From f8f89b5df20074bfffa08feab339381f5e792935 Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman Date: Thu, 28 Mar 2019 21:54:59 +0100 Subject: [PATCH] 5.0-stable patches added patches: dccp-do-not-use-ipv6-header-for-ipv4-flow.patch genetlink-fix-a-memory-leak-on-error-path.patch gtp-change-net_udp_tunnel-dependency-to-select.patch ila-fix-rhashtable-walker-list-corruption.patch ipv6-make-ip6_create_rt_rcu-return-ip6_null_entry-instead-of-null.patch mac8390-fix-mmio-access-size-probe.patch misdn-hfcpci-test-both-vendor-device-id-for-digium-hfc4s.patch net-aquantia-fix-rx-checksum-offload-for-udp-tcp-over-ipv6.patch net-datagram-fix-unbounded-loop-in-__skb_try_recv_datagram.patch net-dsa-mv88e6xxx-fix-few-issues-in-mv88e6390x_port_set_cmode.patch net-mii-fix-pause-cap-advertisement-from-linkmode_adv_to_lcl_adv_t-helper.patch net-packet-set-__gfp_nowarn-upon-allocation-in-alloc_pg_vec.patch net-phy-don-t-clear-bmcr-in-genphy_soft_reset.patch net-phy-meson-gxl-fix-interrupt-support.patch net-rose-fix-a-possible-stack-overflow.patch net-stmmac-fix-memory-corruption-with-large-mtus.patch net-sysfs-call-dev_hold-if-kobject_init_and_add-success.patch net-sysfs-fix-memory-leak-in-netdev_register_kobject.patch net-usb-aqc111-extend-hwid-table-by-qnap-device.patch packets-always-register-packet-sk-in-the-same-order.patch r8169-fix-cable-re-plugging-issue.patch rhashtable-still-do-rehash-when-we-get-eexist.patch sctp-get-sctphdr-by-offset-in-sctp_compute_cksum.patch sctp-use-memdup_user-instead-of-vmemdup_user.patch tcp-do-not-use-ipv6-header-for-ipv4-flow.patch thunderx-eliminate-extra-calls-to-put_page-for-pages-held-for-recycling.patch thunderx-enable-page-recycling-for-non-xdp-case.patch tipc-allow-service-ranges-to-be-connect-ed-on-rdm-dgram.patch tipc-change-to-check-tipc_own_id-to-return-in-tipc_net_stop.patch tipc-fix-cancellation-of-topology-subscriptions.patch tun-properly-test-for-iff_up.patch vrf-prevent-adding-upper-devices.patch vxlan-don-t-call-gro_cells_destroy-before-device-is-unregistered.patch --- 
...do-not-use-ipv6-header-for-ipv4-flow.patch | 34 +++++ ...link-fix-a-memory-leak-on-error-path.patch | 42 ++++++ ...-net_udp_tunnel-dependency-to-select.patch | 37 +++++ ...ix-rhashtable-walker-list-corruption.patch | 34 +++++ ...eturn-ip6_null_entry-instead-of-null.patch | 84 +++++++++++ .../mac8390-fix-mmio-access-size-probe.patch | 74 ++++++++++ ...th-vendor-device-id-for-digium-hfc4s.patch | 36 +++++ ...ecksum-offload-for-udp-tcp-over-ipv6.patch | 41 ++++++ ...nded-loop-in-__skb_try_recv_datagram.patch | 37 +++++ ...-issues-in-mv88e6390x_port_set_cmode.patch | 95 +++++++++++++ ...rom-linkmode_adv_to_lcl_adv_t-helper.patch | 34 +++++ ...warn-upon-allocation-in-alloc_pg_vec.patch | 81 +++++++++++ ...on-t-clear-bmcr-in-genphy_soft_reset.patch | 41 ++++++ ...-phy-meson-gxl-fix-interrupt-support.patch | 45 ++++++ ...t-rose-fix-a-possible-stack-overflow.patch | 131 ++++++++++++++++++ ...ix-memory-corruption-with-large-mtus.patch | 64 +++++++++ ...hold-if-kobject_init_and_add-success.patch | 62 +++++++++ ...mory-leak-in-netdev_register_kobject.patch | 86 ++++++++++++ ...111-extend-hwid-table-by-qnap-device.patch | 68 +++++++++ ...register-packet-sk-in-the-same-order.patch | 71 ++++++++++ .../r8169-fix-cable-re-plugging-issue.patch | 38 +++++ ...e-still-do-rehash-when-we-get-eexist.patch | 48 +++++++ ...phdr-by-offset-in-sctp_compute_cksum.patch | 40 ++++++ ...-memdup_user-instead-of-vmemdup_user.patch | 92 ++++++++++++ queue-5.0/series | 33 +++++ ...do-not-use-ipv6-header-for-ipv4-flow.patch | 40 ++++++ ...ut_page-for-pages-held-for-recycling.patch | 58 ++++++++ ...able-page-recycling-for-non-xdp-case.patch | 59 ++++++++ ...ranges-to-be-connect-ed-on-rdm-dgram.patch | 65 +++++++++ ...pc_own_id-to-return-in-tipc_net_stop.patch | 63 +++++++++ ...ncellation-of-topology-subscriptions.patch | 33 +++++ queue-5.0/tun-properly-test-for-iff_up.patch | 96 +++++++++++++ .../vrf-prevent-adding-upper-devices.patch | 38 +++++ ...estroy-before-device-is-unregistered.patch | 47 
+++++++ 34 files changed, 1947 insertions(+) create mode 100644 queue-5.0/dccp-do-not-use-ipv6-header-for-ipv4-flow.patch create mode 100644 queue-5.0/genetlink-fix-a-memory-leak-on-error-path.patch create mode 100644 queue-5.0/gtp-change-net_udp_tunnel-dependency-to-select.patch create mode 100644 queue-5.0/ila-fix-rhashtable-walker-list-corruption.patch create mode 100644 queue-5.0/ipv6-make-ip6_create_rt_rcu-return-ip6_null_entry-instead-of-null.patch create mode 100644 queue-5.0/mac8390-fix-mmio-access-size-probe.patch create mode 100644 queue-5.0/misdn-hfcpci-test-both-vendor-device-id-for-digium-hfc4s.patch create mode 100644 queue-5.0/net-aquantia-fix-rx-checksum-offload-for-udp-tcp-over-ipv6.patch create mode 100644 queue-5.0/net-datagram-fix-unbounded-loop-in-__skb_try_recv_datagram.patch create mode 100644 queue-5.0/net-dsa-mv88e6xxx-fix-few-issues-in-mv88e6390x_port_set_cmode.patch create mode 100644 queue-5.0/net-mii-fix-pause-cap-advertisement-from-linkmode_adv_to_lcl_adv_t-helper.patch create mode 100644 queue-5.0/net-packet-set-__gfp_nowarn-upon-allocation-in-alloc_pg_vec.patch create mode 100644 queue-5.0/net-phy-don-t-clear-bmcr-in-genphy_soft_reset.patch create mode 100644 queue-5.0/net-phy-meson-gxl-fix-interrupt-support.patch create mode 100644 queue-5.0/net-rose-fix-a-possible-stack-overflow.patch create mode 100644 queue-5.0/net-stmmac-fix-memory-corruption-with-large-mtus.patch create mode 100644 queue-5.0/net-sysfs-call-dev_hold-if-kobject_init_and_add-success.patch create mode 100644 queue-5.0/net-sysfs-fix-memory-leak-in-netdev_register_kobject.patch create mode 100644 queue-5.0/net-usb-aqc111-extend-hwid-table-by-qnap-device.patch create mode 100644 queue-5.0/packets-always-register-packet-sk-in-the-same-order.patch create mode 100644 queue-5.0/r8169-fix-cable-re-plugging-issue.patch create mode 100644 queue-5.0/rhashtable-still-do-rehash-when-we-get-eexist.patch create mode 100644 
queue-5.0/sctp-get-sctphdr-by-offset-in-sctp_compute_cksum.patch
create mode 100644 queue-5.0/sctp-use-memdup_user-instead-of-vmemdup_user.patch
create mode 100644 queue-5.0/tcp-do-not-use-ipv6-header-for-ipv4-flow.patch
create mode 100644 queue-5.0/thunderx-eliminate-extra-calls-to-put_page-for-pages-held-for-recycling.patch
create mode 100644 queue-5.0/thunderx-enable-page-recycling-for-non-xdp-case.patch
create mode 100644 queue-5.0/tipc-allow-service-ranges-to-be-connect-ed-on-rdm-dgram.patch
create mode 100644 queue-5.0/tipc-change-to-check-tipc_own_id-to-return-in-tipc_net_stop.patch
create mode 100644 queue-5.0/tipc-fix-cancellation-of-topology-subscriptions.patch
create mode 100644 queue-5.0/tun-properly-test-for-iff_up.patch
create mode 100644 queue-5.0/vrf-prevent-adding-upper-devices.patch
create mode 100644 queue-5.0/vxlan-don-t-call-gro_cells_destroy-before-device-is-unregistered.patch
diff --git a/queue-5.0/dccp-do-not-use-ipv6-header-for-ipv4-flow.patch b/queue-5.0/dccp-do-not-use-ipv6-header-for-ipv4-flow.patch
new file mode 100644
index 00000000000..689b531fcbd
--- /dev/null
+++ b/queue-5.0/dccp-do-not-use-ipv6-header-for-ipv4-flow.patch
@@ -0,0 +1,34 @@ +From foo@baz Thu Mar 28 21:53:58 CET 2019 +From: Eric Dumazet +Date: Tue, 19 Mar 2019 05:46:18 -0700 +Subject: dccp: do not use ipv6 header for ipv4 flow + +From: Eric Dumazet + +[ Upstream commit e0aa67709f89d08c8d8e5bdd9e0b649df61d0090 ] + +When a dual stack dccp listener accepts an ipv4 flow, +it should not attempt to use an ipv6 header or +inet6_iif() helper. + +Fixes: 3df80d9320bc ("[DCCP]: Introduce DCCPv6") +Signed-off-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/dccp/ipv6.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/net/dccp/ipv6.c ++++ b/net/dccp/ipv6.c +@@ -436,8 +436,8 @@ static struct sock *dccp_v6_request_recv + newnp->ipv6_mc_list = NULL; + newnp->ipv6_ac_list = NULL; + newnp->ipv6_fl_list = NULL; +- newnp->mcast_oif = inet6_iif(skb); +- newnp->mcast_hops = ipv6_hdr(skb)->hop_limit; ++ newnp->mcast_oif = inet_iif(skb); ++ newnp->mcast_hops = ip_hdr(skb)->ttl; + + /* + * No need to charge this sock to the relevant IPv6 refcnt debug socks count diff --git a/queue-5.0/genetlink-fix-a-memory-leak-on-error-path.patch b/queue-5.0/genetlink-fix-a-memory-leak-on-error-path.patch new file mode 100644 index 00000000000..b2e1835a668 --- /dev/null +++ b/queue-5.0/genetlink-fix-a-memory-leak-on-error-path.patch 
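Review bot: The two replaced assignments in dccp_v6_request_recv_sock carry no hint that this branch handles an IPv4 flow accepted by a dual-stack listener, which is exactly what made the old ipv6_hdr()/inet6_iif() use look plausible to begin with; a comment above `newnp->mcast_oif = inet_iif(skb);` such as `/* IPv4 flow on a v6 listener: the IPv6 header and inet6_iif() are not valid here, read the IPv4 header instead */` would keep the next reader from "fixing" it back. The series applies the same change to TCP in tcp-do-not-use-ipv6-header-for-ipv4-flow.patch, so the same comment is worth mirroring there. dccp_v6_request_recv_sock starts and ends outside the hunk.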
@@ -0,0 +1,42 @@ +From foo@baz Thu Mar 28 21:53:58 CET 2019 +From: YueHaibing +Date: Thu, 21 Mar 2019 15:02:50 +0800 +Subject: genetlink: Fix a memory leak on error path + +From: YueHaibing + +[ Upstream commit ceabee6c59943bdd5e1da1a6a20dc7ee5f8113a2 ] + +In genl_register_family(), when idr_alloc() fails, +we forget to free the memory we possibly allocate for +family->attrbuf. + +Reported-by: Hulk Robot +Fixes: 2ae0f17df1cd ("genetlink: use idr to track families") +Signed-off-by: YueHaibing +Reviewed-by: Kirill Tkhai +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/netlink/genetlink.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/netlink/genetlink.c ++++ b/net/netlink/genetlink.c +@@ -366,7 +366,7 @@ int genl_register_family(struct genl_fam + start, end + 1, GFP_KERNEL); + if (family->id < 0) { + err = family->id; +- goto errout_locked; ++ goto errout_free; + } + + err = genl_validate_assign_mc_groups(family); +@@ -385,6 +385,7 @@ int genl_register_family(struct genl_fam + + errout_remove: + idr_remove(&genl_fam_idr, family->id); ++errout_free: + kfree(family->attrbuf); + errout_locked: + genl_unlock_all(); diff --git a/queue-5.0/gtp-change-net_udp_tunnel-dependency-to-select.patch b/queue-5.0/gtp-change-net_udp_tunnel-dependency-to-select.patch new file mode 100644 index 00000000000..513c1e4c26e --- /dev/null +++ b/queue-5.0/gtp-change-net_udp_tunnel-dependency-to-select.patch 
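Review bot: After `kfree(family->attrbuf);` at the new errout_free label, family->attrbuf still holds the freed pointer, so a family structure that is registered again after a failed attempt carries a dangling pointer until (and unless) the allocation is repeated; adding `family->attrbuf = NULL;` after the kfree would make the failure path safe to retry and a double free impossible. Whether callers do retry genl_register_family on the same struct is not visible here, so this is a hardening suggestion rather than a demonstrated bug. genl_register_family starts and ends outside the hunk.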
@@ -0,0 +1,37 @@ +From foo@baz Thu Mar 28 21:53:58 CET 2019 +From: Matteo Croce +Date: Sat, 16 Mar 2019 01:00:50 +0100 +Subject: gtp: change NET_UDP_TUNNEL dependency to select + +From: Matteo Croce + +[ Upstream commit c22da36688d6298f2e546dcc43fdc1ad35036467 ] + +Similarly to commit a7603ac1fc8c ("geneve: change NET_UDP_TUNNEL +dependency to select"), GTP has a dependency on NET_UDP_TUNNEL which +makes impossible to compile it if no other protocol depending on +NET_UDP_TUNNEL is selected. + +Fix this by changing the depends to a select, and drop NET_IP_TUNNEL from +the select list, as it already depends on NET_UDP_TUNNEL. + +Signed-off-by: Matteo Croce +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/Kconfig | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/net/Kconfig ++++ b/drivers/net/Kconfig +@@ -213,8 +213,8 @@ config GENEVE + + config GTP + tristate "GPRS Tunneling Protocol datapath (GTP-U)" +- depends on INET && NET_UDP_TUNNEL +- select NET_IP_TUNNEL ++ depends on INET ++ select NET_UDP_TUNNEL + ---help--- + This allows one to create gtp virtual interfaces that provide + the GPRS Tunneling Protocol datapath (GTP-U). This tunneling protocol diff --git a/queue-5.0/ila-fix-rhashtable-walker-list-corruption.patch b/queue-5.0/ila-fix-rhashtable-walker-list-corruption.patch new file mode 100644 index 00000000000..32deb20c3a0 --- /dev/null +++ b/queue-5.0/ila-fix-rhashtable-walker-list-corruption.patch 
@@ -0,0 +1,34 @@ +From foo@baz Thu Mar 28 21:53:58 CET 2019 +From: Herbert Xu +Date: Tue, 26 Mar 2019 13:50:14 +0800 +Subject: ila: Fix rhashtable walker list corruption + +From: Herbert Xu + +[ Upstream commit b5f9bd15b88563b55a99ed588416881367a0ce5f ] + +ila_xlat_nl_cmd_flush uses rhashtable walkers allocated from the +stack but it never frees them. This corrupts the walker list of +the hash table. + +This patch fixes it. + +Reported-by: syzbot+dae72a112334aa65a159@syzkaller.appspotmail.com +Fixes: b6e71bdebb12 ("ila: Flush netlink command to clear xlat...") +Signed-off-by: Herbert Xu +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/ila/ila_xlat.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/ipv6/ila/ila_xlat.c ++++ b/net/ipv6/ila/ila_xlat.c +@@ -420,6 +420,7 @@ int ila_xlat_nl_cmd_flush(struct sk_buff + + done: + rhashtable_walk_stop(&iter); ++ rhashtable_walk_exit(&iter); + return ret; + } + diff --git a/queue-5.0/ipv6-make-ip6_create_rt_rcu-return-ip6_null_entry-instead-of-null.patch b/queue-5.0/ipv6-make-ip6_create_rt_rcu-return-ip6_null_entry-instead-of-null.patch new file mode 100644 index 00000000000..5d9b89f1f61 --- /dev/null +++ b/queue-5.0/ipv6-make-ip6_create_rt_rcu-return-ip6_null_entry-instead-of-null.patch 
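Review bot: The added `rhashtable_walk_exit(&iter);` only runs for exits that reach the `done:` label, so any return in ila_xlat_nl_cmd_flush that leaves the function before `done` would still skip both walk_stop and the new walk_exit and leave the stack-allocated walker on the table's list; the body above `done:` is outside the hunk, so it is worth confirming that every error path jumps to `done`. The pairing also deserves a one-line comment, e.g. `/* iter lives on the stack: it must be unlinked from the walker list before we return */`, since the omission was easy to miss once and will be again.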
@@ -0,0 +1,84 @@ +From foo@baz Thu Mar 28 21:53:58 CET 2019 +From: Xin Long +Date: Wed, 20 Mar 2019 14:45:48 +0800 +Subject: ipv6: make ip6_create_rt_rcu return ip6_null_entry instead of NULL + +From: Xin Long + +[ Upstream commit 1c87e79a002f6a159396138cd3f3ab554a2a8887 ] + +Jianlin reported a crash: + + [ 381.484332] BUG: unable to handle kernel NULL pointer dereference at 0000000000000068 + [ 381.619802] RIP: 0010:fib6_rule_lookup+0xa3/0x160 + [ 382.009615] Call Trace: + [ 382.020762] + [ 382.030174] ip6_route_redirect.isra.52+0xc9/0xf0 + [ 382.050984] ip6_redirect+0xb6/0xf0 + [ 382.066731] icmpv6_notify+0xca/0x190 + [ 382.083185] ndisc_redirect_rcv+0x10f/0x160 + [ 382.102569] ndisc_rcv+0xfb/0x100 + [ 382.117725] icmpv6_rcv+0x3f2/0x520 + [ 382.133637] ip6_input_finish+0xbf/0x460 + [ 382.151634] ip6_input+0x3b/0xb0 + [ 382.166097] ipv6_rcv+0x378/0x4e0 + +It was caused by the lookup function __ip6_route_redirect() returns NULL in +fib6_rule_lookup() when ip6_create_rt_rcu() returns NULL. + +So we fix it by simply making ip6_create_rt_rcu() return ip6_null_entry +instead of NULL. + +v1->v2: + - move down 'fallback:' to make it more readable. + +Fixes: e873e4b9cc7e ("ipv6: use fib6_info_hold_safe() when necessary") +Reported-by: Jianlin Shi +Suggested-by: Paolo Abeni +Signed-off-by: Xin Long +Reviewed-by: David Ahern +Acked-by: Wei Wang +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/route.c | 18 ++++++++++-------- + 1 file changed, 10 insertions(+), 8 deletions(-) + +--- a/net/ipv6/route.c ++++ b/net/ipv6/route.c +@@ -1040,14 +1040,20 @@ static struct rt6_info *ip6_create_rt_rc + struct rt6_info *nrt; + + if (!fib6_info_hold_safe(rt)) +- return NULL; ++ goto fallback; + + nrt = ip6_dst_alloc(dev_net(dev), dev, flags); +- if (nrt) +- ip6_rt_copy_init(nrt, rt); +- else ++ if (!nrt) { + fib6_info_release(rt); ++ goto fallback; ++ } ++ ++ ip6_rt_copy_init(nrt, rt); ++ return nrt; + ++fallback: ++ nrt = dev_net(dev)->ipv6.ip6_null_entry; ++ dst_hold(&nrt->dst); + return nrt; + } + +@@ -1096,10 +1102,6 @@ restart: + dst_hold(&rt->dst); + } else { + rt = ip6_create_rt_rcu(f6i); +- if (!rt) { +- rt = net->ipv6.ip6_null_entry; +- dst_hold(&rt->dst); +- } + } + + rcu_read_unlock(); diff --git a/queue-5.0/mac8390-fix-mmio-access-size-probe.patch b/queue-5.0/mac8390-fix-mmio-access-size-probe.patch new file mode 100644 index 00000000000..f39a6a47adc --- /dev/null +++ b/queue-5.0/mac8390-fix-mmio-access-size-probe.patch 
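Review bot: ip6_create_rt_rcu now never returns NULL and always hands back a held reference (either the copied route or ip6_null_entry), but the function carries no comment stating that contract, and it is exactly the kind of change that silently turns other callers' NULL checks into dead code; a header comment such as `/* Returns a held rt6_info; on failure returns a held reference to ip6_null_entry, never NULL. */` above the function would document it next to the `fallback:` label. The second hunk removes the NULL fallback in the one caller shown; any other callers of ip6_create_rt_rcu are outside this hunk and should get the same treatment. The function's opening lines are outside the hunk.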
@@ -0,0 +1,74 @@ +From foo@baz Thu Mar 28 21:53:58 CET 2019 +From: Finn Thain +Date: Sat, 16 Mar 2019 14:21:19 +1100 +Subject: mac8390: Fix mmio access size probe + +From: Finn Thain + +[ Upstream commit bb9e5c5bcd76f4474eac3baf643d7a39f7bac7bb ] + +The bug that Stan reported is as follows. After a restart, a 16-bit NIC +may be incorrectly identified as a 32-bit NIC and stop working. + +mac8390 slot.E: Memory length resource not found, probing +mac8390 slot.E: Farallon EtherMac II-C (type farallon) +mac8390 slot.E: MAC 00:00:c5:30:c2:99, IRQ 61, 32 KB shared memory at 0xfeed0000, 32-bit access. + +The bug never arises after a cold start and only intermittently after a +warm start. (I didn't investigate why the bug is intermittent.) + +It turns out that memcpy_toio() is deprecated and memcmp_withio() also +has issues. Replacing these calls with mmio accessors fixes the problem. + +Reported-and-tested-by: Stan Johnson +Fixes: 2964db0f5904 ("m68k: Mac DP8390 update") +Signed-off-by: Finn Thain +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/8390/mac8390.c | 19 ++++++++++++------- + 1 file changed, 12 insertions(+), 7 deletions(-) + +--- a/drivers/net/ethernet/8390/mac8390.c ++++ b/drivers/net/ethernet/8390/mac8390.c +@@ -153,8 +153,6 @@ static void dayna_block_input(struct net + static void dayna_block_output(struct net_device *dev, int count, + const unsigned char *buf, int start_page); + +-#define memcmp_withio(a, b, c) memcmp((a), (void *)(b), (c)) +- + /* Slow Sane (16-bit chunk memory read/write) Cabletron uses this */ + static void slow_sane_get_8390_hdr(struct net_device *dev, + struct e8390_pkt_hdr *hdr, int ring_page); +@@ -233,19 +231,26 @@ static enum mac8390_type mac8390_ident(s + + static enum mac8390_access mac8390_testio(unsigned long membase) + { +- unsigned long outdata = 0xA5A0B5B0; +- unsigned long indata = 0x00000000; ++ u32 outdata = 0xA5A0B5B0; ++ u32 indata = 0; ++ + /* Try writing 32 bits */ +- memcpy_toio((void __iomem *)membase, &outdata, 4); +- /* Now compare them */ +- if (memcmp_withio(&outdata, membase, 4) == 0) ++ nubus_writel(outdata, membase); ++ /* Now read it back */ ++ indata = nubus_readl(membase); ++ if (outdata == indata) + return ACCESS_32; ++ ++ outdata = 0xC5C0D5D0; ++ indata = 0; ++ + /* Write 16 bit output */ + word_memcpy_tocard(membase, &outdata, 4); + /* Now read it back */ + word_memcpy_fromcard(&indata, membase, 4); + if (outdata == indata) + return ACCESS_16; ++ + return ACCESS_UNKNOWN; + } + diff --git a/queue-5.0/misdn-hfcpci-test-both-vendor-device-id-for-digium-hfc4s.patch b/queue-5.0/misdn-hfcpci-test-both-vendor-device-id-for-digium-hfc4s.patch new file mode 100644 index 00000000000..e7f9e51e14d --- /dev/null +++ b/queue-5.0/misdn-hfcpci-test-both-vendor-device-id-for-digium-hfc4s.patch 
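Review bot: In mac8390_testio the second probe deliberately switches to a fresh pattern (`outdata = 0xC5C0D5D0;`), presumably so that whatever the failed 32-bit write left in shared memory cannot be read back and mistaken for a working 16-bit path, but nothing in the code says so; a comment like `/* Use a different pattern: the 32-bit write above may have left data the 16-bit read would otherwise match */` captures the intent. The `u32 indata = 0;` initializer and the later `indata = 0;` are redundant, since nubus_readl() and word_memcpy_fromcard() overwrite indata before it is compared, though they are harmless. mac8390_testio is fully visible inside the hunk.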
@@ -0,0 +1,36 @@ +From foo@baz Thu Mar 28 21:53:58 CET 2019 +From: Bjorn Helgaas +Date: Mon, 18 Mar 2019 08:51:06 -0500 +Subject: mISDN: hfcpci: Test both vendor & device ID for Digium HFC4S + +From: Bjorn Helgaas + +[ Upstream commit fae846e2b7124d4b076ef17791c73addf3b26350 ] + +The device ID alone does not uniquely identify a device. Test both the +vendor and device ID to make sure we don't mistakenly think some other +vendor's 0xB410 device is a Digium HFC4S. Also, instead of the bare hex +ID, use the same constant (PCI_DEVICE_ID_DIGIUM_HFC4S) used in the device +ID table. + +No functional change intended. + +Signed-off-by: Bjorn Helgaas +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/isdn/hardware/mISDN/hfcmulti.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/isdn/hardware/mISDN/hfcmulti.c ++++ b/drivers/isdn/hardware/mISDN/hfcmulti.c +@@ -4365,7 +4365,8 @@ setup_pci(struct hfc_multi *hc, struct p + if (m->clock2) + test_and_set_bit(HFC_CHIP_CLOCK2, &hc->chip); + +- if (ent->device == 0xB410) { ++ if (ent->vendor == PCI_VENDOR_ID_DIGIUM && ++ ent->device == PCI_DEVICE_ID_DIGIUM_HFC4S) { + test_and_set_bit(HFC_CHIP_B410P, &hc->chip); + test_and_set_bit(HFC_CHIP_PCM_MASTER, &hc->chip); + test_and_clear_bit(HFC_CHIP_PCM_SLAVE, &hc->chip); diff --git a/queue-5.0/net-aquantia-fix-rx-checksum-offload-for-udp-tcp-over-ipv6.patch b/queue-5.0/net-aquantia-fix-rx-checksum-offload-for-udp-tcp-over-ipv6.patch new file mode 100644 index 00000000000..c36acde2f25 --- /dev/null +++ b/queue-5.0/net-aquantia-fix-rx-checksum-offload-for-udp-tcp-over-ipv6.patch 
@@ -0,0 +1,41 @@ +From foo@baz Thu Mar 28 21:53:58 CET 2019 +From: Dmitry Bogdanov +Date: Sat, 16 Mar 2019 08:28:18 +0000 +Subject: net: aquantia: fix rx checksum offload for UDP/TCP over IPv6 + +From: Dmitry Bogdanov + +[ Upstream commit a7faaa0c5dc7d091cc9f72b870d7edcdd6f43f12 ] + +TCP/UDP checksum validity was propagated to skb +only if IP checksum is valid. +But for IPv6 there is no validity as there is no checksum in IPv6. +This patch propagates TCP/UDP checksum validity regardless of IP checksum. + +Fixes: 018423e90bee ("net: ethernet: aquantia: Add ring support code") +Signed-off-by: Igor Russkikh +Signed-off-by: Nikita Danilov +Signed-off-by: Dmitry Bogdanov +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/aquantia/atlantic/aq_ring.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/aquantia/atlantic/aq_ring.c ++++ b/drivers/net/ethernet/aquantia/atlantic/aq_ring.c +@@ -186,11 +186,12 @@ static void aq_rx_checksum(struct aq_rin + } + if (buff->is_ip_cso) { + __skb_incr_checksum_unnecessary(skb); +- if (buff->is_udp_cso || buff->is_tcp_cso) +- __skb_incr_checksum_unnecessary(skb); + } else { + skb->ip_summed = CHECKSUM_NONE; + } ++ ++ if (buff->is_udp_cso || buff->is_tcp_cso) ++ __skb_incr_checksum_unnecessary(skb); + } + + #define AQ_SKB_ALIGN SKB_DATA_ALIGN(sizeof(struct skb_shared_info)) diff --git a/queue-5.0/net-datagram-fix-unbounded-loop-in-__skb_try_recv_datagram.patch b/queue-5.0/net-datagram-fix-unbounded-loop-in-__skb_try_recv_datagram.patch new file mode 100644 index 00000000000..8e5f1d62697 --- /dev/null +++ b/queue-5.0/net-datagram-fix-unbounded-loop-in-__skb_try_recv_datagram.patch 
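Review bot: With the UDP/TCP increment moved after the if/else, an IPv4 frame whose IP checksum the hardware rejected (`is_ip_cso` clear) but whose L4 checksum it accepted now goes from CHECKSUM_NONE straight to CHECKSUM_UNNECESSARY through __skb_incr_checksum_unnecessary(), so the stack will not re-verify the L4 checksum in software for that frame; this appears to rely on the IP layer dropping the packet on its own header checksum, which is worth stating in a comment above the new `if (buff->is_udp_cso || buff->is_tcp_cso)`. If the intent is only to cover IPv6, where no IP checksum exists, the condition could be narrowed to that case instead. aq_rx_checksum begins outside the hunk, including whatever early return precedes the first `}` shown.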
@@ -0,0 +1,37 @@ +From foo@baz Thu Mar 28 21:53:58 CET 2019 +From: Paolo Abeni +Date: Mon, 25 Mar 2019 14:18:06 +0100 +Subject: net: datagram: fix unbounded loop in __skb_try_recv_datagram() + +From: Paolo Abeni + +[ Upstream commit 0b91bce1ebfc797ff3de60c8f4a1e6219a8a3187 ] + +Christoph reported a stall while peeking datagram with an offset when +busy polling is enabled. __skb_try_recv_datagram() uses as the loop +termination condition 'queue empty'. When peeking, the socket +queue can be not empty, even when no additional packets are received. + +Address the issue explicitly checking for receive queue changes, +as currently done by __skb_wait_for_more_packets(). + +Fixes: 2b5cd0dfa384 ("net: Change return type of sk_busy_loop from bool to void") +Reported-and-tested-by: Christoph Paasch +Signed-off-by: Paolo Abeni +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/core/datagram.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/core/datagram.c ++++ b/net/core/datagram.c +@@ -279,7 +279,7 @@ struct sk_buff *__skb_try_recv_datagram( + break; + + sk_busy_loop(sk, flags & MSG_DONTWAIT); +- } while (!skb_queue_empty(&sk->sk_receive_queue)); ++ } while (sk->sk_receive_queue.prev != *last); + + error = -EAGAIN; + diff --git a/queue-5.0/net-dsa-mv88e6xxx-fix-few-issues-in-mv88e6390x_port_set_cmode.patch b/queue-5.0/net-dsa-mv88e6xxx-fix-few-issues-in-mv88e6390x_port_set_cmode.patch new file mode 100644 index 00000000000..b31195c89b7 --- /dev/null +++ b/queue-5.0/net-dsa-mv88e6xxx-fix-few-issues-in-mv88e6390x_port_set_cmode.patch 
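Review bot: The new loop condition `sk->sk_receive_queue.prev != *last` reads the queue's tail pointer while enqueue can be running, which the commit message presents as the same lockless check __skb_wait_for_more_packets() makes; if the read is indeed unlocked at this point, writing it as `} while (READ_ONCE(sk->sk_receive_queue.prev) != *last);` documents that it is an intentional racy read rather than an oversight. The hunk does not show whether the queue lock is held here, so this is a question to confirm rather than a defect. __skb_try_recv_datagram starts and ends outside the hunk.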
@@ -0,0 +1,95 @@ +From foo@baz Thu Mar 28 21:53:58 CET 2019 +From: Heiner Kallweit +Date: Sat, 23 Mar 2019 19:41:32 +0100 +Subject: net: dsa: mv88e6xxx: fix few issues in mv88e6390x_port_set_cmode + +From: Heiner Kallweit + +[ Upstream commit 5ceaeb99ffb4dc002d20f6ac243c19a85e2c7a76 ] + +This patches fixes few issues in mv88e6390x_port_set_cmode(). + +1. When entering the function the old cmode may be 0, in this case + mv88e6390x_serdes_get_lane() returns -ENODEV. As result we bail + out and have no chance to set a new mode. Therefore deal properly + with -ENODEV. + +2. Once we have disabled power and irq, let's set the cached cmode to 0. + This reflects the actual status and is cleaner if we bail out with an + error in the following function calls. + +3. The cached cmode is used by mv88e6390x_serdes_get_lane(), + mv88e6390_serdes_power_lane() and mv88e6390_serdes_irq_enable(). + Currently we set the cached mode to the new one at the very end of + the function only, means until then we use the old one what may be + wrong. + +4. When calling mv88e6390_serdes_irq_enable() we use the lane value + belonging to the old cmode. Get the lane belonging to the new cmode + before calling this function. + +It's hard to provide a good "Fixes" tag because quite a few smaller +changes have been done to the code in question recently. + +Fixes: d235c48b40d3 ("net: dsa: mv88e6xxx: power serdes on/off for 10G interfaces on 6390X") +Signed-off-by: Heiner Kallweit +Reviewed-by: Florian Fainelli +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/dsa/mv88e6xxx/port.c | 24 ++++++++++++++++-------- + 1 file changed, 16 insertions(+), 8 deletions(-) + +--- a/drivers/net/dsa/mv88e6xxx/port.c ++++ b/drivers/net/dsa/mv88e6xxx/port.c +@@ -427,18 +427,22 @@ int mv88e6390x_port_set_cmode(struct mv8 + return 0; + + lane = mv88e6390x_serdes_get_lane(chip, port); +- if (lane < 0) ++ if (lane < 0 && lane != -ENODEV) + return lane; + +- if (chip->ports[port].serdes_irq) { +- err = mv88e6390_serdes_irq_disable(chip, port, lane); ++ if (lane >= 0) { ++ if (chip->ports[port].serdes_irq) { ++ err = mv88e6390_serdes_irq_disable(chip, port, lane); ++ if (err) ++ return err; ++ } ++ ++ err = mv88e6390x_serdes_power(chip, port, false); + if (err) + return err; + } + +- err = mv88e6390x_serdes_power(chip, port, false); +- if (err) +- return err; ++ chip->ports[port].cmode = 0; + + if (cmode) { + err = mv88e6xxx_port_read(chip, port, MV88E6XXX_PORT_STS, ®); +@@ -452,6 +456,12 @@ int mv88e6390x_port_set_cmode(struct mv8 + if (err) + return err; + ++ chip->ports[port].cmode = cmode; ++ ++ lane = mv88e6390x_serdes_get_lane(chip, port); ++ if (lane < 0) ++ return lane; ++ + err = mv88e6390x_serdes_power(chip, port, true); + if (err) + return err; +@@ -463,8 +473,6 @@ int mv88e6390x_port_set_cmode(struct mv8 + } + } + +- chip->ports[port].cmode = cmode; +- + return 0; + } + diff --git a/queue-5.0/net-mii-fix-pause-cap-advertisement-from-linkmode_adv_to_lcl_adv_t-helper.patch b/queue-5.0/net-mii-fix-pause-cap-advertisement-from-linkmode_adv_to_lcl_adv_t-helper.patch new file mode 100644 index 00000000000..5c168c59aec --- /dev/null +++ b/queue-5.0/net-mii-fix-pause-cap-advertisement-from-linkmode_adv_to_lcl_adv_t-helper.patch 
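Review bot: After the new `chip->ports[port].cmode = cmode;` the re-read `lane = mv88e6390x_serdes_get_lane(chip, port);` treats -ENODEV as a hard failure, while the same return value was just tolerated for the old cmode a few lines above; if a valid non-zero cmode can legitimately have no SerDes lane, this returns an error after the port register has already been written and the cache updated. Worth either confirming that every non-zero cmode reaching this branch has a lane, or handling -ENODEV there the same way as above (skip the SerDes power and irq steps and return 0). mv88e6390x_port_set_cmode begins outside the hunk.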
@@ -0,0 +1,34 @@ +From foo@baz Thu Mar 28 21:53:58 CET 2019 +From: Claudiu Manoil +Date: Tue, 26 Mar 2019 11:48:57 +0200 +Subject: net: mii: Fix PAUSE cap advertisement from linkmode_adv_to_lcl_adv_t() helper + +From: Claudiu Manoil + +[ Upstream commit 7f07e5f1f778605e98cf2156d4db1ff3a3a1a74a ] + +With a recent link mode advertisement code update this helper +providing local pause capability translation used for flow +control link mode negotiation got broken. +For eth drivers using this helper, the issue is apparent only +if either PAUSE or ASYM_PAUSE is being advertised. + +Fixes: 3c1bcc8614db ("net: ethernet: Convert phydev advertize and supported from u32 to link mode") +Signed-off-by: Claudiu Manoil +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/mii.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/include/linux/mii.h ++++ b/include/linux/mii.h +@@ -469,7 +469,7 @@ static inline u32 linkmode_adv_to_lcl_ad + if (linkmode_test_bit(ETHTOOL_LINK_MODE_Pause_BIT, + advertising)) + lcl_adv |= ADVERTISE_PAUSE_CAP; +- if (linkmode_test_bit(ETHTOOL_LINK_MODE_Pause_BIT, ++ if (linkmode_test_bit(ETHTOOL_LINK_MODE_Asym_Pause_BIT, + advertising)) + lcl_adv |= ADVERTISE_PAUSE_ASYM; + diff --git a/queue-5.0/net-packet-set-__gfp_nowarn-upon-allocation-in-alloc_pg_vec.patch b/queue-5.0/net-packet-set-__gfp_nowarn-upon-allocation-in-alloc_pg_vec.patch new file mode 100644 index 00000000000..a225508367a --- /dev/null +++ b/queue-5.0/net-packet-set-__gfp_nowarn-upon-allocation-in-alloc_pg_vec.patch 
@@ -0,0 +1,81 @@ +From foo@baz Thu Mar 28 21:53:58 CET 2019 +From: Christoph Paasch +Date: Mon, 18 Mar 2019 23:14:52 -0700 +Subject: net/packet: Set __GFP_NOWARN upon allocation in alloc_pg_vec + +From: Christoph Paasch + +[ Upstream commit 398f0132c14754fcd03c1c4f8e7176d001ce8ea1 ] + +Since commit fc62814d690c ("net/packet: fix 4gb buffer limit due to overflow check") +one can now allocate packet ring buffers >= UINT_MAX. However, syzkaller +found that that triggers a warning: + +[ 21.100000] WARNING: CPU: 2 PID: 2075 at mm/page_alloc.c:4584 __alloc_pages_nod0 +[ 21.101490] Modules linked in: +[ 21.101921] CPU: 2 PID: 2075 Comm: syz-executor.0 Not tainted 5.0.0 #146 +[ 21.102784] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 0.5.1 01/01/2011 +[ 21.103887] RIP: 0010:__alloc_pages_nodemask+0x2a0/0x630 +[ 21.104640] Code: fe ff ff 65 48 8b 04 25 c0 de 01 00 48 05 90 0f 00 00 41 bd 01 00 00 00 48 89 44 24 48 e9 9c fe 3 +[ 21.107121] RSP: 0018:ffff88805e1cf920 EFLAGS: 00010246 +[ 21.107819] RAX: 0000000000000000 RBX: ffffffff85a488a0 RCX: 0000000000000000 +[ 21.108753] RDX: 0000000000000000 RSI: dffffc0000000000 RDI: 0000000000000000 +[ 21.109699] RBP: 1ffff1100bc39f28 R08: ffffed100bcefb67 R09: ffffed100bcefb67 +[ 21.110646] R10: 0000000000000001 R11: ffffed100bcefb66 R12: 000000000000000d +[ 21.111623] R13: 0000000000000000 R14: ffff88805e77d888 R15: 000000000000000d +[ 21.112552] FS: 00007f7c7de05700(0000) GS:ffff88806d100000(0000) knlGS:0000000000000000 +[ 21.113612] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 21.114405] CR2: 000000000065c000 CR3: 000000005e58e006 CR4: 00000000001606e0 +[ 21.115367] Call Trace: +[ 21.115705] ? __alloc_pages_slowpath+0x21c0/0x21c0 +[ 21.116362] alloc_pages_current+0xac/0x1e0 +[ 21.116923] kmalloc_order+0x18/0x70 +[ 21.117393] kmalloc_order_trace+0x18/0x110 +[ 21.117949] packet_set_ring+0x9d5/0x1770 +[ 21.118524] ? packet_rcv_spkt+0x440/0x440 +[ 21.119094] ? lock_downgrade+0x620/0x620 +[ 21.119646] ? 
__might_fault+0x177/0x1b0 +[ 21.120177] packet_setsockopt+0x981/0x2940 +[ 21.120753] ? __fget+0x2fb/0x4b0 +[ 21.121209] ? packet_release+0xab0/0xab0 +[ 21.121740] ? sock_has_perm+0x1cd/0x260 +[ 21.122297] ? selinux_secmark_relabel_packet+0xd0/0xd0 +[ 21.123013] ? __fget+0x324/0x4b0 +[ 21.123451] ? selinux_netlbl_socket_setsockopt+0x101/0x320 +[ 21.124186] ? selinux_netlbl_sock_rcv_skb+0x3a0/0x3a0 +[ 21.124908] ? __lock_acquire+0x529/0x3200 +[ 21.125453] ? selinux_socket_setsockopt+0x5d/0x70 +[ 21.126075] ? __sys_setsockopt+0x131/0x210 +[ 21.126533] ? packet_release+0xab0/0xab0 +[ 21.127004] __sys_setsockopt+0x131/0x210 +[ 21.127449] ? kernel_accept+0x2f0/0x2f0 +[ 21.127911] ? ret_from_fork+0x8/0x50 +[ 21.128313] ? do_raw_spin_lock+0x11b/0x280 +[ 21.128800] __x64_sys_setsockopt+0xba/0x150 +[ 21.129271] ? lockdep_hardirqs_on+0x37f/0x560 +[ 21.129769] do_syscall_64+0x9f/0x450 +[ 21.130182] entry_SYSCALL_64_after_hwframe+0x49/0xbe + +We should allocate with __GFP_NOWARN to handle this. + +Cc: Kal Conley +Cc: Andrey Konovalov +Fixes: fc62814d690c ("net/packet: fix 4gb buffer limit due to overflow check") +Signed-off-by: Christoph Paasch +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/packet/af_packet.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/packet/af_packet.c ++++ b/net/packet/af_packet.c +@@ -4211,7 +4211,7 @@ static struct pgv *alloc_pg_vec(struct t + struct pgv *pg_vec; + int i; + +- pg_vec = kcalloc(block_nr, sizeof(struct pgv), GFP_KERNEL); ++ pg_vec = kcalloc(block_nr, sizeof(struct pgv), GFP_KERNEL | __GFP_NOWARN); + if (unlikely(!pg_vec)) + goto out; + diff --git a/queue-5.0/net-phy-don-t-clear-bmcr-in-genphy_soft_reset.patch b/queue-5.0/net-phy-don-t-clear-bmcr-in-genphy_soft_reset.patch new file mode 100644 index 00000000000..452e6171a51 --- /dev/null +++ b/queue-5.0/net-phy-don-t-clear-bmcr-in-genphy_soft_reset.patch 
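Review bot: The `GFP_KERNEL | __GFP_NOWARN` change suppresses the splat but leaves no trace of why a failure here is expected, and per the commit message block_nr is a user-supplied ring parameter; a comment on the line, e.g. `/* block_nr is user controlled: oversized rings must fail quietly rather than warn */`, records that for the next reader. Since the trace shows the request going through kmalloc_order, this remains a contiguous high-order allocation attempt; if the matching free path can be adjusted, kvcalloc() would avoid the high-order attempt altogether, but that path is outside this hunk. alloc_pg_vec starts and ends outside the hunk.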
@@ -0,0 +1,41 @@ +From foo@baz Thu Mar 28 21:53:58 CET 2019 +From: Heiner Kallweit +Date: Fri, 22 Mar 2019 20:00:20 +0100 +Subject: net: phy: don't clear BMCR in genphy_soft_reset + +From: Heiner Kallweit + +[ Upstream commit d29f5aa0bc0c321e1b9e4658a2a7e08e885da52a ] + +So far we effectively clear the BMCR register. Some PHY's can deal +with this (e.g. because they reset BMCR to a default as part of a +soft-reset) whilst on others this causes issues because e.g. the +autoneg bit is cleared. Marvell is an example, see also thread [0]. +So let's be a little bit more gentle and leave all bits we're not +interested in as-is. This change is needed for PHY drivers to +properly deal with the original patch. + +[0] https://marc.info/?t=155264050700001&r=1&w=2 + +Fixes: 6e2d85ec0559 ("net: phy: Stop with excessive soft reset") +Tested-by: Phil Reid +Tested-by: liweihang +Signed-off-by: Heiner Kallweit +Reviewed-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/phy/phy_device.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/phy/phy_device.c ++++ b/drivers/net/phy/phy_device.c +@@ -1827,7 +1827,7 @@ int genphy_soft_reset(struct phy_device + { + int ret; + +- ret = phy_write(phydev, MII_BMCR, BMCR_RESET); ++ ret = phy_set_bits(phydev, MII_BMCR, BMCR_RESET); + if (ret < 0) + return ret; + diff --git a/queue-5.0/net-phy-meson-gxl-fix-interrupt-support.patch b/queue-5.0/net-phy-meson-gxl-fix-interrupt-support.patch new file mode 100644 index 00000000000..c832912ba1f --- /dev/null +++ b/queue-5.0/net-phy-meson-gxl-fix-interrupt-support.patch 
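Review bot: The switch to `phy_set_bits(phydev, MII_BMCR, BMCR_RESET)` changes genphy_soft_reset from a full register overwrite to a read-modify-write, and nothing in the code records why; a comment such as `/* Set only the reset bit so the rest of BMCR (e.g. autoneg enable) survives on PHYs that do not reset it themselves */` above the call keeps the rationale from the commit message next to the code. genphy_soft_reset continues past the hunk.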
@@ -0,0 +1,45 @@ +From foo@baz Thu Mar 28 21:53:58 CET 2019 +From: Jerome Brunet +Date: Thu, 14 Mar 2019 14:49:45 +0100 +Subject: net: phy: meson-gxl: fix interrupt support + +From: Jerome Brunet + +[ Upstream commit daa5c4d0167a308306525fd5ab9a5e18e21f4f74 ] + +If an interrupt is already pending when the interrupt is enabled on the +GXL phy, no IRQ will ever be triggered. + +The fix is simply to make sure pending IRQs are cleared before setting +up the irq mask. + +Fixes: cf127ff20af1 ("net: phy: meson-gxl: add interrupt support") +Signed-off-by: Jerome Brunet +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/phy/meson-gxl.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/net/phy/meson-gxl.c ++++ b/drivers/net/phy/meson-gxl.c +@@ -211,6 +211,7 @@ static int meson_gxl_ack_interrupt(struc + static int meson_gxl_config_intr(struct phy_device *phydev) + { + u16 val; ++ int ret; + + if (phydev->interrupts == PHY_INTERRUPT_ENABLED) { + val = INTSRC_ANEG_PR +@@ -223,6 +224,11 @@ static int meson_gxl_config_intr(struct + val = 0; + } + ++ /* Ack any pending IRQ */ ++ ret = meson_gxl_ack_interrupt(phydev); ++ if (ret) ++ return ret; ++ + return phy_write(phydev, INTSRC_MASK, val); + } + diff --git a/queue-5.0/net-rose-fix-a-possible-stack-overflow.patch b/queue-5.0/net-rose-fix-a-possible-stack-overflow.patch new file mode 100644 index 00000000000..e69ebfeee0f --- /dev/null +++ b/queue-5.0/net-rose-fix-a-possible-stack-overflow.patch 
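Review bot: The new `meson_gxl_ack_interrupt()` call sits after the `if`/`else` that computes `val`, so it also runs on the disable path, and an MDIO error there now returns before the `phy_write(phydev, INTSRC_MASK, val)` that would have masked the interrupts. If acking is only needed before enabling, moving the added lines into the `if (phydev->interrupts == PHY_INTERRUPT_ENABLED)` block keeps the disable path unconditional. In either placement the comment could carry the why rather than the what: `/* Ack any pending IRQ: an IRQ left pending when the mask is set would never be raised */`.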
@@ -0,0 +1,131 @@ +From foo@baz Thu Mar 28 21:53:58 CET 2019 +From: Eric Dumazet +Date: Fri, 15 Mar 2019 10:41:14 -0700 +Subject: net: rose: fix a possible stack overflow + +From: Eric Dumazet + +[ Upstream commit e5dcc0c3223c45c94100f05f28d8ef814db3d82c ] + +rose_write_internal() uses a temp buffer of 100 bytes, but a manual +inspection showed that given arbitrary input, rose_create_facilities() +can fill up to 110 bytes. + +Lets use a tailroom of 256 bytes for peace of mind, and remove +the bounce buffer : we can simply allocate a big enough skb +and adjust its length as needed. + +syzbot report : + +BUG: KASAN: stack-out-of-bounds in memcpy include/linux/string.h:352 [inline] +BUG: KASAN: stack-out-of-bounds in rose_create_facilities net/rose/rose_subr.c:521 [inline] +BUG: KASAN: stack-out-of-bounds in rose_write_internal+0x597/0x15d0 net/rose/rose_subr.c:116 +Write of size 7 at addr ffff88808b1ffbef by task syz-executor.0/24854 + +CPU: 0 PID: 24854 Comm: syz-executor.0 Not tainted 5.0.0+ #97 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0x172/0x1f0 lib/dump_stack.c:113 + print_address_description.cold+0x7c/0x20d mm/kasan/report.c:187 + kasan_report.cold+0x1b/0x40 mm/kasan/report.c:317 + check_memory_region_inline mm/kasan/generic.c:185 [inline] + check_memory_region+0x123/0x190 mm/kasan/generic.c:191 + memcpy+0x38/0x50 mm/kasan/common.c:131 + memcpy include/linux/string.h:352 [inline] + rose_create_facilities net/rose/rose_subr.c:521 [inline] + rose_write_internal+0x597/0x15d0 net/rose/rose_subr.c:116 + rose_connect+0x7cb/0x1510 net/rose/af_rose.c:826 + __sys_connect+0x266/0x330 net/socket.c:1685 + __do_sys_connect net/socket.c:1696 [inline] + __se_sys_connect net/socket.c:1693 [inline] + __x64_sys_connect+0x73/0xb0 net/socket.c:1693 + do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290 + entry_SYSCALL_64_after_hwframe+0x49/0xbe +RIP: 
0033:0x458079 +Code: ad b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 +RSP: 002b:00007f47b8d9dc78 EFLAGS: 00000246 ORIG_RAX: 000000000000002a +RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000458079 +RDX: 000000000000001c RSI: 0000000020000040 RDI: 0000000000000004 +RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 00007f47b8d9e6d4 +R13: 00000000004be4a4 R14: 00000000004ceca8 R15: 00000000ffffffff + +The buggy address belongs to the page: +page:ffffea00022c7fc0 count:0 mapcount:0 mapping:0000000000000000 index:0x0 +flags: 0x1fffc0000000000() +raw: 01fffc0000000000 0000000000000000 ffffffff022c0101 0000000000000000 +raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 +page dumped because: kasan: bad access detected + +Memory state around the buggy address: + ffff88808b1ffa80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + ffff88808b1ffb00: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 03 +>ffff88808b1ffb80: f2 f2 00 00 00 00 00 00 00 00 00 00 00 00 04 f3 + ^ + ffff88808b1ffc00: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 + ffff88808b1ffc80: 00 00 00 00 00 00 00 f1 f1 f1 f1 f1 f1 01 f2 01 + +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/rose/rose_subr.c | 21 ++++++++++++--------- + 1 file changed, 12 insertions(+), 9 deletions(-) + +--- a/net/rose/rose_subr.c ++++ b/net/rose/rose_subr.c +@@ -105,16 +105,17 @@ void rose_write_internal(struct sock *sk + struct sk_buff *skb; + unsigned char *dptr; + unsigned char lci1, lci2; +- char buffer[100]; +- int len, faclen = 0; ++ int maxfaclen = 0; ++ int len, faclen; ++ int reserve; + +- len = AX25_BPQ_HEADER_LEN + AX25_MAX_HEADER_LEN + ROSE_MIN_LEN + 1; ++ reserve = AX25_BPQ_HEADER_LEN + AX25_MAX_HEADER_LEN + 1; ++ len = ROSE_MIN_LEN; + + switch (frametype) { + case ROSE_CALL_REQUEST: + len += 1 + ROSE_ADDR_LEN + ROSE_ADDR_LEN; +- faclen = rose_create_facilities(buffer, rose); +- len += faclen; ++ maxfaclen = 256; + break; + case ROSE_CALL_ACCEPTED: + case ROSE_CLEAR_REQUEST: +@@ -123,15 +124,16 @@ void rose_write_internal(struct sock *sk + break; + } + +- if ((skb = alloc_skb(len, GFP_ATOMIC)) == NULL) ++ skb = alloc_skb(reserve + len + maxfaclen, GFP_ATOMIC); ++ if (!skb) + return; + + /* + * Space for AX.25 header and PID. + */ +- skb_reserve(skb, AX25_BPQ_HEADER_LEN + AX25_MAX_HEADER_LEN + 1); ++ skb_reserve(skb, reserve); + +- dptr = skb_put(skb, skb_tailroom(skb)); ++ dptr = skb_put(skb, len); + + lci1 = (rose->lci >> 8) & 0x0F; + lci2 = (rose->lci >> 0) & 0xFF; +@@ -146,7 +148,8 @@ void rose_write_internal(struct sock *sk + dptr += ROSE_ADDR_LEN; + memcpy(dptr, &rose->source_addr, ROSE_ADDR_LEN); + dptr += ROSE_ADDR_LEN; +- memcpy(dptr, buffer, faclen); ++ faclen = rose_create_facilities(dptr, rose); ++ skb_put(skb, faclen); + dptr += faclen; + break; + diff --git a/queue-5.0/net-stmmac-fix-memory-corruption-with-large-mtus.patch b/queue-5.0/net-stmmac-fix-memory-corruption-with-large-mtus.patch new file mode 100644 index 00000000000..c3c00ce74ee --- /dev/null +++ b/queue-5.0/net-stmmac-fix-memory-corruption-with-large-mtus.patch 
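Review bot: The new code still depends on an unchecked upper bound: `maxfaclen = 256` is justified only by the description's manual inspection (up to 110 bytes), and `rose_create_facilities(dptr, rose)` receives no size, so any later growth of the facilities encoding writes past the tailroom and is only caught afterwards by `skb_put()`'s over-panic. At minimum the magic number should become a named constant with a comment stating the 110-byte maximum it covers, and `WARN_ON_ONCE(faclen > maxfaclen);` before `skb_put(skb, faclen);` would make the assumption observable, though it detects rather than prevents. The robust fix is to pass the remaining tailroom into rose_create_facilities() and have it bound its own writes; rose_write_internal's body continues beyond the last hunk.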
@@ -0,0 +1,64 @@ +From foo@baz Thu Mar 28 21:53:58 CET 2019 +From: Aaro Koskinen +Date: Mon, 18 Mar 2019 23:36:08 +0200 +Subject: net: stmmac: fix memory corruption with large MTUs + +From: Aaro Koskinen + +[ Upstream commit 223a960c01227e4dbcb6f9fa06b47d73bda21274 ] + +When using 16K DMA buffers and ring mode, the DES3 refill is not working +correctly as the function is using a bogus pointer for checking the +private data. As a result stale pointers will remain in the RX descriptor +ring, so DMA will now likely overwrite/corrupt some already freed memory. + +As simple reproducer, just receive some UDP traffic: + + # ifconfig eth0 down; ifconfig eth0 mtu 9000; ifconfig eth0 up + # iperf3 -c 192.168.253.40 -u -b 0 -R + +If you didn't crash by now check the RX descriptors to find non-contiguous +RX buffers: + + cat /sys/kernel/debug/stmmaceth/eth0/descriptors_status + [...] + 1 [0x2be5020]: 0xa3220321 0x9ffc1ffc 0x72d70082 0x130e207e + ^^^^^^^^^^^^^^^^^^^^^ + 2 [0x2be5040]: 0xa3220321 0x9ffc1ffc 0x72998082 0x1311a07e + ^^^^^^^^^^^^^^^^^^^^^ + +A simple ping test will now report bad data: + + # ping -s 8200 192.168.253.40 + PING 192.168.253.40 (192.168.253.40) 8200(8228) bytes of data. + 8208 bytes from 192.168.253.40: icmp_seq=1 ttl=64 time=1.00 ms + wrong data byte #8144 should be 0xd0 but was 0x88 + +Fix the wrong pointer. Also we must refill DES3 only if the DMA buffer +size is 16K. + +Fixes: 54139cf3bb33 ("net: stmmac: adding multiple buffers for rx") +Signed-off-by: Aaro Koskinen +Acked-by: Jose Abreu +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/stmicro/stmmac/ring_mode.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/stmicro/stmmac/ring_mode.c ++++ b/drivers/net/ethernet/stmicro/stmmac/ring_mode.c +@@ -111,10 +111,11 @@ static unsigned int is_jumbo_frm(int len + + static void refill_desc3(void *priv_ptr, struct dma_desc *p) + { +- struct stmmac_priv *priv = (struct stmmac_priv *)priv_ptr; ++ struct stmmac_rx_queue *rx_q = priv_ptr; ++ struct stmmac_priv *priv = rx_q->priv_data; + + /* Fill DES3 in case of RING mode */ +- if (priv->dma_buf_sz >= BUF_SIZE_8KiB) ++ if (priv->dma_buf_sz == BUF_SIZE_16KiB) + p->des3 = cpu_to_le32(le32_to_cpu(p->des2) + BUF_SIZE_8KiB); + } + diff --git a/queue-5.0/net-sysfs-call-dev_hold-if-kobject_init_and_add-success.patch b/queue-5.0/net-sysfs-call-dev_hold-if-kobject_init_and_add-success.patch new file mode 100644 index 00000000000..4f0d33bb225 --- /dev/null +++ b/queue-5.0/net-sysfs-call-dev_hold-if-kobject_init_and_add-success.patch 
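Review bot: The root cause, a `void *priv_ptr` cast to the wrong struct, is fixed but not documented, so the same mistake can recur in any other callback that takes `priv_ptr`. A comment on the new assignment would fix the contract in the code: `/* priv_ptr is the stmmac_rx_queue that owns this descriptor, not the stmmac_priv */`. It is also worth checking, outside this hunk, whether the other ring_mode.c callbacks with a `void *priv_ptr` parameter perform the same cast.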
@@ -0,0 +1,62 @@ +From foo@baz Thu Mar 28 21:53:58 CET 2019 +From: YueHaibing +Date: Tue, 19 Mar 2019 10:16:53 +0800 +Subject: net-sysfs: call dev_hold if kobject_init_and_add success + +From: YueHaibing + +[ Upstream commit a3e23f719f5c4a38ffb3d30c8d7632a4ed8ccd9e ] + +In netdev_queue_add_kobject and rx_queue_add_kobject, +if sysfs_create_group failed, kobject_put will call +netdev_queue_release to decrease dev refcont, however +dev_hold has not be called. So we will see this while +unregistering dev: + +unregister_netdevice: waiting for bcsh0 to become free. Usage count = -1 + +Reported-by: Hulk Robot +Fixes: d0d668371679 ("net: don't decrement kobj reference count on init failure") +Signed-off-by: YueHaibing +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/core/net-sysfs.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/net/core/net-sysfs.c ++++ b/net/core/net-sysfs.c +@@ -934,6 +934,8 @@ static int rx_queue_add_kobject(struct n + if (error) + return error; + ++ dev_hold(queue->dev); ++ + if (dev->sysfs_rx_queue_group) { + error = sysfs_create_group(kobj, dev->sysfs_rx_queue_group); + if (error) { +@@ -943,7 +945,6 @@ static int rx_queue_add_kobject(struct n + } + + kobject_uevent(kobj, KOBJ_ADD); +- dev_hold(queue->dev); + + return error; + } +@@ -1472,6 +1473,8 @@ static int netdev_queue_add_kobject(stru + if (error) + return error; + ++ dev_hold(queue->dev); ++ + #ifdef CONFIG_BQL + error = sysfs_create_group(kobj, &dql_group); + if (error) { +@@ -1481,7 +1484,6 @@ static int netdev_queue_add_kobject(stru + #endif + + kobject_uevent(kobj, KOBJ_ADD); +- dev_hold(queue->dev); + + return 0; + } diff --git a/queue-5.0/net-sysfs-fix-memory-leak-in-netdev_register_kobject.patch b/queue-5.0/net-sysfs-fix-memory-leak-in-netdev_register_kobject.patch new file mode 100644 index 00000000000..4d0ca04f498 --- /dev/null +++ b/queue-5.0/net-sysfs-fix-memory-leak-in-netdev_register_kobject.patch 
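Review bot: `dev_hold(queue->dev)` now precedes the group creation in both rx_queue_add_kobject and netdev_queue_add_kobject, but nothing at the call site says why, and the reason (per the description, the failing paths call kobject_put() whose release callback drops the reference) is exactly what the old order got wrong. A one-line comment on each new `dev_hold()` would protect it: `/* Taken here because the error paths below kobject_put(), whose release drops it */`. Minor style point: rx_queue_add_kobject ends with `return error;` where error is known to be 0, while netdev_queue_add_kobject ends with `return 0;`; making the two parallel functions match reads cleaner.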
@@ -0,0 +1,86 @@ +From foo@baz Thu Mar 28 21:53:58 CET 2019 +From: Wang Hai +Date: Wed, 20 Mar 2019 14:25:05 -0400 +Subject: net-sysfs: Fix memory leak in netdev_register_kobject + +From: Wang Hai + +[ Upstream commit 6b70fc94afd165342876e53fc4b2f7d085009945 ] + +When registering struct net_device, it will call + register_netdevice -> + netdev_register_kobject -> + device_initialize(dev); + dev_set_name(dev, "%s", ndev->name) + device_add(dev) + register_queue_kobjects(ndev) + +In netdev_register_kobject(), if device_add(dev) or +register_queue_kobjects(ndev) failed. Register_netdevice() +will return error, causing netdev_freemem(ndev) to be +called to free net_device, however put_device(&dev->dev)->..-> +kobject_cleanup() won't be called, resulting in a memory leak. + +syzkaller report this: +BUG: memory leak +unreferenced object 0xffff8881f4fad168 (size 8): +comm "syz-executor.0", pid 3575, jiffies 4294778002 (age 20.134s) +hex dump (first 8 bytes): + 77 70 61 6e 30 00 ff ff wpan0... +backtrace: + [<000000006d2d91d7>] kstrdup_const+0x3d/0x50 mm/util.c:73 + [<00000000ba9ff953>] kvasprintf_const+0x112/0x170 lib/kasprintf.c:48 + [<000000005555ec09>] kobject_set_name_vargs+0x55/0x130 lib/kobject.c:281 + [<0000000098d28ec3>] dev_set_name+0xbb/0xf0 drivers/base/core.c:1915 + [<00000000b7553017>] netdev_register_kobject+0xc0/0x410 net/core/net-sysfs.c:1727 + [<00000000c826a797>] register_netdevice+0xa51/0xeb0 net/core/dev.c:8711 + [<00000000857bfcfd>] cfg802154_update_iface_num.isra.2+0x13/0x90 [ieee802154] + [<000000003126e453>] ieee802154_llsec_fill_key_id+0x1d5/0x570 [ieee802154] + [<00000000e4b3df51>] 0xffffffffc1500e0e + [<00000000b4319776>] platform_drv_probe+0xc6/0x180 drivers/base/platform.c:614 + [<0000000037669347>] really_probe+0x491/0x7c0 drivers/base/dd.c:509 + [<000000008fed8862>] driver_probe_device+0xdc/0x240 drivers/base/dd.c:671 + [<00000000baf52041>] device_driver_attach+0xf2/0x130 drivers/base/dd.c:945 + [<00000000c7cc8dec>] 
__driver_attach+0x10e/0x210 drivers/base/dd.c:1022 + [<0000000057a757c2>] bus_for_each_dev+0x154/0x1e0 drivers/base/bus.c:304 + [<000000005f5ae04b>] bus_add_driver+0x427/0x5e0 drivers/base/bus.c:645 + +Reported-by: Hulk Robot +Fixes: 1fa5ae857bb1 ("driver core: get rid of struct device's bus_id string array") +Signed-off-by: Wang Hai +Reviewed-by: Andy Shevchenko +Reviewed-by: Stephen Hemminger +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/core/net-sysfs.c | 14 +++++++++----- + 1 file changed, 9 insertions(+), 5 deletions(-) + +--- a/net/core/net-sysfs.c ++++ b/net/core/net-sysfs.c +@@ -1755,16 +1755,20 @@ int netdev_register_kobject(struct net_d + + error = device_add(dev); + if (error) +- return error; ++ goto error_put_device; + + error = register_queue_kobjects(ndev); +- if (error) { +- device_del(dev); +- return error; +- } ++ if (error) ++ goto error_device_del; + + pm_runtime_set_memalloc_noio(dev, true); + ++ return 0; ++ ++error_device_del: ++ device_del(dev); ++error_put_device: ++ put_device(dev); + return error; + } + diff --git a/queue-5.0/net-usb-aqc111-extend-hwid-table-by-qnap-device.patch b/queue-5.0/net-usb-aqc111-extend-hwid-table-by-qnap-device.patch new file mode 100644 index 00000000000..40e9faaebe7 --- /dev/null +++ b/queue-5.0/net-usb-aqc111-extend-hwid-table-by-qnap-device.patch 
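Review bot: The new `error_put_device: put_device(dev);` drops what is presumably the last reference on the embedded device, so kobject_cleanup() will run the net class release callback for the net_device while, per the description, the caller still frees it via netdev_freemem() after register_netdevice() fails. Unless that release callback is a no-op for a device that never reached the registered state, this looks like a double free or a state assertion waiting to fire, and the interaction with register_netdevice()'s error path and free_netdev() should be confirmed before this goes to stable. If put_device() is the right owner here, a comment spelling out which reference it drops and who then owns the net_device memory belongs on the label.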
@@ -0,0 +1,68 @@ +From foo@baz Thu Mar 28 21:53:58 CET 2019 +From: Dmitry Bezrukov +Date: Sat, 23 Mar 2019 13:59:53 +0000 +Subject: net: usb: aqc111: Extend HWID table by QNAP device + +From: Dmitry Bezrukov + +[ Upstream commit b7ebee2f95fb0fa2862d5ed2de707f872c311393 ] + +New device of QNAP based on aqc111u +Add this ID to blacklist of cdc_ether driver as well + +Signed-off-by: Dmitry Bezrukov +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/aqc111.c | 15 +++++++++++++++ + drivers/net/usb/cdc_ether.c | 8 ++++++++ + 2 files changed, 23 insertions(+) + +--- a/drivers/net/usb/aqc111.c ++++ b/drivers/net/usb/aqc111.c +@@ -1301,6 +1301,20 @@ static const struct driver_info trendnet + .tx_fixup = aqc111_tx_fixup, + }; + ++static const struct driver_info qnap_info = { ++ .description = "QNAP QNA-UC5G1T USB to 5GbE Adapter", ++ .bind = aqc111_bind, ++ .unbind = aqc111_unbind, ++ .status = aqc111_status, ++ .link_reset = aqc111_link_reset, ++ .reset = aqc111_reset, ++ .stop = aqc111_stop, ++ .flags = FLAG_ETHER | FLAG_FRAMING_AX | ++ FLAG_AVOID_UNLINK_URBS | FLAG_MULTI_PACKET, ++ .rx_fixup = aqc111_rx_fixup, ++ .tx_fixup = aqc111_tx_fixup, ++}; ++ + static int aqc111_suspend(struct usb_interface *intf, pm_message_t message) + { + struct usbnet *dev = usb_get_intfdata(intf); +@@ -1455,6 +1469,7 @@ static const struct usb_device_id produc + {AQC111_USB_ETH_DEV(0x0b95, 0x2790, asix111_info)}, + {AQC111_USB_ETH_DEV(0x0b95, 0x2791, asix112_info)}, + {AQC111_USB_ETH_DEV(0x20f4, 0xe05a, trendnet_info)}, ++ {AQC111_USB_ETH_DEV(0x1c04, 0x0015, qnap_info)}, + { },/* END */ + }; + MODULE_DEVICE_TABLE(usb, products); +--- a/drivers/net/usb/cdc_ether.c ++++ b/drivers/net/usb/cdc_ether.c +@@ -851,6 +851,14 @@ static const struct usb_device_id produc + .driver_info = 0, + }, + ++/* QNAP QNA-UC5G1T USB to 5GbE Adapter (based on AQC111U) */ ++{ ++ USB_DEVICE_AND_INTERFACE_INFO(0x1c04, 0x0015, USB_CLASS_COMM, ++ USB_CDC_SUBCLASS_ETHERNET, ++ 
USB_CDC_PROTO_NONE), ++ .driver_info = 0, ++}, ++ + /* WHITELIST!!! + * + * CDC Ether uses two interfaces, not necessarily consecutive. diff --git a/queue-5.0/packets-always-register-packet-sk-in-the-same-order.patch b/queue-5.0/packets-always-register-packet-sk-in-the-same-order.patch new file mode 100644 index 00000000000..8d5f4f5e725 --- /dev/null +++ b/queue-5.0/packets-always-register-packet-sk-in-the-same-order.patch 
@@ -0,0 +1,71 @@ +From foo@baz Thu Mar 28 21:53:58 CET 2019 +From: Maxime Chevallier +Date: Sat, 16 Mar 2019 14:41:30 +0100 +Subject: packets: Always register packet sk in the same order + +From: Maxime Chevallier + +[ Upstream commit a4dc6a49156b1f8d6e17251ffda17c9e6a5db78a ] + +When using fanouts with AF_PACKET, the demux functions such as +fanout_demux_cpu will return an index in the fanout socket array, which +corresponds to the selected socket. + +The ordering of this array depends on the order the sockets were added +to a given fanout group, so for FANOUT_CPU this means sockets are bound +to cpus in the order they are configured, which is OK. + +However, when stopping then restarting the interface these sockets are +bound to, the sockets are reassigned to the fanout group in the reverse +order, due to the fact that they were inserted at the head of the +interface's AF_PACKET socket list. + +This means that traffic that was directed to the first socket in the +fanout group is now directed to the last one after an interface restart. + +In the case of FANOUT_CPU, traffic from CPU0 will be directed to the +socket that used to receive traffic from the last CPU after an interface +restart. + +This commit introduces a helper to add a socket at the tail of a list, +then uses it to register AF_PACKET sockets. + +Note that this changes the order in which sockets are listed in /proc and +with sock_diag. + +Fixes: dc99f600698d ("packet: Add fanout support") +Signed-off-by: Maxime Chevallier +Acked-by: Willem de Bruijn +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/net/sock.h | 6 ++++++ + net/packet/af_packet.c | 2 +- + 2 files changed, 7 insertions(+), 1 deletion(-) + +--- a/include/net/sock.h ++++ b/include/net/sock.h +@@ -710,6 +710,12 @@ static inline void sk_add_node_rcu(struc + hlist_add_head_rcu(&sk->sk_node, list); + } + ++static inline void sk_add_node_tail_rcu(struct sock *sk, struct hlist_head *list) ++{ ++ sock_hold(sk); ++ hlist_add_tail_rcu(&sk->sk_node, list); ++} ++ + static inline void __sk_nulls_add_node_rcu(struct sock *sk, struct hlist_nulls_head *list) + { + hlist_nulls_add_head_rcu(&sk->sk_nulls_node, list); +--- a/net/packet/af_packet.c ++++ b/net/packet/af_packet.c +@@ -3245,7 +3245,7 @@ static int packet_create(struct net *net + } + + mutex_lock(&net->packet.sklist_lock); +- sk_add_node_rcu(sk, &net->packet.sklist); ++ sk_add_node_tail_rcu(sk, &net->packet.sklist); + mutex_unlock(&net->packet.sklist_lock); + + preempt_disable(); diff --git a/queue-5.0/r8169-fix-cable-re-plugging-issue.patch b/queue-5.0/r8169-fix-cable-re-plugging-issue.patch new file mode 100644 index 00000000000..64dc22cb355 --- /dev/null +++ b/queue-5.0/r8169-fix-cable-re-plugging-issue.patch 
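Review bot: The new `sk_add_node_tail_rcu()` in include/net/sock.h has no comment, while its ordering effect is the whole point of the change and, per the description, is visible in /proc and sock_diag output. A short header comment would carry that: `/* Like sk_add_node_rcu() but appends, so list order matches registration order (relied on by AF_PACKET fanout) */`. The packet_create() hunk is a one-line substitution and its body extends beyond the hunk.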
@@ -0,0 +1,38 @@
+From foo@baz Thu Mar 28 21:53:58 CET 2019
+From: Heiner Kallweit
+Date: Fri, 22 Mar 2019 07:39:35 +0100
+Subject: r8169: fix cable re-plugging issue
+
+From: Heiner Kallweit
+
+[ Upstream commit 23c78343ec36990709b636a9e02bad814f4384ad ]
+
+Bartek reported that after few cable unplug/replug cycles suddenly
+replug isn't detected any longer. His system uses a RTL8106, I wasn't
+able to reproduce the issue with RTL8168g. According to his bisect
+the referenced commit caused the regression. As Realtek doesn't
+release datasheets or errata it's hard to say what's the actual root
+cause, but this change was reported to fix the issue.
+
+Fixes: 38caff5a445b ("r8169: handle all interrupt events in the hard irq handler")
+Reported-by: Bartosz Skrzypczak
+Suggested-by: Bartosz Skrzypczak
+Tested-by: Bartosz Skrzypczak
+Signed-off-by: Heiner Kallweit
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/realtek/r8169.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/realtek/r8169.c
++++ b/drivers/net/ethernet/realtek/r8169.c
+@@ -6435,7 +6435,7 @@ static irqreturn_t rtl8169_interrupt(int
+ set_bit(RTL_FLAG_TASK_RESET_PENDING, tp->wk.flags);
+ }
+
+- if (status & RTL_EVENT_NAPI) {
++ if (status & (RTL_EVENT_NAPI | LinkChg)) {
+ rtl_irq_disable(tp);
+ napi_schedule_irqoff(&tp->napi);
+ }
diff --git a/queue-5.0/rhashtable-still-do-rehash-when-we-get-eexist.patch b/queue-5.0/rhashtable-still-do-rehash-when-we-get-eexist.patch new file mode 100644
index 00000000000..9a72651a756
--- /dev/null
+++ b/queue-5.0/rhashtable-still-do-rehash-when-we-get-eexist.patch
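Review bot: `if (status & (RTL_EVENT_NAPI | LinkChg))` now routes link-change events through the NAPI path, and the description admits the root cause is unknown, so without a comment the next cleanup will fold LinkChg back out. Suggest `/* LinkChg must also go through NAPI: RTL8106 otherwise misses cable re-plug (no vendor errata available, see commit) */` on the new line. Whether the NAPI poll handler actually acts on LinkChg is not visible in this hunk and is worth confirming; rtl8169_interrupt continues past the hunk.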
@@ -0,0 +1,48 @@ +From foo@baz Thu Mar 28 21:53:58 CET 2019 +From: Herbert Xu +Date: Thu, 21 Mar 2019 09:39:52 +0800 +Subject: rhashtable: Still do rehash when we get EEXIST + +From: Herbert Xu + +[ Upstream commit 408f13ef358aa5ad56dc6230c2c7deb92cf462b1 ] + +As it stands if a shrink is delayed because of an outstanding +rehash, we will go into a rescheduling loop without ever doing +the rehash. + +This patch fixes this by still carrying out the rehash and then +rescheduling so that we can shrink after the completion of the +rehash should it still be necessary. + +The return value of EEXIST captures this case and other cases +(e.g., another thread expanded/rehashed the table at the same +time) where we should still proceed with the rehash. + +Fixes: da20420f83ea ("rhashtable: Add nested tables") +Reported-by: Josh Elsasser +Signed-off-by: Herbert Xu +Tested-by: Josh Elsasser +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + lib/rhashtable.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/lib/rhashtable.c ++++ b/lib/rhashtable.c +@@ -416,8 +416,12 @@ static void rht_deferred_worker(struct w + else if (tbl->nest) + err = rhashtable_rehash_alloc(ht, tbl, tbl->size); + +- if (!err) +- err = rhashtable_rehash_table(ht); ++ if (!err || err == -EEXIST) { ++ int nerr; ++ ++ nerr = rhashtable_rehash_table(ht); ++ err = err ?: nerr; ++ } + + mutex_unlock(&ht->mutex); + diff --git a/queue-5.0/sctp-get-sctphdr-by-offset-in-sctp_compute_cksum.patch b/queue-5.0/sctp-get-sctphdr-by-offset-in-sctp_compute_cksum.patch new file mode 100644 index 00000000000..6bec36dcc13 --- /dev/null +++ b/queue-5.0/sctp-get-sctphdr-by-offset-in-sctp_compute_cksum.patch 
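Review bot: `err = err ?: nerr;` deliberately keeps `-EEXIST` after a successful rehash so the worker is rescheduled and the shrink retried, but that follows only from the description, not from the code. A comment on the new block would make the intent explicit: `/* Keep -EEXIST: the caller reschedules so the deferred shrink is retried after this rehash */`. Style-wise the declaration and assignment can be merged as `int nerr = rhashtable_rehash_table(ht);`, dropping the blank line with no change in behaviour. rht_deferred_worker continues outside the hunk, so the reschedule itself is not visible here.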
@@ -0,0 +1,40 @@
+From foo@baz Thu Mar 28 21:53:58 CET 2019
+From: Xin Long
+Date: Mon, 18 Mar 2019 19:47:00 +0800
+Subject: sctp: get sctphdr by offset in sctp_compute_cksum
+
+From: Xin Long
+
+[ Upstream commit 273160ffc6b993c7c91627f5a84799c66dfe4dee ]
+
+sctp_hdr(skb) only works when skb->transport_header is set properly.
+
+But in Netfilter, skb->transport_header for ipv6 is not guaranteed
+to be right value for sctphdr. It would cause to fail to check the
+checksum for sctp packets.
+
+So fix it by using offset, which is always right in all places.
+
+v1->v2:
+ - Fix the changelog.
+
+Fixes: e6d8b64b34aa ("net: sctp: fix and consolidate SCTP checksumming code")
+Reported-by: Li Shuang
+Signed-off-by: Xin Long
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ include/net/sctp/checksum.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/net/sctp/checksum.h
++++ b/include/net/sctp/checksum.h
+@@ -61,7 +61,7 @@ static inline __wsum sctp_csum_combine(_
+ static inline __le32 sctp_compute_cksum(const struct sk_buff *skb,
+ unsigned int offset)
+ {
+- struct sctphdr *sh = sctp_hdr(skb);
++ struct sctphdr *sh = (struct sctphdr *)(skb->data + offset);
+ const struct skb_checksum_ops ops = {
+ .update = sctp_csum_update,
+ .combine = sctp_csum_combine,
diff --git a/queue-5.0/sctp-use-memdup_user-instead-of-vmemdup_user.patch b/queue-5.0/sctp-use-memdup_user-instead-of-vmemdup_user.patch new file mode 100644
index 00000000000..c57d057d0e3
--- /dev/null
+++ b/queue-5.0/sctp-use-memdup_user-instead-of-vmemdup_user.patch
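Review bot: `(struct sctphdr *)(skb->data + offset)` assumes the SCTP header lies in the skb's linear area and that `offset` points inside it, an assumption the previous `sctp_hdr(skb)` shared but never stated; now that callers supply the offset it belongs in a comment, e.g. `/* Callers pass the SCTP header offset and guarantee it lies within the linear data */`. Since this is a static inline in a header used, per the description, from several places, a `WARN_ON_ONCE(offset + sizeof(*sh) > skb_headlen(skb))` could be considered if the call sites cannot all be audited, though the cost on the checksum fast path argues for the comment alone.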
@@ -0,0 +1,92 @@ +From foo@baz Thu Mar 28 21:53:58 CET 2019 +From: Xin Long +Date: Wed, 20 Mar 2019 14:49:38 +0800 +Subject: sctp: use memdup_user instead of vmemdup_user + +From: Xin Long + +[ Upstream commit ef82bcfa671b9a635bab5fa669005663d8b177c5 ] + +In sctp_setsockopt_bindx()/__sctp_setsockopt_connectx(), it allocates +memory with addrs_size which is passed from userspace. We used flag +GFP_USER to put some more restrictions on it in Commit cacc06215271 +("sctp: use GFP_USER for user-controlled kmalloc"). + +However, since Commit c981f254cc82 ("sctp: use vmemdup_user() rather +than badly open-coding memdup_user()"), vmemdup_user() has been used, +which doesn't check GFP_USER flag when goes to vmalloc_*(). So when +addrs_size is a huge value, it could exhaust memory and even trigger +oom killer. + +This patch is to use memdup_user() instead, in which GFP_USER would +work to limit the memory allocation with a huge addrs_size. + +Note we can't fix it by limiting 'addrs_size', as there's no demand +for it from RFC. + +Reported-by: syzbot+ec1b7575afef85a0e5ca@syzkaller.appspotmail.com +Fixes: c981f254cc82 ("sctp: use vmemdup_user() rather than badly open-coding memdup_user()") +Signed-off-by: Xin Long +Acked-by: Neil Horman +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/sctp/socket.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +--- a/net/sctp/socket.c ++++ b/net/sctp/socket.c +@@ -999,7 +999,7 @@ static int sctp_setsockopt_bindx(struct + if (unlikely(addrs_size <= 0)) + return -EINVAL; + +- kaddrs = vmemdup_user(addrs, addrs_size); ++ kaddrs = memdup_user(addrs, addrs_size); + if (unlikely(IS_ERR(kaddrs))) + return PTR_ERR(kaddrs); + +@@ -1007,7 +1007,7 @@ static int sctp_setsockopt_bindx(struct + addr_buf = kaddrs; + while (walk_size < addrs_size) { + if (walk_size + sizeof(sa_family_t) > addrs_size) { +- kvfree(kaddrs); ++ kfree(kaddrs); + return -EINVAL; + } + +@@ -1018,7 +1018,7 @@ static int sctp_setsockopt_bindx(struct + * causes the address buffer to overflow return EINVAL. + */ + if (!af || (walk_size + af->sockaddr_len) > addrs_size) { +- kvfree(kaddrs); ++ kfree(kaddrs); + return -EINVAL; + } + addrcnt++; +@@ -1054,7 +1054,7 @@ static int sctp_setsockopt_bindx(struct + } + + out: +- kvfree(kaddrs); ++ kfree(kaddrs); + + return err; + } +@@ -1329,7 +1329,7 @@ static int __sctp_setsockopt_connectx(st + if (unlikely(addrs_size <= 0)) + return -EINVAL; + +- kaddrs = vmemdup_user(addrs, addrs_size); ++ kaddrs = memdup_user(addrs, addrs_size); + if (unlikely(IS_ERR(kaddrs))) + return PTR_ERR(kaddrs); + +@@ -1349,7 +1349,7 @@ static int __sctp_setsockopt_connectx(st + err = __sctp_connect(sk, kaddrs, addrs_size, flags, assoc_id); + + out_free: +- kvfree(kaddrs); ++ kfree(kaddrs); + + return err; + } diff --git a/queue-5.0/series b/queue-5.0/series index 725754a54cd..4b036596028 100644 --- a/queue-5.0/series +++ b/queue-5.0/series 
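Review bot: The switch to `memdup_user(addrs, addrs_size)` makes the size bound implicit (kmalloc's maximum under GFP_USER, per the description), while `addrs_size` is still an `int` checked only for `<= 0`, so a reader of sctp_setsockopt_bindx or __sctp_setsockopt_connectx cannot see from the code that a huge user-supplied size is rejected rather than served. A comment at each call would carry the intent: `/* addrs_size is user controlled; memdup_user() (GFP_USER, kmalloc-bounded) caps the allocation */`. The same point applies to both functions touched in this hunk.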
@@ -1,3 +1,36 @@ bluetooth-check-l2cap-option-sizes-returned-from-l2cap_get_conf_opt.patch bluetooth-verify-that-l2cap_get_conf_opt-provides-large-enough-buffer.patch netfilter-nf_tables-fix-set-double-free-in-abort-pat.patch +dccp-do-not-use-ipv6-header-for-ipv4-flow.patch +genetlink-fix-a-memory-leak-on-error-path.patch +gtp-change-net_udp_tunnel-dependency-to-select.patch +ipv6-make-ip6_create_rt_rcu-return-ip6_null_entry-instead-of-null.patch +mac8390-fix-mmio-access-size-probe.patch +misdn-hfcpci-test-both-vendor-device-id-for-digium-hfc4s.patch +net-aquantia-fix-rx-checksum-offload-for-udp-tcp-over-ipv6.patch +net-datagram-fix-unbounded-loop-in-__skb_try_recv_datagram.patch +net-packet-set-__gfp_nowarn-upon-allocation-in-alloc_pg_vec.patch +net-phy-meson-gxl-fix-interrupt-support.patch +net-rose-fix-a-possible-stack-overflow.patch +net-stmmac-fix-memory-corruption-with-large-mtus.patch +net-sysfs-call-dev_hold-if-kobject_init_and_add-success.patch +net-sysfs-fix-memory-leak-in-netdev_register_kobject.patch +net-usb-aqc111-extend-hwid-table-by-qnap-device.patch +packets-always-register-packet-sk-in-the-same-order.patch +rhashtable-still-do-rehash-when-we-get-eexist.patch +sctp-get-sctphdr-by-offset-in-sctp_compute_cksum.patch +sctp-use-memdup_user-instead-of-vmemdup_user.patch +tcp-do-not-use-ipv6-header-for-ipv4-flow.patch +tipc-allow-service-ranges-to-be-connect-ed-on-rdm-dgram.patch +tipc-change-to-check-tipc_own_id-to-return-in-tipc_net_stop.patch +tipc-fix-cancellation-of-topology-subscriptions.patch +tun-properly-test-for-iff_up.patch +vrf-prevent-adding-upper-devices.patch +vxlan-don-t-call-gro_cells_destroy-before-device-is-unregistered.patch +thunderx-enable-page-recycling-for-non-xdp-case.patch +thunderx-eliminate-extra-calls-to-put_page-for-pages-held-for-recycling.patch +net-dsa-mv88e6xxx-fix-few-issues-in-mv88e6390x_port_set_cmode.patch +net-mii-fix-pause-cap-advertisement-from-linkmode_adv_to_lcl_adv_t-helper.patch 
+net-phy-don-t-clear-bmcr-in-genphy_soft_reset.patch +r8169-fix-cable-re-plugging-issue.patch +ila-fix-rhashtable-walker-list-corruption.patch diff --git a/queue-5.0/tcp-do-not-use-ipv6-header-for-ipv4-flow.patch b/queue-5.0/tcp-do-not-use-ipv6-header-for-ipv4-flow.patch new file mode 100644 index 00000000000..f1e4f380cfb --- /dev/null +++ b/queue-5.0/tcp-do-not-use-ipv6-header-for-ipv4-flow.patch @@ -0,0 +1,40 @@ +From foo@baz Thu Mar 28 21:53:58 CET 2019 +From: Eric Dumazet +Date: Tue, 19 Mar 2019 05:45:35 -0700 +Subject: tcp: do not use ipv6 header for ipv4 flow + +From: Eric Dumazet + +[ Upstream commit 89e4130939a20304f4059ab72179da81f5347528 ] + +When a dual stack tcp listener accepts an ipv4 flow, +it should not attempt to use an ipv6 header or tcp_v6_iif() helper. + +Fixes: 1397ed35f22d ("ipv6: add flowinfo for tcp6 pkt_options for all cases") +Fixes: df3687ffc665 ("ipv6: add the IPV6_FL_F_REFLECT flag to IPV6_FL_A_GET") +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/tcp_ipv6.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/net/ipv6/tcp_ipv6.c ++++ b/net/ipv6/tcp_ipv6.c +@@ -1112,11 +1112,11 @@ static struct sock *tcp_v6_syn_recv_sock + newnp->ipv6_fl_list = NULL; + newnp->pktoptions = NULL; + newnp->opt = NULL; +- newnp->mcast_oif = tcp_v6_iif(skb); +- newnp->mcast_hops = ipv6_hdr(skb)->hop_limit; +- newnp->rcv_flowinfo = ip6_flowinfo(ipv6_hdr(skb)); ++ newnp->mcast_oif = inet_iif(skb); ++ newnp->mcast_hops = ip_hdr(skb)->ttl; ++ newnp->rcv_flowinfo = 0; + if (np->repflow) +- newnp->flow_label = ip6_flowlabel(ipv6_hdr(skb)); ++ newnp->flow_label = 0; + + /* + * No need to charge this sock to the relevant IPv6 refcnt debug socks count 
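Review bot: `if (np->repflow) newnp->flow_label = 0;` reads oddly without context: assigning zero under a condition only makes sense if newnp otherwise inherits the listener's configured label, which the hunk does not show. A comment on the new block would settle it: `/* IPv4 flow on a dual-stack listener: there is no IPv6 header, so nothing to reflect into flow_label */`. tcp_v6_syn_recv_sock continues outside the hunk, so the IPv6 branch this mirrors and the initialisation of newnp are not visible here.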
diff --git a/queue-5.0/thunderx-eliminate-extra-calls-to-put_page-for-pages-held-for-recycling.patch b/queue-5.0/thunderx-eliminate-extra-calls-to-put_page-for-pages-held-for-recycling.patch new file mode 100644 index 00000000000..2f41d654af6 --- /dev/null +++ b/queue-5.0/thunderx-eliminate-extra-calls-to-put_page-for-pages-held-for-recycling.patch 
@@ -0,0 +1,58 @@
+From foo@baz Thu Mar 28 21:53:58 CET 2019
+From: Dean Nelson
+Date: Tue, 26 Mar 2019 11:53:26 -0400
+Subject: thunderx: eliminate extra calls to put_page() for pages held for recycling
+
+From: Dean Nelson
+
+[ Upstream commit cd35ef91490ad8049dd180bb060aff7ee192eda9 ]
+
+For the non-XDP case, commit 773225388dae15e72790 ("net: thunderx: Optimize
+page recycling for XDP") added code to nicvf_free_rbdr() that, when releasing
+the additional receive buffer page reference held for recycling, repeatedly
+calls put_page() until the page's _refcount goes to zero. Which results in
+the page being freed.
+
+This is not okay if the page's _refcount was greater than 1 (in the non-XDP
+case), because nicvf_free_rbdr() should not be subtracting more than what
+nicvf_alloc_page() had previously added to the page's _refcount, which was
+only 1 (in the non-XDP case).
+
+This can arise if a received packet is still being processed and the receive
+buffer (i.e., skb->head) has not yet been freed via skb_free_head() when
+nicvf_free_rbdr() is spinning through the aforementioned put_page() loop.
+
+If this should occur, when the received packet finishes processing and
+skb_free_head() is called, various problems can ensue. Exactly what, depends on
+whether the page has already been reallocated or not, anything from "BUG: Bad
+page state ... ", to "Unable to handle kernel NULL pointer dereference ..." or
+"Unable to handle kernel paging request...".
+
+So this patch changes nicvf_free_rbdr() to only call put_page() once for pages
+held for recycling (in the non-XDP case).
+
+Fixes: 773225388dae ("net: thunderx: Optimize page recycling for XDP")
+Signed-off-by: Dean Nelson
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/cavium/thunder/nicvf_queues.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/ethernet/cavium/thunder/nicvf_queues.c
++++ b/drivers/net/ethernet/cavium/thunder/nicvf_queues.c
+@@ -364,11 +364,10 @@ static void nicvf_free_rbdr(struct nicvf
+ while (head < rbdr->pgcnt) {
+ pgcache = &rbdr->pgcache[head];
+ if (pgcache->page && page_ref_count(pgcache->page) != 0) {
+- if (!rbdr->is_xdp) {
+- put_page(pgcache->page);
+- continue;
++ if (rbdr->is_xdp) {
++ page_ref_sub(pgcache->page,
++ pgcache->ref_count - 1);
+ }
+- page_ref_sub(pgcache->page, pgcache->ref_count - 1);
+ put_page(pgcache->page);
+ }
+ head++;
diff --git a/queue-5.0/thunderx-enable-page-recycling-for-non-xdp-case.patch b/queue-5.0/thunderx-enable-page-recycling-for-non-xdp-case.patch
new file mode 100644
index 00000000000..288a3bbc172
--- /dev/null
+++ b/queue-5.0/thunderx-enable-page-recycling-for-non-xdp-case.patch
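Review bot: The new `if (rbdr->is_xdp)` block is now the only place the extra page references are dropped, but nothing in the code says why non-XDP pages skip it; the reasoning (non-XDP pages carry exactly one reference from nicvf_alloc_page(), so a single put_page() is all that may be subtracted) lives only in the commit message. A comment on the branch would keep that invariant with the code, e.g. `/* XDP mode holds ref_count extra refs; non-XDP holds exactly one, released by put_page() below */`. If pgcache->ref_count can be 0 for an XDP page here, `pgcache->ref_count - 1` would subtract a negative or wrapped value — I cannot tell from the hunk whether that is reachable, so it is worth stating in the same comment. nicvf_free_rbdr() starts outside the hunk.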
@@ -0,0 +1,59 @@
+From foo@baz Thu Mar 28 21:53:58 CET 2019
+From: Dean Nelson
+Date: Tue, 26 Mar 2019 11:53:19 -0400
+Subject: thunderx: enable page recycling for non-XDP case
+
+From: Dean Nelson
+
+[ Upstream commit b3e208069477588c06f4d5d986164b435bb06e6d ]
+
+Commit 773225388dae15e72790 ("net: thunderx: Optimize page recycling for XDP")
+added code to nicvf_alloc_page() that inadvertently disables receive buffer
+page recycling for the non-XDP case by always NULL'ng the page pointer.
+
+This patch corrects two if-conditionals to allow for the recycling of non-XDP
+mode pages by only setting the page pointer to NULL when the page is not ready
+for recycling.
+
+Fixes: 773225388dae ("net: thunderx: Optimize page recycling for XDP")
+Signed-off-by: Dean Nelson
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/cavium/thunder/nicvf_queues.c | 23 ++++++++++-----------
+ 1 file changed, 11 insertions(+), 12 deletions(-)
+
+--- a/drivers/net/ethernet/cavium/thunder/nicvf_queues.c
++++ b/drivers/net/ethernet/cavium/thunder/nicvf_queues.c
+@@ -105,20 +105,19 @@ static inline struct pgcache *nicvf_allo
+ /* Check if page can be recycled */
+ if (page) {
+ ref_count = page_ref_count(page);
+- /* Check if this page has been used once i.e 'put_page'
+- * called after packet transmission i.e internal ref_count
+- * and page's ref_count are equal i.e page can be recycled.
++ /* This page can be recycled if internal ref_count and page's
++ * ref_count are equal, indicating that the page has been used
++ * once for packet transmission. For non-XDP mode, internal
++ * ref_count is always '1'.
+ */
+- if (rbdr->is_xdp && (ref_count == pgcache->ref_count))
+- pgcache->ref_count--;
+- else
+- page = NULL;
+-
+- /* In non-XDP mode, page's ref_count needs to be '1' for it
+- * to be recycled.
+- */
+- if (!rbdr->is_xdp && (ref_count != 1))
++ if (rbdr->is_xdp) {
++ if (ref_count == pgcache->ref_count)
++ pgcache->ref_count--;
++ else
++ page = NULL;
++ } else if (ref_count != 1) {
+ page = NULL;
++ }
+ }
+
+ if (!page) {
diff --git a/queue-5.0/tipc-allow-service-ranges-to-be-connect-ed-on-rdm-dgram.patch b/queue-5.0/tipc-allow-service-ranges-to-be-connect-ed-on-rdm-dgram.patch
new file mode 100644
index 00000000000..8e274b978fc
--- /dev/null
+++ b/queue-5.0/tipc-allow-service-ranges-to-be-connect-ed-on-rdm-dgram.patch
@@ -0,0 +1,65 @@
+From foo@baz Thu Mar 28 21:53:58 CET 2019
+From: Erik Hugne
+Date: Sun, 17 Mar 2019 18:46:42 +0100
+Subject: tipc: allow service ranges to be connect()'ed on RDM/DGRAM
+
+From: Erik Hugne
+
+[ Upstream commit ea239314fe42ace880bdd834256834679346c80e ]
+
+We move the check that prevents connecting service ranges to after
+the RDM/DGRAM check, and move address sanity control to a separate
+function that also validates the service range.
+
+Fixes: 23998835be98 ("tipc: improve address sanity check in tipc_connect()")
+Signed-off-by: Erik Hugne
+Signed-off-by: Jon Maloy
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/tipc/socket.c | 20 +++++++++++++++-----
+ 1 file changed, 15 insertions(+), 5 deletions(-)
+
+--- a/net/tipc/socket.c
++++ b/net/tipc/socket.c
+@@ -2349,6 +2349,16 @@ static int tipc_wait_for_connect(struct
+ return 0;
+ }
+
++static bool tipc_sockaddr_is_sane(struct sockaddr_tipc *addr)
++{
++ if (addr->family != AF_TIPC)
++ return false;
++ if (addr->addrtype == TIPC_SERVICE_RANGE)
++ return (addr->addr.nameseq.lower <= addr->addr.nameseq.upper);
++ return (addr->addrtype == TIPC_SERVICE_ADDR ||
++ addr->addrtype == TIPC_SOCKET_ADDR);
++}
++
+ /**
+ * tipc_connect - establish a connection to another TIPC port
+ * @sock: socket structure
+@@ -2384,18 +2394,18 @@ static int tipc_connect(struct socket *s
+ if (!tipc_sk_type_connectionless(sk))
+ res = -EINVAL;
+ goto exit;
+- } else if (dst->family != AF_TIPC) {
+- res = -EINVAL;
+ }
+- if (dst->addrtype != TIPC_ADDR_ID && dst->addrtype != TIPC_ADDR_NAME)
++ if (!tipc_sockaddr_is_sane(dst)) {
+ res = -EINVAL;
+- if (res)
+ goto exit;
+-
++ }
+ /* DGRAM/RDM connect(), just save the destaddr */
+ if (tipc_sk_type_connectionless(sk)) {
+ memcpy(&tsk->peer, dest, destlen);
+ goto exit;
++ } else if (dst->addrtype == TIPC_SERVICE_RANGE) {
++ res = -EINVAL;
++ goto exit;
+ }
+
+ previous = sk->sk_state;
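Review bot: `tipc_sockaddr_is_sane()` only reads through `addr`, so its parameter should be `const struct sockaddr_tipc *addr`; that documents the contract at the signature and costs nothing at the single call site `tipc_sockaddr_is_sane(dst)`. The helper also lacks the kernel-doc block its neighbour tipc_connect() has; a short one stating that it accepts only AF_TIPC addresses of service, socket or service-range type, and that a range is rejected when its lower bound exceeds its upper bound, would match the file's style. The later `else if (dst->addrtype == TIPC_SERVICE_RANGE)` rejection correctly limits ranges to the connectionless path. tipc_connect()'s body continues outside the hunk.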
diff --git a/queue-5.0/tipc-change-to-check-tipc_own_id-to-return-in-tipc_net_stop.patch b/queue-5.0/tipc-change-to-check-tipc_own_id-to-return-in-tipc_net_stop.patch
new file mode 100644
index 00000000000..9eb62acbbcc
--- /dev/null
+++ b/queue-5.0/tipc-change-to-check-tipc_own_id-to-return-in-tipc_net_stop.patch
@@ -0,0 +1,63 @@
+From foo@baz Thu Mar 28 21:53:58 CET 2019
+From: Xin Long
+Date: Sun, 24 Mar 2019 00:48:22 +0800
+Subject: tipc: change to check tipc_own_id to return in tipc_net_stop
+
+From: Xin Long
+
+[ Upstream commit 9926cb5f8b0f0aea535735185600d74db7608550 ]
+
+When running a syz script, a panic occurred:
+
+[ 156.088228] BUG: KASAN: use-after-free in tipc_disc_timeout+0x9c9/0xb20 [tipc]
+[ 156.094315] Call Trace:
+[ 156.094844]
+[ 156.095306] dump_stack+0x7c/0xc0
+[ 156.097346] print_address_description+0x65/0x22e
+[ 156.100445] kasan_report.cold.3+0x37/0x7a
+[ 156.102402] tipc_disc_timeout+0x9c9/0xb20 [tipc]
+[ 156.106517] call_timer_fn+0x19a/0x610
+[ 156.112749] run_timer_softirq+0xb51/0x1090
+
+It was caused by the netns freed without deleting the discoverer timer,
+while later on the netns would be accessed in the timer handler.
+
+The timer should have been deleted by tipc_net_stop() when cleaning up a
+netns. However, tipc has been able to enable a bearer and start d->timer
+without the local node_addr set since Commit 52dfae5c85a4 ("tipc: obtain
+node identity from interface by default"), which caused the timer not to
+be deleted in tipc_net_stop() then.
+
+So fix it in tipc_net_stop() by changing to check local node_id instead
+of local node_addr, as Jon suggested.
+
+While at it, remove the calling of tipc_nametbl_withdraw() there, since
+tipc_nametbl_stop() will take of the nametbl's freeing after.
+
+Fixes: 52dfae5c85a4 ("tipc: obtain node identity from interface by default")
+Reported-by: syzbot+a25307ad099309f1c2b9@syzkaller.appspotmail.com
+Signed-off-by: Xin Long
+Acked-by: Ying Xue
+Acked-by: Jon Maloy
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/tipc/net.c | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+--- a/net/tipc/net.c
++++ b/net/tipc/net.c
+@@ -163,12 +163,9 @@ void tipc_sched_net_finalize(struct net
+
+ void tipc_net_stop(struct net *net)
+ {
+- u32 self = tipc_own_addr(net);
+-
+- if (!self)
++ if (!tipc_own_id(net))
+ return;
+
+- tipc_nametbl_withdraw(net, TIPC_CFG_SRV, self, self, self);
+ rtnl_lock();
+ tipc_bearer_stop(net);
+ tipc_node_stop(net);
diff --git a/queue-5.0/tipc-fix-cancellation-of-topology-subscriptions.patch b/queue-5.0/tipc-fix-cancellation-of-topology-subscriptions.patch
new file mode 100644
index 00000000000..385071be6c3
--- /dev/null
+++ b/queue-5.0/tipc-fix-cancellation-of-topology-subscriptions.patch
@@ -0,0 +1,33 @@
+From foo@baz Thu Mar 28 21:53:58 CET 2019
+From: Erik Hugne
+Date: Thu, 21 Mar 2019 09:11:59 +0100
+Subject: tipc: fix cancellation of topology subscriptions
+
+From: Erik Hugne
+
+[ Upstream commit 33872d79f5d1cbedaaab79669cc38f16097a9450 ]
+
+When cancelling a subscription, we have to clear the cancel bit in the
+request before iterating over any established subscriptions with memcmp.
+Otherwise no subscription will ever be found, and it will not be
+possible to explicitly unsubscribe individual subscriptions.
+
+Fixes: 8985ecc7c1e0 ("tipc: simplify endianness handling in topology subscriber")
+Signed-off-by: Erik Hugne
+Signed-off-by: Jon Maloy
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/tipc/topsrv.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/tipc/topsrv.c
++++ b/net/tipc/topsrv.c
+@@ -365,6 +365,7 @@ static int tipc_conn_rcv_sub(struct tipc
+ struct tipc_subscription *sub;
+
+ if (tipc_sub_read(s, filter) & TIPC_SUB_CANCEL) {
++ s->filter &= __constant_ntohl(~TIPC_SUB_CANCEL);
+ tipc_conn_delete_sub(con, s);
+ return 0;
+ }
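Review bot: The new `if (!tipc_own_id(net)) return;` carries no comment explaining why the node id rather than the node address is the right guard, and the reasoning (a bearer and its discovery timer can be started with only the node id set) exists only in the commit message. Suggest `/* A bearer can be enabled with only the node id set, so key the teardown on it or d->timer outlives the netns */` above the check. tipc_net_stop()'s body continues outside the hunk.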
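Review bot: `s->filter &= __constant_ntohl(~TIPC_SUB_CANCEL);` masks a wire-order field with a byte-swapped host constant, which is correct but reads oddly: the `__constant_*` forms exist for constant-only contexts such as case labels, and the operation being expressed is a host-to-network conversion of the mask. `s->filter &= htonl(~TIPC_SUB_CANCEL);` should fold to the same constant and states the intent, and a one-line comment such as `/* clear the cancel bit so memcmp() against stored requests can match */` would tie the line to the reasoning in the commit message. tipc_conn_rcv_sub() continues outside the hunk.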
diff --git a/queue-5.0/tun-properly-test-for-iff_up.patch b/queue-5.0/tun-properly-test-for-iff_up.patch
new file mode 100644
index 00000000000..886cb853260
--- /dev/null
+++ b/queue-5.0/tun-properly-test-for-iff_up.patch
@@ -0,0 +1,96 @@
+From foo@baz Thu Mar 28 21:53:58 CET 2019
+From: Eric Dumazet
+Date: Thu, 14 Mar 2019 20:19:47 -0700
+Subject: tun: properly test for IFF_UP
+
+From: Eric Dumazet
+
+[ Upstream commit 4477138fa0ae4e1b699786ef0600863ea6e6c61c ]
+
+Same reasons than the ones explained in commit 4179cb5a4c92
+("vxlan: test dev->flags & IFF_UP before calling netif_rx()")
+
+netif_rx_ni() or napi_gro_frags() must be called under a strict contract.
+
+At device dismantle phase, core networking clears IFF_UP
+and flush_all_backlogs() is called after rcu grace period
+to make sure no incoming packet might be in a cpu backlog
+and still referencing the device.
+
+A similar protocol is used for gro layer.
+
+Most drivers call netif_rx() from their interrupt handler,
+and since the interrupts are disabled at device dismantle,
+netif_rx() does not have to check dev->flags & IFF_UP
+
+Virtual drivers do not have this guarantee, and must
+therefore make the check themselves.
+
+Fixes: 1bd4978a88ac ("tun: honor IFF_UP in tun_get_user()")
+Signed-off-by: Eric Dumazet
+Reported-by: syzbot
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/tun.c | 15 +++++++++++----
+ 1 file changed, 11 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/tun.c
++++ b/drivers/net/tun.c
+@@ -1763,9 +1763,6 @@ static ssize_t tun_get_user(struct tun_s
+ int skb_xdp = 1;
+ bool frags = tun_napi_frags_enabled(tfile);
+
+- if (!(tun->dev->flags & IFF_UP))
+- return -EIO;
+-
+ if (!(tun->flags & IFF_NO_PI)) {
+ if (len < sizeof(pi))
+ return -EINVAL;
+@@ -1867,6 +1864,8 @@ static ssize_t tun_get_user(struct tun_s
+ err = skb_copy_datagram_from_iter(skb, 0, from, len);
+
+ if (err) {
++ err = -EFAULT;
++drop:
+ this_cpu_inc(tun->pcpu_stats->rx_dropped);
+ kfree_skb(skb);
+ if (frags) {
+@@ -1874,7 +1873,7 @@ static ssize_t tun_get_user(struct tun_s
+ mutex_unlock(&tfile->napi_mutex);
+ }
+
+- return -EFAULT;
++ return err;
+ }
+ }
+
+@@ -1958,6 +1957,12 @@ static ssize_t tun_get_user(struct tun_s
+ !tfile->detached)
+ rxhash = __skb_get_hash_symmetric(skb);
+
++ rcu_read_lock();
++ if (unlikely(!(tun->dev->flags & IFF_UP))) {
++ err = -EIO;
++ goto drop;
++ }
++
+ if (frags) {
+ /* Exercise flow dissector code path. */
+ u32 headlen = eth_get_headlen(skb->data, skb_headlen(skb));
+@@ -1965,6 +1970,7 @@ static ssize_t tun_get_user(struct tun_s
+ if (unlikely(headlen > skb_headlen(skb))) {
+ this_cpu_inc(tun->pcpu_stats->rx_dropped);
+ napi_free_frags(&tfile->napi);
++ rcu_read_unlock();
+ mutex_unlock(&tfile->napi_mutex);
+ WARN_ON(1);
+ return -ENOMEM;
+@@ -1992,6 +1998,7 @@ static ssize_t tun_get_user(struct tun_s
+ } else {
+ netif_rx_ni(skb);
+ }
++ rcu_read_unlock();
+
+ stats = get_cpu_ptr(tun->pcpu_stats);
+ u64_stats_update_begin(&stats->syncp);
diff --git a/queue-5.0/vrf-prevent-adding-upper-devices.patch b/queue-5.0/vrf-prevent-adding-upper-devices.patch
new file mode 100644
index 00000000000..208f4cbbb6f
--- /dev/null
+++ b/queue-5.0/vrf-prevent-adding-upper-devices.patch
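Review bot: The `goto drop` in the new IFF_UP check jumps to the `drop:` label while the read-side critical section opened by the preceding `rcu_read_lock()` is still held, and the drop path (this_cpu_inc(), kfree_skb(), the napi_mutex unlock, `return err`) never releases it — the two other exits touched by this patch got an `rcu_read_unlock()`, this one did not. The unlock belongs at the jump site, not at the label, because the label is also reached from the skb_copy_datagram_from_iter() failure path where no lock is held: `err = -EIO;` / `rcu_read_unlock();` / `goto drop;`. Returning to user space with an unbalanced rcu_read_lock() would be flagged by lockdep on the next syscall boundary, so this is worth fixing before the backport ships. tun_get_user() starts and ends outside the hunks.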
@@ -0,0 +1,38 @@
+From foo@baz Thu Mar 28 21:53:58 CET 2019
+From: Sabrina Dubroca
+Date: Tue, 26 Mar 2019 18:22:16 +0100
+Subject: vrf: prevent adding upper devices
+
+From: Sabrina Dubroca
+
+[ Upstream commit 1017e0987117c32783ba7c10fe2e7ff1456ba1dc ]
+
+VRF devices don't work with upper devices. Currently, it's possible to
+add a VRF device to a bridge or team, and to create macvlan, macsec, or
+ipvlan devices on top of a VRF (bond and vlan are prevented respectively
+by the lack of an ndo_set_mac_address op and the NETIF_F_VLAN_CHALLENGED
+feature flag).
+
+Fix this by setting the IFF_NO_RX_HANDLER flag (introduced in commit
+f5426250a6ec ("net: introduce IFF_NO_RX_HANDLER")).
+
+Cc: David Ahern
+Fixes: 193125dbd8eb ("net: Introduce VRF device driver")
+Signed-off-by: Sabrina Dubroca
+Acked-by: David Ahern
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/vrf.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/vrf.c
++++ b/drivers/net/vrf.c
+@@ -1273,6 +1273,7 @@ static void vrf_setup(struct net_device
+
+ /* default to no qdisc; user can add if desired */
+ dev->priv_flags |= IFF_NO_QUEUE;
++ dev->priv_flags |= IFF_NO_RX_HANDLER;
+
+ dev->min_mtu = 0;
+ dev->max_mtu = 0;
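Review bot: The added `dev->priv_flags |= IFF_NO_RX_HANDLER;` has no comment while the IFF_NO_QUEUE line directly above it does, and the reason (a VRF cannot serve as a lower device for bridge, team, macvlan and similar uppers) is recorded only in the commit message. Suggest `/* VRF cannot be a lower device: refuse rx_handler registration (bridge, team, macvlan, ...) */` above the new line, matching the style of the qdisc comment. vrf_setup() continues outside the hunk.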
@@ -0,0 +1,47 @@
+From foo@baz Thu Mar 28 21:53:58 CET 2019
+From: Zhiqiang Liu
+Date: Sat, 16 Mar 2019 17:02:54 +0800
+Subject: vxlan: Don't call gro_cells_destroy() before device is unregistered
+
+From: Zhiqiang Liu
+
+[ Upstream commit cc4807bb609230d8959fd732b0bf3bd4c2de8eac ]
+
+Commit ad6c9986bcb62 ("vxlan: Fix GRO cells race condition between
+receive and link delete") fixed a race condition for the typical case a vxlan
+device is dismantled from the current netns. But if a netns is dismantled,
+vxlan_destroy_tunnels() is called to schedule a unregister_netdevice_queue()
+of all the vxlan tunnels that are related to this netns.
+
+In vxlan_destroy_tunnels(), gro_cells_destroy() is called and finished before
+unregister_netdevice_queue(). This means that the gro_cells_destroy() call is
+done too soon, for the same reasons explained in above commit.
+
+So we need to fully respect the RCU rules, and thus must remove the
+gro_cells_destroy() call or risk use after-free.
+
+Fixes: 58ce31cca1ff ("vxlan: GRO support at tunnel layer")
+Signed-off-by: Suanming.Mou
+Suggested-by: Eric Dumazet
+Reviewed-by: Stefano Brivio
+Reviewed-by: Zhiqiang Liu
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/vxlan.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/drivers/net/vxlan.c
++++ b/drivers/net/vxlan.c
+@@ -4184,10 +4184,8 @@ static void vxlan_destroy_tunnels(struct
+ /* If vxlan->dev is in the same netns, it has already been added
+ * to the list by the previous loop.
+ */
+- if (!net_eq(dev_net(vxlan->dev), net)) {
+- gro_cells_destroy(&vxlan->gro_cells);
++ if (!net_eq(dev_net(vxlan->dev), net))
+ unregister_netdevice_queue(vxlan->dev, head);
+- }
+ }
+
+ for (h = 0; h < PORT_HASH_SIZE; ++h)
-- 
2.47.2
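Review bot: With `gro_cells_destroy()` removed, nothing in vxlan_destroy_tunnels() records the ordering rule this change enforces, and the unchanged comment above the `if` still reads as though this loop owns the whole teardown; the next person to touch it could reintroduce the early destroy. A one-line comment would keep the constraint with the code, e.g. `/* gro_cells must not be destroyed before the device is unregistered; the device teardown path takes care of it */` — the "device teardown path" part is inferred from the referenced fix rather than from this hunk, so confirm the wording against the driver. vxlan_destroy_tunnels() starts outside the hunk.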