From 14f950d0f5ba97329cafd5ca4a68d7e7ea7e04ee Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman Date: Sun, 28 Jul 2019 11:16:31 +0200 Subject: [PATCH] 4.4-stable patches added patches: bnx2x-prevent-load-reordering-in-tx-completion-processing.patch bonding-validate-ip-header-before-check-ipproto_igmp.patch caif-hsi-fix-possible-deadlock-in-cfhsi_exit_module.patch ipv4-don-t-set-ipv6-only-flags-to-ipv4-addresses.patch net-bcmgenet-use-promisc-for-unsupported-filters.patch net-bridge-mcast-fix-stale-ipv6-hdr-pointer-when-handling-v6-query.patch net-bridge-mcast-fix-stale-nsrcs-pointer-in-igmp3-mld2-report-handling.patch net-bridge-stp-don-t-cache-eth-dest-pointer-before-skb-pull.patch net-make-skb_dst_force-return-true-when-dst-is-refcounted.patch net-neigh-fix-multiple-neigh-timer-scheduling.patch netrom-fix-a-memory-leak-in-nr_rx_frame.patch netrom-hold-sock-when-setting-skb-destructor.patch nfc-fix-potential-illegal-memory-access.patch sky2-disable-msi-on-asus-p6t.patch tcp-reset-bytes_acked-and-bytes_received-when-disconnecting.patch --- ...ordering-in-tx-completion-processing.patch | 33 ++++ ...-ip-header-before-check-ipproto_igmp.patch | 85 +++++++++ ...ssible-deadlock-in-cfhsi_exit_module.patch | 32 ++++ ...et-ipv6-only-flags-to-ipv4-addresses.patch | 56 ++++++ ...-use-promisc-for-unsupported-filters.patch | 126 +++++++++++++ ...6-hdr-pointer-when-handling-v6-query.patch | 41 +++++ ...ointer-in-igmp3-mld2-report-handling.patch | 173 ++++++++++++++++++ ...che-eth-dest-pointer-before-skb-pull.patch | 38 ++++ ...e-return-true-when-dst-is-refcounted.patch | 90 +++++++++ ...-fix-multiple-neigh-timer-scheduling.patch | 92 ++++++++++ ...rom-fix-a-memory-leak-in-nr_rx_frame.patch | 40 ++++ ...old-sock-when-setting-skb-destructor.patch | 39 ++++ ...-fix-potential-illegal-memory-access.patch | 31 ++++ queue-4.4/series | 15 ++ queue-4.4/sky2-disable-msi-on-asus-p6t.patch | 41 +++++ ...nd-bytes_received-when-disconnecting.patch | 35 ++++ 16 files changed, 967 insertions(+) create mode 100644 
queue-4.4/bnx2x-prevent-load-reordering-in-tx-completion-processing.patch create mode 100644 queue-4.4/bonding-validate-ip-header-before-check-ipproto_igmp.patch create mode 100644 queue-4.4/caif-hsi-fix-possible-deadlock-in-cfhsi_exit_module.patch create mode 100644 queue-4.4/ipv4-don-t-set-ipv6-only-flags-to-ipv4-addresses.patch create mode 100644 queue-4.4/net-bcmgenet-use-promisc-for-unsupported-filters.patch create mode 100644 queue-4.4/net-bridge-mcast-fix-stale-ipv6-hdr-pointer-when-handling-v6-query.patch create mode 100644 queue-4.4/net-bridge-mcast-fix-stale-nsrcs-pointer-in-igmp3-mld2-report-handling.patch create mode 100644 queue-4.4/net-bridge-stp-don-t-cache-eth-dest-pointer-before-skb-pull.patch create mode 100644 queue-4.4/net-make-skb_dst_force-return-true-when-dst-is-refcounted.patch create mode 100644 queue-4.4/net-neigh-fix-multiple-neigh-timer-scheduling.patch create mode 100644 queue-4.4/netrom-fix-a-memory-leak-in-nr_rx_frame.patch create mode 100644 queue-4.4/netrom-hold-sock-when-setting-skb-destructor.patch create mode 100644 queue-4.4/nfc-fix-potential-illegal-memory-access.patch create mode 100644 queue-4.4/sky2-disable-msi-on-asus-p6t.patch create mode 100644 queue-4.4/tcp-reset-bytes_acked-and-bytes_received-when-disconnecting.patch
diff --git a/queue-4.4/bnx2x-prevent-load-reordering-in-tx-completion-processing.patch b/queue-4.4/bnx2x-prevent-load-reordering-in-tx-completion-processing.patch
new file mode 100644
index 00000000000..2aa5d73546d
--- /dev/null
+++ b/queue-4.4/bnx2x-prevent-load-reordering-in-tx-completion-processing.patch
@@ -0,0 +1,33 @@
+From foo@baz Sun 28 Jul 2019 11:11:16 AM CEST
+From: Brian King
+Date: Mon, 15 Jul 2019 16:41:50 -0500
+Subject: bnx2x: Prevent load reordering in tx completion processing
+
+From: Brian King
+
+[ Upstream commit ea811b795df24644a8eb760b493c43fba4450677 ]
+
+This patch fixes an issue seen on Power systems with bnx2x which results
+in the skb is NULL WARN_ON in bnx2x_free_tx_pkt firing due to the skb
+pointer getting loaded in bnx2x_free_tx_pkt prior to the hw_cons
+load in bnx2x_tx_int. Adding a read memory barrier resolves the issue.
+
+Signed-off-by: Brian King
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
+@@ -288,6 +288,9 @@ int bnx2x_tx_int(struct bnx2x *bp, struc
+ hw_cons = le16_to_cpu(*txdata->tx_cons_sb);
+ sw_cons = txdata->tx_pkt_cons;
+
++ /* Ensure subsequent loads occur after hw_cons */
++ smp_rmb();
++
+ while (sw_cons != hw_cons) {
+ u16 pkt_cons;
+
diff --git a/queue-4.4/bonding-validate-ip-header-before-check-ipproto_igmp.patch b/queue-4.4/bonding-validate-ip-header-before-check-ipproto_igmp.patch
new file mode 100644
index 00000000000..e8c63bf2d17
--- /dev/null
+++ b/queue-4.4/bonding-validate-ip-header-before-check-ipproto_igmp.patch
@@ -0,0 +1,85 @@
+From foo@baz Fri 26 Jul 2019 12:22:46 PM CEST
+From: Cong Wang
+Date: Mon, 1 Jul 2019 20:40:24 -0700
+Subject: bonding: validate ip header before check IPPROTO_IGMP
+
+From: Cong Wang
+
+[ Upstream commit 9d1bc24b52fb8c5d859f9a47084bf1179470e04c ]
+
+bond_xmit_roundrobin() checks for IGMP packets but it parses
+the IP header even before checking skb->protocol.
+
+We should validate the IP header with pskb_may_pull() before
+using iph->protocol.
+
+Reported-and-tested-by: syzbot+e5be16aa39ad6e755391@syzkaller.appspotmail.com
+Fixes: a2fd940f4cff ("bonding: fix broken multicast with round-robin mode")
+Cc: Jay Vosburgh
+Cc: Veaceslav Falico
+Cc: Andy Gospodarek
+Signed-off-by: Cong Wang
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/bonding/bond_main.c | 37 +++++++++++++++++++++++--------------
+ 1 file changed, 23 insertions(+), 14 deletions(-)
+
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -3714,8 +3714,8 @@ static u32 bond_rr_gen_slave_id(struct b
+ static int bond_xmit_roundrobin(struct sk_buff *skb, struct net_device *bond_dev)
+ {
+ struct bonding *bond = netdev_priv(bond_dev);
+- struct iphdr *iph = ip_hdr(skb);
+ struct slave *slave;
++ int slave_cnt;
+ u32 slave_id;
+
+ /* Start with the curr_active_slave that joined the bond as the
+@@ -3724,23 +3724,32 @@ static int bond_xmit_roundrobin(struct s
+ * send the join/membership reports. The curr_active_slave found
+ * will send all of this type of traffic.
+ */
+- if (iph->protocol == IPPROTO_IGMP && skb->protocol == htons(ETH_P_IP)) {
+- slave = rcu_dereference(bond->curr_active_slave);
+- if (slave)
+- bond_dev_queue_xmit(bond, skb, slave->dev);
+- else
+- bond_xmit_slave_id(bond, skb, 0);
+- } else {
+- int slave_cnt = ACCESS_ONCE(bond->slave_cnt);
++ if (skb->protocol == htons(ETH_P_IP)) {
++ int noff = skb_network_offset(skb);
++ struct iphdr *iph;
++
++ if (unlikely(!pskb_may_pull(skb, noff + sizeof(*iph))))
++ goto non_igmp;
+
+- if (likely(slave_cnt)) {
+- slave_id = bond_rr_gen_slave_id(bond);
+- bond_xmit_slave_id(bond, skb, slave_id % slave_cnt);
+- } else {
+- bond_tx_drop(bond_dev, skb);
++ iph = ip_hdr(skb);
++ if (iph->protocol == IPPROTO_IGMP) {
++ slave = rcu_dereference(bond->curr_active_slave);
++ if (slave)
++ bond_dev_queue_xmit(bond, skb, slave->dev);
++ else
++ bond_xmit_slave_id(bond, skb, 0);
++ return NETDEV_TX_OK;
+ }
+ }
+
++non_igmp:
++ slave_cnt = ACCESS_ONCE(bond->slave_cnt);
++ if (likely(slave_cnt)) {
++ slave_id = bond_rr_gen_slave_id(bond);
++ bond_xmit_slave_id(bond, skb, slave_id % slave_cnt);
++ } else {
++ bond_tx_drop(bond_dev, skb);
++ }
+ return NETDEV_TX_OK;
+ }
+
diff --git a/queue-4.4/caif-hsi-fix-possible-deadlock-in-cfhsi_exit_module.patch b/queue-4.4/caif-hsi-fix-possible-deadlock-in-cfhsi_exit_module.patch
new file mode 100644
index 00000000000..3ec2c6d425c
--- /dev/null
+++ b/queue-4.4/caif-hsi-fix-possible-deadlock-in-cfhsi_exit_module.patch
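Review bot: In the bond_main.c change, `iph = ip_hdr(skb);` in bond_xmit_roundrobin() is only valid because it now comes after pskb_may_pull(), and nothing in the new code says so. A later cleanup that moves the load back to the declaration would bring back the unvalidated header read this patch removes. I would add a comment above the pull, for example `/* pskb_may_pull() may reallocate the header; read iph only after it succeeds */`. A packet that fails the pull is not dropped but falls through `non_igmp` and is still sent round-robin; that looks intended, but the block comment above the branch should say it.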
@@ -0,0 +1,32 @@
+From foo@baz Sun 28 Jul 2019 11:11:16 AM CEST
+From: Taehee Yoo
+Date: Mon, 15 Jul 2019 14:10:17 +0900
+Subject: caif-hsi: fix possible deadlock in cfhsi_exit_module()
+
+From: Taehee Yoo
+
+[ Upstream commit fdd258d49e88a9e0b49ef04a506a796f1c768a8e ]
+
+cfhsi_exit_module() calls unregister_netdev() under rtnl_lock().
+but unregister_netdev() internally calls rtnl_lock().
+So deadlock would occur.
+
+Fixes: c41254006377 ("caif-hsi: Add rtnl support")
+Signed-off-by: Taehee Yoo
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/caif/caif_hsi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/caif/caif_hsi.c
++++ b/drivers/net/caif/caif_hsi.c
+@@ -1467,7 +1467,7 @@ static void __exit cfhsi_exit_module(voi
+ rtnl_lock();
+ list_for_each_safe(list_node, n, &cfhsi_list) {
+ cfhsi = list_entry(list_node, struct cfhsi, list);
+- unregister_netdev(cfhsi->ndev);
++ unregister_netdevice(cfhsi->ndev);
+ }
+ rtnl_unlock();
+ }
diff --git a/queue-4.4/ipv4-don-t-set-ipv6-only-flags-to-ipv4-addresses.patch b/queue-4.4/ipv4-don-t-set-ipv6-only-flags-to-ipv4-addresses.patch
new file mode 100644
index 00000000000..fc92bc15aeb
--- /dev/null
+++ b/queue-4.4/ipv4-don-t-set-ipv6-only-flags-to-ipv4-addresses.patch
@@ -0,0 +1,56 @@
+From foo@baz Sun 28 Jul 2019 11:11:16 AM CEST
+From: Matteo Croce
+Date: Mon, 1 Jul 2019 19:01:55 +0200
+Subject: ipv4: don't set IPv6 only flags to IPv4 addresses
+
+From: Matteo Croce
+
+[ Upstream commit 2e60546368165c2449564d71f6005dda9205b5fb ]
+
+Avoid the situation where an IPV6 only flag is applied to an IPv4 address:
+
+ # ip addr add 192.0.2.1/24 dev dummy0 nodad home mngtmpaddr noprefixroute
+ # ip -4 addr show dev dummy0
+ 2: dummy0: mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1000
+ inet 192.0.2.1/24 scope global noprefixroute dummy0
+ valid_lft forever preferred_lft forever
+
+Or worse, by sending a malicious netlink command:
+
+ # ip -4 addr show dev dummy0
+ 2: dummy0: mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1000
+ inet 192.0.2.1/24 scope global nodad optimistic dadfailed home tentative mngtmpaddr noprefixroute stable-privacy dummy0
+ valid_lft forever preferred_lft forever
+
+Signed-off-by: Matteo Croce
+Reviewed-by: David Ahern
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv4/devinet.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/net/ipv4/devinet.c
++++ b/net/ipv4/devinet.c
+@@ -67,6 +67,11 @@
+
+ #include "fib_lookup.h"
+
++#define IPV6ONLY_FLAGS \
++ (IFA_F_NODAD | IFA_F_OPTIMISTIC | IFA_F_DADFAILED | \
++ IFA_F_HOMEADDRESS | IFA_F_TENTATIVE | \
++ IFA_F_MANAGETEMPADDR | IFA_F_STABLE_PRIVACY)
++
+ static struct ipv4_devconf ipv4_devconf = {
+ .data = {
+ [IPV4_DEVCONF_ACCEPT_REDIRECTS - 1] = 1,
+@@ -453,6 +458,9 @@ static int __inet_insert_ifa(struct in_i
+ ifa->ifa_flags &= ~IFA_F_SECONDARY;
+ last_primary = &in_dev->ifa_list;
+
++ /* Don't set IPv6 only flags to IPv4 addresses */
++ ifa->ifa_flags &= ~IPV6ONLY_FLAGS;
++
+ for (ifap = &in_dev->ifa_list; (ifa1 = *ifap) != NULL;
+ ifap = &ifa1->ifa_next) {
+ if (!(ifa1->ifa_flags & IFA_F_SECONDARY) &&
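Review bot: `IPV6ONLY_FLAGS` in net/ipv4/devinet.c is a hand-maintained list with no comment, so an IPv6-only IFA_F_* flag added later will pass through __inet_insert_ifa() unless someone remembers this macro. A comment above the define would help, for example `/* IFA_F_* flags that are only meaningful for IPv6; keep in sync when new ones are added */`. The mask is also applied silently: as far as the hunk shows, a netlink request carrying these flags still succeeds with the flags stripped, and the sender gets no indication. If that is the intended contract, the comment beside `ifa->ifa_flags &= ~IPV6ONLY_FLAGS;` should say so. __inet_insert_ifa() starts and ends outside the hunk.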
diff --git a/queue-4.4/net-bcmgenet-use-promisc-for-unsupported-filters.patch b/queue-4.4/net-bcmgenet-use-promisc-for-unsupported-filters.patch
new file mode 100644
index 00000000000..a8b020cf5a5
--- /dev/null
+++ b/queue-4.4/net-bcmgenet-use-promisc-for-unsupported-filters.patch
@@ -0,0 +1,126 @@
+From foo@baz Sun 28 Jul 2019 11:11:16 AM CEST
+From: Justin Chen
+Date: Wed, 17 Jul 2019 14:58:53 -0700
+Subject: net: bcmgenet: use promisc for unsupported filters
+
+From: Justin Chen
+
+[ Upstream commit 35cbef9863640f06107144687bd13151bc2e8ce3 ]
+
+Currently we silently ignore filters if we cannot meet the filter
+requirements. This will lead to the MAC dropping packets that are
+expected to pass. A better solution would be to set the NIC to promisc
+mode when the required filters cannot be met.
+
+Also correct the number of MDF filters supported. It should be 17,
+not 16.
+
+Signed-off-by: Justin Chen
+Reviewed-by: Florian Fainelli
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/broadcom/genet/bcmgenet.c | 57 +++++++++++--------------
+ 1 file changed, 26 insertions(+), 31 deletions(-)
+
+--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c
++++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
+@@ -3090,39 +3090,42 @@ static void bcmgenet_timeout(struct net_
+ netif_tx_wake_all_queues(dev);
+ }
+
+-#define MAX_MC_COUNT 16
++#define MAX_MDF_FILTER 17
+
+ static inline void bcmgenet_set_mdf_addr(struct bcmgenet_priv *priv,
+ unsigned char *addr,
+- int *i,
+- int *mc)
++ int *i)
+ {
+- u32 reg;
+-
+ bcmgenet_umac_writel(priv, addr[0] << 8 | addr[1],
+ UMAC_MDF_ADDR + (*i * 4));
+ bcmgenet_umac_writel(priv, addr[2] << 24 | addr[3] << 16 |
+ addr[4] << 8 | addr[5],
+ UMAC_MDF_ADDR + ((*i + 1) * 4));
+- reg = bcmgenet_umac_readl(priv, UMAC_MDF_CTRL);
+- reg |= (1 << (MAX_MC_COUNT - *mc));
+- bcmgenet_umac_writel(priv, reg, UMAC_MDF_CTRL);
+ *i += 2;
+- (*mc)++;
+ }
+
+ static void bcmgenet_set_rx_mode(struct net_device *dev)
+ {
+ struct bcmgenet_priv *priv = netdev_priv(dev);
+ struct netdev_hw_addr *ha;
+- int i, mc;
++ int i, nfilter;
+ u32 reg;
+
+ netif_dbg(priv, hw, dev, "%s: %08X\n", __func__, dev->flags);
+
+- /* Promiscuous mode */
++ /* Number of filters needed */
++ nfilter = netdev_uc_count(dev) + netdev_mc_count(dev) + 2;
++
++ /*
++ * Turn on promicuous mode for three scenarios
++ * 1. IFF_PROMISC flag is set
++ * 2. IFF_ALLMULTI flag is set
++ * 3. The number of filters needed exceeds the number filters
++ * supported by the hardware.
++ */
+ reg = bcmgenet_umac_readl(priv, UMAC_CMD);
+- if (dev->flags & IFF_PROMISC) {
++ if ((dev->flags & (IFF_PROMISC | IFF_ALLMULTI)) ||
++ (nfilter > MAX_MDF_FILTER)) {
+ reg |= CMD_PROMISC;
+ bcmgenet_umac_writel(priv, reg, UMAC_CMD);
+ bcmgenet_umac_writel(priv, 0, UMAC_MDF_CTRL);
+@@ -3132,32 +3135,24 @@ static void bcmgenet_set_rx_mode(struct
+ bcmgenet_umac_writel(priv, reg, UMAC_CMD);
+ }
+
+- /* UniMac doesn't support ALLMULTI */
+- if (dev->flags & IFF_ALLMULTI) {
+- netdev_warn(dev, "ALLMULTI is not supported\n");
+- return;
+- }
+-
+ /* update MDF filter */
+ i = 0;
+- mc = 0;
+ /* Broadcast */
+- bcmgenet_set_mdf_addr(priv, dev->broadcast, &i, &mc);
++ bcmgenet_set_mdf_addr(priv, dev->broadcast, &i);
+ /* my own address.*/
+- bcmgenet_set_mdf_addr(priv, dev->dev_addr, &i, &mc);
+- /* Unicast list*/
+- if (netdev_uc_count(dev) > (MAX_MC_COUNT - mc))
+- return;
++ bcmgenet_set_mdf_addr(priv, dev->dev_addr, &i);
+
+- if (!netdev_uc_empty(dev))
+- netdev_for_each_uc_addr(ha, dev)
+- bcmgenet_set_mdf_addr(priv, ha->addr, &i, &mc);
+- /* Multicast */
+- if (netdev_mc_empty(dev) || netdev_mc_count(dev) >= (MAX_MC_COUNT - mc))
+- return;
++ /* Unicast */
++ netdev_for_each_uc_addr(ha, dev)
++ bcmgenet_set_mdf_addr(priv, ha->addr, &i);
+
++ /* Multicast */
+ netdev_for_each_mc_addr(ha, dev)
+- bcmgenet_set_mdf_addr(priv, ha->addr, &i, &mc);
++ bcmgenet_set_mdf_addr(priv, ha->addr, &i);
++
++ /* Enable filters */
++ reg = GENMASK(MAX_MDF_FILTER - 1, MAX_MDF_FILTER - nfilter);
++ bcmgenet_umac_writel(priv, reg, UMAC_MDF_CTRL);
+ }
+
+ /* Set the hardware MAC address. */
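Review bot: The third case of the new condition in bcmgenet_set_rx_mode() sets CMD_PROMISC in hardware when `nfilter > MAX_MDF_FILTER` even though IFF_PROMISC is not set in dev->flags, and nothing in the hunk records that this happened. Tooling that inspects interface flags would then not show that the NIC is accepting every frame on the segment. A log line in that branch would make the fallback auditable, for example `netif_dbg(priv, hw, dev, "%s: %d filters needed, using promisc\n", __func__, nfilter);`. The new block comment also has two typos, "promicuous" and "exceeds the number filters". The rest of the promiscuous branch lies between the two hunks and is not visible here.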
diff --git a/queue-4.4/net-bridge-mcast-fix-stale-ipv6-hdr-pointer-when-handling-v6-query.patch b/queue-4.4/net-bridge-mcast-fix-stale-ipv6-hdr-pointer-when-handling-v6-query.patch
new file mode 100644
index 00000000000..e05a5af1de6
--- /dev/null
+++ b/queue-4.4/net-bridge-mcast-fix-stale-ipv6-hdr-pointer-when-handling-v6-query.patch
@@ -0,0 +1,41 @@
+From foo@baz Fri 26 Jul 2019 11:17:03 AM CEST
+From: Nikolay Aleksandrov
+Date: Tue, 2 Jul 2019 15:00:19 +0300
+Subject: net: bridge: mcast: fix stale ipv6 hdr pointer when handling v6 query
+
+From: Nikolay Aleksandrov
+
+[ Upstream commit 3b26a5d03d35d8f732d75951218983c0f7f68dff ]
+
+We get a pointer to the ipv6 hdr in br_ip6_multicast_query but we may
+call pskb_may_pull afterwards and end up using a stale pointer.
+So use the header directly, it's just 1 place where it's needed.
+
+Fixes: 08b202b67264 ("bridge br_multicast: IPv6 MLD support.")
+Signed-off-by: Nikolay Aleksandrov
+Tested-by: Martin Weinelt
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/bridge/br_multicast.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/net/bridge/br_multicast.c
++++ b/net/bridge/br_multicast.c
+@@ -1353,7 +1353,6 @@ static int br_ip6_multicast_query(struct
+ struct sk_buff *skb,
+ u16 vid)
+ {
+- const struct ipv6hdr *ip6h = ipv6_hdr(skb);
+ struct mld_msg *mld;
+ struct net_bridge_mdb_entry *mp;
+ struct mld2_query *mld2q;
+@@ -1397,7 +1396,7 @@ static int br_ip6_multicast_query(struct
+
+ if (is_general_query) {
+ saddr.proto = htons(ETH_P_IPV6);
+- saddr.u.ip6 = ip6h->saddr;
++ saddr.u.ip6 = ipv6_hdr(skb)->saddr;
+
+ br_multicast_query_received(br, port, &br->ip6_other_query,
+ &saddr, max_delay);
diff --git a/queue-4.4/net-bridge-mcast-fix-stale-nsrcs-pointer-in-igmp3-mld2-report-handling.patch b/queue-4.4/net-bridge-mcast-fix-stale-nsrcs-pointer-in-igmp3-mld2-report-handling.patch
new file mode 100644
index 00000000000..c2323754925
--- /dev/null
+++ b/queue-4.4/net-bridge-mcast-fix-stale-nsrcs-pointer-in-igmp3-mld2-report-handling.patch
@@ -0,0 +1,173 @@ +From foo@baz Fri 26 Jul 2019 11:17:03 AM CEST +From: Nikolay Aleksandrov +Date: Tue, 2 Jul 2019 15:00:18 +0300 +Subject: net: bridge: mcast: fix stale nsrcs pointer in igmp3/mld2 report handling + +From: Nikolay Aleksandrov + +[ Upstream commit e57f61858b7cf478ed6fa23ed4b3876b1c9625c4 ] + +We take a pointer to grec prior to calling pskb_may_pull and use it +afterwards to get nsrcs so record nsrcs before the pull when handling +igmp3 and we get a pointer to nsrcs and call pskb_may_pull when handling +mld2 which again could lead to reading 2 bytes out-of-bounds. + + ================================================================== + BUG: KASAN: use-after-free in br_multicast_rcv+0x480c/0x4ad0 [bridge] + Read of size 2 at addr ffff8880421302b4 by task ksoftirqd/1/16 + + CPU: 1 PID: 16 Comm: ksoftirqd/1 Tainted: G OE 5.2.0-rc6+ #1 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014 + Call Trace: + dump_stack+0x71/0xab + print_address_description+0x6a/0x280 + ? br_multicast_rcv+0x480c/0x4ad0 [bridge] + __kasan_report+0x152/0x1aa + ? br_multicast_rcv+0x480c/0x4ad0 [bridge] + ? br_multicast_rcv+0x480c/0x4ad0 [bridge] + kasan_report+0xe/0x20 + br_multicast_rcv+0x480c/0x4ad0 [bridge] + ? br_multicast_disable_port+0x150/0x150 [bridge] + ? ktime_get_with_offset+0xb4/0x150 + ? __kasan_kmalloc.constprop.6+0xa6/0xf0 + ? __netif_receive_skb+0x1b0/0x1b0 + ? br_fdb_update+0x10e/0x6e0 [bridge] + ? br_handle_frame_finish+0x3c6/0x11d0 [bridge] + br_handle_frame_finish+0x3c6/0x11d0 [bridge] + ? br_pass_frame_up+0x3a0/0x3a0 [bridge] + ? virtnet_probe+0x1c80/0x1c80 [virtio_net] + br_handle_frame+0x731/0xd90 [bridge] + ? select_idle_sibling+0x25/0x7d0 + ? br_handle_frame_finish+0x11d0/0x11d0 [bridge] + __netif_receive_skb_core+0xced/0x2d70 + ? virtqueue_get_buf_ctx+0x230/0x1130 [virtio_ring] + ? do_xdp_generic+0x20/0x20 + ? virtqueue_napi_complete+0x39/0x70 [virtio_net] + ? virtnet_poll+0x94d/0xc78 [virtio_net] + ? 
receive_buf+0x5120/0x5120 [virtio_net] + ? __netif_receive_skb_one_core+0x97/0x1d0 + __netif_receive_skb_one_core+0x97/0x1d0 + ? __netif_receive_skb_core+0x2d70/0x2d70 + ? _raw_write_trylock+0x100/0x100 + ? __queue_work+0x41e/0xbe0 + process_backlog+0x19c/0x650 + ? _raw_read_lock_irq+0x40/0x40 + net_rx_action+0x71e/0xbc0 + ? __switch_to_asm+0x40/0x70 + ? napi_complete_done+0x360/0x360 + ? __switch_to_asm+0x34/0x70 + ? __switch_to_asm+0x40/0x70 + ? __schedule+0x85e/0x14d0 + __do_softirq+0x1db/0x5f9 + ? takeover_tasklets+0x5f0/0x5f0 + run_ksoftirqd+0x26/0x40 + smpboot_thread_fn+0x443/0x680 + ? sort_range+0x20/0x20 + ? schedule+0x94/0x210 + ? __kthread_parkme+0x78/0xf0 + ? sort_range+0x20/0x20 + kthread+0x2ae/0x3a0 + ? kthread_create_worker_on_cpu+0xc0/0xc0 + ret_from_fork+0x35/0x40 + + The buggy address belongs to the page: + page:ffffea0001084c00 refcount:0 mapcount:-128 mapping:0000000000000000 index:0x0 + flags: 0xffffc000000000() + raw: 00ffffc000000000 ffffea0000cfca08 ffffea0001098608 0000000000000000 + raw: 0000000000000000 0000000000000003 00000000ffffff7f 0000000000000000 + page dumped because: kasan: bad access detected + + Memory state around the buggy address: + ffff888042130180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff + ffff888042130200: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff + > ffff888042130280: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff + ^ + ffff888042130300: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff + ffff888042130380: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff + ================================================================== + Disabling lock debugging due to kernel taint + +Fixes: bc8c20acaea1 ("bridge: multicast: treat igmpv3 report with INCLUDE and no sources as a leave") +Reported-by: Martin Weinelt +Signed-off-by: Nikolay Aleksandrov +Tested-by: Martin Weinelt +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/bridge/br_multicast.c | 27 ++++++++++++++++----------- + 1 file changed, 16 insertions(+), 11 deletions(-) + +--- a/net/bridge/br_multicast.c ++++ b/net/bridge/br_multicast.c +@@ -1011,6 +1011,7 @@ static int br_ip4_multicast_igmp3_report + int type; + int err = 0; + __be32 group; ++ u16 nsrcs; + + ih = igmpv3_report_hdr(skb); + num = ntohs(ih->ngrec); +@@ -1024,8 +1025,9 @@ static int br_ip4_multicast_igmp3_report + grec = (void *)(skb->data + len - sizeof(*grec)); + group = grec->grec_mca; + type = grec->grec_type; ++ nsrcs = ntohs(grec->grec_nsrcs); + +- len += ntohs(grec->grec_nsrcs) * 4; ++ len += nsrcs * 4; + if (!pskb_may_pull(skb, len)) + return -EINVAL; + +@@ -1045,7 +1047,7 @@ static int br_ip4_multicast_igmp3_report + + if ((type == IGMPV3_CHANGE_TO_INCLUDE || + type == IGMPV3_MODE_IS_INCLUDE) && +- ntohs(grec->grec_nsrcs) == 0) { ++ nsrcs == 0) { + br_ip4_multicast_leave_group(br, port, group, vid); + } else { + err = br_ip4_multicast_add_group(br, port, group, vid); +@@ -1078,23 +1080,26 @@ static int br_ip6_multicast_mld2_report( + len = skb_transport_offset(skb) + sizeof(*icmp6h); + + for (i = 0; i < num; i++) { +- __be16 *nsrcs, _nsrcs; ++ __be16 *_nsrcs, __nsrcs; ++ u16 nsrcs; + +- nsrcs = skb_header_pointer(skb, +- len + offsetof(struct mld2_grec, +- grec_nsrcs), +- sizeof(_nsrcs), &_nsrcs); +- if (!nsrcs) ++ _nsrcs = skb_header_pointer(skb, ++ len + offsetof(struct mld2_grec, ++ grec_nsrcs), ++ sizeof(__nsrcs), &__nsrcs); ++ if (!_nsrcs) + return -EINVAL; + ++ nsrcs = ntohs(*_nsrcs); ++ + if (!pskb_may_pull(skb, + len + sizeof(*grec) + +- sizeof(struct in6_addr) * ntohs(*nsrcs))) ++ sizeof(struct in6_addr) * nsrcs)) + return -EINVAL; + + grec = (struct mld2_grec *)(skb->data + len); + len += sizeof(*grec) + +- sizeof(struct in6_addr) * ntohs(*nsrcs); ++ sizeof(struct in6_addr) * nsrcs; + + /* We treat these as MLDv1 reports for now. 
*/ + switch (grec->grec_type) { +@@ -1112,7 +1117,7 @@ static int br_ip6_multicast_mld2_report( + + if ((grec->grec_type == MLD2_CHANGE_TO_INCLUDE || + grec->grec_type == MLD2_MODE_IS_INCLUDE) && +- ntohs(*nsrcs) == 0) { ++ nsrcs == 0) { + br_ip6_multicast_leave_group(br, port, &grec->grec_mca, + vid); + } else { diff --git a/queue-4.4/net-bridge-stp-don-t-cache-eth-dest-pointer-before-skb-pull.patch b/queue-4.4/net-bridge-stp-don-t-cache-eth-dest-pointer-before-skb-pull.patch new file mode 100644 index 00000000000..a4365d47db4 --- /dev/null +++ b/queue-4.4/net-bridge-stp-don-t-cache-eth-dest-pointer-before-skb-pull.patch @@ -0,0 +1,38 @@ +From foo@baz Sun 28 Jul 2019 11:11:16 AM CEST +From: Nikolay Aleksandrov +Date: Tue, 2 Jul 2019 15:00:21 +0300 +Subject: net: bridge: stp: don't cache eth dest pointer before skb pull + +From: Nikolay Aleksandrov + +[ Upstream commit 2446a68ae6a8cee6d480e2f5b52f5007c7c41312 ] + +Don't cache eth dest pointer before calling pskb_may_pull. + +Fixes: cf0f02d04a83 ("[BRIDGE]: use llc for receiving STP packets") +Signed-off-by: Nikolay Aleksandrov +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/bridge/br_stp_bpdu.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/net/bridge/br_stp_bpdu.c ++++ b/net/bridge/br_stp_bpdu.c +@@ -147,7 +147,6 @@ void br_send_tcn_bpdu(struct net_bridge_ + void br_stp_rcv(const struct stp_proto *proto, struct sk_buff *skb, + struct net_device *dev) + { +- const unsigned char *dest = eth_hdr(skb)->h_dest; + struct net_bridge_port *p; + struct net_bridge *br; + const unsigned char *buf; +@@ -176,7 +175,7 @@ void br_stp_rcv(const struct stp_proto * + if (p->state == BR_STATE_DISABLED) + goto out; + +- if (!ether_addr_equal(dest, br->group_addr)) ++ if (!ether_addr_equal(eth_hdr(skb)->h_dest, br->group_addr)) + goto out; + + if (p->flags & BR_BPDU_GUARD) { 
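Review bot: In the br_multicast.c change for IGMPv3/MLDv2 reports, `grec` in br_ip4_multicast_igmp3_report() stays in scope after pskb_may_pull() although it may then point at stale data. The fix holds only because group, type and nsrcs are copied out first, and the code does not say so. I would add a comment after the pull, for example `/* grec may be stale after pskb_may_pull(); use the cached group, type and nsrcs */`. In br_ip6_multicast_mld2_report() the renamed `_nsrcs` and `__nsrcs` are hard to tell apart from the new `nsrcs`; names such as `nsrcs_ptr` and `nsrcs_buf` would read more safely. Both functions start and end outside the hunks, so whether any later line still dereferences `grec` on the IGMPv3 path cannot be confirmed from here.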
diff --git a/queue-4.4/net-make-skb_dst_force-return-true-when-dst-is-refcounted.patch b/queue-4.4/net-make-skb_dst_force-return-true-when-dst-is-refcounted.patch
new file mode 100644
index 00000000000..556ae465357
--- /dev/null
+++ b/queue-4.4/net-make-skb_dst_force-return-true-when-dst-is-refcounted.patch
@@ -0,0 +1,90 @@
+From foo@baz Fri 26 Jul 2019 12:22:46 PM CEST
+From: Florian Westphal
+Date: Wed, 26 Jun 2019 20:40:45 +0200
+Subject: net: make skb_dst_force return true when dst is refcounted
+
+From: Florian Westphal
+
+[ Upstream commit b60a77386b1d4868f72f6353d35dabe5fbe981f2 ]
+
+netfilter did not expect that skb_dst_force() can cause skb to lose its
+dst entry.
+
+I got a bug report with a skb->dst NULL dereference in netfilter
+output path. The backtrace contains nf_reinject(), so the dst might have
+been cleared when skb got queued to userspace.
+
+Other users were fixed via
+if (skb_dst(skb)) {
+ skb_dst_force(skb);
+ if (!skb_dst(skb))
+ goto handle_err;
+}
+
+But I think its preferable to make the 'dst might be cleared' part
+of the function explicit.
+
+In netfilter case, skb with a null dst is expected when queueing in
+prerouting hook, so drop skb for the other hooks.
+
+v2:
+ v1 of this patch returned true in case skb had no dst entry.
+ Eric said:
+ Say if we have two skb_dst_force() calls for some reason
+ on the same skb, only the first one will return false.
+
+ This now returns false even when skb had no dst, as per Erics
+ suggestion, so callers might need to check skb_dst() first before
+ skb_dst_force().
+
+Signed-off-by: Florian Westphal
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ include/net/dst.h | 5 ++++-
+ net/netfilter/nf_queue.c | 6 +++++-
+ 2 files changed, 9 insertions(+), 2 deletions(-)
+
+--- a/include/net/dst.h
++++ b/include/net/dst.h
+@@ -318,14 +318,17 @@ static inline void skb_dst_copy(struct s
+ * @skb: buffer
+ *
+ * If dst is not yet refcounted, let's do it
++ * Returns true if dst is refcounted.
+ */
+-static inline void skb_dst_force(struct sk_buff *skb)
++static inline bool skb_dst_force(struct sk_buff *skb)
+ {
+ if (skb_dst_is_noref(skb)) {
+ WARN_ON(!rcu_read_lock_held());
+ skb->_skb_refdst &= ~SKB_DST_NOREF;
+ dst_clone(skb_dst(skb));
+ }
++
++ return skb->_skb_refdst != 0UL;
+ }
+
+ /**
+--- a/net/netfilter/nf_queue.c
++++ b/net/netfilter/nf_queue.c
+@@ -139,6 +139,11 @@ int nf_queue(struct sk_buff *skb,
+ goto err;
+ }
+
++ if (!skb_dst_force(skb) && state->hook != NF_INET_PRE_ROUTING) {
++ status = -ENETDOWN;
++ goto err;
++ }
++
+ *entry = (struct nf_queue_entry) {
+ .skb = skb,
+ .elem = elem,
+@@ -147,7 +152,6 @@ int nf_queue(struct sk_buff *skb,
+ };
+
+ nf_queue_entry_get_refs(entry);
+- skb_dst_force(skb);
+ afinfo->saveroute(skb, entry);
+ status = qh->outfn(entry, queuenum);
+
diff --git a/queue-4.4/net-neigh-fix-multiple-neigh-timer-scheduling.patch b/queue-4.4/net-neigh-fix-multiple-neigh-timer-scheduling.patch
new file mode 100644
index 00000000000..338dcc1dd9b
--- /dev/null
+++ b/queue-4.4/net-neigh-fix-multiple-neigh-timer-scheduling.patch
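Review bot: The new drop in nf_queue() tests only `state->hook != NF_INET_PRE_ROUTING`, so any skb without a dst that reaches nf_queue() from another hook now fails with -ENETDOWN. Whether every caller in this 4.4 tree is covered cannot be told from the hunk, including callers from families whose hook numbers are not the INET ones, and that is worth confirming for the backport. A comment on the check would record the assumption, for example `/* an skb without dst is only expected in prerouting; refuse to queue it elsewhere */`. The kerneldoc line added to skb_dst_force() should also state that false is returned when the skb had no dst at all, which the commit message says but the header does not. nf_queue() starts and ends outside the hunk.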
@@ -0,0 +1,92 @@
+From foo@baz Sun 28 Jul 2019 11:11:16 AM CEST
+From: Lorenzo Bianconi
+Date: Sun, 14 Jul 2019 23:36:11 +0200
+Subject: net: neigh: fix multiple neigh timer scheduling
+
+From: Lorenzo Bianconi
+
+[ Upstream commit 071c37983d99da07797294ea78e9da1a6e287144 ]
+
+Neigh timer can be scheduled multiple times from userspace adding
+multiple neigh entries and forcing the neigh timer scheduling passing
+NTF_USE in the netlink requests.
+This will result in a refcount leak and in the following dump stack:
+
+[ 32.465295] NEIGH: BUG, double timer add, state is 8
+[ 32.465308] CPU: 0 PID: 416 Comm: double_timer_ad Not tainted 5.2.0+ #65
+[ 32.465311] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.12.0-2.fc30 04/01/2014
+[ 32.465313] Call Trace:
+[ 32.465318] dump_stack+0x7c/0xc0
+[ 32.465323] __neigh_event_send+0x20c/0x880
+[ 32.465326] ? ___neigh_create+0x846/0xfb0
+[ 32.465329] ? neigh_lookup+0x2a9/0x410
+[ 32.465332] ? neightbl_fill_info.constprop.0+0x800/0x800
+[ 32.465334] neigh_add+0x4f8/0x5e0
+[ 32.465337] ? neigh_xmit+0x620/0x620
+[ 32.465341] ? find_held_lock+0x85/0xa0
+[ 32.465345] rtnetlink_rcv_msg+0x204/0x570
+[ 32.465348] ? rtnl_dellink+0x450/0x450
+[ 32.465351] ? mark_held_locks+0x90/0x90
+[ 32.465354] ? match_held_lock+0x1b/0x230
+[ 32.465357] netlink_rcv_skb+0xc4/0x1d0
+[ 32.465360] ? rtnl_dellink+0x450/0x450
+[ 32.465363] ? netlink_ack+0x420/0x420
+[ 32.465366] ? netlink_deliver_tap+0x115/0x560
+[ 32.465369] ? __alloc_skb+0xc9/0x2f0
+[ 32.465372] netlink_unicast+0x270/0x330
+[ 32.465375] ? netlink_attachskb+0x2f0/0x2f0
+[ 32.465378] netlink_sendmsg+0x34f/0x5a0
+[ 32.465381] ? netlink_unicast+0x330/0x330
+[ 32.465385] ? move_addr_to_kernel.part.0+0x20/0x20
+[ 32.465388] ? netlink_unicast+0x330/0x330
+[ 32.465391] sock_sendmsg+0x91/0xa0
+[ 32.465394] ___sys_sendmsg+0x407/0x480
+[ 32.465397] ? copy_msghdr_from_user+0x200/0x200
+[ 32.465401] ? _raw_spin_unlock_irqrestore+0x37/0x40
+[ 32.465404] ? lockdep_hardirqs_on+0x17d/0x250
+[ 32.465407] ? __wake_up_common_lock+0xcb/0x110
+[ 32.465410] ? __wake_up_common+0x230/0x230
+[ 32.465413] ? netlink_bind+0x3e1/0x490
+[ 32.465416] ? netlink_setsockopt+0x540/0x540
+[ 32.465420] ? __fget_light+0x9c/0xf0
+[ 32.465423] ? sockfd_lookup_light+0x8c/0xb0
+[ 32.465426] __sys_sendmsg+0xa5/0x110
+[ 32.465429] ? __ia32_sys_shutdown+0x30/0x30
+[ 32.465432] ? __fd_install+0xe1/0x2c0
+[ 32.465435] ? lockdep_hardirqs_off+0xb5/0x100
+[ 32.465438] ? mark_held_locks+0x24/0x90
+[ 32.465441] ? do_syscall_64+0xf/0x270
+[ 32.465444] do_syscall_64+0x63/0x270
+[ 32.465448] entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+Fix the issue unscheduling neigh_timer if selected entry is in 'IN_TIMER'
+receiving a netlink request with NTF_USE flag set
+
+Reported-by: Marek Majkowski
+Fixes: 0c5c2d308906 ("neigh: Allow for user space users of the neighbour table")
+Signed-off-by: Lorenzo Bianconi
+Reviewed-by: David Ahern
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/core/neighbour.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/core/neighbour.c
++++ b/net/core/neighbour.c
+@@ -982,6 +982,7 @@ int __neigh_event_send(struct neighbour
+
+ atomic_set(&neigh->probes,
+ NEIGH_VAR(neigh->parms, UCAST_PROBES));
++ neigh_del_timer(neigh);
+ neigh->nud_state = NUD_INCOMPLETE;
+ neigh->updated = now;
+ next = now + max(NEIGH_VAR(neigh->parms, RETRANS_TIME),
+@@ -998,6 +999,7 @@ int __neigh_event_send(struct neighbour
+ }
+ } else if (neigh->nud_state & NUD_STALE) {
+ neigh_dbg(2, "neigh %p is delayed\n", neigh);
++ neigh_del_timer(neigh);
+ neigh->nud_state = NUD_DELAY;
+ neigh->updated = jiffies;
+ neigh_add_timer(neigh, jiffies +
diff --git a/queue-4.4/netrom-fix-a-memory-leak-in-nr_rx_frame.patch b/queue-4.4/netrom-fix-a-memory-leak-in-nr_rx_frame.patch
new file mode 100644
index 00000000000..5af27d8d057
--- /dev/null
+++ b/queue-4.4/netrom-fix-a-memory-leak-in-nr_rx_frame.patch
@@ -0,0 +1,40 @@
+From foo@baz Sun 28 Jul 2019 11:11:16 AM CEST
+From: Cong Wang
+Date: Thu, 27 Jun 2019 14:30:58 -0700
+Subject: netrom: fix a memory leak in nr_rx_frame()
+
+From: Cong Wang
+
+[ Upstream commit c8c8218ec5af5d2598381883acbefbf604e56b5e ]
+
+When the skb is associated with a new sock, just assigning
+it to skb->sk is not sufficient, we have to set its destructor
+to free the sock properly too.
+
+Reported-by: syzbot+d6636a36d3c34bd88938@syzkaller.appspotmail.com
+Signed-off-by: Cong Wang
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/netrom/af_netrom.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/netrom/af_netrom.c
++++ b/net/netrom/af_netrom.c
+@@ -870,7 +870,7 @@ int nr_rx_frame(struct sk_buff *skb, str
+ unsigned short frametype, flags, window, timeout;
+ int ret;
+
+- skb->sk = NULL; /* Initially we don't know who it's for */
++ skb_orphan(skb);
+
+ /*
+ * skb->data points to the netrom frame start
+@@ -969,6 +969,7 @@ int nr_rx_frame(struct sk_buff *skb, str
+ window = skb->data[20];
+
+ skb->sk = make;
++ skb->destructor = sock_efree;
+ make->sk_state = TCP_ESTABLISHED;
+
+ /* Fill in his circuit details */
diff --git a/queue-4.4/netrom-hold-sock-when-setting-skb-destructor.patch b/queue-4.4/netrom-hold-sock-when-setting-skb-destructor.patch
new file mode 100644
index 00000000000..19c9a45e97b
--- /dev/null
+++ b/queue-4.4/netrom-hold-sock-when-setting-skb-destructor.patch
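Review bot: The first inner hunk of `nr_rx_frame()` replaces a commented assignment with a bare `skb_orphan(skb);`, so the reason for the call is no longer stated at the site. The old line only cleared the pointer, while `skb_orphan()` also runs and clears any destructor already attached to the skb, which is the behaviour the later `skb->destructor = sock_efree;` assignment depends on. I would keep the intent visible with `skb_orphan(skb); /* drop any previous owner; we don't know who it's for yet */`. The function body starts and ends outside both hunks.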
@@ -0,0 +1,39 @@
+From foo@baz Sun 28 Jul 2019 11:11:16 AM CEST
+From: Cong Wang
+Date: Mon, 22 Jul 2019 20:41:22 -0700
+Subject: netrom: hold sock when setting skb->destructor
+
+From: Cong Wang
+
+[ Upstream commit 4638faac032756f7eab5524be7be56bee77e426b ]
+
+sock_efree() releases the sock refcnt, if we don't hold this refcnt
+when setting skb->destructor to it, the refcnt would not be balanced.
+This leads to several bug reports from syzbot.
+
+I have checked other users of sock_efree(), all of them hold the
+sock refcnt.
+
+Fixes: c8c8218ec5af ("netrom: fix a memory leak in nr_rx_frame()")
+Reported-and-tested-by:
+Reported-and-tested-by:
+Reported-and-tested-by:
+Reported-and-tested-by:
+Cc: Ralf Baechle
+Signed-off-by: Cong Wang
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/netrom/af_netrom.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/netrom/af_netrom.c
++++ b/net/netrom/af_netrom.c
+@@ -968,6 +968,7 @@ int nr_rx_frame(struct sk_buff *skb, str
+
+ window = skb->data[20];
+
++ sock_hold(make);
+ skb->sk = make;
+ skb->destructor = sock_efree;
+ make->sk_state = TCP_ESTABLISHED;
diff --git a/queue-4.4/nfc-fix-potential-illegal-memory-access.patch b/queue-4.4/nfc-fix-potential-illegal-memory-access.patch
new file mode 100644
index 00000000000..39d1045cdbb
--- /dev/null
+++ b/queue-4.4/nfc-fix-potential-illegal-memory-access.patch
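Review bot: Nothing at the added `sock_hold(make);` in `nr_rx_frame()` says that it is the reference `sock_efree` gives back when the skb is freed, so the three lines read as unrelated statements. Since the commit message describes exactly this pairing as the cause of the syzbot reports, I would record it in the code: `sock_hold(make); /* dropped by sock_efree() when the skb is freed */`. That makes it harder for a later cleanup to remove or move one half of the pair. The function body starts and ends outside the hunk.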
@@ -0,0 +1,31 @@
+From foo@baz Sun 28 Jul 2019 11:11:16 AM CEST
+From: Yang Wei
+Date: Mon, 8 Jul 2019 22:57:39 +0800
+Subject: nfc: fix potential illegal memory access
+
+From: Yang Wei
+
+[ Upstream commit dd006fc434e107ef90f7de0db9907cbc1c521645 ]
+
+The frags_q is not properly initialized, it may result in illegal memory
+access when conn_info is NULL.
+The "goto free_exit" should be replaced by "goto exit".
+
+Signed-off-by: Yang Wei
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/nfc/nci/data.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/nfc/nci/data.c
++++ b/net/nfc/nci/data.c
+@@ -119,7 +119,7 @@ static int nci_queue_tx_data_frags(struc
+ conn_info = nci_get_conn_info_by_conn_id(ndev, conn_id);
+ if (!conn_info) {
+ rc = -EPROTO;
+- goto free_exit;
++ goto exit;
+ }
+
+ __skb_queue_head_init(&frags_q);
diff --git a/queue-4.4/series b/queue-4.4/series
index 5f50e8a50dd..69e3f09a356 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
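Review bot: The `goto exit;` in the `!conn_info` branch of `nci_queue_tx_data_frags()` is safe only because it sits above `__skb_queue_head_init(&frags_q);`, so any error path later inserted before that init has to know it must not use `free_exit`. Moving `__skb_queue_head_init(&frags_q);` above the `nci_get_conn_info_by_conn_id()` call would make both labels safe from every point in the function. Failing that, `goto exit; /* frags_q not initialised yet, must not reach free_exit */` records the constraint. Both labels are outside the hunk, so what `free_exit` does with `frags_q` is inferred from the commit message.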
@@ -83,3 +83,18 @@ intel_th-msu-fix-single-mode-with-disabled-iommu.patch
 bluetooth-add-smp-workaround-microsoft-surface-precision-mouse-bug.patch
 usb-handle-usb3-remote-wakeup-for-lpm-enabled-devices-correctly.patch
 dm-bufio-fix-deadlock-with-loop-device.patch
+bnx2x-prevent-load-reordering-in-tx-completion-processing.patch
+caif-hsi-fix-possible-deadlock-in-cfhsi_exit_module.patch
+ipv4-don-t-set-ipv6-only-flags-to-ipv4-addresses.patch
+net-bcmgenet-use-promisc-for-unsupported-filters.patch
+net-neigh-fix-multiple-neigh-timer-scheduling.patch
+nfc-fix-potential-illegal-memory-access.patch
+sky2-disable-msi-on-asus-p6t.patch
+netrom-fix-a-memory-leak-in-nr_rx_frame.patch
+netrom-hold-sock-when-setting-skb-destructor.patch
+tcp-reset-bytes_acked-and-bytes_received-when-disconnecting.patch
+net-make-skb_dst_force-return-true-when-dst-is-refcounted.patch
+bonding-validate-ip-header-before-check-ipproto_igmp.patch
+net-bridge-mcast-fix-stale-nsrcs-pointer-in-igmp3-mld2-report-handling.patch
+net-bridge-mcast-fix-stale-ipv6-hdr-pointer-when-handling-v6-query.patch
+net-bridge-stp-don-t-cache-eth-dest-pointer-before-skb-pull.patch
diff --git a/queue-4.4/sky2-disable-msi-on-asus-p6t.patch b/queue-4.4/sky2-disable-msi-on-asus-p6t.patch
new file mode 100644
index 00000000000..d18789cbcd1
--- /dev/null
+++ b/queue-4.4/sky2-disable-msi-on-asus-p6t.patch
@@ -0,0 +1,41 @@
+From foo@baz Sun 28 Jul 2019 11:11:16 AM CEST
+From: Takashi Iwai
+Date: Tue, 23 Jul 2019 17:15:25 +0200
+Subject: sky2: Disable MSI on ASUS P6T
+
+From: Takashi Iwai
+
+[ Upstream commit a261e3797506bd561700be643fe1a85bf81e9661 ]
+
+The onboard sky2 NIC on ASUS P6T WS PRO doesn't work after PM resume
+due to the infamous IRQ problem. Disabling MSI works around it, so
+let's add it to the blacklist.
+
+Unfortunately the BIOS on the machine doesn't fill the standard
+DMI_SYS_* entry, so we pick up DMI_BOARD_* entries instead.
+
+BugLink: https://bugzilla.suse.com/show_bug.cgi?id=1142496
+Reported-and-tested-by: Marcus Seyfarth
+Signed-off-by: Takashi Iwai
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/marvell/sky2.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/net/ethernet/marvell/sky2.c
++++ b/drivers/net/ethernet/marvell/sky2.c
+@@ -4939,6 +4939,13 @@ static const struct dmi_system_id msi_bl
+ DMI_MATCH(DMI_PRODUCT_NAME, "P-79"),
+ },
+ },
++ {
++ .ident = "ASUS P6T",
++ .matches = {
++ DMI_MATCH(DMI_BOARD_VENDOR, "ASUSTeK Computer INC."),
++ DMI_MATCH(DMI_BOARD_NAME, "P6T"),
++ },
++ },
+ {}
+ };
+
diff --git a/queue-4.4/tcp-reset-bytes_acked-and-bytes_received-when-disconnecting.patch b/queue-4.4/tcp-reset-bytes_acked-and-bytes_received-when-disconnecting.patch
new file mode 100644
index 00000000000..110358bd0b4
--- /dev/null
+++ b/queue-4.4/tcp-reset-bytes_acked-and-bytes_received-when-disconnecting.patch
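Review bot: `DMI_MATCH(DMI_BOARD_NAME, "P6T")` in the new blacklist entry is a substring match, so it turns MSI off on every ASUSTeK board whose board name contains "P6T", while the commit message reports the resume problem only on the P6T WS PRO. If the wider match is deliberate, say so next to the entry, for example `/* substring match on purpose: covers the whole P6T family */`. If it is not, match the full board name with `DMI_EXACT_MATCH` instead. The exact DMI string the affected board reports is not shown on this page and would have to come from the linked bug report.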
@@ -0,0 +1,35 @@
+From foo@baz Fri 26 Jul 2019 12:22:46 PM CEST
+From: Christoph Paasch
+Date: Sat, 6 Jul 2019 16:13:07 -0700
+Subject: tcp: Reset bytes_acked and bytes_received when disconnecting
+
+From: Christoph Paasch
+
+[ Upstream commit e858faf556d4e14c750ba1e8852783c6f9520a0e ]
+
+If an app is playing tricks to reuse a socket via tcp_disconnect(),
+bytes_acked/received needs to be reset to 0. Otherwise tcp_info will
+report the sum of the current and the old connection..
+
+Cc: Eric Dumazet
+Fixes: 0df48c26d841 ("tcp: add tcpi_bytes_acked to tcp_info")
+Fixes: bdd1f9edacb5 ("tcp: add tcpi_bytes_received to tcp_info")
+Signed-off-by: Christoph Paasch
+Signed-off-by: Eric Dumazet
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv4/tcp.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -2272,6 +2272,8 @@ int tcp_disconnect(struct sock *sk, int
+ dst_release(sk->sk_rx_dst);
+ sk->sk_rx_dst = NULL;
+ tcp_saved_syn_free(tp);
++ tp->bytes_acked = 0;
++ tp->bytes_received = 0;
+
+ WARN_ON(inet->inet_num && !icsk->icsk_bind_hash);
+
-- 2.47.3
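Review bot: `tp->bytes_acked = 0;` and `tp->bytes_received = 0;` in `tcp_disconnect()` are plain stores, which matters if these are 64-bit counters that `tcp_info` readers sample without holding the socket lock: a 32-bit build could then see a torn value while the reset is in progress. Neither the reader nor the other writers are in the hunk, so this needs checking against how the counters are updated elsewhere in the 4.4 tree. If those updates are wrapped in `u64_stats_update_begin(&tp->syncp)` / `u64_stats_update_end(&tp->syncp)`, the two resets should sit inside the same bracket. The function body starts and ends outside the hunk.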