From: Greg Kroah-Hartman Date: Mon, 27 Apr 2020 12:01:25 +0000 (+0200) Subject: 4.19-stable patches X-Git-Tag: v4.19.119~38 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=3310c8834ad07d04953314601f7c0b587d97ad50;p=thirdparty%2Fkernel%2Fstable-queue.git 4.19-stable patches added patches: cxgb4-fix-adapter-crash-due-to-wrong-mc-size.patch cxgb4-fix-large-delays-in-ptp-synchronization.patch ipv6-fix-restrict-ipv6_addrform-operation.patch macsec-avoid-to-set-wrong-mtu.patch macvlan-fix-null-dereference-in-macvlan_device_event.patch mlxsw-fix-some-is_err-vs-null-bugs.patch net-bcmgenet-correct-per-tx-rx-ring-statistics.patch net-dsa-b53-b53_arl_rw_op-needs-to-select-ivl-or-svl.patch net-dsa-b53-fix-arl-register-definitions.patch net-dsa-b53-lookup-vid-in-arl-searches-when-vlan-is-enabled.patch net-dsa-b53-rework-arl-bin-logic.patch net-netrom-fix-potential-nr_neigh-refcnt-leak-in-nr_add_node.patch net-stmmac-dwmac-meson8b-add-missing-boundary-to-rgmii-tx-clock-array.patch net-x25-fix-x25_neigh-refcnt-leak-when-receiving-frame.patch sched-etf-do-not-assume-all-sockets-are-full-blown.patch tcp-cache-line-align-max_tcp_header.patch team-fix-hang-in-team_mode_get.patch vrf-check-skb-for-xfrm_transformed-flag.patch vrf-fix-ipv6-with-qdisc-and-xfrm.patch xfrm-always-set-xfrm_transformed-in-xfrm-4-6-_output_finish.patch
---
diff --git a/queue-4.19/cxgb4-fix-adapter-crash-due-to-wrong-mc-size.patch b/queue-4.19/cxgb4-fix-adapter-crash-due-to-wrong-mc-size.patch
new file mode 100644
index 00000000000..1061b951c36
--- /dev/null
+++ b/queue-4.19/cxgb4-fix-adapter-crash-due-to-wrong-mc-size.patch
@@ -0,0 +1,79 @@
+From foo@baz Mon 27 Apr 2020 01:34:41 PM CEST
+From: Vishal Kulkarni
+Date: Wed, 22 Apr 2020 21:20:07 +0530
+Subject: cxgb4: fix adapter crash due to wrong MC size
+
+From: Vishal Kulkarni
+
+[ Upstream commit ce222748078592afb51b810dc154531aeba4f512 ]
+
+In the absence of MC1, the size calculation function
+cudbg_mem_region_size() was returing wrong MC size and
+resulted in adapter crash. This patch adds new argument
+to cudbg_mem_region_size() which will have actual size
+and returns error to caller in the absence of MC1.
+
+Fixes: a1c69520f785 ("cxgb4: collect MC memory dump")
+Signed-off-by: Vishal Kulkarni "
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/chelsio/cxgb4/cudbg_lib.c | 27 ++++++++++++++++++-------
+ 1 file changed, 20 insertions(+), 7 deletions(-)
+
+--- a/drivers/net/ethernet/chelsio/cxgb4/cudbg_lib.c
++++ b/drivers/net/ethernet/chelsio/cxgb4/cudbg_lib.c
+@@ -1065,9 +1065,9 @@ static void cudbg_t4_fwcache(struct cudb
+ }
+ }
+
+-static unsigned long cudbg_mem_region_size(struct cudbg_init *pdbg_init,
+- struct cudbg_error *cudbg_err,
+- u8 mem_type)
++static int cudbg_mem_region_size(struct cudbg_init *pdbg_init,
++ struct cudbg_error *cudbg_err,
++ u8 mem_type, unsigned long *region_size)
+ {
+ struct adapter *padap = pdbg_init->adap;
+ struct cudbg_meminfo mem_info;
+@@ -1076,15 +1076,23 @@ static unsigned long cudbg_mem_region_si
+
+ memset(&mem_info, 0, sizeof(struct cudbg_meminfo));
+ rc = cudbg_fill_meminfo(padap, &mem_info);
+- if (rc)
++ if (rc) {
++ cudbg_err->sys_err = rc;
+ return rc;
++ }
+
+ cudbg_t4_fwcache(pdbg_init, cudbg_err);
+ rc = cudbg_meminfo_get_mem_index(padap, &mem_info, mem_type, &mc_idx);
+- if (rc)
++ if (rc) {
++ cudbg_err->sys_err = rc;
+ return rc;
++ }
++
++ if (region_size)
++ *region_size = mem_info.avail[mc_idx].limit -
++ mem_info.avail[mc_idx].base;
+
+- return mem_info.avail[mc_idx].limit - mem_info.avail[mc_idx].base;
++ return 0;
+ }
+
+ static int cudbg_collect_mem_region(struct cudbg_init *pdbg_init,
+@@ -1092,7 +1100,12 @@ static int cudbg_collect_mem_region(stru
+ struct cudbg_error *cudbg_err,
+ u8 mem_type)
+ {
+- unsigned long size = cudbg_mem_region_size(pdbg_init, cudbg_err, mem_type);
++ unsigned long size = 0;
++ int rc;
++
++ rc = cudbg_mem_region_size(pdbg_init, cudbg_err, mem_type, &size);
++ if (rc)
++ return rc;
+
+ return cudbg_read_fw_mem(pdbg_init, dbg_buff, mem_type, size,
+ cudbg_err);
diff --git a/queue-4.19/cxgb4-fix-large-delays-in-ptp-synchronization.patch b/queue-4.19/cxgb4-fix-large-delays-in-ptp-synchronization.patch
new file mode 100644
index 00000000000..4d9beacf639
--- /dev/null
+++ b/queue-4.19/cxgb4-fix-large-delays-in-ptp-synchronization.patch
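Review bot: The size stored through `*region_size` in cudbg_mem_region_size() is `limit - base` with no check that `limit` is not below `base`, and cudbg_collect_mem_region() passes it straight to cudbg_read_fw_mem(). Whether cudbg_fill_meminfo() guarantees that ordering is not visible here; if it does not and the fields are unsigned, the subtraction wraps and the dump is asked to read a very large region. A guard before the assignment, for example `if (mem_info.avail[mc_idx].limit < mem_info.avail[mc_idx].base) return -EINVAL;`, turns that into an error the caller already handles. The `if (region_size)` test also lets a NULL out-pointer return 0 without reporting any size, which a short comment above the function should state.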
@@ -0,0 +1,76 @@
+From foo@baz Mon 27 Apr 2020 01:34:41 PM CEST
+From: Rahul Lakkireddy
+Date: Mon, 20 Apr 2020 15:26:54 +0530
+Subject: cxgb4: fix large delays in PTP synchronization
+
+From: Rahul Lakkireddy
+
+[ Upstream commit bd019427bf3623ee3c7d2845cf921bbf4c14846c ]
+
+Fetching PTP sync information from mailbox is slow and can take
+up to 10 milliseconds. Reduce this unnecessary delay by directly
+reading the information from the corresponding registers.
+
+Fixes: 9c33e4208bce ("cxgb4: Add PTP Hardware Clock (PHC) support")
+Signed-off-by: Manoj Malviya
+Signed-off-by: Rahul Lakkireddy
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/chelsio/cxgb4/cxgb4_ptp.c | 27 +++++--------------------
+ drivers/net/ethernet/chelsio/cxgb4/t4_regs.h | 3 ++
+ 2 files changed, 9 insertions(+), 21 deletions(-)
+
+--- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_ptp.c
++++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_ptp.c
+@@ -311,32 +311,17 @@ static int cxgb4_ptp_adjtime(struct ptp_
+ */
+ static int cxgb4_ptp_gettime(struct ptp_clock_info *ptp, struct timespec64 *ts)
+ {
+- struct adapter *adapter = (struct adapter *)container_of(ptp,
+- struct adapter, ptp_clock_info);
+- struct fw_ptp_cmd c;
++ struct adapter *adapter = container_of(ptp, struct adapter,
++ ptp_clock_info);
+ u64 ns;
+- int err;
+
+- memset(&c, 0, sizeof(c));
+- c.op_to_portid = cpu_to_be32(FW_CMD_OP_V(FW_PTP_CMD) |
+- FW_CMD_REQUEST_F |
+- FW_CMD_READ_F |
+- FW_PTP_CMD_PORTID_V(0));
+- c.retval_len16 = cpu_to_be32(FW_CMD_LEN16_V(sizeof(c) / 16));
+- c.u.ts.sc = FW_PTP_SC_GET_TIME;
+-
+- err = t4_wr_mbox(adapter, adapter->mbox, &c, sizeof(c), &c);
+- if (err < 0) {
+- dev_err(adapter->pdev_dev,
+- "PTP: %s error %d\n", __func__, -err);
+- return err;
+- }
++ ns = t4_read_reg(adapter, T5_PORT_REG(0, MAC_PORT_PTP_SUM_LO_A));
++ ns |= (u64)t4_read_reg(adapter,
++ T5_PORT_REG(0, MAC_PORT_PTP_SUM_HI_A)) << 32;
+
+ /* convert to timespec*/
+- ns = be64_to_cpu(c.u.ts.tm);
+ *ts = ns_to_timespec64(ns);
+-
+- return err;
++ return 0;
+ }
+
+ /**
+--- a/drivers/net/ethernet/chelsio/cxgb4/t4_regs.h
++++ b/drivers/net/ethernet/chelsio/cxgb4/t4_regs.h
+@@ -1896,6 +1896,9 @@
+
+ #define MAC_PORT_CFG2_A 0x818
+
++#define MAC_PORT_PTP_SUM_LO_A 0x990
++#define MAC_PORT_PTP_SUM_HI_A 0x994
++
+ #define MPS_CMN_CTL_A 0x9000
+
+ #define COUNTPAUSEMCRX_S 5
diff --git a/queue-4.19/ipv6-fix-restrict-ipv6_addrform-operation.patch b/queue-4.19/ipv6-fix-restrict-ipv6_addrform-operation.patch
new file mode 100644
index 00000000000..a636b764c42
--- /dev/null
+++ b/queue-4.19/ipv6-fix-restrict-ipv6_addrform-operation.patch
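Review bot: In cxgb4_ptp_gettime() the 64-bit nanosecond value is now assembled from two separate 32-bit reads, `MAC_PORT_PTP_SUM_LO_A` first and `MAC_PORT_PTP_SUM_HI_A` second, and nothing in the hunk keeps the pair consistent. If the low word wraps between the two reads the result is off by 2^32 ns (about 4.3 s), which a PTP consumer sees as a time jump. If the hardware latches the high word when the low word is read, that should be stated in a comment above the reads, e.g. `/* HI is latched by the LO read; keep this order */`. If it does not, the usual remedy is to read HI, then LO, then HI again and retry when the two HI values differ.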
@@ -0,0 +1,49 @@
+From foo@baz Mon 27 Apr 2020 01:34:41 PM CEST
+From: John Haxby
+Date: Sat, 18 Apr 2020 16:30:49 +0100
+Subject: ipv6: fix restrict IPV6_ADDRFORM operation
+
+From: John Haxby
+
+[ Upstream commit 82c9ae440857840c56e05d4fb1427ee032531346 ]
+
+Commit b6f6118901d1 ("ipv6: restrict IPV6_ADDRFORM operation") fixed a
+problem found by syzbot an unfortunate logic error meant that it
+also broke IPV6_ADDRFORM.
+
+Rearrange the checks so that the earlier test is just one of the series
+of checks made before moving the socket from IPv6 to IPv4.
+
+Fixes: b6f6118901d1 ("ipv6: restrict IPV6_ADDRFORM operation")
+Signed-off-by: John Haxby
+Cc: stable@vger.kernel.org
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv6/ipv6_sockglue.c | 13 ++++++-------
+ 1 file changed, 6 insertions(+), 7 deletions(-)
+
+--- a/net/ipv6/ipv6_sockglue.c
++++ b/net/ipv6/ipv6_sockglue.c
+@@ -185,15 +185,14 @@ static int do_ipv6_setsockopt(struct soc
+ retv = -EBUSY;
+ break;
+ }
+- } else if (sk->sk_protocol == IPPROTO_TCP) {
+- if (sk->sk_prot != &tcpv6_prot) {
+- retv = -EBUSY;
+- break;
+- }
+- break;
+- } else {
++ }
++ if (sk->sk_protocol == IPPROTO_TCP &&
++ sk->sk_prot != &tcpv6_prot) {
++ retv = -EBUSY;
+ break;
+ }
++ if (sk->sk_protocol != IPPROTO_TCP)
++ break;
+ if (sk->sk_state != TCP_ESTABLISHED) {
+ retv = -ENOTCONN;
+ break;
diff --git a/queue-4.19/macsec-avoid-to-set-wrong-mtu.patch b/queue-4.19/macsec-avoid-to-set-wrong-mtu.patch
new file mode 100644
index 00000000000..2491603c5e0
--- /dev/null
+++ b/queue-4.19/macsec-avoid-to-set-wrong-mtu.patch
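Review bot: After this rearrangement every socket whose protocol is not TCP reaches the new `if (sk->sk_protocol != IPPROTO_TCP) break;`, including the sockets handled by the `if` block that closes just above the added `}`. That block's condition lies outside the hunk, but the removed `else if`/`else` chain shows it is a non-TCP branch with its own -EBUSY check, so those sockets can no longer get past this point to the conversion that follows. Keeping the TCP test as an `else if` arm, with the final `else` rejecting everything else, repairs the TCP case the commit targets without cutting off the earlier branch. The enclosing case in do_ipv6_setsockopt() starts and ends outside the hunk.

```c
			/* … unchanged: preceding branch with its -EBUSY check … */
		} else if (sk->sk_protocol == IPPROTO_TCP) {
			if (sk->sk_prot != &tcpv6_prot) {
				retv = -EBUSY;
				break;
			}
		} else {
			break;
		}
		/* … unchanged: sk_state != TCP_ESTABLISHED check … */
```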
@@ -0,0 +1,64 @@
+From foo@baz Mon 27 Apr 2020 01:34:41 PM CEST
+From: Taehee Yoo
+Date: Thu, 23 Apr 2020 13:40:47 +0000
+Subject: macsec: avoid to set wrong mtu
+
+From: Taehee Yoo
+
+[ Upstream commit 7f327080364abccf923fa5a5b24e038eb0ba1407 ]
+
+When a macsec interface is created, the mtu is calculated with the lower
+interface's mtu value.
+If the mtu of lower interface is lower than the length, which is needed
+by macsec interface, macsec's mtu value will be overflowed.
+So, if the lower interface's mtu is too low, macsec interface's mtu
+should be set to 0.
+
+Test commands:
+ ip link add dummy0 mtu 10 type dummy
+ ip link add macsec0 link dummy0 type macsec
+ ip link show macsec0
+
+Before:
+ 11: macsec0@dummy0: mtu 4294967274
+After:
+ 11: macsec0@dummy0: mtu 0
+
+Fixes: c09440f7dcb3 ("macsec: introduce IEEE 802.1AE driver")
+Signed-off-by: Taehee Yoo
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/macsec.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/macsec.c
++++ b/drivers/net/macsec.c
+@@ -3238,11 +3238,11 @@ static int macsec_newlink(struct net *ne
+ struct netlink_ext_ack *extack)
+ {
+ struct macsec_dev *macsec = macsec_priv(dev);
++ rx_handler_func_t *rx_handler;
++ u8 icv_len = DEFAULT_ICV_LEN;
+ struct net_device *real_dev;
+- int err;
++ int err, mtu;
+ sci_t sci;
+- u8 icv_len = DEFAULT_ICV_LEN;
+- rx_handler_func_t *rx_handler;
+
+ if (!tb[IFLA_LINK])
+ return -EINVAL;
+@@ -3258,7 +3258,11 @@ static int macsec_newlink(struct net *ne
+
+ if (data && data[IFLA_MACSEC_ICV_LEN])
+ icv_len = nla_get_u8(data[IFLA_MACSEC_ICV_LEN]);
+- dev->mtu = real_dev->mtu - icv_len - macsec_extra_len(true);
++ mtu = real_dev->mtu - icv_len - macsec_extra_len(true);
++ if (mtu < 0)
++ dev->mtu = 0;
++ else
++ dev->mtu = mtu;
+
+ rx_handler = rtnl_dereference(real_dev->rx_handler);
+ if (rx_handler && rx_handler != macsec_handle_frame)
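Review bot: The `mtu < 0` test in macsec_newlink() only works because the unsigned subtraction wraps and the result is then converted to `int`; the `Before:` output in the description (4294967274) shows the MTU is held as an unsigned 32-bit value. Comparing before subtracting states the intent directly and does not depend on that conversion: `unsigned int overhead = icv_len + macsec_extra_len(true);` followed by `dev->mtu = real_dev->mtu > overhead ? real_dev->mtu - overhead : 0;`. A one-line comment that 0 is the deliberate result for a too-small lower device would help, and the driver's MTU-change path (not in this hunk) is worth checking for the same subtraction. The function body continues outside the hunk.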
diff --git a/queue-4.19/macvlan-fix-null-dereference-in-macvlan_device_event.patch b/queue-4.19/macvlan-fix-null-dereference-in-macvlan_device_event.patch
new file mode 100644
index 00000000000..954f53eeeb2
--- /dev/null
+++ b/queue-4.19/macvlan-fix-null-dereference-in-macvlan_device_event.patch
@@ -0,0 +1,134 @@ +From foo@baz Mon 27 Apr 2020 01:34:41 PM CEST +From: Taehee Yoo +Date: Mon, 20 Apr 2020 13:29:40 +0000 +Subject: macvlan: fix null dereference in macvlan_device_event() + +From: Taehee Yoo + +[ Upstream commit 4dee15b4fd0d61ec6bbd179238191e959d34cf7a ] + +In the macvlan_device_event(), the list_first_entry_or_null() is used. +This function could return null pointer if there is no node. +But, the macvlan module doesn't check the null pointer. +So, null-ptr-deref would occur. + + bond0 + | + +----+-----+ + | | +macvlan0 macvlan1 + | | + dummy0 dummy1 + +The problem scenario. +If dummy1 is removed, +1. ->dellink() of dummy1 is called. +2. NETDEV_UNREGISTER of dummy1 notification is sent to macvlan module. +3. ->dellink() of macvlan1 is called. +4. NETDEV_UNREGISTER of macvlan1 notification is sent to bond module. +5. __bond_release_one() is called and it internally calls + dev_set_mac_address(). +6. dev_set_mac_address() calls the ->ndo_set_mac_address() of macvlan1, + which is macvlan_set_mac_address(). +7. macvlan_set_mac_address() calls the dev_set_mac_address() with dummy1. +8. NETDEV_CHANGEADDR of dummy1 is sent to macvlan module. +9. In the macvlan_device_event(), it calls list_first_entry_or_null(). +At this point, dummy1 and macvlan1 were removed. +So, list_first_entry_or_null() will return NULL. 
+ +Test commands: + ip netns add nst + ip netns exec nst ip link add bond0 type bond + for i in {0..10} + do + ip netns exec nst ip link add dummy$i type dummy + ip netns exec nst ip link add macvlan$i link dummy$i \ + type macvlan mode passthru + ip netns exec nst ip link set macvlan$i master bond0 + done + ip netns del nst + +Splat looks like: +[ 40.585687][ T146] general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP DEI +[ 40.587249][ T146] KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] +[ 40.588342][ T146] CPU: 1 PID: 146 Comm: kworker/u8:2 Not tainted 5.7.0-rc1+ #532 +[ 40.589299][ T146] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006 +[ 40.590469][ T146] Workqueue: netns cleanup_net +[ 40.591045][ T146] RIP: 0010:macvlan_device_event+0x4e2/0x900 [macvlan] +[ 40.591905][ T146] Code: 00 00 00 00 00 fc ff df 80 3c 06 00 0f 85 45 02 00 00 48 89 da 48 b8 00 00 00 00 00 fc ff d2 +[ 40.594126][ T146] RSP: 0018:ffff88806116f4a0 EFLAGS: 00010246 +[ 40.594783][ T146] RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000 +[ 40.595653][ T146] RDX: 0000000000000000 RSI: ffff88806547ddd8 RDI: ffff8880540f1360 +[ 40.596495][ T146] RBP: ffff88804011a808 R08: fffffbfff4fb8421 R09: fffffbfff4fb8421 +[ 40.597377][ T146] R10: ffffffffa7dc2107 R11: 0000000000000000 R12: 0000000000000008 +[ 40.598186][ T146] R13: ffff88804011a000 R14: ffff8880540f1000 R15: 1ffff1100c22de9a +[ 40.599012][ T146] FS: 0000000000000000(0000) GS:ffff888067800000(0000) knlGS:0000000000000000 +[ 40.600004][ T146] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 40.600665][ T146] CR2: 00005572d3a807b8 CR3: 000000005fcf4003 CR4: 00000000000606e0 +[ 40.601485][ T146] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[ 40.602461][ T146] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +[ 40.603443][ T146] Call Trace: +[ 40.603871][ T146] ? 
nf_tables_dump_setelem+0xa0/0xa0 [nf_tables] +[ 40.604587][ T146] ? macvlan_uninit+0x100/0x100 [macvlan] +[ 40.605212][ T146] ? __module_text_address+0x13/0x140 +[ 40.605842][ T146] notifier_call_chain+0x90/0x160 +[ 40.606477][ T146] dev_set_mac_address+0x28e/0x3f0 +[ 40.607117][ T146] ? netdev_notify_peers+0xc0/0xc0 +[ 40.607762][ T146] ? __module_text_address+0x13/0x140 +[ 40.608440][ T146] ? notifier_call_chain+0x90/0x160 +[ 40.609097][ T146] ? dev_set_mac_address+0x1f0/0x3f0 +[ 40.609758][ T146] dev_set_mac_address+0x1f0/0x3f0 +[ 40.610402][ T146] ? __local_bh_enable_ip+0xe9/0x1b0 +[ 40.611071][ T146] ? bond_hw_addr_flush+0x77/0x100 [bonding] +[ 40.611823][ T146] ? netdev_notify_peers+0xc0/0xc0 +[ 40.612461][ T146] ? bond_hw_addr_flush+0x77/0x100 [bonding] +[ 40.613213][ T146] ? bond_hw_addr_flush+0x77/0x100 [bonding] +[ 40.613963][ T146] ? __local_bh_enable_ip+0xe9/0x1b0 +[ 40.614631][ T146] ? bond_time_in_interval.isra.31+0x90/0x90 [bonding] +[ 40.615484][ T146] ? __bond_release_one+0x9f0/0x12c0 [bonding] +[ 40.616230][ T146] __bond_release_one+0x9f0/0x12c0 [bonding] +[ 40.616949][ T146] ? bond_enslave+0x47c0/0x47c0 [bonding] +[ 40.617642][ T146] ? lock_downgrade+0x730/0x730 +[ 40.618218][ T146] ? check_flags.part.42+0x450/0x450 +[ 40.618850][ T146] ? __mutex_unlock_slowpath+0xd0/0x670 +[ 40.619519][ T146] ? trace_hardirqs_on+0x30/0x180 +[ 40.620117][ T146] ? wait_for_completion+0x250/0x250 +[ 40.620754][ T146] bond_netdev_event+0x822/0x970 [bonding] +[ 40.621460][ T146] ? __module_text_address+0x13/0x140 +[ 40.622097][ T146] notifier_call_chain+0x90/0x160 +[ 40.622806][ T146] rollback_registered_many+0x660/0xcf0 +[ 40.623522][ T146] ? netif_set_real_num_tx_queues+0x780/0x780 +[ 40.624290][ T146] ? notifier_call_chain+0x90/0x160 +[ 40.624957][ T146] ? netdev_upper_dev_unlink+0x114/0x180 +[ 40.625686][ T146] ? __netdev_adjacent_dev_unlink_neighbour+0x30/0x30 +[ 40.626421][ T146] ? mutex_is_locked+0x13/0x50 +[ 40.627016][ T146] ? 
unregister_netdevice_queue+0xf2/0x240 +[ 40.627663][ T146] unregister_netdevice_many.part.134+0x13/0x1b0 +[ 40.628362][ T146] default_device_exit_batch+0x2d9/0x390 +[ 40.628987][ T146] ? unregister_netdevice_many+0x40/0x40 +[ 40.629615][ T146] ? dev_change_net_namespace+0xcb0/0xcb0 +[ 40.630279][ T146] ? prepare_to_wait_exclusive+0x2e0/0x2e0 +[ 40.630943][ T146] ? ops_exit_list.isra.9+0x97/0x140 +[ 40.631554][ T146] cleanup_net+0x441/0x890 +[ ... ] + +Fixes: e289fd28176b ("macvlan: fix the problem when mac address changes for passthru mode") +Reported-by: syzbot+5035b1f9dc7ea4558d5a@syzkaller.appspotmail.com +Signed-off-by: Taehee Yoo +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/macvlan.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/macvlan.c ++++ b/drivers/net/macvlan.c +@@ -1676,7 +1676,7 @@ static int macvlan_device_event(struct n + struct macvlan_dev, + list); + +- if (macvlan_sync_address(vlan->dev, dev->dev_addr)) ++ if (vlan && macvlan_sync_address(vlan->dev, dev->dev_addr)) + return NOTIFY_BAD; + + break; diff --git a/queue-4.19/mlxsw-fix-some-is_err-vs-null-bugs.patch b/queue-4.19/mlxsw-fix-some-is_err-vs-null-bugs.patch new file mode 100644 index 00000000000..8e7048eacc6 --- /dev/null +++ b/queue-4.19/mlxsw-fix-some-is_err-vs-null-bugs.patch 
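Review bot: The added `vlan &&` test in macvlan_device_event() carries no comment saying when the list can be empty, and the reason is not obvious from the code alone. The description explains it: the address-change event can arrive while the lower device and its macvlan are already being torn down, so list_first_entry_or_null() returns NULL. A short comment above the check, such as `/* the list may already be empty during unregister, so vlan can be NULL */`, would keep a later cleanup from dropping the test. The enclosing switch case starts outside the hunk.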
@@ -0,0 +1,88 @@
+From foo@baz Mon 27 Apr 2020 01:34:41 PM CEST
+From: Dan Carpenter
+Date: Wed, 22 Apr 2020 12:36:41 +0300
+Subject: mlxsw: Fix some IS_ERR() vs NULL bugs
+
+From: Dan Carpenter
+
+[ Upstream commit c391eb8366ae052d571bb2841f1ccb4d39f3ceb8 ]
+
+The mlxsw_sp_acl_rulei_create() function is supposed to return an error
+pointer from mlxsw_afa_block_create(). The problem is that these
+functions both return NULL instead of error pointers. Half the callers
+expect NULL and half expect error pointers so it could lead to a NULL
+dereference on failure.
+
+This patch changes both of them to return error pointers and changes all
+the callers which checked for NULL to check for IS_ERR() instead.
+
+Fixes: 4cda7d8d7098 ("mlxsw: core: Introduce flexible actions support")
+Signed-off-by: Dan Carpenter
+Reviewed-by: Ido Schimmel
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/mellanox/mlxsw/core_acl_flex_actions.c | 4 ++--
+ drivers/net/ethernet/mellanox/mlxsw/spectrum2_acl_tcam.c | 4 ++--
+ drivers/net/ethernet/mellanox/mlxsw/spectrum_acl.c | 3 ++-
+ drivers/net/ethernet/mellanox/mlxsw/spectrum_mr_tcam.c | 4 ++--
+ 4 files changed, 8 insertions(+), 7 deletions(-)
+
+--- a/drivers/net/ethernet/mellanox/mlxsw/core_acl_flex_actions.c
++++ b/drivers/net/ethernet/mellanox/mlxsw/core_acl_flex_actions.c
+@@ -316,7 +316,7 @@ struct mlxsw_afa_block *mlxsw_afa_block_
+
+ block = kzalloc(sizeof(*block), GFP_KERNEL);
+ if (!block)
+- return NULL;
++ return ERR_PTR(-ENOMEM);
+ INIT_LIST_HEAD(&block->resource_list);
+ block->afa = mlxsw_afa;
+
+@@ -344,7 +344,7 @@ err_second_set_create:
+ mlxsw_afa_set_destroy(block->first_set);
+ err_first_set_create:
+ kfree(block);
+- return NULL;
++ return ERR_PTR(-ENOMEM);
+ }
+ EXPORT_SYMBOL(mlxsw_afa_block_create);
+
+--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum2_acl_tcam.c
++++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum2_acl_tcam.c
+@@ -88,8 +88,8 @@ static int mlxsw_sp2_acl_tcam_init(struc
+ * to be written using PEFA register to all indexes for all regions.
+ */
+ afa_block = mlxsw_afa_block_create(mlxsw_sp->afa);
+- if (!afa_block) {
+- err = -ENOMEM;
++ if (IS_ERR(afa_block)) {
++ err = PTR_ERR(afa_block);
+ goto err_afa_block;
+ }
+ err = mlxsw_afa_block_continue(afa_block);
+--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_acl.c
++++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_acl.c
+@@ -442,7 +442,8 @@ mlxsw_sp_acl_rulei_create(struct mlxsw_s
+
+ rulei = kzalloc(sizeof(*rulei), GFP_KERNEL);
+ if (!rulei)
+- return NULL;
++ return ERR_PTR(-ENOMEM);
++
+ rulei->act_block = mlxsw_afa_block_create(acl->mlxsw_sp->afa);
+ if (IS_ERR(rulei->act_block)) {
+ err = PTR_ERR(rulei->act_block);
+--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_mr_tcam.c
++++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_mr_tcam.c
+@@ -199,8 +199,8 @@ mlxsw_sp_mr_tcam_afa_block_create(struct
+ int err;
+
+ afa_block = mlxsw_afa_block_create(mlxsw_sp->afa);
+- if (!afa_block)
+- return ERR_PTR(-ENOMEM);
++ if (IS_ERR(afa_block))
++ return afa_block;
+
+ err = mlxsw_afa_block_append_allocated_counter(afa_block,
+ counter_index);
diff --git a/queue-4.19/net-bcmgenet-correct-per-tx-rx-ring-statistics.patch b/queue-4.19/net-bcmgenet-correct-per-tx-rx-ring-statistics.patch
new file mode 100644
index 00000000000..a808fdc097e
--- /dev/null
+++ b/queue-4.19/net-bcmgenet-correct-per-tx-rx-ring-statistics.patch
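Review bot: mlxsw_afa_block_create() is exported and its failure value changes from NULL to ERR_PTR() here, but nothing at the definition records the new contract. Any caller that still tests `if (!block)` would treat an error pointer as a valid block and dereference it; the commit converts the callers in these four files, and callers elsewhere cannot be checked from this page. A comment on the function, for example `/* Returns the new block or an ERR_PTR(); never NULL. */`, and the same on mlxsw_sp_acl_rulei_create(), makes the contract visible where the next caller will look. Both functions' bodies extend outside the hunks shown.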
@@ -0,0 +1,43 @@
+From foo@baz Mon 27 Apr 2020 01:34:41 PM CEST
+From: Doug Berger
+Date: Thu, 23 Apr 2020 15:44:17 -0700
+Subject: net: bcmgenet: correct per TX/RX ring statistics
+
+From: Doug Berger
+
+[ Upstream commit a6d0b83f25073bdf08b8547aeff961a62c6ab229 ]
+
+The change to track net_device_stats per ring to better support SMP
+missed updating the rx_dropped member.
+
+The ndo_get_stats method is also needed to combine the results for
+ethtool statistics (-S) before filling in the ethtool structure.
+
+Fixes: 37a30b435b92 ("net: bcmgenet: Track per TX/RX rings statistics")
+Signed-off-by: Doug Berger
+Acked-by: Florian Fainelli
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/broadcom/genet/bcmgenet.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c
++++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
+@@ -998,6 +998,8 @@ static void bcmgenet_get_ethtool_stats(s
+ if (netif_running(dev))
+ bcmgenet_update_mib_counters(priv);
+
++ dev->netdev_ops->ndo_get_stats(dev);
++
+ for (i = 0; i < BCMGENET_STATS_LEN; i++) {
+ const struct bcmgenet_stats *s;
+ char *p;
+@@ -3211,6 +3213,7 @@ static struct net_device_stats *bcmgenet
+ dev->stats.rx_packets = rx_packets;
+ dev->stats.rx_errors = rx_errors;
+ dev->stats.rx_missed_errors = rx_errors;
++ dev->stats.rx_dropped = rx_dropped;
+ return &dev->stats;
+ }
+
diff --git a/queue-4.19/net-dsa-b53-b53_arl_rw_op-needs-to-select-ivl-or-svl.patch b/queue-4.19/net-dsa-b53-b53_arl_rw_op-needs-to-select-ivl-or-svl.patch
new file mode 100644
index 00000000000..6c33dd2bc86
--- /dev/null
+++ b/queue-4.19/net-dsa-b53-b53_arl_rw_op-needs-to-select-ivl-or-svl.patch
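Review bot: The added `dev->netdev_ops->ndo_get_stats(dev);` in bcmgenet_get_ethtool_stats() is called only for its side effect and its return value is dropped, which reads like a leftover without an explanation. The second hunk shows the driver's get-stats routine writing the summed ring counters into `dev->stats`, so a comment such as `/* fold the per-ring counters into dev->stats before copying them out */` would make the intent clear. In that same routine the context line `dev->stats.rx_missed_errors = rx_errors;` stores the same value as `rx_errors`; if a separate missed-errors count is tracked (not visible here), that line deserves a look while the statistics are being corrected.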
@@ -0,0 +1,45 @@
+From foo@baz Mon 27 Apr 2020 01:34:41 PM CEST
+From: Florian Fainelli
+Date: Mon, 20 Apr 2020 20:26:55 -0700
+Subject: net: dsa: b53: b53_arl_rw_op() needs to select IVL or SVL
+
+From: Florian Fainelli
+
+[ Upstream commit 64fec9493f7dc9bdd7233bcfe98985c45bd0e3c1 ]
+
+Flip the IVL_SVL_SELECT bit correctly based on the VLAN enable status,
+the default is to perform Shared VLAN learning instead of Individual
+learning.
+
+Fixes: 1da6df85c6fb ("net: dsa: b53: Implement ARL add/del/dump operations")
+Signed-off-by: Florian Fainelli
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/dsa/b53/b53_common.c | 4 ++++
+ drivers/net/dsa/b53/b53_regs.h | 1 +
+ 2 files changed, 5 insertions(+)
+
+--- a/drivers/net/dsa/b53/b53_common.c
++++ b/drivers/net/dsa/b53/b53_common.c
+@@ -1253,6 +1253,10 @@ static int b53_arl_rw_op(struct b53_devi
+ reg |= ARLTBL_RW;
+ else
+ reg &= ~ARLTBL_RW;
++ if (dev->vlan_enabled)
++ reg &= ~ARLTBL_IVL_SVL_SELECT;
++ else
++ reg |= ARLTBL_IVL_SVL_SELECT;
+ b53_write8(dev, B53_ARLIO_PAGE, B53_ARLTBL_RW_CTRL, reg);
+
+ return b53_arl_op_wait(dev);
+--- a/drivers/net/dsa/b53/b53_regs.h
++++ b/drivers/net/dsa/b53/b53_regs.h
+@@ -292,6 +292,7 @@
+ /* ARL Table Read/Write Register (8 bit) */
+ #define B53_ARLTBL_RW_CTRL 0x00
+ #define ARLTBL_RW BIT(0)
++#define ARLTBL_IVL_SVL_SELECT BIT(6)
+ #define ARLTBL_START_DONE BIT(7)
+
+ /* MAC Address Index Register (48 bit) */
diff --git a/queue-4.19/net-dsa-b53-fix-arl-register-definitions.patch b/queue-4.19/net-dsa-b53-fix-arl-register-definitions.patch
new file mode 100644
index 00000000000..25e629dd593
--- /dev/null
+++ b/queue-4.19/net-dsa-b53-fix-arl-register-definitions.patch
@@ -0,0 +1,42 @@
+From foo@baz Mon 27 Apr 2020 01:34:41 PM CEST
+From: Florian Fainelli
+Date: Mon, 20 Apr 2020 20:26:53 -0700
+Subject: net: dsa: b53: Fix ARL register definitions
+
+From: Florian Fainelli
+
+[ Upstream commit c2e77a18a7ed65eb48f6e389b6a59a0fd753646a ]
+
+The ARL {MAC,VID} tuple and the forward entry were off by 0x10 bytes,
+which means that when we read/wrote from/to ARL bin index 0, we were
+actually accessing the ARLA_RWCTRL register.
+
+Fixes: 1da6df85c6fb ("net: dsa: b53: Implement ARL add/del/dump operations")
+Reviewed-by: Andrew Lunn
+Signed-off-by: Florian Fainelli
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/dsa/b53/b53_regs.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/dsa/b53/b53_regs.h
++++ b/drivers/net/dsa/b53/b53_regs.h
+@@ -304,7 +304,7 @@
+ *
+ * BCM5325 and BCM5365 share most definitions below
+ */
+-#define B53_ARLTBL_MAC_VID_ENTRY(n) (0x10 * (n))
++#define B53_ARLTBL_MAC_VID_ENTRY(n) ((0x10 * (n)) + 0x10)
+ #define ARLTBL_MAC_MASK 0xffffffffffffULL
+ #define ARLTBL_VID_S 48
+ #define ARLTBL_VID_MASK_25 0xff
+@@ -316,7 +316,7 @@
+ #define ARLTBL_VALID_25 BIT(63)
+
+ /* ARL Table Data Entry N Registers (32 bit) */
+-#define B53_ARLTBL_DATA_ENTRY(n) ((0x10 * (n)) + 0x08)
++#define B53_ARLTBL_DATA_ENTRY(n) ((0x10 * (n)) + 0x18)
+ #define ARLTBL_DATA_PORT_ID_MASK 0x1ff
+ #define ARLTBL_TC(tc) ((3 & tc) << 11)
+ #define ARLTBL_AGE BIT(14)
diff --git a/queue-4.19/net-dsa-b53-lookup-vid-in-arl-searches-when-vlan-is-enabled.patch b/queue-4.19/net-dsa-b53-lookup-vid-in-arl-searches-when-vlan-is-enabled.patch
new file mode 100644
index 00000000000..acd73db206c
--- /dev/null
+++ b/queue-4.19/net-dsa-b53-lookup-vid-in-arl-searches-when-vlan-is-enabled.patch
@@ -0,0 +1,34 @@
+From foo@baz Mon 27 Apr 2020 01:34:41 PM CEST
+From: Florian Fainelli
+Date: Mon, 20 Apr 2020 20:26:51 -0700
+Subject: net: dsa: b53: Lookup VID in ARL searches when VLAN is enabled
+
+From: Florian Fainelli
+
+[ Upstream commit 2e97b0cd1651a270f3a3fcf42115c51f3284c049 ]
+
+When VLAN is enabled, and an ARL search is issued, we also need to
+compare the full {MAC,VID} tuple before returning a successful search
+result.
+
+Fixes: 1da6df85c6fb ("net: dsa: b53: Implement ARL add/del/dump operations")
+Reviewed-by: Andrew Lunn
+Signed-off-by: Florian Fainelli
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/dsa/b53/b53_common.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/dsa/b53/b53_common.c
++++ b/drivers/net/dsa/b53/b53_common.c
+@@ -1284,6 +1284,9 @@ static int b53_arl_read(struct b53_devic
+ continue;
+ if ((mac_vid & ARLTBL_MAC_MASK) != mac)
+ continue;
++ if (dev->vlan_enabled &&
++ ((mac_vid >> ARLTBL_VID_S) & ARLTBL_VID_MASK) != vid)
++ continue;
+ *idx = i;
+ }
+
diff --git a/queue-4.19/net-dsa-b53-rework-arl-bin-logic.patch b/queue-4.19/net-dsa-b53-rework-arl-bin-logic.patch
new file mode 100644
index 00000000000..04ba17e6b5c
--- /dev/null
+++ b/queue-4.19/net-dsa-b53-rework-arl-bin-logic.patch
@@ -0,0 +1,115 @@
+From foo@baz Mon 27 Apr 2020 01:34:41 PM CEST
+From: Florian Fainelli
+Date: Mon, 20 Apr 2020 20:26:54 -0700
+Subject: net: dsa: b53: Rework ARL bin logic
+
+From: Florian Fainelli
+
+[ Upstream commit 6344dbde6a27d10d16246d734b968f84887841e2 ]
+
+When asking the ARL to read a MAC address, we will get a number of bins
+returned in a single read. Out of those bins, there can essentially be 3
+states:
+
+- all bins are full, we have no space left, and we can either replace an
+ existing address or return that full condition
+
+- the MAC address was found, then we need to return its bin index and
+ modify that one, and only that one
+
+- the MAC address was not found and we have a least one bin free, we use
+ that bin index location then
+
+The code would unfortunately fail on all counts.
+
+Fixes: 1da6df85c6fb ("net: dsa: b53: Implement ARL add/del/dump operations")
+Signed-off-by: Florian Fainelli
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/dsa/b53/b53_common.c | 30 ++++++++++++++++++++++++++----
+ drivers/net/dsa/b53/b53_regs.h | 3 +++
+ 2 files changed, 29 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/dsa/b53/b53_common.c
++++ b/drivers/net/dsa/b53/b53_common.c
+@@ -1262,6 +1262,7 @@ static int b53_arl_read(struct b53_devic
+ u16 vid, struct b53_arl_entry *ent, u8 *idx,
+ bool is_valid)
+ {
++ DECLARE_BITMAP(free_bins, B53_ARLTBL_MAX_BIN_ENTRIES);
+ unsigned int i;
+ int ret;
+
+@@ -1269,6 +1270,8 @@ static int b53_arl_read(struct b53_devic
+ if (ret)
+ return ret;
+
++ bitmap_zero(free_bins, dev->num_arl_entries);
++
+ /* Read the bins */
+ for (i = 0; i < dev->num_arl_entries; i++) {
+ u64 mac_vid;
+@@ -1280,16 +1283,24 @@ static int b53_arl_read(struct b53_devic
+ B53_ARLTBL_DATA_ENTRY(i), &fwd_entry);
+ b53_arl_to_entry(ent, mac_vid, fwd_entry);
+
+- if (!(fwd_entry & ARLTBL_VALID))
++ if (!(fwd_entry & ARLTBL_VALID)) {
++ set_bit(i, free_bins);
+ continue;
++ }
+ if ((mac_vid & ARLTBL_MAC_MASK) != mac)
+ continue;
+ if (dev->vlan_enabled &&
+ ((mac_vid >> ARLTBL_VID_S) & ARLTBL_VID_MASK) != vid)
+ continue;
+ *idx = i;
++ return 0;
+ }
+
++ if (bitmap_weight(free_bins, dev->num_arl_entries) == 0)
++ return -ENOSPC;
++
++ *idx = find_first_bit(free_bins, dev->num_arl_entries);
++
+ return -ENOENT;
+ }
+
+@@ -1319,10 +1330,21 @@ static int b53_arl_op(struct b53_device
+ if (op)
+ return ret;
+
+- /* We could not find a matching MAC, so reset to a new entry */
+- if (ret) {
++ switch (ret) {
++ case -ENOSPC:
++ dev_dbg(dev->dev, "{%pM,%.4d} no space left in ARL\n",
++ addr, vid);
++ return is_valid ? ret : 0;
++ case -ENOENT:
++ /* We could not find a matching MAC, so reset to a new entry */
++ dev_dbg(dev->dev, "{%pM,%.4d} not found, using idx: %d\n",
++ addr, vid, idx);
+ fwd_entry = 0;
+- idx = 1;
++ break;
++ default:
++ dev_dbg(dev->dev, "{%pM,%.4d} found, using idx: %d\n",
++ addr, vid, idx);
++ break;
+ }
+
+ memset(&ent, 0, sizeof(ent));
+--- a/drivers/net/dsa/b53/b53_regs.h
++++ b/drivers/net/dsa/b53/b53_regs.h
+@@ -323,6 +323,9 @@
+ #define ARLTBL_STATIC BIT(15)
+ #define ARLTBL_VALID BIT(16)
+
++/* Maximum number of bin entries in the ARL for all switches */
++#define B53_ARLTBL_MAX_BIN_ENTRIES 4
++
+ /* ARL Search Control Register (8 bit) */
+ #define B53_ARL_SRCH_CTL 0x50
+ #define B53_ARL_SRCH_CTL_25 0x20
diff --git a/queue-4.19/net-netrom-fix-potential-nr_neigh-refcnt-leak-in-nr_add_node.patch b/queue-4.19/net-netrom-fix-potential-nr_neigh-refcnt-leak-in-nr_add_node.patch
new file mode 100644
index 00000000000..29ebf315b0c
--- /dev/null
+++ b/queue-4.19/net-netrom-fix-potential-nr_neigh-refcnt-leak-in-nr_add_node.patch
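Review bot: In b53_arl_read() the bitmap is declared with `B53_ARLTBL_MAX_BIN_ENTRIES` (4) bits, but it is cleared, filled with `set_bit(i, free_bins)` and searched using `dev->num_arl_entries`, and the hunk shows no check tying the two together. A device whose `num_arl_entries` is larger than the declared size would index past the intended range of the on-stack bitmap. Bounding it once before the loop, e.g. `if (WARN_ON(dev->num_arl_entries > B53_ARLTBL_MAX_BIN_ENTRIES)) return -EINVAL;`, makes the assumption explicit. Because `free_bins` is a local, the non-atomic `__set_bit()` is sufficient. The function now returns -ENOENT with `*idx` set to a free bin and -ENOSPC with `*idx` untouched, which deserves a comment above the function since b53_arl_op() depends on it.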
@@ -0,0 +1,41 @@
+From foo@baz Mon 27 Apr 2020 01:34:41 PM CEST
+From: Xiyu Yang
+Date: Wed, 15 Apr 2020 16:36:19 +0800
+Subject: net: netrom: Fix potential nr_neigh refcnt leak in nr_add_node
+
+From: Xiyu Yang
+
+[ Upstream commit d03f228470a8c0a22b774d1f8d47071e0de4f6dd ]
+
+nr_add_node() invokes nr_neigh_get_dev(), which returns a local
+reference of the nr_neigh object to "nr_neigh" with increased refcnt.
+
+When nr_add_node() returns, "nr_neigh" becomes invalid, so the refcount
+should be decreased to keep refcount balanced.
+
+The issue happens in one normal path of nr_add_node(), which forgets to
+decrease the refcnt increased by nr_neigh_get_dev() and causes a refcnt
+leak. It should decrease the refcnt before the function returns like
+other normal paths do.
+
+Fix this issue by calling nr_neigh_put() before the nr_add_node()
+returns.
+
+Signed-off-by: Xiyu Yang
+Signed-off-by: Xin Tan
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/netrom/nr_route.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/netrom/nr_route.c
++++ b/net/netrom/nr_route.c
+@@ -211,6 +211,7 @@ static int __must_check nr_add_node(ax25
+ /* refcount initialized at 1 */
+ spin_unlock_bh(&nr_node_list_lock);
+
++ nr_neigh_put(nr_neigh);
+ return 0;
+ }
+ nr_node_lock(nr_node);
diff --git a/queue-4.19/net-stmmac-dwmac-meson8b-add-missing-boundary-to-rgmii-tx-clock-array.patch b/queue-4.19/net-stmmac-dwmac-meson8b-add-missing-boundary-to-rgmii-tx-clock-array.patch
new file mode 100644
index 00000000000..14044d80e7d
--- /dev/null
+++ b/queue-4.19/net-stmmac-dwmac-meson8b-add-missing-boundary-to-rgmii-tx-clock-array.patch
@@ -0,0 +1,98 @@
+From foo@baz Mon 27 Apr 2020 01:34:41 PM CEST
+From: Marc Zyngier
+Date: Sat, 18 Apr 2020 19:14:57 +0100
+Subject: net: stmmac: dwmac-meson8b: Add missing boundary to RGMII TX clock array
+
+From: Marc Zyngier
+
+[ Upstream commit f0212a5ebfa6cd789ab47666b9cc169e6e688732 ]
+
+Running with KASAN on a VIM3L systems leads to the following splat
+when probing the Ethernet device:
+
+==================================================================
+BUG: KASAN: global-out-of-bounds in _get_maxdiv+0x74/0xd8
+Read of size 4 at addr ffffa000090615f4 by task systemd-udevd/139
+CPU: 1 PID: 139 Comm: systemd-udevd Tainted: G E 5.7.0-rc1-00101-g8624b7577b9c #781
+Hardware name: amlogic w400/w400, BIOS 2020.01-rc5 03/12/2020
+Call trace:
+ dump_backtrace+0x0/0x2a0
+ show_stack+0x20/0x30
+ dump_stack+0xec/0x148
+ print_address_description.isra.12+0x70/0x35c
+ __kasan_report+0xfc/0x1d4
+ kasan_report+0x4c/0x68
+ __asan_load4+0x9c/0xd8
+ _get_maxdiv+0x74/0xd8
+ clk_divider_bestdiv+0x74/0x5e0
+ clk_divider_round_rate+0x80/0x1a8
+ clk_core_determine_round_nolock.part.9+0x9c/0xd0
+ clk_core_round_rate_nolock+0xf0/0x108
+ clk_hw_round_rate+0xac/0xf0
+ clk_factor_round_rate+0xb8/0xd0
+ clk_core_determine_round_nolock.part.9+0x9c/0xd0
+ clk_core_round_rate_nolock+0xf0/0x108
+ clk_core_round_rate_nolock+0xbc/0x108
+ clk_core_set_rate_nolock+0xc4/0x2e8
+ clk_set_rate+0x58/0xe0
+ meson8b_dwmac_probe+0x588/0x72c [dwmac_meson8b]
+ platform_drv_probe+0x78/0xd8
+ really_probe+0x158/0x610
+ driver_probe_device+0x140/0x1b0
+ device_driver_attach+0xa4/0xb0
+ __driver_attach+0xcc/0x1c8
+ bus_for_each_dev+0xf4/0x168
+ driver_attach+0x3c/0x50
+ bus_add_driver+0x238/0x2e8
+ driver_register+0xc8/0x1e8
+ __platform_driver_register+0x88/0x98
+ meson8b_dwmac_driver_init+0x28/0x1000 [dwmac_meson8b]
+ do_one_initcall+0xa8/0x328
+ do_init_module+0xe8/0x368
+ load_module+0x3300/0x36b0
+ __do_sys_finit_module+0x120/0x1a8
+ __arm64_sys_finit_module+0x4c/0x60
+ el0_svc_common.constprop.2+0xe4/0x268
+ do_el0_svc+0x98/0xa8
+ el0_svc+0x24/0x68
+ el0_sync_handler+0x12c/0x318
+ el0_sync+0x158/0x180
+
+The buggy address belongs to the variable:
+ div_table.63646+0x34/0xfffffffffffffa40 [dwmac_meson8b]
+
+Memory state around the buggy address:
+ ffffa00009061480: fa fa fa fa 00 00 00 01 fa fa fa fa 00 00 00 00
+ ffffa00009061500: 05 fa fa fa fa fa fa fa 00 04 fa fa fa fa fa fa
+>ffffa00009061580: 00 03 fa fa fa fa fa fa 00 00 00 00 00 00 fa fa
+ ^
+ ffffa00009061600: fa fa fa fa 00 01 fa fa fa fa fa fa 01 fa fa fa
+ ffffa00009061680: fa fa fa fa 00 01 fa fa fa fa fa fa 04 fa fa fa
+==================================================================
+
+Digging into this indeed shows that the clock divider array is
+lacking a final fence, and that the clock subsystems goes in the
+weeds. Oh well.
+
+Let's add the empty structure that indicates the end of the array.
+
+Fixes: bd6f48546b9c ("net: stmmac: dwmac-meson8b: Fix the RGMII TX delay on Meson8b/8m2 SoCs")
+Signed-off-by: Marc Zyngier
+Cc: Martin Blumenstingl
+Reviewed-by: Martin Blumenstingl
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/stmicro/stmmac/dwmac-meson8b.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/ethernet/stmicro/stmmac/dwmac-meson8b.c
++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac-meson8b.c
+@@ -125,6 +125,7 @@ static int meson8b_init_rgmii_tx_clk(str
+ { .div = 5, .val = 5, },
+ { .div = 6, .val = 6, },
+ { .div = 7, .val = 7, },
++ { /* end of array */ }
+ };
+
+ clk_configs = devm_kzalloc(dev, sizeof(*clk_configs), GFP_KERNEL);
diff --git a/queue-4.19/net-x25-fix-x25_neigh-refcnt-leak-when-receiving-frame.patch b/queue-4.19/net-x25-fix-x25_neigh-refcnt-leak-when-receiving-frame.patch
new file mode 100644
index 00000000000..b42667a81d8
--- /dev/null
+++ b/queue-4.19/net-x25-fix-x25_neigh-refcnt-leak-when-receiving-frame.patch
@@ -0,0 +1,47 @@
+From foo@baz Mon 27 Apr 2020 01:34:41 PM CEST
+From: Xiyu Yang
+Date: Thu, 23 Apr 2020 13:13:03 +0800
+Subject: net/x25: Fix x25_neigh refcnt leak when receiving frame
+
+From: Xiyu Yang
+
+[ Upstream commit f35d12971b4d814cdb2f659d76b42f0c545270b6 ]
+
+x25_lapb_receive_frame() invokes x25_get_neigh(), which returns a
+reference of the specified x25_neigh object to "nb" with increased
+refcnt.
+
+When x25_lapb_receive_frame() returns, local variable "nb" becomes
+invalid, so the refcount should be decreased to keep refcount balanced.
+
+The reference counting issue happens in one path of
+x25_lapb_receive_frame(). When pskb_may_pull() returns false, the
+function forgets to decrease the refcnt increased by x25_get_neigh(),
+causing a refcnt leak.
+
+Fix this issue by calling x25_neigh_put() when pskb_may_pull() returns
+false.
+
+Fixes: cb101ed2c3c7 ("x25: Handle undersized/fragmented skbs")
+Signed-off-by: Xiyu Yang
+Signed-off-by: Xin Tan
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/x25/x25_dev.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/x25/x25_dev.c
++++ b/net/x25/x25_dev.c
+@@ -120,8 +120,10 @@ int x25_lapb_receive_frame(struct sk_buf
+ goto drop;
+ }
+
+- if (!pskb_may_pull(skb, 1))
++ if (!pskb_may_pull(skb, 1)) {
++ x25_neigh_put(nb);
+ return 0;
++ }
+
+ switch (skb->data[0]) {
+
diff --git a/queue-4.19/sched-etf-do-not-assume-all-sockets-are-full-blown.patch b/queue-4.19/sched-etf-do-not-assume-all-sockets-are-full-blown.patch
new file mode 100644
index 00000000000..19130addcd1
--- /dev/null
+++ b/queue-4.19/sched-etf-do-not-assume-all-sockets-are-full-blown.patch
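Review bot: The undersized-frame branch added to x25_lapb_receive_frame() still leaves through `return 0;`, while the unknown-neighbour check directly above it in the same hunk leaves through `goto drop;`. The `drop` label is outside the hunk, but if it frees the skb, as its name and the earlier branch suggest, every frame that fails `pskb_may_pull(skb, 1)` would still leak its buffer even though the neighbour reference is now balanced. That path is taken for frames received from the link, so the leak would be driven by peer input. After confirming what `drop` does and that no caller frees the skb on a zero return, I would make the new body `x25_neigh_put(nb);` followed by `goto drop;`.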
@@ -0,0 +1,133 @@
+From foo@baz Mon 27 Apr 2020 01:34:41 PM CEST
+From: Eric Dumazet
+Date: Tue, 21 Apr 2020 10:00:28 -0700
+Subject: sched: etf: do not assume all sockets are full blown
+
+From: Eric Dumazet
+
+[ Upstream commit a1211bf9a7774706722ba3b18c6157d980319f79 ]
+
+skb->sk does not always point to a full blown socket,
+we need to use sk_fullsock() before accessing fields which
+only make sense on full socket.
+
+BUG: KASAN: use-after-free in report_sock_error+0x286/0x300 net/sched/sch_etf.c:141
+Read of size 1 at addr ffff88805eb9b245 by task syz-executor.5/9630
+
+CPU: 1 PID: 9630 Comm: syz-executor.5 Not tainted 5.7.0-rc2-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x188/0x20d lib/dump_stack.c:118
+ print_address_description.constprop.0.cold+0xd3/0x315 mm/kasan/report.c:382
+ __kasan_report.cold+0x35/0x4d mm/kasan/report.c:511
+ kasan_report+0x33/0x50 mm/kasan/common.c:625
+ report_sock_error+0x286/0x300 net/sched/sch_etf.c:141
+ etf_enqueue_timesortedlist+0x389/0x740 net/sched/sch_etf.c:170
+ __dev_xmit_skb net/core/dev.c:3710 [inline]
+ __dev_queue_xmit+0x154a/0x30a0 net/core/dev.c:4021
+ neigh_hh_output include/net/neighbour.h:499 [inline]
+ neigh_output include/net/neighbour.h:508 [inline]
+ ip6_finish_output2+0xfb5/0x25b0 net/ipv6/ip6_output.c:117
+ __ip6_finish_output+0x442/0xab0 net/ipv6/ip6_output.c:143
+ ip6_finish_output+0x34/0x1f0 net/ipv6/ip6_output.c:153
+ NF_HOOK_COND include/linux/netfilter.h:296 [inline]
+ ip6_output+0x239/0x810 net/ipv6/ip6_output.c:176
+ dst_output include/net/dst.h:435 [inline]
+ NF_HOOK include/linux/netfilter.h:307 [inline]
+ NF_HOOK include/linux/netfilter.h:301 [inline]
+ ip6_xmit+0xe1a/0x2090 net/ipv6/ip6_output.c:280
+ tcp_v6_send_synack+0x4e7/0x960 net/ipv6/tcp_ipv6.c:521
+ tcp_rtx_synack+0x10d/0x1a0 net/ipv4/tcp_output.c:3916
+ inet_rtx_syn_ack net/ipv4/inet_connection_sock.c:669 [inline]
+ reqsk_timer_handler+0x4c2/0xb40 net/ipv4/inet_connection_sock.c:763
+ call_timer_fn+0x1ac/0x780 kernel/time/timer.c:1405
+ expire_timers kernel/time/timer.c:1450 [inline]
+ __run_timers kernel/time/timer.c:1774 [inline]
+ __run_timers kernel/time/timer.c:1741 [inline]
+ run_timer_softirq+0x623/0x1600 kernel/time/timer.c:1787
+ __do_softirq+0x26c/0x9f7 kernel/softirq.c:292
+ invoke_softirq kernel/softirq.c:373 [inline]
+ irq_exit+0x192/0x1d0 kernel/softirq.c:413
+ exiting_irq arch/x86/include/asm/apic.h:546 [inline]
+ smp_apic_timer_interrupt+0x19e/0x600 arch/x86/kernel/apic/apic.c:1140
+ apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:829
+
+RIP: 0010:des_encrypt+0x157/0x9c0 lib/crypto/des.c:792
+Code: 85 22 06 00 00 41 31 dc 41 8b 4d 04 44 89 e2 41 83 e4 3f 4a 8d 3c a5 60 72 72 88 81 e2 3f 3f 3f 3f 48 89 f8 48 c1 e8 03 31 d9 <0f> b6 34 28 48 89 f8 c1 c9 04 83 e0 07 83 c0 03 40 38 f0 7c 09 40
+RSP: 0018:ffffc90003b5f6c0 EFLAGS: 00000282 ORIG_RAX: ffffffffffffff13
+RAX: 1ffffffff10e4e55 RBX: 00000000d2f846d0 RCX: 00000000d2f846d0
+RDX: 0000000012380612 RSI: ffffffff839863ca RDI: ffffffff887272a8
+RBP: dffffc0000000000 R08: ffff888091d0a380 R09: 0000000000800081
+R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000012
+R13: ffff8880a8ae8078 R14: 00000000c545c93e R15: 0000000000000006
+ cipher_crypt_one crypto/cipher.c:75 [inline]
+ crypto_cipher_encrypt_one+0x124/0x210 crypto/cipher.c:82
+ crypto_cbcmac_digest_update+0x1b5/0x250 crypto/ccm.c:830
+ crypto_shash_update+0xc4/0x120 crypto/shash.c:119
+ shash_ahash_update+0xa3/0x110 crypto/shash.c:246
+ crypto_ahash_update include/crypto/hash.h:547 [inline]
+ hash_sendmsg+0x518/0xad0 crypto/algif_hash.c:102
+ sock_sendmsg_nosec net/socket.c:652 [inline]
+ sock_sendmsg+0xcf/0x120 net/socket.c:672
+ ____sys_sendmsg+0x308/0x7e0 net/socket.c:2362
+ ___sys_sendmsg+0x100/0x170 net/socket.c:2416
+ __sys_sendmmsg+0x195/0x480 net/socket.c:2506
+ __do_sys_sendmmsg net/socket.c:2535 [inline]
+ __se_sys_sendmmsg net/socket.c:2532 [inline]
+ __x64_sys_sendmmsg+0x99/0x100 net/socket.c:2532
+ do_syscall_64+0xf6/0x7d0 arch/x86/entry/common.c:295
+ entry_SYSCALL_64_after_hwframe+0x49/0xb3
+RIP: 0033:0x45c829
+Code: 0d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
+RSP: 002b:00007f6d9528ec78 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
+RAX: ffffffffffffffda RBX: 00000000004fc080 RCX: 000000000045c829
+RDX: 0000000000000001 RSI: 0000000020002640 RDI: 0000000000000004
+RBP: 000000000078bf00 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
+R13: 00000000000008d7 R14: 00000000004cb7aa R15: 00007f6d9528f6d4
+
+Fixes: 4b15c7075352 ("net/sched: Make etf report drops on error_queue")
+Fixes: 25db26a91364 ("net/sched: Introduce the ETF Qdisc")
+Signed-off-by: Eric Dumazet
+Reported-by: syzbot
+Cc: Vinicius Costa Gomes
+Reviewed-by: Vinicius Costa Gomes
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/sched/sch_etf.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/net/sched/sch_etf.c
++++ b/net/sched/sch_etf.c
+@@ -77,7 +77,7 @@ static bool is_packet_valid(struct Qdisc
+ struct sock *sk = nskb->sk;
+ ktime_t now;
+
+- if (!sk)
++ if (!sk || !sk_fullsock(sk))
+ return false;
+
+ if (!sock_flag(sk, SOCK_TXTIME))
+@@ -129,8 +129,9 @@ static void report_sock_error(struct sk_
+ struct sock_exterr_skb *serr;
+ struct sk_buff *clone;
+ ktime_t txtime = skb->tstamp;
++ struct sock *sk = skb->sk;
+
+- if (!skb->sk || !(skb->sk->sk_txtime_report_errors))
++ if (!sk || !sk_fullsock(sk) || !(sk->sk_txtime_report_errors))
+ return;
+
+ clone = skb_clone(skb, GFP_ATOMIC);
+@@ -146,7 +147,7 @@ static void report_sock_error(struct sk_
+ serr->ee.ee_data = (txtime >> 32); /* high part of tstamp */
+ serr->ee.ee_info = txtime; /* low part of tstamp */
+
+- if (sock_queue_err_skb(skb->sk, clone))
++ if (sock_queue_err_skb(sk, clone))
+ kfree_skb(clone);
+ }
+
diff --git a/queue-4.19/series b/queue-4.19/series
index b7c00f0d9ca..fdd84a48016 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
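Review bot: Neither new `sk_fullsock(sk)` test in is_packet_valid() or report_sock_error() says which sockets it filters out, so a reader has to find the commit message to learn why a non-NULL `skb->sk` is not enough. A one-line comment above each test would cover it, for example `/* skb->sk may be a request or timewait socket, which lacks the fields read below */`. The KASAN trace in the description reaches report_sock_error() from tcp_rtx_synack(), which fits the request-socket case. Since is_packet_valid() now returns false for such packets, the comment should also state whether dropping them is the intended outcome. The effect of that return value is decided outside the hunks, as is the rest of both functions.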
@@ -50,3 +50,23 @@ x86-kvm-introduce-kvm_-un-map_gfn.patch
 x86-kvm-cache-gfn-to-pfn-translation.patch
 x86-kvm-make-sure-kvm_vcpu_flush_tlb-flag-is-not-mis.patch
 x86-kvm-clean-up-host-s-steal-time-structure.patch
+cxgb4-fix-adapter-crash-due-to-wrong-mc-size.patch
+cxgb4-fix-large-delays-in-ptp-synchronization.patch
+ipv6-fix-restrict-ipv6_addrform-operation.patch
+macsec-avoid-to-set-wrong-mtu.patch
+macvlan-fix-null-dereference-in-macvlan_device_event.patch
+net-bcmgenet-correct-per-tx-rx-ring-statistics.patch
+net-netrom-fix-potential-nr_neigh-refcnt-leak-in-nr_add_node.patch
+net-stmmac-dwmac-meson8b-add-missing-boundary-to-rgmii-tx-clock-array.patch
+net-x25-fix-x25_neigh-refcnt-leak-when-receiving-frame.patch
+sched-etf-do-not-assume-all-sockets-are-full-blown.patch
+tcp-cache-line-align-max_tcp_header.patch
+team-fix-hang-in-team_mode_get.patch
+vrf-fix-ipv6-with-qdisc-and-xfrm.patch
+net-dsa-b53-lookup-vid-in-arl-searches-when-vlan-is-enabled.patch
+net-dsa-b53-fix-arl-register-definitions.patch
+net-dsa-b53-rework-arl-bin-logic.patch
+net-dsa-b53-b53_arl_rw_op-needs-to-select-ivl-or-svl.patch
+xfrm-always-set-xfrm_transformed-in-xfrm-4-6-_output_finish.patch
+vrf-check-skb-for-xfrm_transformed-flag.patch
+mlxsw-fix-some-is_err-vs-null-bugs.patch
diff --git a/queue-4.19/tcp-cache-line-align-max_tcp_header.patch b/queue-4.19/tcp-cache-line-align-max_tcp_header.patch
new file mode 100644
index 00000000000..2e50a47da69
--- /dev/null
+++ b/queue-4.19/tcp-cache-line-align-max_tcp_header.patch
@@ -0,0 +1,38 @@
+From foo@baz Mon 27 Apr 2020 01:34:41 PM CEST
+From: Eric Dumazet
+Date: Fri, 17 Apr 2020 07:10:23 -0700
+Subject: tcp: cache line align MAX_TCP_HEADER
+
+From: Eric Dumazet
+
+[ Upstream commit 9bacd256f1354883d3c1402655153367982bba49 ]
+
+TCP stack is dumb in how it cooks its output packets.
+
+Depending on MAX_HEADER value, we might chose a bad ending point
+for the headers.
+
+If we align the end of TCP headers to cache line boundary, we
+make sure to always use the smallest number of cache lines,
+which always help.
+
+Signed-off-by: Eric Dumazet
+Cc: Soheil Hassas Yeganeh
+Acked-by: Soheil Hassas Yeganeh
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ include/net/tcp.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/net/tcp.h
++++ b/include/net/tcp.h
+@@ -53,7 +53,7 @@ extern struct inet_hashinfo tcp_hashinfo
+ extern struct percpu_counter tcp_orphan_count;
+ void tcp_time_wait(struct sock *sk, int state, int timeo);
+
+-#define MAX_TCP_HEADER (128 + MAX_HEADER)
++#define MAX_TCP_HEADER L1_CACHE_ALIGN(128 + MAX_HEADER)
+ #define MAX_TCP_OPTION_SPACE 40
+ #define TCP_MIN_SND_MSS 48
+ #define TCP_MIN_GSO_SIZE (TCP_MIN_SND_MSS - MAX_TCP_OPTION_SPACE)
diff --git a/queue-4.19/team-fix-hang-in-team_mode_get.patch b/queue-4.19/team-fix-hang-in-team_mode_get.patch
new file mode 100644
index 00000000000..94f1e9a3647
--- /dev/null
+++ b/queue-4.19/team-fix-hang-in-team_mode_get.patch
@@ -0,0 +1,90 @@
+From foo@baz Mon 27 Apr 2020 01:34:41 PM CEST
+From: Taehee Yoo
+Date: Mon, 20 Apr 2020 15:01:33 +0000
+Subject: team: fix hang in team_mode_get()
+
+From: Taehee Yoo
+
+[ Upstream commit 1c30fbc76b8f0c07c92a8ca4cd7c456612e17eb5 ]
+
+When team mode is changed or set, the team_mode_get() is called to check
+whether the mode module is inserted or not. If the mode module is not
+inserted, it calls the request_module().
+In the request_module(), it creates a child process, which is
+the "modprobe" process and waits for the done of the child process.
+At this point, the following locks were used.
+down_read(&cb_lock()); by genl_rcv()
+ genl_lock(); by genl_rcv_msc()
+ rtnl_lock(); by team_nl_cmd_options_set()
+ mutex_lock(&team->lock); by team_nl_team_get()
+
+Concurrently, the team module could be removed by rmmod or "modprobe -r"
+The __exit function of team module is team_module_exit(), which calls
+team_nl_fini() and it tries to acquire following locks.
+down_write(&cb_lock);
+ genl_lock();
+Because of the genl_lock() and cb_lock, this process can't be finished
+earlier than request_module() routine.
+
+The problem secenario.
+CPU0 CPU1
+team_mode_get
+ request_module()
+ modprobe -r team_mode_roundrobin
+ team <--(B)
+ modprobe team <--(A)
+ team_mode_roundrobin
+
+By request_module(), the "modprobe team_mode_roundrobin" command
+will be executed. At this point, the modprobe process will decide
+that the team module should be inserted before team_mode_roundrobin.
+Because the team module is being removed.
+
+By the module infrastructure, the same module insert/remove operations
+can't be executed concurrently.
+So, (A) waits for (B) but (B) also waits for (A) because of locks.
+So that the hang occurs at this point.
+
+Test commands:
+ while :
+ do
+ teamd -d &
+ killall teamd &
+ modprobe -rv team_mode_roundrobin &
+ done
+
+The approach of this patch is to hold the reference count of the team
+module if the team module is compiled as a module. If the reference count
+of the team module is not zero while request_module() is being called,
+the team module will not be removed at that moment.
+So that the above scenario could not occur.
+
+Fixes: 3d249d4ca7d0 ("net: introduce ethernet teaming device")
+Signed-off-by: Taehee Yoo
+Reviewed-by: Jiri Pirko
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/team/team.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/net/team/team.c
++++ b/drivers/net/team/team.c
+@@ -475,6 +475,9 @@ static const struct team_mode *team_mode
+ struct team_mode_item *mitem;
+ const struct team_mode *mode = NULL;
+
++ if (!try_module_get(THIS_MODULE))
++ return NULL;
++
+ spin_lock(&mode_list_lock);
+ mitem = __find_mode(kind);
+ if (!mitem) {
+@@ -490,6 +493,7 @@ static const struct team_mode *team_mode
+ }
+
+ spin_unlock(&mode_list_lock);
+ module_put(THIS_MODULE);
+ return mode;
+ }
+
diff --git a/queue-4.19/vrf-check-skb-for-xfrm_transformed-flag.patch b/queue-4.19/vrf-check-skb-for-xfrm_transformed-flag.patch
new file mode 100644
index 00000000000..ea55b62d4de
--- /dev/null
+++ b/queue-4.19/vrf-check-skb-for-xfrm_transformed-flag.patch
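Review bot: The `try_module_get(THIS_MODULE)` / `module_put(THIS_MODULE)` pair added to team_mode_get() carries no comment, and a module pinning itself is not self-explanatory without the commit message. I would add above the get something like `/* pin the team module so it cannot be unloaded while request_module() below waits on modprobe */`. The part of the function between the two hunks is not shown, so two things need confirming against it. One is that no return path lies between the get and the put. The other is that callers handle the new `return NULL` on a failed get the same way as a mode that was not found.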
@@ -0,0 +1,44 @@
+From foo@baz Mon 27 Apr 2020 01:34:41 PM CEST
+From: David Ahern
+Date: Mon, 20 Apr 2020 17:13:52 -0600
+Subject: vrf: Check skb for XFRM_TRANSFORMED flag
+
+From: David Ahern
+
+[ Upstream commit 16b9db1ce34ff00d6c18e82825125cfef0cdfb13 ]
+
+To avoid a loop with qdiscs and xfrms, check if the skb has already gone
+through the qdisc attached to the VRF device and then to the xfrm layer.
+If so, no need for a second redirect.
+
+Fixes: 193125dbd8eb ("net: Introduce VRF device driver")
+Reported-by: Trev Larock
+Signed-off-by: David Ahern
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/vrf.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/vrf.c
++++ b/drivers/net/vrf.c
+@@ -478,7 +478,8 @@ static struct sk_buff *vrf_ip6_out(struc
+ if (rt6_need_strict(&ipv6_hdr(skb)->daddr))
+ return skb;
+
+- if (qdisc_tx_is_default(vrf_dev))
++ if (qdisc_tx_is_default(vrf_dev) ||
++ IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED)
+ return vrf_ip6_out_direct(vrf_dev, sk, skb);
+
+ return vrf_ip6_out_redirect(vrf_dev, skb);
+@@ -692,7 +693,8 @@ static struct sk_buff *vrf_ip_out(struct
+ ipv4_is_lbcast(ip_hdr(skb)->daddr))
+ return skb;
+
+- if (qdisc_tx_is_default(vrf_dev))
++ if (qdisc_tx_is_default(vrf_dev) ||
++ IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED)
+ return vrf_ip_out_direct(vrf_dev, sk, skb);
+
+ return vrf_ip_out_redirect(vrf_dev, skb);
diff --git a/queue-4.19/vrf-fix-ipv6-with-qdisc-and-xfrm.patch b/queue-4.19/vrf-fix-ipv6-with-qdisc-and-xfrm.patch
new file mode 100644
index 00000000000..7ab197acc5d
--- /dev/null
+++ b/queue-4.19/vrf-fix-ipv6-with-qdisc-and-xfrm.patch
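Review bot: The new conditions in vrf_ip6_out() and vrf_ip_out() mix `||` with an unparenthesised `&`, as in `qdisc_tx_is_default(vrf_dev) || IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED`. Operator precedence makes this evaluate as intended, but the flag tests are easier to read and harder to break in a later edit when written `(IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED)` and `(IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED)`. A short comment would also help, saying that the flag is set by xfrm{4,6}_output_finish and that this test relies on it being set regardless of CONFIG_NETFILTER. That dependency is otherwise only visible from the companion xfrm patch in this queue. Both functions start outside their hunks.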
@@ -0,0 +1,36 @@
+From foo@baz Mon 27 Apr 2020 01:34:41 PM CEST
+From: David Ahern
+Date: Tue, 21 Apr 2020 17:48:27 -0600
+Subject: vrf: Fix IPv6 with qdisc and xfrm
+
+From: David Ahern
+
+[ Upstream commit a53c102872ad6e34e1518e25899dc9498c27f8b1 ]
+
+When a qdisc is attached to the VRF device, the packet goes down the ndo
+xmit function which is setup to send the packet back to the VRF driver
+which does a lookup to send the packet out. The lookup in the VRF driver
+is not considering xfrm policies. Change it to use ip6_dst_lookup_flow
+rather than ip6_route_output.
+
+Fixes: 35402e313663 ("net: Add IPv6 support to VRF device")
+Signed-off-by: David Ahern
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/vrf.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/vrf.c
++++ b/drivers/net/vrf.c
+@@ -192,8 +192,8 @@ static netdev_tx_t vrf_process_v6_outbou
+ fl6.flowi6_proto = iph->nexthdr;
+ fl6.flowi6_flags = FLOWI_FLAG_SKIP_NH_OIF;
+
+- dst = ip6_route_output(net, NULL, &fl6);
+- if (dst == dst_null)
++ dst = ip6_dst_lookup_flow(net, NULL, &fl6, NULL);
++ if (IS_ERR(dst) || dst == dst_null)
+ goto err;
+
+ skb_dst_drop(skb);
diff --git a/queue-4.19/xfrm-always-set-xfrm_transformed-in-xfrm-4-6-_output_finish.patch b/queue-4.19/xfrm-always-set-xfrm_transformed-in-xfrm-4-6-_output_finish.patch
new file mode 100644
index 00000000000..d99835e4f80
--- /dev/null
+++ b/queue-4.19/xfrm-always-set-xfrm_transformed-in-xfrm-4-6-_output_finish.patch
@@ -0,0 +1,47 @@
+From foo@baz Mon 27 Apr 2020 01:34:41 PM CEST
+From: David Ahern
+Date: Mon, 20 Apr 2020 17:13:51 -0600
+Subject: xfrm: Always set XFRM_TRANSFORMED in xfrm{4,6}_output_finish
+
+From: David Ahern
+
+[ Upstream commit 0c922a4850eba2e668f73a3f1153196e09abb251 ]
+
+IPSKB_XFRM_TRANSFORMED and IP6SKB_XFRM_TRANSFORMED are skb flags set by
+xfrm code to tell other skb handlers that the packet has been passed
+through the xfrm output functions. Simplify the code and just always
+set them rather than conditionally based on netfilter enabled thus
+making the flag available for other users.
+
+Signed-off-by: David Ahern
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv4/xfrm4_output.c | 2 --
+ net/ipv6/xfrm6_output.c | 2 --
+ 2 files changed, 4 deletions(-)
+
+--- a/net/ipv4/xfrm4_output.c
++++ b/net/ipv4/xfrm4_output.c
+@@ -77,9 +77,7 @@ int xfrm4_output_finish(struct sock *sk,
+ {
+ memset(IPCB(skb), 0, sizeof(*IPCB(skb)));
+
+-#ifdef CONFIG_NETFILTER
+ IPCB(skb)->flags |= IPSKB_XFRM_TRANSFORMED;
+-#endif
+
+ return xfrm_output(sk, skb);
+ }
+--- a/net/ipv6/xfrm6_output.c
++++ b/net/ipv6/xfrm6_output.c
+@@ -130,9 +130,7 @@ int xfrm6_output_finish(struct sock *sk,
+ {
+ memset(IP6CB(skb), 0, sizeof(*IP6CB(skb)));
+
+-#ifdef CONFIG_NETFILTER
+ IP6CB(skb)->flags |= IP6SKB_XFRM_TRANSFORMED;
+-#endif
+
+ return xfrm_output(sk, skb);
+ }