From: Greg Kroah-Hartman Date: Thu, 9 Apr 2020 11:24:32 +0000 (+0200) Subject: 5.4-stable patches X-Git-Tag: v4.4.219~35 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=5c03af634824ed33964aa050b4049916f28b24f8;p=thirdparty%2Fkernel%2Fstable-queue.git 5.4-stable patches added patches: cxgb4-fix-mps-index-overwrite-when-setting-mac-address.patch ipv6-don-t-auto-add-link-local-address-to-lag-ports.patch mlxsw-spectrum_flower-do-not-stop-at-flow_action_vlan_mangle.patch net-dsa-bcm_sf2-do-not-register-slave-mdio-bus-with-of.patch net-dsa-bcm_sf2-ensure-correct-sub-node-is-parsed.patch net-dsa-mt7530-fix-null-pointer-dereferencing-in-port5-setup.patch net-phy-micrel-kszphy_resume-add-delay-after-genphy_resume-before-accessing-phy-registers.patch net-stmmac-dwmac1000-fix-out-of-bounds-mac-address-reg-setting.patch net_sched-add-a-temporary-refcnt-for-struct-tcindex_data.patch net_sched-fix-a-missing-refcnt-in-tcindex_init.patch r8169-change-back-sg-and-tso-to-be-disabled-by-default.patch slcan-don-t-transmit-uninitialized-stack-data-in-padding.patch tun-don-t-put_page-for-all-negative-return-values-from-xdp-program.patch --- diff --git a/queue-5.4/cxgb4-fix-mps-index-overwrite-when-setting-mac-address.patch b/queue-5.4/cxgb4-fix-mps-index-overwrite-when-setting-mac-address.patch new file mode 100644 index 00000000000..adad3f12b80 --- /dev/null +++ b/queue-5.4/cxgb4-fix-mps-index-overwrite-when-setting-mac-address.patch 
@@ -0,0 +1,42 @@ +From foo@baz Thu 09 Apr 2020 01:21:20 PM CEST +From: Herat Ramani +Date: Wed, 1 Apr 2020 01:16:09 +0530 +Subject: cxgb4: fix MPS index overwrite when setting MAC address + +From: Herat Ramani + +[ Upstream commit 41aa8561ca3fc5748391f08cc5f3e561923da52c ] + +cxgb4_update_mac_filt() earlier requests firmware to add a new MAC +address into MPS TCAM. The MPS TCAM index returned by firmware is +stored in pi->xact_addr_filt. However, the saved MPS TCAM index gets +overwritten again with the return value of cxgb4_update_mac_filt(), +which is wrong. + +When trying to update to another MAC address later, the wrong MPS TCAM +index is sent to firmware, which causes firmware to return error, +because it's not the same MPS TCAM index that firmware had sent +earlier to driver. + +So, fix by removing the wrong overwrite being done after call to +cxgb4_update_mac_filt(). + +Fixes: 3f8cfd0d95e6 ("cxgb4/cxgb4vf: Program hash region for {t4/t4vf}_change_mac()") +Signed-off-by: Herat Ramani +Signed-off-by: Rahul Lakkireddy +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c ++++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c +@@ -3032,7 +3032,6 @@ static int cxgb_set_mac_addr(struct net_ + return ret; + + memcpy(dev->dev_addr, addr->sa_data, dev->addr_len); +- pi->xact_addr_filt = ret; + return 0; + } + diff --git a/queue-5.4/ipv6-don-t-auto-add-link-local-address-to-lag-ports.patch b/queue-5.4/ipv6-don-t-auto-add-link-local-address-to-lag-ports.patch new file mode 100644 index 00000000000..1b067ded35e --- /dev/null +++ b/queue-5.4/ipv6-don-t-auto-add-link-local-address-to-lag-ports.patch 
@@ -0,0 +1,91 @@ +From foo@baz Thu 09 Apr 2020 01:21:20 PM CEST +From: Jarod Wilson +Date: Mon, 30 Mar 2020 11:22:19 -0400 +Subject: ipv6: don't auto-add link-local address to lag ports + +From: Jarod Wilson + +[ Upstream commit 744fdc8233f6aa9582ce08a51ca06e59796a3196 ] + +Bonding slave and team port devices should not have link-local addresses +automatically added to them, as it can interfere with openvswitch being +able to properly add tc ingress. + +Basic reproducer, courtesy of Marcelo: + +$ ip link add name bond0 type bond +$ ip link set dev ens2f0np0 master bond0 +$ ip link set dev ens2f1np2 master bond0 +$ ip link set dev bond0 up +$ ip a s +1: lo: mtu 65536 qdisc noqueue state UNKNOWN +group default qlen 1000 + link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 + inet 127.0.0.1/8 scope host lo + valid_lft forever preferred_lft forever + inet6 ::1/128 scope host + valid_lft forever preferred_lft forever +2: ens2f0np0: mtu 1500 qdisc +mq master bond0 state UP group default qlen 1000 + link/ether 00:0f:53:2f:ea:40 brd ff:ff:ff:ff:ff:ff +5: ens2f1np2: mtu 1500 qdisc +mq master bond0 state DOWN group default qlen 1000 + link/ether 00:0f:53:2f:ea:40 brd ff:ff:ff:ff:ff:ff +11: bond0: mtu 1500 qdisc +noqueue state UP group default qlen 1000 + link/ether 00:0f:53:2f:ea:40 brd ff:ff:ff:ff:ff:ff + inet6 fe80::20f:53ff:fe2f:ea40/64 scope link + valid_lft forever preferred_lft forever + +(above trimmed to relevant entries, obviously) + +$ sysctl net.ipv6.conf.ens2f0np0.addr_gen_mode=0 +net.ipv6.conf.ens2f0np0.addr_gen_mode = 0 +$ sysctl net.ipv6.conf.ens2f1np2.addr_gen_mode=0 +net.ipv6.conf.ens2f1np2.addr_gen_mode = 0 + +$ ip a l ens2f0np0 +2: ens2f0np0: mtu 1500 qdisc +mq master bond0 state UP group default qlen 1000 + link/ether 00:0f:53:2f:ea:40 brd ff:ff:ff:ff:ff:ff + inet6 fe80::20f:53ff:fe2f:ea40/64 scope link tentative + valid_lft forever preferred_lft forever +$ ip a l ens2f1np2 +5: ens2f1np2: mtu 1500 qdisc +mq master bond0 state DOWN group default qlen 
1000 + link/ether 00:0f:53:2f:ea:40 brd ff:ff:ff:ff:ff:ff + inet6 fe80::20f:53ff:fe2f:ea40/64 scope link tentative + valid_lft forever preferred_lft forever + +Looks like addrconf_sysctl_addr_gen_mode() bypasses the original "is +this a slave interface?" check added by commit c2edacf80e15, and +results in an address getting added, while w/the proposed patch added, +no address gets added. This simply adds the same gating check to another +code path, and thus should prevent the same devices from erroneously +obtaining an ipv6 link-local address. + +Fixes: d35a00b8e33d ("net/ipv6: allow sysctl to change link-local address generation mode") +Reported-by: Moshe Levi +CC: Stephen Hemminger +CC: Marcelo Ricardo Leitner +CC: netdev@vger.kernel.org +Signed-off-by: Jarod Wilson +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/addrconf.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/net/ipv6/addrconf.c ++++ b/net/ipv6/addrconf.c +@@ -3296,6 +3296,10 @@ static void addrconf_addr_gen(struct ine + if (netif_is_l3_master(idev->dev)) + return; + ++ /* no link local addresses on devices flagged as slaves */ ++ if (idev->dev->flags & IFF_SLAVE) ++ return; ++ + ipv6_addr_set(&addr, htonl(0xFE800000), 0, 0, 0); + + switch (idev->cnf.addr_gen_mode) { diff --git a/queue-5.4/mlxsw-spectrum_flower-do-not-stop-at-flow_action_vlan_mangle.patch b/queue-5.4/mlxsw-spectrum_flower-do-not-stop-at-flow_action_vlan_mangle.patch new file mode 100644 index 00000000000..be3c2d763d2 --- /dev/null +++ b/queue-5.4/mlxsw-spectrum_flower-do-not-stop-at-flow_action_vlan_mangle.patch 
@@ -0,0 +1,42 @@ +From foo@baz Thu 09 Apr 2020 01:21:20 PM CEST +From: Petr Machata +Date: Sun, 5 Apr 2020 09:50:22 +0300 +Subject: mlxsw: spectrum_flower: Do not stop at FLOW_ACTION_VLAN_MANGLE + +From: Petr Machata + +[ Upstream commit ccfc569347f870830e7c7cf854679a06cf9c45b5 ] + +The handler for FLOW_ACTION_VLAN_MANGLE ends by returning whatever the +lower-level function that it calls returns. If there are more actions lined +up after this action, those are never offloaded. Fix by only bailing out +when the called function returns an error. + +Fixes: a150201a70da ("mlxsw: spectrum: Add support for vlan modify TC action") +Signed-off-by: Petr Machata +Reviewed-by: Jiri Pirko +Signed-off-by: Ido Schimmel +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlxsw/spectrum_flower.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_flower.c ++++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_flower.c +@@ -123,9 +123,12 @@ static int mlxsw_sp_flower_parse_actions + u8 prio = act->vlan.prio; + u16 vid = act->vlan.vid; + +- return mlxsw_sp_acl_rulei_act_vlan(mlxsw_sp, rulei, +- act->id, vid, +- proto, prio, extack); ++ err = mlxsw_sp_acl_rulei_act_vlan(mlxsw_sp, rulei, ++ act->id, vid, ++ proto, prio, extack); ++ if (err) ++ return err; ++ break; + } + default: + NL_SET_ERR_MSG_MOD(extack, "Unsupported action"); diff --git a/queue-5.4/net-dsa-bcm_sf2-do-not-register-slave-mdio-bus-with-of.patch b/queue-5.4/net-dsa-bcm_sf2-do-not-register-slave-mdio-bus-with-of.patch new file mode 100644 index 00000000000..3217340e8b1 --- /dev/null +++ b/queue-5.4/net-dsa-bcm_sf2-do-not-register-slave-mdio-bus-with-of.patch 
@@ -0,0 +1,53 @@ +From foo@baz Thu 09 Apr 2020 01:21:20 PM CEST +From: Florian Fainelli +Date: Sat, 4 Apr 2020 14:35:17 -0700 +Subject: net: dsa: bcm_sf2: Do not register slave MDIO bus with OF + +From: Florian Fainelli + +[ Upstream commit 536fab5bf5826404534a6c271f622ad2930d9119 ] + +We were registering our slave MDIO bus with OF and doing so with +assigning the newly created slave_mii_bus of_node to the master MDIO bus +controller node. This is a bad thing to do for a number of reasons: + +- we are completely lying about the slave MII bus is arranged and yet we + still want to control which MDIO devices it probes. It was attempted + before to play tricks with the bus_mask to perform that: + https://www.spinics.net/lists/netdev/msg429420.html but the approach + was rightfully rejected + +- the device_node reference counting is messed up and we are effectively + doing a double probe on the devices we already probed using the + master, this messes up all resources reference counts (such as clocks) + +The proper fix for this as indicated by David in his reply to the +thread above is to use a platform data style registration so as to +control exactly which devices we probe: +https://www.spinics.net/lists/netdev/msg430083.html + +By using mdiobus_register(), our slave_mii_bus->phy_mask value is used +as intended, and all the PHY addresses that must be redirected towards +our slave MDIO bus is happening while other addresses get redirected +towards the master MDIO bus. + +Fixes: 461cd1b03e32 ("net: dsa: bcm_sf2: Register our slave MDIO bus") +Signed-off-by: Florian Fainelli +Reviewed-by: Vivien Didelot +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/dsa/bcm_sf2.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/dsa/bcm_sf2.c ++++ b/drivers/net/dsa/bcm_sf2.c +@@ -459,7 +459,7 @@ static int bcm_sf2_mdio_register(struct + priv->slave_mii_bus->parent = ds->dev->parent; + priv->slave_mii_bus->phy_mask = ~priv->indir_phy_mask; + +- err = of_mdiobus_register(priv->slave_mii_bus, dn); ++ err = mdiobus_register(priv->slave_mii_bus); + if (err && dn) + of_node_put(dn); + diff --git a/queue-5.4/net-dsa-bcm_sf2-ensure-correct-sub-node-is-parsed.patch b/queue-5.4/net-dsa-bcm_sf2-ensure-correct-sub-node-is-parsed.patch new file mode 100644 index 00000000000..28e80aa5c41 --- /dev/null +++ b/queue-5.4/net-dsa-bcm_sf2-ensure-correct-sub-node-is-parsed.patch 
@@ -0,0 +1,48 @@ +From foo@baz Thu 09 Apr 2020 01:21:20 PM CEST +From: Florian Fainelli +Date: Sun, 5 Apr 2020 13:00:30 -0700 +Subject: net: dsa: bcm_sf2: Ensure correct sub-node is parsed + +From: Florian Fainelli + +[ Upstream commit afa3b592953bfaecfb4f2f335ec5f935cff56804 ] + +When the bcm_sf2 was converted into a proper platform device driver and +used the new dsa_register_switch() interface, we would still be parsing +the legacy DSA node that contained all the port information since the +platform firmware has intentionally maintained backward and forward +compatibility to client programs. Ensure that we do parse the correct +node, which is "ports" per the revised DSA binding. + +Fixes: d9338023fb8e ("net: dsa: bcm_sf2: Make it a real platform device driver") +Signed-off-by: Florian Fainelli +Reviewed-by: Vivien Didelot +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/dsa/bcm_sf2.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/drivers/net/dsa/bcm_sf2.c ++++ b/drivers/net/dsa/bcm_sf2.c +@@ -1053,6 +1053,7 @@ static int bcm_sf2_sw_probe(struct platf + const struct bcm_sf2_of_data *data; + struct b53_platform_data *pdata; + struct dsa_switch_ops *ops; ++ struct device_node *ports; + struct bcm_sf2_priv *priv; + struct b53_device *dev; + struct dsa_switch *ds; +@@ -1115,7 +1116,11 @@ static int bcm_sf2_sw_probe(struct platf + set_bit(0, priv->cfp.used); + set_bit(0, priv->cfp.unique); + +- bcm_sf2_identify_ports(priv, dn->child); ++ ports = of_find_node_by_name(dn, "ports"); ++ if (ports) { ++ bcm_sf2_identify_ports(priv, ports); ++ of_node_put(ports); ++ } + + priv->irq0 = irq_of_parse_and_map(dn, 0); + priv->irq1 = irq_of_parse_and_map(dn, 1); diff --git a/queue-5.4/net-dsa-mt7530-fix-null-pointer-dereferencing-in-port5-setup.patch b/queue-5.4/net-dsa-mt7530-fix-null-pointer-dereferencing-in-port5-setup.patch new file mode 100644 index 00000000000..bd586635930 --- /dev/null 
+++ b/queue-5.4/net-dsa-mt7530-fix-null-pointer-dereferencing-in-port5-setup.patch @@ -0,0 +1,41 @@ +From foo@baz Thu 09 Apr 2020 01:21:20 PM CEST +From: Chuanhong Guo +Date: Fri, 3 Apr 2020 19:28:24 +0800 +Subject: net: dsa: mt7530: fix null pointer dereferencing in port5 setup + +From: Chuanhong Guo + +[ Upstream commit 0452800f6db4ed0a42ffb15867c0acfd68829f6a ] + +The 2nd gmac of mediatek soc ethernet may not be connected to a PHY +and a phy-handle isn't always available. +Unfortunately, mt7530 dsa driver assumes that the 2nd gmac is always +connected to switch port 5 and setup mt7530 according to phy address +of 2nd gmac node, causing null pointer dereferencing when phy-handle +isn't defined in dts. +This commit fix this setup code by checking return value of +of_parse_phandle before using it. + +Fixes: 38f790a80560 ("net: dsa: mt7530: Add support for port 5") +Signed-off-by: Chuanhong Guo +Reviewed-by: Vivien Didelot +Reviewed-by: Florian Fainelli +Tested-by: René van Dorst +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/dsa/mt7530.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/net/dsa/mt7530.c ++++ b/drivers/net/dsa/mt7530.c +@@ -1353,6 +1353,9 @@ mt7530_setup(struct dsa_switch *ds) + continue; + + phy_node = of_parse_phandle(mac_np, "phy-handle", 0); ++ if (!phy_node) ++ continue; ++ + if (phy_node->parent == priv->dev->of_node->parent) { + interface = of_get_phy_mode(mac_np); + id = of_mdio_parse_addr(ds->dev, phy_node); diff --git a/queue-5.4/net-phy-micrel-kszphy_resume-add-delay-after-genphy_resume-before-accessing-phy-registers.patch b/queue-5.4/net-phy-micrel-kszphy_resume-add-delay-after-genphy_resume-before-accessing-phy-registers.patch new file mode 100644 index 00000000000..4f6c8cdc487 --- /dev/null +++ b/queue-5.4/net-phy-micrel-kszphy_resume-add-delay-after-genphy_resume-before-accessing-phy-registers.patch 
@@ -0,0 +1,63 @@ +From foo@baz Thu 09 Apr 2020 01:21:20 PM CEST +From: Oleksij Rempel +Date: Fri, 3 Apr 2020 09:53:25 +0200 +Subject: net: phy: micrel: kszphy_resume(): add delay after genphy_resume() before accessing PHY registers + +From: Oleksij Rempel + +[ Upstream commit 6110dff776f7fa65c35850ef65b41d3b39e2fac2 ] + +After the power-down bit is cleared, the chip internally triggers a +global reset. According to the KSZ9031 documentation, we have to wait at +least 1ms for the reset to finish. + +If the chip is accessed during reset, read will return 0xffff, while +write will be ignored. Depending on the system performance and MDIO bus +speed, we may or may not run in to this issue. + +This bug was discovered on an iMX6QP system with KSZ9031 PHY and +attached PHY interrupt line. If IRQ was used, the link status update was +lost. In polling mode, the link status update was always correct. + +The investigation showed, that during a read-modify-write access, the +read returned 0xffff (while the chip was still in reset) and +corresponding write hit the chip _after_ reset and triggered (due to the +0xffff) another reset in an undocumented bit (register 0x1f, bit 1), +resulting in the next write being lost due to the new reset cycle. + +This patch fixes the issue by adding a 1...2 ms sleep after the +genphy_resume(). + +Fixes: 836384d2501d ("net: phy: micrel: Add specific suspend") +Signed-off-by: Oleksij Rempel +Reviewed-by: Andrew Lunn +Reviewed-by: Florian Fainelli +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/phy/micrel.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/net/phy/micrel.c ++++ b/drivers/net/phy/micrel.c +@@ -25,6 +25,7 @@ + #include + #include + #include ++#include + + /* Operation Mode Strap Override */ + #define MII_KSZPHY_OMSO 0x16 +@@ -902,6 +903,12 @@ static int kszphy_resume(struct phy_devi + + genphy_resume(phydev); + ++ /* After switching from power-down to normal mode, an internal global ++ * reset is automatically generated. Wait a minimum of 1 ms before ++ * read/write access to the PHY registers. ++ */ ++ usleep_range(1000, 2000); ++ + ret = kszphy_config_reset(phydev); + if (ret) + return ret; diff --git a/queue-5.4/net-stmmac-dwmac1000-fix-out-of-bounds-mac-address-reg-setting.patch b/queue-5.4/net-stmmac-dwmac1000-fix-out-of-bounds-mac-address-reg-setting.patch new file mode 100644 index 00000000000..fd826dc127f --- /dev/null +++ b/queue-5.4/net-stmmac-dwmac1000-fix-out-of-bounds-mac-address-reg-setting.patch 
@@ -0,0 +1,35 @@ +From foo@baz Thu 09 Apr 2020 01:21:20 PM CEST +From: Jisheng Zhang +Date: Fri, 3 Apr 2020 10:23:29 +0800 +Subject: net: stmmac: dwmac1000: fix out-of-bounds mac address reg setting + +From: Jisheng Zhang + +[ Upstream commit 3e1221acf6a8f8595b5ce354bab4327a69d54d18 ] + +Commit 9463c4455900 ("net: stmmac: dwmac1000: Clear unused address +entries") cleared the unused mac address entries, but introduced an +out-of bounds mac address register programming bug -- After setting +the secondary unicast mac addresses, the "reg" value has reached +netdev_uc_count() + 1, thus we should only clear address entries +if (addr < perfect_addr_number) + +Fixes: 9463c4455900 ("net: stmmac: dwmac1000: Clear unused address entries") +Signed-off-by: Jisheng Zhang +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/stmicro/stmmac/dwmac1000_core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/stmicro/stmmac/dwmac1000_core.c ++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac1000_core.c +@@ -209,7 +209,7 @@ static void dwmac1000_set_filter(struct + reg++; + } + +- while (reg <= perfect_addr_number) { ++ while (reg < perfect_addr_number) { + writel(0, ioaddr + GMAC_ADDR_HIGH(reg)); + writel(0, ioaddr + GMAC_ADDR_LOW(reg)); + reg++; diff --git a/queue-5.4/net_sched-add-a-temporary-refcnt-for-struct-tcindex_data.patch b/queue-5.4/net_sched-add-a-temporary-refcnt-for-struct-tcindex_data.patch new file mode 100644 index 00000000000..e8115c4dfeb --- /dev/null +++ b/queue-5.4/net_sched-add-a-temporary-refcnt-for-struct-tcindex_data.patch 
@@ -0,0 +1,197 @@ +From foo@baz Thu 09 Apr 2020 01:21:20 PM CEST +From: Cong Wang +Date: Sat, 28 Mar 2020 12:12:59 -0700 +Subject: net_sched: add a temporary refcnt for struct tcindex_data + +From: Cong Wang + +[ Upstream commit 304e024216a802a7dc8ba75d36de82fa136bbf3e ] + +Although we intentionally use an ordered workqueue for all tc +filter works, the ordering is not guaranteed by RCU work, +given that tcf_queue_work() is esstenially a call_rcu(). + +This problem is demostrated by Thomas: + + CPU 0: + tcf_queue_work() + tcf_queue_work(&r->rwork, tcindex_destroy_rexts_work); + + -> Migration to CPU 1 + + CPU 1: + tcf_queue_work(&p->rwork, tcindex_destroy_work); + +so the 2nd work could be queued before the 1st one, which leads +to a free-after-free. + +Enforcing this order in RCU work is hard as it requires to change +RCU code too. Fortunately we can workaround this problem in tcindex +filter by taking a temporary refcnt, we only refcnt it right before +we begin to destroy it. This simplifies the code a lot as a full +refcnt requires much more changes in tcindex_set_parms(). + +Reported-by: syzbot+46f513c3033d592409d2@syzkaller.appspotmail.com +Fixes: 3d210534cc93 ("net_sched: fix a race condition in tcindex_destroy()") +Cc: Thomas Gleixner +Cc: Paul E. McKenney +Cc: Jamal Hadi Salim +Cc: Jiri Pirko +Signed-off-by: Cong Wang +Reviewed-by: Paul E. McKenney +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/sched/cls_tcindex.c | 44 ++++++++++++++++++++++++++++++++++++++------ + 1 file changed, 38 insertions(+), 6 deletions(-) + +--- a/net/sched/cls_tcindex.c ++++ b/net/sched/cls_tcindex.c +@@ -11,6 +11,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -26,9 +27,12 @@ + #define DEFAULT_HASH_SIZE 64 /* optimized for diffserv */ + + ++struct tcindex_data; ++ + struct tcindex_filter_result { + struct tcf_exts exts; + struct tcf_result res; ++ struct tcindex_data *p; + struct rcu_work rwork; + }; + +@@ -49,6 +53,7 @@ struct tcindex_data { + u32 hash; /* hash table size; 0 if undefined */ + u32 alloc_hash; /* allocated size */ + u32 fall_through; /* 0: only classify if explicit match */ ++ refcount_t refcnt; /* a temporary refcnt for perfect hash */ + struct rcu_work rwork; + }; + +@@ -57,6 +62,20 @@ static inline int tcindex_filter_is_set( + return tcf_exts_has_actions(&r->exts) || r->res.classid; + } + ++static void tcindex_data_get(struct tcindex_data *p) ++{ ++ refcount_inc(&p->refcnt); ++} ++ ++static void tcindex_data_put(struct tcindex_data *p) ++{ ++ if (refcount_dec_and_test(&p->refcnt)) { ++ kfree(p->perfect); ++ kfree(p->h); ++ kfree(p); ++ } ++} ++ + static struct tcindex_filter_result *tcindex_lookup(struct tcindex_data *p, + u16 key) + { +@@ -141,6 +160,7 @@ static void __tcindex_destroy_rexts(stru + { + tcf_exts_destroy(&r->exts); + tcf_exts_put_net(&r->exts); ++ tcindex_data_put(r->p); + } + + static void tcindex_destroy_rexts_work(struct work_struct *work) +@@ -212,6 +232,8 @@ found: + else + __tcindex_destroy_fexts(f); + } else { ++ tcindex_data_get(p); ++ + if (tcf_exts_get_net(&r->exts)) + tcf_queue_work(&r->rwork, tcindex_destroy_rexts_work); + else +@@ -228,9 +250,7 @@ static void tcindex_destroy_work(struct + struct tcindex_data, + rwork); + +- kfree(p->perfect); +- kfree(p->h); +- kfree(p); ++ tcindex_data_put(p); + } + + static inline int +@@ -248,9 +268,11 @@ 
static const struct nla_policy tcindex_p + }; + + static int tcindex_filter_result_init(struct tcindex_filter_result *r, ++ struct tcindex_data *p, + struct net *net) + { + memset(r, 0, sizeof(*r)); ++ r->p = p; + return tcf_exts_init(&r->exts, net, TCA_TCINDEX_ACT, + TCA_TCINDEX_POLICE); + } +@@ -290,6 +312,7 @@ static int tcindex_alloc_perfect_hash(st + TCA_TCINDEX_ACT, TCA_TCINDEX_POLICE); + if (err < 0) + goto errout; ++ cp->perfect[i].p = cp; + } + + return 0; +@@ -334,6 +357,7 @@ tcindex_set_parms(struct net *net, struc + cp->alloc_hash = p->alloc_hash; + cp->fall_through = p->fall_through; + cp->tp = tp; ++ refcount_set(&cp->refcnt, 1); /* Paired with tcindex_destroy_work() */ + + if (tb[TCA_TCINDEX_HASH]) + cp->hash = nla_get_u32(tb[TCA_TCINDEX_HASH]); +@@ -366,7 +390,7 @@ tcindex_set_parms(struct net *net, struc + } + cp->h = p->h; + +- err = tcindex_filter_result_init(&new_filter_result, net); ++ err = tcindex_filter_result_init(&new_filter_result, cp, net); + if (err < 0) + goto errout_alloc; + if (old_r) +@@ -434,7 +458,7 @@ tcindex_set_parms(struct net *net, struc + goto errout_alloc; + f->key = handle; + f->next = NULL; +- err = tcindex_filter_result_init(&f->result, net); ++ err = tcindex_filter_result_init(&f->result, cp, net); + if (err < 0) { + kfree(f); + goto errout_alloc; +@@ -447,7 +471,7 @@ tcindex_set_parms(struct net *net, struc + } + + if (old_r && old_r != r) { +- err = tcindex_filter_result_init(old_r, net); ++ err = tcindex_filter_result_init(old_r, cp, net); + if (err < 0) { + kfree(f); + goto errout_alloc; +@@ -571,6 +595,14 @@ static void tcindex_destroy(struct tcf_p + for (i = 0; i < p->hash; i++) { + struct tcindex_filter_result *r = p->perfect + i; + ++ /* tcf_queue_work() does not guarantee the ordering we ++ * want, so we have to take this refcnt temporarily to ++ * ensure 'p' is freed after all tcindex_filter_result ++ * here. Imperfect hash does not need this, because it ++ * uses linked lists rather than an array. 
++ */ ++ tcindex_data_get(p); ++ + tcf_unbind_filter(tp, &r->res); + if (tcf_exts_get_net(&r->exts)) + tcf_queue_work(&r->rwork, diff --git a/queue-5.4/net_sched-fix-a-missing-refcnt-in-tcindex_init.patch b/queue-5.4/net_sched-fix-a-missing-refcnt-in-tcindex_init.patch new file mode 100644 index 00000000000..a9a259366f9 --- /dev/null +++ b/queue-5.4/net_sched-fix-a-missing-refcnt-in-tcindex_init.patch @@ -0,0 +1,35 @@ +From foo@baz Thu 09 Apr 2020 01:21:20 PM CEST +From: Cong Wang +Date: Thu, 2 Apr 2020 20:58:51 -0700 +Subject: net_sched: fix a missing refcnt in tcindex_init() + +From: Cong Wang + +[ Upstream commit a8eab6d35e22f4f21471f16147be79529cd6aaf7 ] + +The initial refcnt of struct tcindex_data should be 1, +it is clear that I forgot to set it to 1 in tcindex_init(). +This leads to a dec-after-zero warning. + +Reported-by: syzbot+8325e509a1bf83ec741d@syzkaller.appspotmail.com +Fixes: 304e024216a8 ("net_sched: add a temporary refcnt for struct tcindex_data") +Cc: Jamal Hadi Salim +Cc: Jiri Pirko +Cc: Paul E. McKenney +Signed-off-by: Cong Wang +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/sched/cls_tcindex.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/sched/cls_tcindex.c ++++ b/net/sched/cls_tcindex.c +@@ -151,6 +151,7 @@ static int tcindex_init(struct tcf_proto + p->mask = 0xffff; + p->hash = DEFAULT_HASH_SIZE; + p->fall_through = 1; ++ refcount_set(&p->refcnt, 1); /* Paired with tcindex_destroy_work() */ + + rcu_assign_pointer(tp->root, p); + return 0; diff --git a/queue-5.4/r8169-change-back-sg-and-tso-to-be-disabled-by-default.patch b/queue-5.4/r8169-change-back-sg-and-tso-to-be-disabled-by-default.patch new file mode 100644 index 00000000000..13c4f0ef9c4 --- /dev/null +++ b/queue-5.4/r8169-change-back-sg-and-tso-to-be-disabled-by-default.patch 
@@ -0,0 +1,78 @@ +From foo@baz Thu 09 Apr 2020 01:21:20 PM CEST +From: Heiner Kallweit +Date: Sat, 4 Apr 2020 23:48:45 +0200 +Subject: r8169: change back SG and TSO to be disabled by default + +From: Heiner Kallweit + +[ Upstream commit 95099c569a9fdbe186a27447dfa8a5a0562d4b7f ] + +There has been a number of reports that using SG/TSO on different chip +versions results in tx timeouts. However for a lot of people SG/TSO +works fine. Therefore disable both features by default, but allow users +to enable them. Use at own risk! + +Fixes: 93681cd7d94f ("r8169: enable HW csum and TSO") +Signed-off-by: Heiner Kallweit +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/realtek/r8169_main.c | 34 ++++++++++++++---------------- + 1 file changed, 16 insertions(+), 18 deletions(-) + +--- a/drivers/net/ethernet/realtek/r8169_main.c ++++ b/drivers/net/ethernet/realtek/r8169_main.c +@@ -7167,12 +7167,10 @@ static int rtl_init_one(struct pci_dev * + + netif_napi_add(dev, &tp->napi, rtl8169_poll, NAPI_POLL_WEIGHT); + +- dev->features |= NETIF_F_SG | NETIF_F_IP_CSUM | NETIF_F_TSO | +- NETIF_F_RXCSUM | NETIF_F_HW_VLAN_CTAG_TX | +- NETIF_F_HW_VLAN_CTAG_RX; +- dev->hw_features = NETIF_F_SG | NETIF_F_IP_CSUM | NETIF_F_TSO | +- NETIF_F_RXCSUM | NETIF_F_HW_VLAN_CTAG_TX | +- NETIF_F_HW_VLAN_CTAG_RX; ++ dev->features |= NETIF_F_IP_CSUM | NETIF_F_RXCSUM | ++ NETIF_F_HW_VLAN_CTAG_TX | NETIF_F_HW_VLAN_CTAG_RX; ++ dev->hw_features = NETIF_F_IP_CSUM | NETIF_F_RXCSUM | ++ NETIF_F_HW_VLAN_CTAG_TX | NETIF_F_HW_VLAN_CTAG_RX; + dev->vlan_features = NETIF_F_SG | NETIF_F_IP_CSUM | NETIF_F_TSO | + NETIF_F_HIGHDMA; + dev->priv_flags |= IFF_LIVE_ADDR_CHANGE; +@@ -7190,25 +7188,25 @@ static int rtl_init_one(struct pci_dev * + dev->hw_features &= ~NETIF_F_HW_VLAN_CTAG_RX; + + if (rtl_chip_supports_csum_v2(tp)) { +- dev->hw_features |= NETIF_F_IPV6_CSUM | NETIF_F_TSO6; +- dev->features |= NETIF_F_IPV6_CSUM | NETIF_F_TSO6; ++ dev->hw_features |= NETIF_F_IPV6_CSUM; ++ dev->features |= 
NETIF_F_IPV6_CSUM; ++ } ++ ++ /* There has been a number of reports that using SG/TSO results in ++ * tx timeouts. However for a lot of people SG/TSO works fine. ++ * Therefore disable both features by default, but allow users to ++ * enable them. Use at own risk! ++ */ ++ if (rtl_chip_supports_csum_v2(tp)) { ++ dev->hw_features |= NETIF_F_SG | NETIF_F_TSO | NETIF_F_TSO6; + dev->gso_max_size = RTL_GSO_MAX_SIZE_V2; + dev->gso_max_segs = RTL_GSO_MAX_SEGS_V2; + } else { ++ dev->hw_features |= NETIF_F_SG | NETIF_F_TSO; + dev->gso_max_size = RTL_GSO_MAX_SIZE_V1; + dev->gso_max_segs = RTL_GSO_MAX_SEGS_V1; + } + +- /* RTL8168e-vl and one RTL8168c variant are known to have a +- * HW issue with TSO. +- */ +- if (tp->mac_version == RTL_GIGA_MAC_VER_34 || +- tp->mac_version == RTL_GIGA_MAC_VER_22) { +- dev->vlan_features &= ~(NETIF_F_ALL_TSO | NETIF_F_SG); +- dev->hw_features &= ~(NETIF_F_ALL_TSO | NETIF_F_SG); +- dev->features &= ~(NETIF_F_ALL_TSO | NETIF_F_SG); +- } +- + dev->hw_features |= NETIF_F_RXALL; + dev->hw_features |= NETIF_F_RXFCS; + diff --git a/queue-5.4/series b/queue-5.4/series index 26067224306..30e699fd7e0 100644 --- a/queue-5.4/series +++ b/queue-5.4/series 
@@ -1 +1,14 @@ net-phy-realtek-fix-handling-of-rtl8105e-integrated-phy.patch +cxgb4-fix-mps-index-overwrite-when-setting-mac-address.patch +ipv6-don-t-auto-add-link-local-address-to-lag-ports.patch +net-dsa-bcm_sf2-do-not-register-slave-mdio-bus-with-of.patch +net-dsa-bcm_sf2-ensure-correct-sub-node-is-parsed.patch +net-dsa-mt7530-fix-null-pointer-dereferencing-in-port5-setup.patch +net-phy-micrel-kszphy_resume-add-delay-after-genphy_resume-before-accessing-phy-registers.patch +net_sched-add-a-temporary-refcnt-for-struct-tcindex_data.patch +net_sched-fix-a-missing-refcnt-in-tcindex_init.patch +net-stmmac-dwmac1000-fix-out-of-bounds-mac-address-reg-setting.patch +slcan-don-t-transmit-uninitialized-stack-data-in-padding.patch +tun-don-t-put_page-for-all-negative-return-values-from-xdp-program.patch +mlxsw-spectrum_flower-do-not-stop-at-flow_action_vlan_mangle.patch +r8169-change-back-sg-and-tso-to-be-disabled-by-default.patch diff --git a/queue-5.4/slcan-don-t-transmit-uninitialized-stack-data-in-padding.patch b/queue-5.4/slcan-don-t-transmit-uninitialized-stack-data-in-padding.patch new file mode 100644 index 00000000000..5bc4b695399 --- /dev/null +++ b/queue-5.4/slcan-don-t-transmit-uninitialized-stack-data-in-padding.patch 
@@ -0,0 +1,51 @@ +From foo@baz Thu 09 Apr 2020 01:21:20 PM CEST +From: Richard Palethorpe +Date: Wed, 1 Apr 2020 12:06:39 +0200 +Subject: slcan: Don't transmit uninitialized stack data in padding + +From: Richard Palethorpe + +[ Upstream commit b9258a2cece4ec1f020715fe3554bc2e360f6264 ] + +struct can_frame contains some padding which is not explicitly zeroed in +slc_bump. This uninitialized data will then be transmitted if the stack +initialization hardening feature is not enabled (CONFIG_INIT_STACK_ALL). + +This commit just zeroes the whole struct including the padding. + +Signed-off-by: Richard Palethorpe +Fixes: a1044e36e457 ("can: add slcan driver for serial/USB-serial CAN adapters") +Reviewed-by: Kees Cook +Cc: linux-can@vger.kernel.org +Cc: netdev@vger.kernel.org +Cc: security@kernel.org +Cc: wg@grandegger.com +Cc: mkl@pengutronix.de +Cc: davem@davemloft.net +Acked-by: Marc Kleine-Budde +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/can/slcan.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +--- a/drivers/net/can/slcan.c ++++ b/drivers/net/can/slcan.c +@@ -148,7 +148,7 @@ static void slc_bump(struct slcan *sl) + u32 tmpid; + char *cmd = sl->rbuff; + +- cf.can_id = 0; ++ memset(&cf, 0, sizeof(cf)); + + switch (*cmd) { + case 'r': +@@ -187,8 +187,6 @@ static void slc_bump(struct slcan *sl) + else + return; + +- *(u64 *) (&cf.data) = 0; /* clear payload */ +- + /* RTR frames may have a dlc > 0 but they never have any data bytes */ + if (!(cf.can_id & CAN_RTR_FLAG)) { + for (i = 0; i < cf.can_dlc; i++) { diff --git a/queue-5.4/tun-don-t-put_page-for-all-negative-return-values-from-xdp-program.patch b/queue-5.4/tun-don-t-put_page-for-all-negative-return-values-from-xdp-program.patch new file mode 100644 index 00000000000..1c706a150e7 --- /dev/null +++ b/queue-5.4/tun-don-t-put_page-for-all-negative-return-values-from-xdp-program.patch 
@@ -0,0 +1,63 @@ +From foo@baz Thu 09 Apr 2020 01:21:20 PM CEST +From: Will Deacon +Date: Fri, 3 Apr 2020 16:13:21 +0100 +Subject: tun: Don't put_page() for all negative return values from XDP program + +From: Will Deacon + +[ Upstream commit bee348907d19d654e8524d3a946dcd25b693aa7e ] + +When an XDP program is installed, tun_build_skb() grabs a reference to +the current page fragment page if the program returns XDP_REDIRECT or +XDP_TX. However, since tun_xdp_act() passes through negative return +values from the XDP program, it is possible to trigger the error path by +mistake and accidentally drop a reference to the fragments page without +taking one, leading to a spurious free. This is believed to be the cause +of some KASAN use-after-free reports from syzbot [1], although without a +reproducer it is not possible to confirm whether this patch fixes the +problem. + +Ensure that we only drop a reference to the fragments page if the XDP +transmit or redirect operations actually fail. + +[1] https://syzkaller.appspot.com/bug?id=e76a6af1be4acd727ff6bbca669833f98cbf5d95 + +Cc: "David S. Miller" +Cc: Alexei Starovoitov +Cc: Daniel Borkmann +CC: Eric Dumazet +Acked-by: Jason Wang +Fixes: 8ae1aff0b331 ("tuntap: split out XDP logic") +Signed-off-by: Will Deacon +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/tun.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +--- a/drivers/net/tun.c ++++ b/drivers/net/tun.c +@@ -1715,8 +1715,12 @@ static struct sk_buff *tun_build_skb(str + alloc_frag->offset += buflen; + } + err = tun_xdp_act(tun, xdp_prog, &xdp, act); +- if (err < 0) +- goto err_xdp; ++ if (err < 0) { ++ if (act == XDP_REDIRECT || act == XDP_TX) ++ put_page(alloc_frag->page); ++ goto out; ++ } ++ + if (err == XDP_REDIRECT) + xdp_do_flush_map(); + if (err != XDP_PASS) +@@ -1730,8 +1734,6 @@ static struct sk_buff *tun_build_skb(str + + return __tun_build_skb(tfile, alloc_frag, buf, buflen, len, pad); + +-err_xdp: +- put_page(alloc_frag->page); + out: + rcu_read_unlock(); + local_bh_enable();
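
Review bot: in cxgb_set_mac_addr() (cxgb4_main.c), once `pi->xact_addr_filt = ret;` is gone nothing in the visible lines says where the MPS TCAM index is kept, so the deleted assignment looks like a plausible thing to restore. The changelog states that cxgb4_update_mac_filt() already stores the firmware-returned index in pi->xact_addr_filt; a one-line comment above the memcpy() saying so, and that ret is only a status at this point, would keep the overwrite from coming back.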
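
Review bot: the new gate in addrconf_addr_gen() (net/ipv6/addrconf.c) tests only `idev->dev->flags & IFF_SLAVE`, while the subject and changelog speak of LAG ports in general, naming both bonding slaves and team ports. If team ports do not carry IFF_SLAVE they still fall through to ipv6_addr_set() on the addr_gen_mode sysctl path; netif_is_lag_port(idev->dev) would cover both kinds of port, or the changelog should say that only IFF_SLAVE devices are handled. The reproducer in the changelog exercises a bond only.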
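
Review bot: in bcm_sf2_mdio_register() the error path still reads `if (err && dn) of_node_put(dn);` although dn is no longer handed to the registration call. State in a comment or in the changelog who owns the dn reference after this change: on success nothing in the visible lines drops it, and on failure it is dropped only here, so the pairing with the earlier lookup of dn needs to be re-checked now that mdiobus_register() does not take the node.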
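
Review bot: `ports = of_find_node_by_name(dn, "ports");` in bcm_sf2_sw_probe() is the wrong lookup for a child node. of_find_node_by_name() starts searching after the node it is given and walks the rest of the tree, so it can return a "ports" node that belongs to another device, and it calls of_node_put() on its starting node, which here drops a reference on dn while the probe goes on using it (irq_of_parse_and_map(dn, 0) follows directly). of_get_child_by_name(dn, "ports") matches the intent and leaves the refcount of dn alone. Also, when no "ports" node is found the probe carries on without identifying any port; a warning or an error return would make a broken device tree visible.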
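
Review bot: in mt7530_setup() the added `if (!phy_node) continue;` skips the node without a word, and the reason lives only in the changelog. A short comment that a missing phy-handle is a valid configuration (second GMAC not wired to a PHY) would stop the check being read as error handling that lacks a message. The dereference it guards, `phy_node->parent`, is the very next statement, so the placement is right.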
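
Review bot: in kszphy_resume() the return value of `genphy_resume(phydev);` is still discarded, so if clearing the power-down bit fails, the new usleep_range(1000, 2000) and the kszphy_config_reset() call after it run against a PHY that may not have left power-down. Since the failure described in the changelog comes from register access at the wrong moment, check the result of genphy_resume() and return early on error.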
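
Review bot: the corrected bound in dwmac1000_set_filter(), `while (reg < perfect_addr_number)`, leaves the valid index range implicit, which is how the `<=` got in. A comment stating that the last address entry this loop may touch is perfect_addr_number - 1 would help. The address-programming loop above it (the one ending in `reg++`) is not bounded in the visible lines and deserves the same check, because the GMAC_ADDR_HIGH(reg) and GMAC_ADDR_LOW(reg) writes there use the same index.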
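
Review bot: in net/sched/cls_tcindex.c, refcount_set(&cp->refcnt, 1) is added only in tcindex_set_parms(); no hunk of net_sched-add-a-temporary-refcnt-for-struct-tcindex_data.patch initializes refcnt for the tcindex_data set up in tcindex_init(), so the tcindex_data_put() now called from tcindex_destroy_work() would decrement an unset count there. The queue carries net_sched-fix-a-missing-refcnt-in-tcindex_init.patch for exactly this, and the two must be applied together and in that order. Separately, tcindex_data_get(p) in the delete path and in tcindex_destroy() is taken before tcf_exts_get_net() is tested; the matching put for the branch that does not queue work happens only if that branch ends in __tcindex_destroy_rexts(), which the hunks do not show, so that pairing is worth confirming.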
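
Review bot: the r8169 hunk in rtl_init_one() also deletes the block that cleared NETIF_F_ALL_TSO | NETIF_F_SG for RTL_GIGA_MAC_VER_34 and RTL_GIGA_MAC_VER_22, chips the removed comment describes as having a known HW issue with TSO. With `dev->hw_features |= NETIF_F_SG | NETIF_F_TSO;` now applied in both branches, users can switch TSO on for those two versions, and dev->vlan_features keeps NETIF_F_SG and NETIF_F_TSO for every chip. Keep masking the features out of hw_features and vlan_features for those two versions, or explain in the changelog why the restriction is dropped.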
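
Review bot: in slc_bump() (drivers/net/can/slcan.c), `memset(&cf, 0, sizeof(cf));` deserves a comment saying that it clears the struct padding as well as the fields, because cf is transmitted afterwards. Without that, the call reads as something an `= {0}` style initializer could replace, and an initializer is not guaranteed to clear padding bytes, which would bring back the leak of stack data described in the changelog.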
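
Review bot: in tun_build_skb() the new error branch drops the page reference only when `act == XDP_REDIRECT || act == XDP_TX`, a condition that has to mirror the place where the reference is taken, and that place is outside the hunk. Add a comment tying the two together, or set a local flag where the reference is taken and test it here, so that a later change to one condition cannot leave put_page(alloc_frag->page) unbalanced again. The changelog says there is no reproducer, so this pairing is the only thing a reader can verify.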