From: Greg Kroah-Hartman Date: Fri, 22 Jan 2021 12:38:55 +0000 (+0100) Subject: 4.14-stable patches X-Git-Tag: v4.4.253~10 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e8e895db32ddae3989f74122922abea99e38e97b;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: esp-avoid-unneeded-kmap_atomic-call.patch net-avoid-32-x-truesize-under-estimation-for-tiny-skbs.patch net-dcb-accept-rtm_getdcb-messages-carrying-set-like-dcb-commands.patch net-dcb-validate-netlink-message-in-dcb-handler.patch net-introduce-skb_list_walk_safe-for-skb-segment-walking.patch net-ipv6-validate-gso-skb-before-finish-ipv6-processing.patch net-sit-unregister_netdevice-on-newlink-s-error-path.patch net-skbuff-disambiguate-argument-and-member-for-skb_list_walk_safe-helper.patch net-stmmac-fixed-mtu-channged-by-cache-aligned.patch net-use-skb_list_del_init-to-remove-from-rx-sublists.patch netxen_nic-fix-msi-msi-x-interrupts.patch rndis_host-set-proper-input-size-for-oid_gen_physical_medium-request.patch rxrpc-fix-handling-of-an-unsupported-token-type-in-rxrpc_read.patch tipc-fix-null-deref-in-tipc_link_xmit.patch --- diff --git a/queue-4.14/esp-avoid-unneeded-kmap_atomic-call.patch b/queue-4.14/esp-avoid-unneeded-kmap_atomic-call.patch new file mode 100644 index 00000000000..6b530776713 --- /dev/null +++ b/queue-4.14/esp-avoid-unneeded-kmap_atomic-call.patch @@ -0,0 +1,87 @@ +From foo@baz Fri Jan 22 01:28:02 PM CET 2021 +From: Willem de Bruijn +Date: Sat, 9 Jan 2021 17:18:34 -0500 +Subject: esp: avoid unneeded kmap_atomic call + +From: Willem de Bruijn + +[ Upstream commit 9bd6b629c39e3fa9e14243a6d8820492be1a5b2e ] + +esp(6)_output_head uses skb_page_frag_refill to allocate a buffer for +the esp trailer. + +It accesses the page with kmap_atomic to handle highmem. But +skb_page_frag_refill can return compound pages, of which +kmap_atomic only maps the first underlying page. + +skb_page_frag_refill does not return highmem, because flag +__GFP_HIGHMEM is not set. 
ESP uses it in the same manner as TCP. +That also does not call kmap_atomic, but directly uses page_address, +in skb_copy_to_page_nocache. Do the same for ESP. + +This issue has become easier to trigger with recent kmap local +debugging feature CONFIG_DEBUG_KMAP_LOCAL_FORCE_MAP. + +Fixes: cac2661c53f3 ("esp4: Avoid skb_cow_data whenever possible") +Fixes: 03e2a30f6a27 ("esp6: Avoid skb_cow_data whenever possible") +Signed-off-by: Willem de Bruijn +Acked-by: Steffen Klassert +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/esp4.c | 7 +------ + net/ipv6/esp6.c | 7 +------ + 2 files changed, 2 insertions(+), 12 deletions(-) + +--- a/net/ipv4/esp4.c ++++ b/net/ipv4/esp4.c +@@ -252,7 +252,6 @@ static int esp_output_udp_encap(struct x + int esp_output_head(struct xfrm_state *x, struct sk_buff *skb, struct esp_info *esp) + { + u8 *tail; +- u8 *vaddr; + int nfrags; + int esph_offset; + struct page *page; +@@ -294,14 +293,10 @@ int esp_output_head(struct xfrm_state *x + page = pfrag->page; + get_page(page); + +- vaddr = kmap_atomic(page); +- +- tail = vaddr + pfrag->offset; ++ tail = page_address(page) + pfrag->offset; + + esp_output_fill_trailer(tail, esp->tfclen, esp->plen, esp->proto); + +- kunmap_atomic(vaddr); +- + nfrags = skb_shinfo(skb)->nr_frags; + + __skb_fill_page_desc(skb, nfrags, page, pfrag->offset, +--- a/net/ipv6/esp6.c ++++ b/net/ipv6/esp6.c +@@ -219,7 +219,6 @@ static void esp_output_fill_trailer(u8 * + int esp6_output_head(struct xfrm_state *x, struct sk_buff *skb, struct esp_info *esp) + { + u8 *tail; +- u8 *vaddr; + int nfrags; + struct page *page; + struct sk_buff *trailer; +@@ -252,14 +251,10 @@ int esp6_output_head(struct xfrm_state * + page = pfrag->page; + get_page(page); + +- vaddr = kmap_atomic(page); +- +- tail = vaddr + pfrag->offset; ++ tail = page_address(page) + pfrag->offset; + + esp_output_fill_trailer(tail, esp->tfclen, esp->plen, esp->proto); + +- kunmap_atomic(vaddr); +- + nfrags = 
skb_shinfo(skb)->nr_frags; + + __skb_fill_page_desc(skb, nfrags, page, pfrag->offset, diff --git a/queue-4.14/net-avoid-32-x-truesize-under-estimation-for-tiny-skbs.patch b/queue-4.14/net-avoid-32-x-truesize-under-estimation-for-tiny-skbs.patch new file mode 100644 index 00000000000..b598ddfa0d0 --- /dev/null +++ b/queue-4.14/net-avoid-32-x-truesize-under-estimation-for-tiny-skbs.patch @@ -0,0 +1,81 @@ +From foo@baz Fri Jan 22 01:28:02 PM CET 2021 +From: Eric Dumazet +Date: Wed, 13 Jan 2021 08:18:19 -0800 +Subject: net: avoid 32 x truesize under-estimation for tiny skbs + +From: Eric Dumazet + +[ Upstream commit 3226b158e67cfaa677fd180152bfb28989cb2fac ] + +Both virtio net and napi_get_frags() allocate skbs +with a very small skb->head + +While using page fragments instead of a kmalloc backed skb->head might give +a small performance improvement in some cases, there is a huge risk of +under estimating memory usage. + +For both GOOD_COPY_LEN and GRO_MAX_HEAD, we can fit at least 32 allocations +per page (order-3 page in x86), or even 64 on PowerPC + +We have been tracking OOM issues on GKE hosts hitting tcp_mem limits +but consuming far more memory for TCP buffers than instructed in tcp_mem[2] + +Even if we force napi_alloc_skb() to only use order-0 pages, the issue +would still be there on arches with PAGE_SIZE >= 32768 + +This patch makes sure that small skb head are kmalloc backed, so that +other objects in the slab page can be reused instead of being held as long +as skbs are sitting in socket queues. + +Note that we might in the future use the sk_buff napi cache, +instead of going through a more expensive __alloc_skb() + +Another idea would be to use separate page sizes depending +on the allocated length (to never have more than 4 frags per page) + +I would like to thank Greg Thelen for his precious help on this matter, +analysing crash dumps is always a time consuming task. 
+ +Fixes: fd11a83dd363 ("net: Pull out core bits of __netdev_alloc_skb and add __napi_alloc_skb") +Signed-off-by: Eric Dumazet +Cc: Paolo Abeni +Cc: Greg Thelen +Reviewed-by: Alexander Duyck +Acked-by: Michael S. Tsirkin +Link: https://lore.kernel.org/r/20210113161819.1155526-1-eric.dumazet@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/core/skbuff.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +--- a/net/core/skbuff.c ++++ b/net/core/skbuff.c +@@ -459,13 +459,17 @@ EXPORT_SYMBOL(__netdev_alloc_skb); + struct sk_buff *__napi_alloc_skb(struct napi_struct *napi, unsigned int len, + gfp_t gfp_mask) + { +- struct napi_alloc_cache *nc = this_cpu_ptr(&napi_alloc_cache); ++ struct napi_alloc_cache *nc; + struct sk_buff *skb; + void *data; + + len += NET_SKB_PAD + NET_IP_ALIGN; + +- if ((len > SKB_WITH_OVERHEAD(PAGE_SIZE)) || ++ /* If requested length is either too small or too big, ++ * we use kmalloc() for skb->head allocation. ++ */ ++ if (len <= SKB_WITH_OVERHEAD(1024) || ++ len > SKB_WITH_OVERHEAD(PAGE_SIZE) || + (gfp_mask & (__GFP_DIRECT_RECLAIM | GFP_DMA))) { + skb = __alloc_skb(len, gfp_mask, SKB_ALLOC_RX, NUMA_NO_NODE); + if (!skb) +@@ -473,6 +477,7 @@ struct sk_buff *__napi_alloc_skb(struct + goto skb_success; + } + ++ nc = this_cpu_ptr(&napi_alloc_cache); + len += SKB_DATA_ALIGN(sizeof(struct skb_shared_info)); + len = SKB_DATA_ALIGN(len); + diff --git a/queue-4.14/net-dcb-accept-rtm_getdcb-messages-carrying-set-like-dcb-commands.patch b/queue-4.14/net-dcb-accept-rtm_getdcb-messages-carrying-set-like-dcb-commands.patch new file mode 100644 index 00000000000..23fade1d9cf --- /dev/null +++ b/queue-4.14/net-dcb-accept-rtm_getdcb-messages-carrying-set-like-dcb-commands.patch @@ -0,0 +1,49 @@ +From foo@baz Fri Jan 22 01:28:02 PM CET 2021 +From: Petr Machata +Date: Mon, 11 Jan 2021 18:07:07 +0100 +Subject: net: dcb: Accept RTM_GETDCB messages carrying set-like DCB commands + +From: Petr Machata + +[ Upstream 
commit df85bc140a4d6cbaa78d8e9c35154e1a2f0622c7 ] + +In commit 826f328e2b7e ("net: dcb: Validate netlink message in DCB +handler"), Linux started rejecting RTM_GETDCB netlink messages if they +contained a set-like DCB_CMD_ command. + +The reason was that privileges were only verified for RTM_SETDCB messages, +but the value that determined the action to be taken is the command, not +the message type. And validation of message type against the DCB command +was the obvious missing piece. + +Unfortunately it turns out that mlnx_qos, a somewhat widely deployed tool +for configuration of DCB, accesses the DCB set-like APIs through +RTM_GETDCB. + +Therefore do not bounce the discrepancy between message type and command. +Instead, in addition to validating privileges based on the actual message +type, validate them also based on the expected message type. This closes +the loophole of allowing DCB configuration on non-admin accounts, while +maintaining backward compatibility. + +Fixes: 2f90b8657ec9 ("ixgbe: this patch adds support for DCB to the kernel and ixgbe driver") +Fixes: 826f328e2b7e ("net: dcb: Validate netlink message in DCB handler") +Signed-off-by: Petr Machata +Link: https://lore.kernel.org/r/a3edcfda0825f2aa2591801c5232f2bbf2d8a554.1610384801.git.me@pmachata.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/dcb/dcbnl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/dcb/dcbnl.c ++++ b/net/dcb/dcbnl.c +@@ -1727,7 +1727,7 @@ static int dcb_doit(struct sk_buff *skb, + fn = &reply_funcs[dcb->cmd]; + if (!fn->cb) + return -EOPNOTSUPP; +- if (fn->type != nlh->nlmsg_type) ++ if (fn->type == RTM_SETDCB && !netlink_capable(skb, CAP_NET_ADMIN)) + return -EPERM; + + if (!tb[DCB_ATTR_IFNAME]) diff --git a/queue-4.14/net-dcb-validate-netlink-message-in-dcb-handler.patch b/queue-4.14/net-dcb-validate-netlink-message-in-dcb-handler.patch new file mode 100644 index 00000000000..9020040629c --- /dev/null +++ 
b/queue-4.14/net-dcb-validate-netlink-message-in-dcb-handler.patch @@ -0,0 +1,47 @@ +From foo@baz Fri Jan 22 01:28:02 PM CET 2021 +From: Petr Machata +Date: Tue, 22 Dec 2020 22:49:44 +0100 +Subject: net: dcb: Validate netlink message in DCB handler + +From: Petr Machata + +[ Upstream commit 826f328e2b7e8854dd42ea44e6519cd75018e7b1 ] + +DCB uses the same handler function for both RTM_GETDCB and RTM_SETDCB +messages. dcb_doit() bounces RTM_SETDCB messages if the user does not have +the CAP_NET_ADMIN capability. + +However, the operation to be performed is not decided from the DCB message +type, but from the DCB command. Thus DCB_CMD_*_GET commands are used for +reading DCB objects, the corresponding SET and DEL commands are used for +manipulation. + +The assumption is that set-like commands will be sent via an RTM_SETDCB +message, and get-like ones via RTM_GETDCB. However, this assumption is not +enforced. + +It is therefore possible to manipulate DCB objects without CAP_NET_ADMIN +capability by sending the corresponding command in an RTM_GETDCB message. +That is a bug. Fix it by validating the type of the request message against +the type used for the response. 
+ +Fixes: 2f90b8657ec9 ("ixgbe: this patch adds support for DCB to the kernel and ixgbe driver") +Signed-off-by: Petr Machata +Link: https://lore.kernel.org/r/a2a9b88418f3a58ef211b718f2970128ef9e3793.1608673640.git.me@pmachata.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/dcb/dcbnl.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/net/dcb/dcbnl.c ++++ b/net/dcb/dcbnl.c +@@ -1727,6 +1727,8 @@ static int dcb_doit(struct sk_buff *skb, + fn = &reply_funcs[dcb->cmd]; + if (!fn->cb) + return -EOPNOTSUPP; ++ if (fn->type != nlh->nlmsg_type) ++ return -EPERM; + + if (!tb[DCB_ATTR_IFNAME]) + return -EINVAL; diff --git a/queue-4.14/net-introduce-skb_list_walk_safe-for-skb-segment-walking.patch b/queue-4.14/net-introduce-skb_list_walk_safe-for-skb-segment-walking.patch new file mode 100644 index 00000000000..16c87513d64 --- /dev/null +++ b/queue-4.14/net-introduce-skb_list_walk_safe-for-skb-segment-walking.patch @@ -0,0 +1,56 @@ +From dcfea72e79b0aa7a057c8f6024169d86a1bbc84b Mon Sep 17 00:00:00 2001 +From: "Jason A. Donenfeld" +Date: Wed, 8 Jan 2020 16:59:02 -0500 +Subject: net: introduce skb_list_walk_safe for skb segment walking + +From: Jason A. Donenfeld + +commit dcfea72e79b0aa7a057c8f6024169d86a1bbc84b upstream. + +As part of the continual effort to remove direct usage of skb->next and +skb->prev, this patch adds a helper for iterating through the +singly-linked variant of skb lists, which are used for lists of GSO +packet. The name "skb_list_..." has been chosen to match the existing +function, "kfree_skb_list, which also operates on these singly-linked +lists, and the "..._walk_safe" part is the same idiom as elsewhere in +the kernel. + +This patch removes the helper from wireguard and puts it into +linux/skbuff.h, while making it a bit more robust for general usage. 
In +particular, parenthesis are added around the macro argument usage, and it +now accounts for trying to iterate through an already-null skb pointer, +which will simply run the iteration zero times. This latter enhancement +means it can be used to replace both do { ... } while and while (...) +open-coded idioms. + +This should take care of these three possible usages, which match all +current methods of iterations. + +skb_list_walk_safe(segs, skb, next) { ... } +skb_list_walk_safe(skb, skb, next) { ... } +skb_list_walk_safe(segs, skb, segs) { ... } + +Gcc appears to generate efficient code for each of these. + +Signed-off-by: Jason A. Donenfeld +Signed-off-by: David S. Miller +[ Just the skbuff.h changes for backporting - gregkh] +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/skbuff.h | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/include/linux/skbuff.h ++++ b/include/linux/skbuff.h +@@ -1340,6 +1340,11 @@ static inline void skb_mark_not_on_list( + skb->next = NULL; + } + ++/* Iterate through singly-linked GSO fragments of an skb. */ ++#define skb_list_walk_safe(first, skb, next) \ ++ for ((skb) = (first), (next) = (skb) ? (skb)->next : NULL; (skb); \ ++ (skb) = (next), (next) = (skb) ? 
(skb)->next : NULL) ++ + static inline void skb_list_del_init(struct sk_buff *skb) + { + __list_del_entry(&skb->list); diff --git a/queue-4.14/net-ipv6-validate-gso-skb-before-finish-ipv6-processing.patch b/queue-4.14/net-ipv6-validate-gso-skb-before-finish-ipv6-processing.patch new file mode 100644 index 00000000000..7825368ce30 --- /dev/null +++ b/queue-4.14/net-ipv6-validate-gso-skb-before-finish-ipv6-processing.patch @@ -0,0 +1,96 @@ +From foo@baz Fri Jan 22 01:21:57 PM CET 2021 +From: Aya Levin +Date: Thu, 7 Jan 2021 15:50:18 +0200 +Subject: net: ipv6: Validate GSO SKB before finish IPv6 processing + +From: Aya Levin + +[ Upstream commit b210de4f8c97d57de051e805686248ec4c6cfc52 ] + +There are cases where GSO segment's length exceeds the egress MTU: + - Forwarding of a TCP GRO skb, when DF flag is not set. + - Forwarding of an skb that arrived on a virtualisation interface + (virtio-net/vhost/tap) with TSO/GSO size set by other network + stack. + - Local GSO skb transmitted on an NETIF_F_TSO tunnel stacked over an + interface with a smaller MTU. + - Arriving GRO skb (or GSO skb in a virtualised environment) that is + bridged to a NETIF_F_TSO tunnel stacked over an interface with an + insufficient MTU. + +If so: + - Consume the SKB and its segments. + - Issue an ICMP packet with 'Packet Too Big' message containing the + MTU, allowing the source host to reduce its Path MTU appropriately. + +Note: These cases are handled in the same manner in IPv4 output finish. +This patch aligns the behavior of IPv6 and the one of IPv4. 
+ +Fixes: 9e50849054a4 ("netfilter: ipv6: move POSTROUTING invocation before fragmentation") +Signed-off-by: Aya Levin +Reviewed-by: Tariq Toukan +Link: https://lore.kernel.org/r/1610027418-30438-1-git-send-email-ayal@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/ip6_output.c | 40 +++++++++++++++++++++++++++++++++++++++- + 1 file changed, 39 insertions(+), 1 deletion(-) + +--- a/net/ipv6/ip6_output.c ++++ b/net/ipv6/ip6_output.c +@@ -128,8 +128,42 @@ static int ip6_finish_output2(struct net + return -EINVAL; + } + ++static int ++ip6_finish_output_gso_slowpath_drop(struct net *net, struct sock *sk, ++ struct sk_buff *skb, unsigned int mtu) ++{ ++ struct sk_buff *segs, *nskb; ++ netdev_features_t features; ++ int ret = 0; ++ ++ /* Please see corresponding comment in ip_finish_output_gso ++ * describing the cases where GSO segment length exceeds the ++ * egress MTU. ++ */ ++ features = netif_skb_features(skb); ++ segs = skb_gso_segment(skb, features & ~NETIF_F_GSO_MASK); ++ if (IS_ERR_OR_NULL(segs)) { ++ kfree_skb(skb); ++ return -ENOMEM; ++ } ++ ++ consume_skb(skb); ++ ++ skb_list_walk_safe(segs, segs, nskb) { ++ int err; ++ ++ skb_mark_not_on_list(segs); ++ err = ip6_fragment(net, sk, segs, ip6_finish_output2); ++ if (err && ret == 0) ++ ret = err; ++ } ++ ++ return ret; ++} ++ + static int ip6_finish_output(struct net *net, struct sock *sk, struct sk_buff *skb) + { ++ unsigned int mtu; + int ret; + + ret = BPF_CGROUP_RUN_PROG_INET_EGRESS(sk, skb); +@@ -146,7 +180,11 @@ static int ip6_finish_output(struct net + } + #endif + +- if ((skb->len > ip6_skb_dst_mtu(skb) && !skb_is_gso(skb)) || ++ mtu = ip6_skb_dst_mtu(skb); ++ if (skb_is_gso(skb) && !skb_gso_validate_mtu(skb, mtu)) ++ return ip6_finish_output_gso_slowpath_drop(net, sk, skb, mtu); ++ ++ if ((skb->len > mtu && !skb_is_gso(skb)) || + dst_allfrag(skb_dst(skb)) || + (IP6CB(skb)->frag_max_size && skb->len > IP6CB(skb)->frag_max_size)) + return ip6_fragment(net, sk, 
skb, ip6_finish_output2); diff --git a/queue-4.14/net-sit-unregister_netdevice-on-newlink-s-error-path.patch b/queue-4.14/net-sit-unregister_netdevice-on-newlink-s-error-path.patch new file mode 100644 index 00000000000..1dbfbbc3e70 --- /dev/null +++ b/queue-4.14/net-sit-unregister_netdevice-on-newlink-s-error-path.patch @@ -0,0 +1,42 @@ +From foo@baz Fri Jan 22 01:28:02 PM CET 2021 +From: Jakub Kicinski +Date: Wed, 13 Jan 2021 17:29:47 -0800 +Subject: net: sit: unregister_netdevice on newlink's error path + +From: Jakub Kicinski + +[ Upstream commit 47e4bb147a96f1c9b4e7691e7e994e53838bfff8 ] + +We need to unregister the netdevice if config failed. +.ndo_uninit takes care of most of the heavy lifting. + +This was uncovered by recent commit c269a24ce057 ("net: make +free_netdev() more lenient with unregistering devices"). +Previously the partially-initialized device would be left +in the system. + +Reported-and-tested-by: syzbot+2393580080a2da190f04@syzkaller.appspotmail.com +Fixes: e2f1f072db8d ("sit: allow to configure 6rd tunnels via netlink") +Acked-by: Nicolas Dichtel +Link: https://lore.kernel.org/r/20210114012947.2515313-1-kuba@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/sit.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/net/ipv6/sit.c ++++ b/net/ipv6/sit.c +@@ -1582,8 +1582,11 @@ static int ipip6_newlink(struct net *src + } + + #ifdef CONFIG_IPV6_SIT_6RD +- if (ipip6_netlink_6rd_parms(data, &ip6rd)) ++ if (ipip6_netlink_6rd_parms(data, &ip6rd)) { + err = ipip6_tunnel_update_6rd(nt, &ip6rd); ++ if (err < 0) ++ unregister_netdevice_queue(dev, NULL); ++ } + #endif + + return err; diff --git a/queue-4.14/net-skbuff-disambiguate-argument-and-member-for-skb_list_walk_safe-helper.patch b/queue-4.14/net-skbuff-disambiguate-argument-and-member-for-skb_list_walk_safe-helper.patch new file mode 100644 index 00000000000..0ad5ebd9fb7 --- /dev/null +++ 
b/queue-4.14/net-skbuff-disambiguate-argument-and-member-for-skb_list_walk_safe-helper.patch @@ -0,0 +1,36 @@ +From 5eee7bd7e245914e4e050c413dfe864e31805207 Mon Sep 17 00:00:00 2001 +From: "Jason A. Donenfeld" +Date: Mon, 13 Jan 2020 18:42:26 -0500 +Subject: net: skbuff: disambiguate argument and member for skb_list_walk_safe helper + +From: Jason A. Donenfeld + +commit 5eee7bd7e245914e4e050c413dfe864e31805207 upstream. + +This worked before, because we made all callers name their next pointer +"next". But in trying to be more "drop-in" ready, the silliness here is +revealed. This commit fixes the problem by making the macro argument and +the member use different names. + +Signed-off-by: Jason A. Donenfeld +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/skbuff.h | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/include/linux/skbuff.h ++++ b/include/linux/skbuff.h +@@ -1341,9 +1341,9 @@ static inline void skb_mark_not_on_list( + } + + /* Iterate through singly-linked GSO fragments of an skb. */ +-#define skb_list_walk_safe(first, skb, next) \ +- for ((skb) = (first), (next) = (skb) ? (skb)->next : NULL; (skb); \ +- (skb) = (next), (next) = (skb) ? (skb)->next : NULL) ++#define skb_list_walk_safe(first, skb, next_skb) \ ++ for ((skb) = (first), (next_skb) = (skb) ? (skb)->next : NULL; (skb); \ ++ (skb) = (next_skb), (next_skb) = (skb) ? 
(skb)->next : NULL) + + static inline void skb_list_del_init(struct sk_buff *skb) + { diff --git a/queue-4.14/net-stmmac-fixed-mtu-channged-by-cache-aligned.patch b/queue-4.14/net-stmmac-fixed-mtu-channged-by-cache-aligned.patch new file mode 100644 index 00000000000..bf30cafedd6 --- /dev/null +++ b/queue-4.14/net-stmmac-fixed-mtu-channged-by-cache-aligned.patch @@ -0,0 +1,42 @@ +From foo@baz Fri Jan 22 01:28:02 PM CET 2021 +From: David Wu +Date: Wed, 13 Jan 2021 11:41:09 +0800 +Subject: net: stmmac: Fixed mtu channged by cache aligned + +From: David Wu + +[ Upstream commit 5b55299eed78538cc4746e50ee97103a1643249c ] + +Since the original mtu is not used when the mtu is updated, +the mtu is aligned with cache, this will get an incorrect. +For example, if you want to configure the mtu to be 1500, +but mtu 1536 is configured in fact. + +Fixed: eaf4fac478077 ("net: stmmac: Do not accept invalid MTU values") +Signed-off-by: David Wu +Link: https://lore.kernel.org/r/20210113034109.27865-1-david.wu@rock-chips.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +@@ -3613,6 +3613,7 @@ static int stmmac_change_mtu(struct net_ + { + struct stmmac_priv *priv = netdev_priv(dev); + int txfifosz = priv->plat->tx_fifo_size; ++ const int mtu = new_mtu; + + if (txfifosz == 0) + txfifosz = priv->dma_cap.tx_fifo_size; +@@ -3630,7 +3631,7 @@ static int stmmac_change_mtu(struct net_ + if ((txfifosz < new_mtu) || (new_mtu > BUF_SIZE_16KiB)) + return -EINVAL; + +- dev->mtu = new_mtu; ++ dev->mtu = mtu; + + netdev_update_features(dev); + diff --git a/queue-4.14/net-use-skb_list_del_init-to-remove-from-rx-sublists.patch b/queue-4.14/net-use-skb_list_del_init-to-remove-from-rx-sublists.patch new file mode 100644 index 00000000000..01d07c98eee --- 
/dev/null +++ b/queue-4.14/net-use-skb_list_del_init-to-remove-from-rx-sublists.patch @@ -0,0 +1,113 @@ +From 7fafda16bb64c134658ffde0ac9332d23ba26fd0 Mon Sep 17 00:00:00 2001 +From: Edward Cree +Date: Tue, 4 Dec 2018 17:37:57 +0000 +Subject: net: use skb_list_del_init() to remove from RX sublists + +From: Edward Cree + +[ Upstream commit 22f6bbb7bcfcef0b373b0502a7ff390275c575dd ] + +list_del() leaves the skb->next pointer poisoned, which can then lead to + a crash in e.g. OVS forwarding. For example, setting up an OVS VXLAN + forwarding bridge on sfc as per: + +======== +$ ovs-vsctl show +5dfd9c47-f04b-4aaa-aa96-4fbb0a522a30 + Bridge "br0" + Port "br0" + Interface "br0" + type: internal + Port "enp6s0f0" + Interface "enp6s0f0" + Port "vxlan0" + Interface "vxlan0" + type: vxlan + options: {key="1", local_ip="10.0.0.5", remote_ip="10.0.0.4"} + ovs_version: "2.5.0" +======== +(where 10.0.0.5 is an address on enp6s0f1) +and sending traffic across it will lead to the following panic: +======== +general protection fault: 0000 [#1] SMP PTI +CPU: 5 PID: 0 Comm: swapper/5 Not tainted 4.20.0-rc3-ehc+ #701 +Hardware name: Dell Inc. 
PowerEdge R710/0M233H, BIOS 6.4.0 07/23/2013 +RIP: 0010:dev_hard_start_xmit+0x38/0x200 +Code: 53 48 89 fb 48 83 ec 20 48 85 ff 48 89 54 24 08 48 89 4c 24 18 0f 84 ab 01 00 00 48 8d 86 90 00 00 00 48 89 f5 48 89 44 24 10 <4c> 8b 33 48 c7 03 00 00 00 00 48 8b 05 c7 d1 b3 00 4d 85 f6 0f 95 +RSP: 0018:ffff888627b437e0 EFLAGS: 00010202 +RAX: 0000000000000000 RBX: dead000000000100 RCX: ffff88862279c000 +RDX: ffff888614a342c0 RSI: 0000000000000000 RDI: 0000000000000000 +RBP: ffff888618a88000 R08: 0000000000000001 R09: 00000000000003e8 +R10: 0000000000000000 R11: ffff888614a34140 R12: 0000000000000000 +R13: 0000000000000062 R14: dead000000000100 R15: ffff888616430000 +FS: 0000000000000000(0000) GS:ffff888627b40000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007f6d2bc6d000 CR3: 000000000200a000 CR4: 00000000000006e0 +Call Trace: + + __dev_queue_xmit+0x623/0x870 + ? masked_flow_lookup+0xf7/0x220 [openvswitch] + ? ep_poll_callback+0x101/0x310 + do_execute_actions+0xaba/0xaf0 [openvswitch] + ? __wake_up_common+0x8a/0x150 + ? __wake_up_common_lock+0x87/0xc0 + ? queue_userspace_packet+0x31c/0x5b0 [openvswitch] + ovs_execute_actions+0x47/0x120 [openvswitch] + ovs_dp_process_packet+0x7d/0x110 [openvswitch] + ovs_vport_receive+0x6e/0xd0 [openvswitch] + ? dst_alloc+0x64/0x90 + ? rt_dst_alloc+0x50/0xd0 + ? ip_route_input_slow+0x19a/0x9a0 + ? __udp_enqueue_schedule_skb+0x198/0x1b0 + ? __udp4_lib_rcv+0x856/0xa30 + ? __udp4_lib_rcv+0x856/0xa30 + ? cpumask_next_and+0x19/0x20 + ? find_busiest_group+0x12d/0xcd0 + netdev_frame_hook+0xce/0x150 [openvswitch] + __netif_receive_skb_core+0x205/0xae0 + __netif_receive_skb_list_core+0x11e/0x220 + netif_receive_skb_list+0x203/0x460 + ? 
__efx_rx_packet+0x335/0x5e0 [sfc] + efx_poll+0x182/0x320 [sfc] + net_rx_action+0x294/0x3c0 + __do_softirq+0xca/0x297 + irq_exit+0xa6/0xb0 + do_IRQ+0x54/0xd0 + common_interrupt+0xf/0xf + +======== +So, in all listified-receive handling, instead pull skbs off the lists with + skb_list_del_init(). + +Fixes: 9af86f933894 ("net: core: fix use-after-free in __netif_receive_skb_list_core") +Fixes: 7da517a3bc52 ("net: core: Another step of skb receive list processing") +Fixes: a4ca8b7df73c ("net: ipv4: fix drop handling in ip_list_rcv() and ip_list_rcv_finish()") +Fixes: d8269e2cbf90 ("net: ipv6: listify ipv6_rcv() and ip6_rcv_finish()") +Signed-off-by: Edward Cree +Signed-off-by: David S. Miller +[ for 4.14.y and older, just take the skbuff.h change - gregkh ] +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/skbuff.h | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +--- a/include/linux/skbuff.h ++++ b/include/linux/skbuff.h +@@ -1335,6 +1335,17 @@ static inline void skb_zcopy_abort(struc + } + } + ++static inline void skb_mark_not_on_list(struct sk_buff *skb) ++{ ++ skb->next = NULL; ++} ++ ++static inline void skb_list_del_init(struct sk_buff *skb) ++{ ++ __list_del_entry(&skb->list); ++ skb_mark_not_on_list(skb); ++} ++ + /** + * skb_queue_empty - check if a queue is empty + * @list: queue head diff --git a/queue-4.14/netxen_nic-fix-msi-msi-x-interrupts.patch b/queue-4.14/netxen_nic-fix-msi-msi-x-interrupts.patch new file mode 100644 index 00000000000..1c8b718c393 --- /dev/null +++ b/queue-4.14/netxen_nic-fix-msi-msi-x-interrupts.patch @@ -0,0 +1,59 @@ +From foo@baz Fri Jan 22 01:28:02 PM CET 2021 +From: Manish Chopra +Date: Thu, 7 Jan 2021 02:15:20 -0800 +Subject: netxen_nic: fix MSI/MSI-x interrupts + +From: Manish Chopra + +[ Upstream commit a2bc221b972db91e4be1970e776e98f16aa87904 ] + +For all PCI functions on the netxen_nic adapter, interrupt +mode (INTx or MSI) configuration is dependent on what has +been configured by the PCI function zero in the 
shared +interrupt register, as these adapters do not support mixed +mode interrupts among the functions of a given adapter. + +Logic for setting MSI/MSI-x interrupt mode in the shared interrupt +register based on PCI function id zero check is not appropriate for +all family of netxen adapters, as for some of the netxen family +adapters PCI function zero is not really meant to be probed/loaded +in the host but rather just act as a management function on the device, +which caused all the other PCI functions on the adapter to always use +legacy interrupt (INTx) mode instead of choosing MSI/MSI-x interrupt mode. + +This patch replaces that check with port number so that for all +type of adapters driver attempts for MSI/MSI-x interrupt modes. + +Fixes: b37eb210c076 ("netxen_nic: Avoid mixed mode interrupts") +Signed-off-by: Manish Chopra +Signed-off-by: Igor Russkikh +Link: https://lore.kernel.org/r/20210107101520.6735-1-manishc@marvell.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/qlogic/netxen/netxen_nic_main.c | 7 +------ + 1 file changed, 1 insertion(+), 6 deletions(-) + +--- a/drivers/net/ethernet/qlogic/netxen/netxen_nic_main.c ++++ b/drivers/net/ethernet/qlogic/netxen/netxen_nic_main.c +@@ -586,11 +586,6 @@ static const struct net_device_ops netxe + #endif + }; + +-static inline bool netxen_function_zero(struct pci_dev *pdev) +-{ +- return (PCI_FUNC(pdev->devfn) == 0) ? 
true : false; +-} +- + static inline void netxen_set_interrupt_mode(struct netxen_adapter *adapter, + u32 mode) + { +@@ -686,7 +681,7 @@ static int netxen_setup_intr(struct netx + netxen_initialize_interrupt_registers(adapter); + netxen_set_msix_bit(pdev, 0); + +- if (netxen_function_zero(pdev)) { ++ if (adapter->portnum == 0) { + if (!netxen_setup_msi_interrupts(adapter, num_msix)) + netxen_set_interrupt_mode(adapter, NETXEN_MSI_MODE); + else diff --git a/queue-4.14/rndis_host-set-proper-input-size-for-oid_gen_physical_medium-request.patch b/queue-4.14/rndis_host-set-proper-input-size-for-oid_gen_physical_medium-request.patch new file mode 100644 index 00000000000..59eb12fbaf8 --- /dev/null +++ b/queue-4.14/rndis_host-set-proper-input-size-for-oid_gen_physical_medium-request.patch @@ -0,0 +1,39 @@ +From foo@baz Fri Jan 22 01:28:02 PM CET 2021 +From: Andrey Zhizhikin +Date: Fri, 8 Jan 2021 09:58:39 +0000 +Subject: rndis_host: set proper input size for OID_GEN_PHYSICAL_MEDIUM request + +From: Andrey Zhizhikin + +[ Upstream commit e56b3d94d939f52d46209b9e1b6700c5bfff3123 ] + +MSFT ActiveSync implementation requires that the size of the response for +incoming query is to be provided in the request input length. Failure to +set the input size proper results in failed request transfer, where the +ActiveSync counterpart reports the NDIS_STATUS_INVALID_LENGTH (0xC0010014L) +error. + +Set the input size for OID_GEN_PHYSICAL_MEDIUM query to the expected size +of the response in order for the ActiveSync to properly respond to the +request. 
+ +Fixes: 039ee17d1baa ("rndis_host: Add RNDIS physical medium checking into generic_rndis_bind()") +Signed-off-by: Andrey Zhizhikin +Link: https://lore.kernel.org/r/20210108095839.3335-1-andrey.zhizhikin@leica-geosystems.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/rndis_host.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/usb/rndis_host.c ++++ b/drivers/net/usb/rndis_host.c +@@ -399,7 +399,7 @@ generic_rndis_bind(struct usbnet *dev, s + reply_len = sizeof *phym; + retval = rndis_query(dev, intf, u.buf, + RNDIS_OID_GEN_PHYSICAL_MEDIUM, +- 0, (void **) &phym, &reply_len); ++ reply_len, (void **)&phym, &reply_len); + if (retval != 0 || !phym) { + /* OID is optional so don't fail here. */ + phym_unspec = cpu_to_le32(RNDIS_PHYSICAL_MEDIUM_UNSPECIFIED); diff --git a/queue-4.14/rxrpc-fix-handling-of-an-unsupported-token-type-in-rxrpc_read.patch b/queue-4.14/rxrpc-fix-handling-of-an-unsupported-token-type-in-rxrpc_read.patch new file mode 100644 index 00000000000..c2035f23e52 --- /dev/null +++ b/queue-4.14/rxrpc-fix-handling-of-an-unsupported-token-type-in-rxrpc_read.patch @@ -0,0 +1,60 @@ +From foo@baz Fri Jan 22 01:28:02 PM CET 2021 +From: David Howells +Date: Tue, 12 Jan 2021 15:23:51 +0000 +Subject: rxrpc: Fix handling of an unsupported token type in rxrpc_read() + +From: David Howells + +[ Upstream commit d52e419ac8b50c8bef41b398ed13528e75d7ad48 ] + +Clang static analysis reports the following: + +net/rxrpc/key.c:657:11: warning: Assigned value is garbage or undefined + toksize = toksizes[tok++]; + ^ ~~~~~~~~~~~~~~~ + +rxrpc_read() contains two consecutive loops. The first loop calculates the +token sizes and stores the results in toksizes[] and the second one uses +the array. When there is an error in identifying the token in the first +loop, the token is skipped, no change is made to the toksizes[] array. +When the same error happens in the second loop, the token is not skipped. 
+This will cause the toksizes[] array to be out of step and will overrun +past the calculated sizes. + +Fix this by making both loops log a message and return an error in this +case. This should only happen if a new token type is incompletely +implemented, so it should normally be impossible to trigger this. + +Fixes: 9a059cd5ca7d ("rxrpc: Downgrade the BUG() for unsupported token type in rxrpc_read()") +Reported-by: Tom Rix +Signed-off-by: David Howells +Reviewed-by: Tom Rix +Link: https://lore.kernel.org/r/161046503122.2445787.16714129930607546635.stgit@warthog.procyon.org.uk +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/rxrpc/key.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/net/rxrpc/key.c ++++ b/net/rxrpc/key.c +@@ -1112,7 +1112,7 @@ static long rxrpc_read(const struct key + default: /* we have a ticket we can't encode */ + pr_err("Unsupported key token type (%u)\n", + token->security_index); +- continue; ++ return -ENOPKG; + } + + _debug("token[%u]: toksize=%u", ntoks, toksize); +@@ -1227,7 +1227,9 @@ static long rxrpc_read(const struct key + break; + + default: +- break; ++ pr_err("Unsupported key token type (%u)\n", ++ token->security_index); ++ return -ENOPKG; + } + + ASSERTCMP((unsigned long)xdr - (unsigned long)oldxdr, ==, diff --git a/queue-4.14/series b/queue-4.14/series index 90e5165f5fc..397f0438115 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -33,3 +33,17 @@ netfilter-conntrack-fix-reading-nf_conntrack_buckets.patch usb-ohci-make-distrust_firmware-param-default-to-false.patch compiler.h-raise-minimum-version-of-gcc-to-5.1-for-arm64.patch nfsd4-readdirplus-shouldn-t-return-parent-of-export.patch +netxen_nic-fix-msi-msi-x-interrupts.patch +rndis_host-set-proper-input-size-for-oid_gen_physical_medium-request.patch +esp-avoid-unneeded-kmap_atomic-call.patch +net-dcb-validate-netlink-message-in-dcb-handler.patch +net-dcb-accept-rtm_getdcb-messages-carrying-set-like-dcb-commands.patch 
+net-stmmac-fixed-mtu-channged-by-cache-aligned.patch +net-sit-unregister_netdevice-on-newlink-s-error-path.patch +net-avoid-32-x-truesize-under-estimation-for-tiny-skbs.patch +rxrpc-fix-handling-of-an-unsupported-token-type-in-rxrpc_read.patch +tipc-fix-null-deref-in-tipc_link_xmit.patch +net-use-skb_list_del_init-to-remove-from-rx-sublists.patch +net-introduce-skb_list_walk_safe-for-skb-segment-walking.patch +net-skbuff-disambiguate-argument-and-member-for-skb_list_walk_safe-helper.patch +net-ipv6-validate-gso-skb-before-finish-ipv6-processing.patch diff --git a/queue-4.14/tipc-fix-null-deref-in-tipc_link_xmit.patch b/queue-4.14/tipc-fix-null-deref-in-tipc_link_xmit.patch new file mode 100644 index 00000000000..35a498335bd --- /dev/null +++ b/queue-4.14/tipc-fix-null-deref-in-tipc_link_xmit.patch @@ -0,0 +1,74 @@ +From foo@baz Fri Jan 22 12:59:03 PM CET 2021 +From: Hoang Le +Date: Fri, 8 Jan 2021 14:13:37 +0700 +Subject: tipc: fix NULL deref in tipc_link_xmit() + +From: Hoang Le + +[ Upstream commit b77413446408fdd256599daf00d5be72b5f3e7c6 ] + +The buffer list can have zero skb as following path: +tipc_named_node_up()->tipc_node_xmit()->tipc_link_xmit(), so +we need to check the list before casting an &sk_buff. + +Fault report: + [] tipc: Bulk publication failure + [] general protection fault, probably for non-canonical [#1] PREEMPT [...] + [] KASAN: null-ptr-deref in range [0x00000000000000c8-0x00000000000000cf] + [] CPU: 0 PID: 0 Comm: swapper/0 Kdump: loaded Not tainted 5.10.0-rc4+ #2 + [] Hardware name: Bochs ..., BIOS Bochs 01/01/2011 + [] RIP: 0010:tipc_link_xmit+0xc1/0x2180 + [] Code: 24 b8 00 00 00 00 4d 39 ec 4c 0f 44 e8 e8 d7 0a 10 f9 48 [...] 
+ [] RSP: 0018:ffffc90000006ea0 EFLAGS: 00010202 + [] RAX: dffffc0000000000 RBX: ffff8880224da000 RCX: 1ffff11003d3cc0d + [] RDX: 0000000000000019 RSI: ffffffff886007b9 RDI: 00000000000000c8 + [] RBP: ffffc90000007018 R08: 0000000000000001 R09: fffff52000000ded + [] R10: 0000000000000003 R11: fffff52000000dec R12: ffffc90000007148 + [] R13: 0000000000000000 R14: 0000000000000000 R15: ffffc90000007018 + [] FS: 0000000000000000(0000) GS:ffff888037400000(0000) knlGS:000[...] + [] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + [] CR2: 00007fffd2db5000 CR3: 000000002b08f000 CR4: 00000000000006f0 + +Fixes: af9b028e270fd ("tipc: make media xmit call outside node spinlock context") +Acked-by: Jon Maloy +Signed-off-by: Hoang Le +Link: https://lore.kernel.org/r/20210108071337.3598-1-hoang.h.le@dektech.com.au +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/tipc/link.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +--- a/net/tipc/link.c ++++ b/net/tipc/link.c +@@ -882,9 +882,7 @@ void tipc_link_reset(struct tipc_link *l + int tipc_link_xmit(struct tipc_link *l, struct sk_buff_head *list, + struct sk_buff_head *xmitq) + { +- struct tipc_msg *hdr = buf_msg(skb_peek(list)); + unsigned int maxwin = l->window; +- int imp = msg_importance(hdr); + unsigned int mtu = l->mtu; + u16 ack = l->rcv_nxt - 1; + u16 seqno = l->snd_nxt; +@@ -893,13 +891,20 @@ int tipc_link_xmit(struct tipc_link *l, + struct sk_buff_head *backlogq = &l->backlogq; + struct sk_buff *skb, *_skb, **tskb; + int pkt_cnt = skb_queue_len(list); ++ struct tipc_msg *hdr; + int rc = 0; ++ int imp; + ++ if (pkt_cnt <= 0) ++ return 0; ++ ++ hdr = buf_msg(skb_peek(list)); + if (unlikely(msg_size(hdr) > mtu)) { + skb_queue_purge(list); + return -EMSGSIZE; + } + ++ imp = msg_importance(hdr); + /* Allow oversubscription of one data msg per source at congestion */ + if (unlikely(l->backlog[imp].len >= l->backlog[imp].limit)) { + if (imp == TIPC_SYSTEM_IMPORTANCE) {