From: Greg Kroah-Hartman Date: Wed, 26 Aug 2020 14:32:04 +0000 (+0200) Subject: 4.4-stable patches X-Git-Tag: v5.7.19~1 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=7d24f51bb8718e9da1b9c338b5e4c92f1d5c048a;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: bonding-fix-a-potential-double-unregister.patch bonding-show-saner-speed-for-broadcast-mode.patch ipvlan-fix-device-features.patch net-fix-potential-wrong-skb-protocol-in-skb_vlan_untag.patch tipc-fix-uninit-skb-data-in-tipc_nl_compat_dumpit.patch
---
diff --git a/queue-4.4/bonding-fix-a-potential-double-unregister.patch b/queue-4.4/bonding-fix-a-potential-double-unregister.patch
new file mode 100644
index 00000000000..e47830999b1
--- /dev/null
+++ b/queue-4.4/bonding-fix-a-potential-double-unregister.patch
@@ -0,0 +1,43 @@
+From foo@baz Wed Aug 26 04:19:14 PM CEST 2020
+From: Cong Wang
+Date: Fri, 14 Aug 2020 20:05:58 -0700
+Subject: bonding: fix a potential double-unregister
+
+From: Cong Wang
+
+[ Upstream commit 832707021666411d04795c564a4adea5d6b94f17 ]
+
+When we tear down a network namespace, we unregister all
+the netdevices within it. So we may queue a slave device
+and a bonding device together in the same unregister queue.
+
+If the only slave device is non-ethernet, it would
+automatically unregister the bonding device as well. Thus,
+we may end up unregistering the bonding device twice.
+
+Workaround this special case by checking reg_state.
+
+Fixes: 9b5e383c11b0 ("net: Introduce unregister_netdevice_many()")
+Reported-by: syzbot+af23e7f3e0a7e10c8b67@syzkaller.appspotmail.com
+Cc: Eric Dumazet
+Cc: Andy Gospodarek
+Cc: Jay Vosburgh
+Signed-off-by: Cong Wang
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/bonding/bond_main.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -1940,7 +1940,8 @@ static int bond_release_and_destroy(str
+ int ret;
+
+ ret = bond_release(bond_dev, slave_dev);
+- if (ret == 0 && !bond_has_slaves(bond)) {
++ if (ret == 0 && !bond_has_slaves(bond) &&
++ bond_dev->reg_state != NETREG_UNREGISTERING) {
+ bond_dev->priv_flags |= IFF_DISABLE_NETPOLL;
+ netdev_info(bond_dev, "Destroying bond %s\n",
+ bond_dev->name);
diff --git a/queue-4.4/bonding-show-saner-speed-for-broadcast-mode.patch b/queue-4.4/bonding-show-saner-speed-for-broadcast-mode.patch
new file mode 100644
index 00000000000..129871c714a
--- /dev/null
+++ b/queue-4.4/bonding-show-saner-speed-for-broadcast-mode.patch
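Review bot: The new `bond_dev->reg_state != NETREG_UNREGISTERING` test in bond_release_and_destroy() (bonding-fix-a-potential-double-unregister.patch) carries no comment, while the commit message itself describes it as a workaround for one special case. Without the namespace-teardown context a later reader cannot tell why the last-slave path skips destroying the bond, and a double unregister of a net_device is a lifetime bug that is easy to reintroduce. I would add above the condition: `/* netns teardown may already have queued the bond for unregistration; do not unregister it a second time */`. The function body continues outside the hunk, so what the guarded branch does beyond setting IFF_DISABLE_NETPOLL and logging is not visible here.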
@@ -0,0 +1,74 @@
+From foo@baz Wed Aug 26 04:19:14 PM CEST 2020
+From: Jarod Wilson
+Date: Thu, 13 Aug 2020 10:09:00 -0400
+Subject: bonding: show saner speed for broadcast mode
+
+From: Jarod Wilson
+
+[ Upstream commit 4ca0d9ac3fd8f9f90b72a15d8da2aca3ffb58418 ]
+
+Broadcast mode bonds transmit a copy of all traffic simultaneously out of
+all interfaces, so the "speed" of the bond isn't really the aggregate of
+all interfaces, but rather, the speed of the slowest active interface.
+
+Also, the type of the speed field is u32, not unsigned long, so adjust
+that accordingly, as required to make min() function here without
+complaining about mismatching types.
+
+Fixes: bb5b052f751b ("bond: add support to read speed and duplex via ethtool")
+CC: Jay Vosburgh
+CC: Veaceslav Falico
+CC: Andy Gospodarek
+CC: "David S. Miller"
+CC: netdev@vger.kernel.org
+Acked-by: Jay Vosburgh
+Signed-off-by: Jarod Wilson
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/bonding/bond_main.c | 21 ++++++++++++++++++---
+ 1 file changed, 18 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -4057,13 +4057,23 @@ static netdev_tx_t bond_start_xmit(struc
+ return ret;
+ }
+
++static u32 bond_mode_bcast_speed(struct slave *slave, u32 speed)
++{
++ if (speed == 0 || speed == SPEED_UNKNOWN)
++ speed = slave->speed;
++ else
++ speed = min(speed, slave->speed);
++
++ return speed;
++}
++
+ static int bond_ethtool_get_settings(struct net_device *bond_dev,
+ struct ethtool_cmd *ecmd)
+ {
+ struct bonding *bond = netdev_priv(bond_dev);
+- unsigned long speed = 0;
+ struct list_head *iter;
+ struct slave *slave;
++ u32 speed = 0;
+
+ ecmd->duplex = DUPLEX_UNKNOWN;
+ ecmd->port = PORT_OTHER;
+@@ -4075,8 +4085,13 @@ static int bond_ethtool_get_settings(str
+ */
+ bond_for_each_slave(bond, slave, iter) {
+ if (bond_slave_can_tx(slave)) {
+- if (slave->speed != SPEED_UNKNOWN)
+- speed += slave->speed;
++ if
(slave->speed != SPEED_UNKNOWN) {
++ if (BOND_MODE(bond) == BOND_MODE_BROADCAST)
++ speed = bond_mode_bcast_speed(slave,
++ speed);
++ else
++ speed += slave->speed;
++ }
+ if (ecmd->duplex == DUPLEX_UNKNOWN &&
+ slave->duplex != DUPLEX_UNKNOWN)
+ ecmd->duplex = slave->duplex;
diff --git a/queue-4.4/ipvlan-fix-device-features.patch b/queue-4.4/ipvlan-fix-device-features.patch
new file mode 100644
index 00000000000..a737ba6412b
--- /dev/null
+++ b/queue-4.4/ipvlan-fix-device-features.patch
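Review bot: bond_mode_bcast_speed() in bonding-show-saner-speed-for-broadcast-mode.patch uses `speed == 0` as its "no slave seen yet" marker without saying so, and its `speed == SPEED_UNKNOWN` test looks unreachable from the one visible caller, which starts from `u32 speed = 0` and only passes slaves whose speed is not SPEED_UNKNOWN. If a slave could ever report a speed of 0 (not determinable from this hunk), `min()` would store 0 and the next slave would overwrite it rather than be compared against it. A short comment on the helper would record the contract, for example `/* speed == 0 means no usable slave has been seen yet; returns the slowest slave speed so far */`. bond_ethtool_get_settings() continues outside the hunk.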
@@ -0,0 +1,106 @@
+From foo@baz Wed Aug 26 03:58:58 PM CEST 2020
+From: Mahesh Bandewar
+Date: Fri, 14 Aug 2020 22:53:24 -0700
+Subject: ipvlan: fix device features
+
+From: Mahesh Bandewar
+
+[ Upstream commit d0f5c7076e01fef6fcb86988d9508bf3ce258bd4 ]
+
+Processing NETDEV_FEAT_CHANGE causes IPvlan links to lose
+NETIF_F_LLTX feature because of the incorrect handling of
+features in ipvlan_fix_features().
+
+--before--
+lpaa10:~# ethtool -k ipvl0 | grep tx-lockless
+tx-lockless: on [fixed]
+lpaa10:~# ethtool -K ipvl0 tso off
+Cannot change tcp-segmentation-offload
+Actual changes:
+vlan-challenged: off [fixed]
+tx-lockless: off [fixed]
+lpaa10:~# ethtool -k ipvl0 | grep tx-lockless
+tx-lockless: off [fixed]
+lpaa10:~#
+
+--after--
+lpaa10:~# ethtool -k ipvl0 | grep tx-lockless
+tx-lockless: on [fixed]
+lpaa10:~# ethtool -K ipvl0 tso off
+Cannot change tcp-segmentation-offload
+Could not change any device features
+lpaa10:~# ethtool -k ipvl0 | grep tx-lockless
+tx-lockless: on [fixed]
+lpaa10:~#
+
+Fixes: 2ad7bf363841 ("ipvlan: Initial check-in of the IPVLAN driver.")
+Signed-off-by: Mahesh Bandewar
+Cc: Eric Dumazet
+Signed-off-by: David S.
Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ipvlan/ipvlan_main.c | 25 +++++++++++++++++++++----
+ 1 file changed, 21 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/ipvlan/ipvlan_main.c
++++ b/drivers/net/ipvlan/ipvlan_main.c
+@@ -87,12 +87,21 @@ static void ipvlan_port_destroy(struct n
+ static struct lock_class_key ipvlan_netdev_xmit_lock_key;
+ static struct lock_class_key ipvlan_netdev_addr_lock_key;
+
++#define IPVLAN_ALWAYS_ON_OFLOADS \
++ (NETIF_F_SG | NETIF_F_HW_CSUM | \
++ NETIF_F_GSO_ROBUST | NETIF_F_GSO_SOFTWARE | NETIF_F_GSO_ENCAP_ALL)
++
++#define IPVLAN_ALWAYS_ON \
++ (IPVLAN_ALWAYS_ON_OFLOADS | NETIF_F_LLTX | NETIF_F_VLAN_CHALLENGED)
++
+ #define IPVLAN_FEATURES \
+ (NETIF_F_SG | NETIF_F_ALL_CSUM | NETIF_F_HIGHDMA | NETIF_F_FRAGLIST | \
+ NETIF_F_GSO | NETIF_F_TSO | NETIF_F_UFO | NETIF_F_GSO_ROBUST | \
+ NETIF_F_TSO_ECN | NETIF_F_TSO6 | NETIF_F_GRO | NETIF_F_RXCSUM | \
+ NETIF_F_HW_VLAN_CTAG_FILTER | NETIF_F_HW_VLAN_STAG_FILTER)
+
++ /* NETIF_F_GSO_ENCAP_ALL NETIF_F_GSO_SOFTWARE Newly added */
++
+ #define IPVLAN_STATE_MASK \
+ ((1<<__LINK_STATE_NOCARRIER) | (1<<__LINK_STATE_DORMANT))
+
+@@ -117,7 +126,9 @@ static int ipvlan_init(struct net_device
+ dev->state = (dev->state & ~IPVLAN_STATE_MASK) |
+ (phy_dev->state & IPVLAN_STATE_MASK);
+ dev->features = phy_dev->features & IPVLAN_FEATURES;
+- dev->features |= NETIF_F_LLTX;
++ dev->features |= IPVLAN_ALWAYS_ON;
++ dev->vlan_features = phy_dev->vlan_features & IPVLAN_FEATURES;
++ dev->vlan_features |= IPVLAN_ALWAYS_ON_OFLOADS;
+ dev->gso_max_size = phy_dev->gso_max_size;
+ dev->hard_header_len = phy_dev->hard_header_len;
+
+@@ -201,7 +212,14 @@ static netdev_features_t ipvlan_fix_feat
+ {
+ struct ipvl_dev *ipvlan = netdev_priv(dev);
+
+- return features & (ipvlan->sfeatures | ~IPVLAN_FEATURES);
++ features |= NETIF_F_ALL_FOR_ALL;
++ features &= (ipvlan->sfeatures | ~IPVLAN_FEATURES);
++ features = netdev_increment_features(ipvlan->phy_dev->features,
++ features, features);
++
features |= IPVLAN_ALWAYS_ON;
++ features &= (IPVLAN_FEATURES | IPVLAN_ALWAYS_ON);
++
++ return features;
+ }
+
+ static void ipvlan_change_rx_flags(struct net_device *dev, int change)
+@@ -590,9 +608,8 @@ static int ipvlan_device_event(struct no
+
+ case NETDEV_FEAT_CHANGE:
+ list_for_each_entry(ipvlan, &port->ipvlans, pnode) {
+- ipvlan->dev->features = dev->features & IPVLAN_FEATURES;
+ ipvlan->dev->gso_max_size = dev->gso_max_size;
+- netdev_features_change(ipvlan->dev);
++ netdev_update_features(ipvlan->dev);
+ }
+ break;
+
diff --git a/queue-4.4/net-fix-potential-wrong-skb-protocol-in-skb_vlan_untag.patch b/queue-4.4/net-fix-potential-wrong-skb-protocol-in-skb_vlan_untag.patch
new file mode 100644
index 00000000000..5a5e1147113
--- /dev/null
+++ b/queue-4.4/net-fix-potential-wrong-skb-protocol-in-skb_vlan_untag.patch
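Review bot: The added comment `/* NETIF_F_GSO_ENCAP_ALL NETIF_F_GSO_SOFTWARE Newly added */` in ipvlan-fix-device-features.patch sits after IPVLAN_FEATURES, but the two flags it names appear only in IPVLAN_ALWAYS_ON_OFLOADS above, so it reads as if it described the wrong mask. I would move it onto the macro it describes and say what that mask is for, e.g. `/* offloads forced on in ipvlan_init() and ipvlan_fix_features() regardless of the lower device */`; the macro name is also missing an F (`OFLOADS`). Because this is a 4.4 backport, it is worth confirming with a build that NETIF_F_GSO_ENCAP_ALL and NETIF_F_ALL_FOR_ALL are defined in that tree, since nothing on this page shows their definitions.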
@@ -0,0 +1,34 @@
+From foo@baz Wed Aug 26 04:28:25 PM CEST 2020
+From: Miaohe Lin
+Date: Sat, 15 Aug 2020 04:44:31 -0400
+Subject: net: Fix potential wrong skb->protocol in skb_vlan_untag()
+
+From: Miaohe Lin
+
+[ Upstream commit 55eff0eb7460c3d50716ed9eccf22257b046ca92 ]
+
+We may access the two bytes after vlan_hdr in vlan_set_encap_proto(). So
+we should pull VLAN_HLEN + sizeof(unsigned short) in skb_vlan_untag() or
+we may access the wrong data.
+
+Fixes: 0d5501c1c828 ("net: Always untag vlan-tagged traffic on input.")
+Signed-off-by: Miaohe Lin
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/core/skbuff.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/core/skbuff.c
++++ b/net/core/skbuff.c
+@@ -4370,8 +4370,8 @@ struct sk_buff *skb_vlan_untag(struct sk
+ skb = skb_share_check(skb, GFP_ATOMIC);
+ if (unlikely(!skb))
+ goto err_free;
+-
+- if (unlikely(!pskb_may_pull(skb, VLAN_HLEN)))
++ /* We may access the two bytes after vlan_hdr in vlan_set_encap_proto(). */
++ if (unlikely(!pskb_may_pull(skb, VLAN_HLEN + sizeof(unsigned short))))
+ goto err_free;
+
+ vhdr = (struct vlan_hdr *)skb->data;
diff --git a/queue-4.4/series b/queue-4.4/series
new file mode 100644
index 00000000000..c8222a8be8c
--- /dev/null
+++ b/queue-4.4/series
@@ -0,0 +1,5 @@
+net-fix-potential-wrong-skb-protocol-in-skb_vlan_untag.patch
+tipc-fix-uninit-skb-data-in-tipc_nl_compat_dumpit.patch
+ipvlan-fix-device-features.patch
+bonding-show-saner-speed-for-broadcast-mode.patch
+bonding-fix-a-potential-double-unregister.patch
diff --git a/queue-4.4/tipc-fix-uninit-skb-data-in-tipc_nl_compat_dumpit.patch b/queue-4.4/tipc-fix-uninit-skb-data-in-tipc_nl_compat_dumpit.patch
new file mode 100644
index 00000000000..6f2b9737dd3
--- /dev/null
+++ b/queue-4.4/tipc-fix-uninit-skb-data-in-tipc_nl_compat_dumpit.patch
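Review bot: The comment added in skb_vlan_untag() (net-fix-potential-wrong-skb-protocol-in-skb_vlan_untag.patch) says the two bytes after vlan_hdr may be accessed, but not what the larger pull guarantees for them. I would word it as `/* vlan_set_encap_proto() reads the 2 bytes after the VLAN header, so they must be in the linear area as well */` and keep the blank line the patch removes in front of it. A side effect worth recording in the commit text is that a tagged frame with fewer than two bytes after the VLAN header now takes the `err_free` path instead of being untagged. The function continues outside the hunk.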
@@ -0,0 +1,67 @@
+From foo@baz Wed Aug 26 04:28:25 PM CEST 2020
+From: Cong Wang
+Date: Sat, 15 Aug 2020 16:29:15 -0700
+Subject: tipc: fix uninit skb->data in tipc_nl_compat_dumpit()
+
+From: Cong Wang
+
+[ Upstream commit 47733f9daf4fe4f7e0eb9e273f21ad3a19130487 ]
+
+__tipc_nl_compat_dumpit() has two callers, and it expects them to
+pass a valid nlmsghdr via arg->data. This header is artificial and
+crafted just for __tipc_nl_compat_dumpit().
+
+tipc_nl_compat_publ_dump() does so by putting a genlmsghdr as well
+as some nested attribute, TIPC_NLA_SOCK. But the other caller
+tipc_nl_compat_dumpit() does not, this leaves arg->data uninitialized
+on this call path.
+
+Fix this by just adding a similar nlmsghdr without any payload in
+tipc_nl_compat_dumpit().
+
+This bug exists since day 1, but the recent commit 6ea67769ff33
+("net: tipc: prepare attrs in __tipc_nl_compat_dumpit()") makes it
+easier to appear.
+
+Reported-and-tested-by: syzbot+0e7181deafa7e0b79923@syzkaller.appspotmail.com
+Fixes: d0796d1ef63d ("tipc: convert legacy nl bearer dump to nl compat")
+Cc: Jon Maloy
+Cc: Ying Xue
+Cc: Richard Alpe
+Signed-off-by: Cong Wang
+Acked-by: Ying Xue
+Signed-off-by: David S.
Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/tipc/netlink_compat.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+--- a/net/tipc/netlink_compat.c
++++ b/net/tipc/netlink_compat.c
+@@ -250,8 +250,9 @@ err_out:
+ static int tipc_nl_compat_dumpit(struct tipc_nl_compat_cmd_dump *cmd,
+ struct tipc_nl_compat_msg *msg)
+ {
+- int err;
++ struct nlmsghdr *nlh;
+ struct sk_buff *arg;
++ int err;
+
+ if (msg->req_type && (!msg->req_size ||
+ !TLV_CHECK_TYPE(msg->req, msg->req_type)))
+@@ -280,6 +281,15 @@ static int tipc_nl_compat_dumpit(struct
+ return -ENOMEM;
+ }
+
++ nlh = nlmsg_put(arg, 0, 0, tipc_genl_family.id, 0, NLM_F_MULTI);
++ if (!nlh) {
++ kfree_skb(arg);
++ kfree_skb(msg->rep);
++ msg->rep = NULL;
++ return -EMSGSIZE;
++ }
++ nlmsg_end(arg, nlh);
++
+ err = __tipc_nl_compat_dumpit(cmd, msg, arg);
+ if (err) {
+ kfree_skb(msg->rep);
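Review bot: The placeholder header built with nlmsg_put()/nlmsg_end() in tipc_nl_compat_dumpit() has no comment, so the reason for it lives only in the commit message. Since the bug being fixed was a read of uninitialized skb data, I would state the callee's expectation at the call site: `/* __tipc_nl_compat_dumpit() expects a valid nlmsghdr in arg->data; give it an empty one */` above the nlmsg_put() call. The new failure branch also repeats the `kfree_skb(msg->rep)` cleanup that the `if (err)` branch just below starts with; a shared error label would keep the two from drifting, though the rest of that branch lies outside the hunk.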