From: Greg Kroah-Hartman Date: Mon, 17 Aug 2020 09:44:47 +0000 (+0200) Subject: 5.4-stable patches X-Git-Tag: v4.19.140~44 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f926215428fbe8a5d4bba85fbd095d5a6cb54c21;p=thirdparty%2Fkernel%2Fstable-queue.git 5.4-stable patches added patches: af_packet-tpacket_v3-fix-fill-status-rwlock-imbalance.patch drivers-net-wan-lapbether-added-needed_headroom-and-a-skb-len-check.patch net-fix-potential-memory-leak-in-proto_register.patch net-initialize-fastreuse-on-inet_inherit_port.patch net-nfc-rawsock.c-add-cap_net_raw-check.patch net-phy-fix-memory-leak-in-device-create-error-path.patch net-refactor-bind_bucket-fastreuse-into-helper.patch net-set-fput_needed-iff-fdput_fput-is-set.patch net-tls-fix-kmap-usage.patch tcp-correct-read-of-tfo-keys-on-big-endian-systems.patch vmxnet3-use-correct-tcp-hdr-length-when-packet-is-encapsulated.patch --- diff --git a/queue-5.4/af_packet-tpacket_v3-fix-fill-status-rwlock-imbalance.patch b/queue-5.4/af_packet-tpacket_v3-fix-fill-status-rwlock-imbalance.patch new file mode 100644 index 00000000000..448ab68641c --- /dev/null +++ b/queue-5.4/af_packet-tpacket_v3-fix-fill-status-rwlock-imbalance.patch @@ -0,0 +1,72 @@ +From foo@baz Mon 17 Aug 2020 11:40:15 AM CEST +From: John Ogness +Date: Thu, 13 Aug 2020 21:45:25 +0206 +Subject: af_packet: TPACKET_V3: fix fill status rwlock imbalance + +From: John Ogness + +[ Upstream commit 88fd1cb80daa20af063bce81e1fad14e945a8dc4 ] + +After @blk_fill_in_prog_lock is acquired there is an early out vnet +situation that can occur. In that case, the rwlock needs to be +released. + +Also, since @blk_fill_in_prog_lock is only acquired when @tp_version +is exactly TPACKET_V3, only release it on that exact condition as +well. + +And finally, add sparse annotation so that it is clearer that +prb_fill_curr_block() and prb_clear_blk_fill_status() are acquiring +and releasing @blk_fill_in_prog_lock, respectively. sparse is still +unable to understand the balance, but the warnings are now on a +higher level that make more sense. + +Fixes: 632ca50f2cbd ("af_packet: TPACKET_V3: replace busy-wait loop") +Signed-off-by: John Ogness +Reported-by: kernel test robot +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/packet/af_packet.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +--- a/net/packet/af_packet.c ++++ b/net/packet/af_packet.c +@@ -941,6 +941,7 @@ static int prb_queue_frozen(struct tpack + } + + static void prb_clear_blk_fill_status(struct packet_ring_buffer *rb) ++ __releases(&pkc->blk_fill_in_prog_lock) + { + struct tpacket_kbdq_core *pkc = GET_PBDQC_FROM_RB(rb); + atomic_dec(&pkc->blk_fill_in_prog); +@@ -988,6 +989,7 @@ static void prb_fill_curr_block(char *cu + struct tpacket_kbdq_core *pkc, + struct tpacket_block_desc *pbd, + unsigned int len) ++ __acquires(&pkc->blk_fill_in_prog_lock) + { + struct tpacket3_hdr *ppd; + +@@ -2285,8 +2287,11 @@ static int tpacket_rcv(struct sk_buff *s + if (do_vnet && + virtio_net_hdr_from_skb(skb, h.raw + macoff - + sizeof(struct virtio_net_hdr), +- vio_le(), true, 0)) ++ vio_le(), true, 0)) { ++ if (po->tp_version == TPACKET_V3) ++ prb_clear_blk_fill_status(&po->rx_ring); + goto drop_n_account; ++ } + + if (po->tp_version <= TPACKET_V2) { + packet_increment_rx_head(po, &po->rx_ring); +@@ -2392,7 +2397,7 @@ static int tpacket_rcv(struct sk_buff *s + __clear_bit(slot_id, po->rx_ring.rx_owner_map); + spin_unlock(&sk->sk_receive_queue.lock); + sk->sk_data_ready(sk); +- } else { ++ } else if (po->tp_version == TPACKET_V3) { + prb_clear_blk_fill_status(&po->rx_ring); + } + diff --git a/queue-5.4/drivers-net-wan-lapbether-added-needed_headroom-and-a-skb-len-check.patch b/queue-5.4/drivers-net-wan-lapbether-added-needed_headroom-and-a-skb-len-check.patch new file mode 100644 index 00000000000..d784ab25c72 --- /dev/null +++ b/queue-5.4/drivers-net-wan-lapbether-added-needed_headroom-and-a-skb-len-check.patch @@ -0,0 +1,107 @@ +From foo@baz Mon 17 Aug 2020 11:40:15 AM CEST +From: Xie He +Date: Wed, 5 Aug 2020 18:50:40 -0700 +Subject: drivers/net/wan/lapbether: Added needed_headroom and a skb->len check + +From: Xie He + +[ Upstream commit c7ca03c216acb14466a713fedf1b9f2c24994ef2 ] + +1. Added a skb->len check + +This driver expects upper layers to include a pseudo header of 1 byte +when passing down a skb for transmission. This driver will read this +1-byte header. This patch added a skb->len check before reading the +header to make sure the header exists. + +2. Changed to use needed_headroom instead of hard_header_len to request +necessary headroom to be allocated + +In net/packet/af_packet.c, the function packet_snd first reserves a +headroom of length (dev->hard_header_len + dev->needed_headroom). +Then if the socket is a SOCK_DGRAM socket, it calls dev_hard_header, +which calls dev->header_ops->create, to create the link layer header. +If the socket is a SOCK_RAW socket, it "un-reserves" a headroom of +length (dev->hard_header_len), and assumes the user to provide the +appropriate link layer header. + +So according to the logic of af_packet.c, dev->hard_header_len should +be the length of the header that would be created by +dev->header_ops->create. + +However, this driver doesn't provide dev->header_ops, so logically +dev->hard_header_len should be 0. + +So we should use dev->needed_headroom instead of dev->hard_header_len +to request necessary headroom to be allocated. + +This change fixes kernel panic when this driver is used with AF_PACKET +SOCK_RAW sockets. + +Call stack when panic: + +[ 168.399197] skbuff: skb_under_panic: text:ffffffff819d95fb len:20 +put:14 head:ffff8882704c0a00 data:ffff8882704c09fd tail:0x11 end:0xc0 +dev:veth0 +... +[ 168.399255] Call Trace: +[ 168.399259] skb_push.cold+0x14/0x24 +[ 168.399262] eth_header+0x2b/0xc0 +[ 168.399267] lapbeth_data_transmit+0x9a/0xb0 [lapbether] +[ 168.399275] lapb_data_transmit+0x22/0x2c [lapb] +[ 168.399277] lapb_transmit_buffer+0x71/0xb0 [lapb] +[ 168.399279] lapb_kick+0xe3/0x1c0 [lapb] +[ 168.399281] lapb_data_request+0x76/0xc0 [lapb] +[ 168.399283] lapbeth_xmit+0x56/0x90 [lapbether] +[ 168.399286] dev_hard_start_xmit+0x91/0x1f0 +[ 168.399289] ? irq_init_percpu_irqstack+0xc0/0x100 +[ 168.399291] __dev_queue_xmit+0x721/0x8e0 +[ 168.399295] ? packet_parse_headers.isra.0+0xd2/0x110 +[ 168.399297] dev_queue_xmit+0x10/0x20 +[ 168.399298] packet_sendmsg+0xbf0/0x19b0 +...... + +Cc: Willem de Bruijn +Cc: Martin Schiller +Cc: Brian Norris +Signed-off-by: Xie He +Acked-by: Willem de Bruijn +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wan/lapbether.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +--- a/drivers/net/wan/lapbether.c ++++ b/drivers/net/wan/lapbether.c +@@ -157,6 +157,12 @@ static netdev_tx_t lapbeth_xmit(struct s + if (!netif_running(dev)) + goto drop; + ++ /* There should be a pseudo header of 1 byte added by upper layers. ++ * Check to make sure it is there before reading it. ++ */ ++ if (skb->len < 1) ++ goto drop; ++ + switch (skb->data[0]) { + case X25_IFACE_DATA: + break; +@@ -305,6 +311,7 @@ static void lapbeth_setup(struct net_dev + dev->netdev_ops = &lapbeth_netdev_ops; + dev->needs_free_netdev = true; + dev->type = ARPHRD_X25; ++ dev->hard_header_len = 0; + dev->mtu = 1000; + dev->addr_len = 0; + } +@@ -331,7 +338,8 @@ static int lapbeth_new_device(struct net + * then this driver prepends a length field of 2 bytes, + * then the underlying Ethernet device prepends its own header. + */ +- ndev->hard_header_len = -1 + 3 + 2 + dev->hard_header_len; ++ ndev->needed_headroom = -1 + 3 + 2 + dev->hard_header_len ++ + dev->needed_headroom; + + lapbeth = netdev_priv(ndev); + lapbeth->axdev = ndev; diff --git a/queue-5.4/net-fix-potential-memory-leak-in-proto_register.patch b/queue-5.4/net-fix-potential-memory-leak-in-proto_register.patch new file mode 100644 index 00000000000..f1a30d35619 --- /dev/null +++ b/queue-5.4/net-fix-potential-memory-leak-in-proto_register.patch @@ -0,0 +1,82 @@ +From foo@baz Mon 17 Aug 2020 11:40:15 AM CEST +From: Miaohe Lin +Date: Mon, 10 Aug 2020 08:16:58 -0400 +Subject: net: Fix potential memory leak in proto_register() + +From: Miaohe Lin + +[ Upstream commit 0f5907af39137f8183ed536aaa00f322d7365130 ] + +If we failed to assign proto idx, we free the twsk_slab_name but forget to +free the twsk_slab. Add a helper function tw_prot_cleanup() to free these +together and also use this helper function in proto_unregister(). + +Fixes: b45ce32135d1 ("sock: fix potential memory leak in proto_register()") +Signed-off-by: Miaohe Lin +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/core/sock.c | 25 +++++++++++++++---------- + 1 file changed, 15 insertions(+), 10 deletions(-) + +--- a/net/core/sock.c ++++ b/net/core/sock.c +@@ -3337,6 +3337,16 @@ static void sock_inuse_add(struct net *n + } + #endif + ++static void tw_prot_cleanup(struct timewait_sock_ops *twsk_prot) ++{ ++ if (!twsk_prot) ++ return; ++ kfree(twsk_prot->twsk_slab_name); ++ twsk_prot->twsk_slab_name = NULL; ++ kmem_cache_destroy(twsk_prot->twsk_slab); ++ twsk_prot->twsk_slab = NULL; ++} ++ + static void req_prot_cleanup(struct request_sock_ops *rsk_prot) + { + if (!rsk_prot) +@@ -3407,7 +3417,7 @@ int proto_register(struct proto *prot, i + prot->slab_flags, + NULL); + if (prot->twsk_prot->twsk_slab == NULL) +- goto out_free_timewait_sock_slab_name; ++ goto out_free_timewait_sock_slab; + } + } + +@@ -3415,15 +3425,15 @@ int proto_register(struct proto *prot, i + ret = assign_proto_idx(prot); + if (ret) { + mutex_unlock(&proto_list_mutex); +- goto out_free_timewait_sock_slab_name; ++ goto out_free_timewait_sock_slab; + } + list_add(&prot->node, &proto_list); + mutex_unlock(&proto_list_mutex); + return ret; + +-out_free_timewait_sock_slab_name: ++out_free_timewait_sock_slab: + if (alloc_slab && prot->twsk_prot) +- kfree(prot->twsk_prot->twsk_slab_name); ++ tw_prot_cleanup(prot->twsk_prot); + out_free_request_sock_slab: + if (alloc_slab) { + req_prot_cleanup(prot->rsk_prot); +@@ -3447,12 +3457,7 @@ void proto_unregister(struct proto *prot + prot->slab = NULL; + + req_prot_cleanup(prot->rsk_prot); +- +- if (prot->twsk_prot != NULL && prot->twsk_prot->twsk_slab != NULL) { +- kmem_cache_destroy(prot->twsk_prot->twsk_slab); +- kfree(prot->twsk_prot->twsk_slab_name); +- prot->twsk_prot->twsk_slab = NULL; +- } ++ tw_prot_cleanup(prot->twsk_prot); + } + EXPORT_SYMBOL(proto_unregister); + diff --git a/queue-5.4/net-initialize-fastreuse-on-inet_inherit_port.patch b/queue-5.4/net-initialize-fastreuse-on-inet_inherit_port.patch new file mode 100644 index 00000000000..8032783759d --- /dev/null +++ b/queue-5.4/net-initialize-fastreuse-on-inet_inherit_port.patch @@ -0,0 +1,60 @@ +From foo@baz Mon 17 Aug 2020 11:40:15 AM CEST +From: Tim Froidcoeur +Date: Tue, 11 Aug 2020 20:33:24 +0200 +Subject: net: initialize fastreuse on inet_inherit_port + +From: Tim Froidcoeur + +[ Upstream commit d76f3351cea2d927fdf70dd7c06898235035e84e ] + +In the case of TPROXY, bind_conflict optimizations for SO_REUSEADDR or +SO_REUSEPORT are broken, possibly resulting in O(n) instead of O(1) bind +behaviour or in the incorrect reuse of a bind. + +the kernel keeps track for each bind_bucket if all sockets in the +bind_bucket support SO_REUSEADDR or SO_REUSEPORT in two fastreuse flags. +These flags allow skipping the costly bind_conflict check when possible +(meaning when all sockets have the proper SO_REUSE option). + +For every socket added to a bind_bucket, these flags need to be updated. +As soon as a socket that does not support reuse is added, the flag is +set to false and will never go back to true, unless the bind_bucket is +deleted. + +Note that there is no mechanism to re-evaluate these flags when a socket +is removed (this might make sense when removing a socket that would not +allow reuse; this leaves room for a future patch). + +For this optimization to work, it is mandatory that these flags are +properly initialized and updated. + +When a child socket is created from a listen socket in +__inet_inherit_port, the TPROXY case could create a new bind bucket +without properly initializing these flags, thus preventing the +optimization to work. Alternatively, a socket not allowing reuse could +be added to an existing bind bucket without updating the flags, causing +bind_conflict to never be called as it should. + +Call inet_csk_update_fastreuse when __inet_inherit_port decides to create +a new bind_bucket or use a different bind_bucket than the one of the +listen socket. + +Fixes: 093d282321da ("tproxy: fix hash locking issue when using port redirection in __inet_inherit_port()") +Acked-by: Matthieu Baerts +Signed-off-by: Tim Froidcoeur +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/inet_hashtables.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/ipv4/inet_hashtables.c ++++ b/net/ipv4/inet_hashtables.c +@@ -163,6 +163,7 @@ int __inet_inherit_port(const struct soc + return -ENOMEM; + } + } ++ inet_csk_update_fastreuse(tb, child); + } + inet_bind_hash(child, tb, port); + spin_unlock(&head->lock); diff --git a/queue-5.4/net-nfc-rawsock.c-add-cap_net_raw-check.patch b/queue-5.4/net-nfc-rawsock.c-add-cap_net_raw-check.patch new file mode 100644 index 00000000000..34a8d8ad96f --- /dev/null +++ b/queue-5.4/net-nfc-rawsock.c-add-cap_net_raw-check.patch @@ -0,0 +1,36 @@ +From foo@baz Mon 17 Aug 2020 11:40:15 AM CEST +From: Qingyu Li +Date: Mon, 10 Aug 2020 09:51:00 +0800 +Subject: net/nfc/rawsock.c: add CAP_NET_RAW check. + +From: Qingyu Li + +[ Upstream commit 26896f01467a28651f7a536143fe5ac8449d4041 ] + +When creating a raw AF_NFC socket, CAP_NET_RAW needs to be checked first. + +Signed-off-by: Qingyu Li +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/nfc/rawsock.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/net/nfc/rawsock.c ++++ b/net/nfc/rawsock.c +@@ -332,10 +332,13 @@ static int rawsock_create(struct net *ne + if ((sock->type != SOCK_SEQPACKET) && (sock->type != SOCK_RAW)) + return -ESOCKTNOSUPPORT; + +- if (sock->type == SOCK_RAW) ++ if (sock->type == SOCK_RAW) { ++ if (!capable(CAP_NET_RAW)) ++ return -EPERM; + sock->ops = &rawsock_raw_ops; +- else ++ } else { + sock->ops = &rawsock_ops; ++ } + + sk = sk_alloc(net, PF_NFC, GFP_ATOMIC, nfc_proto->proto, kern); + if (!sk) diff --git a/queue-5.4/net-phy-fix-memory-leak-in-device-create-error-path.patch b/queue-5.4/net-phy-fix-memory-leak-in-device-create-error-path.patch new file mode 100644 index 00000000000..f47b6c285c2 --- /dev/null +++ b/queue-5.4/net-phy-fix-memory-leak-in-device-create-error-path.patch @@ -0,0 +1,46 @@ +From foo@baz Mon 17 Aug 2020 11:40:15 AM CEST +From: Johan Hovold +Date: Thu, 6 Aug 2020 17:37:53 +0200 +Subject: net: phy: fix memory leak in device-create error path + +From: Johan Hovold + +[ Upstream commit d02cbc46136105cf86f84ac355e16f04696f538d ] + +A recent commit introduced a late error path in phy_device_create() +which fails to release the device name allocated by dev_set_name(). + +Fixes: 13d0ab6750b2 ("net: phy: check return code when requesting PHY driver module") +Cc: Heiner Kallweit +Signed-off-by: Johan Hovold +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/phy/phy_device.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/net/phy/phy_device.c ++++ b/drivers/net/phy/phy_device.c +@@ -615,7 +615,9 @@ struct phy_device *phy_device_create(str + if (c45_ids) + dev->c45_ids = *c45_ids; + dev->irq = bus->irq[addr]; ++ + dev_set_name(&mdiodev->dev, PHY_ID_FMT, bus->id, addr); ++ device_initialize(&mdiodev->dev); + + dev->state = PHY_DOWN; + +@@ -649,10 +651,8 @@ struct phy_device *phy_device_create(str + ret = phy_request_driver_module(dev, phy_id); + } + +- if (!ret) { +- device_initialize(&mdiodev->dev); +- } else { +- kfree(dev); ++ if (ret) { ++ put_device(&mdiodev->dev); + dev = ERR_PTR(ret); + } + diff --git a/queue-5.4/net-refactor-bind_bucket-fastreuse-into-helper.patch b/queue-5.4/net-refactor-bind_bucket-fastreuse-into-helper.patch new file mode 100644 index 00000000000..d208f97eb32 --- /dev/null +++ b/queue-5.4/net-refactor-bind_bucket-fastreuse-into-helper.patch @@ -0,0 +1,154 @@ +From foo@baz Mon 17 Aug 2020 11:40:15 AM CEST +From: Tim Froidcoeur +Date: Tue, 11 Aug 2020 20:33:23 +0200 +Subject: net: refactor bind_bucket fastreuse into helper + +From: Tim Froidcoeur + +[ Upstream commit 62ffc589abb176821662efc4525ee4ac0b9c3894 ] + +Refactor the fastreuse update code in inet_csk_get_port into a small +helper function that can be called from other places. + +Acked-by: Matthieu Baerts +Signed-off-by: Tim Froidcoeur +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/net/inet_connection_sock.h | 4 + + net/ipv4/inet_connection_sock.c | 97 ++++++++++++++++++++----------------- + 2 files changed, 57 insertions(+), 44 deletions(-) + +--- a/include/net/inet_connection_sock.h ++++ b/include/net/inet_connection_sock.h +@@ -309,6 +309,10 @@ int inet_csk_compat_getsockopt(struct so + int inet_csk_compat_setsockopt(struct sock *sk, int level, int optname, + char __user *optval, unsigned int optlen); + ++/* update the fast reuse flag when adding a socket */ ++void inet_csk_update_fastreuse(struct inet_bind_bucket *tb, ++ struct sock *sk); ++ + struct dst_entry *inet_csk_update_pmtu(struct sock *sk, u32 mtu); + + #define TCP_PINGPONG_THRESH 3 +--- a/net/ipv4/inet_connection_sock.c ++++ b/net/ipv4/inet_connection_sock.c +@@ -284,6 +284,57 @@ static inline int sk_reuseport_match(str + ipv6_only_sock(sk), true, false); + } + ++void inet_csk_update_fastreuse(struct inet_bind_bucket *tb, ++ struct sock *sk) ++{ ++ kuid_t uid = sock_i_uid(sk); ++ bool reuse = sk->sk_reuse && sk->sk_state != TCP_LISTEN; ++ ++ if (hlist_empty(&tb->owners)) { ++ tb->fastreuse = reuse; ++ if (sk->sk_reuseport) { ++ tb->fastreuseport = FASTREUSEPORT_ANY; ++ tb->fastuid = uid; ++ tb->fast_rcv_saddr = sk->sk_rcv_saddr; ++ tb->fast_ipv6_only = ipv6_only_sock(sk); ++ tb->fast_sk_family = sk->sk_family; ++#if IS_ENABLED(CONFIG_IPV6) ++ tb->fast_v6_rcv_saddr = sk->sk_v6_rcv_saddr; ++#endif ++ } else { ++ tb->fastreuseport = 0; ++ } ++ } else { ++ if (!reuse) ++ tb->fastreuse = 0; ++ if (sk->sk_reuseport) { ++ /* We didn't match or we don't have fastreuseport set on ++ * the tb, but we have sk_reuseport set on this socket ++ * and we know that there are no bind conflicts with ++ * this socket in this tb, so reset our tb's reuseport ++ * settings so that any subsequent sockets that match ++ * our current socket will be put on the fast path. ++ * ++ * If we reset we need to set FASTREUSEPORT_STRICT so we ++ * do extra checking for all subsequent sk_reuseport ++ * socks. ++ */ ++ if (!sk_reuseport_match(tb, sk)) { ++ tb->fastreuseport = FASTREUSEPORT_STRICT; ++ tb->fastuid = uid; ++ tb->fast_rcv_saddr = sk->sk_rcv_saddr; ++ tb->fast_ipv6_only = ipv6_only_sock(sk); ++ tb->fast_sk_family = sk->sk_family; ++#if IS_ENABLED(CONFIG_IPV6) ++ tb->fast_v6_rcv_saddr = sk->sk_v6_rcv_saddr; ++#endif ++ } ++ } else { ++ tb->fastreuseport = 0; ++ } ++ } ++} ++ + /* Obtain a reference to a local port for the given sock, + * if snum is zero it means select any available local port. + * We try to allocate an odd port (and leave even ports for connect()) +@@ -296,7 +347,6 @@ int inet_csk_get_port(struct sock *sk, u + struct inet_bind_hashbucket *head; + struct net *net = sock_net(sk); + struct inet_bind_bucket *tb = NULL; +- kuid_t uid = sock_i_uid(sk); + int l3mdev; + + l3mdev = inet_sk_bound_l3mdev(sk); +@@ -333,49 +383,8 @@ tb_found: + goto fail_unlock; + } + success: +- if (hlist_empty(&tb->owners)) { +- tb->fastreuse = reuse; +- if (sk->sk_reuseport) { +- tb->fastreuseport = FASTREUSEPORT_ANY; +- tb->fastuid = uid; +- tb->fast_rcv_saddr = sk->sk_rcv_saddr; +- tb->fast_ipv6_only = ipv6_only_sock(sk); +- tb->fast_sk_family = sk->sk_family; +-#if IS_ENABLED(CONFIG_IPV6) +- tb->fast_v6_rcv_saddr = sk->sk_v6_rcv_saddr; +-#endif +- } else { +- tb->fastreuseport = 0; +- } +- } else { +- if (!reuse) +- tb->fastreuse = 0; +- if (sk->sk_reuseport) { +- /* We didn't match or we don't have fastreuseport set on +- * the tb, but we have sk_reuseport set on this socket +- * and we know that there are no bind conflicts with +- * this socket in this tb, so reset our tb's reuseport +- * settings so that any subsequent sockets that match +- * our current socket will be put on the fast path. +- * +- * If we reset we need to set FASTREUSEPORT_STRICT so we +- * do extra checking for all subsequent sk_reuseport +- * socks. +- */ +- if (!sk_reuseport_match(tb, sk)) { +- tb->fastreuseport = FASTREUSEPORT_STRICT; +- tb->fastuid = uid; +- tb->fast_rcv_saddr = sk->sk_rcv_saddr; +- tb->fast_ipv6_only = ipv6_only_sock(sk); +- tb->fast_sk_family = sk->sk_family; +-#if IS_ENABLED(CONFIG_IPV6) +- tb->fast_v6_rcv_saddr = sk->sk_v6_rcv_saddr; +-#endif +- } +- } else { +- tb->fastreuseport = 0; +- } +- } ++ inet_csk_update_fastreuse(tb, sk); ++ + if (!inet_csk(sk)->icsk_bind_hash) + inet_bind_hash(sk, tb, port); + WARN_ON(inet_csk(sk)->icsk_bind_hash != tb); diff --git a/queue-5.4/net-set-fput_needed-iff-fdput_fput-is-set.patch b/queue-5.4/net-set-fput_needed-iff-fdput_fput-is-set.patch new file mode 100644 index 00000000000..cbe0308db6b --- /dev/null +++ b/queue-5.4/net-set-fput_needed-iff-fdput_fput-is-set.patch @@ -0,0 +1,31 @@ +From foo@baz Mon 17 Aug 2020 11:40:15 AM CEST +From: Miaohe Lin +Date: Thu, 6 Aug 2020 19:53:16 +0800 +Subject: net: Set fput_needed iff FDPUT_FPUT is set + +From: Miaohe Lin + +[ Upstream commit ce787a5a074a86f76f5d3fd804fa78e01bfb9e89 ] + +We should fput() file iff FDPUT_FPUT is set. So we should set fput_needed +accordingly. + +Fixes: 00e188ef6a7e ("sockfd_lookup_light(): switch to fdget^W^Waway from fget_light") +Signed-off-by: Miaohe Lin +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/socket.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/socket.c ++++ b/net/socket.c +@@ -485,7 +485,7 @@ static struct socket *sockfd_lookup_ligh + if (f.file) { + sock = sock_from_file(f.file, err); + if (likely(sock)) { +- *fput_needed = f.flags; ++ *fput_needed = f.flags & FDPUT_FPUT; + return sock; + } + fdput(f); diff --git a/queue-5.4/net-tls-fix-kmap-usage.patch b/queue-5.4/net-tls-fix-kmap-usage.patch new file mode 100644 index 00000000000..f4e32022212 --- /dev/null +++ b/queue-5.4/net-tls-fix-kmap-usage.patch @@ -0,0 +1,43 @@ +From foo@baz Mon 17 Aug 2020 11:40:15 AM CEST +From: Ira Weiny +Date: Mon, 10 Aug 2020 17:02:58 -0700 +Subject: net/tls: Fix kmap usage + +From: Ira Weiny + +[ Upstream commit b06c19d9f827f6743122795570bfc0c72db482b0 ] + +When MSG_OOB is specified to tls_device_sendpage() the mapped page is +never unmapped. + +Hold off mapping the page until after the flags are checked and the page +is actually needed. + +Fixes: e8f69799810c ("net/tls: Add generic NIC offload infrastructure") +Signed-off-by: Ira Weiny +Reviewed-by: Jakub Kicinski +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/tls/tls_device.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/tls/tls_device.c ++++ b/net/tls/tls_device.c +@@ -549,7 +549,7 @@ int tls_device_sendpage(struct sock *sk, + { + struct tls_context *tls_ctx = tls_get_ctx(sk); + struct iov_iter msg_iter; +- char *kaddr = kmap(page); ++ char *kaddr; + struct kvec iov; + int rc; + +@@ -564,6 +564,7 @@ int tls_device_sendpage(struct sock *sk, + goto out; + } + ++ kaddr = kmap(page); + iov.iov_base = kaddr + offset; + iov.iov_len = size; + iov_iter_kvec(&msg_iter, WRITE, &iov, 1, size); diff --git a/queue-5.4/series b/queue-5.4/series index f99c5ef0891..a2b39e6229b 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -214,3 +214,14 @@ svcrdma-fix-page-leak-in-svc_rdma_recv_read_chunk.patch sunrpc-fix-sunrpc-add-len-parameter-to-gss_unwrap.patch x86-fsgsbase-64-fix-null-deref-in-86_fsgsbase_read_t.patch crypto-aesni-add-compatibility-with-ias.patch +af_packet-tpacket_v3-fix-fill-status-rwlock-imbalance.patch +drivers-net-wan-lapbether-added-needed_headroom-and-a-skb-len-check.patch +net-fix-potential-memory-leak-in-proto_register.patch +net-nfc-rawsock.c-add-cap_net_raw-check.patch +net-phy-fix-memory-leak-in-device-create-error-path.patch +net-set-fput_needed-iff-fdput_fput-is-set.patch +net-tls-fix-kmap-usage.patch +tcp-correct-read-of-tfo-keys-on-big-endian-systems.patch +vmxnet3-use-correct-tcp-hdr-length-when-packet-is-encapsulated.patch +net-refactor-bind_bucket-fastreuse-into-helper.patch +net-initialize-fastreuse-on-inet_inherit_port.patch diff --git a/queue-5.4/tcp-correct-read-of-tfo-keys-on-big-endian-systems.patch b/queue-5.4/tcp-correct-read-of-tfo-keys-on-big-endian-systems.patch new file mode 100644 index 00000000000..eb8e3e93b4c --- /dev/null +++ b/queue-5.4/tcp-correct-read-of-tfo-keys-on-big-endian-systems.patch @@ -0,0 +1,147 @@ +From foo@baz Mon 17 Aug 2020 11:40:15 AM CEST +From: Jason Baron +Date: Mon, 10 Aug 2020 13:38:39 -0400 +Subject: tcp: correct read of TFO keys on big endian systems + +From: Jason Baron + +[ Upstream commit f19008e676366c44e9241af57f331b6c6edf9552 ] + +When TFO keys are read back on big endian systems either via the global +sysctl interface or via getsockopt() using TCP_FASTOPEN_KEY, the values +don't match what was written. + +For example, on s390x: + +# echo "1-2-3-4" > /proc/sys/net/ipv4/tcp_fastopen_key +# cat /proc/sys/net/ipv4/tcp_fastopen_key +02000000-01000000-04000000-03000000 + +Instead of: + +# cat /proc/sys/net/ipv4/tcp_fastopen_key +00000001-00000002-00000003-00000004 + +Fix this by converting to the correct endianness on read. This was +reported by Colin Ian King when running the 'tcp_fastopen_backup_key' net +selftest on s390x, which depends on the read value matching what was +written. I've confirmed that the test now passes on big and little endian +systems. + +Signed-off-by: Jason Baron +Fixes: 438ac88009bc ("net: fastopen: robustness and endianness fixes for SipHash") +Cc: Ard Biesheuvel +Cc: Eric Dumazet +Reported-and-tested-by: Colin Ian King +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/net/tcp.h | 2 ++ + net/ipv4/sysctl_net_ipv4.c | 16 ++++------------ + net/ipv4/tcp.c | 16 ++++------------ + net/ipv4/tcp_fastopen.c | 23 +++++++++++++++++++++++ + 4 files changed, 33 insertions(+), 24 deletions(-) + +--- a/include/net/tcp.h ++++ b/include/net/tcp.h +@@ -1650,6 +1650,8 @@ void tcp_fastopen_destroy_cipher(struct + void tcp_fastopen_ctx_destroy(struct net *net); + int tcp_fastopen_reset_cipher(struct net *net, struct sock *sk, + void *primary_key, void *backup_key); ++int tcp_fastopen_get_cipher(struct net *net, struct inet_connection_sock *icsk, ++ u64 *key); + void tcp_fastopen_add_skb(struct sock *sk, struct sk_buff *skb); + struct sock *tcp_try_fastopen(struct sock *sk, struct sk_buff *skb, + struct request_sock *req, +--- a/net/ipv4/sysctl_net_ipv4.c ++++ b/net/ipv4/sysctl_net_ipv4.c +@@ -307,24 +307,16 @@ static int proc_tcp_fastopen_key(struct + struct ctl_table tbl = { .maxlen = ((TCP_FASTOPEN_KEY_LENGTH * + 2 * TCP_FASTOPEN_KEY_MAX) + + (TCP_FASTOPEN_KEY_MAX * 5)) }; +- struct tcp_fastopen_context *ctx; +- u32 user_key[TCP_FASTOPEN_KEY_MAX * 4]; +- __le32 key[TCP_FASTOPEN_KEY_MAX * 4]; ++ u32 user_key[TCP_FASTOPEN_KEY_BUF_LENGTH / sizeof(u32)]; ++ __le32 key[TCP_FASTOPEN_KEY_BUF_LENGTH / sizeof(__le32)]; + char *backup_data; +- int ret, i = 0, off = 0, n_keys = 0; ++ int ret, i = 0, off = 0, n_keys; + + tbl.data = kmalloc(tbl.maxlen, GFP_KERNEL); + if (!tbl.data) + return -ENOMEM; + +- rcu_read_lock(); +- ctx = rcu_dereference(net->ipv4.tcp_fastopen_ctx); +- if (ctx) { +- n_keys = tcp_fastopen_context_len(ctx); +- memcpy(&key[0], &ctx->key[0], TCP_FASTOPEN_KEY_LENGTH * n_keys); +- } +- rcu_read_unlock(); +- ++ n_keys = tcp_fastopen_get_cipher(net, NULL, (u64 *)key); + if (!n_keys) { + memset(&key[0], 0, TCP_FASTOPEN_KEY_LENGTH); + n_keys = 1; +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -3527,22 +3527,14 @@ static int do_tcp_getsockopt(struct sock + return 0; + + case TCP_FASTOPEN_KEY: { +- __u8 key[TCP_FASTOPEN_KEY_BUF_LENGTH]; +- struct tcp_fastopen_context *ctx; +- unsigned int key_len = 0; ++ u64 key[TCP_FASTOPEN_KEY_BUF_LENGTH / sizeof(u64)]; ++ unsigned int key_len; + + if (get_user(len, optlen)) + return -EFAULT; + +- rcu_read_lock(); +- ctx = rcu_dereference(icsk->icsk_accept_queue.fastopenq.ctx); +- if (ctx) { +- key_len = tcp_fastopen_context_len(ctx) * +- TCP_FASTOPEN_KEY_LENGTH; +- memcpy(&key[0], &ctx->key[0], key_len); +- } +- rcu_read_unlock(); +- ++ key_len = tcp_fastopen_get_cipher(net, icsk, key) * ++ TCP_FASTOPEN_KEY_LENGTH; + len = min_t(unsigned int, len, key_len); + if (put_user(len, optlen)) + return -EFAULT; +--- a/net/ipv4/tcp_fastopen.c ++++ b/net/ipv4/tcp_fastopen.c +@@ -108,6 +108,29 @@ out: + return err; + } + ++int tcp_fastopen_get_cipher(struct net *net, struct inet_connection_sock *icsk, ++ u64 *key) ++{ ++ struct tcp_fastopen_context *ctx; ++ int n_keys = 0, i; ++ ++ rcu_read_lock(); ++ if (icsk) ++ ctx = rcu_dereference(icsk->icsk_accept_queue.fastopenq.ctx); ++ else ++ ctx = rcu_dereference(net->ipv4.tcp_fastopen_ctx); ++ if (ctx) { ++ n_keys = tcp_fastopen_context_len(ctx); ++ for (i = 0; i < n_keys; i++) { ++ put_unaligned_le64(ctx->key[i].key[0], key + (i * 2)); ++ put_unaligned_le64(ctx->key[i].key[1], key + (i * 2) + 1); ++ } ++ } ++ rcu_read_unlock(); ++ ++ return n_keys; ++} ++ + static bool __tcp_fastopen_cookie_gen_cipher(struct request_sock *req, + struct sk_buff *syn, + const siphash_key_t *key, diff --git a/queue-5.4/vmxnet3-use-correct-tcp-hdr-length-when-packet-is-encapsulated.patch b/queue-5.4/vmxnet3-use-correct-tcp-hdr-length-when-packet-is-encapsulated.patch new file mode 100644 index 00000000000..14271be7473 --- /dev/null +++ b/queue-5.4/vmxnet3-use-correct-tcp-hdr-length-when-packet-is-encapsulated.patch @@ -0,0 +1,38 @@ +From foo@baz Mon 17 Aug 2020 11:40:15 AM CEST +From: Ronak Doshi +Date: Mon, 10 Aug 2020 09:55:55 -0700 +Subject: vmxnet3: use correct tcp hdr length when packet is encapsulated + +From: Ronak Doshi + +[ Upstream commit 8a7f280f29a80f6e0798f5d6e07c5dd8726620fe ] + +Commit dacce2be3312 ("vmxnet3: add geneve and vxlan tunnel offload +support") added support for encapsulation offload. However, while +calculating tcp hdr length, it does not take into account if the +packet is encapsulated or not. + +This patch fixes this issue by using correct reference for inner +tcp header. + +Fixes: dacce2be3312 ("vmxnet3: add geneve and vxlan tunnel offload support") +Signed-off-by: Ronak Doshi +Acked-by: Guolin Yang +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/vmxnet3/vmxnet3_drv.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/net/vmxnet3/vmxnet3_drv.c ++++ b/drivers/net/vmxnet3/vmxnet3_drv.c +@@ -861,7 +861,8 @@ vmxnet3_parse_hdr(struct sk_buff *skb, s + + switch (protocol) { + case IPPROTO_TCP: +- ctx->l4_hdr_size = tcp_hdrlen(skb); ++ ctx->l4_hdr_size = skb->encapsulation ? inner_tcp_hdrlen(skb) : ++ tcp_hdrlen(skb); + break; + case IPPROTO_UDP: + ctx->l4_hdr_size = sizeof(struct udphdr);