From f32ce87c9448f908f9021878c437e85da4d00c3c Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Mon, 10 Aug 2020 15:19:29 +0200 Subject: [PATCH] 4.19-stable patches added patches: hv_netvsc-do-not-use-vf-device-if-link-is-down.patch ipv4-silence-suspicious-rcu-usage-warning.patch ipv6-fix-memory-leaks-on-ipv6_addrform-path.patch net-ethernet-mtk_eth_soc-fix-mtu-warnings.patch net-gre-recompute-gre-csum-for-sctp-over-gre-tunnels.patch net-lan78xx-replace-bogus-endpoint-lookup.patch net-thunderx-use-spin_lock_bh-in-nicvf_set_rx_mode_task.patch openvswitch-prevent-kernel-infoleak-in-ovs_ct_put_key.patch revert-vxlan-fix-tos-value-before-xmit.patch rxrpc-fix-race-between-recvmsg-and-sendmsg-on-immediate-call-failure.patch selftests-net-relax-cpu-affinity-requirement-in-msg_zerocopy-test.patch vxlan-ensure-fdb-dump-is-performed-under-rcu.patch --- ...do-not-use-vf-device-if-link-is-down.patch | 45 +++++ ...silence-suspicious-rcu-usage-warning.patch | 80 ++++++++ ...x-memory-leaks-on-ipv6_addrform-path.patch | 115 +++++++++++ ...thernet-mtk_eth_soc-fix-mtu-warnings.patch | 38 ++++ ...e-gre-csum-for-sctp-over-gre-tunnels.patch | 69 +++++++ ...an78xx-replace-bogus-endpoint-lookup.patch | 189 ++++++++++++++++++ ...in_lock_bh-in-nicvf_set_rx_mode_task.patch | 60 ++++++ ...nt-kernel-infoleak-in-ovs_ct_put_key.patch | 81 ++++++++ ...vert-vxlan-fix-tos-value-before-xmit.patch | 65 ++++++ ...nd-sendmsg-on-immediate-call-failure.patch | 166 +++++++++++++++ ...ity-requirement-in-msg_zerocopy-test.patch | 46 +++++ queue-4.19/series | 12 ++ ...sure-fdb-dump-is-performed-under-rcu.patch | 96 +++++++++ 13 files changed, 1062 insertions(+) create mode 100644 queue-4.19/hv_netvsc-do-not-use-vf-device-if-link-is-down.patch create mode 100644 queue-4.19/ipv4-silence-suspicious-rcu-usage-warning.patch create mode 100644 queue-4.19/ipv6-fix-memory-leaks-on-ipv6_addrform-path.patch create mode 100644 queue-4.19/net-ethernet-mtk_eth_soc-fix-mtu-warnings.patch create mode 100644 
queue-4.19/net-gre-recompute-gre-csum-for-sctp-over-gre-tunnels.patch create mode 100644 queue-4.19/net-lan78xx-replace-bogus-endpoint-lookup.patch create mode 100644 queue-4.19/net-thunderx-use-spin_lock_bh-in-nicvf_set_rx_mode_task.patch create mode 100644 queue-4.19/openvswitch-prevent-kernel-infoleak-in-ovs_ct_put_key.patch create mode 100644 queue-4.19/revert-vxlan-fix-tos-value-before-xmit.patch create mode 100644 queue-4.19/rxrpc-fix-race-between-recvmsg-and-sendmsg-on-immediate-call-failure.patch create mode 100644 queue-4.19/selftests-net-relax-cpu-affinity-requirement-in-msg_zerocopy-test.patch create mode 100644 queue-4.19/vxlan-ensure-fdb-dump-is-performed-under-rcu.patch diff --git a/queue-4.19/hv_netvsc-do-not-use-vf-device-if-link-is-down.patch b/queue-4.19/hv_netvsc-do-not-use-vf-device-if-link-is-down.patch new file mode 100644 index 00000000000..1f6786dde56 --- /dev/null +++ b/queue-4.19/hv_netvsc-do-not-use-vf-device-if-link-is-down.patch @@ -0,0 +1,45 @@ +From foo@baz Mon 10 Aug 2020 03:13:13 PM CEST +From: Stephen Hemminger +Date: Tue, 4 Aug 2020 09:54:15 -0700 +Subject: hv_netvsc: do not use VF device if link is down + +From: Stephen Hemminger + +[ Upstream commit 7c9864bbccc23e1812ac82966555d68c13ea4006 ] + +If the accelerated networking SRIOV VF device has lost carrier +use the synthetic network device which is available as backup +path. This is a rare case since if VF link goes down, normally +the VMBus device will also lose external connectivity as well. +But if the communication is between two VM's on the same host +the VMBus device will still work. + +Reported-by: "Shah, Ashish N" +Fixes: 0c195567a8f6 ("netvsc: transparent VF management") +Signed-off-by: Stephen Hemminger +Reviewed-by: Haiyang Zhang +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/hyperv/netvsc_drv.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/drivers/net/hyperv/netvsc_drv.c ++++ b/drivers/net/hyperv/netvsc_drv.c +@@ -543,12 +543,13 @@ static int netvsc_start_xmit(struct sk_b + u32 hash; + struct hv_page_buffer pb[MAX_PAGE_BUFFER_COUNT]; + +- /* if VF is present and up then redirect packets +- * already called with rcu_read_lock_bh ++ /* If VF is present and up then redirect packets to it. ++ * Skip the VF if it is marked down or has no carrier. ++ * If netpoll is in uses, then VF can not be used either. + */ + vf_netdev = rcu_dereference_bh(net_device_ctx->vf_netdev); + if (vf_netdev && netif_running(vf_netdev) && +- !netpoll_tx_running(net)) ++ netif_carrier_ok(vf_netdev) && !netpoll_tx_running(net)) + return netvsc_vf_xmit(net, vf_netdev, skb); + + /* We will atmost need two pages to describe the rndis diff --git a/queue-4.19/ipv4-silence-suspicious-rcu-usage-warning.patch b/queue-4.19/ipv4-silence-suspicious-rcu-usage-warning.patch new file mode 100644 index 00000000000..b10ca03a80c --- /dev/null +++ b/queue-4.19/ipv4-silence-suspicious-rcu-usage-warning.patch @@ -0,0 +1,80 @@ +From foo@baz Mon 10 Aug 2020 03:13:13 PM CEST +From: Ido Schimmel +Date: Wed, 29 Jul 2020 11:37:13 +0300 +Subject: ipv4: Silence suspicious RCU usage warning + +From: Ido Schimmel + +[ Upstream commit 83f3522860f702748143e022f1a546547314c715 ] + +fib_trie_unmerge() is called with RTNL held, but not from an RCU +read-side critical section. This leads to the following warning [1] when +the FIB alias list in a leaf is traversed with +hlist_for_each_entry_rcu(). + +Since the function is always called with RTNL held and since +modification of the list is protected by RTNL, simply use +hlist_for_each_entry() and silence the warning. 
+ +[1] +WARNING: suspicious RCU usage +5.8.0-rc4-custom-01520-gc1f937f3f83b #30 Not tainted +----------------------------- +net/ipv4/fib_trie.c:1867 RCU-list traversed in non-reader section!! + +other info that might help us debug this: + +rcu_scheduler_active = 2, debug_locks = 1 +1 lock held by ip/164: + #0: ffffffff85a27850 (rtnl_mutex){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x49a/0xbd0 + +stack backtrace: +CPU: 0 PID: 164 Comm: ip Not tainted 5.8.0-rc4-custom-01520-gc1f937f3f83b #30 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-2.fc32 04/01/2014 +Call Trace: + dump_stack+0x100/0x184 + lockdep_rcu_suspicious+0x153/0x15d + fib_trie_unmerge+0x608/0xdb0 + fib_unmerge+0x44/0x360 + fib4_rule_configure+0xc8/0xad0 + fib_nl_newrule+0x37a/0x1dd0 + rtnetlink_rcv_msg+0x4f7/0xbd0 + netlink_rcv_skb+0x17a/0x480 + rtnetlink_rcv+0x22/0x30 + netlink_unicast+0x5ae/0x890 + netlink_sendmsg+0x98a/0xf40 + ____sys_sendmsg+0x879/0xa00 + ___sys_sendmsg+0x122/0x190 + __sys_sendmsg+0x103/0x1d0 + __x64_sys_sendmsg+0x7d/0xb0 + do_syscall_64+0x54/0xa0 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 +RIP: 0033:0x7fc80a234e97 +Code: Bad RIP value. +RSP: 002b:00007ffef8b66798 EFLAGS: 00000246 ORIG_RAX: 000000000000002e +RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fc80a234e97 +RDX: 0000000000000000 RSI: 00007ffef8b66800 RDI: 0000000000000003 +RBP: 000000005f141b1c R08: 0000000000000001 R09: 0000000000000000 +R10: 00007fc80a2a8ac0 R11: 0000000000000246 R12: 0000000000000001 +R13: 0000000000000000 R14: 00007ffef8b67008 R15: 0000556fccb10020 + +Fixes: 0ddcf43d5d4a ("ipv4: FIB Local/MAIN table collapse") +Signed-off-by: Ido Schimmel +Reviewed-by: Jiri Pirko +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/fib_trie.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/ipv4/fib_trie.c ++++ b/net/ipv4/fib_trie.c +@@ -1749,7 +1749,7 @@ struct fib_table *fib_trie_unmerge(struc + while ((l = leaf_walk_rcu(&tp, key)) != NULL) { + struct key_vector *local_l = NULL, *local_tp; + +- hlist_for_each_entry_rcu(fa, &l->leaf, fa_list) { ++ hlist_for_each_entry(fa, &l->leaf, fa_list) { + struct fib_alias *new_fa; + + if (local_tb->tb_id != fa->tb_id) diff --git a/queue-4.19/ipv6-fix-memory-leaks-on-ipv6_addrform-path.patch b/queue-4.19/ipv6-fix-memory-leaks-on-ipv6_addrform-path.patch new file mode 100644 index 00000000000..39f800696ca --- /dev/null +++ b/queue-4.19/ipv6-fix-memory-leaks-on-ipv6_addrform-path.patch @@ -0,0 +1,115 @@ +From foo@baz Mon 10 Aug 2020 03:13:13 PM CEST +From: Cong Wang +Date: Sat, 25 Jul 2020 15:40:53 -0700 +Subject: ipv6: fix memory leaks on IPV6_ADDRFORM path + +From: Cong Wang + +[ Upstream commit 8c0de6e96c9794cb523a516c465991a70245da1c ] + +IPV6_ADDRFORM causes resource leaks when converting an IPv6 socket +to IPv4, particularly struct ipv6_ac_socklist. Similar to +struct ipv6_mc_socklist, we should just close it on this path. 
+ +This bug can be easily reproduced with the following C program: + + #include <sys/types.h> + #include <sys/socket.h> + #include <netinet/in.h> + #include <arpa/inet.h> + #include <unistd.h> + + int main() + { + int s, value; + struct sockaddr_in6 addr; + struct ipv6_mreq m6; + + s = socket(AF_INET6, SOCK_DGRAM, 0); + addr.sin6_family = AF_INET6; + addr.sin6_port = htons(5000); + inet_pton(AF_INET6, "::ffff:192.168.122.194", &addr.sin6_addr); + connect(s, (struct sockaddr *)&addr, sizeof(addr)); + + inet_pton(AF_INET6, "fe80::AAAA", &m6.ipv6mr_multiaddr); + m6.ipv6mr_interface = 5; + setsockopt(s, SOL_IPV6, IPV6_JOIN_ANYCAST, &m6, sizeof(m6)); + + value = AF_INET; + setsockopt(s, SOL_IPV6, IPV6_ADDRFORM, &value, sizeof(value)); + + close(s); + return 0; + } + +Reported-by: ch3332xr@gmail.com +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Cong Wang +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/net/addrconf.h | 1 + + net/ipv6/anycast.c | 17 ++++++++++++----- + net/ipv6/ipv6_sockglue.c | 1 + + 3 files changed, 14 insertions(+), 5 deletions(-) + +--- a/include/net/addrconf.h ++++ b/include/net/addrconf.h +@@ -305,6 +305,7 @@ int ipv6_sock_ac_join(struct sock *sk, i + const struct in6_addr *addr); + int ipv6_sock_ac_drop(struct sock *sk, int ifindex, + const struct in6_addr *addr); ++void __ipv6_sock_ac_close(struct sock *sk); + void ipv6_sock_ac_close(struct sock *sk); + + int __ipv6_dev_ac_inc(struct inet6_dev *idev, const struct in6_addr *addr); +--- a/net/ipv6/anycast.c ++++ b/net/ipv6/anycast.c +@@ -173,7 +173,7 @@ int ipv6_sock_ac_drop(struct sock *sk, i + return 0; + } + +-void ipv6_sock_ac_close(struct sock *sk) ++void __ipv6_sock_ac_close(struct sock *sk) + { + struct ipv6_pinfo *np = inet6_sk(sk); + struct net_device *dev = NULL; +@@ -181,10 +181,7 @@ void ipv6_sock_ac_close(struct sock *sk) + struct net *net = sock_net(sk); + int prev_index; + +- if (!np->ipv6_ac_list) +- return; +- +- rtnl_lock(); ++ ASSERT_RTNL(); + pac = np->ipv6_ac_list; + np->ipv6_ac_list = NULL; + +@@ 
-201,6 +198,16 @@ void ipv6_sock_ac_close(struct sock *sk) + sock_kfree_s(sk, pac, sizeof(*pac)); + pac = next; + } ++} ++ ++void ipv6_sock_ac_close(struct sock *sk) ++{ ++ struct ipv6_pinfo *np = inet6_sk(sk); ++ ++ if (!np->ipv6_ac_list) ++ return; ++ rtnl_lock(); ++ __ipv6_sock_ac_close(sk); + rtnl_unlock(); + } + +--- a/net/ipv6/ipv6_sockglue.c ++++ b/net/ipv6/ipv6_sockglue.c +@@ -207,6 +207,7 @@ static int do_ipv6_setsockopt(struct soc + + fl6_free_socklist(sk); + __ipv6_sock_mc_close(sk); ++ __ipv6_sock_ac_close(sk); + + /* + * Sock is moving from IPv6 to IPv4 (sk_prot), so diff --git a/queue-4.19/net-ethernet-mtk_eth_soc-fix-mtu-warnings.patch b/queue-4.19/net-ethernet-mtk_eth_soc-fix-mtu-warnings.patch new file mode 100644 index 00000000000..dd8349a446c --- /dev/null +++ b/queue-4.19/net-ethernet-mtk_eth_soc-fix-mtu-warnings.patch @@ -0,0 +1,38 @@ +From foo@baz Mon 10 Aug 2020 03:13:13 PM CEST +From: Landen Chao +Date: Wed, 29 Jul 2020 10:15:17 +0200 +Subject: net: ethernet: mtk_eth_soc: fix MTU warnings + +From: Landen Chao + +[ Upstream commit 555a893303872e044fb86f0a5834ce78d41ad2e2 ] + +in recent kernel versions there are warnings about incorrect MTU size +like these: + +eth0: mtu greater than device maximum +mtk_soc_eth 1b100000.ethernet eth0: error -22 setting MTU to include DSA overhead + +Fixes: bfcb813203e6 ("net: dsa: configure the MTU for switch ports") +Fixes: 72579e14a1d3 ("net: dsa: don't fail to probe if we couldn't set the MTU") +Fixes: 7a4c53bee332 ("net: report invalid mtu value via netlink extack") +Signed-off-by: Landen Chao +Signed-off-by: Frank Wunderlich +Reviewed-by: Andrew Lunn +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mediatek/mtk_eth_soc.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/net/ethernet/mediatek/mtk_eth_soc.c ++++ b/drivers/net/ethernet/mediatek/mtk_eth_soc.c +@@ -2452,6 +2452,8 @@ static int mtk_add_mac(struct mtk_eth *e + eth->netdev[id]->irq = eth->irq[0]; + eth->netdev[id]->dev.of_node = np; + ++ eth->netdev[id]->max_mtu = MTK_MAX_RX_LENGTH - MTK_RX_ETH_HLEN; ++ + return 0; + + free_netdev: diff --git a/queue-4.19/net-gre-recompute-gre-csum-for-sctp-over-gre-tunnels.patch b/queue-4.19/net-gre-recompute-gre-csum-for-sctp-over-gre-tunnels.patch new file mode 100644 index 00000000000..a011111e1d7 --- /dev/null +++ b/queue-4.19/net-gre-recompute-gre-csum-for-sctp-over-gre-tunnels.patch @@ -0,0 +1,69 @@ +From foo@baz Mon 10 Aug 2020 03:13:13 PM CEST +From: Lorenzo Bianconi +Date: Fri, 31 Jul 2020 20:12:05 +0200 +Subject: net: gre: recompute gre csum for sctp over gre tunnels + +From: Lorenzo Bianconi + +[ Upstream commit 622e32b7d4a6492cf5c1f759ef833f817418f7b3 ] + +The GRE tunnel can be used to transport traffic that does not rely on a +Internet checksum (e.g. SCTP). The issue can be triggered creating a GRE +or GRETAP tunnel and transmitting SCTP traffic ontop of it where CRC +offload has been disabled. In order to fix the issue we need to +recompute the GRE csum in gre_gso_segment() not relying on the inner +checksum. +The issue is still present when we have the CRC offload enabled. +In this case we need to disable the CRC offload if we require GRE +checksum since otherwise skb_checksum() will report a wrong value. + +Fixes: 90017accff61 ("sctp: Add GSO support") +Signed-off-by: Lorenzo Bianconi +Reviewed-by: Marcelo Ricardo Leitner +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/gre_offload.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +--- a/net/ipv4/gre_offload.c ++++ b/net/ipv4/gre_offload.c +@@ -19,12 +19,12 @@ static struct sk_buff *gre_gso_segment(s + netdev_features_t features) + { + int tnl_hlen = skb_inner_mac_header(skb) - skb_transport_header(skb); ++ bool need_csum, need_recompute_csum, gso_partial; + struct sk_buff *segs = ERR_PTR(-EINVAL); + u16 mac_offset = skb->mac_header; + __be16 protocol = skb->protocol; + u16 mac_len = skb->mac_len; + int gre_offset, outer_hlen; +- bool need_csum, gso_partial; + + if (!skb->encapsulation) + goto out; +@@ -45,6 +45,7 @@ static struct sk_buff *gre_gso_segment(s + skb->protocol = skb->inner_protocol; + + need_csum = !!(skb_shinfo(skb)->gso_type & SKB_GSO_GRE_CSUM); ++ need_recompute_csum = skb->csum_not_inet; + skb->encap_hdr_csum = need_csum; + + features &= skb->dev->hw_enc_features; +@@ -102,7 +103,15 @@ static struct sk_buff *gre_gso_segment(s + } + + *(pcsum + 1) = 0; +- *pcsum = gso_make_checksum(skb, 0); ++ if (need_recompute_csum && !skb_is_gso(skb)) { ++ __wsum csum; ++ ++ csum = skb_checksum(skb, gre_offset, ++ skb->len - gre_offset, 0); ++ *pcsum = csum_fold(csum); ++ } else { ++ *pcsum = gso_make_checksum(skb, 0); ++ } + } while ((skb = skb->next)); + out: + return segs; diff --git a/queue-4.19/net-lan78xx-replace-bogus-endpoint-lookup.patch b/queue-4.19/net-lan78xx-replace-bogus-endpoint-lookup.patch new file mode 100644 index 00000000000..9fa36fc8800 --- /dev/null +++ b/queue-4.19/net-lan78xx-replace-bogus-endpoint-lookup.patch @@ -0,0 +1,189 @@ +From foo@baz Mon 10 Aug 2020 03:13:13 PM CEST +From: Johan Hovold +Date: Tue, 28 Jul 2020 14:10:31 +0200 +Subject: net: lan78xx: replace bogus endpoint lookup + +From: Johan Hovold + +[ Upstream commit ea060b352654a8de1e070140d25fe1b7e4d50310 ] + +Drop the bogus endpoint-lookup helper which could end up accepting +interfaces based on endpoints 
belonging to unrelated altsettings. + +Note that the returned bulk pipes and interrupt endpoint descriptor +were never actually used. Instead the bulk-endpoint numbers are +hardcoded to 1 and 2 (matching the specification), while the interrupt- +endpoint descriptor was assumed to be the third descriptor created by +USB core. + +Try to bring some order to this by dropping the bogus lookup helper and +adding the missing endpoint sanity checks while keeping the interrupt- +descriptor assumption for now. + +Signed-off-by: Johan Hovold +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/lan78xx.c | 117 +++++++++++----------------------------------- + 1 file changed, 30 insertions(+), 87 deletions(-) + +--- a/drivers/net/usb/lan78xx.c ++++ b/drivers/net/usb/lan78xx.c +@@ -388,10 +388,6 @@ struct lan78xx_net { + struct tasklet_struct bh; + struct delayed_work wq; + +- struct usb_host_endpoint *ep_blkin; +- struct usb_host_endpoint *ep_blkout; +- struct usb_host_endpoint *ep_intr; +- + int msg_enable; + + struct urb *urb_intr; +@@ -2883,78 +2879,12 @@ lan78xx_start_xmit(struct sk_buff *skb, + return NETDEV_TX_OK; + } + +-static int +-lan78xx_get_endpoints(struct lan78xx_net *dev, struct usb_interface *intf) +-{ +- int tmp; +- struct usb_host_interface *alt = NULL; +- struct usb_host_endpoint *in = NULL, *out = NULL; +- struct usb_host_endpoint *status = NULL; +- +- for (tmp = 0; tmp < intf->num_altsetting; tmp++) { +- unsigned ep; +- +- in = NULL; +- out = NULL; +- status = NULL; +- alt = intf->altsetting + tmp; +- +- for (ep = 0; ep < alt->desc.bNumEndpoints; ep++) { +- struct usb_host_endpoint *e; +- int intr = 0; +- +- e = alt->endpoint + ep; +- switch (e->desc.bmAttributes) { +- case USB_ENDPOINT_XFER_INT: +- if (!usb_endpoint_dir_in(&e->desc)) +- continue; +- intr = 1; +- /* FALLTHROUGH */ +- case USB_ENDPOINT_XFER_BULK: +- break; +- default: +- continue; +- } +- if (usb_endpoint_dir_in(&e->desc)) { +- if (!intr && !in) +- in = e; 
+- else if (intr && !status) +- status = e; +- } else { +- if (!out) +- out = e; +- } +- } +- if (in && out) +- break; +- } +- if (!alt || !in || !out) +- return -EINVAL; +- +- dev->pipe_in = usb_rcvbulkpipe(dev->udev, +- in->desc.bEndpointAddress & +- USB_ENDPOINT_NUMBER_MASK); +- dev->pipe_out = usb_sndbulkpipe(dev->udev, +- out->desc.bEndpointAddress & +- USB_ENDPOINT_NUMBER_MASK); +- dev->ep_intr = status; +- +- return 0; +-} +- + static int lan78xx_bind(struct lan78xx_net *dev, struct usb_interface *intf) + { + struct lan78xx_priv *pdata = NULL; + int ret; + int i; + +- ret = lan78xx_get_endpoints(dev, intf); +- if (ret) { +- netdev_warn(dev->net, "lan78xx_get_endpoints failed: %d\n", +- ret); +- return ret; +- } +- + dev->data[0] = (unsigned long)kzalloc(sizeof(*pdata), GFP_KERNEL); + + pdata = (struct lan78xx_priv *)(dev->data[0]); +@@ -3726,6 +3656,7 @@ static void lan78xx_stat_monitor(struct + static int lan78xx_probe(struct usb_interface *intf, + const struct usb_device_id *id) + { ++ struct usb_host_endpoint *ep_blkin, *ep_blkout, *ep_intr; + struct lan78xx_net *dev; + struct net_device *netdev; + struct usb_device *udev; +@@ -3774,6 +3705,34 @@ static int lan78xx_probe(struct usb_inte + + mutex_init(&dev->stats.access_lock); + ++ if (intf->cur_altsetting->desc.bNumEndpoints < 3) { ++ ret = -ENODEV; ++ goto out2; ++ } ++ ++ dev->pipe_in = usb_rcvbulkpipe(udev, BULK_IN_PIPE); ++ ep_blkin = usb_pipe_endpoint(udev, dev->pipe_in); ++ if (!ep_blkin || !usb_endpoint_is_bulk_in(&ep_blkin->desc)) { ++ ret = -ENODEV; ++ goto out2; ++ } ++ ++ dev->pipe_out = usb_sndbulkpipe(udev, BULK_OUT_PIPE); ++ ep_blkout = usb_pipe_endpoint(udev, dev->pipe_out); ++ if (!ep_blkout || !usb_endpoint_is_bulk_out(&ep_blkout->desc)) { ++ ret = -ENODEV; ++ goto out2; ++ } ++ ++ ep_intr = &intf->cur_altsetting->endpoint[2]; ++ if (!usb_endpoint_is_int_in(&ep_intr->desc)) { ++ ret = -ENODEV; ++ goto out2; ++ } ++ ++ dev->pipe_intr = usb_rcvintpipe(dev->udev, ++ 
usb_endpoint_num(&ep_intr->desc)); ++ + ret = lan78xx_bind(dev, intf); + if (ret < 0) + goto out2; +@@ -3786,23 +3745,7 @@ static int lan78xx_probe(struct usb_inte + netdev->max_mtu = MAX_SINGLE_PACKET_SIZE; + netif_set_gso_max_size(netdev, MAX_SINGLE_PACKET_SIZE - MAX_HEADER); + +- if (intf->cur_altsetting->desc.bNumEndpoints < 3) { +- ret = -ENODEV; +- goto out3; +- } +- +- dev->ep_blkin = (intf->cur_altsetting)->endpoint + 0; +- dev->ep_blkout = (intf->cur_altsetting)->endpoint + 1; +- dev->ep_intr = (intf->cur_altsetting)->endpoint + 2; +- +- dev->pipe_in = usb_rcvbulkpipe(udev, BULK_IN_PIPE); +- dev->pipe_out = usb_sndbulkpipe(udev, BULK_OUT_PIPE); +- +- dev->pipe_intr = usb_rcvintpipe(dev->udev, +- dev->ep_intr->desc.bEndpointAddress & +- USB_ENDPOINT_NUMBER_MASK); +- period = dev->ep_intr->desc.bInterval; +- ++ period = ep_intr->desc.bInterval; + maxp = usb_maxpacket(dev->udev, dev->pipe_intr, 0); + buf = kmalloc(maxp, GFP_KERNEL); + if (buf) { diff --git a/queue-4.19/net-thunderx-use-spin_lock_bh-in-nicvf_set_rx_mode_task.patch b/queue-4.19/net-thunderx-use-spin_lock_bh-in-nicvf_set_rx_mode_task.patch new file mode 100644 index 00000000000..f30445b2818 --- /dev/null +++ b/queue-4.19/net-thunderx-use-spin_lock_bh-in-nicvf_set_rx_mode_task.patch @@ -0,0 +1,60 @@ +From foo@baz Mon 10 Aug 2020 03:13:13 PM CEST +From: Xin Long +Date: Tue, 4 Aug 2020 15:02:30 +0800 +Subject: net: thunderx: use spin_lock_bh in nicvf_set_rx_mode_task() + +From: Xin Long + +[ Upstream commit bab9693a9a8c6dd19f670408ec1e78e12a320682 ] + +A dead lock was triggered on thunderx driver: + + CPU0 CPU1 + ---- ---- + [01] lock(&(&nic->rx_mode_wq_lock)->rlock); + [11] lock(&(&mc->mca_lock)->rlock); + [12] lock(&(&nic->rx_mode_wq_lock)->rlock); + [02] lock(&(&mc->mca_lock)->rlock); + +The path for each is: + + [01] worker_thread() -> process_one_work() -> nicvf_set_rx_mode_task() + [02] mld_ifc_timer_expire() + [11] ipv6_add_dev() -> ipv6_dev_mc_inc() -> igmp6_group_added() -> + [12] 
dev_mc_add() -> __dev_set_rx_mode() -> nicvf_set_rx_mode() + +To fix it, it needs to disable bh on [1], so that the timer on [2] +wouldn't be triggered until rx_mode_wq_lock is released. So change +to use spin_lock_bh() instead of spin_lock(). + +Thanks to Paolo for helping with this. + +v1->v2: + - post to netdev. + +Reported-by: Rafael P. +Tested-by: Dean Nelson +Fixes: 469998c861fa ("net: thunderx: prevent concurrent data re-writing by nicvf_set_rx_mode") +Signed-off-by: Xin Long +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/cavium/thunder/nicvf_main.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/cavium/thunder/nicvf_main.c ++++ b/drivers/net/ethernet/cavium/thunder/nicvf_main.c +@@ -2015,11 +2015,11 @@ static void nicvf_set_rx_mode_task(struc + /* Save message data locally to prevent them from + * being overwritten by next ndo_set_rx_mode call(). + */ +- spin_lock(&nic->rx_mode_wq_lock); ++ spin_lock_bh(&nic->rx_mode_wq_lock); + mode = vf_work->mode; + mc = vf_work->mc; + vf_work->mc = NULL; +- spin_unlock(&nic->rx_mode_wq_lock); ++ spin_unlock_bh(&nic->rx_mode_wq_lock); + + __nicvf_set_rx_mode_task(mode, mc, nic); + } diff --git a/queue-4.19/openvswitch-prevent-kernel-infoleak-in-ovs_ct_put_key.patch b/queue-4.19/openvswitch-prevent-kernel-infoleak-in-ovs_ct_put_key.patch new file mode 100644 index 00000000000..9d8d5652e09 --- /dev/null +++ b/queue-4.19/openvswitch-prevent-kernel-infoleak-in-ovs_ct_put_key.patch @@ -0,0 +1,81 @@ +From foo@baz Mon 10 Aug 2020 03:13:13 PM CEST +From: Peilin Ye +Date: Fri, 31 Jul 2020 00:48:38 -0400 +Subject: openvswitch: Prevent kernel-infoleak in ovs_ct_put_key() + +From: Peilin Ye + +[ Upstream commit 9aba6c5b49254d5bee927d81593ed4429e91d4ae ] + +ovs_ct_put_key() is potentially copying uninitialized kernel stack memory +into socket buffers, since the compiler may leave a 3-byte hole at the end +of `struct ovs_key_ct_tuple_ipv4` and 
`struct ovs_key_ct_tuple_ipv6`. Fix +it by initializing `orig` with memset(). + +Fixes: 9dd7f8907c37 ("openvswitch: Add original direction conntrack tuple to sw_flow_key.") +Suggested-by: Dan Carpenter +Signed-off-by: Peilin Ye +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/openvswitch/conntrack.c | 38 ++++++++++++++++++++------------------ + 1 file changed, 20 insertions(+), 18 deletions(-) + +--- a/net/openvswitch/conntrack.c ++++ b/net/openvswitch/conntrack.c +@@ -283,10 +283,6 @@ void ovs_ct_fill_key(const struct sk_buf + ovs_ct_update_key(skb, NULL, key, false, false); + } + +-#define IN6_ADDR_INITIALIZER(ADDR) \ +- { (ADDR).s6_addr32[0], (ADDR).s6_addr32[1], \ +- (ADDR).s6_addr32[2], (ADDR).s6_addr32[3] } +- + int ovs_ct_put_key(const struct sw_flow_key *swkey, + const struct sw_flow_key *output, struct sk_buff *skb) + { +@@ -308,24 +304,30 @@ int ovs_ct_put_key(const struct sw_flow_ + + if (swkey->ct_orig_proto) { + if (swkey->eth.type == htons(ETH_P_IP)) { +- struct ovs_key_ct_tuple_ipv4 orig = { +- output->ipv4.ct_orig.src, +- output->ipv4.ct_orig.dst, +- output->ct.orig_tp.src, +- output->ct.orig_tp.dst, +- output->ct_orig_proto, +- }; ++ struct ovs_key_ct_tuple_ipv4 orig; ++ ++ memset(&orig, 0, sizeof(orig)); ++ orig.ipv4_src = output->ipv4.ct_orig.src; ++ orig.ipv4_dst = output->ipv4.ct_orig.dst; ++ orig.src_port = output->ct.orig_tp.src; ++ orig.dst_port = output->ct.orig_tp.dst; ++ orig.ipv4_proto = output->ct_orig_proto; ++ + if (nla_put(skb, OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV4, + sizeof(orig), &orig)) + return -EMSGSIZE; + } else if (swkey->eth.type == htons(ETH_P_IPV6)) { +- struct ovs_key_ct_tuple_ipv6 orig = { +- IN6_ADDR_INITIALIZER(output->ipv6.ct_orig.src), +- IN6_ADDR_INITIALIZER(output->ipv6.ct_orig.dst), +- output->ct.orig_tp.src, +- output->ct.orig_tp.dst, +- output->ct_orig_proto, +- }; ++ struct ovs_key_ct_tuple_ipv6 orig; ++ ++ memset(&orig, 0, sizeof(orig)); ++ memcpy(orig.ipv6_src, 
output->ipv6.ct_orig.src.s6_addr32, ++ sizeof(orig.ipv6_src)); ++ memcpy(orig.ipv6_dst, output->ipv6.ct_orig.dst.s6_addr32, ++ sizeof(orig.ipv6_dst)); ++ orig.src_port = output->ct.orig_tp.src; ++ orig.dst_port = output->ct.orig_tp.dst; ++ orig.ipv6_proto = output->ct_orig_proto; ++ + if (nla_put(skb, OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV6, + sizeof(orig), &orig)) + return -EMSGSIZE; diff --git a/queue-4.19/revert-vxlan-fix-tos-value-before-xmit.patch b/queue-4.19/revert-vxlan-fix-tos-value-before-xmit.patch new file mode 100644 index 00000000000..a2cf8c2c4c2 --- /dev/null +++ b/queue-4.19/revert-vxlan-fix-tos-value-before-xmit.patch @@ -0,0 +1,65 @@ +From foo@baz Mon 10 Aug 2020 03:13:13 PM CEST +From: Hangbin Liu +Date: Wed, 5 Aug 2020 10:41:31 +0800 +Subject: Revert "vxlan: fix tos value before xmit" + +From: Hangbin Liu + +[ Upstream commit a0dced17ad9dc08b1b25e0065b54c97a318e6e8b ] + +This reverts commit 71130f29979c7c7956b040673e6b9d5643003176. + +In commit 71130f29979c ("vxlan: fix tos value before xmit") we want to +make sure the tos value are filtered by RT_TOS() based on RFC1349. + + 0 1 2 3 4 5 6 7 + +-----+-----+-----+-----+-----+-----+-----+-----+ + | PRECEDENCE | TOS | MBZ | + +-----+-----+-----+-----+-----+-----+-----+-----+ + +But RFC1349 has been obsoleted by RFC2474. The new DSCP field defined like + + 0 1 2 3 4 5 6 7 + +-----+-----+-----+-----+-----+-----+-----+-----+ + | DS FIELD, DSCP | ECN FIELD | + +-----+-----+-----+-----+-----+-----+-----+-----+ + +So with + +IPTOS_TOS_MASK 0x1E +RT_TOS(tos) ((tos)&IPTOS_TOS_MASK) + +the first 3 bits DSCP info will get lost. + +To take all the DSCP info in xmit, we should revert the patch and just push +all tos bits to ip_tunnel_ecn_encap(), which will handling ECN field later. + +Fixes: 71130f29979c ("vxlan: fix tos value before xmit") +Signed-off-by: Hangbin Liu +Acked-by: Guillaume Nault +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/vxlan.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/net/vxlan.c ++++ b/drivers/net/vxlan.c +@@ -2223,7 +2223,7 @@ static void vxlan_xmit_one(struct sk_buf + ndst = &rt->dst; + skb_tunnel_check_pmtu(skb, ndst, VXLAN_HEADROOM); + +- tos = ip_tunnel_ecn_encap(RT_TOS(tos), old_iph, skb); ++ tos = ip_tunnel_ecn_encap(tos, old_iph, skb); + ttl = ttl ? : ip4_dst_hoplimit(&rt->dst); + err = vxlan_build_skb(skb, ndst, sizeof(struct iphdr), + vni, md, flags, udp_sum); +@@ -2260,7 +2260,7 @@ static void vxlan_xmit_one(struct sk_buf + + skb_tunnel_check_pmtu(skb, ndst, VXLAN6_HEADROOM); + +- tos = ip_tunnel_ecn_encap(RT_TOS(tos), old_iph, skb); ++ tos = ip_tunnel_ecn_encap(tos, old_iph, skb); + ttl = ttl ? : ip6_dst_hoplimit(ndst); + skb_scrub_packet(skb, xnet); + err = vxlan_build_skb(skb, ndst, sizeof(struct ipv6hdr), diff --git a/queue-4.19/rxrpc-fix-race-between-recvmsg-and-sendmsg-on-immediate-call-failure.patch b/queue-4.19/rxrpc-fix-race-between-recvmsg-and-sendmsg-on-immediate-call-failure.patch new file mode 100644 index 00000000000..871a8df3258 --- /dev/null +++ b/queue-4.19/rxrpc-fix-race-between-recvmsg-and-sendmsg-on-immediate-call-failure.patch @@ -0,0 +1,166 @@ +From foo@baz Mon 10 Aug 2020 03:13:13 PM CEST +From: David Howells +Date: Wed, 29 Jul 2020 00:03:56 +0100 +Subject: rxrpc: Fix race between recvmsg and sendmsg on immediate call failure + +From: David Howells + +[ Upstream commit 65550098c1c4db528400c73acf3e46bfa78d9264 ] + +There's a race between rxrpc_sendmsg setting up a call, but then failing to +send anything on it due to an error, and recvmsg() seeing the call +completion occur and trying to return the state to the user. + +An assertion fails in rxrpc_recvmsg() because the call has already been +released from the socket and is about to be released again as recvmsg deals +with it. 
(The recvmsg_q queue on the socket holds a ref, so there's no +problem with use-after-free.) + +We also have to be careful not to end up reporting an error twice, in such +a way that both returns indicate to userspace that the user ID supplied +with the call is no longer in use - which could cause the client to +malfunction if it recycles the user ID fast enough. + +Fix this by the following means: + + (1) When sendmsg() creates a call after the point that the call has been + successfully added to the socket, don't return any errors through + sendmsg(), but rather complete the call and let recvmsg() retrieve + them. Make sendmsg() return 0 at this point. Further calls to + sendmsg() for that call will fail with ESHUTDOWN. + + Note that at this point, we haven't sent any packets yet, so the + server doesn't yet know about the call. + + (2) If sendmsg() returns an error when it was expected to create a new + call, it means that the user ID wasn't used. + + (3) Mark the call disconnected before marking it completed to prevent an + oops in rxrpc_release_call(). + + (4) recvmsg() will then retrieve the error and set MSG_EOR to indicate + that the user ID is no longer known by the kernel. + +An oops like the following is produced: + + kernel BUG at net/rxrpc/recvmsg.c:605! + ... + RIP: 0010:rxrpc_recvmsg+0x256/0x5ae + ... + Call Trace: + ? __init_waitqueue_head+0x2f/0x2f + ____sys_recvmsg+0x8a/0x148 + ? import_iovec+0x69/0x9c + ? copy_msghdr_from_user+0x5c/0x86 + ___sys_recvmsg+0x72/0xaa + ? __fget_files+0x22/0x57 + ? __fget_light+0x46/0x51 + ? fdget+0x9/0x1b + do_recvmmsg+0x15e/0x232 + ? _raw_spin_unlock+0xa/0xb + ? 
vtime_delta+0xf/0x25 + __x64_sys_recvmmsg+0x2c/0x2f + do_syscall_64+0x4c/0x78 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +Fixes: 357f5ef64628 ("rxrpc: Call rxrpc_release_call() on error in rxrpc_new_client_call()") +Reported-by: syzbot+b54969381df354936d96@syzkaller.appspotmail.com +Signed-off-by: David Howells +Reviewed-by: Marc Dionne +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/rxrpc/call_object.c | 27 +++++++++++++++++++-------- + net/rxrpc/conn_object.c | 8 +++++--- + net/rxrpc/recvmsg.c | 2 +- + net/rxrpc/sendmsg.c | 3 +++ + 4 files changed, 28 insertions(+), 12 deletions(-) + +--- a/net/rxrpc/call_object.c ++++ b/net/rxrpc/call_object.c +@@ -290,7 +290,7 @@ struct rxrpc_call *rxrpc_new_client_call + */ + ret = rxrpc_connect_call(rx, call, cp, srx, gfp); + if (ret < 0) +- goto error; ++ goto error_attached_to_socket; + + trace_rxrpc_call(call, rxrpc_call_connected, atomic_read(&call->usage), + here, NULL); +@@ -310,18 +310,29 @@ struct rxrpc_call *rxrpc_new_client_call + error_dup_user_ID: + write_unlock(&rx->call_lock); + release_sock(&rx->sk); +- ret = -EEXIST; +- +-error: + __rxrpc_set_call_completion(call, RXRPC_CALL_LOCAL_ERROR, +- RX_CALL_DEAD, ret); ++ RX_CALL_DEAD, -EEXIST); + trace_rxrpc_call(call, rxrpc_call_error, atomic_read(&call->usage), +- here, ERR_PTR(ret)); ++ here, ERR_PTR(-EEXIST)); + rxrpc_release_call(rx, call); + mutex_unlock(&call->user_mutex); + rxrpc_put_call(call, rxrpc_call_put); +- _leave(" = %d", ret); +- return ERR_PTR(ret); ++ _leave(" = -EEXIST"); ++ return ERR_PTR(-EEXIST); ++ ++ /* We got an error, but the call is attached to the socket and is in ++ * need of release. However, we might now race with recvmsg() when ++ * completing the call queues it. Return 0 from sys_sendmsg() and ++ * leave the error to recvmsg() to deal with. 
++ */ ++error_attached_to_socket: ++ trace_rxrpc_call(call, rxrpc_call_error, atomic_read(&call->usage), ++ here, ERR_PTR(ret)); ++ set_bit(RXRPC_CALL_DISCONNECTED, &call->flags); ++ __rxrpc_set_call_completion(call, RXRPC_CALL_LOCAL_ERROR, ++ RX_CALL_DEAD, ret); ++ _leave(" = c=%08x [err]", call->debug_id); ++ return call; + } + + /* +--- a/net/rxrpc/conn_object.c ++++ b/net/rxrpc/conn_object.c +@@ -215,9 +215,11 @@ void rxrpc_disconnect_call(struct rxrpc_ + + call->peer->cong_cwnd = call->cong_cwnd; + +- spin_lock_bh(&conn->params.peer->lock); +- hlist_del_rcu(&call->error_link); +- spin_unlock_bh(&conn->params.peer->lock); ++ if (!hlist_unhashed(&call->error_link)) { ++ spin_lock_bh(&call->peer->lock); ++ hlist_del_rcu(&call->error_link); ++ spin_unlock_bh(&call->peer->lock); ++ } + + if (rxrpc_is_client_call(call)) + return rxrpc_disconnect_client_call(call); +--- a/net/rxrpc/recvmsg.c ++++ b/net/rxrpc/recvmsg.c +@@ -530,7 +530,7 @@ try_again: + goto error_unlock_call; + } + +- if (msg->msg_name) { ++ if (msg->msg_name && call->peer) { + struct sockaddr_rxrpc *srx = msg->msg_name; + size_t len = sizeof(call->peer->srx); + +--- a/net/rxrpc/sendmsg.c ++++ b/net/rxrpc/sendmsg.c +@@ -654,6 +654,9 @@ int rxrpc_do_sendmsg(struct rxrpc_sock * + if (IS_ERR(call)) + return PTR_ERR(call); + /* ... and we have the call lock. 
*/ ++ ret = 0; ++ if (READ_ONCE(call->state) == RXRPC_CALL_COMPLETE) ++ goto out_put_unlock; + } else { + switch (READ_ONCE(call->state)) { + case RXRPC_CALL_UNINITIALISED: diff --git a/queue-4.19/selftests-net-relax-cpu-affinity-requirement-in-msg_zerocopy-test.patch b/queue-4.19/selftests-net-relax-cpu-affinity-requirement-in-msg_zerocopy-test.patch new file mode 100644 index 00000000000..79ba91dcb2f --- /dev/null +++ b/queue-4.19/selftests-net-relax-cpu-affinity-requirement-in-msg_zerocopy-test.patch @@ -0,0 +1,46 @@ +From foo@baz Mon 10 Aug 2020 03:13:13 PM CEST +From: Willem de Bruijn +Date: Wed, 5 Aug 2020 04:40:45 -0400 +Subject: selftests/net: relax cpu affinity requirement in msg_zerocopy test + +From: Willem de Bruijn + +[ Upstream commit 16f6458f2478b55e2b628797bc81a4455045c74e ] + +The msg_zerocopy test pins the sender and receiver threads to separate +cores to reduce variance between runs. + +But it hardcodes the cores and skips core 0, so it fails on machines +with the selected cores offline, or simply fewer cores. + +The test mainly gives code coverage in automated runs. The throughput +of zerocopy ('-z') and non-zerocopy runs is logged for manual +inspection. + +Continue even when sched_setaffinity fails. Just log to warn anyone +interpreting the data. + +Fixes: 07b65c5b31ce ("test: add msg_zerocopy test") +Reported-by: Colin Ian King +Signed-off-by: Willem de Bruijn +Acked-by: Colin Ian King +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/net/msg_zerocopy.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/tools/testing/selftests/net/msg_zerocopy.c ++++ b/tools/testing/selftests/net/msg_zerocopy.c +@@ -125,9 +125,8 @@ static int do_setcpu(int cpu) + CPU_ZERO(&mask); + CPU_SET(cpu, &mask); + if (sched_setaffinity(0, sizeof(mask), &mask)) +- error(1, 0, "setaffinity %d", cpu); +- +- if (cfg_verbose) ++ fprintf(stderr, "cpu: unable to pin, may increase variance.\n"); ++ else if (cfg_verbose) + fprintf(stderr, "cpu: %u\n", cpu); + + return 0; diff --git a/queue-4.19/series b/queue-4.19/series index 59f470b4a0d..145e280b515 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -29,3 +29,15 @@ atm-fix-atm_dev-refcnt-leaks-in-atmtcp_remove_persis.patch tools-lib-traceevent-fix-memory-leak-in-process_dyna.patch drivers-hv-vmbus-ignore-channelmsg_tl_connect_result.patch xattr-break-delegations-in-set-remove-xattr.patch +ipv4-silence-suspicious-rcu-usage-warning.patch +ipv6-fix-memory-leaks-on-ipv6_addrform-path.patch +net-ethernet-mtk_eth_soc-fix-mtu-warnings.patch +vxlan-ensure-fdb-dump-is-performed-under-rcu.patch +net-lan78xx-replace-bogus-endpoint-lookup.patch +hv_netvsc-do-not-use-vf-device-if-link-is-down.patch +net-gre-recompute-gre-csum-for-sctp-over-gre-tunnels.patch +net-thunderx-use-spin_lock_bh-in-nicvf_set_rx_mode_task.patch +openvswitch-prevent-kernel-infoleak-in-ovs_ct_put_key.patch +revert-vxlan-fix-tos-value-before-xmit.patch +selftests-net-relax-cpu-affinity-requirement-in-msg_zerocopy-test.patch +rxrpc-fix-race-between-recvmsg-and-sendmsg-on-immediate-call-failure.patch diff --git a/queue-4.19/vxlan-ensure-fdb-dump-is-performed-under-rcu.patch b/queue-4.19/vxlan-ensure-fdb-dump-is-performed-under-rcu.patch new file mode 100644 index 00000000000..b6299b81d8d --- /dev/null +++ b/queue-4.19/vxlan-ensure-fdb-dump-is-performed-under-rcu.patch @@ -0,0 +1,96 @@ +From foo@baz Mon 10 Aug 2020 03:13:13 PM 
CEST +From: Ido Schimmel +Date: Wed, 29 Jul 2020 11:34:36 +0300 +Subject: vxlan: Ensure FDB dump is performed under RCU + +From: Ido Schimmel + +[ Upstream commit b5141915b5aec3b29a63db869229e3741ebce258 ] + +The commit cited below removed the RCU read-side critical section from +rtnl_fdb_dump() which means that the ndo_fdb_dump() callback is invoked +without RCU protection. + +This results in the following warning [1] in the VXLAN driver, which +relied on the callback being invoked from an RCU read-side critical +section. + +Fix this by calling rcu_read_lock() in the VXLAN driver, as already done +in the bridge driver. + +[1] +WARNING: suspicious RCU usage +5.8.0-rc4-custom-01521-g481007553ce6 #29 Not tainted +----------------------------- +drivers/net/vxlan.c:1379 RCU-list traversed in non-reader section!! + +other info that might help us debug this: + +rcu_scheduler_active = 2, debug_locks = 1 +1 lock held by bridge/166: + #0: ffffffff85a27850 (rtnl_mutex){+.+.}-{3:3}, at: netlink_dump+0xea/0x1090 + +stack backtrace: +CPU: 1 PID: 166 Comm: bridge Not tainted 5.8.0-rc4-custom-01521-g481007553ce6 #29 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-2.fc32 04/01/2014 +Call Trace: + dump_stack+0x100/0x184 + lockdep_rcu_suspicious+0x153/0x15d + vxlan_fdb_dump+0x51e/0x6d0 + rtnl_fdb_dump+0x4dc/0xad0 + netlink_dump+0x540/0x1090 + __netlink_dump_start+0x695/0x950 + rtnetlink_rcv_msg+0x802/0xbd0 + netlink_rcv_skb+0x17a/0x480 + rtnetlink_rcv+0x22/0x30 + netlink_unicast+0x5ae/0x890 + netlink_sendmsg+0x98a/0xf40 + __sys_sendto+0x279/0x3b0 + __x64_sys_sendto+0xe6/0x1a0 + do_syscall_64+0x54/0xa0 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 +RIP: 0033:0x7fe14fa2ade0 +Code: Bad RIP value. 
+RSP: 002b:00007fff75bb5b88 EFLAGS: 00000246 ORIG_RAX: 000000000000002c +RAX: ffffffffffffffda RBX: 00005614b1ba0020 RCX: 00007fe14fa2ade0 +RDX: 000000000000011c RSI: 00007fff75bb5b90 RDI: 0000000000000003 +RBP: 00007fff75bb5b90 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 00005614b1b89160 +R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 + +Fixes: 5e6d24358799 ("bridge: netlink dump interface at par with brctl") +Signed-off-by: Ido Schimmel +Reviewed-by: Jiri Pirko +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/vxlan.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/net/vxlan.c ++++ b/drivers/net/vxlan.c +@@ -975,6 +975,7 @@ static int vxlan_fdb_dump(struct sk_buff + for (h = 0; h < FDB_HASH_SIZE; ++h) { + struct vxlan_fdb *f; + ++ rcu_read_lock(); + hlist_for_each_entry_rcu(f, &vxlan->fdb_head[h], hlist) { + struct vxlan_rdst *rd; + +@@ -987,12 +988,15 @@ static int vxlan_fdb_dump(struct sk_buff + cb->nlh->nlmsg_seq, + RTM_NEWNEIGH, + NLM_F_MULTI, rd); +- if (err < 0) ++ if (err < 0) { ++ rcu_read_unlock(); + goto out; ++ } + skip: + *idx += 1; + } + } ++ rcu_read_unlock(); + } + out: + return err; -- 2.47.3