From: Greg Kroah-Hartman Date: Mon, 20 Sep 2021 09:10:15 +0000 (+0200) Subject: 4.14-stable patches X-Git-Tag: v4.4.284~36 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=92fb9386eb68434daf208352d8d6ca58f183877d;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: dccp-don-t-duplicate-ccid-when-cloning-dccp-sock.patch events-reuse-value-read-using-read_once-instead-of-re-reading-it.patch ibmvnic-check-failover_pending-in-login-response.patch net-af_unix-fix-a-data-race-in-unix_dgram_poll.patch net-caif-avoid-user-triggerable-warn_on-1.patch net-l2tp-fix-reference-count-leak-in-l2tp_udp_recv_core.patch ptp-dp83640-don-t-define-page0.patch r6040-restore-mdio-clock-frequency-after-mac-reset.patch revert-ipv4-fix-memory-leaks-in-ip_cmsg_send-callers.patch tcp-fix-tp-undo_retrans-accounting-in-tcp_sacktag_one.patch tipc-increase-timeout-in-tipc_sk_enqueue.patch --- diff --git a/queue-4.14/dccp-don-t-duplicate-ccid-when-cloning-dccp-sock.patch b/queue-4.14/dccp-don-t-duplicate-ccid-when-cloning-dccp-sock.patch new file mode 100644 index 00000000000..83e1b905159 --- /dev/null +++ b/queue-4.14/dccp-don-t-duplicate-ccid-when-cloning-dccp-sock.patch @@ -0,0 +1,41 @@ +From d9ea761fdd197351890418acd462c51f241014a7 Mon Sep 17 00:00:00 2001 +From: "Lin, Zhenpeng" +Date: Wed, 8 Sep 2021 03:40:59 +0000 +Subject: dccp: don't duplicate ccid when cloning dccp sock + +From: Lin, Zhenpeng + +commit d9ea761fdd197351890418acd462c51f241014a7 upstream. + +Commit 2677d2067731 ("dccp: don't free ccid2_hc_tx_sock ...") fixed +a UAF but reintroduced CVE-2017-6074. + +When the sock is cloned, two dccps_hc_tx_ccid will reference to the +same ccid. So one can free the ccid object twice from two socks after +cloning. + +This issue was found by "Hadar Manor" as well and assigned with +CVE-2020-16119, which was fixed in Ubuntu's kernel. So here I port +the patch from Ubuntu to fix it. + +The patch prevents cloned socks from referencing the same ccid. + +Fixes: 2677d2067731410 ("dccp: don't free ccid2_hc_tx_sock ...") +Signed-off-by: Zhenpeng Lin +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/dccp/minisocks.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/net/dccp/minisocks.c ++++ b/net/dccp/minisocks.c +@@ -98,6 +98,8 @@ struct sock *dccp_create_openreq_child(c + newdp->dccps_role = DCCP_ROLE_SERVER; + newdp->dccps_hc_rx_ackvec = NULL; + newdp->dccps_service_list = NULL; ++ newdp->dccps_hc_rx_ccid = NULL; ++ newdp->dccps_hc_tx_ccid = NULL; + newdp->dccps_service = dreq->dreq_service; + newdp->dccps_timestamp_echo = dreq->dreq_timestamp_echo; + newdp->dccps_timestamp_time = dreq->dreq_timestamp_time; diff --git a/queue-4.14/events-reuse-value-read-using-read_once-instead-of-re-reading-it.patch b/queue-4.14/events-reuse-value-read-using-read_once-instead-of-re-reading-it.patch new file mode 100644 index 00000000000..b1695a80fe6 --- /dev/null +++ b/queue-4.14/events-reuse-value-read-using-read_once-instead-of-re-reading-it.patch @@ -0,0 +1,36 @@ +From b89a05b21f46150ac10a962aa50109250b56b03b Mon Sep 17 00:00:00 2001 +From: Baptiste Lepers +Date: Mon, 6 Sep 2021 11:53:10 +1000 +Subject: events: Reuse value read using READ_ONCE instead of re-reading it + +From: Baptiste Lepers + +commit b89a05b21f46150ac10a962aa50109250b56b03b upstream. + +In perf_event_addr_filters_apply, the task associated with +the event (event->ctx->task) is read using READ_ONCE at the beginning +of the function, checked, and then re-read from event->ctx->task, +voiding all guarantees of the checks. Reuse the value that was read by +READ_ONCE to ensure the consistency of the task struct throughout the +function. + +Fixes: 375637bc52495 ("perf/core: Introduce address range filtering") +Signed-off-by: Baptiste Lepers +Signed-off-by: Peter Zijlstra (Intel) +Link: https://lkml.kernel.org/r/20210906015310.12802-1-baptiste.lepers@gmail.com +Signed-off-by: Greg Kroah-Hartman +--- + kernel/events/core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/kernel/events/core.c ++++ b/kernel/events/core.c +@@ -8435,7 +8435,7 @@ static void perf_event_addr_filters_appl + if (!ifh->nr_file_filters) + return; + +- mm = get_task_mm(event->ctx->task); ++ mm = get_task_mm(task); + if (!mm) + goto restart; + diff --git a/queue-4.14/ibmvnic-check-failover_pending-in-login-response.patch b/queue-4.14/ibmvnic-check-failover_pending-in-login-response.patch new file mode 100644 index 00000000000..7f70dfedde5 --- /dev/null +++ b/queue-4.14/ibmvnic-check-failover_pending-in-login-response.patch @@ -0,0 +1,38 @@ +From 273c29e944bda9a20a30c26cfc34c9a3f363280b Mon Sep 17 00:00:00 2001 +From: Sukadev Bhattiprolu +Date: Wed, 8 Sep 2021 09:58:20 -0700 +Subject: ibmvnic: check failover_pending in login response + +From: Sukadev Bhattiprolu + +commit 273c29e944bda9a20a30c26cfc34c9a3f363280b upstream. + +If a failover occurs before a login response is received, the login +response buffer maybe undefined. Check that there was no failover +before accessing the login response buffer. + +Fixes: 032c5e82847a ("Driver for IBM System i/p VNIC protocol") +Signed-off-by: Sukadev Bhattiprolu +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/ibm/ibmvnic.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/drivers/net/ethernet/ibm/ibmvnic.c ++++ b/drivers/net/ethernet/ibm/ibmvnic.c +@@ -3965,6 +3965,14 @@ static int ibmvnic_probe(struct vio_dev + goto ibmvnic_init_fail; + } while (rc == EAGAIN); + ++ if (adapter->failover_pending) { ++ adapter->init_done_rc = -EAGAIN; ++ netdev_dbg(netdev, "Failover pending, ignoring login response\n"); ++ complete(&adapter->init_done); ++ /* login response buffer will be released on reset */ ++ return 0; ++ } ++ + netdev->mtu = adapter->req_mtu - ETH_HLEN; + + rc = device_create_file(&dev->dev, &dev_attr_failover); diff --git a/queue-4.14/net-af_unix-fix-a-data-race-in-unix_dgram_poll.patch b/queue-4.14/net-af_unix-fix-a-data-race-in-unix_dgram_poll.patch new file mode 100644 index 00000000000..4b718990992 --- /dev/null +++ b/queue-4.14/net-af_unix-fix-a-data-race-in-unix_dgram_poll.patch @@ -0,0 +1,97 @@ +From 04f08eb44b5011493d77b602fdec29ff0f5c6cd5 Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Wed, 8 Sep 2021 17:00:29 -0700 +Subject: net/af_unix: fix a data-race in unix_dgram_poll + +From: Eric Dumazet + +commit 04f08eb44b5011493d77b602fdec29ff0f5c6cd5 upstream. + +syzbot reported another data-race in af_unix [1] + +Lets change __skb_insert() to use WRITE_ONCE() when changing +skb head qlen. + +Also, change unix_dgram_poll() to use lockless version +of unix_recvq_full() + +It is verry possible we can switch all/most unix_recvq_full() +to the lockless version, this will be done in a future kernel version. + +[1] HEAD commit: 8596e589b787732c8346f0482919e83cc9362db1 + +BUG: KCSAN: data-race in skb_queue_tail / unix_dgram_poll + +write to 0xffff88814eeb24e0 of 4 bytes by task 25815 on cpu 0: + __skb_insert include/linux/skbuff.h:1938 [inline] + __skb_queue_before include/linux/skbuff.h:2043 [inline] + __skb_queue_tail include/linux/skbuff.h:2076 [inline] + skb_queue_tail+0x80/0xa0 net/core/skbuff.c:3264 + unix_dgram_sendmsg+0xff2/0x1600 net/unix/af_unix.c:1850 + sock_sendmsg_nosec net/socket.c:703 [inline] + sock_sendmsg net/socket.c:723 [inline] + ____sys_sendmsg+0x360/0x4d0 net/socket.c:2392 + ___sys_sendmsg net/socket.c:2446 [inline] + __sys_sendmmsg+0x315/0x4b0 net/socket.c:2532 + __do_sys_sendmmsg net/socket.c:2561 [inline] + __se_sys_sendmmsg net/socket.c:2558 [inline] + __x64_sys_sendmmsg+0x53/0x60 net/socket.c:2558 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x3d/0x90 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +read to 0xffff88814eeb24e0 of 4 bytes by task 25834 on cpu 1: + skb_queue_len include/linux/skbuff.h:1869 [inline] + unix_recvq_full net/unix/af_unix.c:194 [inline] + unix_dgram_poll+0x2bc/0x3e0 net/unix/af_unix.c:2777 + sock_poll+0x23e/0x260 net/socket.c:1288 + vfs_poll include/linux/poll.h:90 [inline] + ep_item_poll fs/eventpoll.c:846 [inline] + ep_send_events fs/eventpoll.c:1683 [inline] + ep_poll fs/eventpoll.c:1798 [inline] + do_epoll_wait+0x6ad/0xf00 fs/eventpoll.c:2226 + __do_sys_epoll_wait fs/eventpoll.c:2238 [inline] + __se_sys_epoll_wait fs/eventpoll.c:2233 [inline] + __x64_sys_epoll_wait+0xf6/0x120 fs/eventpoll.c:2233 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x3d/0x90 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +value changed: 0x0000001b -> 0x00000001 + +Reported by Kernel Concurrency Sanitizer on: +CPU: 1 PID: 25834 Comm: syz-executor.1 Tainted: G W 5.14.0-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 + +Fixes: 86b18aaa2b5b ("skbuff: fix a data race in skb_queue_len()") +Cc: Qian Cai +Signed-off-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/skbuff.h | 2 +- + net/unix/af_unix.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +--- a/include/linux/skbuff.h ++++ b/include/linux/skbuff.h +@@ -1758,7 +1758,7 @@ static inline void __skb_insert(struct s + WRITE_ONCE(newsk->prev, prev); + WRITE_ONCE(next->prev, newsk); + WRITE_ONCE(prev->next, newsk); +- list->qlen++; ++ WRITE_ONCE(list->qlen, list->qlen + 1); + } + + static inline void __skb_queue_splice(const struct sk_buff_head *list, +--- a/net/unix/af_unix.c ++++ b/net/unix/af_unix.c +@@ -2742,7 +2742,7 @@ static unsigned int unix_dgram_poll(stru + + other = unix_peer(sk); + if (other && unix_peer(other) != sk && +- unix_recvq_full(other) && ++ unix_recvq_full_lockless(other) && + unix_dgram_peer_wake_me(sk, other)) + writable = 0; + diff --git a/queue-4.14/net-caif-avoid-user-triggerable-warn_on-1.patch b/queue-4.14/net-caif-avoid-user-triggerable-warn_on-1.patch new file mode 100644 index 00000000000..e34b99c873a --- /dev/null +++ b/queue-4.14/net-caif-avoid-user-triggerable-warn_on-1.patch @@ -0,0 +1,112 @@ +From 550ac9c1aaaaf51fd42e20d461f0b1cdbd55b3d2 Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Mon, 13 Sep 2021 11:08:36 -0700 +Subject: net-caif: avoid user-triggerable WARN_ON(1) + +From: Eric Dumazet + +commit 550ac9c1aaaaf51fd42e20d461f0b1cdbd55b3d2 upstream. + +syszbot triggers this warning, which looks something +we can easily prevent. + +If we initialize priv->list_field in chnl_net_init(), +then always use list_del_init(), we can remove robust_list_del() +completely. + +WARNING: CPU: 0 PID: 3233 at net/caif/chnl_net.c:67 robust_list_del net/caif/chnl_net.c:67 [inline] +WARNING: CPU: 0 PID: 3233 at net/caif/chnl_net.c:67 chnl_net_uninit+0xc9/0x2e0 net/caif/chnl_net.c:375 +Modules linked in: +CPU: 0 PID: 3233 Comm: syz-executor.3 Not tainted 5.14.0-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +RIP: 0010:robust_list_del net/caif/chnl_net.c:67 [inline] +RIP: 0010:chnl_net_uninit+0xc9/0x2e0 net/caif/chnl_net.c:375 +Code: 89 eb e8 3a a3 ba f8 48 89 d8 48 c1 e8 03 42 80 3c 28 00 0f 85 bf 01 00 00 48 81 fb 00 14 4e 8d 48 8b 2b 75 d0 e8 17 a3 ba f8 <0f> 0b 5b 5d 41 5c 41 5d e9 0a a3 ba f8 4c 89 e3 e8 02 a3 ba f8 4c +RSP: 0018:ffffc90009067248 EFLAGS: 00010202 +RAX: 0000000000008780 RBX: ffffffff8d4e1400 RCX: ffffc9000fd34000 +RDX: 0000000000040000 RSI: ffffffff88bb6e49 RDI: 0000000000000003 +RBP: ffff88802cd9ee08 R08: 0000000000000000 R09: ffffffff8d0e6647 +R10: ffffffff88bb6dc2 R11: 0000000000000000 R12: ffff88803791ae08 +R13: dffffc0000000000 R14: 00000000e600ffce R15: ffff888073ed3480 +FS: 00007fed10fa0700(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000001b2c322000 CR3: 00000000164a6000 CR4: 00000000001506e0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + register_netdevice+0xadf/0x1500 net/core/dev.c:10347 + ipcaif_newlink+0x4c/0x260 net/caif/chnl_net.c:468 + __rtnl_newlink+0x106d/0x1750 net/core/rtnetlink.c:3458 + rtnl_newlink+0x64/0xa0 net/core/rtnetlink.c:3506 + rtnetlink_rcv_msg+0x413/0xb80 net/core/rtnetlink.c:5572 + netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2504 + netlink_unicast_kernel net/netlink/af_netlink.c:1314 [inline] + netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1340 + netlink_sendmsg+0x86d/0xdb0 net/netlink/af_netlink.c:1929 + sock_sendmsg_nosec net/socket.c:704 [inline] + sock_sendmsg+0xcf/0x120 net/socket.c:724 + __sys_sendto+0x21c/0x320 net/socket.c:2036 + __do_sys_sendto net/socket.c:2048 [inline] + __se_sys_sendto net/socket.c:2044 [inline] + __x64_sys_sendto+0xdd/0x1b0 net/socket.c:2044 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +Fixes: cc36a070b590 ("net-caif: add CAIF netdevice") +Signed-off-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/caif/chnl_net.c | 19 +++---------------- + 1 file changed, 3 insertions(+), 16 deletions(-) + +--- a/net/caif/chnl_net.c ++++ b/net/caif/chnl_net.c +@@ -54,20 +54,6 @@ struct chnl_net { + enum caif_states state; + }; + +-static void robust_list_del(struct list_head *delete_node) +-{ +- struct list_head *list_node; +- struct list_head *n; +- ASSERT_RTNL(); +- list_for_each_safe(list_node, n, &chnl_net_list) { +- if (list_node == delete_node) { +- list_del(list_node); +- return; +- } +- } +- WARN_ON(1); +-} +- + static int chnl_recv_cb(struct cflayer *layr, struct cfpkt *pkt) + { + struct sk_buff *skb; +@@ -369,6 +355,7 @@ static int chnl_net_init(struct net_devi + ASSERT_RTNL(); + priv = netdev_priv(dev); + strncpy(priv->name, dev->name, sizeof(priv->name)); ++ INIT_LIST_HEAD(&priv->list_field); + return 0; + } + +@@ -377,7 +364,7 @@ static void chnl_net_uninit(struct net_d + struct chnl_net *priv; + ASSERT_RTNL(); + priv = netdev_priv(dev); +- robust_list_del(&priv->list_field); ++ list_del_init(&priv->list_field); + } + + static const struct net_device_ops netdev_ops = { +@@ -542,7 +529,7 @@ static void __exit chnl_exit_module(void + rtnl_lock(); + list_for_each_safe(list_node, _tmp, &chnl_net_list) { + dev = list_entry(list_node, struct chnl_net, list_field); +- list_del(list_node); ++ list_del_init(list_node); + delete_device(dev); + } + rtnl_unlock(); diff --git a/queue-4.14/net-l2tp-fix-reference-count-leak-in-l2tp_udp_recv_core.patch b/queue-4.14/net-l2tp-fix-reference-count-leak-in-l2tp_udp_recv_core.patch new file mode 100644 index 00000000000..6f422366aac --- /dev/null +++ b/queue-4.14/net-l2tp-fix-reference-count-leak-in-l2tp_udp_recv_core.patch @@ -0,0 +1,43 @@ +From 9b6ff7eb666415e1558f1ba8a742f5db6a9954de Mon Sep 17 00:00:00 2001 +From: Xiyu Yang +Date: Thu, 9 Sep 2021 12:32:00 +0800 +Subject: net/l2tp: Fix reference count leak in l2tp_udp_recv_core + +From: Xiyu Yang + +commit 9b6ff7eb666415e1558f1ba8a742f5db6a9954de upstream. + +The reference count leak issue may take place in an error handling +path. If both conditions of tunnel->version == L2TP_HDR_VER_3 and the +return value of l2tp_v3_ensure_opt_in_linear is nonzero, the function +would directly jump to label invalid, without decrementing the reference +count of the l2tp_session object session increased earlier by +l2tp_tunnel_get_session(). This may result in refcount leaks. + +Fix this issue by decrease the reference count before jumping to the +label invalid. + +Fixes: 4522a70db7aa ("l2tp: fix reading optional fields of L2TPv3") +Signed-off-by: Xiyu Yang +Signed-off-by: Xin Xiong +Signed-off-by: Xin Tan +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/l2tp/l2tp_core.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/net/l2tp/l2tp_core.c ++++ b/net/l2tp/l2tp_core.c +@@ -994,8 +994,10 @@ static int l2tp_udp_recv_core(struct l2t + } + + if (tunnel->version == L2TP_HDR_VER_3 && +- l2tp_v3_ensure_opt_in_linear(session, skb, &ptr, &optr)) ++ l2tp_v3_ensure_opt_in_linear(session, skb, &ptr, &optr)) { ++ l2tp_session_dec_refcount(session); + goto error; ++ } + + l2tp_recv_common(session, skb, ptr, optr, hdrflags, length, payload_hook); + l2tp_session_dec_refcount(session); diff --git a/queue-4.14/ptp-dp83640-don-t-define-page0.patch b/queue-4.14/ptp-dp83640-don-t-define-page0.patch new file mode 100644 index 00000000000..6f7797f82b4 --- /dev/null +++ b/queue-4.14/ptp-dp83640-don-t-define-page0.patch @@ -0,0 +1,46 @@ +From 7366c23ff492ad260776a3ee1aaabba9fc773a8b Mon Sep 17 00:00:00 2001 +From: Randy Dunlap +Date: Mon, 13 Sep 2021 15:06:05 -0700 +Subject: ptp: dp83640: don't define PAGE0 + +From: Randy Dunlap + +commit 7366c23ff492ad260776a3ee1aaabba9fc773a8b upstream. + +Building dp83640.c on arch/parisc/ produces a build warning for +PAGE0 being redefined. Since the macro is not used in the dp83640 +driver, just make it a comment for documentation purposes. + +In file included from ../drivers/net/phy/dp83640.c:23: +../drivers/net/phy/dp83640_reg.h:8: warning: "PAGE0" redefined + 8 | #define PAGE0 0x0000 + from ../drivers/net/phy/dp83640.c:11: +../arch/parisc/include/asm/page.h:187: note: this is the location of the previous definition + 187 | #define PAGE0 ((struct zeropage *)__PAGE_OFFSET) + +Fixes: cb646e2b02b2 ("ptp: Added a clock driver for the National Semiconductor PHYTER.") +Signed-off-by: Randy Dunlap +Reported-by: Geert Uytterhoeven +Cc: Richard Cochran +Cc: John Stultz +Cc: Heiner Kallweit +Cc: Russell King +Reviewed-by: Andrew Lunn +Link: https://lore.kernel.org/r/20210913220605.19682-1-rdunlap@infradead.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/phy/dp83640_reg.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/phy/dp83640_reg.h ++++ b/drivers/net/phy/dp83640_reg.h +@@ -5,7 +5,7 @@ + #ifndef HAVE_DP83640_REGISTERS + #define HAVE_DP83640_REGISTERS + +-#define PAGE0 0x0000 ++/* #define PAGE0 0x0000 */ + #define PHYCR2 0x001c /* PHY Control Register 2 */ + + #define PAGE4 0x0004 diff --git a/queue-4.14/r6040-restore-mdio-clock-frequency-after-mac-reset.patch b/queue-4.14/r6040-restore-mdio-clock-frequency-after-mac-reset.patch new file mode 100644 index 00000000000..d21e648d883 --- /dev/null +++ b/queue-4.14/r6040-restore-mdio-clock-frequency-after-mac-reset.patch @@ -0,0 +1,73 @@ +From e3f0cc1a945fcefec0c7c9d9dfd028a51daa1846 Mon Sep 17 00:00:00 2001 +From: Florian Fainelli +Date: Thu, 9 Sep 2021 10:33:28 -0700 +Subject: r6040: Restore MDIO clock frequency after MAC reset + +From: Florian Fainelli + +commit e3f0cc1a945fcefec0c7c9d9dfd028a51daa1846 upstream. + +A number of users have reported that they were not able to get the PHY +to successfully link up, especially after commit c36757eb9dee ("net: +phy: consider AN_RESTART status when reading link status") where we +stopped reading just BMSR, but we also read BMCR to determine the link +status. + +Andrius at NetBSD did a wonderful job at debugging the problem +and found out that the MDIO bus clock frequency would be incorrectly set +back to its default value which would prevent the MDIO bus controller +from reading PHY registers properly. Back when we only read BMSR, if we +read all 1s, we could falsely indicate a link status, though in general +there is a cable plugged in, so this went unnoticed. After a second read +of BMCR was added, a wrong read will lead to the inability to determine +a link UP condition which is when it started to be visibly broken, even +if it was long before that. + +The fix consists in restoring the value of the MD_CSR register that was +set prior to the MAC reset. + +Link: http://gnats.netbsd.org/cgi-bin/query-pr-single.pl?number=53494 +Fixes: 90f750a81a29 ("r6040: consolidate MAC reset to its own function") +Reported-by: Andrius V +Reported-by: Darek Strugacz +Tested-by: Darek Strugacz +Signed-off-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/rdc/r6040.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/rdc/r6040.c ++++ b/drivers/net/ethernet/rdc/r6040.c +@@ -133,6 +133,8 @@ + #define PHY_ST 0x8A /* PHY status register */ + #define MAC_SM 0xAC /* MAC status machine */ + #define MAC_SM_RST 0x0002 /* MAC status machine reset */ ++#define MD_CSC 0xb6 /* MDC speed control register */ ++#define MD_CSC_DEFAULT 0x0030 + #define MAC_ID 0xBE /* Identifier register */ + + #define TX_DCNT 0x80 /* TX descriptor count */ +@@ -368,8 +370,9 @@ static void r6040_reset_mac(struct r6040 + { + void __iomem *ioaddr = lp->base; + int limit = MAC_DEF_TIMEOUT; +- u16 cmd; ++ u16 cmd, md_csc; + ++ md_csc = ioread16(ioaddr + MD_CSC); + iowrite16(MAC_RST, ioaddr + MCR1); + while (limit--) { + cmd = ioread16(ioaddr + MCR1); +@@ -381,6 +384,10 @@ static void r6040_reset_mac(struct r6040 + iowrite16(MAC_SM_RST, ioaddr + MAC_SM); + iowrite16(0, ioaddr + MAC_SM); + mdelay(5); ++ ++ /* Restore MDIO clock frequency */ ++ if (md_csc != MD_CSC_DEFAULT) ++ iowrite16(md_csc, ioaddr + MD_CSC); + } + + static void r6040_init_mac_regs(struct net_device *dev) diff --git a/queue-4.14/revert-ipv4-fix-memory-leaks-in-ip_cmsg_send-callers.patch b/queue-4.14/revert-ipv4-fix-memory-leaks-in-ip_cmsg_send-callers.patch new file mode 100644 index 00000000000..8b4133b1a64 --- /dev/null +++ b/queue-4.14/revert-ipv4-fix-memory-leaks-in-ip_cmsg_send-callers.patch @@ -0,0 +1,80 @@ +From d7807a9adf4856171f8441f13078c33941df48ab Mon Sep 17 00:00:00 2001 +From: Yajun Deng +Date: Mon, 13 Sep 2021 12:04:42 +0800 +Subject: Revert "ipv4: fix memory leaks in ip_cmsg_send() callers" + +From: Yajun Deng + +commit d7807a9adf4856171f8441f13078c33941df48ab upstream. + +This reverts commit 919483096bfe75dda338e98d56da91a263746a0a. + +There is only when ip_options_get() return zero need to free. +It already called kfree() when return error. + +Fixes: 919483096bfe ("ipv4: fix memory leaks in ip_cmsg_send() callers") +Signed-off-by: Yajun Deng +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/ip_sockglue.c | 2 +- + net/ipv4/ping.c | 5 ++--- + net/ipv4/raw.c | 5 ++--- + net/ipv4/udp.c | 4 +--- + 4 files changed, 6 insertions(+), 10 deletions(-) + +--- a/net/ipv4/ip_sockglue.c ++++ b/net/ipv4/ip_sockglue.c +@@ -277,7 +277,7 @@ int ip_cmsg_send(struct sock *sk, struct + case IP_RETOPTS: + err = cmsg->cmsg_len - sizeof(struct cmsghdr); + +- /* Our caller is responsible for freeing ipc->opt */ ++ /* Our caller is responsible for freeing ipc->opt when err = 0 */ + err = ip_options_get(net, &ipc->opt, CMSG_DATA(cmsg), + err < 40 ? err : 40); + if (err) +--- a/net/ipv4/ping.c ++++ b/net/ipv4/ping.c +@@ -749,10 +749,9 @@ static int ping_v4_sendmsg(struct sock * + + if (msg->msg_controllen) { + err = ip_cmsg_send(sk, msg, &ipc, false); +- if (unlikely(err)) { +- kfree(ipc.opt); ++ if (unlikely(err)) + return err; +- } ++ + if (ipc.opt) + free = 1; + } +--- a/net/ipv4/raw.c ++++ b/net/ipv4/raw.c +@@ -571,10 +571,9 @@ static int raw_sendmsg(struct sock *sk, + + if (msg->msg_controllen) { + err = ip_cmsg_send(sk, msg, &ipc, false); +- if (unlikely(err)) { +- kfree(ipc.opt); ++ if (unlikely(err)) + goto out; +- } ++ + if (ipc.opt) + free = 1; + } +--- a/net/ipv4/udp.c ++++ b/net/ipv4/udp.c +@@ -955,10 +955,8 @@ int udp_sendmsg(struct sock *sk, struct + + if (msg->msg_controllen) { + err = ip_cmsg_send(sk, msg, &ipc, sk->sk_family == AF_INET6); +- if (unlikely(err)) { +- kfree(ipc.opt); ++ if (unlikely(err)) + return err; +- } + if (ipc.opt) + free = 1; + connected = 0; diff --git a/queue-4.14/series b/queue-4.14/series index a587678e2ff..329b500274a 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -192,3 +192,14 @@ xen-reset-legacy-rtc-flag-for-pv-domu.patch bnx2x-fix-enabling-network-interfaces-without-vfs.patch pm-base-power-don-t-try-to-use-non-existing-rtc-for-storing-data.patch x86-mm-fix-kern_addr_valid-to-cope-with-existing-but-not-present-entries.patch +net-caif-avoid-user-triggerable-warn_on-1.patch +ptp-dp83640-don-t-define-page0.patch +dccp-don-t-duplicate-ccid-when-cloning-dccp-sock.patch +net-l2tp-fix-reference-count-leak-in-l2tp_udp_recv_core.patch +r6040-restore-mdio-clock-frequency-after-mac-reset.patch +tipc-increase-timeout-in-tipc_sk_enqueue.patch +events-reuse-value-read-using-read_once-instead-of-re-reading-it.patch +net-af_unix-fix-a-data-race-in-unix_dgram_poll.patch +revert-ipv4-fix-memory-leaks-in-ip_cmsg_send-callers.patch +tcp-fix-tp-undo_retrans-accounting-in-tcp_sacktag_one.patch +ibmvnic-check-failover_pending-in-login-response.patch diff --git a/queue-4.14/tcp-fix-tp-undo_retrans-accounting-in-tcp_sacktag_one.patch b/queue-4.14/tcp-fix-tp-undo_retrans-accounting-in-tcp_sacktag_one.patch new file mode 100644 index 00000000000..80198a5c750 --- /dev/null +++ b/queue-4.14/tcp-fix-tp-undo_retrans-accounting-in-tcp_sacktag_one.patch @@ -0,0 +1,42 @@ +From 4f884f3962767877d7aabbc1ec124d2c307a4257 Mon Sep 17 00:00:00 2001 +From: zhenggy +Date: Tue, 14 Sep 2021 09:51:15 +0800 +Subject: tcp: fix tp->undo_retrans accounting in tcp_sacktag_one() + +From: zhenggy + +commit 4f884f3962767877d7aabbc1ec124d2c307a4257 upstream. + +Commit 10d3be569243 ("tcp-tso: do not split TSO packets at retransmit +time") may directly retrans a multiple segments TSO/GSO packet without +split, Since this commit, we can no longer assume that a retransmitted +packet is a single segment. + +This patch fixes the tp->undo_retrans accounting in tcp_sacktag_one() +that use the actual segments(pcount) of the retransmitted packet. + +Before that commit (10d3be569243), the assumption underlying the +tp->undo_retrans-- seems correct. + +Fixes: 10d3be569243 ("tcp-tso: do not split TSO packets at retransmit time") +Signed-off-by: zhenggy +Reviewed-by: Eric Dumazet +Acked-by: Yuchung Cheng +Acked-by: Neal Cardwell +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/tcp_input.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/ipv4/tcp_input.c ++++ b/net/ipv4/tcp_input.c +@@ -1225,7 +1225,7 @@ static u8 tcp_sacktag_one(struct sock *s + if (dup_sack && (sacked & TCPCB_RETRANS)) { + if (tp->undo_marker && tp->undo_retrans > 0 && + after(end_seq, tp->undo_marker)) +- tp->undo_retrans--; ++ tp->undo_retrans = max_t(int, 0, tp->undo_retrans - pcount); + if (sacked & TCPCB_SACKED_ACKED) + state->reord = min(fack_count, state->reord); + } diff --git a/queue-4.14/tipc-increase-timeout-in-tipc_sk_enqueue.patch b/queue-4.14/tipc-increase-timeout-in-tipc_sk_enqueue.patch new file mode 100644 index 00000000000..fcfaeff1f5d --- /dev/null +++ b/queue-4.14/tipc-increase-timeout-in-tipc_sk_enqueue.patch @@ -0,0 +1,39 @@ +From f4bb62e64c88c93060c051195d3bbba804e56945 Mon Sep 17 00:00:00 2001 +From: Hoang Le +Date: Mon, 13 Sep 2021 16:28:52 +0700 +Subject: tipc: increase timeout in tipc_sk_enqueue() + +From: Hoang Le + +commit f4bb62e64c88c93060c051195d3bbba804e56945 upstream. + +In tipc_sk_enqueue() we use hardcoded 2 jiffies to extract +socket buffer from generic queue to particular socket. +The 2 jiffies is too short in case there are other high priority +tasks get CPU cycles for multiple jiffies update. As result, no +buffer could be enqueued to particular socket. + +To solve this, we switch to use constant timeout 20msecs. +Then, the function will be expired between 2 jiffies (CONFIG_100HZ) +and 20 jiffies (CONFIG_1000HZ). + +Fixes: c637c1035534 ("tipc: resolve race problem at unicast message reception") +Acked-by: Jon Maloy +Signed-off-by: Hoang Le +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/tipc/socket.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/tipc/socket.c ++++ b/net/tipc/socket.c +@@ -1775,7 +1775,7 @@ static int tipc_backlog_rcv(struct sock + static void tipc_sk_enqueue(struct sk_buff_head *inputq, struct sock *sk, + u32 dport, struct sk_buff_head *xmitq) + { +- unsigned long time_limit = jiffies + 2; ++ unsigned long time_limit = jiffies + usecs_to_jiffies(20000); + struct sk_buff *skb; + unsigned int lim; + atomic_t *dcnt;