From 1448afe125f329450dff33cf7611763881987142 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Tue, 21 Aug 2018 07:27:46 +0200 Subject: [PATCH] 4.17-stable patches added patches: bluetooth-avoid-killing-an-already-killed-socket.patch cls_matchall-fix-tcf_unbind_filter-missing.patch ip_vti-fix-a-null-pointer-deferrence-when-create-vti-fallback-tunnel.patch isdn-disable-iiocdbgvar.patch net-ethernet-mvneta-fix-napi-structure-mixup-on-armada-3700.patch net-mvneta-fix-mvneta_config_rss-on-armada-3700.patch net-sock_diag-fix-spectre-v1-gadget-in-__sock_diag_cmd.patch r8169-don-t-use-msi-x-on-rtl8106e.patch --- ...oid-killing-an-already-killed-socket.patch | 195 ++++++++++++++++++ ...tchall-fix-tcf_unbind_filter-missing.patch | 33 +++ ...ence-when-create-vti-fallback-tunnel.patch | 65 ++++++ queue-4.17/isdn-disable-iiocdbgvar.patch | 41 ++++ ...-napi-structure-mixup-on-armada-3700.patch | 107 ++++++++++ ...fix-mvneta_config_rss-on-armada-3700.patch | 79 +++++++ ...spectre-v1-gadget-in-__sock_diag_cmd.patch | 60 ++++++ .../r8169-don-t-use-msi-x-on-rtl8106e.patch | 74 +++++++ queue-4.17/series | 8 + 9 files changed, 662 insertions(+) create mode 100644 queue-4.17/bluetooth-avoid-killing-an-already-killed-socket.patch create mode 100644 queue-4.17/cls_matchall-fix-tcf_unbind_filter-missing.patch create mode 100644 queue-4.17/ip_vti-fix-a-null-pointer-deferrence-when-create-vti-fallback-tunnel.patch create mode 100644 queue-4.17/isdn-disable-iiocdbgvar.patch create mode 100644 queue-4.17/net-ethernet-mvneta-fix-napi-structure-mixup-on-armada-3700.patch create mode 100644 queue-4.17/net-mvneta-fix-mvneta_config_rss-on-armada-3700.patch create mode 100644 queue-4.17/net-sock_diag-fix-spectre-v1-gadget-in-__sock_diag_cmd.patch create mode 100644 queue-4.17/r8169-don-t-use-msi-x-on-rtl8106e.patch 
diff --git a/queue-4.17/bluetooth-avoid-killing-an-already-killed-socket.patch b/queue-4.17/bluetooth-avoid-killing-an-already-killed-socket.patch
new file mode 100644
index 00000000000..b8c5afaca90
--- /dev/null
+++ b/queue-4.17/bluetooth-avoid-killing-an-already-killed-socket.patch
@@ -0,0 +1,195 @@
+From 4e1a720d0312fd510699032c7694a362a010170f Mon Sep 17 00:00:00 2001
+From: Sudip Mukherjee
+Date: Sun, 15 Jul 2018 20:36:50 +0100
+Subject: Bluetooth: avoid killing an already killed socket
+
+From: Sudip Mukherjee
+
+commit 4e1a720d0312fd510699032c7694a362a010170f upstream.
+
+slub debug reported:
+
+[ 440.648642] =============================================================================
+[ 440.648649] BUG kmalloc-1024 (Tainted: G BU O ): Poison overwritten
+[ 440.648651] -----------------------------------------------------------------------------
+
+[ 440.648655] INFO: 0xe70f4bec-0xe70f4bec. First byte 0x6a instead of 0x6b
+[ 440.648665] INFO: Allocated in sk_prot_alloc+0x6b/0xc6 age=33155 cpu=1 pid=1047
+[ 440.648671] ___slab_alloc.constprop.24+0x1fc/0x292
+[ 440.648675] __slab_alloc.isra.18.constprop.23+0x1c/0x25
+[ 440.648677] __kmalloc+0xb6/0x17f
+[ 440.648680] sk_prot_alloc+0x6b/0xc6
+[ 440.648683] sk_alloc+0x1e/0xa1
+[ 440.648700] sco_sock_alloc.constprop.6+0x26/0xaf [bluetooth]
+[ 440.648716] sco_connect_cfm+0x166/0x281 [bluetooth]
+[ 440.648731] hci_conn_request_evt.isra.53+0x258/0x281 [bluetooth]
+[ 440.648746] hci_event_packet+0x28b/0x2326 [bluetooth]
+[ 440.648759] hci_rx_work+0x161/0x291 [bluetooth]
+[ 440.648764] process_one_work+0x163/0x2b2
+[ 440.648767] worker_thread+0x1a9/0x25c
+[ 440.648770] kthread+0xf8/0xfd
+[ 440.648774] ret_from_fork+0x2e/0x38
+[ 440.648779] INFO: Freed in __sk_destruct+0xd3/0xdf age=3815 cpu=1 pid=1047
+[ 440.648782] __slab_free+0x4b/0x27a
+[ 440.648784] kfree+0x12e/0x155
+[ 440.648787] __sk_destruct+0xd3/0xdf
+[ 440.648790] sk_destruct+0x27/0x29
+[ 440.648793] __sk_free+0x75/0x91
+[ 440.648795] sk_free+0x1c/0x1e
+[ 440.648810] sco_sock_kill+0x5a/0x5f [bluetooth]
+[ 440.648825] sco_conn_del+0x8e/0xba [bluetooth]
+[ 440.648840] sco_disconn_cfm+0x3a/0x41 [bluetooth]
+[ 440.648855] hci_event_packet+0x45e/0x2326 [bluetooth]
+[ 440.648868] hci_rx_work+0x161/0x291 [bluetooth]
+[ 440.648872] process_one_work+0x163/0x2b2
+[ 440.648875] worker_thread+0x1a9/0x25c
+[ 440.648877] kthread+0xf8/0xfd
+[ 440.648880] ret_from_fork+0x2e/0x38
+[ 440.648884] INFO: Slab 0xf4718580 objects=27 used=27 fp=0x (null) flags=0x40008100
+[ 440.648886] INFO: Object 0xe70f4b88 @offset=19336 fp=0xe70f54f8
+
+When KASAN was enabled, it reported:
+
+[ 210.096613] ==================================================================
+[ 210.096634] BUG: KASAN: use-after-free in ex_handler_refcount+0x5b/0x127
+[ 210.096641] Write of size 4 at addr ffff880107e17160 by task kworker/u9:1/2040
+
+[ 210.096651] CPU: 1 PID: 2040 Comm: kworker/u9:1 Tainted: G U O 4.14.47-20180606+ #2
+[ 210.096654] Hardware name: , BIOS 2017.01-00087-g43e04de 08/30/2017
+[ 210.096693] Workqueue: hci0 hci_rx_work [bluetooth]
+[ 210.096698] Call Trace:
+[ 210.096711] dump_stack+0x46/0x59
+[ 210.096722] print_address_description+0x6b/0x23b
+[ 210.096729] ? ex_handler_refcount+0x5b/0x127
+[ 210.096736] kasan_report+0x220/0x246
+[ 210.096744] ex_handler_refcount+0x5b/0x127
+[ 210.096751] ? ex_handler_clear_fs+0x85/0x85
+[ 210.096757] fixup_exception+0x8c/0x96
+[ 210.096766] do_trap+0x66/0x2c1
+[ 210.096773] do_error_trap+0x152/0x180
+[ 210.096781] ? fixup_bug+0x78/0x78
+[ 210.096817] ? hci_debugfs_create_conn+0x244/0x26a [bluetooth]
+[ 210.096824] ? __schedule+0x113b/0x1453
+[ 210.096830] ? sysctl_net_exit+0xe/0xe
+[ 210.096837] ? __wake_up_common+0x343/0x343
+[ 210.096843] ? insert_work+0x107/0x163
+[ 210.096850] invalid_op+0x1b/0x40
+[ 210.096888] RIP: 0010:hci_debugfs_create_conn+0x244/0x26a [bluetooth]
+[ 210.096892] RSP: 0018:ffff880094a0f970 EFLAGS: 00010296
+[ 210.096898] RAX: 0000000000000000 RBX: ffff880107e170e8 RCX: ffff880107e17160
+[ 210.096902] RDX: 000000000000002f RSI: ffff88013b80ed40 RDI: ffffffffa058b940
+[ 210.096906] RBP: ffff88011b2b0578 R08: 00000000852f0ec9 R09: ffffffff81cfcf9b
+[ 210.096909] R10: 00000000d21bdad7 R11: 0000000000000001 R12: ffff8800967b0488
+[ 210.096913] R13: ffff880107e17168 R14: 0000000000000068 R15: ffff8800949c0008
+[ 210.096920] ? __sk_destruct+0x2c6/0x2d4
+[ 210.096959] hci_event_packet+0xff5/0x7de2 [bluetooth]
+[ 210.096969] ? __local_bh_enable_ip+0x43/0x5b
+[ 210.097004] ? l2cap_sock_recv_cb+0x158/0x166 [bluetooth]
+[ 210.097039] ? hci_le_meta_evt+0x2bb3/0x2bb3 [bluetooth]
+[ 210.097075] ? l2cap_ertm_init+0x94e/0x94e [bluetooth]
+[ 210.097093] ? xhci_urb_enqueue+0xbd8/0xcf5 [xhci_hcd]
+[ 210.097102] ? __accumulate_pelt_segments+0x24/0x33
+[ 210.097109] ? __accumulate_pelt_segments+0x24/0x33
+[ 210.097115] ? __update_load_avg_se.isra.2+0x217/0x3a4
+[ 210.097122] ? set_next_entity+0x7c3/0x12cd
+[ 210.097128] ? pick_next_entity+0x25e/0x26c
+[ 210.097135] ? pick_next_task_fair+0x2ca/0xc1a
+[ 210.097141] ? switch_mm_irqs_off+0x346/0xb4f
+[ 210.097147] ? __switch_to+0x769/0xbc4
+[ 210.097153] ? compat_start_thread+0x66/0x66
+[ 210.097188] ? hci_conn_check_link_mode+0x1cd/0x1cd [bluetooth]
+[ 210.097195] ? finish_task_switch+0x392/0x431
+[ 210.097228] ? hci_rx_work+0x154/0x487 [bluetooth]
+[ 210.097260] hci_rx_work+0x154/0x487 [bluetooth]
+[ 210.097269] process_one_work+0x579/0x9e9
+[ 210.097277] worker_thread+0x68f/0x804
+[ 210.097285] kthread+0x31c/0x32b
+[ 210.097292] ? rescuer_thread+0x70c/0x70c
+[ 210.097299] ? kthread_create_on_node+0xa3/0xa3
+[ 210.097306] ret_from_fork+0x35/0x40
+
+[ 210.097314] Allocated by task 2040:
+[ 210.097323] kasan_kmalloc.part.1+0x51/0xc7
+[ 210.097328] __kmalloc+0x17f/0x1b6
+[ 210.097335] sk_prot_alloc+0xf2/0x1a3
+[ 210.097340] sk_alloc+0x22/0x297
+[ 210.097375] sco_sock_alloc.constprop.7+0x23/0x202 [bluetooth]
+[ 210.097410] sco_connect_cfm+0x2d0/0x566 [bluetooth]
+[ 210.097443] hci_conn_request_evt.isra.53+0x6d3/0x762 [bluetooth]
+[ 210.097476] hci_event_packet+0x85e/0x7de2 [bluetooth]
+[ 210.097507] hci_rx_work+0x154/0x487 [bluetooth]
+[ 210.097512] process_one_work+0x579/0x9e9
+[ 210.097517] worker_thread+0x68f/0x804
+[ 210.097523] kthread+0x31c/0x32b
+[ 210.097529] ret_from_fork+0x35/0x40
+
+[ 210.097533] Freed by task 2040:
+[ 210.097539] kasan_slab_free+0xb3/0x15e
+[ 210.097544] kfree+0x103/0x1a9
+[ 210.097549] __sk_destruct+0x2c6/0x2d4
+[ 210.097584] sco_conn_del.isra.1+0xba/0x10e [bluetooth]
+[ 210.097617] hci_event_packet+0xff5/0x7de2 [bluetooth]
+[ 210.097648] hci_rx_work+0x154/0x487 [bluetooth]
+[ 210.097653] process_one_work+0x579/0x9e9
+[ 210.097658] worker_thread+0x68f/0x804
+[ 210.097663] kthread+0x31c/0x32b
+[ 210.097670] ret_from_fork+0x35/0x40
+
+[ 210.097676] The buggy address belongs to the object at ffff880107e170e8
+ which belongs to the cache kmalloc-1024 of size 1024
+[ 210.097681] The buggy address is located 120 bytes inside of
+ 1024-byte region [ffff880107e170e8, ffff880107e174e8)
+[ 210.097683] The buggy address belongs to the page:
+[ 210.097689] page:ffffea00041f8400 count:1 mapcount:0 mapping: (null) index:0xffff880107e15b68 compound_mapcount: 0
+[ 210.110194] flags: 0x8000000000008100(slab|head)
+[ 210.115441] raw: 8000000000008100 0000000000000000 ffff880107e15b68 0000000100170016
+[ 210.115448] raw: ffffea0004a47620 ffffea0004b48e20 ffff88013b80ed40 0000000000000000
+[ 210.115451] page dumped because: kasan: bad access detected
+
+[ 210.115454] Memory state around the buggy address:
+[ 210.115460] ffff880107e17000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[ 210.115465] ffff880107e17080: fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb fb
+[ 210.115469] >ffff880107e17100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+[ 210.115472] ^
+[ 210.115477] ffff880107e17180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+[ 210.115481] ffff880107e17200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+[ 210.115483] ==================================================================
+
+And finally when BT_DBG() and ftrace was enabled it showed:
+
+ <...>-14979 [001] .... 186.104191: sco_sock_kill <-sco_sock_close
+ <...>-14979 [001] .... 186.104191: sco_sock_kill <-sco_sock_release
+ <...>-14979 [001] .... 186.104192: sco_sock_kill: sk ef0497a0 state 9
+ <...>-14979 [001] .... 186.104193: bt_sock_unlink <-sco_sock_kill
+kworker/u9:2-792 [001] .... 186.104246: sco_sock_kill <-sco_conn_del
+kworker/u9:2-792 [001] .... 186.104248: sco_sock_kill: sk ef0497a0 state 9
+kworker/u9:2-792 [001] .... 186.104249: bt_sock_unlink <-sco_sock_kill
+kworker/u9:2-792 [001] .... 186.104250: sco_sock_destruct <-__sk_destruct
+kworker/u9:2-792 [001] .... 186.104250: sco_sock_destruct: sk ef0497a0
+kworker/u9:2-792 [001] .... 186.104860: hci_conn_del <-hci_event_packet
+kworker/u9:2-792 [001] .... 186.104864: hci_conn_del: hci0 hcon ef0484c0 handle 266
+
+Only in the failed case, sco_sock_kill() gets called with the same sock
+pointer two times. Add a check for SOCK_DEAD to avoid continue killing
+a socket which has already been killed.
+
+Signed-off-by: Sudip Mukherjee
+Signed-off-by: Marcel Holtmann
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/bluetooth/sco.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/bluetooth/sco.c
++++ b/net/bluetooth/sco.c
+@@ -393,7 +393,8 @@ static void sco_sock_cleanup_listen(stru
+ */
+ static void sco_sock_kill(struct sock *sk)
+ {
+- if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket)
++ if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket ||
++ sock_flag(sk, SOCK_DEAD))
+ return;
+
+ BT_DBG("sk %p state %d", sk, sk->sk_state);
diff --git a/queue-4.17/cls_matchall-fix-tcf_unbind_filter-missing.patch b/queue-4.17/cls_matchall-fix-tcf_unbind_filter-missing.patch
new file mode 100644
index 00000000000..f73667156b4
--- /dev/null
+++ b/queue-4.17/cls_matchall-fix-tcf_unbind_filter-missing.patch
@@ -0,0 +1,33 @@
+From foo@baz Tue Aug 21 07:23:34 CEST 2018
+From: Hangbin Liu
+Date: Tue, 14 Aug 2018 17:28:26 +0800
+Subject: cls_matchall: fix tcf_unbind_filter missing
+
+From: Hangbin Liu
+
+[ Upstream commit a51c76b4dfb30496dc65396a957ef0f06af7fb22 ]
+
+Fix tcf_unbind_filter missing in cls_matchall as this will trigger
+WARN_ON() in cbq_destroy_class().
+
+Fixes: fd62d9f5c575f ("net/sched: matchall: Fix configuration race")
+Reported-by: Li Shuang
+Signed-off-by: Hangbin Liu
+Acked-by: Cong Wang
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/sched/cls_matchall.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/sched/cls_matchall.c
++++ b/net/sched/cls_matchall.c
+@@ -122,6 +122,8 @@ static void mall_destroy(struct tcf_prot
+ if (!head)
+ return;
+
++ tcf_unbind_filter(tp, &head->res);
++
+ if (!tc_skip_hw(head->flags))
+ mall_destroy_hw_filter(tp, head, (unsigned long) head, extack);
+
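Review bot: In the sco_sock_kill() hunk of bluetooth-avoid-killing-an-already-killed-socket.patch, the new `sock_flag(sk, SOCK_DEAD)` test is a plain check-then-act: nothing visible in the hunk serialises it against the point where the flag is set, which lies further down the function and outside the hunk. The ftrace excerpt in the description shows the two calls coming from different tasks (the sco_sock_close/sco_sock_release path and the hci_rx_work kworker), so if those paths can overlap, both could still pass the guard before either marks the socket dead; it is worth confirming that every caller holds the socket lock or an equivalent reference at this point. I would also add a comment above the condition, e.g. `/* Already killed by another path (close vs. sco_conn_del); killing it again is a use-after-free */`, so the guard is not later removed as redundant.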
diff --git a/queue-4.17/ip_vti-fix-a-null-pointer-deferrence-when-create-vti-fallback-tunnel.patch b/queue-4.17/ip_vti-fix-a-null-pointer-deferrence-when-create-vti-fallback-tunnel.patch
new file mode 100644
index 00000000000..233b1276fab
--- /dev/null
+++ b/queue-4.17/ip_vti-fix-a-null-pointer-deferrence-when-create-vti-fallback-tunnel.patch
@@ -0,0 +1,65 @@
+From foo@baz Tue Aug 21 07:23:34 CEST 2018
+From: Haishuang Yan
+Date: Sun, 19 Aug 2018 15:05:04 +0800
+Subject: ip_vti: fix a null pointer deferrence when create vti fallback tunnel
+
+From: Haishuang Yan
+
+[ Upstream commit cd1aa9c2c665cafbd05b83507d3f1096f3912aa4 ]
+
+After set fb_tunnels_only_for_init_net to 1, the itn->fb_tunnel_dev will
+be NULL and will cause following crash:
+
+[ 2742.849298] BUG: unable to handle kernel NULL pointer dereference at 0000000000000941
+[ 2742.851380] PGD 800000042c21a067 P4D 800000042c21a067 PUD 42aaed067 PMD 0
+[ 2742.852818] Oops: 0002 [#1] SMP PTI
+[ 2742.853570] CPU: 7 PID: 2484 Comm: unshare Kdump: loaded Not tainted 4.18.0-rc8+ #2
+[ 2742.855163] Hardware name: Fedora Project OpenStack Nova, BIOS seabios-1.7.5-11.el7 04/01/2014
+[ 2742.856970] RIP: 0010:vti_init_net+0x3a/0x50 [ip_vti]
+[ 2742.858034] Code: 90 83 c0 48 c7 c2 20 a1 83 c0 48 89 fb e8 6e 3b f6 ff 85 c0 75 22 8b 0d f4 19 00 00 48 8b 93 00 14 00 00 48 8b 14 ca 48 8b 12 82 41 09 00 00 04 c6 82 38 09 00 00 45 5b c3 66 0f 1f 44 00 00
+[ 2742.861940] RSP: 0018:ffff9be28207fde0 EFLAGS: 00010246
+[ 2742.863044] RAX: 0000000000000000 RBX: ffff8a71ebed4980 RCX: 0000000000000013
+[ 2742.864540] RDX: 0000000000000000 RSI: 0000000000000013 RDI: ffff8a71ebed4980
+[ 2742.866020] RBP: ffff8a71ea717000 R08: ffffffffc083903c R09: ffff8a71ea717000
+[ 2742.867505] R10: 0000000000000000 R11: 0000000000000000 R12: ffff8a71ebed4980
+[ 2742.868987] R13: 0000000000000013 R14: ffff8a71ea5b49c0 R15: 0000000000000000
+[ 2742.870473] FS: 00007f02266c9740(0000) GS:ffff8a71ffdc0000(0000) knlGS:0000000000000000
+[ 2742.872143] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 2742.873340] CR2: 0000000000000941 CR3: 000000042bc20006 CR4: 00000000001606e0
+[ 2742.874821] Call Trace:
+[ 2742.875358] ops_init+0x38/0xf0
+[ 2742.876078] setup_net+0xd9/0x1f0
+[ 2742.876789] copy_net_ns+0xb7/0x130
+[ 2742.877538] create_new_namespaces+0x11a/0x1d0
+[ 2742.878525] unshare_nsproxy_namespaces+0x55/0xa0
+[ 2742.879526] ksys_unshare+0x1a7/0x330
+[ 2742.880313] __x64_sys_unshare+0xe/0x20
+[ 2742.881131] do_syscall_64+0x5b/0x180
+[ 2742.881933] entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+Reproduce:
+echo 1 > /proc/sys/net/core/fb_tunnels_only_for_init_net
+modprobe ip_vti
+unshare -n
+
+Fixes: 79134e6ce2c9 ("net: do not create fallback tunnels for non-default namespaces")
+Cc: Eric Dumazet
+Signed-off-by: Haishuang Yan
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv4/ip_vti.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/ipv4/ip_vti.c
++++ b/net/ipv4/ip_vti.c
+@@ -438,7 +438,8 @@ static int __net_init vti_init_net(struc
+ if (err)
+ return err;
+ itn = net_generic(net, vti_net_id);
+- vti_fb_tunnel_init(itn->fb_tunnel_dev);
++ if (itn->fb_tunnel_dev)
++ vti_fb_tunnel_init(itn->fb_tunnel_dev);
+ return 0;
+ }
+
diff --git a/queue-4.17/isdn-disable-iiocdbgvar.patch b/queue-4.17/isdn-disable-iiocdbgvar.patch
new file mode 100644
index 00000000000..3104a20ccee
--- /dev/null
+++ b/queue-4.17/isdn-disable-iiocdbgvar.patch
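Review bot: The NULL guard added in vti_init_net() (net/ipv4/ip_vti.c) protects only this one dereference of `itn->fb_tunnel_dev`. The description says the pointer is NULL in a new namespace once fb_tunnels_only_for_init_net is set, and the crash was reproduced with a plain `unshare -n`, so any other use of `itn->fb_tunnel_dev` in this file (none is visible in the hunk) deserves the same audit. A short comment on the new branch would record why the pointer may legitimately be NULL, e.g. `/* no fallback device when fb_tunnels_only_for_init_net is set and this is not init_net */`.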
@@ -0,0 +1,41 @@
+From foo@baz Tue Aug 21 07:23:34 CEST 2018
+From: Kees Cook
+Date: Wed, 15 Aug 2018 12:14:05 -0700
+Subject: isdn: Disable IIOCDBGVAR
+
+From: Kees Cook
+
+[ Upstream commit 5e22002aa8809e2efab2da95855f73f63e14a36c ]
+
+It was possible to directly leak the kernel address where the isdn_dev
+structure pointer was stored. This is a kernel ASLR bypass for anyone
+with access to the ioctl. The code had been present since the beginning
+of git history, though this shouldn't ever be needed for normal operation,
+therefore remove it.
+
+Reported-by: Al Viro
+Cc: Karsten Keil
+Signed-off-by: Kees Cook
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/isdn/i4l/isdn_common.c | 8 +-------
+ 1 file changed, 1 insertion(+), 7 deletions(-)
+
+--- a/drivers/isdn/i4l/isdn_common.c
++++ b/drivers/isdn/i4l/isdn_common.c
+@@ -1640,13 +1640,7 @@ isdn_ioctl(struct file *file, uint cmd,
+ } else
+ return -EINVAL;
+ case IIOCDBGVAR:
+- if (arg) {
+- if (copy_to_user(argp, &dev, sizeof(ulong)))
+- return -EFAULT;
+- return 0;
+- } else
+- return -EINVAL;
+- break;
++ return -EINVAL;
+ default:
+ if ((cmd & IIOCDRVCTL) == IIOCDRVCTL)
+ cmd = ((cmd >> _IOC_NRSHIFT) & _IOC_NRMASK) & ISDN_DRVIOCTL_MASK;
diff --git a/queue-4.17/net-ethernet-mvneta-fix-napi-structure-mixup-on-armada-3700.patch b/queue-4.17/net-ethernet-mvneta-fix-napi-structure-mixup-on-armada-3700.patch
new file mode 100644
index 00000000000..c7d6258b72f
--- /dev/null
+++ b/queue-4.17/net-ethernet-mvneta-fix-napi-structure-mixup-on-armada-3700.patch
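Review bot: The `case IIOCDBGVAR:` label in isdn_ioctl() is kept but now only returns -EINVAL, and nothing in the code says why; without a comment the stub reads like dead code and invites either dropping the label or restoring the old body. I would add `/* Disabled: used to copy the kernel address of dev to user space (KASLR bypass) */` above the `return -EINVAL;`. If the IIOCDBGVAR definition stays in its header, a matching note there would help too; that header is not part of this patch. isdn_ioctl() starts and ends outside the hunk.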
@@ -0,0 +1,107 @@
+From foo@baz Tue Aug 21 07:23:34 CEST 2018
+From: Andrew Lunn
+Date: Wed, 18 Jul 2018 18:10:50 +0200
+Subject: net: ethernet: mvneta: Fix napi structure mixup on armada 3700
+
+From: Andrew Lunn
+
+[ Upstream commit 7a86f05faf112463cfbbdfd222012e247de461a1 ]
+
+The mvneta Ethernet driver is used on a few different Marvell SoCs.
+Some SoCs have per cpu interrupts for Ethernet events. Some SoCs have
+a single interrupt, independent of the CPU. The driver handles this by
+having a per CPU napi structure when there are per CPU interrupts, and
+a global napi structure when there is a single interrupt.
+
+When the napi core calls mvneta_poll(), it passes the napi
+instance. This was not being propagated through the call chain, and
+instead the per-cpu napi instance was passed to napi_gro_receive()
+call. This breaks when there is a single global napi instance.
+
+Signed-off-by: Andrew Lunn
+Fixes: 2636ac3cc2b4 ("net: mvneta: Add network support for Armada 3700 SoC")
+Signed-off-by: Gregory CLEMENT
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/marvell/mvneta.c | 22 ++++++++++++----------
+ 1 file changed, 12 insertions(+), 10 deletions(-)
+
+--- a/drivers/net/ethernet/marvell/mvneta.c
++++ b/drivers/net/ethernet/marvell/mvneta.c
+@@ -1901,10 +1901,10 @@ static void mvneta_rxq_drop_pkts(struct
+ }
+
+ /* Main rx processing when using software buffer management */
+-static int mvneta_rx_swbm(struct mvneta_port *pp, int rx_todo,
++static int mvneta_rx_swbm(struct napi_struct *napi,
++ struct mvneta_port *pp, int rx_todo,
+ struct mvneta_rx_queue *rxq)
+ {
+- struct mvneta_pcpu_port *port = this_cpu_ptr(pp->ports);
+ struct net_device *dev = pp->dev;
+ int rx_done;
+ u32 rcvd_pkts = 0;
+@@ -1959,7 +1959,7 @@ err_drop_frame:
+
+ skb->protocol = eth_type_trans(skb, dev);
+ mvneta_rx_csum(pp, rx_status, skb);
+- napi_gro_receive(&port->napi, skb);
++ napi_gro_receive(napi, skb);
+
+ rcvd_pkts++;
+ rcvd_bytes += rx_bytes;
+@@ -2001,7 +2001,7 @@ err_drop_frame:
+
+ mvneta_rx_csum(pp, rx_status, skb);
+
+- napi_gro_receive(&port->napi, skb);
++ napi_gro_receive(napi, skb);
+ }
+
+ if (rcvd_pkts) {
+@@ -2020,10 +2020,10 @@ err_drop_frame:
+ }
+
+ /* Main rx processing when using hardware buffer management */
+-static int mvneta_rx_hwbm(struct mvneta_port *pp, int rx_todo,
++static int mvneta_rx_hwbm(struct napi_struct *napi,
++ struct mvneta_port *pp, int rx_todo,
+ struct mvneta_rx_queue *rxq)
+ {
+- struct mvneta_pcpu_port *port = this_cpu_ptr(pp->ports);
+ struct net_device *dev = pp->dev;
+ int rx_done;
+ u32 rcvd_pkts = 0;
+@@ -2085,7 +2085,7 @@ err_drop_frame:
+
+ skb->protocol = eth_type_trans(skb, dev);
+ mvneta_rx_csum(pp, rx_status, skb);
+- napi_gro_receive(&port->napi, skb);
++ napi_gro_receive(napi, skb);
+
+ rcvd_pkts++;
+ rcvd_bytes += rx_bytes;
+@@ -2129,7 +2129,7 @@ err_drop_frame:
+
+ mvneta_rx_csum(pp, rx_status, skb);
+
+- napi_gro_receive(&port->napi, skb);
++ napi_gro_receive(napi, skb);
+ }
+
+ if (rcvd_pkts) {
+@@ -2722,9 +2722,11 @@ static int mvneta_poll(struct napi_struc
+ if (rx_queue) {
+ rx_queue = rx_queue - 1;
+ if (pp->bm_priv)
+- rx_done = mvneta_rx_hwbm(pp, budget, &pp->rxqs[rx_queue]);
++ rx_done = mvneta_rx_hwbm(napi, pp, budget,
++ &pp->rxqs[rx_queue]);
+ else
+- rx_done = mvneta_rx_swbm(pp, budget, &pp->rxqs[rx_queue]);
++ rx_done = mvneta_rx_swbm(napi, pp, budget,
++ &pp->rxqs[rx_queue]);
+ }
+
+ if (rx_done < budget) {
diff --git a/queue-4.17/net-mvneta-fix-mvneta_config_rss-on-armada-3700.patch b/queue-4.17/net-mvneta-fix-mvneta_config_rss-on-armada-3700.patch
new file mode 100644
index 00000000000..7434d3be1c6
--- /dev/null
+++ b/queue-4.17/net-mvneta-fix-mvneta_config_rss-on-armada-3700.patch
@@ -0,0 +1,79 @@
+From foo@baz Tue Aug 21 07:23:34 CEST 2018
+From: Jisheng Zhang
+Date: Fri, 10 Aug 2018 11:36:27 +0800
+Subject: net: mvneta: fix mvneta_config_rss on armada 3700
+
+From: Jisheng Zhang
+
+[ Upstream commit 0f5c6c30a0f8c629b92ecdaef61b315c43fde10a ]
+
+The mvneta Ethernet driver is used on a few different Marvell SoCs.
+Some SoCs have per cpu interrupts for Ethernet events, the driver uses
+a per CPU napi structure for this case. Some SoCs such as armada 3700
+have a single interrupt for Ethernet events, the driver uses a global
+napi structure for this case.
+
+Current mvneta_config_rss() always operates the per cpu napi structure.
+Fix it by operating a global napi for "single interrupt" case, and per
+cpu napi structure for remaining cases.
+
+Signed-off-by: Jisheng Zhang
+Fixes: 2636ac3cc2b4 ("net: mvneta: Add network support for Armada 3700 SoC")
+Reviewed-by: Andrew Lunn
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/marvell/mvneta.c | 35 +++++++++++++++++++++-------------
+ 1 file changed, 22 insertions(+), 13 deletions(-)
+
+--- a/drivers/net/ethernet/marvell/mvneta.c
++++ b/drivers/net/ethernet/marvell/mvneta.c
+@@ -4020,13 +4020,18 @@ static int mvneta_config_rss(struct mvn
+
+ on_each_cpu(mvneta_percpu_mask_interrupt, pp, true);
+
+- /* We have to synchronise on the napi of each CPU */
+- for_each_online_cpu(cpu) {
+- struct mvneta_pcpu_port *pcpu_port =
+- per_cpu_ptr(pp->ports, cpu);
+-
+- napi_synchronize(&pcpu_port->napi);
+- napi_disable(&pcpu_port->napi);
++ if (!pp->neta_armada3700) {
++ /* We have to synchronise on the napi of each CPU */
++ for_each_online_cpu(cpu) {
++ struct mvneta_pcpu_port *pcpu_port =
++ per_cpu_ptr(pp->ports, cpu);
++
++ napi_synchronize(&pcpu_port->napi);
++ napi_disable(&pcpu_port->napi);
++ }
++ } else {
++ napi_synchronize(&pp->napi);
++ napi_disable(&pp->napi);
+ }
+
+ pp->rxq_def = pp->indir[0];
+@@ -4043,12 +4048,16 @@ static int mvneta_config_rss(struct mvn
+ mvneta_percpu_elect(pp);
+ spin_unlock(&pp->lock);
+
+- /* We have to synchronise on the napi of each CPU */
+- for_each_online_cpu(cpu) {
+- struct mvneta_pcpu_port *pcpu_port =
+- per_cpu_ptr(pp->ports, cpu);
+-
+- napi_enable(&pcpu_port->napi);
++ if (!pp->neta_armada3700) {
++ /* We have to synchronise on the napi of each CPU */
++ for_each_online_cpu(cpu) {
++ struct mvneta_pcpu_port *pcpu_port =
++ per_cpu_ptr(pp->ports, cpu);
++
++ napi_enable(&pcpu_port->napi);
++ }
++ } else {
++ napi_enable(&pp->napi);
+ }
+
+ netif_tx_start_all_queues(pp->dev);
diff --git a/queue-4.17/net-sock_diag-fix-spectre-v1-gadget-in-__sock_diag_cmd.patch b/queue-4.17/net-sock_diag-fix-spectre-v1-gadget-in-__sock_diag_cmd.patch
new file mode 100644
index 00000000000..ee8907a2d56
--- /dev/null
+++ b/queue-4.17/net-sock_diag-fix-spectre-v1-gadget-in-__sock_diag_cmd.patch
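Review bot: In the second hunk of mvneta_config_rss() the comment `/* We have to synchronise on the napi of each CPU */` is carried into the new `if (!pp->neta_armada3700)` branch above a loop that only calls napi_enable(), so it describes the disable path rather than this one; `/* Re-enable the napi of each CPU */` would match the code. The disable and enable sites now repeat the same per-CPU versus global-napi branching, and a pair of small static helpers would keep the two from drifting apart. Separately, `on_each_cpu(mvneta_percpu_mask_interrupt, pp, true)` and `mvneta_percpu_elect(pp)` still run unconditionally in the context lines; whether those per-CPU operations are appropriate on the single-interrupt SoC cannot be judged from the hunk and is worth confirming.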
@@ -0,0 +1,60 @@
+From foo@baz Tue Aug 21 07:23:34 CEST 2018
+From: Jeremy Cline
+Date: Mon, 13 Aug 2018 22:23:13 +0000
+Subject: net: sock_diag: Fix spectre v1 gadget in __sock_diag_cmd()
+
+From: Jeremy Cline
+
+[ Upstream commit 66b51b0a0341fd42ce657739bdae0561b0410a85 ]
+
+req->sdiag_family is a user-controlled value that's used as an array
+index. Sanitize it after the bounds check to avoid speculative
+out-of-bounds array access.
+
+This also protects the sock_is_registered() call, so this removes the
+sanitize call there.
+
+Fixes: e978de7a6d38 ("net: socket: Fix potential spectre v1 gadget in sock_is_registered")
+Cc: Josh Poimboeuf
+Cc: konrad.wilk@oracle.com
+Cc: jamie.iles@oracle.com
+Cc: liran.alon@oracle.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Jeremy Cline
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/core/sock_diag.c | 2 ++
+ net/socket.c | 3 +--
+ 2 files changed, 3 insertions(+), 2 deletions(-)
+
+--- a/net/core/sock_diag.c
++++ b/net/core/sock_diag.c
+@@ -10,6 +10,7 @@
+ #include
+ #include
+ #include
++#include
+
+ #include
+ #include
+@@ -218,6 +219,7 @@ static int __sock_diag_cmd(struct sk_buf
+
+ if (req->sdiag_family >= AF_MAX)
+ return -EINVAL;
++ req->sdiag_family = array_index_nospec(req->sdiag_family, AF_MAX);
+
+ if (sock_diag_handlers[req->sdiag_family] == NULL)
+ sock_load_diag_module(req->sdiag_family, 0);
+--- a/net/socket.c
++++ b/net/socket.c
+@@ -2694,8 +2694,7 @@ EXPORT_SYMBOL(sock_unregister);
+
+ bool sock_is_registered(int family)
+ {
+- return family < NPROTO &&
+- rcu_access_pointer(net_families[array_index_nospec(family, NPROTO)]);
++ return family < NPROTO && rcu_access_pointer(net_families[family]);
+ }
+
+ static int __init sock_init(void)
diff --git a/queue-4.17/r8169-don-t-use-msi-x-on-rtl8106e.patch b/queue-4.17/r8169-don-t-use-msi-x-on-rtl8106e.patch
new file mode 100644
index 00000000000..325cab757e2
--- /dev/null
+++ b/queue-4.17/r8169-don-t-use-msi-x-on-rtl8106e.patch
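Review bot: After the net/socket.c hunk, sock_is_registered() indexes `net_families[family]` with no clamp of its own, so its protection against speculative out-of-bounds reads now rests entirely on callers having sanitised `family`, as __sock_diag_cmd() does with `array_index_nospec(req->sdiag_family, AF_MAX)`. The function is not static and takes a signed `int`, and the only check left is `family < NPROTO`, so a later caller passing an unsanitised value would reintroduce the speculative read, and a negative value would pass the check outright. Either keep the clamp local to the function, or document the contract above it, e.g. `/* Caller must pass a family already bounded with array_index_nospec() */`. The sanitising bound in sock_diag.c is AF_MAX while the array bound here is NPROTO; these are presumably the same value, and a comment or build-time assertion tying them together would make that dependency explicit.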
@@ -0,0 +1,74 @@
+From foo@baz Tue Aug 21 07:23:34 CEST 2018
+From: Jian-Hong Pan
+Date: Fri, 17 Aug 2018 13:07:35 +0800
+Subject: r8169: don't use MSI-X on RTL8106e
+
+From: Jian-Hong Pan
+
+[ Upstream commit 7bb05b85bc2d1a1b647b91424b2ed4a18e6ecd81 ]
+
+Found the ethernet network on ASUS X441UAR doesn't come back on resume
+from suspend when using MSI-X. The chip is RTL8106e - version 39.
+
+[ 21.848357] libphy: r8169: probed
+[ 21.848473] r8169 0000:02:00.0 eth0: RTL8106e, 0c:9d:92:32:67:b4, XID
+44900000, IRQ 127
+[ 22.518860] r8169 0000:02:00.0 enp2s0: renamed from eth0
+[ 29.458041] Generic PHY r8169-200:00: attached PHY driver [Generic
+PHY] (mii_bus:phy_addr=r8169-200:00, irq=IGNORE)
+[ 63.227398] r8169 0000:02:00.0 enp2s0: Link is Up - 100Mbps/Full -
+flow control off
+[ 124.514648] Generic PHY r8169-200:00: attached PHY driver [Generic
+PHY] (mii_bus:phy_addr=r8169-200:00, irq=IGNORE)
+
+Here is the ethernet controller in detail:
+
+02:00.0 Ethernet controller [0200]: Realtek Semiconductor Co., Ltd.
+RTL8101/2/6E PCI Express Fast/Gigabit Ethernet controller [10ec:8136]
+(rev 07)
+ Subsystem: ASUSTeK Computer Inc. RTL810xE PCI Express Fast
+Ethernet controller [1043:200f]
+ Flags: bus master, fast devsel, latency 0, IRQ 16
+ I/O ports at e000 [size=256]
+ Memory at ef100000 (64-bit, non-prefetchable) [size=4K]
+ Memory at e0000000 (64-bit, prefetchable) [size=16K]
+ Capabilities:
+ Kernel driver in use: r8169
+ Kernel modules: r8169
+
+Falling back to MSI fixes the issue.
+
+Fixes: 6c6aa15fdea5 ("r8169: improve interrupt handling")
+Signed-off-by: Jian-Hong Pan
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/realtek/r8169.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/realtek/r8169.c
++++ b/drivers/net/ethernet/realtek/r8169.c
+@@ -8061,17 +8061,20 @@ static int rtl_alloc_irq(struct rtl8169_
+ {
+ unsigned int flags;
+
+- if (tp->mac_version <= RTL_GIGA_MAC_VER_06) {
++ switch (tp->mac_version) {
++ case RTL_GIGA_MAC_VER_01 ... RTL_GIGA_MAC_VER_06:
+ RTL_W8(tp, Cfg9346, Cfg9346_Unlock);
+ RTL_W8(tp, Config2, RTL_R8(tp, Config2) & ~MSIEnable);
+ RTL_W8(tp, Cfg9346, Cfg9346_Lock);
+ flags = PCI_IRQ_LEGACY;
+- } else if (tp->mac_version == RTL_GIGA_MAC_VER_40) {
++ break;
++ case RTL_GIGA_MAC_VER_39 ... RTL_GIGA_MAC_VER_40:
+ /* This version was reported to have issues with resume
+ * from suspend when using MSI-X
+ */
+ flags = PCI_IRQ_LEGACY | PCI_IRQ_MSI;
+- } else {
++ break;
++ default:
+ flags = PCI_IRQ_ALL_TYPES;
+ }
+
diff --git a/queue-4.17/series b/queue-4.17/series
index 42fb04ae361..f3605a05ffc 100644
--- a/queue-4.17/series
+++ b/queue-4.17/series
@@ -32,3 +32,11 @@ serial-8250_exar-read-int0-from-slave-device-too.patch
 serial-8250_dw-always-set-baud-rate-in-dw8250_set_termios.patch
 serial-8250_dw-add-acpi-support-for-uart-on-broadcom-soc.patch
 misc-sram-fix-resource-leaks-in-probe-error-path.patch
+bluetooth-avoid-killing-an-already-killed-socket.patch
+isdn-disable-iiocdbgvar.patch
+net-sock_diag-fix-spectre-v1-gadget-in-__sock_diag_cmd.patch
+r8169-don-t-use-msi-x-on-rtl8106e.patch
+ip_vti-fix-a-null-pointer-deferrence-when-create-vti-fallback-tunnel.patch
+cls_matchall-fix-tcf_unbind_filter-missing.patch
+net-ethernet-mvneta-fix-napi-structure-mixup-on-armada-3700.patch
+net-mvneta-fix-mvneta_config_rss-on-armada-3700.patch
-- 2.47.3
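Review bot: The comment under `case RTL_GIGA_MAC_VER_39 ... RTL_GIGA_MAC_VER_40:` in rtl_alloc_irq() still reads "This version was reported to have issues", but the branch now covers two chip versions, and the description identifies the newly added one as RTL8106e (version 39). I would reword it to begin `/* These versions were reported to have issues with resume` and name both chips, so the MSI-X quirk can be traced back to the reports that motivated it. The case ranges also rely on the RTL_GIGA_MAC_VER_* enumerators being contiguous and in order, which is defined outside this hunk.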