From: Greg Kroah-Hartman Date: Wed, 22 May 2019 06:38:34 +0000 (+0200) Subject: 4.19-stable patches X-Git-Tag: v5.1.5~47 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=91562c7b425f0a59fbbf11dc418e64036818b043;p=thirdparty%2Fkernel%2Fstable-queue.git 4.19-stable patches added patches: ipv6-fix-src-addr-routing-with-the-exception-table.patch ipv6-prevent-possible-fib6-leaks.patch net-always-descend-into-dsa.patch net-avoid-weird-emergency-message.patch net-mlx4_core-change-the-error-print-to-info-print.patch net-mlx5-imply-mlxfw-in-mlx5_core.patch net-mlx5e-fix-ethtool-rxfh-commands-when-config_mlx5_en_rxnfc-is-disabled.patch net-test-nouarg-before-dereferencing-zerocopy-pointers.patch net-usb-qmi_wwan-add-telit-0x1260-and-0x1261-compositions.patch nfp-flower-add-rcu-locks-when-accessing-netdev-for-tunnels.patch ppp-deflate-fix-possible-crash-in-deflate_init.patch rtnetlink-always-put-ifla_link-for-links-with-a-link-netnsid.patch tipc-fix-modprobe-tipc-failed-after-switch-order-of-device-registration.patch tipc-switch-order-of-device-registration-to-fix-a-crash.patch vsock-virtio-free-packets-during-the-socket-release.patch vsock-virtio-initialize-core-virtio-vsock-before-registering-the-driver.patch
---
diff --git a/queue-4.19/ipv6-fix-src-addr-routing-with-the-exception-table.patch b/queue-4.19/ipv6-fix-src-addr-routing-with-the-exception-table.patch
new file mode 100644
index 00000000000..f5e21f910ba
--- /dev/null
+++ b/queue-4.19/ipv6-fix-src-addr-routing-with-the-exception-table.patch
@@ -0,0 +1,137 @@
+From foo@baz Wed 22 May 2019 08:37:51 AM CEST
+From: Wei Wang
+Date: Thu, 16 May 2019 13:30:54 -0700
+Subject: ipv6: fix src addr routing with the exception table
+
+From: Wei Wang
+
+[ Upstream commit 510e2ceda031eed97a7a0f9aad65d271a58b460d ]
+
+When inserting route cache into the exception table, the key is
+generated with both src_addr and dest_addr with src addr routing.
+However, current logic always assumes the src_addr used to generate the
+key is a /128 host address. This is not true in the following scenarios:
+1. When the route is a gateway route or does not have next hop.
+ (rt6_is_gw_or_nonexthop() == false)
+2. When calling ip6_rt_cache_alloc(), saddr is passed in as NULL.
+This means, when looking for a route cache in the exception table, we
+have to do the lookup twice: first time with the passed in /128 host
+address, second time with the src_addr stored in fib6_info.
+
+This solves the pmtu discovery issue reported by Mikael Magnusson where
+a route cache with a lower mtu info is created for a gateway route with
+src addr. However, the lookup code is not able to find this route cache.
+
+Fixes: 2b760fcf5cfb ("ipv6: hook up exception table to store dst cache")
+Reported-by: Mikael Magnusson
+Bisected-by: David Ahern
+Signed-off-by: Wei Wang
+Cc: Martin Lau
+Cc: Eric Dumazet
+Acked-by: Martin KaFai Lau
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv6/route.c | 51 +++++++++++++++++++++++++++------------------------
+ 1 file changed, 27 insertions(+), 24 deletions(-)
+
+--- a/net/ipv6/route.c
++++ b/net/ipv6/route.c
+@@ -110,8 +110,8 @@ static int rt6_fill_node(struct net *net
+ int iif, int type, u32 portid, u32 seq,
+ unsigned int flags);
+ static struct rt6_info *rt6_find_cached_rt(struct fib6_info *rt,
+- struct in6_addr *daddr,
+- struct in6_addr *saddr);
++ const struct in6_addr *daddr,
++ const struct in6_addr *saddr);
+
+ #ifdef CONFIG_IPV6_ROUTE_INFO
+ static struct fib6_info *rt6_add_route_info(struct net *net,
+@@ -1542,31 +1542,44 @@ out:
+ * Caller has to hold rcu_read_lock()
+ */
+ static struct rt6_info *rt6_find_cached_rt(struct fib6_info *rt,
+- struct in6_addr *daddr,
+- struct in6_addr *saddr)
++ const struct in6_addr *daddr,
++ const struct in6_addr *saddr)
+ {
++ const struct in6_addr *src_key = NULL;
+ struct rt6_exception_bucket *bucket;
+- struct in6_addr *src_key = NULL;
+ struct rt6_exception *rt6_ex;
+ struct rt6_info *res = NULL;
+
+- bucket = rcu_dereference(rt->rt6i_exception_bucket);
+-
+ #ifdef CONFIG_IPV6_SUBTREES
+ /* rt6i_src.plen != 0 indicates rt is in subtree
+ * and exception table is indexed by a hash of
+ * both rt6i_dst and rt6i_src.
+- * Otherwise, the exception table is indexed by
+- * a hash of only rt6i_dst.
++ * However, the src addr used to create the hash
++ * might not be exactly the passed in saddr which
++ * is a /128 addr from the flow.
++ * So we need to use f6i->fib6_src to redo lookup
++ * if the passed in saddr does not find anything.
++ * (See the logic in ip6_rt_cache_alloc() on how
++ * rt->rt6i_src is updated.)
+ */
+ if (rt->fib6_src.plen)
+ src_key = saddr;
++find_ex:
+ #endif
++ bucket = rcu_dereference(rt->rt6i_exception_bucket);
+ rt6_ex = __rt6_find_exception_rcu(&bucket, daddr, src_key);
+
+ if (rt6_ex && !rt6_check_expired(rt6_ex->rt6i))
+ res = rt6_ex->rt6i;
+
++#ifdef CONFIG_IPV6_SUBTREES
++ /* Use fib6_src as src_key and redo lookup */
++ if (!res && src_key && src_key != &rt->fib6_src.addr) {
++ src_key = &rt->fib6_src.addr;
++ goto find_ex;
++ }
++#endif
++
+ return res;
+ }
+
+@@ -2650,10 +2663,8 @@ out:
+ u32 ip6_mtu_from_fib6(struct fib6_info *f6i, struct in6_addr *daddr,
+ struct in6_addr *saddr)
+ {
+- struct rt6_exception_bucket *bucket;
+- struct rt6_exception *rt6_ex;
+- struct in6_addr *src_key;
+ struct inet6_dev *idev;
++ struct rt6_info *rt;
+ u32 mtu = 0;
+
+ if (unlikely(fib6_metric_locked(f6i, RTAX_MTU))) {
+@@ -2662,18 +2673,10 @@ u32 ip6_mtu_from_fib6(struct fib6_info *
+ goto out;
+ }
+
+- src_key = NULL;
+-#ifdef CONFIG_IPV6_SUBTREES
+- if (f6i->fib6_src.plen)
+- src_key = saddr;
+-#endif
+-
+- bucket = rcu_dereference(f6i->rt6i_exception_bucket);
+- rt6_ex = __rt6_find_exception_rcu(&bucket, daddr, src_key);
+- if (rt6_ex && !rt6_check_expired(rt6_ex->rt6i))
+- mtu = dst_metric_raw(&rt6_ex->rt6i->dst, RTAX_MTU);
+-
+- if (likely(!mtu)) {
++ rt = rt6_find_cached_rt(f6i, daddr, saddr);
++ if (unlikely(rt)) {
++ mtu = dst_metric_raw(&rt->dst, RTAX_MTU);
++ } else {
+ struct net_device *dev = fib6_info_nh_dev(f6i);
+
+ mtu = IPV6_MIN_MTU;
diff --git a/queue-4.19/ipv6-prevent-possible-fib6-leaks.patch b/queue-4.19/ipv6-prevent-possible-fib6-leaks.patch
new file mode 100644
index 00000000000..da1faf6e881
--- /dev/null
+++ b/queue-4.19/ipv6-prevent-possible-fib6-leaks.patch
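Review bot: In the last inner hunk of the ipv6 src-addr patch, `ip6_mtu_from_fib6()` now returns whatever `dst_metric_raw(&rt->dst, RTAX_MTU)` gives once a cached route is found, so a cached entry whose raw MTU metric is 0 leaves `mtu` at 0; the removed code fell through to the device-MTU fallback in that case via `if (likely(!mtu))`. Whether an exception entry can exist without an MTU metric is not visible here, and the function continues outside the hunk, so this needs confirming against the rest of route.c. If it can, keep the fallback reachable, e.g. `if (rt) mtu = dst_metric_raw(&rt->dst, RTAX_MTU);` followed by the original `if (likely(!mtu)) {`.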
@@ -0,0 +1,106 @@
+From foo@baz Wed 22 May 2019 08:37:51 AM CEST
+From: Eric Dumazet
+Date: Wed, 15 May 2019 19:39:52 -0700
+Subject: ipv6: prevent possible fib6 leaks
+
+From: Eric Dumazet
+
+[ Upstream commit 61fb0d01680771f72cc9d39783fb2c122aaad51e ]
+
+At ipv6 route dismantle, fib6_drop_pcpu_from() is responsible
+for finding all percpu routes and set their ->from pointer
+to NULL, so that fib6_ref can reach its expected value (1).
+
+The problem right now is that other cpus can still catch the
+route being deleted, since there is no rcu grace period
+between the route deletion and call to fib6_drop_pcpu_from()
+
+This can leak the fib6 and associated resources, since no
+notifier will take care of removing the last reference(s).
+
+I decided to add another boolean (fib6_destroying) instead
+of reusing/renaming exception_bucket_flushed to ease stable backports,
+and properly document the memory barriers used to implement this fix.
+
+This patch has been co-developped with Wei Wang.
+
+Fixes: 93531c674315 ("net/ipv6: separate handling of FIB entries from dst based routes")
+Signed-off-by: Eric Dumazet
+Reported-by: syzbot
+Cc: Wei Wang
+Cc: David Ahern
+Cc: Martin Lau
+Acked-by: Wei Wang
+Acked-by: Martin KaFai Lau
+Reviewed-by: David Ahern
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ include/net/ip6_fib.h | 3 ++-
+ net/ipv6/ip6_fib.c | 12 +++++++++---
+ net/ipv6/route.c | 7 +++++++
+ 3 files changed, 18 insertions(+), 4 deletions(-)
+
+--- a/include/net/ip6_fib.h
++++ b/include/net/ip6_fib.h
+@@ -171,7 +171,8 @@ struct fib6_info {
+ dst_nocount:1,
+ dst_nopolicy:1,
+ dst_host:1,
+- unused:3;
++ fib6_destroying:1,
++ unused:2;
+
+ struct fib6_nh fib6_nh;
+ struct rcu_head rcu;
+--- a/net/ipv6/ip6_fib.c
++++ b/net/ipv6/ip6_fib.c
+@@ -877,6 +877,12 @@ static void fib6_drop_pcpu_from(struct f
+ {
+ int cpu;
+
++ /* Make sure rt6_make_pcpu_route() wont add other percpu routes
++ * while we are cleaning them here.
++ */
++ f6i->fib6_destroying = 1;
++ mb(); /* paired with the cmpxchg() in rt6_make_pcpu_route() */
++
+ /* release the reference to this fib entry from
+ * all of its cached pcpu routes
+ */
+@@ -900,6 +906,9 @@ static void fib6_purge_rt(struct fib6_in
+ {
+ struct fib6_table *table = rt->fib6_table;
+
++ if (rt->rt6i_pcpu)
++ fib6_drop_pcpu_from(rt, table);
++
+ if (atomic_read(&rt->fib6_ref) != 1) {
+ /* This route is used as dummy address holder in some split
+ * nodes. It is not leaked, but it still holds other resources,
+@@ -921,9 +930,6 @@ static void fib6_purge_rt(struct fib6_in
+ fn = rcu_dereference_protected(fn->parent,
+ lockdep_is_held(&table->tb6_lock));
+ }
+-
+- if (rt->rt6i_pcpu)
+- fib6_drop_pcpu_from(rt, table);
+ }
+ }
+
+--- a/net/ipv6/route.c
++++ b/net/ipv6/route.c
+@@ -1268,6 +1268,13 @@ static struct rt6_info *rt6_make_pcpu_ro
+ prev = cmpxchg(p, NULL, pcpu_rt);
+ BUG_ON(prev);
+
++ if (rt->fib6_destroying) {
++ struct fib6_info *from;
++
++ from = xchg((__force struct fib6_info **)&pcpu_rt->from, NULL);
++ fib6_info_release(from);
++ }
++
+ return pcpu_rt;
+ }
+
diff --git a/queue-4.19/net-always-descend-into-dsa.patch b/queue-4.19/net-always-descend-into-dsa.patch
new file mode 100644
index 00000000000..bdea8d50588
--- /dev/null
+++ b/queue-4.19/net-always-descend-into-dsa.patch
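Review bot: The reader side of the fib6-leak fix, `if (rt->fib6_destroying)` in `rt6_make_pcpu_route()` (net/ipv6/route.c), carries no comment, while the writer in `fib6_drop_pcpu_from()` documents its `mb()` as paired with the `cmpxchg()`. The ordering argument is what makes the fix correct, so I would state it where the flag is read, e.g. `/* cmpxchg() above pairs with mb() in fib6_drop_pcpu_from(): either it sees this pcpu_rt or we see fib6_destroying */`. Separately, `fib6_destroying` shares its storage unit with `dst_nocount`, `dst_nopolicy` and `dst_host`, so the plain store rewrites those bits too; that is safe only if nothing else writes them once the entry is published, which these hunks do not show. Both functions extend outside the hunks.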
@@ -0,0 +1,38 @@
+From foo@baz Wed 22 May 2019 08:37:51 AM CEST
+From: Florian Fainelli
+Date: Mon, 13 May 2019 14:06:24 -0700
+Subject: net: Always descend into dsa/
+
+From: Florian Fainelli
+
+[ Upstream commit 0fe9f173d6cda95874edeb413b1fa9907b5ae830 ]
+
+Jiri reported that with a kernel built with CONFIG_FIXED_PHY=y,
+CONFIG_NET_DSA=m and CONFIG_NET_DSA_LOOP=m, we would not get to a
+functional state where the mock-up driver is registered. Turns out that
+we are not descending into drivers/net/dsa/ unconditionally, and we
+won't be able to link-in dsa_loop_bdinfo.o which does the actual mock-up
+mdio device registration.
+
+Reported-by: Jiri Pirko
+Fixes: 40013ff20b1b ("net: dsa: Fix functional dsa-loop dependency on FIXED_PHY")
+Signed-off-by: Florian Fainelli
+Reviewed-by: Vivien Didelot
+Tested-by: Jiri Pirko
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/Makefile
++++ b/drivers/net/Makefile
+@@ -40,7 +40,7 @@ obj-$(CONFIG_ARCNET) += arcnet/
+ obj-$(CONFIG_DEV_APPLETALK) += appletalk/
+ obj-$(CONFIG_CAIF) += caif/
+ obj-$(CONFIG_CAN) += can/
+-obj-$(CONFIG_NET_DSA) += dsa/
++obj-y += dsa/
+ obj-$(CONFIG_ETHERNET) += ethernet/
+ obj-$(CONFIG_FDDI) += fddi/
+ obj-$(CONFIG_HIPPI) += hippi/
diff --git a/queue-4.19/net-avoid-weird-emergency-message.patch b/queue-4.19/net-avoid-weird-emergency-message.patch
new file mode 100644
index 00000000000..9fe7aabaad2
--- /dev/null
+++ b/queue-4.19/net-avoid-weird-emergency-message.patch
@@ -0,0 +1,38 @@
+From foo@baz Wed 22 May 2019 08:37:51 AM CEST
+From: Eric Dumazet
+Date: Thu, 16 May 2019 08:09:57 -0700
+Subject: net: avoid weird emergency message
+
+From: Eric Dumazet
+
+[ Upstream commit d7c04b05c9ca14c55309eb139430283a45c4c25f ]
+
+When host is under high stress, it is very possible thread
+running netdev_wait_allrefs() returns from msleep(250)
+10 seconds late.
+
+This leads to these messages in the syslog :
+
+[...] unregister_netdevice: waiting for syz_tun to become free. Usage count = 0
+
+If the device refcount is zero, the wait is over.
+
+Signed-off-by: Eric Dumazet
+Reported-by: syzbot
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/core/dev.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -8716,7 +8716,7 @@ static void netdev_wait_allrefs(struct n
+
+ refcnt = netdev_refcnt_read(dev);
+
+- if (time_after(jiffies, warning_time + 10 * HZ)) {
++ if (refcnt && time_after(jiffies, warning_time + 10 * HZ)) {
+ pr_emerg("unregister_netdevice: waiting for %s to become free. Usage count = %d\n",
+ dev->name, refcnt);
+ warning_time = jiffies;
diff --git a/queue-4.19/net-mlx4_core-change-the-error-print-to-info-print.patch b/queue-4.19/net-mlx4_core-change-the-error-print-to-info-print.patch
new file mode 100644
index 00000000000..0cca53aaf90
--- /dev/null
+++ b/queue-4.19/net-mlx4_core-change-the-error-print-to-info-print.patch
@@ -0,0 +1,32 @@
+From foo@baz Wed 22 May 2019 08:37:51 AM CEST
+From: Yunjian Wang
+Date: Tue, 14 May 2019 19:03:19 +0800
+Subject: net/mlx4_core: Change the error print to info print
+
+From: Yunjian Wang
+
+[ Upstream commit 00f9fec48157f3734e52130a119846e67a12314b ]
+
+The error print within mlx4_flow_steer_promisc_add() should
+be a info print.
+
+Fixes: 592e49dda812 ('net/mlx4: Implement promiscuous mode with device managed flow-steering')
+Signed-off-by: Yunjian Wang
+Reviewed-by: Tariq Toukan
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/mellanox/mlx4/mcg.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx4/mcg.c
++++ b/drivers/net/ethernet/mellanox/mlx4/mcg.c
+@@ -1492,7 +1492,7 @@ int mlx4_flow_steer_promisc_add(struct m
+ rule.port = port;
+ rule.qpn = qpn;
+ INIT_LIST_HEAD(&rule.list);
+- mlx4_err(dev, "going promisc on %x\n", port);
++ mlx4_info(dev, "going promisc on %x\n", port);
+
+ return mlx4_flow_attach(dev, &rule, regid_p);
+ }
diff --git a/queue-4.19/net-mlx5-imply-mlxfw-in-mlx5_core.patch b/queue-4.19/net-mlx5-imply-mlxfw-in-mlx5_core.patch
new file mode 100644
index 00000000000..5fc9b91c513
--- /dev/null
+++ b/queue-4.19/net-mlx5-imply-mlxfw-in-mlx5_core.patch
@@ -0,0 +1,32 @@
+From foo@baz Wed 22 May 2019 08:37:51 AM CEST
+From: Saeed Mahameed
+Date: Tue, 7 May 2019 13:15:20 -0700
+Subject: net/mlx5: Imply MLXFW in mlx5_core
+
+From: Saeed Mahameed
+
+[ Upstream commit bad861f31bb15a99becef31aab59640eaeb247e2 ]
+
+mlxfw can be compiled as external module while mlx5_core can be
+builtin, in such case mlx5 will act like mlxfw is disabled.
+
+Since mlxfw is just a service library for mlx* drivers,
+imply it in mlx5_core to make it always reachable if it was enabled.
+
+Fixes: 3ffaabecd1a1 ("net/mlx5e: Support the flash device ethtool callback")
+Signed-off-by: Saeed Mahameed
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/mellanox/mlx5/core/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/Kconfig
++++ b/drivers/net/ethernet/mellanox/mlx5/core/Kconfig
+@@ -8,6 +8,7 @@ config MLX5_CORE
+ depends on PCI
+ imply PTP_1588_CLOCK
+ imply VXLAN
++ imply MLXFW
+ default n
+ ---help---
+ Core driver for low level functionality of the ConnectX-4 and
diff --git a/queue-4.19/net-mlx5e-fix-ethtool-rxfh-commands-when-config_mlx5_en_rxnfc-is-disabled.patch b/queue-4.19/net-mlx5e-fix-ethtool-rxfh-commands-when-config_mlx5_en_rxnfc-is-disabled.patch
new file mode 100644
index 00000000000..45063bc046a
--- /dev/null
+++ b/queue-4.19/net-mlx5e-fix-ethtool-rxfh-commands-when-config_mlx5_en_rxnfc-is-disabled.patch
@@ -0,0 +1,58 @@
+From foo@baz Wed 22 May 2019 08:37:51 AM CEST
+From: Saeed Mahameed
+Date: Tue, 7 May 2019 12:59:38 -0700
+Subject: net/mlx5e: Fix ethtool rxfh commands when CONFIG_MLX5_EN_RXNFC is disabled
+
+From: Saeed Mahameed
+
+[ Upstream commit 8f0916c6dc5cd5e3bc52416fa2a9ff4075080180 ]
+
+ethtool user spaces needs to know ring count via ETHTOOL_GRXRINGS when
+executing (ethtool -x) which is retrieved via ethtool get_rxnfc callback,
+in mlx5 this callback is disabled when CONFIG_MLX5_EN_RXNFC=n.
+
+This patch allows only ETHTOOL_GRXRINGS command on mlx5e_get_rxnfc() when
+CONFIG_MLX5_EN_RXNFC is disabled, so ethtool -x will continue working.
+
+Fixes: fe6d86b3c316 ("net/mlx5e: Add CONFIG_MLX5_EN_RXNFC for ethtool rx nfc")
+Signed-off-by: Saeed Mahameed
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c | 18 +++++++++++++++++-
+ 1 file changed, 17 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c
+@@ -1609,6 +1609,22 @@ static int mlx5e_flash_device(struct net
+ return mlx5e_ethtool_flash_device(priv, flash);
+ }
+
++#ifndef CONFIG_MLX5_EN_RXNFC
++/* When CONFIG_MLX5_EN_RXNFC=n we only support ETHTOOL_GRXRINGS
++ * otherwise this function will be defined from en_fs_ethtool.c
++ */
++static int mlx5e_get_rxnfc(struct net_device *dev, struct ethtool_rxnfc *info, u32 *rule_locs)
++{
++ struct mlx5e_priv *priv = netdev_priv(dev);
++
++ if (info->cmd != ETHTOOL_GRXRINGS)
++ return -EOPNOTSUPP;
++ /* ring_count is needed by ethtool -x */
++ info->data = priv->channels.params.num_channels;
++ return 0;
++}
++#endif
++
+ const struct ethtool_ops mlx5e_ethtool_ops = {
+ .get_drvinfo = mlx5e_get_drvinfo,
+ .get_link = ethtool_op_get_link,
+@@ -1627,8 +1643,8 @@ const struct ethtool_ops mlx5e_ethtool_o
+ .get_rxfh_indir_size = mlx5e_get_rxfh_indir_size,
+ .get_rxfh = mlx5e_get_rxfh,
+ .set_rxfh = mlx5e_set_rxfh,
+-#ifdef CONFIG_MLX5_EN_RXNFC
+ .get_rxnfc = mlx5e_get_rxnfc,
++#ifdef CONFIG_MLX5_EN_RXNFC
+ .set_rxnfc = mlx5e_set_rxnfc,
+ #endif
+ .flash_device = mlx5e_flash_device,
diff --git a/queue-4.19/net-test-nouarg-before-dereferencing-zerocopy-pointers.patch b/queue-4.19/net-test-nouarg-before-dereferencing-zerocopy-pointers.patch
new file mode 100644
index 00000000000..0287ba68e67
--- /dev/null
+++ b/queue-4.19/net-test-nouarg-before-dereferencing-zerocopy-pointers.patch
@@ -0,0 +1,56 @@
+From foo@baz Wed 22 May 2019 08:37:51 AM CEST
+From: Willem de Bruijn
+Date: Wed, 15 May 2019 13:29:16 -0400
+Subject: net: test nouarg before dereferencing zerocopy pointers
+
+From: Willem de Bruijn
+
+[ Upstream commit 185ce5c38ea76f29b6bd9c7c8c7a5e5408834920 ]
+
+Zerocopy skbs without completion notification were added for packet
+sockets with PACKET_TX_RING user buffers. Those signal completion
+through the TP_STATUS_USER bit in the ring. Zerocopy annotation was
+added only to avoid premature notification after clone or orphan, by
+triggering a copy on these paths for these packets.
+
+The mechanism had to define a special "no-uarg" mode because packet
+sockets already use skb_uarg(skb) == skb_shinfo(skb)->destructor_arg
+for a different pointer.
+
+Before deferencing skb_uarg(skb), verify that it is a real pointer.
+
+Fixes: 5cd8d46ea1562 ("packet: copy user buffers before orphan or clone")
+Signed-off-by: Willem de Bruijn
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ include/linux/skbuff.h | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/include/linux/skbuff.h
++++ b/include/linux/skbuff.h
+@@ -1333,10 +1333,12 @@ static inline void skb_zcopy_clear(struc
+ struct ubuf_info *uarg = skb_zcopy(skb);
+
+ if (uarg) {
+- if (uarg->callback == sock_zerocopy_callback) {
++ if (skb_zcopy_is_nouarg(skb)) {
++ /* no notification callback */
++ } else if (uarg->callback == sock_zerocopy_callback) {
+ uarg->zerocopy = uarg->zerocopy && zerocopy;
+ sock_zerocopy_put(uarg);
+- } else if (!skb_zcopy_is_nouarg(skb)) {
++ } else {
+ uarg->callback(uarg, zerocopy);
+ }
+
+@@ -2587,7 +2589,8 @@ static inline int skb_orphan_frags(struc
+ {
+ if (likely(!skb_zcopy(skb)))
+ return 0;
+- if (skb_uarg(skb)->callback == sock_zerocopy_callback)
++ if (!skb_zcopy_is_nouarg(skb) &&
++ skb_uarg(skb)->callback == sock_zerocopy_callback)
+ return 0;
+ return skb_copy_ubufs(skb, gfp_mask);
+ }
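Review bot: The no-uarg guard is added at two call sites in include/linux/skbuff.h, `skb_zcopy_clear()` and `skb_orphan_frags()`, but `skb_uarg()` still hands back the value typed as `struct ubuf_info *`, so any other caller that writes `skb_uarg(skb)->callback` would read through something the description says is "a different pointer". Other users of `skb_uarg()` and `skb_zcopy()` are not visible in these hunks and would need the same audit. I would document the contract on the accessor, e.g. `/* in no-uarg mode this is not a struct ubuf_info: test skb_zcopy_is_nouarg() before dereferencing */`, so the invariant does not rest on each call site remembering the check. `skb_zcopy_clear()` starts and ends outside its hunk.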
diff --git a/queue-4.19/net-usb-qmi_wwan-add-telit-0x1260-and-0x1261-compositions.patch b/queue-4.19/net-usb-qmi_wwan-add-telit-0x1260-and-0x1261-compositions.patch
new file mode 100644
index 00000000000..1c5da422bcc
--- /dev/null
+++ b/queue-4.19/net-usb-qmi_wwan-add-telit-0x1260-and-0x1261-compositions.patch
@@ -0,0 +1,30 @@
+From foo@baz Wed 22 May 2019 08:37:51 AM CEST
+From: Daniele Palmas
+Date: Wed, 15 May 2019 17:29:43 +0200
+Subject: net: usb: qmi_wwan: add Telit 0x1260 and 0x1261 compositions
+
+From: Daniele Palmas
+
+[ Upstream commit b4e467c82f8c12af78b6f6fa5730cb7dea7af1b4 ]
+
+Added support for Telit LE910Cx 0x1260 and 0x1261 compositions.
+
+Signed-off-by: Daniele Palmas
+Acked-by: Bjørn Mork
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/usb/qmi_wwan.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/usb/qmi_wwan.c
++++ b/drivers/net/usb/qmi_wwan.c
+@@ -1240,6 +1240,8 @@ static const struct usb_device_id produc
+ {QMI_FIXED_INTF(0x1bc7, 0x1101, 3)}, /* Telit ME910 dual modem */
+ {QMI_FIXED_INTF(0x1bc7, 0x1200, 5)}, /* Telit LE920 */
+ {QMI_QUIRK_SET_DTR(0x1bc7, 0x1201, 2)}, /* Telit LE920, LE920A4 */
++ {QMI_QUIRK_SET_DTR(0x1bc7, 0x1260, 2)}, /* Telit LE910Cx */
++ {QMI_QUIRK_SET_DTR(0x1bc7, 0x1261, 2)}, /* Telit LE910Cx */
+ {QMI_QUIRK_SET_DTR(0x1bc7, 0x1900, 1)}, /* Telit LN940 series */
+ {QMI_FIXED_INTF(0x1c9e, 0x9801, 3)}, /* Telewell TW-3G HSPA+ */
+ {QMI_FIXED_INTF(0x1c9e, 0x9803, 4)}, /* Telewell TW-3G HSPA+ */
diff --git a/queue-4.19/nfp-flower-add-rcu-locks-when-accessing-netdev-for-tunnels.patch b/queue-4.19/nfp-flower-add-rcu-locks-when-accessing-netdev-for-tunnels.patch
new file mode 100644
index 00000000000..d2ce7830437
--- /dev/null
+++ b/queue-4.19/nfp-flower-add-rcu-locks-when-accessing-netdev-for-tunnels.patch
@@ -0,0 +1,82 @@
+From foo@baz Wed 22 May 2019 08:37:51 AM CEST
+From: Pieter Jansen van Vuuren
+Date: Tue, 14 May 2019 14:28:19 -0700
+Subject: nfp: flower: add rcu locks when accessing netdev for tunnels
+
+From: Pieter Jansen van Vuuren
+
+[ Upstream commit cb07d915bf278a7a3938b983bbcb4921366b5eff ]
+
+Add rcu locks when accessing netdev when processing route request
+and tunnel keep alive messages received from hardware.
+
+Fixes: 8e6a9046b66a ("nfp: flower vxlan neighbour offload")
+Fixes: 856f5b135758 ("nfp: flower vxlan neighbour keep-alive")
+Signed-off-by: Pieter Jansen van Vuuren
+Reviewed-by: Jakub Kicinski
+Reviewed-by: John Hurley
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/netronome/nfp/flower/tunnel_conf.c | 17 ++++++++++------
+ 1 file changed, 11 insertions(+), 6 deletions(-)
+
+--- a/drivers/net/ethernet/netronome/nfp/flower/tunnel_conf.c
++++ b/drivers/net/ethernet/netronome/nfp/flower/tunnel_conf.c
+@@ -194,6 +194,7 @@ void nfp_tunnel_keep_alive(struct nfp_ap
+ return;
+ }
+
++ rcu_read_lock();
+ for (i = 0; i < count; i++) {
+ ipv4_addr = payload->tun_info[i].ipv4;
+ port = be32_to_cpu(payload->tun_info[i].egress_port);
+@@ -209,6 +210,7 @@ void nfp_tunnel_keep_alive(struct nfp_ap
+ neigh_event_send(n, NULL);
+ neigh_release(n);
+ }
++ rcu_read_unlock();
+ }
+
+ static bool nfp_tun_is_netdev_to_offload(struct net_device *netdev)
+@@ -404,9 +406,10 @@ void nfp_tunnel_request_route(struct nfp
+
+ payload = nfp_flower_cmsg_get_data(skb);
+
++ rcu_read_lock();
+ netdev = nfp_app_repr_get(app, be32_to_cpu(payload->ingress_port));
+ if (!netdev)
+- goto route_fail_warning;
++ goto fail_rcu_unlock;
+
+ flow.daddr = payload->ipv4_addr;
+ flow.flowi4_proto = IPPROTO_UDP;
+@@ -416,21 +419,23 @@ void nfp_tunnel_request_route(struct nfp
+ rt = ip_route_output_key(dev_net(netdev), &flow);
+ err = PTR_ERR_OR_ZERO(rt);
+ if (err)
+- goto route_fail_warning;
++ goto fail_rcu_unlock;
+ #else
+- goto route_fail_warning;
++ goto fail_rcu_unlock;
+ #endif
+
+ /* Get the neighbour entry for the lookup */
+ n = dst_neigh_lookup(&rt->dst, &flow.daddr);
+ ip_rt_put(rt);
+ if (!n)
+- goto route_fail_warning;
+- nfp_tun_write_neigh(n->dev, app, &flow, n, GFP_KERNEL);
++ goto fail_rcu_unlock;
++ nfp_tun_write_neigh(n->dev, app, &flow, n, GFP_ATOMIC);
+ neigh_release(n);
++ rcu_read_unlock();
+ return;
+
+-route_fail_warning:
++fail_rcu_unlock:
++ rcu_read_unlock();
+ nfp_flower_cmsg_warn(app, "Requested route not found.\n");
+ }
+
diff --git a/queue-4.19/ppp-deflate-fix-possible-crash-in-deflate_init.patch b/queue-4.19/ppp-deflate-fix-possible-crash-in-deflate_init.patch
new file mode 100644
index 00000000000..78a146040d2
--- /dev/null
+++ b/queue-4.19/ppp-deflate-fix-possible-crash-in-deflate_init.patch
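Review bot: In `nfp_tunnel_request_route()` the read-side section now covers the whole lookup, which is why the call becomes `nfp_tun_write_neigh(n->dev, app, &flow, n, GFP_ATOMIC);`, and an atomic allocation fails more readily than the previous `GFP_KERNEL` one. The call's result is not checked in the visible lines and whether `nfp_tun_write_neigh()` reports failure at all is not shown, so a failed allocation would presumably drop the neighbour update without any trace. I would at least record the constraint at the call, e.g. `/* inside rcu_read_lock(): must not sleep, so the allocation can fail */`, and confirm the failure is logged or counted. The function starts outside the hunks.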
@@ -0,0 +1,86 @@
+From foo@baz Wed 22 May 2019 08:37:51 AM CEST
+From: YueHaibing
+Date: Tue, 14 May 2019 22:55:32 +0800
+Subject: ppp: deflate: Fix possible crash in deflate_init
+
+From: YueHaibing
+
+[ Upstream commit 3ebe1bca58c85325c97a22d4fc3f5b5420752e6f ]
+
+BUG: unable to handle kernel paging request at ffffffffa018f000
+PGD 3270067 P4D 3270067 PUD 3271063 PMD 2307eb067 PTE 0
+Oops: 0000 [#1] PREEMPT SMP
+CPU: 0 PID: 4138 Comm: modprobe Not tainted 5.1.0-rc7+ #1
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
+rel-1.9.3-0-ge2fc41e-prebuilt.qemu-project.org 04/01/2014
+RIP: 0010:ppp_register_compressor+0x3e/0xd0 [ppp_generic]
+Code: 98 4a 3f e2 48 8b 15 c1 67 00 00 41 8b 0c 24 48 81 fa 40 f0 19 a0
+75 0e eb 35 48 8b 12 48 81 fa 40 f0 19 a0 74
+RSP: 0018:ffffc90000d93c68 EFLAGS: 00010287
+RAX: ffffffffa018f000 RBX: ffffffffa01a3000 RCX: 000000000000001a
+RDX: ffff888230c750a0 RSI: 0000000000000000 RDI: ffffffffa019f000
+RBP: ffffc90000d93c80 R08: 0000000000000001 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000000 R12: ffffffffa0194080
+R13: ffff88822ee1a700 R14: 0000000000000000 R15: ffffc90000d93e78
+FS: 00007f2339557540(0000) GS:ffff888237a00000(0000)
+knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: ffffffffa018f000 CR3: 000000022bde4000 CR4: 00000000000006f0
+Call Trace:
+ ? 0xffffffffa01a3000
+ deflate_init+0x11/0x1000 [ppp_deflate]
+ ? 0xffffffffa01a3000
+ do_one_initcall+0x6c/0x3cc
+ ? kmem_cache_alloc_trace+0x248/0x3b0
+ do_init_module+0x5b/0x1f1
+ load_module+0x1db1/0x2690
+ ? m_show+0x1d0/0x1d0
+ __do_sys_finit_module+0xc5/0xd0
+ __x64_sys_finit_module+0x15/0x20
+ do_syscall_64+0x6b/0x1d0
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+If ppp_deflate fails to register in deflate_init,
+module initialization failed out, however
+ppp_deflate_draft may has been regiestred and not
+unregistered before return.
+Then the seconed modprobe will trigger crash like this.
+
+Reported-by: Hulk Robot
+Signed-off-by: YueHaibing
+Acked-by: Guillaume Nault
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ppp/ppp_deflate.c | 20 ++++++++++++++------
+ 1 file changed, 14 insertions(+), 6 deletions(-)
+
+--- a/drivers/net/ppp/ppp_deflate.c
++++ b/drivers/net/ppp/ppp_deflate.c
+@@ -610,12 +610,20 @@ static struct compressor ppp_deflate_dra
+
+ static int __init deflate_init(void)
+ {
+- int answer = ppp_register_compressor(&ppp_deflate);
+- if (answer == 0)
+- printk(KERN_INFO
+- "PPP Deflate Compression module registered\n");
+- ppp_register_compressor(&ppp_deflate_draft);
+- return answer;
++ int rc;
++
++ rc = ppp_register_compressor(&ppp_deflate);
++ if (rc)
++ return rc;
++
++ rc = ppp_register_compressor(&ppp_deflate_draft);
++ if (rc) {
++ ppp_unregister_compressor(&ppp_deflate);
++ return rc;
++ }
++
++ pr_info("PPP Deflate Compression module registered\n");
++ return 0;
+ }
+
+ static void __exit deflate_cleanup(void)
diff --git a/queue-4.19/rtnetlink-always-put-ifla_link-for-links-with-a-link-netnsid.patch b/queue-4.19/rtnetlink-always-put-ifla_link-for-links-with-a-link-netnsid.patch
new file mode 100644
index 00000000000..036b1bda9b7
--- /dev/null
+++ b/queue-4.19/rtnetlink-always-put-ifla_link-for-links-with-a-link-netnsid.patch
@@ -0,0 +1,95 @@
+From foo@baz Wed 22 May 2019 08:37:51 AM CEST
+From: Sabrina Dubroca
+Date: Tue, 14 May 2019 15:12:19 +0200
+Subject: rtnetlink: always put IFLA_LINK for links with a link-netnsid
+
+From: Sabrina Dubroca
+
+[ Upstream commit feadc4b6cf42a53a8a93c918a569a0b7e62bd350 ]
+
+Currently, nla_put_iflink() doesn't put the IFLA_LINK attribute when
+iflink == ifindex.
+
+In some cases, a device can be created in a different netns with the
+same ifindex as its parent. That device will not dump its IFLA_LINK
+attribute, which can confuse some userspace software that expects it.
+For example, if the last ifindex created in init_net and foo are both
+8, these commands will trigger the issue:
+
+ ip link add parent type dummy # ifindex 9
+ ip link add link parent netns foo type macvlan # ifindex 9 in ns foo
+
+So, in case a device puts the IFLA_LINK_NETNSID attribute in a dump,
+always put the IFLA_LINK attribute as well.
+
+Thanks to Dan Winship for analyzing the original OpenShift bug down to
+the missing netlink attribute.
+
+v2: change Fixes tag, it's been here forever, as Nicolas Dichtel said
+ add Nicolas' ack
+v3: change Fixes tag
+ fix subject typo, spotted by Edward Cree
+
+Analyzed-by: Dan Winship
+Fixes: d8a5ec672768 ("[NET]: netlink support for moving devices between network namespaces.")
+Signed-off-by: Sabrina Dubroca
+Acked-by: Nicolas Dichtel
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/core/rtnetlink.c | 16 ++++++++++------
+ 1 file changed, 10 insertions(+), 6 deletions(-)
+
+--- a/net/core/rtnetlink.c
++++ b/net/core/rtnetlink.c
+@@ -1496,14 +1496,15 @@ static int put_master_ifindex(struct sk_
+ return ret;
+ }
+
+-static int nla_put_iflink(struct sk_buff *skb, const struct net_device *dev)
++static int nla_put_iflink(struct sk_buff *skb, const struct net_device *dev,
++ bool force)
+ {
+ int ifindex = dev_get_iflink(dev);
+
+- if (dev->ifindex == ifindex)
+- return 0;
++ if (force || dev->ifindex != ifindex)
++ return nla_put_u32(skb, IFLA_LINK, ifindex);
+
+- return nla_put_u32(skb, IFLA_LINK, ifindex);
++ return 0;
+ }
+
+ static noinline_for_stack int nla_put_ifalias(struct sk_buff *skb,
+@@ -1520,6 +1521,8 @@ static int rtnl_fill_link_netnsid(struct
+ const struct net_device *dev,
+ struct net *src_net)
+ {
++ bool put_iflink = false;
++
+ if (dev->rtnl_link_ops && dev->rtnl_link_ops->get_link_net) {
+ struct net *link_net = dev->rtnl_link_ops->get_link_net(dev);
+
+@@ -1528,10 +1531,12 @@ static int rtnl_fill_link_netnsid(struct
+
+ if (nla_put_s32(skb, IFLA_LINK_NETNSID, id))
+ return -EMSGSIZE;
++
++ put_iflink = true;
+ }
+ }
+
+- return 0;
++ return nla_put_iflink(skb, dev, put_iflink);
+ }
+
+ static int rtnl_fill_link_af(struct sk_buff *skb,
+@@ -1617,7 +1622,6 @@ static int rtnl_fill_ifinfo(struct sk_bu
+ #ifdef CONFIG_RPS
+ nla_put_u32(skb, IFLA_NUM_RX_QUEUES, dev->num_rx_queues) ||
+ #endif
+- nla_put_iflink(skb, dev) ||
+ put_master_ifindex(skb, dev) ||
+ nla_put_u8(skb, IFLA_CARRIER, netif_carrier_ok(dev)) ||
+ (dev->qdisc &&
diff --git a/queue-4.19/series b/queue-4.19/series
new file mode 100644
index 00000000000..6b9a62d2f8c
--- /dev/null
+++ b/queue-4.19/series
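Review bot: `rtnl_fill_link_netnsid()` now also emits IFLA_LINK through its final `return nla_put_iflink(skb, dev, put_iflink);`, so neither its name nor the attribute list in `rtnl_fill_ifinfo()` tells a reader where IFLA_LINK comes from any more. A short comment above the function would help, e.g. `/* Also emits IFLA_LINK: always when IFLA_LINK_NETNSID was put, otherwise only if iflink != ifindex */`, and the new `force` parameter of `nla_put_iflink()` deserves a line as well. The change relies on `rtnl_fill_ifinfo()` calling `rtnl_fill_link_netnsid()` on every dump path, which lies outside the visible hunks, and it moves IFLA_LINK to a different position in the message.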
@@ -0,0 +1,16 @@
+ipv6-fix-src-addr-routing-with-the-exception-table.patch
+ipv6-prevent-possible-fib6-leaks.patch
+net-always-descend-into-dsa.patch
+net-avoid-weird-emergency-message.patch
+net-mlx4_core-change-the-error-print-to-info-print.patch
+net-test-nouarg-before-dereferencing-zerocopy-pointers.patch
+net-usb-qmi_wwan-add-telit-0x1260-and-0x1261-compositions.patch
+nfp-flower-add-rcu-locks-when-accessing-netdev-for-tunnels.patch
+ppp-deflate-fix-possible-crash-in-deflate_init.patch
+rtnetlink-always-put-ifla_link-for-links-with-a-link-netnsid.patch
+tipc-switch-order-of-device-registration-to-fix-a-crash.patch
+vsock-virtio-free-packets-during-the-socket-release.patch
+tipc-fix-modprobe-tipc-failed-after-switch-order-of-device-registration.patch
+vsock-virtio-initialize-core-virtio-vsock-before-registering-the-driver.patch
+net-mlx5-imply-mlxfw-in-mlx5_core.patch
+net-mlx5e-fix-ethtool-rxfh-commands-when-config_mlx5_en_rxnfc-is-disabled.patch
diff --git a/queue-4.19/tipc-fix-modprobe-tipc-failed-after-switch-order-of-device-registration.patch b/queue-4.19/tipc-fix-modprobe-tipc-failed-after-switch-order-of-device-registration.patch
new file mode 100644
index 00000000000..f573bbd48eb
--- /dev/null
+++ b/queue-4.19/tipc-fix-modprobe-tipc-failed-after-switch-order-of-device-registration.patch
@@ -0,0 +1,92 @@
+From foo@baz Wed 22 May 2019 08:37:51 AM CEST
+From: Junwei Hu
+Date: Fri, 17 May 2019 19:27:34 +0800
+Subject: tipc: fix modprobe tipc failed after switch order of device registration
+
+From: Junwei Hu
+
+[ Upstream commit 532b0f7ece4cb2ffd24dc723ddf55242d1188e5e ]
+
+Error message printed:
+modprobe: ERROR: could not insert 'tipc': Address family not
+supported by protocol.
+when modprobe tipc after the following patch: switch order of
+device registration, commit 7e27e8d6130c
+("tipc: switch order of device registration to fix a crash")
+
+Because sock_create_kern(net, AF_TIPC, ...) is called by
+tipc_topsrv_create_listener() in the initialization process
+of tipc_net_ops, tipc_socket_init() must be execute before that.
+
+I move tipc_socket_init() into function tipc_init_net().
+
+Fixes: 7e27e8d6130c
+("tipc: switch order of device registration to fix a crash")
+Signed-off-by: Junwei Hu
+Reported-by: Wang Wang
+Reviewed-by: Kang Zhou
+Reviewed-by: Suanming Mou
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/tipc/core.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+--- a/net/tipc/core.c
++++ b/net/tipc/core.c
+@@ -66,6 +66,10 @@ static int __net_init tipc_init_net(stru
+ INIT_LIST_HEAD(&tn->node_list);
+ spin_lock_init(&tn->node_list_lock);
+
++ err = tipc_socket_init();
++ if (err)
++ goto out_socket;
++
+ err = tipc_sk_rht_init(net);
+ if (err)
+ goto out_sk_rht;
+@@ -92,6 +96,8 @@ out_subscr:
+ out_nametbl:
+ tipc_sk_rht_destroy(net);
+ out_sk_rht:
++ tipc_socket_stop();
++out_socket:
+ return err;
+ }
+
+@@ -102,6 +108,7 @@ static void __net_exit tipc_exit_net(str
+ tipc_bcast_stop(net);
+ tipc_nametbl_stop(net);
+ tipc_sk_rht_destroy(net);
++ tipc_socket_stop();
+ }
+
+ static struct pernet_operations tipc_net_ops = {
+@@ -137,10 +144,6 @@ static int __init tipc_init(void)
+ if (err)
+ goto out_pernet;
+
+- err = tipc_socket_init();
+- if (err)
+- goto out_socket;
+-
+ err = tipc_bearer_setup();
+ if (err)
+ goto out_bearer;
+@@ -148,8 +151,6 @@ static int __init tipc_init(void)
+ pr_info("Started in single node mode\n");
+ return 0;
+ out_bearer:
+- tipc_socket_stop();
+-out_socket:
+ unregister_pernet_subsys(&tipc_net_ops);
+ out_pernet:
+ tipc_unregister_sysctl();
+@@ -165,7 +166,6 @@ out_netlink:
+ static void __exit tipc_exit(void)
+ {
+ tipc_bearer_cleanup();
+- tipc_socket_stop();
+ unregister_pernet_subsys(&tipc_net_ops);
+ tipc_netlink_stop();
+ tipc_netlink_compat_stop();
diff --git a/queue-4.19/tipc-switch-order-of-device-registration-to-fix-a-crash.patch b/queue-4.19/tipc-switch-order-of-device-registration-to-fix-a-crash.patch
new file mode 100644
index 00000000000..2334041afc2
--- /dev/null
+++ b/queue-4.19/tipc-switch-order-of-device-registration-to-fix-a-crash.patch
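Review bot: `tipc_socket_init()` now runs inside `tipc_init_net()`, the per-network-namespace init hook of `tipc_net_ops`, and `tipc_socket_stop()` is added to `tipc_exit_net()`, so both now execute once per namespace instead of once per module. Their bodies are not in this patch; if they register and unregister the AF_TIPC socket family globally, as the commit text implies, a second namespace's init could fail on the duplicate registration, and the exit of any one namespace would remove the family for every other namespace still using it. A safer shape keeps the socket-family registration in `tipc_init()`/`tipc_exit()` and defers only the namespace step that opens the AF_TIPC listener until after it. The hunks show only parts of `tipc_init_net()` and `tipc_init()`, so the full unwind order should be checked against the file.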
@@ -0,0 +1,94 @@
+From foo@baz Wed 22 May 2019 08:37:51 AM CEST
+From: Junwei Hu
+Date: Thu, 16 May 2019 10:51:15 +0800
+Subject: tipc: switch order of device registration to fix a crash
+
+From: Junwei Hu
+
+[ Upstream commit 7e27e8d6130c5e88fac9ddec4249f7f2337fe7f8 ]
+
+When tipc is loaded while many processes try to create a TIPC socket,
+a crash occurs:
+ PANIC: Unable to handle kernel paging request at virtual
+ address "dfff20000000021d"
+ pc : tipc_sk_create+0x374/0x1180 [tipc]
+ lr : tipc_sk_create+0x374/0x1180 [tipc]
+ Exception class = DABT (current EL), IL = 32 bits
+ Call trace:
+ tipc_sk_create+0x374/0x1180 [tipc]
+ __sock_create+0x1cc/0x408
+ __sys_socket+0xec/0x1f0
+ __arm64_sys_socket+0x74/0xa8
+ ...
+
+This is due to race between sock_create and unfinished
+register_pernet_device. tipc_sk_insert tries to do
+"net_generic(net, tipc_net_id)".
+but tipc_net_id is not initialized yet.
+
+So switch the order of the two to close the race.
+
+This can be reproduced with multiple processes doing socket(AF_TIPC, ...)
+and one process doing module removal.
+
+Fixes: a62fbccecd62 ("tipc: make subscriber server support net namespace")
+Signed-off-by: Junwei Hu
+Reported-by: Wang Wang
+Reviewed-by: Xiaogang Wang
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/tipc/core.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+--- a/net/tipc/core.c
++++ b/net/tipc/core.c
+@@ -129,10 +129,6 @@ static int __init tipc_init(void)
+ if (err)
+ goto out_netlink_compat;
+
+- err = tipc_socket_init();
+- if (err)
+- goto out_socket;
+-
+ err = tipc_register_sysctl();
+ if (err)
+ goto out_sysctl;
+@@ -141,6 +137,10 @@ static int __init tipc_init(void)
+ if (err)
+ goto out_pernet;
+
++ err = tipc_socket_init();
++ if (err)
++ goto out_socket;
++
+ err = tipc_bearer_setup();
+ if (err)
+ goto out_bearer;
+@@ -148,12 +148,12 @@ static int __init tipc_init(void)
+ pr_info("Started in single node mode\n");
+ return 0;
+ out_bearer:
++ tipc_socket_stop();
++out_socket:
+ unregister_pernet_subsys(&tipc_net_ops);
+ out_pernet:
+ tipc_unregister_sysctl();
+ out_sysctl:
+- tipc_socket_stop();
+-out_socket:
+ tipc_netlink_compat_stop();
+ out_netlink_compat:
+ tipc_netlink_stop();
+@@ -165,10 +165,10 @@ out_netlink:
+ static void __exit tipc_exit(void)
+ {
+ tipc_bearer_cleanup();
++ tipc_socket_stop();
+ unregister_pernet_subsys(&tipc_net_ops);
+ tipc_netlink_stop();
+ tipc_netlink_compat_stop();
+- tipc_socket_stop();
+ tipc_unregister_sysctl();
+
+ pr_info("Deactivated\n");
diff --git a/queue-4.19/vsock-virtio-free-packets-during-the-socket-release.patch b/queue-4.19/vsock-virtio-free-packets-during-the-socket-release.patch
new file mode 100644
index 00000000000..881aa26ea6e
--- /dev/null
+++ b/queue-4.19/vsock-virtio-free-packets-during-the-socket-release.patch
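Review bot: With `tipc_socket_init()` moved below `register_pernet_subsys(&tipc_net_ops)` in `tipc_init()`, the per-namespace init now runs before the AF_TIPC family exists. The tipc follow-up queued on this page states that `tipc_topsrv_create_listener()` calls `sock_create_kern(net, AF_TIPC, ...)` from that init, so this reorder on its own makes module load fail and should only be carried together with a fix for that. The ordering constraint is also undocumented at the call site; a comment above the moved call such as `/* register AF_TIPC only after tipc_net_ops: socket creation needs net_generic(net, tipc_net_id) */` would record why the order matters. `tipc_init()` and `tipc_exit()` both extend beyond the hunks shown.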
@@ -0,0 +1,42 @@
+From foo@baz Wed 22 May 2019 08:37:51 AM CEST
+From: Stefano Garzarella
+Date: Fri, 17 May 2019 16:45:43 +0200
+Subject: vsock/virtio: free packets during the socket release
+
+From: Stefano Garzarella
+
+[ Upstream commit ac03046ece2b158ebd204dfc4896fd9f39f0e6c8 ]
+
+When the socket is released, we should free all packets
+queued in the per-socket list in order to avoid a memory
+leak.
+
+Signed-off-by: Stefano Garzarella
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/vmw_vsock/virtio_transport_common.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/net/vmw_vsock/virtio_transport_common.c
++++ b/net/vmw_vsock/virtio_transport_common.c
+@@ -786,12 +786,19 @@ static bool virtio_transport_close(struc
+
+ void virtio_transport_release(struct vsock_sock *vsk)
+ {
++ struct virtio_vsock_sock *vvs = vsk->trans;
++ struct virtio_vsock_pkt *pkt, *tmp;
+ struct sock *sk = &vsk->sk;
+ bool remove_sock = true;
+
+ lock_sock(sk);
+ if (sk->sk_type == SOCK_STREAM)
+ remove_sock = virtio_transport_close(vsk);
++
++ list_for_each_entry_safe(pkt, tmp, &vvs->rx_queue, list) {
++ list_del(&pkt->list);
++ virtio_transport_free_pkt(pkt);
++ }
+ release_sock(sk);
+
+ if (remove_sock)
diff --git a/queue-4.19/vsock-virtio-initialize-core-virtio-vsock-before-registering-the-driver.patch b/queue-4.19/vsock-virtio-initialize-core-virtio-vsock-before-registering-the-driver.patch
new file mode 100644
index 00000000000..3895872aa37
--- /dev/null
+++ b/queue-4.19/vsock-virtio-initialize-core-virtio-vsock-before-registering-the-driver.patch
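Review bot: The new loop in `virtio_transport_release()` unlinks and frees every packet on `vvs->rx_queue` while holding only `lock_sock(sk)`, and the hunk does not show whether the paths that add to or drain that queue are serialised by the socket lock or by a separate queue lock. If any producer can run without the socket lock, this walk could race with it and free a packet that is still being linked. Please confirm the locking and record it next to the loop, for example `/* sk is locked and going away; nothing else may touch rx_queue here */`, or take the queue's own lock around the loop if it has one. The function continues past the end of the hunk.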
@@ -0,0 +1,108 @@
+From foo@baz Wed 22 May 2019 08:37:51 AM CEST
+From: "Jorge E. Moreira"
+Date: Thu, 16 May 2019 13:51:07 -0700
+Subject: vsock/virtio: Initialize core virtio vsock before registering the driver
+
+From: "Jorge E. Moreira"
+
+[ Upstream commit ba95e5dfd36647622d8897a2a0470dde60e59ffd ]
+
+Avoid a race in which static variables in net/vmw_vsock/af_vsock.c are
+accessed (while handling interrupts) before they are initialized.
+
+[ 4.201410] BUG: unable to handle kernel paging request at ffffffffffffffe8
+[ 4.207829] IP: vsock_addr_equals_addr+0x3/0x20
+[ 4.211379] PGD 28210067 P4D 28210067 PUD 28212067 PMD 0
+[ 4.211379] Oops: 0000 [#1] PREEMPT SMP PTI
+[ 4.211379] Modules linked in:
+[ 4.211379] CPU: 1 PID: 30 Comm: kworker/1:1 Not tainted 4.14.106-419297-gd7e28cc1f241 #1
+[ 4.211379] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
+[ 4.211379] Workqueue: virtio_vsock virtio_transport_rx_work
+[ 4.211379] task: ffffa3273d175280 task.stack: ffffaea1800e8000
+[ 4.211379] RIP: 0010:vsock_addr_equals_addr+0x3/0x20
+[ 4.211379] RSP: 0000:ffffaea1800ebd28 EFLAGS: 00010286
+[ 4.211379] RAX: 0000000000000002 RBX: 0000000000000000 RCX: ffffffffb94e42f0
+[ 4.211379] RDX: 0000000000000400 RSI: ffffffffffffffe0 RDI: ffffaea1800ebdd0
+[ 4.211379] RBP: ffffaea1800ebd58 R08: 0000000000000001 R09: 0000000000000001
+[ 4.211379] R10: 0000000000000000 R11: ffffffffb89d5d60 R12: ffffaea1800ebdd0
+[ 4.211379] R13: 00000000828cbfbf R14: 0000000000000000 R15: ffffaea1800ebdc0
+[ 4.211379] FS: 0000000000000000(0000) GS:ffffa3273fd00000(0000) knlGS:0000000000000000
+[ 4.211379] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 4.211379] CR2: ffffffffffffffe8 CR3: 000000002820e001 CR4: 00000000001606e0
+[ 4.211379] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[ 4.211379] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[ 4.211379] Call Trace:
+[ 4.211379] ? vsock_find_connected_socket+0x6c/0xe0
+[ 4.211379] virtio_transport_recv_pkt+0x15f/0x740
+[ 4.211379] ? detach_buf+0x1b5/0x210
+[ 4.211379] virtio_transport_rx_work+0xb7/0x140
+[ 4.211379] process_one_work+0x1ef/0x480
+[ 4.211379] worker_thread+0x312/0x460
+[ 4.211379] kthread+0x132/0x140
+[ 4.211379] ? process_one_work+0x480/0x480
+[ 4.211379] ? kthread_destroy_worker+0xd0/0xd0
+[ 4.211379] ret_from_fork+0x35/0x40
+[ 4.211379] Code: c7 47 08 00 00 00 00 66 c7 07 28 00 c7 47 08 ff ff ff ff c7 47 04 ff ff ff ff c3 0f 1f 00 66 2e 0f 1f 84 00 00 00 00 00 8b 47 08 <3b> 46 08 75 0a 8b 47 04 3b 46 04 0f 94 c0 c3 31 c0 c3 90 66 2e
+[ 4.211379] RIP: vsock_addr_equals_addr+0x3/0x20 RSP: ffffaea1800ebd28
+[ 4.211379] CR2: ffffffffffffffe8
+[ 4.211379] ---[ end trace f31cc4a2e6df3689 ]---
+[ 4.211379] Kernel panic - not syncing: Fatal exception in interrupt
+[ 4.211379] Kernel Offset: 0x37000000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
+[ 4.211379] Rebooting in 5 seconds..
+
+Fixes: 22b5c0b63f32 ("vsock/virtio: fix kernel panic after device hot-unplug")
+Cc: Stefan Hajnoczi
+Cc: Stefano Garzarella
+Cc: "David S. Miller"
+Cc: kvm@vger.kernel.org
+Cc: virtualization@lists.linux-foundation.org
+Cc: netdev@vger.kernel.org
+Cc: kernel-team@android.com
+Cc: stable@vger.kernel.org [4.9+]
+Signed-off-by: Jorge E. Moreira
+Reviewed-by: Stefano Garzarella
+Reviewed-by: Stefan Hajnoczi
+Acked-by: Stefan Hajnoczi
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/vmw_vsock/virtio_transport.c | 13 ++++++-------
+ 1 file changed, 6 insertions(+), 7 deletions(-)
+
+--- a/net/vmw_vsock/virtio_transport.c
++++ b/net/vmw_vsock/virtio_transport.c
+@@ -702,28 +702,27 @@ static int __init virtio_vsock_init(void
+ if (!virtio_vsock_workqueue)
+ return -ENOMEM;
+
+- ret = register_virtio_driver(&virtio_vsock_driver);
++ ret = vsock_core_init(&virtio_transport.transport);
+ if (ret)
+ goto out_wq;
+
+- ret = vsock_core_init(&virtio_transport.transport);
++ ret = register_virtio_driver(&virtio_vsock_driver);
+ if (ret)
+- goto out_vdr;
++ goto out_vci;
+
+ return 0;
+
+-out_vdr:
+- unregister_virtio_driver(&virtio_vsock_driver);
++out_vci:
++ vsock_core_exit();
+ out_wq:
+ destroy_workqueue(virtio_vsock_workqueue);
+ return ret;
+-
+ }
+
+ static void __exit virtio_vsock_exit(void)
+ {
+- vsock_core_exit();
+ unregister_virtio_driver(&virtio_vsock_driver);
++ vsock_core_exit();
+ destroy_workqueue(virtio_vsock_workqueue);
+ }
+
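Review bot: After the swap in `virtio_vsock_init()`, the transport is registered with the vsock core before any virtio device has been probed, so the transport callbacks can be reached from socket calls while no device exists yet. The same window exists in `virtio_vsock_exit()` between `unregister_virtio_driver()` and `vsock_core_exit()`. Those callbacks are outside this patch, so it should be confirmed that each one tolerates a missing device instead of dereferencing it. The ordering itself deserves a comment above the `vsock_core_init()` call, e.g. `/* core first: the rx worker calls into af_vsock as soon as a device is probed */`.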