From: Greg Kroah-Hartman Date: Tue, 23 Apr 2019 16:21:35 +0000 (+0200) Subject: 4.9-stable patches X-Git-Tag: v3.18.139~46 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=96ad98fcc4527303e358efb858c72b2f34efc9fa;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: bonding-fix-event-handling-for-stacked-bonds.patch ipv4-ensure-rcu_read_lock-in-ipv4_link_failure.patch ipv4-recompile-ip-options-in-ipv4_link_failure.patch net-atm-fix-potential-spectre-v1-vulnerabilities.patch net-bridge-fix-per-port-af_packet-sockets.patch net-bridge-multicast-use-rcu-to-access-port-list-from-br_multicast_start_querier.patch net-fou-do-not-use-guehdr-after-iptunnel_pull_offloads-in-gue_udp_recv.patch tcp-tcp_grow_window-needs-to-respect-tcp_space.patch team-set-slave-to-promisc-if-team-is-already-in-promisc-mode.patch vhost-reject-zero-size-iova-range.patch
---
diff --git a/queue-4.9/bonding-fix-event-handling-for-stacked-bonds.patch b/queue-4.9/bonding-fix-event-handling-for-stacked-bonds.patch
new file mode 100644
index 00000000000..546996ac73a
--- /dev/null
+++ b/queue-4.9/bonding-fix-event-handling-for-stacked-bonds.patch
@@ -0,0 +1,47 @@
+From foo@baz Tue 23 Apr 2019 05:35:42 PM CEST
+From: Sabrina Dubroca
+Date: Fri, 12 Apr 2019 15:04:10 +0200
+Subject: bonding: fix event handling for stacked bonds
+
+From: Sabrina Dubroca
+
+[ Upstream commit 92480b3977fd3884649d404cbbaf839b70035699 ]
+
+When a bond is enslaved to another bond, bond_netdev_event() only
+handles the event as if the bond is a master, and skips treating the
+bond as a slave.
+
+This leads to a refcount leak on the slave, since we don't remove the
+adjacency to its master and the master holds a reference on the slave.
+
+Reproducer:
+ ip link add bondL type bond
+ ip link add bondU type bond
+ ip link set bondL master bondU
+ ip link del bondL
+
+No "Fixes:" tag, this code is older than git history.
+
+Signed-off-by: Sabrina Dubroca
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/bonding/bond_main.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -3134,8 +3134,12 @@ static int bond_netdev_event(struct noti
+ return NOTIFY_DONE;
+
+ if (event_dev->flags & IFF_MASTER) {
++ int ret;
++
+ netdev_dbg(event_dev, "IFF_MASTER\n");
+- return bond_master_netdev_event(event, event_dev);
++ ret = bond_master_netdev_event(event, event_dev);
++ if (ret != NOTIFY_DONE)
++ return ret;
+ }
+
+ if (event_dev->flags & IFF_SLAVE) {
diff --git a/queue-4.9/ipv4-ensure-rcu_read_lock-in-ipv4_link_failure.patch b/queue-4.9/ipv4-ensure-rcu_read_lock-in-ipv4_link_failure.patch
new file mode 100644
index 00000000000..b9aa3901865
--- /dev/null
+++ b/queue-4.9/ipv4-ensure-rcu_read_lock-in-ipv4_link_failure.patch
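Review bot: The new fall-through in bond_netdev_event() carries no comment saying why a device flagged IFF_MASTER may still need the IFF_SLAVE path; the reason (a bond enslaved to another bond) is recorded only in the commit message. Above `ret = bond_master_netdev_event(event, event_dev);` I would add `/* a bond can itself be a slave of another bond: fall through unless the master handler consumed the event */`. The fall-through also depends on bond_master_netdev_event() returning NOTIFY_DONE for every event the slave path must still see, which cannot be confirmed from this hunk. The function body starts and ends outside the hunk.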
@@ -0,0 +1,88 @@
+From foo@baz Tue 23 Apr 2019 05:35:42 PM CEST
+From: Eric Dumazet
+Date: Sat, 13 Apr 2019 17:32:21 -0700
+Subject: ipv4: ensure rcu_read_lock() in ipv4_link_failure()
+
+From: Eric Dumazet
+
+[ Upstream commit c543cb4a5f07e09237ec0fc2c60c9f131b2c79ad ]
+
+fib_compute_spec_dst() needs to be called under rcu protection.
+
+syzbot reported :
+
+WARNING: suspicious RCU usage
+5.1.0-rc4+ #165 Not tainted
+include/linux/inetdevice.h:220 suspicious rcu_dereference_check() usage!
+
+other info that might help us debug this:
+
+rcu_scheduler_active = 2, debug_locks = 1
+1 lock held by swapper/0/0:
+ #0: 0000000051b67925 ((&n->timer)){+.-.}, at: lockdep_copy_map include/linux/lockdep.h:170 [inline]
+ #0: 0000000051b67925 ((&n->timer)){+.-.}, at: call_timer_fn+0xda/0x720 kernel/time/timer.c:1315
+
+stack backtrace:
+CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.1.0-rc4+ #165
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x172/0x1f0 lib/dump_stack.c:113
+ lockdep_rcu_suspicious+0x153/0x15d kernel/locking/lockdep.c:5162
+ __in_dev_get_rcu include/linux/inetdevice.h:220 [inline]
+ fib_compute_spec_dst+0xbbd/0x1030 net/ipv4/fib_frontend.c:294
+ spec_dst_fill net/ipv4/ip_options.c:245 [inline]
+ __ip_options_compile+0x15a7/0x1a10 net/ipv4/ip_options.c:343
+ ipv4_link_failure+0x172/0x400 net/ipv4/route.c:1195
+ dst_link_failure include/net/dst.h:427 [inline]
+ arp_error_report+0xd1/0x1c0 net/ipv4/arp.c:297
+ neigh_invalidate+0x24b/0x570 net/core/neighbour.c:995
+ neigh_timer_handler+0xc35/0xf30 net/core/neighbour.c:1081
+ call_timer_fn+0x190/0x720 kernel/time/timer.c:1325
+ expire_timers kernel/time/timer.c:1362 [inline]
+ __run_timers kernel/time/timer.c:1681 [inline]
+ __run_timers kernel/time/timer.c:1649 [inline]
+ run_timer_softirq+0x652/0x1700 kernel/time/timer.c:1694
+ __do_softirq+0x266/0x95a kernel/softirq.c:293
+ invoke_softirq kernel/softirq.c:374 [inline]
+ irq_exit+0x180/0x1d0 kernel/softirq.c:414
+ exiting_irq arch/x86/include/asm/apic.h:536 [inline]
+ smp_apic_timer_interrupt+0x14a/0x570 arch/x86/kernel/apic/apic.c:1062
+ apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:807
+
+Fixes: ed0de45a1008 ("ipv4: recompile ip options in ipv4_link_failure")
+Signed-off-by: Eric Dumazet
+Reported-by: syzbot
+Cc: Stephen Suryaputra
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv4/route.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/net/ipv4/route.c
++++ b/net/ipv4/route.c
+@@ -1170,14 +1170,20 @@ static struct dst_entry *ipv4_dst_check(
+
+ static void ipv4_link_failure(struct sk_buff *skb)
+ {
+- struct rtable *rt;
+ struct ip_options opt;
++ struct rtable *rt;
++ int res;
+
+ /* Recompile ip options since IPCB may not be valid anymore.
+ */
+ memset(&opt, 0, sizeof(opt));
+ opt.optlen = ip_hdr(skb)->ihl*4 - sizeof(struct iphdr);
+- if (__ip_options_compile(dev_net(skb->dev), &opt, skb, NULL))
++
++ rcu_read_lock();
++ res = __ip_options_compile(dev_net(skb->dev), &opt, skb, NULL);
++ rcu_read_unlock();
++
++ if (res)
+ return;
+
+ __icmp_send(skb, ICMP_DEST_UNREACH, ICMP_HOST_UNREACH, 0, &opt);
diff --git a/queue-4.9/ipv4-recompile-ip-options-in-ipv4_link_failure.patch b/queue-4.9/ipv4-recompile-ip-options-in-ipv4_link_failure.patch
new file mode 100644
index 00000000000..ad697cfc8be
--- /dev/null
+++ b/queue-4.9/ipv4-recompile-ip-options-in-ipv4_link_failure.patch
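Review bot: `opt.optlen = ip_hdr(skb)->ihl*4 - sizeof(struct iphdr);` in ipv4_link_failure() takes ihl straight from the packet header with no lower bound, so an ihl below 5 would make the subtraction wrap before the result is stored in opt.optlen and handed to __ip_options_compile(). The line is context in this patch and is added by ipv4-recompile-ip-options-in-ipv4_link_failure.patch further down; neither patch validates the header first. A guard ahead of the memset, for example `if (ip_hdr(skb)->version != 4 || ip_hdr(skb)->ihl < 5) return;`, together with a pskb_network_may_pull() check that the full header length is in the linear data, would close this. Whether every caller already guarantees a sane header is not visible from the hunk, and the function continues past it.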
@@ -0,0 +1,42 @@
+From foo@baz Tue 23 Apr 2019 05:35:42 PM CEST
+From: Stephen Suryaputra
+Date: Fri, 12 Apr 2019 16:19:27 -0400
+Subject: ipv4: recompile ip options in ipv4_link_failure
+
+From: Stephen Suryaputra
+
+[ Upstream commit ed0de45a1008991fdaa27a0152befcb74d126a8b ]
+
+Recompile IP options since IPCB may not be valid anymore when
+ipv4_link_failure is called from arp_error_report.
+
+Refer to the commit 3da1ed7ac398 ("net: avoid use IPCB in cipso_v4_error")
+and the commit before that (9ef6b42ad6fd) for a similar issue.
+
+Signed-off-by: Stephen Suryaputra
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv4/route.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/net/ipv4/route.c
++++ b/net/ipv4/route.c
+@@ -1171,8 +1171,16 @@ static struct dst_entry *ipv4_dst_check(
+ static void ipv4_link_failure(struct sk_buff *skb)
+ {
+ struct rtable *rt;
++ struct ip_options opt;
+
+- icmp_send(skb, ICMP_DEST_UNREACH, ICMP_HOST_UNREACH, 0);
++ /* Recompile ip options since IPCB may not be valid anymore.
++ */
++ memset(&opt, 0, sizeof(opt));
++ opt.optlen = ip_hdr(skb)->ihl*4 - sizeof(struct iphdr);
++ if (__ip_options_compile(dev_net(skb->dev), &opt, skb, NULL))
++ return;
++
++ __icmp_send(skb, ICMP_DEST_UNREACH, ICMP_HOST_UNREACH, 0, &opt);
+
+ rt = skb_rtable(skb);
+ if (rt)
diff --git a/queue-4.9/net-atm-fix-potential-spectre-v1-vulnerabilities.patch b/queue-4.9/net-atm-fix-potential-spectre-v1-vulnerabilities.patch
new file mode 100644
index 00000000000..08573793240
--- /dev/null
+++ b/queue-4.9/net-atm-fix-potential-spectre-v1-vulnerabilities.patch
@@ -0,0 +1,53 @@
+From foo@baz Tue 23 Apr 2019 05:35:42 PM CEST
+From: "Gustavo A. R. Silva"
+Date: Mon, 15 Apr 2019 15:57:23 -0500
+Subject: net: atm: Fix potential Spectre v1 vulnerabilities
+
+From: "Gustavo A. R. Silva"
+
+[ Upstream commit 899537b73557aafbdd11050b501cf54b4f5c45af ]
+
+arg is controlled by user-space, hence leading to a potential
+exploitation of the Spectre variant 1 vulnerability.
+
+This issue was detected with the help of Smatch:
+
+net/atm/lec.c:715 lec_mcast_attach() warn: potential spectre issue 'dev_lec' [r] (local cap)
+
+Fix this by sanitizing arg before using it to index dev_lec.
+
+Notice that given that speculation windows are large, the policy is
+to kill the speculation on the first load and not worry if it can be
+completed with a dependent load/store [1].
+
+[1] https://lore.kernel.org/lkml/20180423164740.GY17484@dhcp22.suse.cz/
+
+Signed-off-by: Gustavo A. R. Silva
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/atm/lec.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/net/atm/lec.c
++++ b/net/atm/lec.c
+@@ -721,7 +721,10 @@ static int lec_vcc_attach(struct atm_vcc
+
+ static int lec_mcast_attach(struct atm_vcc *vcc, int arg)
+ {
+- if (arg < 0 || arg >= MAX_LEC_ITF || !dev_lec[arg])
++ if (arg < 0 || arg >= MAX_LEC_ITF)
++ return -EINVAL;
++ arg = array_index_nospec(arg, MAX_LEC_ITF);
++ if (!dev_lec[arg])
+ return -EINVAL;
+ vcc->proto_data = dev_lec[arg];
+ return lec_mcast_make(netdev_priv(dev_lec[arg]), vcc);
+@@ -739,6 +742,7 @@ static int lecd_attach(struct atm_vcc *v
+ i = arg;
+ if (arg >= MAX_LEC_ITF)
+ return -EINVAL;
++ i = array_index_nospec(arg, MAX_LEC_ITF);
+ if (!dev_lec[i]) {
+ int size;
+
diff --git a/queue-4.9/net-bridge-fix-per-port-af_packet-sockets.patch b/queue-4.9/net-bridge-fix-per-port-af_packet-sockets.patch
new file mode 100644
index 00000000000..7e2520983f8
--- /dev/null
+++ b/queue-4.9/net-bridge-fix-per-port-af_packet-sockets.patch
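Review bot: In lecd_attach() the added `i = array_index_nospec(arg, MAX_LEC_ITF);` masks `arg` rather than `i`, so it overwrites whatever value `i` was given before the bounds check (the context shows `i = arg;`, and the lines above the hunk are not visible). If `i` is clamped for a negative `arg` up there, the index now depends on array_index_nospec() yielding 0 for an out-of-range value instead of on that explicit assignment. Writing `i = array_index_nospec(i, MAX_LEC_ITF);` keeps the validated index and the sanitized index in the same variable, the way lec_mcast_attach() does with `arg` in the first hunk. The function body starts and ends outside the hunk.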
@@ -0,0 +1,77 @@
+From foo@baz Tue 23 Apr 2019 05:35:42 PM CEST
+From: Nikolay Aleksandrov
+Date: Thu, 11 Apr 2019 13:56:39 +0300
+Subject: net: bridge: fix per-port af_packet sockets
+
+From: Nikolay Aleksandrov
+
+[ Upstream commit 3b2e2904deb314cc77a2192f506f2fd44e3d10d0 ]
+
+When the commit below was introduced it changed two visible things:
+ - the skb was no longer passed through the protocol handlers with the
+ original device
+ - the skb was passed up the stack with skb->dev = bridge
+
+The first change broke af_packet sockets on bridge ports. For example we
+use them for hostapd which listens for ETH_P_PAE packets on the ports.
+We discussed two possible fixes:
+ - create a clone and pass it through NF_HOOK(), act on the original skb
+ based on the result
+ - somehow signal to the caller from the okfn() that it was called,
+ meaning the skb is ok to be passed, which this patch is trying to
+ implement via returning 1 from the bridge link-local okfn()
+
+Note that we rely on the fact that NF_QUEUE/STOLEN would return 0 and
+drop/error would return < 0 thus the okfn() is called only when the
+return was 1, so we signal to the caller that it was called by preserving
+the return value from nf_hook().
+
+Fixes: 8626c56c8279 ("bridge: fix potential use-after-free when hook returns QUEUE or STOLEN verdict")
+Signed-off-by: Nikolay Aleksandrov
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/bridge/br_input.c | 23 ++++++++++++++---------
+ 1 file changed, 14 insertions(+), 9 deletions(-)
+
+--- a/net/bridge/br_input.c
++++ b/net/bridge/br_input.c
+@@ -231,13 +231,10 @@ static void __br_handle_local_finish(str
+ /* note: already called with rcu_read_lock */
+ static int br_handle_local_finish(struct net *net, struct sock *sk, struct sk_buff *skb)
+ {
+- struct net_bridge_port *p = br_port_get_rcu(skb->dev);
+-
+ __br_handle_local_finish(skb);
+
+- BR_INPUT_SKB_CB(skb)->brdev = p->br->dev;
+- br_pass_frame_up(skb);
+- return 0;
++ /* return 1 to signal the okfn() was called so it's ok to use the skb */
++ return 1;
+ }
+
+ /*
+@@ -308,10 +305,18 @@ rx_handler_result_t br_handle_frame(stru
+ goto forward;
+ }
+
+- /* Deliver packet to local host only */
+- NF_HOOK(NFPROTO_BRIDGE, NF_BR_LOCAL_IN, dev_net(skb->dev),
+- NULL, skb, skb->dev, NULL, br_handle_local_finish);
+- return RX_HANDLER_CONSUMED;
++ /* The else clause should be hit when nf_hook():
++ * - returns < 0 (drop/error)
++ * - returns = 0 (stolen/nf_queue)
++ * Thus return 1 from the okfn() to signal the skb is ok to pass
++ */
++ if (NF_HOOK(NFPROTO_BRIDGE, NF_BR_LOCAL_IN,
++ dev_net(skb->dev), NULL, skb, skb->dev, NULL,
++ br_handle_local_finish) == 1) {
++ return RX_HANDLER_PASS;
++ } else {
++ return RX_HANDLER_CONSUMED;
++ }
+ }
+
+ forward:
diff --git a/queue-4.9/net-bridge-multicast-use-rcu-to-access-port-list-from-br_multicast_start_querier.patch b/queue-4.9/net-bridge-multicast-use-rcu-to-access-port-list-from-br_multicast_start_querier.patch
new file mode 100644
index 00000000000..5f841bf15fa
--- /dev/null
+++ b/queue-4.9/net-bridge-multicast-use-rcu-to-access-port-list-from-br_multicast_start_querier.patch
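Review bot: br_handle_frame() and br_handle_local_finish() are now tied together by the bare literal `1` (`return 1;` in the okfn, `== 1` on the NF_HOOK() result), and the `else` after `return RX_HANDLER_PASS;` is redundant. Since the skb may only be touched again when the okfn actually ran, a mismatch between the two literals would silently reintroduce use of a queued or stolen skb, so the contract deserves one name shared by both sites rather than two comments. The tail of the second hunk can simply be the `if (...) return RX_HANDLER_PASS;` followed by an unconditional `return RX_HANDLER_CONSUMED;`. Both functions extend beyond the hunks shown.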
@@ -0,0 +1,41 @@
+From foo@baz Tue 23 Apr 2019 05:35:42 PM CEST
+From: Nikolay Aleksandrov
+Date: Thu, 11 Apr 2019 15:08:25 +0300
+Subject: net: bridge: multicast: use rcu to access port list from br_multicast_start_querier
+
+From: Nikolay Aleksandrov
+
+[ Upstream commit c5b493ce192bd7a4e7bd073b5685aad121eeef82 ]
+
+br_multicast_start_querier() walks over the port list but it can be
+called from a timer with only multicast_lock held which doesn't protect
+the port list, so use RCU to walk over it.
+
+Fixes: c83b8fab06fc ("bridge: Restart queries when last querier expires")
+Signed-off-by: Nikolay Aleksandrov
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/bridge/br_multicast.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/bridge/br_multicast.c
++++ b/net/bridge/br_multicast.c
+@@ -1983,7 +1983,8 @@ static void br_multicast_start_querier(s
+
+ __br_multicast_open(br, query);
+
+- list_for_each_entry(port, &br->port_list, list) {
++ rcu_read_lock();
++ list_for_each_entry_rcu(port, &br->port_list, list) {
+ if (port->state == BR_STATE_DISABLED ||
+ port->state == BR_STATE_BLOCKING)
+ continue;
+@@ -1995,6 +1996,7 @@ static void br_multicast_start_querier(s
+ br_multicast_enable(&port->ip6_own_query);
+ #endif
+ }
++ rcu_read_unlock();
+ }
+
+ int br_multicast_toggle(struct net_bridge *br, unsigned long val)
diff --git a/queue-4.9/net-fou-do-not-use-guehdr-after-iptunnel_pull_offloads-in-gue_udp_recv.patch b/queue-4.9/net-fou-do-not-use-guehdr-after-iptunnel_pull_offloads-in-gue_udp_recv.patch
new file mode 100644
index 00000000000..c3770f1bd34
--- /dev/null
+++ b/queue-4.9/net-fou-do-not-use-guehdr-after-iptunnel_pull_offloads-in-gue_udp_recv.patch
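Review bot: The rcu_read_lock()/rcu_read_unlock() pair added around the port walk in br_multicast_start_querier() has no comment, so the locking rule it encodes is recorded only in the commit message. Above `rcu_read_lock();` I would add `/* may run from a timer with only multicast_lock held, which does not protect port_list */`, so the pair is not later removed as redundant. The loop body between the two hunks is not visible, so whether everything called inside it is safe in an RCU read-side section cannot be confirmed from here.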
@@ -0,0 +1,48 @@
+From foo@baz Tue 23 Apr 2019 05:35:42 PM CEST
+From: Lorenzo Bianconi
+Date: Tue, 9 Apr 2019 11:47:20 +0200
+Subject: net: fou: do not use guehdr after iptunnel_pull_offloads in gue_udp_recv
+
+From: Lorenzo Bianconi
+
+[ Upstream commit 988dc4a9a3b66be75b30405a5494faf0dc7cffb6 ]
+
+gue tunnels run iptunnel_pull_offloads on received skbs. This can
+determine a possible use-after-free accessing guehdr pointer since
+the packet will be 'uncloned' running pskb_expand_head if it is a
+cloned gso skb (e.g if the packet has been sent though a veth device)
+
+Fixes: a09a4c8dd1ec ("tunnels: Remove encapsulation offloads on decap")
+Signed-off-by: Lorenzo Bianconi
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv4/fou.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/ipv4/fou.c
++++ b/net/ipv4/fou.c
+@@ -119,6 +119,7 @@ static int gue_udp_recv(struct sock *sk,
+ struct guehdr *guehdr;
+ void *data;
+ u16 doffset = 0;
++ u8 proto_ctype;
+
+ if (!fou)
+ return 1;
+@@ -210,13 +211,14 @@ static int gue_udp_recv(struct sock *sk,
+ if (unlikely(guehdr->control))
+ return gue_control_message(skb, guehdr);
+
++ proto_ctype = guehdr->proto_ctype;
+ __skb_pull(skb, sizeof(struct udphdr) + hdrlen);
+ skb_reset_transport_header(skb);
+
+ if (iptunnel_pull_offloads(skb))
+ goto drop;
+
+- return -guehdr->proto_ctype;
++ return -proto_ctype;
+
+ drop:
+ kfree_skb(skb);
diff --git a/queue-4.9/series b/queue-4.9/series
new file mode 100644
index 00000000000..fef7f5de652
--- /dev/null
+++ b/queue-4.9/series
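Review bot: Nothing at the new `proto_ctype = guehdr->proto_ctype;` line says why the field is copied early, so a later edit could reintroduce a guehdr dereference after iptunnel_pull_offloads(). A short comment there, such as `/* guehdr may point to freed memory once iptunnel_pull_offloads() unclones the skb */`, would record the lifetime rule at the place it matters. The first hunk also shows `void *data;` declared next to guehdr; if it points into the same header it is subject to the same limit, which cannot be checked from the visible lines. gue_udp_recv() starts before and continues between the two hunks.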
@@ -0,0 +1,10 @@
+bonding-fix-event-handling-for-stacked-bonds.patch
+net-atm-fix-potential-spectre-v1-vulnerabilities.patch
+net-bridge-fix-per-port-af_packet-sockets.patch
+net-bridge-multicast-use-rcu-to-access-port-list-from-br_multicast_start_querier.patch
+net-fou-do-not-use-guehdr-after-iptunnel_pull_offloads-in-gue_udp_recv.patch
+tcp-tcp_grow_window-needs-to-respect-tcp_space.patch
+team-set-slave-to-promisc-if-team-is-already-in-promisc-mode.patch
+vhost-reject-zero-size-iova-range.patch
+ipv4-recompile-ip-options-in-ipv4_link_failure.patch
+ipv4-ensure-rcu_read_lock-in-ipv4_link_failure.patch
diff --git a/queue-4.9/tcp-tcp_grow_window-needs-to-respect-tcp_space.patch b/queue-4.9/tcp-tcp_grow_window-needs-to-respect-tcp_space.patch
new file mode 100644
index 00000000000..af7fce8ef43
--- /dev/null
+++ b/queue-4.9/tcp-tcp_grow_window-needs-to-respect-tcp_space.patch
@@ -0,0 +1,63 @@
+From foo@baz Tue 23 Apr 2019 05:35:42 PM CEST
+From: Eric Dumazet
+Date: Tue, 16 Apr 2019 10:55:20 -0700
+Subject: tcp: tcp_grow_window() needs to respect tcp_space()
+
+From: Eric Dumazet
+
+[ Upstream commit 50ce163a72d817a99e8974222dcf2886d5deb1ae ]
+
+For some reason, tcp_grow_window() correctly tests if enough room
+is present before attempting to increase tp->rcv_ssthresh,
+but does not prevent it to grow past tcp_space()
+
+This is causing hard to debug issues, like failing
+the (__tcp_select_window(sk) >= tp->rcv_wnd) test
+in __tcp_ack_snd_check(), causing ACK delays and possibly
+slow flows.
+
+Depending on tcp_rmem[2], MTU, skb->len/skb->truesize ratio,
+we can see the problem happening on "netperf -t TCP_RR -- -r 2000,2000"
+after about 60 round trips, when the active side no longer sends
+immediate acks.
+
+This bug predates git history.
+
+Signed-off-by: Eric Dumazet
+Acked-by: Soheil Hassas Yeganeh
+Acked-by: Neal Cardwell
+Acked-by: Wei Wang
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv4/tcp_input.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -389,11 +389,12 @@ static int __tcp_grow_window(const struc
+ static void tcp_grow_window(struct sock *sk, const struct sk_buff *skb)
+ {
+ struct tcp_sock *tp = tcp_sk(sk);
++ int room;
++
++ room = min_t(int, tp->window_clamp, tcp_space(sk)) - tp->rcv_ssthresh;
+
+ /* Check #1 */
+- if (tp->rcv_ssthresh < tp->window_clamp &&
+- (int)tp->rcv_ssthresh < tcp_space(sk) &&
+- !tcp_under_memory_pressure(sk)) {
++ if (room > 0 && !tcp_under_memory_pressure(sk)) {
+ int incr;
+
+ /* Check #2. Increase window, if skb with such overhead
+@@ -406,8 +407,7 @@ static void tcp_grow_window(struct sock
+
+ if (incr) {
+ incr = max_t(int, incr, 2 * skb->len);
+- tp->rcv_ssthresh = min(tp->rcv_ssthresh + incr,
+- tp->window_clamp);
++ tp->rcv_ssthresh += min(room, incr);
+ inet_csk(sk)->icsk_ack.quick |= 1;
+ }
+ }
diff --git a/queue-4.9/team-set-slave-to-promisc-if-team-is-already-in-promisc-mode.patch b/queue-4.9/team-set-slave-to-promisc-if-team-is-already-in-promisc-mode.patch
new file mode 100644
index 00000000000..5a5a448903a
--- /dev/null
+++ b/queue-4.9/team-set-slave-to-promisc-if-team-is-already-in-promisc-mode.patch
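Review bot: `room = min_t(int, tp->window_clamp, tcp_space(sk)) - tp->rcv_ssthresh;` subtracts rcv_ssthresh from a signed minimum without the explicit cast the removed condition used (`(int)tp->rcv_ssthresh`), which suggests the field is unsigned. If so, the subtraction is carried out in unsigned arithmetic and only turns negative again on assignment to `int room`; that works, but it hides the fact that the `room > 0` test depends on a signed result. Writing the tail as `- (int)tp->rcv_ssthresh;` keeps the comparison visibly signed, as the old code did. tcp_grow_window() continues between and after the two hunks.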
@@ -0,0 +1,73 @@
+From foo@baz Tue 23 Apr 2019 05:35:42 PM CEST
+From: Hangbin Liu
+Date: Mon, 8 Apr 2019 16:45:17 +0800
+Subject: team: set slave to promisc if team is already in promisc mode
+
+From: Hangbin Liu
+
+[ Upstream commit 43c2adb9df7ddd6560fd3546d925b42cef92daa0 ]
+
+After adding a team interface to bridge, the team interface will enter
+promisc mode. Then if we add a new slave to team0, the slave will keep
+promisc off. Fix it by setting slave to promisc on if team master is
+already in promisc mode, also do the same for allmulti.
+
+v2: add promisc and allmulti checking when delete ports
+
+Fixes: 3d249d4ca7d0 ("net: introduce ethernet teaming device")
+Signed-off-by: Hangbin Liu
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/team/team.c | 26 ++++++++++++++++++++++++++
+ 1 file changed, 26 insertions(+)
+
+--- a/drivers/net/team/team.c
++++ b/drivers/net/team/team.c
+@@ -1251,6 +1251,23 @@ static int team_port_add(struct team *te
+ goto err_option_port_add;
+ }
+
++ /* set promiscuity level to new slave */
++ if (dev->flags & IFF_PROMISC) {
++ err = dev_set_promiscuity(port_dev, 1);
++ if (err)
++ goto err_set_slave_promisc;
++ }
++
++ /* set allmulti level to new slave */
++ if (dev->flags & IFF_ALLMULTI) {
++ err = dev_set_allmulti(port_dev, 1);
++ if (err) {
++ if (dev->flags & IFF_PROMISC)
++ dev_set_promiscuity(port_dev, -1);
++ goto err_set_slave_promisc;
++ }
++ }
++
+ netif_addr_lock_bh(dev);
+ dev_uc_sync_multiple(port_dev, dev);
+ dev_mc_sync_multiple(port_dev, dev);
+@@ -1267,6 +1284,9 @@ static int team_port_add(struct team *te
+
+ return 0;
+
++err_set_slave_promisc:
++ __team_option_inst_del_port(team, port);
++
+ err_option_port_add:
+ team_upper_dev_unlink(team, port);
+
+@@ -1312,6 +1332,12 @@ static int team_port_del(struct team *te
+
+ team_port_disable(team, port);
+ list_del_rcu(&port->list);
++
++ if (dev->flags & IFF_PROMISC)
++ dev_set_promiscuity(port_dev, -1);
++ if (dev->flags & IFF_ALLMULTI)
++ dev_set_allmulti(port_dev, -1);
++
+ team_upper_dev_unlink(team, port);
+ netdev_rx_handler_unregister(port_dev);
+ team_port_disable_netpoll(port);
diff --git a/queue-4.9/vhost-reject-zero-size-iova-range.patch b/queue-4.9/vhost-reject-zero-size-iova-range.patch
new file mode 100644
index 00000000000..38a98381fb9
--- /dev/null
+++ b/queue-4.9/vhost-reject-zero-size-iova-range.patch
@@ -0,0 +1,38 @@
+From foo@baz Tue 23 Apr 2019 05:35:42 PM CEST
+From: Jason Wang
+Date: Tue, 9 Apr 2019 12:10:25 +0800
+Subject: vhost: reject zero size iova range
+
+From: Jason Wang
+
+[ Upstream commit 813dbeb656d6c90266f251d8bd2b02d445afa63f ]
+
+We used to accept zero size iova range which will lead a infinite loop
+in translate_desc(). Fixing this by failing the request in this case.
+
+Reported-by: syzbot+d21e6e297322a900c128@syzkaller.appspotmail.com
+Fixes: 6b1e6cc7 ("vhost: new device IOTLB API")
+Signed-off-by: Jason Wang
+Acked-by: Michael S. Tsirkin
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/vhost/vhost.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/vhost/vhost.c
++++ b/drivers/vhost/vhost.c
+@@ -863,8 +863,12 @@ static int vhost_new_umem_range(struct v
+ u64 start, u64 size, u64 end,
+ u64 userspace_addr, int perm)
+ {
+- struct vhost_umem_node *tmp, *node = kmalloc(sizeof(*node), GFP_ATOMIC);
++ struct vhost_umem_node *tmp, *node;
+
++ if (!size)
++ return -EFAULT;
++
++ node = kmalloc(sizeof(*node), GFP_ATOMIC);
+ if (!node)
+ return -ENOMEM;
+
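Review bot: In team_port_add() the failure branch of dev_set_allmulti() undoes the promiscuity change inline (`dev_set_promiscuity(port_dev, -1);`) and then jumps to err_set_slave_promisc, whereas the rest of the function unwinds through labels. A dedicated `err_set_slave_allmulti:` label placed directly above `err_set_slave_promisc:`, holding the conditional promiscuity decrement and falling through, would keep every undo step in the unwind ladder and make the label name match the step that failed. The team_port_del() hunk decrements based on `dev->flags` at removal time and ignores both return values; that is only balanced if the team's flags are always propagated to its ports while they are attached, which these hunks do not show. Both functions extend beyond the hunks.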
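Review bot: The added `if (!size) return -EFAULT;` in vhost_new_umem_range() rejects only an empty range; `end` is still accepted as passed and nothing in the hunk checks it against `start` and `size`. If callers derive `end` as `start + size - 1` from user-supplied values, a wrapped sum would give `end < start`, and whether that is filtered earlier is not visible here. Extending the guard to `if (!size || end < start)` would be cheap, and a one-line comment such as `/* a zero-size range makes translate_desc() loop forever */` would record why the check exists. The function body continues past the hunk.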