From: Greg Kroah-Hartman
Date: Sun, 1 Mar 2020 09:26:58 +0000 (+0100)
Subject: 5.5-stable patches
X-Git-Tag: v4.19.108~84
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=7875ccfc08f51472ddca2acfa01ff9880f43f40b;p=thirdparty%2Fkernel%2Fstable-queue.git

5.5-stable patches

added patches:
    bnxt_en-improve-device-shutdown-method.patch
    bnxt_en-issue-pcie-flr-in-kdump-kernel-to-cleanup-pending-dmas.patch
    bonding-add-missing-netdev_update_lockdep_key.patch
    bonding-fix-lockdep-warning-in-bond_get_stats.patch
    ionic-fix-fw_status-read.patch
    ipv6-fix-nlmsg_flags-when-splitting-a-multipath-route.patch
    ipv6-fix-route-replacement-with-dev-only-route.patch
    net-add-strict-checks-in-netdev_name_node_alt_destroy.patch
    net-dsa-b53-ensure-the-default-vid-is-untagged.patch
    net-export-netdev_next_lower_dev_rcu.patch
    net-fib_rules-correctly-set-table-field-when-table-number-exceeds-8-bits.patch
    net-macb-ensure-interface-is-not-suspended-on-at91rm9200.patch
    net-macb-properly-handle-phylink-on-at91rm9200.patch
    net-mscc-fix-in-frame-extraction.patch
    net-phy-restore-mdio-regs-in-the-iproc-mdio-driver.patch
    net-rtnetlink-fix-bugs-in-rtnl_alt_ifname.patch
    net-sched-correct-flower-port-blocking.patch
    net-tls-fix-to-avoid-gettig-invalid-tls-record.patch
    nfc-pn544-fix-occasional-hw-initialization-failure.patch
    qede-fix-race-between-rdma-destroy-workqueue-and-link-change-event.patch
    revert-net-dev-introduce-support-for-sch-bypass-for-lockless-qdisc.patch
    sctp-move-the-format-error-check-out-of-__sctp_sf_do_9_1_abort.patch
    udp-rehash-on-disconnect.patch
---
diff --git a/queue-5.5/bnxt_en-improve-device-shutdown-method.patch b/queue-5.5/bnxt_en-improve-device-shutdown-method.patch new file mode 100644 index 00000000000..66bca7c251c --- /dev/null +++ b/queue-5.5/bnxt_en-improve-device-shutdown-method.patch 
@@ -0,0 +1,37 @@ +From foo@baz Sun 01 Mar 2020 10:24:06 AM CET +From: Vasundhara Volam +Date: Thu, 20 Feb 2020 17:26:34 -0500 +Subject: bnxt_en: Improve device shutdown method. + +From: Vasundhara Volam + +[ Upstream commit 5567ae4a8d569d996d0d88d0eceb76205e4c7ce5 ] + +Especially when bnxt_shutdown() is called during kexec, we need to +disable MSIX and disable Bus Master to completely quiesce the device. +Make these 2 calls unconditionally in the shutdown method. + +Fixes: c20dc142dd7b ("bnxt_en: Disable bus master during PCI shutdown and driver unload.") +Signed-off-by: Vasundhara Volam +Signed-off-by: Michael Chan +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/broadcom/bnxt/bnxt.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +@@ -11972,10 +11972,10 @@ static void bnxt_shutdown(struct pci_dev + dev_close(dev); + + bnxt_ulp_shutdown(bp); ++ bnxt_clear_int_mode(bp); ++ pci_disable_device(pdev); + + if (system_state == SYSTEM_POWER_OFF) { +- bnxt_clear_int_mode(bp); +- pci_disable_device(pdev); + pci_wake_from_d3(pdev, bp->wol); + pci_set_power_state(pdev, PCI_D3hot); + } diff --git a/queue-5.5/bnxt_en-issue-pcie-flr-in-kdump-kernel-to-cleanup-pending-dmas.patch b/queue-5.5/bnxt_en-issue-pcie-flr-in-kdump-kernel-to-cleanup-pending-dmas.patch new file mode 100644 index 00000000000..614c7b0e910 --- /dev/null +++ b/queue-5.5/bnxt_en-issue-pcie-flr-in-kdump-kernel-to-cleanup-pending-dmas.patch 
@@ -0,0 +1,39 @@ +From foo@baz Sun 01 Mar 2020 10:24:06 AM CET +From: Vasundhara Volam +Date: Thu, 20 Feb 2020 17:26:35 -0500 +Subject: bnxt_en: Issue PCIe FLR in kdump kernel to cleanup pending DMAs. + +From: Vasundhara Volam + +[ Upstream commit 8743db4a9acfd51f805ac0c87bcaae92c42d1061 ] + +If crashed kernel does not shutdown the NIC properly, PCIe FLR +is required in the kdump kernel in order to initialize all the +functions properly. + +Fixes: d629522e1d66 ("bnxt_en: Reduce memory usage when running in kdump kernel.") +Signed-off-by: Vasundhara Volam +Signed-off-by: Michael Chan +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/broadcom/bnxt/bnxt.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +@@ -11775,6 +11775,14 @@ static int bnxt_init_one(struct pci_dev + if (version_printed++ == 0) + pr_info("%s", version); + ++ /* Clear any pending DMA transactions from crash kernel ++ * while loading driver in capture kernel. ++ */ ++ if (is_kdump_kernel()) { ++ pci_clear_master(pdev); ++ pcie_flr(pdev); ++ } ++ + max_irqs = bnxt_get_max_irq(pdev); + dev = alloc_etherdev_mq(sizeof(*bp), max_irqs); + if (!dev) diff --git a/queue-5.5/bonding-add-missing-netdev_update_lockdep_key.patch b/queue-5.5/bonding-add-missing-netdev_update_lockdep_key.patch new file mode 100644 index 00000000000..f363342f231 --- /dev/null +++ b/queue-5.5/bonding-add-missing-netdev_update_lockdep_key.patch 
@@ -0,0 +1,150 @@ +From foo@baz Sun 01 Mar 2020 10:24:06 AM CET +From: Taehee Yoo +Date: Sat, 15 Feb 2020 10:50:08 +0000 +Subject: bonding: add missing netdev_update_lockdep_key() + +From: Taehee Yoo + +[ Upstream commit 064ff66e2bef84f1153087612032b5b9eab005bd ] + +After bond_release(), netdev_update_lockdep_key() should be called. +But both ioctl path and attribute path don't call +netdev_update_lockdep_key(). +This patch adds missing netdev_update_lockdep_key(). + +Test commands: + ip link add bond0 type bond + ip link add bond1 type bond + ifenslave bond0 bond1 + ifenslave -d bond0 bond1 + ifenslave bond1 bond0 + +Splat looks like: +[ 29.501182][ T1046] WARNING: possible circular locking dependency detected +[ 29.501945][ T1039] hardirqs last disabled at (1962): [] handle_mm_fault+0x13f/0x700 +[ 29.503442][ T1046] 5.5.0+ #322 Not tainted +[ 29.503447][ T1046] ------------------------------------------------------ +[ 29.504277][ T1039] softirqs last enabled at (1180): [] __do_softirq+0x678/0x981 +[ 29.505443][ T1046] ifenslave/1046 is trying to acquire lock: +[ 29.505886][ T1039] softirqs last disabled at (1169): [] irq_exit+0x17a/0x1a0 +[ 29.509997][ T1046] ffff88805d5da280 (&dev->addr_list_lock_key#3){+...}, at: dev_mc_sync_multiple+0x95/0x120 +[ 29.511243][ T1046] +[ 29.511243][ T1046] but task is already holding lock: +[ 29.512192][ T1046] ffff8880460f2280 (&dev->addr_list_lock_key#4){+...}, at: bond_enslave+0x4482/0x47b0 [bonding] +[ 29.514124][ T1046] +[ 29.514124][ T1046] which lock already depends on the new lock. 
+[ 29.514124][ T1046] +[ 29.517297][ T1046] +[ 29.517297][ T1046] the existing dependency chain (in reverse order) is: +[ 29.518231][ T1046] +[ 29.518231][ T1046] -> #1 (&dev->addr_list_lock_key#4){+...}: +[ 29.519076][ T1046] _raw_spin_lock+0x30/0x70 +[ 29.519588][ T1046] dev_mc_sync_multiple+0x95/0x120 +[ 29.520208][ T1046] bond_enslave+0x448d/0x47b0 [bonding] +[ 29.520862][ T1046] bond_option_slaves_set+0x1a3/0x370 [bonding] +[ 29.521640][ T1046] __bond_opt_set+0x1ff/0xbb0 [bonding] +[ 29.522438][ T1046] __bond_opt_set_notify+0x2b/0xf0 [bonding] +[ 29.523251][ T1046] bond_opt_tryset_rtnl+0x92/0xf0 [bonding] +[ 29.524082][ T1046] bonding_sysfs_store_option+0x8a/0xf0 [bonding] +[ 29.524959][ T1046] kernfs_fop_write+0x276/0x410 +[ 29.525620][ T1046] vfs_write+0x197/0x4a0 +[ 29.526218][ T1046] ksys_write+0x141/0x1d0 +[ 29.526818][ T1046] do_syscall_64+0x99/0x4f0 +[ 29.527430][ T1046] entry_SYSCALL_64_after_hwframe+0x49/0xbe +[ 29.528265][ T1046] +[ 29.528265][ T1046] -> #0 (&dev->addr_list_lock_key#3){+...}: +[ 29.529272][ T1046] __lock_acquire+0x2d8d/0x3de0 +[ 29.529935][ T1046] lock_acquire+0x164/0x3b0 +[ 29.530638][ T1046] _raw_spin_lock+0x30/0x70 +[ 29.531187][ T1046] dev_mc_sync_multiple+0x95/0x120 +[ 29.531790][ T1046] bond_enslave+0x448d/0x47b0 [bonding] +[ 29.532451][ T1046] bond_option_slaves_set+0x1a3/0x370 [bonding] +[ 29.533163][ T1046] __bond_opt_set+0x1ff/0xbb0 [bonding] +[ 29.533789][ T1046] __bond_opt_set_notify+0x2b/0xf0 [bonding] +[ 29.534595][ T1046] bond_opt_tryset_rtnl+0x92/0xf0 [bonding] +[ 29.535500][ T1046] bonding_sysfs_store_option+0x8a/0xf0 [bonding] +[ 29.536379][ T1046] kernfs_fop_write+0x276/0x410 +[ 29.537057][ T1046] vfs_write+0x197/0x4a0 +[ 29.537640][ T1046] ksys_write+0x141/0x1d0 +[ 29.538251][ T1046] do_syscall_64+0x99/0x4f0 +[ 29.538870][ T1046] entry_SYSCALL_64_after_hwframe+0x49/0xbe +[ 29.539659][ T1046] +[ 29.539659][ T1046] other info that might help us debug this: +[ 29.539659][ T1046] +[ 29.540953][ T1046] Possible unsafe 
locking scenario: +[ 29.540953][ T1046] +[ 29.541883][ T1046] CPU0 CPU1 +[ 29.542540][ T1046] ---- ---- +[ 29.543209][ T1046] lock(&dev->addr_list_lock_key#4); +[ 29.543880][ T1046] lock(&dev->addr_list_lock_key#3); +[ 29.544873][ T1046] lock(&dev->addr_list_lock_key#4); +[ 29.545863][ T1046] lock(&dev->addr_list_lock_key#3); +[ 29.546525][ T1046] +[ 29.546525][ T1046] *** DEADLOCK *** +[ 29.546525][ T1046] +[ 29.547542][ T1046] 5 locks held by ifenslave/1046: +[ 29.548196][ T1046] #0: ffff88806044c478 (sb_writers#5){.+.+}, at: vfs_write+0x3bb/0x4a0 +[ 29.549248][ T1046] #1: ffff88805af00890 (&of->mutex){+.+.}, at: kernfs_fop_write+0x1cf/0x410 +[ 29.550343][ T1046] #2: ffff88805b8b54b0 (kn->count#157){.+.+}, at: kernfs_fop_write+0x1f2/0x410 +[ 29.551575][ T1046] #3: ffffffffaecf4cf0 (rtnl_mutex){+.+.}, at: bond_opt_tryset_rtnl+0x5f/0xf0 [bonding] +[ 29.552819][ T1046] #4: ffff8880460f2280 (&dev->addr_list_lock_key#4){+...}, at: bond_enslave+0x4482/0x47b0 [bonding] +[ 29.554175][ T1046] +[ 29.554175][ T1046] stack backtrace: +[ 29.554907][ T1046] CPU: 0 PID: 1046 Comm: ifenslave Not tainted 5.5.0+ #322 +[ 29.555854][ T1046] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006 +[ 29.557064][ T1046] Call Trace: +[ 29.557504][ T1046] dump_stack+0x96/0xdb +[ 29.558054][ T1046] check_noncircular+0x371/0x450 +[ 29.558723][ T1046] ? print_circular_bug.isra.35+0x310/0x310 +[ 29.559486][ T1046] ? hlock_class+0x130/0x130 +[ 29.560100][ T1046] ? __lock_acquire+0x2d8d/0x3de0 +[ 29.560761][ T1046] __lock_acquire+0x2d8d/0x3de0 +[ 29.561366][ T1046] ? register_lock_class+0x14d0/0x14d0 +[ 29.562045][ T1046] ? find_held_lock+0x39/0x1d0 +[ 29.562641][ T1046] lock_acquire+0x164/0x3b0 +[ 29.563199][ T1046] ? dev_mc_sync_multiple+0x95/0x120 +[ 29.563872][ T1046] _raw_spin_lock+0x30/0x70 +[ 29.564464][ T1046] ? 
dev_mc_sync_multiple+0x95/0x120 +[ 29.565146][ T1046] dev_mc_sync_multiple+0x95/0x120 +[ 29.565793][ T1046] bond_enslave+0x448d/0x47b0 [bonding] +[ 29.566487][ T1046] ? bond_update_slave_arr+0x940/0x940 [bonding] +[ 29.567279][ T1046] ? bstr_printf+0xc20/0xc20 +[ 29.567857][ T1046] ? stack_trace_consume_entry+0x160/0x160 +[ 29.568614][ T1046] ? deactivate_slab.isra.77+0x2c5/0x800 +[ 29.569320][ T1046] ? check_chain_key+0x236/0x5d0 +[ 29.569939][ T1046] ? sscanf+0x93/0xc0 +[ 29.570442][ T1046] ? vsscanf+0x1e20/0x1e20 +[ 29.571003][ T1046] bond_option_slaves_set+0x1a3/0x370 [bonding] +[ ... ] + +Fixes: ab92d68fc22f ("net: core: add generic lockdep keys") +Signed-off-by: Taehee Yoo +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/bonding/bond_main.c | 2 ++ + drivers/net/bonding/bond_options.c | 2 ++ + 2 files changed, 4 insertions(+) + +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -3640,6 +3640,8 @@ static int bond_do_ioctl(struct net_devi + case BOND_RELEASE_OLD: + case SIOCBONDRELEASE: + res = bond_release(bond_dev, slave_dev); ++ if (!res) ++ netdev_update_lockdep_key(slave_dev); + break; + case BOND_SETHWADDR_OLD: + case SIOCBONDSETHWADDR: +--- a/drivers/net/bonding/bond_options.c ++++ b/drivers/net/bonding/bond_options.c +@@ -1398,6 +1398,8 @@ static int bond_option_slaves_set(struct + case '-': + slave_dbg(bond->dev, dev, "Releasing interface\n"); + ret = bond_release(bond->dev, dev); ++ if (!ret) ++ netdev_update_lockdep_key(dev); + break; + + default: diff --git a/queue-5.5/bonding-fix-lockdep-warning-in-bond_get_stats.patch b/queue-5.5/bonding-fix-lockdep-warning-in-bond_get_stats.patch new file mode 100644 index 00000000000..b8d80f41594 --- /dev/null +++ b/queue-5.5/bonding-fix-lockdep-warning-in-bond_get_stats.patch 
@@ -0,0 +1,243 @@ +From foo@baz Sun 01 Mar 2020 10:24:06 AM CET +From: Taehee Yoo +Date: Sat, 15 Feb 2020 10:50:40 +0000 +Subject: bonding: fix lockdep warning in bond_get_stats() + +From: Taehee Yoo + +[ Upstream commit b3e80d44f5b1b470dd9e2dbc6816e63a5c519709 ] + +In the "struct bonding", there is stats_lock. +This lock protects "bond_stats" in the "struct bonding". +bond_stats is updated in the bond_get_stats() and this function would be +executed concurrently. So, the lock is needed. + +Bonding interfaces would be nested. +So, either stats_lock should use dynamic lockdep class key or stats_lock +should be used by spin_lock_nested(). In the current code, stats_lock is +using a dynamic lockdep class key. +But there is no updating stats_lock_key routine So, lockdep warning +will occur. + +Test commands: + ip link add bond0 type bond + ip link add bond1 type bond + ip link set bond0 master bond1 + ip link set bond0 nomaster + ip link set bond1 master bond0 + +Splat looks like: +[ 38.420603][ T957] 5.5.0+ #394 Not tainted +[ 38.421074][ T957] ------------------------------------------------------ +[ 38.421837][ T957] ip/957 is trying to acquire lock: +[ 38.422399][ T957] ffff888063262cd8 (&bond->stats_lock_key#2){+.+.}, at: bond_get_stats+0x90/0x4d0 [bonding] +[ 38.423528][ T957] +[ 38.423528][ T957] but task is already holding lock: +[ 38.424526][ T957] ffff888065fd2cd8 (&bond->stats_lock_key){+.+.}, at: bond_get_stats+0x90/0x4d0 [bonding] +[ 38.426075][ T957] +[ 38.426075][ T957] which lock already depends on the new lock. 
+[ 38.426075][ T957] +[ 38.428536][ T957] +[ 38.428536][ T957] the existing dependency chain (in reverse order) is: +[ 38.429475][ T957] +[ 38.429475][ T957] -> #1 (&bond->stats_lock_key){+.+.}: +[ 38.430273][ T957] _raw_spin_lock+0x30/0x70 +[ 38.430812][ T957] bond_get_stats+0x90/0x4d0 [bonding] +[ 38.431451][ T957] dev_get_stats+0x1ec/0x270 +[ 38.432088][ T957] bond_get_stats+0x1a5/0x4d0 [bonding] +[ 38.432767][ T957] dev_get_stats+0x1ec/0x270 +[ 38.433322][ T957] rtnl_fill_stats+0x44/0xbe0 +[ 38.433866][ T957] rtnl_fill_ifinfo+0xeb2/0x3720 +[ 38.434474][ T957] rtmsg_ifinfo_build_skb+0xca/0x170 +[ 38.435081][ T957] rtmsg_ifinfo_event.part.33+0x1b/0xb0 +[ 38.436848][ T957] rtnetlink_event+0xcd/0x120 +[ 38.437455][ T957] notifier_call_chain+0x90/0x160 +[ 38.438067][ T957] netdev_change_features+0x74/0xa0 +[ 38.438708][ T957] bond_compute_features.isra.45+0x4e6/0x6f0 [bonding] +[ 38.439522][ T957] bond_enslave+0x3639/0x47b0 [bonding] +[ 38.440225][ T957] do_setlink+0xaab/0x2ef0 +[ 38.440786][ T957] __rtnl_newlink+0x9c5/0x1270 +[ 38.441463][ T957] rtnl_newlink+0x65/0x90 +[ 38.442075][ T957] rtnetlink_rcv_msg+0x4a8/0x890 +[ 38.442774][ T957] netlink_rcv_skb+0x121/0x350 +[ 38.443451][ T957] netlink_unicast+0x42e/0x610 +[ 38.444282][ T957] netlink_sendmsg+0x65a/0xb90 +[ 38.444992][ T957] ____sys_sendmsg+0x5ce/0x7a0 +[ 38.445679][ T957] ___sys_sendmsg+0x10f/0x1b0 +[ 38.446365][ T957] __sys_sendmsg+0xc6/0x150 +[ 38.447007][ T957] do_syscall_64+0x99/0x4f0 +[ 38.447668][ T957] entry_SYSCALL_64_after_hwframe+0x49/0xbe +[ 38.448538][ T957] +[ 38.448538][ T957] -> #0 (&bond->stats_lock_key#2){+.+.}: +[ 38.449554][ T957] __lock_acquire+0x2d8d/0x3de0 +[ 38.450148][ T957] lock_acquire+0x164/0x3b0 +[ 38.450711][ T957] _raw_spin_lock+0x30/0x70 +[ 38.451292][ T957] bond_get_stats+0x90/0x4d0 [bonding] +[ 38.451950][ T957] dev_get_stats+0x1ec/0x270 +[ 38.452425][ T957] bond_get_stats+0x1a5/0x4d0 [bonding] +[ 38.453362][ T957] dev_get_stats+0x1ec/0x270 +[ 38.453825][ T957] 
rtnl_fill_stats+0x44/0xbe0 +[ 38.454390][ T957] rtnl_fill_ifinfo+0xeb2/0x3720 +[ 38.456257][ T957] rtmsg_ifinfo_build_skb+0xca/0x170 +[ 38.456998][ T957] rtmsg_ifinfo_event.part.33+0x1b/0xb0 +[ 38.459351][ T957] rtnetlink_event+0xcd/0x120 +[ 38.460086][ T957] notifier_call_chain+0x90/0x160 +[ 38.460829][ T957] netdev_change_features+0x74/0xa0 +[ 38.461752][ T957] bond_compute_features.isra.45+0x4e6/0x6f0 [bonding] +[ 38.462705][ T957] bond_enslave+0x3639/0x47b0 [bonding] +[ 38.463476][ T957] do_setlink+0xaab/0x2ef0 +[ 38.464141][ T957] __rtnl_newlink+0x9c5/0x1270 +[ 38.464897][ T957] rtnl_newlink+0x65/0x90 +[ 38.465522][ T957] rtnetlink_rcv_msg+0x4a8/0x890 +[ 38.466215][ T957] netlink_rcv_skb+0x121/0x350 +[ 38.466895][ T957] netlink_unicast+0x42e/0x610 +[ 38.467583][ T957] netlink_sendmsg+0x65a/0xb90 +[ 38.468285][ T957] ____sys_sendmsg+0x5ce/0x7a0 +[ 38.469202][ T957] ___sys_sendmsg+0x10f/0x1b0 +[ 38.469884][ T957] __sys_sendmsg+0xc6/0x150 +[ 38.470587][ T957] do_syscall_64+0x99/0x4f0 +[ 38.471245][ T957] entry_SYSCALL_64_after_hwframe+0x49/0xbe +[ 38.472093][ T957] +[ 38.472093][ T957] other info that might help us debug this: +[ 38.472093][ T957] +[ 38.473438][ T957] Possible unsafe locking scenario: +[ 38.473438][ T957] +[ 38.474898][ T957] CPU0 CPU1 +[ 38.476234][ T957] ---- ---- +[ 38.480171][ T957] lock(&bond->stats_lock_key); +[ 38.480808][ T957] lock(&bond->stats_lock_key#2); +[ 38.481791][ T957] lock(&bond->stats_lock_key); +[ 38.482754][ T957] lock(&bond->stats_lock_key#2); +[ 38.483416][ T957] +[ 38.483416][ T957] *** DEADLOCK *** +[ 38.483416][ T957] +[ 38.484505][ T957] 3 locks held by ip/957: +[ 38.485048][ T957] #0: ffffffffbccf6230 (rtnl_mutex){+.+.}, at: rtnetlink_rcv_msg+0x457/0x890 +[ 38.486198][ T957] #1: ffff888065fd2cd8 (&bond->stats_lock_key){+.+.}, at: bond_get_stats+0x90/0x4d0 [bonding] +[ 38.487625][ T957] #2: ffffffffbc9254c0 (rcu_read_lock){....}, at: bond_get_stats+0x5/0x4d0 [bonding] +[ 38.488897][ T957] +[ 38.488897][ T957] stack 
backtrace: +[ 38.489646][ T957] CPU: 1 PID: 957 Comm: ip Not tainted 5.5.0+ #394 +[ 38.490497][ T957] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006 +[ 38.492810][ T957] Call Trace: +[ 38.493219][ T957] dump_stack+0x96/0xdb +[ 38.493709][ T957] check_noncircular+0x371/0x450 +[ 38.494344][ T957] ? lookup_address+0x60/0x60 +[ 38.494923][ T957] ? print_circular_bug.isra.35+0x310/0x310 +[ 38.495699][ T957] ? hlock_class+0x130/0x130 +[ 38.496334][ T957] ? __lock_acquire+0x2d8d/0x3de0 +[ 38.496979][ T957] __lock_acquire+0x2d8d/0x3de0 +[ 38.497607][ T957] ? register_lock_class+0x14d0/0x14d0 +[ 38.498333][ T957] ? check_chain_key+0x236/0x5d0 +[ 38.499003][ T957] lock_acquire+0x164/0x3b0 +[ 38.499800][ T957] ? bond_get_stats+0x90/0x4d0 [bonding] +[ 38.500706][ T957] _raw_spin_lock+0x30/0x70 +[ 38.501435][ T957] ? bond_get_stats+0x90/0x4d0 [bonding] +[ 38.502311][ T957] bond_get_stats+0x90/0x4d0 [bonding] +[ ... ] + +But, there is another problem. +The dynamic lockdep class key is protected by RTNL, but bond_get_stats() +would be called outside of RTNL. +So, it would use an invalid dynamic lockdep class key. + +In order to fix this issue, stats_lock uses spin_lock_nested() instead of +a dynamic lockdep key. +The bond_get_stats() calls bond_get_lowest_level_rcu() to get the correct +nest level value, which will be used by spin_lock_nested(). +The "dev->lower_level" indicates lower nest level value, but this value +is invalid outside of RTNL. +So, bond_get_lowest_level_rcu() returns valid lower nest level value in +the RCU critical section. +bond_get_lowest_level_rcu() will be work only when LOCKDEP is enabled. + +Fixes: 089bca2caed0 ("bonding: use dynamic lockdep key instead of subclass") +Signed-off-by: Taehee Yoo +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/bonding/bond_main.c | 53 +++++++++++++++++++++++++++++++++++++--- + 1 file changed, 50 insertions(+), 3 deletions(-) + +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -3526,6 +3526,47 @@ static void bond_fold_stats(struct rtnl_ + } + } + ++#ifdef CONFIG_LOCKDEP ++static int bond_get_lowest_level_rcu(struct net_device *dev) ++{ ++ struct net_device *ldev, *next, *now, *dev_stack[MAX_NEST_DEV + 1]; ++ struct list_head *niter, *iter, *iter_stack[MAX_NEST_DEV + 1]; ++ int cur = 0, max = 0; ++ ++ now = dev; ++ iter = &dev->adj_list.lower; ++ ++ while (1) { ++ next = NULL; ++ while (1) { ++ ldev = netdev_next_lower_dev_rcu(now, &iter); ++ if (!ldev) ++ break; ++ ++ next = ldev; ++ niter = &ldev->adj_list.lower; ++ dev_stack[cur] = now; ++ iter_stack[cur++] = iter; ++ if (max <= cur) ++ max = cur; ++ break; ++ } ++ ++ if (!next) { ++ if (!cur) ++ return max; ++ next = dev_stack[--cur]; ++ niter = iter_stack[cur]; ++ } ++ ++ now = next; ++ iter = niter; ++ } ++ ++ return max; ++} ++#endif ++ + static void bond_get_stats(struct net_device *bond_dev, + struct rtnl_link_stats64 *stats) + { +@@ -3533,11 +3574,17 @@ static void bond_get_stats(struct net_de + struct rtnl_link_stats64 temp; + struct list_head *iter; + struct slave *slave; ++ int nest_level = 0; + +- spin_lock(&bond->stats_lock); +- memcpy(stats, &bond->bond_stats, sizeof(*stats)); + + rcu_read_lock(); ++#ifdef CONFIG_LOCKDEP ++ nest_level = bond_get_lowest_level_rcu(bond_dev); ++#endif ++ ++ spin_lock_nested(&bond->stats_lock, nest_level); ++ memcpy(stats, &bond->bond_stats, sizeof(*stats)); ++ + bond_for_each_slave_rcu(bond, slave, iter) { + const struct rtnl_link_stats64 *new = + dev_get_stats(slave->dev, &temp); +@@ -3547,10 +3594,10 @@ static void bond_get_stats(struct net_de + /* save off the slave stats for the next run */ + memcpy(&slave->slave_stats, new, sizeof(*new)); + } +- rcu_read_unlock(); + + 
memcpy(&bond->bond_stats, stats, sizeof(*stats)); + spin_unlock(&bond->stats_lock); ++ rcu_read_unlock(); + } + + static int bond_do_ioctl(struct net_device *bond_dev, struct ifreq *ifr, int cmd) diff --git a/queue-5.5/ionic-fix-fw_status-read.patch b/queue-5.5/ionic-fix-fw_status-read.patch new file mode 100644 index 00000000000..e44d9d1bb3b --- /dev/null +++ b/queue-5.5/ionic-fix-fw_status-read.patch 
@@ -0,0 +1,59 @@ +From foo@baz Sun 01 Mar 2020 10:24:06 AM CET +From: Shannon Nelson +Date: Wed, 19 Feb 2020 14:59:42 -0800 +Subject: ionic: fix fw_status read + +From: Shannon Nelson + +[ Upstream commit 68b759a75d6257759d1e37ff13f2d0659baf1112 ] + +The fw_status field is only 8 bits, so fix the read. Also, +we only want to look at the one status bit, to allow for future +use of the other bits, and watch for a bad PCI read. + +Fixes: 97ca486592c0 ("ionic: add heartbeat check") +Signed-off-by: Shannon Nelson +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/pensando/ionic/ionic_dev.c | 11 +++++++---- + drivers/net/ethernet/pensando/ionic/ionic_if.h | 1 + + 2 files changed, 8 insertions(+), 4 deletions(-) + +--- a/drivers/net/ethernet/pensando/ionic/ionic_dev.c ++++ b/drivers/net/ethernet/pensando/ionic/ionic_dev.c +@@ -103,7 +103,7 @@ int ionic_heartbeat_check(struct ionic * + { + struct ionic_dev *idev = &ionic->idev; + unsigned long hb_time; +- u32 fw_status; ++ u8 fw_status; + u32 hb; + + /* wait a little more than one second before testing again */ +@@ -111,9 +111,12 @@ int ionic_heartbeat_check(struct ionic * + if (time_before(hb_time, (idev->last_hb_time + ionic->watchdog_period))) + return 0; + +- /* firmware is useful only if fw_status is non-zero */ +- fw_status = ioread32(&idev->dev_info_regs->fw_status); +- if (!fw_status) ++ /* firmware is useful only if the running bit is set and ++ * fw_status != 0xff (bad PCI read) ++ */ ++ fw_status = ioread8(&idev->dev_info_regs->fw_status); ++ if (fw_status == 0xff || ++ !(fw_status & IONIC_FW_STS_F_RUNNING)) + return -ENXIO; + + /* early FW has no heartbeat, else FW will return non-zero */ +--- a/drivers/net/ethernet/pensando/ionic/ionic_if.h ++++ b/drivers/net/ethernet/pensando/ionic/ionic_if.h +@@ -2348,6 +2348,7 @@ union ionic_dev_info_regs { + u8 version; + u8 asic_type; + u8 asic_rev; ++#define IONIC_FW_STS_F_RUNNING 0x1 + u8 fw_status; + u32 fw_heartbeat; + char 
fw_version[IONIC_DEVINFO_FWVERS_BUFLEN]; diff --git a/queue-5.5/ipv6-fix-nlmsg_flags-when-splitting-a-multipath-route.patch b/queue-5.5/ipv6-fix-nlmsg_flags-when-splitting-a-multipath-route.patch new file mode 100644 index 00000000000..cc1e871b3b4 --- /dev/null +++ b/queue-5.5/ipv6-fix-nlmsg_flags-when-splitting-a-multipath-route.patch 
@@ -0,0 +1,49 @@ +From foo@baz Sun 01 Mar 2020 10:24:06 AM CET +From: Benjamin Poirier +Date: Wed, 12 Feb 2020 10:41:07 +0900 +Subject: ipv6: Fix nlmsg_flags when splitting a multipath route + +From: Benjamin Poirier + +[ Upstream commit afecdb376bd81d7e16578f0cfe82a1aec7ae18f3 ] + +When splitting an RTA_MULTIPATH request into multiple routes and adding the +second and later components, we must not simply remove NLM_F_REPLACE but +instead replace it by NLM_F_CREATE. Otherwise, it may look like the netlink +message was malformed. + +For example, + ip route add 2001:db8::1/128 dev dummy0 + ip route change 2001:db8::1/128 nexthop via fe80::30:1 dev dummy0 \ + nexthop via fe80::30:2 dev dummy0 +results in the following warnings: +[ 1035.057019] IPv6: RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE +[ 1035.057517] IPv6: NLM_F_CREATE should be set when creating new route + +This patch makes the nlmsg sequence look equivalent for __ip6_ins_rt() to +what it would get if the multipath route had been added in multiple netlink +operations: + ip route add 2001:db8::1/128 dev dummy0 + ip route change 2001:db8::1/128 nexthop via fe80::30:1 dev dummy0 + ip route append 2001:db8::1/128 nexthop via fe80::30:2 dev dummy0 + +Fixes: 27596472473a ("ipv6: fix ECMP route replacement") +Signed-off-by: Benjamin Poirier +Reviewed-by: Michal Kubecek +Reviewed-by: David Ahern +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/route.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/ipv6/route.c ++++ b/net/ipv6/route.c +@@ -5152,6 +5152,7 @@ static int ip6_route_multipath_add(struc + */ + cfg->fc_nlinfo.nlh->nlmsg_flags &= ~(NLM_F_EXCL | + NLM_F_REPLACE); ++ cfg->fc_nlinfo.nlh->nlmsg_flags |= NLM_F_CREATE; + nhn++; + } + diff --git a/queue-5.5/ipv6-fix-route-replacement-with-dev-only-route.patch b/queue-5.5/ipv6-fix-route-replacement-with-dev-only-route.patch new file mode 100644 index 00000000000..19803521c93 --- /dev/null 
+++ b/queue-5.5/ipv6-fix-route-replacement-with-dev-only-route.patch 
@@ -0,0 +1,74 @@ +From foo@baz Sun 01 Mar 2020 10:24:06 AM CET +From: Benjamin Poirier +Date: Wed, 12 Feb 2020 10:41:06 +0900 +Subject: ipv6: Fix route replacement with dev-only route + +From: Benjamin Poirier + +[ Upstream commit e404b8c7cfb31654c9024d497cec58a501501692 ] + +After commit 27596472473a ("ipv6: fix ECMP route replacement") it is no +longer possible to replace an ECMP-able route by a non ECMP-able route. +For example, + ip route add 2001:db8::1/128 via fe80::1 dev dummy0 + ip route replace 2001:db8::1/128 dev dummy0 +does not work as expected. + +Tweak the replacement logic so that point 3 in the log of the above commit +becomes: +3. If the new route is not ECMP-able, and no matching non-ECMP-able route +exists, replace matching ECMP-able route (if any) or add the new route. + +We can now summarize the entire replace semantics to: +When doing a replace, prefer replacing a matching route of the same +"ECMP-able-ness" as the replace argument. If there is no such candidate, +fallback to the first route found. + +Fixes: 27596472473a ("ipv6: fix ECMP route replacement") +Signed-off-by: Benjamin Poirier +Reviewed-by: Michal Kubecek +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/ip6_fib.c | 7 ++++--- + tools/testing/selftests/net/fib_tests.sh | 6 ++++++ + 2 files changed, 10 insertions(+), 3 deletions(-) + +--- a/net/ipv6/ip6_fib.c ++++ b/net/ipv6/ip6_fib.c +@@ -1068,8 +1068,7 @@ static int fib6_add_rt2node(struct fib6_ + found++; + break; + } +- if (rt_can_ecmp) +- fallback_ins = fallback_ins ?: ins; ++ fallback_ins = fallback_ins ?: ins; + goto next_iter; + } + +@@ -1112,7 +1111,9 @@ next_iter: + } + + if (fallback_ins && !found) { +- /* No ECMP-able route found, replace first non-ECMP one */ ++ /* No matching route with same ecmp-able-ness found, replace ++ * first matching route ++ */ + ins = fallback_ins; + iter = rcu_dereference_protected(*ins, + lockdep_is_held(&rt->fib6_table->tb6_lock)); +--- a/tools/testing/selftests/net/fib_tests.sh ++++ b/tools/testing/selftests/net/fib_tests.sh +@@ -910,6 +910,12 @@ ipv6_rt_replace_mpath() + check_route6 "2001:db8:104::/64 via 2001:db8:101::3 dev veth1 metric 1024" + log_test $? 0 "Multipath with single path via multipath attribute" + ++ # multipath with dev-only ++ add_initial_route6 "nexthop via 2001:db8:101::2 nexthop via 2001:db8:103::2" ++ run_cmd "$IP -6 ro replace 2001:db8:104::/64 dev veth1" ++ check_route6 "2001:db8:104::/64 dev veth1 metric 1024" ++ log_test $? 0 "Multipath with dev-only" ++ + # route replace fails - invalid nexthop 1 + add_initial_route6 "nexthop via 2001:db8:101::2 nexthop via 2001:db8:103::2" + run_cmd "$IP -6 ro replace 2001:db8:104::/64 nexthop via 2001:db8:111::3 nexthop via 2001:db8:103::3" diff --git a/queue-5.5/net-add-strict-checks-in-netdev_name_node_alt_destroy.patch b/queue-5.5/net-add-strict-checks-in-netdev_name_node_alt_destroy.patch new file mode 100644 index 00000000000..334fb74ee8d --- /dev/null +++ b/queue-5.5/net-add-strict-checks-in-netdev_name_node_alt_destroy.patch 
@@ -0,0 +1,178 @@ +From foo@baz Sun 01 Mar 2020 10:24:06 AM CET +From: Eric Dumazet +Date: Fri, 14 Feb 2020 07:53:53 -0800 +Subject: net: add strict checks in netdev_name_node_alt_destroy() + +From: Eric Dumazet + +[ Upstream commit e08ad80551b4b33c02f2fce1522f6c227d3976cf ] + +netdev_name_node_alt_destroy() does a lookup over all +device names of a namespace. + +We need to make sure the name belongs to the device +of interest, and that we do not destroy its primary +name, since we rely on it being not deleted : +dev->name_node would indeed point to freed memory. + +syzbot report was the following : + +BUG: KASAN: use-after-free in dev_net include/linux/netdevice.h:2206 [inline] +BUG: KASAN: use-after-free in mld_force_mld_version net/ipv6/mcast.c:1172 [inline] +BUG: KASAN: use-after-free in mld_in_v2_mode_only net/ipv6/mcast.c:1180 [inline] +BUG: KASAN: use-after-free in mld_in_v1_mode+0x203/0x230 net/ipv6/mcast.c:1190 +Read of size 8 at addr ffff88809886c588 by task swapper/1/0 + +CPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.6.0-rc1-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0x197/0x210 lib/dump_stack.c:118 + print_address_description.constprop.0.cold+0xd4/0x30b mm/kasan/report.c:374 + __kasan_report.cold+0x1b/0x32 mm/kasan/report.c:506 + kasan_report+0x12/0x20 mm/kasan/common.c:641 + __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:135 + dev_net include/linux/netdevice.h:2206 [inline] + mld_force_mld_version net/ipv6/mcast.c:1172 [inline] + mld_in_v2_mode_only net/ipv6/mcast.c:1180 [inline] + mld_in_v1_mode+0x203/0x230 net/ipv6/mcast.c:1190 + mld_send_initial_cr net/ipv6/mcast.c:2083 [inline] + mld_dad_timer_expire+0x24/0x230 net/ipv6/mcast.c:2118 + call_timer_fn+0x1ac/0x780 kernel/time/timer.c:1404 + expire_timers kernel/time/timer.c:1449 [inline] + __run_timers kernel/time/timer.c:1773 [inline] + __run_timers 
kernel/time/timer.c:1740 [inline] + run_timer_softirq+0x6c3/0x1790 kernel/time/timer.c:1786 + __do_softirq+0x262/0x98c kernel/softirq.c:292 + invoke_softirq kernel/softirq.c:373 [inline] + irq_exit+0x19b/0x1e0 kernel/softirq.c:413 + exiting_irq arch/x86/include/asm/apic.h:546 [inline] + smp_apic_timer_interrupt+0x1a3/0x610 arch/x86/kernel/apic/apic.c:1146 + apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:829 + +RIP: 0010:native_safe_halt+0xe/0x10 arch/x86/include/asm/irqflags.h:61 +Code: 68 73 c5 f9 eb 8a cc cc cc cc cc cc e9 07 00 00 00 0f 00 2d 94 be 59 00 f4 c3 66 90 e9 07 00 00 00 0f 00 2d 84 be 59 00 fb f4 cc 55 48 89 e5 41 57 41 56 41 55 41 54 53 e8 de 2a 74 f9 e8 09 +RSP: 0018:ffffc90000d3fd68 EFLAGS: 00000282 ORIG_RAX: ffffffffffffff13 +RAX: 1ffffffff136761a RBX: ffff8880a99fc340 RCX: 0000000000000000 +RDX: dffffc0000000000 RSI: 0000000000000006 RDI: ffff8880a99fcbd4 +RBP: ffffc90000d3fd98 R08: ffff8880a99fc340 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000000 R12: dffffc0000000000 +R13: ffffffff8aa5a1c0 R14: 0000000000000000 R15: 0000000000000001 + arch_cpu_idle+0xa/0x10 arch/x86/kernel/process.c:686 + default_idle_call+0x84/0xb0 kernel/sched/idle.c:94 + cpuidle_idle_call kernel/sched/idle.c:154 [inline] + do_idle+0x3c8/0x6e0 kernel/sched/idle.c:269 + cpu_startup_entry+0x1b/0x20 kernel/sched/idle.c:361 + start_secondary+0x2f4/0x410 arch/x86/kernel/smpboot.c:264 + secondary_startup_64+0xa4/0xb0 arch/x86/kernel/head_64.S:242 + +Allocated by task 10229: + save_stack+0x23/0x90 mm/kasan/common.c:72 + set_track mm/kasan/common.c:80 [inline] + __kasan_kmalloc mm/kasan/common.c:515 [inline] + __kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:488 + kasan_kmalloc+0x9/0x10 mm/kasan/common.c:529 + __do_kmalloc_node mm/slab.c:3616 [inline] + __kmalloc_node+0x4e/0x70 mm/slab.c:3623 + kmalloc_node include/linux/slab.h:578 [inline] + kvmalloc_node+0x68/0x100 mm/util.c:574 + kvmalloc include/linux/mm.h:645 [inline] + kvzalloc 
include/linux/mm.h:653 [inline] + alloc_netdev_mqs+0x98/0xe40 net/core/dev.c:9797 + rtnl_create_link+0x22d/0xaf0 net/core/rtnetlink.c:3047 + __rtnl_newlink+0xf9f/0x1790 net/core/rtnetlink.c:3309 + rtnl_newlink+0x69/0xa0 net/core/rtnetlink.c:3377 + rtnetlink_rcv_msg+0x45e/0xaf0 net/core/rtnetlink.c:5438 + netlink_rcv_skb+0x177/0x450 net/netlink/af_netlink.c:2477 + rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:5456 + netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline] + netlink_unicast+0x59e/0x7e0 net/netlink/af_netlink.c:1328 + netlink_sendmsg+0x91c/0xea0 net/netlink/af_netlink.c:1917 + sock_sendmsg_nosec net/socket.c:652 [inline] + sock_sendmsg+0xd7/0x130 net/socket.c:672 + __sys_sendto+0x262/0x380 net/socket.c:1998 + __do_compat_sys_socketcall net/compat.c:771 [inline] + __se_compat_sys_socketcall net/compat.c:719 [inline] + __ia32_compat_sys_socketcall+0x530/0x710 net/compat.c:719 + do_syscall_32_irqs_on arch/x86/entry/common.c:337 [inline] + do_fast_syscall_32+0x27b/0xe16 arch/x86/entry/common.c:408 + entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139 + +Freed by task 10229: + save_stack+0x23/0x90 mm/kasan/common.c:72 + set_track mm/kasan/common.c:80 [inline] + kasan_set_free_info mm/kasan/common.c:337 [inline] + __kasan_slab_free+0x102/0x150 mm/kasan/common.c:476 + kasan_slab_free+0xe/0x10 mm/kasan/common.c:485 + __cache_free mm/slab.c:3426 [inline] + kfree+0x10a/0x2c0 mm/slab.c:3757 + __netdev_name_node_alt_destroy+0x1ff/0x2a0 net/core/dev.c:322 + netdev_name_node_alt_destroy+0x57/0x80 net/core/dev.c:334 + rtnl_alt_ifname net/core/rtnetlink.c:3518 [inline] + rtnl_linkprop.isra.0+0x575/0x6f0 net/core/rtnetlink.c:3567 + rtnl_dellinkprop+0x46/0x60 net/core/rtnetlink.c:3588 + rtnetlink_rcv_msg+0x45e/0xaf0 net/core/rtnetlink.c:5438 + netlink_rcv_skb+0x177/0x450 net/netlink/af_netlink.c:2477 + rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:5456 + netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline] + netlink_unicast+0x59e/0x7e0 
net/netlink/af_netlink.c:1328 + netlink_sendmsg+0x91c/0xea0 net/netlink/af_netlink.c:1917 + sock_sendmsg_nosec net/socket.c:652 [inline] + sock_sendmsg+0xd7/0x130 net/socket.c:672 + ____sys_sendmsg+0x753/0x880 net/socket.c:2343 + ___sys_sendmsg+0x100/0x170 net/socket.c:2397 + __sys_sendmsg+0x105/0x1d0 net/socket.c:2430 + __compat_sys_sendmsg net/compat.c:642 [inline] + __do_compat_sys_sendmsg net/compat.c:649 [inline] + __se_compat_sys_sendmsg net/compat.c:646 [inline] + __ia32_compat_sys_sendmsg+0x7a/0xb0 net/compat.c:646 + do_syscall_32_irqs_on arch/x86/entry/common.c:337 [inline] + do_fast_syscall_32+0x27b/0xe16 arch/x86/entry/common.c:408 + entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139 + +The buggy address belongs to the object at ffff88809886c000 + which belongs to the cache kmalloc-4k of size 4096 +The buggy address is located 1416 bytes inside of + 4096-byte region [ffff88809886c000, ffff88809886d000) +The buggy address belongs to the page: +page:ffffea0002621b00 refcount:1 mapcount:0 mapping:ffff8880aa402000 index:0x0 compound_mapcount: 0 +flags: 0xfffe0000010200(slab|head) +raw: 00fffe0000010200 ffffea0002610d08 ffffea0002607608 ffff8880aa402000 +raw: 0000000000000000 ffff88809886c000 0000000100000001 0000000000000000 +page dumped because: kasan: bad access detected + +Memory state around the buggy address: + ffff88809886c480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ffff88809886c500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +>ffff88809886c580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ^ + ffff88809886c600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ffff88809886c680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + +Fixes: 36fbf1e52bd3 ("net: rtnetlink: add linkprop commands to add and delete alternative ifnames") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Cc: Jiri Pirko +Acked-by: Jiri Pirko +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/core/dev.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -330,6 +330,12 @@ int netdev_name_node_alt_destroy(struct + name_node = netdev_name_node_lookup(net, name); + if (!name_node) + return -ENOENT; ++ /* lookup might have found our primary name or a name belonging ++ * to another device. ++ */ ++ if (name_node == dev->name_node || name_node->dev != dev) ++ return -EINVAL; ++ + __netdev_name_node_alt_destroy(name_node); + + return 0; diff --git a/queue-5.5/net-dsa-b53-ensure-the-default-vid-is-untagged.patch b/queue-5.5/net-dsa-b53-ensure-the-default-vid-is-untagged.patch new file mode 100644 index 00000000000..745c1aae66e --- /dev/null +++ b/queue-5.5/net-dsa-b53-ensure-the-default-vid-is-untagged.patch 
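Review bot: In the net/core/dev.c hunk for netdev_name_node_alt_destroy(), both rejected cases return -EINVAL, so a caller cannot tell "this is the device's primary name" from "this name belongs to another device". From the requesting device's point of view the second case looks like the existing -ENOENT path. Consider returning -ENOENT for `name_node->dev != dev`, or say in the comment why -EINVAL was chosen for both. The comment would also be more useful if it recorded the consequence given in the changelog: destroying the primary entry leaves dev->name_node pointing at freed memory.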
@@ -0,0 +1,35 @@ +From foo@baz Sun 01 Mar 2020 10:24:06 AM CET +From: Florian Fainelli +Date: Fri, 14 Feb 2020 15:26:19 -0800 +Subject: net: dsa: b53: Ensure the default VID is untagged + +From: Florian Fainelli + +[ Upstream commit d965a5432d4c3e6b9c3d2bc1d4a800013bbf76f6 ] + +We need to ensure that the default VID is untagged otherwise the switch +will be sending tagged frames and the results can be problematic. This +is especially true with b53 switches that use VID 0 as their default +VLAN since VID 0 has a special meaning. + +Fixes: fea83353177a ("net: dsa: b53: Fix default VLAN ID") +Fixes: 061f6a505ac3 ("net: dsa: Add ndo_vlan_rx_{add, kill}_vid implementation") +Signed-off-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/dsa/b53/b53_common.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/net/dsa/b53/b53_common.c ++++ b/drivers/net/dsa/b53/b53_common.c +@@ -1353,6 +1353,9 @@ void b53_vlan_add(struct dsa_switch *ds, + + b53_get_vlan_entry(dev, vid, vl); + ++ if (vid == 0 && vid == b53_default_pvid(dev)) ++ untagged = true; ++ + vl->members |= BIT(port); + if (untagged && !dsa_is_cpu_port(ds, port)) + vl->untag |= BIT(port); diff --git a/queue-5.5/net-export-netdev_next_lower_dev_rcu.patch b/queue-5.5/net-export-netdev_next_lower_dev_rcu.patch new file mode 100644 index 00000000000..f32259c5480 --- /dev/null +++ b/queue-5.5/net-export-netdev_next_lower_dev_rcu.patch 
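Review bot: In b53_vlan_add() (drivers/net/dsa/b53/b53_common.c), the condition `vid == 0 && vid == b53_default_pvid(dev)` only forces untagged when the default PVID is 0, while the changelog states the requirement for the default VID in general. If switches whose default PVID is non-zero are meant to be left alone, a one-line comment saying that VID 0 is the special case would stop a later reader from simplifying the test to `vid == b53_default_pvid(dev)`; if they are not, the `vid == 0` term should go. The assignment also silently overrides whatever value `untagged` already had, which is worth a word in the same comment.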
@@ -0,0 +1,82 @@ +From foo@baz Sun 01 Mar 2020 10:24:06 AM CET +From: Taehee Yoo +Date: Sat, 15 Feb 2020 10:50:21 +0000 +Subject: net: export netdev_next_lower_dev_rcu() + +From: Taehee Yoo + +[ Upstream commit 7151affeef8d527f50b4b68a871fd28bd660023f ] + +netdev_next_lower_dev_rcu() will be used to implement a function, +which is to walk all lower interfaces. +There are already functions that they walk their lower interface. +(netdev_walk_all_lower_dev_rcu, netdev_walk_all_lower_dev()). +But, there would be cases that couldn't be covered by given +netdev_walk_all_lower_dev_{rcu}() function. +So, some modules would want to implement own function, +which is to walk all lower interfaces. + +In the next patch, netdev_next_lower_dev_rcu() will be used. +In addition, this patch removes two unused prototypes in netdevice.h. + +Signed-off-by: Taehee Yoo +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/netdevice.h | 7 +++---- + net/core/dev.c | 6 +++--- + 2 files changed, 6 insertions(+), 7 deletions(-) + +--- a/include/linux/netdevice.h ++++ b/include/linux/netdevice.h +@@ -72,6 +72,8 @@ void netdev_set_default_ethtool_ops(stru + #define NET_RX_SUCCESS 0 /* keep 'em coming, baby */ + #define NET_RX_DROP 1 /* packet dropped */ + ++#define MAX_NEST_DEV 8 ++ + /* + * Transmit return codes: transmit return codes originate from three different + * namespaces: +@@ -4323,11 +4325,8 @@ void *netdev_lower_get_next(struct net_d + ldev; \ + ldev = netdev_lower_get_next(dev, &(iter))) + +-struct net_device *netdev_all_lower_get_next(struct net_device *dev, ++struct net_device *netdev_next_lower_dev_rcu(struct net_device *dev, + struct list_head **iter); +-struct net_device *netdev_all_lower_get_next_rcu(struct net_device *dev, +- struct list_head **iter); +- + int netdev_walk_all_lower_dev(struct net_device *dev, + int (*fn)(struct net_device *lower_dev, + void *data), +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -146,7 +146,6 @@ + #include 
"net-sysfs.h" + + #define MAX_GRO_SKBS 8 +-#define MAX_NEST_DEV 8 + + /* This should be increased if a protocol with a bigger head is added. */ + #define GRO_MAX_HEAD (MAX_HEADER + 128) +@@ -7135,8 +7134,8 @@ static int __netdev_walk_all_lower_dev(s + return 0; + } + +-static struct net_device *netdev_next_lower_dev_rcu(struct net_device *dev, +- struct list_head **iter) ++struct net_device *netdev_next_lower_dev_rcu(struct net_device *dev, ++ struct list_head **iter) + { + struct netdev_adjacent *lower; + +@@ -7148,6 +7147,7 @@ static struct net_device *netdev_next_lo + + return lower->dev; + } ++EXPORT_SYMBOL(netdev_next_lower_dev_rcu); + + static u8 __netdev_upper_depth(struct net_device *dev) + { diff --git a/queue-5.5/net-fib_rules-correctly-set-table-field-when-table-number-exceeds-8-bits.patch b/queue-5.5/net-fib_rules-correctly-set-table-field-when-table-number-exceeds-8-bits.patch new file mode 100644 index 00000000000..6c7afc2c947 --- /dev/null +++ b/queue-5.5/net-fib_rules-correctly-set-table-field-when-table-number-exceeds-8-bits.patch 
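Review bot: netdev_next_lower_dev_rcu() in net/core/dev.c becomes visible to modules (static dropped, EXPORT_SYMBOL added) without any kernel-doc. The _rcu suffix suggests the caller must be inside an RCU read-side section; now that other modules are expected to call it, please state the locking and iterator contract above the definition. Separately, moving MAX_NEST_DEV into include/linux/netdevice.h exposes a short, generic macro name to every includer, and the changelog says two unused prototypes are removed while the header hunk renames one and removes one.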
@@ -0,0 +1,31 @@ +From foo@baz Sun 01 Mar 2020 10:24:06 AM CET +From: Jethro Beekman +Date: Wed, 12 Feb 2020 16:43:41 +0100 +Subject: net: fib_rules: Correctly set table field when table number exceeds 8 bits + +From: Jethro Beekman + +[ Upstream commit 540e585a79e9d643ede077b73bcc7aa2d7b4d919 ] + +In 709772e6e06564ed94ba740de70185ac3d792773, RT_TABLE_COMPAT was added to +allow legacy software to deal with routing table numbers >= 256, but the +same change to FIB rule queries was overlooked. + +Signed-off-by: Jethro Beekman +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/core/fib_rules.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/core/fib_rules.c ++++ b/net/core/fib_rules.c +@@ -974,7 +974,7 @@ static int fib_nl_fill_rule(struct sk_bu + + frh = nlmsg_data(nlh); + frh->family = ops->family; +- frh->table = rule->table; ++ frh->table = rule->table < 256 ? rule->table : RT_TABLE_COMPAT; + if (nla_put_u32(skb, FRA_TABLE, rule->table)) + goto nla_put_failure; + if (nla_put_u32(skb, FRA_SUPPRESS_PREFIXLEN, rule->suppress_prefixlen)) diff --git a/queue-5.5/net-macb-ensure-interface-is-not-suspended-on-at91rm9200.patch b/queue-5.5/net-macb-ensure-interface-is-not-suspended-on-at91rm9200.patch new file mode 100644 index 00000000000..bada4990241 --- /dev/null +++ b/queue-5.5/net-macb-ensure-interface-is-not-suspended-on-at91rm9200.patch 
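Review bot: In fib_nl_fill_rule() (net/core/fib_rules.c), the literal 256 in `rule->table < 256 ? rule->table : RT_TABLE_COMPAT` carries the whole meaning of the fix and has no comment. A short note that frh->table is the legacy 8-bit field and that the full value is carried in FRA_TABLE on the next line would make the intent clear, and would help whoever compares this with the route-side handling the changelog refers to.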
@@ -0,0 +1,46 @@ +From foo@baz Sun 01 Mar 2020 10:24:06 AM CET +From: Alexandre Belloni +Date: Wed, 12 Feb 2020 17:45:38 +0100 +Subject: net: macb: ensure interface is not suspended on at91rm9200 + +From: Alexandre Belloni + +[ Upstream commit e6a41c23df0d5da01540d2abef41591589c0b4be ] + +Because of autosuspend, at91ether_start is called with clocks disabled. +Ensure that pm_runtime doesn't suspend the interface as soon as it is +opened as there is no pm_runtime support is the other relevant parts of the +platform support for at91rm9200. + +Fixes: d54f89af6cc4 ("net: macb: Add pm runtime support") +Signed-off-by: Alexandre Belloni +Reviewed-by: Claudiu Beznea +Acked-by: Nicolas Ferre +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/cadence/macb_main.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/cadence/macb_main.c ++++ b/drivers/net/ethernet/cadence/macb_main.c +@@ -3751,6 +3751,10 @@ static int at91ether_open(struct net_dev + u32 ctl; + int ret; + ++ ret = pm_runtime_get_sync(&lp->pdev->dev); ++ if (ret < 0) ++ return ret; ++ + /* Clear internal statistics */ + ctl = macb_readl(lp, NCR); + macb_writel(lp, NCR, ctl | MACB_BIT(CLRSTAT)); +@@ -3815,7 +3819,7 @@ static int at91ether_close(struct net_de + q->rx_buffers, q->rx_buffers_dma); + q->rx_buffers = NULL; + +- return 0; ++ return pm_runtime_put(&lp->pdev->dev); + } + + /* Transmit packet */ diff --git a/queue-5.5/net-macb-properly-handle-phylink-on-at91rm9200.patch b/queue-5.5/net-macb-properly-handle-phylink-on-at91rm9200.patch new file mode 100644 index 00000000000..6a675faafa5 --- /dev/null +++ b/queue-5.5/net-macb-properly-handle-phylink-on-at91rm9200.patch 
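Review bot: In at91ether_open() (drivers/net/ethernet/cadence/macb_main.c), the error path after pm_runtime_get_sync() returns without dropping the reference. pm_runtime_get_sync() increments the usage counter even when it fails, so `if (ret < 0) return ret;` leaves the usage count elevated and the device can no longer be runtime-suspended; call pm_runtime_put_noidle(&lp->pdev->dev) before returning. It is worth checking that any later failure exit in at91ether_open(), outside this hunk, also drops the reference. In at91ether_close(), returning the result of pm_runtime_put() makes the close path report runtime PM status to its caller; doing the put and then returning 0 is probably what is wanted.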
@@ -0,0 +1,152 @@ +From foo@baz Sun 01 Mar 2020 10:24:06 AM CET +From: Alexandre Belloni +Date: Wed, 19 Feb 2020 15:15:51 +0100 +Subject: net: macb: Properly handle phylink on at91rm9200 + +From: Alexandre Belloni + +[ Upstream commit ac2fcfa9fd26db67d7000677c05629c34cc94564 ] + +at91ether_init was handling the phy mode and speed but since the switch to +phylink, the NCFGR register got overwritten by macb_mac_config(). The issue +is that the RM9200_RMII bit and the MACB_CLK_DIV32 field are cleared +but never restored as they conflict with the PAE, GBE and PCSSEL bits. + +Add new capability to differentiate between EMAC and the other versions of +the IP and use it to set and avoid clearing the relevant bits. + +Also, this fixes a NULL pointer dereference in macb_mac_link_up as the EMAC +doesn't use any rings/bufffers/queues. + +Fixes: 7897b071ac3b ("net: macb: convert to phylink") +Signed-off-by: Alexandre Belloni +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/cadence/macb.h | 1 + drivers/net/ethernet/cadence/macb_main.c | 60 ++++++++++++++++--------------- + 2 files changed, 33 insertions(+), 28 deletions(-) + +--- a/drivers/net/ethernet/cadence/macb.h ++++ b/drivers/net/ethernet/cadence/macb.h +@@ -645,6 +645,7 @@ + #define MACB_CAPS_GEM_HAS_PTP 0x00000040 + #define MACB_CAPS_BD_RD_PREFETCH 0x00000080 + #define MACB_CAPS_NEEDS_RSTONUBR 0x00000100 ++#define MACB_CAPS_MACB_IS_EMAC 0x08000000 + #define MACB_CAPS_FIFO_MODE 0x10000000 + #define MACB_CAPS_GIGABIT_MODE_AVAILABLE 0x20000000 + #define MACB_CAPS_SG_DISABLED 0x40000000 +--- a/drivers/net/ethernet/cadence/macb_main.c ++++ b/drivers/net/ethernet/cadence/macb_main.c +@@ -533,8 +533,21 @@ static void macb_mac_config(struct phyli + old_ctrl = ctrl = macb_or_gem_readl(bp, NCFGR); + + /* Clear all the bits we might set later */ +- ctrl &= ~(GEM_BIT(GBE) | MACB_BIT(SPD) | MACB_BIT(FD) | MACB_BIT(PAE) | +- GEM_BIT(SGMIIEN) | GEM_BIT(PCSSEL)); ++ ctrl &= ~(MACB_BIT(SPD) 
| MACB_BIT(FD) | MACB_BIT(PAE)); ++ ++ if (bp->caps & MACB_CAPS_MACB_IS_EMAC) { ++ if (state->interface == PHY_INTERFACE_MODE_RMII) ++ ctrl |= MACB_BIT(RM9200_RMII); ++ } else { ++ ctrl &= ~(GEM_BIT(GBE) | GEM_BIT(SGMIIEN) | GEM_BIT(PCSSEL)); ++ ++ /* We do not support MLO_PAUSE_RX yet */ ++ if (state->pause & MLO_PAUSE_TX) ++ ctrl |= MACB_BIT(PAE); ++ ++ if (state->interface == PHY_INTERFACE_MODE_SGMII) ++ ctrl |= GEM_BIT(SGMIIEN) | GEM_BIT(PCSSEL); ++ } + + if (state->speed == SPEED_1000) + ctrl |= GEM_BIT(GBE); +@@ -544,13 +557,6 @@ static void macb_mac_config(struct phyli + if (state->duplex) + ctrl |= MACB_BIT(FD); + +- /* We do not support MLO_PAUSE_RX yet */ +- if (state->pause & MLO_PAUSE_TX) +- ctrl |= MACB_BIT(PAE); +- +- if (state->interface == PHY_INTERFACE_MODE_SGMII) +- ctrl |= GEM_BIT(SGMIIEN) | GEM_BIT(PCSSEL); +- + /* Apply the new configuration, if any */ + if (old_ctrl ^ ctrl) + macb_or_gem_writel(bp, NCFGR, ctrl); +@@ -569,9 +575,10 @@ static void macb_mac_link_down(struct ph + unsigned int q; + u32 ctrl; + +- for (q = 0, queue = bp->queues; q < bp->num_queues; ++q, ++queue) +- queue_writel(queue, IDR, +- bp->rx_intr_mask | MACB_TX_INT_FLAGS | MACB_BIT(HRESP)); ++ if (!(bp->caps & MACB_CAPS_MACB_IS_EMAC)) ++ for (q = 0, queue = bp->queues; q < bp->num_queues; ++q, ++queue) ++ queue_writel(queue, IDR, ++ bp->rx_intr_mask | MACB_TX_INT_FLAGS | MACB_BIT(HRESP)); + + /* Disable Rx and Tx */ + ctrl = macb_readl(bp, NCR) & ~(MACB_BIT(RE) | MACB_BIT(TE)); +@@ -588,17 +595,19 @@ static void macb_mac_link_up(struct phyl + struct macb_queue *queue; + unsigned int q; + +- macb_set_tx_clk(bp->tx_clk, bp->speed, ndev); ++ if (!(bp->caps & MACB_CAPS_MACB_IS_EMAC)) { ++ macb_set_tx_clk(bp->tx_clk, bp->speed, ndev); + +- /* Initialize rings & buffers as clearing MACB_BIT(TE) in link down +- * cleared the pipeline and control registers. 
+- */ +- bp->macbgem_ops.mog_init_rings(bp); +- macb_init_buffers(bp); ++ /* Initialize rings & buffers as clearing MACB_BIT(TE) in link down ++ * cleared the pipeline and control registers. ++ */ ++ bp->macbgem_ops.mog_init_rings(bp); ++ macb_init_buffers(bp); + +- for (q = 0, queue = bp->queues; q < bp->num_queues; ++q, ++queue) +- queue_writel(queue, IER, +- bp->rx_intr_mask | MACB_TX_INT_FLAGS | MACB_BIT(HRESP)); ++ for (q = 0, queue = bp->queues; q < bp->num_queues; ++q, ++queue) ++ queue_writel(queue, IER, ++ bp->rx_intr_mask | MACB_TX_INT_FLAGS | MACB_BIT(HRESP)); ++ } + + /* Enable Rx and Tx */ + macb_writel(bp, NCR, macb_readl(bp, NCR) | MACB_BIT(RE) | MACB_BIT(TE)); +@@ -4002,7 +4011,6 @@ static int at91ether_init(struct platfor + struct net_device *dev = platform_get_drvdata(pdev); + struct macb *bp = netdev_priv(dev); + int err; +- u32 reg; + + bp->queues[0].bp = bp; + +@@ -4016,11 +4024,7 @@ static int at91ether_init(struct platfor + + macb_writel(bp, NCR, 0); + +- reg = MACB_BF(CLK, MACB_CLK_DIV32) | MACB_BIT(BIG); +- if (bp->phy_interface == PHY_INTERFACE_MODE_RMII) +- reg |= MACB_BIT(RM9200_RMII); +- +- macb_writel(bp, NCFGR, reg); ++ macb_writel(bp, NCFGR, MACB_BF(CLK, MACB_CLK_DIV32) | MACB_BIT(BIG)); + + return 0; + } +@@ -4179,7 +4183,7 @@ static const struct macb_config sama5d4_ + }; + + static const struct macb_config emac_config = { +- .caps = MACB_CAPS_NEEDS_RSTONUBR, ++ .caps = MACB_CAPS_NEEDS_RSTONUBR | MACB_CAPS_MACB_IS_EMAC, + .clk_init = at91ether_clk_init, + .init = at91ether_init, + }; diff --git a/queue-5.5/net-mscc-fix-in-frame-extraction.patch b/queue-5.5/net-mscc-fix-in-frame-extraction.patch new file mode 100644 index 00000000000..14696c936cc --- /dev/null +++ b/queue-5.5/net-mscc-fix-in-frame-extraction.patch 
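Review bot: In macb_mac_config(), the SPEED_1000 test that follows the new block still runs for EMAC, so `ctrl |= GEM_BIT(GBE)` can be applied on a controller where, per the changelog, GBE conflicts with the EMAC-specific NCFGR bits. Either move the GBE handling into the non-EMAC branch next to its clear, or add a comment that EMAC can never be given SPEED_1000. The unconditional clear of MACB_BIT(PAE) deserves the same kind of comment, since the changelog lists PAE among the conflicting bits and the EMAC branch only ever sets RM9200_RMII. Style: the new `if (!(bp->caps & MACB_CAPS_MACB_IS_EMAC))` in macb_mac_link_down() guards a multi-line for statement and should have braces.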
@@ -0,0 +1,50 @@ +From foo@baz Sun 01 Mar 2020 10:24:06 AM CET +From: Horatiu Vultur +Date: Mon, 17 Feb 2020 09:31:33 +0100 +Subject: net: mscc: fix in frame extraction + +From: Horatiu Vultur + +[ Upstream commit a81541041ceb55bcec9a8bb8ad3482263f0a205a ] + +Each extracted frame on Ocelot has an IFH. The frame and IFH are extracted +by reading chuncks of 4 bytes from a register. + +In case the IFH and frames were read corretly it would try to read the next +frame. In case there are no more frames in the queue, it checks if there +were any previous errors and in that case clear the queue. But this check +will always succeed also when there are no errors. Because when extracting +the IFH the error is checked against 4(number of bytes read) and then the +error is set only if the extraction of the frame failed. So in a happy case +where there are no errors the err variable is still 4. So it could be +a case where after the check that there are no more frames in the queue, a +frame will arrive in the queue but because the error is not reseted, it +would try to flush the queue. So the frame will be lost. + +The fix consist in resetting the error after reading the IFH. + +Signed-off-by: Horatiu Vultur +Acked-by: Alexandre Belloni +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mscc/ocelot_board.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/drivers/net/ethernet/mscc/ocelot_board.c ++++ b/drivers/net/ethernet/mscc/ocelot_board.c +@@ -114,6 +114,14 @@ static irqreturn_t ocelot_xtr_irq_handle + if (err != 4) + break; + ++ /* At this point the IFH was read correctly, so it is safe to ++ * presume that there is no error. The err needs to be reset ++ * otherwise a frame could come in CPU queue between the while ++ * condition and the check for error later on. And in that case ++ * the new frame is just removed and not processed. 
++ */ ++ err = 0; ++ + ocelot_parse_ifh(ifh, &info); + + ocelot_port = ocelot->ports[info.port]; diff --git a/queue-5.5/net-phy-restore-mdio-regs-in-the-iproc-mdio-driver.patch b/queue-5.5/net-phy-restore-mdio-regs-in-the-iproc-mdio-driver.patch new file mode 100644 index 00000000000..f3af696590e --- /dev/null +++ b/queue-5.5/net-phy-restore-mdio-regs-in-the-iproc-mdio-driver.patch 
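Review bot: In ocelot_xtr_irq_handler() (drivers/net/ethernet/mscc/ocelot_board.c), `err = 0;` works around `err` doing double duty as a byte count (the `err != 4` test just above) and as an error code. Keeping the return value of the IFH read in its own local and leaving err for real errors would remove the need for the reset and for the long comment explaining it. If the reset stays, the comment can be cut to the one fact that matters: err still holds 4 from the IFH read and would otherwise be taken as a failure by the later queue-flush check.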
@@ -0,0 +1,58 @@ +From foo@baz Sun 01 Mar 2020 10:24:06 AM CET +From: Arun Parameswaran +Date: Fri, 14 Feb 2020 13:47:46 -0800 +Subject: net: phy: restore mdio regs in the iproc mdio driver + +From: Arun Parameswaran + +The mii management register in iproc mdio block +does not have a retention register so it is lost on suspend. +Save and restore value of register while resuming from suspend. + +Fixes: bb1a619735b4 ("net: phy: Initialize mdio clock at probe function") +Signed-off-by: Arun Parameswaran +Signed-off-by: Scott Branden +Reviewed-by: Andrew Lunn +Reviewed-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/phy/mdio-bcm-iproc.c | 20 ++++++++++++++++++++ + 1 file changed, 20 insertions(+) + +--- a/drivers/net/phy/mdio-bcm-iproc.c ++++ b/drivers/net/phy/mdio-bcm-iproc.c +@@ -178,6 +178,23 @@ static int iproc_mdio_remove(struct plat + return 0; + } + ++#ifdef CONFIG_PM_SLEEP ++int iproc_mdio_resume(struct device *dev) ++{ ++ struct platform_device *pdev = to_platform_device(dev); ++ struct iproc_mdio_priv *priv = platform_get_drvdata(pdev); ++ ++ /* restore the mii clock configuration */ ++ iproc_mdio_config_clk(priv->base); ++ ++ return 0; ++} ++ ++static const struct dev_pm_ops iproc_mdio_pm_ops = { ++ .resume = iproc_mdio_resume ++}; ++#endif /* CONFIG_PM_SLEEP */ ++ + static const struct of_device_id iproc_mdio_of_match[] = { + { .compatible = "brcm,iproc-mdio", }, + { /* sentinel */ }, +@@ -188,6 +205,9 @@ static struct platform_driver iproc_mdio + .driver = { + .name = "iproc-mdio", + .of_match_table = iproc_mdio_of_match, ++#ifdef CONFIG_PM_SLEEP ++ .pm = &iproc_mdio_pm_ops, ++#endif + }, + .probe = iproc_mdio_probe, + .remove = iproc_mdio_remove, diff --git a/queue-5.5/net-rtnetlink-fix-bugs-in-rtnl_alt_ifname.patch b/queue-5.5/net-rtnetlink-fix-bugs-in-rtnl_alt_ifname.patch new file mode 100644 index 00000000000..cea65174888 --- /dev/null 
+++ b/queue-5.5/net-rtnetlink-fix-bugs-in-rtnl_alt_ifname.patch 
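Review bot: iproc_mdio_resume() in drivers/net/phy/mdio-bcm-iproc.c is defined without static although the only reference in the hunk is from the static iproc_mdio_pm_ops in the same file; make it `static int iproc_mdio_resume(struct device *dev)` to keep it out of the global namespace and avoid a missing-prototype warning. The changelog says the register value is saved and restored, but the hunk only re-runs iproc_mdio_config_clk() on resume and adds no suspend hook, so the wording or the code should be brought into line. This queued patch also has no "[ Upstream commit ... ]" line, unlike the others in the series.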
@@ -0,0 +1,128 @@ +From foo@baz Sun 01 Mar 2020 10:24:06 AM CET +From: Eric Dumazet +Date: Wed, 12 Feb 2020 20:58:26 -0800 +Subject: net: rtnetlink: fix bugs in rtnl_alt_ifname() + +From: Eric Dumazet + +[ Upstream commit 44bfa9c5e5f06c72540273813e4c66beb5a8c213 ] + +Since IFLA_ALT_IFNAME is an NLA_STRING, we have no +guarantee it is nul terminated. + +We should use nla_strdup() instead of kstrdup(), since this +helper will make sure not accessing out-of-bounds data. + +BUG: KMSAN: uninit-value in strlen+0x5e/0xa0 lib/string.c:535 +CPU: 1 PID: 19157 Comm: syz-executor.5 Not tainted 5.5.0-rc5-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0x1c9/0x220 lib/dump_stack.c:118 + kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:118 + __msan_warning+0x58/0xa0 mm/kmsan/kmsan_instr.c:215 + strlen+0x5e/0xa0 lib/string.c:535 + kstrdup+0x7f/0x1a0 mm/util.c:59 + rtnl_alt_ifname net/core/rtnetlink.c:3495 [inline] + rtnl_linkprop+0x85d/0xc00 net/core/rtnetlink.c:3553 + rtnl_newlinkprop+0x9d/0xb0 net/core/rtnetlink.c:3568 + rtnetlink_rcv_msg+0x1153/0x1570 net/core/rtnetlink.c:5424 + netlink_rcv_skb+0x451/0x650 net/netlink/af_netlink.c:2477 + rtnetlink_rcv+0x50/0x60 net/core/rtnetlink.c:5442 + netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline] + netlink_unicast+0xf9e/0x1100 net/netlink/af_netlink.c:1328 + netlink_sendmsg+0x1248/0x14d0 net/netlink/af_netlink.c:1917 + sock_sendmsg_nosec net/socket.c:639 [inline] + sock_sendmsg net/socket.c:659 [inline] + ____sys_sendmsg+0x12b6/0x1350 net/socket.c:2330 + ___sys_sendmsg net/socket.c:2384 [inline] + __sys_sendmsg+0x451/0x5f0 net/socket.c:2417 + __do_sys_sendmsg net/socket.c:2426 [inline] + __se_sys_sendmsg+0x97/0xb0 net/socket.c:2424 + __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2424 + do_syscall_64+0xb8/0x160 arch/x86/entry/common.c:296 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 +RIP: 0033:0x45b3b9 +Code: 
ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 +RSP: 002b:00007ff1c7b1ac78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e +RAX: ffffffffffffffda RBX: 00007ff1c7b1b6d4 RCX: 000000000045b3b9 +RDX: 0000000000000000 RSI: 0000000020000040 RDI: 0000000000000003 +RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff +R13: 00000000000009cb R14: 00000000004cb3dd R15: 000000000075bf2c + +Uninit was created at: + kmsan_save_stack_with_flags mm/kmsan/kmsan.c:144 [inline] + kmsan_internal_poison_shadow+0x66/0xd0 mm/kmsan/kmsan.c:127 + kmsan_slab_alloc+0x8a/0xe0 mm/kmsan/kmsan_hooks.c:82 + slab_alloc_node mm/slub.c:2774 [inline] + __kmalloc_node_track_caller+0xb40/0x1200 mm/slub.c:4382 + __kmalloc_reserve net/core/skbuff.c:141 [inline] + __alloc_skb+0x2fd/0xac0 net/core/skbuff.c:209 + alloc_skb include/linux/skbuff.h:1049 [inline] + netlink_alloc_large_skb net/netlink/af_netlink.c:1174 [inline] + netlink_sendmsg+0x7d3/0x14d0 net/netlink/af_netlink.c:1892 + sock_sendmsg_nosec net/socket.c:639 [inline] + sock_sendmsg net/socket.c:659 [inline] + ____sys_sendmsg+0x12b6/0x1350 net/socket.c:2330 + ___sys_sendmsg net/socket.c:2384 [inline] + __sys_sendmsg+0x451/0x5f0 net/socket.c:2417 + __do_sys_sendmsg net/socket.c:2426 [inline] + __se_sys_sendmsg+0x97/0xb0 net/socket.c:2424 + __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2424 + do_syscall_64+0xb8/0x160 arch/x86/entry/common.c:296 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +Fixes: 36fbf1e52bd3 ("net: rtnetlink: add linkprop commands to add and delete alternative ifnames") +Signed-off-by: Eric Dumazet +Cc: Jiri Pirko +Reported-by: syzbot +Reviewed-by: Jiri Pirko +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/core/rtnetlink.c | 26 ++++++++++++-------------- + 1 file changed, 12 insertions(+), 14 deletions(-) + +--- a/net/core/rtnetlink.c ++++ b/net/core/rtnetlink.c +@@ -3499,27 +3499,25 @@ static int rtnl_alt_ifname(int cmd, stru + if (err) + return err; + +- alt_ifname = nla_data(attr); ++ alt_ifname = nla_strdup(attr, GFP_KERNEL); ++ if (!alt_ifname) ++ return -ENOMEM; ++ + if (cmd == RTM_NEWLINKPROP) { +- alt_ifname = kstrdup(alt_ifname, GFP_KERNEL); +- if (!alt_ifname) +- return -ENOMEM; + err = netdev_name_node_alt_create(dev, alt_ifname); +- if (err) { +- kfree(alt_ifname); +- return err; +- } ++ if (!err) ++ alt_ifname = NULL; + } else if (cmd == RTM_DELLINKPROP) { + err = netdev_name_node_alt_destroy(dev, alt_ifname); +- if (err) +- return err; + } else { +- WARN_ON(1); +- return 0; ++ WARN_ON_ONCE(1); ++ err = -EINVAL; + } + +- *changed = true; +- return 0; ++ kfree(alt_ifname); ++ if (!err) ++ *changed = true; ++ return err; + } + + static int rtnl_linkprop(int cmd, struct sk_buff *skb, struct nlmsghdr *nlh, diff --git a/queue-5.5/net-sched-correct-flower-port-blocking.patch b/queue-5.5/net-sched-correct-flower-port-blocking.patch new file mode 100644 index 00000000000..6bca03c97c4 --- /dev/null +++ b/queue-5.5/net-sched-correct-flower-port-blocking.patch 
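Review bot: In rtnl_alt_ifname() (net/core/rtnetlink.c), ownership of the nla_strdup() buffer passes to netdev_name_node_alt_create() on success, and that is expressed only by `if (!err) alt_ifname = NULL;` ahead of the common kfree(). Please add a short comment at that assignment saying the name node now owns the string, since the same pointer is freed unconditionally a few lines later and the next edit to this function could easily reintroduce a double free or a leak. There is also a user-visible change: an unexpected cmd now returns -EINVAL where it previously returned 0. That is reasonable, but the changelog should mention it.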
@@ -0,0 +1,67 @@ +From foo@baz Sun 01 Mar 2020 10:24:06 AM CET +From: Jason Baron +Date: Mon, 17 Feb 2020 15:38:09 -0500 +Subject: net: sched: correct flower port blocking + +From: Jason Baron + +[ Upstream commit 8a9093c79863b58cc2f9874d7ae788f0d622a596 ] + +tc flower rules that are based on src or dst port blocking are sometimes +ineffective due to uninitialized stack data. __skb_flow_dissect() extracts +ports from the skb for tc flower to match against. However, the port +dissection is not done when when the FLOW_DIS_IS_FRAGMENT bit is set in +key_control->flags. All callers of __skb_flow_dissect(), zero-out the +key_control field except for fl_classify() as used by the flower +classifier. Thus, the FLOW_DIS_IS_FRAGMENT may be set on entry to +__skb_flow_dissect(), since key_control is allocated on the stack +and may not be initialized. + +Since key_basic and key_control are present for all flow keys, let's +make sure they are initialized. + +Fixes: 62230715fd24 ("flow_dissector: do not dissect l4 ports for fragments") +Co-developed-by: Eric Dumazet +Signed-off-by: Eric Dumazet +Acked-by: Cong Wang +Signed-off-by: Jason Baron +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/net/flow_dissector.h | 9 +++++++++ + net/sched/cls_flower.c | 1 + + 2 files changed, 10 insertions(+) + +--- a/include/net/flow_dissector.h ++++ b/include/net/flow_dissector.h +@@ -5,6 +5,7 @@ + #include + #include + #include ++#include + #include + + struct sk_buff; +@@ -349,4 +350,12 @@ struct bpf_flow_dissector { + void *data_end; + }; + ++static inline void ++flow_dissector_init_keys(struct flow_dissector_key_control *key_control, ++ struct flow_dissector_key_basic *key_basic) ++{ ++ memset(key_control, 0, sizeof(*key_control)); ++ memset(key_basic, 0, sizeof(*key_basic)); ++} ++ + #endif +--- a/net/sched/cls_flower.c ++++ b/net/sched/cls_flower.c +@@ -305,6 +305,7 @@ static int fl_classify(struct sk_buff *s + struct cls_fl_filter *f; + + list_for_each_entry_rcu(mask, &head->masks, list) { ++ flow_dissector_init_keys(&skb_key.control, &skb_key.basic); + fl_clear_masked_range(&skb_key, mask); + + skb_flow_dissect_meta(skb, &mask->dissector, &skb_key); diff --git a/queue-5.5/net-tls-fix-to-avoid-gettig-invalid-tls-record.patch b/queue-5.5/net-tls-fix-to-avoid-gettig-invalid-tls-record.patch new file mode 100644 index 00000000000..0a9a5dae56a --- /dev/null +++ b/queue-5.5/net-tls-fix-to-avoid-gettig-invalid-tls-record.patch 
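Review bot: flow_dissector_init_keys() in include/net/flow_dissector.h has no comment saying why only key_control and key_basic are zeroed or who has to call it. The changelog explains that __skb_flow_dissect() looks at key_control->flags and that these two keys are present for all flow keys; putting that in a kernel-doc block on the helper would tell future callers with on-stack keys that the call is mandatory. In fl_classify() the call sits inside list_for_each_entry_rcu(), so the two memset() calls run once per mask; if that is needed because dissection for one mask can leave flags set for the next, say so in a comment, otherwise hoist the call above the loop.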
@@ -0,0 +1,69 @@ +From foo@baz Sun 01 Mar 2020 10:24:06 AM CET +From: Rohit Maheshwari +Date: Wed, 19 Feb 2020 09:40:22 +0530 +Subject: net/tls: Fix to avoid gettig invalid tls record + +From: Rohit Maheshwari + +[ Upstream commit 06f5201c6392f998a49ca9c9173e2930c8eb51d8 ] + +Current code doesn't check if tcp sequence number is starting from (/after) +1st record's start sequnce number. It only checks if seq number is before +1st record's end sequnce number. This problem will always be a possibility +in re-transmit case. If a record which belongs to a requested seq number is +already deleted, tls_get_record will start looking into list and as per the +check it will look if seq number is before the end seq of 1st record, which +will always be true and will return 1st record always, it should in fact +return NULL. +As part of the fix, start looking each record only if the sequence number +lies in the list else return NULL. +There is one more check added, driver look for the start marker record to +handle tcp packets which are before the tls offload start sequence number, +hence return 1st record if the record is tls start marker and seq number is +before the 1st record's starting sequence number. + +Fixes: e8f69799810c ("net/tls: Add generic NIC offload infrastructure") +Signed-off-by: Rohit Maheshwari +Reviewed-by: Jakub Kicinski +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/tls/tls_device.c | 20 +++++++++++++++++++- + 1 file changed, 19 insertions(+), 1 deletion(-) + +--- a/net/tls/tls_device.c ++++ b/net/tls/tls_device.c +@@ -592,7 +592,7 @@ struct tls_record_info *tls_get_record(s + u32 seq, u64 *p_record_sn) + { + u64 record_sn = context->hint_record_sn; +- struct tls_record_info *info; ++ struct tls_record_info *info, *last; + + info = context->retransmit_hint; + if (!info || +@@ -604,6 +604,24 @@ struct tls_record_info *tls_get_record(s + struct tls_record_info, list); + if (!info) + return NULL; ++ /* send the start_marker record if seq number is before the ++ * tls offload start marker sequence number. This record is ++ * required to handle TCP packets which are before TLS offload ++ * started. ++ * And if it's not start marker, look if this seq number ++ * belongs to the list. ++ */ ++ if (likely(!tls_record_is_start_marker(info))) { ++ /* we have the first record, get the last record to see ++ * if this seq number belongs to the list. ++ */ ++ last = list_last_entry(&context->records_list, ++ struct tls_record_info, list); ++ ++ if (!between(seq, tls_record_start_seq(info), ++ last->end_seq)) ++ return NULL; ++ } + record_sn = context->unacked_record_sn; + } + diff --git a/queue-5.5/nfc-pn544-fix-occasional-hw-initialization-failure.patch b/queue-5.5/nfc-pn544-fix-occasional-hw-initialization-failure.patch new file mode 100644 index 00000000000..9bd32b5a239 --- /dev/null +++ b/queue-5.5/nfc-pn544-fix-occasional-hw-initialization-failure.patch 
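Review bot: In tls_get_record() (net/tls/tls_device.c), between(seq, tls_record_start_seq(info), last->end_seq) is inclusive at both ends, while the changelog describes the existing per-record test as seq being before the record's end sequence number, which treats end_seq as exclusive. As written, seq == last->end_seq passes the new range check although it would belong to no record in the list; please confirm that the walk which follows returns NULL for that value, or tighten the upper bound. The block comment above `if (likely(!tls_record_is_start_marker(info)))` describes the start-marker case first, which is the branch not taken here; swapping the two sentences would match the code.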
@@ -0,0 +1,43 @@ +From foo@baz Sun 01 Mar 2020 10:24:06 AM CET +From: Dmitry Osipenko +Date: Wed, 19 Feb 2020 18:01:22 +0300 +Subject: nfc: pn544: Fix occasional HW initialization failure + +From: Dmitry Osipenko + +[ Upstream commit c3331d2fe3fd4d5e321f2467d01f72de7edfb5d0 ] + +The PN544 driver checks the "enable" polarity during of driver's probe and +it's doing that by turning ON and OFF NFC with different polarities until +enabling succeeds. It takes some time for the hardware to power-down, and +thus, to deassert the IRQ that is raised by turning ON the hardware. +Since the delay after last power-down of the polarity-checking process is +missed in the code, the interrupt may trigger immediately after installing +the IRQ handler (right after the checking is done), which results in IRQ +handler trying to touch the disabled HW and ends with marking NFC as +'DEAD' during of the driver's probe: + + pn544_hci_i2c 1-002a: NFC: nfc_en polarity : active high + pn544_hci_i2c 1-002a: NFC: invalid len byte + shdlc: llc_shdlc_recv_frame: NULL Frame -> link is dead + +This patch fixes the occasional NFC initialization failure on Nexus 7 +device. + +Signed-off-by: Dmitry Osipenko +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/nfc/pn544/i2c.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/nfc/pn544/i2c.c ++++ b/drivers/nfc/pn544/i2c.c +@@ -225,6 +225,7 @@ static void pn544_hci_i2c_platform_init( + + out: + gpiod_set_value_cansleep(phy->gpiod_en, !phy->en_polarity); ++ usleep_range(10000, 15000); + } + + static void pn544_hci_i2c_enable_mode(struct pn544_i2c_phy *phy, int run_mode) diff --git a/queue-5.5/qede-fix-race-between-rdma-destroy-workqueue-and-link-change-event.patch b/queue-5.5/qede-fix-race-between-rdma-destroy-workqueue-and-link-change-event.patch new file mode 100644 index 00000000000..85e2a909ef7 --- /dev/null +++ b/queue-5.5/qede-fix-race-between-rdma-destroy-workqueue-and-link-change-event.patch 
@@ -0,0 +1,106 @@ +From foo@baz Sun 01 Mar 2020 10:24:06 AM CET +From: Michal Kalderon +Date: Mon, 17 Feb 2020 13:37:18 +0200 +Subject: qede: Fix race between rdma destroy workqueue and link change event + +From: Michal Kalderon + +[ Upstream commit af6565adb02d3129d3fae4d9d5da945abaf4417a ] + +If an event is added while the rdma workqueue is being destroyed +it could lead to several races, list corruption, null pointer +dereference during queue_work or init_queue. +This fixes the race between the two flows which can occur during +shutdown. + +A kref object and a completion object are added to the rdma_dev +structure, these are initialized before the workqueue is created. +The refcnt is used to indicate work is being added to the +workqueue and ensures the cleanup flow won't start while we're in +the middle of adding the event. +Once the work is added, the refcnt is decreased and the cleanup flow +is safe to run. + +Fixes: cee9fbd8e2e ("qede: Add qedr framework") +Signed-off-by: Ariel Elior +Signed-off-by: Michal Kalderon +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/qlogic/qede/qede.h | 2 + + drivers/net/ethernet/qlogic/qede/qede_rdma.c | 29 ++++++++++++++++++++++++++- + 2 files changed, 30 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/qlogic/qede/qede.h ++++ b/drivers/net/ethernet/qlogic/qede/qede.h +@@ -163,6 +163,8 @@ struct qede_rdma_dev { + struct list_head entry; + struct list_head rdma_event_list; + struct workqueue_struct *rdma_wq; ++ struct kref refcnt; ++ struct completion event_comp; + bool exp_recovery; + }; + +--- a/drivers/net/ethernet/qlogic/qede/qede_rdma.c ++++ b/drivers/net/ethernet/qlogic/qede/qede_rdma.c +@@ -59,6 +59,9 @@ static void _qede_rdma_dev_add(struct qe + static int qede_rdma_create_wq(struct qede_dev *edev) + { + INIT_LIST_HEAD(&edev->rdma_info.rdma_event_list); ++ kref_init(&edev->rdma_info.refcnt); ++ init_completion(&edev->rdma_info.event_comp); ++ + edev->rdma_info.rdma_wq = create_singlethread_workqueue("rdma_wq"); + if (!edev->rdma_info.rdma_wq) { + DP_NOTICE(edev, "qedr: Could not create workqueue\n"); +@@ -83,8 +86,23 @@ static void qede_rdma_cleanup_event(stru + } + } + ++static void qede_rdma_complete_event(struct kref *ref) ++{ ++ struct qede_rdma_dev *rdma_dev = ++ container_of(ref, struct qede_rdma_dev, refcnt); ++ ++ /* no more events will be added after this */ ++ complete(&rdma_dev->event_comp); ++} ++ + static void qede_rdma_destroy_wq(struct qede_dev *edev) + { ++ /* Avoid race with add_event flow, make sure it finishes before ++ * we start accessing the list and cleaning up the work ++ */ ++ kref_put(&edev->rdma_info.refcnt, qede_rdma_complete_event); ++ wait_for_completion(&edev->rdma_info.event_comp); ++ + qede_rdma_cleanup_event(edev); + destroy_workqueue(edev->rdma_info.rdma_wq); + } +@@ -310,15 +328,24 @@ static void qede_rdma_add_event(struct q + if (!edev->rdma_info.qedr_dev) + return; + ++ /* We don't want the cleanup flow to start while we're allocating and ++ * scheduling the work ++ */ 
++ if (!kref_get_unless_zero(&edev->rdma_info.refcnt)) ++ return; /* already being destroyed */ ++ + event_node = qede_rdma_get_free_event_node(edev); + if (!event_node) +- return; ++ goto out; + + event_node->event = event; + event_node->ptr = edev; + + INIT_WORK(&event_node->work, qede_rdma_handle_event); + queue_work(edev->rdma_info.rdma_wq, &event_node->work); ++ ++out: ++ kref_put(&edev->rdma_info.refcnt, qede_rdma_complete_event); + } + + void qede_rdma_dev_event_open(struct qede_dev *edev) diff --git a/queue-5.5/revert-net-dev-introduce-support-for-sch-bypass-for-lockless-qdisc.patch b/queue-5.5/revert-net-dev-introduce-support-for-sch-bypass-for-lockless-qdisc.patch new file mode 100644 index 00000000000..d9a09410dd8 --- /dev/null +++ b/queue-5.5/revert-net-dev-introduce-support-for-sch-bypass-for-lockless-qdisc.patch 
@@ -0,0 +1,59 @@ +From foo@baz Sun 01 Mar 2020 10:24:06 AM CET +From: Paolo Abeni +Date: Tue, 18 Feb 2020 18:15:44 +0100 +Subject: Revert "net: dev: introduce support for sch BYPASS for lockless qdisc" + +From: Paolo Abeni + +[ Upstream commit 379349e9bc3b42b8b2f8f7a03f64a97623fff323 ] + +This reverts commit ba27b4cdaaa66561aaedb2101876e563738d36fe + +Ahmed reported ouf-of-order issues bisected to commit ba27b4cdaaa6 +("net: dev: introduce support for sch BYPASS for lockless qdisc"). +I can't find any working solution other than a plain revert. + +This will introduce some minor performance regressions for +pfifo_fast qdisc. I plan to address them in net-next with more +indirect call wrapper boilerplate for qdiscs. + +Reported-by: Ahmad Fatoum +Fixes: ba27b4cdaaa6 ("net: dev: introduce support for sch BYPASS for lockless qdisc") +Signed-off-by: Paolo Abeni +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/core/dev.c | 22 ++-------------------- + 1 file changed, 2 insertions(+), 20 deletions(-) + +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -3607,26 +3607,8 @@ static inline int __dev_xmit_skb(struct + qdisc_calculate_pkt_len(skb, q); + + if (q->flags & TCQ_F_NOLOCK) { +- if ((q->flags & TCQ_F_CAN_BYPASS) && READ_ONCE(q->empty) && +- qdisc_run_begin(q)) { +- if (unlikely(test_bit(__QDISC_STATE_DEACTIVATED, +- &q->state))) { +- __qdisc_drop(skb, &to_free); +- rc = NET_XMIT_DROP; +- goto end_run; +- } +- qdisc_bstats_cpu_update(q, skb); +- +- rc = NET_XMIT_SUCCESS; +- if (sch_direct_xmit(skb, q, dev, txq, NULL, true)) +- __qdisc_run(q); +- +-end_run: +- qdisc_run_end(q); +- } else { +- rc = q->enqueue(skb, q, &to_free) & NET_XMIT_MASK; +- qdisc_run(q); +- } ++ rc = q->enqueue(skb, q, &to_free) & NET_XMIT_MASK; ++ qdisc_run(q); + + if (unlikely(to_free)) + kfree_skb_list(to_free); 
diff --git a/queue-5.5/sctp-move-the-format-error-check-out-of-__sctp_sf_do_9_1_abort.patch b/queue-5.5/sctp-move-the-format-error-check-out-of-__sctp_sf_do_9_1_abort.patch new file mode 100644 index 00000000000..133caf4ee79 --- /dev/null +++ b/queue-5.5/sctp-move-the-format-error-check-out-of-__sctp_sf_do_9_1_abort.patch 
@@ -0,0 +1,104 @@ +From foo@baz Sun 01 Mar 2020 10:24:06 AM CET +From: Xin Long +Date: Tue, 18 Feb 2020 12:07:53 +0800 +Subject: sctp: move the format error check out of __sctp_sf_do_9_1_abort + +From: Xin Long + +[ Upstream commit 245709ec8be89af46ea7ef0444c9c80913999d99 ] + +When T2 timer is to be stopped, the asoc should also be deleted, +otherwise, there will be no chance to call sctp_association_free +and the asoc could last in memory forever. + +However, in sctp_sf_shutdown_sent_abort(), after adding the cmd +SCTP_CMD_TIMER_STOP for T2 timer, it may return error due to the +format error from __sctp_sf_do_9_1_abort() and miss adding +SCTP_CMD_ASSOC_FAILED where the asoc will be deleted. + +This patch is to fix it by moving the format error check out of +__sctp_sf_do_9_1_abort(), and do it before adding the cmd +SCTP_CMD_TIMER_STOP for T2 timer. + +Thanks Hangbin for reporting this issue by the fuzz testing. + +v1->v2: + - improve the comment in the code as Marcelo's suggestion. + +Fixes: 96ca468b86b0 ("sctp: check invalid value of length parameter in error cause") +Reported-by: Hangbin Liu +Acked-by: Marcelo Ricardo Leitner +Signed-off-by: Xin Long +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/sctp/sm_statefuns.c | 29 ++++++++++++++++++++--------- + 1 file changed, 20 insertions(+), 9 deletions(-) + +--- a/net/sctp/sm_statefuns.c ++++ b/net/sctp/sm_statefuns.c +@@ -170,6 +170,16 @@ static inline bool sctp_chunk_length_val + return true; + } + ++/* Check for format error in an ABORT chunk */ ++static inline bool sctp_err_chunk_valid(struct sctp_chunk *chunk) ++{ ++ struct sctp_errhdr *err; ++ ++ sctp_walk_errors(err, chunk->chunk_hdr); ++ ++ return (void *)err == (void *)chunk->chunk_end; ++} ++ + /********************************************************** + * These are the state functions for handling chunk events. 
+ **********************************************************/ +@@ -2255,6 +2265,9 @@ enum sctp_disposition sctp_sf_shutdown_p + sctp_bind_addr_state(&asoc->base.bind_addr, &chunk->dest)) + return sctp_sf_discard_chunk(net, ep, asoc, type, arg, commands); + ++ if (!sctp_err_chunk_valid(chunk)) ++ return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); ++ + return __sctp_sf_do_9_1_abort(net, ep, asoc, type, arg, commands); + } + +@@ -2298,6 +2311,9 @@ enum sctp_disposition sctp_sf_shutdown_s + sctp_bind_addr_state(&asoc->base.bind_addr, &chunk->dest)) + return sctp_sf_discard_chunk(net, ep, asoc, type, arg, commands); + ++ if (!sctp_err_chunk_valid(chunk)) ++ return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); ++ + /* Stop the T2-shutdown timer. */ + sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, + SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); +@@ -2565,6 +2581,9 @@ enum sctp_disposition sctp_sf_do_9_1_abo + sctp_bind_addr_state(&asoc->base.bind_addr, &chunk->dest)) + return sctp_sf_discard_chunk(net, ep, asoc, type, arg, commands); + ++ if (!sctp_err_chunk_valid(chunk)) ++ return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); ++ + return __sctp_sf_do_9_1_abort(net, ep, asoc, type, arg, commands); + } + +@@ -2582,16 +2601,8 @@ static enum sctp_disposition __sctp_sf_d + + /* See if we have an error cause code in the chunk. */ + len = ntohs(chunk->chunk_hdr->length); +- if (len >= sizeof(struct sctp_chunkhdr) + sizeof(struct sctp_errhdr)) { +- struct sctp_errhdr *err; +- +- sctp_walk_errors(err, chunk->chunk_hdr); +- if ((void *)err != (void *)chunk->chunk_end) +- return sctp_sf_pdiscard(net, ep, asoc, type, arg, +- commands); +- ++ if (len >= sizeof(struct sctp_chunkhdr) + sizeof(struct sctp_errhdr)) + error = ((struct sctp_errhdr *)chunk->skb->data)->cause; +- } + + sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, SCTP_ERROR(ECONNRESET)); + /* ASSOC_FAILED will DELETE_TCB. */ 
diff --git a/queue-5.5/series b/queue-5.5/series index 84e80a7fc4f..8e56fba3d5f 100644 --- a/queue-5.5/series +++ b/queue-5.5/series @@ -1 +1,24 @@ edac-skx_common-downgrade-message-importance-on-miss.patch +net-dsa-b53-ensure-the-default-vid-is-untagged.patch +net-fib_rules-correctly-set-table-field-when-table-number-exceeds-8-bits.patch +net-macb-ensure-interface-is-not-suspended-on-at91rm9200.patch +net-mscc-fix-in-frame-extraction.patch +net-phy-restore-mdio-regs-in-the-iproc-mdio-driver.patch +net-sched-correct-flower-port-blocking.patch +net-tls-fix-to-avoid-gettig-invalid-tls-record.patch +nfc-pn544-fix-occasional-hw-initialization-failure.patch +qede-fix-race-between-rdma-destroy-workqueue-and-link-change-event.patch +revert-net-dev-introduce-support-for-sch-bypass-for-lockless-qdisc.patch +udp-rehash-on-disconnect.patch +sctp-move-the-format-error-check-out-of-__sctp_sf_do_9_1_abort.patch +bnxt_en-improve-device-shutdown-method.patch +bnxt_en-issue-pcie-flr-in-kdump-kernel-to-cleanup-pending-dmas.patch +bonding-add-missing-netdev_update_lockdep_key.patch +net-export-netdev_next_lower_dev_rcu.patch +bonding-fix-lockdep-warning-in-bond_get_stats.patch +ipv6-fix-route-replacement-with-dev-only-route.patch +ipv6-fix-nlmsg_flags-when-splitting-a-multipath-route.patch +ionic-fix-fw_status-read.patch +net-add-strict-checks-in-netdev_name_node_alt_destroy.patch +net-macb-properly-handle-phylink-on-at91rm9200.patch +net-rtnetlink-fix-bugs-in-rtnl_alt_ifname.patch diff --git a/queue-5.5/udp-rehash-on-disconnect.patch b/queue-5.5/udp-rehash-on-disconnect.patch new file mode 100644 index 00000000000..57bf2c497fb --- /dev/null +++ b/queue-5.5/udp-rehash-on-disconnect.patch 
@@ -0,0 +1,58 @@ +From foo@baz Sun 01 Mar 2020 10:24:06 AM CET +From: Willem de Bruijn +Date: Wed, 19 Feb 2020 14:16:32 -0500 +Subject: udp: rehash on disconnect + +From: Willem de Bruijn + +[ Upstream commit 303d0403b8c25e994e4a6e45389e173cf8706fb5 ] + +As of the below commit, udp sockets bound to a specific address can +coexist with one bound to the any addr for the same port. + +The commit also phased out the use of socket hashing based only on +port (hslot), in favor of always hashing on {addr, port} (hslot2). + +The change broke the following behavior with disconnect (AF_UNSPEC): + + server binds to 0.0.0.0:1337 + server connects to 127.0.0.1:80 + server disconnects + client connects to 127.0.0.1:1337 + client sends "hello" + server reads "hello" // times out, packet did not find sk + +On connect the server acquires a specific source addr suitable for +routing to its destination. On disconnect it reverts to the any addr. + +The connect call triggers a rehash to a different hslot2. On +disconnect, add the same to return to the original hslot2. + +Skip this step if the socket is going to be unhashed completely. + +Fixes: 4cdeeee9252a ("net: udp: prefer listeners bound to an address") +Reported-by: Pavel Roskin +Signed-off-by: Willem de Bruijn +Reviewed-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/udp.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/net/ipv4/udp.c ++++ b/net/ipv4/udp.c +@@ -1856,8 +1856,12 @@ int __udp_disconnect(struct sock *sk, in + inet->inet_dport = 0; + sock_rps_reset_rxhash(sk); + sk->sk_bound_dev_if = 0; +- if (!(sk->sk_userlocks & SOCK_BINDADDR_LOCK)) ++ if (!(sk->sk_userlocks & SOCK_BINDADDR_LOCK)) { + inet_reset_saddr(sk); ++ if (sk->sk_prot->rehash && ++ (sk->sk_userlocks & SOCK_BINDPORT_LOCK)) ++ sk->sk_prot->rehash(sk); ++ } + + if (!(sk->sk_userlocks & SOCK_BINDPORT_LOCK)) { + sk->sk_prot->unhash(sk);
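Review bot: in the net/tls/tls_device.c hunk at tls_get_record(), the new comment says the start marker record is sent when seq is before the offload start sequence number, but the added condition never compares seq against the start marker. When the first record is a start marker the code only skips the between() range check, so a seq past last->end_seq also gets through this block. Either test seq against tls_record_start_seq(info) explicitly in the start-marker case, or reword the comment to say that the range check is skipped for a start marker and that the code after this block decides what is returned.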
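Review bot: in the drivers/nfc/pn544/i2c.c hunk, the usleep_range(10000, 15000) added after the out: label in pn544_hci_i2c_platform_init() carries no comment, and the reason for it (let the hardware power down and deassert the IRQ before the handler is installed) is recorded only in the commit message. A one-line comment above the call, plus a note on where the 10 to 15 ms figure comes from, would keep the delay from being removed later as an unexplained sleep.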
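Review bot: in the drivers/net/ethernet/qlogic/qede/qede_rdma.c hunk at qede_rdma_destroy_wq(), the kref_put() and the wait_for_completion() are now unconditional, yet the kref and the completion are initialized only in qede_rdma_create_wq(). Please confirm that every caller reaches destroy only after create has run, and say what happens on the create failure path, where kref_init() has already run but rdma_wq is NULL. If destroy can run without a prior create, the put underflows the refcount and the wait is on an uninitialized completion. The wait also has no timeout, so any future add_event path that takes the reference and returns without going through the out: label would hang shutdown; a comment at the kref_get_unless_zero() call saying that every exit must reach out: would help.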
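Review bot: in the net/sctp/sm_statefuns.c hunks, the old check in __sctp_sf_do_9_1_abort() ran sctp_walk_errors() only when len >= sizeof(struct sctp_chunkhdr) + sizeof(struct sctp_errhdr), while the new sctp_err_chunk_valid() walks unconditionally. Please confirm that an ABORT with no error cause still passes, that is, err ends equal to chunk->chunk_end when the walk runs zero times, and state that in the helper's comment. Also, __sctp_sf_do_9_1_abort() now reads the cause from chunk->skb->data on the assumption that every caller validated the chunk first; a comment above the function naming sctp_err_chunk_valid() as a precondition would stop a future caller from skipping it.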
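Review bot: in the net/ipv4/udp.c hunk at __udp_disconnect(), the new rehash is gated on SOCK_BINDPORT_LOCK inside the !SOCK_BINDADDR_LOCK branch, and the only explanation for that gate ("Skip this step if the socket is going to be unhashed completely") is in the commit message. Please add a short comment at the sk->sk_prot->rehash call saying that inet_reset_saddr() changed the address the hslot2 hash depends on, and that the rehash is skipped when the block just below is going to unhash the socket anyway, so the relationship between the two SOCK_BINDPORT_LOCK tests is clear from the code.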