From: Greg Kroah-Hartman Date: Fri, 25 Oct 2019 01:58:25 +0000 (-0400) Subject: 4.4-stable patches X-Git-Tag: v4.4.198~44 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=7a1efabf67686feb2324ce409ec15ffaf801843b;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: ipv4-return-enetunreach-if-we-can-t-create-route-but-saddr-is-valid.patch net-avoid-potential-infinite-loop-in-tc_ctl_action.patch net-bcmgenet-fix-rgmii_mode_en-value-for-genet-v1-2-3.patch net-bcmgenet-set-phydev-dev_flags-only-for-internal-phys.patch sctp-change-sctp_prot-.no_autobind-with-true.patch --- diff --git a/queue-4.4/ipv4-return-enetunreach-if-we-can-t-create-route-but-saddr-is-valid.patch b/queue-4.4/ipv4-return-enetunreach-if-we-can-t-create-route-but-saddr-is-valid.patch new file mode 100644 index 00000000000..ac6b960f8fb --- /dev/null +++ b/queue-4.4/ipv4-return-enetunreach-if-we-can-t-create-route-but-saddr-is-valid.patch @@ -0,0 +1,94 @@ +From foo@baz Thu 24 Oct 2019 09:47:17 PM EDT +From: Stefano Brivio +Date: Wed, 16 Oct 2019 20:52:09 +0200 +Subject: ipv4: Return -ENETUNREACH if we can't create route but saddr is valid + +From: Stefano Brivio + +[ Upstream commit 595e0651d0296bad2491a4a29a7a43eae6328b02 ] + +...instead of -EINVAL. An issue was found with older kernel versions +while unplugging a NFS client with pending RPCs, and the wrong error +code here prevented it from recovering once link is back up with a +configured address. + +Incidentally, this is not an issue anymore since commit 4f8943f80883 +("SUNRPC: Replace direct task wakeups from softirq context"), included +in 5.2-rc7, had the effect of decoupling the forwarding of this error +by using SO_ERROR in xs_wake_error(), as pointed out by Benjamin +Coddington. + +To the best of my knowledge, this isn't currently causing any further +issue, but the error code doesn't look appropriate anyway, and we +might hit this in other paths as well. + +In detail, as analysed by Gonzalo Siero, once the route is deleted +because the interface is down, and can't be resolved and we return +-EINVAL here, this ends up, courtesy of inet_sk_rebuild_header(), +as the socket error seen by tcp_write_err(), called by +tcp_retransmit_timer(). + +In turn, tcp_write_err() indirectly calls xs_error_report(), which +wakes up the RPC pending tasks with a status of -EINVAL. This is then +seen by call_status() in the SUN RPC implementation, which aborts the +RPC call calling rpc_exit(), instead of handling this as a +potentially temporary condition, i.e. as a timeout. + +Return -EINVAL only if the input parameters passed to +ip_route_output_key_hash_rcu() are actually invalid (this is the case +if the specified source address is multicast, limited broadcast or +all zeroes), but return -ENETUNREACH in all cases where, at the given +moment, the given source address doesn't allow resolving the route. + +While at it, drop the initialisation of err to -ENETUNREACH, which +was added to __ip_route_output_key() back then by commit +0315e3827048 ("net: Fix behaviour of unreachable, blackhole and +prohibit routes"), but actually had no effect, as it was, and is, +overwritten by the fib_lookup() return code assignment, and anyway +ignored in all other branches, including the if (fl4->saddr) one: +I find this rather confusing, as it would look like -ENETUNREACH is +the "default" error, while that statement has no effect. + +Also note that after commit fc75fc8339e7 ("ipv4: dont create routes +on down devices"), we would get -ENETUNREACH if the device is down, +but -EINVAL if the source address is specified and we can't resolve +the route, and this appears to be rather inconsistent. + +Reported-by: Stefan Walter +Analysed-by: Benjamin Coddington +Analysed-by: Gonzalo Siero +Signed-off-by: Stefano Brivio +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/route.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +--- a/net/ipv4/route.c ++++ b/net/ipv4/route.c +@@ -2209,7 +2209,7 @@ struct rtable *__ip_route_output_key_has + struct fib_result res; + struct rtable *rth; + int orig_oif; +- int err = -ENETUNREACH; ++ int err; + + res.tclassid = 0; + res.fi = NULL; +@@ -2224,11 +2224,14 @@ struct rtable *__ip_route_output_key_has + + rcu_read_lock(); + if (fl4->saddr) { +- rth = ERR_PTR(-EINVAL); + if (ipv4_is_multicast(fl4->saddr) || + ipv4_is_lbcast(fl4->saddr) || +- ipv4_is_zeronet(fl4->saddr)) ++ ipv4_is_zeronet(fl4->saddr)) { ++ rth = ERR_PTR(-EINVAL); + goto out; ++ } ++ ++ rth = ERR_PTR(-ENETUNREACH); + + /* I removed check for oif == dev_out->oif here. + It was wrong for two reasons: diff --git a/queue-4.4/loop-add-loop_set_direct_io-to-compat-ioctl.patch b/queue-4.4/loop-add-loop_set_direct_io-to-compat-ioctl.patch index fdd9e280cdd..daf38bc438d 100644 --- a/queue-4.4/loop-add-loop_set_direct_io-to-compat-ioctl.patch +++ b/queue-4.4/loop-add-loop_set_direct_io-to-compat-ioctl.patch @@ -22,14 +22,12 @@ Signed-off-by: Alessio Balsini Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin --- - drivers/block/loop.c | 1 + + drivers/block/loop.c | 1 + 1 file changed, 1 insertion(+) -diff --git a/drivers/block/loop.c b/drivers/block/loop.c -index da3902ac16c86..8aadd4d0c3a88 100644 --- a/drivers/block/loop.c +++ b/drivers/block/loop.c -@@ -1557,6 +1557,7 @@ static int lo_compat_ioctl(struct block_device *bdev, fmode_t mode, +@@ -1557,6 +1557,7 @@ static int lo_compat_ioctl(struct block_ arg = (unsigned long) compat_ptr(arg); case LOOP_SET_FD: case LOOP_CHANGE_FD: @@ -37,6 +35,3 @@ index da3902ac16c86..8aadd4d0c3a88 100644 err = lo_ioctl(bdev, mode, cmd, arg); break; default: --- -2.20.1 - diff --git a/queue-4.4/net-avoid-potential-infinite-loop-in-tc_ctl_action.patch b/queue-4.4/net-avoid-potential-infinite-loop-in-tc_ctl_action.patch new file mode 100644 index 00000000000..09b0a902502 --- /dev/null +++ b/queue-4.4/net-avoid-potential-infinite-loop-in-tc_ctl_action.patch @@ -0,0 +1,132 @@ +From foo@baz Thu 24 Oct 2019 09:41:49 PM EDT +From: Eric Dumazet +Date: Mon, 14 Oct 2019 11:22:30 -0700 +Subject: net: avoid potential infinite loop in tc_ctl_action() + +From: Eric Dumazet + +[ Upstream commit 39f13ea2f61b439ebe0060393e9c39925c9ee28c ] + +tc_ctl_action() has the ability to loop forever if tcf_action_add() +returns -EAGAIN. + +This special case has been done in case a module needed to be loaded, +but it turns out that tcf_add_notify() could also return -EAGAIN +if the socket sk_rcvbuf limit is hit. + +We need to separate the two cases, and only loop for the module +loading case. + +While we are at it, add a limit of 10 attempts since unbounded +loops are always scary. + +syzbot repro was something like : + +socket(PF_NETLINK, SOCK_RAW|SOCK_NONBLOCK, NETLINK_ROUTE) = 3 +write(3, ..., 38) = 38 +setsockopt(3, SOL_SOCKET, SO_RCVBUF, [0], 4) = 0 +sendmsg(3, {msg_name(0)=NULL, msg_iov(1)=[{..., 388}], msg_controllen=0, msg_flags=0x10}, ...) + +NMI backtrace for cpu 0 +CPU: 0 PID: 1054 Comm: khungtaskd Not tainted 5.4.0-rc1+ #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0x172/0x1f0 lib/dump_stack.c:113 + nmi_cpu_backtrace.cold+0x70/0xb2 lib/nmi_backtrace.c:101 + nmi_trigger_cpumask_backtrace+0x23b/0x28b lib/nmi_backtrace.c:62 + arch_trigger_cpumask_backtrace+0x14/0x20 arch/x86/kernel/apic/hw_nmi.c:38 + trigger_all_cpu_backtrace include/linux/nmi.h:146 [inline] + check_hung_uninterruptible_tasks kernel/hung_task.c:205 [inline] + watchdog+0x9d0/0xef0 kernel/hung_task.c:289 + kthread+0x361/0x430 kernel/kthread.c:255 + ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352 +Sending NMI from CPU 0 to CPUs 1: +NMI backtrace for cpu 1 +CPU: 1 PID: 8859 Comm: syz-executor910 Not tainted 5.4.0-rc1+ #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +RIP: 0010:arch_local_save_flags arch/x86/include/asm/paravirt.h:751 [inline] +RIP: 0010:lockdep_hardirqs_off+0x1df/0x2e0 kernel/locking/lockdep.c:3453 +Code: 5c 08 00 00 5b 41 5c 41 5d 5d c3 48 c7 c0 58 1d f3 88 48 ba 00 00 00 00 00 fc ff df 48 c1 e8 03 80 3c 10 00 0f 85 d3 00 00 00 <48> 83 3d 21 9e 99 07 00 0f 84 b9 00 00 00 9c 58 0f 1f 44 00 00 f6 +RSP: 0018:ffff8880a6f3f1b8 EFLAGS: 00000046 +RAX: 1ffffffff11e63ab RBX: ffff88808c9c6080 RCX: 0000000000000000 +RDX: dffffc0000000000 RSI: 0000000000000000 RDI: ffff88808c9c6914 +RBP: ffff8880a6f3f1d0 R08: ffff88808c9c6080 R09: fffffbfff16be5d1 +R10: fffffbfff16be5d0 R11: 0000000000000003 R12: ffffffff8746591f +R13: ffff88808c9c6080 R14: ffffffff8746591f R15: 0000000000000003 +FS: 00000000011e4880(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: ffffffffff600400 CR3: 00000000a8920000 CR4: 00000000001406e0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + trace_hardirqs_off+0x62/0x240 kernel/trace/trace_preemptirq.c:45 + __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:108 [inline] + _raw_spin_lock_irqsave+0x6f/0xcd kernel/locking/spinlock.c:159 + __wake_up_common_lock+0xc8/0x150 kernel/sched/wait.c:122 + __wake_up+0xe/0x10 kernel/sched/wait.c:142 + netlink_unlock_table net/netlink/af_netlink.c:466 [inline] + netlink_unlock_table net/netlink/af_netlink.c:463 [inline] + netlink_broadcast_filtered+0x705/0xb80 net/netlink/af_netlink.c:1514 + netlink_broadcast+0x3a/0x50 net/netlink/af_netlink.c:1534 + rtnetlink_send+0xdd/0x110 net/core/rtnetlink.c:714 + tcf_add_notify net/sched/act_api.c:1343 [inline] + tcf_action_add+0x243/0x370 net/sched/act_api.c:1362 + tc_ctl_action+0x3b5/0x4bc net/sched/act_api.c:1410 + rtnetlink_rcv_msg+0x463/0xb00 net/core/rtnetlink.c:5386 + netlink_rcv_skb+0x177/0x450 net/netlink/af_netlink.c:2477 + rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:5404 + netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline] + netlink_unicast+0x531/0x710 net/netlink/af_netlink.c:1328 + netlink_sendmsg+0x8a5/0xd60 net/netlink/af_netlink.c:1917 + sock_sendmsg_nosec net/socket.c:637 [inline] + sock_sendmsg+0xd7/0x130 net/socket.c:657 + ___sys_sendmsg+0x803/0x920 net/socket.c:2311 + __sys_sendmsg+0x105/0x1d0 net/socket.c:2356 + __do_sys_sendmsg net/socket.c:2365 [inline] + __se_sys_sendmsg net/socket.c:2363 [inline] + __x64_sys_sendmsg+0x78/0xb0 net/socket.c:2363 + do_syscall_64+0xfa/0x760 arch/x86/entry/common.c:290 + entry_SYSCALL_64_after_hwframe+0x49/0xbe +RIP: 0033:0x440939 + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Eric Dumazet +Reported-by: syzbot+cf0adbb9c28c8866c788@syzkaller.appspotmail.com +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/sched/act_api.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +--- a/net/sched/act_api.c ++++ b/net/sched/act_api.c +@@ -946,10 +946,15 @@ static int + tcf_action_add(struct net *net, struct nlattr *nla, struct nlmsghdr *n, + u32 portid, int ovr) + { +- int ret = 0; ++ int loop, ret; + LIST_HEAD(actions); + +- ret = tcf_action_init(net, nla, NULL, NULL, ovr, 0, &actions); ++ for (loop = 0; loop < 10; loop++) { ++ ret = tcf_action_init(net, nla, NULL, NULL, ovr, 0, &actions); ++ if (ret != -EAGAIN) ++ break; ++ } ++ + if (ret) + goto done; + +@@ -992,10 +997,7 @@ static int tc_ctl_action(struct sk_buff + */ + if (n->nlmsg_flags & NLM_F_REPLACE) + ovr = 1; +-replay: + ret = tcf_action_add(net, tca[TCA_ACT_TAB], n, portid, ovr); +- if (ret == -EAGAIN) +- goto replay; + break; + case RTM_DELACTION: + ret = tca_action_gd(net, tca[TCA_ACT_TAB], n, diff --git a/queue-4.4/net-bcmgenet-fix-rgmii_mode_en-value-for-genet-v1-2-3.patch b/queue-4.4/net-bcmgenet-fix-rgmii_mode_en-value-for-genet-v1-2-3.patch new file mode 100644 index 00000000000..08962645886 --- /dev/null +++ b/queue-4.4/net-bcmgenet-fix-rgmii_mode_en-value-for-genet-v1-2-3.patch @@ -0,0 +1,47 @@ +From foo@baz Thu 24 Oct 2019 09:53:59 PM EDT +From: Florian Fainelli +Date: Tue, 15 Oct 2019 10:45:47 -0700 +Subject: net: bcmgenet: Fix RGMII_MODE_EN value for GENET v1/2/3 + +From: Florian Fainelli + +[ Upstream commit efb86fede98cdc70b674692ff617b1162f642c49 ] + +The RGMII_MODE_EN bit value was 0 for GENET versions 1 through 3, and +became 6 for GENET v4 and above, account for that difference. + +Fixes: aa09677cba42 ("net: bcmgenet: add MDIO routines") +Signed-off-by: Florian Fainelli +Acked-by: Doug Berger +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/broadcom/genet/bcmgenet.h | 1 + + drivers/net/ethernet/broadcom/genet/bcmmii.c | 6 +++++- + 2 files changed, 6 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.h ++++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.h +@@ -362,6 +362,7 @@ struct bcmgenet_mib_counters { + #define EXT_ENERGY_DET_MASK (1 << 12) + + #define EXT_RGMII_OOB_CTRL 0x0C ++#define RGMII_MODE_EN_V123 (1 << 0) + #define RGMII_LINK (1 << 4) + #define OOB_DISABLE (1 << 5) + #define RGMII_MODE_EN (1 << 6) +--- a/drivers/net/ethernet/broadcom/genet/bcmmii.c ++++ b/drivers/net/ethernet/broadcom/genet/bcmmii.c +@@ -328,7 +328,11 @@ int bcmgenet_mii_config(struct net_devic + */ + if (priv->ext_phy) { + reg = bcmgenet_ext_readl(priv, EXT_RGMII_OOB_CTRL); +- reg |= RGMII_MODE_EN | id_mode_dis; ++ reg |= id_mode_dis; ++ if (GENET_IS_V1(priv) || GENET_IS_V2(priv) || GENET_IS_V3(priv)) ++ reg |= RGMII_MODE_EN_V123; ++ else ++ reg |= RGMII_MODE_EN; + bcmgenet_ext_writel(priv, reg, EXT_RGMII_OOB_CTRL); + } + diff --git a/queue-4.4/net-bcmgenet-set-phydev-dev_flags-only-for-internal-phys.patch b/queue-4.4/net-bcmgenet-set-phydev-dev_flags-only-for-internal-phys.patch new file mode 100644 index 00000000000..914d9ebfdb9 --- /dev/null +++ b/queue-4.4/net-bcmgenet-set-phydev-dev_flags-only-for-internal-phys.patch @@ -0,0 +1,40 @@ +From foo@baz Thu 24 Oct 2019 09:53:59 PM EDT +From: Florian Fainelli +Date: Fri, 11 Oct 2019 12:53:49 -0700 +Subject: net: bcmgenet: Set phydev->dev_flags only for internal PHYs + +From: Florian Fainelli + +[ Upstream commit 92696286f3bb37ba50e4bd8d1beb24afb759a799 ] + +phydev->dev_flags is entirely dependent on the PHY device driver which +is going to be used, setting the internal GENET PHY revision in those +bits only makes sense when drivers/net/phy/bcm7xxx.c is the PHY driver +being used. + +Fixes: 487320c54143 ("net: bcmgenet: communicate integrated PHY revision to PHY driver") +Signed-off-by: Florian Fainelli +Acked-by: Doug Berger +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/broadcom/genet/bcmmii.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/broadcom/genet/bcmmii.c ++++ b/drivers/net/ethernet/broadcom/genet/bcmmii.c +@@ -346,11 +346,12 @@ int bcmgenet_mii_probe(struct net_device + struct bcmgenet_priv *priv = netdev_priv(dev); + struct device_node *dn = priv->pdev->dev.of_node; + struct phy_device *phydev; +- u32 phy_flags; ++ u32 phy_flags = 0; + int ret; + + /* Communicate the integrated PHY revision */ +- phy_flags = priv->gphy_rev; ++ if (priv->internal_phy) ++ phy_flags = priv->gphy_rev; + + /* Initialize link state variables that bcmgenet_mii_setup() uses */ + priv->old_link = -1; diff --git a/queue-4.4/sctp-change-sctp_prot-.no_autobind-with-true.patch b/queue-4.4/sctp-change-sctp_prot-.no_autobind-with-true.patch new file mode 100644 index 00000000000..928b64bd812 --- /dev/null +++ b/queue-4.4/sctp-change-sctp_prot-.no_autobind-with-true.patch @@ -0,0 +1,71 @@ +From foo@baz Thu 24 Oct 2019 09:53:59 PM EDT +From: Xin Long +Date: Tue, 15 Oct 2019 15:24:38 +0800 +Subject: sctp: change sctp_prot .no_autobind with true + +From: Xin Long + +[ Upstream commit 63dfb7938b13fa2c2fbcb45f34d065769eb09414 ] + +syzbot reported a memory leak: + + BUG: memory leak, unreferenced object 0xffff888120b3d380 (size 64): + backtrace: + + [...] slab_alloc mm/slab.c:3319 [inline] + [...] kmem_cache_alloc+0x13f/0x2c0 mm/slab.c:3483 + [...] sctp_bucket_create net/sctp/socket.c:8523 [inline] + [...] sctp_get_port_local+0x189/0x5a0 net/sctp/socket.c:8270 + [...] sctp_do_bind+0xcc/0x200 net/sctp/socket.c:402 + [...] sctp_bindx_add+0x4b/0xd0 net/sctp/socket.c:497 + [...] sctp_setsockopt_bindx+0x156/0x1b0 net/sctp/socket.c:1022 + [...] sctp_setsockopt net/sctp/socket.c:4641 [inline] + [...] sctp_setsockopt+0xaea/0x2dc0 net/sctp/socket.c:4611 + [...] sock_common_setsockopt+0x38/0x50 net/core/sock.c:3147 + [...] __sys_setsockopt+0x10f/0x220 net/socket.c:2084 + [...] __do_sys_setsockopt net/socket.c:2100 [inline] + +It was caused by when sending msgs without binding a port, in the path: +inet_sendmsg() -> inet_send_prepare() -> inet_autobind() -> +.get_port/sctp_get_port(), sp->bind_hash will be set while bp->port is +not. Later when binding another port by sctp_setsockopt_bindx(), a new +bucket will be created as bp->port is not set. + +sctp's autobind is supposed to call sctp_autobind() where it does all +things including setting bp->port. Since sctp_autobind() is called in +sctp_sendmsg() if the sk is not yet bound, it should have skipped the +auto bind. + +THis patch is to avoid calling inet_autobind() in inet_send_prepare() +by changing sctp_prot .no_autobind with true, also remove the unused +.get_port. + +Reported-by: syzbot+d44f7bbebdea49dbc84a@syzkaller.appspotmail.com +Signed-off-by: Xin Long +Acked-by: Marcelo Ricardo Leitner +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/sctp/socket.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/net/sctp/socket.c ++++ b/net/sctp/socket.c +@@ -7443,7 +7443,7 @@ struct proto sctp_prot = { + .backlog_rcv = sctp_backlog_rcv, + .hash = sctp_hash, + .unhash = sctp_unhash, +- .get_port = sctp_get_port, ++ .no_autobind = true, + .obj_size = sizeof(struct sctp_sock), + .sysctl_mem = sysctl_sctp_mem, + .sysctl_rmem = sysctl_sctp_rmem, +@@ -7482,7 +7482,7 @@ struct proto sctpv6_prot = { + .backlog_rcv = sctp_backlog_rcv, + .hash = sctp_hash, + .unhash = sctp_unhash, +- .get_port = sctp_get_port, ++ .no_autobind = true, + .obj_size = sizeof(struct sctp6_sock), + .sysctl_mem = sysctl_sctp_mem, + .sysctl_rmem = sysctl_sctp_rmem, diff --git a/queue-4.4/series b/queue-4.4/series index d21e3285ae8..5317de136fb 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -10,3 +10,8 @@ namespace-fix-namespace.pl-script-to-support-relativ.patch mips-treat-loongson-extensions-as-ases.patch mips-elf_hwcap-export-userspace-ases.patch loop-add-loop_set_direct_io-to-compat-ioctl.patch +net-bcmgenet-fix-rgmii_mode_en-value-for-genet-v1-2-3.patch +net-bcmgenet-set-phydev-dev_flags-only-for-internal-phys.patch +sctp-change-sctp_prot-.no_autobind-with-true.patch +net-avoid-potential-infinite-loop-in-tc_ctl_action.patch +ipv4-return-enetunreach-if-we-can-t-create-route-but-saddr-is-valid.patch