From: Greg Kroah-Hartman Date: Mon, 2 Mar 2020 17:41:31 +0000 (+0100) Subject: 4.4-stable patches X-Git-Tag: v4.19.108~70 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=6e636e7e7c524239ac37562e01bc99de784d214b;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: ipv6-fix-nlmsg_flags-when-splitting-a-multipath-route.patch ipv6-fix-route-replacement-with-dev-only-route.patch net-fib_rules-correctly-set-table-field-when-table-number-exceeds-8-bits.patch net-phy-restore-mdio-regs-in-the-iproc-mdio-driver.patch net-sched-correct-flower-port-blocking.patch nfc-pn544-fix-occasional-hw-initialization-failure.patch sctp-move-the-format-error-check-out-of-__sctp_sf_do_9_1_abort.patch --- diff --git a/queue-4.4/ipv6-fix-nlmsg_flags-when-splitting-a-multipath-route.patch b/queue-4.4/ipv6-fix-nlmsg_flags-when-splitting-a-multipath-route.patch new file mode 100644 index 00000000000..91d728a2d41 --- /dev/null +++ b/queue-4.4/ipv6-fix-nlmsg_flags-when-splitting-a-multipath-route.patch @@ -0,0 +1,49 @@ +From foo@baz Mon 02 Mar 2020 06:40:09 PM CET +From: Benjamin Poirier +Date: Wed, 12 Feb 2020 10:41:07 +0900 +Subject: ipv6: Fix nlmsg_flags when splitting a multipath route + +From: Benjamin Poirier + +[ Upstream commit afecdb376bd81d7e16578f0cfe82a1aec7ae18f3 ] + +When splitting an RTA_MULTIPATH request into multiple routes and adding the +second and later components, we must not simply remove NLM_F_REPLACE but +instead replace it by NLM_F_CREATE. Otherwise, it may look like the netlink +message was malformed. + +For example, + ip route add 2001:db8::1/128 dev dummy0 + ip route change 2001:db8::1/128 nexthop via fe80::30:1 dev dummy0 \ + nexthop via fe80::30:2 dev dummy0 +results in the following warnings: +[ 1035.057019] IPv6: RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE +[ 1035.057517] IPv6: NLM_F_CREATE should be set when creating new route + +This patch makes the nlmsg sequence look equivalent for __ip6_ins_rt() to +what it would get if the multipath route had been added in multiple netlink +operations: + ip route add 2001:db8::1/128 dev dummy0 + ip route change 2001:db8::1/128 nexthop via fe80::30:1 dev dummy0 + ip route append 2001:db8::1/128 nexthop via fe80::30:2 dev dummy0 + +Fixes: 27596472473a ("ipv6: fix ECMP route replacement") +Signed-off-by: Benjamin Poirier +Reviewed-by: Michal Kubecek +Reviewed-by: David Ahern +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/route.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/ipv6/route.c ++++ b/net/ipv6/route.c +@@ -2953,6 +2953,7 @@ static int ip6_route_multipath_add(struc + */ + cfg->fc_nlinfo.nlh->nlmsg_flags &= ~(NLM_F_EXCL | + NLM_F_REPLACE); ++ cfg->fc_nlinfo.nlh->nlmsg_flags |= NLM_F_CREATE; + nhn++; + } + diff --git a/queue-4.4/ipv6-fix-route-replacement-with-dev-only-route.patch b/queue-4.4/ipv6-fix-route-replacement-with-dev-only-route.patch new file mode 100644 index 00000000000..98d5f911085 --- /dev/null +++ b/queue-4.4/ipv6-fix-route-replacement-with-dev-only-route.patch @@ -0,0 +1,58 @@ +From foo@baz Mon 02 Mar 2020 05:05:39 PM CET +From: Benjamin Poirier +Date: Wed, 12 Feb 2020 10:41:06 +0900 +Subject: ipv6: Fix route replacement with dev-only route + +From: Benjamin Poirier + +[ Upstream commit e404b8c7cfb31654c9024d497cec58a501501692 ] + +After commit 27596472473a ("ipv6: fix ECMP route replacement") it is no +longer possible to replace an ECMP-able route by a non ECMP-able route. +For example, + ip route add 2001:db8::1/128 via fe80::1 dev dummy0 + ip route replace 2001:db8::1/128 dev dummy0 +does not work as expected. + +Tweak the replacement logic so that point 3 in the log of the above commit +becomes: +3. If the new route is not ECMP-able, and no matching non-ECMP-able route +exists, replace matching ECMP-able route (if any) or add the new route. + +We can now summarize the entire replace semantics to: +When doing a replace, prefer replacing a matching route of the same +"ECMP-able-ness" as the replace argument. If there is no such candidate, +fallback to the first route found. + +Fixes: 27596472473a ("ipv6: fix ECMP route replacement") +Signed-off-by: Benjamin Poirier +Reviewed-by: Michal Kubecek +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/ip6_fib.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/net/ipv6/ip6_fib.c ++++ b/net/ipv6/ip6_fib.c +@@ -780,8 +780,7 @@ static int fib6_add_rt2node(struct fib6_ + found++; + break; + } +- if (rt_can_ecmp) +- fallback_ins = fallback_ins ?: ins; ++ fallback_ins = fallback_ins ?: ins; + goto next_iter; + } + +@@ -821,7 +820,9 @@ next_iter: + } + + if (fallback_ins && !found) { +- /* No ECMP-able route found, replace first non-ECMP one */ ++ /* No matching route with same ecmp-able-ness found, replace ++ * first matching route ++ */ + ins = fallback_ins; + iter = *ins; + found++; diff --git a/queue-4.4/net-fib_rules-correctly-set-table-field-when-table-number-exceeds-8-bits.patch b/queue-4.4/net-fib_rules-correctly-set-table-field-when-table-number-exceeds-8-bits.patch new file mode 100644 index 00000000000..b0a84337099 --- /dev/null +++ b/queue-4.4/net-fib_rules-correctly-set-table-field-when-table-number-exceeds-8-bits.patch @@ -0,0 +1,31 @@ +From foo@baz Mon 02 Mar 2020 06:40:09 PM CET +From: Jethro Beekman +Date: Wed, 12 Feb 2020 16:43:41 +0100 +Subject: net: fib_rules: Correctly set table field when table number exceeds 8 bits + +From: Jethro Beekman + +[ Upstream commit 540e585a79e9d643ede077b73bcc7aa2d7b4d919 ] + +In 709772e6e06564ed94ba740de70185ac3d792773, RT_TABLE_COMPAT was added to +allow legacy software to deal with routing table numbers >= 256, but the +same change to FIB rule queries was overlooked. + +Signed-off-by: Jethro Beekman +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/core/fib_rules.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/core/fib_rules.c ++++ b/net/core/fib_rules.c +@@ -570,7 +570,7 @@ static int fib_nl_fill_rule(struct sk_bu + + frh = nlmsg_data(nlh); + frh->family = ops->family; +- frh->table = rule->table; ++ frh->table = rule->table < 256 ? rule->table : RT_TABLE_COMPAT; + if (nla_put_u32(skb, FRA_TABLE, rule->table)) + goto nla_put_failure; + if (nla_put_u32(skb, FRA_SUPPRESS_PREFIXLEN, rule->suppress_prefixlen)) diff --git a/queue-4.4/net-phy-restore-mdio-regs-in-the-iproc-mdio-driver.patch b/queue-4.4/net-phy-restore-mdio-regs-in-the-iproc-mdio-driver.patch new file mode 100644 index 00000000000..b73f85cd763 --- /dev/null +++ b/queue-4.4/net-phy-restore-mdio-regs-in-the-iproc-mdio-driver.patch @@ -0,0 +1,58 @@ +From foo@baz Mon 02 Mar 2020 06:40:09 PM CET +From: Arun Parameswaran +Date: Fri, 14 Feb 2020 13:47:46 -0800 +Subject: net: phy: restore mdio regs in the iproc mdio driver + +From: Arun Parameswaran + +The mii management register in iproc mdio block +does not have a retention register so it is lost on suspend. +Save and restore value of register while resuming from suspend. + +Fixes: bb1a619735b4 ("net: phy: Initialize mdio clock at probe function") +Signed-off-by: Arun Parameswaran +Signed-off-by: Scott Branden +Reviewed-by: Andrew Lunn +Reviewed-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/phy/mdio-bcm-iproc.c | 20 ++++++++++++++++++++ + 1 file changed, 20 insertions(+) + +--- a/drivers/net/phy/mdio-bcm-iproc.c ++++ b/drivers/net/phy/mdio-bcm-iproc.c +@@ -188,6 +188,23 @@ static int iproc_mdio_remove(struct plat + return 0; + } + ++#ifdef CONFIG_PM_SLEEP ++int iproc_mdio_resume(struct device *dev) ++{ ++ struct platform_device *pdev = to_platform_device(dev); ++ struct iproc_mdio_priv *priv = platform_get_drvdata(pdev); ++ ++ /* restore the mii clock configuration */ ++ iproc_mdio_config_clk(priv->base); ++ ++ return 0; ++} ++ ++static const struct dev_pm_ops iproc_mdio_pm_ops = { ++ .resume = iproc_mdio_resume ++}; ++#endif /* CONFIG_PM_SLEEP */ ++ + static const struct of_device_id iproc_mdio_of_match[] = { + { .compatible = "brcm,iproc-mdio", }, + { /* sentinel */ }, +@@ -198,6 +215,9 @@ static struct platform_driver iproc_mdio + .driver = { + .name = "iproc-mdio", + .of_match_table = iproc_mdio_of_match, ++#ifdef CONFIG_PM_SLEEP ++ .pm = &iproc_mdio_pm_ops, ++#endif + }, + .probe = iproc_mdio_probe, + .remove = iproc_mdio_remove, diff --git a/queue-4.4/net-sched-correct-flower-port-blocking.patch b/queue-4.4/net-sched-correct-flower-port-blocking.patch new file mode 100644 index 00000000000..78827a75c05 --- /dev/null +++ b/queue-4.4/net-sched-correct-flower-port-blocking.patch @@ -0,0 +1,67 @@ +From foo@baz Mon 02 Mar 2020 05:05:39 PM CET +From: Jason Baron +Date: Mon, 17 Feb 2020 15:38:09 -0500 +Subject: net: sched: correct flower port blocking + +From: Jason Baron + +[ Upstream commit 8a9093c79863b58cc2f9874d7ae788f0d622a596 ] + +tc flower rules that are based on src or dst port blocking are sometimes +ineffective due to uninitialized stack data. __skb_flow_dissect() extracts +ports from the skb for tc flower to match against. However, the port +dissection is not done when when the FLOW_DIS_IS_FRAGMENT bit is set in +key_control->flags. All callers of __skb_flow_dissect(), zero-out the +key_control field except for fl_classify() as used by the flower +classifier. Thus, the FLOW_DIS_IS_FRAGMENT may be set on entry to +__skb_flow_dissect(), since key_control is allocated on the stack +and may not be initialized. + +Since key_basic and key_control are present for all flow keys, let's +make sure they are initialized. + +Fixes: 62230715fd24 ("flow_dissector: do not dissect l4 ports for fragments") +Co-developed-by: Eric Dumazet +Signed-off-by: Eric Dumazet +Acked-by: Cong Wang +Signed-off-by: Jason Baron +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/net/flow_dissector.h | 9 +++++++++ + net/sched/cls_flower.c | 1 + + 2 files changed, 10 insertions(+) + +--- a/include/net/flow_dissector.h ++++ b/include/net/flow_dissector.h +@@ -4,6 +4,7 @@ + #include + #include + #include ++#include + #include + + /** +@@ -185,4 +186,12 @@ static inline bool flow_keys_have_l4(str + + u32 flow_hash_from_keys(struct flow_keys *keys); + ++static inline void ++flow_dissector_init_keys(struct flow_dissector_key_control *key_control, ++ struct flow_dissector_key_basic *key_basic) ++{ ++ memset(key_control, 0, sizeof(*key_control)); ++ memset(key_basic, 0, sizeof(*key_basic)); ++} ++ + #endif +--- a/net/sched/cls_flower.c ++++ b/net/sched/cls_flower.c +@@ -127,6 +127,7 @@ static int fl_classify(struct sk_buff *s + struct fl_flow_key skb_key; + struct fl_flow_key skb_mkey; + ++ flow_dissector_init_keys(&skb_key.control, &skb_key.basic); + fl_clear_masked_range(&skb_key, &head->mask); + skb_key.indev_ifindex = skb->skb_iif; + /* skb_flow_dissect() does not set n_proto in case an unknown protocol, diff --git a/queue-4.4/nfc-pn544-fix-occasional-hw-initialization-failure.patch b/queue-4.4/nfc-pn544-fix-occasional-hw-initialization-failure.patch new file mode 100644 index 00000000000..71470b19ecc --- /dev/null +++ b/queue-4.4/nfc-pn544-fix-occasional-hw-initialization-failure.patch @@ -0,0 +1,43 @@ +From foo@baz Mon 02 Mar 2020 05:10:46 PM CET +From: Dmitry Osipenko +Date: Wed, 19 Feb 2020 18:01:22 +0300 +Subject: nfc: pn544: Fix occasional HW initialization failure + +From: Dmitry Osipenko + +[ Upstream commit c3331d2fe3fd4d5e321f2467d01f72de7edfb5d0 ] + +The PN544 driver checks the "enable" polarity during of driver's probe and +it's doing that by turning ON and OFF NFC with different polarities until +enabling succeeds. It takes some time for the hardware to power-down, and +thus, to deassert the IRQ that is raised by turning ON the hardware. +Since the delay after last power-down of the polarity-checking process is +missed in the code, the interrupt may trigger immediately after installing +the IRQ handler (right after the checking is done), which results in IRQ +handler trying to touch the disabled HW and ends with marking NFC as +'DEAD' during of the driver's probe: + + pn544_hci_i2c 1-002a: NFC: nfc_en polarity : active high + pn544_hci_i2c 1-002a: NFC: invalid len byte + shdlc: llc_shdlc_recv_frame: NULL Frame -> link is dead + +This patch fixes the occasional NFC initialization failure on Nexus 7 +device. + +Signed-off-by: Dmitry Osipenko +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/nfc/pn544/i2c.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/nfc/pn544/i2c.c ++++ b/drivers/nfc/pn544/i2c.c +@@ -241,6 +241,7 @@ static void pn544_hci_i2c_platform_init( + + out: + gpio_set_value_cansleep(phy->gpio_en, !phy->en_polarity); ++ usleep_range(10000, 15000); + } + + static void pn544_hci_i2c_enable_mode(struct pn544_i2c_phy *phy, int run_mode) diff --git a/queue-4.4/sctp-move-the-format-error-check-out-of-__sctp_sf_do_9_1_abort.patch b/queue-4.4/sctp-move-the-format-error-check-out-of-__sctp_sf_do_9_1_abort.patch new file mode 100644 index 00000000000..a72a7b81d3d --- /dev/null +++ b/queue-4.4/sctp-move-the-format-error-check-out-of-__sctp_sf_do_9_1_abort.patch @@ -0,0 +1,103 @@ +From foo@baz Mon 02 Mar 2020 05:10:46 PM CET +From: Xin Long +Date: Tue, 18 Feb 2020 12:07:53 +0800 +Subject: sctp: move the format error check out of __sctp_sf_do_9_1_abort + +From: Xin Long + +[ Upstream commit 245709ec8be89af46ea7ef0444c9c80913999d99 ] + +When T2 timer is to be stopped, the asoc should also be deleted, +otherwise, there will be no chance to call sctp_association_free +and the asoc could last in memory forever. + +However, in sctp_sf_shutdown_sent_abort(), after adding the cmd +SCTP_CMD_TIMER_STOP for T2 timer, it may return error due to the +format error from __sctp_sf_do_9_1_abort() and miss adding +SCTP_CMD_ASSOC_FAILED where the asoc will be deleted. + +This patch is to fix it by moving the format error check out of +__sctp_sf_do_9_1_abort(), and do it before adding the cmd +SCTP_CMD_TIMER_STOP for T2 timer. + +Thanks Hangbin for reporting this issue by the fuzz testing. + +v1->v2: + - improve the comment in the code as Marcelo's suggestion. + +Fixes: 96ca468b86b0 ("sctp: check invalid value of length parameter in error cause") +Reported-by: Hangbin Liu +Acked-by: Marcelo Ricardo Leitner +Signed-off-by: Xin Long +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/sctp/sm_statefuns.c | 27 ++++++++++++++++++++------- + 1 file changed, 20 insertions(+), 7 deletions(-) + +--- a/net/sctp/sm_statefuns.c ++++ b/net/sctp/sm_statefuns.c +@@ -177,6 +177,16 @@ sctp_chunk_length_valid(struct sctp_chun + return 1; + } + ++/* Check for format error in an ABORT chunk */ ++static inline bool sctp_err_chunk_valid(struct sctp_chunk *chunk) ++{ ++ struct sctp_errhdr *err; ++ ++ sctp_walk_errors(err, chunk->chunk_hdr); ++ ++ return (void *)err == (void *)chunk->chunk_end; ++} ++ + /********************************************************** + * These are the state functions for handling chunk events. + **********************************************************/ +@@ -2159,6 +2169,9 @@ sctp_disposition_t sctp_sf_shutdown_pend + sctp_bind_addr_state(&asoc->base.bind_addr, &chunk->dest)) + return sctp_sf_discard_chunk(net, ep, asoc, type, arg, commands); + ++ if (!sctp_err_chunk_valid(chunk)) ++ return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); ++ + return __sctp_sf_do_9_1_abort(net, ep, asoc, type, arg, commands); + } + +@@ -2201,6 +2214,9 @@ sctp_disposition_t sctp_sf_shutdown_sent + sctp_bind_addr_state(&asoc->base.bind_addr, &chunk->dest)) + return sctp_sf_discard_chunk(net, ep, asoc, type, arg, commands); + ++ if (!sctp_err_chunk_valid(chunk)) ++ return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); ++ + /* Stop the T2-shutdown timer. */ + sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, + SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); +@@ -2466,6 +2482,9 @@ sctp_disposition_t sctp_sf_do_9_1_abort( + sctp_bind_addr_state(&asoc->base.bind_addr, &chunk->dest)) + return sctp_sf_discard_chunk(net, ep, asoc, type, arg, commands); + ++ if (!sctp_err_chunk_valid(chunk)) ++ return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); ++ + return __sctp_sf_do_9_1_abort(net, ep, asoc, type, arg, commands); + } + +@@ -2482,15 +2501,9 @@ static sctp_disposition_t __sctp_sf_do_9 + + /* See if we have an error cause code in the chunk. */ + len = ntohs(chunk->chunk_hdr->length); +- if (len >= sizeof(struct sctp_chunkhdr) + sizeof(struct sctp_errhdr)) { +- +- sctp_errhdr_t *err; +- sctp_walk_errors(err, chunk->chunk_hdr); +- if ((void *)err != (void *)chunk->chunk_end) +- return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); + ++ if (len >= sizeof(struct sctp_chunkhdr) + sizeof(struct sctp_errhdr)) + error = ((sctp_errhdr_t *)chunk->skb->data)->cause; +- } + + sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, SCTP_ERROR(ECONNRESET)); + /* ASSOC_FAILED will DELETE_TCB. */ diff --git a/queue-4.4/series b/queue-4.4/series index 993fe000b57..de55a1da206 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -10,3 +10,10 @@ cifs-fix-mode-output-in-debugging-statements.patch cfg80211-add-missing-policy-for-nl80211_attr_status_.patch sysrq-restore-original-console_loglevel-when-sysrq-disabled.patch sysrq-remove-duplicated-sysrq-message.patch +net-fib_rules-correctly-set-table-field-when-table-number-exceeds-8-bits.patch +net-phy-restore-mdio-regs-in-the-iproc-mdio-driver.patch +ipv6-fix-nlmsg_flags-when-splitting-a-multipath-route.patch +ipv6-fix-route-replacement-with-dev-only-route.patch +sctp-move-the-format-error-check-out-of-__sctp_sf_do_9_1_abort.patch +nfc-pn544-fix-occasional-hw-initialization-failure.patch +net-sched-correct-flower-port-blocking.patch