From: Greg Kroah-Hartman Date: Sat, 18 Feb 2023 11:27:10 +0000 (+0100) Subject: 4.14-stable patches X-Git-Tag: v4.14.306~33 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f5568a71835402e4afc16bf324f0379ce7524e99;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: dccp-tcp-avoid-negative-sk_forward_alloc-by-ipv6_pinfo.pktoptions.patch ipv6-fix-datagram-socket-connection-with-dscp.patch ipv6-fix-tcp-socket-connection-with-dscp.patch net-mpls-fix-stale-pointer-if-allocation-fails-during-device-rename.patch net-stmmac-restrict-warning-on-disabling-dma-store-and-fwd-mode.patch net-usb-kalmia-don-t-pass-act_len-in-usb_bulk_msg-error-path.patch --- diff --git a/queue-4.14/dccp-tcp-avoid-negative-sk_forward_alloc-by-ipv6_pinfo.pktoptions.patch b/queue-4.14/dccp-tcp-avoid-negative-sk_forward_alloc-by-ipv6_pinfo.pktoptions.patch new file mode 100644 index 00000000000..ff24a0d75b1 --- /dev/null +++ b/queue-4.14/dccp-tcp-avoid-negative-sk_forward_alloc-by-ipv6_pinfo.pktoptions.patch @@ -0,0 +1,125 @@ +From ca43ccf41224b023fc290073d5603a755fd12eed Mon Sep 17 00:00:00 2001 +From: Kuniyuki Iwashima +Date: Thu, 9 Feb 2023 16:22:01 -0800 +Subject: dccp/tcp: Avoid negative sk_forward_alloc by ipv6_pinfo.pktoptions. + +From: Kuniyuki Iwashima + +commit ca43ccf41224b023fc290073d5603a755fd12eed upstream. + +Eric Dumazet pointed out [0] that when we call skb_set_owner_r() +for ipv6_pinfo.pktoptions, sk_rmem_schedule() has not been called, +resulting in a negative sk_forward_alloc. + +We add a new helper which clones a skb and sets its owner only +when sk_rmem_schedule() succeeds. + +Note that we move skb_set_owner_r() forward in (dccp|tcp)_v6_do_rcv() +because tcp_send_synack() can make sk_forward_alloc negative before +ipv6_opt_accepted() in the crossed SYN-ACK or self-connect() cases. + +[0]: https://lore.kernel.org/netdev/CANn89iK9oc20Jdi_41jb9URdF210r7d1Y-+uypbMSbOfY6jqrg@mail.gmail.com/ + +Fixes: 323fbd0edf3f ("net: dccp: Add handling of IPV6_PKTOPTIONS to dccp_v6_do_rcv()") +Fixes: 3df80d9320bc ("[DCCP]: Introduce DCCPv6") +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Kuniyuki Iwashima +Reviewed-by: Eric Dumazet +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + include/net/sock.h | 13 +++++++++++++ + net/dccp/ipv6.c | 7 ++----- + net/ipv6/tcp_ipv6.c | 10 +++------- + 3 files changed, 18 insertions(+), 12 deletions(-) + +--- a/include/net/sock.h ++++ b/include/net/sock.h +@@ -2049,6 +2049,19 @@ static inline void skb_set_owner_r(struc + sk_mem_charge(sk, skb->truesize); + } + ++static inline struct sk_buff *skb_clone_and_charge_r(struct sk_buff *skb, struct sock *sk) ++{ ++ skb = skb_clone(skb, sk_gfp_mask(sk, GFP_ATOMIC)); ++ if (skb) { ++ if (sk_rmem_schedule(sk, skb, skb->truesize)) { ++ skb_set_owner_r(skb, sk); ++ return skb; ++ } ++ __kfree_skb(skb); ++ } ++ return NULL; ++} ++ + void sk_reset_timer(struct sock *sk, struct timer_list *timer, + unsigned long expires); + +--- a/net/dccp/ipv6.c ++++ b/net/dccp/ipv6.c +@@ -541,11 +541,9 @@ static struct sock *dccp_v6_request_recv + *own_req = inet_ehash_nolisten(newsk, req_to_sk(req_unhash), NULL); + /* Clone pktoptions received with SYN, if we own the req */ + if (*own_req && ireq->pktopts) { +- newnp->pktoptions = skb_clone(ireq->pktopts, GFP_ATOMIC); ++ newnp->pktoptions = skb_clone_and_charge_r(ireq->pktopts, newsk); + consume_skb(ireq->pktopts); + ireq->pktopts = NULL; +- if (newnp->pktoptions) +- skb_set_owner_r(newnp->pktoptions, newsk); + } + + return newsk; +@@ -605,7 +603,7 @@ static int dccp_v6_do_rcv(struct sock *s + --ANK (980728) + */ + if (np->rxopt.all) +- opt_skb = skb_clone(skb, GFP_ATOMIC); ++ opt_skb = skb_clone_and_charge_r(skb, sk); + + if (sk->sk_state == DCCP_OPEN) { /* Fast path */ + if (dccp_rcv_established(sk, skb, dccp_hdr(skb), skb->len)) +@@ -669,7 +667,6 @@ ipv6_pktoptions: + np->flow_label = ip6_flowlabel(ipv6_hdr(opt_skb)); + if (ipv6_opt_accepted(sk, opt_skb, + &DCCP_SKB_CB(opt_skb)->header.h6)) { +- skb_set_owner_r(opt_skb, sk); + memmove(IP6CB(opt_skb), + &DCCP_SKB_CB(opt_skb)->header.h6, + sizeof(struct inet6_skb_parm)); +--- a/net/ipv6/tcp_ipv6.c ++++ b/net/ipv6/tcp_ipv6.c +@@ -1242,14 +1242,11 @@ static struct sock *tcp_v6_syn_recv_sock + + /* Clone pktoptions received with SYN, if we own the req */ + if (ireq->pktopts) { +- newnp->pktoptions = skb_clone(ireq->pktopts, +- sk_gfp_mask(sk, GFP_ATOMIC)); ++ newnp->pktoptions = skb_clone_and_charge_r(ireq->pktopts, newsk); + consume_skb(ireq->pktopts); + ireq->pktopts = NULL; +- if (newnp->pktoptions) { ++ if (newnp->pktoptions) + tcp_v6_restore_cb(newnp->pktoptions); +- skb_set_owner_r(newnp->pktoptions, newsk); +- } + } + } else { + if (!req_unhash && found_dup_sk) { +@@ -1317,7 +1314,7 @@ static int tcp_v6_do_rcv(struct sock *sk + --ANK (980728) + */ + if (np->rxopt.all) +- opt_skb = skb_clone(skb, sk_gfp_mask(sk, GFP_ATOMIC)); ++ opt_skb = skb_clone_and_charge_r(skb, sk); + + if (sk->sk_state == TCP_ESTABLISHED) { /* Fast path */ + struct dst_entry *dst; +@@ -1399,7 +1396,6 @@ ipv6_pktoptions: + if (np->repflow) + np->flow_label = ip6_flowlabel(ipv6_hdr(opt_skb)); + if (ipv6_opt_accepted(sk, opt_skb, &TCP_SKB_CB(opt_skb)->header.h6)) { +- skb_set_owner_r(opt_skb, sk); + tcp_v6_restore_cb(opt_skb); + opt_skb = xchg(&np->pktoptions, opt_skb); + } else { diff --git a/queue-4.14/ipv6-fix-datagram-socket-connection-with-dscp.patch b/queue-4.14/ipv6-fix-datagram-socket-connection-with-dscp.patch new file mode 100644 index 00000000000..4fbf36e4fe1 --- /dev/null +++ b/queue-4.14/ipv6-fix-datagram-socket-connection-with-dscp.patch @@ -0,0 +1,47 @@ +From e010ae08c71fda8be3d6bda256837795a0b3ea41 Mon Sep 17 00:00:00 2001 +From: Guillaume Nault +Date: Wed, 8 Feb 2023 18:13:59 +0100 +Subject: ipv6: Fix datagram socket connection with DSCP. + +From: Guillaume Nault + +commit e010ae08c71fda8be3d6bda256837795a0b3ea41 upstream. + +Take into account the IPV6_TCLASS socket option (DSCP) in +ip6_datagram_flow_key_init(). Otherwise fib6_rule_match() can't +properly match the DSCP value, resulting in invalid route lookup. + +For example: + + ip route add unreachable table main 2001:db8::10/124 + + ip route add table 100 2001:db8::10/124 dev eth0 + ip -6 rule add dsfield 0x04 table 100 + + echo test | socat - UDP6:[2001:db8::11]:54321,ipv6-tclass=0x04 + +Without this patch, socat fails at connect() time ("No route to host") +because the fib-rule doesn't jump to table 100 and the lookup ends up +being done in the main table. + +Fixes: 2cc67cc731d9 ("[IPV6] ROUTE: Routing by Traffic Class.") +Signed-off-by: Guillaume Nault +Reviewed-by: Eric Dumazet +Reviewed-by: David Ahern +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/datagram.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/ipv6/datagram.c ++++ b/net/ipv6/datagram.c +@@ -53,7 +53,7 @@ static void ip6_datagram_flow_key_init(s + fl6->flowi6_mark = sk->sk_mark; + fl6->fl6_dport = inet->inet_dport; + fl6->fl6_sport = inet->inet_sport; +- fl6->flowlabel = np->flow_label; ++ fl6->flowlabel = ip6_make_flowinfo(np->tclass, np->flow_label); + fl6->flowi6_uid = sk->sk_uid; + + if (!fl6->flowi6_oif) diff --git a/queue-4.14/ipv6-fix-tcp-socket-connection-with-dscp.patch b/queue-4.14/ipv6-fix-tcp-socket-connection-with-dscp.patch new file mode 100644 index 00000000000..178689f2e43 --- /dev/null +++ b/queue-4.14/ipv6-fix-tcp-socket-connection-with-dscp.patch @@ -0,0 +1,46 @@ +From 8230680f36fd1525303d1117768c8852314c488c Mon Sep 17 00:00:00 2001 +From: Guillaume Nault +Date: Wed, 8 Feb 2023 18:14:03 +0100 +Subject: ipv6: Fix tcp socket connection with DSCP. + +From: Guillaume Nault + +commit 8230680f36fd1525303d1117768c8852314c488c upstream. + +Take into account the IPV6_TCLASS socket option (DSCP) in +tcp_v6_connect(). Otherwise fib6_rule_match() can't properly +match the DSCP value, resulting in invalid route lookup. + +For example: + + ip route add unreachable table main 2001:db8::10/124 + + ip route add table 100 2001:db8::10/124 dev eth0 + ip -6 rule add dsfield 0x04 table 100 + + echo test | socat - TCP6:[2001:db8::11]:54321,ipv6-tclass=0x04 + +Without this patch, socat fails at connect() time ("No route to host") +because the fib-rule doesn't jump to table 100 and the lookup ends up +being done in the main table. + +Fixes: 2cc67cc731d9 ("[IPV6] ROUTE: Routing by Traffic Class.") +Signed-off-by: Guillaume Nault +Reviewed-by: Eric Dumazet +Reviewed-by: David Ahern +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/tcp_ipv6.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/ipv6/tcp_ipv6.c ++++ b/net/ipv6/tcp_ipv6.c +@@ -241,6 +241,7 @@ static int tcp_v6_connect(struct sock *s + fl6.flowi6_proto = IPPROTO_TCP; + fl6.daddr = sk->sk_v6_daddr; + fl6.saddr = saddr ? *saddr : np->saddr; ++ fl6.flowlabel = ip6_make_flowinfo(np->tclass, np->flow_label); + fl6.flowi6_oif = sk->sk_bound_dev_if; + fl6.flowi6_mark = sk->sk_mark; + fl6.fl6_dport = usin->sin6_port; diff --git a/queue-4.14/net-mpls-fix-stale-pointer-if-allocation-fails-during-device-rename.patch b/queue-4.14/net-mpls-fix-stale-pointer-if-allocation-fails-during-device-rename.patch new file mode 100644 index 00000000000..b0477d6ebb7 --- /dev/null +++ b/queue-4.14/net-mpls-fix-stale-pointer-if-allocation-fails-during-device-rename.patch @@ -0,0 +1,54 @@ +From fda6c89fe3d9aca073495a664e1d5aea28cd4377 Mon Sep 17 00:00:00 2001 +From: Jakub Kicinski +Date: Mon, 13 Feb 2023 22:53:55 -0800 +Subject: net: mpls: fix stale pointer if allocation fails during device rename + +From: Jakub Kicinski + +commit fda6c89fe3d9aca073495a664e1d5aea28cd4377 upstream. + +lianhui reports that when MPLS fails to register the sysctl table +under new location (during device rename) the old pointers won't +get overwritten and may be freed again (double free). + +Handle this gracefully. The best option would be unregistering +the MPLS from the device completely on failure, but unfortunately +mpls_ifdown() can fail. So failing fully is also unreliable. + +Another option is to register the new table first then only +remove old one if the new one succeeds. That requires more +code, changes order of notifications and two tables may be +visible at the same time. + +sysctl point is not used in the rest of the code - set to NULL +on failures and skip unregister if already NULL. + +Reported-by: lianhui tang +Fixes: 0fae3bf018d9 ("mpls: handle device renames for per-device sysctls") +Signed-off-by: Jakub Kicinski +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/mpls/af_mpls.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/net/mpls/af_mpls.c ++++ b/net/mpls/af_mpls.c +@@ -1344,6 +1344,7 @@ static int mpls_dev_sysctl_register(stru + free: + kfree(table); + out: ++ mdev->sysctl = NULL; + return -ENOBUFS; + } + +@@ -1353,6 +1354,9 @@ static void mpls_dev_sysctl_unregister(s + struct net *net = dev_net(dev); + struct ctl_table *table; + ++ if (!mdev->sysctl) ++ return; ++ + table = mdev->sysctl->ctl_table_arg; + unregister_net_sysctl_table(mdev->sysctl); + kfree(table); diff --git a/queue-4.14/net-stmmac-restrict-warning-on-disabling-dma-store-and-fwd-mode.patch b/queue-4.14/net-stmmac-restrict-warning-on-disabling-dma-store-and-fwd-mode.patch new file mode 100644 index 00000000000..ae80a8c5eae --- /dev/null +++ b/queue-4.14/net-stmmac-restrict-warning-on-disabling-dma-store-and-fwd-mode.patch @@ -0,0 +1,37 @@ +From 05d7623a892a9da62da0e714428e38f09e4a64d8 Mon Sep 17 00:00:00 2001 +From: Cristian Ciocaltea +Date: Fri, 10 Feb 2023 22:21:26 +0200 +Subject: net: stmmac: Restrict warning on disabling DMA store and fwd mode + +From: Cristian Ciocaltea + +commit 05d7623a892a9da62da0e714428e38f09e4a64d8 upstream. + +When setting 'snps,force_thresh_dma_mode' DT property, the following +warning is always emitted, regardless the status of force_sf_dma_mode: + +dwmac-starfive 10020000.ethernet: force_sf_dma_mode is ignored if force_thresh_dma_mode is set. + +Do not print the rather misleading message when DMA store and forward +mode is already disabled. + +Fixes: e2a240c7d3bc ("driver:net:stmmac: Disable DMA store and forward mode if platform data force_thresh_dma_mode is set.") +Signed-off-by: Cristian Ciocaltea +Link: https://lore.kernel.org/r/20230210202126.877548-1-cristian.ciocaltea@collabora.com +Signed-off-by: Paolo Abeni +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c +@@ -500,7 +500,7 @@ stmmac_probe_config_dt(struct platform_d + dma_cfg->mixed_burst = of_property_read_bool(np, "snps,mixed-burst"); + + plat->force_thresh_dma_mode = of_property_read_bool(np, "snps,force_thresh_dma_mode"); +- if (plat->force_thresh_dma_mode) { ++ if (plat->force_thresh_dma_mode && plat->force_sf_dma_mode) { + plat->force_sf_dma_mode = 0; + pr_warn("force_sf_dma_mode is ignored if force_thresh_dma_mode is set."); + } diff --git a/queue-4.14/net-usb-kalmia-don-t-pass-act_len-in-usb_bulk_msg-error-path.patch b/queue-4.14/net-usb-kalmia-don-t-pass-act_len-in-usb_bulk_msg-error-path.patch new file mode 100644 index 00000000000..8ff83ec8d0c --- /dev/null +++ b/queue-4.14/net-usb-kalmia-don-t-pass-act_len-in-usb_bulk_msg-error-path.patch @@ -0,0 +1,54 @@ +From c68f345b7c425b38656e1791a0486769a8797016 Mon Sep 17 00:00:00 2001 +From: Miko Larsson +Date: Fri, 10 Feb 2023 09:13:44 +0100 +Subject: net/usb: kalmia: Don't pass act_len in usb_bulk_msg error path + +From: Miko Larsson + +commit c68f345b7c425b38656e1791a0486769a8797016 upstream. + +syzbot reported that act_len in kalmia_send_init_packet() is +uninitialized when passing it to the first usb_bulk_msg error path. Jiri +Pirko noted that it's pointless to pass it in the error path, and that +the value that would be printed in the second error path would be the +value of act_len from the first call to usb_bulk_msg.[1] + +With this in mind, let's just not pass act_len to the usb_bulk_msg error +paths. + +1: https://lore.kernel.org/lkml/Y9pY61y1nwTuzMOa@nanopsycho/ + +Fixes: d40261236e8e ("net/usb: Add Samsung Kalmia driver for Samsung GT-B3730") +Reported-and-tested-by: syzbot+cd80c5ef5121bfe85b55@syzkaller.appspotmail.com +Signed-off-by: Miko Larsson +Reviewed-by: Alexander Duyck +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/kalmia.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/net/usb/kalmia.c ++++ b/drivers/net/usb/kalmia.c +@@ -69,8 +69,8 @@ kalmia_send_init_packet(struct usbnet *d + init_msg, init_msg_len, &act_len, KALMIA_USB_TIMEOUT); + if (status != 0) { + netdev_err(dev->net, +- "Error sending init packet. Status %i, length %i\n", +- status, act_len); ++ "Error sending init packet. Status %i\n", ++ status); + return status; + } + else if (act_len != init_msg_len) { +@@ -87,8 +87,8 @@ kalmia_send_init_packet(struct usbnet *d + + if (status != 0) + netdev_err(dev->net, +- "Error receiving init result. Status %i, length %i\n", +- status, act_len); ++ "Error receiving init result. Status %i\n", ++ status); + else if (act_len != expected_len) + netdev_err(dev->net, "Unexpected init result length: %i\n", + act_len); diff --git a/queue-4.14/series b/queue-4.14/series index 1866f8b9092..7fd47f476c4 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -42,3 +42,9 @@ hugetlb-check-for-undefined-shift-on-32-bit-architectures.patch revert-squashfs-harden-sanity-check-in-squashfs_read_xattr_id_table.patch i40e-add-double-of-vlan-header-when-computing-the-max-mtu.patch net-bgmac-fix-bcm5358-support-by-setting-correct-flags.patch +dccp-tcp-avoid-negative-sk_forward_alloc-by-ipv6_pinfo.pktoptions.patch +net-usb-kalmia-don-t-pass-act_len-in-usb_bulk_msg-error-path.patch +net-stmmac-restrict-warning-on-disabling-dma-store-and-fwd-mode.patch +net-mpls-fix-stale-pointer-if-allocation-fails-during-device-rename.patch +ipv6-fix-datagram-socket-connection-with-dscp.patch +ipv6-fix-tcp-socket-connection-with-dscp.patch