From dd327236c04aa18441c600b20063dc7baa580307 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Sun, 6 Oct 2019 09:50:00 +0200 Subject: [PATCH] 5.2-stable patches added patches: cxgb4-fix-out-of-bounds-msi-x-info-array-access.patch erspan-remove-the-incorrect-mtu-limit-for-erspan.patch hso-fix-null-deref-on-tty-open.patch ipv6-drop-incoming-packets-having-a-v4mapped-source-address.patch ipv6-handle-missing-host-route-in-__ipv6_ifa_notify.patch net-dsa-rtl8366-check-vlan-id-and-not-ports.patch net-ipv4-avoid-mixed-n_redirects-and-rate_tokens-usage.patch net-qlogic-fix-memory-leak-in-ql_alloc_large_buffers.patch net-rds-fix-error-handling-in-rds_ib_add_one.patch net-sched-cbs-avoid-division-by-zero-when-calculating-the-port-rate.patch net-sched-taprio-avoid-division-by-zero-on-invalid-link-speed.patch net-sched-taprio-fix-potential-integer-overflow-in-taprio_set_picos_per_byte.patch net-unpublish-sk-from-sk_reuseport_cb-before-call_rcu.patch nfc-fix-memory-leak-in-llcp_sock_bind.patch ptp_qoriq-initialize-the-registers-spinlock-before-calling-ptp_qoriq_settime.patch qmi_wwan-add-support-for-cinterion-cls8-devices.patch rxrpc-fix-rxrpc_recvmsg-tracepoint.patch sch_cbq-validate-tca_cbq_wrropt-to-avoid-crash.patch sch_dsmark-fix-potential-null-deref-in-dsmark_init.patch tcp-adjust-rto_base-in-retransmits_timed_out.patch tipc-fix-unlimited-bundling-of-small-messages.patch udp-fix-gso_segs-calculations.patch udp-only-do-gso-if-of-segs-1.patch vsock-fix-a-lockdep-warning-in-__vsock_release.patch xen-netfront-do-not-use-0u-as-error-return-value-for-xennet_fill_frags.patch --- ...ut-of-bounds-msi-x-info-array-access.patch | 51 ++++++ ...e-the-incorrect-mtu-limit-for-erspan.patch | 45 +++++ .../hso-fix-null-deref-on-tty-open.patch | 54 ++++++ ...ets-having-a-v4mapped-source-address.patch | 67 +++++++ ...sing-host-route-in-__ipv6_ifa_notify.patch | 85 +++++++++ ...-rtl8366-check-vlan-id-and-not-ports.patch | 58 ++++++ ...ed-n_redirects-and-rate_tokens-usage.patch | 62 +++++++ ...emory-leak-in-ql_alloc_large_buffers.patch | 30 +++ ...fix-error-handling-in-rds_ib_add_one.patch | 47 +++++ ...-zero-when-calculating-the-port-rate.patch | 34 ++++ ...vision-by-zero-on-invalid-link-speed.patch | 71 ++++++++ ...verflow-in-taprio_set_picos_per_byte.patch | 39 ++++ ...from-sk_reuseport_cb-before-call_rcu.patch | 59 ++++++ ...fc-fix-memory-leak-in-llcp_sock_bind.patch | 62 +++++++ ...ock-before-calling-ptp_qoriq_settime.patch | 69 +++++++ ...d-support-for-cinterion-cls8-devices.patch | 56 ++++++ .../rxrpc-fix-rxrpc_recvmsg-tracepoint.patch | 31 ++++ ...lidate-tca_cbq_wrropt-to-avoid-crash.patch | 128 +++++++++++++ ...-potential-null-deref-in-dsmark_init.patch | 73 ++++++++ queue-5.2/series | 25 +++ ...st-rto_base-in-retransmits_timed_out.patch | 48 +++++ ...unlimited-bundling-of-small-messages.patch | 171 ++++++++++++++++++ queue-5.2/udp-fix-gso_segs-calculations.patch | 47 +++++ queue-5.2/udp-only-do-gso-if-of-segs-1.patch | 140 ++++++++++++++ ...a-lockdep-warning-in-__vsock_release.patch | 146 +++++++++++++++ ...r-return-value-for-xennet_fill_frags.patch | 95 ++++++++++ 26 files changed, 1793 insertions(+) create mode 100644 queue-5.2/cxgb4-fix-out-of-bounds-msi-x-info-array-access.patch create mode 100644 queue-5.2/erspan-remove-the-incorrect-mtu-limit-for-erspan.patch create mode 100644 queue-5.2/hso-fix-null-deref-on-tty-open.patch create mode 100644 queue-5.2/ipv6-drop-incoming-packets-having-a-v4mapped-source-address.patch create mode 100644 queue-5.2/ipv6-handle-missing-host-route-in-__ipv6_ifa_notify.patch create mode 100644 queue-5.2/net-dsa-rtl8366-check-vlan-id-and-not-ports.patch create mode 100644 queue-5.2/net-ipv4-avoid-mixed-n_redirects-and-rate_tokens-usage.patch create mode 100644 queue-5.2/net-qlogic-fix-memory-leak-in-ql_alloc_large_buffers.patch create mode 100644 queue-5.2/net-rds-fix-error-handling-in-rds_ib_add_one.patch create mode 100644 queue-5.2/net-sched-cbs-avoid-division-by-zero-when-calculating-the-port-rate.patch create mode 100644 queue-5.2/net-sched-taprio-avoid-division-by-zero-on-invalid-link-speed.patch create mode 100644 queue-5.2/net-sched-taprio-fix-potential-integer-overflow-in-taprio_set_picos_per_byte.patch create mode 100644 queue-5.2/net-unpublish-sk-from-sk_reuseport_cb-before-call_rcu.patch create mode 100644 queue-5.2/nfc-fix-memory-leak-in-llcp_sock_bind.patch create mode 100644 queue-5.2/ptp_qoriq-initialize-the-registers-spinlock-before-calling-ptp_qoriq_settime.patch create mode 100644 queue-5.2/qmi_wwan-add-support-for-cinterion-cls8-devices.patch create mode 100644 queue-5.2/rxrpc-fix-rxrpc_recvmsg-tracepoint.patch create mode 100644 queue-5.2/sch_cbq-validate-tca_cbq_wrropt-to-avoid-crash.patch create mode 100644 queue-5.2/sch_dsmark-fix-potential-null-deref-in-dsmark_init.patch create mode 100644 queue-5.2/tcp-adjust-rto_base-in-retransmits_timed_out.patch create mode 100644 queue-5.2/tipc-fix-unlimited-bundling-of-small-messages.patch create mode 100644 queue-5.2/udp-fix-gso_segs-calculations.patch create mode 100644 queue-5.2/udp-only-do-gso-if-of-segs-1.patch create mode 100644 queue-5.2/vsock-fix-a-lockdep-warning-in-__vsock_release.patch create mode 100644 queue-5.2/xen-netfront-do-not-use-0u-as-error-return-value-for-xennet_fill_frags.patch diff --git a/queue-5.2/cxgb4-fix-out-of-bounds-msi-x-info-array-access.patch b/queue-5.2/cxgb4-fix-out-of-bounds-msi-x-info-array-access.patch new file mode 100644 index 00000000000..1584beb0706 --- /dev/null +++ b/queue-5.2/cxgb4-fix-out-of-bounds-msi-x-info-array-access.patch @@ -0,0 +1,51 @@ +From foo@baz Sun 06 Oct 2019 09:49:37 AM CEST +From: Vishal Kulkarni +Date: Fri, 4 Oct 2019 04:06:15 +0530 +Subject: cxgb4:Fix out-of-bounds MSI-X info array access + +From: Vishal Kulkarni + +[ Upstream commit 6b517374f4ea5a3c6e307e1219ec5f35d42e6d00 ] + +When fetching free MSI-X vectors for ULDs, check for the error code +before accessing MSI-X info array. Otherwise, an out-of-bounds access is +attempted, which results in kernel panic. + +Fixes: 94cdb8bb993a ("cxgb4: Add support for dynamic allocation of resources for ULD") +Signed-off-by: Shahjada Abul Husain +Signed-off-by: Vishal Kulkarni +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/chelsio/cxgb4/cxgb4_uld.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +--- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_uld.c ++++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_uld.c +@@ -137,13 +137,12 @@ static int uldrx_handler(struct sge_rspq + static int alloc_uld_rxqs(struct adapter *adap, + struct sge_uld_rxq_info *rxq_info, bool lro) + { +- struct sge *s = &adap->sge; + unsigned int nq = rxq_info->nrxq + rxq_info->nciq; ++ int i, err, msi_idx, que_idx = 0, bmap_idx = 0; + struct sge_ofld_rxq *q = rxq_info->uldrxq; + unsigned short *ids = rxq_info->rspq_id; +- unsigned int bmap_idx = 0; ++ struct sge *s = &adap->sge; + unsigned int per_chan; +- int i, err, msi_idx, que_idx = 0; + + per_chan = rxq_info->nrxq / adap->params.nports; + +@@ -161,6 +160,10 @@ static int alloc_uld_rxqs(struct adapter + + if (msi_idx >= 0) { + bmap_idx = get_msix_idx_from_bmap(adap); ++ if (bmap_idx < 0) { ++ err = -ENOSPC; ++ goto freeout; ++ } + msi_idx = adap->msix_info_ulds[bmap_idx].idx; + } + err = t4_sge_alloc_rxq(adap, &q->rspq, false, diff --git a/queue-5.2/erspan-remove-the-incorrect-mtu-limit-for-erspan.patch b/queue-5.2/erspan-remove-the-incorrect-mtu-limit-for-erspan.patch new file mode 100644 index 00000000000..20e4d2cd7f7 --- /dev/null +++ b/queue-5.2/erspan-remove-the-incorrect-mtu-limit-for-erspan.patch @@ -0,0 +1,45 @@ +From foo@baz Sun 06 Oct 2019 09:49:37 AM CEST +From: Haishuang Yan +Date: Fri, 27 Sep 2019 14:58:20 +0800 +Subject: erspan: remove the incorrect mtu limit for erspan + +From: Haishuang Yan + +[ Upstream commit 0e141f757b2c78c983df893e9993313e2dc21e38 ] + +erspan driver calls ether_setup(), after commit 61e84623ace3 +("net: centralize net_device min/max MTU checking"), the range +of mtu is [min_mtu, max_mtu], which is [68, 1500] by default. + +It causes the dev mtu of the erspan device to not be greater +than 1500, this limit value is not correct for ipgre tap device. + +Tested: +Before patch: +# ip link set erspan0 mtu 1600 +Error: mtu greater than device maximum. +After patch: +# ip link set erspan0 mtu 1600 +# ip -d link show erspan0 +21: erspan0@NONE: mtu 1600 qdisc noop state DOWN +mode DEFAULT group default qlen 1000 + link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff promiscuity 0 minmtu 68 maxmtu 0 + +Fixes: 61e84623ace3 ("net: centralize net_device min/max MTU checking") +Signed-off-by: Haishuang Yan +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/ip_gre.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/ipv4/ip_gre.c ++++ b/net/ipv4/ip_gre.c +@@ -1446,6 +1446,7 @@ static void erspan_setup(struct net_devi + struct ip_tunnel *t = netdev_priv(dev); + + ether_setup(dev); ++ dev->max_mtu = 0; + dev->netdev_ops = &erspan_netdev_ops; + dev->priv_flags &= ~IFF_TX_SKB_SHARING; + dev->priv_flags |= IFF_LIVE_ADDR_CHANGE; diff --git a/queue-5.2/hso-fix-null-deref-on-tty-open.patch b/queue-5.2/hso-fix-null-deref-on-tty-open.patch new file mode 100644 index 00000000000..f3ef53ccd11 --- /dev/null +++ b/queue-5.2/hso-fix-null-deref-on-tty-open.patch @@ -0,0 +1,54 @@ +From foo@baz Sun 06 Oct 2019 09:49:37 AM CEST +From: Johan Hovold +Date: Mon, 30 Sep 2019 17:12:41 +0200 +Subject: hso: fix NULL-deref on tty open + +From: Johan Hovold + +[ Upstream commit 8353da9fa69722b54cba82b2ec740afd3d438748 ] + +Fix NULL-pointer dereference on tty open due to a failure to handle a +missing interrupt-in endpoint when probing modem ports: + + BUG: kernel NULL pointer dereference, address: 0000000000000006 + ... + RIP: 0010:tiocmget_submit_urb+0x1c/0xe0 [hso] + ... + Call Trace: + hso_start_serial_device+0xdc/0x140 [hso] + hso_serial_open+0x118/0x1b0 [hso] + tty_open+0xf1/0x490 + +Fixes: 542f54823614 ("tty: Modem functions for the HSO driver") +Signed-off-by: Johan Hovold +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/hso.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +--- a/drivers/net/usb/hso.c ++++ b/drivers/net/usb/hso.c +@@ -2620,14 +2620,18 @@ static struct hso_device *hso_create_bul + */ + if (serial->tiocmget) { + tiocmget = serial->tiocmget; ++ tiocmget->endp = hso_get_ep(interface, ++ USB_ENDPOINT_XFER_INT, ++ USB_DIR_IN); ++ if (!tiocmget->endp) { ++ dev_err(&interface->dev, "Failed to find INT IN ep\n"); ++ goto exit; ++ } ++ + tiocmget->urb = usb_alloc_urb(0, GFP_KERNEL); + if (tiocmget->urb) { + mutex_init(&tiocmget->mutex); + init_waitqueue_head(&tiocmget->waitq); +- tiocmget->endp = hso_get_ep( +- interface, +- USB_ENDPOINT_XFER_INT, +- USB_DIR_IN); + } else + hso_free_tiomget(serial); + } diff --git a/queue-5.2/ipv6-drop-incoming-packets-having-a-v4mapped-source-address.patch b/queue-5.2/ipv6-drop-incoming-packets-having-a-v4mapped-source-address.patch new file mode 100644 index 00000000000..fbd7b858059 --- /dev/null +++ b/queue-5.2/ipv6-drop-incoming-packets-having-a-v4mapped-source-address.patch @@ -0,0 +1,67 @@ +From foo@baz Sun 06 Oct 2019 09:49:37 AM CEST +From: Eric Dumazet +Date: Wed, 2 Oct 2019 09:38:55 -0700 +Subject: ipv6: drop incoming packets having a v4mapped source address + +From: Eric Dumazet + +[ Upstream commit 6af1799aaf3f1bc8defedddfa00df3192445bbf3 ] + +This began with a syzbot report. syzkaller was injecting +IPv6 TCP SYN packets having a v4mapped source address. + +After an unsuccessful 4-tuple lookup, TCP creates a request +socket (SYN_RECV) and calls reqsk_queue_hash_req() + +reqsk_queue_hash_req() calls sk_ehashfn(sk) + +At this point we have AF_INET6 sockets, and the heuristic +used by sk_ehashfn() to either hash the IPv4 or IPv6 addresses +is to use ipv6_addr_v4mapped(&sk->sk_v6_daddr) + +For the particular spoofed packet, we end up hashing V4 addresses +which were not initialized by the TCP IPv6 stack, so KMSAN fired +a warning. + +I first fixed sk_ehashfn() to test both source and destination addresses, +but then faced various problems, including user-space programs +like packetdrill that had similar assumptions. + +Instead of trying to fix the whole ecosystem, it is better +to admit that we have a dual stack behavior, and that we +can not build linux kernels without V4 stack anyway. + +The dual stack API automatically forces the traffic to be IPv4 +if v4mapped addresses are used at bind() or connect(), so it makes +no sense to allow IPv6 traffic to use the same v4mapped class. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Eric Dumazet +Cc: Florian Westphal +Cc: Hannes Frederic Sowa +Reported-by: syzbot +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/ip6_input.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +--- a/net/ipv6/ip6_input.c ++++ b/net/ipv6/ip6_input.c +@@ -221,6 +221,16 @@ static struct sk_buff *ip6_rcv_core(stru + if (ipv6_addr_is_multicast(&hdr->saddr)) + goto err; + ++ /* While RFC4291 is not explicit about v4mapped addresses ++ * in IPv6 headers, it seems clear linux dual-stack ++ * model can not deal properly with these. ++ * Security models could be fooled by ::ffff:127.0.0.1 for example. ++ * ++ * https://tools.ietf.org/html/draft-itojun-v6ops-v4mapped-harmful-02 ++ */ ++ if (ipv6_addr_v4mapped(&hdr->saddr)) ++ goto err; ++ + skb->transport_header = skb->network_header + sizeof(*hdr); + IP6CB(skb)->nhoff = offsetof(struct ipv6hdr, nexthdr); + diff --git a/queue-5.2/ipv6-handle-missing-host-route-in-__ipv6_ifa_notify.patch b/queue-5.2/ipv6-handle-missing-host-route-in-__ipv6_ifa_notify.patch new file mode 100644 index 00000000000..dc977485c35 --- /dev/null +++ b/queue-5.2/ipv6-handle-missing-host-route-in-__ipv6_ifa_notify.patch @@ -0,0 +1,85 @@ +From foo@baz Sun 06 Oct 2019 09:49:37 AM CEST +From: David Ahern +Date: Fri, 4 Oct 2019 08:03:09 -0700 +Subject: ipv6: Handle missing host route in __ipv6_ifa_notify + +From: David Ahern + +[ Upstream commit 2d819d250a1393a3e725715425ab70a0e0772a71 ] + +Rajendra reported a kernel panic when a link was taken down: + + [ 6870.263084] BUG: unable to handle kernel NULL pointer dereference at 00000000000000a8 + [ 6870.271856] IP: [] __ipv6_ifa_notify+0x154/0x290 + + + + [ 6870.570501] Call Trace: + [ 6870.573238] [] ? ipv6_ifa_notify+0x26/0x40 + [ 6870.579665] [] ? addrconf_dad_completed+0x4c/0x2c0 + [ 6870.586869] [] ? ipv6_dev_mc_inc+0x196/0x260 + [ 6870.593491] [] ? addrconf_dad_work+0x10a/0x430 + [ 6870.600305] [] ? __switch_to_asm+0x34/0x70 + [ 6870.606732] [] ? process_one_work+0x18a/0x430 + [ 6870.613449] [] ? worker_thread+0x4d/0x490 + [ 6870.619778] [] ? process_one_work+0x430/0x430 + [ 6870.626495] [] ? kthread+0xd9/0xf0 + [ 6870.632145] [] ? __switch_to_asm+0x34/0x70 + [ 6870.638573] [] ? kthread_park+0x60/0x60 + [ 6870.644707] [] ? ret_from_fork+0x57/0x70 + [ 6870.650936] Code: 31 c0 31 d2 41 b9 20 00 08 02 b9 09 00 00 0 + +addrconf_dad_work is kicked to be scheduled when a device is brought +up. There is a race between addrcond_dad_work getting scheduled and +taking the rtnl lock and a process taking the link down (under rtnl). +The latter removes the host route from the inet6_addr as part of +addrconf_ifdown which is run for NETDEV_DOWN. The former attempts +to use the host route in __ipv6_ifa_notify. If the down event removes +the host route due to the race to the rtnl, then the BUG listed above +occurs. + +Since the DAD sequence can not be aborted, add a check for the missing +host route in __ipv6_ifa_notify. The only way this should happen is due +to the previously mentioned race. The host route is created when the +address is added to an interface; it is only removed on a down event +where the address is kept. Add a warning if the host route is missing +AND the device is up; this is a situation that should never happen. + +Fixes: f1705ec197e7 ("net: ipv6: Make address flushing on ifdown optional") +Reported-by: Rajendra Dendukuri +Signed-off-by: David Ahern +Reviewed-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/addrconf.c | 17 ++++++++++++----- + 1 file changed, 12 insertions(+), 5 deletions(-) + +--- a/net/ipv6/addrconf.c ++++ b/net/ipv6/addrconf.c +@@ -5962,13 +5962,20 @@ static void __ipv6_ifa_notify(int event, + switch (event) { + case RTM_NEWADDR: + /* +- * If the address was optimistic +- * we inserted the route at the start of +- * our DAD process, so we don't need +- * to do it again ++ * If the address was optimistic we inserted the route at the ++ * start of our DAD process, so we don't need to do it again. ++ * If the device was taken down in the middle of the DAD ++ * cycle there is a race where we could get here without a ++ * host route, so nothing to insert. That will be fixed when ++ * the device is brought up. + */ +- if (!rcu_access_pointer(ifp->rt->fib6_node)) ++ if (ifp->rt && !rcu_access_pointer(ifp->rt->fib6_node)) { + ip6_ins_rt(net, ifp->rt); ++ } else if (!ifp->rt && (ifp->idev->dev->flags & IFF_UP)) { ++ pr_warn("BUG: Address %pI6c on device %s is missing its host route.\n", ++ &ifp->addr, ifp->idev->dev->name); ++ } ++ + if (ifp->idev->cnf.forwarding) + addrconf_join_anycast(ifp); + if (!ipv6_addr_any(&ifp->peer_addr)) diff --git a/queue-5.2/net-dsa-rtl8366-check-vlan-id-and-not-ports.patch b/queue-5.2/net-dsa-rtl8366-check-vlan-id-and-not-ports.patch new file mode 100644 index 00000000000..36fafc53e42 --- /dev/null +++ b/queue-5.2/net-dsa-rtl8366-check-vlan-id-and-not-ports.patch @@ -0,0 +1,58 @@ +From foo@baz Sun 06 Oct 2019 09:49:37 AM CEST +From: Linus Walleij +Date: Tue, 1 Oct 2019 16:28:43 +0200 +Subject: net: dsa: rtl8366: Check VLAN ID and not ports + +From: Linus Walleij + +[ Upstream commit e8521e53cca584ddf8ec4584d3c550a6c65f88c4 ] + +There has been some confusion between the port number and +the VLAN ID in this driver. What we need to check for +validity is the VLAN ID, nothing else. + +The current confusion came from assigning a few default +VLANs for default routing and we need to rewrite that +properly. + +Instead of checking if the port number is a valid VLAN +ID, check the actual VLAN IDs passed in to the callback +one by one as expected. + +Fixes: d8652956cf37 ("net: dsa: realtek-smi: Add Realtek SMI driver") +Signed-off-by: Linus Walleij +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/dsa/rtl8366.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +--- a/drivers/net/dsa/rtl8366.c ++++ b/drivers/net/dsa/rtl8366.c +@@ -339,10 +339,12 @@ int rtl8366_vlan_prepare(struct dsa_swit + const struct switchdev_obj_port_vlan *vlan) + { + struct realtek_smi *smi = ds->priv; ++ u16 vid; + int ret; + +- if (!smi->ops->is_vlan_valid(smi, port)) +- return -EINVAL; ++ for (vid = vlan->vid_begin; vid < vlan->vid_end; vid++) ++ if (!smi->ops->is_vlan_valid(smi, vid)) ++ return -EINVAL; + + dev_info(smi->dev, "prepare VLANs %04x..%04x\n", + vlan->vid_begin, vlan->vid_end); +@@ -370,8 +372,9 @@ void rtl8366_vlan_add(struct dsa_switch + u16 vid; + int ret; + +- if (!smi->ops->is_vlan_valid(smi, port)) +- return; ++ for (vid = vlan->vid_begin; vid < vlan->vid_end; vid++) ++ if (!smi->ops->is_vlan_valid(smi, vid)) ++ return; + + dev_info(smi->dev, "add VLAN on port %d, %s, %s\n", + port, diff --git a/queue-5.2/net-ipv4-avoid-mixed-n_redirects-and-rate_tokens-usage.patch b/queue-5.2/net-ipv4-avoid-mixed-n_redirects-and-rate_tokens-usage.patch new file mode 100644 index 00000000000..0bdd726145c --- /dev/null +++ b/queue-5.2/net-ipv4-avoid-mixed-n_redirects-and-rate_tokens-usage.patch @@ -0,0 +1,62 @@ +From foo@baz Sun 06 Oct 2019 09:49:37 AM CEST +From: Paolo Abeni +Date: Fri, 4 Oct 2019 15:11:17 +0200 +Subject: net: ipv4: avoid mixed n_redirects and rate_tokens usage + +From: Paolo Abeni + +[ Upstream commit b406472b5ad79ede8d10077f0c8f05505ace8b6d ] + +Since commit c09551c6ff7f ("net: ipv4: use a dedicated counter +for icmp_v4 redirect packets") we use 'n_redirects' to account +for redirect packets, but we still use 'rate_tokens' to compute +the redirect packets exponential backoff. + +If the device sent to the relevant peer any ICMP error packet +after sending a redirect, it will also update 'rate_token' according +to the leaking bucket schema; typically 'rate_token' will raise +above BITS_PER_LONG and the redirect packets backoff algorithm +will produce undefined behavior. + +Fix the issue using 'n_redirects' to compute the exponential backoff +in ip_rt_send_redirect(). + +Note that we still clear rate_tokens after a redirect silence period, +to avoid changing an established behaviour. + +The root cause predates git history; before the mentioned commit in +the critical scenario, the kernel stopped sending redirects, after +the mentioned commit the behavior more randomic. + +Reported-by: Xiumei Mu +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Fixes: c09551c6ff7f ("net: ipv4: use a dedicated counter for icmp_v4 redirect packets") +Signed-off-by: Paolo Abeni +Acked-by: Lorenzo Bianconi +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/route.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/net/ipv4/route.c ++++ b/net/ipv4/route.c +@@ -915,16 +915,15 @@ void ip_rt_send_redirect(struct sk_buff + if (peer->rate_tokens == 0 || + time_after(jiffies, + (peer->rate_last + +- (ip_rt_redirect_load << peer->rate_tokens)))) { ++ (ip_rt_redirect_load << peer->n_redirects)))) { + __be32 gw = rt_nexthop(rt, ip_hdr(skb)->daddr); + + icmp_send(skb, ICMP_REDIRECT, ICMP_REDIR_HOST, gw); + peer->rate_last = jiffies; +- ++peer->rate_tokens; + ++peer->n_redirects; + #ifdef CONFIG_IP_ROUTE_VERBOSE + if (log_martians && +- peer->rate_tokens == ip_rt_redirect_number) ++ peer->n_redirects == ip_rt_redirect_number) + net_warn_ratelimited("host %pI4/if%d ignores redirects for %pI4 to %pI4\n", + &ip_hdr(skb)->saddr, inet_iif(skb), + &ip_hdr(skb)->daddr, &gw); diff --git a/queue-5.2/net-qlogic-fix-memory-leak-in-ql_alloc_large_buffers.patch b/queue-5.2/net-qlogic-fix-memory-leak-in-ql_alloc_large_buffers.patch new file mode 100644 index 00000000000..25b7e571b43 --- /dev/null +++ b/queue-5.2/net-qlogic-fix-memory-leak-in-ql_alloc_large_buffers.patch @@ -0,0 +1,30 @@ +From foo@baz Sun 06 Oct 2019 09:49:37 AM CEST +From: Navid Emamdoost +Date: Fri, 4 Oct 2019 15:24:39 -0500 +Subject: net: qlogic: Fix memory leak in ql_alloc_large_buffers + +From: Navid Emamdoost + +[ Upstream commit 1acb8f2a7a9f10543868ddd737e37424d5c36cf4 ] + +In ql_alloc_large_buffers, a new skb is allocated via netdev_alloc_skb. +This skb should be released if pci_dma_mapping_error fails. + +Fixes: 0f8ab89e825f ("qla3xxx: Check return code from pci_map_single() in ql_release_to_lrg_buf_free_list(), ql_populate_free_queue(), ql_alloc_large_buffers(), and ql3xxx_send()") +Signed-off-by: Navid Emamdoost +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/qlogic/qla3xxx.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/ethernet/qlogic/qla3xxx.c ++++ b/drivers/net/ethernet/qlogic/qla3xxx.c +@@ -2787,6 +2787,7 @@ static int ql_alloc_large_buffers(struct + netdev_err(qdev->ndev, + "PCI mapping failed with error: %d\n", + err); ++ dev_kfree_skb_irq(skb); + ql_free_large_buffers(qdev); + return -ENOMEM; + } diff --git a/queue-5.2/net-rds-fix-error-handling-in-rds_ib_add_one.patch b/queue-5.2/net-rds-fix-error-handling-in-rds_ib_add_one.patch new file mode 100644 index 00000000000..9e8eca09ab4 --- /dev/null +++ b/queue-5.2/net-rds-fix-error-handling-in-rds_ib_add_one.patch @@ -0,0 +1,47 @@ +From foo@baz Sun 06 Oct 2019 09:49:37 AM CEST +From: Dotan Barak +Date: Tue, 1 Oct 2019 10:21:02 -0700 +Subject: net/rds: Fix error handling in rds_ib_add_one() + +From: Dotan Barak + +[ Upstream commit d64bf89a75b65f83f06be9fb8f978e60d53752db ] + +rds_ibdev:ipaddr_list and rds_ibdev:conn_list are initialized +after allocation some resources such as protection domain. +If allocation of such resources fail, then these uninitialized +variables are accessed in rds_ib_dev_free() in failure path. This +can potentially crash the system. The code has been updated to +initialize these variables very early in the function. + +Signed-off-by: Dotan Barak +Signed-off-by: Sudhakar Dindukurti +Acked-by: Santosh Shilimkar +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/rds/ib.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/net/rds/ib.c ++++ b/net/rds/ib.c +@@ -143,6 +143,9 @@ static void rds_ib_add_one(struct ib_dev + refcount_set(&rds_ibdev->refcount, 1); + INIT_WORK(&rds_ibdev->free_work, rds_ib_dev_free); + ++ INIT_LIST_HEAD(&rds_ibdev->ipaddr_list); ++ INIT_LIST_HEAD(&rds_ibdev->conn_list); ++ + rds_ibdev->max_wrs = device->attrs.max_qp_wr; + rds_ibdev->max_sge = min(device->attrs.max_send_sge, RDS_IB_MAX_SGE); + +@@ -203,9 +206,6 @@ static void rds_ib_add_one(struct ib_dev + device->name, + rds_ibdev->use_fastreg ? "FRMR" : "FMR"); + +- INIT_LIST_HEAD(&rds_ibdev->ipaddr_list); +- INIT_LIST_HEAD(&rds_ibdev->conn_list); +- + down_write(&rds_ib_devices_lock); + list_add_tail_rcu(&rds_ibdev->list, &rds_ib_devices); + up_write(&rds_ib_devices_lock); diff --git a/queue-5.2/net-sched-cbs-avoid-division-by-zero-when-calculating-the-port-rate.patch b/queue-5.2/net-sched-cbs-avoid-division-by-zero-when-calculating-the-port-rate.patch new file mode 100644 index 00000000000..78b2cc1f093 --- /dev/null +++ b/queue-5.2/net-sched-cbs-avoid-division-by-zero-when-calculating-the-port-rate.patch @@ -0,0 +1,34 @@ +From foo@baz Sun 06 Oct 2019 09:49:37 AM CEST +From: Vladimir Oltean +Date: Sun, 29 Sep 2019 02:39:48 +0300 +Subject: net: sched: cbs: Avoid division by zero when calculating the port rate + +From: Vladimir Oltean + +[ Upstream commit 83c8c3cf45163f0c823db37be6ab04dfcf8ac751 ] + +As explained in the "net: sched: taprio: Avoid division by zero on +invalid link speed" commit, it is legal for the ethtool API to return +zero as a link speed. So guard against it to ensure we don't perform a +division by zero in kernel. + +Fixes: e0a7683d30e9 ("net/sched: cbs: fix port_rate miscalculation") +Signed-off-by: Vladimir Oltean +Acked-by: Vinicius Costa Gomes +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/sched/sch_cbs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/sched/sch_cbs.c ++++ b/net/sched/sch_cbs.c +@@ -306,7 +306,7 @@ static void cbs_set_port_rate(struct net + if (err < 0) + goto skip; + +- if (ecmd.base.speed != SPEED_UNKNOWN) ++ if (ecmd.base.speed && ecmd.base.speed != SPEED_UNKNOWN) + speed = ecmd.base.speed; + + skip: diff --git a/queue-5.2/net-sched-taprio-avoid-division-by-zero-on-invalid-link-speed.patch b/queue-5.2/net-sched-taprio-avoid-division-by-zero-on-invalid-link-speed.patch new file mode 100644 index 00000000000..504f33c526b --- /dev/null +++ b/queue-5.2/net-sched-taprio-avoid-division-by-zero-on-invalid-link-speed.patch @@ -0,0 +1,71 @@ +From foo@baz Sun 06 Oct 2019 09:49:37 AM CEST +From: Vladimir Oltean +Date: Sun, 29 Sep 2019 02:37:22 +0300 +Subject: net: sched: taprio: Avoid division by zero on invalid link speed + +From: Vladimir Oltean + +[ Upstream commit 9a9251a3534745d08a92abfeca0ca467b912b5f6 ] + +The check in taprio_set_picos_per_byte is currently not robust enough +and will trigger this division by zero, due to e.g. PHYLINK not setting +kset->base.speed when there is no PHY connected: + +[ 27.109992] Division by zero in kernel. +[ 27.113842] CPU: 1 PID: 198 Comm: tc Not tainted 5.3.0-rc5-01246-gc4006b8c2637-dirty #212 +[ 27.121974] Hardware name: Freescale LS1021A +[ 27.126234] [] (unwind_backtrace) from [] (show_stack+0x10/0x14) +[ 27.133938] [] (show_stack) from [] (dump_stack+0xb0/0xc4) +[ 27.141124] [] (dump_stack) from [] (Ldiv0_64+0x8/0x18) +[ 27.148052] [] (Ldiv0_64) from [] (div64_u64+0xcc/0xf0) +[ 27.154978] [] (div64_u64) from [] (div64_s64+0x4c/0x68) +[ 27.161993] [] (div64_s64) from [] (taprio_set_picos_per_byte+0xe8/0xf4) +[ 27.170388] [] (taprio_set_picos_per_byte) from [] (taprio_change+0x668/0xcec) +[ 27.179302] [] (taprio_change) from [] (qdisc_create+0x1fc/0x4f4) +[ 27.187091] [] (qdisc_create) from [] (tc_modify_qdisc+0x1ac/0x6f8) +[ 27.195055] [] (tc_modify_qdisc) from [] (rtnetlink_rcv_msg+0x268/0x2dc) +[ 27.203449] [] (rtnetlink_rcv_msg) from [] (netlink_rcv_skb+0xe0/0x114) +[ 27.211756] [] (netlink_rcv_skb) from [] (netlink_unicast+0x1b4/0x22c) +[ 27.219977] [] (netlink_unicast) from [] (netlink_sendmsg+0x284/0x340) +[ 27.228198] [] (netlink_sendmsg) from [] (sock_sendmsg+0x14/0x24) +[ 27.235988] [] (sock_sendmsg) from [] (___sys_sendmsg+0x214/0x228) +[ 27.243863] [] (___sys_sendmsg) from [] (__sys_sendmsg+0x50/0x8c) +[ 27.251652] [] (__sys_sendmsg) from [] (ret_fast_syscall+0x0/0x54) +[ 27.259524] Exception stack(0xe8045fa8 to 0xe8045ff0) +[ 27.264546] 5fa0: b6f608c8 000000f8 00000003 bed7e2f0 00000000 00000000 +[ 27.272681] 5fc0: b6f608c8 000000f8 004ce54c 00000128 5d3ce8c7 00000000 00000026 00505c9c +[ 27.280812] 5fe0: 00000070 bed7e298 004ddd64 b6dd1e64 + +Russell King points out that the ethtool API says zero is a valid return +value of __ethtool_get_link_ksettings: + + * If it is enabled then they are read-only; if the link + * is up they represent the negotiated link mode; if the link is down, + * the speed is 0, %SPEED_UNKNOWN or the highest enabled speed and + * @duplex is %DUPLEX_UNKNOWN or the best enabled duplex mode. + + So, it seems that taprio is not following the API... I'd suggest either + fixing taprio, or getting agreement to change the ethtool API. + +The chosen path was to fix taprio. + +Fixes: 7b9eba7ba0c1 ("net/sched: taprio: fix picos_per_byte miscalculation") +Signed-off-by: Vladimir Oltean +Acked-by: Vinicius Costa Gomes +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/sched/sch_taprio.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/sched/sch_taprio.c ++++ b/net/sched/sch_taprio.c +@@ -668,7 +668,7 @@ static void taprio_set_picos_per_byte(st + if (err < 0) + goto skip; + +- if (ecmd.base.speed != SPEED_UNKNOWN) ++ if (ecmd.base.speed && ecmd.base.speed != SPEED_UNKNOWN) + speed = ecmd.base.speed; + + skip: diff --git a/queue-5.2/net-sched-taprio-fix-potential-integer-overflow-in-taprio_set_picos_per_byte.patch b/queue-5.2/net-sched-taprio-fix-potential-integer-overflow-in-taprio_set_picos_per_byte.patch new file mode 100644 index 00000000000..a240ca475f8 --- /dev/null +++ b/queue-5.2/net-sched-taprio-fix-potential-integer-overflow-in-taprio_set_picos_per_byte.patch @@ -0,0 +1,39 @@ +From foo@baz Sun 06 Oct 2019 09:49:37 AM CEST +From: Vladimir Oltean +Date: Sun, 29 Sep 2019 02:01:39 +0300 +Subject: net: sched: taprio: Fix potential integer overflow in taprio_set_picos_per_byte + +From: Vladimir Oltean + +[ Upstream commit 68ce6688a5baefde30914fc07fc27292dbbe8320 ] + +The speed divisor is used in a context expecting an s64, but it is +evaluated using 32-bit arithmetic. + +To avoid that happening, instead of multiplying by 1,000,000 in the +first place, simplify the fraction and do a standard 32 bit division +instead. + +Fixes: f04b514c0ce2 ("taprio: Set default link speed to 10 Mbps in taprio_set_picos_per_byte") +Reported-by: Gustavo A. R. Silva +Suggested-by: Eric Dumazet +Signed-off-by: Vladimir Oltean +Acked-by: Vinicius Costa Gomes +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/sched/sch_taprio.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/net/sched/sch_taprio.c ++++ b/net/sched/sch_taprio.c +@@ -672,8 +672,7 @@ static void taprio_set_picos_per_byte(st + speed = ecmd.base.speed; + + skip: +- picos_per_byte = div64_s64(NSEC_PER_SEC * 1000LL * 8, +- speed * 1000 * 1000); ++ picos_per_byte = (USEC_PER_SEC * 8) / speed; + + atomic64_set(&q->picos_per_byte, picos_per_byte); + netdev_dbg(dev, "taprio: set %s's picos_per_byte to: %lld, linkspeed: %d\n", diff --git a/queue-5.2/net-unpublish-sk-from-sk_reuseport_cb-before-call_rcu.patch b/queue-5.2/net-unpublish-sk-from-sk_reuseport_cb-before-call_rcu.patch new file mode 100644 index 00000000000..4316762b2e0 --- /dev/null +++ b/queue-5.2/net-unpublish-sk-from-sk_reuseport_cb-before-call_rcu.patch @@ -0,0 +1,59 @@ +From foo@baz Sun 06 Oct 2019 09:49:37 AM CEST +From: Martin KaFai Lau +Date: Fri, 27 Sep 2019 16:00:31 -0700 +Subject: net: Unpublish sk from sk_reuseport_cb before call_rcu + +From: Martin KaFai Lau + +[ Upstream commit 8c7138b33e5c690c308b2a7085f6313fdcb3f616 ] + +The "reuse->sock[]" array is shared by multiple sockets. The going away +sk must unpublish itself from "reuse->sock[]" before making call_rcu() +call. However, this unpublish-action is currently done after a grace +period and it may cause use-after-free. + +The fix is to move reuseport_detach_sock() to sk_destruct(). +Due to the above reason, any socket with sk_reuseport_cb has +to go through the rcu grace period before freeing it. + +It is a rather old bug (~3 yrs). The Fixes tag is not necessary +the right commit but it is the one that introduced the SOCK_RCU_FREE +logic and this fix is depending on it. + +Fixes: a4298e4522d6 ("net: add SOCK_RCU_FREE socket flag") +Cc: Eric Dumazet +Suggested-by: Eric Dumazet +Signed-off-by: Martin KaFai Lau +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/core/sock.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +--- a/net/core/sock.c ++++ b/net/core/sock.c +@@ -1696,8 +1696,6 @@ static void __sk_destruct(struct rcu_hea + sk_filter_uncharge(sk, filter); + RCU_INIT_POINTER(sk->sk_filter, NULL); + } +- if (rcu_access_pointer(sk->sk_reuseport_cb)) +- reuseport_detach_sock(sk); + + sock_disable_timestamp(sk, SK_FLAGS_TIMESTAMP); + +@@ -1724,7 +1722,14 @@ static void __sk_destruct(struct rcu_hea + + void sk_destruct(struct sock *sk) + { +- if (sock_flag(sk, SOCK_RCU_FREE)) ++ bool use_call_rcu = sock_flag(sk, SOCK_RCU_FREE); ++ ++ if (rcu_access_pointer(sk->sk_reuseport_cb)) { ++ reuseport_detach_sock(sk); ++ use_call_rcu = true; ++ } ++ ++ if (use_call_rcu) + call_rcu(&sk->sk_rcu, __sk_destruct); + else + __sk_destruct(&sk->sk_rcu); diff --git a/queue-5.2/nfc-fix-memory-leak-in-llcp_sock_bind.patch b/queue-5.2/nfc-fix-memory-leak-in-llcp_sock_bind.patch new file mode 100644 index 00000000000..4bd7328214a --- /dev/null +++ b/queue-5.2/nfc-fix-memory-leak-in-llcp_sock_bind.patch @@ -0,0 +1,62 @@ +From foo@baz Sun 06 Oct 2019 09:49:37 AM CEST +From: Eric Dumazet +Date: Fri, 4 Oct 2019 11:08:34 -0700 +Subject: nfc: fix memory leak in llcp_sock_bind() + +From: Eric Dumazet + +[ Upstream commit a0c2dc1fe63e2869b74c1c7f6a81d1745c8a695d ] + +sysbot reported a memory leak after a bind() has failed. + +While we are at it, abort the operation if kmemdup() has failed. + +BUG: memory leak +unreferenced object 0xffff888105d83ec0 (size 32): + comm "syz-executor067", pid 7207, jiffies 4294956228 (age 19.430s) + hex dump (first 32 bytes): + 00 69 6c 65 20 72 65 61 64 00 6e 65 74 3a 5b 34 .ile read.net:[4 + 30 32 36 35 33 33 30 39 37 5d 00 00 00 00 00 00 026533097]...... + backtrace: + [<0000000036bac473>] kmemleak_alloc_recursive /./include/linux/kmemleak.h:43 [inline] + [<0000000036bac473>] slab_post_alloc_hook /mm/slab.h:522 [inline] + [<0000000036bac473>] slab_alloc /mm/slab.c:3319 [inline] + [<0000000036bac473>] __do_kmalloc /mm/slab.c:3653 [inline] + [<0000000036bac473>] __kmalloc_track_caller+0x169/0x2d0 /mm/slab.c:3670 + [<000000000cd39d07>] kmemdup+0x27/0x60 /mm/util.c:120 + [<000000008e57e5fc>] kmemdup /./include/linux/string.h:432 [inline] + [<000000008e57e5fc>] llcp_sock_bind+0x1b3/0x230 /net/nfc/llcp_sock.c:107 + [<000000009cb0b5d3>] __sys_bind+0x11c/0x140 /net/socket.c:1647 + [<00000000492c3bbc>] __do_sys_bind /net/socket.c:1658 [inline] + [<00000000492c3bbc>] __se_sys_bind /net/socket.c:1656 [inline] + [<00000000492c3bbc>] __x64_sys_bind+0x1e/0x30 /net/socket.c:1656 + [<0000000008704b2a>] do_syscall_64+0x76/0x1a0 /arch/x86/entry/common.c:296 + [<000000009f4c57a4>] entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +Fixes: 30cc4587659e ("NFC: Move LLCP code to the NFC top level diirectory") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/nfc/llcp_sock.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/net/nfc/llcp_sock.c ++++ b/net/nfc/llcp_sock.c +@@ -107,9 +107,14 @@ static int llcp_sock_bind(struct socket + llcp_sock->service_name = kmemdup(llcp_addr.service_name, + llcp_sock->service_name_len, + GFP_KERNEL); +- ++ if (!llcp_sock->service_name) { ++ ret = -ENOMEM; ++ goto put_dev; ++ } + llcp_sock->ssap = nfc_llcp_get_sdp_ssap(local, llcp_sock); + if (llcp_sock->ssap == LLCP_SAP_MAX) { ++ kfree(llcp_sock->service_name); ++ llcp_sock->service_name = NULL; + ret = -EADDRINUSE; + goto put_dev; + } diff --git a/queue-5.2/ptp_qoriq-initialize-the-registers-spinlock-before-calling-ptp_qoriq_settime.patch b/queue-5.2/ptp_qoriq-initialize-the-registers-spinlock-before-calling-ptp_qoriq_settime.patch new file mode 100644 index 00000000000..f2d4ed8d44f --- /dev/null +++ b/queue-5.2/ptp_qoriq-initialize-the-registers-spinlock-before-calling-ptp_qoriq_settime.patch @@ -0,0 +1,69 @@ +From foo@baz Sun 06 Oct 2019 09:49:37 AM CEST +From: Vladimir Oltean +Date: Tue, 1 Oct 2019 22:07:01 +0300 +Subject: ptp_qoriq: Initialize the registers' spinlock before calling ptp_qoriq_settime + +From: Vladimir Oltean + +[ Upstream commit db34a4714c013b644eec2de0ec81b1f0373b8b93 ] + +Because ptp_qoriq_settime is being called prior to spin_lock_init, the +following stack trace can be seen at driver probe time: + +[ 2.269117] the code is fine but needs lockdep annotation. +[ 2.274569] turning off the locking correctness validator. +[ 2.280027] CPU: 1 PID: 1 Comm: swapper/0 Not tainted 5.3.0-rc7-01478-g01eaa67a4797 #263 +[ 2.288073] Hardware name: Freescale LS1021A +[ 2.292337] [] (unwind_backtrace) from [] (show_stack+0x10/0x14) +[ 2.300045] [] (show_stack) from [] (dump_stack+0xcc/0xf8) +[ 2.307235] [] (dump_stack) from [] (register_lock_class+0x730/0x73c) +[ 2.315372] [] (register_lock_class) from [] (__lock_acquire+0x78/0x270c) +[ 2.323856] [] (__lock_acquire) from [] (lock_acquire+0xe0/0x22c) +[ 2.331649] [] (lock_acquire) from [] (_raw_spin_lock_irqsave+0x54/0x68) +[ 2.340048] [] (_raw_spin_lock_irqsave) from [] (ptp_qoriq_settime+0x38/0x80) +[ 2.348878] [] (ptp_qoriq_settime) from [] (ptp_qoriq_init+0x1f8/0x484) +[ 2.357189] [] (ptp_qoriq_init) from [] (ptp_qoriq_probe+0xd0/0x184) +[ 2.365243] [] (ptp_qoriq_probe) from [] (platform_drv_probe+0x48/0x9c) +[ 2.373555] [] (platform_drv_probe) from [] (really_probe+0x1c4/0x400) +[ 2.381779] [] (really_probe) from [] (driver_probe_device+0x78/0x1b8) +[ 2.390003] [] (driver_probe_device) from [] (device_driver_attach+0x58/0x60) +[ 2.398832] [] (device_driver_attach) from [] (__driver_attach+0xfc/0x160) +[ 2.407402] [] (__driver_attach) from [] (bus_for_each_dev+0x68/0xb4) +[ 2.415539] [] (bus_for_each_dev) from [] (bus_add_driver+0x104/0x20c) +[ 2.423763] [] (bus_add_driver) from [] (driver_register+0x78/0x10c) +[ 2.431815] [] (driver_register) from [] (do_one_initcall+0x8c/0x3ac) +[ 2.439954] [] (do_one_initcall) from [] (kernel_init_freeable+0x468/0x548) +[ 2.448610] [] (kernel_init_freeable) from [] (kernel_init+0x8/0x10c) +[ 2.456745] [] (kernel_init) from [] (ret_from_fork+0x14/0x20) +[ 2.464273] Exception stack(0xea89ffb0 to 0xea89fff8) +[ 2.469297] ffa0: 00000000 00000000 00000000 00000000 +[ 2.477432] ffc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 +[ 2.485566] ffe0: 00000000 00000000 00000000 00000000 00000013 00000000 + +Fixes: ff54571a747b ("ptp_qoriq: convert to use ptp_qoriq_init/free") +Signed-off-by: Vladimir Oltean +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/ptp/ptp_qoriq.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/ptp/ptp_qoriq.c ++++ b/drivers/ptp/ptp_qoriq.c +@@ -507,6 +507,8 @@ int ptp_qoriq_init(struct ptp_qoriq *ptp + ptp_qoriq->regs.etts_regs = base + ETTS_REGS_OFFSET; + } + ++ spin_lock_init(&ptp_qoriq->lock); ++ + ktime_get_real_ts64(&now); + ptp_qoriq_settime(&ptp_qoriq->caps, &now); + +@@ -514,7 +516,6 @@ int ptp_qoriq_init(struct ptp_qoriq *ptp + (ptp_qoriq->tclk_period & TCLK_PERIOD_MASK) << TCLK_PERIOD_SHIFT | + (ptp_qoriq->cksel & CKSEL_MASK) << CKSEL_SHIFT; + +- spin_lock_init(&ptp_qoriq->lock); + spin_lock_irqsave(&ptp_qoriq->lock, flags); + + regs = &ptp_qoriq->regs; diff --git a/queue-5.2/qmi_wwan-add-support-for-cinterion-cls8-devices.patch b/queue-5.2/qmi_wwan-add-support-for-cinterion-cls8-devices.patch new file mode 100644 index 00000000000..6e90d61e277 --- /dev/null +++ b/queue-5.2/qmi_wwan-add-support-for-cinterion-cls8-devices.patch @@ -0,0 +1,56 @@ +From foo@baz Sun 06 Oct 2019 09:49:37 AM CEST +From: Reinhard Speyerer +Date: Thu, 3 Oct 2019 18:34:39 +0200 +Subject: qmi_wwan: add support for Cinterion CLS8 devices + +From: Reinhard Speyerer + +[ Upstream commit cf74ac6db25d4002089e85cc623ad149ecc25614 ] + +Add support for Cinterion CLS8 devices. +Use QMI_QUIRK_SET_DTR as required for Qualcomm MDM9x07 chipsets. + +T: Bus=01 Lev=03 Prnt=05 Port=01 Cnt=02 Dev#= 25 Spd=480 MxCh= 0 +D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 +P: Vendor=1e2d ProdID=00b0 Rev= 3.18 +S: Manufacturer=GEMALTO +S: Product=USB Modem +C:* #Ifs= 5 Cfg#= 1 Atr=80 MxPwr=500mA +I:* If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=(none) +E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I:* If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +E: Ad=83(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +E: Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I:* If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +E: Ad=85(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +E: Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I:* If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +E: Ad=87(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +E: Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I:* If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan +E: Ad=89(I) Atr=03(Int.) MxPS= 8 Ivl=32ms +E: Ad=88(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms + +Signed-off-by: Reinhard Speyerer +Acked-by: Bjørn Mork +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/qmi_wwan.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/usb/qmi_wwan.c ++++ b/drivers/net/usb/qmi_wwan.c +@@ -1349,6 +1349,7 @@ static const struct usb_device_id produc + {QMI_FIXED_INTF(0x1e2d, 0x0082, 4)}, /* Cinterion PHxx,PXxx (2 RmNet) */ + {QMI_FIXED_INTF(0x1e2d, 0x0082, 5)}, /* Cinterion PHxx,PXxx (2 RmNet) */ + {QMI_FIXED_INTF(0x1e2d, 0x0083, 4)}, /* Cinterion PHxx,PXxx (1 RmNet + USB Audio)*/ ++ {QMI_QUIRK_SET_DTR(0x1e2d, 0x00b0, 4)}, /* Cinterion CLS8 */ + {QMI_FIXED_INTF(0x413c, 0x81a2, 8)}, /* Dell Wireless 5806 Gobi(TM) 4G LTE Mobile Broadband Card */ + {QMI_FIXED_INTF(0x413c, 0x81a3, 8)}, /* Dell Wireless 5570 HSPA+ (42Mbps) Mobile Broadband Card */ + {QMI_FIXED_INTF(0x413c, 0x81a4, 8)}, /* Dell Wireless 5570e HSPA+ (42Mbps) Mobile Broadband Card */ diff --git a/queue-5.2/rxrpc-fix-rxrpc_recvmsg-tracepoint.patch b/queue-5.2/rxrpc-fix-rxrpc_recvmsg-tracepoint.patch new file mode 100644 index 00000000000..3fa9f6ccb79 --- /dev/null +++ b/queue-5.2/rxrpc-fix-rxrpc_recvmsg-tracepoint.patch @@ -0,0 +1,31 @@ +From foo@baz Sun 06 Oct 2019 09:49:37 AM CEST +From: David Howells +Date: Thu, 3 Oct 2019 17:44:44 +0100 +Subject: rxrpc: Fix rxrpc_recvmsg tracepoint + +From: David Howells + +[ Upstream commit db9b2e0af605e7c994784527abfd9276cabd718a ] + +Fix the rxrpc_recvmsg tracepoint to handle being called with a NULL call +parameter. + +Fixes: a25e21f0bcd2 ("rxrpc, afs: Use debug_ids rather than pointers in traces") +Signed-off-by: David Howells +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/trace/events/rxrpc.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/include/trace/events/rxrpc.h ++++ b/include/trace/events/rxrpc.h +@@ -1071,7 +1071,7 @@ TRACE_EVENT(rxrpc_recvmsg, + ), + + TP_fast_assign( +- __entry->call = call->debug_id; ++ __entry->call = call ? call->debug_id : 0; + __entry->why = why; + __entry->seq = seq; + __entry->offset = offset; diff --git a/queue-5.2/sch_cbq-validate-tca_cbq_wrropt-to-avoid-crash.patch b/queue-5.2/sch_cbq-validate-tca_cbq_wrropt-to-avoid-crash.patch new file mode 100644 index 00000000000..f096948024e --- /dev/null +++ b/queue-5.2/sch_cbq-validate-tca_cbq_wrropt-to-avoid-crash.patch @@ -0,0 +1,128 @@ +From foo@baz Sun 06 Oct 2019 09:49:37 AM CEST +From: Eric Dumazet +Date: Thu, 26 Sep 2019 18:24:43 -0700 +Subject: sch_cbq: validate TCA_CBQ_WRROPT to avoid crash + +From: Eric Dumazet + +[ Upstream commit e9789c7cc182484fc031fd88097eb14cb26c4596 ] + +syzbot reported a crash in cbq_normalize_quanta() caused +by an out of range cl->priority. + +iproute2 enforces this check, but malicious users do not. + +kasan: CONFIG_KASAN_INLINE enabled +kasan: GPF could be caused by NULL-ptr deref or user memory access +general protection fault: 0000 [#1] SMP KASAN PTI +Modules linked in: +CPU: 1 PID: 26447 Comm: syz-executor.1 Not tainted 5.3+ #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +RIP: 0010:cbq_normalize_quanta.part.0+0x1fd/0x430 net/sched/sch_cbq.c:902 +RSP: 0018:ffff8801a5c333b0 EFLAGS: 00010206 +RAX: 0000000020000003 RBX: 00000000fffffff8 RCX: ffffc9000712f000 +RDX: 00000000000043bf RSI: ffffffff83be8962 RDI: 0000000100000018 +RBP: ffff8801a5c33420 R08: 000000000000003a R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000000 R12: 00000000000002ef +R13: ffff88018da95188 R14: dffffc0000000000 R15: 0000000000000015 +FS: 00007f37d26b1700(0000) GS:ffff8801dad00000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00000000004c7cec CR3: 00000001bcd0a006 CR4: 00000000001626f0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + [] cbq_normalize_quanta include/net/pkt_sched.h:27 [inline] + [] cbq_addprio net/sched/sch_cbq.c:1097 [inline] + [] cbq_set_wrr+0x2d7/0x450 net/sched/sch_cbq.c:1115 + [] cbq_change_class+0x987/0x225b net/sched/sch_cbq.c:1537 + [] tc_ctl_tclass+0x555/0xcd0 net/sched/sch_api.c:2329 + [] rtnetlink_rcv_msg+0x485/0xc10 net/core/rtnetlink.c:5248 + [] netlink_rcv_skb+0x17a/0x460 net/netlink/af_netlink.c:2510 + [] rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:5266 + [] netlink_unicast_kernel net/netlink/af_netlink.c:1324 [inline] + [] netlink_unicast+0x536/0x720 net/netlink/af_netlink.c:1350 + [] netlink_sendmsg+0x89a/0xd50 net/netlink/af_netlink.c:1939 + [] sock_sendmsg_nosec net/socket.c:673 [inline] + [] sock_sendmsg+0x12e/0x170 net/socket.c:684 + [] ___sys_sendmsg+0x81d/0x960 net/socket.c:2359 + [] __sys_sendmsg+0x105/0x1d0 net/socket.c:2397 + [] SYSC_sendmsg net/socket.c:2406 [inline] + [] SyS_sendmsg+0x29/0x30 net/socket.c:2404 + [] do_syscall_64+0x528/0x770 arch/x86/entry/common.c:305 + [] entry_SYSCALL_64_after_hwframe+0x42/0xb7 + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/sched/sch_cbq.c | 43 +++++++++++++++++++++++++++++-------------- + 1 file changed, 29 insertions(+), 14 deletions(-) + +--- a/net/sched/sch_cbq.c ++++ b/net/sched/sch_cbq.c +@@ -1127,6 +1127,33 @@ static const struct nla_policy cbq_polic + [TCA_CBQ_POLICE] = { .len = sizeof(struct tc_cbq_police) }, + }; + ++static int cbq_opt_parse(struct nlattr *tb[TCA_CBQ_MAX + 1], ++ struct nlattr *opt, ++ struct netlink_ext_ack *extack) ++{ ++ int err; ++ ++ if (!opt) { ++ NL_SET_ERR_MSG(extack, "CBQ options are required for this operation"); ++ return -EINVAL; ++ } ++ ++ err = nla_parse_nested_deprecated(tb, TCA_CBQ_MAX, opt, ++ cbq_policy, extack); ++ if (err < 0) ++ return err; ++ ++ if (tb[TCA_CBQ_WRROPT]) { ++ const struct tc_cbq_wrropt *wrr = nla_data(tb[TCA_CBQ_WRROPT]); ++ ++ if (wrr->priority > TC_CBQ_MAXPRIO) { ++ NL_SET_ERR_MSG(extack, "priority is bigger than TC_CBQ_MAXPRIO"); ++ err = -EINVAL; ++ } ++ } ++ return err; ++} ++ + static int cbq_init(struct Qdisc *sch, struct nlattr *opt, + struct netlink_ext_ack *extack) + { +@@ -1139,13 +1166,7 @@ static int cbq_init(struct Qdisc *sch, s + hrtimer_init(&q->delay_timer, CLOCK_MONOTONIC, HRTIMER_MODE_ABS_PINNED); + q->delay_timer.function = cbq_undelay; + +- if (!opt) { +- NL_SET_ERR_MSG(extack, "CBQ options are required for this operation"); +- return -EINVAL; +- } +- +- err = nla_parse_nested_deprecated(tb, TCA_CBQ_MAX, opt, cbq_policy, +- extack); ++ err = cbq_opt_parse(tb, opt, extack); + if (err < 0) + return err; + +@@ -1464,13 +1485,7 @@ cbq_change_class(struct Qdisc *sch, u32 + struct cbq_class *parent; + struct qdisc_rate_table *rtab = NULL; + +- if (!opt) { +- NL_SET_ERR_MSG(extack, "Mandatory qdisc options missing"); +- return -EINVAL; +- } +- +- err = nla_parse_nested_deprecated(tb, TCA_CBQ_MAX, opt, cbq_policy, +- extack); ++ err = cbq_opt_parse(tb, opt, extack); + if (err < 0) + return err; + diff --git a/queue-5.2/sch_dsmark-fix-potential-null-deref-in-dsmark_init.patch b/queue-5.2/sch_dsmark-fix-potential-null-deref-in-dsmark_init.patch new file mode 100644 index 00000000000..9a4672b0b68 --- /dev/null +++ b/queue-5.2/sch_dsmark-fix-potential-null-deref-in-dsmark_init.patch @@ -0,0 +1,73 @@ +From foo@baz Sun 06 Oct 2019 09:49:37 AM CEST +From: Eric Dumazet +Date: Fri, 4 Oct 2019 10:34:45 -0700 +Subject: sch_dsmark: fix potential NULL deref in dsmark_init() + +From: Eric Dumazet + +[ Upstream commit 474f0813a3002cb299bb73a5a93aa1f537a80ca8 ] + +Make sure TCA_DSMARK_INDICES was provided by the user. + +syzbot reported : + +kasan: CONFIG_KASAN_INLINE enabled +kasan: GPF could be caused by NULL-ptr deref or user memory access +general protection fault: 0000 [#1] PREEMPT SMP KASAN +CPU: 1 PID: 8799 Comm: syz-executor235 Not tainted 5.3.0+ #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +RIP: 0010:nla_get_u16 include/net/netlink.h:1501 [inline] +RIP: 0010:dsmark_init net/sched/sch_dsmark.c:364 [inline] +RIP: 0010:dsmark_init+0x193/0x640 net/sched/sch_dsmark.c:339 +Code: 85 db 58 0f 88 7d 03 00 00 e8 e9 1a ac fb 48 8b 9d 70 ff ff ff 48 b8 00 00 00 00 00 fc ff df 48 8d 7b 04 48 89 fa 48 c1 ea 03 <0f> b6 14 02 48 89 f8 83 e0 07 83 c0 01 38 d0 7c 08 84 d2 0f 85 ca +RSP: 0018:ffff88809426f3b8 EFLAGS: 00010247 +RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff85c6eb09 +RDX: 0000000000000000 RSI: ffffffff85c6eb17 RDI: 0000000000000004 +RBP: ffff88809426f4b0 R08: ffff88808c4085c0 R09: ffffed1015d26159 +R10: ffffed1015d26158 R11: ffff8880ae930ac7 R12: ffff8880a7e96940 +R13: dffffc0000000000 R14: ffff88809426f8c0 R15: 0000000000000000 +FS: 0000000001292880(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000000020000080 CR3: 000000008ca1b000 CR4: 00000000001406e0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + qdisc_create+0x4ee/0x1210 net/sched/sch_api.c:1237 + tc_modify_qdisc+0x524/0x1c50 net/sched/sch_api.c:1653 + rtnetlink_rcv_msg+0x463/0xb00 net/core/rtnetlink.c:5223 + netlink_rcv_skb+0x177/0x450 net/netlink/af_netlink.c:2477 + rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:5241 + netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline] + netlink_unicast+0x531/0x710 net/netlink/af_netlink.c:1328 + netlink_sendmsg+0x8a5/0xd60 net/netlink/af_netlink.c:1917 + sock_sendmsg_nosec net/socket.c:637 [inline] + sock_sendmsg+0xd7/0x130 net/socket.c:657 + ___sys_sendmsg+0x803/0x920 net/socket.c:2311 + __sys_sendmsg+0x105/0x1d0 net/socket.c:2356 + __do_sys_sendmsg net/socket.c:2365 [inline] + __se_sys_sendmsg net/socket.c:2363 [inline] + __x64_sys_sendmsg+0x78/0xb0 net/socket.c:2363 + do_syscall_64+0xfa/0x760 arch/x86/entry/common.c:290 + entry_SYSCALL_64_after_hwframe+0x49/0xbe +RIP: 0033:0x440369 + +Fixes: 758cc43c6d73 ("[PKT_SCHED]: Fix dsmark to apply changes consistent") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/sched/sch_dsmark.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/net/sched/sch_dsmark.c ++++ b/net/sched/sch_dsmark.c +@@ -361,6 +361,8 @@ static int dsmark_init(struct Qdisc *sch + goto errout; + + err = -EINVAL; ++ if (!tb[TCA_DSMARK_INDICES]) ++ goto errout; + indices = nla_get_u16(tb[TCA_DSMARK_INDICES]); + + if (hweight32(indices) != 1) diff --git a/queue-5.2/series b/queue-5.2/series index 3da6bdfb2f0..f89fc7045b6 100644 --- a/queue-5.2/series +++ b/queue-5.2/series @@ -1,3 +1,28 @@ +cxgb4-fix-out-of-bounds-msi-x-info-array-access.patch +erspan-remove-the-incorrect-mtu-limit-for-erspan.patch +hso-fix-null-deref-on-tty-open.patch +ipv6-drop-incoming-packets-having-a-v4mapped-source-address.patch +ipv6-handle-missing-host-route-in-__ipv6_ifa_notify.patch +net-ipv4-avoid-mixed-n_redirects-and-rate_tokens-usage.patch +net-qlogic-fix-memory-leak-in-ql_alloc_large_buffers.patch +net-sched-taprio-fix-potential-integer-overflow-in-taprio_set_picos_per_byte.patch +net-unpublish-sk-from-sk_reuseport_cb-before-call_rcu.patch +nfc-fix-memory-leak-in-llcp_sock_bind.patch +qmi_wwan-add-support-for-cinterion-cls8-devices.patch +rxrpc-fix-rxrpc_recvmsg-tracepoint.patch +sch_cbq-validate-tca_cbq_wrropt-to-avoid-crash.patch +sch_dsmark-fix-potential-null-deref-in-dsmark_init.patch +tipc-fix-unlimited-bundling-of-small-messages.patch +udp-fix-gso_segs-calculations.patch +vsock-fix-a-lockdep-warning-in-__vsock_release.patch +net-dsa-rtl8366-check-vlan-id-and-not-ports.patch +tcp-adjust-rto_base-in-retransmits_timed_out.patch +udp-only-do-gso-if-of-segs-1.patch +net-rds-fix-error-handling-in-rds_ib_add_one.patch +xen-netfront-do-not-use-0u-as-error-return-value-for-xennet_fill_frags.patch +ptp_qoriq-initialize-the-registers-spinlock-before-calling-ptp_qoriq_settime.patch +net-sched-cbs-avoid-division-by-zero-when-calculating-the-port-rate.patch +net-sched-taprio-avoid-division-by-zero-on-invalid-link-speed.patch drm-vkms-fix-crc-worker-races.patch drm-bridge-tc358767-increase-aux-transfer-length-lim.patch drm-vkms-avoid-assigning-0-for-possible_crtc.patch diff --git a/queue-5.2/tcp-adjust-rto_base-in-retransmits_timed_out.patch b/queue-5.2/tcp-adjust-rto_base-in-retransmits_timed_out.patch new file mode 100644 index 00000000000..cf76a7a2d6d --- /dev/null +++ b/queue-5.2/tcp-adjust-rto_base-in-retransmits_timed_out.patch @@ -0,0 +1,48 @@ +From foo@baz Sun 06 Oct 2019 09:49:37 AM CEST +From: Eric Dumazet +Date: Mon, 30 Sep 2019 15:44:44 -0700 +Subject: tcp: adjust rto_base in retransmits_timed_out() + +From: Eric Dumazet + +[ Upstream commit 3256a2d6ab1f71f9a1bd2d7f6f18eb8108c48d17 ] + +The cited commit exposed an old retransmits_timed_out() bug +which assumed it could call tcp_model_timeout() with +TCP_RTO_MIN as rto_base for all states. + +But flows in SYN_SENT or SYN_RECV state uses a different +RTO base (1 sec instead of 200 ms, unless BPF choses +another value) + +This caused a reduction of SYN retransmits from 6 to 4 with +the default /proc/sys/net/ipv4/tcp_syn_retries value. + +Fixes: a41e8a88b06e ("tcp: better handle TCP_USER_TIMEOUT in SYN_SENT state") +Signed-off-by: Eric Dumazet +Cc: Yuchung Cheng +Cc: Marek Majkowski +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/tcp_timer.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +--- a/net/ipv4/tcp_timer.c ++++ b/net/ipv4/tcp_timer.c +@@ -198,8 +198,13 @@ static bool retransmits_timed_out(struct + return false; + + start_ts = tcp_sk(sk)->retrans_stamp; +- if (likely(timeout == 0)) +- timeout = tcp_model_timeout(sk, boundary, TCP_RTO_MIN); ++ if (likely(timeout == 0)) { ++ unsigned int rto_base = TCP_RTO_MIN; ++ ++ if ((1 << sk->sk_state) & (TCPF_SYN_SENT | TCPF_SYN_RECV)) ++ rto_base = tcp_timeout_init(sk); ++ timeout = tcp_model_timeout(sk, boundary, rto_base); ++ } + + return (s32)(tcp_time_stamp(tcp_sk(sk)) - start_ts - timeout) >= 0; + } diff --git a/queue-5.2/tipc-fix-unlimited-bundling-of-small-messages.patch b/queue-5.2/tipc-fix-unlimited-bundling-of-small-messages.patch new file mode 100644 index 00000000000..c33eb77be9e --- /dev/null +++ b/queue-5.2/tipc-fix-unlimited-bundling-of-small-messages.patch @@ -0,0 +1,171 @@ +From foo@baz Sun 06 Oct 2019 09:49:37 AM CEST +From: Tuong Lien +Date: Wed, 2 Oct 2019 18:49:43 +0700 +Subject: tipc: fix unlimited bundling of small messages + +From: Tuong Lien + +[ Upstream commit e95584a889e1902fdf1ded9712e2c3c3083baf96 ] + +We have identified a problem with the "oversubscription" policy in the +link transmission code. + +When small messages are transmitted, and the sending link has reached +the transmit window limit, those messages will be bundled and put into +the link backlog queue. However, bundles of data messages are counted +at the 'CRITICAL' level, so that the counter for that level, instead of +the counter for the real, bundled message's level is the one being +increased. +Subsequent, to-be-bundled data messages at non-CRITICAL levels continue +to be tested against the unchanged counter for their own level, while +contributing to an unrestrained increase at the CRITICAL backlog level. + +This leaves a gap in congestion control algorithm for small messages +that can result in starvation for other users or a "real" CRITICAL +user. Even that eventually can lead to buffer exhaustion & link reset. + +We fix this by keeping a 'target_bskb' buffer pointer at each levels, +then when bundling, we only bundle messages at the same importance +level only. This way, we know exactly how many slots a certain level +have occupied in the queue, so can manage level congestion accurately. + +By bundling messages at the same level, we even have more benefits. Let +consider this: +- One socket sends 64-byte messages at the 'CRITICAL' level; +- Another sends 4096-byte messages at the 'LOW' level; + +When a 64-byte message comes and is bundled the first time, we put the +overhead of message bundle to it (+ 40-byte header, data copy, etc.) +for later use, but the next message can be a 4096-byte one that cannot +be bundled to the previous one. This means the last bundle carries only +one payload message which is totally inefficient, as for the receiver +also! Later on, another 64-byte message comes, now we make a new bundle +and the same story repeats... + +With the new bundling algorithm, this will not happen, the 64-byte +messages will be bundled together even when the 4096-byte message(s) +comes in between. However, if the 4096-byte messages are sent at the +same level i.e. 'CRITICAL', the bundling algorithm will again cause the +same overhead. + +Also, the same will happen even with only one socket sending small +messages at a rate close to the link transmit's one, so that, when one +message is bundled, it's transmitted shortly. Then, another message +comes, a new bundle is created and so on... + +We will solve this issue radically by another patch. + +Fixes: 365ad353c256 ("tipc: reduce risk of user starvation during link congestion") +Reported-by: Hoang Le +Acked-by: Jon Maloy +Signed-off-by: Tuong Lien +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/tipc/link.c | 29 ++++++++++++++++++----------- + net/tipc/msg.c | 5 +---- + 2 files changed, 19 insertions(+), 15 deletions(-) + +--- a/net/tipc/link.c ++++ b/net/tipc/link.c +@@ -163,6 +163,7 @@ struct tipc_link { + struct { + u16 len; + u16 limit; ++ struct sk_buff *target_bskb; + } backlog[5]; + u16 snd_nxt; + u16 prev_from; +@@ -872,6 +873,7 @@ static void link_prepare_wakeup(struct t + void tipc_link_reset(struct tipc_link *l) + { + struct sk_buff_head list; ++ u32 imp; + + __skb_queue_head_init(&list); + +@@ -893,11 +895,10 @@ void tipc_link_reset(struct tipc_link *l + __skb_queue_purge(&l->deferdq); + __skb_queue_purge(&l->backlogq); + __skb_queue_purge(&l->failover_deferdq); +- l->backlog[TIPC_LOW_IMPORTANCE].len = 0; +- l->backlog[TIPC_MEDIUM_IMPORTANCE].len = 0; +- l->backlog[TIPC_HIGH_IMPORTANCE].len = 0; +- l->backlog[TIPC_CRITICAL_IMPORTANCE].len = 0; +- l->backlog[TIPC_SYSTEM_IMPORTANCE].len = 0; ++ for (imp = 0; imp <= TIPC_SYSTEM_IMPORTANCE; imp++) { ++ l->backlog[imp].len = 0; ++ l->backlog[imp].target_bskb = NULL; ++ } + kfree_skb(l->reasm_buf); + kfree_skb(l->failover_reasm_skb); + l->reasm_buf = NULL; +@@ -938,7 +939,7 @@ int tipc_link_xmit(struct tipc_link *l, + u16 bc_ack = l->bc_rcvlink->rcv_nxt - 1; + struct sk_buff_head *transmq = &l->transmq; + struct sk_buff_head *backlogq = &l->backlogq; +- struct sk_buff *skb, *_skb, *bskb; ++ struct sk_buff *skb, *_skb, **tskb; + int pkt_cnt = skb_queue_len(list); + int rc = 0; + +@@ -988,19 +989,21 @@ int tipc_link_xmit(struct tipc_link *l, + seqno++; + continue; + } +- if (tipc_msg_bundle(skb_peek_tail(backlogq), hdr, mtu)) { ++ tskb = &l->backlog[imp].target_bskb; ++ if (tipc_msg_bundle(*tskb, hdr, mtu)) { + kfree_skb(__skb_dequeue(list)); + l->stats.sent_bundled++; + continue; + } +- if (tipc_msg_make_bundle(&bskb, hdr, mtu, l->addr)) { ++ if (tipc_msg_make_bundle(tskb, hdr, mtu, l->addr)) { + kfree_skb(__skb_dequeue(list)); +- __skb_queue_tail(backlogq, bskb); +- l->backlog[msg_importance(buf_msg(bskb))].len++; ++ __skb_queue_tail(backlogq, *tskb); ++ l->backlog[imp].len++; + l->stats.sent_bundled++; + l->stats.sent_bundles++; + continue; + } ++ l->backlog[imp].target_bskb = NULL; + l->backlog[imp].len += skb_queue_len(list); + skb_queue_splice_tail_init(list, backlogq); + } +@@ -1016,6 +1019,7 @@ static void tipc_link_advance_backlog(st + u16 seqno = l->snd_nxt; + u16 ack = l->rcv_nxt - 1; + u16 bc_ack = l->bc_rcvlink->rcv_nxt - 1; ++ u32 imp; + + while (skb_queue_len(&l->transmq) < l->window) { + skb = skb_peek(&l->backlogq); +@@ -1026,7 +1030,10 @@ static void tipc_link_advance_backlog(st + break; + __skb_dequeue(&l->backlogq); + hdr = buf_msg(skb); +- l->backlog[msg_importance(hdr)].len--; ++ imp = msg_importance(hdr); ++ l->backlog[imp].len--; ++ if (unlikely(skb == l->backlog[imp].target_bskb)) ++ l->backlog[imp].target_bskb = NULL; + __skb_queue_tail(&l->transmq, skb); + /* next retransmit attempt */ + if (link_is_bc_sndlink(l)) +--- a/net/tipc/msg.c ++++ b/net/tipc/msg.c +@@ -484,10 +484,7 @@ bool tipc_msg_make_bundle(struct sk_buff + bmsg = buf_msg(_skb); + tipc_msg_init(msg_prevnode(msg), bmsg, MSG_BUNDLER, 0, + INT_H_SIZE, dnode); +- if (msg_isdata(msg)) +- msg_set_importance(bmsg, TIPC_CRITICAL_IMPORTANCE); +- else +- msg_set_importance(bmsg, TIPC_SYSTEM_IMPORTANCE); ++ msg_set_importance(bmsg, msg_importance(msg)); + msg_set_seqno(bmsg, msg_seqno(msg)); + msg_set_ack(bmsg, msg_ack(msg)); + msg_set_bcast_ack(bmsg, msg_bcast_ack(msg)); diff --git a/queue-5.2/udp-fix-gso_segs-calculations.patch b/queue-5.2/udp-fix-gso_segs-calculations.patch new file mode 100644 index 00000000000..703b180a2da --- /dev/null +++ b/queue-5.2/udp-fix-gso_segs-calculations.patch @@ -0,0 +1,47 @@ +From foo@baz Sun 06 Oct 2019 09:49:37 AM CEST +From: Josh Hunt +Date: Wed, 2 Oct 2019 13:29:22 -0400 +Subject: udp: fix gso_segs calculations + +From: Josh Hunt + +[ Upstream commit 44b321e5020d782ad6e8ae8183f09b163be6e6e2 ] + +Commit dfec0ee22c0a ("udp: Record gso_segs when supporting UDP segmentation offload") +added gso_segs calculation, but incorrectly got sizeof() the pointer and +not the underlying data type. In addition let's fix the v6 case. + +Fixes: bec1f6f69736 ("udp: generate gso with UDP_SEGMENT") +Fixes: dfec0ee22c0a ("udp: Record gso_segs when supporting UDP segmentation offload") +Signed-off-by: Josh Hunt +Reviewed-by: Alexander Duyck +Acked-by: Willem de Bruijn +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/udp.c | 2 +- + net/ipv6/udp.c | 2 ++ + 2 files changed, 3 insertions(+), 1 deletion(-) + +--- a/net/ipv4/udp.c ++++ b/net/ipv4/udp.c +@@ -868,7 +868,7 @@ static int udp_send_skb(struct sk_buff * + + skb_shinfo(skb)->gso_size = cork->gso_size; + skb_shinfo(skb)->gso_type = SKB_GSO_UDP_L4; +- skb_shinfo(skb)->gso_segs = DIV_ROUND_UP(len - sizeof(uh), ++ skb_shinfo(skb)->gso_segs = DIV_ROUND_UP(len - sizeof(*uh), + cork->gso_size); + goto csum_partial; + } +--- a/net/ipv6/udp.c ++++ b/net/ipv6/udp.c +@@ -1156,6 +1156,8 @@ static int udp_v6_send_skb(struct sk_buf + + skb_shinfo(skb)->gso_size = cork->gso_size; + skb_shinfo(skb)->gso_type = SKB_GSO_UDP_L4; ++ skb_shinfo(skb)->gso_segs = DIV_ROUND_UP(len - sizeof(*uh), ++ cork->gso_size); + goto csum_partial; + } + diff --git a/queue-5.2/udp-only-do-gso-if-of-segs-1.patch b/queue-5.2/udp-only-do-gso-if-of-segs-1.patch new file mode 100644 index 00000000000..de7905a30be --- /dev/null +++ b/queue-5.2/udp-only-do-gso-if-of-segs-1.patch @@ -0,0 +1,140 @@ +From foo@baz Sun 06 Oct 2019 09:49:37 AM CEST +From: Josh Hunt +Date: Wed, 2 Oct 2019 13:29:23 -0400 +Subject: udp: only do GSO if # of segs > 1 + +From: Josh Hunt + +[ Upstream commit 4094871db1d65810acab3d57f6089aa39ef7f648 ] + +Prior to this change an application sending <= 1MSS worth of data and +enabling UDP GSO would fail if the system had SW GSO enabled, but the +same send would succeed if HW GSO offload is enabled. In addition to this +inconsistency the error in the SW GSO case does not get back to the +application if sending out of a real device so the user is unaware of this +failure. + +With this change we only perform GSO if the # of segments is > 1 even +if the application has enabled segmentation. I've also updated the +relevant udpgso selftests. + +Fixes: bec1f6f69736 ("udp: generate gso with UDP_SEGMENT") +Signed-off-by: Josh Hunt +Reviewed-by: Willem de Bruijn +Reviewed-by: Alexander Duyck +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/udp.c | 11 +++++++---- + net/ipv6/udp.c | 11 +++++++---- + tools/testing/selftests/net/udpgso.c | 16 ++++------------ + 3 files changed, 18 insertions(+), 20 deletions(-) + +--- a/net/ipv4/udp.c ++++ b/net/ipv4/udp.c +@@ -833,6 +833,7 @@ static int udp_send_skb(struct sk_buff * + int is_udplite = IS_UDPLITE(sk); + int offset = skb_transport_offset(skb); + int len = skb->len - offset; ++ int datalen = len - sizeof(*uh); + __wsum csum = 0; + + /* +@@ -866,10 +867,12 @@ static int udp_send_skb(struct sk_buff * + return -EIO; + } + +- skb_shinfo(skb)->gso_size = cork->gso_size; +- skb_shinfo(skb)->gso_type = SKB_GSO_UDP_L4; +- skb_shinfo(skb)->gso_segs = DIV_ROUND_UP(len - sizeof(*uh), +- cork->gso_size); ++ if (datalen > cork->gso_size) { ++ skb_shinfo(skb)->gso_size = cork->gso_size; ++ skb_shinfo(skb)->gso_type = SKB_GSO_UDP_L4; ++ skb_shinfo(skb)->gso_segs = DIV_ROUND_UP(datalen, ++ cork->gso_size); ++ } + goto csum_partial; + } + +--- a/net/ipv6/udp.c ++++ b/net/ipv6/udp.c +@@ -1122,6 +1122,7 @@ static int udp_v6_send_skb(struct sk_buf + __wsum csum = 0; + int offset = skb_transport_offset(skb); + int len = skb->len - offset; ++ int datalen = len - sizeof(*uh); + + /* + * Create a UDP header +@@ -1154,10 +1155,12 @@ static int udp_v6_send_skb(struct sk_buf + return -EIO; + } + +- skb_shinfo(skb)->gso_size = cork->gso_size; +- skb_shinfo(skb)->gso_type = SKB_GSO_UDP_L4; +- skb_shinfo(skb)->gso_segs = DIV_ROUND_UP(len - sizeof(*uh), +- cork->gso_size); ++ if (datalen > cork->gso_size) { ++ skb_shinfo(skb)->gso_size = cork->gso_size; ++ skb_shinfo(skb)->gso_type = SKB_GSO_UDP_L4; ++ skb_shinfo(skb)->gso_segs = DIV_ROUND_UP(datalen, ++ cork->gso_size); ++ } + goto csum_partial; + } + +--- a/tools/testing/selftests/net/udpgso.c ++++ b/tools/testing/selftests/net/udpgso.c +@@ -89,12 +89,9 @@ struct testcase testcases_v4[] = { + .tfail = true, + }, + { +- /* send a single MSS: will fail with GSO, because the segment +- * logic in udp4_ufo_fragment demands a gso skb to be > MTU +- */ ++ /* send a single MSS: will fall back to no GSO */ + .tlen = CONST_MSS_V4, + .gso_len = CONST_MSS_V4, +- .tfail = true, + .r_num_mss = 1, + }, + { +@@ -139,10 +136,9 @@ struct testcase testcases_v4[] = { + .tfail = true, + }, + { +- /* send a single 1B MSS: will fail, see single MSS above */ ++ /* send a single 1B MSS: will fall back to no GSO */ + .tlen = 1, + .gso_len = 1, +- .tfail = true, + .r_num_mss = 1, + }, + { +@@ -196,12 +192,9 @@ struct testcase testcases_v6[] = { + .tfail = true, + }, + { +- /* send a single MSS: will fail with GSO, because the segment +- * logic in udp4_ufo_fragment demands a gso skb to be > MTU +- */ ++ /* send a single MSS: will fall back to no GSO */ + .tlen = CONST_MSS_V6, + .gso_len = CONST_MSS_V6, +- .tfail = true, + .r_num_mss = 1, + }, + { +@@ -246,10 +239,9 @@ struct testcase testcases_v6[] = { + .tfail = true, + }, + { +- /* send a single 1B MSS: will fail, see single MSS above */ ++ /* send a single 1B MSS: will fall back to no GSO */ + .tlen = 1, + .gso_len = 1, +- .tfail = true, + .r_num_mss = 1, + }, + { diff --git a/queue-5.2/vsock-fix-a-lockdep-warning-in-__vsock_release.patch b/queue-5.2/vsock-fix-a-lockdep-warning-in-__vsock_release.patch new file mode 100644 index 00000000000..f22b7736b4f --- /dev/null +++ b/queue-5.2/vsock-fix-a-lockdep-warning-in-__vsock_release.patch @@ -0,0 +1,146 @@ +From foo@baz Sun 06 Oct 2019 09:49:37 AM CEST +From: Dexuan Cui +Date: Mon, 30 Sep 2019 18:43:50 +0000 +Subject: vsock: Fix a lockdep warning in __vsock_release() + +From: Dexuan Cui + +[ Upstream commit 0d9138ffac24cf8b75366ede3a68c951e6dcc575 ] + +Lockdep is unhappy if two locks from the same class are held. + +Fix the below warning for hyperv and virtio sockets (vmci socket code +doesn't have the issue) by using lock_sock_nested() when __vsock_release() +is called recursively: + +============================================ +WARNING: possible recursive locking detected +5.3.0+ #1 Not tainted +-------------------------------------------- +server/1795 is trying to acquire lock: +ffff8880c5158990 (sk_lock-AF_VSOCK){+.+.}, at: hvs_release+0x10/0x120 [hv_sock] + +but task is already holding lock: +ffff8880c5158150 (sk_lock-AF_VSOCK){+.+.}, at: __vsock_release+0x2e/0xf0 [vsock] + +other info that might help us debug this: + Possible unsafe locking scenario: + + CPU0 + ---- + lock(sk_lock-AF_VSOCK); + lock(sk_lock-AF_VSOCK); + + *** DEADLOCK *** + + May be due to missing lock nesting notation + +2 locks held by server/1795: + #0: ffff8880c5d05ff8 (&sb->s_type->i_mutex_key#10){+.+.}, at: __sock_release+0x2d/0xa0 + #1: ffff8880c5158150 (sk_lock-AF_VSOCK){+.+.}, at: __vsock_release+0x2e/0xf0 [vsock] + +stack backtrace: +CPU: 5 PID: 1795 Comm: server Not tainted 5.3.0+ #1 +Call Trace: + dump_stack+0x67/0x90 + __lock_acquire.cold.67+0xd2/0x20b + lock_acquire+0xb5/0x1c0 + lock_sock_nested+0x6d/0x90 + hvs_release+0x10/0x120 [hv_sock] + __vsock_release+0x24/0xf0 [vsock] + __vsock_release+0xa0/0xf0 [vsock] + vsock_release+0x12/0x30 [vsock] + __sock_release+0x37/0xa0 + sock_close+0x14/0x20 + __fput+0xc1/0x250 + task_work_run+0x98/0xc0 + do_exit+0x344/0xc60 + do_group_exit+0x47/0xb0 + get_signal+0x15c/0xc50 + do_signal+0x30/0x720 + exit_to_usermode_loop+0x50/0xa0 + do_syscall_64+0x24e/0x270 + entry_SYSCALL_64_after_hwframe+0x49/0xbe +RIP: 0033:0x7f4184e85f31 + +Tested-by: Stefano Garzarella +Signed-off-by: Dexuan Cui +Reviewed-by: Stefano Garzarella +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/vmw_vsock/af_vsock.c | 16 ++++++++++++---- + net/vmw_vsock/hyperv_transport.c | 2 +- + net/vmw_vsock/virtio_transport_common.c | 2 +- + 3 files changed, 14 insertions(+), 6 deletions(-) + +--- a/net/vmw_vsock/af_vsock.c ++++ b/net/vmw_vsock/af_vsock.c +@@ -638,7 +638,7 @@ struct sock *__vsock_create(struct net * + } + EXPORT_SYMBOL_GPL(__vsock_create); + +-static void __vsock_release(struct sock *sk) ++static void __vsock_release(struct sock *sk, int level) + { + if (sk) { + struct sk_buff *skb; +@@ -648,9 +648,17 @@ static void __vsock_release(struct sock + vsk = vsock_sk(sk); + pending = NULL; /* Compiler warning. */ + ++ /* The release call is supposed to use lock_sock_nested() ++ * rather than lock_sock(), if a sock lock should be acquired. ++ */ + transport->release(vsk); + +- lock_sock(sk); ++ /* When "level" is SINGLE_DEPTH_NESTING, use the nested ++ * version to avoid the warning "possible recursive locking ++ * detected". When "level" is 0, lock_sock_nested(sk, level) ++ * is the same as lock_sock(sk). ++ */ ++ lock_sock_nested(sk, level); + sock_orphan(sk); + sk->sk_shutdown = SHUTDOWN_MASK; + +@@ -659,7 +667,7 @@ static void __vsock_release(struct sock + + /* Clean up any sockets that never were accepted. */ + while ((pending = vsock_dequeue_accept(sk)) != NULL) { +- __vsock_release(pending); ++ __vsock_release(pending, SINGLE_DEPTH_NESTING); + sock_put(pending); + } + +@@ -708,7 +716,7 @@ EXPORT_SYMBOL_GPL(vsock_stream_has_space + + static int vsock_release(struct socket *sock) + { +- __vsock_release(sock->sk); ++ __vsock_release(sock->sk, 0); + sock->sk = NULL; + sock->state = SS_FREE; + +--- a/net/vmw_vsock/hyperv_transport.c ++++ b/net/vmw_vsock/hyperv_transport.c +@@ -528,7 +528,7 @@ static void hvs_release(struct vsock_soc + struct sock *sk = sk_vsock(vsk); + bool remove_sock; + +- lock_sock(sk); ++ lock_sock_nested(sk, SINGLE_DEPTH_NESTING); + remove_sock = hvs_close_lock_held(vsk); + release_sock(sk); + if (remove_sock) +--- a/net/vmw_vsock/virtio_transport_common.c ++++ b/net/vmw_vsock/virtio_transport_common.c +@@ -790,7 +790,7 @@ void virtio_transport_release(struct vso + struct sock *sk = &vsk->sk; + bool remove_sock = true; + +- lock_sock(sk); ++ lock_sock_nested(sk, SINGLE_DEPTH_NESTING); + if (sk->sk_type == SOCK_STREAM) + remove_sock = virtio_transport_close(vsk); + diff --git a/queue-5.2/xen-netfront-do-not-use-0u-as-error-return-value-for-xennet_fill_frags.patch b/queue-5.2/xen-netfront-do-not-use-0u-as-error-return-value-for-xennet_fill_frags.patch new file mode 100644 index 00000000000..7bd1145f75b --- /dev/null +++ b/queue-5.2/xen-netfront-do-not-use-0u-as-error-return-value-for-xennet_fill_frags.patch @@ -0,0 +1,95 @@ +From foo@baz Sun 06 Oct 2019 09:49:37 AM CEST +From: Dongli Zhang +Date: Tue, 1 Oct 2019 21:56:41 +0800 +Subject: xen-netfront: do not use ~0U as error return value for xennet_fill_frags() + +From: Dongli Zhang + +[ Upstream commit a761129e3625688310aecf26e1be9e98e85f8eb5 ] + +xennet_fill_frags() uses ~0U as return value when the sk_buff is not able +to cache extra fragments. This is incorrect because the return type of +xennet_fill_frags() is RING_IDX and 0xffffffff is an expected value for +ring buffer index. + +In the situation when the rsp_cons is approaching 0xffffffff, the return +value of xennet_fill_frags() may become 0xffffffff which xennet_poll() (the +caller) would regard as error. As a result, queue->rx.rsp_cons is set +incorrectly because it is updated only when there is error. If there is no +error, xennet_poll() would be responsible to update queue->rx.rsp_cons. +Finally, queue->rx.rsp_cons would point to the rx ring buffer entries whose +queue->rx_skbs[i] and queue->grant_rx_ref[i] are already cleared to NULL. +This leads to NULL pointer access in the next iteration to process rx ring +buffer entries. + +The symptom is similar to the one fixed in +commit 00b368502d18 ("xen-netfront: do not assume sk_buff_head list is +empty in error handling"). + +This patch changes the return type of xennet_fill_frags() to indicate +whether it is successful or failed. The queue->rx.rsp_cons will be +always updated inside this function. + +Fixes: ad4f15dc2c70 ("xen/netfront: don't bug in case of too many frags") +Signed-off-by: Dongli Zhang +Reviewed-by: Juergen Gross +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/xen-netfront.c | 17 +++++++++-------- + 1 file changed, 9 insertions(+), 8 deletions(-) + +--- a/drivers/net/xen-netfront.c ++++ b/drivers/net/xen-netfront.c +@@ -887,9 +887,9 @@ static int xennet_set_skb_gso(struct sk_ + return 0; + } + +-static RING_IDX xennet_fill_frags(struct netfront_queue *queue, +- struct sk_buff *skb, +- struct sk_buff_head *list) ++static int xennet_fill_frags(struct netfront_queue *queue, ++ struct sk_buff *skb, ++ struct sk_buff_head *list) + { + RING_IDX cons = queue->rx.rsp_cons; + struct sk_buff *nskb; +@@ -908,7 +908,7 @@ static RING_IDX xennet_fill_frags(struct + if (unlikely(skb_shinfo(skb)->nr_frags >= MAX_SKB_FRAGS)) { + queue->rx.rsp_cons = ++cons + skb_queue_len(list); + kfree_skb(nskb); +- return ~0U; ++ return -ENOENT; + } + + skb_add_rx_frag(skb, skb_shinfo(skb)->nr_frags, +@@ -919,7 +919,9 @@ static RING_IDX xennet_fill_frags(struct + kfree_skb(nskb); + } + +- return cons; ++ queue->rx.rsp_cons = cons; ++ ++ return 0; + } + + static int checksum_setup(struct net_device *dev, struct sk_buff *skb) +@@ -1045,8 +1047,7 @@ err: + skb->data_len = rx->status; + skb->len += rx->status; + +- i = xennet_fill_frags(queue, skb, &tmpq); +- if (unlikely(i == ~0U)) ++ if (unlikely(xennet_fill_frags(queue, skb, &tmpq))) + goto err; + + if (rx->flags & XEN_NETRXF_csum_blank) +@@ -1056,7 +1057,7 @@ err: + + __skb_queue_tail(&rxq, skb); + +- queue->rx.rsp_cons = ++i; ++ i = ++queue->rx.rsp_cons; + work_done++; + } + -- 2.47.2