From: Sasha Levin Date: Mon, 15 Feb 2021 04:28:16 +0000 (-0500) Subject: Fixes for 4.19 X-Git-Tag: v5.4.99~28 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=611b91229f7498d182036bee023960ff05a366d0;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 4.19 Signed-off-by: Sasha Levin --- diff --git a/queue-4.19/bpf-check-for-integer-overflow-when-using-roundup_po.patch b/queue-4.19/bpf-check-for-integer-overflow-when-using-roundup_po.patch new file mode 100644 index 00000000000..20fbc36c342 --- /dev/null +++ b/queue-4.19/bpf-check-for-integer-overflow-when-using-roundup_po.patch @@ -0,0 +1,37 @@ +From 828ea86f16dcef9b165146e084e01bb0dd7bf963 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Jan 2021 06:36:53 +0000 +Subject: bpf: Check for integer overflow when using roundup_pow_of_two() + +From: Bui Quang Minh + +[ Upstream commit 6183f4d3a0a2ad230511987c6c362ca43ec0055f ] + +On 32-bit architecture, roundup_pow_of_two() can return 0 when the argument +has upper most bit set due to resulting 1UL << 32. Add a check for this case. + +Fixes: d5a3b1f69186 ("bpf: introduce BPF_MAP_TYPE_STACK_TRACE") +Signed-off-by: Bui Quang Minh +Signed-off-by: Daniel Borkmann +Link: https://lore.kernel.org/bpf/20210127063653.3576-1-minhquangbui99@gmail.com +Signed-off-by: Sasha Levin +--- + kernel/bpf/stackmap.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/kernel/bpf/stackmap.c b/kernel/bpf/stackmap.c +index 55fff5e6d9831..a47d623f59fe7 100644 +--- a/kernel/bpf/stackmap.c ++++ b/kernel/bpf/stackmap.c +@@ -114,6 +114,8 @@ static struct bpf_map *stack_map_alloc(union bpf_attr *attr) + + /* hash table size must be power of 2 */ + n_buckets = roundup_pow_of_two(attr->max_entries); ++ if (!n_buckets) ++ return ERR_PTR(-E2BIG); + + cost = n_buckets * sizeof(struct stack_map_bucket *) + sizeof(*smap); + if (cost >= U32_MAX - PAGE_SIZE) +-- +2.27.0 + diff --git a/queue-4.19/firmware_loader-align-.builtin_fw-to-8.patch b/queue-4.19/firmware_loader-align-.builtin_fw-to-8.patch new file mode 100644 index 00000000000..6f597b85006 --- /dev/null +++ b/queue-4.19/firmware_loader-align-.builtin_fw-to-8.patch @@ -0,0 +1,54 @@ +From 0604ce107e47889f8b7e0cf56548d29079fd5836 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 Feb 2021 13:42:07 -0800 +Subject: firmware_loader: align .builtin_fw to 8 + +From: Fangrui Song + +[ Upstream commit 793f49a87aae24e5bcf92ad98d764153fc936570 ] + +arm64 references the start address of .builtin_fw (__start_builtin_fw) +with a pair of R_AARCH64_ADR_PREL_PG_HI21/R_AARCH64_LDST64_ABS_LO12_NC +relocations. The compiler is allowed to emit the +R_AARCH64_LDST64_ABS_LO12_NC relocation because struct builtin_fw in +include/linux/firmware.h is 8-byte aligned. + +The R_AARCH64_LDST64_ABS_LO12_NC relocation requires the address to be a +multiple of 8, which may not be the case if .builtin_fw is empty. +Unconditionally align .builtin_fw to fix the linker error. 32-bit +architectures could use ALIGN(4) but that would add unnecessary +complexity, so just use ALIGN(8). + +Link: https://lkml.kernel.org/r/20201208054646.2913063-1-maskray@google.com +Link: https://github.com/ClangBuiltLinux/linux/issues/1204 +Fixes: 5658c76 ("firmware: allow firmware files to be built into kernel image") +Signed-off-by: Fangrui Song +Reported-by: kernel test robot +Acked-by: Arnd Bergmann +Reviewed-by: Nick Desaulniers +Tested-by: Nick Desaulniers +Tested-by: Douglas Anderson +Acked-by: Nathan Chancellor +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + include/asm-generic/vmlinux.lds.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/asm-generic/vmlinux.lds.h b/include/asm-generic/vmlinux.lds.h +index f65a924a75abd..e71c97c3c25ef 100644 +--- a/include/asm-generic/vmlinux.lds.h ++++ b/include/asm-generic/vmlinux.lds.h +@@ -363,7 +363,7 @@ + } \ + \ + /* Built-in firmware blobs */ \ +- .builtin_fw : AT(ADDR(.builtin_fw) - LOAD_OFFSET) { \ ++ .builtin_fw : AT(ADDR(.builtin_fw) - LOAD_OFFSET) ALIGN(8) { \ + __start_builtin_fw = .; \ + KEEP(*(.builtin_fw)) \ + __end_builtin_fw = .; \ +-- +2.27.0 + diff --git a/queue-4.19/h8300-fix-preemption-build-ti_pre_count-undefined.patch b/queue-4.19/h8300-fix-preemption-build-ti_pre_count-undefined.patch new file mode 100644 index 00000000000..ebe64fe4465 --- /dev/null +++ b/queue-4.19/h8300-fix-preemption-build-ti_pre_count-undefined.patch @@ -0,0 +1,44 @@ +From 44e67a183b957910c92ce954ecf443dc9a5bad2d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Feb 2021 20:52:54 -0800 +Subject: h8300: fix PREEMPTION build, TI_PRE_COUNT undefined + +From: Randy Dunlap + +[ Upstream commit ade9679c159d5bbe14fb7e59e97daf6062872e2b ] + +Fix a build error for undefined 'TI_PRE_COUNT' by adding it to +asm-offsets.c. + + h8300-linux-ld: arch/h8300/kernel/entry.o: in function `resume_kernel': (.text+0x29a): undefined reference to `TI_PRE_COUNT' + +Link: https://lkml.kernel.org/r/20210212021650.22740-1-rdunlap@infradead.org +Fixes: df2078b8daa7 ("h8300: Low level entry") +Signed-off-by: Randy Dunlap +Reported-by: kernel test robot +Cc: Yoshinori Sato +Cc: Thomas Gleixner +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + arch/h8300/kernel/asm-offsets.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/arch/h8300/kernel/asm-offsets.c b/arch/h8300/kernel/asm-offsets.c +index 85e60509f0a83..d4b53af657c84 100644 +--- a/arch/h8300/kernel/asm-offsets.c ++++ b/arch/h8300/kernel/asm-offsets.c +@@ -63,6 +63,9 @@ int main(void) + OFFSET(TI_FLAGS, thread_info, flags); + OFFSET(TI_CPU, thread_info, cpu); + OFFSET(TI_PRE, thread_info, preempt_count); ++#ifdef CONFIG_PREEMPTION ++ DEFINE(TI_PRE_COUNT, offsetof(struct thread_info, preempt_count)); ++#endif + + return 0; + } +-- +2.27.0 + diff --git a/queue-4.19/i2c-stm32f7-fix-configuration-of-the-digital-filter.patch b/queue-4.19/i2c-stm32f7-fix-configuration-of-the-digital-filter.patch new file mode 100644 index 00000000000..4f14ca02af2 --- /dev/null +++ b/queue-4.19/i2c-stm32f7-fix-configuration-of-the-digital-filter.patch @@ -0,0 +1,62 @@ +From ec3915f7894a481b35ff243b2cf9a78e3c002235 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Feb 2021 09:51:40 +0100 +Subject: i2c: stm32f7: fix configuration of the digital filter + +From: Alain Volmat + +[ Upstream commit 3d6a3d3a2a7a3a60a824e7c04e95fd50dec57812 ] + +The digital filter related computation are present in the driver +however the programming of the filter within the IP is missing. +The maximum value for the DNF is wrong and should be 15 instead of 16. + +Fixes: aeb068c57214 ("i2c: i2c-stm32f7: add driver") + +Signed-off-by: Alain Volmat +Signed-off-by: Pierre-Yves MORDRET +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +--- + drivers/i2c/busses/i2c-stm32f7.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +diff --git a/drivers/i2c/busses/i2c-stm32f7.c b/drivers/i2c/busses/i2c-stm32f7.c +index eb7e533b0dd47..6feafebf85feb 100644 +--- a/drivers/i2c/busses/i2c-stm32f7.c ++++ b/drivers/i2c/busses/i2c-stm32f7.c +@@ -49,6 +49,8 @@ + #define STM32F7_I2C_CR1_RXDMAEN BIT(15) + #define STM32F7_I2C_CR1_TXDMAEN BIT(14) + #define STM32F7_I2C_CR1_ANFOFF BIT(12) ++#define STM32F7_I2C_CR1_DNF_MASK GENMASK(11, 8) ++#define STM32F7_I2C_CR1_DNF(n) (((n) & 0xf) << 8) + #define STM32F7_I2C_CR1_ERRIE BIT(7) + #define STM32F7_I2C_CR1_TCIE BIT(6) + #define STM32F7_I2C_CR1_STOPIE BIT(5) +@@ -147,7 +149,7 @@ + #define STM32F7_I2C_MAX_SLAVE 0x2 + + #define STM32F7_I2C_DNF_DEFAULT 0 +-#define STM32F7_I2C_DNF_MAX 16 ++#define STM32F7_I2C_DNF_MAX 15 + + #define STM32F7_I2C_ANALOG_FILTER_ENABLE 1 + #define STM32F7_I2C_ANALOG_FILTER_DELAY_MIN 50 /* ns */ +@@ -645,6 +647,13 @@ static void stm32f7_i2c_hw_config(struct stm32f7_i2c_dev *i2c_dev) + else + stm32f7_i2c_set_bits(i2c_dev->base + STM32F7_I2C_CR1, + STM32F7_I2C_CR1_ANFOFF); ++ ++ /* Program the Digital Filter */ ++ stm32f7_i2c_clr_bits(i2c_dev->base + STM32F7_I2C_CR1, ++ STM32F7_I2C_CR1_DNF_MASK); ++ stm32f7_i2c_set_bits(i2c_dev->base + STM32F7_I2C_CR1, ++ STM32F7_I2C_CR1_DNF(i2c_dev->setup.dnf)); ++ + stm32f7_i2c_set_bits(i2c_dev->base + STM32F7_I2C_CR1, + STM32F7_I2C_CR1_PE); + } +-- +2.27.0 + diff --git a/queue-4.19/mt76-dma-fix-a-possible-memory-leak-in-mt76_add_frag.patch b/queue-4.19/mt76-dma-fix-a-possible-memory-leak-in-mt76_add_frag.patch new file mode 100644 index 00000000000..ecc842a1efc --- /dev/null +++ b/queue-4.19/mt76-dma-fix-a-possible-memory-leak-in-mt76_add_frag.patch @@ -0,0 +1,51 @@ +From fe6804256933203e895bd35097937e963d631653 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 26 Jan 2021 12:02:13 +0100 +Subject: mt76: dma: fix a possible memory leak in mt76_add_fragment() + +From: Lorenzo Bianconi + +[ Upstream commit 93a1d4791c10d443bc67044def7efee2991d48b7 ] + +Fix a memory leak in mt76_add_fragment routine returning the buffer +to the page_frag_cache when we receive a new fragment and the +skb_shared_info frag array is full. + +Fixes: b102f0c522cf6 ("mt76: fix array overflow on receiving too many fragments for a packet") +Signed-off-by: Lorenzo Bianconi +Acked-by: Felix Fietkau +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/4f9dd73407da88b2a552517ce8db242d86bf4d5c.1611616130.git.lorenzo@kernel.org +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mediatek/mt76/dma.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/wireless/mediatek/mt76/dma.c b/drivers/net/wireless/mediatek/mt76/dma.c +index cc6840377bc27..8ce6a167dd2cc 100644 +--- a/drivers/net/wireless/mediatek/mt76/dma.c ++++ b/drivers/net/wireless/mediatek/mt76/dma.c +@@ -393,15 +393,17 @@ static void + mt76_add_fragment(struct mt76_dev *dev, struct mt76_queue *q, void *data, + int len, bool more) + { +- struct page *page = virt_to_head_page(data); +- int offset = data - page_address(page); + struct sk_buff *skb = q->rx_head; + struct skb_shared_info *shinfo = skb_shinfo(skb); + + if (shinfo->nr_frags < ARRAY_SIZE(shinfo->frags)) { +- offset += q->buf_offset; ++ struct page *page = virt_to_head_page(data); ++ int offset = data - page_address(page) + q->buf_offset; ++ + skb_add_rx_frag(skb, shinfo->nr_frags, page, offset, len, + q->buf_size); ++ } else { ++ skb_free_frag(data); + } + + if (more) +-- +2.27.0 + diff --git a/queue-4.19/net-hns3-add-a-check-for-queue_id-in-hclge_reset_vf_.patch b/queue-4.19/net-hns3-add-a-check-for-queue_id-in-hclge_reset_vf_.patch new file mode 100644 index 00000000000..443f0ac4e9c --- /dev/null +++ b/queue-4.19/net-hns3-add-a-check-for-queue_id-in-hclge_reset_vf_.patch @@ -0,0 +1,49 @@ +From 92bb6816bd7fe8e4dbf865ed2c935b8842a12af2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 Feb 2021 17:03:05 +0800 +Subject: net: hns3: add a check for queue_id in hclge_reset_vf_queue() + +From: Yufeng Mo + +[ Upstream commit 67a69f84cab60484f02eb8cbc7a76edffbb28a25 ] + +The queue_id is received from vf, if use it directly, +an out-of-bound issue may be caused, so add a check for +this queue_id before using it in hclge_reset_vf_queue(). + +Fixes: 1a426f8b40fc ("net: hns3: fix the VF queue reset flow error") +Signed-off-by: Yufeng Mo +Signed-off-by: Huazhong Tan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c +index d575dd9a329d9..16ab000454f91 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c +@@ -5182,12 +5182,19 @@ void hclge_reset_tqp(struct hnae3_handle *handle, u16 queue_id) + + void hclge_reset_vf_queue(struct hclge_vport *vport, u16 queue_id) + { ++ struct hnae3_handle *handle = &vport->nic; + struct hclge_dev *hdev = vport->back; + int reset_try_times = 0; + int reset_status; + u16 queue_gid; + int ret; + ++ if (queue_id >= handle->kinfo.num_tqps) { ++ dev_warn(&hdev->pdev->dev, "Invalid vf queue id(%u)\n", ++ queue_id); ++ return; ++ } ++ + queue_gid = hclge_covert_handle_qid_global(&vport->nic, queue_id); + + ret = hclge_send_reset_tqp_cmd(hdev, queue_gid, true); +-- +2.27.0 + diff --git a/queue-4.19/net-stmmac-set-txq-mode-back-to-dcb-after-disabling-.patch b/queue-4.19/net-stmmac-set-txq-mode-back-to-dcb-after-disabling-.patch new file mode 100644 index 00000000000..0899c05e0e4 --- /dev/null +++ b/queue-4.19/net-stmmac-set-txq-mode-back-to-dcb-after-disabling-.patch @@ -0,0 +1,52 @@ +From 58846148f63f8687bc0676c35130e159949c130b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Feb 2021 22:03:16 +0800 +Subject: net: stmmac: set TxQ mode back to DCB after disabling CBS + +From: Mohammad Athari Bin Ismail + +[ Upstream commit f317e2ea8c88737aa36228167b2292baef3f0430 ] + +When disable CBS, mode_to_use parameter is not updated even the operation +mode of Tx Queue is changed to Data Centre Bridging (DCB). Therefore, +when tc_setup_cbs() function is called to re-enable CBS, the operation +mode of Tx Queue remains at DCB, which causing CBS fails to work. + +This patch updates the value of mode_to_use parameter to MTL_QUEUE_DCB +after operation mode of Tx Queue is changed to DCB in stmmac_dma_qmode() +callback function. + +Fixes: 1f705bc61aee ("net: stmmac: Add support for CBS QDISC") +Suggested-by: Vinicius Costa Gomes +Signed-off-by: Mohammad Athari Bin Ismail +Signed-off-by: Song, Yoong Siang +Reviewed-by: Jesse Brandeburg +Acked-by: Vinicius Costa Gomes +Link: https://lore.kernel.org/r/1612447396-20351-1-git-send-email-yoong.siang.song@intel.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/stmicro/stmmac/stmmac_tc.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_tc.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_tc.c +index 37c0bc699cd9c..cc1895a32b9d3 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_tc.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_tc.c +@@ -314,7 +314,12 @@ static int tc_setup_cbs(struct stmmac_priv *priv, + + priv->plat->tx_queues_cfg[queue].mode_to_use = MTL_QUEUE_AVB; + } else if (!qopt->enable) { +- return stmmac_dma_qmode(priv, priv->ioaddr, queue, MTL_QUEUE_DCB); ++ ret = stmmac_dma_qmode(priv, priv->ioaddr, queue, ++ MTL_QUEUE_DCB); ++ if (ret) ++ return ret; ++ ++ priv->plat->tx_queues_cfg[queue].mode_to_use = MTL_QUEUE_DCB; + } + + /* Port Transmit Rate and Speed Divider */ +-- +2.27.0 + diff --git a/queue-4.19/netfilter-conntrack-skip-identical-origin-tuple-in-s.patch b/queue-4.19/netfilter-conntrack-skip-identical-origin-tuple-in-s.patch new file mode 100644 index 00000000000..5a38d7dafc6 --- /dev/null +++ b/queue-4.19/netfilter-conntrack-skip-identical-origin-tuple-in-s.patch @@ -0,0 +1,43 @@ +From bae57c9eb607f7eb0157dffb57a381415da554c9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Feb 2021 12:56:43 +0100 +Subject: netfilter: conntrack: skip identical origin tuple in same zone only + +From: Florian Westphal + +[ Upstream commit 07998281c268592963e1cd623fe6ab0270b65ae4 ] + +The origin skip check needs to re-test the zone. Else, we might skip +a colliding tuple in the reply direction. + +This only occurs when using 'directional zones' where origin tuples +reside in different zones but the reply tuples share the same zone. + +This causes the new conntrack entry to be dropped at confirmation time +because NAT clash resolution was elided. + +Fixes: 4e35c1cb9460240 ("netfilter: nf_nat: skip nat clash resolution for same-origin entries") +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_conntrack_core.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c +index ad1da6b2fb607..1dceda3c0e759 100644 +--- a/net/netfilter/nf_conntrack_core.c ++++ b/net/netfilter/nf_conntrack_core.c +@@ -1063,7 +1063,8 @@ nf_conntrack_tuple_taken(const struct nf_conntrack_tuple *tuple, + * Let nf_ct_resolve_clash() deal with this later. + */ + if (nf_ct_tuple_equal(&ignored_conntrack->tuplehash[IP_CT_DIR_ORIGINAL].tuple, +- &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple)) ++ &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple) && ++ nf_ct_zone_equal(ct, zone, IP_CT_DIR_ORIGINAL)) + continue; + + NF_CT_STAT_INC_ATOMIC(net, found); +-- +2.27.0 + diff --git a/queue-4.19/netfilter-flowtable-fix-tcp-and-udp-header-checksum-.patch b/queue-4.19/netfilter-flowtable-fix-tcp-and-udp-header-checksum-.patch new file mode 100644 index 00000000000..fe6d7c75655 --- /dev/null +++ b/queue-4.19/netfilter-flowtable-fix-tcp-and-udp-header-checksum-.patch @@ -0,0 +1,54 @@ +From fb658efcc825cbabfa3b770dcfaeb03906b640c4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Feb 2021 18:01:16 +0100 +Subject: netfilter: flowtable: fix tcp and udp header checksum update + +From: Sven Auhagen + +[ Upstream commit 8d6bca156e47d68551750a384b3ff49384c67be3 ] + +When updating the tcp or udp header checksum on port nat the function +inet_proto_csum_replace2 with the last parameter pseudohdr as true. +This leads to an error in the case that GRO is used and packets are +split up in GSO. The tcp or udp checksum of all packets is incorrect. + +The error is probably masked due to the fact the most network driver +implement tcp/udp checksum offloading. It also only happens when GRO is +applied and not on single packets. + +The error is most visible when using a pppoe connection which is not +triggering the tcp/udp checksum offload. + +Fixes: ac2a66665e23 ("netfilter: add generic flow table infrastructure") +Signed-off-by: Sven Auhagen +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_flow_table_core.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/netfilter/nf_flow_table_core.c b/net/netfilter/nf_flow_table_core.c +index 890799c16aa41..b3957fe7eced2 100644 +--- a/net/netfilter/nf_flow_table_core.c ++++ b/net/netfilter/nf_flow_table_core.c +@@ -360,7 +360,7 @@ static int nf_flow_nat_port_tcp(struct sk_buff *skb, unsigned int thoff, + return -1; + + tcph = (void *)(skb_network_header(skb) + thoff); +- inet_proto_csum_replace2(&tcph->check, skb, port, new_port, true); ++ inet_proto_csum_replace2(&tcph->check, skb, port, new_port, false); + + return 0; + } +@@ -377,7 +377,7 @@ static int nf_flow_nat_port_udp(struct sk_buff *skb, unsigned int thoff, + udph = (void *)(skb_network_header(skb) + thoff); + if (udph->check || skb->ip_summed == CHECKSUM_PARTIAL) { + inet_proto_csum_replace2(&udph->check, skb, port, +- new_port, true); ++ new_port, false); + if (!udph->check) + udph->check = CSUM_MANGLED_0; + } +-- +2.27.0 + diff --git a/queue-4.19/netfilter-nftables-fix-possible-uaf-over-chains-from.patch b/queue-4.19/netfilter-nftables-fix-possible-uaf-over-chains-from.patch new file mode 100644 index 00000000000..667794d6018 --- /dev/null +++ b/queue-4.19/netfilter-nftables-fix-possible-uaf-over-chains-from.patch @@ -0,0 +1,88 @@ +From 142e293ce46a1c63cb167af6743e2b8abb6581df Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Feb 2021 16:07:37 +0100 +Subject: netfilter: nftables: fix possible UAF over chains from packet path in + netns + +From: Pablo Neira Ayuso + +[ Upstream commit 767d1216bff82507c945e92fe719dff2083bb2f4 ] + +Although hooks are released via call_rcu(), chain and rule objects are +immediately released while packets are still walking over these bits. + +This patch adds the .pre_exit callback which is invoked before +synchronize_rcu() in the netns framework to stay safe. + +Remove a comment which is not valid anymore since the core does not use +synchronize_net() anymore since 8c873e219970 ("netfilter: core: free +hooks with call_rcu"). + +Suggested-by: Florian Westphal +Fixes: df05ef874b28 ("netfilter: nf_tables: release objects on netns destruction") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_tables_api.c | 25 +++++++++++++++++++------ + 1 file changed, 19 insertions(+), 6 deletions(-) + +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index 9cc8e92f4b000..e669e20120446 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -7303,6 +7303,17 @@ int __nft_release_basechain(struct nft_ctx *ctx) + } + EXPORT_SYMBOL_GPL(__nft_release_basechain); + ++static void __nft_release_hooks(struct net *net) ++{ ++ struct nft_table *table; ++ struct nft_chain *chain; ++ ++ list_for_each_entry(table, &net->nft.tables, list) { ++ list_for_each_entry(chain, &table->chains, list) ++ nf_tables_unregister_hook(net, table, chain); ++ } ++} ++ + static void __nft_release_tables(struct net *net) + { + struct nft_flowtable *flowtable, *nf; +@@ -7318,10 +7329,6 @@ static void __nft_release_tables(struct net *net) + + list_for_each_entry_safe(table, nt, &net->nft.tables, list) { + ctx.family = table->family; +- +- list_for_each_entry(chain, &table->chains, list) +- nf_tables_unregister_hook(net, table, chain); +- /* No packets are walking on these chains anymore. */ + ctx.table = table; + list_for_each_entry(chain, &table->chains, list) { + ctx.chain = chain; +@@ -7368,6 +7375,11 @@ static int __net_init nf_tables_init_net(struct net *net) + return 0; + } + ++static void __net_exit nf_tables_pre_exit_net(struct net *net) ++{ ++ __nft_release_hooks(net); ++} ++ + static void __net_exit nf_tables_exit_net(struct net *net) + { + mutex_lock(&net->nft.commit_mutex); +@@ -7379,8 +7391,9 @@ static void __net_exit nf_tables_exit_net(struct net *net) + } + + static struct pernet_operations nf_tables_net_ops = { +- .init = nf_tables_init_net, +- .exit = nf_tables_exit_net, ++ .init = nf_tables_init_net, ++ .pre_exit = nf_tables_pre_exit_net, ++ .exit = nf_tables_exit_net, + }; + + static int __init nf_tables_module_init(void) +-- +2.27.0 + diff --git a/queue-4.19/netfilter-xt_recent-fix-attempt-to-update-deleted-en.patch b/queue-4.19/netfilter-xt_recent-fix-attempt-to-update-deleted-en.patch new file mode 100644 index 00000000000..69f7769b837 --- /dev/null +++ b/queue-4.19/netfilter-xt_recent-fix-attempt-to-update-deleted-en.patch @@ -0,0 +1,66 @@ +From 7ef5b9da9ba7848ea512ff01e3160b38709aac8d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Jan 2021 20:57:43 +0100 +Subject: netfilter: xt_recent: Fix attempt to update deleted entry + +From: Jozsef Kadlecsik + +[ Upstream commit b1bdde33b72366da20d10770ab7a49fe87b5e190 ] + +When both --reap and --update flag are specified, there's a code +path at which the entry to be updated is reaped beforehand, +which then leads to kernel crash. Reap only entries which won't be +updated. + +Fixes kernel bugzilla #207773. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=207773 +Reported-by: Reindl Harald +Fixes: 0079c5aee348 ("netfilter: xt_recent: add an entry reaper") +Signed-off-by: Jozsef Kadlecsik +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/xt_recent.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/net/netfilter/xt_recent.c b/net/netfilter/xt_recent.c +index 570144507df11..cb58bc7ae30d3 100644 +--- a/net/netfilter/xt_recent.c ++++ b/net/netfilter/xt_recent.c +@@ -155,7 +155,8 @@ static void recent_entry_remove(struct recent_table *t, struct recent_entry *e) + /* + * Drop entries with timestamps older then 'time'. + */ +-static void recent_entry_reap(struct recent_table *t, unsigned long time) ++static void recent_entry_reap(struct recent_table *t, unsigned long time, ++ struct recent_entry *working, bool update) + { + struct recent_entry *e; + +@@ -164,6 +165,12 @@ static void recent_entry_reap(struct recent_table *t, unsigned long time) + */ + e = list_entry(t->lru_list.next, struct recent_entry, lru_list); + ++ /* ++ * Do not reap the entry which are going to be updated. ++ */ ++ if (e == working && update) ++ return; ++ + /* + * The last time stamp is the most recent. + */ +@@ -306,7 +313,8 @@ recent_mt(const struct sk_buff *skb, struct xt_action_param *par) + + /* info->seconds must be non-zero */ + if (info->check_set & XT_RECENT_REAP) +- recent_entry_reap(t, time); ++ recent_entry_reap(t, time, e, ++ info->check_set & XT_RECENT_UPDATE && ret); + } + + if (info->check_set & XT_RECENT_SET || +-- +2.27.0 + diff --git a/queue-4.19/series b/queue-4.19/series index fd6907d949b..d6232477524 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -13,3 +13,15 @@ bfq-iosched-revert-bfq-fix-computation-of-shallow-de.patch arm-dts-lpc32xx-revert-set-default-clock-rate-of-hcl.patch arm-ensure-the-signal-page-contains-defined-contents.patch arm-kexec-fix-oops-after-tlb-are-invalidated.patch +mt76-dma-fix-a-possible-memory-leak-in-mt76_add_frag.patch +bpf-check-for-integer-overflow-when-using-roundup_po.patch +netfilter-xt_recent-fix-attempt-to-update-deleted-en.patch +netfilter-nftables-fix-possible-uaf-over-chains-from.patch +netfilter-flowtable-fix-tcp-and-udp-header-checksum-.patch +xen-netback-avoid-race-in-xenvif_rx_ring_slots_avail.patch +net-stmmac-set-txq-mode-back-to-dcb-after-disabling-.patch +netfilter-conntrack-skip-identical-origin-tuple-in-s.patch +net-hns3-add-a-check-for-queue_id-in-hclge_reset_vf_.patch +firmware_loader-align-.builtin_fw-to-8.patch +i2c-stm32f7-fix-configuration-of-the-digital-filter.patch +h8300-fix-preemption-build-ti_pre_count-undefined.patch diff --git a/queue-4.19/xen-netback-avoid-race-in-xenvif_rx_ring_slots_avail.patch b/queue-4.19/xen-netback-avoid-race-in-xenvif_rx_ring_slots_avail.patch new file mode 100644 index 00000000000..a6578c0add7 --- /dev/null +++ b/queue-4.19/xen-netback-avoid-race-in-xenvif_rx_ring_slots_avail.patch @@ -0,0 +1,58 @@ +From 777e789cb8c7bf10914dfc795d71dacd1b4219a9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Feb 2021 08:09:38 +0100 +Subject: xen/netback: avoid race in xenvif_rx_ring_slots_available() + +From: Juergen Gross + +[ Upstream commit ec7d8e7dd3a59528e305a18e93f1cb98f7faf83b ] + +Since commit 23025393dbeb3b8b3 ("xen/netback: use lateeoi irq binding") +xenvif_rx_ring_slots_available() is no longer called only from the rx +queue kernel thread, so it needs to access the rx queue with the +associated queue held. + +Reported-by: Igor Druzhinin +Fixes: 23025393dbeb3b8b3 ("xen/netback: use lateeoi irq binding") +Signed-off-by: Juergen Gross +Acked-by: Wei Liu +Link: https://lore.kernel.org/r/20210202070938.7863-1-jgross@suse.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/xen-netback/rx.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/xen-netback/rx.c b/drivers/net/xen-netback/rx.c +index 9b62f65b630e4..48e2006f96ce6 100644 +--- a/drivers/net/xen-netback/rx.c ++++ b/drivers/net/xen-netback/rx.c +@@ -38,10 +38,15 @@ static bool xenvif_rx_ring_slots_available(struct xenvif_queue *queue) + RING_IDX prod, cons; + struct sk_buff *skb; + int needed; ++ unsigned long flags; ++ ++ spin_lock_irqsave(&queue->rx_queue.lock, flags); + + skb = skb_peek(&queue->rx_queue); +- if (!skb) ++ if (!skb) { ++ spin_unlock_irqrestore(&queue->rx_queue.lock, flags); + return false; ++ } + + needed = DIV_ROUND_UP(skb->len, XEN_PAGE_SIZE); + if (skb_is_gso(skb)) +@@ -49,6 +54,8 @@ static bool xenvif_rx_ring_slots_available(struct xenvif_queue *queue) + if (skb->sw_hash) + needed++; + ++ spin_unlock_irqrestore(&queue->rx_queue.lock, flags); ++ + do { + prod = queue->rx.sring->req_prod; + cons = queue->rx.req_cons; +-- +2.27.0 +