From: Greg Kroah-Hartman Date: Sun, 15 Mar 2020 08:34:25 +0000 (+0100) Subject: 5.4-stable patches X-Git-Tag: v4.19.110~13 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=90d7ec80b448f72f5aa41c4d13b6e014cf4a1f2b;p=thirdparty%2Fkernel%2Fstable-queue.git 5.4-stable patches added patches: bnxt_en-fix-error-handling-when-flashing-from-file.patch bnxt_en-reinitialize-irqs-when-mtu-is-modified.patch bonding-alb-make-sure-arp-header-is-pulled-before-accessing-it.patch can-add-missing-attribute-validation-for-termination.patch cgroup-memcg-net-do-not-associate-sock-with-unrelated-cgroup.patch cgroup-netclassid-periodically-release-file_lock-on-classid-updating.patch devlink-validate-length-of-param-values.patch devlink-validate-length-of-region-addr-len.patch fib-add-missing-attribute-validation-for-tun_id.patch gre-fix-uninit-value-in-__iptunnel_pull_header.patch inet_diag-return-classid-for-all-socket-types.patch ipv6-addrconf-call-ipv6_mc_up-for-non-ethernet-interface.patch ipvlan-add-cond_resched_rcu-while-processing-muticast-backlog.patch ipvlan-do-not-add-hardware-address-of-master-to-its-unicast-filter-list.patch ipvlan-do-not-use-cond_resched_rcu-in-ipvlan_process_multicast.patch ipvlan-don-t-deref-eth-hdr-before-checking-it-s-set.patch macsec-add-missing-attribute-validation-for-port.patch macvlan-add-cond_resched-during-multicast-processing.patch net-dsa-don-t-instantiate-phylink-for-cpu-dsa-ports-unless-needed.patch net-dsa-fix-phylink_start-phylink_stop-calls.patch net-dsa-mv88e6xxx-fix-lockup-on-warm-boot.patch net-fec-validate-the-new-settings-in-fec_enet_set_coalesce.patch net-fq-add-missing-attribute-validation-for-orphan-mask.patch net-hns3-fix-a-not-link-up-issue-when-fibre-port-supports-autoneg.patch net-ipv6-need-update-peer-route-when-modify-metric.patch net-ipv6-remove-the-old-peer-route-if-change-it-to-a-new-one.patch net-ipv6-use-configured-metric-when-add-peer-route.patch net-macsec-update-sci-upon-mac-address-change.patch 
net-memcg-fix-lockdep-splat-in-inet_csk_accept.patch net-memcg-late-association-of-sock-to-memcg.patch net-nfc-fix-bounds-checking-bugs-on-pipe.patch net-packet-tpacket_rcv-do-not-increment-ring-index-on-drop.patch net-phy-avoid-clearing-phy-interrupts-twice-in-irq-handler.patch net-phy-bcm63xx-fix-oops-due-to-missing-driver-name.patch net-phy-fix-mdio-bus-pm-phy-resuming.patch net-stmmac-dwmac1000-disable-acs-if-enhanced-descs-are-not-used.patch net-systemport-fix-index-check-to-avoid-an-array-out-of-bounds-access.patch net-taprio-add-missing-attribute-validation-for-txtime-delay.patch netlink-use-netlink-header-as-base-to-calculate-bad-attribute-offset.patch nfc-add-missing-attribute-validation-for-deactivate-target.patch nfc-add-missing-attribute-validation-for-se-api.patch nfc-add-missing-attribute-validation-for-vendor-subcommand.patch nl802154-add-missing-attribute-validation-for-dev_type.patch nl802154-add-missing-attribute-validation.patch r8152-check-disconnect-status-after-long-sleep.patch selftests-net-fib_tests-update-addr_metric_test-for-peer-route-testing.patch sfc-detach-from-cb_page-in-efx_copy_channel.patch slip-make-slhc_compress-more-robust-against-malicious-packets.patch taprio-fix-sending-packets-without-dequeueing-them.patch team-add-missing-attribute-validation-for-array-index.patch team-add-missing-attribute-validation-for-port-ifindex.patch tipc-add-missing-attribute-validation-for-mtu-property.patch
---
diff --git a/queue-5.4/bnxt_en-fix-error-handling-when-flashing-from-file.patch b/queue-5.4/bnxt_en-fix-error-handling-when-flashing-from-file.patch
new file mode 100644
index 00000000000..c5aba78e3dd
--- /dev/null
+++ b/queue-5.4/bnxt_en-fix-error-handling-when-flashing-from-file.patch
@@ -0,0 +1,93 @@
+From foo@baz Sun 15 Mar 2020 09:33:48 AM CET
+From: Edwin Peer
+Date: Sun, 1 Mar 2020 22:07:18 -0500
+Subject: bnxt_en: fix error handling when flashing from file
+
+From: Edwin Peer
+
+[ Upstream commit 22630e28f9c2b55abd217869cc0696def89f2284 ]
+
+After bnxt_hwrm_do_send_message() was updated to return standard error
+codes in a recent commit, a regression in bnxt_flash_package_from_file()
+was introduced. The return value does not properly reflect all
+possible firmware errors when calling firmware to flash the package.
+
+Fix it by consolidating all errors in one local variable rc instead
+of having 2 variables for different errors.
+
+Fixes: d4f1420d3656 ("bnxt_en: Convert error code in firmware message response to standard code.")
+Signed-off-by: Edwin Peer
+Signed-off-by: Michael Chan
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c | 24 ++++++++++------------
+ 1 file changed, 11 insertions(+), 13 deletions(-)
+
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c
+@@ -2005,8 +2005,8 @@ static int bnxt_flash_package_from_file(
+ struct hwrm_nvm_install_update_output *resp = bp->hwrm_cmd_resp_addr;
+ struct hwrm_nvm_install_update_input install = {0};
+ const struct firmware *fw;
+- int rc, hwrm_err = 0;
+ u32 item_len;
++ int rc = 0;
+ u16 index;
+
+ bnxt_hwrm_fw_set_time(bp);
+@@ -2050,15 +2050,14 @@ static int bnxt_flash_package_from_file(
+ memcpy(kmem, fw->data, fw->size);
+ modify.host_src_addr = cpu_to_le64(dma_handle);
+
+- hwrm_err = hwrm_send_message(bp, &modify,
+- sizeof(modify),
+- FLASH_PACKAGE_TIMEOUT);
++ rc = hwrm_send_message(bp, &modify, sizeof(modify),
++ FLASH_PACKAGE_TIMEOUT);
+ dma_free_coherent(&bp->pdev->dev, fw->size, kmem,
+ dma_handle);
+ }
+ }
+ release_firmware(fw);
+- if (rc || hwrm_err)
++ if (rc)
+ goto err_exit;
+
+ if ((install_type & 0xffff) == 0)
+@@ -2067,20 +2066,19 @@
static int bnxt_flash_package_from_file(
+ install.install_type = cpu_to_le32(install_type);
+
+ mutex_lock(&bp->hwrm_cmd_lock);
+- hwrm_err = _hwrm_send_message(bp, &install, sizeof(install),
+- INSTALL_PACKAGE_TIMEOUT);
+- if (hwrm_err) {
++ rc = _hwrm_send_message(bp, &install, sizeof(install),
++ INSTALL_PACKAGE_TIMEOUT);
++ if (rc) {
+ u8 error_code = ((struct hwrm_err_output *)resp)->cmd_err;
+
+ if (resp->error_code && error_code ==
+ NVM_INSTALL_UPDATE_CMD_ERR_CODE_FRAG_ERR) {
+ install.flags |= cpu_to_le16(
+ NVM_INSTALL_UPDATE_REQ_FLAGS_ALLOWED_TO_DEFRAG);
+- hwrm_err = _hwrm_send_message(bp, &install,
+- sizeof(install),
+- INSTALL_PACKAGE_TIMEOUT);
++ rc = _hwrm_send_message(bp, &install, sizeof(install),
++ INSTALL_PACKAGE_TIMEOUT);
+ }
+- if (hwrm_err)
++ if (rc)
+ goto flash_pkg_exit;
+ }
+
+@@ -2092,7 +2090,7 @@ static int bnxt_flash_package_from_file(
+ flash_pkg_exit:
+ mutex_unlock(&bp->hwrm_cmd_lock);
+ err_exit:
+- if (hwrm_err == -EACCES)
++ if (rc == -EACCES)
+ bnxt_print_admin_err(bp);
+ return rc;
+ }
diff --git a/queue-5.4/bnxt_en-reinitialize-irqs-when-mtu-is-modified.patch b/queue-5.4/bnxt_en-reinitialize-irqs-when-mtu-is-modified.patch
new file mode 100644
index 00000000000..1b388af21d1
--- /dev/null
+++ b/queue-5.4/bnxt_en-reinitialize-irqs-when-mtu-is-modified.patch
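Review bot: The `if (rc) {` branch after the first `_hwrm_send_message(bp, &install, ...)` reads `cmd_err` and `resp->error_code` from the shared response buffer for every non-zero `rc`, and nothing in the hunk shows that the buffer is valid in that case. If `_hwrm_send_message()` can fail without the firmware having written a response (a timeout, for instance), the defragment retry would be decided on stale data; this cannot be confirmed from the visible lines. A comment above the read would record the assumption, for example `/* resp is only meaningful when firmware answered; rc alone does not say so */`. The body of bnxt_flash_package_from_file() starts and continues outside the hunks shown.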
@@ -0,0 +1,45 @@
+From foo@baz Sun 15 Mar 2020 09:33:48 AM CET
+From: Vasundhara Volam
+Date: Sun, 1 Mar 2020 22:07:17 -0500
+Subject: bnxt_en: reinitialize IRQs when MTU is modified
+
+From: Vasundhara Volam
+
+[ Upstream commit a9b952d267e59a3b405e644930f46d252cea7122 ]
+
+MTU changes may affect the number of IRQs so we must call
+bnxt_close_nic()/bnxt_open_nic() with the irq_re_init parameter
+set to true. The reason is that a larger MTU may require
+aggregation rings not needed with smaller MTU. We may not be
+able to allocate the required number of aggregation rings and
+so we reduce the number of channels which will change the number
+of IRQs. Without this patch, it may crash eventually in
+pci_disable_msix() when the IRQs are not properly unwound.
+
+Fixes: c0c050c58d84 ("bnxt_en: New Broadcom ethernet driver.")
+Signed-off-by: Vasundhara Volam
+Signed-off-by: Michael Chan
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+@@ -10891,13 +10891,13 @@ static int bnxt_change_mtu(struct net_de
+ struct bnxt *bp = netdev_priv(dev);
+
+ if (netif_running(dev))
+- bnxt_close_nic(bp, false, false);
++ bnxt_close_nic(bp, true, false);
+
+ dev->mtu = new_mtu;
+ bnxt_set_ring_params(bp);
+
+ if (netif_running(dev))
+- return bnxt_open_nic(bp, false, false);
++ return bnxt_open_nic(bp, true, false);
+
+ return 0;
+ }
diff --git a/queue-5.4/bonding-alb-make-sure-arp-header-is-pulled-before-accessing-it.patch b/queue-5.4/bonding-alb-make-sure-arp-header-is-pulled-before-accessing-it.patch
new file mode 100644
index 00000000000..ada3dbba8d9
--- /dev/null
+++ b/queue-5.4/bonding-alb-make-sure-arp-header-is-pulled-before-accessing-it.patch
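Review bot: In bnxt_change_mtu() `dev->mtu = new_mtu;` is committed before `return bnxt_open_nic(bp, true, false);` has succeeded, so a failed reopen returns an error while the device keeps the new MTU and stays down. With `irq_re_init` now true the reopen also has to reacquire IRQs, which the description itself says may not be fully available, so this failure path becomes more reachable than before. Consider keeping the previous value (`int old_mtu = dev->mtu;`) and restoring it with `bnxt_set_ring_params(bp)` on error, or at least documenting above the reopen that the interface is left closed with the new MTU. The start of the function lies outside the hunk.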
@@ -0,0 +1,155 @@
+From foo@baz Sun 15 Mar 2020 09:33:48 AM CET
+From: Eric Dumazet
+Date: Wed, 4 Mar 2020 09:32:16 -0800
+Subject: bonding/alb: make sure arp header is pulled before accessing it
+
+From: Eric Dumazet
+
+Similar to commit 38f88c454042 ("bonding/alb: properly access headers
+in bond_alb_xmit()"), we need to make sure arp header was pulled
+in skb->head before blindly accessing it in rlb_arp_xmit().
+
+Remove arp_pkt() private helper, since it is more readable/obvious
+to have the following construct back to back :
+
+ if (!pskb_network_may_pull(skb, sizeof(*arp)))
+ return NULL;
+ arp = (struct arp_pkt *)skb_network_header(skb);
+
+syzbot reported :
+
+BUG: KMSAN: uninit-value in bond_slave_has_mac_rx include/net/bonding.h:704 [inline]
+BUG: KMSAN: uninit-value in rlb_arp_xmit drivers/net/bonding/bond_alb.c:662 [inline]
+BUG: KMSAN: uninit-value in bond_alb_xmit+0x575/0x25e0 drivers/net/bonding/bond_alb.c:1477
+CPU: 0 PID: 12743 Comm: syz-executor.4 Not tainted 5.6.0-rc2-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x1c9/0x220 lib/dump_stack.c:118
+ kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:118
+ __msan_warning+0x58/0xa0 mm/kmsan/kmsan_instr.c:215
+ bond_slave_has_mac_rx include/net/bonding.h:704 [inline]
+ rlb_arp_xmit drivers/net/bonding/bond_alb.c:662 [inline]
+ bond_alb_xmit+0x575/0x25e0 drivers/net/bonding/bond_alb.c:1477
+ __bond_start_xmit drivers/net/bonding/bond_main.c:4257 [inline]
+ bond_start_xmit+0x85d/0x2f70 drivers/net/bonding/bond_main.c:4282
+ __netdev_start_xmit include/linux/netdevice.h:4524 [inline]
+ netdev_start_xmit include/linux/netdevice.h:4538 [inline]
+ xmit_one net/core/dev.c:3470 [inline]
+ dev_hard_start_xmit+0x531/0xab0 net/core/dev.c:3486
+ __dev_queue_xmit+0x37de/0x4220 net/core/dev.c:4063
+ dev_queue_xmit+0x4b/0x60 net/core/dev.c:4096
+ packet_snd net/packet/af_packet.c:2967 [inline]
+ packet_sendmsg+0x8347/0x93b0 net/packet/af_packet.c:2992
+ sock_sendmsg_nosec net/socket.c:652 [inline]
+ sock_sendmsg net/socket.c:672 [inline]
+ __sys_sendto+0xc1b/0xc50 net/socket.c:1998
+ __do_sys_sendto net/socket.c:2010 [inline]
+ __se_sys_sendto+0x107/0x130 net/socket.c:2006
+ __x64_sys_sendto+0x6e/0x90 net/socket.c:2006
+ do_syscall_64+0xb8/0x160 arch/x86/entry/common.c:296
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+RIP: 0033:0x45c479
+Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
+RSP: 002b:00007fc77ffbbc78 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
+RAX: ffffffffffffffda RBX: 00007fc77ffbc6d4 RCX: 000000000045c479
+RDX: 000000000000000e RSI: 00000000200004c0 RDI: 0000000000000003
+RBP: 000000000076bf20 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
+R13: 0000000000000a04 R14: 00000000004cc7b0 R15: 000000000076bf2c
+
+Uninit was created at:
+ kmsan_save_stack_with_flags mm/kmsan/kmsan.c:144 [inline]
+ kmsan_internal_poison_shadow+0x66/0xd0 mm/kmsan/kmsan.c:127
+ kmsan_slab_alloc+0x8a/0xe0 mm/kmsan/kmsan_hooks.c:82
+ slab_alloc_node mm/slub.c:2793 [inline]
+ __kmalloc_node_track_caller+0xb40/0x1200 mm/slub.c:4401
+ __kmalloc_reserve net/core/skbuff.c:142 [inline]
+ __alloc_skb+0x2fd/0xac0 net/core/skbuff.c:210
+ alloc_skb include/linux/skbuff.h:1051 [inline]
+ alloc_skb_with_frags+0x18c/0xa70 net/core/skbuff.c:5766
+ sock_alloc_send_pskb+0xada/0xc60 net/core/sock.c:2242
+ packet_alloc_skb net/packet/af_packet.c:2815 [inline]
+ packet_snd net/packet/af_packet.c:2910 [inline]
+ packet_sendmsg+0x66a0/0x93b0 net/packet/af_packet.c:2992
+ sock_sendmsg_nosec net/socket.c:652 [inline]
+ sock_sendmsg net/socket.c:672 [inline]
+ __sys_sendto+0xc1b/0xc50 net/socket.c:1998
+ __do_sys_sendto net/socket.c:2010 [inline]
+ __se_sys_sendto+0x107/0x130
net/socket.c:2006
+ __x64_sys_sendto+0x6e/0x90 net/socket.c:2006
+ do_syscall_64+0xb8/0x160 arch/x86/entry/common.c:296
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Eric Dumazet
+Reported-by: syzbot
+Cc: Jay Vosburgh
+Cc: Veaceslav Falico
+Cc: Andy Gospodarek
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/bonding/bond_alb.c | 20 ++++++++++----------
+ 1 file changed, 10 insertions(+), 10 deletions(-)
+
+--- a/drivers/net/bonding/bond_alb.c
++++ b/drivers/net/bonding/bond_alb.c
+@@ -50,11 +50,6 @@ struct arp_pkt {
+ };
+ #pragma pack()
+
+-static inline struct arp_pkt *arp_pkt(const struct sk_buff *skb)
+-{
+- return (struct arp_pkt *)skb_network_header(skb);
+-}
+-
+ /* Forward declaration */
+ static void alb_send_learning_packets(struct slave *slave, u8 mac_addr[],
+ bool strict_match);
+@@ -553,10 +548,11 @@ static void rlb_req_update_subnet_client
+ spin_unlock(&bond->mode_lock);
+ }
+
+-static struct slave *rlb_choose_channel(struct sk_buff *skb, struct bonding *bond)
++static struct slave *rlb_choose_channel(struct sk_buff *skb,
++ struct bonding *bond,
++ const struct arp_pkt *arp)
+ {
+ struct alb_bond_info *bond_info = &(BOND_ALB_INFO(bond));
+- struct arp_pkt *arp = arp_pkt(skb);
+ struct slave *assigned_slave, *curr_active_slave;
+ struct rlb_client_info *client_info;
+ u32 hash_index = 0;
+@@ -653,8 +649,12 @@ static struct slave *rlb_choose_channel(
+ */
+ static struct slave *rlb_arp_xmit(struct sk_buff *skb, struct bonding *bond)
+ {
+- struct arp_pkt *arp = arp_pkt(skb);
+ struct slave *tx_slave = NULL;
++ struct arp_pkt *arp;
++
++ if (!pskb_network_may_pull(skb, sizeof(*arp)))
++ return NULL;
++ arp = (struct arp_pkt *)skb_network_header(skb);
+
+ /* Don't modify or load balance ARPs that do not originate locally
+ * (e.g.,arrive via a bridge).
+@@ -664,7 +664,7 @@ static struct slave *rlb_arp_xmit(struct
+
+ if (arp->op_code == htons(ARPOP_REPLY)) {
+ /* the arp must be sent on the selected rx channel */
+- tx_slave = rlb_choose_channel(skb, bond);
++ tx_slave = rlb_choose_channel(skb, bond, arp);
+ if (tx_slave)
+ bond_hw_addr_copy(arp->mac_src, tx_slave->dev->dev_addr,
+ tx_slave->dev->addr_len);
+@@ -676,7 +676,7 @@ static struct slave *rlb_arp_xmit(struct
+ * When the arp reply is received the entry will be updated
+ * with the correct unicast address of the client.
+ */
+- tx_slave = rlb_choose_channel(skb, bond);
++ tx_slave = rlb_choose_channel(skb, bond, arp);
+
+ /* The ARP reply packets must be delayed so that
+ * they can cancel out the influence of the ARP request.
diff --git a/queue-5.4/can-add-missing-attribute-validation-for-termination.patch b/queue-5.4/can-add-missing-attribute-validation-for-termination.patch
new file mode 100644
index 00000000000..f3c06d34915
--- /dev/null
+++ b/queue-5.4/can-add-missing-attribute-validation-for-termination.patch
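Review bot: rlb_choose_channel() now depends on a precondition that is written down nowhere: its new `const struct arp_pkt *arp` argument must point into linear skb data that the caller has already validated with `pskb_network_may_pull(skb, sizeof(*arp))`. Because the function still receives `skb` as well, a later edit could re-derive the header from it and silently reintroduce the unchecked read that KMSAN reported. A short comment above the definition would pin the contract, for example `/* Caller must have pulled sizeof(struct arp_pkt); arp points into skb's linear area and is stale after any call that may reallocate skb->head. */`. Separately, rlb_arp_xmit() writes through the same pointer with `bond_hw_addr_copy(arp->mac_src, ...)`; a successful pull makes the bytes readable, but whether the buffer is private to this skb at that point cannot be seen from the hunk and is worth confirming. Both function bodies continue outside the hunks.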
@@ -0,0 +1,31 @@
+From foo@baz Sun 15 Mar 2020 09:33:48 AM CET
+From: Jakub Kicinski
+Date: Mon, 2 Mar 2020 21:05:16 -0800
+Subject: can: add missing attribute validation for termination
+
+From: Jakub Kicinski
+
+[ Upstream commit ab02ad660586b94f5d08912a3952b939cf4c4430 ]
+
+Add missing attribute validation for IFLA_CAN_TERMINATION
+to the netlink policy.
+
+Fixes: 12a6075cabc0 ("can: dev: add CAN interface termination API")
+Signed-off-by: Jakub Kicinski
+Acked-by: Oliver Hartkopp
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/can/dev.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/can/dev.c
++++ b/drivers/net/can/dev.c
+@@ -884,6 +884,7 @@ static const struct nla_policy can_polic
+ = { .len = sizeof(struct can_bittiming) },
+ [IFLA_CAN_DATA_BITTIMING_CONST]
+ = { .len = sizeof(struct can_bittiming_const) },
++ [IFLA_CAN_TERMINATION] = { .type = NLA_U16 },
+ };
+
+ static int can_validate(struct nlattr *tb[], struct nlattr *data[],
diff --git a/queue-5.4/cgroup-memcg-net-do-not-associate-sock-with-unrelated-cgroup.patch b/queue-5.4/cgroup-memcg-net-do-not-associate-sock-with-unrelated-cgroup.patch
new file mode 100644
index 00000000000..7aef80f636f
--- /dev/null
+++ b/queue-5.4/cgroup-memcg-net-do-not-associate-sock-with-unrelated-cgroup.patch
@@ -0,0 +1,124 @@
+From foo@baz Sun 15 Mar 2020 09:33:48 AM CET
+From: Shakeel Butt
+Date: Mon, 9 Mar 2020 22:16:05 -0700
+Subject: cgroup: memcg: net: do not associate sock with unrelated cgroup
+
+From: Shakeel Butt
+
+[ Upstream commit e876ecc67db80dfdb8e237f71e5b43bb88ae549c ]
+
+We are testing network memory accounting in our setup and noticed
+inconsistent network memory usage and often unrelated cgroups network
+usage correlates with testing workload. On further inspection, it
+seems like mem_cgroup_sk_alloc() and cgroup_sk_alloc() are broken in
+irq context specially for cgroup v1.
+
+mem_cgroup_sk_alloc() and cgroup_sk_alloc() can be called in irq context
+and kind of assumes that this can only happen from sk_clone_lock()
+and the source sock object has already associated cgroup. However in
+cgroup v1, where network memory accounting is opt-in, the source sock
+can be unassociated with any cgroup and the new cloned sock can get
+associated with unrelated interrupted cgroup.
+
+Cgroup v2 can also suffer if the source sock object was created by
+process in the root cgroup or if sk_alloc() is called in irq context.
+The fix is to just do nothing in interrupt.
+
+WARNING: Please note that about half of the TCP sockets are allocated
+from the IRQ context, so, memory used by such sockets will not be
+accouted by the memcg.
+
+The stack trace of mem_cgroup_sk_alloc() from IRQ-context:
+
+CPU: 70 PID: 12720 Comm: ssh Tainted: 5.6.0-smp-DEV #1
+Hardware name: ...
+Call Trace:
+
+ dump_stack+0x57/0x75
+ mem_cgroup_sk_alloc+0xe9/0xf0
+ sk_clone_lock+0x2a7/0x420
+ inet_csk_clone_lock+0x1b/0x110
+ tcp_create_openreq_child+0x23/0x3b0
+ tcp_v6_syn_recv_sock+0x88/0x730
+ tcp_check_req+0x429/0x560
+ tcp_v6_rcv+0x72d/0xa40
+ ip6_protocol_deliver_rcu+0xc9/0x400
+ ip6_input+0x44/0xd0
+ ? ip6_protocol_deliver_rcu+0x400/0x400
+ ip6_rcv_finish+0x71/0x80
+ ipv6_rcv+0x5b/0xe0
+ ?
ip6_sublist_rcv+0x2e0/0x2e0
+ process_backlog+0x108/0x1e0
+ net_rx_action+0x26b/0x460
+ __do_softirq+0x104/0x2a6
+ do_softirq_own_stack+0x2a/0x40
+
+ do_softirq.part.19+0x40/0x50
+ __local_bh_enable_ip+0x51/0x60
+ ip6_finish_output2+0x23d/0x520
+ ? ip6table_mangle_hook+0x55/0x160
+ __ip6_finish_output+0xa1/0x100
+ ip6_finish_output+0x30/0xd0
+ ip6_output+0x73/0x120
+ ? __ip6_finish_output+0x100/0x100
+ ip6_xmit+0x2e3/0x600
+ ? ipv6_anycast_cleanup+0x50/0x50
+ ? inet6_csk_route_socket+0x136/0x1e0
+ ? skb_free_head+0x1e/0x30
+ inet6_csk_xmit+0x95/0xf0
+ __tcp_transmit_skb+0x5b4/0xb20
+ __tcp_send_ack.part.60+0xa3/0x110
+ tcp_send_ack+0x1d/0x20
+ tcp_rcv_state_process+0xe64/0xe80
+ ? tcp_v6_connect+0x5d1/0x5f0
+ tcp_v6_do_rcv+0x1b1/0x3f0
+ ? tcp_v6_do_rcv+0x1b1/0x3f0
+ __release_sock+0x7f/0xd0
+ release_sock+0x30/0xa0
+ __inet_stream_connect+0x1c3/0x3b0
+ ? prepare_to_wait+0xb0/0xb0
+ inet_stream_connect+0x3b/0x60
+ __sys_connect+0x101/0x120
+ ? __sys_getsockopt+0x11b/0x140
+ __x64_sys_connect+0x1a/0x20
+ do_syscall_64+0x51/0x200
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+The stack trace of mem_cgroup_sk_alloc() from IRQ-context:
+Fixes: 2d7580738345 ("mm: memcontrol: consolidate cgroup socket tracking")
+Fixes: d979a39d7242 ("cgroup: duplicate cgroup reference when cloning sockets")
+Signed-off-by: Shakeel Butt
+Reviewed-by: Roman Gushchin
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/cgroup/cgroup.c | 4 ++++
+ mm/memcontrol.c | 4 ++++
+ 2 files changed, 8 insertions(+)
+
+--- a/kernel/cgroup/cgroup.c
++++ b/kernel/cgroup/cgroup.c
+@@ -6381,6 +6381,10 @@ void cgroup_sk_alloc(struct sock_cgroup_
+ return;
+ }
+
++ /* Don't associate the sock with unrelated interrupted task's cgroup.
*/
++ if (in_interrupt())
++ return;
++
+ rcu_read_lock();
+
+ while (true) {
+--- a/mm/memcontrol.c
++++ b/mm/memcontrol.c
+@@ -6806,6 +6806,10 @@ void mem_cgroup_sk_alloc(struct sock *sk
+ return;
+ }
+
++ /* Do not associate the sock with unrelated interrupted task's memcg. */
++ if (in_interrupt())
++ return;
++
+ rcu_read_lock();
+ memcg = mem_cgroup_from_task(current);
+ if (memcg == root_mem_cgroup)
diff --git a/queue-5.4/cgroup-netclassid-periodically-release-file_lock-on-classid-updating.patch b/queue-5.4/cgroup-netclassid-periodically-release-file_lock-on-classid-updating.patch
new file mode 100644
index 00000000000..f5031145dd6
--- /dev/null
+++ b/queue-5.4/cgroup-netclassid-periodically-release-file_lock-on-classid-updating.patch
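Review bot: The `if (in_interrupt()) return;` guards added to cgroup_sk_alloc() and mem_cgroup_sk_alloc() are wider than their comments say, because `in_interrupt()` is also true in process context while bottom halves are disabled. A socket allocated by the owning task inside such a section is therefore left unassociated too, although `current` would have been the right owner. The comment should state the real condition, for example `/* Skip unless in plain task context: in hard/soft IRQ or with BH disabled, current may not own this sock. */`, and it is worth evaluating whether `!in_task()` expresses the intent more precisely. The description already warns that sockets created from IRQ context end up unaccounted, which weakens memcg limits as a resource-isolation control; the patch list on this page includes net-memcg-late-association-of-sock-to-memcg.patch, which presumably narrows that gap and should be applied together with this one. Both function bodies continue outside the hunks.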
@@ -0,0 +1,121 @@
+From foo@baz Sun 15 Mar 2020 09:33:48 AM CET
+From: Dmitry Yakunin
+Date: Thu, 5 Mar 2020 17:45:57 +0300
+Subject: cgroup, netclassid: periodically release file_lock on classid updating
+
+From: Dmitry Yakunin
+
+[ Upstream commit 018d26fcd12a75fb9b5fe233762aa3f2f0854b88 ]
+
+In our production environment we have faced with problem that updating
+classid in cgroup with heavy tasks cause long freeze of the file tables
+in this tasks. By heavy tasks we understand tasks with many threads and
+opened sockets (e.g. balancers). This freeze leads to an increase number
+of client timeouts.
+
+This patch implements following logic to fix this issue:
+аfter iterating 1000 file descriptors file table lock will be released
+thus providing a time gap for socket creation/deletion.
+
+Now update is non atomic and socket may be skipped using calls:
+
+dup2(oldfd, newfd);
+close(oldfd);
+
+But this case is not typical. Moreover before this patch skip is possible
+too by hiding socket fd in unix socket buffer.
+
+New sockets will be allocated with updated classid because cgroup state
+is updated before start of the file descriptors iteration.
+
+So in common cases this patch has no side effects.
+
+Signed-off-by: Dmitry Yakunin
+Reviewed-by: Konstantin Khlebnikov
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/core/netclassid_cgroup.c | 47 +++++++++++++++++++++++++++++++++----------
+ 1 file changed, 37 insertions(+), 10 deletions(-)
+
+--- a/net/core/netclassid_cgroup.c
++++ b/net/core/netclassid_cgroup.c
+@@ -53,30 +53,60 @@ static void cgrp_css_free(struct cgroup_
+ kfree(css_cls_state(css));
+ }
+
++/*
++ * To avoid freezing of sockets creation for tasks with big number of threads
++ * and opened sockets lets release file_lock every 1000 iterated descriptors.
++ * New sockets will already have been created with new classid.
++ */
++
++struct update_classid_context {
++ u32 classid;
++ unsigned int batch;
++};
++
++#define UPDATE_CLASSID_BATCH 1000
++
+ static int update_classid_sock(const void *v, struct file *file, unsigned n)
+ {
+ int err;
++ struct update_classid_context *ctx = (void *)v;
+ struct socket *sock = sock_from_file(file, &err);
+
+ if (sock) {
+ spin_lock(&cgroup_sk_update_lock);
+- sock_cgroup_set_classid(&sock->sk->sk_cgrp_data,
+- (unsigned long)v);
++ sock_cgroup_set_classid(&sock->sk->sk_cgrp_data, ctx->classid);
+ spin_unlock(&cgroup_sk_update_lock);
+ }
++ if (--ctx->batch == 0) {
++ ctx->batch = UPDATE_CLASSID_BATCH;
++ return n + 1;
++ }
+ return 0;
+ }
+
++static void update_classid_task(struct task_struct *p, u32 classid)
++{
++ struct update_classid_context ctx = {
++ .classid = classid,
++ .batch = UPDATE_CLASSID_BATCH
++ };
++ unsigned int fd = 0;
++
++ do {
++ task_lock(p);
++ fd = iterate_fd(p->files, fd, update_classid_sock, &ctx);
++ task_unlock(p);
++ cond_resched();
++ } while (fd);
++}
++
+ static void cgrp_attach(struct cgroup_taskset *tset)
+ {
+ struct cgroup_subsys_state *css;
+ struct task_struct *p;
+
+ cgroup_taskset_for_each(p, css, tset) {
+- task_lock(p);
+- iterate_fd(p->files, 0, update_classid_sock,
+- (void *)(unsigned long)css_cls_state(css)->classid);
+- task_unlock(p);
++ update_classid_task(p, css_cls_state(css)->classid);
+ }
+ }
+
+@@ -98,10 +128,7 @@ static int write_classid(struct cgroup_s
+
+ css_task_iter_start(css, 0, &it);
+ while ((p = css_task_iter_next(&it))) {
+- task_lock(p);
+- iterate_fd(p->files, 0, update_classid_sock,
+- (void *)(unsigned long)cs->classid);
+- task_unlock(p);
++ update_classid_task(p, cs->classid);
+ cond_resched();
+ }
+ css_task_iter_end(&it);
diff --git a/queue-5.4/devlink-validate-length-of-param-values.patch b/queue-5.4/devlink-validate-length-of-param-values.patch
new file mode 100644
index 00000000000..5faa490bf15
--- /dev/null
+++ b/queue-5.4/devlink-validate-length-of-param-values.patch
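Review bot: The comment added above `struct update_classid_context` explains the batching but omits the consequence the description admits, namely that the per-task update is no longer atomic. Between two `iterate_fd()` passes in update_classid_task() the lock is dropped, so a descriptor moved across the batch boundary with dup2()/close() can keep its old classid. Anything that treats the classid as a traffic-policy or filtering boundary should know this, so the comment deserves one more line such as `* NOTE: the walk is not atomic; a socket whose fd changes between batches may retain the previous classid.` On style, `struct update_classid_context *ctx = (void *)v;` discards the `const` of the callback argument and then writes `ctx->batch`; the object is a non-const local so this is well defined, but a short comment at the cast would keep the write from looking accidental. The `cond_resched()` left in write_classid() is now redundant with the one inside the helper.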
@@ -0,0 +1,78 @@
+From foo@baz Sun 15 Mar 2020 09:33:48 AM CET
+From: Jakub Kicinski
+Date: Mon, 2 Mar 2020 21:05:11 -0800
+Subject: devlink: validate length of param values
+
+From: Jakub Kicinski
+
+[ Upstream commit 8750939b6ad86abc3f53ec8a9683a1cded4a5654 ]
+
+DEVLINK_ATTR_PARAM_VALUE_DATA may have different types
+so it's not checked by the normal netlink policy. Make
+sure the attribute length is what we expect.
+
+Fixes: e3b7ca18ad7b ("devlink: Add param set command")
+Signed-off-by: Jakub Kicinski
+Reviewed-by: Jiri Pirko
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/core/devlink.c | 31 +++++++++++++++++++------------
+ 1 file changed, 19 insertions(+), 12 deletions(-)
+
+--- a/net/core/devlink.c
++++ b/net/core/devlink.c
+@@ -3222,34 +3222,41 @@ devlink_param_value_get_from_info(const
+ struct genl_info *info,
+ union devlink_param_value *value)
+ {
++ struct nlattr *param_data;
+ int len;
+
+- if (param->type != DEVLINK_PARAM_TYPE_BOOL &&
+- !info->attrs[DEVLINK_ATTR_PARAM_VALUE_DATA])
++ param_data = info->attrs[DEVLINK_ATTR_PARAM_VALUE_DATA];
++
++ if (param->type != DEVLINK_PARAM_TYPE_BOOL && !param_data)
+ return -EINVAL;
+
+ switch (param->type) {
+ case DEVLINK_PARAM_TYPE_U8:
+- value->vu8 = nla_get_u8(info->attrs[DEVLINK_ATTR_PARAM_VALUE_DATA]);
++ if (nla_len(param_data) != sizeof(u8))
++ return -EINVAL;
++ value->vu8 = nla_get_u8(param_data);
+ break;
+ case DEVLINK_PARAM_TYPE_U16:
+- value->vu16 = nla_get_u16(info->attrs[DEVLINK_ATTR_PARAM_VALUE_DATA]);
++ if (nla_len(param_data) != sizeof(u16))
++ return -EINVAL;
++ value->vu16 = nla_get_u16(param_data);
+ break;
+ case DEVLINK_PARAM_TYPE_U32:
+- value->vu32 = nla_get_u32(info->attrs[DEVLINK_ATTR_PARAM_VALUE_DATA]);
++ if (nla_len(param_data) != sizeof(u32))
++ return -EINVAL;
++ value->vu32 = nla_get_u32(param_data);
+ break;
+ case DEVLINK_PARAM_TYPE_STRING:
+- len = strnlen(nla_data(info->attrs[DEVLINK_ATTR_PARAM_VALUE_DATA]),
+-
nla_len(info->attrs[DEVLINK_ATTR_PARAM_VALUE_DATA]));
+- if (len == nla_len(info->attrs[DEVLINK_ATTR_PARAM_VALUE_DATA]) ||
++ len = strnlen(nla_data(param_data), nla_len(param_data));
++ if (len == nla_len(param_data) ||
+ len >= __DEVLINK_PARAM_MAX_STRING_VALUE)
+ return -EINVAL;
+- strcpy(value->vstr,
+- nla_data(info->attrs[DEVLINK_ATTR_PARAM_VALUE_DATA]));
++ strcpy(value->vstr, nla_data(param_data));
+ break;
+ case DEVLINK_PARAM_TYPE_BOOL:
+- value->vbool = info->attrs[DEVLINK_ATTR_PARAM_VALUE_DATA] ?
+- true : false;
++ if (param_data && nla_len(param_data))
++ return -EINVAL;
++ value->vbool = nla_get_flag(param_data);
+ break;
+ }
+ return 0;
diff --git a/queue-5.4/devlink-validate-length-of-region-addr-len.patch b/queue-5.4/devlink-validate-length-of-region-addr-len.patch
new file mode 100644
index 00000000000..85294297c2c
--- /dev/null
+++ b/queue-5.4/devlink-validate-length-of-region-addr-len.patch
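Review bot: The `switch (param->type)` in devlink_param_value_get_from_info() still has no `default:` arm, so a type outside the five handled cases skips every new length check and reaches `return 0;` with `*value` unwritten. Since the point of the change is that this attribute bypasses the generic netlink policy, failing closed would complete it: `default: return -EINVAL;`. The string case remains correct only because the `strnlen()` test sits immediately before `strcpy(value->vstr, nla_data(param_data));`; a bounded copy such as `strscpy(value->vstr, nla_data(param_data), sizeof(value->vstr));` would not depend on those two statements staying adjacent, assuming `vstr` is an array of `__DEVLINK_PARAM_MAX_STRING_VALUE` bytes, which the hunk does not show.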
@@ -0,0 +1,33 @@
+From foo@baz Sun 15 Mar 2020 09:33:48 AM CET
+From: Jakub Kicinski
+Date: Mon, 2 Mar 2020 21:05:12 -0800
+Subject: devlink: validate length of region addr/len
+
+From: Jakub Kicinski
+
+[ Upstream commit ff3b63b8c299b73ac599b120653b47e275407656 ]
+
+DEVLINK_ATTR_REGION_CHUNK_ADDR and DEVLINK_ATTR_REGION_CHUNK_LEN
+lack entries in the netlink policy. Corresponding nla_get_u64()s
+may read beyond the end of the message.
+
+Fixes: 4e54795a27f5 ("devlink: Add support for region snapshot read command")
+Signed-off-by: Jakub Kicinski
+Reviewed-by: Jiri Pirko
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/core/devlink.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/core/devlink.c
++++ b/net/core/devlink.c
+@@ -5804,6 +5804,8 @@ static const struct nla_policy devlink_n
+ [DEVLINK_ATTR_PARAM_VALUE_CMODE] = { .type = NLA_U8 },
+ [DEVLINK_ATTR_REGION_NAME] = { .type = NLA_NUL_STRING },
+ [DEVLINK_ATTR_REGION_SNAPSHOT_ID] = { .type = NLA_U32 },
++ [DEVLINK_ATTR_REGION_CHUNK_ADDR] = { .type = NLA_U64 },
++ [DEVLINK_ATTR_REGION_CHUNK_LEN] = { .type = NLA_U64 },
+ [DEVLINK_ATTR_HEALTH_REPORTER_NAME] = { .type = NLA_NUL_STRING },
+ [DEVLINK_ATTR_HEALTH_REPORTER_GRACEFUL_PERIOD] = { .type = NLA_U64 },
+ [DEVLINK_ATTR_HEALTH_REPORTER_AUTO_RECOVER] = { .type = NLA_U8 },
diff --git a/queue-5.4/fib-add-missing-attribute-validation-for-tun_id.patch b/queue-5.4/fib-add-missing-attribute-validation-for-tun_id.patch
new file mode 100644
index 00000000000..75261e35a66
--- /dev/null
+++ b/queue-5.4/fib-add-missing-attribute-validation-for-tun_id.patch
@@ -0,0 +1,30 @@
+From foo@baz Sun 15 Mar 2020 09:33:48 AM CET
+From: Jakub Kicinski
+Date: Mon, 2 Mar 2020 21:05:13 -0800
+Subject: fib: add missing attribute validation for tun_id
+
+From: Jakub Kicinski
+
+[ Upstream commit 4c16d64ea04056f1b1b324ab6916019f6a064114 ]
+
+Add missing netlink policy entry for FRA_TUN_ID.
+
+Fixes: e7030878fc84 ("fib: Add fib rule match on tunnel id")
+Signed-off-by: Jakub Kicinski
+Reviewed-by: David Ahern
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ include/net/fib_rules.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/include/net/fib_rules.h
++++ b/include/net/fib_rules.h
+@@ -108,6 +108,7 @@ struct fib_rule_notifier_info {
+ [FRA_OIFNAME] = { .type = NLA_STRING, .len = IFNAMSIZ - 1 }, \
+ [FRA_PRIORITY] = { .type = NLA_U32 }, \
+ [FRA_FWMARK] = { .type = NLA_U32 }, \
++ [FRA_TUN_ID] = { .type = NLA_U64 }, \
+ [FRA_FWMASK] = { .type = NLA_U32 }, \
+ [FRA_TABLE] = { .type = NLA_U32 }, \
+ [FRA_SUPPRESS_PREFIXLEN] = { .type = NLA_U32 }, \
diff --git a/queue-5.4/gre-fix-uninit-value-in-__iptunnel_pull_header.patch b/queue-5.4/gre-fix-uninit-value-in-__iptunnel_pull_header.patch
new file mode 100644
index 00000000000..ebcb35b82b3
--- /dev/null
+++ b/queue-5.4/gre-fix-uninit-value-in-__iptunnel_pull_header.patch
@@ -0,0 +1,138 @@ +From foo@baz Sun 15 Mar 2020 09:33:48 AM CET +From: Eric Dumazet +Date: Sat, 7 Mar 2020 22:05:14 -0800 +Subject: gre: fix uninit-value in __iptunnel_pull_header + +From: Eric Dumazet + +[ Upstream commit 17c25cafd4d3e74c83dce56b158843b19c40b414 ] + +syzbot found an interesting case of the kernel reading +an uninit-value [1] + +Problem is in the handling of ETH_P_WCCP in gre_parse_header() + +We look at the byte following GRE options to eventually decide +if the options are four bytes longer. + +Use skb_header_pointer() to not pull bytes if we found +that no more bytes were needed. + +All callers of gre_parse_header() are properly using pskb_may_pull() +anyway before proceeding to next header. + +[1] +BUG: KMSAN: uninit-value in pskb_may_pull include/linux/skbuff.h:2303 [inline] +BUG: KMSAN: uninit-value in __iptunnel_pull_header+0x30c/0xbd0 net/ipv4/ip_tunnel_core.c:94 +CPU: 1 PID: 11784 Comm: syz-executor940 Not tainted 5.6.0-rc2-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0x1c9/0x220 lib/dump_stack.c:118 + kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:118 + __msan_warning+0x58/0xa0 mm/kmsan/kmsan_instr.c:215 + pskb_may_pull include/linux/skbuff.h:2303 [inline] + __iptunnel_pull_header+0x30c/0xbd0 net/ipv4/ip_tunnel_core.c:94 + iptunnel_pull_header include/net/ip_tunnels.h:411 [inline] + gre_rcv+0x15e/0x19c0 net/ipv6/ip6_gre.c:606 + ip6_protocol_deliver_rcu+0x181b/0x22c0 net/ipv6/ip6_input.c:432 + ip6_input_finish net/ipv6/ip6_input.c:473 [inline] + NF_HOOK include/linux/netfilter.h:307 [inline] + ip6_input net/ipv6/ip6_input.c:482 [inline] + ip6_mc_input+0xdf2/0x1460 net/ipv6/ip6_input.c:576 + dst_input include/net/dst.h:442 [inline] + ip6_rcv_finish net/ipv6/ip6_input.c:76 [inline] + NF_HOOK include/linux/netfilter.h:307 [inline] + ipv6_rcv+0x683/0x710 net/ipv6/ip6_input.c:306 + __netif_receive_skb_one_core 
net/core/dev.c:5198 [inline] + __netif_receive_skb net/core/dev.c:5312 [inline] + netif_receive_skb_internal net/core/dev.c:5402 [inline] + netif_receive_skb+0x66b/0xf20 net/core/dev.c:5461 + tun_rx_batched include/linux/skbuff.h:4321 [inline] + tun_get_user+0x6aef/0x6f60 drivers/net/tun.c:1997 + tun_chr_write_iter+0x1f2/0x360 drivers/net/tun.c:2026 + call_write_iter include/linux/fs.h:1901 [inline] + new_sync_write fs/read_write.c:483 [inline] + __vfs_write+0xa5a/0xca0 fs/read_write.c:496 + vfs_write+0x44a/0x8f0 fs/read_write.c:558 + ksys_write+0x267/0x450 fs/read_write.c:611 + __do_sys_write fs/read_write.c:623 [inline] + __se_sys_write fs/read_write.c:620 [inline] + __ia32_sys_write+0xdb/0x120 fs/read_write.c:620 + do_syscall_32_irqs_on arch/x86/entry/common.c:339 [inline] + do_fast_syscall_32+0x3c7/0x6e0 arch/x86/entry/common.c:410 + entry_SYSENTER_compat+0x68/0x77 arch/x86/entry/entry_64_compat.S:139 +RIP: 0023:0xf7f62d99 +Code: 90 e8 0b 00 00 00 f3 90 0f ae e8 eb f9 8d 74 26 00 89 3c 24 c3 90 90 90 90 90 90 90 90 90 90 90 90 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90 +RSP: 002b:00000000fffedb2c EFLAGS: 00000217 ORIG_RAX: 0000000000000004 +RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020002580 +RDX: 0000000000000fca RSI: 0000000000000036 RDI: 0000000000000004 +RBP: 0000000000008914 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 +R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 + +Uninit was created at: + kmsan_save_stack_with_flags mm/kmsan/kmsan.c:144 [inline] + kmsan_internal_poison_shadow+0x66/0xd0 mm/kmsan/kmsan.c:127 + kmsan_slab_alloc+0x8a/0xe0 mm/kmsan/kmsan_hooks.c:82 + slab_alloc_node mm/slub.c:2793 [inline] + __kmalloc_node_track_caller+0xb40/0x1200 mm/slub.c:4401 + __kmalloc_reserve net/core/skbuff.c:142 [inline] + __alloc_skb+0x2fd/0xac0 net/core/skbuff.c:210 + alloc_skb include/linux/skbuff.h:1051 [inline] 
+ alloc_skb_with_frags+0x18c/0xa70 net/core/skbuff.c:5766 + sock_alloc_send_pskb+0xada/0xc60 net/core/sock.c:2242 + tun_alloc_skb drivers/net/tun.c:1529 [inline] + tun_get_user+0x10ae/0x6f60 drivers/net/tun.c:1843 + tun_chr_write_iter+0x1f2/0x360 drivers/net/tun.c:2026 + call_write_iter include/linux/fs.h:1901 [inline] + new_sync_write fs/read_write.c:483 [inline] + __vfs_write+0xa5a/0xca0 fs/read_write.c:496 + vfs_write+0x44a/0x8f0 fs/read_write.c:558 + ksys_write+0x267/0x450 fs/read_write.c:611 + __do_sys_write fs/read_write.c:623 [inline] + __se_sys_write fs/read_write.c:620 [inline] + __ia32_sys_write+0xdb/0x120 fs/read_write.c:620 + do_syscall_32_irqs_on arch/x86/entry/common.c:339 [inline] + do_fast_syscall_32+0x3c7/0x6e0 arch/x86/entry/common.c:410 + entry_SYSENTER_compat+0x68/0x77 arch/x86/entry/entry_64_compat.S:139 + +Fixes: 95f5c64c3c13 ("gre: Move utility functions to common headers") +Fixes: c54419321455 ("GRE: Refactor GRE tunneling code.") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/gre_demux.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +--- a/net/ipv4/gre_demux.c ++++ b/net/ipv4/gre_demux.c +@@ -56,7 +56,9 @@ int gre_del_protocol(const struct gre_pr + } + EXPORT_SYMBOL_GPL(gre_del_protocol); + +-/* Fills in tpi and returns header length to be pulled. */ ++/* Fills in tpi and returns header length to be pulled. ++ * Note that caller must use pskb_may_pull() before pulling GRE header. 
++ */ + int gre_parse_header(struct sk_buff *skb, struct tnl_ptk_info *tpi, + bool *csum_err, __be16 proto, int nhs) + { +@@ -110,8 +112,14 @@ int gre_parse_header(struct sk_buff *skb + * - When dealing with WCCPv2, Skip extra 4 bytes in GRE header + */ + if (greh->flags == 0 && tpi->proto == htons(ETH_P_WCCP)) { ++ u8 _val, *val; ++ ++ val = skb_header_pointer(skb, nhs + hdr_len, ++ sizeof(_val), &_val); ++ if (!val) ++ return -EINVAL; + tpi->proto = proto; +- if ((*(u8 *)options & 0xF0) != 0x40) ++ if ((*val & 0xF0) != 0x40) + hdr_len += 4; + } + tpi->hdr_len = hdr_len; diff --git a/queue-5.4/inet_diag-return-classid-for-all-socket-types.patch b/queue-5.4/inet_diag-return-classid-for-all-socket-types.patch new file mode 100644 index 00000000000..157d1339ae2 --- /dev/null +++ b/queue-5.4/inet_diag-return-classid-for-all-socket-types.patch 
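Review bot: The updated comment on gre_parse_header() still describes the return value only as the "header length to be pulled", while the WCCP branch now has a `return -EINVAL;` when skb_header_pointer() cannot supply the byte that follows the GRE options. A caller reading the comment has no cue to test for a negative result before using the value as a pull length. I would add one line to the comment, ` * Returns a negative errno if the header is truncated or malformed.` Whether earlier paths of the function already return negative values cannot be seen, since most of the body lies between the two hunks.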
@@ -0,0 +1,184 @@ +From foo@baz Sun 15 Mar 2020 09:33:48 AM CET +From: Dmitry Yakunin +Date: Thu, 5 Mar 2020 15:33:12 +0300 +Subject: inet_diag: return classid for all socket types + +From: Dmitry Yakunin + +[ Upstream commit 83f73c5bb7b9a9135173f0ba2b1aa00c06664ff9 ] + +In commit 1ec17dbd90f8 ("inet_diag: fix reporting cgroup classid and +fallback to priority") croup classid reporting was fixed. But this works +only for TCP sockets because for other socket types icsk parameter can +be NULL and classid code path is skipped. This change moves classid +handling to inet_diag_msg_attrs_fill() function. + +Also inet_diag_msg_attrs_size() helper was added and addends in +nlmsg_new() were reordered to save order from inet_sk_diag_fill(). + +Fixes: 1ec17dbd90f8 ("inet_diag: fix reporting cgroup classid and fallback to priority") +Signed-off-by: Dmitry Yakunin +Reviewed-by: Konstantin Khlebnikov +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/inet_diag.h | 18 ++++++++++++------ + net/ipv4/inet_diag.c | 44 ++++++++++++++++++++------------------------ + net/ipv4/raw_diag.c | 5 +++-- + net/ipv4/udp_diag.c | 5 +++-- + net/sctp/diag.c | 8 ++------ + 5 files changed, 40 insertions(+), 40 deletions(-) + +--- a/include/linux/inet_diag.h ++++ b/include/linux/inet_diag.h +@@ -2,15 +2,10 @@ + #ifndef _INET_DIAG_H_ + #define _INET_DIAG_H_ 1 + ++#include + #include + +-struct net; +-struct sock; + struct inet_hashinfo; +-struct nlattr; +-struct nlmsghdr; +-struct sk_buff; +-struct netlink_callback; + + struct inet_diag_handler { + void (*dump)(struct sk_buff *skb, +@@ -62,6 +57,17 @@ int inet_diag_bc_sk(const struct nlattr + + void inet_diag_msg_common_fill(struct inet_diag_msg *r, struct sock *sk); + ++static inline size_t inet_diag_msg_attrs_size(void) ++{ ++ return nla_total_size(1) /* INET_DIAG_SHUTDOWN */ ++ + nla_total_size(1) /* INET_DIAG_TOS */ ++#if IS_ENABLED(CONFIG_IPV6) ++ + nla_total_size(1) /* INET_DIAG_TCLASS */ ++ + 
nla_total_size(1) /* INET_DIAG_SKV6ONLY */ ++#endif ++ + nla_total_size(4) /* INET_DIAG_MARK */ ++ + nla_total_size(4); /* INET_DIAG_CLASS_ID */ ++} + int inet_diag_msg_attrs_fill(struct sock *sk, struct sk_buff *skb, + struct inet_diag_msg *r, int ext, + struct user_namespace *user_ns, bool net_admin); +--- a/net/ipv4/inet_diag.c ++++ b/net/ipv4/inet_diag.c +@@ -100,13 +100,9 @@ static size_t inet_sk_attr_size(struct s + aux = handler->idiag_get_aux_size(sk, net_admin); + + return nla_total_size(sizeof(struct tcp_info)) +- + nla_total_size(1) /* INET_DIAG_SHUTDOWN */ +- + nla_total_size(1) /* INET_DIAG_TOS */ +- + nla_total_size(1) /* INET_DIAG_TCLASS */ +- + nla_total_size(4) /* INET_DIAG_MARK */ +- + nla_total_size(4) /* INET_DIAG_CLASS_ID */ +- + nla_total_size(sizeof(struct inet_diag_meminfo)) + + nla_total_size(sizeof(struct inet_diag_msg)) ++ + inet_diag_msg_attrs_size() ++ + nla_total_size(sizeof(struct inet_diag_meminfo)) + + nla_total_size(SK_MEMINFO_VARS * sizeof(u32)) + + nla_total_size(TCP_CA_NAME_MAX) + + nla_total_size(sizeof(struct tcpvegas_info)) +@@ -147,6 +143,24 @@ int inet_diag_msg_attrs_fill(struct sock + if (net_admin && nla_put_u32(skb, INET_DIAG_MARK, sk->sk_mark)) + goto errout; + ++ if (ext & (1 << (INET_DIAG_CLASS_ID - 1)) || ++ ext & (1 << (INET_DIAG_TCLASS - 1))) { ++ u32 classid = 0; ++ ++#ifdef CONFIG_SOCK_CGROUP_DATA ++ classid = sock_cgroup_classid(&sk->sk_cgrp_data); ++#endif ++ /* Fallback to socket priority if class id isn't set. ++ * Classful qdiscs use it as direct reference to class. ++ * For cgroup2 classid is always zero. 
++ */ ++ if (!classid) ++ classid = sk->sk_priority; ++ ++ if (nla_put_u32(skb, INET_DIAG_CLASS_ID, classid)) ++ goto errout; ++ } ++ + r->idiag_uid = from_kuid_munged(user_ns, sock_i_uid(sk)); + r->idiag_inode = sock_i_ino(sk); + +@@ -284,24 +298,6 @@ int inet_sk_diag_fill(struct sock *sk, s + goto errout; + } + +- if (ext & (1 << (INET_DIAG_CLASS_ID - 1)) || +- ext & (1 << (INET_DIAG_TCLASS - 1))) { +- u32 classid = 0; +- +-#ifdef CONFIG_SOCK_CGROUP_DATA +- classid = sock_cgroup_classid(&sk->sk_cgrp_data); +-#endif +- /* Fallback to socket priority if class id isn't set. +- * Classful qdiscs use it as direct reference to class. +- * For cgroup2 classid is always zero. +- */ +- if (!classid) +- classid = sk->sk_priority; +- +- if (nla_put_u32(skb, INET_DIAG_CLASS_ID, classid)) +- goto errout; +- } +- + out: + nlmsg_end(skb, nlh); + return 0; +--- a/net/ipv4/raw_diag.c ++++ b/net/ipv4/raw_diag.c +@@ -100,8 +100,9 @@ static int raw_diag_dump_one(struct sk_b + if (IS_ERR(sk)) + return PTR_ERR(sk); + +- rep = nlmsg_new(sizeof(struct inet_diag_msg) + +- sizeof(struct inet_diag_meminfo) + 64, ++ rep = nlmsg_new(nla_total_size(sizeof(struct inet_diag_msg)) + ++ inet_diag_msg_attrs_size() + ++ nla_total_size(sizeof(struct inet_diag_meminfo)) + 64, + GFP_KERNEL); + if (!rep) { + sock_put(sk); +--- a/net/ipv4/udp_diag.c ++++ b/net/ipv4/udp_diag.c +@@ -64,8 +64,9 @@ static int udp_dump_one(struct udp_table + goto out; + + err = -ENOMEM; +- rep = nlmsg_new(sizeof(struct inet_diag_msg) + +- sizeof(struct inet_diag_meminfo) + 64, ++ rep = nlmsg_new(nla_total_size(sizeof(struct inet_diag_msg)) + ++ inet_diag_msg_attrs_size() + ++ nla_total_size(sizeof(struct inet_diag_meminfo)) + 64, + GFP_KERNEL); + if (!rep) + goto out; +--- a/net/sctp/diag.c ++++ b/net/sctp/diag.c +@@ -237,15 +237,11 @@ static size_t inet_assoc_attr_size(struc + addrcnt++; + + return nla_total_size(sizeof(struct sctp_info)) +- + nla_total_size(1) /* INET_DIAG_SHUTDOWN */ +- + nla_total_size(1) /* 
INET_DIAG_TOS */ +- + nla_total_size(1) /* INET_DIAG_TCLASS */ +- + nla_total_size(4) /* INET_DIAG_MARK */ +- + nla_total_size(4) /* INET_DIAG_CLASS_ID */ + + nla_total_size(addrlen * asoc->peer.transport_count) + + nla_total_size(addrlen * addrcnt) +- + nla_total_size(sizeof(struct inet_diag_meminfo)) + + nla_total_size(sizeof(struct inet_diag_msg)) ++ + inet_diag_msg_attrs_size() ++ + nla_total_size(sizeof(struct inet_diag_meminfo)) + + 64; + } + diff --git a/queue-5.4/ipv6-addrconf-call-ipv6_mc_up-for-non-ethernet-interface.patch b/queue-5.4/ipv6-addrconf-call-ipv6_mc_up-for-non-ethernet-interface.patch new file mode 100644 index 00000000000..b4a041d4388 --- /dev/null +++ b/queue-5.4/ipv6-addrconf-call-ipv6_mc_up-for-non-ethernet-interface.patch 
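Review bot: The class-id block moved into inet_diag_msg_attrs_fill() keeps the condition `ext & (1 << (INET_DIAG_CLASS_ID - 1)) || ext & (1 << (INET_DIAG_TCLASS - 1))` with no comment explaining why a TCLASS request also emits INET_DIAG_CLASS_ID. Since the block now runs for raw, UDP and SCTP sockets as well, the coupling deserves a line such as `/* CLASS_ID is also sent when TCLASS is requested; presumably the request's ext bitmap cannot carry the CLASS_ID bit - confirm */`. It is also worth confirming that reporting the cgroup classid or sk_priority without the net_admin test that guards INET_DIAG_MARK just above is intended for every socket type. The function starts and ends outside the hunk.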
@@ -0,0 +1,73 @@ +From foo@baz Sun 15 Mar 2020 09:33:48 AM CET +From: Hangbin Liu +Date: Tue, 10 Mar 2020 15:27:37 +0800 +Subject: ipv6/addrconf: call ipv6_mc_up() for non-Ethernet interface + +From: Hangbin Liu + +[ Upstream commit 60380488e4e0b95e9e82aa68aa9705baa86de84c ] + +Rafał found an issue that for non-Ethernet interface, if we down and up +frequently, the memory will be consumed slowly. + +The reason is we add allnodes/allrouters addressed in multicast list in +ipv6_add_dev(). When link down, we call ipv6_mc_down(), store all multicast +addresses via mld_add_delrec(). But when link up, we don't call ipv6_mc_up() +for non-Ethernet interface to remove the addresses. This makes idev->mc_tomb +getting bigger and bigger. The call stack looks like: + +addrconf_notify(NETDEV_REGISTER) + ipv6_add_dev + ipv6_dev_mc_inc(ff01::1) + ipv6_dev_mc_inc(ff02::1) + ipv6_dev_mc_inc(ff02::2) + +addrconf_notify(NETDEV_UP) + addrconf_dev_config + /* Alas, we support only Ethernet autoconfiguration. */ + return; + +addrconf_notify(NETDEV_DOWN) + addrconf_ifdown + ipv6_mc_down + igmp6_group_dropped(ff02::2) + mld_add_delrec(ff02::2) + igmp6_group_dropped(ff02::1) + igmp6_group_dropped(ff01::1) + +After investigating, I can't found a rule to disable multicast on +non-Ethernet interface. In RFC2460, the link could be Ethernet, PPP, ATM, +tunnels, etc. In IPv4, it doesn't check the dev type when calls ip_mc_up() +in inetdev_event(). Even for IPv6, we don't check the dev type and call +ipv6_add_dev(), ipv6_dev_mc_inc() after register device. + +So I think it's OK to fix this memory consumer by calling ipv6_mc_up() for +non-Ethernet interface. + +v2: Also check IFF_MULTICAST flag to make sure the interface supports + multicast + +Reported-by: Rafał Miłecki +Tested-by: Rafał Miłecki +Fixes: 74235a25c673 ("[IPV6] addrconf: Fix IPv6 on tuntap tunnels") +Fixes: 1666d49e1d41 ("mld: do not remove mld souce list info when set link down") +Signed-off-by: Hangbin Liu +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/addrconf.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/net/ipv6/addrconf.c ++++ b/net/ipv6/addrconf.c +@@ -3345,6 +3345,10 @@ static void addrconf_dev_config(struct n + (dev->type != ARPHRD_NONE) && + (dev->type != ARPHRD_RAWIP)) { + /* Alas, we support only Ethernet autoconfiguration. */ ++ idev = __in6_dev_get(dev); ++ if (!IS_ERR_OR_NULL(idev) && dev->flags & IFF_UP && ++ dev->flags & IFF_MULTICAST) ++ ipv6_mc_up(idev); + return; + } + diff --git a/queue-5.4/ipvlan-add-cond_resched_rcu-while-processing-muticast-backlog.patch b/queue-5.4/ipvlan-add-cond_resched_rcu-while-processing-muticast-backlog.patch new file mode 100644 index 00000000000..b4e4ca609b5 --- /dev/null +++ b/queue-5.4/ipvlan-add-cond_resched_rcu-while-processing-muticast-backlog.patch 
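Review bot: `!IS_ERR_OR_NULL(idev)` in the block added to addrconf_dev_config() tests for an error pointer that __in6_dev_get() is, as far as I know, never expected to return (it yields NULL or a valid inet6_dev), and the unparenthesised `dev->flags & IFF_UP && dev->flags & IFF_MULTICAST` is easy to misread. I would write `if (idev && (dev->flags & IFF_UP) && (dev->flags & IFF_MULTICAST))`. The retained comment `/* Alas, we support only Ethernet autoconfiguration. */` now sits directly above the multicast bring-up, so a second comment line saying that multicast is still brought up here to balance ipv6_mc_down() would keep it accurate. The function starts and ends outside the hunk.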
@@ -0,0 +1,114 @@ +From foo@baz Sun 15 Mar 2020 09:33:48 AM CET +From: Mahesh Bandewar +Date: Mon, 9 Mar 2020 15:57:02 -0700 +Subject: ipvlan: add cond_resched_rcu() while processing muticast backlog + +From: Mahesh Bandewar + +[ Upstream commit e18b353f102e371580f3f01dd47567a25acc3c1d ] + +If there are substantial number of slaves created as simulated by +Syzbot, the backlog processing could take much longer and result +into the issue found in the Syzbot report. + +INFO: rcu_sched detected stalls on CPUs/tasks: + (detected by 1, t=10502 jiffies, g=5049, c=5048, q=752) +All QSes seen, last rcu_sched kthread activity 10502 (4294965563-4294955061), jiffies_till_next_fqs=1, root ->qsmask 0x0 +syz-executor.1 R running task on cpu 1 10984 11210 3866 0x30020008 179034491270 +Call Trace: + + [] _sched_show_task kernel/sched/core.c:8063 [inline] + [] _sched_show_task.cold+0x2fd/0x392 kernel/sched/core.c:8030 + [] sched_show_task+0xb/0x10 kernel/sched/core.c:8073 + [] print_other_cpu_stall kernel/rcu/tree.c:1577 [inline] + [] check_cpu_stall kernel/rcu/tree.c:1695 [inline] + [] __rcu_pending kernel/rcu/tree.c:3478 [inline] + [] rcu_pending kernel/rcu/tree.c:3540 [inline] + [] rcu_check_callbacks.cold+0xbb4/0xc29 kernel/rcu/tree.c:2876 + [] update_process_times+0x32/0x80 kernel/time/timer.c:1635 + [] tick_sched_handle+0xa0/0x180 kernel/time/tick-sched.c:161 + [] tick_sched_timer+0x44/0x130 kernel/time/tick-sched.c:1193 + [] __run_hrtimer kernel/time/hrtimer.c:1393 [inline] + [] __hrtimer_run_queues+0x307/0xd90 kernel/time/hrtimer.c:1455 + [] hrtimer_interrupt+0x2ea/0x730 kernel/time/hrtimer.c:1513 + [] local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1031 [inline] + [] smp_apic_timer_interrupt+0x144/0x5e0 arch/x86/kernel/apic/apic.c:1056 + [] apic_timer_interrupt+0x8e/0xa0 arch/x86/entry/entry_64.S:778 +RIP: 0010:do_raw_read_lock+0x22/0x80 kernel/locking/spinlock_debug.c:153 +RSP: 0018:ffff8801dad07ab8 EFLAGS: 00000a02 ORIG_RAX: ffffffffffffff12 +RAX: 0000000000000000 
RBX: ffff8801c4135680 RCX: 0000000000000000 +RDX: 1ffff10038826afe RSI: ffff88019d816bb8 RDI: ffff8801c41357f0 +RBP: ffff8801dad07ac0 R08: 0000000000004b15 R09: 0000000000310273 +R10: ffff88019d816bb8 R11: 0000000000000001 R12: ffff8801c41357e8 +R13: 0000000000000000 R14: ffff8801cfb19850 R15: ffff8801cfb198b0 + [] __raw_read_lock_bh include/linux/rwlock_api_smp.h:177 [inline] + [] _raw_read_lock_bh+0x3e/0x50 kernel/locking/spinlock.c:240 + [] ipv6_chk_mcast_addr+0x11a/0x6f0 net/ipv6/mcast.c:1006 + [] ip6_mc_input+0x319/0x8e0 net/ipv6/ip6_input.c:482 + [] dst_input include/net/dst.h:449 [inline] + [] ip6_rcv_finish+0x408/0x610 net/ipv6/ip6_input.c:78 + [] NF_HOOK include/linux/netfilter.h:292 [inline] + [] NF_HOOK include/linux/netfilter.h:286 [inline] + [] ipv6_rcv+0x10e/0x420 net/ipv6/ip6_input.c:278 + [] __netif_receive_skb_one_core+0x12a/0x1f0 net/core/dev.c:5303 + [] __netif_receive_skb+0x2c/0x1b0 net/core/dev.c:5417 + [] process_backlog+0x216/0x6c0 net/core/dev.c:6243 + [] napi_poll net/core/dev.c:6680 [inline] + [] net_rx_action+0x47b/0xfb0 net/core/dev.c:6748 + [] __do_softirq+0x2c8/0x99a kernel/softirq.c:317 + [] invoke_softirq kernel/softirq.c:399 [inline] + [] irq_exit+0x16a/0x1a0 kernel/softirq.c:439 + [] exiting_irq arch/x86/include/asm/apic.h:561 [inline] + [] smp_apic_timer_interrupt+0x165/0x5e0 arch/x86/kernel/apic/apic.c:1058 + [] apic_timer_interrupt+0x8e/0xa0 arch/x86/entry/entry_64.S:778 + +RIP: 0010:__sanitizer_cov_trace_pc+0x26/0x50 kernel/kcov.c:102 +RSP: 0018:ffff880196033bd8 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff12 +RAX: ffff88019d8161c0 RBX: 00000000ffffffff RCX: ffffc90003501000 +RDX: 0000000000000002 RSI: ffffffff816236d1 RDI: 0000000000000005 +RBP: ffff880196033bd8 R08: ffff88019d8161c0 R09: 0000000000000000 +R10: 1ffff10032c067f0 R11: 0000000000000000 R12: 0000000000000000 +R13: 0000000000000080 R14: 0000000000000000 R15: 0000000000000000 + [] do_futex+0x151/0x1d50 kernel/futex.c:3548 + [] C_SYSC_futex kernel/futex_compat.c:201 
[inline] + [] compat_SyS_futex+0x270/0x3b0 kernel/futex_compat.c:175 + [] do_syscall_32_irqs_on arch/x86/entry/common.c:353 [inline] + [] do_fast_syscall_32+0x357/0xe1c arch/x86/entry/common.c:415 + [] entry_SYSENTER_compat+0x8b/0x9d arch/x86/entry/entry_64_compat.S:139 +RIP: 0023:0xf7f23c69 +RSP: 002b:00000000f5d1f12c EFLAGS: 00000282 ORIG_RAX: 00000000000000f0 +RAX: ffffffffffffffda RBX: 000000000816af88 RCX: 0000000000000080 +RDX: 0000000000000000 RSI: 0000000000000000 RDI: 000000000816af8c +RBP: 00000000f5d1f228 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 +R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 +rcu_sched kthread starved for 10502 jiffies! g5049 c5048 f0x2 RCU_GP_WAIT_FQS(3) ->state=0x0 ->cpu=1 +rcu_sched R running task on cpu 1 13048 8 2 0x90000000 179099587640 +Call Trace: + [] context_switch+0x60f/0xa60 kernel/sched/core.c:3209 + [] __schedule+0x5aa/0x1da0 kernel/sched/core.c:3934 + [] schedule+0x8f/0x1b0 kernel/sched/core.c:4011 + [] schedule_timeout+0x50d/0xee0 kernel/time/timer.c:1803 + [] rcu_gp_kthread+0xda1/0x3b50 kernel/rcu/tree.c:2327 + [] kthread+0x348/0x420 kernel/kthread.c:246 + [] ret_from_fork+0x56/0x70 arch/x86/entry/entry_64.S:393 + +Fixes: ba35f8588f47 (“ipvlan: Defer multicast / broadcast processing to a work-queue”) +Signed-off-by: Mahesh Bandewar +Reported-by: syzbot +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ipvlan/ipvlan_core.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/ipvlan/ipvlan_core.c ++++ b/drivers/net/ipvlan/ipvlan_core.c +@@ -277,6 +277,7 @@ void ipvlan_process_multicast(struct wor + } + ipvlan_count_rx(ipvlan, len, ret == NET_RX_SUCCESS, true); + local_bh_enable(); ++ cond_resched_rcu(); + } + rcu_read_unlock(); + 
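Review bot: The added `cond_resched_rcu();` sits inside the loop body of ipvlan_process_multicast(), ahead of the `rcu_read_unlock();` shown two lines below, so the RCU read-side section is dropped and re-entered while the slave list is apparently still being walked (the loop header and rcu_read_lock() are outside the hunk). The queue entry ipvlan-do-not-use-cond_resched_rcu-in-ipvlan_process_multicast.patch in this same commit removes the call and yields with `cond_resched();` after the section instead. The two patches therefore have to ship together and in that order. The series file that fixes the order is not visible here, so that is worth checking before the release is cut.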
diff --git a/queue-5.4/ipvlan-do-not-add-hardware-address-of-master-to-its-unicast-filter-list.patch b/queue-5.4/ipvlan-do-not-add-hardware-address-of-master-to-its-unicast-filter-list.patch
new file mode 100644
index 00000000000..b920fb6859f
--- /dev/null
+++ b/queue-5.4/ipvlan-do-not-add-hardware-address-of-master-to-its-unicast-filter-list.patch
@@ -0,0 +1,70 @@ +From foo@baz Sun 15 Mar 2020 09:33:48 AM CET +From: Jiri Wiesner +Date: Sat, 7 Mar 2020 13:31:57 +0100 +Subject: ipvlan: do not add hardware address of master to its unicast filter list + +From: Jiri Wiesner + +[ Upstream commit 63aae7b17344d4b08a7d05cb07044de4c0f9dcc6 ] + +There is a problem when ipvlan slaves are created on a master device that +is a vmxnet3 device (ipvlan in VMware guests). The vmxnet3 driver does not +support unicast address filtering. When an ipvlan device is brought up in +ipvlan_open(), the ipvlan driver calls dev_uc_add() to add the hardware +address of the vmxnet3 master device to the unicast address list of the +master device, phy_dev->uc. This inevitably leads to the vmxnet3 master +device being forced into promiscuous mode by __dev_set_rx_mode(). + +Promiscuous mode is switched on the master despite the fact that there is +still only one hardware address that the master device should use for +filtering in order for the ipvlan device to be able to receive packets. +The comment above struct net_device describes the uc_promisc member as a +"counter, that indicates, that promiscuous mode has been enabled due to +the need to listen to additional unicast addresses in a device that does +not implement ndo_set_rx_mode()". Moreover, the design of ipvlan +guarantees that only the hardware address of a master device, +phy_dev->dev_addr, will be used to transmit and receive all packets from +its ipvlan slaves. Thus, the unicast address list of the master device +should not be modified by ipvlan_open() and ipvlan_stop() in order to make +ipvlan a workable option on masters that do not support unicast address +filtering. + +Fixes: 2ad7bf3638411 ("ipvlan: Initial check-in of the IPVLAN driver") +Reported-by: Per Sundstrom +Signed-off-by: Jiri Wiesner +Reviewed-by: Eric Dumazet +Acked-by: Mahesh Bandewar +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ipvlan/ipvlan_main.c | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +--- a/drivers/net/ipvlan/ipvlan_main.c ++++ b/drivers/net/ipvlan/ipvlan_main.c +@@ -164,7 +164,6 @@ static void ipvlan_uninit(struct net_dev + static int ipvlan_open(struct net_device *dev) + { + struct ipvl_dev *ipvlan = netdev_priv(dev); +- struct net_device *phy_dev = ipvlan->phy_dev; + struct ipvl_addr *addr; + + if (ipvlan->port->mode == IPVLAN_MODE_L3 || +@@ -178,7 +177,7 @@ static int ipvlan_open(struct net_device + ipvlan_ht_addr_add(ipvlan, addr); + rcu_read_unlock(); + +- return dev_uc_add(phy_dev, phy_dev->dev_addr); ++ return 0; + } + + static int ipvlan_stop(struct net_device *dev) +@@ -190,8 +189,6 @@ static int ipvlan_stop(struct net_device + dev_uc_unsync(phy_dev, dev); + dev_mc_unsync(phy_dev, dev); + +- dev_uc_del(phy_dev, phy_dev->dev_addr); +- + rcu_read_lock(); + list_for_each_entry_rcu(addr, &ipvlan->addrs, anode) + ipvlan_ht_addr_del(addr); diff --git a/queue-5.4/ipvlan-do-not-use-cond_resched_rcu-in-ipvlan_process_multicast.patch b/queue-5.4/ipvlan-do-not-use-cond_resched_rcu-in-ipvlan_process_multicast.patch new file mode 100644 index 00000000000..f08c90a67ec --- /dev/null +++ b/queue-5.4/ipvlan-do-not-use-cond_resched_rcu-in-ipvlan_process_multicast.patch 
@@ -0,0 +1,43 @@
+From foo@baz Sun 15 Mar 2020 09:33:48 AM CET
+From: Eric Dumazet
+Date: Mon, 9 Mar 2020 18:22:58 -0700
+Subject: ipvlan: do not use cond_resched_rcu() in ipvlan_process_multicast()
+
+From: Eric Dumazet
+
+[ Upstream commit afe207d80a61e4d6e7cfa0611a4af46d0ba95628 ]
+
+Commit e18b353f102e ("ipvlan: add cond_resched_rcu() while
+processing muticast backlog") added a cond_resched_rcu() in a loop
+using rcu protection to iterate over slaves.
+
+This is breaking rcu rules, so lets instead use cond_resched()
+at a point we can reschedule
+
+Fixes: e18b353f102e ("ipvlan: add cond_resched_rcu() while processing muticast backlog")
+Signed-off-by: Eric Dumazet
+Cc: Mahesh Bandewar
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ipvlan/ipvlan_core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ipvlan/ipvlan_core.c
++++ b/drivers/net/ipvlan/ipvlan_core.c
+@@ -277,7 +277,6 @@ void ipvlan_process_multicast(struct wor
+ }
+ ipvlan_count_rx(ipvlan, len, ret == NET_RX_SUCCESS, true);
+ local_bh_enable();
+- cond_resched_rcu();
+ }
+ rcu_read_unlock();
+
+@@ -294,6 +293,7 @@ void ipvlan_process_multicast(struct wor
+ }
+ if (dev)
+ dev_put(dev);
++ cond_resched();
+ }
+ }
+
diff --git a/queue-5.4/ipvlan-don-t-deref-eth-hdr-before-checking-it-s-set.patch b/queue-5.4/ipvlan-don-t-deref-eth-hdr-before-checking-it-s-set.patch
new file mode 100644
index 00000000000..6b410f36e4d
--- /dev/null
+++ b/queue-5.4/ipvlan-don-t-deref-eth-hdr-before-checking-it-s-set.patch
@@ -0,0 +1,54 @@
+From foo@baz Sun 15 Mar 2020 09:33:48 AM CET
+From: Mahesh Bandewar
+Date: Mon, 9 Mar 2020 15:56:56 -0700
+Subject: ipvlan: don't deref eth hdr before checking it's set
+
+From: Mahesh Bandewar
+
+[ Upstream commit ad8192767c9f9cf97da57b9ffcea70fb100febef ]
+
+IPvlan in L3 mode discards outbound multicast packets but performs
+the check before ensuring the ether-header is set or not. This is
+an error that Eric found through code browsing.
+
+Fixes: 2ad7bf363841 (“ipvlan: Initial check-in of the IPVLAN driver.”)
+Signed-off-by: Mahesh Bandewar
+Reported-by: Eric Dumazet
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ipvlan/ipvlan_core.c | 18 ++++++++++--------
+ 1 file changed, 10 insertions(+), 8 deletions(-)
+
+--- a/drivers/net/ipvlan/ipvlan_core.c
++++ b/drivers/net/ipvlan/ipvlan_core.c
+@@ -499,19 +499,21 @@ static int ipvlan_process_outbound(struc
+ struct ethhdr *ethh = eth_hdr(skb);
+ int ret = NET_XMIT_DROP;
+
+- /* In this mode we dont care about multicast and broadcast traffic */
+- if (is_multicast_ether_addr(ethh->h_dest)) {
+- pr_debug_ratelimited("Dropped {multi|broad}cast of type=[%x]\n",
+- ntohs(skb->protocol));
+- kfree_skb(skb);
+- goto out;
+- }
+-
+ /* The ipvlan is a pseudo-L2 device, so the packets that we receive
+ * will have L2; which need to discarded and processed further
+ * in the net-ns of the main-device.
+ */
+ if (skb_mac_header_was_set(skb)) {
++ /* In this mode we dont care about
++ * multicast and broadcast traffic */
++ if (is_multicast_ether_addr(ethh->h_dest)) {
++ pr_debug_ratelimited(
++ "Dropped {multi|broad}cast of type=[%x]\n",
++ ntohs(skb->protocol));
++ kfree_skb(skb);
++ goto out;
++ }
++
+ skb_pull(skb, sizeof(*ethh));
+ skb->mac_header = (typeof(skb->mac_header))~0U;
+ skb_reset_network_header(skb);
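Review bot: `struct ethhdr *ethh = eth_hdr(skb);` is still evaluated at the declaration in ipvlan_process_outbound(), before `skb_mac_header_was_set(skb)` is tested, so when the MAC header is unset ethh holds a pointer computed from an invalid offset. Nothing in the visible lines dereferences it on that path after this change, but a later edit could reintroduce the early access without any warning from the compiler. I would declare `struct ethhdr *ethh;` and make `ethh = eth_hdr(skb);` the first statement inside the `if (skb_mac_header_was_set(skb))` block. The function continues past the end of the hunk.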
diff --git a/queue-5.4/macsec-add-missing-attribute-validation-for-port.patch b/queue-5.4/macsec-add-missing-attribute-validation-for-port.patch
new file mode 100644
index 00000000000..7f6cc56d213
--- /dev/null
+++ b/queue-5.4/macsec-add-missing-attribute-validation-for-port.patch
@@ -0,0 +1,30 @@
+From foo@baz Sun 15 Mar 2020 09:33:48 AM CET
+From: Jakub Kicinski
+Date: Mon, 2 Mar 2020 21:05:17 -0800
+Subject: macsec: add missing attribute validation for port
+
+From: Jakub Kicinski
+
+[ Upstream commit 31d9a1c524964bac77b7f9d0a1ac140dc6b57461 ]
+
+Add missing attribute validation for IFLA_MACSEC_PORT
+to the netlink policy.
+
+Fixes: c09440f7dcb3 ("macsec: introduce IEEE 802.1AE driver")
+Signed-off-by: Jakub Kicinski
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/macsec.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/macsec.c
++++ b/drivers/net/macsec.c
+@@ -2983,6 +2983,7 @@ static const struct device_type macsec_t
+
+ static const struct nla_policy macsec_rtnl_policy[IFLA_MACSEC_MAX + 1] = {
+ [IFLA_MACSEC_SCI] = { .type = NLA_U64 },
++ [IFLA_MACSEC_PORT] = { .type = NLA_U16 },
+ [IFLA_MACSEC_ICV_LEN] = { .type = NLA_U8 },
+ [IFLA_MACSEC_CIPHER_SUITE] = { .type = NLA_U64 },
+ [IFLA_MACSEC_WINDOW] = { .type = NLA_U32 },
diff --git a/queue-5.4/macvlan-add-cond_resched-during-multicast-processing.patch b/queue-5.4/macvlan-add-cond_resched-during-multicast-processing.patch
new file mode 100644
index 00000000000..99fe50f44f4
--- /dev/null
+++ b/queue-5.4/macvlan-add-cond_resched-during-multicast-processing.patch
@@ -0,0 +1,40 @@
+From foo@baz Sun 15 Mar 2020 09:33:48 AM CET
+From: Mahesh Bandewar
+Date: Mon, 9 Mar 2020 15:57:07 -0700
+Subject: macvlan: add cond_resched() during multicast processing
+
+From: Mahesh Bandewar
+
+[ Upstream commit ce9a4186f9ac475c415ffd20348176a4ea366670 ]
+
+The Rx bound multicast packets are deferred to a workqueue and
+macvlan can also suffer from the same attack that was discovered
+by Syzbot for IPvlan. This solution is not as effective as in
+IPvlan. IPvlan defers all (Tx and Rx) multicast packet processing
+to a workqueue while macvlan does this way only for the Rx. This
+fix should address the Rx codition to certain extent.
+
+Tx is still suseptible. Tx multicast processing happens when
+.ndo_start_xmit is called, hence we cannot add cond_resched().
+However, it's not that severe since the user which is generating
+ / flooding will be affected the most.
+
+Fixes: 412ca1550cbe ("macvlan: Move broadcasts into a work queue")
+Signed-off-by: Mahesh Bandewar
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/macvlan.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/macvlan.c
++++ b/drivers/net/macvlan.c
+@@ -334,6 +334,8 @@ static void macvlan_process_broadcast(st
+ if (src)
+ dev_put(src->dev);
+ consume_skb(skb);
++
++ cond_resched();
+ }
+ }
+
diff --git a/queue-5.4/net-dsa-don-t-instantiate-phylink-for-cpu-dsa-ports-unless-needed.patch b/queue-5.4/net-dsa-don-t-instantiate-phylink-for-cpu-dsa-ports-unless-needed.patch
new file mode 100644
index 00000000000..8a19200535a
--- /dev/null
+++ b/queue-5.4/net-dsa-don-t-instantiate-phylink-for-cpu-dsa-ports-unless-needed.patch
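Review bot: The bare `cond_resched();` added at the end of the loop body in macvlan_process_broadcast() carries no comment, although the commit message describes it as a mitigation against multicast floods and states that the transmit path stays exposed. A line such as `/* Yield between packets: an Rx multicast flood can keep this worker busy; the Tx path is not covered. */` would keep that limit visible to whoever touches the loop next. The loop header is outside the hunk.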
@@ -0,0 +1,63 @@
+From foo@baz Sun 15 Mar 2020 09:33:48 AM CET
+From: Andrew Lunn
+Date: Wed, 11 Mar 2020 16:24:24 +0100
+Subject: net: dsa: Don't instantiate phylink for CPU/DSA ports unless needed
+
+From: Andrew Lunn
+
+[ Upstream commit a20f997010c4ec76eaa55b8cc047d76dcac69f70 ]
+
+By default, DSA drivers should configure CPU and DSA ports to their
+maximum speed. In many configurations this is sufficient to make the
+link work.
+
+In some cases it is necessary to configure the link to run slower,
+e.g. because of limitations of the SoC it is connected to. Or back to
+back PHYs are used and the PHY needs to be driven in order to
+establish link. In this case, phylink is used.
+
+Only instantiate phylink if it is required. If there is no PHY, or no
+fixed link properties, phylink can upset a link which works in the
+default configuration.
+
+Fixes: 0e27921816ad ("net: dsa: Use PHYLINK for the CPU/DSA ports")
+Signed-off-by: Andrew Lunn
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/dsa/port.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+--- a/net/dsa/port.c
++++ b/net/dsa/port.c
+@@ -649,9 +649,14 @@ err_phy_connect:
+ int dsa_port_link_register_of(struct dsa_port *dp)
+ {
+ struct dsa_switch *ds = dp->ds;
++ struct device_node *phy_np;
+
+- if (!ds->ops->adjust_link)
+- return dsa_port_phylink_register(dp);
++ if (!ds->ops->adjust_link) {
++ phy_np = of_parse_phandle(dp->dn, "phy-handle", 0);
++ if (of_phy_is_fixed_link(dp->dn) || phy_np)
++ return dsa_port_phylink_register(dp);
++ return 0;
++ }
+
+ dev_warn(ds->dev,
+ "Using legacy PHYLIB callbacks. Please migrate to PHYLINK!\n");
+@@ -666,11 +671,12 @@ void dsa_port_link_unregister_of(struct
+ {
+ struct dsa_switch *ds = dp->ds;
+
+- if (!ds->ops->adjust_link) {
++ if (!ds->ops->adjust_link && dp->pl) {
+ rtnl_lock();
+ phylink_disconnect_phy(dp->pl);
+ rtnl_unlock();
+ phylink_destroy(dp->pl);
++ dp->pl = NULL;
+ return;
+ }
+
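Review bot: The node returned by `of_parse_phandle(dp->dn, "phy-handle", 0)` in dsa_port_link_register_of() is never released, so each call that finds a phy-handle leaks a device_node reference. `phy_np` is used only as a presence test, so dropping the reference right after the test is enough: brace the body of `if (of_phy_is_fixed_link(dp->dn) || phy_np)` and call `of_node_put(phy_np);` before `return dsa_port_phylink_register(dp);`. of_node_put() accepts NULL, so the fixed-link case needs no extra check.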
diff --git a/queue-5.4/net-dsa-fix-phylink_start-phylink_stop-calls.patch b/queue-5.4/net-dsa-fix-phylink_start-phylink_stop-calls.patch
new file mode 100644
index 00000000000..620cb7f49ff
--- /dev/null
+++ b/queue-5.4/net-dsa-fix-phylink_start-phylink_stop-calls.patch
@@ -0,0 +1,133 @@ +From foo@baz Sun 15 Mar 2020 09:33:48 AM CET +From: Russell King +Date: Tue, 3 Mar 2020 15:01:46 +0000 +Subject: net: dsa: fix phylink_start()/phylink_stop() calls + +From: Russell King + +[ Upstream commit 8640f8dc6d657ebfb4e67c202ad32c5457858a13 ] + +Place phylink_start()/phylink_stop() inside dsa_port_enable() and +dsa_port_disable(), which ensures that we call phylink_stop() before +tearing down phylink - which is a documented requirement. Failure +to do so can cause use-after-free bugs. + +Fixes: 0e27921816ad ("net: dsa: Use PHYLINK for the CPU/DSA ports") +Signed-off-by: Russell King +Reviewed-by: Andrew Lunn +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/dsa/dsa_priv.h | 2 ++ + net/dsa/port.c | 32 ++++++++++++++++++++++++++------ + net/dsa/slave.c | 8 ++------ + 3 files changed, 30 insertions(+), 12 deletions(-) + +--- a/net/dsa/dsa_priv.h ++++ b/net/dsa/dsa_priv.h +@@ -128,7 +128,9 @@ static inline struct net_device *dsa_mas + /* port.c */ + int dsa_port_set_state(struct dsa_port *dp, u8 state, + struct switchdev_trans *trans); ++int dsa_port_enable_rt(struct dsa_port *dp, struct phy_device *phy); + int dsa_port_enable(struct dsa_port *dp, struct phy_device *phy); ++void dsa_port_disable_rt(struct dsa_port *dp); + void dsa_port_disable(struct dsa_port *dp); + int dsa_port_bridge_join(struct dsa_port *dp, struct net_device *br); + void dsa_port_bridge_leave(struct dsa_port *dp, struct net_device *br); +--- a/net/dsa/port.c ++++ b/net/dsa/port.c +@@ -63,7 +63,7 @@ static void dsa_port_set_state_now(struc + pr_err("DSA: failed to set STP state %u (%d)\n", state, err); + } + +-int dsa_port_enable(struct dsa_port *dp, struct phy_device *phy) ++int dsa_port_enable_rt(struct dsa_port *dp, struct phy_device *phy) + { + struct dsa_switch *ds = dp->ds; + int port = dp->index; +@@ -78,14 +78,31 @@ int dsa_port_enable(struct dsa_port *dp, + if (!dp->bridge_dev) + dsa_port_set_state_now(dp, BR_STATE_FORWARDING); + ++ if 
(dp->pl) ++ phylink_start(dp->pl); ++ + return 0; + } + +-void dsa_port_disable(struct dsa_port *dp) ++int dsa_port_enable(struct dsa_port *dp, struct phy_device *phy) ++{ ++ int err; ++ ++ rtnl_lock(); ++ err = dsa_port_enable_rt(dp, phy); ++ rtnl_unlock(); ++ ++ return err; ++} ++ ++void dsa_port_disable_rt(struct dsa_port *dp) + { + struct dsa_switch *ds = dp->ds; + int port = dp->index; + ++ if (dp->pl) ++ phylink_stop(dp->pl); ++ + if (!dp->bridge_dev) + dsa_port_set_state_now(dp, BR_STATE_DISABLED); + +@@ -93,6 +110,13 @@ void dsa_port_disable(struct dsa_port *d + ds->ops->port_disable(ds, port); + } + ++void dsa_port_disable(struct dsa_port *dp) ++{ ++ rtnl_lock(); ++ dsa_port_disable_rt(dp); ++ rtnl_unlock(); ++} ++ + int dsa_port_bridge_join(struct dsa_port *dp, struct net_device *br) + { + struct dsa_notifier_bridge_info info = { +@@ -615,10 +639,6 @@ static int dsa_port_phylink_register(str + goto err_phy_connect; + } + +- rtnl_lock(); +- phylink_start(dp->pl); +- rtnl_unlock(); +- + return 0; + + err_phy_connect: +--- a/net/dsa/slave.c ++++ b/net/dsa/slave.c +@@ -90,12 +90,10 @@ static int dsa_slave_open(struct net_dev + goto clear_allmulti; + } + +- err = dsa_port_enable(dp, dev->phydev); ++ err = dsa_port_enable_rt(dp, dev->phydev); + if (err) + goto clear_promisc; + +- phylink_start(dp->pl); +- + return 0; + + clear_promisc: +@@ -119,9 +117,7 @@ static int dsa_slave_close(struct net_de + cancel_work_sync(&dp->xmit_work); + skb_queue_purge(&dp->xmit_queue); + +- phylink_stop(dp->pl); +- +- dsa_port_disable(dp); ++ dsa_port_disable_rt(dp); + + dev_mc_unsync(master, dev); + dev_uc_unsync(master, dev); diff --git a/queue-5.4/net-dsa-mv88e6xxx-fix-lockup-on-warm-boot.patch b/queue-5.4/net-dsa-mv88e6xxx-fix-lockup-on-warm-boot.patch new file mode 100644 index 00000000000..a0f02494f28 --- /dev/null +++ b/queue-5.4/net-dsa-mv88e6xxx-fix-lockup-on-warm-boot.patch 
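Review bot: dsa_port_enable_rt() and dsa_port_disable_rt() in net/dsa/port.c rely on the caller holding RTNL, but nothing in the new code states or checks that, and phylink_start()/phylink_stop() are reached only when `dp->pl` is set, so an unlocked caller on a port without a phylink instance would go unnoticed. I would put `ASSERT_RTNL();` at the top of both _rt functions and a comment on the two new prototypes in dsa_priv.h, e.g. `/* _rt variants: caller holds rtnl_lock */`. dsa_port_enable() and dsa_port_disable() now take RTNL themselves, so any caller that already runs under it would deadlock; those call sites are outside these hunks and are worth checking against the 5.4 tree.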
@@ -0,0 +1,53 @@
+From foo@baz Sun 15 Mar 2020 09:33:48 AM CET
+From: Russell King
+Date: Fri, 28 Feb 2020 19:39:41 +0000
+Subject: net: dsa: mv88e6xxx: fix lockup on warm boot
+
+From: Russell King
+
+[ Upstream commit 0395823b8d9a4d87bd1bf74359123461c2ae801b ]
+
+If the switch is not hardware reset on a warm boot, interrupts can be
+left enabled, and possibly pending. This will cause us to enter an
+infinite loop trying to service an interrupt we are unable to handle,
+thereby preventing the kernel from booting.
+
+Ensure that the global 2 interrupt sources are disabled before we claim
+the parent interrupt.
+
+Observed on the ZII development revision B and C platforms with
+reworked serdes support, and using reboot -f to reboot the platform.
+
+Fixes: dc30c35be720 ("net: dsa: mv88e6xxx: Implement interrupt support.")
+Signed-off-by: Russell King
+Reviewed-by: Andrew Lunn
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/dsa/mv88e6xxx/global2.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/dsa/mv88e6xxx/global2.c
++++ b/drivers/net/dsa/mv88e6xxx/global2.c
+@@ -1083,6 +1083,13 @@ int mv88e6xxx_g2_irq_setup(struct mv88e6
+ {
+ int err, irq, virq;
+
++ chip->g2_irq.masked = ~0;
++ mv88e6xxx_reg_lock(chip);
++ err = mv88e6xxx_g2_int_mask(chip, ~chip->g2_irq.masked);
++ mv88e6xxx_reg_unlock(chip);
++ if (err)
++ return err;
++
+ chip->g2_irq.domain = irq_domain_add_simple(
+ chip->dev->of_node, 16, 0, &mv88e6xxx_g2_irq_domain_ops, chip);
+ if (!chip->g2_irq.domain)
+@@ -1092,7 +1099,6 @@ int mv88e6xxx_g2_irq_setup(struct mv88e6
+ irq_create_mapping(chip->g2_irq.domain, irq);
+
+ chip->g2_irq.chip = mv88e6xxx_g2_irq_chip;
+- chip->g2_irq.masked = ~0;
+
+ chip->device_irq = irq_find_mapping(chip->g1_irq.domain,
+ MV88E6XXX_G1_STS_IRQ_DEVICE);
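Review bot: The masking sequence added at the top of mv88e6xxx_g2_irq_setup() passes `~chip->g2_irq.masked` immediately after `masked` is set to `~0`, which reads as a computation but always hands 0 to mv88e6xxx_g2_int_mask(). A comment would make the intent and the ordering constraint explicit, e.g. `/* mask all G2 sources before the parent IRQ is claimed: they may be left enabled across a warm boot */`. The rest of the function, including the request of the parent interrupt, is outside the hunk.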
diff --git a/queue-5.4/net-fec-validate-the-new-settings-in-fec_enet_set_coalesce.patch b/queue-5.4/net-fec-validate-the-new-settings-in-fec_enet_set_coalesce.patch
new file mode 100644
index 00000000000..70019e7e270
--- /dev/null
+++ b/queue-5.4/net-fec-validate-the-new-settings-in-fec_enet_set_coalesce.patch
@@ -0,0 +1,46 @@
+From foo@baz Sun 15 Mar 2020 09:33:48 AM CET
+From: Jakub Kicinski
+Date: Tue, 10 Mar 2020 20:36:16 -0700
+Subject: net: fec: validate the new settings in fec_enet_set_coalesce()
+
+From: Jakub Kicinski
+
+[ Upstream commit ab14961d10d02d20767612c78ce148f6eb85bd58 ]
+
+fec_enet_set_coalesce() validates the previously set params
+and if they are within range proceeds to apply the new ones.
+The new ones, however, are not validated. This seems backwards,
+probably a copy-paste error?
+
+Compile tested only.
+
+Fixes: d851b47b22fc ("net: fec: add interrupt coalescence feature support")
+Signed-off-by: Jakub Kicinski
+Acked-by: Fugang Duan
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/freescale/fec_main.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/freescale/fec_main.c
++++ b/drivers/net/ethernet/freescale/fec_main.c
+@@ -2529,15 +2529,15 @@ fec_enet_set_coalesce(struct net_device
+ return -EINVAL;
+ }
+
+- cycle = fec_enet_us_to_itr_clock(ndev, fep->rx_time_itr);
++ cycle = fec_enet_us_to_itr_clock(ndev, ec->rx_coalesce_usecs);
+ if (cycle > 0xFFFF) {
+ dev_err(dev, "Rx coalesced usec exceed hardware limitation\n");
+ return -EINVAL;
+ }
+
+- cycle = fec_enet_us_to_itr_clock(ndev, fep->tx_time_itr);
++ cycle = fec_enet_us_to_itr_clock(ndev, ec->tx_coalesce_usecs);
+ if (cycle > 0xFFFF) {
+- dev_err(dev, "Rx coalesced usec exceed hardware limitation\n");
++ dev_err(dev, "Tx coalesced usec exceed hardware limitation\n");
+ return -EINVAL;
+ }
+
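Review bot: The two range checks in fec_enet_set_coalesce() now run on `ec->rx_coalesce_usecs` and `ec->tx_coalesce_usecs`, which come from the ethtool request, and the `cycle > 0xFFFF` test is only sound if fec_enet_us_to_itr_clock() cannot wrap for large inputs. The helper and the type of `cycle` are outside the hunk; if the conversion multiplies in a 32-bit int, a very large usecs value could wrap to a small `cycle` and pass both checks. This should be confirmed on the 5.4 tree, and if it holds the usecs values should be bounded before the conversion; at minimum a comment such as `/* user-supplied: the conversion must not wrap before the 0xFFFF check */` belongs above the first call.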
diff --git a/queue-5.4/net-fq-add-missing-attribute-validation-for-orphan-mask.patch b/queue-5.4/net-fq-add-missing-attribute-validation-for-orphan-mask.patch
new file mode 100644
index 00000000000..2c969522668
--- /dev/null
+++ b/queue-5.4/net-fq-add-missing-attribute-validation-for-orphan-mask.patch
@@ -0,0 +1,30 @@
+From foo@baz Sun 15 Mar 2020 09:33:48 AM CET
+From: Jakub Kicinski
+Date: Mon, 2 Mar 2020 21:05:19 -0800
+Subject: net: fq: add missing attribute validation for orphan mask
+
+From: Jakub Kicinski
+
+[ Upstream commit 7e6dc03eeb023e18427a373522f1d247b916a641 ]
+
+Add missing attribute validation for TCA_FQ_ORPHAN_MASK
+to the netlink policy.
+
+Fixes: 06eb395fa985 ("pkt_sched: fq: better control of DDOS traffic")
+Signed-off-by: Jakub Kicinski
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/sched/sch_fq.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/sched/sch_fq.c
++++ b/net/sched/sch_fq.c
+@@ -745,6 +745,7 @@ static const struct nla_policy fq_policy
+ [TCA_FQ_FLOW_MAX_RATE] = { .type = NLA_U32 },
+ [TCA_FQ_BUCKETS_LOG] = { .type = NLA_U32 },
+ [TCA_FQ_FLOW_REFILL_DELAY] = { .type = NLA_U32 },
++ [TCA_FQ_ORPHAN_MASK] = { .type = NLA_U32 },
+ [TCA_FQ_LOW_RATE_THRESHOLD] = { .type = NLA_U32 },
+ [TCA_FQ_CE_THRESHOLD] = { .type = NLA_U32 },
+ };
diff --git a/queue-5.4/net-hns3-fix-a-not-link-up-issue-when-fibre-port-supports-autoneg.patch b/queue-5.4/net-hns3-fix-a-not-link-up-issue-when-fibre-port-supports-autoneg.patch
new file mode 100644
index 00000000000..925bd145f61
--- /dev/null
+++ b/queue-5.4/net-hns3-fix-a-not-link-up-issue-when-fibre-port-supports-autoneg.patch
@@ -0,0 +1,51 @@
+From foo@baz Sun 15 Mar 2020 09:33:48 AM CET
+From: Jian Shen
+Date: Thu, 5 Mar 2020 09:47:53 +0800
+Subject: net: hns3: fix a not link up issue when fibre port supports autoneg
+
+From: Jian Shen
+
+[ Upstream commit 68e1006f618e509fc7869259fe83ceec4a95dac3 ]
+
+When fibre port supports auto-negotiation, the IMP(Intelligent
+Management Process) processes the speed of auto-negotiation
+and the user's speed separately.
+For below case, the port will get a not link up problem.
+step 1: disables auto-negotiation and sets speed to A, then
+the driver's MAC speed will be updated to A.
+step 2: enables auto-negotiation and MAC gets negotiated
+speed B, then the driver's MAC speed will be updated to B
+through querying in periodical task.
+step 3: MAC gets new negotiated speed A.
+step 4: disables auto-negotiation and sets speed to B before
+periodical task query new MAC speed A, the driver will ignore
+the speed configuration.
+
+This patch fixes it by skipping speed and duplex checking when
+fibre port supports auto-negotiation.
+
+Fixes: 22f48e24a23d ("net: hns3: add autoneg and change speed support for fibre port")
+Signed-off-by: Jian Shen
+Signed-off-by: Huazhong Tan
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
+@@ -2417,10 +2417,12 @@ static int hclge_cfg_mac_speed_dup_hw(st
+
+ int hclge_cfg_mac_speed_dup(struct hclge_dev *hdev, int speed, u8 duplex)
+ {
++ struct hclge_mac *mac = &hdev->hw.mac;
+ int ret;
+
+ duplex = hclge_check_speed_dup(duplex, speed);
+- if (hdev->hw.mac.speed == speed && hdev->hw.mac.duplex == duplex)
++ if (!mac->support_autoneg && mac->speed == speed &&
++ mac->duplex == duplex)
+ return 0;
+
+ ret = hclge_cfg_mac_speed_dup_hw(hdev, speed, duplex);
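Review bot: With `!mac->support_autoneg` added to the early-return test in hclge_cfg_mac_speed_dup(), a port that supports autoneg now reprograms the MAC on every call, even when speed and duplex are unchanged, and the code does not say why. A comment above the test would keep a later cleanup from restoring the shortcut, e.g. `/* autoneg-capable ports: the cached speed may lag the negotiated one, so always write the hardware */`. Whether the repeated hclge_cfg_mac_speed_dup_hw() call is acceptable on every caller's path is not visible from this hunk, and the function body continues past it.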
diff --git a/queue-5.4/net-ipv6-need-update-peer-route-when-modify-metric.patch b/queue-5.4/net-ipv6-need-update-peer-route-when-modify-metric.patch
new file mode 100644
index 00000000000..249b761469a
--- /dev/null
+++ b/queue-5.4/net-ipv6-need-update-peer-route-when-modify-metric.patch
@@ -0,0 +1,90 @@ +From foo@baz Sun 15 Mar 2020 09:33:48 AM CET +From: Hangbin Liu +Date: Tue, 3 Mar 2020 14:37:34 +0800 +Subject: net/ipv6: need update peer route when modify metric + +From: Hangbin Liu + +[ Upstream commit 617940123e0140521f3080d2befc2bf55bcda094 ] + +When we modify the route metric, the peer address's route need also +be updated. Before the fix: + ++ ip addr add dev dummy1 2001:db8::1 peer 2001:db8::2 metric 60 ++ ip -6 route show dev dummy1 +2001:db8::1 proto kernel metric 60 pref medium +2001:db8::2 proto kernel metric 60 pref medium ++ ip addr change dev dummy1 2001:db8::1 peer 2001:db8::2 metric 61 ++ ip -6 route show dev dummy1 +2001:db8::1 proto kernel metric 61 pref medium +2001:db8::2 proto kernel metric 60 pref medium + +After the fix: ++ ip addr change dev dummy1 2001:db8::1 peer 2001:db8::2 metric 61 ++ ip -6 route show dev dummy1 +2001:db8::1 proto kernel metric 61 pref medium +2001:db8::2 proto kernel metric 61 pref medium + +Fixes: 8308f3ff1753 ("net/ipv6: Add support for specifying metric of connected routes") +Signed-off-by: Hangbin Liu +Reviewed-by: David Ahern +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/addrconf.c | 20 ++++++++++++++++---- + 1 file changed, 16 insertions(+), 4 deletions(-) + +--- a/net/ipv6/addrconf.c ++++ b/net/ipv6/addrconf.c +@@ -4590,12 +4590,14 @@ inet6_rtm_deladdr(struct sk_buff *skb, s + } + + static int modify_prefix_route(struct inet6_ifaddr *ifp, +- unsigned long expires, u32 flags) ++ unsigned long expires, u32 flags, ++ bool modify_peer) + { + struct fib6_info *f6i; + u32 prio; + +- f6i = addrconf_get_prefix_route(&ifp->addr, ifp->prefix_len, ++ f6i = addrconf_get_prefix_route(modify_peer ? 
&ifp->peer_addr : &ifp->addr, ++ ifp->prefix_len, + ifp->idev->dev, 0, RTF_DEFAULT, true); + if (!f6i) + return -ENOENT; +@@ -4606,7 +4608,8 @@ static int modify_prefix_route(struct in + ip6_del_rt(dev_net(ifp->idev->dev), f6i); + + /* add new one */ +- addrconf_prefix_route(&ifp->addr, ifp->prefix_len, ++ addrconf_prefix_route(modify_peer ? &ifp->peer_addr : &ifp->addr, ++ ifp->prefix_len, + ifp->rt_priority, ifp->idev->dev, + expires, flags, GFP_KERNEL); + } else { +@@ -4682,7 +4685,7 @@ static int inet6_addr_modify(struct inet + int rc = -ENOENT; + + if (had_prefixroute) +- rc = modify_prefix_route(ifp, expires, flags); ++ rc = modify_prefix_route(ifp, expires, flags, false); + + /* prefix route could have been deleted; if so restore it */ + if (rc == -ENOENT) { +@@ -4690,6 +4693,15 @@ static int inet6_addr_modify(struct inet + ifp->rt_priority, ifp->idev->dev, + expires, flags, GFP_KERNEL); + } ++ ++ if (had_prefixroute && !ipv6_addr_any(&ifp->peer_addr)) ++ rc = modify_prefix_route(ifp, expires, flags, true); ++ ++ if (rc == -ENOENT && !ipv6_addr_any(&ifp->peer_addr)) { ++ addrconf_prefix_route(&ifp->peer_addr, ifp->prefix_len, ++ ifp->rt_priority, ifp->idev->dev, ++ expires, flags, GFP_KERNEL); ++ } + } else if (had_prefixroute) { + enum cleanup_prefix_rt_t action; + unsigned long rt_expires; diff --git a/queue-5.4/net-ipv6-remove-the-old-peer-route-if-change-it-to-a-new-one.patch b/queue-5.4/net-ipv6-remove-the-old-peer-route-if-change-it-to-a-new-one.patch new file mode 100644 index 00000000000..f2d3ca5ba50 --- /dev/null +++ b/queue-5.4/net-ipv6-remove-the-old-peer-route-if-change-it-to-a-new-one.patch 
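Review bot: modify_prefix_route() looks up and re-adds the peer route with `ifp->prefix_len`, while the path that first installs it in __ipv6_ifa_notify() (net-ipv6-use-configured-metric-when-add-peer-route.patch in this queue) uses a fixed 128. If an address is configured with a peer and a prefix length other than 128, the lookup here would presumably miss, and the -ENOENT fallback in inet6_addr_modify() would add a second route instead of updating the first; this needs confirming on the 5.4 tree. If it holds, the peer branch should pass the host length, e.g. `modify_peer ? 128 : ifp->prefix_len`, in both the lookup and the re-add. Both functions continue outside the hunks.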
@@ -0,0 +1,106 @@ +From foo@baz Sun 15 Mar 2020 09:33:48 AM CET +From: Hangbin Liu +Date: Tue, 3 Mar 2020 14:37:35 +0800 +Subject: net/ipv6: remove the old peer route if change it to a new one + +From: Hangbin Liu + +[ Upstream commit d0098e4c6b83e502cc1cd96d67ca86bc79a6c559 ] + +When we modify the peer route and changed it to a new one, we should +remove the old route first. Before the fix: + ++ ip addr add dev dummy1 2001:db8::1 peer 2001:db8::2 ++ ip -6 route show dev dummy1 +2001:db8::1 proto kernel metric 256 pref medium +2001:db8::2 proto kernel metric 256 pref medium ++ ip addr change dev dummy1 2001:db8::1 peer 2001:db8::3 ++ ip -6 route show dev dummy1 +2001:db8::1 proto kernel metric 256 pref medium +2001:db8::2 proto kernel metric 256 pref medium + +After the fix: ++ ip addr change dev dummy1 2001:db8::1 peer 2001:db8::3 ++ ip -6 route show dev dummy1 +2001:db8::1 proto kernel metric 256 pref medium +2001:db8::3 proto kernel metric 256 pref medium + +This patch depend on the previous patch "net/ipv6: need update peer route +when modify metric" to update new peer route after delete old one. + +Signed-off-by: Hangbin Liu +Reviewed-by: David Ahern +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/addrconf.c | 21 +++++++++++++++++---- + 1 file changed, 17 insertions(+), 4 deletions(-) + +--- a/net/ipv6/addrconf.c ++++ b/net/ipv6/addrconf.c +@@ -1226,11 +1226,13 @@ check_cleanup_prefix_route(struct inet6_ + } + + static void +-cleanup_prefix_route(struct inet6_ifaddr *ifp, unsigned long expires, bool del_rt) ++cleanup_prefix_route(struct inet6_ifaddr *ifp, unsigned long expires, ++ bool del_rt, bool del_peer) + { + struct fib6_info *f6i; + +- f6i = addrconf_get_prefix_route(&ifp->addr, ifp->prefix_len, ++ f6i = addrconf_get_prefix_route(del_peer ? 
&ifp->peer_addr : &ifp->addr, ++ ifp->prefix_len, + ifp->idev->dev, 0, RTF_DEFAULT, true); + if (f6i) { + if (del_rt) +@@ -1293,7 +1295,7 @@ static void ipv6_del_addr(struct inet6_i + + if (action != CLEANUP_PREFIX_RT_NOP) { + cleanup_prefix_route(ifp, expires, +- action == CLEANUP_PREFIX_RT_DEL); ++ action == CLEANUP_PREFIX_RT_DEL, false); + } + + /* clean up prefsrc entries */ +@@ -4631,6 +4633,7 @@ static int inet6_addr_modify(struct inet + unsigned long timeout; + bool was_managetempaddr; + bool had_prefixroute; ++ bool new_peer = false; + + ASSERT_RTNL(); + +@@ -4662,6 +4665,13 @@ static int inet6_addr_modify(struct inet + cfg->preferred_lft = timeout; + } + ++ if (cfg->peer_pfx && ++ memcmp(&ifp->peer_addr, cfg->peer_pfx, sizeof(struct in6_addr))) { ++ if (!ipv6_addr_any(&ifp->peer_addr)) ++ cleanup_prefix_route(ifp, expires, true, true); ++ new_peer = true; ++ } ++ + spin_lock_bh(&ifp->lock); + was_managetempaddr = ifp->flags & IFA_F_MANAGETEMPADDR; + had_prefixroute = ifp->flags & IFA_F_PERMANENT && +@@ -4677,6 +4687,9 @@ static int inet6_addr_modify(struct inet + if (cfg->rt_priority && cfg->rt_priority != ifp->rt_priority) + ifp->rt_priority = cfg->rt_priority; + ++ if (new_peer) ++ ifp->peer_addr = *cfg->peer_pfx; ++ + spin_unlock_bh(&ifp->lock); + if (!(ifp->flags&IFA_F_TENTATIVE)) + ipv6_ifa_notify(0, ifp); +@@ -4712,7 +4725,7 @@ static int inet6_addr_modify(struct inet + + if (action != CLEANUP_PREFIX_RT_NOP) { + cleanup_prefix_route(ifp, rt_expires, +- action == CLEANUP_PREFIX_RT_DEL); ++ action == CLEANUP_PREFIX_RT_DEL, false); + } + } + diff --git a/queue-5.4/net-ipv6-use-configured-metric-when-add-peer-route.patch b/queue-5.4/net-ipv6-use-configured-metric-when-add-peer-route.patch new file mode 100644 index 00000000000..aaaf9101f28 --- /dev/null +++ b/queue-5.4/net-ipv6-use-configured-metric-when-add-peer-route.patch 
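Review bot: The peer-change test in inet6_addr_modify() open-codes the address comparison as `memcmp(&ifp->peer_addr, cfg->peer_pfx, sizeof(struct in6_addr))`; the kernel helper reads better next to the `ipv6_addr_any()` call on the following line: `!ipv6_addr_equal(&ifp->peer_addr, cfg->peer_pfx)`. In the same block `ifp->peer_addr` is read, and cleanup_prefix_route() is called on it, before `spin_lock_bh(&ifp->lock)` is taken, while the new value is stored under that lock further down. The ASSERT_RTNL() visible in the function suggests writers are serialised by RTNL, and a short comment saying so would make the unlocked read defensible. inet6_addr_modify() starts and ends outside these hunks.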
@@ -0,0 +1,47 @@ +From foo@baz Sun 15 Mar 2020 09:33:48 AM CET +From: Hangbin Liu +Date: Sat, 29 Feb 2020 17:27:13 +0800 +Subject: net/ipv6: use configured metric when add peer route + +From: Hangbin Liu + +[ Upstream commit 07758eb9ff52794fba15d03aa88d92dbd1b7d125 ] + +When we add peer address with metric configured, IPv4 could set the dest +metric correctly, but IPv6 do not. e.g. + +]# ip addr add 192.0.2.1 peer 192.0.2.2/32 dev eth1 metric 20 +]# ip route show dev eth1 +192.0.2.2 proto kernel scope link src 192.0.2.1 metric 20 +]# ip addr add 2001:db8::1 peer 2001:db8::2/128 dev eth1 metric 20 +]# ip -6 route show dev eth1 +2001:db8::1 proto kernel metric 20 pref medium +2001:db8::2 proto kernel metric 256 pref medium + +Fix this by using configured metric instead of default one. + +Reported-by: Jianlin Shi +Fixes: 8308f3ff1753 ("net/ipv6: Add support for specifying metric of connected routes") +Reviewed-by: David Ahern +Signed-off-by: Hangbin Liu +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/addrconf.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/net/ipv6/addrconf.c ++++ b/net/ipv6/addrconf.c +@@ -5988,9 +5988,9 @@ static void __ipv6_ifa_notify(int event, + if (ifp->idev->cnf.forwarding) + addrconf_join_anycast(ifp); + if (!ipv6_addr_any(&ifp->peer_addr)) +- addrconf_prefix_route(&ifp->peer_addr, 128, 0, +- ifp->idev->dev, 0, 0, +- GFP_ATOMIC); ++ addrconf_prefix_route(&ifp->peer_addr, 128, ++ ifp->rt_priority, ifp->idev->dev, ++ 0, 0, GFP_ATOMIC); + break; + case RTM_DELADDR: + if (ifp->idev->cnf.forwarding) diff --git a/queue-5.4/net-macsec-update-sci-upon-mac-address-change.patch b/queue-5.4/net-macsec-update-sci-upon-mac-address-change.patch new file mode 100644 index 00000000000..a62a5ee039b --- /dev/null +++ b/queue-5.4/net-macsec-update-sci-upon-mac-address-change.patch 
@@ -0,0 +1,55 @@ +From foo@baz Sun 15 Mar 2020 09:33:48 AM CET +From: Dmitry Bogdanov +Date: Tue, 10 Mar 2020 18:22:24 +0300 +Subject: net: macsec: update SCI upon MAC address change. + +From: Dmitry Bogdanov + +[ Upstream commit 6fc498bc82929ee23aa2f35a828c6178dfd3f823 ] + +SCI should be updated, because it contains MAC in its first 6 octets. + +Fixes: c09440f7dcb3 ("macsec: introduce IEEE 802.1AE driver") +Signed-off-by: Dmitry Bogdanov +Signed-off-by: Mark Starovoytov +Signed-off-by: Igor Russkikh +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/macsec.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +--- a/drivers/net/macsec.c ++++ b/drivers/net/macsec.c +@@ -2882,6 +2882,11 @@ static void macsec_dev_set_rx_mode(struc + dev_uc_sync(real_dev, dev); + } + ++static sci_t dev_to_sci(struct net_device *dev, __be16 port) ++{ ++ return make_sci(dev->dev_addr, port); ++} ++ + static int macsec_set_mac_address(struct net_device *dev, void *p) + { + struct macsec_dev *macsec = macsec_priv(dev); +@@ -2903,6 +2908,7 @@ static int macsec_set_mac_address(struct + + out: + ether_addr_copy(dev->dev_addr, addr->sa_data); ++ macsec->secy.sci = dev_to_sci(dev, MACSEC_PORT_ES); + return 0; + } + +@@ -3176,11 +3182,6 @@ static bool sci_exists(struct net_device + return false; + } + +-static sci_t dev_to_sci(struct net_device *dev, __be16 port) +-{ +- return make_sci(dev->dev_addr, port); +-} +- + static int macsec_add_dev(struct net_device *dev, sci_t sci, u8 icv_len) + { + struct macsec_dev *macsec = macsec_priv(dev); diff --git a/queue-5.4/net-memcg-fix-lockdep-splat-in-inet_csk_accept.patch b/queue-5.4/net-memcg-fix-lockdep-splat-in-inet_csk_accept.patch new file mode 100644 index 00000000000..825bb9b217c --- /dev/null +++ b/queue-5.4/net-memcg-fix-lockdep-splat-in-inet_csk_accept.patch 
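Review bot: `macsec->secy.sci = dev_to_sci(dev, MACSEC_PORT_ES);` in macsec_set_mac_address() rebuilds the SCI with the default port no matter how the device was created. macsec_rtnl_policy accepts IFLA_MACSEC_PORT and IFLA_MACSEC_SCI, so a device set up with an explicit port or SCI would presumably have that value replaced on a MAC address change; how the original SCI is derived is outside this hunk and should be checked. If a configured port has to survive, the port part of the existing SCI should be carried over instead of MACSEC_PORT_ES. At minimum a comment such as `/* SCI embeds the MAC; the port is reset to MACSEC_PORT_ES here */` would document the behaviour.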
@@ -0,0 +1,121 @@ +From foo@baz Sun 15 Mar 2020 09:33:48 AM CET +From: Eric Dumazet +Date: Wed, 11 Mar 2020 11:44:26 -0700 +Subject: net: memcg: fix lockdep splat in inet_csk_accept() + +From: Eric Dumazet + +Locking newsk while still holding the listener lock triggered +a lockdep splat [1] + +We can simply move the memcg code after we release the listener lock, +as this can also help if multiple threads are sharing a common listener. + +Also fix a typo while reading socket sk_rmem_alloc. + +[1] +WARNING: possible recursive locking detected +5.6.0-rc3-syzkaller #0 Not tainted +-------------------------------------------- +syz-executor598/9524 is trying to acquire lock: +ffff88808b5b8b90 (sk_lock-AF_INET6){+.+.}, at: lock_sock include/net/sock.h:1541 [inline] +ffff88808b5b8b90 (sk_lock-AF_INET6){+.+.}, at: inet_csk_accept+0x69f/0xd30 net/ipv4/inet_connection_sock.c:492 + +but task is already holding lock: +ffff88808b5b9590 (sk_lock-AF_INET6){+.+.}, at: lock_sock include/net/sock.h:1541 [inline] +ffff88808b5b9590 (sk_lock-AF_INET6){+.+.}, at: inet_csk_accept+0x8d/0xd30 net/ipv4/inet_connection_sock.c:445 + +other info that might help us debug this: + Possible unsafe locking scenario: + + CPU0 + ---- + lock(sk_lock-AF_INET6); + lock(sk_lock-AF_INET6); + + *** DEADLOCK *** + + May be due to missing lock nesting notation + +1 lock held by syz-executor598/9524: + #0: ffff88808b5b9590 (sk_lock-AF_INET6){+.+.}, at: lock_sock include/net/sock.h:1541 [inline] + #0: ffff88808b5b9590 (sk_lock-AF_INET6){+.+.}, at: inet_csk_accept+0x8d/0xd30 net/ipv4/inet_connection_sock.c:445 + +stack backtrace: +CPU: 0 PID: 9524 Comm: syz-executor598 Not tainted 5.6.0-rc3-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0x188/0x20d lib/dump_stack.c:118 + print_deadlock_bug kernel/locking/lockdep.c:2370 [inline] + check_deadlock kernel/locking/lockdep.c:2411 [inline] + 
validate_chain kernel/locking/lockdep.c:2954 [inline] + __lock_acquire.cold+0x114/0x288 kernel/locking/lockdep.c:3954 + lock_acquire+0x197/0x420 kernel/locking/lockdep.c:4484 + lock_sock_nested+0xc5/0x110 net/core/sock.c:2947 + lock_sock include/net/sock.h:1541 [inline] + inet_csk_accept+0x69f/0xd30 net/ipv4/inet_connection_sock.c:492 + inet_accept+0xe9/0x7c0 net/ipv4/af_inet.c:734 + __sys_accept4_file+0x3ac/0x5b0 net/socket.c:1758 + __sys_accept4+0x53/0x90 net/socket.c:1809 + __do_sys_accept4 net/socket.c:1821 [inline] + __se_sys_accept4 net/socket.c:1818 [inline] + __x64_sys_accept4+0x93/0xf0 net/socket.c:1818 + do_syscall_64+0xf6/0x790 arch/x86/entry/common.c:294 + entry_SYSCALL_64_after_hwframe+0x49/0xbe +RIP: 0033:0x4445c9 +Code: e8 0c 0d 03 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb 08 fc ff c3 66 2e 0f 1f 84 00 00 00 00 +RSP: 002b:00007ffc35b37608 EFLAGS: 00000246 ORIG_RAX: 0000000000000120 +RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00000000004445c9 +RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003 +RBP: 0000000000000000 R08: 0000000000306777 R09: 0000000000306777 +R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 +R13: 00000000004053d0 R14: 0000000000000000 R15: 0000000000000000 + +Fixes: d752a4986532 ("net: memcg: late association of sock to memcg") +Signed-off-by: Eric Dumazet +Cc: Shakeel Butt +Reported-by: syzbot +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/inet_connection_sock.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +--- a/net/ipv4/inet_connection_sock.c ++++ b/net/ipv4/inet_connection_sock.c +@@ -483,27 +483,27 @@ struct sock *inet_csk_accept(struct sock + spin_unlock_bh(&queue->fastopenq.lock); + } + +- if (mem_cgroup_sockets_enabled) { ++out: ++ release_sock(sk); ++ if (newsk && mem_cgroup_sockets_enabled) { + int amt; + + /* atomically get the memory usage, set and charge the +- * sk->sk_memcg. ++ * newsk->sk_memcg. + */ + lock_sock(newsk); + +- /* The sk has not been accepted yet, no need to look at +- * sk->sk_wmem_queued. ++ /* The socket has not been accepted yet, no need to look at ++ * newsk->sk_wmem_queued. + */ + amt = sk_mem_pages(newsk->sk_forward_alloc + +- atomic_read(&sk->sk_rmem_alloc)); ++ atomic_read(&newsk->sk_rmem_alloc)); + mem_cgroup_sk_alloc(newsk); + if (newsk->sk_memcg && amt) + mem_cgroup_charge_skmem(newsk->sk_memcg, amt); + + release_sock(newsk); + } +-out: +- release_sock(sk); + if (req) + reqsk_put(req); + return newsk; diff --git a/queue-5.4/net-memcg-late-association-of-sock-to-memcg.patch b/queue-5.4/net-memcg-late-association-of-sock-to-memcg.patch new file mode 100644 index 00000000000..16d0fc12a0f --- /dev/null +++ b/queue-5.4/net-memcg-late-association-of-sock-to-memcg.patch 
@@ -0,0 +1,99 @@ +From foo@baz Sun 15 Mar 2020 09:33:48 AM CET +From: Shakeel Butt +Date: Mon, 9 Mar 2020 22:16:06 -0700 +Subject: net: memcg: late association of sock to memcg + +From: Shakeel Butt + +[ Upstream commit d752a4986532cb6305dfd5290a614cde8072769d ] + +If a TCP socket is allocated in IRQ context or cloned from unassociated +(i.e. not associated to a memcg) in IRQ context then it will remain +unassociated for its whole life. Almost half of the TCPs created on the +system are created in IRQ context, so, memory used by such sockets will +not be accounted by the memcg. + +This issue is more widespread in cgroup v1 where network memory +accounting is opt-in but it can happen in cgroup v2 if the source socket +for the cloning was created in root memcg. + +To fix the issue, just do the association of the sockets at the accept() +time in the process context and then force charge the memory buffer +already used and reserved by the socket. + +Signed-off-by: Shakeel Butt +Reviewed-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + mm/memcontrol.c | 14 -------------- + net/core/sock.c | 5 ++++- + net/ipv4/inet_connection_sock.c | 20 ++++++++++++++++++++ + 3 files changed, 24 insertions(+), 15 deletions(-) + +--- a/mm/memcontrol.c ++++ b/mm/memcontrol.c +@@ -6792,20 +6792,6 @@ void mem_cgroup_sk_alloc(struct sock *sk + if (!mem_cgroup_sockets_enabled) + return; + +- /* +- * Socket cloning can throw us here with sk_memcg already +- * filled. It won't however, necessarily happen from +- * process context. So the test for root memcg given +- * the current task's memcg won't help us in this case. +- * +- * Respecting the original socket's memcg is a better +- * decision in this case. +- */ +- if (sk->sk_memcg) { +- css_get(&sk->sk_memcg->css); +- return; +- } +- + /* Do not associate the sock with unrelated interrupted task's memcg. 
*/ + if (in_interrupt()) + return; +--- a/net/core/sock.c ++++ b/net/core/sock.c +@@ -1832,7 +1832,10 @@ struct sock *sk_clone_lock(const struct + atomic_set(&newsk->sk_zckey, 0); + + sock_reset_flag(newsk, SOCK_DONE); +- mem_cgroup_sk_alloc(newsk); ++ ++ /* sk->sk_memcg will be populated at accept() time */ ++ newsk->sk_memcg = NULL; ++ + cgroup_sk_alloc(&newsk->sk_cgrp_data); + + rcu_read_lock(); +--- a/net/ipv4/inet_connection_sock.c ++++ b/net/ipv4/inet_connection_sock.c +@@ -482,6 +482,26 @@ struct sock *inet_csk_accept(struct sock + } + spin_unlock_bh(&queue->fastopenq.lock); + } ++ ++ if (mem_cgroup_sockets_enabled) { ++ int amt; ++ ++ /* atomically get the memory usage, set and charge the ++ * sk->sk_memcg. ++ */ ++ lock_sock(newsk); ++ ++ /* The sk has not been accepted yet, no need to look at ++ * sk->sk_wmem_queued. ++ */ ++ amt = sk_mem_pages(newsk->sk_forward_alloc + ++ atomic_read(&sk->sk_rmem_alloc)); ++ mem_cgroup_sk_alloc(newsk); ++ if (newsk->sk_memcg && amt) ++ mem_cgroup_charge_skmem(newsk->sk_memcg, amt); ++ ++ release_sock(newsk); ++ } + out: + release_sock(sk); + if (req) diff --git a/queue-5.4/net-nfc-fix-bounds-checking-bugs-on-pipe.patch b/queue-5.4/net-nfc-fix-bounds-checking-bugs-on-pipe.patch new file mode 100644 index 00000000000..89134ec0ab2 --- /dev/null +++ b/queue-5.4/net-nfc-fix-bounds-checking-bugs-on-pipe.patch 
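Review bot: The block added to inet_csk_accept() charges `atomic_read(&sk->sk_rmem_alloc)`, which is the listener's receive allocation rather than the new socket's, and it calls `lock_sock(newsk)` before the `release_sock(sk)` that follows the `out:` label. Both are corrected by net-memcg-fix-lockdep-splat-in-inet_csk_accept.patch in this same queue (`atomic_read(&newsk->sk_rmem_alloc)` and moving the block after `release_sock(sk)`), so the two patches have to land together and in that order. Separately, sk_clone_lock() now sets `newsk->sk_memcg = NULL` for every clone, so a clone that never passes through inet_csk_accept() stays unaccounted; whether such paths exist in 5.4 is not visible from these hunks.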
@@ -0,0 +1,67 @@
+From foo@baz Sun 15 Mar 2020 09:33:48 AM CET
+From: Dan Carpenter
+Date: Wed, 4 Mar 2020 17:24:31 +0300
+Subject: net: nfc: fix bounds checking bugs on "pipe"
+
+From: Dan Carpenter
+
+[ Upstream commit a3aefbfe45751bf7b338c181b97608e276b5bb73 ]
+
+This is similar to commit 674d9de02aa7 ("NFC: Fix possible memory
+corruption when handling SHDLC I-Frame commands") and commit d7ee81ad09f0
+("NFC: nci: Add some bounds checking in nci_hci_cmd_received()") which
+added range checks on "pipe".
+
+The "pipe" variable comes skb->data[0] in nfc_hci_msg_rx_work().
+It's in the 0-255 range. We're using it as the array index into the
+hdev->pipes[] array which has NFC_HCI_MAX_PIPES (128) members.
+
+Fixes: 118278f20aa8 ("NFC: hci: Add pipes table to reference them with a tuple {gate, host}")
+Signed-off-by: Dan Carpenter
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/nfc/hci/core.c | 19 ++++++++++++++++---
+ 1 file changed, 16 insertions(+), 3 deletions(-)
+
+--- a/net/nfc/hci/core.c
++++ b/net/nfc/hci/core.c
+@@ -181,13 +181,20 @@ exit:
+ void nfc_hci_cmd_received(struct nfc_hci_dev *hdev, u8 pipe, u8 cmd,
+ struct sk_buff *skb)
+ {
+- u8 gate = hdev->pipes[pipe].gate;
+ u8 status = NFC_HCI_ANY_OK;
+ struct hci_create_pipe_resp *create_info;
+ struct hci_delete_pipe_noti *delete_info;
+ struct hci_all_pipe_cleared_noti *cleared_info;
++ u8 gate;
+
+- pr_debug("from gate %x pipe %x cmd %x\n", gate, pipe, cmd);
++ pr_debug("from pipe %x cmd %x\n", pipe, cmd);
++
++ if (pipe >= NFC_HCI_MAX_PIPES) {
++ status = NFC_HCI_ANY_E_NOK;
++ goto exit;
++ }
++
++ gate = hdev->pipes[pipe].gate;
+
+ switch (cmd) {
+ case NFC_HCI_ADM_NOTIFY_PIPE_CREATED:
+@@ -375,8 +382,14 @@ void nfc_hci_event_received(struct nfc_h
+ struct sk_buff *skb)
+ {
+ int r = 0;
+- u8 gate = hdev->pipes[pipe].gate;
++ u8 gate;
++
++ if (pipe >= NFC_HCI_MAX_PIPES) {
++ pr_err("Discarded event %x to invalid pipe %x\n", event, pipe);
++ goto exit;
++ }
+
++ gate =
hdev->pipes[pipe].gate;
+ if (gate == NFC_HCI_INVALID_GATE) {
+ pr_err("Discarded event %x to unopened pipe %x\n", event, pipe);
+ goto exit;
diff --git a/queue-5.4/net-packet-tpacket_rcv-do-not-increment-ring-index-on-drop.patch b/queue-5.4/net-packet-tpacket_rcv-do-not-increment-ring-index-on-drop.patch
new file mode 100644
index 00000000000..36c3ee3e5cf
--- /dev/null
+++ b/queue-5.4/net-packet-tpacket_rcv-do-not-increment-ring-index-on-drop.patch
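Review bot: `gate` is now declared without an initialiser in both nfc_hci_cmd_received() and nfc_hci_event_received(), and the new `pipe >= NFC_HCI_MAX_PIPES` branches jump to `exit` before it is assigned. Both `exit:` labels lie outside these hunks, so it needs confirming that nothing on the exit path reads `gate`; declaring it as `u8 gate = NFC_HCI_INVALID_GATE;` would make that hold by construction. Because `pipe` is taken from received data, the added `pr_err("Discarded event %x to invalid pipe %x\n", event, pipe);` can be hit repeatedly by a misbehaving peer, and `pr_err_ratelimited()` would bound the resulting log volume.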
@@ -0,0 +1,55 @@
+From foo@baz Sun 15 Mar 2020 09:33:48 AM CET
+From: Willem de Bruijn
+Date: Mon, 9 Mar 2020 11:34:35 -0400
+Subject: net/packet: tpacket_rcv: do not increment ring index on drop
+
+From: Willem de Bruijn
+
+[ Upstream commit 46e4c421a053c36bf7a33dda2272481bcaf3eed3 ]
+
+In one error case, tpacket_rcv drops packets after incrementing the
+ring producer index.
+
+If this happens, it does not update tp_status to TP_STATUS_USER and
+thus the reader is stalled for an iteration of the ring, causing out
+of order arrival.
+
+The only such error path is when virtio_net_hdr_from_skb fails due
+to encountering an unknown GSO type.
+
+Signed-off-by: Willem de Bruijn
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/packet/af_packet.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -2273,6 +2273,13 @@ static int tpacket_rcv(struct sk_buff *s
+ TP_STATUS_KERNEL, (macoff+snaplen));
+ if (!h.raw)
+ goto drop_n_account;
++
++ if (do_vnet &&
++ virtio_net_hdr_from_skb(skb, h.raw + macoff -
++ sizeof(struct virtio_net_hdr),
++ vio_le(), true, 0))
++ goto drop_n_account;
++
+ if (po->tp_version <= TPACKET_V2) {
+ packet_increment_rx_head(po, &po->rx_ring);
+ /*
+@@ -2285,12 +2292,6 @@ static int tpacket_rcv(struct sk_buff *s
+ status |= TP_STATUS_LOSING;
+ }
+
+- if (do_vnet &&
+- virtio_net_hdr_from_skb(skb, h.raw + macoff -
+- sizeof(struct virtio_net_hdr),
+- vio_le(), true, 0))
+- goto drop_n_account;
+-
+ po->stats.stats1.tp_packets++;
+ if (copy_skb) {
+ status |= TP_STATUS_COPY;
diff --git a/queue-5.4/net-phy-avoid-clearing-phy-interrupts-twice-in-irq-handler.patch b/queue-5.4/net-phy-avoid-clearing-phy-interrupts-twice-in-irq-handler.patch
new file mode 100644
index 00000000000..97317b9ddaf
--- /dev/null
+++ b/queue-5.4/net-phy-avoid-clearing-phy-interrupts-twice-in-irq-handler.patch
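Review bot: The relocated `virtio_net_hdr_from_skb()` check in tpacket_rcv() carries no comment saying why it has to run before `packet_increment_rx_head()`, so a later cleanup could move it back. A line above it such as `/* Must fail before the ring head advances: a slot left at TP_STATUS_KERNEL stalls the reader. */` would record the constraint given in the commit message. The call is passed a pointer into the ring slot (`h.raw + macoff - sizeof(struct virtio_net_hdr)`), so on the drop path the slot may already hold a partly written header while its status is unchanged; that looks harmless if readers honour tp_status, but the rest of the function is outside the hunk.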
@@ -0,0 +1,50 @@
+From foo@baz Sun 15 Mar 2020 09:33:48 AM CET
+From: Heiner Kallweit
+Date: Sun, 1 Mar 2020 21:36:09 +0100
+Subject: net: phy: avoid clearing PHY interrupts twice in irq handler
+
+From: Heiner Kallweit
+
+[ Upstream commit 249bc9744e165abe74ae326f43e9d70bad54c3b7 ]
+
+On all PHY drivers that implement did_interrupt() reading the interrupt
+status bits clears them. This means we may loose an interrupt that
+is triggered between calling did_interrupt() and phy_clear_interrupt().
+As part of the fix make it a requirement that did_interrupt() clears
+the interrupt.
+
+The Fixes tag refers to the first commit where the patch applies
+cleanly.
+
+Fixes: 49644e68f472 ("net: phy: add callback for custom interrupt handler to struct phy_driver")
+Reported-by: Michael Walle
+Signed-off-by: Heiner Kallweit
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/phy/phy.c | 3 ++-
+ include/linux/phy.h | 1 +
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/phy/phy.c
++++ b/drivers/net/phy/phy.c
+@@ -761,7 +761,8 @@ static irqreturn_t phy_interrupt(int irq
+ phy_trigger_machine(phydev);
+ }
+
+- if (phy_clear_interrupt(phydev))
++ /* did_interrupt() may have cleared the interrupt already */
++ if (!phydev->drv->did_interrupt && phy_clear_interrupt(phydev))
+ goto phy_err;
+ return IRQ_HANDLED;
+
+--- a/include/linux/phy.h
++++ b/include/linux/phy.h
+@@ -524,6 +524,7 @@ struct phy_driver {
+ /*
+ * Checks if the PHY generated an interrupt.
+ * For multi-PHY devices with shared PHY interrupt pin
++ * Set interrupt bits have to be cleared.
+ */
+ int (*did_interrupt)(struct phy_device *phydev);
+
diff --git a/queue-5.4/net-phy-bcm63xx-fix-oops-due-to-missing-driver-name.patch b/queue-5.4/net-phy-bcm63xx-fix-oops-due-to-missing-driver-name.patch
new file mode 100644
index 00000000000..28f253370b8
--- /dev/null
+++ b/queue-5.4/net-phy-bcm63xx-fix-oops-due-to-missing-driver-name.patch
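Review bot: The new comment in phy_interrupt() says did_interrupt() "may have cleared the interrupt already", but the condition `!phydev->drv->did_interrupt && phy_clear_interrupt(phydev)` skips the clear for every driver that provides the callback, whether or not it acknowledged anything. A did_interrupt() that only tests the status would then leave the interrupt pending, so the comment should state the requirement, for example `/* did_interrupt() is required to clear the interrupt; only ack here when the driver has none */`. The matching line added in phy.h, "Set interrupt bits have to be cleared.", is hard to parse and would read better as `* The callback must clear any interrupt bits that are set.`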
@@ -0,0 +1,75 @@
+From foo@baz Sun 15 Mar 2020 09:33:48 AM CET
+From: Jonas Gorski
+Date: Mon, 2 Mar 2020 20:46:57 +0100
+Subject: net: phy: bcm63xx: fix OOPS due to missing driver name
+
+From: Jonas Gorski
+
+[ Upstream commit 43de81b0601df7d7988d3f5617ee0987df65c883 ]
+
+719655a14971 ("net: phy: Replace phy driver features u32 with link_mode
+bitmap") was a bit over-eager and also removed the second phy driver's
+name, resulting in a nasty OOPS on registration:
+
+[ 1.319854] CPU 0 Unable to handle kernel paging request at virtual address 00000000, epc == 804dd50c, ra == 804dd4f0
+[ 1.330859] Oops[#1]:
+[ 1.333138] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.4.22 #0
+[ 1.339217] $ 0 : 00000000 00000001 87ca7f00 805c1874
+[ 1.344590] $ 4 : 00000000 00000047 00585000 8701f800
+[ 1.349965] $ 8 : 8701f800 804f4a5c 00000003 64726976
+[ 1.355341] $12 : 00000001 00000000 00000000 00000114
+[ 1.360718] $16 : 87ca7f80 00000000 00000000 80639fe4
+[ 1.366093] $20 : 00000002 00000000 806441d0 80b90000
+[ 1.371470] $24 : 00000000 00000000
+[ 1.376847] $28 : 87c1e000 87c1fda0 80b90000 804dd4f0
+[ 1.382224] Hi : d1c8f8da
+[ 1.385180] Lo : 5518a480
+[ 1.388182] epc : 804dd50c kset_find_obj+0x3c/0x114
+[ 1.393345] ra : 804dd4f0 kset_find_obj+0x20/0x114
+[ 1.398530] Status: 10008703 KERNEL EXL IE
+[ 1.402833] Cause : 00800008 (ExcCode 02)
+[ 1.406952] BadVA : 00000000
+[ 1.409913] PrId : 0002a075 (Broadcom BMIPS4350)
+[ 1.414745] Modules linked in:
+[ 1.417895] Process swapper/0 (pid: 1, threadinfo=(ptrval), task=(ptrval), tls=00000000)
+[ 1.426214] Stack : 87cec000 80630000 80639370 80640658 80640000 80049af4 80639fe4 8063a0d8
+[ 1.434816] 8063a0d8 802ef078 00000002 00000000 806441d0 80b90000 8063a0d8 802ef114
+[ 1.443417] 87cea0de 87c1fde0 00000000 804de488 87cea000 8063a0d8 8063a0d8 80334e48
+[ 1.452018] 80640000 8063984c 80639bf4 00000000 8065de48 00000001 8063a0d8 80334ed0
+[ 1.460620] 806441d0 80b90000 80b90000 802ef164 8065dd70 80620000 80b90000 8065de58
+[ 1.469222] ...
+[ 1.471734] Call Trace:
+[ 1.474255] [<804dd50c>] kset_find_obj+0x3c/0x114
+[ 1.479141] [<802ef078>] driver_find+0x1c/0x44
+[ 1.483665] [<802ef114>] driver_register+0x74/0x148
+[ 1.488719] [<80334e48>] phy_driver_register+0x9c/0xd0
+[ 1.493968] [<80334ed0>] phy_drivers_register+0x54/0xe8
+[ 1.499345] [<8001061c>] do_one_initcall+0x7c/0x1f4
+[ 1.504374] [<80644ed8>] kernel_init_freeable+0x1d4/0x2b4
+[ 1.509940] [<804f4e24>] kernel_init+0x10/0xf8
+[ 1.514502] [<80018e68>] ret_from_kernel_thread+0x14/0x1c
+[ 1.520040] Code: 1060000c 02202025 90650000 <90810000> 24630001 14250004 24840001 14a0fffb 90650000
+[ 1.530061]
+[ 1.531698] ---[ end trace d52f1717cd29bdc8 ]---
+
+Fix it by readding the name.
+
+Fixes: 719655a14971 ("net: phy: Replace phy driver features u32 with link_mode bitmap")
+Signed-off-by: Jonas Gorski
+Acked-by: Florian Fainelli
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/phy/bcm63xx.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/phy/bcm63xx.c
++++ b/drivers/net/phy/bcm63xx.c
+@@ -73,6 +73,7 @@ static struct phy_driver bcm63xx_driver[
+ /* same phy as above, with just a different OUI */
+ .phy_id = 0x002bdc00,
+ .phy_id_mask = 0xfffffc00,
++ .name = "Broadcom BCM63XX (2)",
+ /* PHY_BASIC_FEATURES */
+ .flags = PHY_IS_INTERNAL,
+ .config_init = bcm63xx_config_init,
diff --git a/queue-5.4/net-phy-fix-mdio-bus-pm-phy-resuming.patch b/queue-5.4/net-phy-fix-mdio-bus-pm-phy-resuming.patch
new file mode 100644
index 00000000000..ebdbbea7ef8
--- /dev/null
+++ b/queue-5.4/net-phy-fix-mdio-bus-pm-phy-resuming.patch
@@ -0,0 +1,72 @@
+From foo@baz Sun 15 Mar 2020 09:33:48 AM CET
+From: Heiner Kallweit
+Date: Thu, 12 Mar 2020 22:25:20 +0100
+Subject: net: phy: fix MDIO bus PM PHY resuming
+
+From: Heiner Kallweit
+
+[ Upstream commit 611d779af7cad2b87487ff58e4931a90c20b113c ]
+
+So far we have the unfortunate situation that mdio_bus_phy_may_suspend()
+is called in suspend AND resume path, assuming that function result is
+the same. After the original change this is no longer the case,
+resulting in broken resume as reported by Geert.
+
+To fix this call mdio_bus_phy_may_suspend() in the suspend path only,
+and let the phy_device store the info whether it was suspended by
+MDIO bus PM.
+
+Fixes: 503ba7c69610 ("net: phy: Avoid multiple suspends")
+Reported-by: Geert Uytterhoeven
+Tested-by: Geert Uytterhoeven
+Signed-off-by: Heiner Kallweit
+Reviewed-by: Florian Fainelli
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/phy/phy_device.c | 6 +++++-
+ include/linux/phy.h | 2 ++
+ 2 files changed, 7 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/phy/phy_device.c
++++ b/drivers/net/phy/phy_device.c
+@@ -284,6 +284,8 @@ static int mdio_bus_phy_suspend(struct d
+ if (!mdio_bus_phy_may_suspend(phydev))
+ return 0;
+
++ phydev->suspended_by_mdio_bus = 1;
++
+ return phy_suspend(phydev);
+ }
+
+@@ -292,9 +294,11 @@ static int mdio_bus_phy_resume(struct de
+ struct phy_device *phydev = to_phy_device(dev);
+ int ret;
+
+- if (!mdio_bus_phy_may_suspend(phydev))
++ if (!phydev->suspended_by_mdio_bus)
+ goto no_resume;
+
++ phydev->suspended_by_mdio_bus = 0;
++
+ ret = phy_resume(phydev);
+ if (ret < 0)
+ return ret;
+--- a/include/linux/phy.h
++++ b/include/linux/phy.h
+@@ -336,6 +336,7 @@ struct phy_c45_device_ids {
+ * is_gigabit_capable: Set to true if PHY supports 1000Mbps
+ * has_fixups: Set to true if this phy has fixups/quirks.
+ * suspended: Set to true if this phy has been suspended successfully.
++ * suspended_by_mdio_bus: Set to true if this phy was suspended by MDIO bus.
+ * sysfs_links: Internal boolean tracking sysfs symbolic links setup/removal.
+ * loopback_enabled: Set true if this phy has been loopbacked successfully.
+ * state: state of the PHY for management purposes
+@@ -372,6 +373,7 @@ struct phy_device {
+ unsigned is_gigabit_capable:1;
+ unsigned has_fixups:1;
+ unsigned suspended:1;
++ unsigned suspended_by_mdio_bus:1;
+ unsigned sysfs_links:1;
+ unsigned loopback_enabled:1;
+
diff --git a/queue-5.4/net-stmmac-dwmac1000-disable-acs-if-enhanced-descs-are-not-used.patch b/queue-5.4/net-stmmac-dwmac1000-disable-acs-if-enhanced-descs-are-not-used.patch
new file mode 100644
index 00000000000..1adec8366c9
--- /dev/null
+++ b/queue-5.4/net-stmmac-dwmac1000-disable-acs-if-enhanced-descs-are-not-used.patch
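Review bot: In mdio_bus_phy_suspend() the line `phydev->suspended_by_mdio_bus = 1;` runs before `phy_suspend(phydev)` has returned, so the flag stays set when the suspend fails. The only place that clears it is mdio_bus_phy_resume(), and the early `return 0` for `!mdio_bus_phy_may_suspend(phydev)` leaves a stale value in place, so a later resume could call phy_resume() on a PHY the bus never suspended. Setting the flag from the result keeps the two in step: `ret = phy_suspend(phydev);` followed by `if (!ret) phydev->suspended_by_mdio_bus = 1;`. Whether the PM core invokes resume after a failed suspend is not visible in the hunk.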
@@ -0,0 +1,45 @@
+From foo@baz Sun 15 Mar 2020 09:33:48 AM CET
+From: Remi Pommarel
+Date: Sun, 8 Mar 2020 10:25:56 +0100
+Subject: net: stmmac: dwmac1000: Disable ACS if enhanced descs are not used
+
+From: Remi Pommarel
+
+[ Upstream commit b723bd933980f4956dabc8a8d84b3e83be8d094c ]
+
+ACS (auto PAD/FCS stripping) removes FCS off 802.3 packets (LLC) so that
+there is no need to manually strip it for such packets. The enhanced DMA
+descriptors allow to flag LLC packets so that the receiving callback can
+use that to strip FCS manually or not. On the other hand, normal
+descriptors do not support that.
+
+Thus in order to not truncate LLC packet ACS should be disabled when
+using normal DMA descriptors.
+
+Fixes: 47dd7a540b8a0 ("net: add support for STMicroelectronics Ethernet controllers.")
+Signed-off-by: Remi Pommarel
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/stmicro/stmmac/dwmac1000_core.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/stmicro/stmmac/dwmac1000_core.c
++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac1000_core.c
+@@ -24,6 +24,7 @@
+ static void dwmac1000_core_init(struct mac_device_info *hw,
+ struct net_device *dev)
+ {
++ struct stmmac_priv *priv = netdev_priv(dev);
+ void __iomem *ioaddr = hw->pcsr;
+ u32 value = readl(ioaddr + GMAC_CONTROL);
+ int mtu = dev->mtu;
+@@ -35,7 +36,7 @@ static void dwmac1000_core_init(struct m
+ * Broadcom tags can look like invalid LLC/SNAP packets and cause the
+ * hardware to truncate packets on reception.
+ */
+- if (netdev_uses_dsa(dev))
++ if (netdev_uses_dsa(dev) || !priv->plat->enh_desc)
+ value &= ~GMAC_CONTROL_ACS;
+
+ if (mtu > 1500)
diff --git a/queue-5.4/net-systemport-fix-index-check-to-avoid-an-array-out-of-bounds-access.patch b/queue-5.4/net-systemport-fix-index-check-to-avoid-an-array-out-of-bounds-access.patch
new file mode 100644
index 00000000000..89a0f304889
--- /dev/null
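Review bot: The comment above the condition in dwmac1000_core_init() still explains only the DSA tagging case, so the added `!priv->plat->enh_desc` term has no stated reason next to the code. A line appended to that comment, such as `* Normal descriptors cannot flag LLC packets, so ACS is also kept off when enhanced descriptors are not in use.`, would carry the rationale from the commit message into the source.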
+++ b/queue-5.4/net-systemport-fix-index-check-to-avoid-an-array-out-of-bounds-access.patch
@@ -0,0 +1,32 @@
+From foo@baz Sun 15 Mar 2020 09:33:48 AM CET
+From: Colin Ian King
+Date: Thu, 12 Mar 2020 15:04:30 +0000
+Subject: net: systemport: fix index check to avoid an array out of bounds access
+
+From: Colin Ian King
+
+[ Upstream commit c0368595c1639947839c0db8294ee96aca0b3b86 ]
+
+Currently the bounds check on index is off by one and can lead to
+an out of bounds access on array priv->filters_loc when index is
+RXCHK_BRCM_TAG_MAX.
+
+Fixes: bb9051a2b230 ("net: systemport: Add support for WAKE_FILTER")
+Signed-off-by: Colin Ian King
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/broadcom/bcmsysport.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/broadcom/bcmsysport.c
++++ b/drivers/net/ethernet/broadcom/bcmsysport.c
+@@ -2135,7 +2135,7 @@ static int bcm_sysport_rule_set(struct b
+ return -ENOSPC;
+
+ index = find_first_zero_bit(priv->filters, RXCHK_BRCM_TAG_MAX);
+- if (index > RXCHK_BRCM_TAG_MAX)
++ if (index >= RXCHK_BRCM_TAG_MAX)
+ return -ENOSPC;
+
+ /* Location is the classification ID, and index is the position
diff --git a/queue-5.4/net-taprio-add-missing-attribute-validation-for-txtime-delay.patch b/queue-5.4/net-taprio-add-missing-attribute-validation-for-txtime-delay.patch
new file mode 100644
index 00000000000..62cbe2da749
--- /dev/null
+++ b/queue-5.4/net-taprio-add-missing-attribute-validation-for-txtime-delay.patch
@@ -0,0 +1,31 @@
+From foo@baz Sun 15 Mar 2020 09:33:48 AM CET
+From: Jakub Kicinski
+Date: Mon, 2 Mar 2020 21:05:20 -0800
+Subject: net: taprio: add missing attribute validation for txtime delay
+
+From: Jakub Kicinski
+
+[ Upstream commit e13aaa0643da10006ec35715954e7f92a62899a5 ]
+
+Add missing attribute validation for TCA_TAPRIO_ATTR_TXTIME_DELAY
+to the netlink policy.
+
+Fixes: 4cfd5779bd6e ("taprio: Add support for txtime-assist mode")
+Signed-off-by: Jakub Kicinski
+Reviewed-by: Vinicius Costa Gomes
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/sched/sch_taprio.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/sched/sch_taprio.c
++++ b/net/sched/sch_taprio.c
+@@ -774,6 +774,7 @@ static const struct nla_policy taprio_po
+ [TCA_TAPRIO_ATTR_SCHED_CYCLE_TIME] = { .type = NLA_S64 },
+ [TCA_TAPRIO_ATTR_SCHED_CYCLE_TIME_EXTENSION] = { .type = NLA_S64 },
+ [TCA_TAPRIO_ATTR_FLAGS] = { .type = NLA_U32 },
++ [TCA_TAPRIO_ATTR_TXTIME_DELAY] = { .type = NLA_U32 },
+ };
+
+ static int fill_sched_entry(struct nlattr **tb, struct sched_entry *entry,
diff --git a/queue-5.4/netlink-use-netlink-header-as-base-to-calculate-bad-attribute-offset.patch b/queue-5.4/netlink-use-netlink-header-as-base-to-calculate-bad-attribute-offset.patch
new file mode 100644
index 00000000000..6bf867ba6d1
--- /dev/null
+++ b/queue-5.4/netlink-use-netlink-header-as-base-to-calculate-bad-attribute-offset.patch
@@ -0,0 +1,32 @@
+From foo@baz Sun 15 Mar 2020 09:33:48 AM CET
+From: Pablo Neira Ayuso
+Date: Wed, 26 Feb 2020 19:47:34 +0100
+Subject: netlink: Use netlink header as base to calculate bad attribute offset
+
+From: Pablo Neira Ayuso
+
+[ Upstream commit 84b3268027641401bb8ad4427a90a3cce2eb86f5 ]
+
+Userspace might send a batch that is composed of several netlink
+messages. The netlink_ack() function must use the pointer to the netlink
+header as base to calculate the bad attribute offset.
+
+Fixes: 2d4bc93368f5 ("netlink: extended ACK reporting")
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/netlink/af_netlink.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/netlink/af_netlink.c
++++ b/net/netlink/af_netlink.c
+@@ -2434,7 +2434,7 @@ void netlink_ack(struct sk_buff *in_skb,
+ in_skb->len))
+ WARN_ON(nla_put_u32(skb, NLMSGERR_ATTR_OFFS,
+ (u8 *)extack->bad_attr -
+- in_skb->data));
++ (u8 *)nlh));
+ } else {
+ if (extack->cookie_len)
+ WARN_ON(nla_put(skb, NLMSGERR_ATTR_COOKIE,
diff --git a/queue-5.4/nfc-add-missing-attribute-validation-for-deactivate-target.patch b/queue-5.4/nfc-add-missing-attribute-validation-for-deactivate-target.patch
new file mode 100644
index 00000000000..48f2ae72b48
--- /dev/null
+++ b/queue-5.4/nfc-add-missing-attribute-validation-for-deactivate-target.patch
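Review bot: The offset in netlink_ack() is now taken relative to `nlh`, but the guard in front of it, of which only the tail `in_skb->len))` is visible here, appears to still bound `extack->bad_attr` by the skb rather than by the message. If `bad_attr` could lie inside the skb but before `nlh`, for instance in an earlier message of the same batch, `(u8 *)extack->bad_attr - (u8 *)nlh` would be negative and be reported to userspace as a very large u32 offset. Bounding the pointer by `(u8 *)nlh` and `(u8 *)nlh + nlh->nlmsg_len` would put the guard and the subtraction on the same base. The start of the condition is outside the hunk, so this needs checking against the full function.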
@@ -0,0 +1,30 @@
+From foo@baz Sun 15 Mar 2020 09:33:48 AM CET
+From: Jakub Kicinski
+Date: Mon, 2 Mar 2020 21:05:25 -0800
+Subject: nfc: add missing attribute validation for deactivate target
+
+From: Jakub Kicinski
+
+[ Upstream commit 88e706d5168b07df4792dbc3d1bc37b83e4bd74d ]
+
+Add missing attribute validation for NFC_ATTR_TARGET_INDEX
+to the netlink policy.
+
+Fixes: 4d63adfe12dd ("NFC: Add NFC_CMD_DEACTIVATE_TARGET support")
+Signed-off-by: Jakub Kicinski
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/nfc/netlink.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/nfc/netlink.c
++++ b/net/nfc/netlink.c
+@@ -32,6 +32,7 @@ static const struct nla_policy nfc_genl_
+ [NFC_ATTR_DEVICE_NAME] = { .type = NLA_STRING,
+ .len = NFC_DEVICE_NAME_MAXSIZE },
+ [NFC_ATTR_PROTOCOLS] = { .type = NLA_U32 },
++ [NFC_ATTR_TARGET_INDEX] = { .type = NLA_U32 },
+ [NFC_ATTR_COMM_MODE] = { .type = NLA_U8 },
+ [NFC_ATTR_RF_MODE] = { .type = NLA_U8 },
+ [NFC_ATTR_DEVICE_POWERED] = { .type = NLA_U8 },
diff --git a/queue-5.4/nfc-add-missing-attribute-validation-for-se-api.patch b/queue-5.4/nfc-add-missing-attribute-validation-for-se-api.patch
new file mode 100644
index 00000000000..7d741cb9f33
--- /dev/null
+++ b/queue-5.4/nfc-add-missing-attribute-validation-for-se-api.patch
@@ -0,0 +1,30 @@
+From foo@baz Sun 15 Mar 2020 09:33:48 AM CET
+From: Jakub Kicinski
+Date: Mon, 2 Mar 2020 21:05:24 -0800
+Subject: nfc: add missing attribute validation for SE API
+
+From: Jakub Kicinski
+
+[ Upstream commit 361d23e41ca6e504033f7e66a03b95788377caae ]
+
+Add missing attribute validation for NFC_ATTR_SE_INDEX
+to the netlink policy.
+
+Fixes: 5ce3f32b5264 ("NFC: netlink: SE API implementation")
+Signed-off-by: Jakub Kicinski
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/nfc/netlink.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/nfc/netlink.c
++++ b/net/nfc/netlink.c
+@@ -43,6 +43,7 @@ static const struct nla_policy nfc_genl_
+ [NFC_ATTR_LLC_SDP] = { .type = NLA_NESTED },
+ [NFC_ATTR_FIRMWARE_NAME] = { .type = NLA_STRING,
+ .len = NFC_FIRMWARE_NAME_MAXSIZE },
++ [NFC_ATTR_SE_INDEX] = { .type = NLA_U32 },
+ [NFC_ATTR_SE_APDU] = { .type = NLA_BINARY },
+ [NFC_ATTR_VENDOR_DATA] = { .type = NLA_BINARY },
+
diff --git a/queue-5.4/nfc-add-missing-attribute-validation-for-vendor-subcommand.patch b/queue-5.4/nfc-add-missing-attribute-validation-for-vendor-subcommand.patch
new file mode 100644
index 00000000000..24df1131c26
--- /dev/null
+++ b/queue-5.4/nfc-add-missing-attribute-validation-for-vendor-subcommand.patch
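Review bot: The two entries next to the new one, `[NFC_ATTR_SE_APDU]` and `[NFC_ATTR_VENDOR_DATA]`, are `NLA_BINARY` with no `.len`, so the policy itself puts no upper bound on their payload and any limit has to come from the handlers, which are not visible here. Since this patch and the vendor-subcommand patch that follows are filling gaps in the same table, it would be worth giving both an explicit `.len`, the way `NFC_ATTR_FIRMWARE_NAME` has one, or adding a comment that names where the length is checked. The same applies to the context lines of the vendor-subcommand hunk.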
@@ -0,0 +1,31 @@
+From foo@baz Sun 15 Mar 2020 09:33:48 AM CET
+From: Jakub Kicinski
+Date: Mon, 2 Mar 2020 21:05:26 -0800
+Subject: nfc: add missing attribute validation for vendor subcommand
+
+From: Jakub Kicinski
+
+[ Upstream commit 6ba3da446551f2150fadbf8c7788edcb977683d3 ]
+
+Add missing attribute validation for vendor subcommand attributes
+to the netlink policy.
+
+Fixes: 9e58095f9660 ("NFC: netlink: Implement vendor command support")
+Signed-off-by: Jakub Kicinski
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/nfc/netlink.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/nfc/netlink.c
++++ b/net/nfc/netlink.c
+@@ -46,6 +46,8 @@ static const struct nla_policy nfc_genl_
+ .len = NFC_FIRMWARE_NAME_MAXSIZE },
+ [NFC_ATTR_SE_INDEX] = { .type = NLA_U32 },
+ [NFC_ATTR_SE_APDU] = { .type = NLA_BINARY },
++ [NFC_ATTR_VENDOR_ID] = { .type = NLA_U32 },
++ [NFC_ATTR_VENDOR_SUBCMD] = { .type = NLA_U32 },
+ [NFC_ATTR_VENDOR_DATA] = { .type = NLA_BINARY },
+
+ };
diff --git a/queue-5.4/nl802154-add-missing-attribute-validation-for-dev_type.patch b/queue-5.4/nl802154-add-missing-attribute-validation-for-dev_type.patch
new file mode 100644
index 00000000000..09356b45859
--- /dev/null
+++ b/queue-5.4/nl802154-add-missing-attribute-validation-for-dev_type.patch
@@ -0,0 +1,31 @@
+From foo@baz Sun 15 Mar 2020 09:33:48 AM CET
+From: Jakub Kicinski
+Date: Mon, 2 Mar 2020 21:05:15 -0800
+Subject: nl802154: add missing attribute validation for dev_type
+
+From: Jakub Kicinski
+
+[ Upstream commit b60673c4c418bef7550d02faf53c34fbfeb366bf ]
+
+Add missing attribute type validation for IEEE802154_ATTR_DEV_TYPE
+to the netlink policy.
+
+Fixes: 90c049b2c6ae ("ieee802154: interface type to be added")
+Signed-off-by: Jakub Kicinski
+Acked-by: Stefan Schmidt
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ieee802154/nl_policy.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/ieee802154/nl_policy.c
++++ b/net/ieee802154/nl_policy.c
+@@ -27,6 +27,7 @@ const struct nla_policy ieee802154_polic
+ [IEEE802154_ATTR_BAT_EXT] = { .type = NLA_U8, },
+ [IEEE802154_ATTR_COORD_REALIGN] = { .type = NLA_U8, },
+ [IEEE802154_ATTR_PAGE] = { .type = NLA_U8, },
++ [IEEE802154_ATTR_DEV_TYPE] = { .type = NLA_U8, },
+ [IEEE802154_ATTR_COORD_SHORT_ADDR] = { .type = NLA_U16, },
+ [IEEE802154_ATTR_COORD_HW_ADDR] = { .type = NLA_HW_ADDR, },
+ [IEEE802154_ATTR_COORD_PAN_ID] = { .type = NLA_U16, },
diff --git a/queue-5.4/nl802154-add-missing-attribute-validation.patch b/queue-5.4/nl802154-add-missing-attribute-validation.patch
new file mode 100644
index 00000000000..883413a594e
--- /dev/null
+++ b/queue-5.4/nl802154-add-missing-attribute-validation.patch
@@ -0,0 +1,34 @@
+From foo@baz Sun 15 Mar 2020 09:33:48 AM CET
+From: Jakub Kicinski
+Date: Mon, 2 Mar 2020 21:05:14 -0800
+Subject: nl802154: add missing attribute validation
+
+From: Jakub Kicinski
+
+[ Upstream commit 9322cd7c4af2ccc7fe7c5f01adb53f4f77949e92 ]
+
+Add missing attribute validation for several u8 types.
+
+Fixes: 2c21d11518b6 ("net: add NL802154 interface for configuration of 802.15.4 devices")
+Signed-off-by: Jakub Kicinski
+Acked-by: Stefan Schmidt
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ieee802154/nl_policy.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/net/ieee802154/nl_policy.c
++++ b/net/ieee802154/nl_policy.c
+@@ -21,6 +21,11 @@ const struct nla_policy ieee802154_polic
+ [IEEE802154_ATTR_HW_ADDR] = { .type = NLA_HW_ADDR, },
+ [IEEE802154_ATTR_PAN_ID] = { .type = NLA_U16, },
+ [IEEE802154_ATTR_CHANNEL] = { .type = NLA_U8, },
++ [IEEE802154_ATTR_BCN_ORD] = { .type = NLA_U8, },
++ [IEEE802154_ATTR_SF_ORD] = { .type = NLA_U8, },
++ [IEEE802154_ATTR_PAN_COORD] = { .type = NLA_U8, },
++ [IEEE802154_ATTR_BAT_EXT] = { .type = NLA_U8, },
++ [IEEE802154_ATTR_COORD_REALIGN] = { .type = NLA_U8, },
+ [IEEE802154_ATTR_PAGE] = { .type = NLA_U8, },
+ [IEEE802154_ATTR_COORD_SHORT_ADDR] = { .type = NLA_U16, },
+ [IEEE802154_ATTR_COORD_HW_ADDR] = { .type = NLA_HW_ADDR, },
diff --git a/queue-5.4/r8152-check-disconnect-status-after-long-sleep.patch b/queue-5.4/r8152-check-disconnect-status-after-long-sleep.patch
new file mode 100644
index 00000000000..48e9af3b750
--- /dev/null
+++ b/queue-5.4/r8152-check-disconnect-status-after-long-sleep.patch
@@ -0,0 +1,124 @@
+From foo@baz Sun 15 Mar 2020 09:33:48 AM CET
+From: You-Sheng Yang
+Date: Wed, 26 Feb 2020 23:37:10 +0800
+Subject: r8152: check disconnect status after long sleep
+
+From: You-Sheng Yang
+
+[ Upstream commit d64c7a08034b32c285e576208ae44fc3ba3fa7df ]
+
+Dell USB Type C docking WD19/WD19DC attaches additional peripherals as:
+
+ /: Bus 02.Port 1: Dev 1, Class=root_hub, Driver=xhci_hcd/6p, 5000M
+ |__ Port 1: Dev 11, If 0, Class=Hub, Driver=hub/4p, 5000M
+ |__ Port 3: Dev 12, If 0, Class=Hub, Driver=hub/4p, 5000M
+ |__ Port 4: Dev 13, If 0, Class=Vendor Specific Class,
+ Driver=r8152, 5000M
+
+where usb 2-1-3 is a hub connecting all USB Type-A/C ports on the dock.
+
+When hotplugging such dock with additional usb devices already attached on
+it, the probing process may reset usb 2.1 port, therefore r8152 ethernet
+device is also reset. However, during r8152 device init there are several
+for-loops that, when it's unable to retrieve hardware registers due to
+being disconnected from USB, may take up to 14 seconds each in practice,
+and that has to be completed before USB may re-enumerate devices on the
+bus. As a result, devices attached to the dock will only be available
+after nearly 1 minute after the dock was plugged in:
+
+ [ 216.388290] [250] r8152 2-1.4:1.0: usb_probe_interface
+ [ 216.388292] [250] r8152 2-1.4:1.0: usb_probe_interface - got id
+ [ 258.830410] r8152 2-1.4:1.0 (unnamed net_device) (uninitialized): PHY not ready
+ [ 258.830460] r8152 2-1.4:1.0 (unnamed net_device) (uninitialized): Invalid header when reading pass-thru MAC addr
+ [ 258.830464] r8152 2-1.4:1.0 (unnamed net_device) (uninitialized): Get ether addr fail
+
+This happens in, for example, r8153_init:
+
+ static int generic_ocp_read(struct r8152 *tp, u16 index, u16 size,
+ void *data, u16 type)
+ {
+ if (test_bit(RTL8152_UNPLUG, &tp->flags))
+ return -ENODEV;
+ ...
+ }
+
+ static u16 ocp_read_word(struct r8152 *tp, u16 type, u16 index)
+ {
+ u32 data;
+ ...
+ generic_ocp_read(tp, index, sizeof(tmp), &tmp, type | byen);
+
+ data = __le32_to_cpu(tmp);
+ ...
+ return (u16)data;
+ }
+
+ static void r8153_init(struct r8152 *tp)
+ {
+ ...
+ if (test_bit(RTL8152_UNPLUG, &tp->flags))
+ return;
+
+ for (i = 0; i < 500; i++) {
+ if (ocp_read_word(tp, MCU_TYPE_PLA, PLA_BOOT_CTRL) &
+ AUTOLOAD_DONE)
+ break;
+ msleep(20);
+ }
+ ...
+ }
+
+Since ocp_read_word() doesn't check the return status of
+generic_ocp_read(), and the only exit condition for the loop is to have
+a match in the returned value, such loops will only ends after exceeding
+its maximum runs when the device has been marked as disconnected, which
+takes 500 * 20ms = 10 seconds in theory, 14 in practice.
+
+To solve this long latency another test to RTL8152_UNPLUG flag should be
+added after those 20ms sleep to skip unnecessary loops, so that the device
+probe can complete early and proceed to parent port reset/reprobe process.
+
+This can be reproduced on all kernel versions up to latest v5.6-rc2, but
+after v5.5-rc7 the reproduce rate is dramatically lowered to 1/30 or less
+while it was around 1/2.
+
+Signed-off-by: You-Sheng Yang
+Signed-off-by: David S.
Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/usb/r8152.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/net/usb/r8152.c
++++ b/drivers/net/usb/r8152.c
+@@ -3006,6 +3006,8 @@ static u16 r8153_phy_status(struct r8152
+ }
+
+ msleep(20);
++ if (test_bit(RTL8152_UNPLUG, &tp->flags))
++ break;
+ }
+
+ return data;
+@@ -4419,7 +4421,10 @@ static void r8153_init(struct r8152 *tp)
+ if (ocp_read_word(tp, MCU_TYPE_PLA, PLA_BOOT_CTRL) &
+ AUTOLOAD_DONE)
+ break;
++
+ msleep(20);
++ if (test_bit(RTL8152_UNPLUG, &tp->flags))
++ break;
+ }
+
+ data = r8153_phy_status(tp, 0);
+@@ -4545,7 +4550,10 @@ static void r8153b_init(struct r8152 *tp
+ if (ocp_read_word(tp, MCU_TYPE_PLA, PLA_BOOT_CTRL) &
+ AUTOLOAD_DONE)
+ break;
++
+ msleep(20);
++ if (test_bit(RTL8152_UNPLUG, &tp->flags))
++ break;
+ }
+
+ data = r8153_phy_status(tp, 0);
diff --git a/queue-5.4/selftests-net-fib_tests-update-addr_metric_test-for-peer-route-testing.patch b/queue-5.4/selftests-net-fib_tests-update-addr_metric_test-for-peer-route-testing.patch
new file mode 100644
index 00000000000..33ee099dda0
--- /dev/null
+++ b/queue-5.4/selftests-net-fib_tests-update-addr_metric_test-for-peer-route-testing.patch
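Review bot: Each of the three loops now breaks when RTL8152_UNPLUG is set, but the code after them carries on: r8153_init() and r8153b_init() go straight to `data = r8153_phy_status(tp, 0);`, and r8153_phy_status() returns whatever `data` last held. The commit message itself notes that ocp_read_word() ignores a failed generic_ocp_read(), so those values mean nothing once the device is gone. Adding `if (test_bit(RTL8152_UNPLUG, &tp->flags)) return;` after the loop in the two init functions would stop the remaining init sequence from acting on them; the rest of both functions is outside the hunks. The poll loop is also repeated verbatim in both init functions and could be a single helper.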
@@ -0,0 +1,77 @@ +From foo@baz Sun 15 Mar 2020 09:33:48 AM CET +From: Hangbin Liu +Date: Tue, 3 Mar 2020 14:37:36 +0800 +Subject: selftests/net/fib_tests: update addr_metric_test for peer route testing + +From: Hangbin Liu + +[ Upstream commit 0d29169a708bf730ede287248e429d579f432d1d ] + +This patch update {ipv4, ipv6}_addr_metric_test with +1. Set metric of address with peer route and see if the route added +correctly. +2. Modify metric and peer address for peer route and see if the route +changed correctly. + +Signed-off-by: Hangbin Liu +Reviewed-by: David Ahern +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/net/fib_tests.sh | 34 ++++++++++++++++++++++++++++--- + 1 file changed, 31 insertions(+), 3 deletions(-) + +--- a/tools/testing/selftests/net/fib_tests.sh ++++ b/tools/testing/selftests/net/fib_tests.sh +@@ -1041,6 +1041,27 @@ ipv6_addr_metric_test() + fi + log_test $rc 0 "Prefix route with metric on link up" + ++ # verify peer metric added correctly ++ set -e ++ run_cmd "$IP -6 addr flush dev dummy2" ++ run_cmd "$IP -6 addr add dev dummy2 2001:db8:104::1 peer 2001:db8:104::2 metric 260" ++ set +e ++ ++ check_route6 "2001:db8:104::1 dev dummy2 proto kernel metric 260" ++ log_test $? 0 "Set metric with peer route on local side" ++ log_test $? 0 "User specified metric on local address" ++ check_route6 "2001:db8:104::2 dev dummy2 proto kernel metric 260" ++ log_test $? 0 "Set metric with peer route on peer side" ++ ++ set -e ++ run_cmd "$IP -6 addr change dev dummy2 2001:db8:104::1 peer 2001:db8:104::3 metric 261" ++ set +e ++ ++ check_route6 "2001:db8:104::1 dev dummy2 proto kernel metric 261" ++ log_test $? 0 "Modify metric and peer address on local side" ++ check_route6 "2001:db8:104::3 dev dummy2 proto kernel metric 261" ++ log_test $? 
0 "Modify metric and peer address on peer side" ++ + $IP li del dummy1 + $IP li del dummy2 + cleanup +@@ -1457,13 +1478,20 @@ ipv4_addr_metric_test() + + run_cmd "$IP addr flush dev dummy2" + run_cmd "$IP addr add dev dummy2 172.16.104.1/32 peer 172.16.104.2 metric 260" +- run_cmd "$IP addr change dev dummy2 172.16.104.1/32 peer 172.16.104.2 metric 261" + rc=$? + if [ $rc -eq 0 ]; then +- check_route "172.16.104.2 dev dummy2 proto kernel scope link src 172.16.104.1 metric 261" ++ check_route "172.16.104.2 dev dummy2 proto kernel scope link src 172.16.104.1 metric 260" ++ rc=$? ++ fi ++ log_test $rc 0 "Set metric of address with peer route" ++ ++ run_cmd "$IP addr change dev dummy2 172.16.104.1/32 peer 172.16.104.3 metric 261" ++ rc=$? ++ if [ $rc -eq 0 ]; then ++ check_route "172.16.104.3 dev dummy2 proto kernel scope link src 172.16.104.1 metric 261" + rc=$? + fi +- log_test $rc 0 "Modify metric of address with peer route" ++ log_test $rc 0 "Modify metric and peer address for peer route" + + $IP li del dummy1 + $IP li del dummy2 diff --git a/queue-5.4/series b/queue-5.4/series index 211ac97523e..4b3e040780b 100644 --- a/queue-5.4/series +++ b/queue-5.4/series 
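Review bot: In the IPv6 block added to ipv6_addr_metric_test, `log_test $? 0 "User specified metric on local address"` runs directly after another log_test call, so `$?` there is the exit status of log_test itself and not the result of `check_route6`. The line looks like a leftover and should be dropped, or given its own `check_route6` call in front of it. The same block wraps run_cmd in `set -e`/`set +e`, while the IPv4 cases in this patch capture `rc=$?` and pass it to log_test. If run_cmd returns the command's status (its body is not visible here), a failing `ip` call would abort the script under `set -e` instead of recording a failed case, so the `rc=$?` pattern would be the more consistent choice. Both test functions start and end outside the hunks.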
@@ -2,3 +2,55 @@ virtio_balloon-adjust-label-in-virtballoon_probe.patch
 alsa-hda-realtek-more-constifications.patch
 alsa-hda-realtek-add-headset-mic-supported-for-hp-cpc.patch
 alsa-hda-realtek-fixed-one-of-hp-alc671-platform-headset-mic-supported.patch
+cgroup-netclassid-periodically-release-file_lock-on-classid-updating.patch
+gre-fix-uninit-value-in-__iptunnel_pull_header.patch
+inet_diag-return-classid-for-all-socket-types.patch
+ipv6-addrconf-call-ipv6_mc_up-for-non-ethernet-interface.patch
+ipvlan-add-cond_resched_rcu-while-processing-muticast-backlog.patch
+ipvlan-do-not-add-hardware-address-of-master-to-its-unicast-filter-list.patch
+ipvlan-do-not-use-cond_resched_rcu-in-ipvlan_process_multicast.patch
+ipvlan-don-t-deref-eth-hdr-before-checking-it-s-set.patch
+macvlan-add-cond_resched-during-multicast-processing.patch
+net-dsa-fix-phylink_start-phylink_stop-calls.patch
+net-dsa-mv88e6xxx-fix-lockup-on-warm-boot.patch
+net-fec-validate-the-new-settings-in-fec_enet_set_coalesce.patch
+net-hns3-fix-a-not-link-up-issue-when-fibre-port-supports-autoneg.patch
+net-ipv6-use-configured-metric-when-add-peer-route.patch
+netlink-use-netlink-header-as-base-to-calculate-bad-attribute-offset.patch
+net-macsec-update-sci-upon-mac-address-change.patch
+net-nfc-fix-bounds-checking-bugs-on-pipe.patch
+net-packet-tpacket_rcv-do-not-increment-ring-index-on-drop.patch
+net-phy-bcm63xx-fix-oops-due-to-missing-driver-name.patch
+net-stmmac-dwmac1000-disable-acs-if-enhanced-descs-are-not-used.patch
+net-systemport-fix-index-check-to-avoid-an-array-out-of-bounds-access.patch
+r8152-check-disconnect-status-after-long-sleep.patch
+sfc-detach-from-cb_page-in-efx_copy_channel.patch
+slip-make-slhc_compress-more-robust-against-malicious-packets.patch
+taprio-fix-sending-packets-without-dequeueing-them.patch
+bonding-alb-make-sure-arp-header-is-pulled-before-accessing-it.patch
+bnxt_en-reinitialize-irqs-when-mtu-is-modified.patch
+bnxt_en-fix-error-handling-when-flashing-from-file.patch
+cgroup-memcg-net-do-not-associate-sock-with-unrelated-cgroup.patch
+net-memcg-late-association-of-sock-to-memcg.patch
+net-memcg-fix-lockdep-splat-in-inet_csk_accept.patch
+devlink-validate-length-of-param-values.patch
+devlink-validate-length-of-region-addr-len.patch
+fib-add-missing-attribute-validation-for-tun_id.patch
+nl802154-add-missing-attribute-validation.patch
+nl802154-add-missing-attribute-validation-for-dev_type.patch
+can-add-missing-attribute-validation-for-termination.patch
+macsec-add-missing-attribute-validation-for-port.patch
+net-fq-add-missing-attribute-validation-for-orphan-mask.patch
+net-taprio-add-missing-attribute-validation-for-txtime-delay.patch
+team-add-missing-attribute-validation-for-port-ifindex.patch
+team-add-missing-attribute-validation-for-array-index.patch
+tipc-add-missing-attribute-validation-for-mtu-property.patch
+nfc-add-missing-attribute-validation-for-se-api.patch
+nfc-add-missing-attribute-validation-for-deactivate-target.patch
+nfc-add-missing-attribute-validation-for-vendor-subcommand.patch
+net-phy-avoid-clearing-phy-interrupts-twice-in-irq-handler.patch
+net-phy-fix-mdio-bus-pm-phy-resuming.patch
+net-ipv6-need-update-peer-route-when-modify-metric.patch
+net-ipv6-remove-the-old-peer-route-if-change-it-to-a-new-one.patch
+selftests-net-fib_tests-update-addr_metric_test-for-peer-route-testing.patch
+net-dsa-don-t-instantiate-phylink-for-cpu-dsa-ports-unless-needed.patch
diff --git a/queue-5.4/sfc-detach-from-cb_page-in-efx_copy_channel.patch b/queue-5.4/sfc-detach-from-cb_page-in-efx_copy_channel.patch
new file mode 100644
index 00000000000..86ebed27224
--- /dev/null
+++ b/queue-5.4/sfc-detach-from-cb_page-in-efx_copy_channel.patch
@@ -0,0 +1,37 @@
+From foo@baz Sun 15 Mar 2020 09:33:48 AM CET
+From: Edward Cree
+Date: Mon, 9 Mar 2020 18:16:24 +0000
+Subject: sfc: detach from cb_page in efx_copy_channel()
+
+From: Edward Cree
+
+[ Upstream commit 4b1bd9db078f7d5332c8601a2f5bd43cf0458fd4 ]
+
+It's a resource, not a parameter, so we can't copy it into the new
+ channel's TX queues, otherwise aliasing will lead to resource-
+ management bugs if the channel is subsequently torn down without
+ being initialised.
+
+Before the Fixes:-tagged commit there was a similar bug with
+ tsoh_page, but I'm not sure it's worth doing another fix for such
+ old kernels.
+
+Fixes: e9117e5099ea ("sfc: Firmware-Assisted TSO version 2")
+Suggested-by: Derek Shute
+Signed-off-by: Edward Cree
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/sfc/efx.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/ethernet/sfc/efx.c
++++ b/drivers/net/ethernet/sfc/efx.c
+@@ -519,6 +519,7 @@ efx_copy_channel(const struct efx_channe
+ if (tx_queue->channel)
+ tx_queue->channel = channel;
+ tx_queue->buffer = NULL;
++ tx_queue->cb_page = NULL;
+ memset(&tx_queue->txd, 0, sizeof(tx_queue->txd));
+ }
+
diff --git a/queue-5.4/slip-make-slhc_compress-more-robust-against-malicious-packets.patch b/queue-5.4/slip-make-slhc_compress-more-robust-against-malicious-packets.patch
new file mode 100644
index 00000000000..cb950afdda2
--- /dev/null
+++ b/queue-5.4/slip-make-slhc_compress-more-robust-against-malicious-packets.patch
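Review bot: The added `tx_queue->cb_page = NULL;` in efx_copy_channel() carries no comment explaining why a field is cleared right after the channel was copied, so the reason lives only in the commit message. A short comment above the reset lines would keep the rule visible when the next resource pointer is added to the TX queue, for example `/* buffer and cb_page are owned resources, not settings: the copy must not alias them */`. The message also mentions a similar tsoh_page aliasing problem in kernels older than the Fixes: commit, so a tree that predates it would need its own check. The function begins and ends outside the hunk.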
@@ -0,0 +1,119 @@ +From foo@baz Sun 15 Mar 2020 09:33:48 AM CET +From: Eric Dumazet +Date: Wed, 4 Mar 2020 15:51:43 -0800 +Subject: slip: make slhc_compress() more robust against malicious packets + +From: Eric Dumazet + +[ Upstream commit 110a40dfb708fe940a3f3704d470e431c368d256 ] + +Before accessing various fields in IPV4 network header +and TCP header, make sure the packet : + +- Has IP version 4 (ip->version == 4) +- Has not a silly network length (ip->ihl >= 5) +- Is big enough to hold network and transport headers +- Has not a silly TCP header size (th->doff >= sizeof(struct tcphdr) / 4) + +syzbot reported : + +BUG: KMSAN: uninit-value in slhc_compress+0x5b9/0x2e60 drivers/net/slip/slhc.c:270 +CPU: 0 PID: 11728 Comm: syz-executor231 Not tainted 5.6.0-rc2-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0x1c9/0x220 lib/dump_stack.c:118 + kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:118 + __msan_warning+0x58/0xa0 mm/kmsan/kmsan_instr.c:215 + slhc_compress+0x5b9/0x2e60 drivers/net/slip/slhc.c:270 + ppp_send_frame drivers/net/ppp/ppp_generic.c:1637 [inline] + __ppp_xmit_process+0x1902/0x2970 drivers/net/ppp/ppp_generic.c:1495 + ppp_xmit_process+0x147/0x2f0 drivers/net/ppp/ppp_generic.c:1516 + ppp_write+0x6bb/0x790 drivers/net/ppp/ppp_generic.c:512 + do_loop_readv_writev fs/read_write.c:717 [inline] + do_iter_write+0x812/0xdc0 fs/read_write.c:1000 + compat_writev+0x2df/0x5a0 fs/read_write.c:1351 + do_compat_pwritev64 fs/read_write.c:1400 [inline] + __do_compat_sys_pwritev fs/read_write.c:1420 [inline] + __se_compat_sys_pwritev fs/read_write.c:1414 [inline] + __ia32_compat_sys_pwritev+0x349/0x3f0 fs/read_write.c:1414 + do_syscall_32_irqs_on arch/x86/entry/common.c:339 [inline] + do_fast_syscall_32+0x3c7/0x6e0 arch/x86/entry/common.c:410 + entry_SYSENTER_compat+0x68/0x77 arch/x86/entry/entry_64_compat.S:139 +RIP: 0023:0xf7f7cd99 +Code: 90 
e8 0b 00 00 00 f3 90 0f ae e8 eb f9 8d 74 26 00 89 3c 24 c3 90 90 90 90 90 90 90 90 90 90 90 90 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90 +RSP: 002b:00000000ffdb84ac EFLAGS: 00000217 ORIG_RAX: 000000000000014e +RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00000000200001c0 +RDX: 0000000000000001 RSI: 0000000000000000 RDI: 0000000000000003 +RBP: 0000000040047459 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 +R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 + +Uninit was created at: + kmsan_save_stack_with_flags mm/kmsan/kmsan.c:144 [inline] + kmsan_internal_poison_shadow+0x66/0xd0 mm/kmsan/kmsan.c:127 + kmsan_slab_alloc+0x8a/0xe0 mm/kmsan/kmsan_hooks.c:82 + slab_alloc_node mm/slub.c:2793 [inline] + __kmalloc_node_track_caller+0xb40/0x1200 mm/slub.c:4401 + __kmalloc_reserve net/core/skbuff.c:142 [inline] + __alloc_skb+0x2fd/0xac0 net/core/skbuff.c:210 + alloc_skb include/linux/skbuff.h:1051 [inline] + ppp_write+0x115/0x790 drivers/net/ppp/ppp_generic.c:500 + do_loop_readv_writev fs/read_write.c:717 [inline] + do_iter_write+0x812/0xdc0 fs/read_write.c:1000 + compat_writev+0x2df/0x5a0 fs/read_write.c:1351 + do_compat_pwritev64 fs/read_write.c:1400 [inline] + __do_compat_sys_pwritev fs/read_write.c:1420 [inline] + __se_compat_sys_pwritev fs/read_write.c:1414 [inline] + __ia32_compat_sys_pwritev+0x349/0x3f0 fs/read_write.c:1414 + do_syscall_32_irqs_on arch/x86/entry/common.c:339 [inline] + do_fast_syscall_32+0x3c7/0x6e0 arch/x86/entry/common.c:410 + entry_SYSENTER_compat+0x68/0x77 arch/x86/entry/entry_64_compat.S:139 + +Fixes: b5451d783ade ("slip: Move the SLIP drivers") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/slip/slhc.c | 14 ++++++++++---- + 1 file changed, 10 insertions(+), 4 deletions(-) + +--- a/drivers/net/slip/slhc.c ++++ b/drivers/net/slip/slhc.c +@@ -232,7 +232,7 @@ slhc_compress(struct slcompress *comp, u + struct cstate *cs = lcs->next; + unsigned long deltaS, deltaA; + short changes = 0; +- int hlen; ++ int nlen, hlen; + unsigned char new_seq[16]; + unsigned char *cp = new_seq; + struct iphdr *ip; +@@ -248,6 +248,8 @@ slhc_compress(struct slcompress *comp, u + return isize; + + ip = (struct iphdr *) icp; ++ if (ip->version != 4 || ip->ihl < 5) ++ return isize; + + /* Bail if this packet isn't TCP, or is an IP fragment */ + if (ip->protocol != IPPROTO_TCP || (ntohs(ip->frag_off) & 0x3fff)) { +@@ -258,10 +260,14 @@ slhc_compress(struct slcompress *comp, u + comp->sls_o_tcp++; + return isize; + } +- /* Extract TCP header */ ++ nlen = ip->ihl * 4; ++ if (isize < nlen + sizeof(*th)) ++ return isize; + +- th = (struct tcphdr *)(((unsigned char *)ip) + ip->ihl*4); +- hlen = ip->ihl*4 + th->doff*4; ++ th = (struct tcphdr *)(icp + nlen); ++ if (th->doff < sizeof(struct tcphdr) / 4) ++ return isize; ++ hlen = nlen + th->doff * 4; + + /* Bail if the TCP packet isn't `compressible' (i.e., ACK isn't set or + * some other control bit is set). Also uncompressible if diff --git a/queue-5.4/taprio-fix-sending-packets-without-dequeueing-them.patch b/queue-5.4/taprio-fix-sending-packets-without-dequeueing-them.patch new file mode 100644 index 00000000000..34f63f740af --- /dev/null +++ b/queue-5.4/taprio-fix-sending-packets-without-dequeueing-them.patch 
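Review bot: The new length check in slhc_compress() compares isize with `nlen + sizeof(*th)` only, so a packet whose `th->doff` is larger than 5 is accepted even when its TCP options run past the end of the buffer. `hlen` is computed on the following line but is never compared with isize inside the hunk. If later code in the function reads the options or uses hlen as a copy length (not visible here), that is still a read beyond the packet, so add `if (isize < hlen) return isize;` right after `hlen = nlen + th->doff * 4;`. The comparison also mixes the signed isize with a size_t sum, which is safe only while the guard above the hunk keeps isize non-negative. The function body starts and ends outside the hunks.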
@@ -0,0 +1,185 @@ +From foo@baz Sun 15 Mar 2020 09:33:48 AM CET +From: Vinicius Costa Gomes +Date: Mon, 9 Mar 2020 10:39:53 -0700 +Subject: taprio: Fix sending packets without dequeueing them + +From: Vinicius Costa Gomes + +[ Upstream commit b09fe70ef520e011ba4a64f4b93f948a8f14717b ] + +There was a bug that was causing packets to be sent to the driver +without first calling dequeue() on the "child" qdisc. And the KASAN +report below shows that sending a packet without calling dequeue() +leads to bad results. + +The problem is that when checking the last qdisc "child" we do not set +the returned skb to NULL, which can cause it to be sent to the driver, +and so after the skb is sent, it may be freed, and in some situations a +reference to it may still be in the child qdisc, because it was never +dequeued. + +The crash log looks like this: + +[ 19.937538] ================================================================== +[ 19.938300] BUG: KASAN: use-after-free in taprio_dequeue_soft+0x620/0x780 +[ 19.938968] Read of size 4 at addr ffff8881128628cc by task swapper/1/0 +[ 19.939612] +[ 19.939772] CPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.6.0-rc3+ #97 +[ 19.940397] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qe4 +[ 19.941523] Call Trace: +[ 19.941774] +[ 19.941985] dump_stack+0x97/0xe0 +[ 19.942323] print_address_description.constprop.0+0x3b/0x60 +[ 19.942884] ? taprio_dequeue_soft+0x620/0x780 +[ 19.943325] ? taprio_dequeue_soft+0x620/0x780 +[ 19.943767] __kasan_report.cold+0x1a/0x32 +[ 19.944173] ? 
taprio_dequeue_soft+0x620/0x780 +[ 19.944612] kasan_report+0xe/0x20 +[ 19.944954] taprio_dequeue_soft+0x620/0x780 +[ 19.945380] __qdisc_run+0x164/0x18d0 +[ 19.945749] net_tx_action+0x2c4/0x730 +[ 19.946124] __do_softirq+0x268/0x7bc +[ 19.946491] irq_exit+0x17d/0x1b0 +[ 19.946824] smp_apic_timer_interrupt+0xeb/0x380 +[ 19.947280] apic_timer_interrupt+0xf/0x20 +[ 19.947687] +[ 19.947912] RIP: 0010:default_idle+0x2d/0x2d0 +[ 19.948345] Code: 00 00 41 56 41 55 65 44 8b 2d 3f 8d 7c 7c 41 54 55 53 0f 1f 44 00 00 e8 b1 b2 c5 fd e9 07 00 3 +[ 19.950166] RSP: 0018:ffff88811a3efda0 EFLAGS: 00000282 ORIG_RAX: ffffffffffffff13 +[ 19.950909] RAX: 0000000080000000 RBX: ffff88811a3a9600 RCX: ffffffff8385327e +[ 19.951608] RDX: 1ffff110234752c0 RSI: 0000000000000000 RDI: ffffffff8385262f +[ 19.952309] RBP: ffffed10234752c0 R08: 0000000000000001 R09: ffffed10234752c1 +[ 19.953009] R10: ffffed10234752c0 R11: ffff88811a3a9607 R12: 0000000000000001 +[ 19.953709] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000000 +[ 19.954408] ? default_idle_call+0x2e/0x70 +[ 19.954816] ? default_idle+0x1f/0x2d0 +[ 19.955192] default_idle_call+0x5e/0x70 +[ 19.955584] do_idle+0x3d4/0x500 +[ 19.955909] ? arch_cpu_idle_exit+0x40/0x40 +[ 19.956325] ? _raw_spin_unlock_irqrestore+0x23/0x30 +[ 19.956829] ? trace_hardirqs_on+0x30/0x160 +[ 19.957242] cpu_startup_entry+0x19/0x20 +[ 19.957633] start_secondary+0x2a6/0x380 +[ 19.958026] ? 
set_cpu_sibling_map+0x18b0/0x18b0 +[ 19.958486] secondary_startup_64+0xa4/0xb0 +[ 19.958921] +[ 19.959078] Allocated by task 33: +[ 19.959412] save_stack+0x1b/0x80 +[ 19.959747] __kasan_kmalloc.constprop.0+0xc2/0xd0 +[ 19.960222] kmem_cache_alloc+0xe4/0x230 +[ 19.960617] __alloc_skb+0x91/0x510 +[ 19.960967] ndisc_alloc_skb+0x133/0x330 +[ 19.961358] ndisc_send_ns+0x134/0x810 +[ 19.961735] addrconf_dad_work+0xad5/0xf80 +[ 19.962144] process_one_work+0x78e/0x13a0 +[ 19.962551] worker_thread+0x8f/0xfa0 +[ 19.962919] kthread+0x2ba/0x3b0 +[ 19.963242] ret_from_fork+0x3a/0x50 +[ 19.963596] +[ 19.963753] Freed by task 33: +[ 19.964055] save_stack+0x1b/0x80 +[ 19.964386] __kasan_slab_free+0x12f/0x180 +[ 19.964830] kmem_cache_free+0x80/0x290 +[ 19.965231] ip6_mc_input+0x38a/0x4d0 +[ 19.965617] ipv6_rcv+0x1a4/0x1d0 +[ 19.965948] __netif_receive_skb_one_core+0xf2/0x180 +[ 19.966437] netif_receive_skb+0x8c/0x3c0 +[ 19.966846] br_handle_frame_finish+0x779/0x1310 +[ 19.967302] br_handle_frame+0x42a/0x830 +[ 19.967694] __netif_receive_skb_core+0xf0e/0x2a90 +[ 19.968167] __netif_receive_skb_one_core+0x96/0x180 +[ 19.968658] process_backlog+0x198/0x650 +[ 19.969047] net_rx_action+0x2fa/0xaa0 +[ 19.969420] __do_softirq+0x268/0x7bc +[ 19.969785] +[ 19.969940] The buggy address belongs to the object at ffff888112862840 +[ 19.969940] which belongs to the cache skbuff_head_cache of size 224 +[ 19.971202] The buggy address is located 140 bytes inside of +[ 19.971202] 224-byte region [ffff888112862840, ffff888112862920) +[ 19.972344] The buggy address belongs to the page: +[ 19.972820] page:ffffea00044a1800 refcount:1 mapcount:0 mapping:ffff88811a2bd1c0 index:0xffff8881128625c0 compo0 +[ 19.973930] flags: 0x8000000000010200(slab|head) +[ 19.974388] raw: 8000000000010200 ffff88811a2ed650 ffff88811a2ed650 ffff88811a2bd1c0 +[ 19.975151] raw: ffff8881128625c0 0000000000190013 00000001ffffffff 0000000000000000 +[ 19.975915] page dumped because: kasan: bad access detected +[ 19.976461] 
page_owner tracks the page as allocated +[ 19.976946] page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NO) +[ 19.978332] prep_new_page+0x24b/0x330 +[ 19.978707] get_page_from_freelist+0x2057/0x2c90 +[ 19.979170] __alloc_pages_nodemask+0x218/0x590 +[ 19.979619] new_slab+0x9d/0x300 +[ 19.979948] ___slab_alloc.constprop.0+0x2f9/0x6f0 +[ 19.980421] __slab_alloc.constprop.0+0x30/0x60 +[ 19.980870] kmem_cache_alloc+0x201/0x230 +[ 19.981269] __alloc_skb+0x91/0x510 +[ 19.981620] alloc_skb_with_frags+0x78/0x4a0 +[ 19.982043] sock_alloc_send_pskb+0x5eb/0x750 +[ 19.982476] unix_stream_sendmsg+0x399/0x7f0 +[ 19.982904] sock_sendmsg+0xe2/0x110 +[ 19.983262] ____sys_sendmsg+0x4de/0x6d0 +[ 19.983660] ___sys_sendmsg+0xe4/0x160 +[ 19.984032] __sys_sendmsg+0xab/0x130 +[ 19.984396] do_syscall_64+0xe7/0xae0 +[ 19.984761] page last free stack trace: +[ 19.985142] __free_pages_ok+0x432/0xbc0 +[ 19.985533] qlist_free_all+0x56/0xc0 +[ 19.985907] quarantine_reduce+0x149/0x170 +[ 19.986315] __kasan_kmalloc.constprop.0+0x9e/0xd0 +[ 19.986791] kmem_cache_alloc+0xe4/0x230 +[ 19.987182] prepare_creds+0x24/0x440 +[ 19.987548] do_faccessat+0x80/0x590 +[ 19.987906] do_syscall_64+0xe7/0xae0 +[ 19.988276] entry_SYSCALL_64_after_hwframe+0x49/0xbe +[ 19.988775] +[ 19.988930] Memory state around the buggy address: +[ 19.989402] ffff888112862780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[ 19.990111] ffff888112862800: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb +[ 19.990822] >ffff888112862880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[ 19.991529] ^ +[ 19.992081] ffff888112862900: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc +[ 19.992796] ffff888112862980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + +Fixes: 5a781ccbd19e ("tc: Add support for configuring the taprio scheduler") +Reported-by: Michael Schmidt +Signed-off-by: Vinicius Costa Gomes +Acked-by: Andre Guedes +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/sched/sch_taprio.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +--- a/net/sched/sch_taprio.c ++++ b/net/sched/sch_taprio.c +@@ -564,8 +564,10 @@ static struct sk_buff *taprio_dequeue_so + prio = skb->priority; + tc = netdev_get_prio_tc_map(dev, prio); + +- if (!(gate_mask & BIT(tc))) ++ if (!(gate_mask & BIT(tc))) { ++ skb = NULL; + continue; ++ } + + len = qdisc_pkt_len(skb); + guard = ktime_add_ns(taprio_get_time(q), +@@ -575,13 +577,17 @@ static struct sk_buff *taprio_dequeue_so + * guard band ... + */ + if (gate_mask != TAPRIO_ALL_GATES_OPEN && +- ktime_after(guard, entry->close_time)) ++ ktime_after(guard, entry->close_time)) { ++ skb = NULL; + continue; ++ } + + /* ... and no budget. */ + if (gate_mask != TAPRIO_ALL_GATES_OPEN && +- atomic_sub_return(len, &entry->budget) < 0) ++ atomic_sub_return(len, &entry->budget) < 0) { ++ skb = NULL; + continue; ++ } + + skb = child->ops->dequeue(child); + if (unlikely(!skb)) diff --git a/queue-5.4/team-add-missing-attribute-validation-for-array-index.patch b/queue-5.4/team-add-missing-attribute-validation-for-array-index.patch new file mode 100644 index 00000000000..cc7b965b452 --- /dev/null +++ b/queue-5.4/team-add-missing-attribute-validation-for-array-index.patch 
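Review bot: Each early `continue` in taprio_dequeue_soft() now needs its own `skb = NULL;`, and nothing in the code says why, so a further skip path added later without the reset would bring back the use-after-free shown in the KASAN report. A comment at the first reset would record the ownership rule, for example `/* skb has not been dequeued and still belongs to the child qdisc; never return it */`. A sturdier shape would keep the not-yet-dequeued packet in a separate local and assign the returned variable only from `child->ops->dequeue(child)`. That suggestion is hedged because the loop head and the function's return are outside the hunks.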
@@ -0,0 +1,31 @@
+From foo@baz Sun 15 Mar 2020 09:33:48 AM CET
+From: Jakub Kicinski
+Date: Mon, 2 Mar 2020 21:05:22 -0800
+Subject: team: add missing attribute validation for array index
+
+From: Jakub Kicinski
+
+[ Upstream commit 669fcd7795900cd1880237cbbb57a7db66cb9ac8 ]
+
+Add missing attribute validation for TEAM_ATTR_OPTION_ARRAY_INDEX
+to the netlink policy.
+
+Fixes: b13033262d24 ("team: introduce array options")
+Signed-off-by: Jakub Kicinski
+Reviewed-by: Jiri Pirko
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/team/team.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/team/team.c
++++ b/drivers/net/team/team.c
+@@ -2241,6 +2241,7 @@ team_nl_option_policy[TEAM_ATTR_OPTION_M
+ [TEAM_ATTR_OPTION_TYPE] = { .type = NLA_U8 },
+ [TEAM_ATTR_OPTION_DATA] = { .type = NLA_BINARY },
+ [TEAM_ATTR_OPTION_PORT_IFINDEX] = { .type = NLA_U32 },
++ [TEAM_ATTR_OPTION_ARRAY_INDEX] = { .type = NLA_U32 },
+ };
+
+ static int team_nl_cmd_noop(struct sk_buff *skb, struct genl_info *info)
diff --git a/queue-5.4/team-add-missing-attribute-validation-for-port-ifindex.patch b/queue-5.4/team-add-missing-attribute-validation-for-port-ifindex.patch
new file mode 100644
index 00000000000..b18015ce317
--- /dev/null
+++ b/queue-5.4/team-add-missing-attribute-validation-for-port-ifindex.patch
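Review bot: The new `[TEAM_ATTR_OPTION_ARRAY_INDEX] = { .type = NLA_U32 }` entry makes netlink check the attribute's payload size but puts no limit on the value, so the index still has to be compared with the option's array size where it is consumed, and that code is not in the hunk. The same holds for `TEAM_ATTR_OPTION_PORT_IFINDEX` in the port-ifindex patch and for `TIPC_NLA_PROP_MTU` in the tipc patch further down, where the policy entry does not by itself guarantee a usable ifindex or MTU. It is worth confirming that each consumer validates the range before use. This patch's context already contains the PORT_IFINDEX line, so it applies only after the port-ifindex patch, which matches the order in the series file.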
@@ -0,0 +1,31 @@
+From foo@baz Sun 15 Mar 2020 09:33:48 AM CET
+From: Jakub Kicinski
+Date: Mon, 2 Mar 2020 21:05:21 -0800
+Subject: team: add missing attribute validation for port ifindex
+
+From: Jakub Kicinski
+
+[ Upstream commit dd25cb272ccce4db67dc8509278229099e4f5e99 ]
+
+Add missing attribute validation for TEAM_ATTR_OPTION_PORT_IFINDEX
+to the netlink policy.
+
+Fixes: 80f7c6683fe0 ("team: add support for per-port options")
+Signed-off-by: Jakub Kicinski
+Reviewed-by: Jiri Pirko
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/team/team.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/team/team.c
++++ b/drivers/net/team/team.c
+@@ -2240,6 +2240,7 @@ team_nl_option_policy[TEAM_ATTR_OPTION_M
+ [TEAM_ATTR_OPTION_CHANGED] = { .type = NLA_FLAG },
+ [TEAM_ATTR_OPTION_TYPE] = { .type = NLA_U8 },
+ [TEAM_ATTR_OPTION_DATA] = { .type = NLA_BINARY },
++ [TEAM_ATTR_OPTION_PORT_IFINDEX] = { .type = NLA_U32 },
+ };
+
+ static int team_nl_cmd_noop(struct sk_buff *skb, struct genl_info *info)
diff --git a/queue-5.4/tipc-add-missing-attribute-validation-for-mtu-property.patch b/queue-5.4/tipc-add-missing-attribute-validation-for-mtu-property.patch
new file mode 100644
index 00000000000..75586b937db
--- /dev/null
+++ b/queue-5.4/tipc-add-missing-attribute-validation-for-mtu-property.patch
@@ -0,0 +1,31 @@
+From foo@baz Sun 15 Mar 2020 09:33:48 AM CET
+From: Jakub Kicinski
+Date: Mon, 2 Mar 2020 21:05:23 -0800
+Subject: tipc: add missing attribute validation for MTU property
+
+From: Jakub Kicinski
+
+[ Upstream commit 213320a67962ff6e7b83b704d55cbebc341426db ]
+
+Add missing attribute validation for TIPC_NLA_PROP_MTU
+to the netlink policy.
+
+Fixes: 901271e0403a ("tipc: implement configuration of UDP media MTU")
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Jakub Kicinski
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/tipc/netlink.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/tipc/netlink.c
++++ b/net/tipc/netlink.c
+@@ -111,6 +111,7 @@ const struct nla_policy tipc_nl_prop_pol
+ [TIPC_NLA_PROP_PRIO] = { .type = NLA_U32 },
+ [TIPC_NLA_PROP_TOL] = { .type = NLA_U32 },
+ [TIPC_NLA_PROP_WIN] = { .type = NLA_U32 },
++ [TIPC_NLA_PROP_MTU] = { .type = NLA_U32 },
+ [TIPC_NLA_PROP_BROADCAST] = { .type = NLA_U32 },
+ [TIPC_NLA_PROP_BROADCAST_RATIO] = { .type = NLA_U32 }
+ };