From: Greg Kroah-Hartman Date: Sun, 6 Dec 2020 09:25:18 +0000 (+0100) Subject: 5.4-stable patches X-Git-Tag: v4.14.211~12 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=6d3f34f921a79fe9e3e9607326231e5ca5995448;p=thirdparty%2Fkernel%2Fstable-queue.git 5.4-stable patches added patches: chelsio-chtls-fix-a-double-free-in-chtls_setkey.patch chelsio-chtls-fix-panic-during-unload-reload-chtls.patch cxgb3-fix-error-return-code-in-t3_sge_alloc_qset.patch dt-bindings-net-correct-interrupt-flags-in-examples.patch geneve-pull-ip-header-before-ecn-decapsulation.patch ibmvnic-ensure-that-scrq-entry-reads-are-correctly-ordered.patch ibmvnic-fix-tx-completion-error-handling.patch inet_ecn-fix-endianness-of-checksum-update-when-setting-ect-1.patch ipv4-fix-tos-mask-in-inet_rtm_getroute.patch net-ip6_gre-set-dev-hard_header_len-when-using-header_ops.patch net-mlx5-dr-proper-handling-of-unsupported-connect-x6dx-sw-steering.patch net-mlx5-fix-wrong-address-reclaim-when-command-interface-is-down.patch net-mvpp2-fix-error-return-code-in-mvpp2_open.patch net-openvswitch-ensure-lse-is-pullable-before-reading-it.patch net-pasemi-fix-error-return-code-in-pasemi_mac_open.patch net-sched-act_mpls-ensure-lse-is-pullable-before-reading-it.patch net-skbuff-ensure-lse-is-pullable-before-decrementing-the-mpls-ttl.patch net-x25-prevent-a-couple-of-overflows.patch netfilter-bridge-reset-skb-pkt_type-after-nf_inet_post_routing-traversal.patch vxlan-fix-error-return-code-in-__vxlan_dev_create.patch --- diff --git a/queue-5.4/chelsio-chtls-fix-a-double-free-in-chtls_setkey.patch b/queue-5.4/chelsio-chtls-fix-a-double-free-in-chtls_setkey.patch new file mode 100644 index 00000000000..bb43c1a234e --- /dev/null +++ b/queue-5.4/chelsio-chtls-fix-a-double-free-in-chtls_setkey.patch @@ -0,0 +1,35 @@ +From foo@baz Sun Dec 6 10:20:28 AM CET 2020 +From: Dan Carpenter +Date: Thu, 3 Dec 2020 11:44:31 +0300 +Subject: chelsio/chtls: fix a double free in chtls_setkey() + +From: Dan Carpenter + +[ Upstream commit 391119fb5c5c4bdb4d57c7ffeb5e8d18560783d1 ] + +The "skb" is freed by the transmit code in cxgb4_ofld_send() and we +shouldn't use it again. But in the current code, if we hit an error +later on in the function then the clean up code will call kfree_skb(skb) +and so it causes a double free. + +Set the "skb" to NULL and that makes the kfree_skb() a no-op. + +Fixes: d25f2f71f653 ("crypto: chtls - Program the TLS session Key") +Signed-off-by: Dan Carpenter +Link: https://lore.kernel.org/r/X8ilb6PtBRLWiSHp@mwanda +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/crypto/chelsio/chtls/chtls_hw.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/crypto/chelsio/chtls/chtls_hw.c ++++ b/drivers/crypto/chelsio/chtls/chtls_hw.c +@@ -365,6 +365,7 @@ int chtls_setkey(struct chtls_sock *csk, + csk->wr_unacked += DIV_ROUND_UP(len, 16); + enqueue_wr(csk, skb); + cxgb4_ofld_send(csk->egress_dev, skb); ++ skb = NULL; + + chtls_set_scmd(csk); + /* Clear quiesce for Rx key */ diff --git a/queue-5.4/chelsio-chtls-fix-panic-during-unload-reload-chtls.patch b/queue-5.4/chelsio-chtls-fix-panic-during-unload-reload-chtls.patch new file mode 100644 index 00000000000..a7826f1e746 --- /dev/null +++ b/queue-5.4/chelsio-chtls-fix-panic-during-unload-reload-chtls.patch @@ -0,0 +1,33 @@ +From foo@baz Sun Dec 6 10:20:28 AM CET 2020 +From: Vinay Kumar Yadav +Date: Thu, 26 Nov 2020 03:19:14 +0530 +Subject: chelsio/chtls: fix panic during unload reload chtls + +From: Vinay Kumar Yadav + +[ Upstream commit e3d5e971d2f83d8ddd4b91a50cea4517fb488383 ] + +there is kernel panic in inet_twsk_free() while chtls +module unload when socket is in TIME_WAIT state because +sk_prot_creator was not preserved on connection socket. + +Fixes: cc35c88ae4db ("crypto : chtls - CPL handler definition") +Signed-off-by: Udai Sharma +Signed-off-by: Vinay Kumar Yadav +Link: https://lore.kernel.org/r/20201125214913.16938-1-vinay.yadav@chelsio.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/crypto/chelsio/chtls/chtls_cm.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/crypto/chelsio/chtls/chtls_cm.c ++++ b/drivers/crypto/chelsio/chtls/chtls_cm.c +@@ -1077,6 +1077,7 @@ static struct sock *chtls_recv_sock(stru + sk_setup_caps(newsk, dst); + ctx = tls_get_ctx(lsk); + newsk->sk_destruct = ctx->sk_destruct; ++ newsk->sk_prot_creator = lsk->sk_prot_creator; + csk->sk = newsk; + csk->passive_reap_next = oreq; + csk->tx_chan = cxgb4_port_chan(ndev); diff --git a/queue-5.4/cxgb3-fix-error-return-code-in-t3_sge_alloc_qset.patch b/queue-5.4/cxgb3-fix-error-return-code-in-t3_sge_alloc_qset.patch new file mode 100644 index 00000000000..8e3c0615ed3 --- /dev/null +++ b/queue-5.4/cxgb3-fix-error-return-code-in-t3_sge_alloc_qset.patch @@ -0,0 +1,33 @@ +From foo@baz Sun Dec 6 10:20:28 AM CET 2020 +From: Zhang Changzhong +Date: Wed, 2 Dec 2020 17:56:05 +0800 +Subject: cxgb3: fix error return code in t3_sge_alloc_qset() + +From: Zhang Changzhong + +[ Upstream commit ff9924897f8bfed82e61894b373ab9d2dfea5b10 ] + +Fix to return a negative error code from the error handling +case instead of 0, as done elsewhere in this function. + +Fixes: b1fb1f280d09 ("cxgb3 - Fix dma mapping error path") +Reported-by: Hulk Robot +Signed-off-by: Zhang Changzhong +Acked-by: Raju Rangoju +Link: https://lore.kernel.org/r/1606902965-1646-1-git-send-email-zhangchangzhong@huawei.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/chelsio/cxgb3/sge.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/ethernet/chelsio/cxgb3/sge.c ++++ b/drivers/net/ethernet/chelsio/cxgb3/sge.c +@@ -3176,6 +3176,7 @@ int t3_sge_alloc_qset(struct adapter *ad + GFP_KERNEL | __GFP_COMP); + if (!avail) { + CH_ALERT(adapter, "free list queue 0 initialization failed\n"); ++ ret = -ENOMEM; + goto err; + } + if (avail < q->fl[0].size) diff --git a/queue-5.4/dt-bindings-net-correct-interrupt-flags-in-examples.patch b/queue-5.4/dt-bindings-net-correct-interrupt-flags-in-examples.patch new file mode 100644 index 00000000000..bd12a9ac93d --- /dev/null +++ b/queue-5.4/dt-bindings-net-correct-interrupt-flags-in-examples.patch @@ -0,0 +1,68 @@ +From foo@baz Sun Dec 6 10:20:28 AM CET 2020 +From: Krzysztof Kozlowski +Date: Mon, 26 Oct 2020 16:36:20 +0100 +Subject: dt-bindings: net: correct interrupt flags in examples + +From: Krzysztof Kozlowski + +[ Upstream commit 4d521943f76bd0d1e68ea5e02df7aadd30b2838a ] + +GPIO_ACTIVE_x flags are not correct in the context of interrupt flags. +These are simple defines so they could be used in DTS but they will not +have the same meaning: +1. GPIO_ACTIVE_HIGH = 0 = IRQ_TYPE_NONE +2. GPIO_ACTIVE_LOW = 1 = IRQ_TYPE_EDGE_RISING + +Correct the interrupt flags, assuming the author of the code wanted same +logical behavior behind the name "ACTIVE_xxx", this is: + ACTIVE_LOW => IRQ_TYPE_LEVEL_LOW + ACTIVE_HIGH => IRQ_TYPE_LEVEL_HIGH + +Fixes: a1a8b4594f8d ("NFC: pn544: i2c: Add DTS Documentation") +Fixes: 6be88670fc59 ("NFC: nxp-nci_i2c: Add I2C support to NXP NCI driver") +Fixes: e3b329221567 ("dt-bindings: can: tcan4x5x: Update binding to use interrupt property") +Signed-off-by: Krzysztof Kozlowski +Acked-by: Rob Herring +Acked-by: Marc Kleine-Budde # for tcan4x5x.txt +Link: https://lore.kernel.org/r/20201026153620.89268-1-krzk@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/devicetree/bindings/net/can/tcan4x5x.txt | 2 +- + Documentation/devicetree/bindings/net/nfc/nxp-nci.txt | 2 +- + Documentation/devicetree/bindings/net/nfc/pn544.txt | 2 +- + 3 files changed, 3 insertions(+), 3 deletions(-) + +--- a/Documentation/devicetree/bindings/net/can/tcan4x5x.txt ++++ b/Documentation/devicetree/bindings/net/can/tcan4x5x.txt +@@ -33,7 +33,7 @@ tcan4x5x: tcan4x5x@0 { + spi-max-frequency = <10000000>; + bosch,mram-cfg = <0x0 0 0 32 0 0 1 1>; + interrupt-parent = <&gpio1>; +- interrupts = <14 GPIO_ACTIVE_LOW>; ++ interrupts = <14 IRQ_TYPE_LEVEL_LOW>; + device-state-gpios = <&gpio3 21 GPIO_ACTIVE_HIGH>; + device-wake-gpios = <&gpio1 15 GPIO_ACTIVE_HIGH>; + reset-gpios = <&gpio1 27 GPIO_ACTIVE_LOW>; +--- a/Documentation/devicetree/bindings/net/nfc/nxp-nci.txt ++++ b/Documentation/devicetree/bindings/net/nfc/nxp-nci.txt +@@ -25,7 +25,7 @@ Example (for ARM-based BeagleBone with N + clock-frequency = <100000>; + + interrupt-parent = <&gpio1>; +- interrupts = <29 GPIO_ACTIVE_HIGH>; ++ interrupts = <29 IRQ_TYPE_LEVEL_HIGH>; + + enable-gpios = <&gpio0 30 GPIO_ACTIVE_HIGH>; + firmware-gpios = <&gpio0 31 GPIO_ACTIVE_HIGH>; +--- a/Documentation/devicetree/bindings/net/nfc/pn544.txt ++++ b/Documentation/devicetree/bindings/net/nfc/pn544.txt +@@ -25,7 +25,7 @@ Example (for ARM-based BeagleBone with P + clock-frequency = <400000>; + + interrupt-parent = <&gpio1>; +- interrupts = <17 GPIO_ACTIVE_HIGH>; ++ interrupts = <17 IRQ_TYPE_LEVEL_HIGH>; + + enable-gpios = <&gpio3 21 GPIO_ACTIVE_HIGH>; + firmware-gpios = <&gpio3 19 GPIO_ACTIVE_HIGH>; diff --git a/queue-5.4/geneve-pull-ip-header-before-ecn-decapsulation.patch b/queue-5.4/geneve-pull-ip-header-before-ecn-decapsulation.patch new file mode 100644 index 00000000000..9f6f1cebb9f --- /dev/null +++ b/queue-5.4/geneve-pull-ip-header-before-ecn-decapsulation.patch @@ -0,0 +1,122 @@ +From foo@baz Sun Dec 6 10:20:28 AM CET 2020 +From: Eric Dumazet +Date: Tue, 1 Dec 2020 01:05:07 -0800 +Subject: geneve: pull IP header before ECN decapsulation + +From: Eric Dumazet + +[ Upstream commit 4179b00c04d18ea7013f68d578d80f3c9d13150a ] + +IP_ECN_decapsulate() and IP6_ECN_decapsulate() assume +IP header is already pulled. + +geneve does not ensure this yet. + +Fixing this generically in IP_ECN_decapsulate() and +IP6_ECN_decapsulate() is not possible, since callers +pass a pointer that might be freed by pskb_may_pull() + +syzbot reported : + +BUG: KMSAN: uninit-value in __INET_ECN_decapsulate include/net/inet_ecn.h:238 [inline] +BUG: KMSAN: uninit-value in INET_ECN_decapsulate+0x345/0x1db0 include/net/inet_ecn.h:260 +CPU: 1 PID: 8941 Comm: syz-executor.0 Not tainted 5.10.0-rc4-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0x21c/0x280 lib/dump_stack.c:118 + kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:118 + __msan_warning+0x5f/0xa0 mm/kmsan/kmsan_instr.c:197 + __INET_ECN_decapsulate include/net/inet_ecn.h:238 [inline] + INET_ECN_decapsulate+0x345/0x1db0 include/net/inet_ecn.h:260 + geneve_rx+0x2103/0x2980 include/net/inet_ecn.h:306 + geneve_udp_encap_recv+0x105c/0x1340 drivers/net/geneve.c:377 + udp_queue_rcv_one_skb+0x193a/0x1af0 net/ipv4/udp.c:2093 + udp_queue_rcv_skb+0x282/0x1050 net/ipv4/udp.c:2167 + udp_unicast_rcv_skb net/ipv4/udp.c:2325 [inline] + __udp4_lib_rcv+0x399d/0x5880 net/ipv4/udp.c:2394 + udp_rcv+0x5c/0x70 net/ipv4/udp.c:2564 + ip_protocol_deliver_rcu+0x572/0xc50 net/ipv4/ip_input.c:204 + ip_local_deliver_finish net/ipv4/ip_input.c:231 [inline] + NF_HOOK include/linux/netfilter.h:301 [inline] + ip_local_deliver+0x583/0x8d0 net/ipv4/ip_input.c:252 + dst_input include/net/dst.h:449 [inline] + ip_rcv_finish net/ipv4/ip_input.c:428 [inline] + NF_HOOK include/linux/netfilter.h:301 [inline] + ip_rcv+0x5c3/0x840 net/ipv4/ip_input.c:539 + __netif_receive_skb_one_core net/core/dev.c:5315 [inline] + __netif_receive_skb+0x1ec/0x640 net/core/dev.c:5429 + process_backlog+0x523/0xc10 net/core/dev.c:6319 + napi_poll+0x420/0x1010 net/core/dev.c:6763 + net_rx_action+0x35c/0xd40 net/core/dev.c:6833 + __do_softirq+0x1a9/0x6fa kernel/softirq.c:298 + asm_call_irq_on_stack+0xf/0x20 + + __run_on_irqstack arch/x86/include/asm/irq_stack.h:26 [inline] + run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:77 [inline] + do_softirq_own_stack+0x6e/0x90 arch/x86/kernel/irq_64.c:77 + do_softirq kernel/softirq.c:343 [inline] + __local_bh_enable_ip+0x184/0x1d0 kernel/softirq.c:195 + local_bh_enable+0x36/0x40 include/linux/bottom_half.h:32 + rcu_read_unlock_bh include/linux/rcupdate.h:730 [inline] + __dev_queue_xmit+0x3a9b/0x4520 net/core/dev.c:4167 + dev_queue_xmit+0x4b/0x60 net/core/dev.c:4173 + packet_snd net/packet/af_packet.c:2992 [inline] + packet_sendmsg+0x86f9/0x99d0 net/packet/af_packet.c:3017 + sock_sendmsg_nosec net/socket.c:651 [inline] + sock_sendmsg net/socket.c:671 [inline] + __sys_sendto+0x9dc/0xc80 net/socket.c:1992 + __do_sys_sendto net/socket.c:2004 [inline] + __se_sys_sendto+0x107/0x130 net/socket.c:2000 + __x64_sys_sendto+0x6e/0x90 net/socket.c:2000 + do_syscall_64+0x9f/0x140 arch/x86/entry/common.c:48 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +Fixes: 2d07dc79fe04 ("geneve: add initial netdev driver for GENEVE tunnels") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Link: https://lore.kernel.org/r/20201201090507.4137906-1-eric.dumazet@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/geneve.c | 20 ++++++++++++++++---- + 1 file changed, 16 insertions(+), 4 deletions(-) + +--- a/drivers/net/geneve.c ++++ b/drivers/net/geneve.c +@@ -254,11 +254,21 @@ static void geneve_rx(struct geneve_dev + skb_dst_set(skb, &tun_dst->dst); + + /* Ignore packet loops (and multicast echo) */ +- if (ether_addr_equal(eth_hdr(skb)->h_source, geneve->dev->dev_addr)) { +- geneve->dev->stats.rx_errors++; +- goto drop; +- } ++ if (ether_addr_equal(eth_hdr(skb)->h_source, geneve->dev->dev_addr)) ++ goto rx_error; + ++ switch (skb_protocol(skb, true)) { ++ case htons(ETH_P_IP): ++ if (pskb_may_pull(skb, sizeof(struct iphdr))) ++ goto rx_error; ++ break; ++ case htons(ETH_P_IPV6): ++ if (pskb_may_pull(skb, sizeof(struct ipv6hdr))) ++ goto rx_error; ++ break; ++ default: ++ goto rx_error; ++ } + oiph = skb_network_header(skb); + skb_reset_network_header(skb); + +@@ -299,6 +309,8 @@ static void geneve_rx(struct geneve_dev + u64_stats_update_end(&stats->syncp); + } + return; ++rx_error: ++ geneve->dev->stats.rx_errors++; + drop: + /* Consume bad packet */ + kfree_skb(skb); diff --git a/queue-5.4/ibmvnic-ensure-that-scrq-entry-reads-are-correctly-ordered.patch b/queue-5.4/ibmvnic-ensure-that-scrq-entry-reads-are-correctly-ordered.patch new file mode 100644 index 00000000000..deef66fbbe0 --- /dev/null +++ b/queue-5.4/ibmvnic-ensure-that-scrq-entry-reads-are-correctly-ordered.patch @@ -0,0 +1,66 @@ +From foo@baz Sun Dec 6 10:20:28 AM CET 2020 +From: Thomas Falcon +Date: Tue, 1 Dec 2020 09:52:10 -0600 +Subject: ibmvnic: Ensure that SCRQ entry reads are correctly ordered + +From: Thomas Falcon + +[ Upstream commit b71ec952234610b4f90ef17a2fdcb124d5320070 ] + +Ensure that received Subordinate Command-Response Queue (SCRQ) +entries are properly read in order by the driver. These queues +are used in the ibmvnic device to process RX buffer and TX completion +descriptors. dma_rmb barriers have been added after checking for a +pending descriptor to ensure the correct descriptor entry is checked +and after reading the SCRQ descriptor to ensure the entire +descriptor is read before processing. + +Fixes: 032c5e82847a ("Driver for IBM System i/p VNIC protocol") +Signed-off-by: Thomas Falcon +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/ibm/ibmvnic.c | 18 ++++++++++++++++++ + 1 file changed, 18 insertions(+) + +--- a/drivers/net/ethernet/ibm/ibmvnic.c ++++ b/drivers/net/ethernet/ibm/ibmvnic.c +@@ -2307,6 +2307,12 @@ restart_poll: + + if (!pending_scrq(adapter, adapter->rx_scrq[scrq_num])) + break; ++ /* The queue entry at the current index is peeked at above ++ * to determine that there is a valid descriptor awaiting ++ * processing. We want to be sure that the current slot ++ * holds a valid descriptor before reading its contents. ++ */ ++ dma_rmb(); + next = ibmvnic_next_scrq(adapter, adapter->rx_scrq[scrq_num]); + rx_buff = + (struct ibmvnic_rx_buff *)be64_to_cpu(next-> +@@ -2988,6 +2994,13 @@ restart_loop: + unsigned int pool = scrq->pool_index; + int num_entries = 0; + ++ /* The queue entry at the current index is peeked at above ++ * to determine that there is a valid descriptor awaiting ++ * processing. We want to be sure that the current slot ++ * holds a valid descriptor before reading its contents. ++ */ ++ dma_rmb(); ++ + next = ibmvnic_next_scrq(adapter, scrq); + for (i = 0; i < next->tx_comp.num_comps; i++) { + if (next->tx_comp.rcs[i]) { +@@ -3388,6 +3401,11 @@ static union sub_crq *ibmvnic_next_scrq( + } + spin_unlock_irqrestore(&scrq->lock, flags); + ++ /* Ensure that the entire buffer descriptor has been ++ * loaded before reading its contents ++ */ ++ dma_rmb(); ++ + return entry; + } + diff --git a/queue-5.4/ibmvnic-fix-tx-completion-error-handling.patch b/queue-5.4/ibmvnic-fix-tx-completion-error-handling.patch new file mode 100644 index 00000000000..38078dc3bc6 --- /dev/null +++ b/queue-5.4/ibmvnic-fix-tx-completion-error-handling.patch @@ -0,0 +1,37 @@ +From foo@baz Sun Dec 6 10:20:28 AM CET 2020 +From: Thomas Falcon +Date: Tue, 1 Dec 2020 09:52:11 -0600 +Subject: ibmvnic: Fix TX completion error handling + +From: Thomas Falcon + +[ Upstream commit ba246c175116e2e8fa4fdfa5f8e958e086a9a818 ] + +TX completions received with an error return code are not +being processed properly. When an error code is seen, do not +proceed to the next completion before cleaning up the existing +entry's data structures. + +Fixes: 032c5e82847a ("Driver for IBM System i/p VNIC protocol") +Signed-off-by: Thomas Falcon +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/ibm/ibmvnic.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +--- a/drivers/net/ethernet/ibm/ibmvnic.c ++++ b/drivers/net/ethernet/ibm/ibmvnic.c +@@ -3003,11 +3003,9 @@ restart_loop: + + next = ibmvnic_next_scrq(adapter, scrq); + for (i = 0; i < next->tx_comp.num_comps; i++) { +- if (next->tx_comp.rcs[i]) { ++ if (next->tx_comp.rcs[i]) + dev_err(dev, "tx error %x\n", + next->tx_comp.rcs[i]); +- continue; +- } + index = be32_to_cpu(next->tx_comp.correlators[i]); + if (index & IBMVNIC_TSO_POOL_MASK) { + tx_pool = &adapter->tso_pool[pool]; diff --git a/queue-5.4/inet_ecn-fix-endianness-of-checksum-update-when-setting-ect-1.patch b/queue-5.4/inet_ecn-fix-endianness-of-checksum-update-when-setting-ect-1.patch new file mode 100644 index 00000000000..4456595d0b6 --- /dev/null +++ b/queue-5.4/inet_ecn-fix-endianness-of-checksum-update-when-setting-ect-1.patch @@ -0,0 +1,37 @@ +From foo@baz Sun Dec 6 10:20:28 AM CET 2020 +From: "Toke Høiland-Jørgensen" +Date: Mon, 30 Nov 2020 19:37:05 +0100 +Subject: inet_ecn: Fix endianness of checksum update when setting ECT(1) + +From: "Toke Høiland-Jørgensen" + +[ Upstream commit 2867e1eac61016f59b3d730e3f7aa488e186e917 ] + +When adding support for propagating ECT(1) marking in IP headers it seems I +suffered from endianness-confusion in the checksum update calculation: In +fact the ECN field is in the *lower* bits of the first 16-bit word of the +IP header when calculating in network byte order. This means that the +addition performed to update the checksum field was wrong; let's fix that. + +Fixes: b723748750ec ("tunnel: Propagate ECT(1) when decapsulating as recommended by RFC6040") +Reported-by: Jonathan Morton +Tested-by: Pete Heist +Signed-off-by: Toke Høiland-Jørgensen +Link: https://lore.kernel.org/r/20201130183705.17540-1-toke@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + include/net/inet_ecn.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/include/net/inet_ecn.h ++++ b/include/net/inet_ecn.h +@@ -107,7 +107,7 @@ static inline int IP_ECN_set_ect1(struct + if ((iph->tos & INET_ECN_MASK) != INET_ECN_ECT_0) + return 0; + +- check += (__force u16)htons(0x100); ++ check += (__force u16)htons(0x1); + + iph->check = (__force __sum16)(check + (check>=0xFFFF)); + iph->tos ^= INET_ECN_MASK; diff --git a/queue-5.4/ipv4-fix-tos-mask-in-inet_rtm_getroute.patch b/queue-5.4/ipv4-fix-tos-mask-in-inet_rtm_getroute.patch new file mode 100644 index 00000000000..936e41d3204 --- /dev/null +++ b/queue-5.4/ipv4-fix-tos-mask-in-inet_rtm_getroute.patch @@ -0,0 +1,70 @@ +From foo@baz Sun Dec 6 10:20:28 AM CET 2020 +From: Guillaume Nault +Date: Thu, 26 Nov 2020 19:09:22 +0100 +Subject: ipv4: Fix tos mask in inet_rtm_getroute() + +From: Guillaume Nault + +[ Upstream commit 1ebf179037cb46c19da3a9c1e2ca16e7a754b75e ] + +When inet_rtm_getroute() was converted to use the RCU variants of +ip_route_input() and ip_route_output_key(), the TOS parameters +stopped being masked with IPTOS_RT_MASK before doing the route lookup. + +As a result, "ip route get" can return a different route than what +would be used when sending real packets. + +For example: + + $ ip route add 192.0.2.11/32 dev eth0 + $ ip route add unreachable 192.0.2.11/32 tos 2 + $ ip route get 192.0.2.11 tos 2 + RTNETLINK answers: No route to host + +But, packets with TOS 2 (ECT(0) if interpreted as an ECN bit) would +actually be routed using the first route: + + $ ping -c 1 -Q 2 192.0.2.11 + PING 192.0.2.11 (192.0.2.11) 56(84) bytes of data. + 64 bytes from 192.0.2.11: icmp_seq=1 ttl=64 time=0.173 ms + + --- 192.0.2.11 ping statistics --- + 1 packets transmitted, 1 received, 0% packet loss, time 0ms + rtt min/avg/max/mdev = 0.173/0.173/0.173/0.000 ms + +This patch re-applies IPTOS_RT_MASK in inet_rtm_getroute(), to +return results consistent with real route lookups. + +Fixes: 3765d35ed8b9 ("net: ipv4: Convert inet_rtm_getroute to rcu versions of route lookup") +Signed-off-by: Guillaume Nault +Reviewed-by: David Ahern +Link: https://lore.kernel.org/r/b2d237d08317ca55926add9654a48409ac1b8f5b.1606412894.git.gnault@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/route.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/net/ipv4/route.c ++++ b/net/ipv4/route.c +@@ -3132,7 +3132,7 @@ static int inet_rtm_getroute(struct sk_b + + fl4.daddr = dst; + fl4.saddr = src; +- fl4.flowi4_tos = rtm->rtm_tos; ++ fl4.flowi4_tos = rtm->rtm_tos & IPTOS_RT_MASK; + fl4.flowi4_oif = tb[RTA_OIF] ? nla_get_u32(tb[RTA_OIF]) : 0; + fl4.flowi4_mark = mark; + fl4.flowi4_uid = uid; +@@ -3156,8 +3156,9 @@ static int inet_rtm_getroute(struct sk_b + fl4.flowi4_iif = iif; /* for rt_fill_info */ + skb->dev = dev; + skb->mark = mark; +- err = ip_route_input_rcu(skb, dst, src, rtm->rtm_tos, +- dev, &res); ++ err = ip_route_input_rcu(skb, dst, src, ++ rtm->rtm_tos & IPTOS_RT_MASK, dev, ++ &res); + + rt = skb_rtable(skb); + if (err == 0 && rt->dst.error) diff --git a/queue-5.4/net-ip6_gre-set-dev-hard_header_len-when-using-header_ops.patch b/queue-5.4/net-ip6_gre-set-dev-hard_header_len-when-using-header_ops.patch new file mode 100644 index 00000000000..39f2c60b98d --- /dev/null +++ b/queue-5.4/net-ip6_gre-set-dev-hard_header_len-when-using-header_ops.patch @@ -0,0 +1,69 @@ +From foo@baz Sun Dec 6 10:20:28 AM CET 2020 +From: Antoine Tenart +Date: Mon, 30 Nov 2020 17:19:11 +0100 +Subject: net: ip6_gre: set dev->hard_header_len when using header_ops + +From: Antoine Tenart + +[ Upstream commit 832ba596494b2c9eac7760259eff2d8b7dcad0ee ] + +syzkaller managed to crash the kernel using an NBMA ip6gre interface. I +could reproduce it creating an NBMA ip6gre interface and forwarding +traffic to it: + + skbuff: skb_under_panic: text:ffffffff8250e927 len:148 put:44 head:ffff8c03c7a33 + ------------[ cut here ]------------ + kernel BUG at net/core/skbuff.c:109! + Call Trace: + skb_push+0x10/0x10 + ip6gre_header+0x47/0x1b0 + neigh_connected_output+0xae/0xf0 + +ip6gre tunnel provides its own header_ops->create, and sets it +conditionally when initializing the tunnel in NBMA mode. When +header_ops->create is used, dev->hard_header_len should reflect the +length of the header created. Otherwise, when not used, +dev->needed_headroom should be used. + +Fixes: eb95f52fc72d ("net: ipv6_gre: Fix GRO to work on IPv6 over GRE tap") +Cc: Maria Pasechnik +Signed-off-by: Antoine Tenart +Link: https://lore.kernel.org/r/20201130161911.464106-1-atenart@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/ip6_gre.c | 16 +++++++++++++--- + 1 file changed, 13 insertions(+), 3 deletions(-) + +--- a/net/ipv6/ip6_gre.c ++++ b/net/ipv6/ip6_gre.c +@@ -1120,8 +1120,13 @@ static void ip6gre_tnl_link_config_route + return; + + if (rt->dst.dev) { +- dev->needed_headroom = rt->dst.dev->hard_header_len + +- t_hlen; ++ unsigned short dst_len = rt->dst.dev->hard_header_len + ++ t_hlen; ++ ++ if (t->dev->header_ops) ++ dev->hard_header_len = dst_len; ++ else ++ dev->needed_headroom = dst_len; + + if (set_mtu) { + dev->mtu = rt->dst.dev->mtu - t_hlen; +@@ -1146,7 +1151,12 @@ static int ip6gre_calc_hlen(struct ip6_t + tunnel->hlen = tunnel->tun_hlen + tunnel->encap_hlen; + + t_hlen = tunnel->hlen + sizeof(struct ipv6hdr); +- tunnel->dev->needed_headroom = LL_MAX_HEADER + t_hlen; ++ ++ if (tunnel->dev->header_ops) ++ tunnel->dev->hard_header_len = LL_MAX_HEADER + t_hlen; ++ else ++ tunnel->dev->needed_headroom = LL_MAX_HEADER + t_hlen; ++ + return t_hlen; + } + diff --git a/queue-5.4/net-mlx5-dr-proper-handling-of-unsupported-connect-x6dx-sw-steering.patch b/queue-5.4/net-mlx5-dr-proper-handling-of-unsupported-connect-x6dx-sw-steering.patch new file mode 100644 index 00000000000..19adce9dfe9 --- /dev/null +++ b/queue-5.4/net-mlx5-dr-proper-handling-of-unsupported-connect-x6dx-sw-steering.patch @@ -0,0 +1,87 @@ +From foo@baz Sun Dec 6 10:20:28 AM CET 2020 +From: Yevgeny Kliteynik +Date: Wed, 2 Dec 2020 20:39:46 -0800 +Subject: net/mlx5: DR, Proper handling of unsupported Connect-X6DX SW steering + +From: Yevgeny Kliteynik + +[ Upstream commit d421e466c2373095f165ddd25cbabd6c5b077928 ] + +STEs format for Connect-X5 and Connect-X6DX different. Currently, on +Connext-X6DX the SW steering would break at some point when building STEs +w/o giving a proper error message. Fix this by checking the STE format of +the current device when initializing domain: add mlx5_ifc definitions for +Connect-X6DX SW steering, read FW capability to get the current format +version, and check this version when domain is being created. + +Fixes: 26d688e33f88 ("net/mlx5: DR, Add Steering entry (STE) utilities") +Signed-off-by: Yevgeny Kliteynik +Signed-off-by: Saeed Mahameed +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlx5/core/steering/dr_cmd.c | 1 + + drivers/net/ethernet/mellanox/mlx5/core/steering/dr_domain.c | 5 +++++ + drivers/net/ethernet/mellanox/mlx5/core/steering/dr_types.h | 1 + + include/linux/mlx5/mlx5_ifc.h | 9 ++++++++- + 4 files changed, 15 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_cmd.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_cmd.c +@@ -92,6 +92,7 @@ int mlx5dr_cmd_query_device(struct mlx5_ + caps->eswitch_manager = MLX5_CAP_GEN(mdev, eswitch_manager); + caps->gvmi = MLX5_CAP_GEN(mdev, vhca_id); + caps->flex_protocols = MLX5_CAP_GEN(mdev, flex_parser_protocols); ++ caps->sw_format_ver = MLX5_CAP_GEN(mdev, steering_format_version); + + if (mlx5dr_matcher_supp_flex_parser_icmp_v4(caps)) { + caps->flex_parser_id_icmp_dw0 = MLX5_CAP_GEN(mdev, flex_parser_id_icmp_dw0); +--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_domain.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_domain.c +@@ -223,6 +223,11 @@ static int dr_domain_caps_init(struct ml + if (ret) + return ret; + ++ if (dmn->info.caps.sw_format_ver != MLX5_STEERING_FORMAT_CONNECTX_5) { ++ mlx5dr_err(dmn, "SW steering is not supported on this device\n"); ++ return -EOPNOTSUPP; ++ } ++ + ret = dr_domain_query_fdb_caps(mdev, dmn); + if (ret) + return ret; +--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_types.h ++++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_types.h +@@ -613,6 +613,7 @@ struct mlx5dr_cmd_caps { + u8 max_ft_level; + u16 roce_min_src_udp; + u8 num_esw_ports; ++ u8 sw_format_ver; + bool eswitch_manager; + bool rx_sw_owner; + bool tx_sw_owner; +--- a/include/linux/mlx5/mlx5_ifc.h ++++ b/include/linux/mlx5/mlx5_ifc.h +@@ -1139,6 +1139,11 @@ enum mlx5_fc_bulk_alloc_bitmask { + + #define MLX5_FC_BULK_NUM_FCS(fc_enum) (MLX5_FC_BULK_SIZE_FACTOR * (fc_enum)) + ++enum { ++ MLX5_STEERING_FORMAT_CONNECTX_5 = 0, ++ MLX5_STEERING_FORMAT_CONNECTX_6DX = 1, ++}; ++ + struct mlx5_ifc_cmd_hca_cap_bits { + u8 reserved_at_0[0x30]; + u8 vhca_id[0x10]; +@@ -1419,7 +1424,9 @@ struct mlx5_ifc_cmd_hca_cap_bits { + + u8 general_obj_types[0x40]; + +- u8 reserved_at_440[0x20]; ++ u8 reserved_at_440[0x4]; ++ u8 steering_format_version[0x4]; ++ u8 create_qp_start_hint[0x18]; + + u8 reserved_at_460[0x3]; + u8 log_max_uctx[0x5]; diff --git a/queue-5.4/net-mlx5-fix-wrong-address-reclaim-when-command-interface-is-down.patch b/queue-5.4/net-mlx5-fix-wrong-address-reclaim-when-command-interface-is-down.patch new file mode 100644 index 00000000000..c3a579bca4b --- /dev/null +++ b/queue-5.4/net-mlx5-fix-wrong-address-reclaim-when-command-interface-is-down.patch @@ -0,0 +1,62 @@ +From foo@baz Sun Dec 6 10:20:28 AM CET 2020 +From: Eran Ben Elisha +Date: Wed, 2 Dec 2020 20:39:43 -0800 +Subject: net/mlx5: Fix wrong address reclaim when command interface is down + +From: Eran Ben Elisha + +[ Upstream commit 1d2bb5ad89f47d8ce8aedc70ef85059ab3870292 ] + +When command interface is down, driver to reclaim all 4K page chucks that +were hold by the Firmeware. Fix a bug for 64K page size systems, where +driver repeatedly released only the first chunk of the page. + +Define helper function to fill 4K chunks for a given Firmware pages. +Iterate over all unreleased Firmware pages and call the hepler per each. + +Fixes: 5adff6a08862 ("net/mlx5: Fix incorrect page count when in internal error") +Signed-off-by: Eran Ben Elisha +Signed-off-by: Saeed Mahameed +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlx5/core/pagealloc.c | 21 ++++++++++++++++++-- + 1 file changed, 19 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/mellanox/mlx5/core/pagealloc.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/pagealloc.c +@@ -339,6 +339,24 @@ out_free: + return err; + } + ++static u32 fwp_fill_manage_pages_out(struct fw_page *fwp, u32 *out, u32 index, ++ u32 npages) ++{ ++ u32 pages_set = 0; ++ unsigned int n; ++ ++ for_each_clear_bit(n, &fwp->bitmask, MLX5_NUM_4K_IN_PAGE) { ++ MLX5_ARRAY_SET64(manage_pages_out, out, pas, index + pages_set, ++ fwp->addr + (n * MLX5_ADAPTER_PAGE_SIZE)); ++ pages_set++; ++ ++ if (!--npages) ++ break; ++ } ++ ++ return pages_set; ++} ++ + static int reclaim_pages_cmd(struct mlx5_core_dev *dev, + u32 *in, int in_size, u32 *out, int out_size) + { +@@ -362,8 +380,7 @@ static int reclaim_pages_cmd(struct mlx5 + if (fwp->func_id != func_id) + continue; + +- MLX5_ARRAY_SET64(manage_pages_out, out, pas, i, fwp->addr); +- i++; ++ i += fwp_fill_manage_pages_out(fwp, out, i, npages - i); + } + + MLX5_SET(manage_pages_out, out, output_num_entries, i); diff --git a/queue-5.4/net-mvpp2-fix-error-return-code-in-mvpp2_open.patch b/queue-5.4/net-mvpp2-fix-error-return-code-in-mvpp2_open.patch new file mode 100644 index 00000000000..4c80ed13fb7 --- /dev/null +++ b/queue-5.4/net-mvpp2-fix-error-return-code-in-mvpp2_open.patch @@ -0,0 +1,33 @@ +From foo@baz Sun Dec 6 10:20:28 AM CET 2020 +From: Wang Hai +Date: Thu, 3 Dec 2020 22:18:06 +0800 +Subject: net: mvpp2: Fix error return code in mvpp2_open() + +From: Wang Hai + +[ Upstream commit 82a10dc7f0960735f40e8d7d3bee56934291600f ] + +Fix to return negative error code -ENOENT from invalid configuration +error handling case instead of 0, as done elsewhere in this function. + +Fixes: 4bb043262878 ("net: mvpp2: phylink support") +Reported-by: Hulk Robot +Signed-off-by: Wang Hai +Reviewed-by: Andrew Lunn +Link: https://lore.kernel.org/r/20201203141806.37966-1-wanghai38@huawei.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c ++++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c +@@ -3696,6 +3696,7 @@ static int mvpp2_open(struct net_device + if (!valid) { + netdev_err(port->dev, + "invalid configuration: no dt or link IRQ"); ++ err = -ENOENT; + goto err_free_irq; + } + diff --git a/queue-5.4/net-openvswitch-ensure-lse-is-pullable-before-reading-it.patch b/queue-5.4/net-openvswitch-ensure-lse-is-pullable-before-reading-it.patch new file mode 100644 index 00000000000..7979b1aa900 --- /dev/null +++ b/queue-5.4/net-openvswitch-ensure-lse-is-pullable-before-reading-it.patch @@ -0,0 +1,36 @@ +From foo@baz Sun Dec 6 10:20:28 AM CET 2020 +From: Davide Caratti +Date: Thu, 3 Dec 2020 10:46:06 +0100 +Subject: net: openvswitch: ensure LSE is pullable before reading it + +From: Davide Caratti + +[ Upstream commit 43c13605bad44b8abbc9776d6e63f62ccb7a47d6 ] + +when openvswitch is configured to mangle the LSE, the current value is +read from the packet dereferencing 4 bytes at mpls_hdr(): ensure that +the label is contained in the skb "linear" area. + +Found by code inspection. + +Fixes: d27cf5c59a12 ("net: core: add MPLS update core helper and use in OvS") +Signed-off-by: Davide Caratti +Link: https://lore.kernel.org/r/aa099f245d93218b84b5c056b67b6058ccf81a66.1606987185.git.dcaratti@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/openvswitch/actions.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/net/openvswitch/actions.c ++++ b/net/openvswitch/actions.c +@@ -196,6 +196,9 @@ static int set_mpls(struct sk_buff *skb, + __be32 lse; + int err; + ++ if (!pskb_may_pull(skb, skb_network_offset(skb) + MPLS_HLEN)) ++ return -ENOMEM; ++ + stack = mpls_hdr(skb); + lse = OVS_MASKED(stack->label_stack_entry, *mpls_lse, *mask); + err = skb_mpls_update_lse(skb, lse); diff --git a/queue-5.4/net-pasemi-fix-error-return-code-in-pasemi_mac_open.patch b/queue-5.4/net-pasemi-fix-error-return-code-in-pasemi_mac_open.patch new file mode 100644 index 00000000000..3517c359f1e --- /dev/null +++ b/queue-5.4/net-pasemi-fix-error-return-code-in-pasemi_mac_open.patch @@ -0,0 +1,48 @@ +From foo@baz Sun Dec 6 10:20:28 AM CET 2020 +From: Zhang Changzhong +Date: Wed, 2 Dec 2020 17:57:15 +0800 +Subject: net: pasemi: fix error return code in pasemi_mac_open() + +From: Zhang Changzhong + +[ Upstream commit aba84871bd4f52c4dfcf3ad5d4501a6c9d2de90e ] + +Fix to return a negative error code from the error handling +case instead of 0, as done elsewhere in this function. + +Fixes: 72b05b9940f0 ("pasemi_mac: RX/TX ring management cleanup") +Fixes: 8d636d8bc5ff ("pasemi_mac: jumbo frame support") +Reported-by: Hulk Robot +Signed-off-by: Zhang Changzhong +Link: https://lore.kernel.org/r/1606903035-1838-1-git-send-email-zhangchangzhong@huawei.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/pasemi/pasemi_mac.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/pasemi/pasemi_mac.c ++++ b/drivers/net/ethernet/pasemi/pasemi_mac.c +@@ -1078,16 +1078,20 @@ static int pasemi_mac_open(struct net_de + + mac->tx = pasemi_mac_setup_tx_resources(dev); + +- if (!mac->tx) ++ if (!mac->tx) { ++ ret = -ENOMEM; + goto out_tx_ring; ++ } + + /* We might already have allocated rings in case mtu was changed + * before interface was brought up. + */ + if (dev->mtu > 1500 && !mac->num_cs) { + pasemi_mac_setup_csrings(mac); +- if (!mac->num_cs) ++ if (!mac->num_cs) { ++ ret = -ENOMEM; + goto out_tx_ring; ++ } + } + + /* Zero out rmon counters */ diff --git a/queue-5.4/net-sched-act_mpls-ensure-lse-is-pullable-before-reading-it.patch b/queue-5.4/net-sched-act_mpls-ensure-lse-is-pullable-before-reading-it.patch new file mode 100644 index 00000000000..621ed22a6a3 --- /dev/null +++ b/queue-5.4/net-sched-act_mpls-ensure-lse-is-pullable-before-reading-it.patch @@ -0,0 +1,40 @@ +From foo@baz Sun Dec 6 10:20:28 AM CET 2020 +From: Davide Caratti +Date: Thu, 3 Dec 2020 10:37:52 +0100 +Subject: net/sched: act_mpls: ensure LSE is pullable before reading it + +From: Davide Caratti + +[ Upstream commit 9608fa653059c3f72faab0c148ac8773c46e7314 ] + +when 'act_mpls' is used to mangle the LSE, the current value is read from +the packet dereferencing 4 bytes at mpls_hdr(): ensure that the label is +contained in the skb "linear" area. + +Found by code inspection. + +v2: + - use MPLS_HLEN instead of sizeof(new_lse), thanks to Jakub Kicinski + +Fixes: 2a2ea50870ba ("net: sched: add mpls manipulation actions to TC") +Signed-off-by: Davide Caratti +Acked-by: Guillaume Nault +Link: https://lore.kernel.org/r/3243506cba43d14858f3bd21ee0994160e44d64a.1606987058.git.dcaratti@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/sched/act_mpls.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/net/sched/act_mpls.c ++++ b/net/sched/act_mpls.c +@@ -88,6 +88,9 @@ static int tcf_mpls_act(struct sk_buff * + goto drop; + break; + case TCA_MPLS_ACT_MODIFY: ++ if (!pskb_may_pull(skb, ++ skb_network_offset(skb) + MPLS_HLEN)) ++ goto drop; + new_lse = tcf_mpls_get_lse(mpls_hdr(skb), p, false); + if (skb_mpls_update_lse(skb, new_lse)) + goto drop; diff --git a/queue-5.4/net-skbuff-ensure-lse-is-pullable-before-decrementing-the-mpls-ttl.patch b/queue-5.4/net-skbuff-ensure-lse-is-pullable-before-decrementing-the-mpls-ttl.patch new file mode 100644 index 00000000000..c26a8ec2cef --- /dev/null +++ b/queue-5.4/net-skbuff-ensure-lse-is-pullable-before-decrementing-the-mpls-ttl.patch @@ -0,0 +1,37 @@ +From foo@baz Sun Dec 6 10:20:28 AM CET 2020 +From: Davide Caratti +Date: Thu, 3 Dec 2020 10:58:21 +0100 +Subject: net: skbuff: ensure LSE is pullable before decrementing the MPLS ttl + +From: Davide Caratti + +[ Upstream commit 13de4ed9e3a9ccbe54d05f7d5c773f69ecaf6c64 ] + +skb_mpls_dec_ttl() reads the LSE without ensuring that it is contained in +the skb "linear" area. Fix this calling pskb_may_pull() before reading the +current ttl. + +Found by code inspection. + +Fixes: 2a2ea50870ba ("net: sched: add mpls manipulation actions to TC") +Reported-by: Marcelo Ricardo Leitner +Signed-off-by: Davide Caratti +Link: https://lore.kernel.org/r/53659f28be8bc336c113b5254dc637cc76bbae91.1606987074.git.dcaratti@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/core/skbuff.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/net/core/skbuff.c ++++ b/net/core/skbuff.c +@@ -5618,6 +5618,9 @@ int skb_mpls_dec_ttl(struct sk_buff *skb + if (unlikely(!eth_p_mpls(skb->protocol))) + return -EINVAL; + ++ if (!pskb_may_pull(skb, skb_network_offset(skb) + MPLS_HLEN)) ++ return -ENOMEM; ++ + lse = be32_to_cpu(mpls_hdr(skb)->label_stack_entry); + ttl = (lse & MPLS_LS_TTL_MASK) >> MPLS_LS_TTL_SHIFT; + if (!--ttl) diff --git a/queue-5.4/net-x25-prevent-a-couple-of-overflows.patch b/queue-5.4/net-x25-prevent-a-couple-of-overflows.patch new file mode 100644 index 00000000000..b7be051292f --- /dev/null +++ b/queue-5.4/net-x25-prevent-a-couple-of-overflows.patch @@ -0,0 +1,59 @@ +From foo@baz Sun Dec 6 10:20:28 AM CET 2020 +From: Dan Carpenter +Date: Tue, 1 Dec 2020 18:15:12 +0300 +Subject: net/x25: prevent a couple of overflows + +From: Dan Carpenter + +[ Upstream commit 6ee50c8e262a0f0693dad264c3c99e30e6442a56 ] + +The .x25_addr[] address comes from the user and is not necessarily +NUL terminated. This leads to a couple problems. The first problem is +that the strlen() in x25_bind() can read beyond the end of the buffer. + +The second problem is more subtle and could result in memory corruption. +The call tree is: + x25_connect() + --> x25_write_internal() + --> x25_addr_aton() + +The .x25_addr[] buffers are copied to the "addresses" buffer from +x25_write_internal() so it will lead to stack corruption. + +Verify that the strings are NUL terminated and return -EINVAL if they +are not. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Fixes: a9288525d2ae ("X25: Dont let x25_bind use addresses containing characters") +Reported-by: "kiyin(尹亮)" +Signed-off-by: Dan Carpenter +Acked-by: Martin Schiller +Link: https://lore.kernel.org/r/X8ZeAKm8FnFpN//B@mwanda +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/x25/af_x25.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/net/x25/af_x25.c ++++ b/net/x25/af_x25.c +@@ -675,7 +675,8 @@ static int x25_bind(struct socket *sock, + int len, i, rc = 0; + + if (addr_len != sizeof(struct sockaddr_x25) || +- addr->sx25_family != AF_X25) { ++ addr->sx25_family != AF_X25 || ++ strnlen(addr->sx25_addr.x25_addr, X25_ADDR_LEN) == X25_ADDR_LEN) { + rc = -EINVAL; + goto out; + } +@@ -769,7 +770,8 @@ static int x25_connect(struct socket *so + + rc = -EINVAL; + if (addr_len != sizeof(struct sockaddr_x25) || +- addr->sx25_family != AF_X25) ++ addr->sx25_family != AF_X25 || ++ strnlen(addr->sx25_addr.x25_addr, X25_ADDR_LEN) == X25_ADDR_LEN) + goto out; + + rc = -ENETUNREACH; diff --git a/queue-5.4/netfilter-bridge-reset-skb-pkt_type-after-nf_inet_post_routing-traversal.patch b/queue-5.4/netfilter-bridge-reset-skb-pkt_type-after-nf_inet_post_routing-traversal.patch new file mode 100644 index 00000000000..522c790171f --- /dev/null +++ b/queue-5.4/netfilter-bridge-reset-skb-pkt_type-after-nf_inet_post_routing-traversal.patch @@ -0,0 +1,84 @@ +From foo@baz Sun Dec 6 10:20:28 AM CET 2020 +From: Antoine Tenart +Date: Mon, 23 Nov 2020 18:49:02 +0100 +Subject: netfilter: bridge: reset skb->pkt_type after NF_INET_POST_ROUTING traversal + +From: Antoine Tenart + +[ Upstream commit 44f64f23bae2f0fad25503bc7ab86cd08d04cd47 ] + +Netfilter changes PACKET_OTHERHOST to PACKET_HOST before invoking the +hooks as, while it's an expected value for a bridge, routing expects +PACKET_HOST. The change is undone later on after hook traversal. This +can be seen with pairs of functions updating skb>pkt_type and then +reverting it to its original value: + +For hook NF_INET_PRE_ROUTING: + setup_pre_routing / br_nf_pre_routing_finish + +For hook NF_INET_FORWARD: + br_nf_forward_ip / br_nf_forward_finish + +But the third case where netfilter does this, for hook +NF_INET_POST_ROUTING, the packet type is changed in br_nf_post_routing +but never reverted. A comment says: + + /* We assume any code from br_dev_queue_push_xmit onwards doesn't care + * about the value of skb->pkt_type. */ + +But when having a tunnel (say vxlan) attached to a bridge we have the +following call trace: + + br_nf_pre_routing + br_nf_pre_routing_ipv6 + br_nf_pre_routing_finish + br_nf_forward_ip + br_nf_forward_finish + br_nf_post_routing <- pkt_type is updated to PACKET_HOST + br_nf_dev_queue_xmit <- but not reverted to its original value + vxlan_xmit + vxlan_xmit_one + skb_tunnel_check_pmtu <- a check on pkt_type is performed + +In this specific case, this creates issues such as when an ICMPv6 PTB +should be sent back. When CONFIG_BRIDGE_NETFILTER is enabled, the PTB +isn't sent (as skb_tunnel_check_pmtu checks if pkt_type is PACKET_HOST +and returns early). + +If the comment is right and no one cares about the value of +skb->pkt_type after br_dev_queue_push_xmit (which isn't true), resetting +it to its original value should be safe. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Antoine Tenart +Reviewed-by: Florian Westphal +Link: https://lore.kernel.org/r/20201123174902.622102-1-atenart@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/bridge/br_netfilter_hooks.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/net/bridge/br_netfilter_hooks.c ++++ b/net/bridge/br_netfilter_hooks.c +@@ -735,6 +735,11 @@ static int br_nf_dev_queue_xmit(struct n + mtu_reserved = nf_bridge_mtu_reduction(skb); + mtu = skb->dev->mtu; + ++ if (nf_bridge->pkt_otherhost) { ++ skb->pkt_type = PACKET_OTHERHOST; ++ nf_bridge->pkt_otherhost = false; ++ } ++ + if (nf_bridge->frag_max_size && nf_bridge->frag_max_size < mtu) + mtu = nf_bridge->frag_max_size; + +@@ -835,8 +840,6 @@ static unsigned int br_nf_post_routing(v + else + return NF_ACCEPT; + +- /* We assume any code from br_dev_queue_push_xmit onwards doesn't care +- * about the value of skb->pkt_type. */ + if (skb->pkt_type == PACKET_OTHERHOST) { + skb->pkt_type = PACKET_HOST; + nf_bridge->pkt_otherhost = true; diff --git a/queue-5.4/series b/queue-5.4/series index bece6133840..0ee2e22b4fa 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -12,3 +12,23 @@ bonding-wait-for-sysfs-kobject-destruction-before-freeing-struct-slave.patch staging-octeon-fix-up-merge-error.patch ima-extend-boot_aggregate-with-kernel-measurements.patch sched-fair-fix-unthrottle_cfs_rq-for-leaf_cfs_rq-lis.patch +netfilter-bridge-reset-skb-pkt_type-after-nf_inet_post_routing-traversal.patch +ipv4-fix-tos-mask-in-inet_rtm_getroute.patch +dt-bindings-net-correct-interrupt-flags-in-examples.patch +chelsio-chtls-fix-panic-during-unload-reload-chtls.patch +ibmvnic-ensure-that-scrq-entry-reads-are-correctly-ordered.patch +ibmvnic-fix-tx-completion-error-handling.patch +inet_ecn-fix-endianness-of-checksum-update-when-setting-ect-1.patch +geneve-pull-ip-header-before-ecn-decapsulation.patch +net-ip6_gre-set-dev-hard_header_len-when-using-header_ops.patch +net-x25-prevent-a-couple-of-overflows.patch +cxgb3-fix-error-return-code-in-t3_sge_alloc_qset.patch +net-pasemi-fix-error-return-code-in-pasemi_mac_open.patch +vxlan-fix-error-return-code-in-__vxlan_dev_create.patch +chelsio-chtls-fix-a-double-free-in-chtls_setkey.patch +net-mvpp2-fix-error-return-code-in-mvpp2_open.patch +net-skbuff-ensure-lse-is-pullable-before-decrementing-the-mpls-ttl.patch +net-openvswitch-ensure-lse-is-pullable-before-reading-it.patch +net-sched-act_mpls-ensure-lse-is-pullable-before-reading-it.patch +net-mlx5-dr-proper-handling-of-unsupported-connect-x6dx-sw-steering.patch +net-mlx5-fix-wrong-address-reclaim-when-command-interface-is-down.patch diff --git a/queue-5.4/vxlan-fix-error-return-code-in-__vxlan_dev_create.patch b/queue-5.4/vxlan-fix-error-return-code-in-__vxlan_dev_create.patch new file mode 100644 index 00000000000..b2d0c47be86 --- /dev/null +++ b/queue-5.4/vxlan-fix-error-return-code-in-__vxlan_dev_create.patch @@ -0,0 +1,36 @@ +From foo@baz Sun Dec 6 10:20:28 AM CET 2020 +From: Zhang Changzhong +Date: Wed, 2 Dec 2020 17:58:42 +0800 +Subject: vxlan: fix error return code in __vxlan_dev_create() + +From: Zhang Changzhong + +[ Upstream commit 832e09798c261cf58de3a68cfcc6556408c16a5a ] + +Fix to return a negative error code from the error handling +case instead of 0, as done elsewhere in this function. + +Fixes: 0ce1822c2a08 ("vxlan: add adjacent link to limit depth level") +Reported-by: Hulk Robot +Signed-off-by: Zhang Changzhong +Link: https://lore.kernel.org/r/1606903122-2098-1-git-send-email-zhangchangzhong@huawei.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/vxlan.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/net/vxlan.c ++++ b/drivers/net/vxlan.c +@@ -3617,8 +3617,10 @@ static int __vxlan_dev_create(struct net + + if (dst->remote_ifindex) { + remote_dev = __dev_get_by_index(net, dst->remote_ifindex); +- if (!remote_dev) ++ if (!remote_dev) { ++ err = -ENODEV; + goto errout; ++ } + + err = netdev_upper_dev_link(remote_dev, dev, extack); + if (err)