From: Greg Kroah-Hartman Date: Thu, 26 Apr 2018 18:47:36 +0000 (+0200) Subject: 4.16-stable patches X-Git-Tag: v3.18.107~20 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f15ebea3b84912a6a7d21bc91083f0afd6bcbb3a;p=thirdparty%2Fkernel%2Fstable-queue.git 4.16-stable patches added patches: amd-xgbe-add-pre-post-auto-negotiation-phy-hooks.patch amd-xgbe-improve-kr-auto-negotiation-and-training.patch amd-xgbe-only-use-the-sfp-supported-transceiver-signals.patch bnxt_en-fix-memory-fault-in-bnxt_ethtool_init.patch bonding-do-not-set-slave_dev-npinfo-before-slave_enable_netpoll-in-bond_enslave.patch docs-ip-sysctl.txt-fix-name-of-some-ipv6-variables.patch ipv6-add-rta_table-and-rta_prefsrc-to-rtm_ipv6_policy.patch ipv6-sr-fix-null-pointer-dereference-in-seg6_do_srh_encap-v4-pkts.patch keys-dns-limit-the-length-of-option-strings.patch l2tp-check-sockaddr-length-in-pppol2tp_connect.patch l2tp-fix-pppol2tp-l2tp_dfs-_seq_stop-in-case-of-seq_file-overflow.patch l2tp-hold-reference-on-tunnels-in-netlink-dumps.patch l2tp-hold-reference-on-tunnels-printed-in-l2tp-tunnels-debugfs-file.patch l2tp-hold-reference-on-tunnels-printed-in-pppol2tp-proc-file.patch llc-delete-timers-synchronously-in-llc_sk_free.patch llc-fix-null-pointer-deref-for-sock_zapped.patch llc-hold-llc_sap-before-release_sock.patch net-af_packet-fix-race-in-packet_-r-t-x_ring.patch net-aquantia-oops-when-shutdown-on-already-stopped-device.patch net-aquantia-regression-on-reset-with-1.x-firmware.patch net-ethernet-ti-cpsw-fix-tx-vlan-priority-mapping.patch net-fix-deadlock-while-clearing-neighbor-proxy-table.patch net-mvpp2-fix-dma-address-mask-size.patch net-qmi_wwan-add-wistron-neweb-d19q1.patch net-sched-ife-check-on-metadata-length.patch net-sched-ife-handle-malformed-tlv-length.patch net-sched-ife-signal-not-finding-metaid.patch net-smc-fix-shutdown-in-state-smc_listen.patch net-stmmac-disable-acs-feature-for-gmac-4.patch net-validate-attribute-sizes-in-neigh_dump_table.patch packet-fix-bitfield-update-race.patch pppoe-check-sockaddr-length-in-pppoe_connect.patch revert-macsec-missing-dev_put-on-error-in-macsec_newlink.patch s390-qeth-avoid-control-io-completion-stalls.patch s390-qeth-fix-error-handling-in-adapter-command-callbacks.patch s390-qeth-handle-failure-on-workqueue-creation.patch sctp-do-not-check-port-in-sctp_inet6_cmp_addr.patch strparser-do-not-call-mod_delayed_work-with-a-timeout-of-long_max.patch strparser-fix-incorrect-strp-need_bytes-value.patch tcp-clear-tp-packets_out-when-purging-write-queue.patch tcp-don-t-read-out-of-bounds-opsize.patch tcp-md5-reject-tcp_md5sig-or-tcp_md5sig_ext-on-established-sockets.patch team-avoid-adding-twice-the-same-option-to-the-event-list.patch team-fix-netconsole-setup-over-team.patch tipc-add-policy-for-tipc_nla_net_addr.patch tun-fix-vlan-packet-truncation.patch virtio-net-add-missing-virtqueue-kick-when-flushing-packets.patch virtio_net-fix-adding-vids-on-big-endian.patch virtio_net-split-out-ctrl-buffer.patch vlan-fix-reading-memory-beyond-skb-tail-in-skb_vlan_tagged_multi.patch vmxnet3-fix-incorrect-dereference-when-rxvlan-is-disabled.patch vsock-make-af_vsock.ko-removable-again.patch --- diff --git a/queue-4.16/amd-xgbe-add-pre-post-auto-negotiation-phy-hooks.patch b/queue-4.16/amd-xgbe-add-pre-post-auto-negotiation-phy-hooks.patch new file mode 100644 index 00000000000..9e619d6e18c --- /dev/null +++ b/queue-4.16/amd-xgbe-add-pre-post-auto-negotiation-phy-hooks.patch @@ -0,0 +1,98 @@ +From foo@baz Thu Apr 26 20:46:44 CEST 2018 +From: Tom Lendacky +Date: Mon, 23 Apr 2018 11:43:08 -0500 +Subject: amd-xgbe: Add pre/post auto-negotiation phy hooks + +From: Tom Lendacky + + +[ Upstream commit 4d945663a6a0acf3cbe45940503f2eb9584bfee7 ] + +Add hooks to the driver auto-negotiation (AN) flow to allow the different +phy implementations to perform any steps necessary to improve AN. + +Signed-off-by: Tom Lendacky +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/amd/xgbe/xgbe-mdio.c | 16 ++++++++++++++-- + drivers/net/ethernet/amd/xgbe/xgbe.h | 5 +++++ + 2 files changed, 19 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/amd/xgbe/xgbe-mdio.c ++++ b/drivers/net/ethernet/amd/xgbe/xgbe-mdio.c +@@ -437,6 +437,9 @@ static void xgbe_an73_disable(struct xgb + + static void xgbe_an_restart(struct xgbe_prv_data *pdata) + { ++ if (pdata->phy_if.phy_impl.an_pre) ++ pdata->phy_if.phy_impl.an_pre(pdata); ++ + switch (pdata->an_mode) { + case XGBE_AN_MODE_CL73: + case XGBE_AN_MODE_CL73_REDRV: +@@ -453,6 +456,9 @@ static void xgbe_an_restart(struct xgbe_ + + static void xgbe_an_disable(struct xgbe_prv_data *pdata) + { ++ if (pdata->phy_if.phy_impl.an_post) ++ pdata->phy_if.phy_impl.an_post(pdata); ++ + switch (pdata->an_mode) { + case XGBE_AN_MODE_CL73: + case XGBE_AN_MODE_CL73_REDRV: +@@ -637,11 +643,11 @@ static enum xgbe_an xgbe_an73_incompat_l + return XGBE_AN_NO_LINK; + } + +- xgbe_an73_disable(pdata); ++ xgbe_an_disable(pdata); + + xgbe_switch_mode(pdata); + +- xgbe_an73_restart(pdata); ++ xgbe_an_restart(pdata); + + return XGBE_AN_INCOMPAT_LINK; + } +@@ -820,6 +826,9 @@ static void xgbe_an37_state_machine(stru + pdata->an_result = pdata->an_state; + pdata->an_state = XGBE_AN_READY; + ++ if (pdata->phy_if.phy_impl.an_post) ++ pdata->phy_if.phy_impl.an_post(pdata); ++ + netif_dbg(pdata, link, pdata->netdev, "CL37 AN result: %s\n", + xgbe_state_as_string(pdata->an_result)); + } +@@ -903,6 +912,9 @@ again: + pdata->kx_state = XGBE_RX_BPA; + pdata->an_start = 0; + ++ if (pdata->phy_if.phy_impl.an_post) ++ pdata->phy_if.phy_impl.an_post(pdata); ++ + netif_dbg(pdata, link, pdata->netdev, "CL73 AN result: %s\n", + xgbe_state_as_string(pdata->an_result)); + } +--- a/drivers/net/ethernet/amd/xgbe/xgbe.h ++++ b/drivers/net/ethernet/amd/xgbe/xgbe.h +@@ -833,6 +833,7 @@ struct xgbe_hw_if { + /* This structure represents implementation specific routines for an + * implementation of a PHY. All routines are required unless noted below. + * Optional routines: ++ * an_pre, an_post + * kr_training_pre, kr_training_post + */ + struct xgbe_phy_impl_if { +@@ -875,6 +876,10 @@ struct xgbe_phy_impl_if { + /* Process results of auto-negotiation */ + enum xgbe_mode (*an_outcome)(struct xgbe_prv_data *); + ++ /* Pre/Post auto-negotiation support */ ++ void (*an_pre)(struct xgbe_prv_data *); ++ void (*an_post)(struct xgbe_prv_data *); ++ + /* Pre/Post KR training enablement support */ + void (*kr_training_pre)(struct xgbe_prv_data *); + void (*kr_training_post)(struct xgbe_prv_data *); diff --git a/queue-4.16/amd-xgbe-improve-kr-auto-negotiation-and-training.patch b/queue-4.16/amd-xgbe-improve-kr-auto-negotiation-and-training.patch new file mode 100644 index 00000000000..b8be8c2dc04 --- /dev/null +++ b/queue-4.16/amd-xgbe-improve-kr-auto-negotiation-and-training.patch @@ -0,0 +1,348 @@ +From foo@baz Thu Apr 26 20:46:44 CEST 2018 +From: Tom Lendacky +Date: Mon, 23 Apr 2018 11:43:17 -0500 +Subject: amd-xgbe: Improve KR auto-negotiation and training + +From: Tom Lendacky + + +[ Upstream commit 96f4d430c507ed4856048c2dc9c1a2ea5b5e74e4 ] + +Update xgbe-phy-v2.c to make use of the auto-negotiation (AN) phy hooks +to improve the ability to successfully complete Clause 73 AN when running +at 10gbps. Hardware can sometimes have issues with CDR lock when the +AN DME page exchange is being performed. + +The AN and KR training hooks are used as follows: +- The pre AN hook is used to disable CDR tracking in the PHY so that the + DME page exchange can be successfully and consistently completed. +- The post KR training hook is used to re-enable the CDR tracking so that + KR training can successfully complete. +- The post AN hook is used to check for an unsuccessful AN which will + increase a CDR tracking enablement delay (up to a maximum value). + +Add two debugfs entries to allow control over use of the CDR tracking +workaround. The debugfs entries allow the CDR tracking workaround to +be disabled and determine whether to re-enable CDR tracking before or +after link training has been initiated. + +Also, with these changes the receiver reset cycle that is performed during +the link status check can be performed less often. + +Signed-off-by: Tom Lendacky +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/amd/xgbe/xgbe-common.h | 8 + + drivers/net/ethernet/amd/xgbe/xgbe-debugfs.c | 16 +++ + drivers/net/ethernet/amd/xgbe/xgbe-main.c | 1 + drivers/net/ethernet/amd/xgbe/xgbe-mdio.c | 8 + + drivers/net/ethernet/amd/xgbe/xgbe-pci.c | 2 + drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c | 125 ++++++++++++++++++++++++++- + drivers/net/ethernet/amd/xgbe/xgbe.h | 4 + 7 files changed, 160 insertions(+), 4 deletions(-) + +--- a/drivers/net/ethernet/amd/xgbe/xgbe-common.h ++++ b/drivers/net/ethernet/amd/xgbe/xgbe-common.h +@@ -1321,6 +1321,10 @@ + #define MDIO_VEND2_AN_STAT 0x8002 + #endif + ++#ifndef MDIO_VEND2_PMA_CDR_CONTROL ++#define MDIO_VEND2_PMA_CDR_CONTROL 0x8056 ++#endif ++ + #ifndef MDIO_CTRL1_SPEED1G + #define MDIO_CTRL1_SPEED1G (MDIO_CTRL1_SPEED10G & ~BMCR_SPEED100) + #endif +@@ -1369,6 +1373,10 @@ + #define XGBE_AN_CL37_TX_CONFIG_MASK 0x08 + #define XGBE_AN_CL37_MII_CTRL_8BIT 0x0100 + ++#define XGBE_PMA_CDR_TRACK_EN_MASK 0x01 ++#define XGBE_PMA_CDR_TRACK_EN_OFF 0x00 ++#define XGBE_PMA_CDR_TRACK_EN_ON 0x01 ++ + /* Bit setting and getting macros + * The get macro will extract the current bit field value from within + * the variable +--- a/drivers/net/ethernet/amd/xgbe/xgbe-debugfs.c ++++ b/drivers/net/ethernet/amd/xgbe/xgbe-debugfs.c +@@ -519,6 +519,22 @@ void xgbe_debugfs_init(struct xgbe_prv_d + "debugfs_create_file failed\n"); + } + ++ if (pdata->vdata->an_cdr_workaround) { ++ pfile = debugfs_create_bool("an_cdr_workaround", 0600, ++ pdata->xgbe_debugfs, ++ &pdata->debugfs_an_cdr_workaround); ++ if (!pfile) ++ netdev_err(pdata->netdev, ++ "debugfs_create_bool failed\n"); ++ ++ pfile = debugfs_create_bool("an_cdr_track_early", 0600, ++ pdata->xgbe_debugfs, ++ &pdata->debugfs_an_cdr_track_early); ++ if (!pfile) ++ netdev_err(pdata->netdev, ++ "debugfs_create_bool failed\n"); ++ } ++ + kfree(buf); + } + +--- a/drivers/net/ethernet/amd/xgbe/xgbe-main.c ++++ b/drivers/net/ethernet/amd/xgbe/xgbe-main.c +@@ -349,6 +349,7 @@ int xgbe_config_netdev(struct xgbe_prv_d + XGMAC_SET_BITS(pdata->rss_options, MAC_RSSCR, UDP4TE, 1); + + /* Call MDIO/PHY initialization routine */ ++ pdata->debugfs_an_cdr_workaround = pdata->vdata->an_cdr_workaround; + ret = pdata->phy_if.phy_init(pdata); + if (ret) + return ret; +--- a/drivers/net/ethernet/amd/xgbe/xgbe-mdio.c ++++ b/drivers/net/ethernet/amd/xgbe/xgbe-mdio.c +@@ -432,6 +432,8 @@ static void xgbe_an73_disable(struct xgb + xgbe_an73_set(pdata, false, false); + xgbe_an73_disable_interrupts(pdata); + ++ pdata->an_start = 0; ++ + netif_dbg(pdata, link, pdata->netdev, "CL73 AN disabled\n"); + } + +@@ -511,11 +513,11 @@ static enum xgbe_an xgbe_an73_tx_trainin + XMDIO_WRITE(pdata, MDIO_MMD_PMAPMD, MDIO_PMA_10GBR_PMD_CTRL, + reg); + +- if (pdata->phy_if.phy_impl.kr_training_post) +- pdata->phy_if.phy_impl.kr_training_post(pdata); +- + netif_dbg(pdata, link, pdata->netdev, + "KR training initiated\n"); ++ ++ if (pdata->phy_if.phy_impl.kr_training_post) ++ pdata->phy_if.phy_impl.kr_training_post(pdata); + } + + return XGBE_AN_PAGE_RECEIVED; +--- a/drivers/net/ethernet/amd/xgbe/xgbe-pci.c ++++ b/drivers/net/ethernet/amd/xgbe/xgbe-pci.c +@@ -456,6 +456,7 @@ static const struct xgbe_version_data xg + .irq_reissue_support = 1, + .tx_desc_prefetch = 5, + .rx_desc_prefetch = 5, ++ .an_cdr_workaround = 1, + }; + + static const struct xgbe_version_data xgbe_v2b = { +@@ -470,6 +471,7 @@ static const struct xgbe_version_data xg + .irq_reissue_support = 1, + .tx_desc_prefetch = 5, + .rx_desc_prefetch = 5, ++ .an_cdr_workaround = 1, + }; + + static const struct pci_device_id xgbe_pci_table[] = { +--- a/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c ++++ b/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c +@@ -147,6 +147,14 @@ + /* Rate-change complete wait/retry count */ + #define XGBE_RATECHANGE_COUNT 500 + ++/* CDR delay values for KR support (in usec) */ ++#define XGBE_CDR_DELAY_INIT 10000 ++#define XGBE_CDR_DELAY_INC 10000 ++#define XGBE_CDR_DELAY_MAX 100000 ++ ++/* RRC frequency during link status check */ ++#define XGBE_RRC_FREQUENCY 10 ++ + enum xgbe_port_mode { + XGBE_PORT_MODE_RSVD = 0, + XGBE_PORT_MODE_BACKPLANE, +@@ -355,6 +363,10 @@ struct xgbe_phy_data { + unsigned int redrv_addr; + unsigned int redrv_lane; + unsigned int redrv_model; ++ ++ /* KR AN support */ ++ unsigned int phy_cdr_notrack; ++ unsigned int phy_cdr_delay; + }; + + /* I2C, MDIO and GPIO lines are muxed, so only one device at a time */ +@@ -2361,7 +2373,7 @@ static int xgbe_phy_link_status(struct x + return 1; + + /* No link, attempt a receiver reset cycle */ +- if (phy_data->rrc_count++) { ++ if (phy_data->rrc_count++ > XGBE_RRC_FREQUENCY) { + phy_data->rrc_count = 0; + xgbe_phy_rrc(pdata); + } +@@ -2669,6 +2681,103 @@ static bool xgbe_phy_port_enabled(struct + return true; + } + ++static void xgbe_phy_cdr_track(struct xgbe_prv_data *pdata) ++{ ++ struct xgbe_phy_data *phy_data = pdata->phy_data; ++ ++ if (!pdata->debugfs_an_cdr_workaround) ++ return; ++ ++ if (!phy_data->phy_cdr_notrack) ++ return; ++ ++ usleep_range(phy_data->phy_cdr_delay, ++ phy_data->phy_cdr_delay + 500); ++ ++ XMDIO_WRITE_BITS(pdata, MDIO_MMD_PMAPMD, MDIO_VEND2_PMA_CDR_CONTROL, ++ XGBE_PMA_CDR_TRACK_EN_MASK, ++ XGBE_PMA_CDR_TRACK_EN_ON); ++ ++ phy_data->phy_cdr_notrack = 0; ++} ++ ++static void xgbe_phy_cdr_notrack(struct xgbe_prv_data *pdata) ++{ ++ struct xgbe_phy_data *phy_data = pdata->phy_data; ++ ++ if (!pdata->debugfs_an_cdr_workaround) ++ return; ++ ++ if (phy_data->phy_cdr_notrack) ++ return; ++ ++ XMDIO_WRITE_BITS(pdata, MDIO_MMD_PMAPMD, MDIO_VEND2_PMA_CDR_CONTROL, ++ XGBE_PMA_CDR_TRACK_EN_MASK, ++ XGBE_PMA_CDR_TRACK_EN_OFF); ++ ++ xgbe_phy_rrc(pdata); ++ ++ phy_data->phy_cdr_notrack = 1; ++} ++ ++static void xgbe_phy_kr_training_post(struct xgbe_prv_data *pdata) ++{ ++ if (!pdata->debugfs_an_cdr_track_early) ++ xgbe_phy_cdr_track(pdata); ++} ++ ++static void xgbe_phy_kr_training_pre(struct xgbe_prv_data *pdata) ++{ ++ if (pdata->debugfs_an_cdr_track_early) ++ xgbe_phy_cdr_track(pdata); ++} ++ ++static void xgbe_phy_an_post(struct xgbe_prv_data *pdata) ++{ ++ struct xgbe_phy_data *phy_data = pdata->phy_data; ++ ++ switch (pdata->an_mode) { ++ case XGBE_AN_MODE_CL73: ++ case XGBE_AN_MODE_CL73_REDRV: ++ if (phy_data->cur_mode != XGBE_MODE_KR) ++ break; ++ ++ xgbe_phy_cdr_track(pdata); ++ ++ switch (pdata->an_result) { ++ case XGBE_AN_READY: ++ case XGBE_AN_COMPLETE: ++ break; ++ default: ++ if (phy_data->phy_cdr_delay < XGBE_CDR_DELAY_MAX) ++ phy_data->phy_cdr_delay += XGBE_CDR_DELAY_INC; ++ else ++ phy_data->phy_cdr_delay = XGBE_CDR_DELAY_INIT; ++ break; ++ } ++ break; ++ default: ++ break; ++ } ++} ++ ++static void xgbe_phy_an_pre(struct xgbe_prv_data *pdata) ++{ ++ struct xgbe_phy_data *phy_data = pdata->phy_data; ++ ++ switch (pdata->an_mode) { ++ case XGBE_AN_MODE_CL73: ++ case XGBE_AN_MODE_CL73_REDRV: ++ if (phy_data->cur_mode != XGBE_MODE_KR) ++ break; ++ ++ xgbe_phy_cdr_notrack(pdata); ++ break; ++ default: ++ break; ++ } ++} ++ + static void xgbe_phy_stop(struct xgbe_prv_data *pdata) + { + struct xgbe_phy_data *phy_data = pdata->phy_data; +@@ -2680,6 +2789,9 @@ static void xgbe_phy_stop(struct xgbe_pr + xgbe_phy_sfp_reset(phy_data); + xgbe_phy_sfp_mod_absent(pdata); + ++ /* Reset CDR support */ ++ xgbe_phy_cdr_track(pdata); ++ + /* Power off the PHY */ + xgbe_phy_power_off(pdata); + +@@ -2712,6 +2824,9 @@ static int xgbe_phy_start(struct xgbe_pr + /* Start in highest supported mode */ + xgbe_phy_set_mode(pdata, phy_data->start_mode); + ++ /* Reset CDR support */ ++ xgbe_phy_cdr_track(pdata); ++ + /* After starting the I2C controller, we can check for an SFP */ + switch (phy_data->port_mode) { + case XGBE_PORT_MODE_SFP: +@@ -3019,6 +3134,8 @@ static int xgbe_phy_init(struct xgbe_prv + } + } + ++ phy_data->phy_cdr_delay = XGBE_CDR_DELAY_INIT; ++ + /* Register for driving external PHYs */ + mii = devm_mdiobus_alloc(pdata->dev); + if (!mii) { +@@ -3071,4 +3188,10 @@ void xgbe_init_function_ptrs_phy_v2(stru + phy_impl->an_advertising = xgbe_phy_an_advertising; + + phy_impl->an_outcome = xgbe_phy_an_outcome; ++ ++ phy_impl->an_pre = xgbe_phy_an_pre; ++ phy_impl->an_post = xgbe_phy_an_post; ++ ++ phy_impl->kr_training_pre = xgbe_phy_kr_training_pre; ++ phy_impl->kr_training_post = xgbe_phy_kr_training_post; + } +--- a/drivers/net/ethernet/amd/xgbe/xgbe.h ++++ b/drivers/net/ethernet/amd/xgbe/xgbe.h +@@ -994,6 +994,7 @@ struct xgbe_version_data { + unsigned int irq_reissue_support; + unsigned int tx_desc_prefetch; + unsigned int rx_desc_prefetch; ++ unsigned int an_cdr_workaround; + }; + + struct xgbe_vxlan_data { +@@ -1262,6 +1263,9 @@ struct xgbe_prv_data { + unsigned int debugfs_xprop_reg; + + unsigned int debugfs_xi2c_reg; ++ ++ bool debugfs_an_cdr_workaround; ++ bool debugfs_an_cdr_track_early; + }; + + /* Function prototypes*/ diff --git a/queue-4.16/amd-xgbe-only-use-the-sfp-supported-transceiver-signals.patch b/queue-4.16/amd-xgbe-only-use-the-sfp-supported-transceiver-signals.patch new file mode 100644 index 00000000000..7235abff7a8 --- /dev/null +++ b/queue-4.16/amd-xgbe-only-use-the-sfp-supported-transceiver-signals.patch @@ -0,0 +1,137 @@ +From foo@baz Thu Apr 26 20:46:44 CEST 2018 +From: Tom Lendacky +Date: Mon, 23 Apr 2018 11:43:34 -0500 +Subject: amd-xgbe: Only use the SFP supported transceiver signals + +From: Tom Lendacky + + +[ Upstream commit 117df655f8ed51adb6e6b163812a06ebeae9f453 ] + +The SFP eeprom indicates the transceiver signals (Rx LOS, Tx Fault, etc.) +that it supports. Update the driver to include checking the eeprom data +when deciding whether to use a transceiver signal. + +Signed-off-by: Tom Lendacky +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c | 71 +++++++++++++++++++++------- + 1 file changed, 54 insertions(+), 17 deletions(-) + +--- a/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c ++++ b/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c +@@ -253,6 +253,10 @@ enum xgbe_sfp_speed { + #define XGBE_SFP_BASE_VENDOR_SN 4 + #define XGBE_SFP_BASE_VENDOR_SN_LEN 16 + ++#define XGBE_SFP_EXTD_OPT1 1 ++#define XGBE_SFP_EXTD_OPT1_RX_LOS BIT(1) ++#define XGBE_SFP_EXTD_OPT1_TX_FAULT BIT(3) ++ + #define XGBE_SFP_EXTD_DIAG 28 + #define XGBE_SFP_EXTD_DIAG_ADDR_CHANGE BIT(2) + +@@ -332,6 +336,7 @@ struct xgbe_phy_data { + + unsigned int sfp_gpio_address; + unsigned int sfp_gpio_mask; ++ unsigned int sfp_gpio_inputs; + unsigned int sfp_gpio_rx_los; + unsigned int sfp_gpio_tx_fault; + unsigned int sfp_gpio_mod_absent; +@@ -986,6 +991,49 @@ static void xgbe_phy_sfp_external_phy(st + phy_data->sfp_phy_avail = 1; + } + ++static bool xgbe_phy_check_sfp_rx_los(struct xgbe_phy_data *phy_data) ++{ ++ u8 *sfp_extd = phy_data->sfp_eeprom.extd; ++ ++ if (!(sfp_extd[XGBE_SFP_EXTD_OPT1] & XGBE_SFP_EXTD_OPT1_RX_LOS)) ++ return false; ++ ++ if (phy_data->sfp_gpio_mask & XGBE_GPIO_NO_RX_LOS) ++ return false; ++ ++ if (phy_data->sfp_gpio_inputs & (1 << phy_data->sfp_gpio_rx_los)) ++ return true; ++ ++ return false; ++} ++ ++static bool xgbe_phy_check_sfp_tx_fault(struct xgbe_phy_data *phy_data) ++{ ++ u8 *sfp_extd = phy_data->sfp_eeprom.extd; ++ ++ if (!(sfp_extd[XGBE_SFP_EXTD_OPT1] & XGBE_SFP_EXTD_OPT1_TX_FAULT)) ++ return false; ++ ++ if (phy_data->sfp_gpio_mask & XGBE_GPIO_NO_TX_FAULT) ++ return false; ++ ++ if (phy_data->sfp_gpio_inputs & (1 << phy_data->sfp_gpio_tx_fault)) ++ return true; ++ ++ return false; ++} ++ ++static bool xgbe_phy_check_sfp_mod_absent(struct xgbe_phy_data *phy_data) ++{ ++ if (phy_data->sfp_gpio_mask & XGBE_GPIO_NO_MOD_ABSENT) ++ return false; ++ ++ if (phy_data->sfp_gpio_inputs & (1 << phy_data->sfp_gpio_mod_absent)) ++ return true; ++ ++ return false; ++} ++ + static bool xgbe_phy_belfuse_parse_quirks(struct xgbe_prv_data *pdata) + { + struct xgbe_phy_data *phy_data = pdata->phy_data; +@@ -1031,6 +1079,10 @@ static void xgbe_phy_sfp_parse_eeprom(st + if (sfp_base[XGBE_SFP_BASE_EXT_ID] != XGBE_SFP_EXT_ID_SFP) + return; + ++ /* Update transceiver signals (eeprom extd/options) */ ++ phy_data->sfp_tx_fault = xgbe_phy_check_sfp_tx_fault(phy_data); ++ phy_data->sfp_rx_los = xgbe_phy_check_sfp_rx_los(phy_data); ++ + if (xgbe_phy_sfp_parse_quirks(pdata)) + return; + +@@ -1196,7 +1248,6 @@ put: + static void xgbe_phy_sfp_signals(struct xgbe_prv_data *pdata) + { + struct xgbe_phy_data *phy_data = pdata->phy_data; +- unsigned int gpio_input; + u8 gpio_reg, gpio_ports[2]; + int ret; + +@@ -1211,23 +1262,9 @@ static void xgbe_phy_sfp_signals(struct + return; + } + +- gpio_input = (gpio_ports[1] << 8) | gpio_ports[0]; +- +- if (phy_data->sfp_gpio_mask & XGBE_GPIO_NO_MOD_ABSENT) { +- /* No GPIO, just assume the module is present for now */ +- phy_data->sfp_mod_absent = 0; +- } else { +- if (!(gpio_input & (1 << phy_data->sfp_gpio_mod_absent))) +- phy_data->sfp_mod_absent = 0; +- } +- +- if (!(phy_data->sfp_gpio_mask & XGBE_GPIO_NO_RX_LOS) && +- (gpio_input & (1 << phy_data->sfp_gpio_rx_los))) +- phy_data->sfp_rx_los = 1; ++ phy_data->sfp_gpio_inputs = (gpio_ports[1] << 8) | gpio_ports[0]; + +- if (!(phy_data->sfp_gpio_mask & XGBE_GPIO_NO_TX_FAULT) && +- (gpio_input & (1 << phy_data->sfp_gpio_tx_fault))) +- phy_data->sfp_tx_fault = 1; ++ phy_data->sfp_mod_absent = xgbe_phy_check_sfp_mod_absent(phy_data); + } + + static void xgbe_phy_sfp_mod_absent(struct xgbe_prv_data *pdata) diff --git a/queue-4.16/bnxt_en-fix-memory-fault-in-bnxt_ethtool_init.patch b/queue-4.16/bnxt_en-fix-memory-fault-in-bnxt_ethtool_init.patch new file mode 100644 index 00000000000..a5795911ec7 --- /dev/null +++ b/queue-4.16/bnxt_en-fix-memory-fault-in-bnxt_ethtool_init.patch @@ -0,0 +1,116 @@ +From foo@baz Thu Apr 26 20:46:44 CEST 2018 +From: Vasundhara Volam +Date: Thu, 19 Apr 2018 03:16:16 -0400 +Subject: bnxt_en: Fix memory fault in bnxt_ethtool_init() + +From: Vasundhara Volam + + +[ Upstream commit a60faa60da891e311e19fd3e88d611863f431130 ] + +In some firmware images, the length of BNX_DIR_TYPE_PKG_LOG nvram type +could be greater than the fixed buffer length of 4096 bytes allocated by +the driver. This was causing HWRM_NVM_READ to copy more data to the buffer +than the allocated size, causing general protection fault. + +Fix the issue by allocating the exact buffer length returned by +HWRM_NVM_FIND_DIR_ENTRY, instead of 4096. Move the kzalloc() call +into the bnxt_get_pkgver() function. + +Fixes: 3ebf6f0a09a2 ("bnxt_en: Add installed-package firmware version reporting via Ethtool GDRVINFO") +Signed-off-by: Vasundhara Volam +Signed-off-by: Michael Chan +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c | 51 +++++++++++---------- + drivers/net/ethernet/broadcom/bnxt/bnxt_nvm_defs.h | 2 + 2 files changed, 28 insertions(+), 25 deletions(-) + +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c +@@ -1874,22 +1874,39 @@ static char *bnxt_parse_pkglog(int desir + return retval; + } + +-static char *bnxt_get_pkgver(struct net_device *dev, char *buf, size_t buflen) ++static void bnxt_get_pkgver(struct net_device *dev) + { ++ struct bnxt *bp = netdev_priv(dev); + u16 index = 0; +- u32 datalen; ++ char *pkgver; ++ u32 pkglen; ++ u8 *pkgbuf; ++ int len; + + if (bnxt_find_nvram_item(dev, BNX_DIR_TYPE_PKG_LOG, + BNX_DIR_ORDINAL_FIRST, BNX_DIR_EXT_NONE, +- &index, NULL, &datalen) != 0) +- return NULL; ++ &index, NULL, &pkglen) != 0) ++ return; ++ ++ pkgbuf = kzalloc(pkglen, GFP_KERNEL); ++ if (!pkgbuf) { ++ dev_err(&bp->pdev->dev, "Unable to allocate memory for pkg version, length = %u\n", ++ pkglen); ++ return; ++ } + +- memset(buf, 0, buflen); +- if (bnxt_get_nvram_item(dev, index, 0, datalen, buf) != 0) +- return NULL; ++ if (bnxt_get_nvram_item(dev, index, 0, pkglen, pkgbuf)) ++ goto err; + +- return bnxt_parse_pkglog(BNX_PKG_LOG_FIELD_IDX_PKG_VERSION, buf, +- datalen); ++ pkgver = bnxt_parse_pkglog(BNX_PKG_LOG_FIELD_IDX_PKG_VERSION, pkgbuf, ++ pkglen); ++ if (pkgver && *pkgver != 0 && isdigit(*pkgver)) { ++ len = strlen(bp->fw_ver_str); ++ snprintf(bp->fw_ver_str + len, FW_VER_STR_LEN - len - 1, ++ "/pkg %s", pkgver); ++ } ++err: ++ kfree(pkgbuf); + } + + static int bnxt_get_eeprom(struct net_device *dev, +@@ -2558,22 +2575,10 @@ void bnxt_ethtool_init(struct bnxt *bp) + struct hwrm_selftest_qlist_input req = {0}; + struct bnxt_test_info *test_info; + struct net_device *dev = bp->dev; +- char *pkglog; + int i, rc; + +- pkglog = kzalloc(BNX_PKG_LOG_MAX_LENGTH, GFP_KERNEL); +- if (pkglog) { +- char *pkgver; +- int len; +- +- pkgver = bnxt_get_pkgver(dev, pkglog, BNX_PKG_LOG_MAX_LENGTH); +- if (pkgver && *pkgver != 0 && isdigit(*pkgver)) { +- len = strlen(bp->fw_ver_str); +- snprintf(bp->fw_ver_str + len, FW_VER_STR_LEN - len - 1, +- "/pkg %s", pkgver); +- } +- kfree(pkglog); +- } ++ bnxt_get_pkgver(dev); ++ + if (bp->hwrm_spec_code < 0x10704 || !BNXT_SINGLE_PF(bp)) + return; + +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_nvm_defs.h ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_nvm_defs.h +@@ -59,8 +59,6 @@ enum bnxt_nvm_directory_type { + #define BNX_DIR_ATTR_NO_CHKSUM (1 << 0) + #define BNX_DIR_ATTR_PROP_STREAM (1 << 1) + +-#define BNX_PKG_LOG_MAX_LENGTH 4096 +- + enum bnxnvm_pkglog_field_index { + BNX_PKG_LOG_FIELD_IDX_INSTALLED_TIMESTAMP = 0, + BNX_PKG_LOG_FIELD_IDX_PKG_DESCRIPTION = 1, diff --git a/queue-4.16/bonding-do-not-set-slave_dev-npinfo-before-slave_enable_netpoll-in-bond_enslave.patch b/queue-4.16/bonding-do-not-set-slave_dev-npinfo-before-slave_enable_netpoll-in-bond_enslave.patch new file mode 100644 index 00000000000..c1e2b72b7c4 --- /dev/null +++ b/queue-4.16/bonding-do-not-set-slave_dev-npinfo-before-slave_enable_netpoll-in-bond_enslave.patch @@ -0,0 +1,55 @@ +From foo@baz Thu Apr 26 20:46:44 CEST 2018 +From: Xin Long +Date: Sun, 22 Apr 2018 19:11:50 +0800 +Subject: bonding: do not set slave_dev npinfo before slave_enable_netpoll in bond_enslave + +From: Xin Long + + +[ Upstream commit ddea788c63094f7c483783265563dd5b50052e28 ] + +After Commit 8a8efa22f51b ("bonding: sync netpoll code with bridge"), it +would set slave_dev npinfo in slave_enable_netpoll when enslaving a dev +if bond->dev->npinfo was set. + +However now slave_dev npinfo is set with bond->dev->npinfo before calling +slave_enable_netpoll. With slave_dev npinfo set, __netpoll_setup called +in slave_enable_netpoll will not call slave dev's .ndo_netpoll_setup(). +It causes that the lower dev of this slave dev can't set its npinfo. + +One way to reproduce it: + + # modprobe bonding + # brctl addbr br0 + # brctl addif br0 eth1 + # ifconfig bond0 192.168.122.1/24 up + # ifenslave bond0 eth2 + # systemctl restart netconsole + # ifenslave bond0 br0 + # ifconfig eth2 down + # systemctl restart netconsole + +The netpoll won't really work. + +This patch is to remove that slave_dev npinfo setting in bond_enslave(). + +Fixes: 8a8efa22f51b ("bonding: sync netpoll code with bridge") +Signed-off-by: Xin Long +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/bonding/bond_main.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -1660,8 +1660,7 @@ int bond_enslave(struct net_device *bond + } /* switch(bond_mode) */ + + #ifdef CONFIG_NET_POLL_CONTROLLER +- slave_dev->npinfo = bond->dev->npinfo; +- if (slave_dev->npinfo) { ++ if (bond->dev->npinfo) { + if (slave_enable_netpoll(new_slave)) { + netdev_info(bond_dev, "master_dev is using netpoll, but new slave device does not support netpoll\n"); + res = -EBUSY; diff --git a/queue-4.16/docs-ip-sysctl.txt-fix-name-of-some-ipv6-variables.patch b/queue-4.16/docs-ip-sysctl.txt-fix-name-of-some-ipv6-variables.patch new file mode 100644 index 00000000000..0f1f32c2c0e --- /dev/null +++ b/queue-4.16/docs-ip-sysctl.txt-fix-name-of-some-ipv6-variables.patch @@ -0,0 +1,61 @@ +From foo@baz Thu Apr 26 20:46:44 CEST 2018 +From: Olivier Gayot +Date: Wed, 18 Apr 2018 22:03:06 +0200 +Subject: docs: ip-sysctl.txt: fix name of some ipv6 variables + +From: Olivier Gayot + + +[ Upstream commit ab913455dd59b81204b6a0d387a44697b0e0bd85 ] + +The name of the following proc/sysctl entries were incorrectly +documented: + + /proc/sys/net/ipv6/conf//max_dst_opts_number + /proc/sys/net/ipv6/conf//max_hbt_opts_number + /proc/sys/net/ipv6/conf//max_dst_opts_length + /proc/sys/net/ipv6/conf//max_hbt_length + +Their name was set to the name of the symbol in the .data field of the +control table instead of their .proc name. + +Signed-off-by: Olivier Gayot +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/networking/ip-sysctl.txt | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/Documentation/networking/ip-sysctl.txt ++++ b/Documentation/networking/ip-sysctl.txt +@@ -1386,26 +1386,26 @@ mld_qrv - INTEGER + Default: 2 (as specified by RFC3810 9.1) + Minimum: 1 (as specified by RFC6636 4.5) + +-max_dst_opts_cnt - INTEGER ++max_dst_opts_number - INTEGER + Maximum number of non-padding TLVs allowed in a Destination + options extension header. If this value is less than zero + then unknown options are disallowed and the number of known + TLVs allowed is the absolute value of this number. + Default: 8 + +-max_hbh_opts_cnt - INTEGER ++max_hbh_opts_number - INTEGER + Maximum number of non-padding TLVs allowed in a Hop-by-Hop + options extension header. If this value is less than zero + then unknown options are disallowed and the number of known + TLVs allowed is the absolute value of this number. + Default: 8 + +-max dst_opts_len - INTEGER ++max_dst_opts_length - INTEGER + Maximum length allowed for a Destination options extension + header. + Default: INT_MAX (unlimited) + +-max hbh_opts_len - INTEGER ++max_hbh_length - INTEGER + Maximum length allowed for a Hop-by-Hop options extension + header. + Default: INT_MAX (unlimited) diff --git a/queue-4.16/ipv6-add-rta_table-and-rta_prefsrc-to-rtm_ipv6_policy.patch b/queue-4.16/ipv6-add-rta_table-and-rta_prefsrc-to-rtm_ipv6_policy.patch new file mode 100644 index 00000000000..d4443c0ec0c --- /dev/null +++ b/queue-4.16/ipv6-add-rta_table-and-rta_prefsrc-to-rtm_ipv6_policy.patch @@ -0,0 +1,44 @@ +From foo@baz Thu Apr 26 20:46:44 CEST 2018 +From: Eric Dumazet +Date: Sun, 22 Apr 2018 18:29:23 -0700 +Subject: ipv6: add RTA_TABLE and RTA_PREFSRC to rtm_ipv6_policy + +From: Eric Dumazet + + +[ Upstream commit aa8f8778493c85fff480cdf8b349b1e1dcb5f243 ] + +KMSAN reported use of uninit-value that I tracked to lack +of proper size check on RTA_TABLE attribute. + +I also believe RTA_PREFSRC lacks a similar check. + +Fixes: 86872cb57925 ("[IPv6] route: FIB6 configuration using struct fib6_config") +Fixes: c3968a857a6b ("ipv6: RTA_PREFSRC support for ipv6 route source address selection") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Acked-by: David Ahern +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/route.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/net/ipv6/route.c ++++ b/net/ipv6/route.c +@@ -3862,6 +3862,7 @@ void rt6_mtu_change(struct net_device *d + + static const struct nla_policy rtm_ipv6_policy[RTA_MAX+1] = { + [RTA_GATEWAY] = { .len = sizeof(struct in6_addr) }, ++ [RTA_PREFSRC] = { .len = sizeof(struct in6_addr) }, + [RTA_OIF] = { .type = NLA_U32 }, + [RTA_IIF] = { .type = NLA_U32 }, + [RTA_PRIORITY] = { .type = NLA_U32 }, +@@ -3873,6 +3874,7 @@ static const struct nla_policy rtm_ipv6_ + [RTA_EXPIRES] = { .type = NLA_U32 }, + [RTA_UID] = { .type = NLA_U32 }, + [RTA_MARK] = { .type = NLA_U32 }, ++ [RTA_TABLE] = { .type = NLA_U32 }, + }; + + static int rtm_to_fib6_config(struct sk_buff *skb, struct nlmsghdr *nlh, diff --git a/queue-4.16/ipv6-sr-fix-null-pointer-dereference-in-seg6_do_srh_encap-v4-pkts.patch b/queue-4.16/ipv6-sr-fix-null-pointer-dereference-in-seg6_do_srh_encap-v4-pkts.patch new file mode 100644 index 00000000000..1c9f65b12ec --- /dev/null +++ b/queue-4.16/ipv6-sr-fix-null-pointer-dereference-in-seg6_do_srh_encap-v4-pkts.patch @@ -0,0 +1,95 @@ +From foo@baz Thu Apr 26 20:46:44 CEST 2018 +From: Ahmed Abdelsalam +Date: Fri, 20 Apr 2018 15:58:05 +0200 +Subject: ipv6: sr: fix NULL pointer dereference in seg6_do_srh_encap()- v4 pkts + +From: Ahmed Abdelsalam + + +[ Upstream commit a957fa190aa9d9168b33d460a5241a6d088c6265 ] + +In case of seg6 in encap mode, seg6_do_srh_encap() calls set_tun_src() +in order to set the src addr of outer IPv6 header. + +The net_device is required for set_tun_src(). However calling ip6_dst_idev() +on dst_entry in case of IPv4 traffic results on the following bug. + +Using just dst->dev should fix this BUG. + +[ 196.242461] BUG: unable to handle kernel NULL pointer dereference at 0000000000000000 +[ 196.242975] PGD 800000010f076067 P4D 800000010f076067 PUD 10f060067 PMD 0 +[ 196.243329] Oops: 0000 [#1] SMP PTI +[ 196.243468] Modules linked in: nfsd auth_rpcgss nfs_acl nfs lockd grace fscache sunrpc crct10dif_pclmul crc32_pclmul ghash_clmulni_intel pcbc aesni_intel aes_x86_64 crypto_simd cryptd input_leds glue_helper led_class pcspkr serio_raw mac_hid video autofs4 hid_generic usbhid hid e1000 i2c_piix4 ahci pata_acpi libahci +[ 196.244362] CPU: 2 PID: 1089 Comm: ping Not tainted 4.16.0+ #1 +[ 196.244606] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006 +[ 196.244968] RIP: 0010:seg6_do_srh_encap+0x1ac/0x300 +[ 196.245236] RSP: 0018:ffffb2ce00b23a60 EFLAGS: 00010202 +[ 196.245464] RAX: 0000000000000000 RBX: ffff8c7f53eea300 RCX: 0000000000000000 +[ 196.245742] RDX: 0000f10000000000 RSI: ffff8c7f52085a6c RDI: ffff8c7f41166850 +[ 196.246018] RBP: ffffb2ce00b23aa8 R08: 00000000000261e0 R09: ffff8c7f41166800 +[ 196.246294] R10: ffffdce5040ac780 R11: ffff8c7f41166828 R12: ffff8c7f41166808 +[ 196.246570] R13: ffff8c7f52085a44 R14: ffffffffb73211c0 R15: ffff8c7e69e44200 +[ 196.246846] FS: 00007fc448789700(0000) GS:ffff8c7f59d00000(0000) knlGS:0000000000000000 +[ 196.247286] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 196.247526] CR2: 0000000000000000 CR3: 000000010f05a000 CR4: 00000000000406e0 +[ 196.247804] Call Trace: +[ 196.247972] seg6_do_srh+0x15b/0x1c0 +[ 196.248156] seg6_output+0x3c/0x220 +[ 196.248341] ? prandom_u32+0x14/0x20 +[ 196.248526] ? ip_idents_reserve+0x6c/0x80 +[ 196.248723] ? __ip_select_ident+0x90/0x100 +[ 196.248923] ? ip_append_data.part.50+0x6c/0xd0 +[ 196.249133] lwtunnel_output+0x44/0x70 +[ 196.249328] ip_send_skb+0x15/0x40 +[ 196.249515] raw_sendmsg+0x8c3/0xac0 +[ 196.249701] ? _copy_from_user+0x2e/0x60 +[ 196.249897] ? rw_copy_check_uvector+0x53/0x110 +[ 196.250106] ? _copy_from_user+0x2e/0x60 +[ 196.250299] ? copy_msghdr_from_user+0xce/0x140 +[ 196.250508] sock_sendmsg+0x36/0x40 +[ 196.250690] ___sys_sendmsg+0x292/0x2a0 +[ 196.250881] ? _cond_resched+0x15/0x30 +[ 196.251074] ? copy_termios+0x1e/0x70 +[ 196.251261] ? _copy_to_user+0x22/0x30 +[ 196.251575] ? tty_mode_ioctl+0x1c3/0x4e0 +[ 196.251782] ? _cond_resched+0x15/0x30 +[ 196.251972] ? mutex_lock+0xe/0x30 +[ 196.252152] ? vvar_fault+0xd2/0x110 +[ 196.252337] ? __do_fault+0x1f/0xc0 +[ 196.252521] ? __handle_mm_fault+0xc1f/0x12d0 +[ 196.252727] ? __sys_sendmsg+0x63/0xa0 +[ 196.252919] __sys_sendmsg+0x63/0xa0 +[ 196.253107] do_syscall_64+0x72/0x200 +[ 196.253305] entry_SYSCALL_64_after_hwframe+0x3d/0xa2 +[ 196.253530] RIP: 0033:0x7fc4480b0690 +[ 196.253715] RSP: 002b:00007ffde9f252f8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e +[ 196.254053] RAX: ffffffffffffffda RBX: 0000000000000040 RCX: 00007fc4480b0690 +[ 196.254331] RDX: 0000000000000000 RSI: 000000000060a360 RDI: 0000000000000003 +[ 196.254608] RBP: 00007ffde9f253f0 R08: 00000000002d1e81 R09: 0000000000000002 +[ 196.254884] R10: 00007ffde9f250c0 R11: 0000000000000246 R12: 0000000000b22070 +[ 196.255205] R13: 20c49ba5e353f7cf R14: 431bde82d7b634db R15: 00007ffde9f278fe +[ 196.255484] Code: a5 0f b6 45 c0 41 88 41 28 41 0f b6 41 2c 48 c1 e0 04 49 8b 54 01 38 49 8b 44 01 30 49 89 51 20 49 89 41 18 48 8b 83 b0 00 00 00 <48> 8b 30 49 8b 86 08 0b 00 00 48 8b 40 20 48 8b 50 08 48 0b 10 +[ 196.256190] RIP: seg6_do_srh_encap+0x1ac/0x300 RSP: ffffb2ce00b23a60 +[ 196.256445] CR2: 0000000000000000 +[ 196.256676] ---[ end trace 71af7d093603885c ]--- + +Fixes: 8936ef7604c11 ("ipv6: sr: fix NULL pointer dereference when setting encap source address") +Signed-off-by: Ahmed Abdelsalam +Acked-by: David Lebrun +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/seg6_iptunnel.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/ipv6/seg6_iptunnel.c ++++ b/net/ipv6/seg6_iptunnel.c +@@ -136,7 +136,7 @@ int seg6_do_srh_encap(struct sk_buff *sk + isrh->nexthdr = proto; + + hdr->daddr = isrh->segments[isrh->first_segment]; +- set_tun_src(net, ip6_dst_idev(dst)->dev, &hdr->daddr, &hdr->saddr); ++ set_tun_src(net, dst->dev, &hdr->daddr, &hdr->saddr); + + #ifdef CONFIG_IPV6_SEG6_HMAC + if (sr_has_hmac(isrh)) { diff --git a/queue-4.16/keys-dns-limit-the-length-of-option-strings.patch b/queue-4.16/keys-dns-limit-the-length-of-option-strings.patch new file mode 100644 index 00000000000..fbb444237ed --- /dev/null +++ b/queue-4.16/keys-dns-limit-the-length-of-option-strings.patch @@ -0,0 +1,68 @@ +From foo@baz Thu Apr 26 20:46:44 CEST 2018 +From: Eric Biggers +Date: Tue, 17 Apr 2018 12:07:06 -0700 +Subject: KEYS: DNS: limit the length of option strings + +From: Eric Biggers + + +[ Upstream commit 9c438d7a3a52dcc2b9ed095cb87d3a5e83cf7e60 ] + +Adding a dns_resolver key whose payload contains a very long option name +resulted in that string being printed in full. This hit the WARN_ONCE() +in set_precision() during the printk(), because printk() only supports a +precision of up to 32767 bytes: + + precision 1000000 too large + WARNING: CPU: 0 PID: 752 at lib/vsprintf.c:2189 vsnprintf+0x4bc/0x5b0 + +Fix it by limiting option strings (combined name + value) to a much more +reasonable 128 bytes. The exact limit is arbitrary, but currently the +only recognized option is formatted as "dnserror=%lu" which fits well +within this limit. + +Also ratelimit the printks. + +Reproducer: + + perl -e 'print "#", "A" x 1000000, "\x00"' | keyctl padd dns_resolver desc @s + +This bug was found using syzkaller. + +Reported-by: Mark Rutland +Fixes: 4a2d789267e0 ("DNS: If the DNS server returns an error, allow that to be cached [ver #2]") +Signed-off-by: Eric Biggers +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/dns_resolver/dns_key.c | 12 +++++------- + 1 file changed, 5 insertions(+), 7 deletions(-) + +--- a/net/dns_resolver/dns_key.c ++++ b/net/dns_resolver/dns_key.c +@@ -91,9 +91,9 @@ dns_resolver_preparse(struct key_prepars + + next_opt = memchr(opt, '#', end - opt) ?: end; + opt_len = next_opt - opt; +- if (!opt_len) { +- printk(KERN_WARNING +- "Empty option to dns_resolver key\n"); ++ if (opt_len <= 0 || opt_len > 128) { ++ pr_warn_ratelimited("Invalid option length (%d) for dns_resolver key\n", ++ opt_len); + return -EINVAL; + } + +@@ -127,10 +127,8 @@ dns_resolver_preparse(struct key_prepars + } + + bad_option_value: +- printk(KERN_WARNING +- "Option '%*.*s' to dns_resolver key:" +- " bad/missing value\n", +- opt_nlen, opt_nlen, opt); ++ pr_warn_ratelimited("Option '%*.*s' to dns_resolver key: bad/missing value\n", ++ opt_nlen, opt_nlen, opt); + return -EINVAL; + } while (opt = next_opt + 1, opt < end); + } diff --git a/queue-4.16/l2tp-check-sockaddr-length-in-pppol2tp_connect.patch b/queue-4.16/l2tp-check-sockaddr-length-in-pppol2tp_connect.patch new file mode 100644 index 00000000000..18754080cf6 --- /dev/null +++ b/queue-4.16/l2tp-check-sockaddr-length-in-pppol2tp_connect.patch @@ -0,0 +1,38 @@ +From foo@baz Thu Apr 26 20:46:44 CEST 2018 +From: Guillaume Nault +Date: Mon, 23 Apr 2018 16:15:14 +0200 +Subject: l2tp: check sockaddr length in pppol2tp_connect() + +From: Guillaume Nault + + +[ Upstream commit eb1c28c05894a4b1f6b56c5bf072205e64cfa280 ] + +Check sockaddr_len before dereferencing sp->sa_protocol, to ensure that +it actually points to valid data. + +Fixes: fd558d186df2 ("l2tp: Split pppol2tp patch into separate l2tp and ppp parts") +Reported-by: syzbot+a70ac890b23b1bf29f5c@syzkaller.appspotmail.com +Signed-off-by: Guillaume Nault +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/l2tp/l2tp_ppp.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/net/l2tp/l2tp_ppp.c ++++ b/net/l2tp/l2tp_ppp.c +@@ -619,6 +619,13 @@ static int pppol2tp_connect(struct socke + lock_sock(sk); + + error = -EINVAL; ++ ++ if (sockaddr_len != sizeof(struct sockaddr_pppol2tp) && ++ sockaddr_len != sizeof(struct sockaddr_pppol2tpv3) && ++ sockaddr_len != sizeof(struct sockaddr_pppol2tpin6) && ++ sockaddr_len != sizeof(struct sockaddr_pppol2tpv3in6)) ++ goto end; ++ + if (sp->sa_protocol != PX_PROTO_OL2TP) + goto end; + diff --git a/queue-4.16/l2tp-fix-pppol2tp-l2tp_dfs-_seq_stop-in-case-of-seq_file-overflow.patch b/queue-4.16/l2tp-fix-pppol2tp-l2tp_dfs-_seq_stop-in-case-of-seq_file-overflow.patch new file mode 100644 index 00000000000..25e3cf91468 --- /dev/null +++ b/queue-4.16/l2tp-fix-pppol2tp-l2tp_dfs-_seq_stop-in-case-of-seq_file-overflow.patch @@ -0,0 +1,64 @@ +From foo@baz Thu Apr 26 20:46:44 CEST 2018 +From: Guillaume Nault +Date: Thu, 19 Apr 2018 16:20:48 +0200 +Subject: l2tp: fix {pppol2tp, l2tp_dfs}_seq_stop() in case of seq_file overflow + +From: Guillaume Nault + + +[ Upstream commit 5411b6187adf62909e3b998ac782e722904c7487 ] + +Commit 0e0c3fee3a59 ("l2tp: hold reference on tunnels printed in pppol2tp proc file") +assumed that if pppol2tp_seq_stop() was called with non-NULL private +data (the 'v' pointer), then pppol2tp_seq_start() would not be called +again. It turns out that this isn't guaranteed, and overflowing the +seq_file's buffer in pppol2tp_seq_show() is a way to get into this +situation. + +Therefore, pppol2tp_seq_stop() needs to reset pd->tunnel, so that +pppol2tp_seq_start() won't drop a reference again if it gets called. +We also have to clear pd->session, because the rest of the code expects +a non-NULL tunnel when pd->session is set. + +The l2tp_debugfs module has the same issue. Fix it in the same way. + +Fixes: 0e0c3fee3a59 ("l2tp: hold reference on tunnels printed in pppol2tp proc file") +Fixes: f726214d9b23 ("l2tp: hold reference on tunnels printed in l2tp/tunnels debugfs file") +Signed-off-by: Guillaume Nault +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/l2tp/l2tp_debugfs.c | 5 ++++- + net/l2tp/l2tp_ppp.c | 5 ++++- + 2 files changed, 8 insertions(+), 2 deletions(-) + +--- a/net/l2tp/l2tp_debugfs.c ++++ b/net/l2tp/l2tp_debugfs.c +@@ -106,8 +106,11 @@ static void l2tp_dfs_seq_stop(struct seq + return; + + /* Drop reference taken by last invocation of l2tp_dfs_next_tunnel() */ +- if (pd->tunnel) ++ if (pd->tunnel) { + l2tp_tunnel_dec_refcount(pd->tunnel); ++ pd->tunnel = NULL; ++ pd->session = NULL; ++ } + } + + static void l2tp_dfs_seq_tunnel_show(struct seq_file *m, void *v) +--- a/net/l2tp/l2tp_ppp.c ++++ b/net/l2tp/l2tp_ppp.c +@@ -1626,8 +1626,11 @@ static void pppol2tp_seq_stop(struct seq + return; + + /* Drop reference taken by last invocation of pppol2tp_next_tunnel() */ +- if (pd->tunnel) ++ if (pd->tunnel) { + l2tp_tunnel_dec_refcount(pd->tunnel); ++ pd->tunnel = NULL; ++ pd->session = NULL; ++ } + } + + static void pppol2tp_seq_tunnel_show(struct seq_file *m, void *v) diff --git a/queue-4.16/l2tp-hold-reference-on-tunnels-in-netlink-dumps.patch b/queue-4.16/l2tp-hold-reference-on-tunnels-in-netlink-dumps.patch new file mode 100644 index 00000000000..040c93dc20c --- /dev/null +++ b/queue-4.16/l2tp-hold-reference-on-tunnels-in-netlink-dumps.patch @@ -0,0 +1,116 @@ +From foo@baz Thu Apr 26 20:46:44 CEST 2018 +From: Guillaume Nault +Date: Thu, 12 Apr 2018 20:50:33 +0200 +Subject: l2tp: hold reference on tunnels in netlink dumps + +From: Guillaume Nault + + +[ Upstream commit 5846c131c39b6d0add36ec19dc8650700690f930 ] + +l2tp_tunnel_find_nth() is unsafe: no reference is held on the returned +tunnel, therefore it can be freed whenever the caller uses it. +This patch defines l2tp_tunnel_get_nth() which works similarly, but +also takes a reference on the returned tunnel. The caller then has to +drop it after it stops using the tunnel. + +Convert netlink dumps to make them safe against concurrent tunnel +deletion. + +Fixes: 309795f4bec2 ("l2tp: Add netlink control API for L2TP") +Signed-off-by: Guillaume Nault +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/l2tp/l2tp_core.c | 20 ++++++++++++++++++++ + net/l2tp/l2tp_core.h | 2 ++ + net/l2tp/l2tp_netlink.c | 11 ++++++++--- + 3 files changed, 30 insertions(+), 3 deletions(-) + +--- a/net/l2tp/l2tp_core.c ++++ b/net/l2tp/l2tp_core.c +@@ -183,6 +183,26 @@ struct l2tp_tunnel *l2tp_tunnel_get(cons + } + EXPORT_SYMBOL_GPL(l2tp_tunnel_get); + ++struct l2tp_tunnel *l2tp_tunnel_get_nth(const struct net *net, int nth) ++{ ++ const struct l2tp_net *pn = l2tp_pernet(net); ++ struct l2tp_tunnel *tunnel; ++ int count = 0; ++ ++ rcu_read_lock_bh(); ++ list_for_each_entry_rcu(tunnel, &pn->l2tp_tunnel_list, list) { ++ if (++count > nth) { ++ l2tp_tunnel_inc_refcount(tunnel); ++ rcu_read_unlock_bh(); ++ return tunnel; ++ } ++ } ++ rcu_read_unlock_bh(); ++ ++ return NULL; ++} ++EXPORT_SYMBOL_GPL(l2tp_tunnel_get_nth); ++ + /* Lookup a session. A new reference is held on the returned session. */ + struct l2tp_session *l2tp_session_get(const struct net *net, + struct l2tp_tunnel *tunnel, +--- a/net/l2tp/l2tp_core.h ++++ b/net/l2tp/l2tp_core.h +@@ -212,6 +212,8 @@ static inline void *l2tp_session_priv(st + } + + struct l2tp_tunnel *l2tp_tunnel_get(const struct net *net, u32 tunnel_id); ++struct l2tp_tunnel *l2tp_tunnel_get_nth(const struct net *net, int nth); ++ + void l2tp_tunnel_free(struct l2tp_tunnel *tunnel); + + struct l2tp_session *l2tp_session_get(const struct net *net, +--- a/net/l2tp/l2tp_netlink.c ++++ b/net/l2tp/l2tp_netlink.c +@@ -487,14 +487,17 @@ static int l2tp_nl_cmd_tunnel_dump(struc + struct net *net = sock_net(skb->sk); + + for (;;) { +- tunnel = l2tp_tunnel_find_nth(net, ti); ++ tunnel = l2tp_tunnel_get_nth(net, ti); + if (tunnel == NULL) + goto out; + + if (l2tp_nl_tunnel_send(skb, NETLINK_CB(cb->skb).portid, + cb->nlh->nlmsg_seq, NLM_F_MULTI, +- tunnel, L2TP_CMD_TUNNEL_GET) < 0) ++ tunnel, L2TP_CMD_TUNNEL_GET) < 0) { ++ l2tp_tunnel_dec_refcount(tunnel); + goto out; ++ } ++ l2tp_tunnel_dec_refcount(tunnel); + + ti++; + } +@@ -848,7 +851,7 @@ static int l2tp_nl_cmd_session_dump(stru + + for (;;) { + if (tunnel == NULL) { +- tunnel = l2tp_tunnel_find_nth(net, ti); ++ tunnel = l2tp_tunnel_get_nth(net, ti); + if (tunnel == NULL) + goto out; + } +@@ -856,6 +859,7 @@ static int l2tp_nl_cmd_session_dump(stru + session = l2tp_session_get_nth(tunnel, si); + if (session == NULL) { + ti++; ++ l2tp_tunnel_dec_refcount(tunnel); + tunnel = NULL; + si = 0; + continue; +@@ -865,6 +869,7 @@ static int l2tp_nl_cmd_session_dump(stru + cb->nlh->nlmsg_seq, NLM_F_MULTI, + session, L2TP_CMD_SESSION_GET) < 0) { + l2tp_session_dec_refcount(session); ++ l2tp_tunnel_dec_refcount(tunnel); + break; + } + l2tp_session_dec_refcount(session); diff --git a/queue-4.16/l2tp-hold-reference-on-tunnels-printed-in-l2tp-tunnels-debugfs-file.patch b/queue-4.16/l2tp-hold-reference-on-tunnels-printed-in-l2tp-tunnels-debugfs-file.patch new file mode 100644 index 00000000000..c692977c373 --- /dev/null +++ b/queue-4.16/l2tp-hold-reference-on-tunnels-printed-in-l2tp-tunnels-debugfs-file.patch @@ -0,0 +1,100 @@ +From foo@baz Thu Apr 26 20:46:44 CEST 2018 +From: Guillaume Nault +Date: Thu, 12 Apr 2018 20:50:35 +0200 +Subject: l2tp: hold reference on tunnels printed in l2tp/tunnels debugfs file + +From: Guillaume Nault + + +[ Upstream commit f726214d9b23e5fce8c11937577a289a3202498f ] + +Use l2tp_tunnel_get_nth() instead of l2tp_tunnel_find_nth(), to be safe +against concurrent tunnel deletion. + +Use the same mechanism as in l2tp_ppp.c for dropping the reference +taken by l2tp_tunnel_get_nth(). That is, drop the reference just +before looking up the next tunnel. In case of error, drop the last +accessed tunnel in l2tp_dfs_seq_stop(). + +That was the last use of l2tp_tunnel_find_nth(). + +Fixes: 0ad6614048cf ("l2tp: Add debugfs files for dumping l2tp debug info") +Signed-off-by: Guillaume Nault +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/l2tp/l2tp_core.c | 20 -------------------- + net/l2tp/l2tp_core.h | 1 - + net/l2tp/l2tp_debugfs.c | 15 +++++++++++++-- + 3 files changed, 13 insertions(+), 23 deletions(-) + +--- a/net/l2tp/l2tp_core.c ++++ b/net/l2tp/l2tp_core.c +@@ -355,26 +355,6 @@ err_tlock: + } + EXPORT_SYMBOL_GPL(l2tp_session_register); + +-struct l2tp_tunnel *l2tp_tunnel_find_nth(const struct net *net, int nth) +-{ +- struct l2tp_net *pn = l2tp_pernet(net); +- struct l2tp_tunnel *tunnel; +- int count = 0; +- +- rcu_read_lock_bh(); +- list_for_each_entry_rcu(tunnel, &pn->l2tp_tunnel_list, list) { +- if (++count > nth) { +- rcu_read_unlock_bh(); +- return tunnel; +- } +- } +- +- rcu_read_unlock_bh(); +- +- return NULL; +-} +-EXPORT_SYMBOL_GPL(l2tp_tunnel_find_nth); +- + /***************************************************************************** + * Receive data handling + *****************************************************************************/ +--- a/net/l2tp/l2tp_core.h ++++ b/net/l2tp/l2tp_core.h +@@ -222,7 +222,6 @@ struct l2tp_session *l2tp_session_get(co + struct l2tp_session *l2tp_session_get_nth(struct l2tp_tunnel *tunnel, int nth); + struct l2tp_session *l2tp_session_get_by_ifname(const struct net *net, + const char *ifname); +-struct l2tp_tunnel *l2tp_tunnel_find_nth(const struct net *net, int nth); + + int l2tp_tunnel_create(struct net *net, int fd, int version, u32 tunnel_id, + u32 peer_tunnel_id, struct l2tp_tunnel_cfg *cfg, +--- a/net/l2tp/l2tp_debugfs.c ++++ b/net/l2tp/l2tp_debugfs.c +@@ -47,7 +47,11 @@ struct l2tp_dfs_seq_data { + + static void l2tp_dfs_next_tunnel(struct l2tp_dfs_seq_data *pd) + { +- pd->tunnel = l2tp_tunnel_find_nth(pd->net, pd->tunnel_idx); ++ /* Drop reference taken during previous invocation */ ++ if (pd->tunnel) ++ l2tp_tunnel_dec_refcount(pd->tunnel); ++ ++ pd->tunnel = l2tp_tunnel_get_nth(pd->net, pd->tunnel_idx); + pd->tunnel_idx++; + } + +@@ -96,7 +100,14 @@ static void *l2tp_dfs_seq_next(struct se + + static void l2tp_dfs_seq_stop(struct seq_file *p, void *v) + { +- /* nothing to do */ ++ struct l2tp_dfs_seq_data *pd = v; ++ ++ if (!pd || pd == SEQ_START_TOKEN) ++ return; ++ ++ /* Drop reference taken by last invocation of l2tp_dfs_next_tunnel() */ ++ if (pd->tunnel) ++ l2tp_tunnel_dec_refcount(pd->tunnel); + } + + static void l2tp_dfs_seq_tunnel_show(struct seq_file *m, void *v) diff --git a/queue-4.16/l2tp-hold-reference-on-tunnels-printed-in-pppol2tp-proc-file.patch b/queue-4.16/l2tp-hold-reference-on-tunnels-printed-in-pppol2tp-proc-file.patch new file mode 100644 index 00000000000..6d187dd4b46 --- /dev/null +++ b/queue-4.16/l2tp-hold-reference-on-tunnels-printed-in-pppol2tp-proc-file.patch @@ -0,0 +1,77 @@ +From foo@baz Thu Apr 26 20:46:44 CEST 2018 +From: Guillaume Nault +Date: Thu, 12 Apr 2018 20:50:34 +0200 +Subject: l2tp: hold reference on tunnels printed in pppol2tp proc file + +From: Guillaume Nault + + +[ Upstream commit 0e0c3fee3a59a387aeecc4fca6f3a2e9615a5443 ] + +Use l2tp_tunnel_get_nth() instead of l2tp_tunnel_find_nth(), to be safe +against concurrent tunnel deletion. + +Unlike sessions, we can't drop the reference held on tunnels in +pppol2tp_seq_show(). Tunnels are reused across several calls to +pppol2tp_seq_start() when iterating over sessions. These iterations +need the tunnel for accessing the next session. Therefore the only safe +moment for dropping the reference is just before searching for the next +tunnel. + +Normally, the last invocation of pppol2tp_next_tunnel() doesn't find +any new tunnel, so it drops the last tunnel without taking any new +reference. However, in case of error, pppol2tp_seq_stop() is called +directly, so we have to drop the reference there. + +Fixes: fd558d186df2 ("l2tp: Split pppol2tp patch into separate l2tp and ppp parts") +Signed-off-by: Guillaume Nault +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/l2tp/l2tp_ppp.c | 24 +++++++++++++++++------- + 1 file changed, 17 insertions(+), 7 deletions(-) + +--- a/net/l2tp/l2tp_ppp.c ++++ b/net/l2tp/l2tp_ppp.c +@@ -1559,16 +1559,19 @@ struct pppol2tp_seq_data { + + static void pppol2tp_next_tunnel(struct net *net, struct pppol2tp_seq_data *pd) + { ++ /* Drop reference taken during previous invocation */ ++ if (pd->tunnel) ++ l2tp_tunnel_dec_refcount(pd->tunnel); ++ + for (;;) { +- pd->tunnel = l2tp_tunnel_find_nth(net, pd->tunnel_idx); ++ pd->tunnel = l2tp_tunnel_get_nth(net, pd->tunnel_idx); + pd->tunnel_idx++; + +- if (pd->tunnel == NULL) +- break; ++ /* Only accept L2TPv2 tunnels */ ++ if (!pd->tunnel || pd->tunnel->version == 2) ++ return; + +- /* Ignore L2TPv3 tunnels */ +- if (pd->tunnel->version < 3) +- break; ++ l2tp_tunnel_dec_refcount(pd->tunnel); + } + } + +@@ -1617,7 +1620,14 @@ static void *pppol2tp_seq_next(struct se + + static void pppol2tp_seq_stop(struct seq_file *p, void *v) + { +- /* nothing to do */ ++ struct pppol2tp_seq_data *pd = v; ++ ++ if (!pd || pd == SEQ_START_TOKEN) ++ return; ++ ++ /* Drop reference taken by last invocation of pppol2tp_next_tunnel() */ ++ if (pd->tunnel) ++ l2tp_tunnel_dec_refcount(pd->tunnel); + } + + static void pppol2tp_seq_tunnel_show(struct seq_file *m, void *v) diff --git a/queue-4.16/llc-delete-timers-synchronously-in-llc_sk_free.patch b/queue-4.16/llc-delete-timers-synchronously-in-llc_sk_free.patch new file mode 100644 index 00000000000..08e4f6efe2f --- /dev/null +++ b/queue-4.16/llc-delete-timers-synchronously-in-llc_sk_free.patch @@ -0,0 +1,98 @@ +From foo@baz Thu Apr 26 20:46:44 CEST 2018 +From: Cong Wang +Date: Thu, 19 Apr 2018 12:25:38 -0700 +Subject: llc: delete timers synchronously in llc_sk_free() + +From: Cong Wang + + +[ Upstream commit b905ef9ab90115d001c1658259af4b1c65088779 ] + +The connection timers of an llc sock could be still flying +after we delete them in llc_sk_free(), and even possibly +after we free the sock. We could just wait synchronously +here in case of troubles. + +Note, I leave other call paths as they are, since they may +not have to wait, at least we can change them to synchronously +when needed. + +Also, move the code to net/llc/llc_conn.c, which is apparently +a better place. + +Reported-by: +Signed-off-by: Cong Wang +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/net/llc_conn.h | 1 + + net/llc/llc_c_ac.c | 9 +-------- + net/llc/llc_conn.c | 22 +++++++++++++++++++++- + 3 files changed, 23 insertions(+), 9 deletions(-) + +--- a/include/net/llc_conn.h ++++ b/include/net/llc_conn.h +@@ -97,6 +97,7 @@ static __inline__ char llc_backlog_type( + + struct sock *llc_sk_alloc(struct net *net, int family, gfp_t priority, + struct proto *prot, int kern); ++void llc_sk_stop_all_timers(struct sock *sk, bool sync); + void llc_sk_free(struct sock *sk); + + void llc_sk_reset(struct sock *sk); +--- a/net/llc/llc_c_ac.c ++++ b/net/llc/llc_c_ac.c +@@ -1099,14 +1099,7 @@ int llc_conn_ac_inc_tx_win_size(struct s + + int llc_conn_ac_stop_all_timers(struct sock *sk, struct sk_buff *skb) + { +- struct llc_sock *llc = llc_sk(sk); +- +- del_timer(&llc->pf_cycle_timer.timer); +- del_timer(&llc->ack_timer.timer); +- del_timer(&llc->rej_sent_timer.timer); +- del_timer(&llc->busy_state_timer.timer); +- llc->ack_must_be_send = 0; +- llc->ack_pf = 0; ++ llc_sk_stop_all_timers(sk, false); + return 0; + } + +--- a/net/llc/llc_conn.c ++++ b/net/llc/llc_conn.c +@@ -961,6 +961,26 @@ out: + return sk; + } + ++void llc_sk_stop_all_timers(struct sock *sk, bool sync) ++{ ++ struct llc_sock *llc = llc_sk(sk); ++ ++ if (sync) { ++ del_timer_sync(&llc->pf_cycle_timer.timer); ++ del_timer_sync(&llc->ack_timer.timer); ++ del_timer_sync(&llc->rej_sent_timer.timer); ++ del_timer_sync(&llc->busy_state_timer.timer); ++ } else { ++ del_timer(&llc->pf_cycle_timer.timer); ++ del_timer(&llc->ack_timer.timer); ++ del_timer(&llc->rej_sent_timer.timer); ++ del_timer(&llc->busy_state_timer.timer); ++ } ++ ++ llc->ack_must_be_send = 0; ++ llc->ack_pf = 0; ++} ++ + /** + * llc_sk_free - Frees a LLC socket + * @sk - socket to free +@@ -973,7 +993,7 @@ void llc_sk_free(struct sock *sk) + + llc->state = LLC_CONN_OUT_OF_SVC; + /* Stop all (possibly) running timers */ +- llc_conn_ac_stop_all_timers(sk, NULL); ++ llc_sk_stop_all_timers(sk, true); + #ifdef DEBUG_LLC_CONN_ALLOC + printk(KERN_INFO "%s: unackq=%d, txq=%d\n", __func__, + skb_queue_len(&llc->pdu_unack_q), diff --git a/queue-4.16/llc-fix-null-pointer-deref-for-sock_zapped.patch b/queue-4.16/llc-fix-null-pointer-deref-for-sock_zapped.patch new file mode 100644 index 00000000000..0bee491e43d --- /dev/null +++ b/queue-4.16/llc-fix-null-pointer-deref-for-sock_zapped.patch @@ -0,0 +1,60 @@ +From foo@baz Thu Apr 26 20:46:44 CEST 2018 +From: Cong Wang +Date: Thu, 19 Apr 2018 21:54:34 -0700 +Subject: llc: fix NULL pointer deref for SOCK_ZAPPED + +From: Cong Wang + + +[ Upstream commit 3a04ce7130a7e5dad4e78d45d50313747f8c830f ] + +For SOCK_ZAPPED socket, we don't need to care about llc->sap, +so we should just skip these refcount functions in this case. + +Fixes: f7e43672683b ("llc: hold llc_sap before release_sock()") +Reported-by: kernel test robot +Signed-off-by: Cong Wang +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/llc/af_llc.c | 21 ++++++++++++--------- + 1 file changed, 12 insertions(+), 9 deletions(-) + +--- a/net/llc/af_llc.c ++++ b/net/llc/af_llc.c +@@ -189,7 +189,6 @@ static int llc_ui_release(struct socket + { + struct sock *sk = sock->sk; + struct llc_sock *llc; +- struct llc_sap *sap; + + if (unlikely(sk == NULL)) + goto out; +@@ -200,15 +199,19 @@ static int llc_ui_release(struct socket + llc->laddr.lsap, llc->daddr.lsap); + if (!llc_send_disc(sk)) + llc_ui_wait_for_disc(sk, sk->sk_rcvtimeo); +- sap = llc->sap; +- /* Hold this for release_sock(), so that llc_backlog_rcv() could still +- * use it. +- */ +- llc_sap_hold(sap); +- if (!sock_flag(sk, SOCK_ZAPPED)) ++ if (!sock_flag(sk, SOCK_ZAPPED)) { ++ struct llc_sap *sap = llc->sap; ++ ++ /* Hold this for release_sock(), so that llc_backlog_rcv() ++ * could still use it. ++ */ ++ llc_sap_hold(sap); + llc_sap_remove_socket(llc->sap, sk); +- release_sock(sk); +- llc_sap_put(sap); ++ release_sock(sk); ++ llc_sap_put(sap); ++ } else { ++ release_sock(sk); ++ } + if (llc->dev) + dev_put(llc->dev); + sock_put(sk); diff --git a/queue-4.16/llc-hold-llc_sap-before-release_sock.patch b/queue-4.16/llc-hold-llc_sap-before-release_sock.patch new file mode 100644 index 00000000000..c18cf499009 --- /dev/null +++ b/queue-4.16/llc-hold-llc_sap-before-release_sock.patch @@ -0,0 +1,68 @@ +From foo@baz Thu Apr 26 20:46:44 CEST 2018 +From: Cong Wang +Date: Wed, 18 Apr 2018 11:51:56 -0700 +Subject: llc: hold llc_sap before release_sock() + +From: Cong Wang + + +[ Upstream commit f7e43672683b097bb074a8fe7af9bc600a23f231 ] + +syzbot reported we still access llc->sap in llc_backlog_rcv() +after it is freed in llc_sap_remove_socket(): + +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0x1b9/0x294 lib/dump_stack.c:113 + print_address_description+0x6c/0x20b mm/kasan/report.c:256 + kasan_report_error mm/kasan/report.c:354 [inline] + kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412 + __asan_report_load1_noabort+0x14/0x20 mm/kasan/report.c:430 + llc_conn_ac_send_sabme_cmd_p_set_x+0x3a8/0x460 net/llc/llc_c_ac.c:785 + llc_exec_conn_trans_actions net/llc/llc_conn.c:475 [inline] + llc_conn_service net/llc/llc_conn.c:400 [inline] + llc_conn_state_process+0x4e1/0x13a0 net/llc/llc_conn.c:75 + llc_backlog_rcv+0x195/0x1e0 net/llc/llc_conn.c:891 + sk_backlog_rcv include/net/sock.h:909 [inline] + __release_sock+0x12f/0x3a0 net/core/sock.c:2335 + release_sock+0xa4/0x2b0 net/core/sock.c:2850 + llc_ui_release+0xc8/0x220 net/llc/af_llc.c:204 + +llc->sap is refcount'ed and llc_sap_remove_socket() is paired +with llc_sap_add_socket(). This can be amended by holding its refcount +before llc_sap_remove_socket() and releasing it after release_sock(). + +Reported-by: +Signed-off-by: Cong Wang +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/llc/af_llc.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/net/llc/af_llc.c ++++ b/net/llc/af_llc.c +@@ -189,6 +189,7 @@ static int llc_ui_release(struct socket + { + struct sock *sk = sock->sk; + struct llc_sock *llc; ++ struct llc_sap *sap; + + if (unlikely(sk == NULL)) + goto out; +@@ -199,9 +200,15 @@ static int llc_ui_release(struct socket + llc->laddr.lsap, llc->daddr.lsap); + if (!llc_send_disc(sk)) + llc_ui_wait_for_disc(sk, sk->sk_rcvtimeo); ++ sap = llc->sap; ++ /* Hold this for release_sock(), so that llc_backlog_rcv() could still ++ * use it. ++ */ ++ llc_sap_hold(sap); + if (!sock_flag(sk, SOCK_ZAPPED)) + llc_sap_remove_socket(llc->sap, sk); + release_sock(sk); ++ llc_sap_put(sap); + if (llc->dev) + dev_put(llc->dev); + sock_put(sk); diff --git a/queue-4.16/net-af_packet-fix-race-in-packet_-r-t-x_ring.patch b/queue-4.16/net-af_packet-fix-race-in-packet_-r-t-x_ring.patch new file mode 100644 index 00000000000..9896cd7125f --- /dev/null +++ b/queue-4.16/net-af_packet-fix-race-in-packet_-r-t-x_ring.patch @@ -0,0 +1,121 @@ +From foo@baz Thu Apr 26 20:46:44 CEST 2018 +From: Eric Dumazet +Date: Sun, 15 Apr 2018 17:52:04 -0700 +Subject: net: af_packet: fix race in PACKET_{R|T}X_RING + +From: Eric Dumazet + + +[ Upstream commit 5171b37d959641bbc619781caf62e61f7b940871 ] + +In order to remove the race caught by syzbot [1], we need +to lock the socket before using po->tp_version as this could +change under us otherwise. + +This means lock_sock() and release_sock() must be done by +packet_set_ring() callers. + +[1] : +BUG: KMSAN: uninit-value in packet_set_ring+0x1254/0x3870 net/packet/af_packet.c:4249 +CPU: 0 PID: 20195 Comm: syzkaller707632 Not tainted 4.16.0+ #83 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:17 [inline] + dump_stack+0x185/0x1d0 lib/dump_stack.c:53 + kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067 + __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:676 + packet_set_ring+0x1254/0x3870 net/packet/af_packet.c:4249 + packet_setsockopt+0x12c6/0x5a90 net/packet/af_packet.c:3662 + SYSC_setsockopt+0x4b8/0x570 net/socket.c:1849 + SyS_setsockopt+0x76/0xa0 net/socket.c:1828 + do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287 + entry_SYSCALL_64_after_hwframe+0x3d/0xa2 +RIP: 0033:0x449099 +RSP: 002b:00007f42b5307ce8 EFLAGS: 00000246 ORIG_RAX: 0000000000000036 +RAX: ffffffffffffffda RBX: 000000000070003c RCX: 0000000000449099 +RDX: 0000000000000005 RSI: 0000000000000107 RDI: 0000000000000003 +RBP: 0000000000700038 R08: 000000000000001c R09: 0000000000000000 +R10: 00000000200000c0 R11: 0000000000000246 R12: 0000000000000000 +R13: 000000000080eecf R14: 00007f42b53089c0 R15: 0000000000000001 + +Local variable description: ----req_u@packet_setsockopt +Variable was created at: + packet_setsockopt+0x13f/0x5a90 net/packet/af_packet.c:3612 + SYSC_setsockopt+0x4b8/0x570 net/socket.c:1849 + +Fixes: f6fb8f100b80 ("af-packet: TPACKET_V3 flexible buffer implementation.") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/packet/af_packet.c | 23 ++++++++++++++--------- + 1 file changed, 14 insertions(+), 9 deletions(-) + +--- a/net/packet/af_packet.c ++++ b/net/packet/af_packet.c +@@ -3008,6 +3008,7 @@ static int packet_release(struct socket + + packet_flush_mclist(sk); + ++ lock_sock(sk); + if (po->rx_ring.pg_vec) { + memset(&req_u, 0, sizeof(req_u)); + packet_set_ring(sk, &req_u, 1, 0); +@@ -3017,6 +3018,7 @@ static int packet_release(struct socket + memset(&req_u, 0, sizeof(req_u)); + packet_set_ring(sk, &req_u, 1, 1); + } ++ release_sock(sk); + + f = fanout_release(sk); + +@@ -3645,6 +3647,7 @@ packet_setsockopt(struct socket *sock, i + union tpacket_req_u req_u; + int len; + ++ lock_sock(sk); + switch (po->tp_version) { + case TPACKET_V1: + case TPACKET_V2: +@@ -3655,12 +3658,17 @@ packet_setsockopt(struct socket *sock, i + len = sizeof(req_u.req3); + break; + } +- if (optlen < len) +- return -EINVAL; +- if (copy_from_user(&req_u.req, optval, len)) +- return -EFAULT; +- return packet_set_ring(sk, &req_u, 0, +- optname == PACKET_TX_RING); ++ if (optlen < len) { ++ ret = -EINVAL; ++ } else { ++ if (copy_from_user(&req_u.req, optval, len)) ++ ret = -EFAULT; ++ else ++ ret = packet_set_ring(sk, &req_u, 0, ++ optname == PACKET_TX_RING); ++ } ++ release_sock(sk); ++ return ret; + } + case PACKET_COPY_THRESH: + { +@@ -4210,8 +4218,6 @@ static int packet_set_ring(struct sock * + /* Added to avoid minimal code churn */ + struct tpacket_req *req = &req_u->req; + +- lock_sock(sk); +- + rb = tx_ring ? &po->tx_ring : &po->rx_ring; + rb_queue = tx_ring ? &sk->sk_write_queue : &sk->sk_receive_queue; + +@@ -4349,7 +4355,6 @@ static int packet_set_ring(struct sock * + if (pg_vec) + free_pg_vec(pg_vec, order, req->tp_block_nr); + out: +- release_sock(sk); + return err; + } + diff --git a/queue-4.16/net-aquantia-oops-when-shutdown-on-already-stopped-device.patch b/queue-4.16/net-aquantia-oops-when-shutdown-on-already-stopped-device.patch new file mode 100644 index 00000000000..da7cf533db6 --- /dev/null +++ b/queue-4.16/net-aquantia-oops-when-shutdown-on-already-stopped-device.patch @@ -0,0 +1,44 @@ +From foo@baz Thu Apr 26 20:46:44 CEST 2018 +From: Igor Russkikh +Date: Wed, 11 Apr 2018 15:23:25 +0300 +Subject: net: aquantia: oops when shutdown on already stopped device + +From: Igor Russkikh + + +[ Upstream commit 9a11aff25fd43d5bd2660ababdc9f564b0ba183a ] + +In case netdev is closed at the moment of pci shutdown, aq_nic_stop +gets called second time. napi_disable in that case hangs indefinitely. +In other case, if device was never opened at all, we get oops because +of null pointer access. + +We should invoke aq_nic_stop conditionally, only if device is running +at the moment of shutdown. + +Reported-by: David Arcari +Fixes: 90869ddfefeb ("net: aquantia: Implement pci shutdown callback") +Signed-off-by: Igor Russkikh +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/aquantia/atlantic/aq_nic.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +--- a/drivers/net/ethernet/aquantia/atlantic/aq_nic.c ++++ b/drivers/net/ethernet/aquantia/atlantic/aq_nic.c +@@ -951,9 +951,11 @@ void aq_nic_shutdown(struct aq_nic_s *se + + netif_device_detach(self->ndev); + +- err = aq_nic_stop(self); +- if (err < 0) +- goto err_exit; ++ if (netif_running(self->ndev)) { ++ err = aq_nic_stop(self); ++ if (err < 0) ++ goto err_exit; ++ } + aq_nic_deinit(self); + + err_exit: diff --git a/queue-4.16/net-aquantia-regression-on-reset-with-1.x-firmware.patch b/queue-4.16/net-aquantia-regression-on-reset-with-1.x-firmware.patch new file mode 100644 index 00000000000..b5c80e30818 --- /dev/null +++ b/queue-4.16/net-aquantia-regression-on-reset-with-1.x-firmware.patch @@ -0,0 +1,70 @@ +From foo@baz Thu Apr 26 20:46:44 CEST 2018 +From: Igor Russkikh +Date: Wed, 11 Apr 2018 15:23:24 +0300 +Subject: net: aquantia: Regression on reset with 1.x firmware + +From: Igor Russkikh + + +[ Upstream commit cce96d1883dae4b79f44890e5118243d806da286 ] + +On ASUS XG-C100C with 1.5.44 firmware a special mode called "dirty wake" +is active. With this mode when motherboard gets powered (but no poweron +happens yet), NIC automatically enables powersave link and watches +for WOL packet. +This normally allows to powerup the PC after AC power failures. + +Not all motherboards or bios settings gives power to PCI slots, +so this mode is not enabled on all the hardware. + +4.16 linux driver introduced full hardware reset sequence +This is required since before that we had no NIC hardware +reset implemented and there were side effects of "not clean start". + +But this full reset is incompatible with "dirty wake" WOL feature +it keeps the PHY link in a special mode forever. As a consequence, +driver sees no link and no traffic. + +To fix this we forcibly change FW state to idle state before doing +the full reset. This makes FW to restore link state. + +Fixes: c8c82eb net: aquantia: Introduce global AQC hardware reset sequence +Signed-off-by: Igor Russkikh +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_utils.c | 16 +++++++++++ + 1 file changed, 16 insertions(+) + +--- a/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_utils.c ++++ b/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_utils.c +@@ -48,6 +48,8 @@ + #define FORCE_FLASHLESS 0 + + static int hw_atl_utils_ver_match(u32 ver_expected, u32 ver_actual); ++static int hw_atl_utils_mpi_set_state(struct aq_hw_s *self, ++ enum hal_atl_utils_fw_state_e state); + + int hw_atl_utils_initfw(struct aq_hw_s *self, const struct aq_fw_ops **fw_ops) + { +@@ -247,6 +249,20 @@ int hw_atl_utils_soft_reset(struct aq_hw + + self->rbl_enabled = (boot_exit_code != 0); + ++ /* FW 1.x may bootup in an invalid POWER state (WOL feature). ++ * We should work around this by forcing its state back to DEINIT ++ */ ++ if (!hw_atl_utils_ver_match(HW_ATL_FW_VER_1X, ++ aq_hw_read_reg(self, ++ HW_ATL_MPI_FW_VERSION))) { ++ int err = 0; ++ ++ hw_atl_utils_mpi_set_state(self, MPI_DEINIT); ++ AQ_HW_WAIT_FOR((aq_hw_read_reg(self, HW_ATL_MPI_STATE_ADR) & ++ HW_ATL_MPI_STATE_MSK) == MPI_DEINIT, ++ 10, 1000U); ++ } ++ + if (self->rbl_enabled) + return hw_atl_utils_soft_reset_rbl(self); + else diff --git a/queue-4.16/net-ethernet-ti-cpsw-fix-tx-vlan-priority-mapping.patch b/queue-4.16/net-ethernet-ti-cpsw-fix-tx-vlan-priority-mapping.patch new file mode 100644 index 00000000000..a3af2276a63 --- /dev/null +++ b/queue-4.16/net-ethernet-ti-cpsw-fix-tx-vlan-priority-mapping.patch @@ -0,0 +1,35 @@ +From foo@baz Thu Apr 26 20:46:44 CEST 2018 +From: Ivan Khoronzhuk +Date: Thu, 19 Apr 2018 22:49:09 +0300 +Subject: net: ethernet: ti: cpsw: fix tx vlan priority mapping + +From: Ivan Khoronzhuk + + +[ Upstream commit 5e391dc5a8d801a2410d0032ad4a428d1d61800c ] + +The CPDMA_TX_PRIORITY_MAP in real is vlan pcp field priority mapping +register and basically replaces vlan pcp field for tagged packets. +So, set it to be 1:1 mapping. Otherwise, it will cause unexpected +change of egress vlan tagged packets, like prio 2 -> prio 5. + +Fixes: e05107e6b747 ("net: ethernet: ti: cpsw: add multi queue support") +Reviewed-by: Grygorii Strashko +Signed-off-by: Ivan Khoronzhuk +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/ti/cpsw.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/ti/cpsw.c ++++ b/drivers/net/ethernet/ti/cpsw.c +@@ -125,7 +125,7 @@ do { \ + + #define RX_PRIORITY_MAPPING 0x76543210 + #define TX_PRIORITY_MAPPING 0x33221100 +-#define CPDMA_TX_PRIORITY_MAP 0x01234567 ++#define CPDMA_TX_PRIORITY_MAP 0x76543210 + + #define CPSW_VLAN_AWARE BIT(1) + #define CPSW_ALE_VLAN_AWARE 1 diff --git a/queue-4.16/net-fix-deadlock-while-clearing-neighbor-proxy-table.patch b/queue-4.16/net-fix-deadlock-while-clearing-neighbor-proxy-table.patch new file mode 100644 index 00000000000..5e2635600a1 --- /dev/null +++ b/queue-4.16/net-fix-deadlock-while-clearing-neighbor-proxy-table.patch @@ -0,0 +1,97 @@ +From foo@baz Thu Apr 26 20:46:44 CEST 2018 +From: Wolfgang Bumiller +Date: Thu, 12 Apr 2018 10:46:55 +0200 +Subject: net: fix deadlock while clearing neighbor proxy table + +From: Wolfgang Bumiller + + +[ Upstream commit 53b76cdf7e8fecec1d09e38aad2f8579882591a8 ] + +When coming from ndisc_netdev_event() in net/ipv6/ndisc.c, +neigh_ifdown() is called with &nd_tbl, locking this while +clearing the proxy neighbor entries when eg. deleting an +interface. Calling the table's pndisc_destructor() with the +lock still held, however, can cause a deadlock: When a +multicast listener is available an IGMP packet of type +ICMPV6_MGM_REDUCTION may be sent out. When reaching +ip6_finish_output2(), if no neighbor entry for the target +address is found, __neigh_create() is called with &nd_tbl, +which it'll want to lock. + +Move the elements into their own list, then unlock the table +and perform the destruction. + +Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=199289 +Fixes: 6fd6ce2056de ("ipv6: Do not depend on rt->n in ip6_finish_output2().") +Signed-off-by: Wolfgang Bumiller +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/core/neighbour.c | 28 ++++++++++++++++++---------- + 1 file changed, 18 insertions(+), 10 deletions(-) + +--- a/net/core/neighbour.c ++++ b/net/core/neighbour.c +@@ -55,7 +55,8 @@ static void neigh_timer_handler(struct t + static void __neigh_notify(struct neighbour *n, int type, int flags, + u32 pid); + static void neigh_update_notify(struct neighbour *neigh, u32 nlmsg_pid); +-static int pneigh_ifdown(struct neigh_table *tbl, struct net_device *dev); ++static int pneigh_ifdown_and_unlock(struct neigh_table *tbl, ++ struct net_device *dev); + + #ifdef CONFIG_PROC_FS + static const struct file_operations neigh_stat_seq_fops; +@@ -291,8 +292,7 @@ int neigh_ifdown(struct neigh_table *tbl + { + write_lock_bh(&tbl->lock); + neigh_flush_dev(tbl, dev); +- pneigh_ifdown(tbl, dev); +- write_unlock_bh(&tbl->lock); ++ pneigh_ifdown_and_unlock(tbl, dev); + + del_timer_sync(&tbl->proxy_timer); + pneigh_queue_purge(&tbl->proxy_queue); +@@ -681,9 +681,10 @@ int pneigh_delete(struct neigh_table *tb + return -ENOENT; + } + +-static int pneigh_ifdown(struct neigh_table *tbl, struct net_device *dev) ++static int pneigh_ifdown_and_unlock(struct neigh_table *tbl, ++ struct net_device *dev) + { +- struct pneigh_entry *n, **np; ++ struct pneigh_entry *n, **np, *freelist = NULL; + u32 h; + + for (h = 0; h <= PNEIGH_HASHMASK; h++) { +@@ -691,16 +692,23 @@ static int pneigh_ifdown(struct neigh_ta + while ((n = *np) != NULL) { + if (!dev || n->dev == dev) { + *np = n->next; +- if (tbl->pdestructor) +- tbl->pdestructor(n); +- if (n->dev) +- dev_put(n->dev); +- kfree(n); ++ n->next = freelist; ++ freelist = n; + continue; + } + np = &n->next; + } + } ++ write_unlock_bh(&tbl->lock); ++ while ((n = freelist)) { ++ freelist = n->next; ++ n->next = NULL; ++ if (tbl->pdestructor) ++ tbl->pdestructor(n); ++ if (n->dev) ++ dev_put(n->dev); ++ kfree(n); ++ } + return -ENOENT; + } + diff --git a/queue-4.16/net-mvpp2-fix-dma-address-mask-size.patch b/queue-4.16/net-mvpp2-fix-dma-address-mask-size.patch new file mode 100644 index 00000000000..498e918f475 --- /dev/null +++ b/queue-4.16/net-mvpp2-fix-dma-address-mask-size.patch @@ -0,0 +1,79 @@ +From foo@baz Thu Apr 26 20:46:44 CEST 2018 +From: Maxime Chevallier +Date: Wed, 18 Apr 2018 11:14:44 +0200 +Subject: net: mvpp2: Fix DMA address mask size + +From: Maxime Chevallier + + +[ Upstream commit da42bb271305d68df6cbf99eed90542f1f1ee1c9 ] + +PPv2 TX/RX descriptors uses 40bits DMA addresses, but 41 bits masks were +used (GENMASK_ULL(40, 0)). + +This commit fixes that by using the correct mask. + +Fixes: e7c5359f2eed ("net: mvpp2: introduce PPv2.2 HW descriptors and adapt accessors") +Signed-off-by: Maxime Chevallier +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/marvell/mvpp2.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +--- a/drivers/net/ethernet/marvell/mvpp2.c ++++ b/drivers/net/ethernet/marvell/mvpp2.c +@@ -838,6 +838,8 @@ enum mvpp2_bm_type { + + #define MVPP2_MIB_COUNTERS_STATS_DELAY (1 * HZ) + ++#define MVPP2_DESC_DMA_MASK DMA_BIT_MASK(40) ++ + /* Definitions */ + + /* Shared Packet Processor resources */ +@@ -1336,7 +1338,7 @@ static dma_addr_t mvpp2_txdesc_dma_addr_ + if (port->priv->hw_version == MVPP21) + return tx_desc->pp21.buf_dma_addr; + else +- return tx_desc->pp22.buf_dma_addr_ptp & GENMASK_ULL(40, 0); ++ return tx_desc->pp22.buf_dma_addr_ptp & MVPP2_DESC_DMA_MASK; + } + + static void mvpp2_txdesc_dma_addr_set(struct mvpp2_port *port, +@@ -1354,7 +1356,7 @@ static void mvpp2_txdesc_dma_addr_set(st + } else { + u64 val = (u64)addr; + +- tx_desc->pp22.buf_dma_addr_ptp &= ~GENMASK_ULL(40, 0); ++ tx_desc->pp22.buf_dma_addr_ptp &= ~MVPP2_DESC_DMA_MASK; + tx_desc->pp22.buf_dma_addr_ptp |= val; + tx_desc->pp22.packet_offset = offset; + } +@@ -1414,7 +1416,7 @@ static dma_addr_t mvpp2_rxdesc_dma_addr_ + if (port->priv->hw_version == MVPP21) + return rx_desc->pp21.buf_dma_addr; + else +- return rx_desc->pp22.buf_dma_addr_key_hash & GENMASK_ULL(40, 0); ++ return rx_desc->pp22.buf_dma_addr_key_hash & MVPP2_DESC_DMA_MASK; + } + + static unsigned long mvpp2_rxdesc_cookie_get(struct mvpp2_port *port, +@@ -1423,7 +1425,7 @@ static unsigned long mvpp2_rxdesc_cookie + if (port->priv->hw_version == MVPP21) + return rx_desc->pp21.buf_cookie; + else +- return rx_desc->pp22.buf_cookie_misc & GENMASK_ULL(40, 0); ++ return rx_desc->pp22.buf_cookie_misc & MVPP2_DESC_DMA_MASK; + } + + static size_t mvpp2_rxdesc_size_get(struct mvpp2_port *port, +@@ -8347,7 +8349,7 @@ static int mvpp2_probe(struct platform_d + } + + if (priv->hw_version == MVPP22) { +- err = dma_set_mask(&pdev->dev, DMA_BIT_MASK(40)); ++ err = dma_set_mask(&pdev->dev, MVPP2_DESC_DMA_MASK); + if (err) + goto err_mg_clk; + /* Sadly, the BM pools all share the same register to diff --git a/queue-4.16/net-qmi_wwan-add-wistron-neweb-d19q1.patch b/queue-4.16/net-qmi_wwan-add-wistron-neweb-d19q1.patch new file mode 100644 index 00000000000..0df8797af84 --- /dev/null +++ b/queue-4.16/net-qmi_wwan-add-wistron-neweb-d19q1.patch @@ -0,0 +1,62 @@ +From foo@baz Thu Apr 26 20:46:44 CEST 2018 +From: Pawel Dembicki +Date: Wed, 18 Apr 2018 16:03:24 +0200 +Subject: net: qmi_wwan: add Wistron Neweb D19Q1 + +From: Pawel Dembicki + + +[ Upstream commit 4ec7eb3ff6eb5c9af3a84288a8d808a857fbc22b ] + +This modem is embedded on dlink dwr-960 router. +The oem configuration states: + +T: Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 2 Spd=480 MxCh= 0 +D: Ver= 2.10 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 +P: Vendor=1435 ProdID=d191 Rev=ff.ff +S: Manufacturer=Android +S: Product=Android +S: SerialNumber=0123456789ABCDEF +C:* #Ifs= 6 Cfg#= 1 Atr=80 MxPwr=500mA +I:* If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none) +E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I:* If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=(none) +E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I:* If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=(none) +E: Ad=84(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I:* If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=(none) +E: Ad=86(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I:* If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan +E: Ad=88(I) Atr=03(Int.) MxPS= 8 Ivl=32ms +E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I:* If#= 5 Alt= 0 #EPs= 2 Cls=08(stor.) Sub=06 Prot=50 Driver=(none) +E: Ad=89(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=06(O) Atr=02(Bulk) MxPS= 512 Ivl=125us + +Tested on openwrt distribution + +Signed-off-by: Pawel Dembicki +Acked-by: Bjørn Mork +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/qmi_wwan.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/usb/qmi_wwan.c ++++ b/drivers/net/usb/qmi_wwan.c +@@ -1107,6 +1107,7 @@ static const struct usb_device_id produc + {QMI_FIXED_INTF(0x1435, 0xd181, 3)}, /* Wistron NeWeb D18Q1 */ + {QMI_FIXED_INTF(0x1435, 0xd181, 4)}, /* Wistron NeWeb D18Q1 */ + {QMI_FIXED_INTF(0x1435, 0xd181, 5)}, /* Wistron NeWeb D18Q1 */ ++ {QMI_FIXED_INTF(0x1435, 0xd191, 4)}, /* Wistron NeWeb D19Q1 */ + {QMI_FIXED_INTF(0x16d8, 0x6003, 0)}, /* CMOTech 6003 */ + {QMI_FIXED_INTF(0x16d8, 0x6007, 0)}, /* CMOTech CHE-628S */ + {QMI_FIXED_INTF(0x16d8, 0x6008, 0)}, /* CMOTech CMU-301 */ diff --git a/queue-4.16/net-sched-ife-check-on-metadata-length.patch b/queue-4.16/net-sched-ife-check-on-metadata-length.patch new file mode 100644 index 00000000000..2a4245017d0 --- /dev/null +++ b/queue-4.16/net-sched-ife-check-on-metadata-length.patch @@ -0,0 +1,35 @@ +From foo@baz Thu Apr 26 20:46:44 CEST 2018 +From: Alexander Aring +Date: Fri, 20 Apr 2018 15:15:05 -0400 +Subject: net: sched: ife: check on metadata length + +From: Alexander Aring + + +[ Upstream commit d57493d6d1be26c8ac8516a4463bfe24956978eb ] + +This patch checks if sk buffer is available to dererence ife header. If +not then NULL will returned to signal an malformed ife packet. This +avoids to crashing the kernel from outside. + +Signed-off-by: Alexander Aring +Reviewed-by: Yotam Gigi +Acked-by: Jamal Hadi Salim +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ife/ife.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/net/ife/ife.c ++++ b/net/ife/ife.c +@@ -69,6 +69,9 @@ void *ife_decode(struct sk_buff *skb, u1 + int total_pull; + u16 ifehdrln; + ++ if (!pskb_may_pull(skb, skb->dev->hard_header_len + IFE_METAHDRLEN)) ++ return NULL; ++ + ifehdr = (struct ifeheadr *) (skb->data + skb->dev->hard_header_len); + ifehdrln = ntohs(ifehdr->metalen); + total_pull = skb->dev->hard_header_len + ifehdrln; diff --git a/queue-4.16/net-sched-ife-handle-malformed-tlv-length.patch b/queue-4.16/net-sched-ife-handle-malformed-tlv-length.patch new file mode 100644 index 00000000000..38b24d75505 --- /dev/null +++ b/queue-4.16/net-sched-ife-handle-malformed-tlv-length.patch @@ -0,0 +1,101 @@ +From foo@baz Thu Apr 26 20:46:44 CEST 2018 +From: Alexander Aring +Date: Fri, 20 Apr 2018 15:15:04 -0400 +Subject: net: sched: ife: handle malformed tlv length + +From: Alexander Aring + + +[ Upstream commit cc74eddd0ff325d57373cea99f642b787d7f76f5 ] + +There is currently no handling to check on a invalid tlv length. This +patch adds such handling to avoid killing the kernel with a malformed +ife packet. + +Signed-off-by: Alexander Aring +Reviewed-by: Yotam Gigi +Acked-by: Jamal Hadi Salim +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/net/ife.h | 3 ++- + net/ife/ife.c | 35 +++++++++++++++++++++++++++++++++-- + net/sched/act_ife.c | 7 ++++++- + 3 files changed, 41 insertions(+), 4 deletions(-) + +--- a/include/net/ife.h ++++ b/include/net/ife.h +@@ -12,7 +12,8 @@ + void *ife_encode(struct sk_buff *skb, u16 metalen); + void *ife_decode(struct sk_buff *skb, u16 *metalen); + +-void *ife_tlv_meta_decode(void *skbdata, u16 *attrtype, u16 *dlen, u16 *totlen); ++void *ife_tlv_meta_decode(void *skbdata, const void *ifehdr_end, u16 *attrtype, ++ u16 *dlen, u16 *totlen); + int ife_tlv_meta_encode(void *skbdata, u16 attrtype, u16 dlen, + const void *dval); + +--- a/net/ife/ife.c ++++ b/net/ife/ife.c +@@ -92,12 +92,43 @@ struct meta_tlvhdr { + __be16 len; + }; + ++static bool __ife_tlv_meta_valid(const unsigned char *skbdata, ++ const unsigned char *ifehdr_end) ++{ ++ const struct meta_tlvhdr *tlv; ++ u16 tlvlen; ++ ++ if (unlikely(skbdata + sizeof(*tlv) > ifehdr_end)) ++ return false; ++ ++ tlv = (const struct meta_tlvhdr *)skbdata; ++ tlvlen = ntohs(tlv->len); ++ ++ /* tlv length field is inc header, check on minimum */ ++ if (tlvlen < NLA_HDRLEN) ++ return false; ++ ++ /* overflow by NLA_ALIGN check */ ++ if (NLA_ALIGN(tlvlen) < tlvlen) ++ return false; ++ ++ if (unlikely(skbdata + NLA_ALIGN(tlvlen) > ifehdr_end)) ++ return false; ++ ++ return true; ++} ++ + /* Caller takes care of presenting data in network order + */ +-void *ife_tlv_meta_decode(void *skbdata, u16 *attrtype, u16 *dlen, u16 *totlen) ++void *ife_tlv_meta_decode(void *skbdata, const void *ifehdr_end, u16 *attrtype, ++ u16 *dlen, u16 *totlen) + { +- struct meta_tlvhdr *tlv = (struct meta_tlvhdr *) skbdata; ++ struct meta_tlvhdr *tlv; ++ ++ if (!__ife_tlv_meta_valid(skbdata, ifehdr_end)) ++ return NULL; + ++ tlv = (struct meta_tlvhdr *)skbdata; + *dlen = ntohs(tlv->len) - NLA_HDRLEN; + *attrtype = ntohs(tlv->type); + +--- a/net/sched/act_ife.c ++++ b/net/sched/act_ife.c +@@ -682,7 +682,12 @@ static int tcf_ife_decode(struct sk_buff + u16 mtype; + u16 dlen; + +- curr_data = ife_tlv_meta_decode(tlv_data, &mtype, &dlen, NULL); ++ curr_data = ife_tlv_meta_decode(tlv_data, ifehdr_end, &mtype, ++ &dlen, NULL); ++ if (!curr_data) { ++ qstats_drop_inc(this_cpu_ptr(ife->common.cpu_qstats)); ++ return TC_ACT_SHOT; ++ } + + if (find_decode_metaid(skb, ife, mtype, dlen, curr_data)) { + /* abuse overlimits to count when we receive metadata diff --git a/queue-4.16/net-sched-ife-signal-not-finding-metaid.patch b/queue-4.16/net-sched-ife-signal-not-finding-metaid.patch new file mode 100644 index 00000000000..a529c711509 --- /dev/null +++ b/queue-4.16/net-sched-ife-signal-not-finding-metaid.patch @@ -0,0 +1,33 @@ +From foo@baz Thu Apr 26 20:46:44 CEST 2018 +From: Alexander Aring +Date: Fri, 20 Apr 2018 15:15:03 -0400 +Subject: net: sched: ife: signal not finding metaid + +From: Alexander Aring + + +[ Upstream commit f6cd14537ff9919081be19b9c53b9b19c0d3ea97 ] + +We need to record stats for received metadata that we dont know how +to process. Have find_decode_metaid() return -ENOENT to capture this. + +Signed-off-by: Alexander Aring +Reviewed-by: Yotam Gigi +Acked-by: Jamal Hadi Salim +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/sched/act_ife.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/sched/act_ife.c ++++ b/net/sched/act_ife.c +@@ -652,7 +652,7 @@ static int find_decode_metaid(struct sk_ + } + } + +- return 0; ++ return -ENOENT; + } + + static int tcf_ife_decode(struct sk_buff *skb, const struct tc_action *a, diff --git a/queue-4.16/net-smc-fix-shutdown-in-state-smc_listen.patch b/queue-4.16/net-smc-fix-shutdown-in-state-smc_listen.patch new file mode 100644 index 00000000000..9a4f711e11c --- /dev/null +++ b/queue-4.16/net-smc-fix-shutdown-in-state-smc_listen.patch @@ -0,0 +1,49 @@ +From foo@baz Thu Apr 26 20:46:44 CEST 2018 +From: Ursula Braun +Date: Thu, 19 Apr 2018 15:56:40 +0200 +Subject: net/smc: fix shutdown in state SMC_LISTEN + +From: Ursula Braun + + +[ Upstream commit 1255fcb2a655f05e02f3a74675a6d6525f187afd ] + +Calling shutdown with SHUT_RD and SHUT_RDWR for a listening SMC socket +crashes, because + commit 127f49705823 ("net/smc: release clcsock from tcp_listen_worker") +releases the internal clcsock in smc_close_active() and sets smc->clcsock +to NULL. +For SHUT_RD the smc_close_active() call is removed. +For SHUT_RDWR the kernel_sock_shutdown() call is omitted, since the +clcsock is already released. + +Fixes: 127f49705823 ("net/smc: release clcsock from tcp_listen_worker") +Signed-off-by: Ursula Braun +Reported-by: Stephen Hemminger +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/smc/af_smc.c | 10 ++++------ + 1 file changed, 4 insertions(+), 6 deletions(-) + +--- a/net/smc/af_smc.c ++++ b/net/smc/af_smc.c +@@ -1254,14 +1254,12 @@ static int smc_shutdown(struct socket *s + rc = smc_close_shutdown_write(smc); + break; + case SHUT_RD: +- if (sk->sk_state == SMC_LISTEN) +- rc = smc_close_active(smc); +- else +- rc = 0; +- /* nothing more to do because peer is not involved */ ++ rc = 0; ++ /* nothing more to do because peer is not involved */ + break; + } +- rc1 = kernel_sock_shutdown(smc->clcsock, how); ++ if (smc->clcsock) ++ rc1 = kernel_sock_shutdown(smc->clcsock, how); + /* map sock_shutdown_cmd constants to sk_shutdown value range */ + sk->sk_shutdown |= how + 1; + diff --git a/queue-4.16/net-stmmac-disable-acs-feature-for-gmac-4.patch b/queue-4.16/net-stmmac-disable-acs-feature-for-gmac-4.patch new file mode 100644 index 00000000000..722176da45a --- /dev/null +++ b/queue-4.16/net-stmmac-disable-acs-feature-for-gmac-4.patch @@ -0,0 +1,76 @@ +From foo@baz Thu Apr 26 20:46:44 CEST 2018 +From: Jose Abreu +Date: Wed, 18 Apr 2018 10:57:55 +0100 +Subject: net: stmmac: Disable ACS Feature for GMAC >= 4 + +From: Jose Abreu + + +[ Upstream commit 565020aaeebfa7c8b3ec077bee38f4c15acc9905 ] + +ACS Feature is currently enabled for GMAC >= 4 but the llc_snap status +is never checked in descriptor rx_status callback. This will cause +stmmac to always strip packets even that ACS feature is already +stripping them. + +Lets be safe and disable the ACS feature for GMAC >= 4 and always strip +the packets for this GMAC version. + +Fixes: 477286b53f55 ("stmmac: add GMAC4 core support") +Signed-off-by: Jose Abreu +Cc: David S. Miller +Cc: Joao Pinto +Cc: Giuseppe Cavallaro +Cc: Alexandre Torgue +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/stmicro/stmmac/dwmac4.h | 2 +- + drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c | 7 ------- + drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 7 ++++++- + 3 files changed, 7 insertions(+), 9 deletions(-) + +--- a/drivers/net/ethernet/stmicro/stmmac/dwmac4.h ++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac4.h +@@ -343,7 +343,7 @@ enum power_event { + #define MTL_RX_OVERFLOW_INT BIT(16) + + /* Default operating mode of the MAC */ +-#define GMAC_CORE_INIT (GMAC_CONFIG_JD | GMAC_CONFIG_PS | GMAC_CONFIG_ACS | \ ++#define GMAC_CORE_INIT (GMAC_CONFIG_JD | GMAC_CONFIG_PS | \ + GMAC_CONFIG_BE | GMAC_CONFIG_DCRS) + + /* To dump the core regs excluding the Address Registers */ +--- a/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c ++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c +@@ -30,13 +30,6 @@ static void dwmac4_core_init(struct mac_ + + value |= GMAC_CORE_INIT; + +- /* Clear ACS bit because Ethernet switch tagging formats such as +- * Broadcom tags can look like invalid LLC/SNAP packets and cause the +- * hardware to truncate packets on reception. +- */ +- if (netdev_uses_dsa(dev)) +- value &= ~GMAC_CONFIG_ACS; +- + if (mtu > 1500) + value |= GMAC_CONFIG_2K; + if (mtu > 2000) +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +@@ -3435,8 +3435,13 @@ static int stmmac_rx(struct stmmac_priv + + /* ACS is set; GMAC core strips PAD/FCS for IEEE 802.3 + * Type frames (LLC/LLC-SNAP) ++ * ++ * llc_snap is never checked in GMAC >= 4, so this ACS ++ * feature is always disabled and packets need to be ++ * stripped manually. + */ +- if (unlikely(status != llc_snap)) ++ if (unlikely(priv->synopsys_id >= DWMAC_CORE_4_00) || ++ unlikely(status != llc_snap)) + frame_len -= ETH_FCS_LEN; + + if (netif_msg_rx_status(priv)) { diff --git a/queue-4.16/net-validate-attribute-sizes-in-neigh_dump_table.patch b/queue-4.16/net-validate-attribute-sizes-in-neigh_dump_table.patch new file mode 100644 index 00000000000..8d171459ddc --- /dev/null +++ b/queue-4.16/net-validate-attribute-sizes-in-neigh_dump_table.patch @@ -0,0 +1,109 @@ +From foo@baz Thu Apr 26 20:46:44 CEST 2018 +From: Eric Dumazet +Date: Wed, 11 Apr 2018 14:46:00 -0700 +Subject: net: validate attribute sizes in neigh_dump_table() + +From: Eric Dumazet + + +[ Upstream commit 7dd07c143a4b54d050e748bee4b4b9e94a7b1744 ] + +Since neigh_dump_table() calls nlmsg_parse() without giving policy +constraints, attributes can have arbirary size that we must validate + +Reported by syzbot/KMSAN : + +BUG: KMSAN: uninit-value in neigh_master_filtered net/core/neighbour.c:2292 [inline] +BUG: KMSAN: uninit-value in neigh_dump_table net/core/neighbour.c:2348 [inline] +BUG: KMSAN: uninit-value in neigh_dump_info+0x1af0/0x2250 net/core/neighbour.c:2438 +CPU: 1 PID: 3575 Comm: syzkaller268891 Not tainted 4.16.0+ #83 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:17 [inline] + dump_stack+0x185/0x1d0 lib/dump_stack.c:53 + kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067 + __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:676 + neigh_master_filtered net/core/neighbour.c:2292 [inline] + neigh_dump_table net/core/neighbour.c:2348 [inline] + neigh_dump_info+0x1af0/0x2250 net/core/neighbour.c:2438 + netlink_dump+0x9ad/0x1540 net/netlink/af_netlink.c:2225 + __netlink_dump_start+0x1167/0x12a0 net/netlink/af_netlink.c:2322 + netlink_dump_start include/linux/netlink.h:214 [inline] + rtnetlink_rcv_msg+0x1435/0x1560 net/core/rtnetlink.c:4598 + netlink_rcv_skb+0x355/0x5f0 net/netlink/af_netlink.c:2447 + rtnetlink_rcv+0x50/0x60 net/core/rtnetlink.c:4653 + netlink_unicast_kernel net/netlink/af_netlink.c:1311 [inline] + netlink_unicast+0x1672/0x1750 net/netlink/af_netlink.c:1337 + netlink_sendmsg+0x1048/0x1310 net/netlink/af_netlink.c:1900 + sock_sendmsg_nosec net/socket.c:630 [inline] + sock_sendmsg net/socket.c:640 [inline] + ___sys_sendmsg+0xec0/0x1310 net/socket.c:2046 + __sys_sendmsg net/socket.c:2080 [inline] + SYSC_sendmsg+0x2a3/0x3d0 net/socket.c:2091 + SyS_sendmsg+0x54/0x80 net/socket.c:2087 + do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287 + entry_SYSCALL_64_after_hwframe+0x3d/0xa2 +RIP: 0033:0x43fed9 +RSP: 002b:00007ffddbee2798 EFLAGS: 00000213 ORIG_RAX: 000000000000002e +RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fed9 +RDX: 0000000000000000 RSI: 0000000020005000 RDI: 0000000000000003 +RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8 +R10: 00000000004002c8 R11: 0000000000000213 R12: 0000000000401800 +R13: 0000000000401890 R14: 0000000000000000 R15: 0000000000000000 + +Uninit was created at: + kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline] + kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:188 + kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:314 + kmsan_slab_alloc+0x11/0x20 mm/kmsan/kmsan.c:321 + slab_post_alloc_hook mm/slab.h:445 [inline] + slab_alloc_node mm/slub.c:2737 [inline] + __kmalloc_node_track_caller+0xaed/0x11c0 mm/slub.c:4369 + __kmalloc_reserve net/core/skbuff.c:138 [inline] + __alloc_skb+0x2cf/0x9f0 net/core/skbuff.c:206 + alloc_skb include/linux/skbuff.h:984 [inline] + netlink_alloc_large_skb net/netlink/af_netlink.c:1183 [inline] + netlink_sendmsg+0x9a6/0x1310 net/netlink/af_netlink.c:1875 + sock_sendmsg_nosec net/socket.c:630 [inline] + sock_sendmsg net/socket.c:640 [inline] + ___sys_sendmsg+0xec0/0x1310 net/socket.c:2046 + __sys_sendmsg net/socket.c:2080 [inline] + SYSC_sendmsg+0x2a3/0x3d0 net/socket.c:2091 + SyS_sendmsg+0x54/0x80 net/socket.c:2087 + do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287 + entry_SYSCALL_64_after_hwframe+0x3d/0xa2 + +Fixes: 21fdd092acc7 ("net: Add support for filtering neigh dump by master device") +Signed-off-by: Eric Dumazet +Cc: David Ahern +Reported-by: syzbot +Acked-by: David Ahern +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/core/neighbour.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +--- a/net/core/neighbour.c ++++ b/net/core/neighbour.c +@@ -2331,12 +2331,16 @@ static int neigh_dump_table(struct neigh + + err = nlmsg_parse(nlh, sizeof(struct ndmsg), tb, NDA_MAX, NULL, NULL); + if (!err) { +- if (tb[NDA_IFINDEX]) ++ if (tb[NDA_IFINDEX]) { ++ if (nla_len(tb[NDA_IFINDEX]) != sizeof(u32)) ++ return -EINVAL; + filter_idx = nla_get_u32(tb[NDA_IFINDEX]); +- +- if (tb[NDA_MASTER]) ++ } ++ if (tb[NDA_MASTER]) { ++ if (nla_len(tb[NDA_MASTER]) != sizeof(u32)) ++ return -EINVAL; + filter_master_idx = nla_get_u32(tb[NDA_MASTER]); +- ++ } + if (filter_idx || filter_master_idx) + flags |= NLM_F_DUMP_FILTERED; + } diff --git a/queue-4.16/packet-fix-bitfield-update-race.patch b/queue-4.16/packet-fix-bitfield-update-race.patch new file mode 100644 index 00000000000..141d3709773 --- /dev/null +++ b/queue-4.16/packet-fix-bitfield-update-race.patch @@ -0,0 +1,198 @@ +From foo@baz Thu Apr 26 20:46:44 CEST 2018 +From: Willem de Bruijn +Date: Mon, 23 Apr 2018 17:37:03 -0400 +Subject: packet: fix bitfield update race + +From: Willem de Bruijn + + +[ Upstream commit a6361f0ca4b25460f2cdf3235ebe8115f622901e ] + +Updates to the bitfields in struct packet_sock are not atomic. +Serialize these read-modify-write cycles. + +Move po->running into a separate variable. Its writes are protected by +po->bind_lock (except for one startup case at packet_create). Also +replace a textual precondition warning with lockdep annotation. + +All others are set only in packet_setsockopt. Serialize these +updates by holding the socket lock. Analogous to other field updates, +also hold the lock when testing whether a ring is active (pg_vec). + +Fixes: 8dc419447415 ("[PACKET]: Add optional checksum computation for recvmsg") +Reported-by: DaeRyong Jeong +Reported-by: Byoungyoung Lee +Signed-off-by: Willem de Bruijn +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/packet/af_packet.c | 60 +++++++++++++++++++++++++++++++++++-------------- + net/packet/internal.h | 10 ++++---- + 2 files changed, 49 insertions(+), 21 deletions(-) + +--- a/net/packet/af_packet.c ++++ b/net/packet/af_packet.c +@@ -329,11 +329,11 @@ static void packet_pick_tx_queue(struct + skb_set_queue_mapping(skb, queue_index); + } + +-/* register_prot_hook must be invoked with the po->bind_lock held, ++/* __register_prot_hook must be invoked through register_prot_hook + * or from a context in which asynchronous accesses to the packet + * socket is not possible (packet_create()). + */ +-static void register_prot_hook(struct sock *sk) ++static void __register_prot_hook(struct sock *sk) + { + struct packet_sock *po = pkt_sk(sk); + +@@ -348,8 +348,13 @@ static void register_prot_hook(struct so + } + } + +-/* {,__}unregister_prot_hook() must be invoked with the po->bind_lock +- * held. If the sync parameter is true, we will temporarily drop ++static void register_prot_hook(struct sock *sk) ++{ ++ lockdep_assert_held_once(&pkt_sk(sk)->bind_lock); ++ __register_prot_hook(sk); ++} ++ ++/* If the sync parameter is true, we will temporarily drop + * the po->bind_lock and do a synchronize_net to make sure no + * asynchronous packet processing paths still refer to the elements + * of po->prot_hook. If the sync parameter is false, it is the +@@ -359,6 +364,8 @@ static void __unregister_prot_hook(struc + { + struct packet_sock *po = pkt_sk(sk); + ++ lockdep_assert_held_once(&po->bind_lock); ++ + po->running = 0; + + if (po->fanout) +@@ -3252,7 +3259,7 @@ static int packet_create(struct net *net + + if (proto) { + po->prot_hook.type = proto; +- register_prot_hook(sk); ++ __register_prot_hook(sk); + } + + mutex_lock(&net->packet.sklist_lock); +@@ -3734,12 +3741,18 @@ packet_setsockopt(struct socket *sock, i + + if (optlen != sizeof(val)) + return -EINVAL; +- if (po->rx_ring.pg_vec || po->tx_ring.pg_vec) +- return -EBUSY; + if (copy_from_user(&val, optval, sizeof(val))) + return -EFAULT; +- po->tp_loss = !!val; +- return 0; ++ ++ lock_sock(sk); ++ if (po->rx_ring.pg_vec || po->tx_ring.pg_vec) { ++ ret = -EBUSY; ++ } else { ++ po->tp_loss = !!val; ++ ret = 0; ++ } ++ release_sock(sk); ++ return ret; + } + case PACKET_AUXDATA: + { +@@ -3750,7 +3763,9 @@ packet_setsockopt(struct socket *sock, i + if (copy_from_user(&val, optval, sizeof(val))) + return -EFAULT; + ++ lock_sock(sk); + po->auxdata = !!val; ++ release_sock(sk); + return 0; + } + case PACKET_ORIGDEV: +@@ -3762,7 +3777,9 @@ packet_setsockopt(struct socket *sock, i + if (copy_from_user(&val, optval, sizeof(val))) + return -EFAULT; + ++ lock_sock(sk); + po->origdev = !!val; ++ release_sock(sk); + return 0; + } + case PACKET_VNET_HDR: +@@ -3771,15 +3788,20 @@ packet_setsockopt(struct socket *sock, i + + if (sock->type != SOCK_RAW) + return -EINVAL; +- if (po->rx_ring.pg_vec || po->tx_ring.pg_vec) +- return -EBUSY; + if (optlen < sizeof(val)) + return -EINVAL; + if (copy_from_user(&val, optval, sizeof(val))) + return -EFAULT; + +- po->has_vnet_hdr = !!val; +- return 0; ++ lock_sock(sk); ++ if (po->rx_ring.pg_vec || po->tx_ring.pg_vec) { ++ ret = -EBUSY; ++ } else { ++ po->has_vnet_hdr = !!val; ++ ret = 0; ++ } ++ release_sock(sk); ++ return ret; + } + case PACKET_TIMESTAMP: + { +@@ -3817,11 +3839,17 @@ packet_setsockopt(struct socket *sock, i + + if (optlen != sizeof(val)) + return -EINVAL; +- if (po->rx_ring.pg_vec || po->tx_ring.pg_vec) +- return -EBUSY; + if (copy_from_user(&val, optval, sizeof(val))) + return -EFAULT; +- po->tp_tx_has_off = !!val; ++ ++ lock_sock(sk); ++ if (po->rx_ring.pg_vec || po->tx_ring.pg_vec) { ++ ret = -EBUSY; ++ } else { ++ po->tp_tx_has_off = !!val; ++ ret = 0; ++ } ++ release_sock(sk); + return 0; + } + case PACKET_QDISC_BYPASS: +--- a/net/packet/internal.h ++++ b/net/packet/internal.h +@@ -112,10 +112,12 @@ struct packet_sock { + int copy_thresh; + spinlock_t bind_lock; + struct mutex pg_vec_lock; +- unsigned int running:1, /* prot_hook is attached*/ +- auxdata:1, ++ unsigned int running; /* bind_lock must be held */ ++ unsigned int auxdata:1, /* writer must hold sock lock */ + origdev:1, +- has_vnet_hdr:1; ++ has_vnet_hdr:1, ++ tp_loss:1, ++ tp_tx_has_off:1; + int pressure; + int ifindex; /* bound device */ + __be16 num; +@@ -125,8 +127,6 @@ struct packet_sock { + enum tpacket_versions tp_version; + unsigned int tp_hdrlen; + unsigned int tp_reserve; +- unsigned int tp_loss:1; +- unsigned int tp_tx_has_off:1; + unsigned int tp_tstamp; + struct net_device __rcu *cached_dev; + int (*xmit)(struct sk_buff *skb); diff --git a/queue-4.16/pppoe-check-sockaddr-length-in-pppoe_connect.patch b/queue-4.16/pppoe-check-sockaddr-length-in-pppoe_connect.patch new file mode 100644 index 00000000000..7b7f86299ab --- /dev/null +++ b/queue-4.16/pppoe-check-sockaddr-length-in-pppoe_connect.patch @@ -0,0 +1,35 @@ +From foo@baz Thu Apr 26 20:46:44 CEST 2018 +From: Guillaume Nault +Date: Mon, 23 Apr 2018 16:38:27 +0200 +Subject: pppoe: check sockaddr length in pppoe_connect() + +From: Guillaume Nault + + +[ Upstream commit a49e2f5d5fb141884452ddb428f551b123d436b5 ] + +We must validate sockaddr_len, otherwise userspace can pass fewer data +than we expect and we end up accessing invalid data. + +Fixes: 224cf5ad14c0 ("ppp: Move the PPP drivers") +Reported-by: syzbot+4f03bdf92fdf9ef5ddab@syzkaller.appspotmail.com +Signed-off-by: Guillaume Nault +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ppp/pppoe.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/net/ppp/pppoe.c ++++ b/drivers/net/ppp/pppoe.c +@@ -620,6 +620,10 @@ static int pppoe_connect(struct socket * + lock_sock(sk); + + error = -EINVAL; ++ ++ if (sockaddr_len != sizeof(struct sockaddr_pppox)) ++ goto end; ++ + if (sp->sa_protocol != PX_PROTO_OE) + goto end; + diff --git a/queue-4.16/revert-macsec-missing-dev_put-on-error-in-macsec_newlink.patch b/queue-4.16/revert-macsec-missing-dev_put-on-error-in-macsec_newlink.patch new file mode 100644 index 00000000000..bc1f6eceb72 --- /dev/null +++ b/queue-4.16/revert-macsec-missing-dev_put-on-error-in-macsec_newlink.patch @@ -0,0 +1,47 @@ +From foo@baz Thu Apr 26 20:46:44 CEST 2018 +From: Dan Carpenter +Date: Mon, 16 Apr 2018 13:17:50 +0300 +Subject: Revert "macsec: missing dev_put() on error in macsec_newlink()" + +From: Dan Carpenter + + +[ Upstream commit bd28899dd34f9283c567f7eeb31bb546f10820b5 ] + +This patch is just wrong, sorry. I was trying to fix a static checker +warning and misread the code. The reference taken in macsec_newlink() +is released in macsec_free_netdev() when the netdevice is destroyed. + +This reverts commit 5dcd8400884cc4a043a6d4617e042489e5d566a9. + +Reported-by: Laura Abbott +Fixes: 5dcd8400884c ("macsec: missing dev_put() on error in macsec_newlink()") +Signed-off-by: Dan Carpenter +Acked-by: Sabrina Dubroca +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/macsec.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/drivers/net/macsec.c ++++ b/drivers/net/macsec.c +@@ -3277,7 +3277,7 @@ static int macsec_newlink(struct net *ne + + err = netdev_upper_dev_link(real_dev, dev, extack); + if (err < 0) +- goto put_dev; ++ goto unregister; + + /* need to be already registered so that ->init has run and + * the MAC addr is set +@@ -3316,8 +3316,7 @@ del_dev: + macsec_del_dev(macsec); + unlink: + netdev_upper_dev_unlink(real_dev, dev); +-put_dev: +- dev_put(real_dev); ++unregister: + unregister_netdevice(dev); + return err; + } diff --git a/queue-4.16/s390-qeth-avoid-control-io-completion-stalls.patch b/queue-4.16/s390-qeth-avoid-control-io-completion-stalls.patch new file mode 100644 index 00000000000..5e8a62d2976 --- /dev/null +++ b/queue-4.16/s390-qeth-avoid-control-io-completion-stalls.patch @@ -0,0 +1,123 @@ +From foo@baz Thu Apr 26 20:46:44 CEST 2018 +From: Julian Wiedmann +Date: Thu, 19 Apr 2018 12:52:07 +0200 +Subject: s390/qeth: avoid control IO completion stalls + +From: Julian Wiedmann + + +[ Upstream commit 901e3f49facbd31b2b3d1786637b4a35e1022e9b ] + +For control IO, qeth currently tracks the index of the buffer that it +expects to complete the next IO on each qeth_channel. If the channel +presents an IRQ while this buffer has not yet completed, no completion +processing for _any_ completed buffer takes place. +So if the 'next buffer' is skipped for any sort of reason* (eg. when it +is released due to error conditions, before the IO is started), the +buffer obviously won't switch to PROCESSED until it is eventually +allocated for a _different_ IO and completes. +Until this happens, all completion processing on that channel stalls +and pending requests possibly time out. + +As a fix, remove the whole 'next buffer' logic and simply process any +IO buffer right when it completes. A channel will never have more than +one IO pending, so there's no risk of processing out-of-sequence. + +*Note: currently just one location in the code really handles this problem, + by advancing the 'next' index manually. + +Signed-off-by: Julian Wiedmann +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/s390/net/qeth_core.h | 2 -- + drivers/s390/net/qeth_core_main.c | 22 +++++----------------- + 2 files changed, 5 insertions(+), 19 deletions(-) + +--- a/drivers/s390/net/qeth_core.h ++++ b/drivers/s390/net/qeth_core.h +@@ -565,7 +565,6 @@ enum qeth_ip_types { + enum qeth_cmd_buffer_state { + BUF_STATE_FREE, + BUF_STATE_LOCKED, +- BUF_STATE_PROCESSED, + }; + + enum qeth_cq { +@@ -609,7 +608,6 @@ struct qeth_channel { + struct qeth_cmd_buffer iob[QETH_CMD_BUFFER_NO]; + atomic_t irq_pending; + int io_buf_no; +- int buf_no; + }; + + /** +--- a/drivers/s390/net/qeth_core_main.c ++++ b/drivers/s390/net/qeth_core_main.c +@@ -821,7 +821,6 @@ void qeth_clear_cmd_buffers(struct qeth_ + + for (cnt = 0; cnt < QETH_CMD_BUFFER_NO; cnt++) + qeth_release_buffer(channel, &channel->iob[cnt]); +- channel->buf_no = 0; + channel->io_buf_no = 0; + } + EXPORT_SYMBOL_GPL(qeth_clear_cmd_buffers); +@@ -927,7 +926,6 @@ static int qeth_setup_channel(struct qet + kfree(channel->iob[cnt].data); + return -ENOMEM; + } +- channel->buf_no = 0; + channel->io_buf_no = 0; + atomic_set(&channel->irq_pending, 0); + spin_lock_init(&channel->iob_lock); +@@ -1103,11 +1101,9 @@ static void qeth_irq(struct ccw_device * + { + int rc; + int cstat, dstat; +- struct qeth_cmd_buffer *buffer; + struct qeth_channel *channel; + struct qeth_card *card; + struct qeth_cmd_buffer *iob; +- __u8 index; + + if (__qeth_check_irb_error(cdev, intparm, irb)) + return; +@@ -1185,25 +1181,18 @@ static void qeth_irq(struct ccw_device * + channel->state = CH_STATE_RCD_DONE; + goto out; + } +- if (intparm) { +- buffer = (struct qeth_cmd_buffer *) __va((addr_t)intparm); +- buffer->state = BUF_STATE_PROCESSED; +- } + if (channel == &card->data) + return; + if (channel == &card->read && + channel->state == CH_STATE_UP) + __qeth_issue_next_read(card); + +- iob = channel->iob; +- index = channel->buf_no; +- while (iob[index].state == BUF_STATE_PROCESSED) { +- if (iob[index].callback != NULL) +- iob[index].callback(channel, iob + index); +- +- index = (index + 1) % QETH_CMD_BUFFER_NO; ++ if (intparm) { ++ iob = (struct qeth_cmd_buffer *) __va((addr_t)intparm); ++ if (iob->callback) ++ iob->callback(iob->channel, iob); + } +- channel->buf_no = index; ++ + out: + wake_up(&card->wait_q); + return; +@@ -2217,7 +2206,6 @@ time_err: + error: + atomic_set(&card->write.irq_pending, 0); + qeth_release_buffer(iob->channel, iob); +- card->write.buf_no = (card->write.buf_no + 1) % QETH_CMD_BUFFER_NO; + rc = reply->rc; + qeth_put_reply(reply); + return rc; diff --git a/queue-4.16/s390-qeth-fix-error-handling-in-adapter-command-callbacks.patch b/queue-4.16/s390-qeth-fix-error-handling-in-adapter-command-callbacks.patch new file mode 100644 index 00000000000..67e39e2af7e --- /dev/null +++ b/queue-4.16/s390-qeth-fix-error-handling-in-adapter-command-callbacks.patch @@ -0,0 +1,217 @@ +From foo@baz Thu Apr 26 20:46:44 CEST 2018 +From: Julian Wiedmann +Date: Thu, 19 Apr 2018 12:52:06 +0200 +Subject: s390/qeth: fix error handling in adapter command callbacks + +From: Julian Wiedmann + + +[ Upstream commit 686c97ee29c886ee07d17987d0059874c5c3b5af ] + +Make sure to check both return code fields before(!) processing the +command response. Otherwise we risk operating on invalid data. + +This matches an earlier fix for SETASSPARMS commands, see +commit ad3cbf613329 ("s390/qeth: fix error handling in checksum cmd callback"). + +Signed-off-by: Julian Wiedmann +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/s390/net/qeth_core_main.c | 85 ++++++++++++++++---------------------- + 1 file changed, 37 insertions(+), 48 deletions(-) + +--- a/drivers/s390/net/qeth_core_main.c ++++ b/drivers/s390/net/qeth_core_main.c +@@ -3037,28 +3037,23 @@ static int qeth_send_startlan(struct qet + return rc; + } + +-static int qeth_default_setadapterparms_cb(struct qeth_card *card, +- struct qeth_reply *reply, unsigned long data) ++static int qeth_setadpparms_inspect_rc(struct qeth_ipa_cmd *cmd) + { +- struct qeth_ipa_cmd *cmd; +- +- QETH_CARD_TEXT(card, 4, "defadpcb"); +- +- cmd = (struct qeth_ipa_cmd *) data; +- if (cmd->hdr.return_code == 0) ++ if (!cmd->hdr.return_code) + cmd->hdr.return_code = + cmd->data.setadapterparms.hdr.return_code; +- return 0; ++ return cmd->hdr.return_code; + } + + static int qeth_query_setadapterparms_cb(struct qeth_card *card, + struct qeth_reply *reply, unsigned long data) + { +- struct qeth_ipa_cmd *cmd; ++ struct qeth_ipa_cmd *cmd = (struct qeth_ipa_cmd *) data; + + QETH_CARD_TEXT(card, 3, "quyadpcb"); ++ if (qeth_setadpparms_inspect_rc(cmd)) ++ return 0; + +- cmd = (struct qeth_ipa_cmd *) data; + if (cmd->data.setadapterparms.data.query_cmds_supp.lan_type & 0x7f) { + card->info.link_type = + cmd->data.setadapterparms.data.query_cmds_supp.lan_type; +@@ -3066,7 +3061,7 @@ static int qeth_query_setadapterparms_cb + } + card->options.adp.supported_funcs = + cmd->data.setadapterparms.data.query_cmds_supp.supported_cmds; +- return qeth_default_setadapterparms_cb(card, reply, (unsigned long)cmd); ++ return 0; + } + + static struct qeth_cmd_buffer *qeth_get_adapter_cmd(struct qeth_card *card, +@@ -3158,22 +3153,20 @@ EXPORT_SYMBOL_GPL(qeth_query_ipassists); + static int qeth_query_switch_attributes_cb(struct qeth_card *card, + struct qeth_reply *reply, unsigned long data) + { +- struct qeth_ipa_cmd *cmd; +- struct qeth_switch_info *sw_info; ++ struct qeth_ipa_cmd *cmd = (struct qeth_ipa_cmd *) data; + struct qeth_query_switch_attributes *attrs; ++ struct qeth_switch_info *sw_info; + + QETH_CARD_TEXT(card, 2, "qswiatcb"); +- cmd = (struct qeth_ipa_cmd *) data; +- sw_info = (struct qeth_switch_info *)reply->param; +- if (cmd->data.setadapterparms.hdr.return_code == 0) { +- attrs = &cmd->data.setadapterparms.data.query_switch_attributes; +- sw_info->capabilities = attrs->capabilities; +- sw_info->settings = attrs->settings; +- QETH_CARD_TEXT_(card, 2, "%04x%04x", sw_info->capabilities, +- sw_info->settings); +- } +- qeth_default_setadapterparms_cb(card, reply, (unsigned long) cmd); ++ if (qeth_setadpparms_inspect_rc(cmd)) ++ return 0; + ++ sw_info = (struct qeth_switch_info *)reply->param; ++ attrs = &cmd->data.setadapterparms.data.query_switch_attributes; ++ sw_info->capabilities = attrs->capabilities; ++ sw_info->settings = attrs->settings; ++ QETH_CARD_TEXT_(card, 2, "%04x%04x", sw_info->capabilities, ++ sw_info->settings); + return 0; + } + +@@ -4211,16 +4204,13 @@ EXPORT_SYMBOL_GPL(qeth_do_send_packet); + static int qeth_setadp_promisc_mode_cb(struct qeth_card *card, + struct qeth_reply *reply, unsigned long data) + { +- struct qeth_ipa_cmd *cmd; ++ struct qeth_ipa_cmd *cmd = (struct qeth_ipa_cmd *) data; + struct qeth_ipacmd_setadpparms *setparms; + + QETH_CARD_TEXT(card, 4, "prmadpcb"); + +- cmd = (struct qeth_ipa_cmd *) data; + setparms = &(cmd->data.setadapterparms); +- +- qeth_default_setadapterparms_cb(card, reply, (unsigned long)cmd); +- if (cmd->hdr.return_code) { ++ if (qeth_setadpparms_inspect_rc(cmd)) { + QETH_CARD_TEXT_(card, 4, "prmrc%x", cmd->hdr.return_code); + setparms->data.mode = SET_PROMISC_MODE_OFF; + } +@@ -4290,18 +4280,18 @@ EXPORT_SYMBOL_GPL(qeth_get_stats); + static int qeth_setadpparms_change_macaddr_cb(struct qeth_card *card, + struct qeth_reply *reply, unsigned long data) + { +- struct qeth_ipa_cmd *cmd; ++ struct qeth_ipa_cmd *cmd = (struct qeth_ipa_cmd *) data; + + QETH_CARD_TEXT(card, 4, "chgmaccb"); ++ if (qeth_setadpparms_inspect_rc(cmd)) ++ return 0; + +- cmd = (struct qeth_ipa_cmd *) data; + if (!card->options.layer2 || + !(card->info.mac_bits & QETH_LAYER2_MAC_READ)) { + ether_addr_copy(card->dev->dev_addr, + cmd->data.setadapterparms.data.change_addr.addr); + card->info.mac_bits |= QETH_LAYER2_MAC_READ; + } +- qeth_default_setadapterparms_cb(card, reply, (unsigned long) cmd); + return 0; + } + +@@ -4332,13 +4322,15 @@ EXPORT_SYMBOL_GPL(qeth_setadpparms_chang + static int qeth_setadpparms_set_access_ctrl_cb(struct qeth_card *card, + struct qeth_reply *reply, unsigned long data) + { +- struct qeth_ipa_cmd *cmd; ++ struct qeth_ipa_cmd *cmd = (struct qeth_ipa_cmd *) data; + struct qeth_set_access_ctrl *access_ctrl_req; + int fallback = *(int *)reply->param; + + QETH_CARD_TEXT(card, 4, "setaccb"); ++ if (cmd->hdr.return_code) ++ return 0; ++ qeth_setadpparms_inspect_rc(cmd); + +- cmd = (struct qeth_ipa_cmd *) data; + access_ctrl_req = &cmd->data.setadapterparms.data.set_access_ctrl; + QETH_DBF_TEXT_(SETUP, 2, "setaccb"); + QETH_DBF_TEXT_(SETUP, 2, "%s", card->gdev->dev.kobj.name); +@@ -4411,7 +4403,6 @@ static int qeth_setadpparms_set_access_c + card->options.isolation = card->options.prev_isolation; + break; + } +- qeth_default_setadapterparms_cb(card, reply, (unsigned long) cmd); + return 0; + } + +@@ -4699,14 +4690,15 @@ out: + static int qeth_setadpparms_query_oat_cb(struct qeth_card *card, + struct qeth_reply *reply, unsigned long data) + { +- struct qeth_ipa_cmd *cmd; ++ struct qeth_ipa_cmd *cmd = (struct qeth_ipa_cmd *)data; + struct qeth_qoat_priv *priv; + char *resdata; + int resdatalen; + + QETH_CARD_TEXT(card, 3, "qoatcb"); ++ if (qeth_setadpparms_inspect_rc(cmd)) ++ return 0; + +- cmd = (struct qeth_ipa_cmd *)data; + priv = (struct qeth_qoat_priv *)reply->param; + resdatalen = cmd->data.setadapterparms.hdr.cmdlength; + resdata = (char *)data + 28; +@@ -4800,21 +4792,18 @@ out: + static int qeth_query_card_info_cb(struct qeth_card *card, + struct qeth_reply *reply, unsigned long data) + { +- struct qeth_ipa_cmd *cmd; ++ struct carrier_info *carrier_info = (struct carrier_info *)reply->param; ++ struct qeth_ipa_cmd *cmd = (struct qeth_ipa_cmd *)data; + struct qeth_query_card_info *card_info; +- struct carrier_info *carrier_info; + + QETH_CARD_TEXT(card, 2, "qcrdincb"); +- carrier_info = (struct carrier_info *)reply->param; +- cmd = (struct qeth_ipa_cmd *)data; +- card_info = &cmd->data.setadapterparms.data.card_info; +- if (cmd->data.setadapterparms.hdr.return_code == 0) { +- carrier_info->card_type = card_info->card_type; +- carrier_info->port_mode = card_info->port_mode; +- carrier_info->port_speed = card_info->port_speed; +- } ++ if (qeth_setadpparms_inspect_rc(cmd)) ++ return 0; + +- qeth_default_setadapterparms_cb(card, reply, (unsigned long) cmd); ++ card_info = &cmd->data.setadapterparms.data.card_info; ++ carrier_info->card_type = card_info->card_type; ++ carrier_info->port_mode = card_info->port_mode; ++ carrier_info->port_speed = card_info->port_speed; + return 0; + } + diff --git a/queue-4.16/s390-qeth-handle-failure-on-workqueue-creation.patch b/queue-4.16/s390-qeth-handle-failure-on-workqueue-creation.patch new file mode 100644 index 00000000000..f25af81cae5 --- /dev/null +++ b/queue-4.16/s390-qeth-handle-failure-on-workqueue-creation.patch @@ -0,0 +1,48 @@ +From foo@baz Thu Apr 26 20:46:44 CEST 2018 +From: Julian Wiedmann +Date: Thu, 19 Apr 2018 12:52:08 +0200 +Subject: s390/qeth: handle failure on workqueue creation + +From: Julian Wiedmann + + +[ Upstream commit a936b1ef37ce1e996533878f4b23944f9444dcdf ] + +Creating the global workqueue during driver init may fail, deal with it. +Also, destroy the created workqueue on any subsequent error. + +Fixes: 0f54761d167f ("qeth: Support VEPA mode") +Signed-off-by: Julian Wiedmann +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/s390/net/qeth_core_main.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/drivers/s390/net/qeth_core_main.c ++++ b/drivers/s390/net/qeth_core_main.c +@@ -6544,10 +6544,14 @@ static int __init qeth_core_init(void) + mutex_init(&qeth_mod_mutex); + + qeth_wq = create_singlethread_workqueue("qeth_wq"); ++ if (!qeth_wq) { ++ rc = -ENOMEM; ++ goto out_err; ++ } + + rc = qeth_register_dbf_views(); + if (rc) +- goto out_err; ++ goto dbf_err; + qeth_core_root_dev = root_device_register("qeth"); + rc = PTR_ERR_OR_ZERO(qeth_core_root_dev); + if (rc) +@@ -6584,6 +6588,8 @@ slab_err: + root_device_unregister(qeth_core_root_dev); + register_err: + qeth_unregister_dbf_views(); ++dbf_err: ++ destroy_workqueue(qeth_wq); + out_err: + pr_err("Initializing the qeth device driver failed\n"); + return rc; diff --git a/queue-4.16/sctp-do-not-check-port-in-sctp_inet6_cmp_addr.patch b/queue-4.16/sctp-do-not-check-port-in-sctp_inet6_cmp_addr.patch new file mode 100644 index 00000000000..5fb3a24af49 --- /dev/null +++ b/queue-4.16/sctp-do-not-check-port-in-sctp_inet6_cmp_addr.patch @@ -0,0 +1,136 @@ +From foo@baz Thu Apr 26 20:46:44 CEST 2018 +From: Xin Long +Date: Thu, 12 Apr 2018 14:24:31 +0800 +Subject: sctp: do not check port in sctp_inet6_cmp_addr + +From: Xin Long + + +[ Upstream commit 1071ec9d453a38023579714b64a951a2fb982071 ] + +pf->cmp_addr() is called before binding a v6 address to the sock. It +should not check ports, like in sctp_inet_cmp_addr. + +But sctp_inet6_cmp_addr checks the addr by invoking af(6)->cmp_addr, +sctp_v6_cmp_addr where it also compares the ports. + +This would cause that setsockopt(SCTP_SOCKOPT_BINDX_ADD) could bind +multiple duplicated IPv6 addresses after Commit 40b4f0fd74e4 ("sctp: +lack the check for ports in sctp_v6_cmp_addr"). + +This patch is to remove af->cmp_addr called in sctp_inet6_cmp_addr, +but do the proper check for both v6 addrs and v4mapped addrs. + +v1->v2: + - define __sctp_v6_cmp_addr to do the common address comparison + used for both pf and af v6 cmp_addr. + +Fixes: 40b4f0fd74e4 ("sctp: lack the check for ports in sctp_v6_cmp_addr") +Reported-by: Jianwen Ji +Signed-off-by: Xin Long +Acked-by: Neil Horman +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/sctp/ipv6.c | 60 ++++++++++++++++++++++++++++---------------------------- + 1 file changed, 30 insertions(+), 30 deletions(-) + +--- a/net/sctp/ipv6.c ++++ b/net/sctp/ipv6.c +@@ -521,46 +521,49 @@ static void sctp_v6_to_addr(union sctp_a + addr->v6.sin6_scope_id = 0; + } + +-/* Compare addresses exactly. +- * v4-mapped-v6 is also in consideration. +- */ +-static int sctp_v6_cmp_addr(const union sctp_addr *addr1, +- const union sctp_addr *addr2) ++static int __sctp_v6_cmp_addr(const union sctp_addr *addr1, ++ const union sctp_addr *addr2) + { + if (addr1->sa.sa_family != addr2->sa.sa_family) { + if (addr1->sa.sa_family == AF_INET && + addr2->sa.sa_family == AF_INET6 && +- ipv6_addr_v4mapped(&addr2->v6.sin6_addr)) { +- if (addr2->v6.sin6_port == addr1->v4.sin_port && +- addr2->v6.sin6_addr.s6_addr32[3] == +- addr1->v4.sin_addr.s_addr) +- return 1; +- } ++ ipv6_addr_v4mapped(&addr2->v6.sin6_addr) && ++ addr2->v6.sin6_addr.s6_addr32[3] == ++ addr1->v4.sin_addr.s_addr) ++ return 1; ++ + if (addr2->sa.sa_family == AF_INET && + addr1->sa.sa_family == AF_INET6 && +- ipv6_addr_v4mapped(&addr1->v6.sin6_addr)) { +- if (addr1->v6.sin6_port == addr2->v4.sin_port && +- addr1->v6.sin6_addr.s6_addr32[3] == +- addr2->v4.sin_addr.s_addr) +- return 1; +- } ++ ipv6_addr_v4mapped(&addr1->v6.sin6_addr) && ++ addr1->v6.sin6_addr.s6_addr32[3] == ++ addr2->v4.sin_addr.s_addr) ++ return 1; ++ + return 0; + } +- if (addr1->v6.sin6_port != addr2->v6.sin6_port) +- return 0; ++ + if (!ipv6_addr_equal(&addr1->v6.sin6_addr, &addr2->v6.sin6_addr)) + return 0; ++ + /* If this is a linklocal address, compare the scope_id. */ +- if (ipv6_addr_type(&addr1->v6.sin6_addr) & IPV6_ADDR_LINKLOCAL) { +- if (addr1->v6.sin6_scope_id && addr2->v6.sin6_scope_id && +- (addr1->v6.sin6_scope_id != addr2->v6.sin6_scope_id)) { +- return 0; +- } +- } ++ if ((ipv6_addr_type(&addr1->v6.sin6_addr) & IPV6_ADDR_LINKLOCAL) && ++ addr1->v6.sin6_scope_id && addr2->v6.sin6_scope_id && ++ addr1->v6.sin6_scope_id != addr2->v6.sin6_scope_id) ++ return 0; + + return 1; + } + ++/* Compare addresses exactly. ++ * v4-mapped-v6 is also in consideration. ++ */ ++static int sctp_v6_cmp_addr(const union sctp_addr *addr1, ++ const union sctp_addr *addr2) ++{ ++ return __sctp_v6_cmp_addr(addr1, addr2) && ++ addr1->v6.sin6_port == addr2->v6.sin6_port; ++} ++ + /* Initialize addr struct to INADDR_ANY. */ + static void sctp_v6_inaddr_any(union sctp_addr *addr, __be16 port) + { +@@ -846,8 +849,8 @@ static int sctp_inet6_cmp_addr(const uni + const union sctp_addr *addr2, + struct sctp_sock *opt) + { +- struct sctp_af *af1, *af2; + struct sock *sk = sctp_opt2sk(opt); ++ struct sctp_af *af1, *af2; + + af1 = sctp_get_af_specific(addr1->sa.sa_family); + af2 = sctp_get_af_specific(addr2->sa.sa_family); +@@ -863,10 +866,7 @@ static int sctp_inet6_cmp_addr(const uni + if (sctp_is_any(sk, addr1) || sctp_is_any(sk, addr2)) + return 1; + +- if (addr1->sa.sa_family != addr2->sa.sa_family) +- return 0; +- +- return af1->cmp_addr(addr1, addr2); ++ return __sctp_v6_cmp_addr(addr1, addr2); + } + + /* Verify that the provided sockaddr looks bindable. Common verification, diff --git a/queue-4.16/series b/queue-4.16/series index aaf3b267b2c..b7ff630b241 100644 --- a/queue-4.16/series +++ b/queue-4.16/series @@ -5,3 +5,55 @@ tpm-cmd_ready-command-can-be-issued-only-after-granting-locality.patch tpm-tpm-interface-fix-tpm_transmit-_cmd-kdoc.patch tpm-add-retry-logic.patch revert-ath10k-send-re-assoc-peer-command-when-nss-changed.patch +bonding-do-not-set-slave_dev-npinfo-before-slave_enable_netpoll-in-bond_enslave.patch +docs-ip-sysctl.txt-fix-name-of-some-ipv6-variables.patch +ipv6-add-rta_table-and-rta_prefsrc-to-rtm_ipv6_policy.patch +ipv6-sr-fix-null-pointer-dereference-in-seg6_do_srh_encap-v4-pkts.patch +keys-dns-limit-the-length-of-option-strings.patch +l2tp-check-sockaddr-length-in-pppol2tp_connect.patch +llc-delete-timers-synchronously-in-llc_sk_free.patch +net-af_packet-fix-race-in-packet_-r-t-x_ring.patch +net-fix-deadlock-while-clearing-neighbor-proxy-table.patch +net-mvpp2-fix-dma-address-mask-size.patch +net-qmi_wwan-add-wistron-neweb-d19q1.patch +net-smc-fix-shutdown-in-state-smc_listen.patch +net-stmmac-disable-acs-feature-for-gmac-4.patch +packet-fix-bitfield-update-race.patch +pppoe-check-sockaddr-length-in-pppoe_connect.patch +revert-macsec-missing-dev_put-on-error-in-macsec_newlink.patch +sctp-do-not-check-port-in-sctp_inet6_cmp_addr.patch +strparser-do-not-call-mod_delayed_work-with-a-timeout-of-long_max.patch +strparser-fix-incorrect-strp-need_bytes-value.patch +tcp-clear-tp-packets_out-when-purging-write-queue.patch +tcp-don-t-read-out-of-bounds-opsize.patch +tcp-md5-reject-tcp_md5sig-or-tcp_md5sig_ext-on-established-sockets.patch +team-avoid-adding-twice-the-same-option-to-the-event-list.patch +team-fix-netconsole-setup-over-team.patch +tipc-add-policy-for-tipc_nla_net_addr.patch +vlan-fix-reading-memory-beyond-skb-tail-in-skb_vlan_tagged_multi.patch +vmxnet3-fix-incorrect-dereference-when-rxvlan-is-disabled.patch +amd-xgbe-add-pre-post-auto-negotiation-phy-hooks.patch +amd-xgbe-improve-kr-auto-negotiation-and-training.patch +amd-xgbe-only-use-the-sfp-supported-transceiver-signals.patch +net-sched-ife-signal-not-finding-metaid.patch +net-sched-ife-handle-malformed-tlv-length.patch +net-sched-ife-check-on-metadata-length.patch +l2tp-hold-reference-on-tunnels-in-netlink-dumps.patch +l2tp-hold-reference-on-tunnels-printed-in-pppol2tp-proc-file.patch +l2tp-hold-reference-on-tunnels-printed-in-l2tp-tunnels-debugfs-file.patch +l2tp-fix-pppol2tp-l2tp_dfs-_seq_stop-in-case-of-seq_file-overflow.patch +llc-hold-llc_sap-before-release_sock.patch +llc-fix-null-pointer-deref-for-sock_zapped.patch +s390-qeth-fix-error-handling-in-adapter-command-callbacks.patch +s390-qeth-avoid-control-io-completion-stalls.patch +s390-qeth-handle-failure-on-workqueue-creation.patch +net-ethernet-ti-cpsw-fix-tx-vlan-priority-mapping.patch +net-validate-attribute-sizes-in-neigh_dump_table.patch +bnxt_en-fix-memory-fault-in-bnxt_ethtool_init.patch +virtio-net-add-missing-virtqueue-kick-when-flushing-packets.patch +vsock-make-af_vsock.ko-removable-again.patch +net-aquantia-regression-on-reset-with-1.x-firmware.patch +tun-fix-vlan-packet-truncation.patch +net-aquantia-oops-when-shutdown-on-already-stopped-device.patch +virtio_net-split-out-ctrl-buffer.patch +virtio_net-fix-adding-vids-on-big-endian.patch diff --git a/queue-4.16/strparser-do-not-call-mod_delayed_work-with-a-timeout-of-long_max.patch b/queue-4.16/strparser-do-not-call-mod_delayed_work-with-a-timeout-of-long_max.patch new file mode 100644 index 00000000000..f972c806bab --- /dev/null +++ b/queue-4.16/strparser-do-not-call-mod_delayed_work-with-a-timeout-of-long_max.patch @@ -0,0 +1,41 @@ +From foo@baz Thu Apr 26 20:46:44 CEST 2018 +From: Doron Roberts-Kedes +Date: Fri, 20 Apr 2018 12:11:11 -0700 +Subject: strparser: Do not call mod_delayed_work with a timeout of LONG_MAX + +From: Doron Roberts-Kedes + + +[ Upstream commit 7c5aba211dd61f41d737a2c51729eb9fdcd3edf4 ] + +struct sock's sk_rcvtimeo is initialized to +LONG_MAX/MAX_SCHEDULE_TIMEOUT in sock_init_data. Calling +mod_delayed_work with a timeout of LONG_MAX causes spurious execution of +the work function. timer->expires is set equal to jiffies + LONG_MAX. +When timer_base->clk falls behind the current value of jiffies, +the delta between timer_base->clk and jiffies + LONG_MAX causes the +expiration to be in the past. Returning early from strp_start_timer if +timeo == LONG_MAX solves this problem. + +Found while testing net/tls_sw recv path. + +Fixes: 43a0c6751a322847 ("strparser: Stream parser for messages") +Reviewed-by: Tejun Heo +Signed-off-by: Doron Roberts-Kedes +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/strparser/strparser.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/strparser/strparser.c ++++ b/net/strparser/strparser.c +@@ -67,7 +67,7 @@ static void strp_abort_strp(struct strpa + + static void strp_start_timer(struct strparser *strp, long timeo) + { +- if (timeo) ++ if (timeo && timeo != LONG_MAX) + mod_delayed_work(strp_wq, &strp->msg_timer_work, timeo); + } + diff --git a/queue-4.16/strparser-fix-incorrect-strp-need_bytes-value.patch b/queue-4.16/strparser-fix-incorrect-strp-need_bytes-value.patch new file mode 100644 index 00000000000..587b8902f3d --- /dev/null +++ b/queue-4.16/strparser-fix-incorrect-strp-need_bytes-value.patch @@ -0,0 +1,70 @@ +From foo@baz Thu Apr 26 20:46:44 CEST 2018 +From: Doron Roberts-Kedes +Date: Wed, 11 Apr 2018 15:05:16 -0700 +Subject: strparser: Fix incorrect strp->need_bytes value. + +From: Doron Roberts-Kedes + + +[ Upstream commit 9d0c75bf6e03d9bf80c55b0f677dc9b982958fd5 ] + +strp_data_ready resets strp->need_bytes to 0 if strp_peek_len indicates +that the remainder of the message has been received. However, +do_strp_work does not reset strp->need_bytes to 0. If do_strp_work +completes a partial message, the value of strp->need_bytes will continue +to reflect the needed bytes of the previous message, causing +future invocations of strp_data_ready to return early if +strp->need_bytes is less than strp_peek_len. Resetting strp->need_bytes +to 0 in __strp_recv on handing a full message to the upper layer solves +this problem. + +__strp_recv also calculates strp->need_bytes using stm->accum_len before +stm->accum_len has been incremented by cand_len. This can cause +strp->need_bytes to be equal to the full length of the message instead +of the full length minus the accumulated length. This, in turn, causes +strp_data_ready to return early, even when there is sufficient data to +complete the partial message. Incrementing stm->accum_len before using +it to calculate strp->need_bytes solves this problem. + +Found while testing net/tls_sw recv path. + +Fixes: 43a0c6751a322847 ("strparser: Stream parser for messages") +Signed-off-by: Doron Roberts-Kedes +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/strparser/strparser.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +--- a/net/strparser/strparser.c ++++ b/net/strparser/strparser.c +@@ -296,9 +296,9 @@ static int __strp_recv(read_descriptor_t + strp_start_timer(strp, timeo); + } + ++ stm->accum_len += cand_len; + strp->need_bytes = stm->strp.full_len - + stm->accum_len; +- stm->accum_len += cand_len; + stm->early_eaten = cand_len; + STRP_STATS_ADD(strp->stats.bytes, cand_len); + desc->count = 0; /* Stop reading socket */ +@@ -321,6 +321,7 @@ static int __strp_recv(read_descriptor_t + /* Hurray, we have a new message! */ + cancel_delayed_work(&strp->msg_timer_work); + strp->skb_head = NULL; ++ strp->need_bytes = 0; + STRP_STATS_INCR(strp->stats.msgs); + + /* Give skb to upper layer */ +@@ -410,9 +411,7 @@ void strp_data_ready(struct strparser *s + return; + + if (strp->need_bytes) { +- if (strp_peek_len(strp) >= strp->need_bytes) +- strp->need_bytes = 0; +- else ++ if (strp_peek_len(strp) < strp->need_bytes) + return; + } + diff --git a/queue-4.16/tcp-clear-tp-packets_out-when-purging-write-queue.patch b/queue-4.16/tcp-clear-tp-packets_out-when-purging-write-queue.patch new file mode 100644 index 00000000000..3988996477e --- /dev/null +++ b/queue-4.16/tcp-clear-tp-packets_out-when-purging-write-queue.patch @@ -0,0 +1,50 @@ +From foo@baz Thu Apr 26 20:46:44 CEST 2018 +From: Soheil Hassas Yeganeh +Date: Sat, 14 Apr 2018 20:44:46 -0400 +Subject: tcp: clear tp->packets_out when purging write queue + +From: Soheil Hassas Yeganeh + + +[ Upstream commit bffd168c3fc5cc7d2bad4c668fa90e7a9010db4b ] + +Clear tp->packets_out when purging the write queue, otherwise +tcp_rearm_rto() mistakenly assumes TCP write queue is not empty. +This results in NULL pointer dereference. + +Also, remove the redundant `tp->packets_out = 0` from +tcp_disconnect(), since tcp_disconnect() calls +tcp_write_queue_purge(). + +Fixes: a27fd7a8ed38 (tcp: purge write queue upon RST) +Reported-by: Subash Abhinov Kasiviswanathan +Reported-by: Sami Farin +Tested-by: Sami Farin +Signed-off-by: Eric Dumazet +Signed-off-by: Soheil Hassas Yeganeh +Acked-by: Yuchung Cheng +Acked-by: Neal Cardwell +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/tcp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -2385,6 +2385,7 @@ void tcp_write_queue_purge(struct sock * + INIT_LIST_HEAD(&tcp_sk(sk)->tsorted_sent_queue); + sk_mem_reclaim(sk); + tcp_clear_all_retrans_hints(tcp_sk(sk)); ++ tcp_sk(sk)->packets_out = 0; + } + + int tcp_disconnect(struct sock *sk, int flags) +@@ -2434,7 +2435,6 @@ int tcp_disconnect(struct sock *sk, int + icsk->icsk_backoff = 0; + tp->snd_cwnd = 2; + icsk->icsk_probes_out = 0; +- tp->packets_out = 0; + tp->snd_ssthresh = TCP_INFINITE_SSTHRESH; + tp->snd_cwnd_cnt = 0; + tp->window_clamp = 0; diff --git a/queue-4.16/tcp-don-t-read-out-of-bounds-opsize.patch b/queue-4.16/tcp-don-t-read-out-of-bounds-opsize.patch new file mode 100644 index 00000000000..ca98dab24d0 --- /dev/null +++ b/queue-4.16/tcp-don-t-read-out-of-bounds-opsize.patch @@ -0,0 +1,181 @@ +From foo@baz Thu Apr 26 20:46:44 CEST 2018 +From: Jann Horn +Date: Fri, 20 Apr 2018 15:57:30 +0200 +Subject: tcp: don't read out-of-bounds opsize + +From: Jann Horn + + +[ Upstream commit 7e5a206ab686f098367b61aca989f5cdfa8114a3 ] + +The old code reads the "opsize" variable from out-of-bounds memory (first +byte behind the segment) if a broken TCP segment ends directly after an +opcode that is neither EOL nor NOP. + +The result of the read isn't used for anything, so the worst thing that +could theoretically happen is a pagefault; and since the physmap is usually +mostly contiguous, even that seems pretty unlikely. + +The following C reproducer triggers the uninitialized read - however, you +can't actually see anything happen unless you put something like a +pr_warn() in tcp_parse_md5sig_option() to print the opsize. + +==================================== +#define _GNU_SOURCE +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +void systemf(const char *command, ...) { + char *full_command; + va_list ap; + va_start(ap, command); + if (vasprintf(&full_command, command, ap) == -1) + err(1, "vasprintf"); + va_end(ap); + printf("systemf: <<<%s>>>\n", full_command); + system(full_command); +} + +char *devname; + +int tun_alloc(char *name) { + int fd = open("/dev/net/tun", O_RDWR); + if (fd == -1) + err(1, "open tun dev"); + static struct ifreq req = { .ifr_flags = IFF_TUN|IFF_NO_PI }; + strcpy(req.ifr_name, name); + if (ioctl(fd, TUNSETIFF, &req)) + err(1, "TUNSETIFF"); + devname = req.ifr_name; + printf("device name: %s\n", devname); + return fd; +} + +#define IPADDR(a,b,c,d) (((a)<<0)+((b)<<8)+((c)<<16)+((d)<<24)) + +void sum_accumulate(unsigned int *sum, void *data, int len) { + assert((len&2)==0); + for (int i=0; i> 16) + (sum & 0xffff); + sum = (sum >> 16) + (sum & 0xffff); + return htons(~sum); +} + +void fix_ip_sum(struct iphdr *ip) { + unsigned int sum = 0; + sum_accumulate(&sum, ip, sizeof(*ip)); + ip->check = sum_final(sum); +} + +void fix_tcp_sum(struct iphdr *ip, struct tcphdr *tcp) { + unsigned int sum = 0; + struct { + unsigned int saddr; + unsigned int daddr; + unsigned char pad; + unsigned char proto_num; + unsigned short tcp_len; + } fakehdr = { + .saddr = ip->saddr, + .daddr = ip->daddr, + .proto_num = ip->protocol, + .tcp_len = htons(ntohs(ip->tot_len) - ip->ihl*4) + }; + sum_accumulate(&sum, &fakehdr, sizeof(fakehdr)); + sum_accumulate(&sum, tcp, tcp->doff*4); + tcp->check = sum_final(sum); +} + +int main(void) { + int tun_fd = tun_alloc("inject_dev%d"); + systemf("ip link set %s up", devname); + systemf("ip addr add 192.168.42.1/24 dev %s", devname); + + struct { + struct iphdr ip; + struct tcphdr tcp; + unsigned char tcp_opts[20]; + } __attribute__((packed)) syn_packet = { + .ip = { + .ihl = sizeof(struct iphdr)/4, + .version = 4, + .tot_len = htons(sizeof(syn_packet)), + .ttl = 30, + .protocol = IPPROTO_TCP, + /* FIXUP check */ + .saddr = IPADDR(192,168,42,2), + .daddr = IPADDR(192,168,42,1) + }, + .tcp = { + .source = htons(1), + .dest = htons(1337), + .seq = 0x12345678, + .doff = (sizeof(syn_packet.tcp)+sizeof(syn_packet.tcp_opts))/4, + .syn = 1, + .window = htons(64), + .check = 0 /*FIXUP*/ + }, + .tcp_opts = { + /* INVALID: trailing MD5SIG opcode after NOPs */ + 1, 1, 1, 1, 1, + 1, 1, 1, 1, 1, + 1, 1, 1, 1, 1, + 1, 1, 1, 1, 19 + } + }; + fix_ip_sum(&syn_packet.ip); + fix_tcp_sum(&syn_packet.ip, &syn_packet.tcp); + while (1) { + int write_res = write(tun_fd, &syn_packet, sizeof(syn_packet)); + if (write_res != sizeof(syn_packet)) + err(1, "packet write failed"); + } +} +==================================== + +Fixes: cfb6eeb4c860 ("[TCP]: MD5 Signature Option (RFC2385) support.") +Signed-off-by: Jann Horn +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/tcp_input.c | 7 ++----- + 1 file changed, 2 insertions(+), 5 deletions(-) + +--- a/net/ipv4/tcp_input.c ++++ b/net/ipv4/tcp_input.c +@@ -3871,11 +3871,8 @@ const u8 *tcp_parse_md5sig_option(const + int length = (th->doff << 2) - sizeof(*th); + const u8 *ptr = (const u8 *)(th + 1); + +- /* If the TCP option is too short, we can short cut */ +- if (length < TCPOLEN_MD5SIG) +- return NULL; +- +- while (length > 0) { ++ /* If not enough data remaining, we can short cut */ ++ while (length >= TCPOLEN_MD5SIG) { + int opcode = *ptr++; + int opsize; + diff --git a/queue-4.16/tcp-md5-reject-tcp_md5sig-or-tcp_md5sig_ext-on-established-sockets.patch b/queue-4.16/tcp-md5-reject-tcp_md5sig-or-tcp_md5sig_ext-on-established-sockets.patch new file mode 100644 index 00000000000..67db1072787 --- /dev/null +++ b/queue-4.16/tcp-md5-reject-tcp_md5sig-or-tcp_md5sig_ext-on-established-sockets.patch @@ -0,0 +1,110 @@ +From foo@baz Thu Apr 26 20:46:44 CEST 2018 +From: Eric Dumazet +Date: Wed, 11 Apr 2018 14:36:28 -0700 +Subject: tcp: md5: reject TCP_MD5SIG or TCP_MD5SIG_EXT on established sockets + +From: Eric Dumazet + + +[ Upstream commit 7212303268918b9a203aebeacfdbd83b5e87b20d ] + +syzbot/KMSAN reported an uninit-value in tcp_parse_options() [1] + +I believe this was caused by a TCP_MD5SIG being set on live +flow. + +This is highly unexpected, since TCP option space is limited. + +For instance, presence of TCP MD5 option automatically disables +TCP TimeStamp option at SYN/SYNACK time, which we can not do +once flow has been established. + +Really, adding/deleting an MD5 key only makes sense on sockets +in CLOSE or LISTEN state. + +[1] +BUG: KMSAN: uninit-value in tcp_parse_options+0xd74/0x1a30 net/ipv4/tcp_input.c:3720 +CPU: 1 PID: 6177 Comm: syzkaller192004 Not tainted 4.16.0+ #83 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:17 [inline] + dump_stack+0x185/0x1d0 lib/dump_stack.c:53 + kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067 + __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:676 + tcp_parse_options+0xd74/0x1a30 net/ipv4/tcp_input.c:3720 + tcp_fast_parse_options net/ipv4/tcp_input.c:3858 [inline] + tcp_validate_incoming+0x4f1/0x2790 net/ipv4/tcp_input.c:5184 + tcp_rcv_established+0xf60/0x2bb0 net/ipv4/tcp_input.c:5453 + tcp_v4_do_rcv+0x6cd/0xd90 net/ipv4/tcp_ipv4.c:1469 + sk_backlog_rcv include/net/sock.h:908 [inline] + __release_sock+0x2d6/0x680 net/core/sock.c:2271 + release_sock+0x97/0x2a0 net/core/sock.c:2786 + tcp_sendmsg+0xd6/0x100 net/ipv4/tcp.c:1464 + inet_sendmsg+0x48d/0x740 net/ipv4/af_inet.c:764 + sock_sendmsg_nosec net/socket.c:630 [inline] + sock_sendmsg net/socket.c:640 [inline] + SYSC_sendto+0x6c3/0x7e0 net/socket.c:1747 + SyS_sendto+0x8a/0xb0 net/socket.c:1715 + do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287 + entry_SYSCALL_64_after_hwframe+0x3d/0xa2 +RIP: 0033:0x448fe9 +RSP: 002b:00007fd472c64d38 EFLAGS: 00000216 ORIG_RAX: 000000000000002c +RAX: ffffffffffffffda RBX: 00000000006e5a30 RCX: 0000000000448fe9 +RDX: 000000000000029f RSI: 0000000020a88f88 RDI: 0000000000000004 +RBP: 00000000006e5a34 R08: 0000000020e68000 R09: 0000000000000010 +R10: 00000000200007fd R11: 0000000000000216 R12: 0000000000000000 +R13: 00007fff074899ef R14: 00007fd472c659c0 R15: 0000000000000009 + +Uninit was created at: + kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline] + kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:188 + kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:314 + kmsan_slab_alloc+0x11/0x20 mm/kmsan/kmsan.c:321 + slab_post_alloc_hook mm/slab.h:445 [inline] + slab_alloc_node mm/slub.c:2737 [inline] + __kmalloc_node_track_caller+0xaed/0x11c0 mm/slub.c:4369 + __kmalloc_reserve net/core/skbuff.c:138 [inline] + __alloc_skb+0x2cf/0x9f0 net/core/skbuff.c:206 + alloc_skb include/linux/skbuff.h:984 [inline] + tcp_send_ack+0x18c/0x910 net/ipv4/tcp_output.c:3624 + __tcp_ack_snd_check net/ipv4/tcp_input.c:5040 [inline] + tcp_ack_snd_check net/ipv4/tcp_input.c:5053 [inline] + tcp_rcv_established+0x2103/0x2bb0 net/ipv4/tcp_input.c:5469 + tcp_v4_do_rcv+0x6cd/0xd90 net/ipv4/tcp_ipv4.c:1469 + sk_backlog_rcv include/net/sock.h:908 [inline] + __release_sock+0x2d6/0x680 net/core/sock.c:2271 + release_sock+0x97/0x2a0 net/core/sock.c:2786 + tcp_sendmsg+0xd6/0x100 net/ipv4/tcp.c:1464 + inet_sendmsg+0x48d/0x740 net/ipv4/af_inet.c:764 + sock_sendmsg_nosec net/socket.c:630 [inline] + sock_sendmsg net/socket.c:640 [inline] + SYSC_sendto+0x6c3/0x7e0 net/socket.c:1747 + SyS_sendto+0x8a/0xb0 net/socket.c:1715 + do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287 + entry_SYSCALL_64_after_hwframe+0x3d/0xa2 + +Fixes: cfb6eeb4c860 ("[TCP]: MD5 Signature Option (RFC2385) support.") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Acked-by: Yuchung Cheng +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/tcp.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -2830,8 +2830,10 @@ static int do_tcp_setsockopt(struct sock + #ifdef CONFIG_TCP_MD5SIG + case TCP_MD5SIG: + case TCP_MD5SIG_EXT: +- /* Read the IP->Key mappings from userspace */ +- err = tp->af_specific->md5_parse(sk, optname, optval, optlen); ++ if ((1 << sk->sk_state) & (TCPF_CLOSE | TCPF_LISTEN)) ++ err = tp->af_specific->md5_parse(sk, optname, optval, optlen); ++ else ++ err = -EINVAL; + break; + #endif + case TCP_USER_TIMEOUT: diff --git a/queue-4.16/team-avoid-adding-twice-the-same-option-to-the-event-list.patch b/queue-4.16/team-avoid-adding-twice-the-same-option-to-the-event-list.patch new file mode 100644 index 00000000000..0ad17ad0c99 --- /dev/null +++ b/queue-4.16/team-avoid-adding-twice-the-same-option-to-the-event-list.patch @@ -0,0 +1,118 @@ +From foo@baz Thu Apr 26 20:46:44 CEST 2018 +From: Paolo Abeni +Date: Fri, 13 Apr 2018 13:59:25 +0200 +Subject: team: avoid adding twice the same option to the event list + +From: Paolo Abeni + + +[ Upstream commit 4fb0534fb7bbc2346ba7d3a072b538007f4135a5 ] + +When parsing the options provided by the user space, +team_nl_cmd_options_set() insert them in a temporary list to send +multiple events with a single message. +While each option's attribute is correctly validated, the code does +not check for duplicate entries before inserting into the event +list. + +Exploiting the above, the syzbot was able to trigger the following +splat: + +kernel BUG at lib/list_debug.c:31! +invalid opcode: 0000 [#1] SMP KASAN +Dumping ftrace buffer: + (ftrace buffer empty) +Modules linked in: +CPU: 0 PID: 4466 Comm: syzkaller556835 Not tainted 4.16.0+ #17 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS +Google 01/01/2011 +RIP: 0010:__list_add_valid+0xaa/0xb0 lib/list_debug.c:29 +RSP: 0018:ffff8801b04bf248 EFLAGS: 00010286 +RAX: 0000000000000058 RBX: ffff8801c8fc7a90 RCX: 0000000000000000 +RDX: 0000000000000058 RSI: ffffffff815fbf41 RDI: ffffed0036097e3f +RBP: ffff8801b04bf260 R08: ffff8801b0b2a700 R09: ffffed003b604f90 +R10: ffffed003b604f90 R11: ffff8801db027c87 R12: ffff8801c8fc7a90 +R13: ffff8801c8fc7a90 R14: dffffc0000000000 R15: 0000000000000000 +FS: 0000000000b98880(0000) GS:ffff8801db000000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 000000000043fc30 CR3: 00000001afe8e000 CR4: 00000000001406f0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + __list_add include/linux/list.h:60 [inline] + list_add include/linux/list.h:79 [inline] + team_nl_cmd_options_set+0x9ff/0x12b0 drivers/net/team/team.c:2571 + genl_family_rcv_msg+0x889/0x1120 net/netlink/genetlink.c:599 + genl_rcv_msg+0xc6/0x170 net/netlink/genetlink.c:624 + netlink_rcv_skb+0x172/0x440 net/netlink/af_netlink.c:2448 + genl_rcv+0x28/0x40 net/netlink/genetlink.c:635 + netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline] + netlink_unicast+0x58b/0x740 net/netlink/af_netlink.c:1336 + netlink_sendmsg+0x9f0/0xfa0 net/netlink/af_netlink.c:1901 + sock_sendmsg_nosec net/socket.c:629 [inline] + sock_sendmsg+0xd5/0x120 net/socket.c:639 + ___sys_sendmsg+0x805/0x940 net/socket.c:2117 + __sys_sendmsg+0x115/0x270 net/socket.c:2155 + SYSC_sendmsg net/socket.c:2164 [inline] + SyS_sendmsg+0x29/0x30 net/socket.c:2162 + do_syscall_64+0x29e/0x9d0 arch/x86/entry/common.c:287 + entry_SYSCALL_64_after_hwframe+0x42/0xb7 +RIP: 0033:0x4458b9 +RSP: 002b:00007ffd1d4a7278 EFLAGS: 00000213 ORIG_RAX: 000000000000002e +RAX: ffffffffffffffda RBX: 000000000000001b RCX: 00000000004458b9 +RDX: 0000000000000010 RSI: 0000000020000d00 RDI: 0000000000000004 +RBP: 00000000004a74ed R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000213 R12: 00007ffd1d4a7348 +R13: 0000000000402a60 R14: 0000000000000000 R15: 0000000000000000 +Code: 75 e8 eb a9 48 89 f7 48 89 75 e8 e8 d1 85 7b fe 48 8b 75 e8 eb bb 48 +89 f2 48 89 d9 4c 89 e6 48 c7 c7 a0 84 d8 87 e8 ea 67 28 fe <0f> 0b 0f 1f +40 00 48 b8 00 00 00 00 00 fc ff df 55 48 89 e5 41 +RIP: __list_add_valid+0xaa/0xb0 lib/list_debug.c:29 RSP: ffff8801b04bf248 + +This changeset addresses the avoiding list_add() if the current +option is already present in the event list. + +Reported-and-tested-by: syzbot+4d4af685432dc0e56c91@syzkaller.appspotmail.com +Signed-off-by: Paolo Abeni +Fixes: 2fcdb2c9e659 ("team: allow to send multiple set events in one message") +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/team/team.c | 19 +++++++++++++++++++ + 1 file changed, 19 insertions(+) + +--- a/drivers/net/team/team.c ++++ b/drivers/net/team/team.c +@@ -261,6 +261,17 @@ static void __team_option_inst_mark_remo + } + } + ++static bool __team_option_inst_tmp_find(const struct list_head *opts, ++ const struct team_option_inst *needle) ++{ ++ struct team_option_inst *opt_inst; ++ ++ list_for_each_entry(opt_inst, opts, tmp_list) ++ if (opt_inst == needle) ++ return true; ++ return false; ++} ++ + static int __team_options_register(struct team *team, + const struct team_option *option, + size_t option_count) +@@ -2562,6 +2573,14 @@ static int team_nl_cmd_options_set(struc + if (err) + goto team_put; + opt_inst->changed = true; ++ ++ /* dumb/evil user-space can send us duplicate opt, ++ * keep only the last one ++ */ ++ if (__team_option_inst_tmp_find(&opt_inst_list, ++ opt_inst)) ++ continue; ++ + list_add(&opt_inst->tmp_list, &opt_inst_list); + } + if (!opt_found) { diff --git a/queue-4.16/team-fix-netconsole-setup-over-team.patch b/queue-4.16/team-fix-netconsole-setup-over-team.patch new file mode 100644 index 00000000000..9c069513c2b --- /dev/null +++ b/queue-4.16/team-fix-netconsole-setup-over-team.patch @@ -0,0 +1,88 @@ +From foo@baz Thu Apr 26 20:46:44 CEST 2018 +From: Xin Long +Date: Tue, 24 Apr 2018 14:33:37 +0800 +Subject: team: fix netconsole setup over team + +From: Xin Long + + +[ Upstream commit 9cf2f437ca5b39828984064fad213e68fc17ef11 ] + +The same fix in Commit dbe173079ab5 ("bridge: fix netconsole +setup over bridge") is also needed for team driver. + +While at it, remove the unnecessary parameter *team from +team_port_enable_netpoll(). + +v1->v2: + - fix it in a better way, as does bridge. + +Fixes: 0fb52a27a04a ("team: cleanup netpoll clode") +Reported-by: João Avelino Bellomo Filho +Signed-off-by: Xin Long +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/team/team.c | 19 ++++++++++++------- + 1 file changed, 12 insertions(+), 7 deletions(-) + +--- a/drivers/net/team/team.c ++++ b/drivers/net/team/team.c +@@ -1072,14 +1072,11 @@ static void team_port_leave(struct team + } + + #ifdef CONFIG_NET_POLL_CONTROLLER +-static int team_port_enable_netpoll(struct team *team, struct team_port *port) ++static int __team_port_enable_netpoll(struct team_port *port) + { + struct netpoll *np; + int err; + +- if (!team->dev->npinfo) +- return 0; +- + np = kzalloc(sizeof(*np), GFP_KERNEL); + if (!np) + return -ENOMEM; +@@ -1093,6 +1090,14 @@ static int team_port_enable_netpoll(stru + return err; + } + ++static int team_port_enable_netpoll(struct team_port *port) ++{ ++ if (!port->team->dev->npinfo) ++ return 0; ++ ++ return __team_port_enable_netpoll(port); ++} ++ + static void team_port_disable_netpoll(struct team_port *port) + { + struct netpoll *np = port->np; +@@ -1107,7 +1112,7 @@ static void team_port_disable_netpoll(st + kfree(np); + } + #else +-static int team_port_enable_netpoll(struct team *team, struct team_port *port) ++static int team_port_enable_netpoll(struct team_port *port) + { + return 0; + } +@@ -1215,7 +1220,7 @@ static int team_port_add(struct team *te + goto err_vids_add; + } + +- err = team_port_enable_netpoll(team, port); ++ err = team_port_enable_netpoll(port); + if (err) { + netdev_err(dev, "Failed to enable netpoll on device %s\n", + portname); +@@ -1912,7 +1917,7 @@ static int team_netpoll_setup(struct net + + mutex_lock(&team->lock); + list_for_each_entry(port, &team->port_list, list) { +- err = team_port_enable_netpoll(team, port); ++ err = __team_port_enable_netpoll(port); + if (err) { + __team_netpoll_cleanup(team); + break; diff --git a/queue-4.16/tipc-add-policy-for-tipc_nla_net_addr.patch b/queue-4.16/tipc-add-policy-for-tipc_nla_net_addr.patch new file mode 100644 index 00000000000..c29907eb9e2 --- /dev/null +++ b/queue-4.16/tipc-add-policy-for-tipc_nla_net_addr.patch @@ -0,0 +1,34 @@ +From foo@baz Thu Apr 26 20:46:44 CEST 2018 +From: Eric Dumazet +Date: Mon, 16 Apr 2018 08:29:42 -0700 +Subject: tipc: add policy for TIPC_NLA_NET_ADDR + +From: Eric Dumazet + + +[ Upstream commit ec518f21cb1a1b1f8a516499ea05c60299e04963 ] + +Before syzbot/KMSAN bites, add the missing policy for TIPC_NLA_NET_ADDR + +Fixes: 27c21416727a ("tipc: add net set to new netlink api") +Signed-off-by: Eric Dumazet +Cc: Jon Maloy +Cc: Ying Xue +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/tipc/netlink.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/tipc/netlink.c ++++ b/net/tipc/netlink.c +@@ -79,7 +79,8 @@ const struct nla_policy tipc_nl_sock_pol + + const struct nla_policy tipc_nl_net_policy[TIPC_NLA_NET_MAX + 1] = { + [TIPC_NLA_NET_UNSPEC] = { .type = NLA_UNSPEC }, +- [TIPC_NLA_NET_ID] = { .type = NLA_U32 } ++ [TIPC_NLA_NET_ID] = { .type = NLA_U32 }, ++ [TIPC_NLA_NET_ADDR] = { .type = NLA_U32 }, + }; + + const struct nla_policy tipc_nl_link_policy[TIPC_NLA_LINK_MAX + 1] = { diff --git a/queue-4.16/tun-fix-vlan-packet-truncation.patch b/queue-4.16/tun-fix-vlan-packet-truncation.patch new file mode 100644 index 00000000000..afd2659519f --- /dev/null +++ b/queue-4.16/tun-fix-vlan-packet-truncation.patch @@ -0,0 +1,68 @@ +From foo@baz Thu Apr 26 20:46:44 CEST 2018 +From: "Bjørn Mork" +Date: Tue, 17 Apr 2018 22:46:38 +0200 +Subject: tun: fix vlan packet truncation + +From: "Bjørn Mork" + + +[ Upstream commit 81c895072d29cd70eea5be1a8587cd6461c3715a ] + +Bogus trimming in tun_net_xmit() causes truncated vlan packets. + +skb->len is correct whether or not skb_vlan_tag_present() is true. There +is no more reason to adjust the skb length on xmit in this driver than +any other driver. tun_put_user() adds 4 bytes to the total for tagged +packets because it transmits the tag inline to userspace. This is +similar to a nic transmitting the tag inline on the wire. + +Reproducing the bug by sending any tagged packet through back-to-back +connected tap interfaces: + + socat TUN,tun-type=tap,iff-up,tun-name=in TUN,tun-type=tap,iff-up,tun-name=out & + ip link add link in name in.20 type vlan id 20 + ip addr add 10.9.9.9/24 dev in.20 + ip link set in.20 up + tshark -nxxi in -f arp -c1 2>/dev/null & + tshark -nxxi out -f arp -c1 2>/dev/null & + ping -c 1 10.9.9.5 >/dev/null 2>&1 + +The output from the 'in' and 'out' interfaces are different when the +bug is present: + + Capturing on 'in' + 0000 ff ff ff ff ff ff 76 cf 76 37 d5 0a 81 00 00 14 ......v.v7...... + 0010 08 06 00 01 08 00 06 04 00 01 76 cf 76 37 d5 0a ..........v.v7.. + 0020 0a 09 09 09 00 00 00 00 00 00 0a 09 09 05 .............. + + Capturing on 'out' + 0000 ff ff ff ff ff ff 76 cf 76 37 d5 0a 81 00 00 14 ......v.v7...... + 0010 08 06 00 01 08 00 06 04 00 01 76 cf 76 37 d5 0a ..........v.v7.. + 0020 0a 09 09 09 00 00 00 00 00 00 .......... + +Fixes: aff3d70a07ff ("tun: allow to attach ebpf socket filter") +Cc: Jason Wang +Signed-off-by: Bjørn Mork +Acked-by: Jason Wang +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/tun.c | 7 +------ + 1 file changed, 1 insertion(+), 6 deletions(-) + +--- a/drivers/net/tun.c ++++ b/drivers/net/tun.c +@@ -1094,12 +1094,7 @@ static netdev_tx_t tun_net_xmit(struct s + goto drop; + + len = run_ebpf_filter(tun, skb, len); +- +- /* Trim extra bytes since we may insert vlan proto & TCI +- * in tun_put_user(). +- */ +- len -= skb_vlan_tag_present(skb) ? sizeof(struct veth) : 0; +- if (len <= 0 || pskb_trim(skb, len)) ++ if (len == 0 || pskb_trim(skb, len)) + goto drop; + + if (unlikely(skb_orphan_frags_rx(skb, GFP_ATOMIC))) diff --git a/queue-4.16/virtio-net-add-missing-virtqueue-kick-when-flushing-packets.patch b/queue-4.16/virtio-net-add-missing-virtqueue-kick-when-flushing-packets.patch new file mode 100644 index 00000000000..cabe869dc4f --- /dev/null +++ b/queue-4.16/virtio-net-add-missing-virtqueue-kick-when-flushing-packets.patch @@ -0,0 +1,54 @@ +From foo@baz Thu Apr 26 20:46:44 CEST 2018 +From: Jason Wang +Date: Fri, 13 Apr 2018 14:58:25 +0800 +Subject: virtio-net: add missing virtqueue kick when flushing packets + +From: Jason Wang + + +[ Upstream commit 9267c430c6b6f4c0120e3c6bb847313d633f02a6 ] + +We tends to batch submitting packets during XDP_TX. This requires to +kick virtqueue after a batch, we tried to do it through +xdp_do_flush_map() which only makes sense for devmap not XDP_TX. So +explicitly kick the virtqueue in this case. + +Reported-by: Kimitoshi Takahashi +Tested-by: Kimitoshi Takahashi +Cc: Daniel Borkmann +Fixes: 186b3c998c50 ("virtio-net: support XDP_REDIRECT") +Signed-off-by: Jason Wang +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/virtio_net.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +--- a/drivers/net/virtio_net.c ++++ b/drivers/net/virtio_net.c +@@ -1269,7 +1269,9 @@ static int virtnet_poll(struct napi_stru + { + struct receive_queue *rq = + container_of(napi, struct receive_queue, napi); +- unsigned int received; ++ struct virtnet_info *vi = rq->vq->vdev->priv; ++ struct send_queue *sq; ++ unsigned int received, qp; + bool xdp_xmit = false; + + virtnet_poll_cleantx(rq); +@@ -1280,8 +1282,13 @@ static int virtnet_poll(struct napi_stru + if (received < budget) + virtqueue_napi_complete(napi, rq->vq, received); + +- if (xdp_xmit) ++ if (xdp_xmit) { ++ qp = vi->curr_queue_pairs - vi->xdp_queue_pairs + ++ smp_processor_id(); ++ sq = &vi->sq[qp]; ++ virtqueue_kick(sq->vq); + xdp_do_flush_map(); ++ } + + return received; + } diff --git a/queue-4.16/virtio_net-fix-adding-vids-on-big-endian.patch b/queue-4.16/virtio_net-fix-adding-vids-on-big-endian.patch new file mode 100644 index 00000000000..e4a1df2a103 --- /dev/null +++ b/queue-4.16/virtio_net-fix-adding-vids-on-big-endian.patch @@ -0,0 +1,55 @@ +From foo@baz Thu Apr 26 20:46:44 CEST 2018 +From: "Michael S. Tsirkin" +Date: Thu, 19 Apr 2018 08:30:49 +0300 +Subject: virtio_net: fix adding vids on big-endian + +From: "Michael S. Tsirkin" + + +[ Upstream commit d7fad4c840f33a6bd333dd7fbb3006edbcf0017a ] + +Programming vids (adding or removing them) still passes +guest-endian values in the DMA buffer. That's wrong +if guest is big-endian and when virtio 1 is enabled. + +Note: this is on top of a previous patch: + virtio_net: split out ctrl buffer + +Fixes: 9465a7a6f ("virtio_net: enable v1.0 support") +Signed-off-by: Michael S. Tsirkin +Acked-by: Jason Wang +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/virtio_net.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/net/virtio_net.c ++++ b/drivers/net/virtio_net.c +@@ -154,7 +154,7 @@ struct control_buf { + struct virtio_net_ctrl_mq mq; + u8 promisc; + u8 allmulti; +- u16 vid; ++ __virtio16 vid; + u64 offloads; + }; + +@@ -1725,7 +1725,7 @@ static int virtnet_vlan_rx_add_vid(struc + struct virtnet_info *vi = netdev_priv(dev); + struct scatterlist sg; + +- vi->ctrl->vid = vid; ++ vi->ctrl->vid = cpu_to_virtio16(vi->vdev, vid); + sg_init_one(&sg, &vi->ctrl->vid, sizeof(vi->ctrl->vid)); + + if (!virtnet_send_command(vi, VIRTIO_NET_CTRL_VLAN, +@@ -1740,7 +1740,7 @@ static int virtnet_vlan_rx_kill_vid(stru + struct virtnet_info *vi = netdev_priv(dev); + struct scatterlist sg; + +- vi->ctrl->vid = vid; ++ vi->ctrl->vid = cpu_to_virtio16(vi->vdev, vid); + sg_init_one(&sg, &vi->ctrl->vid, sizeof(vi->ctrl->vid)); + + if (!virtnet_send_command(vi, VIRTIO_NET_CTRL_VLAN, diff --git a/queue-4.16/virtio_net-split-out-ctrl-buffer.patch b/queue-4.16/virtio_net-split-out-ctrl-buffer.patch new file mode 100644 index 00000000000..bbc29b74af3 --- /dev/null +++ b/queue-4.16/virtio_net-split-out-ctrl-buffer.patch @@ -0,0 +1,206 @@ +From foo@baz Thu Apr 26 20:46:44 CEST 2018 +From: "Michael S. Tsirkin" +Date: Thu, 19 Apr 2018 08:30:48 +0300 +Subject: virtio_net: split out ctrl buffer + +From: "Michael S. Tsirkin" + + +[ Upstream commit 12e571693837d6164bda61e316b1944972ee0d97 ] + +When sending control commands, virtio net sets up several buffers for +DMA. The buffers are all part of the net device which means it's +actually allocated by kvmalloc so it's in theory (on extreme memory +pressure) possible to get a vmalloc'ed buffer which on some platforms +means we can't DMA there. + +Fix up by moving the DMA buffers into a separate structure. + +Reported-by: Mikulas Patocka +Suggested-by: Eric Dumazet +Signed-off-by: Michael S. Tsirkin +Acked-by: Jason Wang +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/virtio_net.c | 68 ++++++++++++++++++++++++++--------------------- + 1 file changed, 39 insertions(+), 29 deletions(-) + +--- a/drivers/net/virtio_net.c ++++ b/drivers/net/virtio_net.c +@@ -147,6 +147,17 @@ struct receive_queue { + struct xdp_rxq_info xdp_rxq; + }; + ++/* Control VQ buffers: protected by the rtnl lock */ ++struct control_buf { ++ struct virtio_net_ctrl_hdr hdr; ++ virtio_net_ctrl_ack status; ++ struct virtio_net_ctrl_mq mq; ++ u8 promisc; ++ u8 allmulti; ++ u16 vid; ++ u64 offloads; ++}; ++ + struct virtnet_info { + struct virtio_device *vdev; + struct virtqueue *cvq; +@@ -192,14 +203,7 @@ struct virtnet_info { + struct hlist_node node; + struct hlist_node node_dead; + +- /* Control VQ buffers: protected by the rtnl lock */ +- struct virtio_net_ctrl_hdr ctrl_hdr; +- virtio_net_ctrl_ack ctrl_status; +- struct virtio_net_ctrl_mq ctrl_mq; +- u8 ctrl_promisc; +- u8 ctrl_allmulti; +- u16 ctrl_vid; +- u64 ctrl_offloads; ++ struct control_buf *ctrl; + + /* Ethtool settings */ + u8 duplex; +@@ -1461,25 +1465,25 @@ static bool virtnet_send_command(struct + /* Caller should know better */ + BUG_ON(!virtio_has_feature(vi->vdev, VIRTIO_NET_F_CTRL_VQ)); + +- vi->ctrl_status = ~0; +- vi->ctrl_hdr.class = class; +- vi->ctrl_hdr.cmd = cmd; ++ vi->ctrl->status = ~0; ++ vi->ctrl->hdr.class = class; ++ vi->ctrl->hdr.cmd = cmd; + /* Add header */ +- sg_init_one(&hdr, &vi->ctrl_hdr, sizeof(vi->ctrl_hdr)); ++ sg_init_one(&hdr, &vi->ctrl->hdr, sizeof(vi->ctrl->hdr)); + sgs[out_num++] = &hdr; + + if (out) + sgs[out_num++] = out; + + /* Add return status. */ +- sg_init_one(&stat, &vi->ctrl_status, sizeof(vi->ctrl_status)); ++ sg_init_one(&stat, &vi->ctrl->status, sizeof(vi->ctrl->status)); + sgs[out_num] = &stat; + + BUG_ON(out_num + 1 > ARRAY_SIZE(sgs)); + virtqueue_add_sgs(vi->cvq, sgs, out_num, 1, vi, GFP_ATOMIC); + + if (unlikely(!virtqueue_kick(vi->cvq))) +- return vi->ctrl_status == VIRTIO_NET_OK; ++ return vi->ctrl->status == VIRTIO_NET_OK; + + /* Spin for a response, the kick causes an ioport write, trapping + * into the hypervisor, so the request should be handled immediately. +@@ -1488,7 +1492,7 @@ static bool virtnet_send_command(struct + !virtqueue_is_broken(vi->cvq)) + cpu_relax(); + +- return vi->ctrl_status == VIRTIO_NET_OK; ++ return vi->ctrl->status == VIRTIO_NET_OK; + } + + static int virtnet_set_mac_address(struct net_device *dev, void *p) +@@ -1600,8 +1604,8 @@ static int _virtnet_set_queues(struct vi + if (!vi->has_cvq || !virtio_has_feature(vi->vdev, VIRTIO_NET_F_MQ)) + return 0; + +- vi->ctrl_mq.virtqueue_pairs = cpu_to_virtio16(vi->vdev, queue_pairs); +- sg_init_one(&sg, &vi->ctrl_mq, sizeof(vi->ctrl_mq)); ++ vi->ctrl->mq.virtqueue_pairs = cpu_to_virtio16(vi->vdev, queue_pairs); ++ sg_init_one(&sg, &vi->ctrl->mq, sizeof(vi->ctrl->mq)); + + if (!virtnet_send_command(vi, VIRTIO_NET_CTRL_MQ, + VIRTIO_NET_CTRL_MQ_VQ_PAIRS_SET, &sg)) { +@@ -1660,22 +1664,22 @@ static void virtnet_set_rx_mode(struct n + if (!virtio_has_feature(vi->vdev, VIRTIO_NET_F_CTRL_RX)) + return; + +- vi->ctrl_promisc = ((dev->flags & IFF_PROMISC) != 0); +- vi->ctrl_allmulti = ((dev->flags & IFF_ALLMULTI) != 0); ++ vi->ctrl->promisc = ((dev->flags & IFF_PROMISC) != 0); ++ vi->ctrl->allmulti = ((dev->flags & IFF_ALLMULTI) != 0); + +- sg_init_one(sg, &vi->ctrl_promisc, sizeof(vi->ctrl_promisc)); ++ sg_init_one(sg, &vi->ctrl->promisc, sizeof(vi->ctrl->promisc)); + + if (!virtnet_send_command(vi, VIRTIO_NET_CTRL_RX, + VIRTIO_NET_CTRL_RX_PROMISC, sg)) + dev_warn(&dev->dev, "Failed to %sable promisc mode.\n", +- vi->ctrl_promisc ? "en" : "dis"); ++ vi->ctrl->promisc ? "en" : "dis"); + +- sg_init_one(sg, &vi->ctrl_allmulti, sizeof(vi->ctrl_allmulti)); ++ sg_init_one(sg, &vi->ctrl->allmulti, sizeof(vi->ctrl->allmulti)); + + if (!virtnet_send_command(vi, VIRTIO_NET_CTRL_RX, + VIRTIO_NET_CTRL_RX_ALLMULTI, sg)) + dev_warn(&dev->dev, "Failed to %sable allmulti mode.\n", +- vi->ctrl_allmulti ? "en" : "dis"); ++ vi->ctrl->allmulti ? "en" : "dis"); + + uc_count = netdev_uc_count(dev); + mc_count = netdev_mc_count(dev); +@@ -1721,8 +1725,8 @@ static int virtnet_vlan_rx_add_vid(struc + struct virtnet_info *vi = netdev_priv(dev); + struct scatterlist sg; + +- vi->ctrl_vid = vid; +- sg_init_one(&sg, &vi->ctrl_vid, sizeof(vi->ctrl_vid)); ++ vi->ctrl->vid = vid; ++ sg_init_one(&sg, &vi->ctrl->vid, sizeof(vi->ctrl->vid)); + + if (!virtnet_send_command(vi, VIRTIO_NET_CTRL_VLAN, + VIRTIO_NET_CTRL_VLAN_ADD, &sg)) +@@ -1736,8 +1740,8 @@ static int virtnet_vlan_rx_kill_vid(stru + struct virtnet_info *vi = netdev_priv(dev); + struct scatterlist sg; + +- vi->ctrl_vid = vid; +- sg_init_one(&sg, &vi->ctrl_vid, sizeof(vi->ctrl_vid)); ++ vi->ctrl->vid = vid; ++ sg_init_one(&sg, &vi->ctrl->vid, sizeof(vi->ctrl->vid)); + + if (!virtnet_send_command(vi, VIRTIO_NET_CTRL_VLAN, + VIRTIO_NET_CTRL_VLAN_DEL, &sg)) +@@ -2133,9 +2137,9 @@ static int virtnet_restore_up(struct vir + static int virtnet_set_guest_offloads(struct virtnet_info *vi, u64 offloads) + { + struct scatterlist sg; +- vi->ctrl_offloads = cpu_to_virtio64(vi->vdev, offloads); ++ vi->ctrl->offloads = cpu_to_virtio64(vi->vdev, offloads); + +- sg_init_one(&sg, &vi->ctrl_offloads, sizeof(vi->ctrl_offloads)); ++ sg_init_one(&sg, &vi->ctrl->offloads, sizeof(vi->ctrl->offloads)); + + if (!virtnet_send_command(vi, VIRTIO_NET_CTRL_GUEST_OFFLOADS, + VIRTIO_NET_CTRL_GUEST_OFFLOADS_SET, &sg)) { +@@ -2358,6 +2362,7 @@ static void virtnet_free_queues(struct v + + kfree(vi->rq); + kfree(vi->sq); ++ kfree(vi->ctrl); + } + + static void _free_receive_bufs(struct virtnet_info *vi) +@@ -2550,6 +2555,9 @@ static int virtnet_alloc_queues(struct v + { + int i; + ++ vi->ctrl = kzalloc(sizeof(*vi->ctrl), GFP_KERNEL); ++ if (!vi->ctrl) ++ goto err_ctrl; + vi->sq = kzalloc(sizeof(*vi->sq) * vi->max_queue_pairs, GFP_KERNEL); + if (!vi->sq) + goto err_sq; +@@ -2578,6 +2586,8 @@ static int virtnet_alloc_queues(struct v + err_rq: + kfree(vi->sq); + err_sq: ++ kfree(vi->ctrl); ++err_ctrl: + return -ENOMEM; + } + diff --git a/queue-4.16/vlan-fix-reading-memory-beyond-skb-tail-in-skb_vlan_tagged_multi.patch b/queue-4.16/vlan-fix-reading-memory-beyond-skb-tail-in-skb_vlan_tagged_multi.patch new file mode 100644 index 00000000000..7a012038e23 --- /dev/null +++ b/queue-4.16/vlan-fix-reading-memory-beyond-skb-tail-in-skb_vlan_tagged_multi.patch @@ -0,0 +1,135 @@ +From foo@baz Thu Apr 26 20:46:44 CEST 2018 +From: Toshiaki Makita +Date: Tue, 17 Apr 2018 18:46:14 +0900 +Subject: vlan: Fix reading memory beyond skb->tail in skb_vlan_tagged_multi + +From: Toshiaki Makita + + +[ Upstream commit 7ce2367254e84753bceb07327aaf5c953cfce117 ] + +Syzkaller spotted an old bug which leads to reading skb beyond tail by 4 +bytes on vlan tagged packets. +This is caused because skb_vlan_tagged_multi() did not check +skb_headlen. + +BUG: KMSAN: uninit-value in eth_type_vlan include/linux/if_vlan.h:283 [inline] +BUG: KMSAN: uninit-value in skb_vlan_tagged_multi include/linux/if_vlan.h:656 [inline] +BUG: KMSAN: uninit-value in vlan_features_check include/linux/if_vlan.h:672 [inline] +BUG: KMSAN: uninit-value in dflt_features_check net/core/dev.c:2949 [inline] +BUG: KMSAN: uninit-value in netif_skb_features+0xd1b/0xdc0 net/core/dev.c:3009 +CPU: 1 PID: 3582 Comm: syzkaller435149 Not tainted 4.16.0+ #82 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:17 [inline] + dump_stack+0x185/0x1d0 lib/dump_stack.c:53 + kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067 + __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:676 + eth_type_vlan include/linux/if_vlan.h:283 [inline] + skb_vlan_tagged_multi include/linux/if_vlan.h:656 [inline] + vlan_features_check include/linux/if_vlan.h:672 [inline] + dflt_features_check net/core/dev.c:2949 [inline] + netif_skb_features+0xd1b/0xdc0 net/core/dev.c:3009 + validate_xmit_skb+0x89/0x1320 net/core/dev.c:3084 + __dev_queue_xmit+0x1cb2/0x2b60 net/core/dev.c:3549 + dev_queue_xmit+0x4b/0x60 net/core/dev.c:3590 + packet_snd net/packet/af_packet.c:2944 [inline] + packet_sendmsg+0x7c57/0x8a10 net/packet/af_packet.c:2969 + sock_sendmsg_nosec net/socket.c:630 [inline] + sock_sendmsg net/socket.c:640 [inline] + sock_write_iter+0x3b9/0x470 net/socket.c:909 + do_iter_readv_writev+0x7bb/0x970 include/linux/fs.h:1776 + do_iter_write+0x30d/0xd40 fs/read_write.c:932 + vfs_writev fs/read_write.c:977 [inline] + do_writev+0x3c9/0x830 fs/read_write.c:1012 + SYSC_writev+0x9b/0xb0 fs/read_write.c:1085 + SyS_writev+0x56/0x80 fs/read_write.c:1082 + do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287 + entry_SYSCALL_64_after_hwframe+0x3d/0xa2 +RIP: 0033:0x43ffa9 +RSP: 002b:00007fff2cff3948 EFLAGS: 00000217 ORIG_RAX: 0000000000000014 +RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043ffa9 +RDX: 0000000000000001 RSI: 0000000020000080 RDI: 0000000000000003 +RBP: 00000000006cb018 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000217 R12: 00000000004018d0 +R13: 0000000000401960 R14: 0000000000000000 R15: 0000000000000000 + +Uninit was created at: + kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline] + kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:188 + kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:314 + kmsan_slab_alloc+0x11/0x20 mm/kmsan/kmsan.c:321 + slab_post_alloc_hook mm/slab.h:445 [inline] + slab_alloc_node mm/slub.c:2737 [inline] + __kmalloc_node_track_caller+0xaed/0x11c0 mm/slub.c:4369 + __kmalloc_reserve net/core/skbuff.c:138 [inline] + __alloc_skb+0x2cf/0x9f0 net/core/skbuff.c:206 + alloc_skb include/linux/skbuff.h:984 [inline] + alloc_skb_with_frags+0x1d4/0xb20 net/core/skbuff.c:5234 + sock_alloc_send_pskb+0xb56/0x1190 net/core/sock.c:2085 + packet_alloc_skb net/packet/af_packet.c:2803 [inline] + packet_snd net/packet/af_packet.c:2894 [inline] + packet_sendmsg+0x6444/0x8a10 net/packet/af_packet.c:2969 + sock_sendmsg_nosec net/socket.c:630 [inline] + sock_sendmsg net/socket.c:640 [inline] + sock_write_iter+0x3b9/0x470 net/socket.c:909 + do_iter_readv_writev+0x7bb/0x970 include/linux/fs.h:1776 + do_iter_write+0x30d/0xd40 fs/read_write.c:932 + vfs_writev fs/read_write.c:977 [inline] + do_writev+0x3c9/0x830 fs/read_write.c:1012 + SYSC_writev+0x9b/0xb0 fs/read_write.c:1085 + SyS_writev+0x56/0x80 fs/read_write.c:1082 + do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287 + entry_SYSCALL_64_after_hwframe+0x3d/0xa2 + +Fixes: 58e998c6d239 ("offloading: Force software GSO for multiple vlan tags.") +Reported-and-tested-by: syzbot+0bbe42c764feafa82c5a@syzkaller.appspotmail.com +Signed-off-by: Toshiaki Makita +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/if_vlan.h | 7 +++++-- + net/core/dev.c | 2 +- + 2 files changed, 6 insertions(+), 3 deletions(-) + +--- a/include/linux/if_vlan.h ++++ b/include/linux/if_vlan.h +@@ -639,7 +639,7 @@ static inline bool skb_vlan_tagged(const + * Returns true if the skb is tagged with multiple vlan headers, regardless + * of whether it is hardware accelerated or not. + */ +-static inline bool skb_vlan_tagged_multi(const struct sk_buff *skb) ++static inline bool skb_vlan_tagged_multi(struct sk_buff *skb) + { + __be16 protocol = skb->protocol; + +@@ -649,6 +649,9 @@ static inline bool skb_vlan_tagged_multi + if (likely(!eth_type_vlan(protocol))) + return false; + ++ if (unlikely(!pskb_may_pull(skb, VLAN_ETH_HLEN))) ++ return false; ++ + veh = (struct vlan_ethhdr *)skb->data; + protocol = veh->h_vlan_encapsulated_proto; + } +@@ -666,7 +669,7 @@ static inline bool skb_vlan_tagged_multi + * + * Returns features without unsafe ones if the skb has multiple tags. + */ +-static inline netdev_features_t vlan_features_check(const struct sk_buff *skb, ++static inline netdev_features_t vlan_features_check(struct sk_buff *skb, + netdev_features_t features) + { + if (skb_vlan_tagged_multi(skb)) { +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -2942,7 +2942,7 @@ netdev_features_t passthru_features_chec + } + EXPORT_SYMBOL(passthru_features_check); + +-static netdev_features_t dflt_features_check(const struct sk_buff *skb, ++static netdev_features_t dflt_features_check(struct sk_buff *skb, + struct net_device *dev, + netdev_features_t features) + { diff --git a/queue-4.16/vmxnet3-fix-incorrect-dereference-when-rxvlan-is-disabled.patch b/queue-4.16/vmxnet3-fix-incorrect-dereference-when-rxvlan-is-disabled.patch new file mode 100644 index 00000000000..bc0003ab23d --- /dev/null +++ b/queue-4.16/vmxnet3-fix-incorrect-dereference-when-rxvlan-is-disabled.patch @@ -0,0 +1,82 @@ +From foo@baz Thu Apr 26 20:46:44 CEST 2018 +From: Ronak Doshi +Date: Wed, 18 Apr 2018 12:48:04 -0700 +Subject: vmxnet3: fix incorrect dereference when rxvlan is disabled + +From: Ronak Doshi + + +[ Upstream commit 65ec0bd1c7c14522670a5294de35710fb577a7fd ] + +vmxnet3_get_hdr_len() is used to calculate the header length which in +turn is used to calculate the gso_size for skb. When rxvlan offload is +disabled, vlan tag is present in the header and the function references +ip header from sizeof(ethhdr) and leads to incorrect pointer reference. + +This patch fixes this issue by taking sizeof(vlan_ethhdr) into account +if vlan tag is present and correctly references the ip hdr. + +Signed-off-by: Ronak Doshi +Acked-by: Guolin Yang +Acked-by: Louis Luo +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/vmxnet3/vmxnet3_drv.c | 17 +++++++++++++---- + drivers/net/vmxnet3/vmxnet3_int.h | 4 ++-- + 2 files changed, 15 insertions(+), 6 deletions(-) + +--- a/drivers/net/vmxnet3/vmxnet3_drv.c ++++ b/drivers/net/vmxnet3/vmxnet3_drv.c +@@ -1218,6 +1218,7 @@ vmxnet3_get_hdr_len(struct vmxnet3_adapt + union { + void *ptr; + struct ethhdr *eth; ++ struct vlan_ethhdr *veth; + struct iphdr *ipv4; + struct ipv6hdr *ipv6; + struct tcphdr *tcp; +@@ -1228,16 +1229,24 @@ vmxnet3_get_hdr_len(struct vmxnet3_adapt + if (unlikely(sizeof(struct iphdr) + sizeof(struct tcphdr) > maplen)) + return 0; + ++ if (skb->protocol == cpu_to_be16(ETH_P_8021Q) || ++ skb->protocol == cpu_to_be16(ETH_P_8021AD)) ++ hlen = sizeof(struct vlan_ethhdr); ++ else ++ hlen = sizeof(struct ethhdr); ++ + hdr.eth = eth_hdr(skb); + if (gdesc->rcd.v4) { +- BUG_ON(hdr.eth->h_proto != htons(ETH_P_IP)); +- hdr.ptr += sizeof(struct ethhdr); ++ BUG_ON(hdr.eth->h_proto != htons(ETH_P_IP) && ++ hdr.veth->h_vlan_encapsulated_proto != htons(ETH_P_IP)); ++ hdr.ptr += hlen; + BUG_ON(hdr.ipv4->protocol != IPPROTO_TCP); + hlen = hdr.ipv4->ihl << 2; + hdr.ptr += hdr.ipv4->ihl << 2; + } else if (gdesc->rcd.v6) { +- BUG_ON(hdr.eth->h_proto != htons(ETH_P_IPV6)); +- hdr.ptr += sizeof(struct ethhdr); ++ BUG_ON(hdr.eth->h_proto != htons(ETH_P_IPV6) && ++ hdr.veth->h_vlan_encapsulated_proto != htons(ETH_P_IPV6)); ++ hdr.ptr += hlen; + /* Use an estimated value, since we also need to handle + * TSO case. + */ +--- a/drivers/net/vmxnet3/vmxnet3_int.h ++++ b/drivers/net/vmxnet3/vmxnet3_int.h +@@ -69,10 +69,10 @@ + /* + * Version numbers + */ +-#define VMXNET3_DRIVER_VERSION_STRING "1.4.13.0-k" ++#define VMXNET3_DRIVER_VERSION_STRING "1.4.14.0-k" + + /* a 32-bit int, each byte encode a verion number in VMXNET3_DRIVER_VERSION */ +-#define VMXNET3_DRIVER_VERSION_NUM 0x01040d00 ++#define VMXNET3_DRIVER_VERSION_NUM 0x01040e00 + + #if defined(CONFIG_PCI_MSI) + /* RSS only makes sense if MSI-X is supported. */ diff --git a/queue-4.16/vsock-make-af_vsock.ko-removable-again.patch b/queue-4.16/vsock-make-af_vsock.ko-removable-again.patch new file mode 100644 index 00000000000..11b1331e72b --- /dev/null +++ b/queue-4.16/vsock-make-af_vsock.ko-removable-again.patch @@ -0,0 +1,54 @@ +From foo@baz Thu Apr 26 20:46:44 CEST 2018 +From: Stefan Hajnoczi +Date: Tue, 17 Apr 2018 14:25:58 +0800 +Subject: VSOCK: make af_vsock.ko removable again + +From: Stefan Hajnoczi + + +[ Upstream commit 05e489b1596f0aa1025a1fa572676631cd9665da ] + +Commit c1eef220c1760762753b602c382127bfccee226d ("vsock: always call +vsock_init_tables()") introduced a module_init() function without a +corresponding module_exit() function. + +Modules with an init function can only be removed if they also have an +exit function. Therefore the vsock module was considered "permanent" +and could not be removed. + +This patch adds an empty module_exit() function so that "rmmod vsock" +works. No explicit cleanup is required because: + +1. Transports call vsock_core_exit() upon exit and cannot be removed + while sockets are still alive. +2. vsock_diag.ko does not perform any action that requires cleanup by + vsock.ko. + +Fixes: c1eef220c176 ("vsock: always call vsock_init_tables()") +Reported-by: Xiumei Mu +Cc: Cong Wang +Cc: Jorgen Hansen +Signed-off-by: Stefan Hajnoczi +Reviewed-by: Jorgen Hansen +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/vmw_vsock/af_vsock.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/net/vmw_vsock/af_vsock.c ++++ b/net/vmw_vsock/af_vsock.c +@@ -2018,7 +2018,13 @@ const struct vsock_transport *vsock_core + } + EXPORT_SYMBOL_GPL(vsock_core_get_transport); + ++static void __exit vsock_exit(void) ++{ ++ /* Do nothing. This function makes this module removable. */ ++} ++ + module_init(vsock_init_tables); ++module_exit(vsock_exit); + + MODULE_AUTHOR("VMware, Inc."); + MODULE_DESCRIPTION("VMware Virtual Socket Family");