From: Greg Kroah-Hartman Date: Tue, 12 May 2020 08:55:23 +0000 (+0200) Subject: 5.6-stable patches X-Git-Tag: v4.19.123~48 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=3079f3c2153761cd16ff6417b4d7164995e2976a;p=thirdparty%2Fkernel%2Fstable-queue.git 5.6-stable patches added patches: bnxt_en-fix-vf-anti-spoof-filter-setup.patch bnxt_en-fix-vlan-acceleration-handling-in-bnxt_fix_features.patch bnxt_en-improve-aer-slot-reset.patch bnxt_en-reduce-bnxt_msix_vec_max-value-to-supported-cqs-per-pf.patch bnxt_en-return-error-when-allocating-zero-size-context-memory.patch cxgb4-fix-eotid-leak-when-disabling-tc-mqprio-offload.patch devlink-fix-reporter-s-recovery-condition.patch devlink-fix-return-value-after-hitting-end-in-region-read.patch dp83640-reverse-arguments-to-list_add_tail.patch fq_codel-fix-tca_fq_codel_drop_batch_size-sanity-checks.patch ipv6-use-global-sernum-for-dst-validation-with-nexthop-objects.patch mlxsw-spectrum_acl_tcam-position-vchunk-in-a-vregion-list-properly.patch neigh-send-protocol-value-in-neighbor-create-notification.patch net-bridge-vlan-add-a-schedule-point-during-vlan-processing.patch net-dsa-do-not-leave-dsa-master-with-null-netdev_ops.patch net-dsa-do-not-make-user-port-errors-fatal.patch net-enetc-fix-an-issue-about-leak-system-resources.patch net-macb-fix-an-issue-about-leak-related-system-resources.patch net-macsec-preserve-ingress-frame-ordering.patch net-mlx4_core-fix-use-of-enospc-around-mlx4_counter_alloc.patch net-mlx5-dr-on-creation-set-cq-s-arm_db-member-to-right-value.patch net-mlx5-fix-command-entry-leak-in-internal-error-state.patch net-mlx5-fix-forced-completion-access-non-initialized-command-entry.patch net-mlx5e-fix-q-counters-on-uplink-representors.patch net-mvpp2-cls-prevent-buffer-overflow-in-mvpp2_ethtool_cls_rule_del.patch net-mvpp2-prevent-buffer-overflow-in-mvpp22_rss_ctx.patch net-phy-marvell10g-fix-temperature-sensor-on-2110.patch net-stricter-validation-of-untrusted-gso-packets.patch net-tc35815-fix-phydev-supported-advertising-mask.patch net-tls-fix-sk_psock-refcnt-leak-in-bpf_exec_tx_verdict.patch net-tls-fix-sk_psock-refcnt-leak-when-in-tls_data_ready.patch net-usb-qmi_wwan-add-support-for-dw5816e.patch net_sched-sch_skbprio-add-message-validation-to-skbprio_change.patch nfp-abm-fix-a-memory-leak-bug.patch sch_choke-avoid-potential-panic-in-choke_reset.patch sch_sfq-validate-silly-quantum-values.patch selftests-net-tcp_mmap-clear-whole-tcp_zerocopy_receive-struct.patch selftests-net-tcp_mmap-fix-so_rcvlowat-setting.patch tipc-fix-partial-topology-connection-closure.patch tunnel-propagate-ect-1-when-decapsulating-as-recommended-by-rfc6040.patch wireguard-queueing-cleanup-ptr_ring-in-error-path-of-packet_queue_init.patch wireguard-receive-use-tunnel-helpers-for-decapsulating-ecn-markings.patch wireguard-send-receive-cond_resched-when-processing-worker-ringbuffers.patch wireguard-socket-remove-errant-restriction-on-looping-to-self.patch --- diff --git a/queue-5.6/bnxt_en-fix-vf-anti-spoof-filter-setup.patch b/queue-5.6/bnxt_en-fix-vf-anti-spoof-filter-setup.patch new file mode 100644 index 00000000000..856733572d2 --- /dev/null +++ b/queue-5.6/bnxt_en-fix-vf-anti-spoof-filter-setup.patch @@ -0,0 +1,96 @@ +From foo@baz Tue 12 May 2020 10:54:57 AM CEST +From: Michael Chan +Date: Sun, 26 Apr 2020 16:24:38 -0400 +Subject: bnxt_en: Fix VF anti-spoof filter setup. + +From: Michael Chan + +[ Upstream commit c71c4e49afe173823a2a85b0cabc9b3f1176ffa2 ] + +Fix the logic that sets the enable/disable flag for the source MAC +filter according to firmware spec 1.7.1. + +In the original firmware spec. before 1.7.1, the VF spoof check flags +were not latched after making the HWRM_FUNC_CFG call, so there was a +need to keep the func_flags so that subsequent calls would perserve +the VF spoof check setting. A change was made in the 1.7.1 spec +so that the flags became latched. So we now set or clear the anti- +spoof setting directly without retrieving the old settings in the +stored vf->func_flags which are no longer valid. We also remove the +unneeded vf->func_flags. + +Fixes: 8eb992e876a8 ("bnxt_en: Update firmware interface spec to 1.7.6.2.") +Signed-off-by: Michael Chan +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/broadcom/bnxt/bnxt.h | 1 - + drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c | 10 ++-------- + 2 files changed, 2 insertions(+), 9 deletions(-) + +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.h ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.h +@@ -1064,7 +1064,6 @@ struct bnxt_vf_info { + #define BNXT_VF_LINK_FORCED 0x4 + #define BNXT_VF_LINK_UP 0x8 + #define BNXT_VF_TRUST 0x10 +- u32 func_flags; /* func cfg flags */ + u32 min_tx_rate; + u32 max_tx_rate; + void *hwrm_cmd_req_addr; +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c +@@ -85,11 +85,10 @@ int bnxt_set_vf_spoofchk(struct net_devi + if (old_setting == setting) + return 0; + +- func_flags = vf->func_flags; + if (setting) +- func_flags |= FUNC_CFG_REQ_FLAGS_SRC_MAC_ADDR_CHECK_ENABLE; ++ func_flags = FUNC_CFG_REQ_FLAGS_SRC_MAC_ADDR_CHECK_ENABLE; + else +- func_flags |= FUNC_CFG_REQ_FLAGS_SRC_MAC_ADDR_CHECK_DISABLE; ++ func_flags = FUNC_CFG_REQ_FLAGS_SRC_MAC_ADDR_CHECK_DISABLE; + /*TODO: if the driver supports VLAN filter on guest VLAN, + * the spoof check should also include vlan anti-spoofing + */ +@@ -98,7 +97,6 @@ int bnxt_set_vf_spoofchk(struct net_devi + req.flags = cpu_to_le32(func_flags); + rc = hwrm_send_message(bp, &req, sizeof(req), HWRM_CMD_TIMEOUT); + if (!rc) { +- vf->func_flags = func_flags; + if (setting) + vf->flags |= BNXT_VF_SPOOFCHK; + else +@@ -230,7 +228,6 @@ int bnxt_set_vf_mac(struct net_device *d + memcpy(vf->mac_addr, mac, ETH_ALEN); + bnxt_hwrm_cmd_hdr_init(bp, &req, HWRM_FUNC_CFG, -1, -1); + req.fid = cpu_to_le16(vf->fw_fid); +- req.flags = cpu_to_le32(vf->func_flags); + req.enables = cpu_to_le32(FUNC_CFG_REQ_ENABLES_DFLT_MAC_ADDR); + memcpy(req.dflt_mac_addr, mac, ETH_ALEN); + return hwrm_send_message(bp, &req, sizeof(req), HWRM_CMD_TIMEOUT); +@@ -268,7 +265,6 @@ int bnxt_set_vf_vlan(struct net_device * + + bnxt_hwrm_cmd_hdr_init(bp, &req, HWRM_FUNC_CFG, -1, -1); + req.fid = cpu_to_le16(vf->fw_fid); +- req.flags = cpu_to_le32(vf->func_flags); + req.dflt_vlan = cpu_to_le16(vlan_tag); + req.enables = cpu_to_le32(FUNC_CFG_REQ_ENABLES_DFLT_VLAN); + rc = hwrm_send_message(bp, &req, sizeof(req), HWRM_CMD_TIMEOUT); +@@ -307,7 +303,6 @@ int bnxt_set_vf_bw(struct net_device *de + return 0; + bnxt_hwrm_cmd_hdr_init(bp, &req, HWRM_FUNC_CFG, -1, -1); + req.fid = cpu_to_le16(vf->fw_fid); +- req.flags = cpu_to_le32(vf->func_flags); + req.enables = cpu_to_le32(FUNC_CFG_REQ_ENABLES_MAX_BW); + req.max_bw = cpu_to_le32(max_tx_rate); + req.enables |= cpu_to_le32(FUNC_CFG_REQ_ENABLES_MIN_BW); +@@ -479,7 +474,6 @@ static void __bnxt_set_vf_params(struct + vf = &bp->pf.vf[vf_id]; + bnxt_hwrm_cmd_hdr_init(bp, &req, HWRM_FUNC_CFG, -1, -1); + req.fid = cpu_to_le16(vf->fw_fid); +- req.flags = cpu_to_le32(vf->func_flags); + + if (is_valid_ether_addr(vf->mac_addr)) { + req.enables |= cpu_to_le32(FUNC_CFG_REQ_ENABLES_DFLT_MAC_ADDR); diff --git a/queue-5.6/bnxt_en-fix-vlan-acceleration-handling-in-bnxt_fix_features.patch b/queue-5.6/bnxt_en-fix-vlan-acceleration-handling-in-bnxt_fix_features.patch new file mode 100644 index 00000000000..f32b11eab81 --- /dev/null +++ b/queue-5.6/bnxt_en-fix-vlan-acceleration-handling-in-bnxt_fix_features.patch @@ -0,0 +1,51 @@ +From foo@baz Tue 12 May 2020 10:54:57 AM CEST +From: Michael Chan +Date: Sun, 26 Apr 2020 16:24:42 -0400 +Subject: bnxt_en: Fix VLAN acceleration handling in bnxt_fix_features(). + +From: Michael Chan + +[ Upstream commit c72cb303aa6c2ae7e4184f0081c6d11bf03fb96b ] + +The current logic in bnxt_fix_features() will inadvertently turn on both +CTAG and STAG VLAN offload if the user tries to disable both. Fix it +by checking that the user is trying to enable CTAG or STAG before +enabling both. The logic is supposed to enable or disable both CTAG and +STAG together. + +Fixes: 5a9f6b238e59 ("bnxt_en: Enable and disable RX CTAG and RX STAG VLAN acceleration together.") +Signed-off-by: Michael Chan +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/broadcom/bnxt/bnxt.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +@@ -9794,6 +9794,7 @@ static netdev_features_t bnxt_fix_featur + netdev_features_t features) + { + struct bnxt *bp = netdev_priv(dev); ++ netdev_features_t vlan_features; + + if ((features & NETIF_F_NTUPLE) && !bnxt_rfs_capable(bp)) + features &= ~NETIF_F_NTUPLE; +@@ -9810,12 +9811,14 @@ static netdev_features_t bnxt_fix_featur + /* Both CTAG and STAG VLAN accelaration on the RX side have to be + * turned on or off together. + */ +- if ((features & (NETIF_F_HW_VLAN_CTAG_RX | NETIF_F_HW_VLAN_STAG_RX)) != +- (NETIF_F_HW_VLAN_CTAG_RX | NETIF_F_HW_VLAN_STAG_RX)) { ++ vlan_features = features & (NETIF_F_HW_VLAN_CTAG_RX | ++ NETIF_F_HW_VLAN_STAG_RX); ++ if (vlan_features != (NETIF_F_HW_VLAN_CTAG_RX | ++ NETIF_F_HW_VLAN_STAG_RX)) { + if (dev->features & NETIF_F_HW_VLAN_CTAG_RX) + features &= ~(NETIF_F_HW_VLAN_CTAG_RX | + NETIF_F_HW_VLAN_STAG_RX); +- else ++ else if (vlan_features) + features |= NETIF_F_HW_VLAN_CTAG_RX | + NETIF_F_HW_VLAN_STAG_RX; + } diff --git a/queue-5.6/bnxt_en-improve-aer-slot-reset.patch b/queue-5.6/bnxt_en-improve-aer-slot-reset.patch new file mode 100644 index 00000000000..6a5f838cd07 --- /dev/null +++ b/queue-5.6/bnxt_en-improve-aer-slot-reset.patch @@ -0,0 +1,42 @@ +From foo@baz Tue 12 May 2020 10:54:57 AM CEST +From: Michael Chan +Date: Sun, 26 Apr 2020 16:24:40 -0400 +Subject: bnxt_en: Improve AER slot reset. + +From: Michael Chan + +[ Upstream commit bae361c54fb6ac6eba3b4762f49ce14beb73ef13 ] + +Improve the slot reset sequence by disabling the device to prevent bad +DMAs if slot reset fails. Return the proper result instead of always +PCI_ERS_RESULT_RECOVERED to the caller. + +Fixes: 6316ea6db93d ("bnxt_en: Enable AER support.") +Signed-off-by: Michael Chan +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/broadcom/bnxt/bnxt.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +@@ -12173,12 +12173,15 @@ static pci_ers_result_t bnxt_io_slot_res + bnxt_ulp_start(bp, err); + } + +- if (result != PCI_ERS_RESULT_RECOVERED && netif_running(netdev)) +- dev_close(netdev); ++ if (result != PCI_ERS_RESULT_RECOVERED) { ++ if (netif_running(netdev)) ++ dev_close(netdev); ++ pci_disable_device(pdev); ++ } + + rtnl_unlock(); + +- return PCI_ERS_RESULT_RECOVERED; ++ return result; + } + + /** diff --git a/queue-5.6/bnxt_en-reduce-bnxt_msix_vec_max-value-to-supported-cqs-per-pf.patch b/queue-5.6/bnxt_en-reduce-bnxt_msix_vec_max-value-to-supported-cqs-per-pf.patch new file mode 100644 index 00000000000..63cd1e82ada --- /dev/null +++ b/queue-5.6/bnxt_en-reduce-bnxt_msix_vec_max-value-to-supported-cqs-per-pf.patch @@ -0,0 +1,35 @@ +From foo@baz Tue 12 May 2020 10:54:57 AM CEST +From: Vasundhara Volam +Date: Sun, 26 Apr 2020 16:24:39 -0400 +Subject: bnxt_en: Reduce BNXT_MSIX_VEC_MAX value to supported CQs per PF. + +From: Vasundhara Volam + +[ Upstream commit 9e68cb0359b20f99c7b070f1d3305e5e0a9fae6d ] + +Broadcom adapters support only maximum of 512 CQs per PF. If user sets +MSIx vectors more than supported CQs, firmware is setting incorrect value +for msix_vec_per_pf_max parameter. Fix it by reducing the BNXT_MSIX_VEC_MAX +value to 512, even though the maximum # of MSIx vectors supported by adapter +are 1280. + +Fixes: f399e8497826 ("bnxt_en: Use msix_vec_per_pf_max and msix_vec_per_pf_min devlink params.") +Signed-off-by: Vasundhara Volam +Signed-off-by: Michael Chan +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/broadcom/bnxt/bnxt_devlink.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_devlink.h ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_devlink.h +@@ -43,7 +43,7 @@ static inline void bnxt_link_bp_to_dl(st + #define BNXT_NVM_CFG_VER_BITS 24 + #define BNXT_NVM_CFG_VER_BYTES 4 + +-#define BNXT_MSIX_VEC_MAX 1280 ++#define BNXT_MSIX_VEC_MAX 512 + #define BNXT_MSIX_VEC_MIN_MAX 128 + + enum bnxt_nvm_dir_type { diff --git a/queue-5.6/bnxt_en-return-error-when-allocating-zero-size-context-memory.patch b/queue-5.6/bnxt_en-return-error-when-allocating-zero-size-context-memory.patch new file mode 100644 index 00000000000..db74d12c3bc --- /dev/null +++ b/queue-5.6/bnxt_en-return-error-when-allocating-zero-size-context-memory.patch @@ -0,0 +1,33 @@ +From foo@baz Tue 12 May 2020 10:54:57 AM CEST +From: Michael Chan +Date: Sun, 26 Apr 2020 16:24:41 -0400 +Subject: bnxt_en: Return error when allocating zero size context memory. + +From: Michael Chan + +[ Upstream commit bbf211b1ecb891c7e0cc7888834504183fc8b534 ] + +bnxt_alloc_ctx_pg_tbls() should return error when the memory size of the +context memory to set up is zero. By returning success (0), the caller +may proceed normally and may crash later when it tries to set up the +memory. + +Fixes: 08fe9d181606 ("bnxt_en: Add Level 2 context memory paging support.") +Signed-off-by: Michael Chan +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/broadcom/bnxt/bnxt.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +@@ -6662,7 +6662,7 @@ static int bnxt_alloc_ctx_pg_tbls(struct + int rc; + + if (!mem_size) +- return 0; ++ return -EINVAL; + + ctx_pg->nr_pages = DIV_ROUND_UP(mem_size, BNXT_PAGE_SIZE); + if (ctx_pg->nr_pages > MAX_CTX_TOTAL_PAGES) { diff --git a/queue-5.6/cxgb4-fix-eotid-leak-when-disabling-tc-mqprio-offload.patch b/queue-5.6/cxgb4-fix-eotid-leak-when-disabling-tc-mqprio-offload.patch new file mode 100644 index 00000000000..1596864a959 --- /dev/null +++ b/queue-5.6/cxgb4-fix-eotid-leak-when-disabling-tc-mqprio-offload.patch @@ -0,0 +1,89 @@ +From foo@baz Tue 12 May 2020 10:54:57 AM CEST +From: Rahul Lakkireddy +Date: Thu, 30 Apr 2020 00:22:19 +0530 +Subject: cxgb4: fix EOTID leak when disabling TC-MQPRIO offload + +From: Rahul Lakkireddy + +[ Upstream commit 69422a7e5d578aab277091f4ebb7c1b387f3e355 ] + +Under heavy load, the EOTID termination FLOWC request fails to get +enqueued to the end of the Tx ring due to lack of credits. This +results in EOTID leak. + +When disabling TC-MQPRIO offload, the link is already brought down +to cleanup EOTIDs. So, flush any pending enqueued skbs that can't be +sent outside the wire, to make room for FLOWC request. Also, move the +FLOWC descriptor consumption logic closer to when the FLOWC request is +actually posted to hardware. + +Fixes: 0e395b3cb1fb ("cxgb4: add FLOWC based QoS offload") +Signed-off-by: Rahul Lakkireddy +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/chelsio/cxgb4/sge.c | 39 ++++++++++++++++++++++++++++--- + 1 file changed, 36 insertions(+), 3 deletions(-) + +--- a/drivers/net/ethernet/chelsio/cxgb4/sge.c ++++ b/drivers/net/ethernet/chelsio/cxgb4/sge.c +@@ -2202,6 +2202,9 @@ static void ethofld_hard_xmit(struct net + if (unlikely(skip_eotx_wr)) { + start = (u64 *)wr; + eosw_txq->state = next_state; ++ eosw_txq->cred -= wrlen16; ++ eosw_txq->ncompl++; ++ eosw_txq->last_compl = 0; + goto write_wr_headers; + } + +@@ -2360,6 +2363,34 @@ netdev_tx_t t4_start_xmit(struct sk_buff + return cxgb4_eth_xmit(skb, dev); + } + ++static void eosw_txq_flush_pending_skbs(struct sge_eosw_txq *eosw_txq) ++{ ++ int pktcount = eosw_txq->pidx - eosw_txq->last_pidx; ++ int pidx = eosw_txq->pidx; ++ struct sk_buff *skb; ++ ++ if (!pktcount) ++ return; ++ ++ if (pktcount < 0) ++ pktcount += eosw_txq->ndesc; ++ ++ while (pktcount--) { ++ pidx--; ++ if (pidx < 0) ++ pidx += eosw_txq->ndesc; ++ ++ skb = eosw_txq->desc[pidx].skb; ++ if (skb) { ++ dev_consume_skb_any(skb); ++ eosw_txq->desc[pidx].skb = NULL; ++ eosw_txq->inuse--; ++ } ++ } ++ ++ eosw_txq->pidx = eosw_txq->last_pidx + 1; ++} ++ + /** + * cxgb4_ethofld_send_flowc - Send ETHOFLD flowc request to bind eotid to tc. + * @dev - netdevice +@@ -2435,9 +2466,11 @@ int cxgb4_ethofld_send_flowc(struct net_ + FW_FLOWC_MNEM_EOSTATE_CLOSING : + FW_FLOWC_MNEM_EOSTATE_ESTABLISHED); + +- eosw_txq->cred -= len16; +- eosw_txq->ncompl++; +- eosw_txq->last_compl = 0; ++ /* Free up any pending skbs to ensure there's room for ++ * termination FLOWC. ++ */ ++ if (tc == FW_SCHED_CLS_NONE) ++ eosw_txq_flush_pending_skbs(eosw_txq); + + ret = eosw_txq_enqueue(eosw_txq, skb); + if (ret) { diff --git a/queue-5.6/devlink-fix-reporter-s-recovery-condition.patch b/queue-5.6/devlink-fix-reporter-s-recovery-condition.patch new file mode 100644 index 00000000000..8a8800d0de3 --- /dev/null +++ b/queue-5.6/devlink-fix-reporter-s-recovery-condition.patch @@ -0,0 +1,49 @@ +From foo@baz Tue 12 May 2020 10:54:57 AM CEST +From: Aya Levin +Date: Mon, 4 May 2020 11:27:46 +0300 +Subject: devlink: Fix reporter's recovery condition + +From: Aya Levin + +[ Upstream commit bea0c5c942d3b4e9fb6ed45f6a7de74c6b112437 ] + +Devlink health core conditions the reporter's recovery with the +expiration of the grace period. This is not relevant for the first +recovery. Explicitly demand that the grace period will only apply to +recoveries other than the first. + +Fixes: c8e1da0bf923 ("devlink: Add health report functionality") +Signed-off-by: Aya Levin +Reviewed-by: Moshe Shemesh +Reviewed-by: Jiri Pirko +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/core/devlink.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/net/core/devlink.c ++++ b/net/core/devlink.c +@@ -5029,6 +5029,7 @@ int devlink_health_report(struct devlink + { + enum devlink_health_reporter_state prev_health_state; + struct devlink *devlink = reporter->devlink; ++ unsigned long recover_ts_threshold; + + /* write a log message of the current error */ + WARN_ON(!msg); +@@ -5039,10 +5040,12 @@ int devlink_health_report(struct devlink + devlink_recover_notify(reporter, DEVLINK_CMD_HEALTH_REPORTER_RECOVER); + + /* abort if the previous error wasn't recovered */ ++ recover_ts_threshold = reporter->last_recovery_ts + ++ msecs_to_jiffies(reporter->graceful_period); + if (reporter->auto_recover && + (prev_health_state != DEVLINK_HEALTH_REPORTER_STATE_HEALTHY || +- jiffies - reporter->last_recovery_ts < +- msecs_to_jiffies(reporter->graceful_period))) { ++ (reporter->last_recovery_ts && reporter->recovery_count && ++ time_is_after_jiffies(recover_ts_threshold)))) { + trace_devlink_health_recover_aborted(devlink, + reporter->ops->name, + reporter->health_state, diff --git a/queue-5.6/devlink-fix-return-value-after-hitting-end-in-region-read.patch b/queue-5.6/devlink-fix-return-value-after-hitting-end-in-region-read.patch new file mode 100644 index 00000000000..8b0fa3f8072 --- /dev/null +++ b/queue-5.6/devlink-fix-return-value-after-hitting-end-in-region-read.patch @@ -0,0 +1,50 @@ +From foo@baz Tue 12 May 2020 10:54:57 AM CEST +From: Jakub Kicinski +Date: Tue, 28 Apr 2020 19:01:58 -0700 +Subject: devlink: fix return value after hitting end in region read + +From: Jakub Kicinski + +[ Upstream commit 610a9346c138b9c2c93d38bf5f3728e74ae9cbd5 ] + +Commit d5b90e99e1d5 ("devlink: report 0 after hitting end in region read") +fixed region dump, but region read still returns a spurious error: + +$ devlink region read netdevsim/netdevsim1/dummy snapshot 0 addr 0 len 128 +0000000000000000 a6 f4 c4 1c 21 35 95 a6 9d 34 c3 5b 87 5b 35 79 +0000000000000010 f3 a0 d7 ee 4f 2f 82 7f c6 dd c4 f6 a5 c3 1b ae +0000000000000020 a4 fd c8 62 07 59 48 03 70 3b c7 09 86 88 7f 68 +0000000000000030 6f 45 5d 6d 7d 0e 16 38 a9 d0 7a 4b 1e 1e 2e a6 +0000000000000040 e6 1d ae 06 d6 18 00 85 ca 62 e8 7e 11 7e f6 0f +0000000000000050 79 7e f7 0f f3 94 68 bd e6 40 22 85 b6 be 6f b1 +0000000000000060 af db ef 5e 34 f0 98 4b 62 9a e3 1b 8b 93 fc 17 +devlink answers: Invalid argument +0000000000000070 61 e8 11 11 66 10 a5 f7 b1 ea 8d 40 60 53 ed 12 + +This is a minimal fix, I'll follow up with a restructuring +so we don't have two checks for the same condition. + +Fixes: fdd41ec21e15 ("devlink: Return right error code in case of errors for region read") +Signed-off-by: Jakub Kicinski +Reviewed-by: Jacob Keller +Reviewed-by: Jiri Pirko +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/core/devlink.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/net/core/devlink.c ++++ b/net/core/devlink.c +@@ -4030,6 +4030,11 @@ static int devlink_nl_cmd_region_read_du + end_offset = nla_get_u64(attrs[DEVLINK_ATTR_REGION_CHUNK_ADDR]); + end_offset += nla_get_u64(attrs[DEVLINK_ATTR_REGION_CHUNK_LEN]); + dump = false; ++ ++ if (start_offset == end_offset) { ++ err = 0; ++ goto nla_put_failure; ++ } + } + + err = devlink_nl_region_read_snapshot_fill(skb, devlink, diff --git a/queue-5.6/dp83640-reverse-arguments-to-list_add_tail.patch b/queue-5.6/dp83640-reverse-arguments-to-list_add_tail.patch new file mode 100644 index 00000000000..575eb548551 --- /dev/null +++ b/queue-5.6/dp83640-reverse-arguments-to-list_add_tail.patch @@ -0,0 +1,34 @@ +From foo@baz Tue 12 May 2020 10:54:57 AM CEST +From: Julia Lawall +Date: Thu, 30 Apr 2020 21:51:32 +0200 +Subject: dp83640: reverse arguments to list_add_tail + +From: Julia Lawall + +[ Upstream commit 865308373ed49c9fb05720d14cbf1315349b32a9 ] + +In this code, it appears that phyter_clocks is a list head, based on +the previous list_for_each, and that clock->list is intended to be a +list element, given that it has just been initialized in +dp83640_clock_init. Accordingly, switch the arguments to +list_add_tail, which takes the list head as the second argument. + +Fixes: cb646e2b02b27 ("ptp: Added a clock driver for the National Semiconductor PHYTER.") +Signed-off-by: Julia Lawall +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/phy/dp83640.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/phy/dp83640.c ++++ b/drivers/net/phy/dp83640.c +@@ -1120,7 +1120,7 @@ static struct dp83640_clock *dp83640_clo + goto out; + } + dp83640_clock_init(clock, bus); +- list_add_tail(&phyter_clocks, &clock->list); ++ list_add_tail(&clock->list, &phyter_clocks); + out: + mutex_unlock(&phyter_clocks_lock); + diff --git a/queue-5.6/fq_codel-fix-tca_fq_codel_drop_batch_size-sanity-checks.patch b/queue-5.6/fq_codel-fix-tca_fq_codel_drop_batch_size-sanity-checks.patch new file mode 100644 index 00000000000..71f6c3eadaa --- /dev/null +++ b/queue-5.6/fq_codel-fix-tca_fq_codel_drop_batch_size-sanity-checks.patch @@ -0,0 +1,32 @@ +From foo@baz Tue 12 May 2020 10:54:57 AM CEST +From: Eric Dumazet +Date: Sat, 25 Apr 2020 12:40:25 -0700 +Subject: fq_codel: fix TCA_FQ_CODEL_DROP_BATCH_SIZE sanity checks + +From: Eric Dumazet + +[ Upstream commit 14695212d4cd8b0c997f6121b6df8520038ce076 ] + +My intent was to not let users set a zero drop_batch_size, +it seems I once again messed with min()/max(). + +Fixes: 9d18562a2278 ("fq_codel: add batch ability to fq_codel_drop()") +Signed-off-by: Eric Dumazet +Acked-by: Toke Høiland-Jørgensen +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/sched/sch_fq_codel.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/sched/sch_fq_codel.c ++++ b/net/sched/sch_fq_codel.c +@@ -416,7 +416,7 @@ static int fq_codel_change(struct Qdisc + q->quantum = max(256U, nla_get_u32(tb[TCA_FQ_CODEL_QUANTUM])); + + if (tb[TCA_FQ_CODEL_DROP_BATCH_SIZE]) +- q->drop_batch_size = min(1U, nla_get_u32(tb[TCA_FQ_CODEL_DROP_BATCH_SIZE])); ++ q->drop_batch_size = max(1U, nla_get_u32(tb[TCA_FQ_CODEL_DROP_BATCH_SIZE])); + + if (tb[TCA_FQ_CODEL_MEMORY_LIMIT]) + q->memory_limit = min(1U << 31, nla_get_u32(tb[TCA_FQ_CODEL_MEMORY_LIMIT])); diff --git a/queue-5.6/ipv6-use-global-sernum-for-dst-validation-with-nexthop-objects.patch b/queue-5.6/ipv6-use-global-sernum-for-dst-validation-with-nexthop-objects.patch new file mode 100644 index 00000000000..ff235362114 --- /dev/null +++ b/queue-5.6/ipv6-use-global-sernum-for-dst-validation-with-nexthop-objects.patch @@ -0,0 +1,175 @@ +From foo@baz Tue 12 May 2020 10:54:57 AM CEST +From: David Ahern +Date: Fri, 1 May 2020 08:53:08 -0600 +Subject: ipv6: Use global sernum for dst validation with nexthop objects + +From: David Ahern + +[ Upstream commit 8f34e53b60b337e559f1ea19e2780ff95ab2fa65 ] + +Nik reported a bug with pcpu dst cache when nexthop objects are +used illustrated by the following: + $ ip netns add foo + $ ip -netns foo li set lo up + $ ip -netns foo addr add 2001:db8:11::1/128 dev lo + $ ip netns exec foo sysctl net.ipv6.conf.all.forwarding=1 + $ ip li add veth1 type veth peer name veth2 + $ ip li set veth1 up + $ ip addr add 2001:db8:10::1/64 dev veth1 + $ ip li set dev veth2 netns foo + $ ip -netns foo li set veth2 up + $ ip -netns foo addr add 2001:db8:10::2/64 dev veth2 + $ ip -6 nexthop add id 100 via 2001:db8:10::2 dev veth1 + $ ip -6 route add 2001:db8:11::1/128 nhid 100 + + Create a pcpu entry on cpu 0: + $ taskset -a -c 0 ip -6 route get 2001:db8:11::1 + + Re-add the route entry: + $ ip -6 ro del 2001:db8:11::1 + $ ip -6 route add 2001:db8:11::1/128 nhid 100 + + Route get on cpu 0 returns the stale pcpu: + $ taskset -a -c 0 ip -6 route get 2001:db8:11::1 + RTNETLINK answers: Network is unreachable + + While cpu 1 works: + $ taskset -a -c 1 ip -6 route get 2001:db8:11::1 + 2001:db8:11::1 from :: via 2001:db8:10::2 dev veth1 src 2001:db8:10::1 metric 1024 pref medium + +Conversion of FIB entries to work with external nexthop objects +missed an important difference between IPv4 and IPv6 - how dst +entries are invalidated when the FIB changes. IPv4 has a per-network +namespace generation id (rt_genid) that is bumped on changes to the FIB. +Checking if a dst_entry is still valid means comparing rt_genid in the +rtable to the current value of rt_genid for the namespace. + +IPv6 also has a per network namespace counter, fib6_sernum, but the +count is saved per fib6_node. With the per-node counter only dst_entries +based on fib entries under the node are invalidated when changes are +made to the routes - limiting the scope of invalidations. IPv6 uses a +reference in the rt6_info, 'from', to track the corresponding fib entry +used to create the dst_entry. When validating a dst_entry, the 'from' +is used to backtrack to the fib6_node and check the sernum of it to the +cookie passed to the dst_check operation. + +With the inline format (nexthop definition inline with the fib6_info), +dst_entries cached in the fib6_nh have a 1:1 correlation between fib +entries, nexthop data and dst_entries. With external nexthops, IPv6 +looks more like IPv4 which means multiple fib entries across disparate +fib6_nodes can all reference the same fib6_nh. That means validation +of dst_entries based on external nexthops needs to use the IPv4 format +- the per-network namespace counter. + +Add sernum to rt6_info and set it when creating a pcpu dst entry. Update +rt6_get_cookie to return sernum if it is set and update dst_check for +IPv6 to look for sernum set and based the check on it if so. Finally, +rt6_get_pcpu_route needs to validate the cached entry before returning +a pcpu entry (similar to the rt_cache_valid calls in __mkroute_input and +__mkroute_output for IPv4). + +This problem only affects routes using the new, external nexthops. + +Thanks to the kbuild test robot for catching the IS_ENABLED needed +around rt_genid_ipv6 before I sent this out. + +Fixes: 5b98324ebe29 ("ipv6: Allow routes to use nexthop objects") +Reported-by: Nikolay Aleksandrov +Signed-off-by: David Ahern +Reviewed-by: Nikolay Aleksandrov +Tested-by: Nikolay Aleksandrov +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/net/ip6_fib.h | 4 ++++ + include/net/net_namespace.h | 7 +++++++ + net/ipv6/route.c | 25 +++++++++++++++++++++++++ + 3 files changed, 36 insertions(+) + +--- a/include/net/ip6_fib.h ++++ b/include/net/ip6_fib.h +@@ -204,6 +204,7 @@ struct fib6_info { + struct rt6_info { + struct dst_entry dst; + struct fib6_info __rcu *from; ++ int sernum; + + struct rt6key rt6i_dst; + struct rt6key rt6i_src; +@@ -292,6 +293,9 @@ static inline u32 rt6_get_cookie(const s + struct fib6_info *from; + u32 cookie = 0; + ++ if (rt->sernum) ++ return rt->sernum; ++ + rcu_read_lock(); + + from = rcu_dereference(rt->from); +--- a/include/net/net_namespace.h ++++ b/include/net/net_namespace.h +@@ -432,6 +432,13 @@ static inline int rt_genid_ipv4(const st + return atomic_read(&net->ipv4.rt_genid); + } + ++#if IS_ENABLED(CONFIG_IPV6) ++static inline int rt_genid_ipv6(const struct net *net) ++{ ++ return atomic_read(&net->ipv6.fib6_sernum); ++} ++#endif ++ + static inline void rt_genid_bump_ipv4(struct net *net) + { + atomic_inc(&net->ipv4.rt_genid); +--- a/net/ipv6/route.c ++++ b/net/ipv6/route.c +@@ -1388,9 +1388,18 @@ static struct rt6_info *ip6_rt_pcpu_allo + } + ip6_rt_copy_init(pcpu_rt, res); + pcpu_rt->rt6i_flags |= RTF_PCPU; ++ ++ if (f6i->nh) ++ pcpu_rt->sernum = rt_genid_ipv6(dev_net(dev)); ++ + return pcpu_rt; + } + ++static bool rt6_is_valid(const struct rt6_info *rt6) ++{ ++ return rt6->sernum == rt_genid_ipv6(dev_net(rt6->dst.dev)); ++} ++ + /* It should be called with rcu_read_lock() acquired */ + static struct rt6_info *rt6_get_pcpu_route(const struct fib6_result *res) + { +@@ -1398,6 +1407,19 @@ static struct rt6_info *rt6_get_pcpu_rou + + pcpu_rt = this_cpu_read(*res->nh->rt6i_pcpu); + ++ if (pcpu_rt && pcpu_rt->sernum && !rt6_is_valid(pcpu_rt)) { ++ struct rt6_info *prev, **p; ++ ++ p = this_cpu_ptr(res->nh->rt6i_pcpu); ++ prev = xchg(p, NULL); ++ if (prev) { ++ dst_dev_put(&prev->dst); ++ dst_release(&prev->dst); ++ } ++ ++ pcpu_rt = NULL; ++ } ++ + return pcpu_rt; + } + +@@ -2596,6 +2618,9 @@ static struct dst_entry *ip6_dst_check(s + + rt = container_of(dst, struct rt6_info, dst); + ++ if (rt->sernum) ++ return rt6_is_valid(rt) ? dst : NULL; ++ + rcu_read_lock(); + + /* All IPV6 dsts are created with ->obsolete set to the value diff --git a/queue-5.6/mlxsw-spectrum_acl_tcam-position-vchunk-in-a-vregion-list-properly.patch b/queue-5.6/mlxsw-spectrum_acl_tcam-position-vchunk-in-a-vregion-list-properly.patch new file mode 100644 index 00000000000..3725e652095 --- /dev/null +++ b/queue-5.6/mlxsw-spectrum_acl_tcam-position-vchunk-in-a-vregion-list-properly.patch @@ -0,0 +1,53 @@ +From foo@baz Tue 12 May 2020 10:54:57 AM CEST +From: Jiri Pirko +Date: Mon, 27 Apr 2020 18:05:47 +0300 +Subject: mlxsw: spectrum_acl_tcam: Position vchunk in a vregion list properly + +From: Jiri Pirko + +[ Upstream commit 6ef4889fc0b3aa6ab928e7565935ac6f762cee6e ] + +Vregion helpers to get min and max priority depend on the correct +ordering of vchunks in the vregion list. However, the current code +always adds new chunk to the end of the list, no matter what the +priority is. Fix this by finding the correct place in the list and put +vchunk there. + +Fixes: 22a677661f56 ("mlxsw: spectrum: Introduce ACL core with simple TCAM implementation") +Signed-off-by: Jiri Pirko +Signed-off-by: Ido Schimmel +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlxsw/spectrum_acl_tcam.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_acl_tcam.c ++++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_acl_tcam.c +@@ -986,8 +986,9 @@ mlxsw_sp_acl_tcam_vchunk_create(struct m + unsigned int priority, + struct mlxsw_afk_element_usage *elusage) + { ++ struct mlxsw_sp_acl_tcam_vchunk *vchunk, *vchunk2; + struct mlxsw_sp_acl_tcam_vregion *vregion; +- struct mlxsw_sp_acl_tcam_vchunk *vchunk; ++ struct list_head *pos; + int err; + + if (priority == MLXSW_SP_ACL_TCAM_CATCHALL_PRIO) +@@ -1025,7 +1026,14 @@ mlxsw_sp_acl_tcam_vchunk_create(struct m + } + + mlxsw_sp_acl_tcam_rehash_ctx_vregion_changed(vregion); +- list_add_tail(&vchunk->list, &vregion->vchunk_list); ++ ++ /* Position the vchunk inside the list according to priority */ ++ list_for_each(pos, &vregion->vchunk_list) { ++ vchunk2 = list_entry(pos, typeof(*vchunk2), list); ++ if (vchunk2->priority > priority) ++ break; ++ } ++ list_add_tail(&vchunk->list, pos); + mutex_unlock(&vregion->lock); + + return vchunk; diff --git a/queue-5.6/neigh-send-protocol-value-in-neighbor-create-notification.patch b/queue-5.6/neigh-send-protocol-value-in-neighbor-create-notification.patch new file mode 100644 index 00000000000..b9a270515f8 --- /dev/null +++ b/queue-5.6/neigh-send-protocol-value-in-neighbor-create-notification.patch @@ -0,0 +1,45 @@ +From foo@baz Tue 12 May 2020 10:54:57 AM CEST +From: Roman Mashak +Date: Fri, 1 May 2020 21:34:18 -0400 +Subject: neigh: send protocol value in neighbor create notification + +From: Roman Mashak + +[ Upstream commit 38212bb31fe923d0a2c6299bd2adfbb84cddef2a ] + +When a new neighbor entry has been added, event is generated but it does not +include protocol, because its value is assigned after the event notification +routine has run, so move protocol assignment code earlier. + +Fixes: df9b0e30d44c ("neighbor: Add protocol attribute") +Cc: David Ahern +Signed-off-by: Roman Mashak +Reviewed-by: David Ahern +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/core/neighbour.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/net/core/neighbour.c ++++ b/net/core/neighbour.c +@@ -1954,6 +1954,9 @@ static int neigh_add(struct sk_buff *skb + NEIGH_UPDATE_F_OVERRIDE_ISROUTER); + } + ++ if (protocol) ++ neigh->protocol = protocol; ++ + if (ndm->ndm_flags & NTF_EXT_LEARNED) + flags |= NEIGH_UPDATE_F_EXT_LEARNED; + +@@ -1967,9 +1970,6 @@ static int neigh_add(struct sk_buff *skb + err = __neigh_update(neigh, lladdr, ndm->ndm_state, flags, + NETLINK_CB(skb).portid, extack); + +- if (protocol) +- neigh->protocol = protocol; +- + neigh_release(neigh); + + out: diff --git a/queue-5.6/net-bridge-vlan-add-a-schedule-point-during-vlan-processing.patch b/queue-5.6/net-bridge-vlan-add-a-schedule-point-during-vlan-processing.patch new file mode 100644 index 00000000000..e45cafc8676 --- /dev/null +++ b/queue-5.6/net-bridge-vlan-add-a-schedule-point-during-vlan-processing.patch @@ -0,0 +1,43 @@ +From foo@baz Tue 12 May 2020 10:54:57 AM CEST +From: Ido Schimmel +Date: Thu, 30 Apr 2020 22:38:45 +0300 +Subject: net: bridge: vlan: Add a schedule point during VLAN processing + +From: Ido Schimmel + +[ Upstream commit 7979457b1d3a069cd857f5bd69e070e30223dd0c ] + +User space can request to delete a range of VLANs from a bridge slave in +one netlink request. For each deleted VLAN the FDB needs to be traversed +in order to flush all the affected entries. + +If a large range of VLANs is deleted and the number of FDB entries is +large or the FDB lock is contented, it is possible for the kernel to +loop through the deleted VLANs for a long time. In case preemption is +disabled, this can result in a soft lockup. + +Fix this by adding a schedule point after each VLAN is deleted to yield +the CPU, if needed. This is safe because the VLANs are traversed in +process context. + +Fixes: bdced7ef7838 ("bridge: support for multiple vlans and vlan ranges in setlink and dellink requests") +Signed-off-by: Ido Schimmel +Reported-by: Stefan Priebe - Profihost AG +Tested-by: Stefan Priebe - Profihost AG +Acked-by: Nikolay Aleksandrov +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/bridge/br_netlink.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/bridge/br_netlink.c ++++ b/net/bridge/br_netlink.c +@@ -612,6 +612,7 @@ int br_process_vlan_info(struct net_brid + v - 1, rtm_cmd); + v_change_start = 0; + } ++ cond_resched(); + } + /* v_change_start is set only if the last/whole range changed */ + if (v_change_start) diff --git a/queue-5.6/net-dsa-do-not-leave-dsa-master-with-null-netdev_ops.patch b/queue-5.6/net-dsa-do-not-leave-dsa-master-with-null-netdev_ops.patch new file mode 100644 index 00000000000..3859a894087 --- /dev/null +++ b/queue-5.6/net-dsa-do-not-leave-dsa-master-with-null-netdev_ops.patch @@ -0,0 +1,42 @@ +From foo@baz Tue 12 May 2020 10:54:57 AM CEST +From: Florian Fainelli +Date: Mon, 4 May 2020 13:18:06 -0700 +Subject: net: dsa: Do not leave DSA master with NULL netdev_ops + +From: Florian Fainelli + +[ Upstream commit 050569fc8384c8056bacefcc246bcb2dfe574936 ] + +When ndo_get_phys_port_name() for the CPU port was added we introduced +an early check for when the DSA master network device in +dsa_master_ndo_setup() already implements ndo_get_phys_port_name(). When +we perform the teardown operation in dsa_master_ndo_teardown() we would +not be checking that cpu_dp->orig_ndo_ops was successfully allocated and +non-NULL initialized. + +With network device drivers such as virtio_net, this leads to a NPD as +soon as the DSA switch hanging off of it gets torn down because we are +now assigning the virtio_net device's netdev_ops a NULL pointer. + +Fixes: da7b9e9b00d4 ("net: dsa: Add ndo_get_phys_port_name() for CPU port") +Reported-by: Allen Pais +Signed-off-by: Florian Fainelli +Tested-by: Allen Pais +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/dsa/master.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/dsa/master.c ++++ b/net/dsa/master.c +@@ -289,7 +289,8 @@ static void dsa_master_ndo_teardown(stru + { + struct dsa_port *cpu_dp = dev->dsa_ptr; + +- dev->netdev_ops = cpu_dp->orig_ndo_ops; ++ if (cpu_dp->orig_ndo_ops) ++ dev->netdev_ops = cpu_dp->orig_ndo_ops; + cpu_dp->orig_ndo_ops = NULL; + } + diff --git a/queue-5.6/net-dsa-do-not-make-user-port-errors-fatal.patch b/queue-5.6/net-dsa-do-not-make-user-port-errors-fatal.patch new file mode 100644 index 00000000000..3bdfd48ee44 --- /dev/null +++ b/queue-5.6/net-dsa-do-not-make-user-port-errors-fatal.patch @@ -0,0 +1,35 @@ +From foo@baz Tue 12 May 2020 10:54:57 AM CEST +From: Florian Fainelli +Date: Sun, 3 May 2020 20:50:57 -0700 +Subject: net: dsa: Do not make user port errors fatal + +From: Florian Fainelli + +[ Upstream commit 86f8b1c01a0a537a73d2996615133be63cdf75db ] + +Prior to 1d27732f411d ("net: dsa: setup and teardown ports"), we would +not treat failures to set-up an user port as fatal, but after this +commit we would, which is a regression for some systems where interfaces +may be declared in the Device Tree, but the underlying hardware may not +be present (pluggable daughter cards for instance). + +Fixes: 1d27732f411d ("net: dsa: setup and teardown ports") +Signed-off-by: Florian Fainelli +Reviewed-by: Andrew Lunn +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/dsa/dsa2.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/dsa/dsa2.c ++++ b/net/dsa/dsa2.c +@@ -459,7 +459,7 @@ static int dsa_tree_setup_switches(struc + list_for_each_entry(dp, &dst->ports, list) { + err = dsa_port_setup(dp); + if (err) +- goto teardown; ++ continue; + } + + return 0; diff --git a/queue-5.6/net-enetc-fix-an-issue-about-leak-system-resources.patch b/queue-5.6/net-enetc-fix-an-issue-about-leak-system-resources.patch new file mode 100644 index 00000000000..cecddd61023 --- /dev/null +++ b/queue-5.6/net-enetc-fix-an-issue-about-leak-system-resources.patch @@ -0,0 +1,35 @@ +From foo@baz Tue 12 May 2020 10:54:57 AM CEST +From: Dejin Zheng +Date: Mon, 4 May 2020 20:01:27 +0800 +Subject: net: enetc: fix an issue about leak system resources + +From: Dejin Zheng + +[ Upstream commit d975cb7ea915e64a3ebcfef8a33051f3e6bf22a8 ] + +the related system resources were not released when enetc_hw_alloc() +return error in the enetc_pci_mdio_probe(), add iounmap() for error +handling label "err_hw_alloc" to fix it. + +Fixes: 6517798dd3432a ("enetc: Make MDIO accessors more generic and export to include/linux/fsl") +Cc: Andy Shevchenko +Signed-off-by: Dejin Zheng +Reviewed-by: Vladimir Oltean +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/freescale/enetc/enetc_pci_mdio.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/freescale/enetc/enetc_pci_mdio.c ++++ b/drivers/net/ethernet/freescale/enetc/enetc_pci_mdio.c +@@ -74,8 +74,8 @@ err_pci_mem_reg: + pci_disable_device(pdev); + err_pci_enable: + err_mdiobus_alloc: +- iounmap(port_regs); + err_hw_alloc: ++ iounmap(port_regs); + err_ioremap: + return err; + } diff --git a/queue-5.6/net-macb-fix-an-issue-about-leak-related-system-resources.patch b/queue-5.6/net-macb-fix-an-issue-about-leak-related-system-resources.patch new file mode 100644 index 00000000000..23fe47c77d0 --- /dev/null +++ b/queue-5.6/net-macb-fix-an-issue-about-leak-related-system-resources.patch @@ -0,0 +1,48 @@ +From foo@baz Tue 12 May 2020 10:54:57 AM CEST +From: Dejin Zheng +Date: Sun, 3 May 2020 20:32:26 +0800 +Subject: net: macb: fix an issue about leak related system resources + +From: Dejin Zheng + +[ Upstream commit b959c77dac09348955f344104c6a921ebe104753 ] + +A call of the function macb_init() can fail in the function +fu540_c000_init. The related system resources were not released +then. use devm_platform_ioremap_resource() to replace ioremap() +to fix it. + +Fixes: c218ad559020ff9 ("macb: Add support for SiFive FU540-C000") +Cc: Andy Shevchenko +Reviewed-by: Yash Shah +Suggested-by: Nicolas Ferre +Suggested-by: Andy Shevchenko +Signed-off-by: Dejin Zheng +Acked-by: Nicolas Ferre +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/cadence/macb_main.c | 12 +++--------- + 1 file changed, 3 insertions(+), 9 deletions(-) + +--- a/drivers/net/ethernet/cadence/macb_main.c ++++ b/drivers/net/ethernet/cadence/macb_main.c +@@ -4165,15 +4165,9 @@ static int fu540_c000_clk_init(struct pl + + static int fu540_c000_init(struct platform_device *pdev) + { +- struct resource *res; +- +- res = platform_get_resource(pdev, IORESOURCE_MEM, 1); +- if (!res) +- return -ENODEV; +- +- mgmt->reg = ioremap(res->start, resource_size(res)); +- if (!mgmt->reg) +- return -ENOMEM; ++ mgmt->reg = devm_platform_ioremap_resource(pdev, 1); ++ if (IS_ERR(mgmt->reg)) ++ return PTR_ERR(mgmt->reg); + + return macb_init(pdev); + } diff --git a/queue-5.6/net-macsec-preserve-ingress-frame-ordering.patch b/queue-5.6/net-macsec-preserve-ingress-frame-ordering.patch new file mode 100644 index 00000000000..fce96fa4336 --- /dev/null +++ b/queue-5.6/net-macsec-preserve-ingress-frame-ordering.patch @@ -0,0 +1,75 @@ +From foo@baz Tue 12 May 2020 10:54:57 AM CEST +From: Scott Dial +Date: Fri, 24 Apr 2020 18:51:08 -0400 +Subject: net: macsec: preserve ingress frame ordering + +From: Scott Dial + +[ Upstream commit ab046a5d4be4c90a3952a0eae75617b49c0cb01b ] + +MACsec decryption always occurs in a softirq context. Since +the FPU may not be usable in the softirq context, the call to +decrypt may be scheduled on the cryptd work queue. The cryptd +work queue does not provide ordering guarantees. Therefore, +preserving order requires masking out ASYNC implementations +of gcm(aes). + +For instance, an Intel CPU with AES-NI makes available the +generic-gcm-aesni driver from the aesni_intel module to +implement gcm(aes). However, this implementation requires +the FPU, so it is not always available to use from a softirq +context, and will fallback to the cryptd work queue, which +does not preserve frame ordering. With this change, such a +system would select gcm_base(ctr(aes-aesni),ghash-generic). +While the aes-aesni implementation prefers to use the FPU, it +will fallback to the aes-asm implementation if unavailable. + +By using a synchronous version of gcm(aes), the decryption +will complete before returning from crypto_aead_decrypt(). +Therefore, the macsec_decrypt_done() callback will be called +before returning from macsec_decrypt(). Thus, the order of +calls to macsec_post_decrypt() for the frames is preserved. + +While it's presumable that the pure AES-NI version of gcm(aes) +is more performant, the hybrid solution is capable of gigabit +speeds on modest hardware. Regardless, preserving the order +of frames is paramount for many network protocols (e.g., +triggering TCP retries). Within the MACsec driver itself, the +replay protection is tripped by the out-of-order frames, and +can cause frames to be dropped. + +This bug has been present in this code since it was added in +v4.6, however it may not have been noticed since not all CPUs +have FPU offload available. Additionally, the bug manifests +as occasional out-of-order packets that are easily +misattributed to other network phenomena. + +When this code was added in v4.6, the crypto/gcm.c code did +not restrict selection of the ghash function based on the +ASYNC flag. For instance, x86 CPUs with PCLMULQDQ would +select the ghash-clmulni driver instead of ghash-generic, +which submits to the cryptd work queue if the FPU is busy. +However, this bug was was corrected in v4.8 by commit +b30bdfa86431afbafe15284a3ad5ac19b49b88e3, and was backported +all the way back to the v3.14 stable branch, so this patch +should be applicable back to the v4.6 stable branch. + +Signed-off-by: Scott Dial +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/macsec.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/net/macsec.c ++++ b/drivers/net/macsec.c +@@ -1226,7 +1226,8 @@ static struct crypto_aead *macsec_alloc_ + struct crypto_aead *tfm; + int ret; + +- tfm = crypto_alloc_aead("gcm(aes)", 0, 0); ++ /* Pick a sync gcm(aes) cipher to ensure order is preserved. */ ++ tfm = crypto_alloc_aead("gcm(aes)", 0, CRYPTO_ALG_ASYNC); + + if (IS_ERR(tfm)) + return tfm; diff --git a/queue-5.6/net-mlx4_core-fix-use-of-enospc-around-mlx4_counter_alloc.patch b/queue-5.6/net-mlx4_core-fix-use-of-enospc-around-mlx4_counter_alloc.patch new file mode 100644 index 00000000000..c8c43c65b25 --- /dev/null +++ b/queue-5.6/net-mlx4_core-fix-use-of-enospc-around-mlx4_counter_alloc.patch @@ -0,0 +1,49 @@ +From foo@baz Tue 12 May 2020 10:54:57 AM CEST +From: Tariq Toukan +Date: Mon, 4 May 2020 11:36:02 +0300 +Subject: net/mlx4_core: Fix use of ENOSPC around mlx4_counter_alloc() + +From: Tariq Toukan + +[ Upstream commit 40e473071dbad04316ddc3613c3a3d1c75458299 ] + +When ENOSPC is set the idx is still valid and gets set to the global +MLX4_SINK_COUNTER_INDEX. However gcc's static analysis cannot tell that +ENOSPC is impossible from mlx4_cmd_imm() and gives this warning: + +drivers/net/ethernet/mellanox/mlx4/main.c:2552:28: warning: 'idx' may be +used uninitialized in this function [-Wmaybe-uninitialized] + 2552 | priv->def_counter[port] = idx; + +Also, when ENOSPC is returned mlx4_allocate_default_counters should not +fail. + +Fixes: 6de5f7f6a1fa ("net/mlx4_core: Allocate default counter per port") +Signed-off-by: Jason Gunthorpe +Signed-off-by: Tariq Toukan +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlx4/main.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/mellanox/mlx4/main.c ++++ b/drivers/net/ethernet/mellanox/mlx4/main.c +@@ -2550,6 +2550,7 @@ static int mlx4_allocate_default_counter + + if (!err || err == -ENOSPC) { + priv->def_counter[port] = idx; ++ err = 0; + } else if (err == -ENOENT) { + err = 0; + continue; +@@ -2600,7 +2601,8 @@ int mlx4_counter_alloc(struct mlx4_dev * + MLX4_CMD_TIME_CLASS_A, MLX4_CMD_WRAPPED); + if (!err) + *idx = get_param_l(&out_param); +- ++ if (WARN_ON(err == -ENOSPC)) ++ err = -EINVAL; + return err; + } + return __mlx4_counter_alloc(dev, idx); diff --git a/queue-5.6/net-mlx5-dr-on-creation-set-cq-s-arm_db-member-to-right-value.patch b/queue-5.6/net-mlx5-dr-on-creation-set-cq-s-arm_db-member-to-right-value.patch new file mode 100644 index 00000000000..b8a05141859 --- /dev/null +++ b/queue-5.6/net-mlx5-dr-on-creation-set-cq-s-arm_db-member-to-right-value.patch @@ -0,0 +1,62 @@ +From foo@baz Tue 12 May 2020 10:54:57 AM CEST +From: Erez Shitrit +Date: Wed, 25 Mar 2020 17:19:43 +0200 +Subject: net/mlx5: DR, On creation set CQ's arm_db member to right value + +From: Erez Shitrit + +[ Upstream commit 8075411d93b6efe143d9f606f6531077795b7fbf ] + +In polling mode, set arm_db member to a value that will avoid CQ +event recovery by the HW. +Otherwise we might get event without completion function. +In addition,empty completion function to was added to protect from +unexpected events. + +Fixes: 297cccebdc5a ("net/mlx5: DR, Expose an internal API to issue RDMA operations") +Signed-off-by: Erez Shitrit +Reviewed-by: Tariq Toukan +Reviewed-by: Alex Vesker +Signed-off-by: Saeed Mahameed +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlx5/core/steering/dr_send.c | 14 ++++++++++++- + 1 file changed, 13 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_send.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_send.c +@@ -689,6 +689,12 @@ static void dr_cq_event(struct mlx5_core + pr_info("CQ event %u on CQ #%u\n", event, mcq->cqn); + } + ++static void dr_cq_complete(struct mlx5_core_cq *mcq, ++ struct mlx5_eqe *eqe) ++{ ++ pr_err("CQ completion CQ: #%u\n", mcq->cqn); ++} ++ + static struct mlx5dr_cq *dr_create_cq(struct mlx5_core_dev *mdev, + struct mlx5_uars_page *uar, + size_t ncqe) +@@ -750,6 +756,7 @@ static struct mlx5dr_cq *dr_create_cq(st + mlx5_fill_page_frag_array(&cq->wq_ctrl.buf, pas); + + cq->mcq.event = dr_cq_event; ++ cq->mcq.comp = dr_cq_complete; + + err = mlx5_core_create_cq(mdev, &cq->mcq, in, inlen, out, sizeof(out)); + kvfree(in); +@@ -761,7 +768,12 @@ static struct mlx5dr_cq *dr_create_cq(st + cq->mcq.set_ci_db = cq->wq_ctrl.db.db; + cq->mcq.arm_db = cq->wq_ctrl.db.db + 1; + *cq->mcq.set_ci_db = 0; +- *cq->mcq.arm_db = 0; ++ ++ /* set no-zero value, in order to avoid the HW to run db-recovery on ++ * CQ that used in polling mode. ++ */ ++ *cq->mcq.arm_db = cpu_to_be32(2 << 28); ++ + cq->mcq.vector = 0; + cq->mcq.irqn = irqn; + cq->mcq.uar = uar; diff --git a/queue-5.6/net-mlx5-fix-command-entry-leak-in-internal-error-state.patch b/queue-5.6/net-mlx5-fix-command-entry-leak-in-internal-error-state.patch new file mode 100644 index 00000000000..16f58cb5e34 --- /dev/null +++ b/queue-5.6/net-mlx5-fix-command-entry-leak-in-internal-error-state.patch @@ -0,0 +1,36 @@ +From foo@baz Tue 12 May 2020 10:54:57 AM CEST +From: Moshe Shemesh +Date: Sun, 23 Feb 2020 03:27:41 +0200 +Subject: net/mlx5: Fix command entry leak in Internal Error State + +From: Moshe Shemesh + +[ Upstream commit cece6f432cca9f18900463ed01b97a152a03600a ] + +Processing commands by cmd_work_handler() while already in Internal +Error State will result in entry leak, since the handler process force +completion without doorbell. Forced completion doesn't release the entry +and event completion will never arrive, so entry should be released. + +Fixes: 73dd3a4839c1 ("net/mlx5: Avoid using pending command interface slots") +Signed-off-by: Moshe Shemesh +Signed-off-by: Eran Ben Elisha +Signed-off-by: Saeed Mahameed +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlx5/core/cmd.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c +@@ -922,6 +922,10 @@ static void cmd_work_handler(struct work + MLX5_SET(mbox_out, ent->out, syndrome, drv_synd); + + mlx5_cmd_comp_handler(dev, 1UL << ent->idx, true); ++ /* no doorbell, no need to keep the entry */ ++ free_ent(cmd, ent->idx); ++ if (ent->callback) ++ free_cmd(ent); + return; + } + diff --git a/queue-5.6/net-mlx5-fix-forced-completion-access-non-initialized-command-entry.patch b/queue-5.6/net-mlx5-fix-forced-completion-access-non-initialized-command-entry.patch new file mode 100644 index 00000000000..20cf42bf869 --- /dev/null +++ b/queue-5.6/net-mlx5-fix-forced-completion-access-non-initialized-command-entry.patch @@ -0,0 +1,46 @@ +From foo@baz Tue 12 May 2020 10:54:57 AM CEST +From: Moshe Shemesh +Date: Sun, 21 Jul 2019 08:40:13 +0300 +Subject: net/mlx5: Fix forced completion access non initialized command entry + +From: Moshe Shemesh + +[ Upstream commit f3cb3cebe26ed4c8036adbd9448b372129d3c371 ] + +mlx5_cmd_flush() will trigger forced completions to all valid command +entries. Triggered by an asynch event such as fast teardown it can +happen at any stage of the command, including command initialization. +It will trigger forced completion and that can lead to completion on an +uninitialized command entry. + +Setting MLX5_CMD_ENT_STATE_PENDING_COMP only after command entry is +initialized will ensure force completion is treated only if command +entry is initialized. + +Fixes: 73dd3a4839c1 ("net/mlx5: Avoid using pending command interface slots") +Signed-off-by: Moshe Shemesh +Signed-off-by: Eran Ben Elisha +Signed-off-by: Saeed Mahameed +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlx5/core/cmd.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c +@@ -888,7 +888,6 @@ static void cmd_work_handler(struct work + } + + cmd->ent_arr[ent->idx] = ent; +- set_bit(MLX5_CMD_ENT_STATE_PENDING_COMP, &ent->state); + lay = get_inst(cmd, ent->idx); + ent->lay = lay; + memset(lay, 0, sizeof(*lay)); +@@ -910,6 +909,7 @@ static void cmd_work_handler(struct work + + if (ent->callback) + schedule_delayed_work(&ent->cb_timeout_work, cb_timeout); ++ set_bit(MLX5_CMD_ENT_STATE_PENDING_COMP, &ent->state); + + /* Skip sending command to fw if internal error */ + if (pci_channel_offline(dev->pdev) || diff --git a/queue-5.6/net-mlx5e-fix-q-counters-on-uplink-representors.patch b/queue-5.6/net-mlx5e-fix-q-counters-on-uplink-representors.patch new file mode 100644 index 00000000000..20148a9906a --- /dev/null +++ b/queue-5.6/net-mlx5e-fix-q-counters-on-uplink-representors.patch @@ -0,0 +1,45 @@ +From foo@baz Tue 12 May 2020 10:54:57 AM CEST +From: Roi Dayan +Date: Thu, 23 Apr 2020 12:37:21 +0300 +Subject: net/mlx5e: Fix q counters on uplink representors + +From: Roi Dayan + +[ Upstream commit 67b38de646894c9a94fe4d6d17719e70cc6028eb ] + +Need to allocate the q counters before init_rx which needs them +when creating the rq. + +Fixes: 8520fa57a4e9 ("net/mlx5e: Create q counters on uplink representors") +Signed-off-by: Roi Dayan +Reviewed-by: Vlad Buslov +Signed-off-by: Saeed Mahameed +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlx5/core/en_rep.c | 9 ++------- + 1 file changed, 2 insertions(+), 7 deletions(-) + +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c +@@ -1692,19 +1692,14 @@ static void mlx5e_cleanup_rep_rx(struct + + static int mlx5e_init_ul_rep_rx(struct mlx5e_priv *priv) + { +- int err = mlx5e_init_rep_rx(priv); +- +- if (err) +- return err; +- + mlx5e_create_q_counters(priv); +- return 0; ++ return mlx5e_init_rep_rx(priv); + } + + static void mlx5e_cleanup_ul_rep_rx(struct mlx5e_priv *priv) + { +- mlx5e_destroy_q_counters(priv); + mlx5e_cleanup_rep_rx(priv); ++ mlx5e_destroy_q_counters(priv); + } + + static int mlx5e_init_uplink_rep_tx(struct mlx5e_rep_priv *rpriv) diff --git a/queue-5.6/net-mvpp2-cls-prevent-buffer-overflow-in-mvpp2_ethtool_cls_rule_del.patch b/queue-5.6/net-mvpp2-cls-prevent-buffer-overflow-in-mvpp2_ethtool_cls_rule_del.patch new file mode 100644 index 00000000000..0a25ceff780 --- /dev/null +++ b/queue-5.6/net-mvpp2-cls-prevent-buffer-overflow-in-mvpp2_ethtool_cls_rule_del.patch @@ -0,0 +1,36 @@ +From foo@baz Tue 12 May 2020 10:54:57 AM CEST +From: Dan Carpenter +Date: Wed, 6 May 2020 13:16:56 +0300 +Subject: net: mvpp2: cls: Prevent buffer overflow in mvpp2_ethtool_cls_rule_del() + +From: Dan Carpenter + +[ Upstream commit 722c0f00d4feea77475a5dc943b53d60824a1e4e ] + +The "info->fs.location" is a u32 that comes from the user via the +ethtool_set_rxnfc() function. We need to check for invalid values to +prevent a buffer overflow. + +I copy and pasted this check from the mvpp2_ethtool_cls_rule_ins() +function. + +Fixes: 90b509b39ac9 ("net: mvpp2: cls: Add Classification offload support") +Signed-off-by: Dan Carpenter +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/marvell/mvpp2/mvpp2_cls.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_cls.c ++++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_cls.c +@@ -1422,6 +1422,9 @@ int mvpp2_ethtool_cls_rule_del(struct mv + struct mvpp2_ethtool_fs *efs; + int ret; + ++ if (info->fs.location >= MVPP2_N_RFS_ENTRIES_PER_FLOW) ++ return -EINVAL; ++ + efs = port->rfs_rules[info->fs.location]; + if (!efs) + return -EINVAL; diff --git a/queue-5.6/net-mvpp2-prevent-buffer-overflow-in-mvpp22_rss_ctx.patch b/queue-5.6/net-mvpp2-prevent-buffer-overflow-in-mvpp22_rss_ctx.patch new file mode 100644 index 00000000000..7edc2db210e --- /dev/null +++ b/queue-5.6/net-mvpp2-prevent-buffer-overflow-in-mvpp22_rss_ctx.patch @@ -0,0 +1,33 @@ +From foo@baz Tue 12 May 2020 10:54:57 AM CEST +From: Dan Carpenter +Date: Wed, 6 May 2020 13:16:22 +0300 +Subject: net: mvpp2: prevent buffer overflow in mvpp22_rss_ctx() + +From: Dan Carpenter + +[ Upstream commit 39bd16df7c31bb8cf5dfd0c88e42abd5ae10029d ] + +The "rss_context" variable comes from the user via ethtool_get_rxfh(). +It can be any u32 value except zero. Eventually it gets passed to +mvpp22_rss_ctx() and if it is over MVPP22_N_RSS_TABLES (8) then it +results in an array overflow. + +Fixes: 895586d5dc32 ("net: mvpp2: cls: Use RSS contexts to handle RSS tables") +Signed-off-by: Dan Carpenter +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c ++++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c +@@ -4325,6 +4325,8 @@ static int mvpp2_ethtool_get_rxfh_contex + + if (!mvpp22_rss_is_supported()) + return -EOPNOTSUPP; ++ if (rss_context >= MVPP22_N_RSS_TABLES) ++ return -EINVAL; + + if (hfunc) + *hfunc = ETH_RSS_HASH_CRC32; diff --git a/queue-5.6/net-phy-marvell10g-fix-temperature-sensor-on-2110.patch b/queue-5.6/net-phy-marvell10g-fix-temperature-sensor-on-2110.patch new file mode 100644 index 00000000000..e37da182b8e --- /dev/null +++ b/queue-5.6/net-phy-marvell10g-fix-temperature-sensor-on-2110.patch @@ -0,0 +1,88 @@ +From foo@baz Tue 12 May 2020 10:54:57 AM CEST +From: Baruch Siach +Date: Sun, 26 Apr 2020 09:22:06 +0300 +Subject: net: phy: marvell10g: fix temperature sensor on 2110 + +From: Baruch Siach + +[ Upstream commit c3e302edca2457bbd0c958c445a7538fbf6a6ac8 ] + +Read the temperature sensor register from the correct location for the +88E2110 PHY. There is no enable/disable bit on 2110, so make +mv3310_hwmon_config() run on 88X3310 only. + +Fixes: 62d01535474b61 ("net: phy: marvell10g: add support for the 88x2110 PHY") +Cc: Maxime Chevallier +Reviewed-by: Andrew Lunn +Signed-off-by: Baruch Siach +Reviewed-by: Russell King +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/phy/marvell10g.c | 27 ++++++++++++++++++++++++++- + 1 file changed, 26 insertions(+), 1 deletion(-) + +--- a/drivers/net/phy/marvell10g.c ++++ b/drivers/net/phy/marvell10g.c +@@ -44,6 +44,9 @@ enum { + MV_PCS_PAIRSWAP_AB = 0x0002, + MV_PCS_PAIRSWAP_NONE = 0x0003, + ++ /* Temperature read register (88E2110 only) */ ++ MV_PCS_TEMP = 0x8042, ++ + /* These registers appear at 0x800X and 0xa00X - the 0xa00X control + * registers appear to set themselves to the 0x800X when AN is + * restarted, but status registers appear readable from either. +@@ -54,6 +57,7 @@ enum { + /* Vendor2 MMD registers */ + MV_V2_PORT_CTRL = 0xf001, + MV_V2_PORT_CTRL_PWRDOWN = 0x0800, ++ /* Temperature control/read registers (88X3310 only) */ + MV_V2_TEMP_CTRL = 0xf08a, + MV_V2_TEMP_CTRL_MASK = 0xc000, + MV_V2_TEMP_CTRL_SAMPLE = 0x0000, +@@ -79,6 +83,24 @@ static umode_t mv3310_hwmon_is_visible(c + return 0; + } + ++static int mv3310_hwmon_read_temp_reg(struct phy_device *phydev) ++{ ++ return phy_read_mmd(phydev, MDIO_MMD_VEND2, MV_V2_TEMP); ++} ++ ++static int mv2110_hwmon_read_temp_reg(struct phy_device *phydev) ++{ ++ return phy_read_mmd(phydev, MDIO_MMD_PCS, MV_PCS_TEMP); ++} ++ ++static int mv10g_hwmon_read_temp_reg(struct phy_device *phydev) ++{ ++ if (phydev->drv->phy_id == MARVELL_PHY_ID_88X3310) ++ return mv3310_hwmon_read_temp_reg(phydev); ++ else /* MARVELL_PHY_ID_88E2110 */ ++ return mv2110_hwmon_read_temp_reg(phydev); ++} ++ + static int mv3310_hwmon_read(struct device *dev, enum hwmon_sensor_types type, + u32 attr, int channel, long *value) + { +@@ -91,7 +113,7 @@ static int mv3310_hwmon_read(struct devi + } + + if (type == hwmon_temp && attr == hwmon_temp_input) { +- temp = phy_read_mmd(phydev, MDIO_MMD_VEND2, MV_V2_TEMP); ++ temp = mv10g_hwmon_read_temp_reg(phydev); + if (temp < 0) + return temp; + +@@ -144,6 +166,9 @@ static int mv3310_hwmon_config(struct ph + u16 val; + int ret; + ++ if (phydev->drv->phy_id != MARVELL_PHY_ID_88X3310) ++ return 0; ++ + ret = phy_write_mmd(phydev, MDIO_MMD_VEND2, MV_V2_TEMP, + MV_V2_TEMP_UNKNOWN); + if (ret < 0) diff --git a/queue-5.6/net-stricter-validation-of-untrusted-gso-packets.patch b/queue-5.6/net-stricter-validation-of-untrusted-gso-packets.patch new file mode 100644 index 00000000000..3a956ca9513 --- /dev/null +++ b/queue-5.6/net-stricter-validation-of-untrusted-gso-packets.patch @@ -0,0 +1,105 @@ +From foo@baz Tue 12 May 2020 10:54:57 AM CEST +From: Willem de Bruijn +Date: Mon, 4 May 2020 12:48:54 -0400 +Subject: net: stricter validation of untrusted gso packets + +From: Willem de Bruijn + +[ Upstream commit 9274124f023b5c56dc4326637d4f787968b03607 ] + +Syzkaller again found a path to a kernel crash through bad gso input: +a packet with transport header extending beyond skb_headlen(skb). + +Tighten validation at kernel entry: + +- Verify that the transport header lies within the linear section. + + To avoid pulling linux/tcp.h, verify just sizeof tcphdr. + tcp_gso_segment will call pskb_may_pull (th->doff * 4) before use. + +- Match the gso_type against the ip_proto found by the flow dissector. + +Fixes: bfd5f4a3d605 ("packet: Add GSO/csum offload support.") +Reported-by: syzbot +Signed-off-by: Willem de Bruijn +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/virtio_net.h | 26 ++++++++++++++++++++++++-- + 1 file changed, 24 insertions(+), 2 deletions(-) + +--- a/include/linux/virtio_net.h ++++ b/include/linux/virtio_net.h +@@ -3,6 +3,8 @@ + #define _LINUX_VIRTIO_NET_H + + #include ++#include ++#include + #include + + static inline int virtio_net_hdr_set_proto(struct sk_buff *skb, +@@ -28,17 +30,25 @@ static inline int virtio_net_hdr_to_skb( + bool little_endian) + { + unsigned int gso_type = 0; ++ unsigned int thlen = 0; ++ unsigned int ip_proto; + + if (hdr->gso_type != VIRTIO_NET_HDR_GSO_NONE) { + switch (hdr->gso_type & ~VIRTIO_NET_HDR_GSO_ECN) { + case VIRTIO_NET_HDR_GSO_TCPV4: + gso_type = SKB_GSO_TCPV4; ++ ip_proto = IPPROTO_TCP; ++ thlen = sizeof(struct tcphdr); + break; + case VIRTIO_NET_HDR_GSO_TCPV6: + gso_type = SKB_GSO_TCPV6; ++ ip_proto = IPPROTO_TCP; ++ thlen = sizeof(struct tcphdr); + break; + case VIRTIO_NET_HDR_GSO_UDP: + gso_type = SKB_GSO_UDP; ++ ip_proto = IPPROTO_UDP; ++ thlen = sizeof(struct udphdr); + break; + default: + return -EINVAL; +@@ -57,16 +67,22 @@ static inline int virtio_net_hdr_to_skb( + + if (!skb_partial_csum_set(skb, start, off)) + return -EINVAL; ++ ++ if (skb_transport_offset(skb) + thlen > skb_headlen(skb)) ++ return -EINVAL; + } else { + /* gso packets without NEEDS_CSUM do not set transport_offset. + * probe and drop if does not match one of the above types. + */ + if (gso_type && skb->network_header) { ++ struct flow_keys_basic keys; ++ + if (!skb->protocol) + virtio_net_hdr_set_proto(skb, hdr); + retry: +- skb_probe_transport_header(skb); +- if (!skb_transport_header_was_set(skb)) { ++ if (!skb_flow_dissect_flow_keys_basic(NULL, skb, &keys, ++ NULL, 0, 0, 0, ++ 0)) { + /* UFO does not specify ipv4 or 6: try both */ + if (gso_type & SKB_GSO_UDP && + skb->protocol == htons(ETH_P_IP)) { +@@ -75,6 +91,12 @@ retry: + } + return -EINVAL; + } ++ ++ if (keys.control.thoff + thlen > skb_headlen(skb) || ++ keys.basic.ip_proto != ip_proto) ++ return -EINVAL; ++ ++ skb_set_transport_header(skb, keys.control.thoff); + } + } + diff --git a/queue-5.6/net-tc35815-fix-phydev-supported-advertising-mask.patch b/queue-5.6/net-tc35815-fix-phydev-supported-advertising-mask.patch new file mode 100644 index 00000000000..81b38b29b7f --- /dev/null +++ b/queue-5.6/net-tc35815-fix-phydev-supported-advertising-mask.patch @@ -0,0 +1,40 @@ +From foo@baz Tue 12 May 2020 10:54:57 AM CEST +From: Anthony Felice +Date: Sun, 26 Apr 2020 22:00:59 -0400 +Subject: net: tc35815: Fix phydev supported/advertising mask + +From: Anthony Felice + +[ Upstream commit 4b5b71f770e2edefbfe74203777264bfe6a9927c ] + +Commit 3c1bcc8614db ("net: ethernet: Convert phydev advertize and +supported from u32 to link mode") updated ethernet drivers to use a +linkmode bitmap. It mistakenly dropped a bitwise negation in the +tc35815 ethernet driver on a bitmask to set the supported/advertising +flags. + +Found by Anthony via code inspection, not tested as I do not have the +required hardware. + +Fixes: 3c1bcc8614db ("net: ethernet: Convert phydev advertize and supported from u32 to link mode") +Signed-off-by: Anthony Felice +Reviewed-by: Akshay Bhat +Reviewed-by: Heiner Kallweit +Reviewed-by: Andrew Lunn +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/toshiba/tc35815.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/toshiba/tc35815.c ++++ b/drivers/net/ethernet/toshiba/tc35815.c +@@ -643,7 +643,7 @@ static int tc_mii_probe(struct net_devic + linkmode_set_bit(ETHTOOL_LINK_MODE_10baseT_Half_BIT, mask); + linkmode_set_bit(ETHTOOL_LINK_MODE_100baseT_Half_BIT, mask); + } +- linkmode_and(phydev->supported, phydev->supported, mask); ++ linkmode_andnot(phydev->supported, phydev->supported, mask); + linkmode_copy(phydev->advertising, phydev->supported); + + lp->link = 0; diff --git a/queue-5.6/net-tls-fix-sk_psock-refcnt-leak-in-bpf_exec_tx_verdict.patch b/queue-5.6/net-tls-fix-sk_psock-refcnt-leak-in-bpf_exec_tx_verdict.patch new file mode 100644 index 00000000000..197fee11d9c --- /dev/null +++ b/queue-5.6/net-tls-fix-sk_psock-refcnt-leak-in-bpf_exec_tx_verdict.patch @@ -0,0 +1,42 @@ +From foo@baz Tue 12 May 2020 10:54:57 AM CEST +From: Xiyu Yang +Date: Sat, 25 Apr 2020 20:54:37 +0800 +Subject: net/tls: Fix sk_psock refcnt leak in bpf_exec_tx_verdict() + +From: Xiyu Yang + +[ Upstream commit 095f5614bfe16e5b3e191b34ea41b10d6fdd4ced ] + +bpf_exec_tx_verdict() invokes sk_psock_get(), which returns a reference +of the specified sk_psock object to "psock" with increased refcnt. + +When bpf_exec_tx_verdict() returns, local variable "psock" becomes +invalid, so the refcount should be decreased to keep refcount balanced. + +The reference counting issue happens in one exception handling path of +bpf_exec_tx_verdict(). When "policy" equals to NULL but "psock" is not +NULL, the function forgets to decrease the refcnt increased by +sk_psock_get(), causing a refcnt leak. + +Fix this issue by calling sk_psock_put() on this error path before +bpf_exec_tx_verdict() returns. + +Signed-off-by: Xiyu Yang +Signed-off-by: Xin Tan +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/tls/tls_sw.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/net/tls/tls_sw.c ++++ b/net/tls/tls_sw.c +@@ -800,6 +800,8 @@ static int bpf_exec_tx_verdict(struct sk + *copied -= sk_msg_free(sk, msg); + tls_free_open_rec(sk); + } ++ if (psock) ++ sk_psock_put(sk, psock); + return err; + } + more_data: diff --git a/queue-5.6/net-tls-fix-sk_psock-refcnt-leak-when-in-tls_data_ready.patch b/queue-5.6/net-tls-fix-sk_psock-refcnt-leak-when-in-tls_data_ready.patch new file mode 100644 index 00000000000..2944423ff7d --- /dev/null +++ b/queue-5.6/net-tls-fix-sk_psock-refcnt-leak-when-in-tls_data_ready.patch @@ -0,0 +1,45 @@ +From foo@baz Tue 12 May 2020 10:54:57 AM CEST +From: Xiyu Yang +Date: Sat, 25 Apr 2020 21:10:23 +0800 +Subject: net/tls: Fix sk_psock refcnt leak when in tls_data_ready() + +From: Xiyu Yang + +[ Upstream commit 62b4011fa7bef9fa00a6aeec26e69685dc1cc21e ] + +tls_data_ready() invokes sk_psock_get(), which returns a reference of +the specified sk_psock object to "psock" with increased refcnt. + +When tls_data_ready() returns, local variable "psock" becomes invalid, +so the refcount should be decreased to keep refcount balanced. + +The reference counting issue happens in one exception handling path of +tls_data_ready(). When "psock->ingress_msg" is empty but "psock" is not +NULL, the function forgets to decrease the refcnt increased by +sk_psock_get(), causing a refcnt leak. + +Fix this issue by calling sk_psock_put() on all paths when "psock" is +not NULL. + +Signed-off-by: Xiyu Yang +Signed-off-by: Xin Tan +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/tls/tls_sw.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/net/tls/tls_sw.c ++++ b/net/tls/tls_sw.c +@@ -2083,8 +2083,9 @@ static void tls_data_ready(struct sock * + strp_data_ready(&ctx->strp); + + psock = sk_psock_get(sk); +- if (psock && !list_empty(&psock->ingress_msg)) { +- ctx->saved_data_ready(sk); ++ if (psock) { ++ if (!list_empty(&psock->ingress_msg)) ++ ctx->saved_data_ready(sk); + sk_psock_put(sk, psock); + } + } diff --git a/queue-5.6/net-usb-qmi_wwan-add-support-for-dw5816e.patch b/queue-5.6/net-usb-qmi_wwan-add-support-for-dw5816e.patch new file mode 100644 index 00000000000..2cb61aa71b4 --- /dev/null +++ b/queue-5.6/net-usb-qmi_wwan-add-support-for-dw5816e.patch @@ -0,0 +1,29 @@ +From foo@baz Tue 12 May 2020 10:54:57 AM CEST +From: Matt Jolly +Date: Sun, 3 May 2020 01:52:28 +1000 +Subject: net: usb: qmi_wwan: add support for DW5816e + +From: Matt Jolly + +[ Upstream commit 57c7f2bd758eed867295c81d3527fff4fab1ed74 ] + +Add support for Dell Wireless 5816e to drivers/net/usb/qmi_wwan.c + +Signed-off-by: Matt Jolly +Acked-by: Bjørn Mork +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/qmi_wwan.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/usb/qmi_wwan.c ++++ b/drivers/net/usb/qmi_wwan.c +@@ -1359,6 +1359,7 @@ static const struct usb_device_id produc + {QMI_FIXED_INTF(0x413c, 0x81b3, 8)}, /* Dell Wireless 5809e Gobi(TM) 4G LTE Mobile Broadband Card (rev3) */ + {QMI_FIXED_INTF(0x413c, 0x81b6, 8)}, /* Dell Wireless 5811e */ + {QMI_FIXED_INTF(0x413c, 0x81b6, 10)}, /* Dell Wireless 5811e */ ++ {QMI_FIXED_INTF(0x413c, 0x81cc, 8)}, /* Dell Wireless 5816e */ + {QMI_FIXED_INTF(0x413c, 0x81d7, 0)}, /* Dell Wireless 5821e */ + {QMI_FIXED_INTF(0x413c, 0x81d7, 1)}, /* Dell Wireless 5821e preproduction config */ + {QMI_FIXED_INTF(0x413c, 0x81e0, 0)}, /* Dell Wireless 5821e with eSIM support*/ diff --git a/queue-5.6/net_sched-sch_skbprio-add-message-validation-to-skbprio_change.patch b/queue-5.6/net_sched-sch_skbprio-add-message-validation-to-skbprio_change.patch new file mode 100644 index 00000000000..2207590549d --- /dev/null +++ b/queue-5.6/net_sched-sch_skbprio-add-message-validation-to-skbprio_change.patch @@ -0,0 +1,32 @@ +From foo@baz Tue 12 May 2020 10:54:57 AM CEST +From: Eric Dumazet +Date: Sat, 2 May 2020 20:09:25 -0700 +Subject: net_sched: sch_skbprio: add message validation to skbprio_change() + +From: Eric Dumazet + +[ Upstream commit 2761121af87de45951989a0adada917837d8fa82 ] + +Do not assume the attribute has the right size. + +Fixes: aea5f654e6b7 ("net/sched: add skbprio scheduler") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/sched/sch_skbprio.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/net/sched/sch_skbprio.c ++++ b/net/sched/sch_skbprio.c +@@ -169,6 +169,9 @@ static int skbprio_change(struct Qdisc * + { + struct tc_skbprio_qopt *ctl = nla_data(opt); + ++ if (opt->nla_len != nla_attr_size(sizeof(*ctl))) ++ return -EINVAL; ++ + sch->limit = ctl->limit; + return 0; + } diff --git a/queue-5.6/nfp-abm-fix-a-memory-leak-bug.patch b/queue-5.6/nfp-abm-fix-a-memory-leak-bug.patch new file mode 100644 index 00000000000..a2f51a075cb --- /dev/null +++ b/queue-5.6/nfp-abm-fix-a-memory-leak-bug.patch @@ -0,0 +1,33 @@ +From foo@baz Tue 12 May 2020 10:54:57 AM CEST +From: Qiushi Wu +Date: Sat, 2 May 2020 17:42:59 -0500 +Subject: nfp: abm: fix a memory leak bug + +From: Qiushi Wu + +[ Upstream commit bd4af432cc71b5fbfe4833510359a6ad3ada250d ] + +In function nfp_abm_vnic_set_mac, pointer nsp is allocated by nfp_nsp_open. +But when nfp_nsp_has_hwinfo_lookup fail, the pointer is not released, +which can lead to a memory leak bug. Fix this issue by adding +nfp_nsp_close(nsp) in the error path. + +Fixes: f6e71efdf9fb1 ("nfp: abm: look up MAC addresses via management FW") +Signed-off-by: Qiushi Wu +Acked-by: Jakub Kicinski +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/netronome/nfp/abm/main.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/ethernet/netronome/nfp/abm/main.c ++++ b/drivers/net/ethernet/netronome/nfp/abm/main.c +@@ -283,6 +283,7 @@ nfp_abm_vnic_set_mac(struct nfp_pf *pf, + if (!nfp_nsp_has_hwinfo_lookup(nsp)) { + nfp_warn(pf->cpp, "NSP doesn't support PF MAC generation\n"); + eth_hw_addr_random(nn->dp.netdev); ++ nfp_nsp_close(nsp); + return; + } + diff --git a/queue-5.6/sch_choke-avoid-potential-panic-in-choke_reset.patch b/queue-5.6/sch_choke-avoid-potential-panic-in-choke_reset.patch new file mode 100644 index 00000000000..1e597ffce56 --- /dev/null +++ b/queue-5.6/sch_choke-avoid-potential-panic-in-choke_reset.patch @@ -0,0 +1,69 @@ +From foo@baz Tue 12 May 2020 10:54:57 AM CEST +From: Eric Dumazet +Date: Sat, 25 Apr 2020 15:19:51 -0700 +Subject: sch_choke: avoid potential panic in choke_reset() + +From: Eric Dumazet + +[ Upstream commit 8738c85c72b3108c9b9a369a39868ba5f8e10ae0 ] + +If choke_init() could not allocate q->tab, we would crash later +in choke_reset(). + +BUG: KASAN: null-ptr-deref in memset include/linux/string.h:366 [inline] +BUG: KASAN: null-ptr-deref in choke_reset+0x208/0x340 net/sched/sch_choke.c:326 +Write of size 8 at addr 0000000000000000 by task syz-executor822/7022 + +CPU: 1 PID: 7022 Comm: syz-executor822 Not tainted 5.7.0-rc1-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0x188/0x20d lib/dump_stack.c:118 + __kasan_report.cold+0x5/0x4d mm/kasan/report.c:515 + kasan_report+0x33/0x50 mm/kasan/common.c:625 + check_memory_region_inline mm/kasan/generic.c:187 [inline] + check_memory_region+0x141/0x190 mm/kasan/generic.c:193 + memset+0x20/0x40 mm/kasan/common.c:85 + memset include/linux/string.h:366 [inline] + choke_reset+0x208/0x340 net/sched/sch_choke.c:326 + qdisc_reset+0x6b/0x520 net/sched/sch_generic.c:910 + dev_deactivate_queue.constprop.0+0x13c/0x240 net/sched/sch_generic.c:1138 + netdev_for_each_tx_queue include/linux/netdevice.h:2197 [inline] + dev_deactivate_many+0xe2/0xba0 net/sched/sch_generic.c:1195 + dev_deactivate+0xf8/0x1c0 net/sched/sch_generic.c:1233 + qdisc_graft+0xd25/0x1120 net/sched/sch_api.c:1051 + tc_modify_qdisc+0xbab/0x1a00 net/sched/sch_api.c:1670 + rtnetlink_rcv_msg+0x44e/0xad0 net/core/rtnetlink.c:5454 + netlink_rcv_skb+0x15a/0x410 net/netlink/af_netlink.c:2469 + netlink_unicast_kernel net/netlink/af_netlink.c:1303 [inline] + netlink_unicast+0x537/0x740 net/netlink/af_netlink.c:1329 + netlink_sendmsg+0x882/0xe10 net/netlink/af_netlink.c:1918 + sock_sendmsg_nosec net/socket.c:652 [inline] + sock_sendmsg+0xcf/0x120 net/socket.c:672 + ____sys_sendmsg+0x6bf/0x7e0 net/socket.c:2362 + ___sys_sendmsg+0x100/0x170 net/socket.c:2416 + __sys_sendmsg+0xec/0x1b0 net/socket.c:2449 + do_syscall_64+0xf6/0x7d0 arch/x86/entry/common.c:295 + +Fixes: 77e62da6e60c ("sch_choke: drop all packets in queue during reset") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Cc: Cong Wang +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/sched/sch_choke.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/sched/sch_choke.c ++++ b/net/sched/sch_choke.c +@@ -323,7 +323,8 @@ static void choke_reset(struct Qdisc *sc + + sch->q.qlen = 0; + sch->qstats.backlog = 0; +- memset(q->tab, 0, (q->tab_mask + 1) * sizeof(struct sk_buff *)); ++ if (q->tab) ++ memset(q->tab, 0, (q->tab_mask + 1) * sizeof(struct sk_buff *)); + q->head = q->tail = 0; + red_restart(&q->vars); + } diff --git a/queue-5.6/sch_sfq-validate-silly-quantum-values.patch b/queue-5.6/sch_sfq-validate-silly-quantum-values.patch new file mode 100644 index 00000000000..a69484513d0 --- /dev/null +++ b/queue-5.6/sch_sfq-validate-silly-quantum-values.patch @@ -0,0 +1,47 @@ +From foo@baz Tue 12 May 2020 10:54:57 AM CEST +From: Eric Dumazet +Date: Sun, 26 Apr 2020 18:19:07 -0700 +Subject: sch_sfq: validate silly quantum values + +From: Eric Dumazet + +[ Upstream commit df4953e4e997e273501339f607b77953772e3559 ] + +syzbot managed to set up sfq so that q->scaled_quantum was zero, +triggering an infinite loop in sfq_dequeue() + +More generally, we must only accept quantum between 1 and 2^18 - 7, +meaning scaled_quantum must be in [1, 0x7FFF] range. + +Otherwise, we also could have a loop in sfq_dequeue() +if scaled_quantum happens to be 0x8000, since slot->allot +could indefinitely switch between 0 and 0x8000. + +Fixes: eeaeb068f139 ("sch_sfq: allow big packets and be fair") +Signed-off-by: Eric Dumazet +Reported-by: syzbot+0251e883fe39e7a0cb0a@syzkaller.appspotmail.com +Cc: Jason A. Donenfeld +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/sched/sch_sfq.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/net/sched/sch_sfq.c ++++ b/net/sched/sch_sfq.c +@@ -637,6 +637,15 @@ static int sfq_change(struct Qdisc *sch, + if (ctl->divisor && + (!is_power_of_2(ctl->divisor) || ctl->divisor > 65536)) + return -EINVAL; ++ ++ /* slot->allot is a short, make sure quantum is not too big. */ ++ if (ctl->quantum) { ++ unsigned int scaled = SFQ_ALLOT_SIZE(ctl->quantum); ++ ++ if (scaled <= 0 || scaled > SHRT_MAX) ++ return -EINVAL; ++ } ++ + if (ctl_v1 && !red_check_params(ctl_v1->qth_min, ctl_v1->qth_max, + ctl_v1->Wlog)) + return -EINVAL; diff --git a/queue-5.6/selftests-net-tcp_mmap-clear-whole-tcp_zerocopy_receive-struct.patch b/queue-5.6/selftests-net-tcp_mmap-clear-whole-tcp_zerocopy_receive-struct.patch new file mode 100644 index 00000000000..c7e923ff250 --- /dev/null +++ b/queue-5.6/selftests-net-tcp_mmap-clear-whole-tcp_zerocopy_receive-struct.patch @@ -0,0 +1,42 @@ +From foo@baz Tue 12 May 2020 10:54:57 AM CEST +From: Eric Dumazet +Date: Tue, 5 May 2020 20:51:06 -0700 +Subject: selftests: net: tcp_mmap: clear whole tcp_zerocopy_receive struct + +From: Eric Dumazet + +[ Upstream commit bf5525f3a8e3248be5aa5defe5aaadd60e1c1ba1 ] + +We added fields in tcp_zerocopy_receive structure, +so make sure to clear all fields to not pass garbage to the kernel. + +We were lucky because recent additions added 'out' parameters, +still we need to clean our reference implementation, before folks +copy/paste it. + +Fixes: c8856c051454 ("tcp-zerocopy: Return inq along with tcp receive zerocopy.") +Fixes: 33946518d493 ("tcp-zerocopy: Return sk_err (if set) along with tcp receive zerocopy.") +Signed-off-by: Eric Dumazet +Cc: Arjun Roy +Cc: Soheil Hassas Yeganeh +Acked-by: Soheil Hassas Yeganeh +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/net/tcp_mmap.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/tools/testing/selftests/net/tcp_mmap.c ++++ b/tools/testing/selftests/net/tcp_mmap.c +@@ -165,9 +165,10 @@ void *child_thread(void *arg) + socklen_t zc_len = sizeof(zc); + int res; + ++ memset(&zc, 0, sizeof(zc)); + zc.address = (__u64)((unsigned long)addr); + zc.length = chunk_size; +- zc.recv_skip_hint = 0; ++ + res = getsockopt(fd, IPPROTO_TCP, TCP_ZEROCOPY_RECEIVE, + &zc, &zc_len); + if (res == -1) diff --git a/queue-5.6/selftests-net-tcp_mmap-fix-so_rcvlowat-setting.patch b/queue-5.6/selftests-net-tcp_mmap-fix-so_rcvlowat-setting.patch new file mode 100644 index 00000000000..a973a5a9403 --- /dev/null +++ b/queue-5.6/selftests-net-tcp_mmap-fix-so_rcvlowat-setting.patch @@ -0,0 +1,43 @@ +From foo@baz Tue 12 May 2020 10:54:57 AM CEST +From: Eric Dumazet +Date: Wed, 6 May 2020 09:21:15 -0700 +Subject: selftests: net: tcp_mmap: fix SO_RCVLOWAT setting + +From: Eric Dumazet + +[ Upstream commit a84724178bd7081cf3bd5b558616dd6a9a4ca63b ] + +Since chunk_size is no longer an integer, we can not +use it directly as an argument of setsockopt(). + +This patch should fix tcp_mmap for Big Endian kernels. + +Fixes: 597b01edafac ("selftests: net: avoid ptl lock contention in tcp_mmap") +Signed-off-by: Eric Dumazet +Cc: Soheil Hassas Yeganeh +Cc: Arjun Roy +Acked-by: Soheil Hassas Yeganeh +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/net/tcp_mmap.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/tools/testing/selftests/net/tcp_mmap.c ++++ b/tools/testing/selftests/net/tcp_mmap.c +@@ -282,12 +282,14 @@ static void setup_sockaddr(int domain, c + static void do_accept(int fdlisten) + { + pthread_attr_t attr; ++ int rcvlowat; + + pthread_attr_init(&attr); + pthread_attr_setdetachstate(&attr, PTHREAD_CREATE_DETACHED); + ++ rcvlowat = chunk_size; + if (setsockopt(fdlisten, SOL_SOCKET, SO_RCVLOWAT, +- &chunk_size, sizeof(chunk_size)) == -1) { ++ &rcvlowat, sizeof(rcvlowat)) == -1) { + perror("setsockopt SO_RCVLOWAT"); + } + diff --git a/queue-5.6/series b/queue-5.6/series index c7c20b6153f..6ba903b7462 100644 --- a/queue-5.6/series +++ b/queue-5.6/series @@ -10,3 +10,47 @@ nvme-refactor-nvme_identify_ns_descs-error-handling.patch nvme-fix-possible-hang-when-ns-scanning-fails-during.patch tracing-kprobes-fix-a-double-initialization-typo.patch net-macb-fix-runtime-pm-refcounting.patch +cxgb4-fix-eotid-leak-when-disabling-tc-mqprio-offload.patch +devlink-fix-reporter-s-recovery-condition.patch +devlink-fix-return-value-after-hitting-end-in-region-read.patch +dp83640-reverse-arguments-to-list_add_tail.patch +fq_codel-fix-tca_fq_codel_drop_batch_size-sanity-checks.patch +ipv6-use-global-sernum-for-dst-validation-with-nexthop-objects.patch +mlxsw-spectrum_acl_tcam-position-vchunk-in-a-vregion-list-properly.patch +neigh-send-protocol-value-in-neighbor-create-notification.patch +net-bridge-vlan-add-a-schedule-point-during-vlan-processing.patch +net-dsa-do-not-leave-dsa-master-with-null-netdev_ops.patch +net-dsa-do-not-make-user-port-errors-fatal.patch +net-macb-fix-an-issue-about-leak-related-system-resources.patch +net-macsec-preserve-ingress-frame-ordering.patch +net-mlx4_core-fix-use-of-enospc-around-mlx4_counter_alloc.patch +net-phy-marvell10g-fix-temperature-sensor-on-2110.patch +net_sched-sch_skbprio-add-message-validation-to-skbprio_change.patch +net-stricter-validation-of-untrusted-gso-packets.patch +net-tc35815-fix-phydev-supported-advertising-mask.patch +net-tls-fix-sk_psock-refcnt-leak-in-bpf_exec_tx_verdict.patch +net-tls-fix-sk_psock-refcnt-leak-when-in-tls_data_ready.patch +net-usb-qmi_wwan-add-support-for-dw5816e.patch +nfp-abm-fix-a-memory-leak-bug.patch +sch_choke-avoid-potential-panic-in-choke_reset.patch +sch_sfq-validate-silly-quantum-values.patch +selftests-net-tcp_mmap-clear-whole-tcp_zerocopy_receive-struct.patch +selftests-net-tcp_mmap-fix-so_rcvlowat-setting.patch +tipc-fix-partial-topology-connection-closure.patch +tunnel-propagate-ect-1-when-decapsulating-as-recommended-by-rfc6040.patch +bnxt_en-fix-vf-anti-spoof-filter-setup.patch +bnxt_en-reduce-bnxt_msix_vec_max-value-to-supported-cqs-per-pf.patch +bnxt_en-improve-aer-slot-reset.patch +bnxt_en-return-error-when-allocating-zero-size-context-memory.patch +bnxt_en-fix-vlan-acceleration-handling-in-bnxt_fix_features.patch +net-mlx5-dr-on-creation-set-cq-s-arm_db-member-to-right-value.patch +net-mlx5-fix-forced-completion-access-non-initialized-command-entry.patch +net-mlx5-fix-command-entry-leak-in-internal-error-state.patch +net-mlx5e-fix-q-counters-on-uplink-representors.patch +net-mvpp2-prevent-buffer-overflow-in-mvpp22_rss_ctx.patch +net-mvpp2-cls-prevent-buffer-overflow-in-mvpp2_ethtool_cls_rule_del.patch +wireguard-queueing-cleanup-ptr_ring-in-error-path-of-packet_queue_init.patch +wireguard-receive-use-tunnel-helpers-for-decapsulating-ecn-markings.patch +net-enetc-fix-an-issue-about-leak-system-resources.patch +wireguard-socket-remove-errant-restriction-on-looping-to-self.patch +wireguard-send-receive-cond_resched-when-processing-worker-ringbuffers.patch diff --git a/queue-5.6/tipc-fix-partial-topology-connection-closure.patch b/queue-5.6/tipc-fix-partial-topology-connection-closure.patch new file mode 100644 index 00000000000..fb44b5e52e1 --- /dev/null +++ b/queue-5.6/tipc-fix-partial-topology-connection-closure.patch @@ -0,0 +1,51 @@ +From foo@baz Tue 12 May 2020 10:54:57 AM CEST +From: Tuong Lien +Date: Mon, 4 May 2020 11:15:54 +0700 +Subject: tipc: fix partial topology connection closure + +From: Tuong Lien + +[ Upstream commit 980d69276f3048af43a045be2925dacfb898a7be ] + +When an application connects to the TIPC topology server and subscribes +to some services, a new connection is created along with some objects - +'tipc_subscription' to store related data correspondingly... +However, there is one omission in the connection handling that when the +connection or application is orderly shutdown (e.g. via SIGQUIT, etc.), +the connection is not closed in kernel, the 'tipc_subscription' objects +are not freed too. +This results in: +- The maximum number of subscriptions (65535) will be reached soon, new +subscriptions will be rejected; +- TIPC module cannot be removed (unless the objects are somehow forced +to release first); + +The commit fixes the issue by closing the connection if the 'recvmsg()' +returns '0' i.e. when the peer is shutdown gracefully. It also includes +the other unexpected cases. + +Acked-by: Jon Maloy +Acked-by: Ying Xue +Signed-off-by: Tuong Lien +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/tipc/topsrv.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/net/tipc/topsrv.c ++++ b/net/tipc/topsrv.c +@@ -402,10 +402,11 @@ static int tipc_conn_rcv_from_sock(struc + read_lock_bh(&sk->sk_callback_lock); + ret = tipc_conn_rcv_sub(srv, con, &s); + read_unlock_bh(&sk->sk_callback_lock); ++ if (!ret) ++ return 0; + } +- if (ret < 0) +- tipc_conn_close(con); + ++ tipc_conn_close(con); + return ret; + } + diff --git a/queue-5.6/tunnel-propagate-ect-1-when-decapsulating-as-recommended-by-rfc6040.patch b/queue-5.6/tunnel-propagate-ect-1-when-decapsulating-as-recommended-by-rfc6040.patch new file mode 100644 index 00000000000..832a3502a36 --- /dev/null +++ b/queue-5.6/tunnel-propagate-ect-1-when-decapsulating-as-recommended-by-rfc6040.patch @@ -0,0 +1,113 @@ +From foo@baz Tue 12 May 2020 10:54:57 AM CEST +From: "Toke Høiland-Jørgensen" +Date: Mon, 27 Apr 2020 16:11:05 +0200 +Subject: tunnel: Propagate ECT(1) when decapsulating as recommended by RFC6040 + +From: "Toke Høiland-Jørgensen" + +[ Upstream commit b723748750ece7d844cdf2f52c01d37f83387208 ] + +RFC 6040 recommends propagating an ECT(1) mark from an outer tunnel header +to the inner header if that inner header is already marked as ECT(0). When +RFC 6040 decapsulation was implemented, this case of propagation was not +added. This simply appears to be an oversight, so let's fix that. + +Fixes: eccc1bb8d4b4 ("tunnel: drop packet if ECN present with not-ECT") +Reported-by: Bob Briscoe +Reported-by: Olivier Tilmans +Cc: Dave Taht +Cc: Stephen Hemminger +Signed-off-by: Toke Høiland-Jørgensen +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/net/inet_ecn.h | 57 +++++++++++++++++++++++++++++++++++++++++++++++-- + 1 file changed, 55 insertions(+), 2 deletions(-) + +--- a/include/net/inet_ecn.h ++++ b/include/net/inet_ecn.h +@@ -99,6 +99,20 @@ static inline int IP_ECN_set_ce(struct i + return 1; + } + ++static inline int IP_ECN_set_ect1(struct iphdr *iph) ++{ ++ u32 check = (__force u32)iph->check; ++ ++ if ((iph->tos & INET_ECN_MASK) != INET_ECN_ECT_0) ++ return 0; ++ ++ check += (__force u16)htons(0x100); ++ ++ iph->check = (__force __sum16)(check + (check>=0xFFFF)); ++ iph->tos ^= INET_ECN_MASK; ++ return 1; ++} ++ + static inline void IP_ECN_clear(struct iphdr *iph) + { + iph->tos &= ~INET_ECN_MASK; +@@ -134,6 +148,22 @@ static inline int IP6_ECN_set_ce(struct + return 1; + } + ++static inline int IP6_ECN_set_ect1(struct sk_buff *skb, struct ipv6hdr *iph) ++{ ++ __be32 from, to; ++ ++ if ((ipv6_get_dsfield(iph) & INET_ECN_MASK) != INET_ECN_ECT_0) ++ return 0; ++ ++ from = *(__be32 *)iph; ++ to = from ^ htonl(INET_ECN_MASK << 20); ++ *(__be32 *)iph = to; ++ if (skb->ip_summed == CHECKSUM_COMPLETE) ++ skb->csum = csum_add(csum_sub(skb->csum, (__force __wsum)from), ++ (__force __wsum)to); ++ return 1; ++} ++ + static inline void ipv6_copy_dscp(unsigned int dscp, struct ipv6hdr *inner) + { + dscp &= ~INET_ECN_MASK; +@@ -159,6 +189,25 @@ static inline int INET_ECN_set_ce(struct + return 0; + } + ++static inline int INET_ECN_set_ect1(struct sk_buff *skb) ++{ ++ switch (skb->protocol) { ++ case cpu_to_be16(ETH_P_IP): ++ if (skb_network_header(skb) + sizeof(struct iphdr) <= ++ skb_tail_pointer(skb)) ++ return IP_ECN_set_ect1(ip_hdr(skb)); ++ break; ++ ++ case cpu_to_be16(ETH_P_IPV6): ++ if (skb_network_header(skb) + sizeof(struct ipv6hdr) <= ++ skb_tail_pointer(skb)) ++ return IP6_ECN_set_ect1(skb, ipv6_hdr(skb)); ++ break; ++ } ++ ++ return 0; ++} ++ + /* + * RFC 6040 4.2 + * To decapsulate the inner header at the tunnel egress, a compliant +@@ -208,8 +257,12 @@ static inline int INET_ECN_decapsulate(s + int rc; + + rc = __INET_ECN_decapsulate(outer, inner, &set_ce); +- if (!rc && set_ce) +- INET_ECN_set_ce(skb); ++ if (!rc) { ++ if (set_ce) ++ INET_ECN_set_ce(skb); ++ else if ((outer & INET_ECN_MASK) == INET_ECN_ECT_1) ++ INET_ECN_set_ect1(skb); ++ } + + return rc; + } diff --git a/queue-5.6/wireguard-queueing-cleanup-ptr_ring-in-error-path-of-packet_queue_init.patch b/queue-5.6/wireguard-queueing-cleanup-ptr_ring-in-error-path-of-packet_queue_init.patch new file mode 100644 index 00000000000..05242aa716e --- /dev/null +++ b/queue-5.6/wireguard-queueing-cleanup-ptr_ring-in-error-path-of-packet_queue_init.patch @@ -0,0 +1,36 @@ +From foo@baz Tue 12 May 2020 10:54:57 AM CEST +From: "Jason A. Donenfeld" +Date: Wed, 29 Apr 2020 14:59:21 -0600 +Subject: wireguard: queueing: cleanup ptr_ring in error path of packet_queue_init + +From: "Jason A. Donenfeld" + +[ Upstream commit 130c58606171326c81841a49cc913cd354113dd9 ] + +Prior, if the alloc_percpu of packet_percpu_multicore_worker_alloc +failed, the previously allocated ptr_ring wouldn't be freed. This commit +adds the missing call to ptr_ring_cleanup in the error case. + +Reported-by: Sultan Alsawaf +Fixes: e7096c131e51 ("net: WireGuard secure network tunnel") +Signed-off-by: Jason A. Donenfeld +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireguard/queueing.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/net/wireguard/queueing.c ++++ b/drivers/net/wireguard/queueing.c +@@ -35,8 +35,10 @@ int wg_packet_queue_init(struct crypt_qu + if (multicore) { + queue->worker = wg_packet_percpu_multicore_worker_alloc( + function, queue); +- if (!queue->worker) ++ if (!queue->worker) { ++ ptr_ring_cleanup(&queue->ring, NULL); + return -ENOMEM; ++ } + } else { + INIT_WORK(&queue->work, function); + } diff --git a/queue-5.6/wireguard-receive-use-tunnel-helpers-for-decapsulating-ecn-markings.patch b/queue-5.6/wireguard-receive-use-tunnel-helpers-for-decapsulating-ecn-markings.patch new file mode 100644 index 00000000000..698ba76c959 --- /dev/null +++ b/queue-5.6/wireguard-receive-use-tunnel-helpers-for-decapsulating-ecn-markings.patch @@ -0,0 +1,48 @@ +From foo@baz Tue 12 May 2020 10:54:57 AM CEST +From: "Toke Høiland-Jørgensen" +Date: Wed, 29 Apr 2020 14:59:22 -0600 +Subject: wireguard: receive: use tunnel helpers for decapsulating ECN markings + +From: "Toke Høiland-Jørgensen" + +[ Upstream commit eebabcb26ea1e3295704477c6cd4e772c96a9559 ] + +WireGuard currently only propagates ECN markings on tunnel decap according +to the old RFC3168 specification. However, the spec has since been updated +in RFC6040 to recommend slightly different decapsulation semantics. This +was implemented in the kernel as a set of common helpers for ECN +decapsulation, so let's just switch over WireGuard to using those, so it +can benefit from this enhancement and any future tweaks. We do not drop +packets with invalid ECN marking combinations, because WireGuard is +frequently used to work around broken ISPs, which could be doing that. + +Fixes: e7096c131e51 ("net: WireGuard secure network tunnel") +Reported-by: Olivier Tilmans +Cc: Dave Taht +Cc: Rodney W. Grimes +Signed-off-by: Toke Høiland-Jørgensen +Signed-off-by: Jason A. Donenfeld +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireguard/receive.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +--- a/drivers/net/wireguard/receive.c ++++ b/drivers/net/wireguard/receive.c +@@ -393,13 +393,11 @@ static void wg_packet_consume_data_done( + len = ntohs(ip_hdr(skb)->tot_len); + if (unlikely(len < sizeof(struct iphdr))) + goto dishonest_packet_size; +- if (INET_ECN_is_ce(PACKET_CB(skb)->ds)) +- IP_ECN_set_ce(ip_hdr(skb)); ++ INET_ECN_decapsulate(skb, PACKET_CB(skb)->ds, ip_hdr(skb)->tos); + } else if (skb->protocol == htons(ETH_P_IPV6)) { + len = ntohs(ipv6_hdr(skb)->payload_len) + + sizeof(struct ipv6hdr); +- if (INET_ECN_is_ce(PACKET_CB(skb)->ds)) +- IP6_ECN_set_ce(skb, ipv6_hdr(skb)); ++ INET_ECN_decapsulate(skb, PACKET_CB(skb)->ds, ipv6_get_dsfield(ipv6_hdr(skb))); + } else { + goto dishonest_packet_type; + } diff --git a/queue-5.6/wireguard-send-receive-cond_resched-when-processing-worker-ringbuffers.patch b/queue-5.6/wireguard-send-receive-cond_resched-when-processing-worker-ringbuffers.patch new file mode 100644 index 00000000000..fd464e506eb --- /dev/null +++ b/queue-5.6/wireguard-send-receive-cond_resched-when-processing-worker-ringbuffers.patch @@ -0,0 +1,59 @@ +From foo@baz Tue 12 May 2020 10:54:57 AM CEST +From: "Jason A. Donenfeld" +Date: Wed, 6 May 2020 15:33:04 -0600 +Subject: wireguard: send/receive: cond_resched() when processing worker ringbuffers + +From: "Jason A. Donenfeld" + +[ Upstream commit 4005f5c3c9d006157ba716594e0d70c88a235c5e ] + +Users with pathological hardware reported CPU stalls on CONFIG_ +PREEMPT_VOLUNTARY=y, because the ringbuffers would stay full, meaning +these workers would never terminate. That turned out not to be okay on +systems without forced preemption, which Sultan observed. This commit +adds a cond_resched() to the bottom of each loop iteration, so that +these workers don't hog the core. Note that we don't need this on the +napi poll worker, since that terminates after its budget is expended. + +Suggested-by: Sultan Alsawaf +Reported-by: Wang Jian +Fixes: e7096c131e51 ("net: WireGuard secure network tunnel") +Signed-off-by: Jason A. Donenfeld +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireguard/receive.c | 2 ++ + drivers/net/wireguard/send.c | 4 ++++ + 2 files changed, 6 insertions(+) + +--- a/drivers/net/wireguard/receive.c ++++ b/drivers/net/wireguard/receive.c +@@ -516,6 +516,8 @@ void wg_packet_decrypt_worker(struct wor + &PACKET_CB(skb)->keypair->receiving)) ? + PACKET_STATE_CRYPTED : PACKET_STATE_DEAD; + wg_queue_enqueue_per_peer_napi(skb, state); ++ if (need_resched()) ++ cond_resched(); + } + } + +--- a/drivers/net/wireguard/send.c ++++ b/drivers/net/wireguard/send.c +@@ -281,6 +281,8 @@ void wg_packet_tx_worker(struct work_str + + wg_noise_keypair_put(keypair, false); + wg_peer_put(peer); ++ if (need_resched()) ++ cond_resched(); + } + } + +@@ -305,6 +307,8 @@ void wg_packet_encrypt_worker(struct wor + wg_queue_enqueue_per_peer(&PACKET_PEER(first)->tx_queue, first, + state); + ++ if (need_resched()) ++ cond_resched(); + } + } + diff --git a/queue-5.6/wireguard-socket-remove-errant-restriction-on-looping-to-self.patch b/queue-5.6/wireguard-socket-remove-errant-restriction-on-looping-to-self.patch new file mode 100644 index 00000000000..e818ee92bce --- /dev/null +++ b/queue-5.6/wireguard-socket-remove-errant-restriction-on-looping-to-self.patch @@ -0,0 +1,163 @@ +From foo@baz Tue 12 May 2020 10:54:57 AM CEST +From: "Jason A. Donenfeld" +Date: Wed, 6 May 2020 15:33:03 -0600 +Subject: wireguard: socket: remove errant restriction on looping to self + +From: "Jason A. Donenfeld" + +[ Upstream commit b673e24aad36981f327a6570412ffa7754de8911 ] + +It's already possible to create two different interfaces and loop +packets between them. This has always been possible with tunnels in the +kernel, and isn't specific to wireguard. Therefore, the networking stack +already needs to deal with that. At the very least, the packet winds up +exceeding the MTU and is discarded at that point. So, since this is +already something that happens, there's no need to forbid the not very +exceptional case of routing a packet back to the same interface; this +loop is no different than others, and we shouldn't special case it, but +rather rely on generic handling of loops in general. This also makes it +easier to do interesting things with wireguard such as onion routing. + +At the same time, we add a selftest for this, ensuring that both onion +routing works and infinite routing loops do not crash the kernel. We +also add a test case for wireguard interfaces nesting packets and +sending traffic between each other, as well as the loop in this case +too. We make sure to send some throughput-heavy traffic for this use +case, to stress out any possible recursion issues with the locks around +workqueues. + +Fixes: e7096c131e51 ("net: WireGuard secure network tunnel") +Signed-off-by: Jason A. Donenfeld +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireguard/socket.c | 12 ------ + tools/testing/selftests/wireguard/netns.sh | 54 +++++++++++++++++++++++++++-- + 2 files changed, 51 insertions(+), 15 deletions(-) + +--- a/drivers/net/wireguard/socket.c ++++ b/drivers/net/wireguard/socket.c +@@ -76,12 +76,6 @@ static int send4(struct wg_device *wg, s + net_dbg_ratelimited("%s: No route to %pISpfsc, error %d\n", + wg->dev->name, &endpoint->addr, ret); + goto err; +- } else if (unlikely(rt->dst.dev == skb->dev)) { +- ip_rt_put(rt); +- ret = -ELOOP; +- net_dbg_ratelimited("%s: Avoiding routing loop to %pISpfsc\n", +- wg->dev->name, &endpoint->addr); +- goto err; + } + if (cache) + dst_cache_set_ip4(cache, &rt->dst, fl.saddr); +@@ -149,12 +143,6 @@ static int send6(struct wg_device *wg, s + net_dbg_ratelimited("%s: No route to %pISpfsc, error %d\n", + wg->dev->name, &endpoint->addr, ret); + goto err; +- } else if (unlikely(dst->dev == skb->dev)) { +- dst_release(dst); +- ret = -ELOOP; +- net_dbg_ratelimited("%s: Avoiding routing loop to %pISpfsc\n", +- wg->dev->name, &endpoint->addr); +- goto err; + } + if (cache) + dst_cache_set_ip6(cache, dst, &fl.saddr); +--- a/tools/testing/selftests/wireguard/netns.sh ++++ b/tools/testing/selftests/wireguard/netns.sh +@@ -48,8 +48,11 @@ cleanup() { + exec 2>/dev/null + printf "$orig_message_cost" > /proc/sys/net/core/message_cost + ip0 link del dev wg0 ++ ip0 link del dev wg1 + ip1 link del dev wg0 ++ ip1 link del dev wg1 + ip2 link del dev wg0 ++ ip2 link del dev wg1 + local to_kill="$(ip netns pids $netns0) $(ip netns pids $netns1) $(ip netns pids $netns2)" + [[ -n $to_kill ]] && kill $to_kill + pp ip netns del $netns1 +@@ -77,18 +80,20 @@ ip0 link set wg0 netns $netns2 + key1="$(pp wg genkey)" + key2="$(pp wg genkey)" + key3="$(pp wg genkey)" ++key4="$(pp wg genkey)" + pub1="$(pp wg pubkey <<<"$key1")" + pub2="$(pp wg pubkey <<<"$key2")" + pub3="$(pp wg pubkey <<<"$key3")" ++pub4="$(pp wg pubkey <<<"$key4")" + psk="$(pp wg genpsk)" + [[ -n $key1 && -n $key2 && -n $psk ]] + + configure_peers() { + ip1 addr add 192.168.241.1/24 dev wg0 +- ip1 addr add fd00::1/24 dev wg0 ++ ip1 addr add fd00::1/112 dev wg0 + + ip2 addr add 192.168.241.2/24 dev wg0 +- ip2 addr add fd00::2/24 dev wg0 ++ ip2 addr add fd00::2/112 dev wg0 + + n1 wg set wg0 \ + private-key <(echo "$key1") \ +@@ -230,9 +235,38 @@ n1 ping -W 1 -c 1 192.168.241.2 + n1 wg set wg0 private-key <(echo "$key3") + n2 wg set wg0 peer "$pub3" preshared-key <(echo "$psk") allowed-ips 192.168.241.1/32 peer "$pub1" remove + n1 ping -W 1 -c 1 192.168.241.2 ++n2 wg set wg0 peer "$pub3" remove + +-ip1 link del wg0 ++# Test that we can route wg through wg ++ip1 addr flush dev wg0 ++ip2 addr flush dev wg0 ++ip1 addr add fd00::5:1/112 dev wg0 ++ip2 addr add fd00::5:2/112 dev wg0 ++n1 wg set wg0 private-key <(echo "$key1") peer "$pub2" preshared-key <(echo "$psk") allowed-ips fd00::5:2/128 endpoint 127.0.0.1:2 ++n2 wg set wg0 private-key <(echo "$key2") listen-port 2 peer "$pub1" preshared-key <(echo "$psk") allowed-ips fd00::5:1/128 endpoint 127.212.121.99:9998 ++ip1 link add wg1 type wireguard ++ip2 link add wg1 type wireguard ++ip1 addr add 192.168.241.1/24 dev wg1 ++ip1 addr add fd00::1/112 dev wg1 ++ip2 addr add 192.168.241.2/24 dev wg1 ++ip2 addr add fd00::2/112 dev wg1 ++ip1 link set mtu 1340 up dev wg1 ++ip2 link set mtu 1340 up dev wg1 ++n1 wg set wg1 listen-port 5 private-key <(echo "$key3") peer "$pub4" allowed-ips 192.168.241.2/32,fd00::2/128 endpoint [fd00::5:2]:5 ++n2 wg set wg1 listen-port 5 private-key <(echo "$key4") peer "$pub3" allowed-ips 192.168.241.1/32,fd00::1/128 endpoint [fd00::5:1]:5 ++tests ++# Try to set up a routing loop between the two namespaces ++ip1 link set netns $netns0 dev wg1 ++ip0 addr add 192.168.241.1/24 dev wg1 ++ip0 link set up dev wg1 ++n0 ping -W 1 -c 1 192.168.241.2 ++n1 wg set wg0 peer "$pub2" endpoint 192.168.241.2:7 + ip2 link del wg0 ++ip2 link del wg1 ++! n0 ping -W 1 -c 10 -f 192.168.241.2 || false # Should not crash kernel ++ ++ip0 link del wg1 ++ip1 link del wg0 + + # Test using NAT. We now change the topology to this: + # ┌────────────────────────────────────────┐ ┌────────────────────────────────────────────────┐ ┌────────────────────────────────────────┐ +@@ -282,6 +316,20 @@ pp sleep 3 + n2 ping -W 1 -c 1 192.168.241.1 + n1 wg set wg0 peer "$pub2" persistent-keepalive 0 + ++# Test that onion routing works, even when it loops ++n1 wg set wg0 peer "$pub3" allowed-ips 192.168.242.2/32 endpoint 192.168.241.2:5 ++ip1 addr add 192.168.242.1/24 dev wg0 ++ip2 link add wg1 type wireguard ++ip2 addr add 192.168.242.2/24 dev wg1 ++n2 wg set wg1 private-key <(echo "$key3") listen-port 5 peer "$pub1" allowed-ips 192.168.242.1/32 ++ip2 link set wg1 up ++n1 ping -W 1 -c 1 192.168.242.2 ++ip2 link del wg1 ++n1 wg set wg0 peer "$pub3" endpoint 192.168.242.2:5 ++! n1 ping -W 1 -c 1 192.168.242.2 || false # Should not crash kernel ++n1 wg set wg0 peer "$pub3" remove ++ip1 addr del 192.168.242.1/24 dev wg0 ++ + # Do a wg-quick(8)-style policy routing for the default route, making sure vethc has a v6 address to tease out bugs. + ip1 -6 addr add fc00::9/96 dev vethc + ip1 -6 route add default via fc00::1