From ada3fa93d5b5a32c9312618dd4ee635e5f1d27a7 Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman Date: Sat, 11 Jan 2020 09:18:01 +0100 Subject: [PATCH] 4.19-stable patches added patches: gtp-fix-bad-unlock-balance-in-gtp_encap_enable_socket.patch macvlan-do-not-assume-mac_header-is-set-in-macvlan_broadcast.patch mlxsw-spectrum_qdisc-ignore-grafting-of-invisible-fifo.patch net-dsa-mv88e6xxx-preserve-priority-when-setting-cpu-port.patch net-sch_prio-when-ungrafting-replace-with-fifo.patch net-stmmac-dwmac-sun8i-allow-all-rgmii-modes.patch net-stmmac-dwmac-sunxi-allow-all-rgmii-modes.patch net-usb-lan78xx-fix-possible-skb-leak.patch pkt_sched-fq-do-not-accept-silly-tca_fq_quantum.patch sch_cake-avoid-possible-divide-by-zero-in-cake_enqueue.patch sctp-free-cmd-obj.chunk-for-the-unprocessed-sctp_cmd_reply.patch tcp-fix-old-stuff-d-sack-causing-sack-to-be-treated-as-d-sack.patch vlan-fix-memory-leak-in-vlan_dev_set_egress_priority.patch vlan-vlan_changelink-should-propagate-errors.patch vxlan-fix-tos-value-before-xmit.patch --- ...k-balance-in-gtp_encap_enable_socket.patch | 97 ++++++++++ ...c_header-is-set-in-macvlan_broadcast.patch | 170 ++++++++++++++++++ ...sc-ignore-grafting-of-invisible-fifo.patch | 48 +++++ ...serve-priority-when-setting-cpu-port.patch | 50 ++++++ ...io-when-ungrafting-replace-with-fifo.patch | 48 +++++ ...ac-dwmac-sun8i-allow-all-rgmii-modes.patch | 33 ++++ ...ac-dwmac-sunxi-allow-all-rgmii-modes.patch | 32 ++++ ...et-usb-lan78xx-fix-possible-skb-leak.patch | 52 ++++++ ...q-do-not-accept-silly-tca_fq_quantum.patch | 52 ++++++ ...sible-divide-by-zero-in-cake_enqueue.patch | 43 +++++ ...k-for-the-unprocessed-sctp_cmd_reply.patch | 93 ++++++++++ queue-4.19/series | 15 ++ ...causing-sack-to-be-treated-as-d-sack.patch | 46 +++++ ...leak-in-vlan_dev_set_egress_priority.patch | 100 +++++++++++ ...n_changelink-should-propagate-errors.patch | 49 +++++ .../vxlan-fix-tos-value-before-xmit.patch | 45 +++++ 16 files changed, 973 insertions(+) create mode 100644 
queue-4.19/gtp-fix-bad-unlock-balance-in-gtp_encap_enable_socket.patch create mode 100644 queue-4.19/macvlan-do-not-assume-mac_header-is-set-in-macvlan_broadcast.patch create mode 100644 queue-4.19/mlxsw-spectrum_qdisc-ignore-grafting-of-invisible-fifo.patch create mode 100644 queue-4.19/net-dsa-mv88e6xxx-preserve-priority-when-setting-cpu-port.patch create mode 100644 queue-4.19/net-sch_prio-when-ungrafting-replace-with-fifo.patch create mode 100644 queue-4.19/net-stmmac-dwmac-sun8i-allow-all-rgmii-modes.patch create mode 100644 queue-4.19/net-stmmac-dwmac-sunxi-allow-all-rgmii-modes.patch create mode 100644 queue-4.19/net-usb-lan78xx-fix-possible-skb-leak.patch create mode 100644 queue-4.19/pkt_sched-fq-do-not-accept-silly-tca_fq_quantum.patch create mode 100644 queue-4.19/sch_cake-avoid-possible-divide-by-zero-in-cake_enqueue.patch create mode 100644 queue-4.19/sctp-free-cmd-obj.chunk-for-the-unprocessed-sctp_cmd_reply.patch create mode 100644 queue-4.19/tcp-fix-old-stuff-d-sack-causing-sack-to-be-treated-as-d-sack.patch create mode 100644 queue-4.19/vlan-fix-memory-leak-in-vlan_dev_set_egress_priority.patch create mode 100644 queue-4.19/vlan-vlan_changelink-should-propagate-errors.patch create mode 100644 queue-4.19/vxlan-fix-tos-value-before-xmit.patch diff --git a/queue-4.19/gtp-fix-bad-unlock-balance-in-gtp_encap_enable_socket.patch b/queue-4.19/gtp-fix-bad-unlock-balance-in-gtp_encap_enable_socket.patch new file mode 100644 index 00000000000..30f36abbd39 --- /dev/null +++ b/queue-4.19/gtp-fix-bad-unlock-balance-in-gtp_encap_enable_socket.patch 
@@ -0,0 +1,97 @@ +From foo@baz Sat 11 Jan 2020 09:14:34 AM CET +From: Eric Dumazet +Date: Mon, 6 Jan 2020 06:45:37 -0800 +Subject: gtp: fix bad unlock balance in gtp_encap_enable_socket + +From: Eric Dumazet + +[ Upstream commit 90d72256addff9e5f8ad645e8f632750dd1f8935 ] + +WARNING: bad unlock balance detected! +5.5.0-rc5-syzkaller #0 Not tainted +------------------------------------- +syz-executor921/9688 is trying to release lock (sk_lock-AF_INET6) at: +[] gtp_encap_enable_socket+0x146/0x400 drivers/net/gtp.c:830 +but there are no more locks to release! + +other info that might help us debug this: +2 locks held by syz-executor921/9688: + #0: ffffffff8a4d8840 (rtnl_mutex){+.+.}, at: rtnl_lock net/core/rtnetlink.c:72 [inline] + #0: ffffffff8a4d8840 (rtnl_mutex){+.+.}, at: rtnetlink_rcv_msg+0x405/0xaf0 net/core/rtnetlink.c:5421 + #1: ffff88809304b560 (slock-AF_INET6){+...}, at: spin_lock_bh include/linux/spinlock.h:343 [inline] + #1: ffff88809304b560 (slock-AF_INET6){+...}, at: release_sock+0x20/0x1c0 net/core/sock.c:2951 + +stack backtrace: +CPU: 0 PID: 9688 Comm: syz-executor921 Not tainted 5.5.0-rc5-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0x197/0x210 lib/dump_stack.c:118 + print_unlock_imbalance_bug kernel/locking/lockdep.c:4008 [inline] + print_unlock_imbalance_bug.cold+0x114/0x123 kernel/locking/lockdep.c:3984 + __lock_release kernel/locking/lockdep.c:4242 [inline] + lock_release+0x5f2/0x960 kernel/locking/lockdep.c:4503 + sock_release_ownership include/net/sock.h:1496 [inline] + release_sock+0x17c/0x1c0 net/core/sock.c:2961 + gtp_encap_enable_socket+0x146/0x400 drivers/net/gtp.c:830 + gtp_encap_enable drivers/net/gtp.c:852 [inline] + gtp_newlink+0x9fc/0xc60 drivers/net/gtp.c:666 + __rtnl_newlink+0x109e/0x1790 net/core/rtnetlink.c:3305 + rtnl_newlink+0x69/0xa0 net/core/rtnetlink.c:3363 + rtnetlink_rcv_msg+0x45e/0xaf0 
net/core/rtnetlink.c:5424 + netlink_rcv_skb+0x177/0x450 net/netlink/af_netlink.c:2477 + rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:5442 + netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline] + netlink_unicast+0x58c/0x7d0 net/netlink/af_netlink.c:1328 + netlink_sendmsg+0x91c/0xea0 net/netlink/af_netlink.c:1917 + sock_sendmsg_nosec net/socket.c:639 [inline] + sock_sendmsg+0xd7/0x130 net/socket.c:659 + ____sys_sendmsg+0x753/0x880 net/socket.c:2330 + ___sys_sendmsg+0x100/0x170 net/socket.c:2384 + __sys_sendmsg+0x105/0x1d0 net/socket.c:2417 + __do_sys_sendmsg net/socket.c:2426 [inline] + __se_sys_sendmsg net/socket.c:2424 [inline] + __x64_sys_sendmsg+0x78/0xb0 net/socket.c:2424 + do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294 + entry_SYSCALL_64_after_hwframe+0x49/0xbe +RIP: 0033:0x445d49 +Code: e8 bc b7 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 2b 12 fc ff c3 66 2e 0f 1f 84 00 00 00 00 +RSP: 002b:00007f8019074db8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e +RAX: ffffffffffffffda RBX: 00000000006dac38 RCX: 0000000000445d49 +RDX: 0000000000000000 RSI: 0000000020000180 RDI: 0000000000000003 +RBP: 00000000006dac30 R08: 0000000000000004 R09: 0000000000000000 +R10: 0000000000000008 R11: 0000000000000246 R12: 00000000006dac3c +R13: 00007ffea687f6bf R14: 00007f80190759c0 R15: 20c49ba5e353f7cf + +Fixes: e198987e7dd7 ("gtp: fix suspicious RCU usage") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Cc: Taehee Yoo +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/gtp.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/net/gtp.c ++++ b/drivers/net/gtp.c +@@ -818,7 +818,7 @@ static struct sock *gtp_encap_enable_soc + lock_sock(sock->sk); + if (sock->sk->sk_user_data) { + sk = ERR_PTR(-EBUSY); +- goto out_sock; ++ goto out_rel_sock; + } + + sk = sock->sk; +@@ -831,8 +831,9 @@ static struct sock *gtp_encap_enable_soc + + setup_udp_tunnel_sock(sock_net(sock->sk), sock, &tuncfg); + +-out_sock: ++out_rel_sock: + release_sock(sock->sk); ++out_sock: + sockfd_put(sock); + return sk; + } diff --git a/queue-4.19/macvlan-do-not-assume-mac_header-is-set-in-macvlan_broadcast.patch b/queue-4.19/macvlan-do-not-assume-mac_header-is-set-in-macvlan_broadcast.patch new file mode 100644 index 00000000000..3e2a52c17bf --- /dev/null +++ b/queue-4.19/macvlan-do-not-assume-mac_header-is-set-in-macvlan_broadcast.patch 
@@ -0,0 +1,170 @@ +From foo@baz Sat 11 Jan 2020 09:14:34 AM CET +From: Eric Dumazet +Date: Mon, 6 Jan 2020 12:30:48 -0800 +Subject: macvlan: do not assume mac_header is set in macvlan_broadcast() + +From: Eric Dumazet + +[ Upstream commit 96cc4b69581db68efc9749ef32e9cf8e0160c509 ] + +Use of eth_hdr() in tx path is error prone. + +Many drivers call skb_reset_mac_header() before using it, +but others do not. + +Commit 6d1ccff62780 ("net: reset mac header in dev_start_xmit()") +attempted to fix this generically, but commit d346a3fae3ff +("packet: introduce PACKET_QDISC_BYPASS socket option") brought +back the macvlan bug. + +Lets add a new helper, so that tx paths no longer have +to call skb_reset_mac_header() only to get a pointer +to skb->data. + +Hopefully we will be able to revert 6d1ccff62780 +("net: reset mac header in dev_start_xmit()") and save few cycles +in transmit fast path. + +BUG: KASAN: use-after-free in __get_unaligned_cpu32 include/linux/unaligned/packed_struct.h:19 [inline] +BUG: KASAN: use-after-free in mc_hash drivers/net/macvlan.c:251 [inline] +BUG: KASAN: use-after-free in macvlan_broadcast+0x547/0x620 drivers/net/macvlan.c:277 +Read of size 4 at addr ffff8880a4932401 by task syz-executor947/9579 + +CPU: 0 PID: 9579 Comm: syz-executor947 Not tainted 5.5.0-rc4-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0x197/0x210 lib/dump_stack.c:118 + print_address_description.constprop.0.cold+0xd4/0x30b mm/kasan/report.c:374 + __kasan_report.cold+0x1b/0x41 mm/kasan/report.c:506 + kasan_report+0x12/0x20 mm/kasan/common.c:639 + __asan_report_load_n_noabort+0xf/0x20 mm/kasan/generic_report.c:145 + __get_unaligned_cpu32 include/linux/unaligned/packed_struct.h:19 [inline] + mc_hash drivers/net/macvlan.c:251 [inline] + macvlan_broadcast+0x547/0x620 drivers/net/macvlan.c:277 + macvlan_queue_xmit drivers/net/macvlan.c:520 [inline] + 
macvlan_start_xmit+0x402/0x77f drivers/net/macvlan.c:559 + __netdev_start_xmit include/linux/netdevice.h:4447 [inline] + netdev_start_xmit include/linux/netdevice.h:4461 [inline] + dev_direct_xmit+0x419/0x630 net/core/dev.c:4079 + packet_direct_xmit+0x1a9/0x250 net/packet/af_packet.c:240 + packet_snd net/packet/af_packet.c:2966 [inline] + packet_sendmsg+0x260d/0x6220 net/packet/af_packet.c:2991 + sock_sendmsg_nosec net/socket.c:639 [inline] + sock_sendmsg+0xd7/0x130 net/socket.c:659 + __sys_sendto+0x262/0x380 net/socket.c:1985 + __do_sys_sendto net/socket.c:1997 [inline] + __se_sys_sendto net/socket.c:1993 [inline] + __x64_sys_sendto+0xe1/0x1a0 net/socket.c:1993 + do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294 + entry_SYSCALL_64_after_hwframe+0x49/0xbe +RIP: 0033:0x442639 +Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 5b 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00 +RSP: 002b:00007ffc13549e08 EFLAGS: 00000246 ORIG_RAX: 000000000000002c +RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000442639 +RDX: 000000000000000e RSI: 0000000020000080 RDI: 0000000000000003 +RBP: 0000000000000004 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 +R13: 0000000000403bb0 R14: 0000000000000000 R15: 0000000000000000 + +Allocated by task 9389: + save_stack+0x23/0x90 mm/kasan/common.c:72 + set_track mm/kasan/common.c:80 [inline] + __kasan_kmalloc mm/kasan/common.c:513 [inline] + __kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:486 + kasan_kmalloc+0x9/0x10 mm/kasan/common.c:527 + __do_kmalloc mm/slab.c:3656 [inline] + __kmalloc+0x163/0x770 mm/slab.c:3665 + kmalloc include/linux/slab.h:561 [inline] + tomoyo_realpath_from_path+0xc5/0x660 security/tomoyo/realpath.c:252 + tomoyo_get_realpath security/tomoyo/file.c:151 [inline] + tomoyo_path_perm+0x230/0x430 security/tomoyo/file.c:822 + 
tomoyo_inode_getattr+0x1d/0x30 security/tomoyo/tomoyo.c:129 + security_inode_getattr+0xf2/0x150 security/security.c:1222 + vfs_getattr+0x25/0x70 fs/stat.c:115 + vfs_statx_fd+0x71/0xc0 fs/stat.c:145 + vfs_fstat include/linux/fs.h:3265 [inline] + __do_sys_newfstat+0x9b/0x120 fs/stat.c:378 + __se_sys_newfstat fs/stat.c:375 [inline] + __x64_sys_newfstat+0x54/0x80 fs/stat.c:375 + do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + +Freed by task 9389: + save_stack+0x23/0x90 mm/kasan/common.c:72 + set_track mm/kasan/common.c:80 [inline] + kasan_set_free_info mm/kasan/common.c:335 [inline] + __kasan_slab_free+0x102/0x150 mm/kasan/common.c:474 + kasan_slab_free+0xe/0x10 mm/kasan/common.c:483 + __cache_free mm/slab.c:3426 [inline] + kfree+0x10a/0x2c0 mm/slab.c:3757 + tomoyo_realpath_from_path+0x1a7/0x660 security/tomoyo/realpath.c:289 + tomoyo_get_realpath security/tomoyo/file.c:151 [inline] + tomoyo_path_perm+0x230/0x430 security/tomoyo/file.c:822 + tomoyo_inode_getattr+0x1d/0x30 security/tomoyo/tomoyo.c:129 + security_inode_getattr+0xf2/0x150 security/security.c:1222 + vfs_getattr+0x25/0x70 fs/stat.c:115 + vfs_statx_fd+0x71/0xc0 fs/stat.c:145 + vfs_fstat include/linux/fs.h:3265 [inline] + __do_sys_newfstat+0x9b/0x120 fs/stat.c:378 + __se_sys_newfstat fs/stat.c:375 [inline] + __x64_sys_newfstat+0x54/0x80 fs/stat.c:375 + do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + +The buggy address belongs to the object at ffff8880a4932000 + which belongs to the cache kmalloc-4k of size 4096 +The buggy address is located 1025 bytes inside of + 4096-byte region [ffff8880a4932000, ffff8880a4933000) +The buggy address belongs to the page: +page:ffffea0002924c80 refcount:1 mapcount:0 mapping:ffff8880aa402000 index:0x0 compound_mapcount: 0 +raw: 00fffe0000010200 ffffea0002846208 ffffea00028f3888 ffff8880aa402000 +raw: 0000000000000000 ffff8880a4932000 0000000100000001 0000000000000000 +page 
dumped because: kasan: bad access detected + +Memory state around the buggy address: + ffff8880a4932300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ffff8880a4932380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +>ffff8880a4932400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ^ + ffff8880a4932480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ffff8880a4932500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + +Fixes: b863ceb7ddce ("[NET]: Add macvlan driver") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/macvlan.c | 2 +- + include/linux/if_ether.h | 8 ++++++++ + 2 files changed, 9 insertions(+), 1 deletion(-) + +--- a/drivers/net/macvlan.c ++++ b/drivers/net/macvlan.c +@@ -263,7 +263,7 @@ static void macvlan_broadcast(struct sk_ + struct net_device *src, + enum macvlan_mode mode) + { +- const struct ethhdr *eth = eth_hdr(skb); ++ const struct ethhdr *eth = skb_eth_hdr(skb); + const struct macvlan_dev *vlan; + struct sk_buff *nskb; + unsigned int i; +--- a/include/linux/if_ether.h ++++ b/include/linux/if_ether.h +@@ -28,6 +28,14 @@ static inline struct ethhdr *eth_hdr(con + return (struct ethhdr *)skb_mac_header(skb); + } + ++/* Prefer this version in TX path, instead of ++ * skb_reset_mac_header() + eth_hdr() ++ */ ++static inline struct ethhdr *skb_eth_hdr(const struct sk_buff *skb) ++{ ++ return (struct ethhdr *)skb->data; ++} ++ + static inline struct ethhdr *inner_eth_hdr(const struct sk_buff *skb) + { + return (struct ethhdr *)skb_inner_mac_header(skb); diff --git a/queue-4.19/mlxsw-spectrum_qdisc-ignore-grafting-of-invisible-fifo.patch b/queue-4.19/mlxsw-spectrum_qdisc-ignore-grafting-of-invisible-fifo.patch new file mode 100644 index 00000000000..42879473cf5 --- /dev/null +++ b/queue-4.19/mlxsw-spectrum_qdisc-ignore-grafting-of-invisible-fifo.patch 
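Review bot: `skb_eth_hdr()` returns `skb->data`, which is the Ethernet header only on transmit, so replacing `eth_hdr(skb)` inside `macvlan_broadcast()` is safe only if every caller of that function is a TX path. The KASAN trace in this patch reaches it through `macvlan_queue_xmit`, but the other callers are not visible in the hunk; if a receive-side caller exists (to be confirmed against the file), `skb->data` there would presumably already point past the header and the destination-MAC hash would be computed over the wrong bytes. A narrower change keeps `const struct ethhdr *eth = eth_hdr(skb);` here and adds `skb_reset_mac_header(skb);` at the start of the transmit entry point. The helper also does not check that the linear area holds a full header, so its comment should state the precondition, e.g. `/* TX path only: skb->data must point at a complete, linear Ethernet header */`. The body of `macvlan_broadcast()` continues outside the hunk.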
@@ -0,0 +1,48 @@
+From foo@baz Sat 11 Jan 2020 09:14:34 AM CET
+From: Petr Machata
+Date: Mon, 6 Jan 2020 18:01:55 +0000
+Subject: mlxsw: spectrum_qdisc: Ignore grafting of invisible FIFO
+
+From: Petr Machata
+
+[ Upstream commit 3971a535b839489e4ea31796cc086e6ce616318c ]
+
+The following patch will change PRIO to replace a removed Qdisc with an
+invisible FIFO, instead of NOOP. mlxsw will see this replacement due to the
+graft message that is generated. But because FIFO does not issue its own
+REPLACE message, when the graft operation takes place, the Qdisc that mlxsw
+tracks under the indicated band is still the old one. The child
+handle (0:0) therefore does not match, and mlxsw rejects the graft
+operation, which leads to an extack message:
+
+ Warning: Offloading graft operation failed.
+
+Fix by ignoring the invisible children in the PRIO graft handler. The
+DESTROY message of the removed Qdisc is going to follow shortly and handle
+the removal.
+
+Fixes: 32dc5efc6cb4 ("mlxsw: spectrum: qdiscs: prio: Handle graft command")
+Signed-off-by: Petr Machata
+Acked-by: Jiri Pirko
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/mellanox/mlxsw/spectrum_qdisc.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_qdisc.c
++++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_qdisc.c
+@@ -650,6 +650,13 @@ mlxsw_sp_qdisc_prio_graft(struct mlxsw_s
+ mlxsw_sp_port->tclass_qdiscs[tclass_num].handle == p->child_handle)
+ return 0;
+
++ if (!p->child_handle) {
++ /* This is an invisible FIFO replacing the original Qdisc.
++ * Ignore it--the original Qdisc's destroy will follow.
++ */
++ return 0;
++ }
++
+ /* See if the grafted qdisc is already offloaded on any tclass. If so,
+ * unoffload it.
+ */
diff --git a/queue-4.19/net-dsa-mv88e6xxx-preserve-priority-when-setting-cpu-port.patch b/queue-4.19/net-dsa-mv88e6xxx-preserve-priority-when-setting-cpu-port.patch
new file mode 100644
index 00000000000..d43d4deba5f
--- /dev/null
+++ b/queue-4.19/net-dsa-mv88e6xxx-preserve-priority-when-setting-cpu-port.patch
@@ -0,0 +1,50 @@
+From foo@baz Sat 11 Jan 2020 09:14:34 AM CET
+From: Andrew Lunn
+Date: Sat, 4 Jan 2020 23:14:51 +0100
+Subject: net: dsa: mv88e6xxx: Preserve priority when setting CPU port.
+
+From: Andrew Lunn
+
+[ Upstream commit d8dc2c9676e614ef62f54a155b50076888c8a29a ]
+
+The 6390 family uses an extended register to set the port connected to
+the CPU. The lower 5 bits indicate the port, the upper three bits are
+the priority of the frames as they pass through the switch, what
+egress queue they should use, etc. Since frames being set to the CPU
+are typically management frames, BPDU, IGMP, ARP, etc set the priority
+to 7, the reset default, and the highest.
+
+Fixes: 33641994a676 ("net: dsa: mv88e6xxx: Monitor and Management tables")
+Signed-off-by: Andrew Lunn
+Tested-by: Chris Healy
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/dsa/mv88e6xxx/global1.c | 5 +++++
+ drivers/net/dsa/mv88e6xxx/global1.h | 1 +
+ 2 files changed, 6 insertions(+)
+
+--- a/drivers/net/dsa/mv88e6xxx/global1.c
++++ b/drivers/net/dsa/mv88e6xxx/global1.c
+@@ -371,6 +371,11 @@ int mv88e6390_g1_set_cpu_port(struct mv8
+ {
+ u16 ptr = MV88E6390_G1_MONITOR_MGMT_CTL_PTR_CPU_DEST;
+
++ /* Use the default high priority for management frames sent to
++ * the CPU.
++ */
++ port |= MV88E6390_G1_MONITOR_MGMT_CTL_PTR_CPU_DEST_MGMTPRI;
++
+ return mv88e6390_g1_monitor_write(chip, ptr, port);
+ }
+
+--- a/drivers/net/dsa/mv88e6xxx/global1.h
++++ b/drivers/net/dsa/mv88e6xxx/global1.h
+@@ -197,6 +197,7 @@
+ #define MV88E6390_G1_MONITOR_MGMT_CTL_PTR_INGRESS_DEST 0x2000
+ #define MV88E6390_G1_MONITOR_MGMT_CTL_PTR_EGRESS_DEST 0x2100
+ #define MV88E6390_G1_MONITOR_MGMT_CTL_PTR_CPU_DEST 0x3000
++#define MV88E6390_G1_MONITOR_MGMT_CTL_PTR_CPU_DEST_MGMTPRI 0x00e0
+ #define MV88E6390_G1_MONITOR_MGMT_CTL_DATA_MASK 0x00ff
+
+ /* Offset 0x1C: Global Control 2 */
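Review bot: In `mv88e6390_g1_set_cpu_port()` the priority bits are OR'ed into `port` without first confining `port` to the 5-bit port field the commit message describes, so an out-of-range value would silently change the priority field rather than being rejected. Masking or validating first keeps the two fields independent, e.g. `port = (port & 0x1f) | MV88E6390_G1_MONITOR_MGMT_CTL_PTR_CPU_DEST_MGMTPRI;`; whether any caller can pass such a value is not visible in this hunk. The new constant is a data-field value but carries the `_PTR_` prefix of the pointer constants next to it, so a comment above the define such as `/* data bits 7:5: management frame priority, not a pointer value */` would prevent it being OR'ed into `ptr` by mistake. The function signature starts outside the hunk.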
diff --git a/queue-4.19/net-sch_prio-when-ungrafting-replace-with-fifo.patch b/queue-4.19/net-sch_prio-when-ungrafting-replace-with-fifo.patch
new file mode 100644
index 00000000000..be550a04fec
--- /dev/null
+++ b/queue-4.19/net-sch_prio-when-ungrafting-replace-with-fifo.patch
@@ -0,0 +1,48 @@
+From foo@baz Sat 11 Jan 2020 09:14:34 AM CET
+From: Petr Machata
+Date: Mon, 6 Jan 2020 18:01:56 +0000
+Subject: net: sch_prio: When ungrafting, replace with FIFO
+
+From: Petr Machata
+
+[ Upstream commit 240ce7f6428ff5188b9eedc066e1e4d645b8635f ]
+
+When a child Qdisc is removed from one of the PRIO Qdisc's bands, it is
+replaced unconditionally by a NOOP qdisc. As a result, any traffic hitting
+that band gets dropped. That is incorrect--no Qdisc was explicitly added
+when PRIO was created, and after removal, none should have to be added
+either.
+
+Fix PRIO by first attempting to create a default Qdisc and only falling
+back to noop when that fails. This pattern of attempting to create an
+invisible FIFO, using NOOP only as a fallback, is also seen in other
+Qdiscs.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Petr Machata
+Acked-by: Jiri Pirko
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/sched/sch_prio.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/net/sched/sch_prio.c
++++ b/net/sched/sch_prio.c
+@@ -314,8 +314,14 @@ static int prio_graft(struct Qdisc *sch,
+ bool any_qdisc_is_offloaded;
+ int err;
+
+- if (new == NULL)
+- new = &noop_qdisc;
++ if (!new) {
++ new = qdisc_create_dflt(sch->dev_queue, &pfifo_qdisc_ops,
++ TC_H_MAKE(sch->handle, arg), extack);
++ if (!new)
++ new = &noop_qdisc;
++ else
++ qdisc_hash_add(new, true);
++ }
+
+ *old = qdisc_replace(sch, new, &q->queues[band]);
+
diff --git a/queue-4.19/net-stmmac-dwmac-sun8i-allow-all-rgmii-modes.patch b/queue-4.19/net-stmmac-dwmac-sun8i-allow-all-rgmii-modes.patch
new file mode 100644
index 00000000000..847f8d1044f
--- /dev/null
+++ b/queue-4.19/net-stmmac-dwmac-sun8i-allow-all-rgmii-modes.patch
@@ -0,0 +1,33 @@
+From foo@baz Sat 11 Jan 2020 09:14:34 AM CET
+From: Chen-Yu Tsai
+Date: Mon, 6 Jan 2020 11:09:45 +0800
+Subject: net: stmmac: dwmac-sun8i: Allow all RGMII modes
+
+From: Chen-Yu Tsai
+
+[ Upstream commit f1239d8aa84dad8fe4b6cc1356f40fc8e842db47 ]
+
+Allow all the RGMII modes to be used. This would allow us to represent
+the hardware better in the device tree with RGMII_ID where in most
+cases the PHY's internal delay for both RX and TX are used.
+
+Fixes: 9f93ac8d4085 ("net-next: stmmac: Add dwmac-sun8i")
+Signed-off-by: Chen-Yu Tsai
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/stmicro/stmmac/dwmac-sun8i.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/ethernet/stmicro/stmmac/dwmac-sun8i.c
++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac-sun8i.c
+@@ -946,6 +946,9 @@ static int sun8i_dwmac_set_syscon(struct
+ /* default */
+ break;
+ case PHY_INTERFACE_MODE_RGMII:
++ case PHY_INTERFACE_MODE_RGMII_ID:
++ case PHY_INTERFACE_MODE_RGMII_RXID:
++ case PHY_INTERFACE_MODE_RGMII_TXID:
+ reg |= SYSCON_EPIT | SYSCON_ETCS_INT_GMII;
+ break;
+ case PHY_INTERFACE_MODE_RMII:
diff --git a/queue-4.19/net-stmmac-dwmac-sunxi-allow-all-rgmii-modes.patch b/queue-4.19/net-stmmac-dwmac-sunxi-allow-all-rgmii-modes.patch
new file mode 100644
index 00000000000..4372ec8403d
--- /dev/null
+++ b/queue-4.19/net-stmmac-dwmac-sunxi-allow-all-rgmii-modes.patch
@@ -0,0 +1,32 @@
+From foo@baz Sat 11 Jan 2020 09:14:34 AM CET
+From: Chen-Yu Tsai
+Date: Mon, 6 Jan 2020 11:09:22 +0800
+Subject: net: stmmac: dwmac-sunxi: Allow all RGMII modes
+
+From: Chen-Yu Tsai
+
+[ Upstream commit 52cc73e5404c7ba0cbfc50cb4c265108c84b3d5a ]
+
+Allow all the RGMII modes to be used. This would allow us to represent
+the hardware better in the device tree with RGMII_ID where in most
+cases the PHY's internal delay for both RX and TX are used.
+
+Fixes: af0bd4e9ba80 ("net: stmmac: sunxi platform extensions for GMAC in Allwinner A20 SoC's")
+Signed-off-by: Chen-Yu Tsai
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/stmicro/stmmac/dwmac-sunxi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/stmicro/stmmac/dwmac-sunxi.c
++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac-sunxi.c
+@@ -53,7 +53,7 @@ static int sun7i_gmac_init(struct platfo
+ * rate, which then uses the auto-reparenting feature of the
+ * clock driver, and enabling/disabling the clock.
+ */
+- if (gmac->interface == PHY_INTERFACE_MODE_RGMII) {
++ if (phy_interface_mode_is_rgmii(gmac->interface)) {
+ clk_set_rate(gmac->tx_clk, SUN7I_GMAC_GMII_RGMII_RATE);
+ clk_prepare_enable(gmac->tx_clk);
+ gmac->clk_enabled = 1;
diff --git a/queue-4.19/net-usb-lan78xx-fix-possible-skb-leak.patch b/queue-4.19/net-usb-lan78xx-fix-possible-skb-leak.patch
new file mode 100644
index 00000000000..40e3361ad71
--- /dev/null
+++ b/queue-4.19/net-usb-lan78xx-fix-possible-skb-leak.patch
@@ -0,0 +1,52 @@
+From foo@baz Sat 11 Jan 2020 09:14:34 AM CET
+From: Eric Dumazet
+Date: Tue, 7 Jan 2020 10:57:01 -0800
+Subject: net: usb: lan78xx: fix possible skb leak
+
+From: Eric Dumazet
+
+[ Upstream commit 47240ba0cd09bb6fe6db9889582048324999dfa4 ]
+
+If skb_linearize() fails, we need to free the skb.
+
+TSO makes skb bigger, and this bug might be the reason
+Raspberry Pi 3B+ users had to disable TSO.
+
+Fixes: 55d7de9de6c3 ("Microchip's LAN7800 family USB 2/3 to 10/100/1000 Ethernet device driver")
+Signed-off-by: Eric Dumazet
+Reported-by: RENARD Pierre-Francois
+Cc: Stefan Wahren
+Cc: Woojung Huh
+Cc: Microchip Linux Driver Support
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/usb/lan78xx.c | 9 +++------
+ 1 file changed, 3 insertions(+), 6 deletions(-)
+
+--- a/drivers/net/usb/lan78xx.c
++++ b/drivers/net/usb/lan78xx.c
+@@ -2736,11 +2736,6 @@ static int lan78xx_stop(struct net_devic
+ return 0;
+ }
+
+-static int lan78xx_linearize(struct sk_buff *skb)
+-{
+- return skb_linearize(skb);
+-}
+-
+ static struct sk_buff *lan78xx_tx_prep(struct lan78xx_net *dev,
+ struct sk_buff *skb, gfp_t flags)
+ {
+@@ -2751,8 +2746,10 @@ static struct sk_buff *lan78xx_tx_prep(s
+ return NULL;
+ }
+
+- if (lan78xx_linearize(skb) < 0)
++ if (skb_linearize(skb)) {
++ dev_kfree_skb_any(skb);
+ return NULL;
++ }
+
+ tx_cmd_a = (u32)(skb->len & TX_CMD_A_LEN_MASK_) | TX_CMD_A_FCS_;
+
diff --git a/queue-4.19/pkt_sched-fq-do-not-accept-silly-tca_fq_quantum.patch b/queue-4.19/pkt_sched-fq-do-not-accept-silly-tca_fq_quantum.patch
new file mode 100644
index 00000000000..1df6aae9c10
--- /dev/null
+++ b/queue-4.19/pkt_sched-fq-do-not-accept-silly-tca_fq_quantum.patch
@@ -0,0 +1,52 @@
+From foo@baz Sat 11 Jan 2020 09:14:34 AM CET
+From: Eric Dumazet
+Date: Mon, 6 Jan 2020 06:10:39 -0800
+Subject: pkt_sched: fq: do not accept silly TCA_FQ_QUANTUM
+
+From: Eric Dumazet
+
+[ Upstream commit d9e15a2733067c9328fb56d98fe8e574fa19ec31 ]
+
+As diagnosed by Florian :
+
+If TCA_FQ_QUANTUM is set to 0x80000000, fq_deueue()
+can loop forever in :
+
+if (f->credit <= 0) {
+ f->credit += q->quantum;
+ goto begin;
+}
+
+... because f->credit is either 0 or -2147483648.
+
+Let's limit TCA_FQ_QUANTUM to no more than 1 << 20 :
+This max value should limit risks of breaking user setups
+while fixing this bug.
+
+Fixes: afe4fd062416 ("pkt_sched: fq: Fair Queue packet scheduler")
+Signed-off-by: Eric Dumazet
+Diagnosed-by: Florian Westphal
+Reported-by: syzbot+dc9071cc5a85950bdfce@syzkaller.appspotmail.com
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/sched/sch_fq.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/net/sched/sch_fq.c
++++ b/net/sched/sch_fq.c
+@@ -735,10 +735,12 @@ static int fq_change(struct Qdisc *sch,
+ if (tb[TCA_FQ_QUANTUM]) {
+ u32 quantum = nla_get_u32(tb[TCA_FQ_QUANTUM]);
+
+- if (quantum > 0)
++ if (quantum > 0 && quantum <= (1 << 20)) {
+ q->quantum = quantum;
+- else
++ } else {
++ NL_SET_ERR_MSG_MOD(extack, "invalid quantum");
+ err = -EINVAL;
++ }
+ }
+
+ if (tb[TCA_FQ_INITIAL_QUANTUM])
diff --git a/queue-4.19/sch_cake-avoid-possible-divide-by-zero-in-cake_enqueue.patch b/queue-4.19/sch_cake-avoid-possible-divide-by-zero-in-cake_enqueue.patch
new file mode 100644
index 00000000000..e0a8c0ae7bf
--- /dev/null
+++ b/queue-4.19/sch_cake-avoid-possible-divide-by-zero-in-cake_enqueue.patch
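Review bot: The new upper bound in `fq_change()` is an unnamed `1 << 20`, and the extack text `"invalid quantum"` does not say which range is accepted. The value is read from a netlink attribute and the commit message ties an oversized value to an endless loop in the dequeue path, so the limit deserves a named constant (for instance `FQ_QUANTUM_MAX`, a name proposed here) with a comment recording why it exists, and the message could read `"quantum must be between 1 and 1048576"`. `TCA_FQ_INITIAL_QUANTUM` on the last context line appears to come from the same message; its handling continues outside the hunk, so whether it needs a similar bound should be checked there.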
@@ -0,0 +1,43 @@
+From foo@baz Sat 11 Jan 2020 09:14:34 AM CET
+From: Wen Yang
+Date: Thu, 2 Jan 2020 17:21:43 +0800
+Subject: sch_cake: avoid possible divide by zero in cake_enqueue()
+
+From: Wen Yang
+
+[ Upstream commit 68aab823c223646fab311f8a6581994facee66a0 ]
+
+The variables 'window_interval' is u64 and do_div()
+truncates it to 32 bits, which means it can test
+non-zero and be truncated to zero for division.
+The unit of window_interval is nanoseconds,
+so its lower 32-bit is relatively easy to exceed.
+Fix this issue by using div64_u64() instead.
+
+Fixes: 7298de9cd725 ("sch_cake: Add ingress mode")
+Signed-off-by: Wen Yang
+Cc: Kevin Darbyshire-Bryant
+Cc: Toke Høiland-Jørgensen
+Cc: David S. Miller
+Cc: Cong Wang
+Cc: cake@lists.bufferbloat.net
+Cc: netdev@vger.kernel.org
+Cc: linux-kernel@vger.kernel.org
+Acked-by: Toke Høiland-Jørgensen
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/sched/sch_cake.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/sched/sch_cake.c
++++ b/net/sched/sch_cake.c
+@@ -1758,7 +1758,7 @@ static s32 cake_enqueue(struct sk_buff *
+ q->avg_window_begin));
+ u64 b = q->avg_window_bytes * (u64)NSEC_PER_SEC;
+
+- do_div(b, window_interval);
++ b = div64_u64(b, window_interval);
+ q->avg_peak_bandwidth =
+ cake_ewma(q->avg_peak_bandwidth, b,
+ b > q->avg_peak_bandwidth ? 2 : 8);
diff --git a/queue-4.19/sctp-free-cmd-obj.chunk-for-the-unprocessed-sctp_cmd_reply.patch b/queue-4.19/sctp-free-cmd-obj.chunk-for-the-unprocessed-sctp_cmd_reply.patch
new file mode 100644
index 00000000000..aed3c8ed90c
--- /dev/null
+++ b/queue-4.19/sctp-free-cmd-obj.chunk-for-the-unprocessed-sctp_cmd_reply.patch
@@ -0,0 +1,93 @@ +From foo@baz Sat 11 Jan 2020 09:14:34 AM CET +From: Xin Long +Date: Sat, 4 Jan 2020 14:15:02 +0800 +Subject: sctp: free cmd->obj.chunk for the unprocessed SCTP_CMD_REPLY + +From: Xin Long + +[ Upstream commit be7a7729207797476b6666f046d765bdf9630407 ] + +This patch is to fix a memleak caused by no place to free cmd->obj.chunk +for the unprocessed SCTP_CMD_REPLY. This issue occurs when failing to +process a cmd while there're still SCTP_CMD_REPLY cmds on the cmd seq +with an allocated chunk in cmd->obj.chunk. + +So fix it by freeing cmd->obj.chunk for each SCTP_CMD_REPLY cmd left on +the cmd seq when any cmd returns error. While at it, also remove 'nomem' +label. + +Reported-by: syzbot+107c4aff5f392bf1517f@syzkaller.appspotmail.com +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Xin Long +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/sctp/sm_sideeffect.c | 28 ++++++++++++++++++---------- + 1 file changed, 18 insertions(+), 10 deletions(-) + +--- a/net/sctp/sm_sideeffect.c ++++ b/net/sctp/sm_sideeffect.c +@@ -1373,8 +1373,10 @@ static int sctp_cmd_interpreter(enum sct + /* Generate an INIT ACK chunk. */ + new_obj = sctp_make_init_ack(asoc, chunk, GFP_ATOMIC, + 0); +- if (!new_obj) +- goto nomem; ++ if (!new_obj) { ++ error = -ENOMEM; ++ break; ++ } + + sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, + SCTP_CHUNK(new_obj)); +@@ -1396,7 +1398,8 @@ static int sctp_cmd_interpreter(enum sct + if (!new_obj) { + if (cmd->obj.chunk) + sctp_chunk_free(cmd->obj.chunk); +- goto nomem; ++ error = -ENOMEM; ++ break; + } + sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, + SCTP_CHUNK(new_obj)); +@@ -1443,8 +1446,10 @@ static int sctp_cmd_interpreter(enum sct + + /* Generate a SHUTDOWN chunk. 
*/ + new_obj = sctp_make_shutdown(asoc, chunk); +- if (!new_obj) +- goto nomem; ++ if (!new_obj) { ++ error = -ENOMEM; ++ break; ++ } + sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, + SCTP_CHUNK(new_obj)); + break; +@@ -1780,11 +1785,17 @@ static int sctp_cmd_interpreter(enum sct + break; + } + +- if (error) ++ if (error) { ++ cmd = sctp_next_cmd(commands); ++ while (cmd) { ++ if (cmd->verb == SCTP_CMD_REPLY) ++ sctp_chunk_free(cmd->obj.chunk); ++ cmd = sctp_next_cmd(commands); ++ } + break; ++ } + } + +-out: + /* If this is in response to a received chunk, wait until + * we are done with the packet to open the queue so that we don't + * send multiple packets in response to a single request. +@@ -1799,7 +1810,4 @@ out: + sp->data_ready_signalled = 0; + + return error; +-nomem: +- error = -ENOMEM; +- goto out; + } diff --git a/queue-4.19/series b/queue-4.19/series index 13a6867835f..a683dc497fa 100644 --- a/queue-4.19/series +++ b/queue-4.19/series 
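Review bot: The new drain loop in the `if (error)` branch calls `sctp_chunk_free(cmd->obj.chunk)` for every remaining `SCTP_CMD_REPLY` without a NULL test, whereas the second inner hunk of the same patch guards a call on `cmd->obj.chunk` with `if (cmd->obj.chunk)`. Every `SCTP_CMD_REPLY` queued in the visible hunks carries a chunk that was just checked, but commands are also queued by code outside this diff, so either the loop should test as well, `if (cmd->verb == SCTP_CMD_REPLY && cmd->obj.chunk)`, or a comment should state that a reply command never holds a NULL chunk. The loop releases only reply chunks; if other verbs left on the sequence own memory (not visible here), that memory is still lost on this path. `sctp_cmd_interpreter()` begins outside the hunks.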
@@ -63,3 +63,18 @@ cpufreq-imx6q-read-ocotp-through-nvmem-for-imx6ul-imx6ull.patch
 arm-dts-imx6ul-use-nvmem-cells-for-cpu-speed-grading.patch
 pci-switchtec-read-all-64-bits-of-part_event_bitmap.patch
 arm64-kvm-trap-vm-ops-when-arm64_workaround_cavium_tx2_219_tvm-is-set.patch
+gtp-fix-bad-unlock-balance-in-gtp_encap_enable_socket.patch
+macvlan-do-not-assume-mac_header-is-set-in-macvlan_broadcast.patch
+net-dsa-mv88e6xxx-preserve-priority-when-setting-cpu-port.patch
+net-stmmac-dwmac-sun8i-allow-all-rgmii-modes.patch
+net-stmmac-dwmac-sunxi-allow-all-rgmii-modes.patch
+net-usb-lan78xx-fix-possible-skb-leak.patch
+pkt_sched-fq-do-not-accept-silly-tca_fq_quantum.patch
+sch_cake-avoid-possible-divide-by-zero-in-cake_enqueue.patch
+sctp-free-cmd-obj.chunk-for-the-unprocessed-sctp_cmd_reply.patch
+tcp-fix-old-stuff-d-sack-causing-sack-to-be-treated-as-d-sack.patch
+vxlan-fix-tos-value-before-xmit.patch
+vlan-fix-memory-leak-in-vlan_dev_set_egress_priority.patch
+vlan-vlan_changelink-should-propagate-errors.patch
+mlxsw-spectrum_qdisc-ignore-grafting-of-invisible-fifo.patch
+net-sch_prio-when-ungrafting-replace-with-fifo.patch
diff --git a/queue-4.19/tcp-fix-old-stuff-d-sack-causing-sack-to-be-treated-as-d-sack.patch b/queue-4.19/tcp-fix-old-stuff-d-sack-causing-sack-to-be-treated-as-d-sack.patch
new file mode 100644
index 00000000000..e95933e355d
--- /dev/null
+++ b/queue-4.19/tcp-fix-old-stuff-d-sack-causing-sack-to-be-treated-as-d-sack.patch
@@ -0,0 +1,46 @@
+From foo@baz Sat 11 Jan 2020 09:14:34 AM CET
+From: Pengcheng Yang
+Date: Mon, 30 Dec 2019 17:54:41 +0800
+Subject: tcp: fix "old stuff" D-SACK causing SACK to be treated as D-SACK
+
+From: Pengcheng Yang
+
+[ Upstream commit c9655008e7845bcfdaac10a1ed8554ec167aea88 ]
+
+When we receive a D-SACK, where the sequence number satisfies:
+ undo_marker <= start_seq < end_seq <= prior_snd_una
+we consider this is a valid D-SACK and tcp_is_sackblock_valid()
+returns true, then this D-SACK is discarded as "old stuff",
+but the variable first_sack_index is not marked as negative
+in tcp_sacktag_write_queue().
+
+If this D-SACK also carries a SACK that needs to be processed
+(for example, the previous SACK segment was lost), this SACK
+will be treated as a D-SACK in the following processing of
+tcp_sacktag_write_queue(), which will eventually lead to
+incorrect updates of undo_retrans and reordering.
+
+Fixes: fd6dad616d4f ("[TCP]: Earlier SACK block verification & simplify access to them")
+Signed-off-by: Pengcheng Yang
+Signed-off-by: Eric Dumazet
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv4/tcp_input.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -1716,8 +1716,11 @@ tcp_sacktag_write_queue(struct sock *sk,
+ }
+
+ /* Ignore very old stuff early */
+- if (!after(sp[used_sacks].end_seq, prior_snd_una))
++ if (!after(sp[used_sacks].end_seq, prior_snd_una)) {
++ if (i == 0)
++ first_sack_index = -1;
+ continue;
++ }
+
+ used_sacks++;
+ }
diff --git a/queue-4.19/vlan-fix-memory-leak-in-vlan_dev_set_egress_priority.patch b/queue-4.19/vlan-fix-memory-leak-in-vlan_dev_set_egress_priority.patch
new file mode 100644
index 00000000000..9b7547ce9a6
--- /dev/null
+++ b/queue-4.19/vlan-fix-memory-leak-in-vlan_dev_set_egress_priority.patch
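Review bot: The new `if (i == 0) first_sack_index = -1;` sits under the existing comment `/* Ignore very old stuff early */`, which does not explain why the index is reset when a block is skipped. Going by the commit message, a comment such as `/* Block 0 was the D-SACK; once it is dropped, no later block may be taken for it. */` would keep that reasoning next to the code. The loop and the rest of tcp_sacktag_write_queue() lie outside the hunk, so how first_sack_index is consumed afterwards cannot be checked from here.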
@@ -0,0 +1,100 @@
+From foo@baz Sat 11 Jan 2020 09:14:34 AM CET
+From: Eric Dumazet
+Date: Tue, 7 Jan 2020 01:42:24 -0800
+Subject: vlan: fix memory leak in vlan_dev_set_egress_priority
+
+From: Eric Dumazet
+
+[ Upstream commit 9bbd917e0bec9aebdbd0c8dbc966caec15eb33e9 ]
+
+There are few cases where the ndo_uninit() handler might be not
+called if an error happens while device is initialized.
+
+Since vlan_newlink() calls vlan_changelink() before
+trying to register the netdevice, we need to make sure
+vlan_dev_uninit() has been called at least once,
+or we might leak allocated memory.
+
+BUG: memory leak
+unreferenced object 0xffff888122a206c0 (size 32):
+ comm "syz-executor511", pid 7124, jiffies 4294950399 (age 32.240s)
+ hex dump (first 32 bytes):
+ 00 00 00 00 00 00 61 73 00 00 00 00 00 00 00 00 ......as........
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ backtrace:
+ [<000000000eb3bb85>] kmemleak_alloc_recursive include/linux/kmemleak.h:43 [inline]
+ [<000000000eb3bb85>] slab_post_alloc_hook mm/slab.h:586 [inline]
+ [<000000000eb3bb85>] slab_alloc mm/slab.c:3320 [inline]
+ [<000000000eb3bb85>] kmem_cache_alloc_trace+0x145/0x2c0 mm/slab.c:3549
+ [<000000007b99f620>] kmalloc include/linux/slab.h:556 [inline]
+ [<000000007b99f620>] vlan_dev_set_egress_priority+0xcc/0x150 net/8021q/vlan_dev.c:194
+ [<000000007b0cb745>] vlan_changelink+0xd6/0x140 net/8021q/vlan_netlink.c:126
+ [<0000000065aba83a>] vlan_newlink+0x135/0x200 net/8021q/vlan_netlink.c:181
+ [<00000000fb5dd7a2>] __rtnl_newlink+0x89a/0xb80 net/core/rtnetlink.c:3305
+ [<00000000ae4273a1>] rtnl_newlink+0x4e/0x80 net/core/rtnetlink.c:3363
+ [<00000000decab39f>] rtnetlink_rcv_msg+0x178/0x4b0 net/core/rtnetlink.c:5424
+ [<00000000accba4ee>] netlink_rcv_skb+0x61/0x170 net/netlink/af_netlink.c:2477
+ [<00000000319fe20f>] rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:5442
+ [<00000000d51938dc>] netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline]
+ [<00000000d51938dc>] netlink_unicast+0x223/0x310 net/netlink/af_netlink.c:1328
+ [<00000000e539ac79>] netlink_sendmsg+0x2c0/0x570 net/netlink/af_netlink.c:1917
+ [<000000006250c27e>] sock_sendmsg_nosec net/socket.c:639 [inline]
+ [<000000006250c27e>] sock_sendmsg+0x54/0x70 net/socket.c:659
+ [<00000000e2a156d1>] ____sys_sendmsg+0x2d0/0x300 net/socket.c:2330
+ [<000000008c87466e>] ___sys_sendmsg+0x8a/0xd0 net/socket.c:2384
+ [<00000000110e3054>] __sys_sendmsg+0x80/0xf0 net/socket.c:2417
+ [<00000000d71077c8>] __do_sys_sendmsg net/socket.c:2426 [inline]
+ [<00000000d71077c8>] __se_sys_sendmsg net/socket.c:2424 [inline]
+ [<00000000d71077c8>] __x64_sys_sendmsg+0x23/0x30 net/socket.c:2424
+
+Fixe: 07b5b17e157b ("[VLAN]: Use rtnl_link API")
+Signed-off-by: Eric Dumazet
+Reported-by: syzbot
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/8021q/vlan.h | 1 +
+ net/8021q/vlan_dev.c | 3 ++-
+ net/8021q/vlan_netlink.c | 9 +++++----
+ 3 files changed, 8 insertions(+), 5 deletions(-)
+
+--- a/net/8021q/vlan.h
++++ b/net/8021q/vlan.h
+@@ -114,6 +114,7 @@ int vlan_check_real_dev(struct net_devic
+ void vlan_setup(struct net_device *dev);
+ int register_vlan_dev(struct net_device *dev, struct netlink_ext_ack *extack);
+ void unregister_vlan_dev(struct net_device *dev, struct list_head *head);
++void vlan_dev_uninit(struct net_device *dev);
+ bool vlan_dev_inherit_address(struct net_device *dev,
+ struct net_device *real_dev);
+
+--- a/net/8021q/vlan_dev.c
++++ b/net/8021q/vlan_dev.c
+@@ -612,7 +612,8 @@ static int vlan_dev_init(struct net_devi
+ return 0;
+ }
+
+-static void vlan_dev_uninit(struct net_device *dev)
++/* Note: this function might be called multiple times for the same device. */
++void vlan_dev_uninit(struct net_device *dev)
+ {
+ struct vlan_priority_tci_mapping *pm;
+ struct vlan_dev_priv *vlan = vlan_dev_priv(dev);
+--- a/net/8021q/vlan_netlink.c
++++ b/net/8021q/vlan_netlink.c
+@@ -181,10 +181,11 @@ static int vlan_newlink(struct net *src_
+ return -EINVAL;
+
+ err = vlan_changelink(dev, tb, data, extack);
+- if (err < 0)
+- return err;
+-
+- return register_vlan_dev(dev, extack);
++ if (!err)
++ err = register_vlan_dev(dev, extack);
++ if (err)
++ vlan_dev_uninit(dev);
++ return err;
+ }
+
+ static inline size_t vlan_qos_map_size(unsigned int n)
diff --git a/queue-4.19/vlan-vlan_changelink-should-propagate-errors.patch b/queue-4.19/vlan-vlan_changelink-should-propagate-errors.patch
new file mode 100644
index 00000000000..1ccd2d6d15f
--- /dev/null
+++ b/queue-4.19/vlan-vlan_changelink-should-propagate-errors.patch
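Review bot: vlan_newlink() now calls `vlan_dev_uninit(dev)` on every error, including a failed register_vlan_dev(), so the function can run more than once for the same device, as the new comment says; that is only safe if each freed egress mapping is unlinked from the device before it is released. The body of vlan_dev_uninit() is outside the hunk beyond its first two declarations, so this has to be confirmed there, since a second pass over stale pointers would be a double free. I would make the comment state the requirement rather than just the fact: `/* May run more than once per device: each mapping must be unlinked before it is freed. */`.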
@@ -0,0 +1,49 @@
+From foo@baz Sat 11 Jan 2020 09:14:34 AM CET
+From: Eric Dumazet
+Date: Tue, 7 Jan 2020 01:42:25 -0800
+Subject: vlan: vlan_changelink() should propagate errors
+
+From: Eric Dumazet
+
+[ Upstream commit eb8ef2a3c50092bb018077c047b8dba1ce0e78e3 ]
+
+Both vlan_dev_change_flags() and vlan_dev_set_egress_priority()
+can return an error. vlan_changelink() should not ignore them.
+
+Fixes: 07b5b17e157b ("[VLAN]: Use rtnl_link API")
+Signed-off-by: Eric Dumazet
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/8021q/vlan_netlink.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- a/net/8021q/vlan_netlink.c
++++ b/net/8021q/vlan_netlink.c
+@@ -110,11 +110,13 @@ static int vlan_changelink(struct net_de
+ struct ifla_vlan_flags *flags;
+ struct ifla_vlan_qos_mapping *m;
+ struct nlattr *attr;
+- int rem;
++ int rem, err;
+
+ if (data[IFLA_VLAN_FLAGS]) {
+ flags = nla_data(data[IFLA_VLAN_FLAGS]);
+- vlan_dev_change_flags(dev, flags->flags, flags->mask);
++ err = vlan_dev_change_flags(dev, flags->flags, flags->mask);
++ if (err)
++ return err;
+ }
+ if (data[IFLA_VLAN_INGRESS_QOS]) {
+ nla_for_each_nested(attr, data[IFLA_VLAN_INGRESS_QOS], rem) {
+@@ -125,7 +127,9 @@ static int vlan_changelink(struct net_de
+ if (data[IFLA_VLAN_EGRESS_QOS]) {
+ nla_for_each_nested(attr, data[IFLA_VLAN_EGRESS_QOS], rem) {
+ m = nla_data(attr);
+- vlan_dev_set_egress_priority(dev, m->from, m->to);
++ err = vlan_dev_set_egress_priority(dev, m->from, m->to);
++ if (err)
++ return err;
+ }
+ }
+ return 0;
diff --git a/queue-4.19/vxlan-fix-tos-value-before-xmit.patch b/queue-4.19/vxlan-fix-tos-value-before-xmit.patch
new file mode 100644
index 00000000000..b0908f56dbd
--- /dev/null
+++ b/queue-4.19/vxlan-fix-tos-value-before-xmit.patch
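Review bot: The early `return err;` inside the egress loop of the second vlan_netlink.c hunk leaves in place the mappings installed by earlier iterations, and any flag change already made in the first hunk, when a later attribute fails. For a change request on an existing device the caller then sees an error while the device is partly reconfigured. If rollback is not intended, a comment such as `/* No rollback: settings applied before the failure stay in effect. */` above that return would make the contract explicit. vlan_changelink() starts before the first hunk, and the ingress loop between the two hunks is not shown.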
@@ -0,0 +1,45 @@
+From foo@baz Sat 11 Jan 2020 09:14:34 AM CET
+From: Hangbin Liu
+Date: Thu, 2 Jan 2020 17:23:45 +0800
+Subject: vxlan: fix tos value before xmit
+
+From: Hangbin Liu
+
+[ Upstream commit 71130f29979c7c7956b040673e6b9d5643003176 ]
+
+Before ip_tunnel_ecn_encap() and udp_tunnel_xmit_skb() we should filter
+tos value by RT_TOS() instead of using config tos directly.
+
+vxlan_get_route() would filter the tos to fl4.flowi4_tos but we didn't
+return it back, as geneve_get_v4_rt() did. So we have to use RT_TOS()
+directly in function ip_tunnel_ecn_encap().
+
+Fixes: 206aaafcd279 ("VXLAN: Use IP Tunnels tunnel ENC encap API")
+Fixes: 1400615d64cf ("vxlan: allow setting ipv6 traffic class")
+Signed-off-by: Hangbin Liu
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/vxlan.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/vxlan.c
++++ b/drivers/net/vxlan.c
+@@ -2217,7 +2217,7 @@ static void vxlan_xmit_one(struct sk_buf
+ ndst = &rt->dst;
+ skb_tunnel_check_pmtu(skb, ndst, VXLAN_HEADROOM);
+
+- tos = ip_tunnel_ecn_encap(tos, old_iph, skb);
++ tos = ip_tunnel_ecn_encap(RT_TOS(tos), old_iph, skb);
+ ttl = ttl ? : ip4_dst_hoplimit(&rt->dst);
+ err = vxlan_build_skb(skb, ndst, sizeof(struct iphdr),
+ vni, md, flags, udp_sum);
+@@ -2254,7 +2254,7 @@ static void vxlan_xmit_one(struct sk_buf
+
+ skb_tunnel_check_pmtu(skb, ndst, VXLAN6_HEADROOM);
+
+- tos = ip_tunnel_ecn_encap(tos, old_iph, skb);
++ tos = ip_tunnel_ecn_encap(RT_TOS(tos), old_iph, skb);
+ ttl = ttl ? : ip6_dst_hoplimit(ndst);
+ skb_scrub_packet(skb, xnet);
+ err = vxlan_build_skb(skb, ndst, sizeof(struct ipv6hdr),
--
2.47.3
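Review bot: `RT_TOS(tos)` is applied in the second vxlan.c hunk as well, which is the IPv6 transmit path (VXLAN6_HEADROOM, ip6_dst_hoplimit), although RT_TOS() is, as far as I know, the legacy IPv4 TOS mask. If so, the upper DSCP bits of a configured traffic class are cleared before `ip_tunnel_ecn_encap()` for both address families, which changes the QoS marking of the outer header. The commit message justifies the mask by what vxlan_get_route() does for the IPv4 flow key, so the IPv6 use deserves confirmation; a comment like `/* RT_TOS() keeps only the legacy TOS bits; DSCP bits above them are cleared. */` at both call sites would document the effect. vxlan_xmit_one() extends beyond both hunks.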