From de717f85d90b4d8c98a91dd614131ff3d00ebf2c Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Sun, 28 Aug 2022 10:31:05 -0400 Subject: [PATCH] Fixes for 4.9 Signed-off-by: Sasha Levin --- ...not-call-xfrm_probe_algs-in-parallel.patch | 42 ++++++ ...2.3ad-fix-no-transmission-of-lacpdus.patch | 137 ++++++++++++++++++ ...ting-systime-in-ixgbe_ptp_start_cycl.patch | 137 ++++++++++++++++++ ...ata-race-around-sysctl_net_busy_poll.patch | 36 +++++ ...ata-race-around-sysctl_net_busy_read.patch | 36 +++++ ...-a-data-race-around-sysctl_somaxconn.patch | 36 +++++ ...race-around-sysctl_tstamp_allow_data.patch | 36 +++++ ...yload-report-erange-for-too-long-off.patch | 49 +++++++ ...limit-fix-data-races-in-___ratelimit.patch | 64 ++++++++ ...ck-null-rose_loopback_neigh-loopback.patch | 69 +++++++++ queue-4.9/series | 11 ++ ...refcount-leak-in-__xfrm_policy_check.patch | 41 ++++++ 12 files changed, 694 insertions(+) create mode 100644 queue-4.9/af_key-do-not-call-xfrm_probe_algs-in-parallel.patch create mode 100644 queue-4.9/bonding-802.3ad-fix-no-transmission-of-lacpdus.patch create mode 100644 queue-4.9/ixgbe-stop-resetting-systime-in-ixgbe_ptp_start_cycl.patch create mode 100644 queue-4.9/net-fix-a-data-race-around-sysctl_net_busy_poll.patch create mode 100644 queue-4.9/net-fix-a-data-race-around-sysctl_net_busy_read.patch create mode 100644 queue-4.9/net-fix-a-data-race-around-sysctl_somaxconn.patch create mode 100644 queue-4.9/net-fix-a-data-race-around-sysctl_tstamp_allow_data.patch create mode 100644 queue-4.9/netfilter-nft_payload-report-erange-for-too-long-off.patch create mode 100644 queue-4.9/ratelimit-fix-data-races-in-___ratelimit.patch create mode 100644 queue-4.9/rose-check-null-rose_loopback_neigh-loopback.patch create mode 100644 queue-4.9/xfrm-fix-refcount-leak-in-__xfrm_policy_check.patch 
diff --git a/queue-4.9/af_key-do-not-call-xfrm_probe_algs-in-parallel.patch b/queue-4.9/af_key-do-not-call-xfrm_probe_algs-in-parallel.patch
new file mode 100644
index 00000000000..4402a10106d
--- /dev/null
+++ b/queue-4.9/af_key-do-not-call-xfrm_probe_algs-in-parallel.patch
@@ -0,0 +1,42 @@
+From 4eb6411e0be4e03e49512e00d70c57446cba77f7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 4 Aug 2022 18:03:46 +0800
+Subject: af_key: Do not call xfrm_probe_algs in parallel
+
+From: Herbert Xu
+
+[ Upstream commit ba953a9d89a00c078b85f4b190bc1dde66fe16b5 ]
+
+When namespace support was added to xfrm/afkey, it caused the
+previously single-threaded call to xfrm_probe_algs to become
+multi-threaded. This is buggy and needs to be fixed with a mutex.
+
+Reported-by: Abhishek Shah
+Fixes: 283bc9f35bbb ("xfrm: Namespacify xfrm state/policy locks")
+Signed-off-by: Herbert Xu
+Signed-off-by: Steffen Klassert
+Signed-off-by: Sasha Levin
+---
+ net/key/af_key.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/key/af_key.c b/net/key/af_key.c
+index 0737fc7b7ebdb..88d4a3a02ab72 100644
+--- a/net/key/af_key.c
++++ b/net/key/af_key.c
+@@ -1724,9 +1724,12 @@ static int pfkey_register(struct sock *sk, struct sk_buff *skb, const struct sad
+ pfk->registered |= (1<sadb_msg_satype);
+ }
+
++ mutex_lock(&pfkey_mutex);
+ xfrm_probe_algs();
+
+ supp_skb = compose_sadb_supported(hdr, GFP_KERNEL | __GFP_ZERO);
++ mutex_unlock(&pfkey_mutex);
++
+ if (!supp_skb) {
+ if (hdr->sadb_msg_satype != SADB_SATYPE_UNSPEC)
+ pfk->registered &= ~(1<sadb_msg_satype);
+-- 
+2.35.1
+
diff --git a/queue-4.9/bonding-802.3ad-fix-no-transmission-of-lacpdus.patch b/queue-4.9/bonding-802.3ad-fix-no-transmission-of-lacpdus.patch
new file mode 100644
index 00000000000..7c7a5b3dd9f
--- /dev/null
+++ b/queue-4.9/bonding-802.3ad-fix-no-transmission-of-lacpdus.patch
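Review bot: The new `pfkey_mutex` section in pfkey_register() serialises only this caller of xfrm_probe_algs(); any other path that reads the algorithm state while a probe is running is not covered by it, and no such reader is visible in this hunk, so the rest of af_key.c needs checking for one. The lock is held across compose_sadb_supported(), which allocates with `GFP_KERNEL | __GFP_ZERO`; that is acceptable for a mutex, but a comment should say what the lock protects, for example `/* pfkey_mutex: serialise xfrm_probe_algs() and the supported-algorithm snapshot built right after it */`. pfkey_register() starts and ends outside the hunk.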
@@ -0,0 +1,137 @@ +From 2fd9e62c1753de4cbbf5240cc77061825f1f9254 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Aug 2022 11:15:13 -0400 +Subject: bonding: 802.3ad: fix no transmission of LACPDUs + +From: Jonathan Toppins + +[ Upstream commit d745b5062ad2b5da90a5e728d7ca884fc07315fd ] + +This is caused by the global variable ad_ticks_per_sec being zero as +demonstrated by the reproducer script discussed below. This causes +all timer values in __ad_timer_to_ticks to be zero, resulting +in the periodic timer to never fire. + +To reproduce: +Run the script in +`tools/testing/selftests/drivers/net/bonding/bond-break-lacpdu-tx.sh` which +puts bonding into a state where it never transmits LACPDUs. + +line 44: ip link add fbond type bond mode 4 miimon 200 \ + xmit_hash_policy 1 ad_actor_sys_prio 65535 lacp_rate fast +setting bond param: ad_actor_sys_prio +given: + params.ad_actor_system = 0 +call stack: + bond_option_ad_actor_sys_prio() + -> bond_3ad_update_ad_actor_settings() + -> set ad.system.sys_priority = bond->params.ad_actor_sys_prio + -> ad.system.sys_mac_addr = bond->dev->dev_addr; because + params.ad_actor_system == 0 +results: + ad.system.sys_mac_addr = bond->dev->dev_addr + +line 48: ip link set fbond address 52:54:00:3B:7C:A6 +setting bond MAC addr +call stack: + bond->dev->dev_addr = new_mac + +line 52: ip link set fbond type bond ad_actor_sys_prio 65535 +setting bond param: ad_actor_sys_prio +given: + params.ad_actor_system = 0 +call stack: + bond_option_ad_actor_sys_prio() + -> bond_3ad_update_ad_actor_settings() + -> set ad.system.sys_priority = bond->params.ad_actor_sys_prio + -> ad.system.sys_mac_addr = bond->dev->dev_addr; because + params.ad_actor_system == 0 +results: + ad.system.sys_mac_addr = bond->dev->dev_addr + +line 60: ip link set veth1-bond down master fbond +given: + params.ad_actor_system = 0 + params.mode = BOND_MODE_8023AD + ad.system.sys_mac_addr == bond->dev->dev_addr +call stack: + bond_enslave + -> bond_3ad_initialize(); 
because first slave + -> if ad.system.sys_mac_addr != bond->dev->dev_addr + return +results: + Nothing is run in bond_3ad_initialize() because dev_addr equals + sys_mac_addr leaving the global ad_ticks_per_sec zero as it is + never initialized anywhere else. + +The if check around the contents of bond_3ad_initialize() is no longer +needed due to commit 5ee14e6d336f ("bonding: 3ad: apply ad_actor settings +changes immediately") which sets ad.system.sys_mac_addr if any one of +the bonding parameters whos set function calls +bond_3ad_update_ad_actor_settings(). This is because if +ad.system.sys_mac_addr is zero it will be set to the current bond mac +address, this causes the if check to never be true. + +Fixes: 5ee14e6d336f ("bonding: 3ad: apply ad_actor settings changes immediately") +Signed-off-by: Jonathan Toppins +Acked-by: Jay Vosburgh +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/bonding/bond_3ad.c | 38 ++++++++++++++-------------------- + 1 file changed, 16 insertions(+), 22 deletions(-) + +diff --git a/drivers/net/bonding/bond_3ad.c b/drivers/net/bonding/bond_3ad.c +index 8ec0671f97113..7ba724ecef302 100644 +--- a/drivers/net/bonding/bond_3ad.c ++++ b/drivers/net/bonding/bond_3ad.c +@@ -1941,30 +1941,24 @@ void bond_3ad_initiate_agg_selection(struct bonding *bond, int timeout) + */ + void bond_3ad_initialize(struct bonding *bond, u16 tick_resolution) + { +- /* check that the bond is not initialized yet */ +- if (!MAC_ADDRESS_EQUAL(&(BOND_AD_INFO(bond).system.sys_mac_addr), +- bond->dev->dev_addr)) { +- +- BOND_AD_INFO(bond).aggregator_identifier = 0; +- +- BOND_AD_INFO(bond).system.sys_priority = +- bond->params.ad_actor_sys_prio; +- if (is_zero_ether_addr(bond->params.ad_actor_system)) +- BOND_AD_INFO(bond).system.sys_mac_addr = +- *((struct mac_addr *)bond->dev->dev_addr); +- else +- BOND_AD_INFO(bond).system.sys_mac_addr = +- *((struct mac_addr *)bond->params.ad_actor_system); ++ BOND_AD_INFO(bond).aggregator_identifier = 0; 
++ BOND_AD_INFO(bond).system.sys_priority = ++ bond->params.ad_actor_sys_prio; ++ if (is_zero_ether_addr(bond->params.ad_actor_system)) ++ BOND_AD_INFO(bond).system.sys_mac_addr = ++ *((struct mac_addr *)bond->dev->dev_addr); ++ else ++ BOND_AD_INFO(bond).system.sys_mac_addr = ++ *((struct mac_addr *)bond->params.ad_actor_system); + +- /* initialize how many times this module is called in one +- * second (should be about every 100ms) +- */ +- ad_ticks_per_sec = tick_resolution; ++ /* initialize how many times this module is called in one ++ * second (should be about every 100ms) ++ */ ++ ad_ticks_per_sec = tick_resolution; + +- bond_3ad_initiate_agg_selection(bond, +- AD_AGGREGATOR_SELECTION_TIMER * +- ad_ticks_per_sec); +- } ++ bond_3ad_initiate_agg_selection(bond, ++ AD_AGGREGATOR_SELECTION_TIMER * ++ ad_ticks_per_sec); + } + + /** +-- +2.35.1 + diff --git a/queue-4.9/ixgbe-stop-resetting-systime-in-ixgbe_ptp_start_cycl.patch b/queue-4.9/ixgbe-stop-resetting-systime-in-ixgbe_ptp_start_cycl.patch new file mode 100644 index 00000000000..4e2986d6191 --- /dev/null +++ b/queue-4.9/ixgbe-stop-resetting-systime-in-ixgbe_ptp_start_cycl.patch 
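Review bot: `ad_ticks_per_sec` is still a global that only bond_3ad_initialize() writes, so the timer conversion described in the commit message keeps depending on this function having run first, and every call now overwrites the value for all bonds. If every caller passes the same tick resolution (callers are not visible here), a compile-time constant would remove that ordering dependency; otherwise a comment on the assignment such as `/* global, shared by all bonds; must be set before any __ad_timer_to_ticks() use */` would document it. With the guard removed, `aggregator_identifier` is also reset to 0 on each call, which is safe only if the function runs once per bond, on first-slave enslave as the call stack in the commit message suggests.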
@@ -0,0 +1,137 @@ +From 3588910e127f755f2f63c286a2d798c2792f6620 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Aug 2022 17:24:19 -0700 +Subject: ixgbe: stop resetting SYSTIME in ixgbe_ptp_start_cyclecounter + +From: Jacob Keller + +[ Upstream commit 25d7a5f5a6bb15a2dae0a3f39ea5dda215024726 ] + +The ixgbe_ptp_start_cyclecounter is intended to be called whenever the +cyclecounter parameters need to be changed. + +Since commit a9763f3cb54c ("ixgbe: Update PTP to support X550EM_x +devices"), this function has cleared the SYSTIME registers and reset the +TSAUXC DISABLE_SYSTIME bit. + +While these need to be cleared during ixgbe_ptp_reset, it is wrong to clear +them during ixgbe_ptp_start_cyclecounter. This function may be called +during both reset and link status change. When link changes, the SYSTIME +counter is still operating normally, but the cyclecounter should be updated +to account for the possibly changed parameters. + +Clearing SYSTIME when link changes causes the timecounter to jump because +the cycle counter now reads zero. + +Extract the SYSTIME initialization out to a new function and call this +during ixgbe_ptp_reset. This prevents the timecounter adjustment and avoids +an unnecessary reset of the current time. + +This also restores the original SYSTIME clearing that occurred during +ixgbe_ptp_reset before the commit above. 
+ +Reported-by: Steve Payne +Reported-by: Ilya Evenbach +Fixes: a9763f3cb54c ("ixgbe: Update PTP to support X550EM_x devices") +Signed-off-by: Jacob Keller +Tested-by: Gurucharan (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c | 59 +++++++++++++++----- + 1 file changed, 46 insertions(+), 13 deletions(-) + +diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c +index a93a1b3bb8e4d..2ae59af3e16f0 100644 +--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c ++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c +@@ -1080,7 +1080,6 @@ void ixgbe_ptp_start_cyclecounter(struct ixgbe_adapter *adapter) + struct cyclecounter cc; + unsigned long flags; + u32 incval = 0; +- u32 tsauxc = 0; + u32 fuse0 = 0; + + /* For some of the boards below this mask is technically incorrect. +@@ -1115,18 +1114,6 @@ void ixgbe_ptp_start_cyclecounter(struct ixgbe_adapter *adapter) + case ixgbe_mac_x550em_a: + case ixgbe_mac_X550: + cc.read = ixgbe_ptp_read_X550; +- +- /* enable SYSTIME counter */ +- IXGBE_WRITE_REG(hw, IXGBE_SYSTIMR, 0); +- IXGBE_WRITE_REG(hw, IXGBE_SYSTIML, 0); +- IXGBE_WRITE_REG(hw, IXGBE_SYSTIMH, 0); +- tsauxc = IXGBE_READ_REG(hw, IXGBE_TSAUXC); +- IXGBE_WRITE_REG(hw, IXGBE_TSAUXC, +- tsauxc & ~IXGBE_TSAUXC_DISABLE_SYSTIME); +- IXGBE_WRITE_REG(hw, IXGBE_TSIM, IXGBE_TSIM_TXTS); +- IXGBE_WRITE_REG(hw, IXGBE_EIMS, IXGBE_EIMS_TIMESYNC); +- +- IXGBE_WRITE_FLUSH(hw); + break; + case ixgbe_mac_X540: + cc.read = ixgbe_ptp_read_82599; +@@ -1158,6 +1145,50 @@ void ixgbe_ptp_start_cyclecounter(struct ixgbe_adapter *adapter) + spin_unlock_irqrestore(&adapter->tmreg_lock, flags); + } + ++/** ++ * ixgbe_ptp_init_systime - Initialize SYSTIME registers ++ * @adapter: the ixgbe private board structure ++ * ++ * Initialize and start the SYSTIME registers. 
++ */ ++static void ixgbe_ptp_init_systime(struct ixgbe_adapter *adapter) ++{ ++ struct ixgbe_hw *hw = &adapter->hw; ++ u32 tsauxc; ++ ++ switch (hw->mac.type) { ++ case ixgbe_mac_X550EM_x: ++ case ixgbe_mac_x550em_a: ++ case ixgbe_mac_X550: ++ tsauxc = IXGBE_READ_REG(hw, IXGBE_TSAUXC); ++ ++ /* Reset SYSTIME registers to 0 */ ++ IXGBE_WRITE_REG(hw, IXGBE_SYSTIMR, 0); ++ IXGBE_WRITE_REG(hw, IXGBE_SYSTIML, 0); ++ IXGBE_WRITE_REG(hw, IXGBE_SYSTIMH, 0); ++ ++ /* Reset interrupt settings */ ++ IXGBE_WRITE_REG(hw, IXGBE_TSIM, IXGBE_TSIM_TXTS); ++ IXGBE_WRITE_REG(hw, IXGBE_EIMS, IXGBE_EIMS_TIMESYNC); ++ ++ /* Activate the SYSTIME counter */ ++ IXGBE_WRITE_REG(hw, IXGBE_TSAUXC, ++ tsauxc & ~IXGBE_TSAUXC_DISABLE_SYSTIME); ++ break; ++ case ixgbe_mac_X540: ++ case ixgbe_mac_82599EB: ++ /* Reset SYSTIME registers to 0 */ ++ IXGBE_WRITE_REG(hw, IXGBE_SYSTIML, 0); ++ IXGBE_WRITE_REG(hw, IXGBE_SYSTIMH, 0); ++ break; ++ default: ++ /* Other devices aren't supported */ ++ return; ++ }; ++ ++ IXGBE_WRITE_FLUSH(hw); ++} ++ + /** + * ixgbe_ptp_reset + * @adapter: the ixgbe private board structure +@@ -1184,6 +1215,8 @@ void ixgbe_ptp_reset(struct ixgbe_adapter *adapter) + + ixgbe_ptp_start_cyclecounter(adapter); + ++ ixgbe_ptp_init_systime(adapter); ++ + spin_lock_irqsave(&adapter->tmreg_lock, flags); + timecounter_init(&adapter->hw_tc, &adapter->hw_cc, + ktime_to_ns(ktime_get_real())); +-- +2.35.1 + diff --git a/queue-4.9/net-fix-a-data-race-around-sysctl_net_busy_poll.patch b/queue-4.9/net-fix-a-data-race-around-sysctl_net_busy_poll.patch new file mode 100644 index 00000000000..d861edd592a --- /dev/null +++ b/queue-4.9/net-fix-a-data-race-around-sysctl_net_busy_poll.patch 
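Review bot: ixgbe_ptp_init_systime() zeroes the SYSTIME registers and rewrites TSAUXC without taking `adapter->tmreg_lock`, and in ixgbe_ptp_reset() the call sits before the `spin_lock_irqsave(&adapter->tmreg_lock, flags)` that guards timecounter_init(). If anything can read the cycle counter between the two (the readers are outside this hunk), it would see the counter drop to zero against the old timecounter base; either move the call under the lock or add a comment saying why no reader can run during reset. Minor style: the switch in the new helper closes with `};`, and the stray semicolon should go. ixgbe_ptp_reset() is only partly visible.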
@@ -0,0 +1,36 @@
+From 6903e1ff67c5efd3523e40fb62abac493083d38b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 23 Aug 2022 10:46:51 -0700
+Subject: net: Fix a data-race around sysctl_net_busy_poll.
+
+From: Kuniyuki Iwashima
+
+[ Upstream commit c42b7cddea47503411bfb5f2f93a4154aaffa2d9 ]
+
+While reading sysctl_net_busy_poll, it can be changed concurrently.
+Thus, we need to add READ_ONCE() to its reader.
+
+Fixes: 060212928670 ("net: add low latency socket poll")
+Signed-off-by: Kuniyuki Iwashima
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ include/net/busy_poll.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/net/busy_poll.h b/include/net/busy_poll.h
+index 2fbeb1313c0f4..e522187cb6935 100644
+--- a/include/net/busy_poll.h
++++ b/include/net/busy_poll.h
+@@ -39,7 +39,7 @@ extern unsigned int sysctl_net_busy_poll __read_mostly;
+
+ static inline bool net_busy_loop_on(void)
+ {
+- return sysctl_net_busy_poll;
++ return READ_ONCE(sysctl_net_busy_poll);
+ }
+
+ static inline u64 busy_loop_us_clock(void)
+-- 
+2.35.1
+
diff --git a/queue-4.9/net-fix-a-data-race-around-sysctl_net_busy_read.patch b/queue-4.9/net-fix-a-data-race-around-sysctl_net_busy_read.patch
new file mode 100644
index 00000000000..e31489ececb
--- /dev/null
+++ b/queue-4.9/net-fix-a-data-race-around-sysctl_net_busy_read.patch
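Review bot: READ_ONCE() on the reader in net_busy_loop_on() closes only one side of the race; the store side is the sysctl proc handler, which is not part of this queue entry, and the ratelimit patch in this series states the pairing explicitly (`Paired with WRITE_ONCE() in .proc_handler()`). For a 4.9 backport it is worth confirming that the tree already carries the writer-side annotation, otherwise the reads are marked while the writes may still be unannotated. The same applies to the sysctl_net_busy_read, sysctl_somaxconn, sysctl_tstamp_allow_data and ___ratelimit() patches that follow. A short comment at each read, e.g. `/* sysctl value, may change concurrently */`, would keep the annotation from being dropped in a later refactoring.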
@@ -0,0 +1,36 @@
+From bacef6bad880c82f422d7aa8d0fde88dce677a0b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 23 Aug 2022 10:46:52 -0700
+Subject: net: Fix a data-race around sysctl_net_busy_read.
+
+From: Kuniyuki Iwashima
+
+[ Upstream commit e59ef36f0795696ab229569c153936bfd068d21c ]
+
+While reading sysctl_net_busy_read, it can be changed concurrently.
+Thus, we need to add READ_ONCE() to its reader.
+
+Fixes: 2d48d67fa8cd ("net: poll/select low latency socket support")
+Signed-off-by: Kuniyuki Iwashima
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/core/sock.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/core/sock.c b/net/core/sock.c
+index 1845a37d9f7e1..e4b28c10901ec 100644
+--- a/net/core/sock.c
++++ b/net/core/sock.c
+@@ -2508,7 +2508,7 @@ void sock_init_data(struct socket *sock, struct sock *sk)
+
+ #ifdef CONFIG_NET_RX_BUSY_POLL
+ sk->sk_napi_id = 0;
+- sk->sk_ll_usec = sysctl_net_busy_read;
++ sk->sk_ll_usec = READ_ONCE(sysctl_net_busy_read);
+ #endif
+
+ sk->sk_max_pacing_rate = ~0U;
+-- 
+2.35.1
+
diff --git a/queue-4.9/net-fix-a-data-race-around-sysctl_somaxconn.patch b/queue-4.9/net-fix-a-data-race-around-sysctl_somaxconn.patch
new file mode 100644
index 00000000000..71112616207
--- /dev/null
+++ b/queue-4.9/net-fix-a-data-race-around-sysctl_somaxconn.patch
@@ -0,0 +1,36 @@
+From de0841610f90b3473ebbbcbcd07af0e8a1a27560 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 23 Aug 2022 10:47:00 -0700
+Subject: net: Fix a data-race around sysctl_somaxconn.
+
+From: Kuniyuki Iwashima
+
+[ Upstream commit 3c9ba81d72047f2e81bb535d42856517b613aba7 ]
+
+While reading sysctl_somaxconn, it can be changed concurrently.
+Thus, we need to add READ_ONCE() to its reader.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Kuniyuki Iwashima
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/socket.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/socket.c b/net/socket.c
+index ab64ae80ca2cd..6f1abcba0e360 100644
+--- a/net/socket.c
++++ b/net/socket.c
+@@ -1403,7 +1403,7 @@ SYSCALL_DEFINE2(listen, int, fd, int, backlog)
+
+ sock = sockfd_lookup_light(fd, &err, &fput_needed);
+ if (sock) {
+- somaxconn = sock_net(sock->sk)->core.sysctl_somaxconn;
++ somaxconn = READ_ONCE(sock_net(sock->sk)->core.sysctl_somaxconn);
+ if ((unsigned int)backlog > somaxconn)
+ backlog = somaxconn;
+
+-- 
+2.35.1
+
diff --git a/queue-4.9/net-fix-a-data-race-around-sysctl_tstamp_allow_data.patch b/queue-4.9/net-fix-a-data-race-around-sysctl_tstamp_allow_data.patch
new file mode 100644
index 00000000000..023603ecc67
--- /dev/null
+++ b/queue-4.9/net-fix-a-data-race-around-sysctl_tstamp_allow_data.patch
@@ -0,0 +1,36 @@
+From f7abbc5629f5656940b9b9bbf6b08aefc10e3463 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 23 Aug 2022 10:46:50 -0700
+Subject: net: Fix a data-race around sysctl_tstamp_allow_data.
+
+From: Kuniyuki Iwashima
+
+[ Upstream commit d2154b0afa73c0159b2856f875c6b4fe7cf6a95e ]
+
+While reading sysctl_tstamp_allow_data, it can be changed
+concurrently. Thus, we need to add READ_ONCE() to its reader.
+
+Fixes: b245be1f4db1 ("net-timestamp: no-payload only sysctl")
+Signed-off-by: Kuniyuki Iwashima
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/core/skbuff.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/core/skbuff.c b/net/core/skbuff.c
+index 22b216629f9bc..022e26c180241 100644
+--- a/net/core/skbuff.c
++++ b/net/core/skbuff.c
+@@ -3905,7 +3905,7 @@ static bool skb_may_tx_timestamp(struct sock *sk, bool tsonly)
+ {
+ bool ret;
+
+- if (likely(sysctl_tstamp_allow_data || tsonly))
++ if (likely(READ_ONCE(sysctl_tstamp_allow_data) || tsonly))
+ return true;
+
+ read_lock_bh(&sk->sk_callback_lock);
+-- 
+2.35.1
+
diff --git a/queue-4.9/netfilter-nft_payload-report-erange-for-too-long-off.patch b/queue-4.9/netfilter-nft_payload-report-erange-for-too-long-off.patch
new file mode 100644
index 00000000000..62dffcb23c0
--- /dev/null
+++ b/queue-4.9/netfilter-nft_payload-report-erange-for-too-long-off.patch
@@ -0,0 +1,49 @@
+From 261f0c0844f3264bd2c00809da42c563343864d0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 21 Aug 2022 11:47:04 +0200
+Subject: netfilter: nft_payload: report ERANGE for too long offset and length
+
+From: Pablo Neira Ayuso
+
+[ Upstream commit 94254f990c07e9ddf1634e0b727fab821c3b5bf9 ]
+
+Instead of offset and length are truncation to u8, report ERANGE.
+
+Fixes: 96518518cc41 ("netfilter: add nftables")
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Sasha Levin
+---
+ net/netfilter/nft_payload.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/net/netfilter/nft_payload.c b/net/netfilter/nft_payload.c
+index f73d47b3ffb72..82bcd14fbcb3d 100644
+--- a/net/netfilter/nft_payload.c
++++ b/net/netfilter/nft_payload.c
+@@ -287,6 +287,7 @@ nft_payload_select_ops(const struct nft_ctx *ctx,
+ {
+ enum nft_payload_bases base;
+ unsigned int offset, len;
++ int err;
+
+ if (tb[NFTA_PAYLOAD_BASE] == NULL ||
+ tb[NFTA_PAYLOAD_OFFSET] == NULL ||
+@@ -312,8 +313,13 @@ nft_payload_select_ops(const struct nft_ctx *ctx,
+ if (tb[NFTA_PAYLOAD_DREG] == NULL)
+ return ERR_PTR(-EINVAL);
+
+- offset = ntohl(nla_get_be32(tb[NFTA_PAYLOAD_OFFSET]));
+- len = ntohl(nla_get_be32(tb[NFTA_PAYLOAD_LEN]));
++ err = nft_parse_u32_check(tb[NFTA_PAYLOAD_OFFSET], U8_MAX, &offset);
++ if (err < 0)
++ return ERR_PTR(err);
++
++ err = nft_parse_u32_check(tb[NFTA_PAYLOAD_LEN], U8_MAX, &len);
++ if (err < 0)
++ return ERR_PTR(err);
+
+ if (len <= 4 && is_power_of_2(len) && IS_ALIGNED(offset, len) &&
+ base != NFT_PAYLOAD_LL_HEADER)
+-- 
+2.35.1
+
diff --git a/queue-4.9/ratelimit-fix-data-races-in-___ratelimit.patch b/queue-4.9/ratelimit-fix-data-races-in-___ratelimit.patch
new file mode 100644
index 00000000000..11df4ea3264
--- /dev/null
+++ b/queue-4.9/ratelimit-fix-data-races-in-___ratelimit.patch
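Review bot: The new U8_MAX range checks sit after the `tb[NFTA_PAYLOAD_DREG] == NULL` test in nft_payload_select_ops(), so they cover only callers that reach this point; if the function returns earlier for another expression variant (the lines between the two hunks are not shown), offset and length on that path would still be accepted without a range check. The checked `offset` and `len` are locals here, so it is also worth confirming that whatever later stores these attributes parses them with the same bound rather than relying on this check having run first. Where it does not, the same call applies: `err = nft_parse_u32_check(tb[NFTA_PAYLOAD_OFFSET], U8_MAX, &offset);`. The function starts and ends outside the hunks.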
@@ -0,0 +1,64 @@ +From dd31ce2d8ed9f296ad766e55abcd46f9c2ddef32 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Aug 2022 10:46:48 -0700 +Subject: ratelimit: Fix data-races in ___ratelimit(). + +From: Kuniyuki Iwashima + +[ Upstream commit 6bae8ceb90ba76cdba39496db936164fa672b9be ] + +While reading rs->interval and rs->burst, they can be changed +concurrently via sysctl (e.g. net_ratelimit_state). Thus, we +need to add READ_ONCE() to their readers. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Kuniyuki Iwashima +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + lib/ratelimit.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/lib/ratelimit.c b/lib/ratelimit.c +index d01f471352390..b805702de84dd 100644 +--- a/lib/ratelimit.c ++++ b/lib/ratelimit.c +@@ -27,10 +27,16 @@ + */ + int ___ratelimit(struct ratelimit_state *rs, const char *func) + { ++ /* Paired with WRITE_ONCE() in .proc_handler(). ++ * Changing two values seperately could be inconsistent ++ * and some message could be lost. (See: net_ratelimit_state). ++ */ ++ int interval = READ_ONCE(rs->interval); ++ int burst = READ_ONCE(rs->burst); + unsigned long flags; + int ret; + +- if (!rs->interval) ++ if (!interval) + return 1; + + /* +@@ -45,7 +51,7 @@ int ___ratelimit(struct ratelimit_state *rs, const char *func) + if (!rs->begin) + rs->begin = jiffies; + +- if (time_is_before_jiffies(rs->begin + rs->interval)) { ++ if (time_is_before_jiffies(rs->begin + interval)) { + if (rs->missed) { + if (!(rs->flags & RATELIMIT_MSG_ON_RELEASE)) { + printk_deferred(KERN_WARNING +@@ -57,7 +63,7 @@ int ___ratelimit(struct ratelimit_state *rs, const char *func) + rs->begin = jiffies; + rs->printed = 0; + } +- if (rs->burst && rs->burst > rs->printed) { ++ if (burst && burst > rs->printed) { + rs->printed++; + ret = 1; + } else { +-- +2.35.1 + 
diff --git a/queue-4.9/rose-check-null-rose_loopback_neigh-loopback.patch b/queue-4.9/rose-check-null-rose_loopback_neigh-loopback.patch
new file mode 100644
index 00000000000..2d8e5983271
--- /dev/null
+++ b/queue-4.9/rose-check-null-rose_loopback_neigh-loopback.patch
@@ -0,0 +1,69 @@ +From ab9c858aa4b4ddff36865ad84bdc012d2f4e1e7d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Aug 2022 02:02:13 +0200 +Subject: rose: check NULL rose_loopback_neigh->loopback + +From: Bernard Pidoux + +[ Upstream commit 3c53cd65dece47dd1f9d3a809f32e59d1d87b2b8 ] + +Commit 3b3fd068c56e3fbea30090859216a368398e39bf added NULL check for +`rose_loopback_neigh->dev` in rose_loopback_timer() but omitted to +check rose_loopback_neigh->loopback. + +It thus prevents *all* rose connect. + +The reason is that a special rose_neigh loopback has a NULL device. + +/proc/net/rose_neigh illustrates it via rose_neigh_show() function : +[...] +seq_printf(seq, "%05d %-9s %-4s %3d %3d %3s %3s %3lu %3lu", + rose_neigh->number, + (rose_neigh->loopback) ? "RSLOOP-0" : ax2asc(buf, &rose_neigh->callsign), + rose_neigh->dev ? rose_neigh->dev->name : "???", + rose_neigh->count, + +/proc/net/rose_neigh displays special rose_loopback_neigh->loopback as +callsign RSLOOP-0: + +addr callsign dev count use mode restart t0 tf digipeaters +00001 RSLOOP-0 ??? 1 2 DCE yes 0 0 + +By checking rose_loopback_neigh->loopback, rose_rx_call_request() is called +even in case rose_loopback_neigh->dev is NULL. This repairs rose connections. + +Verification with rose client application FPAC: + +FPAC-Node v 4.1.3 (built Aug 5 2022) for LINUX (help = h) +F6BVP-4 (Commands = ?) : u +Users - AX.25 Level 2 sessions : +Port Callsign Callsign AX.25 state ROSE state NetRom status +axudp F6BVP-5 -> F6BVP-9 Connected Connected --------- + +Fixes: 3b3fd068c56e ("rose: Fix Null pointer dereference in rose_send_frame()") +Signed-off-by: Bernard Pidoux +Suggested-by: Francois Romieu +Cc: Thomas DL9SAU Osterried +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + net/rose/rose_loopback.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/rose/rose_loopback.c b/net/rose/rose_loopback.c +index 0f371e50d9c4e..e6526c8ecacc0 100644 +--- a/net/rose/rose_loopback.c ++++ b/net/rose/rose_loopback.c +@@ -99,7 +99,8 @@ static void rose_loopback_timer(unsigned long param) + } + + if (frametype == ROSE_CALL_REQUEST) { +- if (!rose_loopback_neigh->dev) { ++ if (!rose_loopback_neigh->dev && ++ !rose_loopback_neigh->loopback) { + kfree_skb(skb); + continue; + } +-- +2.35.1 + diff --git a/queue-4.9/series b/queue-4.9/series index 68cd2e6f2e9..fb7d6776fc2 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -1 +1,12 @@ parisc-fix-exception-handler-for-fldw-and-fstw-instructions.patch +xfrm-fix-refcount-leak-in-__xfrm_policy_check.patch +af_key-do-not-call-xfrm_probe_algs-in-parallel.patch +rose-check-null-rose_loopback_neigh-loopback.patch +bonding-802.3ad-fix-no-transmission-of-lacpdus.patch +netfilter-nft_payload-report-erange-for-too-long-off.patch +ratelimit-fix-data-races-in-___ratelimit.patch +net-fix-a-data-race-around-sysctl_tstamp_allow_data.patch +net-fix-a-data-race-around-sysctl_net_busy_poll.patch +net-fix-a-data-race-around-sysctl_net_busy_read.patch +net-fix-a-data-race-around-sysctl_somaxconn.patch +ixgbe-stop-resetting-systime-in-ixgbe_ptp_start_cycl.patch diff --git a/queue-4.9/xfrm-fix-refcount-leak-in-__xfrm_policy_check.patch b/queue-4.9/xfrm-fix-refcount-leak-in-__xfrm_policy_check.patch new file mode 100644 index 00000000000..75fdc9a992c --- /dev/null +++ b/queue-4.9/xfrm-fix-refcount-leak-in-__xfrm_policy_check.patch 
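Review bot: With the condition changed to `!rose_loopback_neigh->dev && !rose_loopback_neigh->loopback`, a call request now proceeds with a NULL `rose_loopback_neigh->dev` whenever the loopback flag is set, which is the state the earlier check rejected (per the Fixes: title, to avoid a NULL dereference in rose_send_frame()). Everything reached from this branch has to tolerate `dev == NULL` on the loopback neighbour; that code is outside the hunk, so it needs checking before the patch is queued. A comment above the test, such as `/* the loopback neighbour legitimately has no device; drop only when it is neither */`, would record the intent. rose_loopback_timer() starts and ends outside the hunk.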
@@ -0,0 +1,41 @@
+From c92e43db33549a3dd8b260e878b96ad7e1fde07e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 24 Jul 2022 17:55:58 +0800
+Subject: xfrm: fix refcount leak in __xfrm_policy_check()
+
+From: Xin Xiong
+
+[ Upstream commit 9c9cb23e00ddf45679b21b4dacc11d1ae7961ebe ]
+
+The issue happens on an error path in __xfrm_policy_check(). When the
+fetching process of the object `pols[1]` fails, the function simply
+returns 0, forgetting to decrement the reference count of `pols[0]`,
+which is incremented earlier by either xfrm_sk_policy_lookup() or
+xfrm_policy_lookup(). This may result in memory leaks.
+
+Fix it by decreasing the reference count of `pols[0]` in that path.
+
+Fixes: 134b0fc544ba ("IPsec: propagate security module errors up from flow_cache_lookup")
+Signed-off-by: Xin Xiong
+Signed-off-by: Xin Tan
+Signed-off-by: Steffen Klassert
+Signed-off-by: Sasha Levin
+---
+ net/xfrm/xfrm_policy.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
+index 0894108f561cb..ae90a273475c0 100644
+--- a/net/xfrm/xfrm_policy.c
++++ b/net/xfrm/xfrm_policy.c
+@@ -2538,6 +2538,7 @@ int __xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb,
+ if (pols[1]) {
+ if (IS_ERR(pols[1])) {
+ XFRM_INC_STATS(net, LINUX_MIB_XFRMINPOLERROR);
++ xfrm_pol_put(pols[0]);
+ return 0;
+ }
+ pols[1]->curlft.use_time = get_seconds();
+-- 
+2.35.1
+
-- 
2.47.2
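Review bot: The added `xfrm_pol_put(pols[0]);` fixes the one exit shown, but __xfrm_policy_check() takes the reference earlier and its other return paths between the lookup and this point are outside the hunk, so each of them needs the same audit. A single cleanup label that drops every held policy would keep the next early return from leaking again, and if the file already has a helper that releases an array of policies, using it here would be more consistent. A comment on the new line, e.g. `/* drop the ref taken by the pols[0] lookup */`, would tie the put to its matching get.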