From 01f3c9995d7a272b8eed642ad11cedd4e6dc57c5 Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman Date: Wed, 29 Jul 2020 13:56:45 +0200 Subject: [PATCH] 4.4-stable patches added patches: ax.25-fix-out-of-bounds-read-in-ax25_connect.patch ax.25-prevent-integer-overflows-in-connect-and-sendmsg.patch ax.25-prevent-out-of-bounds-read-in-ax25_sendmsg.patch drivers-net-wan-x25_asy-fix-to-make-it-work.patch ip6_gre-fix-null-ptr-deref-in-ip6gre_init_net.patch makefile-fix-gcc_toolchain_dir-prefix-for-clang-cross-compilation.patch net-sysfs-add-a-newline-when-printing-tx_timeout-by-sysfs.patch net-udp-fix-wrong-clean-up-for-is_udplite-macro.patch rxrpc-fix-sendmsg-returning-epipe-due-to-recvmsg-returning-enodata.patch tcp-allow-at-most-one-tlp-probe-per-flight.patch --- ...x-out-of-bounds-read-in-ax25_connect.patch | 43 ++++++ ...ger-overflows-in-connect-and-sendmsg.patch | 46 +++++++ ...t-out-of-bounds-read-in-ax25_sendmsg.patch | 36 +++++ ...-net-wan-x25_asy-fix-to-make-it-work.patch | 102 ++++++++++++++ ...ix-null-ptr-deref-in-ip6gre_init_net.patch | 81 ++++++++++++ ...r-prefix-for-clang-cross-compilation.patch | 58 ++++++++ ...ne-when-printing-tx_timeout-by-sysfs.patch | 33 +++++ ...-wrong-clean-up-for-is_udplite-macro.patch | 43 ++++++ ...ipe-due-to-recvmsg-returning-enodata.patch | 51 +++++++ queue-4.4/series | 10 ++ ...low-at-most-one-tlp-probe-per-flight.patch | 125 ++++++++++++++++++ 11 files changed, 628 insertions(+) create mode 100644 queue-4.4/ax.25-fix-out-of-bounds-read-in-ax25_connect.patch create mode 100644 queue-4.4/ax.25-prevent-integer-overflows-in-connect-and-sendmsg.patch create mode 100644 queue-4.4/ax.25-prevent-out-of-bounds-read-in-ax25_sendmsg.patch create mode 100644 queue-4.4/drivers-net-wan-x25_asy-fix-to-make-it-work.patch create mode 100644 queue-4.4/ip6_gre-fix-null-ptr-deref-in-ip6gre_init_net.patch create mode 100644 queue-4.4/makefile-fix-gcc_toolchain_dir-prefix-for-clang-cross-compilation.patch create mode 100644 queue-4.4/net-sysfs-add-a-newline-when-printing-tx_timeout-by-sysfs.patch create mode 100644 
queue-4.4/net-udp-fix-wrong-clean-up-for-is_udplite-macro.patch create mode 100644 queue-4.4/rxrpc-fix-sendmsg-returning-epipe-due-to-recvmsg-returning-enodata.patch create mode 100644 queue-4.4/tcp-allow-at-most-one-tlp-probe-per-flight.patch diff --git a/queue-4.4/ax.25-fix-out-of-bounds-read-in-ax25_connect.patch b/queue-4.4/ax.25-fix-out-of-bounds-read-in-ax25_connect.patch new file mode 100644 index 00000000000..55e63a3deb5 --- /dev/null +++ b/queue-4.4/ax.25-fix-out-of-bounds-read-in-ax25_connect.patch 
@@ -0,0 +1,43 @@ +From foo@baz Wed 29 Jul 2020 01:36:49 PM CEST +From: Peilin Ye +Date: Wed, 22 Jul 2020 11:19:01 -0400 +Subject: AX.25: Fix out-of-bounds read in ax25_connect() + +From: Peilin Ye + +[ Upstream commit 2f2a7ffad5c6cbf3d438e813cfdc88230e185ba6 ] + +Checks on `addr_len` and `fsa->fsa_ax25.sax25_ndigis` are insufficient. +ax25_connect() can go out of bounds when `fsa->fsa_ax25.sax25_ndigis` +equals to 7 or 8. Fix it. + +This issue has been reported as a KMSAN uninit-value bug, because in such +a case, ax25_connect() reaches into the uninitialized portion of the +`struct sockaddr_storage` statically allocated in __sys_connect(). + +It is safe to remove `fsa->fsa_ax25.sax25_ndigis > AX25_MAX_DIGIS` because +`addr_len` is guaranteed to be less than or equal to +`sizeof(struct full_sockaddr_ax25)`. + +Reported-by: syzbot+c82752228ed975b0a623@syzkaller.appspotmail.com +Link: https://syzkaller.appspot.com/bug?id=55ef9d629f3b3d7d70b69558015b63b48d01af66 +Signed-off-by: Peilin Ye +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ax25/af_ax25.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/net/ax25/af_ax25.c ++++ b/net/ax25/af_ax25.c +@@ -1191,7 +1191,9 @@ static int __must_check ax25_connect(str + if (addr_len > sizeof(struct sockaddr_ax25) && + fsa->fsa_ax25.sax25_ndigis != 0) { + /* Valid number of digipeaters ? */ +- if (fsa->fsa_ax25.sax25_ndigis < 1 || fsa->fsa_ax25.sax25_ndigis > AX25_MAX_DIGIS) { ++ if (fsa->fsa_ax25.sax25_ndigis < 1 || ++ addr_len < sizeof(struct sockaddr_ax25) + ++ sizeof(ax25_address) * fsa->fsa_ax25.sax25_ndigis) { + err = -EINVAL; + goto out_release; + } diff --git a/queue-4.4/ax.25-prevent-integer-overflows-in-connect-and-sendmsg.patch b/queue-4.4/ax.25-prevent-integer-overflows-in-connect-and-sendmsg.patch new file mode 100644 index 00000000000..7f977e7597d --- /dev/null +++ b/queue-4.4/ax.25-prevent-integer-overflows-in-connect-and-sendmsg.patch 
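Review bot: Dropping `fsa->fsa_ax25.sax25_ndigis > AX25_MAX_DIGIS` from the ax25_connect() check leaves `sizeof(ax25_address) * fsa->fsa_ax25.sax25_ndigis` with no upper bound on the count, so the new length comparison is only sound if that product cannot wrap. The same applies to the ax25_sendmsg() check introduced by ax.25-prevent-out-of-bounds-read-in-ax25_sendmsg.patch. Within this queue the bound is restored by ax.25-prevent-integer-overflows-in-connect-and-sendmsg.patch, which the series file lists after both, so the three patches should be carried as one unit when backported to another tree. ax25_connect() starts and ends outside the hunk.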
@@ -0,0 +1,46 @@ +From foo@baz Wed 29 Jul 2020 01:36:49 PM CEST +From: Dan Carpenter +Date: Thu, 23 Jul 2020 17:49:57 +0300 +Subject: AX.25: Prevent integer overflows in connect and sendmsg + +From: Dan Carpenter + +[ Upstream commit 17ad73e941b71f3bec7523ea4e9cbc3752461c2d ] + +We recently added some bounds checking in ax25_connect() and +ax25_sendmsg() and we so we removed the AX25_MAX_DIGIS checks because +they were no longer required. + +Unfortunately, I believe they are required to prevent integer overflows +so I have added them back. + +Fixes: 8885bb0621f0 ("AX.25: Prevent out-of-bounds read in ax25_sendmsg()") +Fixes: 2f2a7ffad5c6 ("AX.25: Fix out-of-bounds read in ax25_connect()") +Signed-off-by: Dan Carpenter +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ax25/af_ax25.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/net/ax25/af_ax25.c ++++ b/net/ax25/af_ax25.c +@@ -1192,6 +1192,7 @@ static int __must_check ax25_connect(str + fsa->fsa_ax25.sax25_ndigis != 0) { + /* Valid number of digipeaters ? */ + if (fsa->fsa_ax25.sax25_ndigis < 1 || ++ fsa->fsa_ax25.sax25_ndigis > AX25_MAX_DIGIS || + addr_len < sizeof(struct sockaddr_ax25) + + sizeof(ax25_address) * fsa->fsa_ax25.sax25_ndigis) { + err = -EINVAL; +@@ -1512,7 +1513,9 @@ static int ax25_sendmsg(struct socket *s + struct full_sockaddr_ax25 *fsa = (struct full_sockaddr_ax25 *)usax; + + /* Valid number of digipeaters ? */ +- if (usax->sax25_ndigis < 1 || addr_len < sizeof(struct sockaddr_ax25) + ++ if (usax->sax25_ndigis < 1 || ++ usax->sax25_ndigis > AX25_MAX_DIGIS || ++ addr_len < sizeof(struct sockaddr_ax25) + + sizeof(ax25_address) * usax->sax25_ndigis) { + err = -EINVAL; + goto out; diff --git a/queue-4.4/ax.25-prevent-out-of-bounds-read-in-ax25_sendmsg.patch b/queue-4.4/ax.25-prevent-out-of-bounds-read-in-ax25_sendmsg.patch new file mode 100644 index 00000000000..2701a51e0fb --- /dev/null 
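Review bot: The re-added `> AX25_MAX_DIGIS` tests in ax25_connect() and ax25_sendmsg() have no comment explaining why they precede the length comparison, even though the two earlier patches in this queue removed them as redundant. A short comment above each check, for example `/* Bound ndigis before it is multiplied below so the size computation cannot overflow. */`, would keep a later cleanup from dropping them again. Both functions extend beyond the hunks shown.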
+++ b/queue-4.4/ax.25-prevent-out-of-bounds-read-in-ax25_sendmsg.patch @@ -0,0 +1,36 @@ +From foo@baz Wed 29 Jul 2020 01:36:49 PM CEST +From: Peilin Ye +Date: Wed, 22 Jul 2020 12:05:12 -0400 +Subject: AX.25: Prevent out-of-bounds read in ax25_sendmsg() + +From: Peilin Ye + +[ Upstream commit 8885bb0621f01a6c82be60a91e5fc0f6e2f71186 ] + +Checks on `addr_len` and `usax->sax25_ndigis` are insufficient. +ax25_sendmsg() can go out of bounds when `usax->sax25_ndigis` equals to 7 +or 8. Fix it. + +It is safe to remove `usax->sax25_ndigis > AX25_MAX_DIGIS`, since +`addr_len` is guaranteed to be less than or equal to +`sizeof(struct full_sockaddr_ax25)` + +Signed-off-by: Peilin Ye +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ax25/af_ax25.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/ax25/af_ax25.c ++++ b/net/ax25/af_ax25.c +@@ -1512,7 +1512,8 @@ static int ax25_sendmsg(struct socket *s + struct full_sockaddr_ax25 *fsa = (struct full_sockaddr_ax25 *)usax; + + /* Valid number of digipeaters ? */ +- if (usax->sax25_ndigis < 1 || usax->sax25_ndigis > AX25_MAX_DIGIS) { ++ if (usax->sax25_ndigis < 1 || addr_len < sizeof(struct sockaddr_ax25) + ++ sizeof(ax25_address) * usax->sax25_ndigis) { + err = -EINVAL; + goto out; + } diff --git a/queue-4.4/drivers-net-wan-x25_asy-fix-to-make-it-work.patch b/queue-4.4/drivers-net-wan-x25_asy-fix-to-make-it-work.patch new file mode 100644 index 00000000000..d27c87d1f1c --- /dev/null +++ b/queue-4.4/drivers-net-wan-x25_asy-fix-to-make-it-work.patch 
@@ -0,0 +1,102 @@ +From foo@baz Wed 29 Jul 2020 12:42:55 PM CEST +From: Xie He +Date: Thu, 16 Jul 2020 16:44:33 -0700 +Subject: drivers/net/wan/x25_asy: Fix to make it work + +From: Xie He + +[ Upstream commit 8fdcabeac39824fe67480fd9508d80161c541854 ] + +This driver is not working because of problems of its receiving code. +This patch fixes it to make it work. + +When the driver receives an LAPB frame, it should first pass the frame +to the LAPB module to process. After processing, the LAPB module passes +the data (the packet) back to the driver, the driver should then add a +one-byte pseudo header and pass the data to upper layers. + +The changes to the "x25_asy_bump" function and the +"x25_asy_data_indication" function are to correctly implement this +procedure. + +Also, the "x25_asy_unesc" function ignores any frame that is shorter +than 3 bytes. However the shortest frames are 2-byte long. So we need +to change it to allow 2-byte frames to pass. + +Cc: Eric Dumazet +Cc: Martin Schiller +Signed-off-by: Xie He +Reviewed-by: Martin Schiller +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wan/x25_asy.c | 21 ++++++++++++++------- + 1 file changed, 14 insertions(+), 7 deletions(-) + +--- a/drivers/net/wan/x25_asy.c ++++ b/drivers/net/wan/x25_asy.c +@@ -186,7 +186,7 @@ static inline void x25_asy_unlock(struct + netif_wake_queue(sl->dev); + } + +-/* Send one completely decapsulated IP datagram to the IP layer. */ ++/* Send an LAPB frame to the LAPB module to process. 
*/ + + static void x25_asy_bump(struct x25_asy *sl) + { +@@ -198,13 +198,12 @@ static void x25_asy_bump(struct x25_asy + count = sl->rcount; + dev->stats.rx_bytes += count; + +- skb = dev_alloc_skb(count+1); ++ skb = dev_alloc_skb(count); + if (skb == NULL) { + netdev_warn(sl->dev, "memory squeeze, dropping packet\n"); + dev->stats.rx_dropped++; + return; + } +- skb_push(skb, 1); /* LAPB internal control */ + memcpy(skb_put(skb, count), sl->rbuff, count); + skb->protocol = x25_type_trans(skb, sl->dev); + err = lapb_data_received(skb->dev, skb); +@@ -212,7 +211,6 @@ static void x25_asy_bump(struct x25_asy + kfree_skb(skb); + printk(KERN_DEBUG "x25_asy: data received err - %d\n", err); + } else { +- netif_rx(skb); + dev->stats.rx_packets++; + } + } +@@ -358,12 +356,21 @@ static netdev_tx_t x25_asy_xmit(struct s + */ + + /* +- * Called when I frame data arrives. We did the work above - throw it +- * at the net layer. ++ * Called when I frame data arrive. We add a pseudo header for upper ++ * layers and pass it to upper layers. + */ + + static int x25_asy_data_indication(struct net_device *dev, struct sk_buff *skb) + { ++ if (skb_cow(skb, 1)) { ++ kfree_skb(skb); ++ return NET_RX_DROP; ++ } ++ skb_push(skb, 1); ++ skb->data[0] = X25_IFACE_DATA; ++ ++ skb->protocol = x25_type_trans(skb, dev); ++ + return netif_rx(skb); + } + +@@ -655,7 +662,7 @@ static void x25_asy_unesc(struct x25_asy + switch (s) { + case X25_END: + if (!test_and_clear_bit(SLF_ERROR, &sl->flags) && +- sl->rcount > 2) ++ sl->rcount >= 2) + x25_asy_bump(sl); + clear_bit(SLF_ESCAPE, &sl->flags); + sl->rcount = 0; diff --git a/queue-4.4/ip6_gre-fix-null-ptr-deref-in-ip6gre_init_net.patch b/queue-4.4/ip6_gre-fix-null-ptr-deref-in-ip6gre_init_net.patch new file mode 100644 index 00000000000..d4ff39902cd --- /dev/null +++ b/queue-4.4/ip6_gre-fix-null-ptr-deref-in-ip6gre_init_net.patch 
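Review bot: The new `skb_cow(skb, 1)` failure branch in x25_asy_data_indication() frees the skb and returns NET_RX_DROP without updating any device counter, whereas the allocation failure in x25_asy_bump() increments `dev->stats.rx_dropped`. Adding `dev->stats.rx_dropped++;` before `kfree_skb(skb);` would keep drops under memory pressure visible on the interface statistics. x25_asy_bump() still increments `rx_packets` whenever lapb_data_received() reports no error, and that function is not shown here, so the combined accounting for a frame dropped at this point should be checked against it.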
@@ -0,0 +1,81 @@ +From foo@baz Wed 29 Jul 2020 12:20:23 PM CEST +From: Wei Yongjun +Date: Mon, 13 Jul 2020 23:59:50 +0800 +Subject: ip6_gre: fix null-ptr-deref in ip6gre_init_net() + +From: Wei Yongjun + +[ Upstream commit 46ef5b89ec0ecf290d74c4aee844f063933c4da4 ] + +KASAN report null-ptr-deref error when register_netdev() failed: + +KASAN: null-ptr-deref in range [0x00000000000003c0-0x00000000000003c7] +CPU: 2 PID: 422 Comm: ip Not tainted 5.8.0-rc4+ #12 +Call Trace: + ip6gre_init_net+0x4ab/0x580 + ? ip6gre_tunnel_uninit+0x3f0/0x3f0 + ops_init+0xa8/0x3c0 + setup_net+0x2de/0x7e0 + ? rcu_read_lock_bh_held+0xb0/0xb0 + ? ops_init+0x3c0/0x3c0 + ? kasan_unpoison_shadow+0x33/0x40 + ? __kasan_kmalloc.constprop.0+0xc2/0xd0 + copy_net_ns+0x27d/0x530 + create_new_namespaces+0x382/0xa30 + unshare_nsproxy_namespaces+0xa1/0x1d0 + ksys_unshare+0x39c/0x780 + ? walk_process_tree+0x2a0/0x2a0 + ? trace_hardirqs_on+0x4a/0x1b0 + ? _raw_spin_unlock_irq+0x1f/0x30 + ? syscall_trace_enter+0x1a7/0x330 + ? do_syscall_64+0x1c/0xa0 + __x64_sys_unshare+0x2d/0x40 + do_syscall_64+0x56/0xa0 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +ip6gre_tunnel_uninit() has set 'ign->fb_tunnel_dev' to NULL, later +access to ign->fb_tunnel_dev cause null-ptr-deref. Fix it by saving +'ign->fb_tunnel_dev' to local variable ndev. + +Fixes: dafabb6590cb ("ip6_gre: fix use-after-free in ip6gre_tunnel_lookup()") +Reported-by: Hulk Robot +Signed-off-by: Wei Yongjun +Reviewed-by: Eric Dumazet +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/ip6_gre.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +--- a/net/ipv6/ip6_gre.c ++++ b/net/ipv6/ip6_gre.c +@@ -1355,15 +1355,16 @@ static void ip6gre_destroy_tunnels(struc + static int __net_init ip6gre_init_net(struct net *net) + { + struct ip6gre_net *ign = net_generic(net, ip6gre_net_id); ++ struct net_device *ndev; + int err; + +- ign->fb_tunnel_dev = alloc_netdev(sizeof(struct ip6_tnl), "ip6gre0", +- NET_NAME_UNKNOWN, +- ip6gre_tunnel_setup); +- if (!ign->fb_tunnel_dev) { ++ ndev = alloc_netdev(sizeof(struct ip6_tnl), "ip6gre0", ++ NET_NAME_UNKNOWN, ip6gre_tunnel_setup); ++ if (!ndev) { + err = -ENOMEM; + goto err_alloc_dev; + } ++ ign->fb_tunnel_dev = ndev; + dev_net_set(ign->fb_tunnel_dev, net); + /* FB netdevice is special: we have one, and only one per netns. + * Allowing to move it to another netns is clearly unsafe. +@@ -1383,7 +1384,7 @@ static int __net_init ip6gre_init_net(st + return 0; + + err_reg_dev: +- ip6gre_dev_free(ign->fb_tunnel_dev); ++ ip6gre_dev_free(ndev); + err_alloc_dev: + return err; + } diff --git a/queue-4.4/makefile-fix-gcc_toolchain_dir-prefix-for-clang-cross-compilation.patch b/queue-4.4/makefile-fix-gcc_toolchain_dir-prefix-for-clang-cross-compilation.patch new file mode 100644 index 00000000000..2d5b09ecef9 --- /dev/null +++ b/queue-4.4/makefile-fix-gcc_toolchain_dir-prefix-for-clang-cross-compilation.patch 
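Review bot: On the `err_reg_dev` path of ip6gre_init_net() the device is now freed through `ndev`, but nothing visible in the hunks clears `ign->fb_tunnel_dev`, which was assigned from `ndev` earlier in the function. The commit message says ip6gre_tunnel_uninit() sets the field to NULL; if any failure can reach `err_reg_dev` without that callback having run, the field would still point at the freed device. Adding `ign->fb_tunnel_dev = NULL;` after `ip6gre_dev_free(ndev);` would make the cleanup independent of which step failed. The middle of the function lies between the two hunks and is not shown.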
@@ -0,0 +1,58 @@ +From ca9b31f6bb9c6aa9b4e5f0792f39a97bbffb8c51 Mon Sep 17 00:00:00 2001 +From: Fangrui Song +Date: Tue, 21 Jul 2020 10:31:23 -0700 +Subject: Makefile: Fix GCC_TOOLCHAIN_DIR prefix for Clang cross compilation + +From: Fangrui Song + +commit ca9b31f6bb9c6aa9b4e5f0792f39a97bbffb8c51 upstream. + +When CROSS_COMPILE is set (e.g. aarch64-linux-gnu-), if +$(CROSS_COMPILE)elfedit is found at /usr/bin/aarch64-linux-gnu-elfedit, +GCC_TOOLCHAIN_DIR will be set to /usr/bin/. --prefix= will be set to +/usr/bin/ and Clang as of 11 will search for both +$(prefix)aarch64-linux-gnu-$needle and $(prefix)$needle. + +GCC searchs for $(prefix)aarch64-linux-gnu/$version/$needle, +$(prefix)aarch64-linux-gnu/$needle and $(prefix)$needle. In practice, +$(prefix)aarch64-linux-gnu/$needle rarely contains executables. + +To better model how GCC's -B/--prefix takes in effect in practice, newer +Clang (since +https://github.com/llvm/llvm-project/commit/3452a0d8c17f7166f479706b293caf6ac76ffd90) +only searches for $(prefix)$needle. Currently it will find /usr/bin/as +instead of /usr/bin/aarch64-linux-gnu-as. + +Set --prefix= to $(GCC_TOOLCHAIN_DIR)$(notdir $(CROSS_COMPILE)) +(/usr/bin/aarch64-linux-gnu-) so that newer Clang can find the +appropriate cross compiling GNU as (when -no-integrated-as is in +effect). 
+ +Cc: stable@vger.kernel.org +Reported-by: Nathan Chancellor +Signed-off-by: Fangrui Song +Reviewed-by: Nathan Chancellor +Tested-by: Nathan Chancellor +Tested-by: Nick Desaulniers +Link: https://github.com/ClangBuiltLinux/linux/issues/1099 +Reviewed-by: Nick Desaulniers +Signed-off-by: Masahiro Yamada +[nc: Adjust context, CLANG_FLAGS does not exist in 4.4] +Signed-off-by: Nathan Chancellor +Signed-off-by: Greg Kroah-Hartman + +--- + Makefile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/Makefile ++++ b/Makefile +@@ -607,7 +607,7 @@ ifeq ($(cc-name),clang) + ifneq ($(CROSS_COMPILE),) + CLANG_TARGET := --target=$(notdir $(CROSS_COMPILE:%-=%)) + GCC_TOOLCHAIN_DIR := $(dir $(shell which $(CROSS_COMPILE)elfedit)) +-CLANG_PREFIX := --prefix=$(GCC_TOOLCHAIN_DIR) ++CLANG_PREFIX := --prefix=$(GCC_TOOLCHAIN_DIR)$(notdir $(CROSS_COMPILE)) + GCC_TOOLCHAIN := $(realpath $(GCC_TOOLCHAIN_DIR)/..) + endif + ifneq ($(GCC_TOOLCHAIN),) diff --git a/queue-4.4/net-sysfs-add-a-newline-when-printing-tx_timeout-by-sysfs.patch b/queue-4.4/net-sysfs-add-a-newline-when-printing-tx_timeout-by-sysfs.patch new file mode 100644 index 00000000000..f46fa8ff966 --- /dev/null +++ b/queue-4.4/net-sysfs-add-a-newline-when-printing-tx_timeout-by-sysfs.patch 
@@ -0,0 +1,33 @@ +From foo@baz Wed 29 Jul 2020 01:36:49 PM CEST +From: Xiongfeng Wang +Date: Tue, 21 Jul 2020 15:02:57 +0800 +Subject: net-sysfs: add a newline when printing 'tx_timeout' by sysfs + +From: Xiongfeng Wang + +[ Upstream commit 9bb5fbea59f36a589ef886292549ca4052fe676c ] + +When I cat 'tx_timeout' by sysfs, it displays as follows. It's better to +add a newline for easy reading. + +root@syzkaller:~# cat /sys/devices/virtual/net/lo/queues/tx-0/tx_timeout +0root@syzkaller:~# + +Signed-off-by: Xiongfeng Wang +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/core/net-sysfs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/core/net-sysfs.c ++++ b/net/core/net-sysfs.c +@@ -999,7 +999,7 @@ static ssize_t show_trans_timeout(struct + trans_timeout = queue->trans_timeout; + spin_unlock_irq(&queue->_xmit_lock); + +- return sprintf(buf, "%lu", trans_timeout); ++ return sprintf(buf, fmt_ulong, trans_timeout); + } + + #ifdef CONFIG_XPS diff --git a/queue-4.4/net-udp-fix-wrong-clean-up-for-is_udplite-macro.patch b/queue-4.4/net-udp-fix-wrong-clean-up-for-is_udplite-macro.patch new file mode 100644 index 00000000000..39870cdd17e --- /dev/null +++ b/queue-4.4/net-udp-fix-wrong-clean-up-for-is_udplite-macro.patch 
@@ -0,0 +1,43 @@ +From foo@baz Wed 29 Jul 2020 01:36:49 PM CEST +From: Miaohe Lin +Date: Tue, 21 Jul 2020 17:11:44 +0800 +Subject: net: udp: Fix wrong clean up for IS_UDPLITE macro + +From: Miaohe Lin + +[ Upstream commit b0a422772fec29811e293c7c0e6f991c0fd9241d ] + +We can't use IS_UDPLITE to replace udp_sk->pcflag when UDPLITE_RECV_CC is +checked. + +Fixes: b2bf1e2659b1 ("[UDP]: Clean up for IS_UDPLITE macro") +Signed-off-by: Miaohe Lin +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/udp.c | 2 +- + net/ipv6/udp.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +--- a/net/ipv4/udp.c ++++ b/net/ipv4/udp.c +@@ -1558,7 +1558,7 @@ int udp_queue_rcv_skb(struct sock *sk, s + /* + * UDP-Lite specific tests, ignored on UDP sockets + */ +- if ((is_udplite & UDPLITE_RECV_CC) && UDP_SKB_CB(skb)->partial_cov) { ++ if ((up->pcflag & UDPLITE_RECV_CC) && UDP_SKB_CB(skb)->partial_cov) { + + /* + * MIB statistics other than incrementing the error count are +--- a/net/ipv6/udp.c ++++ b/net/ipv6/udp.c +@@ -672,7 +672,7 @@ int udpv6_queue_rcv_skb(struct sock *sk, + /* + * UDP-Lite specific tests, ignored on UDP sockets (see net/ipv4/udp.c). + */ +- if ((is_udplite & UDPLITE_RECV_CC) && UDP_SKB_CB(skb)->partial_cov) { ++ if ((up->pcflag & UDPLITE_RECV_CC) && UDP_SKB_CB(skb)->partial_cov) { + + if (up->pcrlen == 0) { /* full coverage was set */ + net_dbg_ratelimited("UDPLITE6: partial coverage %d while full coverage %d requested\n", diff --git a/queue-4.4/rxrpc-fix-sendmsg-returning-epipe-due-to-recvmsg-returning-enodata.patch b/queue-4.4/rxrpc-fix-sendmsg-returning-epipe-due-to-recvmsg-returning-enodata.patch new file mode 100644 index 00000000000..fad6eec8839 --- /dev/null +++ b/queue-4.4/rxrpc-fix-sendmsg-returning-epipe-due-to-recvmsg-returning-enodata.patch 
@@ -0,0 +1,51 @@ +From foo@baz Wed 29 Jul 2020 01:36:49 PM CEST +From: David Howells +Date: Mon, 20 Jul 2020 12:41:46 +0100 +Subject: rxrpc: Fix sendmsg() returning EPIPE due to recvmsg() returning ENODATA + +From: David Howells + +[ Upstream commit 639f181f0ee20d3249dbc55f740f0167267180f0 ] + +rxrpc_sendmsg() returns EPIPE if there's an outstanding error, such as if +rxrpc_recvmsg() indicating ENODATA if there's nothing for it to read. + +Change rxrpc_recvmsg() to return EAGAIN instead if there's nothing to read +as this particular error doesn't get stored in ->sk_err by the networking +core. + +Also change rxrpc_sendmsg() so that it doesn't fail with delayed receive +errors (there's no way for it to report which call, if any, the error was +caused by). + +Fixes: 17926a79320a ("[AF_RXRPC]: Provide secure RxRPC sockets for use by userspace and kernel both") +Signed-off-by: David Howells +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/rxrpc/ar-output.c | 2 +- + net/rxrpc/ar-recvmsg.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +--- a/net/rxrpc/ar-output.c ++++ b/net/rxrpc/ar-output.c +@@ -533,7 +533,7 @@ static int rxrpc_send_data(struct rxrpc_ + /* this should be in poll */ + sk_clear_bit(SOCKWQ_ASYNC_NOSPACE, sk); + +- if (sk->sk_err || (sk->sk_shutdown & SEND_SHUTDOWN)) ++ if (sk->sk_shutdown & SEND_SHUTDOWN) + return -EPIPE; + + more = msg->msg_flags & MSG_MORE; +--- a/net/rxrpc/ar-recvmsg.c ++++ b/net/rxrpc/ar-recvmsg.c +@@ -78,7 +78,7 @@ int rxrpc_recvmsg(struct socket *sock, s + release_sock(&rx->sk); + if (continue_call) + rxrpc_put_call(continue_call); +- return -ENODATA; ++ return -EAGAIN; + } + } + diff --git a/queue-4.4/series b/queue-4.4/series index a77f1e09d4c..8bac81a4d0d 100644 --- a/queue-4.4/series +++ b/queue-4.4/series 
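Review bot: Neither changed line records why it departs from the usual socket error handling: rxrpc_send_data() no longer tests `sk->sk_err`, and rxrpc_recvmsg() now returns `-EAGAIN` where it returned `-ENODATA`. A comment at the send check such as `/* sk_err is not tested: a delayed receive error cannot be attributed to a call */` and one at the return such as `/* EAGAIN is not stored in sk_err by the core, unlike ENODATA */` would carry the commit message's reasoning into the code. Userspace that compares the recvmsg() result with ENODATA sees a different errno after this backport, which deserves a line in the stable release notes. Both functions continue outside the hunks.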
@@ -35,3 +35,13 @@ mm-memcg-fix-refcount-error-while-moving-and-swapping.patch parisc-add-atomic64_set_release-define-to-avoid-cpu-soft-lockups.patch ath9k-fix-general-protection-fault-in-ath9k_hif_usb_rx_cb.patch ath9k-fix-regression-with-atheros-9271.patch +ax.25-fix-out-of-bounds-read-in-ax25_connect.patch +ax.25-prevent-out-of-bounds-read-in-ax25_sendmsg.patch +net-sysfs-add-a-newline-when-printing-tx_timeout-by-sysfs.patch +net-udp-fix-wrong-clean-up-for-is_udplite-macro.patch +ax.25-prevent-integer-overflows-in-connect-and-sendmsg.patch +tcp-allow-at-most-one-tlp-probe-per-flight.patch +rxrpc-fix-sendmsg-returning-epipe-due-to-recvmsg-returning-enodata.patch +ip6_gre-fix-null-ptr-deref-in-ip6gre_init_net.patch +drivers-net-wan-x25_asy-fix-to-make-it-work.patch +makefile-fix-gcc_toolchain_dir-prefix-for-clang-cross-compilation.patch diff --git a/queue-4.4/tcp-allow-at-most-one-tlp-probe-per-flight.patch b/queue-4.4/tcp-allow-at-most-one-tlp-probe-per-flight.patch new file mode 100644 index 00000000000..86d6adcdd7e --- /dev/null +++ b/queue-4.4/tcp-allow-at-most-one-tlp-probe-per-flight.patch 
@@ -0,0 +1,125 @@ +From foo@baz Wed 29 Jul 2020 12:20:23 PM CEST +From: Yuchung Cheng +Date: Thu, 23 Jul 2020 12:00:06 -0700 +Subject: tcp: allow at most one TLP probe per flight + +From: Yuchung Cheng + +[ Upstream commit 76be93fc0702322179bb0ea87295d820ee46ad14 ] + +Previously TLP may send multiple probes of new data in one +flight. This happens when the sender is cwnd limited. After the +initial TLP containing new data is sent, the sender receives another +ACK that acks partial inflight. It may re-arm another TLP timer +to send more, if no further ACK returns before the next TLP timeout +(PTO) expires. The sender may send in theory a large amount of TLP +until send queue is depleted. This only happens if the sender sees +such irregular uncommon ACK pattern. But it is generally undesirable +behavior during congestion especially. + +The original TLP design restrict only one TLP probe per inflight as +published in "Reducing Web Latency: the Virtue of Gentle Aggression", +SIGCOMM 2013. This patch changes TLP to send at most one probe +per inflight. + +Note that if the sender is app-limited, TLP retransmits old data +and did not have this issue. + +Signed-off-by: Yuchung Cheng +Signed-off-by: Neal Cardwell +Signed-off-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/tcp.h | 5 +++-- + net/ipv4/tcp_input.c | 11 ++++++----- + net/ipv4/tcp_output.c | 13 ++++++++----- + 3 files changed, 17 insertions(+), 12 deletions(-) + +--- a/include/linux/tcp.h ++++ b/include/linux/tcp.h +@@ -211,7 +211,8 @@ struct tcp_sock { + u8 reord; /* reordering detected */ + } rack; + u16 advmss; /* Advertised MSS */ +- u8 unused; ++ u8 tlp_retrans:1, /* TLP is a retransmission */ ++ unused_1:7; + u8 nonagle : 4,/* Disable Nagle algorithm? 
*/ + thin_lto : 1,/* Use linear timeouts for thin streams */ + thin_dupack : 1,/* Fast retransmit on first dupack */ +@@ -225,7 +226,7 @@ struct tcp_sock { + syn_data_acked:1,/* data in SYN is acked by SYN-ACK */ + save_syn:1, /* Save headers of SYN packet */ + is_cwnd_limited:1;/* forward progress limited by snd_cwnd? */ +- u32 tlp_high_seq; /* snd_nxt at the time of TLP retransmit. */ ++ u32 tlp_high_seq; /* snd_nxt at the time of TLP */ + + /* RTT measurement */ + u32 srtt_us; /* smoothed round trip time << 3 in usecs */ +--- a/net/ipv4/tcp_input.c ++++ b/net/ipv4/tcp_input.c +@@ -3517,10 +3517,8 @@ static void tcp_replace_ts_recent(struct + } + } + +-/* This routine deals with acks during a TLP episode. +- * We mark the end of a TLP episode on receiving TLP dupack or when +- * ack is after tlp_high_seq. +- * Ref: loss detection algorithm in draft-dukkipati-tcpm-tcp-loss-probe. ++/* This routine deals with acks during a TLP episode and ends an episode by ++ * resetting tlp_high_seq. Ref: TLP algorithm in draft-ietf-tcpm-rack + */ + static void tcp_process_tlp_ack(struct sock *sk, u32 ack, int flag) + { +@@ -3529,7 +3527,10 @@ static void tcp_process_tlp_ack(struct s + if (before(ack, tp->tlp_high_seq)) + return; + +- if (flag & FLAG_DSACKING_ACK) { ++ if (!tp->tlp_retrans) { ++ /* TLP of new data has been acknowledged */ ++ tp->tlp_high_seq = 0; ++ } else if (flag & FLAG_DSACKING_ACK) { + /* This DSACK means original and TLP probe arrived; no loss */ + tp->tlp_high_seq = 0; + } else if (after(ack, tp->tlp_high_seq)) { +--- a/net/ipv4/tcp_output.c ++++ b/net/ipv4/tcp_output.c +@@ -2271,6 +2271,11 @@ void tcp_send_loss_probe(struct sock *sk + int pcount; + int mss = tcp_current_mss(sk); + ++ /* At most one outstanding TLP */ ++ if (tp->tlp_high_seq) ++ goto rearm_timer; ++ ++ tp->tlp_retrans = 0; + skb = tcp_send_head(sk); + if (skb) { + if (tcp_snd_wnd_test(tp, skb, mss)) { +@@ -2293,10 +2298,6 @@ void tcp_send_loss_probe(struct sock *sk + return; + } + +- /* At 
most one outstanding TLP retransmission. */ +- if (tp->tlp_high_seq) +- goto rearm_timer; +- + if (skb_still_in_host_queue(sk, skb)) + goto rearm_timer; + +@@ -2317,10 +2318,12 @@ void tcp_send_loss_probe(struct sock *sk + if (__tcp_retransmit_skb(sk, skb)) + goto rearm_timer; + ++ tp->tlp_retrans = 1; ++ ++probe_sent: + /* Record snd_nxt for loss detection. */ + tp->tlp_high_seq = tp->snd_nxt; + +-probe_sent: + NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_TCPLOSSPROBES); + /* Reset s.t. tcp_rearm_rto will restart timer from now */ + inet_csk(sk)->icsk_pending = 0; -- 2.47.3
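Review bot: The new `tlp_retrans` bit in struct tcp_sock is documented only as `/* TLP is a retransmission */`, yet the code gives it meaning only while `tlp_high_seq` is non-zero. tcp_send_loss_probe() clears it after the `tlp_high_seq` test and sets it just before `probe_sent`, and tcp_process_tlp_ack() reads it only after comparing `ack` with `tlp_high_seq`. I would extend the field comment to `/* TLP is a retransmission; meaningful only while tlp_high_seq != 0 */` so a later reader does not treat a stale bit as state. tcp_send_loss_probe() and tcp_process_tlp_ack() both run beyond the hunks, so how their callers guard on `tlp_high_seq` is not visible here.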