From: Greg Kroah-Hartman
Date: Thu, 28 May 2020 12:20:56 +0000 (+0200)
Subject: 4.19-stable patches
X-Git-Tag: v4.4.226~64
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=3abbcfe03b383a40e1f64f8c732a93ea4d17fd34;p=thirdparty%2Fkernel%2Fstable-queue.git
4.19-stable patches
added patches:
__netif_receive_skb_core-pass-skb-by-reference.patch
ax25-fix-setsockopt-so_bindtodevice.patch
dpaa_eth-fix-usage-as-dsa-master-try-3.patch
net-dsa-mt7530-fix-roaming-from-dsa-user-ports.patch
net-inet_csk-fix-so_reuseport-bind-address-cache-in-tb-fast.patch
net-ipip-fix-wrong-address-family-in-init-error-path.patch
net-mlx5-add-command-entry-handling-completion.patch
net-mlx5e-update-netdev-txq-on-completions-during-closure.patch
net-qrtr-fix-passing-invalid-reference-to-qrtr_local_enqueue.patch
net-revert-net-get-rid-of-an-signed-integer-overflow-in-ip_idents_reserve.patch
net-sched-fix-reporting-the-first-time-use-timestamp.patch
r8152-support-additional-microsoft-surface-ethernet-adapter-variant.patch
sctp-don-t-add-the-shutdown-timer-if-its-already-been-added.patch
sctp-start-shutdown-on-association-restart-if-in-shutdown-sent-state-and-socket-is-closed.patch
---
diff --git a/queue-4.19/__netif_receive_skb_core-pass-skb-by-reference.patch b/queue-4.19/__netif_receive_skb_core-pass-skb-by-reference.patch
new file mode 100644
index 00000000000..39e301bb19a
--- /dev/null
+++ b/queue-4.19/__netif_receive_skb_core-pass-skb-by-reference.patch
@@ -0,0 +1,91 @@
+From foo@baz Thu 28 May 2020 01:21:48 PM CEST
+From: Boris Sukholitko
+Date: Tue, 19 May 2020 10:32:37 +0300
+Subject: __netif_receive_skb_core: pass skb by reference
+
+From: Boris Sukholitko
+
+[ Upstream commit c0bbbdc32febd4f034ecbf3ea17865785b2c0652 ]
+
+__netif_receive_skb_core may change the skb pointer passed into it (e.g.
+in rx_handler). The original skb may be freed as a result of this
+operation.
+
+The callers of __netif_receive_skb_core may further process original skb
+by using pt_prev pointer returned by __netif_receive_skb_core thus
+leading to unpleasant effects.
+
+The solution is to pass skb by reference into __netif_receive_skb_core.
+
+v2: Added Fixes tag and comment regarding ppt_prev and skb invariant.
+
+Fixes: 88eb1944e18c ("net: core: propagate SKB lists through packet_type lookup")
+Signed-off-by: Boris Sukholitko
+Acked-by: Edward Cree
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/core/dev.c | 20 +++++++++++++++-----
+ 1 file changed, 15 insertions(+), 5 deletions(-)
+
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -4778,11 +4778,12 @@ static inline int nf_ingress(struct sk_b
+ return 0;
+ }
+
+-static int __netif_receive_skb_core(struct sk_buff *skb, bool pfmemalloc,
++static int __netif_receive_skb_core(struct sk_buff **pskb, bool pfmemalloc,
+ struct packet_type **ppt_prev)
+ {
+ struct packet_type *ptype, *pt_prev;
+ rx_handler_func_t *rx_handler;
++ struct sk_buff *skb = *pskb;
+ struct net_device *orig_dev;
+ bool deliver_exact = false;
+ int ret = NET_RX_DROP;
+@@ -4813,8 +4814,10 @@ another_round:
+ ret2 = do_xdp_generic(rcu_dereference(skb->dev->xdp_prog), skb);
+ preempt_enable();
+
+- if (ret2 != XDP_PASS)
+- return NET_RX_DROP;
++ if (ret2 != XDP_PASS) {
++ ret = NET_RX_DROP;
++ goto out;
++ }
+ skb_reset_mac_len(skb);
+ }
+
+@@ -4936,6 +4939,13 @@ drop:
+ }
+
+ out:
++ /* The invariant here is that if *ppt_prev is not NULL
++ * then skb should also be non-NULL.
++ *
++ * Apparently *ppt_prev assignment above holds this invariant due to
++ * skb dereferencing near it.
++ */
++ *pskb = skb;
+ return ret;
+ }
+
+@@ -4945,7 +4955,7 @@ static int __netif_receive_skb_one_core(
+ struct packet_type *pt_prev = NULL;
+ int ret;
+
+- ret = __netif_receive_skb_core(skb, pfmemalloc, &pt_prev);
++ ret = __netif_receive_skb_core(&skb, pfmemalloc, &pt_prev);
+ if (pt_prev)
+ ret = pt_prev->func(skb, skb->dev, pt_prev, orig_dev);
+ return ret;
+@@ -5021,7 +5031,7 @@ static void __netif_receive_skb_list_cor
+ struct packet_type *pt_prev = NULL;
+
+ skb_list_del_init(skb);
+- __netif_receive_skb_core(skb, pfmemalloc, &pt_prev);
++ __netif_receive_skb_core(&skb, pfmemalloc, &pt_prev);
+ if (!pt_prev)
+ continue;
+ if (pt_curr != pt_prev || od_curr != orig_dev) {
diff --git a/queue-4.19/ax25-fix-setsockopt-so_bindtodevice.patch b/queue-4.19/ax25-fix-setsockopt-so_bindtodevice.patch
new file mode 100644
index 00000000000..c655f77a4d1
--- /dev/null
+++ b/queue-4.19/ax25-fix-setsockopt-so_bindtodevice.patch
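Review bot: The comment added at `out:` in net/core/dev.c states the invariant only tentatively ("Apparently ... holds") and does not tell callers what they may do with `*pskb` when `*ppt_prev` is NULL. Both callers shown in the patch read `skb` only after checking `pt_prev`, so the contract would be clearer as `/* *pskb is only valid for the caller when *ppt_prev is non-NULL; otherwise the skb may already have been consumed or freed. */`. The second half of that wording is inferred from the commit message and should be confirmed against the rx_handler paths, which lie outside these hunks. It is also worth confirming that no other early `return` in the function bypasses `out:`, since only the XDP one is converted here.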
@@ -0,0 +1,72 @@
+From foo@baz Thu 28 May 2020 01:21:48 PM CEST
+From: Eric Dumazet
+Date: Tue, 19 May 2020 18:24:43 -0700
+Subject: ax25: fix setsockopt(SO_BINDTODEVICE)
+
+From: Eric Dumazet
+
+[ Upstream commit 687775cec056b38a4c8f3291e0dd7a9145f7b667 ]
+
+syzbot was able to trigger this trace [1], probably by using
+a zero optlen.
+
+While we are at it, cap optlen to IFNAMSIZ - 1 instead of IFNAMSIZ.
+
+[1]
+BUG: KMSAN: uninit-value in strnlen+0xf9/0x170 lib/string.c:569
+CPU: 0 PID: 8807 Comm: syz-executor483 Not tainted 5.7.0-rc4-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x1c9/0x220 lib/dump_stack.c:118
+ kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:121
+ __msan_warning+0x58/0xa0 mm/kmsan/kmsan_instr.c:215
+ strnlen+0xf9/0x170 lib/string.c:569
+ dev_name_hash net/core/dev.c:207 [inline]
+ netdev_name_node_lookup net/core/dev.c:277 [inline]
+ __dev_get_by_name+0x75/0x2b0 net/core/dev.c:778
+ ax25_setsockopt+0xfa3/0x1170 net/ax25/af_ax25.c:654
+ __compat_sys_setsockopt+0x4ed/0x910 net/compat.c:403
+ __do_compat_sys_setsockopt net/compat.c:413 [inline]
+ __se_compat_sys_setsockopt+0xdd/0x100 net/compat.c:410
+ __ia32_compat_sys_setsockopt+0x62/0x80 net/compat.c:410
+ do_syscall_32_irqs_on arch/x86/entry/common.c:339 [inline]
+ do_fast_syscall_32+0x3bf/0x6d0 arch/x86/entry/common.c:398
+ entry_SYSENTER_compat+0x68/0x77 arch/x86/entry/entry_64_compat.S:139
+RIP: 0023:0xf7f57dd9
+Code: 90 e8 0b 00 00 00 f3 90 0f ae e8 eb f9 8d 74 26 00 89 3c 24 c3 90 90 90 90 90 90 90 90 90 90 90 90 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
+RSP: 002b:00000000ffae8c1c EFLAGS: 00000217 ORIG_RAX: 000000000000016e
+RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000000101
+RDX: 0000000000000019 RSI: 0000000020000000 RDI: 0000000000000004
+RBP: 0000000000000012 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
+R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
+
+Local variable ----devname@ax25_setsockopt created at:
+ ax25_setsockopt+0xe6/0x1170 net/ax25/af_ax25.c:536
+ ax25_setsockopt+0xe6/0x1170 net/ax25/af_ax25.c:536
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Eric Dumazet
+Reported-by: syzbot
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ax25/af_ax25.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/net/ax25/af_ax25.c
++++ b/net/ax25/af_ax25.c
+@@ -638,8 +638,10 @@ static int ax25_setsockopt(struct socket
+ break;
+
+ case SO_BINDTODEVICE:
+- if (optlen > IFNAMSIZ)
+- optlen = IFNAMSIZ;
++ if (optlen > IFNAMSIZ - 1)
++ optlen = IFNAMSIZ - 1;
++
++ memset(devname, 0, sizeof(devname));
+
+ if (copy_from_user(devname, optval, optlen)) {
+ res = -EFAULT;
diff --git a/queue-4.19/dpaa_eth-fix-usage-as-dsa-master-try-3.patch b/queue-4.19/dpaa_eth-fix-usage-as-dsa-master-try-3.patch
new file mode 100644
index 00000000000..0849defe6f5
--- /dev/null
+++ b/queue-4.19/dpaa_eth-fix-usage-as-dsa-master-try-3.patch
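Review bot: The new cap in the `SO_BINDTODEVICE` case uses `IFNAMSIZ - 1` while the zeroing uses `sizeof(devname)`, so the NUL-termination guarantee holds only if `devname` is declared with exactly IFNAMSIZ bytes, and that declaration is outside the hunk. Tying both to the buffer, `if (optlen > sizeof(devname) - 1) optlen = sizeof(devname) - 1;`, would keep the bound correct if the declaration ever changes. A short comment above the memset, such as `/* keep devname NUL-terminated for __dev_get_by_name() */`, would record why the full clear is needed, since the KMSAN trace in the description shows uninitialised bytes of this buffer reaching strnlen().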
@@ -0,0 +1,73 @@
+From foo@baz Thu 28 May 2020 01:21:48 PM CEST
+From: Vladimir Oltean
+Date: Mon, 25 May 2020 00:22:51 +0300
+Subject: dpaa_eth: fix usage as DSA master, try 3
+
+From: Vladimir Oltean
+
+[ Upstream commit 5d14c304bfc14b4fd052dc83d5224376b48f52f0 ]
+
+The dpaa-eth driver probes on compatible string for the MAC node, and
+the fman/mac.c driver allocates a dpaa-ethernet platform device that
+triggers the probing of the dpaa-eth net device driver.
+
+All of this is fine, but the problem is that the struct device of the
+dpaa_eth net_device is 2 parents away from the MAC which can be
+referenced via of_node. So of_find_net_device_by_node can't find it, and
+DSA switches won't be able to probe on top of FMan ports.
+
+It would be a bit silly to modify a core function
+(of_find_net_device_by_node) to look for dev->parent->parent->of_node
+just for one driver. We're just 1 step away from implementing full
+recursion.
+
+Actually there have already been at least 2 previous attempts to make
+this work:
+- Commit a1a50c8e4c24 ("fsl/man: Inherit parent device and of_node")
+- One or more of the patches in "[v3,0/6] adapt DPAA drivers for DSA":
+ https://patchwork.ozlabs.org/project/netdev/cover/1508178970-28945-1-git-send-email-madalin.bucur@nxp.com/
+ (I couldn't really figure out which one was supposed to solve the
+ problem and how).
+
+Point being, it looks like this is still pretty much a problem today.
+On T1040, the /sys/class/net/eth0 symlink currently points to
+
+../../devices/platform/ffe000000.soc/ffe400000.fman/ffe4e6000.ethernet/dpaa-ethernet.0/net/eth0
+
+which pretty much illustrates the problem. The closest of_node we've got
+is the "fsl,fman-memac" at /soc@ffe000000/fman@400000/ethernet@e6000,
+which is what we'd like to be able to reference from DSA as host port.
+
+For of_find_net_device_by_node to find the eth0 port, we would need the
+parent of the eth0 net_device to not be the "dpaa-ethernet" platform
+device, but to point 1 level higher, aka the "fsl,fman-memac" node
+directly. The new sysfs path would look like this:
+
+../../devices/platform/ffe000000.soc/ffe400000.fman/ffe4e6000.ethernet/net/eth0
+
+And this is exactly what SET_NETDEV_DEV does. It sets the parent of the
+net_device. The new parent has an of_node associated with it, and
+of_dev_node_match already checks for the of_node of the device or of its
+parent.
+
+Fixes: a1a50c8e4c24 ("fsl/man: Inherit parent device and of_node")
+Fixes: c6e26ea8c893 ("dpaa_eth: change device used")
+Signed-off-by: Vladimir Oltean
+Reviewed-by: Florian Fainelli
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/freescale/dpaa/dpaa_eth.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/freescale/dpaa/dpaa_eth.c
++++ b/drivers/net/ethernet/freescale/dpaa/dpaa_eth.c
+@@ -2796,7 +2796,7 @@ static int dpaa_eth_probe(struct platfor
+ }
+
+ /* Do this here, so we can be verbose early */
+- SET_NETDEV_DEV(net_dev, dev);
++ SET_NETDEV_DEV(net_dev, dev->parent);
+ dev_set_drvdata(dev, net_dev);
+
+ priv = netdev_priv(net_dev);
diff --git a/queue-4.19/net-dsa-mt7530-fix-roaming-from-dsa-user-ports.patch b/queue-4.19/net-dsa-mt7530-fix-roaming-from-dsa-user-ports.patch
new file mode 100644
index 00000000000..c0d585665a2
--- /dev/null
+++ b/queue-4.19/net-dsa-mt7530-fix-roaming-from-dsa-user-ports.patch
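Review bot: The comment above the changed call in dpaa_eth_probe() still reads only "Do this here, so we can be verbose early" and gives no reason for passing `dev->parent`, which the commit message needs several paragraphs to explain. A one-line addition such as `/* Parent the netdev to the MAC device so of_find_net_device_by_node() can match its of_node */` would keep a later cleanup from reverting the argument to `dev`. The call also assumes `dev->parent` is always set for this platform device; the allocation in fman/mac.c is outside the hunk, so that is worth confirming.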
@@ -0,0 +1,121 @@
+From foo@baz Thu 28 May 2020 01:21:48 PM CEST
+From: DENG Qingfang
+Date: Wed, 13 May 2020 23:10:16 +0800
+Subject: net: dsa: mt7530: fix roaming from DSA user ports
+
+From: DENG Qingfang
+
+[ Upstream commit 5e5502e012b8129e11be616acb0f9c34bc8f8adb ]
+
+When a client moves from a DSA user port to a software port in a bridge,
+it cannot reach any other clients that connected to the DSA user ports.
+That is because SA learning on the CPU port is disabled, so the switch
+ignores the client's frames from the CPU port and still thinks it is at
+the user port.
+
+Fix it by enabling SA learning on the CPU port.
+
+To prevent the switch from learning from flooding frames from the CPU
+port, set skb->offload_fwd_mark to 1 for unicast and broadcast frames,
+and let the switch flood them instead of trapping to the CPU port.
+Multicast frames still need to be trapped to the CPU port for snooping,
+so set the SA_DIS bit of the MTK tag to 1 when transmitting those frames
+to disable SA learning.
+
+Fixes: b8f126a8d543 ("net-next: dsa: add dsa support for Mediatek MT7530 switch")
+Signed-off-by: DENG Qingfang
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/dsa/mt7530.c | 9 ++-------
+ drivers/net/dsa/mt7530.h | 1 +
+ net/dsa/tag_mtk.c | 15 +++++++++++++++
+ 3 files changed, 18 insertions(+), 7 deletions(-)
+
+--- a/drivers/net/dsa/mt7530.c
++++ b/drivers/net/dsa/mt7530.c
+@@ -685,11 +685,8 @@ mt7530_cpu_port_enable(struct mt7530_pri
+ /* Setup the MAC by default for the cpu port */
+ mt7530_write(priv, MT7530_PMCR_P(port), PMCR_CPUP_LINK);
+
+- /* Disable auto learning on the cpu port */
+- mt7530_set(priv, MT7530_PSC_P(port), SA_DIS);
+-
+- /* Unknown unicast frame fordwarding to the cpu port */
+- mt7530_set(priv, MT7530_MFC, UNU_FFP(BIT(port)));
++ /* Unknown multicast frame forwarding to the cpu port */
++ mt7530_rmw(priv, MT7530_MFC, UNM_FFP_MASK, UNM_FFP(BIT(port)));
+
+ /* CPU port gets connected to all user ports of
+ * the switch
+@@ -1288,8 +1285,6 @@ mt7530_setup(struct dsa_switch *ds)
+ /* Enable and reset MIB counters */
+ mt7530_mib_reset(ds);
+
+- mt7530_clear(priv, MT7530_MFC, UNU_FFP_MASK);
+-
+ for (i = 0; i < MT7530_NUM_PORTS; i++) {
+ /* Disable forwarding by default on all ports */
+ mt7530_rmw(priv, MT7530_PCR_P(i), PCR_MATRIX_MASK,
+--- a/drivers/net/dsa/mt7530.h
++++ b/drivers/net/dsa/mt7530.h
+@@ -34,6 +34,7 @@
+ #define MT7530_MFC 0x10
+ #define BC_FFP(x) (((x) & 0xff) << 24)
+ #define UNM_FFP(x) (((x) & 0xff) << 16)
++#define UNM_FFP_MASK UNM_FFP(~0)
+ #define UNU_FFP(x) (((x) & 0xff) << 8)
+ #define UNU_FFP_MASK UNU_FFP(~0)
+
+--- a/net/dsa/tag_mtk.c
++++ b/net/dsa/tag_mtk.c
+@@ -22,6 +22,7 @@
+ #define MTK_HDR_XMIT_TAGGED_TPID_8100 1
+ #define MTK_HDR_RECV_SOURCE_PORT_MASK GENMASK(2, 0)
+ #define MTK_HDR_XMIT_DP_BIT_MASK GENMASK(5, 0)
++#define MTK_HDR_XMIT_SA_DIS BIT(6)
+
+ static struct sk_buff *mtk_tag_xmit(struct sk_buff *skb,
+ struct net_device *dev)
+@@ -29,6 +30,9 @@ static struct sk_buff *mtk_tag_xmit(stru
+ struct dsa_port *dp = dsa_slave_to_port(dev);
+ u8 *mtk_tag;
+ bool is_vlan_skb = true;
++ unsigned char *dest = eth_hdr(skb)->h_dest;
++ bool is_multicast_skb = is_multicast_ether_addr(dest) &&
++ !is_broadcast_ether_addr(dest);
+
+ /* Build the special tag after the MAC Source Address. If VLAN header
+ * is present, it's required that VLAN header and special tag is
+@@ -54,6 +58,10 @@ static struct sk_buff *mtk_tag_xmit(stru
+ MTK_HDR_XMIT_UNTAGGED;
+ mtk_tag[1] = (1 << dp->index) & MTK_HDR_XMIT_DP_BIT_MASK;
+
++ /* Disable SA learning for multicast frames */
++ if (unlikely(is_multicast_skb))
++ mtk_tag[1] |= MTK_HDR_XMIT_SA_DIS;
++
+ /* Tag control information is kept for 802.1Q */
+ if (!is_vlan_skb) {
+ mtk_tag[2] = 0;
+@@ -68,6 +76,9 @@ static struct sk_buff *mtk_tag_rcv(struc
+ {
+ int port;
+ __be16 *phdr, hdr;
++ unsigned char *dest = eth_hdr(skb)->h_dest;
++ bool is_multicast_skb = is_multicast_ether_addr(dest) &&
++ !is_broadcast_ether_addr(dest);
+
+ if (unlikely(!pskb_may_pull(skb, MTK_HDR_LEN)))
+ return NULL;
+@@ -93,6 +104,10 @@ static struct sk_buff *mtk_tag_rcv(struc
+ if (!skb->dev)
+ return NULL;
+
++ /* Only unicast or broadcast frames are offloaded */
++ if (likely(!is_multicast_skb))
++ skb->offload_fwd_mark = 1;
++
+ return skb;
+ }
+
diff --git a/queue-4.19/net-inet_csk-fix-so_reuseport-bind-address-cache-in-tb-fast.patch b/queue-4.19/net-inet_csk-fix-so_reuseport-bind-address-cache-in-tb-fast.patch
new file mode 100644
index 00000000000..58a45e834aa
--- /dev/null
+++ b/queue-4.19/net-inet_csk-fix-so_reuseport-bind-address-cache-in-tb-fast.patch
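Review bot: In mtk_tag_rcv() in net/dsa/tag_mtk.c the new `dest` pointer is taken from `eth_hdr(skb)` before the `pskb_may_pull()` check, and pskb_may_pull() may reallocate the header, so `dest` must not be dereferenced after that call. The code is safe as written only because `is_multicast_skb` is fully evaluated in the declaration; a comment such as `/* evaluated before pskb_may_pull(); dest is not valid afterwards */` would protect that. The same multicast-but-not-broadcast expression is duplicated in mtk_tag_xmit(), so a small static inline helper would keep the learning decision on the two paths from drifting apart. Both function bodies extend beyond the hunks shown.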
@@ -0,0 +1,163 @@
+From foo@baz Thu 28 May 2020 01:21:48 PM CEST
+From: Martin KaFai Lau
+Date: Mon, 18 May 2020 17:13:34 -0700
+Subject: net: inet_csk: Fix so_reuseport bind-address cache in tb->fast*
+
+From: Martin KaFai Lau
+
+[ Upstream commit 88d7fcfa3b1fe670f0412b95be785aafca63352b ]
+
+The commit 637bc8bbe6c0 ("inet: reset tb->fastreuseport when adding a reuseport sk")
+added a bind-address cache in tb->fast*. The tb->fast* caches the address
+of a sk which has successfully been binded with SO_REUSEPORT ON. The idea
+is to avoid the expensive conflict search in inet_csk_bind_conflict().
+
+There is an issue with wildcard matching where sk_reuseport_match() should
+have returned false but it is currently returning true. It ends up
+hiding bind conflict. For example,
+
+bind("[::1]:443"); /* without SO_REUSEPORT. Succeed. */
+bind("[::2]:443"); /* with SO_REUSEPORT. Succeed. */
+bind("[::]:443"); /* with SO_REUSEPORT. Still Succeed where it shouldn't */
+
+The last bind("[::]:443") with SO_REUSEPORT on should have failed because
+it should have a conflict with the very first bind("[::1]:443") which
+has SO_REUSEPORT off. However, the address "[::2]" is cached in
+tb->fast* in the second bind. In the last bind, the sk_reuseport_match()
+returns true because the binding sk's wildcard addr "[::]" matches with
+the "[::2]" cached in tb->fast*.
+
+The correct bind conflict is reported by removing the second
+bind such that tb->fast* cache is not involved and forces the
+bind("[::]:443") to go through the inet_csk_bind_conflict():
+
+bind("[::1]:443"); /* without SO_REUSEPORT. Succeed. */
+bind("[::]:443"); /* with SO_REUSEPORT. -EADDRINUSE */
+
+The expected behavior for sk_reuseport_match() is, it should only allow
+the "cached" tb->fast* address to be used as a wildcard match but not
+the address of the binding sk. To do that, the current
+"bool match_wildcard" arg is split into
+"bool match_sk1_wildcard" and "bool match_sk2_wildcard".
+
+This change only affects the sk_reuseport_match() which is only
+used by inet_csk (e.g. TCP).
+The other use cases are calling inet_rcv_saddr_equal() and
+this patch makes it pass the same "match_wildcard" arg twice to
+the "ipv[46]_rcv_saddr_equal(..., match_wildcard, match_wildcard)".
+
+Cc: Josef Bacik
+Fixes: 637bc8bbe6c0 ("inet: reset tb->fastreuseport when adding a reuseport sk")
+Signed-off-by: Martin KaFai Lau
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv4/inet_connection_sock.c | 43 ++++++++++++++++++++++------------------
+ 1 file changed, 24 insertions(+), 19 deletions(-)
+
+--- a/net/ipv4/inet_connection_sock.c
++++ b/net/ipv4/inet_connection_sock.c
+@@ -28,17 +28,19 @@
+ #include
+
+ #if IS_ENABLED(CONFIG_IPV6)
+-/* match_wildcard == true: IPV6_ADDR_ANY equals to any IPv6 addresses if IPv6
+- * only, and any IPv4 addresses if not IPv6 only
+- * match_wildcard == false: addresses must be exactly the same, i.e.
+- * IPV6_ADDR_ANY only equals to IPV6_ADDR_ANY,
+- * and 0.0.0.0 equals to 0.0.0.0 only
++/* match_sk*_wildcard == true: IPV6_ADDR_ANY equals to any IPv6 addresses
++ * if IPv6 only, and any IPv4 addresses
++ * if not IPv6 only
++ * match_sk*_wildcard == false: addresses must be exactly the same, i.e.
++ * IPV6_ADDR_ANY only equals to IPV6_ADDR_ANY,
++ * and 0.0.0.0 equals to 0.0.0.0 only
+ */
+ static bool ipv6_rcv_saddr_equal(const struct in6_addr *sk1_rcv_saddr6,
+ const struct in6_addr *sk2_rcv_saddr6,
+ __be32 sk1_rcv_saddr, __be32 sk2_rcv_saddr,
+ bool sk1_ipv6only, bool sk2_ipv6only,
+- bool match_wildcard)
++ bool match_sk1_wildcard,
++ bool match_sk2_wildcard)
+ {
+ int addr_type = ipv6_addr_type(sk1_rcv_saddr6);
+ int addr_type2 = sk2_rcv_saddr6 ? ipv6_addr_type(sk2_rcv_saddr6) : IPV6_ADDR_MAPPED;
+@@ -48,8 +50,8 @@ static bool ipv6_rcv_saddr_equal(const s
+ if (!sk2_ipv6only) {
+ if (sk1_rcv_saddr == sk2_rcv_saddr)
+ return true;
+- if (!sk1_rcv_saddr || !sk2_rcv_saddr)
+- return match_wildcard;
++ return (match_sk1_wildcard && !sk1_rcv_saddr) ||
++ (match_sk2_wildcard && !sk2_rcv_saddr);
+ }
+ return false;
+ }
+@@ -57,11 +59,11 @@ static bool ipv6_rcv_saddr_equal(const s
+ if (addr_type == IPV6_ADDR_ANY && addr_type2 == IPV6_ADDR_ANY)
+ return true;
+
+- if (addr_type2 == IPV6_ADDR_ANY && match_wildcard &&
++ if (addr_type2 == IPV6_ADDR_ANY && match_sk2_wildcard &&
+ !(sk2_ipv6only && addr_type == IPV6_ADDR_MAPPED))
+ return true;
+
+- if (addr_type == IPV6_ADDR_ANY && match_wildcard &&
++ if (addr_type == IPV6_ADDR_ANY && match_sk1_wildcard &&
+ !(sk1_ipv6only && addr_type2 == IPV6_ADDR_MAPPED))
+ return true;
+
+@@ -73,18 +75,19 @@ static bool ipv6_rcv_saddr_equal(const s
+ }
+ #endif
+
+-/* match_wildcard == true: 0.0.0.0 equals to any IPv4 addresses
+- * match_wildcard == false: addresses must be exactly the same, i.e.
+- * 0.0.0.0 only equals to 0.0.0.0
++/* match_sk*_wildcard == true: 0.0.0.0 equals to any IPv4 addresses
++ * match_sk*_wildcard == false: addresses must be exactly the same, i.e.
++ * 0.0.0.0 only equals to 0.0.0.0
+ */
+ static bool ipv4_rcv_saddr_equal(__be32 sk1_rcv_saddr, __be32 sk2_rcv_saddr,
+- bool sk2_ipv6only, bool match_wildcard)
++ bool sk2_ipv6only, bool match_sk1_wildcard,
++ bool match_sk2_wildcard)
+ {
+ if (!sk2_ipv6only) {
+ if (sk1_rcv_saddr == sk2_rcv_saddr)
+ return true;
+- if (!sk1_rcv_saddr || !sk2_rcv_saddr)
+- return match_wildcard;
++ return (match_sk1_wildcard && !sk1_rcv_saddr) ||
++ (match_sk2_wildcard && !sk2_rcv_saddr);
+ }
+ return false;
+ }
+@@ -100,10 +103,12 @@ bool inet_rcv_saddr_equal(const struct s
+ sk2->sk_rcv_saddr,
+ ipv6_only_sock(sk),
+ ipv6_only_sock(sk2),
++ match_wildcard,
+ match_wildcard);
+ #endif
+ return ipv4_rcv_saddr_equal(sk->sk_rcv_saddr, sk2->sk_rcv_saddr,
+- ipv6_only_sock(sk2), match_wildcard);
++ ipv6_only_sock(sk2), match_wildcard,
++ match_wildcard);
+ }
+ EXPORT_SYMBOL(inet_rcv_saddr_equal);
+
+@@ -274,10 +279,10 @@ static inline int sk_reuseport_match(str
+ tb->fast_rcv_saddr,
+ sk->sk_rcv_saddr,
+ tb->fast_ipv6_only,
+- ipv6_only_sock(sk), true);
++ ipv6_only_sock(sk), true, false);
+ #endif
+ return ipv4_rcv_saddr_equal(tb->fast_rcv_saddr, sk->sk_rcv_saddr,
+- ipv6_only_sock(sk), true);
++ ipv6_only_sock(sk), true, false);
+ }
+
+ /* Obtain a reference to a local port for the given sock,
diff --git a/queue-4.19/net-ipip-fix-wrong-address-family-in-init-error-path.patch b/queue-4.19/net-ipip-fix-wrong-address-family-in-init-error-path.patch
new file mode 100644
index 00000000000..1c8e6b2c481
--- /dev/null
+++ b/queue-4.19/net-ipip-fix-wrong-address-family-in-init-error-path.patch
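Review bot: The two call sites in sk_reuseport_match() now pass bare literals `true, false` for `match_sk1_wildcard` and `match_sk2_wildcard`, and nothing at the call says which argument is the cached tb->fast* address and which is the binding socket. Swapping them would silently bring back the hidden bind conflict described in the commit message, so a comment there would help, for example `/* sk1 = cached tb->fast* addr (its wildcard may match), sk2 = binding sk (its wildcard must not) */`. The updated header comments on ipv6_rcv_saddr_equal() and ipv4_rcv_saddr_equal() say `match_sk*_wildcard` but do not state that each flag applies only to its own side's ANY address; one sentence saying so would match the new return expressions.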
@@ -0,0 +1,31 @@
+From foo@baz Thu 28 May 2020 01:21:48 PM CEST
+From: Vadim Fedorenko
+Date: Wed, 20 May 2020 11:50:48 +0300
+Subject: net: ipip: fix wrong address family in init error path
+
+From: Vadim Fedorenko
+
+[ Upstream commit 57ebc8f08504f176eb0f25b3e0fde517dec61a4f ]
+
+In case of error with MPLS support the code is misusing AF_INET
+instead of AF_MPLS.
+
+Fixes: 1b69e7e6c4da ("ipip: support MPLS over IPv4")
+Signed-off-by: Vadim Fedorenko
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv4/ipip.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv4/ipip.c
++++ b/net/ipv4/ipip.c
+@@ -704,7 +704,7 @@ out:
+
+ rtnl_link_failed:
+ #if IS_ENABLED(CONFIG_MPLS)
+- xfrm4_tunnel_deregister(&mplsip_handler, AF_INET);
++ xfrm4_tunnel_deregister(&mplsip_handler, AF_MPLS);
+ xfrm_tunnel_mplsip_failed:
+
+ #endif
diff --git a/queue-4.19/net-mlx5-add-command-entry-handling-completion.patch b/queue-4.19/net-mlx5-add-command-entry-handling-completion.patch
new file mode 100644
index 00000000000..d420763b617
--- /dev/null
+++ b/queue-4.19/net-mlx5-add-command-entry-handling-completion.patch
@@ -0,0 +1,96 @@
+From foo@baz Thu 28 May 2020 01:21:48 PM CEST
+From: Moshe Shemesh
+Date: Fri, 27 Dec 2019 07:01:53 +0200
+Subject: net/mlx5: Add command entry handling completion
+
+From: Moshe Shemesh
+
+[ Upstream commit 17d00e839d3b592da9659c1977d45f85b77f986a ]
+
+When FW response to commands is very slow and all command entries in
+use are waiting for completion we can have a race where commands can get
+timeout before they get out of the queue and handled. Timeout
+completion on uninitialized command will cause releasing command's
+buffers before accessing it for initialization and then we will get NULL
+pointer exception while trying access it. It may also cause releasing
+buffers of another command since we may have timeout completion before
+even allocating entry index for this command.
+Add entry handling completion to avoid this race.
+
+Fixes: e126ba97dba9 ("mlx5: Add driver for Mellanox Connect-IB adapters")
+Signed-off-by: Moshe Shemesh
+Signed-off-by: Eran Ben Elisha
+Signed-off-by: Saeed Mahameed
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/mellanox/mlx5/core/cmd.c | 14 ++++++++++++++
+ include/linux/mlx5/driver.h | 1 +
+ 2 files changed, 15 insertions(+)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
+@@ -835,6 +835,7 @@ static void cmd_work_handler(struct work
+ int alloc_ret;
+ int cmd_mode;
+
++ complete(&ent->handling);
+ sem = ent->page_queue ? &cmd->pages_sem : &cmd->sem;
+ down(sem);
+ if (!ent->page_queue) {
+@@ -953,6 +954,11 @@ static int wait_func(struct mlx5_core_de
+ struct mlx5_cmd *cmd = &dev->cmd;
+ int err;
+
++ if (!wait_for_completion_timeout(&ent->handling, timeout) &&
++ cancel_work_sync(&ent->work)) {
++ ent->ret = -ECANCELED;
++ goto out_err;
++ }
+ if (cmd->mode == CMD_MODE_POLLING || ent->polling) {
+ wait_for_completion(&ent->done);
+ } else if (!wait_for_completion_timeout(&ent->done, timeout)) {
+@@ -960,12 +966,17 @@ static int wait_func(struct mlx5_core_de
+ mlx5_cmd_comp_handler(dev, 1UL << ent->idx, true);
+ }
+
++out_err:
+ err = ent->ret;
+
+ if (err == -ETIMEDOUT) {
+ mlx5_core_warn(dev, "%s(0x%x) timeout. Will cause a leak of a command resource\n",
+ mlx5_command_str(msg_to_opcode(ent->in)),
+ msg_to_opcode(ent->in));
++ } else if (err == -ECANCELED) {
++ mlx5_core_warn(dev, "%s(0x%x) canceled on out of queue timeout.\n",
++ mlx5_command_str(msg_to_opcode(ent->in)),
++ msg_to_opcode(ent->in));
+ }
+ mlx5_core_dbg(dev, "err %d, delivery status %s(%d)\n",
+ err, deliv_status_to_str(ent->status), ent->status);
+@@ -1001,6 +1012,7 @@ static int mlx5_cmd_invoke(struct mlx5_c
+ ent->token = token;
+ ent->polling = force_polling;
+
++ init_completion(&ent->handling);
+ if (!callback)
+ init_completion(&ent->done);
+
+@@ -1020,6 +1032,8 @@ static int mlx5_cmd_invoke(struct mlx5_c
+ err = wait_func(dev, ent);
+ if (err == -ETIMEDOUT)
+ goto out;
++ if (err == -ECANCELED)
++ goto out_free;
+
+ ds = ent->ts2 - ent->ts1;
+ op = MLX5_GET(mbox_in, in->first.data, opcode);
+--- a/include/linux/mlx5/driver.h
++++ b/include/linux/mlx5/driver.h
+@@ -902,6 +902,7 @@ struct mlx5_cmd_work_ent {
+ struct delayed_work cb_timeout_work;
+ void *context;
+ int idx;
++ struct completion handling;
+ struct completion done;
+ struct mlx5_cmd *cmd;
+ struct work_struct work;
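Review bot: In wait_func() the new wait on `ent->handling` and the existing wait on `ent->done` each use the full `timeout`, so a command that leaves the queue just before the first wait expires can block the caller for roughly twice the intended period. If that is not intended, the second wait could be bounded by whatever the first call left over, provided a zero remainder is handled explicitly. When the first wait times out but `cancel_work_sync()` returns false, execution falls through to the normal path; a comment such as `/* work already started: fall through and wait for ent->done */` would make the `&&` easier to read. The declaration of `timeout` and the `out_free` label used in mlx5_cmd_invoke() are outside the hunks.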
diff --git a/queue-4.19/net-mlx5e-update-netdev-txq-on-completions-during-closure.patch b/queue-4.19/net-mlx5e-update-netdev-txq-on-completions-during-closure.patch
new file mode 100644
index 00000000000..a8c56c3b2fc
--- /dev/null
+++ b/queue-4.19/net-mlx5e-update-netdev-txq-on-completions-during-closure.patch
@@ -0,0 +1,48 @@
+From foo@baz Thu 28 May 2020 01:21:48 PM CEST
+From: Moshe Shemesh
+Date: Tue, 7 Apr 2020 17:38:28 +0300
+Subject: net/mlx5e: Update netdev txq on completions during closure
+
+From: Moshe Shemesh
+
+[ Upstream commit 5e911e2c06bd8c17df29147a5e2d4b17fafda024 ]
+
+On sq closure when we free its descriptors, we should also update netdev
+txq on completions which would not arrive. Otherwise if we reopen sqs
+and attach them back, for example on fw fatal recovery flow, we may get
+tx timeout.
+
+Fixes: 29429f3300a3 ("net/mlx5e: Timeout if SQ doesn't flush during close")
+Signed-off-by: Moshe Shemesh
+Reviewed-by: Tariq Toukan
+Signed-off-by: Saeed Mahameed
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_tx.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_tx.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_tx.c
+@@ -595,8 +595,9 @@ bool mlx5e_poll_tx_cq(struct mlx5e_cq *c
+ void mlx5e_free_txqsq_descs(struct mlx5e_txqsq *sq)
+ {
+ struct mlx5e_tx_wqe_info *wi;
++ u32 nbytes = 0;
++ u16 ci, npkts = 0;
+ struct sk_buff *skb;
+- u16 ci;
+ int i;
+
+ while (sq->cc != sq->pc) {
+@@ -617,8 +618,11 @@ void mlx5e_free_txqsq_descs(struct mlx5e
+ }
+
+ dev_kfree_skb_any(skb);
++ npkts++;
++ nbytes += wi->num_bytes;
+ sq->cc += wi->num_wqebbs;
+ }
++ netdev_tx_completed_queue(sq->txq, npkts, nbytes);
+ }
+
+ #ifdef CONFIG_MLX5_CORE_IPOIB
diff --git a/queue-4.19/net-qrtr-fix-passing-invalid-reference-to-qrtr_local_enqueue.patch b/queue-4.19/net-qrtr-fix-passing-invalid-reference-to-qrtr_local_enqueue.patch
new file mode 100644
index 00000000000..fd459977e52
--- /dev/null
+++ b/queue-4.19/net-qrtr-fix-passing-invalid-reference-to-qrtr_local_enqueue.patch
@@ -0,0 +1,38 @@
+From foo@baz Thu 28 May 2020 01:21:48 PM CEST
+From: Manivannan Sadhasivam
+Date: Tue, 19 May 2020 23:44:16 +0530
+Subject: net: qrtr: Fix passing invalid reference to qrtr_local_enqueue()
+
+From: Manivannan Sadhasivam
+
+[ Upstream commit d28ea1fbbf437054ef339afec241019f2c4e2bb6 ]
+
+Once the traversal of the list is completed with list_for_each_entry(),
+the iterator (node) will point to an invalid object. So passing this to
+qrtr_local_enqueue() which is outside of the iterator block is erroneous
+eventhough the object is not used.
+
+So fix this by passing NULL to qrtr_local_enqueue().
+
+Fixes: bdabad3e363d ("net: Add Qualcomm IPC router")
+Reported-by: kbuild test robot
+Reported-by: Julia Lawall
+Signed-off-by: Manivannan Sadhasivam
+Reviewed-by: Bjorn Andersson
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/qrtr/qrtr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/qrtr/qrtr.c
++++ b/net/qrtr/qrtr.c
+@@ -718,7 +718,7 @@ static int qrtr_bcast_enqueue(struct qrt
+ }
+ mutex_unlock(&qrtr_node_lock);
+
+- qrtr_local_enqueue(node, skb, type, from, to);
++ qrtr_local_enqueue(NULL, skb, type, from, to);
+
+ return 0;
+ }
diff --git a/queue-4.19/net-revert-net-get-rid-of-an-signed-integer-overflow-in-ip_idents_reserve.patch b/queue-4.19/net-revert-net-get-rid-of-an-signed-integer-overflow-in-ip_idents_reserve.patch
new file mode 100644
index 00000000000..ab1be986a7d
--- /dev/null
+++ b/queue-4.19/net-revert-net-get-rid-of-an-signed-integer-overflow-in-ip_idents_reserve.patch
@@ -0,0 +1,66 @@
+From foo@baz Thu 28 May 2020 01:21:48 PM CEST
+From: Yuqi Jin
+Date: Sat, 16 May 2020 11:46:49 +0800
+Subject: net: revert "net: get rid of an signed integer overflow in ip_idents_reserve()"
+
+From: Yuqi Jin
+
+[ Upstream commit a6211caa634da39d861a47437ffcda8b38ef421b ]
+
+Commit adb03115f459 ("net: get rid of an signed integer overflow in ip_idents_reserve()")
+used atomic_cmpxchg to replace "atomic_add_return" inside the function
+"ip_idents_reserve". The reason was to avoid UBSAN warning.
+However, this change has caused performance degrade and in GCC-8,
+fno-strict-overflow is now mapped to -fwrapv -fwrapv-pointer
+and signed integer overflow is now undefined by default at all
+optimization levels[1]. Moreover, it was a bug in UBSAN vs -fwrapv
+/-fno-strict-overflow, so Let's revert it safely.
+
+[1] https://gcc.gnu.org/gcc-8/changes.html
+
+Suggested-by: Peter Zijlstra
+Suggested-by: Eric Dumazet
+Cc: "David S. Miller"
+Cc: Alexey Kuznetsov
+Cc: Hideaki YOSHIFUJI
+Cc: Jakub Kicinski
+Cc: Jiri Pirko
+Cc: Arvind Sankar
+Cc: Peter Zijlstra
+Cc: Eric Dumazet
+Cc: Jiong Wang
+Signed-off-by: Yuqi Jin
+Signed-off-by: Shaokun Zhang
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv4/route.c | 14 ++++++--------
+ 1 file changed, 6 insertions(+), 8 deletions(-)
+
+--- a/net/ipv4/route.c
++++ b/net/ipv4/route.c
+@@ -484,18 +484,16 @@ u32 ip_idents_reserve(u32 hash, int segs
+ atomic_t *p_id = ip_idents + hash % IP_IDENTS_SZ;
+ u32 old = READ_ONCE(*p_tstamp);
+ u32 now = (u32)jiffies;
+- u32 new, delta = 0;
++ u32 delta = 0;
+
+ if (old != now && cmpxchg(p_tstamp, old, now) == old)
+ delta = prandom_u32_max(now - old);
+
+- /* Do not use atomic_add_return() as it makes UBSAN unhappy */
+- do {
+- old = (u32)atomic_read(p_id);
+- new = old + delta + segs;
+- } while (atomic_cmpxchg(p_id, old, new) != old);
+-
+- return new - segs;
++ /* If UBSAN reports an error there, please make sure your compiler
++ * supports -fno-strict-overflow before reporting it that was a bug
++ * in UBSAN, and it has been fixed in GCC-8.
++ */
++ return atomic_add_return(segs + delta, p_id) - segs;
+ }
+ EXPORT_SYMBOL(ip_idents_reserve);
+
diff --git a/queue-4.19/net-sched-fix-reporting-the-first-time-use-timestamp.patch b/queue-4.19/net-sched-fix-reporting-the-first-time-use-timestamp.patch
new file mode 100644
index 00000000000..0d447822be7
--- /dev/null
+++ b/queue-4.19/net-sched-fix-reporting-the-first-time-use-timestamp.patch
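Review bot: The restored `atomic_add_return(segs + delta, p_id) - segs` in ip_idents_reserve() depends on the counter wrapping on signed overflow, which the new comment mentions only as advice about UBSAN reports. Stating the requirement directly would help, for example `/* p_id is expected to wrap; this relies on the build using -fno-strict-overflow */`, with the build-flag half confirmed against the tree's Makefile since it is not visible here. The clause "before reporting it that was a bug in UBSAN" in the added comment is also hard to parse and would read better as two sentences.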
@@ -0,0 +1,37 @@
+From foo@baz Thu 28 May 2020 01:21:48 PM CEST
+From: Roman Mashak
+Date: Sun, 17 May 2020 08:46:31 -0400
+Subject: net sched: fix reporting the first-time use timestamp
+
+From: Roman Mashak
+
+[ Upstream commit b15e62631c5f19fea9895f7632dae9c1b27fe0cd ]
+
+When a new action is installed, firstuse field of 'tcf_t' is explicitly set
+to 0. Value of zero means "new action, not yet used"; as a packet hits the
+action, 'firstuse' is stamped with the current jiffies value.
+
+tcf_tm_dump() should return 0 for firstuse if action has not yet been hit.
+
+Fixes: 48d8ee1694dd ("net sched actions: aggregate dumping of actions timeinfo")
+Cc: Jamal Hadi Salim
+Signed-off-by: Roman Mashak
+Acked-by: Jamal Hadi Salim
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ include/net/act_api.h | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/include/net/act_api.h
++++ b/include/net/act_api.h
+@@ -67,7 +67,8 @@ static inline void tcf_tm_dump(struct tc
+ {
+ dtm->install = jiffies_to_clock_t(jiffies - stm->install);
+ dtm->lastuse = jiffies_to_clock_t(jiffies - stm->lastuse);
+- dtm->firstuse = jiffies_to_clock_t(jiffies - stm->firstuse);
++ dtm->firstuse = stm->firstuse ?
++ jiffies_to_clock_t(jiffies - stm->firstuse) : 0;
+ dtm->expires = jiffies_to_clock_t(stm->expires);
+ }
+
diff --git a/queue-4.19/r8152-support-additional-microsoft-surface-ethernet-adapter-variant.patch b/queue-4.19/r8152-support-additional-microsoft-surface-ethernet-adapter-variant.patch
new file mode 100644
index 00000000000..42530fef7f9
--- /dev/null
+++ b/queue-4.19/r8152-support-additional-microsoft-surface-ethernet-adapter-variant.patch
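Review bot: The new ternary in tcf_tm_dump() treats `stm->firstuse == 0` as "never used", but nothing at that line records the convention, which is stated only in the commit message. A one-line comment above the assignment would keep it with the code: `/* firstuse == 0 means the action has not been hit yet */`. Because firstuse is stamped with the raw jiffies value, an action first hit at the moment jiffies is 0 would also be reported as unused; that looks harmless for a dump field, but it is worth confirming that no consumer treats the value as authoritative.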
@@ -0,0 +1,60 @@
+From foo@baz Thu 28 May 2020 01:21:48 PM CEST
+From: Marc Payne
+Date: Tue, 19 May 2020 19:01:46 +0100
+Subject: r8152: support additional Microsoft Surface Ethernet Adapter variant
+
+From: Marc Payne
+
+[ Upstream commit c27a204383616efba5a4194075e90819961ff66a ]
+
+Device id 0927 is the RTL8153B-based component of the 'Surface USB-C to
+Ethernet and USB Adapter' and may be used as a component of other devices
+in future. Tested and working with the r8152 driver.
+
+Update the cdc_ether blacklist due to the RTL8153 'network jam on suspend'
+issue which this device will cause (personally confirmed).
+
+Signed-off-by: Marc Payne
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/usb/cdc_ether.c | 11 +++++++++--
+ drivers/net/usb/r8152.c | 1 +
+ 2 files changed, 10 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/usb/cdc_ether.c
++++ b/drivers/net/usb/cdc_ether.c
+@@ -821,14 +821,21 @@ static const struct usb_device_id produc
+ .driver_info = 0,
+ },
+
+-/* Microsoft Surface 3 dock (based on Realtek RTL8153) */
++/* Microsoft Surface Ethernet Adapter (based on Realtek RTL8153) */
+ {
+ USB_DEVICE_AND_INTERFACE_INFO(MICROSOFT_VENDOR_ID, 0x07c6, USB_CLASS_COMM,
+ USB_CDC_SUBCLASS_ETHERNET, USB_CDC_PROTO_NONE),
+ .driver_info = 0,
+ },
+
+- /* TP-LINK UE300 USB 3.0 Ethernet Adapters (based on Realtek RTL8153) */
++/* Microsoft Surface Ethernet Adapter (based on Realtek RTL8153B) */
++{
++ USB_DEVICE_AND_INTERFACE_INFO(MICROSOFT_VENDOR_ID, 0x0927, USB_CLASS_COMM,
++ USB_CDC_SUBCLASS_ETHERNET, USB_CDC_PROTO_NONE),
++ .driver_info = 0,
++},
++
++/* TP-LINK UE300 USB 3.0 Ethernet Adapters (based on Realtek RTL8153) */
+ {
+ USB_DEVICE_AND_INTERFACE_INFO(TPLINK_VENDOR_ID, 0x0601, USB_CLASS_COMM,
+ USB_CDC_SUBCLASS_ETHERNET, USB_CDC_PROTO_NONE),
+--- a/drivers/net/usb/r8152.c
++++ b/drivers/net/usb/r8152.c
+@@ -5344,6 +5344,7 @@ static const struct usb_device_id rtl815
+ {REALTEK_USB_DEVICE(VENDOR_ID_REALTEK, 0x8153)},
+ {REALTEK_USB_DEVICE(VENDOR_ID_MICROSOFT, 0x07ab)},
+ {REALTEK_USB_DEVICE(VENDOR_ID_MICROSOFT, 0x07c6)},
++ {REALTEK_USB_DEVICE(VENDOR_ID_MICROSOFT, 0x0927)},
+ {REALTEK_USB_DEVICE(VENDOR_ID_SAMSUNG, 0xa101)},
+ {REALTEK_USB_DEVICE(VENDOR_ID_LENOVO, 0x304f)},
+ {REALTEK_USB_DEVICE(VENDOR_ID_LENOVO, 0x3062)},
diff --git a/queue-4.19/sctp-don-t-add-the-shutdown-timer-if-its-already-been-added.patch b/queue-4.19/sctp-don-t-add-the-shutdown-timer-if-its-already-been-added.patch
new file mode 100644
index 00000000000..0ef24bd3d6c
--- /dev/null
+++ b/queue-4.19/sctp-don-t-add-the-shutdown-timer-if-its-already-been-added.patch
@@ -0,0 +1,81 @@
+From foo@baz Thu 28 May 2020 01:21:48 PM CEST
+From: Neil Horman
+Date: Tue, 19 May 2020 16:04:05 -0400
+Subject: sctp: Don't add the shutdown timer if its already been added
+
+From: Neil Horman
+
+[ Upstream commit 20a785aa52c82246055a089e55df9dac47d67da1 ]
+
+This BUG halt was reported a while back, but the patch somehow got
+missed:
+
+PID: 2879 TASK: c16adaa0 CPU: 1 COMMAND: "sctpn"
+ #0 [f418dd28] crash_kexec at c04a7d8c
+ #1 [f418dd7c] oops_end at c0863e02
+ #2 [f418dd90] do_invalid_op at c040aaca
+ #3 [f418de28] error_code (via invalid_op) at c08631a5
+ EAX: f34baac0 EBX: 00000090 ECX: f418deb0 EDX: f5542950 EBP: 00000000
+ DS: 007b ESI: f34ba800 ES: 007b EDI: f418dea0 GS: 00e0
+ CS: 0060 EIP: c046fa5e ERR: ffffffff EFLAGS: 00010286
+ #4 [f418de5c] add_timer at c046fa5e
+ #5 [f418de68] sctp_do_sm at f8db8c77 [sctp]
+ #6 [f418df30] sctp_primitive_SHUTDOWN at f8dcc1b5 [sctp]
+ #7 [f418df48] inet_shutdown at c080baf9
+ #8 [f418df5c] sys_shutdown at c079eedf
+ #9 [f418df70] sys_socketcall at c079fe88
+ EAX: ffffffda EBX: 0000000d ECX: bfceea90 EDX: 0937af98
+ DS: 007b ESI: 0000000c ES: 007b EDI: b7150ae4
+ SS: 007b ESP: bfceea7c EBP: bfceeaa8 GS: 0033
+ CS: 0073 EIP: b775c424 ERR: 00000066 EFLAGS: 00000282
+
+It appears that the side effect that starts the shutdown timer was processed
+multiple times, which can happen as multiple paths can trigger it. This of
+course leads to the BUG halt in add_timer getting called.
+
+Fix seems pretty straightforward, just check before the timer is added if its
+already been started. If it has mod the timer instead to min(current
+expiration, new expiration)
+
+Its been tested but not confirmed to fix the problem, as the issue has only
+occured in production environments where test kernels are enjoined from being
+installed. It appears to be a sane fix to me though. Also, recentely,
+Jere found a reproducer posted on list to confirm that this resolves the
+issues
+
+Signed-off-by: Neil Horman
+CC: Vlad Yasevich
+CC: "David S. Miller"
+CC: jere.leppanen@nokia.com
+CC: marcelo.leitner@gmail.com
+CC: netdev@vger.kernel.org
+Acked-by: Marcelo Ricardo Leitner
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/sctp/sm_sideeffect.c | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+--- a/net/sctp/sm_sideeffect.c
++++ b/net/sctp/sm_sideeffect.c
+@@ -1537,9 +1537,17 @@ static int sctp_cmd_interpreter(enum sct
+ timeout = asoc->timeouts[cmd->obj.to];
+ BUG_ON(!timeout);
+
+- timer->expires = jiffies + timeout;
+- sctp_association_hold(asoc);
+- add_timer(timer);
++ /*
++ * SCTP has a hard time with timer starts. Because we process
++ * timer starts as side effects, it can be hard to tell if we
++ * have already started a timer or not, which leads to BUG
++ * halts when we call add_timer. So here, instead of just starting
++ * a timer, if the timer is already started, and just mod
++ * the timer with the shorter of the two expiration times
++ */
++ if (!timer_pending(timer))
++ sctp_association_hold(asoc);
++ timer_reduce(timer, jiffies + timeout);
+ break;
+
+ case SCTP_CMD_TIMER_RESTART:
diff --git a/queue-4.19/sctp-start-shutdown-on-association-restart-if-in-shutdown-sent-state-and-socket-is-closed.patch b/queue-4.19/sctp-start-shutdown-on-association-restart-if-in-shutdown-sent-state-and-socket-is-closed.patch
new file mode 100644
index 00000000000..2a0aa2bec7b
--- /dev/null
+++ b/queue-4.19/sctp-start-shutdown-on-association-restart-if-in-shutdown-sent-state-and-socket-is-closed.patch
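Review bot: The `timer_pending()` test and the following `timer_reduce()` are two separate steps, so the decision to take the association reference is not tied to whether this call actually armed the timer. If the timer expires between the two, it is re-armed without a matching `sctp_association_hold()` and the reference count can end up one short; whether a lock taken outside the hunk rules this out cannot be seen here. Using the return value closes the gap: `if (!timer_reduce(timer, jiffies + timeout))` followed by `sctp_association_hold(asoc);`. The added comment also has a broken sentence ("instead of just starting a timer, if the timer is already started, and just mod the timer") that should be rewritten as one instruction. sctp_cmd_interpreter() begins and ends outside the hunk.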
@@ -0,0 +1,69 @@
+From foo@baz Thu 28 May 2020 01:21:48 PM CEST
+From: "Jere Leppänen"
+Date: Wed, 20 May 2020 18:15:31 +0300
+Subject: sctp: Start shutdown on association restart if in SHUTDOWN-SENT state and socket is closed
+
+From: "Jere Leppänen"
+
+[ Upstream commit d3e8e4c11870413789f029a71e72ae6e971fe678 ]
+
+Commit bdf6fa52f01b ("sctp: handle association restarts when the
+socket is closed.") starts shutdown when an association is restarted,
+if in SHUTDOWN-PENDING state and the socket is closed. However, the
+rationale stated in that commit applies also when in SHUTDOWN-SENT
+state - we don't want to move an association to ESTABLISHED state when
+the socket has been closed, because that results in an association
+that is unreachable from user space.
+
+The problem scenario:
+
+1. Client crashes and/or restarts.
+
+2. Server (using one-to-one socket) calls close(). SHUTDOWN is lost.
+
+3. Client reconnects using the same addresses and ports.
+
+4. Server's association is restarted. The association and the socket
+ move to ESTABLISHED state, even though the server process has
+ closed its descriptor.
+
+Also, after step 4 when the server process exits, some resources are
+leaked in an attempt to release the underlying inet sock structure in
+ESTABLISHED state:
+
+ IPv4: Attempt to release TCP socket in state 1 00000000377288c7
+
+Fix by acting the same way as in SHUTDOWN-PENDING state. That is, if
+an association is restarted in SHUTDOWN-SENT state and the socket is
+closed, then start shutdown and don't move the association or the
+socket to ESTABLISHED state.
+
+Fixes: bdf6fa52f01b ("sctp: handle association restarts when the socket is closed.")
+Signed-off-by: Jere Leppänen
+Acked-by: Marcelo Ricardo Leitner
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/sctp/sm_statefuns.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/net/sctp/sm_statefuns.c
++++ b/net/sctp/sm_statefuns.c
+@@ -1871,12 +1871,13 @@ static enum sctp_disposition sctp_sf_do_
+ /* Update the content of current association. */
+ sctp_add_cmd_sf(commands, SCTP_CMD_UPDATE_ASSOC, SCTP_ASOC(new_asoc));
+ sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev));
+- if (sctp_state(asoc, SHUTDOWN_PENDING) &&
++ if ((sctp_state(asoc, SHUTDOWN_PENDING) ||
++ sctp_state(asoc, SHUTDOWN_SENT)) &&
+ (sctp_sstate(asoc->base.sk, CLOSING) ||
+ sock_flag(asoc->base.sk, SOCK_DEAD))) {
+- /* if were currently in SHUTDOWN_PENDING, but the socket
+- * has been closed by user, don't transition to ESTABLISHED.
+- * Instead trigger SHUTDOWN bundled with COOKIE_ACK.
++ /* If the socket has been closed by user, don't
++ * transition to ESTABLISHED. Instead trigger SHUTDOWN
++ * bundled with COOKIE_ACK.
+ */
+ sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
+ return sctp_sf_do_9_2_start_shutdown(net, ep, asoc,
diff --git a/queue-4.19/series b/queue-4.19/series
new file mode 100644
index 00000000000..0ac517a67b4
--- /dev/null
+++ b/queue-4.19/series
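Review bot: The rewritten comment inside the `if` no longer names the states the branch applies to and gives no reason for refusing the transition. The reason is recorded only in the commit message: an association moved to ESTABLISHED after the socket was closed is unreachable from user space, and resources leak when the process exits. I would keep that next to the condition, for example `/* In SHUTDOWN_PENDING or SHUTDOWN_SENT with the socket already closed, an ESTABLISHED association would be unreachable from user space; start SHUTDOWN bundled with COOKIE_ACK instead. */`. The function starts before the hunk and the `return` statement continues past its last line.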
@@ -0,0 +1,14 @@
+ax25-fix-setsockopt-so_bindtodevice.patch
+dpaa_eth-fix-usage-as-dsa-master-try-3.patch
+net-dsa-mt7530-fix-roaming-from-dsa-user-ports.patch
+__netif_receive_skb_core-pass-skb-by-reference.patch
+net-inet_csk-fix-so_reuseport-bind-address-cache-in-tb-fast.patch
+net-ipip-fix-wrong-address-family-in-init-error-path.patch
+net-mlx5-add-command-entry-handling-completion.patch
+net-qrtr-fix-passing-invalid-reference-to-qrtr_local_enqueue.patch
+net-revert-net-get-rid-of-an-signed-integer-overflow-in-ip_idents_reserve.patch
+net-sched-fix-reporting-the-first-time-use-timestamp.patch
+r8152-support-additional-microsoft-surface-ethernet-adapter-variant.patch
+sctp-don-t-add-the-shutdown-timer-if-its-already-been-added.patch
+sctp-start-shutdown-on-association-restart-if-in-shutdown-sent-state-and-socket-is-closed.patch
+net-mlx5e-update-netdev-txq-on-completions-during-closure.patch