From 5edc7307eace8ce5c86d7139e84508acedbb35e0 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Wed, 6 Nov 2019 17:36:26 +0100 Subject: [PATCH] 4.14-stable patches added patches: cxgb4-fix-panic-when-attaching-to-uld-fail.patch dccp-do-not-leak-jiffies-on-the-wire.patch erspan-fix-the-tun_info-options_len-check-for-erspan.patch inet-stop-leaking-jiffies-on-the-wire.patch net-add-read_once-annotation-in-__skb_wait_for_more_packets.patch net-add-skb_queue_empty_lockless.patch net-annotate-accesses-to-sk-sk_incoming_cpu.patch net-annotate-lockless-accesses-to-sk-sk_napi_id.patch net-bcmgenet-reset-40nm-ephy-on-energy-detect.patch net-dsa-b53-do-not-clear-existing-mirrored-port-mask.patch net-dsa-bcm_sf2-fix-imp-setup-for-port-different-than-8.patch net-dsa-fix-switch-tree-list.patch net-ethernet-ftgmac100-fix-dma-coherency-issue-with-sw-checksum.patch net-fix-sk_page_frag-recursion-from-memory-reclaim.patch net-hisilicon-fix-ping-latency-when-deal-with-high-throughput.patch net-mlx4_core-dynamically-set-guaranteed-amount-of-counters-per-vf.patch net-mlx5e-fix-handling-of-compressed-cqes-in-case-of-low-napi-budget.patch net-usb-lan78xx-connect-phy-before-registering-mac.patch net-use-skb_queue_empty_lockless-in-busy-poll-contexts.patch net-use-skb_queue_empty_lockless-in-poll-handlers.patch net-zeroing-the-structure-ethtool_wolinfo-in-ethtool_get_wol.patch r8152-add-device-id-for-lenovo-thinkpad-usb-c-dock-gen-2.patch selftests-net-reuseport_dualstack-fix-uninitalized-parameter.patch udp-fix-data-race-in-udp_set_dev_scratch.patch udp-use-skb_queue_empty_lockless.patch vxlan-check-tun_info-options_len-properly.patch --- ...fix-panic-when-attaching-to-uld-fail.patch | 98 ++++++++ ...dccp-do-not-leak-jiffies-on-the-wire.patch | 32 +++ ...un_info-options_len-check-for-erspan.patch | 34 +++ ...net-stop-leaking-jiffies-on-the-wire.patch | 94 +++++++ ...ation-in-__skb_wait_for_more_packets.patch | 79 ++++++ .../net-add-skb_queue_empty_lockless.patch | 93 +++++++ ...otate-accesses-to-sk-sk_incoming_cpu.patch | 158 ++++++++++++ ...e-lockless-accesses-to-sk-sk_napi_id.patch | 98 ++++++++ ...net-reset-40nm-ephy-on-energy-detect.patch | 62 +++++ ...ot-clear-existing-mirrored-port-mask.patch | 33 +++ ...-imp-setup-for-port-different-than-8.patch | 80 ++++++ queue-4.14/net-dsa-fix-switch-tree-list.patch | 32 +++ ...dma-coherency-issue-with-sw-checksum.patch | 73 ++++++ ...e_frag-recursion-from-memory-reclaim.patch | 160 ++++++++++++ ...tency-when-deal-with-high-throughput.patch | 76 ++++++ ...guaranteed-amount-of-counters-per-vf.patch | 94 +++++++ ...ssed-cqes-in-case-of-low-napi-budget.patch | 57 +++++ ...x-connect-phy-before-registering-mac.patch | 60 +++++ ...empty_lockless-in-busy-poll-contexts.patch | 69 +++++ ...ueue_empty_lockless-in-poll-handlers.patch | 235 ++++++++++++++++++ ...e-ethtool_wolinfo-in-ethtool_get_wol.patch | 36 +++ ...for-lenovo-thinkpad-usb-c-dock-gen-2.patch | 48 ++++ ...dualstack-fix-uninitalized-parameter.patch | 44 ++++ queue-4.14/series | 26 ++ ...fix-data-race-in-udp_set_dev_scratch.patch | 102 ++++++++ .../udp-use-skb_queue_empty_lockless.patch | 98 ++++++++ ...-check-tun_info-options_len-properly.patch | 37 +++ 27 files changed, 2108 insertions(+) create mode 100644 queue-4.14/cxgb4-fix-panic-when-attaching-to-uld-fail.patch create mode 100644 queue-4.14/dccp-do-not-leak-jiffies-on-the-wire.patch create mode 100644 queue-4.14/erspan-fix-the-tun_info-options_len-check-for-erspan.patch create mode 100644 queue-4.14/inet-stop-leaking-jiffies-on-the-wire.patch create mode 100644 queue-4.14/net-add-read_once-annotation-in-__skb_wait_for_more_packets.patch create mode 100644 queue-4.14/net-add-skb_queue_empty_lockless.patch create mode 100644 queue-4.14/net-annotate-accesses-to-sk-sk_incoming_cpu.patch create mode 100644 queue-4.14/net-annotate-lockless-accesses-to-sk-sk_napi_id.patch create mode 100644 queue-4.14/net-bcmgenet-reset-40nm-ephy-on-energy-detect.patch create mode 100644 queue-4.14/net-dsa-b53-do-not-clear-existing-mirrored-port-mask.patch create mode 100644 queue-4.14/net-dsa-bcm_sf2-fix-imp-setup-for-port-different-than-8.patch create mode 100644 queue-4.14/net-dsa-fix-switch-tree-list.patch create mode 100644 queue-4.14/net-ethernet-ftgmac100-fix-dma-coherency-issue-with-sw-checksum.patch create mode 100644 queue-4.14/net-fix-sk_page_frag-recursion-from-memory-reclaim.patch create mode 100644 queue-4.14/net-hisilicon-fix-ping-latency-when-deal-with-high-throughput.patch create mode 100644 queue-4.14/net-mlx4_core-dynamically-set-guaranteed-amount-of-counters-per-vf.patch create mode 100644 queue-4.14/net-mlx5e-fix-handling-of-compressed-cqes-in-case-of-low-napi-budget.patch create mode 100644 queue-4.14/net-usb-lan78xx-connect-phy-before-registering-mac.patch create mode 100644 queue-4.14/net-use-skb_queue_empty_lockless-in-busy-poll-contexts.patch create mode 100644 queue-4.14/net-use-skb_queue_empty_lockless-in-poll-handlers.patch create mode 100644 queue-4.14/net-zeroing-the-structure-ethtool_wolinfo-in-ethtool_get_wol.patch create mode 100644 queue-4.14/r8152-add-device-id-for-lenovo-thinkpad-usb-c-dock-gen-2.patch create mode 100644 queue-4.14/selftests-net-reuseport_dualstack-fix-uninitalized-parameter.patch create mode 100644 queue-4.14/udp-fix-data-race-in-udp_set_dev_scratch.patch create mode 100644 queue-4.14/udp-use-skb_queue_empty_lockless.patch create mode 100644 queue-4.14/vxlan-check-tun_info-options_len-properly.patch diff --git a/queue-4.14/cxgb4-fix-panic-when-attaching-to-uld-fail.patch b/queue-4.14/cxgb4-fix-panic-when-attaching-to-uld-fail.patch new file mode 100644 index 00000000000..4aaf5bb81e4 --- /dev/null +++ b/queue-4.14/cxgb4-fix-panic-when-attaching-to-uld-fail.patch @@ -0,0 +1,98 @@ +From foo@baz Wed 06 Nov 2019 04:08:37 PM CET +From: Vishal Kulkarni +Date: Wed, 30 Oct 2019 20:17:57 +0530 +Subject: cxgb4: fix panic when attaching to ULD fail + +From: Vishal Kulkarni + +[ Upstream commit fc89cc358fb64e2429aeae0f37906126636507ec ] + +Release resources when attaching to ULD fail. Otherwise, data +mismatch is seen between LLD and ULD later on, which lead to +kernel panic when accessing resources that should not even +exist in the first place. + +Fixes: 94cdb8bb993a ("cxgb4: Add support for dynamic allocation of resources for ULD") +Signed-off-by: Shahjada Abul Husain +Signed-off-by: Vishal Kulkarni +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/chelsio/cxgb4/cxgb4_uld.c | 29 ++++++++++++++----------- + 1 file changed, 17 insertions(+), 12 deletions(-) + +--- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_uld.c ++++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_uld.c +@@ -670,10 +670,10 @@ static void uld_init(struct adapter *ada + lld->fr_nsmr_tpte_wr_support = adap->params.fr_nsmr_tpte_wr_support; + } + +-static void uld_attach(struct adapter *adap, unsigned int uld) ++static int uld_attach(struct adapter *adap, unsigned int uld) + { +- void *handle; + struct cxgb4_lld_info lli; ++ void *handle; + + uld_init(adap, &lli); + uld_queue_init(adap, uld, &lli); +@@ -683,7 +683,7 @@ static void uld_attach(struct adapter *a + dev_warn(adap->pdev_dev, + "could not attach to the %s driver, error %ld\n", + adap->uld[uld].name, PTR_ERR(handle)); +- return; ++ return PTR_ERR(handle); + } + + adap->uld[uld].handle = handle; +@@ -691,23 +691,24 @@ static void uld_attach(struct adapter *a + + if (adap->flags & FULL_INIT_DONE) + adap->uld[uld].state_change(handle, CXGB4_STATE_UP); ++ ++ return 0; + } + +-/** +- * cxgb4_register_uld - register an upper-layer driver +- * @type: the ULD type +- * @p: the ULD methods ++/* cxgb4_register_uld - register an upper-layer driver ++ * @type: the ULD type ++ * @p: the ULD methods + * +- * Registers an upper-layer driver with this driver and notifies the ULD +- * about any presently available devices that support its type. Returns +- * %-EBUSY if a ULD of the same type is already registered. ++ * Registers an upper-layer driver with this driver and notifies the ULD ++ * about any presently available devices that support its type. Returns ++ * %-EBUSY if a ULD of the same type is already registered. + */ + int cxgb4_register_uld(enum cxgb4_uld type, + const struct cxgb4_uld_info *p) + { +- int ret = 0; + unsigned int adap_idx = 0; + struct adapter *adap; ++ int ret = 0; + + if (type >= CXGB4_ULD_MAX) + return -EINVAL; +@@ -741,12 +742,16 @@ int cxgb4_register_uld(enum cxgb4_uld ty + if (ret) + goto free_irq; + adap->uld[type] = *p; +- uld_attach(adap, type); ++ ret = uld_attach(adap, type); ++ if (ret) ++ goto free_txq; + adap_idx++; + } + mutex_unlock(&uld_mutex); + return 0; + ++free_txq: ++ release_sge_txq_uld(adap, type); + free_irq: + if (adap->flags & FULL_INIT_DONE) + quiesce_rx_uld(adap, type); diff --git a/queue-4.14/dccp-do-not-leak-jiffies-on-the-wire.patch b/queue-4.14/dccp-do-not-leak-jiffies-on-the-wire.patch new file mode 100644 index 00000000000..a8c5082c226 --- /dev/null +++ b/queue-4.14/dccp-do-not-leak-jiffies-on-the-wire.patch @@ -0,0 +1,32 @@ +From foo@baz Wed 06 Nov 2019 04:08:37 PM CET +From: Eric Dumazet +Date: Mon, 4 Nov 2019 07:57:55 -0800 +Subject: dccp: do not leak jiffies on the wire + +From: Eric Dumazet + +[ Upstream commit 3d1e5039f5f87a8731202ceca08764ee7cb010d3 ] + +For some reason I missed the case of DCCP passive +flows in my previous patch. + +Fixes: a904a0693c18 ("inet: stop leaking jiffies on the wire") +Signed-off-by: Eric Dumazet +Reported-by: Thiemo Nagel +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/dccp/ipv4.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/dccp/ipv4.c ++++ b/net/dccp/ipv4.c +@@ -417,7 +417,7 @@ struct sock *dccp_v4_request_recv_sock(c + RCU_INIT_POINTER(newinet->inet_opt, rcu_dereference(ireq->ireq_opt)); + newinet->mc_index = inet_iif(skb); + newinet->mc_ttl = ip_hdr(skb)->ttl; +- newinet->inet_id = jiffies; ++ newinet->inet_id = prandom_u32(); + + if (dst == NULL && (dst = inet_csk_route_child_sock(sk, newsk, req)) == NULL) + goto put_and_exit; diff --git a/queue-4.14/erspan-fix-the-tun_info-options_len-check-for-erspan.patch b/queue-4.14/erspan-fix-the-tun_info-options_len-check-for-erspan.patch new file mode 100644 index 00000000000..f30d06c8624 --- /dev/null +++ b/queue-4.14/erspan-fix-the-tun_info-options_len-check-for-erspan.patch @@ -0,0 +1,34 @@ +From foo@baz Wed 06 Nov 2019 04:08:37 PM CET +From: Xin Long +Date: Mon, 28 Oct 2019 23:19:35 +0800 +Subject: erspan: fix the tun_info options_len check for erspan + +From: Xin Long + +[ Upstream commit 2eb8d6d2910cfe3dc67dc056f26f3dd9c63d47cd ] + +The check for !md doens't really work for ip_tunnel_info_opts(info) which +only does info + 1. Also to avoid out-of-bounds access on info, it should +ensure options_len is not less than erspan_metadata in both erspan_xmit() +and ip6erspan_tunnel_xmit(). + +Fixes: 1a66a836da ("gre: add collect_md mode to ERSPAN tunnel") +Signed-off-by: Xin Long +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/ip_gre.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/net/ipv4/ip_gre.c ++++ b/net/ipv4/ip_gre.c +@@ -592,6 +592,9 @@ static void erspan_fb_xmit(struct sk_buf + truncate = true; + } + ++ if (tun_info->options_len < sizeof(*md)) ++ goto err_free_rt; ++ + md = ip_tunnel_info_opts(tun_info); + if (!md) + goto err_free_rt; diff --git a/queue-4.14/inet-stop-leaking-jiffies-on-the-wire.patch b/queue-4.14/inet-stop-leaking-jiffies-on-the-wire.patch new file mode 100644 index 00000000000..0b81102a282 --- /dev/null +++ b/queue-4.14/inet-stop-leaking-jiffies-on-the-wire.patch @@ -0,0 +1,94 @@ +From foo@baz Wed 06 Nov 2019 04:08:37 PM CET +From: Eric Dumazet +Date: Fri, 1 Nov 2019 10:32:19 -0700 +Subject: inet: stop leaking jiffies on the wire + +From: Eric Dumazet + +[ Upstream commit a904a0693c189691eeee64f6c6b188bd7dc244e9 ] + +Historically linux tried to stick to RFC 791, 1122, 2003 +for IPv4 ID field generation. + +RFC 6864 made clear that no matter how hard we try, +we can not ensure unicity of IP ID within maximum +lifetime for all datagrams with a given source +address/destination address/protocol tuple. + +Linux uses a per socket inet generator (inet_id), initialized +at connection startup with a XOR of 'jiffies' and other +fields that appear clear on the wire. + +Thiemo Nagel pointed that this strategy is a privacy +concern as this provides 16 bits of entropy to fingerprint +devices. + +Let's switch to a random starting point, this is just as +good as far as RFC 6864 is concerned and does not leak +anything critical. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Eric Dumazet +Reported-by: Thiemo Nagel +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/dccp/ipv4.c | 2 +- + net/ipv4/datagram.c | 2 +- + net/ipv4/tcp_ipv4.c | 4 ++-- + net/sctp/socket.c | 2 +- + 4 files changed, 5 insertions(+), 5 deletions(-) + +--- a/net/dccp/ipv4.c ++++ b/net/dccp/ipv4.c +@@ -121,7 +121,7 @@ int dccp_v4_connect(struct sock *sk, str + inet->inet_daddr, + inet->inet_sport, + inet->inet_dport); +- inet->inet_id = dp->dccps_iss ^ jiffies; ++ inet->inet_id = prandom_u32(); + + err = dccp_connect(sk); + rt = NULL; +--- a/net/ipv4/datagram.c ++++ b/net/ipv4/datagram.c +@@ -75,7 +75,7 @@ int __ip4_datagram_connect(struct sock * + inet->inet_dport = usin->sin_port; + sk->sk_state = TCP_ESTABLISHED; + sk_set_txhash(sk); +- inet->inet_id = jiffies; ++ inet->inet_id = prandom_u32(); + + sk_dst_set(sk, &rt->dst); + err = 0; +--- a/net/ipv4/tcp_ipv4.c ++++ b/net/ipv4/tcp_ipv4.c +@@ -245,7 +245,7 @@ int tcp_v4_connect(struct sock *sk, stru + inet->inet_daddr); + } + +- inet->inet_id = tp->write_seq ^ jiffies; ++ inet->inet_id = prandom_u32(); + + if (tcp_fastopen_defer_connect(sk, &err)) + return err; +@@ -1368,7 +1368,7 @@ struct sock *tcp_v4_syn_recv_sock(const + inet_csk(newsk)->icsk_ext_hdr_len = 0; + if (inet_opt) + inet_csk(newsk)->icsk_ext_hdr_len = inet_opt->opt.optlen; +- newinet->inet_id = newtp->write_seq ^ jiffies; ++ newinet->inet_id = prandom_u32(); + + if (!dst) { + dst = inet_csk_route_child_sock(sk, newsk, req); +--- a/net/sctp/socket.c ++++ b/net/sctp/socket.c +@@ -8136,7 +8136,7 @@ void sctp_copy_sock(struct sock *newsk, + newinet->inet_rcv_saddr = inet->inet_rcv_saddr; + newinet->inet_dport = htons(asoc->peer.port); + newinet->pmtudisc = inet->pmtudisc; +- newinet->inet_id = asoc->next_tsn ^ jiffies; ++ newinet->inet_id = prandom_u32(); + + newinet->uc_ttl = inet->uc_ttl; + newinet->mc_loop = 1; diff --git a/queue-4.14/net-add-read_once-annotation-in-__skb_wait_for_more_packets.patch b/queue-4.14/net-add-read_once-annotation-in-__skb_wait_for_more_packets.patch new file mode 100644 index 00000000000..6260e75fb3b --- /dev/null +++ b/queue-4.14/net-add-read_once-annotation-in-__skb_wait_for_more_packets.patch @@ -0,0 +1,79 @@ +From foo@baz Wed 06 Nov 2019 04:08:37 PM CET +From: Eric Dumazet +Date: Wed, 23 Oct 2019 22:44:52 -0700 +Subject: net: add READ_ONCE() annotation in __skb_wait_for_more_packets() + +From: Eric Dumazet + +[ Upstream commit 7c422d0ce97552dde4a97e6290de70ec6efb0fc6 ] + +__skb_wait_for_more_packets() can be called while other cpus +can feed packets to the socket receive queue. + +KCSAN reported : + +BUG: KCSAN: data-race in __skb_wait_for_more_packets / __udp_enqueue_schedule_skb + +write to 0xffff888102e40b58 of 8 bytes by interrupt on cpu 0: + __skb_insert include/linux/skbuff.h:1852 [inline] + __skb_queue_before include/linux/skbuff.h:1958 [inline] + __skb_queue_tail include/linux/skbuff.h:1991 [inline] + __udp_enqueue_schedule_skb+0x2d7/0x410 net/ipv4/udp.c:1470 + __udp_queue_rcv_skb net/ipv4/udp.c:1940 [inline] + udp_queue_rcv_one_skb+0x7bd/0xc70 net/ipv4/udp.c:2057 + udp_queue_rcv_skb+0xb5/0x400 net/ipv4/udp.c:2074 + udp_unicast_rcv_skb.isra.0+0x7e/0x1c0 net/ipv4/udp.c:2233 + __udp4_lib_rcv+0xa44/0x17c0 net/ipv4/udp.c:2300 + udp_rcv+0x2b/0x40 net/ipv4/udp.c:2470 + ip_protocol_deliver_rcu+0x4d/0x420 net/ipv4/ip_input.c:204 + ip_local_deliver_finish+0x110/0x140 net/ipv4/ip_input.c:231 + NF_HOOK include/linux/netfilter.h:305 [inline] + NF_HOOK include/linux/netfilter.h:299 [inline] + ip_local_deliver+0x133/0x210 net/ipv4/ip_input.c:252 + dst_input include/net/dst.h:442 [inline] + ip_rcv_finish+0x121/0x160 net/ipv4/ip_input.c:413 + NF_HOOK include/linux/netfilter.h:305 [inline] + NF_HOOK include/linux/netfilter.h:299 [inline] + ip_rcv+0x18f/0x1a0 net/ipv4/ip_input.c:523 + __netif_receive_skb_one_core+0xa7/0xe0 net/core/dev.c:5010 + __netif_receive_skb+0x37/0xf0 net/core/dev.c:5124 + process_backlog+0x1d3/0x420 net/core/dev.c:5955 + +read to 0xffff888102e40b58 of 8 bytes by task 13035 on cpu 1: + __skb_wait_for_more_packets+0xfa/0x320 net/core/datagram.c:100 + __skb_recv_udp+0x374/0x500 net/ipv4/udp.c:1683 + udp_recvmsg+0xe1/0xb10 net/ipv4/udp.c:1712 + inet_recvmsg+0xbb/0x250 net/ipv4/af_inet.c:838 + sock_recvmsg_nosec+0x5c/0x70 net/socket.c:871 + ___sys_recvmsg+0x1a0/0x3e0 net/socket.c:2480 + do_recvmmsg+0x19a/0x5c0 net/socket.c:2601 + __sys_recvmmsg+0x1ef/0x200 net/socket.c:2680 + __do_sys_recvmmsg net/socket.c:2703 [inline] + __se_sys_recvmmsg net/socket.c:2696 [inline] + __x64_sys_recvmmsg+0x89/0xb0 net/socket.c:2696 + do_syscall_64+0xcc/0x370 arch/x86/entry/common.c:290 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +Reported by Kernel Concurrency Sanitizer on: +CPU: 1 PID: 13035 Comm: syz-executor.3 Not tainted 5.4.0-rc3+ #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 + +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/core/datagram.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/core/datagram.c ++++ b/net/core/datagram.c +@@ -97,7 +97,7 @@ int __skb_wait_for_more_packets(struct s + if (error) + goto out_err; + +- if (sk->sk_receive_queue.prev != skb) ++ if (READ_ONCE(sk->sk_receive_queue.prev) != skb) + goto out; + + /* Socket shut down? */ diff --git a/queue-4.14/net-add-skb_queue_empty_lockless.patch b/queue-4.14/net-add-skb_queue_empty_lockless.patch new file mode 100644 index 00000000000..0fc9b9d54d6 --- /dev/null +++ b/queue-4.14/net-add-skb_queue_empty_lockless.patch @@ -0,0 +1,93 @@ +From foo@baz Wed 06 Nov 2019 04:08:37 PM CET +From: Eric Dumazet +Date: Wed, 23 Oct 2019 22:44:48 -0700 +Subject: net: add skb_queue_empty_lockless() + +From: Eric Dumazet + +[ Upstream commit d7d16a89350ab263484c0aa2b523dd3a234e4a80 ] + +Some paths call skb_queue_empty() without holding +the queue lock. We must use a barrier in order +to not let the compiler do strange things, and avoid +KCSAN splats. + +Adding a barrier in skb_queue_empty() might be overkill, +I prefer adding a new helper to clearly identify +points where the callers might be lockless. This might +help us finding real bugs. + +The corresponding WRITE_ONCE() should add zero cost +for current compilers. + +Signed-off-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/skbuff.h | 33 ++++++++++++++++++++++++--------- + 1 file changed, 24 insertions(+), 9 deletions(-) + +--- a/include/linux/skbuff.h ++++ b/include/linux/skbuff.h +@@ -1346,6 +1346,19 @@ static inline int skb_queue_empty(const + } + + /** ++ * skb_queue_empty_lockless - check if a queue is empty ++ * @list: queue head ++ * ++ * Returns true if the queue is empty, false otherwise. ++ * This variant can be used in lockless contexts. ++ */ ++static inline bool skb_queue_empty_lockless(const struct sk_buff_head *list) ++{ ++ return READ_ONCE(list->next) == (const struct sk_buff *) list; ++} ++ ++ ++/** + * skb_queue_is_last - check if skb is the last entry in the queue + * @list: queue head + * @skb: buffer +@@ -1709,9 +1722,11 @@ static inline void __skb_insert(struct s + struct sk_buff *prev, struct sk_buff *next, + struct sk_buff_head *list) + { +- newsk->next = next; +- newsk->prev = prev; +- next->prev = prev->next = newsk; ++ /* see skb_queue_empty_lockless() for the opposite READ_ONCE() */ ++ WRITE_ONCE(newsk->next, next); ++ WRITE_ONCE(newsk->prev, prev); ++ WRITE_ONCE(next->prev, newsk); ++ WRITE_ONCE(prev->next, newsk); + list->qlen++; + } + +@@ -1722,11 +1737,11 @@ static inline void __skb_queue_splice(co + struct sk_buff *first = list->next; + struct sk_buff *last = list->prev; + +- first->prev = prev; +- prev->next = first; ++ WRITE_ONCE(first->prev, prev); ++ WRITE_ONCE(prev->next, first); + +- last->next = next; +- next->prev = last; ++ WRITE_ONCE(last->next, next); ++ WRITE_ONCE(next->prev, last); + } + + /** +@@ -1867,8 +1882,8 @@ static inline void __skb_unlink(struct s + next = skb->next; + prev = skb->prev; + skb->next = skb->prev = NULL; +- next->prev = prev; +- prev->next = next; ++ WRITE_ONCE(next->prev, prev); ++ WRITE_ONCE(prev->next, next); + } + + /** diff --git a/queue-4.14/net-annotate-accesses-to-sk-sk_incoming_cpu.patch b/queue-4.14/net-annotate-accesses-to-sk-sk_incoming_cpu.patch new file mode 100644 index 00000000000..4aa445b2643 --- /dev/null +++ b/queue-4.14/net-annotate-accesses-to-sk-sk_incoming_cpu.patch @@ -0,0 +1,158 @@ +From foo@baz Wed 06 Nov 2019 04:08:37 PM CET +From: Eric Dumazet +Date: Wed, 30 Oct 2019 13:00:04 -0700 +Subject: net: annotate accesses to sk->sk_incoming_cpu + +From: Eric Dumazet + +[ Upstream commit 7170a977743b72cf3eb46ef6ef89885dc7ad3621 ] + +This socket field can be read and written by concurrent cpus. + +Use READ_ONCE() and WRITE_ONCE() annotations to document this, +and avoid some compiler 'optimizations'. + +KCSAN reported : + +BUG: KCSAN: data-race in tcp_v4_rcv / tcp_v4_rcv + +write to 0xffff88812220763c of 4 bytes by interrupt on cpu 0: + sk_incoming_cpu_update include/net/sock.h:953 [inline] + tcp_v4_rcv+0x1b3c/0x1bb0 net/ipv4/tcp_ipv4.c:1934 + ip_protocol_deliver_rcu+0x4d/0x420 net/ipv4/ip_input.c:204 + ip_local_deliver_finish+0x110/0x140 net/ipv4/ip_input.c:231 + NF_HOOK include/linux/netfilter.h:305 [inline] + NF_HOOK include/linux/netfilter.h:299 [inline] + ip_local_deliver+0x133/0x210 net/ipv4/ip_input.c:252 + dst_input include/net/dst.h:442 [inline] + ip_rcv_finish+0x121/0x160 net/ipv4/ip_input.c:413 + NF_HOOK include/linux/netfilter.h:305 [inline] + NF_HOOK include/linux/netfilter.h:299 [inline] + ip_rcv+0x18f/0x1a0 net/ipv4/ip_input.c:523 + __netif_receive_skb_one_core+0xa7/0xe0 net/core/dev.c:5010 + __netif_receive_skb+0x37/0xf0 net/core/dev.c:5124 + process_backlog+0x1d3/0x420 net/core/dev.c:5955 + napi_poll net/core/dev.c:6392 [inline] + net_rx_action+0x3ae/0xa90 net/core/dev.c:6460 + __do_softirq+0x115/0x33f kernel/softirq.c:292 + do_softirq_own_stack+0x2a/0x40 arch/x86/entry/entry_64.S:1082 + do_softirq.part.0+0x6b/0x80 kernel/softirq.c:337 + do_softirq kernel/softirq.c:329 [inline] + __local_bh_enable_ip+0x76/0x80 kernel/softirq.c:189 + +read to 0xffff88812220763c of 4 bytes by interrupt on cpu 1: + sk_incoming_cpu_update include/net/sock.h:952 [inline] + tcp_v4_rcv+0x181a/0x1bb0 net/ipv4/tcp_ipv4.c:1934 + ip_protocol_deliver_rcu+0x4d/0x420 net/ipv4/ip_input.c:204 + ip_local_deliver_finish+0x110/0x140 net/ipv4/ip_input.c:231 + NF_HOOK include/linux/netfilter.h:305 [inline] + NF_HOOK include/linux/netfilter.h:299 [inline] + ip_local_deliver+0x133/0x210 net/ipv4/ip_input.c:252 + dst_input include/net/dst.h:442 [inline] + ip_rcv_finish+0x121/0x160 net/ipv4/ip_input.c:413 + NF_HOOK include/linux/netfilter.h:305 [inline] + NF_HOOK include/linux/netfilter.h:299 [inline] + ip_rcv+0x18f/0x1a0 net/ipv4/ip_input.c:523 + __netif_receive_skb_one_core+0xa7/0xe0 net/core/dev.c:5010 + __netif_receive_skb+0x37/0xf0 net/core/dev.c:5124 + process_backlog+0x1d3/0x420 net/core/dev.c:5955 + napi_poll net/core/dev.c:6392 [inline] + net_rx_action+0x3ae/0xa90 net/core/dev.c:6460 + __do_softirq+0x115/0x33f kernel/softirq.c:292 + run_ksoftirqd+0x46/0x60 kernel/softirq.c:603 + smpboot_thread_fn+0x37d/0x4a0 kernel/smpboot.c:165 + +Reported by Kernel Concurrency Sanitizer on: +CPU: 1 PID: 16 Comm: ksoftirqd/1 Not tainted 5.4.0-rc3+ #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 + +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/net/sock.h | 4 ++-- + net/core/sock.c | 4 ++-- + net/ipv4/inet_hashtables.c | 2 +- + net/ipv4/udp.c | 2 +- + net/ipv6/inet6_hashtables.c | 2 +- + net/ipv6/udp.c | 2 +- + 6 files changed, 8 insertions(+), 8 deletions(-) + +--- a/include/net/sock.h ++++ b/include/net/sock.h +@@ -916,8 +916,8 @@ static inline void sk_incoming_cpu_updat + { + int cpu = raw_smp_processor_id(); + +- if (unlikely(sk->sk_incoming_cpu != cpu)) +- sk->sk_incoming_cpu = cpu; ++ if (unlikely(READ_ONCE(sk->sk_incoming_cpu) != cpu)) ++ WRITE_ONCE(sk->sk_incoming_cpu, cpu); + } + + static inline void sock_rps_record_flow_hash(__u32 hash) +--- a/net/core/sock.c ++++ b/net/core/sock.c +@@ -1039,7 +1039,7 @@ set_rcvbuf: + break; + + case SO_INCOMING_CPU: +- sk->sk_incoming_cpu = val; ++ WRITE_ONCE(sk->sk_incoming_cpu, val); + break; + + case SO_CNX_ADVICE: +@@ -1351,7 +1351,7 @@ int sock_getsockopt(struct socket *sock, + break; + + case SO_INCOMING_CPU: +- v.val = sk->sk_incoming_cpu; ++ v.val = READ_ONCE(sk->sk_incoming_cpu); + break; + + case SO_MEMINFO: +--- a/net/ipv4/inet_hashtables.c ++++ b/net/ipv4/inet_hashtables.c +@@ -193,7 +193,7 @@ static inline int compute_score(struct s + if (sk->sk_bound_dev_if) + score += 4; + } +- if (sk->sk_incoming_cpu == raw_smp_processor_id()) ++ if (READ_ONCE(sk->sk_incoming_cpu) == raw_smp_processor_id()) + score++; + } + return score; +--- a/net/ipv4/udp.c ++++ b/net/ipv4/udp.c +@@ -419,7 +419,7 @@ static int compute_score(struct sock *sk + score += 4; + } + +- if (sk->sk_incoming_cpu == raw_smp_processor_id()) ++ if (READ_ONCE(sk->sk_incoming_cpu) == raw_smp_processor_id()) + score++; + return score; + } +--- a/net/ipv6/inet6_hashtables.c ++++ b/net/ipv6/inet6_hashtables.c +@@ -118,7 +118,7 @@ static inline int compute_score(struct s + if (sk->sk_bound_dev_if) + score++; + } +- if (sk->sk_incoming_cpu == raw_smp_processor_id()) ++ if (READ_ONCE(sk->sk_incoming_cpu) == raw_smp_processor_id()) + score++; + } + return score; +--- a/net/ipv6/udp.c ++++ b/net/ipv6/udp.c +@@ -170,7 +170,7 @@ static int compute_score(struct sock *sk + score++; + } + +- if (sk->sk_incoming_cpu == raw_smp_processor_id()) ++ if (READ_ONCE(sk->sk_incoming_cpu) == raw_smp_processor_id()) + score++; + + return score; diff --git a/queue-4.14/net-annotate-lockless-accesses-to-sk-sk_napi_id.patch b/queue-4.14/net-annotate-lockless-accesses-to-sk-sk_napi_id.patch new file mode 100644 index 00000000000..63ccc19a3f8 --- /dev/null +++ b/queue-4.14/net-annotate-lockless-accesses-to-sk-sk_napi_id.patch @@ -0,0 +1,98 @@ +From foo@baz Wed 06 Nov 2019 04:08:37 PM CET +From: Eric Dumazet +Date: Tue, 29 Oct 2019 10:54:44 -0700 +Subject: net: annotate lockless accesses to sk->sk_napi_id + +From: Eric Dumazet + +[ Upstream commit ee8d153d46a3b98c064ee15c0c0a3bbf1450e5a1 ] + +We already annotated most accesses to sk->sk_napi_id + +We missed sk_mark_napi_id() and sk_mark_napi_id_once() +which might be called without socket lock held in UDP stack. + +KCSAN reported : +BUG: KCSAN: data-race in udpv6_queue_rcv_one_skb / udpv6_queue_rcv_one_skb + +write to 0xffff888121c6d108 of 4 bytes by interrupt on cpu 0: + sk_mark_napi_id include/net/busy_poll.h:125 [inline] + __udpv6_queue_rcv_skb net/ipv6/udp.c:571 [inline] + udpv6_queue_rcv_one_skb+0x70c/0xb40 net/ipv6/udp.c:672 + udpv6_queue_rcv_skb+0xb5/0x400 net/ipv6/udp.c:689 + udp6_unicast_rcv_skb.isra.0+0xd7/0x180 net/ipv6/udp.c:832 + __udp6_lib_rcv+0x69c/0x1770 net/ipv6/udp.c:913 + udpv6_rcv+0x2b/0x40 net/ipv6/udp.c:1015 + ip6_protocol_deliver_rcu+0x22a/0xbe0 net/ipv6/ip6_input.c:409 + ip6_input_finish+0x30/0x50 net/ipv6/ip6_input.c:450 + NF_HOOK include/linux/netfilter.h:305 [inline] + NF_HOOK include/linux/netfilter.h:299 [inline] + ip6_input+0x177/0x190 net/ipv6/ip6_input.c:459 + dst_input include/net/dst.h:442 [inline] + ip6_rcv_finish+0x110/0x140 net/ipv6/ip6_input.c:76 + NF_HOOK include/linux/netfilter.h:305 [inline] + NF_HOOK include/linux/netfilter.h:299 [inline] + ipv6_rcv+0x1a1/0x1b0 net/ipv6/ip6_input.c:284 + __netif_receive_skb_one_core+0xa7/0xe0 net/core/dev.c:5010 + __netif_receive_skb+0x37/0xf0 net/core/dev.c:5124 + process_backlog+0x1d3/0x420 net/core/dev.c:5955 + napi_poll net/core/dev.c:6392 [inline] + net_rx_action+0x3ae/0xa90 net/core/dev.c:6460 + +write to 0xffff888121c6d108 of 4 bytes by interrupt on cpu 1: + sk_mark_napi_id include/net/busy_poll.h:125 [inline] + __udpv6_queue_rcv_skb net/ipv6/udp.c:571 [inline] + udpv6_queue_rcv_one_skb+0x70c/0xb40 net/ipv6/udp.c:672 + udpv6_queue_rcv_skb+0xb5/0x400 net/ipv6/udp.c:689 + udp6_unicast_rcv_skb.isra.0+0xd7/0x180 net/ipv6/udp.c:832 + __udp6_lib_rcv+0x69c/0x1770 net/ipv6/udp.c:913 + udpv6_rcv+0x2b/0x40 net/ipv6/udp.c:1015 + ip6_protocol_deliver_rcu+0x22a/0xbe0 net/ipv6/ip6_input.c:409 + ip6_input_finish+0x30/0x50 net/ipv6/ip6_input.c:450 + NF_HOOK include/linux/netfilter.h:305 [inline] + NF_HOOK include/linux/netfilter.h:299 [inline] + ip6_input+0x177/0x190 net/ipv6/ip6_input.c:459 + dst_input include/net/dst.h:442 [inline] + ip6_rcv_finish+0x110/0x140 net/ipv6/ip6_input.c:76 + NF_HOOK include/linux/netfilter.h:305 [inline] + NF_HOOK include/linux/netfilter.h:299 [inline] + ipv6_rcv+0x1a1/0x1b0 net/ipv6/ip6_input.c:284 + __netif_receive_skb_one_core+0xa7/0xe0 net/core/dev.c:5010 + __netif_receive_skb+0x37/0xf0 net/core/dev.c:5124 + process_backlog+0x1d3/0x420 net/core/dev.c:5955 + +Reported by Kernel Concurrency Sanitizer on: +CPU: 1 PID: 10890 Comm: syz-executor.0 Not tainted 5.4.0-rc3+ #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 + +Fixes: e68b6e50fa35 ("udp: enable busy polling for all sockets") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/net/busy_poll.h | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/include/net/busy_poll.h ++++ b/include/net/busy_poll.h +@@ -134,7 +134,7 @@ static inline void skb_mark_napi_id(stru + static inline void sk_mark_napi_id(struct sock *sk, const struct sk_buff *skb) + { + #ifdef CONFIG_NET_RX_BUSY_POLL +- sk->sk_napi_id = skb->napi_id; ++ WRITE_ONCE(sk->sk_napi_id, skb->napi_id); + #endif + } + +@@ -143,8 +143,8 @@ static inline void sk_mark_napi_id_once( + const struct sk_buff *skb) + { + #ifdef CONFIG_NET_RX_BUSY_POLL +- if (!sk->sk_napi_id) +- sk->sk_napi_id = skb->napi_id; ++ if (!READ_ONCE(sk->sk_napi_id)) ++ WRITE_ONCE(sk->sk_napi_id, skb->napi_id); + #endif + } + diff --git a/queue-4.14/net-bcmgenet-reset-40nm-ephy-on-energy-detect.patch b/queue-4.14/net-bcmgenet-reset-40nm-ephy-on-energy-detect.patch new file mode 100644 index 00000000000..4e7905ce718 --- /dev/null +++ b/queue-4.14/net-bcmgenet-reset-40nm-ephy-on-energy-detect.patch @@ -0,0 +1,62 @@ +From foo@baz Wed 06 Nov 2019 04:08:37 PM CET +From: Doug Berger +Date: Wed, 16 Oct 2019 16:06:32 -0700 +Subject: net: bcmgenet: reset 40nm EPHY on energy detect + +From: Doug Berger + +[ Upstream commit 25382b991d252aed961cd434176240f9de6bb15f ] + +The EPHY integrated into the 40nm Set-Top Box devices can falsely +detect energy when connected to a disabled peer interface. When the +peer interface is enabled the EPHY will detect and report the link +as active, but on occasion may get into a state where it is not +able to exchange data with the connected GENET MAC. This issue has +not been observed when the link parameters are auto-negotiated; +however, it has been observed with a manually configured link. + +It has been empirically determined that issuing a soft reset to the +EPHY when energy is detected prevents it from getting into this bad +state. + +Fixes: 1c1008c793fa ("net: bcmgenet: add main driver file") +Signed-off-by: Doug Berger +Acked-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/broadcom/genet/bcmgenet.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c ++++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c +@@ -1985,6 +1985,8 @@ static void bcmgenet_link_intr_enable(st + */ + if (priv->internal_phy) { + int0_enable |= UMAC_IRQ_LINK_EVENT; ++ if (GENET_IS_V1(priv) || GENET_IS_V2(priv) || GENET_IS_V3(priv)) ++ int0_enable |= UMAC_IRQ_PHY_DET_R; + } else if (priv->ext_phy) { + int0_enable |= UMAC_IRQ_LINK_EVENT; + } else if (priv->phy_interface == PHY_INTERFACE_MODE_MOCA) { +@@ -2608,6 +2610,10 @@ static void bcmgenet_irq_task(struct wor + bcmgenet_power_up(priv, GENET_POWER_WOL_MAGIC); + } + ++ if (status & UMAC_IRQ_PHY_DET_R && ++ priv->dev->phydev->autoneg != AUTONEG_ENABLE) ++ phy_init_hw(priv->dev->phydev); ++ + /* Link UP/DOWN event */ + if (status & UMAC_IRQ_LINK_EVENT) + phy_mac_interrupt(priv->phydev, +@@ -2713,8 +2719,7 @@ static irqreturn_t bcmgenet_isr0(int irq + } + + /* all other interested interrupts handled in bottom half */ +- status &= (UMAC_IRQ_LINK_EVENT | +- UMAC_IRQ_MPD_R); ++ status &= (UMAC_IRQ_LINK_EVENT | UMAC_IRQ_MPD_R | UMAC_IRQ_PHY_DET_R); + if (status) { + /* Save irq status for bottom-half processing. */ + spin_lock_irqsave(&priv->lock, flags); diff --git a/queue-4.14/net-dsa-b53-do-not-clear-existing-mirrored-port-mask.patch b/queue-4.14/net-dsa-b53-do-not-clear-existing-mirrored-port-mask.patch new file mode 100644 index 00000000000..1d29beece4d --- /dev/null +++ b/queue-4.14/net-dsa-b53-do-not-clear-existing-mirrored-port-mask.patch @@ -0,0 +1,33 @@ +From foo@baz Wed 06 Nov 2019 04:08:37 PM CET +From: Florian Fainelli +Date: Sat, 5 Oct 2019 15:05:18 -0700 +Subject: net: dsa: b53: Do not clear existing mirrored port mask + +From: Florian Fainelli + +[ Upstream commit c763ac436b668d7417f0979430ec0312ede4093d ] + +Clearing the existing bitmask of mirrored ports essentially prevents us +from capturing more than one port at any given time. This is clearly +wrong, do not clear the bitmask prior to setting up the new port. + +Reported-by: Hubert Feurstein +Fixes: ed3af5fd08eb ("net: dsa: b53: Add support for port mirroring") +Signed-off-by: Florian Fainelli +Reviewed-by: Vivien Didelot +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/dsa/b53/b53_common.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/drivers/net/dsa/b53/b53_common.c ++++ b/drivers/net/dsa/b53/b53_common.c +@@ -1431,7 +1431,6 @@ int b53_mirror_add(struct dsa_switch *ds + loc = B53_EG_MIR_CTL; + + b53_read16(dev, B53_MGMT_PAGE, loc, ®); +- reg &= ~MIRROR_MASK; + reg |= BIT(port); + b53_write16(dev, B53_MGMT_PAGE, loc, reg); + diff --git a/queue-4.14/net-dsa-bcm_sf2-fix-imp-setup-for-port-different-than-8.patch b/queue-4.14/net-dsa-bcm_sf2-fix-imp-setup-for-port-different-than-8.patch new file mode 100644 index 00000000000..cda747ea604 --- /dev/null +++ b/queue-4.14/net-dsa-bcm_sf2-fix-imp-setup-for-port-different-than-8.patch @@ -0,0 +1,80 @@ +From foo@baz Wed 06 Nov 2019 04:08:37 PM CET +From: Florian Fainelli +Date: Thu, 31 Oct 2019 15:54:05 -0700 +Subject: net: dsa: bcm_sf2: Fix IMP setup for port different than 8 + +From: Florian Fainelli + +[ Upstream commit 5fc0f21246e50afdf318b5a3a941f7f4f57b8947 ] + +Since it became possible for the DSA core to use a CPU port different +than 8, our bcm_sf2_imp_setup() function was broken because it assumes +that registers are applicable to port 8. In particular, the port's MAC +is going to stay disabled, so make sure we clear the RX_DIS and TX_DIS +bits if we are not configured for port 8. + +Fixes: 9f91484f6fcc ("net: dsa: make "label" property optional for dsa2") +Signed-off-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/dsa/bcm_sf2.c | 36 +++++++++++++++++++++--------------- + 1 file changed, 21 insertions(+), 15 deletions(-) + +--- a/drivers/net/dsa/bcm_sf2.c ++++ b/drivers/net/dsa/bcm_sf2.c +@@ -106,22 +106,11 @@ static void bcm_sf2_imp_setup(struct dsa + unsigned int i; + u32 reg, offset; + +- if (priv->type == BCM7445_DEVICE_ID) +- offset = CORE_STS_OVERRIDE_IMP; +- else +- offset = CORE_STS_OVERRIDE_IMP2; +- + /* Enable the port memories */ + reg = core_readl(priv, CORE_MEM_PSM_VDD_CTRL); + reg &= ~P_TXQ_PSM_VDD(port); + core_writel(priv, reg, CORE_MEM_PSM_VDD_CTRL); + +- /* Enable Broadcast, Multicast, Unicast forwarding to IMP port */ +- reg = core_readl(priv, CORE_IMP_CTL); +- reg |= (RX_BCST_EN | RX_MCST_EN | RX_UCST_EN); +- reg &= ~(RX_DIS | TX_DIS); +- core_writel(priv, reg, CORE_IMP_CTL); +- + /* Enable forwarding */ + core_writel(priv, SW_FWDG_EN, CORE_SWMODE); + +@@ -140,10 +129,27 @@ static void bcm_sf2_imp_setup(struct dsa + + bcm_sf2_brcm_hdr_setup(priv, port); + +- /* Force link status for IMP port */ +- reg = core_readl(priv, offset); +- reg |= (MII_SW_OR | LINK_STS); +- core_writel(priv, reg, offset); ++ if (port == 8) { ++ if (priv->type == BCM7445_DEVICE_ID) ++ offset = CORE_STS_OVERRIDE_IMP; ++ else ++ offset = CORE_STS_OVERRIDE_IMP2; ++ ++ /* Force link status for IMP port */ ++ reg = core_readl(priv, offset); ++ reg |= (MII_SW_OR | LINK_STS); ++ core_writel(priv, reg, offset); ++ ++ /* Enable Broadcast, Multicast, Unicast forwarding to IMP port */ ++ reg = core_readl(priv, CORE_IMP_CTL); ++ reg |= (RX_BCST_EN | RX_MCST_EN | RX_UCST_EN); ++ reg &= ~(RX_DIS | TX_DIS); ++ core_writel(priv, reg, CORE_IMP_CTL); ++ } else { ++ reg = core_readl(priv, CORE_G_PCTL_PORT(port)); ++ reg &= ~(RX_DIS | TX_DIS); ++ core_writel(priv, reg, CORE_G_PCTL_PORT(port)); ++ } + } + + static void bcm_sf2_eee_enable_set(struct dsa_switch *ds, int port, bool enable) diff --git a/queue-4.14/net-dsa-fix-switch-tree-list.patch b/queue-4.14/net-dsa-fix-switch-tree-list.patch new file mode 100644 index 00000000000..48243e1fffb --- /dev/null +++ b/queue-4.14/net-dsa-fix-switch-tree-list.patch @@ -0,0 +1,32 @@ +From foo@baz Wed 06 Nov 2019 04:08:37 PM CET +From: Vivien Didelot +Date: Fri, 18 Oct 2019 17:02:46 -0400 +Subject: net: dsa: fix switch tree list + +From: Vivien Didelot + +[ Upstream commit 50c7d2ba9de20f60a2d527ad6928209ef67e4cdd ] + +If there are multiple switch trees on the device, only the last one +will be listed, because the arguments of list_add_tail are swapped. + +Fixes: 83c0afaec7b7 ("net: dsa: Add new binding implementation") +Signed-off-by: Vivien Didelot +Reviewed-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/dsa/dsa2.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/dsa/dsa2.c ++++ b/net/dsa/dsa2.c +@@ -62,7 +62,7 @@ static struct dsa_switch_tree *dsa_add_d + return NULL; + dst->tree = tree; + INIT_LIST_HEAD(&dst->list); +- list_add_tail(&dsa_switch_trees, &dst->list); ++ list_add_tail(&dst->list, &dsa_switch_trees); + kref_init(&dst->refcount); + + return dst; diff --git a/queue-4.14/net-ethernet-ftgmac100-fix-dma-coherency-issue-with-sw-checksum.patch b/queue-4.14/net-ethernet-ftgmac100-fix-dma-coherency-issue-with-sw-checksum.patch new file mode 100644 index 00000000000..aabebbe97fb --- /dev/null +++ b/queue-4.14/net-ethernet-ftgmac100-fix-dma-coherency-issue-with-sw-checksum.patch @@ -0,0 +1,73 @@ +From foo@baz Wed 06 Nov 2019 04:08:37 PM CET +From: Benjamin Herrenschmidt +Date: Fri, 25 Oct 2019 13:47:24 +1100 +Subject: net: ethernet: ftgmac100: Fix DMA coherency issue with SW checksum + +From: Benjamin Herrenschmidt + +[ Upstream commit 88824e3bf29a2fcacfd9ebbfe03063649f0f3254 ] + +We are calling the checksum helper after the dma_map_single() +call to map the packet. This is incorrect as the checksumming +code will touch the packet from the CPU. This means the cache +won't be properly flushes (or the bounce buffering will leave +us with the unmodified packet to DMA). + +This moves the calculation of the checksum & vlan tags to +before the DMA mapping. + +This also has the side effect of fixing another bug: If the +checksum helper fails, we goto "drop" to drop the packet, which +will not unmap the DMA mapping. + +Signed-off-by: Benjamin Herrenschmidt +Fixes: 05690d633f30 ("ftgmac100: Upgrade to NETIF_F_HW_CSUM") +Reviewed-by: Vijay Khemka +Tested-by: Vijay Khemka +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/faraday/ftgmac100.c | 25 ++++++++++++------------- + 1 file changed, 12 insertions(+), 13 deletions(-) + +--- a/drivers/net/ethernet/faraday/ftgmac100.c ++++ b/drivers/net/ethernet/faraday/ftgmac100.c +@@ -734,6 +734,18 @@ static int ftgmac100_hard_start_xmit(str + */ + nfrags = skb_shinfo(skb)->nr_frags; + ++ /* Setup HW checksumming */ ++ csum_vlan = 0; ++ if (skb->ip_summed == CHECKSUM_PARTIAL && ++ !ftgmac100_prep_tx_csum(skb, &csum_vlan)) ++ goto drop; ++ ++ /* Add VLAN tag */ ++ if (skb_vlan_tag_present(skb)) { ++ csum_vlan |= FTGMAC100_TXDES1_INS_VLANTAG; ++ csum_vlan |= skb_vlan_tag_get(skb) & 0xffff; ++ } ++ + /* Get header len */ + len = skb_headlen(skb); + +@@ -760,19 +772,6 @@ static int ftgmac100_hard_start_xmit(str + if (nfrags == 0) + f_ctl_stat |= FTGMAC100_TXDES0_LTS; + txdes->txdes3 = cpu_to_le32(map); +- +- /* Setup HW checksumming */ +- csum_vlan = 0; +- if (skb->ip_summed == CHECKSUM_PARTIAL && +- !ftgmac100_prep_tx_csum(skb, &csum_vlan)) +- goto drop; +- +- /* Add VLAN tag */ +- if (skb_vlan_tag_present(skb)) { +- csum_vlan |= FTGMAC100_TXDES1_INS_VLANTAG; +- csum_vlan |= skb_vlan_tag_get(skb) & 0xffff; +- } +- + txdes->txdes1 = cpu_to_le32(csum_vlan); + + /* Next descriptor */ diff --git a/queue-4.14/net-fix-sk_page_frag-recursion-from-memory-reclaim.patch b/queue-4.14/net-fix-sk_page_frag-recursion-from-memory-reclaim.patch new file mode 100644 index 00000000000..33827c50ce1 --- /dev/null +++ b/queue-4.14/net-fix-sk_page_frag-recursion-from-memory-reclaim.patch @@ -0,0 +1,160 @@ +From foo@baz Wed 06 Nov 2019 04:08:37 PM CET +From: Tejun Heo +Date: Thu, 24 Oct 2019 13:50:27 -0700 +Subject: net: fix sk_page_frag() recursion from memory reclaim + +From: Tejun Heo + +[ Upstream commit 20eb4f29b60286e0d6dc01d9c260b4bd383c58fb ] + +sk_page_frag() optimizes skb_frag allocations by using per-task +skb_frag cache when it knows it's the only user. The condition is +determined by seeing whether the socket allocation mask allows +blocking - if the allocation may block, it obviously owns the task's +context and ergo exclusively owns current->task_frag. + +Unfortunately, this misses recursion through memory reclaim path. +Please take a look at the following backtrace. + + [2] RIP: 0010:tcp_sendmsg_locked+0xccf/0xe10 + ... + tcp_sendmsg+0x27/0x40 + sock_sendmsg+0x30/0x40 + sock_xmit.isra.24+0xa1/0x170 [nbd] + nbd_send_cmd+0x1d2/0x690 [nbd] + nbd_queue_rq+0x1b5/0x3b0 [nbd] + __blk_mq_try_issue_directly+0x108/0x1b0 + blk_mq_request_issue_directly+0xbd/0xe0 + blk_mq_try_issue_list_directly+0x41/0xb0 + blk_mq_sched_insert_requests+0xa2/0xe0 + blk_mq_flush_plug_list+0x205/0x2a0 + blk_flush_plug_list+0xc3/0xf0 + [1] blk_finish_plug+0x21/0x2e + _xfs_buf_ioapply+0x313/0x460 + __xfs_buf_submit+0x67/0x220 + xfs_buf_read_map+0x113/0x1a0 + xfs_trans_read_buf_map+0xbf/0x330 + xfs_btree_read_buf_block.constprop.42+0x95/0xd0 + xfs_btree_lookup_get_block+0x95/0x170 + xfs_btree_lookup+0xcc/0x470 + xfs_bmap_del_extent_real+0x254/0x9a0 + __xfs_bunmapi+0x45c/0xab0 + xfs_bunmapi+0x15/0x30 + xfs_itruncate_extents_flags+0xca/0x250 + xfs_free_eofblocks+0x181/0x1e0 + xfs_fs_destroy_inode+0xa8/0x1b0 + destroy_inode+0x38/0x70 + dispose_list+0x35/0x50 + prune_icache_sb+0x52/0x70 + super_cache_scan+0x120/0x1a0 + do_shrink_slab+0x120/0x290 + shrink_slab+0x216/0x2b0 + shrink_node+0x1b6/0x4a0 + do_try_to_free_pages+0xc6/0x370 + try_to_free_mem_cgroup_pages+0xe3/0x1e0 + try_charge+0x29e/0x790 + mem_cgroup_charge_skmem+0x6a/0x100 + __sk_mem_raise_allocated+0x18e/0x390 + __sk_mem_schedule+0x2a/0x40 + [0] tcp_sendmsg_locked+0x8eb/0xe10 + tcp_sendmsg+0x27/0x40 + sock_sendmsg+0x30/0x40 + ___sys_sendmsg+0x26d/0x2b0 + __sys_sendmsg+0x57/0xa0 + do_syscall_64+0x42/0x100 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +In [0], tcp_send_msg_locked() was using current->page_frag when it +called sk_wmem_schedule(). It already calculated how many bytes can +be fit into current->page_frag. Due to memory pressure, +sk_wmem_schedule() called into memory reclaim path which called into +xfs and then IO issue path. Because the filesystem in question is +backed by nbd, the control goes back into the tcp layer - back into +tcp_sendmsg_locked(). + +nbd sets sk_allocation to (GFP_NOIO | __GFP_MEMALLOC) which makes +sense - it's in the process of freeing memory and wants to be able to, +e.g., drop clean pages to make forward progress. However, this +confused sk_page_frag() called from [2]. Because it only tests +whether the allocation allows blocking which it does, it now thinks +current->page_frag can be used again although it already was being +used in [0]. + +After [2] used current->page_frag, the offset would be increased by +the used amount. When the control returns to [0], +current->page_frag's offset is increased and the previously calculated +number of bytes now may overrun the end of allocated memory leading to +silent memory corruptions. + +Fix it by adding gfpflags_normal_context() which tests sleepable && +!reclaim and use it to determine whether to use current->task_frag. + +v2: Eric didn't like gfp flags being tested twice. Introduce a new + helper gfpflags_normal_context() and combine the two tests. + +Signed-off-by: Tejun Heo +Cc: Josef Bacik +Cc: Eric Dumazet +Cc: stable@vger.kernel.org +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/gfp.h | 23 +++++++++++++++++++++++ + include/net/sock.h | 11 ++++++++--- + 2 files changed, 31 insertions(+), 3 deletions(-) + +--- a/include/linux/gfp.h ++++ b/include/linux/gfp.h +@@ -313,6 +313,29 @@ static inline bool gfpflags_allow_blocki + return !!(gfp_flags & __GFP_DIRECT_RECLAIM); + } + ++/** ++ * gfpflags_normal_context - is gfp_flags a normal sleepable context? ++ * @gfp_flags: gfp_flags to test ++ * ++ * Test whether @gfp_flags indicates that the allocation is from the ++ * %current context and allowed to sleep. ++ * ++ * An allocation being allowed to block doesn't mean it owns the %current ++ * context. When direct reclaim path tries to allocate memory, the ++ * allocation context is nested inside whatever %current was doing at the ++ * time of the original allocation. The nested allocation may be allowed ++ * to block but modifying anything %current owns can corrupt the outer ++ * context's expectations. ++ * ++ * %true result from this function indicates that the allocation context ++ * can sleep and use anything that's associated with %current. ++ */ ++static inline bool gfpflags_normal_context(const gfp_t gfp_flags) ++{ ++ return (gfp_flags & (__GFP_DIRECT_RECLAIM | __GFP_MEMALLOC)) == ++ __GFP_DIRECT_RECLAIM; ++} ++ + #ifdef CONFIG_HIGHMEM + #define OPT_ZONE_HIGHMEM ZONE_HIGHMEM + #else +--- a/include/net/sock.h ++++ b/include/net/sock.h +@@ -2131,12 +2131,17 @@ struct sk_buff *sk_stream_alloc_skb(stru + * sk_page_frag - return an appropriate page_frag + * @sk: socket + * +- * If socket allocation mode allows current thread to sleep, it means its +- * safe to use the per task page_frag instead of the per socket one. ++ * Use the per task page_frag instead of the per socket one for ++ * optimization when we know that we're in the normal context and owns ++ * everything that's associated with %current. ++ * ++ * gfpflags_allow_blocking() isn't enough here as direct reclaim may nest ++ * inside other socket operations and end up recursing into sk_page_frag() ++ * while it's already in use. + */ + static inline struct page_frag *sk_page_frag(struct sock *sk) + { +- if (gfpflags_allow_blocking(sk->sk_allocation)) ++ if (gfpflags_normal_context(sk->sk_allocation)) + return ¤t->task_frag; + + return &sk->sk_frag; diff --git a/queue-4.14/net-hisilicon-fix-ping-latency-when-deal-with-high-throughput.patch b/queue-4.14/net-hisilicon-fix-ping-latency-when-deal-with-high-throughput.patch new file mode 100644 index 00000000000..94ac4d97a20 --- /dev/null +++ b/queue-4.14/net-hisilicon-fix-ping-latency-when-deal-with-high-throughput.patch @@ -0,0 +1,76 @@ +From foo@baz Wed 06 Nov 2019 04:08:37 PM CET +From: Jiangfeng Xiao +Date: Mon, 28 Oct 2019 13:09:46 +0800 +Subject: net: hisilicon: Fix ping latency when deal with high throughput + +From: Jiangfeng Xiao + +[ Upstream commit e56bd641ca61beb92b135298d5046905f920b734 ] + +This is due to error in over budget processing. +When dealing with high throughput, the used buffers +that exceeds the budget is not cleaned up. In addition, +it takes a lot of cycles to clean up the used buffer, +and then the buffer where the valid data is located can take effect. + +Signed-off-by: Jiangfeng Xiao +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/hisilicon/hip04_eth.c | 15 +++++++++------ + 1 file changed, 9 insertions(+), 6 deletions(-) + +--- a/drivers/net/ethernet/hisilicon/hip04_eth.c ++++ b/drivers/net/ethernet/hisilicon/hip04_eth.c +@@ -174,6 +174,7 @@ struct hip04_priv { + dma_addr_t rx_phys[RX_DESC_NUM]; + unsigned int rx_head; + unsigned int rx_buf_size; ++ unsigned int rx_cnt_remaining; + + struct device_node *phy_node; + struct phy_device *phy; +@@ -487,7 +488,6 @@ static int hip04_rx_poll(struct napi_str + struct hip04_priv *priv = container_of(napi, struct hip04_priv, napi); + struct net_device *ndev = priv->ndev; + struct net_device_stats *stats = &ndev->stats; +- unsigned int cnt = hip04_recv_cnt(priv); + struct rx_desc *desc; + struct sk_buff *skb; + unsigned char *buf; +@@ -500,8 +500,8 @@ static int hip04_rx_poll(struct napi_str + + /* clean up tx descriptors */ + tx_remaining = hip04_tx_reclaim(ndev, false); +- +- while (cnt && !last) { ++ priv->rx_cnt_remaining += hip04_recv_cnt(priv); ++ while (priv->rx_cnt_remaining && !last) { + buf = priv->rx_buf[priv->rx_head]; + skb = build_skb(buf, priv->rx_buf_size); + if (unlikely(!skb)) { +@@ -547,11 +547,13 @@ refill: + hip04_set_recv_desc(priv, phys); + + priv->rx_head = RX_NEXT(priv->rx_head); +- if (rx >= budget) ++ if (rx >= budget) { ++ --priv->rx_cnt_remaining; + goto done; ++ } + +- if (--cnt == 0) +- cnt = hip04_recv_cnt(priv); ++ if (--priv->rx_cnt_remaining == 0) ++ priv->rx_cnt_remaining += hip04_recv_cnt(priv); + } + + if (!(priv->reg_inten & RCV_INT)) { +@@ -636,6 +638,7 @@ static int hip04_mac_open(struct net_dev + int i; + + priv->rx_head = 0; ++ priv->rx_cnt_remaining = 0; + priv->tx_head = 0; + priv->tx_tail = 0; + hip04_reset_ppe(priv); diff --git a/queue-4.14/net-mlx4_core-dynamically-set-guaranteed-amount-of-counters-per-vf.patch b/queue-4.14/net-mlx4_core-dynamically-set-guaranteed-amount-of-counters-per-vf.patch new file mode 100644 index 00000000000..b596b6d242b --- /dev/null +++ b/queue-4.14/net-mlx4_core-dynamically-set-guaranteed-amount-of-counters-per-vf.patch @@ -0,0 +1,94 @@ +From foo@baz Wed 06 Nov 2019 04:08:37 PM CET +From: Eran Ben Elisha +Date: Sun, 27 Oct 2019 16:39:15 +0200 +Subject: net/mlx4_core: Dynamically set guaranteed amount of counters per VF + +From: Eran Ben Elisha + +[ Upstream commit e19868efea0c103f23b4b7e986fd0a703822111f ] + +Prior to this patch, the amount of counters guaranteed per VF in the +resource tracker was MLX4_VF_COUNTERS_PER_PORT * MLX4_MAX_PORTS. It was +set regardless if the VF was single or dual port. +This caused several VFs to have no guaranteed counters although the +system could satisfy their request. + +The fix is to dynamically guarantee counters, based on each VF +specification. + +Fixes: 9de92c60beaa ("net/mlx4_core: Adjust counter grant policy in the resource tracker") +Signed-off-by: Eran Ben Elisha +Signed-off-by: Jack Morgenstein +Signed-off-by: Tariq Toukan +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlx4/resource_tracker.c | 42 +++++++++++------- + 1 file changed, 26 insertions(+), 16 deletions(-) + +--- a/drivers/net/ethernet/mellanox/mlx4/resource_tracker.c ++++ b/drivers/net/ethernet/mellanox/mlx4/resource_tracker.c +@@ -471,12 +471,31 @@ void mlx4_init_quotas(struct mlx4_dev *d + priv->mfunc.master.res_tracker.res_alloc[RES_MPT].quota[pf]; + } + +-static int get_max_gauranteed_vfs_counter(struct mlx4_dev *dev) ++static int ++mlx4_calc_res_counter_guaranteed(struct mlx4_dev *dev, ++ struct resource_allocator *res_alloc, ++ int vf) + { +- /* reduce the sink counter */ +- return (dev->caps.max_counters - 1 - +- (MLX4_PF_COUNTERS_PER_PORT * MLX4_MAX_PORTS)) +- / MLX4_MAX_PORTS; ++ struct mlx4_active_ports actv_ports; ++ int ports, counters_guaranteed; ++ ++ /* For master, only allocate according to the number of phys ports */ ++ if (vf == mlx4_master_func_num(dev)) ++ return MLX4_PF_COUNTERS_PER_PORT * dev->caps.num_ports; ++ ++ /* calculate real number of ports for the VF */ ++ actv_ports = mlx4_get_active_ports(dev, vf); ++ ports = bitmap_weight(actv_ports.ports, dev->caps.num_ports); ++ counters_guaranteed = ports * MLX4_VF_COUNTERS_PER_PORT; ++ ++ /* If we do not have enough counters for this VF, do not ++ * allocate any for it. '-1' to reduce the sink counter. ++ */ ++ if ((res_alloc->res_reserved + counters_guaranteed) > ++ (dev->caps.max_counters - 1)) ++ return 0; ++ ++ return counters_guaranteed; + } + + int mlx4_init_resource_tracker(struct mlx4_dev *dev) +@@ -484,7 +503,6 @@ int mlx4_init_resource_tracker(struct ml + struct mlx4_priv *priv = mlx4_priv(dev); + int i, j; + int t; +- int max_vfs_guarantee_counter = get_max_gauranteed_vfs_counter(dev); + + priv->mfunc.master.res_tracker.slave_list = + kzalloc(dev->num_slaves * sizeof(struct slave_list), +@@ -601,16 +619,8 @@ int mlx4_init_resource_tracker(struct ml + break; + case RES_COUNTER: + res_alloc->quota[t] = dev->caps.max_counters; +- if (t == mlx4_master_func_num(dev)) +- res_alloc->guaranteed[t] = +- MLX4_PF_COUNTERS_PER_PORT * +- MLX4_MAX_PORTS; +- else if (t <= max_vfs_guarantee_counter) +- res_alloc->guaranteed[t] = +- MLX4_VF_COUNTERS_PER_PORT * +- MLX4_MAX_PORTS; +- else +- res_alloc->guaranteed[t] = 0; ++ res_alloc->guaranteed[t] = ++ mlx4_calc_res_counter_guaranteed(dev, res_alloc, t); + break; + default: + break; diff --git a/queue-4.14/net-mlx5e-fix-handling-of-compressed-cqes-in-case-of-low-napi-budget.patch b/queue-4.14/net-mlx5e-fix-handling-of-compressed-cqes-in-case-of-low-napi-budget.patch new file mode 100644 index 00000000000..d0c47340afa --- /dev/null +++ b/queue-4.14/net-mlx5e-fix-handling-of-compressed-cqes-in-case-of-low-napi-budget.patch @@ -0,0 +1,57 @@ +From foo@baz Wed 06 Nov 2019 04:08:37 PM CET +From: Maxim Mikityanskiy +Date: Mon, 16 Sep 2019 14:54:20 +0300 +Subject: net/mlx5e: Fix handling of compressed CQEs in case of low NAPI budget + +From: Maxim Mikityanskiy + +[ Upstream commit 9df86bdb6746d7fcfc2fda715f7a7c3d0ddb2654 ] + +When CQE compression is enabled, compressed CQEs use the following +structure: a title is followed by one or many blocks, each containing 8 +mini CQEs (except the last, which may contain fewer mini CQEs). + +Due to NAPI budget restriction, a complete structure is not always +parsed in one NAPI run, and some blocks with mini CQEs may be deferred +to the next NAPI poll call - we have the mlx5e_decompress_cqes_cont call +in the beginning of mlx5e_poll_rx_cq. However, if the budget is +extremely low, some blocks may be left even after that, but the code +that follows the mlx5e_decompress_cqes_cont call doesn't check it and +assumes that a new CQE begins, which may not be the case. In such cases, +random memory corruptions occur. + +An extremely low NAPI budget of 8 is used when busy_poll or busy_read is +active. + +This commit adds a check to make sure that the previous compressed CQE +has been completely parsed after mlx5e_decompress_cqes_cont, otherwise +it prevents a new CQE from being fetched in the middle of a compressed +CQE. + +This commit fixes random crashes in __build_skb, __page_pool_put_page +and other not-related-directly places, that used to happen when both CQE +compression and busy_poll/busy_read were enabled. + +Fixes: 7219ab34f184 ("net/mlx5e: CQE compression") +Signed-off-by: Maxim Mikityanskiy +Signed-off-by: Saeed Mahameed +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlx5/core/en_rx.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c +@@ -1093,8 +1093,11 @@ int mlx5e_poll_rx_cq(struct mlx5e_cq *cq + if (unlikely(!MLX5E_TEST_BIT(rq->state, MLX5E_RQ_STATE_ENABLED))) + return 0; + +- if (cq->decmprs_left) ++ if (cq->decmprs_left) { + work_done += mlx5e_decompress_cqes_cont(rq, cq, 0, budget); ++ if (cq->decmprs_left || work_done >= budget) ++ goto out; ++ } + + cqe = mlx5_cqwq_get_cqe(&cq->wq); + if (!cqe) { diff --git a/queue-4.14/net-usb-lan78xx-connect-phy-before-registering-mac.patch b/queue-4.14/net-usb-lan78xx-connect-phy-before-registering-mac.patch new file mode 100644 index 00000000000..63e9d7c1fa8 --- /dev/null +++ b/queue-4.14/net-usb-lan78xx-connect-phy-before-registering-mac.patch @@ -0,0 +1,60 @@ +From foo@baz Wed 06 Nov 2019 04:08:37 PM CET +From: Andrew Lunn +Date: Thu, 17 Oct 2019 21:29:26 +0200 +Subject: net: usb: lan78xx: Connect PHY before registering MAC + +From: Andrew Lunn + +[ Upstream commit 38b4fe320119859c11b1dc06f6b4987a16344fa1 ] + +As soon as the netdev is registers, the kernel can start using the +interface. If the driver connects the MAC to the PHY after the netdev +is registered, there is a race condition where the interface can be +opened without having the PHY connected. + +Change the order to close this race condition. + +Fixes: 92571a1aae40 ("lan78xx: Connect phy early") +Reported-by: Daniel Wagner +Signed-off-by: Andrew Lunn +Tested-by: Daniel Wagner +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/lan78xx.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +--- a/drivers/net/usb/lan78xx.c ++++ b/drivers/net/usb/lan78xx.c +@@ -3642,10 +3642,14 @@ static int lan78xx_probe(struct usb_inte + /* driver requires remote-wakeup capability during autosuspend. */ + intf->needs_remote_wakeup = 1; + ++ ret = lan78xx_phy_init(dev); ++ if (ret < 0) ++ goto out4; ++ + ret = register_netdev(netdev); + if (ret != 0) { + netif_err(dev, probe, netdev, "couldn't register the device\n"); +- goto out4; ++ goto out5; + } + + usb_set_intfdata(intf, dev); +@@ -3658,14 +3662,10 @@ static int lan78xx_probe(struct usb_inte + pm_runtime_set_autosuspend_delay(&udev->dev, + DEFAULT_AUTOSUSPEND_DELAY); + +- ret = lan78xx_phy_init(dev); +- if (ret < 0) +- goto out5; +- + return 0; + + out5: +- unregister_netdev(netdev); ++ phy_disconnect(netdev->phydev); + out4: + usb_free_urb(dev->urb_intr); + out3: diff --git a/queue-4.14/net-use-skb_queue_empty_lockless-in-busy-poll-contexts.patch b/queue-4.14/net-use-skb_queue_empty_lockless-in-busy-poll-contexts.patch new file mode 100644 index 00000000000..5001df14760 --- /dev/null +++ b/queue-4.14/net-use-skb_queue_empty_lockless-in-busy-poll-contexts.patch @@ -0,0 +1,69 @@ +From foo@baz Wed 06 Nov 2019 04:08:37 PM CET +From: Eric Dumazet +Date: Wed, 23 Oct 2019 22:44:51 -0700 +Subject: net: use skb_queue_empty_lockless() in busy poll contexts + +From: Eric Dumazet + +[ Upstream commit 3f926af3f4d688e2e11e7f8ed04e277a14d4d4a4 ] + +Busy polling usually runs without locks. +Let's use skb_queue_empty_lockless() instead of skb_queue_empty() + +Also uses READ_ONCE() in __skb_try_recv_datagram() to address +a similar potential problem. + +Signed-off-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/core/datagram.c | 2 +- + net/core/sock.c | 2 +- + net/ipv4/tcp.c | 2 +- + net/sctp/socket.c | 2 +- + 4 files changed, 4 insertions(+), 4 deletions(-) + +--- a/net/core/datagram.c ++++ b/net/core/datagram.c +@@ -281,7 +281,7 @@ struct sk_buff *__skb_try_recv_datagram( + break; + + sk_busy_loop(sk, flags & MSG_DONTWAIT); +- } while (sk->sk_receive_queue.prev != *last); ++ } while (READ_ONCE(sk->sk_receive_queue.prev) != *last); + + error = -EAGAIN; + +--- a/net/core/sock.c ++++ b/net/core/sock.c +@@ -3381,7 +3381,7 @@ bool sk_busy_loop_end(void *p, unsigned + { + struct sock *sk = p; + +- return !skb_queue_empty(&sk->sk_receive_queue) || ++ return !skb_queue_empty_lockless(&sk->sk_receive_queue) || + sk_busy_loop_timeout(sk, start_time); + } + EXPORT_SYMBOL(sk_busy_loop_end); +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -1787,7 +1787,7 @@ int tcp_recvmsg(struct sock *sk, struct + if (unlikely(flags & MSG_ERRQUEUE)) + return inet_recv_error(sk, msg, len, addr_len); + +- if (sk_can_busy_loop(sk) && skb_queue_empty(&sk->sk_receive_queue) && ++ if (sk_can_busy_loop(sk) && skb_queue_empty_lockless(&sk->sk_receive_queue) && + (sk->sk_state == TCP_ESTABLISHED)) + sk_busy_loop(sk, nonblock); + +--- a/net/sctp/socket.c ++++ b/net/sctp/socket.c +@@ -7716,7 +7716,7 @@ struct sk_buff *sctp_skb_recv_datagram(s + if (sk_can_busy_loop(sk)) { + sk_busy_loop(sk, noblock); + +- if (!skb_queue_empty(&sk->sk_receive_queue)) ++ if (!skb_queue_empty_lockless(&sk->sk_receive_queue)) + continue; + } + diff --git a/queue-4.14/net-use-skb_queue_empty_lockless-in-poll-handlers.patch b/queue-4.14/net-use-skb_queue_empty_lockless-in-poll-handlers.patch new file mode 100644 index 00000000000..2328f0dffbc --- /dev/null +++ b/queue-4.14/net-use-skb_queue_empty_lockless-in-poll-handlers.patch @@ -0,0 +1,235 @@ +From foo@baz Wed 06 Nov 2019 04:08:37 PM CET +From: Eric Dumazet +Date: Wed, 23 Oct 2019 22:44:50 -0700 +Subject: net: use skb_queue_empty_lockless() in poll() handlers + +From: Eric Dumazet + +[ Upstream commit 3ef7cf57c72f32f61e97f8fa401bc39ea1f1a5d4 ] + +Many poll() handlers are lockless. Using skb_queue_empty_lockless() +instead of skb_queue_empty() is more appropriate. + +Signed-off-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/isdn/capi/capi.c | 2 +- + net/atm/common.c | 2 +- + net/bluetooth/af_bluetooth.c | 4 ++-- + net/caif/caif_socket.c | 2 +- + net/core/datagram.c | 4 ++-- + net/ipv4/tcp.c | 2 +- + net/ipv4/udp.c | 2 +- + net/nfc/llcp_sock.c | 4 ++-- + net/phonet/socket.c | 4 ++-- + net/sctp/socket.c | 4 ++-- + net/tipc/socket.c | 4 ++-- + net/unix/af_unix.c | 6 +++--- + net/vmw_vsock/af_vsock.c | 2 +- + 13 files changed, 21 insertions(+), 21 deletions(-) + +--- a/drivers/isdn/capi/capi.c ++++ b/drivers/isdn/capi/capi.c +@@ -743,7 +743,7 @@ capi_poll(struct file *file, poll_table + + poll_wait(file, &(cdev->recvwait), wait); + mask = POLLOUT | POLLWRNORM; +- if (!skb_queue_empty(&cdev->recvqueue)) ++ if (!skb_queue_empty_lockless(&cdev->recvqueue)) + mask |= POLLIN | POLLRDNORM; + return mask; + } +--- a/net/atm/common.c ++++ b/net/atm/common.c +@@ -667,7 +667,7 @@ unsigned int vcc_poll(struct file *file, + mask |= POLLHUP; + + /* readable? */ +- if (!skb_queue_empty(&sk->sk_receive_queue)) ++ if (!skb_queue_empty_lockless(&sk->sk_receive_queue)) + mask |= POLLIN | POLLRDNORM; + + /* writable? */ +--- a/net/bluetooth/af_bluetooth.c ++++ b/net/bluetooth/af_bluetooth.c +@@ -460,7 +460,7 @@ unsigned int bt_sock_poll(struct file *f + if (sk->sk_state == BT_LISTEN) + return bt_accept_poll(sk); + +- if (sk->sk_err || !skb_queue_empty(&sk->sk_error_queue)) ++ if (sk->sk_err || !skb_queue_empty_lockless(&sk->sk_error_queue)) + mask |= POLLERR | + (sock_flag(sk, SOCK_SELECT_ERR_QUEUE) ? POLLPRI : 0); + +@@ -470,7 +470,7 @@ unsigned int bt_sock_poll(struct file *f + if (sk->sk_shutdown == SHUTDOWN_MASK) + mask |= POLLHUP; + +- if (!skb_queue_empty(&sk->sk_receive_queue)) ++ if (!skb_queue_empty_lockless(&sk->sk_receive_queue)) + mask |= POLLIN | POLLRDNORM; + + if (sk->sk_state == BT_CLOSED) +--- a/net/caif/caif_socket.c ++++ b/net/caif/caif_socket.c +@@ -953,7 +953,7 @@ static unsigned int caif_poll(struct fil + mask |= POLLRDHUP; + + /* readable? */ +- if (!skb_queue_empty(&sk->sk_receive_queue) || ++ if (!skb_queue_empty_lockless(&sk->sk_receive_queue) || + (sk->sk_shutdown & RCV_SHUTDOWN)) + mask |= POLLIN | POLLRDNORM; + +--- a/net/core/datagram.c ++++ b/net/core/datagram.c +@@ -844,7 +844,7 @@ unsigned int datagram_poll(struct file * + mask = 0; + + /* exceptional events? */ +- if (sk->sk_err || !skb_queue_empty(&sk->sk_error_queue)) ++ if (sk->sk_err || !skb_queue_empty_lockless(&sk->sk_error_queue)) + mask |= POLLERR | + (sock_flag(sk, SOCK_SELECT_ERR_QUEUE) ? POLLPRI : 0); + +@@ -854,7 +854,7 @@ unsigned int datagram_poll(struct file * + mask |= POLLHUP; + + /* readable? */ +- if (!skb_queue_empty(&sk->sk_receive_queue)) ++ if (!skb_queue_empty_lockless(&sk->sk_receive_queue)) + mask |= POLLIN | POLLRDNORM; + + /* Connection-based need to check for termination and startup */ +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -574,7 +574,7 @@ unsigned int tcp_poll(struct file *file, + } + /* This barrier is coupled with smp_wmb() in tcp_reset() */ + smp_rmb(); +- if (sk->sk_err || !skb_queue_empty(&sk->sk_error_queue)) ++ if (sk->sk_err || !skb_queue_empty_lockless(&sk->sk_error_queue)) + mask |= POLLERR; + + return mask; +--- a/net/ipv4/udp.c ++++ b/net/ipv4/udp.c +@@ -2550,7 +2550,7 @@ unsigned int udp_poll(struct file *file, + unsigned int mask = datagram_poll(file, sock, wait); + struct sock *sk = sock->sk; + +- if (!skb_queue_empty(&udp_sk(sk)->reader_queue)) ++ if (!skb_queue_empty_lockless(&udp_sk(sk)->reader_queue)) + mask |= POLLIN | POLLRDNORM; + + sock_rps_record_flow(sk); +--- a/net/nfc/llcp_sock.c ++++ b/net/nfc/llcp_sock.c +@@ -567,11 +567,11 @@ static unsigned int llcp_sock_poll(struc + if (sk->sk_state == LLCP_LISTEN) + return llcp_accept_poll(sk); + +- if (sk->sk_err || !skb_queue_empty(&sk->sk_error_queue)) ++ if (sk->sk_err || !skb_queue_empty_lockless(&sk->sk_error_queue)) + mask |= POLLERR | + (sock_flag(sk, SOCK_SELECT_ERR_QUEUE) ? POLLPRI : 0); + +- if (!skb_queue_empty(&sk->sk_receive_queue)) ++ if (!skb_queue_empty_lockless(&sk->sk_receive_queue)) + mask |= POLLIN | POLLRDNORM; + + if (sk->sk_state == LLCP_CLOSED) +--- a/net/phonet/socket.c ++++ b/net/phonet/socket.c +@@ -352,9 +352,9 @@ static unsigned int pn_socket_poll(struc + + if (sk->sk_state == TCP_CLOSE) + return POLLERR; +- if (!skb_queue_empty(&sk->sk_receive_queue)) ++ if (!skb_queue_empty_lockless(&sk->sk_receive_queue)) + mask |= POLLIN | POLLRDNORM; +- if (!skb_queue_empty(&pn->ctrlreq_queue)) ++ if (!skb_queue_empty_lockless(&pn->ctrlreq_queue)) + mask |= POLLPRI; + if (!mask && sk->sk_state == TCP_CLOSE_WAIT) + return POLLHUP; +--- a/net/sctp/socket.c ++++ b/net/sctp/socket.c +@@ -7371,7 +7371,7 @@ unsigned int sctp_poll(struct file *file + mask = 0; + + /* Is there any exceptional events? */ +- if (sk->sk_err || !skb_queue_empty(&sk->sk_error_queue)) ++ if (sk->sk_err || !skb_queue_empty_lockless(&sk->sk_error_queue)) + mask |= POLLERR | + (sock_flag(sk, SOCK_SELECT_ERR_QUEUE) ? POLLPRI : 0); + if (sk->sk_shutdown & RCV_SHUTDOWN) +@@ -7380,7 +7380,7 @@ unsigned int sctp_poll(struct file *file + mask |= POLLHUP; + + /* Is it readable? Reconsider this code with TCP-style support. */ +- if (!skb_queue_empty(&sk->sk_receive_queue)) ++ if (!skb_queue_empty_lockless(&sk->sk_receive_queue)) + mask |= POLLIN | POLLRDNORM; + + /* The association is either gone or not ready. */ +--- a/net/tipc/socket.c ++++ b/net/tipc/socket.c +@@ -714,14 +714,14 @@ static unsigned int tipc_poll(struct fil + /* fall thru' */ + case TIPC_LISTEN: + case TIPC_CONNECTING: +- if (!skb_queue_empty(&sk->sk_receive_queue)) ++ if (!skb_queue_empty_lockless(&sk->sk_receive_queue)) + mask |= (POLLIN | POLLRDNORM); + break; + case TIPC_OPEN: + if (!tsk->cong_link_cnt) + mask |= POLLOUT; + if (tipc_sk_type_connectionless(sk) && +- (!skb_queue_empty(&sk->sk_receive_queue))) ++ (!skb_queue_empty_lockless(&sk->sk_receive_queue))) + mask |= (POLLIN | POLLRDNORM); + break; + case TIPC_DISCONNECTING: +--- a/net/unix/af_unix.c ++++ b/net/unix/af_unix.c +@@ -2665,7 +2665,7 @@ static unsigned int unix_poll(struct fil + mask |= POLLRDHUP | POLLIN | POLLRDNORM; + + /* readable? */ +- if (!skb_queue_empty(&sk->sk_receive_queue)) ++ if (!skb_queue_empty_lockless(&sk->sk_receive_queue)) + mask |= POLLIN | POLLRDNORM; + + /* Connection-based need to check for termination and startup */ +@@ -2693,7 +2693,7 @@ static unsigned int unix_dgram_poll(stru + mask = 0; + + /* exceptional events? */ +- if (sk->sk_err || !skb_queue_empty(&sk->sk_error_queue)) ++ if (sk->sk_err || !skb_queue_empty_lockless(&sk->sk_error_queue)) + mask |= POLLERR | + (sock_flag(sk, SOCK_SELECT_ERR_QUEUE) ? POLLPRI : 0); + +@@ -2703,7 +2703,7 @@ static unsigned int unix_dgram_poll(stru + mask |= POLLHUP; + + /* readable? */ +- if (!skb_queue_empty(&sk->sk_receive_queue)) ++ if (!skb_queue_empty_lockless(&sk->sk_receive_queue)) + mask |= POLLIN | POLLRDNORM; + + /* Connection-based need to check for termination and startup */ +--- a/net/vmw_vsock/af_vsock.c ++++ b/net/vmw_vsock/af_vsock.c +@@ -880,7 +880,7 @@ static unsigned int vsock_poll(struct fi + * the queue and write as long as the socket isn't shutdown for + * sending. + */ +- if (!skb_queue_empty(&sk->sk_receive_queue) || ++ if (!skb_queue_empty_lockless(&sk->sk_receive_queue) || + (sk->sk_shutdown & RCV_SHUTDOWN)) { + mask |= POLLIN | POLLRDNORM; + } diff --git a/queue-4.14/net-zeroing-the-structure-ethtool_wolinfo-in-ethtool_get_wol.patch b/queue-4.14/net-zeroing-the-structure-ethtool_wolinfo-in-ethtool_get_wol.patch new file mode 100644 index 00000000000..3df248b307e --- /dev/null +++ b/queue-4.14/net-zeroing-the-structure-ethtool_wolinfo-in-ethtool_get_wol.patch @@ -0,0 +1,36 @@ +From foo@baz Wed 06 Nov 2019 04:08:37 PM CET +From: zhanglin +Date: Sat, 26 Oct 2019 15:54:16 +0800 +Subject: net: Zeroing the structure ethtool_wolinfo in ethtool_get_wol() + +From: zhanglin + +[ Upstream commit 5ff223e86f5addbfae26419cbb5d61d98f6fbf7d ] + +memset() the structure ethtool_wolinfo that has padded bytes +but the padded bytes have not been zeroed out. + +Signed-off-by: zhanglin +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/core/ethtool.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/net/core/ethtool.c ++++ b/net/core/ethtool.c +@@ -1450,11 +1450,13 @@ static int ethtool_reset(struct net_devi + + static int ethtool_get_wol(struct net_device *dev, char __user *useraddr) + { +- struct ethtool_wolinfo wol = { .cmd = ETHTOOL_GWOL }; ++ struct ethtool_wolinfo wol; + + if (!dev->ethtool_ops->get_wol) + return -EOPNOTSUPP; + ++ memset(&wol, 0, sizeof(struct ethtool_wolinfo)); ++ wol.cmd = ETHTOOL_GWOL; + dev->ethtool_ops->get_wol(dev, &wol); + + if (copy_to_user(useraddr, &wol, sizeof(wol))) diff --git a/queue-4.14/r8152-add-device-id-for-lenovo-thinkpad-usb-c-dock-gen-2.patch b/queue-4.14/r8152-add-device-id-for-lenovo-thinkpad-usb-c-dock-gen-2.patch new file mode 100644 index 00000000000..fffc8e5c493 --- /dev/null +++ b/queue-4.14/r8152-add-device-id-for-lenovo-thinkpad-usb-c-dock-gen-2.patch @@ -0,0 +1,48 @@ +From foo@baz Wed 06 Nov 2019 04:08:37 PM CET +From: Kazutoshi Noguchi +Date: Mon, 21 Oct 2019 00:03:07 +0900 +Subject: r8152: add device id for Lenovo ThinkPad USB-C Dock Gen 2 + +From: Kazutoshi Noguchi + +[ Upstream commit b3060531979422d5bb18d80226f978910284dc70 ] + +This device is sold as 'ThinkPad USB-C Dock Gen 2 (40AS)'. +Chipset is RTL8153 and works with r8152. +Without this, the generic cdc_ether grabs the device, and the device jam +connected networks up when the machine suspends. + +Signed-off-by: Kazutoshi Noguchi +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/cdc_ether.c | 7 +++++++ + drivers/net/usb/r8152.c | 1 + + 2 files changed, 8 insertions(+) + +--- a/drivers/net/usb/cdc_ether.c ++++ b/drivers/net/usb/cdc_ether.c +@@ -800,6 +800,13 @@ static const struct usb_device_id produc + .driver_info = 0, + }, + ++/* ThinkPad USB-C Dock Gen 2 (based on Realtek RTL8153) */ ++{ ++ USB_DEVICE_AND_INTERFACE_INFO(LENOVO_VENDOR_ID, 0xa387, USB_CLASS_COMM, ++ USB_CDC_SUBCLASS_ETHERNET, USB_CDC_PROTO_NONE), ++ .driver_info = 0, ++}, ++ + /* NVIDIA Tegra USB 3.0 Ethernet Adapters (based on Realtek RTL8153) */ + { + USB_DEVICE_AND_INTERFACE_INFO(NVIDIA_VENDOR_ID, 0x09ff, USB_CLASS_COMM, +--- a/drivers/net/usb/r8152.c ++++ b/drivers/net/usb/r8152.c +@@ -5324,6 +5324,7 @@ static const struct usb_device_id rtl815 + {REALTEK_USB_DEVICE(VENDOR_ID_LENOVO, 0x7205)}, + {REALTEK_USB_DEVICE(VENDOR_ID_LENOVO, 0x720c)}, + {REALTEK_USB_DEVICE(VENDOR_ID_LENOVO, 0x7214)}, ++ {REALTEK_USB_DEVICE(VENDOR_ID_LENOVO, 0xa387)}, + {REALTEK_USB_DEVICE(VENDOR_ID_LINKSYS, 0x0041)}, + {REALTEK_USB_DEVICE(VENDOR_ID_NVIDIA, 0x09ff)}, + {REALTEK_USB_DEVICE(VENDOR_ID_TPLINK, 0x0601)}, diff --git a/queue-4.14/selftests-net-reuseport_dualstack-fix-uninitalized-parameter.patch b/queue-4.14/selftests-net-reuseport_dualstack-fix-uninitalized-parameter.patch new file mode 100644 index 00000000000..a17874b30a8 --- /dev/null +++ b/queue-4.14/selftests-net-reuseport_dualstack-fix-uninitalized-parameter.patch @@ -0,0 +1,44 @@ +From foo@baz Wed 06 Nov 2019 04:08:37 PM CET +From: Wei Wang +Date: Thu, 31 Oct 2019 16:24:36 -0700 +Subject: selftests: net: reuseport_dualstack: fix uninitalized parameter + +From: Wei Wang + +[ Upstream commit d64479a3e3f9924074ca7b50bd72fa5211dca9c1 ] + +This test reports EINVAL for getsockopt(SOL_SOCKET, SO_DOMAIN) +occasionally due to the uninitialized length parameter. +Initialize it to fix this, and also use int for "test_family" to comply +with the API standard. + +Fixes: d6a61f80b871 ("soreuseport: test mixed v4/v6 sockets") +Reported-by: Maciej Å»enczykowski +Signed-off-by: Eric Dumazet +Signed-off-by: Wei Wang +Cc: Craig Gallek +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/net/reuseport_dualstack.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/tools/testing/selftests/net/reuseport_dualstack.c ++++ b/tools/testing/selftests/net/reuseport_dualstack.c +@@ -129,7 +129,7 @@ static void test(int *rcv_fds, int count + { + struct epoll_event ev; + int epfd, i, test_fd; +- uint16_t test_family; ++ int test_family; + socklen_t len; + + epfd = epoll_create(1); +@@ -146,6 +146,7 @@ static void test(int *rcv_fds, int count + send_from_v4(proto); + + test_fd = receive_once(epfd, proto); ++ len = sizeof(test_family); + if (getsockopt(test_fd, SOL_SOCKET, SO_DOMAIN, &test_family, &len)) + error(1, errno, "failed to read socket domain"); + if (test_family != AF_INET) diff --git a/queue-4.14/series b/queue-4.14/series index 68d215df81e..1b2e31425ac 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -20,3 +20,29 @@ mips-bmips-mark-exception-vectors-as-char-arrays.patch i2c-stm32f7-remove-warning-when-compiling-with-w-1.patch cifs-fix-cifsinodeinfo-lock_sem-deadlock-when-reconn.patch nbd-handle-racing-with-error-ed-out-commands.patch +cxgb4-fix-panic-when-attaching-to-uld-fail.patch +dccp-do-not-leak-jiffies-on-the-wire.patch +net-annotate-accesses-to-sk-sk_incoming_cpu.patch +net-annotate-lockless-accesses-to-sk-sk_napi_id.patch +net-dsa-bcm_sf2-fix-imp-setup-for-port-different-than-8.patch +net-ethernet-ftgmac100-fix-dma-coherency-issue-with-sw-checksum.patch +net-fix-sk_page_frag-recursion-from-memory-reclaim.patch +net-hisilicon-fix-ping-latency-when-deal-with-high-throughput.patch +net-mlx4_core-dynamically-set-guaranteed-amount-of-counters-per-vf.patch +net-zeroing-the-structure-ethtool_wolinfo-in-ethtool_get_wol.patch +selftests-net-reuseport_dualstack-fix-uninitalized-parameter.patch +udp-fix-data-race-in-udp_set_dev_scratch.patch +net-add-read_once-annotation-in-__skb_wait_for_more_packets.patch +net-mlx5e-fix-handling-of-compressed-cqes-in-case-of-low-napi-budget.patch +net-dsa-b53-do-not-clear-existing-mirrored-port-mask.patch +net-usb-lan78xx-connect-phy-before-registering-mac.patch +r8152-add-device-id-for-lenovo-thinkpad-usb-c-dock-gen-2.patch +net-dsa-fix-switch-tree-list.patch +net-bcmgenet-reset-40nm-ephy-on-energy-detect.patch +net-add-skb_queue_empty_lockless.patch +udp-use-skb_queue_empty_lockless.patch +net-use-skb_queue_empty_lockless-in-poll-handlers.patch +net-use-skb_queue_empty_lockless-in-busy-poll-contexts.patch +vxlan-check-tun_info-options_len-properly.patch +erspan-fix-the-tun_info-options_len-check-for-erspan.patch +inet-stop-leaking-jiffies-on-the-wire.patch diff --git a/queue-4.14/udp-fix-data-race-in-udp_set_dev_scratch.patch b/queue-4.14/udp-fix-data-race-in-udp_set_dev_scratch.patch new file mode 100644 index 00000000000..560cdab9db1 --- /dev/null +++ b/queue-4.14/udp-fix-data-race-in-udp_set_dev_scratch.patch @@ -0,0 +1,102 @@ +From foo@baz Wed 06 Nov 2019 04:08:37 PM CET +From: Eric Dumazet +Date: Thu, 24 Oct 2019 11:43:31 -0700 +Subject: udp: fix data-race in udp_set_dev_scratch() + +From: Eric Dumazet + +[ Upstream commit a793183caa9afae907a0d7ddd2ffd57329369bf5 ] + +KCSAN reported a data-race in udp_set_dev_scratch() [1] + +The issue here is that we must not write over skb fields +if skb is shared. A similar issue has been fixed in commit +89c22d8c3b27 ("net: Fix skb csum races when peeking") + +While we are at it, use a helper only dealing with +udp_skb_scratch(skb)->csum_unnecessary, as this allows +udp_set_dev_scratch() to be called once and thus inlined. + +[1] +BUG: KCSAN: data-race in udp_set_dev_scratch / udpv6_recvmsg + +write to 0xffff888120278317 of 1 bytes by task 10411 on cpu 1: + udp_set_dev_scratch+0xea/0x200 net/ipv4/udp.c:1308 + __first_packet_length+0x147/0x420 net/ipv4/udp.c:1556 + first_packet_length+0x68/0x2a0 net/ipv4/udp.c:1579 + udp_poll+0xea/0x110 net/ipv4/udp.c:2720 + sock_poll+0xed/0x250 net/socket.c:1256 + vfs_poll include/linux/poll.h:90 [inline] + do_select+0x7d0/0x1020 fs/select.c:534 + core_sys_select+0x381/0x550 fs/select.c:677 + do_pselect.constprop.0+0x11d/0x160 fs/select.c:759 + __do_sys_pselect6 fs/select.c:784 [inline] + __se_sys_pselect6 fs/select.c:769 [inline] + __x64_sys_pselect6+0x12e/0x170 fs/select.c:769 + do_syscall_64+0xcc/0x370 arch/x86/entry/common.c:290 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +read to 0xffff888120278317 of 1 bytes by task 10413 on cpu 0: + udp_skb_csum_unnecessary include/net/udp.h:358 [inline] + udpv6_recvmsg+0x43e/0xe90 net/ipv6/udp.c:310 + inet6_recvmsg+0xbb/0x240 net/ipv6/af_inet6.c:592 + sock_recvmsg_nosec+0x5c/0x70 net/socket.c:871 + ___sys_recvmsg+0x1a0/0x3e0 net/socket.c:2480 + do_recvmmsg+0x19a/0x5c0 net/socket.c:2601 + __sys_recvmmsg+0x1ef/0x200 net/socket.c:2680 + __do_sys_recvmmsg net/socket.c:2703 [inline] + __se_sys_recvmmsg net/socket.c:2696 [inline] + __x64_sys_recvmmsg+0x89/0xb0 net/socket.c:2696 + do_syscall_64+0xcc/0x370 arch/x86/entry/common.c:290 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +Reported by Kernel Concurrency Sanitizer on: +CPU: 0 PID: 10413 Comm: syz-executor.0 Not tainted 5.4.0-rc3+ #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 + +Fixes: 2276f58ac589 ("udp: use a separate rx queue for packet reception") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Cc: Paolo Abeni +Reviewed-by: Paolo Abeni +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/udp.c | 19 +++++++++++++++---- + 1 file changed, 15 insertions(+), 4 deletions(-) + +--- a/net/ipv4/udp.c ++++ b/net/ipv4/udp.c +@@ -1195,6 +1195,20 @@ static void udp_set_dev_scratch(struct s + scratch->_tsize_state |= UDP_SKB_IS_STATELESS; + } + ++static void udp_skb_csum_unnecessary_set(struct sk_buff *skb) ++{ ++ /* We come here after udp_lib_checksum_complete() returned 0. ++ * This means that __skb_checksum_complete() might have ++ * set skb->csum_valid to 1. ++ * On 64bit platforms, we can set csum_unnecessary ++ * to true, but only if the skb is not shared. ++ */ ++#if BITS_PER_LONG == 64 ++ if (!skb_shared(skb)) ++ udp_skb_scratch(skb)->csum_unnecessary = true; ++#endif ++} ++ + static int udp_skb_truesize(struct sk_buff *skb) + { + return udp_skb_scratch(skb)->_tsize_state & ~UDP_SKB_IS_STATELESS; +@@ -1430,10 +1444,7 @@ static struct sk_buff *__first_packet_le + *total += skb->truesize; + kfree_skb(skb); + } else { +- /* the csum related bits could be changed, refresh +- * the scratch area +- */ +- udp_set_dev_scratch(skb); ++ udp_skb_csum_unnecessary_set(skb); + break; + } + } diff --git a/queue-4.14/udp-use-skb_queue_empty_lockless.patch b/queue-4.14/udp-use-skb_queue_empty_lockless.patch new file mode 100644 index 00000000000..c757c1fe784 --- /dev/null +++ b/queue-4.14/udp-use-skb_queue_empty_lockless.patch @@ -0,0 +1,98 @@ +From foo@baz Wed 06 Nov 2019 04:08:37 PM CET +From: Eric Dumazet +Date: Wed, 23 Oct 2019 22:44:49 -0700 +Subject: udp: use skb_queue_empty_lockless() + +From: Eric Dumazet + +[ Upstream commit 137a0dbe3426fd7bcfe3f8117b36a87b3590e4eb ] + +syzbot reported a data-race [1]. + +We should use skb_queue_empty_lockless() to document that we are +not ensuring a mutual exclusion and silence KCSAN. + +[1] +BUG: KCSAN: data-race in __skb_recv_udp / __udp_enqueue_schedule_skb + +write to 0xffff888122474b50 of 8 bytes by interrupt on cpu 0: + __skb_insert include/linux/skbuff.h:1852 [inline] + __skb_queue_before include/linux/skbuff.h:1958 [inline] + __skb_queue_tail include/linux/skbuff.h:1991 [inline] + __udp_enqueue_schedule_skb+0x2c1/0x410 net/ipv4/udp.c:1470 + __udp_queue_rcv_skb net/ipv4/udp.c:1940 [inline] + udp_queue_rcv_one_skb+0x7bd/0xc70 net/ipv4/udp.c:2057 + udp_queue_rcv_skb+0xb5/0x400 net/ipv4/udp.c:2074 + udp_unicast_rcv_skb.isra.0+0x7e/0x1c0 net/ipv4/udp.c:2233 + __udp4_lib_rcv+0xa44/0x17c0 net/ipv4/udp.c:2300 + udp_rcv+0x2b/0x40 net/ipv4/udp.c:2470 + ip_protocol_deliver_rcu+0x4d/0x420 net/ipv4/ip_input.c:204 + ip_local_deliver_finish+0x110/0x140 net/ipv4/ip_input.c:231 + NF_HOOK include/linux/netfilter.h:305 [inline] + NF_HOOK include/linux/netfilter.h:299 [inline] + ip_local_deliver+0x133/0x210 net/ipv4/ip_input.c:252 + dst_input include/net/dst.h:442 [inline] + ip_rcv_finish+0x121/0x160 net/ipv4/ip_input.c:413 + NF_HOOK include/linux/netfilter.h:305 [inline] + NF_HOOK include/linux/netfilter.h:299 [inline] + ip_rcv+0x18f/0x1a0 net/ipv4/ip_input.c:523 + __netif_receive_skb_one_core+0xa7/0xe0 net/core/dev.c:5010 + __netif_receive_skb+0x37/0xf0 net/core/dev.c:5124 + process_backlog+0x1d3/0x420 net/core/dev.c:5955 + +read to 0xffff888122474b50 of 8 bytes by task 8921 on cpu 1: + skb_queue_empty include/linux/skbuff.h:1494 [inline] + __skb_recv_udp+0x18d/0x500 net/ipv4/udp.c:1653 + udp_recvmsg+0xe1/0xb10 net/ipv4/udp.c:1712 + inet_recvmsg+0xbb/0x250 net/ipv4/af_inet.c:838 + sock_recvmsg_nosec+0x5c/0x70 net/socket.c:871 + ___sys_recvmsg+0x1a0/0x3e0 net/socket.c:2480 + do_recvmmsg+0x19a/0x5c0 net/socket.c:2601 + __sys_recvmmsg+0x1ef/0x200 net/socket.c:2680 + __do_sys_recvmmsg net/socket.c:2703 [inline] + __se_sys_recvmmsg net/socket.c:2696 [inline] + __x64_sys_recvmmsg+0x89/0xb0 net/socket.c:2696 + do_syscall_64+0xcc/0x370 arch/x86/entry/common.c:290 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +Reported by Kernel Concurrency Sanitizer on: +CPU: 1 PID: 8921 Comm: syz-executor.4 Not tainted 5.4.0-rc3+ #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 + +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/udp.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/net/ipv4/udp.c ++++ b/net/ipv4/udp.c +@@ -1468,7 +1468,7 @@ static int first_packet_length(struct so + + spin_lock_bh(&rcvq->lock); + skb = __first_packet_length(sk, rcvq, &total); +- if (!skb && !skb_queue_empty(sk_queue)) { ++ if (!skb && !skb_queue_empty_lockless(sk_queue)) { + spin_lock(&sk_queue->lock); + skb_queue_splice_tail_init(sk_queue, rcvq); + spin_unlock(&sk_queue->lock); +@@ -1543,7 +1543,7 @@ struct sk_buff *__skb_recv_udp(struct so + return skb; + } + +- if (skb_queue_empty(sk_queue)) { ++ if (skb_queue_empty_lockless(sk_queue)) { + spin_unlock_bh(&queue->lock); + goto busy_check; + } +@@ -1570,7 +1570,7 @@ busy_check: + break; + + sk_busy_loop(sk, flags & MSG_DONTWAIT); +- } while (!skb_queue_empty(sk_queue)); ++ } while (!skb_queue_empty_lockless(sk_queue)); + + /* sk_queue is empty, reader_queue may contain peeked packets */ + } while (timeo && diff --git a/queue-4.14/vxlan-check-tun_info-options_len-properly.patch b/queue-4.14/vxlan-check-tun_info-options_len-properly.patch new file mode 100644 index 00000000000..45156a174f2 --- /dev/null +++ b/queue-4.14/vxlan-check-tun_info-options_len-properly.patch @@ -0,0 +1,37 @@ +From foo@baz Wed 06 Nov 2019 04:08:37 PM CET +From: Xin Long +Date: Tue, 29 Oct 2019 01:24:32 +0800 +Subject: vxlan: check tun_info options_len properly + +From: Xin Long + +[ Upstream commit eadf52cf1852196a1363044dcda22fa5d7f296f7 ] + +This patch is to improve the tun_info options_len by dropping +the skb when TUNNEL_VXLAN_OPT is set but options_len is less +than vxlan_metadata. This can void a potential out-of-bounds +access on ip_tun_info. + +Fixes: ee122c79d422 ("vxlan: Flow based tunneling") +Signed-off-by: Xin Long +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/vxlan.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/net/vxlan.c ++++ b/drivers/net/vxlan.c +@@ -2169,8 +2169,11 @@ static void vxlan_xmit_one(struct sk_buf + vni = tunnel_id_to_key32(info->key.tun_id); + ifindex = 0; + dst_cache = &info->dst_cache; +- if (info->options_len) ++ if (info->options_len) { ++ if (info->options_len < sizeof(*md)) ++ goto drop; + md = ip_tunnel_info_opts(info); ++ } + ttl = info->key.ttl; + tos = info->key.tos; + label = info->key.label; -- 2.47.2