From: Greg Kroah-Hartman Date: Fri, 25 Sep 2020 08:52:17 +0000 (+0200) Subject: 4.19-stable patches X-Git-Tag: v4.19.148~13 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=61a75ae297f41e35a254b3eeba424122ebdae03a;p=thirdparty%2Fkernel%2Fstable-queue.git 4.19-stable patches added patches: bnxt_en-protect-bnxt_set_eee-and-bnxt_set_pauseparam-with-mutex.patch bnxt_en-return-proper-error-codes-in-bnxt_show_temp.patch cxgb4-fix-offset-when-clearing-filter-byte-counters.patch geneve-add-transport-ports-in-route-lookup-for-geneve.patch hdlc_ppp-add-range-checks-in-ppp_cp_parse_cr.patch ip-fix-tos-reflection-in-ack-and-reset-packets.patch ipv4-update-exception-handling-for-multipath-routes-via-same-device.patch ipv6-avoid-lockdep-issue-in-fib6_del.patch net-add-__must_check-to-skb_put_padto.patch net-dcb-validate-dcb_attr_dcb_buffer-argument.patch net-dsa-rtl8366-properly-clear-member-config.patch net-ipv6-fix-kconfig-dependency-warning-for-ipv6_seg6_hmac.patch net-phy-avoid-npd-upon-phy_detach-when-driver-is-unbound.patch net-qrtr-check-skb_put_padto-return-value.patch net-sch_generic-aviod-concurrent-reset-and-enqueue-op-for-lockless-qdisc.patch nfp-use-correct-define-to-return-none-fec.patch tipc-fix-memory-leak-in-tipc_group_create_member.patch tipc-fix-shutdown-of-connection-oriented-socket.patch tipc-use-skb_unshare-instead-in-tipc_buf_append.patch --- diff --git a/queue-4.19/bnxt_en-protect-bnxt_set_eee-and-bnxt_set_pauseparam-with-mutex.patch b/queue-4.19/bnxt_en-protect-bnxt_set_eee-and-bnxt_set_pauseparam-with-mutex.patch new file mode 100644 index 00000000000..06747a2d26c --- /dev/null +++ b/queue-4.19/bnxt_en-protect-bnxt_set_eee-and-bnxt_set_pauseparam-with-mutex.patch @@ -0,0 +1,109 @@ +From foo@baz Fri Sep 25 10:42:34 AM CEST 2020 +From: Michael Chan +Date: Sun, 20 Sep 2020 21:08:56 -0400 +Subject: bnxt_en: Protect bnxt_set_eee() and bnxt_set_pauseparam() with mutex. + +From: Michael Chan + +[ Upstream commit a53906908148d64423398a62c4435efb0d09652c ] + +All changes related to bp->link_info require the protection of the +link_lock mutex. It's not sufficient to rely just on RTNL. + +Fixes: 163e9ef63641 ("bnxt_en: Fix race when modifying pause settings.") +Reviewed-by: Edwin Peer +Signed-off-by: Michael Chan +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c | 31 ++++++++++++++-------- + 1 file changed, 20 insertions(+), 11 deletions(-) + +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c +@@ -1369,9 +1369,12 @@ static int bnxt_set_pauseparam(struct ne + if (!BNXT_SINGLE_PF(bp)) + return -EOPNOTSUPP; + ++ mutex_lock(&bp->link_lock); + if (epause->autoneg) { +- if (!(link_info->autoneg & BNXT_AUTONEG_SPEED)) +- return -EINVAL; ++ if (!(link_info->autoneg & BNXT_AUTONEG_SPEED)) { ++ rc = -EINVAL; ++ goto pause_exit; ++ } + + link_info->autoneg |= BNXT_AUTONEG_FLOW_CTRL; + if (bp->hwrm_spec_code >= 0x10201) +@@ -1392,11 +1395,11 @@ static int bnxt_set_pauseparam(struct ne + if (epause->tx_pause) + link_info->req_flow_ctrl |= BNXT_LINK_PAUSE_TX; + +- if (netif_running(dev)) { +- mutex_lock(&bp->link_lock); ++ if (netif_running(dev)) + rc = bnxt_hwrm_set_pause(bp); +- mutex_unlock(&bp->link_lock); +- } ++ ++pause_exit: ++ mutex_unlock(&bp->link_lock); + return rc; + } + +@@ -2113,8 +2116,7 @@ static int bnxt_set_eee(struct net_devic + struct bnxt *bp = netdev_priv(dev); + struct ethtool_eee *eee = &bp->eee; + struct bnxt_link_info *link_info = &bp->link_info; +- u32 advertising = +- _bnxt_fw_to_ethtool_adv_spds(link_info->advertising, 0); ++ u32 advertising; + int rc = 0; + + if (!BNXT_SINGLE_PF(bp)) +@@ -2123,19 +2125,23 @@ static int bnxt_set_eee(struct net_devic + if (!(bp->flags & BNXT_FLAG_EEE_CAP)) + return -EOPNOTSUPP; + ++ mutex_lock(&bp->link_lock); ++ advertising = _bnxt_fw_to_ethtool_adv_spds(link_info->advertising, 0); + if (!edata->eee_enabled) + goto eee_ok; + + if (!(link_info->autoneg & BNXT_AUTONEG_SPEED)) { + netdev_warn(dev, "EEE requires autoneg\n"); +- return -EINVAL; ++ rc = -EINVAL; ++ goto eee_exit; + } + if (edata->tx_lpi_enabled) { + if (bp->lpi_tmr_hi && (edata->tx_lpi_timer > bp->lpi_tmr_hi || + edata->tx_lpi_timer < bp->lpi_tmr_lo)) { + netdev_warn(dev, "Valid LPI timer range is %d and %d microsecs\n", + bp->lpi_tmr_lo, bp->lpi_tmr_hi); +- return -EINVAL; ++ rc = -EINVAL; ++ goto eee_exit; + } else if (!bp->lpi_tmr_hi) { + edata->tx_lpi_timer = eee->tx_lpi_timer; + } +@@ -2145,7 +2151,8 @@ static int bnxt_set_eee(struct net_devic + } else if (edata->advertised & ~advertising) { + netdev_warn(dev, "EEE advertised %x must be a subset of autoneg advertised speeds %x\n", + edata->advertised, advertising); +- return -EINVAL; ++ rc = -EINVAL; ++ goto eee_exit; + } + + eee->advertised = edata->advertised; +@@ -2157,6 +2164,8 @@ eee_ok: + if (netif_running(dev)) + rc = bnxt_hwrm_set_link_setting(bp, false, true); + ++eee_exit: ++ mutex_unlock(&bp->link_lock); + return rc; + } + diff --git a/queue-4.19/bnxt_en-return-proper-error-codes-in-bnxt_show_temp.patch b/queue-4.19/bnxt_en-return-proper-error-codes-in-bnxt_show_temp.patch new file mode 100644 index 00000000000..639f2ca8e59 --- /dev/null +++ b/queue-4.19/bnxt_en-return-proper-error-codes-in-bnxt_show_temp.patch @@ -0,0 +1,72 @@ +From foo@baz Fri Sep 25 10:42:34 AM CEST 2020 +From: Edwin Peer +Date: Sun, 20 Sep 2020 21:08:55 -0400 +Subject: bnxt_en: return proper error codes in bnxt_show_temp + +From: Edwin Peer + +[ Upstream commit d69753fa1ecb3218b56b022722f7a5822735b876 ] + +Returning "unknown" as a temperature value violates the hwmon interface +rules. Appropriate error codes should be returned via device_attribute +show instead. These will ultimately be propagated to the user via the +file system interface. + +In addition to the corrected error handling, it is an even better idea to +not present the sensor in sysfs at all if it is known that the read will +definitely fail. Given that temp1_input is currently the only sensor +reported, ensure no hwmon registration if TEMP_MONITOR_QUERY is not +supported or if it will fail due to access permissions. Something smarter +may be needed if and when other sensors are added. + +Fixes: 12cce90b934b ("bnxt_en: fix HWRM error when querying VF temperature") +Signed-off-by: Edwin Peer +Signed-off-by: Michael Chan +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/broadcom/bnxt/bnxt.c | 19 +++++++++++++------ + 1 file changed, 13 insertions(+), 6 deletions(-) + +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +@@ -6837,18 +6837,16 @@ static ssize_t bnxt_show_temp(struct dev + struct hwrm_temp_monitor_query_output *resp; + struct bnxt *bp = dev_get_drvdata(dev); + u32 len = 0; ++ int rc; + + resp = bp->hwrm_cmd_resp_addr; + bnxt_hwrm_cmd_hdr_init(bp, &req, HWRM_TEMP_MONITOR_QUERY, -1, -1); + mutex_lock(&bp->hwrm_cmd_lock); +- if (!_hwrm_send_message_silent(bp, &req, sizeof(req), HWRM_CMD_TIMEOUT)) ++ rc = _hwrm_send_message(bp, &req, sizeof(req), HWRM_CMD_TIMEOUT); ++ if (!rc) + len = sprintf(buf, "%u\n", resp->temp * 1000); /* display millidegree */ + mutex_unlock(&bp->hwrm_cmd_lock); +- +- if (len) +- return len; +- +- return sprintf(buf, "unknown\n"); ++ return rc ?: len; + } + static SENSOR_DEVICE_ATTR(temp1_input, 0444, bnxt_show_temp, NULL, 0); + +@@ -6868,7 +6866,16 @@ static void bnxt_hwmon_close(struct bnxt + + static void bnxt_hwmon_open(struct bnxt *bp) + { ++ struct hwrm_temp_monitor_query_input req = {0}; + struct pci_dev *pdev = bp->pdev; ++ int rc; ++ ++ bnxt_hwrm_cmd_hdr_init(bp, &req, HWRM_TEMP_MONITOR_QUERY, -1, -1); ++ rc = hwrm_send_message_silent(bp, &req, sizeof(req), HWRM_CMD_TIMEOUT); ++ if (rc == -EACCES || rc == -EOPNOTSUPP) { ++ bnxt_hwmon_close(bp); ++ return; ++ } + + bp->hwmon_dev = hwmon_device_register_with_groups(&pdev->dev, + DRV_MODULE_NAME, bp, diff --git a/queue-4.19/cxgb4-fix-offset-when-clearing-filter-byte-counters.patch b/queue-4.19/cxgb4-fix-offset-when-clearing-filter-byte-counters.patch new file mode 100644 index 00000000000..94d88d161fe --- /dev/null +++ b/queue-4.19/cxgb4-fix-offset-when-clearing-filter-byte-counters.patch @@ -0,0 +1,43 @@ +From foo@baz Fri Sep 25 10:42:33 AM CEST 2020 +From: Ganji Aravind +Date: Fri, 4 Sep 2020 15:58:18 +0530 +Subject: cxgb4: Fix offset when clearing filter byte counters + +From: Ganji Aravind + +[ Upstream commit 94cc242a067a869c29800aa789d38b7676136e50 ] + +Pass the correct offset to clear the stale filter hit +bytes counter. Otherwise, the counter starts incrementing +from the stale information, instead of 0. + +Fixes: 12b276fbf6e0 ("cxgb4: add support to create hash filters") +Signed-off-by: Ganji Aravind +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/chelsio/cxgb4/cxgb4_filter.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +--- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_filter.c ++++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_filter.c +@@ -1591,13 +1591,16 @@ out: + static int configure_filter_tcb(struct adapter *adap, unsigned int tid, + struct filter_entry *f) + { +- if (f->fs.hitcnts) ++ if (f->fs.hitcnts) { + set_tcb_field(adap, f, tid, TCB_TIMESTAMP_W, +- TCB_TIMESTAMP_V(TCB_TIMESTAMP_M) | ++ TCB_TIMESTAMP_V(TCB_TIMESTAMP_M), ++ TCB_TIMESTAMP_V(0ULL), ++ 1); ++ set_tcb_field(adap, f, tid, TCB_RTT_TS_RECENT_AGE_W, + TCB_RTT_TS_RECENT_AGE_V(TCB_RTT_TS_RECENT_AGE_M), +- TCB_TIMESTAMP_V(0ULL) | + TCB_RTT_TS_RECENT_AGE_V(0ULL), + 1); ++ } + + if (f->fs.newdmac) + set_tcb_tflag(adap, f, tid, TF_CCTRL_ECE_S, 1, diff --git a/queue-4.19/geneve-add-transport-ports-in-route-lookup-for-geneve.patch b/queue-4.19/geneve-add-transport-ports-in-route-lookup-for-geneve.patch new file mode 100644 index 00000000000..913835d84ba --- /dev/null +++ b/queue-4.19/geneve-add-transport-ports-in-route-lookup-for-geneve.patch @@ -0,0 +1,181 @@ +From foo@baz Fri Sep 25 10:42:33 AM CEST 2020 +From: Mark Gray +Date: Wed, 16 Sep 2020 05:19:35 -0400 +Subject: geneve: add transport ports in route lookup for geneve + +From: Mark Gray + +[ Upstream commit 34beb21594519ce64a55a498c2fe7d567bc1ca20 ] + +This patch adds transport ports information for route lookup so that +IPsec can select Geneve tunnel traffic to do encryption. This is +needed for OVS/OVN IPsec with encrypted Geneve tunnels. + +This can be tested by configuring a host-host VPN using an IKE +daemon and specifying port numbers. For example, for an +Openswan-type configuration, the following parameters should be +configured on both hosts and IPsec set up as-per normal: + +$ cat /etc/ipsec.conf + +conn in +... +left=$IP1 +right=$IP2 +... +leftprotoport=udp/6081 +rightprotoport=udp +... +conn out +... +left=$IP1 +right=$IP2 +... +leftprotoport=udp +rightprotoport=udp/6081 +... + +The tunnel can then be setup using "ip" on both hosts (but +changing the relevant IP addresses): + +$ ip link add tun type geneve id 1000 remote $IP2 +$ ip addr add 192.168.0.1/24 dev tun +$ ip link set tun up + +This can then be tested by pinging from $IP1: + +$ ping 192.168.0.2 + +Without this patch the traffic is unencrypted on the wire. + +Fixes: 2d07dc79fe04 ("geneve: add initial netdev driver for GENEVE tunnels") +Signed-off-by: Qiuyu Xiao +Signed-off-by: Mark Gray +Reviewed-by: Greg Rose +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/geneve.c | 37 +++++++++++++++++++++++++++---------- + 1 file changed, 27 insertions(+), 10 deletions(-) + +--- a/drivers/net/geneve.c ++++ b/drivers/net/geneve.c +@@ -721,7 +721,8 @@ static struct rtable *geneve_get_v4_rt(s + struct net_device *dev, + struct geneve_sock *gs4, + struct flowi4 *fl4, +- const struct ip_tunnel_info *info) ++ const struct ip_tunnel_info *info, ++ __be16 dport, __be16 sport) + { + bool use_cache = ip_tunnel_dst_cache_usable(skb, info); + struct geneve_dev *geneve = netdev_priv(dev); +@@ -737,6 +738,8 @@ static struct rtable *geneve_get_v4_rt(s + fl4->flowi4_proto = IPPROTO_UDP; + fl4->daddr = info->key.u.ipv4.dst; + fl4->saddr = info->key.u.ipv4.src; ++ fl4->fl4_dport = dport; ++ fl4->fl4_sport = sport; + + tos = info->key.tos; + if ((tos == 1) && !geneve->collect_md) { +@@ -771,7 +774,8 @@ static struct dst_entry *geneve_get_v6_d + struct net_device *dev, + struct geneve_sock *gs6, + struct flowi6 *fl6, +- const struct ip_tunnel_info *info) ++ const struct ip_tunnel_info *info, ++ __be16 dport, __be16 sport) + { + bool use_cache = ip_tunnel_dst_cache_usable(skb, info); + struct geneve_dev *geneve = netdev_priv(dev); +@@ -787,6 +791,9 @@ static struct dst_entry *geneve_get_v6_d + fl6->flowi6_proto = IPPROTO_UDP; + fl6->daddr = info->key.u.ipv6.dst; + fl6->saddr = info->key.u.ipv6.src; ++ fl6->fl6_dport = dport; ++ fl6->fl6_sport = sport; ++ + prio = info->key.tos; + if ((prio == 1) && !geneve->collect_md) { + prio = ip_tunnel_get_dsfield(ip_hdr(skb), skb); +@@ -833,14 +840,15 @@ static int geneve_xmit_skb(struct sk_buf + __be16 df; + int err; + +- rt = geneve_get_v4_rt(skb, dev, gs4, &fl4, info); ++ sport = udp_flow_src_port(geneve->net, skb, 1, USHRT_MAX, true); ++ rt = geneve_get_v4_rt(skb, dev, gs4, &fl4, info, ++ geneve->info.key.tp_dst, sport); + if (IS_ERR(rt)) + return PTR_ERR(rt); + + skb_tunnel_check_pmtu(skb, &rt->dst, + GENEVE_IPV4_HLEN + info->options_len); + +- sport = udp_flow_src_port(geneve->net, skb, 1, USHRT_MAX, true); + if (geneve->collect_md) { + tos = ip_tunnel_ecn_encap(key->tos, ip_hdr(skb), skb); + ttl = key->ttl; +@@ -875,13 +883,14 @@ static int geneve6_xmit_skb(struct sk_bu + __be16 sport; + int err; + +- dst = geneve_get_v6_dst(skb, dev, gs6, &fl6, info); ++ sport = udp_flow_src_port(geneve->net, skb, 1, USHRT_MAX, true); ++ dst = geneve_get_v6_dst(skb, dev, gs6, &fl6, info, ++ geneve->info.key.tp_dst, sport); + if (IS_ERR(dst)) + return PTR_ERR(dst); + + skb_tunnel_check_pmtu(skb, dst, GENEVE_IPV6_HLEN + info->options_len); + +- sport = udp_flow_src_port(geneve->net, skb, 1, USHRT_MAX, true); + if (geneve->collect_md) { + prio = ip_tunnel_ecn_encap(key->tos, ip_hdr(skb), skb); + ttl = key->ttl; +@@ -958,13 +967,18 @@ static int geneve_fill_metadata_dst(stru + { + struct ip_tunnel_info *info = skb_tunnel_info(skb); + struct geneve_dev *geneve = netdev_priv(dev); ++ __be16 sport; + + if (ip_tunnel_info_af(info) == AF_INET) { + struct rtable *rt; + struct flowi4 fl4; ++ + struct geneve_sock *gs4 = rcu_dereference(geneve->sock4); ++ sport = udp_flow_src_port(geneve->net, skb, ++ 1, USHRT_MAX, true); + +- rt = geneve_get_v4_rt(skb, dev, gs4, &fl4, info); ++ rt = geneve_get_v4_rt(skb, dev, gs4, &fl4, info, ++ geneve->info.key.tp_dst, sport); + if (IS_ERR(rt)) + return PTR_ERR(rt); + +@@ -974,9 +988,13 @@ static int geneve_fill_metadata_dst(stru + } else if (ip_tunnel_info_af(info) == AF_INET6) { + struct dst_entry *dst; + struct flowi6 fl6; ++ + struct geneve_sock *gs6 = rcu_dereference(geneve->sock6); ++ sport = udp_flow_src_port(geneve->net, skb, ++ 1, USHRT_MAX, true); + +- dst = geneve_get_v6_dst(skb, dev, gs6, &fl6, info); ++ dst = geneve_get_v6_dst(skb, dev, gs6, &fl6, info, ++ geneve->info.key.tp_dst, sport); + if (IS_ERR(dst)) + return PTR_ERR(dst); + +@@ -987,8 +1005,7 @@ static int geneve_fill_metadata_dst(stru + return -EINVAL; + } + +- info->key.tp_src = udp_flow_src_port(geneve->net, skb, +- 1, USHRT_MAX, true); ++ info->key.tp_src = sport; + info->key.tp_dst = geneve->info.key.tp_dst; + return 0; + } diff --git a/queue-4.19/hdlc_ppp-add-range-checks-in-ppp_cp_parse_cr.patch b/queue-4.19/hdlc_ppp-add-range-checks-in-ppp_cp_parse_cr.patch new file mode 100644 index 00000000000..d9dade685a4 --- /dev/null +++ b/queue-4.19/hdlc_ppp-add-range-checks-in-ppp_cp_parse_cr.patch @@ -0,0 +1,80 @@ +From foo@baz Fri Sep 25 10:42:33 AM CEST 2020 +From: Dan Carpenter +Date: Wed, 9 Sep 2020 12:46:48 +0300 +Subject: hdlc_ppp: add range checks in ppp_cp_parse_cr() + +From: Dan Carpenter + +[ Upstream commit 66d42ed8b25b64eb63111a2b8582c5afc8bf1105 ] + +There are a couple bugs here: +1) If opt[1] is zero then this results in a forever loop. If the value + is less than 2 then it is invalid. +2) It assumes that "len" is more than sizeof(valid_accm) or 6 which can + result in memory corruption. + +In the case of LCP_OPTION_ACCM, then we should check "opt[1]" instead +of "len" because, if "opt[1]" is less than sizeof(valid_accm) then +"nak_len" gets out of sync and it can lead to memory corruption in the +next iterations through the loop. In case of LCP_OPTION_MAGIC, the +only valid value for opt[1] is 6, but the code is trying to log invalid +data so we should only discard the data when "len" is less than 6 +because that leads to a read overflow. + +Reported-by: ChenNan Of Chaitin Security Research Lab +Fixes: e022c2f07ae5 ("WAN: new synchronous PPP implementation for generic HDLC.") +Signed-off-by: Dan Carpenter +Reviewed-by: Eric Dumazet +Reviewed-by: Greg Kroah-Hartman +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wan/hdlc_ppp.c | 16 +++++++++++----- + 1 file changed, 11 insertions(+), 5 deletions(-) + +--- a/drivers/net/wan/hdlc_ppp.c ++++ b/drivers/net/wan/hdlc_ppp.c +@@ -386,11 +386,8 @@ static void ppp_cp_parse_cr(struct net_d + } + + for (opt = data; len; len -= opt[1], opt += opt[1]) { +- if (len < 2 || len < opt[1]) { +- dev->stats.rx_errors++; +- kfree(out); +- return; /* bad packet, drop silently */ +- } ++ if (len < 2 || opt[1] < 2 || len < opt[1]) ++ goto err_out; + + if (pid == PID_LCP) + switch (opt[0]) { +@@ -398,6 +395,8 @@ static void ppp_cp_parse_cr(struct net_d + continue; /* MRU always OK and > 1500 bytes? */ + + case LCP_OPTION_ACCM: /* async control character map */ ++ if (opt[1] < sizeof(valid_accm)) ++ goto err_out; + if (!memcmp(opt, valid_accm, + sizeof(valid_accm))) + continue; +@@ -409,6 +408,8 @@ static void ppp_cp_parse_cr(struct net_d + } + break; + case LCP_OPTION_MAGIC: ++ if (len < 6) ++ goto err_out; + if (opt[1] != 6 || (!opt[2] && !opt[3] && + !opt[4] && !opt[5])) + break; /* reject invalid magic number */ +@@ -427,6 +428,11 @@ static void ppp_cp_parse_cr(struct net_d + ppp_cp_event(dev, pid, RCR_GOOD, CP_CONF_ACK, id, req_len, data); + + kfree(out); ++ return; ++ ++err_out: ++ dev->stats.rx_errors++; ++ kfree(out); + } + + static int ppp_rx(struct sk_buff *skb) diff --git a/queue-4.19/ip-fix-tos-reflection-in-ack-and-reset-packets.patch b/queue-4.19/ip-fix-tos-reflection-in-ack-and-reset-packets.patch new file mode 100644 index 00000000000..e112df898d8 --- /dev/null +++ b/queue-4.19/ip-fix-tos-reflection-in-ack-and-reset-packets.patch @@ -0,0 +1,43 @@ +From foo@baz Fri Sep 25 10:42:33 AM CEST 2020 +From: Wei Wang +Date: Tue, 8 Sep 2020 14:09:34 -0700 +Subject: ip: fix tos reflection in ack and reset packets + +From: Wei Wang + +[ Upstream commit ba9e04a7ddf4f22a10e05bf9403db6b97743c7bf ] + +Currently, in tcp_v4_reqsk_send_ack() and tcp_v4_send_reset(), we +echo the TOS value of the received packets in the response. +However, we do not want to echo the lower 2 ECN bits in accordance +with RFC 3168 6.1.5 robustness principles. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") + +Signed-off-by: Wei Wang +Signed-off-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/ip_output.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/ipv4/ip_output.c ++++ b/net/ipv4/ip_output.c +@@ -73,6 +73,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -1582,7 +1583,7 @@ void ip_send_unicast_reply(struct sock * + if (IS_ERR(rt)) + return; + +- inet_sk(sk)->tos = arg->tos; ++ inet_sk(sk)->tos = arg->tos & ~INET_ECN_MASK; + + sk->sk_priority = skb->priority; + sk->sk_protocol = ip_hdr(skb)->protocol; diff --git a/queue-4.19/ipv4-update-exception-handling-for-multipath-routes-via-same-device.patch b/queue-4.19/ipv4-update-exception-handling-for-multipath-routes-via-same-device.patch new file mode 100644 index 00000000000..d43cc353683 --- /dev/null +++ b/queue-4.19/ipv4-update-exception-handling-for-multipath-routes-via-same-device.patch @@ -0,0 +1,159 @@ +From foo@baz Fri Sep 25 10:42:33 AM CEST 2020 +From: David Ahern +Date: Mon, 14 Sep 2020 21:03:54 -0600 +Subject: ipv4: Update exception handling for multipath routes via same device + +From: David Ahern + +[ Upstream commit 2fbc6e89b2f1403189e624cabaf73e189c5e50c6 ] + +Kfir reported that pmtu exceptions are not created properly for +deployments where multipath routes use the same device. + +After some digging I see 2 compounding problems: +1. ip_route_output_key_hash_rcu is updating the flowi4_oif *after* + the route lookup. This is the second use case where this has + been a problem (the first is related to use of vti devices with + VRF). I can not find any reason for the oif to be changed after the + lookup; the code goes back to the start of git. It does not seem + logical so remove it. + +2. fib_lookups for exceptions do not call fib_select_path to handle + multipath route selection based on the hash. + +The end result is that the fib_lookup used to add the exception +always creates it based using the first leg of the route. + +An example topology showing the problem: + + | host1 + +------+ + | eth0 | .209 + +------+ + | + +------+ + switch | br0 | + +------+ + | + +---------+---------+ + | host2 | host3 + +------+ +------+ + | eth0 | .250 | eth0 | 192.168.252.252 + +------+ +------+ + + +-----+ +-----+ + | vti | .2 | vti | 192.168.247.3 + +-----+ +-----+ + \ / + ================================= + tunnels + 192.168.247.1/24 + +for h in host1 host2 host3; do + ip netns add ${h} + ip -netns ${h} link set lo up + ip netns exec ${h} sysctl -wq net.ipv4.ip_forward=1 +done + +ip netns add switch +ip -netns switch li set lo up +ip -netns switch link add br0 type bridge stp 0 +ip -netns switch link set br0 up + +for n in 1 2 3; do + ip -netns switch link add eth-sw type veth peer name eth-h${n} + ip -netns switch li set eth-h${n} master br0 up + ip -netns switch li set eth-sw netns host${n} name eth0 +done + +ip -netns host1 addr add 192.168.252.209/24 dev eth0 +ip -netns host1 link set dev eth0 up +ip -netns host1 route add 192.168.247.0/24 \ + nexthop via 192.168.252.250 dev eth0 nexthop via 192.168.252.252 dev eth0 + +ip -netns host2 addr add 192.168.252.250/24 dev eth0 +ip -netns host2 link set dev eth0 up + +ip -netns host2 addr add 192.168.252.252/24 dev eth0 +ip -netns host3 link set dev eth0 up + +ip netns add tunnel +ip -netns tunnel li set lo up +ip -netns tunnel li add br0 type bridge +ip -netns tunnel li set br0 up +for n in $(seq 11 20); do + ip -netns tunnel addr add dev br0 192.168.247.${n}/24 +done + +for n in 2 3 +do + ip -netns tunnel link add vti${n} type veth peer name eth${n} + ip -netns tunnel link set eth${n} mtu 1360 master br0 up + ip -netns tunnel link set vti${n} netns host${n} mtu 1360 up + ip -netns host${n} addr add dev vti${n} 192.168.247.${n}/24 +done +ip -netns tunnel ro add default nexthop via 192.168.247.2 nexthop via 192.168.247.3 + +ip netns exec host1 ping -M do -s 1400 -c3 -I 192.168.252.209 192.168.247.11 +ip netns exec host1 ping -M do -s 1400 -c3 -I 192.168.252.209 192.168.247.15 +ip -netns host1 ro ls cache + +Before this patch the cache always shows exceptions against the first +leg in the multipath route; 192.168.252.250 per this example. Since the +hash has an initial random seed, you may need to vary the final octet +more than what is listed. In my tests, using addresses between 11 and 19 +usually found 1 that used both legs. + +With this patch, the cache will have exceptions for both legs. + +Fixes: 4895c771c7f0 ("ipv4: Add FIB nexthop exceptions") +Reported-by: Kfir Itzhak +Signed-off-by: David Ahern +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/route.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +--- a/net/ipv4/route.c ++++ b/net/ipv4/route.c +@@ -779,6 +779,8 @@ static void __ip_do_redirect(struct rtab + if (fib_lookup(net, fl4, &res, 0) == 0) { + struct fib_nh *nh = &FIB_RES_NH(res); + ++ fib_select_path(net, &res, fl4, skb); ++ nh = &FIB_RES_NH(res); + update_or_create_fnhe(nh, fl4->daddr, new_gw, + 0, false, + jiffies + ip_rt_gc_timeout); +@@ -1004,6 +1006,7 @@ out: kfree_skb(skb); + static void __ip_rt_update_pmtu(struct rtable *rt, struct flowi4 *fl4, u32 mtu) + { + struct dst_entry *dst = &rt->dst; ++ struct net *net = dev_net(dst->dev); + u32 old_mtu = ipv4_mtu(dst); + struct fib_result res; + bool lock = false; +@@ -1024,9 +1027,11 @@ static void __ip_rt_update_pmtu(struct r + return; + + rcu_read_lock(); +- if (fib_lookup(dev_net(dst->dev), fl4, &res, 0) == 0) { +- struct fib_nh *nh = &FIB_RES_NH(res); ++ if (fib_lookup(net, fl4, &res, 0) == 0) { ++ struct fib_nh *nh; + ++ fib_select_path(net, &res, fl4, NULL); ++ nh = &FIB_RES_NH(res); + update_or_create_fnhe(nh, fl4->daddr, 0, mtu, lock, + jiffies + ip_rt_mtu_expires); + } +@@ -2536,8 +2541,6 @@ struct rtable *ip_route_output_key_hash_ + fib_select_path(net, res, fl4, skb); + + dev_out = FIB_RES_DEV(*res); +- fl4->flowi4_oif = dev_out->ifindex; +- + + make_route: + rth = __mkroute_output(res, fl4, orig_oif, dev_out, flags); diff --git a/queue-4.19/ipv6-avoid-lockdep-issue-in-fib6_del.patch b/queue-4.19/ipv6-avoid-lockdep-issue-in-fib6_del.patch new file mode 100644 index 00000000000..60b0a91dedb --- /dev/null +++ b/queue-4.19/ipv6-avoid-lockdep-issue-in-fib6_del.patch @@ -0,0 +1,105 @@ +From foo@baz Fri Sep 25 10:42:33 AM CEST 2020 +From: Eric Dumazet +Date: Tue, 8 Sep 2020 01:20:23 -0700 +Subject: ipv6: avoid lockdep issue in fib6_del() + +From: Eric Dumazet + +[ Upstream commit 843d926b003ea692468c8cc5bea1f9f58dfa8c75 ] + +syzbot reported twice a lockdep issue in fib6_del() [1] +which I think is caused by net->ipv6.fib6_null_entry +having a NULL fib6_table pointer. + +fib6_del() already checks for fib6_null_entry special +case, we only need to return earlier. + +Bug seems to occur very rarely, I have thus chosen +a 'bug origin' that makes backports not too complex. + +[1] +WARNING: suspicious RCU usage +5.9.0-rc4-syzkaller #0 Not tainted +----------------------------- +net/ipv6/ip6_fib.c:1996 suspicious rcu_dereference_protected() usage! + +other info that might help us debug this: + +rcu_scheduler_active = 2, debug_locks = 1 +4 locks held by syz-executor.5/8095: + #0: ffffffff8a7ea708 (rtnl_mutex){+.+.}-{3:3}, at: ppp_release+0x178/0x240 drivers/net/ppp/ppp_generic.c:401 + #1: ffff88804c422dd8 (&net->ipv6.fib6_gc_lock){+.-.}-{2:2}, at: spin_trylock_bh include/linux/spinlock.h:414 [inline] + #1: ffff88804c422dd8 (&net->ipv6.fib6_gc_lock){+.-.}-{2:2}, at: fib6_run_gc+0x21b/0x2d0 net/ipv6/ip6_fib.c:2312 + #2: ffffffff89bd6a40 (rcu_read_lock){....}-{1:2}, at: __fib6_clean_all+0x0/0x290 net/ipv6/ip6_fib.c:2613 + #3: ffff8880a82e6430 (&tb->tb6_lock){+.-.}-{2:2}, at: spin_lock_bh include/linux/spinlock.h:359 [inline] + #3: ffff8880a82e6430 (&tb->tb6_lock){+.-.}-{2:2}, at: __fib6_clean_all+0x107/0x290 net/ipv6/ip6_fib.c:2245 + +stack backtrace: +CPU: 1 PID: 8095 Comm: syz-executor.5 Not tainted 5.9.0-rc4-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0x198/0x1fd lib/dump_stack.c:118 + fib6_del+0x12b4/0x1630 net/ipv6/ip6_fib.c:1996 + fib6_clean_node+0x39b/0x570 net/ipv6/ip6_fib.c:2180 + fib6_walk_continue+0x4aa/0x8e0 net/ipv6/ip6_fib.c:2102 + fib6_walk+0x182/0x370 net/ipv6/ip6_fib.c:2150 + fib6_clean_tree+0xdb/0x120 net/ipv6/ip6_fib.c:2230 + __fib6_clean_all+0x120/0x290 net/ipv6/ip6_fib.c:2246 + fib6_clean_all net/ipv6/ip6_fib.c:2257 [inline] + fib6_run_gc+0x113/0x2d0 net/ipv6/ip6_fib.c:2320 + ndisc_netdev_event+0x217/0x350 net/ipv6/ndisc.c:1805 + notifier_call_chain+0xb5/0x200 kernel/notifier.c:83 + call_netdevice_notifiers_info+0xb5/0x130 net/core/dev.c:2033 + call_netdevice_notifiers_extack net/core/dev.c:2045 [inline] + call_netdevice_notifiers net/core/dev.c:2059 [inline] + dev_close_many+0x30b/0x650 net/core/dev.c:1634 + rollback_registered_many+0x3a8/0x1210 net/core/dev.c:9261 + rollback_registered net/core/dev.c:9329 [inline] + unregister_netdevice_queue+0x2dd/0x570 net/core/dev.c:10410 + unregister_netdevice include/linux/netdevice.h:2774 [inline] + ppp_release+0x216/0x240 drivers/net/ppp/ppp_generic.c:403 + __fput+0x285/0x920 fs/file_table.c:281 + task_work_run+0xdd/0x190 kernel/task_work.c:141 + tracehook_notify_resume include/linux/tracehook.h:188 [inline] + exit_to_user_mode_loop kernel/entry/common.c:163 [inline] + exit_to_user_mode_prepare+0x1e1/0x200 kernel/entry/common.c:190 + syscall_exit_to_user_mode+0x7e/0x2e0 kernel/entry/common.c:265 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +Fixes: 421842edeaf6 ("net/ipv6: Add fib6_null_entry") +Signed-off-by: Eric Dumazet +Cc: David Ahern +Reviewed-by: David Ahern +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/ip6_fib.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +--- a/net/ipv6/ip6_fib.c ++++ b/net/ipv6/ip6_fib.c +@@ -1811,14 +1811,19 @@ static void fib6_del_route(struct fib6_t + /* Need to own table->tb6_lock */ + int fib6_del(struct fib6_info *rt, struct nl_info *info) + { +- struct fib6_node *fn = rcu_dereference_protected(rt->fib6_node, +- lockdep_is_held(&rt->fib6_table->tb6_lock)); +- struct fib6_table *table = rt->fib6_table; + struct net *net = info->nl_net; + struct fib6_info __rcu **rtp; + struct fib6_info __rcu **rtp_next; ++ struct fib6_table *table; ++ struct fib6_node *fn; + +- if (!fn || rt == net->ipv6.fib6_null_entry) ++ if (rt == net->ipv6.fib6_null_entry) ++ return -ENOENT; ++ ++ table = rt->fib6_table; ++ fn = rcu_dereference_protected(rt->fib6_node, ++ lockdep_is_held(&table->tb6_lock)); ++ if (!fn) + return -ENOENT; + + WARN_ON(!(fn->fn_flags & RTN_RTINFO)); diff --git a/queue-4.19/mm-thp-fix-__split_huge_pmd_locked-for-migration-pmd.patch b/queue-4.19/mm-thp-fix-__split_huge_pmd_locked-for-migration-pmd.patch index 360f444c8d6..81894e2652e 100644 --- a/queue-4.19/mm-thp-fix-__split_huge_pmd_locked-for-migration-pmd.patch +++ b/queue-4.19/mm-thp-fix-__split_huge_pmd_locked-for-migration-pmd.patch @@ -39,14 +39,12 @@ Link: https://lkml.kernel.org/r/20200903183140.19055-1-rcampbell@nvidia.com Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin --- - mm/huge_memory.c | 40 +++++++++++++++++++++++----------------- + mm/huge_memory.c | 40 +++++++++++++++++++++++----------------- 1 file changed, 23 insertions(+), 17 deletions(-) -diff --git a/mm/huge_memory.c b/mm/huge_memory.c -index 1443ae6fee9bd..8b137248b146d 100644 --- a/mm/huge_memory.c +++ b/mm/huge_memory.c -@@ -2145,7 +2145,7 @@ static void __split_huge_pmd_locked(struct vm_area_struct *vma, pmd_t *pmd, +@@ -2145,7 +2145,7 @@ static void __split_huge_pmd_locked(stru put_page(page); add_mm_counter(mm, mm_counter_file(page), -HPAGE_PMD_NR); return; @@ -55,7 +53,7 @@ index 1443ae6fee9bd..8b137248b146d 100644 /* * FIXME: Do we want to invalidate secondary mmu by calling * mmu_notifier_invalidate_range() see comments below inside -@@ -2233,27 +2233,33 @@ static void __split_huge_pmd_locked(struct vm_area_struct *vma, pmd_t *pmd, +@@ -2233,27 +2233,33 @@ static void __split_huge_pmd_locked(stru pte = pte_offset_map(&_pmd, addr); BUG_ON(!pte_none(*pte)); set_pte_at(mm, addr, pte, entry); @@ -105,6 +103,3 @@ index 1443ae6fee9bd..8b137248b146d 100644 } smp_wmb(); /* make pte visible before pmd */ --- -2.25.1 - diff --git a/queue-4.19/net-add-__must_check-to-skb_put_padto.patch b/queue-4.19/net-add-__must_check-to-skb_put_padto.patch new file mode 100644 index 00000000000..6cf55d59fbc --- /dev/null +++ b/queue-4.19/net-add-__must_check-to-skb_put_padto.patch @@ -0,0 +1,42 @@ +From foo@baz Fri Sep 25 10:42:34 AM CEST 2020 +From: Eric Dumazet +Date: Wed, 9 Sep 2020 01:27:40 -0700 +Subject: net: add __must_check to skb_put_padto() + +From: Eric Dumazet + +[ Upstream commit 4a009cb04aeca0de60b73f37b102573354214b52 ] + +skb_put_padto() and __skb_put_padto() callers +must check return values or risk use-after-free. + +Signed-off-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/skbuff.h | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/include/linux/skbuff.h ++++ b/include/linux/skbuff.h +@@ -3014,8 +3014,9 @@ static inline int skb_padto(struct sk_bu + * is untouched. Otherwise it is extended. Returns zero on + * success. The skb is freed on error if @free_on_error is true. + */ +-static inline int __skb_put_padto(struct sk_buff *skb, unsigned int len, +- bool free_on_error) ++static inline int __must_check __skb_put_padto(struct sk_buff *skb, ++ unsigned int len, ++ bool free_on_error) + { + unsigned int size = skb->len; + +@@ -3038,7 +3039,7 @@ static inline int __skb_put_padto(struct + * is untouched. Otherwise it is extended. Returns zero on + * success. The skb is freed on error. + */ +-static inline int skb_put_padto(struct sk_buff *skb, unsigned int len) ++static inline int __must_check skb_put_padto(struct sk_buff *skb, unsigned int len) + { + return __skb_put_padto(skb, len, true); + } diff --git a/queue-4.19/net-dcb-validate-dcb_attr_dcb_buffer-argument.patch b/queue-4.19/net-dcb-validate-dcb_attr_dcb_buffer-argument.patch new file mode 100644 index 00000000000..743c5cdc1af --- /dev/null +++ b/queue-4.19/net-dcb-validate-dcb_attr_dcb_buffer-argument.patch @@ -0,0 +1,57 @@ +From foo@baz Fri Sep 25 10:42:33 AM CEST 2020 +From: Petr Machata +Date: Thu, 10 Sep 2020 14:09:05 +0200 +Subject: net: DCB: Validate DCB_ATTR_DCB_BUFFER argument + +From: Petr Machata + +[ Upstream commit 297e77e53eadb332d5062913447b104a772dc33b ] + +The parameter passed via DCB_ATTR_DCB_BUFFER is a struct dcbnl_buffer. The +field prio2buffer is an array of IEEE_8021Q_MAX_PRIORITIES bytes, where +each value is a number of a buffer to direct that priority's traffic to. +That value is however never validated to lie within the bounds set by +DCBX_MAX_BUFFERS. The only driver that currently implements the callback is +mlx5 (maintainers CCd), and that does not do any validation either, in +particual allowing incorrect configuration if the prio2buffer value does +not fit into 4 bits. + +Instead of offloading the need to validate the buffer index to drivers, do +it right there in core, and bounce the request if the value is too large. + +CC: Parav Pandit +CC: Saeed Mahameed +Fixes: e549f6f9c098 ("net/dcb: Add dcbnl buffer attribute") +Signed-off-by: Petr Machata +Reviewed-by: Ido Schimmel +Reviewed-by: Jiri Pirko +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/dcb/dcbnl.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/net/dcb/dcbnl.c ++++ b/net/dcb/dcbnl.c +@@ -1421,6 +1421,7 @@ static int dcbnl_ieee_set(struct net_dev + { + const struct dcbnl_rtnl_ops *ops = netdev->dcbnl_ops; + struct nlattr *ieee[DCB_ATTR_IEEE_MAX + 1]; ++ int prio; + int err; + + if (!ops) +@@ -1469,6 +1470,13 @@ static int dcbnl_ieee_set(struct net_dev + struct dcbnl_buffer *buffer = + nla_data(ieee[DCB_ATTR_DCB_BUFFER]); + ++ for (prio = 0; prio < ARRAY_SIZE(buffer->prio2buffer); prio++) { ++ if (buffer->prio2buffer[prio] >= DCBX_MAX_BUFFERS) { ++ err = -EINVAL; ++ goto err; ++ } ++ } ++ + err = ops->dcbnl_setbuffer(netdev, buffer); + if (err) + goto err; diff --git a/queue-4.19/net-dsa-rtl8366-properly-clear-member-config.patch b/queue-4.19/net-dsa-rtl8366-properly-clear-member-config.patch new file mode 100644 index 00000000000..63f0f79c660 --- /dev/null +++ b/queue-4.19/net-dsa-rtl8366-properly-clear-member-config.patch @@ -0,0 +1,55 @@ +From foo@baz Fri Sep 25 10:42:33 AM CEST 2020 +From: Linus Walleij +Date: Sat, 5 Sep 2020 12:32:33 +0200 +Subject: net: dsa: rtl8366: Properly clear member config + +From: Linus Walleij + +[ Upstream commit 4ddcaf1ebb5e4e99240f29d531ee69d4244fe416 ] + +When removing a port from a VLAN we are just erasing the +member config for the VLAN, which is wrong: other ports +can be using it. + +Just mask off the port and only zero out the rest of the +member config once ports using of the VLAN are removed +from it. + +Reported-by: Florian Fainelli +Fixes: d8652956cf37 ("net: dsa: realtek-smi: Add Realtek SMI driver") +Signed-off-by: Linus Walleij +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/dsa/rtl8366.c | 20 +++++++++++++------- + 1 file changed, 13 insertions(+), 7 deletions(-) + +--- a/drivers/net/dsa/rtl8366.c ++++ b/drivers/net/dsa/rtl8366.c +@@ -452,13 +452,19 @@ int rtl8366_vlan_del(struct dsa_switch * + return ret; + + if (vid == vlanmc.vid) { +- /* clear VLAN member configurations */ +- vlanmc.vid = 0; +- vlanmc.priority = 0; +- vlanmc.member = 0; +- vlanmc.untag = 0; +- vlanmc.fid = 0; +- ++ /* Remove this port from the VLAN */ ++ vlanmc.member &= ~BIT(port); ++ vlanmc.untag &= ~BIT(port); ++ /* ++ * If no ports are members of this VLAN ++ * anymore then clear the whole member ++ * config so it can be reused. ++ */ ++ if (!vlanmc.member && vlanmc.untag) { ++ vlanmc.vid = 0; ++ vlanmc.priority = 0; ++ vlanmc.fid = 0; ++ } + ret = smi->ops->set_vlan_mc(smi, i, &vlanmc); + if (ret) { + dev_err(smi->dev, diff --git a/queue-4.19/net-ipv6-fix-kconfig-dependency-warning-for-ipv6_seg6_hmac.patch b/queue-4.19/net-ipv6-fix-kconfig-dependency-warning-for-ipv6_seg6_hmac.patch new file mode 100644 index 00000000000..fa978b73e0e --- /dev/null +++ b/queue-4.19/net-ipv6-fix-kconfig-dependency-warning-for-ipv6_seg6_hmac.patch @@ -0,0 +1,51 @@ +From foo@baz Fri Sep 25 10:42:33 AM CEST 2020 +From: Necip Fazil Yildiran +Date: Thu, 17 Sep 2020 19:46:43 +0300 +Subject: net: ipv6: fix kconfig dependency warning for IPV6_SEG6_HMAC + +From: Necip Fazil Yildiran + +[ Upstream commit db7cd91a4be15e1485d6b58c6afc8761c59c4efb ] + +When IPV6_SEG6_HMAC is enabled and CRYPTO is disabled, it results in the +following Kbuild warning: + +WARNING: unmet direct dependencies detected for CRYPTO_HMAC + Depends on [n]: CRYPTO [=n] + Selected by [y]: + - IPV6_SEG6_HMAC [=y] && NET [=y] && INET [=y] && IPV6 [=y] + +WARNING: unmet direct dependencies detected for CRYPTO_SHA1 + Depends on [n]: CRYPTO [=n] + Selected by [y]: + - IPV6_SEG6_HMAC [=y] && NET [=y] && INET [=y] && IPV6 [=y] + +WARNING: unmet direct dependencies detected for CRYPTO_SHA256 + Depends on [n]: CRYPTO [=n] + Selected by [y]: + - IPV6_SEG6_HMAC [=y] && NET [=y] && INET [=y] && IPV6 [=y] + +The reason is that IPV6_SEG6_HMAC selects CRYPTO_HMAC, CRYPTO_SHA1, and +CRYPTO_SHA256 without depending on or selecting CRYPTO while those configs +are subordinate to CRYPTO. + +Honor the kconfig menu hierarchy to remove kconfig dependency warnings. + +Fixes: bf355b8d2c30 ("ipv6: sr: add core files for SR HMAC support") +Signed-off-by: Necip Fazil Yildiran +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/ipv6/Kconfig ++++ b/net/ipv6/Kconfig +@@ -321,6 +321,7 @@ config IPV6_SEG6_LWTUNNEL + config IPV6_SEG6_HMAC + bool "IPv6: Segment Routing HMAC support" + depends on IPV6 ++ select CRYPTO + select CRYPTO_HMAC + select CRYPTO_SHA1 + select CRYPTO_SHA256 diff --git a/queue-4.19/net-phy-avoid-npd-upon-phy_detach-when-driver-is-unbound.patch b/queue-4.19/net-phy-avoid-npd-upon-phy_detach-when-driver-is-unbound.patch new file mode 100644 index 00000000000..ed33e15c843 --- /dev/null +++ b/queue-4.19/net-phy-avoid-npd-upon-phy_detach-when-driver-is-unbound.patch @@ -0,0 +1,37 @@ +From foo@baz Fri Sep 25 10:42:34 AM CEST 2020 +From: Florian Fainelli +Date: Wed, 16 Sep 2020 20:43:09 -0700 +Subject: net: phy: Avoid NPD upon phy_detach() when driver is unbound + +From: Florian Fainelli + +[ Upstream commit c2b727df7caa33876e7066bde090f40001b6d643 ] + +If we have unbound the PHY driver prior to calling phy_detach() (often +via phy_disconnect()) then we can cause a NULL pointer de-reference +accessing the driver owner member. The steps to reproduce are: + +echo unimac-mdio-0:01 > /sys/class/net/eth0/phydev/driver/unbind +ip link set eth0 down + +Fixes: cafe8df8b9bc ("net: phy: Fix lack of reference count on PHY driver") +Signed-off-by: Florian Fainelli +Reviewed-by: Andrew Lunn +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/phy/phy_device.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/net/phy/phy_device.c ++++ b/drivers/net/phy/phy_device.c +@@ -1154,7 +1154,8 @@ void phy_detach(struct phy_device *phyde + + phy_led_triggers_unregister(phydev); + +- module_put(phydev->mdio.dev.driver->owner); ++ if (phydev->mdio.dev.driver) ++ module_put(phydev->mdio.dev.driver->owner); + + /* If the device had no specific driver before (i.e. - it + * was using the generic driver), we unbind the device diff --git a/queue-4.19/net-qrtr-check-skb_put_padto-return-value.patch b/queue-4.19/net-qrtr-check-skb_put_padto-return-value.patch new file mode 100644 index 00000000000..523613f6715 --- /dev/null +++ b/queue-4.19/net-qrtr-check-skb_put_padto-return-value.patch @@ -0,0 +1,165 @@ +From foo@baz Fri Sep 25 10:42:34 AM CEST 2020 +From: Eric Dumazet +Date: Wed, 9 Sep 2020 01:27:39 -0700 +Subject: net: qrtr: check skb_put_padto() return value + +From: Eric Dumazet + +[ Upstream commit 3ca1a42a52ca4b4f02061683851692ad65fefac8 ] + +If skb_put_padto() returns an error, skb has been freed. +Better not touch it anymore, as reported by syzbot [1] + +Note to qrtr maintainers : this suggests qrtr_sendmsg() +should adjust sock_alloc_send_skb() second parameter +to account for the potential added alignment to avoid +reallocation. + +[1] + +BUG: KASAN: use-after-free in __skb_insert include/linux/skbuff.h:1907 [inline] +BUG: KASAN: use-after-free in __skb_queue_before include/linux/skbuff.h:2016 [inline] +BUG: KASAN: use-after-free in __skb_queue_tail include/linux/skbuff.h:2049 [inline] +BUG: KASAN: use-after-free in skb_queue_tail+0x6b/0x120 net/core/skbuff.c:3146 +Write of size 8 at addr ffff88804d8ab3c0 by task syz-executor.4/4316 + +CPU: 1 PID: 4316 Comm: syz-executor.4 Not tainted 5.9.0-rc4-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0x1d6/0x29e lib/dump_stack.c:118 + print_address_description+0x66/0x620 mm/kasan/report.c:383 + __kasan_report mm/kasan/report.c:513 [inline] + kasan_report+0x132/0x1d0 mm/kasan/report.c:530 + __skb_insert include/linux/skbuff.h:1907 [inline] + __skb_queue_before include/linux/skbuff.h:2016 [inline] + __skb_queue_tail include/linux/skbuff.h:2049 [inline] + skb_queue_tail+0x6b/0x120 net/core/skbuff.c:3146 + qrtr_tun_send+0x1a/0x40 net/qrtr/tun.c:23 + qrtr_node_enqueue+0x44f/0xc00 net/qrtr/qrtr.c:364 + qrtr_bcast_enqueue+0xbe/0x140 net/qrtr/qrtr.c:861 + qrtr_sendmsg+0x680/0x9c0 net/qrtr/qrtr.c:960 + sock_sendmsg_nosec net/socket.c:651 [inline] + sock_sendmsg net/socket.c:671 [inline] + sock_write_iter+0x317/0x470 net/socket.c:998 + call_write_iter include/linux/fs.h:1882 [inline] + new_sync_write fs/read_write.c:503 [inline] + vfs_write+0xa96/0xd10 fs/read_write.c:578 + ksys_write+0x11b/0x220 fs/read_write.c:631 + do_syscall_64+0x31/0x70 arch/x86/entry/common.c:46 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 +RIP: 0033:0x45d5b9 +Code: 5d b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 2b b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 +RSP: 002b:00007f84b5b81c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 +RAX: ffffffffffffffda RBX: 0000000000038b40 RCX: 000000000045d5b9 +RDX: 0000000000000055 RSI: 0000000020001240 RDI: 0000000000000003 +RBP: 00007f84b5b81ca0 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 000000000000000f +R13: 00007ffcbbf86daf R14: 00007f84b5b829c0 R15: 000000000118cf4c + +Allocated by task 4316: + kasan_save_stack mm/kasan/common.c:48 [inline] + kasan_set_track mm/kasan/common.c:56 [inline] + __kasan_kmalloc+0x100/0x130 mm/kasan/common.c:461 + slab_post_alloc_hook+0x3e/0x290 mm/slab.h:518 + slab_alloc mm/slab.c:3312 [inline] + kmem_cache_alloc+0x1c1/0x2d0 mm/slab.c:3482 + skb_clone+0x1b2/0x370 net/core/skbuff.c:1449 + qrtr_bcast_enqueue+0x6d/0x140 net/qrtr/qrtr.c:857 + qrtr_sendmsg+0x680/0x9c0 net/qrtr/qrtr.c:960 + sock_sendmsg_nosec net/socket.c:651 [inline] + sock_sendmsg net/socket.c:671 [inline] + sock_write_iter+0x317/0x470 net/socket.c:998 + call_write_iter include/linux/fs.h:1882 [inline] + new_sync_write fs/read_write.c:503 [inline] + vfs_write+0xa96/0xd10 fs/read_write.c:578 + ksys_write+0x11b/0x220 fs/read_write.c:631 + do_syscall_64+0x31/0x70 arch/x86/entry/common.c:46 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +Freed by task 4316: + kasan_save_stack mm/kasan/common.c:48 [inline] + kasan_set_track+0x3d/0x70 mm/kasan/common.c:56 + kasan_set_free_info+0x17/0x30 mm/kasan/generic.c:355 + __kasan_slab_free+0xdd/0x110 mm/kasan/common.c:422 + __cache_free mm/slab.c:3418 [inline] + kmem_cache_free+0x82/0xf0 mm/slab.c:3693 + __skb_pad+0x3f5/0x5a0 net/core/skbuff.c:1823 + __skb_put_padto include/linux/skbuff.h:3233 [inline] + skb_put_padto include/linux/skbuff.h:3252 [inline] + qrtr_node_enqueue+0x62f/0xc00 net/qrtr/qrtr.c:360 + qrtr_bcast_enqueue+0xbe/0x140 net/qrtr/qrtr.c:861 + qrtr_sendmsg+0x680/0x9c0 net/qrtr/qrtr.c:960 + sock_sendmsg_nosec net/socket.c:651 [inline] + sock_sendmsg net/socket.c:671 [inline] + sock_write_iter+0x317/0x470 net/socket.c:998 + call_write_iter include/linux/fs.h:1882 [inline] + new_sync_write fs/read_write.c:503 [inline] + vfs_write+0xa96/0xd10 fs/read_write.c:578 + ksys_write+0x11b/0x220 fs/read_write.c:631 + do_syscall_64+0x31/0x70 arch/x86/entry/common.c:46 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +The buggy address belongs to the object at ffff88804d8ab3c0 + which belongs to the cache skbuff_head_cache of size 224 +The buggy address is located 0 bytes inside of + 224-byte region [ffff88804d8ab3c0, ffff88804d8ab4a0) +The buggy address belongs to the page: +page:00000000ea8cccfb refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88804d8abb40 pfn:0x4d8ab +flags: 0xfffe0000000200(slab) +raw: 00fffe0000000200 ffffea0002237ec8 ffffea00029b3388 ffff88821bb66800 +raw: ffff88804d8abb40 ffff88804d8ab000 000000010000000b 0000000000000000 +page dumped because: kasan: bad access detected + +Fixes: ce57785bf91b ("net: qrtr: fix len of skb_put_padto in qrtr_node_enqueue") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Cc: Carl Huang +Cc: Wen Gong +Cc: Bjorn Andersson +Cc: Manivannan Sadhasivam +Acked-by: Manivannan Sadhasivam +Reviewed-by: Bjorn Andersson +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/qrtr/qrtr.c | 20 +++++++++++--------- + 1 file changed, 11 insertions(+), 9 deletions(-) + +--- a/net/qrtr/qrtr.c ++++ b/net/qrtr/qrtr.c +@@ -185,7 +185,7 @@ static int qrtr_node_enqueue(struct qrtr + { + struct qrtr_hdr_v1 *hdr; + size_t len = skb->len; +- int rc = -ENODEV; ++ int rc; + + hdr = skb_push(skb, sizeof(*hdr)); + hdr->version = cpu_to_le32(QRTR_PROTO_VER_1); +@@ -203,15 +203,17 @@ static int qrtr_node_enqueue(struct qrtr + hdr->size = cpu_to_le32(len); + hdr->confirm_rx = 0; + +- skb_put_padto(skb, ALIGN(len, 4) + sizeof(*hdr)); +- +- mutex_lock(&node->ep_lock); +- if (node->ep) +- rc = node->ep->xmit(node->ep, skb); +- else +- kfree_skb(skb); +- mutex_unlock(&node->ep_lock); ++ rc = skb_put_padto(skb, ALIGN(len, 4) + sizeof(*hdr)); + ++ if (!rc) { ++ mutex_lock(&node->ep_lock); ++ rc = -ENODEV; ++ if (node->ep) ++ rc = node->ep->xmit(node->ep, skb); ++ else ++ kfree_skb(skb); ++ mutex_unlock(&node->ep_lock); ++ } + return rc; + } + diff --git a/queue-4.19/net-sch_generic-aviod-concurrent-reset-and-enqueue-op-for-lockless-qdisc.patch b/queue-4.19/net-sch_generic-aviod-concurrent-reset-and-enqueue-op-for-lockless-qdisc.patch new file mode 100644 index 00000000000..ca2e3e35d48 --- /dev/null +++ b/queue-4.19/net-sch_generic-aviod-concurrent-reset-and-enqueue-op-for-lockless-qdisc.patch @@ -0,0 +1,107 @@ +From foo@baz Fri Sep 25 10:42:33 AM CEST 2020 +From: Yunsheng Lin +Date: Tue, 8 Sep 2020 19:02:34 +0800 +Subject: net: sch_generic: aviod concurrent reset and enqueue op for lockless qdisc + +From: Yunsheng Lin + +[ Upstream commit 2fb541c862c987d02dfdf28f1545016deecfa0d5 ] + +Currently there is concurrent reset and enqueue operation for the +same lockless qdisc when there is no lock to synchronize the +q->enqueue() in __dev_xmit_skb() with the qdisc reset operation in +qdisc_deactivate() called by dev_deactivate_queue(), which may cause +out-of-bounds access for priv->ring[] in hns3 driver if user has +requested a smaller queue num when __dev_xmit_skb() still enqueue a +skb with a larger queue_mapping after the corresponding qdisc is +reset, and call hns3_nic_net_xmit() with that skb later. + +Reused the existing synchronize_net() in dev_deactivate_many() to +make sure skb with larger queue_mapping enqueued to old qdisc(which +is saved in dev_queue->qdisc_sleeping) will always be reset when +dev_reset_queue() is called. + +Fixes: 6b3ba9146fe6 ("net: sched: allow qdiscs to handle locking") +Signed-off-by: Yunsheng Lin +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/sched/sch_generic.c | 49 ++++++++++++++++++++++++++++++++---------------- + 1 file changed, 33 insertions(+), 16 deletions(-) + +--- a/net/sched/sch_generic.c ++++ b/net/sched/sch_generic.c +@@ -1115,27 +1115,36 @@ static void dev_deactivate_queue(struct + struct netdev_queue *dev_queue, + void *_qdisc_default) + { +- struct Qdisc *qdisc_default = _qdisc_default; +- struct Qdisc *qdisc; ++ struct Qdisc *qdisc = rtnl_dereference(dev_queue->qdisc); + +- qdisc = rtnl_dereference(dev_queue->qdisc); + if (qdisc) { +- bool nolock = qdisc->flags & TCQ_F_NOLOCK; +- +- if (nolock) +- spin_lock_bh(&qdisc->seqlock); +- spin_lock_bh(qdisc_lock(qdisc)); +- + if (!(qdisc->flags & TCQ_F_BUILTIN)) + set_bit(__QDISC_STATE_DEACTIVATED, &qdisc->state); ++ } ++} + +- rcu_assign_pointer(dev_queue->qdisc, qdisc_default); +- qdisc_reset(qdisc); ++static void dev_reset_queue(struct net_device *dev, ++ struct netdev_queue *dev_queue, ++ void *_unused) ++{ ++ struct Qdisc *qdisc; ++ bool nolock; + +- spin_unlock_bh(qdisc_lock(qdisc)); +- if (nolock) +- spin_unlock_bh(&qdisc->seqlock); +- } ++ qdisc = dev_queue->qdisc_sleeping; ++ if (!qdisc) ++ return; ++ ++ nolock = qdisc->flags & TCQ_F_NOLOCK; ++ ++ if (nolock) ++ spin_lock_bh(&qdisc->seqlock); ++ spin_lock_bh(qdisc_lock(qdisc)); ++ ++ qdisc_reset(qdisc); ++ ++ spin_unlock_bh(qdisc_lock(qdisc)); ++ if (nolock) ++ spin_unlock_bh(&qdisc->seqlock); + } + + static bool some_qdisc_is_busy(struct net_device *dev) +@@ -1196,12 +1205,20 @@ void dev_deactivate_many(struct list_hea + dev_watchdog_down(dev); + } + +- /* Wait for outstanding qdisc-less dev_queue_xmit calls. ++ /* Wait for outstanding qdisc-less dev_queue_xmit calls or ++ * outstanding qdisc enqueuing calls. + * This is avoided if all devices are in dismantle phase : + * Caller will call synchronize_net() for us + */ + synchronize_net(); + ++ list_for_each_entry(dev, head, close_list) { ++ netdev_for_each_tx_queue(dev, dev_reset_queue, NULL); ++ ++ if (dev_ingress_queue(dev)) ++ dev_reset_queue(dev, dev_ingress_queue(dev), NULL); ++ } ++ + /* Wait for outstanding qdisc_run calls. */ + list_for_each_entry(dev, head, close_list) { + while (some_qdisc_is_busy(dev)) diff --git a/queue-4.19/nfp-use-correct-define-to-return-none-fec.patch b/queue-4.19/nfp-use-correct-define-to-return-none-fec.patch new file mode 100644 index 00000000000..114b12c5e1d --- /dev/null +++ b/queue-4.19/nfp-use-correct-define-to-return-none-fec.patch @@ -0,0 +1,35 @@ +From foo@baz Fri Sep 25 10:42:33 AM CEST 2020 +From: Jakub Kicinski +Date: Thu, 17 Sep 2020 10:52:57 -0700 +Subject: nfp: use correct define to return NONE fec + +From: Jakub Kicinski + +[ Upstream commit 5f6857e808a8bd078296575b417c4b9d160b9779 ] + +struct ethtool_fecparam carries bitmasks not bit numbers. +We want to return 1 (NONE), not 0. + +Fixes: 0d0870938337 ("nfp: implement ethtool FEC mode settings") +Signed-off-by: Jakub Kicinski +Reviewed-by: Simon Horman +Reviewed-by: Jesse Brandeburg +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/netronome/nfp/nfp_net_ethtool.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/netronome/nfp/nfp_net_ethtool.c ++++ b/drivers/net/ethernet/netronome/nfp/nfp_net_ethtool.c +@@ -744,8 +744,8 @@ nfp_port_get_fecparam(struct net_device + struct nfp_eth_table_port *eth_port; + struct nfp_port *port; + +- param->active_fec = ETHTOOL_FEC_NONE_BIT; +- param->fec = ETHTOOL_FEC_NONE_BIT; ++ param->active_fec = ETHTOOL_FEC_NONE; ++ param->fec = ETHTOOL_FEC_NONE; + + port = nfp_port_from_netdev(netdev); + eth_port = nfp_port_get_eth_port(port); diff --git a/queue-4.19/series b/queue-4.19/series index 0387cc8025b..45533b5315a 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -2,3 +2,22 @@ af_key-pfkey_dump-needs-parameter-validation.patch kvm-fix-memory-leak-in-kvm_io_bus_unregister_dev.patch kprobes-fix-kill-kprobe-which-has-been-marked-as-gon.patch mm-thp-fix-__split_huge_pmd_locked-for-migration-pmd.patch +cxgb4-fix-offset-when-clearing-filter-byte-counters.patch +geneve-add-transport-ports-in-route-lookup-for-geneve.patch +hdlc_ppp-add-range-checks-in-ppp_cp_parse_cr.patch +ip-fix-tos-reflection-in-ack-and-reset-packets.patch +ipv6-avoid-lockdep-issue-in-fib6_del.patch +net-dcb-validate-dcb_attr_dcb_buffer-argument.patch +net-dsa-rtl8366-properly-clear-member-config.patch +net-ipv6-fix-kconfig-dependency-warning-for-ipv6_seg6_hmac.patch +net-sch_generic-aviod-concurrent-reset-and-enqueue-op-for-lockless-qdisc.patch +nfp-use-correct-define-to-return-none-fec.patch +tipc-fix-memory-leak-in-tipc_group_create_member.patch +tipc-fix-shutdown-of-connection-oriented-socket.patch +tipc-use-skb_unshare-instead-in-tipc_buf_append.patch +bnxt_en-return-proper-error-codes-in-bnxt_show_temp.patch +bnxt_en-protect-bnxt_set_eee-and-bnxt_set_pauseparam-with-mutex.patch +net-phy-avoid-npd-upon-phy_detach-when-driver-is-unbound.patch +net-qrtr-check-skb_put_padto-return-value.patch +net-add-__must_check-to-skb_put_padto.patch +ipv4-update-exception-handling-for-multipath-routes-via-same-device.patch diff --git a/queue-4.19/tipc-fix-memory-leak-in-tipc_group_create_member.patch b/queue-4.19/tipc-fix-memory-leak-in-tipc_group_create_member.patch new file mode 100644 index 00000000000..b9b7bc8bc06 --- /dev/null +++ b/queue-4.19/tipc-fix-memory-leak-in-tipc_group_create_member.patch @@ -0,0 +1,73 @@ +From foo@baz Fri Sep 25 10:42:33 AM CEST 2020 +From: Peilin Ye +Date: Sun, 13 Sep 2020 04:06:05 -0400 +Subject: tipc: Fix memory leak in tipc_group_create_member() + +From: Peilin Ye + +[ Upstream commit bb3a420d47ab00d7e1e5083286cab15235a96680 ] + +tipc_group_add_to_tree() returns silently if `key` matches `nkey` of an +existing node, causing tipc_group_create_member() to leak memory. Let +tipc_group_add_to_tree() return an error in such a case, so that +tipc_group_create_member() can handle it properly. + +Fixes: 75da2163dbb6 ("tipc: introduce communication groups") +Reported-and-tested-by: syzbot+f95d90c454864b3b5bc9@syzkaller.appspotmail.com +Cc: Hillf Danton +Link: https://syzkaller.appspot.com/bug?id=048390604fe1b60df34150265479202f10e13aff +Signed-off-by: Peilin Ye +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/tipc/group.c | 14 ++++++++++---- + 1 file changed, 10 insertions(+), 4 deletions(-) + +--- a/net/tipc/group.c ++++ b/net/tipc/group.c +@@ -273,8 +273,8 @@ static struct tipc_member *tipc_group_fi + return NULL; + } + +-static void tipc_group_add_to_tree(struct tipc_group *grp, +- struct tipc_member *m) ++static int tipc_group_add_to_tree(struct tipc_group *grp, ++ struct tipc_member *m) + { + u64 nkey, key = (u64)m->node << 32 | m->port; + struct rb_node **n, *parent = NULL; +@@ -291,10 +291,11 @@ static void tipc_group_add_to_tree(struc + else if (key > nkey) + n = &(*n)->rb_right; + else +- return; ++ return -EEXIST; + } + rb_link_node(&m->tree_node, parent, n); + rb_insert_color(&m->tree_node, &grp->members); ++ return 0; + } + + static struct tipc_member *tipc_group_create_member(struct tipc_group *grp, +@@ -302,6 +303,7 @@ static struct tipc_member *tipc_group_cr + u32 instance, int state) + { + struct tipc_member *m; ++ int ret; + + m = kzalloc(sizeof(*m), GFP_ATOMIC); + if (!m) +@@ -314,8 +316,12 @@ static struct tipc_member *tipc_group_cr + m->port = port; + m->instance = instance; + m->bc_acked = grp->bc_snd_nxt - 1; ++ ret = tipc_group_add_to_tree(grp, m); ++ if (ret < 0) { ++ kfree(m); ++ return NULL; ++ } + grp->member_cnt++; +- tipc_group_add_to_tree(grp, m); + tipc_nlist_add(&grp->dests, m->node); + m->state = state; + return m; diff --git a/queue-4.19/tipc-fix-shutdown-of-connection-oriented-socket.patch b/queue-4.19/tipc-fix-shutdown-of-connection-oriented-socket.patch new file mode 100644 index 00000000000..aa67b8ed501 --- /dev/null +++ b/queue-4.19/tipc-fix-shutdown-of-connection-oriented-socket.patch @@ -0,0 +1,55 @@ +From foo@baz Fri Sep 25 10:42:33 AM CEST 2020 +From: Tetsuo Handa +Date: Sat, 5 Sep 2020 15:14:47 +0900 +Subject: tipc: fix shutdown() of connection oriented socket + +From: Tetsuo Handa + +[ Upstream commit a4b5cc9e10803ecba64a7d54c0f47e4564b4a980 ] + +I confirmed that the problem fixed by commit 2a63866c8b51a3f7 ("tipc: fix +shutdown() of connectionless socket") also applies to stream socket. + +---------- +#include +#include +#include + +int main(int argc, char *argv[]) +{ + int fds[2] = { -1, -1 }; + socketpair(PF_TIPC, SOCK_STREAM /* or SOCK_DGRAM */, 0, fds); + if (fork() == 0) + _exit(read(fds[0], NULL, 1)); + shutdown(fds[0], SHUT_RDWR); /* This must make read() return. */ + wait(NULL); /* To be woken up by _exit(). */ + return 0; +} +---------- + +Since shutdown(SHUT_RDWR) should affect all processes sharing that socket, +unconditionally setting sk->sk_shutdown to SHUTDOWN_MASK will be the right +behavior. + +Signed-off-by: Tetsuo Handa +Acked-by: Ying Xue +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/tipc/socket.c | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +--- a/net/tipc/socket.c ++++ b/net/tipc/socket.c +@@ -2565,10 +2565,7 @@ static int tipc_shutdown(struct socket * + lock_sock(sk); + + __tipc_shutdown(sock, TIPC_CONN_SHUTDOWN); +- if (tipc_sk_type_connectionless(sk)) +- sk->sk_shutdown = SHUTDOWN_MASK; +- else +- sk->sk_shutdown = SEND_SHUTDOWN; ++ sk->sk_shutdown = SHUTDOWN_MASK; + + if (sk->sk_state == TIPC_DISCONNECTING) { + /* Discard any unreceived messages */ diff --git a/queue-4.19/tipc-use-skb_unshare-instead-in-tipc_buf_append.patch b/queue-4.19/tipc-use-skb_unshare-instead-in-tipc_buf_append.patch new file mode 100644 index 00000000000..8cdcd03bfb8 --- /dev/null +++ b/queue-4.19/tipc-use-skb_unshare-instead-in-tipc_buf_append.patch @@ -0,0 +1,67 @@ +From foo@baz Fri Sep 25 10:42:33 AM CEST 2020 +From: Xin Long +Date: Sun, 13 Sep 2020 19:37:31 +0800 +Subject: tipc: use skb_unshare() instead in tipc_buf_append() + +From: Xin Long + +[ Upstream commit ff48b6222e65ebdba5a403ef1deba6214e749193 ] + +In tipc_buf_append() it may change skb's frag_list, and it causes +problems when this skb is cloned. skb_unclone() doesn't really +make this skb's flag_list available to change. + +Shuang Li has reported an use-after-free issue because of this +when creating quite a few macvlan dev over the same dev, where +the broadcast packets will be cloned and go up to the stack: + + [ ] BUG: KASAN: use-after-free in pskb_expand_head+0x86d/0xea0 + [ ] Call Trace: + [ ] dump_stack+0x7c/0xb0 + [ ] print_address_description.constprop.7+0x1a/0x220 + [ ] kasan_report.cold.10+0x37/0x7c + [ ] check_memory_region+0x183/0x1e0 + [ ] pskb_expand_head+0x86d/0xea0 + [ ] process_backlog+0x1df/0x660 + [ ] net_rx_action+0x3b4/0xc90 + [ ] + [ ] Allocated by task 1786: + [ ] kmem_cache_alloc+0xbf/0x220 + [ ] skb_clone+0x10a/0x300 + [ ] macvlan_broadcast+0x2f6/0x590 [macvlan] + [ ] macvlan_process_broadcast+0x37c/0x516 [macvlan] + [ ] process_one_work+0x66a/0x1060 + [ ] worker_thread+0x87/0xb10 + [ ] + [ ] Freed by task 3253: + [ ] kmem_cache_free+0x82/0x2a0 + [ ] skb_release_data+0x2c3/0x6e0 + [ ] kfree_skb+0x78/0x1d0 + [ ] tipc_recvmsg+0x3be/0xa40 [tipc] + +So fix it by using skb_unshare() instead, which would create a new +skb for the cloned frag and it'll be safe to change its frag_list. +The similar things were also done in sctp_make_reassembled_event(), +which is using skb_copy(). + +Reported-by: Shuang Li +Fixes: 37e22164a8a3 ("tipc: rename and move message reassembly function") +Signed-off-by: Xin Long +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/tipc/msg.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/tipc/msg.c ++++ b/net/tipc/msg.c +@@ -140,7 +140,8 @@ int tipc_buf_append(struct sk_buff **hea + if (fragid == FIRST_FRAGMENT) { + if (unlikely(head)) + goto err; +- if (unlikely(skb_unclone(frag, GFP_ATOMIC))) ++ frag = skb_unshare(frag, GFP_ATOMIC); ++ if (unlikely(!frag)) + goto err; + head = *headbuf = frag; + *buf = NULL;