From: Sasha Levin Date: Sun, 20 Jun 2021 03:15:24 +0000 (-0400) Subject: Fixes for 4.19 X-Git-Tag: v5.4.128~53 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=5413cbb81b145ddc924b5db033b6bc46984d4e16;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 4.19 Signed-off-by: Sasha Levin --- diff --git a/queue-4.19/alx-fix-an-error-handling-path-in-alx_probe.patch b/queue-4.19/alx-fix-an-error-handling-path-in-alx_probe.patch new file mode 100644 index 00000000000..de2e47e01cf --- /dev/null +++ b/queue-4.19/alx-fix-an-error-handling-path-in-alx_probe.patch @@ -0,0 +1,36 @@ +From 4062a5bf8bcd32ae77b63817ca93cc3b411cc302 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Jun 2021 08:13:39 +0200 +Subject: alx: Fix an error handling path in 'alx_probe()' + +From: Christophe JAILLET + +[ Upstream commit 33e381448cf7a05d76ac0b47d4a6531ecd0e5c53 ] + +If an error occurs after a 'pci_enable_pcie_error_reporting()' call, it +must be undone by a corresponding 'pci_disable_pcie_error_reporting()' +call, as already done in the remove function. + +Fixes: ab69bde6b2e9 ("alx: add a simple AR816x/AR817x device driver") +Signed-off-by: Christophe JAILLET +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/atheros/alx/main.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/atheros/alx/main.c b/drivers/net/ethernet/atheros/alx/main.c +index d83ad06bf199..54bfe9d84ecd 100644 +--- a/drivers/net/ethernet/atheros/alx/main.c ++++ b/drivers/net/ethernet/atheros/alx/main.c +@@ -1855,6 +1855,7 @@ out_free_netdev: + free_netdev(netdev); + out_pci_release: + pci_release_mem_regions(pdev); ++ pci_disable_pcie_error_reporting(pdev); + out_pci_disable: + pci_disable_device(pdev); + return err; +-- +2.30.2 + diff --git a/queue-4.19/batman-adv-avoid-warn_on-timing-related-checks.patch b/queue-4.19/batman-adv-avoid-warn_on-timing-related-checks.patch new file mode 100644 index 00000000000..24ef2063290 --- /dev/null +++ b/queue-4.19/batman-adv-avoid-warn_on-timing-related-checks.patch @@ -0,0 +1,45 @@ +From c0f2815dc457504a254b2a1cc5411703e5d3e0fe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 May 2021 21:00:27 +0200 +Subject: batman-adv: Avoid WARN_ON timing related checks + +From: Sven Eckelmann + +[ Upstream commit 9f460ae31c4435fd022c443a6029352217a16ac1 ] + +The soft/batadv interface for a queued OGM can be changed during the time +the OGM was queued for transmission and when the OGM is actually +transmitted by the worker. + +But WARN_ON must be used to denote kernel bugs and not to print simple +warnings. A warning can simply be printed using pr_warn. + +Reported-by: Tetsuo Handa +Reported-by: syzbot+c0b807de416427ff3dd1@syzkaller.appspotmail.com +Fixes: ef0a937f7a14 ("batman-adv: consider outgoing interface in OGM sending") +Signed-off-by: Sven Eckelmann +Signed-off-by: Simon Wunderlich +Signed-off-by: Sasha Levin +--- + net/batman-adv/bat_iv_ogm.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/net/batman-adv/bat_iv_ogm.c b/net/batman-adv/bat_iv_ogm.c +index 0b052ff51bde..cede6826e5b3 100644 +--- a/net/batman-adv/bat_iv_ogm.c ++++ b/net/batman-adv/bat_iv_ogm.c +@@ -594,8 +594,10 @@ static void batadv_iv_ogm_emit(struct batadv_forw_packet *forw_packet) + if (WARN_ON(!forw_packet->if_outgoing)) + return; + +- if (WARN_ON(forw_packet->if_outgoing->soft_iface != soft_iface)) ++ if (forw_packet->if_outgoing->soft_iface != soft_iface) { ++ pr_warn("%s: soft interface switch for queued OGM\n", __func__); + return; ++ } + + if (forw_packet->if_incoming->if_status != BATADV_IF_ACTIVE) + return; +-- +2.30.2 + diff --git a/queue-4.19/be2net-fix-an-error-handling-path-in-be_probe.patch b/queue-4.19/be2net-fix-an-error-handling-path-in-be_probe.patch new file mode 100644 index 00000000000..bdefe62c348 --- /dev/null +++ b/queue-4.19/be2net-fix-an-error-handling-path-in-be_probe.patch @@ -0,0 +1,37 @@ +From e7ca77c57a33c31bc704d84fa094de420c600a74 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Jun 2021 20:43:37 +0200 +Subject: be2net: Fix an error handling path in 'be_probe()' + +From: Christophe JAILLET + +[ Upstream commit c19c8c0e666f9259e2fc4d2fa4b9ff8e3b40ee5d ] + +If an error occurs after a 'pci_enable_pcie_error_reporting()' call, it +must be undone by a corresponding 'pci_disable_pcie_error_reporting()' +call, as already done in the remove function. + +Fixes: d6b6d9877878 ("be2net: use PCIe AER capability") +Signed-off-by: Christophe JAILLET +Acked-by: Somnath Kotur +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/emulex/benet/be_main.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/emulex/benet/be_main.c b/drivers/net/ethernet/emulex/benet/be_main.c +index 3fe6a28027fe..05cb2f7cc35c 100644 +--- a/drivers/net/ethernet/emulex/benet/be_main.c ++++ b/drivers/net/ethernet/emulex/benet/be_main.c +@@ -6029,6 +6029,7 @@ drv_cleanup: + unmap_bars: + be_unmap_pci_bars(adapter); + free_netdev: ++ pci_disable_pcie_error_reporting(pdev); + free_netdev(netdev); + rel_reg: + pci_release_regions(pdev); +-- +2.30.2 + diff --git a/queue-4.19/icmp-don-t-send-out-icmp-messages-with-a-source-addr.patch b/queue-4.19/icmp-don-t-send-out-icmp-messages-with-a-source-addr.patch new file mode 100644 index 00000000000..1f5e119a5ff --- /dev/null +++ b/queue-4.19/icmp-don-t-send-out-icmp-messages-with-a-source-addr.patch @@ -0,0 +1,100 @@ +From 524d4862816549b6416f938e5fc851316b1654aa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Jun 2021 13:04:35 +0200 +Subject: icmp: don't send out ICMP messages with a source address of 0.0.0.0 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Toke Høiland-Jørgensen + +[ Upstream commit 321827477360934dc040e9d3c626bf1de6c3ab3c ] + +When constructing ICMP response messages, the kernel will try to pick a +suitable source address for the outgoing packet. However, if no IPv4 +addresses are configured on the system at all, this will fail and we end up +producing an ICMP message with a source address of 0.0.0.0. This can happen +on a box routing IPv4 traffic via v6 nexthops, for instance. + +Since 0.0.0.0 is not generally routable on the internet, there's a good +chance that such ICMP messages will never make it back to the sender of the +original packet that the ICMP message was sent in response to. This, in +turn, can create connectivity and PMTUd problems for senders. Fortunately, +RFC7600 reserves a dummy address to be used as a source for ICMP +messages (192.0.0.8/32), so let's teach the kernel to substitute that +address as a last resort if the regular source address selection procedure +fails. + +Below is a quick example reproducing this issue with network namespaces: + +ip netns add ns0 +ip l add type veth peer netns ns0 +ip l set dev veth0 up +ip a add 10.0.0.1/24 dev veth0 +ip a add fc00:dead:cafe:42::1/64 dev veth0 +ip r add 10.1.0.0/24 via inet6 fc00:dead:cafe:42::2 +ip -n ns0 l set dev veth0 up +ip -n ns0 a add fc00:dead:cafe:42::2/64 dev veth0 +ip -n ns0 r add 10.0.0.0/24 via inet6 fc00:dead:cafe:42::1 +ip netns exec ns0 sysctl -w net.ipv4.icmp_ratelimit=0 +ip netns exec ns0 sysctl -w net.ipv4.ip_forward=1 +tcpdump -tpni veth0 -c 2 icmp & +ping -w 1 10.1.0.1 > /dev/null +tcpdump: verbose output suppressed, use -v[v]... for full protocol decode +listening on veth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes +IP 10.0.0.1 > 10.1.0.1: ICMP echo request, id 29, seq 1, length 64 +IP 0.0.0.0 > 10.0.0.1: ICMP net 10.1.0.1 unreachable, length 92 +2 packets captured +2 packets received by filter +0 packets dropped by kernel + +With this patch the above capture changes to: +IP 10.0.0.1 > 10.1.0.1: ICMP echo request, id 31127, seq 1, length 64 +IP 192.0.0.8 > 10.0.0.1: ICMP net 10.1.0.1 unreachable, length 92 + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: Juliusz Chroboczek +Reviewed-by: David Ahern +Signed-off-by: Toke Høiland-Jørgensen +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + include/uapi/linux/in.h | 3 +++ + net/ipv4/icmp.c | 7 +++++++ + 2 files changed, 10 insertions(+) + +diff --git a/include/uapi/linux/in.h b/include/uapi/linux/in.h +index 48e8a225b985..2a66ab49f14d 100644 +--- a/include/uapi/linux/in.h ++++ b/include/uapi/linux/in.h +@@ -280,6 +280,9 @@ struct sockaddr_in { + /* Address indicating an error return. */ + #define INADDR_NONE ((unsigned long int) 0xffffffff) + ++/* Dummy address for src of ICMP replies if no real address is set (RFC7600). */ ++#define INADDR_DUMMY ((unsigned long int) 0xc0000008) ++ + /* Network number for local host loopback. */ + #define IN_LOOPBACKNET 127 + +diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c +index b048125ea099..dde6cf82e9f0 100644 +--- a/net/ipv4/icmp.c ++++ b/net/ipv4/icmp.c +@@ -744,6 +744,13 @@ void __icmp_send(struct sk_buff *skb_in, int type, int code, __be32 info, + icmp_param.data_len = room; + icmp_param.head_len = sizeof(struct icmphdr); + ++ /* if we don't have a source address at this point, fall back to the ++ * dummy address instead of sending out a packet with a source address ++ * of 0.0.0.0 ++ */ ++ if (!fl4.saddr) ++ fl4.saddr = htonl(INADDR_DUMMY); ++ + icmp_push_reply(&icmp_param, &fl4, &ipc, &rt); + ende: + ip_rt_put(rt); +-- +2.30.2 + diff --git a/queue-4.19/net-add-documentation-to-socket.c.patch b/queue-4.19/net-add-documentation-to-socket.c.patch new file mode 100644 index 00000000000..0696445ddca --- /dev/null +++ b/queue-4.19/net-add-documentation-to-socket.c.patch @@ -0,0 +1,561 @@ +From fc85173e6ff1a589db893b28a7fdea40162ddfee Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Mar 2019 10:45:23 -0300 +Subject: net: add documentation to socket.c + +From: Pedro Tammela + +[ Upstream commit 8a3c245c031944f2176118270e7bc5d4fd4a1075 ] + +Adds missing sphinx documentation to the +socket.c's functions. Also fixes some whitespaces. + +I also changed the style of older documentation as an +effort to have an uniform documentation style. + +Signed-off-by: Pedro Tammela +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + include/linux/net.h | 6 + + include/linux/socket.h | 12 +- + net/socket.c | 277 ++++++++++++++++++++++++++++++++++++++--- + 3 files changed, 271 insertions(+), 24 deletions(-) + +diff --git a/include/linux/net.h b/include/linux/net.h +index e0930678c8bf..41dc703b261c 100644 +--- a/include/linux/net.h ++++ b/include/linux/net.h +@@ -83,6 +83,12 @@ enum sock_type { + + #endif /* ARCH_HAS_SOCKET_TYPES */ + ++/** ++ * enum sock_shutdown_cmd - Shutdown types ++ * @SHUT_RD: shutdown receptions ++ * @SHUT_WR: shutdown transmissions ++ * @SHUT_RDWR: shutdown receptions/transmissions ++ */ + enum sock_shutdown_cmd { + SHUT_RD, + SHUT_WR, +diff --git a/include/linux/socket.h b/include/linux/socket.h +index 7ed4713d5337..cc1d3f1b7656 100644 +--- a/include/linux/socket.h ++++ b/include/linux/socket.h +@@ -26,7 +26,7 @@ typedef __kernel_sa_family_t sa_family_t; + /* + * 1003.1g requires sa_family_t and that sa_data is char. + */ +- ++ + struct sockaddr { + sa_family_t sa_family; /* address family, AF_xxx */ + char sa_data[14]; /* 14 bytes of protocol address */ +@@ -44,7 +44,7 @@ struct linger { + * system, not 4.3. Thus msg_accrights(len) are now missing. They + * belong in an obscure libc emulation or the bin. + */ +- ++ + struct msghdr { + void *msg_name; /* ptr to socket address structure */ + int msg_namelen; /* size of socket address structure */ +@@ -54,7 +54,7 @@ struct msghdr { + unsigned int msg_flags; /* flags on received message */ + struct kiocb *msg_iocb; /* ptr to iocb for async requests */ + }; +- ++ + struct user_msghdr { + void __user *msg_name; /* ptr to socket address structure */ + int msg_namelen; /* size of socket address structure */ +@@ -122,7 +122,7 @@ struct cmsghdr { + * inside range, given by msg->msg_controllen before using + * ancillary object DATA. --ANK (980731) + */ +- ++ + static inline struct cmsghdr * __cmsg_nxthdr(void *__ctl, __kernel_size_t __size, + struct cmsghdr *__cmsg) + { +@@ -264,10 +264,10 @@ struct ucred { + /* Maximum queue length specifiable by listen. */ + #define SOMAXCONN 128 + +-/* Flags we can use with send/ and recv. ++/* Flags we can use with send/ and recv. + Added those for 1003.1g not all are supported yet + */ +- ++ + #define MSG_OOB 1 + #define MSG_PEEK 2 + #define MSG_DONTROUTE 4 +diff --git a/net/socket.c b/net/socket.c +index 29169045dcfe..1ed7be54815a 100644 +--- a/net/socket.c ++++ b/net/socket.c +@@ -384,6 +384,18 @@ static struct file_system_type sock_fs_type = { + * but we take care of internal coherence yet. + */ + ++/** ++ * sock_alloc_file - Bind a &socket to a &file ++ * @sock: socket ++ * @flags: file status flags ++ * @dname: protocol name ++ * ++ * Returns the &file bound with @sock, implicitly storing it ++ * in sock->file. If dname is %NULL, sets to "". ++ * On failure the return is a ERR pointer (see linux/err.h). ++ * This function uses GFP_KERNEL internally. ++ */ ++ + struct file *sock_alloc_file(struct socket *sock, int flags, const char *dname) + { + struct file *file; +@@ -424,6 +436,14 @@ static int sock_map_fd(struct socket *sock, int flags) + return PTR_ERR(newfile); + } + ++/** ++ * sock_from_file - Return the &socket bounded to @file. ++ * @file: file ++ * @err: pointer to an error code return ++ * ++ * On failure returns %NULL and assigns -ENOTSOCK to @err. ++ */ ++ + struct socket *sock_from_file(struct file *file, int *err) + { + if (file->f_op == &socket_file_ops) +@@ -532,11 +552,11 @@ static const struct inode_operations sockfs_inode_ops = { + }; + + /** +- * sock_alloc - allocate a socket ++ * sock_alloc - allocate a socket + * + * Allocate a new inode and socket object. The two are bound together + * and initialised. The socket is then returned. If we are out of inodes +- * NULL is returned. ++ * NULL is returned. This functions uses GFP_KERNEL internally. + */ + + struct socket *sock_alloc(void) +@@ -561,7 +581,7 @@ struct socket *sock_alloc(void) + EXPORT_SYMBOL(sock_alloc); + + /** +- * sock_release - close a socket ++ * sock_release - close a socket + * @sock: socket to close + * + * The socket is released from the protocol stack if it has a release +@@ -617,6 +637,15 @@ void __sock_tx_timestamp(__u16 tsflags, __u8 *tx_flags) + } + EXPORT_SYMBOL(__sock_tx_timestamp); + ++/** ++ * sock_sendmsg - send a message through @sock ++ * @sock: socket ++ * @msg: message to send ++ * ++ * Sends @msg through @sock, passing through LSM. ++ * Returns the number of bytes sent, or an error code. ++ */ ++ + static inline int sock_sendmsg_nosec(struct socket *sock, struct msghdr *msg) + { + int ret = sock->ops->sendmsg(sock, msg, msg_data_left(msg)); +@@ -633,6 +662,18 @@ int sock_sendmsg(struct socket *sock, struct msghdr *msg) + } + EXPORT_SYMBOL(sock_sendmsg); + ++/** ++ * kernel_sendmsg - send a message through @sock (kernel-space) ++ * @sock: socket ++ * @msg: message header ++ * @vec: kernel vec ++ * @num: vec array length ++ * @size: total message data size ++ * ++ * Builds the message data with @vec and sends it through @sock. ++ * Returns the number of bytes sent, or an error code. ++ */ ++ + int kernel_sendmsg(struct socket *sock, struct msghdr *msg, + struct kvec *vec, size_t num, size_t size) + { +@@ -641,6 +682,19 @@ int kernel_sendmsg(struct socket *sock, struct msghdr *msg, + } + EXPORT_SYMBOL(kernel_sendmsg); + ++/** ++ * kernel_sendmsg_locked - send a message through @sock (kernel-space) ++ * @sk: sock ++ * @msg: message header ++ * @vec: output s/g array ++ * @num: output s/g array length ++ * @size: total message data size ++ * ++ * Builds the message data with @vec and sends it through @sock. ++ * Returns the number of bytes sent, or an error code. ++ * Caller must hold @sk. ++ */ ++ + int kernel_sendmsg_locked(struct sock *sk, struct msghdr *msg, + struct kvec *vec, size_t num, size_t size) + { +@@ -789,6 +843,16 @@ void __sock_recv_ts_and_drops(struct msghdr *msg, struct sock *sk, + } + EXPORT_SYMBOL_GPL(__sock_recv_ts_and_drops); + ++/** ++ * sock_recvmsg - receive a message from @sock ++ * @sock: socket ++ * @msg: message to receive ++ * @flags: message flags ++ * ++ * Receives @msg from @sock, passing through LSM. Returns the total number ++ * of bytes received, or an error. ++ */ ++ + static inline int sock_recvmsg_nosec(struct socket *sock, struct msghdr *msg, + int flags) + { +@@ -804,20 +868,21 @@ int sock_recvmsg(struct socket *sock, struct msghdr *msg, int flags) + EXPORT_SYMBOL(sock_recvmsg); + + /** +- * kernel_recvmsg - Receive a message from a socket (kernel space) +- * @sock: The socket to receive the message from +- * @msg: Received message +- * @vec: Input s/g array for message data +- * @num: Size of input s/g array +- * @size: Number of bytes to read +- * @flags: Message flags (MSG_DONTWAIT, etc...) ++ * kernel_recvmsg - Receive a message from a socket (kernel space) ++ * @sock: The socket to receive the message from ++ * @msg: Received message ++ * @vec: Input s/g array for message data ++ * @num: Size of input s/g array ++ * @size: Number of bytes to read ++ * @flags: Message flags (MSG_DONTWAIT, etc...) + * +- * On return the msg structure contains the scatter/gather array passed in the +- * vec argument. The array is modified so that it consists of the unfilled +- * portion of the original array. ++ * On return the msg structure contains the scatter/gather array passed in the ++ * vec argument. The array is modified so that it consists of the unfilled ++ * portion of the original array. + * +- * The returned value is the total number of bytes received, or an error. ++ * The returned value is the total number of bytes received, or an error. + */ ++ + int kernel_recvmsg(struct socket *sock, struct msghdr *msg, + struct kvec *vec, size_t num, size_t size, int flags) + { +@@ -983,6 +1048,13 @@ static long sock_do_ioctl(struct net *net, struct socket *sock, + * what to do with it - that's up to the protocol still. + */ + ++/** ++ * get_net_ns - increment the refcount of the network namespace ++ * @ns: common namespace (net) ++ * ++ * Returns the net's common namespace. ++ */ ++ + struct ns_common *get_net_ns(struct ns_common *ns) + { + return &get_net(container_of(ns, struct net, ns))->ns; +@@ -1077,6 +1149,19 @@ static long sock_ioctl(struct file *file, unsigned cmd, unsigned long arg) + return err; + } + ++/** ++ * sock_create_lite - creates a socket ++ * @family: protocol family (AF_INET, ...) ++ * @type: communication type (SOCK_STREAM, ...) ++ * @protocol: protocol (0, ...) ++ * @res: new socket ++ * ++ * Creates a new socket and assigns it to @res, passing through LSM. ++ * The new socket initialization is not complete, see kernel_accept(). ++ * Returns 0 or an error. On failure @res is set to %NULL. ++ * This function internally uses GFP_KERNEL. ++ */ ++ + int sock_create_lite(int family, int type, int protocol, struct socket **res) + { + int err; +@@ -1202,6 +1287,21 @@ call_kill: + } + EXPORT_SYMBOL(sock_wake_async); + ++/** ++ * __sock_create - creates a socket ++ * @net: net namespace ++ * @family: protocol family (AF_INET, ...) ++ * @type: communication type (SOCK_STREAM, ...) ++ * @protocol: protocol (0, ...) ++ * @res: new socket ++ * @kern: boolean for kernel space sockets ++ * ++ * Creates a new socket and assigns it to @res, passing through LSM. ++ * Returns 0 or an error. On failure @res is set to %NULL. @kern must ++ * be set to true if the socket resides in kernel space. ++ * This function internally uses GFP_KERNEL. ++ */ ++ + int __sock_create(struct net *net, int family, int type, int protocol, + struct socket **res, int kern) + { +@@ -1311,12 +1411,35 @@ out_release: + } + EXPORT_SYMBOL(__sock_create); + ++/** ++ * sock_create - creates a socket ++ * @family: protocol family (AF_INET, ...) ++ * @type: communication type (SOCK_STREAM, ...) ++ * @protocol: protocol (0, ...) ++ * @res: new socket ++ * ++ * A wrapper around __sock_create(). ++ * Returns 0 or an error. This function internally uses GFP_KERNEL. ++ */ ++ + int sock_create(int family, int type, int protocol, struct socket **res) + { + return __sock_create(current->nsproxy->net_ns, family, type, protocol, res, 0); + } + EXPORT_SYMBOL(sock_create); + ++/** ++ * sock_create_kern - creates a socket (kernel space) ++ * @net: net namespace ++ * @family: protocol family (AF_INET, ...) ++ * @type: communication type (SOCK_STREAM, ...) ++ * @protocol: protocol (0, ...) ++ * @res: new socket ++ * ++ * A wrapper around __sock_create(). ++ * Returns 0 or an error. This function internally uses GFP_KERNEL. ++ */ ++ + int sock_create_kern(struct net *net, int family, int type, int protocol, struct socket **res) + { + return __sock_create(net, family, type, protocol, res, 1); +@@ -3273,18 +3396,46 @@ static long compat_sock_ioctl(struct file *file, unsigned int cmd, + } + #endif + ++/** ++ * kernel_bind - bind an address to a socket (kernel space) ++ * @sock: socket ++ * @addr: address ++ * @addrlen: length of address ++ * ++ * Returns 0 or an error. ++ */ ++ + int kernel_bind(struct socket *sock, struct sockaddr *addr, int addrlen) + { + return sock->ops->bind(sock, addr, addrlen); + } + EXPORT_SYMBOL(kernel_bind); + ++/** ++ * kernel_listen - move socket to listening state (kernel space) ++ * @sock: socket ++ * @backlog: pending connections queue size ++ * ++ * Returns 0 or an error. ++ */ ++ + int kernel_listen(struct socket *sock, int backlog) + { + return sock->ops->listen(sock, backlog); + } + EXPORT_SYMBOL(kernel_listen); + ++/** ++ * kernel_accept - accept a connection (kernel space) ++ * @sock: listening socket ++ * @newsock: new connected socket ++ * @flags: flags ++ * ++ * @flags must be SOCK_CLOEXEC, SOCK_NONBLOCK or 0. ++ * If it fails, @newsock is guaranteed to be %NULL. ++ * Returns 0 or an error. ++ */ ++ + int kernel_accept(struct socket *sock, struct socket **newsock, int flags) + { + struct sock *sk = sock->sk; +@@ -3310,6 +3461,19 @@ done: + } + EXPORT_SYMBOL(kernel_accept); + ++/** ++ * kernel_connect - connect a socket (kernel space) ++ * @sock: socket ++ * @addr: address ++ * @addrlen: address length ++ * @flags: flags (O_NONBLOCK, ...) ++ * ++ * For datagram sockets, @addr is the addres to which datagrams are sent ++ * by default, and the only address from which datagrams are received. ++ * For stream sockets, attempts to connect to @addr. ++ * Returns 0 or an error code. ++ */ ++ + int kernel_connect(struct socket *sock, struct sockaddr *addr, int addrlen, + int flags) + { +@@ -3317,18 +3481,48 @@ int kernel_connect(struct socket *sock, struct sockaddr *addr, int addrlen, + } + EXPORT_SYMBOL(kernel_connect); + ++/** ++ * kernel_getsockname - get the address which the socket is bound (kernel space) ++ * @sock: socket ++ * @addr: address holder ++ * ++ * Fills the @addr pointer with the address which the socket is bound. ++ * Returns 0 or an error code. ++ */ ++ + int kernel_getsockname(struct socket *sock, struct sockaddr *addr) + { + return sock->ops->getname(sock, addr, 0); + } + EXPORT_SYMBOL(kernel_getsockname); + ++/** ++ * kernel_peername - get the address which the socket is connected (kernel space) ++ * @sock: socket ++ * @addr: address holder ++ * ++ * Fills the @addr pointer with the address which the socket is connected. ++ * Returns 0 or an error code. ++ */ ++ + int kernel_getpeername(struct socket *sock, struct sockaddr *addr) + { + return sock->ops->getname(sock, addr, 1); + } + EXPORT_SYMBOL(kernel_getpeername); + ++/** ++ * kernel_getsockopt - get a socket option (kernel space) ++ * @sock: socket ++ * @level: API level (SOL_SOCKET, ...) ++ * @optname: option tag ++ * @optval: option value ++ * @optlen: option length ++ * ++ * Assigns the option length to @optlen. ++ * Returns 0 or an error. ++ */ ++ + int kernel_getsockopt(struct socket *sock, int level, int optname, + char *optval, int *optlen) + { +@@ -3351,6 +3545,17 @@ int kernel_getsockopt(struct socket *sock, int level, int optname, + } + EXPORT_SYMBOL(kernel_getsockopt); + ++/** ++ * kernel_setsockopt - set a socket option (kernel space) ++ * @sock: socket ++ * @level: API level (SOL_SOCKET, ...) ++ * @optname: option tag ++ * @optval: option value ++ * @optlen: option length ++ * ++ * Returns 0 or an error. ++ */ ++ + int kernel_setsockopt(struct socket *sock, int level, int optname, + char *optval, unsigned int optlen) + { +@@ -3371,6 +3576,17 @@ int kernel_setsockopt(struct socket *sock, int level, int optname, + } + EXPORT_SYMBOL(kernel_setsockopt); + ++/** ++ * kernel_sendpage - send a &page through a socket (kernel space) ++ * @sock: socket ++ * @page: page ++ * @offset: page offset ++ * @size: total size in bytes ++ * @flags: flags (MSG_DONTWAIT, ...) ++ * ++ * Returns the total amount sent in bytes or an error. ++ */ ++ + int kernel_sendpage(struct socket *sock, struct page *page, int offset, + size_t size, int flags) + { +@@ -3381,6 +3597,18 @@ int kernel_sendpage(struct socket *sock, struct page *page, int offset, + } + EXPORT_SYMBOL(kernel_sendpage); + ++/** ++ * kernel_sendpage_locked - send a &page through the locked sock (kernel space) ++ * @sk: sock ++ * @page: page ++ * @offset: page offset ++ * @size: total size in bytes ++ * @flags: flags (MSG_DONTWAIT, ...) ++ * ++ * Returns the total amount sent in bytes or an error. ++ * Caller must hold @sk. ++ */ ++ + int kernel_sendpage_locked(struct sock *sk, struct page *page, int offset, + size_t size, int flags) + { +@@ -3394,17 +3622,30 @@ int kernel_sendpage_locked(struct sock *sk, struct page *page, int offset, + } + EXPORT_SYMBOL(kernel_sendpage_locked); + ++/** ++ * kernel_shutdown - shut down part of a full-duplex connection (kernel space) ++ * @sock: socket ++ * @how: connection part ++ * ++ * Returns 0 or an error. ++ */ ++ + int kernel_sock_shutdown(struct socket *sock, enum sock_shutdown_cmd how) + { + return sock->ops->shutdown(sock, how); + } + EXPORT_SYMBOL(kernel_sock_shutdown); + +-/* This routine returns the IP overhead imposed by a socket i.e. +- * the length of the underlying IP header, depending on whether +- * this is an IPv4 or IPv6 socket and the length from IP options turned +- * on at the socket. Assumes that the caller has a lock on the socket. ++/** ++ * kernel_sock_ip_overhead - returns the IP overhead imposed by a socket ++ * @sk: socket ++ * ++ * This routine returns the IP overhead imposed by a socket i.e. ++ * the length of the underlying IP header, depending on whether ++ * this is an IPv4 or IPv6 socket and the length from IP options turned ++ * on at the socket. Assumes that the caller has a lock on the socket. + */ ++ + u32 kernel_sock_ip_overhead(struct sock *sk) + { + struct inet_sock *inet; +-- +2.30.2 + diff --git a/queue-4.19/net-af_unix-fix-a-data-race-in-unix_dgram_sendmsg-un.patch b/queue-4.19/net-af_unix-fix-a-data-race-in-unix_dgram_sendmsg-un.patch new file mode 100644 index 00000000000..2f7b555eb74 --- /dev/null +++ b/queue-4.19/net-af_unix-fix-a-data-race-in-unix_dgram_sendmsg-un.patch @@ -0,0 +1,96 @@ +From 532b03f4475b9420b64edbc0c2b4e332f7506e17 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Jun 2021 07:47:15 -0700 +Subject: net/af_unix: fix a data-race in unix_dgram_sendmsg / + unix_release_sock + +From: Eric Dumazet + +[ Upstream commit a494bd642d9120648b06bb7d28ce6d05f55a7819 ] + +While unix_may_send(sk, osk) is called while osk is locked, it appears +unix_release_sock() can overwrite unix_peer() after this lock has been +released, making KCSAN unhappy. + +Changing unix_release_sock() to access/change unix_peer() +before lock is released should fix this issue. + +BUG: KCSAN: data-race in unix_dgram_sendmsg / unix_release_sock + +write to 0xffff88810465a338 of 8 bytes by task 20852 on cpu 1: + unix_release_sock+0x4ed/0x6e0 net/unix/af_unix.c:558 + unix_release+0x2f/0x50 net/unix/af_unix.c:859 + __sock_release net/socket.c:599 [inline] + sock_close+0x6c/0x150 net/socket.c:1258 + __fput+0x25b/0x4e0 fs/file_table.c:280 + ____fput+0x11/0x20 fs/file_table.c:313 + task_work_run+0xae/0x130 kernel/task_work.c:164 + tracehook_notify_resume include/linux/tracehook.h:189 [inline] + exit_to_user_mode_loop kernel/entry/common.c:175 [inline] + exit_to_user_mode_prepare+0x156/0x190 kernel/entry/common.c:209 + __syscall_exit_to_user_mode_work kernel/entry/common.c:291 [inline] + syscall_exit_to_user_mode+0x20/0x40 kernel/entry/common.c:302 + do_syscall_64+0x56/0x90 arch/x86/entry/common.c:57 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +read to 0xffff88810465a338 of 8 bytes by task 20888 on cpu 0: + unix_may_send net/unix/af_unix.c:189 [inline] + unix_dgram_sendmsg+0x923/0x1610 net/unix/af_unix.c:1712 + sock_sendmsg_nosec net/socket.c:654 [inline] + sock_sendmsg net/socket.c:674 [inline] + ____sys_sendmsg+0x360/0x4d0 net/socket.c:2350 + ___sys_sendmsg net/socket.c:2404 [inline] + __sys_sendmmsg+0x315/0x4b0 net/socket.c:2490 + __do_sys_sendmmsg net/socket.c:2519 [inline] + __se_sys_sendmmsg net/socket.c:2516 [inline] + __x64_sys_sendmmsg+0x53/0x60 net/socket.c:2516 + do_syscall_64+0x4a/0x90 arch/x86/entry/common.c:47 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +value changed: 0xffff888167905400 -> 0x0000000000000000 + +Reported by Kernel Concurrency Sanitizer on: +CPU: 0 PID: 20888 Comm: syz-executor.0 Not tainted 5.13.0-rc5-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/unix/af_unix.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c +index 2020306468af..53fe5ada5a83 100644 +--- a/net/unix/af_unix.c ++++ b/net/unix/af_unix.c +@@ -540,12 +540,14 @@ static void unix_release_sock(struct sock *sk, int embrion) + u->path.mnt = NULL; + state = sk->sk_state; + sk->sk_state = TCP_CLOSE; ++ ++ skpair = unix_peer(sk); ++ unix_peer(sk) = NULL; ++ + unix_state_unlock(sk); + + wake_up_interruptible_all(&u->peer_wait); + +- skpair = unix_peer(sk); +- + if (skpair != NULL) { + if (sk->sk_type == SOCK_STREAM || sk->sk_type == SOCK_SEQPACKET) { + unix_state_lock(skpair); +@@ -560,7 +562,6 @@ static void unix_release_sock(struct sock *sk, int embrion) + + unix_dgram_peer_wake_disconnect(sk, skpair); + sock_put(skpair); /* It may now die */ +- unix_peer(sk) = NULL; + } + + /* Try to flush out this socket. Throw out buffers at least */ +-- +2.30.2 + diff --git a/queue-4.19/net-cdc_eem-fix-tx-fixup-skb-leak.patch b/queue-4.19/net-cdc_eem-fix-tx-fixup-skb-leak.patch new file mode 100644 index 00000000000..831636b6fe3 --- /dev/null +++ b/queue-4.19/net-cdc_eem-fix-tx-fixup-skb-leak.patch @@ -0,0 +1,44 @@ +From 91b986e4229de0ae39b0a15ca48abc366f48dd6b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Jun 2021 07:32:32 +0800 +Subject: net: cdc_eem: fix tx fixup skb leak + +From: Linyu Yuan + +[ Upstream commit c3b26fdf1b32f91c7a3bc743384b4a298ab53ad7 ] + +when usbnet transmit a skb, eem fixup it in eem_tx_fixup(), +if skb_copy_expand() failed, it return NULL, +usbnet_start_xmit() will have no chance to free original skb. + +fix it by free orginal skb in eem_tx_fixup() first, +then check skb clone status, if failed, return NULL to usbnet. + +Fixes: 9f722c0978b0 ("usbnet: CDC EEM support (v5)") +Signed-off-by: Linyu Yuan +Reviewed-by: Greg Kroah-Hartman +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/usb/cdc_eem.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/usb/cdc_eem.c b/drivers/net/usb/cdc_eem.c +index 61ea4eaace5d..e3f108080af1 100644 +--- a/drivers/net/usb/cdc_eem.c ++++ b/drivers/net/usb/cdc_eem.c +@@ -135,10 +135,10 @@ static struct sk_buff *eem_tx_fixup(struct usbnet *dev, struct sk_buff *skb, + } + + skb2 = skb_copy_expand(skb, EEM_HEAD, ETH_FCS_LEN + padlen, flags); ++ dev_kfree_skb_any(skb); + if (!skb2) + return NULL; + +- dev_kfree_skb_any(skb); + skb = skb2; + + done: +-- +2.30.2 + diff --git a/queue-4.19/net-cdc_ncm-switch-to-eth-d-interface-naming.patch b/queue-4.19/net-cdc_ncm-switch-to-eth-d-interface-naming.patch new file mode 100644 index 00000000000..40324dbfaa2 --- /dev/null +++ b/queue-4.19/net-cdc_ncm-switch-to-eth-d-interface-naming.patch @@ -0,0 +1,77 @@ +From bedb048aec5c65d2a68de8fe664257b1c0627e2d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Jun 2021 01:05:49 -0700 +Subject: net: cdc_ncm: switch to eth%d interface naming +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Maciej Żenczykowski + +[ Upstream commit c1a3d4067309451e68c33dbd356032549cc0bd8e ] + +This is meant to make the host side cdc_ncm interface consistently +named just like the older CDC protocols: cdc_ether & cdc_ecm +(and even rndis_host), which all use 'FLAG_ETHER | FLAG_POINTTOPOINT'. + +include/linux/usb/usbnet.h: + #define FLAG_ETHER 0x0020 /* maybe use "eth%d" names */ + #define FLAG_WLAN 0x0080 /* use "wlan%d" names */ + #define FLAG_WWAN 0x0400 /* use "wwan%d" names */ + #define FLAG_POINTTOPOINT 0x1000 /* possibly use "usb%d" names */ + +drivers/net/usb/usbnet.c @ line 1711: + strcpy (net->name, "usb%d"); + ... + // heuristic: "usb%d" for links we know are two-host, + // else "eth%d" when there's reasonable doubt. userspace + // can rename the link if it knows better. + if ((dev->driver_info->flags & FLAG_ETHER) != 0 && + ((dev->driver_info->flags & FLAG_POINTTOPOINT) == 0 || + (net->dev_addr [0] & 0x02) == 0)) + strcpy (net->name, "eth%d"); + /* WLAN devices should always be named "wlan%d" */ + if ((dev->driver_info->flags & FLAG_WLAN) != 0) + strcpy(net->name, "wlan%d"); + /* WWAN devices should always be named "wwan%d" */ + if ((dev->driver_info->flags & FLAG_WWAN) != 0) + strcpy(net->name, "wwan%d"); + +So by using ETHER | POINTTOPOINT the interface naming is +either usb%d or eth%d based on the global uniqueness of the +mac address of the device. + +Without this 2.5gbps ethernet dongles which all seem to use the cdc_ncm +driver end up being called usb%d instead of eth%d even though they're +definitely not two-host. (All 1gbps & 5gbps ethernet usb dongles I've +tested don't hit this problem due to use of different drivers, primarily +r8152 and aqc111) + +Fixes tag is based purely on git blame, and is really just here to make +sure this hits LTS branches newer than v4.5. + +Cc: Lorenzo Colitti +Fixes: 4d06dd537f95 ("cdc_ncm: do not call usbnet_link_change from cdc_ncm_bind") +Signed-off-by: Maciej Żenczykowski +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/usb/cdc_ncm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/usb/cdc_ncm.c b/drivers/net/usb/cdc_ncm.c +index 82ec00a7370d..f3f78ccdb274 100644 +--- a/drivers/net/usb/cdc_ncm.c ++++ b/drivers/net/usb/cdc_ncm.c +@@ -1666,7 +1666,7 @@ static void cdc_ncm_status(struct usbnet *dev, struct urb *urb) + static const struct driver_info cdc_ncm_info = { + .description = "CDC NCM", + .flags = FLAG_POINTTOPOINT | FLAG_NO_SETINT | FLAG_MULTI_PACKET +- | FLAG_LINK_INTR, ++ | FLAG_LINK_INTR | FLAG_ETHER, + .bind = cdc_ncm_bind, + .unbind = cdc_ncm_unbind, + .manage_power = usbnet_manage_power, +-- +2.30.2 + diff --git a/queue-4.19/net-ethernet-fix-potential-use-after-free-in-ec_bhf_.patch b/queue-4.19/net-ethernet-fix-potential-use-after-free-in-ec_bhf_.patch new file mode 100644 index 00000000000..f917a2da399 --- /dev/null +++ b/queue-4.19/net-ethernet-fix-potential-use-after-free-in-ec_bhf_.patch @@ -0,0 +1,56 @@ +From f3f2eae71b5e718b7642a3ef164625acede53ef7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Jun 2021 16:49:02 +0300 +Subject: net: ethernet: fix potential use-after-free in ec_bhf_remove + +From: Pavel Skripkin + +[ Upstream commit 9cca0c2d70149160407bda9a9446ce0c29b6e6c6 ] + +static void ec_bhf_remove(struct pci_dev *dev) +{ +... + struct ec_bhf_priv *priv = netdev_priv(net_dev); + + unregister_netdev(net_dev); + free_netdev(net_dev); + + pci_iounmap(dev, priv->dma_io); + pci_iounmap(dev, priv->io); +... +} + +priv is netdev private data, but it is used +after free_netdev(). It can cause use-after-free when accessing priv +pointer. So, fix it by moving free_netdev() after pci_iounmap() +calls. + +Fixes: 6af55ff52b02 ("Driver for Beckhoff CX5020 EtherCAT master module.") +Signed-off-by: Pavel Skripkin +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/ec_bhf.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/ec_bhf.c b/drivers/net/ethernet/ec_bhf.c +index d71cba0842c5..59dc20020c73 100644 +--- a/drivers/net/ethernet/ec_bhf.c ++++ b/drivers/net/ethernet/ec_bhf.c +@@ -585,10 +585,12 @@ static void ec_bhf_remove(struct pci_dev *dev) + struct ec_bhf_priv *priv = netdev_priv(net_dev); + + unregister_netdev(net_dev); +- free_netdev(net_dev); + + pci_iounmap(dev, priv->dma_io); + pci_iounmap(dev, priv->io); ++ ++ free_netdev(net_dev); ++ + pci_release_regions(dev); + pci_clear_master(dev); + pci_disable_device(dev); +-- +2.30.2 + diff --git a/queue-4.19/net-fec_ptp-fix-issue-caused-by-refactor-the-fec_dev.patch b/queue-4.19/net-fec_ptp-fix-issue-caused-by-refactor-the-fec_dev.patch new file mode 100644 index 00000000000..89f83fcd072 --- /dev/null +++ b/queue-4.19/net-fec_ptp-fix-issue-caused-by-refactor-the-fec_dev.patch @@ -0,0 +1,44 @@ +From f57334ccfab6ea423ef6cf9db12f260e4bae9200 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Jun 2021 17:14:26 +0800 +Subject: net: fec_ptp: fix issue caused by refactor the fec_devtype + +From: Joakim Zhang + +[ Upstream commit d23765646e71b43ed2b809930411ba5c0aadee7b ] + +Commit da722186f654 ("net: fec: set GPR bit on suspend by DT configuration.") +refactor the fec_devtype, need adjust ptp driver accordingly. + +Fixes: da722186f654 ("net: fec: set GPR bit on suspend by DT configuration.") +Signed-off-by: Joakim Zhang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/freescale/fec_ptp.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/freescale/fec_ptp.c b/drivers/net/ethernet/freescale/fec_ptp.c +index 09a762eb4f09..eca65d49decb 100644 +--- a/drivers/net/ethernet/freescale/fec_ptp.c ++++ b/drivers/net/ethernet/freescale/fec_ptp.c +@@ -220,15 +220,13 @@ static u64 fec_ptp_read(const struct cyclecounter *cc) + { + struct fec_enet_private *fep = + container_of(cc, struct fec_enet_private, cc); +- const struct platform_device_id *id_entry = +- platform_get_device_id(fep->pdev); + u32 tempval; + + tempval = readl(fep->hwp + FEC_ATIME_CTRL); + tempval |= FEC_T_CTRL_CAPTURE; + writel(tempval, fep->hwp + FEC_ATIME_CTRL); + +- if (id_entry->driver_data & FEC_QUIRK_BUG_CAPTURE) ++ if (fep->quirks & FEC_QUIRK_BUG_CAPTURE) + udelay(1); + + return readl(fep->hwp + FEC_ATIME); +-- +2.30.2 + diff --git a/queue-4.19/net-hamradio-fix-memory-leak-in-mkiss_close.patch b/queue-4.19/net-hamradio-fix-memory-leak-in-mkiss_close.patch new file mode 100644 index 00000000000..f01eb7aa25d --- /dev/null +++ b/queue-4.19/net-hamradio-fix-memory-leak-in-mkiss_close.patch @@ -0,0 +1,112 @@ +From bcbc4223fcff0aaa755b08abbbf208774661ace9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Jun 2021 22:09:06 +0300 +Subject: net: hamradio: fix memory leak in mkiss_close + +From: Pavel Skripkin + +[ Upstream commit 7edcc682301492380fbdd604b4516af5ae667a13 ] + +My local syzbot instance hit memory leak in +mkiss_open()[1]. The problem was in missing +free_netdev() in mkiss_close(). + +In mkiss_open() netdevice is allocated and then +registered, but in mkiss_close() netdevice was +only unregistered, but not freed. + +Fail log: + +BUG: memory leak +unreferenced object 0xffff8880281ba000 (size 4096): + comm "syz-executor.1", pid 11443, jiffies 4295046091 (age 17.660s) + hex dump (first 32 bytes): + 61 78 30 00 00 00 00 00 00 00 00 00 00 00 00 00 ax0............. + 00 27 fa 2a 80 88 ff ff 00 00 00 00 00 00 00 00 .'.*............ + backtrace: + [] kvmalloc_node+0x61/0xf0 + [] alloc_netdev_mqs+0x98/0xe80 + [] mkiss_open+0xb2/0x6f0 [1] + [] tty_ldisc_open+0x9b/0x110 + [] tty_set_ldisc+0x2e8/0x670 + [] tty_ioctl+0xda3/0x1440 + [] __x64_sys_ioctl+0x193/0x200 + [] do_syscall_64+0x3a/0xb0 + [] entry_SYSCALL_64_after_hwframe+0x44/0xae + +BUG: memory leak +unreferenced object 0xffff8880141a9a00 (size 96): + comm "syz-executor.1", pid 11443, jiffies 4295046091 (age 17.660s) + hex dump (first 32 bytes): + e8 a2 1b 28 80 88 ff ff e8 a2 1b 28 80 88 ff ff ...(.......(.... + 98 92 9c aa b0 40 02 00 00 00 00 00 00 00 00 00 .....@.......... + backtrace: + [] __hw_addr_create_ex+0x5b/0x310 + [] __hw_addr_add_ex+0x1f8/0x2b0 + [] dev_addr_init+0x10b/0x1f0 + [] alloc_netdev_mqs+0x13b/0xe80 + [] mkiss_open+0xb2/0x6f0 [1] + [] tty_ldisc_open+0x9b/0x110 + [] tty_set_ldisc+0x2e8/0x670 + [] tty_ioctl+0xda3/0x1440 + [] __x64_sys_ioctl+0x193/0x200 + [] do_syscall_64+0x3a/0xb0 + [] entry_SYSCALL_64_after_hwframe+0x44/0xae + +BUG: memory leak +unreferenced object 0xffff8880219bfc00 (size 512): + comm "syz-executor.1", pid 11443, jiffies 4295046091 (age 17.660s) + hex dump (first 32 bytes): + 00 a0 1b 28 80 88 ff ff 80 8f b1 8d ff ff ff ff ...(............ + 80 8f b1 8d ff ff ff ff 00 00 00 00 00 00 00 00 ................ + backtrace: + [] kvmalloc_node+0x61/0xf0 + [] alloc_netdev_mqs+0x777/0xe80 + [] mkiss_open+0xb2/0x6f0 [1] + [] tty_ldisc_open+0x9b/0x110 + [] tty_set_ldisc+0x2e8/0x670 + [] tty_ioctl+0xda3/0x1440 + [] __x64_sys_ioctl+0x193/0x200 + [] do_syscall_64+0x3a/0xb0 + [] entry_SYSCALL_64_after_hwframe+0x44/0xae + +BUG: memory leak +unreferenced object 0xffff888029b2b200 (size 256): + comm "syz-executor.1", pid 11443, jiffies 4295046091 (age 17.660s) + hex dump (first 32 bytes): + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + backtrace: + [] kvmalloc_node+0x61/0xf0 + [] alloc_netdev_mqs+0x912/0xe80 + [] mkiss_open+0xb2/0x6f0 [1] + [] tty_ldisc_open+0x9b/0x110 + [] tty_set_ldisc+0x2e8/0x670 + [] tty_ioctl+0xda3/0x1440 + [] __x64_sys_ioctl+0x193/0x200 + [] do_syscall_64+0x3a/0xb0 + [] entry_SYSCALL_64_after_hwframe+0x44/0xae + +Fixes: 815f62bf7427 ("[PATCH] SMP rewrite of mkiss") +Signed-off-by: Pavel Skripkin +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/hamradio/mkiss.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/hamradio/mkiss.c b/drivers/net/hamradio/mkiss.c +index 3b14e6e281d4..940aa7a19f50 100644 +--- a/drivers/net/hamradio/mkiss.c ++++ b/drivers/net/hamradio/mkiss.c +@@ -810,6 +810,7 @@ static void mkiss_close(struct tty_struct *tty) + ax->tty = NULL; + + unregister_netdev(ax->dev); ++ free_netdev(ax->dev); + } + + /* Perform I/O control on an active ax25 channel. */ +-- +2.30.2 + diff --git a/queue-4.19/net-ipv4-fix-memory-leak-in-ip_mc_add1_src.patch b/queue-4.19/net-ipv4-fix-memory-leak-in-ip_mc_add1_src.patch new file mode 100644 index 00000000000..7d43d70b355 --- /dev/null +++ b/queue-4.19/net-ipv4-fix-memory-leak-in-ip_mc_add1_src.patch @@ -0,0 +1,86 @@ +From 88774020790570b6d06f7acd5b62ce9606737c9d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Jun 2021 17:59:25 +0800 +Subject: net: ipv4: fix memory leak in ip_mc_add1_src + +From: Chengyang Fan + +[ Upstream commit d8e2973029b8b2ce477b564824431f3385c77083 ] + +BUG: memory leak +unreferenced object 0xffff888101bc4c00 (size 32): + comm "syz-executor527", pid 360, jiffies 4294807421 (age 19.329s) + hex dump (first 32 bytes): + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + 01 00 00 00 00 00 00 00 ac 14 14 bb 00 00 02 00 ................ + backtrace: + [<00000000f17c5244>] kmalloc include/linux/slab.h:558 [inline] + [<00000000f17c5244>] kzalloc include/linux/slab.h:688 [inline] + [<00000000f17c5244>] ip_mc_add1_src net/ipv4/igmp.c:1971 [inline] + [<00000000f17c5244>] ip_mc_add_src+0x95f/0xdb0 net/ipv4/igmp.c:2095 + [<000000001cb99709>] ip_mc_source+0x84c/0xea0 net/ipv4/igmp.c:2416 + [<0000000052cf19ed>] do_ip_setsockopt net/ipv4/ip_sockglue.c:1294 [inline] + [<0000000052cf19ed>] ip_setsockopt+0x114b/0x30c0 net/ipv4/ip_sockglue.c:1423 + [<00000000477edfbc>] raw_setsockopt+0x13d/0x170 net/ipv4/raw.c:857 + [<00000000e75ca9bb>] __sys_setsockopt+0x158/0x270 net/socket.c:2117 + [<00000000bdb993a8>] __do_sys_setsockopt net/socket.c:2128 [inline] + [<00000000bdb993a8>] __se_sys_setsockopt net/socket.c:2125 [inline] + [<00000000bdb993a8>] __x64_sys_setsockopt+0xba/0x150 net/socket.c:2125 + [<000000006a1ffdbd>] do_syscall_64+0x40/0x80 arch/x86/entry/common.c:47 + [<00000000b11467c4>] entry_SYSCALL_64_after_hwframe+0x44/0xae + +In commit 24803f38a5c0 ("igmp: do not remove igmp souce list info when set +link down"), the ip_mc_clear_src() in ip_mc_destroy_dev() was removed, +because it was also called in igmpv3_clear_delrec(). + +Rough callgraph: + +inetdev_destroy +-> ip_mc_destroy_dev + -> igmpv3_clear_delrec + -> ip_mc_clear_src +-> RCU_INIT_POINTER(dev->ip_ptr, NULL) + +However, ip_mc_clear_src() called in igmpv3_clear_delrec() doesn't +release in_dev->mc_list->sources. And RCU_INIT_POINTER() assigns the +NULL to dev->ip_ptr. As a result, in_dev cannot be obtained through +inetdev_by_index() and then in_dev->mc_list->sources cannot be released +by ip_mc_del1_src() in the sock_close. Rough call sequence goes like: + +sock_close +-> __sock_release + -> inet_release + -> ip_mc_drop_socket + -> inetdev_by_index + -> ip_mc_leave_src + -> ip_mc_del_src + -> ip_mc_del1_src + +So we still need to call ip_mc_clear_src() in ip_mc_destroy_dev() to free +in_dev->mc_list->sources. + +Fixes: 24803f38a5c0 ("igmp: do not remove igmp souce list info ...") +Reported-by: Hulk Robot +Signed-off-by: Chengyang Fan +Acked-by: Hangbin Liu +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv4/igmp.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/ipv4/igmp.c b/net/ipv4/igmp.c +index 523d26f5e22e..ffa847fc9619 100644 +--- a/net/ipv4/igmp.c ++++ b/net/ipv4/igmp.c +@@ -1816,6 +1816,7 @@ void ip_mc_destroy_dev(struct in_device *in_dev) + while ((i = rtnl_dereference(in_dev->mc_list)) != NULL) { + in_dev->mc_list = i->next_rcu; + in_dev->mc_count--; ++ ip_mc_clear_src(i); + ip_ma_put(i); + } + } +-- +2.30.2 + diff --git a/queue-4.19/net-ipv4-fix-memory-leak-in-netlbl_cipsov4_add_std.patch b/queue-4.19/net-ipv4-fix-memory-leak-in-netlbl_cipsov4_add_std.patch new file mode 100644 index 00000000000..cf7ec5a4f27 --- /dev/null +++ b/queue-4.19/net-ipv4-fix-memory-leak-in-netlbl_cipsov4_add_std.patch @@ -0,0 +1,66 @@ +From 50234f3651eba4ce2deecf256023b633270049ba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Jun 2021 09:51:58 +0800 +Subject: net: ipv4: fix memory leak in netlbl_cipsov4_add_std + +From: Nanyong Sun + +[ Upstream commit d612c3f3fae221e7ea736d196581c2217304bbbc ] + +Reported by syzkaller: +BUG: memory leak +unreferenced object 0xffff888105df7000 (size 64): +comm "syz-executor842", pid 360, jiffies 4294824824 (age 22.546s) +hex dump (first 32 bytes): +00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ +00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ +backtrace: +[<00000000e67ed558>] kmalloc include/linux/slab.h:590 [inline] +[<00000000e67ed558>] kzalloc include/linux/slab.h:720 [inline] +[<00000000e67ed558>] netlbl_cipsov4_add_std net/netlabel/netlabel_cipso_v4.c:145 [inline] +[<00000000e67ed558>] netlbl_cipsov4_add+0x390/0x2340 net/netlabel/netlabel_cipso_v4.c:416 +[<0000000006040154>] genl_family_rcv_msg_doit.isra.0+0x20e/0x320 net/netlink/genetlink.c:739 +[<00000000204d7a1c>] genl_family_rcv_msg net/netlink/genetlink.c:783 [inline] +[<00000000204d7a1c>] genl_rcv_msg+0x2bf/0x4f0 net/netlink/genetlink.c:800 +[<00000000c0d6a995>] netlink_rcv_skb+0x134/0x3d0 net/netlink/af_netlink.c:2504 +[<00000000d78b9d2c>] genl_rcv+0x24/0x40 net/netlink/genetlink.c:811 +[<000000009733081b>] netlink_unicast_kernel net/netlink/af_netlink.c:1314 [inline] +[<000000009733081b>] netlink_unicast+0x4a0/0x6a0 net/netlink/af_netlink.c:1340 +[<00000000d5fd43b8>] netlink_sendmsg+0x789/0xc70 net/netlink/af_netlink.c:1929 +[<000000000a2d1e40>] sock_sendmsg_nosec net/socket.c:654 [inline] +[<000000000a2d1e40>] sock_sendmsg+0x139/0x170 net/socket.c:674 +[<00000000321d1969>] ____sys_sendmsg+0x658/0x7d0 net/socket.c:2350 +[<00000000964e16bc>] ___sys_sendmsg+0xf8/0x170 net/socket.c:2404 +[<000000001615e288>] __sys_sendmsg+0xd3/0x190 net/socket.c:2433 +[<000000004ee8b6a5>] do_syscall_64+0x37/0x90 arch/x86/entry/common.c:47 +[<00000000171c7cee>] entry_SYSCALL_64_after_hwframe+0x44/0xae + +The memory of doi_def->map.std pointing is allocated in +netlbl_cipsov4_add_std, but no place has freed it. It should be +freed in cipso_v4_doi_free which frees the cipso DOI resource. + +Fixes: 96cb8e3313c7a ("[NetLabel]: CIPSOv4 and Unlabeled packet integration") +Reported-by: Hulk Robot +Signed-off-by: Nanyong Sun +Acked-by: Paul Moore +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv4/cipso_ipv4.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/ipv4/cipso_ipv4.c b/net/ipv4/cipso_ipv4.c +index 6a1b52b34e20..e8b8dd1cb157 100644 +--- a/net/ipv4/cipso_ipv4.c ++++ b/net/ipv4/cipso_ipv4.c +@@ -486,6 +486,7 @@ void cipso_v4_doi_free(struct cipso_v4_doi *doi_def) + kfree(doi_def->map.std->lvl.local); + kfree(doi_def->map.std->cat.cipso); + kfree(doi_def->map.std->cat.local); ++ kfree(doi_def->map.std); + break; + } + kfree(doi_def); +-- +2.30.2 + diff --git a/queue-4.19/net-make-get_net_ns-return-error-if-net_ns-is-disabl.patch b/queue-4.19/net-make-get_net_ns-return-error-if-net_ns-is-disabl.patch new file mode 100644 index 00000000000..bb9174d63c9 --- /dev/null +++ b/queue-4.19/net-make-get_net_ns-return-error-if-net_ns-is-disabl.patch @@ -0,0 +1,131 @@ +From 46ca927c0dbbaf600e535b9fab89253a9a61c2bd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Jun 2021 22:29:59 +0800 +Subject: net: make get_net_ns return error if NET_NS is disabled + +From: Changbin Du + +[ Upstream commit ea6932d70e223e02fea3ae20a4feff05d7c1ea9a ] + +There is a panic in socket ioctl cmd SIOCGSKNS when NET_NS is not enabled. +The reason is that nsfs tries to access ns->ops but the proc_ns_operations +is not implemented in this case. + +[7.670023] Unable to handle kernel NULL pointer dereference at virtual address 00000010 +[7.670268] pgd = 32b54000 +[7.670544] [00000010] *pgd=00000000 +[7.671861] Internal error: Oops: 5 [#1] SMP ARM +[7.672315] Modules linked in: +[7.672918] CPU: 0 PID: 1 Comm: systemd Not tainted 5.13.0-rc3-00375-g6799d4f2da49 #16 +[7.673309] Hardware name: Generic DT based system +[7.673642] PC is at nsfs_evict+0x24/0x30 +[7.674486] LR is at clear_inode+0x20/0x9c + +The same to tun SIOCGSKNS command. + +To fix this problem, we make get_net_ns() return -EINVAL when NET_NS is +disabled. Meanwhile move it to right place net/core/net_namespace.c. + +Signed-off-by: Changbin Du +Fixes: c62cce2caee5 ("net: add an ioctl to get a socket network namespace") +Cc: Cong Wang +Cc: Jakub Kicinski +Cc: David Laight +Cc: Christian Brauner +Suggested-by: Jakub Kicinski +Acked-by: Christian Brauner +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + include/linux/socket.h | 2 -- + include/net/net_namespace.h | 7 +++++++ + net/core/net_namespace.c | 12 ++++++++++++ + net/socket.c | 13 ------------- + 4 files changed, 19 insertions(+), 15 deletions(-) + +diff --git a/include/linux/socket.h b/include/linux/socket.h +index cc1d3f1b7656..15a7eb24f63c 100644 +--- a/include/linux/socket.h ++++ b/include/linux/socket.h +@@ -384,6 +384,4 @@ extern int __sys_getpeername(int fd, struct sockaddr __user *usockaddr, + extern int __sys_socketpair(int family, int type, int protocol, + int __user *usockvec); + extern int __sys_shutdown(int fd, int how); +- +-extern struct ns_common *get_net_ns(struct ns_common *ns); + #endif /* _LINUX_SOCKET_H */ +diff --git a/include/net/net_namespace.h b/include/net/net_namespace.h +index 5007eaba207d..bc88ac6c2e1d 100644 +--- a/include/net/net_namespace.h ++++ b/include/net/net_namespace.h +@@ -175,6 +175,8 @@ struct net *copy_net_ns(unsigned long flags, struct user_namespace *user_ns, + void net_ns_get_ownership(const struct net *net, kuid_t *uid, kgid_t *gid); + + void net_ns_barrier(void); ++ ++struct ns_common *get_net_ns(struct ns_common *ns); + #else /* CONFIG_NET_NS */ + #include + #include +@@ -194,6 +196,11 @@ static inline void net_ns_get_ownership(const struct net *net, + } + + static inline void net_ns_barrier(void) {} ++ ++static inline struct ns_common *get_net_ns(struct ns_common *ns) ++{ ++ return ERR_PTR(-EINVAL); ++} + #endif /* CONFIG_NET_NS */ + + +diff --git a/net/core/net_namespace.c b/net/core/net_namespace.c +index c60123dff803..939d8a31eb82 100644 +--- a/net/core/net_namespace.c ++++ b/net/core/net_namespace.c +@@ -598,6 +598,18 @@ void __put_net(struct net *net) + } + EXPORT_SYMBOL_GPL(__put_net); + ++/** ++ * get_net_ns - increment the refcount of the network namespace ++ * @ns: common namespace (net) ++ * ++ * Returns the net's common namespace. ++ */ ++struct ns_common *get_net_ns(struct ns_common *ns) ++{ ++ return &get_net(container_of(ns, struct net, ns))->ns; ++} ++EXPORT_SYMBOL_GPL(get_net_ns); ++ + struct net *get_net_ns_by_fd(int fd) + { + struct file *file; +diff --git a/net/socket.c b/net/socket.c +index 1ed7be54815a..f14bca00ff01 100644 +--- a/net/socket.c ++++ b/net/socket.c +@@ -1048,19 +1048,6 @@ static long sock_do_ioctl(struct net *net, struct socket *sock, + * what to do with it - that's up to the protocol still. + */ + +-/** +- * get_net_ns - increment the refcount of the network namespace +- * @ns: common namespace (net) +- * +- * Returns the net's common namespace. +- */ +- +-struct ns_common *get_net_ns(struct ns_common *ns) +-{ +- return &get_net(container_of(ns, struct net, ns))->ns; +-} +-EXPORT_SYMBOL_GPL(get_net_ns); +- + static long sock_ioctl(struct file *file, unsigned cmd, unsigned long arg) + { + struct socket *sock; +-- +2.30.2 + diff --git a/queue-4.19/net-mlx5e-block-offload-of-outer-header-csum-for-udp.patch b/queue-4.19/net-mlx5e-block-offload-of-outer-header-csum-for-udp.patch new file mode 100644 index 00000000000..47b1753d12b --- /dev/null +++ b/queue-4.19/net-mlx5e-block-offload-of-outer-header-csum-for-udp.patch @@ -0,0 +1,43 @@ +From a8f9c99787fa2a634830edd352aa35425855a68e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 May 2021 14:34:58 +0300 +Subject: net/mlx5e: Block offload of outer header csum for UDP tunnels + +From: Aya Levin + +[ Upstream commit 6d6727dddc7f93fcc155cb8d0c49c29ae0e71122 ] + +The device is able to offload either the outer header csum or inner +header csum. The driver utilizes the inner csum offload. Hence, block +setting of tx-udp_tnl-csum-segmentation and set it to off[fixed]. + +Fixes: b49663c8fb49 ("net/mlx5e: Add support for UDP tunnel segmentation with outer checksum offload") +Signed-off-by: Aya Levin +Reviewed-by: Tariq Toukan +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 7 ++----- + 1 file changed, 2 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +index 51edc507b7b5..9003702892cd 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +@@ -4679,11 +4679,8 @@ static void mlx5e_build_nic_netdev(struct net_device *netdev) + } + + if (mlx5_vxlan_allowed(mdev->vxlan)) { +- netdev->hw_features |= NETIF_F_GSO_UDP_TUNNEL | +- NETIF_F_GSO_UDP_TUNNEL_CSUM; +- netdev->hw_enc_features |= NETIF_F_GSO_UDP_TUNNEL | +- NETIF_F_GSO_UDP_TUNNEL_CSUM; +- netdev->gso_partial_features = NETIF_F_GSO_UDP_TUNNEL_CSUM; ++ netdev->hw_features |= NETIF_F_GSO_UDP_TUNNEL; ++ netdev->hw_enc_features |= NETIF_F_GSO_UDP_TUNNEL; + } + + if (MLX5_CAP_ETH(mdev, tunnel_stateless_gre)) { +-- +2.30.2 + diff --git a/queue-4.19/net-mlx5e-remove-dependency-in-ipsec-initialization-.patch b/queue-4.19/net-mlx5e-remove-dependency-in-ipsec-initialization-.patch new file mode 100644 index 00000000000..9eff8a71b3b --- /dev/null +++ b/queue-4.19/net-mlx5e-remove-dependency-in-ipsec-initialization-.patch @@ -0,0 +1,43 @@ +From 85fd79f4946307b734aedabcb58af6aebd14037c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 May 2021 13:20:32 -0500 +Subject: net/mlx5e: Remove dependency in IPsec initialization flows + +From: Huy Nguyen + +[ Upstream commit 8ad893e516a77209a1818a2072d2027d87db809f ] + +Currently, IPsec feature is disabled because mlx5e_build_nic_netdev +is required to be called after mlx5e_ipsec_init. This requirement is +invalid as mlx5e_build_nic_netdev and mlx5e_ipsec_init initialize +independent resources. + +Remove ipsec pointer check in mlx5e_build_nic_netdev so that the +two functions can be called at any order. + +Fixes: 547eede070eb ("net/mlx5e: IPSec, Innova IPSec offload infrastructure") +Signed-off-by: Huy Nguyen +Reviewed-by: Raed Salem +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c +index cf58c9637904..c467f5e981f6 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c +@@ -515,9 +515,6 @@ void mlx5e_ipsec_build_netdev(struct mlx5e_priv *priv) + struct mlx5_core_dev *mdev = priv->mdev; + struct net_device *netdev = priv->netdev; + +- if (!priv->ipsec) +- return; +- + if (!(mlx5_accel_ipsec_device_caps(mdev) & MLX5_ACCEL_IPSEC_CAP_ESP) || + !MLX5_CAP_ETH(mdev, swp)) { + mlx5_core_dbg(mdev, "mlx5e: ESP and SWP offload not supported\n"); +-- +2.30.2 + diff --git a/queue-4.19/net-qrtr-fix-oob-read-in-qrtr_endpoint_post.patch b/queue-4.19/net-qrtr-fix-oob-read-in-qrtr_endpoint_post.patch new file mode 100644 index 00000000000..420b5b4fb8f --- /dev/null +++ b/queue-4.19/net-qrtr-fix-oob-read-in-qrtr_endpoint_post.patch @@ -0,0 +1,50 @@ +From b765166971c7bfb33bebb47ebb9a33902a39521c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Jun 2021 15:06:50 +0300 +Subject: net: qrtr: fix OOB Read in qrtr_endpoint_post + +From: Pavel Skripkin + +[ Upstream commit ad9d24c9429e2159d1e279dc3a83191ccb4daf1d ] + +Syzbot reported slab-out-of-bounds Read in +qrtr_endpoint_post. The problem was in wrong +_size_ type: + + if (len != ALIGN(size, 4) + hdrlen) + goto err; + +If size from qrtr_hdr is 4294967293 (0xfffffffd), the result of +ALIGN(size, 4) will be 0. In case of len == hdrlen and size == 4294967293 +in header this check won't fail and + + skb_put_data(skb, data + hdrlen, size); + +will read out of bound from data, which is hdrlen allocated block. + +Fixes: 194ccc88297a ("net: qrtr: Support decoding incoming v2 packets") +Reported-and-tested-by: syzbot+1917d778024161609247@syzkaller.appspotmail.com +Signed-off-by: Pavel Skripkin +Reviewed-by: Bjorn Andersson +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/qrtr/qrtr.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/qrtr/qrtr.c b/net/qrtr/qrtr.c +index 43f63d0606ec..1e2772913957 100644 +--- a/net/qrtr/qrtr.c ++++ b/net/qrtr/qrtr.c +@@ -264,7 +264,7 @@ int qrtr_endpoint_post(struct qrtr_endpoint *ep, const void *data, size_t len) + const struct qrtr_hdr_v2 *v2; + struct sk_buff *skb; + struct qrtr_cb *cb; +- unsigned int size; ++ size_t size; + unsigned int ver; + size_t hdrlen; + +-- +2.30.2 + diff --git a/queue-4.19/net-rds-fix-memory-leak-in-rds_recvmsg.patch b/queue-4.19/net-rds-fix-memory-leak-in-rds_recvmsg.patch new file mode 100644 index 00000000000..a9fb5f3ac39 --- /dev/null +++ b/queue-4.19/net-rds-fix-memory-leak-in-rds_recvmsg.patch @@ -0,0 +1,73 @@ +From 29ca7a5ea2cafdb08f1a28f112977d56fac0ece2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Jun 2021 11:06:41 +0300 +Subject: net: rds: fix memory leak in rds_recvmsg +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Pavel Skripkin + +[ Upstream commit 49bfcbfd989a8f1f23e705759a6bb099de2cff9f ] + +Syzbot reported memory leak in rds. The problem +was in unputted refcount in case of error. + +int rds_recvmsg(struct socket *sock, struct msghdr *msg, size_t size, + int msg_flags) +{ +... + + if (!rds_next_incoming(rs, &inc)) { + ... + } + +After this "if" inc refcount incremented and + + if (rds_cmsg_recv(inc, msg, rs)) { + ret = -EFAULT; + goto out; + } +... +out: + return ret; +} + +in case of rds_cmsg_recv() fail the refcount won't be +decremented. And it's easy to see from ftrace log, that +rds_inc_addref() don't have rds_inc_put() pair in +rds_recvmsg() after rds_cmsg_recv() + + 1) | rds_recvmsg() { + 1) 3.721 us | rds_inc_addref(); + 1) 3.853 us | rds_message_inc_copy_to_user(); + 1) + 10.395 us | rds_cmsg_recv(); + 1) + 34.260 us | } + +Fixes: bdbe6fbc6a2f ("RDS: recv.c") +Reported-and-tested-by: syzbot+5134cdf021c4ed5aaa5f@syzkaller.appspotmail.com +Signed-off-by: Pavel Skripkin +Reviewed-by: Håkon Bugge +Acked-by: Santosh Shilimkar +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/rds/recv.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/rds/recv.c b/net/rds/recv.c +index 3ca278988b52..ccf0bf283002 100644 +--- a/net/rds/recv.c ++++ b/net/rds/recv.c +@@ -705,7 +705,7 @@ int rds_recvmsg(struct socket *sock, struct msghdr *msg, size_t size, + + if (rds_cmsg_recv(inc, msg, rs)) { + ret = -EFAULT; +- goto out; ++ break; + } + rds_recvmsg_zcookie(rs, msg); + +-- +2.30.2 + diff --git a/queue-4.19/net-stmmac-dwmac1000-fix-extended-mac-address-regist.patch b/queue-4.19/net-stmmac-dwmac1000-fix-extended-mac-address-regist.patch new file mode 100644 index 00000000000..303067f3dc5 --- /dev/null +++ b/queue-4.19/net-stmmac-dwmac1000-fix-extended-mac-address-regist.patch @@ -0,0 +1,42 @@ +From f3ba4e4c3d4629e39845d0b2f42c3e01ceb8a287 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Jun 2021 15:16:11 +0800 +Subject: net: stmmac: dwmac1000: Fix extended MAC address registers definition + +From: Jisheng Zhang + +[ Upstream commit 1adb20f0d496b2c61e9aa1f4761b8d71f93d258e ] + +The register starts from 0x800 is the 16th MAC address register rather +than the first one. + +Fixes: cffb13f4d6fb ("stmmac: extend mac addr reg and fix perfect filering") +Signed-off-by: Jisheng Zhang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/stmicro/stmmac/dwmac1000.h | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac1000.h b/drivers/net/ethernet/stmicro/stmmac/dwmac1000.h +index 184ca13c8f79..1a84cf459e40 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/dwmac1000.h ++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac1000.h +@@ -86,10 +86,10 @@ enum power_event { + #define LPI_CTRL_STATUS_TLPIEN 0x00000001 /* Transmit LPI Entry */ + + /* GMAC HW ADDR regs */ +-#define GMAC_ADDR_HIGH(reg) (((reg > 15) ? 0x00000800 : 0x00000040) + \ +- (reg * 8)) +-#define GMAC_ADDR_LOW(reg) (((reg > 15) ? 0x00000804 : 0x00000044) + \ +- (reg * 8)) ++#define GMAC_ADDR_HIGH(reg) ((reg > 15) ? 0x00000800 + (reg - 16) * 8 : \ ++ 0x00000040 + (reg * 8)) ++#define GMAC_ADDR_LOW(reg) ((reg > 15) ? 0x00000804 + (reg - 16) * 8 : \ ++ 0x00000044 + (reg * 8)) + #define GMAC_MAX_PERFECT_ADDRESSES 1 + + #define GMAC_PCS_BASE 0x000000c0 /* PCS register base */ +-- +2.30.2 + diff --git a/queue-4.19/net-usb-fix-possible-use-after-free-in-smsc75xx_bind.patch b/queue-4.19/net-usb-fix-possible-use-after-free-in-smsc75xx_bind.patch new file mode 100644 index 00000000000..f54ee8645b6 --- /dev/null +++ b/queue-4.19/net-usb-fix-possible-use-after-free-in-smsc75xx_bind.patch @@ -0,0 +1,72 @@ +From 81600248855d59138765fd17488fca85ed155c1a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Jun 2021 10:48:33 +0800 +Subject: net: usb: fix possible use-after-free in smsc75xx_bind + +From: Dongliang Mu + +[ Upstream commit 56b786d86694e079d8aad9b314e015cd4ac02a3d ] + +The commit 46a8b29c6306 ("net: usb: fix memory leak in smsc75xx_bind") +fails to clean up the work scheduled in smsc75xx_reset-> +smsc75xx_set_multicast, which leads to use-after-free if the work is +scheduled to start after the deallocation. In addition, this patch +also removes a dangling pointer - dev->data[0]. + +This patch calls cancel_work_sync to cancel the scheduled work and set +the dangling pointer to NULL. + +Fixes: 46a8b29c6306 ("net: usb: fix memory leak in smsc75xx_bind") +Signed-off-by: Dongliang Mu +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/usb/smsc75xx.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/usb/smsc75xx.c b/drivers/net/usb/smsc75xx.c +index 62f2862c9775..8b9fd4e071f3 100644 +--- a/drivers/net/usb/smsc75xx.c ++++ b/drivers/net/usb/smsc75xx.c +@@ -1495,7 +1495,7 @@ static int smsc75xx_bind(struct usbnet *dev, struct usb_interface *intf) + ret = smsc75xx_wait_ready(dev, 0); + if (ret < 0) { + netdev_warn(dev->net, "device not ready in smsc75xx_bind\n"); +- goto err; ++ goto free_pdata; + } + + smsc75xx_init_mac_address(dev); +@@ -1504,7 +1504,7 @@ static int smsc75xx_bind(struct usbnet *dev, struct usb_interface *intf) + ret = smsc75xx_reset(dev); + if (ret < 0) { + netdev_warn(dev->net, "smsc75xx_reset error %d\n", ret); +- goto err; ++ goto cancel_work; + } + + dev->net->netdev_ops = &smsc75xx_netdev_ops; +@@ -1515,8 +1515,11 @@ static int smsc75xx_bind(struct usbnet *dev, struct usb_interface *intf) + dev->net->max_mtu = MAX_SINGLE_PACKET_SIZE; + return 0; + +-err: ++cancel_work: ++ cancel_work_sync(&pdata->set_multicast); ++free_pdata: + kfree(pdata); ++ dev->data[0] = 0; + return ret; + } + +@@ -1527,7 +1530,6 @@ static void smsc75xx_unbind(struct usbnet *dev, struct usb_interface *intf) + cancel_work_sync(&pdata->set_multicast); + netif_dbg(dev, ifdown, dev->net, "free pdata\n"); + kfree(pdata); +- pdata = NULL; + dev->data[0] = 0; + } + } +-- +2.30.2 + diff --git a/queue-4.19/netfilter-synproxy-fix-out-of-bounds-when-parsing-tc.patch b/queue-4.19/netfilter-synproxy-fix-out-of-bounds-when-parsing-tc.patch new file mode 100644 index 00000000000..edc3c2a93e4 --- /dev/null +++ b/queue-4.19/netfilter-synproxy-fix-out-of-bounds-when-parsing-tc.patch @@ -0,0 +1,59 @@ +From 4868eceb906cf6236d3d6c68b1ceed524ecf0a5e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Jun 2021 19:40:29 +0300 +Subject: netfilter: synproxy: Fix out of bounds when parsing TCP options + +From: Maxim Mikityanskiy + +[ Upstream commit 5fc177ab759418c9537433e63301096e733fb915 ] + +The TCP option parser in synproxy (synproxy_parse_options) could read +one byte out of bounds. When the length is 1, the execution flow gets +into the loop, reads one byte of the opcode, and if the opcode is +neither TCPOPT_EOL nor TCPOPT_NOP, it reads one more byte, which exceeds +the length of 1. + +This fix is inspired by commit 9609dad263f8 ("ipv4: tcp_input: fix stack +out of bounds when parsing TCP options."). + +v2 changes: + +Added an early return when length < 0 to avoid calling +skb_header_pointer with negative length. + +Cc: Young Xiao <92siuyang@gmail.com> +Fixes: 48b1de4c110a ("netfilter: add SYNPROXY core/target") +Signed-off-by: Maxim Mikityanskiy +Reviewed-by: Florian Westphal +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_synproxy_core.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/net/netfilter/nf_synproxy_core.c b/net/netfilter/nf_synproxy_core.c +index 353a2aa80c3c..04b07b63c540 100644 +--- a/net/netfilter/nf_synproxy_core.c ++++ b/net/netfilter/nf_synproxy_core.c +@@ -34,6 +34,9 @@ synproxy_parse_options(const struct sk_buff *skb, unsigned int doff, + int length = (th->doff * 4) - sizeof(*th); + u8 buf[40], *ptr; + ++ if (unlikely(length < 0)) ++ return false; ++ + ptr = skb_header_pointer(skb, doff + sizeof(*th), length, buf); + if (ptr == NULL) + return false; +@@ -50,6 +53,8 @@ synproxy_parse_options(const struct sk_buff *skb, unsigned int doff, + length--; + continue; + default: ++ if (length < 2) ++ return true; + opsize = *ptr++; + if (opsize < 2) + return true; +-- +2.30.2 + diff --git a/queue-4.19/netxen_nic-fix-an-error-handling-path-in-netxen_nic_.patch b/queue-4.19/netxen_nic-fix-an-error-handling-path-in-netxen_nic_.patch new file mode 100644 index 00000000000..a044a459ebe --- /dev/null +++ b/queue-4.19/netxen_nic-fix-an-error-handling-path-in-netxen_nic_.patch @@ -0,0 +1,37 @@ +From ae81eee5f6a9b1f401af7d6121f1ef66efe6a745 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 12 Jun 2021 14:53:12 +0200 +Subject: netxen_nic: Fix an error handling path in 'netxen_nic_probe()' + +From: Christophe JAILLET + +[ Upstream commit 49a10c7b176295f8fafb338911cf028e97f65f4d ] + +If an error occurs after a 'pci_enable_pcie_error_reporting()' call, it +must be undone by a corresponding 'pci_disable_pcie_error_reporting()' +call, as already done in the remove function. + +Fixes: e87ad5539343 ("netxen: support pci error handlers") +Signed-off-by: Christophe JAILLET +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/qlogic/netxen/netxen_nic_main.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/ethernet/qlogic/netxen/netxen_nic_main.c b/drivers/net/ethernet/qlogic/netxen/netxen_nic_main.c +index 42b99b182616..a331ad406e7a 100644 +--- a/drivers/net/ethernet/qlogic/netxen/netxen_nic_main.c ++++ b/drivers/net/ethernet/qlogic/netxen/netxen_nic_main.c +@@ -1618,6 +1618,8 @@ err_out_free_netdev: + free_netdev(netdev); + + err_out_free_res: ++ if (NX_IS_REVISION_P3(pdev->revision)) ++ pci_disable_pcie_error_reporting(pdev); + pci_release_regions(pdev); + + err_out_disable_pdev: +-- +2.30.2 + diff --git a/queue-4.19/ptp-improve-max_adj-check-against-unreasonable-value.patch b/queue-4.19/ptp-improve-max_adj-check-against-unreasonable-value.patch new file mode 100644 index 00000000000..ef5006e592b --- /dev/null +++ b/queue-4.19/ptp-improve-max_adj-check-against-unreasonable-value.patch @@ -0,0 +1,80 @@ +From 73bd25db58a8954e698711637a9a697fe1cf155c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Jun 2021 15:24:05 -0700 +Subject: ptp: improve max_adj check against unreasonable values + +From: Jakub Kicinski + +[ Upstream commit 475b92f932168a78da8109acd10bfb7578b8f2bb ] + +Scaled PPM conversion to PPB may (on 64bit systems) result +in a value larger than s32 can hold (freq/scaled_ppm is a long). +This means the kernel will not correctly reject unreasonably +high ->freq values (e.g. > 4294967295ppb, 281474976645 scaled PPM). + +The conversion is equivalent to a division by ~66 (65.536), +so the value of ppb is always smaller than ppm, but not small +enough to assume narrowing the type from long -> s32 is okay. + +Note that reasonable user space (e.g. ptp4l) will not use such +high values, anyway, 4289046510ppb ~= 4.3x, so the fix is +somewhat pedantic. + +Fixes: d39a743511cd ("ptp: validate the requested frequency adjustment.") +Fixes: d94ba80ebbea ("ptp: Added a brand new class driver for ptp clocks.") +Signed-off-by: Jakub Kicinski +Acked-by: Richard Cochran +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/ptp/ptp_clock.c | 6 +++--- + include/linux/ptp_clock_kernel.h | 2 +- + 2 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/ptp/ptp_clock.c b/drivers/ptp/ptp_clock.c +index 863958f3bb57..89632cc9c28f 100644 +--- a/drivers/ptp/ptp_clock.c ++++ b/drivers/ptp/ptp_clock.c +@@ -76,7 +76,7 @@ static void enqueue_external_timestamp(struct timestamp_event_queue *queue, + spin_unlock_irqrestore(&queue->lock, flags); + } + +-s32 scaled_ppm_to_ppb(long ppm) ++long scaled_ppm_to_ppb(long ppm) + { + /* + * The 'freq' field in the 'struct timex' is in parts per +@@ -93,7 +93,7 @@ s32 scaled_ppm_to_ppb(long ppm) + s64 ppb = 1 + ppm; + ppb *= 125; + ppb >>= 13; +- return (s32) ppb; ++ return (long) ppb; + } + EXPORT_SYMBOL(scaled_ppm_to_ppb); + +@@ -148,7 +148,7 @@ static int ptp_clock_adjtime(struct posix_clock *pc, struct timex *tx) + delta = ktime_to_ns(kt); + err = ops->adjtime(ops, delta); + } else if (tx->modes & ADJ_FREQUENCY) { +- s32 ppb = scaled_ppm_to_ppb(tx->freq); ++ long ppb = scaled_ppm_to_ppb(tx->freq); + if (ppb > ops->max_adj || ppb < -ops->max_adj) + return -ERANGE; + if (ops->adjfine) +diff --git a/include/linux/ptp_clock_kernel.h b/include/linux/ptp_clock_kernel.h +index 40ea83fcfdd5..99c3f4ee938e 100644 +--- a/include/linux/ptp_clock_kernel.h ++++ b/include/linux/ptp_clock_kernel.h +@@ -210,7 +210,7 @@ extern int ptp_clock_index(struct ptp_clock *ptp); + * @ppm: Parts per million, but with a 16 bit binary fractional field + */ + +-extern s32 scaled_ppm_to_ppb(long ppm); ++extern long scaled_ppm_to_ppb(long ppm); + + /** + * ptp_find_pin() - obtain the pin index of a given auxiliary function +-- +2.30.2 + diff --git a/queue-4.19/ptp-ptp_clock-publish-scaled_ppm_to_ppb.patch b/queue-4.19/ptp-ptp_clock-publish-scaled_ppm_to_ppb.patch new file mode 100644 index 00000000000..820ea5564af --- /dev/null +++ b/queue-4.19/ptp-ptp_clock-publish-scaled_ppm_to_ppb.patch @@ -0,0 +1,64 @@ +From 97c9ab69366955c1bfd9ab58ff53e7c6b9ed5dc2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Jun 2019 18:45:09 +0300 +Subject: ptp: ptp_clock: Publish scaled_ppm_to_ppb + +From: Shalom Toledo + +[ Upstream commit 4368dada5b37e74a13b892ca5cef8a7d558e9a5f ] + +Publish scaled_ppm_to_ppb to allow drivers to use it. + +Signed-off-by: Shalom Toledo +Reviewed-by: Petr Machata +Signed-off-by: Ido Schimmel +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/ptp/ptp_clock.c | 3 ++- + include/linux/ptp_clock_kernel.h | 8 ++++++++ + 2 files changed, 10 insertions(+), 1 deletion(-) + +diff --git a/drivers/ptp/ptp_clock.c b/drivers/ptp/ptp_clock.c +index e232233beb8f..863958f3bb57 100644 +--- a/drivers/ptp/ptp_clock.c ++++ b/drivers/ptp/ptp_clock.c +@@ -76,7 +76,7 @@ static void enqueue_external_timestamp(struct timestamp_event_queue *queue, + spin_unlock_irqrestore(&queue->lock, flags); + } + +-static s32 scaled_ppm_to_ppb(long ppm) ++s32 scaled_ppm_to_ppb(long ppm) + { + /* + * The 'freq' field in the 'struct timex' is in parts per +@@ -95,6 +95,7 @@ static s32 scaled_ppm_to_ppb(long ppm) + ppb >>= 13; + return (s32) ppb; + } ++EXPORT_SYMBOL(scaled_ppm_to_ppb); + + /* posix clock implementation */ + +diff --git a/include/linux/ptp_clock_kernel.h b/include/linux/ptp_clock_kernel.h +index 51349d124ee5..40ea83fcfdd5 100644 +--- a/include/linux/ptp_clock_kernel.h ++++ b/include/linux/ptp_clock_kernel.h +@@ -204,6 +204,14 @@ extern void ptp_clock_event(struct ptp_clock *ptp, + + extern int ptp_clock_index(struct ptp_clock *ptp); + ++/** ++ * scaled_ppm_to_ppb() - convert scaled ppm to ppb ++ * ++ * @ppm: Parts per million, but with a 16 bit binary fractional field ++ */ ++ ++extern s32 scaled_ppm_to_ppb(long ppm); ++ + /** + * ptp_find_pin() - obtain the pin index of a given auxiliary function + * +-- +2.30.2 + diff --git a/queue-4.19/qlcnic-fix-an-error-handling-path-in-qlcnic_probe.patch b/queue-4.19/qlcnic-fix-an-error-handling-path-in-qlcnic_probe.patch new file mode 100644 index 00000000000..f796af6c434 --- /dev/null +++ b/queue-4.19/qlcnic-fix-an-error-handling-path-in-qlcnic_probe.patch @@ -0,0 +1,36 @@ +From 9a0cbb7a3845a057ee7191613045db26e76aef0b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 12 Jun 2021 14:37:46 +0200 +Subject: qlcnic: Fix an error handling path in 'qlcnic_probe()' + +From: Christophe JAILLET + +[ Upstream commit cb3376604a676e0302258b01893911bdd7aa5278 ] + +If an error occurs after a 'pci_enable_pcie_error_reporting()' call, it +must be undone by a corresponding 'pci_disable_pcie_error_reporting()' +call, as already done in the remove function. + +Fixes: 451724c821c1 ("qlcnic: aer support") +Signed-off-by: Christophe JAILLET +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/qlogic/qlcnic/qlcnic_main.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_main.c b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_main.c +index ed34b7d1a9e1..43920374beae 100644 +--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_main.c ++++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_main.c +@@ -2708,6 +2708,7 @@ err_out_free_hw_res: + kfree(ahw); + + err_out_free_res: ++ pci_disable_pcie_error_reporting(pdev); + pci_release_regions(pdev); + + err_out_disable_pdev: +-- +2.30.2 + diff --git a/queue-4.19/rtnetlink-fix-regression-in-bridge-vlan-configuratio.patch b/queue-4.19/rtnetlink-fix-regression-in-bridge-vlan-configuratio.patch new file mode 100644 index 00000000000..516e4112ef7 --- /dev/null +++ b/queue-4.19/rtnetlink-fix-regression-in-bridge-vlan-configuratio.patch @@ -0,0 +1,55 @@ +From a820987d60fc5d5324cef2214302d3d946214457 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Jun 2021 14:17:53 +0300 +Subject: rtnetlink: Fix regression in bridge VLAN configuration + +From: Ido Schimmel + +[ Upstream commit d2e381c4963663bca6f30c3b996fa4dbafe8fcb5 ] + +Cited commit started returning errors when notification info is not +filled by the bridge driver, resulting in the following regression: + + # ip link add name br1 type bridge vlan_filtering 1 + # bridge vlan add dev br1 vid 555 self pvid untagged + RTNETLINK answers: Invalid argument + +As long as the bridge driver does not fill notification info for the +bridge device itself, an empty notification should not be considered as +an error. This is explained in commit 59ccaaaa49b5 ("bridge: dont send +notification when skb->len == 0 in rtnl_bridge_notify"). + +Fix by removing the error and add a comment to avoid future bugs. + +Fixes: a8db57c1d285 ("rtnetlink: Fix missing error code in rtnl_bridge_notify()") +Signed-off-by: Ido Schimmel +Reviewed-by: Nikolay Aleksandrov +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/core/rtnetlink.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c +index 7f2dda27f9e7..055fd09ac111 100644 +--- a/net/core/rtnetlink.c ++++ b/net/core/rtnetlink.c +@@ -4102,10 +4102,12 @@ static int rtnl_bridge_notify(struct net_device *dev) + if (err < 0) + goto errout; + +- if (!skb->len) { +- err = -EINVAL; ++ /* Notification info is only filled for bridge ports, not the bridge ++ * device itself. Therefore, a zero notification length is valid and ++ * should not result in an error. ++ */ ++ if (!skb->len) + goto errout; +- } + + rtnl_notify(skb, net, 0, RTNLGRP_LINK, NULL, GFP_ATOMIC); + return 0; +-- +2.30.2 + diff --git a/queue-4.19/sch_cake-fix-out-of-bounds-when-parsing-tcp-options-.patch b/queue-4.19/sch_cake-fix-out-of-bounds-when-parsing-tcp-options-.patch new file mode 100644 index 00000000000..88c9d2635cd --- /dev/null +++ b/queue-4.19/sch_cake-fix-out-of-bounds-when-parsing-tcp-options-.patch @@ -0,0 +1,72 @@ +From 3dc8a8f85a2853943207c71d67019260daad7d99 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Jun 2021 19:40:31 +0300 +Subject: sch_cake: Fix out of bounds when parsing TCP options and header +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Maxim Mikityanskiy + +[ Upstream commit ba91c49dedbde758ba0b72f57ac90b06ddf8e548 ] + +The TCP option parser in cake qdisc (cake_get_tcpopt and +cake_tcph_may_drop) could read one byte out of bounds. When the length +is 1, the execution flow gets into the loop, reads one byte of the +opcode, and if the opcode is neither TCPOPT_EOL nor TCPOPT_NOP, it reads +one more byte, which exceeds the length of 1. + +This fix is inspired by commit 9609dad263f8 ("ipv4: tcp_input: fix stack +out of bounds when parsing TCP options."). + +v2 changes: + +Added doff validation in cake_get_tcphdr to avoid parsing garbage as TCP +header. Although it wasn't strictly an out-of-bounds access (memory was +allocated), garbage values could be read where CAKE expected the TCP +header if doff was smaller than 5. + +Cc: Young Xiao <92siuyang@gmail.com> +Fixes: 8b7138814f29 ("sch_cake: Add optional ACK filter") +Signed-off-by: Maxim Mikityanskiy +Acked-by: Toke Høiland-Jørgensen +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/sched/sch_cake.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/net/sched/sch_cake.c b/net/sched/sch_cake.c +index 32712e7dcbdc..2025f0f559de 100644 +--- a/net/sched/sch_cake.c ++++ b/net/sched/sch_cake.c +@@ -900,7 +900,7 @@ static struct tcphdr *cake_get_tcphdr(const struct sk_buff *skb, + } + + tcph = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); +- if (!tcph) ++ if (!tcph || tcph->doff < 5) + return NULL; + + return skb_header_pointer(skb, offset, +@@ -924,6 +924,8 @@ static const void *cake_get_tcpopt(const struct tcphdr *tcph, + length--; + continue; + } ++ if (length < 2) ++ break; + opsize = *ptr++; + if (opsize < 2 || opsize > length) + break; +@@ -1061,6 +1063,8 @@ static bool cake_tcph_may_drop(const struct tcphdr *tcph, + length--; + continue; + } ++ if (length < 2) ++ break; + opsize = *ptr++; + if (opsize < 2 || opsize > length) + break; +-- +2.30.2 + diff --git a/queue-4.19/series b/queue-4.19/series index fa82552d804..addc6e62c04 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -23,3 +23,31 @@ dmaengine-qcom_hidma_mgmt-depends-on-has_iomem.patch dmaengine-stedma40-add-missing-iounmap-on-error-in-d.patch afs-fix-an-is_err-vs-null-check.patch mm-memory-failure-make-sure-wait-for-page-writeback-.patch +batman-adv-avoid-warn_on-timing-related-checks.patch +net-ipv4-fix-memory-leak-in-netlbl_cipsov4_add_std.patch +net-rds-fix-memory-leak-in-rds_recvmsg.patch +udp-fix-race-between-close-and-udp_abort.patch +rtnetlink-fix-regression-in-bridge-vlan-configuratio.patch +net-mlx5e-remove-dependency-in-ipsec-initialization-.patch +net-mlx5e-block-offload-of-outer-header-csum-for-udp.patch +netfilter-synproxy-fix-out-of-bounds-when-parsing-tc.patch +sch_cake-fix-out-of-bounds-when-parsing-tcp-options-.patch +alx-fix-an-error-handling-path-in-alx_probe.patch +net-stmmac-dwmac1000-fix-extended-mac-address-regist.patch +net-add-documentation-to-socket.c.patch +net-make-get_net_ns-return-error-if-net_ns-is-disabl.patch +qlcnic-fix-an-error-handling-path-in-qlcnic_probe.patch +netxen_nic-fix-an-error-handling-path-in-netxen_nic_.patch +net-qrtr-fix-oob-read-in-qrtr_endpoint_post.patch +ptp-ptp_clock-publish-scaled_ppm_to_ppb.patch +ptp-improve-max_adj-check-against-unreasonable-value.patch +net-cdc_ncm-switch-to-eth-d-interface-naming.patch +net-usb-fix-possible-use-after-free-in-smsc75xx_bind.patch +net-fec_ptp-fix-issue-caused-by-refactor-the-fec_dev.patch +net-ipv4-fix-memory-leak-in-ip_mc_add1_src.patch +net-af_unix-fix-a-data-race-in-unix_dgram_sendmsg-un.patch +be2net-fix-an-error-handling-path-in-be_probe.patch +net-hamradio-fix-memory-leak-in-mkiss_close.patch +net-cdc_eem-fix-tx-fixup-skb-leak.patch +icmp-don-t-send-out-icmp-messages-with-a-source-addr.patch +net-ethernet-fix-potential-use-after-free-in-ec_bhf_.patch diff --git a/queue-4.19/udp-fix-race-between-close-and-udp_abort.patch b/queue-4.19/udp-fix-race-between-close-and-udp_abort.patch new file mode 100644 index 00000000000..fb2cdaec44a --- /dev/null +++ b/queue-4.19/udp-fix-race-between-close-and-udp_abort.patch @@ -0,0 +1,77 @@ +From dc6542dc0a448ed83e2ecf521141b2a7d327d874 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Jun 2021 11:49:01 +0200 +Subject: udp: fix race between close() and udp_abort() + +From: Paolo Abeni + +[ Upstream commit a8b897c7bcd47f4147d066e22cc01d1026d7640e ] + +Kaustubh reported and diagnosed a panic in udp_lib_lookup(). +The root cause is udp_abort() racing with close(). Both +racing functions acquire the socket lock, but udp{v6}_destroy_sock() +release it before performing destructive actions. + +We can't easily extend the socket lock scope to avoid the race, +instead use the SOCK_DEAD flag to prevent udp_abort from doing +any action when the critical race happens. + +Diagnosed-and-tested-by: Kaustubh Pandey +Fixes: 5d77dca82839 ("net: diag: support SOCK_DESTROY for UDP sockets") +Signed-off-by: Paolo Abeni +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv4/udp.c | 10 ++++++++++ + net/ipv6/udp.c | 3 +++ + 2 files changed, 13 insertions(+) + +diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c +index 110af0e7dc7b..2ff9f774d446 100644 +--- a/net/ipv4/udp.c ++++ b/net/ipv4/udp.c +@@ -2432,6 +2432,9 @@ void udp_destroy_sock(struct sock *sk) + { + struct udp_sock *up = udp_sk(sk); + bool slow = lock_sock_fast(sk); ++ ++ /* protects from races with udp_abort() */ ++ sock_set_flag(sk, SOCK_DEAD); + udp_flush_pending_frames(sk); + unlock_sock_fast(sk, slow); + if (static_branch_unlikely(&udp_encap_needed_key) && up->encap_type) { +@@ -2673,10 +2676,17 @@ int udp_abort(struct sock *sk, int err) + { + lock_sock(sk); + ++ /* udp{v6}_destroy_sock() sets it under the sk lock, avoid racing ++ * with close() ++ */ ++ if (sock_flag(sk, SOCK_DEAD)) ++ goto out; ++ + sk->sk_err = err; + sk->sk_error_report(sk); + __udp_disconnect(sk, 0); + ++out: + release_sock(sk); + + return 0; +diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c +index 6799ad462be3..c4a76c6af205 100644 +--- a/net/ipv6/udp.c ++++ b/net/ipv6/udp.c +@@ -1476,6 +1476,9 @@ void udpv6_destroy_sock(struct sock *sk) + { + struct udp_sock *up = udp_sk(sk); + lock_sock(sk); ++ ++ /* protects from races with udp_abort() */ ++ sock_set_flag(sk, SOCK_DEAD); + udp_v6_flush_pending_frames(sk); + release_sock(sk); + +-- +2.30.2 +