From: Greg Kroah-Hartman Date: Sun, 10 Feb 2019 12:17:37 +0000 (+0100) Subject: 4.19-stable patches X-Git-Tag: v4.9.156~33 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f8ac20b0a6014befd94dcde4696b3d544f469481;p=thirdparty%2Fkernel%2Fstable-queue.git 4.19-stable patches added patches: dccp-fool-proof-ccid_hc_x_parse_options.patch enic-fix-checksum-validation-for-ipv6.patch lib-test_rhashtable-make-test_insert_dup-allocate-its-hash-table-dynamically.patch net-dp83640-expire-old-tx-skb.patch net-dsa-fix-lockdep-false-positive-splat.patch net-dsa-fix-null-checking-in-dsa_slave_set_eee.patch net-dsa-mv88e6xxx-fix-counting-of-atu-violations.patch net-dsa-slave-don-t-propagate-flag-changes-on-down-slave-interfaces.patch net-mlx5e-force-checksum_unnecessary-for-short-ethernet-frames.patch net-mlx5e-fpga-fix-innova-ipsec-tx-offload-data-path-performance.patch net-systemport-fix-wol-with-password-after-deep-sleep.patch rds-fix-refcount-bug-in-rds_sock_addref.patch revert-net-phy-marvell-avoid-pause-mode-on-sgmii-to-copper-for-88e151x.patch rxrpc-bad-unlock-balance-in-rxrpc_recvmsg.patch sctp-check-and-update-stream-out_curr-when-allocating-stream_out.patch sctp-walk-the-list-of-asoc-safely.patch skge-potential-memory-corruption-in-skge_get_regs.patch virtio_net-account-for-tx-bytes-and-packets-on-sending-xdp_frames.patch
---
diff --git a/queue-4.19/dccp-fool-proof-ccid_hc_x_parse_options.patch b/queue-4.19/dccp-fool-proof-ccid_hc_x_parse_options.patch
new file mode 100644
index 00000000000..062e147db22
--- /dev/null
+++ b/queue-4.19/dccp-fool-proof-ccid_hc_x_parse_options.patch
@@ -0,0 +1,106 @@
+From foo@baz Sun Feb 10 12:45:09 CET 2019
+From: Eric Dumazet
+Date: Wed, 30 Jan 2019 11:39:41 -0800
+Subject: dccp: fool proof ccid_hc_[rt]x_parse_options()
+
+From: Eric Dumazet
+
+[ Upstream commit 9b1f19d810e92d6cdc68455fbc22d9f961a58ce1 ]
+
+Similarly to commit 276bdb82dedb ("dccp: check ccid before dereferencing")
+it is wise to test for a NULL ccid.
+
+kasan: CONFIG_KASAN_INLINE enabled
+kasan: GPF could be caused by NULL-ptr deref or user memory access
+general protection fault: 0000 [#1] PREEMPT SMP KASAN
+CPU: 1 PID: 16 Comm: ksoftirqd/1 Not tainted 5.0.0-rc3+ #37
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+RIP: 0010:ccid_hc_tx_parse_options net/dccp/ccid.h:205 [inline]
+RIP: 0010:dccp_parse_options+0x8d9/0x12b0 net/dccp/options.c:233
+Code: c5 0f b6 75 b3 80 38 00 0f 85 d6 08 00 00 48 b9 00 00 00 00 00 fc ff df 48 8b 45 b8 4c 8b b8 f8 07 00 00 4c 89 f8 48 c1 e8 03 <80> 3c 08 00 0f 85 95 08 00 00 48 b8 00 00 00 00 00 fc ff df 4d 8b
+kobject: 'loop5' (0000000080f78fc1): kobject_uevent_env
+RSP: 0018:ffff8880a94df0b8 EFLAGS: 00010246
+RAX: 0000000000000000 RBX: ffff8880858ac723 RCX: dffffc0000000000
+RDX: 0000000000000100 RSI: 0000000000000007 RDI: 0000000000000001
+RBP: ffff8880a94df140 R08: 0000000000000001 R09: ffff888061b83a80
+R10: ffffed100c370752 R11: ffff888061b83a97 R12: 0000000000000026
+R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000000
+FS: 0000000000000000(0000) GS:ffff8880ae700000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007f0defa33518 CR3: 000000008db5e000 CR4: 00000000001406e0
+kobject: 'loop5' (0000000080f78fc1): fill_kobj_path: path = '/devices/virtual/block/loop5'
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ dccp_rcv_state_process+0x2b6/0x1af6 net/dccp/input.c:654
+ dccp_v4_do_rcv+0x100/0x190 net/dccp/ipv4.c:688
+ sk_backlog_rcv include/net/sock.h:936 [inline]
+ __sk_receive_skb+0x3a9/0xea0 net/core/sock.c:473
+ dccp_v4_rcv+0x10cb/0x1f80 net/dccp/ipv4.c:880
+ ip_protocol_deliver_rcu+0xb6/0xa20 net/ipv4/ip_input.c:208
+ ip_local_deliver_finish+0x23b/0x390 net/ipv4/ip_input.c:234
+ NF_HOOK include/linux/netfilter.h:289 [inline]
+ NF_HOOK include/linux/netfilter.h:283 [inline]
+ ip_local_deliver+0x1f0/0x740 net/ipv4/ip_input.c:255
+ dst_input include/net/dst.h:450 [inline]
+ ip_rcv_finish+0x1f4/0x2f0 net/ipv4/ip_input.c:414
+ NF_HOOK include/linux/netfilter.h:289 [inline]
+ NF_HOOK include/linux/netfilter.h:283 [inline]
+ ip_rcv+0xed/0x620 net/ipv4/ip_input.c:524
+ __netif_receive_skb_one_core+0x160/0x210 net/core/dev.c:4973
+ __netif_receive_skb+0x2c/0x1c0 net/core/dev.c:5083
+ process_backlog+0x206/0x750 net/core/dev.c:5923
+ napi_poll net/core/dev.c:6346 [inline]
+ net_rx_action+0x76d/0x1930 net/core/dev.c:6412
+ __do_softirq+0x30b/0xb11 kernel/softirq.c:292
+ run_ksoftirqd kernel/softirq.c:654 [inline]
+ run_ksoftirqd+0x8e/0x110 kernel/softirq.c:646
+ smpboot_thread_fn+0x6ab/0xa10 kernel/smpboot.c:164
+ kthread+0x357/0x430 kernel/kthread.c:246
+ ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352
+Modules linked in:
+---[ end trace 58a0ba03bea2c376 ]---
+RIP: 0010:ccid_hc_tx_parse_options net/dccp/ccid.h:205 [inline]
+RIP: 0010:dccp_parse_options+0x8d9/0x12b0 net/dccp/options.c:233
+Code: c5 0f b6 75 b3 80 38 00 0f 85 d6 08 00 00 48 b9 00 00 00 00 00 fc ff df 48 8b 45 b8 4c 8b b8 f8 07 00 00 4c 89 f8 48 c1 e8 03 <80> 3c 08 00 0f 85 95 08 00 00 48 b8 00 00 00 00 00 fc ff df 4d 8b
+RSP: 0018:ffff8880a94df0b8 EFLAGS: 00010246
+RAX: 0000000000000000 RBX: ffff8880858ac723 RCX: dffffc0000000000
+RDX: 0000000000000100 RSI: 0000000000000007 RDI: 0000000000000001
+RBP: ffff8880a94df140 R08: 0000000000000001 R09: ffff888061b83a80
+R10: ffffed100c370752 R11: ffff888061b83a97 R12: 0000000000000026
+R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000000
+FS: 0000000000000000(0000) GS:ffff8880ae700000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007f0defa33518 CR3: 0000000009871000 CR4: 00000000001406e0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+
+Signed-off-by: Eric Dumazet
+Reported-by: syzbot
+Cc: Gerrit Renker
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/dccp/ccid.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/dccp/ccid.h
++++ b/net/dccp/ccid.h
+@@ -202,7 +202,7 @@ static inline void ccid_hc_tx_packet_rec
+ static inline int ccid_hc_tx_parse_options(struct ccid *ccid, struct sock *sk,
+ u8 pkt, u8 opt, u8 *val, u8 len)
+ {
+- if (ccid->ccid_ops->ccid_hc_tx_parse_options == NULL)
++ if (!ccid || !ccid->ccid_ops->ccid_hc_tx_parse_options)
+ return 0;
+ return ccid->ccid_ops->ccid_hc_tx_parse_options(sk, pkt, opt, val, len);
+ }
+@@ -214,7 +214,7 @@ static inline int ccid_hc_tx_parse_optio
+ static inline int ccid_hc_rx_parse_options(struct ccid *ccid, struct sock *sk,
+ u8 pkt, u8 opt, u8 *val, u8 len)
+ {
+- if (ccid->ccid_ops->ccid_hc_rx_parse_options == NULL)
++ if (!ccid || !ccid->ccid_ops->ccid_hc_rx_parse_options)
+ return 0;
+ return ccid->ccid_ops->ccid_hc_rx_parse_options(sk, pkt, opt, val, len);
+ }
diff --git a/queue-4.19/enic-fix-checksum-validation-for-ipv6.patch b/queue-4.19/enic-fix-checksum-validation-for-ipv6.patch
new file mode 100644
index 00000000000..7da256376fe
--- /dev/null
+++ b/queue-4.19/enic-fix-checksum-validation-for-ipv6.patch
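Review bot: Both rewritten guards in ccid_hc_tx_parse_options() and ccid_hc_rx_parse_options() (net/dccp/ccid.h) now return 0 for a NULL `ccid`, but nothing beside them says when `ccid` can be NULL, so the test is easy to drop later as dead code. A short comment above each check, e.g. `/* ccid may be NULL (syzbot: GPF in dccp_parse_options) */`, would record the reason. The quoted trace reaches this helper from dccp_v4_rcv() in softirq context, so the dereference is driven by received packets and a missing check is a crash on the receive path. The other ccid_hc_* wrappers in the same header are outside these hunks; it is worth confirming whether they need the same `!ccid` test.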
@@ -0,0 +1,31 @@
+From foo@baz Sun Feb 10 12:45:09 CET 2019
+From: Govindarajulu Varadarajan
+Date: Wed, 30 Jan 2019 06:59:00 -0800
+Subject: enic: fix checksum validation for IPv6
+
+From: Govindarajulu Varadarajan
+
+[ Upstream commit 7596175e99b3d4bce28022193efd954c201a782a ]
+
+In case of IPv6 pkts, ipv4_csum_ok is 0. Because of this, driver does
+not set skb->ip_summed. So IPv6 rx checksum is not offloaded.
+
+Signed-off-by: Govindarajulu Varadarajan
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/cisco/enic/enic_main.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/cisco/enic/enic_main.c
++++ b/drivers/net/ethernet/cisco/enic/enic_main.c
+@@ -1434,7 +1434,8 @@ static void enic_rq_indicate_buf(struct
+ * csum is correct or is zero.
+ */
+ if ((netdev->features & NETIF_F_RXCSUM) && !csum_not_calc &&
+- tcp_udp_csum_ok && ipv4_csum_ok && outer_csum_ok) {
++ tcp_udp_csum_ok && outer_csum_ok &&
++ (ipv4_csum_ok || ipv6)) {
+ skb->ip_summed = CHECKSUM_UNNECESSARY;
+ skb->csum_level = encap;
+ }
diff --git a/queue-4.19/lib-test_rhashtable-make-test_insert_dup-allocate-its-hash-table-dynamically.patch b/queue-4.19/lib-test_rhashtable-make-test_insert_dup-allocate-its-hash-table-dynamically.patch
new file mode 100644
index 00000000000..e5c44c664ba
--- /dev/null
+++ b/queue-4.19/lib-test_rhashtable-make-test_insert_dup-allocate-its-hash-table-dynamically.patch
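Review bot: The rewritten condition in enic_rq_indicate_buf() accepts any frame with `ipv6` set without an IP-level check, which is correct only because IPv6 has no header checksum, and nothing next to the condition says so. The hunk begins inside the comment block above it, so I cannot see whether that is already explained; if it is not, add `/* IPv6 has no header checksum, so ipv4_csum_ok is 0 for it */` by `(ipv4_csum_ok || ipv6)`. `ipv6` itself is set outside the hunk, so how it is derived from the completion descriptor could not be checked here.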
@@ -0,0 +1,111 @@
+From foo@baz Sun Feb 10 12:45:09 CET 2019
+From: Bart Van Assche
+Date: Wed, 30 Jan 2019 10:42:30 -0800
+Subject: lib/test_rhashtable: Make test_insert_dup() allocate its hash table dynamically
+
+From: Bart Van Assche
+
+[ Upstream commit fc42a689c4c097859e5bd37b5ea11b60dc426df6 ]
+
+The test_insert_dup() function from lib/test_rhashtable.c passes a
+pointer to a stack object to rhltable_init(). Allocate the hash table
+dynamically to avoid that the following is reported with object
+debugging enabled:
+
+ODEBUG: object (ptrval) is on stack (ptrval), but NOT annotated.
+WARNING: CPU: 0 PID: 1 at lib/debugobjects.c:368 __debug_object_init+0x312/0x480
+Modules linked in:
+EIP: __debug_object_init+0x312/0x480
+Call Trace:
+ ? debug_object_init+0x1a/0x20
+ ? __init_work+0x16/0x30
+ ? rhashtable_init+0x1e1/0x460
+ ? sched_clock_cpu+0x57/0xe0
+ ? rhltable_init+0xb/0x20
+ ? test_insert_dup+0x32/0x20f
+ ? trace_hardirqs_on+0x38/0xf0
+ ? ida_dump+0x10/0x10
+ ? jhash+0x130/0x130
+ ? my_hashfn+0x30/0x30
+ ? test_rht_init+0x6aa/0xab4
+ ? ida_dump+0x10/0x10
+ ? test_rhltable+0xc5c/0xc5c
+ ? do_one_initcall+0x67/0x28e
+ ? trace_hardirqs_off+0x22/0xe0
+ ? restore_all_kernel+0xf/0x70
+ ? trace_hardirqs_on_thunk+0xc/0x10
+ ? restore_all_kernel+0xf/0x70
+ ? kernel_init_freeable+0x142/0x213
+ ? rest_init+0x230/0x230
+ ? kernel_init+0x10/0x110
+ ? schedule_tail_wrapper+0x9/0xc
+ ? ret_from_fork+0x19/0x24
+
+Cc: Thomas Graf
+Cc: Herbert Xu
+Cc: netdev@vger.kernel.org
+Cc: linux-kernel@vger.kernel.org
+Signed-off-by: Bart Van Assche
+Acked-by: Herbert Xu
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ lib/test_rhashtable.c | 23 +++++++++++++++--------
+ 1 file changed, 15 insertions(+), 8 deletions(-)
+
+--- a/lib/test_rhashtable.c
++++ b/lib/test_rhashtable.c
+@@ -541,38 +541,45 @@ static unsigned int __init print_ht(stru
+ static int __init test_insert_dup(struct test_obj_rhl *rhl_test_objects,
+ int cnt, bool slow)
+ {
+- struct rhltable rhlt;
++ struct rhltable *rhlt;
+ unsigned int i, ret;
+ const char *key;
+ int err = 0;
+
+- err = rhltable_init(&rhlt, &test_rht_params_dup);
+- if (WARN_ON(err))
++ rhlt = kmalloc(sizeof(*rhlt), GFP_KERNEL);
++ if (WARN_ON(!rhlt))
++ return -EINVAL;
++
++ err = rhltable_init(rhlt, &test_rht_params_dup);
++ if (WARN_ON(err)) {
++ kfree(rhlt);
+ return err;
++ }
+
+ for (i = 0; i < cnt; i++) {
+ rhl_test_objects[i].value.tid = i;
+- key = rht_obj(&rhlt.ht, &rhl_test_objects[i].list_node.rhead);
++ key = rht_obj(&rhlt->ht, &rhl_test_objects[i].list_node.rhead);
+ key += test_rht_params_dup.key_offset;
+
+ if (slow) {
+- err = PTR_ERR(rhashtable_insert_slow(&rhlt.ht, key,
++ err = PTR_ERR(rhashtable_insert_slow(&rhlt->ht, key,
+ &rhl_test_objects[i].list_node.rhead));
+ if (err == -EAGAIN)
+ err = 0;
+ } else
+- err = rhltable_insert(&rhlt,
++ err = rhltable_insert(rhlt,
+ &rhl_test_objects[i].list_node,
+ test_rht_params_dup);
+ if (WARN(err, "error %d on element %d/%d (%s)\n", err, i, cnt, slow? "slow" : "fast"))
+ goto skip_print;
+ }
+
+- ret = print_ht(&rhlt);
++ ret = print_ht(rhlt);
+ WARN(ret != cnt, "missing rhltable elements (%d != %d, %s)\n", ret, cnt, slow? "slow" : "fast");
+
+ skip_print:
+- rhltable_destroy(&rhlt);
++ rhltable_destroy(rhlt);
++ kfree(rhlt);
+
+ return 0;
+ }
diff --git a/queue-4.19/net-dp83640-expire-old-tx-skb.patch b/queue-4.19/net-dp83640-expire-old-tx-skb.patch
new file mode 100644
index 00000000000..46b57b31a27
--- /dev/null
+++ b/queue-4.19/net-dp83640-expire-old-tx-skb.patch
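Review bot: The new allocation-failure path in test_insert_dup() (lib/test_rhashtable.c) returns `-EINVAL`, which reads as a bad argument rather than an out-of-memory condition; `return -ENOMEM;` after `if (WARN_ON(!rhlt))` is the conventional code. Separately, the function still ends in `return 0;` after `skip_print:`, so an insert failure recorded in `err` is not propagated to the caller; that predates this change but is visible in the same hunk.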
@@ -0,0 +1,83 @@
+From foo@baz Sun Feb 10 12:45:09 CET 2019
+From: Sebastian Andrzej Siewior
+Date: Mon, 4 Feb 2019 11:20:29 +0100
+Subject: net: dp83640: expire old TX-skb
+
+From: Sebastian Andrzej Siewior
+
+[ Upstream commit 53bc8d2af08654659abfadfd3e98eb9922ff787c ]
+
+During sendmsg() a cloned skb is saved via dp83640_txtstamp() in
+->tx_queue. After the NIC sends this packet, the PHY will reply with a
+timestamp for that TX packet. If the cable is pulled at the right time I
+don't see that packet. It might gets flushed as part of queue shutdown
+on NIC's side.
+Once the link is up again then after the next sendmsg() we enqueue
+another skb in dp83640_txtstamp() and have two on the list. Then the PHY
+will send a reply and decode_txts() attaches it to the first skb on the
+list.
+No crash occurs since refcounting works but we are one packet behind.
+linuxptp/ptp4l usually closes the socket and opens a new one (in such a
+timeout case) so those "stale" replies never get there. However it does
+not resume normal operation anymore.
+
+Purge old skbs in decode_txts().
+
+Fixes: cb646e2b02b2 ("ptp: Added a clock driver for the National Semiconductor PHYTER.")
+Signed-off-by: Sebastian Andrzej Siewior
+Reviewed-by: Kurt Kanzenbach
+Acked-by: Richard Cochran
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/phy/dp83640.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/phy/dp83640.c
++++ b/drivers/net/phy/dp83640.c
+@@ -896,14 +896,14 @@ static void decode_txts(struct dp83640_p
+ struct phy_txts *phy_txts)
+ {
+ struct skb_shared_hwtstamps shhwtstamps;
++ struct dp83640_skb_info *skb_info;
+ struct sk_buff *skb;
+- u64 ns;
+ u8 overflow;
++ u64 ns;
+
+ /* We must already have the skb that triggered this. */
+-
++again:
+ skb = skb_dequeue(&dp83640->tx_queue);
+-
+ if (!skb) {
+ pr_debug("have timestamp but tx_queue empty\n");
+ return;
+@@ -918,6 +918,11 @@ static void decode_txts(struct dp83640_p
+ }
+ return;
+ }
++ skb_info = (struct dp83640_skb_info *)skb->cb;
++ if (time_after(jiffies, skb_info->tmo)) {
++ kfree_skb(skb);
++ goto again;
++ }
+
+ ns = phy2txts(phy_txts);
+ memset(&shhwtstamps, 0, sizeof(shhwtstamps));
+@@ -1470,6 +1475,7 @@ static bool dp83640_rxtstamp(struct phy_
+ static void dp83640_txtstamp(struct phy_device *phydev,
+ struct sk_buff *skb, int type)
+ {
++ struct dp83640_skb_info *skb_info = (struct dp83640_skb_info *)skb->cb;
+ struct dp83640_private *dp83640 = phydev->priv;
+
+ switch (dp83640->hwts_tx_en) {
+@@ -1482,6 +1488,7 @@ static void dp83640_txtstamp(struct phy_
+ /* fall through */
+ case HWTSTAMP_TX_ON:
+ skb_shinfo(skb)->tx_flags |= SKBTX_IN_PROGRESS;
++ skb_info->tmo = jiffies + SKB_TIMESTAMP_TIMEOUT;
+ skb_queue_tail(&dp83640->tx_queue, skb);
+ break;
+
diff --git a/queue-4.19/net-dsa-fix-lockdep-false-positive-splat.patch b/queue-4.19/net-dsa-fix-lockdep-false-positive-splat.patch
new file mode 100644
index 00000000000..46f5b6d9e7c
--- /dev/null
+++ b/queue-4.19/net-dsa-fix-lockdep-false-positive-splat.patch
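Review bot: The expiry block added to decode_txts() (drivers/net/phy/dp83640.c) drops queued skbs without any comment, and the existing `/* We must already have the skb that triggered this. */` right above `again:` no longer tells the whole story, since the head of the queue may be a leftover from before a link loss. A comment such as `/* skip skbs whose timestamp never arrived, otherwise every reply is matched one packet late */` above `if (time_after(jiffies, skb_info->tmo))` would record that. Stale entries are purged only when a later timestamp arrives, so they stay on `tx_queue` until then; whether anything else flushes the queue is outside these hunks. The backward `goto again` could equally be a loop around the dequeue, which is a matter of style.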
@@ -0,0 +1,111 @@
+From foo@baz Sun Feb 10 12:45:09 CET 2019
+From: Marc Zyngier
+Date: Sat, 2 Feb 2019 17:53:29 +0000
+Subject: net: dsa: Fix lockdep false positive splat
+
+From: Marc Zyngier
+
+[ Upstream commit c8101f7729daee251f4f6505f9d135ec08e1342f ]
+
+Creating a macvtap on a DSA-backed interface results in the following
+splat when lockdep is enabled:
+
+[ 19.638080] IPv6: ADDRCONF(NETDEV_CHANGE): lan0: link becomes ready
+[ 23.041198] device lan0 entered promiscuous mode
+[ 23.043445] device eth0 entered promiscuous mode
+[ 23.049255]
+[ 23.049557] ============================================
+[ 23.055021] WARNING: possible recursive locking detected
+[ 23.060490] 5.0.0-rc3-00013-g56c857a1b8d3 #118 Not tainted
+[ 23.066132] --------------------------------------------
+[ 23.071598] ip/2861 is trying to acquire lock:
+[ 23.076171] 00000000f61990cb (_xmit_ETHER){+...}, at: dev_set_rx_mode+0x1c/0x38
+[ 23.083693]
+[ 23.083693] but task is already holding lock:
+[ 23.089696] 00000000ecf0c3b4 (_xmit_ETHER){+...}, at: dev_uc_add+0x24/0x70
+[ 23.096774]
+[ 23.096774] other info that might help us debug this:
+[ 23.103494] Possible unsafe locking scenario:
+[ 23.103494]
+[ 23.109584] CPU0
+[ 23.112093] ----
+[ 23.114601] lock(_xmit_ETHER);
+[ 23.117917] lock(_xmit_ETHER);
+[ 23.121233]
+[ 23.121233] *** DEADLOCK ***
+[ 23.121233]
+[ 23.127325] May be due to missing lock nesting notation
+[ 23.127325]
+[ 23.134315] 2 locks held by ip/2861:
+[ 23.137987] #0: 000000003b766c72 (rtnl_mutex){+.+.}, at: rtnetlink_rcv_msg+0x338/0x4e0
+[ 23.146231] #1: 00000000ecf0c3b4 (_xmit_ETHER){+...}, at: dev_uc_add+0x24/0x70
+[ 23.153757]
+[ 23.153757] stack backtrace:
+[ 23.158243] CPU: 0 PID: 2861 Comm: ip Not tainted 5.0.0-rc3-00013-g56c857a1b8d3 #118
+[ 23.166212] Hardware name: Globalscale Marvell ESPRESSOBin Board (DT)
+[ 23.172843] Call trace:
+[ 23.175358] dump_backtrace+0x0/0x188
+[ 23.179116] show_stack+0x14/0x20
+[ 23.182524] dump_stack+0xb4/0xec
+[ 23.185928] __lock_acquire+0x123c/0x1860
+[ 23.190048] lock_acquire+0xc8/0x248
+[ 23.193724] _raw_spin_lock_bh+0x40/0x58
+[ 23.197755] dev_set_rx_mode+0x1c/0x38
+[ 23.201607] dev_set_promiscuity+0x3c/0x50
+[ 23.205820] dsa_slave_change_rx_flags+0x5c/0x70
+[ 23.210567] __dev_set_promiscuity+0x148/0x1e0
+[ 23.215136] __dev_set_rx_mode+0x74/0x98
+[ 23.219167] dev_uc_add+0x54/0x70
+[ 23.222575] macvlan_open+0x170/0x1d0
+[ 23.226336] __dev_open+0xe0/0x160
+[ 23.229830] __dev_change_flags+0x16c/0x1b8
+[ 23.234132] dev_change_flags+0x20/0x60
+[ 23.238074] do_setlink+0x2d0/0xc50
+[ 23.241658] __rtnl_newlink+0x5f8/0x6e8
+[ 23.245601] rtnl_newlink+0x50/0x78
+[ 23.249184] rtnetlink_rcv_msg+0x360/0x4e0
+[ 23.253397] netlink_rcv_skb+0xe8/0x130
+[ 23.257338] rtnetlink_rcv+0x14/0x20
+[ 23.261012] netlink_unicast+0x190/0x210
+[ 23.265043] netlink_sendmsg+0x288/0x350
+[ 23.269075] sock_sendmsg+0x18/0x30
+[ 23.272659] ___sys_sendmsg+0x29c/0x2c8
+[ 23.276602] __sys_sendmsg+0x60/0xb8
+[ 23.280276] __arm64_sys_sendmsg+0x1c/0x28
+[ 23.284488] el0_svc_common+0xd8/0x138
+[ 23.288340] el0_svc_handler+0x24/0x80
+[ 23.292192] el0_svc+0x8/0xc
+
+This looks fairly harmless (no actual deadlock occurs), and is
+fixed in a similar way to c6894dec8ea9 ("bridge: fix lockdep
+addr_list_lock false positive splat") by putting the addr_list_lock
+in its own lockdep class.
+
+Signed-off-by: Marc Zyngier
+Reviewed-by: Florian Fainelli
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/dsa/master.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/net/dsa/master.c
++++ b/net/dsa/master.c
+@@ -158,6 +158,8 @@ static void dsa_master_ethtool_teardown(
+ cpu_dp->orig_ethtool_ops = NULL;
+ }
+
++static struct lock_class_key dsa_master_addr_list_lock_key;
++
+ int dsa_master_setup(struct net_device *dev, struct dsa_port *cpu_dp)
+ {
+ /* If we use a tagging format that doesn't have an ethertype
+@@ -167,6 +169,8 @@ int dsa_master_setup(struct net_device *
+ wmb();
+
+ dev->dsa_ptr = cpu_dp;
++ lockdep_set_class(&dev->addr_list_lock,
++ &dsa_master_addr_list_lock_key);
+
+ return dsa_master_ethtool_setup(dev);
+ }
diff --git a/queue-4.19/net-dsa-fix-null-checking-in-dsa_slave_set_eee.patch b/queue-4.19/net-dsa-fix-null-checking-in-dsa_slave_set_eee.patch
new file mode 100644
index 00000000000..33b3b815344
--- /dev/null
+++ b/queue-4.19/net-dsa-fix-null-checking-in-dsa_slave_set_eee.patch
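Review bot: The `lockdep_set_class()` call added to dsa_master_setup() (net/dsa/master.c) has no comment, and a reader without the splat cannot tell why the master's `addr_list_lock` gets a private class. I would add `/* slave rx-mode changes take the master's addr_list_lock while the slave's is held; a separate class avoids a false lockdep report */` above it. One static key is shared by every DSA master, so two masters nested on top of each other would presumably produce the same report again; the hunks do not show whether that topology is possible.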
@@ -0,0 +1,42 @@
+From foo@baz Sun Feb 10 12:45:09 CET 2019
+From: Dan Carpenter
+Date: Wed, 6 Feb 2019 18:35:15 +0300
+Subject: net: dsa: Fix NULL checking in dsa_slave_set_eee()
+
+From: Dan Carpenter
+
+[ Upstream commit 00670cb8a73b10b10d3c40f045c15411715e4465 ]
+
+This function can't succeed if dp->pl is NULL. It will Oops inside the
+call to return phylink_ethtool_get_eee(dp->pl, e);
+
+Fixes: 1be52e97ed3e ("dsa: slave: eee: Allow ports to use phylink")
+Signed-off-by: Dan Carpenter
+Reviewed-by: Florian Fainelli
+Reviewed-by: Vivien Didelot
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/dsa/slave.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/dsa/slave.c
++++ b/net/dsa/slave.c
+@@ -639,7 +639,7 @@ static int dsa_slave_set_eee(struct net_
+ int ret;
+
+ /* Port's PHY and MAC both need to be EEE capable */
+- if (!dev->phydev && !dp->pl)
++ if (!dev->phydev || !dp->pl)
+ return -ENODEV;
+
+ if (!ds->ops->set_mac_eee)
+@@ -659,7 +659,7 @@ static int dsa_slave_get_eee(struct net_
+ int ret;
+
+ /* Port's PHY and MAC both need to be EEE capable */
+- if (!dev->phydev && !dp->pl)
++ if (!dev->phydev || !dp->pl)
+ return -ENODEV;
+
+ if (!ds->ops->get_mac_eee)
diff --git a/queue-4.19/net-dsa-mv88e6xxx-fix-counting-of-atu-violations.patch b/queue-4.19/net-dsa-mv88e6xxx-fix-counting-of-atu-violations.patch
new file mode 100644
index 00000000000..e61fc649cbe
--- /dev/null
+++ b/queue-4.19/net-dsa-mv88e6xxx-fix-counting-of-atu-violations.patch
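Review bot: The comment kept above both rewritten checks, in dsa_slave_set_eee() and dsa_slave_get_eee() (net/dsa/slave.c), says the PHY and MAC must be EEE capable, while the condition tests whether `dev->phydev` and `dp->pl` exist at all. Something like `/* Need an attached PHY and a phylink instance: dp->pl is passed to phylink below */` would describe the test as it now stands. With `||`, a port that has a phylink instance but no `dev->phydev` now gets -ENODEV; whether such ports occur cannot be seen from these hunks, so that is worth confirming. Both function bodies continue outside the hunks.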
@@ -0,0 +1,79 @@
+From foo@baz Sun Feb 10 12:45:09 CET 2019
+From: Andrew Lunn
+Date: Wed, 6 Feb 2019 00:02:58 +0100
+Subject: net: dsa: mv88e6xxx: Fix counting of ATU violations
+
+From: Andrew Lunn
+
+[ Upstream commit 75c05a74e745ae7d663b04d75777af80ada2233c ]
+
+The ATU port vector contains a bit per port of the switch. The code
+wrongly used it as a port number, and incremented a port counter. This
+resulted in the wrong interfaces counter being incremented, and
+potentially going off the end of the array of ports.
+
+Fix this by using the source port ID for the violation, which really
+is a port number.
+
+Reported-by: Chris Healy
+Tested-by: Chris Healy
+Fixes: 65f60e4582bd ("net: dsa: mv88e6xxx: Keep ATU/VTU violation statistics")
+Signed-off-by: Andrew Lunn
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/dsa/mv88e6xxx/global1_atu.c | 21 ++++++++++++---------
+ 1 file changed, 12 insertions(+), 9 deletions(-)
+
+--- a/drivers/net/dsa/mv88e6xxx/global1_atu.c
++++ b/drivers/net/dsa/mv88e6xxx/global1_atu.c
+@@ -314,6 +314,7 @@ static irqreturn_t mv88e6xxx_g1_atu_prob
+ {
+ struct mv88e6xxx_chip *chip = dev_id;
+ struct mv88e6xxx_atu_entry entry;
++ int spid;
+ int err;
+ u16 val;
+
+@@ -336,6 +337,8 @@ static irqreturn_t mv88e6xxx_g1_atu_prob
+ if (err)
+ goto out;
+
++ spid = entry.state;
++
+ if (val & MV88E6XXX_G1_ATU_OP_AGE_OUT_VIOLATION) {
+ dev_err_ratelimited(chip->dev,
+ "ATU age out violation for %pM\n",
+@@ -344,23 +347,23 @@ static irqreturn_t mv88e6xxx_g1_atu_prob
+
+ if (val & MV88E6XXX_G1_ATU_OP_MEMBER_VIOLATION) {
+ dev_err_ratelimited(chip->dev,
+- "ATU member violation for %pM portvec %x\n",
+- entry.mac, entry.portvec);
+- chip->ports[entry.portvec].atu_member_violation++;
++ "ATU member violation for %pM portvec %x spid %d\n",
++ entry.mac, entry.portvec, spid);
++ chip->ports[spid].atu_member_violation++;
+ }
+
+ if (val & MV88E6XXX_G1_ATU_OP_MISS_VIOLATION) {
+ dev_err_ratelimited(chip->dev,
+- "ATU miss violation for %pM portvec %x\n",
+- entry.mac, entry.portvec);
+- chip->ports[entry.portvec].atu_miss_violation++;
++ "ATU miss violation for %pM portvec %x spid %d\n",
++ entry.mac, entry.portvec, spid);
++ chip->ports[spid].atu_miss_violation++;
+ }
+
+ if (val & MV88E6XXX_G1_ATU_OP_FULL_VIOLATION) {
+ dev_err_ratelimited(chip->dev,
+- "ATU full violation for %pM portvec %x\n",
+- entry.mac, entry.portvec);
+- chip->ports[entry.portvec].atu_full_violation++;
++ "ATU full violation for %pM portvec %x spid %d\n",
++ entry.mac, entry.portvec, spid);
++ chip->ports[spid].atu_full_violation++;
+ }
+ mutex_unlock(&chip->reg_lock);
+
diff --git a/queue-4.19/net-dsa-slave-don-t-propagate-flag-changes-on-down-slave-interfaces.patch b/queue-4.19/net-dsa-slave-don-t-propagate-flag-changes-on-down-slave-interfaces.patch
new file mode 100644
index 00000000000..6747a187e94
--- /dev/null
+++ b/queue-4.19/net-dsa-slave-don-t-propagate-flag-changes-on-down-slave-interfaces.patch
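Review bot: `spid` is taken from `entry.state`, a value read back from the switch, and is then used unchecked as the index in `chip->ports[spid]` in all three violation branches of the last hunk of global1_atu.c, so the out-of-range write the commit message mentions is narrowed but not excluded. Guarding each increment, e.g. `if (spid < ARRAY_SIZE(chip->ports))` in front of `chip->ports[spid].atu_member_violation++;` and likewise for the miss and full counters, keeps an unexpected register value from writing past the array. That form assumes `chip->ports` is a fixed-size array, which the hunks do not show. The handler body starts and ends outside these hunks.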
@@ -0,0 +1,54 @@
+From foo@baz Sun Feb 10 12:45:09 CET 2019
+From: Rundong Ge
+Date: Sat, 2 Feb 2019 14:29:35 +0000
+Subject: net: dsa: slave: Don't propagate flag changes on down slave interfaces
+
+From: Rundong Ge
+
+[ Upstream commit 17ab4f61b8cd6f9c38e9d0b935d86d73b5d0d2b5 ]
+
+The unbalance of master's promiscuity or allmulti will happen after ifdown
+and ifup a slave interface which is in a bridge.
+
+When we ifdown a slave interface , both the 'dsa_slave_close' and
+'dsa_slave_change_rx_flags' will clear the master's flags. The flags
+of master will be decrease twice.
+In the other hand, if we ifup the slave interface again, since the
+slave's flags were cleared the 'dsa_slave_open' won't set the master's
+flag, only 'dsa_slave_change_rx_flags' that triggered by 'br_add_if'
+will set the master's flags. The flags of master is increase once.
+
+Only propagating flag changes when a slave interface is up makes
+sure this does not happen. The 'vlan_dev_change_rx_flags' had the
+same problem and was fixed, and changes here follows that fix.
+
+Fixes: 91da11f870f0 ("net: Distributed Switch Architecture protocol support")
+Signed-off-by: Rundong Ge
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/dsa/slave.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+--- a/net/dsa/slave.c
++++ b/net/dsa/slave.c
+@@ -140,11 +140,14 @@ static int dsa_slave_close(struct net_de
+ static void dsa_slave_change_rx_flags(struct net_device *dev, int change)
+ {
+ struct net_device *master = dsa_slave_to_master(dev);
+-
+- if (change & IFF_ALLMULTI)
+- dev_set_allmulti(master, dev->flags & IFF_ALLMULTI ? 1 : -1);
+- if (change & IFF_PROMISC)
+- dev_set_promiscuity(master, dev->flags & IFF_PROMISC ? 1 : -1);
++ if (dev->flags & IFF_UP) {
++ if (change & IFF_ALLMULTI)
++ dev_set_allmulti(master,
++ dev->flags & IFF_ALLMULTI ? 1 : -1);
++ if (change & IFF_PROMISC)
++ dev_set_promiscuity(master,
++ dev->flags & IFF_PROMISC ? 1 : -1);
++ }
+ }
+
+ static void dsa_slave_set_rx_mode(struct net_device *dev)
diff --git a/queue-4.19/net-mlx5e-force-checksum_unnecessary-for-short-ethernet-frames.patch b/queue-4.19/net-mlx5e-force-checksum_unnecessary-for-short-ethernet-frames.patch
new file mode 100644
index 00000000000..36d1beef8ef
--- /dev/null
+++ b/queue-4.19/net-mlx5e-force-checksum_unnecessary-for-short-ethernet-frames.patch
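Review bot: The new `if (dev->flags & IFF_UP) {` in dsa_slave_change_rx_flags() (net/dsa/slave.c) follows the `master` declaration directly because the blank line after it was removed; kernel style keeps a blank line between declarations and statements. A guard clause, `if (!(dev->flags & IFF_UP)) return;`, would also avoid the extra indent level that forces both calls to wrap.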
@@ -0,0 +1,71 @@
+From foo@baz Sun Feb 10 12:45:09 CET 2019
+From: Cong Wang
+Date: Mon, 3 Dec 2018 22:14:04 -0800
+Subject: net/mlx5e: Force CHECKSUM_UNNECESSARY for short ethernet frames
+
+From: Cong Wang
+
+[ Upstream commit e8c8b53ccaff568fef4c13a6ccaf08bf241aa01a ]
+
+When an ethernet frame is padded to meet the minimum ethernet frame
+size, the padding octets are not covered by the hardware checksum.
+Fortunately the padding octets are usually zero's, which don't affect
+checksum. However, we have a switch which pads non-zero octets, this
+causes kernel hardware checksum fault repeatedly.
+
+Prior to:
+commit '88078d98d1bb ("net: pskb_trim_rcsum() and CHECKSUM_COMPLETE ...")'
+skb checksum was forced to be CHECKSUM_NONE when padding is detected.
+After it, we need to keep skb->csum updated, like what we do for RXFCS.
+However, fixing up CHECKSUM_COMPLETE requires to verify and parse IP
+headers, it is not worthy the effort as the packets are so small that
+CHECKSUM_COMPLETE can't save anything.
+
+Fixes: 88078d98d1bb ("net: pskb_trim_rcsum() and CHECKSUM_COMPLETE are friends"),
+Cc: Eric Dumazet
+Cc: Tariq Toukan
+Cc: Nikola Ciprich
+Signed-off-by: Cong Wang
+Signed-off-by: Saeed Mahameed
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_rx.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c
+@@ -707,6 +707,8 @@ static u32 mlx5e_get_fcs(const struct sk
+ return __get_unaligned_cpu32(fcs_bytes);
+ }
+
++#define short_frame(size) ((size) <= ETH_ZLEN + ETH_FCS_LEN)
++
+ static inline void mlx5e_handle_csum(struct net_device *netdev,
+ struct mlx5_cqe64 *cqe,
+ struct mlx5e_rq *rq,
+@@ -725,6 +727,17 @@ static inline void mlx5e_handle_csum(str
+ return;
+ }
+
++ /* CQE csum doesn't cover padding octets in short ethernet
++ * frames. And the pad field is appended prior to calculating
++ * and appending the FCS field.
++ *
++ * Detecting these padded frames requires to verify and parse
++ * IP headers, so we simply force all those small frames to be
++ * CHECKSUM_UNNECESSARY even if they are not padded.
++ */
++ if (short_frame(skb->len))
++ goto csum_unnecessary;
++
+ if (likely(is_last_ethertype_ip(skb, &network_depth))) {
+ skb->ip_summed = CHECKSUM_COMPLETE;
+ skb->csum = csum_unfold((__force __sum16)cqe->check_sum);
+@@ -744,6 +757,7 @@ static inline void mlx5e_handle_csum(str
+ return;
+ }
+
++csum_unnecessary:
+ if (likely((cqe->hds_ip_ext & CQE_L3_OK) &&
+ (cqe->hds_ip_ext & CQE_L4_OK))) {
+ skb->ip_summed = CHECKSUM_UNNECESSARY;
diff --git a/queue-4.19/net-mlx5e-fpga-fix-innova-ipsec-tx-offload-data-path-performance.patch b/queue-4.19/net-mlx5e-fpga-fix-innova-ipsec-tx-offload-data-path-performance.patch
new file mode 100644
index 00000000000..b0e6f2ae1b8
--- /dev/null
+++ b/queue-4.19/net-mlx5e-fpga-fix-innova-ipsec-tx-offload-data-path-performance.patch
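Review bot: The comment added to mlx5e_handle_csum() (en_rx.c) says short frames are forced to CHECKSUM_UNNECESSARY, but the `csum_unnecessary:` label lands in front of the `CQE_L3_OK`/`CQE_L4_OK` test, so that holds only when the hardware reports both as OK. The wording should say so, for example by ending the comment with `so we skip CHECKSUM_COMPLETE for all those small frames and rely on the CQE L3/L4 OK bits instead`. `short_frame()` would also read better as a `static inline bool` than as a function-like macro, which gives the argument a type. What happens when the L3/L4 test fails is outside the hunk.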
@@ -0,0 +1,47 @@
+From foo@baz Sun Feb 10 12:45:09 CET 2019
+From: Raed Salem
+Date: Mon, 17 Dec 2018 11:40:06 +0200
+Subject: net/mlx5e: FPGA, fix Innova IPsec TX offload data path performance
+
+From: Raed Salem
+
+[ Upstream commit 82eaa1fa0448da1852d7b80832e67e80a08dcc27 ]
+
+At Innova IPsec TX offload data path a special software parser metadata
+is used to pass some packet attributes to the hardware, this metadata
+is passed using the Ethernet control segment of a WQE (a HW descriptor)
+header.
+
+The cited commit might nullify this header, hence the metadata is lost,
+this caused a significant performance drop during hw offloading
+operation.
+
+Fix by restoring the metadata at the Ethernet control segment in case
+it was nullified.
+
+Fixes: 37fdffb217a4 ("net/mlx5: WQ, fixes for fragmented WQ buffers API")
+Signed-off-by: Raed Salem
+Reviewed-by: Tariq Toukan
+Signed-off-by: Saeed Mahameed
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_tx.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_tx.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_tx.c
+@@ -387,8 +387,14 @@ netdev_tx_t mlx5e_sq_xmit(struct mlx5e_t
+ num_wqebbs = DIV_ROUND_UP(ds_cnt, MLX5_SEND_WQEBB_NUM_DS);
+ contig_wqebbs_room = mlx5_wq_cyc_get_contig_wqebbs(wq, pi);
+ if (unlikely(contig_wqebbs_room < num_wqebbs)) {
++#ifdef CONFIG_MLX5_EN_IPSEC
++ struct mlx5_wqe_eth_seg cur_eth = wqe->eth;
++#endif
+ mlx5e_fill_sq_frag_edge(sq, wq, pi, contig_wqebbs_room);
+ mlx5e_sq_fetch_wqe(sq, &wqe, &pi);
++#ifdef CONFIG_MLX5_EN_IPSEC
++ wqe->eth = cur_eth;
++#endif
+ }
+
+ /* fill wqe */
diff --git a/queue-4.19/net-systemport-fix-wol-with-password-after-deep-sleep.patch b/queue-4.19/net-systemport-fix-wol-with-password-after-deep-sleep.patch
new file mode 100644
index 00000000000..84c2e21246d
--- /dev/null
+++ b/queue-4.19/net-systemport-fix-wol-with-password-after-deep-sleep.patch
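Review bot: The save and restore of `wqe->eth` around mlx5e_fill_sq_frag_edge() and mlx5e_sq_fetch_wqe() in mlx5e_sq_xmit() (en_tx.c) carries no comment, and without the commit message it looks like a redundant copy. A line such as `/* keep the IPsec metadata already written to the eth segment; the refetched WQE may have it zeroed */` above `struct mlx5_wqe_eth_seg cur_eth = wqe->eth;` would explain it. The two `#ifdef CONFIG_MLX5_EN_IPSEC` blocks inside the branch are also harder to follow than a small helper that compiles to nothing when the option is off. The function body starts and ends outside the hunk.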
@@ -0,0 +1,105 @@ +From foo@baz Sun Feb 10 12:45:09 CET 2019 +From: Florian Fainelli +Date: Fri, 1 Feb 2019 13:23:38 -0800 +Subject: net: systemport: Fix WoL with password after deep sleep + +From: Florian Fainelli + +[ Upstream commit 8dfb8d2cceb76b74ad5b58cc65c75994329b4d5e ] + +Broadcom STB chips support a deep sleep mode where all register +contents are lost. Because we were stashing the MagicPacket password +into some of these registers a suspend into that deep sleep then a +resumption would not lead to being able to wake-up from MagicPacket with +password again. + +Fix this by keeping a software copy of the password and program it +during suspend. + +Fixes: 83e82f4c706b ("net: systemport: add Wake-on-LAN support") +Signed-off-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/broadcom/bcmsysport.c | 25 ++++++++++--------------- + drivers/net/ethernet/broadcom/bcmsysport.h | 2 ++ + 2 files changed, 12 insertions(+), 15 deletions(-) + +--- a/drivers/net/ethernet/broadcom/bcmsysport.c ++++ b/drivers/net/ethernet/broadcom/bcmsysport.c +@@ -519,7 +519,6 @@ static void bcm_sysport_get_wol(struct n + struct ethtool_wolinfo *wol) + { + struct bcm_sysport_priv *priv = netdev_priv(dev); +- u32 reg; + + wol->supported = WAKE_MAGIC | WAKE_MAGICSECURE | WAKE_FILTER; + wol->wolopts = priv->wolopts; +@@ -527,11 +526,7 @@ static void bcm_sysport_get_wol(struct n + if (!(priv->wolopts & WAKE_MAGICSECURE)) + return; + +- /* Return the programmed SecureOn password */ +- reg = umac_readl(priv, UMAC_PSW_MS); +- put_unaligned_be16(reg, &wol->sopass[0]); +- reg = umac_readl(priv, UMAC_PSW_LS); +- put_unaligned_be32(reg, &wol->sopass[2]); ++ memcpy(wol->sopass, priv->sopass, sizeof(priv->sopass)); + } + + static int bcm_sysport_set_wol(struct net_device *dev, +@@ -547,13 +542,8 @@ static int bcm_sysport_set_wol(struct ne + if (wol->wolopts & ~supported) + return -EINVAL; + +- /* Program the SecureOn password */ +- if 
(wol->wolopts & WAKE_MAGICSECURE) { +- umac_writel(priv, get_unaligned_be16(&wol->sopass[0]), +- UMAC_PSW_MS); +- umac_writel(priv, get_unaligned_be32(&wol->sopass[2]), +- UMAC_PSW_LS); +- } ++ if (wol->wolopts & WAKE_MAGICSECURE) ++ memcpy(priv->sopass, wol->sopass, sizeof(priv->sopass)); + + /* Flag the device and relevant IRQ as wakeup capable */ + if (wol->wolopts) { +@@ -2588,13 +2578,18 @@ static int bcm_sysport_suspend_to_wol(st + unsigned int index, i = 0; + u32 reg; + +- /* Password has already been programmed */ + reg = umac_readl(priv, UMAC_MPD_CTRL); + if (priv->wolopts & (WAKE_MAGIC | WAKE_MAGICSECURE)) + reg |= MPD_EN; + reg &= ~PSW_EN; +- if (priv->wolopts & WAKE_MAGICSECURE) ++ if (priv->wolopts & WAKE_MAGICSECURE) { ++ /* Program the SecureOn password */ ++ umac_writel(priv, get_unaligned_be16(&priv->sopass[0]), ++ UMAC_PSW_MS); ++ umac_writel(priv, get_unaligned_be32(&priv->sopass[2]), ++ UMAC_PSW_LS); + reg |= PSW_EN; ++ } + umac_writel(priv, reg, UMAC_MPD_CTRL); + + if (priv->wolopts & WAKE_FILTER) { +--- a/drivers/net/ethernet/broadcom/bcmsysport.h ++++ b/drivers/net/ethernet/broadcom/bcmsysport.h +@@ -12,6 +12,7 @@ + #define __BCM_SYSPORT_H + + #include ++#include + #include + #include + +@@ -776,6 +777,7 @@ struct bcm_sysport_priv { + unsigned int crc_fwd:1; + u16 rev; + u32 wolopts; ++ u8 sopass[SOPASS_MAX]; + unsigned int wol_irq_disabled:1; + + /* MIB related fields */ diff --git a/queue-4.19/rds-fix-refcount-bug-in-rds_sock_addref.patch b/queue-4.19/rds-fix-refcount-bug-in-rds_sock_addref.patch new file mode 100644 index 00000000000..50fe66eb157 --- /dev/null +++ b/queue-4.19/rds-fix-refcount-bug-in-rds_sock_addref.patch 
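Review bot: In `bcm_sysport_set_wol()` the SecureOn password is copied into `priv->sopass` when `WAKE_MAGICSECURE` is set, but nothing clears it when a later call drops that option, so the old password stays in driver memory for the life of the device. `bcm_sysport_get_wol()` returns early without the flag, so the stale copy is not returned through that path, but clearing it keeps the secret's lifetime tied to the setting: `else memzero_explicit(priv->sopass, sizeof(priv->sopass));`. Both `memcpy()` calls size the copy by `sizeof(priv->sopass)`, which is only right while `wol->sopass` is also `SOPASS_MAX` bytes; the header hunk suggests it is, but the ethtool definition is not on this page. All three functions continue outside their hunks.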
@@ -0,0 +1,98 @@ +From foo@baz Sun Feb 10 12:45:09 CET 2019 +From: Eric Dumazet +Date: Thu, 31 Jan 2019 08:47:10 -0800 +Subject: rds: fix refcount bug in rds_sock_addref + +From: Eric Dumazet + +[ Upstream commit 6fa19f5637a6c22bc0999596bcc83bdcac8a4fa6 ] + +syzbot was able to catch a bug in rds [1] + +The issue here is that the socket might be found in a hash table +but that its refcount has already be set to 0 by another cpu. + +We need to use refcount_inc_not_zero() to be safe here. + +[1] + +refcount_t: increment on 0; use-after-free. +WARNING: CPU: 1 PID: 23129 at lib/refcount.c:153 refcount_inc_checked lib/refcount.c:153 [inline] +WARNING: CPU: 1 PID: 23129 at lib/refcount.c:153 refcount_inc_checked+0x61/0x70 lib/refcount.c:151 +Kernel panic - not syncing: panic_on_warn set ... +CPU: 1 PID: 23129 Comm: syz-executor3 Not tainted 5.0.0-rc4+ #53 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0x1db/0x2d0 lib/dump_stack.c:113 + panic+0x2cb/0x65c kernel/panic.c:214 + __warn.cold+0x20/0x48 kernel/panic.c:571 + report_bug+0x263/0x2b0 lib/bug.c:186 + fixup_bug arch/x86/kernel/traps.c:178 [inline] + fixup_bug arch/x86/kernel/traps.c:173 [inline] + do_error_trap+0x11b/0x200 arch/x86/kernel/traps.c:271 + do_invalid_op+0x37/0x50 arch/x86/kernel/traps.c:290 + invalid_op+0x14/0x20 arch/x86/entry/entry_64.S:973 +RIP: 0010:refcount_inc_checked lib/refcount.c:153 [inline] +RIP: 0010:refcount_inc_checked+0x61/0x70 lib/refcount.c:151 +Code: 1d 51 63 c8 06 31 ff 89 de e8 eb 1b f2 fd 84 db 75 dd e8 a2 1a f2 fd 48 c7 c7 60 9f 81 88 c6 05 31 63 c8 06 01 e8 af 65 bb fd <0f> 0b eb c1 90 66 2e 0f 1f 84 00 00 00 00 00 55 48 89 e5 41 54 49 +RSP: 0018:ffff8880a0cbf1e8 EFLAGS: 00010282 +RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffc90006113000 +RDX: 000000000001047d RSI: ffffffff81685776 RDI: 0000000000000005 +RBP: ffff8880a0cbf1f8 R08: ffff888097c9e100 R09: 
ffffed1015ce5021 +R10: ffffed1015ce5020 R11: ffff8880ae728107 R12: ffff8880723c20c0 +R13: ffff8880723c24b0 R14: dffffc0000000000 R15: ffffed1014197e64 + sock_hold include/net/sock.h:647 [inline] + rds_sock_addref+0x19/0x20 net/rds/af_rds.c:675 + rds_find_bound+0x97c/0x1080 net/rds/bind.c:82 + rds_recv_incoming+0x3be/0x1430 net/rds/recv.c:362 + rds_loop_xmit+0xf3/0x2a0 net/rds/loop.c:96 + rds_send_xmit+0x1355/0x2a10 net/rds/send.c:355 + rds_sendmsg+0x323c/0x44e0 net/rds/send.c:1368 + sock_sendmsg_nosec net/socket.c:621 [inline] + sock_sendmsg+0xdd/0x130 net/socket.c:631 + __sys_sendto+0x387/0x5f0 net/socket.c:1788 + __do_sys_sendto net/socket.c:1800 [inline] + __se_sys_sendto net/socket.c:1796 [inline] + __x64_sys_sendto+0xe1/0x1a0 net/socket.c:1796 + do_syscall_64+0x1a3/0x800 arch/x86/entry/common.c:290 + entry_SYSCALL_64_after_hwframe+0x49/0xbe +RIP: 0033:0x458089 +Code: 6d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 +RSP: 002b:00007fc266df8c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002c +RAX: ffffffffffffffda RBX: 0000000000000006 RCX: 0000000000458089 +RDX: 0000000000000000 RSI: 00000000204b3fff RDI: 0000000000000005 +RBP: 000000000073bf00 R08: 00000000202b4000 R09: 0000000000000010 +R10: 0000000000000000 R11: 0000000000000246 R12: 00007fc266df96d4 +R13: 00000000004c56e4 R14: 00000000004d94a8 R15: 00000000ffffffff + +Fixes: cc4dfb7f70a3 ("rds: fix two RCU related problems") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Cc: Sowmini Varadhan +Cc: Santosh Shilimkar +Cc: rds-devel@oss.oracle.com +Cc: Cong Wang +Acked-by: Santosh Shilimkar +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/rds/bind.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/net/rds/bind.c ++++ b/net/rds/bind.c +@@ -78,10 +78,10 @@ struct rds_sock *rds_find_bound(const st + __rds_create_bind_key(key, addr, port, scope_id); + rcu_read_lock(); + rs = rhashtable_lookup(&bind_hash_table, key, ht_parms); +- if (rs && !sock_flag(rds_rs_to_sk(rs), SOCK_DEAD)) +- rds_sock_addref(rs); +- else ++ if (rs && (sock_flag(rds_rs_to_sk(rs), SOCK_DEAD) || ++ !refcount_inc_not_zero(&rds_rs_to_sk(rs)->sk_refcnt))) + rs = NULL; ++ + rcu_read_unlock(); + + rdsdebug("returning rs %p for %pI6c:%u\n", rs, addr, diff --git a/queue-4.19/revert-net-phy-marvell-avoid-pause-mode-on-sgmii-to-copper-for-88e151x.patch b/queue-4.19/revert-net-phy-marvell-avoid-pause-mode-on-sgmii-to-copper-for-88e151x.patch new file mode 100644 index 00000000000..d35a5ce2b2e --- /dev/null +++ b/queue-4.19/revert-net-phy-marvell-avoid-pause-mode-on-sgmii-to-copper-for-88e151x.patch 
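Review bot: The new condition in `rds_find_bound()` takes the reference by calling `refcount_inc_not_zero()` on `sk_refcnt` directly and evaluates `rds_rs_to_sk(rs)` twice, which bypasses the `rds_sock_addref()` helper without saying why. A local `struct sock *sk = rds_rs_to_sk(rs);` plus a comment such as `/* rs can still be in the hash with its refcount already at 0; only take it if the count is non-zero */` would make the lookup rule explicit for the next reader. Any other place that takes a reference on a socket found under `rcu_read_lock()` would presumably need the same pattern, but none is visible here. The function starts and ends outside the hunk.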
@@ -0,0 +1,51 @@
+From foo@baz Sun Feb 10 12:45:09 CET 2019
+From: Russell King
+Date: Thu, 31 Jan 2019 16:59:46 +0000
+Subject: Revert "net: phy: marvell: avoid pause mode on SGMII-to-Copper for 88e151x"
+
+From: Russell King
+
+[ Upstream commit c14f07c6211cc01d52ed92cce1fade5071b8d197 ]
+
+This reverts commit 6623c0fba10ef45b64ca213ad5dec926f37fa9a0.
+
+The original diagnosis was incorrect: it appears that the NIC had
+PHY polling mode enabled, which meant that it overwrote the PHYs
+advertisement register during negotiation.
+
+Signed-off-by: Russell King
+Tested-by: Yonglong Liu
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/phy/marvell.c | 12 ------------
+ 1 file changed, 12 deletions(-)
+
+--- a/drivers/net/phy/marvell.c
++++ b/drivers/net/phy/marvell.c
+@@ -868,8 +868,6 @@ static int m88e1510_config_init(struct p
+
+ /* SGMII-to-Copper mode initialization */
+ if (phydev->interface == PHY_INTERFACE_MODE_SGMII) {
+- u32 pause;
+-
+ /* Select page 18 */
+ err = marvell_set_page(phydev, 18);
+ if (err < 0)
+@@ -892,16 +890,6 @@ static int m88e1510_config_init(struct p
+ err = marvell_set_page(phydev, MII_MARVELL_COPPER_PAGE);
+ if (err < 0)
+ return err;
+-
+- /* There appears to be a bug in the 88e1512 when used in
+- * SGMII to copper mode, where the AN advertisement register
+- * clears the pause bits each time a negotiation occurs.
+- * This means we can never be truely sure what was advertised,
+- * so disable Pause support.
+- */
+- pause = SUPPORTED_Pause | SUPPORTED_Asym_Pause;
+- phydev->supported &= ~pause;
+- phydev->advertising &= ~pause;
+ }
+
+ return m88e1318_config_init(phydev);
diff --git a/queue-4.19/rxrpc-bad-unlock-balance-in-rxrpc_recvmsg.patch b/queue-4.19/rxrpc-bad-unlock-balance-in-rxrpc_recvmsg.patch
new file mode 100644
index 00000000000..2d0988f1695
--- /dev/null
+++ b/queue-4.19/rxrpc-bad-unlock-balance-in-rxrpc_recvmsg.patch
@@ -0,0 +1,86 @@ +From foo@baz Sun Feb 10 12:45:09 CET 2019 +From: Eric Dumazet +Date: Mon, 4 Feb 2019 08:36:06 -0800 +Subject: rxrpc: bad unlock balance in rxrpc_recvmsg + +From: Eric Dumazet + +[ Upstream commit 6dce3c20ac429e7a651d728e375853370c796e8d ] + +When either "goto wait_interrupted;" or "goto wait_error;" +paths are taken, socket lock has already been released. + +This patch fixes following syzbot splat : + +WARNING: bad unlock balance detected! +5.0.0-rc4+ #59 Not tainted +------------------------------------- +syz-executor223/8256 is trying to release lock (sk_lock-AF_RXRPC) at: +[] rxrpc_recvmsg+0x6d3/0x3099 net/rxrpc/recvmsg.c:598 +but there are no more locks to release! + +other info that might help us debug this: +1 lock held by syz-executor223/8256: + #0: 00000000fa9ed0f4 (slock-AF_RXRPC){+...}, at: spin_lock_bh include/linux/spinlock.h:334 [inline] + #0: 00000000fa9ed0f4 (slock-AF_RXRPC){+...}, at: release_sock+0x20/0x1c0 net/core/sock.c:2798 + +stack backtrace: +CPU: 1 PID: 8256 Comm: syz-executor223 Not tainted 5.0.0-rc4+ #59 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0x172/0x1f0 lib/dump_stack.c:113 + print_unlock_imbalance_bug kernel/locking/lockdep.c:3391 [inline] + print_unlock_imbalance_bug.cold+0x114/0x123 kernel/locking/lockdep.c:3368 + __lock_release kernel/locking/lockdep.c:3601 [inline] + lock_release+0x67e/0xa00 kernel/locking/lockdep.c:3860 + sock_release_ownership include/net/sock.h:1471 [inline] + release_sock+0x183/0x1c0 net/core/sock.c:2808 + rxrpc_recvmsg+0x6d3/0x3099 net/rxrpc/recvmsg.c:598 + sock_recvmsg_nosec net/socket.c:794 [inline] + sock_recvmsg net/socket.c:801 [inline] + sock_recvmsg+0xd0/0x110 net/socket.c:797 + __sys_recvfrom+0x1ff/0x350 net/socket.c:1845 + __do_sys_recvfrom net/socket.c:1863 [inline] + __se_sys_recvfrom net/socket.c:1859 [inline] + __x64_sys_recvfrom+0xe1/0x1a0 net/socket.c:1859 + 
do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290 + entry_SYSCALL_64_after_hwframe+0x49/0xbe +RIP: 0033:0x446379 +Code: e8 2c b3 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 2b 09 fc ff c3 66 2e 0f 1f 84 00 00 00 00 +RSP: 002b:00007fe5da89fd98 EFLAGS: 00000246 ORIG_RAX: 000000000000002d +RAX: ffffffffffffffda RBX: 00000000006dbc28 RCX: 0000000000446379 +RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003 +RBP: 00000000006dbc20 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dbc2c +R13: 0000000000000000 R14: 0000000000000000 R15: 20c49ba5e353f7cf + +Fixes: 248f219cb8bc ("rxrpc: Rewrite the data and ack handling code") +Signed-off-by: Eric Dumazet +Cc: David Howells +Reported-by: syzbot +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/rxrpc/recvmsg.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/rxrpc/recvmsg.c ++++ b/net/rxrpc/recvmsg.c +@@ -596,6 +596,7 @@ error_requeue_call: + } + error_no_call: + release_sock(&rx->sk); ++error_trace: + trace_rxrpc_recvmsg(call, rxrpc_recvmsg_return, 0, 0, 0, ret); + return ret; + +@@ -604,7 +605,7 @@ wait_interrupted: + wait_error: + finish_wait(sk_sleep(&rx->sk), &wait); + call = NULL; +- goto error_no_call; ++ goto error_trace; + } + + /** diff --git a/queue-4.19/sctp-check-and-update-stream-out_curr-when-allocating-stream_out.patch b/queue-4.19/sctp-check-and-update-stream-out_curr-when-allocating-stream_out.patch new file mode 100644 index 00000000000..175d3f7143f --- /dev/null +++ b/queue-4.19/sctp-check-and-update-stream-out_curr-when-allocating-stream_out.patch 
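Review bot: The new `error_trace:` label in `rxrpc_recvmsg()` sits directly under `release_sock(&rx->sk)` with nothing to mark it as the entry point for paths that no longer hold the socket lock, so a later edit could route a locked path to it or send an unlocked one back to `error_no_call`. A comment on the label, for example `/* entered with the socket lock already released */`, would document the invariant the fix depends on. The function body starts outside the hunk, so the lock state on the `wait_interrupted` and `wait_error` paths is taken from the commit message rather than checked here.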
@@ -0,0 +1,71 @@
+From foo@baz Sun Feb 10 12:45:09 CET 2019
+From: Xin Long
+Date: Mon, 4 Feb 2019 03:27:58 +0800
+Subject: sctp: check and update stream->out_curr when allocating stream_out
+
+From: Xin Long
+
+[ Upstream commit cfe4bd7a257f6d6f81d3458d8c9d9ec4957539e6 ]
+
+Now when using stream reconfig to add out streams, stream->out
+will get re-allocated, and all old streams' information will
+be copied to the new ones and the old ones will be freed.
+
+So without stream->out_curr updated, next time when trying to
+send from stream->out_curr stream, a panic would be caused.
+
+This patch is to check and update stream->out_curr when
+allocating stream_out.
+
+v1->v2:
+ - define fa_index() to get elem index from stream->out_curr.
+v2->v3:
+ - repost with no change.
+
+Fixes: 5bbbbe32a431 ("sctp: introduce stream scheduler foundations")
+Reported-by: Ying Xu
+Reported-by: syzbot+e33a3a138267ca119c7d@syzkaller.appspotmail.com
+Signed-off-by: Xin Long
+Acked-by: Neil Horman
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/sctp/stream.c | 20 ++++++++++++++++++++
+ 1 file changed, 20 insertions(+)
+
+--- a/net/sctp/stream.c
++++ b/net/sctp/stream.c
+@@ -84,6 +84,19 @@ static void fa_zero(struct flex_array *f
+ }
+ }
+
++static size_t fa_index(struct flex_array *fa, void *elem, size_t count)
++{
++ size_t index = 0;
++
++ while (count--) {
++ if (elem == flex_array_get(fa, index))
++ break;
++ index++;
++ }
++
++ return index;
++}
++
+ /* Migrates chunks from stream queues to new stream queues if needed,
+ * but not across associations. Also, removes those chunks to streams
+ * higher than the new max.
+@@ -147,6 +160,13 @@ static int sctp_stream_alloc_out(struct
+
+ if (stream->out) {
+ fa_copy(out, stream->out, 0, min(outcnt, stream->outcnt));
++ if (stream->out_curr) {
++ size_t index = fa_index(stream->out, stream->out_curr,
++ stream->outcnt);
++
++ BUG_ON(index == stream->outcnt);
++ stream->out_curr = flex_array_get(out, index);
++ }
+ fa_free(stream->out);
+ }
+
diff --git a/queue-4.19/sctp-walk-the-list-of-asoc-safely.patch b/queue-4.19/sctp-walk-the-list-of-asoc-safely.patch
new file mode 100644
index 00000000000..235fe76b57e
--- /dev/null
+++ b/queue-4.19/sctp-walk-the-list-of-asoc-safely.patch
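Review bot: In `sctp_stream_alloc_out()` the index returned by `fa_index()` is bounded by the old `stream->outcnt`, but it is then used on the new array in `flex_array_get(out, index)`, whose size is `outcnt`. The `min(outcnt, stream->outcnt)` in the `fa_copy()` call just above suggests the new array can be smaller, and what `flex_array_get()` returns for an index past the end is not visible on this page. Making that case explicit costs one line: `stream->out_curr = index < outcnt ? flex_array_get(out, index) : NULL;`. Separately, `BUG_ON(index == stream->outcnt)` halts the machine in a path driven by stream reconfiguration; `WARN_ON_ONCE()` followed by clearing `out_curr` would keep the host up, provided the scheduler tolerates a NULL `out_curr`, which cannot be confirmed from this hunk.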
@@ -0,0 +1,45 @@
+From foo@baz Sun Feb 10 12:45:09 CET 2019
+From: Greg Kroah-Hartman
+Date: Fri, 1 Feb 2019 15:15:22 +0100
+Subject: sctp: walk the list of asoc safely
+
+From: Greg Kroah-Hartman
+
+[ Upstream commit ba59fb0273076637f0add4311faa990a5eec27c0 ]
+
+In sctp_sendmesg(), when walking the list of endpoint associations, the
+association can be dropped from the list, making the list corrupt.
+Properly handle this by using list_for_each_entry_safe()
+
+Fixes: 4910280503f3 ("sctp: add support for snd flag SCTP_SENDALL process in sendmsg")
+Reported-by: Secunia Research
+Tested-by: Secunia Research
+Signed-off-by: Greg Kroah-Hartman
+Acked-by: Marcelo Ricardo Leitner
+Acked-by: Neil Horman
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/sctp/socket.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/sctp/socket.c
++++ b/net/sctp/socket.c
+@@ -2045,7 +2045,7 @@ static int sctp_sendmsg(struct sock *sk,
+ struct sctp_endpoint *ep = sctp_sk(sk)->ep;
+ struct sctp_transport *transport = NULL;
+ struct sctp_sndrcvinfo _sinfo, *sinfo;
+- struct sctp_association *asoc;
++ struct sctp_association *asoc, *tmp;
+ struct sctp_cmsgs cmsgs;
+ union sctp_addr *daddr;
+ bool new = false;
+@@ -2071,7 +2071,7 @@ static int sctp_sendmsg(struct sock *sk,
+
+ /* SCTP_SENDALL process */
+ if ((sflags & SCTP_SENDALL) && sctp_style(sk, UDP)) {
+- list_for_each_entry(asoc, &ep->asocs, asocs) {
++ list_for_each_entry_safe(asoc, tmp, &ep->asocs, asocs) {
+ err = sctp_sendmsg_check_sflags(asoc, sflags, msg,
+ msg_len);
+ if (err == 0)
diff --git a/queue-4.19/series b/queue-4.19/series
index ef5a2e9fcc9..82f05fd64f7 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
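Review bot: `list_for_each_entry_safe()` in the SCTP_SENDALL loop of `sctp_sendmsg()` only tolerates removal of the current `asoc`; if anything called from the loop body can also remove the entry cached in `tmp`, the walk is still unsafe. The loop body continues outside the hunk, so this cannot be checked here. A comment at the loop would pin the assumption down for later changes: `/* _safe: the body may drop asoc from ep->asocs; it must not drop the next entry */`.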
@@ -256,3 +256,21 @@ fs-xfs-fix-f_ffree-value-for-statfs-when-project-quo.patch
 xfs-fix-page_mask-usage-in-xfs_free_file_space.patch
 xfs-fix-inverted-return-from-xfs_btree_sblock_verify.patch
 thermal-hwmon-inline-helpers-when-config_thermal_hwmon-is-not-set.patch
+dccp-fool-proof-ccid_hc_x_parse_options.patch
+enic-fix-checksum-validation-for-ipv6.patch
+lib-test_rhashtable-make-test_insert_dup-allocate-its-hash-table-dynamically.patch
+net-dp83640-expire-old-tx-skb.patch
+net-dsa-fix-lockdep-false-positive-splat.patch
+net-dsa-fix-null-checking-in-dsa_slave_set_eee.patch
+net-dsa-mv88e6xxx-fix-counting-of-atu-violations.patch
+net-dsa-slave-don-t-propagate-flag-changes-on-down-slave-interfaces.patch
+net-mlx5e-force-checksum_unnecessary-for-short-ethernet-frames.patch
+net-systemport-fix-wol-with-password-after-deep-sleep.patch
+rds-fix-refcount-bug-in-rds_sock_addref.patch
+revert-net-phy-marvell-avoid-pause-mode-on-sgmii-to-copper-for-88e151x.patch
+rxrpc-bad-unlock-balance-in-rxrpc_recvmsg.patch
+sctp-check-and-update-stream-out_curr-when-allocating-stream_out.patch
+sctp-walk-the-list-of-asoc-safely.patch
+skge-potential-memory-corruption-in-skge_get_regs.patch
+virtio_net-account-for-tx-bytes-and-packets-on-sending-xdp_frames.patch
+net-mlx5e-fpga-fix-innova-ipsec-tx-offload-data-path-performance.patch
diff --git a/queue-4.19/skge-potential-memory-corruption-in-skge_get_regs.patch b/queue-4.19/skge-potential-memory-corruption-in-skge_get_regs.patch
new file mode 100644
index 00000000000..6db10d3cdbf
--- /dev/null
+++ b/queue-4.19/skge-potential-memory-corruption-in-skge_get_regs.patch
@@ -0,0 +1,37 @@
+From foo@baz Sun Feb 10 12:45:09 CET 2019
+From: Dan Carpenter
+Date: Fri, 1 Feb 2019 11:28:16 +0300
+Subject: skge: potential memory corruption in skge_get_regs()
+
+From: Dan Carpenter
+
+[ Upstream commit 294c149a209c6196c2de85f512b52ef50f519949 ]
+
+The "p" buffer is 0x4000 bytes long. B3_RI_WTO_R1 is 0x190. The value
+of "regs->len" is in the 1-0x4000 range. The bug here is that
+"regs->len - B3_RI_WTO_R1" can be a negative value which would lead to
+memory corruption and an abrupt crash.
+
+Fixes: c3f8be961808 ("[PATCH] skge: expand ethtool debug register dump")
+Signed-off-by: Dan Carpenter
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/marvell/skge.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/marvell/skge.c
++++ b/drivers/net/ethernet/marvell/skge.c
+@@ -152,8 +152,10 @@ static void skge_get_regs(struct net_dev
+ memset(p, 0, regs->len);
+ memcpy_fromio(p, io, B3_RAM_ADDR);
+
+- memcpy_fromio(p + B3_RI_WTO_R1, io + B3_RI_WTO_R1,
+- regs->len - B3_RI_WTO_R1);
++ if (regs->len > B3_RI_WTO_R1) {
++ memcpy_fromio(p + B3_RI_WTO_R1, io + B3_RI_WTO_R1,
++ regs->len - B3_RI_WTO_R1);
++ }
+ }
+
+ /* Wake on Lan only supported on Yukon chips with rev 1 or above */
diff --git a/queue-4.19/virtio_net-account-for-tx-bytes-and-packets-on-sending-xdp_frames.patch b/queue-4.19/virtio_net-account-for-tx-bytes-and-packets-on-sending-xdp_frames.patch
new file mode 100644
index 00000000000..23593e83a68
--- /dev/null
+++ b/queue-4.19/virtio_net-account-for-tx-bytes-and-packets-on-sending-xdp_frames.patch
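Review bot: The new `regs->len > B3_RI_WTO_R1` guard in `skge_get_regs()` bounds only the second copy; `memcpy_fromio(p, io, B3_RAM_ADDR)` just above it still copies a fixed length whatever `regs->len` is. Going by the commit message that is safe because `p` is always 0x4000 bytes, but the code does not say so and the value of `B3_RAM_ADDR` is not on this page. A comment above the first copy, e.g. `/* p is 0x4000 bytes regardless of regs->len, so this fixed-size copy fits */`, would stop the two copies from looking inconsistent and would flag the assumption if the buffer sizing ever changes. The function starts outside the hunk.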
@@ -0,0 +1,65 @@
+From foo@baz Sun Feb 10 12:45:09 CET 2019
+From: Toshiaki Makita
+Date: Thu, 31 Jan 2019 20:40:30 +0900
+Subject: virtio_net: Account for tx bytes and packets on sending xdp_frames
+
+From: Toshiaki Makita
+
+[ Upstream commit 546f28974d771b124fb0bf7b551b343888cf0419 ]
+
+Previously virtnet_xdp_xmit() did not account for device tx counters,
+which caused confusions.
+To be consistent with SKBs, account them on freeing xdp_frames.
+
+Reported-by: David Ahern
+Signed-off-by: Toshiaki Makita
+Acked-by: Michael S. Tsirkin
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/virtio_net.c | 20 ++++++++++++++++----
+ 1 file changed, 16 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/virtio_net.c
++++ b/drivers/net/virtio_net.c
+@@ -502,6 +502,8 @@ static int virtnet_xdp_xmit(struct net_d
+ struct bpf_prog *xdp_prog;
+ struct send_queue *sq;
+ unsigned int len;
++ int packets = 0;
++ int bytes = 0;
+ int drops = 0;
+ int kicks = 0;
+ int ret, err;
+@@ -525,10 +527,18 @@ static int virtnet_xdp_xmit(struct net_d
+
+ /* Free up any pending old buffers before queueing new ones. */
+ while ((ptr = virtqueue_get_buf(sq->vq, &len)) != NULL) {
+- if (likely(is_xdp_frame(ptr)))
+- xdp_return_frame(ptr_to_xdp(ptr));
+- else
+- napi_consume_skb(ptr, false);
++ if (likely(is_xdp_frame(ptr))) {
++ struct xdp_frame *frame = ptr_to_xdp(ptr);
++
++ bytes += frame->len;
++ xdp_return_frame(frame);
++ } else {
++ struct sk_buff *skb = ptr;
++
++ bytes += skb->len;
++ napi_consume_skb(skb, false);
++ }
++ packets++;
+ }
+
+ for (i = 0; i < n; i++) {
+@@ -548,6 +558,8 @@ static int virtnet_xdp_xmit(struct net_d
+ }
+ out:
+ u64_stats_update_begin(&sq->stats.syncp);
++ sq->stats.bytes += bytes;
++ sq->stats.packets += packets;
+ sq->stats.xdp_tx += n;
+ sq->stats.xdp_tx_drops += drops;
+ sq->stats.kicks += kicks;
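Review bot: The byte and packet counters added to `virtnet_xdp_xmit()` are accumulated in the loop that frees previously completed buffers, so the totals written under `out:` describe earlier transmissions (skbs included), not the `n` frames queued by this call, and nothing in the code says so. A comment at the `while` loop such as `/* tx bytes/packets are accounted when a buffer completes, as for skbs */` would keep a later reader from "fixing" the apparent mismatch with `xdp_tx += n`. `bytes` is also a signed `int` summing length fields; `unsigned int bytes = 0;` would match the neighbouring `unsigned int len`, though the types of the `sq->stats` fields are not visible here. The function starts and ends outside the hunks.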