From: Greg Kroah-Hartman Date: Fri, 31 May 2019 23:34:17 +0000 (-0700) Subject: 4.19-stable patches X-Git-Tag: v5.1.7~17 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e201c2e6ca67881b7199a9a58f8481daae9a2e13;p=thirdparty%2Fkernel%2Fstable-queue.git 4.19-stable patches added patches: bnxt_en-fix-aggregation-buffer-leak-under-oom-condition.patch bonding-802.3ad-fix-slave-link-initialization-transition-states.patch cxgb4-offload-vlan-flows-regardless-of-vlan-ethtype.patch inet-switch-ip-id-generator-to-siphash.patch ipv4-igmp-fix-another-memory-leak-in-igmpv3_del_delrec.patch ipv4-igmp-fix-build-error-if-config_ip_multicast.patch ipv6-consider-sk_bound_dev_if-when-binding-a-raw-socket-to-an-address.patch ipv6-fix-redirect-with-vrf.patch llc-fix-skb-leak-in-llc_build_and_send_ui_pkt.patch net-dsa-mv88e6xxx-fix-handling-of-upper-half-of-stats_type_port.patch net-fec-fix-the-clk-mismatch-in-failed_reset-path.patch net-gro-fix-use-after-free-read-in-napi_gro_frags.patch net-mlx5-allocate-root-ns-memory-using-kzalloc-to-match-kfree.patch net-mlx5-avoid-double-free-in-fs-init-error-unwinding-path.patch net-mlx5e-disable-rxhash-when-cqe-compress-is-enabled.patch net-mvneta-fix-err-code-path-of-probe.patch net-mvpp2-fix-bad-mvpp2_txq_sched_token_cntr_reg-queue-value.patch net-phy-marvell10g-report-if-the-phy-fails-to-boot-firmware.patch net-sched-don-t-use-tc_action-order-during-action-dump.patch net-stmmac-dma-channel-control-register-need-to-be-init-first.patch net-stmmac-fix-reset-gpio-free-missing.patch net-tls-avoid-null-deref-on-resync-during-device-removal.patch net-tls-don-t-ignore-netdev-notifications-if-no-tls-features.patch net-tls-fix-state-removal-with-feature-flags-off.patch tipc-avoid-copying-bytes-beyond-the-supplied-data.patch usbnet-fix-kernel-crash-after-disconnect.patch --- diff --git a/queue-4.19/bnxt_en-fix-aggregation-buffer-leak-under-oom-condition.patch b/queue-4.19/bnxt_en-fix-aggregation-buffer-leak-under-oom-condition.patch new file mode 100644 index 00000000000..19a1cc79ef2 --- /dev/null +++ b/queue-4.19/bnxt_en-fix-aggregation-buffer-leak-under-oom-condition.patch @@ -0,0 +1,37 @@ +From foo@baz Fri 31 May 2019 03:21:27 PM PDT +From: Michael Chan +Date: Wed, 22 May 2019 19:12:54 -0400 +Subject: bnxt_en: Fix aggregation buffer leak under OOM condition. + +From: Michael Chan + +[ Upstream commit 296d5b54163964b7ae536b8b57dfbd21d4e868e1 ] + +For every RX packet, the driver replenishes all buffers used for that +packet and puts them back into the RX ring and RX aggregation ring. +In one code path where the RX packet has one RX buffer and one or more +aggregation buffers, we missed recycling the aggregation buffer(s) if +we are unable to allocate a new SKB buffer. This leads to the +aggregation ring slowly running out of buffers over time. Fix it +by properly recycling the aggregation buffers. + +Fixes: c0c050c58d84 ("bnxt_en: New Broadcom ethernet driver.") +Reported-by: Rakesh Hemnani +Signed-off-by: Michael Chan +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/broadcom/bnxt/bnxt.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +@@ -1599,6 +1599,8 @@ static int bnxt_rx_pkt(struct bnxt *bp, + skb = bnxt_copy_skb(bnapi, data_ptr, len, dma_addr); + bnxt_reuse_rx_data(rxr, cons, data); + if (!skb) { ++ if (agg_bufs) ++ bnxt_reuse_rx_agg_bufs(bnapi, cp_cons, agg_bufs); + rc = -ENOMEM; + goto next_rx; + } diff --git a/queue-4.19/bonding-802.3ad-fix-slave-link-initialization-transition-states.patch b/queue-4.19/bonding-802.3ad-fix-slave-link-initialization-transition-states.patch new file mode 100644 index 00000000000..798da726574 --- /dev/null +++ b/queue-4.19/bonding-802.3ad-fix-slave-link-initialization-transition-states.patch @@ -0,0 +1,67 @@ +From foo@baz Fri 31 May 2019 03:21:27 PM PDT +From: Jarod Wilson +Date: Fri, 24 May 2019 09:49:28 -0400 +Subject: bonding/802.3ad: fix slave link initialization transition states + +From: Jarod Wilson + +[ Upstream commit 334031219a84b9994594015aab85ed7754c80176 ] + +Once in a while, with just the right timing, 802.3ad slaves will fail to +properly initialize, winding up in a weird state, with a partner system +mac address of 00:00:00:00:00:00. This started happening after a fix to +properly track link_failure_count tracking, where an 802.3ad slave that +reported itself as link up in the miimon code, but wasn't able to get a +valid speed/duplex, started getting set to BOND_LINK_FAIL instead of +BOND_LINK_DOWN. That was the proper thing to do for the general "my link +went down" case, but has created a link initialization race that can put +the interface in this odd state. + +The simple fix is to instead set the slave link to BOND_LINK_DOWN again, +if the link has never been up (last_link_up == 0), so the link state +doesn't bounce from BOND_LINK_DOWN to BOND_LINK_FAIL -- it hasn't failed +in this case, it simply hasn't been up yet, and this prevents the +unnecessary state change from DOWN to FAIL and getting stuck in an init +failure w/o a partner mac. + +Fixes: ea53abfab960 ("bonding/802.3ad: fix link_failure_count tracking") +CC: Jay Vosburgh +CC: Veaceslav Falico +CC: Andy Gospodarek +CC: "David S. Miller" +CC: netdev@vger.kernel.org +Tested-by: Heesoon Kim +Signed-off-by: Jarod Wilson +Acked-by: Jay Vosburgh +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/bonding/bond_main.c | 15 ++++++++++----- + 1 file changed, 10 insertions(+), 5 deletions(-) + +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -3107,13 +3107,18 @@ static int bond_slave_netdev_event(unsig + case NETDEV_CHANGE: + /* For 802.3ad mode only: + * Getting invalid Speed/Duplex values here will put slave +- * in weird state. So mark it as link-fail for the time +- * being and let link-monitoring (miimon) set it right when +- * correct speeds/duplex are available. ++ * in weird state. Mark it as link-fail if the link was ++ * previously up or link-down if it hasn't yet come up, and ++ * let link-monitoring (miimon) set it right when correct ++ * speeds/duplex are available. + */ + if (bond_update_speed_duplex(slave) && +- BOND_MODE(bond) == BOND_MODE_8023AD) +- slave->link = BOND_LINK_FAIL; ++ BOND_MODE(bond) == BOND_MODE_8023AD) { ++ if (slave->last_link_up) ++ slave->link = BOND_LINK_FAIL; ++ else ++ slave->link = BOND_LINK_DOWN; ++ } + + if (BOND_MODE(bond) == BOND_MODE_8023AD) + bond_3ad_adapter_speed_duplex_changed(slave); diff --git a/queue-4.19/cxgb4-offload-vlan-flows-regardless-of-vlan-ethtype.patch b/queue-4.19/cxgb4-offload-vlan-flows-regardless-of-vlan-ethtype.patch new file mode 100644 index 00000000000..6ed2e74c33c --- /dev/null +++ b/queue-4.19/cxgb4-offload-vlan-flows-regardless-of-vlan-ethtype.patch @@ -0,0 +1,44 @@ +From foo@baz Fri 31 May 2019 03:21:27 PM PDT +From: Raju Rangoju +Date: Thu, 23 May 2019 20:41:44 +0530 +Subject: cxgb4: offload VLAN flows regardless of VLAN ethtype + +From: Raju Rangoju + +[ Upstream commit b5730061d1056abf317caea823b94d6e12b5b4f6 ] + +VLAN flows never get offloaded unless ivlan_vld is set in filter spec. +It's not compulsory for vlan_ethtype to be set. + +So, always enable ivlan_vld bit for offloading VLAN flows regardless of +vlan_ethtype is set or not. + +Fixes: ad9af3e09c (cxgb4: add tc flower match support for vlan) +Signed-off-by: Raju Rangoju +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/chelsio/cxgb4/cxgb4_tc_flower.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_tc_flower.c ++++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_tc_flower.c +@@ -228,6 +228,9 @@ static void cxgb4_process_flow_match(str + fs->val.ivlan = vlan_tci; + fs->mask.ivlan = vlan_tci_mask; + ++ fs->val.ivlan_vld = 1; ++ fs->mask.ivlan_vld = 1; ++ + /* Chelsio adapters use ivlan_vld bit to match vlan packets + * as 802.1Q. Also, when vlan tag is present in packets, + * ethtype match is used then to match on ethtype of inner +@@ -238,8 +241,6 @@ static void cxgb4_process_flow_match(str + * ethtype value with ethtype of inner header. + */ + if (fs->val.ethtype == ETH_P_8021Q) { +- fs->val.ivlan_vld = 1; +- fs->mask.ivlan_vld = 1; + fs->val.ethtype = 0; + fs->mask.ethtype = 0; + } diff --git a/queue-4.19/inet-switch-ip-id-generator-to-siphash.patch b/queue-4.19/inet-switch-ip-id-generator-to-siphash.patch new file mode 100644 index 00000000000..9814284e223 --- /dev/null +++ b/queue-4.19/inet-switch-ip-id-generator-to-siphash.patch @@ -0,0 +1,152 @@ +From foo@baz Fri 31 May 2019 03:21:27 PM PDT +From: Eric Dumazet +Date: Wed, 27 Mar 2019 12:40:33 -0700 +Subject: inet: switch IP ID generator to siphash + +From: Eric Dumazet + +[ Upstream commit df453700e8d81b1bdafdf684365ee2b9431fb702 ] + +According to Amit Klein and Benny Pinkas, IP ID generation is too weak +and might be used by attackers. + +Even with recent net_hash_mix() fix (netns: provide pure entropy for net_hash_mix()) +having 64bit key and Jenkins hash is risky. + +It is time to switch to siphash and its 128bit keys. + +Signed-off-by: Eric Dumazet +Reported-by: Amit Klein +Reported-by: Benny Pinkas +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/siphash.h | 5 +++++ + include/net/netns/ipv4.h | 2 ++ + net/ipv4/route.c | 12 +++++++----- + net/ipv6/output_core.c | 30 ++++++++++++++++-------------- + 4 files changed, 30 insertions(+), 19 deletions(-) + +--- a/include/linux/siphash.h ++++ b/include/linux/siphash.h +@@ -21,6 +21,11 @@ typedef struct { + u64 key[2]; + } siphash_key_t; + ++static inline bool siphash_key_is_zero(const siphash_key_t *key) ++{ ++ return !(key->key[0] | key->key[1]); ++} ++ + u64 __siphash_aligned(const void *data, size_t len, const siphash_key_t *key); + #ifndef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS + u64 __siphash_unaligned(const void *data, size_t len, const siphash_key_t *key); +--- a/include/net/netns/ipv4.h ++++ b/include/net/netns/ipv4.h +@@ -9,6 +9,7 @@ + #include + #include + #include ++#include + + struct tcpm_hash_bucket; + struct ctl_table_header; +@@ -214,5 +215,6 @@ struct netns_ipv4 { + unsigned int ipmr_seq; /* protected by rtnl_mutex */ + + atomic_t rt_genid; ++ siphash_key_t ip_id_key; + }; + #endif +--- a/net/ipv4/route.c ++++ b/net/ipv4/route.c +@@ -500,15 +500,17 @@ EXPORT_SYMBOL(ip_idents_reserve); + + void __ip_select_ident(struct net *net, struct iphdr *iph, int segs) + { +- static u32 ip_idents_hashrnd __read_mostly; + u32 hash, id; + +- net_get_random_once(&ip_idents_hashrnd, sizeof(ip_idents_hashrnd)); ++ /* Note the following code is not safe, but this is okay. */ ++ if (unlikely(siphash_key_is_zero(&net->ipv4.ip_id_key))) ++ get_random_bytes(&net->ipv4.ip_id_key, ++ sizeof(net->ipv4.ip_id_key)); + +- hash = jhash_3words((__force u32)iph->daddr, ++ hash = siphash_3u32((__force u32)iph->daddr, + (__force u32)iph->saddr, +- iph->protocol ^ net_hash_mix(net), +- ip_idents_hashrnd); ++ iph->protocol, ++ &net->ipv4.ip_id_key); + id = ip_idents_reserve(hash, segs); + iph->id = htons(id); + } +--- a/net/ipv6/output_core.c ++++ b/net/ipv6/output_core.c +@@ -10,15 +10,25 @@ + #include + #include + +-static u32 __ipv6_select_ident(struct net *net, u32 hashrnd, ++static u32 __ipv6_select_ident(struct net *net, + const struct in6_addr *dst, + const struct in6_addr *src) + { ++ const struct { ++ struct in6_addr dst; ++ struct in6_addr src; ++ } __aligned(SIPHASH_ALIGNMENT) combined = { ++ .dst = *dst, ++ .src = *src, ++ }; + u32 hash, id; + +- hash = __ipv6_addr_jhash(dst, hashrnd); +- hash = __ipv6_addr_jhash(src, hash); +- hash ^= net_hash_mix(net); ++ /* Note the following code is not safe, but this is okay. */ ++ if (unlikely(siphash_key_is_zero(&net->ipv4.ip_id_key))) ++ get_random_bytes(&net->ipv4.ip_id_key, ++ sizeof(net->ipv4.ip_id_key)); ++ ++ hash = siphash(&combined, sizeof(combined), &net->ipv4.ip_id_key); + + /* Treat id of 0 as unset and if we get 0 back from ip_idents_reserve, + * set the hight order instead thus minimizing possible future +@@ -41,7 +51,6 @@ static u32 __ipv6_select_ident(struct ne + */ + __be32 ipv6_proxy_select_ident(struct net *net, struct sk_buff *skb) + { +- static u32 ip6_proxy_idents_hashrnd __read_mostly; + struct in6_addr buf[2]; + struct in6_addr *addrs; + u32 id; +@@ -53,11 +62,7 @@ __be32 ipv6_proxy_select_ident(struct ne + if (!addrs) + return 0; + +- net_get_random_once(&ip6_proxy_idents_hashrnd, +- sizeof(ip6_proxy_idents_hashrnd)); +- +- id = __ipv6_select_ident(net, ip6_proxy_idents_hashrnd, +- &addrs[1], &addrs[0]); ++ id = __ipv6_select_ident(net, &addrs[1], &addrs[0]); + return htonl(id); + } + EXPORT_SYMBOL_GPL(ipv6_proxy_select_ident); +@@ -66,12 +71,9 @@ __be32 ipv6_select_ident(struct net *net + const struct in6_addr *daddr, + const struct in6_addr *saddr) + { +- static u32 ip6_idents_hashrnd __read_mostly; + u32 id; + +- net_get_random_once(&ip6_idents_hashrnd, sizeof(ip6_idents_hashrnd)); +- +- id = __ipv6_select_ident(net, ip6_idents_hashrnd, daddr, saddr); ++ id = __ipv6_select_ident(net, daddr, saddr); + return htonl(id); + } + EXPORT_SYMBOL(ipv6_select_ident); diff --git a/queue-4.19/ipv4-igmp-fix-another-memory-leak-in-igmpv3_del_delrec.patch b/queue-4.19/ipv4-igmp-fix-another-memory-leak-in-igmpv3_del_delrec.patch new file mode 100644 index 00000000000..267d2678d68 --- /dev/null +++ b/queue-4.19/ipv4-igmp-fix-another-memory-leak-in-igmpv3_del_delrec.patch @@ -0,0 +1,162 @@ +From foo@baz Fri 31 May 2019 03:21:27 PM PDT +From: Eric Dumazet +Date: Wed, 22 May 2019 16:51:22 -0700 +Subject: ipv4/igmp: fix another memory leak in igmpv3_del_delrec() + +From: Eric Dumazet + +[ Upstream commit 3580d04aa674383c42de7b635d28e52a1e5bc72c ] + +syzbot reported memory leaks [1] that I have back tracked to +a missing cleanup from igmpv3_del_delrec() when +(im->sfmode != MCAST_INCLUDE) + +Add ip_sf_list_clear_all() and kfree_pmc() helpers to explicitely +handle the cleanups before freeing. + +[1] + +BUG: memory leak +unreferenced object 0xffff888123e32b00 (size 64): + comm "softirq", pid 0, jiffies 4294942968 (age 8.010s) + hex dump (first 32 bytes): + 00 00 00 00 00 00 00 00 e0 00 00 01 00 00 00 00 ................ + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + backtrace: + [<000000006105011b>] kmemleak_alloc_recursive include/linux/kmemleak.h:55 [inline] + [<000000006105011b>] slab_post_alloc_hook mm/slab.h:439 [inline] + [<000000006105011b>] slab_alloc mm/slab.c:3326 [inline] + [<000000006105011b>] kmem_cache_alloc_trace+0x13d/0x280 mm/slab.c:3553 + [<000000004bba8073>] kmalloc include/linux/slab.h:547 [inline] + [<000000004bba8073>] kzalloc include/linux/slab.h:742 [inline] + [<000000004bba8073>] ip_mc_add1_src net/ipv4/igmp.c:1961 [inline] + [<000000004bba8073>] ip_mc_add_src+0x36b/0x400 net/ipv4/igmp.c:2085 + [<00000000a46a65a0>] ip_mc_msfilter+0x22d/0x310 net/ipv4/igmp.c:2475 + [<000000005956ca89>] do_ip_setsockopt.isra.0+0x1795/0x1930 net/ipv4/ip_sockglue.c:957 + [<00000000848e2d2f>] ip_setsockopt+0x3b/0xb0 net/ipv4/ip_sockglue.c:1246 + [<00000000b9db185c>] udp_setsockopt+0x4e/0x90 net/ipv4/udp.c:2616 + [<000000003028e438>] sock_common_setsockopt+0x38/0x50 net/core/sock.c:3130 + [<0000000015b65589>] __sys_setsockopt+0x98/0x120 net/socket.c:2078 + [<00000000ac198ef0>] __do_sys_setsockopt net/socket.c:2089 [inline] + [<00000000ac198ef0>] __se_sys_setsockopt net/socket.c:2086 [inline] + [<00000000ac198ef0>] __x64_sys_setsockopt+0x26/0x30 net/socket.c:2086 + [<000000000a770437>] do_syscall_64+0x76/0x1a0 arch/x86/entry/common.c:301 + [<00000000d3adb93b>] entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +Fixes: 9c8bb163ae78 ("igmp, mld: Fix memory leak in igmpv3/mld_del_delrec()") +Signed-off-by: Eric Dumazet +Cc: Hangbin Liu +Reported-by: syzbot +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/igmp.c | 47 ++++++++++++++++++++++++++++++----------------- + 1 file changed, 30 insertions(+), 17 deletions(-) + +--- a/net/ipv4/igmp.c ++++ b/net/ipv4/igmp.c +@@ -635,6 +635,24 @@ static void igmpv3_clear_zeros(struct ip + } + } + ++static void ip_sf_list_clear_all(struct ip_sf_list *psf) ++{ ++ struct ip_sf_list *next; ++ ++ while (psf) { ++ next = psf->sf_next; ++ kfree(psf); ++ psf = next; ++ } ++} ++ ++static void kfree_pmc(struct ip_mc_list *pmc) ++{ ++ ip_sf_list_clear_all(pmc->sources); ++ ip_sf_list_clear_all(pmc->tomb); ++ kfree(pmc); ++} ++ + static void igmpv3_send_cr(struct in_device *in_dev) + { + struct ip_mc_list *pmc, *pmc_prev, *pmc_next; +@@ -671,7 +689,7 @@ static void igmpv3_send_cr(struct in_dev + else + in_dev->mc_tomb = pmc_next; + in_dev_put(pmc->interface); +- kfree(pmc); ++ kfree_pmc(pmc); + } else + pmc_prev = pmc; + } +@@ -1201,14 +1219,18 @@ static void igmpv3_del_delrec(struct in_ + im->interface = pmc->interface; + if (im->sfmode == MCAST_INCLUDE) { + im->tomb = pmc->tomb; ++ pmc->tomb = NULL; ++ + im->sources = pmc->sources; ++ pmc->sources = NULL; ++ + for (psf = im->sources; psf; psf = psf->sf_next) + psf->sf_crcount = in_dev->mr_qrv ?: net->ipv4.sysctl_igmp_qrv; + } else { + im->crcount = in_dev->mr_qrv ?: net->ipv4.sysctl_igmp_qrv; + } + in_dev_put(pmc->interface); +- kfree(pmc); ++ kfree_pmc(pmc); + } + spin_unlock_bh(&im->lock); + } +@@ -1229,21 +1251,18 @@ static void igmpv3_clear_delrec(struct i + nextpmc = pmc->next; + ip_mc_clear_src(pmc); + in_dev_put(pmc->interface); +- kfree(pmc); ++ kfree_pmc(pmc); + } + /* clear dead sources, too */ + rcu_read_lock(); + for_each_pmc_rcu(in_dev, pmc) { +- struct ip_sf_list *psf, *psf_next; ++ struct ip_sf_list *psf; + + spin_lock_bh(&pmc->lock); + psf = pmc->tomb; + pmc->tomb = NULL; + spin_unlock_bh(&pmc->lock); +- for (; psf; psf = psf_next) { +- psf_next = psf->sf_next; +- kfree(psf); +- } ++ ip_sf_list_clear_all(psf); + } + rcu_read_unlock(); + } +@@ -2114,7 +2133,7 @@ static int ip_mc_add_src(struct in_devic + + static void ip_mc_clear_src(struct ip_mc_list *pmc) + { +- struct ip_sf_list *psf, *nextpsf, *tomb, *sources; ++ struct ip_sf_list *tomb, *sources; + + spin_lock_bh(&pmc->lock); + tomb = pmc->tomb; +@@ -2126,14 +2145,8 @@ static void ip_mc_clear_src(struct ip_mc + pmc->sfcount[MCAST_EXCLUDE] = 1; + spin_unlock_bh(&pmc->lock); + +- for (psf = tomb; psf; psf = nextpsf) { +- nextpsf = psf->sf_next; +- kfree(psf); +- } +- for (psf = sources; psf; psf = nextpsf) { +- nextpsf = psf->sf_next; +- kfree(psf); +- } ++ ip_sf_list_clear_all(tomb); ++ ip_sf_list_clear_all(sources); + } + + /* Join a multicast group diff --git a/queue-4.19/ipv4-igmp-fix-build-error-if-config_ip_multicast.patch b/queue-4.19/ipv4-igmp-fix-build-error-if-config_ip_multicast.patch new file mode 100644 index 00000000000..9115a2628f0 --- /dev/null +++ b/queue-4.19/ipv4-igmp-fix-build-error-if-config_ip_multicast.patch @@ -0,0 +1,58 @@ +From foo@baz Fri 31 May 2019 03:21:27 PM PDT +From: Eric Dumazet +Date: Wed, 22 May 2019 18:35:16 -0700 +Subject: ipv4/igmp: fix build error if !CONFIG_IP_MULTICAST + +From: Eric Dumazet + +[ Upstream commit 903869bd10e6719b9df6718e785be7ec725df59f ] + +ip_sf_list_clear_all() needs to be defined even if !CONFIG_IP_MULTICAST + +Fixes: 3580d04aa674 ("ipv4/igmp: fix another memory leak in igmpv3_del_delrec()") +Signed-off-by: Eric Dumazet +Reported-by: kbuild test robot +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/igmp.c | 22 +++++++++++----------- + 1 file changed, 11 insertions(+), 11 deletions(-) + +--- a/net/ipv4/igmp.c ++++ b/net/ipv4/igmp.c +@@ -190,6 +190,17 @@ static void ip_ma_put(struct ip_mc_list + pmc != NULL; \ + pmc = rtnl_dereference(pmc->next_rcu)) + ++static void ip_sf_list_clear_all(struct ip_sf_list *psf) ++{ ++ struct ip_sf_list *next; ++ ++ while (psf) { ++ next = psf->sf_next; ++ kfree(psf); ++ psf = next; ++ } ++} ++ + #ifdef CONFIG_IP_MULTICAST + + /* +@@ -635,17 +646,6 @@ static void igmpv3_clear_zeros(struct ip + } + } + +-static void ip_sf_list_clear_all(struct ip_sf_list *psf) +-{ +- struct ip_sf_list *next; +- +- while (psf) { +- next = psf->sf_next; +- kfree(psf); +- psf = next; +- } +-} +- + static void kfree_pmc(struct ip_mc_list *pmc) + { + ip_sf_list_clear_all(pmc->sources); diff --git a/queue-4.19/ipv6-consider-sk_bound_dev_if-when-binding-a-raw-socket-to-an-address.patch b/queue-4.19/ipv6-consider-sk_bound_dev_if-when-binding-a-raw-socket-to-an-address.patch new file mode 100644 index 00000000000..7a576b10323 --- /dev/null +++ b/queue-4.19/ipv6-consider-sk_bound_dev_if-when-binding-a-raw-socket-to-an-address.patch @@ -0,0 +1,37 @@ +From foo@baz Fri 31 May 2019 03:21:27 PM PDT +From: Mike Manning +Date: Mon, 20 May 2019 19:57:17 +0100 +Subject: ipv6: Consider sk_bound_dev_if when binding a raw socket to an address + +From: Mike Manning + +[ Upstream commit 72f7cfab6f93a8ea825fab8ccfb016d064269f7f ] + +IPv6 does not consider if the socket is bound to a device when binding +to an address. The result is that a socket can be bound to eth0 and +then bound to the address of eth1. If the device is a VRF, the result +is that a socket can only be bound to an address in the default VRF. + +Resolve by considering the device if sk_bound_dev_if is set. + +Signed-off-by: Mike Manning +Reviewed-by: David Ahern +Tested-by: David Ahern +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/raw.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/net/ipv6/raw.c ++++ b/net/ipv6/raw.c +@@ -288,7 +288,9 @@ static int rawv6_bind(struct sock *sk, s + /* Binding to link-local address requires an interface */ + if (!sk->sk_bound_dev_if) + goto out_unlock; ++ } + ++ if (sk->sk_bound_dev_if) { + err = -ENODEV; + dev = dev_get_by_index_rcu(sock_net(sk), + sk->sk_bound_dev_if); diff --git a/queue-4.19/ipv6-fix-redirect-with-vrf.patch b/queue-4.19/ipv6-fix-redirect-with-vrf.patch new file mode 100644 index 00000000000..8f4aab8abe6 --- /dev/null +++ b/queue-4.19/ipv6-fix-redirect-with-vrf.patch @@ -0,0 +1,39 @@ +From foo@baz Fri 31 May 2019 03:21:27 PM PDT +From: David Ahern +Date: Wed, 22 May 2019 15:12:18 -0700 +Subject: ipv6: Fix redirect with VRF + +From: David Ahern + +[ Upstream commit 31680ac265802397937d75461a2809a067b9fb93 ] + +IPv6 redirect is broken for VRF. __ip6_route_redirect walks the FIB +entries looking for an exact match on ifindex. With VRF the flowi6_oif +is updated by l3mdev_update_flow to the l3mdev index and the +FLOWI_FLAG_SKIP_NH_OIF set in the flags to tell the lookup to skip the +device match. For redirects the device match is requires so use that +flag to know when the oif needs to be reset to the skb device index. + +Fixes: ca254490c8df ("net: Add VRF support to IPv6 stack") +Signed-off-by: David Ahern +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/route.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/net/ipv6/route.c ++++ b/net/ipv6/route.c +@@ -2480,6 +2480,12 @@ static struct rt6_info *__ip6_route_redi + struct fib6_info *rt; + struct fib6_node *fn; + ++ /* l3mdev_update_flow overrides oif if the device is enslaved; in ++ * this case we must match on the real ingress device, so reset it ++ */ ++ if (fl6->flowi6_flags & FLOWI_FLAG_SKIP_NH_OIF) ++ fl6->flowi6_oif = skb->dev->ifindex; ++ + /* Get the "current" route for this destination and + * check if the redirect has come from appropriate router. + * diff --git a/queue-4.19/llc-fix-skb-leak-in-llc_build_and_send_ui_pkt.patch b/queue-4.19/llc-fix-skb-leak-in-llc_build_and_send_ui_pkt.patch new file mode 100644 index 00000000000..23a23da3b72 --- /dev/null +++ b/queue-4.19/llc-fix-skb-leak-in-llc_build_and_send_ui_pkt.patch @@ -0,0 +1,84 @@ +From foo@baz Fri 31 May 2019 03:21:27 PM PDT +From: Eric Dumazet +Date: Mon, 27 May 2019 17:35:52 -0700 +Subject: llc: fix skb leak in llc_build_and_send_ui_pkt() + +From: Eric Dumazet + +[ Upstream commit 8fb44d60d4142cd2a440620cd291d346e23c131e ] + +If llc_mac_hdr_init() returns an error, we must drop the skb +since no llc_build_and_send_ui_pkt() caller will take care of this. + +BUG: memory leak +unreferenced object 0xffff8881202b6800 (size 2048): + comm "syz-executor907", pid 7074, jiffies 4294943781 (age 8.590s) + hex dump (first 32 bytes): + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + 1a 00 07 40 00 00 00 00 00 00 00 00 00 00 00 00 ...@............ + backtrace: + [<00000000e25b5abe>] kmemleak_alloc_recursive include/linux/kmemleak.h:55 [inline] + [<00000000e25b5abe>] slab_post_alloc_hook mm/slab.h:439 [inline] + [<00000000e25b5abe>] slab_alloc mm/slab.c:3326 [inline] + [<00000000e25b5abe>] __do_kmalloc mm/slab.c:3658 [inline] + [<00000000e25b5abe>] __kmalloc+0x161/0x2c0 mm/slab.c:3669 + [<00000000a1ae188a>] kmalloc include/linux/slab.h:552 [inline] + [<00000000a1ae188a>] sk_prot_alloc+0xd6/0x170 net/core/sock.c:1608 + [<00000000ded25bbe>] sk_alloc+0x35/0x2f0 net/core/sock.c:1662 + [<000000002ecae075>] llc_sk_alloc+0x35/0x170 net/llc/llc_conn.c:950 + [<00000000551f7c47>] llc_ui_create+0x7b/0x140 net/llc/af_llc.c:173 + [<0000000029027f0e>] __sock_create+0x164/0x250 net/socket.c:1430 + [<000000008bdec225>] sock_create net/socket.c:1481 [inline] + [<000000008bdec225>] __sys_socket+0x69/0x110 net/socket.c:1523 + [<00000000b6439228>] __do_sys_socket net/socket.c:1532 [inline] + [<00000000b6439228>] __se_sys_socket net/socket.c:1530 [inline] + [<00000000b6439228>] __x64_sys_socket+0x1e/0x30 net/socket.c:1530 + [<00000000cec820c1>] do_syscall_64+0x76/0x1a0 arch/x86/entry/common.c:301 + [<000000000c32554f>] entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +BUG: memory leak +unreferenced object 0xffff88811d750d00 (size 224): + comm "syz-executor907", pid 7074, jiffies 4294943781 (age 8.600s) + hex dump (first 32 bytes): + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + 00 f0 0c 24 81 88 ff ff 00 68 2b 20 81 88 ff ff ...$.....h+ .... + backtrace: + [<0000000053026172>] kmemleak_alloc_recursive include/linux/kmemleak.h:55 [inline] + [<0000000053026172>] slab_post_alloc_hook mm/slab.h:439 [inline] + [<0000000053026172>] slab_alloc_node mm/slab.c:3269 [inline] + [<0000000053026172>] kmem_cache_alloc_node+0x153/0x2a0 mm/slab.c:3579 + [<00000000fa8f3c30>] __alloc_skb+0x6e/0x210 net/core/skbuff.c:198 + [<00000000d96fdafb>] alloc_skb include/linux/skbuff.h:1058 [inline] + [<00000000d96fdafb>] alloc_skb_with_frags+0x5f/0x250 net/core/skbuff.c:5327 + [<000000000a34a2e7>] sock_alloc_send_pskb+0x269/0x2a0 net/core/sock.c:2225 + [<00000000ee39999b>] sock_alloc_send_skb+0x32/0x40 net/core/sock.c:2242 + [<00000000e034d810>] llc_ui_sendmsg+0x10a/0x540 net/llc/af_llc.c:933 + [<00000000c0bc8445>] sock_sendmsg_nosec net/socket.c:652 [inline] + [<00000000c0bc8445>] sock_sendmsg+0x54/0x70 net/socket.c:671 + [<000000003b687167>] __sys_sendto+0x148/0x1f0 net/socket.c:1964 + [<00000000922d78d9>] __do_sys_sendto net/socket.c:1976 [inline] + [<00000000922d78d9>] __se_sys_sendto net/socket.c:1972 [inline] + [<00000000922d78d9>] __x64_sys_sendto+0x2a/0x30 net/socket.c:1972 + [<00000000cec820c1>] do_syscall_64+0x76/0x1a0 arch/x86/entry/common.c:301 + [<000000000c32554f>] entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/llc/llc_output.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/net/llc/llc_output.c ++++ b/net/llc/llc_output.c +@@ -72,6 +72,8 @@ int llc_build_and_send_ui_pkt(struct llc + rc = llc_mac_hdr_init(skb, skb->dev->dev_addr, dmac); + if (likely(!rc)) + rc = dev_queue_xmit(skb); ++ else ++ kfree_skb(skb); + return rc; + } + diff --git a/queue-4.19/net-dsa-mv88e6xxx-fix-handling-of-upper-half-of-stats_type_port.patch b/queue-4.19/net-dsa-mv88e6xxx-fix-handling-of-upper-half-of-stats_type_port.patch new file mode 100644 index 00000000000..7e6f27a5b31 --- /dev/null +++ b/queue-4.19/net-dsa-mv88e6xxx-fix-handling-of-upper-half-of-stats_type_port.patch @@ -0,0 +1,33 @@ +From foo@baz Fri 31 May 2019 03:21:27 PM PDT +From: Rasmus Villemoes +Date: Wed, 29 May 2019 07:02:11 +0000 +Subject: net: dsa: mv88e6xxx: fix handling of upper half of STATS_TYPE_PORT + +From: Rasmus Villemoes + +[ Upstream commit 84b3fd1fc9592d431e23b077e692fa4e3fd0f086 ] + +Currently, the upper half of a 4-byte STATS_TYPE_PORT statistic ends +up in bits 47:32 of the return value, instead of bits 31:16 as they +should. + +Fixes: 6e46e2d821bb ("net: dsa: mv88e6xxx: Fix u64 statistics") +Signed-off-by: Rasmus Villemoes +Reviewed-by: Vivien Didelot +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/dsa/mv88e6xxx/chip.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/dsa/mv88e6xxx/chip.c ++++ b/drivers/net/dsa/mv88e6xxx/chip.c +@@ -877,7 +877,7 @@ static uint64_t _mv88e6xxx_get_ethtool_s + err = mv88e6xxx_port_read(chip, port, s->reg + 1, ®); + if (err) + return U64_MAX; +- high = reg; ++ low |= ((u32)reg) << 16; + } + break; + case STATS_TYPE_BANK1: diff --git a/queue-4.19/net-fec-fix-the-clk-mismatch-in-failed_reset-path.patch b/queue-4.19/net-fec-fix-the-clk-mismatch-in-failed_reset-path.patch new file mode 100644 index 00000000000..7c692ea7932 --- /dev/null +++ b/queue-4.19/net-fec-fix-the-clk-mismatch-in-failed_reset-path.patch @@ -0,0 +1,34 @@ +From foo@baz Fri 31 May 2019 03:21:27 PM PDT +From: Andy Duan +Date: Thu, 23 May 2019 01:55:28 +0000 +Subject: net: fec: fix the clk mismatch in failed_reset path + +From: Andy Duan + +[ Upstream commit ce8d24f9a5965a58c588f9342689702a1024433c ] + +Fix the clk mismatch in the error path "failed_reset" because +below error path will disable clk_ahb and clk_ipg directly, it +should use pm_runtime_put_noidle() instead of pm_runtime_put() +to avoid to call runtime resume callback. + +Reported-by: Baruch Siach +Signed-off-by: Fugang Duan +Tested-by: Baruch Siach +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/freescale/fec_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/freescale/fec_main.c ++++ b/drivers/net/ethernet/freescale/fec_main.c +@@ -3571,7 +3571,7 @@ failed_init: + if (fep->reg_phy) + regulator_disable(fep->reg_phy); + failed_reset: +- pm_runtime_put(&pdev->dev); ++ pm_runtime_put_noidle(&pdev->dev); + pm_runtime_disable(&pdev->dev); + failed_regulator: + clk_disable_unprepare(fep->clk_ahb); diff --git a/queue-4.19/net-gro-fix-use-after-free-read-in-napi_gro_frags.patch b/queue-4.19/net-gro-fix-use-after-free-read-in-napi_gro_frags.patch new file mode 100644 index 00000000000..d87a96f3429 --- /dev/null +++ b/queue-4.19/net-gro-fix-use-after-free-read-in-napi_gro_frags.patch @@ -0,0 +1,69 @@ +From foo@baz Fri 31 May 2019 03:21:27 PM PDT +From: Eric Dumazet +Date: Wed, 29 May 2019 15:36:10 -0700 +Subject: net-gro: fix use-after-free read in napi_gro_frags() + +From: Eric Dumazet + +[ Upstream commit a4270d6795b0580287453ea55974d948393e66ef ] + +If a network driver provides to napi_gro_frags() an +skb with a page fragment of exactly 14 bytes, the call +to gro_pull_from_frag0() will 'consume' the fragment +by calling skb_frag_unref(skb, 0), and the page might +be freed and reused. + +Reading eth->h_proto at the end of napi_frags_skb() might +read mangled data, or crash under specific debugging features. + +BUG: KASAN: use-after-free in napi_frags_skb net/core/dev.c:5833 [inline] +BUG: KASAN: use-after-free in napi_gro_frags+0xc6f/0xd10 net/core/dev.c:5841 +Read of size 2 at addr ffff88809366840c by task syz-executor599/8957 + +CPU: 1 PID: 8957 Comm: syz-executor599 Not tainted 5.2.0-rc1+ #32 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0x172/0x1f0 lib/dump_stack.c:113 + print_address_description.cold+0x7c/0x20d mm/kasan/report.c:188 + __kasan_report.cold+0x1b/0x40 mm/kasan/report.c:317 + kasan_report+0x12/0x20 mm/kasan/common.c:614 + __asan_report_load_n_noabort+0xf/0x20 mm/kasan/generic_report.c:142 + napi_frags_skb net/core/dev.c:5833 [inline] + napi_gro_frags+0xc6f/0xd10 net/core/dev.c:5841 + tun_get_user+0x2f3c/0x3ff0 drivers/net/tun.c:1991 + tun_chr_write_iter+0xbd/0x156 drivers/net/tun.c:2037 + call_write_iter include/linux/fs.h:1872 [inline] + do_iter_readv_writev+0x5f8/0x8f0 fs/read_write.c:693 + do_iter_write fs/read_write.c:970 [inline] + do_iter_write+0x184/0x610 fs/read_write.c:951 + vfs_writev+0x1b3/0x2f0 fs/read_write.c:1015 + do_writev+0x15b/0x330 fs/read_write.c:1058 + +Fixes: a50e233c50db ("net-gro: restore frag0 optimization") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/core/dev.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -5725,7 +5725,6 @@ static struct sk_buff *napi_frags_skb(st + skb_reset_mac_header(skb); + skb_gro_reset_offset(skb); + +- eth = skb_gro_header_fast(skb, 0); + if (unlikely(skb_gro_header_hard(skb, hlen))) { + eth = skb_gro_header_slow(skb, hlen, 0); + if (unlikely(!eth)) { +@@ -5735,6 +5734,7 @@ static struct sk_buff *napi_frags_skb(st + return NULL; + } + } else { ++ eth = (const struct ethhdr *)skb->data; + gro_pull_from_frag0(skb, hlen); + NAPI_GRO_CB(skb)->frag0 += hlen; + NAPI_GRO_CB(skb)->frag0_len -= hlen; diff --git a/queue-4.19/net-mlx5-allocate-root-ns-memory-using-kzalloc-to-match-kfree.patch b/queue-4.19/net-mlx5-allocate-root-ns-memory-using-kzalloc-to-match-kfree.patch new file mode 100644 index 00000000000..944bfac82a5 --- /dev/null +++ b/queue-4.19/net-mlx5-allocate-root-ns-memory-using-kzalloc-to-match-kfree.patch @@ -0,0 +1,38 @@ +From foo@baz Fri 31 May 2019 03:21:27 PM PDT +From: Parav Pandit +Date: Fri, 10 May 2019 10:40:08 -0500 +Subject: net/mlx5: Allocate root ns memory using kzalloc to match kfree + +From: Parav Pandit + +[ Upstream commit 25fa506b70cadb580c1e9cbd836d6417276d4bcd ] + +root ns is yet another fs core node which is freed using kfree() by +tree_put_node(). +Rest of the other fs core objects are also allocated using kmalloc +variants. + +However, root ns memory is allocated using kvzalloc(). +Hence allocate root ns memory using kzalloc(). + +Fixes: 2530236303d9e ("net/mlx5_core: Flow steering tree initialization") +Signed-off-by: Parav Pandit +Reviewed-by: Daniel Jurgens +Reviewed-by: Mark Bloch +Signed-off-by: Saeed Mahameed +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlx5/core/fs_core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c +@@ -2220,7 +2220,7 @@ static struct mlx5_flow_root_namespace + cmds = mlx5_fs_cmd_get_default_ipsec_fpga_cmds(table_type); + + /* Create the root namespace */ +- root_ns = kvzalloc(sizeof(*root_ns), GFP_KERNEL); ++ root_ns = kzalloc(sizeof(*root_ns), GFP_KERNEL); + if (!root_ns) + return NULL; + diff --git a/queue-4.19/net-mlx5-avoid-double-free-in-fs-init-error-unwinding-path.patch b/queue-4.19/net-mlx5-avoid-double-free-in-fs-init-error-unwinding-path.patch new file mode 100644 index 00000000000..efa4e4f0c52 --- /dev/null +++ b/queue-4.19/net-mlx5-avoid-double-free-in-fs-init-error-unwinding-path.patch @@ -0,0 +1,71 @@ +From foo@baz Fri 31 May 2019 03:21:27 PM PDT +From: Parav Pandit +Date: Fri, 10 May 2019 10:26:23 -0500 +Subject: net/mlx5: Avoid double free in fs init error unwinding path + +From: Parav Pandit + +[ Upstream commit 9414277a5df3669c67e818708c0f881597e0118e ] + +In below code flow, for ingress acl table root ns memory leads +to double free. + +mlx5_init_fs + init_ingress_acls_root_ns() + init_ingress_acl_root_ns + kfree(steering->esw_ingress_root_ns); + /* steering->esw_ingress_root_ns is not marked NULL */ + mlx5_cleanup_fs + cleanup_ingress_acls_root_ns + steering->esw_ingress_root_ns non NULL check passes. + kfree(steering->esw_ingress_root_ns); + /* double free */ + +Similar issue exist for other tables. + +Hence zero out the pointers to not process the table again. + +Fixes: 9b93ab981e3bf ("net/mlx5: Separate ingress/egress namespaces for each vport") +Fixes: 40c3eebb49e51 ("net/mlx5: Add support in RDMA RX steering") +Signed-off-by: Parav Pandit +Reviewed-by: Mark Bloch +Signed-off-by: Saeed Mahameed +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlx5/core/fs_core.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c +@@ -2363,6 +2363,7 @@ static void cleanup_egress_acls_root_ns( + cleanup_root_ns(steering->esw_egress_root_ns[i]); + + kfree(steering->esw_egress_root_ns); ++ steering->esw_egress_root_ns = NULL; + } + + static void cleanup_ingress_acls_root_ns(struct mlx5_core_dev *dev) +@@ -2377,6 +2378,7 @@ static void cleanup_ingress_acls_root_ns + cleanup_root_ns(steering->esw_ingress_root_ns[i]); + + kfree(steering->esw_ingress_root_ns); ++ steering->esw_ingress_root_ns = NULL; + } + + void mlx5_cleanup_fs(struct mlx5_core_dev *dev) +@@ -2505,6 +2507,7 @@ cleanup_root_ns: + for (i--; i >= 0; i--) + cleanup_root_ns(steering->esw_egress_root_ns[i]); + kfree(steering->esw_egress_root_ns); ++ steering->esw_egress_root_ns = NULL; + return err; + } + +@@ -2532,6 +2535,7 @@ cleanup_root_ns: + for (i--; i >= 0; i--) + cleanup_root_ns(steering->esw_ingress_root_ns[i]); + kfree(steering->esw_ingress_root_ns); ++ steering->esw_ingress_root_ns = NULL; + return err; + } + diff --git a/queue-4.19/net-mlx5e-disable-rxhash-when-cqe-compress-is-enabled.patch b/queue-4.19/net-mlx5e-disable-rxhash-when-cqe-compress-is-enabled.patch new file mode 100644 index 00000000000..ad9131f8808 --- /dev/null +++ b/queue-4.19/net-mlx5e-disable-rxhash-when-cqe-compress-is-enabled.patch @@ -0,0 +1,64 @@ +From foo@baz Fri 31 May 2019 03:21:27 PM PDT +From: Saeed Mahameed +Date: Thu, 23 May 2019 12:55:10 -0700 +Subject: net/mlx5e: Disable rxhash when CQE compress is enabled + +From: Saeed Mahameed + +[ Upstream commit c0194e2d0ef0e5ce5e21a35640d23a706827ae28 ] + +When CQE compression is enabled (Multi-host systems), compressed CQEs +might arrive to the driver rx, compressed CQEs don't have a valid hash +offload and the driver already reports a hash value of 0 and invalid hash +type on the skb for compressed CQEs, but this is not good enough. + +On a congested PCIe, where CQE compression will kick in aggressively, +gro will deliver lots of out of order packets due to the invalid hash +and this might cause a serious performance drop. + +The only valid solution, is to disable rxhash offload at all when CQE +compression is favorable (Multi-host systems). + +Fixes: 7219ab34f184 ("net/mlx5e: CQE compression") +Signed-off-by: Saeed Mahameed +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +@@ -3734,6 +3734,12 @@ static netdev_features_t mlx5e_fix_featu + netdev_warn(netdev, "Disabling LRO, not supported in legacy RQ\n"); + } + ++ if (MLX5E_GET_PFLAG(params, MLX5E_PFLAG_RX_CQE_COMPRESS)) { ++ features &= ~NETIF_F_RXHASH; ++ if (netdev->features & NETIF_F_RXHASH) ++ netdev_warn(netdev, "Disabling rxhash, not supported when CQE compress is active\n"); ++ } ++ + mutex_unlock(&priv->state_lock); + + return features; +@@ -3860,6 +3866,9 @@ int mlx5e_hwstamp_set(struct mlx5e_priv + memcpy(&priv->tstamp, &config, sizeof(config)); + mutex_unlock(&priv->state_lock); + ++ /* might need to fix some features */ ++ netdev_update_features(priv->netdev); ++ + return copy_to_user(ifr->ifr_data, &config, + sizeof(config)) ? -EFAULT : 0; + } +@@ -4702,6 +4711,10 @@ static void mlx5e_build_nic_netdev(struc + if (!priv->channels.params.scatter_fcs_en) + netdev->features &= ~NETIF_F_RXFCS; + ++ /* prefere CQE compression over rxhash */ ++ if (MLX5E_GET_PFLAG(&priv->channels.params, MLX5E_PFLAG_RX_CQE_COMPRESS)) ++ netdev->features &= ~NETIF_F_RXHASH; ++ + #define FT_CAP(f) MLX5_CAP_FLOWTABLE(mdev, flow_table_properties_nic_receive.f) + if (FT_CAP(flow_modify_en) && + FT_CAP(modify_root) && diff --git a/queue-4.19/net-mvneta-fix-err-code-path-of-probe.patch b/queue-4.19/net-mvneta-fix-err-code-path-of-probe.patch new file mode 100644 index 00000000000..095f72c1492 --- /dev/null +++ b/queue-4.19/net-mvneta-fix-err-code-path-of-probe.patch @@ -0,0 +1,49 @@ +From foo@baz Fri 31 May 2019 03:21:27 PM PDT +From: Jisheng Zhang +Date: Mon, 27 May 2019 11:04:17 +0000 +Subject: net: mvneta: Fix err code path of probe + +From: Jisheng Zhang + +[ Upstream commit d484e06e25ebb937d841dac02ac1fe76ec7d4ddd ] + +Fix below issues in err code path of probe: +1. we don't need to unregister_netdev() because the netdev isn't +registered. +2. when register_netdev() fails, we also need to destroy bm pool for +HWBM case. + +Fixes: dc35a10f68d3 ("net: mvneta: bm: add support for hardware buffer management") +Signed-off-by: Jisheng Zhang +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/marvell/mvneta.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +--- a/drivers/net/ethernet/marvell/mvneta.c ++++ b/drivers/net/ethernet/marvell/mvneta.c +@@ -4611,7 +4611,7 @@ static int mvneta_probe(struct platform_ + err = register_netdev(dev); + if (err < 0) { + dev_err(&pdev->dev, "failed to register\n"); +- goto err_free_stats; ++ goto err_netdev; + } + + netdev_info(dev, "Using %s mac address %pM\n", mac_from, +@@ -4622,14 +4622,12 @@ static int mvneta_probe(struct platform_ + return 0; + + err_netdev: +- unregister_netdev(dev); + if (pp->bm_priv) { + mvneta_bm_pool_destroy(pp->bm_priv, pp->pool_long, 1 << pp->id); + mvneta_bm_pool_destroy(pp->bm_priv, pp->pool_short, + 1 << pp->id); + mvneta_bm_put(pp->bm_priv); + } +-err_free_stats: + free_percpu(pp->stats); + err_free_ports: + free_percpu(pp->ports); diff --git a/queue-4.19/net-mvpp2-fix-bad-mvpp2_txq_sched_token_cntr_reg-queue-value.patch b/queue-4.19/net-mvpp2-fix-bad-mvpp2_txq_sched_token_cntr_reg-queue-value.patch new file mode 100644 index 00000000000..8762f87d18c --- /dev/null +++ b/queue-4.19/net-mvpp2-fix-bad-mvpp2_txq_sched_token_cntr_reg-queue-value.patch @@ -0,0 +1,57 @@ +From foo@baz Fri 31 May 2019 03:21:27 PM PDT +From: Antoine Tenart +Date: Wed, 29 May 2019 15:59:48 +0200 +Subject: net: mvpp2: fix bad MVPP2_TXQ_SCHED_TOKEN_CNTR_REG queue value + +From: Antoine Tenart + +[ Upstream commit 21808437214637952b61beaba6034d97880fbeb3 ] + +MVPP2_TXQ_SCHED_TOKEN_CNTR_REG() expects the logical queue id but +the current code is passing the global tx queue offset, so it ends +up writing to unknown registers (between 0x8280 and 0x82fc, which +seemed to be unused by the hardware). This fixes the issue by using +the logical queue id instead. + +Fixes: 3f518509dedc ("ethernet: Add new driver for Marvell Armada 375 network unit") +Signed-off-by: Antoine Tenart +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c | 10 ++++------ + 1 file changed, 4 insertions(+), 6 deletions(-) + +--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c ++++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c +@@ -1404,7 +1404,7 @@ static inline void mvpp2_xlg_max_rx_size + /* Set defaults to the MVPP2 port */ + static void mvpp2_defaults_set(struct mvpp2_port *port) + { +- int tx_port_num, val, queue, ptxq, lrxq; ++ int tx_port_num, val, queue, lrxq; + + if (port->priv->hw_version == MVPP21) { + /* Update TX FIFO MIN Threshold */ +@@ -1422,11 +1422,9 @@ static void mvpp2_defaults_set(struct mv + mvpp2_write(port->priv, MVPP2_TXP_SCHED_CMD_1_REG, 0); + + /* Close bandwidth for all queues */ +- for (queue = 0; queue < MVPP2_MAX_TXQ; queue++) { +- ptxq = mvpp2_txq_phys(port->id, queue); ++ for (queue = 0; queue < MVPP2_MAX_TXQ; queue++) + mvpp2_write(port->priv, +- MVPP2_TXQ_SCHED_TOKEN_CNTR_REG(ptxq), 0); +- } ++ MVPP2_TXQ_SCHED_TOKEN_CNTR_REG(queue), 0); + + /* Set refill period to 1 usec, refill tokens + * and bucket size to maximum +@@ -2271,7 +2269,7 @@ static void mvpp2_txq_deinit(struct mvpp + txq->descs_dma = 0; + + /* Set minimum bandwidth for disabled TXQs */ +- mvpp2_write(port->priv, MVPP2_TXQ_SCHED_TOKEN_CNTR_REG(txq->id), 0); ++ mvpp2_write(port->priv, MVPP2_TXQ_SCHED_TOKEN_CNTR_REG(txq->log_id), 0); + + /* Set Tx descriptors queue starting address and size */ + cpu = get_cpu(); diff --git a/queue-4.19/net-phy-marvell10g-report-if-the-phy-fails-to-boot-firmware.patch b/queue-4.19/net-phy-marvell10g-report-if-the-phy-fails-to-boot-firmware.patch new file mode 100644 index 00000000000..1e21a6177fe --- /dev/null +++ b/queue-4.19/net-phy-marvell10g-report-if-the-phy-fails-to-boot-firmware.patch @@ -0,0 +1,52 @@ +From foo@baz Fri 31 May 2019 03:21:27 PM PDT +From: Russell King +Date: Tue, 28 May 2019 10:34:42 +0100 +Subject: net: phy: marvell10g: report if the PHY fails to boot firmware + +From: Russell King + +[ Upstream commit 3d3ced2ec5d71b99d72ae6910fbdf890bc2eccf0 ] + +Some boards do not have the PHY firmware programmed in the 3310's flash, +which leads to the PHY not working as expected. Warn the user when the +PHY fails to boot the firmware and refuse to initialise. + +Fixes: 20b2af32ff3f ("net: phy: add Marvell Alaska X 88X3310 10Gigabit PHY support") +Signed-off-by: Russell King +Tested-by: Maxime Chevallier +Reviewed-by: Andrew Lunn +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/phy/marvell10g.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +--- a/drivers/net/phy/marvell10g.c ++++ b/drivers/net/phy/marvell10g.c +@@ -27,6 +27,9 @@ + #include + + enum { ++ MV_PMA_BOOT = 0xc050, ++ MV_PMA_BOOT_FATAL = BIT(0), ++ + MV_PCS_BASE_T = 0x0000, + MV_PCS_BASE_R = 0x1000, + MV_PCS_1000BASEX = 0x2000, +@@ -226,6 +229,16 @@ static int mv3310_probe(struct phy_devic + (phydev->c45_ids.devices_in_package & mmd_mask) != mmd_mask) + return -ENODEV; + ++ ret = phy_read_mmd(phydev, MDIO_MMD_PMAPMD, MV_PMA_BOOT); ++ if (ret < 0) ++ return ret; ++ ++ if (ret & MV_PMA_BOOT_FATAL) { ++ dev_warn(&phydev->mdio.dev, ++ "PHY failed to boot firmware, status=%04x\n", ret); ++ return -ENODEV; ++ } ++ + priv = devm_kzalloc(&phydev->mdio.dev, sizeof(*priv), GFP_KERNEL); + if (!priv) + return -ENOMEM; diff --git a/queue-4.19/net-sched-don-t-use-tc_action-order-during-action-dump.patch b/queue-4.19/net-sched-don-t-use-tc_action-order-during-action-dump.patch new file mode 100644 index 00000000000..cc9db581b52 --- /dev/null +++ b/queue-4.19/net-sched-don-t-use-tc_action-order-during-action-dump.patch @@ -0,0 +1,55 @@ +From foo@baz Fri 31 May 2019 03:21:27 PM PDT +From: Vlad Buslov +Date: Thu, 23 May 2019 09:32:31 +0300 +Subject: net: sched: don't use tc_action->order during action dump + +From: Vlad Buslov + +[ Upstream commit 4097e9d250fb17958c1d9b94538386edd3f20144 ] + +Function tcf_action_dump() relies on tc_action->order field when starting +nested nla to send action data to userspace. This approach breaks in +several cases: + +- When multiple filters point to same shared action, tc_action->order field + is overwritten each time it is attached to filter. This causes filter + dump to output action with incorrect attribute for all filters that have + the action in different position (different order) from the last set + tc_action->order value. + +- When action data is displayed using tc action API (RTM_GETACTION), action + order is overwritten by tca_action_gd() according to its position in + resulting array of nl attributes, which will break filter dump for all + filters attached to that shared action that expect it to have different + order value. + +Don't rely on tc_action->order when dumping actions. Set nla according to +action position in resulting array of actions instead. + +Signed-off-by: Vlad Buslov +Acked-by: Jamal Hadi Salim +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/sched/act_api.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/net/sched/act_api.c ++++ b/net/sched/act_api.c +@@ -744,7 +744,7 @@ int tcf_action_dump(struct sk_buff *skb, + + for (i = 0; i < TCA_ACT_MAX_PRIO && actions[i]; i++) { + a = actions[i]; +- nest = nla_nest_start(skb, a->order); ++ nest = nla_nest_start(skb, i + 1); + if (nest == NULL) + goto nla_put_failure; + err = tcf_action_dump_1(skb, a, bind, ref); +@@ -1257,7 +1257,6 @@ tca_action_gd(struct net *net, struct nl + ret = PTR_ERR(act); + goto err; + } +- act->order = i; + attr_size += tcf_action_fill_size(act); + actions[i - 1] = act; + } diff --git a/queue-4.19/net-stmmac-dma-channel-control-register-need-to-be-init-first.patch b/queue-4.19/net-stmmac-dma-channel-control-register-need-to-be-init-first.patch new file mode 100644 index 00000000000..04182feee2e --- /dev/null +++ b/queue-4.19/net-stmmac-dma-channel-control-register-need-to-be-init-first.patch @@ -0,0 +1,46 @@ +From foo@baz Fri 31 May 2019 03:21:27 PM PDT +From: Weifeng Voon +Date: Tue, 21 May 2019 13:38:38 +0800 +Subject: net: stmmac: dma channel control register need to be init first + +From: Weifeng Voon + +stmmac_init_chan() needs to be called before stmmac_init_rx_chan() and +stmmac_init_tx_chan(). This is because if PBLx8 is to be used, +"DMA_CH(#i)_Control.PBLx8" needs to be set before programming +"DMA_CH(#i)_TX_Control.TxPBL" and "DMA_CH(#i)_RX_Control.RxPBL". + +Fixes: 47f2a9ce527a ("net: stmmac: dma channel init prepared for multiple queues") +Reviewed-by: Zhang, Baoli +Signed-off-by: Ong Boon Leong +Signed-off-by: Weifeng Voon +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +@@ -2195,6 +2195,10 @@ static int stmmac_init_dma_engine(struct + if (priv->plat->axi) + stmmac_axi(priv, priv->ioaddr, priv->plat->axi); + ++ /* DMA CSR Channel configuration */ ++ for (chan = 0; chan < dma_csr_ch; chan++) ++ stmmac_init_chan(priv, priv->ioaddr, priv->plat->dma_cfg, chan); ++ + /* DMA RX Channel Configuration */ + for (chan = 0; chan < rx_channels_count; chan++) { + rx_q = &priv->rx_queue[chan]; +@@ -2220,10 +2224,6 @@ static int stmmac_init_dma_engine(struct + tx_q->tx_tail_addr, chan); + } + +- /* DMA CSR Channel configuration */ +- for (chan = 0; chan < dma_csr_ch; chan++) +- stmmac_init_chan(priv, priv->ioaddr, priv->plat->dma_cfg, chan); +- + return ret; + } + diff --git a/queue-4.19/net-stmmac-fix-reset-gpio-free-missing.patch b/queue-4.19/net-stmmac-fix-reset-gpio-free-missing.patch new file mode 100644 index 00000000000..07433092c57 --- /dev/null +++ b/queue-4.19/net-stmmac-fix-reset-gpio-free-missing.patch @@ -0,0 +1,36 @@ +From foo@baz Fri 31 May 2019 03:21:27 PM PDT +From: Jisheng Zhang +Date: Wed, 22 May 2019 10:05:09 +0000 +Subject: net: stmmac: fix reset gpio free missing + +From: Jisheng Zhang + +[ Upstream commit 49ce881c0d4c4a7a35358d9dccd5f26d0e56fc61 ] + +Commit 984203ceff27 ("net: stmmac: mdio: remove reset gpio free") +removed the reset gpio free, when the driver is unbinded or rmmod, +we miss the gpio free. + +This patch uses managed API to request the reset gpio, so that the +gpio could be freed properly. + +Fixes: 984203ceff27 ("net: stmmac: mdio: remove reset gpio free") +Signed-off-by: Jisheng Zhang +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/stmicro/stmmac/stmmac_mdio.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_mdio.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_mdio.c +@@ -267,7 +267,8 @@ int stmmac_mdio_reset(struct mii_bus *bu + of_property_read_u32_array(np, + "snps,reset-delays-us", data->delays, 3); + +- if (gpio_request(data->reset_gpio, "mdio-reset")) ++ if (devm_gpio_request(priv->device, data->reset_gpio, ++ "mdio-reset")) + return 0; + } + diff --git a/queue-4.19/net-tls-avoid-null-deref-on-resync-during-device-removal.patch b/queue-4.19/net-tls-avoid-null-deref-on-resync-during-device-removal.patch new file mode 100644 index 00000000000..0679860ecd3 --- /dev/null +++ b/queue-4.19/net-tls-avoid-null-deref-on-resync-during-device-removal.patch @@ -0,0 +1,70 @@ +From foo@baz Fri 31 May 2019 03:21:27 PM PDT +From: Jakub Kicinski +Date: Tue, 21 May 2019 19:02:00 -0700 +Subject: net/tls: avoid NULL-deref on resync during device removal + +From: Jakub Kicinski + +[ Upstream commit 38030d7cb77963ba84cdbe034806e2b81245339f ] + +When netdev with active kTLS sockets in unregistered +notifier callback walks the offloaded sockets and +cleans up offload state. RX data may still be processed, +however, and if resync was requested prior to device +removal we would hit a NULL pointer dereference on +ctx->netdev use. + +Make sure resync is under the device offload lock +and NULL-check the netdev pointer. + +This should be safe, because the pointer is set to +NULL either in the netdev notifier (under said lock) +or when socket is completely dead and no resync can +happen. + +The other access to ctx->netdev in tls_validate_xmit_skb() +does not dereference the pointer, it just checks it against +other device pointer, so it should be pretty safe (perhaps +we can add a READ_ONCE/WRITE_ONCE there, if paranoid). + +Fixes: 4799ac81e52a ("tls: Add rx inline crypto offload") +Signed-off-by: Jakub Kicinski +Reviewed-by: Dirk van der Merwe +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/tls/tls_device.c | 15 ++++++++++----- + 1 file changed, 10 insertions(+), 5 deletions(-) + +--- a/net/tls/tls_device.c ++++ b/net/tls/tls_device.c +@@ -548,8 +548,8 @@ static int tls_device_push_pending_recor + void handle_device_resync(struct sock *sk, u32 seq, u64 rcd_sn) + { + struct tls_context *tls_ctx = tls_get_ctx(sk); +- struct net_device *netdev = tls_ctx->netdev; + struct tls_offload_context_rx *rx_ctx; ++ struct net_device *netdev; + u32 is_req_pending; + s64 resync_req; + u32 req_seq; +@@ -563,10 +563,15 @@ void handle_device_resync(struct sock *s + is_req_pending = resync_req; + + if (unlikely(is_req_pending) && req_seq == seq && +- atomic64_try_cmpxchg(&rx_ctx->resync_req, &resync_req, 0)) +- netdev->tlsdev_ops->tls_dev_resync_rx(netdev, sk, +- seq + TLS_HEADER_SIZE - 1, +- rcd_sn); ++ atomic64_try_cmpxchg(&rx_ctx->resync_req, &resync_req, 0)) { ++ seq += TLS_HEADER_SIZE - 1; ++ down_read(&device_offload_lock); ++ netdev = tls_ctx->netdev; ++ if (netdev) ++ netdev->tlsdev_ops->tls_dev_resync_rx(netdev, sk, seq, ++ rcd_sn); ++ up_read(&device_offload_lock); ++ } + } + + static int tls_device_reencrypt(struct sock *sk, struct sk_buff *skb) diff --git a/queue-4.19/net-tls-don-t-ignore-netdev-notifications-if-no-tls-features.patch b/queue-4.19/net-tls-don-t-ignore-netdev-notifications-if-no-tls-features.patch new file mode 100644 index 00000000000..a28a6330607 --- /dev/null +++ b/queue-4.19/net-tls-don-t-ignore-netdev-notifications-if-no-tls-features.patch @@ -0,0 +1,37 @@ +From foo@baz Fri 31 May 2019 03:21:27 PM PDT +From: Jakub Kicinski +Date: Tue, 21 May 2019 19:02:02 -0700 +Subject: net/tls: don't ignore netdev notifications if no TLS features + +From: Jakub Kicinski + +[ Upstream commit c3f4a6c39cf269a40d45f813c05fa830318ad875 ] + +On device surprise removal path (the notifier) we can't +bail just because the features are disabled. They may +have been enabled during the lifetime of the device. +This bug leads to leaking netdev references and +use-after-frees if there are active connections while +device features are cleared. + +Fixes: e8f69799810c ("net/tls: Add generic NIC offload infrastructure") +Signed-off-by: Jakub Kicinski +Reviewed-by: Dirk van der Merwe +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/tls/tls_device.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/tls/tls_device.c ++++ b/net/tls/tls_device.c +@@ -979,7 +979,8 @@ static int tls_dev_event(struct notifier + { + struct net_device *dev = netdev_notifier_info_to_dev(ptr); + +- if (!(dev->features & (NETIF_F_HW_TLS_RX | NETIF_F_HW_TLS_TX))) ++ if (!dev->tlsdev_ops && ++ !(dev->features & (NETIF_F_HW_TLS_RX | NETIF_F_HW_TLS_TX))) + return NOTIFY_DONE; + + switch (event) { diff --git a/queue-4.19/net-tls-fix-state-removal-with-feature-flags-off.patch b/queue-4.19/net-tls-fix-state-removal-with-feature-flags-off.patch new file mode 100644 index 00000000000..b8bbc501cb8 --- /dev/null +++ b/queue-4.19/net-tls-fix-state-removal-with-feature-flags-off.patch @@ -0,0 +1,60 @@ +From foo@baz Fri 31 May 2019 03:21:27 PM PDT +From: Jakub Kicinski +Date: Tue, 21 May 2019 19:02:01 -0700 +Subject: net/tls: fix state removal with feature flags off + +From: Jakub Kicinski + +[ Upstream commit 3686637e507b48525fcea6fb91e1988bdbc14530 ] + +TLS offload drivers shouldn't (and currently don't) block +the TLS offload feature changes based on whether there are +active offloaded connections or not. + +This seems to be a good idea, because we want the admin to +be able to disable the TLS offload at any time, and there +is no clean way of disabling it for active connections +(TX side is quite problematic). So if features are cleared +existing connections will stay offloaded until they close, +and new connections will not attempt offload to a given +device. + +However, the offload state removal handling is currently +broken if feature flags get cleared while there are +active TLS offloads. + +RX side will completely bail from cleanup, even on normal +remove path, leaving device state dangling, potentially +causing issues when the 5-tuple is reused. It will also +fail to release the netdev reference. + +Remove the RX-side warning message, in next release cycle +it should be printed when features are disabled, rather +than when connection dies, but for that we need a more +efficient method of finding connection of a given netdev +(a'la BPF offload code). + +Fixes: 4799ac81e52a ("tls: Add rx inline crypto offload") +Signed-off-by: Jakub Kicinski +Reviewed-by: Dirk van der Merwe +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/tls/tls_device.c | 6 ------ + 1 file changed, 6 deletions(-) + +--- a/net/tls/tls_device.c ++++ b/net/tls/tls_device.c +@@ -921,12 +921,6 @@ void tls_device_offload_cleanup_rx(struc + if (!netdev) + goto out; + +- if (!(netdev->features & NETIF_F_HW_TLS_RX)) { +- pr_err_ratelimited("%s: device is missing NETIF_F_HW_TLS_RX cap\n", +- __func__); +- goto out; +- } +- + netdev->tlsdev_ops->tls_dev_del(netdev, tls_ctx, + TLS_OFFLOAD_CTX_DIR_RX); + diff --git a/queue-4.19/series b/queue-4.19/series new file mode 100644 index 00000000000..0250de052bc --- /dev/null +++ b/queue-4.19/series @@ -0,0 +1,26 @@ +bonding-802.3ad-fix-slave-link-initialization-transition-states.patch +cxgb4-offload-vlan-flows-regardless-of-vlan-ethtype.patch +inet-switch-ip-id-generator-to-siphash.patch +ipv4-igmp-fix-another-memory-leak-in-igmpv3_del_delrec.patch +ipv4-igmp-fix-build-error-if-config_ip_multicast.patch +ipv6-consider-sk_bound_dev_if-when-binding-a-raw-socket-to-an-address.patch +ipv6-fix-redirect-with-vrf.patch +llc-fix-skb-leak-in-llc_build_and_send_ui_pkt.patch +net-dsa-mv88e6xxx-fix-handling-of-upper-half-of-stats_type_port.patch +net-fec-fix-the-clk-mismatch-in-failed_reset-path.patch +net-gro-fix-use-after-free-read-in-napi_gro_frags.patch +net-mvneta-fix-err-code-path-of-probe.patch +net-mvpp2-fix-bad-mvpp2_txq_sched_token_cntr_reg-queue-value.patch +net-phy-marvell10g-report-if-the-phy-fails-to-boot-firmware.patch +net-sched-don-t-use-tc_action-order-during-action-dump.patch +net-stmmac-fix-reset-gpio-free-missing.patch +usbnet-fix-kernel-crash-after-disconnect.patch +net-mlx5-avoid-double-free-in-fs-init-error-unwinding-path.patch +tipc-avoid-copying-bytes-beyond-the-supplied-data.patch +net-mlx5-allocate-root-ns-memory-using-kzalloc-to-match-kfree.patch +net-mlx5e-disable-rxhash-when-cqe-compress-is-enabled.patch +net-stmmac-dma-channel-control-register-need-to-be-init-first.patch +bnxt_en-fix-aggregation-buffer-leak-under-oom-condition.patch +net-tls-avoid-null-deref-on-resync-during-device-removal.patch +net-tls-fix-state-removal-with-feature-flags-off.patch +net-tls-don-t-ignore-netdev-notifications-if-no-tls-features.patch diff --git a/queue-4.19/tipc-avoid-copying-bytes-beyond-the-supplied-data.patch b/queue-4.19/tipc-avoid-copying-bytes-beyond-the-supplied-data.patch new file mode 100644 index 00000000000..eb995ac092b --- /dev/null +++ b/queue-4.19/tipc-avoid-copying-bytes-beyond-the-supplied-data.patch @@ -0,0 +1,67 @@ +From foo@baz Fri 31 May 2019 03:21:27 PM PDT +From: Chris Packham +Date: Mon, 20 May 2019 15:45:36 +1200 +Subject: tipc: Avoid copying bytes beyond the supplied data + +From: Chris Packham + +TLV_SET is called with a data pointer and a len parameter that tells us +how many bytes are pointed to by data. When invoking memcpy() we need +to careful to only copy len bytes. + +Previously we would copy TLV_LENGTH(len) bytes which would copy an extra +4 bytes past the end of the data pointer which newer GCC versions +complain about. + + In file included from test.c:17: + In function 'TLV_SET', + inlined from 'test' at test.c:186:5: + /usr/include/linux/tipc_config.h:317:3: + warning: 'memcpy' forming offset [33, 36] is out of the bounds [0, 32] + of object 'bearer_name' with type 'char[32]' [-Warray-bounds] + memcpy(TLV_DATA(tlv_ptr), data, tlv_len); + ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + test.c: In function 'test': + test.c::161:10: note: + 'bearer_name' declared here + char bearer_name[TIPC_MAX_BEARER_NAME]; + ^~~~~~~~~~~ + +We still want to ensure any padding bytes at the end are initialised, do +this with a explicit memset() rather than copy bytes past the end of +data. Apply the same logic to TCM_SET. + +Signed-off-by: Chris Packham +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/uapi/linux/tipc_config.h | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +--- a/include/uapi/linux/tipc_config.h ++++ b/include/uapi/linux/tipc_config.h +@@ -307,8 +307,10 @@ static inline int TLV_SET(void *tlv, __u + tlv_ptr = (struct tlv_desc *)tlv; + tlv_ptr->tlv_type = htons(type); + tlv_ptr->tlv_len = htons(tlv_len); +- if (len && data) +- memcpy(TLV_DATA(tlv_ptr), data, tlv_len); ++ if (len && data) { ++ memcpy(TLV_DATA(tlv_ptr), data, len); ++ memset(TLV_DATA(tlv_ptr) + len, 0, TLV_SPACE(len) - tlv_len); ++ } + return TLV_SPACE(len); + } + +@@ -405,8 +407,10 @@ static inline int TCM_SET(void *msg, __u + tcm_hdr->tcm_len = htonl(msg_len); + tcm_hdr->tcm_type = htons(cmd); + tcm_hdr->tcm_flags = htons(flags); +- if (data_len && data) ++ if (data_len && data) { + memcpy(TCM_DATA(msg), data, data_len); ++ memset(TCM_DATA(msg) + data_len, 0, TCM_SPACE(data_len) - msg_len); ++ } + return TCM_SPACE(data_len); + } + diff --git a/queue-4.19/usbnet-fix-kernel-crash-after-disconnect.patch b/queue-4.19/usbnet-fix-kernel-crash-after-disconnect.patch new file mode 100644 index 00000000000..e0009bf8df5 --- /dev/null +++ b/queue-4.19/usbnet-fix-kernel-crash-after-disconnect.patch @@ -0,0 +1,90 @@ +From foo@baz Fri 31 May 2019 03:21:27 PM PDT +From: Kloetzke Jan +Date: Tue, 21 May 2019 13:18:40 +0000 +Subject: usbnet: fix kernel crash after disconnect + +From: Kloetzke Jan + +[ Upstream commit ad70411a978d1e6e97b1e341a7bde9a79af0c93d ] + +When disconnecting cdc_ncm the kernel sporadically crashes shortly +after the disconnect: + + [ 57.868812] Unable to handle kernel NULL pointer dereference at virtual address 00000000 + ... + [ 58.006653] PC is at 0x0 + [ 58.009202] LR is at call_timer_fn+0xec/0x1b4 + [ 58.013567] pc : [<0000000000000000>] lr : [] pstate: 00000145 + [ 58.020976] sp : ffffff8008003da0 + [ 58.024295] x29: ffffff8008003da0 x28: 0000000000000001 + [ 58.029618] x27: 000000000000000a x26: 0000000000000100 + [ 58.034941] x25: 0000000000000000 x24: ffffff8008003e68 + [ 58.040263] x23: 0000000000000000 x22: 0000000000000000 + [ 58.045587] x21: 0000000000000000 x20: ffffffc68fac1808 + [ 58.050910] x19: 0000000000000100 x18: 0000000000000000 + [ 58.056232] x17: 0000007f885aff8c x16: 0000007f883a9f10 + [ 58.061556] x15: 0000000000000001 x14: 000000000000006e + [ 58.066878] x13: 0000000000000000 x12: 00000000000000ba + [ 58.072201] x11: ffffffc69ff1db30 x10: 0000000000000020 + [ 58.077524] x9 : 8000100008001000 x8 : 0000000000000001 + [ 58.082847] x7 : 0000000000000800 x6 : ffffff8008003e70 + [ 58.088169] x5 : ffffffc69ff17a28 x4 : 00000000ffff138b + [ 58.093492] x3 : 0000000000000000 x2 : 0000000000000000 + [ 58.098814] x1 : 0000000000000000 x0 : 0000000000000000 + ... + [ 58.205800] [< (null)>] (null) + [ 58.210521] [] expire_timers+0xa0/0x14c + [ 58.215937] [] run_timer_softirq+0xe8/0x128 + [ 58.221702] [] __do_softirq+0x298/0x348 + [ 58.227118] [] irq_exit+0x74/0xbc + [ 58.232009] [] __handle_domain_irq+0x78/0xac + [ 58.237857] [] gic_handle_irq+0x80/0xac + ... + +The crash happens roughly 125..130ms after the disconnect. This +correlates with the 'delay' timer that is started on certain USB tx/rx +errors in the URB completion handler. + +The problem is a race of usbnet_stop() with usbnet_start_xmit(). In +usbnet_stop() we call usbnet_terminate_urbs() to cancel all URBs in +flight. This only makes sense if no new URBs are submitted +concurrently, though. But the usbnet_start_xmit() can run at the same +time on another CPU which almost unconditionally submits an URB. The +error callback of the new URB will then schedule the timer after it was +already stopped. + +The fix adds a check if the tx queue is stopped after the tx list lock +has been taken. This should reliably prevent the submission of new URBs +while usbnet_terminate_urbs() does its job. The same thing is done on +the rx side even though it might be safe due to other flags that are +checked there. + +Signed-off-by: Jan Klötzke +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/usbnet.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/net/usb/usbnet.c ++++ b/drivers/net/usb/usbnet.c +@@ -506,6 +506,7 @@ static int rx_submit (struct usbnet *dev + + if (netif_running (dev->net) && + netif_device_present (dev->net) && ++ test_bit(EVENT_DEV_OPEN, &dev->flags) && + !test_bit (EVENT_RX_HALT, &dev->flags) && + !test_bit (EVENT_DEV_ASLEEP, &dev->flags)) { + switch (retval = usb_submit_urb (urb, GFP_ATOMIC)) { +@@ -1431,6 +1432,11 @@ netdev_tx_t usbnet_start_xmit (struct sk + spin_unlock_irqrestore(&dev->txq.lock, flags); + goto drop; + } ++ if (netif_queue_stopped(net)) { ++ usb_autopm_put_interface_async(dev->intf); ++ spin_unlock_irqrestore(&dev->txq.lock, flags); ++ goto drop; ++ } + + #ifdef CONFIG_PM + /* if this triggers the device is still a sleep */