From: Greg Kroah-Hartman Date: Sun, 15 Mar 2020 12:59:04 +0000 (+0100) Subject: 4.9-stable patches X-Git-Tag: v4.19.110~6 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=746abf28bcfd12a0221c74a266c05b3c4239961c;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: bnxt_en-reinitialize-irqs-when-mtu-is-modified.patch bonding-alb-make-sure-arp-header-is-pulled-before-accessing-it.patch cgroup-memcg-net-do-not-associate-sock-with-unrelated-cgroup.patch cgroup-netclassid-periodically-release-file_lock-on-classid-updating.patch fib-add-missing-attribute-validation-for-tun_id.patch gre-fix-uninit-value-in-__iptunnel_pull_header.patch ipv6-addrconf-call-ipv6_mc_up-for-non-ethernet-interface.patch ipvlan-add-cond_resched_rcu-while-processing-muticast-backlog.patch ipvlan-do-not-add-hardware-address-of-master-to-its-unicast-filter-list.patch ipvlan-do-not-use-cond_resched_rcu-in-ipvlan_process_multicast.patch ipvlan-don-t-deref-eth-hdr-before-checking-it-s-set.patch ipvlan-egress-mcast-packets-are-not-exceptional.patch macsec-add-missing-attribute-validation-for-port.patch macvlan-add-cond_resched-during-multicast-processing.patch net-fec-validate-the-new-settings-in-fec_enet_set_coalesce.patch net-fq-add-missing-attribute-validation-for-orphan-mask.patch net-macsec-update-sci-upon-mac-address-change.patch net-nfc-fix-bounds-checking-bugs-on-pipe.patch net-phy-fix-mdio-bus-pm-phy-resuming.patch nfc-add-missing-attribute-validation-for-se-api.patch nfc-add-missing-attribute-validation-for-vendor-subcommand.patch nl802154-add-missing-attribute-validation-for-dev_type.patch nl802154-add-missing-attribute-validation.patch r8152-check-disconnect-status-after-long-sleep.patch slip-make-slhc_compress-more-robust-against-malicious-packets.patch team-add-missing-attribute-validation-for-array-index.patch team-add-missing-attribute-validation-for-port-ifindex.patch --- 
diff --git a/queue-4.9/bnxt_en-reinitialize-irqs-when-mtu-is-modified.patch b/queue-4.9/bnxt_en-reinitialize-irqs-when-mtu-is-modified.patch
new file mode 100644
index 00000000000..892a608b873
--- /dev/null
+++ b/queue-4.9/bnxt_en-reinitialize-irqs-when-mtu-is-modified.patch
@@ -0,0 +1,45 @@
+From foo@baz Sun 15 Mar 2020 01:01:22 PM CET
+From: Vasundhara Volam
+Date: Sun, 1 Mar 2020 22:07:17 -0500
+Subject: bnxt_en: reinitialize IRQs when MTU is modified
+
+From: Vasundhara Volam
+
+[ Upstream commit a9b952d267e59a3b405e644930f46d252cea7122 ]
+
+MTU changes may affect the number of IRQs so we must call
+bnxt_close_nic()/bnxt_open_nic() with the irq_re_init parameter
+set to true. The reason is that a larger MTU may require
+aggregation rings not needed with smaller MTU. We may not be
+able to allocate the required number of aggregation rings and
+so we reduce the number of channels which will change the number
+of IRQs. Without this patch, it may crash eventually in
+pci_disable_msix() when the IRQs are not properly unwound.
+
+Fixes: c0c050c58d84 ("bnxt_en: New Broadcom ethernet driver.")
+Signed-off-by: Vasundhara Volam
+Signed-off-by: Michael Chan
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+@@ -6439,13 +6439,13 @@ static int bnxt_change_mtu(struct net_de
+ return -EINVAL;
+
+ if (netif_running(dev))
+- bnxt_close_nic(bp, false, false);
++ bnxt_close_nic(bp, true, false);
+
+ dev->mtu = new_mtu;
+ bnxt_set_ring_params(bp);
+
+ if (netif_running(dev))
+- return bnxt_open_nic(bp, false, false);
++ return bnxt_open_nic(bp, true, false);
+
+ return 0;
+ }
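Review bot: In bnxt_change_mtu(), when the final `bnxt_open_nic(bp, true, false)` fails, its error is returned with `dev->mtu` already set to `new_mtu` and the device left closed, and nothing in the hunk restores the previous state. With `irq_re_init` now true the reopen presumably also has to re-acquire IRQs, so this path may be more reachable than before; whether bnxt_open_nic() cleans up after itself is not visible here. At minimum I would add a comment above the reopen, `/* On failure the NIC stays down with the new MTU; IRQs were released by bnxt_close_nic(). */`, so the behaviour is a documented choice. The function starts outside the hunk.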
diff --git a/queue-4.9/bonding-alb-make-sure-arp-header-is-pulled-before-accessing-it.patch b/queue-4.9/bonding-alb-make-sure-arp-header-is-pulled-before-accessing-it.patch new file mode 100644 index 00000000000..cae8fc78ec1 --- /dev/null +++ b/queue-4.9/bonding-alb-make-sure-arp-header-is-pulled-before-accessing-it.patch 
@@ -0,0 +1,155 @@ +From foo@baz Sun 15 Mar 2020 11:34:22 AM CET +From: Eric Dumazet +Date: Wed, 4 Mar 2020 09:32:16 -0800 +Subject: bonding/alb: make sure arp header is pulled before accessing it + +From: Eric Dumazet + +Similar to commit 38f88c454042 ("bonding/alb: properly access headers +in bond_alb_xmit()"), we need to make sure arp header was pulled +in skb->head before blindly accessing it in rlb_arp_xmit(). + +Remove arp_pkt() private helper, since it is more readable/obvious +to have the following construct back to back : + + if (!pskb_network_may_pull(skb, sizeof(*arp))) + return NULL; + arp = (struct arp_pkt *)skb_network_header(skb); + +syzbot reported : + +BUG: KMSAN: uninit-value in bond_slave_has_mac_rx include/net/bonding.h:704 [inline] +BUG: KMSAN: uninit-value in rlb_arp_xmit drivers/net/bonding/bond_alb.c:662 [inline] +BUG: KMSAN: uninit-value in bond_alb_xmit+0x575/0x25e0 drivers/net/bonding/bond_alb.c:1477 +CPU: 0 PID: 12743 Comm: syz-executor.4 Not tainted 5.6.0-rc2-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0x1c9/0x220 lib/dump_stack.c:118 + kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:118 + __msan_warning+0x58/0xa0 mm/kmsan/kmsan_instr.c:215 + bond_slave_has_mac_rx include/net/bonding.h:704 [inline] + rlb_arp_xmit drivers/net/bonding/bond_alb.c:662 [inline] + bond_alb_xmit+0x575/0x25e0 drivers/net/bonding/bond_alb.c:1477 + __bond_start_xmit drivers/net/bonding/bond_main.c:4257 [inline] + bond_start_xmit+0x85d/0x2f70 drivers/net/bonding/bond_main.c:4282 + __netdev_start_xmit include/linux/netdevice.h:4524 [inline] + netdev_start_xmit include/linux/netdevice.h:4538 [inline] + xmit_one net/core/dev.c:3470 [inline] + dev_hard_start_xmit+0x531/0xab0 net/core/dev.c:3486 + __dev_queue_xmit+0x37de/0x4220 net/core/dev.c:4063 + dev_queue_xmit+0x4b/0x60 net/core/dev.c:4096 + packet_snd net/packet/af_packet.c:2967 [inline] 
+ packet_sendmsg+0x8347/0x93b0 net/packet/af_packet.c:2992 + sock_sendmsg_nosec net/socket.c:652 [inline] + sock_sendmsg net/socket.c:672 [inline] + __sys_sendto+0xc1b/0xc50 net/socket.c:1998 + __do_sys_sendto net/socket.c:2010 [inline] + __se_sys_sendto+0x107/0x130 net/socket.c:2006 + __x64_sys_sendto+0x6e/0x90 net/socket.c:2006 + do_syscall_64+0xb8/0x160 arch/x86/entry/common.c:296 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 +RIP: 0033:0x45c479 +Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 +RSP: 002b:00007fc77ffbbc78 EFLAGS: 00000246 ORIG_RAX: 000000000000002c +RAX: ffffffffffffffda RBX: 00007fc77ffbc6d4 RCX: 000000000045c479 +RDX: 000000000000000e RSI: 00000000200004c0 RDI: 0000000000000003 +RBP: 000000000076bf20 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff +R13: 0000000000000a04 R14: 00000000004cc7b0 R15: 000000000076bf2c + +Uninit was created at: + kmsan_save_stack_with_flags mm/kmsan/kmsan.c:144 [inline] + kmsan_internal_poison_shadow+0x66/0xd0 mm/kmsan/kmsan.c:127 + kmsan_slab_alloc+0x8a/0xe0 mm/kmsan/kmsan_hooks.c:82 + slab_alloc_node mm/slub.c:2793 [inline] + __kmalloc_node_track_caller+0xb40/0x1200 mm/slub.c:4401 + __kmalloc_reserve net/core/skbuff.c:142 [inline] + __alloc_skb+0x2fd/0xac0 net/core/skbuff.c:210 + alloc_skb include/linux/skbuff.h:1051 [inline] + alloc_skb_with_frags+0x18c/0xa70 net/core/skbuff.c:5766 + sock_alloc_send_pskb+0xada/0xc60 net/core/sock.c:2242 + packet_alloc_skb net/packet/af_packet.c:2815 [inline] + packet_snd net/packet/af_packet.c:2910 [inline] + packet_sendmsg+0x66a0/0x93b0 net/packet/af_packet.c:2992 + sock_sendmsg_nosec net/socket.c:652 [inline] + sock_sendmsg net/socket.c:672 [inline] + __sys_sendto+0xc1b/0xc50 net/socket.c:1998 + __do_sys_sendto net/socket.c:2010 [inline] + __se_sys_sendto+0x107/0x130 
net/socket.c:2006 + __x64_sys_sendto+0x6e/0x90 net/socket.c:2006 + do_syscall_64+0xb8/0x160 arch/x86/entry/common.c:296 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Cc: Jay Vosburgh +Cc: Veaceslav Falico +Cc: Andy Gospodarek +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/bonding/bond_alb.c | 20 ++++++++++---------- + 1 file changed, 10 insertions(+), 10 deletions(-) + +--- a/drivers/net/bonding/bond_alb.c ++++ b/drivers/net/bonding/bond_alb.c +@@ -71,11 +71,6 @@ struct arp_pkt { + }; + #pragma pack() + +-static inline struct arp_pkt *arp_pkt(const struct sk_buff *skb) +-{ +- return (struct arp_pkt *)skb_network_header(skb); +-} +- + /* Forward declaration */ + static void alb_send_learning_packets(struct slave *slave, u8 mac_addr[], + bool strict_match); +@@ -574,10 +569,11 @@ static void rlb_req_update_subnet_client + spin_unlock(&bond->mode_lock); + } + +-static struct slave *rlb_choose_channel(struct sk_buff *skb, struct bonding *bond) ++static struct slave *rlb_choose_channel(struct sk_buff *skb, ++ struct bonding *bond, ++ const struct arp_pkt *arp) + { + struct alb_bond_info *bond_info = &(BOND_ALB_INFO(bond)); +- struct arp_pkt *arp = arp_pkt(skb); + struct slave *assigned_slave, *curr_active_slave; + struct rlb_client_info *client_info; + u32 hash_index = 0; +@@ -674,8 +670,12 @@ static struct slave *rlb_choose_channel( + */ + static struct slave *rlb_arp_xmit(struct sk_buff *skb, struct bonding *bond) + { +- struct arp_pkt *arp = arp_pkt(skb); + struct slave *tx_slave = NULL; ++ struct arp_pkt *arp; ++ ++ if (!pskb_network_may_pull(skb, sizeof(*arp))) ++ return NULL; ++ arp = (struct arp_pkt *)skb_network_header(skb); + + /* Don't modify or load balance ARPs that do not originate locally + * (e.g.,arrive via a bridge). 
+@@ -685,7 +685,7 @@ static struct slave *rlb_arp_xmit(struct + + if (arp->op_code == htons(ARPOP_REPLY)) { + /* the arp must be sent on the selected rx channel */ +- tx_slave = rlb_choose_channel(skb, bond); ++ tx_slave = rlb_choose_channel(skb, bond, arp); + if (tx_slave) + ether_addr_copy(arp->mac_src, tx_slave->dev->dev_addr); + netdev_dbg(bond->dev, "Server sent ARP Reply packet\n"); +@@ -695,7 +695,7 @@ static struct slave *rlb_arp_xmit(struct + * When the arp reply is received the entry will be updated + * with the correct unicast address of the client. + */ +- rlb_choose_channel(skb, bond); ++ rlb_choose_channel(skb, bond, arp); + + /* The ARP reply packets must be delayed so that + * they can cancel out the influence of the ARP request. diff --git a/queue-4.9/cgroup-memcg-net-do-not-associate-sock-with-unrelated-cgroup.patch b/queue-4.9/cgroup-memcg-net-do-not-associate-sock-with-unrelated-cgroup.patch new file mode 100644 index 00000000000..d582bd74d2f --- /dev/null +++ b/queue-4.9/cgroup-memcg-net-do-not-associate-sock-with-unrelated-cgroup.patch 
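Review bot: The new early `return NULL` in rlb_arp_xmit() for a packet too short to hold `struct arp_pkt` is indistinguishable from the existing "no slave selected" result, and the comment block above the function (its start is outside the hunk) does not mention it. The syzbot trace in the description reaches this path from a packet-socket sendto(), so the frame length is chosen by a local sender and the fallback deserves to be explicit. I would add `/* Truncated ARP: do not touch the header; the caller chooses the slave. */` above the `pskb_network_may_pull()` check. How bond_alb_xmit() treats a NULL return is outside the hunk and should be confirmed not to read the ARP fields again.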
@@ -0,0 +1,124 @@ +From foo@baz Sun 15 Mar 2020 01:01:22 PM CET +From: Shakeel Butt +Date: Mon, 9 Mar 2020 22:16:05 -0700 +Subject: cgroup: memcg: net: do not associate sock with unrelated cgroup + +From: Shakeel Butt + +[ Upstream commit e876ecc67db80dfdb8e237f71e5b43bb88ae549c ] + +We are testing network memory accounting in our setup and noticed +inconsistent network memory usage and often unrelated cgroups network +usage correlates with testing workload. On further inspection, it +seems like mem_cgroup_sk_alloc() and cgroup_sk_alloc() are broken in +irq context specially for cgroup v1. + +mem_cgroup_sk_alloc() and cgroup_sk_alloc() can be called in irq context +and kind of assumes that this can only happen from sk_clone_lock() +and the source sock object has already associated cgroup. However in +cgroup v1, where network memory accounting is opt-in, the source sock +can be unassociated with any cgroup and the new cloned sock can get +associated with unrelated interrupted cgroup. + +Cgroup v2 can also suffer if the source sock object was created by +process in the root cgroup or if sk_alloc() is called in irq context. +The fix is to just do nothing in interrupt. + +WARNING: Please note that about half of the TCP sockets are allocated +from the IRQ context, so, memory used by such sockets will not be +accouted by the memcg. + +The stack trace of mem_cgroup_sk_alloc() from IRQ-context: + +CPU: 70 PID: 12720 Comm: ssh Tainted: 5.6.0-smp-DEV #1 +Hardware name: ... +Call Trace: + + dump_stack+0x57/0x75 + mem_cgroup_sk_alloc+0xe9/0xf0 + sk_clone_lock+0x2a7/0x420 + inet_csk_clone_lock+0x1b/0x110 + tcp_create_openreq_child+0x23/0x3b0 + tcp_v6_syn_recv_sock+0x88/0x730 + tcp_check_req+0x429/0x560 + tcp_v6_rcv+0x72d/0xa40 + ip6_protocol_deliver_rcu+0xc9/0x400 + ip6_input+0x44/0xd0 + ? ip6_protocol_deliver_rcu+0x400/0x400 + ip6_rcv_finish+0x71/0x80 + ipv6_rcv+0x5b/0xe0 + ? 
ip6_sublist_rcv+0x2e0/0x2e0 + process_backlog+0x108/0x1e0 + net_rx_action+0x26b/0x460 + __do_softirq+0x104/0x2a6 + do_softirq_own_stack+0x2a/0x40 + + do_softirq.part.19+0x40/0x50 + __local_bh_enable_ip+0x51/0x60 + ip6_finish_output2+0x23d/0x520 + ? ip6table_mangle_hook+0x55/0x160 + __ip6_finish_output+0xa1/0x100 + ip6_finish_output+0x30/0xd0 + ip6_output+0x73/0x120 + ? __ip6_finish_output+0x100/0x100 + ip6_xmit+0x2e3/0x600 + ? ipv6_anycast_cleanup+0x50/0x50 + ? inet6_csk_route_socket+0x136/0x1e0 + ? skb_free_head+0x1e/0x30 + inet6_csk_xmit+0x95/0xf0 + __tcp_transmit_skb+0x5b4/0xb20 + __tcp_send_ack.part.60+0xa3/0x110 + tcp_send_ack+0x1d/0x20 + tcp_rcv_state_process+0xe64/0xe80 + ? tcp_v6_connect+0x5d1/0x5f0 + tcp_v6_do_rcv+0x1b1/0x3f0 + ? tcp_v6_do_rcv+0x1b1/0x3f0 + __release_sock+0x7f/0xd0 + release_sock+0x30/0xa0 + __inet_stream_connect+0x1c3/0x3b0 + ? prepare_to_wait+0xb0/0xb0 + inet_stream_connect+0x3b/0x60 + __sys_connect+0x101/0x120 + ? __sys_getsockopt+0x11b/0x140 + __x64_sys_connect+0x1a/0x20 + do_syscall_64+0x51/0x200 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +The stack trace of mem_cgroup_sk_alloc() from IRQ-context: +Fixes: 2d7580738345 ("mm: memcontrol: consolidate cgroup socket tracking") +Fixes: d979a39d7242 ("cgroup: duplicate cgroup reference when cloning sockets") +Signed-off-by: Shakeel Butt +Reviewed-by: Roman Gushchin +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + kernel/cgroup.c | 4 ++++ + mm/memcontrol.c | 4 ++++ + 2 files changed, 8 insertions(+) + +--- a/kernel/cgroup.c ++++ b/kernel/cgroup.c +@@ -6335,6 +6335,10 @@ void cgroup_sk_alloc(struct sock_cgroup_ + return; + } + ++ /* Don't associate the sock with unrelated interrupted task's cgroup. 
*/ ++ if (in_interrupt()) ++ return; ++ + rcu_read_lock(); + + while (true) { +--- a/mm/memcontrol.c ++++ b/mm/memcontrol.c +@@ -5726,6 +5726,10 @@ void mem_cgroup_sk_alloc(struct sock *sk + return; + } + ++ /* Do not associate the sock with unrelated interrupted task's memcg. */ ++ if (in_interrupt()) ++ return; ++ + rcu_read_lock(); + memcg = mem_cgroup_from_task(current); + if (memcg == root_mem_cgroup) diff --git a/queue-4.9/cgroup-netclassid-periodically-release-file_lock-on-classid-updating.patch b/queue-4.9/cgroup-netclassid-periodically-release-file_lock-on-classid-updating.patch new file mode 100644 index 00000000000..57f185ec8a2 --- /dev/null +++ b/queue-4.9/cgroup-netclassid-periodically-release-file_lock-on-classid-updating.patch 
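Review bot: The `in_interrupt()` test added to cgroup_sk_alloc() and mem_cgroup_sk_alloc() is broader than the comment beside it says: it is also true in task context while bottom halves are disabled, so sockets created there are left unassociated as well. A socket without a memcg association is not charged to any group, so a memory limit does not bound it. I would state that in both comments, e.g. `/* in_interrupt() is also true with BH disabled in task context; such sockets stay unaccounted. */`. Both functions begin and end outside their hunks.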
@@ -0,0 +1,121 @@ +From foo@baz Sun 15 Mar 2020 01:01:22 PM CET +From: Dmitry Yakunin +Date: Thu, 5 Mar 2020 17:45:57 +0300 +Subject: cgroup, netclassid: periodically release file_lock on classid updating + +From: Dmitry Yakunin + +[ Upstream commit 018d26fcd12a75fb9b5fe233762aa3f2f0854b88 ] + +In our production environment we have faced with problem that updating +classid in cgroup with heavy tasks cause long freeze of the file tables +in this tasks. By heavy tasks we understand tasks with many threads and +opened sockets (e.g. balancers). This freeze leads to an increase number +of client timeouts. + +This patch implements following logic to fix this issue: +аfter iterating 1000 file descriptors file table lock will be released +thus providing a time gap for socket creation/deletion. + +Now update is non atomic and socket may be skipped using calls: + +dup2(oldfd, newfd); +close(oldfd); + +But this case is not typical. Moreover before this patch skip is possible +too by hiding socket fd in unix socket buffer. + +New sockets will be allocated with updated classid because cgroup state +is updated before start of the file descriptors iteration. + +So in common cases this patch has no side effects. + +Signed-off-by: Dmitry Yakunin +Reviewed-by: Konstantin Khlebnikov +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/core/netclassid_cgroup.c | 47 +++++++++++++++++++++++++++++++++---------- + 1 file changed, 37 insertions(+), 10 deletions(-) + +--- a/net/core/netclassid_cgroup.c ++++ b/net/core/netclassid_cgroup.c +@@ -55,30 +55,60 @@ static void cgrp_css_free(struct cgroup_ + kfree(css_cls_state(css)); + } + ++/* ++ * To avoid freezing of sockets creation for tasks with big number of threads ++ * and opened sockets lets release file_lock every 1000 iterated descriptors. ++ * New sockets will already have been created with new classid. 
++ */ ++ ++struct update_classid_context { ++ u32 classid; ++ unsigned int batch; ++}; ++ ++#define UPDATE_CLASSID_BATCH 1000 ++ + static int update_classid_sock(const void *v, struct file *file, unsigned n) + { + int err; ++ struct update_classid_context *ctx = (void *)v; + struct socket *sock = sock_from_file(file, &err); + + if (sock) { + spin_lock(&cgroup_sk_update_lock); +- sock_cgroup_set_classid(&sock->sk->sk_cgrp_data, +- (unsigned long)v); ++ sock_cgroup_set_classid(&sock->sk->sk_cgrp_data, ctx->classid); + spin_unlock(&cgroup_sk_update_lock); + } ++ if (--ctx->batch == 0) { ++ ctx->batch = UPDATE_CLASSID_BATCH; ++ return n + 1; ++ } + return 0; + } + ++static void update_classid_task(struct task_struct *p, u32 classid) ++{ ++ struct update_classid_context ctx = { ++ .classid = classid, ++ .batch = UPDATE_CLASSID_BATCH ++ }; ++ unsigned int fd = 0; ++ ++ do { ++ task_lock(p); ++ fd = iterate_fd(p->files, fd, update_classid_sock, &ctx); ++ task_unlock(p); ++ cond_resched(); ++ } while (fd); ++} ++ + static void cgrp_attach(struct cgroup_taskset *tset) + { + struct cgroup_subsys_state *css; + struct task_struct *p; + + cgroup_taskset_for_each(p, css, tset) { +- task_lock(p); +- iterate_fd(p->files, 0, update_classid_sock, +- (void *)(unsigned long)css_cls_state(css)->classid); +- task_unlock(p); ++ update_classid_task(p, css_cls_state(css)->classid); + } + } + +@@ -100,10 +130,7 @@ static int write_classid(struct cgroup_s + + css_task_iter_start(css, &it); + while ((p = css_task_iter_next(&it))) { +- task_lock(p); +- iterate_fd(p->files, 0, update_classid_sock, +- (void *)(unsigned long)cs->classid); +- task_unlock(p); ++ update_classid_task(p, cs->classid); + cond_resched(); + } + css_task_iter_end(&it); diff --git a/queue-4.9/fib-add-missing-attribute-validation-for-tun_id.patch b/queue-4.9/fib-add-missing-attribute-validation-for-tun_id.patch new file mode 100644 index 00000000000..9ebe0147cd2 --- /dev/null 
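Review bot: write_classid() still calls `cond_resched();` right after `update_classid_task(p, cs->classid);`, and update_classid_task() now ends every pass of its loop with its own `cond_resched()`, so the task iteration yields twice per task; the outer call can be dropped. Separately, update_classid_sock() obtains a writable context with `struct update_classid_context *ctx = (void *)v;`, silently discarding the `const` of the callback argument before decrementing `ctx->batch`. A short comment such as `/* iterate_fd() passes the pointer through as const; ctx is owned by update_classid_task() */` would make the cast deliberate. write_classid() starts outside the hunk.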
+++ b/queue-4.9/fib-add-missing-attribute-validation-for-tun_id.patch
@@ -0,0 +1,30 @@
+From foo@baz Sun 15 Mar 2020 01:01:22 PM CET
+From: Jakub Kicinski
+Date: Mon, 2 Mar 2020 21:05:13 -0800
+Subject: fib: add missing attribute validation for tun_id
+
+From: Jakub Kicinski
+
+[ Upstream commit 4c16d64ea04056f1b1b324ab6916019f6a064114 ]
+
+Add missing netlink policy entry for FRA_TUN_ID.
+
+Fixes: e7030878fc84 ("fib: Add fib rule match on tunnel id")
+Signed-off-by: Jakub Kicinski
+Reviewed-by: David Ahern
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ include/net/fib_rules.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/include/net/fib_rules.h
++++ b/include/net/fib_rules.h
+@@ -87,6 +87,7 @@ struct fib_rules_ops {
+ [FRA_OIFNAME] = { .type = NLA_STRING, .len = IFNAMSIZ - 1 }, \
+ [FRA_PRIORITY] = { .type = NLA_U32 }, \
+ [FRA_FWMARK] = { .type = NLA_U32 }, \
++ [FRA_TUN_ID] = { .type = NLA_U64 }, \
+ [FRA_FWMASK] = { .type = NLA_U32 }, \
+ [FRA_TABLE] = { .type = NLA_U32 }, \
+ [FRA_SUPPRESS_PREFIXLEN] = { .type = NLA_U32 }, \
diff --git a/queue-4.9/gre-fix-uninit-value-in-__iptunnel_pull_header.patch b/queue-4.9/gre-fix-uninit-value-in-__iptunnel_pull_header.patch
new file mode 100644
index 00000000000..cc3114424a0
--- /dev/null
+++ b/queue-4.9/gre-fix-uninit-value-in-__iptunnel_pull_header.patch
@@ -0,0 +1,138 @@ +From foo@baz Sun 15 Mar 2020 01:01:22 PM CET +From: Eric Dumazet +Date: Sat, 7 Mar 2020 22:05:14 -0800 +Subject: gre: fix uninit-value in __iptunnel_pull_header + +From: Eric Dumazet + +[ Upstream commit 17c25cafd4d3e74c83dce56b158843b19c40b414 ] + +syzbot found an interesting case of the kernel reading +an uninit-value [1] + +Problem is in the handling of ETH_P_WCCP in gre_parse_header() + +We look at the byte following GRE options to eventually decide +if the options are four bytes longer. + +Use skb_header_pointer() to not pull bytes if we found +that no more bytes were needed. + +All callers of gre_parse_header() are properly using pskb_may_pull() +anyway before proceeding to next header. + +[1] +BUG: KMSAN: uninit-value in pskb_may_pull include/linux/skbuff.h:2303 [inline] +BUG: KMSAN: uninit-value in __iptunnel_pull_header+0x30c/0xbd0 net/ipv4/ip_tunnel_core.c:94 +CPU: 1 PID: 11784 Comm: syz-executor940 Not tainted 5.6.0-rc2-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0x1c9/0x220 lib/dump_stack.c:118 + kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:118 + __msan_warning+0x58/0xa0 mm/kmsan/kmsan_instr.c:215 + pskb_may_pull include/linux/skbuff.h:2303 [inline] + __iptunnel_pull_header+0x30c/0xbd0 net/ipv4/ip_tunnel_core.c:94 + iptunnel_pull_header include/net/ip_tunnels.h:411 [inline] + gre_rcv+0x15e/0x19c0 net/ipv6/ip6_gre.c:606 + ip6_protocol_deliver_rcu+0x181b/0x22c0 net/ipv6/ip6_input.c:432 + ip6_input_finish net/ipv6/ip6_input.c:473 [inline] + NF_HOOK include/linux/netfilter.h:307 [inline] + ip6_input net/ipv6/ip6_input.c:482 [inline] + ip6_mc_input+0xdf2/0x1460 net/ipv6/ip6_input.c:576 + dst_input include/net/dst.h:442 [inline] + ip6_rcv_finish net/ipv6/ip6_input.c:76 [inline] + NF_HOOK include/linux/netfilter.h:307 [inline] + ipv6_rcv+0x683/0x710 net/ipv6/ip6_input.c:306 + __netif_receive_skb_one_core 
net/core/dev.c:5198 [inline] + __netif_receive_skb net/core/dev.c:5312 [inline] + netif_receive_skb_internal net/core/dev.c:5402 [inline] + netif_receive_skb+0x66b/0xf20 net/core/dev.c:5461 + tun_rx_batched include/linux/skbuff.h:4321 [inline] + tun_get_user+0x6aef/0x6f60 drivers/net/tun.c:1997 + tun_chr_write_iter+0x1f2/0x360 drivers/net/tun.c:2026 + call_write_iter include/linux/fs.h:1901 [inline] + new_sync_write fs/read_write.c:483 [inline] + __vfs_write+0xa5a/0xca0 fs/read_write.c:496 + vfs_write+0x44a/0x8f0 fs/read_write.c:558 + ksys_write+0x267/0x450 fs/read_write.c:611 + __do_sys_write fs/read_write.c:623 [inline] + __se_sys_write fs/read_write.c:620 [inline] + __ia32_sys_write+0xdb/0x120 fs/read_write.c:620 + do_syscall_32_irqs_on arch/x86/entry/common.c:339 [inline] + do_fast_syscall_32+0x3c7/0x6e0 arch/x86/entry/common.c:410 + entry_SYSENTER_compat+0x68/0x77 arch/x86/entry/entry_64_compat.S:139 +RIP: 0023:0xf7f62d99 +Code: 90 e8 0b 00 00 00 f3 90 0f ae e8 eb f9 8d 74 26 00 89 3c 24 c3 90 90 90 90 90 90 90 90 90 90 90 90 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90 +RSP: 002b:00000000fffedb2c EFLAGS: 00000217 ORIG_RAX: 0000000000000004 +RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020002580 +RDX: 0000000000000fca RSI: 0000000000000036 RDI: 0000000000000004 +RBP: 0000000000008914 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 +R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 + +Uninit was created at: + kmsan_save_stack_with_flags mm/kmsan/kmsan.c:144 [inline] + kmsan_internal_poison_shadow+0x66/0xd0 mm/kmsan/kmsan.c:127 + kmsan_slab_alloc+0x8a/0xe0 mm/kmsan/kmsan_hooks.c:82 + slab_alloc_node mm/slub.c:2793 [inline] + __kmalloc_node_track_caller+0xb40/0x1200 mm/slub.c:4401 + __kmalloc_reserve net/core/skbuff.c:142 [inline] + __alloc_skb+0x2fd/0xac0 net/core/skbuff.c:210 + alloc_skb include/linux/skbuff.h:1051 [inline] 
+ alloc_skb_with_frags+0x18c/0xa70 net/core/skbuff.c:5766 + sock_alloc_send_pskb+0xada/0xc60 net/core/sock.c:2242 + tun_alloc_skb drivers/net/tun.c:1529 [inline] + tun_get_user+0x10ae/0x6f60 drivers/net/tun.c:1843 + tun_chr_write_iter+0x1f2/0x360 drivers/net/tun.c:2026 + call_write_iter include/linux/fs.h:1901 [inline] + new_sync_write fs/read_write.c:483 [inline] + __vfs_write+0xa5a/0xca0 fs/read_write.c:496 + vfs_write+0x44a/0x8f0 fs/read_write.c:558 + ksys_write+0x267/0x450 fs/read_write.c:611 + __do_sys_write fs/read_write.c:623 [inline] + __se_sys_write fs/read_write.c:620 [inline] + __ia32_sys_write+0xdb/0x120 fs/read_write.c:620 + do_syscall_32_irqs_on arch/x86/entry/common.c:339 [inline] + do_fast_syscall_32+0x3c7/0x6e0 arch/x86/entry/common.c:410 + entry_SYSENTER_compat+0x68/0x77 arch/x86/entry/entry_64_compat.S:139 + +Fixes: 95f5c64c3c13 ("gre: Move utility functions to common headers") +Fixes: c54419321455 ("GRE: Refactor GRE tunneling code.") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/gre_demux.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +--- a/net/ipv4/gre_demux.c ++++ b/net/ipv4/gre_demux.c +@@ -60,7 +60,9 @@ int gre_del_protocol(const struct gre_pr + } + EXPORT_SYMBOL_GPL(gre_del_protocol); + +-/* Fills in tpi and returns header length to be pulled. */ ++/* Fills in tpi and returns header length to be pulled. ++ * Note that caller must use pskb_may_pull() before pulling GRE header. 
++ */ + int gre_parse_header(struct sk_buff *skb, struct tnl_ptk_info *tpi, + bool *csum_err, __be16 proto, int nhs) + { +@@ -114,8 +116,14 @@ int gre_parse_header(struct sk_buff *skb + * - When dealing with WCCPv2, Skip extra 4 bytes in GRE header + */ + if (greh->flags == 0 && tpi->proto == htons(ETH_P_WCCP)) { ++ u8 _val, *val; ++ ++ val = skb_header_pointer(skb, nhs + hdr_len, ++ sizeof(_val), &_val); ++ if (!val) ++ return -EINVAL; + tpi->proto = proto; +- if ((*(u8 *)options & 0xF0) != 0x40) ++ if ((*val & 0xF0) != 0x40) + hdr_len += 4; + } + tpi->hdr_len = hdr_len; diff --git a/queue-4.9/ipv6-addrconf-call-ipv6_mc_up-for-non-ethernet-interface.patch b/queue-4.9/ipv6-addrconf-call-ipv6_mc_up-for-non-ethernet-interface.patch new file mode 100644 index 00000000000..d7b95e3011a --- /dev/null +++ b/queue-4.9/ipv6-addrconf-call-ipv6_mc_up-for-non-ethernet-interface.patch 
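Review bot: The updated comment above gre_parse_header() still says only that it "returns header length to be pulled", while the new WCCP branch adds a `return -EINVAL` when `skb_header_pointer()` cannot supply the byte that follows the GRE options. I would extend the comment with `* Returns a negative errno if the header is malformed or truncated.` so callers are reminded to check the sign before using the value as a length. Since `val` is only read, it could be declared `const u8 *val;`. The body between the two inner hunks is not visible, so other error returns may already exist.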
@@ -0,0 +1,73 @@ +From foo@baz Sun 15 Mar 2020 01:01:22 PM CET +From: Hangbin Liu +Date: Tue, 10 Mar 2020 15:27:37 +0800 +Subject: ipv6/addrconf: call ipv6_mc_up() for non-Ethernet interface + +From: Hangbin Liu + +[ Upstream commit 60380488e4e0b95e9e82aa68aa9705baa86de84c ] + +Rafał found an issue that for non-Ethernet interface, if we down and up +frequently, the memory will be consumed slowly. + +The reason is we add allnodes/allrouters addressed in multicast list in +ipv6_add_dev(). When link down, we call ipv6_mc_down(), store all multicast +addresses via mld_add_delrec(). But when link up, we don't call ipv6_mc_up() +for non-Ethernet interface to remove the addresses. This makes idev->mc_tomb +getting bigger and bigger. The call stack looks like: + +addrconf_notify(NETDEV_REGISTER) + ipv6_add_dev + ipv6_dev_mc_inc(ff01::1) + ipv6_dev_mc_inc(ff02::1) + ipv6_dev_mc_inc(ff02::2) + +addrconf_notify(NETDEV_UP) + addrconf_dev_config + /* Alas, we support only Ethernet autoconfiguration. */ + return; + +addrconf_notify(NETDEV_DOWN) + addrconf_ifdown + ipv6_mc_down + igmp6_group_dropped(ff02::2) + mld_add_delrec(ff02::2) + igmp6_group_dropped(ff02::1) + igmp6_group_dropped(ff01::1) + +After investigating, I can't found a rule to disable multicast on +non-Ethernet interface. In RFC2460, the link could be Ethernet, PPP, ATM, +tunnels, etc. In IPv4, it doesn't check the dev type when calls ip_mc_up() +in inetdev_event(). Even for IPv6, we don't check the dev type and call +ipv6_add_dev(), ipv6_dev_mc_inc() after register device. + +So I think it's OK to fix this memory consumer by calling ipv6_mc_up() for +non-Ethernet interface. + +v2: Also check IFF_MULTICAST flag to make sure the interface supports + multicast + +Reported-by: Rafał Miłecki +Tested-by: Rafał Miłecki +Fixes: 74235a25c673 ("[IPV6] addrconf: Fix IPv6 on tuntap tunnels") +Fixes: 1666d49e1d41 ("mld: do not remove mld souce list info when set link down") +Signed-off-by: Hangbin Liu +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/addrconf.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/net/ipv6/addrconf.c ++++ b/net/ipv6/addrconf.c +@@ -3189,6 +3189,10 @@ static void addrconf_dev_config(struct n + (dev->type != ARPHRD_6LOWPAN) && + (dev->type != ARPHRD_NONE)) { + /* Alas, we support only Ethernet autoconfiguration. */ ++ idev = __in6_dev_get(dev); ++ if (!IS_ERR_OR_NULL(idev) && dev->flags & IFF_UP && ++ dev->flags & IFF_MULTICAST) ++ ipv6_mc_up(idev); + return; + } + diff --git a/queue-4.9/ipvlan-add-cond_resched_rcu-while-processing-muticast-backlog.patch b/queue-4.9/ipvlan-add-cond_resched_rcu-while-processing-muticast-backlog.patch new file mode 100644 index 00000000000..d9f057e628e --- /dev/null +++ b/queue-4.9/ipvlan-add-cond_resched_rcu-while-processing-muticast-backlog.patch 
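Review bot: The condition `!IS_ERR_OR_NULL(idev) && dev->flags & IFF_UP && dev->flags & IFF_MULTICAST` in addrconf_dev_config() mixes `&&` and `&` without parentheses; it parses as intended but is easy to misread. I would write the flag test as `(dev->flags & (IFF_UP | IFF_MULTICAST)) == (IFF_UP | IFF_MULTICAST)`. The existing comment `/* Alas, we support only Ethernet autoconfiguration. */` now sits directly above multicast bring-up code it does not describe; a line such as `/* Still call ipv6_mc_up() so entries queued by ipv6_mc_down() do not accumulate. */` before the new block would help. The function begins outside the hunk.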
@@ -0,0 +1,114 @@ +From foo@baz Sun 15 Mar 2020 01:01:22 PM CET +From: Mahesh Bandewar +Date: Mon, 9 Mar 2020 15:57:02 -0700 +Subject: ipvlan: add cond_resched_rcu() while processing muticast backlog + +From: Mahesh Bandewar + +[ Upstream commit e18b353f102e371580f3f01dd47567a25acc3c1d ] + +If there are substantial number of slaves created as simulated by +Syzbot, the backlog processing could take much longer and result +into the issue found in the Syzbot report. + +INFO: rcu_sched detected stalls on CPUs/tasks: + (detected by 1, t=10502 jiffies, g=5049, c=5048, q=752) +All QSes seen, last rcu_sched kthread activity 10502 (4294965563-4294955061), jiffies_till_next_fqs=1, root ->qsmask 0x0 +syz-executor.1 R running task on cpu 1 10984 11210 3866 0x30020008 179034491270 +Call Trace: + + [] _sched_show_task kernel/sched/core.c:8063 [inline] + [] _sched_show_task.cold+0x2fd/0x392 kernel/sched/core.c:8030 + [] sched_show_task+0xb/0x10 kernel/sched/core.c:8073 + [] print_other_cpu_stall kernel/rcu/tree.c:1577 [inline] + [] check_cpu_stall kernel/rcu/tree.c:1695 [inline] + [] __rcu_pending kernel/rcu/tree.c:3478 [inline] + [] rcu_pending kernel/rcu/tree.c:3540 [inline] + [] rcu_check_callbacks.cold+0xbb4/0xc29 kernel/rcu/tree.c:2876 + [] update_process_times+0x32/0x80 kernel/time/timer.c:1635 + [] tick_sched_handle+0xa0/0x180 kernel/time/tick-sched.c:161 + [] tick_sched_timer+0x44/0x130 kernel/time/tick-sched.c:1193 + [] __run_hrtimer kernel/time/hrtimer.c:1393 [inline] + [] __hrtimer_run_queues+0x307/0xd90 kernel/time/hrtimer.c:1455 + [] hrtimer_interrupt+0x2ea/0x730 kernel/time/hrtimer.c:1513 + [] local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1031 [inline] + [] smp_apic_timer_interrupt+0x144/0x5e0 arch/x86/kernel/apic/apic.c:1056 + [] apic_timer_interrupt+0x8e/0xa0 arch/x86/entry/entry_64.S:778 +RIP: 0010:do_raw_read_lock+0x22/0x80 kernel/locking/spinlock_debug.c:153 +RSP: 0018:ffff8801dad07ab8 EFLAGS: 00000a02 ORIG_RAX: ffffffffffffff12 +RAX: 0000000000000000 
RBX: ffff8801c4135680 RCX: 0000000000000000 +RDX: 1ffff10038826afe RSI: ffff88019d816bb8 RDI: ffff8801c41357f0 +RBP: ffff8801dad07ac0 R08: 0000000000004b15 R09: 0000000000310273 +R10: ffff88019d816bb8 R11: 0000000000000001 R12: ffff8801c41357e8 +R13: 0000000000000000 R14: ffff8801cfb19850 R15: ffff8801cfb198b0 + [] __raw_read_lock_bh include/linux/rwlock_api_smp.h:177 [inline] + [] _raw_read_lock_bh+0x3e/0x50 kernel/locking/spinlock.c:240 + [] ipv6_chk_mcast_addr+0x11a/0x6f0 net/ipv6/mcast.c:1006 + [] ip6_mc_input+0x319/0x8e0 net/ipv6/ip6_input.c:482 + [] dst_input include/net/dst.h:449 [inline] + [] ip6_rcv_finish+0x408/0x610 net/ipv6/ip6_input.c:78 + [] NF_HOOK include/linux/netfilter.h:292 [inline] + [] NF_HOOK include/linux/netfilter.h:286 [inline] + [] ipv6_rcv+0x10e/0x420 net/ipv6/ip6_input.c:278 + [] __netif_receive_skb_one_core+0x12a/0x1f0 net/core/dev.c:5303 + [] __netif_receive_skb+0x2c/0x1b0 net/core/dev.c:5417 + [] process_backlog+0x216/0x6c0 net/core/dev.c:6243 + [] napi_poll net/core/dev.c:6680 [inline] + [] net_rx_action+0x47b/0xfb0 net/core/dev.c:6748 + [] __do_softirq+0x2c8/0x99a kernel/softirq.c:317 + [] invoke_softirq kernel/softirq.c:399 [inline] + [] irq_exit+0x16a/0x1a0 kernel/softirq.c:439 + [] exiting_irq arch/x86/include/asm/apic.h:561 [inline] + [] smp_apic_timer_interrupt+0x165/0x5e0 arch/x86/kernel/apic/apic.c:1058 + [] apic_timer_interrupt+0x8e/0xa0 arch/x86/entry/entry_64.S:778 + +RIP: 0010:__sanitizer_cov_trace_pc+0x26/0x50 kernel/kcov.c:102 +RSP: 0018:ffff880196033bd8 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff12 +RAX: ffff88019d8161c0 RBX: 00000000ffffffff RCX: ffffc90003501000 +RDX: 0000000000000002 RSI: ffffffff816236d1 RDI: 0000000000000005 +RBP: ffff880196033bd8 R08: ffff88019d8161c0 R09: 0000000000000000 +R10: 1ffff10032c067f0 R11: 0000000000000000 R12: 0000000000000000 +R13: 0000000000000080 R14: 0000000000000000 R15: 0000000000000000 + [] do_futex+0x151/0x1d50 kernel/futex.c:3548 + [] C_SYSC_futex kernel/futex_compat.c:201 
[inline] + [] compat_SyS_futex+0x270/0x3b0 kernel/futex_compat.c:175 + [] do_syscall_32_irqs_on arch/x86/entry/common.c:353 [inline] + [] do_fast_syscall_32+0x357/0xe1c arch/x86/entry/common.c:415 + [] entry_SYSENTER_compat+0x8b/0x9d arch/x86/entry/entry_64_compat.S:139 +RIP: 0023:0xf7f23c69 +RSP: 002b:00000000f5d1f12c EFLAGS: 00000282 ORIG_RAX: 00000000000000f0 +RAX: ffffffffffffffda RBX: 000000000816af88 RCX: 0000000000000080 +RDX: 0000000000000000 RSI: 0000000000000000 RDI: 000000000816af8c +RBP: 00000000f5d1f228 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 +R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 +rcu_sched kthread starved for 10502 jiffies! g5049 c5048 f0x2 RCU_GP_WAIT_FQS(3) ->state=0x0 ->cpu=1 +rcu_sched R running task on cpu 1 13048 8 2 0x90000000 179099587640 +Call Trace: + [] context_switch+0x60f/0xa60 kernel/sched/core.c:3209 + [] __schedule+0x5aa/0x1da0 kernel/sched/core.c:3934 + [] schedule+0x8f/0x1b0 kernel/sched/core.c:4011 + [] schedule_timeout+0x50d/0xee0 kernel/time/timer.c:1803 + [] rcu_gp_kthread+0xda1/0x3b50 kernel/rcu/tree.c:2327 + [] kthread+0x348/0x420 kernel/kthread.c:246 + [] ret_from_fork+0x56/0x70 arch/x86/entry/entry_64.S:393 + +Fixes: ba35f8588f47 (“ipvlan: Defer multicast / broadcast processing to a work-queue”) +Signed-off-by: Mahesh Bandewar +Reported-by: syzbot +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ipvlan/ipvlan_core.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/ipvlan/ipvlan_core.c ++++ b/drivers/net/ipvlan/ipvlan_core.c +@@ -240,6 +240,7 @@ void ipvlan_process_multicast(struct wor + ret = netif_rx(nskb); + acct: + ipvlan_count_rx(ipvlan, len, ret == NET_RX_SUCCESS, true); ++ cond_resched_rcu(); + } + rcu_read_unlock(); + 
diff --git a/queue-4.9/ipvlan-do-not-add-hardware-address-of-master-to-its-unicast-filter-list.patch b/queue-4.9/ipvlan-do-not-add-hardware-address-of-master-to-its-unicast-filter-list.patch
new file mode 100644
index 00000000000..843dbff718d
--- /dev/null
+++ b/queue-4.9/ipvlan-do-not-add-hardware-address-of-master-to-its-unicast-filter-list.patch
@@ -0,0 +1,70 @@ +From foo@baz Sun 15 Mar 2020 12:39:05 PM CET +From: Jiri Wiesner +Date: Sat, 7 Mar 2020 13:31:57 +0100 +Subject: ipvlan: do not add hardware address of master to its unicast filter list + +From: Jiri Wiesner + +[ Upstream commit 63aae7b17344d4b08a7d05cb07044de4c0f9dcc6 ] + +There is a problem when ipvlan slaves are created on a master device that +is a vmxnet3 device (ipvlan in VMware guests). The vmxnet3 driver does not +support unicast address filtering. When an ipvlan device is brought up in +ipvlan_open(), the ipvlan driver calls dev_uc_add() to add the hardware +address of the vmxnet3 master device to the unicast address list of the +master device, phy_dev->uc. This inevitably leads to the vmxnet3 master +device being forced into promiscuous mode by __dev_set_rx_mode(). + +Promiscuous mode is switched on the master despite the fact that there is +still only one hardware address that the master device should use for +filtering in order for the ipvlan device to be able to receive packets. +The comment above struct net_device describes the uc_promisc member as a +"counter, that indicates, that promiscuous mode has been enabled due to +the need to listen to additional unicast addresses in a device that does +not implement ndo_set_rx_mode()". Moreover, the design of ipvlan +guarantees that only the hardware address of a master device, +phy_dev->dev_addr, will be used to transmit and receive all packets from +its ipvlan slaves. Thus, the unicast address list of the master device +should not be modified by ipvlan_open() and ipvlan_stop() in order to make +ipvlan a workable option on masters that do not support unicast address +filtering. + +Fixes: 2ad7bf3638411 ("ipvlan: Initial check-in of the IPVLAN driver") +Reported-by: Per Sundstrom +Signed-off-by: Jiri Wiesner +Reviewed-by: Eric Dumazet +Acked-by: Mahesh Bandewar +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ipvlan/ipvlan_main.c | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +--- a/drivers/net/ipvlan/ipvlan_main.c ++++ b/drivers/net/ipvlan/ipvlan_main.c +@@ -217,7 +217,6 @@ static void ipvlan_uninit(struct net_dev + static int ipvlan_open(struct net_device *dev) + { + struct ipvl_dev *ipvlan = netdev_priv(dev); +- struct net_device *phy_dev = ipvlan->phy_dev; + struct ipvl_addr *addr; + + if (ipvlan->port->mode == IPVLAN_MODE_L3 || +@@ -229,7 +228,7 @@ static int ipvlan_open(struct net_device + list_for_each_entry(addr, &ipvlan->addrs, anode) + ipvlan_ht_addr_add(ipvlan, addr); + +- return dev_uc_add(phy_dev, phy_dev->dev_addr); ++ return 0; + } + + static int ipvlan_stop(struct net_device *dev) +@@ -241,8 +240,6 @@ static int ipvlan_stop(struct net_device + dev_uc_unsync(phy_dev, dev); + dev_mc_unsync(phy_dev, dev); + +- dev_uc_del(phy_dev, phy_dev->dev_addr); +- + list_for_each_entry(addr, &ipvlan->addrs, anode) + ipvlan_ht_addr_del(addr); + diff --git a/queue-4.9/ipvlan-do-not-use-cond_resched_rcu-in-ipvlan_process_multicast.patch b/queue-4.9/ipvlan-do-not-use-cond_resched_rcu-in-ipvlan_process_multicast.patch new file mode 100644 index 00000000000..f4e8778785e --- /dev/null +++ b/queue-4.9/ipvlan-do-not-use-cond_resched_rcu-in-ipvlan_process_multicast.patch 
@@ -0,0 +1,43 @@
+From foo@baz Sun 15 Mar 2020 01:01:22 PM CET
+From: Eric Dumazet
+Date: Mon, 9 Mar 2020 18:22:58 -0700
+Subject: ipvlan: do not use cond_resched_rcu() in ipvlan_process_multicast()
+
+From: Eric Dumazet
+
+[ Upstream commit afe207d80a61e4d6e7cfa0611a4af46d0ba95628 ]
+
+Commit e18b353f102e ("ipvlan: add cond_resched_rcu() while
+processing muticast backlog") added a cond_resched_rcu() in a loop
+using rcu protection to iterate over slaves.
+
+This is breaking rcu rules, so lets instead use cond_resched()
+at a point we can reschedule
+
+Fixes: e18b353f102e ("ipvlan: add cond_resched_rcu() while processing muticast backlog")
+Signed-off-by: Eric Dumazet
+Cc: Mahesh Bandewar
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ipvlan/ipvlan_core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ipvlan/ipvlan_core.c
++++ b/drivers/net/ipvlan/ipvlan_core.c
+@@ -240,7 +240,6 @@ void ipvlan_process_multicast(struct wor
+ ret = netif_rx(nskb);
+ acct:
+ ipvlan_count_rx(ipvlan, len, ret == NET_RX_SUCCESS, true);
+- cond_resched_rcu();
+ }
+ rcu_read_unlock();
+
+@@ -252,6 +251,7 @@ acct:
+ } else {
+ kfree_skb(skb);
+ }
++ cond_resched();
+ }
+ }
+
diff --git a/queue-4.9/ipvlan-don-t-deref-eth-hdr-before-checking-it-s-set.patch b/queue-4.9/ipvlan-don-t-deref-eth-hdr-before-checking-it-s-set.patch
new file mode 100644
index 00000000000..9f992e637f1
--- /dev/null
+++ b/queue-4.9/ipvlan-don-t-deref-eth-hdr-before-checking-it-s-set.patch
@@ -0,0 +1,54 @@ +From foo@baz Sun 15 Mar 2020 01:01:22 PM CET +From: Mahesh Bandewar +Date: Mon, 9 Mar 2020 15:56:56 -0700 +Subject: ipvlan: don't deref eth hdr before checking it's set + +From: Mahesh Bandewar + +[ Upstream commit ad8192767c9f9cf97da57b9ffcea70fb100febef ] + +IPvlan in L3 mode discards outbound multicast packets but performs +the check before ensuring the ether-header is set or not. This is +an error that Eric found through code browsing. + +Fixes: 2ad7bf363841 (“ipvlan: Initial check-in of the IPVLAN driver.”) +Signed-off-by: Mahesh Bandewar +Reported-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ipvlan/ipvlan_core.c | 18 ++++++++++-------- + 1 file changed, 10 insertions(+), 8 deletions(-) + +--- a/drivers/net/ipvlan/ipvlan_core.c ++++ b/drivers/net/ipvlan/ipvlan_core.c +@@ -444,19 +444,21 @@ static int ipvlan_process_outbound(struc + struct ethhdr *ethh = eth_hdr(skb); + int ret = NET_XMIT_DROP; + +- /* In this mode we dont care about multicast and broadcast traffic */ +- if (is_multicast_ether_addr(ethh->h_dest)) { +- pr_debug_ratelimited("Dropped {multi|broad}cast of type=[%x]\n", +- ntohs(skb->protocol)); +- kfree_skb(skb); +- goto out; +- } +- + /* The ipvlan is a pseudo-L2 device, so the packets that we receive + * will have L2; which need to discarded and processed further + * in the net-ns of the main-device. + */ + if (skb_mac_header_was_set(skb)) { ++ /* In this mode we dont care about ++ * multicast and broadcast traffic */ ++ if (is_multicast_ether_addr(ethh->h_dest)) { ++ pr_debug_ratelimited( ++ "Dropped {multi|broad}cast of type=[%x]\n", ++ ntohs(skb->protocol)); ++ kfree_skb(skb); ++ goto out; ++ } ++ + skb_pull(skb, sizeof(*ethh)); + skb->mac_header = (typeof(skb->mac_header))~0U; + skb_reset_network_header(skb); 
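Review bot: In ipvlan_process_outbound() the declaration `struct ethhdr *ethh = eth_hdr(skb);` still runs before `skb_mac_header_was_set(skb)` is tested, so the pointer is formed from a MAC header offset that may be unset. Within the hunk it is now dereferenced only inside the guarded branch, so this is about keeping the invalid pointer from existing at all. I would declare `struct ethhdr *ethh;` and make `ethh = eth_hdr(skb);` the first statement inside the `if (skb_mac_header_was_set(skb))` block. The moved comment should also end with `*/` on its own line. The function continues outside the hunk, so any later use of `ethh` would need checking.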
diff --git a/queue-4.9/ipvlan-egress-mcast-packets-are-not-exceptional.patch b/queue-4.9/ipvlan-egress-mcast-packets-are-not-exceptional.patch new file mode 100644 index 00000000000..9d3d8ccd49d --- /dev/null +++ b/queue-4.9/ipvlan-egress-mcast-packets-are-not-exceptional.patch @@ -0,0 +1,39 @@ +From cccc200fcaf04cff4342036a72e51d6adf6c98c1 Mon Sep 17 00:00:00 2001 +From: Paolo Abeni +Date: Wed, 28 Feb 2018 11:43:27 +0100 +Subject: ipvlan: egress mcast packets are not exceptional + +From: Paolo Abeni + +commit cccc200fcaf04cff4342036a72e51d6adf6c98c1 upstream. + +Currently, if IPv6 is enabled on top of an ipvlan device in l3 +mode, the following warning message: + + Dropped {multi|broad}cast of type= [86dd] + +is emitted every time that a RS is generated and dmseg is soon +filled with irrelevant messages. Replace pr_warn with pr_debug, +to preserve debuggability, without scaring the sysadmin. + +Signed-off-by: Paolo Abeni +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/ipvlan/ipvlan_core.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/net/ipvlan/ipvlan_core.c ++++ b/drivers/net/ipvlan/ipvlan_core.c +@@ -446,8 +446,8 @@ static int ipvlan_process_outbound(struc + + /* In this mode we dont care about multicast and broadcast traffic */ + if (is_multicast_ether_addr(ethh->h_dest)) { +- pr_warn_ratelimited("Dropped {multi|broad}cast of type= [%x]\n", +- ntohs(skb->protocol)); ++ pr_debug_ratelimited("Dropped {multi|broad}cast of type=[%x]\n", ++ ntohs(skb->protocol)); + kfree_skb(skb); + goto out; + } diff --git a/queue-4.9/macsec-add-missing-attribute-validation-for-port.patch b/queue-4.9/macsec-add-missing-attribute-validation-for-port.patch new file mode 100644 index 00000000000..f8caaf46615 --- /dev/null +++ b/queue-4.9/macsec-add-missing-attribute-validation-for-port.patch 
@@ -0,0 +1,30 @@ +From foo@baz Sun 15 Mar 2020 01:01:22 PM CET +From: Jakub Kicinski +Date: Mon, 2 Mar 2020 21:05:17 -0800 +Subject: macsec: add missing attribute validation for port + +From: Jakub Kicinski + +[ Upstream commit 31d9a1c524964bac77b7f9d0a1ac140dc6b57461 ] + +Add missing attribute validation for IFLA_MACSEC_PORT +to the netlink policy. + +Fixes: c09440f7dcb3 ("macsec: introduce IEEE 802.1AE driver") +Signed-off-by: Jakub Kicinski +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/macsec.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/macsec.c ++++ b/drivers/net/macsec.c +@@ -2982,6 +2982,7 @@ static const struct device_type macsec_t + + static const struct nla_policy macsec_rtnl_policy[IFLA_MACSEC_MAX + 1] = { + [IFLA_MACSEC_SCI] = { .type = NLA_U64 }, ++ [IFLA_MACSEC_PORT] = { .type = NLA_U16 }, + [IFLA_MACSEC_ICV_LEN] = { .type = NLA_U8 }, + [IFLA_MACSEC_CIPHER_SUITE] = { .type = NLA_U64 }, + [IFLA_MACSEC_WINDOW] = { .type = NLA_U32 }, diff --git a/queue-4.9/macvlan-add-cond_resched-during-multicast-processing.patch b/queue-4.9/macvlan-add-cond_resched-during-multicast-processing.patch new file mode 100644 index 00000000000..da91310d047 --- /dev/null +++ b/queue-4.9/macvlan-add-cond_resched-during-multicast-processing.patch 
@@ -0,0 +1,40 @@ +From foo@baz Sun 15 Mar 2020 11:34:22 AM CET +From: Mahesh Bandewar +Date: Mon, 9 Mar 2020 15:57:07 -0700 +Subject: macvlan: add cond_resched() during multicast processing + +From: Mahesh Bandewar + +[ Upstream commit ce9a4186f9ac475c415ffd20348176a4ea366670 ] + +The Rx bound multicast packets are deferred to a workqueue and +macvlan can also suffer from the same attack that was discovered +by Syzbot for IPvlan. This solution is not as effective as in +IPvlan. IPvlan defers all (Tx and Rx) multicast packet processing +to a workqueue while macvlan does this way only for the Rx. This +fix should address the Rx codition to certain extent. + +Tx is still suseptible. Tx multicast processing happens when +.ndo_start_xmit is called, hence we cannot add cond_resched(). +However, it's not that severe since the user which is generating + / flooding will be affected the most. + +Fixes: 412ca1550cbe ("macvlan: Move broadcasts into a work queue") +Signed-off-by: Mahesh Bandewar +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/macvlan.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/net/macvlan.c ++++ b/drivers/net/macvlan.c +@@ -309,6 +309,8 @@ static void macvlan_process_broadcast(st + if (src) + dev_put(src->dev); + kfree_skb(skb); ++ ++ cond_resched(); + } + } + diff --git a/queue-4.9/net-fec-validate-the-new-settings-in-fec_enet_set_coalesce.patch b/queue-4.9/net-fec-validate-the-new-settings-in-fec_enet_set_coalesce.patch new file mode 100644 index 00000000000..33b42ce392e --- /dev/null +++ b/queue-4.9/net-fec-validate-the-new-settings-in-fec_enet_set_coalesce.patch 
@@ -0,0 +1,46 @@ +From foo@baz Sun 15 Mar 2020 11:34:22 AM CET +From: Jakub Kicinski +Date: Tue, 10 Mar 2020 20:36:16 -0700 +Subject: net: fec: validate the new settings in fec_enet_set_coalesce() + +From: Jakub Kicinski + +[ Upstream commit ab14961d10d02d20767612c78ce148f6eb85bd58 ] + +fec_enet_set_coalesce() validates the previously set params +and if they are within range proceeds to apply the new ones. +The new ones, however, are not validated. This seems backwards, +probably a copy-paste error? + +Compile tested only. + +Fixes: d851b47b22fc ("net: fec: add interrupt coalescence feature support") +Signed-off-by: Jakub Kicinski +Acked-by: Fugang Duan +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/freescale/fec_main.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/net/ethernet/freescale/fec_main.c ++++ b/drivers/net/ethernet/freescale/fec_main.c +@@ -2470,15 +2470,15 @@ fec_enet_set_coalesce(struct net_device + return -EINVAL; + } + +- cycle = fec_enet_us_to_itr_clock(ndev, fep->rx_time_itr); ++ cycle = fec_enet_us_to_itr_clock(ndev, ec->rx_coalesce_usecs); + if (cycle > 0xFFFF) { + pr_err("Rx coalesced usec exceed hardware limitation\n"); + return -EINVAL; + } + +- cycle = fec_enet_us_to_itr_clock(ndev, fep->tx_time_itr); ++ cycle = fec_enet_us_to_itr_clock(ndev, ec->tx_coalesce_usecs); + if (cycle > 0xFFFF) { +- pr_err("Rx coalesced usec exceed hardware limitation\n"); ++ pr_err("Tx coalesced usec exceed hardware limitation\n"); + return -EINVAL; + } + diff --git a/queue-4.9/net-fq-add-missing-attribute-validation-for-orphan-mask.patch b/queue-4.9/net-fq-add-missing-attribute-validation-for-orphan-mask.patch new file mode 100644 index 00000000000..33889eff3b7 --- /dev/null +++ b/queue-4.9/net-fq-add-missing-attribute-validation-for-orphan-mask.patch 
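Review bot: The new checks in fec_enet_set_coalesce() test the converted value, `if (cycle > 0xFFFF)`, so they are only as strong as fec_enet_us_to_itr_clock() is for large inputs. `ec->rx_coalesce_usecs` and `ec->tx_coalesce_usecs` are supplied by the ethtool caller, and if the conversion multiplies before it divides, a very large value could wrap and pass the limit. The helper and the type of `cycle` are outside the hunk, so this needs confirming. Bounding the raw microsecond value before converting it would remove the dependency. The limit is also a bare literal repeated in both checks; a named constant, for example `#define FEC_ITR_CYCLE_MAX 0xFFFF` (name is only a suggestion), would say what the hardware restriction is.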
@@ -0,0 +1,30 @@ +From foo@baz Sun 15 Mar 2020 01:01:22 PM CET +From: Jakub Kicinski +Date: Mon, 2 Mar 2020 21:05:19 -0800 +Subject: net: fq: add missing attribute validation for orphan mask + +From: Jakub Kicinski + +[ Upstream commit 7e6dc03eeb023e18427a373522f1d247b916a641 ] + +Add missing attribute validation for TCA_FQ_ORPHAN_MASK +to the netlink policy. + +Fixes: 06eb395fa985 ("pkt_sched: fq: better control of DDOS traffic") +Signed-off-by: Jakub Kicinski +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/sched/sch_fq.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/sched/sch_fq.c ++++ b/net/sched/sch_fq.c +@@ -697,6 +697,7 @@ static const struct nla_policy fq_policy + [TCA_FQ_FLOW_MAX_RATE] = { .type = NLA_U32 }, + [TCA_FQ_BUCKETS_LOG] = { .type = NLA_U32 }, + [TCA_FQ_FLOW_REFILL_DELAY] = { .type = NLA_U32 }, ++ [TCA_FQ_ORPHAN_MASK] = { .type = NLA_U32 }, + [TCA_FQ_LOW_RATE_THRESHOLD] = { .type = NLA_U32 }, + }; + diff --git a/queue-4.9/net-macsec-update-sci-upon-mac-address-change.patch b/queue-4.9/net-macsec-update-sci-upon-mac-address-change.patch new file mode 100644 index 00000000000..c95ce59dbff --- /dev/null +++ b/queue-4.9/net-macsec-update-sci-upon-mac-address-change.patch 
@@ -0,0 +1,55 @@ +From foo@baz Sun 15 Mar 2020 01:01:22 PM CET +From: Dmitry Bogdanov +Date: Tue, 10 Mar 2020 18:22:24 +0300 +Subject: net: macsec: update SCI upon MAC address change. + +From: Dmitry Bogdanov + +[ Upstream commit 6fc498bc82929ee23aa2f35a828c6178dfd3f823 ] + +SCI should be updated, because it contains MAC in its first 6 octets. + +Fixes: c09440f7dcb3 ("macsec: introduce IEEE 802.1AE driver") +Signed-off-by: Dmitry Bogdanov +Signed-off-by: Mark Starovoytov +Signed-off-by: Igor Russkikh +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/macsec.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +--- a/drivers/net/macsec.c ++++ b/drivers/net/macsec.c +@@ -2871,6 +2871,11 @@ static void macsec_dev_set_rx_mode(struc + dev_uc_sync(real_dev, dev); + } + ++static sci_t dev_to_sci(struct net_device *dev, __be16 port) ++{ ++ return make_sci(dev->dev_addr, port); ++} ++ + static int macsec_set_mac_address(struct net_device *dev, void *p) + { + struct macsec_dev *macsec = macsec_priv(dev); +@@ -2892,6 +2897,7 @@ static int macsec_set_mac_address(struct + + out: + ether_addr_copy(dev->dev_addr, addr->sa_data); ++ macsec->secy.sci = dev_to_sci(dev, MACSEC_PORT_ES); + return 0; + } + +@@ -3160,11 +3166,6 @@ static bool sci_exists(struct net_device + return false; + } + +-static sci_t dev_to_sci(struct net_device *dev, __be16 port) +-{ +- return make_sci(dev->dev_addr, port); +-} +- + static int macsec_add_dev(struct net_device *dev, sci_t sci, u8 icv_len) + { + struct macsec_dev *macsec = macsec_priv(dev); diff --git a/queue-4.9/net-nfc-fix-bounds-checking-bugs-on-pipe.patch b/queue-4.9/net-nfc-fix-bounds-checking-bugs-on-pipe.patch new file mode 100644 index 00000000000..408583a7f23 --- /dev/null +++ b/queue-4.9/net-nfc-fix-bounds-checking-bugs-on-pipe.patch 
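Review bot: The added line `macsec->secy.sci = dev_to_sci(dev, MACSEC_PORT_ES);` in macsec_set_mac_address() always rebuilds the SCI with the end-station port. A device created with an explicit IFLA_MACSEC_SCI or IFLA_MACSEC_PORT (both appear in macsec_rtnl_policy in this queue) would therefore appear to lose its configured value on the next MAC address change. Nothing in the hunk re-runs the uniqueness test that sci_exists() provides, so the new SCI may also collide with another MACsec device on the same lower device; both points are inferred from the visible lines and should be checked against the rest of the file. At minimum I would document the behaviour at the assignment, e.g. `/* SCI is re-derived from the new MAC with MACSEC_PORT_ES; a user-configured SCI/port is not preserved. */`. The function starts outside the hunk.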
@@ -0,0 +1,67 @@ +From foo@baz Sun 15 Mar 2020 01:01:22 PM CET +From: Dan Carpenter +Date: Wed, 4 Mar 2020 17:24:31 +0300 +Subject: net: nfc: fix bounds checking bugs on "pipe" + +From: Dan Carpenter + +[ Upstream commit a3aefbfe45751bf7b338c181b97608e276b5bb73 ] + +This is similar to commit 674d9de02aa7 ("NFC: Fix possible memory +corruption when handling SHDLC I-Frame commands") and commit d7ee81ad09f0 +("NFC: nci: Add some bounds checking in nci_hci_cmd_received()") which +added range checks on "pipe". + +The "pipe" variable comes skb->data[0] in nfc_hci_msg_rx_work(). +It's in the 0-255 range. We're using it as the array index into the +hdev->pipes[] array which has NFC_HCI_MAX_PIPES (128) members. + +Fixes: 118278f20aa8 ("NFC: hci: Add pipes table to reference them with a tuple {gate, host}") +Signed-off-by: Dan Carpenter +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/nfc/hci/core.c | 19 ++++++++++++++++--- + 1 file changed, 16 insertions(+), 3 deletions(-) + +--- a/net/nfc/hci/core.c ++++ b/net/nfc/hci/core.c +@@ -193,13 +193,20 @@ exit: + void nfc_hci_cmd_received(struct nfc_hci_dev *hdev, u8 pipe, u8 cmd, + struct sk_buff *skb) + { +- u8 gate = hdev->pipes[pipe].gate; + u8 status = NFC_HCI_ANY_OK; + struct hci_create_pipe_resp *create_info; + struct hci_delete_pipe_noti *delete_info; + struct hci_all_pipe_cleared_noti *cleared_info; ++ u8 gate; + +- pr_debug("from gate %x pipe %x cmd %x\n", gate, pipe, cmd); ++ pr_debug("from pipe %x cmd %x\n", pipe, cmd); ++ ++ if (pipe >= NFC_HCI_MAX_PIPES) { ++ status = NFC_HCI_ANY_E_NOK; ++ goto exit; ++ } ++ ++ gate = hdev->pipes[pipe].gate; + + switch (cmd) { + case NFC_HCI_ADM_NOTIFY_PIPE_CREATED: +@@ -387,8 +394,14 @@ void nfc_hci_event_received(struct nfc_h + struct sk_buff *skb) + { + int r = 0; +- u8 gate = hdev->pipes[pipe].gate; ++ u8 gate; ++ ++ if (pipe >= NFC_HCI_MAX_PIPES) { ++ pr_err("Discarded event %x to invalid pipe %x\n", event, pipe); ++ goto exit; ++ } + ++ gate = 
hdev->pipes[pipe].gate; + if (gate == NFC_HCI_INVALID_GATE) { + pr_err("Discarded event %x to unopened pipe %x\n", event, pipe); + goto exit; diff --git a/queue-4.9/net-phy-fix-mdio-bus-pm-phy-resuming.patch b/queue-4.9/net-phy-fix-mdio-bus-pm-phy-resuming.patch new file mode 100644 index 00000000000..3bba81cb09e --- /dev/null +++ b/queue-4.9/net-phy-fix-mdio-bus-pm-phy-resuming.patch 
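Review bot: The new rejection path in nfc_hci_event_received() logs with `pr_err("Discarded event %x to invalid pipe %x\n", event, pipe);`, and per the commit message `pipe` comes from skb->data[0]. A faulty or hostile NFC controller or peer can therefore trigger the message at will and fill the kernel log. `pr_err_ratelimited("Discarded event %x to invalid pipe %x\n", event, pipe);` keeps the diagnostic while bounding the volume. For the same condition nfc_hci_cmd_received() logs only at pr_debug level before its bounds check. Both functions continue outside the hunks shown.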
@@ -0,0 +1,72 @@ +From foo@baz Sun 15 Mar 2020 12:39:05 PM CET +From: Heiner Kallweit +Date: Thu, 12 Mar 2020 22:25:20 +0100 +Subject: net: phy: fix MDIO bus PM PHY resuming + +From: Heiner Kallweit + +[ Upstream commit 611d779af7cad2b87487ff58e4931a90c20b113c ] + +So far we have the unfortunate situation that mdio_bus_phy_may_suspend() +is called in suspend AND resume path, assuming that function result is +the same. After the original change this is no longer the case, +resulting in broken resume as reported by Geert. + +To fix this call mdio_bus_phy_may_suspend() in the suspend path only, +and let the phy_device store the info whether it was suspended by +MDIO bus PM. + +Fixes: 503ba7c69610 ("net: phy: Avoid multiple suspends") +Reported-by: Geert Uytterhoeven +Tested-by: Geert Uytterhoeven +Signed-off-by: Heiner Kallweit +Reviewed-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/phy/phy_device.c | 6 +++++- + include/linux/phy.h | 2 ++ + 2 files changed, 7 insertions(+), 1 deletion(-) + +--- a/drivers/net/phy/phy_device.c ++++ b/drivers/net/phy/phy_device.c +@@ -129,6 +129,8 @@ static int mdio_bus_phy_suspend(struct d + if (!mdio_bus_phy_may_suspend(phydev)) + return 0; + ++ phydev->suspended_by_mdio_bus = true; ++ + return phy_suspend(phydev); + } + +@@ -137,9 +139,11 @@ static int mdio_bus_phy_resume(struct de + struct phy_device *phydev = to_phy_device(dev); + int ret; + +- if (!mdio_bus_phy_may_suspend(phydev)) ++ if (!phydev->suspended_by_mdio_bus) + goto no_resume; + ++ phydev->suspended_by_mdio_bus = false; ++ + ret = phy_resume(phydev); + if (ret < 0) + return ret; +--- a/include/linux/phy.h ++++ b/include/linux/phy.h +@@ -333,6 +333,7 @@ struct phy_c45_device_ids { + * is_pseudo_fixed_link: Set to true if this phy is an Ethernet switch, etc. + * has_fixups: Set to true if this phy has fixups/quirks. + * suspended: Set to true if this phy has been suspended successfully. 
++ * suspended_by_mdio_bus: Set to true if this phy was suspended by MDIO bus. + * state: state of the PHY for management purposes + * dev_flags: Device-specific flags used by the PHY driver. + * link_timeout: The number of timer firings to wait before the +@@ -369,6 +370,7 @@ struct phy_device { + bool is_pseudo_fixed_link; + bool has_fixups; + bool suspended; ++ bool suspended_by_mdio_bus; + + enum phy_state state; + diff --git a/queue-4.9/nfc-add-missing-attribute-validation-for-se-api.patch b/queue-4.9/nfc-add-missing-attribute-validation-for-se-api.patch new file mode 100644 index 00000000000..c43f0b8d729 --- /dev/null +++ b/queue-4.9/nfc-add-missing-attribute-validation-for-se-api.patch @@ -0,0 +1,30 @@ +From foo@baz Sun 15 Mar 2020 01:01:22 PM CET +From: Jakub Kicinski +Date: Mon, 2 Mar 2020 21:05:24 -0800 +Subject: nfc: add missing attribute validation for SE API + +From: Jakub Kicinski + +[ Upstream commit 361d23e41ca6e504033f7e66a03b95788377caae ] + +Add missing attribute validation for NFC_ATTR_SE_INDEX +to the netlink policy. + +Fixes: 5ce3f32b5264 ("NFC: netlink: SE API implementation") +Signed-off-by: Jakub Kicinski +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/nfc/netlink.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/nfc/netlink.c ++++ b/net/nfc/netlink.c +@@ -62,6 +62,7 @@ static const struct nla_policy nfc_genl_ + [NFC_ATTR_LLC_SDP] = { .type = NLA_NESTED }, + [NFC_ATTR_FIRMWARE_NAME] = { .type = NLA_STRING, + .len = NFC_FIRMWARE_NAME_MAXSIZE }, ++ [NFC_ATTR_SE_INDEX] = { .type = NLA_U32 }, + [NFC_ATTR_SE_APDU] = { .type = NLA_BINARY }, + [NFC_ATTR_VENDOR_DATA] = { .type = NLA_BINARY }, + diff --git a/queue-4.9/nfc-add-missing-attribute-validation-for-vendor-subcommand.patch b/queue-4.9/nfc-add-missing-attribute-validation-for-vendor-subcommand.patch new file mode 100644 index 00000000000..8b601ae5c80 --- /dev/null +++ b/queue-4.9/nfc-add-missing-attribute-validation-for-vendor-subcommand.patch 
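Review bot: In mdio_bus_phy_suspend() (drivers/net/phy/phy_device.c) the flag is set with `phydev->suspended_by_mdio_bus = true;` before phy_suspend() has returned, so a failed suspend leaves it set. A later mdio_bus_phy_resume() would then call phy_resume() on a PHY that was never suspended. Setting it only on success avoids the stale state: `ret = phy_suspend(phydev);`, `if (!ret) phydev->suspended_by_mdio_bus = true;`, `return ret;`, with an `int ret;` declared in the function. Whether a failed suspend can be followed by this resume callback depends on PM core behaviour not shown here, so the impact is unconfirmed.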
@@ -0,0 +1,31 @@ +From foo@baz Sun 15 Mar 2020 01:01:22 PM CET +From: Jakub Kicinski +Date: Mon, 2 Mar 2020 21:05:26 -0800 +Subject: nfc: add missing attribute validation for vendor subcommand + +From: Jakub Kicinski + +[ Upstream commit 6ba3da446551f2150fadbf8c7788edcb977683d3 ] + +Add missing attribute validation for vendor subcommand attributes +to the netlink policy. + +Fixes: 9e58095f9660 ("NFC: netlink: Implement vendor command support") +Signed-off-by: Jakub Kicinski +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/nfc/netlink.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/net/nfc/netlink.c ++++ b/net/nfc/netlink.c +@@ -64,6 +64,8 @@ static const struct nla_policy nfc_genl_ + .len = NFC_FIRMWARE_NAME_MAXSIZE }, + [NFC_ATTR_SE_INDEX] = { .type = NLA_U32 }, + [NFC_ATTR_SE_APDU] = { .type = NLA_BINARY }, ++ [NFC_ATTR_VENDOR_ID] = { .type = NLA_U32 }, ++ [NFC_ATTR_VENDOR_SUBCMD] = { .type = NLA_U32 }, + [NFC_ATTR_VENDOR_DATA] = { .type = NLA_BINARY }, + + }; diff --git a/queue-4.9/nl802154-add-missing-attribute-validation-for-dev_type.patch b/queue-4.9/nl802154-add-missing-attribute-validation-for-dev_type.patch new file mode 100644 index 00000000000..095d0ac4a30 --- /dev/null +++ b/queue-4.9/nl802154-add-missing-attribute-validation-for-dev_type.patch 
@@ -0,0 +1,31 @@ +From foo@baz Sun 15 Mar 2020 01:01:22 PM CET +From: Jakub Kicinski +Date: Mon, 2 Mar 2020 21:05:15 -0800 +Subject: nl802154: add missing attribute validation for dev_type + +From: Jakub Kicinski + +[ Upstream commit b60673c4c418bef7550d02faf53c34fbfeb366bf ] + +Add missing attribute type validation for IEEE802154_ATTR_DEV_TYPE +to the netlink policy. + +Fixes: 90c049b2c6ae ("ieee802154: interface type to be added") +Signed-off-by: Jakub Kicinski +Acked-by: Stefan Schmidt +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ieee802154/nl_policy.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/ieee802154/nl_policy.c ++++ b/net/ieee802154/nl_policy.c +@@ -36,6 +36,7 @@ const struct nla_policy ieee802154_polic + [IEEE802154_ATTR_BAT_EXT] = { .type = NLA_U8, }, + [IEEE802154_ATTR_COORD_REALIGN] = { .type = NLA_U8, }, + [IEEE802154_ATTR_PAGE] = { .type = NLA_U8, }, ++ [IEEE802154_ATTR_DEV_TYPE] = { .type = NLA_U8, }, + [IEEE802154_ATTR_COORD_SHORT_ADDR] = { .type = NLA_U16, }, + [IEEE802154_ATTR_COORD_HW_ADDR] = { .type = NLA_HW_ADDR, }, + [IEEE802154_ATTR_COORD_PAN_ID] = { .type = NLA_U16, }, diff --git a/queue-4.9/nl802154-add-missing-attribute-validation.patch b/queue-4.9/nl802154-add-missing-attribute-validation.patch new file mode 100644 index 00000000000..313b074f4b7 --- /dev/null +++ b/queue-4.9/nl802154-add-missing-attribute-validation.patch 
@@ -0,0 +1,34 @@ +From foo@baz Sun 15 Mar 2020 01:01:22 PM CET +From: Jakub Kicinski +Date: Mon, 2 Mar 2020 21:05:14 -0800 +Subject: nl802154: add missing attribute validation + +From: Jakub Kicinski + +[ Upstream commit 9322cd7c4af2ccc7fe7c5f01adb53f4f77949e92 ] + +Add missing attribute validation for several u8 types. + +Fixes: 2c21d11518b6 ("net: add NL802154 interface for configuration of 802.15.4 devices") +Signed-off-by: Jakub Kicinski +Acked-by: Stefan Schmidt +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ieee802154/nl_policy.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/net/ieee802154/nl_policy.c ++++ b/net/ieee802154/nl_policy.c +@@ -30,6 +30,11 @@ const struct nla_policy ieee802154_polic + [IEEE802154_ATTR_HW_ADDR] = { .type = NLA_HW_ADDR, }, + [IEEE802154_ATTR_PAN_ID] = { .type = NLA_U16, }, + [IEEE802154_ATTR_CHANNEL] = { .type = NLA_U8, }, ++ [IEEE802154_ATTR_BCN_ORD] = { .type = NLA_U8, }, ++ [IEEE802154_ATTR_SF_ORD] = { .type = NLA_U8, }, ++ [IEEE802154_ATTR_PAN_COORD] = { .type = NLA_U8, }, ++ [IEEE802154_ATTR_BAT_EXT] = { .type = NLA_U8, }, ++ [IEEE802154_ATTR_COORD_REALIGN] = { .type = NLA_U8, }, + [IEEE802154_ATTR_PAGE] = { .type = NLA_U8, }, + [IEEE802154_ATTR_COORD_SHORT_ADDR] = { .type = NLA_U16, }, + [IEEE802154_ATTR_COORD_HW_ADDR] = { .type = NLA_HW_ADDR, }, diff --git a/queue-4.9/r8152-check-disconnect-status-after-long-sleep.patch b/queue-4.9/r8152-check-disconnect-status-after-long-sleep.patch new file mode 100644 index 00000000000..dcded9f489f --- /dev/null +++ b/queue-4.9/r8152-check-disconnect-status-after-long-sleep.patch 
@@ -0,0 +1,124 @@
+From foo@baz Sun 15 Mar 2020 01:01:22 PM CET
+From: You-Sheng Yang
+Date: Wed, 26 Feb 2020 23:37:10 +0800
+Subject: r8152: check disconnect status after long sleep
+
+From: You-Sheng Yang
+
+[ Upstream commit d64c7a08034b32c285e576208ae44fc3ba3fa7df ]
+
+Dell USB Type C docking WD19/WD19DC attaches additional peripherals as:
+
+ /: Bus 02.Port 1: Dev 1, Class=root_hub, Driver=xhci_hcd/6p, 5000M
+ |__ Port 1: Dev 11, If 0, Class=Hub, Driver=hub/4p, 5000M
+ |__ Port 3: Dev 12, If 0, Class=Hub, Driver=hub/4p, 5000M
+ |__ Port 4: Dev 13, If 0, Class=Vendor Specific Class,
+ Driver=r8152, 5000M
+
+where usb 2-1-3 is a hub connecting all USB Type-A/C ports on the dock.
+
+When hotplugging such dock with additional usb devices already attached on
+it, the probing process may reset usb 2.1 port, therefore r8152 ethernet
+device is also reset. However, during r8152 device init there are several
+for-loops that, when it's unable to retrieve hardware registers due to
+being disconnected from USB, may take up to 14 seconds each in practice,
+and that has to be completed before USB may re-enumerate devices on the
+bus. As a result, devices attached to the dock will only be available
+after nearly 1 minute after the dock was plugged in:
+
+ [ 216.388290] [250] r8152 2-1.4:1.0: usb_probe_interface
+ [ 216.388292] [250] r8152 2-1.4:1.0: usb_probe_interface - got id
+ [ 258.830410] r8152 2-1.4:1.0 (unnamed net_device) (uninitialized): PHY not ready
+ [ 258.830460] r8152 2-1.4:1.0 (unnamed net_device) (uninitialized): Invalid header when reading pass-thru MAC addr
+ [ 258.830464] r8152 2-1.4:1.0 (unnamed net_device) (uninitialized): Get ether addr fail
+
+This happens in, for example, r8153_init:
+
+ static int generic_ocp_read(struct r8152 *tp, u16 index, u16 size,
+ void *data, u16 type)
+ {
+ if (test_bit(RTL8152_UNPLUG, &tp->flags))
+ return -ENODEV;
+ ...
+ }
+
+ static u16 ocp_read_word(struct r8152 *tp, u16 type, u16 index)
+ {
+ u32 data;
+ ...
+ generic_ocp_read(tp, index, sizeof(tmp), &tmp, type | byen);
+
+ data = __le32_to_cpu(tmp);
+ ...
+ return (u16)data;
+ }
+
+ static void r8153_init(struct r8152 *tp)
+ {
+ ...
+ if (test_bit(RTL8152_UNPLUG, &tp->flags))
+ return;
+
+ for (i = 0; i < 500; i++) {
+ if (ocp_read_word(tp, MCU_TYPE_PLA, PLA_BOOT_CTRL) &
+ AUTOLOAD_DONE)
+ break;
+ msleep(20);
+ }
+ ...
+ }
+
+Since ocp_read_word() doesn't check the return status of
+generic_ocp_read(), and the only exit condition for the loop is to have
+a match in the returned value, such loops will only ends after exceeding
+its maximum runs when the device has been marked as disconnected, which
+takes 500 * 20ms = 10 seconds in theory, 14 in practice.
+
+To solve this long latency another test to RTL8152_UNPLUG flag should be
+added after those 20ms sleep to skip unnecessary loops, so that the device
+probe can complete early and proceed to parent port reset/reprobe process.
+
+This can be reproduced on all kernel versions up to latest v5.6-rc2, but
+after v5.5-rc7 the reproduce rate is dramatically lowered to 1/30 or less
+while it was around 1/2.
+
+Signed-off-by: You-Sheng Yang
+Signed-off-by: David S.
Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/usb/r8152.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/net/usb/r8152.c
++++ b/drivers/net/usb/r8152.c
+@@ -2789,6 +2789,8 @@ static void r8153_aldps_en(struct r8152
+ data &= ~EN_ALDPS;
+ ocp_reg_write(tp, OCP_POWER_CFG, data);
+ msleep(20);
++ if (test_bit(RTL8152_UNPLUG, &tp->flags))
++ break;
+ }
+ }
+
+@@ -3423,7 +3425,10 @@ static void r8153_init(struct r8152 *tp)
+ if (ocp_read_word(tp, MCU_TYPE_PLA, PLA_BOOT_CTRL) &
+ AUTOLOAD_DONE)
+ break;
++
+ msleep(20);
++ if (test_bit(RTL8152_UNPLUG, &tp->flags))
++ break;
+ }
+
+ for (i = 0; i < 500; i++) {
+@@ -3447,7 +3452,10 @@ static void r8153_init(struct r8152 *tp)
+ ocp_data = ocp_reg_read(tp, OCP_PHY_STATUS) & PHY_STAT_MASK;
+ if (ocp_data == PHY_STAT_LAN_ON)
+ break;
++
+ msleep(20);
++ if (test_bit(RTL8152_UNPLUG, &tp->flags))
++ break;
+ }
+
+ usb_disable_lpm(tp->udev);
diff --git a/queue-4.9/series b/queue-4.9/series
index e3ed750743f..c6cf38593f7 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
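Review bot: In `r8153_init` the two added `if (test_bit(RTL8152_UNPLUG, &tp->flags)) break;` checks only leave the current polling loop, so after a disconnect the function falls through to the next `for (i = 0; i < 500; i++)` loop and on to `usb_disable_lpm(tp->udev)`, paying another `msleep(20)` and continuing initialisation of a device that is gone. The function is `void` and, per the code quoted in the commit message, already does `return;` on the same flag before the first loop, so `return;` in place of `break;` would stop there; the rest of the function is outside the hunk, so confirm nothing after the loops must still run. Separately, the commit message points out that `ocp_read_word()` ignores the return value of `generic_ocp_read()`, so on failure the loop condition is evaluated on whatever `tmp` held; this patch leaves that as it is.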
@@ -1,3 +1,30 @@ nfs-remove-superfluous-kmap-in-nfs_readdir_xdr_to_ar.patch phy-revert-toggling-reset-changes.patch net-phy-avoid-multiple-suspends.patch +cgroup-netclassid-periodically-release-file_lock-on-classid-updating.patch +gre-fix-uninit-value-in-__iptunnel_pull_header.patch +ipv6-addrconf-call-ipv6_mc_up-for-non-ethernet-interface.patch +net-macsec-update-sci-upon-mac-address-change.patch +net-nfc-fix-bounds-checking-bugs-on-pipe.patch +r8152-check-disconnect-status-after-long-sleep.patch +bnxt_en-reinitialize-irqs-when-mtu-is-modified.patch +fib-add-missing-attribute-validation-for-tun_id.patch +nl802154-add-missing-attribute-validation.patch +nl802154-add-missing-attribute-validation-for-dev_type.patch +macsec-add-missing-attribute-validation-for-port.patch +net-fq-add-missing-attribute-validation-for-orphan-mask.patch +team-add-missing-attribute-validation-for-port-ifindex.patch +team-add-missing-attribute-validation-for-array-index.patch +nfc-add-missing-attribute-validation-for-se-api.patch +nfc-add-missing-attribute-validation-for-vendor-subcommand.patch +ipvlan-add-cond_resched_rcu-while-processing-muticast-backlog.patch +ipvlan-do-not-add-hardware-address-of-master-to-its-unicast-filter-list.patch +ipvlan-egress-mcast-packets-are-not-exceptional.patch +ipvlan-do-not-use-cond_resched_rcu-in-ipvlan_process_multicast.patch +ipvlan-don-t-deref-eth-hdr-before-checking-it-s-set.patch +macvlan-add-cond_resched-during-multicast-processing.patch +net-fec-validate-the-new-settings-in-fec_enet_set_coalesce.patch +slip-make-slhc_compress-more-robust-against-malicious-packets.patch +bonding-alb-make-sure-arp-header-is-pulled-before-accessing-it.patch +cgroup-memcg-net-do-not-associate-sock-with-unrelated-cgroup.patch +net-phy-fix-mdio-bus-pm-phy-resuming.patch 
diff --git a/queue-4.9/slip-make-slhc_compress-more-robust-against-malicious-packets.patch b/queue-4.9/slip-make-slhc_compress-more-robust-against-malicious-packets.patch
new file mode 100644
index 00000000000..3544d5bd860
--- /dev/null
+++ b/queue-4.9/slip-make-slhc_compress-more-robust-against-malicious-packets.patch
@@ -0,0 +1,119 @@
+From foo@baz Sun 15 Mar 2020 11:34:22 AM CET
+From: Eric Dumazet
+Date: Wed, 4 Mar 2020 15:51:43 -0800
+Subject: slip: make slhc_compress() more robust against malicious packets
+
+From: Eric Dumazet
+
+[ Upstream commit 110a40dfb708fe940a3f3704d470e431c368d256 ]
+
+Before accessing various fields in IPV4 network header
+and TCP header, make sure the packet :
+
+- Has IP version 4 (ip->version == 4)
+- Has not a silly network length (ip->ihl >= 5)
+- Is big enough to hold network and transport headers
+- Has not a silly TCP header size (th->doff >= sizeof(struct tcphdr) / 4)
+
+syzbot reported :
+
+BUG: KMSAN: uninit-value in slhc_compress+0x5b9/0x2e60 drivers/net/slip/slhc.c:270
+CPU: 0 PID: 11728 Comm: syz-executor231 Not tainted 5.6.0-rc2-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x1c9/0x220 lib/dump_stack.c:118
+ kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:118
+ __msan_warning+0x58/0xa0 mm/kmsan/kmsan_instr.c:215
+ slhc_compress+0x5b9/0x2e60 drivers/net/slip/slhc.c:270
+ ppp_send_frame drivers/net/ppp/ppp_generic.c:1637 [inline]
+ __ppp_xmit_process+0x1902/0x2970 drivers/net/ppp/ppp_generic.c:1495
+ ppp_xmit_process+0x147/0x2f0 drivers/net/ppp/ppp_generic.c:1516
+ ppp_write+0x6bb/0x790 drivers/net/ppp/ppp_generic.c:512
+ do_loop_readv_writev fs/read_write.c:717 [inline]
+ do_iter_write+0x812/0xdc0 fs/read_write.c:1000
+ compat_writev+0x2df/0x5a0 fs/read_write.c:1351
+ do_compat_pwritev64 fs/read_write.c:1400 [inline]
+ __do_compat_sys_pwritev fs/read_write.c:1420 [inline]
+ __se_compat_sys_pwritev fs/read_write.c:1414 [inline]
+ __ia32_compat_sys_pwritev+0x349/0x3f0 fs/read_write.c:1414
+ do_syscall_32_irqs_on arch/x86/entry/common.c:339 [inline]
+ do_fast_syscall_32+0x3c7/0x6e0 arch/x86/entry/common.c:410
+ entry_SYSENTER_compat+0x68/0x77 arch/x86/entry/entry_64_compat.S:139
+RIP: 0023:0xf7f7cd99
+Code: 90
e8 0b 00 00 00 f3 90 0f ae e8 eb f9 8d 74 26 00 89 3c 24 c3 90 90 90 90 90 90 90 90 90 90 90 90 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
+RSP: 002b:00000000ffdb84ac EFLAGS: 00000217 ORIG_RAX: 000000000000014e
+RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00000000200001c0
+RDX: 0000000000000001 RSI: 0000000000000000 RDI: 0000000000000003
+RBP: 0000000040047459 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
+R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
+
+Uninit was created at:
+ kmsan_save_stack_with_flags mm/kmsan/kmsan.c:144 [inline]
+ kmsan_internal_poison_shadow+0x66/0xd0 mm/kmsan/kmsan.c:127
+ kmsan_slab_alloc+0x8a/0xe0 mm/kmsan/kmsan_hooks.c:82
+ slab_alloc_node mm/slub.c:2793 [inline]
+ __kmalloc_node_track_caller+0xb40/0x1200 mm/slub.c:4401
+ __kmalloc_reserve net/core/skbuff.c:142 [inline]
+ __alloc_skb+0x2fd/0xac0 net/core/skbuff.c:210
+ alloc_skb include/linux/skbuff.h:1051 [inline]
+ ppp_write+0x115/0x790 drivers/net/ppp/ppp_generic.c:500
+ do_loop_readv_writev fs/read_write.c:717 [inline]
+ do_iter_write+0x812/0xdc0 fs/read_write.c:1000
+ compat_writev+0x2df/0x5a0 fs/read_write.c:1351
+ do_compat_pwritev64 fs/read_write.c:1400 [inline]
+ __do_compat_sys_pwritev fs/read_write.c:1420 [inline]
+ __se_compat_sys_pwritev fs/read_write.c:1414 [inline]
+ __ia32_compat_sys_pwritev+0x349/0x3f0 fs/read_write.c:1414
+ do_syscall_32_irqs_on arch/x86/entry/common.c:339 [inline]
+ do_fast_syscall_32+0x3c7/0x6e0 arch/x86/entry/common.c:410
+ entry_SYSENTER_compat+0x68/0x77 arch/x86/entry/entry_64_compat.S:139
+
+Fixes: b5451d783ade ("slip: Move the SLIP drivers")
+Signed-off-by: Eric Dumazet
+Reported-by: syzbot
+Signed-off-by: David S.
Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/slip/slhc.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/slip/slhc.c
++++ b/drivers/net/slip/slhc.c
+@@ -232,7 +232,7 @@ slhc_compress(struct slcompress *comp, u
+ register struct cstate *cs = lcs->next;
+ register unsigned long deltaS, deltaA;
+ register short changes = 0;
+- int hlen;
++ int nlen, hlen;
+ unsigned char new_seq[16];
+ register unsigned char *cp = new_seq;
+ struct iphdr *ip;
+@@ -248,6 +248,8 @@ slhc_compress(struct slcompress *comp, u
+ return isize;
+
+ ip = (struct iphdr *) icp;
++ if (ip->version != 4 || ip->ihl < 5)
++ return isize;
+
+ /* Bail if this packet isn't TCP, or is an IP fragment */
+ if (ip->protocol != IPPROTO_TCP || (ntohs(ip->frag_off) & 0x3fff)) {
+@@ -258,10 +260,14 @@ slhc_compress(struct slcompress *comp, u
+ comp->sls_o_tcp++;
+ return isize;
+ }
+- /* Extract TCP header */
++ nlen = ip->ihl * 4;
++ if (isize < nlen + sizeof(*th))
++ return isize;
+
+- th = (struct tcphdr *)(((unsigned char *)ip) + ip->ihl*4);
+- hlen = ip->ihl*4 + th->doff*4;
++ th = (struct tcphdr *)(icp + nlen);
++ if (th->doff < sizeof(struct tcphdr) / 4)
++ return isize;
++ hlen = nlen + th->doff * 4;
+
+ /* Bail if the TCP packet isn't `compressible' (i.e., ACK isn't set or
+ * some other control bit is set). Also uncompressible if
diff --git a/queue-4.9/team-add-missing-attribute-validation-for-array-index.patch b/queue-4.9/team-add-missing-attribute-validation-for-array-index.patch
new file mode 100644
index 00000000000..ee680802888
--- /dev/null
+++ b/queue-4.9/team-add-missing-attribute-validation-for-array-index.patch
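Review bot: The new length check `if (isize < nlen + sizeof(*th))` mixes the signed `nlen` with a `size_t`, so the comparison is done unsigned; if `isize` is a signed `int` (its declaration is outside the hunk), a negative length would convert to a large value and pass. An explicit form such as `if (isize < 0 || (size_t)isize < (size_t)nlen + sizeof(*th))` removes the reliance on implicit conversion, unless a check before `ip = (struct iphdr *) icp;` already rules that case out. The three added `return isize;` paths also skip the `comp->sls_o_tcp++` accounting that the neighbouring bail-out does, and dropping `/* Extract TCP header */` leaves the validation without a comment; `/* validate IPv4 and TCP header lengths before reading header fields */` above `nlen = ip->ihl * 4;` would cover it. The function body continues outside the hunk.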
@@ -0,0 +1,31 @@
+From foo@baz Sun 15 Mar 2020 01:01:22 PM CET
+From: Jakub Kicinski
+Date: Mon, 2 Mar 2020 21:05:22 -0800
+Subject: team: add missing attribute validation for array index
+
+From: Jakub Kicinski
+
+[ Upstream commit 669fcd7795900cd1880237cbbb57a7db66cb9ac8 ]
+
+Add missing attribute validation for TEAM_ATTR_OPTION_ARRAY_INDEX
+to the netlink policy.
+
+Fixes: b13033262d24 ("team: introduce array options")
+Signed-off-by: Jakub Kicinski
+Reviewed-by: Jiri Pirko
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/team/team.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/team/team.c
++++ b/drivers/net/team/team.c
+@@ -2217,6 +2217,7 @@ team_nl_option_policy[TEAM_ATTR_OPTION_M
+ [TEAM_ATTR_OPTION_TYPE] = { .type = NLA_U8 },
+ [TEAM_ATTR_OPTION_DATA] = { .type = NLA_BINARY },
+ [TEAM_ATTR_OPTION_PORT_IFINDEX] = { .type = NLA_U32 },
++ [TEAM_ATTR_OPTION_ARRAY_INDEX] = { .type = NLA_U32 },
+ };
+
+ static int team_nl_cmd_noop(struct sk_buff *skb, struct genl_info *info)
diff --git a/queue-4.9/team-add-missing-attribute-validation-for-port-ifindex.patch b/queue-4.9/team-add-missing-attribute-validation-for-port-ifindex.patch
new file mode 100644
index 00000000000..c9f0ac34a68
--- /dev/null
+++ b/queue-4.9/team-add-missing-attribute-validation-for-port-ifindex.patch
@@ -0,0 +1,31 @@
+From foo@baz Sun 15 Mar 2020 01:01:22 PM CET
+From: Jakub Kicinski
+Date: Mon, 2 Mar 2020 21:05:21 -0800
+Subject: team: add missing attribute validation for port ifindex
+
+From: Jakub Kicinski
+
+[ Upstream commit dd25cb272ccce4db67dc8509278229099e4f5e99 ]
+
+Add missing attribute validation for TEAM_ATTR_OPTION_PORT_IFINDEX
+to the netlink policy.
+
+Fixes: 80f7c6683fe0 ("team: add support for per-port options")
+Signed-off-by: Jakub Kicinski
+Reviewed-by: Jiri Pirko
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/team/team.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/team/team.c
++++ b/drivers/net/team/team.c
+@@ -2216,6 +2216,7 @@ team_nl_option_policy[TEAM_ATTR_OPTION_M
+ [TEAM_ATTR_OPTION_CHANGED] = { .type = NLA_FLAG },
+ [TEAM_ATTR_OPTION_TYPE] = { .type = NLA_U8 },
+ [TEAM_ATTR_OPTION_DATA] = { .type = NLA_BINARY },
++ [TEAM_ATTR_OPTION_PORT_IFINDEX] = { .type = NLA_U32 },
+ };
+
+ static int team_nl_cmd_noop(struct sk_buff *skb, struct genl_info *info)