From: Greg Kroah-Hartman Date: Sat, 31 Oct 2020 09:38:26 +0000 (+0100) Subject: 4.19-stable patches X-Git-Tag: v5.4.74~24 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=353c4c8437e09d2b7abe0ce34f8b3b87a7689d03;p=thirdparty%2Fkernel%2Fstable-queue.git 4.19-stable patches added patches: chelsio-chtls-fix-deadlock-issue.patch chelsio-chtls-fix-memory-leaks-in-cpl-handlers.patch chelsio-chtls-fix-tls-record-info-to-user.patch cxgb4-set-up-filter-action-after-rewrites.patch gtp-fix-an-use-before-init-in-gtp_newlink.patch mlxsw-core-fix-memory-leak-on-module-removal.patch netem-fix-zero-division-in-tabledist.patch r8169-fix-issue-with-forced-threading-in-combination-with-shared-interrupts.patch ravb-fix-bit-fields-checking-in-ravb_hwtstamp_get.patch tcp-prevent-low-rmem-stalls-with-so_rcvlowat.patch tipc-fix-memory-leak-caused-by-tipc_buf_append.patch --- diff --git a/queue-4.19/chelsio-chtls-fix-deadlock-issue.patch b/queue-4.19/chelsio-chtls-fix-deadlock-issue.patch new file mode 100644 index 00000000000..f513763edcf --- /dev/null +++ b/queue-4.19/chelsio-chtls-fix-deadlock-issue.patch @@ -0,0 +1,40 @@ +From foo@baz Sat Oct 31 10:28:22 AM CET 2020 +From: Vinay Kumar Yadav +Date: Mon, 26 Oct 2020 01:05:39 +0530 +Subject: [PATCH stable 5.8 06/22] chelsio/chtls: fix deadlock issue + +From: Vinay Kumar Yadav + +[ Upstream commit 28e9dcd9172028263c8225c15c4e329e08475e89 ] + +In chtls_pass_establish() we hold child socket lock using bh_lock_sock +and we are again trying bh_lock_sock in add_to_reap_list, causing deadlock. +Remove bh_lock_sock in add_to_reap_list() as lock is already held. + +Fixes: cc35c88ae4db ("crypto : chtls - CPL handler definition") +Signed-off-by: Vinay Kumar Yadav +Link: https://lore.kernel.org/r/20201025193538.31112-1-vinay.yadav@chelsio.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/crypto/chelsio/chtls/chtls_cm.c | 2 -- + 1 file changed, 2 deletions(-) + +--- a/drivers/crypto/chelsio/chtls/chtls_cm.c ++++ b/drivers/crypto/chelsio/chtls/chtls_cm.c +@@ -1348,7 +1348,6 @@ static void add_to_reap_list(struct sock + struct chtls_sock *csk = sk->sk_user_data; + + local_bh_disable(); +- bh_lock_sock(sk); + release_tcp_port(sk); /* release the port immediately */ + + spin_lock(&reap_list_lock); +@@ -1357,7 +1356,6 @@ static void add_to_reap_list(struct sock + if (!csk->passive_reap_next) + schedule_work(&reap_task); + spin_unlock(&reap_list_lock); +- bh_unlock_sock(sk); + local_bh_enable(); + } + diff --git a/queue-4.19/chelsio-chtls-fix-memory-leaks-in-cpl-handlers.patch b/queue-4.19/chelsio-chtls-fix-memory-leaks-in-cpl-handlers.patch new file mode 100644 index 00000000000..a6c980d43cf --- /dev/null +++ b/queue-4.19/chelsio-chtls-fix-memory-leaks-in-cpl-handlers.patch @@ -0,0 +1,67 @@ +From foo@baz Sat Oct 31 10:28:22 AM CET 2020 +From: Vinay Kumar Yadav +Date: Mon, 26 Oct 2020 01:12:29 +0530 +Subject: [PATCH stable 5.8 07/22] chelsio/chtls: fix memory leaks in CPL handlers + +From: Vinay Kumar Yadav + +[ Upstream commit 6daa1da4e262b0cd52ef0acc1989ff22b5540264 ] + +CPL handler functions chtls_pass_open_rpl() and +chtls_close_listsrv_rpl() should return CPL_RET_BUF_DONE +so that caller function will do skb free to avoid leak. + +Fixes: cc35c88ae4db ("crypto : chtls - CPL handler definition") +Signed-off-by: Vinay Kumar Yadav +Link: https://lore.kernel.org/r/20201025194228.31271-1-vinay.yadav@chelsio.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/crypto/chelsio/chtls/chtls_cm.c | 27 ++++++++++++--------------- + 1 file changed, 12 insertions(+), 15 deletions(-) + +--- a/drivers/crypto/chelsio/chtls/chtls_cm.c ++++ b/drivers/crypto/chelsio/chtls/chtls_cm.c +@@ -696,14 +696,13 @@ static int chtls_pass_open_rpl(struct ch + if (rpl->status != CPL_ERR_NONE) { + pr_info("Unexpected PASS_OPEN_RPL status %u for STID %u\n", + rpl->status, stid); +- return CPL_RET_BUF_DONE; ++ } else { ++ cxgb4_free_stid(cdev->tids, stid, listen_ctx->lsk->sk_family); ++ sock_put(listen_ctx->lsk); ++ kfree(listen_ctx); ++ module_put(THIS_MODULE); + } +- cxgb4_free_stid(cdev->tids, stid, listen_ctx->lsk->sk_family); +- sock_put(listen_ctx->lsk); +- kfree(listen_ctx); +- module_put(THIS_MODULE); +- +- return 0; ++ return CPL_RET_BUF_DONE; + } + + static int chtls_close_listsrv_rpl(struct chtls_dev *cdev, struct sk_buff *skb) +@@ -720,15 +719,13 @@ static int chtls_close_listsrv_rpl(struc + if (rpl->status != CPL_ERR_NONE) { + pr_info("Unexpected CLOSE_LISTSRV_RPL status %u for STID %u\n", + rpl->status, stid); +- return CPL_RET_BUF_DONE; ++ } else { ++ cxgb4_free_stid(cdev->tids, stid, listen_ctx->lsk->sk_family); ++ sock_put(listen_ctx->lsk); ++ kfree(listen_ctx); ++ module_put(THIS_MODULE); + } +- +- cxgb4_free_stid(cdev->tids, stid, listen_ctx->lsk->sk_family); +- sock_put(listen_ctx->lsk); +- kfree(listen_ctx); +- module_put(THIS_MODULE); +- +- return 0; ++ return CPL_RET_BUF_DONE; + } + + static void chtls_purge_wr_queue(struct sock *sk) diff --git a/queue-4.19/chelsio-chtls-fix-tls-record-info-to-user.patch b/queue-4.19/chelsio-chtls-fix-tls-record-info-to-user.patch new file mode 100644 index 00000000000..9f271e0756d --- /dev/null +++ b/queue-4.19/chelsio-chtls-fix-tls-record-info-to-user.patch @@ -0,0 +1,51 @@ +From foo@baz Sat Oct 31 10:28:22 AM CET 2020 +From: Vinay Kumar Yadav +Date: Fri, 23 Oct 2020 00:35:57 +0530 +Subject: [PATCH stable 5.8 08/22] chelsio/chtls: fix tls record info to user + +From: Vinay Kumar Yadav + +[ Upstream commit 4f3391ce8f5a69e7e6d66d0a3fc654eb6dbdc919 ] + +chtls_pt_recvmsg() receives a skb with tls header and subsequent +skb with data, need to finalize the data copy whenever next skb +with tls header is available. but here current tls header is +overwritten by next available tls header, ends up corrupting +user buffer data. fixing it by finalizing current record whenever +next skb contains tls header. + +v1->v2: +- Improved commit message. + +Fixes: 17a7d24aa89d ("crypto: chtls - generic handling of data and hdr") +Signed-off-by: Vinay Kumar Yadav +Link: https://lore.kernel.org/r/20201022190556.21308-1-vinay.yadav@chelsio.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/crypto/chelsio/chtls/chtls_io.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/drivers/crypto/chelsio/chtls/chtls_io.c ++++ b/drivers/crypto/chelsio/chtls/chtls_io.c +@@ -1549,6 +1549,7 @@ skip_copy: + tp->urg_data = 0; + + if ((avail + offset) >= skb->len) { ++ struct sk_buff *next_skb; + if (ULP_SKB_CB(skb)->flags & ULPCB_FLAG_TLS_HDR) { + tp->copied_seq += skb->len; + hws->rcvpld = skb->hdr_len; +@@ -1558,8 +1559,10 @@ skip_copy: + chtls_free_skb(sk, skb); + buffers_freed++; + hws->copied_seq = 0; +- if (copied >= target && +- !skb_peek(&sk->sk_receive_queue)) ++ next_skb = skb_peek(&sk->sk_receive_queue); ++ if (copied >= target && !next_skb) ++ break; ++ if (ULP_SKB_CB(next_skb)->flags & ULPCB_FLAG_TLS_HDR) + break; + } + } while (len > 0); diff --git a/queue-4.19/cxgb4-set-up-filter-action-after-rewrites.patch b/queue-4.19/cxgb4-set-up-filter-action-after-rewrites.patch new file mode 100644 index 00000000000..9836044a167 --- /dev/null +++ b/queue-4.19/cxgb4-set-up-filter-action-after-rewrites.patch @@ -0,0 +1,153 @@ +From foo@baz Sat Oct 31 10:28:22 AM CET 2020 +From: Raju Rangoju +Date: Fri, 23 Oct 2020 17:28:52 +0530 +Subject: [PATCH stable 5.8 09/22] cxgb4: set up filter action after rewrites + +From: Raju Rangoju + +[ Upstream commit 937d8420588421eaa5c7aa5c79b26b42abb288ef ] + +The current code sets up the filter action field before +rewrites are set up. When the action 'switch' is used +with rewrites, this may result in initial few packets +that get switched out don't have rewrites applied +on them. + +So, make sure filter action is set up along with rewrites +or only after everything else is set up for rewrites. + +Fixes: 12b276fbf6e0 ("cxgb4: add support to create hash filters") +Signed-off-by: Raju Rangoju +Link: https://lore.kernel.org/r/20201023115852.18262-1-rajur@chelsio.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/chelsio/cxgb4/cxgb4_filter.c | 56 ++++++++++------------ + drivers/net/ethernet/chelsio/cxgb4/t4_tcb.h | 4 + + 2 files changed, 31 insertions(+), 29 deletions(-) + +--- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_filter.c ++++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_filter.c +@@ -145,13 +145,13 @@ static int configure_filter_smac(struct + int err; + + /* do a set-tcb for smac-sel and CWR bit.. */ +- err = set_tcb_tflag(adap, f, f->tid, TF_CCTRL_CWR_S, 1, 1); +- if (err) +- goto smac_err; +- + err = set_tcb_field(adap, f, f->tid, TCB_SMAC_SEL_W, + TCB_SMAC_SEL_V(TCB_SMAC_SEL_M), + TCB_SMAC_SEL_V(f->smt->idx), 1); ++ if (err) ++ goto smac_err; ++ ++ err = set_tcb_tflag(adap, f, f->tid, TF_CCTRL_CWR_S, 1, 1); + if (!err) + return 0; + +@@ -608,6 +608,7 @@ int set_filter_wr(struct adapter *adapte + FW_FILTER_WR_DIRSTEERHASH_V(f->fs.dirsteerhash) | + FW_FILTER_WR_LPBK_V(f->fs.action == FILTER_SWITCH) | + FW_FILTER_WR_DMAC_V(f->fs.newdmac) | ++ FW_FILTER_WR_SMAC_V(f->fs.newsmac) | + FW_FILTER_WR_INSVLAN_V(f->fs.newvlan == VLAN_INSERT || + f->fs.newvlan == VLAN_REWRITE) | + FW_FILTER_WR_RMVLAN_V(f->fs.newvlan == VLAN_REMOVE || +@@ -625,7 +626,7 @@ int set_filter_wr(struct adapter *adapte + FW_FILTER_WR_OVLAN_VLD_V(f->fs.val.ovlan_vld) | + FW_FILTER_WR_IVLAN_VLDM_V(f->fs.mask.ivlan_vld) | + FW_FILTER_WR_OVLAN_VLDM_V(f->fs.mask.ovlan_vld)); +- fwr->smac_sel = 0; ++ fwr->smac_sel = f->smt->idx; + fwr->rx_chan_rx_rpl_iq = + htons(FW_FILTER_WR_RX_CHAN_V(0) | + FW_FILTER_WR_RX_RPL_IQ_V(adapter->sge.fw_evtq.abs_id)); +@@ -1019,11 +1020,8 @@ static void mk_act_open_req6(struct filt + TX_QUEUE_V(f->fs.nat_mode) | + T5_OPT_2_VALID_F | + RX_CHANNEL_F | +- CONG_CNTRL_V((f->fs.action == FILTER_DROP) | +- (f->fs.dirsteer << 1)) | + PACE_V((f->fs.maskhash) | +- ((f->fs.dirsteerhash) << 1)) | +- CCTRL_ECN_V(f->fs.action == FILTER_SWITCH)); ++ ((f->fs.dirsteerhash) << 1))); + } + + static void mk_act_open_req(struct filter_entry *f, struct sk_buff *skb, +@@ -1059,11 +1057,8 @@ static void mk_act_open_req(struct filte + TX_QUEUE_V(f->fs.nat_mode) | + T5_OPT_2_VALID_F | + RX_CHANNEL_F | +- CONG_CNTRL_V((f->fs.action == FILTER_DROP) | +- (f->fs.dirsteer << 1)) | + PACE_V((f->fs.maskhash) | +- ((f->fs.dirsteerhash) << 1)) | +- CCTRL_ECN_V(f->fs.action == FILTER_SWITCH)); ++ ((f->fs.dirsteerhash) << 1))); + } + + static int cxgb4_set_hash_filter(struct net_device *dev, +@@ -1722,6 +1717,20 @@ void hash_filter_rpl(struct adapter *ada + } + return; + } ++ switch (f->fs.action) { ++ case FILTER_PASS: ++ if (f->fs.dirsteer) ++ set_tcb_tflag(adap, f, tid, ++ TF_DIRECT_STEER_S, 1, 1); ++ break; ++ case FILTER_DROP: ++ set_tcb_tflag(adap, f, tid, TF_DROP_S, 1, 1); ++ break; ++ case FILTER_SWITCH: ++ set_tcb_tflag(adap, f, tid, TF_LPBK_S, 1, 1); ++ break; ++ } ++ + break; + + default: +@@ -1781,22 +1790,11 @@ void filter_rpl(struct adapter *adap, co + if (ctx) + ctx->result = 0; + } else if (ret == FW_FILTER_WR_FLT_ADDED) { +- int err = 0; +- +- if (f->fs.newsmac) +- err = configure_filter_smac(adap, f); +- +- if (!err) { +- f->pending = 0; /* async setup completed */ +- f->valid = 1; +- if (ctx) { +- ctx->result = 0; +- ctx->tid = idx; +- } +- } else { +- clear_filter(adap, f); +- if (ctx) +- ctx->result = err; ++ f->pending = 0; /* async setup completed */ ++ f->valid = 1; ++ if (ctx) { ++ ctx->result = 0; ++ ctx->tid = idx; + } + } else { + /* Something went wrong. Issue a warning about the +--- a/drivers/net/ethernet/chelsio/cxgb4/t4_tcb.h ++++ b/drivers/net/ethernet/chelsio/cxgb4/t4_tcb.h +@@ -42,6 +42,10 @@ + + #define TCB_T_FLAGS_W 1 + ++#define TF_DROP_S 22 ++#define TF_DIRECT_STEER_S 23 ++#define TF_LPBK_S 59 ++ + #define TF_CCTRL_ECE_S 60 + #define TF_CCTRL_CWR_S 61 + #define TF_CCTRL_RFR_S 62 diff --git a/queue-4.19/gtp-fix-an-use-before-init-in-gtp_newlink.patch b/queue-4.19/gtp-fix-an-use-before-init-in-gtp_newlink.patch new file mode 100644 index 00000000000..e7fef572389 --- /dev/null +++ b/queue-4.19/gtp-fix-an-use-before-init-in-gtp_newlink.patch @@ -0,0 +1,86 @@ +From foo@baz Sat Oct 31 10:28:22 AM CET 2020 +From: Masahiro Fujiwara +Date: Tue, 27 Oct 2020 20:48:46 +0900 +Subject: [PATCH stable 5.8 10/22] gtp: fix an use-before-init in gtp_newlink() + +From: Masahiro Fujiwara + +[ Upstream commit 51467431200b91682b89d31317e35dcbca1469ce ] + +*_pdp_find() from gtp_encap_recv() would trigger a crash when a peer +sends GTP packets while creating new GTP device. + +RIP: 0010:gtp1_pdp_find.isra.0+0x68/0x90 [gtp] + +Call Trace: + + gtp_encap_recv+0xc2/0x2e0 [gtp] + ? gtp1_pdp_find.isra.0+0x90/0x90 [gtp] + udp_queue_rcv_one_skb+0x1fe/0x530 + udp_queue_rcv_skb+0x40/0x1b0 + udp_unicast_rcv_skb.isra.0+0x78/0x90 + __udp4_lib_rcv+0x5af/0xc70 + udp_rcv+0x1a/0x20 + ip_protocol_deliver_rcu+0xc5/0x1b0 + ip_local_deliver_finish+0x48/0x50 + ip_local_deliver+0xe5/0xf0 + ? ip_protocol_deliver_rcu+0x1b0/0x1b0 + +gtp_encap_enable() should be called after gtp_hastable_new() otherwise +*_pdp_find() will access the uninitialized hash table. + +Fixes: 1e3a3abd8b28 ("gtp: make GTP sockets in gtp_newlink optional") +Signed-off-by: Masahiro Fujiwara +Link: https://lore.kernel.org/r/20201027114846.3924-1-fujiwara.masahiro@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/gtp.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +--- a/drivers/net/gtp.c ++++ b/drivers/net/gtp.c +@@ -667,10 +667,6 @@ static int gtp_newlink(struct net *src_n + + gtp = netdev_priv(dev); + +- err = gtp_encap_enable(gtp, data); +- if (err < 0) +- return err; +- + if (!data[IFLA_GTP_PDP_HASHSIZE]) { + hashsize = 1024; + } else { +@@ -681,12 +677,16 @@ static int gtp_newlink(struct net *src_n + + err = gtp_hashtable_new(gtp, hashsize); + if (err < 0) +- goto out_encap; ++ return err; ++ ++ err = gtp_encap_enable(gtp, data); ++ if (err < 0) ++ goto out_hashtable; + + err = register_netdevice(dev); + if (err < 0) { + netdev_dbg(dev, "failed to register new netdev %d\n", err); +- goto out_hashtable; ++ goto out_encap; + } + + gn = net_generic(dev_net(dev), gtp_net_id); +@@ -697,11 +697,11 @@ static int gtp_newlink(struct net *src_n + + return 0; + ++out_encap: ++ gtp_encap_disable(gtp); + out_hashtable: + kfree(gtp->addr_hash); + kfree(gtp->tid_hash); +-out_encap: +- gtp_encap_disable(gtp); + return err; + } + diff --git a/queue-4.19/mlxsw-core-fix-memory-leak-on-module-removal.patch b/queue-4.19/mlxsw-core-fix-memory-leak-on-module-removal.patch new file mode 100644 index 00000000000..40110997bbd --- /dev/null +++ b/queue-4.19/mlxsw-core-fix-memory-leak-on-module-removal.patch @@ -0,0 +1,56 @@ +From foo@baz Sat Oct 31 10:28:22 AM CET 2020 +From: Ido Schimmel +Date: Sat, 24 Oct 2020 16:37:32 +0300 +Subject: [PATCH stable 5.8 13/22] mlxsw: core: Fix memory leak on module removal + +From: Ido Schimmel + +[ Upstream commit adc80b6cfedff6dad8b93d46a5ea2775fd5af9ec ] + +Free the devlink instance during the teardown sequence in the non-reload +case to avoid the following memory leak. + +unreferenced object 0xffff888232895000 (size 2048): + comm "modprobe", pid 1073, jiffies 4295568857 (age 164.871s) + hex dump (first 32 bytes): + 00 01 00 00 00 00 ad de 22 01 00 00 00 00 ad de ........"....... + 10 50 89 32 82 88 ff ff 10 50 89 32 82 88 ff ff .P.2.....P.2.... + backtrace: + [<00000000c704e9a6>] __kmalloc+0x13a/0x2a0 + [<00000000ee30129d>] devlink_alloc+0xff/0x760 + [<0000000092ab3e5d>] 0xffffffffa042e5b0 + [<000000004f3f8a31>] 0xffffffffa042f6ad + [<0000000092800b4b>] 0xffffffffa0491df3 + [<00000000c4843903>] local_pci_probe+0xcb/0x170 + [<000000006993ded7>] pci_device_probe+0x2c2/0x4e0 + [<00000000a8e0de75>] really_probe+0x2c5/0xf90 + [<00000000d42ba75d>] driver_probe_device+0x1eb/0x340 + [<00000000bcc95e05>] device_driver_attach+0x294/0x300 + [<000000000e2bc177>] __driver_attach+0x167/0x2f0 + [<000000007d44cd6e>] bus_for_each_dev+0x148/0x1f0 + [<000000003cd5a91e>] driver_attach+0x45/0x60 + [<000000000041ce51>] bus_add_driver+0x3b8/0x720 + [<00000000f5215476>] driver_register+0x230/0x4e0 + [<00000000d79356f5>] __pci_register_driver+0x190/0x200 + +Fixes: a22712a96291 ("mlxsw: core: Fix devlink unregister flow") +Signed-off-by: Ido Schimmel +Reported-by: Vadim Pasternak +Tested-by: Oleksandr Shamray +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlxsw/core.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/net/ethernet/mellanox/mlxsw/core.c ++++ b/drivers/net/ethernet/mellanox/mlxsw/core.c +@@ -1111,6 +1111,8 @@ void mlxsw_core_bus_device_unregister(st + if (!reload) + devlink_resources_unregister(devlink, NULL); + mlxsw_core->bus->fini(mlxsw_core->bus_priv); ++ if (!reload) ++ devlink_free(devlink); + + return; + diff --git a/queue-4.19/netem-fix-zero-division-in-tabledist.patch b/queue-4.19/netem-fix-zero-division-in-tabledist.patch new file mode 100644 index 00000000000..eb8280fd54b --- /dev/null +++ b/queue-4.19/netem-fix-zero-division-in-tabledist.patch @@ -0,0 +1,70 @@ +From foo@baz Sat Oct 31 10:28:22 AM CET 2020 +From: Aleksandr Nogikh +Date: Wed, 28 Oct 2020 17:07:31 +0000 +Subject: [PATCH stable 5.8 14/22] netem: fix zero division in tabledist + +From: Aleksandr Nogikh + +[ Upstream commit eadd1befdd778a1eca57fad058782bd22b4db804 ] + +Currently it is possible to craft a special netlink RTM_NEWQDISC +command that can result in jitter being equal to 0x80000000. It is +enough to set the 32 bit jitter to 0x02000000 (it will later be +multiplied by 2^6) or just set the 64 bit jitter via +TCA_NETEM_JITTER64. This causes an overflow during the generation of +uniformly distributed numbers in tabledist(), which in turn leads to +division by zero (sigma != 0, but sigma * 2 is 0). + +The related fragment of code needs 32-bit division - see commit +9b0ed89 ("netem: remove unnecessary 64 bit modulus"), so switching to +64 bit is not an option. + +Fix the issue by keeping the value of jitter within the range that can +be adequately handled by tabledist() - [0;INT_MAX]. As negative std +deviation makes no sense, take the absolute value of the passed value +and cap it at INT_MAX. Inside tabledist(), switch to unsigned 32 bit +arithmetic in order to prevent overflows. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Aleksandr Nogikh +Reported-by: syzbot+ec762a6342ad0d3c0d8f@syzkaller.appspotmail.com +Acked-by: Stephen Hemminger +Link: https://lore.kernel.org/r/20201028170731.1383332-1-aleksandrnogikh@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/sched/sch_netem.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +--- a/net/sched/sch_netem.c ++++ b/net/sched/sch_netem.c +@@ -330,7 +330,7 @@ static s64 tabledist(s64 mu, s32 sigma, + + /* default uniform distribution */ + if (dist == NULL) +- return ((rnd % (2 * sigma)) + mu) - sigma; ++ return ((rnd % (2 * (u32)sigma)) + mu) - sigma; + + t = dist->table[rnd % dist->size]; + x = (sigma % NETEM_DIST_SCALE) * t; +@@ -787,6 +787,10 @@ static void get_slot(struct netem_sched_ + q->slot_config.max_packets = INT_MAX; + if (q->slot_config.max_bytes == 0) + q->slot_config.max_bytes = INT_MAX; ++ ++ /* capping dist_jitter to the range acceptable by tabledist() */ ++ q->slot_config.dist_jitter = min_t(__s64, INT_MAX, abs(q->slot_config.dist_jitter)); ++ + q->slot.packets_left = q->slot_config.max_packets; + q->slot.bytes_left = q->slot_config.max_bytes; + if (q->slot_config.min_delay | q->slot_config.max_delay | +@@ -1011,6 +1015,9 @@ static int netem_change(struct Qdisc *sc + if (tb[TCA_NETEM_SLOT]) + get_slot(q, tb[TCA_NETEM_SLOT]); + ++ /* capping jitter to the range acceptable by tabledist() */ ++ q->jitter = min_t(s64, abs(q->jitter), INT_MAX); ++ + return ret; + + get_table_failure: diff --git a/queue-4.19/r8169-fix-issue-with-forced-threading-in-combination-with-shared-interrupts.patch b/queue-4.19/r8169-fix-issue-with-forced-threading-in-combination-with-shared-interrupts.patch new file mode 100644 index 00000000000..536234e15c5 --- /dev/null +++ b/queue-4.19/r8169-fix-issue-with-forced-threading-in-combination-with-shared-interrupts.patch @@ -0,0 +1,49 @@ +From foo@baz Sat Oct 31 10:28:22 AM CET 2020 +From: Heiner Kallweit +Date: Thu, 29 Oct 2020 10:18:53 +0100 +Subject: [PATCH stable 5.8 18/22] r8169: fix issue with forced threading in combination with shared interrupts + +From: Heiner Kallweit + +[ Upstream commit 2734a24e6e5d18522fbf599135c59b82ec9b2c9e ] + +As reported by Serge flag IRQF_NO_THREAD causes an error if the +interrupt is actually shared and the other driver(s) don't have this +flag set. This situation can occur if a PCI(e) legacy interrupt is +used in combination with forced threading. +There's no good way to deal with this properly, therefore we have to +remove flag IRQF_NO_THREAD. For fixing the original forced threading +issue switch to napi_schedule(). + +Fixes: 424a646e072a ("r8169: fix operation under forced interrupt threading") +Link: https://www.spinics.net/lists/netdev/msg694960.html +Reported-by: Serge Belyshev +Signed-off-by: Heiner Kallweit +Tested-by: Serge Belyshev +Link: https://lore.kernel.org/r/b5b53bfe-35ac-3768-85bf-74d1290cf394@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/realtek/r8169.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/realtek/r8169.c ++++ b/drivers/net/ethernet/realtek/r8169.c +@@ -6630,7 +6630,7 @@ static irqreturn_t rtl8169_interrupt(int + return IRQ_NONE; + + rtl_irq_disable(tp); +- napi_schedule_irqoff(&tp->napi); ++ napi_schedule(&tp->napi); + + return IRQ_HANDLED; + } +@@ -6886,7 +6886,7 @@ static int rtl_open(struct net_device *d + rtl_request_firmware(tp); + + retval = request_irq(pci_irq_vector(pdev, 0), rtl8169_interrupt, +- IRQF_NO_THREAD | IRQF_SHARED, dev->name, tp); ++ IRQF_SHARED, dev->name, tp); + if (retval < 0) + goto err_release_fw_2; + diff --git a/queue-4.19/ravb-fix-bit-fields-checking-in-ravb_hwtstamp_get.patch b/queue-4.19/ravb-fix-bit-fields-checking-in-ravb_hwtstamp_get.patch new file mode 100644 index 00000000000..e8205147630 --- /dev/null +++ b/queue-4.19/ravb-fix-bit-fields-checking-in-ravb_hwtstamp_get.patch @@ -0,0 +1,69 @@ +From foo@baz Sat Oct 31 10:28:22 AM CET 2020 +From: Andrew Gabbasov +Date: Mon, 26 Oct 2020 05:21:30 -0500 +Subject: [PATCH stable 5.8 19/22] ravb: Fix bit fields checking in ravb_hwtstamp_get() + +From: Andrew Gabbasov + +[ Upstream commit 68b9f0865b1ef545da180c57d54b82c94cb464a4 ] + +In the function ravb_hwtstamp_get() in ravb_main.c with the existing +values for RAVB_RXTSTAMP_TYPE_V2_L2_EVENT (0x2) and RAVB_RXTSTAMP_TYPE_ALL +(0x6) + +if (priv->tstamp_rx_ctrl & RAVB_RXTSTAMP_TYPE_V2_L2_EVENT) + config.rx_filter = HWTSTAMP_FILTER_PTP_V2_L2_EVENT; +else if (priv->tstamp_rx_ctrl & RAVB_RXTSTAMP_TYPE_ALL) + config.rx_filter = HWTSTAMP_FILTER_ALL; + +if the test on RAVB_RXTSTAMP_TYPE_ALL should be true, +it will never be reached. + +This issue can be verified with 'hwtstamp_config' testing program +(tools/testing/selftests/net/hwtstamp_config.c). Setting filter type +to ALL and subsequent retrieving it gives incorrect value: + +$ hwtstamp_config eth0 OFF ALL +flags = 0 +tx_type = OFF +rx_filter = ALL +$ hwtstamp_config eth0 +flags = 0 +tx_type = OFF +rx_filter = PTP_V2_L2_EVENT + +Correct this by converting if-else's to switch. + +Fixes: c156633f1353 ("Renesas Ethernet AVB driver proper") +Reported-by: Julia Lawall +Signed-off-by: Andrew Gabbasov +Reviewed-by: Sergei Shtylyov +Link: https://lore.kernel.org/r/20201026102130.29368-1-andrew_gabbasov@mentor.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/renesas/ravb_main.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +--- a/drivers/net/ethernet/renesas/ravb_main.c ++++ b/drivers/net/ethernet/renesas/ravb_main.c +@@ -1732,12 +1732,16 @@ static int ravb_hwtstamp_get(struct net_ + config.flags = 0; + config.tx_type = priv->tstamp_tx_ctrl ? HWTSTAMP_TX_ON : + HWTSTAMP_TX_OFF; +- if (priv->tstamp_rx_ctrl & RAVB_RXTSTAMP_TYPE_V2_L2_EVENT) ++ switch (priv->tstamp_rx_ctrl & RAVB_RXTSTAMP_TYPE) { ++ case RAVB_RXTSTAMP_TYPE_V2_L2_EVENT: + config.rx_filter = HWTSTAMP_FILTER_PTP_V2_L2_EVENT; +- else if (priv->tstamp_rx_ctrl & RAVB_RXTSTAMP_TYPE_ALL) ++ break; ++ case RAVB_RXTSTAMP_TYPE_ALL: + config.rx_filter = HWTSTAMP_FILTER_ALL; +- else ++ break; ++ default: + config.rx_filter = HWTSTAMP_FILTER_NONE; ++ } + + return copy_to_user(req->ifr_data, &config, sizeof(config)) ? + -EFAULT : 0; diff --git a/queue-4.19/series b/queue-4.19/series index 5aa64772907..83b28cf4956 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -4,3 +4,14 @@ arm64-run-arch_workaround_1-enabling-code-on-all-cpus.patch arm64-link-with-z-norelro-regardless-of-config_relocatable.patch x86-pci-fix-intel_mid_pci.c-build-error-when-acpi-is-not-enabled.patch efivarfs-replace-invalid-slashes-with-exclamation-marks-in-dentries.patch +chelsio-chtls-fix-deadlock-issue.patch +chelsio-chtls-fix-memory-leaks-in-cpl-handlers.patch +chelsio-chtls-fix-tls-record-info-to-user.patch +gtp-fix-an-use-before-init-in-gtp_newlink.patch +mlxsw-core-fix-memory-leak-on-module-removal.patch +netem-fix-zero-division-in-tabledist.patch +ravb-fix-bit-fields-checking-in-ravb_hwtstamp_get.patch +tcp-prevent-low-rmem-stalls-with-so_rcvlowat.patch +tipc-fix-memory-leak-caused-by-tipc_buf_append.patch +r8169-fix-issue-with-forced-threading-in-combination-with-shared-interrupts.patch +cxgb4-set-up-filter-action-after-rewrites.patch diff --git a/queue-4.19/tcp-prevent-low-rmem-stalls-with-so_rcvlowat.patch b/queue-4.19/tcp-prevent-low-rmem-stalls-with-so_rcvlowat.patch new file mode 100644 index 00000000000..ef85e66dae4 --- /dev/null +++ b/queue-4.19/tcp-prevent-low-rmem-stalls-with-so_rcvlowat.patch @@ -0,0 +1,63 @@ +From foo@baz Sat Oct 31 10:28:22 AM CET 2020 +From: Arjun Roy +Date: Fri, 23 Oct 2020 11:47:09 -0700 +Subject: [PATCH stable 5.8 20/22] tcp: Prevent low rmem stalls with SO_RCVLOWAT. + +From: Arjun Roy + +[ Upstream commit 435ccfa894e35e3d4a1799e6ac030e48a7b69ef5 ] + +With SO_RCVLOWAT, under memory pressure, +it is possible to enter a state where: + +1. We have not received enough bytes to satisfy SO_RCVLOWAT. +2. We have not entered buffer pressure (see tcp_rmem_pressure()). +3. But, we do not have enough buffer space to accept more packets. + +In this case, we advertise 0 rwnd (due to #3) but the application does +not drain the receive queue (no wakeup because of #1 and #2) so the +flow stalls. + +Modify the heuristic for SO_RCVLOWAT so that, if we are advertising +rwnd<=rcv_mss, force a wakeup to prevent a stall. + +Without this patch, setting tcp_rmem to 6143 and disabling TCP +autotune causes a stalled flow. With this patch, no stall occurs. This +is with RPC-style traffic with large messages. + +Fixes: 03f45c883c6f ("tcp: avoid extra wakeups for SO_RCVLOWAT users") +Signed-off-by: Arjun Roy +Acked-by: Soheil Hassas Yeganeh +Acked-by: Neal Cardwell +Signed-off-by: Eric Dumazet +Link: https://lore.kernel.org/r/20201023184709.217614-1-arjunroy.kdev@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/tcp.c | 2 ++ + net/ipv4/tcp_input.c | 3 ++- + 2 files changed, 4 insertions(+), 1 deletion(-) + +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -495,6 +495,8 @@ static inline bool tcp_stream_is_readabl + return true; + if (tcp_rmem_pressure(sk)) + return true; ++ if (tcp_receive_window(tp) <= inet_csk(sk)->icsk_ack.rcv_mss) ++ return true; + } + if (sk->sk_prot->stream_memory_read) + return sk->sk_prot->stream_memory_read(sk); +--- a/net/ipv4/tcp_input.c ++++ b/net/ipv4/tcp_input.c +@@ -4704,7 +4704,8 @@ void tcp_data_ready(struct sock *sk) + int avail = tp->rcv_nxt - tp->copied_seq; + + if (avail < sk->sk_rcvlowat && !tcp_rmem_pressure(sk) && +- !sock_flag(sk, SOCK_DONE)) ++ !sock_flag(sk, SOCK_DONE) && ++ tcp_receive_window(tp) > inet_csk(sk)->icsk_ack.rcv_mss) + return; + + sk->sk_data_ready(sk); diff --git a/queue-4.19/tipc-fix-memory-leak-caused-by-tipc_buf_append.patch b/queue-4.19/tipc-fix-memory-leak-caused-by-tipc_buf_append.patch new file mode 100644 index 00000000000..9a46a06beb6 --- /dev/null +++ b/queue-4.19/tipc-fix-memory-leak-caused-by-tipc_buf_append.patch @@ -0,0 +1,72 @@ +From foo@baz Sat Oct 31 10:28:22 AM CET 2020 +From: Tung Nguyen +Date: Tue, 27 Oct 2020 10:24:03 +0700 +Subject: [PATCH stable 5.8 21/22] tipc: fix memory leak caused by tipc_buf_append() + +From: Tung Nguyen + +[ Upstream commit ceb1eb2fb609c88363e06618b8d4bbf7815a4e03 ] + +Commit ed42989eab57 ("tipc: fix the skb_unshare() in tipc_buf_append()") +replaced skb_unshare() with skb_copy() to not reduce the data reference +counter of the original skb intentionally. This is not the correct +way to handle the cloned skb because it causes memory leak in 2 +following cases: + 1/ Sending multicast messages via broadcast link + The original skb list is cloned to the local skb list for local + destination. After that, the data reference counter of each skb + in the original list has the value of 2. This causes each skb not + to be freed after receiving ACK: + tipc_link_advance_transmq() + { + ... + /* release skb */ + __skb_unlink(skb, &l->transmq); + kfree_skb(skb); <-- memory exists after being freed + } + + 2/ Sending multicast messages via replicast link + Similar to the above case, each skb cannot be freed after purging + the skb list: + tipc_mcast_xmit() + { + ... + __skb_queue_purge(pkts); <-- memory exists after being freed + } + +This commit fixes this issue by using skb_unshare() instead. Besides, +to avoid use-after-free error reported by KASAN, the pointer to the +fragment is set to NULL before calling skb_unshare() to make sure that +the original skb is not freed after freeing the fragment 2 times in +case skb_unshare() returns NULL. + +Fixes: ed42989eab57 ("tipc: fix the skb_unshare() in tipc_buf_append()") +Acked-by: Jon Maloy +Reported-by: Thang Hoang Ngo +Signed-off-by: Tung Nguyen +Reviewed-by: Xin Long +Acked-by: Cong Wang +Link: https://lore.kernel.org/r/20201027032403.1823-1-tung.q.nguyen@dektech.com.au +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/tipc/msg.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/net/tipc/msg.c ++++ b/net/tipc/msg.c +@@ -140,12 +140,11 @@ int tipc_buf_append(struct sk_buff **hea + if (fragid == FIRST_FRAGMENT) { + if (unlikely(head)) + goto err; +- if (skb_cloned(frag)) +- frag = skb_copy(frag, GFP_ATOMIC); ++ *buf = NULL; ++ frag = skb_unshare(frag, GFP_ATOMIC); + if (unlikely(!frag)) + goto err; + head = *headbuf = frag; +- *buf = NULL; + TIPC_SKB_CB(head)->tail = NULL; + if (skb_is_nonlinear(head)) { + skb_walk_frags(head, tail) {