From: Greg Kroah-Hartman Date: Tue, 1 Oct 2019 13:28:56 +0000 (+0200) Subject: 5.2-stable patches X-Git-Tag: v4.4.195~75 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=caec0e4ffad8a6378b7374a9325029ad7a48a255;p=thirdparty%2Fkernel%2Fstable-queue.git 5.2-stable patches added patches: appletalk-enforce-cap_net_raw-for-raw-sockets.patch arcnet-provide-a-buffer-big-enough-to-actually-receive-packets.patch ax25-enforce-cap_net_raw-for-raw-sockets.patch cdc_ncm-fix-divide-by-zero-caused-by-invalid-wmaxpacketsize.patch ieee802154-enforce-cap_net_raw-for-raw-sockets.patch ipv4-revert-removal-of-rt_uses_gateway.patch ipv6-do-not-free-rt-if-fib_lookup_noref-is-set-on-suppress-rule.patch macsec-drop-skb-sk-before-calling-gro_cells_receive.patch misdn-enforce-cap_net_raw-for-raw-sockets.patch net-mlx5-add-device-id-of-upcoming-bluefield-2.patch net-mlx5e-fix-traffic-duplication-in-ethtool-steering.patch net-phy-fix-dp83865-10-mbps-hdx-loopback-disable-function.patch net-phy-micrel-add-asym-pause-workaround-for-ksz9021.patch net-qrtr-stop-rx_worker-before-freeing-node.patch net-sched-act_sample-don-t-push-mac-header-on-ip6gre-ingress.patch net-sched-cbs-fix-not-adding-cbs-instance-to-list.patch net-sched-fix-possible-crash-in-tcf_action_destroy.patch net_sched-add-max-len-check-for-tca_kind.patch net_sched-add-policy-validation-for-action-attributes.patch nfc-enforce-cap_net_raw-for-raw-sockets.patch nfp-flower-fix-memory-leak-in-nfp_flower_spawn_vnic_reprs.patch nfp-flower-prevent-memory-leak-in-nfp_flower_spawn_phy_reprs.patch openvswitch-change-type-of-upcall_pid-attribute-to-nla_unspec.patch ppp-fix-memory-leak-in-ppp_write.patch sch_netem-fix-a-divide-by-zero-in-tabledist.patch selftests-update-fib_tests-to-handle-missing-ping6.patch skge-fix-checksum-byte-order.patch tcp-better-handle-tcp_user_timeout-in-syn_sent-state.patch tcp_bbr-fix-quantization-code-to-not-raise-cwnd-if-not-probing-bandwidth.patch usbnet-ignore-endpoints-with-invalid-wmaxpacketsize.patch 
usbnet-sanity-checking-of-packet-sizes-and-device-mtu.patch vrf-do-not-attempt-to-create-ipv6-mcast-rule-if-ipv6-is-disabled.patch --- diff --git a/queue-5.2/appletalk-enforce-cap_net_raw-for-raw-sockets.patch b/queue-5.2/appletalk-enforce-cap_net_raw-for-raw-sockets.patch new file mode 100644 index 00000000000..924b40be5ce --- /dev/null +++ b/queue-5.2/appletalk-enforce-cap_net_raw-for-raw-sockets.patch @@ -0,0 +1,34 @@ +From foo@baz Tue 01 Oct 2019 03:28:23 PM CEST +From: Ori Nimron +Date: Fri, 20 Sep 2019 09:35:46 +0200 +Subject: appletalk: enforce CAP_NET_RAW for raw sockets + +From: Ori Nimron + +[ Upstream commit 6cc03e8aa36c51f3b26a0d21a3c4ce2809c842ac ] + +When creating a raw AF_APPLETALK socket, CAP_NET_RAW needs to be checked +first. + +Signed-off-by: Ori Nimron +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/appletalk/ddp.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/net/appletalk/ddp.c ++++ b/net/appletalk/ddp.c +@@ -1023,6 +1023,11 @@ static int atalk_create(struct net *net, + */ + if (sock->type != SOCK_RAW && sock->type != SOCK_DGRAM) + goto out; ++ ++ rc = -EPERM; ++ if (sock->type == SOCK_RAW && !kern && !capable(CAP_NET_RAW)) ++ goto out; ++ + rc = -ENOMEM; + sk = sk_alloc(net, PF_APPLETALK, GFP_KERNEL, &ddp_proto, kern); + if (!sk) diff --git a/queue-5.2/arcnet-provide-a-buffer-big-enough-to-actually-receive-packets.patch b/queue-5.2/arcnet-provide-a-buffer-big-enough-to-actually-receive-packets.patch new file mode 100644 index 00000000000..d3bf0a1bcbe --- /dev/null +++ b/queue-5.2/arcnet-provide-a-buffer-big-enough-to-actually-receive-packets.patch 
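Review bot: The `!kern` exemption on the new SOCK_RAW check in atalk_create is not explained, and the three sibling patches in this batch (ax25-, ieee802154- and misdn-enforce-cap_net_raw-for-raw-sockets) add the same `capable(CAP_NET_RAW)` test without it, so in-kernel socket creation for those families is judged on the current task's credentials; whether any such kern caller exists for them is not visible here. Either form should be chosen deliberately and stated at the check, e.g. `/* in-kernel callers (kern) are exempt; userspace raw sockets require CAP_NET_RAW */`. The remainder of atalk_create lies outside the hunk.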
@@ -0,0 +1,101 @@ +From foo@baz Tue 01 Oct 2019 03:28:23 PM CEST +From: "Uwe Kleine-König" +Date: Fri, 20 Sep 2019 16:08:21 +0200 +Subject: arcnet: provide a buffer big enough to actually receive packets + +From: "Uwe Kleine-König" + +[ Upstream commit 108639aac35eb57f1d0e8333f5fc8c7ff68df938 ] + +struct archdr is only big enough to hold the header of various types of +arcnet packets. So to provide enough space to hold the data read from +hardware provide a buffer large enough to hold a packet with maximal +size. + +The problem was noticed by the stack protector which makes the kernel +oops. + +Signed-off-by: Uwe Kleine-König +Acked-by: Michael Grzeschik +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/arcnet/arcnet.c | 31 +++++++++++++++++-------------- + 1 file changed, 17 insertions(+), 14 deletions(-) + +--- a/drivers/net/arcnet/arcnet.c ++++ b/drivers/net/arcnet/arcnet.c +@@ -1063,31 +1063,34 @@ EXPORT_SYMBOL(arcnet_interrupt); + static void arcnet_rx(struct net_device *dev, int bufnum) + { + struct arcnet_local *lp = netdev_priv(dev); +- struct archdr pkt; ++ union { ++ struct archdr pkt; ++ char buf[512]; ++ } rxdata; + struct arc_rfc1201 *soft; + int length, ofs; + +- soft = &pkt.soft.rfc1201; ++ soft = &rxdata.pkt.soft.rfc1201; + +- lp->hw.copy_from_card(dev, bufnum, 0, &pkt, ARC_HDR_SIZE); +- if (pkt.hard.offset[0]) { +- ofs = pkt.hard.offset[0]; ++ lp->hw.copy_from_card(dev, bufnum, 0, &rxdata.pkt, ARC_HDR_SIZE); ++ if (rxdata.pkt.hard.offset[0]) { ++ ofs = rxdata.pkt.hard.offset[0]; + length = 256 - ofs; + } else { +- ofs = pkt.hard.offset[1]; ++ ofs = rxdata.pkt.hard.offset[1]; + length = 512 - ofs; + } + + /* get the full header, if possible */ +- if (sizeof(pkt.soft) <= length) { +- lp->hw.copy_from_card(dev, bufnum, ofs, soft, sizeof(pkt.soft)); ++ if (sizeof(rxdata.pkt.soft) <= length) { ++ lp->hw.copy_from_card(dev, bufnum, ofs, soft, sizeof(rxdata.pkt.soft)); + } else { +- memset(&pkt.soft, 0, 
sizeof(pkt.soft)); ++ memset(&rxdata.pkt.soft, 0, sizeof(rxdata.pkt.soft)); + lp->hw.copy_from_card(dev, bufnum, ofs, soft, length); + } + + arc_printk(D_DURING, dev, "Buffer #%d: received packet from %02Xh to %02Xh (%d+4 bytes)\n", +- bufnum, pkt.hard.source, pkt.hard.dest, length); ++ bufnum, rxdata.pkt.hard.source, rxdata.pkt.hard.dest, length); + + dev->stats.rx_packets++; + dev->stats.rx_bytes += length + ARC_HDR_SIZE; +@@ -1096,13 +1099,13 @@ static void arcnet_rx(struct net_device + if (arc_proto_map[soft->proto]->is_ip) { + if (BUGLVL(D_PROTO)) { + struct ArcProto +- *oldp = arc_proto_map[lp->default_proto[pkt.hard.source]], ++ *oldp = arc_proto_map[lp->default_proto[rxdata.pkt.hard.source]], + *newp = arc_proto_map[soft->proto]; + + if (oldp != newp) { + arc_printk(D_PROTO, dev, + "got protocol %02Xh; encap for host %02Xh is now '%c' (was '%c')\n", +- soft->proto, pkt.hard.source, ++ soft->proto, rxdata.pkt.hard.source, + newp->suffix, oldp->suffix); + } + } +@@ -1111,10 +1114,10 @@ static void arcnet_rx(struct net_device + lp->default_proto[0] = soft->proto; + + /* in striking contrast, the following isn't a hack. */ +- lp->default_proto[pkt.hard.source] = soft->proto; ++ lp->default_proto[rxdata.pkt.hard.source] = soft->proto; + } + /* call the protocol-specific receiver. */ +- arc_proto_map[soft->proto]->rx(dev, bufnum, &pkt, length); ++ arc_proto_map[soft->proto]->rx(dev, bufnum, &rxdata.pkt, length); + } + + static void null_rx(struct net_device *dev, int bufnum, diff --git a/queue-5.2/ax25-enforce-cap_net_raw-for-raw-sockets.patch b/queue-5.2/ax25-enforce-cap_net_raw-for-raw-sockets.patch new file mode 100644 index 00000000000..56802557095 --- /dev/null +++ b/queue-5.2/ax25-enforce-cap_net_raw-for-raw-sockets.patch 
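Review bot: The 512-byte union removes the header-sized overrun, but the second copy_from_card() in arcnet_rx still writes `length` bytes at `soft`, which sits ARC_HDR_SIZE bytes into rxdata, so in the `length = 512 - ofs` branch an offset smaller than ARC_HDR_SIZE would still run past `buf[512]`; whether the card can report such an offset is not visible here, but the value is read from the hardware buffer rather than chosen by the driver. A bound before the copy would make the buffer's size self-evident, e.g. `if (length > (int)sizeof(rxdata) - ARC_HDR_SIZE) /* reject or truncate the frame */`, with the frame accounted in dev->stats as the existing counters are. The rest of arcnet_rx, including the per-protocol rx() call, is in the later hunks of this patch.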
@@ -0,0 +1,31 @@ +From foo@baz Tue 01 Oct 2019 03:28:23 PM CEST +From: Ori Nimron +Date: Fri, 20 Sep 2019 09:35:47 +0200 +Subject: ax25: enforce CAP_NET_RAW for raw sockets + +From: Ori Nimron + +[ Upstream commit 0614e2b73768b502fc32a75349823356d98aae2c ] + +When creating a raw AF_AX25 socket, CAP_NET_RAW needs to be checked +first. + +Signed-off-by: Ori Nimron +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ax25/af_ax25.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/net/ax25/af_ax25.c ++++ b/net/ax25/af_ax25.c +@@ -855,6 +855,8 @@ static int ax25_create(struct net *net, + break; + + case SOCK_RAW: ++ if (!capable(CAP_NET_RAW)) ++ return -EPERM; + break; + default: + return -ESOCKTNOSUPPORT; diff --git a/queue-5.2/cdc_ncm-fix-divide-by-zero-caused-by-invalid-wmaxpacketsize.patch b/queue-5.2/cdc_ncm-fix-divide-by-zero-caused-by-invalid-wmaxpacketsize.patch new file mode 100644 index 00000000000..76668fdc9db --- /dev/null +++ b/queue-5.2/cdc_ncm-fix-divide-by-zero-caused-by-invalid-wmaxpacketsize.patch 
@@ -0,0 +1,41 @@ +From foo@baz Tue 01 Oct 2019 03:28:23 PM CEST +From: "Bjørn Mork" +Date: Wed, 18 Sep 2019 14:01:46 +0200 +Subject: cdc_ncm: fix divide-by-zero caused by invalid wMaxPacketSize + +From: "Bjørn Mork" + +[ Upstream commit 3fe4b3351301660653a2bc73f2226da0ebd2b95e ] + +Endpoints with zero wMaxPacketSize are not usable for transferring +data. Ignore such endpoints when looking for valid in, out and +status pipes, to make the driver more robust against invalid and +meaningless descriptors. + +The wMaxPacketSize of the out pipe is used as divisor. So this change +fixes a divide-by-zero bug. + +Reported-by: syzbot+ce366e2b8296e25d84f5@syzkaller.appspotmail.com +Signed-off-by: Bjørn Mork +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/cdc_ncm.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/net/usb/cdc_ncm.c ++++ b/drivers/net/usb/cdc_ncm.c +@@ -681,8 +681,12 @@ cdc_ncm_find_endpoints(struct usbnet *de + u8 ep; + + for (ep = 0; ep < intf->cur_altsetting->desc.bNumEndpoints; ep++) { +- + e = intf->cur_altsetting->endpoint + ep; ++ ++ /* ignore endpoints which cannot transfer data */ ++ if (!usb_endpoint_maxp(&e->desc)) ++ continue; ++ + switch (e->desc.bmAttributes & USB_ENDPOINT_XFERTYPE_MASK) { + case USB_ENDPOINT_XFER_INT: + if (usb_endpoint_dir_in(&e->desc)) { diff --git a/queue-5.2/ieee802154-enforce-cap_net_raw-for-raw-sockets.patch b/queue-5.2/ieee802154-enforce-cap_net_raw-for-raw-sockets.patch new file mode 100644 index 00000000000..393f0ac75cb --- /dev/null +++ b/queue-5.2/ieee802154-enforce-cap_net_raw-for-raw-sockets.patch 
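Review bot: The comment on the new skip in cdc_ncm_find_endpoints says what is ignored but not why it matters; the commit message explains that the out pipe's wMaxPacketSize is later used as a divisor, and that reasoning belongs next to the check so it is not simplified away later. Suggest `/* ignore endpoints which cannot transfer data; a zero wMaxPacketSize would later be used as a divisor */`. The loop can now finish without any usable endpoint; presumably that case is rejected after the loop, outside the hunk, and is worth confirming.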
@@ -0,0 +1,33 @@ +From foo@baz Tue 01 Oct 2019 03:28:23 PM CEST +From: Ori Nimron +Date: Fri, 20 Sep 2019 09:35:48 +0200 +Subject: ieee802154: enforce CAP_NET_RAW for raw sockets + +From: Ori Nimron + +[ Upstream commit e69dbd4619e7674c1679cba49afd9dd9ac347eef ] + +When creating a raw AF_IEEE802154 socket, CAP_NET_RAW needs to be +checked first. + +Signed-off-by: Ori Nimron +Signed-off-by: Greg Kroah-Hartman +Acked-by: Stefan Schmidt +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ieee802154/socket.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/net/ieee802154/socket.c ++++ b/net/ieee802154/socket.c +@@ -1008,6 +1008,9 @@ static int ieee802154_create(struct net + + switch (sock->type) { + case SOCK_RAW: ++ rc = -EPERM; ++ if (!capable(CAP_NET_RAW)) ++ goto out; + proto = &ieee802154_raw_prot; + ops = &ieee802154_raw_ops; + break; diff --git a/queue-5.2/ipv4-revert-removal-of-rt_uses_gateway.patch b/queue-5.2/ipv4-revert-removal-of-rt_uses_gateway.patch new file mode 100644 index 00000000000..233cd32cbc5 --- /dev/null +++ b/queue-5.2/ipv4-revert-removal-of-rt_uses_gateway.patch 
@@ -0,0 +1,196 @@ +From foo@baz Tue 01 Oct 2019 03:28:23 PM CEST +From: David Ahern +Date: Tue, 17 Sep 2019 10:39:49 -0700 +Subject: ipv4: Revert removal of rt_uses_gateway + +From: David Ahern + +[ Upstream commit 77d5bc7e6a6cf8bbeca31aab7f0c5449a5eee762 ] + +Julian noted that rt_uses_gateway has a more subtle use than 'is gateway +set': + https://lore.kernel.org/netdev/alpine.LFD.2.21.1909151104060.2546@ja.home.ssi.bg/ + +Revert that part of the commit referenced in the Fixes tag. + +Currently, there are no u8 holes in 'struct rtable'. There is a 4-byte hole +in the second cacheline which contains the gateway declaration. So move +rt_gw_family down to the gateway declarations since they are always used +together, and then re-use that u8 for rt_uses_gateway. End result is that +rtable size is unchanged. + +Fixes: 1550c171935d ("ipv4: Prepare rtable for IPv6 gateway") +Reported-by: Julian Anastasov +Signed-off-by: David Ahern +Reviewed-by: Julian Anastasov +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/core/addr.c | 2 +- + include/net/route.h | 3 ++- + net/ipv4/inet_connection_sock.c | 4 ++-- + net/ipv4/ip_forward.c | 2 +- + net/ipv4/ip_output.c | 2 +- + net/ipv4/route.c | 36 +++++++++++++++++++++--------------- + net/ipv4/xfrm4_policy.c | 1 + + 7 files changed, 29 insertions(+), 21 deletions(-) + +--- a/drivers/infiniband/core/addr.c ++++ b/drivers/infiniband/core/addr.c +@@ -352,7 +352,7 @@ static bool has_gateway(const struct dst + + if (family == AF_INET) { + rt = container_of(dst, struct rtable, dst); +- return rt->rt_gw_family == AF_INET; ++ return rt->rt_uses_gateway; + } + + rt6 = container_of(dst, struct rt6_info, dst); +--- a/include/net/route.h ++++ b/include/net/route.h +@@ -53,10 +53,11 @@ struct rtable { + unsigned int rt_flags; + __u16 rt_type; + __u8 rt_is_input; +- u8 rt_gw_family; ++ __u8 rt_uses_gateway; + + int rt_iif; + ++ u8 rt_gw_family; + /* Info on neighbour */ + union { + __be32 rt_gw4; +--- 
a/net/ipv4/inet_connection_sock.c ++++ b/net/ipv4/inet_connection_sock.c +@@ -560,7 +560,7 @@ struct dst_entry *inet_csk_route_req(con + rt = ip_route_output_flow(net, fl4, sk); + if (IS_ERR(rt)) + goto no_route; +- if (opt && opt->opt.is_strictroute && rt->rt_gw_family) ++ if (opt && opt->opt.is_strictroute && rt->rt_uses_gateway) + goto route_err; + rcu_read_unlock(); + return &rt->dst; +@@ -598,7 +598,7 @@ struct dst_entry *inet_csk_route_child_s + rt = ip_route_output_flow(net, fl4, sk); + if (IS_ERR(rt)) + goto no_route; +- if (opt && opt->opt.is_strictroute && rt->rt_gw_family) ++ if (opt && opt->opt.is_strictroute && rt->rt_uses_gateway) + goto route_err; + return &rt->dst; + +--- a/net/ipv4/ip_forward.c ++++ b/net/ipv4/ip_forward.c +@@ -123,7 +123,7 @@ int ip_forward(struct sk_buff *skb) + + rt = skb_rtable(skb); + +- if (opt->is_strictroute && rt->rt_gw_family) ++ if (opt->is_strictroute && rt->rt_uses_gateway) + goto sr_failed; + + IPCB(skb)->flags |= IPSKB_FORWARDED; +--- a/net/ipv4/ip_output.c ++++ b/net/ipv4/ip_output.c +@@ -482,7 +482,7 @@ int __ip_queue_xmit(struct sock *sk, str + skb_dst_set_noref(skb, &rt->dst); + + packet_routed: +- if (inet_opt && inet_opt->opt.is_strictroute && rt->rt_gw_family) ++ if (inet_opt && inet_opt->opt.is_strictroute && rt->rt_uses_gateway) + goto no_route; + + /* OK, we know where to send it, allocate and build IP header. 
*/ +--- a/net/ipv4/route.c ++++ b/net/ipv4/route.c +@@ -634,6 +634,7 @@ static void fill_route_from_fnhe(struct + + if (fnhe->fnhe_gw) { + rt->rt_flags |= RTCF_REDIRECTED; ++ rt->rt_uses_gateway = 1; + rt->rt_gw_family = AF_INET; + rt->rt_gw4 = fnhe->fnhe_gw; + } +@@ -1312,7 +1313,7 @@ static unsigned int ipv4_mtu(const struc + mtu = READ_ONCE(dst->dev->mtu); + + if (unlikely(ip_mtu_locked(dst))) { +- if (rt->rt_gw_family && mtu > 576) ++ if (rt->rt_uses_gateway && mtu > 576) + mtu = 576; + } + +@@ -1569,6 +1570,7 @@ static void rt_set_nexthop(struct rtable + struct fib_nh_common *nhc = FIB_RES_NHC(*res); + + if (nhc->nhc_gw_family && nhc->nhc_scope == RT_SCOPE_LINK) { ++ rt->rt_uses_gateway = 1; + rt->rt_gw_family = nhc->nhc_gw_family; + /* only INET and INET6 are supported */ + if (likely(nhc->nhc_gw_family == AF_INET)) +@@ -1634,6 +1636,7 @@ struct rtable *rt_dst_alloc(struct net_d + rt->rt_iif = 0; + rt->rt_pmtu = 0; + rt->rt_mtu_locked = 0; ++ rt->rt_uses_gateway = 0; + rt->rt_gw_family = 0; + rt->rt_gw4 = 0; + INIT_LIST_HEAD(&rt->rt_uncached); +@@ -2664,6 +2667,7 @@ struct dst_entry *ipv4_blackhole_route(s + rt->rt_genid = rt_genid_ipv4(net); + rt->rt_flags = ort->rt_flags; + rt->rt_type = ort->rt_type; ++ rt->rt_uses_gateway = ort->rt_uses_gateway; + rt->rt_gw_family = ort->rt_gw_family; + if (rt->rt_gw_family == AF_INET) + rt->rt_gw4 = ort->rt_gw4; +@@ -2747,21 +2751,23 @@ static int rt_fill_info(struct net *net, + if (nla_put_in_addr(skb, RTA_PREFSRC, fl4->saddr)) + goto nla_put_failure; + } +- if (rt->rt_gw_family == AF_INET && +- nla_put_in_addr(skb, RTA_GATEWAY, rt->rt_gw4)) { +- goto nla_put_failure; +- } else if (rt->rt_gw_family == AF_INET6) { +- int alen = sizeof(struct in6_addr); +- struct nlattr *nla; +- struct rtvia *via; +- +- nla = nla_reserve(skb, RTA_VIA, alen + 2); +- if (!nla) ++ if (rt->rt_uses_gateway) { ++ if (rt->rt_gw_family == AF_INET && ++ nla_put_in_addr(skb, RTA_GATEWAY, rt->rt_gw4)) { + goto nla_put_failure; +- +- via = 
nla_data(nla); +- via->rtvia_family = AF_INET6; +- memcpy(via->rtvia_addr, &rt->rt_gw6, alen); ++ } else if (rt->rt_gw_family == AF_INET6) { ++ int alen = sizeof(struct in6_addr); ++ struct nlattr *nla; ++ struct rtvia *via; ++ ++ nla = nla_reserve(skb, RTA_VIA, alen + 2); ++ if (!nla) ++ goto nla_put_failure; ++ ++ via = nla_data(nla); ++ via->rtvia_family = AF_INET6; ++ memcpy(via->rtvia_addr, &rt->rt_gw6, alen); ++ } + } + + expires = rt->dst.expires; +--- a/net/ipv4/xfrm4_policy.c ++++ b/net/ipv4/xfrm4_policy.c +@@ -85,6 +85,7 @@ static int xfrm4_fill_dst(struct xfrm_ds + xdst->u.rt.rt_flags = rt->rt_flags & (RTCF_BROADCAST | RTCF_MULTICAST | + RTCF_LOCAL); + xdst->u.rt.rt_type = rt->rt_type; ++ xdst->u.rt.rt_uses_gateway = rt->rt_uses_gateway; + xdst->u.rt.rt_gw_family = rt->rt_gw_family; + if (rt->rt_gw_family == AF_INET) + xdst->u.rt.rt_gw4 = rt->rt_gw4; diff --git a/queue-5.2/ipv6-do-not-free-rt-if-fib_lookup_noref-is-set-on-suppress-rule.patch b/queue-5.2/ipv6-do-not-free-rt-if-fib_lookup_noref-is-set-on-suppress-rule.patch new file mode 100644 index 00000000000..5f76fd618e7 --- /dev/null +++ b/queue-5.2/ipv6-do-not-free-rt-if-fib_lookup_noref-is-set-on-suppress-rule.patch 
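Review bot: In the include/net/route.h hunk the new `__u8 rt_uses_gateway` and the relocated `u8 rt_gw_family` carry no comment, although the commit message stresses that rt_uses_gateway is not simply "rt_gw_family != 0"; since every setter in this patch (fill_route_from_fnhe, rt_set_nexthop, rt_dst_alloc, ipv4_blackhole_route, xfrm4_fill_dst) assigns both fields together, the distinction is invisible from the code and should be written at the declaration, e.g. `/* nexthop is a gateway; deliberately distinct from rt_gw_family being set */`. The struct also now mixes `__u8` (`rt_is_input`, `rt_uses_gateway`) and `u8` (`rt_gw_family`) for adjacent members; `u8` for all three would be consistent in a kernel-internal header. Because the two flags are assigned separately, a future setter that forgets one silently changes the strict-route checks in ip_forward() and __ip_queue_xmit(); a small helper that sets both from one place would remove that hazard.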
@@ -0,0 +1,79 @@ +From foo@baz Tue 01 Oct 2019 03:28:23 PM CEST +From: "Jason A. Donenfeld" +Date: Tue, 24 Sep 2019 16:01:28 +0200 +Subject: ipv6: do not free rt if FIB_LOOKUP_NOREF is set on suppress rule + +From: "Jason A. Donenfeld" + +[ Upstream commit ca7a03c4175366a92cee0ccc4fec0038c3266e26 ] + +Commit 7d9e5f422150 removed references from certain dsts, but accounting +for this never translated down into the fib6 suppression code. This bug +was triggered by WireGuard users who use wg-quick(8), which uses the +"suppress-prefix" directive to ip-rule(8) for routing all of their +internet traffic without routing loops. The test case added here +causes the reference underflow by causing packets to evaluate a suppress +rule. + +Fixes: 7d9e5f422150 ("ipv6: convert major tx path to use RT6_LOOKUP_F_DST_NOREF") +Signed-off-by: Jason A. Donenfeld +Acked-by: Wei Wang +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/fib6_rules.c | 3 ++- + tools/testing/selftests/net/fib_tests.sh | 17 ++++++++++++++++- + 2 files changed, 18 insertions(+), 2 deletions(-) + +--- a/net/ipv6/fib6_rules.c ++++ b/net/ipv6/fib6_rules.c +@@ -285,7 +285,8 @@ static bool fib6_rule_suppress(struct fi + return false; + + suppress_route: +- ip6_rt_put(rt); ++ if (!(arg->flags & FIB_LOOKUP_NOREF)) ++ ip6_rt_put(rt); + return true; + } + +--- a/tools/testing/selftests/net/fib_tests.sh ++++ b/tools/testing/selftests/net/fib_tests.sh +@@ -9,7 +9,7 @@ ret=0 + ksft_skip=4 + + # all tests in this script. 
Can be overridden with -t option +-TESTS="unregister down carrier nexthop ipv6_rt ipv4_rt ipv6_addr_metric ipv4_addr_metric ipv6_route_metrics ipv4_route_metrics ipv4_route_v6_gw" ++TESTS="unregister down carrier nexthop suppress ipv6_rt ipv4_rt ipv6_addr_metric ipv4_addr_metric ipv6_route_metrics ipv4_route_metrics ipv4_route_v6_gw" + + VERBOSE=0 + PAUSE_ON_FAIL=no +@@ -582,6 +582,20 @@ fib_nexthop_test() + cleanup + } + ++fib_suppress_test() ++{ ++ $IP link add dummy1 type dummy ++ $IP link set dummy1 up ++ $IP -6 route add default dev dummy1 ++ $IP -6 rule add table main suppress_prefixlength 0 ++ ping -f -c 1000 -W 1 1234::1 || true ++ $IP -6 rule del table main suppress_prefixlength 0 ++ $IP link del dummy1 ++ ++ # If we got here without crashing, we're good. ++ return 0 ++} ++ + ################################################################################ + # Tests on route add and replace + +@@ -1558,6 +1572,7 @@ do + fib_down_test|down) fib_down_test;; + fib_carrier_test|carrier) fib_carrier_test;; + fib_nexthop_test|nexthop) fib_nexthop_test;; ++ fib_suppress_test|suppress) fib_suppress_test;; + ipv6_route_test|ipv6_rt) ipv6_route_test;; + ipv4_route_test|ipv4_rt) ipv4_route_test;; + ipv6_addr_metric) ipv6_addr_metric_test;; diff --git a/queue-5.2/macsec-drop-skb-sk-before-calling-gro_cells_receive.patch b/queue-5.2/macsec-drop-skb-sk-before-calling-gro_cells_receive.patch new file mode 100644 index 00000000000..1bd8ffafa2a --- /dev/null +++ b/queue-5.2/macsec-drop-skb-sk-before-calling-gro_cells_receive.patch 
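Review bot: The new fib_suppress_test in tools/testing/selftests/net/fib_tests.sh can never report a failure: the only exercised command is `ping -f -c 1000 -W 1 1234::1 || true` and the function returns 0 unconditionally, so a regression of the fib6_rule_suppress fix that does not take the kernel down goes unnoticed. The comment should at least say so, e.g. `# Smoke test only: a reference underflow here surfaces as a kernel splat, never as a failing command`. This batch also carries selftests-update-fib_tests-to-handle-missing-ping6 (listed at the top of this commit); the new test calls plain `ping` with an IPv6 target and likely needs the same helper to run where only ping6 exists. The fib6_rules.c change is consistent with the FIB_LOOKUP_NOREF convention; fib6_rule_suppress starts outside the hunk.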
@@ -0,0 +1,61 @@ +From foo@baz Tue 01 Oct 2019 03:28:23 PM CEST +From: Xin Long +Date: Mon, 23 Sep 2019 17:02:46 +0800 +Subject: macsec: drop skb sk before calling gro_cells_receive + +From: Xin Long + +[ Upstream commit ba56d8ce38c8252fff5b745db3899cf092578ede ] + +Fei Liu reported a crash when doing netperf on a topo of macsec +dev over veth: + + [ 448.919128] refcount_t: underflow; use-after-free. + [ 449.090460] Call trace: + [ 449.092895] refcount_sub_and_test+0xb4/0xc0 + [ 449.097155] tcp_wfree+0x2c/0x150 + [ 449.100460] ip_rcv+0x1d4/0x3a8 + [ 449.103591] __netif_receive_skb_core+0x554/0xae0 + [ 449.108282] __netif_receive_skb+0x28/0x78 + [ 449.112366] netif_receive_skb_internal+0x54/0x100 + [ 449.117144] napi_gro_complete+0x70/0xc0 + [ 449.121054] napi_gro_flush+0x6c/0x90 + [ 449.124703] napi_complete_done+0x50/0x130 + [ 449.128788] gro_cell_poll+0x8c/0xa8 + [ 449.132351] net_rx_action+0x16c/0x3f8 + [ 449.136088] __do_softirq+0x128/0x320 + +The issue was caused by skb's true_size changed without its sk's +sk_wmem_alloc increased in tcp/skb_gro_receive(). Later when the +skb is being freed and the skb's truesize is subtracted from its +sk's sk_wmem_alloc in tcp_wfree(), underflow occurs. + +macsec is calling gro_cells_receive() to receive a packet, which +actually requires skb->sk to be NULL. However when macsec dev is +over veth, it's possible the skb->sk is still set if the skb was +not unshared or expanded from the peer veth. + +ip_rcv() is calling skb_orphan() to drop the skb's sk for tproxy, +but it is too late for macsec's calling gro_cells_receive(). So +fix it by dropping the skb's sk earlier on rx path of macsec. + +Fixes: 5491e7c6b1a9 ("macsec: enable GRO and RPS on macsec devices") +Reported-by: Xiumei Mu +Reported-by: Fei Liu +Signed-off-by: Xin Long +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/macsec.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/macsec.c ++++ b/drivers/net/macsec.c +@@ -1235,6 +1235,7 @@ deliver: + macsec_rxsa_put(rx_sa); + macsec_rxsc_put(rx_sc); + ++ skb_orphan(skb); + ret = gro_cells_receive(&macsec->gro_cells, skb); + if (ret == NET_RX_SUCCESS) + count_rx(dev, skb->len); diff --git a/queue-5.2/misdn-enforce-cap_net_raw-for-raw-sockets.patch b/queue-5.2/misdn-enforce-cap_net_raw-for-raw-sockets.patch new file mode 100644 index 00000000000..0ad6bc69390 --- /dev/null +++ b/queue-5.2/misdn-enforce-cap_net_raw-for-raw-sockets.patch @@ -0,0 +1,31 @@ +From foo@baz Tue 01 Oct 2019 03:28:23 PM CEST +From: Ori Nimron +Date: Fri, 20 Sep 2019 09:35:45 +0200 +Subject: mISDN: enforce CAP_NET_RAW for raw sockets + +From: Ori Nimron + +[ Upstream commit b91ee4aa2a2199ba4d4650706c272985a5a32d80 ] + +When creating a raw AF_ISDN socket, CAP_NET_RAW needs to be checked +first. + +Signed-off-by: Ori Nimron +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/isdn/mISDN/socket.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/isdn/mISDN/socket.c ++++ b/drivers/isdn/mISDN/socket.c +@@ -754,6 +754,8 @@ base_sock_create(struct net *net, struct + + if (sock->type != SOCK_RAW) + return -ESOCKTNOSUPPORT; ++ if (!capable(CAP_NET_RAW)) ++ return -EPERM; + + sk = sk_alloc(net, PF_ISDN, GFP_KERNEL, &mISDN_proto, kern); + if (!sk) diff --git a/queue-5.2/net-mlx5-add-device-id-of-upcoming-bluefield-2.patch b/queue-5.2/net-mlx5-add-device-id-of-upcoming-bluefield-2.patch new file mode 100644 index 00000000000..3973fac4e99 --- /dev/null +++ b/queue-5.2/net-mlx5-add-device-id-of-upcoming-bluefield-2.patch 
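Review bot: The added `skb_orphan(skb);` in drivers/net/macsec.c carries no comment, and the reason (gro_cells_receive() requires skb->sk to be NULL, which a veth peer may leave set) lives only in the commit message. Suggest `/* gro_cells_receive() requires skb->sk == NULL; over veth the peer's socket may still be attached */` above the call. skb_orphan() also runs the skb destructor, so any accounting tied to the original socket now ends here rather than in ip_rcv(); that is the intended effect but worth stating. The enclosing deliver: path begins outside the hunk.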
@@ -0,0 +1,31 @@ +From foo@baz Tue 01 Oct 2019 03:28:23 PM CEST +From: Bodong Wang +Date: Mon, 26 Aug 2019 16:34:12 -0500 +Subject: net/mlx5: Add device ID of upcoming BlueField-2 + +From: Bodong Wang + +[ Upstream commit d19a79ee38c8fda6d297e4227e80db8bf51c71a6 ] + +Add the device ID of upcoming BlueField-2 integrated ConnectX-6 Dx +network controller. Its VFs will be using the generic VF device ID: +0x101e "ConnectX Family mlx5Gen Virtual Function". + +Fixes: 2e9d3e83ab82 ("net/mlx5: Update the list of the PCI supported devices") +Signed-off-by: Bodong Wang +Signed-off-by: Saeed Mahameed +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlx5/core/main.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/ethernet/mellanox/mlx5/core/main.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/main.c +@@ -1525,6 +1525,7 @@ static const struct pci_device_id mlx5_c + { PCI_VDEVICE(MELLANOX, 0x101e), MLX5_PCI_DEV_IS_VF}, /* ConnectX Family mlx5Gen Virtual Function */ + { PCI_VDEVICE(MELLANOX, 0xa2d2) }, /* BlueField integrated ConnectX-5 network controller */ + { PCI_VDEVICE(MELLANOX, 0xa2d3), MLX5_PCI_DEV_IS_VF}, /* BlueField integrated ConnectX-5 network controller VF */ ++ { PCI_VDEVICE(MELLANOX, 0xa2d6) }, /* BlueField-2 integrated ConnectX-6 Dx network controller */ + { 0, } + }; + diff --git a/queue-5.2/net-mlx5e-fix-traffic-duplication-in-ethtool-steering.patch b/queue-5.2/net-mlx5e-fix-traffic-duplication-in-ethtool-steering.patch new file mode 100644 index 00000000000..e830a846c5c --- /dev/null +++ b/queue-5.2/net-mlx5e-fix-traffic-duplication-in-ethtool-steering.patch 
@@ -0,0 +1,41 @@ +From foo@baz Tue 01 Oct 2019 03:28:23 PM CEST +From: Saeed Mahameed +Date: Wed, 11 Sep 2019 07:50:13 -0700 +Subject: net/mlx5e: Fix traffic duplication in ethtool steering + +From: Saeed Mahameed + +[ Upstream commit d22fcc806b84b9818de08b32e494f3c05dd236c7 ] + +Before this patch, when adding multiple ethtool steering rules with +identical classification, the driver used to append the new destination +to the already existing hw rule, which caused the hw to forward the +traffic to all destinations (rx queues). + +Here we avoid this by setting the "no append" mlx5 fs core flag when +adding a new ethtool rule. + +Fixes: 6dc6071cfcde ("net/mlx5e: Add ethtool flow steering support") +Signed-off-by: Saeed Mahameed +Reviewed-by: Maor Gottlieb +Signed-off-by: Saeed Mahameed +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlx5/core/en_fs_ethtool.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_fs_ethtool.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_fs_ethtool.c +@@ -397,10 +397,10 @@ add_ethtool_flow_rule(struct mlx5e_priv + struct mlx5_flow_table *ft, + struct ethtool_rx_flow_spec *fs) + { ++ struct mlx5_flow_act flow_act = { .flags = FLOW_ACT_NO_APPEND }; + struct mlx5_flow_destination *dst = NULL; +- struct mlx5_flow_act flow_act = {0}; +- struct mlx5_flow_spec *spec; + struct mlx5_flow_handle *rule; ++ struct mlx5_flow_spec *spec; + int err = 0; + + spec = kvzalloc(sizeof(*spec), GFP_KERNEL); diff --git a/queue-5.2/net-phy-fix-dp83865-10-mbps-hdx-loopback-disable-function.patch b/queue-5.2/net-phy-fix-dp83865-10-mbps-hdx-loopback-disable-function.patch new file mode 100644 index 00000000000..3472e7afeeb --- /dev/null +++ b/queue-5.2/net-phy-fix-dp83865-10-mbps-hdx-loopback-disable-function.patch 
@@ -0,0 +1,45 @@ +From foo@baz Tue 01 Oct 2019 03:28:23 PM CEST +From: Peter Mamonov +Date: Wed, 18 Sep 2019 19:27:55 +0300 +Subject: net/phy: fix DP83865 10 Mbps HDX loopback disable function + +From: Peter Mamonov + +[ Upstream commit e47488b2df7f9cb405789c7f5d4c27909fc597ae ] + +According to the DP83865 datasheet "the 10 Mbps HDX loopback can be +disabled in the expanded memory register 0x1C0.1". The driver erroneously +used bit 0 instead of bit 1. + +Fixes: 4621bf129856 ("phy: Add file missed in previous commit.") +Signed-off-by: Peter Mamonov +Reviewed-by: Andrew Lunn +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/phy/national.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +--- a/drivers/net/phy/national.c ++++ b/drivers/net/phy/national.c +@@ -105,14 +105,17 @@ static void ns_giga_speed_fallback(struc + + static void ns_10_base_t_hdx_loopack(struct phy_device *phydev, int disable) + { ++ u16 lb_dis = BIT(1); ++ + if (disable) +- ns_exp_write(phydev, 0x1c0, ns_exp_read(phydev, 0x1c0) | 1); ++ ns_exp_write(phydev, 0x1c0, ++ ns_exp_read(phydev, 0x1c0) | lb_dis); + else + ns_exp_write(phydev, 0x1c0, +- ns_exp_read(phydev, 0x1c0) & 0xfffe); ++ ns_exp_read(phydev, 0x1c0) & ~lb_dis); + + pr_debug("10BASE-T HDX loopback %s\n", +- (ns_exp_read(phydev, 0x1c0) & 0x0001) ? "off" : "on"); ++ (ns_exp_read(phydev, 0x1c0) & lb_dis) ? "off" : "on"); + } + + static int ns_config_init(struct phy_device *phydev) diff --git a/queue-5.2/net-phy-micrel-add-asym-pause-workaround-for-ksz9021.patch b/queue-5.2/net-phy-micrel-add-asym-pause-workaround-for-ksz9021.patch new file mode 100644 index 00000000000..6f3ec33a321 --- /dev/null +++ b/queue-5.2/net-phy-micrel-add-asym-pause-workaround-for-ksz9021.patch 
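Review bot: `u16 lb_dis = BIT(1);` in ns_10_base_t_hdx_loopack is a register-bit constant declared as a mutable local; a named file-scope constant makes the datasheet reference discoverable, e.g. `#define NS_EXP_10BT_HDX_LB_DIS BIT(1) /* reg 0x1C0 bit 1: 10 Mbps HDX loopback disable */`. The pr_debug mapping (bit set prints "off") is correct for a disable bit but reads inverted at a glance; `/* bit set = loopback disabled */` next to it would help. The misspelled function name (`loopack`) predates this patch.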
@@ -0,0 +1,45 @@ +From foo@baz Tue 01 Oct 2019 03:28:23 PM CEST +From: Hans Andersson +Date: Thu, 26 Sep 2019 09:54:37 +0200 +Subject: net: phy: micrel: add Asym Pause workaround for KSZ9021 + +From: Hans Andersson + +[ Upstream commit 407d8098cb1ab338199f4753162799a488d87d23 ] + +The Micrel KSZ9031 PHY may fail to establish a link when the Asymmetric +Pause capability is set. This issue is described in a Silicon Errata +(DS80000691D or DS80000692D), which advises to always disable the +capability. + +Micrel KSZ9021 has no errata, but has the same issue with Asymmetric Pause. +This patch apply the same workaround as the one for KSZ9031. + +Fixes: 3aed3e2a143c ("net: phy: micrel: add Asym Pause workaround") +Signed-off-by: Hans Andersson +Reviewed-by: Andrew Lunn +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/phy/micrel.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/net/phy/micrel.c ++++ b/drivers/net/phy/micrel.c +@@ -763,6 +763,8 @@ static int ksz9031_get_features(struct p + * Whenever the device's Asymmetric Pause capability is set to 1, + * link-up may fail after a link-up to link-down transition. + * ++ * The Errata Sheet is for ksz9031, but ksz9021 has the same issue ++ * + * Workaround: + * Do not enable the Asymmetric Pause capability bit. + */ +@@ -1076,6 +1078,7 @@ static struct phy_driver ksphy_driver[] + /* PHY_GBIT_FEATURES */ + .driver_data = &ksz9021_type, + .probe = kszphy_probe, ++ .get_features = ksz9031_get_features, + .config_init = ksz9021_config_init, + .ack_interrupt = kszphy_ack_interrupt, + .config_intr = kszphy_config_intr, diff --git a/queue-5.2/net-qrtr-stop-rx_worker-before-freeing-node.patch b/queue-5.2/net-qrtr-stop-rx_worker-before-freeing-node.patch new file mode 100644 index 00000000000..8e6d0c0fe2f --- /dev/null +++ b/queue-5.2/net-qrtr-stop-rx_worker-before-freeing-node.patch 
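Review bot: The ksz9021 driver entry now points `.get_features` at ksz9031_get_features, but nothing at that entry says why a ksz9031 function is used, and the sentence inserted into the ksz9031_get_features comment lacks a terminating period and sits between the errata description and the "Workaround:" paragraph. Suggest `.get_features = ksz9031_get_features, /* shares the Asym Pause workaround */` at the driver entry, and `* The Errata Sheet is for ksz9031, but ksz9021 has the same issue.` in the comment. The ksphy_driver[] array continues outside the hunk.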
@@ -0,0 +1,33 @@ +From foo@baz Tue 01 Oct 2019 03:28:23 PM CEST +From: Bjorn Andersson +Date: Wed, 18 Sep 2019 10:21:17 -0700 +Subject: net: qrtr: Stop rx_worker before freeing node + +From: Bjorn Andersson + +[ Upstream commit 73f0c11d11329a0d6d205d4312b6e5d2512af7c5 ] + +As the endpoint is unregistered there might still be work pending to +handle incoming messages, which will result in a use after free +scenario. The plan is to remove the rx_worker, but until then (and for +stable@) ensure that the work is stopped before the node is freed. + +Fixes: bdabad3e363d ("net: Add Qualcomm IPC router") +Cc: stable@vger.kernel.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/qrtr/qrtr.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/qrtr/qrtr.c ++++ b/net/qrtr/qrtr.c +@@ -150,6 +150,7 @@ static void __qrtr_node_release(struct k + list_del(&node->item); + mutex_unlock(&qrtr_node_lock); + ++ cancel_work_sync(&node->work); + skb_queue_purge(&node->rx_queue); + kfree(node); + } diff --git a/queue-5.2/net-sched-act_sample-don-t-push-mac-header-on-ip6gre-ingress.patch b/queue-5.2/net-sched-act_sample-don-t-push-mac-header-on-ip6gre-ingress.patch new file mode 100644 index 00000000000..d62287f2e98 --- /dev/null +++ b/queue-5.2/net-sched-act_sample-don-t-push-mac-header-on-ip6gre-ingress.patch 
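Review bot: `cancel_work_sync(&node->work)` in __qrtr_node_release runs after the node is unlinked under qrtr_node_lock, which is the right order, but the hunk does not show whether anything can still queue node->work after that point (a late endpoint delivery, for instance); if it can, the work would still run against the freed node despite this fix. A comment stating the invariant would make that reviewable: `/* node is off the list, so nothing should queue work after this; wait for in-flight rx_worker before kfree() */`. The commit message says the rx_worker is slated for removal; until then this ordering is what keeps the kfree() safe.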
@@ -0,0 +1,40 @@ +From foo@baz Tue 01 Oct 2019 03:28:23 PM CEST +From: Davide Caratti +Date: Tue, 17 Sep 2019 11:30:55 +0200 +Subject: net/sched: act_sample: don't push mac header on ip6gre ingress + +From: Davide Caratti + +[ Upstream commit 92974a1d006ad8b30d53047c70974c9e065eb7df ] + +current 'sample' action doesn't push the mac header of ingress packets if +they are received by a layer 3 tunnel (like gre or sit); but it forgot to +check for gre over ipv6, so the following script: + + # tc q a dev $d clsact + # tc f a dev $d ingress protocol ip flower ip_proto icmp action sample \ + > group 100 rate 1 + # psample -v -g 100 + +dumps everything, including outer header and mac, when $d is a gre tunnel +over ipv6. Fix this adding a missing label for ARPHRD_IP6GRE devices. + +Fixes: 5c5670fae430 ("net/sched: Introduce sample tc action") +Signed-off-by: Davide Caratti +Reviewed-by: Yotam Gigi +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/sched/act_sample.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/sched/act_sample.c ++++ b/net/sched/act_sample.c +@@ -146,6 +146,7 @@ static bool tcf_sample_dev_ok_push(struc + case ARPHRD_TUNNEL6: + case ARPHRD_SIT: + case ARPHRD_IPGRE: ++ case ARPHRD_IP6GRE: + case ARPHRD_VOID: + case ARPHRD_NONE: + return false; diff --git a/queue-5.2/net-sched-cbs-fix-not-adding-cbs-instance-to-list.patch b/queue-5.2/net-sched-cbs-fix-not-adding-cbs-instance-to-list.patch new file mode 100644 index 00000000000..00e22aba3e1 --- /dev/null +++ b/queue-5.2/net-sched-cbs-fix-not-adding-cbs-instance-to-list.patch 
@@ -0,0 +1,169 @@ +From foo@baz Tue 01 Oct 2019 03:28:23 PM CEST +From: Vinicius Costa Gomes +Date: Mon, 23 Sep 2019 22:04:58 -0700 +Subject: net/sched: cbs: Fix not adding cbs instance to list + +From: Vinicius Costa Gomes + +[ Upstream commit 3e8b9bfa110896f95d602d8c98d5f9d67e41d78c ] + +When removing a cbs instance when offloading is enabled, the crash +below can be observed. + +The problem happens because that when offloading is enabled, the cbs +instance is not added to the list. + +Also, the current code doesn't handle correctly the case when offload +is disabled without removing the qdisc: if the link speed changes the +credit calculations will be wrong. When we create the cbs instance +with offloading enabled, it's not added to the notification list, when +later we disable offloading, it's not in the list, so link speed +changes will not affect it. + +The solution for both issues is the same, add the cbs instance being +created unconditionally to the global list, even if the link state +notification isn't useful "right now". + +Crash log: + +[518758.189866] BUG: kernel NULL pointer dereference, address: 0000000000000000 +[518758.189870] #PF: supervisor read access in kernel mode +[518758.189871] #PF: error_code(0x0000) - not-present page +[518758.189872] PGD 0 P4D 0 +[518758.189874] Oops: 0000 [#1] SMP PTI +[518758.189876] CPU: 3 PID: 4825 Comm: tc Not tainted 5.2.9 #1 +[518758.189877] Hardware name: Gigabyte Technology Co., Ltd. 
Z390 AORUS ULTRA/Z390 AORUS ULTRA-CF, BIOS F7 03/14/2019 +[518758.189881] RIP: 0010:__list_del_entry_valid+0x29/0xa0 +[518758.189883] Code: 90 48 b8 00 01 00 00 00 00 ad de 55 48 8b 17 4c 8b 47 08 48 89 e5 48 39 c2 74 27 48 b8 00 02 00 00 00 00 ad de 49 39 c0 74 2d <49> 8b 30 48 39 fe 75 3d 48 8b 52 08 48 39 f2 75 4c b8 01 00 00 00 +[518758.189885] RSP: 0018:ffffa27e43903990 EFLAGS: 00010207 +[518758.189887] RAX: dead000000000200 RBX: ffff8bce69f0f000 RCX: 0000000000000000 +[518758.189888] RDX: 0000000000000000 RSI: ffff8bce69f0f064 RDI: ffff8bce69f0f1e0 +[518758.189890] RBP: ffffa27e43903990 R08: 0000000000000000 R09: ffff8bce69e788c0 +[518758.189891] R10: ffff8bce62acd400 R11: 00000000000003cb R12: ffff8bce69e78000 +[518758.189892] R13: ffff8bce69f0f140 R14: 0000000000000000 R15: 0000000000000000 +[518758.189894] FS: 00007fa1572c8f80(0000) GS:ffff8bce6e0c0000(0000) knlGS:0000000000000000 +[518758.189895] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[518758.189896] CR2: 0000000000000000 CR3: 000000040a398006 CR4: 00000000003606e0 +[518758.189898] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[518758.189899] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +[518758.189900] Call Trace: +[518758.189904] cbs_destroy+0x32/0xa0 [sch_cbs] +[518758.189906] qdisc_destroy+0x45/0x120 +[518758.189907] qdisc_put+0x25/0x30 +[518758.189908] qdisc_graft+0x2c1/0x450 +[518758.189910] tc_get_qdisc+0x1c8/0x310 +[518758.189912] ? get_page_from_freelist+0x91a/0xcb0 +[518758.189914] rtnetlink_rcv_msg+0x293/0x360 +[518758.189916] ? kmem_cache_alloc_node_trace+0x178/0x260 +[518758.189918] ? __kmalloc_node_track_caller+0x38/0x50 +[518758.189920] ? 
rtnl_calcit.isra.0+0xf0/0xf0 +[518758.189922] netlink_rcv_skb+0x48/0x110 +[518758.189923] rtnetlink_rcv+0x10/0x20 +[518758.189925] netlink_unicast+0x15b/0x1d0 +[518758.189926] netlink_sendmsg+0x1ea/0x380 +[518758.189929] sock_sendmsg+0x2f/0x40 +[518758.189930] ___sys_sendmsg+0x295/0x2f0 +[518758.189932] ? ___sys_recvmsg+0x151/0x1e0 +[518758.189933] ? do_wp_page+0x7e/0x450 +[518758.189935] __sys_sendmsg+0x48/0x80 +[518758.189937] __x64_sys_sendmsg+0x1a/0x20 +[518758.189939] do_syscall_64+0x53/0x1f0 +[518758.189941] entry_SYSCALL_64_after_hwframe+0x44/0xa9 +[518758.189942] RIP: 0033:0x7fa15755169a +[518758.189944] Code: 48 c7 c0 ff ff ff ff eb be 0f 1f 80 00 00 00 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 18 b8 2e 00 00 00 c5 fc 77 0f 05 <48> 3d 00 f0 ff ff 77 5e c3 0f 1f 44 00 00 48 83 ec 28 89 54 24 1c +[518758.189946] RSP: 002b:00007ffda58b60b8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e +[518758.189948] RAX: ffffffffffffffda RBX: 000055e4b836d9a0 RCX: 00007fa15755169a +[518758.189949] RDX: 0000000000000000 RSI: 00007ffda58b6128 RDI: 0000000000000003 +[518758.189951] RBP: 00007ffda58b6190 R08: 0000000000000001 R09: 000055e4b9d848a0 +[518758.189952] R10: 0000000000000000 R11: 0000000000000246 R12: 000000005d654b49 +[518758.189953] R13: 0000000000000000 R14: 00007ffda58b6230 R15: 00007ffda58b6210 +[518758.189955] Modules linked in: sch_cbs sch_etf sch_mqprio netlink_diag unix_diag e1000e igb intel_pch_thermal thermal video backlight pcc_cpufreq +[518758.189960] CR2: 0000000000000000 +[518758.189961] ---[ end trace 6a13f7aaf5376019 ]--- +[518758.189963] RIP: 0010:__list_del_entry_valid+0x29/0xa0 +[518758.189964] Code: 90 48 b8 00 01 00 00 00 00 ad de 55 48 8b 17 4c 8b 47 08 48 89 e5 48 39 c2 74 27 48 b8 00 02 00 00 00 00 ad de 49 39 c0 74 2d <49> 8b 30 48 39 fe 75 3d 48 8b 52 08 48 39 f2 75 4c b8 01 00 00 00 +[518758.189967] RSP: 0018:ffffa27e43903990 EFLAGS: 00010207 +[518758.189968] RAX: dead000000000200 RBX: ffff8bce69f0f000 RCX: 0000000000000000 
+[518758.189969] RDX: 0000000000000000 RSI: ffff8bce69f0f064 RDI: ffff8bce69f0f1e0 +[518758.189971] RBP: ffffa27e43903990 R08: 0000000000000000 R09: ffff8bce69e788c0 +[518758.189972] R10: ffff8bce62acd400 R11: 00000000000003cb R12: ffff8bce69e78000 +[518758.189973] R13: ffff8bce69f0f140 R14: 0000000000000000 R15: 0000000000000000 +[518758.189975] FS: 00007fa1572c8f80(0000) GS:ffff8bce6e0c0000(0000) knlGS:0000000000000000 +[518758.189976] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[518758.189977] CR2: 0000000000000000 CR3: 000000040a398006 CR4: 00000000003606e0 +[518758.189979] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[518758.189980] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + +Fixes: e0a7683d30e9 ("net/sched: cbs: fix port_rate miscalculation") +Signed-off-by: Vinicius Costa Gomes +Acked-by: Cong Wang +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/sched/sch_cbs.c | 30 +++++++++++++----------------- + 1 file changed, 13 insertions(+), 17 deletions(-) + +--- a/net/sched/sch_cbs.c ++++ b/net/sched/sch_cbs.c +@@ -392,7 +392,6 @@ static int cbs_init(struct Qdisc *sch, s + { + struct cbs_sched_data *q = qdisc_priv(sch); + struct net_device *dev = qdisc_dev(sch); +- int err; + + if (!opt) { + NL_SET_ERR_MSG(extack, "Missing CBS qdisc options which are mandatory"); +@@ -404,6 +403,10 @@ static int cbs_init(struct Qdisc *sch, s + if (!q->qdisc) + return -ENOMEM; + ++ spin_lock(&cbs_list_lock); ++ list_add(&q->cbs_list, &cbs_list); ++ spin_unlock(&cbs_list_lock); ++ + qdisc_hash_add(q->qdisc, false); + + q->queue = sch->dev_queue - netdev_get_tx_queue(dev, 0); +@@ -413,17 +416,7 @@ static int cbs_init(struct Qdisc *sch, s + + qdisc_watchdog_init(&q->watchdog, sch); + +- err = cbs_change(sch, opt, extack); +- if (err) +- return err; +- +- if (!q->offload) { +- spin_lock(&cbs_list_lock); +- list_add(&q->cbs_list, &cbs_list); +- spin_unlock(&cbs_list_lock); +- } +- +- return 0; ++ return 
cbs_change(sch, opt, extack); + } + + static void cbs_destroy(struct Qdisc *sch) +@@ -431,15 +424,18 @@ static void cbs_destroy(struct Qdisc *sc + struct cbs_sched_data *q = qdisc_priv(sch); + struct net_device *dev = qdisc_dev(sch); + +- spin_lock(&cbs_list_lock); +- list_del(&q->cbs_list); +- spin_unlock(&cbs_list_lock); ++ /* Nothing to do if we couldn't create the underlying qdisc */ ++ if (!q->qdisc) ++ return; + + qdisc_watchdog_cancel(&q->watchdog); + cbs_disable_offload(dev, q); + +- if (q->qdisc) +- qdisc_put(q->qdisc); ++ spin_lock(&cbs_list_lock); ++ list_del(&q->cbs_list); ++ spin_unlock(&cbs_list_lock); ++ ++ qdisc_put(q->qdisc); + } + + static int cbs_dump(struct Qdisc *sch, struct sk_buff *skb) diff --git a/queue-5.2/net-sched-fix-possible-crash-in-tcf_action_destroy.patch b/queue-5.2/net-sched-fix-possible-crash-in-tcf_action_destroy.patch new file mode 100644 index 00000000000..6a28765159b --- /dev/null +++ b/queue-5.2/net-sched-fix-possible-crash-in-tcf_action_destroy.patch 
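Review bot: The early `return` added in cbs_destroy() relies on an invariant that the new cbs_init() establishes only by statement order — q->qdisc is allocated before list_add(), so a NULL q->qdisc means the instance never joined cbs_list and list_del() must be skipped — and the comment `Nothing to do if we couldn't create the underlying qdisc` does not say so. Suggest extending it to `/* q->qdisc is allocated before we join cbs_list, so NULL here means list_add() never ran and list_del() must not run either */`, so a later reorder of cbs_init() does not reintroduce the unlinked list_del() the crash log shows. The unconditional list_add() also means a cbs_change() failure leaves the instance on the list until destroy(), which is only safe if the qdisc core calls ->destroy() after a failed ->init() — worth confirming for this tree. cbs_init() begins above the first hunk.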
@@ -0,0 +1,72 @@ +From foo@baz Tue 01 Oct 2019 03:28:23 PM CEST +From: Eric Dumazet +Date: Wed, 18 Sep 2019 12:57:04 -0700 +Subject: net: sched: fix possible crash in tcf_action_destroy() + +From: Eric Dumazet + +[ Upstream commit 3d66b89c30f9220a72e92847768fc8ba4d027d88 ] + +If the allocation done in tcf_exts_init() failed, +we end up with a NULL pointer in exts->actions. + +kasan: GPF could be caused by NULL-ptr deref or user memory access +general protection fault: 0000 [#1] PREEMPT SMP KASAN +CPU: 1 PID: 8198 Comm: syz-executor.3 Not tainted 5.3.0-rc8+ #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +RIP: 0010:tcf_action_destroy+0x71/0x160 net/sched/act_api.c:705 +Code: c3 08 44 89 ee e8 4f cb bb fb 41 83 fd 20 0f 84 c9 00 00 00 e8 c0 c9 bb fb 48 89 d8 48 b9 00 00 00 00 00 fc ff df 48 c1 e8 03 <80> 3c 08 00 0f 85 c0 00 00 00 4c 8b 33 4d 85 f6 0f 84 9d 00 00 00 +RSP: 0018:ffff888096e16ff0 EFLAGS: 00010246 +RAX: 0000000000000000 RBX: 0000000000000000 RCX: dffffc0000000000 +RDX: 0000000000040000 RSI: ffffffff85b6ab30 RDI: 0000000000000000 +RBP: ffff888096e17020 R08: ffff8880993f6140 R09: fffffbfff11cae67 +R10: fffffbfff11cae66 R11: ffffffff88e57333 R12: 0000000000000000 +R13: 0000000000000000 R14: ffff888096e177a0 R15: 0000000000000001 +FS: 00007f62bc84a700(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000000000758040 CR3: 0000000088b64000 CR4: 00000000001426e0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + tcf_exts_destroy+0x38/0xb0 net/sched/cls_api.c:3030 + tcindex_set_parms+0xf7f/0x1e50 net/sched/cls_tcindex.c:488 + tcindex_change+0x230/0x318 net/sched/cls_tcindex.c:519 + tc_new_tfilter+0xa4b/0x1c70 net/sched/cls_api.c:2152 + rtnetlink_rcv_msg+0x838/0xb00 net/core/rtnetlink.c:5214 + netlink_rcv_skb+0x177/0x450 net/netlink/af_netlink.c:2477 + 
rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:5241 + netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline] + netlink_unicast+0x531/0x710 net/netlink/af_netlink.c:1328 + netlink_sendmsg+0x8a5/0xd60 net/netlink/af_netlink.c:1917 + sock_sendmsg_nosec net/socket.c:637 [inline] + sock_sendmsg+0xd7/0x130 net/socket.c:657 + ___sys_sendmsg+0x3e2/0x920 net/socket.c:2311 + __sys_sendmmsg+0x1bf/0x4d0 net/socket.c:2413 + __do_sys_sendmmsg net/socket.c:2442 [inline] + +Fixes: 90b73b77d08e ("net: sched: change action API to use array of pointers to actions") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Cc: Vlad Buslov +Cc: Jiri Pirko +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/sched/cls_api.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/net/sched/cls_api.c ++++ b/net/sched/cls_api.c +@@ -3031,8 +3031,10 @@ out: + void tcf_exts_destroy(struct tcf_exts *exts) + { + #ifdef CONFIG_NET_CLS_ACT +- tcf_action_destroy(exts->actions, TCA_ACT_UNBIND); +- kfree(exts->actions); ++ if (exts->actions) { ++ tcf_action_destroy(exts->actions, TCA_ACT_UNBIND); ++ kfree(exts->actions); ++ } + exts->nr_actions = 0; + #endif + } diff --git a/queue-5.2/net_sched-add-max-len-check-for-tca_kind.patch b/queue-5.2/net_sched-add-max-len-check-for-tca_kind.patch new file mode 100644 index 00000000000..c4a6d51aa08 --- /dev/null +++ b/queue-5.2/net_sched-add-max-len-check-for-tca_kind.patch 
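Review bot: The new NULL check carries no explanation in the code; the reason (tcf_exts_init() can leave exts->actions NULL when its allocation fails, per the commit message) should sit next to it so nobody later removes it as redundant. Suggest `/* exts->actions stays NULL if tcf_exts_init() failed to allocate it */` directly above the `if (exts->actions)` line. Keeping `exts->nr_actions = 0;` outside the condition is right, since it leaves the struct consistent for the caller in both cases.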
@@ -0,0 +1,39 @@ +From foo@baz Tue 01 Oct 2019 03:28:23 PM CEST +From: Cong Wang +Date: Wed, 18 Sep 2019 16:24:12 -0700 +Subject: net_sched: add max len check for TCA_KIND + +From: Cong Wang + +[ Upstream commit 62794fc4fbf52f2209dc094ea255eaef760e7d01 ] + +The TCA_KIND attribute is of NLA_STRING which does not check +the NUL char. KMSAN reported an uninit-value of TCA_KIND which +is likely caused by the lack of NUL. + +Change it to NLA_NUL_STRING and add a max len too. + +Fixes: 8b4c3cdd9dd8 ("net: sched: Add policy validation for tc attributes") +Reported-and-tested-by: syzbot+618aacd49e8c8b8486bd@syzkaller.appspotmail.com +Cc: Jamal Hadi Salim +Signed-off-by: Cong Wang +Reviewed-by: David Ahern +Acked-by: Jiri Pirko +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/sched/sch_api.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/sched/sch_api.c ++++ b/net/sched/sch_api.c +@@ -1390,7 +1390,8 @@ check_loop_fn(struct Qdisc *q, unsigned + } + + const struct nla_policy rtm_tca_policy[TCA_MAX + 1] = { +- [TCA_KIND] = { .type = NLA_STRING }, ++ [TCA_KIND] = { .type = NLA_NUL_STRING, ++ .len = IFNAMSIZ - 1 }, + [TCA_RATE] = { .type = NLA_BINARY, + .len = sizeof(struct tc_estimator) }, + [TCA_STAB] = { .type = NLA_NESTED }, diff --git a/queue-5.2/net_sched-add-policy-validation-for-action-attributes.patch b/queue-5.2/net_sched-add-policy-validation-for-action-attributes.patch new file mode 100644 index 00000000000..1d1ef2c2d31 --- /dev/null +++ b/queue-5.2/net_sched-add-policy-validation-for-action-attributes.patch 
@@ -0,0 +1,102 @@ +From foo@baz Tue 01 Oct 2019 03:28:23 PM CEST +From: Cong Wang +Date: Wed, 18 Sep 2019 18:44:43 -0700 +Subject: net_sched: add policy validation for action attributes + +From: Cong Wang + +[ Upstream commit 199ce850ce112315cfc68d42b694bcaa27b097b7 ] + +Similar to commit 8b4c3cdd9dd8 +("net: sched: Add policy validation for tc attributes"), we need +to add proper policy validation for TC action attributes too. + +Cc: David Ahern +Cc: Jamal Hadi Salim +Signed-off-by: Cong Wang +Acked-by: Jiri Pirko +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/sched/act_api.c | 34 ++++++++++++++++++---------------- + 1 file changed, 18 insertions(+), 16 deletions(-) + +--- a/net/sched/act_api.c ++++ b/net/sched/act_api.c +@@ -828,6 +828,15 @@ static struct tc_cookie *nla_memdup_cook + return c; + } + ++static const struct nla_policy tcf_action_policy[TCA_ACT_MAX + 1] = { ++ [TCA_ACT_KIND] = { .type = NLA_NUL_STRING, ++ .len = IFNAMSIZ - 1 }, ++ [TCA_ACT_INDEX] = { .type = NLA_U32 }, ++ [TCA_ACT_COOKIE] = { .type = NLA_BINARY, ++ .len = TC_COOKIE_MAX_SIZE }, ++ [TCA_ACT_OPTIONS] = { .type = NLA_NESTED }, ++}; ++ + struct tc_action *tcf_action_init_1(struct net *net, struct tcf_proto *tp, + struct nlattr *nla, struct nlattr *est, + char *name, int ovr, int bind, +@@ -843,8 +852,8 @@ struct tc_action *tcf_action_init_1(stru + int err; + + if (name == NULL) { +- err = nla_parse_nested_deprecated(tb, TCA_ACT_MAX, nla, NULL, +- extack); ++ err = nla_parse_nested_deprecated(tb, TCA_ACT_MAX, nla, ++ tcf_action_policy, extack); + if (err < 0) + goto err_out; + err = -EINVAL; +@@ -853,18 +862,9 @@ struct tc_action *tcf_action_init_1(stru + NL_SET_ERR_MSG(extack, "TC action kind must be specified"); + goto err_out; + } +- if (nla_strlcpy(act_name, kind, IFNAMSIZ) >= IFNAMSIZ) { +- NL_SET_ERR_MSG(extack, "TC action name too long"); +- goto err_out; +- } +- if (tb[TCA_ACT_COOKIE]) { +- int cklen = nla_len(tb[TCA_ACT_COOKIE]); +- +- if (cklen > 
TC_COOKIE_MAX_SIZE) { +- NL_SET_ERR_MSG(extack, "TC cookie size above the maximum"); +- goto err_out; +- } ++ nla_strlcpy(act_name, kind, IFNAMSIZ); + ++ if (tb[TCA_ACT_COOKIE]) { + cookie = nla_memdup_cookie(tb); + if (!cookie) { + NL_SET_ERR_MSG(extack, "No memory to generate TC cookie"); +@@ -1095,7 +1095,8 @@ static struct tc_action *tcf_action_get_ + int index; + int err; + +- err = nla_parse_nested_deprecated(tb, TCA_ACT_MAX, nla, NULL, extack); ++ err = nla_parse_nested_deprecated(tb, TCA_ACT_MAX, nla, ++ tcf_action_policy, extack); + if (err < 0) + goto err_out; + +@@ -1149,7 +1150,8 @@ static int tca_action_flush(struct net * + + b = skb_tail_pointer(skb); + +- err = nla_parse_nested_deprecated(tb, TCA_ACT_MAX, nla, NULL, extack); ++ err = nla_parse_nested_deprecated(tb, TCA_ACT_MAX, nla, ++ tcf_action_policy, extack); + if (err < 0) + goto err_out; + +@@ -1437,7 +1439,7 @@ static struct nlattr *find_dump_kind(str + + if (tb[1] == NULL) + return NULL; +- if (nla_parse_nested_deprecated(tb2, TCA_ACT_MAX, tb[1], NULL, NULL) < 0) ++ if (nla_parse_nested_deprecated(tb2, TCA_ACT_MAX, tb[1], tcf_action_policy, NULL) < 0) + return NULL; + kind = tb2[TCA_ACT_KIND]; + diff --git a/queue-5.2/nfc-enforce-cap_net_raw-for-raw-sockets.patch b/queue-5.2/nfc-enforce-cap_net_raw-for-raw-sockets.patch new file mode 100644 index 00000000000..84bfa5a481b --- /dev/null +++ b/queue-5.2/nfc-enforce-cap_net_raw-for-raw-sockets.patch 
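Review bot: Moving the kind-length and cookie-size checks into tcf_action_policy silently drops the two specific extack messages ("TC action name too long", "TC cookie size above the maximum") that the removed lines emitted; callers now receive the generic policy-validation error instead, a user-visible change the commit message does not mention. The policy should also state its contract so the now-unchecked `nla_strlcpy(act_name, kind, IFNAMSIZ);` is obviously safe: `/* TCA_ACT_KIND: .len excludes the NUL, so it always fits nla_strlcpy(..., IFNAMSIZ); TCA_ACT_COOKIE: bounded to TC_COOKIE_MAX_SIZE, so nla_memdup_cookie() needs no length check */`. The same `.len = IFNAMSIZ - 1` idiom in rtm_tca_policy (net_sched-add-max-len-check-for-tca_kind hunk) would benefit from the same comment. find_dump_kind() passes a NULL extack, so over-long kinds in dump requests are rejected silently, as before.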
@@ -0,0 +1,38 @@ +From foo@baz Tue 01 Oct 2019 03:28:23 PM CEST +From: Ori Nimron +Date: Fri, 20 Sep 2019 09:35:49 +0200 +Subject: nfc: enforce CAP_NET_RAW for raw sockets + +From: Ori Nimron + +[ Upstream commit 3a359798b176183ef09efb7a3dc59abad1cc7104 ] + +When creating a raw AF_NFC socket, CAP_NET_RAW needs to be checked +first. + +Signed-off-by: Ori Nimron +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/nfc/llcp_sock.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/net/nfc/llcp_sock.c ++++ b/net/nfc/llcp_sock.c +@@ -1004,10 +1004,13 @@ static int llcp_sock_create(struct net * + sock->type != SOCK_RAW) + return -ESOCKTNOSUPPORT; + +- if (sock->type == SOCK_RAW) ++ if (sock->type == SOCK_RAW) { ++ if (!capable(CAP_NET_RAW)) ++ return -EPERM; + sock->ops = &llcp_rawsock_ops; +- else ++ } else { + sock->ops = &llcp_sock_ops; ++ } + + sk = nfc_llcp_sock_alloc(sock, sock->type, GFP_ATOMIC, kern); + if (sk == NULL) diff --git a/queue-5.2/nfp-flower-fix-memory-leak-in-nfp_flower_spawn_vnic_reprs.patch b/queue-5.2/nfp-flower-fix-memory-leak-in-nfp_flower_spawn_vnic_reprs.patch new file mode 100644 index 00000000000..a1dfac12baa --- /dev/null +++ b/queue-5.2/nfp-flower-fix-memory-leak-in-nfp_flower_spawn_vnic_reprs.patch 
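Review bot: The new `capable(CAP_NET_RAW)` check is applied regardless of the `kern` argument, which is in scope here (it is passed to nfc_llcp_sock_alloc() two lines below). If any in-kernel caller creates an LLCP raw socket, it would be judged on the current task's credentials rather than exempted; if that is not intended the guard should read `if (!kern && !capable(CAP_NET_RAW))`, otherwise a comment stating that kernel-created raw sockets are deliberately subject to the check would settle it. Returning -EPERM before `sock->ops` is assigned is correct, as nothing has been allocated yet. llcp_sock_create() begins above the hunk.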
@@ -0,0 +1,47 @@ +From foo@baz Tue 01 Oct 2019 03:28:23 PM CEST +From: Navid Emamdoost +Date: Wed, 25 Sep 2019 14:05:09 -0500 +Subject: nfp: flower: fix memory leak in nfp_flower_spawn_vnic_reprs + +From: Navid Emamdoost + +[ Upstream commit 8ce39eb5a67aee25d9f05b40b673c95b23502e3e ] + +In nfp_flower_spawn_vnic_reprs in the loop if initialization or the +allocations fail memory is leaked. Appropriate releases are added. + +Fixes: b94524529741 ("nfp: flower: add per repr private data for LAG offload") +Signed-off-by: Navid Emamdoost +Acked-by: Jakub Kicinski +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/netronome/nfp/flower/main.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/net/ethernet/netronome/nfp/flower/main.c ++++ b/drivers/net/ethernet/netronome/nfp/flower/main.c +@@ -400,6 +400,7 @@ nfp_flower_spawn_vnic_reprs(struct nfp_a + repr_priv = kzalloc(sizeof(*repr_priv), GFP_KERNEL); + if (!repr_priv) { + err = -ENOMEM; ++ nfp_repr_free(repr); + goto err_reprs_clean; + } + +@@ -413,6 +414,7 @@ nfp_flower_spawn_vnic_reprs(struct nfp_a + port = nfp_port_alloc(app, port_type, repr); + if (IS_ERR(port)) { + err = PTR_ERR(port); ++ kfree(repr_priv); + nfp_repr_free(repr); + goto err_reprs_clean; + } +@@ -433,6 +435,7 @@ nfp_flower_spawn_vnic_reprs(struct nfp_a + err = nfp_repr_init(app, repr, + port_id, port, priv->nn->dp.netdev); + if (err) { ++ kfree(repr_priv); + nfp_port_free(port); + nfp_repr_free(repr); + goto err_reprs_clean; diff --git a/queue-5.2/nfp-flower-prevent-memory-leak-in-nfp_flower_spawn_phy_reprs.patch b/queue-5.2/nfp-flower-prevent-memory-leak-in-nfp_flower_spawn_phy_reprs.patch new file mode 100644 index 00000000000..41d5e10d35e --- /dev/null +++ b/queue-5.2/nfp-flower-prevent-memory-leak-in-nfp_flower_spawn_phy_reprs.patch 
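Review bot: The two added `kfree(repr_priv)` calls are correct only if nfp_repr_free() does not itself release the per-repr private data that the lines between the first two hunks (not shown) presumably attach to repr; if it did, these paths would double-free. A comment at the first such site would record that ownership decision: `/* repr_priv is not yet owned by the repr teardown path; free it explicitly */`. The first hunk's `nfp_repr_free(repr)` before `goto err_reprs_clean` is right on its own, since repr_priv is NULL there. The same pattern and the same note apply to the nfp_flower_spawn_phy_reprs hunks in the next patch (nfp-flower-prevent-memory-leak-in-nfp_flower_spawn_phy_reprs). Both functions begin above their hunks.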
@@ -0,0 +1,54 @@ +From foo@baz Tue 01 Oct 2019 03:28:23 PM CEST +From: Navid Emamdoost +Date: Wed, 25 Sep 2019 13:24:02 -0500 +Subject: nfp: flower: prevent memory leak in nfp_flower_spawn_phy_reprs + +From: Navid Emamdoost + +[ Upstream commit 8572cea1461a006bce1d06c0c4b0575869125fa4 ] + +In nfp_flower_spawn_phy_reprs, in the for loop over eth_tbl if any of +intermediate allocations or initializations fail memory is leaked. +requiered releases are added. + +Fixes: b94524529741 ("nfp: flower: add per repr private data for LAG offload") +Signed-off-by: Navid Emamdoost +Acked-by: Jakub Kicinski +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/netronome/nfp/flower/main.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/net/ethernet/netronome/nfp/flower/main.c ++++ b/drivers/net/ethernet/netronome/nfp/flower/main.c +@@ -518,6 +518,7 @@ nfp_flower_spawn_phy_reprs(struct nfp_ap + repr_priv = kzalloc(sizeof(*repr_priv), GFP_KERNEL); + if (!repr_priv) { + err = -ENOMEM; ++ nfp_repr_free(repr); + goto err_reprs_clean; + } + +@@ -528,11 +529,13 @@ nfp_flower_spawn_phy_reprs(struct nfp_ap + port = nfp_port_alloc(app, NFP_PORT_PHYS_PORT, repr); + if (IS_ERR(port)) { + err = PTR_ERR(port); ++ kfree(repr_priv); + nfp_repr_free(repr); + goto err_reprs_clean; + } + err = nfp_port_init_phy_port(app->pf, app, port, i); + if (err) { ++ kfree(repr_priv); + nfp_port_free(port); + nfp_repr_free(repr); + goto err_reprs_clean; +@@ -545,6 +548,7 @@ nfp_flower_spawn_phy_reprs(struct nfp_ap + err = nfp_repr_init(app, repr, + cmsg_port_id, port, priv->nn->dp.netdev); + if (err) { ++ kfree(repr_priv); + nfp_port_free(port); + nfp_repr_free(repr); + goto err_reprs_clean; diff --git a/queue-5.2/openvswitch-change-type-of-upcall_pid-attribute-to-nla_unspec.patch b/queue-5.2/openvswitch-change-type-of-upcall_pid-attribute-to-nla_unspec.patch new file mode 100644 index 00000000000..4a042ff1fec --- /dev/null 
+++ b/queue-5.2/openvswitch-change-type-of-upcall_pid-attribute-to-nla_unspec.patch @@ -0,0 +1,40 @@ +From foo@baz Tue 01 Oct 2019 03:28:23 PM CEST +From: Li RongQing +Date: Tue, 24 Sep 2019 19:11:52 +0800 +Subject: openvswitch: change type of UPCALL_PID attribute to NLA_UNSPEC + +From: Li RongQing + +[ Upstream commit ea8564c865299815095bebeb4b25bef474218e4c ] + +userspace openvswitch patch "(dpif-linux: Implement the API +functions to allow multiple handler threads read upcall)" +changes its type from U32 to UNSPEC, but leave the kernel +unchanged + +and after kernel 6e237d099fac "(netlink: Relax attr validation +for fixed length types)", this bug is exposed by the below +warning + + [ 57.215841] netlink: 'ovs-vswitchd': attribute type 5 has an invalid length. + +Fixes: 5cd667b0a456 ("openvswitch: Allow each vport to have an array of 'port_id's") +Signed-off-by: Li RongQing +Acked-by: Pravin B Shelar +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/openvswitch/datapath.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/openvswitch/datapath.c ++++ b/net/openvswitch/datapath.c +@@ -2245,7 +2245,7 @@ static const struct nla_policy vport_pol + [OVS_VPORT_ATTR_STATS] = { .len = sizeof(struct ovs_vport_stats) }, + [OVS_VPORT_ATTR_PORT_NO] = { .type = NLA_U32 }, + [OVS_VPORT_ATTR_TYPE] = { .type = NLA_U32 }, +- [OVS_VPORT_ATTR_UPCALL_PID] = { .type = NLA_U32 }, ++ [OVS_VPORT_ATTR_UPCALL_PID] = { .type = NLA_UNSPEC }, + [OVS_VPORT_ATTR_OPTIONS] = { .type = NLA_NESTED }, + [OVS_VPORT_ATTR_IFINDEX] = { .type = NLA_U32 }, + [OVS_VPORT_ATTR_NETNSID] = { .type = NLA_S32 }, diff --git a/queue-5.2/ppp-fix-memory-leak-in-ppp_write.patch b/queue-5.2/ppp-fix-memory-leak-in-ppp_write.patch new file mode 100644 index 00000000000..c62c85e3dca --- /dev/null +++ b/queue-5.2/ppp-fix-memory-leak-in-ppp_write.patch 
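Review bot: Changing OVS_VPORT_ATTR_UPCALL_PID to `NLA_UNSPEC` with no `.len` removes all length validation from the policy, so the consumer of the attribute is now the only place that can check the payload is a non-empty whole multiple of sizeof(u32); that should be stated at the policy entry, e.g. `/* array of u32 upcall pids; length validated where the attribute is consumed */`. It is worth confirming in this tree that the consumer performs that check before indexing the array, since a 1–3 byte tail would otherwise be read as a partial pid. The enclosing vport_policy table begins above the hunk.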
@@ -0,0 +1,61 @@ +From foo@baz Tue 01 Oct 2019 03:28:23 PM CEST +From: Takeshi Misawa +Date: Sun, 22 Sep 2019 16:45:31 +0900 +Subject: ppp: Fix memory leak in ppp_write + +From: Takeshi Misawa + +[ Upstream commit 4c247de564f1ff614d11b3bb5313fb70d7b9598b ] + +When ppp is closing, __ppp_xmit_process() failed to enqueue skb +and skb allocated in ppp_write() is leaked. + +syzbot reported : +BUG: memory leak +unreferenced object 0xffff88812a17bc00 (size 224): + comm "syz-executor673", pid 6952, jiffies 4294942888 (age 13.040s) + hex dump (first 32 bytes): + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + backtrace: + [<00000000d110fff9>] kmemleak_alloc_recursive include/linux/kmemleak.h:43 [inline] + [<00000000d110fff9>] slab_post_alloc_hook mm/slab.h:522 [inline] + [<00000000d110fff9>] slab_alloc_node mm/slab.c:3262 [inline] + [<00000000d110fff9>] kmem_cache_alloc_node+0x163/0x2f0 mm/slab.c:3574 + [<000000002d616113>] __alloc_skb+0x6e/0x210 net/core/skbuff.c:197 + [<000000000167fc45>] alloc_skb include/linux/skbuff.h:1055 [inline] + [<000000000167fc45>] ppp_write+0x48/0x120 drivers/net/ppp/ppp_generic.c:502 + [<000000009ab42c0b>] __vfs_write+0x43/0xa0 fs/read_write.c:494 + [<00000000086b2e22>] vfs_write fs/read_write.c:558 [inline] + [<00000000086b2e22>] vfs_write+0xee/0x210 fs/read_write.c:542 + [<00000000a2b70ef9>] ksys_write+0x7c/0x130 fs/read_write.c:611 + [<00000000ce5e0fdd>] __do_sys_write fs/read_write.c:623 [inline] + [<00000000ce5e0fdd>] __se_sys_write fs/read_write.c:620 [inline] + [<00000000ce5e0fdd>] __x64_sys_write+0x1e/0x30 fs/read_write.c:620 + [<00000000d9d7b370>] do_syscall_64+0x76/0x1a0 arch/x86/entry/common.c:296 + [<0000000006e6d506>] entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +Fix this by freeing skb, if ppp is closing. 
+ +Fixes: 6d066734e9f0 ("ppp: avoid loop in xmit recursion detection code") +Reported-and-tested-by: syzbot+d9c8bf24e56416d7ce2c@syzkaller.appspotmail.com +Signed-off-by: Takeshi Misawa +Reviewed-by: Guillaume Nault +Tested-by: Guillaume Nault +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ppp/ppp_generic.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/net/ppp/ppp_generic.c ++++ b/drivers/net/ppp/ppp_generic.c +@@ -1415,6 +1415,8 @@ static void __ppp_xmit_process(struct pp + netif_wake_queue(ppp->dev); + else + netif_stop_queue(ppp->dev); ++ } else { ++ kfree_skb(skb); + } + ppp_xmit_unlock(ppp); + } diff --git a/queue-5.2/sch_netem-fix-a-divide-by-zero-in-tabledist.patch b/queue-5.2/sch_netem-fix-a-divide-by-zero-in-tabledist.patch new file mode 100644 index 00000000000..b8c35fa7434 --- /dev/null +++ b/queue-5.2/sch_netem-fix-a-divide-by-zero-in-tabledist.patch @@ -0,0 +1,36 @@ +From foo@baz Tue 01 Oct 2019 03:28:23 PM CEST +From: Eric Dumazet +Date: Wed, 18 Sep 2019 08:05:39 -0700 +Subject: sch_netem: fix a divide by zero in tabledist() + +From: Eric Dumazet + +[ Upstream commit b41d936b5ecfdb3a4abc525ce6402a6c49cffddc ] + +syzbot managed to crash the kernel in tabledist() loading +an empty distribution table. + + t = dist->table[rnd % dist->size]; + +Simply return an error when such load is attempted. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/sched/sch_netem.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/sched/sch_netem.c ++++ b/net/sched/sch_netem.c +@@ -777,7 +777,7 @@ static int get_dist_table(struct Qdisc * + struct disttable *d; + int i; + +- if (n > NETEM_DIST_MAX) ++ if (!n || n > NETEM_DIST_MAX) + return -EINVAL; + + d = kvmalloc(sizeof(struct disttable) + n * sizeof(s16), GFP_KERNEL); 
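Review bot: The added `else { kfree_skb(skb); }` says nothing about why the skb is dropped here, and the condition it pairs with lies above the hunk, so a reader of this branch cannot tell from the code that it is the ppp-closing case. Suggest `} else { /* ppp is closing: nothing will dequeue this skb, drop it */ kfree_skb(skb); }`. __ppp_xmit_process() begins above the hunk, as does the `if` this else belongs to.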
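Review bot: The `!n` test fixes the divide by zero but leaves no trace of why an empty table is rejected; a comment above it, `/* an empty table would make tabledist() evaluate rnd % 0 */`, keeps the rationale from the commit message in the code. The declaration of n is above the hunk; if it were a signed type a negative value would pass both halves of the test, so it is worth confirming it is size_t as its use in the kvmalloc() size suggests. get_dist_table() begins above the hunk.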
diff --git a/queue-5.2/selftests-update-fib_tests-to-handle-missing-ping6.patch b/queue-5.2/selftests-update-fib_tests-to-handle-missing-ping6.patch new file mode 100644 index 00000000000..f9167ab4e49 --- /dev/null +++ b/queue-5.2/selftests-update-fib_tests-to-handle-missing-ping6.patch @@ -0,0 +1,40 @@ +From foo@baz Tue 01 Oct 2019 03:28:23 PM CEST +From: David Ahern +Date: Tue, 17 Sep 2019 10:30:21 -0700 +Subject: selftests: Update fib_tests to handle missing ping6 + +From: David Ahern + +[ Upstream commit 0360894a05ed52be268e3c4d40b2df9d94975fa6 ] + +Some distributions (e.g., debian buster) do not install ping6. Re-use +the hook in pmtu.sh to detect this and fallback to ping. + +Fixes: a0e11da78f48 ("fib_tests: Add tests for metrics on routes") +Signed-off-by: David Ahern +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/net/fib_tests.sh | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/tools/testing/selftests/net/fib_tests.sh ++++ b/tools/testing/selftests/net/fib_tests.sh +@@ -16,6 +16,8 @@ PAUSE_ON_FAIL=no + PAUSE=no + IP="ip -netns ns1" + ++which ping6 > /dev/null 2>&1 && ping6=$(which ping6) || ping6=$(which ping) ++ + log_test() + { + local rc=$1 +@@ -1068,7 +1070,7 @@ ipv6_route_metrics_test() + log_test $rc 0 "Multipath route with mtu metric" + + $IP -6 ro add 2001:db8:104::/64 via 2001:db8:101::2 mtu 1300 +- run_cmd "ip netns exec ns1 ping6 -w1 -c1 -s 1500 2001:db8:104::1" ++ run_cmd "ip netns exec ns1 ${ping6} -w1 -c1 -s 1500 2001:db8:104::1" + log_test $? 0 "Using route with mtu metric" + + run_cmd "$IP -6 ro add 2001:db8:114::/64 via 2001:db8:101::2 congctl lock foo" diff --git a/queue-5.2/series b/queue-5.2/series new file mode 100644 index 00000000000..1e43a948e12 --- /dev/null +++ b/queue-5.2/series 
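Review bot: The fallback `ping6=$(which ping)` leaves ping6 empty when neither binary is found (and `which` itself is not guaranteed on minimal images), so the later `run_cmd "ip netns exec ns1 ${ping6} ..."` would execute `ip netns exec ns1 -w1 ...` and fail with an unrelated error. `ping6=$(command -v ping6 || command -v ping)` is POSIX and shorter, and the script could bail out early if it is still empty. The fallback also assumes the plain `ping` accepts IPv6 targets, which holds for recent iputils but deserves a comment next to the assignment.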
@@ -0,0 +1,32 @@
+arcnet-provide-a-buffer-big-enough-to-actually-receive-packets.patch
+cdc_ncm-fix-divide-by-zero-caused-by-invalid-wmaxpacketsize.patch
+ipv6-do-not-free-rt-if-fib_lookup_noref-is-set-on-suppress-rule.patch
+macsec-drop-skb-sk-before-calling-gro_cells_receive.patch
+net-phy-fix-dp83865-10-mbps-hdx-loopback-disable-function.patch
+net-qrtr-stop-rx_worker-before-freeing-node.patch
+net-sched-act_sample-don-t-push-mac-header-on-ip6gre-ingress.patch
+net_sched-add-max-len-check-for-tca_kind.patch
+nfp-flower-fix-memory-leak-in-nfp_flower_spawn_vnic_reprs.patch
+nfp-flower-prevent-memory-leak-in-nfp_flower_spawn_phy_reprs.patch
+openvswitch-change-type-of-upcall_pid-attribute-to-nla_unspec.patch
+ppp-fix-memory-leak-in-ppp_write.patch
+sch_netem-fix-a-divide-by-zero-in-tabledist.patch
+selftests-update-fib_tests-to-handle-missing-ping6.patch
+skge-fix-checksum-byte-order.patch
+tcp_bbr-fix-quantization-code-to-not-raise-cwnd-if-not-probing-bandwidth.patch
+usbnet-ignore-endpoints-with-invalid-wmaxpacketsize.patch
+usbnet-sanity-checking-of-packet-sizes-and-device-mtu.patch
+net-phy-micrel-add-asym-pause-workaround-for-ksz9021.patch
+net-sched-cbs-fix-not-adding-cbs-instance-to-list.patch
+ipv4-revert-removal-of-rt_uses_gateway.patch
+net_sched-add-policy-validation-for-action-attributes.patch
+vrf-do-not-attempt-to-create-ipv6-mcast-rule-if-ipv6-is-disabled.patch
+net-mlx5e-fix-traffic-duplication-in-ethtool-steering.patch
+net-sched-fix-possible-crash-in-tcf_action_destroy.patch
+tcp-better-handle-tcp_user_timeout-in-syn_sent-state.patch
+net-mlx5-add-device-id-of-upcoming-bluefield-2.patch
+misdn-enforce-cap_net_raw-for-raw-sockets.patch
+appletalk-enforce-cap_net_raw-for-raw-sockets.patch
+ax25-enforce-cap_net_raw-for-raw-sockets.patch
+ieee802154-enforce-cap_net_raw-for-raw-sockets.patch
+nfc-enforce-cap_net_raw-for-raw-sockets.patch
diff --git a/queue-5.2/skge-fix-checksum-byte-order.patch b/queue-5.2/skge-fix-checksum-byte-order.patch
new file mode 100644
index 00000000000..0993a6039b4
--- /dev/null
+++ b/queue-5.2/skge-fix-checksum-byte-order.patch
@@ -0,0 +1,32 @@
+From foo@baz Tue 01 Oct 2019 03:28:23 PM CEST
+From: Stephen Hemminger
+Date: Fri, 20 Sep 2019 18:18:26 +0200
+Subject: skge: fix checksum byte order
+
+From: Stephen Hemminger
+
+[ Upstream commit 5aafeb74b5bb65b34cc87c7623f9fa163a34fa3b ]
+
+Running old skge driver on PowerPC causes checksum errors
+because hardware reported 1's complement checksum is in little-endian
+byte order.
+
+Reported-by: Benoit
+Signed-off-by: Stephen Hemminger
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/marvell/skge.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/marvell/skge.c
++++ b/drivers/net/ethernet/marvell/skge.c
+@@ -3110,7 +3110,7 @@ static struct sk_buff *skge_rx_get(struc
+ skb_put(skb, len);
+ 
+ if (dev->features & NETIF_F_RXCSUM) {
+- skb->csum = csum;
++ skb->csum = le16_to_cpu(csum);
+ skb->ip_summed = CHECKSUM_COMPLETE;
+ }
+ 
diff --git a/queue-5.2/tcp-better-handle-tcp_user_timeout-in-syn_sent-state.patch b/queue-5.2/tcp-better-handle-tcp_user_timeout-in-syn_sent-state.patch
new file mode 100644
index 00000000000..b93aff4eb43
--- /dev/null
+++ b/queue-5.2/tcp-better-handle-tcp_user_timeout-in-syn_sent-state.patch
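Review bot: The new `skb->csum = le16_to_cpu(csum);` carries the reason for the conversion only in the changelog; on a little-endian host the call is a no-op, so a future cleanup could drop it as redundant unless the site says why it is there: `/* hardware reports the 1's complement sum little-endian regardless of host byte order */`. `skb->csum` is a `__wsum` while `le16_to_cpu()` yields a plain `u16`, so if the driver is kept sparse-clean the assignment probably wants a `(__force __wsum)` cast; the declaration of `csum` is outside the hunk, so this is inferred. skge_rx_get() begins and ends outside the hunk.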
@@ -0,0 +1,64 @@
+From foo@baz Tue 01 Oct 2019 03:28:23 PM CEST
+From: Eric Dumazet
+Date: Thu, 26 Sep 2019 15:42:51 -0700
+Subject: tcp: better handle TCP_USER_TIMEOUT in SYN_SENT state
+
+From: Eric Dumazet
+
+[ Upstream commit a66b10c05ee2d744189e9a2130394b070883d289 ]
+
+Yuchung Cheng and Marek Majkowski independently reported a weird
+behavior of TCP_USER_TIMEOUT option when used at connect() time.
+
+When the TCP_USER_TIMEOUT is reached, tcp_write_timeout()
+believes the flow should live, and the following condition
+in tcp_clamp_rto_to_user_timeout() programs one jiffie timers :
+
+ remaining = icsk->icsk_user_timeout - elapsed;
+ if (remaining <= 0)
+ return 1; /* user timeout has passed; fire ASAP */
+
+This silly situation ends when the max syn rtx count is reached.
+
+This patch makes sure we honor both TCP_SYNCNT and TCP_USER_TIMEOUT,
+avoiding these spurious SYN packets.
+
+Fixes: b701a99e431d ("tcp: Add tcp_clamp_rto_to_user_timeout() helper to improve accuracy")
+Signed-off-by: Eric Dumazet
+Reported-by: Yuchung Cheng
+Reported-by: Marek Majkowski
+Cc: Jon Maxwell
+Link: https://marc.info/?l=linux-netdev&m=156940118307949&w=2
+Acked-by: Jon Maxwell
+Tested-by: Marek Majkowski
+Signed-off-by: Marek Majkowski
+Acked-by: Yuchung Cheng
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv4/tcp_timer.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/net/ipv4/tcp_timer.c
++++ b/net/ipv4/tcp_timer.c
+@@ -210,7 +210,7 @@ static int tcp_write_timeout(struct sock
+ struct inet_connection_sock *icsk = inet_csk(sk);
+ struct tcp_sock *tp = tcp_sk(sk);
+ struct net *net = sock_net(sk);
+- bool expired, do_reset;
++ bool expired = false, do_reset;
+ int retry_until;
+ 
+ if ((1 << sk->sk_state) & (TCPF_SYN_SENT | TCPF_SYN_RECV)) {
+@@ -242,9 +242,10 @@ static int tcp_write_timeout(struct sock
+ if (tcp_out_of_resources(sk, do_reset))
+ return 1;
+ }
++ }
++ if (!expired)
+ expired = retransmits_timed_out(sk, retry_until,
+ icsk->icsk_user_timeout);
+- }
+ tcp_fastopen_active_detect_blackhole(sk, expired);
+ 
+ if (BPF_SOCK_OPS_TEST_FLAG(tp, BPF_SOCK_OPS_RTO_CB_FLAG))
diff --git a/queue-5.2/tcp_bbr-fix-quantization-code-to-not-raise-cwnd-if-not-probing-bandwidth.patch b/queue-5.2/tcp_bbr-fix-quantization-code-to-not-raise-cwnd-if-not-probing-bandwidth.patch
new file mode 100644
index 00000000000..28985e911ca
--- /dev/null
+++ b/queue-5.2/tcp_bbr-fix-quantization-code-to-not-raise-cwnd-if-not-probing-bandwidth.patch
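Review bot: The new declaration `bool expired = false, do_reset;` mixes an initialised and an uninitialised variable on one line, which is the pattern that hides a missing initialiser in review; kernel style is one declaration per line here: `bool expired = false;` and `bool do_reset;`. The hoisted `if (!expired)` in the second hunk only reads well if the reader knows that the `TCPF_SYN_SENT | TCPF_SYN_RECV` branch above may already have set `expired`, which happens in lines outside this hunk, so a short comment on the new guard would help: `/* the SYN_SENT/SYN_RECV path above may already have decided; otherwise fall back to the retransmit/user-timeout check */`. tcp_write_timeout() begins and ends outside the hunk.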
@@ -0,0 +1,69 @@
+From foo@baz Tue 01 Oct 2019 03:28:23 PM CEST
+From: "Kevin(Yudong) Yang"
+Date: Thu, 26 Sep 2019 10:30:05 -0400
+Subject: tcp_bbr: fix quantization code to not raise cwnd if not probing bandwidth
+
+From: "Kevin(Yudong) Yang"
+
+[ Upstream commit 6b3656a60f2067738d1a423328199720806f0c44 ]
+
+There was a bug in the previous logic that attempted to ensure gain cycling
+gets inflight above BDP even for small BDPs. This code correctly raised and
+lowered target inflight values during the gain cycle. And this code
+correctly ensured that cwnd was raised when probing bandwidth. However, it
+did not correspondingly ensure that cwnd was *not* raised in this way when
+*not* probing for bandwidth. The result was that small-BDP flows that were
+always cwnd-bound could go for many cycles with a fixed cwnd, and not probe
+or yield bandwidth at all. This meant that multiple small-BDP flows could
+fail to converge in their bandwidth allocations.
+
+Fixes: 3c346b233c68 ("tcp_bbr: fix bw probing to raise in-flight data for very small BDPs")
+Signed-off-by: Kevin(Yudong) Yang
+Acked-by: Neal Cardwell
+Acked-by: Yuchung Cheng
+Acked-by: Soheil Hassas Yeganeh
+Acked-by: Priyaranjan Jha
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv4/tcp_bbr.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/net/ipv4/tcp_bbr.c
++++ b/net/ipv4/tcp_bbr.c
+@@ -386,7 +386,7 @@ static u32 bbr_bdp(struct sock *sk, u32
+ * which allows 2 outstanding 2-packet sequences, to try to keep pipe
+ * full even with ACK-every-other-packet delayed ACKs.
+ */
+-static u32 bbr_quantization_budget(struct sock *sk, u32 cwnd, int gain)
++static u32 bbr_quantization_budget(struct sock *sk, u32 cwnd)
+ {
+ struct bbr *bbr = inet_csk_ca(sk);
+ 
+@@ -397,7 +397,7 @@ static u32 bbr_quantization_budget(struc
+ cwnd = (cwnd + 1) & ~1U;
+ 
+ /* Ensure gain cycling gets inflight above BDP even for small BDPs. */
+- if (bbr->mode == BBR_PROBE_BW && gain > BBR_UNIT)
++ if (bbr->mode == BBR_PROBE_BW && bbr->cycle_idx == 0)
+ cwnd += 2;
+ 
+ return cwnd;
+@@ -409,7 +409,7 @@ static u32 bbr_inflight(struct sock *sk,
+ u32 inflight;
+ 
+ inflight = bbr_bdp(sk, bw, gain);
+- inflight = bbr_quantization_budget(sk, inflight, gain);
++ inflight = bbr_quantization_budget(sk, inflight);
+ 
+ return inflight;
+ }
+@@ -529,7 +529,7 @@ static void bbr_set_cwnd(struct sock *sk
+ * due to aggregation (of data and/or ACKs) visible in the ACK stream.
+ */
+ target_cwnd += bbr_ack_aggregation_cwnd(sk);
+- target_cwnd = bbr_quantization_budget(sk, target_cwnd, gain);
++ target_cwnd = bbr_quantization_budget(sk, target_cwnd);
+ 
+ /* If we're below target cwnd, slow start cwnd toward target cwnd. */
+ if (bbr_full_bw_reached(sk)) /* only cut cwnd if we filled the pipe */
diff --git a/queue-5.2/usbnet-ignore-endpoints-with-invalid-wmaxpacketsize.patch b/queue-5.2/usbnet-ignore-endpoints-with-invalid-wmaxpacketsize.patch
new file mode 100644
index 00000000000..a42c2212e14
--- /dev/null
+++ b/queue-5.2/usbnet-ignore-endpoints-with-invalid-wmaxpacketsize.patch
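Review bot: The new test `bbr->cycle_idx == 0` in bbr_quantization_budget() replaces a self-describing condition (`gain > BBR_UNIT`) with a bare index, and the comment kept above it ("Ensure gain cycling gets inflight above BDP even for small BDPs") no longer says which phase of the cycle that is. Stating it at the site keeps the intent readable: `/* only in the cycle phase that probes for more bandwidth (index 0); other phases must not inflate cwnd */` — that index 0 is the probing phase is implied by the changelog, not visible in the hunk. Since the `gain` parameter is gone, the function's header comment (only its tail, "which allows 2 outstanding 2-packet sequences…", is visible here) should be checked for a stale mention of the gain argument.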
@@ -0,0 +1,39 @@
+From foo@baz Tue 01 Oct 2019 03:28:23 PM CEST
+From: "Bjørn Mork"
+Date: Wed, 18 Sep 2019 14:17:38 +0200
+Subject: usbnet: ignore endpoints with invalid wMaxPacketSize
+
+From: "Bjørn Mork"
+
+[ Upstream commit 8d3d7c2029c1b360f1a6b0a2fca470b57eb575c0 ]
+
+Endpoints with zero wMaxPacketSize are not usable for transferring
+data. Ignore such endpoints when looking for valid in, out and
+status pipes, to make the drivers more robust against invalid and
+meaningless descriptors.
+
+The wMaxPacketSize of these endpoints are used for memory allocations
+and as divisors in many usbnet minidrivers. Avoiding zero is therefore
+critical.
+
+Signed-off-by: Bjørn Mork
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/usb/usbnet.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/net/usb/usbnet.c
++++ b/drivers/net/usb/usbnet.c
+@@ -100,6 +100,11 @@ int usbnet_get_endpoints(struct usbnet *
+ int intr = 0;
+ 
+ e = alt->endpoint + ep;
++
++ /* ignore endpoints which cannot transfer data */
++ if (!usb_endpoint_maxp(&e->desc))
++ continue;
++
+ switch (e->desc.bmAttributes) {
+ case USB_ENDPOINT_XFER_INT:
+ if (!usb_endpoint_dir_in(&e->desc))
diff --git a/queue-5.2/usbnet-sanity-checking-of-packet-sizes-and-device-mtu.patch b/queue-5.2/usbnet-sanity-checking-of-packet-sizes-and-device-mtu.patch
new file mode 100644
index 00000000000..b7add3c51a6
--- /dev/null
+++ b/queue-5.2/usbnet-sanity-checking-of-packet-sizes-and-device-mtu.patch
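Review bot: The comment added with the new check, `/* ignore endpoints which cannot transfer data */`, states the what but not the why; the changelog's point that minidrivers use wMaxPacketSize as an allocation size and as a divisor is the property worth keeping next to the code: `/* ignore endpoints which cannot transfer data: minidrivers use wMaxPacketSize as an allocation size and divisor, so zero must never reach them */`. Placing the `continue` before the `switch` on `bmAttributes` covers interrupt, bulk and any other transfer type with one test, which looks right. The enclosing loop of usbnet_get_endpoints() begins and ends outside the hunk.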
@@ -0,0 +1,41 @@
+From foo@baz Tue 01 Oct 2019 03:28:23 PM CEST
+From: Oliver Neukum
+Date: Thu, 19 Sep 2019 10:23:08 +0200
+Subject: usbnet: sanity checking of packet sizes and device mtu
+
+From: Oliver Neukum
+
+[ Upstream commit 280ceaed79f18db930c0cc8bb21f6493490bf29c ]
+
+After a reset packet sizes and device mtu can change and need
+to be reevaluated to calculate queue sizes.
+Malicious devices can set this to zero and we divide by it.
+Introduce sanity checking.
+
+Reported-and-tested-by: syzbot+6102c120be558c885f04@syzkaller.appspotmail.com
+Signed-off-by: Oliver Neukum
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/usb/usbnet.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/usb/usbnet.c
++++ b/drivers/net/usb/usbnet.c
+@@ -344,6 +344,8 @@ void usbnet_update_max_qlen(struct usbne
+ {
+ enum usb_device_speed speed = dev->udev->speed;
+ 
++ if (!dev->rx_urb_size || !dev->hard_mtu)
++ goto insanity;
+ switch (speed) {
+ case USB_SPEED_HIGH:
+ dev->rx_qlen = MAX_QUEUE_MEMORY / dev->rx_urb_size;
+@@ -360,6 +362,7 @@ void usbnet_update_max_qlen(struct usbne
+ dev->tx_qlen = 5 * MAX_QUEUE_MEMORY / dev->hard_mtu;
+ break;
+ default:
++insanity:
+ dev->rx_qlen = dev->tx_qlen = 4;
+ }
+ }
diff --git a/queue-5.2/vrf-do-not-attempt-to-create-ipv6-mcast-rule-if-ipv6-is-disabled.patch b/queue-5.2/vrf-do-not-attempt-to-create-ipv6-mcast-rule-if-ipv6-is-disabled.patch
new file mode 100644
index 00000000000..8e8ea5dc803
--- /dev/null
+++ b/queue-5.2/vrf-do-not-attempt-to-create-ipv6-mcast-rule-if-ipv6-is-disabled.patch
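Review bot: The new `goto insanity;` jumps from before the `switch (speed)` to a label placed inside its `default:` arm, which is legal C but easy to misread and makes the fallback reachable two ways; the same effect without entering the switch from outside is `if (!dev->rx_urb_size || !dev->hard_mtu) { dev->rx_qlen = dev->tx_qlen = 4; return; }` ahead of the switch, with the label dropped. Either way the guard deserves a comment saying what it protects, since the divisions `MAX_QUEUE_MEMORY / dev->rx_urb_size` and `5 * MAX_QUEUE_MEMORY / dev->hard_mtu` are the reason it exists: `/* after a reset a (possibly hostile) device may report zero sizes; use the default queue length rather than divide by zero */`. usbnet_update_max_qlen() is shown whole across the two hunks, but the cases between them are not visible.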
@@ -0,0 +1,37 @@
+From foo@baz Tue 01 Oct 2019 03:28:23 PM CEST
+From: David Ahern
+Date: Wed, 25 Sep 2019 07:53:19 -0700
+Subject: vrf: Do not attempt to create IPv6 mcast rule if IPv6 is disabled
+
+From: David Ahern
+
+[ Upstream commit dac91170f8e9c73784af5fad6225e954b795601c ]
+
+A user reported that vrf create fails when IPv6 is disabled at boot using
+'ipv6.disable=1':
+ https://bugzilla.kernel.org/show_bug.cgi?id=204903
+
+The failure is adding fib rules at create time. Add RTNL_FAMILY_IP6MR to
+the check in vrf_fib_rule if ipv6_mod_enabled is disabled.
+
+Fixes: e4a38c0c4b27 ("ipv6: add vrf table handling code for ipv6 mcast")
+Signed-off-by: David Ahern
+Cc: Patrick Ruddy
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/vrf.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/vrf.c
++++ b/drivers/net/vrf.c
+@@ -1153,7 +1153,8 @@ static int vrf_fib_rule(const struct net
+ struct sk_buff *skb;
+ int err;
+ 
+- if (family == AF_INET6 && !ipv6_mod_enabled())
++ if ((family == AF_INET6 || family == RTNL_FAMILY_IP6MR) &&
++ !ipv6_mod_enabled())
+ return 0;
+ 
+ skb = nlmsg_new(vrf_fib_rule_nl_size(), GFP_KERNEL);
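Review bot: The widened early `return 0;` in vrf_fib_rule() now reports success for two families without installing any rule, and nothing at the site says that is intentional; a comment would keep the next reader from treating the silent skip as a bug: `/* with IPv6 disabled there is nothing to add for IPv6 unicast or mcast rules; not an error */`. Whether callers ever need to distinguish "rule skipped" from "rule added" cannot be judged from this hunk, since vrf_fib_rule()'s callers and the rest of its body are outside it.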