From 98f49fb0d0893e97a819fdb963c370787050c8a2 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Sat, 11 Jan 2020 09:23:49 +0100 Subject: [PATCH] 4.14-stable patches added patches: gtp-fix-bad-unlock-balance-in-gtp_encap_enable_socket.patch macvlan-do-not-assume-mac_header-is-set-in-macvlan_broadcast.patch net-dsa-mv88e6xxx-preserve-priority-when-setting-cpu-port.patch net-sch_prio-when-ungrafting-replace-with-fifo.patch net-stmmac-dwmac-sun8i-allow-all-rgmii-modes.patch net-stmmac-dwmac-sunxi-allow-all-rgmii-modes.patch net-usb-lan78xx-fix-possible-skb-leak.patch pkt_sched-fq-do-not-accept-silly-tca_fq_quantum.patch sctp-free-cmd-obj.chunk-for-the-unprocessed-sctp_cmd_reply.patch tcp-fix-old-stuff-d-sack-causing-sack-to-be-treated-as-d-sack.patch vlan-fix-memory-leak-in-vlan_dev_set_egress_priority.patch vlan-vlan_changelink-should-propagate-errors.patch vxlan-fix-tos-value-before-xmit.patch --- ...k-balance-in-gtp_encap_enable_socket.patch | 97 ++++++++++ ...c_header-is-set-in-macvlan_broadcast.patch | 170 ++++++++++++++++++ ...serve-priority-when-setting-cpu-port.patch | 50 ++++++ ...io-when-ungrafting-replace-with-fifo.patch | 48 +++++ ...ac-dwmac-sun8i-allow-all-rgmii-modes.patch | 33 ++++ ...ac-dwmac-sunxi-allow-all-rgmii-modes.patch | 32 ++++ ...et-usb-lan78xx-fix-possible-skb-leak.patch | 52 ++++++ ...q-do-not-accept-silly-tca_fq_quantum.patch | 52 ++++++ ...k-for-the-unprocessed-sctp_cmd_reply.patch | 94 ++++++++++ queue-4.14/series | 13 ++ ...causing-sack-to-be-treated-as-d-sack.patch | 46 +++++ ...leak-in-vlan_dev_set_egress_priority.patch | 100 +++++++++++ ...n_changelink-should-propagate-errors.patch | 49 +++++ .../vxlan-fix-tos-value-before-xmit.patch | 45 +++++ 14 files changed, 881 insertions(+) create mode 100644 queue-4.14/gtp-fix-bad-unlock-balance-in-gtp_encap_enable_socket.patch create mode 100644 queue-4.14/macvlan-do-not-assume-mac_header-is-set-in-macvlan_broadcast.patch create mode 100644 queue-4.14/net-dsa-mv88e6xxx-preserve-priority-when-setting-cpu-port.patch create mode 100644 queue-4.14/net-sch_prio-when-ungrafting-replace-with-fifo.patch create mode 100644 queue-4.14/net-stmmac-dwmac-sun8i-allow-all-rgmii-modes.patch create mode 100644 queue-4.14/net-stmmac-dwmac-sunxi-allow-all-rgmii-modes.patch create mode 100644 queue-4.14/net-usb-lan78xx-fix-possible-skb-leak.patch create mode 100644 queue-4.14/pkt_sched-fq-do-not-accept-silly-tca_fq_quantum.patch create mode 100644 queue-4.14/sctp-free-cmd-obj.chunk-for-the-unprocessed-sctp_cmd_reply.patch create mode 100644 queue-4.14/tcp-fix-old-stuff-d-sack-causing-sack-to-be-treated-as-d-sack.patch create mode 100644 queue-4.14/vlan-fix-memory-leak-in-vlan_dev_set_egress_priority.patch create mode 100644 queue-4.14/vlan-vlan_changelink-should-propagate-errors.patch create mode 100644 queue-4.14/vxlan-fix-tos-value-before-xmit.patch diff --git a/queue-4.14/gtp-fix-bad-unlock-balance-in-gtp_encap_enable_socket.patch b/queue-4.14/gtp-fix-bad-unlock-balance-in-gtp_encap_enable_socket.patch new file mode 100644 index 00000000000..e00c259c914 --- /dev/null +++ b/queue-4.14/gtp-fix-bad-unlock-balance-in-gtp_encap_enable_socket.patch @@ -0,0 +1,97 @@ +From foo@baz Sat 11 Jan 2020 09:21:00 AM CET +From: Eric Dumazet +Date: Mon, 6 Jan 2020 06:45:37 -0800 +Subject: gtp: fix bad unlock balance in gtp_encap_enable_socket + +From: Eric Dumazet + +[ Upstream commit 90d72256addff9e5f8ad645e8f632750dd1f8935 ] + +WARNING: bad unlock balance detected! +5.5.0-rc5-syzkaller #0 Not tainted +------------------------------------- +syz-executor921/9688 is trying to release lock (sk_lock-AF_INET6) at: +[] gtp_encap_enable_socket+0x146/0x400 drivers/net/gtp.c:830 +but there are no more locks to release! + +other info that might help us debug this: +2 locks held by syz-executor921/9688: + #0: ffffffff8a4d8840 (rtnl_mutex){+.+.}, at: rtnl_lock net/core/rtnetlink.c:72 [inline] + #0: ffffffff8a4d8840 (rtnl_mutex){+.+.}, at: rtnetlink_rcv_msg+0x405/0xaf0 net/core/rtnetlink.c:5421 + #1: ffff88809304b560 (slock-AF_INET6){+...}, at: spin_lock_bh include/linux/spinlock.h:343 [inline] + #1: ffff88809304b560 (slock-AF_INET6){+...}, at: release_sock+0x20/0x1c0 net/core/sock.c:2951 + +stack backtrace: +CPU: 0 PID: 9688 Comm: syz-executor921 Not tainted 5.5.0-rc5-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0x197/0x210 lib/dump_stack.c:118 + print_unlock_imbalance_bug kernel/locking/lockdep.c:4008 [inline] + print_unlock_imbalance_bug.cold+0x114/0x123 kernel/locking/lockdep.c:3984 + __lock_release kernel/locking/lockdep.c:4242 [inline] + lock_release+0x5f2/0x960 kernel/locking/lockdep.c:4503 + sock_release_ownership include/net/sock.h:1496 [inline] + release_sock+0x17c/0x1c0 net/core/sock.c:2961 + gtp_encap_enable_socket+0x146/0x400 drivers/net/gtp.c:830 + gtp_encap_enable drivers/net/gtp.c:852 [inline] + gtp_newlink+0x9fc/0xc60 drivers/net/gtp.c:666 + __rtnl_newlink+0x109e/0x1790 net/core/rtnetlink.c:3305 + rtnl_newlink+0x69/0xa0 net/core/rtnetlink.c:3363 + rtnetlink_rcv_msg+0x45e/0xaf0 net/core/rtnetlink.c:5424 + netlink_rcv_skb+0x177/0x450 net/netlink/af_netlink.c:2477 + rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:5442 + netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline] + netlink_unicast+0x58c/0x7d0 net/netlink/af_netlink.c:1328 + netlink_sendmsg+0x91c/0xea0 net/netlink/af_netlink.c:1917 + sock_sendmsg_nosec net/socket.c:639 [inline] + sock_sendmsg+0xd7/0x130 net/socket.c:659 + ____sys_sendmsg+0x753/0x880 net/socket.c:2330 + ___sys_sendmsg+0x100/0x170 net/socket.c:2384 + __sys_sendmsg+0x105/0x1d0 net/socket.c:2417 + __do_sys_sendmsg net/socket.c:2426 [inline] + __se_sys_sendmsg net/socket.c:2424 [inline] + __x64_sys_sendmsg+0x78/0xb0 net/socket.c:2424 + do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294 + entry_SYSCALL_64_after_hwframe+0x49/0xbe +RIP: 0033:0x445d49 +Code: e8 bc b7 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 2b 12 fc ff c3 66 2e 0f 1f 84 00 00 00 00 +RSP: 002b:00007f8019074db8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e +RAX: ffffffffffffffda RBX: 00000000006dac38 RCX: 0000000000445d49 +RDX: 0000000000000000 RSI: 0000000020000180 RDI: 0000000000000003 +RBP: 00000000006dac30 R08: 0000000000000004 R09: 0000000000000000 +R10: 0000000000000008 R11: 0000000000000246 R12: 00000000006dac3c +R13: 00007ffea687f6bf R14: 00007f80190759c0 R15: 20c49ba5e353f7cf + +Fixes: e198987e7dd7 ("gtp: fix suspicious RCU usage") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Cc: Taehee Yoo +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/gtp.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/net/gtp.c ++++ b/drivers/net/gtp.c +@@ -816,7 +816,7 @@ static struct sock *gtp_encap_enable_soc + lock_sock(sock->sk); + if (sock->sk->sk_user_data) { + sk = ERR_PTR(-EBUSY); +- goto out_sock; ++ goto out_rel_sock; + } + + sk = sock->sk; +@@ -829,8 +829,9 @@ static struct sock *gtp_encap_enable_soc + + setup_udp_tunnel_sock(sock_net(sock->sk), sock, &tuncfg); + +-out_sock: ++out_rel_sock: + release_sock(sock->sk); ++out_sock: + sockfd_put(sock); + return sk; + } diff --git a/queue-4.14/macvlan-do-not-assume-mac_header-is-set-in-macvlan_broadcast.patch b/queue-4.14/macvlan-do-not-assume-mac_header-is-set-in-macvlan_broadcast.patch new file mode 100644 index 00000000000..a0d8569face --- /dev/null +++ b/queue-4.14/macvlan-do-not-assume-mac_header-is-set-in-macvlan_broadcast.patch @@ -0,0 +1,170 @@ +From foo@baz Sat 11 Jan 2020 09:21:00 AM CET +From: Eric Dumazet +Date: Mon, 6 Jan 2020 12:30:48 -0800 +Subject: macvlan: do not assume mac_header is set in macvlan_broadcast() + +From: Eric Dumazet + +[ Upstream commit 96cc4b69581db68efc9749ef32e9cf8e0160c509 ] + +Use of eth_hdr() in tx path is error prone. + +Many drivers call skb_reset_mac_header() before using it, +but others do not. + +Commit 6d1ccff62780 ("net: reset mac header in dev_start_xmit()") +attempted to fix this generically, but commit d346a3fae3ff +("packet: introduce PACKET_QDISC_BYPASS socket option") brought +back the macvlan bug. + +Lets add a new helper, so that tx paths no longer have +to call skb_reset_mac_header() only to get a pointer +to skb->data. + +Hopefully we will be able to revert 6d1ccff62780 +("net: reset mac header in dev_start_xmit()") and save few cycles +in transmit fast path. + +BUG: KASAN: use-after-free in __get_unaligned_cpu32 include/linux/unaligned/packed_struct.h:19 [inline] +BUG: KASAN: use-after-free in mc_hash drivers/net/macvlan.c:251 [inline] +BUG: KASAN: use-after-free in macvlan_broadcast+0x547/0x620 drivers/net/macvlan.c:277 +Read of size 4 at addr ffff8880a4932401 by task syz-executor947/9579 + +CPU: 0 PID: 9579 Comm: syz-executor947 Not tainted 5.5.0-rc4-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0x197/0x210 lib/dump_stack.c:118 + print_address_description.constprop.0.cold+0xd4/0x30b mm/kasan/report.c:374 + __kasan_report.cold+0x1b/0x41 mm/kasan/report.c:506 + kasan_report+0x12/0x20 mm/kasan/common.c:639 + __asan_report_load_n_noabort+0xf/0x20 mm/kasan/generic_report.c:145 + __get_unaligned_cpu32 include/linux/unaligned/packed_struct.h:19 [inline] + mc_hash drivers/net/macvlan.c:251 [inline] + macvlan_broadcast+0x547/0x620 drivers/net/macvlan.c:277 + macvlan_queue_xmit drivers/net/macvlan.c:520 [inline] + macvlan_start_xmit+0x402/0x77f drivers/net/macvlan.c:559 + __netdev_start_xmit include/linux/netdevice.h:4447 [inline] + netdev_start_xmit include/linux/netdevice.h:4461 [inline] + dev_direct_xmit+0x419/0x630 net/core/dev.c:4079 + packet_direct_xmit+0x1a9/0x250 net/packet/af_packet.c:240 + packet_snd net/packet/af_packet.c:2966 [inline] + packet_sendmsg+0x260d/0x6220 net/packet/af_packet.c:2991 + sock_sendmsg_nosec net/socket.c:639 [inline] + sock_sendmsg+0xd7/0x130 net/socket.c:659 + __sys_sendto+0x262/0x380 net/socket.c:1985 + __do_sys_sendto net/socket.c:1997 [inline] + __se_sys_sendto net/socket.c:1993 [inline] + __x64_sys_sendto+0xe1/0x1a0 net/socket.c:1993 + do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294 + entry_SYSCALL_64_after_hwframe+0x49/0xbe +RIP: 0033:0x442639 +Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 5b 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00 +RSP: 002b:00007ffc13549e08 EFLAGS: 00000246 ORIG_RAX: 000000000000002c +RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000442639 +RDX: 000000000000000e RSI: 0000000020000080 RDI: 0000000000000003 +RBP: 0000000000000004 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 +R13: 0000000000403bb0 R14: 0000000000000000 R15: 0000000000000000 + +Allocated by task 9389: + save_stack+0x23/0x90 mm/kasan/common.c:72 + set_track mm/kasan/common.c:80 [inline] + __kasan_kmalloc mm/kasan/common.c:513 [inline] + __kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:486 + kasan_kmalloc+0x9/0x10 mm/kasan/common.c:527 + __do_kmalloc mm/slab.c:3656 [inline] + __kmalloc+0x163/0x770 mm/slab.c:3665 + kmalloc include/linux/slab.h:561 [inline] + tomoyo_realpath_from_path+0xc5/0x660 security/tomoyo/realpath.c:252 + tomoyo_get_realpath security/tomoyo/file.c:151 [inline] + tomoyo_path_perm+0x230/0x430 security/tomoyo/file.c:822 + tomoyo_inode_getattr+0x1d/0x30 security/tomoyo/tomoyo.c:129 + security_inode_getattr+0xf2/0x150 security/security.c:1222 + vfs_getattr+0x25/0x70 fs/stat.c:115 + vfs_statx_fd+0x71/0xc0 fs/stat.c:145 + vfs_fstat include/linux/fs.h:3265 [inline] + __do_sys_newfstat+0x9b/0x120 fs/stat.c:378 + __se_sys_newfstat fs/stat.c:375 [inline] + __x64_sys_newfstat+0x54/0x80 fs/stat.c:375 + do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + +Freed by task 9389: + save_stack+0x23/0x90 mm/kasan/common.c:72 + set_track mm/kasan/common.c:80 [inline] + kasan_set_free_info mm/kasan/common.c:335 [inline] + __kasan_slab_free+0x102/0x150 mm/kasan/common.c:474 + kasan_slab_free+0xe/0x10 mm/kasan/common.c:483 + __cache_free mm/slab.c:3426 [inline] + kfree+0x10a/0x2c0 mm/slab.c:3757 + tomoyo_realpath_from_path+0x1a7/0x660 security/tomoyo/realpath.c:289 + tomoyo_get_realpath security/tomoyo/file.c:151 [inline] + tomoyo_path_perm+0x230/0x430 security/tomoyo/file.c:822 + tomoyo_inode_getattr+0x1d/0x30 security/tomoyo/tomoyo.c:129 + security_inode_getattr+0xf2/0x150 security/security.c:1222 + vfs_getattr+0x25/0x70 fs/stat.c:115 + vfs_statx_fd+0x71/0xc0 fs/stat.c:145 + vfs_fstat include/linux/fs.h:3265 [inline] + __do_sys_newfstat+0x9b/0x120 fs/stat.c:378 + __se_sys_newfstat fs/stat.c:375 [inline] + __x64_sys_newfstat+0x54/0x80 fs/stat.c:375 + do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + +The buggy address belongs to the object at ffff8880a4932000 + which belongs to the cache kmalloc-4k of size 4096 +The buggy address is located 1025 bytes inside of + 4096-byte region [ffff8880a4932000, ffff8880a4933000) +The buggy address belongs to the page: +page:ffffea0002924c80 refcount:1 mapcount:0 mapping:ffff8880aa402000 index:0x0 compound_mapcount: 0 +raw: 00fffe0000010200 ffffea0002846208 ffffea00028f3888 ffff8880aa402000 +raw: 0000000000000000 ffff8880a4932000 0000000100000001 0000000000000000 +page dumped because: kasan: bad access detected + +Memory state around the buggy address: + ffff8880a4932300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ffff8880a4932380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +>ffff8880a4932400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ^ + ffff8880a4932480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ffff8880a4932500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + +Fixes: b863ceb7ddce ("[NET]: Add macvlan driver") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/macvlan.c | 2 +- + include/linux/if_ether.h | 8 ++++++++ + 2 files changed, 9 insertions(+), 1 deletion(-) + +--- a/drivers/net/macvlan.c ++++ b/drivers/net/macvlan.c +@@ -263,7 +263,7 @@ static void macvlan_broadcast(struct sk_ + struct net_device *src, + enum macvlan_mode mode) + { +- const struct ethhdr *eth = eth_hdr(skb); ++ const struct ethhdr *eth = skb_eth_hdr(skb); + const struct macvlan_dev *vlan; + struct sk_buff *nskb; + unsigned int i; +--- a/include/linux/if_ether.h ++++ b/include/linux/if_ether.h +@@ -28,6 +28,14 @@ static inline struct ethhdr *eth_hdr(con + return (struct ethhdr *)skb_mac_header(skb); + } + ++/* Prefer this version in TX path, instead of ++ * skb_reset_mac_header() + eth_hdr() ++ */ ++static inline struct ethhdr *skb_eth_hdr(const struct sk_buff *skb) ++{ ++ return (struct ethhdr *)skb->data; ++} ++ + static inline struct ethhdr *inner_eth_hdr(const struct sk_buff *skb) + { + return (struct ethhdr *)skb_inner_mac_header(skb); diff --git a/queue-4.14/net-dsa-mv88e6xxx-preserve-priority-when-setting-cpu-port.patch b/queue-4.14/net-dsa-mv88e6xxx-preserve-priority-when-setting-cpu-port.patch new file mode 100644 index 00000000000..a5462265e47 --- /dev/null +++ b/queue-4.14/net-dsa-mv88e6xxx-preserve-priority-when-setting-cpu-port.patch @@ -0,0 +1,50 @@ +From foo@baz Sat 11 Jan 2020 09:21:00 AM CET +From: Andrew Lunn +Date: Sat, 4 Jan 2020 23:14:51 +0100 +Subject: net: dsa: mv88e6xxx: Preserve priority when setting CPU port. + +From: Andrew Lunn + +[ Upstream commit d8dc2c9676e614ef62f54a155b50076888c8a29a ] + +The 6390 family uses an extended register to set the port connected to +the CPU. The lower 5 bits indicate the port, the upper three bits are +the priority of the frames as they pass through the switch, what +egress queue they should use, etc. Since frames being set to the CPU +are typically management frames, BPDU, IGMP, ARP, etc set the priority +to 7, the reset default, and the highest. + +Fixes: 33641994a676 ("net: dsa: mv88e6xxx: Monitor and Management tables") +Signed-off-by: Andrew Lunn +Tested-by: Chris Healy +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/dsa/mv88e6xxx/global1.c | 5 +++++ + drivers/net/dsa/mv88e6xxx/global1.h | 1 + + 2 files changed, 6 insertions(+) + +--- a/drivers/net/dsa/mv88e6xxx/global1.c ++++ b/drivers/net/dsa/mv88e6xxx/global1.c +@@ -313,6 +313,11 @@ int mv88e6390_g1_set_cpu_port(struct mv8 + { + u16 ptr = MV88E6390_G1_MONITOR_MGMT_CTL_PTR_CPU_DEST; + ++ /* Use the default high priority for management frames sent to ++ * the CPU. ++ */ ++ port |= MV88E6390_G1_MONITOR_MGMT_CTL_PTR_CPU_DEST_MGMTPRI; ++ + return mv88e6390_g1_monitor_write(chip, ptr, port); + } + +--- a/drivers/net/dsa/mv88e6xxx/global1.h ++++ b/drivers/net/dsa/mv88e6xxx/global1.h +@@ -189,6 +189,7 @@ + #define MV88E6390_G1_MONITOR_MGMT_CTL_PTR_INGRESS_DEST 0x2000 + #define MV88E6390_G1_MONITOR_MGMT_CTL_PTR_EGRESS_DEST 0x2100 + #define MV88E6390_G1_MONITOR_MGMT_CTL_PTR_CPU_DEST 0x3000 ++#define MV88E6390_G1_MONITOR_MGMT_CTL_PTR_CPU_DEST_MGMTPRI 0x00e0 + #define MV88E6390_G1_MONITOR_MGMT_CTL_DATA_MASK 0x00ff + + /* Offset 0x1C: Global Control 2 */ diff --git a/queue-4.14/net-sch_prio-when-ungrafting-replace-with-fifo.patch b/queue-4.14/net-sch_prio-when-ungrafting-replace-with-fifo.patch new file mode 100644 index 00000000000..7202b8eeefd --- /dev/null +++ b/queue-4.14/net-sch_prio-when-ungrafting-replace-with-fifo.patch @@ -0,0 +1,48 @@ +From foo@baz Sat 11 Jan 2020 09:21:00 AM CET +From: Petr Machata +Date: Mon, 6 Jan 2020 18:01:56 +0000 +Subject: net: sch_prio: When ungrafting, replace with FIFO + +From: Petr Machata + +[ Upstream commit 240ce7f6428ff5188b9eedc066e1e4d645b8635f ] + +When a child Qdisc is removed from one of the PRIO Qdisc's bands, it is +replaced unconditionally by a NOOP qdisc. As a result, any traffic hitting +that band gets dropped. That is incorrect--no Qdisc was explicitly added +when PRIO was created, and after removal, none should have to be added +either. + +Fix PRIO by first attempting to create a default Qdisc and only falling +back to noop when that fails. This pattern of attempting to create an +invisible FIFO, using NOOP only as a fallback, is also seen in other +Qdiscs. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Petr Machata +Acked-by: Jiri Pirko +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/sched/sch_prio.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +--- a/net/sched/sch_prio.c ++++ b/net/sched/sch_prio.c +@@ -244,8 +244,14 @@ static int prio_graft(struct Qdisc *sch, + struct prio_sched_data *q = qdisc_priv(sch); + unsigned long band = arg - 1; + +- if (new == NULL) +- new = &noop_qdisc; ++ if (!new) { ++ new = qdisc_create_dflt(sch->dev_queue, &pfifo_qdisc_ops, ++ TC_H_MAKE(sch->handle, arg), extack); ++ if (!new) ++ new = &noop_qdisc; ++ else ++ qdisc_hash_add(new, true); ++ } + + *old = qdisc_replace(sch, new, &q->queues[band]); + return 0; diff --git a/queue-4.14/net-stmmac-dwmac-sun8i-allow-all-rgmii-modes.patch b/queue-4.14/net-stmmac-dwmac-sun8i-allow-all-rgmii-modes.patch new file mode 100644 index 00000000000..22f5fad543b --- /dev/null +++ b/queue-4.14/net-stmmac-dwmac-sun8i-allow-all-rgmii-modes.patch @@ -0,0 +1,33 @@ +From foo@baz Sat 11 Jan 2020 09:21:00 AM CET +From: Chen-Yu Tsai +Date: Mon, 6 Jan 2020 11:09:45 +0800 +Subject: net: stmmac: dwmac-sun8i: Allow all RGMII modes + +From: Chen-Yu Tsai + +[ Upstream commit f1239d8aa84dad8fe4b6cc1356f40fc8e842db47 ] + +Allow all the RGMII modes to be used. This would allow us to represent +the hardware better in the device tree with RGMII_ID where in most +cases the PHY's internal delay for both RX and TX are used. + +Fixes: 9f93ac8d4085 ("net-next: stmmac: Add dwmac-sun8i") +Signed-off-by: Chen-Yu Tsai +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/stmicro/stmmac/dwmac-sun8i.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/net/ethernet/stmicro/stmmac/dwmac-sun8i.c ++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac-sun8i.c +@@ -724,6 +724,9 @@ static int sun8i_dwmac_set_syscon(struct + /* default */ + break; + case PHY_INTERFACE_MODE_RGMII: ++ case PHY_INTERFACE_MODE_RGMII_ID: ++ case PHY_INTERFACE_MODE_RGMII_RXID: ++ case PHY_INTERFACE_MODE_RGMII_TXID: + reg |= SYSCON_EPIT | SYSCON_ETCS_INT_GMII; + break; + case PHY_INTERFACE_MODE_RMII: diff --git a/queue-4.14/net-stmmac-dwmac-sunxi-allow-all-rgmii-modes.patch b/queue-4.14/net-stmmac-dwmac-sunxi-allow-all-rgmii-modes.patch new file mode 100644 index 00000000000..b122518fd5a --- /dev/null +++ b/queue-4.14/net-stmmac-dwmac-sunxi-allow-all-rgmii-modes.patch @@ -0,0 +1,32 @@ +From foo@baz Sat 11 Jan 2020 09:21:00 AM CET +From: Chen-Yu Tsai +Date: Mon, 6 Jan 2020 11:09:22 +0800 +Subject: net: stmmac: dwmac-sunxi: Allow all RGMII modes + +From: Chen-Yu Tsai + +[ Upstream commit 52cc73e5404c7ba0cbfc50cb4c265108c84b3d5a ] + +Allow all the RGMII modes to be used. This would allow us to represent +the hardware better in the device tree with RGMII_ID where in most +cases the PHY's internal delay for both RX and TX are used. + +Fixes: af0bd4e9ba80 ("net: stmmac: sunxi platform extensions for GMAC in Allwinner A20 SoC's") +Signed-off-by: Chen-Yu Tsai +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/stmicro/stmmac/dwmac-sunxi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/stmicro/stmmac/dwmac-sunxi.c ++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac-sunxi.c +@@ -53,7 +53,7 @@ static int sun7i_gmac_init(struct platfo + * rate, which then uses the auto-reparenting feature of the + * clock driver, and enabling/disabling the clock. + */ +- if (gmac->interface == PHY_INTERFACE_MODE_RGMII) { ++ if (phy_interface_mode_is_rgmii(gmac->interface)) { + clk_set_rate(gmac->tx_clk, SUN7I_GMAC_GMII_RGMII_RATE); + clk_prepare_enable(gmac->tx_clk); + gmac->clk_enabled = 1; diff --git a/queue-4.14/net-usb-lan78xx-fix-possible-skb-leak.patch b/queue-4.14/net-usb-lan78xx-fix-possible-skb-leak.patch new file mode 100644 index 00000000000..a83ee5b613a --- /dev/null +++ b/queue-4.14/net-usb-lan78xx-fix-possible-skb-leak.patch @@ -0,0 +1,52 @@ +From foo@baz Sat 11 Jan 2020 09:21:00 AM CET +From: Eric Dumazet +Date: Tue, 7 Jan 2020 10:57:01 -0800 +Subject: net: usb: lan78xx: fix possible skb leak + +From: Eric Dumazet + +[ Upstream commit 47240ba0cd09bb6fe6db9889582048324999dfa4 ] + +If skb_linearize() fails, we need to free the skb. + +TSO makes skb bigger, and this bug might be the reason +Raspberry Pi 3B+ users had to disable TSO. + +Fixes: 55d7de9de6c3 ("Microchip's LAN7800 family USB 2/3 to 10/100/1000 Ethernet device driver") +Signed-off-by: Eric Dumazet +Reported-by: RENARD Pierre-Francois +Cc: Stefan Wahren +Cc: Woojung Huh +Cc: Microchip Linux Driver Support +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/lan78xx.c | 9 +++------ + 1 file changed, 3 insertions(+), 6 deletions(-) + +--- a/drivers/net/usb/lan78xx.c ++++ b/drivers/net/usb/lan78xx.c +@@ -2604,11 +2604,6 @@ static int lan78xx_stop(struct net_devic + return 0; + } + +-static int lan78xx_linearize(struct sk_buff *skb) +-{ +- return skb_linearize(skb); +-} +- + static struct sk_buff *lan78xx_tx_prep(struct lan78xx_net *dev, + struct sk_buff *skb, gfp_t flags) + { +@@ -2619,8 +2614,10 @@ static struct sk_buff *lan78xx_tx_prep(s + return NULL; + } + +- if (lan78xx_linearize(skb) < 0) ++ if (skb_linearize(skb)) { ++ dev_kfree_skb_any(skb); + return NULL; ++ } + + tx_cmd_a = (u32)(skb->len & TX_CMD_A_LEN_MASK_) | TX_CMD_A_FCS_; + diff --git a/queue-4.14/pkt_sched-fq-do-not-accept-silly-tca_fq_quantum.patch b/queue-4.14/pkt_sched-fq-do-not-accept-silly-tca_fq_quantum.patch new file mode 100644 index 00000000000..8049d83d956 --- /dev/null +++ b/queue-4.14/pkt_sched-fq-do-not-accept-silly-tca_fq_quantum.patch @@ -0,0 +1,52 @@ +From foo@baz Sat 11 Jan 2020 09:21:00 AM CET +From: Eric Dumazet +Date: Mon, 6 Jan 2020 06:10:39 -0800 +Subject: pkt_sched: fq: do not accept silly TCA_FQ_QUANTUM + +From: Eric Dumazet + +[ Upstream commit d9e15a2733067c9328fb56d98fe8e574fa19ec31 ] + +As diagnosed by Florian : + +If TCA_FQ_QUANTUM is set to 0x80000000, fq_deueue() +can loop forever in : + +if (f->credit <= 0) { + f->credit += q->quantum; + goto begin; +} + +... because f->credit is either 0 or -2147483648. + +Let's limit TCA_FQ_QUANTUM to no more than 1 << 20 : +This max value should limit risks of breaking user setups +while fixing this bug. + +Fixes: afe4fd062416 ("pkt_sched: fq: Fair Queue packet scheduler") +Signed-off-by: Eric Dumazet +Diagnosed-by: Florian Westphal +Reported-by: syzbot+dc9071cc5a85950bdfce@syzkaller.appspotmail.com +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/sched/sch_fq.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/net/sched/sch_fq.c ++++ b/net/sched/sch_fq.c +@@ -734,10 +734,12 @@ static int fq_change(struct Qdisc *sch, + if (tb[TCA_FQ_QUANTUM]) { + u32 quantum = nla_get_u32(tb[TCA_FQ_QUANTUM]); + +- if (quantum > 0) ++ if (quantum > 0 && quantum <= (1 << 20)) { + q->quantum = quantum; +- else ++ } else { ++ NL_SET_ERR_MSG_MOD(extack, "invalid quantum"); + err = -EINVAL; ++ } + } + + if (tb[TCA_FQ_INITIAL_QUANTUM]) diff --git a/queue-4.14/sctp-free-cmd-obj.chunk-for-the-unprocessed-sctp_cmd_reply.patch b/queue-4.14/sctp-free-cmd-obj.chunk-for-the-unprocessed-sctp_cmd_reply.patch new file mode 100644 index 00000000000..fc63ac625a7 --- /dev/null +++ b/queue-4.14/sctp-free-cmd-obj.chunk-for-the-unprocessed-sctp_cmd_reply.patch @@ -0,0 +1,94 @@ +From foo@baz Sat 11 Jan 2020 09:21:00 AM CET +From: Xin Long +Date: Sat, 4 Jan 2020 14:15:02 +0800 +Subject: sctp: free cmd->obj.chunk for the unprocessed SCTP_CMD_REPLY + +From: Xin Long + +[ Upstream commit be7a7729207797476b6666f046d765bdf9630407 ] + +This patch is to fix a memleak caused by no place to free cmd->obj.chunk +for the unprocessed SCTP_CMD_REPLY. This issue occurs when failing to +process a cmd while there're still SCTP_CMD_REPLY cmds on the cmd seq +with an allocated chunk in cmd->obj.chunk. + +So fix it by freeing cmd->obj.chunk for each SCTP_CMD_REPLY cmd left on +the cmd seq when any cmd returns error. While at it, also remove 'nomem' +label. + +Reported-by: syzbot+107c4aff5f392bf1517f@syzkaller.appspotmail.com +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Xin Long +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/sctp/sm_sideeffect.c | 28 ++++++++++++++++++---------- + 1 file changed, 18 insertions(+), 10 deletions(-) + +--- a/net/sctp/sm_sideeffect.c ++++ b/net/sctp/sm_sideeffect.c +@@ -1359,8 +1359,10 @@ static int sctp_cmd_interpreter(enum sct + /* Generate an INIT ACK chunk. */ + new_obj = sctp_make_init_ack(asoc, chunk, GFP_ATOMIC, + 0); +- if (!new_obj) +- goto nomem; ++ if (!new_obj) { ++ error = -ENOMEM; ++ break; ++ } + + sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, + SCTP_CHUNK(new_obj)); +@@ -1382,7 +1384,8 @@ static int sctp_cmd_interpreter(enum sct + if (!new_obj) { + if (cmd->obj.chunk) + sctp_chunk_free(cmd->obj.chunk); +- goto nomem; ++ error = -ENOMEM; ++ break; + } + sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, + SCTP_CHUNK(new_obj)); +@@ -1429,8 +1432,10 @@ static int sctp_cmd_interpreter(enum sct + + /* Generate a SHUTDOWN chunk. */ + new_obj = sctp_make_shutdown(asoc, chunk); +- if (!new_obj) +- goto nomem; ++ if (!new_obj) { ++ error = -ENOMEM; ++ break; ++ } + sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, + SCTP_CHUNK(new_obj)); + break; +@@ -1760,11 +1765,17 @@ static int sctp_cmd_interpreter(enum sct + break; + } + +- if (error) ++ if (error) { ++ cmd = sctp_next_cmd(commands); ++ while (cmd) { ++ if (cmd->verb == SCTP_CMD_REPLY) ++ sctp_chunk_free(cmd->obj.chunk); ++ cmd = sctp_next_cmd(commands); ++ } + break; ++ } + } + +-out: + /* If this is in response to a received chunk, wait until + * we are done with the packet to open the queue so that we don't + * send multiple packets in response to a single request. +@@ -1779,8 +1790,5 @@ out: + sp->data_ready_signalled = 0; + + return error; +-nomem: +- error = -ENOMEM; +- goto out; + } + diff --git a/queue-4.14/series b/queue-4.14/series index 2fa97dda9fd..6199d5c88f1 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -45,3 +45,16 @@ mmc-block-delete-mmc_access_rpmb.patch mmc-block-fix-bug-when-removing-rpmb-chardev.patch mmc-core-prevent-bus-reference-leak-in-mmc_blk_init.patch mmc-block-propagate-correct-returned-value-in-mmc_rpmb_ioctl.patch +gtp-fix-bad-unlock-balance-in-gtp_encap_enable_socket.patch +macvlan-do-not-assume-mac_header-is-set-in-macvlan_broadcast.patch +net-dsa-mv88e6xxx-preserve-priority-when-setting-cpu-port.patch +net-stmmac-dwmac-sun8i-allow-all-rgmii-modes.patch +net-stmmac-dwmac-sunxi-allow-all-rgmii-modes.patch +net-usb-lan78xx-fix-possible-skb-leak.patch +pkt_sched-fq-do-not-accept-silly-tca_fq_quantum.patch +sctp-free-cmd-obj.chunk-for-the-unprocessed-sctp_cmd_reply.patch +tcp-fix-old-stuff-d-sack-causing-sack-to-be-treated-as-d-sack.patch +vxlan-fix-tos-value-before-xmit.patch +vlan-vlan_changelink-should-propagate-errors.patch +net-sch_prio-when-ungrafting-replace-with-fifo.patch +vlan-fix-memory-leak-in-vlan_dev_set_egress_priority.patch diff --git a/queue-4.14/tcp-fix-old-stuff-d-sack-causing-sack-to-be-treated-as-d-sack.patch b/queue-4.14/tcp-fix-old-stuff-d-sack-causing-sack-to-be-treated-as-d-sack.patch new file mode 100644 index 00000000000..8bad13f4a16 --- /dev/null +++ b/queue-4.14/tcp-fix-old-stuff-d-sack-causing-sack-to-be-treated-as-d-sack.patch @@ -0,0 +1,46 @@ +From foo@baz Sat 11 Jan 2020 09:21:00 AM CET +From: Pengcheng Yang +Date: Mon, 30 Dec 2019 17:54:41 +0800 +Subject: tcp: fix "old stuff" D-SACK causing SACK to be treated as D-SACK + +From: Pengcheng Yang + +[ Upstream commit c9655008e7845bcfdaac10a1ed8554ec167aea88 ] + +When we receive a D-SACK, where the sequence number satisfies: + undo_marker <= start_seq < end_seq <= prior_snd_una +we consider this is a valid D-SACK and tcp_is_sackblock_valid() +returns true, then this D-SACK is discarded as "old stuff", +but the variable first_sack_index is not marked as negative +in tcp_sacktag_write_queue(). + +If this D-SACK also carries a SACK that needs to be processed +(for example, the previous SACK segment was lost), this SACK +will be treated as a D-SACK in the following processing of +tcp_sacktag_write_queue(), which will eventually lead to +incorrect updates of undo_retrans and reordering. + +Fixes: fd6dad616d4f ("[TCP]: Earlier SACK block verification & simplify access to them") +Signed-off-by: Pengcheng Yang +Signed-off-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/tcp_input.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/net/ipv4/tcp_input.c ++++ b/net/ipv4/tcp_input.c +@@ -1750,8 +1750,11 @@ tcp_sacktag_write_queue(struct sock *sk, + } + + /* Ignore very old stuff early */ +- if (!after(sp[used_sacks].end_seq, prior_snd_una)) ++ if (!after(sp[used_sacks].end_seq, prior_snd_una)) { ++ if (i == 0) ++ first_sack_index = -1; + continue; ++ } + + used_sacks++; + } diff --git a/queue-4.14/vlan-fix-memory-leak-in-vlan_dev_set_egress_priority.patch b/queue-4.14/vlan-fix-memory-leak-in-vlan_dev_set_egress_priority.patch new file mode 100644 index 00000000000..0a1269d4f0d --- /dev/null +++ b/queue-4.14/vlan-fix-memory-leak-in-vlan_dev_set_egress_priority.patch @@ -0,0 +1,100 @@ +From foo@baz Sat 11 Jan 2020 09:21:00 AM CET +From: Eric Dumazet +Date: Tue, 7 Jan 2020 01:42:24 -0800 +Subject: vlan: fix memory leak in vlan_dev_set_egress_priority + +From: Eric Dumazet + +[ Upstream commit 9bbd917e0bec9aebdbd0c8dbc966caec15eb33e9 ] + +There are few cases where the ndo_uninit() handler might be not +called if an error happens while device is initialized. + +Since vlan_newlink() calls vlan_changelink() before +trying to register the netdevice, we need to make sure +vlan_dev_uninit() has been called at least once, +or we might leak allocated memory. + +BUG: memory leak +unreferenced object 0xffff888122a206c0 (size 32): + comm "syz-executor511", pid 7124, jiffies 4294950399 (age 32.240s) + hex dump (first 32 bytes): + 00 00 00 00 00 00 61 73 00 00 00 00 00 00 00 00 ......as........ + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + backtrace: + [<000000000eb3bb85>] kmemleak_alloc_recursive include/linux/kmemleak.h:43 [inline] + [<000000000eb3bb85>] slab_post_alloc_hook mm/slab.h:586 [inline] + [<000000000eb3bb85>] slab_alloc mm/slab.c:3320 [inline] + [<000000000eb3bb85>] kmem_cache_alloc_trace+0x145/0x2c0 mm/slab.c:3549 + [<000000007b99f620>] kmalloc include/linux/slab.h:556 [inline] + [<000000007b99f620>] vlan_dev_set_egress_priority+0xcc/0x150 net/8021q/vlan_dev.c:194 + [<000000007b0cb745>] vlan_changelink+0xd6/0x140 net/8021q/vlan_netlink.c:126 + [<0000000065aba83a>] vlan_newlink+0x135/0x200 net/8021q/vlan_netlink.c:181 + [<00000000fb5dd7a2>] __rtnl_newlink+0x89a/0xb80 net/core/rtnetlink.c:3305 + [<00000000ae4273a1>] rtnl_newlink+0x4e/0x80 net/core/rtnetlink.c:3363 + [<00000000decab39f>] rtnetlink_rcv_msg+0x178/0x4b0 net/core/rtnetlink.c:5424 + [<00000000accba4ee>] netlink_rcv_skb+0x61/0x170 net/netlink/af_netlink.c:2477 + [<00000000319fe20f>] rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:5442 + [<00000000d51938dc>] netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline] + [<00000000d51938dc>] netlink_unicast+0x223/0x310 net/netlink/af_netlink.c:1328 + [<00000000e539ac79>] netlink_sendmsg+0x2c0/0x570 net/netlink/af_netlink.c:1917 + [<000000006250c27e>] sock_sendmsg_nosec net/socket.c:639 [inline] + [<000000006250c27e>] sock_sendmsg+0x54/0x70 net/socket.c:659 + [<00000000e2a156d1>] ____sys_sendmsg+0x2d0/0x300 net/socket.c:2330 + [<000000008c87466e>] ___sys_sendmsg+0x8a/0xd0 net/socket.c:2384 + [<00000000110e3054>] __sys_sendmsg+0x80/0xf0 net/socket.c:2417 + [<00000000d71077c8>] __do_sys_sendmsg net/socket.c:2426 [inline] + [<00000000d71077c8>] __se_sys_sendmsg net/socket.c:2424 [inline] + [<00000000d71077c8>] __x64_sys_sendmsg+0x23/0x30 net/socket.c:2424 + +Fixe: 07b5b17e157b ("[VLAN]: Use rtnl_link API") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/8021q/vlan.h | 1 + + net/8021q/vlan_dev.c | 3 ++- + net/8021q/vlan_netlink.c | 9 +++++---- + 3 files changed, 8 insertions(+), 5 deletions(-) + +--- a/net/8021q/vlan.h ++++ b/net/8021q/vlan.h +@@ -110,6 +110,7 @@ int vlan_check_real_dev(struct net_devic + void vlan_setup(struct net_device *dev); + int register_vlan_dev(struct net_device *dev); + void unregister_vlan_dev(struct net_device *dev, struct list_head *head); ++void vlan_dev_uninit(struct net_device *dev); + bool vlan_dev_inherit_address(struct net_device *dev, + struct net_device *real_dev); + +--- a/net/8021q/vlan_dev.c ++++ b/net/8021q/vlan_dev.c +@@ -610,7 +610,8 @@ static int vlan_dev_init(struct net_devi + return 0; + } + +-static void vlan_dev_uninit(struct net_device *dev) ++/* Note: this function might be called multiple times for the same device. */ ++void vlan_dev_uninit(struct net_device *dev) + { + struct vlan_priority_tci_mapping *pm; + struct vlan_dev_priv *vlan = vlan_dev_priv(dev); +--- a/net/8021q/vlan_netlink.c ++++ b/net/8021q/vlan_netlink.c +@@ -161,10 +161,11 @@ static int vlan_newlink(struct net *src_ + return -EINVAL; + + err = vlan_changelink(dev, tb, data, extack); +- if (err < 0) +- return err; +- +- return register_vlan_dev(dev); ++ if (!err) ++ err = register_vlan_dev(dev); ++ if (err) ++ vlan_dev_uninit(dev); ++ return err; + } + + static inline size_t vlan_qos_map_size(unsigned int n) diff --git a/queue-4.14/vlan-vlan_changelink-should-propagate-errors.patch b/queue-4.14/vlan-vlan_changelink-should-propagate-errors.patch new file mode 100644 index 00000000000..aac2555687d --- /dev/null +++ b/queue-4.14/vlan-vlan_changelink-should-propagate-errors.patch @@ -0,0 +1,49 @@ +From foo@baz Sat 11 Jan 2020 09:21:00 AM CET +From: Eric Dumazet +Date: Tue, 7 Jan 2020 01:42:25 -0800 +Subject: vlan: vlan_changelink() should propagate errors + +From: Eric Dumazet + +[ Upstream commit eb8ef2a3c50092bb018077c047b8dba1ce0e78e3 ] + +Both vlan_dev_change_flags() and vlan_dev_set_egress_priority() +can return an error. vlan_changelink() should not ignore them. + +Fixes: 07b5b17e157b ("[VLAN]: Use rtnl_link API") +Signed-off-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/8021q/vlan_netlink.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +--- a/net/8021q/vlan_netlink.c ++++ b/net/8021q/vlan_netlink.c +@@ -95,11 +95,13 @@ static int vlan_changelink(struct net_de + struct ifla_vlan_flags *flags; + struct ifla_vlan_qos_mapping *m; + struct nlattr *attr; +- int rem; ++ int rem, err; + + if (data[IFLA_VLAN_FLAGS]) { + flags = nla_data(data[IFLA_VLAN_FLAGS]); +- vlan_dev_change_flags(dev, flags->flags, flags->mask); ++ err = vlan_dev_change_flags(dev, flags->flags, flags->mask); ++ if (err) ++ return err; + } + if (data[IFLA_VLAN_INGRESS_QOS]) { + nla_for_each_nested(attr, data[IFLA_VLAN_INGRESS_QOS], rem) { +@@ -110,7 +112,9 @@ static int vlan_changelink(struct net_de + if (data[IFLA_VLAN_EGRESS_QOS]) { + nla_for_each_nested(attr, data[IFLA_VLAN_EGRESS_QOS], rem) { + m = nla_data(attr); +- vlan_dev_set_egress_priority(dev, m->from, m->to); ++ err = vlan_dev_set_egress_priority(dev, m->from, m->to); ++ if (err) ++ return err; + } + } + return 0; diff --git a/queue-4.14/vxlan-fix-tos-value-before-xmit.patch b/queue-4.14/vxlan-fix-tos-value-before-xmit.patch new file mode 100644 index 00000000000..b14d7f31855 --- /dev/null +++ b/queue-4.14/vxlan-fix-tos-value-before-xmit.patch @@ -0,0 +1,45 @@ +From foo@baz Sat 11 Jan 2020 09:21:00 AM CET +From: Hangbin Liu +Date: Thu, 2 Jan 2020 17:23:45 +0800 +Subject: vxlan: fix tos value before xmit + +From: Hangbin Liu + +[ Upstream commit 71130f29979c7c7956b040673e6b9d5643003176 ] + +Before ip_tunnel_ecn_encap() and udp_tunnel_xmit_skb() we should filter +tos value by RT_TOS() instead of using config tos directly. + +vxlan_get_route() would filter the tos to fl4.flowi4_tos but we didn't +return it back, as geneve_get_v4_rt() did. So we have to use RT_TOS() +directly in function ip_tunnel_ecn_encap(). + +Fixes: 206aaafcd279 ("VXLAN: Use IP Tunnels tunnel ENC encap API") +Fixes: 1400615d64cf ("vxlan: allow setting ipv6 traffic class") +Signed-off-by: Hangbin Liu +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/vxlan.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/net/vxlan.c ++++ b/drivers/net/vxlan.c +@@ -2216,7 +2216,7 @@ static void vxlan_xmit_one(struct sk_buf + skb_dst_update_pmtu(skb, mtu); + } + +- tos = ip_tunnel_ecn_encap(tos, old_iph, skb); ++ tos = ip_tunnel_ecn_encap(RT_TOS(tos), old_iph, skb); + ttl = ttl ? : ip4_dst_hoplimit(&rt->dst); + err = vxlan_build_skb(skb, ndst, sizeof(struct iphdr), + vni, md, flags, udp_sum); +@@ -2257,7 +2257,7 @@ static void vxlan_xmit_one(struct sk_buf + skb_dst_update_pmtu(skb, mtu); + } + +- tos = ip_tunnel_ecn_encap(tos, old_iph, skb); ++ tos = ip_tunnel_ecn_encap(RT_TOS(tos), old_iph, skb); + ttl = ttl ? : ip6_dst_hoplimit(ndst); + skb_scrub_packet(skb, xnet); + err = vxlan_build_skb(skb, ndst, sizeof(struct ipv6hdr), -- 2.47.3