From dbf9df44f49b278623d84f57db95da8c8c642c71 Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Sat, 19 Jun 2021 23:15:23 -0400 Subject: [PATCH] Fixes for 5.4 Signed-off-by: Sasha Levin --- ...-an-error-handling-path-in-alx_probe.patch | 36 ++++ ...-avoid-warn_on-timing-related-checks.patch | 45 +++++ ...x-an-error-handling-path-in-be_probe.patch | 37 ++++ ...t_ethtool_free-in-bnxt_init_one-erro.patch | 37 ++++ ...er-phy-capabilities-after-firmware-r.patch | 49 +++++ queue-5.4/cxgb4-fix-wrong-shift.patch | 36 ++++ ...out-icmp-messages-with-a-source-addr.patch | 100 +++++++++++ ...duplicated-skb-in-rx-descriptor-ring.patch | 54 ++++++ ...a-data-race-in-unix_dgram_sendmsg-un.patch | 96 ++++++++++ .../net-cdc_eem-fix-tx-fixup-skb-leak.patch | 44 +++++ ...ncm-switch-to-eth-d-interface-naming.patch | 77 ++++++++ ...-potential-use-after-free-in-ec_bhf_.patch | 56 ++++++ ...issue-caused-by-refactor-the-fec_dev.patch | 44 +++++ ...radio-fix-memory-leak-in-mkiss_close.patch | 112 ++++++++++++ ...v4-fix-memory-leak-in-ip_mc_add1_src.patch | 86 +++++++++ ...emory-leak-in-netlbl_cipsov4_add_std.patch | 66 +++++++ ...able-interrupt-before-sheduling-napi.patch | 45 +++++ ..._ns-return-error-if-net_ns-is-disabl.patch | 131 ++++++++++++++ ...r-roce-cap-before-init-rdma-resource.patch | 37 ++++ ...ow-tso-on-vxlan-over-vlan-topologies.patch | 37 ++++ ...offload-of-outer-header-csum-for-udp.patch | 46 +++++ ...x-page-reclaim-for-dead-peer-hairpin.patch | 169 ++++++++++++++++++ ...-dependency-in-ipsec-initialization-.patch | 43 +++++ ...r-fix-oob-read-in-qrtr_endpoint_post.patch | 50 ++++++ ...t-rds-fix-memory-leak-in-rds_recvmsg.patch | 73 ++++++++ ...d-act_ct-handle-dnat-tuple-collision.patch | 67 +++++++ ...1000-fix-extended-mac-address-regist.patch | 42 +++++ ...ible-use-after-free-in-smsc75xx_bind.patch | 72 ++++++++ ...xy-fix-out-of-bounds-when-parsing-tc.patch | 59 ++++++ ...n-error-handling-path-in-netxen_nic_.patch | 37 ++++ ...adj-check-against-unreasonable-value.patch | 80 +++++++++ ...-error-handling-path-in-qlcnic_probe.patch | 36 ++++ ...gression-in-bridge-vlan-configuratio.patch | 55 ++++++ ...-of-bounds-when-parsing-tcp-options-.patch | 72 ++++++++ queue-5.4/series | 36 ++++ ...fix-race-between-close-and-udp_abort.patch | 77 ++++++++ queue-5.4/vrf-fix-maximum-mtu.patch | 65 +++++++ 37 files changed, 2304 insertions(+) create mode 100644 queue-5.4/alx-fix-an-error-handling-path-in-alx_probe.patch create mode 100644 queue-5.4/batman-adv-avoid-warn_on-timing-related-checks.patch create mode 100644 queue-5.4/be2net-fix-an-error-handling-path-in-be_probe.patch create mode 100644 queue-5.4/bnxt_en-call-bnxt_ethtool_free-in-bnxt_init_one-erro.patch create mode 100644 queue-5.4/bnxt_en-rediscover-phy-capabilities-after-firmware-r.patch create mode 100644 queue-5.4/cxgb4-fix-wrong-shift.patch create mode 100644 queue-5.4/icmp-don-t-send-out-icmp-messages-with-a-source-addr.patch create mode 100644 queue-5.4/lantiq-net-fix-duplicated-skb-in-rx-descriptor-ring.patch create mode 100644 queue-5.4/net-af_unix-fix-a-data-race-in-unix_dgram_sendmsg-un.patch create mode 100644 queue-5.4/net-cdc_eem-fix-tx-fixup-skb-leak.patch create mode 100644 queue-5.4/net-cdc_ncm-switch-to-eth-d-interface-naming.patch create mode 100644 queue-5.4/net-ethernet-fix-potential-use-after-free-in-ec_bhf_.patch create mode 100644 queue-5.4/net-fec_ptp-fix-issue-caused-by-refactor-the-fec_dev.patch create mode 100644 queue-5.4/net-hamradio-fix-memory-leak-in-mkiss_close.patch create mode 100644 queue-5.4/net-ipv4-fix-memory-leak-in-ip_mc_add1_src.patch create mode 100644 queue-5.4/net-ipv4-fix-memory-leak-in-netlbl_cipsov4_add_std.patch create mode 100644 queue-5.4/net-lantiq-disable-interrupt-before-sheduling-napi.patch create mode 100644 queue-5.4/net-make-get_net_ns-return-error-if-net_ns-is-disabl.patch create mode 100644 queue-5.4/net-mlx5-consider-roce-cap-before-init-rdma-resource.patch create mode 100644 queue-5.4/net-mlx5e-allow-tso-on-vxlan-over-vlan-topologies.patch create mode 100644 queue-5.4/net-mlx5e-block-offload-of-outer-header-csum-for-udp.patch create mode 100644 queue-5.4/net-mlx5e-fix-page-reclaim-for-dead-peer-hairpin.patch create mode 100644 queue-5.4/net-mlx5e-remove-dependency-in-ipsec-initialization-.patch create mode 100644 queue-5.4/net-qrtr-fix-oob-read-in-qrtr_endpoint_post.patch create mode 100644 queue-5.4/net-rds-fix-memory-leak-in-rds_recvmsg.patch create mode 100644 queue-5.4/net-sched-act_ct-handle-dnat-tuple-collision.patch create mode 100644 queue-5.4/net-stmmac-dwmac1000-fix-extended-mac-address-regist.patch create mode 100644 queue-5.4/net-usb-fix-possible-use-after-free-in-smsc75xx_bind.patch create mode 100644 queue-5.4/netfilter-synproxy-fix-out-of-bounds-when-parsing-tc.patch create mode 100644 queue-5.4/netxen_nic-fix-an-error-handling-path-in-netxen_nic_.patch create mode 100644 queue-5.4/ptp-improve-max_adj-check-against-unreasonable-value.patch create mode 100644 queue-5.4/qlcnic-fix-an-error-handling-path-in-qlcnic_probe.patch create mode 100644 queue-5.4/rtnetlink-fix-regression-in-bridge-vlan-configuratio.patch create mode 100644 queue-5.4/sch_cake-fix-out-of-bounds-when-parsing-tcp-options-.patch create mode 100644 queue-5.4/udp-fix-race-between-close-and-udp_abort.patch create mode 100644 queue-5.4/vrf-fix-maximum-mtu.patch diff --git a/queue-5.4/alx-fix-an-error-handling-path-in-alx_probe.patch b/queue-5.4/alx-fix-an-error-handling-path-in-alx_probe.patch new file mode 100644 index 00000000000..62fe7207de7 --- /dev/null +++ b/queue-5.4/alx-fix-an-error-handling-path-in-alx_probe.patch @@ -0,0 +1,36 @@ +From b4d541cbbd9bbbbfa7285f2fd6012d94c53ee5e8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Jun 2021 08:13:39 +0200 +Subject: alx: Fix an error handling path in 'alx_probe()' + +From: Christophe JAILLET + +[ Upstream commit 33e381448cf7a05d76ac0b47d4a6531ecd0e5c53 ] + +If an error occurs after a 'pci_enable_pcie_error_reporting()' call, it +must be undone by a corresponding 'pci_disable_pcie_error_reporting()' +call, as already done in the remove function. + +Fixes: ab69bde6b2e9 ("alx: add a simple AR816x/AR817x device driver") +Signed-off-by: Christophe JAILLET +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/atheros/alx/main.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/atheros/alx/main.c b/drivers/net/ethernet/atheros/alx/main.c +index bde8ec75ac4e..bee62d7caccc 100644 +--- a/drivers/net/ethernet/atheros/alx/main.c ++++ b/drivers/net/ethernet/atheros/alx/main.c +@@ -1852,6 +1852,7 @@ out_free_netdev: + free_netdev(netdev); + out_pci_release: + pci_release_mem_regions(pdev); ++ pci_disable_pcie_error_reporting(pdev); + out_pci_disable: + pci_disable_device(pdev); + return err; +-- +2.30.2 + diff --git a/queue-5.4/batman-adv-avoid-warn_on-timing-related-checks.patch b/queue-5.4/batman-adv-avoid-warn_on-timing-related-checks.patch new file mode 100644 index 00000000000..2fea09db458 --- /dev/null +++ b/queue-5.4/batman-adv-avoid-warn_on-timing-related-checks.patch @@ -0,0 +1,45 @@ +From 6f42e27807fe7163e930b061e183d1b4da15f330 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 May 2021 21:00:27 +0200 +Subject: batman-adv: Avoid WARN_ON timing related checks + +From: Sven Eckelmann + +[ Upstream commit 9f460ae31c4435fd022c443a6029352217a16ac1 ] + +The soft/batadv interface for a queued OGM can be changed during the time +the OGM was queued for transmission and when the OGM is actually +transmitted by the worker. + +But WARN_ON must be used to denote kernel bugs and not to print simple +warnings. A warning can simply be printed using pr_warn. + +Reported-by: Tetsuo Handa +Reported-by: syzbot+c0b807de416427ff3dd1@syzkaller.appspotmail.com +Fixes: ef0a937f7a14 ("batman-adv: consider outgoing interface in OGM sending") +Signed-off-by: Sven Eckelmann +Signed-off-by: Simon Wunderlich +Signed-off-by: Sasha Levin +--- + net/batman-adv/bat_iv_ogm.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/net/batman-adv/bat_iv_ogm.c b/net/batman-adv/bat_iv_ogm.c +index d88a4de02237..8be8a1feca84 100644 +--- a/net/batman-adv/bat_iv_ogm.c ++++ b/net/batman-adv/bat_iv_ogm.c +@@ -409,8 +409,10 @@ static void batadv_iv_ogm_emit(struct batadv_forw_packet *forw_packet) + if (WARN_ON(!forw_packet->if_outgoing)) + return; + +- if (WARN_ON(forw_packet->if_outgoing->soft_iface != soft_iface)) ++ if (forw_packet->if_outgoing->soft_iface != soft_iface) { ++ pr_warn("%s: soft interface switch for queued OGM\n", __func__); + return; ++ } + + if (forw_packet->if_incoming->if_status != BATADV_IF_ACTIVE) + return; +-- +2.30.2 + diff --git a/queue-5.4/be2net-fix-an-error-handling-path-in-be_probe.patch b/queue-5.4/be2net-fix-an-error-handling-path-in-be_probe.patch new file mode 100644 index 00000000000..6093c059b47 --- /dev/null +++ b/queue-5.4/be2net-fix-an-error-handling-path-in-be_probe.patch @@ -0,0 +1,37 @@ +From 6969f0e02d2fb6dd1dbdc788a07c40d70c13384f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Jun 2021 20:43:37 +0200 +Subject: be2net: Fix an error handling path in 'be_probe()' + +From: Christophe JAILLET + +[ Upstream commit c19c8c0e666f9259e2fc4d2fa4b9ff8e3b40ee5d ] + +If an error occurs after a 'pci_enable_pcie_error_reporting()' call, it +must be undone by a corresponding 'pci_disable_pcie_error_reporting()' +call, as already done in the remove function. + +Fixes: d6b6d9877878 ("be2net: use PCIe AER capability") +Signed-off-by: Christophe JAILLET +Acked-by: Somnath Kotur +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/emulex/benet/be_main.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/emulex/benet/be_main.c b/drivers/net/ethernet/emulex/benet/be_main.c +index 39eb7d525043..9aebb121365f 100644 +--- a/drivers/net/ethernet/emulex/benet/be_main.c ++++ b/drivers/net/ethernet/emulex/benet/be_main.c +@@ -6030,6 +6030,7 @@ drv_cleanup: + unmap_bars: + be_unmap_pci_bars(adapter); + free_netdev: ++ pci_disable_pcie_error_reporting(pdev); + free_netdev(netdev); + rel_reg: + pci_release_regions(pdev); +-- +2.30.2 + diff --git a/queue-5.4/bnxt_en-call-bnxt_ethtool_free-in-bnxt_init_one-erro.patch b/queue-5.4/bnxt_en-call-bnxt_ethtool_free-in-bnxt_init_one-erro.patch new file mode 100644 index 00000000000..2cb97b1a066 --- /dev/null +++ b/queue-5.4/bnxt_en-call-bnxt_ethtool_free-in-bnxt_init_one-erro.patch @@ -0,0 +1,37 @@ +From 404989e76f906a958922078b31e3b3b925f83330 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Jun 2021 02:07:27 -0400 +Subject: bnxt_en: Call bnxt_ethtool_free() in bnxt_init_one() error path + +From: Somnath Kotur + +[ Upstream commit 03400aaa69f916a376e11526cf591901a96a3a5c ] + +bnxt_ethtool_init() may have allocated some memory and we need to +call bnxt_ethtool_free() to properly unwind if bnxt_init_one() +fails. + +Fixes: 7c3809181468 ("bnxt_en: Refactor bnxt_init_one() and turn on TPA support on 57500 chips.") +Signed-off-by: Somnath Kotur +Signed-off-by: Michael Chan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/bnxt/bnxt.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +index f983d03da1e4..d1c3939b0307 100644 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +@@ -11963,6 +11963,7 @@ init_err_cleanup: + init_err_pci_clean: + bnxt_free_hwrm_short_cmd_req(bp); + bnxt_free_hwrm_resources(bp); ++ bnxt_ethtool_free(bp); + kfree(bp->fw_health); + bp->fw_health = NULL; + bnxt_cleanup_pci(bp); +-- +2.30.2 + diff --git a/queue-5.4/bnxt_en-rediscover-phy-capabilities-after-firmware-r.patch b/queue-5.4/bnxt_en-rediscover-phy-capabilities-after-firmware-r.patch new file mode 100644 index 00000000000..275fec4c086 --- /dev/null +++ b/queue-5.4/bnxt_en-rediscover-phy-capabilities-after-firmware-r.patch @@ -0,0 +1,49 @@ +From 28a3efb75d64e514e8b83dad0c8fe8f488939042 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Jun 2021 02:07:25 -0400 +Subject: bnxt_en: Rediscover PHY capabilities after firmware reset + +From: Michael Chan + +[ Upstream commit 0afd6a4e8028cc487c240b6cfe04094e45a306e4 ] + +There is a missing bnxt_probe_phy() call in bnxt_fw_init_one() to +rediscover the PHY capabilities after a firmware reset. This can cause +some PHY related functionalities to fail after a firmware reset. For +example, in multi-host, the ability for any host to configure the PHY +settings may be lost after a firmware reset. + +Fixes: ec5d31e3c15d ("bnxt_en: Handle firmware reset status during IF_UP.") +Signed-off-by: Michael Chan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/bnxt/bnxt.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +index 00ae7a9a42bf..f983d03da1e4 100644 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +@@ -10610,6 +10610,8 @@ static void bnxt_fw_init_one_p3(struct bnxt *bp) + bnxt_hwrm_coal_params_qcaps(bp); + } + ++static int bnxt_probe_phy(struct bnxt *bp, bool fw_dflt); ++ + static int bnxt_fw_init_one(struct bnxt *bp) + { + int rc; +@@ -10624,6 +10626,9 @@ static int bnxt_fw_init_one(struct bnxt *bp) + netdev_err(bp->dev, "Firmware init phase 2 failed\n"); + return rc; + } ++ rc = bnxt_probe_phy(bp, false); ++ if (rc) ++ return rc; + rc = bnxt_approve_mac(bp, bp->dev->dev_addr, false); + if (rc) + return rc; +-- +2.30.2 + diff --git a/queue-5.4/cxgb4-fix-wrong-shift.patch b/queue-5.4/cxgb4-fix-wrong-shift.patch new file mode 100644 index 00000000000..83aaac62397 --- /dev/null +++ b/queue-5.4/cxgb4-fix-wrong-shift.patch @@ -0,0 +1,36 @@ +From a25af6e6a5e176ad583ab399b8eef080e043dd26 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Jun 2021 11:29:48 +0200 +Subject: cxgb4: fix wrong shift. + +From: Pavel Machek + +[ Upstream commit 39eb028183bc7378bb6187067e20bf6d8c836407 ] + +While fixing coverity warning, commit dd2c79677375 introduced typo in +shift value. Fix that. + +Signed-off-by: Pavel Machek (CIP) +Fixes: dd2c79677375 ("cxgb4: Fix unintentional sign extension issues") +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/chelsio/cxgb4/cxgb4_filter.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_filter.c b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_filter.c +index ccb28182f745..44f86a33ef62 100644 +--- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_filter.c ++++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_filter.c +@@ -198,7 +198,7 @@ static void set_nat_params(struct adapter *adap, struct filter_entry *f, + WORD_MASK, f->fs.nat_lip[3] | + f->fs.nat_lip[2] << 8 | + f->fs.nat_lip[1] << 16 | +- (u64)f->fs.nat_lip[0] << 25, 1); ++ (u64)f->fs.nat_lip[0] << 24, 1); + } + } + +-- +2.30.2 + diff --git a/queue-5.4/icmp-don-t-send-out-icmp-messages-with-a-source-addr.patch b/queue-5.4/icmp-don-t-send-out-icmp-messages-with-a-source-addr.patch new file mode 100644 index 00000000000..58b88943574 --- /dev/null +++ b/queue-5.4/icmp-don-t-send-out-icmp-messages-with-a-source-addr.patch @@ -0,0 +1,100 @@ +From 915dd00db085e8d84f158e19e67873b6cfa1f52c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Jun 2021 13:04:35 +0200 +Subject: icmp: don't send out ICMP messages with a source address of 0.0.0.0 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Toke Høiland-Jørgensen + +[ Upstream commit 321827477360934dc040e9d3c626bf1de6c3ab3c ] + +When constructing ICMP response messages, the kernel will try to pick a +suitable source address for the outgoing packet. However, if no IPv4 +addresses are configured on the system at all, this will fail and we end up +producing an ICMP message with a source address of 0.0.0.0. This can happen +on a box routing IPv4 traffic via v6 nexthops, for instance. + +Since 0.0.0.0 is not generally routable on the internet, there's a good +chance that such ICMP messages will never make it back to the sender of the +original packet that the ICMP message was sent in response to. This, in +turn, can create connectivity and PMTUd problems for senders. Fortunately, +RFC7600 reserves a dummy address to be used as a source for ICMP +messages (192.0.0.8/32), so let's teach the kernel to substitute that +address as a last resort if the regular source address selection procedure +fails. + +Below is a quick example reproducing this issue with network namespaces: + +ip netns add ns0 +ip l add type veth peer netns ns0 +ip l set dev veth0 up +ip a add 10.0.0.1/24 dev veth0 +ip a add fc00:dead:cafe:42::1/64 dev veth0 +ip r add 10.1.0.0/24 via inet6 fc00:dead:cafe:42::2 +ip -n ns0 l set dev veth0 up +ip -n ns0 a add fc00:dead:cafe:42::2/64 dev veth0 +ip -n ns0 r add 10.0.0.0/24 via inet6 fc00:dead:cafe:42::1 +ip netns exec ns0 sysctl -w net.ipv4.icmp_ratelimit=0 +ip netns exec ns0 sysctl -w net.ipv4.ip_forward=1 +tcpdump -tpni veth0 -c 2 icmp & +ping -w 1 10.1.0.1 > /dev/null +tcpdump: verbose output suppressed, use -v[v]... for full protocol decode +listening on veth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes +IP 10.0.0.1 > 10.1.0.1: ICMP echo request, id 29, seq 1, length 64 +IP 0.0.0.0 > 10.0.0.1: ICMP net 10.1.0.1 unreachable, length 92 +2 packets captured +2 packets received by filter +0 packets dropped by kernel + +With this patch the above capture changes to: +IP 10.0.0.1 > 10.1.0.1: ICMP echo request, id 31127, seq 1, length 64 +IP 192.0.0.8 > 10.0.0.1: ICMP net 10.1.0.1 unreachable, length 92 + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: Juliusz Chroboczek +Reviewed-by: David Ahern +Signed-off-by: Toke Høiland-Jørgensen +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + include/uapi/linux/in.h | 3 +++ + net/ipv4/icmp.c | 7 +++++++ + 2 files changed, 10 insertions(+) + +diff --git a/include/uapi/linux/in.h b/include/uapi/linux/in.h +index e7ad9d350a28..60e1241d4b77 100644 +--- a/include/uapi/linux/in.h ++++ b/include/uapi/linux/in.h +@@ -284,6 +284,9 @@ struct sockaddr_in { + /* Address indicating an error return. */ + #define INADDR_NONE ((unsigned long int) 0xffffffff) + ++/* Dummy address for src of ICMP replies if no real address is set (RFC7600). */ ++#define INADDR_DUMMY ((unsigned long int) 0xc0000008) ++ + /* Network number for local host loopback. */ + #define IN_LOOPBACKNET 127 + +diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c +index dd8fae89be72..c88612242c89 100644 +--- a/net/ipv4/icmp.c ++++ b/net/ipv4/icmp.c +@@ -739,6 +739,13 @@ void __icmp_send(struct sk_buff *skb_in, int type, int code, __be32 info, + icmp_param.data_len = room; + icmp_param.head_len = sizeof(struct icmphdr); + ++ /* if we don't have a source address at this point, fall back to the ++ * dummy address instead of sending out a packet with a source address ++ * of 0.0.0.0 ++ */ ++ if (!fl4.saddr) ++ fl4.saddr = htonl(INADDR_DUMMY); ++ + icmp_push_reply(&icmp_param, &fl4, &ipc, &rt); + ende: + ip_rt_put(rt); +-- +2.30.2 + diff --git a/queue-5.4/lantiq-net-fix-duplicated-skb-in-rx-descriptor-ring.patch b/queue-5.4/lantiq-net-fix-duplicated-skb-in-rx-descriptor-ring.patch new file mode 100644 index 00000000000..2c21c888ce0 --- /dev/null +++ b/queue-5.4/lantiq-net-fix-duplicated-skb-in-rx-descriptor-ring.patch @@ -0,0 +1,54 @@ +From 365d204973319580d48902d95b0f78ef0b1444d2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Jun 2021 22:42:57 +0200 +Subject: lantiq: net: fix duplicated skb in rx descriptor ring + +From: Aleksander Jan Bajkowski + +[ Upstream commit 7ea6cd16f1599c1eac6018751eadbc5fc736b99a ] + +The previous commit didn't fix the bug properly. By mistake, it replaces +the pointer of the next skb in the descriptor ring instead of the current +one. As a result, the two descriptors are assigned the same SKB. The error +is seen during the iperf test when skb_put tries to insert a second packet +and exceeds the available buffer. + +Fixes: c7718ee96dbc ("net: lantiq: fix memory corruption in RX ring ") +Signed-off-by: Aleksander Jan Bajkowski +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/lantiq_xrx200.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/lantiq_xrx200.c b/drivers/net/ethernet/lantiq_xrx200.c +index 8d073b895fc0..6e504854571c 100644 +--- a/drivers/net/ethernet/lantiq_xrx200.c ++++ b/drivers/net/ethernet/lantiq_xrx200.c +@@ -154,6 +154,7 @@ static int xrx200_close(struct net_device *net_dev) + + static int xrx200_alloc_skb(struct xrx200_chan *ch) + { ++ struct sk_buff *skb = ch->skb[ch->dma.desc]; + dma_addr_t mapping; + int ret = 0; + +@@ -168,6 +169,7 @@ static int xrx200_alloc_skb(struct xrx200_chan *ch) + XRX200_DMA_DATA_LEN, DMA_FROM_DEVICE); + if (unlikely(dma_mapping_error(ch->priv->dev, mapping))) { + dev_kfree_skb_any(ch->skb[ch->dma.desc]); ++ ch->skb[ch->dma.desc] = skb; + ret = -ENOMEM; + goto skip; + } +@@ -198,7 +200,6 @@ static int xrx200_hw_receive(struct xrx200_chan *ch) + ch->dma.desc %= LTQ_DESC_NUM; + + if (ret) { +- ch->skb[ch->dma.desc] = skb; + net_dev->stats.rx_dropped++; + netdev_err(net_dev, "failed to allocate new rx buffer\n"); + return ret; +-- +2.30.2 + diff --git a/queue-5.4/net-af_unix-fix-a-data-race-in-unix_dgram_sendmsg-un.patch b/queue-5.4/net-af_unix-fix-a-data-race-in-unix_dgram_sendmsg-un.patch new file mode 100644 index 00000000000..dbd4f06b0a1 --- /dev/null +++ b/queue-5.4/net-af_unix-fix-a-data-race-in-unix_dgram_sendmsg-un.patch @@ -0,0 +1,96 @@ +From 1e62044148eb9a8ec0aff82741f00733c11193df Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Jun 2021 07:47:15 -0700 +Subject: net/af_unix: fix a data-race in unix_dgram_sendmsg / + unix_release_sock + +From: Eric Dumazet + +[ Upstream commit a494bd642d9120648b06bb7d28ce6d05f55a7819 ] + +While unix_may_send(sk, osk) is called while osk is locked, it appears +unix_release_sock() can overwrite unix_peer() after this lock has been +released, making KCSAN unhappy. + +Changing unix_release_sock() to access/change unix_peer() +before lock is released should fix this issue. + +BUG: KCSAN: data-race in unix_dgram_sendmsg / unix_release_sock + +write to 0xffff88810465a338 of 8 bytes by task 20852 on cpu 1: + unix_release_sock+0x4ed/0x6e0 net/unix/af_unix.c:558 + unix_release+0x2f/0x50 net/unix/af_unix.c:859 + __sock_release net/socket.c:599 [inline] + sock_close+0x6c/0x150 net/socket.c:1258 + __fput+0x25b/0x4e0 fs/file_table.c:280 + ____fput+0x11/0x20 fs/file_table.c:313 + task_work_run+0xae/0x130 kernel/task_work.c:164 + tracehook_notify_resume include/linux/tracehook.h:189 [inline] + exit_to_user_mode_loop kernel/entry/common.c:175 [inline] + exit_to_user_mode_prepare+0x156/0x190 kernel/entry/common.c:209 + __syscall_exit_to_user_mode_work kernel/entry/common.c:291 [inline] + syscall_exit_to_user_mode+0x20/0x40 kernel/entry/common.c:302 + do_syscall_64+0x56/0x90 arch/x86/entry/common.c:57 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +read to 0xffff88810465a338 of 8 bytes by task 20888 on cpu 0: + unix_may_send net/unix/af_unix.c:189 [inline] + unix_dgram_sendmsg+0x923/0x1610 net/unix/af_unix.c:1712 + sock_sendmsg_nosec net/socket.c:654 [inline] + sock_sendmsg net/socket.c:674 [inline] + ____sys_sendmsg+0x360/0x4d0 net/socket.c:2350 + ___sys_sendmsg net/socket.c:2404 [inline] + __sys_sendmmsg+0x315/0x4b0 net/socket.c:2490 + __do_sys_sendmmsg net/socket.c:2519 [inline] + __se_sys_sendmmsg net/socket.c:2516 [inline] + __x64_sys_sendmmsg+0x53/0x60 net/socket.c:2516 + do_syscall_64+0x4a/0x90 arch/x86/entry/common.c:47 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +value changed: 0xffff888167905400 -> 0x0000000000000000 + +Reported by Kernel Concurrency Sanitizer on: +CPU: 0 PID: 20888 Comm: syz-executor.0 Not tainted 5.13.0-rc5-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/unix/af_unix.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c +index ecadd9e482c4..9f96826eb3ba 100644 +--- a/net/unix/af_unix.c ++++ b/net/unix/af_unix.c +@@ -537,12 +537,14 @@ static void unix_release_sock(struct sock *sk, int embrion) + u->path.mnt = NULL; + state = sk->sk_state; + sk->sk_state = TCP_CLOSE; ++ ++ skpair = unix_peer(sk); ++ unix_peer(sk) = NULL; ++ + unix_state_unlock(sk); + + wake_up_interruptible_all(&u->peer_wait); + +- skpair = unix_peer(sk); +- + if (skpair != NULL) { + if (sk->sk_type == SOCK_STREAM || sk->sk_type == SOCK_SEQPACKET) { + unix_state_lock(skpair); +@@ -557,7 +559,6 @@ static void unix_release_sock(struct sock *sk, int embrion) + + unix_dgram_peer_wake_disconnect(sk, skpair); + sock_put(skpair); /* It may now die */ +- unix_peer(sk) = NULL; + } + + /* Try to flush out this socket. Throw out buffers at least */ +-- +2.30.2 + diff --git a/queue-5.4/net-cdc_eem-fix-tx-fixup-skb-leak.patch b/queue-5.4/net-cdc_eem-fix-tx-fixup-skb-leak.patch new file mode 100644 index 00000000000..a0f61219f2a --- /dev/null +++ b/queue-5.4/net-cdc_eem-fix-tx-fixup-skb-leak.patch @@ -0,0 +1,44 @@ +From 90f480a3e0fc73b4e371f8b6fd0d4c2005b5fcc1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Jun 2021 07:32:32 +0800 +Subject: net: cdc_eem: fix tx fixup skb leak + +From: Linyu Yuan + +[ Upstream commit c3b26fdf1b32f91c7a3bc743384b4a298ab53ad7 ] + +when usbnet transmit a skb, eem fixup it in eem_tx_fixup(), +if skb_copy_expand() failed, it return NULL, +usbnet_start_xmit() will have no chance to free original skb. + +fix it by free orginal skb in eem_tx_fixup() first, +then check skb clone status, if failed, return NULL to usbnet. + +Fixes: 9f722c0978b0 ("usbnet: CDC EEM support (v5)") +Signed-off-by: Linyu Yuan +Reviewed-by: Greg Kroah-Hartman +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/usb/cdc_eem.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/usb/cdc_eem.c b/drivers/net/usb/cdc_eem.c +index 0eeec80bec31..e4a570366646 100644 +--- a/drivers/net/usb/cdc_eem.c ++++ b/drivers/net/usb/cdc_eem.c +@@ -123,10 +123,10 @@ static struct sk_buff *eem_tx_fixup(struct usbnet *dev, struct sk_buff *skb, + } + + skb2 = skb_copy_expand(skb, EEM_HEAD, ETH_FCS_LEN + padlen, flags); ++ dev_kfree_skb_any(skb); + if (!skb2) + return NULL; + +- dev_kfree_skb_any(skb); + skb = skb2; + + done: +-- +2.30.2 + diff --git a/queue-5.4/net-cdc_ncm-switch-to-eth-d-interface-naming.patch b/queue-5.4/net-cdc_ncm-switch-to-eth-d-interface-naming.patch new file mode 100644 index 00000000000..0f640b9ce6b --- /dev/null +++ b/queue-5.4/net-cdc_ncm-switch-to-eth-d-interface-naming.patch @@ -0,0 +1,77 @@ +From 40aa46326f67ae50a8fa4c33705f0b5826df2f0c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Jun 2021 01:05:49 -0700 +Subject: net: cdc_ncm: switch to eth%d interface naming +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Maciej Żenczykowski + +[ Upstream commit c1a3d4067309451e68c33dbd356032549cc0bd8e ] + +This is meant to make the host side cdc_ncm interface consistently +named just like the older CDC protocols: cdc_ether & cdc_ecm +(and even rndis_host), which all use 'FLAG_ETHER | FLAG_POINTTOPOINT'. + +include/linux/usb/usbnet.h: + #define FLAG_ETHER 0x0020 /* maybe use "eth%d" names */ + #define FLAG_WLAN 0x0080 /* use "wlan%d" names */ + #define FLAG_WWAN 0x0400 /* use "wwan%d" names */ + #define FLAG_POINTTOPOINT 0x1000 /* possibly use "usb%d" names */ + +drivers/net/usb/usbnet.c @ line 1711: + strcpy (net->name, "usb%d"); + ... + // heuristic: "usb%d" for links we know are two-host, + // else "eth%d" when there's reasonable doubt. userspace + // can rename the link if it knows better. + if ((dev->driver_info->flags & FLAG_ETHER) != 0 && + ((dev->driver_info->flags & FLAG_POINTTOPOINT) == 0 || + (net->dev_addr [0] & 0x02) == 0)) + strcpy (net->name, "eth%d"); + /* WLAN devices should always be named "wlan%d" */ + if ((dev->driver_info->flags & FLAG_WLAN) != 0) + strcpy(net->name, "wlan%d"); + /* WWAN devices should always be named "wwan%d" */ + if ((dev->driver_info->flags & FLAG_WWAN) != 0) + strcpy(net->name, "wwan%d"); + +So by using ETHER | POINTTOPOINT the interface naming is +either usb%d or eth%d based on the global uniqueness of the +mac address of the device. + +Without this 2.5gbps ethernet dongles which all seem to use the cdc_ncm +driver end up being called usb%d instead of eth%d even though they're +definitely not two-host. (All 1gbps & 5gbps ethernet usb dongles I've +tested don't hit this problem due to use of different drivers, primarily +r8152 and aqc111) + +Fixes tag is based purely on git blame, and is really just here to make +sure this hits LTS branches newer than v4.5. + +Cc: Lorenzo Colitti +Fixes: 4d06dd537f95 ("cdc_ncm: do not call usbnet_link_change from cdc_ncm_bind") +Signed-off-by: Maciej Żenczykowski +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/usb/cdc_ncm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/usb/cdc_ncm.c b/drivers/net/usb/cdc_ncm.c +index 0646bcd26968..4cff0a6b1098 100644 +--- a/drivers/net/usb/cdc_ncm.c ++++ b/drivers/net/usb/cdc_ncm.c +@@ -1662,7 +1662,7 @@ static void cdc_ncm_status(struct usbnet *dev, struct urb *urb) + static const struct driver_info cdc_ncm_info = { + .description = "CDC NCM", + .flags = FLAG_POINTTOPOINT | FLAG_NO_SETINT | FLAG_MULTI_PACKET +- | FLAG_LINK_INTR, ++ | FLAG_LINK_INTR | FLAG_ETHER, + .bind = cdc_ncm_bind, + .unbind = cdc_ncm_unbind, + .manage_power = usbnet_manage_power, +-- +2.30.2 + diff --git a/queue-5.4/net-ethernet-fix-potential-use-after-free-in-ec_bhf_.patch b/queue-5.4/net-ethernet-fix-potential-use-after-free-in-ec_bhf_.patch new file mode 100644 index 00000000000..a510ee2fd07 --- /dev/null +++ b/queue-5.4/net-ethernet-fix-potential-use-after-free-in-ec_bhf_.patch @@ -0,0 +1,56 @@ +From eec60eb55898ede18af59a7dc0bb0e239dc04677 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Jun 2021 16:49:02 +0300 +Subject: net: ethernet: fix potential use-after-free in ec_bhf_remove + +From: Pavel Skripkin + +[ Upstream commit 9cca0c2d70149160407bda9a9446ce0c29b6e6c6 ] + +static void ec_bhf_remove(struct pci_dev *dev) +{ +... + struct ec_bhf_priv *priv = netdev_priv(net_dev); + + unregister_netdev(net_dev); + free_netdev(net_dev); + + pci_iounmap(dev, priv->dma_io); + pci_iounmap(dev, priv->io); +... +} + +priv is netdev private data, but it is used +after free_netdev(). It can cause use-after-free when accessing priv +pointer. So, fix it by moving free_netdev() after pci_iounmap() +calls. + +Fixes: 6af55ff52b02 ("Driver for Beckhoff CX5020 EtherCAT master module.") +Signed-off-by: Pavel Skripkin +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/ec_bhf.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/ec_bhf.c b/drivers/net/ethernet/ec_bhf.c +index 46b0dbab8aad..7c992172933b 100644 +--- a/drivers/net/ethernet/ec_bhf.c ++++ b/drivers/net/ethernet/ec_bhf.c +@@ -576,10 +576,12 @@ static void ec_bhf_remove(struct pci_dev *dev) + struct ec_bhf_priv *priv = netdev_priv(net_dev); + + unregister_netdev(net_dev); +- free_netdev(net_dev); + + pci_iounmap(dev, priv->dma_io); + pci_iounmap(dev, priv->io); ++ ++ free_netdev(net_dev); ++ + pci_release_regions(dev); + pci_clear_master(dev); + pci_disable_device(dev); +-- +2.30.2 + diff --git a/queue-5.4/net-fec_ptp-fix-issue-caused-by-refactor-the-fec_dev.patch b/queue-5.4/net-fec_ptp-fix-issue-caused-by-refactor-the-fec_dev.patch new file mode 100644 index 00000000000..b708d6c9852 --- /dev/null +++ b/queue-5.4/net-fec_ptp-fix-issue-caused-by-refactor-the-fec_dev.patch @@ -0,0 +1,44 @@ +From a83cac4ce6a2bcbccb5ad63158590209023399e1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Jun 2021 17:14:26 +0800 +Subject: net: fec_ptp: fix issue caused by refactor the fec_devtype + +From: Joakim Zhang + +[ Upstream commit d23765646e71b43ed2b809930411ba5c0aadee7b ] + +Commit da722186f654 ("net: fec: set GPR bit on suspend by DT configuration.") +refactor the fec_devtype, need adjust ptp driver accordingly. + +Fixes: da722186f654 ("net: fec: set GPR bit on suspend by DT configuration.") +Signed-off-by: Joakim Zhang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/freescale/fec_ptp.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/freescale/fec_ptp.c b/drivers/net/ethernet/freescale/fec_ptp.c +index 49fad118988b..da04e61d819a 100644 +--- a/drivers/net/ethernet/freescale/fec_ptp.c ++++ b/drivers/net/ethernet/freescale/fec_ptp.c +@@ -220,15 +220,13 @@ static u64 fec_ptp_read(const struct cyclecounter *cc) + { + struct fec_enet_private *fep = + container_of(cc, struct fec_enet_private, cc); +- const struct platform_device_id *id_entry = +- platform_get_device_id(fep->pdev); + u32 tempval; + + tempval = readl(fep->hwp + FEC_ATIME_CTRL); + tempval |= FEC_T_CTRL_CAPTURE; + writel(tempval, fep->hwp + FEC_ATIME_CTRL); + +- if (id_entry->driver_data & FEC_QUIRK_BUG_CAPTURE) ++ if (fep->quirks & FEC_QUIRK_BUG_CAPTURE) + udelay(1); + + return readl(fep->hwp + FEC_ATIME); +-- +2.30.2 + diff --git a/queue-5.4/net-hamradio-fix-memory-leak-in-mkiss_close.patch b/queue-5.4/net-hamradio-fix-memory-leak-in-mkiss_close.patch new file mode 100644 index 00000000000..fadb5e6fde4 --- /dev/null +++ b/queue-5.4/net-hamradio-fix-memory-leak-in-mkiss_close.patch @@ -0,0 +1,112 @@ +From a4f94c923f8233de87a2b478705c75a0d1158997 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Jun 2021 22:09:06 +0300 +Subject: net: hamradio: fix memory leak in mkiss_close + +From: Pavel Skripkin + +[ Upstream commit 7edcc682301492380fbdd604b4516af5ae667a13 ] + +My local syzbot instance hit memory leak in +mkiss_open()[1]. The problem was in missing +free_netdev() in mkiss_close(). + +In mkiss_open() netdevice is allocated and then +registered, but in mkiss_close() netdevice was +only unregistered, but not freed. + +Fail log: + +BUG: memory leak +unreferenced object 0xffff8880281ba000 (size 4096): + comm "syz-executor.1", pid 11443, jiffies 4295046091 (age 17.660s) + hex dump (first 32 bytes): + 61 78 30 00 00 00 00 00 00 00 00 00 00 00 00 00 ax0............. + 00 27 fa 2a 80 88 ff ff 00 00 00 00 00 00 00 00 .'.*............ + backtrace: + [] kvmalloc_node+0x61/0xf0 + [] alloc_netdev_mqs+0x98/0xe80 + [] mkiss_open+0xb2/0x6f0 [1] + [] tty_ldisc_open+0x9b/0x110 + [] tty_set_ldisc+0x2e8/0x670 + [] tty_ioctl+0xda3/0x1440 + [] __x64_sys_ioctl+0x193/0x200 + [] do_syscall_64+0x3a/0xb0 + [] entry_SYSCALL_64_after_hwframe+0x44/0xae + +BUG: memory leak +unreferenced object 0xffff8880141a9a00 (size 96): + comm "syz-executor.1", pid 11443, jiffies 4295046091 (age 17.660s) + hex dump (first 32 bytes): + e8 a2 1b 28 80 88 ff ff e8 a2 1b 28 80 88 ff ff ...(.......(.... + 98 92 9c aa b0 40 02 00 00 00 00 00 00 00 00 00 .....@.......... + backtrace: + [] __hw_addr_create_ex+0x5b/0x310 + [] __hw_addr_add_ex+0x1f8/0x2b0 + [] dev_addr_init+0x10b/0x1f0 + [] alloc_netdev_mqs+0x13b/0xe80 + [] mkiss_open+0xb2/0x6f0 [1] + [] tty_ldisc_open+0x9b/0x110 + [] tty_set_ldisc+0x2e8/0x670 + [] tty_ioctl+0xda3/0x1440 + [] __x64_sys_ioctl+0x193/0x200 + [] do_syscall_64+0x3a/0xb0 + [] entry_SYSCALL_64_after_hwframe+0x44/0xae + +BUG: memory leak +unreferenced object 0xffff8880219bfc00 (size 512): + comm "syz-executor.1", pid 11443, jiffies 4295046091 (age 17.660s) + hex dump (first 32 bytes): + 00 a0 1b 28 80 88 ff ff 80 8f b1 8d ff ff ff ff ...(............ + 80 8f b1 8d ff ff ff ff 00 00 00 00 00 00 00 00 ................ + backtrace: + [] kvmalloc_node+0x61/0xf0 + [] alloc_netdev_mqs+0x777/0xe80 + [] mkiss_open+0xb2/0x6f0 [1] + [] tty_ldisc_open+0x9b/0x110 + [] tty_set_ldisc+0x2e8/0x670 + [] tty_ioctl+0xda3/0x1440 + [] __x64_sys_ioctl+0x193/0x200 + [] do_syscall_64+0x3a/0xb0 + [] entry_SYSCALL_64_after_hwframe+0x44/0xae + +BUG: memory leak +unreferenced object 0xffff888029b2b200 (size 256): + comm "syz-executor.1", pid 11443, jiffies 4295046091 (age 17.660s) + hex dump (first 32 bytes): + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + backtrace: + [] kvmalloc_node+0x61/0xf0 + [] alloc_netdev_mqs+0x912/0xe80 + [] mkiss_open+0xb2/0x6f0 [1] + [] tty_ldisc_open+0x9b/0x110 + [] tty_set_ldisc+0x2e8/0x670 + [] tty_ioctl+0xda3/0x1440 + [] __x64_sys_ioctl+0x193/0x200 + [] do_syscall_64+0x3a/0xb0 + [] entry_SYSCALL_64_after_hwframe+0x44/0xae + +Fixes: 815f62bf7427 ("[PATCH] SMP rewrite of mkiss") +Signed-off-by: Pavel Skripkin +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/hamradio/mkiss.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/hamradio/mkiss.c b/drivers/net/hamradio/mkiss.c +index deef14215110..352f9e75954c 100644 +--- a/drivers/net/hamradio/mkiss.c ++++ b/drivers/net/hamradio/mkiss.c +@@ -800,6 +800,7 @@ static void mkiss_close(struct tty_struct *tty) + ax->tty = NULL; + + unregister_netdev(ax->dev); ++ free_netdev(ax->dev); + } + + /* Perform I/O control on an active ax25 channel. */ +-- +2.30.2 + diff --git a/queue-5.4/net-ipv4-fix-memory-leak-in-ip_mc_add1_src.patch b/queue-5.4/net-ipv4-fix-memory-leak-in-ip_mc_add1_src.patch new file mode 100644 index 00000000000..b70b5cf75e8 --- /dev/null +++ b/queue-5.4/net-ipv4-fix-memory-leak-in-ip_mc_add1_src.patch @@ -0,0 +1,86 @@ +From 0dcbe9901b01db145c5b099cf592fb1268b1ae07 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Jun 2021 17:59:25 +0800 +Subject: net: ipv4: fix memory leak in ip_mc_add1_src + +From: Chengyang Fan + +[ Upstream commit d8e2973029b8b2ce477b564824431f3385c77083 ] + +BUG: memory leak +unreferenced object 0xffff888101bc4c00 (size 32): + comm "syz-executor527", pid 360, jiffies 4294807421 (age 19.329s) + hex dump (first 32 bytes): + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + 01 00 00 00 00 00 00 00 ac 14 14 bb 00 00 02 00 ................ + backtrace: + [<00000000f17c5244>] kmalloc include/linux/slab.h:558 [inline] + [<00000000f17c5244>] kzalloc include/linux/slab.h:688 [inline] + [<00000000f17c5244>] ip_mc_add1_src net/ipv4/igmp.c:1971 [inline] + [<00000000f17c5244>] ip_mc_add_src+0x95f/0xdb0 net/ipv4/igmp.c:2095 + [<000000001cb99709>] ip_mc_source+0x84c/0xea0 net/ipv4/igmp.c:2416 + [<0000000052cf19ed>] do_ip_setsockopt net/ipv4/ip_sockglue.c:1294 [inline] + [<0000000052cf19ed>] ip_setsockopt+0x114b/0x30c0 net/ipv4/ip_sockglue.c:1423 + [<00000000477edfbc>] raw_setsockopt+0x13d/0x170 net/ipv4/raw.c:857 + [<00000000e75ca9bb>] __sys_setsockopt+0x158/0x270 net/socket.c:2117 + [<00000000bdb993a8>] __do_sys_setsockopt net/socket.c:2128 [inline] + [<00000000bdb993a8>] __se_sys_setsockopt net/socket.c:2125 [inline] + [<00000000bdb993a8>] __x64_sys_setsockopt+0xba/0x150 net/socket.c:2125 + [<000000006a1ffdbd>] do_syscall_64+0x40/0x80 arch/x86/entry/common.c:47 + [<00000000b11467c4>] entry_SYSCALL_64_after_hwframe+0x44/0xae + +In commit 24803f38a5c0 ("igmp: do not remove igmp souce list info when set +link down"), the ip_mc_clear_src() in ip_mc_destroy_dev() was removed, +because it was also called in igmpv3_clear_delrec(). + +Rough callgraph: + +inetdev_destroy +-> ip_mc_destroy_dev + -> igmpv3_clear_delrec + -> ip_mc_clear_src +-> RCU_INIT_POINTER(dev->ip_ptr, NULL) + +However, ip_mc_clear_src() called in igmpv3_clear_delrec() doesn't +release in_dev->mc_list->sources. And RCU_INIT_POINTER() assigns the +NULL to dev->ip_ptr. As a result, in_dev cannot be obtained through +inetdev_by_index() and then in_dev->mc_list->sources cannot be released +by ip_mc_del1_src() in the sock_close. Rough call sequence goes like: + +sock_close +-> __sock_release + -> inet_release + -> ip_mc_drop_socket + -> inetdev_by_index + -> ip_mc_leave_src + -> ip_mc_del_src + -> ip_mc_del1_src + +So we still need to call ip_mc_clear_src() in ip_mc_destroy_dev() to free +in_dev->mc_list->sources. + +Fixes: 24803f38a5c0 ("igmp: do not remove igmp souce list info ...") +Reported-by: Hulk Robot +Signed-off-by: Chengyang Fan +Acked-by: Hangbin Liu +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv4/igmp.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/ipv4/igmp.c b/net/ipv4/igmp.c +index 480d0b22db1a..c8cbdc4d5cbc 100644 +--- a/net/ipv4/igmp.c ++++ b/net/ipv4/igmp.c +@@ -1803,6 +1803,7 @@ void ip_mc_destroy_dev(struct in_device *in_dev) + while ((i = rtnl_dereference(in_dev->mc_list)) != NULL) { + in_dev->mc_list = i->next_rcu; + in_dev->mc_count--; ++ ip_mc_clear_src(i); + ip_ma_put(i); + } + } +-- +2.30.2 + diff --git a/queue-5.4/net-ipv4-fix-memory-leak-in-netlbl_cipsov4_add_std.patch b/queue-5.4/net-ipv4-fix-memory-leak-in-netlbl_cipsov4_add_std.patch new file mode 100644 index 00000000000..45da463effc --- /dev/null +++ b/queue-5.4/net-ipv4-fix-memory-leak-in-netlbl_cipsov4_add_std.patch @@ -0,0 +1,66 @@ +From 8026239dc6b512cee93e46e5ce8c00b533c496e7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Jun 2021 09:51:58 +0800 +Subject: net: ipv4: fix memory leak in netlbl_cipsov4_add_std + +From: Nanyong Sun + +[ Upstream commit d612c3f3fae221e7ea736d196581c2217304bbbc ] + +Reported by syzkaller: +BUG: memory leak +unreferenced object 0xffff888105df7000 (size 64): +comm "syz-executor842", pid 360, jiffies 4294824824 (age 22.546s) +hex dump (first 32 bytes): +00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ +00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ +backtrace: +[<00000000e67ed558>] kmalloc include/linux/slab.h:590 [inline] +[<00000000e67ed558>] kzalloc include/linux/slab.h:720 [inline] +[<00000000e67ed558>] netlbl_cipsov4_add_std net/netlabel/netlabel_cipso_v4.c:145 [inline] +[<00000000e67ed558>] netlbl_cipsov4_add+0x390/0x2340 net/netlabel/netlabel_cipso_v4.c:416 +[<0000000006040154>] genl_family_rcv_msg_doit.isra.0+0x20e/0x320 net/netlink/genetlink.c:739 +[<00000000204d7a1c>] genl_family_rcv_msg net/netlink/genetlink.c:783 [inline] +[<00000000204d7a1c>] genl_rcv_msg+0x2bf/0x4f0 net/netlink/genetlink.c:800 +[<00000000c0d6a995>] netlink_rcv_skb+0x134/0x3d0 net/netlink/af_netlink.c:2504 +[<00000000d78b9d2c>] genl_rcv+0x24/0x40 net/netlink/genetlink.c:811 +[<000000009733081b>] netlink_unicast_kernel net/netlink/af_netlink.c:1314 [inline] +[<000000009733081b>] netlink_unicast+0x4a0/0x6a0 net/netlink/af_netlink.c:1340 +[<00000000d5fd43b8>] netlink_sendmsg+0x789/0xc70 net/netlink/af_netlink.c:1929 +[<000000000a2d1e40>] sock_sendmsg_nosec net/socket.c:654 [inline] +[<000000000a2d1e40>] sock_sendmsg+0x139/0x170 net/socket.c:674 +[<00000000321d1969>] ____sys_sendmsg+0x658/0x7d0 net/socket.c:2350 +[<00000000964e16bc>] ___sys_sendmsg+0xf8/0x170 net/socket.c:2404 +[<000000001615e288>] __sys_sendmsg+0xd3/0x190 net/socket.c:2433 +[<000000004ee8b6a5>] do_syscall_64+0x37/0x90 arch/x86/entry/common.c:47 +[<00000000171c7cee>] entry_SYSCALL_64_after_hwframe+0x44/0xae + +The memory of doi_def->map.std pointing is allocated in +netlbl_cipsov4_add_std, but no place has freed it. It should be +freed in cipso_v4_doi_free which frees the cipso DOI resource. + +Fixes: 96cb8e3313c7a ("[NetLabel]: CIPSOv4 and Unlabeled packet integration") +Reported-by: Hulk Robot +Signed-off-by: Nanyong Sun +Acked-by: Paul Moore +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv4/cipso_ipv4.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/ipv4/cipso_ipv4.c b/net/ipv4/cipso_ipv4.c +index e290a0c9e928..c1ac802d6894 100644 +--- a/net/ipv4/cipso_ipv4.c ++++ b/net/ipv4/cipso_ipv4.c +@@ -472,6 +472,7 @@ void cipso_v4_doi_free(struct cipso_v4_doi *doi_def) + kfree(doi_def->map.std->lvl.local); + kfree(doi_def->map.std->cat.cipso); + kfree(doi_def->map.std->cat.local); ++ kfree(doi_def->map.std); + break; + } + kfree(doi_def); +-- +2.30.2 + diff --git a/queue-5.4/net-lantiq-disable-interrupt-before-sheduling-napi.patch b/queue-5.4/net-lantiq-disable-interrupt-before-sheduling-napi.patch new file mode 100644 index 00000000000..59aa611ce4f --- /dev/null +++ b/queue-5.4/net-lantiq-disable-interrupt-before-sheduling-napi.patch @@ -0,0 +1,45 @@ +From b7075fc3cab1a48b2483103806606536a90fcbb1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Jun 2021 23:21:07 +0200 +Subject: net: lantiq: disable interrupt before sheduling NAPI + +From: Aleksander Jan Bajkowski + +[ Upstream commit f2386cf7c5f4ff5d7b584f5d92014edd7df6c676 ] + +This patch fixes TX hangs with threaded NAPI enabled. The scheduled +NAPI seems to be executed in parallel with the interrupt on second +thread. Sometimes it happens that ltq_dma_disable_irq() is executed +after xrx200_tx_housekeeping(). The symptom is that TX interrupts +are disabled in the DMA controller. As a result, the TX hangs after +a few seconds of the iperf test. Scheduling NAPI after disabling +interrupts fixes this issue. + +Tested on Lantiq xRX200 (BT Home Hub 5A). + +Fixes: 9423361da523 ("net: lantiq: Disable IRQs only if NAPI gets scheduled ") +Signed-off-by: Aleksander Jan Bajkowski +Acked-by: Hauke Mehrtens +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/lantiq_xrx200.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/lantiq_xrx200.c b/drivers/net/ethernet/lantiq_xrx200.c +index 6ece99e6b6dd..8d073b895fc0 100644 +--- a/drivers/net/ethernet/lantiq_xrx200.c ++++ b/drivers/net/ethernet/lantiq_xrx200.c +@@ -351,8 +351,8 @@ static irqreturn_t xrx200_dma_irq(int irq, void *ptr) + struct xrx200_chan *ch = ptr; + + if (napi_schedule_prep(&ch->napi)) { +- __napi_schedule(&ch->napi); + ltq_dma_disable_irq(&ch->dma); ++ __napi_schedule(&ch->napi); + } + + ltq_dma_ack_irq(&ch->dma); +-- +2.30.2 + diff --git a/queue-5.4/net-make-get_net_ns-return-error-if-net_ns-is-disabl.patch b/queue-5.4/net-make-get_net_ns-return-error-if-net_ns-is-disabl.patch new file mode 100644 index 00000000000..aa94330f768 --- /dev/null +++ b/queue-5.4/net-make-get_net_ns-return-error-if-net_ns-is-disabl.patch @@ -0,0 +1,131 @@ +From db464c68aede652cbf0e8065e710dfcd1478af5b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Jun 2021 22:29:59 +0800 +Subject: net: make get_net_ns return error if NET_NS is disabled + +From: Changbin Du + +[ Upstream commit ea6932d70e223e02fea3ae20a4feff05d7c1ea9a ] + +There is a panic in socket ioctl cmd SIOCGSKNS when NET_NS is not enabled. +The reason is that nsfs tries to access ns->ops but the proc_ns_operations +is not implemented in this case. + +[7.670023] Unable to handle kernel NULL pointer dereference at virtual address 00000010 +[7.670268] pgd = 32b54000 +[7.670544] [00000010] *pgd=00000000 +[7.671861] Internal error: Oops: 5 [#1] SMP ARM +[7.672315] Modules linked in: +[7.672918] CPU: 0 PID: 1 Comm: systemd Not tainted 5.13.0-rc3-00375-g6799d4f2da49 #16 +[7.673309] Hardware name: Generic DT based system +[7.673642] PC is at nsfs_evict+0x24/0x30 +[7.674486] LR is at clear_inode+0x20/0x9c + +The same to tun SIOCGSKNS command. + +To fix this problem, we make get_net_ns() return -EINVAL when NET_NS is +disabled. Meanwhile move it to right place net/core/net_namespace.c. + +Signed-off-by: Changbin Du +Fixes: c62cce2caee5 ("net: add an ioctl to get a socket network namespace") +Cc: Cong Wang +Cc: Jakub Kicinski +Cc: David Laight +Cc: Christian Brauner +Suggested-by: Jakub Kicinski +Acked-by: Christian Brauner +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + include/linux/socket.h | 2 -- + include/net/net_namespace.h | 7 +++++++ + net/core/net_namespace.c | 12 ++++++++++++ + net/socket.c | 13 ------------- + 4 files changed, 19 insertions(+), 15 deletions(-) + +diff --git a/include/linux/socket.h b/include/linux/socket.h +index 4049d9755cf1..a465c6a45d6f 100644 +--- a/include/linux/socket.h ++++ b/include/linux/socket.h +@@ -406,6 +406,4 @@ extern int __sys_getpeername(int fd, struct sockaddr __user *usockaddr, + extern int __sys_socketpair(int family, int type, int protocol, + int __user *usockvec); + extern int __sys_shutdown(int fd, int how); +- +-extern struct ns_common *get_net_ns(struct ns_common *ns); + #endif /* _LINUX_SOCKET_H */ +diff --git a/include/net/net_namespace.h b/include/net/net_namespace.h +index 0fca98a3d2d3..167e390ac9d4 100644 +--- a/include/net/net_namespace.h ++++ b/include/net/net_namespace.h +@@ -195,6 +195,8 @@ struct net *copy_net_ns(unsigned long flags, struct user_namespace *user_ns, + void net_ns_get_ownership(const struct net *net, kuid_t *uid, kgid_t *gid); + + void net_ns_barrier(void); ++ ++struct ns_common *get_net_ns(struct ns_common *ns); + #else /* CONFIG_NET_NS */ + #include + #include +@@ -214,6 +216,11 @@ static inline void net_ns_get_ownership(const struct net *net, + } + + static inline void net_ns_barrier(void) {} ++ ++static inline struct ns_common *get_net_ns(struct ns_common *ns) ++{ ++ return ERR_PTR(-EINVAL); ++} + #endif /* CONFIG_NET_NS */ + + +diff --git a/net/core/net_namespace.c b/net/core/net_namespace.c +index 39402840025e..c303873496a3 100644 +--- a/net/core/net_namespace.c ++++ b/net/core/net_namespace.c +@@ -643,6 +643,18 @@ void __put_net(struct net *net) + } + EXPORT_SYMBOL_GPL(__put_net); + ++/** ++ * get_net_ns - increment the refcount of the network namespace ++ * @ns: common namespace (net) ++ * ++ * Returns the net's common namespace. ++ */ ++struct ns_common *get_net_ns(struct ns_common *ns) ++{ ++ return &get_net(container_of(ns, struct net, ns))->ns; ++} ++EXPORT_SYMBOL_GPL(get_net_ns); ++ + struct net *get_net_ns_by_fd(int fd) + { + struct file *file; +diff --git a/net/socket.c b/net/socket.c +index d1a0264401b7..b14917dd811a 100644 +--- a/net/socket.c ++++ b/net/socket.c +@@ -1071,19 +1071,6 @@ static long sock_do_ioctl(struct net *net, struct socket *sock, + * what to do with it - that's up to the protocol still. + */ + +-/** +- * get_net_ns - increment the refcount of the network namespace +- * @ns: common namespace (net) +- * +- * Returns the net's common namespace. +- */ +- +-struct ns_common *get_net_ns(struct ns_common *ns) +-{ +- return &get_net(container_of(ns, struct net, ns))->ns; +-} +-EXPORT_SYMBOL_GPL(get_net_ns); +- + static long sock_ioctl(struct file *file, unsigned cmd, unsigned long arg) + { + struct socket *sock; +-- +2.30.2 + diff --git a/queue-5.4/net-mlx5-consider-roce-cap-before-init-rdma-resource.patch b/queue-5.4/net-mlx5-consider-roce-cap-before-init-rdma-resource.patch new file mode 100644 index 00000000000..773f6b4bc45 --- /dev/null +++ b/queue-5.4/net-mlx5-consider-roce-cap-before-init-rdma-resource.patch @@ -0,0 +1,37 @@ +From 7b7a2d157c7e54cd5485dc869592f07311f3847f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 6 Jun 2021 11:20:46 +0300 +Subject: net/mlx5: Consider RoCE cap before init RDMA resources + +From: Maor Gottlieb + +[ Upstream commit c189716b2a7c1d2d8658e269735273caa1c38b54 ] + +Check if RoCE is supported by the device before enable it in +the vport context and create all the RDMA steering objects. + +Fixes: 80f09dfc237f ("net/mlx5: Eswitch, enable RoCE loopback traffic") +Signed-off-by: Maor Gottlieb +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/rdma.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/rdma.c b/drivers/net/ethernet/mellanox/mlx5/core/rdma.c +index 8e0dddc6383f..2389239acadc 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/rdma.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/rdma.c +@@ -156,6 +156,9 @@ void mlx5_rdma_enable_roce(struct mlx5_core_dev *dev) + { + int err; + ++ if (!MLX5_CAP_GEN(dev, roce)) ++ return; ++ + err = mlx5_nic_vport_enable_roce(dev); + if (err) { + mlx5_core_err(dev, "Failed to enable RoCE: %d\n", err); +-- +2.30.2 + diff --git a/queue-5.4/net-mlx5e-allow-tso-on-vxlan-over-vlan-topologies.patch b/queue-5.4/net-mlx5e-allow-tso-on-vxlan-over-vlan-topologies.patch new file mode 100644 index 00000000000..dc787b44cc7 --- /dev/null +++ b/queue-5.4/net-mlx5e-allow-tso-on-vxlan-over-vlan-topologies.patch @@ -0,0 +1,37 @@ +From 2d2e2a86ab12177ebdd16691afaf8e78a4132e23 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 Jan 2020 12:07:59 +0100 +Subject: net/mlx5e: allow TSO on VXLAN over VLAN topologies + +From: Davide Caratti + +[ Upstream commit a1718505d7f67ee0ab051322f1cbc7ac42b5da82 ] + +since mlx5 hardware can segment correctly TSO packets on VXLAN over VLAN +topologies, CPU usage can improve significantly if we enable tunnel +offloads in dev->vlan_features, like it was done in the past with other +NIC drivers (e.g. mlx4, be2net and ixgbe). + +Signed-off-by: Davide Caratti +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +index 36b9a364ef26..374ce17e1499 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +@@ -5012,6 +5012,8 @@ static void mlx5e_build_nic_netdev(struct net_device *netdev) + netdev->hw_enc_features |= NETIF_F_GSO_UDP_TUNNEL | + NETIF_F_GSO_UDP_TUNNEL_CSUM; + netdev->gso_partial_features = NETIF_F_GSO_UDP_TUNNEL_CSUM; ++ netdev->vlan_features |= NETIF_F_GSO_UDP_TUNNEL | ++ NETIF_F_GSO_UDP_TUNNEL_CSUM; + } + + if (mlx5e_tunnel_proto_supported(mdev, IPPROTO_GRE)) { +-- +2.30.2 + diff --git a/queue-5.4/net-mlx5e-block-offload-of-outer-header-csum-for-udp.patch b/queue-5.4/net-mlx5e-block-offload-of-outer-header-csum-for-udp.patch new file mode 100644 index 00000000000..48c7490ef58 --- /dev/null +++ b/queue-5.4/net-mlx5e-block-offload-of-outer-header-csum-for-udp.patch @@ -0,0 +1,46 @@ +From 2c00f817d2a9b974c2008872e85e21200a94ba49 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 May 2021 14:34:58 +0300 +Subject: net/mlx5e: Block offload of outer header csum for UDP tunnels + +From: Aya Levin + +[ Upstream commit 6d6727dddc7f93fcc155cb8d0c49c29ae0e71122 ] + +The device is able to offload either the outer header csum or inner +header csum. The driver utilizes the inner csum offload. Hence, block +setting of tx-udp_tnl-csum-segmentation and set it to off[fixed]. + +Fixes: b49663c8fb49 ("net/mlx5e: Add support for UDP tunnel segmentation with outer checksum offload") +Signed-off-by: Aya Levin +Reviewed-by: Tariq Toukan +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 10 +++------- + 1 file changed, 3 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +index 374ce17e1499..24c49a84947f 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +@@ -5007,13 +5007,9 @@ static void mlx5e_build_nic_netdev(struct net_device *netdev) + } + + if (mlx5_vxlan_allowed(mdev->vxlan) || mlx5_geneve_tx_allowed(mdev)) { +- netdev->hw_features |= NETIF_F_GSO_UDP_TUNNEL | +- NETIF_F_GSO_UDP_TUNNEL_CSUM; +- netdev->hw_enc_features |= NETIF_F_GSO_UDP_TUNNEL | +- NETIF_F_GSO_UDP_TUNNEL_CSUM; +- netdev->gso_partial_features = NETIF_F_GSO_UDP_TUNNEL_CSUM; +- netdev->vlan_features |= NETIF_F_GSO_UDP_TUNNEL | +- NETIF_F_GSO_UDP_TUNNEL_CSUM; ++ netdev->hw_features |= NETIF_F_GSO_UDP_TUNNEL; ++ netdev->hw_enc_features |= NETIF_F_GSO_UDP_TUNNEL; ++ netdev->vlan_features |= NETIF_F_GSO_UDP_TUNNEL; + } + + if (mlx5e_tunnel_proto_supported(mdev, IPPROTO_GRE)) { +-- +2.30.2 + diff --git a/queue-5.4/net-mlx5e-fix-page-reclaim-for-dead-peer-hairpin.patch b/queue-5.4/net-mlx5e-fix-page-reclaim-for-dead-peer-hairpin.patch new file mode 100644 index 00000000000..1681c3817cc --- /dev/null +++ b/queue-5.4/net-mlx5e-fix-page-reclaim-for-dead-peer-hairpin.patch @@ -0,0 +1,169 @@ +From 614da970adb3ca7d8837a401bd2cd2237a7ef741 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 May 2021 13:45:10 +0300 +Subject: net/mlx5e: Fix page reclaim for dead peer hairpin + +From: Dima Chumak + +[ Upstream commit a3e5fd9314dfc4314a9567cde96e1aef83a7458a ] + +When adding a hairpin flow, a firmware-side send queue is created for +the peer net device, which claims some host memory pages for its +internal ring buffer. If the peer net device is removed/unbound before +the hairpin flow is deleted, then the send queue is not destroyed which +leads to a stack trace on pci device remove: + +[ 748.005230] mlx5_core 0000:08:00.2: wait_func:1094:(pid 12985): MANAGE_PAGES(0x108) timeout. Will cause a leak of a command resource +[ 748.005231] mlx5_core 0000:08:00.2: reclaim_pages:514:(pid 12985): failed reclaiming pages: err -110 +[ 748.001835] mlx5_core 0000:08:00.2: mlx5_reclaim_root_pages:653:(pid 12985): failed reclaiming pages (-110) for func id 0x0 +[ 748.002171] ------------[ cut here ]------------ +[ 748.001177] FW pages counter is 4 after reclaiming all pages +[ 748.001186] WARNING: CPU: 1 PID: 12985 at drivers/net/ethernet/mellanox/mlx5/core/pagealloc.c:685 mlx5_reclaim_startup_pages+0x34b/0x460 [mlx5_core] [ +0.002771] Modules linked in: cls_flower mlx5_ib mlx5_core ptp pps_core act_mirred sch_ingress openvswitch nsh xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink xt_addrtype iptable_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 br_netfilter rpcrdma rdma_ucm ib_iser libiscsi scsi_transport_iscsi rdma_cm ib_umad ib_ipoib iw_cm ib_cm ib_uverbs ib_core overlay fuse [last unloaded: pps_core] +[ 748.007225] CPU: 1 PID: 12985 Comm: tee Not tainted 5.12.0+ #1 +[ 748.001376] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 +[ 748.002315] RIP: 0010:mlx5_reclaim_startup_pages+0x34b/0x460 [mlx5_core] +[ 748.001679] Code: 28 00 00 00 0f 85 22 01 00 00 48 81 c4 b0 00 00 00 31 c0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 48 c7 c7 40 cc 19 a1 e8 9f 71 0e e2 <0f> 0b e9 30 ff ff ff 48 c7 c7 a0 cc 19 a1 e8 8c 71 0e e2 0f 0b e9 +[ 748.003781] RSP: 0018:ffff88815220faf8 EFLAGS: 00010286 +[ 748.001149] RAX: 0000000000000000 RBX: ffff8881b4900280 RCX: 0000000000000000 +[ 748.001445] RDX: 0000000000000027 RSI: 0000000000000004 RDI: ffffed102a441f51 +[ 748.001614] RBP: 00000000000032b9 R08: 0000000000000001 R09: ffffed1054a15ee8 +[ 748.001446] R10: ffff8882a50af73b R11: ffffed1054a15ee7 R12: fffffbfff07c1e30 +[ 748.001447] R13: dffffc0000000000 R14: ffff8881b492cba8 R15: 0000000000000000 +[ 748.001429] FS: 00007f58bd08b580(0000) GS:ffff8882a5080000(0000) knlGS:0000000000000000 +[ 748.001695] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 748.001309] CR2: 000055a026351740 CR3: 00000001d3b48006 CR4: 0000000000370ea0 +[ 748.001506] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[ 748.001483] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +[ 748.001654] Call Trace: +[ 748.000576] ? mlx5_satisfy_startup_pages+0x290/0x290 [mlx5_core] +[ 748.001416] ? mlx5_cmd_teardown_hca+0xa2/0xd0 [mlx5_core] +[ 748.001354] ? mlx5_cmd_init_hca+0x280/0x280 [mlx5_core] +[ 748.001203] mlx5_function_teardown+0x30/0x60 [mlx5_core] +[ 748.001275] mlx5_uninit_one+0xa7/0xc0 [mlx5_core] +[ 748.001200] remove_one+0x5f/0xc0 [mlx5_core] +[ 748.001075] pci_device_remove+0x9f/0x1d0 +[ 748.000833] device_release_driver_internal+0x1e0/0x490 +[ 748.001207] unbind_store+0x19f/0x200 +[ 748.000942] ? sysfs_file_ops+0x170/0x170 +[ 748.001000] kernfs_fop_write_iter+0x2bc/0x450 +[ 748.000970] new_sync_write+0x373/0x610 +[ 748.001124] ? new_sync_read+0x600/0x600 +[ 748.001057] ? lock_acquire+0x4d6/0x700 +[ 748.000908] ? lockdep_hardirqs_on_prepare+0x400/0x400 +[ 748.001126] ? fd_install+0x1c9/0x4d0 +[ 748.000951] vfs_write+0x4d0/0x800 +[ 748.000804] ksys_write+0xf9/0x1d0 +[ 748.000868] ? __x64_sys_read+0xb0/0xb0 +[ 748.000811] ? filp_open+0x50/0x50 +[ 748.000919] ? syscall_enter_from_user_mode+0x1d/0x50 +[ 748.001223] do_syscall_64+0x3f/0x80 +[ 748.000892] entry_SYSCALL_64_after_hwframe+0x44/0xae +[ 748.001026] RIP: 0033:0x7f58bcfb22f7 +[ 748.000944] Code: 0d 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 48 89 54 24 18 48 89 74 24 +[ 748.003925] RSP: 002b:00007fffd7f2aaa8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 +[ 748.001732] RAX: ffffffffffffffda RBX: 000000000000000d RCX: 00007f58bcfb22f7 +[ 748.001426] RDX: 000000000000000d RSI: 00007fffd7f2abc0 RDI: 0000000000000003 +[ 748.001746] RBP: 00007fffd7f2abc0 R08: 0000000000000000 R09: 0000000000000001 +[ 748.001631] R10: 00000000000001b6 R11: 0000000000000246 R12: 000000000000000d +[ 748.001537] R13: 00005597ac2c24a0 R14: 000000000000000d R15: 00007f58bd084700 +[ 748.001564] irq event stamp: 0 +[ 748.000787] hardirqs last enabled at (0): [<0000000000000000>] 0x0 +[ 748.001399] hardirqs last disabled at (0): [] copy_process+0x146f/0x5eb0 +[ 748.001854] softirqs last enabled at (0): [] copy_process+0x14ae/0x5eb0 +[ 748.013431] softirqs last disabled at (0): [<0000000000000000>] 0x0 +[ 748.001492] ---[ end trace a6fabd773d1c51ae ]--- + +Fix by destroying the send queue of a hairpin peer net device that is +being removed/unbound, which returns the allocated ring buffer pages to +the host. + +Fixes: 4d8fcf216c90 ("net/mlx5e: Avoid unbounded peer devices when unpairing TC hairpin rules") +Signed-off-by: Dima Chumak +Reviewed-by: Roi Dayan +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + .../net/ethernet/mellanox/mlx5/core/en_tc.c | 2 +- + .../ethernet/mellanox/mlx5/core/transobj.c | 30 +++++++++++++++---- + include/linux/mlx5/transobj.h | 1 + + 3 files changed, 26 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c +index fe7342e8a043..9d26463f3fa5 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c +@@ -4079,7 +4079,7 @@ static void mlx5e_tc_hairpin_update_dead_peer(struct mlx5e_priv *priv, + list_for_each_entry_safe(hpe, tmp, &init_wait_list, dead_peer_wait_list) { + wait_for_completion(&hpe->res_ready); + if (!IS_ERR_OR_NULL(hpe->hp) && hpe->peer_vhca_id == peer_vhca_id) +- hpe->hp->pair->peer_gone = true; ++ mlx5_core_hairpin_clear_dead_peer(hpe->hp->pair); + + mlx5e_hairpin_put(priv, hpe); + } +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/transobj.c b/drivers/net/ethernet/mellanox/mlx5/core/transobj.c +index b1068500f1df..0b5437051a3b 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/transobj.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/transobj.c +@@ -457,6 +457,15 @@ err_modify_sq: + return err; + } + ++static void mlx5_hairpin_unpair_peer_sq(struct mlx5_hairpin *hp) ++{ ++ int i; ++ ++ for (i = 0; i < hp->num_channels; i++) ++ mlx5_hairpin_modify_sq(hp->peer_mdev, hp->sqn[i], MLX5_SQC_STATE_RDY, ++ MLX5_SQC_STATE_RST, 0, 0); ++} ++ + static void mlx5_hairpin_unpair_queues(struct mlx5_hairpin *hp) + { + int i; +@@ -465,13 +474,9 @@ static void mlx5_hairpin_unpair_queues(struct mlx5_hairpin *hp) + for (i = 0; i < hp->num_channels; i++) + mlx5_hairpin_modify_rq(hp->func_mdev, hp->rqn[i], MLX5_RQC_STATE_RDY, + MLX5_RQC_STATE_RST, 0, 0); +- + /* unset peer SQs */ +- if (hp->peer_gone) +- return; +- for (i = 0; i < hp->num_channels; i++) +- mlx5_hairpin_modify_sq(hp->peer_mdev, hp->sqn[i], MLX5_SQC_STATE_RDY, +- MLX5_SQC_STATE_RST, 0, 0); ++ if (!hp->peer_gone) ++ mlx5_hairpin_unpair_peer_sq(hp); + } + + struct mlx5_hairpin * +@@ -518,3 +523,16 @@ void mlx5_core_hairpin_destroy(struct mlx5_hairpin *hp) + mlx5_hairpin_destroy_queues(hp); + kfree(hp); + } ++ ++void mlx5_core_hairpin_clear_dead_peer(struct mlx5_hairpin *hp) ++{ ++ int i; ++ ++ mlx5_hairpin_unpair_peer_sq(hp); ++ ++ /* destroy peer SQ */ ++ for (i = 0; i < hp->num_channels; i++) ++ mlx5_core_destroy_sq(hp->peer_mdev, hp->sqn[i]); ++ ++ hp->peer_gone = true; ++} +diff --git a/include/linux/mlx5/transobj.h b/include/linux/mlx5/transobj.h +index dc6b1e7cb8c4..3abefd40a4d8 100644 +--- a/include/linux/mlx5/transobj.h ++++ b/include/linux/mlx5/transobj.h +@@ -92,4 +92,5 @@ mlx5_core_hairpin_create(struct mlx5_core_dev *func_mdev, + struct mlx5_hairpin_params *params); + + void mlx5_core_hairpin_destroy(struct mlx5_hairpin *pair); ++void mlx5_core_hairpin_clear_dead_peer(struct mlx5_hairpin *hp); + #endif /* __TRANSOBJ_H__ */ +-- +2.30.2 + diff --git a/queue-5.4/net-mlx5e-remove-dependency-in-ipsec-initialization-.patch b/queue-5.4/net-mlx5e-remove-dependency-in-ipsec-initialization-.patch new file mode 100644 index 00000000000..aa6e5027961 --- /dev/null +++ b/queue-5.4/net-mlx5e-remove-dependency-in-ipsec-initialization-.patch @@ -0,0 +1,43 @@ +From 169fc12c42032da2d83c82de1436d11599fa91cb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 May 2021 13:20:32 -0500 +Subject: net/mlx5e: Remove dependency in IPsec initialization flows + +From: Huy Nguyen + +[ Upstream commit 8ad893e516a77209a1818a2072d2027d87db809f ] + +Currently, IPsec feature is disabled because mlx5e_build_nic_netdev +is required to be called after mlx5e_ipsec_init. This requirement is +invalid as mlx5e_build_nic_netdev and mlx5e_ipsec_init initialize +independent resources. + +Remove ipsec pointer check in mlx5e_build_nic_netdev so that the +two functions can be called at any order. + +Fixes: 547eede070eb ("net/mlx5e: IPSec, Innova IPSec offload infrastructure") +Signed-off-by: Huy Nguyen +Reviewed-by: Raed Salem +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c +index cf58c9637904..c467f5e981f6 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c +@@ -515,9 +515,6 @@ void mlx5e_ipsec_build_netdev(struct mlx5e_priv *priv) + struct mlx5_core_dev *mdev = priv->mdev; + struct net_device *netdev = priv->netdev; + +- if (!priv->ipsec) +- return; +- + if (!(mlx5_accel_ipsec_device_caps(mdev) & MLX5_ACCEL_IPSEC_CAP_ESP) || + !MLX5_CAP_ETH(mdev, swp)) { + mlx5_core_dbg(mdev, "mlx5e: ESP and SWP offload not supported\n"); +-- +2.30.2 + diff --git a/queue-5.4/net-qrtr-fix-oob-read-in-qrtr_endpoint_post.patch b/queue-5.4/net-qrtr-fix-oob-read-in-qrtr_endpoint_post.patch new file mode 100644 index 00000000000..cc9b38dc3ff --- /dev/null +++ b/queue-5.4/net-qrtr-fix-oob-read-in-qrtr_endpoint_post.patch @@ -0,0 +1,50 @@ +From 9e7e2cb3ba7bac45c87ee2e18eaca4881a2ef917 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Jun 2021 15:06:50 +0300 +Subject: net: qrtr: fix OOB Read in qrtr_endpoint_post + +From: Pavel Skripkin + +[ Upstream commit ad9d24c9429e2159d1e279dc3a83191ccb4daf1d ] + +Syzbot reported slab-out-of-bounds Read in +qrtr_endpoint_post. The problem was in wrong +_size_ type: + + if (len != ALIGN(size, 4) + hdrlen) + goto err; + +If size from qrtr_hdr is 4294967293 (0xfffffffd), the result of +ALIGN(size, 4) will be 0. In case of len == hdrlen and size == 4294967293 +in header this check won't fail and + + skb_put_data(skb, data + hdrlen, size); + +will read out of bound from data, which is hdrlen allocated block. + +Fixes: 194ccc88297a ("net: qrtr: Support decoding incoming v2 packets") +Reported-and-tested-by: syzbot+1917d778024161609247@syzkaller.appspotmail.com +Signed-off-by: Pavel Skripkin +Reviewed-by: Bjorn Andersson +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/qrtr/qrtr.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/qrtr/qrtr.c b/net/qrtr/qrtr.c +index 46273a838361..faea2ce12511 100644 +--- a/net/qrtr/qrtr.c ++++ b/net/qrtr/qrtr.c +@@ -257,7 +257,7 @@ int qrtr_endpoint_post(struct qrtr_endpoint *ep, const void *data, size_t len) + const struct qrtr_hdr_v2 *v2; + struct sk_buff *skb; + struct qrtr_cb *cb; +- unsigned int size; ++ size_t size; + unsigned int ver; + size_t hdrlen; + +-- +2.30.2 + diff --git a/queue-5.4/net-rds-fix-memory-leak-in-rds_recvmsg.patch b/queue-5.4/net-rds-fix-memory-leak-in-rds_recvmsg.patch new file mode 100644 index 00000000000..62c36c7a92a --- /dev/null +++ b/queue-5.4/net-rds-fix-memory-leak-in-rds_recvmsg.patch @@ -0,0 +1,73 @@ +From b638a86489c81b9a4da763fce9bb6677b2898336 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Jun 2021 11:06:41 +0300 +Subject: net: rds: fix memory leak in rds_recvmsg +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Pavel Skripkin + +[ Upstream commit 49bfcbfd989a8f1f23e705759a6bb099de2cff9f ] + +Syzbot reported memory leak in rds. The problem +was in unputted refcount in case of error. + +int rds_recvmsg(struct socket *sock, struct msghdr *msg, size_t size, + int msg_flags) +{ +... + + if (!rds_next_incoming(rs, &inc)) { + ... + } + +After this "if" inc refcount incremented and + + if (rds_cmsg_recv(inc, msg, rs)) { + ret = -EFAULT; + goto out; + } +... +out: + return ret; +} + +in case of rds_cmsg_recv() fail the refcount won't be +decremented. And it's easy to see from ftrace log, that +rds_inc_addref() don't have rds_inc_put() pair in +rds_recvmsg() after rds_cmsg_recv() + + 1) | rds_recvmsg() { + 1) 3.721 us | rds_inc_addref(); + 1) 3.853 us | rds_message_inc_copy_to_user(); + 1) + 10.395 us | rds_cmsg_recv(); + 1) + 34.260 us | } + +Fixes: bdbe6fbc6a2f ("RDS: recv.c") +Reported-and-tested-by: syzbot+5134cdf021c4ed5aaa5f@syzkaller.appspotmail.com +Signed-off-by: Pavel Skripkin +Reviewed-by: Håkon Bugge +Acked-by: Santosh Shilimkar +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/rds/recv.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/rds/recv.c b/net/rds/recv.c +index aba4afe4dfed..967d115f97ef 100644 +--- a/net/rds/recv.c ++++ b/net/rds/recv.c +@@ -714,7 +714,7 @@ int rds_recvmsg(struct socket *sock, struct msghdr *msg, size_t size, + + if (rds_cmsg_recv(inc, msg, rs)) { + ret = -EFAULT; +- goto out; ++ break; + } + rds_recvmsg_zcookie(rs, msg); + +-- +2.30.2 + diff --git a/queue-5.4/net-sched-act_ct-handle-dnat-tuple-collision.patch b/queue-5.4/net-sched-act_ct-handle-dnat-tuple-collision.patch new file mode 100644 index 00000000000..7f9efcb4dc0 --- /dev/null +++ b/queue-5.4/net-sched-act_ct-handle-dnat-tuple-collision.patch @@ -0,0 +1,67 @@ +From cb9a79c2463e6cc928b4a7576297fdf497518565 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Jun 2021 11:23:56 -0300 +Subject: net/sched: act_ct: handle DNAT tuple collision + +From: Marcelo Ricardo Leitner + +[ Upstream commit 13c62f5371e3eb4fc3400cfa26e64ca75f888008 ] + +This this the counterpart of 8aa7b526dc0b ("openvswitch: handle DNAT +tuple collision") for act_ct. From that commit changelog: + +""" +With multiple DNAT rules it's possible that after destination +translation the resulting tuples collide. + +... + +Netfilter handles this case by allocating a null binding for SNAT at +egress by default. Perform the same operation in openvswitch for DNAT +if no explicit SNAT is requested by the user and allocate a null binding +for SNAT for packets in the "original" direction. +""" + +Fixes: 95219afbb980 ("act_ct: support asymmetric conntrack") +Signed-off-by: Marcelo Ricardo Leitner +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/sched/act_ct.c | 21 +++++++++++++-------- + 1 file changed, 13 insertions(+), 8 deletions(-) + +diff --git a/net/sched/act_ct.c b/net/sched/act_ct.c +index 31eb8eefc868..16c4cbf6d1f0 100644 +--- a/net/sched/act_ct.c ++++ b/net/sched/act_ct.c +@@ -361,14 +361,19 @@ static int tcf_ct_act_nat(struct sk_buff *skb, + } + + err = ct_nat_execute(skb, ct, ctinfo, range, maniptype); +- if (err == NF_ACCEPT && +- ct->status & IPS_SRC_NAT && ct->status & IPS_DST_NAT) { +- if (maniptype == NF_NAT_MANIP_SRC) +- maniptype = NF_NAT_MANIP_DST; +- else +- maniptype = NF_NAT_MANIP_SRC; +- +- err = ct_nat_execute(skb, ct, ctinfo, range, maniptype); ++ if (err == NF_ACCEPT && ct->status & IPS_DST_NAT) { ++ if (ct->status & IPS_SRC_NAT) { ++ if (maniptype == NF_NAT_MANIP_SRC) ++ maniptype = NF_NAT_MANIP_DST; ++ else ++ maniptype = NF_NAT_MANIP_SRC; ++ ++ err = ct_nat_execute(skb, ct, ctinfo, range, ++ maniptype); ++ } else if (CTINFO2DIR(ctinfo) == IP_CT_DIR_ORIGINAL) { ++ err = ct_nat_execute(skb, ct, ctinfo, NULL, ++ NF_NAT_MANIP_SRC); ++ } + } + return err; + #else +-- +2.30.2 + diff --git a/queue-5.4/net-stmmac-dwmac1000-fix-extended-mac-address-regist.patch b/queue-5.4/net-stmmac-dwmac1000-fix-extended-mac-address-regist.patch new file mode 100644 index 00000000000..cee589c4a9e --- /dev/null +++ b/queue-5.4/net-stmmac-dwmac1000-fix-extended-mac-address-regist.patch @@ -0,0 +1,42 @@ +From 91c0216bf791b73595205db469112e7fcc41139f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Jun 2021 15:16:11 +0800 +Subject: net: stmmac: dwmac1000: Fix extended MAC address registers definition + +From: Jisheng Zhang + +[ Upstream commit 1adb20f0d496b2c61e9aa1f4761b8d71f93d258e ] + +The register starts from 0x800 is the 16th MAC address register rather +than the first one. + +Fixes: cffb13f4d6fb ("stmmac: extend mac addr reg and fix perfect filering") +Signed-off-by: Jisheng Zhang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/stmicro/stmmac/dwmac1000.h | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac1000.h b/drivers/net/ethernet/stmicro/stmmac/dwmac1000.h +index b70d44ac0990..3c73453725f9 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/dwmac1000.h ++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac1000.h +@@ -76,10 +76,10 @@ enum power_event { + #define LPI_CTRL_STATUS_TLPIEN 0x00000001 /* Transmit LPI Entry */ + + /* GMAC HW ADDR regs */ +-#define GMAC_ADDR_HIGH(reg) (((reg > 15) ? 0x00000800 : 0x00000040) + \ +- (reg * 8)) +-#define GMAC_ADDR_LOW(reg) (((reg > 15) ? 0x00000804 : 0x00000044) + \ +- (reg * 8)) ++#define GMAC_ADDR_HIGH(reg) ((reg > 15) ? 0x00000800 + (reg - 16) * 8 : \ ++ 0x00000040 + (reg * 8)) ++#define GMAC_ADDR_LOW(reg) ((reg > 15) ? 0x00000804 + (reg - 16) * 8 : \ ++ 0x00000044 + (reg * 8)) + #define GMAC_MAX_PERFECT_ADDRESSES 1 + + #define GMAC_PCS_BASE 0x000000c0 /* PCS register base */ +-- +2.30.2 + diff --git a/queue-5.4/net-usb-fix-possible-use-after-free-in-smsc75xx_bind.patch b/queue-5.4/net-usb-fix-possible-use-after-free-in-smsc75xx_bind.patch new file mode 100644 index 00000000000..6925f13ebb0 --- /dev/null +++ b/queue-5.4/net-usb-fix-possible-use-after-free-in-smsc75xx_bind.patch @@ -0,0 +1,72 @@ +From a4d4752806443a00ebd12ead50b3bb9759b4a469 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Jun 2021 10:48:33 +0800 +Subject: net: usb: fix possible use-after-free in smsc75xx_bind + +From: Dongliang Mu + +[ Upstream commit 56b786d86694e079d8aad9b314e015cd4ac02a3d ] + +The commit 46a8b29c6306 ("net: usb: fix memory leak in smsc75xx_bind") +fails to clean up the work scheduled in smsc75xx_reset-> +smsc75xx_set_multicast, which leads to use-after-free if the work is +scheduled to start after the deallocation. In addition, this patch +also removes a dangling pointer - dev->data[0]. + +This patch calls cancel_work_sync to cancel the scheduled work and set +the dangling pointer to NULL. + +Fixes: 46a8b29c6306 ("net: usb: fix memory leak in smsc75xx_bind") +Signed-off-by: Dongliang Mu +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/usb/smsc75xx.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/usb/smsc75xx.c b/drivers/net/usb/smsc75xx.c +index d0ae0df34e13..aa848be459ec 100644 +--- a/drivers/net/usb/smsc75xx.c ++++ b/drivers/net/usb/smsc75xx.c +@@ -1482,7 +1482,7 @@ static int smsc75xx_bind(struct usbnet *dev, struct usb_interface *intf) + ret = smsc75xx_wait_ready(dev, 0); + if (ret < 0) { + netdev_warn(dev->net, "device not ready in smsc75xx_bind\n"); +- goto err; ++ goto free_pdata; + } + + smsc75xx_init_mac_address(dev); +@@ -1491,7 +1491,7 @@ static int smsc75xx_bind(struct usbnet *dev, struct usb_interface *intf) + ret = smsc75xx_reset(dev); + if (ret < 0) { + netdev_warn(dev->net, "smsc75xx_reset error %d\n", ret); +- goto err; ++ goto cancel_work; + } + + dev->net->netdev_ops = &smsc75xx_netdev_ops; +@@ -1502,8 +1502,11 @@ static int smsc75xx_bind(struct usbnet *dev, struct usb_interface *intf) + dev->net->max_mtu = MAX_SINGLE_PACKET_SIZE; + return 0; + +-err: ++cancel_work: ++ cancel_work_sync(&pdata->set_multicast); ++free_pdata: + kfree(pdata); ++ dev->data[0] = 0; + return ret; + } + +@@ -1514,7 +1517,6 @@ static void smsc75xx_unbind(struct usbnet *dev, struct usb_interface *intf) + cancel_work_sync(&pdata->set_multicast); + netif_dbg(dev, ifdown, dev->net, "free pdata\n"); + kfree(pdata); +- pdata = NULL; + dev->data[0] = 0; + } + } +-- +2.30.2 + diff --git a/queue-5.4/netfilter-synproxy-fix-out-of-bounds-when-parsing-tc.patch b/queue-5.4/netfilter-synproxy-fix-out-of-bounds-when-parsing-tc.patch new file mode 100644 index 00000000000..eec424c5e1f --- /dev/null +++ b/queue-5.4/netfilter-synproxy-fix-out-of-bounds-when-parsing-tc.patch @@ -0,0 +1,59 @@ +From 42483fde12b1f3df0d94046c3fba904952a12496 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Jun 2021 19:40:29 +0300 +Subject: netfilter: synproxy: Fix out of bounds when parsing TCP options + +From: Maxim Mikityanskiy + +[ Upstream commit 5fc177ab759418c9537433e63301096e733fb915 ] + +The TCP option parser in synproxy (synproxy_parse_options) could read +one byte out of bounds. When the length is 1, the execution flow gets +into the loop, reads one byte of the opcode, and if the opcode is +neither TCPOPT_EOL nor TCPOPT_NOP, it reads one more byte, which exceeds +the length of 1. + +This fix is inspired by commit 9609dad263f8 ("ipv4: tcp_input: fix stack +out of bounds when parsing TCP options."). + +v2 changes: + +Added an early return when length < 0 to avoid calling +skb_header_pointer with negative length. + +Cc: Young Xiao <92siuyang@gmail.com> +Fixes: 48b1de4c110a ("netfilter: add SYNPROXY core/target") +Signed-off-by: Maxim Mikityanskiy +Reviewed-by: Florian Westphal +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_synproxy_core.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/net/netfilter/nf_synproxy_core.c b/net/netfilter/nf_synproxy_core.c +index 4bb4cfde28b4..c6c0d27caaed 100644 +--- a/net/netfilter/nf_synproxy_core.c ++++ b/net/netfilter/nf_synproxy_core.c +@@ -31,6 +31,9 @@ synproxy_parse_options(const struct sk_buff *skb, unsigned int doff, + int length = (th->doff * 4) - sizeof(*th); + u8 buf[40], *ptr; + ++ if (unlikely(length < 0)) ++ return false; ++ + ptr = skb_header_pointer(skb, doff + sizeof(*th), length, buf); + if (ptr == NULL) + return false; +@@ -47,6 +50,8 @@ synproxy_parse_options(const struct sk_buff *skb, unsigned int doff, + length--; + continue; + default: ++ if (length < 2) ++ return true; + opsize = *ptr++; + if (opsize < 2) + return true; +-- +2.30.2 + diff --git a/queue-5.4/netxen_nic-fix-an-error-handling-path-in-netxen_nic_.patch b/queue-5.4/netxen_nic-fix-an-error-handling-path-in-netxen_nic_.patch new file mode 100644 index 00000000000..b01b3ce457a --- /dev/null +++ b/queue-5.4/netxen_nic-fix-an-error-handling-path-in-netxen_nic_.patch @@ -0,0 +1,37 @@ +From ff196812de3b200f7690a9be2fbf1978880930b5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 12 Jun 2021 14:53:12 +0200 +Subject: netxen_nic: Fix an error handling path in 'netxen_nic_probe()' + +From: Christophe JAILLET + +[ Upstream commit 49a10c7b176295f8fafb338911cf028e97f65f4d ] + +If an error occurs after a 'pci_enable_pcie_error_reporting()' call, it +must be undone by a corresponding 'pci_disable_pcie_error_reporting()' +call, as already done in the remove function. + +Fixes: e87ad5539343 ("netxen: support pci error handlers") +Signed-off-by: Christophe JAILLET +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/qlogic/netxen/netxen_nic_main.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/ethernet/qlogic/netxen/netxen_nic_main.c b/drivers/net/ethernet/qlogic/netxen/netxen_nic_main.c +index 25b6f2ee2beb..1b9867ea4333 100644 +--- a/drivers/net/ethernet/qlogic/netxen/netxen_nic_main.c ++++ b/drivers/net/ethernet/qlogic/netxen/netxen_nic_main.c +@@ -1602,6 +1602,8 @@ err_out_free_netdev: + free_netdev(netdev); + + err_out_free_res: ++ if (NX_IS_REVISION_P3(pdev->revision)) ++ pci_disable_pcie_error_reporting(pdev); + pci_release_regions(pdev); + + err_out_disable_pdev: +-- +2.30.2 + diff --git a/queue-5.4/ptp-improve-max_adj-check-against-unreasonable-value.patch b/queue-5.4/ptp-improve-max_adj-check-against-unreasonable-value.patch new file mode 100644 index 00000000000..5bbdf0017b1 --- /dev/null +++ b/queue-5.4/ptp-improve-max_adj-check-against-unreasonable-value.patch @@ -0,0 +1,80 @@ +From faa92318b2aaeec193c6ebbbbd5a5e5985ef85eb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Jun 2021 15:24:05 -0700 +Subject: ptp: improve max_adj check against unreasonable values + +From: Jakub Kicinski + +[ Upstream commit 475b92f932168a78da8109acd10bfb7578b8f2bb ] + +Scaled PPM conversion to PPB may (on 64bit systems) result +in a value larger than s32 can hold (freq/scaled_ppm is a long). +This means the kernel will not correctly reject unreasonably +high ->freq values (e.g. > 4294967295ppb, 281474976645 scaled PPM). + +The conversion is equivalent to a division by ~66 (65.536), +so the value of ppb is always smaller than ppm, but not small +enough to assume narrowing the type from long -> s32 is okay. + +Note that reasonable user space (e.g. ptp4l) will not use such +high values, anyway, 4289046510ppb ~= 4.3x, so the fix is +somewhat pedantic. + +Fixes: d39a743511cd ("ptp: validate the requested frequency adjustment.") +Fixes: d94ba80ebbea ("ptp: Added a brand new class driver for ptp clocks.") +Signed-off-by: Jakub Kicinski +Acked-by: Richard Cochran +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/ptp/ptp_clock.c | 6 +++--- + include/linux/ptp_clock_kernel.h | 2 +- + 2 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/ptp/ptp_clock.c b/drivers/ptp/ptp_clock.c +index b84f16bbd6f2..eedf067ee8e3 100644 +--- a/drivers/ptp/ptp_clock.c ++++ b/drivers/ptp/ptp_clock.c +@@ -63,7 +63,7 @@ static void enqueue_external_timestamp(struct timestamp_event_queue *queue, + spin_unlock_irqrestore(&queue->lock, flags); + } + +-s32 scaled_ppm_to_ppb(long ppm) ++long scaled_ppm_to_ppb(long ppm) + { + /* + * The 'freq' field in the 'struct timex' is in parts per +@@ -80,7 +80,7 @@ s32 scaled_ppm_to_ppb(long ppm) + s64 ppb = 1 + ppm; + ppb *= 125; + ppb >>= 13; +- return (s32) ppb; ++ return (long) ppb; + } + EXPORT_SYMBOL(scaled_ppm_to_ppb); + +@@ -138,7 +138,7 @@ static int ptp_clock_adjtime(struct posix_clock *pc, struct __kernel_timex *tx) + delta = ktime_to_ns(kt); + err = ops->adjtime(ops, delta); + } else if (tx->modes & ADJ_FREQUENCY) { +- s32 ppb = scaled_ppm_to_ppb(tx->freq); ++ long ppb = scaled_ppm_to_ppb(tx->freq); + if (ppb > ops->max_adj || ppb < -ops->max_adj) + return -ERANGE; + if (ops->adjfine) +diff --git a/include/linux/ptp_clock_kernel.h b/include/linux/ptp_clock_kernel.h +index 93cc4f1d444a..874f7e73ed01 100644 +--- a/include/linux/ptp_clock_kernel.h ++++ b/include/linux/ptp_clock_kernel.h +@@ -218,7 +218,7 @@ extern int ptp_clock_index(struct ptp_clock *ptp); + * @ppm: Parts per million, but with a 16 bit binary fractional field + */ + +-extern s32 scaled_ppm_to_ppb(long ppm); ++extern long scaled_ppm_to_ppb(long ppm); + + /** + * ptp_find_pin() - obtain the pin index of a given auxiliary function +-- +2.30.2 + diff --git a/queue-5.4/qlcnic-fix-an-error-handling-path-in-qlcnic_probe.patch b/queue-5.4/qlcnic-fix-an-error-handling-path-in-qlcnic_probe.patch new file mode 100644 index 00000000000..3c85281287c --- /dev/null +++ b/queue-5.4/qlcnic-fix-an-error-handling-path-in-qlcnic_probe.patch @@ -0,0 +1,36 @@ +From 5f6c4ec806d41d2bd9c03a8ab0e9763dee74e4e5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 12 Jun 2021 14:37:46 +0200 +Subject: qlcnic: Fix an error handling path in 'qlcnic_probe()' + +From: Christophe JAILLET + +[ Upstream commit cb3376604a676e0302258b01893911bdd7aa5278 ] + +If an error occurs after a 'pci_enable_pcie_error_reporting()' call, it +must be undone by a corresponding 'pci_disable_pcie_error_reporting()' +call, as already done in the remove function. + +Fixes: 451724c821c1 ("qlcnic: aer support") +Signed-off-by: Christophe JAILLET +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/qlogic/qlcnic/qlcnic_main.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_main.c b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_main.c +index f2e5f494462b..3a96fd6deef7 100644 +--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_main.c ++++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_main.c +@@ -2709,6 +2709,7 @@ err_out_free_hw_res: + kfree(ahw); + + err_out_free_res: ++ pci_disable_pcie_error_reporting(pdev); + pci_release_regions(pdev); + + err_out_disable_pdev: +-- +2.30.2 + diff --git a/queue-5.4/rtnetlink-fix-regression-in-bridge-vlan-configuratio.patch b/queue-5.4/rtnetlink-fix-regression-in-bridge-vlan-configuratio.patch new file mode 100644 index 00000000000..ebd6a3f787b --- /dev/null +++ b/queue-5.4/rtnetlink-fix-regression-in-bridge-vlan-configuratio.patch @@ -0,0 +1,55 @@ +From 552356792ccfba48d223cb9690158f7248f73bb4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Jun 2021 14:17:53 +0300 +Subject: rtnetlink: Fix regression in bridge VLAN configuration + +From: Ido Schimmel + +[ Upstream commit d2e381c4963663bca6f30c3b996fa4dbafe8fcb5 ] + +Cited commit started returning errors when notification info is not +filled by the bridge driver, resulting in the following regression: + + # ip link add name br1 type bridge vlan_filtering 1 + # bridge vlan add dev br1 vid 555 self pvid untagged + RTNETLINK answers: Invalid argument + +As long as the bridge driver does not fill notification info for the +bridge device itself, an empty notification should not be considered as +an error. This is explained in commit 59ccaaaa49b5 ("bridge: dont send +notification when skb->len == 0 in rtnl_bridge_notify"). + +Fix by removing the error and add a comment to avoid future bugs. + +Fixes: a8db57c1d285 ("rtnetlink: Fix missing error code in rtnl_bridge_notify()") +Signed-off-by: Ido Schimmel +Reviewed-by: Nikolay Aleksandrov +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/core/rtnetlink.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c +index bdeb169a7a99..0bad5db23129 100644 +--- a/net/core/rtnetlink.c ++++ b/net/core/rtnetlink.c +@@ -4535,10 +4535,12 @@ static int rtnl_bridge_notify(struct net_device *dev) + if (err < 0) + goto errout; + +- if (!skb->len) { +- err = -EINVAL; ++ /* Notification info is only filled for bridge ports, not the bridge ++ * device itself. Therefore, a zero notification length is valid and ++ * should not result in an error. ++ */ ++ if (!skb->len) + goto errout; +- } + + rtnl_notify(skb, net, 0, RTNLGRP_LINK, NULL, GFP_ATOMIC); + return 0; +-- +2.30.2 + diff --git a/queue-5.4/sch_cake-fix-out-of-bounds-when-parsing-tcp-options-.patch b/queue-5.4/sch_cake-fix-out-of-bounds-when-parsing-tcp-options-.patch new file mode 100644 index 00000000000..86d91cb051e --- /dev/null +++ b/queue-5.4/sch_cake-fix-out-of-bounds-when-parsing-tcp-options-.patch @@ -0,0 +1,72 @@ +From 4f27127279f453a659be837dcc01d535e61ac677 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Jun 2021 19:40:31 +0300 +Subject: sch_cake: Fix out of bounds when parsing TCP options and header +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Maxim Mikityanskiy + +[ Upstream commit ba91c49dedbde758ba0b72f57ac90b06ddf8e548 ] + +The TCP option parser in cake qdisc (cake_get_tcpopt and +cake_tcph_may_drop) could read one byte out of bounds. When the length +is 1, the execution flow gets into the loop, reads one byte of the +opcode, and if the opcode is neither TCPOPT_EOL nor TCPOPT_NOP, it reads +one more byte, which exceeds the length of 1. + +This fix is inspired by commit 9609dad263f8 ("ipv4: tcp_input: fix stack +out of bounds when parsing TCP options."). + +v2 changes: + +Added doff validation in cake_get_tcphdr to avoid parsing garbage as TCP +header. Although it wasn't strictly an out-of-bounds access (memory was +allocated), garbage values could be read where CAKE expected the TCP +header if doff was smaller than 5. + +Cc: Young Xiao <92siuyang@gmail.com> +Fixes: 8b7138814f29 ("sch_cake: Add optional ACK filter") +Signed-off-by: Maxim Mikityanskiy +Acked-by: Toke Høiland-Jørgensen +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/sched/sch_cake.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/net/sched/sch_cake.c b/net/sched/sch_cake.c +index 896c0562cb42..e8eebe40e0ae 100644 +--- a/net/sched/sch_cake.c ++++ b/net/sched/sch_cake.c +@@ -907,7 +907,7 @@ static struct tcphdr *cake_get_tcphdr(const struct sk_buff *skb, + } + + tcph = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); +- if (!tcph) ++ if (!tcph || tcph->doff < 5) + return NULL; + + return skb_header_pointer(skb, offset, +@@ -931,6 +931,8 @@ static const void *cake_get_tcpopt(const struct tcphdr *tcph, + length--; + continue; + } ++ if (length < 2) ++ break; + opsize = *ptr++; + if (opsize < 2 || opsize > length) + break; +@@ -1068,6 +1070,8 @@ static bool cake_tcph_may_drop(const struct tcphdr *tcph, + length--; + continue; + } ++ if (length < 2) ++ break; + opsize = *ptr++; + if (opsize < 2 || opsize > length) + break; +-- +2.30.2 + diff --git a/queue-5.4/series b/queue-5.4/series index f90af7432b1..19053050b8c 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -4,3 +4,39 @@ dmaengine-stedma40-add-missing-iounmap-on-error-in-d.patch afs-fix-an-is_err-vs-null-check.patch mm-memory-failure-make-sure-wait-for-page-writeback-.patch kvm-lapic-restore-guard-to-prevent-illegal-apic-regi.patch +batman-adv-avoid-warn_on-timing-related-checks.patch +net-ipv4-fix-memory-leak-in-netlbl_cipsov4_add_std.patch +vrf-fix-maximum-mtu.patch +net-rds-fix-memory-leak-in-rds_recvmsg.patch +net-lantiq-disable-interrupt-before-sheduling-napi.patch +udp-fix-race-between-close-and-udp_abort.patch +rtnetlink-fix-regression-in-bridge-vlan-configuratio.patch +net-sched-act_ct-handle-dnat-tuple-collision.patch +net-mlx5e-remove-dependency-in-ipsec-initialization-.patch +net-mlx5e-fix-page-reclaim-for-dead-peer-hairpin.patch +net-mlx5-consider-roce-cap-before-init-rdma-resource.patch +net-mlx5e-allow-tso-on-vxlan-over-vlan-topologies.patch +net-mlx5e-block-offload-of-outer-header-csum-for-udp.patch +netfilter-synproxy-fix-out-of-bounds-when-parsing-tc.patch +sch_cake-fix-out-of-bounds-when-parsing-tcp-options-.patch +alx-fix-an-error-handling-path-in-alx_probe.patch +net-stmmac-dwmac1000-fix-extended-mac-address-regist.patch +net-make-get_net_ns-return-error-if-net_ns-is-disabl.patch +qlcnic-fix-an-error-handling-path-in-qlcnic_probe.patch +netxen_nic-fix-an-error-handling-path-in-netxen_nic_.patch +net-qrtr-fix-oob-read-in-qrtr_endpoint_post.patch +ptp-improve-max_adj-check-against-unreasonable-value.patch +net-cdc_ncm-switch-to-eth-d-interface-naming.patch +lantiq-net-fix-duplicated-skb-in-rx-descriptor-ring.patch +net-usb-fix-possible-use-after-free-in-smsc75xx_bind.patch +net-fec_ptp-fix-issue-caused-by-refactor-the-fec_dev.patch +net-ipv4-fix-memory-leak-in-ip_mc_add1_src.patch +net-af_unix-fix-a-data-race-in-unix_dgram_sendmsg-un.patch +be2net-fix-an-error-handling-path-in-be_probe.patch +net-hamradio-fix-memory-leak-in-mkiss_close.patch +net-cdc_eem-fix-tx-fixup-skb-leak.patch +cxgb4-fix-wrong-shift.patch +bnxt_en-rediscover-phy-capabilities-after-firmware-r.patch +bnxt_en-call-bnxt_ethtool_free-in-bnxt_init_one-erro.patch +icmp-don-t-send-out-icmp-messages-with-a-source-addr.patch +net-ethernet-fix-potential-use-after-free-in-ec_bhf_.patch diff --git a/queue-5.4/udp-fix-race-between-close-and-udp_abort.patch b/queue-5.4/udp-fix-race-between-close-and-udp_abort.patch new file mode 100644 index 00000000000..64454dc9af4 --- /dev/null +++ b/queue-5.4/udp-fix-race-between-close-and-udp_abort.patch @@ -0,0 +1,77 @@ +From 424f7927c1ed0c4a954fc03320368bd8d0e681d5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Jun 2021 11:49:01 +0200 +Subject: udp: fix race between close() and udp_abort() + +From: Paolo Abeni + +[ Upstream commit a8b897c7bcd47f4147d066e22cc01d1026d7640e ] + +Kaustubh reported and diagnosed a panic in udp_lib_lookup(). +The root cause is udp_abort() racing with close(). Both +racing functions acquire the socket lock, but udp{v6}_destroy_sock() +release it before performing destructive actions. + +We can't easily extend the socket lock scope to avoid the race, +instead use the SOCK_DEAD flag to prevent udp_abort from doing +any action when the critical race happens. + +Diagnosed-and-tested-by: Kaustubh Pandey +Fixes: 5d77dca82839 ("net: diag: support SOCK_DESTROY for UDP sockets") +Signed-off-by: Paolo Abeni +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv4/udp.c | 10 ++++++++++ + net/ipv6/udp.c | 3 +++ + 2 files changed, 13 insertions(+) + +diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c +index 24841a9e9966..4644f86c932f 100644 +--- a/net/ipv4/udp.c ++++ b/net/ipv4/udp.c +@@ -2511,6 +2511,9 @@ void udp_destroy_sock(struct sock *sk) + { + struct udp_sock *up = udp_sk(sk); + bool slow = lock_sock_fast(sk); ++ ++ /* protects from races with udp_abort() */ ++ sock_set_flag(sk, SOCK_DEAD); + udp_flush_pending_frames(sk); + unlock_sock_fast(sk, slow); + if (static_branch_unlikely(&udp_encap_needed_key)) { +@@ -2770,10 +2773,17 @@ int udp_abort(struct sock *sk, int err) + { + lock_sock(sk); + ++ /* udp{v6}_destroy_sock() sets it under the sk lock, avoid racing ++ * with close() ++ */ ++ if (sock_flag(sk, SOCK_DEAD)) ++ goto out; ++ + sk->sk_err = err; + sk->sk_error_report(sk); + __udp_disconnect(sk, 0); + ++out: + release_sock(sk); + + return 0; +diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c +index 6762430280f5..3c94b81bb459 100644 +--- a/net/ipv6/udp.c ++++ b/net/ipv6/udp.c +@@ -1539,6 +1539,9 @@ void udpv6_destroy_sock(struct sock *sk) + { + struct udp_sock *up = udp_sk(sk); + lock_sock(sk); ++ ++ /* protects from races with udp_abort() */ ++ sock_set_flag(sk, SOCK_DEAD); + udp_v6_flush_pending_frames(sk); + release_sock(sk); + +-- +2.30.2 + diff --git a/queue-5.4/vrf-fix-maximum-mtu.patch b/queue-5.4/vrf-fix-maximum-mtu.patch new file mode 100644 index 00000000000..dac52ba3099 --- /dev/null +++ b/queue-5.4/vrf-fix-maximum-mtu.patch @@ -0,0 +1,65 @@ +From b3ee103f019d3a836268244176dd451d064fc4e9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Jun 2021 16:59:51 +0200 +Subject: vrf: fix maximum MTU + +From: Nicolas Dichtel + +[ Upstream commit 9bb392f62447d73cc7dd7562413a2cd9104c82f8 ] + +My initial goal was to fix the default MTU, which is set to 65536, ie above +the maximum defined in the driver: 65535 (ETH_MAX_MTU). + +In fact, it's seems more consistent, wrt min_mtu, to set the max_mtu to +IP6_MAX_MTU (65535 + sizeof(struct ipv6hdr)) and use it by default. + +Let's also, for consistency, set the mtu in vrf_setup(). This function +calls ether_setup(), which set the mtu to 1500. Thus, the whole mtu config +is done in the same function. + +Before the patch: +$ ip link add blue type vrf table 1234 +$ ip link list blue +9: blue: mtu 65536 qdisc noop state DOWN mode DEFAULT group default qlen 1000 + link/ether fa:f5:27:70:24:2a brd ff:ff:ff:ff:ff:ff +$ ip link set dev blue mtu 65535 +$ ip link set dev blue mtu 65536 +Error: mtu greater than device maximum. + +Fixes: 5055376a3b44 ("net: vrf: Fix ping failed when vrf mtu is set to 0") +CC: Miaohe Lin +Signed-off-by: Nicolas Dichtel +Reviewed-by: David Ahern +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/vrf.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/vrf.c b/drivers/net/vrf.c +index 14dfb9278345..1267786d2931 100644 +--- a/drivers/net/vrf.c ++++ b/drivers/net/vrf.c +@@ -908,9 +908,6 @@ static int vrf_dev_init(struct net_device *dev) + + dev->flags = IFF_MASTER | IFF_NOARP; + +- /* MTU is irrelevant for VRF device; set to 64k similar to lo */ +- dev->mtu = 64 * 1024; +- + /* similarly, oper state is irrelevant; set to up to avoid confusion */ + dev->operstate = IF_OPER_UP; + return 0; +@@ -1343,7 +1340,8 @@ static void vrf_setup(struct net_device *dev) + * which breaks networking. + */ + dev->min_mtu = IPV6_MIN_MTU; +- dev->max_mtu = ETH_MAX_MTU; ++ dev->max_mtu = IP6_MAX_MTU; ++ dev->mtu = dev->max_mtu; + } + + static int vrf_validate(struct nlattr *tb[], struct nlattr *data[], +-- +2.30.2 + -- 2.47.2