From: Greg Kroah-Hartman Date: Thu, 19 Jul 2018 08:05:10 +0000 (+0200) Subject: 4.9-stable patches X-Git-Tag: v4.4.142~4 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=5b4be86c9ba3bad1c26350966c77c6d648547994;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: atm-zatm-fix-potential-spectre-v1.patch ipvlan-fix-ifla_mtu-ignored-on-newlink.patch net-dccp-avoid-crash-in-ccid3_hc_rx_send_feedback.patch net-dccp-switch-rx_tstamp_last_feedback-to-monotonic-clock.patch net-mlx5-fix-command-interface-race-in-polling-mode.patch net-mlx5-fix-incorrect-raw-command-length-parsing.patch net-mlx5-fix-wrong-size-allocation-for-qos-etc-tc-regitster.patch net-packet-fix-use-after-free.patch net-sungem-fix-rx-checksum-support.patch net_sched-blackhole-tell-upper-qdisc-about-dropped-packets.patch qed-fix-use-of-incorrect-size-in-memcpy-call.patch qed-limit-msix-vectors-in-kdump-kernel-to-the-minimum-required-count.patch qmi_wwan-add-support-for-the-dell-wireless-5821e-module.patch r8152-napi-hangup-fix-after-disconnect.patch tcp-fix-fast-open-key-endianness.patch tcp-prevent-bogus-frto-undos-with-non-sack-flows.patch vhost_net-validate-sock-before-trying-to-put-its-fd.patch --- diff --git a/queue-4.9/atm-zatm-fix-potential-spectre-v1.patch b/queue-4.9/atm-zatm-fix-potential-spectre-v1.patch new file mode 100644 index 00000000000..702c0a46356 --- /dev/null +++ b/queue-4.9/atm-zatm-fix-potential-spectre-v1.patch @@ -0,0 +1,44 @@ +From foo@baz Thu Jul 19 09:11:13 CEST 2018 +From: "Gustavo A. R. Silva" +Date: Fri, 29 Jun 2018 13:28:07 -0500 +Subject: atm: zatm: Fix potential Spectre v1 + +From: "Gustavo A. R. Silva" + +[ Upstream commit ced9e191501e52b95e1b57b8e0db00943869eed0 ] + +pool can be indirectly controlled by user-space, hence leading to +a potential exploitation of the Spectre variant 1 vulnerability. + +This issue was detected with the help of Smatch: + +drivers/atm/zatm.c:1491 zatm_ioctl() warn: potential spectre issue +'zatm_dev->pool_info' (local cap) + +Fix this by sanitizing pool before using it to index +zatm_dev->pool_info + +Notice that given that speculation windows are large, the policy is +to kill the speculation on the first load and not worry if it can be +completed with a dependent load/store [1]. + +[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2 + +Signed-off-by: Gustavo A. R. Silva +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/atm/zatm.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/atm/zatm.c ++++ b/drivers/atm/zatm.c +@@ -1483,6 +1483,8 @@ static int zatm_ioctl(struct atm_dev *de + return -EFAULT; + if (pool < 0 || pool > ZATM_LAST_POOL) + return -EINVAL; ++ pool = array_index_nospec(pool, ++ ZATM_LAST_POOL + 1); + if (copy_from_user(&info, + &((struct zatm_pool_req __user *) arg)->info, + sizeof(info))) return -EFAULT; diff --git a/queue-4.9/ipvlan-fix-ifla_mtu-ignored-on-newlink.patch b/queue-4.9/ipvlan-fix-ifla_mtu-ignored-on-newlink.patch new file mode 100644 index 00000000000..055c4cadc2c --- /dev/null +++ b/queue-4.9/ipvlan-fix-ifla_mtu-ignored-on-newlink.patch @@ -0,0 +1,38 @@ +From foo@baz Thu Jul 19 09:11:13 CEST 2018 +From: Xin Long +Date: Thu, 21 Jun 2018 12:56:04 +0800 +Subject: ipvlan: fix IFLA_MTU ignored on NEWLINK + +From: Xin Long + +[ Upstream commit 30877961b1cdd6fdca783c2e8c4f0f47e95dc58c ] + +Commit 296d48568042 ("ipvlan: inherit MTU from master device") adjusted +the mtu from the master device when creating a ipvlan device, but it +would also override the mtu value set in rtnl_create_link. It causes +IFLA_MTU param not to take effect. + +So this patch is to not adjust the mtu if IFLA_MTU param is set when +creating a ipvlan device. + +Fixes: 296d48568042 ("ipvlan: inherit MTU from master device") +Reported-by: Jianlin Shi +Signed-off-by: Xin Long +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ipvlan/ipvlan_main.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/net/ipvlan/ipvlan_main.c ++++ b/drivers/net/ipvlan/ipvlan_main.c +@@ -525,7 +525,8 @@ static int ipvlan_link_new(struct net *s + ipvlan->dev = dev; + ipvlan->port = port; + ipvlan->sfeatures = IPVLAN_FEATURES; +- ipvlan_adjust_mtu(ipvlan, phy_dev); ++ if (!tb[IFLA_MTU]) ++ ipvlan_adjust_mtu(ipvlan, phy_dev); + INIT_LIST_HEAD(&ipvlan->addrs); + + /* TODO Probably put random address here to be presented to the diff --git a/queue-4.9/net-dccp-avoid-crash-in-ccid3_hc_rx_send_feedback.patch b/queue-4.9/net-dccp-avoid-crash-in-ccid3_hc_rx_send_feedback.patch new file mode 100644 index 00000000000..47c01866a97 --- /dev/null +++ b/queue-4.9/net-dccp-avoid-crash-in-ccid3_hc_rx_send_feedback.patch @@ -0,0 +1,71 @@ +From foo@baz Thu Jul 19 09:11:13 CEST 2018 +From: Eric Dumazet +Date: Fri, 22 Jun 2018 06:44:14 -0700 +Subject: net: dccp: avoid crash in ccid3_hc_rx_send_feedback() + +From: Eric Dumazet + +[ Upstream commit 74174fe5634ffbf645a7ca5a261571f700b2f332 ] + +On fast hosts or malicious bots, we trigger a DCCP_BUG() which +seems excessive. + +syzbot reported : + +BUG: delta (-6195) <= 0 at net/dccp/ccids/ccid3.c:628/ccid3_hc_rx_send_feedback() +CPU: 1 PID: 18 Comm: ksoftirqd/1 Not tainted 4.18.0-rc1+ #112 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0x1c9/0x2b4 lib/dump_stack.c:113 + ccid3_hc_rx_send_feedback net/dccp/ccids/ccid3.c:628 [inline] + ccid3_hc_rx_packet_recv.cold.16+0x38/0x71 net/dccp/ccids/ccid3.c:793 + ccid_hc_rx_packet_recv net/dccp/ccid.h:185 [inline] + dccp_deliver_input_to_ccids+0xf0/0x280 net/dccp/input.c:180 + dccp_rcv_established+0x87/0xb0 net/dccp/input.c:378 + dccp_v4_do_rcv+0x153/0x180 net/dccp/ipv4.c:654 + sk_backlog_rcv include/net/sock.h:914 [inline] + __sk_receive_skb+0x3ba/0xd80 net/core/sock.c:517 + dccp_v4_rcv+0x10f9/0x1f58 net/dccp/ipv4.c:875 + ip_local_deliver_finish+0x2eb/0xda0 net/ipv4/ip_input.c:215 + NF_HOOK include/linux/netfilter.h:287 [inline] + ip_local_deliver+0x1e9/0x750 net/ipv4/ip_input.c:256 + dst_input include/net/dst.h:450 [inline] + ip_rcv_finish+0x823/0x2220 net/ipv4/ip_input.c:396 + NF_HOOK include/linux/netfilter.h:287 [inline] + ip_rcv+0xa18/0x1284 net/ipv4/ip_input.c:492 + __netif_receive_skb_core+0x2488/0x3680 net/core/dev.c:4628 + __netif_receive_skb+0x2c/0x1e0 net/core/dev.c:4693 + process_backlog+0x219/0x760 net/core/dev.c:5373 + napi_poll net/core/dev.c:5771 [inline] + net_rx_action+0x7da/0x1980 net/core/dev.c:5837 + __do_softirq+0x2e8/0xb17 kernel/softirq.c:284 + run_ksoftirqd+0x86/0x100 kernel/softirq.c:645 + smpboot_thread_fn+0x417/0x870 kernel/smpboot.c:164 + kthread+0x345/0x410 kernel/kthread.c:240 + ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:412 + +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Cc: Gerrit Renker +Cc: dccp@vger.kernel.org +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/dccp/ccids/ccid3.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/net/dccp/ccids/ccid3.c ++++ b/net/dccp/ccids/ccid3.c +@@ -624,9 +624,8 @@ static void ccid3_hc_rx_send_feedback(st + case CCID3_FBACK_PERIODIC: + delta = ktime_us_delta(now, hc->rx_tstamp_last_feedback); + if (delta <= 0) +- DCCP_BUG("delta (%ld) <= 0", (long)delta); +- else +- hc->rx_x_recv = scaled_div32(hc->rx_bytes_recv, delta); ++ delta = 1; ++ hc->rx_x_recv = scaled_div32(hc->rx_bytes_recv, delta); + break; + default: + return; diff --git a/queue-4.9/net-dccp-switch-rx_tstamp_last_feedback-to-monotonic-clock.patch b/queue-4.9/net-dccp-switch-rx_tstamp_last_feedback-to-monotonic-clock.patch new file mode 100644 index 00000000000..493777132bc --- /dev/null +++ b/queue-4.9/net-dccp-switch-rx_tstamp_last_feedback-to-monotonic-clock.patch @@ -0,0 +1,65 @@ +From foo@baz Thu Jul 19 09:11:13 CEST 2018 +From: Eric Dumazet +Date: Fri, 22 Jun 2018 06:44:15 -0700 +Subject: net: dccp: switch rx_tstamp_last_feedback to monotonic clock + +From: Eric Dumazet + +[ Upstream commit 0ce4e70ff00662ad7490e545ba0cd8c1fa179fca ] + +To compute delays, better not use time of the day which can +be changed by admins or malicious programs. + +Also change ccid3_first_li() to use s64 type for delta variable +to avoid potential overflows. + +Signed-off-by: Eric Dumazet +Cc: Gerrit Renker +Cc: dccp@vger.kernel.org +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/dccp/ccids/ccid3.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +--- a/net/dccp/ccids/ccid3.c ++++ b/net/dccp/ccids/ccid3.c +@@ -599,7 +599,7 @@ static void ccid3_hc_rx_send_feedback(st + { + struct ccid3_hc_rx_sock *hc = ccid3_hc_rx_sk(sk); + struct dccp_sock *dp = dccp_sk(sk); +- ktime_t now = ktime_get_real(); ++ ktime_t now = ktime_get(); + s64 delta = 0; + + switch (fbtype) { +@@ -631,7 +631,7 @@ static void ccid3_hc_rx_send_feedback(st + return; + } + +- ccid3_pr_debug("Interval %ldusec, X_recv=%u, 1/p=%u\n", (long)delta, ++ ccid3_pr_debug("Interval %lldusec, X_recv=%u, 1/p=%u\n", delta, + hc->rx_x_recv, hc->rx_pinv); + + hc->rx_tstamp_last_feedback = now; +@@ -678,7 +678,8 @@ static int ccid3_hc_rx_insert_options(st + static u32 ccid3_first_li(struct sock *sk) + { + struct ccid3_hc_rx_sock *hc = ccid3_hc_rx_sk(sk); +- u32 x_recv, p, delta; ++ u32 x_recv, p; ++ s64 delta; + u64 fval; + + if (hc->rx_rtt == 0) { +@@ -686,7 +687,9 @@ static u32 ccid3_first_li(struct sock *s + hc->rx_rtt = DCCP_FALLBACK_RTT; + } + +- delta = ktime_to_us(net_timedelta(hc->rx_tstamp_last_feedback)); ++ delta = ktime_us_delta(ktime_get(), hc->rx_tstamp_last_feedback); ++ if (delta <= 0) ++ delta = 1; + x_recv = scaled_div32(hc->rx_bytes_recv, delta); + if (x_recv == 0) { /* would also trigger divide-by-zero */ + DCCP_WARN("X_recv==0\n"); diff --git a/queue-4.9/net-mlx5-fix-command-interface-race-in-polling-mode.patch b/queue-4.9/net-mlx5-fix-command-interface-race-in-polling-mode.patch new file mode 100644 index 00000000000..bbd9cf44c70 --- /dev/null +++ b/queue-4.9/net-mlx5-fix-command-interface-race-in-polling-mode.patch @@ -0,0 +1,79 @@ +From foo@baz Thu Jul 19 09:11:13 CEST 2018 +From: Alex Vesker +Date: Tue, 12 Jun 2018 16:14:31 +0300 +Subject: net/mlx5: Fix command interface race in polling mode + +From: Alex Vesker + +[ Upstream commit d412c31dae053bf30a1bc15582a9990df297a660 ] + +The command interface can work in two modes: Events and Polling. +In the general case, each time we invoke a command, a work is +queued to handle it. + +When working in events, the interrupt handler completes the +command execution. On the other hand, when working in polling +mode, the work itself completes it. + +Due to a bug in the work handler, a command could have been +completed by the interrupt handler, while the work handler +hasn't finished yet, causing the it to complete once again +if the command interface mode was changed from Events to +polling after the interrupt handler was called. + +mlx5_unload_one() + mlx5_stop_eqs() + // Destroy the EQ before cmd EQ + ...cmd_work_handler() + write_doorbell() + --> EVENT_TYPE_CMD + mlx5_cmd_comp_handler() // First free + free_ent(cmd, ent->idx) + complete(&ent->done) + + <-- mlx5_stop_eqs //cmd was complete + // move to polling before destroying the last cmd EQ + mlx5_cmd_use_polling() + cmd->mode = POLL; + + --> cmd_work_handler (continues) + if (cmd->mode == POLL) + mlx5_cmd_comp_handler() // Double free + +The solution is to store the cmd->mode before writing the doorbell. + +Fixes: e126ba97dba9 ("mlx5: Add driver for Mellanox Connect-IB adapters") +Signed-off-by: Alex Vesker +Signed-off-by: Saeed Mahameed +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlx5/core/cmd.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c +@@ -784,6 +784,7 @@ static void cmd_work_handler(struct work + struct semaphore *sem; + unsigned long flags; + int alloc_ret; ++ int cmd_mode; + + sem = ent->page_queue ? &cmd->pages_sem : &cmd->sem; + down(sem); +@@ -830,6 +831,7 @@ static void cmd_work_handler(struct work + set_signature(ent, !cmd->checksum_disabled); + dump_command(dev, ent, 1); + ent->ts1 = ktime_get_ns(); ++ cmd_mode = cmd->mode; + + if (ent->callback) + schedule_delayed_work(&ent->cb_timeout_work, cb_timeout); +@@ -854,7 +856,7 @@ static void cmd_work_handler(struct work + iowrite32be(1 << ent->idx, &dev->iseg->cmd_dbell); + mmiowb(); + /* if not in polling don't use ent after this point */ +- if (cmd->mode == CMD_MODE_POLLING) { ++ if (cmd_mode == CMD_MODE_POLLING) { + poll_timeout(ent); + /* make sure we read the descriptor after ownership is SW */ + rmb(); diff --git a/queue-4.9/net-mlx5-fix-incorrect-raw-command-length-parsing.patch b/queue-4.9/net-mlx5-fix-incorrect-raw-command-length-parsing.patch new file mode 100644 index 00000000000..36bfce92e03 --- /dev/null +++ b/queue-4.9/net-mlx5-fix-incorrect-raw-command-length-parsing.patch @@ -0,0 +1,42 @@ +From foo@baz Thu Jul 19 09:11:13 CEST 2018 +From: Alex Vesker +Date: Fri, 25 May 2018 20:25:59 +0300 +Subject: net/mlx5: Fix incorrect raw command length parsing + +From: Alex Vesker + +[ Upstream commit 603b7bcff824740500ddfa001d7a7168b0b38542 ] + +The NULL character was not set correctly for the string containing +the command length, this caused failures reading the output of the +command due to a random length. The fix is to initialize the output +length string. + +Fixes: e126ba97dba9 ("mlx5: Add driver for Mellanox Connect-IB adapters") +Signed-off-by: Alex Vesker +Signed-off-by: Saeed Mahameed +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlx5/core/cmd.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +--- a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c +@@ -1256,7 +1256,7 @@ static ssize_t outlen_write(struct file + { + struct mlx5_core_dev *dev = filp->private_data; + struct mlx5_cmd_debug *dbg = &dev->cmd.dbg; +- char outlen_str[8]; ++ char outlen_str[8] = {0}; + int outlen; + void *ptr; + int err; +@@ -1271,8 +1271,6 @@ static ssize_t outlen_write(struct file + if (copy_from_user(outlen_str, buf, count)) + return -EFAULT; + +- outlen_str[7] = 0; +- + err = sscanf(outlen_str, "%d", &outlen); + if (err < 0) + return err; diff --git a/queue-4.9/net-mlx5-fix-wrong-size-allocation-for-qos-etc-tc-regitster.patch b/queue-4.9/net-mlx5-fix-wrong-size-allocation-for-qos-etc-tc-regitster.patch new file mode 100644 index 00000000000..97fbf0e4dd1 --- /dev/null +++ b/queue-4.9/net-mlx5-fix-wrong-size-allocation-for-qos-etc-tc-regitster.patch @@ -0,0 +1,40 @@ +From foo@baz Thu Jul 19 09:11:13 CEST 2018 +From: Shay Agroskin +Date: Tue, 22 May 2018 14:14:02 +0300 +Subject: net/mlx5: Fix wrong size allocation for QoS ETC TC regitster + +From: Shay Agroskin + +[ Upstream commit d14fcb8d877caf1b8d6bd65d444bf62b21f2070c ] + +The driver allocates wrong size (due to wrong struct name) when issuing +a query/set request to NIC's register. + +Fixes: d8880795dabf ("net/mlx5e: Implement DCBNL IEEE max rate") +Signed-off-by: Shay Agroskin +Signed-off-by: Saeed Mahameed +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlx5/core/port.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/mellanox/mlx5/core/port.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/port.c +@@ -575,7 +575,7 @@ EXPORT_SYMBOL_GPL(mlx5_set_port_prio_tc) + static int mlx5_set_port_qetcr_reg(struct mlx5_core_dev *mdev, u32 *in, + int inlen) + { +- u32 out[MLX5_ST_SZ_DW(qtct_reg)]; ++ u32 out[MLX5_ST_SZ_DW(qetc_reg)]; + + if (!MLX5_CAP_GEN(mdev, ets)) + return -ENOTSUPP; +@@ -587,7 +587,7 @@ static int mlx5_set_port_qetcr_reg(struc + static int mlx5_query_port_qetcr_reg(struct mlx5_core_dev *mdev, u32 *out, + int outlen) + { +- u32 in[MLX5_ST_SZ_DW(qtct_reg)]; ++ u32 in[MLX5_ST_SZ_DW(qetc_reg)]; + + if (!MLX5_CAP_GEN(mdev, ets)) + return -ENOTSUPP; diff --git a/queue-4.9/net-packet-fix-use-after-free.patch b/queue-4.9/net-packet-fix-use-after-free.patch new file mode 100644 index 00000000000..c5af805499f --- /dev/null +++ b/queue-4.9/net-packet-fix-use-after-free.patch @@ -0,0 +1,174 @@ +From foo@baz Thu Jul 19 09:11:13 CEST 2018 +From: Eric Dumazet +Date: Thu, 21 Jun 2018 14:16:02 -0700 +Subject: net/packet: fix use-after-free + +From: Eric Dumazet + +[ Upstream commit 945d015ee0c3095d2290e845565a23dedfd8027c ] + +We should put copy_skb in receive_queue only after +a successful call to virtio_net_hdr_from_skb(). + +syzbot report : + +BUG: KASAN: use-after-free in __skb_unlink include/linux/skbuff.h:1843 [inline] +BUG: KASAN: use-after-free in __skb_dequeue include/linux/skbuff.h:1863 [inline] +BUG: KASAN: use-after-free in skb_dequeue+0x16a/0x180 net/core/skbuff.c:2815 +Read of size 8 at addr ffff8801b044ecc0 by task syz-executor217/4553 + +CPU: 0 PID: 4553 Comm: syz-executor217 Not tainted 4.18.0-rc1+ #111 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0x1c9/0x2b4 lib/dump_stack.c:113 + print_address_description+0x6c/0x20b mm/kasan/report.c:256 + kasan_report_error mm/kasan/report.c:354 [inline] + kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412 + __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433 + __skb_unlink include/linux/skbuff.h:1843 [inline] + __skb_dequeue include/linux/skbuff.h:1863 [inline] + skb_dequeue+0x16a/0x180 net/core/skbuff.c:2815 + skb_queue_purge+0x26/0x40 net/core/skbuff.c:2852 + packet_set_ring+0x675/0x1da0 net/packet/af_packet.c:4331 + packet_release+0x630/0xd90 net/packet/af_packet.c:2991 + __sock_release+0xd7/0x260 net/socket.c:603 + sock_close+0x19/0x20 net/socket.c:1186 + __fput+0x35b/0x8b0 fs/file_table.c:209 + ____fput+0x15/0x20 fs/file_table.c:243 + task_work_run+0x1ec/0x2a0 kernel/task_work.c:113 + exit_task_work include/linux/task_work.h:22 [inline] + do_exit+0x1b08/0x2750 kernel/exit.c:865 + do_group_exit+0x177/0x440 kernel/exit.c:968 + __do_sys_exit_group kernel/exit.c:979 [inline] + __se_sys_exit_group kernel/exit.c:977 [inline] + __x64_sys_exit_group+0x3e/0x50 kernel/exit.c:977 + do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290 + entry_SYSCALL_64_after_hwframe+0x49/0xbe +RIP: 0033:0x4448e9 +Code: Bad RIP value. +RSP: 002b:00007ffd5f777ca8 EFLAGS: 00000202 ORIG_RAX: 00000000000000e7 +RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004448e9 +RDX: 00000000004448e9 RSI: 000000000000fcfb RDI: 0000000000000001 +RBP: 00000000006cf018 R08: 00007ffd0000a45b R09: 0000000000000000 +R10: 00007ffd5f777e48 R11: 0000000000000202 R12: 00000000004021f0 +R13: 0000000000402280 R14: 0000000000000000 R15: 0000000000000000 + +Allocated by task 4553: + save_stack+0x43/0xd0 mm/kasan/kasan.c:448 + set_track mm/kasan/kasan.c:460 [inline] + kasan_kmalloc+0xc4/0xe0 mm/kasan/kasan.c:553 + kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:490 + kmem_cache_alloc+0x12e/0x760 mm/slab.c:3554 + skb_clone+0x1f5/0x500 net/core/skbuff.c:1282 + tpacket_rcv+0x28f7/0x3200 net/packet/af_packet.c:2221 + deliver_skb net/core/dev.c:1925 [inline] + deliver_ptype_list_skb net/core/dev.c:1940 [inline] + __netif_receive_skb_core+0x1bfb/0x3680 net/core/dev.c:4611 + __netif_receive_skb+0x2c/0x1e0 net/core/dev.c:4693 + netif_receive_skb_internal+0x12e/0x7d0 net/core/dev.c:4767 + netif_receive_skb+0xbf/0x420 net/core/dev.c:4791 + tun_rx_batched.isra.55+0x4ba/0x8c0 drivers/net/tun.c:1571 + tun_get_user+0x2af1/0x42f0 drivers/net/tun.c:1981 + tun_chr_write_iter+0xb9/0x154 drivers/net/tun.c:2009 + call_write_iter include/linux/fs.h:1795 [inline] + new_sync_write fs/read_write.c:474 [inline] + __vfs_write+0x6c6/0x9f0 fs/read_write.c:487 + vfs_write+0x1f8/0x560 fs/read_write.c:549 + ksys_write+0x101/0x260 fs/read_write.c:598 + __do_sys_write fs/read_write.c:610 [inline] + __se_sys_write fs/read_write.c:607 [inline] + __x64_sys_write+0x73/0xb0 fs/read_write.c:607 + do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + +Freed by task 4553: + save_stack+0x43/0xd0 mm/kasan/kasan.c:448 + set_track mm/kasan/kasan.c:460 [inline] + __kasan_slab_free+0x11a/0x170 mm/kasan/kasan.c:521 + kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528 + __cache_free mm/slab.c:3498 [inline] + kmem_cache_free+0x86/0x2d0 mm/slab.c:3756 + kfree_skbmem+0x154/0x230 net/core/skbuff.c:582 + __kfree_skb net/core/skbuff.c:642 [inline] + kfree_skb+0x1a5/0x580 net/core/skbuff.c:659 + tpacket_rcv+0x189e/0x3200 net/packet/af_packet.c:2385 + deliver_skb net/core/dev.c:1925 [inline] + deliver_ptype_list_skb net/core/dev.c:1940 [inline] + __netif_receive_skb_core+0x1bfb/0x3680 net/core/dev.c:4611 + __netif_receive_skb+0x2c/0x1e0 net/core/dev.c:4693 + netif_receive_skb_internal+0x12e/0x7d0 net/core/dev.c:4767 + netif_receive_skb+0xbf/0x420 net/core/dev.c:4791 + tun_rx_batched.isra.55+0x4ba/0x8c0 drivers/net/tun.c:1571 + tun_get_user+0x2af1/0x42f0 drivers/net/tun.c:1981 + tun_chr_write_iter+0xb9/0x154 drivers/net/tun.c:2009 + call_write_iter include/linux/fs.h:1795 [inline] + new_sync_write fs/read_write.c:474 [inline] + __vfs_write+0x6c6/0x9f0 fs/read_write.c:487 + vfs_write+0x1f8/0x560 fs/read_write.c:549 + ksys_write+0x101/0x260 fs/read_write.c:598 + __do_sys_write fs/read_write.c:610 [inline] + __se_sys_write fs/read_write.c:607 [inline] + __x64_sys_write+0x73/0xb0 fs/read_write.c:607 + do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + +The buggy address belongs to the object at ffff8801b044ecc0 + which belongs to the cache skbuff_head_cache of size 232 +The buggy address is located 0 bytes inside of + 232-byte region [ffff8801b044ecc0, ffff8801b044eda8) +The buggy address belongs to the page: +page:ffffea0006c11380 count:1 mapcount:0 mapping:ffff8801d9be96c0 index:0x0 +flags: 0x2fffc0000000100(slab) +raw: 02fffc0000000100 ffffea0006c17988 ffff8801d9bec248 ffff8801d9be96c0 +raw: 0000000000000000 ffff8801b044e040 000000010000000c 0000000000000000 +page dumped because: kasan: bad access detected + +Memory state around the buggy address: + ffff8801b044eb80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + ffff8801b044ec00: 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc +>ffff8801b044ec80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb + ^ + ffff8801b044ed00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ffff8801b044ed80: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc + +Fixes: 58d19b19cd99 ("packet: vnet_hdr support for tpacket_rcv") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Cc: Willem de Bruijn +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/packet/af_packet.c | 14 ++++++-------- + 1 file changed, 6 insertions(+), 8 deletions(-) + +--- a/net/packet/af_packet.c ++++ b/net/packet/af_packet.c +@@ -2265,6 +2265,12 @@ static int tpacket_rcv(struct sk_buff *s + if (po->stats.stats1.tp_drops) + status |= TP_STATUS_LOSING; + } ++ ++ if (do_vnet && ++ __packet_rcv_vnet(skb, h.raw + macoff - ++ sizeof(struct virtio_net_hdr))) ++ goto drop_n_account; ++ + po->stats.stats1.tp_packets++; + if (copy_skb) { + status |= TP_STATUS_COPY; +@@ -2272,14 +2278,6 @@ static int tpacket_rcv(struct sk_buff *s + } + spin_unlock(&sk->sk_receive_queue.lock); + +- if (do_vnet) { +- if (__packet_rcv_vnet(skb, h.raw + macoff - +- sizeof(struct virtio_net_hdr))) { +- spin_lock(&sk->sk_receive_queue.lock); +- goto drop_n_account; +- } +- } +- + skb_copy_bits(skb, 0, h.raw + macoff, snaplen); + + if (!(ts_status = tpacket_get_timestamp(skb, &ts, po->tp_tstamp))) diff --git a/queue-4.9/net-sungem-fix-rx-checksum-support.patch b/queue-4.9/net-sungem-fix-rx-checksum-support.patch new file mode 100644 index 00000000000..6fdbc8e158c --- /dev/null +++ b/queue-4.9/net-sungem-fix-rx-checksum-support.patch @@ -0,0 +1,109 @@ +From foo@baz Thu Jul 19 09:11:13 CEST 2018 +From: Eric Dumazet +Date: Tue, 19 Jun 2018 19:18:50 -0700 +Subject: net: sungem: fix rx checksum support + +From: Eric Dumazet + +[ Upstream commit 12b03558cef6d655d0d394f5e98a6fd07c1f6c0f ] + +After commit 88078d98d1bb ("net: pskb_trim_rcsum() and CHECKSUM_COMPLETE +are friends"), sungem owners reported the infamous "eth0: hw csum failure" +message. + +CHECKSUM_COMPLETE has in fact never worked for this driver, but this +was masked by the fact that upper stacks had to strip the FCS, and +therefore skb->ip_summed was set back to CHECKSUM_NONE before +my recent change. + +Driver configures a number of bytes to skip when the chip computes +the checksum, and for some reason only half of the Ethernet header +was skipped. + +Then a second problem is that we should strip the FCS by default, +unless the driver is updated to eventually support NETIF_F_RXFCS in +the future. + +Finally, a driver should check if NETIF_F_RXCSUM feature is enabled +or not, so that the admin can turn off rx checksum if wanted. + +Many thanks to Andreas Schwab and Mathieu Malaterre for their +help in debugging this issue. + +Signed-off-by: Eric Dumazet +Reported-by: Meelis Roos +Reported-by: Mathieu Malaterre +Reported-by: Andreas Schwab +Tested-by: Andreas Schwab +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/sun/sungem.c | 22 ++++++++++++---------- + 1 file changed, 12 insertions(+), 10 deletions(-) + +--- a/drivers/net/ethernet/sun/sungem.c ++++ b/drivers/net/ethernet/sun/sungem.c +@@ -59,8 +59,7 @@ + #include + #include "sungem.h" + +-/* Stripping FCS is causing problems, disabled for now */ +-#undef STRIP_FCS ++#define STRIP_FCS + + #define DEFAULT_MSG (NETIF_MSG_DRV | \ + NETIF_MSG_PROBE | \ +@@ -434,7 +433,7 @@ static int gem_rxmac_reset(struct gem *g + writel(desc_dma & 0xffffffff, gp->regs + RXDMA_DBLOW); + writel(RX_RING_SIZE - 4, gp->regs + RXDMA_KICK); + val = (RXDMA_CFG_BASE | (RX_OFFSET << 10) | +- ((14 / 2) << 13) | RXDMA_CFG_FTHRESH_128); ++ (ETH_HLEN << 13) | RXDMA_CFG_FTHRESH_128); + writel(val, gp->regs + RXDMA_CFG); + if (readl(gp->regs + GREG_BIFCFG) & GREG_BIFCFG_M66EN) + writel(((5 & RXDMA_BLANK_IPKTS) | +@@ -759,7 +758,6 @@ static int gem_rx(struct gem *gp, int wo + struct net_device *dev = gp->dev; + int entry, drops, work_done = 0; + u32 done; +- __sum16 csum; + + if (netif_msg_rx_status(gp)) + printk(KERN_DEBUG "%s: rx interrupt, done: %d, rx_new: %d\n", +@@ -854,9 +852,13 @@ static int gem_rx(struct gem *gp, int wo + skb = copy_skb; + } + +- csum = (__force __sum16)htons((status & RXDCTRL_TCPCSUM) ^ 0xffff); +- skb->csum = csum_unfold(csum); +- skb->ip_summed = CHECKSUM_COMPLETE; ++ if (likely(dev->features & NETIF_F_RXCSUM)) { ++ __sum16 csum; ++ ++ csum = (__force __sum16)htons((status & RXDCTRL_TCPCSUM) ^ 0xffff); ++ skb->csum = csum_unfold(csum); ++ skb->ip_summed = CHECKSUM_COMPLETE; ++ } + skb->protocol = eth_type_trans(skb, gp->dev); + + napi_gro_receive(&gp->napi, skb); +@@ -1754,7 +1756,7 @@ static void gem_init_dma(struct gem *gp) + writel(0, gp->regs + TXDMA_KICK); + + val = (RXDMA_CFG_BASE | (RX_OFFSET << 10) | +- ((14 / 2) << 13) | RXDMA_CFG_FTHRESH_128); ++ (ETH_HLEN << 13) | RXDMA_CFG_FTHRESH_128); + writel(val, gp->regs + RXDMA_CFG); + + writel(desc_dma >> 32, gp->regs + RXDMA_DBHI); +@@ -2972,8 +2974,8 @@ static int gem_init_one(struct pci_dev * + pci_set_drvdata(pdev, dev); + + /* We can do scatter/gather and HW checksum */ +- dev->hw_features = NETIF_F_SG | NETIF_F_HW_CSUM; +- dev->features |= dev->hw_features | NETIF_F_RXCSUM; ++ dev->hw_features = NETIF_F_SG | NETIF_F_HW_CSUM | NETIF_F_RXCSUM; ++ dev->features = dev->hw_features; + if (pci_using_dac) + dev->features |= NETIF_F_HIGHDMA; + diff --git a/queue-4.9/net_sched-blackhole-tell-upper-qdisc-about-dropped-packets.patch b/queue-4.9/net_sched-blackhole-tell-upper-qdisc-about-dropped-packets.patch new file mode 100644 index 00000000000..5aa19db3209 --- /dev/null +++ b/queue-4.9/net_sched-blackhole-tell-upper-qdisc-about-dropped-packets.patch @@ -0,0 +1,37 @@ +From foo@baz Thu Jul 19 09:11:13 CEST 2018 +From: Konstantin Khlebnikov +Date: Fri, 15 Jun 2018 13:27:31 +0300 +Subject: net_sched: blackhole: tell upper qdisc about dropped packets + +From: Konstantin Khlebnikov + +[ Upstream commit 7e85dc8cb35abf16455f1511f0670b57c1a84608 ] + +When blackhole is used on top of classful qdisc like hfsc it breaks +qlen and backlog counters because packets are disappear without notice. + +In HFSC non-zero qlen while all classes are inactive triggers warning: +WARNING: ... at net/sched/sch_hfsc.c:1393 hfsc_dequeue+0xba4/0xe90 [sch_hfsc] +and schedules watchdog work endlessly. + +This patch return __NET_XMIT_BYPASS in addition to NET_XMIT_SUCCESS, +this flag tells upper layer: this packet is gone and isn't queued. + +Signed-off-by: Konstantin Khlebnikov +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/sched/sch_blackhole.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/sched/sch_blackhole.c ++++ b/net/sched/sch_blackhole.c +@@ -21,7 +21,7 @@ static int blackhole_enqueue(struct sk_b + struct sk_buff **to_free) + { + qdisc_drop(skb, sch, to_free); +- return NET_XMIT_SUCCESS; ++ return NET_XMIT_SUCCESS | __NET_XMIT_BYPASS; + } + + static struct sk_buff *blackhole_dequeue(struct Qdisc *sch) diff --git a/queue-4.9/qed-fix-use-of-incorrect-size-in-memcpy-call.patch b/queue-4.9/qed-fix-use-of-incorrect-size-in-memcpy-call.patch new file mode 100644 index 00000000000..8238d109414 --- /dev/null +++ b/queue-4.9/qed-fix-use-of-incorrect-size-in-memcpy-call.patch @@ -0,0 +1,46 @@ +From foo@baz Thu Jul 19 09:11:13 CEST 2018 +From: Sudarsana Reddy Kalluru +Date: Sun, 1 Jul 2018 20:03:07 -0700 +Subject: qed: Fix use of incorrect size in memcpy call. + +From: Sudarsana Reddy Kalluru + +[ Upstream commit cc9b27cdf7bd3c86df73439758ac1564bc8f5bbe ] + +Use the correct size value while copying chassis/port id values. + +Fixes: 6ad8c632e ("qed: Add support for query/config dcbx.") +Signed-off-by: Sudarsana Reddy Kalluru +Signed-off-by: Michal Kalderon +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/qlogic/qed/qed_dcbx.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/net/ethernet/qlogic/qed/qed_dcbx.c ++++ b/drivers/net/ethernet/qlogic/qed/qed_dcbx.c +@@ -677,9 +677,9 @@ qed_dcbx_get_local_lldp_params(struct qe + p_local = &p_hwfn->p_dcbx_info->lldp_local[LLDP_NEAREST_BRIDGE]; + + memcpy(params->lldp_local.local_chassis_id, p_local->local_chassis_id, +- ARRAY_SIZE(p_local->local_chassis_id)); ++ sizeof(p_local->local_chassis_id)); + memcpy(params->lldp_local.local_port_id, p_local->local_port_id, +- ARRAY_SIZE(p_local->local_port_id)); ++ sizeof(p_local->local_port_id)); + } + + static void +@@ -692,9 +692,9 @@ qed_dcbx_get_remote_lldp_params(struct q + p_remote = &p_hwfn->p_dcbx_info->lldp_remote[LLDP_NEAREST_BRIDGE]; + + memcpy(params->lldp_remote.peer_chassis_id, p_remote->peer_chassis_id, +- ARRAY_SIZE(p_remote->peer_chassis_id)); ++ sizeof(p_remote->peer_chassis_id)); + memcpy(params->lldp_remote.peer_port_id, p_remote->peer_port_id, +- ARRAY_SIZE(p_remote->peer_port_id)); ++ sizeof(p_remote->peer_port_id)); + } + + static int diff --git a/queue-4.9/qed-limit-msix-vectors-in-kdump-kernel-to-the-minimum-required-count.patch b/queue-4.9/qed-limit-msix-vectors-in-kdump-kernel-to-the-minimum-required-count.patch new file mode 100644 index 00000000000..8d3e553775a --- /dev/null +++ b/queue-4.9/qed-limit-msix-vectors-in-kdump-kernel-to-the-minimum-required-count.patch @@ -0,0 +1,49 @@ +From foo@baz Thu Jul 19 09:11:13 CEST 2018 +From: Sudarsana Reddy Kalluru +Date: Sun, 1 Jul 2018 20:03:05 -0700 +Subject: qed: Limit msix vectors in kdump kernel to the minimum required count. + +From: Sudarsana Reddy Kalluru + +[ Upstream commit bb7858ba1102f82470a917e041fd23e6385c31be ] + +Memory size is limited in the kdump kernel environment. Allocation of more +msix-vectors (or queues) consumes few tens of MBs of memory, which might +lead to the kdump kernel failure. +This patch adds changes to limit the number of MSI-X vectors in kdump +kernel to minimum required value (i.e., 2 per engine). + +Fixes: fe56b9e6a ("qed: Add module with basic common support") +Signed-off-by: Sudarsana Reddy Kalluru +Signed-off-by: Michal Kalderon +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/qlogic/qed/qed_main.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/drivers/net/ethernet/qlogic/qed/qed_main.c ++++ b/drivers/net/ethernet/qlogic/qed/qed_main.c +@@ -23,6 +23,7 @@ + #include + #include + #include ++#include + + #include "qed.h" + #include "qed_sriov.h" +@@ -701,6 +702,14 @@ static int qed_slowpath_setup_int(struct + /* We want a minimum of one slowpath and one fastpath vector per hwfn */ + cdev->int_params.in.min_msix_cnt = cdev->num_hwfns * 2; + ++ if (is_kdump_kernel()) { ++ DP_INFO(cdev, ++ "Kdump kernel: Limit the max number of requested MSI-X vectors to %hd\n", ++ cdev->int_params.in.min_msix_cnt); ++ cdev->int_params.in.num_vectors = ++ cdev->int_params.in.min_msix_cnt; ++ } ++ + rc = qed_set_int_mode(cdev, false); + if (rc) { + DP_ERR(cdev, "qed_slowpath_setup_int ERR\n"); diff --git a/queue-4.9/qmi_wwan-add-support-for-the-dell-wireless-5821e-module.patch b/queue-4.9/qmi_wwan-add-support-for-the-dell-wireless-5821e-module.patch new file mode 100644 index 00000000000..e2317611f4c --- /dev/null +++ b/queue-4.9/qmi_wwan-add-support-for-the-dell-wireless-5821e-module.patch @@ -0,0 +1,34 @@ +From foo@baz Thu Jul 19 09:11:13 CEST 2018 +From: Aleksander Morgado +Date: Sat, 23 Jun 2018 23:22:52 +0200 +Subject: qmi_wwan: add support for the Dell Wireless 5821e module + +From: Aleksander Morgado + +[ Upstream commit e7e197edd09c25774b4f12cab19f9d5462f240f4 ] + +This module exposes two USB configurations: a QMI+AT capable setup on +USB config #1 and a MBIM capable setup on USB config #2. + +By default the kernel will choose the MBIM capable configuration as +long as the cdc_mbim driver is available. This patch adds support for +the QMI port in the secondary configuration. + +Signed-off-by: Aleksander Morgado +Acked-by: Bjørn Mork +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/qmi_wwan.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/usb/qmi_wwan.c ++++ b/drivers/net/usb/qmi_wwan.c +@@ -946,6 +946,7 @@ static const struct usb_device_id produc + {QMI_FIXED_INTF(0x413c, 0x81b3, 8)}, /* Dell Wireless 5809e Gobi(TM) 4G LTE Mobile Broadband Card (rev3) */ + {QMI_FIXED_INTF(0x413c, 0x81b6, 8)}, /* Dell Wireless 5811e */ + {QMI_FIXED_INTF(0x413c, 0x81b6, 10)}, /* Dell Wireless 5811e */ ++ {QMI_FIXED_INTF(0x413c, 0x81d7, 1)}, /* Dell Wireless 5821e */ + {QMI_FIXED_INTF(0x03f0, 0x4e1d, 8)}, /* HP lt4111 LTE/EV-DO/HSPA+ Gobi 4G Module */ + {QMI_FIXED_INTF(0x03f0, 0x9d1d, 1)}, /* HP lt4120 Snapdragon X5 LTE */ + {QMI_FIXED_INTF(0x22de, 0x9061, 3)}, /* WeTelecom WPD-600N */ diff --git a/queue-4.9/r8152-napi-hangup-fix-after-disconnect.patch b/queue-4.9/r8152-napi-hangup-fix-after-disconnect.patch new file mode 100644 index 00000000000..f4c3482b454 --- /dev/null +++ b/queue-4.9/r8152-napi-hangup-fix-after-disconnect.patch @@ -0,0 +1,46 @@ +From foo@baz Thu Jul 19 09:11:13 CEST 2018 +From: Jiri Slaby +Date: Mon, 25 Jun 2018 09:26:27 +0200 +Subject: r8152: napi hangup fix after disconnect + +From: Jiri Slaby + +[ Upstream commit 0ee1f4734967af8321ecebaf9c74221ace34f2d5 ] + +When unplugging an r8152 adapter while the interface is UP, the NIC +becomes unusable. usb->disconnect (aka rtl8152_disconnect) deletes +napi. Then, rtl8152_disconnect calls unregister_netdev and that invokes +netdev->ndo_stop (aka rtl8152_close). rtl8152_close tries to +napi_disable, but the napi is already deleted by disconnect above. So +the first while loop in napi_disable never finishes. This results in +complete deadlock of the network layer as there is rtnl_mutex held by +unregister_netdev. + +So avoid the call to napi_disable in rtl8152_close when the device is +already gone. + +The other calls to usb_kill_urb, cancel_delayed_work_sync, +netif_stop_queue etc. seem to be fine. The urb and netdev is not +destroyed yet. + +Signed-off-by: Jiri Slaby +Cc: linux-usb@vger.kernel.org +Cc: netdev@vger.kernel.org +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/r8152.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/net/usb/r8152.c ++++ b/drivers/net/usb/r8152.c +@@ -3327,7 +3327,8 @@ static int rtl8152_close(struct net_devi + #ifdef CONFIG_PM_SLEEP + unregister_pm_notifier(&tp->pm_notifier); + #endif +- napi_disable(&tp->napi); ++ if (!test_bit(RTL8152_UNPLUG, &tp->flags)) ++ napi_disable(&tp->napi); + clear_bit(WORK_ENABLE, &tp->flags); + usb_kill_urb(tp->intr_urb); + cancel_delayed_work_sync(&tp->schedule); diff --git a/queue-4.9/series b/queue-4.9/series index 8d1de19a251..d7fc4f4468c 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -14,3 +14,20 @@ bcm63xx_enet-correct-clock-usage.patch bcm63xx_enet-do-not-write-to-random-dma-channel-on-bcm6345.patch crypto-crypto4xx-remove-bad-list_del.patch crypto-crypto4xx-fix-crypto4xx_build_pdr-crypto4xx_build_sdr-leak.patch +atm-zatm-fix-potential-spectre-v1.patch +ipvlan-fix-ifla_mtu-ignored-on-newlink.patch +net-dccp-avoid-crash-in-ccid3_hc_rx_send_feedback.patch +net-dccp-switch-rx_tstamp_last_feedback-to-monotonic-clock.patch +net-mlx5-fix-incorrect-raw-command-length-parsing.patch +net-mlx5-fix-wrong-size-allocation-for-qos-etc-tc-regitster.patch +net_sched-blackhole-tell-upper-qdisc-about-dropped-packets.patch +net-sungem-fix-rx-checksum-support.patch +qed-fix-use-of-incorrect-size-in-memcpy-call.patch +qed-limit-msix-vectors-in-kdump-kernel-to-the-minimum-required-count.patch +qmi_wwan-add-support-for-the-dell-wireless-5821e-module.patch +r8152-napi-hangup-fix-after-disconnect.patch +tcp-fix-fast-open-key-endianness.patch +tcp-prevent-bogus-frto-undos-with-non-sack-flows.patch +vhost_net-validate-sock-before-trying-to-put-its-fd.patch +net-packet-fix-use-after-free.patch +net-mlx5-fix-command-interface-race-in-polling-mode.patch diff --git a/queue-4.9/tcp-fix-fast-open-key-endianness.patch b/queue-4.9/tcp-fix-fast-open-key-endianness.patch new file mode 100644 index 00000000000..fc51bb90dea --- /dev/null +++ b/queue-4.9/tcp-fix-fast-open-key-endianness.patch @@ -0,0 +1,74 @@ +From foo@baz Thu Jul 19 09:11:13 CEST 2018 +From: Yuchung Cheng +Date: Wed, 27 Jun 2018 16:04:48 -0700 +Subject: tcp: fix Fast Open key endianness + +From: Yuchung Cheng + +[ Upstream commit c860e997e9170a6d68f9d1e6e2cf61f572191aaf ] + +Fast Open key could be stored in different endian based on the CPU. +Previously hosts in different endianness in a server farm using +the same key config (sysctl value) would produce different cookies. +This patch fixes it by always storing it as little endian to keep +same API for LE hosts. + +Reported-by: Daniele Iamartino +Signed-off-by: Yuchung Cheng +Signed-off-by: Eric Dumazet +Signed-off-by: Neal Cardwell +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/sysctl_net_ipv4.c | 18 +++++++++++++----- + 1 file changed, 13 insertions(+), 5 deletions(-) + +--- a/net/ipv4/sysctl_net_ipv4.c ++++ b/net/ipv4/sysctl_net_ipv4.c +@@ -212,8 +212,9 @@ static int proc_tcp_fastopen_key(struct + { + struct ctl_table tbl = { .maxlen = (TCP_FASTOPEN_KEY_LENGTH * 2 + 10) }; + struct tcp_fastopen_context *ctxt; +- int ret; + u32 user_key[4]; /* 16 bytes, matching TCP_FASTOPEN_KEY_LENGTH */ ++ __le32 key[4]; ++ int ret, i; + + tbl.data = kmalloc(tbl.maxlen, GFP_KERNEL); + if (!tbl.data) +@@ -222,11 +223,14 @@ static int proc_tcp_fastopen_key(struct + rcu_read_lock(); + ctxt = rcu_dereference(tcp_fastopen_ctx); + if (ctxt) +- memcpy(user_key, ctxt->key, TCP_FASTOPEN_KEY_LENGTH); ++ memcpy(key, ctxt->key, TCP_FASTOPEN_KEY_LENGTH); + else +- memset(user_key, 0, sizeof(user_key)); ++ memset(key, 0, sizeof(key)); + rcu_read_unlock(); + ++ for (i = 0; i < ARRAY_SIZE(key); i++) ++ user_key[i] = le32_to_cpu(key[i]); ++ + snprintf(tbl.data, tbl.maxlen, "%08x-%08x-%08x-%08x", + user_key[0], user_key[1], user_key[2], user_key[3]); + ret = proc_dostring(&tbl, write, buffer, lenp, ppos); +@@ -242,12 +246,16 @@ static int proc_tcp_fastopen_key(struct + * first invocation of tcp_fastopen_cookie_gen + */ + tcp_fastopen_init_key_once(false); +- tcp_fastopen_reset_cipher(user_key, TCP_FASTOPEN_KEY_LENGTH); ++ ++ for (i = 0; i < ARRAY_SIZE(user_key); i++) ++ key[i] = cpu_to_le32(user_key[i]); ++ ++ tcp_fastopen_reset_cipher(key, TCP_FASTOPEN_KEY_LENGTH); + } + + bad_key: + pr_debug("proc FO key set 0x%x-%x-%x-%x <- 0x%s: %u\n", +- user_key[0], user_key[1], user_key[2], user_key[3], ++ user_key[0], user_key[1], user_key[2], user_key[3], + (char *)tbl.data, ret); + kfree(tbl.data); + return ret; diff --git a/queue-4.9/tcp-prevent-bogus-frto-undos-with-non-sack-flows.patch b/queue-4.9/tcp-prevent-bogus-frto-undos-with-non-sack-flows.patch new file mode 100644 index 00000000000..f747f43d0e5 --- /dev/null +++ b/queue-4.9/tcp-prevent-bogus-frto-undos-with-non-sack-flows.patch @@ -0,0 +1,64 @@ +From foo@baz Thu Jul 19 09:11:13 CEST 2018 +From: "Ilpo Järvinen" +Date: Fri, 29 Jun 2018 13:07:53 +0300 +Subject: tcp: prevent bogus FRTO undos with non-SACK flows + +From: "Ilpo Järvinen" + +[ Upstream commit 1236f22fbae15df3736ab4a984c64c0c6ee6254c ] + +If SACK is not enabled and the first cumulative ACK after the RTO +retransmission covers more than the retransmitted skb, a spurious +FRTO undo will trigger (assuming FRTO is enabled for that RTO). +The reason is that any non-retransmitted segment acknowledged will +set FLAG_ORIG_SACK_ACKED in tcp_clean_rtx_queue even if there is +no indication that it would have been delivered for real (the +scoreboard is not kept with TCPCB_SACKED_ACKED bits in the non-SACK +case so the check for that bit won't help like it does with SACK). +Having FLAG_ORIG_SACK_ACKED set results in the spurious FRTO undo +in tcp_process_loss. + +We need to use more strict condition for non-SACK case and check +that none of the cumulatively ACKed segments were retransmitted +to prove that progress is due to original transmissions. Only then +keep FLAG_ORIG_SACK_ACKED set, allowing FRTO undo to proceed in +non-SACK case. + +(FLAG_ORIG_SACK_ACKED is planned to be renamed to FLAG_ORIG_PROGRESS +to better indicate its purpose but to keep this change minimal, it +will be done in another patch). + +Besides burstiness and congestion control violations, this problem +can result in RTO loop: When the loss recovery is prematurely +undoed, only new data will be transmitted (if available) and +the next retransmission can occur only after a new RTO which in case +of multiple losses (that are not for consecutive packets) requires +one RTO per loss to recover. + +Signed-off-by: Ilpo Järvinen +Tested-by: Neal Cardwell +Acked-by: Neal Cardwell +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/tcp_input.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/net/ipv4/tcp_input.c ++++ b/net/ipv4/tcp_input.c +@@ -3236,6 +3236,15 @@ static int tcp_clean_rtx_queue(struct so + + if (tcp_is_reno(tp)) { + tcp_remove_reno_sacks(sk, pkts_acked); ++ ++ /* If any of the cumulatively ACKed segments was ++ * retransmitted, non-SACK case cannot confirm that ++ * progress was due to original transmission due to ++ * lack of TCPCB_SACKED_ACKED bits even if some of ++ * the packets may have been never retransmitted. ++ */ ++ if (flag & FLAG_RETRANS_DATA_ACKED) ++ flag &= ~FLAG_ORIG_SACK_ACKED; + } else { + int delta; + diff --git a/queue-4.9/vhost_net-validate-sock-before-trying-to-put-its-fd.patch b/queue-4.9/vhost_net-validate-sock-before-trying-to-put-its-fd.patch new file mode 100644 index 00000000000..bb674270a92 --- /dev/null +++ b/queue-4.9/vhost_net-validate-sock-before-trying-to-put-its-fd.patch @@ -0,0 +1,35 @@ +From foo@baz Thu Jul 19 09:11:13 CEST 2018 +From: Jason Wang +Date: Thu, 21 Jun 2018 13:11:31 +0800 +Subject: vhost_net: validate sock before trying to put its fd + +From: Jason Wang + +[ Upstream commit b8f1f65882f07913157c44673af7ec0b308d03eb ] + +Sock will be NULL if we pass -1 to vhost_net_set_backend(), but when +we meet errors during ubuf allocation, the code does not check for +NULL before calling sockfd_put(), this will lead NULL +dereferencing. Fixing by checking sock pointer before. + +Fixes: bab632d69ee4 ("vhost: vhost TX zero-copy support") +Reported-by: Dan Carpenter +Signed-off-by: Jason Wang +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/vhost/net.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/vhost/net.c ++++ b/drivers/vhost/net.c +@@ -1052,7 +1052,8 @@ err_used: + if (ubufs) + vhost_net_ubuf_put_wait_and_free(ubufs); + err_ubufs: +- sockfd_put(sock); ++ if (sock) ++ sockfd_put(sock); + err_vq: + mutex_unlock(&vq->mutex); + err: