From: Greg Kroah-Hartman Date: Fri, 25 Sep 2020 07:57:22 +0000 (+0200) Subject: 5.4-stable patches X-Git-Tag: v4.19.148~14 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=990edd29cc0b0f46c58a48c8dd69a0895b048b86;p=thirdparty%2Fkernel%2Fstable-queue.git 5.4-stable patches added patches: act_ife-load-meta-modules-before-tcf_idr_check_alloc.patch bnxt_en-avoid-sending-firmware-messages-when-aer-error-is-detected.patch bnxt_en-fix-null-ptr-dereference-crash-in-bnxt_fw_reset_task.patch bnxt_en-protect-bnxt_set_eee-and-bnxt_set_pauseparam-with-mutex.patch bnxt_en-return-proper-error-codes-in-bnxt_show_temp.patch cxgb4-fix-memory-leak-during-module-unload.patch cxgb4-fix-offset-when-clearing-filter-byte-counters.patch geneve-add-transport-ports-in-route-lookup-for-geneve.patch hdlc_ppp-add-range-checks-in-ppp_cp_parse_cr.patch ip-fix-tos-reflection-in-ack-and-reset-packets.patch ipv4-initialize-flowi4_multipath_hash-in-data-path.patch ipv4-update-exception-handling-for-multipath-routes-via-same-device.patch ipv6-avoid-lockdep-issue-in-fib6_del.patch net-add-__must_check-to-skb_put_padto.patch net-bridge-br_vlan_get_pvid_rcu-should-dereference-the-vlan-group-under-rcu.patch net-dcb-validate-dcb_attr_dcb_buffer-argument.patch net-dsa-rtl8366-properly-clear-member-config.patch net-fix-bridge-enslavement-failure.patch net-ipv6-fix-kconfig-dependency-warning-for-ipv6_seg6_hmac.patch net-lantiq-disable-irqs-only-if-napi-gets-scheduled.patch net-lantiq-use-napi_complete_done.patch net-lantiq-use-netif_tx_napi_add-for-tx-napi.patch net-lantiq-wake-tx-queue-again.patch net-mlx5-fix-fte-cleanup.patch net-mlx5e-enable-adding-peer-miss-rules-only-if-merged-eswitch-is-supported.patch net-mlx5e-tls-do-not-expose-fpga-tls-counter-if-not-supported.patch net-phy-avoid-npd-upon-phy_detach-when-driver-is-unbound.patch net-phy-do-not-warn-in-phy_stop-on-phy_down.patch net-qrtr-check-skb_put_padto-return-value.patch 
net-sch_generic-aviod-concurrent-reset-and-enqueue-op-for-lockless-qdisc.patch net-sctp-fix-ipv6-ancestor_size-calc-in-sctp_copy_descendant.patch nfp-use-correct-define-to-return-none-fec.patch taprio-fix-allowing-too-small-intervals.patch tipc-fix-memory-leak-in-tipc_group_create_member.patch tipc-fix-shutdown-of-connection-oriented-socket.patch tipc-use-skb_unshare-instead-in-tipc_buf_append.patch
---
diff --git a/queue-5.4/act_ife-load-meta-modules-before-tcf_idr_check_alloc.patch b/queue-5.4/act_ife-load-meta-modules-before-tcf_idr_check_alloc.patch
new file mode 100644
index 00000000000..7a5f89c0cca
--- /dev/null
+++ b/queue-5.4/act_ife-load-meta-modules-before-tcf_idr_check_alloc.patch
@@ -0,0 +1,118 @@
+From foo@baz Fri Sep 25 09:56:48 AM CEST 2020
+From: Cong Wang
+Date: Thu, 3 Sep 2020 19:10:11 -0700
+Subject: act_ife: load meta modules before tcf_idr_check_alloc()
+
+From: Cong Wang
+
+[ Upstream commit cc8e58f8325cdf14b9516b61c384cdfd02a4f408 ]
+
+The following deadlock scenario is triggered by syzbot:
+
+Thread A: Thread B:
+tcf_idr_check_alloc()
+...
+populate_metalist()
+ rtnl_unlock()
+ rtnl_lock()
+ ...
+ request_module() tcf_idr_check_alloc()
+ rtnl_lock()
+
+At this point, thread A is waiting for thread B to release RTNL
+lock, while thread B is waiting for thread A to commit the IDR
+change with tcf_idr_insert() later.
+
+Break this deadlock situation by preloading ife modules earlier,
+before tcf_idr_check_alloc(), this is fine because we only need
+to load modules we need potentially.
+
+Reported-and-tested-by: syzbot+80e32b5d1f9923f8ace6@syzkaller.appspotmail.com
+Fixes: 0190c1d452a9 ("net: sched: atomically check-allocate action")
+Cc: Jamal Hadi Salim
+Cc: Vlad Buslov
+Cc: Jiri Pirko
+Signed-off-by: Cong Wang
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/sched/act_ife.c | 44 ++++++++++++++++++++++++++++++++++----------
+ 1 file changed, 34 insertions(+), 10 deletions(-)
+
+--- a/net/sched/act_ife.c
++++ b/net/sched/act_ife.c
+@@ -436,6 +436,25 @@ static void tcf_ife_cleanup(struct tc_ac
+ kfree_rcu(p, rcu);
+ }
+
++static int load_metalist(struct nlattr **tb, bool rtnl_held)
++{
++ int i;
++
++ for (i = 1; i < max_metacnt; i++) {
++ if (tb[i]) {
++ void *val = nla_data(tb[i]);
++ int len = nla_len(tb[i]);
++ int rc;
++
++ rc = load_metaops_and_vet(i, val, len, rtnl_held);
++ if (rc != 0)
++ return rc;
++ }
++ }
++
++ return 0;
++}
++
+ static int populate_metalist(struct tcf_ife_info *ife, struct nlattr **tb,
+ bool exists, bool rtnl_held)
+ {
+@@ -449,10 +468,6 @@ static int populate_metalist(struct tcf_
+ val = nla_data(tb[i]);
+ len = nla_len(tb[i]);
+
+- rc = load_metaops_and_vet(i, val, len, rtnl_held);
+- if (rc != 0)
+- return rc;
+-
+ rc = add_metainfo(ife, i, val, len, exists);
+ if (rc)
+ return rc;
+@@ -508,6 +523,21 @@ static int tcf_ife_init(struct net *net,
+ if (!p)
+ return -ENOMEM;
+
++ if (tb[TCA_IFE_METALST]) {
++ err = nla_parse_nested_deprecated(tb2, IFE_META_MAX,
++ tb[TCA_IFE_METALST], NULL,
++ NULL);
++ if (err) {
++ kfree(p);
++ return err;
++ }
++ err = load_metalist(tb2, rtnl_held);
++ if (err) {
++ kfree(p);
++ return err;
++ }
++ }
++
+ index = parm->index;
+ err = tcf_idr_check_alloc(tn, &index, a, bind);
+ if (err < 0) {
+@@ -569,15 +599,9 @@ static int tcf_ife_init(struct net *net,
+ }
+
+ if (tb[TCA_IFE_METALST]) {
+- err = nla_parse_nested_deprecated(tb2, IFE_META_MAX,
+- tb[TCA_IFE_METALST], NULL,
+- NULL);
+- if (err)
+- goto metadata_parse_err;
+ err = populate_metalist(ife, tb2, exists, rtnl_held);
+ if (err)
+ goto metadata_parse_err;
+-
+ } else {
+ /* if no passed metadata allow list or passed allow-all
+ * then here we process by adding as many supported metadatum
diff --git a/queue-5.4/bnxt_en-avoid-sending-firmware-messages-when-aer-error-is-detected.patch b/queue-5.4/bnxt_en-avoid-sending-firmware-messages-when-aer-error-is-detected.patch
new file mode 100644
index 00000000000..0c7f42cc75e
--- /dev/null
+++ b/queue-5.4/bnxt_en-avoid-sending-firmware-messages-when-aer-error-is-detected.patch
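Review bot: load_metalist() carries no comment recording the ordering rule it exists for, so a later refactor could fold it back into populate_metalist() and reintroduce the deadlock described in the commit message. Going by that message, load_metaops_and_vet() may drop RTNL to call request_module(), which is why it has to run before tcf_idr_check_alloc(); a comment above the helper such as `/* May drop RTNL to load meta modules; must run before tcf_idr_check_alloc() */` would pin that down. The two added error branches in tcf_ife_init() both repeat `kfree(p); return err;` and could share one exit label. tcf_ife_init() starts and ends outside the hunks shown.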
@@ -0,0 +1,71 @@
+From foo@baz Fri Sep 25 09:56:48 AM CEST 2020
+From: Vasundhara Volam
+Date: Sat, 5 Sep 2020 22:55:36 -0400
+Subject: bnxt_en: Avoid sending firmware messages when AER error is detected.
+
+From: Vasundhara Volam
+
+[ Upstream commit b340dc680ed48dcc05b56e1ebe1b9535813c3ee0 ]
+
+When the driver goes through PCIe AER reset in error state, all
+firmware messages will timeout because the PCIe bus is no longer
+accessible. This can lead to AER reset taking many minutes to
+complete as each firmware command takes time to timeout.
+
+Define a new macro BNXT_NO_FW_ACCESS() to skip these firmware messages
+when either firmware is in fatal error state or when
+pci_channel_offline() is true. It now takes a more reasonable 20 to
+30 seconds to complete AER recovery.
+
+Fixes: b4fff2079d10 ("bnxt_en: Do not send firmware messages if firmware is in error state.")
+Signed-off-by: Vasundhara Volam
+Signed-off-by: Michael Chan
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt.c | 6 +++---
+ drivers/net/ethernet/broadcom/bnxt/bnxt.h | 4 ++++
+ 2 files changed, 7 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+@@ -4204,7 +4204,7 @@ static int bnxt_hwrm_do_send_msg(struct
+ u32 bar_offset = BNXT_GRCPF_REG_CHIMP_COMM;
+ u16 dst = BNXT_HWRM_CHNL_CHIMP;
+
+- if (test_bit(BNXT_STATE_FW_FATAL_COND, &bp->state))
++ if (BNXT_NO_FW_ACCESS(bp))
+ return -EBUSY;
+
+ if (msg_len > BNXT_HWRM_MAX_REQ_LEN) {
+@@ -5539,7 +5539,7 @@ static int hwrm_ring_free_send_msg(struc
+ struct hwrm_ring_free_output *resp = bp->hwrm_cmd_resp_addr;
+ u16 error_code;
+
+- if (test_bit(BNXT_STATE_FW_FATAL_COND, &bp->state))
++ if (BNXT_NO_FW_ACCESS(bp))
+ return 0;
+
+ bnxt_hwrm_cmd_hdr_init(bp, &req, HWRM_RING_FREE, cmpl_ring_id, -1);
+@@ -7454,7 +7454,7 @@ static int bnxt_set_tpa(struct bnxt *bp,
+
+ if (set_tpa)
+ tpa_flags = bp->flags & BNXT_FLAG_TPA;
+- else if (test_bit(BNXT_STATE_FW_FATAL_COND, &bp->state))
++ else if (BNXT_NO_FW_ACCESS(bp))
+ return 0;
+ for (i = 0; i < bp->nr_vnics; i++) {
+ rc = bnxt_hwrm_vnic_set_tpa(bp, i, tpa_flags);
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.h
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.h
+@@ -1628,6 +1628,10 @@ struct bnxt {
+ #define BNXT_STATE_ABORT_ERR 5
+ #define BNXT_STATE_FW_FATAL_COND 6
+
++#define BNXT_NO_FW_ACCESS(bp) \
++ (test_bit(BNXT_STATE_FW_FATAL_COND, &(bp)->state) || \
++ pci_channel_offline((bp)->pdev))
++
+ struct bnxt_irq *irq_tbl;
+ int total_irqs;
+ u8 mac_addr[ETH_ALEN];
diff --git a/queue-5.4/bnxt_en-fix-null-ptr-dereference-crash-in-bnxt_fw_reset_task.patch b/queue-5.4/bnxt_en-fix-null-ptr-dereference-crash-in-bnxt_fw_reset_task.patch
new file mode 100644
index 00000000000..0b6b7fbcf89
--- /dev/null
+++ b/queue-5.4/bnxt_en-fix-null-ptr-dereference-crash-in-bnxt_fw_reset_task.patch
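Review bot: BNXT_NO_FW_ACCESS() expands `bp` twice, so an argument with side effects would be evaluated twice; the three call sites in this patch all pass a plain `bp`, so nothing misbehaves today. The macro is also undocumented, and a one-line comment such as `/* True when HWRM messages must be skipped: firmware in fatal state or PCI channel offline */` would tell the next caller when to use it. The callers react differently to the condition, `bnxt_hwrm_do_send_msg()` returns `-EBUSY` while `hwrm_ring_free_send_msg()` and `bnxt_set_tpa()` return 0, which is worth stating in that comment if it is intentional.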
@@ -0,0 +1,50 @@
+From foo@baz Fri Sep 25 09:56:48 AM CEST 2020
+From: Vasundhara Volam
+Date: Sat, 5 Sep 2020 22:55:37 -0400
+Subject: bnxt_en: Fix NULL ptr dereference crash in bnxt_fw_reset_task()
+
+From: Vasundhara Volam
+
+[ Upstream commit b16939b59cc00231a75d224fd058d22c9d064976 ]
+
+bnxt_fw_reset_task() which runs from a workqueue can race with
+bnxt_remove_one(). For example, if firmware reset and VF FLR are
+happening at about the same time.
+
+bnxt_remove_one() already cancels the workqueue and waits for it
+to finish, but we need to do this earlier before the devlink
+reporters are destroyed. This will guarantee that
+the devlink reporters will always be valid when bnxt_fw_reset_task()
+is still running.
+
+Fixes: b148bb238c02 ("bnxt_en: Fix possible crash in bnxt_fw_reset_task().")
+Reviewed-by: Edwin Peer
+Signed-off-by: Vasundhara Volam
+Signed-off-by: Michael Chan
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+@@ -11385,14 +11385,15 @@ static void bnxt_remove_one(struct pci_d
+ if (BNXT_PF(bp))
+ bnxt_sriov_disable(bp);
+
++ clear_bit(BNXT_STATE_IN_FW_RESET, &bp->state);
++ bnxt_cancel_sp_work(bp);
++ bp->sp_event = 0;
++
+ bnxt_dl_fw_reporters_destroy(bp, true);
+ pci_disable_pcie_error_reporting(pdev);
+ unregister_netdev(dev);
+ bnxt_dl_unregister(bp);
+ bnxt_shutdown_tc(bp);
+- clear_bit(BNXT_STATE_IN_FW_RESET, &bp->state);
+- bnxt_cancel_sp_work(bp);
+- bp->sp_event = 0;
+
+ bnxt_clear_int_mode(bp);
+ bnxt_hwrm_func_drv_unrgtr(bp);
diff --git a/queue-5.4/bnxt_en-protect-bnxt_set_eee-and-bnxt_set_pauseparam-with-mutex.patch b/queue-5.4/bnxt_en-protect-bnxt_set_eee-and-bnxt_set_pauseparam-with-mutex.patch
new file mode 100644
index 00000000000..d1e8d4783ba
--- /dev/null
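Review bot: In bnxt_remove_one() the slow-path work is now cancelled while the netdev is still registered, because `unregister_netdev(dev)` stays further down, after `bnxt_dl_fw_reporters_destroy(bp, true)`. Nothing visible in the hunk stops the work from being queued again in that window (for example from an open device or a timer, if those paths schedule it), in which case it could still run against the destroyed devlink reporters. Confirm that no path can re-queue the work after `bnxt_cancel_sp_work(bp)`, or, if the teardown order allows it, move `unregister_netdev(dev);` ahead of `clear_bit(BNXT_STATE_IN_FW_RESET, &bp->state);`. The rest of bnxt_remove_one() lies outside the hunk.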
+++ b/queue-5.4/bnxt_en-protect-bnxt_set_eee-and-bnxt_set_pauseparam-with-mutex.patch 
@@ -0,0 +1,109 @@
+From foo@baz Fri Sep 25 09:56:48 AM CEST 2020
+From: Michael Chan
+Date: Sun, 20 Sep 2020 21:08:56 -0400
+Subject: bnxt_en: Protect bnxt_set_eee() and bnxt_set_pauseparam() with mutex.
+
+From: Michael Chan
+
+[ Upstream commit a53906908148d64423398a62c4435efb0d09652c ]
+
+All changes related to bp->link_info require the protection of the
+link_lock mutex. It's not sufficient to rely just on RTNL.
+
+Fixes: 163e9ef63641 ("bnxt_en: Fix race when modifying pause settings.")
+Reviewed-by: Edwin Peer
+Signed-off-by: Michael Chan
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c | 31 ++++++++++++++--------
+ 1 file changed, 20 insertions(+), 11 deletions(-)
+
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c
+@@ -1665,9 +1665,12 @@ static int bnxt_set_pauseparam(struct ne
+ if (!BNXT_SINGLE_PF(bp))
+ return -EOPNOTSUPP;
+
++ mutex_lock(&bp->link_lock);
+ if (epause->autoneg) {
+- if (!(link_info->autoneg & BNXT_AUTONEG_SPEED))
+- return -EINVAL;
++ if (!(link_info->autoneg & BNXT_AUTONEG_SPEED)) {
++ rc = -EINVAL;
++ goto pause_exit;
++ }
+
+ link_info->autoneg |= BNXT_AUTONEG_FLOW_CTRL;
+ if (bp->hwrm_spec_code >= 0x10201)
+@@ -1688,11 +1691,11 @@ static int bnxt_set_pauseparam(struct ne
+ if (epause->tx_pause)
+ link_info->req_flow_ctrl |= BNXT_LINK_PAUSE_TX;
+
+- if (netif_running(dev)) {
+- mutex_lock(&bp->link_lock);
++ if (netif_running(dev))
+ rc = bnxt_hwrm_set_pause(bp);
+- mutex_unlock(&bp->link_lock);
+- }
++
++pause_exit:
++ mutex_unlock(&bp->link_lock);
+ return rc;
+ }
+
+@@ -2397,8 +2400,7 @@ static int bnxt_set_eee(struct net_devic
+ struct bnxt *bp = netdev_priv(dev);
+ struct ethtool_eee *eee = &bp->eee;
+ struct bnxt_link_info *link_info = &bp->link_info;
+- u32 advertising =
+- _bnxt_fw_to_ethtool_adv_spds(link_info->advertising, 0);
++ u32 advertising;
+ int rc = 0;
+
+ if (!BNXT_SINGLE_PF(bp))
+@@ -2407,19 +2409,23 @@ static int bnxt_set_eee(struct net_devic
+ if (!(bp->flags & BNXT_FLAG_EEE_CAP))
+ return -EOPNOTSUPP;
+
++ mutex_lock(&bp->link_lock);
++ advertising = _bnxt_fw_to_ethtool_adv_spds(link_info->advertising, 0);
+ if (!edata->eee_enabled)
+ goto eee_ok;
+
+ if (!(link_info->autoneg & BNXT_AUTONEG_SPEED)) {
+ netdev_warn(dev, "EEE requires autoneg\n");
+- return -EINVAL;
++ rc = -EINVAL;
++ goto eee_exit;
+ }
+ if (edata->tx_lpi_enabled) {
+ if (bp->lpi_tmr_hi && (edata->tx_lpi_timer > bp->lpi_tmr_hi ||
+ edata->tx_lpi_timer < bp->lpi_tmr_lo)) {
+ netdev_warn(dev, "Valid LPI timer range is %d and %d microsecs\n",
+ bp->lpi_tmr_lo, bp->lpi_tmr_hi);
+- return -EINVAL;
++ rc = -EINVAL;
++ goto eee_exit;
+ } else if (!bp->lpi_tmr_hi) {
+ edata->tx_lpi_timer = eee->tx_lpi_timer;
+ }
+@@ -2429,7 +2435,8 @@ static int bnxt_set_eee(struct net_devic
+ } else if (edata->advertised & ~advertising) {
+ netdev_warn(dev, "EEE advertised %x must be a subset of autoneg advertised speeds %x\n",
+ edata->advertised, advertising);
+- return -EINVAL;
++ rc = -EINVAL;
++ goto eee_exit;
+ }
+
+ eee->advertised = edata->advertised;
+@@ -2441,6 +2448,8 @@ eee_ok:
+ if (netif_running(dev))
+ rc = bnxt_hwrm_set_link_setting(bp, false, true);
+
++eee_exit:
++ mutex_unlock(&bp->link_lock);
+ return rc;
+ }
+
diff --git a/queue-5.4/bnxt_en-return-proper-error-codes-in-bnxt_show_temp.patch b/queue-5.4/bnxt_en-return-proper-error-codes-in-bnxt_show_temp.patch
new file mode 100644
index 00000000000..f0e2454eeca
--- /dev/null
+++ b/queue-5.4/bnxt_en-return-proper-error-codes-in-bnxt_show_temp.patch
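Review bot: bnxt_set_pauseparam() still writes `link_info->autoneg` and `link_info->req_flow_ctrl` before `bnxt_hwrm_set_pause(bp)` has succeeded, so a failed firmware call returns an error while the cached settings stay changed; bnxt_set_eee() follows the same pattern with `eee->advertised`. This predates the patch, but now that the whole update runs under `link_lock`, the old values could be saved and restored on `rc != 0` without opening a new race. Separately, `bnxt_hwrm_set_link_setting()` is newly called with `link_lock` held in bnxt_set_eee(); whether it or its callees take that mutex is not visible here and is worth confirming. Both functions extend beyond the hunks shown.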
@@ -0,0 +1,72 @@
+From foo@baz Fri Sep 25 09:56:48 AM CEST 2020
+From: Edwin Peer
+Date: Sun, 20 Sep 2020 21:08:55 -0400
+Subject: bnxt_en: return proper error codes in bnxt_show_temp
+
+From: Edwin Peer
+
+[ Upstream commit d69753fa1ecb3218b56b022722f7a5822735b876 ]
+
+Returning "unknown" as a temperature value violates the hwmon interface
+rules. Appropriate error codes should be returned via device_attribute
+show instead. These will ultimately be propagated to the user via the
+file system interface.
+
+In addition to the corrected error handling, it is an even better idea to
+not present the sensor in sysfs at all if it is known that the read will
+definitely fail. Given that temp1_input is currently the only sensor
+reported, ensure no hwmon registration if TEMP_MONITOR_QUERY is not
+supported or if it will fail due to access permissions. Something smarter
+may be needed if and when other sensors are added.
+
+Fixes: 12cce90b934b ("bnxt_en: fix HWRM error when querying VF temperature")
+Signed-off-by: Edwin Peer
+Signed-off-by: Michael Chan
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt.c | 19 +++++++++++++------
+ 1 file changed, 13 insertions(+), 6 deletions(-)
+
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+@@ -8939,18 +8939,16 @@ static ssize_t bnxt_show_temp(struct dev
+ struct hwrm_temp_monitor_query_output *resp;
+ struct bnxt *bp = dev_get_drvdata(dev);
+ u32 len = 0;
++ int rc;
+
+ resp = bp->hwrm_cmd_resp_addr;
+ bnxt_hwrm_cmd_hdr_init(bp, &req, HWRM_TEMP_MONITOR_QUERY, -1, -1);
+ mutex_lock(&bp->hwrm_cmd_lock);
+- if (!_hwrm_send_message_silent(bp, &req, sizeof(req), HWRM_CMD_TIMEOUT))
++ rc = _hwrm_send_message(bp, &req, sizeof(req), HWRM_CMD_TIMEOUT);
++ if (!rc)
+ len = sprintf(buf, "%u\n", resp->temp * 1000); /* display millidegree */
+ mutex_unlock(&bp->hwrm_cmd_lock);
+-
+- if (len)
+- return len;
+-
+- return sprintf(buf, "unknown\n");
++ return rc ?: len;
+ }
+ static SENSOR_DEVICE_ATTR(temp1_input, 0444, bnxt_show_temp, NULL, 0);
+
+@@ -8970,7 +8968,16 @@ static void bnxt_hwmon_close(struct bnxt
+
+ static void bnxt_hwmon_open(struct bnxt *bp)
+ {
++ struct hwrm_temp_monitor_query_input req = {0};
+ struct pci_dev *pdev = bp->pdev;
++ int rc;
++
++ bnxt_hwrm_cmd_hdr_init(bp, &req, HWRM_TEMP_MONITOR_QUERY, -1, -1);
++ rc = hwrm_send_message_silent(bp, &req, sizeof(req), HWRM_CMD_TIMEOUT);
++ if (rc == -EACCES || rc == -EOPNOTSUPP) {
++ bnxt_hwmon_close(bp);
++ return;
++ }
+
+ if (bp->hwmon_dev)
+ return;
diff --git a/queue-5.4/cxgb4-fix-memory-leak-during-module-unload.patch b/queue-5.4/cxgb4-fix-memory-leak-during-module-unload.patch
new file mode 100644
index 00000000000..16eafb6a5ca
--- /dev/null
+++ b/queue-5.4/cxgb4-fix-memory-leak-during-module-unload.patch
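Review bot: `return rc ?: len;` in bnxt_show_temp() mixes `int rc` with `u32 len`, so the conditional expression has type unsigned int and a negative `rc` is converted to a large positive value before it is widened to `ssize_t`; on a 64-bit build the sysfs read would then see a huge length instead of the error code. Return the two cases separately: `if (rc)` / `return rc;` / `return len;`. In bnxt_hwmon_open() only `-EACCES` and `-EOPNOTSUPP` from the probe suppress registration, so any other failure still registers the sensor; if that is intended, a short comment at the check would say so.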
@@ -0,0 +1,32 @@
+From foo@baz Fri Sep 25 09:56:48 AM CEST 2020
+From: Raju Rangoju
+Date: Wed, 16 Sep 2020 21:50:39 +0530
+Subject: cxgb4: fix memory leak during module unload
+
+From: Raju Rangoju
+
+[ Upstream commit f4a26a9b311d7ff9db461278faf2869d06496ef8 ]
+
+Fix the memory leak in mps during module unload
+path by freeing mps reference entries if the list
+adpter->mps_ref is not already empty
+
+Fixes: 28b3870578ef ("cxgb4: Re-work the logic for mps refcounting")
+Signed-off-by: Raju Rangoju
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/chelsio/cxgb4/cxgb4_mps.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_mps.c
++++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_mps.c
+@@ -229,7 +229,7 @@ void cxgb4_free_mps_ref_entries(struct a
+ {
+ struct mps_entries_ref *mps_entry, *tmp;
+
+- if (!list_empty(&adap->mps_ref))
++ if (list_empty(&adap->mps_ref))
+ return;
+
+ spin_lock(&adap->mps_ref_lock);
diff --git a/queue-5.4/cxgb4-fix-offset-when-clearing-filter-byte-counters.patch b/queue-5.4/cxgb4-fix-offset-when-clearing-filter-byte-counters.patch
new file mode 100644
index 00000000000..915587e75f0
--- /dev/null
+++ b/queue-5.4/cxgb4-fix-offset-when-clearing-filter-byte-counters.patch
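Review bot: The corrected `list_empty(&adap->mps_ref)` test in cxgb4_free_mps_ref_entries() still reads the list before `adap->mps_ref_lock` is taken on the next visible line. If the walk that follows uses one of the list_for_each helpers (it lies outside the hunk), an empty list is already a no-op there and the unlocked early return could simply be dropped. Otherwise a comment stating that no other context can touch `mps_ref` during unload would justify the unlocked read.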
@@ -0,0 +1,43 @@
+From foo@baz Fri Sep 25 09:56:48 AM CEST 2020
+From: Ganji Aravind
+Date: Fri, 4 Sep 2020 15:58:18 +0530
+Subject: cxgb4: Fix offset when clearing filter byte counters
+
+From: Ganji Aravind
+
+[ Upstream commit 94cc242a067a869c29800aa789d38b7676136e50 ]
+
+Pass the correct offset to clear the stale filter hit
+bytes counter. Otherwise, the counter starts incrementing
+from the stale information, instead of 0.
+
+Fixes: 12b276fbf6e0 ("cxgb4: add support to create hash filters")
+Signed-off-by: Ganji Aravind
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/chelsio/cxgb4/cxgb4_filter.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_filter.c
++++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_filter.c
+@@ -1617,13 +1617,16 @@ out:
+ static int configure_filter_tcb(struct adapter *adap, unsigned int tid,
+ struct filter_entry *f)
+ {
+- if (f->fs.hitcnts)
++ if (f->fs.hitcnts) {
+ set_tcb_field(adap, f, tid, TCB_TIMESTAMP_W,
+- TCB_TIMESTAMP_V(TCB_TIMESTAMP_M) |
++ TCB_TIMESTAMP_V(TCB_TIMESTAMP_M),
++ TCB_TIMESTAMP_V(0ULL),
++ 1);
++ set_tcb_field(adap, f, tid, TCB_RTT_TS_RECENT_AGE_W,
+ TCB_RTT_TS_RECENT_AGE_V(TCB_RTT_TS_RECENT_AGE_M),
+- TCB_TIMESTAMP_V(0ULL) |
+ TCB_RTT_TS_RECENT_AGE_V(0ULL),
+ 1);
++ }
+
+ if (f->fs.newdmac)
+ set_tcb_tflag(adap, f, tid, TF_CCTRL_ECE_S, 1,
diff --git a/queue-5.4/geneve-add-transport-ports-in-route-lookup-for-geneve.patch b/queue-5.4/geneve-add-transport-ports-in-route-lookup-for-geneve.patch
new file mode 100644
index 00000000000..3dcbabf3988
--- /dev/null
+++ b/queue-5.4/geneve-add-transport-ports-in-route-lookup-for-geneve.patch
@@ -0,0 +1,181 @@
+From foo@baz Fri Sep 25 09:56:48 AM CEST 2020
+From: Mark Gray
+Date: Wed, 16 Sep 2020 05:19:35 -0400
+Subject: geneve: add transport ports in route lookup for geneve
+
+From: Mark Gray
+
+[ Upstream commit 34beb21594519ce64a55a498c2fe7d567bc1ca20 ]
+
+This patch adds transport ports information for route lookup so that
+IPsec can select Geneve tunnel traffic to do encryption. This is
+needed for OVS/OVN IPsec with encrypted Geneve tunnels.
+
+This can be tested by configuring a host-host VPN using an IKE
+daemon and specifying port numbers. For example, for an
+Openswan-type configuration, the following parameters should be
+configured on both hosts and IPsec set up as-per normal:
+
+$ cat /etc/ipsec.conf
+
+conn in
+...
+left=$IP1
+right=$IP2
+...
+leftprotoport=udp/6081
+rightprotoport=udp
+...
+conn out
+...
+left=$IP1
+right=$IP2
+...
+leftprotoport=udp
+rightprotoport=udp/6081
+...
+
+The tunnel can then be setup using "ip" on both hosts (but
+changing the relevant IP addresses):
+
+$ ip link add tun type geneve id 1000 remote $IP2
+$ ip addr add 192.168.0.1/24 dev tun
+$ ip link set tun up
+
+This can then be tested by pinging from $IP1:
+
+$ ping 192.168.0.2
+
+Without this patch the traffic is unencrypted on the wire.
+
+Fixes: 2d07dc79fe04 ("geneve: add initial netdev driver for GENEVE tunnels")
+Signed-off-by: Qiuyu Xiao
+Signed-off-by: Mark Gray
+Reviewed-by: Greg Rose
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/geneve.c | 37 +++++++++++++++++++++++++++----------
+ 1 file changed, 27 insertions(+), 10 deletions(-)
+
+--- a/drivers/net/geneve.c
++++ b/drivers/net/geneve.c
+@@ -773,7 +773,8 @@ static struct rtable *geneve_get_v4_rt(s
+ struct net_device *dev,
+ struct geneve_sock *gs4,
+ struct flowi4 *fl4,
+- const struct ip_tunnel_info *info)
++ const struct ip_tunnel_info *info,
++ __be16 dport, __be16 sport)
+ {
+ bool use_cache = ip_tunnel_dst_cache_usable(skb, info);
+ struct geneve_dev *geneve = netdev_priv(dev);
+@@ -789,6 +790,8 @@ static struct rtable *geneve_get_v4_rt(s
+ fl4->flowi4_proto = IPPROTO_UDP;
+ fl4->daddr = info->key.u.ipv4.dst;
+ fl4->saddr = info->key.u.ipv4.src;
++ fl4->fl4_dport = dport;
++ fl4->fl4_sport = sport;
+
+ tos = info->key.tos;
+ if ((tos == 1) && !geneve->collect_md) {
+@@ -823,7 +826,8 @@ static struct dst_entry *geneve_get_v6_d
+ struct net_device *dev,
+ struct geneve_sock *gs6,
+ struct flowi6 *fl6,
+- const struct ip_tunnel_info *info)
++ const struct ip_tunnel_info *info,
++ __be16 dport, __be16 sport)
+ {
+ bool use_cache = ip_tunnel_dst_cache_usable(skb, info);
+ struct geneve_dev *geneve = netdev_priv(dev);
+@@ -839,6 +843,9 @@ static struct dst_entry *geneve_get_v6_d
+ fl6->flowi6_proto = IPPROTO_UDP;
+ fl6->daddr = info->key.u.ipv6.dst;
+ fl6->saddr = info->key.u.ipv6.src;
++ fl6->fl6_dport = dport;
++ fl6->fl6_sport = sport;
++
+ prio = info->key.tos;
+ if ((prio == 1) && !geneve->collect_md) {
+ prio = ip_tunnel_get_dsfield(ip_hdr(skb), skb);
+@@ -885,14 +892,15 @@ static int geneve_xmit_skb(struct sk_buf
+ __be16 sport;
+ int err;
+
+- rt = geneve_get_v4_rt(skb, dev, gs4, &fl4, info);
++ sport = udp_flow_src_port(geneve->net, skb, 1, USHRT_MAX, true);
++ rt = geneve_get_v4_rt(skb, dev, gs4, &fl4, info,
++ geneve->info.key.tp_dst, sport);
+ if (IS_ERR(rt))
+ return PTR_ERR(rt);
+
+ skb_tunnel_check_pmtu(skb, &rt->dst,
+ GENEVE_IPV4_HLEN + info->options_len);
+
+- sport = udp_flow_src_port(geneve->net, skb, 1, USHRT_MAX, true);
+ if (geneve->collect_md) {
+ tos = ip_tunnel_ecn_encap(key->tos, ip_hdr(skb), skb);
+ ttl = key->ttl;
+@@ -947,13 +955,14 @@ static int geneve6_xmit_skb(struct sk_bu
+ __be16 sport;
+ int err;
+
+- dst = geneve_get_v6_dst(skb, dev, gs6, &fl6, info);
++ sport = udp_flow_src_port(geneve->net, skb, 1, USHRT_MAX, true);
++ dst = geneve_get_v6_dst(skb, dev, gs6, &fl6, info,
++ geneve->info.key.tp_dst, sport);
+ if (IS_ERR(dst))
+ return PTR_ERR(dst);
+
+ skb_tunnel_check_pmtu(skb, dst, GENEVE_IPV6_HLEN + info->options_len);
+
+- sport = udp_flow_src_port(geneve->net, skb, 1, USHRT_MAX, true);
+ if (geneve->collect_md) {
+ prio = ip_tunnel_ecn_encap(key->tos, ip_hdr(skb), skb);
+ ttl = key->ttl;
+@@ -1034,13 +1043,18 @@ static int geneve_fill_metadata_dst(stru
+ {
+ struct ip_tunnel_info *info = skb_tunnel_info(skb);
+ struct geneve_dev *geneve = netdev_priv(dev);
++ __be16 sport;
+
+ if (ip_tunnel_info_af(info) == AF_INET) {
+ struct rtable *rt;
+ struct flowi4 fl4;
++
+ struct geneve_sock *gs4 = rcu_dereference(geneve->sock4);
++ sport = udp_flow_src_port(geneve->net, skb,
++ 1, USHRT_MAX, true);
+
+- rt = geneve_get_v4_rt(skb, dev, gs4, &fl4, info);
++ rt = geneve_get_v4_rt(skb, dev, gs4, &fl4, info,
++ geneve->info.key.tp_dst, sport);
+ if (IS_ERR(rt))
+ return PTR_ERR(rt);
+
+@@ -1050,9 +1064,13 @@ static int geneve_fill_metadata_dst(stru
+ } else if (ip_tunnel_info_af(info) == AF_INET6) {
+ struct dst_entry *dst;
+ struct flowi6 fl6;
++
+ struct geneve_sock *gs6 = rcu_dereference(geneve->sock6);
++ sport = udp_flow_src_port(geneve->net, skb,
++ 1, USHRT_MAX, true);
+
+- dst = geneve_get_v6_dst(skb, dev, gs6, &fl6, info);
++ dst = geneve_get_v6_dst(skb, dev, gs6, &fl6, info,
++ geneve->info.key.tp_dst, sport);
+ if (IS_ERR(dst))
+ return PTR_ERR(dst);
+
+@@ -1063,8 +1081,7 @@ static int geneve_fill_metadata_dst(stru
+ return -EINVAL;
+ }
+
+- info->key.tp_src = udp_flow_src_port(geneve->net, skb,
+- 1, USHRT_MAX, true);
++ info->key.tp_src = sport;
+ info->key.tp_dst = geneve->info.key.tp_dst;
+ return 0;
+ }
diff --git a/queue-5.4/hdlc_ppp-add-range-checks-in-ppp_cp_parse_cr.patch b/queue-5.4/hdlc_ppp-add-range-checks-in-ppp_cp_parse_cr.patch
new file mode 100644
index 00000000000..f8d4f4085dd
--- /dev/null
+++ b/queue-5.4/hdlc_ppp-add-range-checks-in-ppp_cp_parse_cr.patch
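Review bot: geneve_get_v4_rt() and geneve_get_v6_dst() now put a per-flow source port into the flow key, but both still start from `use_cache = ip_tunnel_dst_cache_usable(skb, info)`, and a cached entry was resolved for whichever flow filled the cache. The cache lookup itself is outside the hunks, so this is inferred: if the cache is consulted before the route lookup, an IPsec policy whose selector includes the source port may not be re-evaluated per flow, and some traffic could leave unencrypted. Either bypass the cache when ports take part in the lookup, or document that only the destination port (as in the `udp/6081` example of the commit message) is a supported selector. Both helpers and their callers extend beyond the hunks shown.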
@@ -0,0 +1,80 @@
+From foo@baz Fri Sep 25 09:56:48 AM CEST 2020
+From: Dan Carpenter
+Date: Wed, 9 Sep 2020 12:46:48 +0300
+Subject: hdlc_ppp: add range checks in ppp_cp_parse_cr()
+
+From: Dan Carpenter
+
+[ Upstream commit 66d42ed8b25b64eb63111a2b8582c5afc8bf1105 ]
+
+There are a couple bugs here:
+1) If opt[1] is zero then this results in a forever loop. If the value
+ is less than 2 then it is invalid.
+2) It assumes that "len" is more than sizeof(valid_accm) or 6 which can
+ result in memory corruption.
+
+In the case of LCP_OPTION_ACCM, then we should check "opt[1]" instead
+of "len" because, if "opt[1]" is less than sizeof(valid_accm) then
+"nak_len" gets out of sync and it can lead to memory corruption in the
+next iterations through the loop. In case of LCP_OPTION_MAGIC, the
+only valid value for opt[1] is 6, but the code is trying to log invalid
+data so we should only discard the data when "len" is less than 6
+because that leads to a read overflow.
+
+Reported-by: ChenNan Of Chaitin Security Research Lab
+Fixes: e022c2f07ae5 ("WAN: new synchronous PPP implementation for generic HDLC.")
+Signed-off-by: Dan Carpenter
+Reviewed-by: Eric Dumazet
+Reviewed-by: Greg Kroah-Hartman
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/wan/hdlc_ppp.c | 16 +++++++++++-----
+ 1 file changed, 11 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/wan/hdlc_ppp.c
++++ b/drivers/net/wan/hdlc_ppp.c
+@@ -383,11 +383,8 @@ static void ppp_cp_parse_cr(struct net_d
+ }
+
+ for (opt = data; len; len -= opt[1], opt += opt[1]) {
+- if (len < 2 || len < opt[1]) {
+- dev->stats.rx_errors++;
+- kfree(out);
+- return; /* bad packet, drop silently */
+- }
++ if (len < 2 || opt[1] < 2 || len < opt[1])
++ goto err_out;
+
+ if (pid == PID_LCP)
+ switch (opt[0]) {
+@@ -395,6 +392,8 @@ static void ppp_cp_parse_cr(struct net_d
+ continue; /* MRU always OK and > 1500 bytes? */
+
+ case LCP_OPTION_ACCM: /* async control character map */
++ if (opt[1] < sizeof(valid_accm))
++ goto err_out;
+ if (!memcmp(opt, valid_accm,
+ sizeof(valid_accm)))
+ continue;
+@@ -406,6 +405,8 @@ static void ppp_cp_parse_cr(struct net_d
+ }
+ break;
+ case LCP_OPTION_MAGIC:
++ if (len < 6)
++ goto err_out;
+ if (opt[1] != 6 || (!opt[2] && !opt[3] &&
+ !opt[4] && !opt[5]))
+ break; /* reject invalid magic number */
+@@ -424,6 +425,11 @@ static void ppp_cp_parse_cr(struct net_d
+ ppp_cp_event(dev, pid, RCR_GOOD, CP_CONF_ACK, id, req_len, data);
+
+ kfree(out);
++ return;
++
++err_out:
++ dev->stats.rx_errors++;
++ kfree(out);
+ }
+
+ static int ppp_rx(struct sk_buff *skb)
diff --git a/queue-5.4/ip-fix-tos-reflection-in-ack-and-reset-packets.patch b/queue-5.4/ip-fix-tos-reflection-in-ack-and-reset-packets.patch
new file mode 100644
index 00000000000..19832591b8a
--- /dev/null
+++ b/queue-5.4/ip-fix-tos-reflection-in-ack-and-reset-packets.patch
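Review bot: The `len < 6` test added under `LCP_OPTION_MAGIC` looks redundant for memory safety as far as the visible lines go: the loop head already guarantees `len >= opt[1]`, and `opt[2]` to `opt[5]` are only evaluated when `opt[1] == 6` because of the short-circuit `||`. Its only visible effect is that a magic-number option with a length of 2 to 5 in the last bytes of the packet is now dropped through `err_out` instead of being handled by whatever follows the `break` (outside the hunk); if that is the intent, a comment such as `/* short MAGIC option at end of packet: drop rather than reject */` would record it. The loop-head check deserves one as well, for example `/* opt[1] < 2 is invalid; 0 would never advance the loop */`. Malformed requests surface only through `dev->stats.rx_errors`, so that is the counter to monitor for this path. ppp_cp_parse_cr() begins before the first hunk.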
@@ -0,0 +1,43 @@
+From foo@baz Fri Sep 25 09:56:48 AM CEST 2020
+From: Wei Wang
+Date: Tue, 8 Sep 2020 14:09:34 -0700
+Subject: ip: fix tos reflection in ack and reset packets
+
+From: Wei Wang
+
+[ Upstream commit ba9e04a7ddf4f22a10e05bf9403db6b97743c7bf ]
+
+Currently, in tcp_v4_reqsk_send_ack() and tcp_v4_send_reset(), we
+echo the TOS value of the received packets in the response.
+However, we do not want to echo the lower 2 ECN bits in accordance
+with RFC 3168 6.1.5 robustness principles.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+
+Signed-off-by: Wei Wang
+Signed-off-by: Eric Dumazet
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv4/ip_output.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/ipv4/ip_output.c
++++ b/net/ipv4/ip_output.c
+@@ -74,6 +74,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+ #include
+ #include
+@@ -1699,7 +1700,7 @@ void ip_send_unicast_reply(struct sock *
+ if (IS_ERR(rt))
+ return;
+
+- inet_sk(sk)->tos = arg->tos;
++ inet_sk(sk)->tos = arg->tos & ~INET_ECN_MASK;
+
+ sk->sk_protocol = ip_hdr(skb)->protocol;
+ sk->sk_bound_dev_if = arg->bound_dev_if;
diff --git a/queue-5.4/ipv4-initialize-flowi4_multipath_hash-in-data-path.patch b/queue-5.4/ipv4-initialize-flowi4_multipath_hash-in-data-path.patch
new file mode 100644
index 00000000000..d29f347ffb5
--- /dev/null
+++ b/queue-5.4/ipv4-initialize-flowi4_multipath_hash-in-data-path.patch
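Review bot: The mask in ip_send_unicast_reply() has no comment, so the reason the ECN bits are stripped from the reflected TOS lives only in the commit message. A line above the assignment such as `/* Do not echo the ECN bits of the received packet (RFC 3168 6.1.5) */` would keep a later cleanup from restoring the plain `arg->tos`. The function continues outside the hunk.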
@@ -0,0 +1,68 @@ +From foo@baz Fri Sep 25 09:56:48 AM CEST 2020 +From: David Ahern +Date: Sun, 13 Sep 2020 12:43:39 -0600 +Subject: ipv4: Initialize flowi4_multipath_hash in data path + +From: David Ahern + +[ Upstream commit 1869e226a7b3ef75b4f70ede2f1b7229f7157fa4 ] + +flowi4_multipath_hash was added by the commit referenced below for +tunnels. Unfortunately, the patch did not initialize the new field +for several fast path lookups that do not initialize the entire flow +struct to 0. Fix those locations. Currently, flowi4_multipath_hash +is random garbage and affects the hash value computed by +fib_multipath_hash for multipath selection. + +Fixes: 24ba14406c5c ("route: Add multipath_hash in flowi_common to make user-define hash") +Signed-off-by: David Ahern +Cc: wenxu +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/net/flow.h | 1 + + net/core/filter.c | 1 + + net/ipv4/fib_frontend.c | 1 + + net/ipv4/route.c | 1 + + 4 files changed, 4 insertions(+) + +--- a/include/net/flow.h ++++ b/include/net/flow.h +@@ -116,6 +116,7 @@ static inline void flowi4_init_output(st + fl4->saddr = saddr; + fl4->fl4_dport = dport; + fl4->fl4_sport = sport; ++ fl4->flowi4_multipath_hash = 0; + } + + /* Reset some input parameters after previous lookup */ +--- a/net/core/filter.c ++++ b/net/core/filter.c +@@ -4650,6 +4650,7 @@ static int bpf_ipv4_fib_lookup(struct ne + fl4.saddr = params->ipv4_src; + fl4.fl4_sport = params->sport; + fl4.fl4_dport = params->dport; ++ fl4.flowi4_multipath_hash = 0; + + if (flags & BPF_FIB_LOOKUP_DIRECT) { + u32 tbid = l3mdev_fib_table_rcu(dev) ? 
: RT_TABLE_MAIN; +--- a/net/ipv4/fib_frontend.c ++++ b/net/ipv4/fib_frontend.c +@@ -372,6 +372,7 @@ static int __fib_validate_source(struct + fl4.flowi4_tun_key.tun_id = 0; + fl4.flowi4_flags = 0; + fl4.flowi4_uid = sock_net_uid(net, NULL); ++ fl4.flowi4_multipath_hash = 0; + + no_addr = idev->ifa_list == NULL; + +--- a/net/ipv4/route.c ++++ b/net/ipv4/route.c +@@ -2104,6 +2104,7 @@ static int ip_route_input_slow(struct sk + fl4.daddr = daddr; + fl4.saddr = saddr; + fl4.flowi4_uid = sock_net_uid(net, NULL); ++ fl4.flowi4_multipath_hash = 0; + + if (fib4_rules_early_flow_dissect(net, skb, &fl4, &_flkeys)) { + flkeys = &_flkeys; diff --git a/queue-5.4/ipv4-update-exception-handling-for-multipath-routes-via-same-device.patch b/queue-5.4/ipv4-update-exception-handling-for-multipath-routes-via-same-device.patch new file mode 100644 index 00000000000..36e68f8283f --- /dev/null +++ b/queue-5.4/ipv4-update-exception-handling-for-multipath-routes-via-same-device.patch 
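Review bot: Zeroing `flowi4_multipath_hash` by hand at four separate sites (flowi4_init_output(), bpf_ipv4_fib_lookup(), __fib_validate_source(), ip_route_input_slow()) leaves the invariant undocumented. Any other path that fills a stack `struct flowi4` field by field would still feed uninitialised stack contents into fib_multipath_hash() if it omits this field. A comment at the assignment in flowi4_init_output(), such as `/* every caller that does not memset the flow must zero this; it is mixed into multipath selection */`, would make the requirement visible to whoever adds the next field or lookup site. All four hunks cut through their functions, so whether further field-by-field initialisers exist cannot be told from here.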
@@ -0,0 +1,162 @@ +From foo@baz Fri Sep 25 09:56:48 AM CEST 2020 +From: David Ahern +Date: Mon, 14 Sep 2020 21:03:54 -0600 +Subject: ipv4: Update exception handling for multipath routes via same device + +From: David Ahern + +[ Upstream commit 2fbc6e89b2f1403189e624cabaf73e189c5e50c6 ] + +Kfir reported that pmtu exceptions are not created properly for +deployments where multipath routes use the same device. + +After some digging I see 2 compounding problems: +1. ip_route_output_key_hash_rcu is updating the flowi4_oif *after* + the route lookup. This is the second use case where this has + been a problem (the first is related to use of vti devices with + VRF). I can not find any reason for the oif to be changed after the + lookup; the code goes back to the start of git. It does not seem + logical so remove it. + +2. fib_lookups for exceptions do not call fib_select_path to handle + multipath route selection based on the hash. + +The end result is that the fib_lookup used to add the exception +always creates it based using the first leg of the route. 
+ +An example topology showing the problem: + + | host1 + +------+ + | eth0 | .209 + +------+ + | + +------+ + switch | br0 | + +------+ + | + +---------+---------+ + | host2 | host3 + +------+ +------+ + | eth0 | .250 | eth0 | 192.168.252.252 + +------+ +------+ + + +-----+ +-----+ + | vti | .2 | vti | 192.168.247.3 + +-----+ +-----+ + \ / + ================================= + tunnels + 192.168.247.1/24 + +for h in host1 host2 host3; do + ip netns add ${h} + ip -netns ${h} link set lo up + ip netns exec ${h} sysctl -wq net.ipv4.ip_forward=1 +done + +ip netns add switch +ip -netns switch li set lo up +ip -netns switch link add br0 type bridge stp 0 +ip -netns switch link set br0 up + +for n in 1 2 3; do + ip -netns switch link add eth-sw type veth peer name eth-h${n} + ip -netns switch li set eth-h${n} master br0 up + ip -netns switch li set eth-sw netns host${n} name eth0 +done + +ip -netns host1 addr add 192.168.252.209/24 dev eth0 +ip -netns host1 link set dev eth0 up +ip -netns host1 route add 192.168.247.0/24 \ + nexthop via 192.168.252.250 dev eth0 nexthop via 192.168.252.252 dev eth0 + +ip -netns host2 addr add 192.168.252.250/24 dev eth0 +ip -netns host2 link set dev eth0 up + +ip -netns host2 addr add 192.168.252.252/24 dev eth0 +ip -netns host3 link set dev eth0 up + +ip netns add tunnel +ip -netns tunnel li set lo up +ip -netns tunnel li add br0 type bridge +ip -netns tunnel li set br0 up +for n in $(seq 11 20); do + ip -netns tunnel addr add dev br0 192.168.247.${n}/24 +done + +for n in 2 3 +do + ip -netns tunnel link add vti${n} type veth peer name eth${n} + ip -netns tunnel link set eth${n} mtu 1360 master br0 up + ip -netns tunnel link set vti${n} netns host${n} mtu 1360 up + ip -netns host${n} addr add dev vti${n} 192.168.247.${n}/24 +done +ip -netns tunnel ro add default nexthop via 192.168.247.2 nexthop via 192.168.247.3 + +ip netns exec host1 ping -M do -s 1400 -c3 -I 192.168.252.209 192.168.247.11 +ip netns exec host1 ping -M do -s 1400 -c3 -I 
192.168.252.209 192.168.247.15 +ip -netns host1 ro ls cache + +Before this patch the cache always shows exceptions against the first +leg in the multipath route; 192.168.252.250 per this example. Since the +hash has an initial random seed, you may need to vary the final octet +more than what is listed. In my tests, using addresses between 11 and 19 +usually found 1 that used both legs. + +With this patch, the cache will have exceptions for both legs. + +Fixes: 4895c771c7f0 ("ipv4: Add FIB nexthop exceptions") +Reported-by: Kfir Itzhak +Signed-off-by: David Ahern +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/route.c | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +--- a/net/ipv4/route.c ++++ b/net/ipv4/route.c +@@ -785,8 +785,10 @@ static void __ip_do_redirect(struct rtab + neigh_event_send(n, NULL); + } else { + if (fib_lookup(net, fl4, &res, 0) == 0) { +- struct fib_nh_common *nhc = FIB_RES_NHC(res); ++ struct fib_nh_common *nhc; + ++ fib_select_path(net, &res, fl4, skb); ++ nhc = FIB_RES_NHC(res); + update_or_create_fnhe(nhc, fl4->daddr, new_gw, + 0, false, + jiffies + ip_rt_gc_timeout); +@@ -1012,6 +1014,7 @@ out: kfree_skb(skb); + static void __ip_rt_update_pmtu(struct rtable *rt, struct flowi4 *fl4, u32 mtu) + { + struct dst_entry *dst = &rt->dst; ++ struct net *net = dev_net(dst->dev); + u32 old_mtu = ipv4_mtu(dst); + struct fib_result res; + bool lock = false; +@@ -1032,9 +1035,11 @@ static void __ip_rt_update_pmtu(struct r + return; + + rcu_read_lock(); +- if (fib_lookup(dev_net(dst->dev), fl4, &res, 0) == 0) { +- struct fib_nh_common *nhc = FIB_RES_NHC(res); ++ if (fib_lookup(net, fl4, &res, 0) == 0) { ++ struct fib_nh_common *nhc; + ++ fib_select_path(net, &res, fl4, NULL); ++ nhc = FIB_RES_NHC(res); + update_or_create_fnhe(nhc, fl4->daddr, 0, mtu, lock, + jiffies + ip_rt_mtu_expires); + } +@@ -2626,8 +2631,6 @@ struct rtable *ip_route_output_key_hash_ + fib_select_path(net, res, fl4, skb); + + 
dev_out = FIB_RES_DEV(*res); +- fl4->flowi4_oif = dev_out->ifindex; +- + + make_route: + rth = __mkroute_output(res, fl4, orig_oif, dev_out, flags); diff --git a/queue-5.4/ipv6-avoid-lockdep-issue-in-fib6_del.patch b/queue-5.4/ipv6-avoid-lockdep-issue-in-fib6_del.patch new file mode 100644 index 00000000000..cc1cb296ed5 --- /dev/null +++ b/queue-5.4/ipv6-avoid-lockdep-issue-in-fib6_del.patch 
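Review bot: Dropping `fl4->flowi4_oif = dev_out->ifindex;` in ip_route_output_key_hash_rcu() changes what callers see in `fl4` after the lookup, and nothing in the hunk shows that no caller depends on it. Code that runs after the route lookup and keys on the selected output interface (an xfrm policy lookup on the same flow would be one candidate) now gets the original oif instead; this is inferred, since the callers are outside the hunk, and should be checked before the backport is taken. If the removal stays, a comment at the spot such as `/* flowi4_oif is deliberately left as passed in; exceptions are keyed on the original flow */` would record the decision. The removal also leaves two consecutive blank lines before `make_route:`.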
@@ -0,0 +1,105 @@ +From foo@baz Fri Sep 25 09:56:48 AM CEST 2020 +From: Eric Dumazet +Date: Tue, 8 Sep 2020 01:20:23 -0700 +Subject: ipv6: avoid lockdep issue in fib6_del() + +From: Eric Dumazet + +[ Upstream commit 843d926b003ea692468c8cc5bea1f9f58dfa8c75 ] + +syzbot reported twice a lockdep issue in fib6_del() [1] +which I think is caused by net->ipv6.fib6_null_entry +having a NULL fib6_table pointer. + +fib6_del() already checks for fib6_null_entry special +case, we only need to return earlier. + +Bug seems to occur very rarely, I have thus chosen +a 'bug origin' that makes backports not too complex. + +[1] +WARNING: suspicious RCU usage +5.9.0-rc4-syzkaller #0 Not tainted +----------------------------- +net/ipv6/ip6_fib.c:1996 suspicious rcu_dereference_protected() usage! + +other info that might help us debug this: + +rcu_scheduler_active = 2, debug_locks = 1 +4 locks held by syz-executor.5/8095: + #0: ffffffff8a7ea708 (rtnl_mutex){+.+.}-{3:3}, at: ppp_release+0x178/0x240 drivers/net/ppp/ppp_generic.c:401 + #1: ffff88804c422dd8 (&net->ipv6.fib6_gc_lock){+.-.}-{2:2}, at: spin_trylock_bh include/linux/spinlock.h:414 [inline] + #1: ffff88804c422dd8 (&net->ipv6.fib6_gc_lock){+.-.}-{2:2}, at: fib6_run_gc+0x21b/0x2d0 net/ipv6/ip6_fib.c:2312 + #2: ffffffff89bd6a40 (rcu_read_lock){....}-{1:2}, at: __fib6_clean_all+0x0/0x290 net/ipv6/ip6_fib.c:2613 + #3: ffff8880a82e6430 (&tb->tb6_lock){+.-.}-{2:2}, at: spin_lock_bh include/linux/spinlock.h:359 [inline] + #3: ffff8880a82e6430 (&tb->tb6_lock){+.-.}-{2:2}, at: __fib6_clean_all+0x107/0x290 net/ipv6/ip6_fib.c:2245 + +stack backtrace: +CPU: 1 PID: 8095 Comm: syz-executor.5 Not tainted 5.9.0-rc4-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0x198/0x1fd lib/dump_stack.c:118 + fib6_del+0x12b4/0x1630 net/ipv6/ip6_fib.c:1996 + fib6_clean_node+0x39b/0x570 net/ipv6/ip6_fib.c:2180 + 
fib6_walk_continue+0x4aa/0x8e0 net/ipv6/ip6_fib.c:2102 + fib6_walk+0x182/0x370 net/ipv6/ip6_fib.c:2150 + fib6_clean_tree+0xdb/0x120 net/ipv6/ip6_fib.c:2230 + __fib6_clean_all+0x120/0x290 net/ipv6/ip6_fib.c:2246 + fib6_clean_all net/ipv6/ip6_fib.c:2257 [inline] + fib6_run_gc+0x113/0x2d0 net/ipv6/ip6_fib.c:2320 + ndisc_netdev_event+0x217/0x350 net/ipv6/ndisc.c:1805 + notifier_call_chain+0xb5/0x200 kernel/notifier.c:83 + call_netdevice_notifiers_info+0xb5/0x130 net/core/dev.c:2033 + call_netdevice_notifiers_extack net/core/dev.c:2045 [inline] + call_netdevice_notifiers net/core/dev.c:2059 [inline] + dev_close_many+0x30b/0x650 net/core/dev.c:1634 + rollback_registered_many+0x3a8/0x1210 net/core/dev.c:9261 + rollback_registered net/core/dev.c:9329 [inline] + unregister_netdevice_queue+0x2dd/0x570 net/core/dev.c:10410 + unregister_netdevice include/linux/netdevice.h:2774 [inline] + ppp_release+0x216/0x240 drivers/net/ppp/ppp_generic.c:403 + __fput+0x285/0x920 fs/file_table.c:281 + task_work_run+0xdd/0x190 kernel/task_work.c:141 + tracehook_notify_resume include/linux/tracehook.h:188 [inline] + exit_to_user_mode_loop kernel/entry/common.c:163 [inline] + exit_to_user_mode_prepare+0x1e1/0x200 kernel/entry/common.c:190 + syscall_exit_to_user_mode+0x7e/0x2e0 kernel/entry/common.c:265 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +Fixes: 421842edeaf6 ("net/ipv6: Add fib6_null_entry") +Signed-off-by: Eric Dumazet +Cc: David Ahern +Reviewed-by: David Ahern +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/ip6_fib.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +--- a/net/ipv6/ip6_fib.c ++++ b/net/ipv6/ip6_fib.c +@@ -1896,14 +1896,19 @@ static void fib6_del_route(struct fib6_t + /* Need to own table->tb6_lock */ + int fib6_del(struct fib6_info *rt, struct nl_info *info) + { +- struct fib6_node *fn = rcu_dereference_protected(rt->fib6_node, +- lockdep_is_held(&rt->fib6_table->tb6_lock)); +- struct fib6_table *table = rt->fib6_table; + struct net *net = info->nl_net; + struct fib6_info __rcu **rtp; + struct fib6_info __rcu **rtp_next; ++ struct fib6_table *table; ++ struct fib6_node *fn; + +- if (!fn || rt == net->ipv6.fib6_null_entry) ++ if (rt == net->ipv6.fib6_null_entry) ++ return -ENOENT; ++ ++ table = rt->fib6_table; ++ fn = rcu_dereference_protected(rt->fib6_node, ++ lockdep_is_held(&table->tb6_lock)); ++ if (!fn) + return -ENOENT; + + WARN_ON(!(fn->fn_flags & RTN_RTINFO)); diff --git a/queue-5.4/net-add-__must_check-to-skb_put_padto.patch b/queue-5.4/net-add-__must_check-to-skb_put_padto.patch new file mode 100644 index 00000000000..78b4d8763c9 --- /dev/null +++ b/queue-5.4/net-add-__must_check-to-skb_put_padto.patch 
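Review bot: The new early `return -ENOENT` for `rt == net->ipv6.fib6_null_entry` in fib6_del() is order-sensitive but uncommented. It has to run before `rt->fib6_table` is read, because (per the commit message) the null entry is believed to carry a NULL fib6_table. A line such as `/* fib6_null_entry may have no fib6_table; return before dereferencing it for the lockdep check */` above the test would keep a later cleanup from folding the two `-ENOENT` checks back together. The rest of the function lies outside the hunk.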
@@ -0,0 +1,42 @@
+From foo@baz Fri Sep 25 09:56:48 AM CEST 2020
+From: Eric Dumazet
+Date: Wed, 9 Sep 2020 01:27:40 -0700
+Subject: net: add __must_check to skb_put_padto()
+
+From: Eric Dumazet
+
+[ Upstream commit 4a009cb04aeca0de60b73f37b102573354214b52 ]
+
+skb_put_padto() and __skb_put_padto() callers
+must check return values or risk use-after-free.
+
+Signed-off-by: Eric Dumazet
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ include/linux/skbuff.h | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/include/linux/skbuff.h
++++ b/include/linux/skbuff.h
+@@ -3185,8 +3185,9 @@ static inline int skb_padto(struct sk_bu
+ * is untouched. Otherwise it is extended. Returns zero on
+ * success. The skb is freed on error if @free_on_error is true.
+ */
+-static inline int __skb_put_padto(struct sk_buff *skb, unsigned int len,
+- bool free_on_error)
++static inline int __must_check __skb_put_padto(struct sk_buff *skb,
++ unsigned int len,
++ bool free_on_error)
+ {
+ unsigned int size = skb->len;
+
+@@ -3209,7 +3210,7 @@ static inline int __skb_put_padto(struct
+ * is untouched. Otherwise it is extended. Returns zero on
+ * success. The skb is freed on error.
+ */
+-static inline int skb_put_padto(struct sk_buff *skb, unsigned int len)
++static inline int __must_check skb_put_padto(struct sk_buff *skb, unsigned int len)
+ {
+ return __skb_put_padto(skb, len, true);
+ }
diff --git a/queue-5.4/net-bridge-br_vlan_get_pvid_rcu-should-dereference-the-vlan-group-under-rcu.patch b/queue-5.4/net-bridge-br_vlan_get_pvid_rcu-should-dereference-the-vlan-group-under-rcu.patch
new file mode 100644
index 00000000000..2af09548cdf
--- /dev/null
+++ b/queue-5.4/net-bridge-br_vlan_get_pvid_rcu-should-dereference-the-vlan-group-under-rcu.patch
@@ -0,0 +1,93 @@ +From foo@baz Fri Sep 25 09:56:48 AM CEST 2020 +From: Vladimir Oltean +Date: Tue, 22 Sep 2020 01:07:09 +0300 +Subject: net: bridge: br_vlan_get_pvid_rcu() should dereference the VLAN group under RCU + +From: Vladimir Oltean + +[ Upstream commit 99f62a746066fa436aa15d4606a538569540db08 ] + +When calling the RCU brother of br_vlan_get_pvid(), lockdep warns: + +============================= +WARNING: suspicious RCU usage +5.9.0-rc3-01631-g13c17acb8e38-dirty #814 Not tainted +----------------------------- +net/bridge/br_private.h:1054 suspicious rcu_dereference_protected() usage! + +Call trace: + lockdep_rcu_suspicious+0xd4/0xf8 + __br_vlan_get_pvid+0xc0/0x100 + br_vlan_get_pvid_rcu+0x78/0x108 + +The warning is because br_vlan_get_pvid_rcu() calls nbp_vlan_group() +which calls rtnl_dereference() instead of rcu_dereference(). In turn, +rtnl_dereference() calls rcu_dereference_protected() which assumes +operation under an RCU write-side critical section, which obviously is +not the case here. So, when the incorrect primitive is used to access +the RCU-protected VLAN group pointer, READ_ONCE() is not used, which may +cause various unexpected problems. + +I'm sad to say that br_vlan_get_pvid() and br_vlan_get_pvid_rcu() cannot +share the same implementation. So fix the bug by splitting the 2 +functions, and making br_vlan_get_pvid_rcu() retrieve the VLAN groups +under proper locking annotations. + +Fixes: 7582f5b70f9a ("bridge: add br_vlan_get_pvid_rcu()") +Signed-off-by: Vladimir Oltean +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/bridge/br_vlan.c | 27 +++++++++++++++++---------- + 1 file changed, 17 insertions(+), 10 deletions(-) + +--- a/net/bridge/br_vlan.c ++++ b/net/bridge/br_vlan.c +@@ -1229,11 +1229,13 @@ void br_vlan_get_stats(const struct net_ + } + } + +-static int __br_vlan_get_pvid(const struct net_device *dev, +- struct net_bridge_port *p, u16 *p_pvid) ++int br_vlan_get_pvid(const struct net_device *dev, u16 *p_pvid) + { + struct net_bridge_vlan_group *vg; ++ struct net_bridge_port *p; + ++ ASSERT_RTNL(); ++ p = br_port_get_check_rtnl(dev); + if (p) + vg = nbp_vlan_group(p); + else if (netif_is_bridge_master(dev)) +@@ -1244,18 +1246,23 @@ static int __br_vlan_get_pvid(const stru + *p_pvid = br_get_pvid(vg); + return 0; + } +- +-int br_vlan_get_pvid(const struct net_device *dev, u16 *p_pvid) +-{ +- ASSERT_RTNL(); +- +- return __br_vlan_get_pvid(dev, br_port_get_check_rtnl(dev), p_pvid); +-} + EXPORT_SYMBOL_GPL(br_vlan_get_pvid); + + int br_vlan_get_pvid_rcu(const struct net_device *dev, u16 *p_pvid) + { +- return __br_vlan_get_pvid(dev, br_port_get_check_rcu(dev), p_pvid); ++ struct net_bridge_vlan_group *vg; ++ struct net_bridge_port *p; ++ ++ p = br_port_get_check_rcu(dev); ++ if (p) ++ vg = nbp_vlan_group_rcu(p); ++ else if (netif_is_bridge_master(dev)) ++ vg = br_vlan_group_rcu(netdev_priv(dev)); ++ else ++ return -EINVAL; ++ ++ *p_pvid = br_get_pvid(vg); ++ return 0; + } + EXPORT_SYMBOL_GPL(br_vlan_get_pvid_rcu); + diff --git a/queue-5.4/net-dcb-validate-dcb_attr_dcb_buffer-argument.patch b/queue-5.4/net-dcb-validate-dcb_attr_dcb_buffer-argument.patch new file mode 100644 index 00000000000..5ce5d465e83 --- /dev/null +++ b/queue-5.4/net-dcb-validate-dcb_attr_dcb_buffer-argument.patch 
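Review bot: br_vlan_get_pvid_rcu() states nothing about its required calling context, while its sibling br_vlan_get_pvid() keeps `ASSERT_RTNL()`. The new body goes through br_port_get_check_rcu(), nbp_vlan_group_rcu() and br_vlan_group_rcu(), which presumably are only valid inside an RCU read-side critical section. I would add `/* Caller must hold rcu_read_lock() */` above the function so the split between the two otherwise identical bodies stays understood. In both functions `vg` is handed to br_get_pvid() without a NULL test; that is fine only if br_get_pvid() accepts a NULL group, which is not visible in this hunk.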
@@ -0,0 +1,57 @@
+From foo@baz Fri Sep 25 09:56:48 AM CEST 2020
+From: Petr Machata
+Date: Thu, 10 Sep 2020 14:09:05 +0200
+Subject: net: DCB: Validate DCB_ATTR_DCB_BUFFER argument
+
+From: Petr Machata
+
+[ Upstream commit 297e77e53eadb332d5062913447b104a772dc33b ]
+
+The parameter passed via DCB_ATTR_DCB_BUFFER is a struct dcbnl_buffer. The
+field prio2buffer is an array of IEEE_8021Q_MAX_PRIORITIES bytes, where
+each value is a number of a buffer to direct that priority's traffic to.
+That value is however never validated to lie within the bounds set by
+DCBX_MAX_BUFFERS. The only driver that currently implements the callback is
+mlx5 (maintainers CCd), and that does not do any validation either, in
+particual allowing incorrect configuration if the prio2buffer value does
+not fit into 4 bits.
+
+Instead of offloading the need to validate the buffer index to drivers, do
+it right there in core, and bounce the request if the value is too large.
+
+CC: Parav Pandit
+CC: Saeed Mahameed
+Fixes: e549f6f9c098 ("net/dcb: Add dcbnl buffer attribute")
+Signed-off-by: Petr Machata
+Reviewed-by: Ido Schimmel
+Reviewed-by: Jiri Pirko
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/dcb/dcbnl.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/net/dcb/dcbnl.c
++++ b/net/dcb/dcbnl.c
+@@ -1426,6 +1426,7 @@ static int dcbnl_ieee_set(struct net_dev
+ {
+ const struct dcbnl_rtnl_ops *ops = netdev->dcbnl_ops;
+ struct nlattr *ieee[DCB_ATTR_IEEE_MAX + 1];
++ int prio;
+ int err;
+
+ if (!ops)
+@@ -1475,6 +1476,13 @@ static int dcbnl_ieee_set(struct net_dev
+ struct dcbnl_buffer *buffer =
+ nla_data(ieee[DCB_ATTR_DCB_BUFFER]);
+
++ for (prio = 0; prio < ARRAY_SIZE(buffer->prio2buffer); prio++) {
++ if (buffer->prio2buffer[prio] >= DCBX_MAX_BUFFERS) {
++ err = -EINVAL;
++ goto err;
++ }
++ }
++
+ err = ops->dcbnl_setbuffer(netdev, buffer);
+ if (err)
+ goto err;
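Review bot: The new loop in dcbnl_ieee_set() reads every element of `buffer->prio2buffer` directly from `nla_data(ieee[DCB_ATTR_DCB_BUFFER])`, so it depends on the attribute being at least `sizeof(struct dcbnl_buffer)` long. That length check, presumably in the netlink policy applied when `ieee[]` is parsed, is outside the hunk and should be confirmed; without it the validation loop would itself read past a short attribute. Separately, `int prio` is compared with `ARRAY_SIZE()`, which is unsigned; declaring it `unsigned int prio;` avoids the mixed-sign comparison. The function starts and ends outside both hunks.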
diff --git a/queue-5.4/net-dsa-rtl8366-properly-clear-member-config.patch b/queue-5.4/net-dsa-rtl8366-properly-clear-member-config.patch
new file mode 100644
index 00000000000..ad1960d1745
--- /dev/null
+++ b/queue-5.4/net-dsa-rtl8366-properly-clear-member-config.patch
@@ -0,0 +1,55 @@
+From foo@baz Fri Sep 25 09:56:48 AM CEST 2020
+From: Linus Walleij
+Date: Sat, 5 Sep 2020 12:32:33 +0200
+Subject: net: dsa: rtl8366: Properly clear member config
+
+From: Linus Walleij
+
+[ Upstream commit 4ddcaf1ebb5e4e99240f29d531ee69d4244fe416 ]
+
+When removing a port from a VLAN we are just erasing the
+member config for the VLAN, which is wrong: other ports
+can be using it.
+
+Just mask off the port and only zero out the rest of the
+member config once ports using of the VLAN are removed
+from it.
+
+Reported-by: Florian Fainelli
+Fixes: d8652956cf37 ("net: dsa: realtek-smi: Add Realtek SMI driver")
+Signed-off-by: Linus Walleij
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/dsa/rtl8366.c | 20 +++++++++++++-------
+ 1 file changed, 13 insertions(+), 7 deletions(-)
+
+--- a/drivers/net/dsa/rtl8366.c
++++ b/drivers/net/dsa/rtl8366.c
+@@ -452,13 +452,19 @@ int rtl8366_vlan_del(struct dsa_switch *
+ return ret;
+
+ if (vid == vlanmc.vid) {
+- /* clear VLAN member configurations */
+- vlanmc.vid = 0;
+- vlanmc.priority = 0;
+- vlanmc.member = 0;
+- vlanmc.untag = 0;
+- vlanmc.fid = 0;
+-
++ /* Remove this port from the VLAN */
++ vlanmc.member &= ~BIT(port);
++ vlanmc.untag &= ~BIT(port);
++ /*
++ * If no ports are members of this VLAN
++ * anymore then clear the whole member
++ * config so it can be reused.
++ */
++ if (!vlanmc.member && vlanmc.untag) {
++ vlanmc.vid = 0;
++ vlanmc.priority = 0;
++ vlanmc.fid = 0;
++ }
+ ret = smi->ops->set_vlan_mc(smi, i, &vlanmc);
+ if (ret) {
+ dev_err(smi->dev,
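Review bot: The condition `if (!vlanmc.member && vlanmc.untag)` in rtl8366_vlan_del() does not match the comment directly above it. It resets vid, priority and fid only when no members remain and some untag bit is still set, so a VLAN whose last port is removed with an empty untag mask keeps its stale vid, priority and fid and is not released for reuse. If the intent is "no ports are members anymore", the test would be `if (!vlanmc.member) {`, and the block should also clear the leftover mask with `vlanmc.untag = 0;`, as the removed code did. The function begins and ends outside the hunk, so how a member-config slot is later matched for reuse is inferred rather than visible.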
diff --git a/queue-5.4/net-fix-bridge-enslavement-failure.patch b/queue-5.4/net-fix-bridge-enslavement-failure.patch
new file mode 100644
index 00000000000..868dce7162d
--- /dev/null
+++ b/queue-5.4/net-fix-bridge-enslavement-failure.patch
@@ -0,0 +1,43 @@
+From foo@baz Fri Sep 25 09:56:48 AM CEST 2020
+From: Ido Schimmel
+Date: Thu, 10 Sep 2020 14:01:26 +0300
+Subject: net: Fix bridge enslavement failure
+
+From: Ido Schimmel
+
+[ Upstream commit e1b9efe6baebe79019a2183176686a0e709388ae ]
+
+When a netdev is enslaved to a bridge, its parent identifier is queried.
+This is done so that packets that were already forwarded in hardware
+will not be forwarded again by the bridge device between netdevs
+belonging to the same hardware instance.
+
+The operation fails when the netdev is an upper of netdevs with
+different parent identifiers.
+
+Instead of failing the enslavement, have dev_get_port_parent_id() return
+'-EOPNOTSUPP' which will signal the bridge to skip the query operation.
+Other callers of the function are not affected by this change.
+
+Fixes: 7e1146e8c10c ("net: devlink: introduce devlink_compat_switch_id_get() helper")
+Signed-off-by: Ido Schimmel
+Reported-by: Vasundhara Volam
+Reviewed-by: Jiri Pirko
+Reviewed-by: Nikolay Aleksandrov
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/core/dev.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -8241,7 +8241,7 @@ int dev_get_port_parent_id(struct net_de
+ if (!first.id_len)
+ first = *ppid;
+ else if (memcmp(&first, ppid, sizeof(*ppid)))
+- return -ENODATA;
++ return -EOPNOTSUPP;
+ }
+
+ return err;
diff --git a/queue-5.4/net-ipv6-fix-kconfig-dependency-warning-for-ipv6_seg6_hmac.patch b/queue-5.4/net-ipv6-fix-kconfig-dependency-warning-for-ipv6_seg6_hmac.patch
new file mode 100644
index 00000000000..948227d40ec
--- /dev/null
+++ b/queue-5.4/net-ipv6-fix-kconfig-dependency-warning-for-ipv6_seg6_hmac.patch
@@ -0,0 +1,51 @@
+From foo@baz Fri Sep 25 09:56:48 AM CEST 2020
+From: Necip Fazil Yildiran
+Date: Thu, 17 Sep 2020 19:46:43 +0300
+Subject: net: ipv6: fix kconfig dependency warning for IPV6_SEG6_HMAC
+
+From: Necip Fazil Yildiran
+
+[ Upstream commit db7cd91a4be15e1485d6b58c6afc8761c59c4efb ]
+
+When IPV6_SEG6_HMAC is enabled and CRYPTO is disabled, it results in the
+following Kbuild warning:
+
+WARNING: unmet direct dependencies detected for CRYPTO_HMAC
+ Depends on [n]: CRYPTO [=n]
+ Selected by [y]:
+ - IPV6_SEG6_HMAC [=y] && NET [=y] && INET [=y] && IPV6 [=y]
+
+WARNING: unmet direct dependencies detected for CRYPTO_SHA1
+ Depends on [n]: CRYPTO [=n]
+ Selected by [y]:
+ - IPV6_SEG6_HMAC [=y] && NET [=y] && INET [=y] && IPV6 [=y]
+
+WARNING: unmet direct dependencies detected for CRYPTO_SHA256
+ Depends on [n]: CRYPTO [=n]
+ Selected by [y]:
+ - IPV6_SEG6_HMAC [=y] && NET [=y] && INET [=y] && IPV6 [=y]
+
+The reason is that IPV6_SEG6_HMAC selects CRYPTO_HMAC, CRYPTO_SHA1, and
+CRYPTO_SHA256 without depending on or selecting CRYPTO while those configs
+are subordinate to CRYPTO.
+
+Honor the kconfig menu hierarchy to remove kconfig dependency warnings.
+
+Fixes: bf355b8d2c30 ("ipv6: sr: add core files for SR HMAC support")
+Signed-off-by: Necip Fazil Yildiran
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv6/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/ipv6/Kconfig
++++ b/net/ipv6/Kconfig
+@@ -289,6 +289,7 @@ config IPV6_SEG6_LWTUNNEL
+ config IPV6_SEG6_HMAC
+ bool "IPv6: Segment Routing HMAC support"
+ depends on IPV6
++ select CRYPTO
+ select CRYPTO_HMAC
+ select CRYPTO_SHA1
+ select CRYPTO_SHA256
diff --git a/queue-5.4/net-lantiq-disable-irqs-only-if-napi-gets-scheduled.patch b/queue-5.4/net-lantiq-disable-irqs-only-if-napi-gets-scheduled.patch
new file mode 100644
index 00000000000..0d54949dde9
--- /dev/null
+++ b/queue-5.4/net-lantiq-disable-irqs-only-if-napi-gets-scheduled.patch
@@ -0,0 +1,39 @@
+From foo@baz Fri Sep 25 09:56:48 AM CEST 2020
+From: Hauke Mehrtens
+Date: Sat, 12 Sep 2020 21:36:29 +0200
+Subject: net: lantiq: Disable IRQs only if NAPI gets scheduled
+
+From: Hauke Mehrtens
+
+[ Upstream commit 9423361da52356cb68642db5b2729b6b85aad330 ]
+
+The napi_schedule() call will only schedule the NAPI if it is not
+already running. To make sure that we do not deactivate interrupts
+without scheduling NAPI only deactivate the interrupts in case NAPI also
+gets scheduled.
+
+Signed-off-by: Hauke Mehrtens
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/lantiq_xrx200.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/lantiq_xrx200.c
++++ b/drivers/net/ethernet/lantiq_xrx200.c
+@@ -344,10 +344,12 @@ static irqreturn_t xrx200_dma_irq(int ir
+ {
+ struct xrx200_chan *ch = ptr;
+
+- ltq_dma_disable_irq(&ch->dma);
+- ltq_dma_ack_irq(&ch->dma);
++ if (napi_schedule_prep(&ch->napi)) {
++ __napi_schedule(&ch->napi);
++ ltq_dma_disable_irq(&ch->dma);
++ }
+
+- napi_schedule(&ch->napi);
++ ltq_dma_ack_irq(&ch->dma);
+
+ return IRQ_HANDLED;
+ }
diff --git a/queue-5.4/net-lantiq-use-napi_complete_done.patch b/queue-5.4/net-lantiq-use-napi_complete_done.patch
new file mode 100644
index 00000000000..60a81f85c25
--- /dev/null
+++ b/queue-5.4/net-lantiq-use-napi_complete_done.patch
@@ -0,0 +1,44 @@
+From foo@baz Fri Sep 25 09:56:48 AM CEST 2020
+From: Hauke Mehrtens
+Date: Sat, 12 Sep 2020 21:36:28 +0200
+Subject: net: lantiq: Use napi_complete_done()
+
+From: Hauke Mehrtens
+
+[ Upstream commit c582a7fea9dad4d309437d1a7e22e6d2cb380e2e ]
+
+Use napi_complete_done() and activate the interrupts when this function
+returns true. This way the generic NAPI code can take care of activating
+the interrupts.
+
+Signed-off-by: Hauke Mehrtens
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/lantiq_xrx200.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/ethernet/lantiq_xrx200.c
++++ b/drivers/net/ethernet/lantiq_xrx200.c
+@@ -230,8 +230,8 @@ static int xrx200_poll_rx(struct napi_st
+ }
+
+ if (rx < budget) {
+- napi_complete(&ch->napi);
+- ltq_dma_enable_irq(&ch->dma);
++ if (napi_complete_done(&ch->napi, rx))
++ ltq_dma_enable_irq(&ch->dma);
+ }
+
+ return rx;
+@@ -272,8 +272,8 @@ static int xrx200_tx_housekeeping(struct
+ netif_wake_queue(net_dev);
+
+ if (pkts < budget) {
+- napi_complete(&ch->napi);
+- ltq_dma_enable_irq(&ch->dma);
++ if (napi_complete_done(&ch->napi, pkts))
++ ltq_dma_enable_irq(&ch->dma);
+ }
+
+ return pkts;
diff --git a/queue-5.4/net-lantiq-use-netif_tx_napi_add-for-tx-napi.patch b/queue-5.4/net-lantiq-use-netif_tx_napi_add-for-tx-napi.patch
new file mode 100644
index 00000000000..b640728c12e
--- /dev/null
+++ b/queue-5.4/net-lantiq-use-netif_tx_napi_add-for-tx-napi.patch
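Review bot: In both xrx200_poll_rx() and xrx200_tx_housekeeping() the outer `if (rx < budget) { ... }` now wraps nothing but a second `if`, which reads as if a statement had been lost. Folding them, `if (rx < budget && napi_complete_done(&ch->napi, rx))` and the same with `pkts` in the TX path, keeps the short-circuit order and makes it plain that the interrupt is re-enabled only when NAPI really completed. A one-line comment such as `/* re-arm the DMA IRQ only if NAPI was not rescheduled */` would record why the return value matters. Both functions start outside their hunks.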
@@ -0,0 +1,30 @@
+From foo@baz Fri Sep 25 09:56:48 AM CEST 2020
+From: Hauke Mehrtens
+Date: Sat, 12 Sep 2020 21:36:27 +0200
+Subject: net: lantiq: use netif_tx_napi_add() for TX NAPI
+
+From: Hauke Mehrtens
+
+[ Upstream commit 74c7b80e222b58d3cea731d31e2a31a77fea8345 ]
+
+netif_tx_napi_add() should be used for NAPI in the TX direction instead
+of the netif_napi_add() function.
+
+Signed-off-by: Hauke Mehrtens
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/lantiq_xrx200.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/lantiq_xrx200.c
++++ b/drivers/net/ethernet/lantiq_xrx200.c
+@@ -501,7 +501,7 @@ static int xrx200_probe(struct platform_
+
+ /* setup NAPI */
+ netif_napi_add(net_dev, &priv->chan_rx.napi, xrx200_poll_rx, 32);
+- netif_napi_add(net_dev, &priv->chan_tx.napi, xrx200_tx_housekeeping, 32);
++ netif_tx_napi_add(net_dev, &priv->chan_tx.napi, xrx200_tx_housekeeping, 32);
+
+ platform_set_drvdata(pdev, priv);
+
diff --git a/queue-5.4/net-lantiq-wake-tx-queue-again.patch b/queue-5.4/net-lantiq-wake-tx-queue-again.patch
new file mode 100644
index 00000000000..90390eab90a
--- /dev/null
+++ b/queue-5.4/net-lantiq-wake-tx-queue-again.patch
@@ -0,0 +1,34 @@
+From foo@baz Fri Sep 25 09:56:48 AM CEST 2020
+From: Hauke Mehrtens
+Date: Sat, 12 Sep 2020 21:36:26 +0200
+Subject: net: lantiq: Wake TX queue again
+
+From: Hauke Mehrtens
+
+[ Upstream commit dea36631e6f186d4b853af67a4aef2e35cfa8bb7 ]
+
+The call to netif_wake_queue() when the TX descriptors were freed was
+missing. When there are no TX buffers available the TX queue will be
+stopped, but it was not started again when they are available again,
+this is fixed in this patch.
+
+Fixes: fe1a56420cf2 ("net: lantiq: Add Lantiq / Intel VRX200 Ethernet driver")
+Signed-off-by: Hauke Mehrtens
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/lantiq_xrx200.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/ethernet/lantiq_xrx200.c
++++ b/drivers/net/ethernet/lantiq_xrx200.c
+@@ -268,6 +268,9 @@ static int xrx200_tx_housekeeping(struct
+ net_dev->stats.tx_bytes += bytes;
+ netdev_completed_queue(ch->priv->net_dev, pkts, bytes);
+
++ if (netif_queue_stopped(net_dev))
++ netif_wake_queue(net_dev);
++
+ if (pkts < budget) {
+ napi_complete(&ch->napi);
+ ltq_dma_enable_irq(&ch->dma);
diff --git a/queue-5.4/net-mlx5-fix-fte-cleanup.patch b/queue-5.4/net-mlx5-fix-fte-cleanup.patch
new file mode 100644
index 00000000000..1b31063c189
--- /dev/null
+++ b/queue-5.4/net-mlx5-fix-fte-cleanup.patch
@@ -0,0 +1,103 @@ +From foo@baz Fri Sep 25 09:56:48 AM CEST 2020 +From: Maor Gottlieb +Date: Mon, 31 Aug 2020 20:50:42 +0300 +Subject: net/mlx5: Fix FTE cleanup + +From: Maor Gottlieb + +[ Upstream commit cefc23554fc259114e78a7b0908aac4610ee18eb ] + +Currently, when an FTE is allocated, its refcount is decreased to 0 +with the purpose it will not be a stand alone steering object and every +rule (destination) of the FTE would increase the refcount. +When mlx5_cleanup_fs is called while not all rules were deleted by the +steering users, it hit refcount underflow on the FTE once clean_tree +calls to tree_remove_node after the deleted rules already decreased +the refcount to 0. + +FTE is no longer destroyed implicitly when the last rule (destination) +is deleted. mlx5_del_flow_rules avoids it by increasing the refcount on +the FTE and destroy it explicitly after all rules were deleted. So we +can avoid the refcount underflow by making FTE as stand alone object. +In addition need to set del_hw_func to FTE so the HW object will be +destroyed when the FTE is deleted from the cleanup_tree flow. + +refcount_t: underflow; use-after-free. +WARNING: CPU: 2 PID: 15715 at lib/refcount.c:28 refcount_warn_saturate+0xd9/0xe0 +Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 +Call Trace: + tree_put_node+0xf2/0x140 [mlx5_core] + clean_tree+0x4e/0xf0 [mlx5_core] + clean_tree+0x4e/0xf0 [mlx5_core] + clean_tree+0x4e/0xf0 [mlx5_core] + clean_tree+0x5f/0xf0 [mlx5_core] + clean_tree+0x4e/0xf0 [mlx5_core] + clean_tree+0x5f/0xf0 [mlx5_core] + mlx5_cleanup_fs+0x26/0x270 [mlx5_core] + mlx5_unload+0x2e/0xa0 [mlx5_core] + mlx5_unload_one+0x51/0x120 [mlx5_core] + mlx5_devlink_reload_down+0x51/0x90 [mlx5_core] + devlink_reload+0x39/0x120 + ? devlink_nl_cmd_reload+0x43/0x220 + genl_rcv_msg+0x1e4/0x420 + ? 
genl_family_rcv_msg_attrs_parse+0x100/0x100 + netlink_rcv_skb+0x47/0x110 + genl_rcv+0x24/0x40 + netlink_unicast+0x217/0x2f0 + netlink_sendmsg+0x30f/0x430 + sock_sendmsg+0x30/0x40 + __sys_sendto+0x10e/0x140 + ? handle_mm_fault+0xc4/0x1f0 + ? do_page_fault+0x33f/0x630 + __x64_sys_sendto+0x24/0x30 + do_syscall_64+0x48/0x130 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +Fixes: 718ce4d601db ("net/mlx5: Consolidate update FTE for all removal changes") +Fixes: bd71b08ec2ee ("net/mlx5: Support multiple updates of steering rules in parallel") +Signed-off-by: Maor Gottlieb +Reviewed-by: Mark Bloch +Signed-off-by: Saeed Mahameed +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlx5/core/fs_core.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c +@@ -629,7 +629,7 @@ static struct fs_fte *alloc_fte(struct m + fte->action = *flow_act; + fte->flow_context = spec->flow_context; + +- tree_init_node(&fte->node, NULL, del_sw_fte); ++ tree_init_node(&fte->node, del_hw_fte, del_sw_fte); + + return fte; + } +@@ -1737,7 +1737,6 @@ skip_search: + up_write_ref_node(&g->node, false); + rule = add_rule_fg(g, spec, flow_act, dest, dest_num, fte); + up_write_ref_node(&fte->node, false); +- tree_put_node(&fte->node, false); + return rule; + } + rule = ERR_PTR(-ENOENT); +@@ -1837,7 +1836,6 @@ search_again_locked: + up_write_ref_node(&g->node, false); + rule = add_rule_fg(g, spec, flow_act, dest, dest_num, fte); + up_write_ref_node(&fte->node, false); +- tree_put_node(&fte->node, false); + tree_put_node(&g->node, false); + return rule; + +@@ -1930,7 +1928,9 @@ void mlx5_del_flow_rules(struct mlx5_flo + up_write_ref_node(&fte->node, false); + } else { + del_hw_fte(&fte->node); +- up_write(&fte->node.lock); ++ /* Avoid double call to del_hw_fte */ ++ fte->node.del_hw_func = NULL; ++ up_write_ref_node(&fte->node, false); + tree_put_node(&fte->node, 
false); + } + kfree(handle); diff --git a/queue-5.4/net-mlx5e-enable-adding-peer-miss-rules-only-if-merged-eswitch-is-supported.patch b/queue-5.4/net-mlx5e-enable-adding-peer-miss-rules-only-if-merged-eswitch-is-supported.patch new file mode 100644 index 00000000000..8904450b944 --- /dev/null +++ b/queue-5.4/net-mlx5e-enable-adding-peer-miss-rules-only-if-merged-eswitch-is-supported.patch 
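Review bot: The `tree_init_node(&fte->node, del_hw_fte, del_sw_fte)` call in alloc_fte changes who owns the FTE's initial reference, and nothing in the new code records that. The two add-rule paths used to drop it with `tree_put_node(&fte->node, false)`; with those calls removed the FTE keeps the reference until mlx5_del_flow_rules or clean_tree releases it, so any path that allocates an FTE and then fails has to release it explicitly. Those error paths are outside the hunks and worth re-checking, since an imbalance here shows up as the refcount underflow / use-after-free warning quoted in the commit message. A comment above the call such as `/* FTE is a stand-alone node: it holds its own reference, dropped in mlx5_del_flow_rules() or clean_tree() */` would make the invariant visible.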
@@ -0,0 +1,114 @@ +From foo@baz Fri Sep 25 09:56:48 AM CEST 2020 +From: Maor Dickman +Date: Wed, 5 Aug 2020 17:56:04 +0300 +Subject: net/mlx5e: Enable adding peer miss rules only if merged eswitch is supported + +From: Maor Dickman + +[ Upstream commit 6cec0229ab1959259e71e9a5bbe47c04577950b1 ] + +The cited commit creates peer miss group during switchdev mode +initialization in order to handle miss packets correctly while in VF +LAG mode. This is done regardless of FW support of such groups which +could cause rules setups failure later on. + +Fix by adding FW capability check before creating peer groups/rule. + +Fixes: ac004b832128 ("net/mlx5e: E-Switch, Add peer miss rules") +Signed-off-by: Maor Dickman +Reviewed-by: Roi Dayan +Reviewed-by: Raed Salem +Signed-off-by: Saeed Mahameed +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c | 64 ++++++------- + 1 file changed, 34 insertions(+), 30 deletions(-) + +--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c +@@ -1143,35 +1143,37 @@ static int esw_create_offloads_fdb_table + } + esw->fdb_table.offloads.send_to_vport_grp = g; + +- /* create peer esw miss group */ +- memset(flow_group_in, 0, inlen); +- +- esw_set_flow_group_source_port(esw, flow_group_in); +- +- if (!mlx5_eswitch_vport_match_metadata_enabled(esw)) { +- match_criteria = MLX5_ADDR_OF(create_flow_group_in, +- flow_group_in, +- match_criteria); +- +- MLX5_SET_TO_ONES(fte_match_param, match_criteria, +- misc_parameters.source_eswitch_owner_vhca_id); +- +- MLX5_SET(create_flow_group_in, flow_group_in, +- source_eswitch_owner_vhca_id_valid, 1); +- } +- +- MLX5_SET(create_flow_group_in, flow_group_in, start_flow_index, ix); +- MLX5_SET(create_flow_group_in, flow_group_in, end_flow_index, +- ix + esw->total_vports - 1); +- ix += esw->total_vports; +- +- g = mlx5_create_flow_group(fdb, flow_group_in); +- if (IS_ERR(g)) { +- err = 
PTR_ERR(g); +- esw_warn(dev, "Failed to create peer miss flow group err(%d)\n", err); +- goto peer_miss_err; ++ if (MLX5_CAP_ESW(esw->dev, merged_eswitch)) { ++ /* create peer esw miss group */ ++ memset(flow_group_in, 0, inlen); ++ ++ esw_set_flow_group_source_port(esw, flow_group_in); ++ ++ if (!mlx5_eswitch_vport_match_metadata_enabled(esw)) { ++ match_criteria = MLX5_ADDR_OF(create_flow_group_in, ++ flow_group_in, ++ match_criteria); ++ ++ MLX5_SET_TO_ONES(fte_match_param, match_criteria, ++ misc_parameters.source_eswitch_owner_vhca_id); ++ ++ MLX5_SET(create_flow_group_in, flow_group_in, ++ source_eswitch_owner_vhca_id_valid, 1); ++ } ++ ++ MLX5_SET(create_flow_group_in, flow_group_in, start_flow_index, ix); ++ MLX5_SET(create_flow_group_in, flow_group_in, end_flow_index, ++ ix + esw->total_vports - 1); ++ ix += esw->total_vports; ++ ++ g = mlx5_create_flow_group(fdb, flow_group_in); ++ if (IS_ERR(g)) { ++ err = PTR_ERR(g); ++ esw_warn(dev, "Failed to create peer miss flow group err(%d)\n", err); ++ goto peer_miss_err; ++ } ++ esw->fdb_table.offloads.peer_miss_grp = g; + } +- esw->fdb_table.offloads.peer_miss_grp = g; + + /* create miss group */ + memset(flow_group_in, 0, inlen); +@@ -1206,7 +1208,8 @@ static int esw_create_offloads_fdb_table + miss_rule_err: + mlx5_destroy_flow_group(esw->fdb_table.offloads.miss_grp); + miss_err: +- mlx5_destroy_flow_group(esw->fdb_table.offloads.peer_miss_grp); ++ if (MLX5_CAP_ESW(esw->dev, merged_eswitch)) ++ mlx5_destroy_flow_group(esw->fdb_table.offloads.peer_miss_grp); + peer_miss_err: + mlx5_destroy_flow_group(esw->fdb_table.offloads.send_to_vport_grp); + send_vport_err: +@@ -1229,7 +1232,8 @@ static void esw_destroy_offloads_fdb_tab + mlx5_del_flow_rules(esw->fdb_table.offloads.miss_rule_multi); + mlx5_del_flow_rules(esw->fdb_table.offloads.miss_rule_uni); + mlx5_destroy_flow_group(esw->fdb_table.offloads.send_to_vport_grp); +- mlx5_destroy_flow_group(esw->fdb_table.offloads.peer_miss_grp); ++ if 
(MLX5_CAP_ESW(esw->dev, merged_eswitch)) ++ mlx5_destroy_flow_group(esw->fdb_table.offloads.peer_miss_grp); + mlx5_destroy_flow_group(esw->fdb_table.offloads.miss_grp); + + mlx5_destroy_flow_table(esw->fdb_table.offloads.slow_fdb); diff --git a/queue-5.4/net-mlx5e-tls-do-not-expose-fpga-tls-counter-if-not-supported.patch b/queue-5.4/net-mlx5e-tls-do-not-expose-fpga-tls-counter-if-not-supported.patch new file mode 100644 index 00000000000..f4995c5b0fe --- /dev/null +++ b/queue-5.4/net-mlx5e-tls-do-not-expose-fpga-tls-counter-if-not-supported.patch 
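Review bot: Both teardown sites decide whether to destroy `peer_miss_grp` by re-reading `MLX5_CAP_ESW(esw->dev, merged_eswitch)` instead of checking whether the group was actually created. That keeps three copies of the capability test in sync by hand, and when the capability is absent `esw->fdb_table.offloads.peer_miss_grp` is left at whatever value it held before. Recording the outcome would be sturdier: add `else esw->fdb_table.offloads.peer_miss_grp = NULL;` to the creation check and test `if (esw->fdb_table.offloads.peer_miss_grp)` in the `miss_err:` unwind and in the destroy path. Both functions start and end outside the hunks, so whether the structure is cleared between mode changes cannot be confirmed from here.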
@@ -0,0 +1,71 @@ +From foo@baz Fri Sep 25 09:56:48 AM CEST 2020 +From: Tariq Toukan +Date: Sun, 28 Jun 2020 13:06:06 +0300 +Subject: net/mlx5e: TLS, Do not expose FPGA TLS counter if not supported + +From: Tariq Toukan + +[ Upstream commit 8f0bcd19b1da3f264223abea985b9462e85a3718 ] + +The set of TLS TX global SW counters in mlx5e_tls_sw_stats_desc +is updated from all rings by using atomic ops. +This set of stats is used only in the FPGA TLS use case, not in +the Connect-X TLS one, where regular per-ring counters are used. + +Do not expose them in the Connect-X use case, as this would cause +counter duplication. For example, tx_tls_drop_no_sync_data would +appear twice in the ethtool stats. + +Fixes: d2ead1f360e8 ("net/mlx5e: Add kTLS TX HW offload support") +Signed-off-by: Tariq Toukan +Reviewed-by: Moshe Shemesh +Signed-off-by: Saeed Mahameed +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlx5/core/en_accel/tls_stats.c | 12 +++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/tls_stats.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/tls_stats.c +@@ -35,7 +35,6 @@ + #include + + #include "en.h" +-#include "accel/tls.h" + #include "fpga/sdk.h" + #include "en_accel/tls.h" + +@@ -51,9 +50,14 @@ static const struct counter_desc mlx5e_t + + #define NUM_TLS_SW_COUNTERS ARRAY_SIZE(mlx5e_tls_sw_stats_desc) + ++static bool is_tls_atomic_stats(struct mlx5e_priv *priv) ++{ ++ return priv->tls && !mlx5_accel_is_ktls_device(priv->mdev); ++} ++ + int mlx5e_tls_get_count(struct mlx5e_priv *priv) + { +- if (!priv->tls) ++ if (!is_tls_atomic_stats(priv)) + return 0; + + return NUM_TLS_SW_COUNTERS; +@@ -63,7 +67,7 @@ int mlx5e_tls_get_strings(struct mlx5e_p + { + unsigned int i, idx = 0; + +- if (!priv->tls) ++ if (!is_tls_atomic_stats(priv)) + return 0; + + for (i = 0; i < NUM_TLS_SW_COUNTERS; i++) +@@ -77,7 +81,7 @@ int mlx5e_tls_get_stats(struct mlx5e_pri + { + int i, idx = 0; + 
+- if (!priv->tls) ++ if (!is_tls_atomic_stats(priv)) + return 0; + + for (i = 0; i < NUM_TLS_SW_COUNTERS; i++) diff --git a/queue-5.4/net-phy-avoid-npd-upon-phy_detach-when-driver-is-unbound.patch b/queue-5.4/net-phy-avoid-npd-upon-phy_detach-when-driver-is-unbound.patch new file mode 100644 index 00000000000..da5e41c755f --- /dev/null +++ b/queue-5.4/net-phy-avoid-npd-upon-phy_detach-when-driver-is-unbound.patch @@ -0,0 +1,37 @@ +From foo@baz Fri Sep 25 09:56:48 AM CEST 2020 +From: Florian Fainelli +Date: Wed, 16 Sep 2020 20:43:09 -0700 +Subject: net: phy: Avoid NPD upon phy_detach() when driver is unbound + +From: Florian Fainelli + +[ Upstream commit c2b727df7caa33876e7066bde090f40001b6d643 ] + +If we have unbound the PHY driver prior to calling phy_detach() (often +via phy_disconnect()) then we can cause a NULL pointer de-reference +accessing the driver owner member. The steps to reproduce are: + +echo unimac-mdio-0:01 > /sys/class/net/eth0/phydev/driver/unbind +ip link set eth0 down + +Fixes: cafe8df8b9bc ("net: phy: Fix lack of reference count on PHY driver") +Signed-off-by: Florian Fainelli +Reviewed-by: Andrew Lunn +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/phy/phy_device.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/net/phy/phy_device.c ++++ b/drivers/net/phy/phy_device.c +@@ -1421,7 +1421,8 @@ void phy_detach(struct phy_device *phyde + + phy_led_triggers_unregister(phydev); + +- module_put(phydev->mdio.dev.driver->owner); ++ if (phydev->mdio.dev.driver) ++ module_put(phydev->mdio.dev.driver->owner); + + /* If the device had no specific driver before (i.e. - it + * was using the generic driver), we unbind the device diff --git a/queue-5.4/net-phy-do-not-warn-in-phy_stop-on-phy_down.patch b/queue-5.4/net-phy-do-not-warn-in-phy_stop-on-phy_down.patch new file mode 100644 index 00000000000..9c9194dcb43 --- /dev/null +++ b/queue-5.4/net-phy-do-not-warn-in-phy_stop-on-phy_down.patch 
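Review bot: is_tls_atomic_stats() is added without a comment, and its name does not say why kTLS devices are excluded. The reason is only in the commit message: the atomic software counters in mlx5e_tls_sw_stats_desc belong to the FPGA TLS path, and exposing them on a kTLS device duplicates the per-ring counters. A one-line comment above the helper, for example `/* global atomic TLS counters are used by FPGA TLS only; kTLS devices report per-ring counters */`, would keep the three callers from being simplified back to `!priv->tls`. The patch also drops `#include "accel/tls.h"` while adding a call to mlx5_accel_is_ktls_device(); presumably the declaration still arrives through another header, which is worth confirming for the 5.4 tree.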
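Review bot: The added guard in phy_detach() skips `module_put()` whenever the driver pointer is already NULL, so on that path a module reference taken at attach time would never be dropped. The matching get is outside the hunk, so this is inferred, but if attach pinned the driver's owner, unbinding first and detaching later leaves that refcount elevated. The pointer is also read twice, once in the test and once in the call, which is safe only if unbind cannot run concurrently with phy_detach(); the locking is not visible here. Reading it once, `struct device_driver *drv = phydev->mdio.dev.driver;` followed by `if (drv) module_put(drv->owner);`, removes the second concern.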
@@ -0,0 +1,34 @@
+From foo@baz Fri Sep 25 09:56:48 AM CEST 2020
+From: Florian Fainelli
+Date: Wed, 16 Sep 2020 20:43:10 -0700
+Subject: net: phy: Do not warn in phy_stop() on PHY_DOWN
+
+From: Florian Fainelli
+
+[ Upstream commit 5116a8ade333b6c2e180782139c9c516a437b21c ]
+
+When phy_is_started() was added to catch incorrect PHY states,
+phy_stop() would not be qualified against PHY_DOWN. It is possible to
+reach that state when the PHY driver has been unbound and the network
+device is then brought down.
+
+Fixes: 2b3e88ea6528 ("net: phy: improve phy state checking")
+Signed-off-by: Florian Fainelli
+Reviewed-by: Andrew Lunn
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/phy/phy.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/phy/phy.c
++++ b/drivers/net/phy/phy.c
+@@ -834,7 +834,7 @@ EXPORT_SYMBOL(phy_free_interrupt);
+ */
+ void phy_stop(struct phy_device *phydev)
+ {
+- if (!phy_is_started(phydev)) {
++ if (!phy_is_started(phydev) && phydev->state != PHY_DOWN) {
+ WARN(1, "called from state %s\n",
+ phy_state_to_str(phydev->state));
+ return;
diff --git a/queue-5.4/net-qrtr-check-skb_put_padto-return-value.patch b/queue-5.4/net-qrtr-check-skb_put_padto-return-value.patch
new file mode 100644
index 00000000000..5097042bb63
--- /dev/null
+++ b/queue-5.4/net-qrtr-check-skb_put_padto-return-value.patch
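Review bot: After this change phy_stop() runs its full stop sequence when called in PHY_DOWN, but neither the condition nor the kernel-doc above it says that PHY_DOWN is an accepted entry state. The reason is only in the commit message: the driver was unbound and the network device was then brought down. A comment on the test, e.g. `/* PHY_DOWN is reachable when the PHY driver was unbound before the interface went down */`, would explain the exception. The rest of phy_stop() lies outside the hunk, so it is worth confirming that the code after the check tolerates a device with no bound driver.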
@@ -0,0 +1,165 @@ +From foo@baz Fri Sep 25 09:56:48 AM CEST 2020 +From: Eric Dumazet +Date: Wed, 9 Sep 2020 01:27:39 -0700 +Subject: net: qrtr: check skb_put_padto() return value + +From: Eric Dumazet + +[ Upstream commit 3ca1a42a52ca4b4f02061683851692ad65fefac8 ] + +If skb_put_padto() returns an error, skb has been freed. +Better not touch it anymore, as reported by syzbot [1] + +Note to qrtr maintainers : this suggests qrtr_sendmsg() +should adjust sock_alloc_send_skb() second parameter +to account for the potential added alignment to avoid +reallocation. + +[1] + +BUG: KASAN: use-after-free in __skb_insert include/linux/skbuff.h:1907 [inline] +BUG: KASAN: use-after-free in __skb_queue_before include/linux/skbuff.h:2016 [inline] +BUG: KASAN: use-after-free in __skb_queue_tail include/linux/skbuff.h:2049 [inline] +BUG: KASAN: use-after-free in skb_queue_tail+0x6b/0x120 net/core/skbuff.c:3146 +Write of size 8 at addr ffff88804d8ab3c0 by task syz-executor.4/4316 + +CPU: 1 PID: 4316 Comm: syz-executor.4 Not tainted 5.9.0-rc4-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0x1d6/0x29e lib/dump_stack.c:118 + print_address_description+0x66/0x620 mm/kasan/report.c:383 + __kasan_report mm/kasan/report.c:513 [inline] + kasan_report+0x132/0x1d0 mm/kasan/report.c:530 + __skb_insert include/linux/skbuff.h:1907 [inline] + __skb_queue_before include/linux/skbuff.h:2016 [inline] + __skb_queue_tail include/linux/skbuff.h:2049 [inline] + skb_queue_tail+0x6b/0x120 net/core/skbuff.c:3146 + qrtr_tun_send+0x1a/0x40 net/qrtr/tun.c:23 + qrtr_node_enqueue+0x44f/0xc00 net/qrtr/qrtr.c:364 + qrtr_bcast_enqueue+0xbe/0x140 net/qrtr/qrtr.c:861 + qrtr_sendmsg+0x680/0x9c0 net/qrtr/qrtr.c:960 + sock_sendmsg_nosec net/socket.c:651 [inline] + sock_sendmsg net/socket.c:671 [inline] + sock_write_iter+0x317/0x470 net/socket.c:998 + call_write_iter include/linux/fs.h:1882 
[inline] + new_sync_write fs/read_write.c:503 [inline] + vfs_write+0xa96/0xd10 fs/read_write.c:578 + ksys_write+0x11b/0x220 fs/read_write.c:631 + do_syscall_64+0x31/0x70 arch/x86/entry/common.c:46 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 +RIP: 0033:0x45d5b9 +Code: 5d b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 2b b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 +RSP: 002b:00007f84b5b81c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 +RAX: ffffffffffffffda RBX: 0000000000038b40 RCX: 000000000045d5b9 +RDX: 0000000000000055 RSI: 0000000020001240 RDI: 0000000000000003 +RBP: 00007f84b5b81ca0 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 000000000000000f +R13: 00007ffcbbf86daf R14: 00007f84b5b829c0 R15: 000000000118cf4c + +Allocated by task 4316: + kasan_save_stack mm/kasan/common.c:48 [inline] + kasan_set_track mm/kasan/common.c:56 [inline] + __kasan_kmalloc+0x100/0x130 mm/kasan/common.c:461 + slab_post_alloc_hook+0x3e/0x290 mm/slab.h:518 + slab_alloc mm/slab.c:3312 [inline] + kmem_cache_alloc+0x1c1/0x2d0 mm/slab.c:3482 + skb_clone+0x1b2/0x370 net/core/skbuff.c:1449 + qrtr_bcast_enqueue+0x6d/0x140 net/qrtr/qrtr.c:857 + qrtr_sendmsg+0x680/0x9c0 net/qrtr/qrtr.c:960 + sock_sendmsg_nosec net/socket.c:651 [inline] + sock_sendmsg net/socket.c:671 [inline] + sock_write_iter+0x317/0x470 net/socket.c:998 + call_write_iter include/linux/fs.h:1882 [inline] + new_sync_write fs/read_write.c:503 [inline] + vfs_write+0xa96/0xd10 fs/read_write.c:578 + ksys_write+0x11b/0x220 fs/read_write.c:631 + do_syscall_64+0x31/0x70 arch/x86/entry/common.c:46 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +Freed by task 4316: + kasan_save_stack mm/kasan/common.c:48 [inline] + kasan_set_track+0x3d/0x70 mm/kasan/common.c:56 + kasan_set_free_info+0x17/0x30 mm/kasan/generic.c:355 + __kasan_slab_free+0xdd/0x110 mm/kasan/common.c:422 + __cache_free mm/slab.c:3418 
[inline] + kmem_cache_free+0x82/0xf0 mm/slab.c:3693 + __skb_pad+0x3f5/0x5a0 net/core/skbuff.c:1823 + __skb_put_padto include/linux/skbuff.h:3233 [inline] + skb_put_padto include/linux/skbuff.h:3252 [inline] + qrtr_node_enqueue+0x62f/0xc00 net/qrtr/qrtr.c:360 + qrtr_bcast_enqueue+0xbe/0x140 net/qrtr/qrtr.c:861 + qrtr_sendmsg+0x680/0x9c0 net/qrtr/qrtr.c:960 + sock_sendmsg_nosec net/socket.c:651 [inline] + sock_sendmsg net/socket.c:671 [inline] + sock_write_iter+0x317/0x470 net/socket.c:998 + call_write_iter include/linux/fs.h:1882 [inline] + new_sync_write fs/read_write.c:503 [inline] + vfs_write+0xa96/0xd10 fs/read_write.c:578 + ksys_write+0x11b/0x220 fs/read_write.c:631 + do_syscall_64+0x31/0x70 arch/x86/entry/common.c:46 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +The buggy address belongs to the object at ffff88804d8ab3c0 + which belongs to the cache skbuff_head_cache of size 224 +The buggy address is located 0 bytes inside of + 224-byte region [ffff88804d8ab3c0, ffff88804d8ab4a0) +The buggy address belongs to the page: +page:00000000ea8cccfb refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88804d8abb40 pfn:0x4d8ab +flags: 0xfffe0000000200(slab) +raw: 00fffe0000000200 ffffea0002237ec8 ffffea00029b3388 ffff88821bb66800 +raw: ffff88804d8abb40 ffff88804d8ab000 000000010000000b 0000000000000000 +page dumped because: kasan: bad access detected + +Fixes: ce57785bf91b ("net: qrtr: fix len of skb_put_padto in qrtr_node_enqueue") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Cc: Carl Huang +Cc: Wen Gong +Cc: Bjorn Andersson +Cc: Manivannan Sadhasivam +Acked-by: Manivannan Sadhasivam +Reviewed-by: Bjorn Andersson +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/qrtr/qrtr.c | 20 +++++++++++--------- + 1 file changed, 11 insertions(+), 9 deletions(-) + +--- a/net/qrtr/qrtr.c ++++ b/net/qrtr/qrtr.c +@@ -178,7 +178,7 @@ static int qrtr_node_enqueue(struct qrtr + { + struct qrtr_hdr_v1 *hdr; + size_t len = skb->len; +- int rc = -ENODEV; ++ int rc; + + hdr = skb_push(skb, sizeof(*hdr)); + hdr->version = cpu_to_le32(QRTR_PROTO_VER_1); +@@ -196,15 +196,17 @@ static int qrtr_node_enqueue(struct qrtr + hdr->size = cpu_to_le32(len); + hdr->confirm_rx = 0; + +- skb_put_padto(skb, ALIGN(len, 4) + sizeof(*hdr)); +- +- mutex_lock(&node->ep_lock); +- if (node->ep) +- rc = node->ep->xmit(node->ep, skb); +- else +- kfree_skb(skb); +- mutex_unlock(&node->ep_lock); ++ rc = skb_put_padto(skb, ALIGN(len, 4) + sizeof(*hdr)); + ++ if (!rc) { ++ mutex_lock(&node->ep_lock); ++ rc = -ENODEV; ++ if (node->ep) ++ rc = node->ep->xmit(node->ep, skb); ++ else ++ kfree_skb(skb); ++ mutex_unlock(&node->ep_lock); ++ } + return rc; + } + diff --git a/queue-5.4/net-sch_generic-aviod-concurrent-reset-and-enqueue-op-for-lockless-qdisc.patch b/queue-5.4/net-sch_generic-aviod-concurrent-reset-and-enqueue-op-for-lockless-qdisc.patch new file mode 100644 index 00000000000..c5a89fbd01c --- /dev/null +++ b/queue-5.4/net-sch_generic-aviod-concurrent-reset-and-enqueue-op-for-lockless-qdisc.patch 
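Review bot: The ownership rule that makes the new `if (!rc)` block in qrtr_node_enqueue() necessary is not written down next to the call. skb_put_padto() frees the skb when it fails, so after a non-zero return neither `skb` nor `hdr` (which points into it) may be touched, and the function consumes the skb on every path. A comment at the call such as `/* skb_put_padto() frees skb on failure; skb and hdr are invalid from here on if rc != 0 */` would protect later edits from reintroducing the use-after-free shown in the KASAN report. An early `if (rc) return rc;` would also keep the locked section at its previous indentation.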
@@ -0,0 +1,107 @@ +From foo@baz Fri Sep 25 09:56:48 AM CEST 2020 +From: Yunsheng Lin +Date: Tue, 8 Sep 2020 19:02:34 +0800 +Subject: net: sch_generic: aviod concurrent reset and enqueue op for lockless qdisc + +From: Yunsheng Lin + +[ Upstream commit 2fb541c862c987d02dfdf28f1545016deecfa0d5 ] + +Currently there is concurrent reset and enqueue operation for the +same lockless qdisc when there is no lock to synchronize the +q->enqueue() in __dev_xmit_skb() with the qdisc reset operation in +qdisc_deactivate() called by dev_deactivate_queue(), which may cause +out-of-bounds access for priv->ring[] in hns3 driver if user has +requested a smaller queue num when __dev_xmit_skb() still enqueue a +skb with a larger queue_mapping after the corresponding qdisc is +reset, and call hns3_nic_net_xmit() with that skb later. + +Reused the existing synchronize_net() in dev_deactivate_many() to +make sure skb with larger queue_mapping enqueued to old qdisc(which +is saved in dev_queue->qdisc_sleeping) will always be reset when +dev_reset_queue() is called. + +Fixes: 6b3ba9146fe6 ("net: sched: allow qdiscs to handle locking") +Signed-off-by: Yunsheng Lin +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/sched/sch_generic.c | 49 ++++++++++++++++++++++++++++++++---------------- + 1 file changed, 33 insertions(+), 16 deletions(-) + +--- a/net/sched/sch_generic.c ++++ b/net/sched/sch_generic.c +@@ -1126,27 +1126,36 @@ static void dev_deactivate_queue(struct + struct netdev_queue *dev_queue, + void *_qdisc_default) + { +- struct Qdisc *qdisc_default = _qdisc_default; +- struct Qdisc *qdisc; ++ struct Qdisc *qdisc = rtnl_dereference(dev_queue->qdisc); + +- qdisc = rtnl_dereference(dev_queue->qdisc); + if (qdisc) { +- bool nolock = qdisc->flags & TCQ_F_NOLOCK; +- +- if (nolock) +- spin_lock_bh(&qdisc->seqlock); +- spin_lock_bh(qdisc_lock(qdisc)); +- + if (!(qdisc->flags & TCQ_F_BUILTIN)) + set_bit(__QDISC_STATE_DEACTIVATED, &qdisc->state); ++ } ++} + +- rcu_assign_pointer(dev_queue->qdisc, qdisc_default); +- qdisc_reset(qdisc); ++static void dev_reset_queue(struct net_device *dev, ++ struct netdev_queue *dev_queue, ++ void *_unused) ++{ ++ struct Qdisc *qdisc; ++ bool nolock; + +- spin_unlock_bh(qdisc_lock(qdisc)); +- if (nolock) +- spin_unlock_bh(&qdisc->seqlock); +- } ++ qdisc = dev_queue->qdisc_sleeping; ++ if (!qdisc) ++ return; ++ ++ nolock = qdisc->flags & TCQ_F_NOLOCK; ++ ++ if (nolock) ++ spin_lock_bh(&qdisc->seqlock); ++ spin_lock_bh(qdisc_lock(qdisc)); ++ ++ qdisc_reset(qdisc); ++ ++ spin_unlock_bh(qdisc_lock(qdisc)); ++ if (nolock) ++ spin_unlock_bh(&qdisc->seqlock); + } + + static bool some_qdisc_is_busy(struct net_device *dev) +@@ -1207,12 +1216,20 @@ void dev_deactivate_many(struct list_hea + dev_watchdog_down(dev); + } + +- /* Wait for outstanding qdisc-less dev_queue_xmit calls. ++ /* Wait for outstanding qdisc-less dev_queue_xmit calls or ++ * outstanding qdisc enqueuing calls. 
+ * This is avoided if all devices are in dismantle phase : + * Caller will call synchronize_net() for us + */ + synchronize_net(); + ++ list_for_each_entry(dev, head, close_list) { ++ netdev_for_each_tx_queue(dev, dev_reset_queue, NULL); ++ ++ if (dev_ingress_queue(dev)) ++ dev_reset_queue(dev, dev_ingress_queue(dev), NULL); ++ } ++ + /* Wait for outstanding qdisc_run calls. */ + list_for_each_entry(dev, head, close_list) { + while (some_qdisc_is_busy(dev)) diff --git a/queue-5.4/net-sctp-fix-ipv6-ancestor_size-calc-in-sctp_copy_descendant.patch b/queue-5.4/net-sctp-fix-ipv6-ancestor_size-calc-in-sctp_copy_descendant.patch new file mode 100644 index 00000000000..a7f37d880ec --- /dev/null +++ b/queue-5.4/net-sctp-fix-ipv6-ancestor_size-calc-in-sctp_copy_descendant.patch 
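Review bot: The rewritten dev_deactivate_queue() no longer installs the default qdisc: the removed `rcu_assign_pointer(dev_queue->qdisc, qdisc_default);` is not re-added anywhere in the hunk, and the `_qdisc_default` argument is now unused. As shown, `dev_queue->qdisc` keeps pointing at the old qdisc after deactivation, so senders can still reach its enqueue after the `synchronize_net()` that the new dev_reset_queue() pass relies on, which is the concurrent reset/enqueue case the commit message sets out to close. Keeping `struct Qdisc *qdisc_default = _qdisc_default;` and putting `rcu_assign_pointer(dev_queue->qdisc, qdisc_default);` back inside the `if (qdisc)` block, after the `set_bit()`, restores the switch. The callers that pass the default qdisc are outside the hunk, so this should be compared against the upstream commit named in the patch header.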
@@ -0,0 +1,67 @@ +From foo@baz Fri Sep 25 09:56:48 AM CEST 2020 +From: Henry Ptasinski +Date: Sat, 19 Sep 2020 00:12:11 +0000 +Subject: net: sctp: Fix IPv6 ancestor_size calc in sctp_copy_descendant + +From: Henry Ptasinski + +[ Upstream commit fe81d9f6182d1160e625894eecb3d7ff0222cac5 ] + +When calculating ancestor_size with IPv6 enabled, simply using +sizeof(struct ipv6_pinfo) doesn't account for extra bytes needed for +alignment in the struct sctp6_sock. On x86, there aren't any extra +bytes, but on ARM the ipv6_pinfo structure is aligned on an 8-byte +boundary so there were 4 pad bytes that were omitted from the +ancestor_size calculation. This would lead to corruption of the +pd_lobby pointers, causing an oops when trying to free the sctp +structure on socket close. + +Fixes: 636d25d557d1 ("sctp: not copy sctp_sock pd_lobby in sctp_copy_descendant") +Signed-off-by: Henry Ptasinski +Acked-by: Marcelo Ricardo Leitner +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/net/sctp/structs.h | 8 +++++--- + net/sctp/socket.c | 9 +++------ + 2 files changed, 8 insertions(+), 9 deletions(-) + +--- a/include/net/sctp/structs.h ++++ b/include/net/sctp/structs.h +@@ -224,12 +224,14 @@ struct sctp_sock { + data_ready_signalled:1; + + atomic_t pd_mode; ++ ++ /* Fields after this point will be skipped on copies, like on accept ++ * and peeloff operations ++ */ ++ + /* Receive to here while partial delivery is in effect. 
*/ + struct sk_buff_head pd_lobby; + +- /* These must be the last fields, as they will skipped on copies, +- * like on accept and peeloff operations +- */ + struct list_head auto_asconf_list; + int do_auto_asconf; + }; +--- a/net/sctp/socket.c ++++ b/net/sctp/socket.c +@@ -9337,13 +9337,10 @@ void sctp_copy_sock(struct sock *newsk, + static inline void sctp_copy_descendant(struct sock *sk_to, + const struct sock *sk_from) + { +- int ancestor_size = sizeof(struct inet_sock) + +- sizeof(struct sctp_sock) - +- offsetof(struct sctp_sock, pd_lobby); +- +- if (sk_from->sk_family == PF_INET6) +- ancestor_size += sizeof(struct ipv6_pinfo); ++ size_t ancestor_size = sizeof(struct inet_sock); + ++ ancestor_size += sk_from->sk_prot->obj_size; ++ ancestor_size -= offsetof(struct sctp_sock, pd_lobby); + __inet_sk_copy_descendant(sk_to, sk_from, ancestor_size); + } + diff --git a/queue-5.4/nfp-use-correct-define-to-return-none-fec.patch b/queue-5.4/nfp-use-correct-define-to-return-none-fec.patch new file mode 100644 index 00000000000..49cb53cce85 --- /dev/null +++ b/queue-5.4/nfp-use-correct-define-to-return-none-fec.patch 
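Review bot: sctp_copy_descendant() depends on `pd_lobby` being the first field of struct sctp_sock that must not be copied, but the new comment in structs.h only says "Fields after this point will be skipped" and does not name the code that relies on it. A field added later between `pd_mode` and `pd_lobby` would be copied or skipped according to where it lands relative to `offsetof(struct sctp_sock, pd_lobby)`, not according to the comment. Naming the dependency, e.g. `/* sctp_copy_descendant() copies up to offsetof(struct sctp_sock, pd_lobby); keep pd_lobby first below this line */`, would tie the two files together. `ancestor_size` also became `size_t`; the prototype of __inet_sk_copy_descendant() is outside the hunk, so check that the argument type still matches.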
@@ -0,0 +1,35 @@
+From foo@baz Fri Sep 25 09:56:48 AM CEST 2020
+From: Jakub Kicinski
+Date: Thu, 17 Sep 2020 10:52:57 -0700
+Subject: nfp: use correct define to return NONE fec
+
+From: Jakub Kicinski
+
+[ Upstream commit 5f6857e808a8bd078296575b417c4b9d160b9779 ]
+
+struct ethtool_fecparam carries bitmasks not bit numbers.
+We want to return 1 (NONE), not 0.
+
+Fixes: 0d0870938337 ("nfp: implement ethtool FEC mode settings")
+Signed-off-by: Jakub Kicinski
+Reviewed-by: Simon Horman
+Reviewed-by: Jesse Brandeburg
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/netronome/nfp/nfp_net_ethtool.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/netronome/nfp/nfp_net_ethtool.c
++++ b/drivers/net/ethernet/netronome/nfp/nfp_net_ethtool.c
+@@ -731,8 +731,8 @@ nfp_port_get_fecparam(struct net_device
+ struct nfp_eth_table_port *eth_port;
+ struct nfp_port *port;
+
+- param->active_fec = ETHTOOL_FEC_NONE_BIT;
+- param->fec = ETHTOOL_FEC_NONE_BIT;
++ param->active_fec = ETHTOOL_FEC_NONE;
++ param->fec = ETHTOOL_FEC_NONE;
+
+ port = nfp_port_from_netdev(netdev);
+ eth_port = nfp_port_get_eth_port(port);
diff --git a/queue-5.4/series b/queue-5.4/series
index ccdd49e38aa..cf65d446435 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -3,3 +3,39 @@ ibmvnic-fix-null-tx_pools-and-rx_tools-issue-at-do_r.patch
 ibmvnic-add-missing-parenthesis-in-do_reset.patch
 kprobes-fix-kill-kprobe-which-has-been-marked-as-gon.patch
 mm-thp-fix-__split_huge_pmd_locked-for-migration-pmd.patch
+act_ife-load-meta-modules-before-tcf_idr_check_alloc.patch
+bnxt_en-avoid-sending-firmware-messages-when-aer-error-is-detected.patch
+bnxt_en-fix-null-ptr-dereference-crash-in-bnxt_fw_reset_task.patch
+cxgb4-fix-memory-leak-during-module-unload.patch
+cxgb4-fix-offset-when-clearing-filter-byte-counters.patch
+geneve-add-transport-ports-in-route-lookup-for-geneve.patch
+hdlc_ppp-add-range-checks-in-ppp_cp_parse_cr.patch
+ip-fix-tos-reflection-in-ack-and-reset-packets.patch
+ipv4-initialize-flowi4_multipath_hash-in-data-path.patch
+ipv4-update-exception-handling-for-multipath-routes-via-same-device.patch
+ipv6-avoid-lockdep-issue-in-fib6_del.patch
+net-bridge-br_vlan_get_pvid_rcu-should-dereference-the-vlan-group-under-rcu.patch
+net-dcb-validate-dcb_attr_dcb_buffer-argument.patch
+net-dsa-rtl8366-properly-clear-member-config.patch
+net-fix-bridge-enslavement-failure.patch
+net-ipv6-fix-kconfig-dependency-warning-for-ipv6_seg6_hmac.patch
+net-mlx5-fix-fte-cleanup.patch
+net-sch_generic-aviod-concurrent-reset-and-enqueue-op-for-lockless-qdisc.patch
+net-sctp-fix-ipv6-ancestor_size-calc-in-sctp_copy_descendant.patch
+nfp-use-correct-define-to-return-none-fec.patch
+taprio-fix-allowing-too-small-intervals.patch
+tipc-fix-memory-leak-in-tipc_group_create_member.patch
+tipc-fix-shutdown-of-connection-oriented-socket.patch
+tipc-use-skb_unshare-instead-in-tipc_buf_append.patch
+net-mlx5e-enable-adding-peer-miss-rules-only-if-merged-eswitch-is-supported.patch
+net-mlx5e-tls-do-not-expose-fpga-tls-counter-if-not-supported.patch
+bnxt_en-return-proper-error-codes-in-bnxt_show_temp.patch
+bnxt_en-protect-bnxt_set_eee-and-bnxt_set_pauseparam-with-mutex.patch
+net-lantiq-wake-tx-queue-again.patch
+net-lantiq-use-netif_tx_napi_add-for-tx-napi.patch
+net-lantiq-use-napi_complete_done.patch
+net-lantiq-disable-irqs-only-if-napi-gets-scheduled.patch
+net-phy-avoid-npd-upon-phy_detach-when-driver-is-unbound.patch
+net-phy-do-not-warn-in-phy_stop-on-phy_down.patch
+net-qrtr-check-skb_put_padto-return-value.patch
+net-add-__must_check-to-skb_put_padto.patch
diff --git a/queue-5.4/taprio-fix-allowing-too-small-intervals.patch b/queue-5.4/taprio-fix-allowing-too-small-intervals.patch
new file mode 100644
index 00000000000..9357805efb8
--- /dev/null
+++ b/queue-5.4/taprio-fix-allowing-too-small-intervals.patch
@@ -0,0 +1,116 @@
+From foo@baz Fri Sep 25 09:56:48 AM CEST 2020
+From: Vinicius Costa Gomes
+Date: Wed, 9 Sep 2020 17:03:11 -0700
+Subject: taprio: Fix allowing too small intervals
+
+From: Vinicius Costa Gomes
+
+[ Upstream commit b5b73b26b3ca34574124ed7ae9c5ba8391a7f176 ]
+
+It's possible that the user specifies an interval that couldn't allow
+any packet to be transmitted. This also avoids the issue of the
+hrtimer handler starving the other threads because it's running too
+often.
+
+The solution is to reject interval sizes that according to the current
+link speed wouldn't allow any packet to be transmitted.
+
+Reported-by: syzbot+8267241609ae8c23b248@syzkaller.appspotmail.com
+Fixes: 5a781ccbd19e ("tc: Add support for configuring the taprio scheduler")
+Signed-off-by: Vinicius Costa Gomes
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/sched/sch_taprio.c | 28 +++++++++++++++++-----------
+ 1 file changed, 17 insertions(+), 11 deletions(-)
+
+--- a/net/sched/sch_taprio.c
++++ b/net/sched/sch_taprio.c
+@@ -777,9 +777,11 @@ static const struct nla_policy taprio_po
+ [TCA_TAPRIO_ATTR_TXTIME_DELAY] = { .type = NLA_U32 },
+ };
+
+-static int fill_sched_entry(struct nlattr **tb, struct sched_entry *entry,
++static int fill_sched_entry(struct taprio_sched *q, struct nlattr **tb,
++ struct sched_entry *entry,
+ struct netlink_ext_ack *extack)
+ {
++ int min_duration = length_to_duration(q, ETH_ZLEN);
+ u32 interval = 0;
+
+ if (tb[TCA_TAPRIO_SCHED_ENTRY_CMD])
+@@ -794,7 +796,10 @@ static int fill_sched_entry(struct nlatt
+ interval = nla_get_u32(
+ tb[TCA_TAPRIO_SCHED_ENTRY_INTERVAL]);
+
+- if (interval == 0) {
++ /* The interval should allow at least the minimum ethernet
++ * frame to go out.
++ */
++ if (interval < min_duration) {
+ NL_SET_ERR_MSG(extack, "Invalid interval for schedule entry");
+ return -EINVAL;
+ }
+@@ -804,8 +809,9 @@ static int fill_sched_entry(struct nlatt
+ return 0;
+ }
+
+-static int parse_sched_entry(struct nlattr *n, struct sched_entry *entry,
+- int index, struct netlink_ext_ack *extack)
++static int parse_sched_entry(struct taprio_sched *q, struct nlattr *n,
++ struct sched_entry *entry, int index,
++ struct netlink_ext_ack *extack)
+ {
+ struct nlattr *tb[TCA_TAPRIO_SCHED_ENTRY_MAX + 1] = { };
+ int err;
+@@ -819,10 +825,10 @@ static int parse_sched_entry(struct nlat
+
+ entry->index = index;
+
+- return fill_sched_entry(tb, entry, extack);
++ return fill_sched_entry(q, tb, entry, extack);
+ }
+
+-static int parse_sched_list(struct nlattr *list,
++static int parse_sched_list(struct taprio_sched *q, struct nlattr *list,
+ struct sched_gate_list *sched,
+ struct netlink_ext_ack *extack)
+ {
+@@ -847,7 +853,7 @@ static int parse_sched_list(struct nlatt
+ return -ENOMEM;
+ }
+
+- err = parse_sched_entry(n, entry, i, extack);
++ err = parse_sched_entry(q, n, entry, i, extack);
+ if (err < 0) {
+ kfree(entry);
+ return err;
+@@ -862,7 +868,7 @@ static int parse_sched_list(struct nlatt
+ return i;
+ }
+
+-static int parse_taprio_schedule(struct nlattr **tb,
++static int parse_taprio_schedule(struct taprio_sched *q, struct nlattr **tb,
+ struct sched_gate_list *new,
+ struct netlink_ext_ack *extack)
+ {
+@@ -883,8 +889,8 @@ static int parse_taprio_schedule(struct
+ new->cycle_time = nla_get_s64(tb[TCA_TAPRIO_ATTR_SCHED_CYCLE_TIME]);
+
+ if (tb[TCA_TAPRIO_ATTR_SCHED_ENTRY_LIST])
+- err = parse_sched_list(
+- tb[TCA_TAPRIO_ATTR_SCHED_ENTRY_LIST], new, extack);
++ err = parse_sched_list(q, tb[TCA_TAPRIO_ATTR_SCHED_ENTRY_LIST],
++ new, extack);
+ if (err < 0)
+ return err;
+
+@@ -1474,7 +1480,7 @@ static int taprio_change(struct Qdisc *s
+ goto free_sched;
+ }
+
+- err = parse_taprio_schedule(tb, new_admin, extack);
++ err = parse_taprio_schedule(q, tb, new_admin, extack);
+ if (err < 0)
+ goto free_sched;
+
diff --git a/queue-5.4/tipc-fix-memory-leak-in-tipc_group_create_member.patch b/queue-5.4/tipc-fix-memory-leak-in-tipc_group_create_member.patch
new file mode 100644
index 00000000000..e442a34ec13
--- /dev/null
+++ b/queue-5.4/tipc-fix-memory-leak-in-tipc_group_create_member.patch
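Review bot: In fill_sched_entry() the new bound is declared `int min_duration = length_to_duration(q, ETH_ZLEN);` but compared with `u32 interval`, so `interval < min_duration` is evaluated after converting the int to unsigned. length_to_duration() is defined outside this patch; if it can ever return a negative value, the converted bound becomes huge and every interval is rejected, so declaring it `u32 min_duration` (with a note on the expected range) would keep both operands the same type and make the intent explicit. The commit message ties the bound to the current link speed, and the check runs only while the schedule is parsed; presumably a later speed change is not re-validated here, which is worth stating in the comment above the check. The body of fill_sched_entry() continues outside the inner hunks.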
@@ -0,0 +1,73 @@
+From foo@baz Fri Sep 25 09:56:48 AM CEST 2020
+From: Peilin Ye
+Date: Sun, 13 Sep 2020 04:06:05 -0400
+Subject: tipc: Fix memory leak in tipc_group_create_member()
+
+From: Peilin Ye
+
+[ Upstream commit bb3a420d47ab00d7e1e5083286cab15235a96680 ]
+
+tipc_group_add_to_tree() returns silently if `key` matches `nkey` of an
+existing node, causing tipc_group_create_member() to leak memory. Let
+tipc_group_add_to_tree() return an error in such a case, so that
+tipc_group_create_member() can handle it properly.
+
+Fixes: 75da2163dbb6 ("tipc: introduce communication groups")
+Reported-and-tested-by: syzbot+f95d90c454864b3b5bc9@syzkaller.appspotmail.com
+Cc: Hillf Danton
+Link: https://syzkaller.appspot.com/bug?id=048390604fe1b60df34150265479202f10e13aff
+Signed-off-by: Peilin Ye
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/tipc/group.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+--- a/net/tipc/group.c
++++ b/net/tipc/group.c
+@@ -273,8 +273,8 @@ static struct tipc_member *tipc_group_fi
+ return NULL;
+ }
+
+-static void tipc_group_add_to_tree(struct tipc_group *grp,
+- struct tipc_member *m)
++static int tipc_group_add_to_tree(struct tipc_group *grp,
++ struct tipc_member *m)
+ {
+ u64 nkey, key = (u64)m->node << 32 | m->port;
+ struct rb_node **n, *parent = NULL;
+@@ -291,10 +291,11 @@ static void tipc_group_add_to_tree(struc
+ else if (key > nkey)
+ n = &(*n)->rb_right;
+ else
+- return;
++ return -EEXIST;
+ }
+ rb_link_node(&m->tree_node, parent, n);
+ rb_insert_color(&m->tree_node, &grp->members);
++ return 0;
+ }
+
+ static struct tipc_member *tipc_group_create_member(struct tipc_group *grp,
+@@ -302,6 +303,7 @@ static struct tipc_member *tipc_group_cr
+ u32 instance, int state)
+ {
+ struct tipc_member *m;
++ int ret;
+
+ m = kzalloc(sizeof(*m), GFP_ATOMIC);
+ if (!m)
+@@ -314,8 +316,12 @@ static struct tipc_member *tipc_group_cr
+ m->port = port;
+ m->instance = instance;
+ m->bc_acked = grp->bc_snd_nxt - 1;
++ ret = tipc_group_add_to_tree(grp, m);
++ if (ret < 0) {
++ kfree(m);
++ return NULL;
++ }
+ grp->member_cnt++;
+- tipc_group_add_to_tree(grp, m);
+ tipc_nlist_add(&grp->dests, m->node);
+ m->state = state;
+ return m;
diff --git a/queue-5.4/tipc-fix-shutdown-of-connection-oriented-socket.patch b/queue-5.4/tipc-fix-shutdown-of-connection-oriented-socket.patch
new file mode 100644
index 00000000000..140cb7af783
--- /dev/null
+++ b/queue-5.4/tipc-fix-shutdown-of-connection-oriented-socket.patch
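Review bot: tipc_group_create_member() now returns NULL for a duplicate node/port key as well as for a failed kzalloc(), so its callers (outside this patch) cannot tell -EEXIST from out-of-memory. If that is intended, the new contract should be written down where the error originates. A comment above tipc_group_add_to_tree() would do it: `/* Returns 0, or -EEXIST if the node/port key is already in the tree; @m is then not linked and still owned by the caller. */`. The local `ret` is tested only once, so `if (tipc_group_add_to_tree(grp, m)) {` would serve without the extra variable.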
@@ -0,0 +1,55 @@
+From foo@baz Fri Sep 25 09:56:48 AM CEST 2020
+From: Tetsuo Handa
+Date: Sat, 5 Sep 2020 15:14:47 +0900
+Subject: tipc: fix shutdown() of connection oriented socket
+
+From: Tetsuo Handa
+
+[ Upstream commit a4b5cc9e10803ecba64a7d54c0f47e4564b4a980 ]
+
+I confirmed that the problem fixed by commit 2a63866c8b51a3f7 ("tipc: fix
+shutdown() of connectionless socket") also applies to stream socket.
+
+----------
+#include
+#include
+#include
+
+int main(int argc, char *argv[])
+{
+ int fds[2] = { -1, -1 };
+ socketpair(PF_TIPC, SOCK_STREAM /* or SOCK_DGRAM */, 0, fds);
+ if (fork() == 0)
+ _exit(read(fds[0], NULL, 1));
+ shutdown(fds[0], SHUT_RDWR); /* This must make read() return. */
+ wait(NULL); /* To be woken up by _exit(). */
+ return 0;
+}
+----------
+
+Since shutdown(SHUT_RDWR) should affect all processes sharing that socket,
+unconditionally setting sk->sk_shutdown to SHUTDOWN_MASK will be the right
+behavior.
+
+Signed-off-by: Tetsuo Handa
+Acked-by: Ying Xue
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/tipc/socket.c | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+--- a/net/tipc/socket.c
++++ b/net/tipc/socket.c
+@@ -2616,10 +2616,7 @@ static int tipc_shutdown(struct socket *
+
+ trace_tipc_sk_shutdown(sk, NULL, TIPC_DUMP_ALL, " ");
+ __tipc_shutdown(sock, TIPC_CONN_SHUTDOWN);
+- if (tipc_sk_type_connectionless(sk))
+- sk->sk_shutdown = SHUTDOWN_MASK;
+- else
+- sk->sk_shutdown = SEND_SHUTDOWN;
++ sk->sk_shutdown = SHUTDOWN_MASK;
+
+ if (sk->sk_state == TIPC_DISCONNECTING) {
+ /* Discard any unreceived messages */
diff --git a/queue-5.4/tipc-use-skb_unshare-instead-in-tipc_buf_append.patch b/queue-5.4/tipc-use-skb_unshare-instead-in-tipc_buf_append.patch
new file mode 100644
index 00000000000..b45a7963d34
--- /dev/null
+++ b/queue-5.4/tipc-use-skb_unshare-instead-in-tipc_buf_append.patch
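Review bot: The store `sk->sk_shutdown = SHUTDOWN_MASK;` in tipc_shutdown() now applies to every socket type, but nothing in the code explains why the receive side is shut for connection-oriented sockets as well. That reasoning lives only in the commit message. A comment ahead of the assignment would keep a later reader from restoring the removed per-type branch, for example `/* SHUT_RDWR must also wake readers in other processes sharing this socket, for all socket types */`. tipc_shutdown() starts and ends outside the inner hunk.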
@@ -0,0 +1,67 @@
+From foo@baz Fri Sep 25 09:56:48 AM CEST 2020
+From: Xin Long
+Date: Sun, 13 Sep 2020 19:37:31 +0800
+Subject: tipc: use skb_unshare() instead in tipc_buf_append()
+
+From: Xin Long
+
+[ Upstream commit ff48b6222e65ebdba5a403ef1deba6214e749193 ]
+
+In tipc_buf_append() it may change skb's frag_list, and it causes
+problems when this skb is cloned. skb_unclone() doesn't really
+make this skb's flag_list available to change.
+
+Shuang Li has reported an use-after-free issue because of this
+when creating quite a few macvlan dev over the same dev, where
+the broadcast packets will be cloned and go up to the stack:
+
+ [ ] BUG: KASAN: use-after-free in pskb_expand_head+0x86d/0xea0
+ [ ] Call Trace:
+ [ ] dump_stack+0x7c/0xb0
+ [ ] print_address_description.constprop.7+0x1a/0x220
+ [ ] kasan_report.cold.10+0x37/0x7c
+ [ ] check_memory_region+0x183/0x1e0
+ [ ] pskb_expand_head+0x86d/0xea0
+ [ ] process_backlog+0x1df/0x660
+ [ ] net_rx_action+0x3b4/0xc90
+ [ ]
+ [ ] Allocated by task 1786:
+ [ ] kmem_cache_alloc+0xbf/0x220
+ [ ] skb_clone+0x10a/0x300
+ [ ] macvlan_broadcast+0x2f6/0x590 [macvlan]
+ [ ] macvlan_process_broadcast+0x37c/0x516 [macvlan]
+ [ ] process_one_work+0x66a/0x1060
+ [ ] worker_thread+0x87/0xb10
+ [ ]
+ [ ] Freed by task 3253:
+ [ ] kmem_cache_free+0x82/0x2a0
+ [ ] skb_release_data+0x2c3/0x6e0
+ [ ] kfree_skb+0x78/0x1d0
+ [ ] tipc_recvmsg+0x3be/0xa40 [tipc]
+
+So fix it by using skb_unshare() instead, which would create a new
+skb for the cloned frag and it'll be safe to change its frag_list.
+The similar things were also done in sctp_make_reassembled_event(),
+which is using skb_copy().
+
+Reported-by: Shuang Li
+Fixes: 37e22164a8a3 ("tipc: rename and move message reassembly function")
+Signed-off-by: Xin Long
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/tipc/msg.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/tipc/msg.c
++++ b/net/tipc/msg.c
+@@ -140,7 +140,8 @@ int tipc_buf_append(struct sk_buff **hea
+ if (fragid == FIRST_FRAGMENT) {
+ if (unlikely(head))
+ goto err;
+- if (unlikely(skb_unclone(frag, GFP_ATOMIC)))
++ frag = skb_unshare(frag, GFP_ATOMIC);
++ if (unlikely(!frag))
+ goto err;
+ head = *headbuf = frag;
+ *buf = NULL;
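Review bot: When the new `frag = skb_unshare(frag, GFP_ATOMIC);` fails, the original buffer is already gone, because skb_unshare() releases the skb it was given even when the copy of a cloned skb cannot be allocated. `*buf` still points at that buffer on this path, since `*buf = NULL;` is only reached after the `goto err`. The err label is outside this hunk; if it releases `*buf` (not visible here), the failure path frees the same skb twice. Moving `*buf = NULL;` to just before the skb_unshare() call, where ownership has passed to `frag`, closes that window without changing the success path.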