From: Greg Kroah-Hartman Date: Sat, 17 Oct 2020 06:55:33 +0000 (+0200) Subject: 5.9-stable patches X-Git-Tag: v5.8.16~1 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=fa4514e648b328f74b625324791fa32fa777d913;p=thirdparty%2Fkernel%2Fstable-queue.git 5.9-stable patches added patches: can-j1935-j1939_tp_tx_dat_new-fix-missing-initialization-of-skbcnt.patch can-m_can_platform-don-t-call-m_can_class_suspend-in-runtime-suspend.patch cxgb4-handle-4-tuple-pedit-to-nat-mode-translation.patch ibmveth-identify-ingress-large-send-packets.patch ibmveth-switch-order-of-ibmveth_helper-calls.patch ipv4-restore-flowi4_oif-update-before-call-to-xfrm_lookup_route.patch mlx4-handle-non-napi-callers-to-napi_poll.patch mptcp-fix-fallback-for-mp_join-subflows.patch mptcp-subflows-garbage-collection.patch net-dsa-microchip-fix-race-condition.patch net-fec-fix-phy-init-after-phy_reset_after_clk_enable.patch net-fec-fix-phy_device-lookup-for-phy_reset_after_clk_enable.patch net-fix-pos-incrementment-in-ipv6_route_seq_next.patch net-ipa-skip-suspend-resume-activities-if-not-set-up.patch net-j1939-j1939_session_fresh_new-fix-missing-initialization-of-skbcnt.patch net-mptcp-make-dack4-dack8-usage-consistent-among-all-subflows.patch net-sched-fix-suspicious-rcu-usage-while-accessing-tcf_tunnel_info.patch net-smc-fix-use-after-free-of-delayed-events.patch net-smc-fix-valid-dmbe-buffer-sizes.patch net-tls-sendfile-fails-with-ktls-offload.patch socket-don-t-clear-sock_tstamp_new-when-so_timestampns-is-disabled.patch socket-fix-option-so_timestamping_new.patch tipc-fix-null-pointer-dereference-in-tipc_named_rcv.patch tipc-fix-the-skb_unshare-in-tipc_buf_append.patch --- diff --git a/queue-5.9/can-j1935-j1939_tp_tx_dat_new-fix-missing-initialization-of-skbcnt.patch b/queue-5.9/can-j1935-j1939_tp_tx_dat_new-fix-missing-initialization-of-skbcnt.patch new file mode 100644 index 00000000000..d110d33d6ff --- /dev/null +++ b/queue-5.9/can-j1935-j1939_tp_tx_dat_new-fix-missing-initialization-of-skbcnt.patch @@ -0,0 +1,37 @@ +From foo@baz Sat Oct 17 08:52:03 AM CEST 2020 +From: Cong Wang +Date: Wed, 7 Oct 2020 23:18:21 -0700 +Subject: [PATCH stable 5.9 23/24] can: j1935: j1939_tp_tx_dat_new(): fix missing initialization of skbcnt + +From: Cong Wang + +[ Upstream commit e009f95b1543e26606dca2f7e6e9f0f9174538e5 ] + +This fixes an uninit-value warning: +BUG: KMSAN: uninit-value in can_receive+0x26b/0x630 net/can/af_can.c:650 + +Reported-and-tested-by: syzbot+3f3837e61a48d32b495f@syzkaller.appspotmail.com +Fixes: 9d71dd0c7009 ("can: add support of SAE J1939 protocol") +Cc: Robin van der Gracht +Cc: Oleksij Rempel +Cc: Pengutronix Kernel Team +Cc: Oliver Hartkopp +Cc: Marc Kleine-Budde +Signed-off-by: Cong Wang +Link: https://lore.kernel.org/r/20201008061821.24663-1-xiyou.wangcong@gmail.com +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + net/can/j1939/transport.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/can/j1939/transport.c ++++ b/net/can/j1939/transport.c +@@ -580,6 +580,7 @@ sk_buff *j1939_tp_tx_dat_new(struct j193 + skb->dev = priv->ndev; + can_skb_reserve(skb); + can_skb_prv(skb)->ifindex = priv->ndev->ifindex; ++ can_skb_prv(skb)->skbcnt = 0; + /* reserve CAN header */ + skb_reserve(skb, offsetof(struct can_frame, data)); + diff --git a/queue-5.9/can-m_can_platform-don-t-call-m_can_class_suspend-in-runtime-suspend.patch b/queue-5.9/can-m_can_platform-don-t-call-m_can_class_suspend-in-runtime-suspend.patch new file mode 100644 index 00000000000..d5acd500397 --- /dev/null +++ b/queue-5.9/can-m_can_platform-don-t-call-m_can_class_suspend-in-runtime-suspend.patch @@ -0,0 +1,42 @@ +From foo@baz Sat Oct 17 08:52:03 AM CEST 2020 +From: Lucas Stach +Date: Tue, 11 Aug 2020 10:15:44 +0200 +Subject: [PATCH stable 5.9 22/24] can: m_can_platform: don't call m_can_class_suspend in runtime suspend + +From: Lucas Stach + +[ Upstream commit 81f1f5ae8b3cbd54fdd994c9e9aacdb7b414a802 ] + + 0704c5743694 can: m_can_platform: remove unnecessary m_can_class_resume() call + +removed the m_can_class_resume() call in the runtime resume path to get +rid of a infinite recursion, so the runtime resume now only handles the device +clocks. + +Unfortunately it did not remove the complementary m_can_class_suspend() call in +the runtime suspend function, so those paths are now unbalanced, which causes +the pinctrl state to get stuck on the "sleep" state, which breaks all CAN +functionality on SoCs where this state is defined. Remove the +m_can_class_suspend() call to fix this. + +Fixes: 0704c5743694 can: m_can_platform: remove unnecessary m_can_class_resume() call +Signed-off-by: Lucas Stach +Link: https://lore.kernel.org/r/20200811081545.19921-1-l.stach@pengutronix.de +Acked-by: Dan Murphy +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/can/m_can/m_can_platform.c | 2 -- + 1 file changed, 2 deletions(-) + +--- a/drivers/net/can/m_can/m_can_platform.c ++++ b/drivers/net/can/m_can/m_can_platform.c +@@ -144,8 +144,6 @@ static int __maybe_unused m_can_runtime_ + struct net_device *ndev = dev_get_drvdata(dev); + struct m_can_classdev *mcan_class = netdev_priv(ndev); + +- m_can_class_suspend(dev); +- + clk_disable_unprepare(mcan_class->cclk); + clk_disable_unprepare(mcan_class->hclk); + diff --git a/queue-5.9/cxgb4-handle-4-tuple-pedit-to-nat-mode-translation.patch b/queue-5.9/cxgb4-handle-4-tuple-pedit-to-nat-mode-translation.patch new file mode 100644 index 00000000000..a30a4f1a13d --- /dev/null +++ b/queue-5.9/cxgb4-handle-4-tuple-pedit-to-nat-mode-translation.patch @@ -0,0 +1,388 @@ +From foo@baz Sat Oct 17 08:52:03 AM CEST 2020 +From: Herat Ramani +Date: Tue, 13 Oct 2020 15:01:29 +0530 +Subject: [PATCH stable 5.9 03/24] cxgb4: handle 4-tuple PEDIT to NAT mode translation + +From: Herat Ramani + +[ Upstream commit 2ef813b8f405db3f72202b6fcae40a628ab80a53 ] + +The 4-tuple NAT offload via PEDIT always overwrites all the 4-tuple +fields even if they had not been explicitly enabled. If any fields in +the 4-tuple are not enabled, then the hardware overwrites the +disabled fields with zeros, instead of ignoring them. + +So, add a parser that can translate the enabled 4-tuple PEDIT fields +to one of the NAT mode combinations supported by the hardware and +hence avoid overwriting disabled fields to 0. Any rule with +unsupported NAT mode combination is rejected. + +Signed-off-by: Herat Ramani +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/chelsio/cxgb4/cxgb4_tc_flower.c | 175 +++++++++++++++++-- + drivers/net/ethernet/chelsio/cxgb4/cxgb4_tc_flower.h | 15 + + 2 files changed, 177 insertions(+), 13 deletions(-) + +--- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_tc_flower.c ++++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_tc_flower.c +@@ -60,6 +60,89 @@ static struct ch_tc_pedit_fields pedits[ + PEDIT_FIELDS(IP6_, DST_127_96, 4, nat_lip, 12), + }; + ++static const struct cxgb4_natmode_config cxgb4_natmode_config_array[] = { ++ /* Default supported NAT modes */ ++ { ++ .chip = CHELSIO_T5, ++ .flags = CXGB4_ACTION_NATMODE_NONE, ++ .natmode = NAT_MODE_NONE, ++ }, ++ { ++ .chip = CHELSIO_T5, ++ .flags = CXGB4_ACTION_NATMODE_DIP, ++ .natmode = NAT_MODE_DIP, ++ }, ++ { ++ .chip = CHELSIO_T5, ++ .flags = CXGB4_ACTION_NATMODE_DIP | CXGB4_ACTION_NATMODE_DPORT, ++ .natmode = NAT_MODE_DIP_DP, ++ }, ++ { ++ .chip = CHELSIO_T5, ++ .flags = CXGB4_ACTION_NATMODE_DIP | CXGB4_ACTION_NATMODE_DPORT | ++ CXGB4_ACTION_NATMODE_SIP, ++ .natmode = NAT_MODE_DIP_DP_SIP, ++ }, ++ { ++ .chip = CHELSIO_T5, ++ .flags = CXGB4_ACTION_NATMODE_DIP | CXGB4_ACTION_NATMODE_DPORT | ++ CXGB4_ACTION_NATMODE_SPORT, ++ .natmode = NAT_MODE_DIP_DP_SP, ++ }, ++ { ++ .chip = CHELSIO_T5, ++ .flags = CXGB4_ACTION_NATMODE_SIP | CXGB4_ACTION_NATMODE_SPORT, ++ .natmode = NAT_MODE_SIP_SP, ++ }, ++ { ++ .chip = CHELSIO_T5, ++ .flags = CXGB4_ACTION_NATMODE_DIP | CXGB4_ACTION_NATMODE_SIP | ++ CXGB4_ACTION_NATMODE_SPORT, ++ .natmode = NAT_MODE_DIP_SIP_SP, ++ }, ++ { ++ .chip = CHELSIO_T5, ++ .flags = CXGB4_ACTION_NATMODE_DIP | CXGB4_ACTION_NATMODE_SIP | ++ CXGB4_ACTION_NATMODE_DPORT | ++ CXGB4_ACTION_NATMODE_SPORT, ++ .natmode = NAT_MODE_ALL, ++ }, ++ /* T6+ can ignore L4 ports when they're disabled. */ ++ { ++ .chip = CHELSIO_T6, ++ .flags = CXGB4_ACTION_NATMODE_SIP, ++ .natmode = NAT_MODE_SIP_SP, ++ }, ++ { ++ .chip = CHELSIO_T6, ++ .flags = CXGB4_ACTION_NATMODE_DIP | CXGB4_ACTION_NATMODE_SPORT, ++ .natmode = NAT_MODE_DIP_DP_SP, ++ }, ++ { ++ .chip = CHELSIO_T6, ++ .flags = CXGB4_ACTION_NATMODE_DIP | CXGB4_ACTION_NATMODE_SIP, ++ .natmode = NAT_MODE_ALL, ++ }, ++}; ++ ++static void cxgb4_action_natmode_tweak(struct ch_filter_specification *fs, ++ u8 natmode_flags) ++{ ++ u8 i = 0; ++ ++ /* Translate the enabled NAT 4-tuple fields to one of the ++ * hardware supported NAT mode configurations. This ensures ++ * that we pick a valid combination, where the disabled fields ++ * do not get overwritten to 0. ++ */ ++ for (i = 0; i < ARRAY_SIZE(cxgb4_natmode_config_array); i++) { ++ if (cxgb4_natmode_config_array[i].flags == natmode_flags) { ++ fs->nat_mode = cxgb4_natmode_config_array[i].natmode; ++ return; ++ } ++ } ++} ++ + static struct ch_tc_flower_entry *allocate_flower_entry(void) + { + struct ch_tc_flower_entry *new = kzalloc(sizeof(*new), GFP_KERNEL); +@@ -289,7 +372,8 @@ static void offload_pedit(struct ch_filt + } + + static void process_pedit_field(struct ch_filter_specification *fs, u32 val, +- u32 mask, u32 offset, u8 htype) ++ u32 mask, u32 offset, u8 htype, ++ u8 *natmode_flags) + { + switch (htype) { + case FLOW_ACT_MANGLE_HDR_TYPE_ETH: +@@ -314,67 +398,102 @@ static void process_pedit_field(struct c + switch (offset) { + case PEDIT_IP4_SRC: + offload_pedit(fs, val, mask, IP4_SRC); ++ *natmode_flags |= CXGB4_ACTION_NATMODE_SIP; + break; + case PEDIT_IP4_DST: + offload_pedit(fs, val, mask, IP4_DST); ++ *natmode_flags |= CXGB4_ACTION_NATMODE_DIP; + } +- fs->nat_mode = NAT_MODE_ALL; + break; + case FLOW_ACT_MANGLE_HDR_TYPE_IP6: + switch (offset) { + case PEDIT_IP6_SRC_31_0: + offload_pedit(fs, val, mask, IP6_SRC_31_0); ++ *natmode_flags |= CXGB4_ACTION_NATMODE_SIP; + break; + case PEDIT_IP6_SRC_63_32: + offload_pedit(fs, val, mask, IP6_SRC_63_32); ++ *natmode_flags |= CXGB4_ACTION_NATMODE_SIP; + break; + case PEDIT_IP6_SRC_95_64: + offload_pedit(fs, val, mask, IP6_SRC_95_64); ++ *natmode_flags |= CXGB4_ACTION_NATMODE_SIP; + break; + case PEDIT_IP6_SRC_127_96: + offload_pedit(fs, val, mask, IP6_SRC_127_96); ++ *natmode_flags |= CXGB4_ACTION_NATMODE_SIP; + break; + case PEDIT_IP6_DST_31_0: + offload_pedit(fs, val, mask, IP6_DST_31_0); ++ *natmode_flags |= CXGB4_ACTION_NATMODE_DIP; + break; + case PEDIT_IP6_DST_63_32: + offload_pedit(fs, val, mask, IP6_DST_63_32); ++ *natmode_flags |= CXGB4_ACTION_NATMODE_DIP; + break; + case PEDIT_IP6_DST_95_64: + offload_pedit(fs, val, mask, IP6_DST_95_64); ++ *natmode_flags |= CXGB4_ACTION_NATMODE_DIP; + break; + case PEDIT_IP6_DST_127_96: + offload_pedit(fs, val, mask, IP6_DST_127_96); ++ *natmode_flags |= CXGB4_ACTION_NATMODE_DIP; + } +- fs->nat_mode = NAT_MODE_ALL; + break; + case FLOW_ACT_MANGLE_HDR_TYPE_TCP: + switch (offset) { + case PEDIT_TCP_SPORT_DPORT: +- if (~mask & PEDIT_TCP_UDP_SPORT_MASK) ++ if (~mask & PEDIT_TCP_UDP_SPORT_MASK) { + fs->nat_fport = val; +- else ++ *natmode_flags |= CXGB4_ACTION_NATMODE_SPORT; ++ } else { + fs->nat_lport = val >> 16; ++ *natmode_flags |= CXGB4_ACTION_NATMODE_DPORT; ++ } + } +- fs->nat_mode = NAT_MODE_ALL; + break; + case FLOW_ACT_MANGLE_HDR_TYPE_UDP: + switch (offset) { + case PEDIT_UDP_SPORT_DPORT: +- if (~mask & PEDIT_TCP_UDP_SPORT_MASK) ++ if (~mask & PEDIT_TCP_UDP_SPORT_MASK) { + fs->nat_fport = val; +- else ++ *natmode_flags |= CXGB4_ACTION_NATMODE_SPORT; ++ } else { + fs->nat_lport = val >> 16; ++ *natmode_flags |= CXGB4_ACTION_NATMODE_DPORT; ++ } + } +- fs->nat_mode = NAT_MODE_ALL; ++ break; + } + } + ++static int cxgb4_action_natmode_validate(struct adapter *adap, u8 natmode_flags, ++ struct netlink_ext_ack *extack) ++{ ++ u8 i = 0; ++ ++ /* Extract the NAT mode to enable based on what 4-tuple fields ++ * are enabled to be overwritten. This ensures that the ++ * disabled fields don't get overwritten to 0. ++ */ ++ for (i = 0; i < ARRAY_SIZE(cxgb4_natmode_config_array); i++) { ++ const struct cxgb4_natmode_config *c; ++ ++ c = &cxgb4_natmode_config_array[i]; ++ if (CHELSIO_CHIP_VERSION(adap->params.chip) >= c->chip && ++ natmode_flags == c->flags) ++ return 0; ++ } ++ NL_SET_ERR_MSG_MOD(extack, "Unsupported NAT mode 4-tuple combination"); ++ return -EOPNOTSUPP; ++} ++ + void cxgb4_process_flow_actions(struct net_device *in, + struct flow_action *actions, + struct ch_filter_specification *fs) + { + struct flow_action_entry *act; ++ u8 natmode_flags = 0; + int i; + + flow_action_for_each(i, act, actions) { +@@ -426,7 +545,8 @@ void cxgb4_process_flow_actions(struct n + val = act->mangle.val; + offset = act->mangle.offset; + +- process_pedit_field(fs, val, mask, offset, htype); ++ process_pedit_field(fs, val, mask, offset, htype, ++ &natmode_flags); + } + break; + case FLOW_ACTION_QUEUE: +@@ -438,6 +558,9 @@ void cxgb4_process_flow_actions(struct n + break; + } + } ++ if (natmode_flags) ++ cxgb4_action_natmode_tweak(fs, natmode_flags); ++ + } + + static bool valid_l4_mask(u32 mask) +@@ -454,7 +577,8 @@ static bool valid_l4_mask(u32 mask) + } + + static bool valid_pedit_action(struct net_device *dev, +- const struct flow_action_entry *act) ++ const struct flow_action_entry *act, ++ u8 *natmode_flags) + { + u32 mask, offset; + u8 htype; +@@ -479,7 +603,10 @@ static bool valid_pedit_action(struct ne + case FLOW_ACT_MANGLE_HDR_TYPE_IP4: + switch (offset) { + case PEDIT_IP4_SRC: ++ *natmode_flags |= CXGB4_ACTION_NATMODE_SIP; ++ break; + case PEDIT_IP4_DST: ++ *natmode_flags |= CXGB4_ACTION_NATMODE_DIP; + break; + default: + netdev_err(dev, "%s: Unsupported pedit field\n", +@@ -493,10 +620,13 @@ static bool valid_pedit_action(struct ne + case PEDIT_IP6_SRC_63_32: + case PEDIT_IP6_SRC_95_64: + case PEDIT_IP6_SRC_127_96: ++ *natmode_flags |= CXGB4_ACTION_NATMODE_SIP; ++ break; + case PEDIT_IP6_DST_31_0: + case PEDIT_IP6_DST_63_32: + case PEDIT_IP6_DST_95_64: + case PEDIT_IP6_DST_127_96: ++ *natmode_flags |= CXGB4_ACTION_NATMODE_DIP; + break; + default: + netdev_err(dev, "%s: Unsupported pedit field\n", +@@ -512,6 +642,10 @@ static bool valid_pedit_action(struct ne + __func__); + return false; + } ++ if (~mask & PEDIT_TCP_UDP_SPORT_MASK) ++ *natmode_flags |= CXGB4_ACTION_NATMODE_SPORT; ++ else ++ *natmode_flags |= CXGB4_ACTION_NATMODE_DPORT; + break; + default: + netdev_err(dev, "%s: Unsupported pedit field\n", +@@ -527,6 +661,10 @@ static bool valid_pedit_action(struct ne + __func__); + return false; + } ++ if (~mask & PEDIT_TCP_UDP_SPORT_MASK) ++ *natmode_flags |= CXGB4_ACTION_NATMODE_SPORT; ++ else ++ *natmode_flags |= CXGB4_ACTION_NATMODE_DPORT; + break; + default: + netdev_err(dev, "%s: Unsupported pedit field\n", +@@ -546,10 +684,12 @@ int cxgb4_validate_flow_actions(struct n + struct netlink_ext_ack *extack, + u8 matchall_filter) + { ++ struct adapter *adap = netdev2adap(dev); + struct flow_action_entry *act; + bool act_redir = false; + bool act_pedit = false; + bool act_vlan = false; ++ u8 natmode_flags = 0; + int i; + + if (!flow_action_basic_hw_stats_check(actions, extack)) +@@ -563,7 +703,6 @@ int cxgb4_validate_flow_actions(struct n + break; + case FLOW_ACTION_MIRRED: + case FLOW_ACTION_REDIRECT: { +- struct adapter *adap = netdev2adap(dev); + struct net_device *n_dev, *target_dev; + bool found = false; + unsigned int i; +@@ -620,7 +759,8 @@ int cxgb4_validate_flow_actions(struct n + } + break; + case FLOW_ACTION_MANGLE: { +- bool pedit_valid = valid_pedit_action(dev, act); ++ bool pedit_valid = valid_pedit_action(dev, act, ++ &natmode_flags); + + if (!pedit_valid) + return -EOPNOTSUPP; +@@ -642,6 +782,15 @@ int cxgb4_validate_flow_actions(struct n + return -EINVAL; + } + ++ if (act_pedit) { ++ int ret; ++ ++ ret = cxgb4_action_natmode_validate(adap, natmode_flags, ++ extack); ++ if (ret) ++ return ret; ++ } ++ + return 0; + } + +--- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_tc_flower.h ++++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_tc_flower.h +@@ -108,6 +108,21 @@ struct ch_tc_pedit_fields { + #define PEDIT_TCP_SPORT_DPORT 0x0 + #define PEDIT_UDP_SPORT_DPORT 0x0 + ++enum cxgb4_action_natmode_flags { ++ CXGB4_ACTION_NATMODE_NONE = 0, ++ CXGB4_ACTION_NATMODE_DIP = (1 << 0), ++ CXGB4_ACTION_NATMODE_SIP = (1 << 1), ++ CXGB4_ACTION_NATMODE_DPORT = (1 << 2), ++ CXGB4_ACTION_NATMODE_SPORT = (1 << 3), ++}; ++ ++/* TC PEDIT action to NATMODE translation entry */ ++struct cxgb4_natmode_config { ++ enum chip_type chip; ++ u8 flags; ++ u8 natmode; ++}; ++ + void cxgb4_process_flow_actions(struct net_device *in, + struct flow_action *actions, + struct ch_filter_specification *fs); diff --git a/queue-5.9/ibmveth-identify-ingress-large-send-packets.patch b/queue-5.9/ibmveth-identify-ingress-large-send-packets.patch new file mode 100644 index 00000000000..1baca398354 --- /dev/null +++ b/queue-5.9/ibmveth-identify-ingress-large-send-packets.patch @@ -0,0 +1,57 @@ +From foo@baz Sat Oct 17 08:52:03 AM CEST 2020 +From: David Wilder +Date: Tue, 13 Oct 2020 16:20:14 -0700 +Subject: [PATCH stable 5.9 02/24] ibmveth: Identify ingress large send packets. + +From: David Wilder + +[ Upstream commit 413f142cc05cb03f2d1ea83388e40c1ddc0d74e9 ] + +Ingress large send packets are identified by either: +The IBMVETH_RXQ_LRG_PKT flag in the receive buffer +or with a -1 placed in the ip header checksum. +The method used depends on firmware version. Frame +geometry and sufficient header validation is performed by the +hypervisor eliminating the need for further header checks here. + +Fixes: 7b5967389f5a ("ibmveth: set correct gso_size and gso_type") +Signed-off-by: David Wilder +Reviewed-by: Thomas Falcon +Reviewed-by: Cristobal Forno +Reviewed-by: Pradeep Satyanarayana +Acked-by: Willem de Bruijn +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/ibm/ibmveth.c | 13 ++++++++++++- + 1 file changed, 12 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/ibm/ibmveth.c ++++ b/drivers/net/ethernet/ibm/ibmveth.c +@@ -1349,6 +1349,7 @@ static int ibmveth_poll(struct napi_stru + int offset = ibmveth_rxq_frame_offset(adapter); + int csum_good = ibmveth_rxq_csum_good(adapter); + int lrg_pkt = ibmveth_rxq_large_packet(adapter); ++ __sum16 iph_check = 0; + + skb = ibmveth_rxq_get_buffer(adapter); + +@@ -1385,7 +1386,17 @@ static int ibmveth_poll(struct napi_stru + skb_put(skb, length); + skb->protocol = eth_type_trans(skb, netdev); + +- if (length > netdev->mtu + ETH_HLEN) { ++ /* PHYP without PLSO support places a -1 in the ip ++ * checksum for large send frames. ++ */ ++ if (skb->protocol == cpu_to_be16(ETH_P_IP)) { ++ struct iphdr *iph = (struct iphdr *)skb->data; ++ ++ iph_check = iph->check; ++ } ++ ++ if ((length > netdev->mtu + ETH_HLEN) || ++ lrg_pkt || iph_check == 0xffff) { + ibmveth_rx_mss_helper(skb, mss, lrg_pkt); + adapter->rx_large_packets++; + } diff --git a/queue-5.9/ibmveth-switch-order-of-ibmveth_helper-calls.patch b/queue-5.9/ibmveth-switch-order-of-ibmveth_helper-calls.patch new file mode 100644 index 00000000000..97b5784de55 --- /dev/null +++ b/queue-5.9/ibmveth-switch-order-of-ibmveth_helper-calls.patch @@ -0,0 +1,48 @@ +From foo@baz Sat Oct 17 08:52:03 AM CEST 2020 +From: David Wilder +Date: Tue, 13 Oct 2020 16:20:13 -0700 +Subject: [PATCH stable 5.9 01/24] ibmveth: Switch order of ibmveth_helper calls. + +From: David Wilder + +[ Upstream commit 5ce9ad815a296374ca21f43f3b1ab5083d202ee1 ] + +ibmveth_rx_csum_helper() must be called after ibmveth_rx_mss_helper() +as ibmveth_rx_csum_helper() may alter ip and tcp checksum values. + +Fixes: 66aa0678efc2 ("ibmveth: Support to enable LSO/CSO for Trunk VEA.") +Signed-off-by: David Wilder +Reviewed-by: Thomas Falcon +Reviewed-by: Cristobal Forno +Reviewed-by: Pradeep Satyanarayana +Acked-by: Willem de Bruijn +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/ibm/ibmveth.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +--- a/drivers/net/ethernet/ibm/ibmveth.c ++++ b/drivers/net/ethernet/ibm/ibmveth.c +@@ -1385,16 +1385,16 @@ static int ibmveth_poll(struct napi_stru + skb_put(skb, length); + skb->protocol = eth_type_trans(skb, netdev); + +- if (csum_good) { +- skb->ip_summed = CHECKSUM_UNNECESSARY; +- ibmveth_rx_csum_helper(skb, adapter); +- } +- + if (length > netdev->mtu + ETH_HLEN) { + ibmveth_rx_mss_helper(skb, mss, lrg_pkt); + adapter->rx_large_packets++; + } + ++ if (csum_good) { ++ skb->ip_summed = CHECKSUM_UNNECESSARY; ++ ibmveth_rx_csum_helper(skb, adapter); ++ } ++ + napi_gro_receive(napi, skb); /* send it up */ + + netdev->stats.rx_packets++; diff --git a/queue-5.9/ipv4-restore-flowi4_oif-update-before-call-to-xfrm_lookup_route.patch b/queue-5.9/ipv4-restore-flowi4_oif-update-before-call-to-xfrm_lookup_route.patch new file mode 100644 index 00000000000..12e05bf2153 --- /dev/null +++ b/queue-5.9/ipv4-restore-flowi4_oif-update-before-call-to-xfrm_lookup_route.patch @@ -0,0 +1,40 @@ +From foo@baz Sat Oct 17 08:52:03 AM CEST 2020 +From: David Ahern +Date: Fri, 9 Oct 2020 11:01:01 -0700 +Subject: [PATCH stable 5.9 04/24] ipv4: Restore flowi4_oif update before call to xfrm_lookup_route + +From: David Ahern + +[ Upstream commit 874fb9e2ca949b443cc419a4f2227cafd4381d39 ] + +Tobias reported regressions in IPsec tests following the patch +referenced by the Fixes tag below. The root cause is dropping the +reset of the flowi4_oif after the fib_lookup. Apparently it is +needed for xfrm cases, so restore the oif update to ip_route_output_flow +right before the call to xfrm_lookup_route. + +Fixes: 2fbc6e89b2f1 ("ipv4: Update exception handling for multipath routes via same device") +Reported-by: Tobias Brunner +Signed-off-by: David Ahern +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/route.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/net/ipv4/route.c ++++ b/net/ipv4/route.c +@@ -2769,10 +2769,12 @@ struct rtable *ip_route_output_flow(stru + if (IS_ERR(rt)) + return rt; + +- if (flp4->flowi4_proto) ++ if (flp4->flowi4_proto) { ++ flp4->flowi4_oif = rt->dst.dev->ifindex; + rt = (struct rtable *)xfrm_lookup_route(net, &rt->dst, + flowi4_to_flowi(flp4), + sk, 0); ++ } + + return rt; + } diff --git a/queue-5.9/mlx4-handle-non-napi-callers-to-napi_poll.patch b/queue-5.9/mlx4-handle-non-napi-callers-to-napi_poll.patch new file mode 100644 index 00000000000..5f9bc3db745 --- /dev/null +++ b/queue-5.9/mlx4-handle-non-napi-callers-to-napi_poll.patch @@ -0,0 +1,46 @@ +From foo@baz Sat Oct 17 08:52:03 AM CEST 2020 +From: Jonathan Lemon +Date: Thu, 8 Oct 2020 11:45:26 -0700 +Subject: [PATCH stable 5.9 05/24] mlx4: handle non-napi callers to napi_poll + +From: Jonathan Lemon + +[ Upstream commit b2b8a92733b288128feb57ffa694758cf475106c ] + +netcons calls napi_poll with a budget of 0 to transmit packets. +Handle this by: + - skipping RX processing + - do not try to recycle TX packets to the RX cache + +Signed-off-by: Jonathan Lemon +Reviewed-by: Tariq Toukan +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlx4/en_rx.c | 3 +++ + drivers/net/ethernet/mellanox/mlx4/en_tx.c | 2 +- + 2 files changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/mellanox/mlx4/en_rx.c ++++ b/drivers/net/ethernet/mellanox/mlx4/en_rx.c +@@ -943,6 +943,9 @@ int mlx4_en_poll_rx_cq(struct napi_struc + bool clean_complete = true; + int done; + ++ if (!budget) ++ return 0; ++ + if (priv->tx_ring_num[TX_XDP]) { + xdp_tx_cq = priv->tx_cq[TX_XDP][cq->ring]; + if (xdp_tx_cq->xdp_busy) { +--- a/drivers/net/ethernet/mellanox/mlx4/en_tx.c ++++ b/drivers/net/ethernet/mellanox/mlx4/en_tx.c +@@ -350,7 +350,7 @@ u32 mlx4_en_recycle_tx_desc(struct mlx4_ + .dma = tx_info->map0_dma, + }; + +- if (!mlx4_en_rx_recycle(ring->recycle_ring, &frame)) { ++ if (!napi_mode || !mlx4_en_rx_recycle(ring->recycle_ring, &frame)) { + dma_unmap_page(priv->ddev, tx_info->map0_dma, + PAGE_SIZE, priv->dma_dir); + put_page(tx_info->page); diff --git a/queue-5.9/mptcp-fix-fallback-for-mp_join-subflows.patch b/queue-5.9/mptcp-fix-fallback-for-mp_join-subflows.patch new file mode 100644 index 00000000000..d08039e2a38 --- /dev/null +++ b/queue-5.9/mptcp-fix-fallback-for-mp_join-subflows.patch @@ -0,0 +1,142 @@ +From foo@baz Sat Oct 17 08:52:03 AM CEST 2020 +From: Paolo Abeni +Date: Fri, 9 Oct 2020 19:00:00 +0200 +Subject: [PATCH stable 5.9 06/24] mptcp: fix fallback for MP_JOIN subflows + +From: Paolo Abeni + +[ Upstream commit d582484726c4c46c8580923e855665fb91e3463e ] + +Additional/MP_JOIN subflows that do not pass some initial handshake +tests currently causes fallback to TCP. That is an RFC violation: +we should instead reset the subflow and leave the the msk untouched. + +Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/91 +Fixes: f296234c98a8 ("mptcp: Add handling of incoming MP_JOIN requests") +Reviewed-by: Mat Martineau +Signed-off-by: Paolo Abeni +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/mptcp/options.c | 32 +++++++++++++++++++++++++------- + net/mptcp/protocol.h | 1 + + net/mptcp/subflow.c | 10 ++++++++-- + 3 files changed, 34 insertions(+), 9 deletions(-) + +--- a/net/mptcp/options.c ++++ b/net/mptcp/options.c +@@ -626,6 +626,12 @@ bool mptcp_established_options(struct so + if (unlikely(mptcp_check_fallback(sk))) + return false; + ++ /* prevent adding of any MPTCP related options on reset packet ++ * until we support MP_TCPRST/MP_FASTCLOSE ++ */ ++ if (unlikely(skb && TCP_SKB_CB(skb)->tcp_flags & TCPHDR_RST)) ++ return false; ++ + if (mptcp_established_options_mp(sk, skb, &opt_size, remaining, opts)) + ret = true; + else if (mptcp_established_options_dss(sk, skb, &opt_size, remaining, +@@ -676,7 +682,7 @@ bool mptcp_synack_options(const struct r + return false; + } + +-static bool check_fully_established(struct mptcp_sock *msk, struct sock *sk, ++static bool check_fully_established(struct mptcp_sock *msk, struct sock *ssk, + struct mptcp_subflow_context *subflow, + struct sk_buff *skb, + struct mptcp_options_received *mp_opt) +@@ -693,15 +699,20 @@ static bool check_fully_established(stru + TCP_SKB_CB(skb)->end_seq == TCP_SKB_CB(skb)->seq && + subflow->mp_join && mp_opt->mp_join && + READ_ONCE(msk->pm.server_side)) +- tcp_send_ack(sk); ++ tcp_send_ack(ssk); + goto fully_established; + } + +- /* we should process OoO packets before the first subflow is fully +- * established, but not expected for MP_JOIN subflows ++ /* we must process OoO packets before the first subflow is fully ++ * established. OoO packets are instead a protocol violation ++ * for MP_JOIN subflows as the peer must not send any data ++ * before receiving the forth ack - cfr. RFC 8684 section 3.2. + */ +- if (TCP_SKB_CB(skb)->seq != subflow->ssn_offset + 1) ++ if (TCP_SKB_CB(skb)->seq != subflow->ssn_offset + 1) { ++ if (subflow->mp_join) ++ goto reset; + return subflow->mp_capable; ++ } + + if (mp_opt->dss && mp_opt->use_ack) { + /* subflows are fully established as soon as we get any +@@ -713,9 +724,12 @@ static bool check_fully_established(stru + } + + /* If the first established packet does not contain MP_CAPABLE + data +- * then fallback to TCP ++ * then fallback to TCP. Fallback scenarios requires a reset for ++ * MP_JOIN subflows. + */ + if (!mp_opt->mp_capable) { ++ if (subflow->mp_join) ++ goto reset; + subflow->mp_capable = 0; + pr_fallback(msk); + __mptcp_do_fallback(msk); +@@ -732,12 +746,16 @@ fully_established: + + subflow->pm_notified = 1; + if (subflow->mp_join) { +- clear_3rdack_retransmission(sk); ++ clear_3rdack_retransmission(ssk); + mptcp_pm_subflow_established(msk, subflow); + } else { + mptcp_pm_fully_established(msk); + } + return true; ++ ++reset: ++ mptcp_subflow_reset(ssk); ++ return false; + } + + static u64 expand_ack(u64 old_ack, u64 cur_ack, bool use_64bit) +--- a/net/mptcp/protocol.h ++++ b/net/mptcp/protocol.h +@@ -348,6 +348,7 @@ void mptcp_subflow_fully_established(str + struct mptcp_options_received *mp_opt); + bool mptcp_subflow_data_available(struct sock *sk); + void __init mptcp_subflow_init(void); ++void mptcp_subflow_reset(struct sock *ssk); + + /* called with sk socket lock held */ + int __mptcp_subflow_connect(struct sock *sk, int ifindex, +--- a/net/mptcp/subflow.c ++++ b/net/mptcp/subflow.c +@@ -270,6 +270,13 @@ static bool subflow_thmac_valid(struct m + return thmac == subflow->thmac; + } + ++void mptcp_subflow_reset(struct sock *ssk) ++{ ++ tcp_set_state(ssk, TCP_CLOSE); ++ tcp_send_active_reset(ssk, GFP_ATOMIC); ++ tcp_done(ssk); ++} ++ + static void subflow_finish_connect(struct sock *sk, const struct sk_buff *skb) + { + struct mptcp_subflow_context *subflow = mptcp_subflow_ctx(sk); +@@ -342,8 +349,7 @@ fallback: + return; + + do_reset: +- tcp_send_active_reset(sk, GFP_ATOMIC); +- tcp_done(sk); ++ mptcp_subflow_reset(sk); + } + + struct request_sock_ops mptcp_subflow_request_sock_ops; diff --git a/queue-5.9/mptcp-subflows-garbage-collection.patch b/queue-5.9/mptcp-subflows-garbage-collection.patch new file mode 100644 index 00000000000..5fd35ec1914 --- /dev/null +++ b/queue-5.9/mptcp-subflows-garbage-collection.patch @@ -0,0 +1,89 @@ +From foo@baz Sat Oct 17 08:52:03 AM CEST 2020 +From: Paolo Abeni +Date: Fri, 9 Oct 2020 19:00:01 +0200 +Subject: [PATCH stable 5.9 07/24] mptcp: subflows garbage collection + +From: Paolo Abeni + +[ Upstream commit 0e4f35d7880157ceccf0a58377d778b02762af82 ] + +The msk can close MP_JOIN subflows if the initial handshake +fails. Currently such subflows are kept alive in the +conn_list until the msk itself is closed. + +Beyond the wasted memory, we could end-up sending the +DATA_FIN and the DATA_FIN ack on such socket, even after a +reset. + +Fixes: 43b54c6ee382 ("mptcp: Use full MPTCP-level disconnect state machine") +Reviewed-by: Mat Martineau +Signed-off-by: Paolo Abeni +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/mptcp/protocol.c | 17 +++++++++++++++++ + net/mptcp/protocol.h | 1 + + net/mptcp/subflow.c | 6 ++++++ + 3 files changed, 24 insertions(+) + +--- a/net/mptcp/protocol.c ++++ b/net/mptcp/protocol.c +@@ -1383,6 +1383,20 @@ static void pm_work(struct mptcp_sock *m + spin_unlock_bh(&msk->pm.lock); + } + ++static void __mptcp_close_subflow(struct mptcp_sock *msk) ++{ ++ struct mptcp_subflow_context *subflow, *tmp; ++ ++ list_for_each_entry_safe(subflow, tmp, &msk->conn_list, node) { ++ struct sock *ssk = mptcp_subflow_tcp_sock(subflow); ++ ++ if (inet_sk_state_load(ssk) != TCP_CLOSE) ++ continue; ++ ++ __mptcp_close_ssk((struct sock *)msk, ssk, subflow, 0); ++ } ++} ++ + static void mptcp_worker(struct work_struct *work) + { + struct mptcp_sock *msk = container_of(work, struct mptcp_sock, work); +@@ -1400,6 +1414,9 @@ static void mptcp_worker(struct work_str + mptcp_clean_una(sk); + mptcp_check_data_fin_ack(sk); + __mptcp_flush_join_list(msk); ++ if (test_and_clear_bit(MPTCP_WORK_CLOSE_SUBFLOW, &msk->flags)) ++ __mptcp_close_subflow(msk); ++ + __mptcp_move_skbs(msk); + + if (msk->pm.status) +--- a/net/mptcp/protocol.h ++++ b/net/mptcp/protocol.h +@@ -90,6 +90,7 @@ + #define MPTCP_WORK_RTX 2 + #define MPTCP_WORK_EOF 3 + #define MPTCP_FALLBACK_DONE 4 ++#define MPTCP_WORK_CLOSE_SUBFLOW 5 + + struct mptcp_options_received { + u64 sndr_key; +--- a/net/mptcp/subflow.c ++++ b/net/mptcp/subflow.c +@@ -272,9 +272,15 @@ static bool subflow_thmac_valid(struct m + + void mptcp_subflow_reset(struct sock *ssk) + { ++ struct mptcp_subflow_context *subflow = mptcp_subflow_ctx(ssk); ++ struct sock *sk = subflow->conn; ++ + tcp_set_state(ssk, TCP_CLOSE); + tcp_send_active_reset(ssk, GFP_ATOMIC); + tcp_done(ssk); ++ if (!test_and_set_bit(MPTCP_WORK_CLOSE_SUBFLOW, &mptcp_sk(sk)->flags) && ++ schedule_work(&mptcp_sk(sk)->work)) ++ sock_hold(sk); + } + + static void subflow_finish_connect(struct sock *sk, const struct sk_buff *skb) diff --git a/queue-5.9/net-dsa-microchip-fix-race-condition.patch b/queue-5.9/net-dsa-microchip-fix-race-condition.patch new file mode 100644 index 00000000000..635e7fb2181 --- /dev/null +++ b/queue-5.9/net-dsa-microchip-fix-race-condition.patch @@ -0,0 +1,112 @@ +From foo@baz Sat Oct 17 08:52:03 AM CEST 2020 +From: Christian Eggers +Date: Mon, 12 Oct 2020 10:39:42 +0200 +Subject: [PATCH stable 5.9 08/24] net: dsa: microchip: fix race condition + +From: Christian Eggers + +[ Upstream commit 8098bd69bc4e925070313b1b95d03510f4f24738 ] + +Between queuing the delayed work and finishing the setup of the dsa +ports, the process may sleep in request_module() (via +phy_device_create()) and the queued work may be executed prior to the +switch net devices being registered. In ksz_mib_read_work(), a NULL +dereference will happen within netof_carrier_ok(dp->slave). + +Not queuing the delayed work in ksz_init_mib_timer() makes things even +worse because the work will now be queued for immediate execution +(instead of 2000 ms) in ksz_mac_link_down() via +dsa_port_link_register_of(). + +Call tree: +ksz9477_i2c_probe() +\--ksz9477_switch_register() + \--ksz_switch_register() + +--dsa_register_switch() + | \--dsa_switch_probe() + | \--dsa_tree_setup() + | \--dsa_tree_setup_switches() + | +--dsa_switch_setup() + | | +--ksz9477_setup() + | | | \--ksz_init_mib_timer() + | | | |--/* Start the timer 2 seconds later. */ + | | | \--schedule_delayed_work(&dev->mib_read, msecs_to_jiffies(2000)); + | | \--__mdiobus_register() + | | \--mdiobus_scan() + | | \--get_phy_device() + | | +--get_phy_id() + | | \--phy_device_create() + | | |--/* sleeping, ksz_mib_read_work() can be called meanwhile */ + | | \--request_module() + | | + | \--dsa_port_setup() + | +--/* Called for non-CPU ports */ + | +--dsa_slave_create() + | | +--/* Too late, ksz_mib_read_work() may be called beforehand */ + | | \--port->slave = ... + | ... + | +--Called for CPU port */ + | \--dsa_port_link_register_of() + | \--ksz_mac_link_down() + | +--/* mib_read must be initialized here */ + | +--/* work is already scheduled, so it will be executed after 2000 ms */ + | \--schedule_delayed_work(&dev->mib_read, 0); + \-- /* here port->slave is setup properly, scheduling the delayed work should be safe */ + +Solution: +1. Do not queue (only initialize) delayed work in ksz_init_mib_timer(). +2. Only queue delayed work in ksz_mac_link_down() if init is completed. +3. Queue work once in ksz_switch_register(), after dsa_register_switch() +has completed. + +Fixes: 7c6ff470aa86 ("net: dsa: microchip: add MIB counter reading support") +Signed-off-by: Christian Eggers +Reviewed-by: Florian Fainelli +Reviewed-by: Vladimir Oltean +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/dsa/microchip/ksz_common.c | 16 +++++++++------- + 1 file changed, 9 insertions(+), 7 deletions(-) + +--- a/drivers/net/dsa/microchip/ksz_common.c ++++ b/drivers/net/dsa/microchip/ksz_common.c +@@ -103,14 +103,8 @@ void ksz_init_mib_timer(struct ksz_devic + + INIT_DELAYED_WORK(&dev->mib_read, ksz_mib_read_work); + +- /* Read MIB counters every 30 seconds to avoid overflow. */ +- dev->mib_read_interval = msecs_to_jiffies(30000); +- + for (i = 0; i < dev->mib_port_cnt; i++) + dev->dev_ops->port_init_cnt(dev, i); +- +- /* Start the timer 2 seconds later. */ +- schedule_delayed_work(&dev->mib_read, msecs_to_jiffies(2000)); + } + EXPORT_SYMBOL_GPL(ksz_init_mib_timer); + +@@ -143,7 +137,9 @@ void ksz_mac_link_down(struct dsa_switch + + /* Read all MIB counters when the link is going down. */ + p->read = true; +- schedule_delayed_work(&dev->mib_read, 0); ++ /* timer started */ ++ if (dev->mib_read_interval) ++ schedule_delayed_work(&dev->mib_read, 0); + } + EXPORT_SYMBOL_GPL(ksz_mac_link_down); + +@@ -450,6 +446,12 @@ int ksz_switch_register(struct ksz_devic + return ret; + } + ++ /* Read MIB counters every 30 seconds to avoid overflow. */ ++ dev->mib_read_interval = msecs_to_jiffies(30000); ++ ++ /* Start the MIB timer. */ ++ schedule_delayed_work(&dev->mib_read, 0); ++ + return 0; + } + EXPORT_SYMBOL(ksz_switch_register); diff --git a/queue-5.9/net-fec-fix-phy-init-after-phy_reset_after_clk_enable.patch b/queue-5.9/net-fec-fix-phy-init-after-phy_reset_after_clk_enable.patch new file mode 100644 index 00000000000..414fe2478ef --- /dev/null +++ b/queue-5.9/net-fec-fix-phy-init-after-phy_reset_after_clk_enable.patch @@ -0,0 +1,55 @@ +From foo@baz Sat Oct 17 08:52:03 AM CEST 2020 +From: Marek Vasut +Date: Tue, 6 Oct 2020 15:52:53 +0200 +Subject: [PATCH stable 5.9 10/24] net: fec: Fix PHY init after phy_reset_after_clk_enable() + +From: Marek Vasut + +[ Upstream commit 0da1ccbbefb662915228bc17e1c7d4ad28b3ddab ] + +The phy_reset_after_clk_enable() does a PHY reset, which means the PHY +loses its register settings. The fec_enet_mii_probe() starts the PHY +and does the necessary calls to configure the PHY via PHY framework, +and loads the correct register settings into the PHY. Therefore, +fec_enet_mii_probe() should be called only after the PHY has been +reset, not before as it is now. + +Fixes: 1b0a83ac04e3 ("net: fec: add phy_reset_after_clk_enable() support") +Reviewed-by: Andrew Lunn +Tested-by: Richard Leitner +Signed-off-by: Marek Vasut +Cc: Christoph Niedermaier +Cc: David S. Miller +Cc: NXP Linux Team +Cc: Shawn Guo +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/freescale/fec_main.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +--- a/drivers/net/ethernet/freescale/fec_main.c ++++ b/drivers/net/ethernet/freescale/fec_main.c +@@ -3005,17 +3005,17 @@ fec_enet_open(struct net_device *ndev) + /* Init MAC prior to mii bus probe */ + fec_restart(ndev); + +- /* Probe and connect to PHY when open the interface */ +- ret = fec_enet_mii_probe(ndev); +- if (ret) +- goto err_enet_mii_probe; +- + /* Call phy_reset_after_clk_enable() again if it failed during + * phy_reset_after_clk_enable() before because the PHY wasn't probed. + */ + if (reset_again) + fec_enet_phy_reset_after_clk_enable(ndev); + ++ /* Probe and connect to PHY when open the interface */ ++ ret = fec_enet_mii_probe(ndev); ++ if (ret) ++ goto err_enet_mii_probe; ++ + if (fep->quirks & FEC_QUIRK_ERR006687) + imx6q_cpuidle_fec_irqs_used(); + diff --git a/queue-5.9/net-fec-fix-phy_device-lookup-for-phy_reset_after_clk_enable.patch b/queue-5.9/net-fec-fix-phy_device-lookup-for-phy_reset_after_clk_enable.patch new file mode 100644 index 00000000000..81ced8f30a4 --- /dev/null +++ b/queue-5.9/net-fec-fix-phy_device-lookup-for-phy_reset_after_clk_enable.patch @@ -0,0 +1,83 @@ +From foo@baz Sat Oct 17 08:52:03 AM CEST 2020 +From: Marek Vasut +Date: Sat, 10 Oct 2020 11:10:00 +0200 +Subject: [PATCH stable 5.9 09/24] net: fec: Fix phy_device lookup for phy_reset_after_clk_enable() + +From: Marek Vasut + +[ Upstream commit 64a632da538a6827fad0ea461925cedb9899ebe2 ] + +The phy_reset_after_clk_enable() is always called with ndev->phydev, +however that pointer may be NULL even though the PHY device instance +already exists and is sufficient to perform the PHY reset. + +This condition happens in fec_open(), where the clock must be enabled +first, then the PHY must be reset, and then the PHY IDs can be read +out of the PHY. + +If the PHY still is not bound to the MAC, but there is OF PHY node +and a matching PHY device instance already, use the OF PHY node to +obtain the PHY device instance, and then use that PHY device instance +when triggering the PHY reset. + +Fixes: 1b0a83ac04e3 ("net: fec: add phy_reset_after_clk_enable() support") +Signed-off-by: Marek Vasut +Cc: Christoph Niedermaier +Cc: David S. Miller +Cc: NXP Linux Team +Cc: Richard Leitner +Cc: Shawn Guo +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/freescale/fec_main.c | 25 +++++++++++++++++++++++-- + 1 file changed, 23 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/freescale/fec_main.c ++++ b/drivers/net/ethernet/freescale/fec_main.c +@@ -1912,6 +1912,27 @@ out: + return ret; + } + ++static void fec_enet_phy_reset_after_clk_enable(struct net_device *ndev) ++{ ++ struct fec_enet_private *fep = netdev_priv(ndev); ++ struct phy_device *phy_dev = ndev->phydev; ++ ++ if (phy_dev) { ++ phy_reset_after_clk_enable(phy_dev); ++ } else if (fep->phy_node) { ++ /* ++ * If the PHY still is not bound to the MAC, but there is ++ * OF PHY node and a matching PHY device instance already, ++ * use the OF PHY node to obtain the PHY device instance, ++ * and then use that PHY device instance when triggering ++ * the PHY reset. ++ */ ++ phy_dev = of_phy_find_device(fep->phy_node); ++ phy_reset_after_clk_enable(phy_dev); ++ put_device(&phy_dev->mdio.dev); ++ } ++} ++ + static int fec_enet_clk_enable(struct net_device *ndev, bool enable) + { + struct fec_enet_private *fep = netdev_priv(ndev); +@@ -1938,7 +1959,7 @@ static int fec_enet_clk_enable(struct ne + if (ret) + goto failed_clk_ref; + +- phy_reset_after_clk_enable(ndev->phydev); ++ fec_enet_phy_reset_after_clk_enable(ndev); + } else { + clk_disable_unprepare(fep->clk_enet_out); + if (fep->clk_ptp) { +@@ -2993,7 +3014,7 @@ fec_enet_open(struct net_device *ndev) + * phy_reset_after_clk_enable() before because the PHY wasn't probed. + */ + if (reset_again) +- phy_reset_after_clk_enable(ndev->phydev); ++ fec_enet_phy_reset_after_clk_enable(ndev); + + if (fep->quirks & FEC_QUIRK_ERR006687) + imx6q_cpuidle_fec_irqs_used(); diff --git a/queue-5.9/net-fix-pos-incrementment-in-ipv6_route_seq_next.patch b/queue-5.9/net-fix-pos-incrementment-in-ipv6_route_seq_next.patch new file mode 100644 index 00000000000..98b37542f61 --- /dev/null +++ b/queue-5.9/net-fix-pos-incrementment-in-ipv6_route_seq_next.patch @@ -0,0 +1,90 @@ +From foo@baz Sat Oct 17 08:52:03 AM CEST 2020 +From: Yonghong Song +Date: Wed, 14 Oct 2020 07:46:12 -0700 +Subject: [PATCH stable 5.9 11/24] net: fix pos incrementment in ipv6_route_seq_next + +From: Yonghong Song + +[ Upstream commit 6617dfd440149e42ce4d2be615eb31a4755f4d30 ] + +Commit 4fc427e05158 ("ipv6_route_seq_next should increase position index") +tried to fix the issue where seq_file pos is not increased +if a NULL element is returned with seq_ops->next(). See bug + https://bugzilla.kernel.org/show_bug.cgi?id=206283 +The commit effectively does: + - increase pos for all seq_ops->start() + - increase pos for all seq_ops->next() + +For ipv6_route, increasing pos for all seq_ops->next() is correct. +But increasing pos for seq_ops->start() is not correct +since pos is used to determine how many items to skip during +seq_ops->start(): + iter->skip = *pos; +seq_ops->start() just fetches the *current* pos item. +The item can be skipped only after seq_ops->show() which essentially +is the beginning of seq_ops->next(). + +For example, I have 7 ipv6 route entries, + root@arch-fb-vm1:~/net-next dd if=/proc/net/ipv6_route bs=4096 + 00000000000000000000000000000000 40 00000000000000000000000000000000 00 00000000000000000000000000000000 00000400 00000001 00000000 00000001 eth0 + fe800000000000000000000000000000 40 00000000000000000000000000000000 00 00000000000000000000000000000000 00000100 00000001 00000000 00000001 eth0 + 00000000000000000000000000000000 00 00000000000000000000000000000000 00 00000000000000000000000000000000 ffffffff 00000001 00000000 00200200 lo + 00000000000000000000000000000001 80 00000000000000000000000000000000 00 00000000000000000000000000000000 00000000 00000003 00000000 80200001 lo + fe800000000000002050e3fffebd3be8 80 00000000000000000000000000000000 00 00000000000000000000000000000000 00000000 00000002 00000000 80200001 eth0 + ff000000000000000000000000000000 08 00000000000000000000000000000000 00 00000000000000000000000000000000 00000100 00000004 00000000 00000001 eth0 + 00000000000000000000000000000000 00 00000000000000000000000000000000 00 00000000000000000000000000000000 ffffffff 00000001 00000000 00200200 lo + 0+1 records in + 0+1 records out + 1050 bytes (1.0 kB, 1.0 KiB) copied, 0.00707908 s, 148 kB/s + root@arch-fb-vm1:~/net-next + +In the above, I specify buffer size 4096, so all records can be returned +to user space with a single trip to the kernel. + +If I use buffer size 128, since each record size is 149, internally +kernel seq_read() will read 149 into its internal buffer and return the data +to user space in two read() syscalls. Then user read() syscall will trigger +next seq_ops->start(). Since the current implementation increased pos even +for seq_ops->start(), it will skip record #2, #4 and #6, assuming the first +record is #1. + + root@arch-fb-vm1:~/net-next dd if=/proc/net/ipv6_route bs=128 + 00000000000000000000000000000000 40 00000000000000000000000000000000 00 00000000000000000000000000000000 00000400 00000001 00000000 00000001 eth0 + 00000000000000000000000000000000 00 00000000000000000000000000000000 00 00000000000000000000000000000000 ffffffff 00000001 00000000 00200200 lo + fe800000000000002050e3fffebd3be8 80 00000000000000000000000000000000 00 00000000000000000000000000000000 00000000 00000002 00000000 80200001 eth0 + 00000000000000000000000000000000 00 00000000000000000000000000000000 00 00000000000000000000000000000000 ffffffff 00000001 00000000 00200200 lo +4+1 records in +4+1 records out +600 bytes copied, 0.00127758 s, 470 kB/s + +To fix the problem, create a fake pos pointer so seq_ops->start() +won't actually increase seq_file pos. With this fix, the +above `dd` command with `bs=128` will show correct result. + +Fixes: 4fc427e05158 ("ipv6_route_seq_next should increase position index") +Cc: Alexei Starovoitov +Suggested-by: Vasily Averin +Reviewed-by: Vasily Averin +Signed-off-by: Yonghong Song +Acked-by: Martin KaFai Lau +Acked-by: Andrii Nakryiko +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/ip6_fib.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/net/ipv6/ip6_fib.c ++++ b/net/ipv6/ip6_fib.c +@@ -2618,8 +2618,10 @@ static void *ipv6_route_seq_start(struct + iter->skip = *pos; + + if (iter->tbl) { ++ loff_t p = 0; ++ + ipv6_route_seq_setup_walk(iter, net); +- return ipv6_route_seq_next(seq, NULL, pos); ++ return ipv6_route_seq_next(seq, NULL, &p); + } else { + return NULL; + } diff --git a/queue-5.9/net-ipa-skip-suspend-resume-activities-if-not-set-up.patch b/queue-5.9/net-ipa-skip-suspend-resume-activities-if-not-set-up.patch new file mode 100644 index 00000000000..4a7ad01172c --- /dev/null +++ b/queue-5.9/net-ipa-skip-suspend-resume-activities-if-not-set-up.patch @@ -0,0 +1,51 @@ +From foo@baz Sat Oct 17 08:52:03 AM CEST 2020 +From: Alex Elder +Date: Fri, 9 Oct 2020 15:28:48 -0500 +Subject: [PATCH stable 5.9 12/24] net: ipa: skip suspend/resume activities if not set up + +From: Alex Elder + +[ Upstream commit d1704382821032fede445b816f4296fd379baacf ] + +When processing a system suspend request we suspend modem endpoints +if they are enabled, and call ipa_cmd_tag_process() (which issues +IPA commands) to ensure the IPA pipeline is cleared. It is an error +to attempt to issue an IPA command before setup is complete, so this +is clearly a bug. But we also shouldn't suspend or resume any +endpoints that have not been set up. + +Have ipa_endpoint_suspend() and ipa_endpoint_resume() immediately +return if setup hasn't completed, to avoid any attempt to configure +endpoints or issue IPA commands in that case. + +Fixes: 84f9bd12d46d ("soc: qcom: ipa: IPA endpoints") +Tested-by: Matthias Kaehlcke +Signed-off-by: Alex Elder +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ipa/ipa_endpoint.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/net/ipa/ipa_endpoint.c ++++ b/drivers/net/ipa/ipa_endpoint.c +@@ -1471,6 +1471,9 @@ void ipa_endpoint_resume_one(struct ipa_ + + void ipa_endpoint_suspend(struct ipa *ipa) + { ++ if (!ipa->setup_complete) ++ return; ++ + if (ipa->modem_netdev) + ipa_modem_suspend(ipa->modem_netdev); + +@@ -1482,6 +1485,9 @@ void ipa_endpoint_suspend(struct ipa *ip + + void ipa_endpoint_resume(struct ipa *ipa) + { ++ if (!ipa->setup_complete) ++ return; ++ + ipa_endpoint_resume_one(ipa->name_map[IPA_ENDPOINT_AP_COMMAND_TX]); + ipa_endpoint_resume_one(ipa->name_map[IPA_ENDPOINT_AP_LAN_RX]); + diff --git a/queue-5.9/net-j1939-j1939_session_fresh_new-fix-missing-initialization-of-skbcnt.patch b/queue-5.9/net-j1939-j1939_session_fresh_new-fix-missing-initialization-of-skbcnt.patch new file mode 100644 index 00000000000..e26c4c32672 --- /dev/null +++ b/queue-5.9/net-j1939-j1939_session_fresh_new-fix-missing-initialization-of-skbcnt.patch @@ -0,0 +1,33 @@ +From foo@baz Sat Oct 17 08:52:03 AM CEST 2020 +From: Marc Kleine-Budde +Date: Thu, 8 Oct 2020 23:23:10 +0200 +Subject: [PATCH stable 5.9 24/24] net: j1939: j1939_session_fresh_new(): fix missing initialization of skbcnt + +From: Marc Kleine-Budde + +[ Upstream commit 13ba4c434422837d7c8c163f9c8d854e67bf3c99 ] + +This patch add the initialization of skbcnt, similar to: + + e009f95b1543 can: j1935: j1939_tp_tx_dat_new(): fix missing initialization of skbcnt + +Let's play save and initialize this skbcnt as well. + +Suggested-by: Jakub Kicinski +Fixes: 9d71dd0c7009 ("can: add support of SAE J1939 protocol") +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + net/can/j1939/transport.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/can/j1939/transport.c ++++ b/net/can/j1939/transport.c +@@ -1488,6 +1488,7 @@ j1939_session *j1939_session_fresh_new(s + skb->dev = priv->ndev; + can_skb_reserve(skb); + can_skb_prv(skb)->ifindex = priv->ndev->ifindex; ++ can_skb_prv(skb)->skbcnt = 0; + skcb = j1939_skb_to_cb(skb); + memcpy(skcb, rel_skcb, sizeof(*skcb)); + diff --git a/queue-5.9/net-mptcp-make-dack4-dack8-usage-consistent-among-all-subflows.patch b/queue-5.9/net-mptcp-make-dack4-dack8-usage-consistent-among-all-subflows.patch new file mode 100644 index 00000000000..1fd77b6276b --- /dev/null +++ b/queue-5.9/net-mptcp-make-dack4-dack8-usage-consistent-among-all-subflows.patch @@ -0,0 +1,72 @@ +From foo@baz Sat Oct 17 08:52:03 AM CEST 2020 +From: Davide Caratti +Date: Tue, 6 Oct 2020 18:26:17 +0200 +Subject: [PATCH stable 5.9 13/24] net: mptcp: make DACK4/DACK8 usage consistent among all subflows + +From: Davide Caratti + +[ Upstream commit 37198e93ced70733f0b993dff28b7c33857e254f ] + +using packetdrill it's possible to observe the same MPTCP DSN being acked +by different subflows with DACK4 and DACK8. This is in contrast with what +specified in RFC8684 §3.3.2: if an MPTCP endpoint transmits a 64-bit wide +DSN, it MUST be acknowledged with a 64-bit wide DACK. Fix 'use_64bit_ack' +variable to make it a property of MPTCP sockets, not TCP subflows. + +Fixes: a0c1d0eafd1e ("mptcp: Use 32-bit DATA_ACK when possible") +Acked-by: Paolo Abeni +Signed-off-by: Davide Caratti +Reviewed-by: Mat Martineau +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/mptcp/options.c | 2 +- + net/mptcp/protocol.h | 2 +- + net/mptcp/subflow.c | 3 +-- + 3 files changed, 3 insertions(+), 4 deletions(-) + +--- a/net/mptcp/options.c ++++ b/net/mptcp/options.c +@@ -516,7 +516,7 @@ static bool mptcp_established_options_ds + return ret; + } + +- if (subflow->use_64bit_ack) { ++ if (READ_ONCE(msk->use_64bit_ack)) { + ack_size = TCPOLEN_MPTCP_DSS_ACK64; + opts->ext_copy.data_ack = READ_ONCE(msk->ack_seq); + opts->ext_copy.ack64 = 1; +--- a/net/mptcp/protocol.h ++++ b/net/mptcp/protocol.h +@@ -203,6 +203,7 @@ struct mptcp_sock { + bool fully_established; + bool rcv_data_fin; + bool snd_data_fin_enable; ++ bool use_64bit_ack; /* Set when we received a 64-bit DSN */ + spinlock_t join_list_lock; + struct work_struct work; + struct list_head conn_list; +@@ -295,7 +296,6 @@ struct mptcp_subflow_context { + backup : 1, + data_avail : 1, + rx_eof : 1, +- use_64bit_ack : 1, /* Set when we received a 64-bit DSN */ + can_ack : 1; /* only after processing the remote a key */ + u32 remote_nonce; + u64 thmac; +--- a/net/mptcp/subflow.c ++++ b/net/mptcp/subflow.c +@@ -781,12 +781,11 @@ static enum mapping_status get_mapping_s + if (!mpext->dsn64) { + map_seq = expand_seq(subflow->map_seq, subflow->map_data_len, + mpext->data_seq); +- subflow->use_64bit_ack = 0; + pr_debug("expanded seq=%llu", subflow->map_seq); + } else { + map_seq = mpext->data_seq; +- subflow->use_64bit_ack = 1; + } ++ WRITE_ONCE(mptcp_sk(subflow->conn)->use_64bit_ack, !!mpext->dsn64); + + if (subflow->map_valid) { + /* Allow replacing only with an identical map */ diff --git a/queue-5.9/net-sched-fix-suspicious-rcu-usage-while-accessing-tcf_tunnel_info.patch b/queue-5.9/net-sched-fix-suspicious-rcu-usage-while-accessing-tcf_tunnel_info.patch new file mode 100644 index 00000000000..384b52780e9 --- /dev/null +++ b/queue-5.9/net-sched-fix-suspicious-rcu-usage-while-accessing-tcf_tunnel_info.patch @@ -0,0 +1,75 @@ +From foo@baz Sat Oct 17 08:52:03 AM CEST 2020 +From: Leon Romanovsky +Date: Wed, 14 Oct 2020 11:56:42 +0300 +Subject: [PATCH stable 5.9 14/24] net: sched: Fix suspicious RCU usage while accessing tcf_tunnel_info + +From: Leon Romanovsky + +[ Upstream commit d086a1c65aabb5a4e1edc580ca583e2964c62b44 ] + +The access of tcf_tunnel_info() produces the following splat, so fix it +by dereferencing the tcf_tunnel_key_params pointer with marker that +internal tcfa_liock is held. + + ============================= + WARNING: suspicious RCU usage + 5.9.0+ #1 Not tainted + ----------------------------- + include/net/tc_act/tc_tunnel_key.h:59 suspicious rcu_dereference_protected() usage! + other info that might help us debug this: + + rcu_scheduler_active = 2, debug_locks = 1 + 1 lock held by tc/34839: + #0: ffff88828572c2a0 (&p->tcfa_lock){+...}-{2:2}, at: tc_setup_flow_action+0xb3/0x48b5 + stack backtrace: + CPU: 1 PID: 34839 Comm: tc Not tainted 5.9.0+ #1 + Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014 + Call Trace: + dump_stack+0x9a/0xd0 + tc_setup_flow_action+0x14cb/0x48b5 + fl_hw_replace_filter+0x347/0x690 [cls_flower] + fl_change+0x2bad/0x4875 [cls_flower] + tc_new_tfilter+0xf6f/0x1ba0 + rtnetlink_rcv_msg+0x5f2/0x870 + netlink_rcv_skb+0x124/0x350 + netlink_unicast+0x433/0x700 + netlink_sendmsg+0x6f1/0xbd0 + sock_sendmsg+0xb0/0xe0 + ____sys_sendmsg+0x4fa/0x6d0 + ___sys_sendmsg+0x12e/0x1b0 + __sys_sendmsg+0xa4/0x120 + do_syscall_64+0x2d/0x40 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + RIP: 0033:0x7f1f8cd4fe57 + Code: 0c 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 89 54 24 1c 48 89 74 24 10 + RSP: 002b:00007ffdc1e193b8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e + RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f1f8cd4fe57 + RDX: 0000000000000000 RSI: 00007ffdc1e19420 RDI: 0000000000000003 + RBP: 000000005f85aafa R08: 0000000000000001 R09: 00007ffdc1e1936c + R10: 000000000040522d R11: 0000000000000246 R12: 0000000000000001 + R13: 0000000000000000 R14: 00007ffdc1e1d6f0 R15: 0000000000482420 + +Fixes: 3ebaf6da0716 ("net: sched: Do not assume RTNL is held in tunnel key action helpers") +Fixes: 7a47281439ba ("net: sched: lock action when translating it to flow_action infra") +Signed-off-by: Leon Romanovsky +Acked-by: Cong Wang +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + include/net/tc_act/tc_tunnel_key.h | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/include/net/tc_act/tc_tunnel_key.h ++++ b/include/net/tc_act/tc_tunnel_key.h +@@ -56,7 +56,10 @@ static inline struct ip_tunnel_info *tcf + { + #ifdef CONFIG_NET_CLS_ACT + struct tcf_tunnel_key *t = to_tunnel_key(a); +- struct tcf_tunnel_key_params *params = rtnl_dereference(t->params); ++ struct tcf_tunnel_key_params *params; ++ ++ params = rcu_dereference_protected(t->params, ++ lockdep_is_held(&a->tcfa_lock)); + + return ¶ms->tcft_enc_metadata->u.tun_info; + #else diff --git a/queue-5.9/net-smc-fix-use-after-free-of-delayed-events.patch b/queue-5.9/net-smc-fix-use-after-free-of-delayed-events.patch new file mode 100644 index 00000000000..01cbbfc0ab3 --- /dev/null +++ b/queue-5.9/net-smc-fix-use-after-free-of-delayed-events.patch @@ -0,0 +1,60 @@ +From foo@baz Sat Oct 17 08:52:03 AM CEST 2020 +From: Karsten Graul +Date: Wed, 14 Oct 2020 19:43:27 +0200 +Subject: [PATCH stable 5.9 15/24] net/smc: fix use-after-free of delayed events + +From: Karsten Graul + +[ Upstream commit d535ca1367787ddc8bff22d679a11f864c8228bc ] + +When a delayed event is enqueued then the event worker will send this +event the next time it is running and no other flow is currently +active. The event handler is called for the delayed event, and the +pointer to the event keeps set in lgr->delayed_event. This pointer is +cleared later in the processing by smc_llc_flow_start(). +This can lead to a use-after-free condition when the processing does not +reach smc_llc_flow_start(), but frees the event because of an error +situation. Then the delayed_event pointer is still set but the event is +freed. +Fix this by always clearing the delayed event pointer when the event is +provided to the event handler for processing, and remove the code to +clear it in smc_llc_flow_start(). + +Fixes: 555da9af827d ("net/smc: add event-based llc_flow framework") +Signed-off-by: Karsten Graul +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/smc/smc_llc.c | 13 +++++-------- + 1 file changed, 5 insertions(+), 8 deletions(-) + +--- a/net/smc/smc_llc.c ++++ b/net/smc/smc_llc.c +@@ -233,8 +233,6 @@ static bool smc_llc_flow_start(struct sm + default: + flow->type = SMC_LLC_FLOW_NONE; + } +- if (qentry == lgr->delayed_event) +- lgr->delayed_event = NULL; + smc_llc_flow_qentry_set(flow, qentry); + spin_unlock_bh(&lgr->llc_flow_lock); + return true; +@@ -1603,13 +1601,12 @@ static void smc_llc_event_work(struct wo + struct smc_llc_qentry *qentry; + + if (!lgr->llc_flow_lcl.type && lgr->delayed_event) { +- if (smc_link_usable(lgr->delayed_event->link)) { +- smc_llc_event_handler(lgr->delayed_event); +- } else { +- qentry = lgr->delayed_event; +- lgr->delayed_event = NULL; ++ qentry = lgr->delayed_event; ++ lgr->delayed_event = NULL; ++ if (smc_link_usable(qentry->link)) ++ smc_llc_event_handler(qentry); ++ else + kfree(qentry); +- } + } + + again: diff --git a/queue-5.9/net-smc-fix-valid-dmbe-buffer-sizes.patch b/queue-5.9/net-smc-fix-valid-dmbe-buffer-sizes.patch new file mode 100644 index 00000000000..3016a549be9 --- /dev/null +++ b/queue-5.9/net-smc-fix-valid-dmbe-buffer-sizes.patch @@ -0,0 +1,33 @@ +From foo@baz Sat Oct 17 08:52:03 AM CEST 2020 +From: Karsten Graul +Date: Wed, 14 Oct 2020 19:43:28 +0200 +Subject: [PATCH stable 5.9 16/24] net/smc: fix valid DMBE buffer sizes + +From: Karsten Graul + +[ Upstream commit ef12ad45880b696eb993d86c481ca891836ab593 ] + +The SMCD_DMBE_SIZES should include all valid DMBE buffer sizes, so the +correct value is 6 which means 1MB. With 7 the registration of an ISM +buffer would always fail because of the invalid size requested. +Fix that and set the value to 6. + +Fixes: c6ba7c9ba43d ("net/smc: add base infrastructure for SMC-D and ISM") +Signed-off-by: Karsten Graul +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/smc/smc_core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/smc/smc_core.c ++++ b/net/smc/smc_core.c +@@ -1597,7 +1597,7 @@ out: + return rc; + } + +-#define SMCD_DMBE_SIZES 7 /* 0 -> 16KB, 1 -> 32KB, .. 6 -> 1MB */ ++#define SMCD_DMBE_SIZES 6 /* 0 -> 16KB, 1 -> 32KB, .. 6 -> 1MB */ + + static struct smc_buf_desc *smcd_new_buf_create(struct smc_link_group *lgr, + bool is_dmb, int bufsize) diff --git a/queue-5.9/net-tls-sendfile-fails-with-ktls-offload.patch b/queue-5.9/net-tls-sendfile-fails-with-ktls-offload.patch new file mode 100644 index 00000000000..dffce686a94 --- /dev/null +++ b/queue-5.9/net-tls-sendfile-fails-with-ktls-offload.patch @@ -0,0 +1,67 @@ +From foo@baz Sat Oct 17 08:52:03 AM CEST 2020 +From: Rohit Maheshwari +Date: Thu, 8 Oct 2020 00:10:21 +0530 +Subject: [PATCH stable 5.9 17/24] net/tls: sendfile fails with ktls offload + +From: Rohit Maheshwari + +[ Upstream commit ea1dd3e9d080c961b9a451130b61c72dc9a5397b ] + +At first when sendpage gets called, if there is more data, 'more' in +tls_push_data() gets set which later sets pending_open_record_frags, but +when there is no more data in file left, and last time tls_push_data() +gets called, pending_open_record_frags doesn't get reset. And later when +2 bytes of encrypted alert comes as sendmsg, it first checks for +pending_open_record_frags, and since this is set, it creates a record with +0 data bytes to encrypt, meaning record length is prepend_size + tag_size +only, which causes problem. + We should set/reset pending_open_record_frags based on more bit. + +Fixes: e8f69799810c ("net/tls: Add generic NIC offload infrastructure") +Signed-off-by: Rohit Maheshwari +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/tls/tls_device.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +--- a/net/tls/tls_device.c ++++ b/net/tls/tls_device.c +@@ -418,14 +418,14 @@ static int tls_push_data(struct sock *sk + struct tls_context *tls_ctx = tls_get_ctx(sk); + struct tls_prot_info *prot = &tls_ctx->prot_info; + struct tls_offload_context_tx *ctx = tls_offload_ctx_tx(tls_ctx); +- int more = flags & (MSG_SENDPAGE_NOTLAST | MSG_MORE); + struct tls_record_info *record = ctx->open_record; + int tls_push_record_flags; + struct page_frag *pfrag; + size_t orig_size = size; + u32 max_open_record_len; +- int copy, rc = 0; ++ bool more = false; + bool done = false; ++ int copy, rc = 0; + long timeo; + + if (flags & +@@ -492,9 +492,8 @@ handle_error: + if (!size) { + last_record: + tls_push_record_flags = flags; +- if (more) { +- tls_ctx->pending_open_record_frags = +- !!record->num_frags; ++ if (flags & (MSG_SENDPAGE_NOTLAST | MSG_MORE)) { ++ more = true; + break; + } + +@@ -526,6 +525,8 @@ last_record: + } + } while (!done); + ++ tls_ctx->pending_open_record_frags = more; ++ + if (orig_size - size > 0) + rc = orig_size - size; + diff --git a/queue-5.9/series b/queue-5.9/series new file mode 100644 index 00000000000..3a69c271a1b --- /dev/null +++ b/queue-5.9/series @@ -0,0 +1,24 @@ +ibmveth-switch-order-of-ibmveth_helper-calls.patch +ibmveth-identify-ingress-large-send-packets.patch +cxgb4-handle-4-tuple-pedit-to-nat-mode-translation.patch +ipv4-restore-flowi4_oif-update-before-call-to-xfrm_lookup_route.patch +mlx4-handle-non-napi-callers-to-napi_poll.patch +mptcp-fix-fallback-for-mp_join-subflows.patch +mptcp-subflows-garbage-collection.patch +net-dsa-microchip-fix-race-condition.patch +net-fec-fix-phy_device-lookup-for-phy_reset_after_clk_enable.patch +net-fec-fix-phy-init-after-phy_reset_after_clk_enable.patch +net-fix-pos-incrementment-in-ipv6_route_seq_next.patch +net-ipa-skip-suspend-resume-activities-if-not-set-up.patch +net-mptcp-make-dack4-dack8-usage-consistent-among-all-subflows.patch +net-sched-fix-suspicious-rcu-usage-while-accessing-tcf_tunnel_info.patch +net-smc-fix-use-after-free-of-delayed-events.patch +net-smc-fix-valid-dmbe-buffer-sizes.patch +net-tls-sendfile-fails-with-ktls-offload.patch +tipc-fix-null-pointer-dereference-in-tipc_named_rcv.patch +tipc-fix-the-skb_unshare-in-tipc_buf_append.patch +socket-fix-option-so_timestamping_new.patch +socket-don-t-clear-sock_tstamp_new-when-so_timestampns-is-disabled.patch +can-m_can_platform-don-t-call-m_can_class_suspend-in-runtime-suspend.patch +can-j1935-j1939_tp_tx_dat_new-fix-missing-initialization-of-skbcnt.patch +net-j1939-j1939_session_fresh_new-fix-missing-initialization-of-skbcnt.patch diff --git a/queue-5.9/socket-don-t-clear-sock_tstamp_new-when-so_timestampns-is-disabled.patch b/queue-5.9/socket-don-t-clear-sock_tstamp_new-when-so_timestampns-is-disabled.patch new file mode 100644 index 00000000000..2da06c7c1e8 --- /dev/null +++ b/queue-5.9/socket-don-t-clear-sock_tstamp_new-when-so_timestampns-is-disabled.patch @@ -0,0 +1,44 @@ +From foo@baz Sat Oct 17 08:52:03 AM CEST 2020 +From: Christian Eggers +Date: Mon, 12 Oct 2020 11:35:42 +0200 +Subject: [PATCH stable 5.9 21/24] socket: don't clear SOCK_TSTAMP_NEW when SO_TIMESTAMPNS is disabled + +From: Christian Eggers + +[ Upstream commit 4e3bbb33e6f36e4b05be1b1b9b02e3dd5aaa3e69 ] + +SOCK_TSTAMP_NEW (timespec64 instead of timespec) is also used for +hardware time stamps (configured via SO_TIMESTAMPING_NEW). + +User space (ptp4l) first configures hardware time stamping via +SO_TIMESTAMPING_NEW which sets SOCK_TSTAMP_NEW. In the next step, ptp4l +disables SO_TIMESTAMPNS(_NEW) (software time stamps), but this must not +switch hardware time stamps back to "32 bit mode". + +This problem happens on 32 bit platforms were the libc has already +switched to struct timespec64 (from SO_TIMExxx_OLD to SO_TIMExxx_NEW +socket options). ptp4l complains with "missing timestamp on transmitted +peer delay request" because the wrong format is received (and +discarded). + +Fixes: 887feae36aee ("socket: Add SO_TIMESTAMP[NS]_NEW") +Fixes: 783da70e8396 ("net: add sock_enable_timestamps") +Signed-off-by: Christian Eggers +Acked-by: Willem de Bruijn +Acked-by: Deepa Dinamani +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/core/sock.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/net/core/sock.c ++++ b/net/core/sock.c +@@ -769,7 +769,6 @@ static void __sock_set_timestamps(struct + } else { + sock_reset_flag(sk, SOCK_RCVTSTAMP); + sock_reset_flag(sk, SOCK_RCVTSTAMPNS); +- sock_reset_flag(sk, SOCK_TSTAMP_NEW); + } + } + diff --git a/queue-5.9/socket-fix-option-so_timestamping_new.patch b/queue-5.9/socket-fix-option-so_timestamping_new.patch new file mode 100644 index 00000000000..571ca849561 --- /dev/null +++ b/queue-5.9/socket-fix-option-so_timestamping_new.patch @@ -0,0 +1,63 @@ +From foo@baz Sat Oct 17 08:52:03 AM CEST 2020 +From: Christian Eggers +Date: Mon, 12 Oct 2020 11:35:41 +0200 +Subject: [PATCH stable 5.9 20/24] socket: fix option SO_TIMESTAMPING_NEW + +From: Christian Eggers + +[ Upstream commit 59e611a566e7cd48cf54b6777a11fe3f9c2f9db5 ] + +The comparison of optname with SO_TIMESTAMPING_NEW is wrong way around, +so SOCK_TSTAMP_NEW will first be set and than reset again. Additionally +move it out of the test for SOF_TIMESTAMPING_RX_SOFTWARE as this seems +unrelated. + +This problem happens on 32 bit platforms were the libc has already +switched to struct timespec64 (from SO_TIMExxx_OLD to SO_TIMExxx_NEW +socket options). ptp4l complains with "missing timestamp on transmitted +peer delay request" because the wrong format is received (and +discarded). + +Fixes: 9718475e6908 ("socket: Add SO_TIMESTAMPING_NEW") +Signed-off-by: Christian Eggers +Reviewed-by: Willem de Bruijn +Reviewed-by: Deepa Dinamani +Acked-by: Willem de Bruijn +Acked-by: Deepa Dinamani +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/core/sock.c | 10 +++------- + 1 file changed, 3 insertions(+), 7 deletions(-) + +--- a/net/core/sock.c ++++ b/net/core/sock.c +@@ -1007,8 +1007,6 @@ set_sndbuf: + __sock_set_timestamps(sk, valbool, true, true); + break; + case SO_TIMESTAMPING_NEW: +- sock_set_flag(sk, SOCK_TSTAMP_NEW); +- fallthrough; + case SO_TIMESTAMPING_OLD: + if (val & ~SOF_TIMESTAMPING_MASK) { + ret = -EINVAL; +@@ -1037,16 +1035,14 @@ set_sndbuf: + } + + sk->sk_tsflags = val; ++ sock_valbool_flag(sk, SOCK_TSTAMP_NEW, optname == SO_TIMESTAMPING_NEW); ++ + if (val & SOF_TIMESTAMPING_RX_SOFTWARE) + sock_enable_timestamp(sk, + SOCK_TIMESTAMPING_RX_SOFTWARE); +- else { +- if (optname == SO_TIMESTAMPING_NEW) +- sock_reset_flag(sk, SOCK_TSTAMP_NEW); +- ++ else + sock_disable_timestamp(sk, + (1UL << SOCK_TIMESTAMPING_RX_SOFTWARE)); +- } + break; + + case SO_RCVLOWAT: diff --git a/queue-5.9/tipc-fix-null-pointer-dereference-in-tipc_named_rcv.patch b/queue-5.9/tipc-fix-null-pointer-dereference-in-tipc_named_rcv.patch new file mode 100644 index 00000000000..817a0f3309a --- /dev/null +++ b/queue-5.9/tipc-fix-null-pointer-dereference-in-tipc_named_rcv.patch @@ -0,0 +1,117 @@ +From foo@baz Sat Oct 17 08:52:03 AM CEST 2020 +From: Hoang Huu Le +Date: Thu, 8 Oct 2020 14:31:56 +0700 +Subject: [PATCH stable 5.9 18/24] tipc: fix NULL pointer dereference in tipc_named_rcv + +From: Hoang Huu Le + +[ Upstream commit 7b50ee3dad2581dc022b4e32e55964d4fcdccf20 ] + +In the function node_lost_contact(), we call __skb_queue_purge() without +grabbing the list->lock. This can cause to a race-condition why processing +the list 'namedq' in calling path tipc_named_rcv()->tipc_named_dequeue(). + + [] BUG: kernel NULL pointer dereference, address: 0000000000000000 + [] #PF: supervisor read access in kernel mode + [] #PF: error_code(0x0000) - not-present page + [] PGD 7ca63067 P4D 7ca63067 PUD 6c553067 PMD 0 + [] Oops: 0000 [#1] SMP NOPTI + [] CPU: 1 PID: 15 Comm: ksoftirqd/1 Tainted: G O 5.9.0-rc6+ #2 + [] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS [...] + [] RIP: 0010:tipc_named_rcv+0x103/0x320 [tipc] + [] Code: 41 89 44 24 10 49 8b 16 49 8b 46 08 49 c7 06 00 00 00 [...] + [] RSP: 0018:ffffc900000a7c58 EFLAGS: 00000282 + [] RAX: 00000000000012ec RBX: 0000000000000000 RCX: ffff88807bde1270 + [] RDX: 0000000000002c7c RSI: 0000000000002c7c RDI: ffff88807b38f1a8 + [] RBP: ffff88807b006288 R08: ffff88806a367800 R09: ffff88806a367900 + [] R10: ffff88806a367a00 R11: ffff88806a367b00 R12: ffff88807b006258 + [] R13: ffff88807b00628a R14: ffff888069334d00 R15: ffff88806a434600 + [] FS: 0000000000000000(0000) GS:ffff888079480000(0000) knlGS:0[...] + [] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + [] CR2: 0000000000000000 CR3: 0000000077320000 CR4: 00000000000006e0 + [] Call Trace: + [] ? tipc_bcast_rcv+0x9a/0x1a0 [tipc] + [] tipc_rcv+0x40d/0x670 [tipc] + [] ? _raw_spin_unlock+0xa/0x20 + [] tipc_l2_rcv_msg+0x55/0x80 [tipc] + [] __netif_receive_skb_one_core+0x8c/0xa0 + [] process_backlog+0x98/0x140 + [] net_rx_action+0x13a/0x420 + [] __do_softirq+0xdb/0x316 + [] ? smpboot_thread_fn+0x2f/0x1e0 + [] ? smpboot_thread_fn+0x74/0x1e0 + [] ? smpboot_thread_fn+0x14e/0x1e0 + [] run_ksoftirqd+0x1a/0x40 + [] smpboot_thread_fn+0x149/0x1e0 + [] ? sort_range+0x20/0x20 + [] kthread+0x131/0x150 + [] ? kthread_unuse_mm+0xa0/0xa0 + [] ret_from_fork+0x22/0x30 + [] Modules linked in: veth tipc(O) ip6_udp_tunnel udp_tunnel [...] + [] CR2: 0000000000000000 + [] ---[ end trace 65c276a8e2e2f310 ]--- + +To fix this, we need to grab the lock of the 'namedq' list on both +path calling. + +Fixes: cad2929dc432 ("tipc: update a binding service via broadcast") +Acked-by: Jon Maloy +Signed-off-by: Hoang Huu Le +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/tipc/name_distr.c | 10 +++++++++- + net/tipc/node.c | 2 +- + 2 files changed, 10 insertions(+), 2 deletions(-) + +--- a/net/tipc/name_distr.c ++++ b/net/tipc/name_distr.c +@@ -327,8 +327,13 @@ static struct sk_buff *tipc_named_dequeu + struct tipc_msg *hdr; + u16 seqno; + ++ spin_lock_bh(&namedq->lock); + skb_queue_walk_safe(namedq, skb, tmp) { +- skb_linearize(skb); ++ if (unlikely(skb_linearize(skb))) { ++ __skb_unlink(skb, namedq); ++ kfree_skb(skb); ++ continue; ++ } + hdr = buf_msg(skb); + seqno = msg_named_seqno(hdr); + if (msg_is_last_bulk(hdr)) { +@@ -338,12 +343,14 @@ static struct sk_buff *tipc_named_dequeu + + if (msg_is_bulk(hdr) || msg_is_legacy(hdr)) { + __skb_unlink(skb, namedq); ++ spin_unlock_bh(&namedq->lock); + return skb; + } + + if (*open && (*rcv_nxt == seqno)) { + (*rcv_nxt)++; + __skb_unlink(skb, namedq); ++ spin_unlock_bh(&namedq->lock); + return skb; + } + +@@ -353,6 +360,7 @@ static struct sk_buff *tipc_named_dequeu + continue; + } + } ++ spin_unlock_bh(&namedq->lock); + return NULL; + } + +--- a/net/tipc/node.c ++++ b/net/tipc/node.c +@@ -1485,7 +1485,7 @@ static void node_lost_contact(struct tip + + /* Clean up broadcast state */ + tipc_bcast_remove_peer(n->net, n->bc_entry.link); +- __skb_queue_purge(&n->bc_entry.namedq); ++ skb_queue_purge(&n->bc_entry.namedq); + + /* Abort any ongoing link failover */ + for (i = 0; i < MAX_BEARERS; i++) { diff --git a/queue-5.9/tipc-fix-the-skb_unshare-in-tipc_buf_append.patch b/queue-5.9/tipc-fix-the-skb_unshare-in-tipc_buf_append.patch new file mode 100644 index 00000000000..455066fa603 --- /dev/null +++ b/queue-5.9/tipc-fix-the-skb_unshare-in-tipc_buf_append.patch @@ -0,0 +1,41 @@ +From foo@baz Sat Oct 17 08:52:03 AM CEST 2020 +From: Cong Wang +Date: Wed, 7 Oct 2020 21:12:50 -0700 +Subject: [PATCH stable 5.9 19/24] tipc: fix the skb_unshare() in tipc_buf_append() + +From: Cong Wang + +[ Upstream commit ed42989eab57d619667d7e87dfbd8fe207db54fe ] + +skb_unshare() drops a reference count on the old skb unconditionally, +so in the failure case, we end up freeing the skb twice here. +And because the skb is allocated in fclone and cloned by caller +tipc_msg_reassemble(), the consequence is actually freeing the +original skb too, thus triggered the UAF by syzbot. + +Fix this by replacing this skb_unshare() with skb_cloned()+skb_copy(). + +Fixes: ff48b6222e65 ("tipc: use skb_unshare() instead in tipc_buf_append()") +Reported-and-tested-by: syzbot+e96a7ba46281824cc46a@syzkaller.appspotmail.com +Cc: Jon Maloy +Cc: Ying Xue +Signed-off-by: Cong Wang +Reviewed-by: Xin Long +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/tipc/msg.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/tipc/msg.c ++++ b/net/tipc/msg.c +@@ -150,7 +150,8 @@ int tipc_buf_append(struct sk_buff **hea + if (fragid == FIRST_FRAGMENT) { + if (unlikely(head)) + goto err; +- frag = skb_unshare(frag, GFP_ATOMIC); ++ if (skb_cloned(frag)) ++ frag = skb_copy(frag, GFP_ATOMIC); + if (unlikely(!frag)) + goto err; + head = *headbuf = frag;