From d427de479819739db89b9f6cf067f74150327d2c Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Thu, 24 Oct 2019 21:38:06 -0400 Subject: [PATCH] 4.19-stable patches added patches: ipv4-fix-race-condition-between-route-lookup-and-invalidation.patch ipv4-return-enetunreach-if-we-can-t-create-route-but-saddr-is-valid.patch net-avoid-potential-infinite-loop-in-tc_ctl_action.patch net-bcmgenet-fix-rgmii_mode_en-value-for-genet-v1-2-3.patch net-bcmgenet-set-phydev-dev_flags-only-for-internal-phys.patch net-i82596-fix-dma_alloc_attr-for-sni_82596.patch net-ibmvnic-fix-eoi-when-running-in-xive-mode.patch net-ipv6-fix-listify-ip6_rcv_finish-in-case-of-forwarding.patch net-stmmac-disable-enable-ptp_ref_clk-in-suspend-resume-flow.patch sctp-change-sctp_prot-.no_autobind-with-true.patch --- ...etween-route-lookup-and-invalidation.patch | 67 +++++++++ ...an-t-create-route-but-saddr-is-valid.patch | 89 ++++++++++++ ...ntial-infinite-loop-in-tc_ctl_action.patch | 135 ++++++++++++++++++ ...rgmii_mode_en-value-for-genet-v1-2-3.patch | 47 ++++++ ...dev-dev_flags-only-for-internal-phys.patch | 40 ++++++ ...596-fix-dma_alloc_attr-for-sni_82596.patch | 85 +++++++++++ ...ic-fix-eoi-when-running-in-xive-mode.patch | 44 ++++++ ...ip6_rcv_finish-in-case-of-forwarding.patch | 73 ++++++++++ ...e-ptp_ref_clk-in-suspend-resume-flow.patch | 47 ++++++ ...nge-sctp_prot-.no_autobind-with-true.patch | 71 +++++++++ queue-4.19/series | 10 ++ 11 files changed, 708 insertions(+) create mode 100644 queue-4.19/ipv4-fix-race-condition-between-route-lookup-and-invalidation.patch create mode 100644 queue-4.19/ipv4-return-enetunreach-if-we-can-t-create-route-but-saddr-is-valid.patch create mode 100644 queue-4.19/net-avoid-potential-infinite-loop-in-tc_ctl_action.patch create mode 100644 queue-4.19/net-bcmgenet-fix-rgmii_mode_en-value-for-genet-v1-2-3.patch create mode 100644 queue-4.19/net-bcmgenet-set-phydev-dev_flags-only-for-internal-phys.patch create mode 100644 queue-4.19/net-i82596-fix-dma_alloc_attr-for-sni_82596.patch create mode 100644 queue-4.19/net-ibmvnic-fix-eoi-when-running-in-xive-mode.patch create mode 100644 queue-4.19/net-ipv6-fix-listify-ip6_rcv_finish-in-case-of-forwarding.patch create mode 100644 queue-4.19/net-stmmac-disable-enable-ptp_ref_clk-in-suspend-resume-flow.patch create mode 100644 queue-4.19/sctp-change-sctp_prot-.no_autobind-with-true.patch diff --git a/queue-4.19/ipv4-fix-race-condition-between-route-lookup-and-invalidation.patch b/queue-4.19/ipv4-fix-race-condition-between-route-lookup-and-invalidation.patch new file mode 100644 index 00000000000..390d01683dc --- /dev/null +++ b/queue-4.19/ipv4-fix-race-condition-between-route-lookup-and-invalidation.patch @@ -0,0 +1,67 @@ +From foo@baz Thu 24 Oct 2019 09:37:44 PM EDT +From: Wei Wang +Date: Wed, 16 Oct 2019 12:03:15 -0700 +Subject: ipv4: fix race condition between route lookup and invalidation + +From: Wei Wang + +[ Upstream commit 5018c59607a511cdee743b629c76206d9c9e6d7b ] + +Jesse and Ido reported the following race condition: + - Received packet A is forwarded and cached dst entry is +taken from the nexthop ('nhc->nhc_rth_input'). Calls skb_dst_set() + + - Given Jesse has busy routers ("ingesting full BGP routing tables +from multiple ISPs"), route is added / deleted and rt_cache_flush() is +called + + - Received packet B tries to use the same cached dst entry +from t0, but rt_cache_valid() is no longer true and it is replaced in +rt_cache_route() by the newer one. This calls dst_dev_put() on the +original dst entry which assigns the blackhole netdev to 'dst->dev' + + - dst_input(skb) is called on packet A and it is dropped due +to 'dst->dev' being the blackhole netdev + +There are 2 issues in the v4 routing code: +1. A per-netns counter is used to do the validation of the route. That +means whenever a route is changed in the netns, users of all routes in +the netns needs to redo lookup. v6 has an implementation of only +updating fn_sernum for routes that are affected. +2. When rt_cache_valid() returns false, rt_cache_route() is called to +throw away the current cache, and create a new one. This seems +unnecessary because as long as this route does not change, the route +cache does not need to be recreated. + +To fully solve the above 2 issues, it probably needs quite some code +changes and requires careful testing, and does not suite for net branch. + +So this patch only tries to add the deleted cached rt into the uncached +list, so user could still be able to use it to receive packets until +it's done. + +Fixes: 95c47f9cf5e0 ("ipv4: call dst_dev_put() properly") +Signed-off-by: Wei Wang +Reported-by: Ido Schimmel +Reported-by: Jesse Hathaway +Tested-by: Jesse Hathaway +Acked-by: Martin KaFai Lau +Cc: David Ahern +Reviewed-by: Ido Schimmel +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/route.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/ipv4/route.c ++++ b/net/ipv4/route.c +@@ -1476,7 +1476,7 @@ static bool rt_cache_route(struct fib_nh + prev = cmpxchg(p, orig, rt); + if (prev == orig) { + if (orig) { +- dst_dev_put(&orig->dst); ++ rt_add_uncached_list(orig); + dst_release(&orig->dst); + } + } else { diff --git a/queue-4.19/ipv4-return-enetunreach-if-we-can-t-create-route-but-saddr-is-valid.patch b/queue-4.19/ipv4-return-enetunreach-if-we-can-t-create-route-but-saddr-is-valid.patch new file mode 100644 index 00000000000..be1e6995f21 --- /dev/null +++ b/queue-4.19/ipv4-return-enetunreach-if-we-can-t-create-route-but-saddr-is-valid.patch @@ -0,0 +1,89 @@ +From foo@baz Thu 24 Oct 2019 09:37:44 PM EDT +From: Stefano Brivio +Date: Wed, 16 Oct 2019 20:52:09 +0200 +Subject: ipv4: Return -ENETUNREACH if we can't create route but saddr is valid + +From: Stefano Brivio + +[ Upstream commit 595e0651d0296bad2491a4a29a7a43eae6328b02 ] + +...instead of -EINVAL. An issue was found with older kernel versions +while unplugging a NFS client with pending RPCs, and the wrong error +code here prevented it from recovering once link is back up with a +configured address. + +Incidentally, this is not an issue anymore since commit 4f8943f80883 +("SUNRPC: Replace direct task wakeups from softirq context"), included +in 5.2-rc7, had the effect of decoupling the forwarding of this error +by using SO_ERROR in xs_wake_error(), as pointed out by Benjamin +Coddington. + +To the best of my knowledge, this isn't currently causing any further +issue, but the error code doesn't look appropriate anyway, and we +might hit this in other paths as well. + +In detail, as analysed by Gonzalo Siero, once the route is deleted +because the interface is down, and can't be resolved and we return +-EINVAL here, this ends up, courtesy of inet_sk_rebuild_header(), +as the socket error seen by tcp_write_err(), called by +tcp_retransmit_timer(). + +In turn, tcp_write_err() indirectly calls xs_error_report(), which +wakes up the RPC pending tasks with a status of -EINVAL. This is then +seen by call_status() in the SUN RPC implementation, which aborts the +RPC call calling rpc_exit(), instead of handling this as a +potentially temporary condition, i.e. as a timeout. + +Return -EINVAL only if the input parameters passed to +ip_route_output_key_hash_rcu() are actually invalid (this is the case +if the specified source address is multicast, limited broadcast or +all zeroes), but return -ENETUNREACH in all cases where, at the given +moment, the given source address doesn't allow resolving the route. + +While at it, drop the initialisation of err to -ENETUNREACH, which +was added to __ip_route_output_key() back then by commit +0315e3827048 ("net: Fix behaviour of unreachable, blackhole and +prohibit routes"), but actually had no effect, as it was, and is, +overwritten by the fib_lookup() return code assignment, and anyway +ignored in all other branches, including the if (fl4->saddr) one: +I find this rather confusing, as it would look like -ENETUNREACH is +the "default" error, while that statement has no effect. + +Also note that after commit fc75fc8339e7 ("ipv4: dont create routes +on down devices"), we would get -ENETUNREACH if the device is down, +but -EINVAL if the source address is specified and we can't resolve +the route, and this appears to be rather inconsistent. + +Reported-by: Stefan Walter +Analysed-by: Benjamin Coddington +Analysed-by: Gonzalo Siero +Signed-off-by: Stefano Brivio +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/route.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +--- a/net/ipv4/route.c ++++ b/net/ipv4/route.c +@@ -2381,14 +2381,17 @@ struct rtable *ip_route_output_key_hash_ + int orig_oif = fl4->flowi4_oif; + unsigned int flags = 0; + struct rtable *rth; +- int err = -ENETUNREACH; ++ int err; + + if (fl4->saddr) { +- rth = ERR_PTR(-EINVAL); + if (ipv4_is_multicast(fl4->saddr) || + ipv4_is_lbcast(fl4->saddr) || +- ipv4_is_zeronet(fl4->saddr)) ++ ipv4_is_zeronet(fl4->saddr)) { ++ rth = ERR_PTR(-EINVAL); + goto out; ++ } ++ ++ rth = ERR_PTR(-ENETUNREACH); + + /* I removed check for oif == dev_out->oif here. + It was wrong for two reasons: diff --git a/queue-4.19/net-avoid-potential-infinite-loop-in-tc_ctl_action.patch b/queue-4.19/net-avoid-potential-infinite-loop-in-tc_ctl_action.patch new file mode 100644 index 00000000000..c4ee4e6b172 --- /dev/null +++ b/queue-4.19/net-avoid-potential-infinite-loop-in-tc_ctl_action.patch @@ -0,0 +1,135 @@ +From foo@baz Thu 24 Oct 2019 09:37:44 PM EDT +From: Eric Dumazet +Date: Mon, 14 Oct 2019 11:22:30 -0700 +Subject: net: avoid potential infinite loop in tc_ctl_action() + +From: Eric Dumazet + +[ Upstream commit 39f13ea2f61b439ebe0060393e9c39925c9ee28c ] + +tc_ctl_action() has the ability to loop forever if tcf_action_add() +returns -EAGAIN. + +This special case has been done in case a module needed to be loaded, +but it turns out that tcf_add_notify() could also return -EAGAIN +if the socket sk_rcvbuf limit is hit. + +We need to separate the two cases, and only loop for the module +loading case. + +While we are at it, add a limit of 10 attempts since unbounded +loops are always scary. + +syzbot repro was something like : + +socket(PF_NETLINK, SOCK_RAW|SOCK_NONBLOCK, NETLINK_ROUTE) = 3 +write(3, ..., 38) = 38 +setsockopt(3, SOL_SOCKET, SO_RCVBUF, [0], 4) = 0 +sendmsg(3, {msg_name(0)=NULL, msg_iov(1)=[{..., 388}], msg_controllen=0, msg_flags=0x10}, ...) + +NMI backtrace for cpu 0 +CPU: 0 PID: 1054 Comm: khungtaskd Not tainted 5.4.0-rc1+ #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0x172/0x1f0 lib/dump_stack.c:113 + nmi_cpu_backtrace.cold+0x70/0xb2 lib/nmi_backtrace.c:101 + nmi_trigger_cpumask_backtrace+0x23b/0x28b lib/nmi_backtrace.c:62 + arch_trigger_cpumask_backtrace+0x14/0x20 arch/x86/kernel/apic/hw_nmi.c:38 + trigger_all_cpu_backtrace include/linux/nmi.h:146 [inline] + check_hung_uninterruptible_tasks kernel/hung_task.c:205 [inline] + watchdog+0x9d0/0xef0 kernel/hung_task.c:289 + kthread+0x361/0x430 kernel/kthread.c:255 + ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352 +Sending NMI from CPU 0 to CPUs 1: +NMI backtrace for cpu 1 +CPU: 1 PID: 8859 Comm: syz-executor910 Not tainted 5.4.0-rc1+ #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +RIP: 0010:arch_local_save_flags arch/x86/include/asm/paravirt.h:751 [inline] +RIP: 0010:lockdep_hardirqs_off+0x1df/0x2e0 kernel/locking/lockdep.c:3453 +Code: 5c 08 00 00 5b 41 5c 41 5d 5d c3 48 c7 c0 58 1d f3 88 48 ba 00 00 00 00 00 fc ff df 48 c1 e8 03 80 3c 10 00 0f 85 d3 00 00 00 <48> 83 3d 21 9e 99 07 00 0f 84 b9 00 00 00 9c 58 0f 1f 44 00 00 f6 +RSP: 0018:ffff8880a6f3f1b8 EFLAGS: 00000046 +RAX: 1ffffffff11e63ab RBX: ffff88808c9c6080 RCX: 0000000000000000 +RDX: dffffc0000000000 RSI: 0000000000000000 RDI: ffff88808c9c6914 +RBP: ffff8880a6f3f1d0 R08: ffff88808c9c6080 R09: fffffbfff16be5d1 +R10: fffffbfff16be5d0 R11: 0000000000000003 R12: ffffffff8746591f +R13: ffff88808c9c6080 R14: ffffffff8746591f R15: 0000000000000003 +FS: 00000000011e4880(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: ffffffffff600400 CR3: 00000000a8920000 CR4: 00000000001406e0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + trace_hardirqs_off+0x62/0x240 kernel/trace/trace_preemptirq.c:45 + __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:108 [inline] + _raw_spin_lock_irqsave+0x6f/0xcd kernel/locking/spinlock.c:159 + __wake_up_common_lock+0xc8/0x150 kernel/sched/wait.c:122 + __wake_up+0xe/0x10 kernel/sched/wait.c:142 + netlink_unlock_table net/netlink/af_netlink.c:466 [inline] + netlink_unlock_table net/netlink/af_netlink.c:463 [inline] + netlink_broadcast_filtered+0x705/0xb80 net/netlink/af_netlink.c:1514 + netlink_broadcast+0x3a/0x50 net/netlink/af_netlink.c:1534 + rtnetlink_send+0xdd/0x110 net/core/rtnetlink.c:714 + tcf_add_notify net/sched/act_api.c:1343 [inline] + tcf_action_add+0x243/0x370 net/sched/act_api.c:1362 + tc_ctl_action+0x3b5/0x4bc net/sched/act_api.c:1410 + rtnetlink_rcv_msg+0x463/0xb00 net/core/rtnetlink.c:5386 + netlink_rcv_skb+0x177/0x450 net/netlink/af_netlink.c:2477 + rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:5404 + netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline] + netlink_unicast+0x531/0x710 net/netlink/af_netlink.c:1328 + netlink_sendmsg+0x8a5/0xd60 net/netlink/af_netlink.c:1917 + sock_sendmsg_nosec net/socket.c:637 [inline] + sock_sendmsg+0xd7/0x130 net/socket.c:657 + ___sys_sendmsg+0x803/0x920 net/socket.c:2311 + __sys_sendmsg+0x105/0x1d0 net/socket.c:2356 + __do_sys_sendmsg net/socket.c:2365 [inline] + __se_sys_sendmsg net/socket.c:2363 [inline] + __x64_sys_sendmsg+0x78/0xb0 net/socket.c:2363 + do_syscall_64+0xfa/0x760 arch/x86/entry/common.c:290 + entry_SYSCALL_64_after_hwframe+0x49/0xbe +RIP: 0033:0x440939 + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Eric Dumazet +Reported-by: syzbot+cf0adbb9c28c8866c788@syzkaller.appspotmail.com +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/sched/act_api.c | 14 ++++++++------ + 1 file changed, 8 insertions(+), 6 deletions(-) + +--- a/net/sched/act_api.c ++++ b/net/sched/act_api.c +@@ -1307,11 +1307,16 @@ static int tcf_action_add(struct net *ne + struct netlink_ext_ack *extack) + { + size_t attr_size = 0; +- int ret = 0; ++ int loop, ret; + struct tc_action *actions[TCA_ACT_MAX_PRIO] = {}; + +- ret = tcf_action_init(net, NULL, nla, NULL, NULL, ovr, 0, actions, +- &attr_size, true, extack); ++ for (loop = 0; loop < 10; loop++) { ++ ret = tcf_action_init(net, NULL, nla, NULL, NULL, ovr, 0, ++ actions, &attr_size, true, extack); ++ if (ret != -EAGAIN) ++ break; ++ } ++ + if (ret < 0) + return ret; + ret = tcf_add_notify(net, n, actions, portid, attr_size, extack); +@@ -1361,11 +1366,8 @@ static int tc_ctl_action(struct sk_buff + */ + if (n->nlmsg_flags & NLM_F_REPLACE) + ovr = 1; +-replay: + ret = tcf_action_add(net, tca[TCA_ACT_TAB], n, portid, ovr, + extack); +- if (ret == -EAGAIN) +- goto replay; + break; + case RTM_DELACTION: + ret = tca_action_gd(net, tca[TCA_ACT_TAB], n, diff --git a/queue-4.19/net-bcmgenet-fix-rgmii_mode_en-value-for-genet-v1-2-3.patch b/queue-4.19/net-bcmgenet-fix-rgmii_mode_en-value-for-genet-v1-2-3.patch new file mode 100644 index 00000000000..fb38f033c4e --- /dev/null +++ b/queue-4.19/net-bcmgenet-fix-rgmii_mode_en-value-for-genet-v1-2-3.patch @@ -0,0 +1,47 @@ +From foo@baz Thu 24 Oct 2019 09:37:44 PM EDT +From: Florian Fainelli +Date: Tue, 15 Oct 2019 10:45:47 -0700 +Subject: net: bcmgenet: Fix RGMII_MODE_EN value for GENET v1/2/3 + +From: Florian Fainelli + +[ Upstream commit efb86fede98cdc70b674692ff617b1162f642c49 ] + +The RGMII_MODE_EN bit value was 0 for GENET versions 1 through 3, and +became 6 for GENET v4 and above, account for that difference. + +Fixes: aa09677cba42 ("net: bcmgenet: add MDIO routines") +Signed-off-by: Florian Fainelli +Acked-by: Doug Berger +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/broadcom/genet/bcmgenet.h | 1 + + drivers/net/ethernet/broadcom/genet/bcmmii.c | 6 +++++- + 2 files changed, 6 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.h ++++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.h +@@ -369,6 +369,7 @@ struct bcmgenet_mib_counters { + #define EXT_PWR_DOWN_PHY_EN (1 << 20) + + #define EXT_RGMII_OOB_CTRL 0x0C ++#define RGMII_MODE_EN_V123 (1 << 0) + #define RGMII_LINK (1 << 4) + #define OOB_DISABLE (1 << 5) + #define RGMII_MODE_EN (1 << 6) +--- a/drivers/net/ethernet/broadcom/genet/bcmmii.c ++++ b/drivers/net/ethernet/broadcom/genet/bcmmii.c +@@ -261,7 +261,11 @@ int bcmgenet_mii_config(struct net_devic + */ + if (priv->ext_phy) { + reg = bcmgenet_ext_readl(priv, EXT_RGMII_OOB_CTRL); +- reg |= RGMII_MODE_EN | id_mode_dis; ++ reg |= id_mode_dis; ++ if (GENET_IS_V1(priv) || GENET_IS_V2(priv) || GENET_IS_V3(priv)) ++ reg |= RGMII_MODE_EN_V123; ++ else ++ reg |= RGMII_MODE_EN; + bcmgenet_ext_writel(priv, reg, EXT_RGMII_OOB_CTRL); + } + diff --git a/queue-4.19/net-bcmgenet-set-phydev-dev_flags-only-for-internal-phys.patch b/queue-4.19/net-bcmgenet-set-phydev-dev_flags-only-for-internal-phys.patch new file mode 100644 index 00000000000..88633c0e99d --- /dev/null +++ b/queue-4.19/net-bcmgenet-set-phydev-dev_flags-only-for-internal-phys.patch @@ -0,0 +1,40 @@ +From foo@baz Thu 24 Oct 2019 09:37:44 PM EDT +From: Florian Fainelli +Date: Fri, 11 Oct 2019 12:53:49 -0700 +Subject: net: bcmgenet: Set phydev->dev_flags only for internal PHYs + +From: Florian Fainelli + +[ Upstream commit 92696286f3bb37ba50e4bd8d1beb24afb759a799 ] + +phydev->dev_flags is entirely dependent on the PHY device driver which +is going to be used, setting the internal GENET PHY revision in those +bits only makes sense when drivers/net/phy/bcm7xxx.c is the PHY driver +being used. + +Fixes: 487320c54143 ("net: bcmgenet: communicate integrated PHY revision to PHY driver") +Signed-off-by: Florian Fainelli +Acked-by: Doug Berger +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/broadcom/genet/bcmmii.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/broadcom/genet/bcmmii.c ++++ b/drivers/net/ethernet/broadcom/genet/bcmmii.c +@@ -280,11 +280,12 @@ int bcmgenet_mii_probe(struct net_device + struct bcmgenet_priv *priv = netdev_priv(dev); + struct device_node *dn = priv->pdev->dev.of_node; + struct phy_device *phydev; +- u32 phy_flags; ++ u32 phy_flags = 0; + int ret; + + /* Communicate the integrated PHY revision */ +- phy_flags = priv->gphy_rev; ++ if (priv->internal_phy) ++ phy_flags = priv->gphy_rev; + + /* Initialize link state variables that bcmgenet_mii_setup() uses */ + priv->old_link = -1; diff --git a/queue-4.19/net-i82596-fix-dma_alloc_attr-for-sni_82596.patch b/queue-4.19/net-i82596-fix-dma_alloc_attr-for-sni_82596.patch new file mode 100644 index 00000000000..895dbb54757 --- /dev/null +++ b/queue-4.19/net-i82596-fix-dma_alloc_attr-for-sni_82596.patch @@ -0,0 +1,85 @@ +From foo@baz Thu 24 Oct 2019 09:37:44 PM EDT +From: Thomas Bogendoerfer +Date: Tue, 15 Oct 2019 16:42:45 +0200 +Subject: net: i82596: fix dma_alloc_attr for sni_82596 + +From: Thomas Bogendoerfer + +[ Upstream commit 61c1d33daf7b5146f44d4363b3322f8cda6a6c43 ] + +Commit 7f683b920479 ("i825xx: switch to switch to dma_alloc_attrs") +switched dma allocation over to dma_alloc_attr, but didn't convert +the SNI part to request consistent DMA memory. This broke sni_82596 +since driver doesn't do dma_cache_sync for performance reasons. +Fix this by using different DMA_ATTRs for lasi_82596 and sni_82596. + +Fixes: 7f683b920479 ("i825xx: switch to switch to dma_alloc_attrs") +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/i825xx/lasi_82596.c | 4 +++- + drivers/net/ethernet/i825xx/lib82596.c | 4 ++-- + drivers/net/ethernet/i825xx/sni_82596.c | 4 +++- + 3 files changed, 8 insertions(+), 4 deletions(-) + +--- a/drivers/net/ethernet/i825xx/lasi_82596.c ++++ b/drivers/net/ethernet/i825xx/lasi_82596.c +@@ -96,6 +96,8 @@ + + #define OPT_SWAP_PORT 0x0001 /* Need to wordswp on the MPU port */ + ++#define LIB82596_DMA_ATTR DMA_ATTR_NON_CONSISTENT ++ + #define DMA_WBACK(ndev, addr, len) \ + do { dma_cache_sync((ndev)->dev.parent, (void *)addr, len, DMA_TO_DEVICE); } while (0) + +@@ -199,7 +201,7 @@ static int __exit lan_remove_chip(struct + + unregister_netdev (dev); + dma_free_attrs(&pdev->dev, sizeof(struct i596_private), lp->dma, +- lp->dma_addr, DMA_ATTR_NON_CONSISTENT); ++ lp->dma_addr, LIB82596_DMA_ATTR); + free_netdev (dev); + return 0; + } +--- a/drivers/net/ethernet/i825xx/lib82596.c ++++ b/drivers/net/ethernet/i825xx/lib82596.c +@@ -1065,7 +1065,7 @@ static int i82596_probe(struct net_devic + + dma = dma_alloc_attrs(dev->dev.parent, sizeof(struct i596_dma), + &lp->dma_addr, GFP_KERNEL, +- DMA_ATTR_NON_CONSISTENT); ++ LIB82596_DMA_ATTR); + if (!dma) { + printk(KERN_ERR "%s: Couldn't get shared memory\n", __FILE__); + return -ENOMEM; +@@ -1087,7 +1087,7 @@ static int i82596_probe(struct net_devic + i = register_netdev(dev); + if (i) { + dma_free_attrs(dev->dev.parent, sizeof(struct i596_dma), +- dma, lp->dma_addr, DMA_ATTR_NON_CONSISTENT); ++ dma, lp->dma_addr, LIB82596_DMA_ATTR); + return i; + } + +--- a/drivers/net/ethernet/i825xx/sni_82596.c ++++ b/drivers/net/ethernet/i825xx/sni_82596.c +@@ -23,6 +23,8 @@ + + static const char sni_82596_string[] = "snirm_82596"; + ++#define LIB82596_DMA_ATTR 0 ++ + #define DMA_WBACK(priv, addr, len) do { } while (0) + #define DMA_INV(priv, addr, len) do { } while (0) + #define DMA_WBACK_INV(priv, addr, len) do { } while (0) +@@ -151,7 +153,7 @@ static int sni_82596_driver_remove(struc + + unregister_netdev(dev); + dma_free_attrs(dev->dev.parent, sizeof(struct i596_private), lp->dma, +- lp->dma_addr, DMA_ATTR_NON_CONSISTENT); ++ lp->dma_addr, LIB82596_DMA_ATTR); + iounmap(lp->ca); + iounmap(lp->mpu_port); + free_netdev (dev); diff --git a/queue-4.19/net-ibmvnic-fix-eoi-when-running-in-xive-mode.patch b/queue-4.19/net-ibmvnic-fix-eoi-when-running-in-xive-mode.patch new file mode 100644 index 00000000000..fd68b699291 --- /dev/null +++ b/queue-4.19/net-ibmvnic-fix-eoi-when-running-in-xive-mode.patch @@ -0,0 +1,44 @@ +From foo@baz Thu 24 Oct 2019 09:37:44 PM EDT +From: "Cédric Le Goater" +Date: Fri, 11 Oct 2019 07:52:54 +0200 +Subject: net/ibmvnic: Fix EOI when running in XIVE mode. + +From: "Cédric Le Goater" + +[ Upstream commit 11d49ce9f7946dfed4dcf5dbde865c78058b50ab ] + +pSeries machines on POWER9 processors can run with the XICS (legacy) +interrupt mode or with the XIVE exploitation interrupt mode. These +interrupt contollers have different interfaces for interrupt +management : XICS uses hcalls and XIVE loads and stores on a page. +H_EOI being a XICS interface the enable_scrq_irq() routine can fail +when the machine runs in XIVE mode. + +Fix that by calling the EOI handler of the interrupt chip. + +Fixes: f23e0643cd0b ("ibmvnic: Clear pending interrupt after device reset") +Signed-off-by: Cédric Le Goater +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/ibm/ibmvnic.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +--- a/drivers/net/ethernet/ibm/ibmvnic.c ++++ b/drivers/net/ethernet/ibm/ibmvnic.c +@@ -2731,12 +2731,10 @@ static int enable_scrq_irq(struct ibmvni + + if (adapter->resetting && + adapter->reset_reason == VNIC_RESET_MOBILITY) { +- u64 val = (0xff000000) | scrq->hw_irq; ++ struct irq_desc *desc = irq_to_desc(scrq->irq); ++ struct irq_chip *chip = irq_desc_get_chip(desc); + +- rc = plpar_hcall_norets(H_EOI, val); +- if (rc) +- dev_err(dev, "H_EOI FAILED irq 0x%llx. rc=%ld\n", +- val, rc); ++ chip->irq_eoi(&desc->irq_data); + } + + rc = plpar_hcall_norets(H_VIOCTL, adapter->vdev->unit_address, diff --git a/queue-4.19/net-ipv6-fix-listify-ip6_rcv_finish-in-case-of-forwarding.patch b/queue-4.19/net-ipv6-fix-listify-ip6_rcv_finish-in-case-of-forwarding.patch new file mode 100644 index 00000000000..744509ebdc1 --- /dev/null +++ b/queue-4.19/net-ipv6-fix-listify-ip6_rcv_finish-in-case-of-forwarding.patch @@ -0,0 +1,73 @@ +From foo@baz Thu 24 Oct 2019 09:37:44 PM EDT +From: Xin Long +Date: Fri, 23 Aug 2019 19:33:03 +0800 +Subject: net: ipv6: fix listify ip6_rcv_finish in case of forwarding + +From: Xin Long + +[ Upstream commit c7a42eb49212f93a800560662d17d5293960d3c3 ] + +We need a similar fix for ipv6 as Commit 0761680d5215 ("net: ipv4: fix +listify ip_rcv_finish in case of forwarding") does for ipv4. + +This issue can be reprocuded by syzbot since Commit 323ebb61e32b ("net: +use listified RX for handling GRO_NORMAL skbs") on net-next. The call +trace was: + + kernel BUG at include/linux/skbuff.h:2225! + RIP: 0010:__skb_pull include/linux/skbuff.h:2225 [inline] + RIP: 0010:skb_pull+0xea/0x110 net/core/skbuff.c:1902 + Call Trace: + sctp_inq_pop+0x2f1/0xd80 net/sctp/inqueue.c:202 + sctp_endpoint_bh_rcv+0x184/0x8d0 net/sctp/endpointola.c:385 + sctp_inq_push+0x1e4/0x280 net/sctp/inqueue.c:80 + sctp_rcv+0x2807/0x3590 net/sctp/input.c:256 + sctp6_rcv+0x17/0x30 net/sctp/ipv6.c:1049 + ip6_protocol_deliver_rcu+0x2fe/0x1660 net/ipv6/ip6_input.c:397 + ip6_input_finish+0x84/0x170 net/ipv6/ip6_input.c:438 + NF_HOOK include/linux/netfilter.h:305 [inline] + NF_HOOK include/linux/netfilter.h:299 [inline] + ip6_input+0xe4/0x3f0 net/ipv6/ip6_input.c:447 + dst_input include/net/dst.h:442 [inline] + ip6_sublist_rcv_finish+0x98/0x1e0 net/ipv6/ip6_input.c:84 + ip6_list_rcv_finish net/ipv6/ip6_input.c:118 [inline] + ip6_sublist_rcv+0x80c/0xcf0 net/ipv6/ip6_input.c:282 + ipv6_list_rcv+0x373/0x4b0 net/ipv6/ip6_input.c:316 + __netif_receive_skb_list_ptype net/core/dev.c:5049 [inline] + __netif_receive_skb_list_core+0x5fc/0x9d0 net/core/dev.c:5097 + __netif_receive_skb_list net/core/dev.c:5149 [inline] + netif_receive_skb_list_internal+0x7eb/0xe60 net/core/dev.c:5244 + gro_normal_list.part.0+0x1e/0xb0 net/core/dev.c:5757 + gro_normal_list net/core/dev.c:5755 [inline] + gro_normal_one net/core/dev.c:5769 [inline] + napi_frags_finish net/core/dev.c:5782 [inline] + napi_gro_frags+0xa6a/0xea0 net/core/dev.c:5855 + tun_get_user+0x2e98/0x3fa0 drivers/net/tun.c:1974 + tun_chr_write_iter+0xbd/0x156 drivers/net/tun.c:2020 + +Fixes: d8269e2cbf90 ("net: ipv6: listify ipv6_rcv() and ip6_rcv_finish()") +Fixes: 323ebb61e32b ("net: use listified RX for handling GRO_NORMAL skbs") +Reported-by: syzbot+eb349eeee854e389c36d@syzkaller.appspotmail.com +Reported-by: syzbot+4a0643a653ac375612d1@syzkaller.appspotmail.com +Signed-off-by: Xin Long +Acked-by: Edward Cree +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/ip6_input.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/net/ipv6/ip6_input.c ++++ b/net/ipv6/ip6_input.c +@@ -80,8 +80,10 @@ static void ip6_sublist_rcv_finish(struc + { + struct sk_buff *skb, *next; + +- list_for_each_entry_safe(skb, next, head, list) ++ list_for_each_entry_safe(skb, next, head, list) { ++ skb_list_del_init(skb); + dst_input(skb); ++ } + } + + static void ip6_list_rcv_finish(struct net *net, struct sock *sk, diff --git a/queue-4.19/net-stmmac-disable-enable-ptp_ref_clk-in-suspend-resume-flow.patch b/queue-4.19/net-stmmac-disable-enable-ptp_ref_clk-in-suspend-resume-flow.patch new file mode 100644 index 00000000000..3a67a26dd9f --- /dev/null +++ b/queue-4.19/net-stmmac-disable-enable-ptp_ref_clk-in-suspend-resume-flow.patch @@ -0,0 +1,47 @@ +From foo@baz Thu 24 Oct 2019 09:37:44 PM EDT +From: Biao Huang +Date: Tue, 15 Oct 2019 11:24:44 +0800 +Subject: net: stmmac: disable/enable ptp_ref_clk in suspend/resume flow + +From: Biao Huang + +[ Upstream commit e497c20e203680aba9ccf7bb475959595908ca7e ] + +disable ptp_ref_clk in suspend flow, and enable it in resume flow. + +Fixes: f573c0b9c4e0 ("stmmac: move stmmac_clk, pclk, clk_ptp_ref and stmmac_rst to platform structure") +Signed-off-by: Biao Huang +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +@@ -4522,8 +4522,10 @@ int stmmac_suspend(struct device *dev) + stmmac_mac_set(priv, priv->ioaddr, false); + pinctrl_pm_select_sleep_state(priv->device); + /* Disable clock in case of PWM is off */ +- clk_disable(priv->plat->pclk); +- clk_disable(priv->plat->stmmac_clk); ++ if (priv->plat->clk_ptp_ref) ++ clk_disable_unprepare(priv->plat->clk_ptp_ref); ++ clk_disable_unprepare(priv->plat->pclk); ++ clk_disable_unprepare(priv->plat->stmmac_clk); + } + mutex_unlock(&priv->lock); + +@@ -4588,8 +4590,10 @@ int stmmac_resume(struct device *dev) + } else { + pinctrl_pm_select_default_state(priv->device); + /* enable the clk previously disabled */ +- clk_enable(priv->plat->stmmac_clk); +- clk_enable(priv->plat->pclk); ++ clk_prepare_enable(priv->plat->stmmac_clk); ++ clk_prepare_enable(priv->plat->pclk); ++ if (priv->plat->clk_ptp_ref) ++ clk_prepare_enable(priv->plat->clk_ptp_ref); + /* reset the phy so that it's ready */ + if (priv->mii) + stmmac_mdio_reset(priv->mii); diff --git a/queue-4.19/sctp-change-sctp_prot-.no_autobind-with-true.patch b/queue-4.19/sctp-change-sctp_prot-.no_autobind-with-true.patch new file mode 100644 index 00000000000..078fd38b3fa --- /dev/null +++ b/queue-4.19/sctp-change-sctp_prot-.no_autobind-with-true.patch @@ -0,0 +1,71 @@ +From foo@baz Thu 24 Oct 2019 09:37:44 PM EDT +From: Xin Long +Date: Tue, 15 Oct 2019 15:24:38 +0800 +Subject: sctp: change sctp_prot .no_autobind with true + +From: Xin Long + +[ Upstream commit 63dfb7938b13fa2c2fbcb45f34d065769eb09414 ] + +syzbot reported a memory leak: + + BUG: memory leak, unreferenced object 0xffff888120b3d380 (size 64): + backtrace: + + [...] slab_alloc mm/slab.c:3319 [inline] + [...] kmem_cache_alloc+0x13f/0x2c0 mm/slab.c:3483 + [...] sctp_bucket_create net/sctp/socket.c:8523 [inline] + [...] sctp_get_port_local+0x189/0x5a0 net/sctp/socket.c:8270 + [...] sctp_do_bind+0xcc/0x200 net/sctp/socket.c:402 + [...] sctp_bindx_add+0x4b/0xd0 net/sctp/socket.c:497 + [...] sctp_setsockopt_bindx+0x156/0x1b0 net/sctp/socket.c:1022 + [...] sctp_setsockopt net/sctp/socket.c:4641 [inline] + [...] sctp_setsockopt+0xaea/0x2dc0 net/sctp/socket.c:4611 + [...] sock_common_setsockopt+0x38/0x50 net/core/sock.c:3147 + [...] __sys_setsockopt+0x10f/0x220 net/socket.c:2084 + [...] __do_sys_setsockopt net/socket.c:2100 [inline] + +It was caused by when sending msgs without binding a port, in the path: +inet_sendmsg() -> inet_send_prepare() -> inet_autobind() -> +.get_port/sctp_get_port(), sp->bind_hash will be set while bp->port is +not. Later when binding another port by sctp_setsockopt_bindx(), a new +bucket will be created as bp->port is not set. + +sctp's autobind is supposed to call sctp_autobind() where it does all +things including setting bp->port. Since sctp_autobind() is called in +sctp_sendmsg() if the sk is not yet bound, it should have skipped the +auto bind. + +THis patch is to avoid calling inet_autobind() in inet_send_prepare() +by changing sctp_prot .no_autobind with true, also remove the unused +.get_port. + +Reported-by: syzbot+d44f7bbebdea49dbc84a@syzkaller.appspotmail.com +Signed-off-by: Xin Long +Acked-by: Marcelo Ricardo Leitner +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/sctp/socket.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/net/sctp/socket.c ++++ b/net/sctp/socket.c +@@ -8957,7 +8957,7 @@ struct proto sctp_prot = { + .backlog_rcv = sctp_backlog_rcv, + .hash = sctp_hash, + .unhash = sctp_unhash, +- .get_port = sctp_get_port, ++ .no_autobind = true, + .obj_size = sizeof(struct sctp_sock), + .useroffset = offsetof(struct sctp_sock, subscribe), + .usersize = offsetof(struct sctp_sock, initmsg) - +@@ -8999,7 +8999,7 @@ struct proto sctpv6_prot = { + .backlog_rcv = sctp_backlog_rcv, + .hash = sctp_hash, + .unhash = sctp_unhash, +- .get_port = sctp_get_port, ++ .no_autobind = true, + .obj_size = sizeof(struct sctp6_sock), + .useroffset = offsetof(struct sctp6_sock, sctp.subscribe), + .usersize = offsetof(struct sctp6_sock, sctp.initmsg) - diff --git a/queue-4.19/series b/queue-4.19/series index 5fedf6d51b1..071100845f6 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -22,3 +22,13 @@ libata-ahci-fix-pcs-quirk-application.patch md-raid0-fix-warning-message-for-parameter-default_l.patch revert-drm-radeon-fix-eeh-during-kexec.patch ocfs2-fix-panic-due-to-ocfs2_wq-is-null.patch +ipv4-fix-race-condition-between-route-lookup-and-invalidation.patch +ipv4-return-enetunreach-if-we-can-t-create-route-but-saddr-is-valid.patch +net-avoid-potential-infinite-loop-in-tc_ctl_action.patch +net-bcmgenet-fix-rgmii_mode_en-value-for-genet-v1-2-3.patch +net-bcmgenet-set-phydev-dev_flags-only-for-internal-phys.patch +net-i82596-fix-dma_alloc_attr-for-sni_82596.patch +net-ibmvnic-fix-eoi-when-running-in-xive-mode.patch +net-ipv6-fix-listify-ip6_rcv_finish-in-case-of-forwarding.patch +net-stmmac-disable-enable-ptp_ref_clk-in-suspend-resume-flow.patch +sctp-change-sctp_prot-.no_autobind-with-true.patch -- 2.47.2