From: Greg Kroah-Hartman
Date: Thu, 28 May 2020 13:35:08 +0000 (+0200)
Subject: 4.4-stable patches
X-Git-Tag: v4.4.226~62
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=b9cfd569ee0348971e75d567f15fa3882d615490;p=thirdparty%2Fkernel%2Fstable-queue.git
4.4-stable patches
added patches:
ax25-fix-setsockopt-so_bindtodevice.patch
net-mlx5-add-command-entry-handling-completion.patch
net-revert-net-get-rid-of-an-signed-integer-overflow-in-ip_idents_reserve.patch
sctp-start-shutdown-on-association-restart-if-in-shutdown-sent-state-and-socket-is-closed.patch
---
diff --git a/queue-4.4/ax25-fix-setsockopt-so_bindtodevice.patch b/queue-4.4/ax25-fix-setsockopt-so_bindtodevice.patch
new file mode 100644
index 00000000000..c4a5ab6bcbb
--- /dev/null
+++ b/queue-4.4/ax25-fix-setsockopt-so_bindtodevice.patch
@@ -0,0 +1,72 @@
+From foo@baz Thu 28 May 2020 03:29:06 PM CEST
+From: Eric Dumazet
+Date: Tue, 19 May 2020 18:24:43 -0700
+Subject: ax25: fix setsockopt(SO_BINDTODEVICE)
+
+From: Eric Dumazet
+
+[ Upstream commit 687775cec056b38a4c8f3291e0dd7a9145f7b667 ]
+
+syzbot was able to trigger this trace [1], probably by using
+a zero optlen.
+
+While we are at it, cap optlen to IFNAMSIZ - 1 instead of IFNAMSIZ.
+
+[1]
+BUG: KMSAN: uninit-value in strnlen+0xf9/0x170 lib/string.c:569
+CPU: 0 PID: 8807 Comm: syz-executor483 Not tainted 5.7.0-rc4-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x1c9/0x220 lib/dump_stack.c:118
+ kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:121
+ __msan_warning+0x58/0xa0 mm/kmsan/kmsan_instr.c:215
+ strnlen+0xf9/0x170 lib/string.c:569
+ dev_name_hash net/core/dev.c:207 [inline]
+ netdev_name_node_lookup net/core/dev.c:277 [inline]
+ __dev_get_by_name+0x75/0x2b0 net/core/dev.c:778
+ ax25_setsockopt+0xfa3/0x1170 net/ax25/af_ax25.c:654
+ __compat_sys_setsockopt+0x4ed/0x910 net/compat.c:403
+ __do_compat_sys_setsockopt net/compat.c:413 [inline]
+ __se_compat_sys_setsockopt+0xdd/0x100 net/compat.c:410
+ __ia32_compat_sys_setsockopt+0x62/0x80 net/compat.c:410
+ do_syscall_32_irqs_on arch/x86/entry/common.c:339 [inline]
+ do_fast_syscall_32+0x3bf/0x6d0 arch/x86/entry/common.c:398
+ entry_SYSENTER_compat+0x68/0x77 arch/x86/entry/entry_64_compat.S:139
+RIP: 0023:0xf7f57dd9
+Code: 90 e8 0b 00 00 00 f3 90 0f ae e8 eb f9 8d 74 26 00 89 3c 24 c3 90 90 90 90 90 90 90 90 90 90 90 90 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
+RSP: 002b:00000000ffae8c1c EFLAGS: 00000217 ORIG_RAX: 000000000000016e
+RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000000101
+RDX: 0000000000000019 RSI: 0000000020000000 RDI: 0000000000000004
+RBP: 0000000000000012 R08: 0000000000000000 R09: 
0000000000000000
+R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
+R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
+
+Local variable ----devname@ax25_setsockopt created at:
+ ax25_setsockopt+0xe6/0x1170 net/ax25/af_ax25.c:536
+ ax25_setsockopt+0xe6/0x1170 net/ax25/af_ax25.c:536
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Eric Dumazet
+Reported-by: syzbot
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ax25/af_ax25.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/net/ax25/af_ax25.c
++++ b/net/ax25/af_ax25.c
+@@ -639,8 +639,10 @@ static int ax25_setsockopt(struct socket
+ break;
+
+ case SO_BINDTODEVICE:
+- if (optlen > IFNAMSIZ)
+- optlen = IFNAMSIZ;
++ if (optlen > IFNAMSIZ - 1)
++ optlen = IFNAMSIZ - 1;
++
++ memset(devname, 0, sizeof(devname));
+
+ if (copy_from_user(devname, optval, optlen)) {
+ res = -EFAULT;
diff --git a/queue-4.4/net-mlx5-add-command-entry-handling-completion.patch b/queue-4.4/net-mlx5-add-command-entry-handling-completion.patch
new file mode 100644
index 00000000000..dd854e2d72d
--- /dev/null
+++ b/queue-4.4/net-mlx5-add-command-entry-handling-completion.patch
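Review bot: The new `memset(devname, 0, sizeof(devname))` and the `IFNAMSIZ - 1` cap only work as a pair — the zero-fill makes a short copy leave the buffer fully initialised, and the cap keeps the last byte free as the terminator that `__dev_get_by_name()` (seen in the KMSAN trace at af_ax25.c:654) relies on — yet nothing in the hunk records that, so a later cleanup could drop either half. I would put a one-line comment above the memset: `/* zero-fill first: a short optlen must still leave devname NUL-terminated and fully initialised */`. ax25_setsockopt's body starts and ends outside the hunk, so whether optlen is range-checked earlier in the function cannot be confirmed from here.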
@@ -0,0 +1,97 @@
+From foo@baz Thu 28 May 2020 03:24:57 PM CEST
+From: Moshe Shemesh
+Date: Fri, 27 Dec 2019 07:01:53 +0200
+Subject: net/mlx5: Add command entry handling completion
+
+From: Moshe Shemesh
+
+[ Upstream commit 17d00e839d3b592da9659c1977d45f85b77f986a ]
+
+When FW response to commands is very slow and all command entries in
+use are waiting for completion we can have a race where commands can get
+timeout before they get out of the queue and handled. Timeout
+completion on uninitialized command will cause releasing command's
+buffers before accessing it for initialization and then we will get NULL
+pointer exception while trying access it. It may also cause releasing
+buffers of another command since we may have timeout completion before
+even allocating entry index for this command.
+Add entry handling completion to avoid this race.
+
+Fixes: e126ba97dba9 ("mlx5: Add driver for Mellanox Connect-IB adapters")
+Signed-off-by: Moshe Shemesh
+Signed-off-by: Eran Ben Elisha
+Signed-off-by: Saeed Mahameed
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/mellanox/mlx5/core/cmd.c | 15 +++++++++++++++
+ include/linux/mlx5/driver.h | 1 +
+ 2 files changed, 16 insertions(+)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
+@@ -670,6 +670,7 @@ static void cmd_work_handler(struct work
+ int alloc_ret;
+ int cmd_mode;
+
++ complete(&ent->handling);
+ sem = ent->page_queue ? 
&cmd->pages_sem : &cmd->sem;
+ down(sem);
+ if (!ent->page_queue) {
+@@ -769,6 +770,12 @@ static int wait_func(struct mlx5_core_de
+ struct mlx5_cmd *cmd = &dev->cmd;
+ int err;
+
++ if (!wait_for_completion_timeout(&ent->handling, timeout) &&
++ cancel_work_sync(&ent->work)) {
++ ent->ret = -ECANCELED;
++ goto out_err;
++ }
++
+ if (cmd->mode == CMD_MODE_POLLING) {
+ wait_for_completion(&ent->done);
+ } else if (!wait_for_completion_timeout(&ent->done, timeout)) {
+@@ -776,12 +783,17 @@ static int wait_func(struct mlx5_core_de
+ mlx5_cmd_comp_handler(dev, 1UL << ent->idx);
+ }
+
++out_err:
+ err = ent->ret;
+
+ if (err == -ETIMEDOUT) {
+ mlx5_core_warn(dev, "%s(0x%x) timeout. Will cause a leak of a command resource\n",
+ mlx5_command_str(msg_to_opcode(ent->in)),
+ msg_to_opcode(ent->in));
++ } else if (err == -ECANCELED) {
++ mlx5_core_warn(dev, "%s(0x%x) canceled on out of queue timeout.\n",
++ mlx5_command_str(msg_to_opcode(ent->in)),
++ msg_to_opcode(ent->in));
+ }
+ mlx5_core_dbg(dev, "err %d, delivery status %s(%d)\n",
+ err, deliv_status_to_str(ent->status), ent->status);
+@@ -826,6 +838,7 @@ static int mlx5_cmd_invoke(struct mlx5_c
+
+ ent->token = token;
+
++ init_completion(&ent->handling);
+ if (!callback)
+ init_completion(&ent->done);
+
+@@ -841,6 +854,8 @@ static int mlx5_cmd_invoke(struct mlx5_c
+
+ if (callback)
+ goto out;
++ if (err == -ECANCELED)
++ goto out_free;
+
+ err = wait_func(dev, ent);
+ if (err == -ETIMEDOUT)
+--- a/include/linux/mlx5/driver.h
++++ b/include/linux/mlx5/driver.h
+@@ -569,6 +569,7 @@ struct mlx5_cmd_work_ent {
+ struct delayed_work cb_timeout_work;
+ void *context;
+ int idx;
++ struct completion handling;
+ struct completion done;
+ struct mlx5_cmd *cmd;
+ struct work_struct work;
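Review bot: In the last cmd.c hunk the added `if (err == -ECANCELED) goto out_free;` sits before `err = wait_func(dev, ent);`, so it tests whatever err held before the wait, not the -ECANCELED that wait_func now hands back via `ent->ret`; unless err is assigned -ECANCELED somewhere earlier in mlx5_cmd_invoke (outside the hunk), the branch can never fire and a command that was cancelled before it was ever handled continues into the normal post-wait path instead of out_free. The check only has meaning after the wait, next to the existing timeout test: `err = wait_func(dev, ent);` / `if (err == -ETIMEDOUT) goto out;` / `if (err == -ECANCELED) goto out_free;`. A smaller point in the wait_func hunk: when the handling wait expires but `cancel_work_sync()` returns false because the work already started, the code then waits on `ent->done` for a full `timeout` again, so the worst case is two timeouts; a comment saying that is intended would save the next reader the question. mlx5_cmd_invoke and wait_func both begin and end outside their hunks.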
diff --git a/queue-4.4/net-revert-net-get-rid-of-an-signed-integer-overflow-in-ip_idents_reserve.patch b/queue-4.4/net-revert-net-get-rid-of-an-signed-integer-overflow-in-ip_idents_reserve.patch
new file mode 100644
index 00000000000..b1f486b6c68
--- /dev/null
+++ b/queue-4.4/net-revert-net-get-rid-of-an-signed-integer-overflow-in-ip_idents_reserve.patch
@@ -0,0 +1,66 @@
+From foo@baz Thu 28 May 2020 03:29:06 PM CEST
+From: Yuqi Jin
+Date: Sat, 16 May 2020 11:46:49 +0800
+Subject: net: revert "net: get rid of an signed integer overflow in ip_idents_reserve()"
+
+From: Yuqi Jin
+
+[ Upstream commit a6211caa634da39d861a47437ffcda8b38ef421b ]
+
+Commit adb03115f459 ("net: get rid of an signed integer overflow in ip_idents_reserve()")
+used atomic_cmpxchg to replace "atomic_add_return" inside the function
+"ip_idents_reserve". The reason was to avoid UBSAN warning.
+However, this change has caused performance degrade and in GCC-8,
+fno-strict-overflow is now mapped to -fwrapv -fwrapv-pointer
+and signed integer overflow is now undefined by default at all
+optimization levels[1]. Moreover, it was a bug in UBSAN vs -fwrapv
+/-fno-strict-overflow, so Let's revert it safely.
+
+[1] https://gcc.gnu.org/gcc-8/changes.html
+
+Suggested-by: Peter Zijlstra
+Suggested-by: Eric Dumazet
+Cc: "David S. Miller"
+Cc: Alexey Kuznetsov
+Cc: Hideaki YOSHIFUJI
+Cc: Jakub Kicinski
+Cc: Jiri Pirko
+Cc: Arvind Sankar
+Cc: Peter Zijlstra
+Cc: Eric Dumazet
+Cc: Jiong Wang
+Signed-off-by: Yuqi Jin
+Signed-off-by: Shaokun Zhang
+Signed-off-by: David S. 
Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv4/route.c | 14 ++++++--------
+ 1 file changed, 6 insertions(+), 8 deletions(-)
+
+--- a/net/ipv4/route.c
++++ b/net/ipv4/route.c
+@@ -477,18 +477,16 @@ u32 ip_idents_reserve(u32 hash, int segs
+ atomic_t *p_id = ip_idents + hash % IP_IDENTS_SZ;
+ u32 old = ACCESS_ONCE(*p_tstamp);
+ u32 now = (u32)jiffies;
+- u32 new, delta = 0;
++ u32 delta = 0;
+
+ if (old != now && cmpxchg(p_tstamp, old, now) == old)
+ delta = prandom_u32_max(now - old);
+
+- /* Do not use atomic_add_return() as it makes UBSAN unhappy */
+- do {
+- old = (u32)atomic_read(p_id);
+- new = old + delta + segs;
+- } while (atomic_cmpxchg(p_id, old, new) != old);
+-
+- return new - segs;
++ /* If UBSAN reports an error there, please make sure your compiler
++ * supports -fno-strict-overflow before reporting it that was a bug
++ * in UBSAN, and it has been fixed in GCC-8.
++ */
++ return atomic_add_return(segs + delta, p_id) - segs;
+ }
+ EXPORT_SYMBOL(ip_idents_reserve);
+
diff --git a/queue-4.4/sctp-start-shutdown-on-association-restart-if-in-shutdown-sent-state-and-socket-is-closed.patch b/queue-4.4/sctp-start-shutdown-on-association-restart-if-in-shutdown-sent-state-and-socket-is-closed.patch
new file mode 100644
index 00000000000..0e8a163bf3b
--- /dev/null
+++ b/queue-4.4/sctp-start-shutdown-on-association-restart-if-in-shutdown-sent-state-and-socket-is-closed.patch
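Review bot: The new comment above `return atomic_add_return(segs + delta, p_id) - segs;` only recounts the UBSAN history and never states the thing a reader needs: that the counter is meant to wrap, and that `segs + delta` (int plus u32, from the hunk header and the `u32 delta` declaration) is evaluated in unsigned arithmetic before it reaches the atomic. I would reword it to `/* The ident counter is meant to wrap. If UBSAN flags this, check that the compiler supports -fno-strict-overflow: the old report was a UBSAN bug, fixed in GCC 8. */`. The grammar of the current text ("before reporting it that was a bug") also reads as two sentences run together. ip_idents_reserve is fully inside the hunk, but ip_idents, p_tstamp and the callers are not.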
@@ -0,0 +1,69 @@
+From foo@baz Thu 28 May 2020 03:29:06 PM CEST
+From: "Jere Leppänen"
+Date: Wed, 20 May 2020 18:15:31 +0300
+Subject: sctp: Start shutdown on association restart if in SHUTDOWN-SENT state and socket is closed
+
+From: "Jere Leppänen"
+
+[ Upstream commit d3e8e4c11870413789f029a71e72ae6e971fe678 ]
+
+Commit bdf6fa52f01b ("sctp: handle association restarts when the
+socket is closed.") starts shutdown when an association is restarted,
+if in SHUTDOWN-PENDING state and the socket is closed. However, the
+rationale stated in that commit applies also when in SHUTDOWN-SENT
+state - we don't want to move an association to ESTABLISHED state when
+the socket has been closed, because that results in an association
+that is unreachable from user space.
+
+The problem scenario:
+
+1. Client crashes and/or restarts.
+
+2. Server (using one-to-one socket) calls close(). SHUTDOWN is lost.
+
+3. Client reconnects using the same addresses and ports.
+
+4. Server's association is restarted. The association and the socket
+ move to ESTABLISHED state, even though the server process has
+ closed its descriptor.
+
+Also, after step 4 when the server process exits, some resources are
+leaked in an attempt to release the underlying inet sock structure in
+ESTABLISHED state:
+
+ IPv4: Attempt to release TCP socket in state 1 00000000377288c7
+
+Fix by acting the same way as in SHUTDOWN-PENDING state. That is, if
+an association is restarted in SHUTDOWN-SENT state and the socket is
+closed, then start shutdown and don't move the association or the
+socket to ESTABLISHED state.
+
+Fixes: bdf6fa52f01b ("sctp: handle association restarts when the socket is closed.")
+Signed-off-by: Jere Leppänen
+Acked-by: Marcelo Ricardo Leitner
+Signed-off-by: David S. 
Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/sctp/sm_statefuns.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/net/sctp/sm_statefuns.c
++++ b/net/sctp/sm_statefuns.c
+@@ -1793,12 +1793,13 @@ static sctp_disposition_t sctp_sf_do_dup
+ /* Update the content of current association. */
+ sctp_add_cmd_sf(commands, SCTP_CMD_UPDATE_ASSOC, SCTP_ASOC(new_asoc));
+ sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev));
+- if (sctp_state(asoc, SHUTDOWN_PENDING) &&
++ if ((sctp_state(asoc, SHUTDOWN_PENDING) ||
++ sctp_state(asoc, SHUTDOWN_SENT)) &&
+ (sctp_sstate(asoc->base.sk, CLOSING) ||
+ sock_flag(asoc->base.sk, SOCK_DEAD))) {
+- /* if were currently in SHUTDOWN_PENDING, but the socket
+- * has been closed by user, don't transition to ESTABLISHED.
+- * Instead trigger SHUTDOWN bundled with COOKIE_ACK.
++ /* If the socket has been closed by user, don't
++ * transition to ESTABLISHED. Instead trigger SHUTDOWN
++ * bundled with COOKIE_ACK.
+ */
+ sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
+ return sctp_sf_do_9_2_start_shutdown(net, ep, asoc,
diff --git a/queue-4.4/series b/queue-4.4/series
new file mode 100644
index 00000000000..a2a809182ce
--- /dev/null
+++ b/queue-4.4/series
@@ -0,0 +1,4 @@
+ax25-fix-setsockopt-so_bindtodevice.patch
+net-revert-net-get-rid-of-an-signed-integer-overflow-in-ip_idents_reserve.patch
+sctp-start-shutdown-on-association-restart-if-in-shutdown-sent-state-and-socket-is-closed.patch
+net-mlx5-add-command-entry-handling-completion.patch
diff --git a/queue-4.9/series b/queue-4.9/series
new file mode 100644
index 00000000000..01d9f6b28ca
--- /dev/null
+++ b/queue-4.9/series
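Review bot: The rewritten comment inside the widened `if` drops the state names, so a reader must re-derive from the condition that the early-shutdown path now covers restarts in SHUTDOWN-PENDING and SHUTDOWN-SENT; the commit message's entire argument is that the SHUTDOWN-PENDING rationale extends to SHUTDOWN-SENT, and the comment is the place that should record it. I would write `/* Restarted in SHUTDOWN-PENDING or SHUTDOWN-SENT with the socket already closed by the user: don't transition to ESTABLISHED, trigger SHUTDOWN bundled with COOKIE_ACK instead. */`. The enclosing function (its name is truncated to `sctp_sf_do_dup` in the hunk header) starts and ends outside the hunk, so whether its other restart branches need the same socket-closed check cannot be judged here.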
@@ -0,0 +1,8 @@
+ax25-fix-setsockopt-so_bindtodevice.patch
+net-ipip-fix-wrong-address-family-in-init-error-path.patch
+net-revert-net-get-rid-of-an-signed-integer-overflow-in-ip_idents_reserve.patch
+net-sched-fix-reporting-the-first-time-use-timestamp.patch
+sctp-start-shutdown-on-association-restart-if-in-shutdown-sent-state-and-socket-is-closed.patch
+net-mlx5e-update-netdev-txq-on-completions-during-closure.patch
+net-qrtr-fix-passing-invalid-reference-to-qrtr_local_enqueue.patch
+net-mlx5-add-command-entry-handling-completion.patch