From: Greg Kroah-Hartman Date: Mon, 3 Dec 2018 09:12:47 +0000 (+0100) Subject: 4.14-stable patches X-Git-Tag: v4.19.7~37 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a27b311c00b43e7300e35ae445478c3047a34ec7;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: net-skb_scrub_packet-scrub-offload_fwd_mark.patch net-thunderx-set-tso_hdrs-pointer-to-null-in-nicvf_free_snd_queue.patch net-thunderx-set-xdp_prog-to-null-if-bpf_prog_add-fails.patch packet-copy-user-buffers-before-orphan-or-clone.patch rapidio-rionet-do-not-free-skb-before-reading-its-length.patch s390-qeth-fix-length-check-in-snmp-processing.patch usbnet-ipheth-fix-potential-recvmsg-bug-and-recvmsg-bug-2.patch virtio-net-disable-guest-csum-during-xdp-set.patch virtio-net-fail-xdp-set-if-guest-csum-is-negotiated.patch --- diff --git a/queue-4.14/net-skb_scrub_packet-scrub-offload_fwd_mark.patch b/queue-4.14/net-skb_scrub_packet-scrub-offload_fwd_mark.patch new file mode 100644 index 00000000000..13084f0ce83 --- /dev/null +++ b/queue-4.14/net-skb_scrub_packet-scrub-offload_fwd_mark.patch @@ -0,0 +1,49 @@ +From foo@baz Mon Dec 3 10:10:59 CET 2018 +From: Petr Machata +Date: Tue, 20 Nov 2018 11:39:56 +0000 +Subject: net: skb_scrub_packet(): Scrub offload_fwd_mark + +From: Petr Machata + +[ Upstream commit b5dd186d10ba59e6b5ba60e42b3b083df56df6f3 ] + +When a packet is trapped and the corresponding SKB marked as +already-forwarded, it retains this marking even after it is forwarded +across veth links into another bridge. There, since it ingresses the +bridge over veth, which doesn't have offload_fwd_mark, it triggers a +warning in nbp_switchdev_frame_mark(). + +Then nbp_switchdev_allowed_egress() decides not to allow egress from +this bridge through another veth, because the SKB is already marked, and +the mark (of 0) of course matches. Thus the packet is incorrectly +blocked. + +Solve by resetting offload_fwd_mark() in skb_scrub_packet(). That +function is called from tunnels and also from veth, and thus catches the +cases where traffic is forwarded between bridges and transformed in a +way that invalidates the marking. + +Fixes: 6bc506b4fb06 ("bridge: switchdev: Add forward mark support for stacked devices") +Fixes: abf4bb6b63d0 ("skbuff: Add the offload_mr_fwd_mark field") +Signed-off-by: Petr Machata +Suggested-by: Ido Schimmel +Acked-by: Jiri Pirko +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/core/skbuff.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/net/core/skbuff.c ++++ b/net/core/skbuff.c +@@ -4882,6 +4882,10 @@ void skb_scrub_packet(struct sk_buff *sk + nf_reset(skb); + nf_reset_trace(skb); + ++#ifdef CONFIG_NET_SWITCHDEV ++ skb->offload_fwd_mark = 0; ++#endif ++ + if (!xnet) + return; + diff --git a/queue-4.14/net-thunderx-set-tso_hdrs-pointer-to-null-in-nicvf_free_snd_queue.patch b/queue-4.14/net-thunderx-set-tso_hdrs-pointer-to-null-in-nicvf_free_snd_queue.patch new file mode 100644 index 00000000000..03aaadb2842 --- /dev/null +++ b/queue-4.14/net-thunderx-set-tso_hdrs-pointer-to-null-in-nicvf_free_snd_queue.patch @@ -0,0 +1,97 @@ +From foo@baz Mon Dec 3 10:10:59 CET 2018 +From: Lorenzo Bianconi +Date: Fri, 23 Nov 2018 18:28:01 +0100 +Subject: net: thunderx: set tso_hdrs pointer to NULL in nicvf_free_snd_queue + +From: Lorenzo Bianconi + +[ Upstream commit ef2a7cf1d8831535b8991459567b385661eb4a36 ] + +Reset snd_queue tso_hdrs pointer to NULL in nicvf_free_snd_queue routine +since it is used to check if tso dma descriptor queue has been previously +allocated. The issue can be triggered with the following reproducer: + +$ip link set dev enP2p1s0v0 xdpdrv obj xdp_dummy.o +$ip link set dev enP2p1s0v0 xdpdrv off + +[ 341.467649] WARNING: CPU: 74 PID: 2158 at mm/vmalloc.c:1511 __vunmap+0x98/0xe0 +[ 341.515010] Hardware name: GIGABYTE H270-T70/MT70-HD0, BIOS T49 02/02/2018 +[ 341.521874] pstate: 60400005 (nZCv daif +PAN -UAO) +[ 341.526654] pc : __vunmap+0x98/0xe0 +[ 341.530132] lr : __vunmap+0x98/0xe0 +[ 341.533609] sp : ffff00001c5db860 +[ 341.536913] x29: ffff00001c5db860 x28: 0000000000020000 +[ 341.542214] x27: ffff810feb5090b0 x26: ffff000017e57000 +[ 341.547515] x25: 0000000000000000 x24: 00000000fbd00000 +[ 341.552816] x23: 0000000000000000 x22: ffff810feb5090b0 +[ 341.558117] x21: 0000000000000000 x20: 0000000000000000 +[ 341.563418] x19: ffff000017e57000 x18: 0000000000000000 +[ 341.568719] x17: 0000000000000000 x16: 0000000000000000 +[ 341.574020] x15: 0000000000000010 x14: ffffffffffffffff +[ 341.579321] x13: ffff00008985eb27 x12: ffff00000985eb2f +[ 341.584622] x11: ffff0000096b3000 x10: ffff00001c5db510 +[ 341.589923] x9 : 00000000ffffffd0 x8 : ffff0000086868e8 +[ 341.595224] x7 : 3430303030303030 x6 : 00000000000006ef +[ 341.600525] x5 : 00000000003fffff x4 : 0000000000000000 +[ 341.605825] x3 : 0000000000000000 x2 : ffffffffffffffff +[ 341.611126] x1 : ffff0000096b3728 x0 : 0000000000000038 +[ 341.616428] Call trace: +[ 341.618866] __vunmap+0x98/0xe0 +[ 341.621997] vunmap+0x3c/0x50 +[ 341.624961] arch_dma_free+0x68/0xa0 +[ 341.628534] dma_direct_free+0x50/0x80 +[ 341.632285] nicvf_free_resources+0x160/0x2d8 [nicvf] +[ 341.637327] nicvf_config_data_transfer+0x174/0x5e8 [nicvf] +[ 341.642890] nicvf_stop+0x298/0x340 [nicvf] +[ 341.647066] __dev_close_many+0x9c/0x108 +[ 341.650977] dev_close_many+0xa4/0x158 +[ 341.654720] rollback_registered_many+0x140/0x530 +[ 341.659414] rollback_registered+0x54/0x80 +[ 341.663499] unregister_netdevice_queue+0x9c/0xe8 +[ 341.668192] unregister_netdev+0x28/0x38 +[ 341.672106] nicvf_remove+0xa4/0xa8 [nicvf] +[ 341.676280] nicvf_shutdown+0x20/0x30 [nicvf] +[ 341.680630] pci_device_shutdown+0x44/0x88 +[ 341.684720] device_shutdown+0x144/0x250 +[ 341.688640] kernel_restart_prepare+0x44/0x50 +[ 341.692986] kernel_restart+0x20/0x68 +[ 341.696638] __se_sys_reboot+0x210/0x238 +[ 341.700550] __arm64_sys_reboot+0x24/0x30 +[ 341.704555] el0_svc_handler+0x94/0x110 +[ 341.708382] el0_svc+0x8/0xc +[ 341.711252] ---[ end trace 3f4019c8439959c9 ]--- +[ 341.715874] page:ffff7e0003ef4000 count:0 mapcount:0 mapping:0000000000000000 index:0x4 +[ 341.723872] flags: 0x1fffe000000000() +[ 341.727527] raw: 001fffe000000000 ffff7e0003f1a008 ffff7e0003ef4048 0000000000000000 +[ 341.735263] raw: 0000000000000004 0000000000000000 00000000ffffffff 0000000000000000 +[ 341.742994] page dumped because: VM_BUG_ON_PAGE(page_ref_count(page) == 0) + +where xdp_dummy.c is a simple bpf program that forwards the incoming +frames to the network stack (available here: +https://github.com/altoor/xdp_walkthrough_examples/blob/master/sample_1/xdp_dummy.c) + +Fixes: 05c773f52b96 ("net: thunderx: Add basic XDP support") +Fixes: 4863dea3fab0 ("net: Adding support for Cavium ThunderX network controller") +Signed-off-by: Lorenzo Bianconi +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/cavium/thunder/nicvf_queues.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/cavium/thunder/nicvf_queues.c ++++ b/drivers/net/ethernet/cavium/thunder/nicvf_queues.c +@@ -585,10 +585,12 @@ static void nicvf_free_snd_queue(struct + if (!sq->dmem.base) + return; + +- if (sq->tso_hdrs) ++ if (sq->tso_hdrs) { + dma_free_coherent(&nic->pdev->dev, + sq->dmem.q_len * TSO_HEADER_SIZE, + sq->tso_hdrs, sq->tso_hdrs_phys); ++ sq->tso_hdrs = NULL; ++ } + + /* Free pending skbs in the queue */ + smp_rmb(); diff --git a/queue-4.14/net-thunderx-set-xdp_prog-to-null-if-bpf_prog_add-fails.patch b/queue-4.14/net-thunderx-set-xdp_prog-to-null-if-bpf_prog_add-fails.patch new file mode 100644 index 00000000000..ace6b99ae34 --- /dev/null +++ b/queue-4.14/net-thunderx-set-xdp_prog-to-null-if-bpf_prog_add-fails.patch @@ -0,0 +1,56 @@ +From foo@baz Mon Dec 3 10:10:59 CET 2018 +From: Lorenzo Bianconi +Date: Wed, 21 Nov 2018 16:32:10 +0100 +Subject: net: thunderx: set xdp_prog to NULL if bpf_prog_add fails + +From: Lorenzo Bianconi + +[ Upstream commit 6d0f60b0f8588fd4380ea5df9601e12fddd55ce2 ] + +Set xdp_prog pointer to NULL if bpf_prog_add fails since that routine +reports the error code instead of NULL in case of failure and xdp_prog +pointer value is used in the driver to verify if XDP is currently +enabled. +Moreover report the error code to userspace if nicvf_xdp_setup fails + +Fixes: 05c773f52b96 ("net: thunderx: Add basic XDP support") +Signed-off-by: Lorenzo Bianconi +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/cavium/thunder/nicvf_main.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/cavium/thunder/nicvf_main.c ++++ b/drivers/net/ethernet/cavium/thunder/nicvf_main.c +@@ -1691,6 +1691,7 @@ static int nicvf_xdp_setup(struct nicvf + bool if_up = netif_running(nic->netdev); + struct bpf_prog *old_prog; + bool bpf_attached = false; ++ int ret = 0; + + /* For now just support only the usual MTU sized frames */ + if (prog && (dev->mtu > 1500)) { +@@ -1724,8 +1725,12 @@ static int nicvf_xdp_setup(struct nicvf + if (nic->xdp_prog) { + /* Attach BPF program */ + nic->xdp_prog = bpf_prog_add(nic->xdp_prog, nic->rx_queues - 1); +- if (!IS_ERR(nic->xdp_prog)) ++ if (!IS_ERR(nic->xdp_prog)) { + bpf_attached = true; ++ } else { ++ ret = PTR_ERR(nic->xdp_prog); ++ nic->xdp_prog = NULL; ++ } + } + + /* Calculate Tx queues needed for XDP and network stack */ +@@ -1737,7 +1742,7 @@ static int nicvf_xdp_setup(struct nicvf + netif_trans_update(nic->netdev); + } + +- return 0; ++ return ret; + } + + static int nicvf_xdp(struct net_device *netdev, struct netdev_xdp *xdp) diff --git a/queue-4.14/packet-copy-user-buffers-before-orphan-or-clone.patch b/queue-4.14/packet-copy-user-buffers-before-orphan-or-clone.patch new file mode 100644 index 00000000000..6b5fe9c0e22 --- /dev/null +++ b/queue-4.14/packet-copy-user-buffers-before-orphan-or-clone.patch @@ -0,0 +1,100 @@ +From foo@baz Mon Dec 3 10:10:59 CET 2018 +From: Willem de Bruijn +Date: Tue, 20 Nov 2018 13:00:18 -0500 +Subject: packet: copy user buffers before orphan or clone + +From: Willem de Bruijn + +[ Upstream commit 5cd8d46ea1562be80063f53c7c6a5f40224de623 ] + +tpacket_snd sends packets with user pages linked into skb frags. It +notifies that pages can be reused when the skb is released by setting +skb->destructor to tpacket_destruct_skb. + +This can cause data corruption if the skb is orphaned (e.g., on +transmit through veth) or cloned (e.g., on mirror to another psock). + +Create a kernel-private copy of data in these cases, same as tun/tap +zerocopy transmission. Reuse that infrastructure: mark the skb as +SKBTX_ZEROCOPY_FRAG, which will trigger copy in skb_orphan_frags(_rx). + +Unlike other zerocopy packets, do not set shinfo destructor_arg to +struct ubuf_info. tpacket_destruct_skb already uses that ptr to notify +when the original skb is released and a timestamp is recorded. Do not +change this timestamp behavior. The ubuf_info->callback is not needed +anyway, as no zerocopy notification is expected. + +Mark destructor_arg as not-a-uarg by setting the lower bit to 1. The +resulting value is not a valid ubuf_info pointer, nor a valid +tpacket_snd frame address. Add skb_zcopy_.._nouarg helpers for this. + +The fix relies on features introduced in commit 52267790ef52 ("sock: +add MSG_ZEROCOPY"), so can be backported as is only to 4.14. + +Tested with from `./in_netns.sh ./txring_overwrite` from +http://github.com/wdebruij/kerneltools/tests + +Fixes: 69e3c75f4d54 ("net: TX_RING and packet mmap") +Reported-by: Anand H. Krishnan +Signed-off-by: Willem de Bruijn +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/skbuff.h | 18 +++++++++++++++++- + net/packet/af_packet.c | 4 ++-- + 2 files changed, 19 insertions(+), 3 deletions(-) + +--- a/include/linux/skbuff.h ++++ b/include/linux/skbuff.h +@@ -1288,6 +1288,22 @@ static inline void skb_zcopy_set(struct + } + } + ++static inline void skb_zcopy_set_nouarg(struct sk_buff *skb, void *val) ++{ ++ skb_shinfo(skb)->destructor_arg = (void *)((uintptr_t) val | 0x1UL); ++ skb_shinfo(skb)->tx_flags |= SKBTX_ZEROCOPY_FRAG; ++} ++ ++static inline bool skb_zcopy_is_nouarg(struct sk_buff *skb) ++{ ++ return (uintptr_t) skb_shinfo(skb)->destructor_arg & 0x1UL; ++} ++ ++static inline void *skb_zcopy_get_nouarg(struct sk_buff *skb) ++{ ++ return (void *)((uintptr_t) skb_shinfo(skb)->destructor_arg & ~0x1UL); ++} ++ + /* Release a reference on a zerocopy structure */ + static inline void skb_zcopy_clear(struct sk_buff *skb, bool zerocopy) + { +@@ -1297,7 +1313,7 @@ static inline void skb_zcopy_clear(struc + if (uarg->callback == sock_zerocopy_callback) { + uarg->zerocopy = uarg->zerocopy && zerocopy; + sock_zerocopy_put(uarg); +- } else { ++ } else if (!skb_zcopy_is_nouarg(skb)) { + uarg->callback(uarg, zerocopy); + } + +--- a/net/packet/af_packet.c ++++ b/net/packet/af_packet.c +@@ -2433,7 +2433,7 @@ static void tpacket_destruct_skb(struct + void *ph; + __u32 ts; + +- ph = skb_shinfo(skb)->destructor_arg; ++ ph = skb_zcopy_get_nouarg(skb); + packet_dec_pending(&po->tx_ring); + + ts = __packet_set_timestamp(po, ph, skb); +@@ -2499,7 +2499,7 @@ static int tpacket_fill_skb(struct packe + skb->priority = po->sk.sk_priority; + skb->mark = po->sk.sk_mark; + sock_tx_timestamp(&po->sk, sockc->tsflags, &skb_shinfo(skb)->tx_flags); +- skb_shinfo(skb)->destructor_arg = ph.raw; ++ skb_zcopy_set_nouarg(skb, ph.raw); + + skb_reserve(skb, hlen); + skb_reset_network_header(skb); diff --git a/queue-4.14/rapidio-rionet-do-not-free-skb-before-reading-its-length.patch b/queue-4.14/rapidio-rionet-do-not-free-skb-before-reading-its-length.patch new file mode 100644 index 00000000000..a00ad240034 --- /dev/null +++ b/queue-4.14/rapidio-rionet-do-not-free-skb-before-reading-its-length.patch @@ -0,0 +1,33 @@ +From foo@baz Mon Dec 3 10:10:59 CET 2018 +From: Pan Bian +Date: Wed, 28 Nov 2018 14:53:19 +0800 +Subject: rapidio/rionet: do not free skb before reading its length + +From: Pan Bian + +[ Upstream commit cfc435198f53a6fa1f656d98466b24967ff457d0 ] + +skb is freed via dev_kfree_skb_any, however, skb->len is read then. This +may result in a use-after-free bug. + +Fixes: e6161d64263 ("rapidio/rionet: rework driver initialization and removal") +Signed-off-by: Pan Bian +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/rionet.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/rionet.c ++++ b/drivers/net/rionet.c +@@ -216,9 +216,9 @@ static int rionet_start_xmit(struct sk_b + * it just report sending a packet to the target + * (without actual packet transfer). + */ +- dev_kfree_skb_any(skb); + ndev->stats.tx_packets++; + ndev->stats.tx_bytes += skb->len; ++ dev_kfree_skb_any(skb); + } + } + diff --git a/queue-4.14/s390-qeth-fix-length-check-in-snmp-processing.patch b/queue-4.14/s390-qeth-fix-length-check-in-snmp-processing.patch new file mode 100644 index 00000000000..361aaeacf28 --- /dev/null +++ b/queue-4.14/s390-qeth-fix-length-check-in-snmp-processing.patch @@ -0,0 +1,88 @@ +From foo@baz Mon Dec 3 10:10:59 CET 2018 +From: Julian Wiedmann +Date: Wed, 28 Nov 2018 16:20:50 +0100 +Subject: s390/qeth: fix length check in SNMP processing + +From: Julian Wiedmann + +[ Upstream commit 9a764c1e59684c0358e16ccaafd870629f2cfe67 ] + +The response for a SNMP request can consist of multiple parts, which +the cmd callback stages into a kernel buffer until all parts have been +received. If the callback detects that the staging buffer provides +insufficient space, it bails out with error. +This processing is buggy for the first part of the response - while it +initially checks for a length of 'data_len', it later copies an +additional amount of 'offsetof(struct qeth_snmp_cmd, data)' bytes. + +Fix the calculation of 'data_len' for the first part of the response. +This also nicely cleans up the memcpy code. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Julian Wiedmann +Reviewed-by: Ursula Braun +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/s390/net/qeth_core_main.c | 27 ++++++++++++--------------- + 1 file changed, 12 insertions(+), 15 deletions(-) + +--- a/drivers/s390/net/qeth_core_main.c ++++ b/drivers/s390/net/qeth_core_main.c +@@ -4545,8 +4545,8 @@ static int qeth_snmp_command_cb(struct q + { + struct qeth_ipa_cmd *cmd; + struct qeth_arp_query_info *qinfo; +- struct qeth_snmp_cmd *snmp; + unsigned char *data; ++ void *snmp_data; + __u16 data_len; + + QETH_CARD_TEXT(card, 3, "snpcmdcb"); +@@ -4554,7 +4554,6 @@ static int qeth_snmp_command_cb(struct q + cmd = (struct qeth_ipa_cmd *) sdata; + data = (unsigned char *)((char *)cmd - reply->offset); + qinfo = (struct qeth_arp_query_info *) reply->param; +- snmp = &cmd->data.setadapterparms.data.snmp; + + if (cmd->hdr.return_code) { + QETH_CARD_TEXT_(card, 4, "scer1%x", cmd->hdr.return_code); +@@ -4567,10 +4566,15 @@ static int qeth_snmp_command_cb(struct q + return 0; + } + data_len = *((__u16 *)QETH_IPA_PDU_LEN_PDU1(data)); +- if (cmd->data.setadapterparms.hdr.seq_no == 1) +- data_len -= (__u16)((char *)&snmp->data - (char *)cmd); +- else +- data_len -= (__u16)((char *)&snmp->request - (char *)cmd); ++ if (cmd->data.setadapterparms.hdr.seq_no == 1) { ++ snmp_data = &cmd->data.setadapterparms.data.snmp; ++ data_len -= offsetof(struct qeth_ipa_cmd, ++ data.setadapterparms.data.snmp); ++ } else { ++ snmp_data = &cmd->data.setadapterparms.data.snmp.request; ++ data_len -= offsetof(struct qeth_ipa_cmd, ++ data.setadapterparms.data.snmp.request); ++ } + + /* check if there is enough room in userspace */ + if ((qinfo->udata_len - qinfo->udata_offset) < data_len) { +@@ -4583,16 +4587,9 @@ static int qeth_snmp_command_cb(struct q + QETH_CARD_TEXT_(card, 4, "sseqn%i", + cmd->data.setadapterparms.hdr.seq_no); + /*copy entries to user buffer*/ +- if (cmd->data.setadapterparms.hdr.seq_no == 1) { +- memcpy(qinfo->udata + qinfo->udata_offset, +- (char *)snmp, +- data_len + offsetof(struct qeth_snmp_cmd, data)); +- qinfo->udata_offset += offsetof(struct qeth_snmp_cmd, data); +- } else { +- memcpy(qinfo->udata + qinfo->udata_offset, +- (char *)&snmp->request, data_len); +- } ++ memcpy(qinfo->udata + qinfo->udata_offset, snmp_data, data_len); + qinfo->udata_offset += data_len; ++ + /* check if all replies received ... */ + QETH_CARD_TEXT_(card, 4, "srtot%i", + cmd->data.setadapterparms.hdr.used_total); diff --git a/queue-4.14/series b/queue-4.14/series index 5f8e6e9eeaa..0cdac161a26 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -56,3 +56,12 @@ f2fs-fix-to-do-sanity-check-with-i_extra_isize.patch f2fs-fix-to-do-sanity-check-with-cp_pack_start_sum.patch xfs-don-t-fail-when-converting-shortform-attr-to-lon.patch revert-wlcore-add-missing-pm-call-for-wlcore_cmd_wai.patch +net-skb_scrub_packet-scrub-offload_fwd_mark.patch +net-thunderx-set-xdp_prog-to-null-if-bpf_prog_add-fails.patch +virtio-net-disable-guest-csum-during-xdp-set.patch +virtio-net-fail-xdp-set-if-guest-csum-is-negotiated.patch +net-thunderx-set-tso_hdrs-pointer-to-null-in-nicvf_free_snd_queue.patch +packet-copy-user-buffers-before-orphan-or-clone.patch +rapidio-rionet-do-not-free-skb-before-reading-its-length.patch +s390-qeth-fix-length-check-in-snmp-processing.patch +usbnet-ipheth-fix-potential-recvmsg-bug-and-recvmsg-bug-2.patch diff --git a/queue-4.14/usbnet-ipheth-fix-potential-recvmsg-bug-and-recvmsg-bug-2.patch b/queue-4.14/usbnet-ipheth-fix-potential-recvmsg-bug-and-recvmsg-bug-2.patch new file mode 100644 index 00000000000..0ff11735206 --- /dev/null +++ b/queue-4.14/usbnet-ipheth-fix-potential-recvmsg-bug-and-recvmsg-bug-2.patch @@ -0,0 +1,168 @@ +From foo@baz Mon Dec 3 10:10:59 CET 2018 +From: Bernd Eckstein <3erndeckstein@gmail.com> +Date: Fri, 23 Nov 2018 13:51:26 +0100 +Subject: usbnet: ipheth: fix potential recvmsg bug and recvmsg bug 2 + +From: Bernd Eckstein <3erndeckstein@gmail.com> + +[ Upstream commit 45611c61dd503454b2edae00aabe1e429ec49ebe ] + +The bug is not easily reproducable, as it may occur very infrequently +(we had machines with 20minutes heavy downloading before it occurred) +However, on a virual machine (VMWare on Windows 10 host) it occurred +pretty frequently (1-2 seconds after a speedtest was started) + +dev->tx_skb mab be freed via dev_kfree_skb_irq on a callback +before it is set. + +This causes the following problems: +- double free of the skb or potential memory leak +- in dmesg: 'recvmsg bug' and 'recvmsg bug 2' and eventually + general protection fault + +Example dmesg output: +[ 134.841986] ------------[ cut here ]------------ +[ 134.841987] recvmsg bug: copied 9C24A555 seq 9C24B557 rcvnxt 9C25A6B3 fl 0 +[ 134.841993] WARNING: CPU: 7 PID: 2629 at /build/linux-hwe-On9fm7/linux-hwe-4.15.0/net/ipv4/tcp.c:1865 tcp_recvmsg+0x44d/0xab0 +[ 134.841994] Modules linked in: ipheth(OE) kvm_intel kvm irqbypass crct10dif_pclmul crc32_pclmul ghash_clmulni_intel pcbc aesni_intel aes_x86_64 crypto_simd glue_helper cryptd vmw_balloon intel_rapl_perf joydev input_leds serio_raw vmw_vsock_vmci_transport vsock shpchp i2c_piix4 mac_hid binfmt_misc vmw_vmci parport_pc ppdev lp parport autofs4 vmw_pvscsi vmxnet3 hid_generic usbhid hid vmwgfx ttm drm_kms_helper syscopyarea sysfillrect mptspi mptscsih sysimgblt ahci psmouse fb_sys_fops pata_acpi mptbase libahci e1000 drm scsi_transport_spi +[ 134.842046] CPU: 7 PID: 2629 Comm: python Tainted: G W OE 4.15.0-34-generic #37~16.04.1-Ubuntu +[ 134.842046] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 05/19/2017 +[ 134.842048] RIP: 0010:tcp_recvmsg+0x44d/0xab0 +[ 134.842048] RSP: 0018:ffffa6630422bcc8 EFLAGS: 00010286 +[ 134.842049] RAX: 0000000000000000 RBX: ffff997616f4f200 RCX: 0000000000000006 +[ 134.842049] RDX: 0000000000000007 RSI: 0000000000000082 RDI: ffff9976257d6490 +[ 134.842050] RBP: ffffa6630422bd98 R08: 0000000000000001 R09: 000000000004bba4 +[ 134.842050] R10: 0000000001e00c6f R11: 000000000004bba4 R12: ffff99760dee3000 +[ 134.842051] R13: 0000000000000000 R14: ffff99760dee3514 R15: 0000000000000000 +[ 134.842051] FS: 00007fe332347700(0000) GS:ffff9976257c0000(0000) knlGS:0000000000000000 +[ 134.842052] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 134.842053] CR2: 0000000001e41000 CR3: 000000020e9b4006 CR4: 00000000003606e0 +[ 134.842055] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[ 134.842055] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +[ 134.842057] Call Trace: +[ 134.842060] ? aa_sk_perm+0x53/0x1a0 +[ 134.842064] inet_recvmsg+0x51/0xc0 +[ 134.842066] sock_recvmsg+0x43/0x50 +[ 134.842070] SYSC_recvfrom+0xe4/0x160 +[ 134.842072] ? __schedule+0x3de/0x8b0 +[ 134.842075] ? ktime_get_ts64+0x4c/0xf0 +[ 134.842079] SyS_recvfrom+0xe/0x10 +[ 134.842082] do_syscall_64+0x73/0x130 +[ 134.842086] entry_SYSCALL_64_after_hwframe+0x3d/0xa2 +[ 134.842086] RIP: 0033:0x7fe331f5a81d +[ 134.842088] RSP: 002b:00007ffe8da98398 EFLAGS: 00000246 ORIG_RAX: 000000000000002d +[ 134.842090] RAX: ffffffffffffffda RBX: ffffffffffffffff RCX: 00007fe331f5a81d +[ 134.842094] RDX: 00000000000003fb RSI: 0000000001e00874 RDI: 0000000000000003 +[ 134.842095] RBP: 00007fe32f642c70 R08: 0000000000000000 R09: 0000000000000000 +[ 134.842097] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fe332347698 +[ 134.842099] R13: 0000000001b7e0a0 R14: 0000000001e00874 R15: 0000000000000000 +[ 134.842103] Code: 24 fd ff ff e9 cc fe ff ff 48 89 d8 41 8b 8c 24 10 05 00 00 44 8b 45 80 48 c7 c7 08 bd 59 8b 48 89 85 68 ff ff ff e8 b3 c4 7d ff <0f> 0b 48 8b 85 68 ff ff ff e9 e9 fe ff ff 41 8b 8c 24 10 05 00 +[ 134.842126] ---[ end trace b7138fc08c83147f ]--- +[ 134.842144] general protection fault: 0000 [#1] SMP PTI +[ 134.842145] Modules linked in: ipheth(OE) kvm_intel kvm irqbypass crct10dif_pclmul crc32_pclmul ghash_clmulni_intel pcbc aesni_intel aes_x86_64 crypto_simd glue_helper cryptd vmw_balloon intel_rapl_perf joydev input_leds serio_raw vmw_vsock_vmci_transport vsock shpchp i2c_piix4 mac_hid binfmt_misc vmw_vmci parport_pc ppdev lp parport autofs4 vmw_pvscsi vmxnet3 hid_generic usbhid hid vmwgfx ttm drm_kms_helper syscopyarea sysfillrect mptspi mptscsih sysimgblt ahci psmouse fb_sys_fops pata_acpi mptbase libahci e1000 drm scsi_transport_spi +[ 134.842161] CPU: 7 PID: 2629 Comm: python Tainted: G W OE 4.15.0-34-generic #37~16.04.1-Ubuntu +[ 134.842162] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 05/19/2017 +[ 134.842164] RIP: 0010:tcp_close+0x2c6/0x440 +[ 134.842165] RSP: 0018:ffffa6630422bde8 EFLAGS: 00010202 +[ 134.842167] RAX: 0000000000000000 RBX: ffff99760dee3000 RCX: 0000000180400034 +[ 134.842168] RDX: 5c4afd407207a6c4 RSI: ffffe868495bd300 RDI: ffff997616f4f200 +[ 134.842169] RBP: ffffa6630422be08 R08: 0000000016f4d401 R09: 0000000180400034 +[ 134.842169] R10: ffffa6630422bd98 R11: 0000000000000000 R12: 000000000000600c +[ 134.842170] R13: 0000000000000000 R14: ffff99760dee30c8 R15: ffff9975bd44fe00 +[ 134.842171] FS: 00007fe332347700(0000) GS:ffff9976257c0000(0000) knlGS:0000000000000000 +[ 134.842173] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 134.842174] CR2: 0000000001e41000 CR3: 000000020e9b4006 CR4: 00000000003606e0 +[ 134.842177] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[ 134.842178] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +[ 134.842179] Call Trace: +[ 134.842181] inet_release+0x42/0x70 +[ 134.842183] __sock_release+0x42/0xb0 +[ 134.842184] sock_close+0x15/0x20 +[ 134.842187] __fput+0xea/0x220 +[ 134.842189] ____fput+0xe/0x10 +[ 134.842191] task_work_run+0x8a/0xb0 +[ 134.842193] exit_to_usermode_loop+0xc4/0xd0 +[ 134.842195] do_syscall_64+0xf4/0x130 +[ 134.842197] entry_SYSCALL_64_after_hwframe+0x3d/0xa2 +[ 134.842197] RIP: 0033:0x7fe331f5a560 +[ 134.842198] RSP: 002b:00007ffe8da982e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000003 +[ 134.842200] RAX: 0000000000000000 RBX: 00007fe32f642c70 RCX: 00007fe331f5a560 +[ 134.842201] RDX: 00000000008f5320 RSI: 0000000001cd4b50 RDI: 0000000000000003 +[ 134.842202] RBP: 00007fe32f6500f8 R08: 000000000000003c R09: 00000000009343c0 +[ 134.842203] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fe32f6500d0 +[ 134.842204] R13: 00000000008f5320 R14: 00000000008f5320 R15: 0000000001cd4770 +[ 134.842205] Code: c8 00 00 00 45 31 e4 49 39 fe 75 4d eb 50 83 ab d8 00 00 00 01 48 8b 17 48 8b 47 08 48 c7 07 00 00 00 00 48 c7 47 08 00 00 00 00 <48> 89 42 08 48 89 10 0f b6 57 34 8b 47 2c 2b 47 28 83 e2 01 80 +[ 134.842226] RIP: tcp_close+0x2c6/0x440 RSP: ffffa6630422bde8 +[ 134.842227] ---[ end trace b7138fc08c831480 ]--- + +The proposed patch eliminates a potential racing condition. +Before, usb_submit_urb was called and _after_ that, the skb was attached +(dev->tx_skb). So, on a callback it was possible, however unlikely that the +skb was freed before it was set. That way (because dev->tx_skb was not set +to NULL after it was freed), it could happen that a skb from a earlier +transmission was freed a second time (and the skb we should have freed did +not get freed at all) + +Now we free the skb directly in ipheth_tx(). It is not passed to the +callback anymore, eliminating the posibility of a double free of the same +skb. Depending on the retval of usb_submit_urb() we use dev_kfree_skb_any() +respectively dev_consume_skb_any() to free the skb. + +Signed-off-by: Oliver Zweigle +Signed-off-by: Bernd Eckstein <3ernd.Eckstein@gmail.com> +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/ipheth.c | 10 ++++------ + 1 file changed, 4 insertions(+), 6 deletions(-) + +--- a/drivers/net/usb/ipheth.c ++++ b/drivers/net/usb/ipheth.c +@@ -140,7 +140,6 @@ struct ipheth_device { + struct usb_device *udev; + struct usb_interface *intf; + struct net_device *net; +- struct sk_buff *tx_skb; + struct urb *tx_urb; + struct urb *rx_urb; + unsigned char *tx_buf; +@@ -229,6 +228,7 @@ static void ipheth_rcvbulk_callback(stru + case -ENOENT: + case -ECONNRESET: + case -ESHUTDOWN: ++ case -EPROTO: + return; + case 0: + break; +@@ -280,7 +280,6 @@ static void ipheth_sndbulk_callback(stru + dev_err(&dev->intf->dev, "%s: urb status: %d\n", + __func__, status); + +- dev_kfree_skb_irq(dev->tx_skb); + netif_wake_queue(dev->net); + } + +@@ -410,7 +409,7 @@ static int ipheth_tx(struct sk_buff *skb + if (skb->len > IPHETH_BUF_SIZE) { + WARN(1, "%s: skb too large: %d bytes\n", __func__, skb->len); + dev->net->stats.tx_dropped++; +- dev_kfree_skb_irq(skb); ++ dev_kfree_skb_any(skb); + return NETDEV_TX_OK; + } + +@@ -430,12 +429,11 @@ static int ipheth_tx(struct sk_buff *skb + dev_err(&dev->intf->dev, "%s: usb_submit_urb: %d\n", + __func__, retval); + dev->net->stats.tx_errors++; +- dev_kfree_skb_irq(skb); ++ dev_kfree_skb_any(skb); + } else { +- dev->tx_skb = skb; +- + dev->net->stats.tx_packets++; + dev->net->stats.tx_bytes += skb->len; ++ dev_consume_skb_any(skb); + netif_stop_queue(net); + } + diff --git a/queue-4.14/virtio-net-disable-guest-csum-during-xdp-set.patch b/queue-4.14/virtio-net-disable-guest-csum-during-xdp-set.patch new file mode 100644 index 00000000000..d66eff62642 --- /dev/null +++ b/queue-4.14/virtio-net-disable-guest-csum-during-xdp-set.patch @@ -0,0 +1,64 @@ +From foo@baz Mon Dec 3 10:10:59 CET 2018 +From: Jason Wang +Date: Thu, 22 Nov 2018 14:36:30 +0800 +Subject: virtio-net: disable guest csum during XDP set + +From: Jason Wang + +[ Upstream commit e59ff2c49ae16e1d179de679aca81405829aee6c ] + +We don't disable VIRTIO_NET_F_GUEST_CSUM if XDP was set. This means we +can receive partial csumed packets with metadata kept in the +vnet_hdr. This may have several side effects: + +- It could be overridden by header adjustment, thus is might be not + correct after XDP processing. +- There's no way to pass such metadata information through + XDP_REDIRECT to another driver. +- XDP does not support checksum offload right now. + +So simply disable guest csum if possible in this the case of XDP. + +Fixes: 3f93522ffab2d ("virtio-net: switch off offloads on demand if possible on XDP set") +Reported-by: Jesper Dangaard Brouer +Cc: Jesper Dangaard Brouer +Cc: Pavel Popa +Cc: David Ahern +Signed-off-by: Jason Wang +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/virtio_net.c | 8 ++------ + 1 file changed, 2 insertions(+), 6 deletions(-) + +--- a/drivers/net/virtio_net.c ++++ b/drivers/net/virtio_net.c +@@ -61,7 +61,8 @@ static const unsigned long guest_offload + VIRTIO_NET_F_GUEST_TSO4, + VIRTIO_NET_F_GUEST_TSO6, + VIRTIO_NET_F_GUEST_ECN, +- VIRTIO_NET_F_GUEST_UFO ++ VIRTIO_NET_F_GUEST_UFO, ++ VIRTIO_NET_F_GUEST_CSUM + }; + + struct virtnet_stats { +@@ -1939,9 +1940,6 @@ static int virtnet_clear_guest_offloads( + if (!vi->guest_offloads) + return 0; + +- if (virtio_has_feature(vi->vdev, VIRTIO_NET_F_GUEST_CSUM)) +- offloads = 1ULL << VIRTIO_NET_F_GUEST_CSUM; +- + return virtnet_set_guest_offloads(vi, offloads); + } + +@@ -1951,8 +1949,6 @@ static int virtnet_restore_guest_offload + + if (!vi->guest_offloads) + return 0; +- if (virtio_has_feature(vi->vdev, VIRTIO_NET_F_GUEST_CSUM)) +- offloads |= 1ULL << VIRTIO_NET_F_GUEST_CSUM; + + return virtnet_set_guest_offloads(vi, offloads); + } diff --git a/queue-4.14/virtio-net-fail-xdp-set-if-guest-csum-is-negotiated.patch b/queue-4.14/virtio-net-fail-xdp-set-if-guest-csum-is-negotiated.patch new file mode 100644 index 00000000000..f762f14936f --- /dev/null +++ b/queue-4.14/virtio-net-fail-xdp-set-if-guest-csum-is-negotiated.patch @@ -0,0 +1,39 @@ +From foo@baz Mon Dec 3 10:10:59 CET 2018 +From: Jason Wang +Date: Thu, 22 Nov 2018 14:36:31 +0800 +Subject: virtio-net: fail XDP set if guest csum is negotiated + +From: Jason Wang + +[ Upstream commit 18ba58e1c234ea1a2d9835ac8c1735d965ce4640 ] + +We don't support partial csumed packet since its metadata will be lost +or incorrect during XDP processing. So fail the XDP set if guest_csum +feature is negotiated. + +Fixes: f600b6905015 ("virtio_net: Add XDP support") +Reported-by: Jesper Dangaard Brouer +Cc: Jesper Dangaard Brouer +Cc: Pavel Popa +Cc: David Ahern +Signed-off-by: Jason Wang +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/virtio_net.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/net/virtio_net.c ++++ b/drivers/net/virtio_net.c +@@ -1966,8 +1966,9 @@ static int virtnet_xdp_set(struct net_de + && (virtio_has_feature(vi->vdev, VIRTIO_NET_F_GUEST_TSO4) || + virtio_has_feature(vi->vdev, VIRTIO_NET_F_GUEST_TSO6) || + virtio_has_feature(vi->vdev, VIRTIO_NET_F_GUEST_ECN) || +- virtio_has_feature(vi->vdev, VIRTIO_NET_F_GUEST_UFO))) { +- NL_SET_ERR_MSG_MOD(extack, "Can't set XDP while host is implementing LRO, disable LRO first"); ++ virtio_has_feature(vi->vdev, VIRTIO_NET_F_GUEST_UFO) || ++ virtio_has_feature(vi->vdev, VIRTIO_NET_F_GUEST_CSUM))) { ++ NL_SET_ERR_MSG_MOD(extack, "Can't set XDP while host is implementing LRO/CSUM, disable LRO/CSUM first"); + return -EOPNOTSUPP; + } +