From: Greg Kroah-Hartman Date: Tue, 2 Feb 2021 13:19:09 +0000 (+0100) Subject: 4.14-stable patches X-Git-Tag: v4.4.255~6 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=6ccdde52f4dccfe34b4cc0db819dd4ec1fe08212;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: nfc-fix-possible-resource-leak.patch nfc-fix-resource-leak-when-target-index-is-invalid.patch tcp-fix-tlp-timer-not-set-when-ca_state-changes-from-disorder-to-open.patch team-protect-features-update-by-rcu-to-avoid-deadlock.patch
---
diff --git a/queue-4.14/nfc-fix-possible-resource-leak.patch b/queue-4.14/nfc-fix-possible-resource-leak.patch
new file mode 100644
index 00000000000..e8ce2a03322
--- /dev/null
+++ b/queue-4.14/nfc-fix-possible-resource-leak.patch
@@ -0,0 +1,32 @@
+From d8f923c3ab96dbbb4e3c22d1afc1dc1d3b195cd8 Mon Sep 17 00:00:00 2001
+From: Pan Bian
+Date: Thu, 21 Jan 2021 07:37:45 -0800
+Subject: NFC: fix possible resource leak
+
+From: Pan Bian
+
+commit d8f923c3ab96dbbb4e3c22d1afc1dc1d3b195cd8 upstream.
+
+Put the device to avoid resource leak on path that the polling flag is
+invalid.
+
+Fixes: a831b9132065 ("NFC: Do not return EBUSY when stopping a poll that's already stopped")
+Signed-off-by: Pan Bian
+Link: https://lore.kernel.org/r/20210121153745.122184-1-bianpan2016@163.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/nfc/netlink.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/nfc/netlink.c
++++ b/net/nfc/netlink.c
+@@ -884,6 +884,7 @@ static int nfc_genl_stop_poll(struct sk_
+
+ if (!dev->polling) {
+ device_unlock(&dev->dev);
++ nfc_put_device(dev);
+ return -EINVAL;
+ }
+
diff --git a/queue-4.14/nfc-fix-resource-leak-when-target-index-is-invalid.patch b/queue-4.14/nfc-fix-resource-leak-when-target-index-is-invalid.patch
new file mode 100644
index 00000000000..c5e0faa0112
--- /dev/null
+++ b/queue-4.14/nfc-fix-resource-leak-when-target-index-is-invalid.patch
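Review bot: The `!dev->polling` branch in nfc_genl_stop_poll (net/nfc/netlink.c) now carries its own copy of `device_unlock(&dev->dev);` and `nfc_put_device(dev);` before `return -EINVAL;`, and hand-copied cleanup on an early return is the pattern that let this reference leak in originally. The function starts and ends outside the hunk, so I cannot see whether it already has a shared exit label; if it does, setting the return code and jumping there would keep the unlock and the put in one place. Because this looks like a generic-netlink handler, the leaking path was presumably reachable on every request made while the device was not polling, so a short comment such as `/* every exit after nfc_get_device() must drop the reference */` near the lookup would help later edits keep the invariant.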
@@ -0,0 +1,33 @@
+From 3a30537cee233fb7da302491b28c832247d89bbe Mon Sep 17 00:00:00 2001
+From: Pan Bian
+Date: Thu, 21 Jan 2021 07:27:48 -0800
+Subject: NFC: fix resource leak when target index is invalid
+
+From: Pan Bian
+
+commit 3a30537cee233fb7da302491b28c832247d89bbe upstream.
+
+Goto to the label put_dev instead of the label error to fix potential
+resource leak on path that the target index is invalid.
+
+Fixes: c4fbb6515a4d ("NFC: The core part should generate the target index")
+Signed-off-by: Pan Bian
+Link: https://lore.kernel.org/r/20210121152748.98409-1-bianpan2016@163.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/nfc/rawsock.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/nfc/rawsock.c
++++ b/net/nfc/rawsock.c
+@@ -117,7 +117,7 @@ static int rawsock_connect(struct socket
+ if (addr->target_idx > dev->target_next_idx - 1 ||
+ addr->target_idx < dev->target_next_idx - dev->n_targets) {
+ rc = -EINVAL;
+- goto error;
++ goto put_dev;
+ }
+
+ rc = nfc_activate_target(dev, addr->target_idx, addr->nfc_protocol);
diff --git a/queue-4.14/series b/queue-4.14/series
index eb905b9fefd..0ea2a5712c9 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -24,3 +24,7 @@ x86-entry-64-compat-preserve-r8-r11-in-int-0x80.patch
 x86-entry-64-compat-fix-x86-entry-64-compat-preserve-r8-r11-in-int-0x80.patch
 iommu-vt-d-gracefully-handle-dmar-units-with-no-supported-address-widths.patch
 iommu-vt-d-don-t-dereference-iommu_device-if-iommu_api-is-not-built.patch
+nfc-fix-resource-leak-when-target-index-is-invalid.patch
+nfc-fix-possible-resource-leak.patch
+team-protect-features-update-by-rcu-to-avoid-deadlock.patch
+tcp-fix-tlp-timer-not-set-when-ca_state-changes-from-disorder-to-open.patch
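Review bot: The range check that guards the corrected `goto put_dev;` in rawsock_connect (net/nfc/rawsock.c) computes `dev->target_next_idx - 1` and `dev->target_next_idx - dev->n_targets`, and if those fields are unsigned (their declarations are outside the hunk) the first subtraction wraps when `target_next_idx` is 0, so the check would accept any index and leave rejection to nfc_activate_target(). Since `addr` appears to be the socket address supplied to connect(), I would write the first clause without the subtraction, `if (addr->target_idx >= dev->target_next_idx ||`, which rejects the empty case outright. The second clause still depends on `n_targets` never exceeding `target_next_idx`; a one-line comment stating that invariant would be enough. The function body starts and ends outside the hunk, so the `put_dev` label itself is not visible here.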
diff --git a/queue-4.14/tcp-fix-tlp-timer-not-set-when-ca_state-changes-from-disorder-to-open.patch b/queue-4.14/tcp-fix-tlp-timer-not-set-when-ca_state-changes-from-disorder-to-open.patch
new file mode 100644
index 00000000000..da885146eb6
--- /dev/null
+++ b/queue-4.14/tcp-fix-tlp-timer-not-set-when-ca_state-changes-from-disorder-to-open.patch
@@ -0,0 +1,110 @@
+From 62d9f1a6945ba69c125e548e72a36d203b30596e Mon Sep 17 00:00:00 2001
+From: Pengcheng Yang
+Date: Sun, 24 Jan 2021 13:07:14 +0800
+Subject: tcp: fix TLP timer not set when CA_STATE changes from DISORDER to OPEN
+
+From: Pengcheng Yang
+
+commit 62d9f1a6945ba69c125e548e72a36d203b30596e upstream.
+
+Upon receiving a cumulative ACK that changes the congestion state from
+Disorder to Open, the TLP timer is not set. If the sender is app-limited,
+it can only wait for the RTO timer to expire and retransmit.
+
+The reason for this is that the TLP timer is set before the congestion
+state changes in tcp_ack(), so we delay the time point of calling
+tcp_set_xmit_timer() until after tcp_fastretrans_alert() returns and
+remove the FLAG_SET_XMIT_TIMER from ack_flag when the RACK reorder timer
+is set.
+
+This commit has two additional benefits:
+1) Make sure to reset RTO according to RFC6298 when receiving ACK, to
+avoid spurious RTO caused by RTO timer early expires.
+2) Reduce the xmit timer reschedule once per ACK when the RACK reorder
+timer is set.
+
+Fixes: df92c8394e6e ("tcp: fix xmit timer to only be reset if data ACKed/SACKed")
+Link: https://lore.kernel.org/netdev/1611311242-6675-1-git-send-email-yangpc@wangsu.com
+Signed-off-by: Pengcheng Yang
+Acked-by: Neal Cardwell
+Acked-by: Yuchung Cheng
+Cc: Eric Dumazet
+Link: https://lore.kernel.org/r/1611464834-23030-1-git-send-email-yangpc@wangsu.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ include/net/tcp.h | 2 +-
+ net/ipv4/tcp_input.c | 10 ++++++----
+ net/ipv4/tcp_recovery.c | 5 +++--
+ 3 files changed, 10 insertions(+), 7 deletions(-)
+
+--- a/include/net/tcp.h
++++ b/include/net/tcp.h
+@@ -1969,7 +1969,7 @@ void tcp_v4_init(void);
+ void tcp_init(void);
+
+ /* tcp_recovery.c */
+-extern void tcp_rack_mark_lost(struct sock *sk);
++extern bool tcp_rack_mark_lost(struct sock *sk);
+ extern void tcp_rack_advance(struct tcp_sock *tp, u8 sacked, u32 end_seq,
+ u64 xmit_time);
+ extern void tcp_rack_reo_timeout(struct sock *sk);
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -2803,7 +2803,8 @@ static void tcp_rack_identify_loss(struc
+ if (sysctl_tcp_recovery & TCP_RACK_LOSS_DETECTION) {
+ u32 prior_retrans = tp->retrans_out;
+
+- tcp_rack_mark_lost(sk);
++ if (tcp_rack_mark_lost(sk))
++ *ack_flag &= ~FLAG_SET_XMIT_TIMER;
+ if (prior_retrans > tp->retrans_out)
+ *ack_flag |= FLAG_LOST_RETRANS;
+ }
+@@ -3688,15 +3689,16 @@ static int tcp_ack(struct sock *sk, cons
+
+ if (tp->tlp_high_seq)
+ tcp_process_tlp_ack(sk, ack, flag);
+- /* If needed, reset TLP/RTO timer; RACK may later override this. */
+- if (flag & FLAG_SET_XMIT_TIMER)
+- tcp_set_xmit_timer(sk);
+
+ if (tcp_ack_is_dubious(sk, flag)) {
+ is_dupack = !(flag & (FLAG_SND_UNA_ADVANCED | FLAG_NOT_DUP));
+ tcp_fastretrans_alert(sk, acked, is_dupack, &flag, &rexmit);
+ }
+
++ /* If needed, reset TLP/RTO timer when RACK doesn't set. */
++ if (flag & FLAG_SET_XMIT_TIMER)
++ tcp_set_xmit_timer(sk);
++
+ if ((flag & FLAG_FORWARD_PROGRESS) || !(flag & FLAG_NOT_DUP))
+ sk_dst_confirm(sk);
+
+--- a/net/ipv4/tcp_recovery.c
++++ b/net/ipv4/tcp_recovery.c
+@@ -102,13 +102,13 @@ static void tcp_rack_detect_loss(struct
+ }
+ }
+
+-void tcp_rack_mark_lost(struct sock *sk)
++bool tcp_rack_mark_lost(struct sock *sk)
+ {
+ struct tcp_sock *tp = tcp_sk(sk);
+ u32 timeout;
+
+ if (!tp->rack.advanced)
+- return;
++ return false;
+
+ /* Reset the advanced flag to avoid unnecessary queue scanning */
+ tp->rack.advanced = 0;
+@@ -118,6 +118,7 @@ void tcp_rack_mark_lost(struct sock *sk)
+ inet_csk_reset_xmit_timer(sk, ICSK_TIME_REO_TIMEOUT,
+ timeout, inet_csk(sk)->icsk_rto);
+ }
++ return !!timeout;
+ }
+
+ /* Record the most recently (re)sent time among the (s)acked packets
diff --git a/queue-4.14/team-protect-features-update-by-rcu-to-avoid-deadlock.patch b/queue-4.14/team-protect-features-update-by-rcu-to-avoid-deadlock.patch
new file mode 100644
index 00000000000..f1e80f1c51a
--- /dev/null
+++ b/queue-4.14/team-protect-features-update-by-rcu-to-avoid-deadlock.patch
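Review bot: tcp_rack_mark_lost() in net/ipv4/tcp_recovery.c changes from void to bool with no comment saying what the value means; the only hints are `return !!timeout;` and the caller in tcp_rack_identify_loss() clearing `FLAG_SET_XMIT_TIMER`. I would add a comment above the definition such as `/* Returns true if the RACK reordering timer was armed; the caller must then not re-arm the TLP/RTO timer. */`. The reworded comment in tcp_ack(), `reset TLP/RTO timer when RACK doesn't set.`, is missing its object and would read better as `/* If needed, reset TLP/RTO timer unless RACK armed the reordering timer. */`. `timeout` is assigned between the two tcp_recovery.c hunks and the bodies of tcp_ack() and tcp_rack_identify_loss() extend outside theirs, so I am assuming `timeout` is nonzero exactly when the reordering timer is armed.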
@@ -0,0 +1,80 @@
+From f0947d0d21b219e03940b9be6628a43445c0de7a Mon Sep 17 00:00:00 2001
+From: Ivan Vecera
+Date: Mon, 25 Jan 2021 08:44:16 +0100
+Subject: team: protect features update by RCU to avoid deadlock
+
+From: Ivan Vecera
+
+commit f0947d0d21b219e03940b9be6628a43445c0de7a upstream.
+
+Function __team_compute_features() is protected by team->lock
+mutex when it is called from team_compute_features() used when
+features of an underlying device is changed. This causes
+a deadlock when NETDEV_FEAT_CHANGE notifier for underlying device
+is fired due to change propagated from team driver (e.g. MTU
+change). It's because callbacks like team_change_mtu() or
+team_vlan_rx_{add,del}_vid() protect their port list traversal
+by team->lock mutex.
+
+Example (r8169 case where this driver disables TSO for certain MTU
+values):
+...
+[ 6391.348202] __mutex_lock.isra.6+0x2d0/0x4a0
+[ 6391.358602] team_device_event+0x9d/0x160 [team]
+[ 6391.363756] notifier_call_chain+0x47/0x70
+[ 6391.368329] netdev_update_features+0x56/0x60
+[ 6391.373207] rtl8169_change_mtu+0x14/0x50 [r8169]
+[ 6391.378457] dev_set_mtu_ext+0xe1/0x1d0
+[ 6391.387022] dev_set_mtu+0x52/0x90
+[ 6391.390820] team_change_mtu+0x64/0xf0 [team]
+[ 6391.395683] dev_set_mtu_ext+0xe1/0x1d0
+[ 6391.399963] do_setlink+0x231/0xf50
+...
+
+In fact team_compute_features() called from team_device_event()
+does not need to be protected by team->lock mutex and rcu_read_lock()
+is sufficient there for port list traversal.
+
+Fixes: 3d249d4ca7d0 ("net: introduce ethernet teaming device")
+Cc: Saeed Mahameed
+Signed-off-by: Ivan Vecera
+Reviewed-by: Cong Wang
+Reviewed-by: Jiri Pirko
+Link: https://lore.kernel.org/r/20210125074416.4056484-1-ivecera@redhat.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/team/team.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/team/team.c
++++ b/drivers/net/team/team.c
+@@ -1002,7 +1002,8 @@ static void __team_compute_features(stru
+ unsigned int dst_release_flag = IFF_XMIT_DST_RELEASE |
+ IFF_XMIT_DST_RELEASE_PERM;
+
+- list_for_each_entry(port, &team->port_list, list) {
++ rcu_read_lock();
++ list_for_each_entry_rcu(port, &team->port_list, list) {
+ vlan_features = netdev_increment_features(vlan_features,
+ port->dev->vlan_features,
+ TEAM_VLAN_FEATURES);
+@@ -1016,6 +1017,7 @@ static void __team_compute_features(stru
+ if (port->dev->hard_header_len > max_hard_header_len)
+ max_hard_header_len = port->dev->hard_header_len;
+ }
++ rcu_read_unlock();
+
+ team->dev->vlan_features = vlan_features;
+ team->dev->hw_enc_features = enc_features | NETIF_F_GSO_ENCAP_ALL |
+@@ -1030,9 +1032,7 @@ static void __team_compute_features(stru
+
+ static void team_compute_features(struct team *team)
+ {
+- mutex_lock(&team->lock);
+ __team_compute_features(team);
+- mutex_unlock(&team->lock);
+ netdev_change_features(team->dev);
+ }
+
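Review bot: team_compute_features() in drivers/net/team/team.c now calls __team_compute_features() with no lock held, so the stores to `team->dev->vlan_features` and `team->dev->hw_enc_features` after `rcu_read_unlock()` are no longer serialized by `team->lock` against any other caller of __team_compute_features(), which presumably still takes the mutex. If the notifier path always runs under RTNL (the do_setlink trace in the message suggests so, but nothing in the hunks shows it), that is safe. I would state it at the call site with `ASSERT_RTNL();` or a comment such as `/* Notifier context: RTNL serializes the feature update; ports are walked under RCU. */`. The RCU walk also relies on ports being unlinked with the RCU list helpers and freed only after a grace period, and that code is outside these hunks.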