From: Greg Kroah-Hartman Date: Wed, 21 Aug 2019 02:39:34 +0000 (-0700) Subject: 4.4-stable patches X-Git-Tag: v4.19.68~10 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ed0c512dce7b13ba4550ad44f37bc134bce213ad;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: bonding-add-vlan-tx-offload-to-hw_enc_features.patch net-mlx5e-only-support-tx-rx-pause-setting-for-port-owner.patch net-packet-fix-race-in-tpacket_snd.patch sctp-fix-the-transport-error_count-check.patch xen-netback-reset-nr_frags-before-freeing-skb.patch --- diff --git a/queue-4.4/bonding-add-vlan-tx-offload-to-hw_enc_features.patch b/queue-4.4/bonding-add-vlan-tx-offload-to-hw_enc_features.patch new file mode 100644 index 00000000000..69540e7c647 --- /dev/null +++ b/queue-4.4/bonding-add-vlan-tx-offload-to-hw_enc_features.patch @@ -0,0 +1,62 @@ +From foo@baz Tue 20 Aug 2019 07:11:28 PM PDT +From: YueHaibing +Date: Wed, 7 Aug 2019 10:19:59 +0800 +Subject: bonding: Add vlan tx offload to hw_enc_features + +From: YueHaibing + +[ Upstream commit d595b03de2cb0bdf9bcdf35ff27840cc3a37158f ] + +As commit 30d8177e8ac7 ("bonding: Always enable vlan tx offload") +said, we should always enable bonding's vlan tx offload, pass the +vlan packets to the slave devices with vlan tci, let them to handle +vlan implementation. + +Now if encapsulation protocols like VXLAN is used, skb->encapsulation +may be set, then the packet is passed to vlan device which based on +bonding device. However in netif_skb_features(), the check of +hw_enc_features: + + if (skb->encapsulation) + features &= dev->hw_enc_features; + +clears NETIF_F_HW_VLAN_CTAG_TX/NETIF_F_HW_VLAN_STAG_TX. This results +in same issue in commit 30d8177e8ac7 like this: + +vlan_dev_hard_start_xmit + -->dev_queue_xmit + -->validate_xmit_skb + -->netif_skb_features //NETIF_F_HW_VLAN_CTAG_TX is cleared + -->validate_xmit_vlan + -->__vlan_hwaccel_push_inside //skb->tci is cleared +... + --> bond_start_xmit + --> bond_xmit_hash //BOND_XMIT_POLICY_ENCAP34 + --> __skb_flow_dissect // nhoff point to IP header + --> case htons(ETH_P_8021Q) + // skb_vlan_tag_present is false, so + vlan = __skb_header_pointer(skb, nhoff, sizeof(_vlan), + //vlan point to ip header wrongly + +Fixes: b2a103e6d0af ("bonding: convert to ndo_fix_features") +Signed-off-by: YueHaibing +Acked-by: Jay Vosburgh +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/bonding/bond_main.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -1111,7 +1111,9 @@ static void bond_compute_features(struct + + done: + bond_dev->vlan_features = vlan_features; +- bond_dev->hw_enc_features = enc_features | NETIF_F_GSO_ENCAP_ALL; ++ bond_dev->hw_enc_features = enc_features | NETIF_F_GSO_ENCAP_ALL | ++ NETIF_F_HW_VLAN_CTAG_TX | ++ NETIF_F_HW_VLAN_STAG_TX; + bond_dev->gso_max_segs = gso_max_segs; + netif_set_gso_max_size(bond_dev, gso_max_size); + diff --git a/queue-4.4/net-mlx5e-only-support-tx-rx-pause-setting-for-port-owner.patch b/queue-4.4/net-mlx5e-only-support-tx-rx-pause-setting-for-port-owner.patch new file mode 100644 index 00000000000..5690f9ceb06 --- /dev/null +++ b/queue-4.4/net-mlx5e-only-support-tx-rx-pause-setting-for-port-owner.patch @@ -0,0 +1,33 @@ +From foo@baz Tue 20 Aug 2019 07:11:28 PM PDT +From: Huy Nguyen +Date: Thu, 1 Aug 2019 11:10:19 -0500 +Subject: net/mlx5e: Only support tx/rx pause setting for port owner + +From: Huy Nguyen + +[ Upstream commit 466df6eb4a9e813b3cfc674363316450c57a89c5 ] + +Only support changing tx/rx pause frame setting if the net device +is the vport group manager. + +Fixes: 3c2d18ef22df ("net/mlx5e: Support ethtool get/set_pauseparam") +Signed-off-by: Huy Nguyen +Reviewed-by: Parav Pandit +Signed-off-by: Saeed Mahameed +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c +@@ -855,6 +855,9 @@ static int mlx5e_set_pauseparam(struct n + struct mlx5_core_dev *mdev = priv->mdev; + int err; + ++ if (!MLX5_CAP_GEN(mdev, vport_group_manager)) ++ return -EOPNOTSUPP; ++ + if (pauseparam->autoneg) + return -EINVAL; + diff --git a/queue-4.4/net-packet-fix-race-in-tpacket_snd.patch b/queue-4.4/net-packet-fix-race-in-tpacket_snd.patch new file mode 100644 index 00000000000..c80c417b5de --- /dev/null +++ b/queue-4.4/net-packet-fix-race-in-tpacket_snd.patch @@ -0,0 +1,78 @@ +From foo@baz Tue 20 Aug 2019 07:11:28 PM PDT +From: Eric Dumazet +Date: Wed, 14 Aug 2019 02:11:57 -0700 +Subject: net/packet: fix race in tpacket_snd() + +From: Eric Dumazet + +[ Upstream commit 32d3182cd2cd29b2e7e04df7b0db350fbe11289f ] + +packet_sendmsg() checks tx_ring.pg_vec to decide +if it must call tpacket_snd(). + +Problem is that the check is lockless, meaning another thread +can issue a concurrent setsockopt(PACKET_TX_RING ) to flip +tx_ring.pg_vec back to NULL. + +Given that tpacket_snd() grabs pg_vec_lock mutex, we can +perform the check again to solve the race. + +syzbot reported : + +kasan: CONFIG_KASAN_INLINE enabled +kasan: GPF could be caused by NULL-ptr deref or user memory access +general protection fault: 0000 [#1] PREEMPT SMP KASAN +CPU: 1 PID: 11429 Comm: syz-executor394 Not tainted 5.3.0-rc4+ #101 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +RIP: 0010:packet_lookup_frame+0x8d/0x270 net/packet/af_packet.c:474 +Code: c1 ee 03 f7 73 0c 80 3c 0e 00 0f 85 cb 01 00 00 48 8b 0b 89 c0 4c 8d 24 c1 48 b8 00 00 00 00 00 fc ff df 4c 89 e1 48 c1 e9 03 <80> 3c 01 00 0f 85 94 01 00 00 48 8d 7b 10 4d 8b 3c 24 48 b8 00 00 +RSP: 0018:ffff88809f82f7b8 EFLAGS: 00010246 +RAX: dffffc0000000000 RBX: ffff8880a45c7030 RCX: 0000000000000000 +RDX: 0000000000000000 RSI: 1ffff110148b8e06 RDI: ffff8880a45c703c +RBP: ffff88809f82f7e8 R08: ffff888087aea200 R09: fffffbfff134ae50 +R10: fffffbfff134ae4f R11: ffffffff89a5727f R12: 0000000000000000 +R13: 0000000000000001 R14: ffff8880a45c6ac0 R15: 0000000000000000 +FS: 00007fa04716f700(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007fa04716edb8 CR3: 0000000091eb4000 CR4: 00000000001406e0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + packet_current_frame net/packet/af_packet.c:487 [inline] + tpacket_snd net/packet/af_packet.c:2667 [inline] + packet_sendmsg+0x590/0x6250 net/packet/af_packet.c:2975 + sock_sendmsg_nosec net/socket.c:637 [inline] + sock_sendmsg+0xd7/0x130 net/socket.c:657 + ___sys_sendmsg+0x3e2/0x920 net/socket.c:2311 + __sys_sendmmsg+0x1bf/0x4d0 net/socket.c:2413 + __do_sys_sendmmsg net/socket.c:2442 [inline] + __se_sys_sendmmsg net/socket.c:2439 [inline] + __x64_sys_sendmmsg+0x9d/0x100 net/socket.c:2439 + do_syscall_64+0xfd/0x6a0 arch/x86/entry/common.c:296 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + +Fixes: 69e3c75f4d54 ("net: TX_RING and packet mmap") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/packet/af_packet.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/net/packet/af_packet.c ++++ b/net/packet/af_packet.c +@@ -2498,6 +2498,13 @@ static int tpacket_snd(struct packet_soc + + mutex_lock(&po->pg_vec_lock); + ++ /* packet_sendmsg() check on tx_ring.pg_vec was lockless, ++ * we need to confirm it under protection of pg_vec_lock. ++ */ ++ if (unlikely(!po->tx_ring.pg_vec)) { ++ err = -EBUSY; ++ goto out; ++ } + if (likely(saddr == NULL)) { + dev = packet_cached_dev_get(po); + proto = po->num; diff --git a/queue-4.4/sctp-fix-the-transport-error_count-check.patch b/queue-4.4/sctp-fix-the-transport-error_count-check.patch new file mode 100644 index 00000000000..290061e8b07 --- /dev/null +++ b/queue-4.4/sctp-fix-the-transport-error_count-check.patch @@ -0,0 +1,37 @@ +From foo@baz Tue 20 Aug 2019 07:11:28 PM PDT +From: Xin Long +Date: Mon, 12 Aug 2019 20:49:12 +0800 +Subject: sctp: fix the transport error_count check + +From: Xin Long + +[ Upstream commit a1794de8b92ea6bc2037f445b296814ac826693e ] + +As the annotation says in sctp_do_8_2_transport_strike(): + + "If the transport error count is greater than the pf_retrans + threshold, and less than pathmaxrtx ..." + +It should be transport->error_count checked with pathmaxrxt, +instead of asoc->pf_retrans. + +Fixes: 5aa93bcf66f4 ("sctp: Implement quick failover draft from tsvwg") +Signed-off-by: Xin Long +Acked-by: Marcelo Ricardo Leitner +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/sctp/sm_sideeffect.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/sctp/sm_sideeffect.c ++++ b/net/sctp/sm_sideeffect.c +@@ -504,7 +504,7 @@ static void sctp_do_8_2_transport_strike + * see SCTP Quick Failover Draft, section 5.1 + */ + if ((transport->state == SCTP_ACTIVE) && +- (asoc->pf_retrans < transport->pathmaxrxt) && ++ (transport->error_count < transport->pathmaxrxt) && + (transport->error_count > asoc->pf_retrans)) { + + sctp_assoc_control_transport(asoc, transport, diff --git a/queue-4.4/series b/queue-4.4/series index 28ecb043692..916cfc64a40 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -72,3 +72,8 @@ ib-mlx5-make-coding-style-more-consistent.patch x86-vdso-remove-direct-hpet-access-through-the-vdso.patch iommu-amd-move-iommu_init_pci-to-.init-section.patch x86-boot-disable-the-address-of-packed-member-compiler-warning.patch +net-packet-fix-race-in-tpacket_snd.patch +xen-netback-reset-nr_frags-before-freeing-skb.patch +net-mlx5e-only-support-tx-rx-pause-setting-for-port-owner.patch +sctp-fix-the-transport-error_count-check.patch +bonding-add-vlan-tx-offload-to-hw_enc_features.patch diff --git a/queue-4.4/xen-netback-reset-nr_frags-before-freeing-skb.patch b/queue-4.4/xen-netback-reset-nr_frags-before-freeing-skb.patch new file mode 100644 index 00000000000..aef9681cff0 --- /dev/null +++ b/queue-4.4/xen-netback-reset-nr_frags-before-freeing-skb.patch @@ -0,0 +1,38 @@ +From foo@baz Tue 20 Aug 2019 07:11:28 PM PDT +From: Ross Lagerwall +Date: Mon, 5 Aug 2019 16:34:34 +0100 +Subject: xen/netback: Reset nr_frags before freeing skb + +From: Ross Lagerwall + +[ Upstream commit 3a0233ddec554b886298de2428edb5c50a20e694 ] + +At this point nr_frags has been incremented but the frag does not yet +have a page assigned so freeing the skb results in a crash. Reset +nr_frags before freeing the skb to prevent this. + +Signed-off-by: Ross Lagerwall +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/xen-netback/netback.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/net/xen-netback/netback.c ++++ b/drivers/net/xen-netback/netback.c +@@ -1421,6 +1421,7 @@ static void xenvif_tx_build_gops(struct + skb_shinfo(skb)->nr_frags = MAX_SKB_FRAGS; + nskb = xenvif_alloc_skb(0); + if (unlikely(nskb == NULL)) { ++ skb_shinfo(skb)->nr_frags = 0; + kfree_skb(skb); + xenvif_tx_err(queue, &txreq, idx); + if (net_ratelimit()) +@@ -1436,6 +1437,7 @@ static void xenvif_tx_build_gops(struct + + if (xenvif_set_skb_gso(queue->vif, skb, gso)) { + /* Failure in xenvif_set_skb_gso is fatal. */ ++ skb_shinfo(skb)->nr_frags = 0; + kfree_skb(skb); + kfree_skb(nskb); + break;