From: Greg Kroah-Hartman Date: Mon, 18 Nov 2019 08:17:23 +0000 (+0100) Subject: 5.3-stable patches X-Git-Tag: v5.3.12~32 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c4a7b00e0626bdc49de420ccb399bf2e1997492e;p=thirdparty%2Fkernel%2Fstable-queue.git 5.3-stable patches added patches: ax88172a-fix-information-leak-on-short-answers.patch devlink-add-method-for-time-stamp-on-reporter-s-dump.patch devlink-disallow-reload-operation-during-device-cleanup.patch dpaa2-eth-free-already-allocated-channels-on-probe-defer.patch ipmr-fix-skb-headroom-in-ipmr_get_route.patch mlxsw-core-enable-devlink-reload-only-on-probe.patch net-gemini-add-missed-free_netdev.patch net-smc-fix-fastopen-for-non-blocking-connect.patch net-smc-fix-refcount-non-blocking-connect-part-2.patch net-usb-qmi_wwan-add-support-for-foxconn-t77w968-lte-modules.patch slip-fix-memory-leak-in-slip_open-error-path.patch tcp-remove-redundant-new-line-from-tcp_event_sk_skb.patch --- diff --git a/queue-5.3/ax88172a-fix-information-leak-on-short-answers.patch b/queue-5.3/ax88172a-fix-information-leak-on-short-answers.patch new file mode 100644 index 00000000000..8772c2ae01d --- /dev/null +++ b/queue-5.3/ax88172a-fix-information-leak-on-short-answers.patch @@ -0,0 +1,32 @@ +From foo@baz Mon 18 Nov 2019 09:15:35 AM CET +From: Oliver Neukum +Date: Thu, 14 Nov 2019 11:16:01 +0100 +Subject: ax88172a: fix information leak on short answers + +From: Oliver Neukum + +[ Upstream commit a9a51bd727d141a67b589f375fe69d0e54c4fe22 ] + +If a malicious device gives a short MAC it can elicit up to +5 bytes of leaked memory out of the driver. We need to check for +ETH_ALEN instead. + +Reported-by: syzbot+a8d4acdad35e6bbca308@syzkaller.appspotmail.com +Signed-off-by: Oliver Neukum +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/ax88172a.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/usb/ax88172a.c ++++ b/drivers/net/usb/ax88172a.c +@@ -196,7 +196,7 @@ static int ax88172a_bind(struct usbnet * + + /* Get the MAC address */ + ret = asix_read_cmd(dev, AX_CMD_READ_NODE_ID, 0, 0, ETH_ALEN, buf, 0); +- if (ret < 0) { ++ if (ret < ETH_ALEN) { + netdev_err(dev->net, "Failed to read MAC address: %d\n", ret); + goto free; + } diff --git a/queue-5.3/devlink-add-method-for-time-stamp-on-reporter-s-dump.patch b/queue-5.3/devlink-add-method-for-time-stamp-on-reporter-s-dump.patch new file mode 100644 index 00000000000..e0123110105 --- /dev/null +++ b/queue-5.3/devlink-add-method-for-time-stamp-on-reporter-s-dump.patch @@ -0,0 +1,64 @@ +From foo@baz Mon 18 Nov 2019 09:15:35 AM CET +From: Aya Levin +Date: Sun, 10 Nov 2019 14:11:56 +0200 +Subject: devlink: Add method for time-stamp on reporter's dump + +From: Aya Levin + +[ Upstream commit d279505b723cba058b604ed8cf9cd4c854e2a041 ] + +When setting the dump's time-stamp, use ktime_get_real in addition to +jiffies. This simplifies the user space implementation and bypasses +some inconsistent behavior with translating jiffies to current time. +The time taken is transformed into nsec, to comply with y2038 issue. + +Fixes: c8e1da0bf923 ("devlink: Add health report functionality") +Signed-off-by: Aya Levin +Acked-by: Jiri Pirko +Acked-by: Arnd Bergmann +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/uapi/linux/devlink.h | 1 + + net/core/devlink.c | 6 ++++++ + 2 files changed, 7 insertions(+) + +--- a/include/uapi/linux/devlink.h ++++ b/include/uapi/linux/devlink.h +@@ -348,6 +348,7 @@ enum devlink_attr { + DEVLINK_ATTR_PORT_PCI_PF_NUMBER, /* u16 */ + DEVLINK_ATTR_PORT_PCI_VF_NUMBER, /* u16 */ + ++ DEVLINK_ATTR_HEALTH_REPORTER_DUMP_TS_NS, /* u64 */ + /* add new attributes above here, update the policy in devlink.c */ + + __DEVLINK_ATTR_MAX, +--- a/net/core/devlink.c ++++ b/net/core/devlink.c +@@ -4577,6 +4577,7 @@ struct devlink_health_reporter { + bool auto_recover; + u8 health_state; + u64 dump_ts; ++ u64 dump_real_ts; + u64 error_count; + u64 recovery_count; + u64 last_recovery_ts; +@@ -4749,6 +4750,7 @@ static int devlink_health_do_dump(struct + goto dump_err; + + reporter->dump_ts = jiffies; ++ reporter->dump_real_ts = ktime_get_real_ns(); + + return 0; + +@@ -4911,6 +4913,10 @@ devlink_nl_health_reporter_fill(struct s + jiffies_to_msecs(reporter->dump_ts), + DEVLINK_ATTR_PAD)) + goto reporter_nest_cancel; ++ if (reporter->dump_fmsg && ++ nla_put_u64_64bit(msg, DEVLINK_ATTR_HEALTH_REPORTER_DUMP_TS_NS, ++ reporter->dump_real_ts, DEVLINK_ATTR_PAD)) ++ goto reporter_nest_cancel; + + nla_nest_end(msg, reporter_attr); + genlmsg_end(msg, hdr); diff --git a/queue-5.3/devlink-disallow-reload-operation-during-device-cleanup.patch b/queue-5.3/devlink-disallow-reload-operation-during-device-cleanup.patch new file mode 100644 index 00000000000..a39d9c26c06 --- /dev/null +++ b/queue-5.3/devlink-disallow-reload-operation-during-device-cleanup.patch @@ -0,0 +1,176 @@ +From foo@baz Mon 18 Nov 2019 09:15:35 AM CET +From: Jiri Pirko +Date: Sat, 9 Nov 2019 11:29:46 +0100 +Subject: devlink: disallow reload operation during device cleanup + +From: Jiri Pirko + +[ Upstream commit 5a508a254bed9a2e36a5fb96c9065532a6bf1e9c ] + +There is a race between driver code that does setup/cleanup of device +and devlink reload operation that in some drivers works with the same +code. Use after free could we easily obtained by running: + +while true; do + echo "0000:00:10.0" >/sys/bus/pci/drivers/mlxsw_spectrum2/bind + devlink dev reload pci/0000:00:10.0 & + echo "0000:00:10.0" >/sys/bus/pci/drivers/mlxsw_spectrum2/unbind +done + +Fix this by enabling reload only after setup of device is complete and +disabling it at the beginning of the cleanup process. + +Reported-by: Ido Schimmel +Fixes: 2d8dc5bbf4e7 ("devlink: Add support for reload") +Signed-off-by: Jiri Pirko +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlx4/main.c | 3 ++ + drivers/net/ethernet/mellanox/mlxsw/core.c | 6 +++- + drivers/net/netdevsim/dev.c | 2 + + include/net/devlink.h | 3 ++ + net/core/devlink.c | 39 ++++++++++++++++++++++++++++- + 5 files changed, 51 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/mellanox/mlx4/main.c ++++ b/drivers/net/ethernet/mellanox/mlx4/main.c +@@ -3982,6 +3982,7 @@ static int mlx4_init_one(struct pci_dev + goto err_params_unregister; + + devlink_params_publish(devlink); ++ devlink_reload_enable(devlink); + pci_save_state(pdev); + return 0; + +@@ -4093,6 +4094,8 @@ static void mlx4_remove_one(struct pci_d + struct devlink *devlink = priv_to_devlink(priv); + int active_vfs = 0; + ++ devlink_reload_disable(devlink); ++ + if (mlx4_is_slave(dev)) + persist->interface_state |= MLX4_INTERFACE_STATE_NOWAIT; + +--- a/drivers/net/ethernet/mellanox/mlxsw/core.c ++++ b/drivers/net/ethernet/mellanox/mlxsw/core.c +@@ -1128,8 +1128,10 @@ __mlxsw_core_bus_device_register(const s + if (err) + goto err_thermal_init; + +- if (mlxsw_driver->params_register) ++ if (mlxsw_driver->params_register) { + devlink_params_publish(devlink); ++ devlink_reload_enable(devlink); ++ } + + return 0; + +@@ -1191,6 +1193,8 @@ void mlxsw_core_bus_device_unregister(st + { + struct devlink *devlink = priv_to_devlink(mlxsw_core); + ++ if (!reload) ++ devlink_reload_disable(devlink); + if (mlxsw_core->reload_fail) { + if (!reload) + /* Only the parts that were not de-initialized in the +--- a/drivers/net/netdevsim/dev.c ++++ b/drivers/net/netdevsim/dev.c +@@ -297,6 +297,7 @@ nsim_dev_create(struct nsim_bus_dev *nsi + if (err) + goto err_debugfs_exit; + ++ devlink_reload_enable(devlink); + return nsim_dev; + + err_debugfs_exit: +@@ -314,6 +315,7 @@ static void nsim_dev_destroy(struct nsim + { + struct devlink *devlink = priv_to_devlink(nsim_dev); + ++ devlink_reload_disable(devlink); + nsim_bpf_dev_exit(nsim_dev); + nsim_dev_debugfs_exit(nsim_dev); + devlink_unregister(devlink); +--- a/include/net/devlink.h ++++ b/include/net/devlink.h +@@ -35,6 +35,7 @@ struct devlink { + struct device *dev; + possible_net_t _net; + struct mutex lock; ++ u8 reload_enabled:1; + char priv[0] __aligned(NETDEV_ALIGN); + }; + +@@ -594,6 +595,8 @@ struct ib_device; + struct devlink *devlink_alloc(const struct devlink_ops *ops, size_t priv_size); + int devlink_register(struct devlink *devlink, struct device *dev); + void devlink_unregister(struct devlink *devlink); ++void devlink_reload_enable(struct devlink *devlink); ++void devlink_reload_disable(struct devlink *devlink); + void devlink_free(struct devlink *devlink); + int devlink_port_register(struct devlink *devlink, + struct devlink_port *devlink_port, +--- a/net/core/devlink.c ++++ b/net/core/devlink.c +@@ -2677,7 +2677,7 @@ static int devlink_nl_cmd_reload(struct + struct devlink *devlink = info->user_ptr[0]; + int err; + +- if (!devlink->ops->reload) ++ if (!devlink->ops->reload || !devlink->reload_enabled) + return -EOPNOTSUPP; + + err = devlink_resources_validate(devlink, NULL, info); +@@ -5559,6 +5559,8 @@ EXPORT_SYMBOL_GPL(devlink_register); + void devlink_unregister(struct devlink *devlink) + { + mutex_lock(&devlink_mutex); ++ WARN_ON(devlink_reload_supported(devlink) && ++ devlink->reload_enabled); + devlink_notify(devlink, DEVLINK_CMD_DEL); + list_del(&devlink->list); + mutex_unlock(&devlink_mutex); +@@ -5566,6 +5568,41 @@ void devlink_unregister(struct devlink * + EXPORT_SYMBOL_GPL(devlink_unregister); + + /** ++ * devlink_reload_enable - Enable reload of devlink instance ++ * ++ * @devlink: devlink ++ * ++ * Should be called at end of device initialization ++ * process when reload operation is supported. ++ */ ++void devlink_reload_enable(struct devlink *devlink) ++{ ++ mutex_lock(&devlink_mutex); ++ devlink->reload_enabled = true; ++ mutex_unlock(&devlink_mutex); ++} ++EXPORT_SYMBOL_GPL(devlink_reload_enable); ++ ++/** ++ * devlink_reload_disable - Disable reload of devlink instance ++ * ++ * @devlink: devlink ++ * ++ * Should be called at the beginning of device cleanup ++ * process when reload operation is supported. ++ */ ++void devlink_reload_disable(struct devlink *devlink) ++{ ++ mutex_lock(&devlink_mutex); ++ /* Mutex is taken which ensures that no reload operation is in ++ * progress while setting up forbidded flag. ++ */ ++ devlink->reload_enabled = false; ++ mutex_unlock(&devlink_mutex); ++} ++EXPORT_SYMBOL_GPL(devlink_reload_disable); ++ ++/** + * devlink_free - Free devlink instance resources + * + * @devlink: devlink diff --git a/queue-5.3/dpaa2-eth-free-already-allocated-channels-on-probe-defer.patch b/queue-5.3/dpaa2-eth-free-already-allocated-channels-on-probe-defer.patch new file mode 100644 index 00000000000..34b0a1506eb --- /dev/null +++ b/queue-5.3/dpaa2-eth-free-already-allocated-channels-on-probe-defer.patch @@ -0,0 +1,44 @@ +From foo@baz Mon 18 Nov 2019 09:15:35 AM CET +From: Ioana Ciornei +Date: Tue, 12 Nov 2019 18:21:52 +0200 +Subject: dpaa2-eth: free already allocated channels on probe defer + +From: Ioana Ciornei + +[ Upstream commit 5aa4277d4368c099223bbcd3a9086f3351a12ce9 ] + +The setup_dpio() function tries to allocate a number of channels equal +to the number of CPUs online. When there are not enough DPCON objects +already probed, the function will return EPROBE_DEFER. When this +happens, the already allocated channels are not freed. This results in +the incapacity of properly probing the next time around. +Fix this by freeing the channels on the error path. + +Fixes: d7f5a9d89a55 ("dpaa2-eth: defer probe on object allocate") +Signed-off-by: Ioana Ciornei +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c ++++ b/drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c +@@ -2166,8 +2166,16 @@ err_set_cdan: + err_service_reg: + free_channel(priv, channel); + err_alloc_ch: +- if (err == -EPROBE_DEFER) ++ if (err == -EPROBE_DEFER) { ++ for (i = 0; i < priv->num_channels; i++) { ++ channel = priv->channel[i]; ++ nctx = &channel->nctx; ++ dpaa2_io_service_deregister(channel->dpio, nctx, dev); ++ free_channel(priv, channel); ++ } ++ priv->num_channels = 0; + return err; ++ } + + if (cpumask_empty(&priv->dpio_cpumask)) { + dev_err(dev, "No cpu with an affine DPIO/DPCON\n"); diff --git a/queue-5.3/ipmr-fix-skb-headroom-in-ipmr_get_route.patch b/queue-5.3/ipmr-fix-skb-headroom-in-ipmr_get_route.patch new file mode 100644 index 00000000000..7fb66282bbe --- /dev/null +++ b/queue-5.3/ipmr-fix-skb-headroom-in-ipmr_get_route.patch @@ -0,0 +1,83 @@ +From foo@baz Mon 18 Nov 2019 09:15:35 AM CET +From: Guillaume Nault +Date: Fri, 15 Nov 2019 18:29:52 +0100 +Subject: ipmr: Fix skb headroom in ipmr_get_route(). + +From: Guillaume Nault + +[ Upstream commit 7901cd97963d6cbde88fa25a4a446db3554c16c6 ] + +In route.c, inet_rtm_getroute_build_skb() creates an skb with no +headroom. This skb is then used by inet_rtm_getroute() which may pass +it to rt_fill_info() and, from there, to ipmr_get_route(). The later +might try to reuse this skb by cloning it and prepending an IPv4 +header. But since the original skb has no headroom, skb_push() triggers +skb_under_panic(): + +skbuff: skb_under_panic: text:00000000ca46ad8a len:80 put:20 head:00000000cd28494e data:000000009366fd6b tail:0x3c end:0xec0 dev:veth0 +------------[ cut here ]------------ +kernel BUG at net/core/skbuff.c:108! +invalid opcode: 0000 [#1] SMP KASAN PTI +CPU: 6 PID: 587 Comm: ip Not tainted 5.4.0-rc6+ #1 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-2.fc30 04/01/2014 +RIP: 0010:skb_panic+0xbf/0xd0 +Code: 41 a2 ff 8b 4b 70 4c 8b 4d d0 48 c7 c7 20 76 f5 8b 44 8b 45 bc 48 8b 55 c0 48 8b 75 c8 41 54 41 57 41 56 41 55 e8 75 dc 7a ff <0f> 0b 0f 1f 44 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 +RSP: 0018:ffff888059ddf0b0 EFLAGS: 00010286 +RAX: 0000000000000086 RBX: ffff888060a315c0 RCX: ffffffff8abe4822 +RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffff88806c9a79cc +RBP: ffff888059ddf118 R08: ffffed100d9361b1 R09: ffffed100d9361b0 +R10: ffff88805c68aee3 R11: ffffed100d9361b1 R12: ffff88805d218000 +R13: ffff88805c689fec R14: 000000000000003c R15: 0000000000000ec0 +FS: 00007f6af184b700(0000) GS:ffff88806c980000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007ffc8204a000 CR3: 0000000057b40006 CR4: 0000000000360ee0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + skb_push+0x7e/0x80 + ipmr_get_route+0x459/0x6fa + rt_fill_info+0x692/0x9f0 + inet_rtm_getroute+0xd26/0xf20 + rtnetlink_rcv_msg+0x45d/0x630 + netlink_rcv_skb+0x1a5/0x220 + rtnetlink_rcv+0x15/0x20 + netlink_unicast+0x305/0x3a0 + netlink_sendmsg+0x575/0x730 + sock_sendmsg+0xb5/0xc0 + ___sys_sendmsg+0x497/0x4f0 + __sys_sendmsg+0xcb/0x150 + __x64_sys_sendmsg+0x48/0x50 + do_syscall_64+0xd2/0xac0 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + +Actually the original skb used to have enough headroom, but the +reserve_skb() call was lost with the introduction of +inet_rtm_getroute_build_skb() by commit 404eb77ea766 ("ipv4: support +sport, dport and ip_proto in RTM_GETROUTE"). + +We could reserve some headroom again in inet_rtm_getroute_build_skb(), +but this function shouldn't be responsible for handling the special +case of ipmr_get_route(). Let's handle that directly in +ipmr_get_route() by calling skb_realloc_headroom() instead of +skb_clone(). + +Fixes: 404eb77ea766 ("ipv4: support sport, dport and ip_proto in RTM_GETROUTE") +Signed-off-by: Guillaume Nault +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/ipmr.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/ipv4/ipmr.c ++++ b/net/ipv4/ipmr.c +@@ -2289,7 +2289,8 @@ int ipmr_get_route(struct net *net, stru + rcu_read_unlock(); + return -ENODEV; + } +- skb2 = skb_clone(skb, GFP_ATOMIC); ++ ++ skb2 = skb_realloc_headroom(skb, sizeof(struct iphdr)); + if (!skb2) { + read_unlock(&mrt_lock); + rcu_read_unlock(); diff --git a/queue-5.3/mlxsw-core-enable-devlink-reload-only-on-probe.patch b/queue-5.3/mlxsw-core-enable-devlink-reload-only-on-probe.patch new file mode 100644 index 00000000000..83835e15e8d --- /dev/null +++ b/queue-5.3/mlxsw-core-enable-devlink-reload-only-on-probe.patch @@ -0,0 +1,50 @@ +From foo@baz Mon 18 Nov 2019 09:15:35 AM CET +From: Jiri Pirko +Date: Sun, 10 Nov 2019 16:31:23 +0100 +Subject: mlxsw: core: Enable devlink reload only on probe + +From: Jiri Pirko + +[ Upstream commit 73a533ecf0af5f73ff72dd7c96d1c8598ca93649 ] + +Call devlink enable only during probe time and avoid deadlock +during reload. + +Reported-by: Shalom Toledo +Fixes: 5a508a254bed ("devlink: disallow reload operation during device cleanup") +Signed-off-by: Jiri Pirko +Tested-by: Shalom Toledo +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlxsw/core.c | 5 +++-- + net/core/devlink.c | 2 +- + 2 files changed, 4 insertions(+), 3 deletions(-) + +--- a/drivers/net/ethernet/mellanox/mlxsw/core.c ++++ b/drivers/net/ethernet/mellanox/mlxsw/core.c +@@ -1128,10 +1128,11 @@ __mlxsw_core_bus_device_register(const s + if (err) + goto err_thermal_init; + +- if (mlxsw_driver->params_register) { ++ if (mlxsw_driver->params_register) + devlink_params_publish(devlink); ++ ++ if (!reload) + devlink_reload_enable(devlink); +- } + + return 0; + +--- a/net/core/devlink.c ++++ b/net/core/devlink.c +@@ -5559,7 +5559,7 @@ EXPORT_SYMBOL_GPL(devlink_register); + void devlink_unregister(struct devlink *devlink) + { + mutex_lock(&devlink_mutex); +- WARN_ON(devlink_reload_supported(devlink) && ++ WARN_ON(devlink->ops->reload && + devlink->reload_enabled); + devlink_notify(devlink, DEVLINK_CMD_DEL); + list_del(&devlink->list); diff --git a/queue-5.3/net-gemini-add-missed-free_netdev.patch b/queue-5.3/net-gemini-add-missed-free_netdev.patch new file mode 100644 index 00000000000..37cdb81ed66 --- /dev/null +++ b/queue-5.3/net-gemini-add-missed-free_netdev.patch @@ -0,0 +1,31 @@ +From foo@baz Mon 18 Nov 2019 09:15:35 AM CET +From: Chuhong Yuan +Date: Fri, 15 Nov 2019 14:24:54 +0800 +Subject: net: gemini: add missed free_netdev + +From: Chuhong Yuan + +[ Upstream commit 18d647ae74116bfee38953978501cea2960a0c25 ] + +This driver forgets to free allocated netdev in remove like +what is done in probe failure. +Add the free to fix it. + +Signed-off-by: Chuhong Yuan +Reviewed-by: Linus Walleij +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/cortina/gemini.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/ethernet/cortina/gemini.c ++++ b/drivers/net/ethernet/cortina/gemini.c +@@ -2527,6 +2527,7 @@ static int gemini_ethernet_port_remove(s + struct gemini_ethernet_port *port = platform_get_drvdata(pdev); + + gemini_port_remove(port); ++ free_netdev(port->netdev); + return 0; + } + diff --git a/queue-5.3/net-smc-fix-fastopen-for-non-blocking-connect.patch b/queue-5.3/net-smc-fix-fastopen-for-non-blocking-connect.patch new file mode 100644 index 00000000000..6a26c287d53 --- /dev/null +++ b/queue-5.3/net-smc-fix-fastopen-for-non-blocking-connect.patch @@ -0,0 +1,39 @@ +From foo@baz Mon 18 Nov 2019 09:15:35 AM CET +From: Ursula Braun +Date: Fri, 15 Nov 2019 12:39:30 +0100 +Subject: net/smc: fix fastopen for non-blocking connect() + +From: Ursula Braun + +[ Upstream commit 8204df72bea1a7d83d0777add6da98a41dfbdc34 ] + +FASTOPEN does not work with SMC-sockets. Since SMC allows fallback to +TCP native during connection start, the FASTOPEN setsockopts trigger +this fallback, if the SMC-socket is still in state SMC_INIT. +But if a FASTOPEN setsockopt is called after a non-blocking connect(), +this is broken, and fallback does not make sense. +This change complements +commit cd2063604ea6 ("net/smc: avoid fallback in case of non-blocking connect") +and fixes the syzbot reported problem "WARNING in smc_unhash_sk". + +Reported-by: syzbot+8488cc4cf1c9e09b8b86@syzkaller.appspotmail.com +Fixes: e1bbdd570474 ("net/smc: reduce sock_put() for fallback sockets") +Signed-off-by: Ursula Braun +Signed-off-by: Karsten Graul +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/smc/af_smc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/smc/af_smc.c ++++ b/net/smc/af_smc.c +@@ -1731,7 +1731,7 @@ static int smc_setsockopt(struct socket + case TCP_FASTOPEN_KEY: + case TCP_FASTOPEN_NO_COOKIE: + /* option not supported by SMC */ +- if (sk->sk_state == SMC_INIT) { ++ if (sk->sk_state == SMC_INIT && !smc->connect_nonblock) { + smc_switch_to_fallback(smc); + smc->fallback_rsn = SMC_CLC_DECL_OPTUNSUPP; + } else { diff --git a/queue-5.3/net-smc-fix-refcount-non-blocking-connect-part-2.patch b/queue-5.3/net-smc-fix-refcount-non-blocking-connect-part-2.patch new file mode 100644 index 00000000000..e2482dbc394 --- /dev/null +++ b/queue-5.3/net-smc-fix-refcount-non-blocking-connect-part-2.patch @@ -0,0 +1,37 @@ +From foo@baz Mon 18 Nov 2019 09:15:35 AM CET +From: Ursula Braun +Date: Tue, 12 Nov 2019 16:03:41 +0100 +Subject: net/smc: fix refcount non-blocking connect() -part 2 + +From: Ursula Braun + +[ Upstream commit 6d6dd528d5af05dc2d0c773951ed68d630a0c3f1 ] + +If an SMC socket is immediately terminated after a non-blocking connect() +has been called, a memory leak is possible. +Due to the sock_hold move in +commit 301428ea3708 ("net/smc: fix refcounting for non-blocking connect()") +an extra sock_put() is needed in smc_connect_work(), if the internal +TCP socket is aborted and cancels the sk_stream_wait_connect() of the +connect worker. + +Reported-by: syzbot+4b73ad6fc767e576e275@syzkaller.appspotmail.com +Fixes: 301428ea3708 ("net/smc: fix refcounting for non-blocking connect()") +Signed-off-by: Ursula Braun +Signed-off-by: Karsten Graul +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/smc/af_smc.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/smc/af_smc.c ++++ b/net/smc/af_smc.c +@@ -796,6 +796,7 @@ static void smc_connect_work(struct work + smc->sk.sk_err = EPIPE; + else if (signal_pending(current)) + smc->sk.sk_err = -sock_intr_errno(timeo); ++ sock_put(&smc->sk); /* passive closing */ + goto out; + } + diff --git a/queue-5.3/net-usb-qmi_wwan-add-support-for-foxconn-t77w968-lte-modules.patch b/queue-5.3/net-usb-qmi_wwan-add-support-for-foxconn-t77w968-lte-modules.patch new file mode 100644 index 00000000000..e94ecdc956f --- /dev/null +++ b/queue-5.3/net-usb-qmi_wwan-add-support-for-foxconn-t77w968-lte-modules.patch @@ -0,0 +1,45 @@ +From foo@baz Mon 18 Nov 2019 09:15:35 AM CET +From: Aleksander Morgado +Date: Wed, 13 Nov 2019 11:11:10 +0100 +Subject: net: usb: qmi_wwan: add support for Foxconn T77W968 LTE modules + +From: Aleksander Morgado + +[ Upstream commit 802753cb0b141cf5170ab97fe7e79f5ca10d06b0 ] + +These are the Foxconn-branded variants of the Dell DW5821e modules, +same USB layout as those. + +The QMI interface is exposed in USB configuration #1: + +P: Vendor=0489 ProdID=e0b4 Rev=03.18 +S: Manufacturer=FII +S: Product=T77W968 LTE +S: SerialNumber=0123456789ABCDEF +C: #Ifs= 6 Cfg#= 1 Atr=a0 MxPwr=500mA +I: If#=0x0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan +I: If#=0x1 Alt= 0 #EPs= 1 Cls=03(HID ) Sub=00 Prot=00 Driver=usbhid +I: If#=0x2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +I: If#=0x3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +I: If#=0x4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +I: If#=0x5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option + +Signed-off-by: Aleksander Morgado +Acked-by: Bjørn Mork +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/qmi_wwan.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/net/usb/qmi_wwan.c ++++ b/drivers/net/usb/qmi_wwan.c +@@ -1370,6 +1370,8 @@ static const struct usb_device_id produc + {QMI_QUIRK_SET_DTR(0x2c7c, 0x0191, 4)}, /* Quectel EG91 */ + {QMI_FIXED_INTF(0x2c7c, 0x0296, 4)}, /* Quectel BG96 */ + {QMI_QUIRK_SET_DTR(0x2cb7, 0x0104, 4)}, /* Fibocom NL678 series */ ++ {QMI_FIXED_INTF(0x0489, 0xe0b4, 0)}, /* Foxconn T77W968 LTE */ ++ {QMI_FIXED_INTF(0x0489, 0xe0b5, 0)}, /* Foxconn T77W968 LTE with eSIM support*/ + + /* 4. Gobi 1000 devices */ + {QMI_GOBI1K_DEVICE(0x05c6, 0x9212)}, /* Acer Gobi Modem Device */ diff --git a/queue-5.3/series b/queue-5.3/series index 1f4c546d086..a13f44cdba1 100644 --- a/queue-5.3/series +++ b/queue-5.3/series @@ -1 +1,13 @@ scsi-core-handle-drivers-which-set-sg_tablesize-to-zero.patch +ax88172a-fix-information-leak-on-short-answers.patch +devlink-disallow-reload-operation-during-device-cleanup.patch +ipmr-fix-skb-headroom-in-ipmr_get_route.patch +mlxsw-core-enable-devlink-reload-only-on-probe.patch +net-gemini-add-missed-free_netdev.patch +net-smc-fix-fastopen-for-non-blocking-connect.patch +net-usb-qmi_wwan-add-support-for-foxconn-t77w968-lte-modules.patch +slip-fix-memory-leak-in-slip_open-error-path.patch +tcp-remove-redundant-new-line-from-tcp_event_sk_skb.patch +dpaa2-eth-free-already-allocated-channels-on-probe-defer.patch +devlink-add-method-for-time-stamp-on-reporter-s-dump.patch +net-smc-fix-refcount-non-blocking-connect-part-2.patch diff --git a/queue-5.3/slip-fix-memory-leak-in-slip_open-error-path.patch b/queue-5.3/slip-fix-memory-leak-in-slip_open-error-path.patch new file mode 100644 index 00000000000..3eef88187d9 --- /dev/null +++ b/queue-5.3/slip-fix-memory-leak-in-slip_open-error-path.patch @@ -0,0 +1,55 @@ +From foo@baz Mon 18 Nov 2019 09:15:35 AM CET +From: Jouni Hogander +Date: Wed, 13 Nov 2019 13:45:02 +0200 +Subject: slip: Fix memory leak in slip_open error path + +From: Jouni Hogander + +[ Upstream commit 3b5a39979dafea9d0cd69c7ae06088f7a84cdafa ] + +Driver/net/can/slcan.c is derived from slip.c. Memory leak was detected +by Syzkaller in slcan. Same issue exists in slip.c and this patch is +addressing the leak in slip.c. + +Here is the slcan memory leak trace reported by Syzkaller: + +BUG: memory leak unreferenced object 0xffff888067f65500 (size 4096): + comm "syz-executor043", pid 454, jiffies 4294759719 (age 11.930s) + hex dump (first 32 bytes): + 73 6c 63 61 6e 30 00 00 00 00 00 00 00 00 00 00 slcan0.......... + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + backtrace: + [<00000000a06eec0d>] __kmalloc+0x18b/0x2c0 + [<0000000083306e66>] kvmalloc_node+0x3a/0xc0 + [<000000006ac27f87>] alloc_netdev_mqs+0x17a/0x1080 + [<0000000061a996c9>] slcan_open+0x3ae/0x9a0 + [<000000001226f0f9>] tty_ldisc_open.isra.1+0x76/0xc0 + [<0000000019289631>] tty_set_ldisc+0x28c/0x5f0 + [<000000004de5a617>] tty_ioctl+0x48d/0x1590 + [<00000000daef496f>] do_vfs_ioctl+0x1c7/0x1510 + [<0000000059068dbc>] ksys_ioctl+0x99/0xb0 + [<000000009a6eb334>] __x64_sys_ioctl+0x78/0xb0 + [<0000000053d0332e>] do_syscall_64+0x16f/0x580 + [<0000000021b83b99>] entry_SYSCALL_64_after_hwframe+0x44/0xa9 + [<000000008ea75434>] 0xfffffffffffffff + +Cc: "David S. Miller" +Cc: Oliver Hartkopp +Cc: Lukas Bulwahn +Signed-off-by: Jouni Hogander +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/slip/slip.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/slip/slip.c ++++ b/drivers/net/slip/slip.c +@@ -855,6 +855,7 @@ err_free_chan: + sl->tty = NULL; + tty->disc_data = NULL; + clear_bit(SLF_INUSE, &sl->flags); ++ free_netdev(sl->dev); + + err_exit: + rtnl_unlock(); diff --git a/queue-5.3/tcp-remove-redundant-new-line-from-tcp_event_sk_skb.patch b/queue-5.3/tcp-remove-redundant-new-line-from-tcp_event_sk_skb.patch new file mode 100644 index 00000000000..03ef942b975 --- /dev/null +++ b/queue-5.3/tcp-remove-redundant-new-line-from-tcp_event_sk_skb.patch @@ -0,0 +1,33 @@ +From foo@baz Mon 18 Nov 2019 09:15:35 AM CET +From: Tony Lu +Date: Sat, 9 Nov 2019 18:43:06 +0800 +Subject: tcp: remove redundant new line from tcp_event_sk_skb + +From: Tony Lu + +[ Upstream commit dd3d792def0d4f33bbf319982b1878b0c8aaca34 ] + +This removes '\n' from trace event class tcp_event_sk_skb to avoid +redundant new blank line and make output compact. + +Fixes: af4325ecc24f ("tcp: expose sk_state in tcp_retransmit_skb tracepoint") +Reviewed-by: Eric Dumazet +Reviewed-by: Yafang Shao +Signed-off-by: Tony Lu +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/trace/events/tcp.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/include/trace/events/tcp.h ++++ b/include/trace/events/tcp.h +@@ -86,7 +86,7 @@ DECLARE_EVENT_CLASS(tcp_event_sk_skb, + sk->sk_v6_rcv_saddr, sk->sk_v6_daddr); + ), + +- TP_printk("sport=%hu dport=%hu saddr=%pI4 daddr=%pI4 saddrv6=%pI6c daddrv6=%pI6c state=%s\n", ++ TP_printk("sport=%hu dport=%hu saddr=%pI4 daddr=%pI4 saddrv6=%pI6c daddrv6=%pI6c state=%s", + __entry->sport, __entry->dport, __entry->saddr, __entry->daddr, + __entry->saddr_v6, __entry->daddr_v6, + show_tcp_state_name(__entry->state))