From: Greg Kroah-Hartman Date: Wed, 7 Feb 2018 19:30:54 +0000 (-0800) Subject: 4.14-stable patches X-Git-Tag: v4.15.3~24 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=8f7552c4004a66243492e722d6ed4beae00618ba;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: ip6mr-fix-stale-iterator.patch ipv6-fix-so_reuseport-udp-socket-with-implicit-sk_ipv6only.patch net-igmp-add-a-missing-rcu-locking-section.patch net-ipv6-send-unsolicited-na-after-dad.patch qlcnic-fix-deadlock-bug.patch qmi_wwan-add-support-for-quectel-ep06.patch r8169-fix-rtl8168ep-take-too-long-to-complete-driver-initialization.patch revert-defer-call-to-mem_cgroup_sk_alloc.patch rocker-fix-possible-null-pointer-dereference-in-rocker_router_fib_event_work.patch soreuseport-fix-mem-leak-in-reuseport_add_sock.patch tcp-release-sk_frag.page-in-tcp_disconnect.patch tcp_bbr-fix-pacing_gain-to-always-be-unity-when-using-lt_bw.patch vhost_net-stop-device-during-reset-owner.patch --- diff --git a/queue-4.14/ip6mr-fix-stale-iterator.patch b/queue-4.14/ip6mr-fix-stale-iterator.patch new file mode 100644 index 00000000000..6c9db038cc2 --- /dev/null +++ b/queue-4.14/ip6mr-fix-stale-iterator.patch @@ -0,0 +1,114 @@ +From foo@baz Wed Feb 7 11:29:20 PST 2018 +From: Nikolay Aleksandrov +Date: Wed, 31 Jan 2018 16:29:30 +0200 +Subject: ip6mr: fix stale iterator + +From: Nikolay Aleksandrov + + +[ Upstream commit 4adfa79fc254efb7b0eb3cd58f62c2c3f805f1ba ] + +When we dump the ip6mr mfc entries via proc, we initialize an iterator +with the table to dump but we don't clear the cache pointer which might +be initialized from a prior read on the same descriptor that ended. This +can result in lock imbalance (an unnecessary unlock) leading to other +crashes and hangs. Clear the cache pointer like ipmr does to fix the issue. +Thanks for the reliable reproducer. + +Here's syzbot's trace: + WARNING: bad unlock balance detected! + 4.15.0-rc3+ #128 Not tainted + syzkaller971460/3195 is trying to release lock (mrt_lock) at: + [<000000006898068d>] ipmr_mfc_seq_stop+0xe1/0x130 net/ipv6/ip6mr.c:553 + but there are no more locks to release! + + other info that might help us debug this: + 1 lock held by syzkaller971460/3195: + #0: (&p->lock){+.+.}, at: [<00000000744a6565>] seq_read+0xd5/0x13d0 + fs/seq_file.c:165 + + stack backtrace: + CPU: 1 PID: 3195 Comm: syzkaller971460 Not tainted 4.15.0-rc3+ #128 + Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS + Google 01/01/2011 + Call Trace: + __dump_stack lib/dump_stack.c:17 [inline] + dump_stack+0x194/0x257 lib/dump_stack.c:53 + print_unlock_imbalance_bug+0x12f/0x140 kernel/locking/lockdep.c:3561 + __lock_release kernel/locking/lockdep.c:3775 [inline] + lock_release+0x5f9/0xda0 kernel/locking/lockdep.c:4023 + __raw_read_unlock include/linux/rwlock_api_smp.h:225 [inline] + _raw_read_unlock+0x1a/0x30 kernel/locking/spinlock.c:255 + ipmr_mfc_seq_stop+0xe1/0x130 net/ipv6/ip6mr.c:553 + traverse+0x3bc/0xa00 fs/seq_file.c:135 + seq_read+0x96a/0x13d0 fs/seq_file.c:189 + proc_reg_read+0xef/0x170 fs/proc/inode.c:217 + do_loop_readv_writev fs/read_write.c:673 [inline] + do_iter_read+0x3db/0x5b0 fs/read_write.c:897 + compat_readv+0x1bf/0x270 fs/read_write.c:1140 + do_compat_preadv64+0xdc/0x100 fs/read_write.c:1189 + C_SYSC_preadv fs/read_write.c:1209 [inline] + compat_SyS_preadv+0x3b/0x50 fs/read_write.c:1203 + do_syscall_32_irqs_on arch/x86/entry/common.c:327 [inline] + do_fast_syscall_32+0x3ee/0xf9d arch/x86/entry/common.c:389 + entry_SYSENTER_compat+0x51/0x60 arch/x86/entry/entry_64_compat.S:125 + RIP: 0023:0xf7f73c79 + RSP: 002b:00000000e574a15c EFLAGS: 00000292 ORIG_RAX: 000000000000014d + RAX: ffffffffffffffda RBX: 000000000000000f RCX: 0000000020a3afb0 + RDX: 0000000000000001 RSI: 0000000000000067 RDI: 0000000000000000 + RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 + R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 + R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 + BUG: sleeping function called from invalid context at lib/usercopy.c:25 + in_atomic(): 1, irqs_disabled(): 0, pid: 3195, name: syzkaller971460 + INFO: lockdep is turned off. + CPU: 1 PID: 3195 Comm: syzkaller971460 Not tainted 4.15.0-rc3+ #128 + Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS + Google 01/01/2011 + Call Trace: + __dump_stack lib/dump_stack.c:17 [inline] + dump_stack+0x194/0x257 lib/dump_stack.c:53 + ___might_sleep+0x2b2/0x470 kernel/sched/core.c:6060 + __might_sleep+0x95/0x190 kernel/sched/core.c:6013 + __might_fault+0xab/0x1d0 mm/memory.c:4525 + _copy_to_user+0x2c/0xc0 lib/usercopy.c:25 + copy_to_user include/linux/uaccess.h:155 [inline] + seq_read+0xcb4/0x13d0 fs/seq_file.c:279 + proc_reg_read+0xef/0x170 fs/proc/inode.c:217 + do_loop_readv_writev fs/read_write.c:673 [inline] + do_iter_read+0x3db/0x5b0 fs/read_write.c:897 + compat_readv+0x1bf/0x270 fs/read_write.c:1140 + do_compat_preadv64+0xdc/0x100 fs/read_write.c:1189 + C_SYSC_preadv fs/read_write.c:1209 [inline] + compat_SyS_preadv+0x3b/0x50 fs/read_write.c:1203 + do_syscall_32_irqs_on arch/x86/entry/common.c:327 [inline] + do_fast_syscall_32+0x3ee/0xf9d arch/x86/entry/common.c:389 + entry_SYSENTER_compat+0x51/0x60 arch/x86/entry/entry_64_compat.S:125 + RIP: 0023:0xf7f73c79 + RSP: 002b:00000000e574a15c EFLAGS: 00000292 ORIG_RAX: 000000000000014d + RAX: ffffffffffffffda RBX: 000000000000000f RCX: 0000000020a3afb0 + RDX: 0000000000000001 RSI: 0000000000000067 RDI: 0000000000000000 + RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 + R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 + R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 + WARNING: CPU: 1 PID: 3195 at lib/usercopy.c:26 _copy_to_user+0xb5/0xc0 + lib/usercopy.c:26 + +Reported-by: syzbot +Signed-off-by: Nikolay Aleksandrov +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/ip6mr.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/ipv6/ip6mr.c ++++ b/net/ipv6/ip6mr.c +@@ -496,6 +496,7 @@ static void *ipmr_mfc_seq_start(struct s + return ERR_PTR(-ENOENT); + + it->mrt = mrt; ++ it->cache = NULL; + return *pos ? ipmr_mfc_seq_idx(net, seq->private, *pos - 1) + : SEQ_START_TOKEN; + } diff --git a/queue-4.14/ipv6-fix-so_reuseport-udp-socket-with-implicit-sk_ipv6only.patch b/queue-4.14/ipv6-fix-so_reuseport-udp-socket-with-implicit-sk_ipv6only.patch new file mode 100644 index 00000000000..52656395ec9 --- /dev/null +++ b/queue-4.14/ipv6-fix-so_reuseport-udp-socket-with-implicit-sk_ipv6only.patch @@ -0,0 +1,82 @@ +From foo@baz Wed Feb 7 11:29:20 PST 2018 +From: Martin KaFai Lau +Date: Wed, 24 Jan 2018 23:15:27 -0800 +Subject: ipv6: Fix SO_REUSEPORT UDP socket with implicit sk_ipv6only + +From: Martin KaFai Lau + + +[ Upstream commit 7ece54a60ee2ba7a386308cae73c790bd580589c ] + +If a sk_v6_rcv_saddr is !IPV6_ADDR_ANY and !IPV6_ADDR_MAPPED, it +implicitly implies it is an ipv6only socket. However, in inet6_bind(), +this addr_type checking and setting sk->sk_ipv6only to 1 are only done +after sk->sk_prot->get_port(sk, snum) has been completed successfully. + +This inconsistency between sk_v6_rcv_saddr and sk_ipv6only confuses +the 'get_port()'. + +In particular, when binding SO_REUSEPORT UDP sockets, +udp_reuseport_add_sock(sk,...) is called. udp_reuseport_add_sock() +checks "ipv6_only_sock(sk2) == ipv6_only_sock(sk)" before adding sk to +sk2->sk_reuseport_cb. In this case, ipv6_only_sock(sk2) could be +1 while ipv6_only_sock(sk) is still 0 here. The end result is, +reuseport_alloc(sk) is called instead of adding sk to the existing +sk2->sk_reuseport_cb. + +It can be reproduced by binding two SO_REUSEPORT UDP sockets on an +IPv6 address (!ANY and !MAPPED). Only one of the socket will +receive packet. + +The fix is to set the implicit sk_ipv6only before calling get_port(). +The original sk_ipv6only has to be saved such that it can be restored +in case get_port() failed. The situation is similar to the +inet_reset_saddr(sk) after get_port() has failed. + +Thanks to Calvin Owens who created an easy +reproduction which leads to a fix. + +Fixes: e32ea7e74727 ("soreuseport: fast reuseport UDP socket selection") +Signed-off-by: Martin KaFai Lau +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/af_inet6.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +--- a/net/ipv6/af_inet6.c ++++ b/net/ipv6/af_inet6.c +@@ -284,6 +284,7 @@ int inet6_bind(struct socket *sock, stru + struct net *net = sock_net(sk); + __be32 v4addr = 0; + unsigned short snum; ++ bool saved_ipv6only; + int addr_type = 0; + int err = 0; + +@@ -389,19 +390,21 @@ int inet6_bind(struct socket *sock, stru + if (!(addr_type & IPV6_ADDR_MULTICAST)) + np->saddr = addr->sin6_addr; + ++ saved_ipv6only = sk->sk_ipv6only; ++ if (addr_type != IPV6_ADDR_ANY && addr_type != IPV6_ADDR_MAPPED) ++ sk->sk_ipv6only = 1; ++ + /* Make sure we are allowed to bind here. */ + if ((snum || !inet->bind_address_no_port) && + sk->sk_prot->get_port(sk, snum)) { ++ sk->sk_ipv6only = saved_ipv6only; + inet_reset_saddr(sk); + err = -EADDRINUSE; + goto out; + } + +- if (addr_type != IPV6_ADDR_ANY) { ++ if (addr_type != IPV6_ADDR_ANY) + sk->sk_userlocks |= SOCK_BINDADDR_LOCK; +- if (addr_type != IPV6_ADDR_MAPPED) +- sk->sk_ipv6only = 1; +- } + if (snum) + sk->sk_userlocks |= SOCK_BINDPORT_LOCK; + inet->inet_sport = htons(inet->inet_num); diff --git a/queue-4.14/net-igmp-add-a-missing-rcu-locking-section.patch b/queue-4.14/net-igmp-add-a-missing-rcu-locking-section.patch new file mode 100644 index 00000000000..c41d92f4f67 --- /dev/null +++ b/queue-4.14/net-igmp-add-a-missing-rcu-locking-section.patch @@ -0,0 +1,81 @@ +From foo@baz Wed Feb 7 11:29:20 PST 2018 +From: Eric Dumazet +Date: Thu, 1 Feb 2018 10:26:57 -0800 +Subject: net: igmp: add a missing rcu locking section + +From: Eric Dumazet + + +[ Upstream commit e7aadb27a5415e8125834b84a74477bfbee4eff5 ] + +Newly added igmpv3_get_srcaddr() needs to be called under rcu lock. + +Timer callbacks do not ensure this locking. + +============================= +WARNING: suspicious RCU usage +4.15.0+ #200 Not tainted +----------------------------- +./include/linux/inetdevice.h:216 suspicious rcu_dereference_check() usage! + +other info that might help us debug this: + +rcu_scheduler_active = 2, debug_locks = 1 +3 locks held by syzkaller616973/4074: + #0: (&mm->mmap_sem){++++}, at: [<00000000bfce669e>] __do_page_fault+0x32d/0xc90 arch/x86/mm/fault.c:1355 + #1: ((&im->timer)){+.-.}, at: [<00000000619d2f71>] lockdep_copy_map include/linux/lockdep.h:178 [inline] + #1: ((&im->timer)){+.-.}, at: [<00000000619d2f71>] call_timer_fn+0x1c6/0x820 kernel/time/timer.c:1316 + #2: (&(&im->lock)->rlock){+.-.}, at: [<000000005f833c5c>] spin_lock_bh include/linux/spinlock.h:315 [inline] + #2: (&(&im->lock)->rlock){+.-.}, at: [<000000005f833c5c>] igmpv3_send_report+0x98/0x5b0 net/ipv4/igmp.c:600 + +stack backtrace: +CPU: 0 PID: 4074 Comm: syzkaller616973 Not tainted 4.15.0+ #200 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + + __dump_stack lib/dump_stack.c:17 [inline] + dump_stack+0x194/0x257 lib/dump_stack.c:53 + lockdep_rcu_suspicious+0x123/0x170 kernel/locking/lockdep.c:4592 + __in_dev_get_rcu include/linux/inetdevice.h:216 [inline] + igmpv3_get_srcaddr net/ipv4/igmp.c:329 [inline] + igmpv3_newpack+0xeef/0x12e0 net/ipv4/igmp.c:389 + add_grhead.isra.27+0x235/0x300 net/ipv4/igmp.c:432 + add_grec+0xbd3/0x1170 net/ipv4/igmp.c:565 + igmpv3_send_report+0xd5/0x5b0 net/ipv4/igmp.c:605 + igmp_send_report+0xc43/0x1050 net/ipv4/igmp.c:722 + igmp_timer_expire+0x322/0x5c0 net/ipv4/igmp.c:831 + call_timer_fn+0x228/0x820 kernel/time/timer.c:1326 + expire_timers kernel/time/timer.c:1363 [inline] + __run_timers+0x7ee/0xb70 kernel/time/timer.c:1666 + run_timer_softirq+0x4c/0x70 kernel/time/timer.c:1692 + __do_softirq+0x2d7/0xb85 kernel/softirq.c:285 + invoke_softirq kernel/softirq.c:365 [inline] + irq_exit+0x1cc/0x200 kernel/softirq.c:405 + exiting_irq arch/x86/include/asm/apic.h:541 [inline] + smp_apic_timer_interrupt+0x16b/0x700 arch/x86/kernel/apic/apic.c:1052 + apic_timer_interrupt+0xa9/0xb0 arch/x86/entry/entry_64.S:938 + +Fixes: a46182b00290 ("net: igmp: Use correct source address on IGMPv3 reports") +Signed-off-by: Eric Dumazet +Reported-by: syzbot + +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/igmp.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/net/ipv4/igmp.c ++++ b/net/ipv4/igmp.c +@@ -386,7 +386,11 @@ static struct sk_buff *igmpv3_newpack(st + pip->frag_off = htons(IP_DF); + pip->ttl = 1; + pip->daddr = fl4.daddr; ++ ++ rcu_read_lock(); + pip->saddr = igmpv3_get_srcaddr(dev, &fl4); ++ rcu_read_unlock(); ++ + pip->protocol = IPPROTO_IGMP; + pip->tot_len = 0; /* filled in later */ + ip_select_ident(net, skb, NULL); diff --git a/queue-4.14/net-ipv6-send-unsolicited-na-after-dad.patch b/queue-4.14/net-ipv6-send-unsolicited-na-after-dad.patch new file mode 100644 index 00000000000..836e063019a --- /dev/null +++ b/queue-4.14/net-ipv6-send-unsolicited-na-after-dad.patch @@ -0,0 +1,119 @@ +From foo@baz Wed Feb 7 11:29:20 PST 2018 +From: David Ahern +Date: Thu, 25 Jan 2018 20:16:29 -0800 +Subject: net: ipv6: send unsolicited NA after DAD + +From: David Ahern + + +[ Upstream commit c76fe2d98c726224a975a0d0198c3fb50406d325 ] + +Unsolicited IPv6 neighbor advertisements should be sent after DAD +completes. Update ndisc_send_unsol_na to skip tentative, non-optimistic +addresses and have those sent by addrconf_dad_completed after DAD. + +Fixes: 4a6e3c5def13c ("net: ipv6: send unsolicited NA on admin up") +Reported-by: Vivek Venkatraman +Signed-off-by: David Ahern +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/addrconf.c | 30 ++++++++++++++++++++++++++---- + net/ipv6/ndisc.c | 5 +++++ + 2 files changed, 31 insertions(+), 4 deletions(-) + +--- a/net/ipv6/addrconf.c ++++ b/net/ipv6/addrconf.c +@@ -184,7 +184,8 @@ static struct rt6_info *addrconf_get_pre + + static void addrconf_dad_start(struct inet6_ifaddr *ifp); + static void addrconf_dad_work(struct work_struct *w); +-static void addrconf_dad_completed(struct inet6_ifaddr *ifp, bool bump_id); ++static void addrconf_dad_completed(struct inet6_ifaddr *ifp, bool bump_id, ++ bool send_na); + static void addrconf_dad_run(struct inet6_dev *idev); + static void addrconf_rs_timer(unsigned long data); + static void __ipv6_ifa_notify(int event, struct inet6_ifaddr *ifa); +@@ -3825,12 +3826,17 @@ static void addrconf_dad_begin(struct in + idev->cnf.accept_dad < 1) || + !(ifp->flags&IFA_F_TENTATIVE) || + ifp->flags & IFA_F_NODAD) { ++ bool send_na = false; ++ ++ if (ifp->flags & IFA_F_TENTATIVE && ++ !(ifp->flags & IFA_F_OPTIMISTIC)) ++ send_na = true; + bump_id = ifp->flags & IFA_F_TENTATIVE; + ifp->flags &= ~(IFA_F_TENTATIVE|IFA_F_OPTIMISTIC|IFA_F_DADFAILED); + spin_unlock(&ifp->lock); + read_unlock_bh(&idev->lock); + +- addrconf_dad_completed(ifp, bump_id); ++ addrconf_dad_completed(ifp, bump_id, send_na); + return; + } + +@@ -3959,16 +3965,21 @@ static void addrconf_dad_work(struct wor + } + + if (ifp->dad_probes == 0) { ++ bool send_na = false; ++ + /* + * DAD was successful + */ + ++ if (ifp->flags & IFA_F_TENTATIVE && ++ !(ifp->flags & IFA_F_OPTIMISTIC)) ++ send_na = true; + bump_id = ifp->flags & IFA_F_TENTATIVE; + ifp->flags &= ~(IFA_F_TENTATIVE|IFA_F_OPTIMISTIC|IFA_F_DADFAILED); + spin_unlock(&ifp->lock); + write_unlock_bh(&idev->lock); + +- addrconf_dad_completed(ifp, bump_id); ++ addrconf_dad_completed(ifp, bump_id, send_na); + + goto out; + } +@@ -4006,7 +4017,8 @@ static bool ipv6_lonely_lladdr(struct in + return true; + } + +-static void addrconf_dad_completed(struct inet6_ifaddr *ifp, bool bump_id) ++static void addrconf_dad_completed(struct inet6_ifaddr *ifp, bool bump_id, ++ bool send_na) + { + struct net_device *dev = ifp->idev->dev; + struct in6_addr lladdr; +@@ -4038,6 +4050,16 @@ static void addrconf_dad_completed(struc + if (send_mld) + ipv6_mc_dad_complete(ifp->idev); + ++ /* send unsolicited NA if enabled */ ++ if (send_na && ++ (ifp->idev->cnf.ndisc_notify || ++ dev_net(dev)->ipv6.devconf_all->ndisc_notify)) { ++ ndisc_send_na(dev, &in6addr_linklocal_allnodes, &ifp->addr, ++ /*router=*/ !!ifp->idev->cnf.forwarding, ++ /*solicited=*/ false, /*override=*/ true, ++ /*inc_opt=*/ true); ++ } ++ + if (send_rs) { + /* + * If a host as already performed a random delay +--- a/net/ipv6/ndisc.c ++++ b/net/ipv6/ndisc.c +@@ -558,6 +558,11 @@ static void ndisc_send_unsol_na(struct n + + read_lock_bh(&idev->lock); + list_for_each_entry(ifa, &idev->addr_list, if_list) { ++ /* skip tentative addresses until dad completes */ ++ if (ifa->flags & IFA_F_TENTATIVE && ++ !(ifa->flags & IFA_F_OPTIMISTIC)) ++ continue; ++ + ndisc_send_na(dev, &in6addr_linklocal_allnodes, &ifa->addr, + /*router=*/ !!idev->cnf.forwarding, + /*solicited=*/ false, /*override=*/ true, diff --git a/queue-4.14/qlcnic-fix-deadlock-bug.patch b/queue-4.14/qlcnic-fix-deadlock-bug.patch new file mode 100644 index 00000000000..160a2bf6ba9 --- /dev/null +++ b/queue-4.14/qlcnic-fix-deadlock-bug.patch @@ -0,0 +1,191 @@ +From foo@baz Wed Feb 7 11:29:20 PST 2018 +From: Junxiao Bi +Date: Mon, 29 Jan 2018 17:53:42 +0800 +Subject: qlcnic: fix deadlock bug + +From: Junxiao Bi + + +[ Upstream commit 233ac3891607f501f08879134d623b303838f478 ] + +The following soft lockup was caught. This is a deadlock caused by +recusive locking. + +Process kworker/u40:1:28016 was holding spin lock "mbx->queue_lock" in +qlcnic_83xx_mailbox_worker(), while a softirq came in and ask the same spin +lock in qlcnic_83xx_enqueue_mbx_cmd(). This lock should be hold by disable +bh.. + +[161846.962125] NMI watchdog: BUG: soft lockup - CPU#1 stuck for 22s! [kworker/u40:1:28016] +[161846.962367] Modules linked in: tun ocfs2 xen_netback xen_blkback xen_gntalloc xen_gntdev xen_evtchn xenfs xen_privcmd autofs4 ocfs2_dlmfs ocfs2_stack_o2cb ocfs2_dlm ocfs2_nodemanager ocfs2_stackglue configfs bnx2fc fcoe libfcoe libfc sunrpc 8021q mrp garp bridge stp llc bonding dm_round_robin dm_multipath iTCO_wdt iTCO_vendor_support pcspkr sb_edac edac_core i2c_i801 shpchp lpc_ich mfd_core ioatdma ipmi_devintf ipmi_si ipmi_msghandler sg ext4 jbd2 mbcache2 sr_mod cdrom sd_mod igb i2c_algo_bit i2c_core ahci libahci megaraid_sas ixgbe dca ptp pps_core vxlan udp_tunnel ip6_udp_tunnel qla2xxx scsi_transport_fc qlcnic crc32c_intel be2iscsi bnx2i cnic uio cxgb4i cxgb4 cxgb3i libcxgbi ipv6 cxgb3 mdio libiscsi_tcp qla4xxx iscsi_boot_sysfs libiscsi scsi_transport_iscsi dm_mirror dm_region_hash dm_log dm_mod +[161846.962454] +[161846.962460] CPU: 1 PID: 28016 Comm: kworker/u40:1 Not tainted 4.1.12-94.5.9.el6uek.x86_64 #2 +[161846.962463] Hardware name: Oracle Corporation SUN SERVER X4-2L /ASSY,MB,X4-2L , BIOS 26050100 09/19/2017 +[161846.962489] Workqueue: qlcnic_mailbox qlcnic_83xx_mailbox_worker [qlcnic] +[161846.962493] task: ffff8801f2e34600 ti: ffff88004ca5c000 task.ti: ffff88004ca5c000 +[161846.962496] RIP: e030:[] [] xen_hypercall_sched_op+0xa/0x20 +[161846.962506] RSP: e02b:ffff880202e43388 EFLAGS: 00000206 +[161846.962509] RAX: 0000000000000000 RBX: ffff8801f6996b70 RCX: ffffffff810013aa +[161846.962511] RDX: ffff880202e433cc RSI: ffff880202e433b0 RDI: 0000000000000003 +[161846.962513] RBP: ffff880202e433d0 R08: 0000000000000000 R09: ffff8801fe893200 +[161846.962516] R10: ffff8801fe400538 R11: 0000000000000206 R12: ffff880202e4b000 +[161846.962518] R13: 0000000000000050 R14: 0000000000000001 R15: 000000000000020d +[161846.962528] FS: 0000000000000000(0000) GS:ffff880202e40000(0000) knlGS:ffff880202e40000 +[161846.962531] CS: e033 DS: 0000 ES: 0000 CR0: 0000000080050033 +[161846.962533] CR2: 0000000002612640 CR3: 00000001bb796000 CR4: 0000000000042660 +[161846.962536] Stack: +[161846.962538] ffff880202e43608 0000000000000000 ffffffff813f0442 ffff880202e433b0 +[161846.962543] 0000000000000000 ffff880202e433cc ffffffff00000001 0000000000000000 +[161846.962547] 00000009813f03d6 ffff880202e433e0 ffffffff813f0460 ffff880202e43440 +[161846.962552] Call Trace: +[161846.962555] +[161846.962565] [] ? xen_poll_irq_timeout+0x42/0x50 +[161846.962570] [] xen_poll_irq+0x10/0x20 +[161846.962578] [] xen_lock_spinning+0xe2/0x110 +[161846.962583] [] __raw_callee_save_xen_lock_spinning+0x11/0x20 +[161846.962592] [] ? _raw_spin_lock+0x57/0x80 +[161846.962609] [] qlcnic_83xx_enqueue_mbx_cmd+0x7c/0xe0 [qlcnic] +[161846.962623] [] qlcnic_83xx_issue_cmd+0x58/0x210 [qlcnic] +[161846.962636] [] qlcnic_83xx_sre_macaddr_change+0x162/0x1d0 [qlcnic] +[161846.962649] [] qlcnic_83xx_change_l2_filter+0x2b/0x30 [qlcnic] +[161846.962657] [] ? __skb_flow_dissect+0x18b/0x650 +[161846.962670] [] qlcnic_send_filter+0x205/0x250 [qlcnic] +[161846.962682] [] qlcnic_xmit_frame+0x547/0x7b0 [qlcnic] +[161846.962691] [] xmit_one+0x82/0x1a0 +[161846.962696] [] dev_hard_start_xmit+0x50/0xa0 +[161846.962701] [] sch_direct_xmit+0x112/0x220 +[161846.962706] [] __dev_queue_xmit+0x1df/0x5e0 +[161846.962710] [] dev_queue_xmit_sk+0x13/0x20 +[161846.962721] [] bond_dev_queue_xmit+0x35/0x80 [bonding] +[161846.962729] [] __bond_start_xmit+0x1cb/0x210 [bonding] +[161846.962736] [] bond_start_xmit+0x31/0x60 [bonding] +[161846.962740] [] xmit_one+0x82/0x1a0 +[161846.962745] [] dev_hard_start_xmit+0x50/0xa0 +[161846.962749] [] __dev_queue_xmit+0x4ee/0x5e0 +[161846.962754] [] dev_queue_xmit_sk+0x13/0x20 +[161846.962760] [] vlan_dev_hard_start_xmit+0xb2/0x150 [8021q] +[161846.962764] [] xmit_one+0x82/0x1a0 +[161846.962769] [] dev_hard_start_xmit+0x50/0xa0 +[161846.962773] [] __dev_queue_xmit+0x4ee/0x5e0 +[161846.962777] [] dev_queue_xmit_sk+0x13/0x20 +[161846.962789] [] br_dev_queue_push_xmit+0x54/0xa0 [bridge] +[161846.962797] [] br_forward_finish+0x2f/0x90 [bridge] +[161846.962807] [] ? ttwu_do_wakeup+0x1d/0x100 +[161846.962811] [] ? __alloc_skb+0x8b/0x1f0 +[161846.962818] [] __br_forward+0x8d/0x120 [bridge] +[161846.962822] [] ? __kmalloc_reserve+0x3b/0xa0 +[161846.962829] [] ? update_rq_runnable_avg+0xee/0x230 +[161846.962836] [] br_forward+0x96/0xb0 [bridge] +[161846.962845] [] br_handle_frame_finish+0x1ae/0x420 [bridge] +[161846.962853] [] br_handle_frame+0x17f/0x260 [bridge] +[161846.962862] [] ? br_handle_frame_finish+0x420/0x420 [bridge] +[161846.962867] [] __netif_receive_skb_core+0x1f7/0x870 +[161846.962872] [] __netif_receive_skb+0x22/0x70 +[161846.962877] [] netif_receive_skb_internal+0x23/0x90 +[161846.962884] [] ? xenvif_idx_release+0xea/0x100 [xen_netback] +[161846.962889] [] ? _raw_spin_unlock_irqrestore+0x20/0x50 +[161846.962893] [] netif_receive_skb_sk+0x24/0x90 +[161846.962899] [] xenvif_tx_submit+0x2ca/0x3f0 [xen_netback] +[161846.962906] [] xenvif_tx_action+0x9c/0xd0 [xen_netback] +[161846.962915] [] xenvif_poll+0x35/0x70 [xen_netback] +[161846.962920] [] napi_poll+0xcb/0x1e0 +[161846.962925] [] net_rx_action+0x90/0x1c0 +[161846.962931] [] __do_softirq+0x10a/0x350 +[161846.962938] [] irq_exit+0x125/0x130 +[161846.962943] [] xen_evtchn_do_upcall+0x39/0x50 +[161846.962950] [] xen_do_hypervisor_callback+0x1e/0x40 +[161846.962952] +[161846.962959] [] ? _raw_spin_lock+0x4a/0x80 +[161846.962964] [] ? _raw_spin_lock_irqsave+0x1e/0xa0 +[161846.962978] [] ? qlcnic_83xx_mailbox_worker+0xb9/0x2a0 [qlcnic] +[161846.962991] [] ? process_one_work+0x151/0x4b0 +[161846.962995] [] ? check_events+0x12/0x20 +[161846.963001] [] ? worker_thread+0x120/0x480 +[161846.963005] [] ? __schedule+0x30b/0x890 +[161846.963010] [] ? process_one_work+0x4b0/0x4b0 +[161846.963015] [] ? process_one_work+0x4b0/0x4b0 +[161846.963021] [] ? kthread+0xce/0xf0 +[161846.963025] [] ? kthread_freezable_should_stop+0x70/0x70 +[161846.963031] [] ? ret_from_fork+0x42/0x70 +[161846.963035] [] ? kthread_freezable_should_stop+0x70/0x70 +[161846.963037] Code: cc 51 41 53 b8 1c 00 00 00 0f 05 41 5b 59 c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 51 41 53 b8 1d 00 00 00 0f 05 <41> 5b 59 c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc + +Signed-off-by: Junxiao Bi +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c | 18 +++++++++--------- + 1 file changed, 9 insertions(+), 9 deletions(-) + +--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c ++++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c +@@ -3891,7 +3891,7 @@ static void qlcnic_83xx_flush_mbx_queue( + struct list_head *head = &mbx->cmd_q; + struct qlcnic_cmd_args *cmd = NULL; + +- spin_lock(&mbx->queue_lock); ++ spin_lock_bh(&mbx->queue_lock); + + while (!list_empty(head)) { + cmd = list_entry(head->next, struct qlcnic_cmd_args, list); +@@ -3902,7 +3902,7 @@ static void qlcnic_83xx_flush_mbx_queue( + qlcnic_83xx_notify_cmd_completion(adapter, cmd); + } + +- spin_unlock(&mbx->queue_lock); ++ spin_unlock_bh(&mbx->queue_lock); + } + + static int qlcnic_83xx_check_mbx_status(struct qlcnic_adapter *adapter) +@@ -3938,12 +3938,12 @@ static void qlcnic_83xx_dequeue_mbx_cmd( + { + struct qlcnic_mailbox *mbx = adapter->ahw->mailbox; + +- spin_lock(&mbx->queue_lock); ++ spin_lock_bh(&mbx->queue_lock); + + list_del(&cmd->list); + mbx->num_cmds--; + +- spin_unlock(&mbx->queue_lock); ++ spin_unlock_bh(&mbx->queue_lock); + + qlcnic_83xx_notify_cmd_completion(adapter, cmd); + } +@@ -4008,7 +4008,7 @@ static int qlcnic_83xx_enqueue_mbx_cmd(s + init_completion(&cmd->completion); + cmd->rsp_opcode = QLC_83XX_MBX_RESPONSE_UNKNOWN; + +- spin_lock(&mbx->queue_lock); ++ spin_lock_bh(&mbx->queue_lock); + + list_add_tail(&cmd->list, &mbx->cmd_q); + mbx->num_cmds++; +@@ -4016,7 +4016,7 @@ static int qlcnic_83xx_enqueue_mbx_cmd(s + *timeout = cmd->total_cmds * QLC_83XX_MBX_TIMEOUT; + queue_work(mbx->work_q, &mbx->work); + +- spin_unlock(&mbx->queue_lock); ++ spin_unlock_bh(&mbx->queue_lock); + + return 0; + } +@@ -4112,15 +4112,15 @@ static void qlcnic_83xx_mailbox_worker(s + mbx->rsp_status = QLC_83XX_MBX_RESPONSE_WAIT; + spin_unlock_irqrestore(&mbx->aen_lock, flags); + +- spin_lock(&mbx->queue_lock); ++ spin_lock_bh(&mbx->queue_lock); + + if (list_empty(head)) { +- spin_unlock(&mbx->queue_lock); ++ spin_unlock_bh(&mbx->queue_lock); + return; + } + cmd = list_entry(head->next, struct qlcnic_cmd_args, list); + +- spin_unlock(&mbx->queue_lock); ++ spin_unlock_bh(&mbx->queue_lock); + + mbx_ops->encode_cmd(adapter, cmd); + mbx_ops->nofity_fw(adapter, QLC_83XX_MBX_REQUEST); diff --git a/queue-4.14/qmi_wwan-add-support-for-quectel-ep06.patch b/queue-4.14/qmi_wwan-add-support-for-quectel-ep06.patch new file mode 100644 index 00000000000..e70a3f7f7b6 --- /dev/null +++ b/queue-4.14/qmi_wwan-add-support-for-quectel-ep06.patch @@ -0,0 +1,31 @@ +From foo@baz Wed Feb 7 11:29:20 PST 2018 +From: Kristian Evensen +Date: Tue, 30 Jan 2018 14:12:55 +0100 +Subject: qmi_wwan: Add support for Quectel EP06 + +From: Kristian Evensen + + +[ Upstream commit c0b91a56a2e57a5a370655b25d677ae0ebf8a2d0 ] + +The Quectel EP06 is a Cat. 6 LTE modem. It uses the same interface as +the EC20/EC25 for QMI, and requires the same "set DTR"-quirk to work. + +Signed-off-by: Kristian Evensen +Acked-by: Bjørn Mork +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/qmi_wwan.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/usb/qmi_wwan.c ++++ b/drivers/net/usb/qmi_wwan.c +@@ -1243,6 +1243,7 @@ static const struct usb_device_id produc + {QMI_QUIRK_SET_DTR(0x2c7c, 0x0125, 4)}, /* Quectel EC25, EC20 R2.0 Mini PCIe */ + {QMI_QUIRK_SET_DTR(0x2c7c, 0x0121, 4)}, /* Quectel EC21 Mini PCIe */ + {QMI_FIXED_INTF(0x2c7c, 0x0296, 4)}, /* Quectel BG96 */ ++ {QMI_QUIRK_SET_DTR(0x2c7c, 0x0306, 4)}, /* Quectel EP06 Mini PCIe */ + + /* 4. Gobi 1000 devices */ + {QMI_GOBI1K_DEVICE(0x05c6, 0x9212)}, /* Acer Gobi Modem Device */ diff --git a/queue-4.14/r8169-fix-rtl8168ep-take-too-long-to-complete-driver-initialization.patch b/queue-4.14/r8169-fix-rtl8168ep-take-too-long-to-complete-driver-initialization.patch new file mode 100644 index 00000000000..494ef4754cf --- /dev/null +++ b/queue-4.14/r8169-fix-rtl8168ep-take-too-long-to-complete-driver-initialization.patch @@ -0,0 +1,42 @@ +From foo@baz Wed Feb 7 11:29:20 PST 2018 +From: Chunhao Lin +Date: Wed, 31 Jan 2018 01:32:36 +0800 +Subject: r8169: fix RTL8168EP take too long to complete driver initialization. + +From: Chunhao Lin + + +[ Upstream commit 086ca23d03c0d2f4088f472386778d293e15c5f6 ] + +Driver check the wrong register bit in rtl_ocp_tx_cond() that keep driver +waiting until timeout. + +Fix this by waiting for the right register bit. + +Signed-off-by: Chunhao Lin +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/realtek/r8169.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/realtek/r8169.c ++++ b/drivers/net/ethernet/realtek/r8169.c +@@ -1388,7 +1388,7 @@ DECLARE_RTL_COND(rtl_ocp_tx_cond) + { + void __iomem *ioaddr = tp->mmio_addr; + +- return RTL_R8(IBISR0) & 0x02; ++ return RTL_R8(IBISR0) & 0x20; + } + + static void rtl8168ep_stop_cmac(struct rtl8169_private *tp) +@@ -1396,7 +1396,7 @@ static void rtl8168ep_stop_cmac(struct r + void __iomem *ioaddr = tp->mmio_addr; + + RTL_W8(IBCR2, RTL_R8(IBCR2) & ~0x01); +- rtl_msleep_loop_wait_low(tp, &rtl_ocp_tx_cond, 50, 2000); ++ rtl_msleep_loop_wait_high(tp, &rtl_ocp_tx_cond, 50, 2000); + RTL_W8(IBISR0, RTL_R8(IBISR0) | 0x20); + RTL_W8(IBCR0, RTL_R8(IBCR0) & ~0x01); + } diff --git a/queue-4.14/revert-defer-call-to-mem_cgroup_sk_alloc.patch b/queue-4.14/revert-defer-call-to-mem_cgroup_sk_alloc.patch new file mode 100644 index 00000000000..c94ab24388d --- /dev/null +++ b/queue-4.14/revert-defer-call-to-mem_cgroup_sk_alloc.patch @@ -0,0 +1,97 @@ +From foo@baz Wed Feb 7 11:29:20 PST 2018 +From: Roman Gushchin +Date: Fri, 2 Feb 2018 15:26:57 +0000 +Subject: Revert "defer call to mem_cgroup_sk_alloc()" + +From: Roman Gushchin + + +[ Upstream commit edbe69ef2c90fc86998a74b08319a01c508bd497 ] + +This patch effectively reverts commit 9f1c2674b328 ("net: memcontrol: +defer call to mem_cgroup_sk_alloc()"). + +Moving mem_cgroup_sk_alloc() to the inet_csk_accept() completely breaks +memcg socket memory accounting, as packets received before memcg +pointer initialization are not accounted and are causing refcounting +underflow on socket release. + +Actually the free-after-use problem was fixed by +commit c0576e397508 ("net: call cgroup_sk_alloc() earlier in +sk_clone_lock()") for the cgroup pointer. + +So, let's revert it and call mem_cgroup_sk_alloc() just before +cgroup_sk_alloc(). This is safe, as we hold a reference to the socket +we're cloning, and it holds a reference to the memcg. + +Also, let's drop BUG_ON(mem_cgroup_is_root()) check from +mem_cgroup_sk_alloc(). I see no reasons why bumping the root +memcg counter is a good reason to panic, and there are no realistic +ways to hit it. + +Signed-off-by: Roman Gushchin +Cc: Eric Dumazet +Cc: David S. Miller +Cc: Johannes Weiner +Cc: Tejun Heo +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + mm/memcontrol.c | 14 ++++++++++++++ + net/core/sock.c | 5 +---- + net/ipv4/inet_connection_sock.c | 1 - + 3 files changed, 15 insertions(+), 5 deletions(-) + +--- a/mm/memcontrol.c ++++ b/mm/memcontrol.c +@@ -5828,6 +5828,20 @@ void mem_cgroup_sk_alloc(struct sock *sk + if (!mem_cgroup_sockets_enabled) + return; + ++ /* ++ * Socket cloning can throw us here with sk_memcg already ++ * filled. It won't however, necessarily happen from ++ * process context. So the test for root memcg given ++ * the current task's memcg won't help us in this case. ++ * ++ * Respecting the original socket's memcg is a better ++ * decision in this case. ++ */ ++ if (sk->sk_memcg) { ++ css_get(&sk->sk_memcg->css); ++ return; ++ } ++ + rcu_read_lock(); + memcg = mem_cgroup_from_task(current); + if (memcg == root_mem_cgroup) +--- a/net/core/sock.c ++++ b/net/core/sock.c +@@ -1677,16 +1677,13 @@ struct sock *sk_clone_lock(const struct + newsk->sk_dst_pending_confirm = 0; + newsk->sk_wmem_queued = 0; + newsk->sk_forward_alloc = 0; +- +- /* sk->sk_memcg will be populated at accept() time */ +- newsk->sk_memcg = NULL; +- + atomic_set(&newsk->sk_drops, 0); + newsk->sk_send_head = NULL; + newsk->sk_userlocks = sk->sk_userlocks & ~SOCK_BINDPORT_LOCK; + atomic_set(&newsk->sk_zckey, 0); + + sock_reset_flag(newsk, SOCK_DONE); ++ mem_cgroup_sk_alloc(newsk); + cgroup_sk_alloc(&newsk->sk_cgrp_data); + + rcu_read_lock(); +--- a/net/ipv4/inet_connection_sock.c ++++ b/net/ipv4/inet_connection_sock.c +@@ -475,7 +475,6 @@ struct sock *inet_csk_accept(struct sock + } + spin_unlock_bh(&queue->fastopenq.lock); + } +- mem_cgroup_sk_alloc(newsk); + out: + release_sock(sk); + if (req) diff --git a/queue-4.14/rocker-fix-possible-null-pointer-dereference-in-rocker_router_fib_event_work.patch b/queue-4.14/rocker-fix-possible-null-pointer-dereference-in-rocker_router_fib_event_work.patch new file mode 100644 index 00000000000..41fd581e1ef --- /dev/null +++ b/queue-4.14/rocker-fix-possible-null-pointer-dereference-in-rocker_router_fib_event_work.patch @@ -0,0 +1,79 @@ +From foo@baz Wed Feb 7 11:29:20 PST 2018 +From: Jiri Pirko +Date: Thu, 1 Feb 2018 12:21:15 +0100 +Subject: rocker: fix possible null pointer dereference in rocker_router_fib_event_work + +From: Jiri Pirko + + +[ Upstream commit a83165f00f16c0e0ef5b7cec3cbd0d4788699265 ] + +Currently, rocker user may experience following null pointer +derefence bug: + +[ 3.062141] BUG: unable to handle kernel NULL pointer dereference at 00000000000000d0 +[ 3.065163] IP: rocker_router_fib_event_work+0x36/0x110 [rocker] + +The problem is uninitialized rocker->wops pointer that is initialized +only with the first initialized port. So move the port initialization +before registering the fib events. + +Fixes: 936bd486564a ("rocker: use FIB notifications instead of switchdev calls") +Signed-off-by: Jiri Pirko +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/rocker/rocker_main.c | 18 +++++++++--------- + 1 file changed, 9 insertions(+), 9 deletions(-) + +--- a/drivers/net/ethernet/rocker/rocker_main.c ++++ b/drivers/net/ethernet/rocker/rocker_main.c +@@ -2902,6 +2902,12 @@ static int rocker_probe(struct pci_dev * + goto err_alloc_ordered_workqueue; + } + ++ err = rocker_probe_ports(rocker); ++ if (err) { ++ dev_err(&pdev->dev, "failed to probe ports\n"); ++ goto err_probe_ports; ++ } ++ + /* Only FIBs pointing to our own netdevs are programmed into + * the device, so no need to pass a callback. + */ +@@ -2918,22 +2924,16 @@ static int rocker_probe(struct pci_dev * + + rocker->hw.id = rocker_read64(rocker, SWITCH_ID); + +- err = rocker_probe_ports(rocker); +- if (err) { +- dev_err(&pdev->dev, "failed to probe ports\n"); +- goto err_probe_ports; +- } +- + dev_info(&pdev->dev, "Rocker switch with id %*phN\n", + (int)sizeof(rocker->hw.id), &rocker->hw.id); + + return 0; + +-err_probe_ports: +- unregister_switchdev_notifier(&rocker_switchdev_notifier); + err_register_switchdev_notifier: + unregister_fib_notifier(&rocker->fib_nb); + err_register_fib_notifier: ++ rocker_remove_ports(rocker); ++err_probe_ports: + destroy_workqueue(rocker->rocker_owq); + err_alloc_ordered_workqueue: + free_irq(rocker_msix_vector(rocker, ROCKER_MSIX_VEC_EVENT), rocker); +@@ -2961,9 +2961,9 @@ static void rocker_remove(struct pci_dev + { + struct rocker *rocker = pci_get_drvdata(pdev); + +- rocker_remove_ports(rocker); + unregister_switchdev_notifier(&rocker_switchdev_notifier); + unregister_fib_notifier(&rocker->fib_nb); ++ rocker_remove_ports(rocker); + rocker_write32(rocker, CONTROL, ROCKER_CONTROL_RESET); + destroy_workqueue(rocker->rocker_owq); + free_irq(rocker_msix_vector(rocker, ROCKER_MSIX_VEC_EVENT), rocker); diff --git a/queue-4.14/series b/queue-4.14/series index a26ba2fbd3f..0aece8b7cc3 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -1,3 +1,16 @@ gitignore-sort-normal-pattern-rules-alphabetically.patch gitignore-move-.dtb-and-.dtb.s-patterns-to-the-top-level-.gitignore.patch kbuild-rpm-pkg-keep-spec-file-until-make-mrproper.patch +ip6mr-fix-stale-iterator.patch +net-igmp-add-a-missing-rcu-locking-section.patch +qlcnic-fix-deadlock-bug.patch +qmi_wwan-add-support-for-quectel-ep06.patch +r8169-fix-rtl8168ep-take-too-long-to-complete-driver-initialization.patch +tcp-release-sk_frag.page-in-tcp_disconnect.patch +vhost_net-stop-device-during-reset-owner.patch +revert-defer-call-to-mem_cgroup_sk_alloc.patch +net-ipv6-send-unsolicited-na-after-dad.patch +rocker-fix-possible-null-pointer-dereference-in-rocker_router_fib_event_work.patch +tcp_bbr-fix-pacing_gain-to-always-be-unity-when-using-lt_bw.patch +ipv6-fix-so_reuseport-udp-socket-with-implicit-sk_ipv6only.patch +soreuseport-fix-mem-leak-in-reuseport_add_sock.patch diff --git a/queue-4.14/soreuseport-fix-mem-leak-in-reuseport_add_sock.patch b/queue-4.14/soreuseport-fix-mem-leak-in-reuseport_add_sock.patch new file mode 100644 index 00000000000..f84ebf4fd28 --- /dev/null +++ b/queue-4.14/soreuseport-fix-mem-leak-in-reuseport_add_sock.patch @@ -0,0 +1,120 @@ +From foo@baz Wed Feb 7 11:29:20 PST 2018 +From: Eric Dumazet +Date: Fri, 2 Feb 2018 10:27:27 -0800 +Subject: soreuseport: fix mem leak in reuseport_add_sock() + +From: Eric Dumazet + + +[ Upstream commit 4db428a7c9ab07e08783e0fcdc4ca0f555da0567 ] + +reuseport_add_sock() needs to deal with attaching a socket having +its own sk_reuseport_cb, after a prior +setsockopt(SO_ATTACH_REUSEPORT_?BPF) + +Without this fix, not only a WARN_ONCE() was issued, but we were also +leaking memory. + +Thanks to sysbot and Eric Biggers for providing us nice C repros. + +------------[ cut here ]------------ +socket already in reuseport group +WARNING: CPU: 0 PID: 3496 at net/core/sock_reuseport.c:119   +reuseport_add_sock+0x742/0x9b0 net/core/sock_reuseport.c:117 +Kernel panic - not syncing: panic_on_warn set ... + +CPU: 0 PID: 3496 Comm: syzkaller869503 Not tainted 4.15.0-rc6+ #245 +Hardware name: Google Google Compute Engine/Google Compute Engine, +BIOS   +Google 01/01/2011 +Call Trace: +  __dump_stack lib/dump_stack.c:17 [inline] +  dump_stack+0x194/0x257 lib/dump_stack.c:53 +  panic+0x1e4/0x41c kernel/panic.c:183 +  __warn+0x1dc/0x200 kernel/panic.c:547 +  report_bug+0x211/0x2d0 lib/bug.c:184 +  fixup_bug.part.11+0x37/0x80 arch/x86/kernel/traps.c:178 +  fixup_bug arch/x86/kernel/traps.c:247 [inline] +  do_error_trap+0x2d7/0x3e0 arch/x86/kernel/traps.c:296 +  do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:315 +  invalid_op+0x22/0x40 arch/x86/entry/entry_64.S:1079 + +Fixes: ef456144da8e ("soreuseport: define reuseport groups") +Signed-off-by: Eric Dumazet +Reported-by: syzbot+c0ea2226f77a42936bf7@syzkaller.appspotmail.com +Acked-by: Craig Gallek + +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/core/sock_reuseport.c | 35 ++++++++++++++++++++--------------- + 1 file changed, 20 insertions(+), 15 deletions(-) + +--- a/net/core/sock_reuseport.c ++++ b/net/core/sock_reuseport.c +@@ -94,6 +94,16 @@ static struct sock_reuseport *reuseport_ + return more_reuse; + } + ++static void reuseport_free_rcu(struct rcu_head *head) ++{ ++ struct sock_reuseport *reuse; ++ ++ reuse = container_of(head, struct sock_reuseport, rcu); ++ if (reuse->prog) ++ bpf_prog_destroy(reuse->prog); ++ kfree(reuse); ++} ++ + /** + * reuseport_add_sock - Add a socket to the reuseport group of another. + * @sk: New socket to add to the group. +@@ -102,7 +112,7 @@ static struct sock_reuseport *reuseport_ + */ + int reuseport_add_sock(struct sock *sk, struct sock *sk2) + { +- struct sock_reuseport *reuse; ++ struct sock_reuseport *old_reuse, *reuse; + + if (!rcu_access_pointer(sk2->sk_reuseport_cb)) { + int err = reuseport_alloc(sk2); +@@ -113,10 +123,13 @@ int reuseport_add_sock(struct sock *sk, + + spin_lock_bh(&reuseport_lock); + reuse = rcu_dereference_protected(sk2->sk_reuseport_cb, +- lockdep_is_held(&reuseport_lock)), +- WARN_ONCE(rcu_dereference_protected(sk->sk_reuseport_cb, +- lockdep_is_held(&reuseport_lock)), +- "socket already in reuseport group"); ++ lockdep_is_held(&reuseport_lock)); ++ old_reuse = rcu_dereference_protected(sk->sk_reuseport_cb, ++ lockdep_is_held(&reuseport_lock)); ++ if (old_reuse && old_reuse->num_socks != 1) { ++ spin_unlock_bh(&reuseport_lock); ++ return -EBUSY; ++ } + + if (reuse->num_socks == reuse->max_socks) { + reuse = reuseport_grow(reuse); +@@ -134,19 +147,11 @@ int reuseport_add_sock(struct sock *sk, + + spin_unlock_bh(&reuseport_lock); + ++ if (old_reuse) ++ call_rcu(&old_reuse->rcu, reuseport_free_rcu); + return 0; + } + +-static void reuseport_free_rcu(struct rcu_head *head) +-{ +- struct sock_reuseport *reuse; +- +- reuse = container_of(head, struct sock_reuseport, rcu); +- if (reuse->prog) +- bpf_prog_destroy(reuse->prog); +- kfree(reuse); +-} +- + void reuseport_detach_sock(struct sock *sk) + { + struct sock_reuseport *reuse; diff --git a/queue-4.14/tcp-release-sk_frag.page-in-tcp_disconnect.patch b/queue-4.14/tcp-release-sk_frag.page-in-tcp_disconnect.patch new file mode 100644 index 00000000000..ed15536785e --- /dev/null +++ b/queue-4.14/tcp-release-sk_frag.page-in-tcp_disconnect.patch @@ -0,0 +1,38 @@ +From foo@baz Wed Feb 7 11:29:20 PST 2018 +From: Li RongQing +Date: Fri, 26 Jan 2018 16:40:41 +0800 +Subject: tcp: release sk_frag.page in tcp_disconnect + +From: Li RongQing + + +[ Upstream commit 9b42d55a66d388e4dd5550107df051a9637564fc ] + +socket can be disconnected and gets transformed back to a listening +socket, if sk_frag.page is not released, which will be cloned into +a new socket by sk_clone_lock, but the reference count of this page +is increased, lead to a use after free or double free issue + +Signed-off-by: Li RongQing +Cc: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/tcp.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -2379,6 +2379,12 @@ int tcp_disconnect(struct sock *sk, int + + WARN_ON(inet->inet_num && !icsk->icsk_bind_hash); + ++ if (sk->sk_frag.page) { ++ put_page(sk->sk_frag.page); ++ sk->sk_frag.page = NULL; ++ sk->sk_frag.offset = 0; ++ } ++ + sk->sk_error_report(sk); + return err; + } diff --git a/queue-4.14/tcp_bbr-fix-pacing_gain-to-always-be-unity-when-using-lt_bw.patch b/queue-4.14/tcp_bbr-fix-pacing_gain-to-always-be-unity-when-using-lt_bw.patch new file mode 100644 index 00000000000..23669dcbeea --- /dev/null +++ b/queue-4.14/tcp_bbr-fix-pacing_gain-to-always-be-unity-when-using-lt_bw.patch @@ -0,0 +1,56 @@ +From foo@baz Wed Feb 7 11:29:20 PST 2018 +From: Neal Cardwell +Date: Wed, 31 Jan 2018 15:43:05 -0500 +Subject: tcp_bbr: fix pacing_gain to always be unity when using lt_bw + +From: Neal Cardwell + + +[ Upstream commit 3aff3b4b986e51bcf4ab249e5d48d39596e0df6a ] + +This commit fixes the pacing_gain to remain at BBR_UNIT (1.0) when +using lt_bw and returning from the PROBE_RTT state to PROBE_BW. + +Previously, when using lt_bw, upon exiting PROBE_RTT and entering +PROBE_BW the bbr_reset_probe_bw_mode() code could sometimes randomly +end up with a cycle_idx of 0 and hence have bbr_advance_cycle_phase() +set a pacing gain above 1.0. In such cases this would result in a +pacing rate that is 1.25x higher than intended, potentially resulting +in a high loss rate for a little while until we stop using the lt_bw a +bit later. + +This commit is a stable candidate for kernels back as far as 4.9. + +Fixes: 0f8782ea1497 ("tcp_bbr: add BBR congestion control") +Signed-off-by: Neal Cardwell +Signed-off-by: Yuchung Cheng +Signed-off-by: Soheil Hassas Yeganeh +Reported-by: Beyers Cronje +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/tcp_bbr.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/net/ipv4/tcp_bbr.c ++++ b/net/ipv4/tcp_bbr.c +@@ -481,7 +481,8 @@ static void bbr_advance_cycle_phase(stru + + bbr->cycle_idx = (bbr->cycle_idx + 1) & (CYCLE_LEN - 1); + bbr->cycle_mstamp = tp->delivered_mstamp; +- bbr->pacing_gain = bbr_pacing_gain[bbr->cycle_idx]; ++ bbr->pacing_gain = bbr->lt_use_bw ? BBR_UNIT : ++ bbr_pacing_gain[bbr->cycle_idx]; + } + + /* Gain cycling: cycle pacing gain to converge to fair share of available bw. */ +@@ -490,8 +491,7 @@ static void bbr_update_cycle_phase(struc + { + struct bbr *bbr = inet_csk_ca(sk); + +- if ((bbr->mode == BBR_PROBE_BW) && !bbr->lt_use_bw && +- bbr_is_next_cycle_phase(sk, rs)) ++ if (bbr->mode == BBR_PROBE_BW && bbr_is_next_cycle_phase(sk, rs)) + bbr_advance_cycle_phase(sk); + } + diff --git a/queue-4.14/vhost_net-stop-device-during-reset-owner.patch b/queue-4.14/vhost_net-stop-device-during-reset-owner.patch new file mode 100644 index 00000000000..3b98a4d46e1 --- /dev/null +++ b/queue-4.14/vhost_net-stop-device-during-reset-owner.patch @@ -0,0 +1,34 @@ +From foo@baz Wed Feb 7 11:29:20 PST 2018 +From: Jason Wang +Date: Thu, 25 Jan 2018 22:03:52 +0800 +Subject: vhost_net: stop device during reset owner + +From: Jason Wang + + +[ Upstream commit 4cd879515d686849eec5f718aeac62a70b067d82 ] + +We don't stop device before reset owner, this means we could try to +serve any virtqueue kick before reset dev->worker. This will result a +warn since the work was pending at llist during owner resetting. Fix +this by stopping device during owner reset. + +Reported-by: syzbot+eb17c6162478cc50632c@syzkaller.appspotmail.com +Fixes: 3a4d5c94e9593 ("vhost_net: a kernel-level virtio server") +Signed-off-by: Jason Wang +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/vhost/net.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/vhost/net.c ++++ b/drivers/vhost/net.c +@@ -1212,6 +1212,7 @@ static long vhost_net_reset_owner(struct + } + vhost_net_stop(n, &tx_sock, &rx_sock); + vhost_net_flush(n); ++ vhost_dev_stop(&n->dev); + vhost_dev_reset_owner(&n->dev, umem); + vhost_net_vq_reset(n); + done: