From: Greg Kroah-Hartman Date: Wed, 29 Jul 2020 11:42:17 +0000 (+0200) Subject: 4.9-stable patches X-Git-Tag: v4.4.232~13 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=715c19907b928ff6d747bd88d24ca54a95a86e9c;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: ax.25-fix-out-of-bounds-read-in-ax25_connect.patch ax.25-prevent-integer-overflows-in-connect-and-sendmsg.patch ax.25-prevent-out-of-bounds-read-in-ax25_sendmsg.patch dev-defer-free-of-skbs-in-flush_backlog.patch drivers-net-wan-x25_asy-fix-to-make-it-work.patch ip6_gre-fix-null-ptr-deref-in-ip6gre_init_net.patch net-sysfs-add-a-newline-when-printing-tx_timeout-by-sysfs.patch net-udp-fix-wrong-clean-up-for-is_udplite-macro.patch rxrpc-fix-sendmsg-returning-epipe-due-to-recvmsg-returning-enodata.patch tcp-allow-at-most-one-tlp-probe-per-flight.patch --- diff --git a/queue-4.9/ax.25-fix-out-of-bounds-read-in-ax25_connect.patch b/queue-4.9/ax.25-fix-out-of-bounds-read-in-ax25_connect.patch new file mode 100644 index 00000000000..697338aec05 --- /dev/null +++ b/queue-4.9/ax.25-fix-out-of-bounds-read-in-ax25_connect.patch @@ -0,0 +1,43 @@ +From foo@baz Wed 29 Jul 2020 12:42:55 PM CEST +From: Peilin Ye +Date: Wed, 22 Jul 2020 11:19:01 -0400 +Subject: AX.25: Fix out-of-bounds read in ax25_connect() + +From: Peilin Ye + +[ Upstream commit 2f2a7ffad5c6cbf3d438e813cfdc88230e185ba6 ] + +Checks on `addr_len` and `fsa->fsa_ax25.sax25_ndigis` are insufficient. +ax25_connect() can go out of bounds when `fsa->fsa_ax25.sax25_ndigis` +equals to 7 or 8. Fix it. + +This issue has been reported as a KMSAN uninit-value bug, because in such +a case, ax25_connect() reaches into the uninitialized portion of the +`struct sockaddr_storage` statically allocated in __sys_connect(). + +It is safe to remove `fsa->fsa_ax25.sax25_ndigis > AX25_MAX_DIGIS` because +`addr_len` is guaranteed to be less than or equal to +`sizeof(struct full_sockaddr_ax25)`. + +Reported-by: syzbot+c82752228ed975b0a623@syzkaller.appspotmail.com +Link: https://syzkaller.appspot.com/bug?id=55ef9d629f3b3d7d70b69558015b63b48d01af66 +Signed-off-by: Peilin Ye +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ax25/af_ax25.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/net/ax25/af_ax25.c ++++ b/net/ax25/af_ax25.c +@@ -1191,7 +1191,9 @@ static int __must_check ax25_connect(str + if (addr_len > sizeof(struct sockaddr_ax25) && + fsa->fsa_ax25.sax25_ndigis != 0) { + /* Valid number of digipeaters ? */ +- if (fsa->fsa_ax25.sax25_ndigis < 1 || fsa->fsa_ax25.sax25_ndigis > AX25_MAX_DIGIS) { ++ if (fsa->fsa_ax25.sax25_ndigis < 1 || ++ addr_len < sizeof(struct sockaddr_ax25) + ++ sizeof(ax25_address) * fsa->fsa_ax25.sax25_ndigis) { + err = -EINVAL; + goto out_release; + } diff --git a/queue-4.9/ax.25-prevent-integer-overflows-in-connect-and-sendmsg.patch b/queue-4.9/ax.25-prevent-integer-overflows-in-connect-and-sendmsg.patch new file mode 100644 index 00000000000..78f3ff1d3fc --- /dev/null +++ b/queue-4.9/ax.25-prevent-integer-overflows-in-connect-and-sendmsg.patch @@ -0,0 +1,46 @@ +From foo@baz Wed 29 Jul 2020 12:42:55 PM CEST +From: Dan Carpenter +Date: Thu, 23 Jul 2020 17:49:57 +0300 +Subject: AX.25: Prevent integer overflows in connect and sendmsg + +From: Dan Carpenter + +[ Upstream commit 17ad73e941b71f3bec7523ea4e9cbc3752461c2d ] + +We recently added some bounds checking in ax25_connect() and +ax25_sendmsg() and we so we removed the AX25_MAX_DIGIS checks because +they were no longer required. + +Unfortunately, I believe they are required to prevent integer overflows +so I have added them back. + +Fixes: 8885bb0621f0 ("AX.25: Prevent out-of-bounds read in ax25_sendmsg()") +Fixes: 2f2a7ffad5c6 ("AX.25: Fix out-of-bounds read in ax25_connect()") +Signed-off-by: Dan Carpenter +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ax25/af_ax25.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/net/ax25/af_ax25.c ++++ b/net/ax25/af_ax25.c +@@ -1192,6 +1192,7 @@ static int __must_check ax25_connect(str + fsa->fsa_ax25.sax25_ndigis != 0) { + /* Valid number of digipeaters ? */ + if (fsa->fsa_ax25.sax25_ndigis < 1 || ++ fsa->fsa_ax25.sax25_ndigis > AX25_MAX_DIGIS || + addr_len < sizeof(struct sockaddr_ax25) + + sizeof(ax25_address) * fsa->fsa_ax25.sax25_ndigis) { + err = -EINVAL; +@@ -1512,7 +1513,9 @@ static int ax25_sendmsg(struct socket *s + struct full_sockaddr_ax25 *fsa = (struct full_sockaddr_ax25 *)usax; + + /* Valid number of digipeaters ? */ +- if (usax->sax25_ndigis < 1 || addr_len < sizeof(struct sockaddr_ax25) + ++ if (usax->sax25_ndigis < 1 || ++ usax->sax25_ndigis > AX25_MAX_DIGIS || ++ addr_len < sizeof(struct sockaddr_ax25) + + sizeof(ax25_address) * usax->sax25_ndigis) { + err = -EINVAL; + goto out; diff --git a/queue-4.9/ax.25-prevent-out-of-bounds-read-in-ax25_sendmsg.patch b/queue-4.9/ax.25-prevent-out-of-bounds-read-in-ax25_sendmsg.patch new file mode 100644 index 00000000000..9f7aa4b3745 --- /dev/null +++ b/queue-4.9/ax.25-prevent-out-of-bounds-read-in-ax25_sendmsg.patch @@ -0,0 +1,36 @@ +From foo@baz Wed 29 Jul 2020 12:42:55 PM CEST +From: Peilin Ye +Date: Wed, 22 Jul 2020 12:05:12 -0400 +Subject: AX.25: Prevent out-of-bounds read in ax25_sendmsg() + +From: Peilin Ye + +[ Upstream commit 8885bb0621f01a6c82be60a91e5fc0f6e2f71186 ] + +Checks on `addr_len` and `usax->sax25_ndigis` are insufficient. +ax25_sendmsg() can go out of bounds when `usax->sax25_ndigis` equals to 7 +or 8. Fix it. + +It is safe to remove `usax->sax25_ndigis > AX25_MAX_DIGIS`, since +`addr_len` is guaranteed to be less than or equal to +`sizeof(struct full_sockaddr_ax25)` + +Signed-off-by: Peilin Ye +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ax25/af_ax25.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/ax25/af_ax25.c ++++ b/net/ax25/af_ax25.c +@@ -1512,7 +1512,8 @@ static int ax25_sendmsg(struct socket *s + struct full_sockaddr_ax25 *fsa = (struct full_sockaddr_ax25 *)usax; + + /* Valid number of digipeaters ? */ +- if (usax->sax25_ndigis < 1 || usax->sax25_ndigis > AX25_MAX_DIGIS) { ++ if (usax->sax25_ndigis < 1 || addr_len < sizeof(struct sockaddr_ax25) + ++ sizeof(ax25_address) * usax->sax25_ndigis) { + err = -EINVAL; + goto out; + } diff --git a/queue-4.9/dev-defer-free-of-skbs-in-flush_backlog.patch b/queue-4.9/dev-defer-free-of-skbs-in-flush_backlog.patch new file mode 100644 index 00000000000..6dcb64f256e --- /dev/null +++ b/queue-4.9/dev-defer-free-of-skbs-in-flush_backlog.patch @@ -0,0 +1,31 @@ +From foo@baz Wed 29 Jul 2020 12:42:55 PM CEST +From: Subash Abhinov Kasiviswanathan +Date: Thu, 23 Jul 2020 11:31:48 -0600 +Subject: dev: Defer free of skbs in flush_backlog + +From: Subash Abhinov Kasiviswanathan + +[ Upstream commit 7df5cb75cfb8acf96c7f2342530eb41e0c11f4c3 ] + +IRQs are disabled when freeing skbs in input queue. +Use the IRQ safe variant to free skbs here. + +Fixes: 145dd5f9c88f ("net: flush the softnet backlog in process context") +Signed-off-by: Subash Abhinov Kasiviswanathan +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/core/dev.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -4392,7 +4392,7 @@ static void flush_backlog(struct work_st + skb_queue_walk_safe(&sd->input_pkt_queue, skb, tmp) { + if (skb->dev->reg_state == NETREG_UNREGISTERING) { + __skb_unlink(skb, &sd->input_pkt_queue); +- kfree_skb(skb); ++ dev_kfree_skb_irq(skb); + input_queue_head_incr(sd); + } + } diff --git a/queue-4.9/drivers-net-wan-x25_asy-fix-to-make-it-work.patch b/queue-4.9/drivers-net-wan-x25_asy-fix-to-make-it-work.patch new file mode 100644 index 00000000000..66298a6c21f --- /dev/null +++ b/queue-4.9/drivers-net-wan-x25_asy-fix-to-make-it-work.patch @@ -0,0 +1,102 @@ +From foo@baz Wed 29 Jul 2020 12:42:55 PM CEST +From: Xie He +Date: Thu, 16 Jul 2020 16:44:33 -0700 +Subject: drivers/net/wan/x25_asy: Fix to make it work + +From: Xie He + +[ Upstream commit 8fdcabeac39824fe67480fd9508d80161c541854 ] + +This driver is not working because of problems of its receiving code. +This patch fixes it to make it work. + +When the driver receives an LAPB frame, it should first pass the frame +to the LAPB module to process. After processing, the LAPB module passes +the data (the packet) back to the driver, the driver should then add a +one-byte pseudo header and pass the data to upper layers. + +The changes to the "x25_asy_bump" function and the +"x25_asy_data_indication" function are to correctly implement this +procedure. + +Also, the "x25_asy_unesc" function ignores any frame that is shorter +than 3 bytes. However the shortest frames are 2-byte long. So we need +to change it to allow 2-byte frames to pass. + +Cc: Eric Dumazet +Cc: Martin Schiller +Signed-off-by: Xie He +Reviewed-by: Martin Schiller +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wan/x25_asy.c | 21 ++++++++++++++------- + 1 file changed, 14 insertions(+), 7 deletions(-) + +--- a/drivers/net/wan/x25_asy.c ++++ b/drivers/net/wan/x25_asy.c +@@ -186,7 +186,7 @@ static inline void x25_asy_unlock(struct + netif_wake_queue(sl->dev); + } + +-/* Send one completely decapsulated IP datagram to the IP layer. */ ++/* Send an LAPB frame to the LAPB module to process. */ + + static void x25_asy_bump(struct x25_asy *sl) + { +@@ -198,13 +198,12 @@ static void x25_asy_bump(struct x25_asy + count = sl->rcount; + dev->stats.rx_bytes += count; + +- skb = dev_alloc_skb(count+1); ++ skb = dev_alloc_skb(count); + if (skb == NULL) { + netdev_warn(sl->dev, "memory squeeze, dropping packet\n"); + dev->stats.rx_dropped++; + return; + } +- skb_push(skb, 1); /* LAPB internal control */ + memcpy(skb_put(skb, count), sl->rbuff, count); + skb->protocol = x25_type_trans(skb, sl->dev); + err = lapb_data_received(skb->dev, skb); +@@ -212,7 +211,6 @@ static void x25_asy_bump(struct x25_asy + kfree_skb(skb); + printk(KERN_DEBUG "x25_asy: data received err - %d\n", err); + } else { +- netif_rx(skb); + dev->stats.rx_packets++; + } + } +@@ -358,12 +356,21 @@ static netdev_tx_t x25_asy_xmit(struct s + */ + + /* +- * Called when I frame data arrives. We did the work above - throw it +- * at the net layer. ++ * Called when I frame data arrive. We add a pseudo header for upper ++ * layers and pass it to upper layers. + */ + + static int x25_asy_data_indication(struct net_device *dev, struct sk_buff *skb) + { ++ if (skb_cow(skb, 1)) { ++ kfree_skb(skb); ++ return NET_RX_DROP; ++ } ++ skb_push(skb, 1); ++ skb->data[0] = X25_IFACE_DATA; ++ ++ skb->protocol = x25_type_trans(skb, dev); ++ + return netif_rx(skb); + } + +@@ -659,7 +666,7 @@ static void x25_asy_unesc(struct x25_asy + switch (s) { + case X25_END: + if (!test_and_clear_bit(SLF_ERROR, &sl->flags) && +- sl->rcount > 2) ++ sl->rcount >= 2) + x25_asy_bump(sl); + clear_bit(SLF_ESCAPE, &sl->flags); + sl->rcount = 0; diff --git a/queue-4.9/ip6_gre-fix-null-ptr-deref-in-ip6gre_init_net.patch b/queue-4.9/ip6_gre-fix-null-ptr-deref-in-ip6gre_init_net.patch new file mode 100644 index 00000000000..86f0c69f52b --- /dev/null +++ b/queue-4.9/ip6_gre-fix-null-ptr-deref-in-ip6gre_init_net.patch @@ -0,0 +1,81 @@ +From foo@baz Wed 29 Jul 2020 12:20:23 PM CEST +From: Wei Yongjun +Date: Mon, 13 Jul 2020 23:59:50 +0800 +Subject: ip6_gre: fix null-ptr-deref in ip6gre_init_net() + +From: Wei Yongjun + +[ Upstream commit 46ef5b89ec0ecf290d74c4aee844f063933c4da4 ] + +KASAN report null-ptr-deref error when register_netdev() failed: + +KASAN: null-ptr-deref in range [0x00000000000003c0-0x00000000000003c7] +CPU: 2 PID: 422 Comm: ip Not tainted 5.8.0-rc4+ #12 +Call Trace: + ip6gre_init_net+0x4ab/0x580 + ? ip6gre_tunnel_uninit+0x3f0/0x3f0 + ops_init+0xa8/0x3c0 + setup_net+0x2de/0x7e0 + ? rcu_read_lock_bh_held+0xb0/0xb0 + ? ops_init+0x3c0/0x3c0 + ? kasan_unpoison_shadow+0x33/0x40 + ? __kasan_kmalloc.constprop.0+0xc2/0xd0 + copy_net_ns+0x27d/0x530 + create_new_namespaces+0x382/0xa30 + unshare_nsproxy_namespaces+0xa1/0x1d0 + ksys_unshare+0x39c/0x780 + ? walk_process_tree+0x2a0/0x2a0 + ? trace_hardirqs_on+0x4a/0x1b0 + ? _raw_spin_unlock_irq+0x1f/0x30 + ? syscall_trace_enter+0x1a7/0x330 + ? do_syscall_64+0x1c/0xa0 + __x64_sys_unshare+0x2d/0x40 + do_syscall_64+0x56/0xa0 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +ip6gre_tunnel_uninit() has set 'ign->fb_tunnel_dev' to NULL, later +access to ign->fb_tunnel_dev cause null-ptr-deref. Fix it by saving +'ign->fb_tunnel_dev' to local variable ndev. + +Fixes: dafabb6590cb ("ip6_gre: fix use-after-free in ip6gre_tunnel_lookup()") +Reported-by: Hulk Robot +Signed-off-by: Wei Yongjun +Reviewed-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/ip6_gre.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +--- a/net/ipv6/ip6_gre.c ++++ b/net/ipv6/ip6_gre.c +@@ -1130,15 +1130,16 @@ static void ip6gre_destroy_tunnels(struc + static int __net_init ip6gre_init_net(struct net *net) + { + struct ip6gre_net *ign = net_generic(net, ip6gre_net_id); ++ struct net_device *ndev; + int err; + +- ign->fb_tunnel_dev = alloc_netdev(sizeof(struct ip6_tnl), "ip6gre0", +- NET_NAME_UNKNOWN, +- ip6gre_tunnel_setup); +- if (!ign->fb_tunnel_dev) { ++ ndev = alloc_netdev(sizeof(struct ip6_tnl), "ip6gre0", ++ NET_NAME_UNKNOWN, ip6gre_tunnel_setup); ++ if (!ndev) { + err = -ENOMEM; + goto err_alloc_dev; + } ++ ign->fb_tunnel_dev = ndev; + dev_net_set(ign->fb_tunnel_dev, net); + /* FB netdevice is special: we have one, and only one per netns. + * Allowing to move it to another netns is clearly unsafe. +@@ -1158,7 +1159,7 @@ static int __net_init ip6gre_init_net(st + return 0; + + err_reg_dev: +- ip6gre_dev_free(ign->fb_tunnel_dev); ++ ip6gre_dev_free(ndev); + err_alloc_dev: + return err; + } diff --git a/queue-4.9/net-sysfs-add-a-newline-when-printing-tx_timeout-by-sysfs.patch b/queue-4.9/net-sysfs-add-a-newline-when-printing-tx_timeout-by-sysfs.patch new file mode 100644 index 00000000000..661cf11dc0c --- /dev/null +++ b/queue-4.9/net-sysfs-add-a-newline-when-printing-tx_timeout-by-sysfs.patch @@ -0,0 +1,33 @@ +From foo@baz Wed 29 Jul 2020 12:42:55 PM CEST +From: Xiongfeng Wang +Date: Tue, 21 Jul 2020 15:02:57 +0800 +Subject: net-sysfs: add a newline when printing 'tx_timeout' by sysfs + +From: Xiongfeng Wang + +[ Upstream commit 9bb5fbea59f36a589ef886292549ca4052fe676c ] + +When I cat 'tx_timeout' by sysfs, it displays as follows. It's better to +add a newline for easy reading. + +root@syzkaller:~# cat /sys/devices/virtual/net/lo/queues/tx-0/tx_timeout +0root@syzkaller:~# + +Signed-off-by: Xiongfeng Wang +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/core/net-sysfs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/core/net-sysfs.c ++++ b/net/core/net-sysfs.c +@@ -1018,7 +1018,7 @@ static ssize_t show_trans_timeout(struct + trans_timeout = queue->trans_timeout; + spin_unlock_irq(&queue->_xmit_lock); + +- return sprintf(buf, "%lu", trans_timeout); ++ return sprintf(buf, fmt_ulong, trans_timeout); + } + + #ifdef CONFIG_XPS diff --git a/queue-4.9/net-udp-fix-wrong-clean-up-for-is_udplite-macro.patch b/queue-4.9/net-udp-fix-wrong-clean-up-for-is_udplite-macro.patch new file mode 100644 index 00000000000..9b3504aae17 --- /dev/null +++ b/queue-4.9/net-udp-fix-wrong-clean-up-for-is_udplite-macro.patch @@ -0,0 +1,43 @@ +From foo@baz Wed 29 Jul 2020 12:42:55 PM CEST +From: Miaohe Lin +Date: Tue, 21 Jul 2020 17:11:44 +0800 +Subject: net: udp: Fix wrong clean up for IS_UDPLITE macro + +From: Miaohe Lin + +[ Upstream commit b0a422772fec29811e293c7c0e6f991c0fd9241d ] + +We can't use IS_UDPLITE to replace udp_sk->pcflag when UDPLITE_RECV_CC is +checked. + +Fixes: b2bf1e2659b1 ("[UDP]: Clean up for IS_UDPLITE macro") +Signed-off-by: Miaohe Lin +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/udp.c | 2 +- + net/ipv6/udp.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +--- a/net/ipv4/udp.c ++++ b/net/ipv4/udp.c +@@ -1554,7 +1554,7 @@ int udp_queue_rcv_skb(struct sock *sk, s + /* + * UDP-Lite specific tests, ignored on UDP sockets + */ +- if ((is_udplite & UDPLITE_RECV_CC) && UDP_SKB_CB(skb)->partial_cov) { ++ if ((up->pcflag & UDPLITE_RECV_CC) && UDP_SKB_CB(skb)->partial_cov) { + + /* + * MIB statistics other than incrementing the error count are +--- a/net/ipv6/udp.c ++++ b/net/ipv6/udp.c +@@ -601,7 +601,7 @@ int udpv6_queue_rcv_skb(struct sock *sk, + /* + * UDP-Lite specific tests, ignored on UDP sockets (see net/ipv4/udp.c). + */ +- if ((is_udplite & UDPLITE_RECV_CC) && UDP_SKB_CB(skb)->partial_cov) { ++ if ((up->pcflag & UDPLITE_RECV_CC) && UDP_SKB_CB(skb)->partial_cov) { + + if (up->pcrlen == 0) { /* full coverage was set */ + net_dbg_ratelimited("UDPLITE6: partial coverage %d while full coverage %d requested\n", diff --git a/queue-4.9/rxrpc-fix-sendmsg-returning-epipe-due-to-recvmsg-returning-enodata.patch b/queue-4.9/rxrpc-fix-sendmsg-returning-epipe-due-to-recvmsg-returning-enodata.patch new file mode 100644 index 00000000000..f343880abc3 --- /dev/null +++ b/queue-4.9/rxrpc-fix-sendmsg-returning-epipe-due-to-recvmsg-returning-enodata.patch @@ -0,0 +1,51 @@ +From foo@baz Wed 29 Jul 2020 12:42:55 PM CEST +From: David Howells +Date: Mon, 20 Jul 2020 12:41:46 +0100 +Subject: rxrpc: Fix sendmsg() returning EPIPE due to recvmsg() returning ENODATA + +From: David Howells + +[ Upstream commit 639f181f0ee20d3249dbc55f740f0167267180f0 ] + +rxrpc_sendmsg() returns EPIPE if there's an outstanding error, such as if +rxrpc_recvmsg() indicating ENODATA if there's nothing for it to read. + +Change rxrpc_recvmsg() to return EAGAIN instead if there's nothing to read +as this particular error doesn't get stored in ->sk_err by the networking +core. + +Also change rxrpc_sendmsg() so that it doesn't fail with delayed receive +errors (there's no way for it to report which call, if any, the error was +caused by). + +Fixes: 17926a79320a ("[AF_RXRPC]: Provide secure RxRPC sockets for use by userspace and kernel both") +Signed-off-by: David Howells +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/rxrpc/recvmsg.c | 2 +- + net/rxrpc/sendmsg.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +--- a/net/rxrpc/recvmsg.c ++++ b/net/rxrpc/recvmsg.c +@@ -439,7 +439,7 @@ try_again: + list_empty(&rx->recvmsg_q) && + rx->sk.sk_state != RXRPC_SERVER_LISTENING) { + release_sock(&rx->sk); +- return -ENODATA; ++ return -EAGAIN; + } + + if (list_empty(&rx->recvmsg_q)) { +--- a/net/rxrpc/sendmsg.c ++++ b/net/rxrpc/sendmsg.c +@@ -191,7 +191,7 @@ static int rxrpc_send_data(struct rxrpc_ + /* this should be in poll */ + sk_clear_bit(SOCKWQ_ASYNC_NOSPACE, sk); + +- if (sk->sk_err || (sk->sk_shutdown & SEND_SHUTDOWN)) ++ if (sk->sk_shutdown & SEND_SHUTDOWN) + return -EPIPE; + + more = msg->msg_flags & MSG_MORE; diff --git a/queue-4.9/series b/queue-4.9/series index 23b83620d1d..f8f371dc289 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -43,3 +43,13 @@ io-mapping-indicate-mapping-failure.patch parisc-add-atomic64_set_release-define-to-avoid-cpu-soft-lockups.patch ath9k-fix-general-protection-fault-in-ath9k_hif_usb_rx_cb.patch ath9k-fix-regression-with-atheros-9271.patch +ax.25-fix-out-of-bounds-read-in-ax25_connect.patch +ax.25-prevent-out-of-bounds-read-in-ax25_sendmsg.patch +dev-defer-free-of-skbs-in-flush_backlog.patch +net-sysfs-add-a-newline-when-printing-tx_timeout-by-sysfs.patch +net-udp-fix-wrong-clean-up-for-is_udplite-macro.patch +rxrpc-fix-sendmsg-returning-epipe-due-to-recvmsg-returning-enodata.patch +ax.25-prevent-integer-overflows-in-connect-and-sendmsg.patch +tcp-allow-at-most-one-tlp-probe-per-flight.patch +ip6_gre-fix-null-ptr-deref-in-ip6gre_init_net.patch +drivers-net-wan-x25_asy-fix-to-make-it-work.patch diff --git a/queue-4.9/tcp-allow-at-most-one-tlp-probe-per-flight.patch b/queue-4.9/tcp-allow-at-most-one-tlp-probe-per-flight.patch new file mode 100644 index 00000000000..8335d5eb79d --- /dev/null +++ b/queue-4.9/tcp-allow-at-most-one-tlp-probe-per-flight.patch @@ -0,0 +1,124 @@ +From foo@baz Wed 29 Jul 2020 12:20:23 PM CEST +From: Yuchung Cheng +Date: Thu, 23 Jul 2020 12:00:06 -0700 +Subject: tcp: allow at most one TLP probe per flight + +From: Yuchung Cheng + +[ Upstream commit 76be93fc0702322179bb0ea87295d820ee46ad14 ] + +Previously TLP may send multiple probes of new data in one +flight. This happens when the sender is cwnd limited. After the +initial TLP containing new data is sent, the sender receives another +ACK that acks partial inflight. It may re-arm another TLP timer +to send more, if no further ACK returns before the next TLP timeout +(PTO) expires. The sender may send in theory a large amount of TLP +until send queue is depleted. This only happens if the sender sees +such irregular uncommon ACK pattern. But it is generally undesirable +behavior during congestion especially. + +The original TLP design restrict only one TLP probe per inflight as +published in "Reducing Web Latency: the Virtue of Gentle Aggression", +SIGCOMM 2013. This patch changes TLP to send at most one probe +per inflight. + +Note that if the sender is app-limited, TLP retransmits old data +and did not have this issue. + +Signed-off-by: Yuchung Cheng +Signed-off-by: Neal Cardwell +Signed-off-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/tcp.h | 4 +++- + net/ipv4/tcp_input.c | 11 ++++++----- + net/ipv4/tcp_output.c | 13 ++++++++----- + 3 files changed, 17 insertions(+), 11 deletions(-) + +--- a/include/linux/tcp.h ++++ b/include/linux/tcp.h +@@ -218,6 +218,8 @@ struct tcp_sock { + u8 reord; /* reordering detected */ + } rack; + u16 advmss; /* Advertised MSS */ ++ u8 tlp_retrans:1, /* TLP is a retransmission */ ++ unused_1:7; + u8 rate_app_limited:1, /* rate_{delivered,interval_us} limited? */ + is_sack_reneg:1, /* in recovery from loss with SACK reneg? */ + unused:6; +@@ -234,7 +236,7 @@ struct tcp_sock { + syn_data_acked:1,/* data in SYN is acked by SYN-ACK */ + save_syn:1, /* Save headers of SYN packet */ + is_cwnd_limited:1;/* forward progress limited by snd_cwnd? */ +- u32 tlp_high_seq; /* snd_nxt at the time of TLP retransmit. */ ++ u32 tlp_high_seq; /* snd_nxt at the time of TLP */ + + /* RTT measurement */ + u32 srtt_us; /* smoothed round trip time << 3 in usecs */ +--- a/net/ipv4/tcp_input.c ++++ b/net/ipv4/tcp_input.c +@@ -3566,10 +3566,8 @@ static void tcp_replace_ts_recent(struct + } + } + +-/* This routine deals with acks during a TLP episode. +- * We mark the end of a TLP episode on receiving TLP dupack or when +- * ack is after tlp_high_seq. +- * Ref: loss detection algorithm in draft-dukkipati-tcpm-tcp-loss-probe. ++/* This routine deals with acks during a TLP episode and ends an episode by ++ * resetting tlp_high_seq. Ref: TLP algorithm in draft-ietf-tcpm-rack + */ + static void tcp_process_tlp_ack(struct sock *sk, u32 ack, int flag) + { +@@ -3578,7 +3576,10 @@ static void tcp_process_tlp_ack(struct s + if (before(ack, tp->tlp_high_seq)) + return; + +- if (flag & FLAG_DSACKING_ACK) { ++ if (!tp->tlp_retrans) { ++ /* TLP of new data has been acknowledged */ ++ tp->tlp_high_seq = 0; ++ } else if (flag & FLAG_DSACKING_ACK) { + /* This DSACK means original and TLP probe arrived; no loss */ + tp->tlp_high_seq = 0; + } else if (after(ack, tp->tlp_high_seq)) { +--- a/net/ipv4/tcp_output.c ++++ b/net/ipv4/tcp_output.c +@@ -2357,6 +2357,11 @@ void tcp_send_loss_probe(struct sock *sk + int pcount; + int mss = tcp_current_mss(sk); + ++ /* At most one outstanding TLP */ ++ if (tp->tlp_high_seq) ++ goto rearm_timer; ++ ++ tp->tlp_retrans = 0; + skb = tcp_send_head(sk); + if (skb) { + if (tcp_snd_wnd_test(tp, skb, mss)) { +@@ -2379,10 +2384,6 @@ void tcp_send_loss_probe(struct sock *sk + return; + } + +- /* At most one outstanding TLP retransmission. */ +- if (tp->tlp_high_seq) +- goto rearm_timer; +- + if (skb_still_in_host_queue(sk, skb)) + goto rearm_timer; + +@@ -2403,10 +2404,12 @@ void tcp_send_loss_probe(struct sock *sk + if (__tcp_retransmit_skb(sk, skb, 1)) + goto rearm_timer; + ++ tp->tlp_retrans = 1; ++ ++probe_sent: + /* Record snd_nxt for loss detection. */ + tp->tlp_high_seq = tp->snd_nxt; + +-probe_sent: + NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPLOSSPROBES); + /* Reset s.t. tcp_rearm_rto will restart timer from now */ + inet_csk(sk)->icsk_pending = 0;