From: Greg Kroah-Hartman Date: Sun, 10 Jan 2021 13:08:08 +0000 (+0100) Subject: 4.9-stable patches X-Git-Tag: v4.4.251~40 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=ad8eb6341d05a041641d36a5596f1fca398b8a74;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: atm-idt77252-call-pci_disable_device-on-error-path.patch cdc-ncm-remove-connected-log-message.patch ethernet-ucc_geth-fix-use-after-free-in-ucc_geth_remove.patch ipv4-ignore-ecn-bits-for-fib-lookups-in-fib_compute_spec_dst.patch net-dcb-validate-netlink-message-in-dcb-handler.patch net-ethernet-fix-memleak-in-ethoc_probe.patch net-hdlc_ppp-fix-issues-when-mod_timer-is-called-while-timer-is-running.patch net-hns-fix-return-value-check-in-__lb_other_process.patch net-ncsi-use-real-net-device-for-response-handler.patch net-sched-prevent-invalid-scell_log-shift-count.patch vhost_net-fix-ubuf-refcount-incorrectly-when-sendmsg-fails.patch virtio_net-fix-recursive-call-to-cpus_read_lock.patch
---
diff --git a/queue-4.9/atm-idt77252-call-pci_disable_device-on-error-path.patch b/queue-4.9/atm-idt77252-call-pci_disable_device-on-error-path.patch
new file mode 100644
index 00000000000..5cc08b2805f
--- /dev/null
+++ b/queue-4.9/atm-idt77252-call-pci_disable_device-on-error-path.patch
@@ -0,0 +1,31 @@
+From foo@baz Sun Jan 10 01:36:06 PM CET 2021
+From: Dan Carpenter
+Date: Sat, 19 Dec 2020 14:01:44 +0300
+Subject: atm: idt77252: call pci_disable_device() on error path
+
+From: Dan Carpenter
+
+[ Upstream commit 8df66af5c1e5f80562fe728db5ec069b21810144 ]
+
+This error path needs to disable the pci device before returning.
+
+Fixes: ede58ef28e10 ("atm: remove deprecated use of pci api")
+Signed-off-by: Dan Carpenter
+Link: https://lore.kernel.org/r/X93dmC4NX0vbTpGp@mwanda
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/atm/idt77252.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/atm/idt77252.c
++++ b/drivers/atm/idt77252.c
+@@ -3615,7 +3615,7 @@ static int idt77252_init_one(struct pci_
+
+ if ((err = dma_set_mask_and_coherent(&pcidev->dev, DMA_BIT_MASK(32)))) {
+ printk("idt77252: can't enable DMA for PCI device at %s\n", pci_name(pcidev));
+- return err;
++ goto err_out_disable_pdev;
+ }
+
+ card = kzalloc(sizeof(struct idt77252_dev), GFP_KERNEL);
diff --git a/queue-4.9/cdc-ncm-remove-connected-log-message.patch b/queue-4.9/cdc-ncm-remove-connected-log-message.patch
new file mode 100644
index 00000000000..dd1abce727a
--- /dev/null
+++ b/queue-4.9/cdc-ncm-remove-connected-log-message.patch
@@ -0,0 +1,41 @@
+From foo@baz Sun Jan 10 01:36:07 PM CET 2021
+From: Roland Dreier
+Date: Wed, 23 Dec 2020 19:21:16 -0800
+Subject: CDC-NCM: remove "connected" log message
+
+From: Roland Dreier
+
+[ Upstream commit 59b4a8fa27f5a895582ada1ae5034af7c94a57b5 ]
+
+The cdc_ncm driver passes network connection notifications up to
+usbnet_link_change(), which is the right place for any logging.
+Remove the netdev_info() duplicating this from the driver itself.
+
+This stops devices such as my "TRENDnet USB 10/100/1G/2.5G LAN"
+(ID 20f4:e02b) adapter from spamming the kernel log with
+
+ cdc_ncm 2-2:2.0 enp0s2u2c2: network connection: connected
+
+messages every 60 msec or so.
+
+Signed-off-by: Roland Dreier
+Reviewed-by: Greg Kroah-Hartman
+Link: https://lore.kernel.org/r/20201224032116.2453938-1-roland@kernel.org
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/usb/cdc_ncm.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+--- a/drivers/net/usb/cdc_ncm.c
++++ b/drivers/net/usb/cdc_ncm.c
+@@ -1602,9 +1602,6 @@ static void cdc_ncm_status(struct usbnet
+ * USB_CDC_NOTIFY_NETWORK_CONNECTION notification shall be
+ * sent by device after USB_CDC_NOTIFY_SPEED_CHANGE.
+ */
+- netif_info(dev, link, dev->net,
+- "network connection: %sconnected\n",
+- !!event->wValue ? "" : "dis");
+ usbnet_link_change(dev, !!event->wValue, 0);
+ break;
+
diff --git a/queue-4.9/ethernet-ucc_geth-fix-use-after-free-in-ucc_geth_remove.patch b/queue-4.9/ethernet-ucc_geth-fix-use-after-free-in-ucc_geth_remove.patch
new file mode 100644
index 00000000000..bc91bb15b16
--- /dev/null
+++ b/queue-4.9/ethernet-ucc_geth-fix-use-after-free-in-ucc_geth_remove.patch
@@ -0,0 +1,37 @@
+From foo@baz Sun Jan 10 01:36:06 PM CET 2021
+From: Rasmus Villemoes
+Date: Fri, 18 Dec 2020 11:55:38 +0100
+Subject: ethernet: ucc_geth: fix use-after-free in ucc_geth_remove()
+
+From: Rasmus Villemoes
+
+[ Upstream commit e925e0cd2a705aaacb0b907bb3691fcac3a973a4 ]
+
+ugeth is the netdiv_priv() part of the netdevice. Accessing the memory
+pointed to by ugeth (such as done by ucc_geth_memclean() and the two
+of_node_puts) after free_netdev() is thus use-after-free.
+
+Fixes: 80a9fad8e89a ("ucc_geth: fix module removal")
+Signed-off-by: Rasmus Villemoes
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/freescale/ucc_geth.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/freescale/ucc_geth.c
++++ b/drivers/net/ethernet/freescale/ucc_geth.c
+@@ -3939,12 +3939,12 @@ static int ucc_geth_remove(struct platfo
+ struct device_node *np = ofdev->dev.of_node;
+
+ unregister_netdev(dev);
+- free_netdev(dev);
+ ucc_geth_memclean(ugeth);
+ if (of_phy_is_fixed_link(np))
+ of_phy_deregister_fixed_link(np);
+ of_node_put(ugeth->ug_info->tbi_node);
+ of_node_put(ugeth->ug_info->phy_node);
++ free_netdev(dev);
+
+ return 0;
+ }
diff --git a/queue-4.9/ipv4-ignore-ecn-bits-for-fib-lookups-in-fib_compute_spec_dst.patch b/queue-4.9/ipv4-ignore-ecn-bits-for-fib-lookups-in-fib_compute_spec_dst.patch
new file mode 100644
index 00000000000..b52248e45ed
--- /dev/null
+++ b/queue-4.9/ipv4-ignore-ecn-bits-for-fib-lookups-in-fib_compute_spec_dst.patch
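Review bot: Nothing in ucc_geth_remove() records why `free_netdev(dev)` has to be the last call, so the ordering this patch establishes is easy to undo in a later cleanup. The commit message explains that ugeth is the private area of the netdevice, which makes every `ugeth->...` access after the free a use-after-free. A one-line comment above the moved call, such as `/* ugeth lives in dev's private area: free the netdev only after the last ugeth access */`, would keep that visible. The start of the function is outside the hunk, so the assignment of ugeth is not shown here.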
@@ -0,0 +1,69 @@
+From foo@baz Sun Jan 10 01:36:06 PM CET 2021
+From: Guillaume Nault
+Date: Thu, 24 Dec 2020 20:01:09 +0100
+Subject: ipv4: Ignore ECN bits for fib lookups in fib_compute_spec_dst()
+
+From: Guillaume Nault
+
+[ Upstream commit 21fdca22eb7df2a1e194b8adb812ce370748b733 ]
+
+RT_TOS() only clears one of the ECN bits. Therefore, when
+fib_compute_spec_dst() resorts to a fib lookup, it can return
+different results depending on the value of the second ECN bit.
+
+For example, ECT(0) and ECT(1) packets could be treated differently.
+
+ $ ip netns add ns0
+ $ ip netns add ns1
+ $ ip link add name veth01 netns ns0 type veth peer name veth10 netns ns1
+ $ ip -netns ns0 link set dev lo up
+ $ ip -netns ns1 link set dev lo up
+ $ ip -netns ns0 link set dev veth01 up
+ $ ip -netns ns1 link set dev veth10 up
+
+ $ ip -netns ns0 address add 192.0.2.10/24 dev veth01
+ $ ip -netns ns1 address add 192.0.2.11/24 dev veth10
+
+ $ ip -netns ns1 address add 192.0.2.21/32 dev lo
+ $ ip -netns ns1 route add 192.0.2.10/32 tos 4 dev veth10 src 192.0.2.21
+ $ ip netns exec ns1 sysctl -wq net.ipv4.icmp_echo_ignore_broadcasts=0
+
+With TOS 4 and ECT(1), ns1 replies using source address 192.0.2.21
+(ping uses -Q to set all TOS and ECN bits):
+
+ $ ip netns exec ns0 ping -c 1 -b -Q 5 192.0.2.255
+ [...]
+ 64 bytes from 192.0.2.21: icmp_seq=1 ttl=64 time=0.544 ms
+
+But with TOS 4 and ECT(0), ns1 replies using source address 192.0.2.11
+because the "tos 4" route isn't matched:
+
+ $ ip netns exec ns0 ping -c 1 -b -Q 6 192.0.2.255
+ [...]
+ 64 bytes from 192.0.2.11: icmp_seq=1 ttl=64 time=0.597 ms
+
+After this patch the ECN bits don't affect the result anymore:
+
+ $ ip netns exec ns0 ping -c 1 -b -Q 6 192.0.2.255
+ [...]
+ 64 bytes from 192.0.2.21: icmp_seq=1 ttl=64 time=0.591 ms
+
+Fixes: 35ebf65e851c ("ipv4: Create and use fib_compute_spec_dst() helper.")
+Signed-off-by: Guillaume Nault
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv4/fib_frontend.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv4/fib_frontend.c
++++ b/net/ipv4/fib_frontend.c
+@@ -292,7 +292,7 @@ __be32 fib_compute_spec_dst(struct sk_bu
+ .flowi4_iif = LOOPBACK_IFINDEX,
+ .flowi4_oif = l3mdev_master_ifindex_rcu(dev),
+ .daddr = ip_hdr(skb)->saddr,
+- .flowi4_tos = RT_TOS(ip_hdr(skb)->tos),
++ .flowi4_tos = ip_hdr(skb)->tos & IPTOS_RT_MASK,
+ .flowi4_scope = scope,
+ .flowi4_mark = vmark ? skb->mark : 0,
+ };
diff --git a/queue-4.9/net-dcb-validate-netlink-message-in-dcb-handler.patch b/queue-4.9/net-dcb-validate-netlink-message-in-dcb-handler.patch
new file mode 100644
index 00000000000..1211657cd72
--- /dev/null
+++ b/queue-4.9/net-dcb-validate-netlink-message-in-dcb-handler.patch
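Review bot: The new initialiser `.flowi4_tos = ip_hdr(skb)->tos & IPTOS_RT_MASK` in fib_compute_spec_dst() open-codes the mask with no hint of why the usual RT_TOS() helper is avoided here. The reason is only in the commit message (RT_TOS() leaves one ECN bit set, so the lookup result depended on a bit the sender controls). A trailing comment such as `/* mask both ECN bits; RT_TOS() keeps one */` would stop the line being converted back. The surrounding initialiser starts and ends outside the hunk.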
@@ -0,0 +1,47 @@
+From foo@baz Sun Jan 10 01:36:06 PM CET 2021
+From: Petr Machata
+Date: Tue, 22 Dec 2020 22:49:44 +0100
+Subject: net: dcb: Validate netlink message in DCB handler
+
+From: Petr Machata
+
+[ Upstream commit 826f328e2b7e8854dd42ea44e6519cd75018e7b1 ]
+
+DCB uses the same handler function for both RTM_GETDCB and RTM_SETDCB
+messages. dcb_doit() bounces RTM_SETDCB mesasges if the user does not have
+the CAP_NET_ADMIN capability.
+
+However, the operation to be performed is not decided from the DCB message
+type, but from the DCB command. Thus DCB_CMD_*_GET commands are used for
+reading DCB objects, the corresponding SET and DEL commands are used for
+manipulation.
+
+The assumption is that set-like commands will be sent via an RTM_SETDCB
+message, and get-like ones via RTM_GETDCB. However, this assumption is not
+enforced.
+
+It is therefore possible to manipulate DCB objects without CAP_NET_ADMIN
+capability by sending the corresponding command in an RTM_GETDCB message.
+That is a bug. Fix it by validating the type of the request message against
+the type used for the response.
+
+Fixes: 2f90b8657ec9 ("ixgbe: this patch adds support for DCB to the kernel and ixgbe driver")
+Signed-off-by: Petr Machata
+Link: https://lore.kernel.org/r/a2a9b88418f3a58ef211b718f2970128ef9e3793.1608673640.git.me@pmachata.org
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/dcb/dcbnl.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/dcb/dcbnl.c
++++ b/net/dcb/dcbnl.c
+@@ -1726,6 +1726,8 @@ static int dcb_doit(struct sk_buff *skb,
+ fn = &reply_funcs[dcb->cmd];
+ if (!fn->cb)
+ return -EOPNOTSUPP;
++ if (fn->type != nlh->nlmsg_type)
++ return -EPERM;
+
+ if (!tb[DCB_ATTR_IFNAME])
+ return -EINVAL;
diff --git a/queue-4.9/net-ethernet-fix-memleak-in-ethoc_probe.patch b/queue-4.9/net-ethernet-fix-memleak-in-ethoc_probe.patch
new file mode 100644
index 00000000000..005f5b879c2
--- /dev/null
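Review bot: The new `fn->type != nlh->nlmsg_type` test in dcb_doit() is what ties a DCB command to the message type that carries the CAP_NET_ADMIN check, and it has no comment saying so. Per the commit message, `fn->type` is the type used for the reply, so the test is only as strict as the reply_funcs table, which is outside this hunk; an entry for a SET or DEL command registered with the GET type would not be caught by it. I would add `/* a command must arrive in the message type it replies with, so SET/DEL cannot be sent in an unprivileged RTM_GETDCB */` above the test. The capability check itself and the bounds check on `dcb->cmd` are also outside the hunk.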
+++ b/queue-4.9/net-ethernet-fix-memleak-in-ethoc_probe.patch
@@ -0,0 +1,42 @@
+From foo@baz Sun Jan 10 01:36:06 PM CET 2021
+From: Dinghao Liu
+Date: Wed, 23 Dec 2020 19:06:12 +0800
+Subject: net: ethernet: Fix memleak in ethoc_probe
+
+From: Dinghao Liu
+
+[ Upstream commit 5d41f9b7ee7a5a5138894f58846a4ffed601498a ]
+
+When mdiobus_register() fails, priv->mdio allocated
+by mdiobus_alloc() has not been freed, which leads
+to memleak.
+
+Fixes: e7f4dc3536a4 ("mdio: Move allocation of interrupts into core")
+Signed-off-by: Dinghao Liu
+Reviewed-by: Andrew Lunn
+Link: https://lore.kernel.org/r/20201223110615.31389-1-dinghao.liu@zju.edu.cn
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/ethoc.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/ethoc.c
++++ b/drivers/net/ethernet/ethoc.c
+@@ -1190,7 +1190,7 @@ static int ethoc_probe(struct platform_d
+ ret = mdiobus_register(priv->mdio);
+ if (ret) {
+ dev_err(&netdev->dev, "failed to register MDIO bus\n");
+- goto free2;
++ goto free3;
+ }
+
+ ret = ethoc_mdio_probe(netdev);
+@@ -1222,6 +1222,7 @@ error2:
+ netif_napi_del(&priv->napi);
+ error:
+ mdiobus_unregister(priv->mdio);
++free3:
+ mdiobus_free(priv->mdio);
+ free2:
+ if (priv->clk)
diff --git a/queue-4.9/net-hdlc_ppp-fix-issues-when-mod_timer-is-called-while-timer-is-running.patch b/queue-4.9/net-hdlc_ppp-fix-issues-when-mod_timer-is-called-while-timer-is-running.patch
new file mode 100644
index 00000000000..46c6fb6bdf2
--- /dev/null
+++ b/queue-4.9/net-hdlc_ppp-fix-issues-when-mod_timer-is-called-while-timer-is-running.patch
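Review bot: The new `free3:` label in ethoc_probe() sits between `error:` and `free2:`, so the unwind chain now reads error2, error, free3, free2 and the numbers no longer indicate order. Naming the label for what it releases, for example `free_mdio:` with `goto free_mdio;` at the mdiobus_register() failure, would make it clear that this path deliberately skips mdiobus_unregister() but still frees the bus. The rest of the unwind chain lies outside the two hunks shown.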
@@ -0,0 +1,44 @@
+From foo@baz Sun Jan 10 01:36:06 PM CET 2021
+From: Xie He
+Date: Sun, 27 Dec 2020 18:53:39 -0800
+Subject: net: hdlc_ppp: Fix issues when mod_timer is called while timer is running
+
+From: Xie He
+
+[ Upstream commit 1fef73597fa545c35fddc953979013882fbd4e55 ]
+
+ppp_cp_event is called directly or indirectly by ppp_rx with "ppp->lock"
+held. It may call mod_timer to add a new timer. However, at the same time
+ppp_timer may be already running and waiting for "ppp->lock". In this
+case, there's no need for ppp_timer to continue running and it can just
+exit.
+
+If we let ppp_timer continue running, it may call add_timer. This causes
+kernel panic because add_timer can't be called with a timer pending.
+This patch fixes this problem.
+
+Fixes: e022c2f07ae5 ("WAN: new synchronous PPP implementation for generic HDLC.")
+Cc: Krzysztof Halasa
+Signed-off-by: Xie He
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/wan/hdlc_ppp.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/net/wan/hdlc_ppp.c
++++ b/drivers/net/wan/hdlc_ppp.c
+@@ -572,6 +572,13 @@ static void ppp_timer(unsigned long arg)
+ unsigned long flags;
+
+ spin_lock_irqsave(&ppp->lock, flags);
++ /* mod_timer could be called after we entered this function but
++ * before we got the lock.
++ */
++ if (timer_pending(&proto->timer)) {
++ spin_unlock_irqrestore(&ppp->lock, flags);
++ return;
++ }
+ switch (proto->state) {
+ case STOPPING:
+ case REQ_SENT:
diff --git a/queue-4.9/net-hns-fix-return-value-check-in-__lb_other_process.patch b/queue-4.9/net-hns-fix-return-value-check-in-__lb_other_process.patch
new file mode 100644
index 00000000000..69786c7ae22
--- /dev/null
+++ b/queue-4.9/net-hns-fix-return-value-check-in-__lb_other_process.patch
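Review bot: The comment added in ppp_timer() says when mod_timer() can race with the handler but not why returning early is the right response. The commit message gives the reason: the timer has been re-armed, this run is no longer needed, and going on could reach add_timer() on a pending timer. I would extend the comment to `/* mod_timer() may have re-armed the timer while we waited for ppp->lock; this run is then redundant and must not reach add_timer() */`. The rest of the function, including its normal unlock path, is outside the hunk.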
@@ -0,0 +1,33 @@
+From foo@baz Sun Jan 10 01:36:06 PM CET 2021
+From: Yunjian Wang
+Date: Sat, 26 Dec 2020 16:10:05 +0800
+Subject: net: hns: fix return value check in __lb_other_process()
+
+From: Yunjian Wang
+
+[ Upstream commit 5ede3ada3da7f050519112b81badc058190b9f9f ]
+
+The function skb_copy() could return NULL, the return value
+need to be checked.
+
+Fixes: b5996f11ea54 ("net: add Hisilicon Network Subsystem basic ethernet support")
+Signed-off-by: Yunjian Wang
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/hisilicon/hns/hns_ethtool.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/net/ethernet/hisilicon/hns/hns_ethtool.c
++++ b/drivers/net/ethernet/hisilicon/hns/hns_ethtool.c
+@@ -447,6 +447,10 @@ static void __lb_other_process(struct hn
+ /* for mutl buffer*/
+ new_skb = skb_copy(skb, GFP_ATOMIC);
+ dev_kfree_skb_any(skb);
++ if (!new_skb) {
++ netdev_err(ndev, "skb alloc failed\n");
++ return;
++ }
+ skb = new_skb;
+
+ check_ok = 0;
diff --git a/queue-4.9/net-ncsi-use-real-net-device-for-response-handler.patch b/queue-4.9/net-ncsi-use-real-net-device-for-response-handler.patch
new file mode 100644
index 00000000000..13ca5c9dfa6
--- /dev/null
+++ b/queue-4.9/net-ncsi-use-real-net-device-for-response-handler.patch
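Review bot: The `netdev_err(ndev, "skb alloc failed\n")` added after skb_copy() in __lb_other_process() duplicates what the allocator already reports, since GFP_ATOMIC as passed here does not include __GFP_NOWARN. Kernel style drops such messages, so `if (!new_skb) return;` would be enough. The early return also leaves before the `check_ok = 0` line visible further down, so it is worth confirming from the full function, which is outside the hunk, that a failed copy ends up counted as a failed loopback check rather than silently skipped.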
@@ -0,0 +1,34 @@
+From foo@baz Sun Jan 10 01:36:06 PM CET 2021
+From: John Wang
+Date: Wed, 23 Dec 2020 13:55:23 +0800
+Subject: net/ncsi: Use real net-device for response handler
+
+From: John Wang
+
+[ Upstream commit 427c940558560bff2583d07fc119a21094675982 ]
+
+When aggregating ncsi interfaces and dedicated interfaces to bond
+interfaces, the ncsi response handler will use the wrong net device to
+find ncsi_dev, so that the ncsi interface will not work properly.
+Here, we use the original net device to fix it.
+
+Fixes: 138635cc27c9 ("net/ncsi: NCSI response packet handler")
+Signed-off-by: John Wang
+Link: https://lore.kernel.org/r/20201223055523.2069-1-wangzhiqiang.bj@bytedance.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ncsi/ncsi-rsp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ncsi/ncsi-rsp.c
++++ b/net/ncsi/ncsi-rsp.c
+@@ -975,7 +975,7 @@ int ncsi_rcv_rsp(struct sk_buff *skb, st
+ int payload, i, ret;
+
+ /* Find the NCSI device */
+- nd = ncsi_find_dev(dev);
++ nd = ncsi_find_dev(orig_dev);
+ ndp = nd ? TO_NCSI_DEV_PRIV(nd) : NULL;
+ if (!ndp)
+ return -ENODEV;
diff --git a/queue-4.9/net-sched-prevent-invalid-scell_log-shift-count.patch b/queue-4.9/net-sched-prevent-invalid-scell_log-shift-count.patch
new file mode 100644
index 00000000000..82a812bf3c9
--- /dev/null
+++ b/queue-4.9/net-sched-prevent-invalid-scell_log-shift-count.patch
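Review bot: The comment above the lookup in ncsi_rcv_rsp() still reads `/* Find the NCSI device */` and does not say why `orig_dev` is passed instead of `dev`. According to the commit message the two differ when the NCSI interface is part of a bond, and the lookup then has to use the original device. Extending the comment to `/* Find the NCSI device; with bonding, dev is not the NCSI interface, so use orig_dev */` would keep the argument from being changed back. The function signature is truncated in the hunk header, so the orig_dev parameter itself is not visible here.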
@@ -0,0 +1,98 @@
+From foo@baz Sun Jan 10 12:47:32 PM CET 2021
+From: Randy Dunlap
+Date: Thu, 24 Dec 2020 22:23:44 -0800
+Subject: net: sched: prevent invalid Scell_log shift count
+
+From: Randy Dunlap
+
+[ Upstream commit bd1248f1ddbc48b0c30565fce897a3b6423313b8 ]
+
+Check Scell_log shift size in red_check_params() and modify all callers
+of red_check_params() to pass Scell_log.
+
+This prevents a shift out-of-bounds as detected by UBSAN:
+ UBSAN: shift-out-of-bounds in ./include/net/red.h:252:22
+ shift exponent 72 is too large for 32-bit type 'int'
+
+Fixes: 8afa10cbe281 ("net_sched: red: Avoid illegal values")
+Signed-off-by: Randy Dunlap
+Reported-by: syzbot+97c5bd9cc81eca63d36e@syzkaller.appspotmail.com
+Cc: Nogah Frankel
+Cc: Jamal Hadi Salim
+Cc: Cong Wang
+Cc: Jiri Pirko
+Cc: netdev@vger.kernel.org
+Cc: "David S. Miller"
+Cc: Jakub Kicinski
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ include/net/red.h | 4 +++-
+ net/sched/sch_choke.c | 2 +-
+ net/sched/sch_gred.c | 2 +-
+ net/sched/sch_red.c | 2 +-
+ net/sched/sch_sfq.c | 2 +-
+ 5 files changed, 7 insertions(+), 5 deletions(-)
+
+--- a/include/net/red.h
++++ b/include/net/red.h
+@@ -167,12 +167,14 @@ static inline void red_set_vars(struct r
+ v->qcount = -1;
+ }
+
+-static inline bool red_check_params(u32 qth_min, u32 qth_max, u8 Wlog)
++static inline bool red_check_params(u32 qth_min, u32 qth_max, u8 Wlog, u8 Scell_log)
+ {
+ if (fls(qth_min) + Wlog > 32)
+ return false;
+ if (fls(qth_max) + Wlog > 32)
+ return false;
++ if (Scell_log >= 32)
++ return false;
+ if (qth_max < qth_min)
+ return false;
+ return true;
+--- a/net/sched/sch_choke.c
++++ b/net/sched/sch_choke.c
+@@ -425,7 +425,7 @@ static int choke_change(struct Qdisc *sc
+
+ ctl = nla_data(tb[TCA_CHOKE_PARMS]);
+
+- if (!red_check_params(ctl->qth_min, ctl->qth_max, ctl->Wlog))
++ if (!red_check_params(ctl->qth_min, ctl->qth_max, ctl->Wlog, ctl->Scell_log))
+ return -EINVAL;
+
+ if (ctl->limit > CHOKE_MAX_QUEUE)
+--- a/net/sched/sch_gred.c
++++ b/net/sched/sch_gred.c
+@@ -356,7 +356,7 @@ static inline int gred_change_vq(struct
+ struct gred_sched *table = qdisc_priv(sch);
+ struct gred_sched_data *q = table->tab[dp];
+
+- if (!red_check_params(ctl->qth_min, ctl->qth_max, ctl->Wlog))
++ if (!red_check_params(ctl->qth_min, ctl->qth_max, ctl->Wlog, ctl->Scell_log))
+ return -EINVAL;
+
+ if (!q) {
+--- a/net/sched/sch_red.c
++++ b/net/sched/sch_red.c
+@@ -184,7 +184,7 @@ static int red_change(struct Qdisc *sch,
+ max_P = tb[TCA_RED_MAX_P] ? nla_get_u32(tb[TCA_RED_MAX_P]) : 0;
+
+ ctl = nla_data(tb[TCA_RED_PARMS]);
+- if (!red_check_params(ctl->qth_min, ctl->qth_max, ctl->Wlog))
++ if (!red_check_params(ctl->qth_min, ctl->qth_max, ctl->Wlog, ctl->Scell_log))
+ return -EINVAL;
+
+ if (ctl->limit > 0) {
+--- a/net/sched/sch_sfq.c
++++ b/net/sched/sch_sfq.c
+@@ -645,7 +645,7 @@ static int sfq_change(struct Qdisc *sch,
+ }
+
+ if (ctl_v1 && !red_check_params(ctl_v1->qth_min, ctl_v1->qth_max,
+- ctl_v1->Wlog))
++ ctl_v1->Wlog, ctl_v1->Scell_log))
+ return -EINVAL;
+ if (ctl_v1 && ctl_v1->qth_min) {
+ p = kmalloc(sizeof(*p), GFP_KERNEL);
diff --git a/queue-4.9/series b/queue-4.9/series
index 4cfae6f14ed..3493ad4abd3 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
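Review bot: The bound in `if (Scell_log >= 32)` in red_check_params() is a bare constant whose meaning is given only in the commit message, which cites a shift on a 32-bit int at include/net/red.h:252, outside this hunk. A short comment such as `/* Scell_log is used as a shift count on a 32-bit value */` would tie the limit to the type it protects, so a later change of that type also prompts a change here. In the lines shown, the callers in sch_choke, sch_gred, sch_red and sch_sfq pass the field straight from the control struct taken from the netlink attribute, so this helper is the only validation it receives there.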
@@ -2,3 +2,15 @@ kbuild-don-t-hardcode-depmod-path.patch
 workqueue-kick-a-worker-based-on-the-actual-activati.patch
 lib-genalloc-fix-the-overflow-when-size-is-too-big.patch
 depmod-handle-the-case-of-sbin-depmod-without-sbin-i.patch
+ethernet-ucc_geth-fix-use-after-free-in-ucc_geth_remove.patch
+atm-idt77252-call-pci_disable_device-on-error-path.patch
+net-dcb-validate-netlink-message-in-dcb-handler.patch
+net-ncsi-use-real-net-device-for-response-handler.patch
+net-ethernet-fix-memleak-in-ethoc_probe.patch
+ipv4-ignore-ecn-bits-for-fib-lookups-in-fib_compute_spec_dst.patch
+net-hns-fix-return-value-check-in-__lb_other_process.patch
+net-hdlc_ppp-fix-issues-when-mod_timer-is-called-while-timer-is-running.patch
+cdc-ncm-remove-connected-log-message.patch
+vhost_net-fix-ubuf-refcount-incorrectly-when-sendmsg-fails.patch
+net-sched-prevent-invalid-scell_log-shift-count.patch
+virtio_net-fix-recursive-call-to-cpus_read_lock.patch
diff --git a/queue-4.9/vhost_net-fix-ubuf-refcount-incorrectly-when-sendmsg-fails.patch b/queue-4.9/vhost_net-fix-ubuf-refcount-incorrectly-when-sendmsg-fails.patch
new file mode 100644
index 00000000000..3b893906001
--- /dev/null
+++ b/queue-4.9/vhost_net-fix-ubuf-refcount-incorrectly-when-sendmsg-fails.patch
@@ -0,0 +1,57 @@
+From foo@baz Sun Jan 10 01:16:11 PM CET 2021
+From: Yunjian Wang
+Date: Tue, 29 Dec 2020 10:01:48 +0800
+Subject: vhost_net: fix ubuf refcount incorrectly when sendmsg fails
+
+From: Yunjian Wang
+
+[ Upstream commit 01e31bea7e622f1890c274f4aaaaf8bccd296aa5 ]
+
+Currently the vhost_zerocopy_callback() maybe be called to decrease
+the refcount when sendmsg fails in tun. The error handling in vhost
+handle_tx_zerocopy() will try to decrease the same refcount again.
+This is wrong. To fix this issue, we only call vhost_net_ubuf_put()
+when vq->heads[nvq->desc].len == VHOST_DMA_IN_PROGRESS.
+
+Fixes: bab632d69ee4 ("vhost: vhost TX zero-copy support")
+Signed-off-by: Yunjian Wang
+Acked-by: Willem de Bruijn
+Acked-by: Michael S. Tsirkin
+Acked-by: Jason Wang
+Link: https://lore.kernel.org/r/1609207308-20544-1-git-send-email-wangyunjian@huawei.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/vhost/net.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/vhost/net.c
++++ b/drivers/vhost/net.c
+@@ -377,6 +377,7 @@ static void handle_tx(struct vhost_net *
+ size_t hdr_size;
+ struct socket *sock;
+ struct vhost_net_ubuf_ref *uninitialized_var(ubufs);
++ struct ubuf_info *ubuf;
+ bool zcopy, zcopy_used;
+ int sent_pkts = 0;
+
+@@ -444,9 +445,7 @@ static void handle_tx(struct vhost_net *
+
+ /* use msg_control to pass vhost zerocopy ubuf info to skb */
+ if (zcopy_used) {
+- struct ubuf_info *ubuf;
+ ubuf = nvq->ubuf_info + nvq->upend_idx;
+-
+ vq->heads[nvq->upend_idx].id = cpu_to_vhost32(vq, head);
+ vq->heads[nvq->upend_idx].len = VHOST_DMA_IN_PROGRESS;
+ ubuf->callback = vhost_zerocopy_callback;
+@@ -465,7 +464,8 @@ static void handle_tx(struct vhost_net *
+ err = sock->ops->sendmsg(sock, &msg, len);
+ if (unlikely(err < 0)) {
+ if (zcopy_used) {
+- vhost_net_ubuf_put(ubufs);
++ if (vq->heads[ubuf->desc].len == VHOST_DMA_IN_PROGRESS)
++ vhost_net_ubuf_put(ubufs);
+ nvq->upend_idx = ((unsigned)nvq->upend_idx - 1)
+ % UIO_MAXIOV;
+ }
diff --git a/queue-4.9/virtio_net-fix-recursive-call-to-cpus_read_lock.patch b/queue-4.9/virtio_net-fix-recursive-call-to-cpus_read_lock.patch
new file mode 100644
index 00000000000..f94efd4a8e5
--- /dev/null
+++ b/queue-4.9/virtio_net-fix-recursive-call-to-cpus_read_lock.patch
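Review bot: `ubuf` is now declared at function scope in handle_tx() without an initialiser and is read in the sendmsg() error path as `vq->heads[ubuf->desc].len`. That read is valid only because both the assignment and the use sit under `if (zcopy_used)`, and because `ubuf->desc` is set in lines outside these hunks; neither is stated in the code. I would add a comment at the new test, `/* the zerocopy callback may already have dropped this reference; put it only while the entry is still marked in progress */`, and consider `struct ubuf_info *ubuf = NULL;` so that a later reordering faults instead of using an indeterminate pointer. The commit message writes the index as `nvq->desc` while the code uses `ubuf->desc`, which is worth reconciling for readers of the backport.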
@@ -0,0 +1,61 @@
+From foo@baz Sun Jan 10 01:16:11 PM CET 2021
+From: Jeff Dike
+Date: Tue, 22 Dec 2020 21:54:21 -0500
+Subject: virtio_net: Fix recursive call to cpus_read_lock()
+
+From: Jeff Dike
+
+[ Upstream commit de33212f768c5d9e2fe791b008cb26f92f0aa31c ]
+
+virtnet_set_channels can recursively call cpus_read_lock if CONFIG_XPS
+and CONFIG_HOTPLUG are enabled.
+
+The path is:
+ virtnet_set_channels - calls get_online_cpus(), which is a trivial
+wrapper around cpus_read_lock()
+ netif_set_real_num_tx_queues
+ netif_reset_xps_queues_gt
+ netif_reset_xps_queues - calls cpus_read_lock()
+
+This call chain and potential deadlock happens when the number of TX
+queues is reduced.
+
+This commit the removes netif_set_real_num_[tr]x_queues calls from
+inside the get/put_online_cpus section, as they don't require that it
+be held.
+
+Fixes: 47be24796c13 ("virtio-net: fix the set affinity bug when CPU IDs are not consecutive")
+Signed-off-by: Jeff Dike
+Acked-by: Jason Wang
+Acked-by: Michael S. Tsirkin
+Link: https://lore.kernel.org/r/20201223025421.671-1-jdike@akamai.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/virtio_net.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/virtio_net.c
++++ b/drivers/net/virtio_net.c
+@@ -1357,14 +1357,16 @@ static int virtnet_set_channels(struct n
+
+ get_online_cpus();
+ err = virtnet_set_queues(vi, queue_pairs);
+- if (!err) {
+- netif_set_real_num_tx_queues(dev, queue_pairs);
+- netif_set_real_num_rx_queues(dev, queue_pairs);
+-
+- virtnet_set_affinity(vi);
++ if (err) {
++ put_online_cpus();
++ goto err;
+ }
++ virtnet_set_affinity(vi);
+ put_online_cpus();
+
++ netif_set_real_num_tx_queues(dev, queue_pairs);
++ netif_set_real_num_rx_queues(dev, queue_pairs);
++err:
+ return err;
+ }
+
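Review bot: The return values of `netif_set_real_num_tx_queues()` and `netif_set_real_num_rx_queues()` are still discarded after the calls were moved out of the get/put_online_cpus() section in virtnet_set_channels(), so the function returns 0 even if the core did not accept the new queue count. Separately, the new label `err:` has the same name as the variable it returns (`goto err;` followed by `err: return err;`); that is legal C but hard to read, and `out:` would be the conventional name. The opening lines of the function are outside the hunk.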