable patches
added patches:
macvlan-schedule-bc_work-even-if-error.patch
net-sched-fix-tc-s-class-show-no-bstats-on-class-with-nolock-subqueues.patch
openvswitch-drop-unneeded-bug_on-in-ovs_flow_cmd_build_info.patch
openvswitch-fix-flow-command-message-size.patch
openvswitch-remove-another-bug_on.patch
slip-fix-use-after-free-read-in-slip_open.patch
tipc-fix-link-name-length-check.patch
---
diff --git a/queue-4.4/macvlan-schedule-bc_work-even-if-error.patch b/queue-4.4/macvlan-schedule-bc_work-even-if-error.patch
new file mode 100644
index 00000000000..390764d5111
--- /dev/null
+++ b/queue-4.4/macvlan-schedule-bc_work-even-if-error.patch
@@ -0,0 +1,52 @@
+From foo@baz Tue 03 Dec 2019 11:22:48 AM CET
+From: Menglong Dong
+Date: Mon, 25 Nov 2019 16:58:09 +0800
+Subject: macvlan: schedule bc_work even if error
+
+From: Menglong Dong
+
+[ Upstream commit 1d7ea55668878bb350979c377fc72509dd6f5b21 ]
+
+While enqueueing a broadcast skb to port->bc_queue, schedule_work()
+is called to add port->bc_work, which processes the skbs in
+bc_queue, to "events" work queue. If port->bc_queue is full, the
+skb will be discarded and schedule_work(&port->bc_work) won't be
+called. However, if port->bc_queue is full and port->bc_work is not
+running or pending, port->bc_queue will keep full and schedule_work()
+won't be called any more, and all broadcast skbs to macvlan will be
+discarded. This case can happen:
+
+macvlan_process_broadcast() is the pending function of port->bc_work,
+it moves all the skbs in port->bc_queue to the queue "list", and
+processes the skbs in "list". During this, new skbs will keep being
+added to port->bc_queue in macvlan_broadcast_enqueue(), and
+port->bc_queue may already full when macvlan_process_broadcast()
+return. This may happen, especially when there are a lot of real-time
+threads and the process is preempted.
+
+Fix this by calling schedule_work(&port->bc_work) even if
+port->bc_work is full in macvlan_broadcast_enqueue().
+
+Fixes: 412ca1550cbe ("macvlan: Move broadcasts into a work queue")
+Signed-off-by: Menglong Dong
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/macvlan.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/macvlan.c
++++ b/drivers/net/macvlan.c
+@@ -326,10 +326,11 @@ static void macvlan_broadcast_enqueue(st
+ }
+ spin_unlock(&port->bc_queue.lock);
+
++ schedule_work(&port->bc_work);
++
+ if (err)
+ goto free_nskb;
+
+- schedule_work(&port->bc_work);
+ return;
+
+ free_nskb:
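Review bot: The now-unconditional `schedule_work(&port->bc_work);` in macvlan_broadcast_enqueue() sits directly above `if (err) goto free_nskb;` with no comment, so scheduling work on the drop path reads like an ordering mistake that a later cleanup could undo. A short comment would protect the fix, for example `/* kick bc_work even when the skb is dropped: a full bc_queue with no pending work would otherwise never drain */`. The function starts and ends outside the hunk, so the enqueue logic that sets err is not visible here.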
diff --git a/queue-4.4/net-sched-fix-tc-s-class-show-no-bstats-on-class-with-nolock-subqueues.patch b/queue-4.4/net-sched-fix-tc-s-class-show-no-bstats-on-class-with-nolock-subqueues.patch
new file mode 100644
index 00000000000..4eac102eff9
--- /dev/null
+++ b/queue-4.4/net-sched-fix-tc-s-class-show-no-bstats-on-class-with-nolock-subqueues.patch
@@ -0,0 +1,81 @@
+From foo@baz Tue 03 Dec 2019 10:28:24 AM CET
+From: Dust Li
+Date: Thu, 28 Nov 2019 14:29:09 +0800
+Subject: net: sched: fix `tc -s class show` no bstats on class with nolock subqueues
+
+From: Dust Li
+
+[ Upstream commit 14e54ab9143fa60794d13ea0a66c792a2046a8f3 ]
+
+When a classful qdisc's child qdisc has set the flag
+TCQ_F_CPUSTATS (pfifo_fast for example), the child qdisc's
+cpu_bstats should be passed to gnet_stats_copy_basic(),
+but many classful qdisc didn't do that. As a result,
+`tc -s class show dev DEV` always return 0 for bytes and
+packets in this case.
+
+Pass the child qdisc's cpu_bstats to gnet_stats_copy_basic()
+to fix this issue.
+
+The qstats also has this problem, but it has been fixed
+in 5dd431b6b9 ("net: sched: introduce and use qstats read...")
+and bstats still remains buggy.
+
+Fixes: 22e0f8b9322c ("net: sched: make bstats per cpu and estimator RCU safe")
+Signed-off-by: Dust Li
+Signed-off-by: Tony Lu
+Acked-by: Cong Wang
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/sched/sch_mq.c | 2 +-
+ net/sched/sch_mqprio.c | 3 ++-
+ net/sched/sch_multiq.c | 2 +-
+ net/sched/sch_prio.c | 2 +-
+ 4 files changed, 5 insertions(+), 4 deletions(-)
+
+--- a/net/sched/sch_mq.c
++++ b/net/sched/sch_mq.c
+@@ -195,7 +195,7 @@ static int mq_dump_class_stats(struct Qd
+ struct netdev_queue *dev_queue = mq_queue_get(sch, cl);
+
+ sch = dev_queue->qdisc_sleeping;
+- if (gnet_stats_copy_basic(d, NULL, &sch->bstats) < 0 ||
++ if (gnet_stats_copy_basic(d, sch->cpu_bstats, &sch->bstats) < 0 ||
+ gnet_stats_copy_queue(d, NULL, &sch->qstats, sch->q.qlen) < 0)
+ return -1;
+ return 0;
+--- a/net/sched/sch_mqprio.c
++++ b/net/sched/sch_mqprio.c
+@@ -355,7 +355,8 @@ static int mqprio_dump_class_stats(struc
+ struct netdev_queue *dev_queue = mqprio_queue_get(sch, cl);
+
+ sch = dev_queue->qdisc_sleeping;
+- if (gnet_stats_copy_basic(d, NULL, &sch->bstats) < 0 ||
++ if (gnet_stats_copy_basic(d, sch->cpu_bstats,
++ &sch->bstats) < 0 ||
+ gnet_stats_copy_queue(d, NULL,
+ &sch->qstats, sch->q.qlen) < 0)
+ return -1;
+--- a/net/sched/sch_multiq.c
++++ b/net/sched/sch_multiq.c
+@@ -351,7 +351,7 @@ static int multiq_dump_class_stats(struc
+ struct Qdisc *cl_q;
+
+ cl_q = q->queues[cl - 1];
+- if (gnet_stats_copy_basic(d, NULL, &cl_q->bstats) < 0 ||
++ if (gnet_stats_copy_basic(d, cl_q->cpu_bstats, &cl_q->bstats) < 0 ||
+ gnet_stats_copy_queue(d, NULL, &cl_q->qstats, cl_q->q.qlen) < 0)
+ return -1;
+
+--- a/net/sched/sch_prio.c
++++ b/net/sched/sch_prio.c
+@@ -319,7 +319,7 @@ static int prio_dump_class_stats(struct
+ struct Qdisc *cl_q;
+
+ cl_q = q->queues[cl - 1];
+- if (gnet_stats_copy_basic(d, NULL, &cl_q->bstats) < 0 ||
++ if (gnet_stats_copy_basic(d, cl_q->cpu_bstats, &cl_q->bstats) < 0 ||
+ gnet_stats_copy_queue(d, NULL, &cl_q->qstats, cl_q->q.qlen) < 0)
+ return -1;
+
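Review bot: In all four dump_class_stats hunks (sch_mq, sch_mqprio, sch_multiq, sch_prio) the neighbouring `gnet_stats_copy_queue(d, NULL, ...)` call still passes NULL for its per-CPU argument, while the basic stats now receive `cpu_bstats`. The commit message says the qstats side was fixed by a separate upstream commit, but these context lines suggest that change may not be present in this tree, so a child qdisc with TCQ_F_CPUSTATS would presumably still report zero queue stats. Worth confirming against the 4.4 sources, and either queuing the qstats fix as well or noting in the backport that only bstats are covered. Each function starts outside its hunk.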
diff --git a/queue-4.4/openvswitch-drop-unneeded-bug_on-in-ovs_flow_cmd_build_info.patch b/queue-4.4/openvswitch-drop-unneeded-bug_on-in-ovs_flow_cmd_build_info.patch
new file mode 100644
index 00000000000..5d6a103c304
--- /dev/null
+++ b/queue-4.4/openvswitch-drop-unneeded-bug_on-in-ovs_flow_cmd_build_info.patch
@@ -0,0 +1,40 @@
+From foo@baz Tue 03 Dec 2019 11:22:48 AM CET
+From: Paolo Abeni
+Date: Sun, 1 Dec 2019 18:41:24 +0100
+Subject: openvswitch: drop unneeded BUG_ON() in ovs_flow_cmd_build_info()
+
+From: Paolo Abeni
+
+[ Upstream commit 8ffeb03fbba3b599690b361467bfd2373e8c450f ]
+
+All the callers of ovs_flow_cmd_build_info() already deal with
+error return code correctly, so we can handle the error condition
+in a more gracefull way. Still dump a warning to preserve
+debuggability.
+
+v1 -> v2:
+ - clarify the commit message
+ - clean the skb and report the error (DaveM)
+
+Fixes: ccb1352e76cf ("net: Add Open vSwitch kernel components.")
+Signed-off-by: Paolo Abeni
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/openvswitch/datapath.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/net/openvswitch/datapath.c
++++ b/net/openvswitch/datapath.c
+@@ -904,7 +904,10 @@ static struct sk_buff *ovs_flow_cmd_buil
+ retval = ovs_flow_cmd_fill_info(flow, dp_ifindex, skb,
+ info->snd_portid, info->snd_seq, 0,
+ cmd, ufid_flags);
+- BUG_ON(retval < 0);
++ if (WARN_ON_ONCE(retval < 0)) {
++ kfree_skb(skb);
++ skb = ERR_PTR(retval);
++ }
+ return skb;
+ }
+
diff --git a/queue-4.4/openvswitch-fix-flow-command-message-size.patch b/queue-4.4/openvswitch-fix-flow-command-message-size.patch
new file mode 100644
index 00000000000..88c178ce4a5
--- /dev/null
+++ b/queue-4.4/openvswitch-fix-flow-command-message-size.patch
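Review bot: `WARN_ON_ONCE(retval < 0)` in ovs_flow_cmd_build_info() logs only the first failure, and on hosts that set panic_on_warn it still stops the kernel, so the path remains a crash there whenever a netlink request can make ovs_flow_cmd_fill_info() fail. The message-size patch queued in this same series describes such a request (OVS_UFID_F_OMIT_* flags on a flow without a UFID), so the two should land together. A comment above the check would record the likely cause, for example `/* a fill failure means ovs_flow_cmd_msg_size() under-estimated the reply */`; that cause is inferred from the sibling patch and is not visible in this hunk. The same caveat applies to the WARN_ON_ONCE added in ovs_flow_cmd_del().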
@@ -0,0 +1,42 @@
+From foo@baz Tue 03 Dec 2019 11:22:48 AM CET
+From: Paolo Abeni
+Date: Tue, 26 Nov 2019 12:55:50 +0100
+Subject: openvswitch: fix flow command message size
+
+From: Paolo Abeni
+
+[ Upstream commit 4e81c0b3fa93d07653e2415fa71656b080a112fd ]
+
+When user-space sets the OVS_UFID_F_OMIT_* flags, and the relevant
+flow has no UFID, we can exceed the computed size, as
+ovs_nla_put_identifier() will always dump an OVS_FLOW_ATTR_KEY
+attribute.
+Take the above in account when computing the flow command message
+size.
+
+Fixes: 74ed7ab9264c ("openvswitch: Add support for unique flow IDs.")
+Reported-by: Qi Jun Ding
+Signed-off-by: Paolo Abeni
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/openvswitch/datapath.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/net/openvswitch/datapath.c
++++ b/net/openvswitch/datapath.c
+@@ -725,9 +725,13 @@ static size_t ovs_flow_cmd_msg_size(cons
+ {
+ size_t len = NLMSG_ALIGN(sizeof(struct ovs_header));
+
+- /* OVS_FLOW_ATTR_UFID */
++ /* OVS_FLOW_ATTR_UFID, or unmasked flow key as fallback
++ * see ovs_nla_put_identifier()
++ */
+ if (sfid && ovs_identifier_is_ufid(sfid))
+ len += nla_total_size(sfid->ufid_len);
++ else
++ len += nla_total_size(ovs_key_attr_size());
+
+ /* OVS_FLOW_ATTR_KEY */
+ if (!sfid || should_fill_key(sfid, ufid_flags))
diff --git a/queue-4.4/openvswitch-remove-another-bug_on.patch b/queue-4.4/openvswitch-remove-another-bug_on.patch
new file mode 100644
index 00000000000..f7b3b1397e7
--- /dev/null
+++ b/queue-4.4/openvswitch-remove-another-bug_on.patch
@@ -0,0 +1,49 @@
+From foo@baz Tue 03 Dec 2019 11:22:48 AM CET
+From: Paolo Abeni
+Date: Sun, 1 Dec 2019 18:41:25 +0100
+Subject: openvswitch: remove another BUG_ON()
+
+From: Paolo Abeni
+
+[ Upstream commit 8a574f86652a4540a2433946ba826ccb87f398cc ]
+
+If we can't build the flow del notification, we can simply delete
+the flow, no need to crash the kernel. Still keep a WARN_ON to
+preserve debuggability.
+
+Note: the BUG_ON() predates the Fixes tag, but this change
+can be applied only after the mentioned commit.
+
+v1 -> v2:
+ - do not leak an skb on error
+
+Fixes: aed067783e50 ("openvswitch: Minimize ovs_flow_cmd_del critical section.")
+Signed-off-by: Paolo Abeni
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/openvswitch/datapath.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/net/openvswitch/datapath.c
++++ b/net/openvswitch/datapath.c
+@@ -1325,7 +1325,10 @@ static int ovs_flow_cmd_del(struct sk_bu
+ OVS_FLOW_CMD_DEL,
+ ufid_flags);
+ rcu_read_unlock();
+- BUG_ON(err < 0);
++ if (WARN_ON_ONCE(err < 0)) {
++ kfree_skb(reply);
++ goto out_free;
++ }
+
+ ovs_notify(&dp_flow_genl_family, reply, info);
+ } else {
+@@ -1333,6 +1336,7 @@ static int ovs_flow_cmd_del(struct sk_bu
+ }
+ }
+
++out_free:
+ ovs_flow_free(flow, true);
+ return 0;
+ unlock:
diff --git a/queue-4.4/series b/queue-4.4/series
index 87c7bdf8a7b..26b0bfbcee9 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
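Review bot: After the new `goto out_free` in ovs_flow_cmd_del() the flow is freed and 0 is returned, but `ovs_notify()` is skipped, so the requester sees success while listeners never learn that the flow was removed. Because the check is `WARN_ON_ONCE`, only the first such miss leaves any trace in the log. The silent outcome deserves a comment at the branch, for example `/* reply could not be built: the flow is still removed, but no OVS_FLOW_CMD_DEL notification is sent */`. The function begins before the first hunk and continues past the `unlock:` label, so the other exit paths are not visible here.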
@@ -80,3 +80,10 @@ mei-bus-prefix-device-names-on-bus-with-the-bus-name.patch
 media-v4l2-ctrl-fix-flags-for-do_white_balance.patch
 net-macb-fix-error-format-in-dev_err.patch
 pwm-clear-chip_data-in-pwm_put.patch
+macvlan-schedule-bc_work-even-if-error.patch
+openvswitch-fix-flow-command-message-size.patch
+slip-fix-use-after-free-read-in-slip_open.patch
+openvswitch-drop-unneeded-bug_on-in-ovs_flow_cmd_build_info.patch
+openvswitch-remove-another-bug_on.patch
+tipc-fix-link-name-length-check.patch
+net-sched-fix-tc-s-class-show-no-bstats-on-class-with-nolock-subqueues.patch
diff --git a/queue-4.4/slip-fix-use-after-free-read-in-slip_open.patch b/queue-4.4/slip-fix-use-after-free-read-in-slip_open.patch
new file mode 100644
index 00000000000..a3b7d222423
--- /dev/null
+++ b/queue-4.4/slip-fix-use-after-free-read-in-slip_open.patch
@@ -0,0 +1,60 @@
+From foo@baz Tue 03 Dec 2019 11:22:48 AM CET
+From: Jouni Hogander
+Date: Mon, 25 Nov 2019 14:23:43 +0200
+Subject: slip: Fix use-after-free Read in slip_open
+
+From: Jouni Hogander
+
+[ Upstream commit e58c1912418980f57ba2060017583067f5f71e52 ]
+
+Slip_open doesn't clean-up device which registration failed from the
+slip_devs device list. On next open after failure this list is iterated
+and freed device is accessed. Fix this by calling sl_free_netdev in error
+path.
+
+Here is the trace from the Syzbot:
+
+__dump_stack lib/dump_stack.c:77 [inline]
+dump_stack+0x197/0x210 lib/dump_stack.c:118
+print_address_description.constprop.0.cold+0xd4/0x30b mm/kasan/report.c:374
+__kasan_report.cold+0x1b/0x41 mm/kasan/report.c:506
+kasan_report+0x12/0x20 mm/kasan/common.c:634
+__asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:132
+sl_sync drivers/net/slip/slip.c:725 [inline]
+slip_open+0xecd/0x11b7 drivers/net/slip/slip.c:801
+tty_ldisc_open.isra.0+0xa3/0x110 drivers/tty/tty_ldisc.c:469
+tty_set_ldisc+0x30e/0x6b0 drivers/tty/tty_ldisc.c:596
+tiocsetd drivers/tty/tty_io.c:2334 [inline]
+tty_ioctl+0xe8d/0x14f0 drivers/tty/tty_io.c:2594
+vfs_ioctl fs/ioctl.c:46 [inline]
+file_ioctl fs/ioctl.c:509 [inline]
+do_vfs_ioctl+0xdb6/0x13e0 fs/ioctl.c:696
+ksys_ioctl+0xab/0xd0 fs/ioctl.c:713
+__do_sys_ioctl fs/ioctl.c:720 [inline]
+__se_sys_ioctl fs/ioctl.c:718 [inline]
+__x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:718
+do_syscall_64+0xfa/0x760 arch/x86/entry/common.c:290
+entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+Fixes: 3b5a39979daf ("slip: Fix memory leak in slip_open error path")
+Reported-by: syzbot+4d5170758f3762109542@syzkaller.appspotmail.com
+Cc: David Miller
+Cc: Oliver Hartkopp
+Cc: Lukas Bulwahn
+Signed-off-by: Jouni Hogander
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/slip/slip.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/slip/slip.c
++++ b/drivers/net/slip/slip.c
+@@ -860,6 +860,7 @@ err_free_chan:
+ sl->tty = NULL;
+ tty->disc_data = NULL;
+ clear_bit(SLF_INUSE, &sl->flags);
++ sl_free_netdev(sl->dev);
+ free_netdev(sl->dev);
+
+ err_exit:
diff --git a/queue-4.4/tipc-fix-link-name-length-check.patch b/queue-4.4/tipc-fix-link-name-length-check.patch
new file mode 100644
index 00000000000..859724eef3c
--- /dev/null
+++ b/queue-4.4/tipc-fix-link-name-length-check.patch
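Review bot: `sl_free_netdev(sl->dev);` is immediately followed by `free_netdev(sl->dev);` in the err_free_chan path of slip.c, and the body of sl_free_netdev() is not part of this hunk. If this tree's sl_free_netdev() still calls free_netdev() itself (it may, where it is installed as the netdev destructor rather than as a priv_destructor), the pair frees sl->dev twice and trades the use-after-free for a double free. Please check the 4.4 definition before this is released. If it does free the device, the existing `free_netdev(sl->dev);` line has to go, or only the slip_devs slot should be cleared here.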
@@ -0,0 +1,45 @@
+From foo@baz Tue 03 Dec 2019 11:22:48 AM CET
+From: John Rutherford
+Date: Tue, 26 Nov 2019 13:52:55 +1100
+Subject: tipc: fix link name length check
+
+From: John Rutherford
+
+[ Upstream commit fd567ac20cb0377ff466d3337e6e9ac5d0cb15e4 ]
+
+In commit 4f07b80c9733 ("tipc: check msg->req data len in
+tipc_nl_compat_bearer_disable") the same patch code was copied into
+routines: tipc_nl_compat_bearer_disable(),
+tipc_nl_compat_link_stat_dump() and tipc_nl_compat_link_reset_stats().
+The two link routine occurrences should have been modified to check
+the maximum link name length and not bearer name length.
+
+Fixes: 4f07b80c9733 ("tipc: check msg->reg data len in tipc_nl_compat_bearer_disable")
+Signed-off-by: John Rutherford
+Acked-by: Jon Maloy
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/tipc/netlink_compat.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/tipc/netlink_compat.c
++++ b/net/tipc/netlink_compat.c
+@@ -516,7 +516,7 @@ static int tipc_nl_compat_link_stat_dump
+ if (len <= 0)
+ return -EINVAL;
+
+- len = min_t(int, len, TIPC_MAX_BEARER_NAME);
++ len = min_t(int, len, TIPC_MAX_LINK_NAME);
+ if (!string_is_valid(name, len))
+ return -EINVAL;
+
+@@ -791,7 +791,7 @@ static int tipc_nl_compat_link_reset_sta
+ if (len <= 0)
+ return -EINVAL;
+
+- len = min_t(int, len, TIPC_MAX_BEARER_NAME);
++ len = min_t(int, len, TIPC_MAX_LINK_NAME);
+ if (!string_is_valid(name, len))
+ return -EINVAL;
+
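Review bot: The clamp-and-validate pair `len = min_t(int, len, TIPC_MAX_LINK_NAME);` followed by `if (!string_is_valid(name, len))` is repeated verbatim in tipc_nl_compat_link_stat_dump() and tipc_nl_compat_link_reset_stats(), and the commit message attributes the wrong bound to exactly this copy-paste. A small static helper taking the name, the length and the maximum would leave a single place to get the bound right. Short of that, a comment at both sites such as `/* link name, not bearer name: bound by TIPC_MAX_LINK_NAME */` makes the intent checkable in review. Both functions extend beyond their hunks, so how len and name are derived from the request is not visible here.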