From: Greg Kroah-Hartman Date: Fri, 8 Mar 2019 06:38:32 +0000 (+0100) Subject: 4.20-stable patches X-Git-Tag: v5.0.1~27 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=84a1316e4359ef608dd8d709f77a239caeae27b4;p=thirdparty%2Fkernel%2Fstable-queue.git 4.20-stable patches added patches: bnxt_en-drop-oversize-tx-packets-to-prevent-errors.patch geneve-correctly-handle-ipv6.disable-module-parameter.patch hv_netvsc-fix-ip-header-checksum-for-coalesced-packets.patch ip6mr-do-not-call-__ip6_inc_stats-from-preemptible-context.patch ipv4-add-icmpv6-support-when-parse-route-ipproto.patch ipv4-pass-original-device-to-ip_rcv_finish_core.patch ipv4-return-error-for-rta_via-attribute.patch ipv6-return-error-for-rta_via-attribute.patch lan743x-fix-tx-stall-issue.patch mpls-return-error-for-rta_gateway-attribute.patch net-add-__icmp_send-helper.patch net-avoid-use-ipcb-in-cipso_v4_error.patch net-dsa-mv88e6xxx-add-call-to-mv88e6xxx_ports_cmode_init-to-probe-for-new-dsa-framework.patch net-dsa-mv88e6xxx-fix-statistics-on-mv88e6161.patch net-dsa-mv88e6xxx-fix-u64-statistics.patch net-dsa-mv88e6xxx-handle-unknown-duplex-modes-gracefully-in-mv88e6xxx_port_set_duplex.patch net-dsa-mv88e6xxx-power-serdes-on-off-for-10g-interfaces-on-6390x.patch net-dsa-mv88e6xxx-prevent-interrupt-storm-caused-by-mv88e6390x_port_set_cmode.patch net-dsa-mv8e6xxx-fix-number-of-internal-phys-for-88e6x90-family.patch net-mscc-enable-all-ports-in-qsgmii.patch net-netem-fix-skb-length-bug_on-in-__skb_to_sgvec.patch net-nfc-fix-null-dereference-on-nfc_llcp_build_tlv-fails.patch net-phy-micrel-ksz8061-link-failure-after-cable-connect.patch net-phy-phylink-fix-uninitialized-variable-in-phylink_get_mac_state.patch net-sched-act_ipt-fix-refcount-leak-when-replace-fails.patch net-sched-act_skbedit-fix-refcount-leak-when-replace-fails.patch net-sched-act_tunnel_key-fix-null-pointer-dereference-during-init.patch net-sched-put-back-q.qlen-into-a-single-location.patch net-sit-fix-memory-leak-in-sit_init_net.patch net-socket-set-sock-sk-to-null-after-calling-proto_ops-release.patch net-sysfs-fix-mem-leak-in-netdev_register_kobject.patch netlabel-fix-out-of-bounds-memory-accesses.patch qmi_wwan-add-support-for-quectel-eg12-em12.patch sctp-call-iov_iter_revert-after-sending-abort.patch sky2-disable-msi-on-dell-inspiron-1545-and-gateway-p-79.patch team-free-bpf-filter-when-unregistering-netdev.patch tipc-fix-race-condition-causing-hung-sendto.patch tipc-fix-rdm-dgram-connect-regression.patch tun-fix-blocking-read.patch tun-remove-unnecessary-memory-barrier.patch xen-netback-don-t-populate-the-hash-cache-on-xenbus-disconnect.patch xen-netback-fix-occasional-leak-of-grant-ref-mappings-under-memory-pressure.patch --- diff --git a/queue-4.20/bnxt_en-drop-oversize-tx-packets-to-prevent-errors.patch b/queue-4.20/bnxt_en-drop-oversize-tx-packets-to-prevent-errors.patch new file mode 100644 index 00000000000..6fb71202d1b --- /dev/null +++ b/queue-4.20/bnxt_en-drop-oversize-tx-packets-to-prevent-errors.patch @@ -0,0 +1,45 @@ +From foo@baz Fri Mar 8 07:37:54 CET 2019 +From: Michael Chan +Date: Wed, 27 Feb 2019 03:58:53 -0500 +Subject: bnxt_en: Drop oversize TX packets to prevent errors. + +From: Michael Chan + +[ Upstream commit 2b3c6885386020b1b9d92d45e8349637e27d1f66 ] + +There have been reports of oversize UDP packets being sent to the +driver to be transmitted, causing error conditions. The issue is +likely caused by the dst of the SKB switching between 'lo' with +64K MTU and the hardware device with a smaller MTU. Patches are +being proposed by Mahesh Bandewar to fix the +issue. + +In the meantime, add a quick length check in the driver to prevent +the error. The driver uses the TX packet size as index to look up an +array to setup the TX BD. The array is large enough to support all MTU +sizes supported by the driver. The oversize TX packet causes the +driver to index beyond the array and put garbage values into the +TX BD. Add a simple check to prevent this. + +Signed-off-by: Michael Chan +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/broadcom/bnxt/bnxt.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +@@ -497,6 +497,12 @@ normal_tx: + } + + length >>= 9; ++ if (unlikely(length >= ARRAY_SIZE(bnxt_lhint_arr))) { ++ dev_warn_ratelimited(&pdev->dev, "Dropped oversize %d bytes TX packet.\n", ++ skb->len); ++ i = 0; ++ goto tx_dma_error; ++ } + flags |= bnxt_lhint_arr[length]; + txbd->tx_bd_len_flags_type = cpu_to_le32(flags); + diff --git a/queue-4.20/geneve-correctly-handle-ipv6.disable-module-parameter.patch b/queue-4.20/geneve-correctly-handle-ipv6.disable-module-parameter.patch new file mode 100644 index 00000000000..451510246c1 --- /dev/null +++ b/queue-4.20/geneve-correctly-handle-ipv6.disable-module-parameter.patch @@ -0,0 +1,56 @@ +From foo@baz Fri Mar 8 07:37:54 CET 2019 +From: Jiri Benc +Date: Thu, 28 Feb 2019 14:56:04 +0100 +Subject: geneve: correctly handle ipv6.disable module parameter + +From: Jiri Benc + +[ Upstream commit cf1c9ccba7308e48a68fa77f476287d9d614e4c7 ] + +When IPv6 is compiled but disabled at runtime, geneve_sock_add returns +-EAFNOSUPPORT. For metadata based tunnels, this causes failure of the whole +operation of bringing up the tunnel. + +Ignore failure of IPv6 socket creation for metadata based tunnels caused by +IPv6 not being available. + +This is the same fix as what commit d074bf960044 ("vxlan: correctly handle +ipv6.disable module parameter") is doing for vxlan. + +Note there's also commit c0a47e44c098 ("geneve: should not call rt6_lookup() +when ipv6 was disabled") which fixes a similar issue but for regular +tunnels, while this patch is needed for metadata based tunnels. + +Signed-off-by: Jiri Benc +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/geneve.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +--- a/drivers/net/geneve.c ++++ b/drivers/net/geneve.c +@@ -637,15 +637,20 @@ out: + static int geneve_open(struct net_device *dev) + { + struct geneve_dev *geneve = netdev_priv(dev); +- bool ipv6 = !!(geneve->info.mode & IP_TUNNEL_INFO_IPV6); + bool metadata = geneve->collect_md; ++ bool ipv4, ipv6; + int ret = 0; + ++ ipv6 = geneve->info.mode & IP_TUNNEL_INFO_IPV6 || metadata; ++ ipv4 = !ipv6 || metadata; + #if IS_ENABLED(CONFIG_IPV6) +- if (ipv6 || metadata) ++ if (ipv6) { + ret = geneve_sock_add(geneve, true); ++ if (ret < 0 && ret != -EAFNOSUPPORT) ++ ipv4 = false; ++ } + #endif +- if (!ret && (!ipv6 || metadata)) ++ if (ipv4) + ret = geneve_sock_add(geneve, false); + if (ret < 0) + geneve_sock_release(geneve); diff --git a/queue-4.20/hv_netvsc-fix-ip-header-checksum-for-coalesced-packets.patch b/queue-4.20/hv_netvsc-fix-ip-header-checksum-for-coalesced-packets.patch new file mode 100644 index 00000000000..c5489a6fd5c --- /dev/null +++ b/queue-4.20/hv_netvsc-fix-ip-header-checksum-for-coalesced-packets.patch @@ -0,0 +1,59 @@ +From foo@baz Fri Mar 8 07:37:54 CET 2019 +From: Haiyang Zhang +Date: Fri, 22 Feb 2019 18:25:03 +0000 +Subject: hv_netvsc: Fix IP header checksum for coalesced packets + +From: Haiyang Zhang + +[ Upstream commit bf48648d650db1146b75b9bd358502431e86cf4f ] + +Incoming packets may have IP header checksum verified by the host. +They may not have IP header checksum computed after coalescing. +This patch re-compute the checksum when necessary, otherwise the +packets may be dropped, because Linux network stack always checks it. + +Signed-off-by: Haiyang Zhang +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/hyperv/netvsc_drv.c | 22 +++++++++++++++++++--- + 1 file changed, 19 insertions(+), 3 deletions(-) + +--- a/drivers/net/hyperv/netvsc_drv.c ++++ b/drivers/net/hyperv/netvsc_drv.c +@@ -744,6 +744,14 @@ void netvsc_linkstatus_callback(struct n + schedule_delayed_work(&ndev_ctx->dwork, 0); + } + ++static void netvsc_comp_ipcsum(struct sk_buff *skb) ++{ ++ struct iphdr *iph = (struct iphdr *)skb->data; ++ ++ iph->check = 0; ++ iph->check = ip_fast_csum(iph, iph->ihl); ++} ++ + static struct sk_buff *netvsc_alloc_recv_skb(struct net_device *net, + struct netvsc_channel *nvchan) + { +@@ -770,9 +778,17 @@ static struct sk_buff *netvsc_alloc_recv + /* skb is already created with CHECKSUM_NONE */ + skb_checksum_none_assert(skb); + +- /* +- * In Linux, the IP checksum is always checked. +- * Do L4 checksum offload if enabled and present. ++ /* Incoming packets may have IP header checksum verified by the host. ++ * They may not have IP header checksum computed after coalescing. ++ * We compute it here if the flags are set, because on Linux, the IP ++ * checksum is always checked. ++ */ ++ if (csum_info && csum_info->receive.ip_checksum_value_invalid && ++ csum_info->receive.ip_checksum_succeeded && ++ skb->protocol == htons(ETH_P_IP)) ++ netvsc_comp_ipcsum(skb); ++ ++ /* Do L4 checksum offload if enabled and present. + */ + if (csum_info && (net->features & NETIF_F_RXCSUM)) { + if (csum_info->receive.tcp_checksum_succeeded || diff --git a/queue-4.20/ip6mr-do-not-call-__ip6_inc_stats-from-preemptible-context.patch b/queue-4.20/ip6mr-do-not-call-__ip6_inc_stats-from-preemptible-context.patch new file mode 100644 index 00000000000..26f93ba9bc5 --- /dev/null +++ b/queue-4.20/ip6mr-do-not-call-__ip6_inc_stats-from-preemptible-context.patch @@ -0,0 +1,67 @@ +From foo@baz Fri Mar 8 07:37:54 CET 2019 +From: Ido Schimmel +Date: Sun, 3 Mar 2019 07:34:57 +0000 +Subject: ip6mr: Do not call __IP6_INC_STATS() from preemptible context + +From: Ido Schimmel + +[ Upstream commit 87c11f1ddbbad38ad8bad47af133a8208985fbdf ] + +Similar to commit 44f49dd8b5a6 ("ipmr: fix possible race resulting from +improper usage of IP_INC_STATS_BH() in preemptible context."), we cannot +assume preemption is disabled when incrementing the counter and +accessing a per-CPU variable. + +Preemption can be enabled when we add a route in process context that +corresponds to packets stored in the unresolved queue, which are then +forwarded using this route [1]. + +Fix this by using IP6_INC_STATS() which takes care of disabling +preemption on architectures where it is needed. + +[1] +[ 157.451447] BUG: using __this_cpu_add() in preemptible [00000000] code: smcrouted/2314 +[ 157.460409] caller is ip6mr_forward2+0x73e/0x10e0 +[ 157.460434] CPU: 3 PID: 2314 Comm: smcrouted Not tainted 5.0.0-rc7-custom-03635-g22f2712113f1 #1336 +[ 157.460449] Hardware name: Mellanox Technologies Ltd. MSN2100-CB2FO/SA001017, BIOS 5.6.5 06/07/2016 +[ 157.460461] Call Trace: +[ 157.460486] dump_stack+0xf9/0x1be +[ 157.460553] check_preemption_disabled+0x1d6/0x200 +[ 157.460576] ip6mr_forward2+0x73e/0x10e0 +[ 157.460705] ip6_mr_forward+0x9a0/0x1510 +[ 157.460771] ip6mr_mfc_add+0x16b3/0x1e00 +[ 157.461155] ip6_mroute_setsockopt+0x3cb/0x13c0 +[ 157.461384] do_ipv6_setsockopt.isra.8+0x348/0x4060 +[ 157.462013] ipv6_setsockopt+0x90/0x110 +[ 157.462036] rawv6_setsockopt+0x4a/0x120 +[ 157.462058] __sys_setsockopt+0x16b/0x340 +[ 157.462198] __x64_sys_setsockopt+0xbf/0x160 +[ 157.462220] do_syscall_64+0x14d/0x610 +[ 157.462349] entry_SYSCALL_64_after_hwframe+0x49/0xbe + +Fixes: 0912ea38de61 ("[IPV6] MROUTE: Add stats in multicast routing module method ip6_mr_forward().") +Signed-off-by: Ido Schimmel +Reported-by: Amit Cohen +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/ip6mr.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/net/ipv6/ip6mr.c ++++ b/net/ipv6/ip6mr.c +@@ -1964,10 +1964,10 @@ int ip6mr_compat_ioctl(struct sock *sk, + + static inline int ip6mr_forward2_finish(struct net *net, struct sock *sk, struct sk_buff *skb) + { +- __IP6_INC_STATS(net, ip6_dst_idev(skb_dst(skb)), +- IPSTATS_MIB_OUTFORWDATAGRAMS); +- __IP6_ADD_STATS(net, ip6_dst_idev(skb_dst(skb)), +- IPSTATS_MIB_OUTOCTETS, skb->len); ++ IP6_INC_STATS(net, ip6_dst_idev(skb_dst(skb)), ++ IPSTATS_MIB_OUTFORWDATAGRAMS); ++ IP6_ADD_STATS(net, ip6_dst_idev(skb_dst(skb)), ++ IPSTATS_MIB_OUTOCTETS, skb->len); + return dst_output(net, sk, skb); + } + diff --git a/queue-4.20/ipv4-add-icmpv6-support-when-parse-route-ipproto.patch b/queue-4.20/ipv4-add-icmpv6-support-when-parse-route-ipproto.patch new file mode 100644 index 00000000000..bef8969d6d6 --- /dev/null +++ b/queue-4.20/ipv4-add-icmpv6-support-when-parse-route-ipproto.patch @@ -0,0 +1,100 @@ +From foo@baz Fri Mar 8 07:37:54 CET 2019 +From: Hangbin Liu +Date: Wed, 27 Feb 2019 16:15:29 +0800 +Subject: ipv4: Add ICMPv6 support when parse route ipproto + +From: Hangbin Liu + +[ Upstream commit 5e1a99eae84999a2536f50a0beaf5d5262337f40 ] + +For ip rules, we need to use 'ipproto ipv6-icmp' to match ICMPv6 headers. +But for ip -6 route, currently we only support tcp, udp and icmp. + +Add ICMPv6 support so we can match ipv6-icmp rules for route lookup. + +v2: As David Ahern and Sabrina Dubroca suggested, Add an argument to +rtm_getroute_parse_ip_proto() to handle ICMP/ICMPv6 with different family. + +Reported-by: Jianlin Shi +Fixes: eacb9384a3fe ("ipv6: support sport, dport and ip_proto in RTM_GETROUTE") +Signed-off-by: Hangbin Liu +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/net/ip.h | 2 +- + net/ipv4/netlink.c | 17 +++++++++++++---- + net/ipv4/route.c | 2 +- + net/ipv6/route.c | 3 ++- + 4 files changed, 17 insertions(+), 7 deletions(-) + +--- a/include/net/ip.h ++++ b/include/net/ip.h +@@ -714,7 +714,7 @@ extern int sysctl_icmp_msgs_burst; + int ip_misc_proc_init(void); + #endif + +-int rtm_getroute_parse_ip_proto(struct nlattr *attr, u8 *ip_proto, ++int rtm_getroute_parse_ip_proto(struct nlattr *attr, u8 *ip_proto, u8 family, + struct netlink_ext_ack *extack); + + #endif /* _IP_H */ +--- a/net/ipv4/netlink.c ++++ b/net/ipv4/netlink.c +@@ -3,9 +3,10 @@ + #include + #include + #include ++#include + #include + +-int rtm_getroute_parse_ip_proto(struct nlattr *attr, u8 *ip_proto, ++int rtm_getroute_parse_ip_proto(struct nlattr *attr, u8 *ip_proto, u8 family, + struct netlink_ext_ack *extack) + { + *ip_proto = nla_get_u8(attr); +@@ -13,11 +14,19 @@ int rtm_getroute_parse_ip_proto(struct n + switch (*ip_proto) { + case IPPROTO_TCP: + case IPPROTO_UDP: ++ return 0; + case IPPROTO_ICMP: ++ if (family != AF_INET) ++ break; ++ return 0; ++#if IS_ENABLED(CONFIG_IPV6) ++ case IPPROTO_ICMPV6: ++ if (family != AF_INET6) ++ break; + return 0; +- default: +- NL_SET_ERR_MSG(extack, "Unsupported ip proto"); +- return -EOPNOTSUPP; ++#endif + } ++ NL_SET_ERR_MSG(extack, "Unsupported ip proto"); ++ return -EOPNOTSUPP; + } + EXPORT_SYMBOL_GPL(rtm_getroute_parse_ip_proto); +--- a/net/ipv4/route.c ++++ b/net/ipv4/route.c +@@ -2803,7 +2803,7 @@ static int inet_rtm_getroute(struct sk_b + + if (tb[RTA_IP_PROTO]) { + err = rtm_getroute_parse_ip_proto(tb[RTA_IP_PROTO], +- &ip_proto, extack); ++ &ip_proto, AF_INET, extack); + if (err) + return err; + } +--- a/net/ipv6/route.c ++++ b/net/ipv6/route.c +@@ -4880,7 +4880,8 @@ static int inet6_rtm_getroute(struct sk_ + + if (tb[RTA_IP_PROTO]) { + err = rtm_getroute_parse_ip_proto(tb[RTA_IP_PROTO], +- &fl6.flowi6_proto, extack); ++ &fl6.flowi6_proto, AF_INET6, ++ extack); + if (err) + goto errout; + } diff --git a/queue-4.20/ipv4-pass-original-device-to-ip_rcv_finish_core.patch b/queue-4.20/ipv4-pass-original-device-to-ip_rcv_finish_core.patch new file mode 100644 index 00000000000..f4bb39aa3b2 --- /dev/null +++ b/queue-4.20/ipv4-pass-original-device-to-ip_rcv_finish_core.patch @@ -0,0 +1,72 @@ +From foo@baz Fri Mar 8 07:37:54 CET 2019 +From: David Ahern +Date: Mon, 25 Feb 2019 13:55:48 -0800 +Subject: ipv4: Pass original device to ip_rcv_finish_core + +From: David Ahern + +[ Upstream commit a1fd1ad2552fad9e649eeb85fd79301e2880a886 ] + +ip_route_input_rcu expects the original ingress device (e.g., for +proper multicast handling). The skb->dev can be changed by l3mdev_ip_rcv, +so dev needs to be saved prior to calling it. This was the behavior prior +to the listify changes. + +Fixes: 5fa12739a53d0 ("net: ipv4: listify ip_rcv_finish") +Cc: Edward Cree +Signed-off-by: David Ahern +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/ip_input.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +--- a/net/ipv4/ip_input.c ++++ b/net/ipv4/ip_input.c +@@ -308,11 +308,10 @@ drop: + } + + static int ip_rcv_finish_core(struct net *net, struct sock *sk, +- struct sk_buff *skb) ++ struct sk_buff *skb, struct net_device *dev) + { + const struct iphdr *iph = ip_hdr(skb); + int (*edemux)(struct sk_buff *skb); +- struct net_device *dev = skb->dev; + struct rtable *rt; + int err; + +@@ -401,6 +400,7 @@ drop_error: + + static int ip_rcv_finish(struct net *net, struct sock *sk, struct sk_buff *skb) + { ++ struct net_device *dev = skb->dev; + int ret; + + /* if ingress device is enslaved to an L3 master device pass the +@@ -410,7 +410,7 @@ static int ip_rcv_finish(struct net *net + if (!skb) + return NET_RX_SUCCESS; + +- ret = ip_rcv_finish_core(net, sk, skb); ++ ret = ip_rcv_finish_core(net, sk, skb, dev); + if (ret != NET_RX_DROP) + ret = dst_input(skb); + return ret; +@@ -546,6 +546,7 @@ static void ip_list_rcv_finish(struct ne + + INIT_LIST_HEAD(&sublist); + list_for_each_entry_safe(skb, next, head, list) { ++ struct net_device *dev = skb->dev; + struct dst_entry *dst; + + skb_list_del_init(skb); +@@ -555,7 +556,7 @@ static void ip_list_rcv_finish(struct ne + skb = l3mdev_ip_rcv(skb); + if (!skb) + continue; +- if (ip_rcv_finish_core(net, sk, skb) == NET_RX_DROP) ++ if (ip_rcv_finish_core(net, sk, skb, dev) == NET_RX_DROP) + continue; + + dst = skb_dst(skb); diff --git a/queue-4.20/ipv4-return-error-for-rta_via-attribute.patch b/queue-4.20/ipv4-return-error-for-rta_via-attribute.patch new file mode 100644 index 00000000000..0d596b27137 --- /dev/null +++ b/queue-4.20/ipv4-return-error-for-rta_via-attribute.patch @@ -0,0 +1,44 @@ +From foo@baz Fri Mar 8 07:37:54 CET 2019 +From: David Ahern +Date: Tue, 26 Feb 2019 09:00:02 -0800 +Subject: ipv4: Return error for RTA_VIA attribute + +From: David Ahern + +[ Upstream commit b6e9e5df4ecf100f6a10ab2ade8e46d47a4b9779 ] + +IPv4 currently does not support nexthops outside of the AF_INET family. +Specifically, it does not handle RTA_VIA attribute. If it is passed +in a route add request, the actual route added only uses the device +which is clearly not what the user intended: + + $ ip ro add 172.16.1.0/24 via inet6 2001:db8:1::1 dev eth0 + $ ip ro ls + ... + 172.16.1.0/24 dev eth0 + +Catch this and fail the route add: + $ ip ro add 172.16.1.0/24 via inet6 2001:db8:1::1 dev eth0 + Error: IPv4 does not support RTA_VIA attribute. + +Fixes: 03c0566542f4c ("mpls: Netlink commands to add, remove, and dump routes") +Signed-off-by: David Ahern +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/fib_frontend.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/net/ipv4/fib_frontend.c ++++ b/net/ipv4/fib_frontend.c +@@ -710,6 +710,10 @@ static int rtm_to_fib_config(struct net + case RTA_GATEWAY: + cfg->fc_gw = nla_get_be32(attr); + break; ++ case RTA_VIA: ++ NL_SET_ERR_MSG(extack, "IPv4 does not support RTA_VIA attribute"); ++ err = -EINVAL; ++ goto errout; + case RTA_PRIORITY: + cfg->fc_priority = nla_get_u32(attr); + break; diff --git a/queue-4.20/ipv6-return-error-for-rta_via-attribute.patch b/queue-4.20/ipv6-return-error-for-rta_via-attribute.patch new file mode 100644 index 00000000000..b57a47b2961 --- /dev/null +++ b/queue-4.20/ipv6-return-error-for-rta_via-attribute.patch @@ -0,0 +1,44 @@ +From foo@baz Fri Mar 8 07:37:54 CET 2019 +From: David Ahern +Date: Tue, 26 Feb 2019 09:00:03 -0800 +Subject: ipv6: Return error for RTA_VIA attribute + +From: David Ahern + +[ Upstream commit e3818541b49fb88650ba339d33cc53e4095da5b3 ] + +IPv6 currently does not support nexthops outside of the AF_INET6 family. +Specifically, it does not handle RTA_VIA attribute. If it is passed +in a route add request, the actual route added only uses the device +which is clearly not what the user intended: + + $ ip -6 ro add 2001:db8:2::/64 via inet 172.16.1.1 dev eth0 + $ ip ro ls + ... + 2001:db8:2::/64 dev eth0 metric 1024 pref medium + +Catch this and fail the route add: + $ ip -6 ro add 2001:db8:2::/64 via inet 172.16.1.1 dev eth0 + Error: IPv6 does not support RTA_VIA attribute. + +Fixes: 03c0566542f4c ("mpls: Netlink commands to add, remove, and dump routes") +Signed-off-by: David Ahern +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/route.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/net/ipv6/route.c ++++ b/net/ipv6/route.c +@@ -4163,6 +4163,10 @@ static int rtm_to_fib6_config(struct sk_ + cfg->fc_gateway = nla_get_in6_addr(tb[RTA_GATEWAY]); + cfg->fc_flags |= RTF_GATEWAY; + } ++ if (tb[RTA_VIA]) { ++ NL_SET_ERR_MSG(extack, "IPv6 does not support RTA_VIA attribute"); ++ goto errout; ++ } + + if (tb[RTA_DST]) { + int plen = (rtm->rtm_dst_len + 7) >> 3; diff --git a/queue-4.20/lan743x-fix-tx-stall-issue.patch b/queue-4.20/lan743x-fix-tx-stall-issue.patch new file mode 100644 index 00000000000..2f0a602c0cf --- /dev/null +++ b/queue-4.20/lan743x-fix-tx-stall-issue.patch @@ -0,0 +1,73 @@ +From foo@baz Fri Mar 8 07:37:54 CET 2019 +From: Bryan Whitehead +Date: Tue, 26 Feb 2019 14:06:26 -0500 +Subject: lan743x: Fix TX Stall Issue + +From: Bryan Whitehead + +[ Upstream commit 90490ef7269906423a1c1b917fc24be8b1602658 ] + +It has been observed that tx queue stalls while downloading +from certain web sites (example www.speedtest.net) + +The cause has been tracked down to a corner case where +dma descriptors where not setup properly. And there for a tx +completion interrupt was not signaled. + +This fix corrects the problem by properly marking the end of +a multi descriptor transmission. + +Fixes: 23f0703c125b ("lan743x: Add main source files for new lan743x driver") +Signed-off-by: Bryan Whitehead +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/microchip/lan743x_main.c | 16 ++++++++++++---- + 1 file changed, 12 insertions(+), 4 deletions(-) + +--- a/drivers/net/ethernet/microchip/lan743x_main.c ++++ b/drivers/net/ethernet/microchip/lan743x_main.c +@@ -1400,7 +1400,8 @@ static int lan743x_tx_frame_start(struct + } + + static void lan743x_tx_frame_add_lso(struct lan743x_tx *tx, +- unsigned int frame_length) ++ unsigned int frame_length, ++ int nr_frags) + { + /* called only from within lan743x_tx_xmit_frame. + * assuming tx->ring_lock has already been acquired. +@@ -1410,6 +1411,10 @@ static void lan743x_tx_frame_add_lso(str + + /* wrap up previous descriptor */ + tx->frame_data0 |= TX_DESC_DATA0_EXT_; ++ if (nr_frags <= 0) { ++ tx->frame_data0 |= TX_DESC_DATA0_LS_; ++ tx->frame_data0 |= TX_DESC_DATA0_IOC_; ++ } + tx_descriptor = &tx->ring_cpu_ptr[tx->frame_tail]; + tx_descriptor->data0 = tx->frame_data0; + +@@ -1514,8 +1519,11 @@ static void lan743x_tx_frame_end(struct + u32 tx_tail_flags = 0; + + /* wrap up previous descriptor */ +- tx->frame_data0 |= TX_DESC_DATA0_LS_; +- tx->frame_data0 |= TX_DESC_DATA0_IOC_; ++ if ((tx->frame_data0 & TX_DESC_DATA0_DTYPE_MASK_) == ++ TX_DESC_DATA0_DTYPE_DATA_) { ++ tx->frame_data0 |= TX_DESC_DATA0_LS_; ++ tx->frame_data0 |= TX_DESC_DATA0_IOC_; ++ } + + tx_descriptor = &tx->ring_cpu_ptr[tx->frame_tail]; + buffer_info = &tx->buffer_info[tx->frame_tail]; +@@ -1600,7 +1608,7 @@ static netdev_tx_t lan743x_tx_xmit_frame + } + + if (gso) +- lan743x_tx_frame_add_lso(tx, frame_length); ++ lan743x_tx_frame_add_lso(tx, frame_length, nr_frags); + + if (nr_frags <= 0) + goto finish; diff --git a/queue-4.20/mpls-return-error-for-rta_gateway-attribute.patch b/queue-4.20/mpls-return-error-for-rta_gateway-attribute.patch new file mode 100644 index 00000000000..156b320039d --- /dev/null +++ b/queue-4.20/mpls-return-error-for-rta_gateway-attribute.patch @@ -0,0 +1,33 @@ +From foo@baz Fri Mar 8 07:37:54 CET 2019 +From: David Ahern +Date: Tue, 26 Feb 2019 09:00:04 -0800 +Subject: mpls: Return error for RTA_GATEWAY attribute + +From: David Ahern + +[ Upstream commit be48220edd48ca0d569782992840488a52373a24 ] + +MPLS does not support nexthops with an MPLS address family. +Specifically, it does not handle RTA_GATEWAY attribute. Make it +clear by returning an error. + +Fixes: 03c0566542f4c ("mpls: Netlink commands to add, remove, and dump routes") +Signed-off-by: David Ahern +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/mpls/af_mpls.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/net/mpls/af_mpls.c ++++ b/net/mpls/af_mpls.c +@@ -1838,6 +1838,9 @@ static int rtm_to_route_config(struct sk + goto errout; + break; + } ++ case RTA_GATEWAY: ++ NL_SET_ERR_MSG(extack, "MPLS does not support RTA_GATEWAY attribute"); ++ goto errout; + case RTA_VIA: + { + if (nla_get_via(nla, &cfg->rc_via_alen, diff --git a/queue-4.20/net-add-__icmp_send-helper.patch b/queue-4.20/net-add-__icmp_send-helper.patch new file mode 100644 index 00000000000..2766100a0f7 --- /dev/null +++ b/queue-4.20/net-add-__icmp_send-helper.patch @@ -0,0 +1,75 @@ +From foo@baz Fri Mar 8 07:37:54 CET 2019 +From: Nazarov Sergey +Date: Mon, 25 Feb 2019 19:24:15 +0300 +Subject: net: Add __icmp_send helper. + +From: Nazarov Sergey + +[ Upstream commit 9ef6b42ad6fd7929dd1b6092cb02014e382c6a91 ] + +Add __icmp_send function having ip_options struct parameter + +Signed-off-by: Sergey Nazarov +Reviewed-by: Paul Moore +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/net/icmp.h | 9 ++++++++- + net/ipv4/icmp.c | 7 ++++--- + 2 files changed, 12 insertions(+), 4 deletions(-) + +--- a/include/net/icmp.h ++++ b/include/net/icmp.h +@@ -22,6 +22,7 @@ + + #include + #include ++#include + + struct icmp_err { + int errno; +@@ -39,7 +40,13 @@ struct net_proto_family; + struct sk_buff; + struct net; + +-void icmp_send(struct sk_buff *skb_in, int type, int code, __be32 info); ++void __icmp_send(struct sk_buff *skb_in, int type, int code, __be32 info, ++ const struct ip_options *opt); ++static inline void icmp_send(struct sk_buff *skb_in, int type, int code, __be32 info) ++{ ++ __icmp_send(skb_in, type, code, info, &IPCB(skb_in)->opt); ++} ++ + int icmp_rcv(struct sk_buff *skb); + void icmp_err(struct sk_buff *skb, u32 info); + int icmp_init(void); +--- a/net/ipv4/icmp.c ++++ b/net/ipv4/icmp.c +@@ -570,7 +570,8 @@ relookup_failed: + * MUST reply to only the first fragment. + */ + +-void icmp_send(struct sk_buff *skb_in, int type, int code, __be32 info) ++void __icmp_send(struct sk_buff *skb_in, int type, int code, __be32 info, ++ const struct ip_options *opt) + { + struct iphdr *iph; + int room; +@@ -691,7 +692,7 @@ void icmp_send(struct sk_buff *skb_in, i + iph->tos; + mark = IP4_REPLY_MARK(net, skb_in->mark); + +- if (ip_options_echo(net, &icmp_param.replyopts.opt.opt, skb_in)) ++ if (__ip_options_echo(net, &icmp_param.replyopts.opt.opt, skb_in, opt)) + goto out_unlock; + + +@@ -742,7 +743,7 @@ out_bh_enable: + local_bh_enable(); + out:; + } +-EXPORT_SYMBOL(icmp_send); ++EXPORT_SYMBOL(__icmp_send); + + + static void icmp_socket_deliver(struct sk_buff *skb, u32 info) diff --git a/queue-4.20/net-avoid-use-ipcb-in-cipso_v4_error.patch b/queue-4.20/net-avoid-use-ipcb-in-cipso_v4_error.patch new file mode 100644 index 00000000000..fec7340c0e9 --- /dev/null +++ b/queue-4.20/net-avoid-use-ipcb-in-cipso_v4_error.patch @@ -0,0 +1,103 @@ +From foo@baz Fri Mar 8 07:37:54 CET 2019 +From: Nazarov Sergey +Date: Mon, 25 Feb 2019 19:27:15 +0300 +Subject: net: avoid use IPCB in cipso_v4_error + +From: Nazarov Sergey + +[ Upstream commit 3da1ed7ac398f34fff1694017a07054d69c5f5c5 ] + +Extract IP options in cipso_v4_error and use __icmp_send. + +Signed-off-by: Sergey Nazarov +Acked-by: Paul Moore +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/net/ip.h | 2 ++ + net/ipv4/cipso_ipv4.c | 17 +++++++++++++++-- + net/ipv4/ip_options.c | 22 +++++++++++++++++----- + 3 files changed, 34 insertions(+), 7 deletions(-) + +--- a/include/net/ip.h ++++ b/include/net/ip.h +@@ -665,6 +665,8 @@ static inline int ip_options_echo(struct + } + + void ip_options_fragment(struct sk_buff *skb); ++int __ip_options_compile(struct net *net, struct ip_options *opt, ++ struct sk_buff *skb, __be32 *info); + int ip_options_compile(struct net *net, struct ip_options *opt, + struct sk_buff *skb); + int ip_options_get(struct net *net, struct ip_options_rcu **optp, +--- a/net/ipv4/cipso_ipv4.c ++++ b/net/ipv4/cipso_ipv4.c +@@ -1736,13 +1736,26 @@ validate_return: + */ + void cipso_v4_error(struct sk_buff *skb, int error, u32 gateway) + { ++ unsigned char optbuf[sizeof(struct ip_options) + 40]; ++ struct ip_options *opt = (struct ip_options *)optbuf; ++ + if (ip_hdr(skb)->protocol == IPPROTO_ICMP || error != -EACCES) + return; + ++ /* ++ * We might be called above the IP layer, ++ * so we can not use icmp_send and IPCB here. ++ */ ++ ++ memset(opt, 0, sizeof(struct ip_options)); ++ opt->optlen = ip_hdr(skb)->ihl*4 - sizeof(struct iphdr); ++ if (__ip_options_compile(dev_net(skb->dev), opt, skb, NULL)) ++ return; ++ + if (gateway) +- icmp_send(skb, ICMP_DEST_UNREACH, ICMP_NET_ANO, 0); ++ __icmp_send(skb, ICMP_DEST_UNREACH, ICMP_NET_ANO, 0, opt); + else +- icmp_send(skb, ICMP_DEST_UNREACH, ICMP_HOST_ANO, 0); ++ __icmp_send(skb, ICMP_DEST_UNREACH, ICMP_HOST_ANO, 0, opt); + } + + /** +--- a/net/ipv4/ip_options.c ++++ b/net/ipv4/ip_options.c +@@ -251,8 +251,9 @@ static void spec_dst_fill(__be32 *spec_d + * If opt == NULL, then skb->data should point to IP header. + */ + +-int ip_options_compile(struct net *net, +- struct ip_options *opt, struct sk_buff *skb) ++int __ip_options_compile(struct net *net, ++ struct ip_options *opt, struct sk_buff *skb, ++ __be32 *info) + { + __be32 spec_dst = htonl(INADDR_ANY); + unsigned char *pp_ptr = NULL; +@@ -468,11 +469,22 @@ eol: + return 0; + + error: +- if (skb) { +- icmp_send(skb, ICMP_PARAMETERPROB, 0, htonl((pp_ptr-iph)<<24)); +- } ++ if (info) ++ *info = htonl((pp_ptr-iph)<<24); + return -EINVAL; + } ++ ++int ip_options_compile(struct net *net, ++ struct ip_options *opt, struct sk_buff *skb) ++{ ++ int ret; ++ __be32 info; ++ ++ ret = __ip_options_compile(net, opt, skb, &info); ++ if (ret != 0 && skb) ++ icmp_send(skb, ICMP_PARAMETERPROB, 0, info); ++ return ret; ++} + EXPORT_SYMBOL(ip_options_compile); + + /* diff --git a/queue-4.20/net-dsa-mv88e6xxx-add-call-to-mv88e6xxx_ports_cmode_init-to-probe-for-new-dsa-framework.patch b/queue-4.20/net-dsa-mv88e6xxx-add-call-to-mv88e6xxx_ports_cmode_init-to-probe-for-new-dsa-framework.patch new file mode 100644 index 00000000000..f95e57de9fb --- /dev/null +++ b/queue-4.20/net-dsa-mv88e6xxx-add-call-to-mv88e6xxx_ports_cmode_init-to-probe-for-new-dsa-framework.patch @@ -0,0 +1,33 @@ +From foo@baz Fri Mar 8 07:37:54 CET 2019 +From: Heiner Kallweit +Date: Mon, 4 Mar 2019 19:39:03 +0100 +Subject: net: dsa: mv88e6xxx: add call to mv88e6xxx_ports_cmode_init to probe for new DSA framework + +From: Heiner Kallweit + +[ Upstream commit 3acca1dd17060332cfab15693733cdaf9fba1c90 ] + +In the original patch I missed to add mv88e6xxx_ports_cmode_init() +to the second probe function, the one for the new DSA framework. + +Fixes: ed8fe20205ac ("net: dsa: mv88e6xxx: prevent interrupt storm caused by mv88e6390x_port_set_cmode") +Reported-by: Shaokun Zhang +Suggested-by: Andrew Lunn +Signed-off-by: Heiner Kallweit +Reviewed-by: Andrew Lunn +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/dsa/mv88e6xxx/chip.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/dsa/mv88e6xxx/chip.c ++++ b/drivers/net/dsa/mv88e6xxx/chip.c +@@ -4821,6 +4821,7 @@ static int mv88e6xxx_probe(struct mdio_d + if (err) + goto out; + ++ mv88e6xxx_ports_cmode_init(chip); + mv88e6xxx_phy_init(chip); + + if (chip->info->ops->get_eeprom) { diff --git a/queue-4.20/net-dsa-mv88e6xxx-fix-statistics-on-mv88e6161.patch b/queue-4.20/net-dsa-mv88e6xxx-fix-statistics-on-mv88e6161.patch new file mode 100644 index 00000000000..18de359d136 --- /dev/null +++ b/queue-4.20/net-dsa-mv88e6xxx-fix-statistics-on-mv88e6161.patch @@ -0,0 +1,33 @@ +From foo@baz Fri Mar 8 07:37:54 CET 2019 +From: Andrew Lunn +Date: Fri, 1 Mar 2019 23:43:39 +0100 +Subject: net: dsa: mv88e6xxx: Fix statistics on mv88e6161 + +From: Andrew Lunn + +[ Upstream commit a6da21bb0eae459a375d5bd48baed821d14301d0 ] + +Despite what the datesheet says, the silicon implements the older way +of snapshoting the statistics. Change the op. + +Reported-by: Chris.Healy@zii.aero +Tested-by: Chris.Healy@zii.aero +Fixes: 0ac64c394900 ("net: dsa: mv88e6xxx: mv88e6161 uses mv88e6320 stats snapshot") +Signed-off-by: Andrew Lunn +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/dsa/mv88e6xxx/chip.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/dsa/mv88e6xxx/chip.c ++++ b/drivers/net/dsa/mv88e6xxx/chip.c +@@ -3082,7 +3082,7 @@ static const struct mv88e6xxx_ops mv88e6 + .port_disable_pri_override = mv88e6xxx_port_disable_pri_override, + .port_link_state = mv88e6352_port_link_state, + .port_get_cmode = mv88e6185_port_get_cmode, +- .stats_snapshot = mv88e6320_g1_stats_snapshot, ++ .stats_snapshot = mv88e6xxx_g1_stats_snapshot, + .stats_set_histogram = mv88e6095_g1_stats_set_histogram, + .stats_get_sset_count = mv88e6095_stats_get_sset_count, + .stats_get_strings = mv88e6095_stats_get_strings, diff --git a/queue-4.20/net-dsa-mv88e6xxx-fix-u64-statistics.patch b/queue-4.20/net-dsa-mv88e6xxx-fix-u64-statistics.patch new file mode 100644 index 00000000000..06373ea2ab2 --- /dev/null +++ b/queue-4.20/net-dsa-mv88e6xxx-fix-u64-statistics.patch @@ -0,0 +1,33 @@ +From foo@baz Fri Mar 8 07:37:54 CET 2019 +From: Andrew Lunn +Date: Thu, 28 Feb 2019 18:14:03 +0100 +Subject: net: dsa: mv88e6xxx: Fix u64 statistics + +From: Andrew Lunn + +[ Upstream commit 6e46e2d821bb22b285ae8187959096b65d063b0d ] + +The switch maintains u64 counters for the number of octets sent and +received. These are kept as two u32's which need to be combined. Fix +the combing, which wrongly worked on u16's. + +Fixes: 80c4627b2719 ("dsa: mv88x6xxx: Refactor getting a single statistic") +Reported-by: Chris Healy +Signed-off-by: Andrew Lunn +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/dsa/mv88e6xxx/chip.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/dsa/mv88e6xxx/chip.c ++++ b/drivers/net/dsa/mv88e6xxx/chip.c +@@ -896,7 +896,7 @@ static uint64_t _mv88e6xxx_get_ethtool_s + default: + return U64_MAX; + } +- value = (((u64)high) << 16) | low; ++ value = (((u64)high) << 32) | low; + return value; + } + diff --git a/queue-4.20/net-dsa-mv88e6xxx-handle-unknown-duplex-modes-gracefully-in-mv88e6xxx_port_set_duplex.patch b/queue-4.20/net-dsa-mv88e6xxx-handle-unknown-duplex-modes-gracefully-in-mv88e6xxx_port_set_duplex.patch new file mode 100644 index 00000000000..8e04ac84626 --- /dev/null +++ b/queue-4.20/net-dsa-mv88e6xxx-handle-unknown-duplex-modes-gracefully-in-mv88e6xxx_port_set_duplex.patch @@ -0,0 +1,35 @@ +From foo@baz Fri Mar 8 07:37:54 CET 2019 +From: Heiner Kallweit +Date: Fri, 1 Mar 2019 19:53:57 +0100 +Subject: net: dsa: mv88e6xxx: handle unknown duplex modes gracefully in mv88e6xxx_port_set_duplex + +From: Heiner Kallweit + +[ Upstream commit c6195a8bdfc62a7cecf7df685e64847a4b700275 ] + +When testing another issue I faced the problem that +mv88e6xxx_port_setup_mac() failed due to DUPLEX_UNKNOWN being passed +as argument to mv88e6xxx_port_set_duplex(). We should handle this case +gracefully and return -EOPNOTSUPP, like e.g. mv88e6xxx_port_set_speed() +is doing it. + +Fixes: 7f1ae07b51e8 ("net: dsa: mv88e6xxx: add port duplex setter") +Signed-off-by: Heiner Kallweit +Reviewed-by: Andrew Lunn +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/dsa/mv88e6xxx/port.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/dsa/mv88e6xxx/port.c ++++ b/drivers/net/dsa/mv88e6xxx/port.c +@@ -190,7 +190,7 @@ int mv88e6xxx_port_set_duplex(struct mv8 + /* normal duplex detection */ + break; + default: +- return -EINVAL; ++ return -EOPNOTSUPP; + } + + err = mv88e6xxx_port_write(chip, port, MV88E6XXX_PORT_MAC_CTL, reg); diff --git a/queue-4.20/net-dsa-mv88e6xxx-power-serdes-on-off-for-10g-interfaces-on-6390x.patch b/queue-4.20/net-dsa-mv88e6xxx-power-serdes-on-off-for-10g-interfaces-on-6390x.patch new file mode 100644 index 00000000000..7d4fc67c677 --- /dev/null +++ b/queue-4.20/net-dsa-mv88e6xxx-power-serdes-on-off-for-10g-interfaces-on-6390x.patch @@ -0,0 +1,56 @@ +From foo@baz Fri Mar 8 07:37:54 CET 2019 +From: Maxime Chevallier +Date: Thu, 28 Feb 2019 22:14:33 +0100 +Subject: net: dsa: mv88e6xxx: power serdes on/off for 10G interfaces on 6390X + +From: Maxime Chevallier + +[ Upstream commit d235c48b40d399328585a68f3f9bf7cc3062d586 ] + +Upon setting the cmode on 6390 and 6390X, the associated serdes +interfaces must be powered off/on. + +Both 6390X and 6390 share code to do so, but it currently uses the 6390 +specific helper mv88e6390_serdes_power() to disable and enable the +serdes interface. + +This call will fail silently on 6390X when trying so set a 10G interface +such as XAUI or RXAUI, since mv88e6390_serdes_power() internally grabs +the lane number based on modes supported by the 6390, and returns 0 when +getting -ENODEV as a lane number. + +Using mv88e6390x_serdes_power() should be safe here, since we explicitly +rule-out all ports but the 9 and 10, and because modes supported by 6390 +ports 9 and 10 are a subset of those supported on 6390X. + +This was tested on 6390X using RXAUI mode. + +Fixes: 364e9d7776a3 ("net: dsa: mv88e6xxx: Power on/off SERDES on cmode change") +Signed-off-by: Maxime Chevallier +Reviewed-by: Andrew Lunn +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/dsa/mv88e6xxx/port.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/net/dsa/mv88e6xxx/port.c ++++ b/drivers/net/dsa/mv88e6xxx/port.c +@@ -405,7 +405,7 @@ int mv88e6390x_port_set_cmode(struct mv8 + return err; + } + +- err = mv88e6390_serdes_power(chip, port, false); ++ err = mv88e6390x_serdes_power(chip, port, false); + if (err) + return err; + +@@ -421,7 +421,7 @@ int mv88e6390x_port_set_cmode(struct mv8 + if (err) + return err; + +- err = mv88e6390_serdes_power(chip, port, true); ++ err = mv88e6390x_serdes_power(chip, port, true); + if (err) + return err; + diff --git a/queue-4.20/net-dsa-mv88e6xxx-prevent-interrupt-storm-caused-by-mv88e6390x_port_set_cmode.patch b/queue-4.20/net-dsa-mv88e6xxx-prevent-interrupt-storm-caused-by-mv88e6390x_port_set_cmode.patch new file mode 100644 index 00000000000..9d728b0c588 --- /dev/null +++ b/queue-4.20/net-dsa-mv88e6xxx-prevent-interrupt-storm-caused-by-mv88e6390x_port_set_cmode.patch @@ -0,0 +1,86 @@ +From foo@baz Fri Mar 8 07:37:54 CET 2019 +From: Heiner Kallweit +Date: Thu, 28 Feb 2019 07:39:15 +0100 +Subject: net: dsa: mv88e6xxx: prevent interrupt storm caused by mv88e6390x_port_set_cmode + +From: Heiner Kallweit + +[ Upstream commit ed8fe20205ac054bf585156709de3913d1890f30 ] + +When debugging another issue I faced an interrupt storm in this +driver (88E6390, port 9 in SGMII mode), consisting of alternating +link-up / link-down interrupts. Analysis showed that the driver +wanted to set a cmode that was set already. But so far +mv88e6390x_port_set_cmode() doesn't check this and powers down +SERDES, what causes the link to break, and eventually results in +the described interrupt storm. + +Fix this by checking whether the cmode actually changes. We want +that the very first call to mv88e6390x_port_set_cmode() always +configures the registers, therefore initialize port.cmode with +a value that is different from any supported cmode value. +We have to take care that we only init the ports cmode once +chip->info->num_ports is set. + +v2: +- add small helper and init the number of actual ports only + +Fixes: 364e9d7776a3 ("net: dsa: mv88e6xxx: Power on/off SERDES on cmode change") +Signed-off-by: Heiner Kallweit +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/dsa/mv88e6xxx/chip.c | 10 ++++++++++ + drivers/net/dsa/mv88e6xxx/port.c | 4 ++++ + drivers/net/dsa/mv88e6xxx/port.h | 1 + + 3 files changed, 15 insertions(+) + +--- a/drivers/net/dsa/mv88e6xxx/chip.c ++++ b/drivers/net/dsa/mv88e6xxx/chip.c +@@ -4579,6 +4579,14 @@ static int mv88e6xxx_smi_init(struct mv8 + return 0; + } + ++static void mv88e6xxx_ports_cmode_init(struct mv88e6xxx_chip *chip) ++{ ++ int i; ++ ++ for (i = 0; i < mv88e6xxx_num_ports(chip); i++) ++ chip->ports[i].cmode = MV88E6XXX_PORT_STS_CMODE_INVALID; ++} ++ + static enum dsa_tag_protocol mv88e6xxx_get_tag_protocol(struct dsa_switch *ds, + int port) + { +@@ -4615,6 +4623,8 @@ static const char *mv88e6xxx_drv_probe(s + if (err) + goto free; + ++ mv88e6xxx_ports_cmode_init(chip); ++ + mutex_lock(&chip->reg_lock); + err = mv88e6xxx_switch_reset(chip); + mutex_unlock(&chip->reg_lock); +--- a/drivers/net/dsa/mv88e6xxx/port.c ++++ b/drivers/net/dsa/mv88e6xxx/port.c +@@ -395,6 +395,10 @@ int mv88e6390x_port_set_cmode(struct mv8 + cmode = 0; + } + ++ /* cmode doesn't change, nothing to do for us */ ++ if (cmode == chip->ports[port].cmode) ++ return 0; ++ + lane = mv88e6390x_serdes_get_lane(chip, port); + if (lane < 0) + return lane; +--- a/drivers/net/dsa/mv88e6xxx/port.h ++++ b/drivers/net/dsa/mv88e6xxx/port.h +@@ -52,6 +52,7 @@ + #define MV88E6185_PORT_STS_CMODE_1000BASE_X 0x0005 + #define MV88E6185_PORT_STS_CMODE_PHY 0x0006 + #define MV88E6185_PORT_STS_CMODE_DISABLED 0x0007 ++#define MV88E6XXX_PORT_STS_CMODE_INVALID 0xff + + /* Offset 0x01: MAC (or PCS or Physical) Control Register */ + #define MV88E6XXX_PORT_MAC_CTL 0x01 diff --git a/queue-4.20/net-dsa-mv8e6xxx-fix-number-of-internal-phys-for-88e6x90-family.patch b/queue-4.20/net-dsa-mv8e6xxx-fix-number-of-internal-phys-for-88e6x90-family.patch new file mode 100644 index 00000000000..057350bb766 --- /dev/null +++ b/queue-4.20/net-dsa-mv8e6xxx-fix-number-of-internal-phys-for-88e6x90-family.patch @@ -0,0 +1,80 @@ +From foo@baz Fri Mar 8 07:37:54 CET 2019 +From: Heiner Kallweit +Date: Sat, 2 Mar 2019 10:06:05 +0100 +Subject: net: dsa: mv8e6xxx: fix number of internal PHYs for 88E6x90 family + +From: Heiner Kallweit + +[ Upstream commit 95150f29ae480276e76368cdf8a9524b5a96c0ca ] + +Ports 9 and 10 don't have internal PHY's but are (dependent on the +version) SERDES/SGMII/XAUI/RXAUI ports. + +v2: +- fix it for all 88E6x90 family members + +Fixes: bc3931557d1d ("net: dsa: mv88e6xxx: Add number of internal PHYs") +Signed-off-by: Heiner Kallweit +Reviewed-by: Andrew Lunn +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/dsa/mv88e6xxx/chip.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +--- a/drivers/net/dsa/mv88e6xxx/chip.c ++++ b/drivers/net/dsa/mv88e6xxx/chip.c +@@ -4206,7 +4206,7 @@ static const struct mv88e6xxx_info mv88e + .name = "Marvell 88E6190", + .num_databases = 4096, + .num_ports = 11, /* 10 + Z80 */ +- .num_internal_phys = 11, ++ .num_internal_phys = 9, + .num_gpio = 16, + .max_vid = 8191, + .port_base_addr = 0x0, +@@ -4229,7 +4229,7 @@ static const struct mv88e6xxx_info mv88e + .name = "Marvell 88E6190X", + .num_databases = 4096, + .num_ports = 11, /* 10 + Z80 */ +- .num_internal_phys = 11, ++ .num_internal_phys = 9, + .num_gpio = 16, + .max_vid = 8191, + .port_base_addr = 0x0, +@@ -4252,7 +4252,7 @@ static const struct mv88e6xxx_info mv88e + .name = "Marvell 88E6191", + .num_databases = 4096, + .num_ports = 11, /* 10 + Z80 */ +- .num_internal_phys = 11, ++ .num_internal_phys = 9, + .max_vid = 8191, + .port_base_addr = 0x0, + .phy_base_addr = 0x0, +@@ -4299,7 +4299,7 @@ static const struct mv88e6xxx_info mv88e + .name = "Marvell 88E6290", + .num_databases = 4096, + .num_ports = 11, /* 10 + Z80 */ +- .num_internal_phys = 11, ++ .num_internal_phys = 9, + .num_gpio = 16, + .max_vid = 8191, + .port_base_addr = 0x0, +@@ -4461,7 +4461,7 @@ static const struct mv88e6xxx_info mv88e + .name = "Marvell 88E6390", + .num_databases = 4096, + .num_ports = 11, /* 10 + Z80 */ +- .num_internal_phys = 11, ++ .num_internal_phys = 9, + .num_gpio = 16, + .max_vid = 8191, + .port_base_addr = 0x0, +@@ -4484,7 +4484,7 @@ static const struct mv88e6xxx_info mv88e + .name = "Marvell 88E6390X", + .num_databases = 4096, + .num_ports = 11, /* 10 + Z80 */ +- .num_internal_phys = 11, ++ .num_internal_phys = 9, + .num_gpio = 16, + .max_vid = 8191, + .port_base_addr = 0x0, diff --git a/queue-4.20/net-mscc-enable-all-ports-in-qsgmii.patch b/queue-4.20/net-mscc-enable-all-ports-in-qsgmii.patch new file mode 100644 index 00000000000..e74180bcce4 --- /dev/null +++ b/queue-4.20/net-mscc-enable-all-ports-in-qsgmii.patch @@ -0,0 +1,62 @@ +From foo@baz Fri Mar 8 07:37:54 CET 2019 +From: Kavya Sree Kotagiri +Date: Thu, 28 Feb 2019 07:32:22 +0000 +Subject: net: mscc: Enable all ports in QSGMII + +From: Kavya Sree Kotagiri + +[ Upstream commit 084e5bb16bd7dc2b551bbd9fb358bf73e03ee8d8 ] + +When Ocelot phy-mode is QSGMII, all 4 ports involved in +QSGMII shall be kept out of reset and +Tx lanes shall be enabled to pass the data. + +Fixes: a556c76adc05 ("net: mscc: Add initial Ocelot switch support") +Signed-off-by: Kavya Sree Kotagiri +Signed-off-by: Steen Hegelund +Co-developed-by: Steen Hegelund +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mscc/ocelot_board.c | 14 +++++++++++--- + 1 file changed, 11 insertions(+), 3 deletions(-) + +--- a/drivers/net/ethernet/mscc/ocelot_board.c ++++ b/drivers/net/ethernet/mscc/ocelot_board.c +@@ -266,6 +266,7 @@ static int mscc_ocelot_probe(struct plat + struct phy *serdes; + void __iomem *regs; + char res_name[8]; ++ int phy_mode; + u32 port; + + if (of_property_read_u32(portnp, "reg", &port)) +@@ -291,11 +292,11 @@ static int mscc_ocelot_probe(struct plat + if (err) + return err; + +- err = of_get_phy_mode(portnp); +- if (err < 0) ++ phy_mode = of_get_phy_mode(portnp); ++ if (phy_mode < 0) + ocelot->ports[port]->phy_mode = PHY_INTERFACE_MODE_NA; + else +- ocelot->ports[port]->phy_mode = err; ++ ocelot->ports[port]->phy_mode = phy_mode; + + switch (ocelot->ports[port]->phy_mode) { + case PHY_INTERFACE_MODE_NA: +@@ -303,6 +304,13 @@ static int mscc_ocelot_probe(struct plat + case PHY_INTERFACE_MODE_SGMII: + break; + case PHY_INTERFACE_MODE_QSGMII: ++ /* Ensure clock signals and speed is set on all ++ * QSGMII links ++ */ ++ ocelot_port_writel(ocelot->ports[port], ++ DEV_CLOCK_CFG_LINK_SPEED ++ (OCELOT_SPEED_1000), ++ DEV_CLOCK_CFG); + break; + default: + dev_err(ocelot->dev, diff --git a/queue-4.20/net-netem-fix-skb-length-bug_on-in-__skb_to_sgvec.patch b/queue-4.20/net-netem-fix-skb-length-bug_on-in-__skb_to_sgvec.patch new file mode 100644 index 00000000000..212c72cf702 --- /dev/null +++ b/queue-4.20/net-netem-fix-skb-length-bug_on-in-__skb_to_sgvec.patch @@ -0,0 +1,108 @@ +From foo@baz Fri Mar 8 07:37:54 CET 2019 +From: Sheng Lan +Date: Thu, 28 Feb 2019 18:47:58 +0800 +Subject: net: netem: fix skb length BUG_ON in __skb_to_sgvec + +From: Sheng Lan + +[ Upstream commit 5845f706388a4cde0f6b80f9e5d33527e942b7d9 ] + +It can be reproduced by following steps: +1. virtio_net NIC is configured with gso/tso on +2. configure nginx as http server with an index file bigger than 1M bytes +3. use tc netem to produce duplicate packets and delay: + tc qdisc add dev eth0 root netem delay 100ms 10ms 30% duplicate 90% +4. continually curl the nginx http server to get index file on client +5. BUG_ON is seen quickly + +[10258690.371129] kernel BUG at net/core/skbuff.c:4028! +[10258690.371748] invalid opcode: 0000 [#1] SMP PTI +[10258690.372094] CPU: 5 PID: 0 Comm: swapper/5 Tainted: G W 5.0.0-rc6 #2 +[10258690.372094] RSP: 0018:ffffa05797b43da0 EFLAGS: 00010202 +[10258690.372094] RBP: 00000000000005ea R08: 0000000000000000 R09: 00000000000005ea +[10258690.372094] R10: ffffa0579334d800 R11: 00000000000002c0 R12: 0000000000000002 +[10258690.372094] R13: 0000000000000000 R14: ffffa05793122900 R15: ffffa0578f7cb028 +[10258690.372094] FS: 0000000000000000(0000) GS:ffffa05797b40000(0000) knlGS:0000000000000000 +[10258690.372094] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[10258690.372094] CR2: 00007f1a6dc00868 CR3: 000000001000e000 CR4: 00000000000006e0 +[10258690.372094] Call Trace: +[10258690.372094] +[10258690.372094] skb_to_sgvec+0x11/0x40 +[10258690.372094] start_xmit+0x38c/0x520 [virtio_net] +[10258690.372094] dev_hard_start_xmit+0x9b/0x200 +[10258690.372094] sch_direct_xmit+0xff/0x260 +[10258690.372094] __qdisc_run+0x15e/0x4e0 +[10258690.372094] net_tx_action+0x137/0x210 +[10258690.372094] __do_softirq+0xd6/0x2a9 +[10258690.372094] irq_exit+0xde/0xf0 +[10258690.372094] smp_apic_timer_interrupt+0x74/0x140 +[10258690.372094] apic_timer_interrupt+0xf/0x20 +[10258690.372094] + +In __skb_to_sgvec(), the skb->len is not equal to the sum of the skb's +linear data size and nonlinear data size, thus BUG_ON triggered. +Because the skb is cloned and a part of nonlinear data is split off. + +Duplicate packet is cloned in netem_enqueue() and may be delayed +some time in qdisc. When qdisc len reached the limit and returns +NET_XMIT_DROP, the skb will be retransmit later in write queue. +the skb will be fragmented by tso_fragment(), the limit size +that depends on cwnd and mss decrease, the skb's nonlinear +data will be split off. The length of the skb cloned by netem +will not be updated. When we use virtio_net NIC and invoke skb_to_sgvec(), +the BUG_ON trigger. + +To fix it, netem returns NET_XMIT_SUCCESS to upper stack +when it clones a duplicate packet. + +Fixes: 35d889d1 ("sch_netem: fix skb leak in netem_enqueue()") +Signed-off-by: Sheng Lan +Reported-by: Qin Ji +Suggested-by: Eric Dumazet +Signed-off-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/sched/sch_netem.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +--- a/net/sched/sch_netem.c ++++ b/net/sched/sch_netem.c +@@ -430,6 +430,7 @@ static int netem_enqueue(struct sk_buff + int nb = 0; + int count = 1; + int rc = NET_XMIT_SUCCESS; ++ int rc_drop = NET_XMIT_DROP; + + /* Do not fool qdisc_drop_all() */ + skb->prev = NULL; +@@ -469,6 +470,7 @@ static int netem_enqueue(struct sk_buff + q->duplicate = 0; + rootq->enqueue(skb2, rootq, to_free); + q->duplicate = dupsave; ++ rc_drop = NET_XMIT_SUCCESS; + } + + /* +@@ -481,7 +483,7 @@ static int netem_enqueue(struct sk_buff + if (skb_is_gso(skb)) { + segs = netem_segment(skb, sch, to_free); + if (!segs) +- return NET_XMIT_DROP; ++ return rc_drop; + } else { + segs = skb; + } +@@ -504,8 +506,10 @@ static int netem_enqueue(struct sk_buff + 1<<(prandom_u32() % 8); + } + +- if (unlikely(sch->q.qlen >= sch->limit)) +- return qdisc_drop_all(skb, sch, to_free); ++ if (unlikely(sch->q.qlen >= sch->limit)) { ++ qdisc_drop_all(skb, sch, to_free); ++ return rc_drop; ++ } + + qdisc_qstats_backlog_inc(sch, skb); + diff --git a/queue-4.20/net-nfc-fix-null-dereference-on-nfc_llcp_build_tlv-fails.patch b/queue-4.20/net-nfc-fix-null-dereference-on-nfc_llcp_build_tlv-fails.patch new file mode 100644 index 00000000000..fc3956ce31a --- /dev/null +++ b/queue-4.20/net-nfc-fix-null-dereference-on-nfc_llcp_build_tlv-fails.patch @@ -0,0 +1,156 @@ +From foo@baz Fri Mar 8 07:37:54 CET 2019 +From: YueHaibing +Date: Fri, 22 Feb 2019 15:37:58 +0800 +Subject: net: nfc: Fix NULL dereference on nfc_llcp_build_tlv fails + +From: YueHaibing + +[ Upstream commit 58bdd544e2933a21a51eecf17c3f5f94038261b5 ] + +KASAN report this: + +BUG: KASAN: null-ptr-deref in nfc_llcp_build_gb+0x37f/0x540 [nfc] +Read of size 3 at addr 0000000000000000 by task syz-executor.0/5401 + +CPU: 0 PID: 5401 Comm: syz-executor.0 Not tainted 5.0.0-rc7+ #45 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014 +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0xfa/0x1ce lib/dump_stack.c:113 + kasan_report+0x171/0x18d mm/kasan/report.c:321 + memcpy+0x1f/0x50 mm/kasan/common.c:130 + nfc_llcp_build_gb+0x37f/0x540 [nfc] + nfc_llcp_register_device+0x6eb/0xb50 [nfc] + nfc_register_device+0x50/0x1d0 [nfc] + nfcsim_device_new+0x394/0x67d [nfcsim] + ? 0xffffffffc1080000 + nfcsim_init+0x6b/0x1000 [nfcsim] + do_one_initcall+0xfa/0x5ca init/main.c:887 + do_init_module+0x204/0x5f6 kernel/module.c:3460 + load_module+0x66b2/0x8570 kernel/module.c:3808 + __do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902 + do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290 + entry_SYSCALL_64_after_hwframe+0x49/0xbe +RIP: 0033:0x462e99 +Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007f9cb79dcc58 EFLAGS: 00000246 ORIG_RAX: 0000000000000139 +RAX: ffffffffffffffda RBX: 000000000073bf00 RCX: 0000000000462e99 +RDX: 0000000000000000 RSI: 0000000020000280 RDI: 0000000000000003 +RBP: 00007f9cb79dcc70 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 00007f9cb79dd6bc +R13: 00000000004bcefb R14: 00000000006f7030 R15: 0000000000000004 + +nfc_llcp_build_tlv will return NULL on fails, caller should check it, +otherwise will trigger a NULL dereference. + +Reported-by: Hulk Robot +Fixes: eda21f16a5ed ("NFC: Set MIU and RW values from CONNECT and CC LLCP frames") +Fixes: d646960f7986 ("NFC: Initial LLCP support") +Signed-off-by: YueHaibing +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/nfc/llcp_commands.c | 20 ++++++++++++++++++++ + net/nfc/llcp_core.c | 24 ++++++++++++++++++++---- + 2 files changed, 40 insertions(+), 4 deletions(-) + +--- a/net/nfc/llcp_commands.c ++++ b/net/nfc/llcp_commands.c +@@ -419,6 +419,10 @@ int nfc_llcp_send_connect(struct nfc_llc + sock->service_name, + sock->service_name_len, + &service_name_tlv_length); ++ if (!service_name_tlv) { ++ err = -ENOMEM; ++ goto error_tlv; ++ } + size += service_name_tlv_length; + } + +@@ -429,9 +433,17 @@ int nfc_llcp_send_connect(struct nfc_llc + + miux_tlv = nfc_llcp_build_tlv(LLCP_TLV_MIUX, (u8 *)&miux, 0, + &miux_tlv_length); ++ if (!miux_tlv) { ++ err = -ENOMEM; ++ goto error_tlv; ++ } + size += miux_tlv_length; + + rw_tlv = nfc_llcp_build_tlv(LLCP_TLV_RW, &rw, 0, &rw_tlv_length); ++ if (!rw_tlv) { ++ err = -ENOMEM; ++ goto error_tlv; ++ } + size += rw_tlv_length; + + pr_debug("SKB size %d SN length %zu\n", size, sock->service_name_len); +@@ -484,9 +496,17 @@ int nfc_llcp_send_cc(struct nfc_llcp_soc + + miux_tlv = nfc_llcp_build_tlv(LLCP_TLV_MIUX, (u8 *)&miux, 0, + &miux_tlv_length); ++ if (!miux_tlv) { ++ err = -ENOMEM; ++ goto error_tlv; ++ } + size += miux_tlv_length; + + rw_tlv = nfc_llcp_build_tlv(LLCP_TLV_RW, &rw, 0, &rw_tlv_length); ++ if (!rw_tlv) { ++ err = -ENOMEM; ++ goto error_tlv; ++ } + size += rw_tlv_length; + + skb = llcp_allocate_pdu(sock, LLCP_PDU_CC, size); +--- a/net/nfc/llcp_core.c ++++ b/net/nfc/llcp_core.c +@@ -532,10 +532,10 @@ static u8 nfc_llcp_reserve_sdp_ssap(stru + + static int nfc_llcp_build_gb(struct nfc_llcp_local *local) + { +- u8 *gb_cur, *version_tlv, version, version_length; +- u8 *lto_tlv, lto_length; +- u8 *wks_tlv, wks_length; +- u8 *miux_tlv, miux_length; ++ u8 *gb_cur, version, version_length; ++ u8 lto_length, wks_length, miux_length; ++ u8 *version_tlv = NULL, *lto_tlv = NULL, ++ *wks_tlv = NULL, *miux_tlv = NULL; + __be16 wks = cpu_to_be16(local->local_wks); + u8 gb_len = 0; + int ret = 0; +@@ -543,17 +543,33 @@ static int nfc_llcp_build_gb(struct nfc_ + version = LLCP_VERSION_11; + version_tlv = nfc_llcp_build_tlv(LLCP_TLV_VERSION, &version, + 1, &version_length); ++ if (!version_tlv) { ++ ret = -ENOMEM; ++ goto out; ++ } + gb_len += version_length; + + lto_tlv = nfc_llcp_build_tlv(LLCP_TLV_LTO, &local->lto, 1, <o_length); ++ if (!lto_tlv) { ++ ret = -ENOMEM; ++ goto out; ++ } + gb_len += lto_length; + + pr_debug("Local wks 0x%lx\n", local->local_wks); + wks_tlv = nfc_llcp_build_tlv(LLCP_TLV_WKS, (u8 *)&wks, 2, &wks_length); ++ if (!wks_tlv) { ++ ret = -ENOMEM; ++ goto out; ++ } + gb_len += wks_length; + + miux_tlv = nfc_llcp_build_tlv(LLCP_TLV_MIUX, (u8 *)&local->miux, 0, + &miux_length); ++ if (!miux_tlv) { ++ ret = -ENOMEM; ++ goto out; ++ } + gb_len += miux_length; + + gb_len += ARRAY_SIZE(llcp_magic); diff --git a/queue-4.20/net-phy-micrel-ksz8061-link-failure-after-cable-connect.patch b/queue-4.20/net-phy-micrel-ksz8061-link-failure-after-cable-connect.patch new file mode 100644 index 00000000000..2c48a769287 --- /dev/null +++ b/queue-4.20/net-phy-micrel-ksz8061-link-failure-after-cable-connect.patch @@ -0,0 +1,101 @@ +From foo@baz Fri Mar 8 07:37:54 CET 2019 +From: Rajasingh Thavamani +Date: Wed, 27 Feb 2019 17:43:19 +0530 +Subject: net: phy: Micrel KSZ8061: link failure after cable connect + +From: Rajasingh Thavamani + +[ Upstream commit 232ba3a51cc224b339c7114888ed7f0d4d95695e ] + +With Micrel KSZ8061 PHY, the link may occasionally not come up after +Ethernet cable connect. The vendor's (Microchip, former Micrel) errata +sheet 80000688A.pdf descripes the problem and possible workarounds in +detail, see below. +The batch implements workaround 1, which permanently fixes the issue. + +DESCRIPTION +Link-up may not occur properly when the Ethernet cable is initially +connected. This issue occurs more commonly when the cable is connected +slowly, but it may occur any time a cable is connected. This issue occurs +in the auto-negotiation circuit, and will not occur if auto-negotiation +is disabled (which requires that the two link partners be set to the +same speed and duplex). + +END USER IMPLICATIONS +When this issue occurs, link is not established. Subsequent cable +plug/unplaug cycle will not correct the issue. + +WORk AROUND +There are four approaches to work around this issue: +1. This issue can be prevented by setting bit 15 in MMD device address 1, + register 2, prior to connecting the cable or prior to setting the + Restart Auto-negotiation bit in register 0h. The MMD registers are + accessed via the indirect access registers Dh and Eh, or via the Micrel + EthUtil utility as shown here: + . if using the EthUtil utility (usually with a Micrel KSZ8061 + Evaluation Board), type the following commands: + > address 1 + > mmd 1 + > iw 2 b61a + . Alternatively, write the following registers to write to the + indirect MMD register: + Write register Dh, data 0001h + Write register Eh, data 0002h + Write register Dh, data 4001h + Write register Eh, data B61Ah +2. The issue can be avoided by disabling auto-negotiation in the KSZ8061, + either by the strapping option, or by clearing bit 12 in register 0h. + Care must be taken to ensure that the KSZ8061 and the link partner + will link with the same speed and duplex. Note that the KSZ8061 + defaults to full-duplex when auto-negotiation is off, but other + devices may default to half-duplex in the event of failed + auto-negotiation. +3. The issue can be avoided by connecting the cable prior to powering-up + or resetting the KSZ8061, and leaving it plugged in thereafter. +4. If the above measures are not taken and the problem occurs, link can + be recovered by setting the Restart Auto-Negotiation bit in + register 0h, or by resetting or power cycling the device. Reset may + be either hardware reset or software reset (register 0h, bit 15). + +PLAN +This errata will not be corrected in the future revision. + +Fixes: 7ab59dc15e2f ("drivers/net/phy/micrel_phy: Add support for new PHYs") +Signed-off-by: Alexander Onnasch +Signed-off-by: Rajasingh Thavamani +Reviewed-by: Andrew Lunn +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/phy/micrel.c | 13 ++++++++++++- + 1 file changed, 12 insertions(+), 1 deletion(-) + +--- a/drivers/net/phy/micrel.c ++++ b/drivers/net/phy/micrel.c +@@ -339,6 +339,17 @@ static int ksz8041_config_aneg(struct ph + return genphy_config_aneg(phydev); + } + ++static int ksz8061_config_init(struct phy_device *phydev) ++{ ++ int ret; ++ ++ ret = phy_write_mmd(phydev, MDIO_MMD_PMAPMD, MDIO_DEVID1, 0xB61A); ++ if (ret) ++ return ret; ++ ++ return kszphy_config_init(phydev); ++} ++ + static int ksz9021_load_values_from_of(struct phy_device *phydev, + const struct device_node *of_node, + u16 reg, +@@ -920,7 +931,7 @@ static struct phy_driver ksphy_driver[] + .features = PHY_BASIC_FEATURES, + .flags = PHY_HAS_INTERRUPT, + .driver_data = &ks8737_type, +- .config_init = kszphy_config_init, ++ .config_init = ksz8061_config_init, + .ack_interrupt = kszphy_ack_interrupt, + .config_intr = kszphy_config_intr, + .suspend = genphy_suspend, diff --git a/queue-4.20/net-phy-phylink-fix-uninitialized-variable-in-phylink_get_mac_state.patch b/queue-4.20/net-phy-phylink-fix-uninitialized-variable-in-phylink_get_mac_state.patch new file mode 100644 index 00000000000..4631df05212 --- /dev/null +++ b/queue-4.20/net-phy-phylink-fix-uninitialized-variable-in-phylink_get_mac_state.patch @@ -0,0 +1,41 @@ +From foo@baz Fri Mar 8 07:37:54 CET 2019 +From: Heiner Kallweit +Date: Tue, 26 Feb 2019 19:29:22 +0100 +Subject: net: phy: phylink: fix uninitialized variable in phylink_get_mac_state + +From: Heiner Kallweit + +[ Upstream commit d25ed413d5e51644e18f66e34eec049f17a7abcb ] + +When debugging an issue I found implausible values in state->pause. +Reason in that state->pause isn't initialized and later only single +bits are changed. Also the struct itself isn't initialized in +phylink_resolve(). So better initialize state->pause and other +not yet initialized fields. + +v2: +- use right function name in subject +v3: +- initialize additional fields + +Fixes: 9525ae83959b ("phylink: add phylink infrastructure") +Signed-off-by: Heiner Kallweit +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/phy/phylink.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/net/phy/phylink.c ++++ b/drivers/net/phy/phylink.c +@@ -321,6 +321,10 @@ static int phylink_get_mac_state(struct + linkmode_zero(state->lp_advertising); + state->interface = pl->link_config.interface; + state->an_enabled = pl->link_config.an_enabled; ++ state->speed = SPEED_UNKNOWN; ++ state->duplex = DUPLEX_UNKNOWN; ++ state->pause = MLO_PAUSE_NONE; ++ state->an_complete = 0; + state->link = 1; + + return pl->ops->mac_link_state(ndev, state); diff --git a/queue-4.20/net-sched-act_ipt-fix-refcount-leak-when-replace-fails.patch b/queue-4.20/net-sched-act_ipt-fix-refcount-leak-when-replace-fails.patch new file mode 100644 index 00000000000..010dd6c3862 --- /dev/null +++ b/queue-4.20/net-sched-act_ipt-fix-refcount-leak-when-replace-fails.patch @@ -0,0 +1,58 @@ +From foo@baz Fri Mar 8 07:37:54 CET 2019 +From: Davide Caratti +Date: Fri, 22 Feb 2019 12:33:25 +0100 +Subject: net/sched: act_ipt: fix refcount leak when replace fails + +From: Davide Caratti + +[ Upstream commit 8f67c90ee9148eab3d2b4393c3cf76489b27f87c ] + +After commit 4e8ddd7f1758 ("net: sched: don't release reference on action +overwrite"), the error path of all actions was converted to drop refcount +also when the action was being overwritten. But we forgot act_ipt_init(), +in case allocation of 'tname' was not successful: + + # tc action add action xt -j LOG --log-prefix hello index 100 + tablename: mangle hook: NF_IP_POST_ROUTING + target: LOG level warning prefix "hello" index 100 + # tc action show action xt + total acts 1 + + action order 0: tablename: mangle hook: NF_IP_POST_ROUTING + target LOG level warning prefix "hello" + index 100 ref 1 bind 0 + # tc action replace action xt -j LOG --log-prefix world index 100 + tablename: mangle hook: NF_IP_POST_ROUTING + target: LOG level warning prefix "world" index 100 + RTNETLINK answers: Cannot allocate memory + We have an error talking to the kernel + # tc action show action xt + total acts 1 + + action order 0: tablename: mangle hook: NF_IP_POST_ROUTING + target LOG level warning prefix "hello" + index 100 ref 2 bind 0 + +Ensure we call tcf_idr_release(), in case 'tname' allocation failed, also +when the action is being replaced. + +Fixes: 4e8ddd7f1758 ("net: sched: don't release reference on action overwrite") +Signed-off-by: Davide Caratti +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/sched/act_ipt.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/net/sched/act_ipt.c ++++ b/net/sched/act_ipt.c +@@ -199,8 +199,7 @@ err3: + err2: + kfree(tname); + err1: +- if (ret == ACT_P_CREATED) +- tcf_idr_release(*a, bind); ++ tcf_idr_release(*a, bind); + return err; + } + diff --git a/queue-4.20/net-sched-act_skbedit-fix-refcount-leak-when-replace-fails.patch b/queue-4.20/net-sched-act_skbedit-fix-refcount-leak-when-replace-fails.patch new file mode 100644 index 00000000000..7dd900701db --- /dev/null +++ b/queue-4.20/net-sched-act_skbedit-fix-refcount-leak-when-replace-fails.patch @@ -0,0 +1,51 @@ +From foo@baz Fri Mar 8 07:37:54 CET 2019 +From: Davide Caratti +Date: Fri, 22 Feb 2019 12:33:26 +0100 +Subject: net/sched: act_skbedit: fix refcount leak when replace fails + +From: Davide Caratti + +[ Upstream commit 6191da98062d25276a3b88fb2a94dcbcfb3ea65d ] + +when act_skbedit was converted to use RCU in the data plane, we added an +error path, but we forgot to drop the action refcount in case of failure +during a 'replace' operation: + + # tc actions add action skbedit ptype otherhost pass index 100 + # tc action show action skbedit + total acts 1 + + action order 0: skbedit ptype otherhost pass + index 100 ref 1 bind 0 + # tc actions replace action skbedit ptype otherhost drop index 100 + RTNETLINK answers: Cannot allocate memory + We have an error talking to the kernel + # tc action show action skbedit + total acts 1 + + action order 0: skbedit ptype otherhost pass + index 100 ref 2 bind 0 + +Ensure we call tcf_idr_release(), in case 'params_new' allocation failed, +also when the action is being replaced. + +Fixes: c749cdda9089 ("net/sched: act_skbedit: don't use spinlock in the data path") +Signed-off-by: Davide Caratti +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/sched/act_skbedit.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/net/sched/act_skbedit.c ++++ b/net/sched/act_skbedit.c +@@ -189,8 +189,7 @@ static int tcf_skbedit_init(struct net * + + params_new = kzalloc(sizeof(*params_new), GFP_KERNEL); + if (unlikely(!params_new)) { +- if (ret == ACT_P_CREATED) +- tcf_idr_release(*a, bind); ++ tcf_idr_release(*a, bind); + return -ENOMEM; + } + diff --git a/queue-4.20/net-sched-act_tunnel_key-fix-null-pointer-dereference-during-init.patch b/queue-4.20/net-sched-act_tunnel_key-fix-null-pointer-dereference-during-init.patch new file mode 100644 index 00000000000..5c79c683fef --- /dev/null +++ b/queue-4.20/net-sched-act_tunnel_key-fix-null-pointer-dereference-during-init.patch @@ -0,0 +1,35 @@ +From foo@baz Fri Mar 8 07:37:54 CET 2019 +From: Vlad Buslov +Date: Mon, 25 Feb 2019 17:28:27 +0200 +Subject: net: sched: act_tunnel_key: fix NULL pointer dereference during init + +From: Vlad Buslov + +[ Upstream commit a3df633a3c92bb96b06552c3f828d7c267774379 ] + +Metadata pointer is only initialized for action TCA_TUNNEL_KEY_ACT_SET, but +it is unconditionally dereferenced in tunnel_key_init() error handler. +Verify that metadata pointer is not NULL before dereferencing it in +tunnel_key_init error handling code. + +Fixes: ee28bb56ac5b ("net/sched: fix memory leak in act_tunnel_key_init()") +Signed-off-by: Vlad Buslov +Reviewed-by: Davide Caratti +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/sched/act_tunnel_key.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/sched/act_tunnel_key.c ++++ b/net/sched/act_tunnel_key.c +@@ -377,7 +377,8 @@ static int tunnel_key_init(struct net *n + return ret; + + release_tun_meta: +- dst_release(&metadata->dst); ++ if (metadata) ++ dst_release(&metadata->dst); + + err_out: + if (exists) diff --git a/queue-4.20/net-sched-put-back-q.qlen-into-a-single-location.patch b/queue-4.20/net-sched-put-back-q.qlen-into-a-single-location.patch new file mode 100644 index 00000000000..314fa47c065 --- /dev/null +++ b/queue-4.20/net-sched-put-back-q.qlen-into-a-single-location.patch @@ -0,0 +1,219 @@ +From foo@baz Fri Mar 8 07:37:54 CET 2019 +From: Eric Dumazet +Date: Thu, 28 Feb 2019 12:55:43 -0800 +Subject: net: sched: put back q.qlen into a single location + +From: Eric Dumazet + +[ Upstream commit 46b1c18f9deb326a7e18348e668e4c7ab7c7458b ] + +In the series fc8b81a5981f ("Merge branch 'lockless-qdisc-series'") +John made the assumption that the data path had no need to read +the qdisc qlen (number of packets in the qdisc). + +It is true when pfifo_fast is used as the root qdisc, or as direct MQ/MQPRIO +children. + +But pfifo_fast can be used as leaf in class full qdiscs, and existing +logic needs to access the child qlen in an efficient way. + +HTB breaks badly, since it uses cl->leaf.q->q.qlen in : + htb_activate() -> WARN_ON() + htb_dequeue_tree() to decide if a class can be htb_deactivated + when it has no more packets. + +HFSC, DRR, CBQ, QFQ have similar issues, and some calls to +qdisc_tree_reduce_backlog() also read q.qlen directly. + +Using qdisc_qlen_sum() (which iterates over all possible cpus) +in the data path is a non starter. + +It seems we have to put back qlen in a central location, +at least for stable kernels. + +For all qdisc but pfifo_fast, qlen is guarded by the qdisc lock, +so the existing q.qlen{++|--} are correct. + +For 'lockless' qdisc (pfifo_fast so far), we need to use atomic_{inc|dec}() +because the spinlock might be not held (for example from +pfifo_fast_enqueue() and pfifo_fast_dequeue()) + +This patch adds atomic_qlen (in the same location than qlen) +and renames the following helpers, since we want to express +they can be used without qdisc lock, and that qlen is no longer percpu. + +- qdisc_qstats_cpu_qlen_dec -> qdisc_qstats_atomic_qlen_dec() +- qdisc_qstats_cpu_qlen_inc -> qdisc_qstats_atomic_qlen_inc() + +Later (net-next) we might revert this patch by tracking all these +qlen uses and replace them by a more efficient method (not having +to access a precise qlen, but an empty/non_empty status that might +be less expensive to maintain/track). + +Another possibility is to have a legacy pfifo_fast version that would +be used when used a a child qdisc, since the parent qdisc needs +a spinlock anyway. But then, future lockless qdiscs would also +have the same problem. + +Fixes: 7e66016f2c65 ("net: sched: helpers to sum qlen and qlen for per cpu logic") +Signed-off-by: Eric Dumazet +Cc: John Fastabend +Cc: Jamal Hadi Salim +Cc: Cong Wang +Cc: Jiri Pirko +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/net/sch_generic.h | 31 +++++++++++++------------------ + net/core/gen_stats.c | 2 -- + net/sched/sch_generic.c | 13 ++++++------- + 3 files changed, 19 insertions(+), 27 deletions(-) + +--- a/include/net/sch_generic.h ++++ b/include/net/sch_generic.h +@@ -48,7 +48,10 @@ struct qdisc_size_table { + struct qdisc_skb_head { + struct sk_buff *head; + struct sk_buff *tail; +- __u32 qlen; ++ union { ++ u32 qlen; ++ atomic_t atomic_qlen; ++ }; + spinlock_t lock; + }; + +@@ -405,27 +408,19 @@ static inline void qdisc_cb_private_vali + BUILD_BUG_ON(sizeof(qcb->data) < sz); + } + +-static inline int qdisc_qlen_cpu(const struct Qdisc *q) +-{ +- return this_cpu_ptr(q->cpu_qstats)->qlen; +-} +- + static inline int qdisc_qlen(const struct Qdisc *q) + { + return q->q.qlen; + } + +-static inline int qdisc_qlen_sum(const struct Qdisc *q) ++static inline u32 qdisc_qlen_sum(const struct Qdisc *q) + { +- __u32 qlen = q->qstats.qlen; +- int i; ++ u32 qlen = q->qstats.qlen; + +- if (q->flags & TCQ_F_NOLOCK) { +- for_each_possible_cpu(i) +- qlen += per_cpu_ptr(q->cpu_qstats, i)->qlen; +- } else { ++ if (q->flags & TCQ_F_NOLOCK) ++ qlen += atomic_read(&q->q.atomic_qlen); ++ else + qlen += q->q.qlen; +- } + + return qlen; + } +@@ -798,14 +793,14 @@ static inline void qdisc_qstats_cpu_back + this_cpu_add(sch->cpu_qstats->backlog, qdisc_pkt_len(skb)); + } + +-static inline void qdisc_qstats_cpu_qlen_inc(struct Qdisc *sch) ++static inline void qdisc_qstats_atomic_qlen_inc(struct Qdisc *sch) + { +- this_cpu_inc(sch->cpu_qstats->qlen); ++ atomic_inc(&sch->q.atomic_qlen); + } + +-static inline void qdisc_qstats_cpu_qlen_dec(struct Qdisc *sch) ++static inline void qdisc_qstats_atomic_qlen_dec(struct Qdisc *sch) + { +- this_cpu_dec(sch->cpu_qstats->qlen); ++ atomic_dec(&sch->q.atomic_qlen); + } + + static inline void qdisc_qstats_cpu_requeues_inc(struct Qdisc *sch) +--- a/net/core/gen_stats.c ++++ b/net/core/gen_stats.c +@@ -291,7 +291,6 @@ __gnet_stats_copy_queue_cpu(struct gnet_ + for_each_possible_cpu(i) { + const struct gnet_stats_queue *qcpu = per_cpu_ptr(q, i); + +- qstats->qlen = 0; + qstats->backlog += qcpu->backlog; + qstats->drops += qcpu->drops; + qstats->requeues += qcpu->requeues; +@@ -307,7 +306,6 @@ void __gnet_stats_copy_queue(struct gnet + if (cpu) { + __gnet_stats_copy_queue_cpu(qstats, cpu); + } else { +- qstats->qlen = q->qlen; + qstats->backlog = q->backlog; + qstats->drops = q->drops; + qstats->requeues = q->requeues; +--- a/net/sched/sch_generic.c ++++ b/net/sched/sch_generic.c +@@ -68,7 +68,7 @@ static inline struct sk_buff *__skb_dequ + skb = __skb_dequeue(&q->skb_bad_txq); + if (qdisc_is_percpu_stats(q)) { + qdisc_qstats_cpu_backlog_dec(q, skb); +- qdisc_qstats_cpu_qlen_dec(q); ++ qdisc_qstats_atomic_qlen_dec(q); + } else { + qdisc_qstats_backlog_dec(q, skb); + q->q.qlen--; +@@ -108,7 +108,7 @@ static inline void qdisc_enqueue_skb_bad + + if (qdisc_is_percpu_stats(q)) { + qdisc_qstats_cpu_backlog_inc(q, skb); +- qdisc_qstats_cpu_qlen_inc(q); ++ qdisc_qstats_atomic_qlen_inc(q); + } else { + qdisc_qstats_backlog_inc(q, skb); + q->q.qlen++; +@@ -147,7 +147,7 @@ static inline int dev_requeue_skb_locked + + qdisc_qstats_cpu_requeues_inc(q); + qdisc_qstats_cpu_backlog_inc(q, skb); +- qdisc_qstats_cpu_qlen_inc(q); ++ qdisc_qstats_atomic_qlen_inc(q); + + skb = next; + } +@@ -252,7 +252,7 @@ static struct sk_buff *dequeue_skb(struc + skb = __skb_dequeue(&q->gso_skb); + if (qdisc_is_percpu_stats(q)) { + qdisc_qstats_cpu_backlog_dec(q, skb); +- qdisc_qstats_cpu_qlen_dec(q); ++ qdisc_qstats_atomic_qlen_dec(q); + } else { + qdisc_qstats_backlog_dec(q, skb); + q->q.qlen--; +@@ -645,7 +645,7 @@ static int pfifo_fast_enqueue(struct sk_ + if (unlikely(err)) + return qdisc_drop_cpu(skb, qdisc, to_free); + +- qdisc_qstats_cpu_qlen_inc(qdisc); ++ qdisc_qstats_atomic_qlen_inc(qdisc); + /* Note: skb can not be used after skb_array_produce(), + * so we better not use qdisc_qstats_cpu_backlog_inc() + */ +@@ -670,7 +670,7 @@ static struct sk_buff *pfifo_fast_dequeu + if (likely(skb)) { + qdisc_qstats_cpu_backlog_dec(qdisc, skb); + qdisc_bstats_cpu_update(qdisc, skb); +- qdisc_qstats_cpu_qlen_dec(qdisc); ++ qdisc_qstats_atomic_qlen_dec(qdisc); + } + + return skb; +@@ -714,7 +714,6 @@ static void pfifo_fast_reset(struct Qdis + struct gnet_stats_queue *q = per_cpu_ptr(qdisc->cpu_qstats, i); + + q->backlog = 0; +- q->qlen = 0; + } + } + diff --git a/queue-4.20/net-sit-fix-memory-leak-in-sit_init_net.patch b/queue-4.20/net-sit-fix-memory-leak-in-sit_init_net.patch new file mode 100644 index 00000000000..d6fa4a76256 --- /dev/null +++ b/queue-4.20/net-sit-fix-memory-leak-in-sit_init_net.patch @@ -0,0 +1,53 @@ +From foo@baz Fri Mar 8 07:37:54 CET 2019 +From: Mao Wenan +Date: Fri, 1 Mar 2019 23:06:40 +0800 +Subject: net: sit: fix memory leak in sit_init_net() + +From: Mao Wenan + +[ Upstream commit 07f12b26e21ab359261bf75cfcb424fdc7daeb6d ] + +If register_netdev() is failed to register sitn->fb_tunnel_dev, +it will go to err_reg_dev and forget to free netdev(sitn->fb_tunnel_dev). + +BUG: memory leak +unreferenced object 0xffff888378daad00 (size 512): + comm "syz-executor.1", pid 4006, jiffies 4295121142 (age 16.115s) + hex dump (first 32 bytes): + 00 e6 ed c0 83 88 ff ff 00 00 00 00 00 00 00 00 ................ + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ +backtrace: + [<00000000d6dcb63e>] kvmalloc include/linux/mm.h:577 [inline] + [<00000000d6dcb63e>] kvzalloc include/linux/mm.h:585 [inline] + [<00000000d6dcb63e>] netif_alloc_netdev_queues net/core/dev.c:8380 [inline] + [<00000000d6dcb63e>] alloc_netdev_mqs+0x600/0xcc0 net/core/dev.c:8970 + [<00000000867e172f>] sit_init_net+0x295/0xa40 net/ipv6/sit.c:1848 + [<00000000871019fa>] ops_init+0xad/0x3e0 net/core/net_namespace.c:129 + [<00000000319507f6>] setup_net+0x2ba/0x690 net/core/net_namespace.c:314 + [<0000000087db4f96>] copy_net_ns+0x1dc/0x330 net/core/net_namespace.c:437 + [<0000000057efc651>] create_new_namespaces+0x382/0x730 kernel/nsproxy.c:107 + [<00000000676f83de>] copy_namespaces+0x2ed/0x3d0 kernel/nsproxy.c:165 + [<0000000030b74bac>] copy_process.part.27+0x231e/0x6db0 kernel/fork.c:1919 + [<00000000fff78746>] copy_process kernel/fork.c:1713 [inline] + [<00000000fff78746>] _do_fork+0x1bc/0xe90 kernel/fork.c:2224 + [<000000001c2e0d1c>] do_syscall_64+0xc8/0x580 arch/x86/entry/common.c:290 + [<00000000ec48bd44>] entry_SYSCALL_64_after_hwframe+0x49/0xbe + [<0000000039acff8a>] 0xffffffffffffffff + +Signed-off-by: Mao Wenan +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/sit.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/ipv6/sit.c ++++ b/net/ipv6/sit.c +@@ -1873,6 +1873,7 @@ static int __net_init sit_init_net(struc + + err_reg_dev: + ipip6_dev_free(sitn->fb_tunnel_dev); ++ free_netdev(sitn->fb_tunnel_dev); + err_alloc_dev: + return err; + } diff --git a/queue-4.20/net-socket-set-sock-sk-to-null-after-calling-proto_ops-release.patch b/queue-4.20/net-socket-set-sock-sk-to-null-after-calling-proto_ops-release.patch new file mode 100644 index 00000000000..273c3724e29 --- /dev/null +++ b/queue-4.20/net-socket-set-sock-sk-to-null-after-calling-proto_ops-release.patch @@ -0,0 +1,85 @@ +From foo@baz Fri Mar 8 07:37:54 CET 2019 +From: Eric Biggers +Date: Thu, 21 Feb 2019 14:13:56 -0800 +Subject: net: socket: set sock->sk to NULL after calling proto_ops::release() + +From: Eric Biggers + +[ Upstream commit ff7b11aa481f682e0e9711abfeb7d03f5cd612bf ] + +Commit 9060cb719e61 ("net: crypto set sk to NULL when af_alg_release.") +fixed a use-after-free in sockfs_setattr() when an AF_ALG socket is +closed concurrently with fchownat(). However, it ignored that many +other proto_ops::release() methods don't set sock->sk to NULL and +therefore allow the same use-after-free: + + - base_sock_release + - bnep_sock_release + - cmtp_sock_release + - data_sock_release + - dn_release + - hci_sock_release + - hidp_sock_release + - iucv_sock_release + - l2cap_sock_release + - llcp_sock_release + - llc_ui_release + - rawsock_release + - rfcomm_sock_release + - sco_sock_release + - svc_release + - vcc_release + - x25_release + +Rather than fixing all these and relying on every socket type to get +this right forever, just make __sock_release() set sock->sk to NULL +itself after calling proto_ops::release(). + +Reproducer that produces the KASAN splat when any of these socket types +are configured into the kernel: + + #include + #include + #include + #include + + pthread_t t; + volatile int fd; + + void *close_thread(void *arg) + { + for (;;) { + usleep(rand() % 100); + close(fd); + } + } + + int main() + { + pthread_create(&t, NULL, close_thread, NULL); + for (;;) { + fd = socket(rand() % 50, rand() % 11, 0); + fchownat(fd, "", 1000, 1000, 0x1000); + close(fd); + } + } + +Fixes: 86741ec25462 ("net: core: Add a UID field to struct sock.") +Signed-off-by: Eric Biggers +Acked-by: Cong Wang +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/socket.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/socket.c ++++ b/net/socket.c +@@ -577,6 +577,7 @@ static void __sock_release(struct socket + if (inode) + inode_lock(inode); + sock->ops->release(sock); ++ sock->sk = NULL; + if (inode) + inode_unlock(inode); + sock->ops = NULL; diff --git a/queue-4.20/net-sysfs-fix-mem-leak-in-netdev_register_kobject.patch b/queue-4.20/net-sysfs-fix-mem-leak-in-netdev_register_kobject.patch new file mode 100644 index 00000000000..524bd3a97aa --- /dev/null +++ b/queue-4.20/net-sysfs-fix-mem-leak-in-netdev_register_kobject.patch @@ -0,0 +1,55 @@ +From foo@baz Fri Mar 8 07:37:54 CET 2019 +From: YueHaibing +Date: Sat, 2 Mar 2019 10:34:55 +0800 +Subject: net-sysfs: Fix mem leak in netdev_register_kobject + +From: YueHaibing + +[ Upstream commit 895a5e96dbd6386c8e78e5b78e067dcc67b7f0ab ] + +syzkaller report this: +BUG: memory leak +unreferenced object 0xffff88837a71a500 (size 256): + comm "syz-executor.2", pid 9770, jiffies 4297825125 (age 17.843s) + hex dump (first 32 bytes): + 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N.......... + ff ff ff ff ff ff ff ff 20 c0 ef 86 ff ff ff ff ........ ....... + backtrace: + [<00000000db12624b>] netdev_register_kobject+0x124/0x2e0 net/core/net-sysfs.c:1751 + [<00000000dc49a994>] register_netdevice+0xcc1/0x1270 net/core/dev.c:8516 + [<00000000e5f3fea0>] tun_set_iff drivers/net/tun.c:2649 [inline] + [<00000000e5f3fea0>] __tun_chr_ioctl+0x2218/0x3d20 drivers/net/tun.c:2883 + [<000000001b8ac127>] vfs_ioctl fs/ioctl.c:46 [inline] + [<000000001b8ac127>] do_vfs_ioctl+0x1a5/0x10e0 fs/ioctl.c:690 + [<0000000079b269f8>] ksys_ioctl+0x89/0xa0 fs/ioctl.c:705 + [<00000000de649beb>] __do_sys_ioctl fs/ioctl.c:712 [inline] + [<00000000de649beb>] __se_sys_ioctl fs/ioctl.c:710 [inline] + [<00000000de649beb>] __x64_sys_ioctl+0x74/0xb0 fs/ioctl.c:710 + [<000000007ebded1e>] do_syscall_64+0xc8/0x580 arch/x86/entry/common.c:290 + [<00000000db315d36>] entry_SYSCALL_64_after_hwframe+0x49/0xbe + [<00000000115be9bb>] 0xffffffffffffffff + +It should call kset_unregister to free 'dev->queues_kset' +in error path of register_queue_kobjects, otherwise will cause a mem leak. + +Reported-by: Hulk Robot +Fixes: 1d24eb4815d1 ("xps: Transmit Packet Steering") +Signed-off-by: YueHaibing +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/core/net-sysfs.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/net/core/net-sysfs.c ++++ b/net/core/net-sysfs.c +@@ -1547,6 +1547,9 @@ static int register_queue_kobjects(struc + error: + netdev_queue_update_kobjects(dev, txq, 0); + net_rx_queue_update_kobjects(dev, rxq, 0); ++#ifdef CONFIG_SYSFS ++ kset_unregister(dev->queues_kset); ++#endif + return error; + } + diff --git a/queue-4.20/netlabel-fix-out-of-bounds-memory-accesses.patch b/queue-4.20/netlabel-fix-out-of-bounds-memory-accesses.patch new file mode 100644 index 00000000000..2fc1b94ad8e --- /dev/null +++ b/queue-4.20/netlabel-fix-out-of-bounds-memory-accesses.patch @@ -0,0 +1,53 @@ +From foo@baz Fri Mar 8 07:37:54 CET 2019 +From: Paul Moore +Date: Mon, 25 Feb 2019 19:06:06 -0500 +Subject: netlabel: fix out-of-bounds memory accesses + +From: Paul Moore + +[ Upstream commit 5578de4834fe0f2a34fedc7374be691443396d1f ] + +There are two array out-of-bounds memory accesses, one in +cipso_v4_map_lvl_valid(), the other in netlbl_bitmap_walk(). Both +errors are embarassingly simple, and the fixes are straightforward. + +As a FYI for anyone backporting this patch to kernels prior to v4.8, +you'll want to apply the netlbl_bitmap_walk() patch to +cipso_v4_bitmap_walk() as netlbl_bitmap_walk() doesn't exist before +Linux v4.8. + +Reported-by: Jann Horn +Fixes: 446fda4f2682 ("[NetLabel]: CIPSOv4 engine") +Fixes: 3faa8f982f95 ("netlabel: Move bitmap manipulation functions to the NetLabel core.") +Signed-off-by: Paul Moore +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/cipso_ipv4.c | 3 ++- + net/netlabel/netlabel_kapi.c | 3 ++- + 2 files changed, 4 insertions(+), 2 deletions(-) + +--- a/net/ipv4/cipso_ipv4.c ++++ b/net/ipv4/cipso_ipv4.c +@@ -667,7 +667,8 @@ static int cipso_v4_map_lvl_valid(const + case CIPSO_V4_MAP_PASS: + return 0; + case CIPSO_V4_MAP_TRANS: +- if (doi_def->map.std->lvl.cipso[level] < CIPSO_V4_INV_LVL) ++ if ((level < doi_def->map.std->lvl.cipso_size) && ++ (doi_def->map.std->lvl.cipso[level] < CIPSO_V4_INV_LVL)) + return 0; + break; + } +--- a/net/netlabel/netlabel_kapi.c ++++ b/net/netlabel/netlabel_kapi.c +@@ -903,7 +903,8 @@ int netlbl_bitmap_walk(const unsigned ch + (state == 0 && (byte & bitmask) == 0)) + return bit_spot; + +- bit_spot++; ++ if (++bit_spot >= bitmap_len) ++ return -1; + bitmask >>= 1; + if (bitmask == 0) { + byte = bitmap[++byte_offset]; diff --git a/queue-4.20/qmi_wwan-add-support-for-quectel-eg12-em12.patch b/queue-4.20/qmi_wwan-add-support-for-quectel-eg12-em12.patch new file mode 100644 index 00000000000..5aa889978e7 --- /dev/null +++ b/queue-4.20/qmi_wwan-add-support-for-quectel-eg12-em12.patch @@ -0,0 +1,82 @@ +From foo@baz Fri Mar 8 07:37:54 CET 2019 +From: Kristian Evensen +Date: Sat, 2 Mar 2019 13:32:26 +0100 +Subject: qmi_wwan: Add support for Quectel EG12/EM12 + +From: Kristian Evensen + +[ Upstream commit 822e44b45eb991c63487c5e2ce7d636411870a8d ] + +Quectel EG12 (module)/EM12 (M.2 card) is a Cat. 12 LTE modem. The modem +behaves in the same way as the EP06, so the "set DTR"-quirk must be +applied and the diagnostic-interface check performed. Since the +diagnostic-check now applies to more modems, I have renamed the function +from quectel_ep06_diag_detected() to quectel_diag_detected(). + +Signed-off-by: Kristian Evensen +Acked-by: Bjørn Mork +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/qmi_wwan.c | 26 ++++++++++++++++++-------- + 1 file changed, 18 insertions(+), 8 deletions(-) + +--- a/drivers/net/usb/qmi_wwan.c ++++ b/drivers/net/usb/qmi_wwan.c +@@ -976,6 +976,13 @@ static const struct usb_device_id produc + 0xff), + .driver_info = (unsigned long)&qmi_wwan_info_quirk_dtr, + }, ++ { /* Quectel EG12/EM12 */ ++ USB_DEVICE_AND_INTERFACE_INFO(0x2c7c, 0x0512, ++ USB_CLASS_VENDOR_SPEC, ++ USB_SUBCLASS_VENDOR_SPEC, ++ 0xff), ++ .driver_info = (unsigned long)&qmi_wwan_info_quirk_dtr, ++ }, + + /* 3. Combined interface devices matching on interface number */ + {QMI_FIXED_INTF(0x0408, 0xea42, 4)}, /* Yota / Megafon M100-1 */ +@@ -1343,17 +1350,20 @@ static bool quectel_ec20_detected(struct + return false; + } + +-static bool quectel_ep06_diag_detected(struct usb_interface *intf) ++static bool quectel_diag_detected(struct usb_interface *intf) + { + struct usb_device *dev = interface_to_usbdev(intf); + struct usb_interface_descriptor intf_desc = intf->cur_altsetting->desc; ++ u16 id_vendor = le16_to_cpu(dev->descriptor.idVendor); ++ u16 id_product = le16_to_cpu(dev->descriptor.idProduct); + +- if (le16_to_cpu(dev->descriptor.idVendor) == 0x2c7c && +- le16_to_cpu(dev->descriptor.idProduct) == 0x0306 && +- intf_desc.bNumEndpoints == 2) +- return true; ++ if (id_vendor != 0x2c7c || intf_desc.bNumEndpoints != 2) ++ return false; + +- return false; ++ if (id_product == 0x0306 || id_product == 0x0512) ++ return true; ++ else ++ return false; + } + + static int qmi_wwan_probe(struct usb_interface *intf, +@@ -1390,13 +1400,13 @@ static int qmi_wwan_probe(struct usb_int + return -ENODEV; + } + +- /* Quectel EP06/EM06/EG06 supports dynamic interface configuration, so ++ /* Several Quectel modems supports dynamic interface configuration, so + * we need to match on class/subclass/protocol. These values are + * identical for the diagnostic- and QMI-interface, but bNumEndpoints is + * different. Ignore the current interface if the number of endpoints + * the number for the diag interface (two). + */ +- if (quectel_ep06_diag_detected(intf)) ++ if (quectel_diag_detected(intf)) + return -ENODEV; + + return usbnet_probe(intf, id); diff --git a/queue-4.20/sctp-call-iov_iter_revert-after-sending-abort.patch b/queue-4.20/sctp-call-iov_iter_revert-after-sending-abort.patch new file mode 100644 index 00000000000..845cb6f93ae --- /dev/null +++ b/queue-4.20/sctp-call-iov_iter_revert-after-sending-abort.patch @@ -0,0 +1,35 @@ +From foo@baz Fri Mar 8 07:37:54 CET 2019 +From: Xin Long +Date: Sun, 3 Mar 2019 16:50:26 +0800 +Subject: sctp: call iov_iter_revert() after sending ABORT + +From: Xin Long + +[ Upstream commit 901efe12318b1ea8d3e2c88a7b75ed6e6d5d7245 ] + +The user msg is also copied to the abort packet when doing SCTP_ABORT in +sctp_sendmsg_check_sflags(). When SCTP_SENDALL is set, iov_iter_revert() +should have been called for sending abort on the next asoc with copying +this msg. Otherwise, memcpy_from_msg() in sctp_make_abort_user() will +fail and return error. + +Fixes: 4910280503f3 ("sctp: add support for snd flag SCTP_SENDALL process in sendmsg") +Reported-by: Ying Xu +Signed-off-by: Xin Long +Acked-by: Neil Horman +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/sctp/socket.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/sctp/socket.c ++++ b/net/sctp/socket.c +@@ -1866,6 +1866,7 @@ static int sctp_sendmsg_check_sflags(str + + pr_debug("%s: aborting association:%p\n", __func__, asoc); + sctp_primitive_ABORT(net, asoc, chunk); ++ iov_iter_revert(&msg->msg_iter, msg_len); + + return 0; + } diff --git a/queue-4.20/series b/queue-4.20/series index 50bc83692b0..8986f3a6f7f 100644 --- a/queue-4.20/series +++ b/queue-4.20/series @@ -15,3 +15,45 @@ staging-wilc1000-fix-to-set-correct-value-for-vif_num.patch staging-android-ion-fix-sys-heap-pool-s-gfp_flags.patch staging-android-ashmem-don-t-call-fallocate-with-ashmem_mutex-held.patch staging-android-ashmem-avoid-range_alloc-allocation-with-ashmem_mutex-held.patch +ip6mr-do-not-call-__ip6_inc_stats-from-preemptible-context.patch +net-dsa-mv88e6xxx-add-call-to-mv88e6xxx_ports_cmode_init-to-probe-for-new-dsa-framework.patch +net-dsa-mv88e6xxx-handle-unknown-duplex-modes-gracefully-in-mv88e6xxx_port_set_duplex.patch +net-dsa-mv8e6xxx-fix-number-of-internal-phys-for-88e6x90-family.patch +net-mscc-enable-all-ports-in-qsgmii.patch +net-sched-put-back-q.qlen-into-a-single-location.patch +net-sysfs-fix-mem-leak-in-netdev_register_kobject.patch +qmi_wwan-add-support-for-quectel-eg12-em12.patch +sctp-call-iov_iter_revert-after-sending-abort.patch +sky2-disable-msi-on-dell-inspiron-1545-and-gateway-p-79.patch +team-free-bpf-filter-when-unregistering-netdev.patch +tipc-fix-rdm-dgram-connect-regression.patch +bnxt_en-drop-oversize-tx-packets-to-prevent-errors.patch +geneve-correctly-handle-ipv6.disable-module-parameter.patch +hv_netvsc-fix-ip-header-checksum-for-coalesced-packets.patch +ipv4-add-icmpv6-support-when-parse-route-ipproto.patch +lan743x-fix-tx-stall-issue.patch +net-dsa-mv88e6xxx-fix-statistics-on-mv88e6161.patch +net-dsa-mv88e6xxx-fix-u64-statistics.patch +netlabel-fix-out-of-bounds-memory-accesses.patch +net-netem-fix-skb-length-bug_on-in-__skb_to_sgvec.patch +net-nfc-fix-null-dereference-on-nfc_llcp_build_tlv-fails.patch +net-phy-micrel-ksz8061-link-failure-after-cable-connect.patch +net-phy-phylink-fix-uninitialized-variable-in-phylink_get_mac_state.patch +net-sit-fix-memory-leak-in-sit_init_net.patch +net-socket-set-sock-sk-to-null-after-calling-proto_ops-release.patch +tipc-fix-race-condition-causing-hung-sendto.patch +tun-fix-blocking-read.patch +xen-netback-don-t-populate-the-hash-cache-on-xenbus-disconnect.patch +xen-netback-fix-occasional-leak-of-grant-ref-mappings-under-memory-pressure.patch +tun-remove-unnecessary-memory-barrier.patch +net-add-__icmp_send-helper.patch +net-avoid-use-ipcb-in-cipso_v4_error.patch +ipv4-return-error-for-rta_via-attribute.patch +ipv6-return-error-for-rta_via-attribute.patch +mpls-return-error-for-rta_gateway-attribute.patch +ipv4-pass-original-device-to-ip_rcv_finish_core.patch +net-dsa-mv88e6xxx-power-serdes-on-off-for-10g-interfaces-on-6390x.patch +net-dsa-mv88e6xxx-prevent-interrupt-storm-caused-by-mv88e6390x_port_set_cmode.patch +net-sched-act_ipt-fix-refcount-leak-when-replace-fails.patch +net-sched-act_skbedit-fix-refcount-leak-when-replace-fails.patch +net-sched-act_tunnel_key-fix-null-pointer-dereference-during-init.patch diff --git a/queue-4.20/sky2-disable-msi-on-dell-inspiron-1545-and-gateway-p-79.patch b/queue-4.20/sky2-disable-msi-on-dell-inspiron-1545-and-gateway-p-79.patch new file mode 100644 index 00000000000..bba6d92eb13 --- /dev/null +++ b/queue-4.20/sky2-disable-msi-on-dell-inspiron-1545-and-gateway-p-79.patch @@ -0,0 +1,82 @@ +From foo@baz Fri Mar 8 07:37:54 CET 2019 +From: Kai-Heng Feng +Date: Mon, 4 Mar 2019 15:00:03 +0800 +Subject: sky2: Disable MSI on Dell Inspiron 1545 and Gateway P-79 + +From: Kai-Heng Feng + +[ Upstream commit b33b7cd6fd86478dd2890a9abeb6f036aa01fdf7 ] + +Some sky2 chips fire IRQ after S3, before the driver is fully resumed: +[ 686.804877] do_IRQ: 1.37 No irq handler for vector + +This is likely a platform bug that device isn't fully quiesced during +S3. Use MSI-X, maskable MSI or INTx can prevent this issue from +happening. + +Since MSI-X and maskable MSI are not supported by this device, fallback +to use INTx on affected platforms. + +BugLink: https://bugs.launchpad.net/bugs/1807259 +BugLink: https://bugs.launchpad.net/bugs/1809843 +Signed-off-by: Kai-Heng Feng +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/marvell/sky2.c | 24 +++++++++++++++++++++++- + 1 file changed, 23 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/marvell/sky2.c ++++ b/drivers/net/ethernet/marvell/sky2.c +@@ -46,6 +46,7 @@ + #include + #include + #include ++#include + + #include + +@@ -93,7 +94,7 @@ static int copybreak __read_mostly = 128 + module_param(copybreak, int, 0); + MODULE_PARM_DESC(copybreak, "Receive copy threshold"); + +-static int disable_msi = 0; ++static int disable_msi = -1; + module_param(disable_msi, int, 0); + MODULE_PARM_DESC(disable_msi, "Disable Message Signaled Interrupt (MSI)"); + +@@ -4931,6 +4932,24 @@ static const char *sky2_name(u8 chipid, + return buf; + } + ++static const struct dmi_system_id msi_blacklist[] = { ++ { ++ .ident = "Dell Inspiron 1545", ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."), ++ DMI_MATCH(DMI_PRODUCT_NAME, "Inspiron 1545"), ++ }, ++ }, ++ { ++ .ident = "Gateway P-79", ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "Gateway"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "P-79"), ++ }, ++ }, ++ {} ++}; ++ + static int sky2_probe(struct pci_dev *pdev, const struct pci_device_id *ent) + { + struct net_device *dev, *dev1; +@@ -5042,6 +5061,9 @@ static int sky2_probe(struct pci_dev *pd + goto err_out_free_pci; + } + ++ if (disable_msi == -1) ++ disable_msi = !!dmi_check_system(msi_blacklist); ++ + if (!disable_msi && pci_enable_msi(pdev) == 0) { + err = sky2_test_msi(hw); + if (err) { diff --git a/queue-4.20/team-free-bpf-filter-when-unregistering-netdev.patch b/queue-4.20/team-free-bpf-filter-when-unregistering-netdev.patch new file mode 100644 index 00000000000..af1f6404ae7 --- /dev/null +++ b/queue-4.20/team-free-bpf-filter-when-unregistering-netdev.patch @@ -0,0 +1,99 @@ +From foo@baz Fri Mar 8 07:37:54 CET 2019 +From: Ido Schimmel +Date: Sun, 3 Mar 2019 07:35:51 +0000 +Subject: team: Free BPF filter when unregistering netdev + +From: Ido Schimmel + +[ Upstream commit 692c31bd4054212312396b1d303bffab2c5b93a7 ] + +When team is used in loadbalance mode a BPF filter can be used to +provide a hash which will determine the Tx port. + +When the netdev is later unregistered the filter is not freed which +results in memory leaks [1]. + +Fix by freeing the program and the corresponding filter when +unregistering the netdev. + +[1] +unreferenced object 0xffff8881dbc47cc8 (size 16): + comm "teamd", pid 3068, jiffies 4294997779 (age 438.247s) + hex dump (first 16 bytes): + a3 00 6b 6b 6b 6b 6b 6b 88 a5 82 e1 81 88 ff ff ..kkkkkk........ + backtrace: + [<000000008a3b47e3>] team_nl_cmd_options_set+0x88f/0x11b0 + [<00000000c4f4f27e>] genl_family_rcv_msg+0x78f/0x1080 + [<00000000610ef838>] genl_rcv_msg+0xca/0x170 + [<00000000a281df93>] netlink_rcv_skb+0x132/0x380 + [<000000004d9448a2>] genl_rcv+0x29/0x40 + [<000000000321b2f4>] netlink_unicast+0x4c0/0x690 + [<000000008c25dffb>] netlink_sendmsg+0x929/0xe10 + [<00000000068298c5>] sock_sendmsg+0xc8/0x110 + [<0000000082a61ff0>] ___sys_sendmsg+0x77a/0x8f0 + [<00000000663ae29d>] __sys_sendmsg+0xf7/0x250 + [<0000000027c5f11a>] do_syscall_64+0x14d/0x610 + [<000000006cfbc8d3>] entry_SYSCALL_64_after_hwframe+0x49/0xbe + [<00000000e23197e2>] 0xffffffffffffffff +unreferenced object 0xffff8881e182a588 (size 2048): + comm "teamd", pid 3068, jiffies 4294997780 (age 438.247s) + hex dump (first 32 bytes): + 20 00 00 00 02 00 00 00 30 00 00 00 28 f0 ff ff .......0...(... + 07 00 00 00 00 00 00 00 28 00 00 00 00 00 00 00 ........(....... + backtrace: + [<000000002daf01fb>] lb_bpf_func_set+0x45c/0x6d0 + [<000000008a3b47e3>] team_nl_cmd_options_set+0x88f/0x11b0 + [<00000000c4f4f27e>] genl_family_rcv_msg+0x78f/0x1080 + [<00000000610ef838>] genl_rcv_msg+0xca/0x170 + [<00000000a281df93>] netlink_rcv_skb+0x132/0x380 + [<000000004d9448a2>] genl_rcv+0x29/0x40 + [<000000000321b2f4>] netlink_unicast+0x4c0/0x690 + [<000000008c25dffb>] netlink_sendmsg+0x929/0xe10 + [<00000000068298c5>] sock_sendmsg+0xc8/0x110 + [<0000000082a61ff0>] ___sys_sendmsg+0x77a/0x8f0 + [<00000000663ae29d>] __sys_sendmsg+0xf7/0x250 + [<0000000027c5f11a>] do_syscall_64+0x14d/0x610 + [<000000006cfbc8d3>] entry_SYSCALL_64_after_hwframe+0x49/0xbe + [<00000000e23197e2>] 0xffffffffffffffff + +Fixes: 01d7f30a9f96 ("team: add loadbalance mode") +Signed-off-by: Ido Schimmel +Reported-by: Amit Cohen +Acked-by: Jiri Pirko +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/team/team_mode_loadbalance.c | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +--- a/drivers/net/team/team_mode_loadbalance.c ++++ b/drivers/net/team/team_mode_loadbalance.c +@@ -325,6 +325,20 @@ static int lb_bpf_func_set(struct team * + return 0; + } + ++static void lb_bpf_func_free(struct team *team) ++{ ++ struct lb_priv *lb_priv = get_lb_priv(team); ++ struct bpf_prog *fp; ++ ++ if (!lb_priv->ex->orig_fprog) ++ return; ++ ++ __fprog_destroy(lb_priv->ex->orig_fprog); ++ fp = rcu_dereference_protected(lb_priv->fp, ++ lockdep_is_held(&team->lock)); ++ bpf_prog_destroy(fp); ++} ++ + static int lb_tx_method_get(struct team *team, struct team_gsetter_ctx *ctx) + { + struct lb_priv *lb_priv = get_lb_priv(team); +@@ -639,6 +653,7 @@ static void lb_exit(struct team *team) + + team_options_unregister(team, lb_options, + ARRAY_SIZE(lb_options)); ++ lb_bpf_func_free(team); + cancel_delayed_work_sync(&lb_priv->ex->stats.refresh_dw); + free_percpu(lb_priv->pcpu_stats); + kfree(lb_priv->ex); diff --git a/queue-4.20/tipc-fix-race-condition-causing-hung-sendto.patch b/queue-4.20/tipc-fix-race-condition-causing-hung-sendto.patch new file mode 100644 index 00000000000..73ae2f217e4 --- /dev/null +++ b/queue-4.20/tipc-fix-race-condition-causing-hung-sendto.patch @@ -0,0 +1,85 @@ +From foo@baz Fri Mar 8 07:37:54 CET 2019 +From: Tung Nguyen +Date: Mon, 25 Feb 2019 10:57:20 +0700 +Subject: tipc: fix race condition causing hung sendto + +From: Tung Nguyen + +[ Upstream commit bfd07f3dd4f111b884d7922b37eb239280f83d8c ] + +When sending multicast messages via blocking socket, +if sending link is congested (tsk->cong_link_cnt is set to 1), +the sending thread will be put into sleeping state. However, +tipc_sk_filter_rcv() is called under socket spin lock but +tipc_wait_for_cond() is not. So, there is no guarantee that +the setting of tsk->cong_link_cnt to 0 in tipc_sk_proto_rcv() in +CPU-1 will be perceived by CPU-0. If that is the case, the sending +thread in CPU-0 after being waken up, will continue to see +tsk->cong_link_cnt as 1 and put the sending thread into sleeping +state again. The sending thread will sleep forever. + +CPU-0 | CPU-1 +tipc_wait_for_cond() | +{ | + // condition_ = !tsk->cong_link_cnt | + while ((rc_ = !(condition_))) { | + ... | + release_sock(sk_); | + wait_woken(); | + | if (!sock_owned_by_user(sk)) + | tipc_sk_filter_rcv() + | { + | ... + | tipc_sk_proto_rcv() + | { + | ... + | tsk->cong_link_cnt--; + | ... + | sk->sk_write_space(sk); + | ... + | } + | ... + | } + sched_annotate_sleep(); | + lock_sock(sk_); | + remove_wait_queue(); | + } | +} | + +This commit fixes it by adding memory barrier to tipc_sk_proto_rcv() +and tipc_wait_for_cond(). + +Acked-by: Jon Maloy +Signed-off-by: Tung Nguyen +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/tipc/socket.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/net/tipc/socket.c ++++ b/net/tipc/socket.c +@@ -376,11 +376,13 @@ static int tipc_sk_sock_err(struct socke + + #define tipc_wait_for_cond(sock_, timeo_, condition_) \ + ({ \ ++ DEFINE_WAIT_FUNC(wait_, woken_wake_function); \ + struct sock *sk_; \ + int rc_; \ + \ + while ((rc_ = !(condition_))) { \ +- DEFINE_WAIT_FUNC(wait_, woken_wake_function); \ ++ /* coupled with smp_wmb() in tipc_sk_proto_rcv() */ \ ++ smp_rmb(); \ + sk_ = (sock_)->sk; \ + rc_ = tipc_sk_sock_err((sock_), timeo_); \ + if (rc_) \ +@@ -1968,6 +1970,8 @@ static void tipc_sk_proto_rcv(struct soc + return; + case SOCK_WAKEUP: + tipc_dest_del(&tsk->cong_links, msg_orignode(hdr), 0); ++ /* coupled with smp_rmb() in tipc_wait_for_cond() */ ++ smp_wmb(); + tsk->cong_link_cnt--; + wakeup = true; + break; diff --git a/queue-4.20/tipc-fix-rdm-dgram-connect-regression.patch b/queue-4.20/tipc-fix-rdm-dgram-connect-regression.patch new file mode 100644 index 00000000000..67387258ba1 --- /dev/null +++ b/queue-4.20/tipc-fix-rdm-dgram-connect-regression.patch @@ -0,0 +1,36 @@ +From foo@baz Fri Mar 8 07:37:54 CET 2019 +From: Erik Hugne +Date: Mon, 4 Mar 2019 23:26:10 +0100 +Subject: tipc: fix RDM/DGRAM connect() regression + +From: Erik Hugne + +[ Upstream commit 0e63208915a8d7590d0a6218dadb2a6a00ac705a ] + +Fix regression bug introduced in +commit 365ad353c256 ("tipc: reduce risk of user starvation during link +congestion") + +Only signal -EDESTADDRREQ for RDM/DGRAM if we don't have a cached +sockaddr. + +Fixes: 365ad353c256 ("tipc: reduce risk of user starvation during link congestion") +Signed-off-by: Erik Hugne +Signed-off-by: Jon Maloy +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/tipc/socket.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/tipc/socket.c ++++ b/net/tipc/socket.c +@@ -1320,7 +1320,7 @@ static int __tipc_sendmsg(struct socket + + if (unlikely(!dest)) { + dest = &tsk->peer; +- if (!syn || dest->family != AF_TIPC) ++ if (!syn && dest->family != AF_TIPC) + return -EDESTADDRREQ; + } + diff --git a/queue-4.20/tun-fix-blocking-read.patch b/queue-4.20/tun-fix-blocking-read.patch new file mode 100644 index 00000000000..d835c75a547 --- /dev/null +++ b/queue-4.20/tun-fix-blocking-read.patch @@ -0,0 +1,42 @@ +From foo@baz Fri Mar 8 07:37:54 CET 2019 +From: Timur Celik +Date: Sat, 23 Feb 2019 12:53:13 +0100 +Subject: tun: fix blocking read + +From: Timur Celik + +[ Upstream commit 71828b2240692cec0e68b8d867bc00e1745e7fae ] + +This patch moves setting of the current state into the loop. Otherwise +the task may end up in a busy wait loop if none of the break conditions +are met. + +Signed-off-by: Timur Celik +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/tun.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/net/tun.c ++++ b/drivers/net/tun.c +@@ -2147,9 +2147,9 @@ static void *tun_ring_recv(struct tun_fi + } + + add_wait_queue(&tfile->wq.wait, &wait); +- current->state = TASK_INTERRUPTIBLE; + + while (1) { ++ set_current_state(TASK_INTERRUPTIBLE); + ptr = ptr_ring_consume(&tfile->tx_ring); + if (ptr) + break; +@@ -2165,7 +2165,7 @@ static void *tun_ring_recv(struct tun_fi + schedule(); + } + +- current->state = TASK_RUNNING; ++ set_current_state(TASK_RUNNING); + remove_wait_queue(&tfile->wq.wait, &wait); + + out: diff --git a/queue-4.20/tun-remove-unnecessary-memory-barrier.patch b/queue-4.20/tun-remove-unnecessary-memory-barrier.patch new file mode 100644 index 00000000000..3aaeb16a7d0 --- /dev/null +++ b/queue-4.20/tun-remove-unnecessary-memory-barrier.patch @@ -0,0 +1,31 @@ +From foo@baz Fri Mar 8 07:37:54 CET 2019 +From: Timur Celik +Date: Mon, 25 Feb 2019 21:13:13 +0100 +Subject: tun: remove unnecessary memory barrier + +From: Timur Celik + +[ Upstream commit ecef67cb10db7b83b3b71c61dbb29aa070ab0112 ] + +Replace set_current_state with __set_current_state since no memory +barrier is needed at this point. + +Signed-off-by: Timur Celik +Reviewed-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/tun.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/tun.c ++++ b/drivers/net/tun.c +@@ -2165,7 +2165,7 @@ static void *tun_ring_recv(struct tun_fi + schedule(); + } + +- set_current_state(TASK_RUNNING); ++ __set_current_state(TASK_RUNNING); + remove_wait_queue(&tfile->wq.wait, &wait); + + out: diff --git a/queue-4.20/xen-netback-don-t-populate-the-hash-cache-on-xenbus-disconnect.patch b/queue-4.20/xen-netback-don-t-populate-the-hash-cache-on-xenbus-disconnect.patch new file mode 100644 index 00000000000..f445101255b --- /dev/null +++ b/queue-4.20/xen-netback-don-t-populate-the-hash-cache-on-xenbus-disconnect.patch @@ -0,0 +1,55 @@ +From foo@baz Fri Mar 8 07:37:54 CET 2019 +From: Igor Druzhinin +Date: Thu, 28 Feb 2019 14:11:26 +0000 +Subject: xen-netback: don't populate the hash cache on XenBus disconnect + +From: Igor Druzhinin + +[ Upstream commit a2288d4e355992d369c50c45d017a85f6061ff71 ] + +Occasionally, during the disconnection procedure on XenBus which +includes hash cache deinitialization there might be some packets +still in-flight on other processors. Handling of these packets includes +hashing and hash cache population that finally results in hash cache +data structure corruption. + +In order to avoid this we prevent hashing of those packets if there +are no queues initialized. In that case RCU protection of queues guards +the hash cache as well. + +Signed-off-by: Igor Druzhinin +Reviewed-by: Paul Durrant +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/xen-netback/hash.c | 2 ++ + drivers/net/xen-netback/interface.c | 7 +++++++ + 2 files changed, 9 insertions(+) + +--- a/drivers/net/xen-netback/hash.c ++++ b/drivers/net/xen-netback/hash.c +@@ -454,6 +454,8 @@ void xenvif_init_hash(struct xenvif *vif + if (xenvif_hash_cache_size == 0) + return; + ++ BUG_ON(vif->hash.cache.count); ++ + spin_lock_init(&vif->hash.cache.lock); + INIT_LIST_HEAD(&vif->hash.cache.list); + } +--- a/drivers/net/xen-netback/interface.c ++++ b/drivers/net/xen-netback/interface.c +@@ -153,6 +153,13 @@ static u16 xenvif_select_queue(struct ne + { + struct xenvif *vif = netdev_priv(dev); + unsigned int size = vif->hash.size; ++ unsigned int num_queues; ++ ++ /* If queues are not set up internally - always return 0 ++ * as the packet going to be dropped anyway */ ++ num_queues = READ_ONCE(vif->num_queues); ++ if (num_queues < 1) ++ return 0; + + if (vif->hash.alg == XEN_NETIF_CTRL_HASH_ALGORITHM_NONE) + return fallback(dev, skb, NULL) % dev->real_num_tx_queues; diff --git a/queue-4.20/xen-netback-fix-occasional-leak-of-grant-ref-mappings-under-memory-pressure.patch b/queue-4.20/xen-netback-fix-occasional-leak-of-grant-ref-mappings-under-memory-pressure.patch new file mode 100644 index 00000000000..89d6aebb889 --- /dev/null +++ b/queue-4.20/xen-netback-fix-occasional-leak-of-grant-ref-mappings-under-memory-pressure.patch @@ -0,0 +1,64 @@ +From foo@baz Fri Mar 8 07:37:54 CET 2019 +From: Igor Druzhinin +Date: Thu, 28 Feb 2019 12:48:03 +0000 +Subject: xen-netback: fix occasional leak of grant ref mappings under memory pressure + +From: Igor Druzhinin + +[ Upstream commit 99e87f56b48f490fb16b6e0f74691c1e664dea95 ] + +Zero-copy callback flag is not yet set on frag list skb at the moment +xenvif_handle_frag_list() returns -ENOMEM. This eventually results in +leaking grant ref mappings since xenvif_zerocopy_callback() is never +called for these fragments. Those eventually build up and cause Xen +to kill Dom0 as the slots get reused for new mappings: + +"d0v0 Attempt to implicitly unmap a granted PTE c010000329fce005" + +That behavior is observed under certain workloads where sudden spikes +of page cache writes coexist with active atomic skb allocations from +network traffic. Additionally, rework the logic to deal with frag_list +deallocation in a single place. + +Signed-off-by: Paul Durrant +Signed-off-by: Igor Druzhinin +Acked-by: Wei Liu +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/xen-netback/netback.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +--- a/drivers/net/xen-netback/netback.c ++++ b/drivers/net/xen-netback/netback.c +@@ -1072,11 +1072,6 @@ static int xenvif_handle_frag_list(struc + skb_frag_size_set(&frags[i], len); + } + +- /* Copied all the bits from the frag list -- free it. */ +- skb_frag_list_init(skb); +- xenvif_skb_zerocopy_prepare(queue, nskb); +- kfree_skb(nskb); +- + /* Release all the original (foreign) frags. */ + for (f = 0; f < skb_shinfo(skb)->nr_frags; f++) + skb_frag_unref(skb, f); +@@ -1145,6 +1140,8 @@ static int xenvif_tx_submit(struct xenvi + xenvif_fill_frags(queue, skb); + + if (unlikely(skb_has_frag_list(skb))) { ++ struct sk_buff *nskb = skb_shinfo(skb)->frag_list; ++ xenvif_skb_zerocopy_prepare(queue, nskb); + if (xenvif_handle_frag_list(queue, skb)) { + if (net_ratelimit()) + netdev_err(queue->vif->dev, +@@ -1153,6 +1150,9 @@ static int xenvif_tx_submit(struct xenvi + kfree_skb(skb); + continue; + } ++ /* Copied all the bits from the frag list -- free it. */ ++ skb_frag_list_init(skb); ++ kfree_skb(nskb); + } + + skb->dev = queue->vif->dev;