From: Greg Kroah-Hartman Date: Fri, 8 Mar 2019 08:49:55 +0000 (+0100) Subject: 4.14-stable patches X-Git-Tag: v5.0.1~24 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a90d4507e7df891fa2f1a3ba77fd8ea8030fe1fe;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: bnxt_en-drop-oversize-tx-packets-to-prevent-errors.patch geneve-correctly-handle-ipv6.disable-module-parameter.patch hv_netvsc-fix-ip-header-checksum-for-coalesced-packets.patch ip6mr-do-not-call-__ip6_inc_stats-from-preemptible-context.patch ipv4-return-error-for-rta_via-attribute.patch ipv6-return-error-for-rta_via-attribute.patch mpls-return-error-for-rta_gateway-attribute.patch net-add-__icmp_send-helper.patch net-avoid-use-ipcb-in-cipso_v4_error.patch net-dsa-mv88e6xxx-fix-statistics-on-mv88e6161.patch net-dsa-mv88e6xxx-fix-u64-statistics.patch net-dsa-mv88e6xxx-handle-unknown-duplex-modes-gracefully-in-mv88e6xxx_port_set_duplex.patch net-netem-fix-skb-length-bug_on-in-__skb_to_sgvec.patch net-nfc-fix-null-dereference-on-nfc_llcp_build_tlv-fails.patch net-phy-micrel-ksz8061-link-failure-after-cable-connect.patch net-phy-phylink-fix-uninitialized-variable-in-phylink_get_mac_state.patch net-sit-fix-memory-leak-in-sit_init_net.patch net-socket-set-sock-sk-to-null-after-calling-proto_ops-release.patch net-sysfs-fix-mem-leak-in-netdev_register_kobject.patch netlabel-fix-out-of-bounds-memory-accesses.patch sky2-disable-msi-on-dell-inspiron-1545-and-gateway-p-79.patch team-free-bpf-filter-when-unregistering-netdev.patch tipc-fix-rdm-dgram-connect-regression.patch tun-fix-blocking-read.patch tun-remove-unnecessary-memory-barrier.patch xen-netback-don-t-populate-the-hash-cache-on-xenbus-disconnect.patch xen-netback-fix-occasional-leak-of-grant-ref-mappings-under-memory-pressure.patch --- diff --git a/queue-4.14/bnxt_en-drop-oversize-tx-packets-to-prevent-errors.patch b/queue-4.14/bnxt_en-drop-oversize-tx-packets-to-prevent-errors.patch new file mode 100644 index 00000000000..fe5d1183d2d --- /dev/null +++ b/queue-4.14/bnxt_en-drop-oversize-tx-packets-to-prevent-errors.patch @@ -0,0 +1,45 @@ +From foo@baz Fri Mar 8 08:55:03 CET 2019 +From: Michael Chan +Date: Wed, 27 Feb 2019 03:58:53 -0500 +Subject: bnxt_en: Drop oversize TX packets to prevent errors. + +From: Michael Chan + +[ Upstream commit 2b3c6885386020b1b9d92d45e8349637e27d1f66 ] + +There have been reports of oversize UDP packets being sent to the +driver to be transmitted, causing error conditions. The issue is +likely caused by the dst of the SKB switching between 'lo' with +64K MTU and the hardware device with a smaller MTU. Patches are +being proposed by Mahesh Bandewar to fix the +issue. + +In the meantime, add a quick length check in the driver to prevent +the error. The driver uses the TX packet size as index to look up an +array to setup the TX BD. The array is large enough to support all MTU +sizes supported by the driver. The oversize TX packet causes the +driver to index beyond the array and put garbage values into the +TX BD. Add a simple check to prevent this. + +Signed-off-by: Michael Chan +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/broadcom/bnxt/bnxt.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +@@ -447,6 +447,12 @@ normal_tx: + } + + length >>= 9; ++ if (unlikely(length >= ARRAY_SIZE(bnxt_lhint_arr))) { ++ dev_warn_ratelimited(&pdev->dev, "Dropped oversize %d bytes TX packet.\n", ++ skb->len); ++ i = 0; ++ goto tx_dma_error; ++ } + flags |= bnxt_lhint_arr[length]; + txbd->tx_bd_len_flags_type = cpu_to_le32(flags); + diff --git a/queue-4.14/geneve-correctly-handle-ipv6.disable-module-parameter.patch b/queue-4.14/geneve-correctly-handle-ipv6.disable-module-parameter.patch new file mode 100644 index 00000000000..76eac6bbcd1 --- /dev/null +++ b/queue-4.14/geneve-correctly-handle-ipv6.disable-module-parameter.patch @@ -0,0 +1,56 @@ +From foo@baz Fri Mar 8 08:55:03 CET 2019 +From: Jiri Benc +Date: Thu, 28 Feb 2019 14:56:04 +0100 +Subject: geneve: correctly handle ipv6.disable module parameter + +From: Jiri Benc + +[ Upstream commit cf1c9ccba7308e48a68fa77f476287d9d614e4c7 ] + +When IPv6 is compiled but disabled at runtime, geneve_sock_add returns +-EAFNOSUPPORT. For metadata based tunnels, this causes failure of the whole +operation of bringing up the tunnel. + +Ignore failure of IPv6 socket creation for metadata based tunnels caused by +IPv6 not being available. + +This is the same fix as what commit d074bf960044 ("vxlan: correctly handle +ipv6.disable module parameter") is doing for vxlan. + +Note there's also commit c0a47e44c098 ("geneve: should not call rt6_lookup() +when ipv6 was disabled") which fixes a similar issue but for regular +tunnels, while this patch is needed for metadata based tunnels. + +Signed-off-by: Jiri Benc +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/geneve.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +--- a/drivers/net/geneve.c ++++ b/drivers/net/geneve.c +@@ -632,15 +632,20 @@ out: + static int geneve_open(struct net_device *dev) + { + struct geneve_dev *geneve = netdev_priv(dev); +- bool ipv6 = !!(geneve->info.mode & IP_TUNNEL_INFO_IPV6); + bool metadata = geneve->collect_md; ++ bool ipv4, ipv6; + int ret = 0; + ++ ipv6 = geneve->info.mode & IP_TUNNEL_INFO_IPV6 || metadata; ++ ipv4 = !ipv6 || metadata; + #if IS_ENABLED(CONFIG_IPV6) +- if (ipv6 || metadata) ++ if (ipv6) { + ret = geneve_sock_add(geneve, true); ++ if (ret < 0 && ret != -EAFNOSUPPORT) ++ ipv4 = false; ++ } + #endif +- if (!ret && (!ipv6 || metadata)) ++ if (ipv4) + ret = geneve_sock_add(geneve, false); + if (ret < 0) + geneve_sock_release(geneve); diff --git a/queue-4.14/hv_netvsc-fix-ip-header-checksum-for-coalesced-packets.patch b/queue-4.14/hv_netvsc-fix-ip-header-checksum-for-coalesced-packets.patch new file mode 100644 index 00000000000..931b9436407 --- /dev/null +++ b/queue-4.14/hv_netvsc-fix-ip-header-checksum-for-coalesced-packets.patch @@ -0,0 +1,59 @@ +From foo@baz Fri Mar 8 08:55:03 CET 2019 +From: Haiyang Zhang +Date: Fri, 22 Feb 2019 18:25:03 +0000 +Subject: hv_netvsc: Fix IP header checksum for coalesced packets + +From: Haiyang Zhang + +[ Upstream commit bf48648d650db1146b75b9bd358502431e86cf4f ] + +Incoming packets may have IP header checksum verified by the host. +They may not have IP header checksum computed after coalescing. +This patch re-compute the checksum when necessary, otherwise the +packets may be dropped, because Linux network stack always checks it. + +Signed-off-by: Haiyang Zhang +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/hyperv/netvsc_drv.c | 22 +++++++++++++++++++--- + 1 file changed, 19 insertions(+), 3 deletions(-) + +--- a/drivers/net/hyperv/netvsc_drv.c ++++ b/drivers/net/hyperv/netvsc_drv.c +@@ -741,6 +741,14 @@ void netvsc_linkstatus_callback(struct h + schedule_delayed_work(&ndev_ctx->dwork, 0); + } + ++static void netvsc_comp_ipcsum(struct sk_buff *skb) ++{ ++ struct iphdr *iph = (struct iphdr *)skb->data; ++ ++ iph->check = 0; ++ iph->check = ip_fast_csum(iph, iph->ihl); ++} ++ + static struct sk_buff *netvsc_alloc_recv_skb(struct net_device *net, + struct napi_struct *napi, + const struct ndis_tcp_ip_checksum_info *csum_info, +@@ -764,9 +772,17 @@ static struct sk_buff *netvsc_alloc_recv + /* skb is already created with CHECKSUM_NONE */ + skb_checksum_none_assert(skb); + +- /* +- * In Linux, the IP checksum is always checked. +- * Do L4 checksum offload if enabled and present. ++ /* Incoming packets may have IP header checksum verified by the host. ++ * They may not have IP header checksum computed after coalescing. ++ * We compute it here if the flags are set, because on Linux, the IP ++ * checksum is always checked. ++ */ ++ if (csum_info && csum_info->receive.ip_checksum_value_invalid && ++ csum_info->receive.ip_checksum_succeeded && ++ skb->protocol == htons(ETH_P_IP)) ++ netvsc_comp_ipcsum(skb); ++ ++ /* Do L4 checksum offload if enabled and present. + */ + if (csum_info && (net->features & NETIF_F_RXCSUM)) { + if (csum_info->receive.tcp_checksum_succeeded || diff --git a/queue-4.14/ip6mr-do-not-call-__ip6_inc_stats-from-preemptible-context.patch b/queue-4.14/ip6mr-do-not-call-__ip6_inc_stats-from-preemptible-context.patch new file mode 100644 index 00000000000..3a9312c7ab8 --- /dev/null +++ b/queue-4.14/ip6mr-do-not-call-__ip6_inc_stats-from-preemptible-context.patch @@ -0,0 +1,67 @@ +From foo@baz Fri Mar 8 08:55:03 CET 2019 +From: Ido Schimmel +Date: Sun, 3 Mar 2019 07:34:57 +0000 +Subject: ip6mr: Do not call __IP6_INC_STATS() from preemptible context + +From: Ido Schimmel + +[ Upstream commit 87c11f1ddbbad38ad8bad47af133a8208985fbdf ] + +Similar to commit 44f49dd8b5a6 ("ipmr: fix possible race resulting from +improper usage of IP_INC_STATS_BH() in preemptible context."), we cannot +assume preemption is disabled when incrementing the counter and +accessing a per-CPU variable. + +Preemption can be enabled when we add a route in process context that +corresponds to packets stored in the unresolved queue, which are then +forwarded using this route [1]. + +Fix this by using IP6_INC_STATS() which takes care of disabling +preemption on architectures where it is needed. + +[1] +[ 157.451447] BUG: using __this_cpu_add() in preemptible [00000000] code: smcrouted/2314 +[ 157.460409] caller is ip6mr_forward2+0x73e/0x10e0 +[ 157.460434] CPU: 3 PID: 2314 Comm: smcrouted Not tainted 5.0.0-rc7-custom-03635-g22f2712113f1 #1336 +[ 157.460449] Hardware name: Mellanox Technologies Ltd. MSN2100-CB2FO/SA001017, BIOS 5.6.5 06/07/2016 +[ 157.460461] Call Trace: +[ 157.460486] dump_stack+0xf9/0x1be +[ 157.460553] check_preemption_disabled+0x1d6/0x200 +[ 157.460576] ip6mr_forward2+0x73e/0x10e0 +[ 157.460705] ip6_mr_forward+0x9a0/0x1510 +[ 157.460771] ip6mr_mfc_add+0x16b3/0x1e00 +[ 157.461155] ip6_mroute_setsockopt+0x3cb/0x13c0 +[ 157.461384] do_ipv6_setsockopt.isra.8+0x348/0x4060 +[ 157.462013] ipv6_setsockopt+0x90/0x110 +[ 157.462036] rawv6_setsockopt+0x4a/0x120 +[ 157.462058] __sys_setsockopt+0x16b/0x340 +[ 157.462198] __x64_sys_setsockopt+0xbf/0x160 +[ 157.462220] do_syscall_64+0x14d/0x610 +[ 157.462349] entry_SYSCALL_64_after_hwframe+0x49/0xbe + +Fixes: 0912ea38de61 ("[IPV6] MROUTE: Add stats in multicast routing module method ip6_mr_forward().") +Signed-off-by: Ido Schimmel +Reported-by: Amit Cohen +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/ip6mr.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/net/ipv6/ip6mr.c ++++ b/net/ipv6/ip6mr.c +@@ -2002,10 +2002,10 @@ int ip6mr_compat_ioctl(struct sock *sk, + + static inline int ip6mr_forward2_finish(struct net *net, struct sock *sk, struct sk_buff *skb) + { +- __IP6_INC_STATS(net, ip6_dst_idev(skb_dst(skb)), +- IPSTATS_MIB_OUTFORWDATAGRAMS); +- __IP6_ADD_STATS(net, ip6_dst_idev(skb_dst(skb)), +- IPSTATS_MIB_OUTOCTETS, skb->len); ++ IP6_INC_STATS(net, ip6_dst_idev(skb_dst(skb)), ++ IPSTATS_MIB_OUTFORWDATAGRAMS); ++ IP6_ADD_STATS(net, ip6_dst_idev(skb_dst(skb)), ++ IPSTATS_MIB_OUTOCTETS, skb->len); + return dst_output(net, sk, skb); + } + diff --git a/queue-4.14/ipv4-return-error-for-rta_via-attribute.patch b/queue-4.14/ipv4-return-error-for-rta_via-attribute.patch new file mode 100644 index 00000000000..c4f0b2ac9c1 --- /dev/null +++ b/queue-4.14/ipv4-return-error-for-rta_via-attribute.patch @@ -0,0 +1,44 @@ +From foo@baz Fri Mar 8 08:55:03 CET 2019 +From: David Ahern +Date: Tue, 26 Feb 2019 09:00:02 -0800 +Subject: ipv4: Return error for RTA_VIA attribute + +From: David Ahern + +[ Upstream commit b6e9e5df4ecf100f6a10ab2ade8e46d47a4b9779 ] + +IPv4 currently does not support nexthops outside of the AF_INET family. +Specifically, it does not handle RTA_VIA attribute. If it is passed +in a route add request, the actual route added only uses the device +which is clearly not what the user intended: + + $ ip ro add 172.16.1.0/24 via inet6 2001:db8:1::1 dev eth0 + $ ip ro ls + ... + 172.16.1.0/24 dev eth0 + +Catch this and fail the route add: + $ ip ro add 172.16.1.0/24 via inet6 2001:db8:1::1 dev eth0 + Error: IPv4 does not support RTA_VIA attribute. + +Fixes: 03c0566542f4c ("mpls: Netlink commands to add, remove, and dump routes") +Signed-off-by: David Ahern +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/fib_frontend.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/net/ipv4/fib_frontend.c ++++ b/net/ipv4/fib_frontend.c +@@ -675,6 +675,10 @@ static int rtm_to_fib_config(struct net + case RTA_GATEWAY: + cfg->fc_gw = nla_get_be32(attr); + break; ++ case RTA_VIA: ++ NL_SET_ERR_MSG(extack, "IPv4 does not support RTA_VIA attribute"); ++ err = -EINVAL; ++ goto errout; + case RTA_PRIORITY: + cfg->fc_priority = nla_get_u32(attr); + break; diff --git a/queue-4.14/ipv6-return-error-for-rta_via-attribute.patch b/queue-4.14/ipv6-return-error-for-rta_via-attribute.patch new file mode 100644 index 00000000000..e5ccffc7012 --- /dev/null +++ b/queue-4.14/ipv6-return-error-for-rta_via-attribute.patch @@ -0,0 +1,44 @@ +From foo@baz Fri Mar 8 08:55:03 CET 2019 +From: David Ahern +Date: Tue, 26 Feb 2019 09:00:03 -0800 +Subject: ipv6: Return error for RTA_VIA attribute + +From: David Ahern + +[ Upstream commit e3818541b49fb88650ba339d33cc53e4095da5b3 ] + +IPv6 currently does not support nexthops outside of the AF_INET6 family. +Specifically, it does not handle RTA_VIA attribute. If it is passed +in a route add request, the actual route added only uses the device +which is clearly not what the user intended: + + $ ip -6 ro add 2001:db8:2::/64 via inet 172.16.1.1 dev eth0 + $ ip ro ls + ... + 2001:db8:2::/64 dev eth0 metric 1024 pref medium + +Catch this and fail the route add: + $ ip -6 ro add 2001:db8:2::/64 via inet 172.16.1.1 dev eth0 + Error: IPv6 does not support RTA_VIA attribute. + +Fixes: 03c0566542f4c ("mpls: Netlink commands to add, remove, and dump routes") +Signed-off-by: David Ahern +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/route.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/net/ipv6/route.c ++++ b/net/ipv6/route.c +@@ -3024,6 +3024,10 @@ static int rtm_to_fib6_config(struct sk_ + cfg->fc_gateway = nla_get_in6_addr(tb[RTA_GATEWAY]); + cfg->fc_flags |= RTF_GATEWAY; + } ++ if (tb[RTA_VIA]) { ++ NL_SET_ERR_MSG(extack, "IPv6 does not support RTA_VIA attribute"); ++ goto errout; ++ } + + if (tb[RTA_DST]) { + int plen = (rtm->rtm_dst_len + 7) >> 3; diff --git a/queue-4.14/mpls-return-error-for-rta_gateway-attribute.patch b/queue-4.14/mpls-return-error-for-rta_gateway-attribute.patch new file mode 100644 index 00000000000..17a43e5f3bb --- /dev/null +++ b/queue-4.14/mpls-return-error-for-rta_gateway-attribute.patch @@ -0,0 +1,33 @@ +From foo@baz Fri Mar 8 08:55:03 CET 2019 +From: David Ahern +Date: Tue, 26 Feb 2019 09:00:04 -0800 +Subject: mpls: Return error for RTA_GATEWAY attribute + +From: David Ahern + +[ Upstream commit be48220edd48ca0d569782992840488a52373a24 ] + +MPLS does not support nexthops with an MPLS address family. +Specifically, it does not handle RTA_GATEWAY attribute. Make it +clear by returning an error. + +Fixes: 03c0566542f4c ("mpls: Netlink commands to add, remove, and dump routes") +Signed-off-by: David Ahern +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/mpls/af_mpls.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/net/mpls/af_mpls.c ++++ b/net/mpls/af_mpls.c +@@ -1787,6 +1787,9 @@ static int rtm_to_route_config(struct sk + goto errout; + break; + } ++ case RTA_GATEWAY: ++ NL_SET_ERR_MSG(extack, "MPLS does not support RTA_GATEWAY attribute"); ++ goto errout; + case RTA_VIA: + { + if (nla_get_via(nla, &cfg->rc_via_alen, diff --git a/queue-4.14/net-add-__icmp_send-helper.patch b/queue-4.14/net-add-__icmp_send-helper.patch new file mode 100644 index 00000000000..66b32825d0a --- /dev/null +++ b/queue-4.14/net-add-__icmp_send-helper.patch @@ -0,0 +1,75 @@ +From foo@baz Fri Mar 8 08:55:03 CET 2019 +From: Nazarov Sergey +Date: Mon, 25 Feb 2019 19:24:15 +0300 +Subject: net: Add __icmp_send helper. + +From: Nazarov Sergey + +[ Upstream commit 9ef6b42ad6fd7929dd1b6092cb02014e382c6a91 ] + +Add __icmp_send function having ip_options struct parameter + +Signed-off-by: Sergey Nazarov +Reviewed-by: Paul Moore +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/net/icmp.h | 9 ++++++++- + net/ipv4/icmp.c | 7 ++++--- + 2 files changed, 12 insertions(+), 4 deletions(-) + +--- a/include/net/icmp.h ++++ b/include/net/icmp.h +@@ -22,6 +22,7 @@ + + #include + #include ++#include + + struct icmp_err { + int errno; +@@ -39,7 +40,13 @@ struct net_proto_family; + struct sk_buff; + struct net; + +-void icmp_send(struct sk_buff *skb_in, int type, int code, __be32 info); ++void __icmp_send(struct sk_buff *skb_in, int type, int code, __be32 info, ++ const struct ip_options *opt); ++static inline void icmp_send(struct sk_buff *skb_in, int type, int code, __be32 info) ++{ ++ __icmp_send(skb_in, type, code, info, &IPCB(skb_in)->opt); ++} ++ + int icmp_rcv(struct sk_buff *skb); + void icmp_err(struct sk_buff *skb, u32 info); + int icmp_init(void); +--- a/net/ipv4/icmp.c ++++ b/net/ipv4/icmp.c +@@ -573,7 +573,8 @@ relookup_failed: + * MUST reply to only the first fragment. + */ + +-void icmp_send(struct sk_buff *skb_in, int type, int code, __be32 info) ++void __icmp_send(struct sk_buff *skb_in, int type, int code, __be32 info, ++ const struct ip_options *opt) + { + struct iphdr *iph; + int room; +@@ -694,7 +695,7 @@ void icmp_send(struct sk_buff *skb_in, i + iph->tos; + mark = IP4_REPLY_MARK(net, skb_in->mark); + +- if (ip_options_echo(net, &icmp_param.replyopts.opt.opt, skb_in)) ++ if (__ip_options_echo(net, &icmp_param.replyopts.opt.opt, skb_in, opt)) + goto out_unlock; + + +@@ -747,7 +748,7 @@ out_bh_enable: + local_bh_enable(); + out:; + } +-EXPORT_SYMBOL(icmp_send); ++EXPORT_SYMBOL(__icmp_send); + + + static void icmp_socket_deliver(struct sk_buff *skb, u32 info) diff --git a/queue-4.14/net-avoid-use-ipcb-in-cipso_v4_error.patch b/queue-4.14/net-avoid-use-ipcb-in-cipso_v4_error.patch new file mode 100644 index 00000000000..85f14b0bad1 --- /dev/null +++ b/queue-4.14/net-avoid-use-ipcb-in-cipso_v4_error.patch @@ -0,0 +1,103 @@ +From foo@baz Fri Mar 8 08:55:03 CET 2019 +From: Nazarov Sergey +Date: Mon, 25 Feb 2019 19:27:15 +0300 +Subject: net: avoid use IPCB in cipso_v4_error + +From: Nazarov Sergey + +[ Upstream commit 3da1ed7ac398f34fff1694017a07054d69c5f5c5 ] + +Extract IP options in cipso_v4_error and use __icmp_send. + +Signed-off-by: Sergey Nazarov +Acked-by: Paul Moore +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/net/ip.h | 2 ++ + net/ipv4/cipso_ipv4.c | 17 +++++++++++++++-- + net/ipv4/ip_options.c | 22 +++++++++++++++++----- + 3 files changed, 34 insertions(+), 7 deletions(-) + +--- a/include/net/ip.h ++++ b/include/net/ip.h +@@ -593,6 +593,8 @@ static inline int ip_options_echo(struct + } + + void ip_options_fragment(struct sk_buff *skb); ++int __ip_options_compile(struct net *net, struct ip_options *opt, ++ struct sk_buff *skb, __be32 *info); + int ip_options_compile(struct net *net, struct ip_options *opt, + struct sk_buff *skb); + int ip_options_get(struct net *net, struct ip_options_rcu **optp, +--- a/net/ipv4/cipso_ipv4.c ++++ b/net/ipv4/cipso_ipv4.c +@@ -1736,13 +1736,26 @@ validate_return: + */ + void cipso_v4_error(struct sk_buff *skb, int error, u32 gateway) + { ++ unsigned char optbuf[sizeof(struct ip_options) + 40]; ++ struct ip_options *opt = (struct ip_options *)optbuf; ++ + if (ip_hdr(skb)->protocol == IPPROTO_ICMP || error != -EACCES) + return; + ++ /* ++ * We might be called above the IP layer, ++ * so we can not use icmp_send and IPCB here. ++ */ ++ ++ memset(opt, 0, sizeof(struct ip_options)); ++ opt->optlen = ip_hdr(skb)->ihl*4 - sizeof(struct iphdr); ++ if (__ip_options_compile(dev_net(skb->dev), opt, skb, NULL)) ++ return; ++ + if (gateway) +- icmp_send(skb, ICMP_DEST_UNREACH, ICMP_NET_ANO, 0); ++ __icmp_send(skb, ICMP_DEST_UNREACH, ICMP_NET_ANO, 0, opt); + else +- icmp_send(skb, ICMP_DEST_UNREACH, ICMP_HOST_ANO, 0); ++ __icmp_send(skb, ICMP_DEST_UNREACH, ICMP_HOST_ANO, 0, opt); + } + + /** +--- a/net/ipv4/ip_options.c ++++ b/net/ipv4/ip_options.c +@@ -251,8 +251,9 @@ static void spec_dst_fill(__be32 *spec_d + * If opt == NULL, then skb->data should point to IP header. + */ + +-int ip_options_compile(struct net *net, +- struct ip_options *opt, struct sk_buff *skb) ++int __ip_options_compile(struct net *net, ++ struct ip_options *opt, struct sk_buff *skb, ++ __be32 *info) + { + __be32 spec_dst = htonl(INADDR_ANY); + unsigned char *pp_ptr = NULL; +@@ -468,11 +469,22 @@ eol: + return 0; + + error: +- if (skb) { +- icmp_send(skb, ICMP_PARAMETERPROB, 0, htonl((pp_ptr-iph)<<24)); +- } ++ if (info) ++ *info = htonl((pp_ptr-iph)<<24); + return -EINVAL; + } ++ ++int ip_options_compile(struct net *net, ++ struct ip_options *opt, struct sk_buff *skb) ++{ ++ int ret; ++ __be32 info; ++ ++ ret = __ip_options_compile(net, opt, skb, &info); ++ if (ret != 0 && skb) ++ icmp_send(skb, ICMP_PARAMETERPROB, 0, info); ++ return ret; ++} + EXPORT_SYMBOL(ip_options_compile); + + /* diff --git a/queue-4.14/net-dsa-mv88e6xxx-fix-statistics-on-mv88e6161.patch b/queue-4.14/net-dsa-mv88e6xxx-fix-statistics-on-mv88e6161.patch new file mode 100644 index 00000000000..22176856af1 --- /dev/null +++ b/queue-4.14/net-dsa-mv88e6xxx-fix-statistics-on-mv88e6161.patch @@ -0,0 +1,33 @@ +From foo@baz Fri Mar 8 08:55:03 CET 2019 +From: Andrew Lunn +Date: Fri, 1 Mar 2019 23:43:39 +0100 +Subject: net: dsa: mv88e6xxx: Fix statistics on mv88e6161 + +From: Andrew Lunn + +[ Upstream commit a6da21bb0eae459a375d5bd48baed821d14301d0 ] + +Despite what the datesheet says, the silicon implements the older way +of snapshoting the statistics. Change the op. + +Reported-by: Chris.Healy@zii.aero +Tested-by: Chris.Healy@zii.aero +Fixes: 0ac64c394900 ("net: dsa: mv88e6xxx: mv88e6161 uses mv88e6320 stats snapshot") +Signed-off-by: Andrew Lunn +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/dsa/mv88e6xxx/chip.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/dsa/mv88e6xxx/chip.c ++++ b/drivers/net/dsa/mv88e6xxx/chip.c +@@ -2569,7 +2569,7 @@ static const struct mv88e6xxx_ops mv88e6 + .port_pause_limit = mv88e6097_port_pause_limit, + .port_disable_learn_limit = mv88e6xxx_port_disable_learn_limit, + .port_disable_pri_override = mv88e6xxx_port_disable_pri_override, +- .stats_snapshot = mv88e6320_g1_stats_snapshot, ++ .stats_snapshot = mv88e6xxx_g1_stats_snapshot, + .stats_get_sset_count = mv88e6095_stats_get_sset_count, + .stats_get_strings = mv88e6095_stats_get_strings, + .stats_get_stats = mv88e6095_stats_get_stats, diff --git a/queue-4.14/net-dsa-mv88e6xxx-fix-u64-statistics.patch b/queue-4.14/net-dsa-mv88e6xxx-fix-u64-statistics.patch new file mode 100644 index 00000000000..e49d8db8f89 --- /dev/null +++ b/queue-4.14/net-dsa-mv88e6xxx-fix-u64-statistics.patch @@ -0,0 +1,33 @@ +From foo@baz Fri Mar 8 08:55:03 CET 2019 +From: Andrew Lunn +Date: Thu, 28 Feb 2019 18:14:03 +0100 +Subject: net: dsa: mv88e6xxx: Fix u64 statistics + +From: Andrew Lunn + +[ Upstream commit 6e46e2d821bb22b285ae8187959096b65d063b0d ] + +The switch maintains u64 counters for the number of octets sent and +received. These are kept as two u32's which need to be combined. Fix +the combing, which wrongly worked on u16's. + +Fixes: 80c4627b2719 ("dsa: mv88x6xxx: Refactor getting a single statistic") +Reported-by: Chris Healy +Signed-off-by: Andrew Lunn +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/dsa/mv88e6xxx/chip.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/dsa/mv88e6xxx/chip.c ++++ b/drivers/net/dsa/mv88e6xxx/chip.c +@@ -639,7 +639,7 @@ static uint64_t _mv88e6xxx_get_ethtool_s + default: + return UINT64_MAX; + } +- value = (((u64)high) << 16) | low; ++ value = (((u64)high) << 32) | low; + return value; + } + diff --git a/queue-4.14/net-dsa-mv88e6xxx-handle-unknown-duplex-modes-gracefully-in-mv88e6xxx_port_set_duplex.patch b/queue-4.14/net-dsa-mv88e6xxx-handle-unknown-duplex-modes-gracefully-in-mv88e6xxx_port_set_duplex.patch new file mode 100644 index 00000000000..e869f4e9f9d --- /dev/null +++ b/queue-4.14/net-dsa-mv88e6xxx-handle-unknown-duplex-modes-gracefully-in-mv88e6xxx_port_set_duplex.patch @@ -0,0 +1,35 @@ +From foo@baz Fri Mar 8 08:55:03 CET 2019 +From: Heiner Kallweit +Date: Fri, 1 Mar 2019 19:53:57 +0100 +Subject: net: dsa: mv88e6xxx: handle unknown duplex modes gracefully in mv88e6xxx_port_set_duplex + +From: Heiner Kallweit + +[ Upstream commit c6195a8bdfc62a7cecf7df685e64847a4b700275 ] + +When testing another issue I faced the problem that +mv88e6xxx_port_setup_mac() failed due to DUPLEX_UNKNOWN being passed +as argument to mv88e6xxx_port_set_duplex(). We should handle this case +gracefully and return -EOPNOTSUPP, like e.g. mv88e6xxx_port_set_speed() +is doing it. + +Fixes: 7f1ae07b51e8 ("net: dsa: mv88e6xxx: add port duplex setter") +Signed-off-by: Heiner Kallweit +Reviewed-by: Andrew Lunn +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/dsa/mv88e6xxx/port.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/dsa/mv88e6xxx/port.c ++++ b/drivers/net/dsa/mv88e6xxx/port.c +@@ -165,7 +165,7 @@ int mv88e6xxx_port_set_duplex(struct mv8 + /* normal duplex detection */ + break; + default: +- return -EINVAL; ++ return -EOPNOTSUPP; + } + + err = mv88e6xxx_port_write(chip, port, MV88E6XXX_PORT_MAC_CTL, reg); diff --git a/queue-4.14/net-netem-fix-skb-length-bug_on-in-__skb_to_sgvec.patch b/queue-4.14/net-netem-fix-skb-length-bug_on-in-__skb_to_sgvec.patch new file mode 100644 index 00000000000..1a396441022 --- /dev/null +++ b/queue-4.14/net-netem-fix-skb-length-bug_on-in-__skb_to_sgvec.patch @@ -0,0 +1,108 @@ +From foo@baz Fri Mar 8 08:55:03 CET 2019 +From: Sheng Lan +Date: Thu, 28 Feb 2019 18:47:58 +0800 +Subject: net: netem: fix skb length BUG_ON in __skb_to_sgvec + +From: Sheng Lan + +[ Upstream commit 5845f706388a4cde0f6b80f9e5d33527e942b7d9 ] + +It can be reproduced by following steps: +1. virtio_net NIC is configured with gso/tso on +2. configure nginx as http server with an index file bigger than 1M bytes +3. use tc netem to produce duplicate packets and delay: + tc qdisc add dev eth0 root netem delay 100ms 10ms 30% duplicate 90% +4. continually curl the nginx http server to get index file on client +5. BUG_ON is seen quickly + +[10258690.371129] kernel BUG at net/core/skbuff.c:4028! +[10258690.371748] invalid opcode: 0000 [#1] SMP PTI +[10258690.372094] CPU: 5 PID: 0 Comm: swapper/5 Tainted: G W 5.0.0-rc6 #2 +[10258690.372094] RSP: 0018:ffffa05797b43da0 EFLAGS: 00010202 +[10258690.372094] RBP: 00000000000005ea R08: 0000000000000000 R09: 00000000000005ea +[10258690.372094] R10: ffffa0579334d800 R11: 00000000000002c0 R12: 0000000000000002 +[10258690.372094] R13: 0000000000000000 R14: ffffa05793122900 R15: ffffa0578f7cb028 +[10258690.372094] FS: 0000000000000000(0000) GS:ffffa05797b40000(0000) knlGS:0000000000000000 +[10258690.372094] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[10258690.372094] CR2: 00007f1a6dc00868 CR3: 000000001000e000 CR4: 00000000000006e0 +[10258690.372094] Call Trace: +[10258690.372094] +[10258690.372094] skb_to_sgvec+0x11/0x40 +[10258690.372094] start_xmit+0x38c/0x520 [virtio_net] +[10258690.372094] dev_hard_start_xmit+0x9b/0x200 +[10258690.372094] sch_direct_xmit+0xff/0x260 +[10258690.372094] __qdisc_run+0x15e/0x4e0 +[10258690.372094] net_tx_action+0x137/0x210 +[10258690.372094] __do_softirq+0xd6/0x2a9 +[10258690.372094] irq_exit+0xde/0xf0 +[10258690.372094] smp_apic_timer_interrupt+0x74/0x140 +[10258690.372094] apic_timer_interrupt+0xf/0x20 +[10258690.372094] + +In __skb_to_sgvec(), the skb->len is not equal to the sum of the skb's +linear data size and nonlinear data size, thus BUG_ON triggered. +Because the skb is cloned and a part of nonlinear data is split off. + +Duplicate packet is cloned in netem_enqueue() and may be delayed +some time in qdisc. When qdisc len reached the limit and returns +NET_XMIT_DROP, the skb will be retransmit later in write queue. +the skb will be fragmented by tso_fragment(), the limit size +that depends on cwnd and mss decrease, the skb's nonlinear +data will be split off. The length of the skb cloned by netem +will not be updated. When we use virtio_net NIC and invoke skb_to_sgvec(), +the BUG_ON trigger. + +To fix it, netem returns NET_XMIT_SUCCESS to upper stack +when it clones a duplicate packet. + +Fixes: 35d889d1 ("sch_netem: fix skb leak in netem_enqueue()") +Signed-off-by: Sheng Lan +Reported-by: Qin Ji +Suggested-by: Eric Dumazet +Signed-off-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/sched/sch_netem.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +--- a/net/sched/sch_netem.c ++++ b/net/sched/sch_netem.c +@@ -435,6 +435,7 @@ static int netem_enqueue(struct sk_buff + int nb = 0; + int count = 1; + int rc = NET_XMIT_SUCCESS; ++ int rc_drop = NET_XMIT_DROP; + + /* Do not fool qdisc_drop_all() */ + skb->prev = NULL; +@@ -474,6 +475,7 @@ static int netem_enqueue(struct sk_buff + q->duplicate = 0; + rootq->enqueue(skb2, rootq, to_free); + q->duplicate = dupsave; ++ rc_drop = NET_XMIT_SUCCESS; + } + + /* +@@ -486,7 +488,7 @@ static int netem_enqueue(struct sk_buff + if (skb_is_gso(skb)) { + segs = netem_segment(skb, sch, to_free); + if (!segs) +- return NET_XMIT_DROP; ++ return rc_drop; + } else { + segs = skb; + } +@@ -509,8 +511,10 @@ static int netem_enqueue(struct sk_buff + 1<<(prandom_u32() % 8); + } + +- if (unlikely(sch->q.qlen >= sch->limit)) +- return qdisc_drop_all(skb, sch, to_free); ++ if (unlikely(sch->q.qlen >= sch->limit)) { ++ qdisc_drop_all(skb, sch, to_free); ++ return rc_drop; ++ } + + qdisc_qstats_backlog_inc(sch, skb); + diff --git a/queue-4.14/net-nfc-fix-null-dereference-on-nfc_llcp_build_tlv-fails.patch b/queue-4.14/net-nfc-fix-null-dereference-on-nfc_llcp_build_tlv-fails.patch new file mode 100644 index 00000000000..2761b16579d --- /dev/null +++ b/queue-4.14/net-nfc-fix-null-dereference-on-nfc_llcp_build_tlv-fails.patch @@ -0,0 +1,156 @@ +From foo@baz Fri Mar 8 08:55:03 CET 2019 +From: YueHaibing +Date: Fri, 22 Feb 2019 15:37:58 +0800 +Subject: net: nfc: Fix NULL dereference on nfc_llcp_build_tlv fails + +From: YueHaibing + +[ Upstream commit 58bdd544e2933a21a51eecf17c3f5f94038261b5 ] + +KASAN report this: + +BUG: KASAN: null-ptr-deref in nfc_llcp_build_gb+0x37f/0x540 [nfc] +Read of size 3 at addr 0000000000000000 by task syz-executor.0/5401 + +CPU: 0 PID: 5401 Comm: syz-executor.0 Not tainted 5.0.0-rc7+ #45 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014 +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0xfa/0x1ce lib/dump_stack.c:113 + kasan_report+0x171/0x18d mm/kasan/report.c:321 + memcpy+0x1f/0x50 mm/kasan/common.c:130 + nfc_llcp_build_gb+0x37f/0x540 [nfc] + nfc_llcp_register_device+0x6eb/0xb50 [nfc] + nfc_register_device+0x50/0x1d0 [nfc] + nfcsim_device_new+0x394/0x67d [nfcsim] + ? 0xffffffffc1080000 + nfcsim_init+0x6b/0x1000 [nfcsim] + do_one_initcall+0xfa/0x5ca init/main.c:887 + do_init_module+0x204/0x5f6 kernel/module.c:3460 + load_module+0x66b2/0x8570 kernel/module.c:3808 + __do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902 + do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290 + entry_SYSCALL_64_after_hwframe+0x49/0xbe +RIP: 0033:0x462e99 +Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007f9cb79dcc58 EFLAGS: 00000246 ORIG_RAX: 0000000000000139 +RAX: ffffffffffffffda RBX: 000000000073bf00 RCX: 0000000000462e99 +RDX: 0000000000000000 RSI: 0000000020000280 RDI: 0000000000000003 +RBP: 00007f9cb79dcc70 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 00007f9cb79dd6bc +R13: 00000000004bcefb R14: 00000000006f7030 R15: 0000000000000004 + +nfc_llcp_build_tlv will return NULL on fails, caller should check it, +otherwise will trigger a NULL dereference. + +Reported-by: Hulk Robot +Fixes: eda21f16a5ed ("NFC: Set MIU and RW values from CONNECT and CC LLCP frames") +Fixes: d646960f7986 ("NFC: Initial LLCP support") +Signed-off-by: YueHaibing +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/nfc/llcp_commands.c | 20 ++++++++++++++++++++ + net/nfc/llcp_core.c | 24 ++++++++++++++++++++---- + 2 files changed, 40 insertions(+), 4 deletions(-) + +--- a/net/nfc/llcp_commands.c ++++ b/net/nfc/llcp_commands.c +@@ -419,6 +419,10 @@ int nfc_llcp_send_connect(struct nfc_llc + sock->service_name, + sock->service_name_len, + &service_name_tlv_length); ++ if (!service_name_tlv) { ++ err = -ENOMEM; ++ goto error_tlv; ++ } + size += service_name_tlv_length; + } + +@@ -429,9 +433,17 @@ int nfc_llcp_send_connect(struct nfc_llc + + miux_tlv = nfc_llcp_build_tlv(LLCP_TLV_MIUX, (u8 *)&miux, 0, + &miux_tlv_length); ++ if (!miux_tlv) { ++ err = -ENOMEM; ++ goto error_tlv; ++ } + size += miux_tlv_length; + + rw_tlv = nfc_llcp_build_tlv(LLCP_TLV_RW, &rw, 0, &rw_tlv_length); ++ if (!rw_tlv) { ++ err = -ENOMEM; ++ goto error_tlv; ++ } + size += rw_tlv_length; + + pr_debug("SKB size %d SN length %zu\n", size, sock->service_name_len); +@@ -484,9 +496,17 @@ int nfc_llcp_send_cc(struct nfc_llcp_soc + + miux_tlv = nfc_llcp_build_tlv(LLCP_TLV_MIUX, (u8 *)&miux, 0, + &miux_tlv_length); ++ if (!miux_tlv) { ++ err = -ENOMEM; ++ goto error_tlv; ++ } + size += miux_tlv_length; + + rw_tlv = nfc_llcp_build_tlv(LLCP_TLV_RW, &rw, 0, &rw_tlv_length); ++ if (!rw_tlv) { ++ err = -ENOMEM; ++ goto error_tlv; ++ } + size += rw_tlv_length; + + skb = llcp_allocate_pdu(sock, LLCP_PDU_CC, size); +--- a/net/nfc/llcp_core.c ++++ b/net/nfc/llcp_core.c +@@ -532,10 +532,10 @@ static u8 nfc_llcp_reserve_sdp_ssap(stru + + static int nfc_llcp_build_gb(struct nfc_llcp_local *local) + { +- u8 *gb_cur, *version_tlv, version, version_length; +- u8 *lto_tlv, lto_length; +- u8 *wks_tlv, wks_length; +- u8 *miux_tlv, miux_length; ++ u8 *gb_cur, version, version_length; ++ u8 lto_length, wks_length, miux_length; ++ u8 *version_tlv = NULL, *lto_tlv = NULL, ++ *wks_tlv = NULL, *miux_tlv = NULL; + __be16 wks = cpu_to_be16(local->local_wks); + u8 gb_len = 0; + int ret = 0; +@@ -543,17 +543,33 @@ static int nfc_llcp_build_gb(struct nfc_ + version = LLCP_VERSION_11; + version_tlv = nfc_llcp_build_tlv(LLCP_TLV_VERSION, &version, + 1, &version_length); ++ if (!version_tlv) { ++ ret = -ENOMEM; ++ goto out; ++ } + gb_len += version_length; + + lto_tlv = nfc_llcp_build_tlv(LLCP_TLV_LTO, &local->lto, 1, <o_length); ++ if (!lto_tlv) { ++ ret = -ENOMEM; ++ goto out; ++ } + gb_len += lto_length; + + pr_debug("Local wks 0x%lx\n", local->local_wks); + wks_tlv = nfc_llcp_build_tlv(LLCP_TLV_WKS, (u8 *)&wks, 2, &wks_length); ++ if (!wks_tlv) { ++ ret = -ENOMEM; ++ goto out; ++ } + gb_len += wks_length; + + miux_tlv = nfc_llcp_build_tlv(LLCP_TLV_MIUX, (u8 *)&local->miux, 0, + &miux_length); ++ if (!miux_tlv) { ++ ret = -ENOMEM; ++ goto out; ++ } + gb_len += miux_length; + + gb_len += ARRAY_SIZE(llcp_magic); diff --git a/queue-4.14/net-phy-micrel-ksz8061-link-failure-after-cable-connect.patch b/queue-4.14/net-phy-micrel-ksz8061-link-failure-after-cable-connect.patch new file mode 100644 index 00000000000..3a9a209e401 --- /dev/null +++ b/queue-4.14/net-phy-micrel-ksz8061-link-failure-after-cable-connect.patch @@ -0,0 +1,101 @@ +From foo@baz Fri Mar 8 08:55:03 CET 2019 +From: Rajasingh Thavamani +Date: Wed, 27 Feb 2019 17:43:19 +0530 +Subject: net: phy: Micrel KSZ8061: link failure after cable connect + +From: Rajasingh Thavamani + +[ Upstream commit 232ba3a51cc224b339c7114888ed7f0d4d95695e ] + +With Micrel KSZ8061 PHY, the link may occasionally not come up after +Ethernet cable connect. The vendor's (Microchip, former Micrel) errata +sheet 80000688A.pdf descripes the problem and possible workarounds in +detail, see below. +The batch implements workaround 1, which permanently fixes the issue. + +DESCRIPTION +Link-up may not occur properly when the Ethernet cable is initially +connected. This issue occurs more commonly when the cable is connected +slowly, but it may occur any time a cable is connected. This issue occurs +in the auto-negotiation circuit, and will not occur if auto-negotiation +is disabled (which requires that the two link partners be set to the +same speed and duplex). + +END USER IMPLICATIONS +When this issue occurs, link is not established. Subsequent cable +plug/unplaug cycle will not correct the issue. + +WORk AROUND +There are four approaches to work around this issue: +1. This issue can be prevented by setting bit 15 in MMD device address 1, + register 2, prior to connecting the cable or prior to setting the + Restart Auto-negotiation bit in register 0h. The MMD registers are + accessed via the indirect access registers Dh and Eh, or via the Micrel + EthUtil utility as shown here: + . if using the EthUtil utility (usually with a Micrel KSZ8061 + Evaluation Board), type the following commands: + > address 1 + > mmd 1 + > iw 2 b61a + . Alternatively, write the following registers to write to the + indirect MMD register: + Write register Dh, data 0001h + Write register Eh, data 0002h + Write register Dh, data 4001h + Write register Eh, data B61Ah +2. The issue can be avoided by disabling auto-negotiation in the KSZ8061, + either by the strapping option, or by clearing bit 12 in register 0h. + Care must be taken to ensure that the KSZ8061 and the link partner + will link with the same speed and duplex. Note that the KSZ8061 + defaults to full-duplex when auto-negotiation is off, but other + devices may default to half-duplex in the event of failed + auto-negotiation. +3. The issue can be avoided by connecting the cable prior to powering-up + or resetting the KSZ8061, and leaving it plugged in thereafter. +4. If the above measures are not taken and the problem occurs, link can + be recovered by setting the Restart Auto-Negotiation bit in + register 0h, or by resetting or power cycling the device. Reset may + be either hardware reset or software reset (register 0h, bit 15). + +PLAN +This errata will not be corrected in the future revision. + +Fixes: 7ab59dc15e2f ("drivers/net/phy/micrel_phy: Add support for new PHYs") +Signed-off-by: Alexander Onnasch +Signed-off-by: Rajasingh Thavamani +Reviewed-by: Andrew Lunn +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/phy/micrel.c | 13 ++++++++++++- + 1 file changed, 12 insertions(+), 1 deletion(-) + +--- a/drivers/net/phy/micrel.c ++++ b/drivers/net/phy/micrel.c +@@ -339,6 +339,17 @@ static int ksz8041_config_aneg(struct ph + return genphy_config_aneg(phydev); + } + ++static int ksz8061_config_init(struct phy_device *phydev) ++{ ++ int ret; ++ ++ ret = phy_write_mmd(phydev, MDIO_MMD_PMAPMD, MDIO_DEVID1, 0xB61A); ++ if (ret) ++ return ret; ++ ++ return kszphy_config_init(phydev); ++} ++ + static int ksz9021_load_values_from_of(struct phy_device *phydev, + const struct device_node *of_node, + u16 reg, +@@ -799,7 +810,7 @@ static struct phy_driver ksphy_driver[] + .features = PHY_BASIC_FEATURES, + .flags = PHY_HAS_INTERRUPT, + .driver_data = &ks8737_type, +- .config_init = kszphy_config_init, ++ .config_init = ksz8061_config_init, + .config_aneg = genphy_config_aneg, + .read_status = genphy_read_status, + .ack_interrupt = kszphy_ack_interrupt, diff --git a/queue-4.14/net-phy-phylink-fix-uninitialized-variable-in-phylink_get_mac_state.patch b/queue-4.14/net-phy-phylink-fix-uninitialized-variable-in-phylink_get_mac_state.patch new file mode 100644 index 00000000000..c51fe3c27ab --- /dev/null +++ b/queue-4.14/net-phy-phylink-fix-uninitialized-variable-in-phylink_get_mac_state.patch @@ -0,0 +1,41 @@ +From foo@baz Fri Mar 8 08:55:03 CET 2019 +From: Heiner Kallweit +Date: Tue, 26 Feb 2019 19:29:22 +0100 +Subject: net: phy: phylink: fix uninitialized variable in phylink_get_mac_state + +From: Heiner Kallweit + +[ Upstream commit d25ed413d5e51644e18f66e34eec049f17a7abcb ] + +When debugging an issue I found implausible values in state->pause. +Reason in that state->pause isn't initialized and later only single +bits are changed. Also the struct itself isn't initialized in +phylink_resolve(). So better initialize state->pause and other +not yet initialized fields. + +v2: +- use right function name in subject +v3: +- initialize additional fields + +Fixes: 9525ae83959b ("phylink: add phylink infrastructure") +Signed-off-by: Heiner Kallweit +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/phy/phylink.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/net/phy/phylink.c ++++ b/drivers/net/phy/phylink.c +@@ -333,6 +333,10 @@ static int phylink_get_mac_state(struct + linkmode_zero(state->lp_advertising); + state->interface = pl->link_config.interface; + state->an_enabled = pl->link_config.an_enabled; ++ state->speed = SPEED_UNKNOWN; ++ state->duplex = DUPLEX_UNKNOWN; ++ state->pause = MLO_PAUSE_NONE; ++ state->an_complete = 0; + state->link = 1; + + return pl->ops->mac_link_state(ndev, state); diff --git a/queue-4.14/net-sit-fix-memory-leak-in-sit_init_net.patch b/queue-4.14/net-sit-fix-memory-leak-in-sit_init_net.patch new file mode 100644 index 00000000000..b41e5a008ba --- /dev/null +++ b/queue-4.14/net-sit-fix-memory-leak-in-sit_init_net.patch @@ -0,0 +1,53 @@ +From foo@baz Fri Mar 8 08:55:03 CET 2019 +From: Mao Wenan +Date: Fri, 1 Mar 2019 23:06:40 +0800 +Subject: net: sit: fix memory leak in sit_init_net() + +From: Mao Wenan + +[ Upstream commit 07f12b26e21ab359261bf75cfcb424fdc7daeb6d ] + +If register_netdev() is failed to register sitn->fb_tunnel_dev, +it will go to err_reg_dev and forget to free netdev(sitn->fb_tunnel_dev). + +BUG: memory leak +unreferenced object 0xffff888378daad00 (size 512): + comm "syz-executor.1", pid 4006, jiffies 4295121142 (age 16.115s) + hex dump (first 32 bytes): + 00 e6 ed c0 83 88 ff ff 00 00 00 00 00 00 00 00 ................ + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ +backtrace: + [<00000000d6dcb63e>] kvmalloc include/linux/mm.h:577 [inline] + [<00000000d6dcb63e>] kvzalloc include/linux/mm.h:585 [inline] + [<00000000d6dcb63e>] netif_alloc_netdev_queues net/core/dev.c:8380 [inline] + [<00000000d6dcb63e>] alloc_netdev_mqs+0x600/0xcc0 net/core/dev.c:8970 + [<00000000867e172f>] sit_init_net+0x295/0xa40 net/ipv6/sit.c:1848 + [<00000000871019fa>] ops_init+0xad/0x3e0 net/core/net_namespace.c:129 + [<00000000319507f6>] setup_net+0x2ba/0x690 net/core/net_namespace.c:314 + [<0000000087db4f96>] copy_net_ns+0x1dc/0x330 net/core/net_namespace.c:437 + [<0000000057efc651>] create_new_namespaces+0x382/0x730 kernel/nsproxy.c:107 + [<00000000676f83de>] copy_namespaces+0x2ed/0x3d0 kernel/nsproxy.c:165 + [<0000000030b74bac>] copy_process.part.27+0x231e/0x6db0 kernel/fork.c:1919 + [<00000000fff78746>] copy_process kernel/fork.c:1713 [inline] + [<00000000fff78746>] _do_fork+0x1bc/0xe90 kernel/fork.c:2224 + [<000000001c2e0d1c>] do_syscall_64+0xc8/0x580 arch/x86/entry/common.c:290 + [<00000000ec48bd44>] entry_SYSCALL_64_after_hwframe+0x49/0xbe + [<0000000039acff8a>] 0xffffffffffffffff + +Signed-off-by: Mao Wenan +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/sit.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/ipv6/sit.c ++++ b/net/ipv6/sit.c +@@ -1856,6 +1856,7 @@ static int __net_init sit_init_net(struc + + err_reg_dev: + ipip6_dev_free(sitn->fb_tunnel_dev); ++ free_netdev(sitn->fb_tunnel_dev); + err_alloc_dev: + return err; + } diff --git a/queue-4.14/net-socket-set-sock-sk-to-null-after-calling-proto_ops-release.patch b/queue-4.14/net-socket-set-sock-sk-to-null-after-calling-proto_ops-release.patch new file mode 100644 index 00000000000..e62927c2584 --- /dev/null +++ b/queue-4.14/net-socket-set-sock-sk-to-null-after-calling-proto_ops-release.patch @@ -0,0 +1,85 @@ +From foo@baz Fri Mar 8 08:55:03 CET 2019 +From: Eric Biggers +Date: Thu, 21 Feb 2019 14:13:56 -0800 +Subject: net: socket: set sock->sk to NULL after calling proto_ops::release() + +From: Eric Biggers + +[ Upstream commit ff7b11aa481f682e0e9711abfeb7d03f5cd612bf ] + +Commit 9060cb719e61 ("net: crypto set sk to NULL when af_alg_release.") +fixed a use-after-free in sockfs_setattr() when an AF_ALG socket is +closed concurrently with fchownat(). However, it ignored that many +other proto_ops::release() methods don't set sock->sk to NULL and +therefore allow the same use-after-free: + + - base_sock_release + - bnep_sock_release + - cmtp_sock_release + - data_sock_release + - dn_release + - hci_sock_release + - hidp_sock_release + - iucv_sock_release + - l2cap_sock_release + - llcp_sock_release + - llc_ui_release + - rawsock_release + - rfcomm_sock_release + - sco_sock_release + - svc_release + - vcc_release + - x25_release + +Rather than fixing all these and relying on every socket type to get +this right forever, just make __sock_release() set sock->sk to NULL +itself after calling proto_ops::release(). + +Reproducer that produces the KASAN splat when any of these socket types +are configured into the kernel: + + #include + #include + #include + #include + + pthread_t t; + volatile int fd; + + void *close_thread(void *arg) + { + for (;;) { + usleep(rand() % 100); + close(fd); + } + } + + int main() + { + pthread_create(&t, NULL, close_thread, NULL); + for (;;) { + fd = socket(rand() % 50, rand() % 11, 0); + fchownat(fd, "", 1000, 1000, 0x1000); + close(fd); + } + } + +Fixes: 86741ec25462 ("net: core: Add a UID field to struct sock.") +Signed-off-by: Eric Biggers +Acked-by: Cong Wang +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/socket.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/socket.c ++++ b/net/socket.c +@@ -600,6 +600,7 @@ static void __sock_release(struct socket + if (inode) + inode_lock(inode); + sock->ops->release(sock); ++ sock->sk = NULL; + if (inode) + inode_unlock(inode); + sock->ops = NULL; diff --git a/queue-4.14/net-sysfs-fix-mem-leak-in-netdev_register_kobject.patch b/queue-4.14/net-sysfs-fix-mem-leak-in-netdev_register_kobject.patch new file mode 100644 index 00000000000..0d518708169 --- /dev/null +++ b/queue-4.14/net-sysfs-fix-mem-leak-in-netdev_register_kobject.patch @@ -0,0 +1,55 @@ +From foo@baz Fri Mar 8 08:55:03 CET 2019 +From: YueHaibing +Date: Sat, 2 Mar 2019 10:34:55 +0800 +Subject: net-sysfs: Fix mem leak in netdev_register_kobject + +From: YueHaibing + +[ Upstream commit 895a5e96dbd6386c8e78e5b78e067dcc67b7f0ab ] + +syzkaller report this: +BUG: memory leak +unreferenced object 0xffff88837a71a500 (size 256): + comm "syz-executor.2", pid 9770, jiffies 4297825125 (age 17.843s) + hex dump (first 32 bytes): + 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N.......... + ff ff ff ff ff ff ff ff 20 c0 ef 86 ff ff ff ff ........ ....... + backtrace: + [<00000000db12624b>] netdev_register_kobject+0x124/0x2e0 net/core/net-sysfs.c:1751 + [<00000000dc49a994>] register_netdevice+0xcc1/0x1270 net/core/dev.c:8516 + [<00000000e5f3fea0>] tun_set_iff drivers/net/tun.c:2649 [inline] + [<00000000e5f3fea0>] __tun_chr_ioctl+0x2218/0x3d20 drivers/net/tun.c:2883 + [<000000001b8ac127>] vfs_ioctl fs/ioctl.c:46 [inline] + [<000000001b8ac127>] do_vfs_ioctl+0x1a5/0x10e0 fs/ioctl.c:690 + [<0000000079b269f8>] ksys_ioctl+0x89/0xa0 fs/ioctl.c:705 + [<00000000de649beb>] __do_sys_ioctl fs/ioctl.c:712 [inline] + [<00000000de649beb>] __se_sys_ioctl fs/ioctl.c:710 [inline] + [<00000000de649beb>] __x64_sys_ioctl+0x74/0xb0 fs/ioctl.c:710 + [<000000007ebded1e>] do_syscall_64+0xc8/0x580 arch/x86/entry/common.c:290 + [<00000000db315d36>] entry_SYSCALL_64_after_hwframe+0x49/0xbe + [<00000000115be9bb>] 0xffffffffffffffff + +It should call kset_unregister to free 'dev->queues_kset' +in error path of register_queue_kobjects, otherwise will cause a mem leak. + +Reported-by: Hulk Robot +Fixes: 1d24eb4815d1 ("xps: Transmit Packet Steering") +Signed-off-by: YueHaibing +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/core/net-sysfs.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/net/core/net-sysfs.c ++++ b/net/core/net-sysfs.c +@@ -1402,6 +1402,9 @@ static int register_queue_kobjects(struc + error: + netdev_queue_update_kobjects(dev, txq, 0); + net_rx_queue_update_kobjects(dev, rxq, 0); ++#ifdef CONFIG_SYSFS ++ kset_unregister(dev->queues_kset); ++#endif + return error; + } + diff --git a/queue-4.14/netlabel-fix-out-of-bounds-memory-accesses.patch b/queue-4.14/netlabel-fix-out-of-bounds-memory-accesses.patch new file mode 100644 index 00000000000..aaa75fbf6f8 --- /dev/null +++ b/queue-4.14/netlabel-fix-out-of-bounds-memory-accesses.patch @@ -0,0 +1,53 @@ +From foo@baz Fri Mar 8 08:55:03 CET 2019 +From: Paul Moore +Date: Mon, 25 Feb 2019 19:06:06 -0500 +Subject: netlabel: fix out-of-bounds memory accesses + +From: Paul Moore + +[ Upstream commit 5578de4834fe0f2a34fedc7374be691443396d1f ] + +There are two array out-of-bounds memory accesses, one in +cipso_v4_map_lvl_valid(), the other in netlbl_bitmap_walk(). Both +errors are embarassingly simple, and the fixes are straightforward. + +As a FYI for anyone backporting this patch to kernels prior to v4.8, +you'll want to apply the netlbl_bitmap_walk() patch to +cipso_v4_bitmap_walk() as netlbl_bitmap_walk() doesn't exist before +Linux v4.8. + +Reported-by: Jann Horn +Fixes: 446fda4f2682 ("[NetLabel]: CIPSOv4 engine") +Fixes: 3faa8f982f95 ("netlabel: Move bitmap manipulation functions to the NetLabel core.") +Signed-off-by: Paul Moore +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/cipso_ipv4.c | 3 ++- + net/netlabel/netlabel_kapi.c | 3 ++- + 2 files changed, 4 insertions(+), 2 deletions(-) + +--- a/net/ipv4/cipso_ipv4.c ++++ b/net/ipv4/cipso_ipv4.c +@@ -667,7 +667,8 @@ static int cipso_v4_map_lvl_valid(const + case CIPSO_V4_MAP_PASS: + return 0; + case CIPSO_V4_MAP_TRANS: +- if (doi_def->map.std->lvl.cipso[level] < CIPSO_V4_INV_LVL) ++ if ((level < doi_def->map.std->lvl.cipso_size) && ++ (doi_def->map.std->lvl.cipso[level] < CIPSO_V4_INV_LVL)) + return 0; + break; + } +--- a/net/netlabel/netlabel_kapi.c ++++ b/net/netlabel/netlabel_kapi.c +@@ -903,7 +903,8 @@ int netlbl_bitmap_walk(const unsigned ch + (state == 0 && (byte & bitmask) == 0)) + return bit_spot; + +- bit_spot++; ++ if (++bit_spot >= bitmap_len) ++ return -1; + bitmask >>= 1; + if (bitmask == 0) { + byte = bitmap[++byte_offset]; diff --git a/queue-4.14/series b/queue-4.14/series index a75229fe3b1..8d59bd04130 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -5,3 +5,30 @@ usb-serial-ftdi_sio-add-id-for-hjelmslund-electronics-usb485.patch staging-comedi-ni_660x-fix-missing-break-in-switch-statement.patch staging-wilc1000-fix-to-set-correct-value-for-vif_num.patch staging-android-ion-fix-sys-heap-pool-s-gfp_flags.patch +ip6mr-do-not-call-__ip6_inc_stats-from-preemptible-context.patch +net-dsa-mv88e6xxx-handle-unknown-duplex-modes-gracefully-in-mv88e6xxx_port_set_duplex.patch +net-sysfs-fix-mem-leak-in-netdev_register_kobject.patch +sky2-disable-msi-on-dell-inspiron-1545-and-gateway-p-79.patch +team-free-bpf-filter-when-unregistering-netdev.patch +tipc-fix-rdm-dgram-connect-regression.patch +bnxt_en-drop-oversize-tx-packets-to-prevent-errors.patch +geneve-correctly-handle-ipv6.disable-module-parameter.patch +hv_netvsc-fix-ip-header-checksum-for-coalesced-packets.patch +net-dsa-mv88e6xxx-fix-u64-statistics.patch +netlabel-fix-out-of-bounds-memory-accesses.patch +net-netem-fix-skb-length-bug_on-in-__skb_to_sgvec.patch +net-nfc-fix-null-dereference-on-nfc_llcp_build_tlv-fails.patch +net-phy-phylink-fix-uninitialized-variable-in-phylink_get_mac_state.patch +net-sit-fix-memory-leak-in-sit_init_net.patch +net-socket-set-sock-sk-to-null-after-calling-proto_ops-release.patch +xen-netback-don-t-populate-the-hash-cache-on-xenbus-disconnect.patch +xen-netback-fix-occasional-leak-of-grant-ref-mappings-under-memory-pressure.patch +net-add-__icmp_send-helper.patch +net-avoid-use-ipcb-in-cipso_v4_error.patch +ipv4-return-error-for-rta_via-attribute.patch +ipv6-return-error-for-rta_via-attribute.patch +mpls-return-error-for-rta_gateway-attribute.patch +tun-fix-blocking-read.patch +tun-remove-unnecessary-memory-barrier.patch +net-phy-micrel-ksz8061-link-failure-after-cable-connect.patch +net-dsa-mv88e6xxx-fix-statistics-on-mv88e6161.patch diff --git a/queue-4.14/sky2-disable-msi-on-dell-inspiron-1545-and-gateway-p-79.patch b/queue-4.14/sky2-disable-msi-on-dell-inspiron-1545-and-gateway-p-79.patch new file mode 100644 index 00000000000..40fa4918e72 --- /dev/null +++ b/queue-4.14/sky2-disable-msi-on-dell-inspiron-1545-and-gateway-p-79.patch @@ -0,0 +1,82 @@ +From foo@baz Fri Mar 8 08:55:03 CET 2019 +From: Kai-Heng Feng +Date: Mon, 4 Mar 2019 15:00:03 +0800 +Subject: sky2: Disable MSI on Dell Inspiron 1545 and Gateway P-79 + +From: Kai-Heng Feng + +[ Upstream commit b33b7cd6fd86478dd2890a9abeb6f036aa01fdf7 ] + +Some sky2 chips fire IRQ after S3, before the driver is fully resumed: +[ 686.804877] do_IRQ: 1.37 No irq handler for vector + +This is likely a platform bug that device isn't fully quiesced during +S3. Use MSI-X, maskable MSI or INTx can prevent this issue from +happening. + +Since MSI-X and maskable MSI are not supported by this device, fallback +to use INTx on affected platforms. + +BugLink: https://bugs.launchpad.net/bugs/1807259 +BugLink: https://bugs.launchpad.net/bugs/1809843 +Signed-off-by: Kai-Heng Feng +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/marvell/sky2.c | 24 +++++++++++++++++++++++- + 1 file changed, 23 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/marvell/sky2.c ++++ b/drivers/net/ethernet/marvell/sky2.c +@@ -46,6 +46,7 @@ + #include + #include + #include ++#include + + #include + +@@ -93,7 +94,7 @@ static int copybreak __read_mostly = 128 + module_param(copybreak, int, 0); + MODULE_PARM_DESC(copybreak, "Receive copy threshold"); + +-static int disable_msi = 0; ++static int disable_msi = -1; + module_param(disable_msi, int, 0); + MODULE_PARM_DESC(disable_msi, "Disable Message Signaled Interrupt (MSI)"); + +@@ -4931,6 +4932,24 @@ static const char *sky2_name(u8 chipid, + return buf; + } + ++static const struct dmi_system_id msi_blacklist[] = { ++ { ++ .ident = "Dell Inspiron 1545", ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."), ++ DMI_MATCH(DMI_PRODUCT_NAME, "Inspiron 1545"), ++ }, ++ }, ++ { ++ .ident = "Gateway P-79", ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "Gateway"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "P-79"), ++ }, ++ }, ++ {} ++}; ++ + static int sky2_probe(struct pci_dev *pdev, const struct pci_device_id *ent) + { + struct net_device *dev, *dev1; +@@ -5042,6 +5061,9 @@ static int sky2_probe(struct pci_dev *pd + goto err_out_free_pci; + } + ++ if (disable_msi == -1) ++ disable_msi = !!dmi_check_system(msi_blacklist); ++ + if (!disable_msi && pci_enable_msi(pdev) == 0) { + err = sky2_test_msi(hw); + if (err) { diff --git a/queue-4.14/team-free-bpf-filter-when-unregistering-netdev.patch b/queue-4.14/team-free-bpf-filter-when-unregistering-netdev.patch new file mode 100644 index 00000000000..280fd43c902 --- /dev/null +++ b/queue-4.14/team-free-bpf-filter-when-unregistering-netdev.patch @@ -0,0 +1,99 @@ +From foo@baz Fri Mar 8 08:55:03 CET 2019 +From: Ido Schimmel +Date: Sun, 3 Mar 2019 07:35:51 +0000 +Subject: team: Free BPF filter when unregistering netdev + +From: Ido Schimmel + +[ Upstream commit 692c31bd4054212312396b1d303bffab2c5b93a7 ] + +When team is used in loadbalance mode a BPF filter can be used to +provide a hash which will determine the Tx port. + +When the netdev is later unregistered the filter is not freed which +results in memory leaks [1]. + +Fix by freeing the program and the corresponding filter when +unregistering the netdev. + +[1] +unreferenced object 0xffff8881dbc47cc8 (size 16): + comm "teamd", pid 3068, jiffies 4294997779 (age 438.247s) + hex dump (first 16 bytes): + a3 00 6b 6b 6b 6b 6b 6b 88 a5 82 e1 81 88 ff ff ..kkkkkk........ + backtrace: + [<000000008a3b47e3>] team_nl_cmd_options_set+0x88f/0x11b0 + [<00000000c4f4f27e>] genl_family_rcv_msg+0x78f/0x1080 + [<00000000610ef838>] genl_rcv_msg+0xca/0x170 + [<00000000a281df93>] netlink_rcv_skb+0x132/0x380 + [<000000004d9448a2>] genl_rcv+0x29/0x40 + [<000000000321b2f4>] netlink_unicast+0x4c0/0x690 + [<000000008c25dffb>] netlink_sendmsg+0x929/0xe10 + [<00000000068298c5>] sock_sendmsg+0xc8/0x110 + [<0000000082a61ff0>] ___sys_sendmsg+0x77a/0x8f0 + [<00000000663ae29d>] __sys_sendmsg+0xf7/0x250 + [<0000000027c5f11a>] do_syscall_64+0x14d/0x610 + [<000000006cfbc8d3>] entry_SYSCALL_64_after_hwframe+0x49/0xbe + [<00000000e23197e2>] 0xffffffffffffffff +unreferenced object 0xffff8881e182a588 (size 2048): + comm "teamd", pid 3068, jiffies 4294997780 (age 438.247s) + hex dump (first 32 bytes): + 20 00 00 00 02 00 00 00 30 00 00 00 28 f0 ff ff .......0...(... + 07 00 00 00 00 00 00 00 28 00 00 00 00 00 00 00 ........(....... + backtrace: + [<000000002daf01fb>] lb_bpf_func_set+0x45c/0x6d0 + [<000000008a3b47e3>] team_nl_cmd_options_set+0x88f/0x11b0 + [<00000000c4f4f27e>] genl_family_rcv_msg+0x78f/0x1080 + [<00000000610ef838>] genl_rcv_msg+0xca/0x170 + [<00000000a281df93>] netlink_rcv_skb+0x132/0x380 + [<000000004d9448a2>] genl_rcv+0x29/0x40 + [<000000000321b2f4>] netlink_unicast+0x4c0/0x690 + [<000000008c25dffb>] netlink_sendmsg+0x929/0xe10 + [<00000000068298c5>] sock_sendmsg+0xc8/0x110 + [<0000000082a61ff0>] ___sys_sendmsg+0x77a/0x8f0 + [<00000000663ae29d>] __sys_sendmsg+0xf7/0x250 + [<0000000027c5f11a>] do_syscall_64+0x14d/0x610 + [<000000006cfbc8d3>] entry_SYSCALL_64_after_hwframe+0x49/0xbe + [<00000000e23197e2>] 0xffffffffffffffff + +Fixes: 01d7f30a9f96 ("team: add loadbalance mode") +Signed-off-by: Ido Schimmel +Reported-by: Amit Cohen +Acked-by: Jiri Pirko +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/team/team_mode_loadbalance.c | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +--- a/drivers/net/team/team_mode_loadbalance.c ++++ b/drivers/net/team/team_mode_loadbalance.c +@@ -319,6 +319,20 @@ static int lb_bpf_func_set(struct team * + return 0; + } + ++static void lb_bpf_func_free(struct team *team) ++{ ++ struct lb_priv *lb_priv = get_lb_priv(team); ++ struct bpf_prog *fp; ++ ++ if (!lb_priv->ex->orig_fprog) ++ return; ++ ++ __fprog_destroy(lb_priv->ex->orig_fprog); ++ fp = rcu_dereference_protected(lb_priv->fp, ++ lockdep_is_held(&team->lock)); ++ bpf_prog_destroy(fp); ++} ++ + static int lb_tx_method_get(struct team *team, struct team_gsetter_ctx *ctx) + { + struct lb_priv *lb_priv = get_lb_priv(team); +@@ -633,6 +647,7 @@ static void lb_exit(struct team *team) + + team_options_unregister(team, lb_options, + ARRAY_SIZE(lb_options)); ++ lb_bpf_func_free(team); + cancel_delayed_work_sync(&lb_priv->ex->stats.refresh_dw); + free_percpu(lb_priv->pcpu_stats); + kfree(lb_priv->ex); diff --git a/queue-4.14/tipc-fix-rdm-dgram-connect-regression.patch b/queue-4.14/tipc-fix-rdm-dgram-connect-regression.patch new file mode 100644 index 00000000000..b7a683d7b1b --- /dev/null +++ b/queue-4.14/tipc-fix-rdm-dgram-connect-regression.patch @@ -0,0 +1,36 @@ +From foo@baz Fri Mar 8 08:55:03 CET 2019 +From: Erik Hugne +Date: Mon, 4 Mar 2019 23:26:10 +0100 +Subject: tipc: fix RDM/DGRAM connect() regression + +From: Erik Hugne + +[ Upstream commit 0e63208915a8d7590d0a6218dadb2a6a00ac705a ] + +Fix regression bug introduced in +commit 365ad353c256 ("tipc: reduce risk of user starvation during link +congestion") + +Only signal -EDESTADDRREQ for RDM/DGRAM if we don't have a cached +sockaddr. + +Fixes: 365ad353c256 ("tipc: reduce risk of user starvation during link congestion") +Signed-off-by: Erik Hugne +Signed-off-by: Jon Maloy +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/tipc/socket.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/tipc/socket.c ++++ b/net/tipc/socket.c +@@ -943,7 +943,7 @@ static int __tipc_sendmsg(struct socket + + if (unlikely(!dest)) { + dest = &tsk->peer; +- if (!syn || dest->family != AF_TIPC) ++ if (!syn && dest->family != AF_TIPC) + return -EDESTADDRREQ; + } + diff --git a/queue-4.14/tun-fix-blocking-read.patch b/queue-4.14/tun-fix-blocking-read.patch new file mode 100644 index 00000000000..6fa1d6974e9 --- /dev/null +++ b/queue-4.14/tun-fix-blocking-read.patch @@ -0,0 +1,42 @@ +From foo@baz Fri Mar 8 08:55:03 CET 2019 +From: Timur Celik +Date: Sat, 23 Feb 2019 12:53:13 +0100 +Subject: tun: fix blocking read + +From: Timur Celik + +[ Upstream commit 71828b2240692cec0e68b8d867bc00e1745e7fae ] + +This patch moves setting of the current state into the loop. Otherwise +the task may end up in a busy wait loop if none of the break conditions +are met. + +Signed-off-by: Timur Celik +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/tun.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/net/tun.c ++++ b/drivers/net/tun.c +@@ -1714,9 +1714,9 @@ static struct sk_buff *tun_ring_recv(str + } + + add_wait_queue(&tfile->wq.wait, &wait); +- current->state = TASK_INTERRUPTIBLE; + + while (1) { ++ set_current_state(TASK_INTERRUPTIBLE); + skb = skb_array_consume(&tfile->tx_array); + if (skb) + break; +@@ -1732,7 +1732,7 @@ static struct sk_buff *tun_ring_recv(str + schedule(); + } + +- current->state = TASK_RUNNING; ++ set_current_state(TASK_RUNNING); + remove_wait_queue(&tfile->wq.wait, &wait); + + out: diff --git a/queue-4.14/tun-remove-unnecessary-memory-barrier.patch b/queue-4.14/tun-remove-unnecessary-memory-barrier.patch new file mode 100644 index 00000000000..d2c4f8b38dc --- /dev/null +++ b/queue-4.14/tun-remove-unnecessary-memory-barrier.patch @@ -0,0 +1,31 @@ +From foo@baz Fri Mar 8 08:55:03 CET 2019 +From: Timur Celik +Date: Mon, 25 Feb 2019 21:13:13 +0100 +Subject: tun: remove unnecessary memory barrier + +From: Timur Celik + +[ Upstream commit ecef67cb10db7b83b3b71c61dbb29aa070ab0112 ] + +Replace set_current_state with __set_current_state since no memory +barrier is needed at this point. + +Signed-off-by: Timur Celik +Reviewed-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/tun.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/tun.c ++++ b/drivers/net/tun.c +@@ -1732,7 +1732,7 @@ static struct sk_buff *tun_ring_recv(str + schedule(); + } + +- set_current_state(TASK_RUNNING); ++ __set_current_state(TASK_RUNNING); + remove_wait_queue(&tfile->wq.wait, &wait); + + out: diff --git a/queue-4.14/xen-netback-don-t-populate-the-hash-cache-on-xenbus-disconnect.patch b/queue-4.14/xen-netback-don-t-populate-the-hash-cache-on-xenbus-disconnect.patch new file mode 100644 index 00000000000..6131470bbe9 --- /dev/null +++ b/queue-4.14/xen-netback-don-t-populate-the-hash-cache-on-xenbus-disconnect.patch @@ -0,0 +1,55 @@ +From foo@baz Fri Mar 8 08:55:03 CET 2019 +From: Igor Druzhinin +Date: Thu, 28 Feb 2019 14:11:26 +0000 +Subject: xen-netback: don't populate the hash cache on XenBus disconnect + +From: Igor Druzhinin + +[ Upstream commit a2288d4e355992d369c50c45d017a85f6061ff71 ] + +Occasionally, during the disconnection procedure on XenBus which +includes hash cache deinitialization there might be some packets +still in-flight on other processors. Handling of these packets includes +hashing and hash cache population that finally results in hash cache +data structure corruption. + +In order to avoid this we prevent hashing of those packets if there +are no queues initialized. In that case RCU protection of queues guards +the hash cache as well. + +Signed-off-by: Igor Druzhinin +Reviewed-by: Paul Durrant +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/xen-netback/hash.c | 2 ++ + drivers/net/xen-netback/interface.c | 7 +++++++ + 2 files changed, 9 insertions(+) + +--- a/drivers/net/xen-netback/hash.c ++++ b/drivers/net/xen-netback/hash.c +@@ -435,6 +435,8 @@ void xenvif_init_hash(struct xenvif *vif + if (xenvif_hash_cache_size == 0) + return; + ++ BUG_ON(vif->hash.cache.count); ++ + spin_lock_init(&vif->hash.cache.lock); + INIT_LIST_HEAD(&vif->hash.cache.list); + } +--- a/drivers/net/xen-netback/interface.c ++++ b/drivers/net/xen-netback/interface.c +@@ -153,6 +153,13 @@ static u16 xenvif_select_queue(struct ne + { + struct xenvif *vif = netdev_priv(dev); + unsigned int size = vif->hash.size; ++ unsigned int num_queues; ++ ++ /* If queues are not set up internally - always return 0 ++ * as the packet going to be dropped anyway */ ++ num_queues = READ_ONCE(vif->num_queues); ++ if (num_queues < 1) ++ return 0; + + if (vif->hash.alg == XEN_NETIF_CTRL_HASH_ALGORITHM_NONE) + return fallback(dev, skb) % dev->real_num_tx_queues; diff --git a/queue-4.14/xen-netback-fix-occasional-leak-of-grant-ref-mappings-under-memory-pressure.patch b/queue-4.14/xen-netback-fix-occasional-leak-of-grant-ref-mappings-under-memory-pressure.patch new file mode 100644 index 00000000000..051f91392ec --- /dev/null +++ b/queue-4.14/xen-netback-fix-occasional-leak-of-grant-ref-mappings-under-memory-pressure.patch @@ -0,0 +1,64 @@ +From foo@baz Fri Mar 8 08:55:03 CET 2019 +From: Igor Druzhinin +Date: Thu, 28 Feb 2019 12:48:03 +0000 +Subject: xen-netback: fix occasional leak of grant ref mappings under memory pressure + +From: Igor Druzhinin + +[ Upstream commit 99e87f56b48f490fb16b6e0f74691c1e664dea95 ] + +Zero-copy callback flag is not yet set on frag list skb at the moment +xenvif_handle_frag_list() returns -ENOMEM. This eventually results in +leaking grant ref mappings since xenvif_zerocopy_callback() is never +called for these fragments. Those eventually build up and cause Xen +to kill Dom0 as the slots get reused for new mappings: + +"d0v0 Attempt to implicitly unmap a granted PTE c010000329fce005" + +That behavior is observed under certain workloads where sudden spikes +of page cache writes coexist with active atomic skb allocations from +network traffic. Additionally, rework the logic to deal with frag_list +deallocation in a single place. + +Signed-off-by: Paul Durrant +Signed-off-by: Igor Druzhinin +Acked-by: Wei Liu +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/xen-netback/netback.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +--- a/drivers/net/xen-netback/netback.c ++++ b/drivers/net/xen-netback/netback.c +@@ -1074,11 +1074,6 @@ static int xenvif_handle_frag_list(struc + skb_frag_size_set(&frags[i], len); + } + +- /* Copied all the bits from the frag list -- free it. */ +- skb_frag_list_init(skb); +- xenvif_skb_zerocopy_prepare(queue, nskb); +- kfree_skb(nskb); +- + /* Release all the original (foreign) frags. */ + for (f = 0; f < skb_shinfo(skb)->nr_frags; f++) + skb_frag_unref(skb, f); +@@ -1147,6 +1142,8 @@ static int xenvif_tx_submit(struct xenvi + xenvif_fill_frags(queue, skb); + + if (unlikely(skb_has_frag_list(skb))) { ++ struct sk_buff *nskb = skb_shinfo(skb)->frag_list; ++ xenvif_skb_zerocopy_prepare(queue, nskb); + if (xenvif_handle_frag_list(queue, skb)) { + if (net_ratelimit()) + netdev_err(queue->vif->dev, +@@ -1155,6 +1152,9 @@ static int xenvif_tx_submit(struct xenvi + kfree_skb(skb); + continue; + } ++ /* Copied all the bits from the frag list -- free it. */ ++ skb_frag_list_init(skb); ++ kfree_skb(nskb); + } + + skb->dev = queue->vif->dev;