From: Greg Kroah-Hartman Date: Thu, 21 Feb 2019 07:50:47 +0000 (+0100) Subject: 4.14-stable patches X-Git-Tag: v3.18.136~22 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=63f6579a1911f1c3338e9ebd5d953418a0725475;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: mlxsw-__mlxsw_sp_port_headroom_set-fix-a-use-of-local-variable.patch net-add-header-for-usage-of-fls64.patch net-crypto-set-sk-to-null-when-af_alg_release.patch net-do-not-allocate-page-fragments-that-are-not-skb-aligned.patch net-fix-for_each_netdev_feature-on-big-endian.patch net-phy-xgmiitorgmii-support-generic-phy-status-read.patch net-stmmac-fix-a-race-in-eee-enable-callback.patch net-stmmac-handle-endianness-in-dwmac4_get_timestamp.patch net-validate-untrusted-gso-packets-without-csum-offload.patch sky2-increase-d3-delay-again.patch tcp-clear-icsk_backoff-in-tcp_write_queue_purge.patch tcp-tcp_v4_err-should-be-more-careful.patch vhost-correctly-check-the-return-value-of-translate_desc-in-log_used.patch
---
diff --git a/queue-4.14/mlxsw-__mlxsw_sp_port_headroom_set-fix-a-use-of-local-variable.patch b/queue-4.14/mlxsw-__mlxsw_sp_port_headroom_set-fix-a-use-of-local-variable.patch
new file mode 100644
index 00000000000..a37dc14f406
--- /dev/null
+++ b/queue-4.14/mlxsw-__mlxsw_sp_port_headroom_set-fix-a-use-of-local-variable.patch
@@ -0,0 +1,57 @@
+From foo@baz Thu Feb 21 07:26:37 CET 2019
+From: Petr Machata
+Date: Sun, 17 Feb 2019 07:18:41 +0000
+Subject: mlxsw: __mlxsw_sp_port_headroom_set(): Fix a use of local variable
+
+From: Petr Machata
+
+[ Upstream commit 289460404f6947ef1c38e67d680be9a84161250b ]
+
+The function-local variable "delay" enters the loop interpreted as delay
+in bits. However, inside the loop it gets overwritten by the result of
+mlxsw_sp_pg_buf_delay_get(), and thus leaves the loop as quantity in
+cells. Thus on second and further loop iterations, the headroom for a
+given priority is configured with a wrong size.
+
+Fix by introducing a loop-local variable, delay_cells. Rename thres to
+thres_cells for consistency.
+
+Fixes: f417f04da589 ("mlxsw: spectrum: Refactor port buffer configuration")
+Signed-off-by: Petr Machata
+Acked-by: Jiri Pirko
+Signed-off-by: Ido Schimmel
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/mellanox/mlxsw/spectrum.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum.c
++++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum.c
+@@ -1161,8 +1161,9 @@ int __mlxsw_sp_port_headroom_set(struct
+ for (i = 0; i < IEEE_8021QAZ_MAX_TCS; i++) {
+ bool configure = false;
+ bool pfc = false;
++ u16 thres_cells;
++ u16 delay_cells;
+ bool lossy;
+- u16 thres;
+
+ for (j = 0; j < IEEE_8021QAZ_MAX_TCS; j++) {
+ if (prio_tc[j] == i) {
+@@ -1176,10 +1177,11 @@ int __mlxsw_sp_port_headroom_set(struct
+ continue;
+
+ lossy = !(pfc || pause_en);
+- thres = mlxsw_sp_pg_buf_threshold_get(mlxsw_sp, mtu);
+- delay = mlxsw_sp_pg_buf_delay_get(mlxsw_sp, mtu, delay, pfc,
+- pause_en);
+- mlxsw_sp_pg_buf_pack(pbmc_pl, i, thres + delay, thres, lossy);
++ thres_cells = mlxsw_sp_pg_buf_threshold_get(mlxsw_sp, mtu);
++ delay_cells = mlxsw_sp_pg_buf_delay_get(mlxsw_sp, mtu, delay,
++ pfc, pause_en);
++ mlxsw_sp_pg_buf_pack(pbmc_pl, i, thres_cells + delay_cells,
++ thres_cells, lossy);
+ }
+
+ return mlxsw_reg_write(mlxsw_sp->core, MLXSW_REG(pbmc), pbmc_pl);
diff --git a/queue-4.14/net-add-header-for-usage-of-fls64.patch b/queue-4.14/net-add-header-for-usage-of-fls64.patch
new file mode 100644
index 00000000000..aee6e89c46a
--- /dev/null
+++ b/queue-4.14/net-add-header-for-usage-of-fls64.patch
@@ -0,0 +1,27 @@
+From foo@baz Thu Feb 21 07:26:37 CET 2019
+From: "David S. Miller"
+Date: Sat, 16 Feb 2019 13:44:39 -0800
+Subject: net: Add header for usage of fls64()
+
+From: "David S. Miller"
+
+[ Upstream commit 8681ef1f3d295bd3600315325f3b3396d76d02f6 ]
+
+Fixes: 3b89ea9c5902 ("net: Fix for_each_netdev_feature on Big endian")
+Suggested-by: Eric Dumazet
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ include/linux/netdev_features.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/include/linux/netdev_features.h
++++ b/include/linux/netdev_features.h
+@@ -11,6 +11,7 @@
+ #define _LINUX_NETDEV_FEATURES_H
+
+ #include
++#include
+ #include
+
+ typedef u64 netdev_features_t;
diff --git a/queue-4.14/net-crypto-set-sk-to-null-when-af_alg_release.patch b/queue-4.14/net-crypto-set-sk-to-null-when-af_alg_release.patch
new file mode 100644
index 00000000000..4a8826b35a7
--- /dev/null
+++ b/queue-4.14/net-crypto-set-sk-to-null-when-af_alg_release.patch
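Review bot: In `__mlxsw_sp_port_headroom_set()` the third argument of `mlxsw_sp_pg_buf_delay_get()` is still the function-level `delay`, and nothing at the call site records that it is in bits while the result is in cells, which is the unit mix-up the commit message describes. A one-line comment above the call, `/* delay is in bits; the helper returns cells */`, would keep the two units apart for the next edit. Separately, `thres_cells + delay_cells` adds two u16 values before they reach `mlxsw_sp_pg_buf_pack()`; that parameter's type is outside the hunk, so whether a large sum can be truncated there should be confirmed. The function body starts and ends outside the hunk.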
@@ -0,0 +1,121 @@
+From foo@baz Thu Feb 21 07:26:37 CET 2019
+From: Mao Wenan
+Date: Mon, 18 Feb 2019 10:44:44 +0800
+Subject: net: crypto set sk to NULL when af_alg_release.
+
+From: Mao Wenan
+
+[ Upstream commit 9060cb719e61b685ec0102574e10337fa5f445ea ]
+
+KASAN has found use-after-free in sockfs_setattr.
+The existed commit 6d8c50dcb029 ("socket: close race condition between sock_close()
+and sockfs_setattr()") is to fix this simillar issue, but it seems to ignore
+that crypto module forgets to set the sk to NULL after af_alg_release.
+
+KASAN report details as below:
+BUG: KASAN: use-after-free in sockfs_setattr+0x120/0x150
+Write of size 4 at addr ffff88837b956128 by task syz-executor0/4186
+
+CPU: 2 PID: 4186 Comm: syz-executor0 Not tainted xxx + #1
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
+1.10.2-1ubuntu1 04/01/2014
+Call Trace:
+ dump_stack+0xca/0x13e
+ print_address_description+0x79/0x330
+ ? vprintk_func+0x5e/0xf0
+ kasan_report+0x18a/0x2e0
+ ? sockfs_setattr+0x120/0x150
+ sockfs_setattr+0x120/0x150
+ ? sock_register+0x2d0/0x2d0
+ notify_change+0x90c/0xd40
+ ? chown_common+0x2ef/0x510
+ chown_common+0x2ef/0x510
+ ? chmod_common+0x3b0/0x3b0
+ ? __lock_is_held+0xbc/0x160
+ ? __sb_start_write+0x13d/0x2b0
+ ? __mnt_want_write+0x19a/0x250
+ do_fchownat+0x15c/0x190
+ ? __ia32_sys_chmod+0x80/0x80
+ ? trace_hardirqs_on_thunk+0x1a/0x1c
+ __x64_sys_fchownat+0xbf/0x160
+ ? lockdep_hardirqs_on+0x39a/0x5e0
+ do_syscall_64+0xc8/0x580
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+RIP: 0033:0x462589
+Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89
+f7 48 89 d6 48 89
+ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3
+48 c7 c1 bc ff ff
+ff f7 d8 64 89 01 48
+RSP: 002b:00007fb4b2c83c58 EFLAGS: 00000246 ORIG_RAX: 0000000000000104
+RAX: ffffffffffffffda RBX: 000000000072bfa0 RCX: 0000000000462589
+RDX: 0000000000000000 RSI: 00000000200000c0 RDI: 0000000000000007
+RBP: 0000000000000005 R08: 0000000000001000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 00007fb4b2c846bc
+R13: 00000000004bc733 R14: 00000000006f5138 R15: 00000000ffffffff
+
+Allocated by task 4185:
+ kasan_kmalloc+0xa0/0xd0
+ __kmalloc+0x14a/0x350
+ sk_prot_alloc+0xf6/0x290
+ sk_alloc+0x3d/0xc00
+ af_alg_accept+0x9e/0x670
+ hash_accept+0x4a3/0x650
+ __sys_accept4+0x306/0x5c0
+ __x64_sys_accept4+0x98/0x100
+ do_syscall_64+0xc8/0x580
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+Freed by task 4184:
+ __kasan_slab_free+0x12e/0x180
+ kfree+0xeb/0x2f0
+ __sk_destruct+0x4e6/0x6a0
+ sk_destruct+0x48/0x70
+ __sk_free+0xa9/0x270
+ sk_free+0x2a/0x30
+ af_alg_release+0x5c/0x70
+ __sock_release+0xd3/0x280
+ sock_close+0x1a/0x20
+ __fput+0x27f/0x7f0
+ task_work_run+0x136/0x1b0
+ exit_to_usermode_loop+0x1a7/0x1d0
+ do_syscall_64+0x461/0x580
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+Syzkaller reproducer:
+r0 = perf_event_open(&(0x7f0000000000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0,
+0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
+0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
+0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0,
+0xffffffffffffffff, 0x0)
+r1 = socket$alg(0x26, 0x5, 0x0)
+getrusage(0x0, 0x0)
+bind(r1, &(0x7f00000001c0)=@alg={0x26, 'hash\x00', 0x0, 0x0,
+'sha256-ssse3\x00'}, 0x80)
+r2 = accept(r1, 0x0, 0x0)
+r3 = accept4$unix(r2, 0x0, 0x0, 0x0)
+r4 = dup3(r3, r0, 0x0)
+fchownat(r4, &(0x7f00000000c0)='\x00', 0x0, 0x0, 0x1000)
+
+Fixes: 6d8c50dcb029 ("socket: close race condition between sock_close() and sockfs_setattr()")
+Signed-off-by: Mao Wenan
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ crypto/af_alg.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/crypto/af_alg.c
++++ b/crypto/af_alg.c
+@@ -122,8 +122,10 @@ static void alg_do_release(const struct
+
+ int af_alg_release(struct socket *sock)
+ {
+- if (sock->sk)
++ if (sock->sk) {
+ sock_put(sock->sk);
++ sock->sk = NULL;
++ }
+ return 0;
+ }
+ EXPORT_SYMBOL_GPL(af_alg_release);
diff --git a/queue-4.14/net-do-not-allocate-page-fragments-that-are-not-skb-aligned.patch b/queue-4.14/net-do-not-allocate-page-fragments-that-are-not-skb-aligned.patch
new file mode 100644
index 00000000000..e8c529d588f
--- /dev/null
+++ b/queue-4.14/net-do-not-allocate-page-fragments-that-are-not-skb-aligned.patch
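Review bot: The new `sock->sk = NULL;` in `af_alg_release()` only closes the use-after-free if every reader that tests `sock->sk` is serialized against release, and nothing in the hunk states that dependency. The commit message names sockfs_setattr() as the reader and commit 6d8c50dcb029 as the change that presumably provides the ordering; a reader that already loaded the old pointer would still reach the freed sock. A comment on the store, for example `/* sockfs_setattr() tests sock->sk; clear it so the freed sock cannot be reached through this socket */`, would record why the assignment is needed and what it relies on.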
@@ -0,0 +1,45 @@
+From foo@baz Thu Feb 21 07:26:37 CET 2019
+From: Alexander Duyck
+Date: Fri, 15 Feb 2019 14:44:18 -0800
+Subject: net: Do not allocate page fragments that are not skb aligned
+
+From: Alexander Duyck
+
+[ Upstream commit 3bed3cc4156eedf652b4df72bdb35d4f1a2a739d ]
+
+This patch addresses the fact that there are drivers, specifically tun,
+that will call into the network page fragment allocators with buffer sizes
+that are not cache aligned. Doing this could result in data alignment
+and DMA performance issues as these fragment pools are also shared with the
+skb allocator and any other devices that will use napi_alloc_frags or
+netdev_alloc_frags.
+
+Fixes: ffde7328a36d ("net: Split netdev_alloc_frag into __alloc_page_frag and add __napi_alloc_frag")
+Reported-by: Jann Horn
+Signed-off-by: Alexander Duyck
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/core/skbuff.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/net/core/skbuff.c
++++ b/net/core/skbuff.c
+@@ -353,6 +353,8 @@ static void *__netdev_alloc_frag(unsigne
+ */
+ void *netdev_alloc_frag(unsigned int fragsz)
+ {
++ fragsz = SKB_DATA_ALIGN(fragsz);
++
+ return __netdev_alloc_frag(fragsz, GFP_ATOMIC | __GFP_COLD);
+ }
+ EXPORT_SYMBOL(netdev_alloc_frag);
+@@ -366,6 +368,8 @@ static void *__napi_alloc_frag(unsigned
+
+ void *napi_alloc_frag(unsigned int fragsz)
+ {
++ fragsz = SKB_DATA_ALIGN(fragsz);
++
+ return __napi_alloc_frag(fragsz, GFP_ATOMIC | __GFP_COLD);
+ }
+ EXPORT_SYMBOL(napi_alloc_frag);
diff --git a/queue-4.14/net-fix-for_each_netdev_feature-on-big-endian.patch b/queue-4.14/net-fix-for_each_netdev_feature-on-big-endian.patch
new file mode 100644
index 00000000000..e9ebc849a0f
--- /dev/null
+++ b/queue-4.14/net-fix-for_each_netdev_feature-on-big-endian.patch
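Review bot: `fragsz = SKB_DATA_ALIGN(fragsz);` rounds an `unsigned int` upward, so a request within one alignment unit of UINT_MAX wraps to a small value or zero before it reaches `__netdev_alloc_frag()`; the identical line in `napi_alloc_frag()` has the same property. The callers and any upper bound they enforce are outside the hunk, and the commit message names tun as a caller, so it is worth confirming that every caller bounds fragsz before the round-up. The kernel-doc above `netdev_alloc_frag()` (only its closing `*/` is visible) should also state that the fragment is sized to the aligned length rather than to the fragsz passed in.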
@@ -0,0 +1,88 @@
+From foo@baz Thu Feb 21 07:26:37 CET 2019
+From: Hauke Mehrtens
+Date: Fri, 15 Feb 2019 17:58:54 +0100
+Subject: net: Fix for_each_netdev_feature on Big endian
+
+From: Hauke Mehrtens
+
+[ Upstream commit 3b89ea9c5902acccdbbdec307c85edd1bf52515e ]
+
+The features attribute is of type u64 and stored in the native endianes on
+the system. The for_each_set_bit() macro takes a pointer to a 32 bit array
+and goes over the bits in this area. On little Endian systems this also
+works with an u64 as the most significant bit is on the highest address,
+but on big endian the words are swapped. When we expect bit 15 here we get
+bit 47 (15 + 32).
+
+This patch converts it more or less to its own for_each_set_bit()
+implementation which works on 64 bit integers directly. This is then
+completely in host endianness and should work like expected.
+
+Fixes: fd867d51f ("net/core: generic support for disabling netdev features down stack")
+Signed-off-by: Hauke Mehrtens
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ include/linux/netdev_features.h | 23 +++++++++++++++++++++--
+ net/core/dev.c | 4 ++--
+ 2 files changed, 23 insertions(+), 4 deletions(-)
+
+--- a/include/linux/netdev_features.h
++++ b/include/linux/netdev_features.h
+@@ -11,6 +11,7 @@
+ #define _LINUX_NETDEV_FEATURES_H
+
+ #include
++#include
+
+ typedef u64 netdev_features_t;
+
+@@ -143,8 +144,26 @@ enum {
+ #define NETIF_F_HW_ESP_TX_CSUM __NETIF_F(HW_ESP_TX_CSUM)
+ #define NETIF_F_RX_UDP_TUNNEL_PORT __NETIF_F(RX_UDP_TUNNEL_PORT)
+
+-#define for_each_netdev_feature(mask_addr, bit) \
+- for_each_set_bit(bit, (unsigned long *)mask_addr, NETDEV_FEATURE_COUNT)
++/* Finds the next feature with the highest number of the range of start till 0.
++ */
++static inline int find_next_netdev_feature(u64 feature, unsigned long start)
++{
++ /* like BITMAP_LAST_WORD_MASK() for u64
++ * this sets the most significant 64 - start to 0.
++ */
++ feature &= ~0ULL >> (-start & ((sizeof(feature) * 8) - 1));
++
++ return fls64(feature) - 1;
++}
++
++/* This goes for the MSB to the LSB through the set feature bits,
++ * mask_addr should be a u64 and bit an int
++ */
++#define for_each_netdev_feature(mask_addr, bit) \
++ for ((bit) = find_next_netdev_feature((mask_addr), \
++ NETDEV_FEATURE_COUNT); \
++ (bit) >= 0; \
++ (bit) = find_next_netdev_feature((mask_addr), (bit) - 1))
+
+ /* Features valid for ethtool to change */
+ /* = all defined minus driver/device-class-related */
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -7260,7 +7260,7 @@ static netdev_features_t netdev_sync_upp
+ netdev_features_t feature;
+ int feature_bit;
+
+- for_each_netdev_feature(&upper_disables, feature_bit) {
++ for_each_netdev_feature(upper_disables, feature_bit) {
+ feature = __NETIF_F_BIT(feature_bit);
+ if (!(upper->wanted_features & feature)
+ && (features & feature)) {
+@@ -7280,7 +7280,7 @@ static void netdev_sync_lower_features(s
+ netdev_features_t feature;
+ int feature_bit;
+
+- for_each_netdev_feature(&upper_disables, feature_bit) {
++ for_each_netdev_feature(upper_disables, feature_bit) {
+ feature = __NETIF_F_BIT(feature_bit);
+ if (!(features & feature) && (lower->features & feature)) {
+ netdev_dbg(upper, "Disabling feature %pNF on lower dev %s.\n",
diff --git a/queue-4.14/net-phy-xgmiitorgmii-support-generic-phy-status-read.patch b/queue-4.14/net-phy-xgmiitorgmii-support-generic-phy-status-read.patch
new file mode 100644
index 00000000000..3a79967e087
--- /dev/null
+++ b/queue-4.14/net-phy-xgmiitorgmii-support-generic-phy-status-read.patch
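Review bot: The step expression `find_next_netdev_feature((mask_addr), (bit) - 1)` in the new `for_each_netdev_feature()` skips a feature: the helper's mask keeps bits 0 to start-1, so passing bit-1 as start drops bit-1 itself and two adjacent set bits yield only the higher one. A start of 0 is not handled either, because `-start & 63` is then 0 and the mask keeps all 64 bits, so after returning bit 1 the helper returns the top set bit again and the loop does not terminate. Passing `(bit)` as the next start and adding `if (!start) return -1;` at the top of the helper addresses both, and the helper's comment would then read "start - 1 till 0". The masks passed by the two callers in net/core/dev.c are defined outside this patch, so whether either case is reachable today is not visible here.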
@@ -0,0 +1,38 @@
+From foo@baz Thu Feb 21 07:26:37 CET 2019
+From: Paul Kocialkowski
+Date: Fri, 15 Feb 2019 17:17:08 +0100
+Subject: net: phy: xgmiitorgmii: Support generic PHY status read
+
+From: Paul Kocialkowski
+
+[ Upstream commit 197f9ab7f08ce4b9ece662f747c3991b2f0fbb57 ]
+
+Some PHY drivers like the generic one do not provide a read_status
+callback on their own but rely on genphy_read_status being called
+directly.
+
+With the current code, this results in a NULL function pointer call.
+Call genphy_read_status instead when there is no specific callback.
+
+Fixes: f411a6160bd4 ("net: phy: Add gmiitorgmii converter support")
+Signed-off-by: Paul Kocialkowski
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/phy/xilinx_gmii2rgmii.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/phy/xilinx_gmii2rgmii.c
++++ b/drivers/net/phy/xilinx_gmii2rgmii.c
+@@ -42,7 +42,10 @@ static int xgmiitorgmii_read_status(stru
+ u16 val = 0;
+ int err;
+
+- err = priv->phy_drv->read_status(phydev);
++ if (priv->phy_drv->read_status)
++ err = priv->phy_drv->read_status(phydev);
++ else
++ err = genphy_read_status(phydev);
+ if (err < 0)
+ return err;
+
diff --git a/queue-4.14/net-stmmac-fix-a-race-in-eee-enable-callback.patch b/queue-4.14/net-stmmac-fix-a-race-in-eee-enable-callback.patch
new file mode 100644
index 00000000000..6b10bab245e
--- /dev/null
+++ b/queue-4.14/net-stmmac-fix-a-race-in-eee-enable-callback.patch
@@ -0,0 +1,68 @@
+From foo@baz Thu Feb 21 07:26:37 CET 2019
+From: Jose Abreu
+Date: Mon, 18 Feb 2019 14:35:03 +0100
+Subject: net: stmmac: Fix a race in EEE enable callback
+
+From: Jose Abreu
+
+[ Upstream commit 8a7493e58ad688eb23b81e45461c5d314f4402f1 ]
+
+We are saving the status of EEE even before we try to enable it. This
+leads to a race with XMIT function that tries to arm EEE timer before we
+set it up.
+
+Fix this by only saving the EEE parameters after all operations are
+performed with success.
+
+Signed-off-by: Jose Abreu
+Fixes: d765955d2ae0 ("stmmac: add the Energy Efficient Ethernet support")
+Cc: Joao Pinto
+Cc: David S. Miller
+Cc: Giuseppe Cavallaro
+Cc: Alexandre Torgue
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/stmicro/stmmac/stmmac_ethtool.c | 22 ++++++++++---------
+ 1 file changed, 12 insertions(+), 10 deletions(-)
+
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_ethtool.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_ethtool.c
+@@ -675,25 +675,27 @@ static int stmmac_ethtool_op_set_eee(str
+ struct ethtool_eee *edata)
+ {
+ struct stmmac_priv *priv = netdev_priv(dev);
++ int ret;
+
+- priv->eee_enabled = edata->eee_enabled;
+-
+- if (!priv->eee_enabled)
++ if (!edata->eee_enabled) {
+ stmmac_disable_eee_mode(priv);
+- else {
++ } else {
+ /* We are asking for enabling the EEE but it is safe
+ * to verify all by invoking the eee_init function.
+ * In case of failure it will return an error.
+ */
+- priv->eee_enabled = stmmac_eee_init(priv);
+- if (!priv->eee_enabled)
++ edata->eee_enabled = stmmac_eee_init(priv);
++ if (!edata->eee_enabled)
+ return -EOPNOTSUPP;
+-
+- /* Do not change tx_lpi_timer in case of failure */
+- priv->tx_lpi_timer = edata->tx_lpi_timer;
+ }
+
+- return phy_ethtool_set_eee(dev->phydev, edata);
++ ret = phy_ethtool_set_eee(dev->phydev, edata);
++ if (ret)
++ return ret;
++
++ priv->eee_enabled = edata->eee_enabled;
++ priv->tx_lpi_timer = edata->tx_lpi_timer;
++ return 0;
+ }
+
+ static u32 stmmac_usec2riwt(u32 usec, struct stmmac_priv *priv)
diff --git a/queue-4.14/net-stmmac-handle-endianness-in-dwmac4_get_timestamp.patch b/queue-4.14/net-stmmac-handle-endianness-in-dwmac4_get_timestamp.patch
new file mode 100644
index 00000000000..c69be34775e
--- /dev/null
+++ b/queue-4.14/net-stmmac-handle-endianness-in-dwmac4_get_timestamp.patch
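Review bot: When `phy_ethtool_set_eee()` fails, `stmmac_ethtool_op_set_eee()` now returns with `priv->eee_enabled` and `priv->tx_lpi_timer` untouched even though `stmmac_disable_eee_mode(priv)` or `stmmac_eee_init(priv)` has already run, so the cached state can disagree with what those helpers did. What the helpers change is outside the hunk; if they touch hardware or timers, the error path should undo or record it. The line `edata->eee_enabled = stmmac_eee_init(priv);` also writes into the caller's ethtool_eee structure, which testing the result directly, `if (!stmmac_eee_init(priv)) return -EOPNOTSUPP;`, would avoid. The commit message describes a race with the transmit path, yet the two final stores are plain assignments with no lock or ordering visible in the hunk.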
@@ -0,0 +1,45 @@
+From foo@baz Thu Feb 21 07:26:37 CET 2019
+From: Alexandre Torgue
+Date: Fri, 15 Feb 2019 10:49:09 +0100
+Subject: net: stmmac: handle endianness in dwmac4_get_timestamp
+
+From: Alexandre Torgue
+
+[ Upstream commit 224babd62d6f19581757a6d8bae3bf9501fc10de ]
+
+GMAC IP is little-endian and used on several kind of CPU (big or little
+endian). Main callbacks functions of the stmmac drivers take care about
+it. It was not the case for dwmac4_get_timestamp function.
+
+Fixes: ba1ffd74df74 ("stmmac: fix PTP support for GMAC4")
+Signed-off-by: Alexandre Torgue
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/stmicro/stmmac/dwmac4_descs.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/stmicro/stmmac/dwmac4_descs.c
++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac4_descs.c
+@@ -238,15 +238,18 @@ static inline u64 dwmac4_get_timestamp(v
+ static int dwmac4_rx_check_timestamp(void *desc)
+ {
+ struct dma_desc *p = (struct dma_desc *)desc;
++ unsigned int rdes0 = le32_to_cpu(p->des0);
++ unsigned int rdes1 = le32_to_cpu(p->des1);
++ unsigned int rdes3 = le32_to_cpu(p->des3);
+ u32 own, ctxt;
+ int ret = 1;
+
+- own = p->des3 & RDES3_OWN;
+- ctxt = ((p->des3 & RDES3_CONTEXT_DESCRIPTOR)
++ own = rdes3 & RDES3_OWN;
++ ctxt = ((rdes3 & RDES3_CONTEXT_DESCRIPTOR)
+ >> RDES3_CONTEXT_DESCRIPTOR_SHIFT);
+
+ if (likely(!own && ctxt)) {
+- if ((p->des0 == 0xffffffff) && (p->des1 == 0xffffffff))
++ if ((rdes0 == 0xffffffff) && (rdes1 == 0xffffffff))
+ /* Corrupted value */
+ ret = -EINVAL;
+ else
diff --git a/queue-4.14/net-validate-untrusted-gso-packets-without-csum-offload.patch b/queue-4.14/net-validate-untrusted-gso-packets-without-csum-offload.patch
new file mode 100644
index 00000000000..98b959d3a46
--- /dev/null
+++ b/queue-4.14/net-validate-untrusted-gso-packets-without-csum-offload.patch
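Review bot: The three new locals in `dwmac4_rx_check_timestamp()` are declared `unsigned int` although they hold the result of `le32_to_cpu()` and are masked into the `u32` variables `own` and `ctxt`; declaring them as `u32 rdes0 = le32_to_cpu(p->des0);` (likewise rdes1 and rdes3) keeps the descriptor words at a fixed width and matches the neighbouring declaration. The subject names dwmac4_get_timestamp while the only hunk here changes dwmac4_rx_check_timestamp, which a short backport note in the description would make clear. The function continues past the end of the hunk.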
@@ -0,0 +1,64 @@
+From foo@baz Thu Feb 21 07:26:37 CET 2019
+From: Willem de Bruijn
+Date: Fri, 15 Feb 2019 12:15:47 -0500
+Subject: net: validate untrusted gso packets without csum offload
+
+From: Willem de Bruijn
+
+[ Upstream commit d5be7f632bad0f489879eed0ff4b99bd7fe0b74c ]
+
+Syzkaller again found a path to a kernel crash through bad gso input.
+By building an excessively large packet to cause an skb field to wrap.
+
+If VIRTIO_NET_HDR_F_NEEDS_CSUM was set this would have been dropped in
+skb_partial_csum_set.
+
+GSO packets that do not set checksum offload are suspicious and rare.
+Most callers of virtio_net_hdr_to_skb already pass them to
+skb_probe_transport_header.
+
+Move that test forward, change it to detect parse failure and drop
+packets on failure as those cleary are not one of the legitimate
+VIRTIO_NET_HDR_GSO types.
+
+Fixes: bfd5f4a3d605 ("packet: Add GSO/csum offload support.")
+Fixes: f43798c27684 ("tun: Allow GSO using virtio_net_hdr")
+Reported-by: syzbot
+Signed-off-by: Willem de Bruijn
+Reviewed-by: Eric Dumazet
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ include/linux/skbuff.h | 2 +-
+ include/linux/virtio_net.h | 9 +++++++++
+ 2 files changed, 10 insertions(+), 1 deletion(-)
+
+--- a/include/linux/skbuff.h
++++ b/include/linux/skbuff.h
+@@ -2377,7 +2377,7 @@ static inline void skb_probe_transport_h
+ return;
+ else if (skb_flow_dissect_flow_keys(skb, &keys, 0))
+ skb_set_transport_header(skb, keys.control.thoff);
+- else
++ else if (offset_hint >= 0)
+ skb_set_transport_header(skb, offset_hint);
+ }
+
+--- a/include/linux/virtio_net.h
++++ b/include/linux/virtio_net.h
+@@ -57,6 +57,15 @@ static inline int virtio_net_hdr_to_skb(
+
+ if (!skb_partial_csum_set(skb, start, off))
+ return -EINVAL;
++ } else {
++ /* gso packets without NEEDS_CSUM do not set transport_offset.
++ * probe and drop if does not match one of the above types.
++ */
++ if (gso_type) {
++ skb_probe_transport_header(skb, -1);
++ if (!skb_transport_header_was_set(skb))
++ return -EINVAL;
++ }
+ }
+
+ if (hdr->gso_type != VIRTIO_NET_HDR_GSO_NONE) {
diff --git a/queue-4.14/series b/queue-4.14/series
index 21a0d8bfcbd..4dbca409516 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -4,3 +4,16 @@ net-ipv4-use-a-dedicated-counter-for-icmp_v4-redirec.patch
 vsock-cope-with-memory-allocation-failure-at-socket-.patch
 vxlan-test-dev-flags-iff_up-before-calling-netif_rx.patch
 hwmon-lm80-fix-missing-unlock-on-error-in-set_fan_di.patch
+mlxsw-__mlxsw_sp_port_headroom_set-fix-a-use-of-local-variable.patch
+net-crypto-set-sk-to-null-when-af_alg_release.patch
+net-fix-for_each_netdev_feature-on-big-endian.patch
+net-phy-xgmiitorgmii-support-generic-phy-status-read.patch
+net-stmmac-fix-a-race-in-eee-enable-callback.patch
+net-stmmac-handle-endianness-in-dwmac4_get_timestamp.patch
+net-validate-untrusted-gso-packets-without-csum-offload.patch
+sky2-increase-d3-delay-again.patch
+vhost-correctly-check-the-return-value-of-translate_desc-in-log_used.patch
+net-add-header-for-usage-of-fls64.patch
+tcp-tcp_v4_err-should-be-more-careful.patch
+net-do-not-allocate-page-fragments-that-are-not-skb-aligned.patch
+tcp-clear-icsk_backoff-in-tcp_write_queue_purge.patch
diff --git a/queue-4.14/sky2-increase-d3-delay-again.patch b/queue-4.14/sky2-increase-d3-delay-again.patch
new file mode 100644
index 00000000000..72408fa0293
--- /dev/null
+++ b/queue-4.14/sky2-increase-d3-delay-again.patch
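Review bot: `skb_probe_transport_header(skb, -1)` introduces a negative offset_hint as a sentinel for "leave the transport header unset when dissection fails", and the only place that meaning is encoded is the new `else if (offset_hint >= 0)` in skbuff.h. A comment on that branch, `/* a negative hint asks for no fallback, so callers can detect a failed probe */`, would stop a later caller from passing a computed negative offset by accident. In `virtio_net_hdr_to_skb()` the new check depends on `skb_transport_header_was_set()` being false on entry: the helper's first condition is above the hunk, but the visible `return;` suggests it exits early when a header is already set, in which case nothing is validated. That precondition is worth stating in the new comment block.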
@@ -0,0 +1,34 @@
+From foo@baz Thu Feb 21 07:26:37 CET 2019
+From: Kai-Heng Feng
+Date: Tue, 19 Feb 2019 23:45:29 +0800
+Subject: sky2: Increase D3 delay again
+
+From: Kai-Heng Feng
+
+[ Upstream commit 1765f5dcd00963e33f1b8a4e0f34061fbc0e2f7f ]
+
+Another platform requires even longer delay to make the device work
+correctly after S3.
+
+So increase the delay to 300ms.
+
+BugLink: https://bugs.launchpad.net/bugs/1798921
+
+Signed-off-by: Kai-Heng Feng
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/marvell/sky2.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/marvell/sky2.c
++++ b/drivers/net/ethernet/marvell/sky2.c
+@@ -5087,7 +5087,7 @@ static int sky2_probe(struct pci_dev *pd
+ INIT_WORK(&hw->restart_work, sky2_restart);
+
+ pci_set_drvdata(pdev, hw);
+- pdev->d3_delay = 200;
++ pdev->d3_delay = 300;
+
+ return 0;
+
diff --git a/queue-4.14/tcp-clear-icsk_backoff-in-tcp_write_queue_purge.patch b/queue-4.14/tcp-clear-icsk_backoff-in-tcp_write_queue_purge.patch
new file mode 100644
index 00000000000..9ea228fb729
--- /dev/null
+++ b/queue-4.14/tcp-clear-icsk_backoff-in-tcp_write_queue_purge.patch
@@ -0,0 +1,52 @@
+From foo@baz Thu Feb 21 07:26:37 CET 2019
+From: Eric Dumazet
+Date: Fri, 15 Feb 2019 13:36:20 -0800
+Subject: tcp: clear icsk_backoff in tcp_write_queue_purge()
+
+From: Eric Dumazet
+
+[ Upstream commit 04c03114be82194d4a4858d41dba8e286ad1787c ]
+
+soukjin bae reported a crash in tcp_v4_err() handling
+ICMP_DEST_UNREACH after tcp_write_queue_head(sk)
+returned a NULL pointer.
+
+Current logic should have prevented this :
+
+ if (seq != tp->snd_una || !icsk->icsk_retransmits ||
+ !icsk->icsk_backoff || fastopen)
+ break;
+
+Problem is the write queue might have been purged
+and icsk_backoff has not been cleared.
+
+Signed-off-by: Eric Dumazet
+Reported-by: soukjin bae
+Acked-by: Neal Cardwell
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ include/net/tcp.h | 1 +
+ net/ipv4/tcp.c | 1 -
+ 2 files changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/net/tcp.h
++++ b/include/net/tcp.h
+@@ -1622,6 +1622,7 @@ static inline void tcp_write_queue_purge
+ tcp_clear_all_retrans_hints(tcp_sk(sk));
+ tcp_init_send_head(sk);
+ tcp_sk(sk)->packets_out = 0;
++ inet_csk(sk)->icsk_backoff = 0;
+ }
+
+ static inline struct sk_buff *tcp_write_queue_head(const struct sock *sk)
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -2347,7 +2347,6 @@ int tcp_disconnect(struct sock *sk, int
+ tp->write_seq += tp->max_window + 2;
+ if (tp->write_seq == 0)
+ tp->write_seq = 1;
+- icsk->icsk_backoff = 0;
+ tp->snd_cwnd = 2;
+ icsk->icsk_probes_out = 0;
+ tp->snd_ssthresh = TCP_INFINITE_SSTHRESH;
diff --git a/queue-4.14/tcp-tcp_v4_err-should-be-more-careful.patch b/queue-4.14/tcp-tcp_v4_err-should-be-more-careful.patch
new file mode 100644
index 00000000000..1819f72e23a
--- /dev/null
+++ b/queue-4.14/tcp-tcp_v4_err-should-be-more-careful.patch
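Review bot: The added `inet_csk(sk)->icsk_backoff = 0;` in `tcp_write_queue_purge()` carries no comment explaining why retransmit backoff state is reset inside a queue helper. Per the commit message, tcp_v4_err() treats a non-zero icsk_backoff as its guarantee that `tcp_write_queue_head(sk)` is non-NULL, so a comment such as `/* tcp_v4_err() assumes icsk_backoff != 0 implies a non-empty write queue */` would keep that invariant from being broken again. The other callers of tcp_write_queue_purge() are outside this patch; each of them now also resets the backoff, which should be confirmed as intended.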
@@ -0,0 +1,47 @@
+From foo@baz Thu Feb 21 07:26:37 CET 2019
+From: Eric Dumazet
+Date: Fri, 15 Feb 2019 13:36:21 -0800
+Subject: tcp: tcp_v4_err() should be more careful
+
+From: Eric Dumazet
+
+[ Upstream commit 2c4cc9712364c051b1de2d175d5fbea6be948ebf ]
+
+ICMP handlers are not very often stressed, we should
+make them more resilient to bugs that might surface in
+the future.
+
+If there is no packet in retransmit queue, we should
+avoid a NULL deref.
+
+Signed-off-by: Eric Dumazet
+Reported-by: soukjin bae
+Acked-by: Neal Cardwell
+Acked-by: Soheil Hassas Yeganeh
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv4/tcp_ipv4.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/net/ipv4/tcp_ipv4.c
++++ b/net/ipv4/tcp_ipv4.c
+@@ -475,14 +475,15 @@ void tcp_v4_err(struct sk_buff *icmp_skb
+ if (sock_owned_by_user(sk))
+ break;
+
++ skb = tcp_write_queue_head(sk);
++ if (WARN_ON_ONCE(!skb))
++ break;
++
+ icsk->icsk_backoff--;
+ icsk->icsk_rto = tp->srtt_us ? __tcp_set_rto(tp) :
+ TCP_TIMEOUT_INIT;
+ icsk->icsk_rto = inet_csk_rto_backoff(icsk, TCP_RTO_MAX);
+
+- skb = tcp_write_queue_head(sk);
+- BUG_ON(!skb);
+-
+ tcp_mstamp_refresh(tp);
+ delta_us = (u32)(tp->tcp_mstamp - skb->skb_mstamp);
+ remaining = icsk->icsk_rto -
diff --git a/queue-4.14/vhost-correctly-check-the-return-value-of-translate_desc-in-log_used.patch b/queue-4.14/vhost-correctly-check-the-return-value-of-translate_desc-in-log_used.patch
new file mode 100644
index 00000000000..6d5f57b695f
--- /dev/null
+++ b/queue-4.14/vhost-correctly-check-the-return-value-of-translate_desc-in-log_used.patch
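Review bot: `WARN_ON_ONCE(!skb)` in `tcp_v4_err()` sits on a path driven by received ICMP messages, so on hosts that enable panic_on_warn an empty write queue still stops the machine, which is the outcome the removed `BUG_ON(!skb)` had. If the condition can still be reached once tcp_write_queue_purge() clears the backoff, a plain `if (!skb) break;` gives the resilience the commit message asks for without depending on that setting. Placing the lookup ahead of `icsk->icsk_backoff--` is sound, since the early exit then leaves the backoff counter untouched. The switch case that contains these lines starts and ends outside the hunk.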
@@ -0,0 +1,36 @@
+From foo@baz Thu Feb 21 07:26:37 CET 2019
+From: Jason Wang
+Date: Tue, 19 Feb 2019 14:53:44 +0800
+Subject: vhost: correctly check the return value of translate_desc() in log_used()
+
+From: Jason Wang
+
+[ Upstream commit 816db7663565cd23f74ed3d5c9240522e3fb0dda ]
+
+When fail, translate_desc() returns negative value, otherwise the
+number of iovs. So we should fail when the return value is negative
+instead of a blindly check against zero.
+
+Detected by CoverityScan, CID# 1442593: Control flow issues (DEADCODE)
+
+Fixes: cc5e71075947 ("vhost: log dirty page correctly")
+Acked-by: Michael S. Tsirkin
+Reported-by: Stephen Hemminger
+Signed-off-by: Jason Wang
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/vhost/vhost.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/vhost/vhost.c
++++ b/drivers/vhost/vhost.c
+@@ -1776,7 +1776,7 @@ static int log_used(struct vhost_virtque
+
+ ret = translate_desc(vq, (uintptr_t)vq->used + used_offset,
+ len, iov, 64, VHOST_ACCESS_WO);
+- if (ret)
++ if (ret < 0)
+ return ret;
+
+ for (i = 0; i < ret; i++) {
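Review bot: The call to `translate_desc()` in `log_used()` passes the iov capacity as the literal `64`, and the loop that follows is bounded by the returned count, so the buffer size and the bound are tied together only by convention. If `iov` is a local array (its declaration is above the hunk), writing `ARRAY_SIZE(iov)` in place of `64` keeps the two in step. With the corrected `if (ret < 0)` a return of 0 now falls through to a loop that runs zero times; what the function returns after the loop is outside the hunk and should be checked for that case.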