From: Greg Kroah-Hartman Date: Wed, 26 Aug 2020 10:00:57 +0000 (+0200) Subject: 5.7-stable patches X-Git-Tag: v5.7.19~9 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=9faca70e0cc24643135a3134f2362acbe983b84a;p=thirdparty%2Fkernel%2Fstable-queue.git 5.7-stable patches added patches: ethtool-account-for-hw_features-in-netlink-interface.patch ethtool-don-t-omit-the-netlink-reply-if-no-features-were-changed.patch ethtool-fix-preserving-of-wanted-feature-bits-in-netlink-interface.patch gre6-fix-reception-with-ip6_tnl_f_rcv_dscp_copy.patch net-ena-make-missed_tx-stat-incremental.patch net-fix-potential-wrong-skb-protocol-in-skb_vlan_untag.patch net-nexthop-don-t-allow-empty-nha_group.patch net-qrtr-fix-usage-of-idr-in-port-assignment-to-socket.patch net-sched-act_ct-fix-skb-double-free-in-tcf_ct_handle_fragments-error-flow.patch net-sctp-fix-negotiation-of-the-number-of-data-streams.patch net-smc-prevent-kernel-infoleak-in-__smc_diag_dump.patch net-xdp-pull-ethernet-header-off-packet-after-computing-skb-protocol.patch tipc-call-rcu_read_lock-in-tipc_aead_encrypt_done.patch tipc-fix-uninit-skb-data-in-tipc_nl_compat_dumpit.patch
---
diff --git a/queue-5.7/ethtool-account-for-hw_features-in-netlink-interface.patch b/queue-5.7/ethtool-account-for-hw_features-in-netlink-interface.patch
new file mode 100644
index 00000000000..6ff3b6513a4
--- /dev/null
+++ b/queue-5.7/ethtool-account-for-hw_features-in-netlink-interface.patch
@@ -0,0 +1,44 @@
+From foo@baz Wed Aug 26 11:53:06 AM CEST 2020
+From: Maxim Mikityanskiy
+Date: Mon, 17 Aug 2020 16:34:06 +0300
+Subject: ethtool: Account for hw_features in netlink interface
+
+From: Maxim Mikityanskiy
+
+[ Upstream commit 2847bfed888fbb8bf4c8e8067fd6127538c2c700 ]
+
+ethtool-netlink ignores dev->hw_features and may confuse the drivers by
+asking them to enable features not in the hw_features bitmask. For
+example:
+
+1. ethtool -k eth0
+ tls-hw-tx-offload: off [fixed]
+2. ethtool -K eth0 tls-hw-tx-offload on
+ tls-hw-tx-offload: on
+3. ethtool -k eth0
+ tls-hw-tx-offload: on [fixed]
+
+Fitler out dev->hw_features from req_wanted to fix it and to resemble
+the legacy ethtool behavior.
+
+Fixes: 0980bfcd6954 ("ethtool: set netdev features with FEATURES_SET request")
+Signed-off-by: Maxim Mikityanskiy
+Reviewed-by: Michal Kubecek
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ethtool/features.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/ethtool/features.c
++++ b/net/ethtool/features.c
+@@ -273,7 +273,8 @@ int ethnl_set_features(struct sk_buff *s
+ goto out_rtnl;
+ }
+
+- dev->wanted_features = ethnl_bitmap_to_features(req_wanted);
++ dev->wanted_features &= ~dev->hw_features;
++ dev->wanted_features |= ethnl_bitmap_to_features(req_wanted) & dev->hw_features;
+ __netdev_update_features(dev);
+ ethnl_features_to_bitmap(new_active, dev->features);
+ mod = !bitmap_equal(old_active, new_active, NETDEV_FEATURE_COUNT);
diff --git a/queue-5.7/ethtool-don-t-omit-the-netlink-reply-if-no-features-were-changed.patch b/queue-5.7/ethtool-don-t-omit-the-netlink-reply-if-no-features-were-changed.patch
new file mode 100644
index 00000000000..67bede0783b
--- /dev/null
+++ b/queue-5.7/ethtool-don-t-omit-the-netlink-reply-if-no-features-were-changed.patch
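Review bot: The two added assignments to `dev->wanted_features` in ethnl_set_features() carry no comment saying why only `hw_features` bits are taken from the request, and the second statement runs well past 80 columns. I would put `/* only bits in hw_features are user-changeable; keep the other wanted bits as they are */` above them and wrap the second statement after the `&`. The function starts and ends outside the hunk, so how the dropped bits are reported back to userspace cannot be judged from here.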
@@ -0,0 +1,57 @@
+From foo@baz Wed Aug 26 11:53:06 AM CEST 2020
+From: Maxim Mikityanskiy
+Date: Mon, 17 Aug 2020 16:34:07 +0300
+Subject: ethtool: Don't omit the netlink reply if no features were changed
+
+From: Maxim Mikityanskiy
+
+[ Upstream commit f01204ec8be7ea5e8f0230a7d4200e338d563bde ]
+
+The legacy ethtool userspace tool shows an error when no features could
+be changed. It's useful to have a netlink reply to be able to show this
+error when __netdev_update_features wasn't called, for example:
+
+1. ethtool -k eth0
+ large-receive-offload: off
+2. ethtool -K eth0 rx-fcs on
+3. ethtool -K eth0 lro on
+ Could not change any device features
+ rx-lro: off [requested on]
+4. ethtool -K eth0 lro on
+ # The output should be the same, but without this patch the kernel
+ # doesn't send the reply, and ethtool is unable to detect the error.
+
+This commit makes ethtool-netlink always return a reply when requested,
+and it still avoids unnecessary calls to __netdev_update_features if the
+wanted features haven't changed.
+
+Fixes: 0980bfcd6954 ("ethtool: set netdev features with FEATURES_SET request")
+Signed-off-by: Maxim Mikityanskiy
+Reviewed-by: Michal Kubecek
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ethtool/features.c | 11 ++++-------
+ 1 file changed, 4 insertions(+), 7 deletions(-)
+
+--- a/net/ethtool/features.c
++++ b/net/ethtool/features.c
+@@ -268,14 +268,11 @@ int ethnl_set_features(struct sk_buff *s
+ bitmap_and(req_wanted, req_wanted, req_mask, NETDEV_FEATURE_COUNT);
+ bitmap_andnot(new_wanted, old_wanted, req_mask, NETDEV_FEATURE_COUNT);
+ bitmap_or(req_wanted, new_wanted, req_wanted, NETDEV_FEATURE_COUNT);
+- if (bitmap_equal(req_wanted, old_wanted, NETDEV_FEATURE_COUNT)) {
+- ret = 0;
+- goto out_rtnl;
++ if (!bitmap_equal(req_wanted, old_wanted, NETDEV_FEATURE_COUNT)) {
++ dev->wanted_features &= ~dev->hw_features;
++ dev->wanted_features |= ethnl_bitmap_to_features(req_wanted) & dev->hw_features;
++ __netdev_update_features(dev);
+ }
+-
+- dev->wanted_features &= ~dev->hw_features;
+- dev->wanted_features |= ethnl_bitmap_to_features(req_wanted) & dev->hw_features;
+- __netdev_update_features(dev);
+ ethnl_features_to_bitmap(new_active, dev->features);
+ mod = !bitmap_equal(old_active, new_active, NETDEV_FEATURE_COUNT);
+
diff --git a/queue-5.7/ethtool-fix-preserving-of-wanted-feature-bits-in-netlink-interface.patch b/queue-5.7/ethtool-fix-preserving-of-wanted-feature-bits-in-netlink-interface.patch
new file mode 100644
index 00000000000..c1451bdc48d
--- /dev/null
+++ b/queue-5.7/ethtool-fix-preserving-of-wanted-feature-bits-in-netlink-interface.patch
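Review bot: The `!bitmap_equal(req_wanted, old_wanted, ...)` test runs on the request before it is masked with `dev->hw_features`, so a request that only touches bits outside `hw_features` still enters the block and calls `__netdev_update_features()` although `dev->wanted_features` ends up with the same value. Computing the masked result first keeps the shortcut exact: `netdev_features_t wanted = (dev->wanted_features & ~dev->hw_features) | (ethnl_bitmap_to_features(req_wanted) & dev->hw_features);` followed by `if (wanted != dev->wanted_features) { dev->wanted_features = wanted; __netdev_update_features(dev); }`. The function starts and ends outside the hunk.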
@@ -0,0 +1,78 @@
+From foo@baz Wed Aug 26 11:53:06 AM CEST 2020
+From: Maxim Mikityanskiy
+Date: Mon, 17 Aug 2020 16:34:05 +0300
+Subject: ethtool: Fix preserving of wanted feature bits in netlink interface
+
+From: Maxim Mikityanskiy
+
+[ Upstream commit 840110a4eae190dcbb9907d68216d5d1d9f25839 ]
+
+Currently, ethtool-netlink calculates new wanted bits as:
+(req_wanted & req_mask) | (old_active & ~req_mask)
+
+It completely discards the old wanted bits, so they are forgotten with
+the next ethtool command. Sample steps to reproduce:
+
+1. ethtool -k eth0
+ tx-tcp-segmentation: on # TSO is on from the beginning
+2. ethtool -K eth0 tx off
+ tx-tcp-segmentation: off [not requested]
+3. ethtool -k eth0
+ tx-tcp-segmentation: off [requested on]
+4. ethtool -K eth0 rx off # Some change unrelated to TSO
+5. ethtool -k eth0
+ tx-tcp-segmentation: off # "Wanted on" is forgotten
+
+This commit fixes it by changing the formula to:
+(req_wanted & req_mask) | (old_wanted & ~req_mask),
+where old_active was replaced by old_wanted to account for the wanted
+bits.
+
+The shortcut condition for the case where nothing was changed now
+compares wanted bitmasks, instead of wanted to active.
+
+Fixes: 0980bfcd6954 ("ethtool: set netdev features with FEATURES_SET request")
+Signed-off-by: Maxim Mikityanskiy
+Reviewed-by: Michal Kubecek
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ethtool/features.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+--- a/net/ethtool/features.c
++++ b/net/ethtool/features.c
+@@ -224,7 +224,9 @@ int ethnl_set_features(struct sk_buff *s
+ DECLARE_BITMAP(wanted_diff_mask, NETDEV_FEATURE_COUNT);
+ DECLARE_BITMAP(active_diff_mask, NETDEV_FEATURE_COUNT);
+ DECLARE_BITMAP(old_active, NETDEV_FEATURE_COUNT);
++ DECLARE_BITMAP(old_wanted, NETDEV_FEATURE_COUNT);
+ DECLARE_BITMAP(new_active, NETDEV_FEATURE_COUNT);
++ DECLARE_BITMAP(new_wanted, NETDEV_FEATURE_COUNT);
+ DECLARE_BITMAP(req_wanted, NETDEV_FEATURE_COUNT);
+ DECLARE_BITMAP(req_mask, NETDEV_FEATURE_COUNT);
+ struct nlattr *tb[ETHTOOL_A_FEATURES_MAX + 1];
+@@ -250,6 +252,7 @@ int ethnl_set_features(struct sk_buff *s
+
+ rtnl_lock();
+ ethnl_features_to_bitmap(old_active, dev->features);
++ ethnl_features_to_bitmap(old_wanted, dev->wanted_features);
+ ret = ethnl_parse_bitset(req_wanted, req_mask, NETDEV_FEATURE_COUNT,
+ tb[ETHTOOL_A_FEATURES_WANTED],
+ netdev_features_strings, info->extack);
+@@ -261,11 +264,11 @@ int ethnl_set_features(struct sk_buff *s
+ goto out_rtnl;
+ }
+
+- /* set req_wanted bits not in req_mask from old_active */
++ /* set req_wanted bits not in req_mask from old_wanted */
+ bitmap_and(req_wanted, req_wanted, req_mask, NETDEV_FEATURE_COUNT);
+- bitmap_andnot(new_active, old_active, req_mask, NETDEV_FEATURE_COUNT);
+- bitmap_or(req_wanted, new_active, req_wanted, NETDEV_FEATURE_COUNT);
+- if (bitmap_equal(req_wanted, old_active, NETDEV_FEATURE_COUNT)) {
++ bitmap_andnot(new_wanted, old_wanted, req_mask, NETDEV_FEATURE_COUNT);
++ bitmap_or(req_wanted, new_wanted, req_wanted, NETDEV_FEATURE_COUNT);
++ if (bitmap_equal(req_wanted, old_wanted, NETDEV_FEATURE_COUNT)) {
+ ret = 0;
+ goto out_rtnl;
+ }
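Review bot: `new_wanted` is used only as scratch space for `old_wanted & ~req_mask`, while the value that actually becomes the new wanted set is left in `req_wanted`, so the names in the third inner hunk work against the formula given in the description. Replacing the one-line comment with `/* req_wanted = (req_wanted & req_mask) | (old_wanted & ~req_mask) */` would state the result directly and make the three bitmap calls checkable at a glance. The declarations and the body of ethnl_set_features() continue outside the quoted hunks.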
diff --git a/queue-5.7/gre6-fix-reception-with-ip6_tnl_f_rcv_dscp_copy.patch b/queue-5.7/gre6-fix-reception-with-ip6_tnl_f_rcv_dscp_copy.patch
new file mode 100644
index 00000000000..20a86f76f36
--- /dev/null
+++ b/queue-5.7/gre6-fix-reception-with-ip6_tnl_f_rcv_dscp_copy.patch
@@ -0,0 +1,42 @@
+From foo@baz Wed Aug 26 11:53:06 AM CEST 2020
+From: Mark Tomlinson
+Date: Wed, 19 Aug 2020 13:53:58 +1200
+Subject: gre6: Fix reception with IP6_TNL_F_RCV_DSCP_COPY
+
+From: Mark Tomlinson
+
+[ Upstream commit 272502fcb7cda01ab07fc2fcff82d1d2f73d43cc ]
+
+When receiving an IPv4 packet inside an IPv6 GRE packet, and the
+IP6_TNL_F_RCV_DSCP_COPY flag is set on the tunnel, the IPv4 header would
+get corrupted. This is due to the common ip6_tnl_rcv() function assuming
+that the inner header is always IPv6. This patch checks the tunnel
+protocol for IPv4 inner packets, but still defaults to IPv6.
+
+Fixes: 308edfdf1563 ("gre6: Cleanup GREv6 receive path, call common GRE functions")
+Signed-off-by: Mark Tomlinson
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv6/ip6_tunnel.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/net/ipv6/ip6_tunnel.c
++++ b/net/ipv6/ip6_tunnel.c
+@@ -886,7 +886,15 @@ int ip6_tnl_rcv(struct ip6_tnl *t, struc
+ struct metadata_dst *tun_dst,
+ bool log_ecn_err)
+ {
+- return __ip6_tnl_rcv(t, skb, tpi, tun_dst, ip6ip6_dscp_ecn_decapsulate,
++ int (*dscp_ecn_decapsulate)(const struct ip6_tnl *t,
++ const struct ipv6hdr *ipv6h,
++ struct sk_buff *skb);
++
++ dscp_ecn_decapsulate = ip6ip6_dscp_ecn_decapsulate;
++ if (tpi->proto == htons(ETH_P_IP))
++ dscp_ecn_decapsulate = ip4ip6_dscp_ecn_decapsulate;
++
++ return __ip6_tnl_rcv(t, skb, tpi, tun_dst, dscp_ecn_decapsulate,
+ log_ecn_err);
+ }
+ EXPORT_SYMBOL(ip6_tnl_rcv);
diff --git a/queue-5.7/net-ena-make-missed_tx-stat-incremental.patch b/queue-5.7/net-ena-make-missed_tx-stat-incremental.patch
new file mode 100644
index 00000000000..b164744c08f
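Review bot: The handler in ip6_tnl_rcv() is chosen from `tpi->proto` alone, and every value other than `htons(ETH_P_IP)` falls back to `ip6ip6_dscp_ecn_decapsulate`, so an inner payload that is neither IPv4 nor IPv6 is still run through the IPv6 DSCP/ECN handler. Whether such protocol values can reach this function is not visible in the hunk, so it is worth confirming against the callers. A comment on the default, `/* anything that is not IPv4 keeps the previous IPv6 handling */`, would at least make the fallback deliberate.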
--- /dev/null
+++ b/queue-5.7/net-ena-make-missed_tx-stat-incremental.patch
@@ -0,0 +1,47 @@
+From foo@baz Wed Aug 26 11:53:06 AM CEST 2020
+From: Shay Agroskin
+Date: Wed, 19 Aug 2020 20:28:38 +0300
+Subject: net: ena: Make missed_tx stat incremental
+
+From: Shay Agroskin
+
+[ Upstream commit ccd143e5150f24b9ba15145c7221b61dd9e41021 ]
+
+Most statistics in ena driver are incremented, meaning that a stat's
+value is a sum of all increases done to it since driver/queue
+initialization.
+
+This patch makes all statistics this way, effectively making missed_tx
+statistic incremental.
+Also added a comment regarding rx_drops and tx_drops to make it
+clearer how these counters are calculated.
+
+Fixes: 11095fdb712b ("net: ena: add statistics for missed tx packets")
+Signed-off-by: Shay Agroskin
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/amazon/ena/ena_netdev.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/amazon/ena/ena_netdev.c
++++ b/drivers/net/ethernet/amazon/ena/ena_netdev.c
+@@ -3594,7 +3594,7 @@ static int check_missing_comp_in_tx_queu
+ }
+
+ u64_stats_update_begin(&tx_ring->syncp);
+- tx_ring->tx_stats.missed_tx = missed_tx;
++ tx_ring->tx_stats.missed_tx += missed_tx;
+ u64_stats_update_end(&tx_ring->syncp);
+
+ return rc;
+@@ -4519,6 +4519,9 @@ static void ena_keep_alive_wd(void *adap
+ rx_drops = ((u64)desc->rx_drops_high << 32) | desc->rx_drops_low;
+
+ u64_stats_update_begin(&adapter->syncp);
++ /* These stats are accumulated by the device, so the counters indicate
++ * all drops since last reset.
++ */
+ adapter->dev_stats.rx_drops = rx_drops;
+ u64_stats_update_end(&adapter->syncp);
+ }
diff --git a/queue-5.7/net-fix-potential-wrong-skb-protocol-in-skb_vlan_untag.patch b/queue-5.7/net-fix-potential-wrong-skb-protocol-in-skb_vlan_untag.patch
new file mode 100644
index 00000000000..8ccfbfc8ff6
--- /dev/null
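Review bot: With `+=` the local `missed_tx` is added on every run of check_missing_comp_in_tx_queue(), so if the loop above the hunk counts packets that were already overdue on an earlier pass, the same packet is added again each time and the stat grows faster than the number of missed completions. Please confirm that the local counter covers only newly detected packets, or document the stat as a sum of per-check observations. The comment added in ena_keep_alive_wd() says "These stats", but the visible code under it assigns only `rx_drops`.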
+++ b/queue-5.7/net-fix-potential-wrong-skb-protocol-in-skb_vlan_untag.patch
@@ -0,0 +1,34 @@
+From foo@baz Wed Aug 26 11:53:06 AM CEST 2020
+From: Miaohe Lin
+Date: Sat, 15 Aug 2020 04:44:31 -0400
+Subject: net: Fix potential wrong skb->protocol in skb_vlan_untag()
+
+From: Miaohe Lin
+
+[ Upstream commit 55eff0eb7460c3d50716ed9eccf22257b046ca92 ]
+
+We may access the two bytes after vlan_hdr in vlan_set_encap_proto(). So
+we should pull VLAN_HLEN + sizeof(unsigned short) in skb_vlan_untag() or
+we may access the wrong data.
+
+Fixes: 0d5501c1c828 ("net: Always untag vlan-tagged traffic on input.")
+Signed-off-by: Miaohe Lin
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/core/skbuff.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/core/skbuff.c
++++ b/net/core/skbuff.c
+@@ -5421,8 +5421,8 @@ struct sk_buff *skb_vlan_untag(struct sk
+ skb = skb_share_check(skb, GFP_ATOMIC);
+ if (unlikely(!skb))
+ goto err_free;
+-
+- if (unlikely(!pskb_may_pull(skb, VLAN_HLEN)))
++ /* We may access the two bytes after vlan_hdr in vlan_set_encap_proto(). */
++ if (unlikely(!pskb_may_pull(skb, VLAN_HLEN + sizeof(unsigned short))))
+ goto err_free;
+
+ vhdr = (struct vlan_hdr *)skb->data;
diff --git a/queue-5.7/net-nexthop-don-t-allow-empty-nha_group.patch b/queue-5.7/net-nexthop-don-t-allow-empty-nha_group.patch
new file mode 100644
index 00000000000..e9feacd0ea9
--- /dev/null
+++ b/queue-5.7/net-nexthop-don-t-allow-empty-nha_group.patch
@@ -0,0 +1,97 @@
+From foo@baz Wed Aug 26 11:53:06 AM CEST 2020
+From: Nikolay Aleksandrov
+Date: Sat, 22 Aug 2020 15:06:36 +0300
+Subject: net: nexthop: don't allow empty NHA_GROUP
+
+From: Nikolay Aleksandrov
+
+[ Upstream commit eeaac3634ee0e3f35548be35275efeca888e9b23 ]
+
+Currently the nexthop code will use an empty NHA_GROUP attribute, but it
+requires at least 1 entry in order to function properly. Otherwise we
+end up derefencing null or random pointers all over the place due to not
+having any nh_grp_entry members allocated, nexthop code relies on having at
+least the first member present. Empty NHA_GROUP doesn't make any sense so
+just disallow it.
+Also add a WARN_ON for any future users of nexthop_create_group().
+
+ BUG: kernel NULL pointer dereference, address: 0000000000000080
+ #PF: supervisor read access in kernel mode
+ #PF: error_code(0x0000) - not-present page
+ PGD 0 P4D 0
+ Oops: 0000 [#1] SMP
+ CPU: 0 PID: 558 Comm: ip Not tainted 5.9.0-rc1+ #93
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-2.fc32 04/01/2014
+ RIP: 0010:fib_check_nexthop+0x4a/0xaa
+ Code: 0f 84 83 00 00 00 48 c7 02 80 03 f7 81 c3 40 80 fe fe 75 12 b8 ea ff ff ff 48 85 d2 74 6b 48 c7 02 40 03 f7 81 c3 48 8b 40 10 <48> 8b 80 80 00 00 00 eb 36 80 78 1a 00 74 12 b8 ea ff ff ff 48 85
+ RSP: 0018:ffff88807983ba00 EFLAGS: 00010213
+ RAX: 0000000000000000 RBX: ffff88807983bc00 RCX: 0000000000000000
+ RDX: ffff88807983bc00 RSI: 0000000000000000 RDI: ffff88807bdd0a80
+ RBP: ffff88807983baf8 R08: 0000000000000dc0 R09: 000000000000040a
+ R10: 0000000000000000 R11: ffff88807bdd0ae8 R12: 0000000000000000
+ R13: 0000000000000000 R14: ffff88807bea3100 R15: 0000000000000001
+ FS: 00007f10db393700(0000) GS:ffff88807dc00000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 0000000000000080 CR3: 000000007bd0f004 CR4: 00000000003706f0
+ Call Trace:
+ fib_create_info+0x64d/0xaf7
+ fib_table_insert+0xf6/0x581
+ ? __vma_adjust+0x3b6/0x4d4
+ inet_rtm_newroute+0x56/0x70
+ rtnetlink_rcv_msg+0x1e3/0x20d
+ ? rtnl_calcit.isra.0+0xb8/0xb8
+ netlink_rcv_skb+0x5b/0xac
+ netlink_unicast+0xfa/0x17b
+ netlink_sendmsg+0x334/0x353
+ sock_sendmsg_nosec+0xf/0x3f
+ ____sys_sendmsg+0x1a0/0x1fc
+ ? copy_msghdr_from_user+0x4c/0x61
+ ___sys_sendmsg+0x63/0x84
+ ? handle_mm_fault+0xa39/0x11b5
+ ? sockfd_lookup_light+0x72/0x9a
+ __sys_sendmsg+0x50/0x6e
+ do_syscall_64+0x54/0xbe
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+ RIP: 0033:0x7f10dacc0bb7
+ Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb cd 66 0f 1f 44 00 00 8b 05 9a 4b 2b 00 85 c0 75 2e 48 63 ff 48 63 d2 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 01 c3 48 8b 15 b1 f2 2a 00 f7 d8 64 89 02 48
+ RSP: 002b:00007ffcbe628bf8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
+ RAX: ffffffffffffffda RBX: 00007ffcbe628f80 RCX: 00007f10dacc0bb7
+ RDX: 0000000000000000 RSI: 00007ffcbe628c60 RDI: 0000000000000003
+ RBP: 000000005f41099c R08: 0000000000000001 R09: 0000000000000008
+ R10: 00000000000005e9 R11: 0000000000000246 R12: 0000000000000000
+ R13: 0000000000000000 R14: 00007ffcbe628d70 R15: 0000563a86c6e440
+ Modules linked in:
+ CR2: 0000000000000080
+
+CC: David Ahern
+Fixes: 430a049190de ("nexthop: Add support for nexthop groups")
+Reported-by: syzbot+a61aa19b0c14c8770bd9@syzkaller.appspotmail.com
+Signed-off-by: Nikolay Aleksandrov
+Reviewed-by: David Ahern
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv4/nexthop.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/net/ipv4/nexthop.c
++++ b/net/ipv4/nexthop.c
+@@ -402,7 +402,7 @@ static int nh_check_attr_group(struct ne
+ struct nexthop_grp *nhg;
+ unsigned int i, j;
+
+- if (len & (sizeof(struct nexthop_grp) - 1)) {
++ if (!len || len & (sizeof(struct nexthop_grp) - 1)) {
+ NL_SET_ERR_MSG(extack,
+ "Invalid length for nexthop group attribute");
+ return -EINVAL;
+@@ -1104,6 +1104,9 @@ static struct nexthop *nexthop_create_gr
+ struct nexthop *nh;
+ int i;
+
++ if (WARN_ON(!num_nh))
++ return ERR_PTR(-EINVAL);
++
+ nh = nexthop_alloc();
+ if (!nh)
+ return ERR_PTR(-ENOMEM);
diff --git a/queue-5.7/net-qrtr-fix-usage-of-idr-in-port-assignment-to-socket.patch b/queue-5.7/net-qrtr-fix-usage-of-idr-in-port-assignment-to-socket.patch
new file mode 100644
index 00000000000..f81b12fb030
--- /dev/null
+++ b/queue-5.7/net-qrtr-fix-usage-of-idr-in-port-assignment-to-socket.patch
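Review bot: In nh_check_attr_group() the new condition `!len || len & (sizeof(struct nexthop_grp) - 1)` mixes `||` and `&` without parentheses, and the mask is a multiple-of-size test only while the struct size stays a power of two. I would write `if (!len || (len % sizeof(struct nexthop_grp)))`, or keep the mask and pin the assumption with `BUILD_BUG_ON(!is_power_of_2(sizeof(struct nexthop_grp)));`. The `WARN_ON(!num_nh)` in nexthop_create_group() has to stay unreachable from netlink input once the length check is in place, which matters on hosts running with panic_on_warn; the callers are outside the hunk, so that should be confirmed there.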
@@ -0,0 +1,64 @@
+From foo@baz Wed Aug 26 11:53:06 AM CEST 2020
+From: Necip Fazil Yildiran
+Date: Mon, 17 Aug 2020 15:54:48 +0000
+Subject: net: qrtr: fix usage of idr in port assignment to socket
+
+From: Necip Fazil Yildiran
+
+[ Upstream commit 8dfddfb79653df7c38a9c8c4c034f242a36acee9 ]
+
+Passing large uint32 sockaddr_qrtr.port numbers for port allocation
+triggers a warning within idr_alloc() since the port number is cast
+to int, and thus interpreted as a negative number. This leads to
+the rejection of such valid port numbers in qrtr_port_assign() as
+idr_alloc() fails.
+
+To avoid the problem, switch to idr_alloc_u32() instead.
+
+Fixes: bdabad3e363d ("net: Add Qualcomm IPC router")
+Reported-by: syzbot+f31428628ef672716ea8@syzkaller.appspotmail.com
+Signed-off-by: Necip Fazil Yildiran
+Reviewed-by: Dmitry Vyukov
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/qrtr/qrtr.c | 20 +++++++++++---------
+ 1 file changed, 11 insertions(+), 9 deletions(-)
+
+--- a/net/qrtr/qrtr.c
++++ b/net/qrtr/qrtr.c
+@@ -692,23 +692,25 @@ static void qrtr_port_remove(struct qrtr
+ */
+ static int qrtr_port_assign(struct qrtr_sock *ipc, int *port)
+ {
++ u32 min_port;
+ int rc;
+
+ mutex_lock(&qrtr_port_lock);
+ if (!*port) {
+- rc = idr_alloc(&qrtr_ports, ipc,
+- QRTR_MIN_EPH_SOCKET, QRTR_MAX_EPH_SOCKET + 1,
+- GFP_ATOMIC);
+- if (rc >= 0)
+- *port = rc;
++ min_port = QRTR_MIN_EPH_SOCKET;
++ rc = idr_alloc_u32(&qrtr_ports, ipc, &min_port, QRTR_MAX_EPH_SOCKET, GFP_ATOMIC);
++ if (!rc)
++ *port = min_port;
+ } else if (*port < QRTR_MIN_EPH_SOCKET && !capable(CAP_NET_ADMIN)) {
+ rc = -EACCES;
+ } else if (*port == QRTR_PORT_CTRL) {
+- rc = idr_alloc(&qrtr_ports, ipc, 0, 1, GFP_ATOMIC);
++ min_port = 0;
++ rc = idr_alloc_u32(&qrtr_ports, ipc, &min_port, 0, GFP_ATOMIC);
+ } else {
+- rc = idr_alloc(&qrtr_ports, ipc, *port, *port + 1, GFP_ATOMIC);
+- if (rc >= 0)
+- *port = rc;
++ min_port = *port;
++ rc = idr_alloc_u32(&qrtr_ports, ipc, &min_port, *port, GFP_ATOMIC);
++ if (!rc)
++ *port = min_port;
+ }
+ mutex_unlock(&qrtr_port_lock);
+
diff --git a/queue-5.7/net-sched-act_ct-fix-skb-double-free-in-tcf_ct_handle_fragments-error-flow.patch b/queue-5.7/net-sched-act_ct-fix-skb-double-free-in-tcf_ct_handle_fragments-error-flow.patch
new file mode 100644
index 00000000000..864166d132e
--- /dev/null
+++ b/queue-5.7/net-sched-act_ct-fix-skb-double-free-in-tcf_ct_handle_fragments-error-flow.patch
@@ -0,0 +1,33 @@
+From foo@baz Wed Aug 26 11:53:06 AM CEST 2020
+From: Alaa Hleihel
+Date: Wed, 19 Aug 2020 18:24:10 +0300
+Subject: net/sched: act_ct: Fix skb double-free in tcf_ct_handle_fragments() error flow
+
+From: Alaa Hleihel
+
+[ Upstream commit eda814b97dfb8d9f4808eb2f65af9bd3705c4cae ]
+
+tcf_ct_handle_fragments() shouldn't free the skb when ip_defrag() call
+fails. Otherwise, we will cause a double-free bug.
+In such cases, just return the error to the caller.
+
+Fixes: b57dc7c13ea9 ("net/sched: Introduce action ct")
+Signed-off-by: Alaa Hleihel
+Reviewed-by: Roi Dayan
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/sched/act_ct.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/sched/act_ct.c
++++ b/net/sched/act_ct.c
+@@ -702,7 +702,7 @@ static int tcf_ct_handle_fragments(struc
+ err = ip_defrag(net, skb, user);
+ local_bh_enable();
+ if (err && err != -EINPROGRESS)
+- goto out_free;
++ return err;
+
+ if (!err) {
+ *defrag = true;
diff --git a/queue-5.7/net-sctp-fix-negotiation-of-the-number-of-data-streams.patch b/queue-5.7/net-sctp-fix-negotiation-of-the-number-of-data-streams.patch
new file mode 100644
index 00000000000..859b6d07306
--- /dev/null
+++ b/queue-5.7/net-sctp-fix-negotiation-of-the-number-of-data-streams.patch
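Review bot: qrtr_port_assign() still takes `int *port`, so a port above INT_MAX arrives here as a negative value: the `*port < QRTR_MIN_EPH_SOCKET && !capable(CAP_NET_ADMIN)` branch then treats it as a reserved port for unprivileged callers, and `*port = min_port` converts the u32 back to int on the way out. If the large values named in the description are meant to be usable, the parameter and that comparison need to be unsigned as well; how the caller passes the port is outside the hunk. The two long `idr_alloc_u32()` statements also run past 80 columns and would read better wrapped after `&min_port,`.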
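Review bot: The `return err;` in tcf_ct_handle_fragments() depends on ip_defrag() having already consumed the skb when it fails, and nothing at the call site records that ownership rule. A comment such as `/* ip_defrag() frees the skb on error; going through out_free would free it twice */` would keep a later cleanup from reintroducing the double free. The rest of the function is outside the hunk, so any other defragmentation call that still jumps to `out_free` should be checked against the same rule.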
@@ -0,0 +1,55 @@
+From foo@baz Wed Aug 26 11:53:06 AM CEST 2020
+From: David Laight
+Date: Wed, 19 Aug 2020 14:40:52 +0000
+Subject: net: sctp: Fix negotiation of the number of data streams.
+
+From: David Laight
+
+[ Upstream commit ab921f3cdbec01c68705a7ade8bec628d541fc2b ]
+
+The number of output and input streams was never being reduced, eg when
+processing received INIT or INIT_ACK chunks.
+The effect is that DATA chunks can be sent with invalid stream ids
+and then discarded by the remote system.
+
+Fixes: 2075e50caf5ea ("sctp: convert to genradix")
+Signed-off-by: David Laight
+Acked-by: Marcelo Ricardo Leitner
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/sctp/stream.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/net/sctp/stream.c
++++ b/net/sctp/stream.c
+@@ -88,12 +88,13 @@ static int sctp_stream_alloc_out(struct
+ int ret;
+
+ if (outcnt <= stream->outcnt)
+- return 0;
++ goto out;
+
+ ret = genradix_prealloc(&stream->out, outcnt, gfp);
+ if (ret)
+ return ret;
+
++out:
+ stream->outcnt = outcnt;
+ return 0;
+ }
+@@ -104,12 +105,13 @@ static int sctp_stream_alloc_in(struct s
+ int ret;
+
+ if (incnt <= stream->incnt)
+- return 0;
++ goto out;
+
+ ret = genradix_prealloc(&stream->in, incnt, gfp);
+ if (ret)
+ return ret;
+
++out:
+ stream->incnt = incnt;
+ return 0;
+ }
diff --git a/queue-5.7/net-smc-prevent-kernel-infoleak-in-__smc_diag_dump.patch b/queue-5.7/net-smc-prevent-kernel-infoleak-in-__smc_diag_dump.patch
new file mode 100644
index 00000000000..3d179ff11ff
--- /dev/null
+++ b/queue-5.7/net-smc-prevent-kernel-infoleak-in-__smc_diag_dump.patch
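Review bot: When the count is lowered in sctp_stream_alloc_out() and sctp_stream_alloc_in(), the entries above the new `outcnt`/`incnt` stay in the genradix and nothing in these hunks resets or releases per-stream state for them; whether callers depend on that state being dropped is outside the hunk and worth confirming before backporting. On style, `goto out` on the normal no-growth path reads like error handling, and guarding the allocation is shorter: `if (outcnt > stream->outcnt) {` / `ret = genradix_prealloc(&stream->out, outcnt, gfp);` / `if (ret) return ret; }`. The same shape applies to the `incnt` variant.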
@@ -0,0 +1,49 @@
+From foo@baz Wed Aug 26 11:53:06 AM CEST 2020
+From: Peilin Ye
+Date: Thu, 20 Aug 2020 16:30:52 +0200
+Subject: net/smc: Prevent kernel-infoleak in __smc_diag_dump()
+
+From: Peilin Ye
+
+[ Upstream commit ce51f63e63c52a4e1eee4dd040fb0ba0af3b43ab ]
+
+__smc_diag_dump() is potentially copying uninitialized kernel stack memory
+into socket buffers, since the compiler may leave a 4-byte hole near the
+beginning of `struct smcd_diag_dmbinfo`. Fix it by initializing `dinfo`
+with memset().
+
+Fixes: 4b1b7d3b30a6 ("net/smc: add SMC-D diag support")
+Suggested-by: Dan Carpenter
+Signed-off-by: Peilin Ye
+Signed-off-by: Ursula Braun
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/smc/smc_diag.c | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+--- a/net/smc/smc_diag.c
++++ b/net/smc/smc_diag.c
+@@ -170,13 +170,15 @@ static int __smc_diag_dump(struct sock *
+ (req->diag_ext & (1 << (SMC_DIAG_DMBINFO - 1))) &&
+ !list_empty(&smc->conn.lgr->list)) {
+ struct smc_connection *conn = &smc->conn;
+- struct smcd_diag_dmbinfo dinfo = {
+- .linkid = *((u32 *)conn->lgr->id),
+- .peer_gid = conn->lgr->peer_gid,
+- .my_gid = conn->lgr->smcd->local_gid,
+- .token = conn->rmb_desc->token,
+- .peer_token = conn->peer_token
+- };
++ struct smcd_diag_dmbinfo dinfo;
++
++ memset(&dinfo, 0, sizeof(dinfo));
++
++ dinfo.linkid = *((u32 *)conn->lgr->id);
++ dinfo.peer_gid = conn->lgr->peer_gid;
++ dinfo.my_gid = conn->lgr->smcd->local_gid;
++ dinfo.token = conn->rmb_desc->token;
++ dinfo.peer_token = conn->peer_token;
+
+ if (nla_put(skb, SMC_DIAG_DMBINFO, sizeof(dinfo), &dinfo) < 0)
+ goto errout;
diff --git a/queue-5.7/net-xdp-pull-ethernet-header-off-packet-after-computing-skb-protocol.patch b/queue-5.7/net-xdp-pull-ethernet-header-off-packet-after-computing-skb-protocol.patch
new file mode 100644
index 00000000000..59ab40d4adb
--- /dev/null
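Review bot: The switch from a designated initializer to memset() plus assignments in __smc_diag_dump() carries no comment saying it is there for the padding, so it is likely to be tidied back into an initializer later. I would add `/* memset, not an initializer: padding in dinfo must be zero before nla_put() copies the whole struct out */` above the memset. Other stack structs in this function that are passed to nla_put() with `sizeof` are outside the hunk and deserve the same check.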
+++ b/queue-5.7/net-xdp-pull-ethernet-header-off-packet-after-computing-skb-protocol.patch
@@ -0,0 +1,39 @@
+From foo@baz Wed Aug 26 11:53:06 AM CEST 2020
+From: "Jason A. Donenfeld"
+Date: Sat, 15 Aug 2020 09:29:30 +0200
+Subject: net: xdp: pull ethernet header off packet after computing skb->protocol
+
+From: "Jason A. Donenfeld"
+
+[ Upstream commit f8414a8d886b613b90d9fdf7cda6feea313b1069 ]
+
+When an XDP program changes the ethernet header protocol field,
+eth_type_trans is used to recalculate skb->protocol. In order for
+eth_type_trans to work correctly, the ethernet header must actually be
+part of the skb data segment, so the code first pushes that onto the
+head of the skb. However, it subsequently forgets to pull it back off,
+making the behavior of the passed-on packet inconsistent between the
+protocol modifying case and the static protocol case. This patch fixes
+the issue by simply pulling the ethernet header back off of the skb
+head.
+
+Fixes: 297249569932 ("net: fix generic XDP to handle if eth header was mangled")
+Cc: Jesper Dangaard Brouer
+Cc: David S. Miller
+Signed-off-by: Jason A. Donenfeld
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/core/dev.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -4586,6 +4586,7 @@ static u32 netif_receive_generic_xdp(str
+ (orig_bcast != is_multicast_ether_addr_64bits(eth->h_dest))) {
+ __skb_push(skb, ETH_HLEN);
+ skb->protocol = eth_type_trans(skb, skb->dev);
++ __skb_pull(skb, ETH_HLEN);
+ }
+
+ switch (act) {
diff --git a/queue-5.7/series b/queue-5.7/series
new file mode 100644
index 00000000000..7e8717b9c64
--- /dev/null
+++ b/queue-5.7/series
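Review bot: The added `__skb_pull(skb, ETH_HLEN)` looks like a second pull, because eth_type_trans() itself advances skb->data past the Ethernet header before it returns the protocol. If that holds on the 5.7 tree, the modified-header path would leave skb->data ETH_HLEN bytes into the payload after this hunk, so later parsing would start at the wrong offset. Please check where skb->data points right after `eth_type_trans()` here before queueing this; if it is already at the network header, the line should be dropped rather than backported. The enclosing function starts and ends outside the hunk.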
@@ -0,0 +1,14 @@
+gre6-fix-reception-with-ip6_tnl_f_rcv_dscp_copy.patch
+net-fix-potential-wrong-skb-protocol-in-skb_vlan_untag.patch
+net-nexthop-don-t-allow-empty-nha_group.patch
+net-qrtr-fix-usage-of-idr-in-port-assignment-to-socket.patch
+net-sched-act_ct-fix-skb-double-free-in-tcf_ct_handle_fragments-error-flow.patch
+net-sctp-fix-negotiation-of-the-number-of-data-streams.patch
+net-smc-prevent-kernel-infoleak-in-__smc_diag_dump.patch
+net-xdp-pull-ethernet-header-off-packet-after-computing-skb-protocol.patch
+tipc-call-rcu_read_lock-in-tipc_aead_encrypt_done.patch
+tipc-fix-uninit-skb-data-in-tipc_nl_compat_dumpit.patch
+net-ena-make-missed_tx-stat-incremental.patch
+ethtool-fix-preserving-of-wanted-feature-bits-in-netlink-interface.patch
+ethtool-account-for-hw_features-in-netlink-interface.patch
+ethtool-don-t-omit-the-netlink-reply-if-no-features-were-changed.patch
diff --git a/queue-5.7/tipc-call-rcu_read_lock-in-tipc_aead_encrypt_done.patch b/queue-5.7/tipc-call-rcu_read_lock-in-tipc_aead_encrypt_done.patch
new file mode 100644
index 00000000000..3545fcfcc2f
--- /dev/null
+++ b/queue-5.7/tipc-call-rcu_read_lock-in-tipc_aead_encrypt_done.patch
@@ -0,0 +1,54 @@
+From foo@baz Wed Aug 26 11:53:06 AM CEST 2020
+From: Xin Long
+Date: Thu, 20 Aug 2020 15:34:47 +0800
+Subject: tipc: call rcu_read_lock() in tipc_aead_encrypt_done()
+
+From: Xin Long
+
+[ Upstream commit f6db9096416209474090d64d8284e7c16c3d8873 ]
+
+b->media->send_msg() requires rcu_read_lock(), as we can see
+elsewhere in tipc, tipc_bearer_xmit, tipc_bearer_xmit_skb
+and tipc_bearer_bc_xmit().
+
+Syzbot has reported this issue as:
+
+ net/tipc/bearer.c:466 suspicious rcu_dereference_check() usage!
+ Workqueue: cryptd cryptd_queue_worker
+ Call Trace:
+ tipc_l2_send_msg+0x354/0x420 net/tipc/bearer.c:466
+ tipc_aead_encrypt_done+0x204/0x3a0 net/tipc/crypto.c:761
+ cryptd_aead_crypt+0xe8/0x1d0 crypto/cryptd.c:739
+ cryptd_queue_worker+0x118/0x1b0 crypto/cryptd.c:181
+ process_one_work+0x94c/0x1670 kernel/workqueue.c:2269
+ worker_thread+0x64c/0x1120 kernel/workqueue.c:2415
+ kthread+0x3b5/0x4a0 kernel/kthread.c:291
+ ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:293
+
+So fix it by calling rcu_read_lock() in tipc_aead_encrypt_done()
+for b->media->send_msg().
+
+Fixes: fc1b6d6de220 ("tipc: introduce TIPC encryption & authentication")
+Reported-by: syzbot+47bbc6b678d317cccbe0@syzkaller.appspotmail.com
+Signed-off-by: Xin Long
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/tipc/crypto.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/tipc/crypto.c
++++ b/net/tipc/crypto.c
+@@ -757,10 +757,12 @@ static void tipc_aead_encrypt_done(struc
+ switch (err) {
+ case 0:
+ this_cpu_inc(tx->stats->stat[STAT_ASYNC_OK]);
++ rcu_read_lock();
+ if (likely(test_bit(0, &b->up)))
+ b->media->send_msg(net, skb, b, &tx_ctx->dst);
+ else
+ kfree_skb(skb);
++ rcu_read_unlock();
+ break;
+ case -EINPROGRESS:
+ return;
diff --git a/queue-5.7/tipc-fix-uninit-skb-data-in-tipc_nl_compat_dumpit.patch b/queue-5.7/tipc-fix-uninit-skb-data-in-tipc_nl_compat_dumpit.patch
new file mode 100644
index 00000000000..77e1429f62a
--- /dev/null
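Review bot: The read-side section added to the `case 0:` arm of tipc_aead_encrypt_done() has no comment tying it to `b->media->send_msg()`, and it also wraps the `kfree_skb()` branch, which does not need it. A one-line comment, `/* send_msg() dereferences RCU-protected bearer data */`, would record the requirement that the syzbot trace in the description points at. Where `b` itself is obtained is outside the hunk, so whether that lookup needs the same protection cannot be told from here.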
+++ b/queue-5.7/tipc-fix-uninit-skb-data-in-tipc_nl_compat_dumpit.patch
@@ -0,0 +1,67 @@
+From foo@baz Wed Aug 26 11:53:06 AM CEST 2020
+From: Cong Wang
+Date: Sat, 15 Aug 2020 16:29:15 -0700
+Subject: tipc: fix uninit skb->data in tipc_nl_compat_dumpit()
+
+From: Cong Wang
+
+[ Upstream commit 47733f9daf4fe4f7e0eb9e273f21ad3a19130487 ]
+
+__tipc_nl_compat_dumpit() has two callers, and it expects them to
+pass a valid nlmsghdr via arg->data. This header is artificial and
+crafted just for __tipc_nl_compat_dumpit().
+
+tipc_nl_compat_publ_dump() does so by putting a genlmsghdr as well
+as some nested attribute, TIPC_NLA_SOCK. But the other caller
+tipc_nl_compat_dumpit() does not, this leaves arg->data uninitialized
+on this call path.
+
+Fix this by just adding a similar nlmsghdr without any payload in
+tipc_nl_compat_dumpit().
+
+This bug exists since day 1, but the recent commit 6ea67769ff33
+("net: tipc: prepare attrs in __tipc_nl_compat_dumpit()") makes it
+easier to appear.
+
+Reported-and-tested-by: syzbot+0e7181deafa7e0b79923@syzkaller.appspotmail.com
+Fixes: d0796d1ef63d ("tipc: convert legacy nl bearer dump to nl compat")
+Cc: Jon Maloy
+Cc: Ying Xue
+Cc: Richard Alpe
+Signed-off-by: Cong Wang
+Acked-by: Ying Xue
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/tipc/netlink_compat.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+--- a/net/tipc/netlink_compat.c
++++ b/net/tipc/netlink_compat.c
+@@ -275,8 +275,9 @@ err_out:
+ static int tipc_nl_compat_dumpit(struct tipc_nl_compat_cmd_dump *cmd,
+ struct tipc_nl_compat_msg *msg)
+ {
+- int err;
++ struct nlmsghdr *nlh;
+ struct sk_buff *arg;
++ int err;
+
+ if (msg->req_type && (!msg->req_size ||
+ !TLV_CHECK_TYPE(msg->req, msg->req_type)))
+@@ -305,6 +306,15 @@ static int tipc_nl_compat_dumpit(struct
+ return -ENOMEM;
+ }
+
++ nlh = nlmsg_put(arg, 0, 0, tipc_genl_family.id, 0, NLM_F_MULTI);
++ if (!nlh) {
++ kfree_skb(arg);
++ kfree_skb(msg->rep);
++ msg->rep = NULL;
++ return -EMSGSIZE;
++ }
++ nlmsg_end(arg, nlh);
++
+ err = __tipc_nl_compat_dumpit(cmd, msg, arg);
+ if (err) {
+ kfree_skb(msg->rep);
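Review bot: The new `nlmsg_put()`/`nlmsg_end()` pair in tipc_nl_compat_dumpit() has no comment explaining that the header exists only because `__tipc_nl_compat_dumpit()` reads `arg->data` as an nlmsghdr, which is the whole point of the fix. I would add `/* __tipc_nl_compat_dumpit() parses arg->data as an nlmsghdr; give it an empty one */` above it. The `!nlh` branch also hand-copies the `kfree_skb(msg->rep)` cleanup that the following `if (err)` path begins with, so a shared exit label would keep the two from drifting apart. The allocation of `arg` and the end of the error path are outside the hunk.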