From: Greg Kroah-Hartman Date: Wed, 15 May 2019 07:51:12 +0000 (+0200) Subject: 4.19-stable patches X-Git-Tag: v3.18.140~17 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ce1956d3d2493c9fedf48ce47e5aad7a55cc09aa;p=thirdparty%2Fkernel%2Fstable-queue.git 4.19-stable patches added patches: bonding-fix-arp_validate-toggling-in-active-backup-mode.patch bridge-fix-error-path-for-kobject_init_and_add.patch dpaa_eth-fix-sg-frame-cleanup.patch fib_rules-return-0-directly-if-an-exactly-same-rule-exists-when-nlm_f_excl-not-supplied.patch ipv4-fix-raw-socket-lookup-for-local-traffic.patch isdn-bas_gigaset-use-usb_fill_int_urb-properly.patch net-dsa-fix-error-cleanup-path-in-dsa_init_module.patch net-ethernet-stmmac-dwmac-sun8i-enable-support-of-unicast-filtering.patch net-macb-change-interrupt-and-napi-enable-order-in-open.patch net-seeq-fix-crash-caused-by-not-set-dev.parent.patch net-ucc_geth-fix-oops-when-changing-number-of-buffers-in-the-ring.patch packet-fix-error-path-in-packet_init.patch selinux-do-not-report-error-on-connect-af_unspec.patch tipc-fix-hanging-clients-using-poll-with-epollout-flag.patch tuntap-fix-dividing-by-zero-in-ebpf-queue-selection.patch tuntap-synchronize-through-tfiles-array-instead-of-tun-numqueues.patch vlan-disable-siocshwtstamp-in-container.patch vrf-sit-mtu-should-not-be-updated-when-vrf-netdev-is-the-link.patch --- diff --git a/queue-4.19/bonding-fix-arp_validate-toggling-in-active-backup-mode.patch b/queue-4.19/bonding-fix-arp_validate-toggling-in-active-backup-mode.patch new file mode 100644 index 00000000000..c308e840e32 --- /dev/null +++ b/queue-4.19/bonding-fix-arp_validate-toggling-in-active-backup-mode.patch @@ -0,0 +1,78 @@ +From foo@baz Wed 15 May 2019 09:35:25 AM CEST +From: Jarod Wilson +Date: Fri, 10 May 2019 17:57:09 -0400 +Subject: bonding: fix arp_validate toggling in active-backup mode + +From: Jarod Wilson + +[ Upstream commit a9b8a2b39ce65df45687cf9ef648885c2a99fe75 ] + +There's currently a problem with toggling arp_validate on and off with an +active-backup bond. At the moment, you can start up a bond, like so: + +modprobe bonding mode=1 arp_interval=100 arp_validate=0 arp_ip_targets=192.168.1.1 +ip link set bond0 down +echo "ens4f0" > /sys/class/net/bond0/bonding/slaves +echo "ens4f1" > /sys/class/net/bond0/bonding/slaves +ip link set bond0 up +ip addr add 192.168.1.2/24 dev bond0 + +Pings to 192.168.1.1 work just fine. Now turn on arp_validate: + +echo 1 > /sys/class/net/bond0/bonding/arp_validate + +Pings to 192.168.1.1 continue to work just fine. Now when you go to turn +arp_validate off again, the link falls flat on it's face: + +echo 0 > /sys/class/net/bond0/bonding/arp_validate +dmesg +... +[133191.911987] bond0: Setting arp_validate to none (0) +[133194.257793] bond0: bond_should_notify_peers: slave ens4f0 +[133194.258031] bond0: link status definitely down for interface ens4f0, disabling it +[133194.259000] bond0: making interface ens4f1 the new active one +[133197.330130] bond0: link status definitely down for interface ens4f1, disabling it +[133197.331191] bond0: now running without any active interface! + +The problem lies in bond_options.c, where passing in arp_validate=0 +results in bond->recv_probe getting set to NULL. This flies directly in +the face of commit 3fe68df97c7f, which says we need to set recv_probe = +bond_arp_recv, even if we're not using arp_validate. Said commit fixed +this in bond_option_arp_interval_set, but missed that we can get to that +same state in bond_option_arp_validate_set as well. + +One solution would be to universally set recv_probe = bond_arp_recv here +as well, but I don't think bond_option_arp_validate_set has any business +touching recv_probe at all, and that should be left to the arp_interval +code, so we can just make things much tidier here. + +Fixes: 3fe68df97c7f ("bonding: always set recv_probe to bond_arp_rcv in arp monitor") +CC: Jay Vosburgh +CC: Veaceslav Falico +CC: Andy Gospodarek +CC: "David S. Miller" +CC: netdev@vger.kernel.org +Signed-off-by: Jarod Wilson +Signed-off-by: Jay Vosburgh +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/bonding/bond_options.c | 7 ------- + 1 file changed, 7 deletions(-) + +--- a/drivers/net/bonding/bond_options.c ++++ b/drivers/net/bonding/bond_options.c +@@ -1098,13 +1098,6 @@ static int bond_option_arp_validate_set( + { + netdev_dbg(bond->dev, "Setting arp_validate to %s (%llu)\n", + newval->string, newval->value); +- +- if (bond->dev->flags & IFF_UP) { +- if (!newval->value) +- bond->recv_probe = NULL; +- else if (bond->params.arp_interval) +- bond->recv_probe = bond_arp_rcv; +- } + bond->params.arp_validate = newval->value; + + return 0; diff --git a/queue-4.19/bridge-fix-error-path-for-kobject_init_and_add.patch b/queue-4.19/bridge-fix-error-path-for-kobject_init_and_add.patch new file mode 100644 index 00000000000..4cd1ec68af8 --- /dev/null +++ b/queue-4.19/bridge-fix-error-path-for-kobject_init_and_add.patch @@ -0,0 +1,64 @@ +From foo@baz Wed 15 May 2019 09:35:25 AM CEST +From: "Tobin C. Harding" +Date: Fri, 10 May 2019 12:52:12 +1000 +Subject: bridge: Fix error path for kobject_init_and_add() + +From: "Tobin C. Harding" + +[ Upstream commit bdfad5aec1392b93495b77b864d58d7f101dc1c1 ] + +Currently error return from kobject_init_and_add() is not followed by a +call to kobject_put(). This means there is a memory leak. We currently +set p to NULL so that kfree() may be called on it as a noop, the code is +arguably clearer if we move the kfree() up closer to where it is +called (instead of after goto jump). + +Remove a goto label 'err1' and jump to call to kobject_put() in error +return from kobject_init_and_add() fixing the memory leak. Re-name goto +label 'put_back' to 'err1' now that we don't use err1, following current +nomenclature (err1, err2 ...). Move call to kfree out of the error +code at bottom of function up to closer to where memory was allocated. +Add comment to clarify call to kfree(). + +Signed-off-by: Tobin C. Harding +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/bridge/br_if.c | 13 ++++++------- + 1 file changed, 6 insertions(+), 7 deletions(-) + +--- a/net/bridge/br_if.c ++++ b/net/bridge/br_if.c +@@ -603,13 +603,15 @@ int br_add_if(struct net_bridge *br, str + call_netdevice_notifiers(NETDEV_JOIN, dev); + + err = dev_set_allmulti(dev, 1); +- if (err) +- goto put_back; ++ if (err) { ++ kfree(p); /* kobject not yet init'd, manually free */ ++ goto err1; ++ } + + err = kobject_init_and_add(&p->kobj, &brport_ktype, &(dev->dev.kobj), + SYSFS_BRIDGE_PORT_ATTR); + if (err) +- goto err1; ++ goto err2; + + err = br_sysfs_addif(p); + if (err) +@@ -692,12 +694,9 @@ err3: + sysfs_remove_link(br->ifobj, p->dev->name); + err2: + kobject_put(&p->kobj); +- p = NULL; /* kobject_put frees */ +-err1: + dev_set_allmulti(dev, -1); +-put_back: ++err1: + dev_put(dev); +- kfree(p); + return err; + } + diff --git a/queue-4.19/dpaa_eth-fix-sg-frame-cleanup.patch b/queue-4.19/dpaa_eth-fix-sg-frame-cleanup.patch new file mode 100644 index 00000000000..40dd601dceb --- /dev/null +++ b/queue-4.19/dpaa_eth-fix-sg-frame-cleanup.patch @@ -0,0 +1,32 @@ +From foo@baz Wed 15 May 2019 09:35:25 AM CEST +From: Laurentiu Tudor +Date: Fri, 3 May 2019 16:03:11 +0300 +Subject: dpaa_eth: fix SG frame cleanup + +From: Laurentiu Tudor + +[ Upstream commit 17170e6570c082717c142733d9a638bcd20551f8 ] + +Fix issue with the entry indexing in the sg frame cleanup code being +off-by-1. This problem showed up when doing some basic iperf tests and +manifested in traffic coming to a halt. + +Signed-off-by: Laurentiu Tudor +Acked-by: Madalin Bucur +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/freescale/dpaa/dpaa_eth.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/freescale/dpaa/dpaa_eth.c ++++ b/drivers/net/ethernet/freescale/dpaa/dpaa_eth.c +@@ -1648,7 +1648,7 @@ static struct sk_buff *dpaa_cleanup_tx_f + qm_sg_entry_get_len(&sgt[0]), dma_dir); + + /* remaining pages were mapped with skb_frag_dma_map() */ +- for (i = 1; i < nr_frags; i++) { ++ for (i = 1; i <= nr_frags; i++) { + WARN_ON(qm_sg_entry_is_ext(&sgt[i])); + + dma_unmap_page(dev, qm_sg_addr(&sgt[i]), diff --git a/queue-4.19/fib_rules-return-0-directly-if-an-exactly-same-rule-exists-when-nlm_f_excl-not-supplied.patch b/queue-4.19/fib_rules-return-0-directly-if-an-exactly-same-rule-exists-when-nlm_f_excl-not-supplied.patch new file mode 100644 index 00000000000..2b5e0823802 --- /dev/null +++ b/queue-4.19/fib_rules-return-0-directly-if-an-exactly-same-rule-exists-when-nlm_f_excl-not-supplied.patch @@ -0,0 +1,48 @@ +From foo@baz Wed 15 May 2019 09:35:25 AM CEST +From: Hangbin Liu +Date: Tue, 7 May 2019 17:11:18 +0800 +Subject: fib_rules: return 0 directly if an exactly same rule exists when NLM_F_EXCL not supplied + +From: Hangbin Liu + +[ Upstream commit e9919a24d3022f72bcadc407e73a6ef17093a849 ] + +With commit 153380ec4b9 ("fib_rules: Added NLM_F_EXCL support to +fib_nl_newrule") we now able to check if a rule already exists. But this +only works with iproute2. For other tools like libnl, NetworkManager, +it still could add duplicate rules with only NLM_F_CREATE flag, like + +[localhost ~ ]# ip rule +0: from all lookup local +32766: from all lookup main +32767: from all lookup default +100000: from 192.168.7.5 lookup 5 +100000: from 192.168.7.5 lookup 5 + +As it doesn't make sense to create two duplicate rules, let's just return +0 if the rule exists. + +Fixes: 153380ec4b9 ("fib_rules: Added NLM_F_EXCL support to fib_nl_newrule") +Reported-by: Thomas Haller +Signed-off-by: Hangbin Liu +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/core/fib_rules.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/net/core/fib_rules.c ++++ b/net/core/fib_rules.c +@@ -756,9 +756,9 @@ int fib_nl_newrule(struct sk_buff *skb, + if (err) + goto errout; + +- if ((nlh->nlmsg_flags & NLM_F_EXCL) && +- rule_exists(ops, frh, tb, rule)) { +- err = -EEXIST; ++ if (rule_exists(ops, frh, tb, rule)) { ++ if (nlh->nlmsg_flags & NLM_F_EXCL) ++ err = -EEXIST; + goto errout_free; + } + diff --git a/queue-4.19/ipv4-fix-raw-socket-lookup-for-local-traffic.patch b/queue-4.19/ipv4-fix-raw-socket-lookup-for-local-traffic.patch new file mode 100644 index 00000000000..629366baf9f --- /dev/null +++ b/queue-4.19/ipv4-fix-raw-socket-lookup-for-local-traffic.patch @@ -0,0 +1,46 @@ +From foo@baz Wed 15 May 2019 09:35:25 AM CEST +From: David Ahern +Date: Tue, 7 May 2019 20:44:59 -0700 +Subject: ipv4: Fix raw socket lookup for local traffic + +From: David Ahern + +[ Upstream commit 19e4e768064a87b073a4b4c138b55db70e0cfb9f ] + +inet_iif should be used for the raw socket lookup. inet_iif considers +rt_iif which handles the case of local traffic. + +As it stands, ping to a local address with the '-I ' option fails +ever since ping was changed to use SO_BINDTODEVICE instead of +cmsg + IP_PKTINFO. + +IPv6 works fine. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: David Ahern +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/raw.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/net/ipv4/raw.c ++++ b/net/ipv4/raw.c +@@ -174,6 +174,7 @@ static int icmp_filter(const struct sock + static int raw_v4_input(struct sk_buff *skb, const struct iphdr *iph, int hash) + { + int sdif = inet_sdif(skb); ++ int dif = inet_iif(skb); + struct sock *sk; + struct hlist_head *head; + int delivered = 0; +@@ -186,8 +187,7 @@ static int raw_v4_input(struct sk_buff * + + net = dev_net(skb->dev); + sk = __raw_v4_lookup(net, __sk_head(head), iph->protocol, +- iph->saddr, iph->daddr, +- skb->dev->ifindex, sdif); ++ iph->saddr, iph->daddr, dif, sdif); + + while (sk) { + delivered = 1; diff --git a/queue-4.19/isdn-bas_gigaset-use-usb_fill_int_urb-properly.patch b/queue-4.19/isdn-bas_gigaset-use-usb_fill_int_urb-properly.patch new file mode 100644 index 00000000000..abf9fafbef4 --- /dev/null +++ b/queue-4.19/isdn-bas_gigaset-use-usb_fill_int_urb-properly.patch @@ -0,0 +1,120 @@ +From foo@baz Wed 15 May 2019 09:35:25 AM CEST +From: Paul Bolle +Date: Wed, 1 May 2019 23:19:03 +0200 +Subject: isdn: bas_gigaset: use usb_fill_int_urb() properly + +From: Paul Bolle + +[ Upstream commit 4014dfae3ccaaf3ec19c9ae0691a3f14e7132eae ] + +The switch to make bas_gigaset use usb_fill_int_urb() - instead of +filling that urb "by hand" - missed the subtle ordering of the previous +code. + +See, before the switch urb->dev was set to a member somewhere deep in a +complicated structure and then supplied to usb_rcvisocpipe() and +usb_sndisocpipe(). After that switch urb->dev wasn't set to anything +specific before being supplied to those two macros. This triggers a +nasty oops: + + BUG: unable to handle kernel NULL pointer dereference at 00000000 + #PF error: [normal kernel read fault] + *pde = 00000000 + Oops: 0000 [#1] SMP + CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.1.0-0.rc4.1.local0.fc28.i686 #1 + Hardware name: IBM 2525FAG/2525FAG, BIOS 74ET64WW (2.09 ) 12/14/2006 + EIP: gigaset_init_bchannel+0x89/0x320 [bas_gigaset] + Code: 75 07 83 8b 84 00 00 00 40 8d 47 74 c7 07 01 00 00 00 89 45 f0 8b 44 b7 68 85 c0 0f 84 6a 02 00 00 8b 48 28 8b 93 88 00 00 00 <8b> 09 8d 54 12 03 c1 e2 0f c1 e1 08 09 ca 8b 8b 8c 00 00 00 80 ca + EAX: f05ec200 EBX: ed404200 ECX: 00000000 EDX: 00000000 + ESI: 00000000 EDI: f065a000 EBP: f30c9f40 ESP: f30c9f20 + DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068 EFLAGS: 00010086 + CR0: 80050033 CR2: 00000000 CR3: 0ddc7000 CR4: 000006d0 + Call Trace: + + ? gigaset_isdn_connD+0xf6/0x140 [gigaset] + gigaset_handle_event+0x173e/0x1b90 [gigaset] + tasklet_action_common.isra.16+0x4e/0xf0 + tasklet_action+0x1e/0x20 + __do_softirq+0xb2/0x293 + ? __irqentry_text_end+0x3/0x3 + call_on_stack+0x45/0x50 + + ? irq_exit+0xb5/0xc0 + ? do_IRQ+0x78/0xd0 + ? acpi_idle_enter_s2idle+0x50/0x50 + ? common_interrupt+0xd4/0xdc + ? acpi_idle_enter_s2idle+0x50/0x50 + ? sched_cpu_activate+0x1b/0xf0 + ? acpi_fan_resume.cold.7+0x9/0x18 + ? cpuidle_enter_state+0x152/0x4c0 + ? cpuidle_enter+0x14/0x20 + ? call_cpuidle+0x21/0x40 + ? do_idle+0x1c8/0x200 + ? cpu_startup_entry+0x25/0x30 + ? rest_init+0x88/0x8a + ? arch_call_rest_init+0xd/0x19 + ? start_kernel+0x42f/0x448 + ? i386_start_kernel+0xac/0xb0 + ? startup_32_smp+0x164/0x168 + Modules linked in: ppp_generic slhc capi bas_gigaset gigaset kernelcapi nf_conntrack_netbios_ns nf_conntrack_broadcast xt_CT ip6t_rpfilter ip6t_REJECT nf_reject_ipv6 xt_conntrack ip_set nfnetlink ebtable_nat ebtable_broute bridge stp llc ip6table_nat ip6table_mangle ip6table_raw ip6table_security iptable_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 libcrc32c iptable_mangle iptable_raw iptable_security ebtable_filter ebtables ip6table_filter ip6_tables sunrpc ipw2200 iTCO_wdt gpio_ich snd_intel8x0 libipw iTCO_vendor_support snd_ac97_codec lib80211 ppdev ac97_bus snd_seq cfg80211 snd_seq_device pcspkr thinkpad_acpi lpc_ich snd_pcm i2c_i801 snd_timer ledtrig_audio snd soundcore rfkill parport_pc parport pcc_cpufreq acpi_cpufreq i915 i2c_algo_bit drm_kms_helper syscopyarea sysfillrect sdhci_pci sysimgblt cqhci fb_sys_fops drm sdhci mmc_core tg3 ata_generic serio_raw yenta_socket pata_acpi video + CR2: 0000000000000000 + ---[ end trace 1fe07487b9200c73 ]--- + EIP: gigaset_init_bchannel+0x89/0x320 [bas_gigaset] + Code: 75 07 83 8b 84 00 00 00 40 8d 47 74 c7 07 01 00 00 00 89 45 f0 8b 44 b7 68 85 c0 0f 84 6a 02 00 00 8b 48 28 8b 93 88 00 00 00 <8b> 09 8d 54 12 03 c1 e2 0f c1 e1 08 09 ca 8b 8b 8c 00 00 00 80 ca + EAX: f05ec200 EBX: ed404200 ECX: 00000000 EDX: 00000000 + ESI: 00000000 EDI: f065a000 EBP: f30c9f40 ESP: cddcb3bc + DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068 EFLAGS: 00010086 + CR0: 80050033 CR2: 00000000 CR3: 0ddc7000 CR4: 000006d0 + Kernel panic - not syncing: Fatal exception in interrupt + Kernel Offset: 0xcc00000 from 0xc0400000 (relocation range: 0xc0000000-0xf6ffdfff) + ---[ end Kernel panic - not syncing: Fatal exception in interrupt ]--- + +No-one noticed because this Oops is apparently only triggered by setting +up an ISDN data connection on a live ISDN line on a gigaset base (ie, +the PBX that the gigaset driver support). Very few people do that +running present day kernels. + +Anyhow, a little code reorganization makes this problem go away, while +avoiding the subtle ordering that was used in the past. So let's do +that. + +Fixes: 78c696c19578 ("isdn: gigaset: use usb_fill_int_urb()") +Signed-off-by: Paul Bolle +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/isdn/gigaset/bas-gigaset.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +--- a/drivers/isdn/gigaset/bas-gigaset.c ++++ b/drivers/isdn/gigaset/bas-gigaset.c +@@ -958,6 +958,7 @@ static void write_iso_callback(struct ur + */ + static int starturbs(struct bc_state *bcs) + { ++ struct usb_device *udev = bcs->cs->hw.bas->udev; + struct bas_bc_state *ubc = bcs->hw.bas; + struct urb *urb; + int j, k; +@@ -975,8 +976,8 @@ static int starturbs(struct bc_state *bc + rc = -EFAULT; + goto error; + } +- usb_fill_int_urb(urb, bcs->cs->hw.bas->udev, +- usb_rcvisocpipe(urb->dev, 3 + 2 * bcs->channel), ++ usb_fill_int_urb(urb, udev, ++ usb_rcvisocpipe(udev, 3 + 2 * bcs->channel), + ubc->isoinbuf + k * BAS_INBUFSIZE, + BAS_INBUFSIZE, read_iso_callback, bcs, + BAS_FRAMETIME); +@@ -1006,8 +1007,8 @@ static int starturbs(struct bc_state *bc + rc = -EFAULT; + goto error; + } +- usb_fill_int_urb(urb, bcs->cs->hw.bas->udev, +- usb_sndisocpipe(urb->dev, 4 + 2 * bcs->channel), ++ usb_fill_int_urb(urb, udev, ++ usb_sndisocpipe(udev, 4 + 2 * bcs->channel), + ubc->isooutbuf->data, + sizeof(ubc->isooutbuf->data), + write_iso_callback, &ubc->isoouturbs[k], diff --git a/queue-4.19/net-dsa-fix-error-cleanup-path-in-dsa_init_module.patch b/queue-4.19/net-dsa-fix-error-cleanup-path-in-dsa_init_module.patch new file mode 100644 index 00000000000..1d3a12d8ff9 --- /dev/null +++ b/queue-4.19/net-dsa-fix-error-cleanup-path-in-dsa_init_module.patch @@ -0,0 +1,83 @@ +From foo@baz Wed 15 May 2019 09:35:25 AM CEST +From: YueHaibing +Date: Mon, 6 May 2019 23:25:29 +0800 +Subject: net: dsa: Fix error cleanup path in dsa_init_module + +From: YueHaibing + +[ Upstream commit 68be930249d051fd54d3d99156b3dcadcb2a1f9b ] + +BUG: unable to handle kernel paging request at ffffffffa01c5430 +PGD 3270067 P4D 3270067 PUD 3271063 PMD 230bc5067 PTE 0 +Oops: 0000 [#1 +CPU: 0 PID: 6159 Comm: modprobe Not tainted 5.1.0+ #33 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.9.3-0-ge2fc41e-prebuilt.qemu-project.org 04/01/2014 +RIP: 0010:raw_notifier_chain_register+0x16/0x40 +Code: 63 f8 66 90 e9 5d ff ff ff 90 90 90 90 90 90 90 90 90 90 90 55 48 8b 07 48 89 e5 48 85 c0 74 1c 8b 56 10 3b 50 10 7e 07 eb 12 <39> 50 10 7c 0d 48 8d 78 08 48 8b 40 08 48 85 c0 75 ee 48 89 46 08 +RSP: 0018:ffffc90001c33c08 EFLAGS: 00010282 +RAX: ffffffffa01c5420 RBX: ffffffffa01db420 RCX: 4fcef45928070a8b +RDX: 0000000000000000 RSI: ffffffffa01db420 RDI: ffffffffa01b0068 +RBP: ffffc90001c33c08 R08: 000000003e0a33d0 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000094443661 R12: ffff88822c320700 +R13: ffff88823109be80 R14: 0000000000000000 R15: ffffc90001c33e78 +FS: 00007fab8bd08540(0000) GS:ffff888237a00000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: ffffffffa01c5430 CR3: 00000002297ea000 CR4: 00000000000006f0 +Call Trace: + register_netdevice_notifier+0x43/0x250 + ? 0xffffffffa01e0000 + dsa_slave_register_notifier+0x13/0x70 [dsa_core + ? 0xffffffffa01e0000 + dsa_init_module+0x2e/0x1000 [dsa_core + do_one_initcall+0x6c/0x3cc + ? do_init_module+0x22/0x1f1 + ? rcu_read_lock_sched_held+0x97/0xb0 + ? kmem_cache_alloc_trace+0x325/0x3b0 + do_init_module+0x5b/0x1f1 + load_module+0x1db1/0x2690 + ? m_show+0x1d0/0x1d0 + __do_sys_finit_module+0xc5/0xd0 + __x64_sys_finit_module+0x15/0x20 + do_syscall_64+0x6b/0x1d0 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + +Cleanup allocated resourses if there are errors, +otherwise it will trgger memleak. + +Fixes: c9eb3e0f8701 ("net: dsa: Add support for learning FDB through notification") +Signed-off-by: YueHaibing +Reviewed-by: Vivien Didelot +Reviewed-by: Andrew Lunn +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/dsa/dsa.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +--- a/net/dsa/dsa.c ++++ b/net/dsa/dsa.c +@@ -293,15 +293,22 @@ static int __init dsa_init_module(void) + + rc = dsa_slave_register_notifier(); + if (rc) +- return rc; ++ goto register_notifier_fail; + + rc = dsa_legacy_register(); + if (rc) +- return rc; ++ goto legacy_register_fail; + + dev_add_pack(&dsa_pack_type); + + return 0; ++ ++legacy_register_fail: ++ dsa_slave_unregister_notifier(); ++register_notifier_fail: ++ destroy_workqueue(dsa_owq); ++ ++ return rc; + } + module_init(dsa_init_module); + diff --git a/queue-4.19/net-ethernet-stmmac-dwmac-sun8i-enable-support-of-unicast-filtering.patch b/queue-4.19/net-ethernet-stmmac-dwmac-sun8i-enable-support-of-unicast-filtering.patch new file mode 100644 index 00000000000..8a92fbb30a1 --- /dev/null +++ b/queue-4.19/net-ethernet-stmmac-dwmac-sun8i-enable-support-of-unicast-filtering.patch @@ -0,0 +1,34 @@ +From foo@baz Wed 15 May 2019 09:35:25 AM CEST +From: Corentin Labbe +Date: Mon, 13 May 2019 13:06:39 +0000 +Subject: net: ethernet: stmmac: dwmac-sun8i: enable support of unicast filtering + +From: Corentin Labbe + +[ Upstream commit d4c26eb6e721683a0f93e346ce55bc8dc3cbb175 ] + +When adding more MAC addresses to a dwmac-sun8i interface, the device goes +directly in promiscuous mode. +This is due to IFF_UNICAST_FLT missing flag. + +So since the hardware support unicast filtering, let's add IFF_UNICAST_FLT. + +Fixes: 9f93ac8d4085 ("net-next: stmmac: Add dwmac-sun8i") +Signed-off-by: Corentin Labbe +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/stmicro/stmmac/dwmac-sun8i.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/net/ethernet/stmicro/stmmac/dwmac-sun8i.c ++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac-sun8i.c +@@ -1015,6 +1015,8 @@ static struct mac_device_info *sun8i_dwm + mac->mac = &sun8i_dwmac_ops; + mac->dma = &sun8i_dwmac_dma_ops; + ++ priv->dev->priv_flags |= IFF_UNICAST_FLT; ++ + /* The loopback bit seems to be re-set when link change + * Simply mask it each time + * Speed 10/100/1000 are set in BIT(2)/BIT(3) diff --git a/queue-4.19/net-macb-change-interrupt-and-napi-enable-order-in-open.patch b/queue-4.19/net-macb-change-interrupt-and-napi-enable-order-in-open.patch new file mode 100644 index 00000000000..54f630261c8 --- /dev/null +++ b/queue-4.19/net-macb-change-interrupt-and-napi-enable-order-in-open.patch @@ -0,0 +1,52 @@ +From foo@baz Wed 15 May 2019 09:35:25 AM CEST +From: Harini Katakam +Date: Tue, 7 May 2019 19:59:10 +0530 +Subject: net: macb: Change interrupt and napi enable order in open + +From: Harini Katakam + +[ Upstream commit 0504453139ef5a593c9587e1e851febee859c7d8 ] + +Current order in open: +-> Enable interrupts (macb_init_hw) +-> Enable NAPI +-> Start PHY + +Sequence of RX handling: +-> RX interrupt occurs +-> Interrupt is cleared and interrupt bits disabled in handler +-> NAPI is scheduled +-> In NAPI, RX budget is processed and RX interrupts are re-enabled + +With the above, on QEMU or fixed link setups (where PHY state doesn't +matter), there's a chance macb RX interrupt occurs before NAPI is +enabled. This will result in NAPI being scheduled before it is enabled. +Fix this macb open by changing the order. + +Fixes: ae1f2a56d273 ("net: macb: Added support for many RX queues") +Signed-off-by: Harini Katakam +Acked-by: Nicolas Ferre +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/cadence/macb_main.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/net/ethernet/cadence/macb_main.c ++++ b/drivers/net/ethernet/cadence/macb_main.c +@@ -2419,12 +2419,12 @@ static int macb_open(struct net_device * + return err; + } + +- bp->macbgem_ops.mog_init_rings(bp); +- macb_init_hw(bp); +- + for (q = 0, queue = bp->queues; q < bp->num_queues; ++q, ++queue) + napi_enable(&queue->napi); + ++ bp->macbgem_ops.mog_init_rings(bp); ++ macb_init_hw(bp); ++ + /* schedule a link state check */ + phy_start(dev->phydev); + diff --git a/queue-4.19/net-seeq-fix-crash-caused-by-not-set-dev.parent.patch b/queue-4.19/net-seeq-fix-crash-caused-by-not-set-dev.parent.patch new file mode 100644 index 00000000000..c5a96e8a2ba --- /dev/null +++ b/queue-4.19/net-seeq-fix-crash-caused-by-not-set-dev.parent.patch @@ -0,0 +1,30 @@ +From foo@baz Wed 15 May 2019 09:35:25 AM CEST +From: Thomas Bogendoerfer +Date: Mon, 13 May 2019 13:15:17 +0200 +Subject: net: seeq: fix crash caused by not set dev.parent + +From: Thomas Bogendoerfer + +[ Upstream commit 5afcd14cfc7fed1bcc8abcee2cef82732772bfc2 ] + +The old MIPS implementation of dma_cache_sync() didn't use the dev argument, +but commit c9eb6172c328 ("dma-mapping: turn dma_cache_sync into a +dma_map_ops method") changed that, so we now need to set dev.parent. + +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/seeq/sgiseeq.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/ethernet/seeq/sgiseeq.c ++++ b/drivers/net/ethernet/seeq/sgiseeq.c +@@ -735,6 +735,7 @@ static int sgiseeq_probe(struct platform + } + + platform_set_drvdata(pdev, dev); ++ SET_NETDEV_DEV(dev, &pdev->dev); + sp = netdev_priv(dev); + + /* Make private data page aligned */ diff --git a/queue-4.19/net-ucc_geth-fix-oops-when-changing-number-of-buffers-in-the-ring.patch b/queue-4.19/net-ucc_geth-fix-oops-when-changing-number-of-buffers-in-the-ring.patch new file mode 100644 index 00000000000..c5cd85ae67b --- /dev/null +++ b/queue-4.19/net-ucc_geth-fix-oops-when-changing-number-of-buffers-in-the-ring.patch @@ -0,0 +1,81 @@ +From foo@baz Wed 15 May 2019 09:35:25 AM CEST +From: Christophe Leroy +Date: Fri, 3 May 2019 13:33:23 +0000 +Subject: net: ucc_geth - fix Oops when changing number of buffers in the ring + +From: Christophe Leroy + +[ Upstream commit ee0df19305d9fabd9479b785918966f6e25b733b ] + +When changing the number of buffers in the RX ring while the interface +is running, the following Oops is encountered due to the new number +of buffers being taken into account immediately while their allocation +is done when opening the device only. + +[ 69.882706] Unable to handle kernel paging request for data at address 0xf0000100 +[ 69.890172] Faulting instruction address: 0xc033e164 +[ 69.895122] Oops: Kernel access of bad area, sig: 11 [#1] +[ 69.900494] BE PREEMPT CMPCPRO +[ 69.907120] CPU: 0 PID: 0 Comm: swapper Not tainted 4.14.115-00006-g179ade8ce3-dirty #269 +[ 69.915956] task: c0684310 task.stack: c06da000 +[ 69.920470] NIP: c033e164 LR: c02e44d0 CTR: c02e41fc +[ 69.925504] REGS: dfff1e20 TRAP: 0300 Not tainted (4.14.115-00006-g179ade8ce3-dirty) +[ 69.934161] MSR: 00009032 CR: 22004428 XER: 20000000 +[ 69.940869] DAR: f0000100 DSISR: 20000000 +[ 69.940869] GPR00: c0352d70 dfff1ed0 c0684310 f00000a4 00000040 dfff1f68 00000000 0000001f +[ 69.940869] GPR08: df53f410 1cc00040 00000021 c0781640 42004424 100c82b6 f00000a4 df53f5b0 +[ 69.940869] GPR16: df53f6c0 c05daf84 00000040 00000000 00000040 c0782be4 00000000 00000001 +[ 69.940869] GPR24: 00000000 df53f400 000001b0 df53f410 df53f000 0000003f df708220 1cc00044 +[ 69.978348] NIP [c033e164] skb_put+0x0/0x5c +[ 69.982528] LR [c02e44d0] ucc_geth_poll+0x2d4/0x3f8 +[ 69.987384] Call Trace: +[ 69.989830] [dfff1ed0] [c02e4554] ucc_geth_poll+0x358/0x3f8 (unreliable) +[ 69.996522] [dfff1f20] [c0352d70] net_rx_action+0x248/0x30c +[ 70.002099] [dfff1f80] [c04e93e4] __do_softirq+0xfc/0x310 +[ 70.007492] [dfff1fe0] [c0021124] irq_exit+0xd0/0xd4 +[ 70.012458] [dfff1ff0] [c000e7e0] call_do_irq+0x24/0x3c +[ 70.017683] [c06dbe80] [c0006bac] do_IRQ+0x64/0xc4 +[ 70.022474] [c06dbea0] [c001097c] ret_from_except+0x0/0x14 +[ 70.027964] --- interrupt: 501 at rcu_idle_exit+0x84/0x90 +[ 70.027964] LR = rcu_idle_exit+0x74/0x90 +[ 70.037585] [c06dbf60] [20000000] 0x20000000 (unreliable) +[ 70.042984] [c06dbf80] [c004bb0c] do_idle+0xb4/0x11c +[ 70.047945] [c06dbfa0] [c004bd14] cpu_startup_entry+0x18/0x1c +[ 70.053682] [c06dbfb0] [c05fb034] start_kernel+0x370/0x384 +[ 70.059153] [c06dbff0] [00003438] 0x3438 +[ 70.063062] Instruction dump: +[ 70.066023] 38a00000 38800000 90010014 4bfff015 80010014 7c0803a6 3123ffff 7c691910 +[ 70.073767] 38210010 4e800020 38600000 4e800020 <80e3005c> 80c30098 3107ffff 7d083910 +[ 70.081690] ---[ end trace be7ccd9c1e1a9f12 ]--- + +This patch forbids the modification of the number of buffers in the +ring while the interface is running. + +Fixes: ac421852b3a0 ("ucc_geth: add ethtool support") +Signed-off-by: Christophe Leroy +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/freescale/ucc_geth_ethtool.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +--- a/drivers/net/ethernet/freescale/ucc_geth_ethtool.c ++++ b/drivers/net/ethernet/freescale/ucc_geth_ethtool.c +@@ -252,14 +252,12 @@ uec_set_ringparam(struct net_device *net + return -EINVAL; + } + ++ if (netif_running(netdev)) ++ return -EBUSY; ++ + ug_info->bdRingLenRx[queue] = ring->rx_pending; + ug_info->bdRingLenTx[queue] = ring->tx_pending; + +- if (netif_running(netdev)) { +- /* FIXME: restart automatically */ +- netdev_info(netdev, "Please re-open the interface\n"); +- } +- + return ret; + } + diff --git a/queue-4.19/packet-fix-error-path-in-packet_init.patch b/queue-4.19/packet-fix-error-path-in-packet_init.patch new file mode 100644 index 00000000000..8bf0a03dccd --- /dev/null +++ b/queue-4.19/packet-fix-error-path-in-packet_init.patch @@ -0,0 +1,87 @@ +From foo@baz Wed 15 May 2019 09:35:25 AM CEST +From: YueHaibing +Date: Thu, 9 May 2019 22:52:20 +0800 +Subject: packet: Fix error path in packet_init + +From: YueHaibing + +[ Upstream commit 36096f2f4fa05f7678bc87397665491700bae757 ] + +kernel BUG at lib/list_debug.c:47! +invalid opcode: 0000 [#1 +CPU: 0 PID: 12914 Comm: rmmod Tainted: G W 5.1.0+ #47 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.9.3-0-ge2fc41e-prebuilt.qemu-project.org 04/01/2014 +RIP: 0010:__list_del_entry_valid+0x53/0x90 +Code: 48 8b 32 48 39 fe 75 35 48 8b 50 08 48 39 f2 75 40 b8 01 00 00 00 5d c3 48 +89 fe 48 89 c2 48 c7 c7 18 75 fe 82 e8 cb 34 78 ff <0f> 0b 48 89 fe 48 c7 c7 50 75 fe 82 e8 ba 34 78 ff 0f 0b 48 89 f2 +RSP: 0018:ffffc90001c2fe40 EFLAGS: 00010286 +RAX: 000000000000004e RBX: ffffffffa0184000 RCX: 0000000000000000 +RDX: 0000000000000000 RSI: ffff888237a17788 RDI: 00000000ffffffff +RBP: ffffc90001c2fe40 R08: 0000000000000000 R09: 0000000000000000 +R10: ffffc90001c2fe10 R11: 0000000000000000 R12: 0000000000000000 +R13: ffffc90001c2fe50 R14: ffffffffa0184000 R15: 0000000000000000 +FS: 00007f3d83634540(0000) GS:ffff888237a00000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000555c350ea818 CR3: 0000000231677000 CR4: 00000000000006f0 +Call Trace: + unregister_pernet_operations+0x34/0x120 + unregister_pernet_subsys+0x1c/0x30 + packet_exit+0x1c/0x369 [af_packet + __x64_sys_delete_module+0x156/0x260 + ? lockdep_hardirqs_on+0x133/0x1b0 + ? do_syscall_64+0x12/0x1f0 + do_syscall_64+0x6e/0x1f0 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + +When modprobe af_packet, register_pernet_subsys +fails and does a cleanup, ops->list is set to LIST_POISON1, +but the module init is considered to success, then while rmmod it, +BUG() is triggered in __list_del_entry_valid which is called from +unregister_pernet_subsys. This patch fix error handing path in +packet_init to avoid possilbe issue if some error occur. + +Reported-by: Hulk Robot +Signed-off-by: YueHaibing +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/packet/af_packet.c | 25 ++++++++++++++++++++----- + 1 file changed, 20 insertions(+), 5 deletions(-) + +--- a/net/packet/af_packet.c ++++ b/net/packet/af_packet.c +@@ -4578,14 +4578,29 @@ static void __exit packet_exit(void) + + static int __init packet_init(void) + { +- int rc = proto_register(&packet_proto, 0); ++ int rc; + +- if (rc != 0) ++ rc = proto_register(&packet_proto, 0); ++ if (rc) + goto out; ++ rc = sock_register(&packet_family_ops); ++ if (rc) ++ goto out_proto; ++ rc = register_pernet_subsys(&packet_net_ops); ++ if (rc) ++ goto out_sock; ++ rc = register_netdevice_notifier(&packet_netdev_notifier); ++ if (rc) ++ goto out_pernet; + +- sock_register(&packet_family_ops); +- register_pernet_subsys(&packet_net_ops); +- register_netdevice_notifier(&packet_netdev_notifier); ++ return 0; ++ ++out_pernet: ++ unregister_pernet_subsys(&packet_net_ops); ++out_sock: ++ sock_unregister(PF_PACKET); ++out_proto: ++ proto_unregister(&packet_proto); + out: + return rc; + } diff --git a/queue-4.19/selinux-do-not-report-error-on-connect-af_unspec.patch b/queue-4.19/selinux-do-not-report-error-on-connect-af_unspec.patch new file mode 100644 index 00000000000..df7410b5dfe --- /dev/null +++ b/queue-4.19/selinux-do-not-report-error-on-connect-af_unspec.patch @@ -0,0 +1,55 @@ +From foo@baz Wed 15 May 2019 09:35:25 AM CEST +From: Paolo Abeni +Date: Wed, 8 May 2019 15:32:51 +0200 +Subject: selinux: do not report error on connect(AF_UNSPEC) + +From: Paolo Abeni + +[ Upstream commit c7e0d6cca86581092cbbf2cd868b3601495554cf ] + +calling connect(AF_UNSPEC) on an already connected TCP socket is an +established way to disconnect() such socket. After commit 68741a8adab9 +("selinux: Fix ltp test connect-syscall failure") it no longer works +and, in the above scenario connect() fails with EAFNOSUPPORT. + +Fix the above falling back to the generic/old code when the address family +is not AF_INET{4,6}, but leave the SCTP code path untouched, as it has +specific constraints. + +Fixes: 68741a8adab9 ("selinux: Fix ltp test connect-syscall failure") +Reported-by: Tom Deseyn +Signed-off-by: Paolo Abeni +Reviewed-by: Marcelo Ricardo Leitner +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + security/selinux/hooks.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/security/selinux/hooks.c ++++ b/security/selinux/hooks.c +@@ -4800,7 +4800,7 @@ static int selinux_socket_connect_helper + struct lsm_network_audit net = {0,}; + struct sockaddr_in *addr4 = NULL; + struct sockaddr_in6 *addr6 = NULL; +- unsigned short snum; ++ unsigned short snum = 0; + u32 sid, perm; + + /* sctp_connectx(3) calls via selinux_sctp_bind_connect() +@@ -4823,12 +4823,12 @@ static int selinux_socket_connect_helper + break; + default: + /* Note that SCTP services expect -EINVAL, whereas +- * others expect -EAFNOSUPPORT. ++ * others must handle this at the protocol level: ++ * connect(AF_UNSPEC) on a connected socket is ++ * a documented way disconnect the socket. + */ + if (sksec->sclass == SECCLASS_SCTP_SOCKET) + return -EINVAL; +- else +- return -EAFNOSUPPORT; + } + + err = sel_netport_sid(sk->sk_protocol, snum, &sid); diff --git a/queue-4.19/series b/queue-4.19/series index 0c86878f11f..e675c359cc9 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -85,3 +85,21 @@ rtlwifi-rtl8723ae-fix-missing-break-in-switch-statement.patch don-t-jump-to-compute_result-state-from-check_result-state.patch um-don-t-hardcode-path-as-it-is-architecture-dependent.patch powerpc-64s-include-cpu-header.patch +bonding-fix-arp_validate-toggling-in-active-backup-mode.patch +bridge-fix-error-path-for-kobject_init_and_add.patch +dpaa_eth-fix-sg-frame-cleanup.patch +fib_rules-return-0-directly-if-an-exactly-same-rule-exists-when-nlm_f_excl-not-supplied.patch +ipv4-fix-raw-socket-lookup-for-local-traffic.patch +net-dsa-fix-error-cleanup-path-in-dsa_init_module.patch +net-ethernet-stmmac-dwmac-sun8i-enable-support-of-unicast-filtering.patch +net-macb-change-interrupt-and-napi-enable-order-in-open.patch +net-seeq-fix-crash-caused-by-not-set-dev.parent.patch +net-ucc_geth-fix-oops-when-changing-number-of-buffers-in-the-ring.patch +packet-fix-error-path-in-packet_init.patch +selinux-do-not-report-error-on-connect-af_unspec.patch +vlan-disable-siocshwtstamp-in-container.patch +vrf-sit-mtu-should-not-be-updated-when-vrf-netdev-is-the-link.patch +tuntap-fix-dividing-by-zero-in-ebpf-queue-selection.patch +tuntap-synchronize-through-tfiles-array-instead-of-tun-numqueues.patch +isdn-bas_gigaset-use-usb_fill_int_urb-properly.patch +tipc-fix-hanging-clients-using-poll-with-epollout-flag.patch diff --git a/queue-4.19/tipc-fix-hanging-clients-using-poll-with-epollout-flag.patch b/queue-4.19/tipc-fix-hanging-clients-using-poll-with-epollout-flag.patch new file mode 100644 index 00000000000..b1bedbcf611 --- /dev/null +++ b/queue-4.19/tipc-fix-hanging-clients-using-poll-with-epollout-flag.patch @@ -0,0 +1,54 @@ +From foo@baz Wed 15 May 2019 09:35:25 AM CEST +From: Parthasarathy Bhuvaragan +Date: Thu, 9 May 2019 07:13:42 +0200 +Subject: tipc: fix hanging clients using poll with EPOLLOUT flag + +From: Parthasarathy Bhuvaragan + +[ Upstream commit ff946833b70e0c7f93de9a3f5b329b5ae2287b38 ] + +commit 517d7c79bdb398 ("tipc: fix hanging poll() for stream sockets") +introduced a regression for clients using non-blocking sockets. +After the commit, we send EPOLLOUT event to the client even in +TIPC_CONNECTING state. This causes the subsequent send() to fail +with ENOTCONN, as the socket is still not in TIPC_ESTABLISHED state. + +In this commit, we: +- improve the fix for hanging poll() by replacing sk_data_ready() + with sk_state_change() to wake up all clients. +- revert the faulty updates introduced by commit 517d7c79bdb398 + ("tipc: fix hanging poll() for stream sockets"). + +Fixes: 517d7c79bdb398 ("tipc: fix hanging poll() for stream sockets") +Signed-off-by: Parthasarathy Bhuvaragan +Acked-by: Jon Maloy +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/tipc/socket.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/net/tipc/socket.c ++++ b/net/tipc/socket.c +@@ -726,11 +726,11 @@ static __poll_t tipc_poll(struct file *f + + switch (sk->sk_state) { + case TIPC_ESTABLISHED: +- case TIPC_CONNECTING: + if (!tsk->cong_link_cnt && !tsk_conn_cong(tsk)) + revents |= EPOLLOUT; + /* fall thru' */ + case TIPC_LISTEN: ++ case TIPC_CONNECTING: + if (!skb_queue_empty(&sk->sk_receive_queue)) + revents |= EPOLLIN | EPOLLRDNORM; + break; +@@ -2039,7 +2039,7 @@ static bool tipc_sk_filter_connect(struc + return true; + + /* If empty 'ACK-' message, wake up sleeping connect() */ +- sk->sk_data_ready(sk); ++ sk->sk_state_change(sk); + + /* 'ACK-' message is neither accepted nor rejected: */ + msg_set_dest_droppable(hdr, 1); diff --git a/queue-4.19/tuntap-fix-dividing-by-zero-in-ebpf-queue-selection.patch b/queue-4.19/tuntap-fix-dividing-by-zero-in-ebpf-queue-selection.patch new file mode 100644 index 00000000000..afc989c8002 --- /dev/null +++ b/queue-4.19/tuntap-fix-dividing-by-zero-in-ebpf-queue-selection.patch @@ -0,0 +1,44 @@ +From foo@baz Wed 15 May 2019 09:35:25 AM CEST +From: Jason Wang +Date: Wed, 8 May 2019 23:20:17 -0400 +Subject: tuntap: fix dividing by zero in ebpf queue selection + +From: Jason Wang + +[ Upstream commit a35d310f03a692bf4798eb309a1950a06a150620 ] + +We need check if tun->numqueues is zero (e.g for the persist device) +before trying to use it for modular arithmetic. + +Reported-by: Eric Dumazet +Fixes: 96f84061620c6("tun: add eBPF based queue selection method") +Signed-off-by: Jason Wang +Reviewed-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/tun.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/drivers/net/tun.c ++++ b/drivers/net/tun.c +@@ -599,13 +599,18 @@ static u16 tun_automq_select_queue(struc + static u16 tun_ebpf_select_queue(struct tun_struct *tun, struct sk_buff *skb) + { + struct tun_prog *prog; ++ u32 numqueues; + u16 ret = 0; + ++ numqueues = READ_ONCE(tun->numqueues); ++ if (!numqueues) ++ return 0; ++ + prog = rcu_dereference(tun->steering_prog); + if (prog) + ret = bpf_prog_run_clear_cb(prog->prog, skb); + +- return ret % tun->numqueues; ++ return ret % numqueues; + } + + static u16 tun_select_queue(struct net_device *dev, struct sk_buff *skb, diff --git a/queue-4.19/tuntap-synchronize-through-tfiles-array-instead-of-tun-numqueues.patch b/queue-4.19/tuntap-synchronize-through-tfiles-array-instead-of-tun-numqueues.patch new file mode 100644 index 00000000000..8ef6f6071da --- /dev/null +++ b/queue-4.19/tuntap-synchronize-through-tfiles-array-instead-of-tun-numqueues.patch @@ -0,0 +1,70 @@ +From foo@baz Wed 15 May 2019 09:35:25 AM CEST +From: Jason Wang +Date: Wed, 8 May 2019 23:20:18 -0400 +Subject: tuntap: synchronize through tfiles array instead of tun->numqueues + +From: Jason Wang + +[ Upstream commit 9871a9e47a2646fe30ae7fd2e67668a8d30912f6 ] + +When a queue(tfile) is detached through __tun_detach(), we move the +last enabled tfile to the position where detached one sit but don't +NULL out last position. We expect to synchronize the datapath through +tun->numqueues. Unfortunately, this won't work since we're lacking +sufficient mechanism to order or synchronize the access to +tun->numqueues. + +To fix this, NULL out the last position during detaching and check +RCU protected tfile against NULL instead of checking tun->numqueues in +datapath. + +Cc: YueHaibing +Cc: Cong Wang +Cc: weiyongjun (A) +Cc: Eric Dumazet +Fixes: c8d68e6be1c3b ("tuntap: multiqueue support") +Signed-off-by: Jason Wang +Reviewed-by: Wei Yongjun +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/tun.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/drivers/net/tun.c ++++ b/drivers/net/tun.c +@@ -708,6 +708,8 @@ static void __tun_detach(struct tun_file + tun->tfiles[tun->numqueues - 1]); + ntfile = rtnl_dereference(tun->tfiles[index]); + ntfile->queue_index = index; ++ rcu_assign_pointer(tun->tfiles[tun->numqueues - 1], ++ NULL); + + --tun->numqueues; + if (clean) { +@@ -1090,7 +1092,7 @@ static netdev_tx_t tun_net_xmit(struct s + tfile = rcu_dereference(tun->tfiles[txq]); + + /* Drop packet if interface is not attached */ +- if (txq >= tun->numqueues) ++ if (!tfile) + goto drop; + + if (!rcu_dereference(tun->steering_prog)) +@@ -1281,6 +1283,7 @@ static int tun_xdp_xmit(struct net_devic + + rcu_read_lock(); + ++resample: + numqueues = READ_ONCE(tun->numqueues); + if (!numqueues) { + rcu_read_unlock(); +@@ -1289,6 +1292,8 @@ static int tun_xdp_xmit(struct net_devic + + tfile = rcu_dereference(tun->tfiles[smp_processor_id() % + numqueues]); ++ if (unlikely(!tfile)) ++ goto resample; + + spin_lock(&tfile->tx_ring.producer_lock); + for (i = 0; i < n; i++) { diff --git a/queue-4.19/vlan-disable-siocshwtstamp-in-container.patch b/queue-4.19/vlan-disable-siocshwtstamp-in-container.patch new file mode 100644 index 00000000000..4556a94f6dc --- /dev/null +++ b/queue-4.19/vlan-disable-siocshwtstamp-in-container.patch @@ -0,0 +1,39 @@ +From foo@baz Wed 15 May 2019 09:35:25 AM CEST +From: Hangbin Liu +Date: Thu, 9 May 2019 14:55:07 +0800 +Subject: vlan: disable SIOCSHWTSTAMP in container + +From: Hangbin Liu + +[ Upstream commit 873017af778439f2f8e3d87f28ddb1fcaf244a76 ] + +With NET_ADMIN enabled in container, a normal user could be mapped to +root and is able to change the real device's rx filter via ioctl on +vlan, which would affect the other ptp process on host. Fix it by +disabling SIOCSHWTSTAMP in container. + +Fixes: a6111d3c93d0 ("vlan: Pass SIOC[SG]HWTSTAMP ioctls to real device") +Signed-off-by: Hangbin Liu +Acked-by: Richard Cochran +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/8021q/vlan_dev.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/net/8021q/vlan_dev.c ++++ b/net/8021q/vlan_dev.c +@@ -368,10 +368,12 @@ static int vlan_dev_ioctl(struct net_dev + ifrr.ifr_ifru = ifr->ifr_ifru; + + switch (cmd) { ++ case SIOCSHWTSTAMP: ++ if (!net_eq(dev_net(dev), &init_net)) ++ break; + case SIOCGMIIPHY: + case SIOCGMIIREG: + case SIOCSMIIREG: +- case SIOCSHWTSTAMP: + case SIOCGHWTSTAMP: + if (netif_device_present(real_dev) && ops->ndo_do_ioctl) + err = ops->ndo_do_ioctl(real_dev, &ifrr, cmd); diff --git a/queue-4.19/vrf-sit-mtu-should-not-be-updated-when-vrf-netdev-is-the-link.patch b/queue-4.19/vrf-sit-mtu-should-not-be-updated-when-vrf-netdev-is-the-link.patch new file mode 100644 index 00000000000..f60d70de655 --- /dev/null +++ b/queue-4.19/vrf-sit-mtu-should-not-be-updated-when-vrf-netdev-is-the-link.patch @@ -0,0 +1,34 @@ +From foo@baz Wed 15 May 2019 09:35:25 AM CEST +From: Stephen Suryaputra +Date: Mon, 6 May 2019 15:00:01 -0400 +Subject: vrf: sit mtu should not be updated when vrf netdev is the link + +From: Stephen Suryaputra + +[ Upstream commit ff6ab32bd4e073976e4d8797b4d514a172cfe6cb ] + +VRF netdev mtu isn't typically set and have an mtu of 65536. When the +link of a tunnel is set, the tunnel mtu is changed from 1480 to the link +mtu minus tunnel header. In the case of VRF netdev is the link, then the +tunnel mtu becomes 65516. So, fix it by not setting the tunnel mtu in +this case. + +Signed-off-by: Stephen Suryaputra +Reviewed-by: David Ahern +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/sit.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/ipv6/sit.c ++++ b/net/ipv6/sit.c +@@ -1084,7 +1084,7 @@ static void ipip6_tunnel_bind_dev(struct + if (!tdev && tunnel->parms.link) + tdev = __dev_get_by_index(tunnel->net, tunnel->parms.link); + +- if (tdev) { ++ if (tdev && !netif_is_l3_master(tdev)) { + int t_hlen = tunnel->hlen + sizeof(struct iphdr); + + dev->hard_header_len = tdev->hard_header_len + sizeof(struct iphdr);