From: Greg Kroah-Hartman Date: Sat, 16 May 2020 12:05:43 +0000 (+0200) Subject: 5.6-stable patches X-Git-Tag: v4.4.224~54 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=193c9be96f7a387420631158675bc557892cb4c3;p=thirdparty%2Fkernel%2Fstable-queue.git 5.6-stable patches added patches: dpaa2-eth-prevent-array-underflow-in-update_cls_rule.patch dpaa2-eth-properly-handle-buffer-size-restrictions.patch hinic-fix-a-bug-of-ndo_stop.patch mptcp-set-correct-vfs-info-for-subflows.patch net-broadcom-select-broadcom_phy-for-bcmgenet.patch net-dsa-loop-add-module-soft-dependency.patch net-fix-a-potential-recursive-netdev_feat_change.patch net-ipv4-really-enforce-backoff-for-redirects.patch net-phy-fix-aneg-restart-in-phy_ethtool_set_eee.patch net-stmmac-fix-num_por-initialization.patch net-tcp-fix-rx-timestamp-behavior-for-tcp_recvmsg.patch netlabel-cope-with-null-catmap.patch netprio_cgroup-fix-unlimited-memory-leak-of-v2-cgroups.patch nfp-abm-fix-error-return-code-in-nfp_abm_vnic_alloc.patch pppoe-only-process-padt-targeted-at-local-interfaces.patch r8169-re-establish-support-for-rtl8401-chip-version.patch revert-ipv6-add-mtu-lock-check-in-__ip6_rt_update_pmtu.patch tcp-fix-error-recovery-in-tcp_zerocopy_receive.patch tcp-fix-so_rcvlowat-hangs-with-fat-skbs.patch umh-fix-memory-leak-on-execve-failure.patch virtio_net-fix-lockdep-warning-on-32-bit.patch --- diff --git a/queue-5.6/dpaa2-eth-prevent-array-underflow-in-update_cls_rule.patch b/queue-5.6/dpaa2-eth-prevent-array-underflow-in-update_cls_rule.patch new file mode 100644 index 00000000000..a2bd64b7142 --- /dev/null +++ b/queue-5.6/dpaa2-eth-prevent-array-underflow-in-update_cls_rule.patch @@ -0,0 +1,33 @@ +From foo@baz Sat 16 May 2020 02:04:40 PM CEST +From: Dan Carpenter +Date: Fri, 8 May 2020 17:37:20 +0300 +Subject: dpaa2-eth: prevent array underflow in update_cls_rule() + +From: Dan Carpenter + +[ Upstream commit 6d32a5119811d2e9b5caa284181944c6f1f192ed ] + +The "location" is controlled by the user via the ethtool_set_rxnfc() +function. This update_cls_rule() function checks for array overflows +but it doesn't check if the value is negative. I have changed the type +to unsigned to prevent array underflows. + +Fixes: afb90dbb5f78 ("dpaa2-eth: Add ethtool support for flow classification") +Signed-off-by: Dan Carpenter +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/freescale/dpaa2/dpaa2-ethtool.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/freescale/dpaa2/dpaa2-ethtool.c ++++ b/drivers/net/ethernet/freescale/dpaa2/dpaa2-ethtool.c +@@ -625,7 +625,7 @@ static int num_rules(struct dpaa2_eth_pr + + static int update_cls_rule(struct net_device *net_dev, + struct ethtool_rx_flow_spec *new_fs, +- int location) ++ unsigned int location) + { + struct dpaa2_eth_priv *priv = netdev_priv(net_dev); + struct dpaa2_eth_cls_rule *rule; diff --git a/queue-5.6/dpaa2-eth-properly-handle-buffer-size-restrictions.patch b/queue-5.6/dpaa2-eth-properly-handle-buffer-size-restrictions.patch new file mode 100644 index 00000000000..1e3ce303911 --- /dev/null +++ b/queue-5.6/dpaa2-eth-properly-handle-buffer-size-restrictions.patch @@ -0,0 +1,153 @@ +From foo@baz Sat 16 May 2020 02:04:40 PM CEST +From: Ioana Ciornei +Date: Fri, 15 May 2020 15:30:22 +0300 +Subject: dpaa2-eth: properly handle buffer size restrictions + +From: Ioana Ciornei + +[ Upstream commit efa6a7d07523ffbbf6503c1a7eeb52201c15c0e3 ] + +Depending on the WRIOP version, the buffer size on the RX path must by a +multiple of 64 or 256. Handle this restriction properly by aligning down +the buffer size to the necessary value. Also, use the new buffer size +dynamically computed instead of the compile time one. + +Fixes: 27c874867c4e ("dpaa2-eth: Use a single page per Rx buffer") +Signed-off-by: Ioana Ciornei +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c | 29 +++++++++++++---------- + drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.h | 1 + 2 files changed, 18 insertions(+), 12 deletions(-) + +--- a/drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c ++++ b/drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c +@@ -86,7 +86,7 @@ static void free_rx_fd(struct dpaa2_eth_ + for (i = 1; i < DPAA2_ETH_MAX_SG_ENTRIES; i++) { + addr = dpaa2_sg_get_addr(&sgt[i]); + sg_vaddr = dpaa2_iova_to_virt(priv->iommu_domain, addr); +- dma_unmap_page(dev, addr, DPAA2_ETH_RX_BUF_SIZE, ++ dma_unmap_page(dev, addr, priv->rx_buf_size, + DMA_BIDIRECTIONAL); + + free_pages((unsigned long)sg_vaddr, 0); +@@ -144,7 +144,7 @@ static struct sk_buff *build_frag_skb(st + /* Get the address and length from the S/G entry */ + sg_addr = dpaa2_sg_get_addr(sge); + sg_vaddr = dpaa2_iova_to_virt(priv->iommu_domain, sg_addr); +- dma_unmap_page(dev, sg_addr, DPAA2_ETH_RX_BUF_SIZE, ++ dma_unmap_page(dev, sg_addr, priv->rx_buf_size, + DMA_BIDIRECTIONAL); + + sg_length = dpaa2_sg_get_len(sge); +@@ -185,7 +185,7 @@ static struct sk_buff *build_frag_skb(st + (page_address(page) - page_address(head_page)); + + skb_add_rx_frag(skb, i - 1, head_page, page_offset, +- sg_length, DPAA2_ETH_RX_BUF_SIZE); ++ sg_length, priv->rx_buf_size); + } + + if (dpaa2_sg_is_final(sge)) +@@ -211,7 +211,7 @@ static void free_bufs(struct dpaa2_eth_p + + for (i = 0; i < count; i++) { + vaddr = dpaa2_iova_to_virt(priv->iommu_domain, buf_array[i]); +- dma_unmap_page(dev, buf_array[i], DPAA2_ETH_RX_BUF_SIZE, ++ dma_unmap_page(dev, buf_array[i], priv->rx_buf_size, + DMA_BIDIRECTIONAL); + free_pages((unsigned long)vaddr, 0); + } +@@ -335,7 +335,7 @@ static u32 run_xdp(struct dpaa2_eth_priv + break; + case XDP_REDIRECT: + dma_unmap_page(priv->net_dev->dev.parent, addr, +- DPAA2_ETH_RX_BUF_SIZE, DMA_BIDIRECTIONAL); ++ priv->rx_buf_size, DMA_BIDIRECTIONAL); + ch->buf_count--; + xdp.data_hard_start = vaddr; + err = xdp_do_redirect(priv->net_dev, &xdp, xdp_prog); +@@ -374,7 +374,7 @@ static void dpaa2_eth_rx(struct dpaa2_et + trace_dpaa2_rx_fd(priv->net_dev, fd); + + vaddr = dpaa2_iova_to_virt(priv->iommu_domain, addr); +- dma_sync_single_for_cpu(dev, addr, DPAA2_ETH_RX_BUF_SIZE, ++ dma_sync_single_for_cpu(dev, addr, priv->rx_buf_size, + DMA_BIDIRECTIONAL); + + fas = dpaa2_get_fas(vaddr, false); +@@ -393,13 +393,13 @@ static void dpaa2_eth_rx(struct dpaa2_et + return; + } + +- dma_unmap_page(dev, addr, DPAA2_ETH_RX_BUF_SIZE, ++ dma_unmap_page(dev, addr, priv->rx_buf_size, + DMA_BIDIRECTIONAL); + skb = build_linear_skb(ch, fd, vaddr); + } else if (fd_format == dpaa2_fd_sg) { + WARN_ON(priv->xdp_prog); + +- dma_unmap_page(dev, addr, DPAA2_ETH_RX_BUF_SIZE, ++ dma_unmap_page(dev, addr, priv->rx_buf_size, + DMA_BIDIRECTIONAL); + skb = build_frag_skb(priv, ch, buf_data); + free_pages((unsigned long)vaddr, 0); +@@ -974,7 +974,7 @@ static int add_bufs(struct dpaa2_eth_pri + if (!page) + goto err_alloc; + +- addr = dma_map_page(dev, page, 0, DPAA2_ETH_RX_BUF_SIZE, ++ addr = dma_map_page(dev, page, 0, priv->rx_buf_size, + DMA_BIDIRECTIONAL); + if (unlikely(dma_mapping_error(dev, addr))) + goto err_map; +@@ -984,7 +984,7 @@ static int add_bufs(struct dpaa2_eth_pri + /* tracing point */ + trace_dpaa2_eth_buf_seed(priv->net_dev, + page, DPAA2_ETH_RX_BUF_RAW_SIZE, +- addr, DPAA2_ETH_RX_BUF_SIZE, ++ addr, priv->rx_buf_size, + bpid); + } + +@@ -1715,7 +1715,7 @@ static bool xdp_mtu_valid(struct dpaa2_e + int mfl, linear_mfl; + + mfl = DPAA2_ETH_L2_MAX_FRM(mtu); +- linear_mfl = DPAA2_ETH_RX_BUF_SIZE - DPAA2_ETH_RX_HWA_SIZE - ++ linear_mfl = priv->rx_buf_size - DPAA2_ETH_RX_HWA_SIZE - + dpaa2_eth_rx_head_room(priv) - XDP_PACKET_HEADROOM; + + if (mfl > linear_mfl) { +@@ -2457,6 +2457,11 @@ static int set_buffer_layout(struct dpaa + else + rx_buf_align = DPAA2_ETH_RX_BUF_ALIGN; + ++ /* We need to ensure that the buffer size seen by WRIOP is a multiple ++ * of 64 or 256 bytes depending on the WRIOP version. ++ */ ++ priv->rx_buf_size = ALIGN_DOWN(DPAA2_ETH_RX_BUF_SIZE, rx_buf_align); ++ + /* tx buffer */ + buf_layout.private_data_size = DPAA2_ETH_SWA_SIZE; + buf_layout.pass_timestamp = true; +@@ -3121,7 +3126,7 @@ static int bind_dpni(struct dpaa2_eth_pr + pools_params.num_dpbp = 1; + pools_params.pools[0].dpbp_id = priv->dpbp_dev->obj_desc.id; + pools_params.pools[0].backup_pool = 0; +- pools_params.pools[0].buffer_size = DPAA2_ETH_RX_BUF_SIZE; ++ pools_params.pools[0].buffer_size = priv->rx_buf_size; + err = dpni_set_pools(priv->mc_io, 0, priv->mc_token, &pools_params); + if (err) { + dev_err(dev, "dpni_set_pools() failed\n"); +--- a/drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.h ++++ b/drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.h +@@ -382,6 +382,7 @@ struct dpaa2_eth_priv { + u16 tx_data_offset; + + struct fsl_mc_device *dpbp_dev; ++ u16 rx_buf_size; + u16 bpid; + struct iommu_domain *iommu_domain; + diff --git a/queue-5.6/hinic-fix-a-bug-of-ndo_stop.patch b/queue-5.6/hinic-fix-a-bug-of-ndo_stop.patch new file mode 100644 index 00000000000..9b95821603e --- /dev/null +++ b/queue-5.6/hinic-fix-a-bug-of-ndo_stop.patch @@ -0,0 +1,119 @@ +From foo@baz Sat 16 May 2020 02:04:40 PM CEST +From: Luo bin +Date: Sun, 10 May 2020 19:01:08 +0000 +Subject: hinic: fix a bug of ndo_stop + +From: Luo bin + +[ Upstream commit e8a1b0efd632d1c9db7d4e93da66377c7b524862 ] + +if some function in ndo_stop interface returns failure because of +hardware fault, must go on excuting rest steps rather than return +failure directly, otherwise will cause memory leak.And bump the +timeout for SET_FUNC_STATE to ensure that cmd won't return failure +when hw is busy. Otherwise hw may stomp host memory if we free +memory regardless of the return value of SET_FUNC_STATE. + +Fixes: 51ba902a16e6 ("net-next/hinic: Initialize hw interface") +Signed-off-by: Luo bin +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/huawei/hinic/hinic_hw_mgmt.c | 16 ++++++++++++---- + drivers/net/ethernet/huawei/hinic/hinic_main.c | 18 +++--------------- + 2 files changed, 15 insertions(+), 19 deletions(-) + +--- a/drivers/net/ethernet/huawei/hinic/hinic_hw_mgmt.c ++++ b/drivers/net/ethernet/huawei/hinic/hinic_hw_mgmt.c +@@ -45,6 +45,8 @@ + + #define MGMT_MSG_TIMEOUT 5000 + ++#define SET_FUNC_PORT_MGMT_TIMEOUT 25000 ++ + #define mgmt_to_pfhwdev(pf_mgmt) \ + container_of(pf_mgmt, struct hinic_pfhwdev, pf_to_mgmt) + +@@ -238,12 +240,13 @@ static int msg_to_mgmt_sync(struct hinic + u8 *buf_in, u16 in_size, + u8 *buf_out, u16 *out_size, + enum mgmt_direction_type direction, +- u16 resp_msg_id) ++ u16 resp_msg_id, u32 timeout) + { + struct hinic_hwif *hwif = pf_to_mgmt->hwif; + struct pci_dev *pdev = hwif->pdev; + struct hinic_recv_msg *recv_msg; + struct completion *recv_done; ++ unsigned long timeo; + u16 msg_id; + int err; + +@@ -267,8 +270,9 @@ static int msg_to_mgmt_sync(struct hinic + goto unlock_sync_msg; + } + +- if (!wait_for_completion_timeout(recv_done, +- msecs_to_jiffies(MGMT_MSG_TIMEOUT))) { ++ timeo = msecs_to_jiffies(timeout ? timeout : MGMT_MSG_TIMEOUT); ++ ++ if (!wait_for_completion_timeout(recv_done, timeo)) { + dev_err(&pdev->dev, "MGMT timeout, MSG id = %d\n", msg_id); + err = -ETIMEDOUT; + goto unlock_sync_msg; +@@ -342,6 +346,7 @@ int hinic_msg_to_mgmt(struct hinic_pf_to + { + struct hinic_hwif *hwif = pf_to_mgmt->hwif; + struct pci_dev *pdev = hwif->pdev; ++ u32 timeout = 0; + + if (sync != HINIC_MGMT_MSG_SYNC) { + dev_err(&pdev->dev, "Invalid MGMT msg type\n"); +@@ -353,9 +358,12 @@ int hinic_msg_to_mgmt(struct hinic_pf_to + return -EINVAL; + } + ++ if (cmd == HINIC_PORT_CMD_SET_FUNC_STATE) ++ timeout = SET_FUNC_PORT_MGMT_TIMEOUT; ++ + return msg_to_mgmt_sync(pf_to_mgmt, mod, cmd, buf_in, in_size, + buf_out, out_size, MGMT_DIRECT_SEND, +- MSG_NOT_RESP); ++ MSG_NOT_RESP, timeout); + } + + /** +--- a/drivers/net/ethernet/huawei/hinic/hinic_main.c ++++ b/drivers/net/ethernet/huawei/hinic/hinic_main.c +@@ -483,7 +483,6 @@ static int hinic_close(struct net_device + { + struct hinic_dev *nic_dev = netdev_priv(netdev); + unsigned int flags; +- int err; + + down(&nic_dev->mgmt_lock); + +@@ -497,20 +496,9 @@ static int hinic_close(struct net_device + + up(&nic_dev->mgmt_lock); + +- err = hinic_port_set_func_state(nic_dev, HINIC_FUNC_PORT_DISABLE); +- if (err) { +- netif_err(nic_dev, drv, netdev, +- "Failed to set func port state\n"); +- nic_dev->flags |= (flags & HINIC_INTF_UP); +- return err; +- } +- +- err = hinic_port_set_state(nic_dev, HINIC_PORT_DISABLE); +- if (err) { +- netif_err(nic_dev, drv, netdev, "Failed to set port state\n"); +- nic_dev->flags |= (flags & HINIC_INTF_UP); +- return err; +- } ++ hinic_port_set_state(nic_dev, HINIC_PORT_DISABLE); ++ ++ hinic_port_set_func_state(nic_dev, HINIC_FUNC_PORT_DISABLE); + + if (nic_dev->flags & HINIC_RSS_ENABLE) { + hinic_rss_deinit(nic_dev); diff --git a/queue-5.6/mptcp-set-correct-vfs-info-for-subflows.patch b/queue-5.6/mptcp-set-correct-vfs-info-for-subflows.patch new file mode 100644 index 00000000000..2cdb3efa737 --- /dev/null +++ b/queue-5.6/mptcp-set-correct-vfs-info-for-subflows.patch @@ -0,0 +1,53 @@ +From foo@baz Sat 16 May 2020 02:04:40 PM CEST +From: Paolo Abeni +Date: Thu, 7 May 2020 18:53:24 +0200 +Subject: mptcp: set correct vfs info for subflows + +From: Paolo Abeni + +[ Upstream commit 7d14b0d2b9b317cfc14161143e2006b95a5da9b1 ] + +When a subflow is created via mptcp_subflow_create_socket(), +a new 'struct socket' is allocated, with a new i_ino value. + +When inspecting TCP sockets via the procfs and or the diag +interface, the above ones are not related to the process owning +the MPTCP master socket, even if they are a logical part of it +('ss -p' shows an empty process field) + +Additionally, subflows created by the path manager get +the uid/gid from the running workqueue. + +Subflows are part of the owning MPTCP master socket, let's +adjust the vfs info to reflect this. + +After this patch, 'ss' correctly displays subflows as belonging +to the msk socket creator. + +Fixes: 2303f994b3e1 ("mptcp: Associate MPTCP context with TCP socket") +Signed-off-by: Paolo Abeni +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/mptcp/subflow.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +--- a/net/mptcp/subflow.c ++++ b/net/mptcp/subflow.c +@@ -633,6 +633,16 @@ int mptcp_subflow_create_socket(struct s + if (err) + return err; + ++ /* the newly created socket really belongs to the owning MPTCP master ++ * socket, even if for additional subflows the allocation is performed ++ * by a kernel workqueue. Adjust inode references, so that the ++ * procfs/diag interaces really show this one belonging to the correct ++ * user. ++ */ ++ SOCK_INODE(sf)->i_ino = SOCK_INODE(sk->sk_socket)->i_ino; ++ SOCK_INODE(sf)->i_uid = SOCK_INODE(sk->sk_socket)->i_uid; ++ SOCK_INODE(sf)->i_gid = SOCK_INODE(sk->sk_socket)->i_gid; ++ + subflow = mptcp_subflow_ctx(sf->sk); + pr_debug("subflow=%p", subflow); + diff --git a/queue-5.6/net-broadcom-select-broadcom_phy-for-bcmgenet.patch b/queue-5.6/net-broadcom-select-broadcom_phy-for-bcmgenet.patch new file mode 100644 index 00000000000..cd4967e2d52 --- /dev/null +++ b/queue-5.6/net-broadcom-select-broadcom_phy-for-bcmgenet.patch @@ -0,0 +1,34 @@ +From foo@baz Sat 16 May 2020 02:04:40 PM CEST +From: Florian Fainelli +Date: Wed, 13 May 2020 08:51:51 -0700 +Subject: net: broadcom: Select BROADCOM_PHY for BCMGENET + +From: Florian Fainelli + +[ Upstream commit 99addbe31f5524494f4d7077bcb3f6fa64c5d160 ] + +The GENET controller on the Raspberry Pi 4 (2711) is typically +interfaced with an external Broadcom PHY via a RGMII electrical +interface. To make sure that delays are properly configured at the PHY +side, ensure that we the dedicated Broadcom PHY driver +(CONFIG_BROADCOM_PHY) is enabled for this to happen. + +Fixes: 402482a6a78e ("net: bcmgenet: Clear ID_MODE_DIS in EXT_RGMII_OOB_CTRL when not needed") +Reported-by: Marek Szyprowski +Signed-off-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/broadcom/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/ethernet/broadcom/Kconfig ++++ b/drivers/net/ethernet/broadcom/Kconfig +@@ -69,6 +69,7 @@ config BCMGENET + select BCM7XXX_PHY + select MDIO_BCM_UNIMAC + select DIMLIB ++ select BROADCOM_PHY if ARCH_BCM2835 + help + This driver supports the built-in Ethernet MACs found in the + Broadcom BCM7xxx Set Top Box family chipset. diff --git a/queue-5.6/net-dsa-loop-add-module-soft-dependency.patch b/queue-5.6/net-dsa-loop-add-module-soft-dependency.patch new file mode 100644 index 00000000000..32da569aaff --- /dev/null +++ b/queue-5.6/net-dsa-loop-add-module-soft-dependency.patch @@ -0,0 +1,32 @@ +From foo@baz Sat 16 May 2020 02:04:40 PM CEST +From: Florian Fainelli +Date: Sat, 9 May 2020 16:45:44 -0700 +Subject: net: dsa: loop: Add module soft dependency + +From: Florian Fainelli + +[ Upstream commit 3047211ca11bf77b3ecbce045c0aa544d934b945 ] + +There is a soft dependency against dsa_loop_bdinfo.ko which sets up the +MDIO device registration, since there are no symbols referenced by +dsa_loop.ko, there is no automatic loading of dsa_loop_bdinfo.ko which +is needed. + +Fixes: 98cd1552ea27 ("net: dsa: Mock-up driver") +Signed-off-by: Florian Fainelli +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/dsa/dsa_loop.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/dsa/dsa_loop.c ++++ b/drivers/net/dsa/dsa_loop.c +@@ -360,6 +360,7 @@ static void __exit dsa_loop_exit(void) + } + module_exit(dsa_loop_exit); + ++MODULE_SOFTDEP("pre: dsa_loop_bdinfo"); + MODULE_LICENSE("GPL"); + MODULE_AUTHOR("Florian Fainelli"); + MODULE_DESCRIPTION("DSA loopback driver"); diff --git a/queue-5.6/net-fix-a-potential-recursive-netdev_feat_change.patch b/queue-5.6/net-fix-a-potential-recursive-netdev_feat_change.patch new file mode 100644 index 00000000000..69c7c1055ce --- /dev/null +++ b/queue-5.6/net-fix-a-potential-recursive-netdev_feat_change.patch @@ -0,0 +1,66 @@ +From foo@baz Sat 16 May 2020 02:04:40 PM CEST +From: Cong Wang +Date: Thu, 7 May 2020 12:19:03 -0700 +Subject: net: fix a potential recursive NETDEV_FEAT_CHANGE + +From: Cong Wang + +[ Upstream commit dd912306ff008891c82cd9f63e8181e47a9cb2fb ] + +syzbot managed to trigger a recursive NETDEV_FEAT_CHANGE event +between bonding master and slave. I managed to find a reproducer +for this: + + ip li set bond0 up + ifenslave bond0 eth0 + brctl addbr br0 + ethtool -K eth0 lro off + brctl addif br0 bond0 + ip li set br0 up + +When a NETDEV_FEAT_CHANGE event is triggered on a bonding slave, +it captures this and calls bond_compute_features() to fixup its +master's and other slaves' features. However, when syncing with +its lower devices by netdev_sync_lower_features() this event is +triggered again on slaves when the LRO feature fails to change, +so it goes back and forth recursively until the kernel stack is +exhausted. + +Commit 17b85d29e82c intentionally lets __netdev_update_features() +return -1 for such a failure case, so we have to just rely on +the existing check inside netdev_sync_lower_features() and skip +NETDEV_FEAT_CHANGE event only for this specific failure case. + +Fixes: fd867d51f889 ("net/core: generic support for disabling netdev features down stack") +Reported-by: syzbot+e73ceacfd8560cc8a3ca@syzkaller.appspotmail.com +Reported-by: syzbot+c2fb6f9ddcea95ba49b5@syzkaller.appspotmail.com +Cc: Jarod Wilson +Cc: Nikolay Aleksandrov +Cc: Josh Poimboeuf +Cc: Jann Horn +Reviewed-by: Jay Vosburgh +Signed-off-by: Cong Wang +Acked-by: Nikolay Aleksandrov +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/core/dev.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -8890,11 +8890,13 @@ static void netdev_sync_lower_features(s + netdev_dbg(upper, "Disabling feature %pNF on lower dev %s.\n", + &feature, lower->name); + lower->wanted_features &= ~feature; +- netdev_update_features(lower); ++ __netdev_update_features(lower); + + if (unlikely(lower->features & feature)) + netdev_WARN(upper, "failed to disable %pNF on %s!\n", + &feature, lower->name); ++ else ++ netdev_features_change(lower); + } + } + } diff --git a/queue-5.6/net-ipv4-really-enforce-backoff-for-redirects.patch b/queue-5.6/net-ipv4-really-enforce-backoff-for-redirects.patch new file mode 100644 index 00000000000..9ff64e1dc20 --- /dev/null +++ b/queue-5.6/net-ipv4-really-enforce-backoff-for-redirects.patch @@ -0,0 +1,48 @@ +From foo@baz Sat 16 May 2020 02:04:40 PM CEST +From: Paolo Abeni +Date: Fri, 8 May 2020 19:28:34 +0200 +Subject: net: ipv4: really enforce backoff for redirects + +From: Paolo Abeni + +[ Upstream commit 57644431a6c2faac5d754ebd35780cf43a531b1a ] + +In commit b406472b5ad7 ("net: ipv4: avoid mixed n_redirects and +rate_tokens usage") I missed the fact that a 0 'rate_tokens' will +bypass the backoff algorithm. + +Since rate_tokens is cleared after a redirect silence, and never +incremented on redirects, if the host keeps receiving packets +requiring redirect it will reply ignoring the backoff. + +Additionally, the 'rate_last' field will be updated with the +cadence of the ingress packet requiring redirect. If that rate is +high enough, that will prevent the host from generating any +other kind of ICMP messages + +The check for a zero 'rate_tokens' value was likely a shortcut +to avoid the more complex backoff algorithm after a redirect +silence period. Address the issue checking for 'n_redirects' +instead, which is incremented on successful redirect, and +does not interfere with other ICMP replies. + +Fixes: b406472b5ad7 ("net: ipv4: avoid mixed n_redirects and rate_tokens usage") +Reported-and-tested-by: Colin Walters +Signed-off-by: Paolo Abeni +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/route.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/ipv4/route.c ++++ b/net/ipv4/route.c +@@ -915,7 +915,7 @@ void ip_rt_send_redirect(struct sk_buff + /* Check for load limit; set rate_last to the latest sent + * redirect. + */ +- if (peer->rate_tokens == 0 || ++ if (peer->n_redirects == 0 || + time_after(jiffies, + (peer->rate_last + + (ip_rt_redirect_load << peer->n_redirects)))) { diff --git a/queue-5.6/net-mscc-ocelot-ana_autoage_age_period-holds-a-value.patch b/queue-5.6/net-mscc-ocelot-ana_autoage_age_period-holds-a-value.patch index 3406e4d87f5..b76c12d511a 100644 --- a/queue-5.6/net-mscc-ocelot-ana_autoage_age_period-holds-a-value.patch +++ b/queue-5.6/net-mscc-ocelot-ana_autoage_age_period-holds-a-value.patch @@ -20,14 +20,12 @@ Reviewed-by: Florian Faineli Signed-off-by: David S. Miller Signed-off-by: Sasha Levin --- - drivers/net/ethernet/mscc/ocelot.c | 11 +++++++++-- + drivers/net/ethernet/mscc/ocelot.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) -diff --git a/drivers/net/ethernet/mscc/ocelot.c b/drivers/net/ethernet/mscc/ocelot.c -index 33ef8690eafe9..419e2ce2eac07 100644 --- a/drivers/net/ethernet/mscc/ocelot.c +++ b/drivers/net/ethernet/mscc/ocelot.c -@@ -1444,8 +1444,15 @@ static void ocelot_port_attr_stp_state_set(struct ocelot *ocelot, int port, +@@ -1444,8 +1444,15 @@ static void ocelot_port_attr_stp_state_s void ocelot_set_ageing_time(struct ocelot *ocelot, unsigned int msecs) { @@ -45,6 +43,3 @@ index 33ef8690eafe9..419e2ce2eac07 100644 } EXPORT_SYMBOL(ocelot_set_ageing_time); --- -2.20.1 - diff --git a/queue-5.6/net-phy-fix-aneg-restart-in-phy_ethtool_set_eee.patch b/queue-5.6/net-phy-fix-aneg-restart-in-phy_ethtool_set_eee.patch new file mode 100644 index 00000000000..cf269a8012b --- /dev/null +++ b/queue-5.6/net-phy-fix-aneg-restart-in-phy_ethtool_set_eee.patch @@ -0,0 +1,39 @@ +From foo@baz Sat 16 May 2020 02:04:40 PM CEST +From: Heiner Kallweit +Date: Tue, 12 May 2020 21:45:53 +0200 +Subject: net: phy: fix aneg restart in phy_ethtool_set_eee + +From: Heiner Kallweit + +[ Upstream commit 9de5d235b60a7cdfcdd5461e70c5663e713fde87 ] + +phy_restart_aneg() enables aneg in the PHY. That's not what we want +if phydev->autoneg is disabled. In this case still update EEE +advertisement register, but don't enable aneg and don't trigger an +aneg restart. + +Fixes: f75abeb8338e ("net: phy: restart phy autonegotiation after EEE advertisment change") +Signed-off-by: Heiner Kallweit +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/phy/phy.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +--- a/drivers/net/phy/phy.c ++++ b/drivers/net/phy/phy.c +@@ -1132,9 +1132,11 @@ int phy_ethtool_set_eee(struct phy_devic + /* Restart autonegotiation so the new modes get sent to the + * link partner. + */ +- ret = phy_restart_aneg(phydev); +- if (ret < 0) +- return ret; ++ if (phydev->autoneg == AUTONEG_ENABLE) { ++ ret = phy_restart_aneg(phydev); ++ if (ret < 0) ++ return ret; ++ } + } + + return 0; diff --git a/queue-5.6/net-stmmac-fix-num_por-initialization.patch b/queue-5.6/net-stmmac-fix-num_por-initialization.patch new file mode 100644 index 00000000000..7028db8cf7b --- /dev/null +++ b/queue-5.6/net-stmmac-fix-num_por-initialization.patch @@ -0,0 +1,78 @@ +From foo@baz Sat 16 May 2020 02:04:40 PM CEST +From: Vinod Koul +Date: Thu, 14 May 2020 11:58:36 +0530 +Subject: net: stmmac: fix num_por initialization + +From: Vinod Koul + +[ Upstream commit fd4a5177382230d39e0d95632d98103fb2938383 ] + +Driver missed initializing num_por which is one of the por values that +driver configures to hardware. In order to get these values, add a new +structure ethqos_emac_driver_data which holds por and num_por values +and populate that in driver probe. + +Fixes: a7c30e62d4b8 ("net: stmmac: Add driver for Qualcomm ethqos") +Reported-by: Rahul Ankushrao Kawadgave +Signed-off-by: Vinod Koul +Reviewed-by: Amit Kucheria +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/stmicro/stmmac/dwmac-qcom-ethqos.c | 17 ++++++++++++++-- + 1 file changed, 15 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/stmicro/stmmac/dwmac-qcom-ethqos.c ++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac-qcom-ethqos.c +@@ -75,6 +75,11 @@ struct ethqos_emac_por { + unsigned int value; + }; + ++struct ethqos_emac_driver_data { ++ const struct ethqos_emac_por *por; ++ unsigned int num_por; ++}; ++ + struct qcom_ethqos { + struct platform_device *pdev; + void __iomem *rgmii_base; +@@ -171,6 +176,11 @@ static const struct ethqos_emac_por emac + { .offset = RGMII_IO_MACRO_CONFIG2, .value = 0x00002060 }, + }; + ++static const struct ethqos_emac_driver_data emac_v2_3_0_data = { ++ .por = emac_v2_3_0_por, ++ .num_por = ARRAY_SIZE(emac_v2_3_0_por), ++}; ++ + static int ethqos_dll_configure(struct qcom_ethqos *ethqos) + { + unsigned int val; +@@ -442,6 +452,7 @@ static int qcom_ethqos_probe(struct plat + struct device_node *np = pdev->dev.of_node; + struct plat_stmmacenet_data *plat_dat; + struct stmmac_resources stmmac_res; ++ const struct ethqos_emac_driver_data *data; + struct qcom_ethqos *ethqos; + struct resource *res; + int ret; +@@ -471,7 +482,9 @@ static int qcom_ethqos_probe(struct plat + goto err_mem; + } + +- ethqos->por = of_device_get_match_data(&pdev->dev); ++ data = of_device_get_match_data(&pdev->dev); ++ ethqos->por = data->por; ++ ethqos->num_por = data->num_por; + + ethqos->rgmii_clk = devm_clk_get(&pdev->dev, "rgmii"); + if (IS_ERR(ethqos->rgmii_clk)) { +@@ -526,7 +539,7 @@ static int qcom_ethqos_remove(struct pla + } + + static const struct of_device_id qcom_ethqos_match[] = { +- { .compatible = "qcom,qcs404-ethqos", .data = &emac_v2_3_0_por}, ++ { .compatible = "qcom,qcs404-ethqos", .data = &emac_v2_3_0_data}, + { } + }; + MODULE_DEVICE_TABLE(of, qcom_ethqos_match); diff --git a/queue-5.6/net-tcp-fix-rx-timestamp-behavior-for-tcp_recvmsg.patch b/queue-5.6/net-tcp-fix-rx-timestamp-behavior-for-tcp_recvmsg.patch new file mode 100644 index 00000000000..7d719f55439 --- /dev/null +++ b/queue-5.6/net-tcp-fix-rx-timestamp-behavior-for-tcp_recvmsg.patch @@ -0,0 +1,51 @@ +From foo@baz Sat 16 May 2020 02:04:40 PM CEST +From: Kelly Littlepage +Date: Fri, 8 May 2020 19:58:46 +0000 +Subject: net: tcp: fix rx timestamp behavior for tcp_recvmsg + +From: Kelly Littlepage + +[ Upstream commit cc4de047b33be247f9c8150d3e496743a49642b8 ] + +The stated intent of the original commit is to is to "return the timestamp +corresponding to the highest sequence number data returned." The current +implementation returns the timestamp for the last byte of the last fully +read skb, which is not necessarily the last byte in the recv buffer. This +patch converts behavior to the original definition, and to the behavior of +the previous draft versions of commit 98aaa913b4ed ("tcp: Extend +SOF_TIMESTAMPING_RX_SOFTWARE to TCP recvmsg") which also match this +behavior. + +Fixes: 98aaa913b4ed ("tcp: Extend SOF_TIMESTAMPING_RX_SOFTWARE to TCP recvmsg") +Co-developed-by: Iris Liu +Signed-off-by: Iris Liu +Signed-off-by: Kelly Littlepage +Signed-off-by: Eric Dumazet +Acked-by: Soheil Hassas Yeganeh +Acked-by: Willem de Bruijn +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/tcp.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -2163,13 +2163,15 @@ skip_copy: + tp->urg_data = 0; + tcp_fast_path_check(sk); + } +- if (used + offset < skb->len) +- continue; + + if (TCP_SKB_CB(skb)->has_rxtstamp) { + tcp_update_recv_tstamps(skb, &tss); + cmsg_flags |= 2; + } ++ ++ if (used + offset < skb->len) ++ continue; ++ + if (TCP_SKB_CB(skb)->tcp_flags & TCPHDR_FIN) + goto found_fin_ok; + if (!(flags & MSG_PEEK)) diff --git a/queue-5.6/netlabel-cope-with-null-catmap.patch b/queue-5.6/netlabel-cope-with-null-catmap.patch new file mode 100644 index 00000000000..e265f93100d --- /dev/null +++ b/queue-5.6/netlabel-cope-with-null-catmap.patch @@ -0,0 +1,84 @@ +From foo@baz Sat 16 May 2020 02:04:40 PM CEST +From: Paolo Abeni +Date: Tue, 12 May 2020 14:43:14 +0200 +Subject: netlabel: cope with NULL catmap + +From: Paolo Abeni + +[ Upstream commit eead1c2ea2509fd754c6da893a94f0e69e83ebe4 ] + +The cipso and calipso code can set the MLS_CAT attribute on +successful parsing, even if the corresponding catmap has +not been allocated, as per current configuration and external +input. + +Later, selinux code tries to access the catmap if the MLS_CAT flag +is present via netlbl_catmap_getlong(). That may cause null ptr +dereference while processing incoming network traffic. + +Address the issue setting the MLS_CAT flag only if the catmap is +really allocated. Additionally let netlbl_catmap_getlong() cope +with NULL catmap. + +Reported-by: Matthew Sheets +Fixes: 4b8feff251da ("netlabel: fix the horribly broken catmap functions") +Fixes: ceba1832b1b2 ("calipso: Set the calipso socket label to match the secattr.") +Signed-off-by: Paolo Abeni +Acked-by: Paul Moore +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/cipso_ipv4.c | 6 ++++-- + net/ipv6/calipso.c | 3 ++- + net/netlabel/netlabel_kapi.c | 6 ++++++ + 3 files changed, 12 insertions(+), 3 deletions(-) + +--- a/net/ipv4/cipso_ipv4.c ++++ b/net/ipv4/cipso_ipv4.c +@@ -1258,7 +1258,8 @@ static int cipso_v4_parsetag_rbm(const s + return ret_val; + } + +- secattr->flags |= NETLBL_SECATTR_MLS_CAT; ++ if (secattr->attr.mls.cat) ++ secattr->flags |= NETLBL_SECATTR_MLS_CAT; + } + + return 0; +@@ -1439,7 +1440,8 @@ static int cipso_v4_parsetag_rng(const s + return ret_val; + } + +- secattr->flags |= NETLBL_SECATTR_MLS_CAT; ++ if (secattr->attr.mls.cat) ++ secattr->flags |= NETLBL_SECATTR_MLS_CAT; + } + + return 0; +--- a/net/ipv6/calipso.c ++++ b/net/ipv6/calipso.c +@@ -1047,7 +1047,8 @@ static int calipso_opt_getattr(const uns + goto getattr_return; + } + +- secattr->flags |= NETLBL_SECATTR_MLS_CAT; ++ if (secattr->attr.mls.cat) ++ secattr->flags |= NETLBL_SECATTR_MLS_CAT; + } + + secattr->type = NETLBL_NLTYPE_CALIPSO; +--- a/net/netlabel/netlabel_kapi.c ++++ b/net/netlabel/netlabel_kapi.c +@@ -734,6 +734,12 @@ int netlbl_catmap_getlong(struct netlbl_ + if ((off & (BITS_PER_LONG - 1)) != 0) + return -EINVAL; + ++ /* a null catmap is equivalent to an empty one */ ++ if (!catmap) { ++ *offset = (u32)-1; ++ return 0; ++ } ++ + if (off < catmap->startbit) { + off = catmap->startbit; + *offset = off; diff --git a/queue-5.6/netprio_cgroup-fix-unlimited-memory-leak-of-v2-cgroups.patch b/queue-5.6/netprio_cgroup-fix-unlimited-memory-leak-of-v2-cgroups.patch new file mode 100644 index 00000000000..30cc3417970 --- /dev/null +++ b/queue-5.6/netprio_cgroup-fix-unlimited-memory-leak-of-v2-cgroups.patch @@ -0,0 +1,50 @@ +From foo@baz Sat 16 May 2020 02:04:40 PM CEST +From: Zefan Li +Date: Sat, 9 May 2020 11:32:10 +0800 +Subject: netprio_cgroup: Fix unlimited memory leak of v2 cgroups + +From: Zefan Li + +[ Upstream commit 090e28b229af92dc5b40786ca673999d59e73056 ] + +If systemd is configured to use hybrid mode which enables the use of +both cgroup v1 and v2, systemd will create new cgroup on both the default +root (v2) and netprio_cgroup hierarchy (v1) for a new session and attach +task to the two cgroups. If the task does some network thing then the v2 +cgroup can never be freed after the session exited. + +One of our machines ran into OOM due to this memory leak. + +In the scenario described above when sk_alloc() is called +cgroup_sk_alloc() thought it's in v2 mode, so it stores +the cgroup pointer in sk->sk_cgrp_data and increments +the cgroup refcnt, but then sock_update_netprioidx() +thought it's in v1 mode, so it stores netprioidx value +in sk->sk_cgrp_data, so the cgroup refcnt will never be freed. + +Currently we do the mode switch when someone writes to the ifpriomap +cgroup control file. The easiest fix is to also do the switch when +a task is attached to a new cgroup. + +Fixes: bd1060a1d671 ("sock, cgroup: add sock->sk_cgroup") +Reported-by: Yang Yingliang +Tested-by: Yang Yingliang +Signed-off-by: Zefan Li +Acked-by: Tejun Heo +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/core/netprio_cgroup.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/net/core/netprio_cgroup.c ++++ b/net/core/netprio_cgroup.c +@@ -236,6 +236,8 @@ static void net_prio_attach(struct cgrou + struct task_struct *p; + struct cgroup_subsys_state *css; + ++ cgroup_sk_alloc_disable(); ++ + cgroup_taskset_for_each(p, css, tset) { + void *v = (void *)(unsigned long)css->id; + diff --git a/queue-5.6/nfp-abm-fix-error-return-code-in-nfp_abm_vnic_alloc.patch b/queue-5.6/nfp-abm-fix-error-return-code-in-nfp_abm_vnic_alloc.patch new file mode 100644 index 00000000000..bfcc09549df --- /dev/null +++ b/queue-5.6/nfp-abm-fix-error-return-code-in-nfp_abm_vnic_alloc.patch @@ -0,0 +1,35 @@ +From foo@baz Sat 16 May 2020 02:04:40 PM CEST +From: Wei Yongjun +Date: Fri, 8 May 2020 07:27:35 +0000 +Subject: nfp: abm: fix error return code in nfp_abm_vnic_alloc() + +From: Wei Yongjun + +[ Upstream commit 5099dea0a59f1c89525bb0ceac36689178a4c125 ] + +Fix to return negative error code -ENOMEM from the kzalloc() error +handling case instead of 0, as done elsewhere in this function. + +Fixes: 174ab544e3bc ("nfp: abm: add cls_u32 offload for simple band classification") +Reported-by: Hulk Robot +Signed-off-by: Wei Yongjun +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/netronome/nfp/abm/main.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/netronome/nfp/abm/main.c ++++ b/drivers/net/ethernet/netronome/nfp/abm/main.c +@@ -333,8 +333,10 @@ nfp_abm_vnic_alloc(struct nfp_app *app, + goto err_free_alink; + + alink->prio_map = kzalloc(abm->prio_map_len, GFP_KERNEL); +- if (!alink->prio_map) ++ if (!alink->prio_map) { ++ err = -ENOMEM; + goto err_free_alink; ++ } + + /* This is a multi-host app, make sure MAC/PHY is up, but don't + * make the MAC/PHY state follow the state of any of the ports. diff --git a/queue-5.6/pppoe-only-process-padt-targeted-at-local-interfaces.patch b/queue-5.6/pppoe-only-process-padt-targeted-at-local-interfaces.patch new file mode 100644 index 00000000000..b1348fa1ca7 --- /dev/null +++ b/queue-5.6/pppoe-only-process-padt-targeted-at-local-interfaces.patch @@ -0,0 +1,35 @@ +From foo@baz Sat 16 May 2020 02:04:40 PM CEST +From: Guillaume Nault +Date: Thu, 14 May 2020 12:15:39 +0200 +Subject: pppoe: only process PADT targeted at local interfaces + +From: Guillaume Nault + +[ Upstream commit b8c158395119be62294da73646a3953c29ac974b ] + +We don't want to disconnect a session because of a stray PADT arriving +while the interface is in promiscuous mode. +Furthermore, multicast and broadcast packets make no sense here, so +only PACKET_HOST is accepted. + +Reported-by: David Balažic +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Guillaume Nault +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ppp/pppoe.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/net/ppp/pppoe.c ++++ b/drivers/net/ppp/pppoe.c +@@ -490,6 +490,9 @@ static int pppoe_disc_rcv(struct sk_buff + if (!skb) + goto out; + ++ if (skb->pkt_type != PACKET_HOST) ++ goto abort; ++ + if (!pskb_may_pull(skb, sizeof(struct pppoe_hdr))) + goto abort; + diff --git a/queue-5.6/r8169-re-establish-support-for-rtl8401-chip-version.patch b/queue-5.6/r8169-re-establish-support-for-rtl8401-chip-version.patch new file mode 100644 index 00000000000..1d60a9f33f9 --- /dev/null +++ b/queue-5.6/r8169-re-establish-support-for-rtl8401-chip-version.patch @@ -0,0 +1,35 @@ +From foo@baz Sat 16 May 2020 02:04:40 PM CEST +From: Heiner Kallweit +Date: Fri, 8 May 2020 08:24:14 +0200 +Subject: r8169: re-establish support for RTL8401 chip version + +From: Heiner Kallweit + +[ Upstream commit 1f8492df081bd66255764f3ce82ba1b2c37def49 ] + +r8169 never had native support for the RTL8401, however it reportedly +worked with the fallback to RTL8101e [0]. Therefore let's add this +as an explicit assignment. + +[0] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=956868 + +Fixes: b4cc2dcc9c7c ("r8169: remove default chip versions") +Reported-by: Camaleón +Signed-off-by: Heiner Kallweit +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/realtek/r8169_main.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/net/ethernet/realtek/r8169_main.c ++++ b/drivers/net/ethernet/realtek/r8169_main.c +@@ -2127,6 +2127,8 @@ static void rtl8169_get_mac_version(stru + { 0x7cf, 0x348, RTL_GIGA_MAC_VER_07 }, + { 0x7cf, 0x248, RTL_GIGA_MAC_VER_07 }, + { 0x7cf, 0x340, RTL_GIGA_MAC_VER_13 }, ++ /* RTL8401, reportedly works if treated as RTL8101e */ ++ { 0x7cf, 0x240, RTL_GIGA_MAC_VER_13 }, + { 0x7cf, 0x343, RTL_GIGA_MAC_VER_10 }, + { 0x7cf, 0x342, RTL_GIGA_MAC_VER_16 }, + { 0x7c8, 0x348, RTL_GIGA_MAC_VER_09 }, diff --git a/queue-5.6/revert-ipv6-add-mtu-lock-check-in-__ip6_rt_update_pmtu.patch b/queue-5.6/revert-ipv6-add-mtu-lock-check-in-__ip6_rt_update_pmtu.patch new file mode 100644 index 00000000000..0487129f061 --- /dev/null +++ b/queue-5.6/revert-ipv6-add-mtu-lock-check-in-__ip6_rt_update_pmtu.patch @@ -0,0 +1,63 @@ +From foo@baz Sat 16 May 2020 02:04:40 PM CEST +From: "Maciej Å»enczykowski" +Date: Tue, 5 May 2020 11:57:23 -0700 +Subject: Revert "ipv6: add mtu lock check in __ip6_rt_update_pmtu" + +From: "Maciej Å»enczykowski" + +[ Upstream commit 09454fd0a4ce23cb3d8af65066c91a1bf27120dd ] + +This reverts commit 19bda36c4299ce3d7e5bce10bebe01764a655a6d: + +| ipv6: add mtu lock check in __ip6_rt_update_pmtu +| +| Prior to this patch, ipv6 didn't do mtu lock check in ip6_update_pmtu. +| It leaded to that mtu lock doesn't really work when receiving the pkt +| of ICMPV6_PKT_TOOBIG. +| +| This patch is to add mtu lock check in __ip6_rt_update_pmtu just as ipv4 +| did in __ip_rt_update_pmtu. + +The above reasoning is incorrect. IPv6 *requires* icmp based pmtu to work. +There's already a comment to this effect elsewhere in the kernel: + + $ git grep -p -B1 -A3 'RTAX_MTU lock' + net/ipv6/route.c=4813= + + static int rt6_mtu_change_route(struct fib6_info *f6i, void *p_arg) + ... + /* In IPv6 pmtu discovery is not optional, + so that RTAX_MTU lock cannot disable it. + We still use this lock to block changes + caused by addrconf/ndisc. + */ + +This reverts to the pre-4.9 behaviour. + +Cc: Eric Dumazet +Cc: Willem de Bruijn +Cc: Xin Long +Cc: Hannes Frederic Sowa +Signed-off-by: Maciej Å»enczykowski +Fixes: 19bda36c4299 ("ipv6: add mtu lock check in __ip6_rt_update_pmtu") +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/route.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/net/ipv6/route.c ++++ b/net/ipv6/route.c +@@ -2725,8 +2725,10 @@ static void __ip6_rt_update_pmtu(struct + const struct in6_addr *daddr, *saddr; + struct rt6_info *rt6 = (struct rt6_info *)dst; + +- if (dst_metric_locked(dst, RTAX_MTU)) +- return; ++ /* Note: do *NOT* check dst_metric_locked(dst, RTAX_MTU) ++ * IPv6 pmtu discovery isn't optional, so 'mtu lock' cannot disable it. ++ * [see also comment in rt6_mtu_change_route()] ++ */ + + if (iph) { + daddr = &iph->daddr; diff --git a/queue-5.6/series b/queue-5.6/series index c47027b8693..9e187e452c7 100644 --- a/queue-5.6/series +++ b/queue-5.6/series @@ -27,3 +27,24 @@ iommu-amd-update-device-table-in-increase_address_sp.patch net-dsa-ocelot-the-mac-table-on-felix-is-twice-as-la.patch net-mscc-ocelot-ana_autoage_age_period-holds-a-value.patch mmc-sdhci-acpi-add-sdhci_quirk2_broken_64_bit_dma-fo.patch +dpaa2-eth-properly-handle-buffer-size-restrictions.patch +mptcp-set-correct-vfs-info-for-subflows.patch +net-fix-a-potential-recursive-netdev_feat_change.patch +netlabel-cope-with-null-catmap.patch +net-phy-fix-aneg-restart-in-phy_ethtool_set_eee.patch +net-stmmac-fix-num_por-initialization.patch +pppoe-only-process-padt-targeted-at-local-interfaces.patch +revert-ipv6-add-mtu-lock-check-in-__ip6_rt_update_pmtu.patch +tcp-fix-error-recovery-in-tcp_zerocopy_receive.patch +tcp-fix-so_rcvlowat-hangs-with-fat-skbs.patch +virtio_net-fix-lockdep-warning-on-32-bit.patch +dpaa2-eth-prevent-array-underflow-in-update_cls_rule.patch +hinic-fix-a-bug-of-ndo_stop.patch +net-dsa-loop-add-module-soft-dependency.patch +net-ipv4-really-enforce-backoff-for-redirects.patch +netprio_cgroup-fix-unlimited-memory-leak-of-v2-cgroups.patch +net-tcp-fix-rx-timestamp-behavior-for-tcp_recvmsg.patch +nfp-abm-fix-error-return-code-in-nfp_abm_vnic_alloc.patch +r8169-re-establish-support-for-rtl8401-chip-version.patch +umh-fix-memory-leak-on-execve-failure.patch +net-broadcom-select-broadcom_phy-for-bcmgenet.patch diff --git a/queue-5.6/tcp-fix-error-recovery-in-tcp_zerocopy_receive.patch b/queue-5.6/tcp-fix-error-recovery-in-tcp_zerocopy_receive.patch new file mode 100644 index 00000000000..b9ec4f74c78 --- /dev/null +++ b/queue-5.6/tcp-fix-error-recovery-in-tcp_zerocopy_receive.patch @@ -0,0 +1,76 @@ +From foo@baz Sat 16 May 2020 02:04:40 PM CEST +From: Eric Dumazet +Date: Thu, 14 May 2020 13:58:13 -0700 +Subject: tcp: fix error recovery in tcp_zerocopy_receive() + +From: Eric Dumazet + +[ Upstream commit e776af608f692a7a647455106295fa34469e7475 ] + +If user provides wrong virtual address in TCP_ZEROCOPY_RECEIVE +operation we want to return -EINVAL error. + +But depending on zc->recv_skip_hint content, we might return +-EIO error if the socket has SOCK_DONE set. + +Make sure to return -EINVAL in this case. + +BUG: KMSAN: uninit-value in tcp_zerocopy_receive net/ipv4/tcp.c:1833 [inline] +BUG: KMSAN: uninit-value in do_tcp_getsockopt+0x4494/0x6320 net/ipv4/tcp.c:3685 +CPU: 1 PID: 625 Comm: syz-executor.0 Not tainted 5.7.0-rc4-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0x1c9/0x220 lib/dump_stack.c:118 + kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:121 + __msan_warning+0x58/0xa0 mm/kmsan/kmsan_instr.c:215 + tcp_zerocopy_receive net/ipv4/tcp.c:1833 [inline] + do_tcp_getsockopt+0x4494/0x6320 net/ipv4/tcp.c:3685 + tcp_getsockopt+0xf8/0x1f0 net/ipv4/tcp.c:3728 + sock_common_getsockopt+0x13f/0x180 net/core/sock.c:3131 + __sys_getsockopt+0x533/0x7b0 net/socket.c:2177 + __do_sys_getsockopt net/socket.c:2192 [inline] + __se_sys_getsockopt+0xe1/0x100 net/socket.c:2189 + __x64_sys_getsockopt+0x62/0x80 net/socket.c:2189 + do_syscall_64+0xb8/0x160 arch/x86/entry/common.c:297 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 +RIP: 0033:0x45c829 +Code: 0d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 +RSP: 002b:00007f1deeb72c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000037 +RAX: ffffffffffffffda RBX: 00000000004e01e0 RCX: 000000000045c829 +RDX: 0000000000000023 RSI: 0000000000000006 RDI: 0000000000000009 +RBP: 000000000078bf00 R08: 0000000020000200 R09: 0000000000000000 +R10: 00000000200001c0 R11: 0000000000000246 R12: 00000000ffffffff +R13: 00000000000001d8 R14: 00000000004d3038 R15: 00007f1deeb736d4 + +Local variable ----zc@do_tcp_getsockopt created at: + do_tcp_getsockopt+0x1a74/0x6320 net/ipv4/tcp.c:3670 + do_tcp_getsockopt+0x1a74/0x6320 net/ipv4/tcp.c:3670 + +Fixes: 05255b823a61 ("tcp: add TCP_ZEROCOPY_RECEIVE support for zerocopy receive") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Acked-by: Soheil Hassas Yeganeh +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/tcp.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -1756,10 +1756,11 @@ static int tcp_zerocopy_receive(struct s + + down_read(¤t->mm->mmap_sem); + +- ret = -EINVAL; + vma = find_vma(current->mm, address); +- if (!vma || vma->vm_start > address || vma->vm_ops != &tcp_vm_ops) +- goto out; ++ if (!vma || vma->vm_start > address || vma->vm_ops != &tcp_vm_ops) { ++ up_read(¤t->mm->mmap_sem); ++ return -EINVAL; ++ } + zc->length = min_t(unsigned long, zc->length, vma->vm_end - address); + + tp = tcp_sk(sk); diff --git a/queue-5.6/tcp-fix-so_rcvlowat-hangs-with-fat-skbs.patch b/queue-5.6/tcp-fix-so_rcvlowat-hangs-with-fat-skbs.patch new file mode 100644 index 00000000000..8129f8e5adb --- /dev/null +++ b/queue-5.6/tcp-fix-so_rcvlowat-hangs-with-fat-skbs.patch @@ -0,0 +1,95 @@ +From foo@baz Sat 16 May 2020 02:04:40 PM CEST +From: Eric Dumazet +Date: Tue, 12 May 2020 06:54:30 -0700 +Subject: tcp: fix SO_RCVLOWAT hangs with fat skbs + +From: Eric Dumazet + +[ Upstream commit 24adbc1676af4e134e709ddc7f34cf2adc2131e4 ] + +We autotune rcvbuf whenever SO_RCVLOWAT is set to account for 100% +overhead in tcp_set_rcvlowat() + +This works well when skb->len/skb->truesize ratio is bigger than 0.5 + +But if we receive packets with small MSS, we can end up in a situation +where not enough bytes are available in the receive queue to satisfy +RCVLOWAT setting. +As our sk_rcvbuf limit is hit, we send zero windows in ACK packets, +preventing remote peer from sending more data. + +Even autotuning does not help, because it only triggers at the time +user process drains the queue. If no EPOLLIN is generated, this +can not happen. + +Note poll() has a similar issue, after commit +c7004482e8dc ("tcp: Respect SO_RCVLOWAT in tcp_poll().") + +Fixes: 03f45c883c6f ("tcp: avoid extra wakeups for SO_RCVLOWAT users") +Signed-off-by: Eric Dumazet +Acked-by: Soheil Hassas Yeganeh +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/net/tcp.h | 13 +++++++++++++ + net/ipv4/tcp.c | 14 +++++++++++--- + net/ipv4/tcp_input.c | 3 ++- + 3 files changed, 26 insertions(+), 4 deletions(-) + +--- a/include/net/tcp.h ++++ b/include/net/tcp.h +@@ -1421,6 +1421,19 @@ static inline int tcp_full_space(const s + return tcp_win_from_space(sk, READ_ONCE(sk->sk_rcvbuf)); + } + ++/* We provision sk_rcvbuf around 200% of sk_rcvlowat. ++ * If 87.5 % (7/8) of the space has been consumed, we want to override ++ * SO_RCVLOWAT constraint, since we are receiving skbs with too small ++ * len/truesize ratio. ++ */ ++static inline bool tcp_rmem_pressure(const struct sock *sk) ++{ ++ int rcvbuf = READ_ONCE(sk->sk_rcvbuf); ++ int threshold = rcvbuf - (rcvbuf >> 3); ++ ++ return atomic_read(&sk->sk_rmem_alloc) > threshold; ++} ++ + extern void tcp_openreq_init_rwin(struct request_sock *req, + const struct sock *sk_listener, + const struct dst_entry *dst); +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -476,9 +476,17 @@ static void tcp_tx_timestamp(struct sock + static inline bool tcp_stream_is_readable(const struct tcp_sock *tp, + int target, struct sock *sk) + { +- return (READ_ONCE(tp->rcv_nxt) - READ_ONCE(tp->copied_seq) >= target) || +- (sk->sk_prot->stream_memory_read ? +- sk->sk_prot->stream_memory_read(sk) : false); ++ int avail = READ_ONCE(tp->rcv_nxt) - READ_ONCE(tp->copied_seq); ++ ++ if (avail > 0) { ++ if (avail >= target) ++ return true; ++ if (tcp_rmem_pressure(sk)) ++ return true; ++ } ++ if (sk->sk_prot->stream_memory_read) ++ return sk->sk_prot->stream_memory_read(sk); ++ return false; + } + + /* +--- a/net/ipv4/tcp_input.c ++++ b/net/ipv4/tcp_input.c +@@ -4761,7 +4761,8 @@ void tcp_data_ready(struct sock *sk) + const struct tcp_sock *tp = tcp_sk(sk); + int avail = tp->rcv_nxt - tp->copied_seq; + +- if (avail < sk->sk_rcvlowat && !sock_flag(sk, SOCK_DONE)) ++ if (avail < sk->sk_rcvlowat && !tcp_rmem_pressure(sk) && ++ !sock_flag(sk, SOCK_DONE)) + return; + + sk->sk_data_ready(sk); diff --git a/queue-5.6/umh-fix-memory-leak-on-execve-failure.patch b/queue-5.6/umh-fix-memory-leak-on-execve-failure.patch new file mode 100644 index 00000000000..46c7849ed3d --- /dev/null +++ b/queue-5.6/umh-fix-memory-leak-on-execve-failure.patch @@ -0,0 +1,40 @@ +From foo@baz Sat 16 May 2020 02:04:40 PM CEST +From: Vincent Minet +Date: Fri, 8 May 2020 00:14:22 +0200 +Subject: umh: fix memory leak on execve failure + +From: Vincent Minet + +[ Upstream commit db803036ada7d61d096783726f9771b3fc540370 ] + +If a UMH process created by fork_usermode_blob() fails to execute, +a pair of struct file allocated by umh_pipe_setup() will leak. + +Under normal conditions, the caller (like bpfilter) needs to manage the +lifetime of the UMH and its two pipes. But when fork_usermode_blob() +fails, the caller doesn't really have a way to know what needs to be +done. It seems better to do the cleanup ourselves in this case. + +Fixes: 449325b52b7a ("umh: introduce fork_usermode_blob() helper") +Signed-off-by: Vincent Minet +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + kernel/umh.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/kernel/umh.c ++++ b/kernel/umh.c +@@ -475,6 +475,12 @@ static void umh_clean_and_save_pid(struc + { + struct umh_info *umh_info = info->data; + ++ /* cleanup if umh_pipe_setup() was successful but exec failed */ ++ if (info->pid && info->retval) { ++ fput(umh_info->pipe_to_umh); ++ fput(umh_info->pipe_from_umh); ++ } ++ + argv_free(info->argv); + umh_info->pid = info->pid; + } diff --git a/queue-5.6/virtio_net-fix-lockdep-warning-on-32-bit.patch b/queue-5.6/virtio_net-fix-lockdep-warning-on-32-bit.patch new file mode 100644 index 00000000000..338cb7cbc59 --- /dev/null +++ b/queue-5.6/virtio_net-fix-lockdep-warning-on-32-bit.patch @@ -0,0 +1,57 @@ +From foo@baz Sat 16 May 2020 02:04:40 PM CEST +From: "Michael S. Tsirkin" +Date: Thu, 7 May 2020 03:25:56 -0400 +Subject: virtio_net: fix lockdep warning on 32 bit + +From: "Michael S. Tsirkin" + +[ Upstream commit 01c3259818a11f3cc3cd767adbae6b45849c03c1 ] + +When we fill up a receive VQ, try_fill_recv currently tries to count +kicks using a 64 bit stats counter. Turns out, on a 32 bit kernel that +uses a seqcount. sequence counts are "lock" constructs where you need to +make sure that writers are serialized. + +In turn, this means that we mustn't run two try_fill_recv concurrently. +Which of course we don't. We do run try_fill_recv sometimes from a +softirq napi context, and sometimes from a fully preemptible context, +but the later always runs with napi disabled. + +However, when it comes to the seqcount, lockdep is trying to enforce the +rule that the same lock isn't accessed from preemptible and softirq +context - it doesn't know about napi being enabled/disabled. This causes +a false-positive warning: + +WARNING: inconsistent lock state +... +inconsistent {SOFTIRQ-ON-W} -> {IN-SOFTIRQ-W} usage. + +As a work around, shut down the warning by switching +to u64_stats_update_begin_irqsave - that works by disabling +interrupts on 32 bit only, is a NOP on 64 bit. + +Reported-by: Thomas Gleixner +Suggested-by: Eric Dumazet +Signed-off-by: Michael S. Tsirkin +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/virtio_net.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/net/virtio_net.c ++++ b/drivers/net/virtio_net.c +@@ -1231,9 +1231,11 @@ static bool try_fill_recv(struct virtnet + break; + } while (rq->vq->num_free); + if (virtqueue_kick_prepare(rq->vq) && virtqueue_notify(rq->vq)) { +- u64_stats_update_begin(&rq->stats.syncp); ++ unsigned long flags; ++ ++ flags = u64_stats_update_begin_irqsave(&rq->stats.syncp); + rq->stats.kicks++; +- u64_stats_update_end(&rq->stats.syncp); ++ u64_stats_update_end_irqrestore(&rq->stats.syncp, flags); + } + + return !oom;