From: Greg Kroah-Hartman Date: Mon, 23 Jul 2018 05:32:22 +0000 (+0200) Subject: 4.17-stable patches X-Git-Tag: v4.4.144~14 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=d785d4ff250127ff5daf0bf5c46e4af0b5c3eb6b;p=thirdparty%2Fkernel%2Fstable-queue.git 4.17-stable patches added patches: gen_stats-fix-netlink-stats-dumping-in-the-presence-of-padding.patch hv_netvsc-fix-napi-reschedule-while-receive-completion-is-busy.patch ipv4-return-einval-when-ping_group_range-sysctl-doesn-t-map-to-user-ns.patch ipv6-fix-useless-rol32-call-on-hash.patch ipv6-ila-select-config_dst_cache.patch ipv6-make-dad-fail-with-enhanced-dad-when-nonce-length-differs.patch lib-rhashtable-consider-param-min_size-when-setting-initial-table-size.patch net-aquantia-vlan-unicast-address-list-correct-handling.patch net-diag-don-t-double-free-tcp_new_syn_recv-sockets-in-tcp_abort.patch net-don-t-copy-pfmemalloc-flag-in-__copy_skb_header.patch net-ip6_gre-get-ipv6hdr-after-skb_cow_head.patch net-ipv4-set-oif-in-fib_compute_spec_dst.patch net-ipv6-do-not-allow-device-only-routes-via-the-multipath-api.patch net-mlx4_en-don-t-reuse-rx-page-when-xdp-is-set.patch net-phy-fix-flag-masking-in-__set_phy_supported.patch net-systemport-fix-crc-forwarding-check-for-systemport-lite.patch net-usb-asix-replace-mii_nway_restart-in-resume-path.patch ptp-fix-missing-break-in-switch.patch qmi_wwan-add-support-for-quectel-eg91.patch rhashtable-add-restart-routine-in-rhashtable_free_and_destroy.patch sch_fq_codel-zero-q-flows_cnt-when-fq_codel_init-fails.patch sctp-fix-the-issue-that-pathmtu-may-be-set-lower-than-minsegment.patch sctp-introduce-sctp_dst_mtu.patch skbuff-unconditionally-copy-pfmemalloc-in-__skb_clone.patch tg3-add-higher-cpu-clock-for-5762.patch --- diff --git a/queue-4.17/gen_stats-fix-netlink-stats-dumping-in-the-presence-of-padding.patch b/queue-4.17/gen_stats-fix-netlink-stats-dumping-in-the-presence-of-padding.patch new file mode 100644 index 00000000000..45669850637 --- /dev/null +++ b/queue-4.17/gen_stats-fix-netlink-stats-dumping-in-the-presence-of-padding.patch @@ -0,0 +1,60 @@ +From foo@baz Mon Jul 23 07:30:59 CEST 2018 +From: "Toke Høiland-Jørgensen" +Date: Mon, 2 Jul 2018 22:52:20 +0200 +Subject: gen_stats: Fix netlink stats dumping in the presence of padding + +From: "Toke Høiland-Jørgensen" + +[ Upstream commit d5a672ac9f48f81b20b1cad1d9ed7bbf4e418d4c ] + +The gen_stats facility will add a header for the toplevel nlattr of type +TCA_STATS2 that contains all stats added by qdisc callbacks. A reference +to this header is stored in the gnet_dump struct, and when all the +per-qdisc callbacks have finished adding their stats, the length of the +containing header will be adjusted to the right value. + +However, on architectures that need padding (i.e., that don't set +CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS), the padding nlattr is added +before the stats, which means that the stored pointer will point to the +padding, and so when the header is fixed up, the result is just a very +big padding nlattr. Because most qdiscs also supply the legacy TCA_STATS +struct, this problem has been mostly invisible, but we exposed it with +the netlink attribute-based statistics in CAKE. + +Fix the issue by fixing up the stored pointer if it points to a padding +nlattr. + +Tested-by: Pete Heist +Tested-by: Kevin Darbyshire-Bryant +Signed-off-by: Toke Høiland-Jørgensen +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/core/gen_stats.c | 16 ++++++++++++++-- + 1 file changed, 14 insertions(+), 2 deletions(-) + +--- a/net/core/gen_stats.c ++++ b/net/core/gen_stats.c +@@ -77,8 +77,20 @@ gnet_stats_start_copy_compat(struct sk_b + d->lock = lock; + spin_lock_bh(lock); + } +- if (d->tail) +- return gnet_stats_copy(d, type, NULL, 0, padattr); ++ if (d->tail) { ++ int ret = gnet_stats_copy(d, type, NULL, 0, padattr); ++ ++ /* The initial attribute added in gnet_stats_copy() may be ++ * preceded by a padding attribute, in which case d->tail will ++ * end up pointing at the padding instead of the real attribute. ++ * Fix this so gnet_stats_finish_copy() adjusts the length of ++ * the right attribute. ++ */ ++ if (ret == 0 && d->tail->nla_type == padattr) ++ d->tail = (struct nlattr *)((char *)d->tail + ++ NLA_ALIGN(d->tail->nla_len)); ++ return ret; ++ } + + return 0; + } diff --git a/queue-4.17/hv_netvsc-fix-napi-reschedule-while-receive-completion-is-busy.patch b/queue-4.17/hv_netvsc-fix-napi-reschedule-while-receive-completion-is-busy.patch new file mode 100644 index 00000000000..a65c03e2460 --- /dev/null +++ b/queue-4.17/hv_netvsc-fix-napi-reschedule-while-receive-completion-is-busy.patch @@ -0,0 +1,59 @@ +From foo@baz Mon Jul 23 07:30:59 CEST 2018 +From: Haiyang Zhang +Date: Tue, 17 Jul 2018 17:11:13 +0000 +Subject: hv_netvsc: Fix napi reschedule while receive completion is busy + +From: Haiyang Zhang + +[ Upstream commit 6b81b193b83e87da1ea13217d684b54fccf8ee8a ] + +If out ring is full temporarily and receive completion cannot go out, +we may still need to reschedule napi if certain conditions are met. +Otherwise the napi poll might be stopped forever, and cause network +disconnect. + +Fixes: 7426b1a51803 ("netvsc: optimize receive completions") +Signed-off-by: Stephen Hemminger +Signed-off-by: Haiyang Zhang +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/hyperv/netvsc.c | 17 ++++++++++------- + 1 file changed, 10 insertions(+), 7 deletions(-) + +--- a/drivers/net/hyperv/netvsc.c ++++ b/drivers/net/hyperv/netvsc.c +@@ -1291,6 +1291,7 @@ int netvsc_poll(struct napi_struct *napi + struct hv_device *device = netvsc_channel_to_device(channel); + struct net_device *ndev = hv_get_drvdata(device); + int work_done = 0; ++ int ret; + + /* If starting a new interval */ + if (!nvchan->desc) +@@ -1302,16 +1303,18 @@ int netvsc_poll(struct napi_struct *napi + nvchan->desc = hv_pkt_iter_next(channel, nvchan->desc); + } + +- /* If send of pending receive completions suceeded +- * and did not exhaust NAPI budget this time +- * and not doing busy poll ++ /* Send any pending receive completions */ ++ ret = send_recv_completions(ndev, net_device, nvchan); ++ ++ /* If it did not exhaust NAPI budget this time ++ * and not doing busy poll + * then re-enable host interrupts +- * and reschedule if ring is not empty. ++ * and reschedule if ring is not empty ++ * or sending receive completion failed. + */ +- if (send_recv_completions(ndev, net_device, nvchan) == 0 && +- work_done < budget && ++ if (work_done < budget && + napi_complete_done(napi, work_done) && +- hv_end_read(&channel->inbound) && ++ (ret || hv_end_read(&channel->inbound)) && + napi_schedule_prep(napi)) { + hv_begin_read(&channel->inbound); + __napi_schedule(napi); diff --git a/queue-4.17/ipv4-return-einval-when-ping_group_range-sysctl-doesn-t-map-to-user-ns.patch b/queue-4.17/ipv4-return-einval-when-ping_group_range-sysctl-doesn-t-map-to-user-ns.patch new file mode 100644 index 00000000000..3da504649e5 --- /dev/null +++ b/queue-4.17/ipv4-return-einval-when-ping_group_range-sysctl-doesn-t-map-to-user-ns.patch @@ -0,0 +1,43 @@ +From foo@baz Mon Jul 23 07:30:59 CEST 2018 +From: Tyler Hicks +Date: Thu, 5 Jul 2018 18:49:23 +0000 +Subject: ipv4: Return EINVAL when ping_group_range sysctl doesn't map to user ns + +From: Tyler Hicks + +[ Upstream commit 70ba5b6db96ff7324b8cfc87e0d0383cf59c9677 ] + +The low and high values of the net.ipv4.ping_group_range sysctl were +being silently forced to the default disabled state when a write to the +sysctl contained GIDs that didn't map to the associated user namespace. +Confusingly, the sysctl's write operation would return success and then +a subsequent read of the sysctl would indicate that the low and high +values are the overflowgid. + +This patch changes the behavior by clearly returning an error when the +sysctl write operation receives a GID range that doesn't map to the +associated user namespace. In such a situation, the previous value of +the sysctl is preserved and that range will be returned in a subsequent +read of the sysctl. + +Signed-off-by: Tyler Hicks +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/sysctl_net_ipv4.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/net/ipv4/sysctl_net_ipv4.c ++++ b/net/ipv4/sysctl_net_ipv4.c +@@ -187,8 +187,9 @@ static int ipv4_ping_group_range(struct + if (write && ret == 0) { + low = make_kgid(user_ns, urange[0]); + high = make_kgid(user_ns, urange[1]); +- if (!gid_valid(low) || !gid_valid(high) || +- (urange[1] < urange[0]) || gid_lt(high, low)) { ++ if (!gid_valid(low) || !gid_valid(high)) ++ return -EINVAL; ++ if (urange[1] < urange[0] || gid_lt(high, low)) { + low = make_kgid(&init_user_ns, 1); + high = make_kgid(&init_user_ns, 0); + } diff --git a/queue-4.17/ipv6-fix-useless-rol32-call-on-hash.patch b/queue-4.17/ipv6-fix-useless-rol32-call-on-hash.patch new file mode 100644 index 00000000000..02d81dfc4a2 --- /dev/null +++ b/queue-4.17/ipv6-fix-useless-rol32-call-on-hash.patch @@ -0,0 +1,33 @@ +From foo@baz Mon Jul 23 07:30:59 CEST 2018 +From: Colin Ian King +Date: Tue, 17 Jul 2018 17:12:39 +0100 +Subject: ipv6: fix useless rol32 call on hash + +From: Colin Ian King + +[ Upstream commit 169dc027fb02492ea37a0575db6a658cf922b854 ] + +The rol32 call is currently rotating hash but the rol'd value is +being discarded. I believe the current code is incorrect and hash +should be assigned the rotated value returned from rol32. + +Thanks to David Lebrun for spotting this. + +Signed-off-by: Colin Ian King +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/net/ipv6.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/include/net/ipv6.h ++++ b/include/net/ipv6.h +@@ -829,7 +829,7 @@ static inline __be32 ip6_make_flowlabel( + * to minimize possbility that any useful information to an + * attacker is leaked. Only lower 20 bits are relevant. + */ +- rol32(hash, 16); ++ hash = rol32(hash, 16); + + flowlabel = (__force __be32)hash & IPV6_FLOWLABEL_MASK; + diff --git a/queue-4.17/ipv6-ila-select-config_dst_cache.patch b/queue-4.17/ipv6-ila-select-config_dst_cache.patch new file mode 100644 index 00000000000..de863f023b6 --- /dev/null +++ b/queue-4.17/ipv6-ila-select-config_dst_cache.patch @@ -0,0 +1,42 @@ +From foo@baz Mon Jul 23 07:30:59 CEST 2018 +From: Arnd Bergmann +Date: Wed, 18 Jul 2018 10:48:56 +0200 +Subject: ipv6: ila: select CONFIG_DST_CACHE + +From: Arnd Bergmann + +[ Upstream commit 83ed7d1fe2d2d4a11b30660dec20168bb473d9c1 ] + +My randconfig builds came across an old missing dependency for ILA: + +ERROR: "dst_cache_set_ip6" [net/ipv6/ila/ila.ko] undefined! +ERROR: "dst_cache_get" [net/ipv6/ila/ila.ko] undefined! +ERROR: "dst_cache_init" [net/ipv6/ila/ila.ko] undefined! +ERROR: "dst_cache_destroy" [net/ipv6/ila/ila.ko] undefined! + +We almost never run into this by accident because randconfig builds +end up selecting DST_CACHE from some other tunnel protocol, and this +one appears to be the only one missing the explicit 'select'. + +>From all I can tell, this problem first appeared in linux-4.9 +when dst_cache support got added to ILA. + +Fixes: 79ff2fc31e0f ("ila: Cache a route to translated address") +Cc: Tom Herbert +Signed-off-by: Arnd Bergmann +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/ipv6/Kconfig ++++ b/net/ipv6/Kconfig +@@ -108,6 +108,7 @@ config IPV6_MIP6 + config IPV6_ILA + tristate "IPv6: Identifier Locator Addressing (ILA)" + depends on NETFILTER ++ select DST_CACHE + select LWTUNNEL + ---help--- + Support for IPv6 Identifier Locator Addressing (ILA). diff --git a/queue-4.17/ipv6-make-dad-fail-with-enhanced-dad-when-nonce-length-differs.patch b/queue-4.17/ipv6-make-dad-fail-with-enhanced-dad-when-nonce-length-differs.patch new file mode 100644 index 00000000000..abb720c1ca0 --- /dev/null +++ b/queue-4.17/ipv6-make-dad-fail-with-enhanced-dad-when-nonce-length-differs.patch @@ -0,0 +1,59 @@ +From foo@baz Mon Jul 23 07:30:59 CEST 2018 +From: Sabrina Dubroca +Date: Fri, 13 Jul 2018 17:21:42 +0200 +Subject: ipv6: make DAD fail with enhanced DAD when nonce length differs + +From: Sabrina Dubroca + +[ Upstream commit e66515999b627368892ccc9b3a13a506f2ea1357 ] + +Commit adc176c54722 ("ipv6 addrconf: Implemented enhanced DAD (RFC7527)") +added enhanced DAD with a nonce length of 6 bytes. However, RFC7527 +doesn't specify the length of the nonce, other than being 6 + 8*k bytes, +with integer k >= 0 (RFC3971 5.3.2). The current implementation simply +assumes that the nonce will always be 6 bytes, but others systems are +free to choose different sizes. + +If another system sends a nonce of different length but with the same 6 +bytes prefix, it shouldn't be considered as the same nonce. Thus, check +that the length of the received nonce is the same as the length we sent. + +Ugly scapy test script running on veth0: + +def loop(): + pkt=sniff(iface="veth0", filter="icmp6", count=1) + pkt = pkt[0] + b = bytearray(pkt[Raw].load) + b[1] += 1 + b += b'\xde\xad\xbe\xef\xde\xad\xbe\xef' + pkt[Raw].load = bytes(b) + pkt[IPv6].plen += 8 + # fixup checksum after modifying the payload + pkt[IPv6].payload.cksum -= 0x3b44 + if pkt[IPv6].payload.cksum < 0: + pkt[IPv6].payload.cksum += 0xffff + sendp(pkt, iface="veth0") + +This should result in DAD failure for any address added to veth0's peer, +but is currently ignored. + +Fixes: adc176c54722 ("ipv6 addrconf: Implemented enhanced DAD (RFC7527)") +Signed-off-by: Sabrina Dubroca +Reviewed-by: Stefano Brivio +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/ndisc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/ipv6/ndisc.c ++++ b/net/ipv6/ndisc.c +@@ -811,7 +811,7 @@ static void ndisc_recv_ns(struct sk_buff + return; + } + } +- if (ndopts.nd_opts_nonce) ++ if (ndopts.nd_opts_nonce && ndopts.nd_opts_nonce->nd_opt_len == 1) + memcpy(&nonce, (u8 *)(ndopts.nd_opts_nonce + 1), 6); + + inc = ipv6_addr_is_multicast(daddr); diff --git a/queue-4.17/lib-rhashtable-consider-param-min_size-when-setting-initial-table-size.patch b/queue-4.17/lib-rhashtable-consider-param-min_size-when-setting-initial-table-size.patch new file mode 100644 index 00000000000..f7807aedf0d --- /dev/null +++ b/queue-4.17/lib-rhashtable-consider-param-min_size-when-setting-initial-table-size.patch @@ -0,0 +1,64 @@ +From foo@baz Mon Jul 23 07:30:59 CEST 2018 +From: Davidlohr Bueso +Date: Mon, 16 Jul 2018 13:26:13 -0700 +Subject: lib/rhashtable: consider param->min_size when setting initial table size + +From: Davidlohr Bueso + +[ Upstream commit 107d01f5ba10f4162c38109496607eb197059064 ] + +rhashtable_init() currently does not take into account the user-passed +min_size parameter unless param->nelem_hint is set as well. As such, +the default size (number of buckets) will always be HASH_DEFAULT_SIZE +even if the smallest allowed size is larger than that. Remediate this +by unconditionally calling into rounded_hashtable_size() and handling +things accordingly. + +Signed-off-by: Davidlohr Bueso +Acked-by: Herbert Xu +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + lib/rhashtable.c | 17 +++++++++++------ + 1 file changed, 11 insertions(+), 6 deletions(-) + +--- a/lib/rhashtable.c ++++ b/lib/rhashtable.c +@@ -923,8 +923,16 @@ EXPORT_SYMBOL_GPL(rhashtable_walk_stop); + + static size_t rounded_hashtable_size(const struct rhashtable_params *params) + { +- return max(roundup_pow_of_two(params->nelem_hint * 4 / 3), +- (unsigned long)params->min_size); ++ size_t retsize; ++ ++ if (params->nelem_hint) ++ retsize = max(roundup_pow_of_two(params->nelem_hint * 4 / 3), ++ (unsigned long)params->min_size); ++ else ++ retsize = max(HASH_DEFAULT_SIZE, ++ (unsigned long)params->min_size); ++ ++ return retsize; + } + + static u32 rhashtable_jhash2(const void *key, u32 length, u32 seed) +@@ -981,8 +989,6 @@ int rhashtable_init(struct rhashtable *h + struct bucket_table *tbl; + size_t size; + +- size = HASH_DEFAULT_SIZE; +- + if ((!params->key_len && !params->obj_hashfn) || + (params->obj_hashfn && !params->obj_cmpfn)) + return -EINVAL; +@@ -1009,8 +1015,7 @@ int rhashtable_init(struct rhashtable *h + + ht->p.min_size = max_t(u16, ht->p.min_size, HASH_MIN_SIZE); + +- if (params->nelem_hint) +- size = rounded_hashtable_size(&ht->p); ++ size = rounded_hashtable_size(&ht->p); + + if (params->locks_mul) + ht->p.locks_mul = roundup_pow_of_two(params->locks_mul); diff --git a/queue-4.17/net-aquantia-vlan-unicast-address-list-correct-handling.patch b/queue-4.17/net-aquantia-vlan-unicast-address-list-correct-handling.patch new file mode 100644 index 00000000000..6eeecb55265 --- /dev/null +++ b/queue-4.17/net-aquantia-vlan-unicast-address-list-correct-handling.patch @@ -0,0 +1,194 @@ +From foo@baz Mon Jul 23 07:30:59 CEST 2018 +From: Igor Russkikh +Date: Thu, 5 Jul 2018 17:01:09 +0300 +Subject: net: aquantia: vlan unicast address list correct handling + +From: Igor Russkikh + +[ Upstream commit 94b3b542303f3055c326df74ef144a8a790d7d7f ] + +Setting up macvlan/macvtap networks over atlantic NIC results +in no traffic over these networks because ndo_set_rx_mode did +not listed UC MACs as registered in unicast filter. + +Here we fix that taking into account maximum number of UC +filters supported by hardware. If more than MAX addresses were +registered, we just enable promisc and/or allmulti to pass +the traffic in. + +We also remove MULTICAST_ADDRESS_MAX constant from aq_cfg since +thats not a configurable parameter at all. + +Fixes: b21f502 ("net:ethernet:aquantia: Fix for multicast filter handling.") +Signed-off-by: Igor Russkikh +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/aquantia/atlantic/aq_cfg.h | 2 + drivers/net/ethernet/aquantia/atlantic/aq_hw.h | 4 - + drivers/net/ethernet/aquantia/atlantic/aq_main.c | 11 --- + drivers/net/ethernet/aquantia/atlantic/aq_nic.c | 47 ++++++++------ + drivers/net/ethernet/aquantia/atlantic/aq_nic.h | 2 + drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_a0.c | 2 + drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_b0.c | 4 - + 7 files changed, 36 insertions(+), 36 deletions(-) + +--- a/drivers/net/ethernet/aquantia/atlantic/aq_cfg.h ++++ b/drivers/net/ethernet/aquantia/atlantic/aq_cfg.h +@@ -63,8 +63,6 @@ + + #define AQ_CFG_NAPI_WEIGHT 64U + +-#define AQ_CFG_MULTICAST_ADDRESS_MAX 32U +- + /*#define AQ_CFG_MAC_ADDR_PERMANENT {0x30, 0x0E, 0xE3, 0x12, 0x34, 0x56}*/ + + #define AQ_NIC_FC_OFF 0U +--- a/drivers/net/ethernet/aquantia/atlantic/aq_hw.h ++++ b/drivers/net/ethernet/aquantia/atlantic/aq_hw.h +@@ -98,6 +98,8 @@ struct aq_stats_s { + #define AQ_HW_MEDIA_TYPE_TP 1U + #define AQ_HW_MEDIA_TYPE_FIBRE 2U + ++#define AQ_HW_MULTICAST_ADDRESS_MAX 32U ++ + struct aq_hw_s { + atomic_t flags; + u8 rbl_enabled:1; +@@ -177,7 +179,7 @@ struct aq_hw_ops { + unsigned int packet_filter); + + int (*hw_multicast_list_set)(struct aq_hw_s *self, +- u8 ar_mac[AQ_CFG_MULTICAST_ADDRESS_MAX] ++ u8 ar_mac[AQ_HW_MULTICAST_ADDRESS_MAX] + [ETH_ALEN], + u32 count); + +--- a/drivers/net/ethernet/aquantia/atlantic/aq_main.c ++++ b/drivers/net/ethernet/aquantia/atlantic/aq_main.c +@@ -135,17 +135,10 @@ err_exit: + static void aq_ndev_set_multicast_settings(struct net_device *ndev) + { + struct aq_nic_s *aq_nic = netdev_priv(ndev); +- int err = 0; + +- err = aq_nic_set_packet_filter(aq_nic, ndev->flags); +- if (err < 0) +- return; ++ aq_nic_set_packet_filter(aq_nic, ndev->flags); + +- if (netdev_mc_count(ndev)) { +- err = aq_nic_set_multicast_list(aq_nic, ndev); +- if (err < 0) +- return; +- } ++ aq_nic_set_multicast_list(aq_nic, ndev); + } + + static const struct net_device_ops aq_ndev_ops = { +--- a/drivers/net/ethernet/aquantia/atlantic/aq_nic.c ++++ b/drivers/net/ethernet/aquantia/atlantic/aq_nic.c +@@ -563,34 +563,41 @@ err_exit: + + int aq_nic_set_multicast_list(struct aq_nic_s *self, struct net_device *ndev) + { ++ unsigned int packet_filter = self->packet_filter; + struct netdev_hw_addr *ha = NULL; + unsigned int i = 0U; + +- self->mc_list.count = 0U; +- +- netdev_for_each_mc_addr(ha, ndev) { +- ether_addr_copy(self->mc_list.ar[i++], ha->addr); +- ++self->mc_list.count; ++ self->mc_list.count = 0; ++ if (netdev_uc_count(ndev) > AQ_HW_MULTICAST_ADDRESS_MAX) { ++ packet_filter |= IFF_PROMISC; ++ } else { ++ netdev_for_each_uc_addr(ha, ndev) { ++ ether_addr_copy(self->mc_list.ar[i++], ha->addr); + +- if (i >= AQ_CFG_MULTICAST_ADDRESS_MAX) +- break; ++ if (i >= AQ_HW_MULTICAST_ADDRESS_MAX) ++ break; ++ } + } + +- if (i >= AQ_CFG_MULTICAST_ADDRESS_MAX) { +- /* Number of filters is too big: atlantic does not support this. +- * Force all multi filter to support this. +- * With this we disable all UC filters and setup "all pass" +- * multicast mask +- */ +- self->packet_filter |= IFF_ALLMULTI; +- self->aq_nic_cfg.mc_list_count = 0; +- return self->aq_hw_ops->hw_packet_filter_set(self->aq_hw, +- self->packet_filter); ++ if (i + netdev_mc_count(ndev) > AQ_HW_MULTICAST_ADDRESS_MAX) { ++ packet_filter |= IFF_ALLMULTI; + } else { +- return self->aq_hw_ops->hw_multicast_list_set(self->aq_hw, +- self->mc_list.ar, +- self->mc_list.count); ++ netdev_for_each_mc_addr(ha, ndev) { ++ ether_addr_copy(self->mc_list.ar[i++], ha->addr); ++ ++ if (i >= AQ_HW_MULTICAST_ADDRESS_MAX) ++ break; ++ } ++ } ++ ++ if (i > 0 && i < AQ_HW_MULTICAST_ADDRESS_MAX) { ++ packet_filter |= IFF_MULTICAST; ++ self->mc_list.count = i; ++ self->aq_hw_ops->hw_multicast_list_set(self->aq_hw, ++ self->mc_list.ar, ++ self->mc_list.count); + } ++ return aq_nic_set_packet_filter(self, packet_filter); + } + + int aq_nic_set_mtu(struct aq_nic_s *self, int new_mtu) +--- a/drivers/net/ethernet/aquantia/atlantic/aq_nic.h ++++ b/drivers/net/ethernet/aquantia/atlantic/aq_nic.h +@@ -75,7 +75,7 @@ struct aq_nic_s { + struct aq_hw_link_status_s link_status; + struct { + u32 count; +- u8 ar[AQ_CFG_MULTICAST_ADDRESS_MAX][ETH_ALEN]; ++ u8 ar[AQ_HW_MULTICAST_ADDRESS_MAX][ETH_ALEN]; + } mc_list; + + struct pci_dev *pdev; +--- a/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_a0.c ++++ b/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_a0.c +@@ -765,7 +765,7 @@ static int hw_atl_a0_hw_packet_filter_se + + static int hw_atl_a0_hw_multicast_list_set(struct aq_hw_s *self, + u8 ar_mac +- [AQ_CFG_MULTICAST_ADDRESS_MAX] ++ [AQ_HW_MULTICAST_ADDRESS_MAX] + [ETH_ALEN], + u32 count) + { +--- a/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_b0.c ++++ b/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_b0.c +@@ -784,7 +784,7 @@ static int hw_atl_b0_hw_packet_filter_se + + static int hw_atl_b0_hw_multicast_list_set(struct aq_hw_s *self, + u8 ar_mac +- [AQ_CFG_MULTICAST_ADDRESS_MAX] ++ [AQ_HW_MULTICAST_ADDRESS_MAX] + [ETH_ALEN], + u32 count) + { +@@ -812,7 +812,7 @@ static int hw_atl_b0_hw_multicast_list_s + + hw_atl_rpfl2_uc_flr_en_set(self, + (self->aq_nic_cfg->is_mc_list_enabled), +- HW_ATL_B0_MAC_MIN + i); ++ HW_ATL_B0_MAC_MIN + i); + } + + err = aq_hw_err_from_flags(self); diff --git a/queue-4.17/net-diag-don-t-double-free-tcp_new_syn_recv-sockets-in-tcp_abort.patch b/queue-4.17/net-diag-don-t-double-free-tcp_new_syn_recv-sockets-in-tcp_abort.patch new file mode 100644 index 00000000000..441f89fc372 --- /dev/null +++ b/queue-4.17/net-diag-don-t-double-free-tcp_new_syn_recv-sockets-in-tcp_abort.patch @@ -0,0 +1,42 @@ +From foo@baz Mon Jul 23 07:30:59 CEST 2018 +From: Lorenzo Colitti +Date: Sat, 7 Jul 2018 16:31:40 +0900 +Subject: net: diag: Don't double-free TCP_NEW_SYN_RECV sockets in tcp_abort + +From: Lorenzo Colitti + +[ Upstream commit acc2cf4e37174646a24cba42fa53c668b2338d4e ] + +When tcp_diag_destroy closes a TCP_NEW_SYN_RECV socket, it first +frees it by calling inet_csk_reqsk_queue_drop_and_and_put in +tcp_abort, and then frees it again by calling sock_gen_put. + +Since tcp_abort only has one caller, and all the other codepaths +in tcp_abort don't free the socket, just remove the free in that +function. + +Cc: David Ahern +Tested: passes Android sock_diag_test.py, which exercises this codepath +Fixes: d7226c7a4dd1 ("net: diag: Fix refcnt leak in error path destroying socket") +Signed-off-by: Lorenzo Colitti +Signed-off-by: Eric Dumazet +Reviewed-by: David Ahern +Tested-by: David Ahern +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/tcp.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -3524,8 +3524,7 @@ int tcp_abort(struct sock *sk, int err) + struct request_sock *req = inet_reqsk(sk); + + local_bh_disable(); +- inet_csk_reqsk_queue_drop_and_put(req->rsk_listener, +- req); ++ inet_csk_reqsk_queue_drop(req->rsk_listener, req); + local_bh_enable(); + return 0; + } diff --git a/queue-4.17/net-don-t-copy-pfmemalloc-flag-in-__copy_skb_header.patch b/queue-4.17/net-don-t-copy-pfmemalloc-flag-in-__copy_skb_header.patch new file mode 100644 index 00000000000..c2773d73707 --- /dev/null +++ b/queue-4.17/net-don-t-copy-pfmemalloc-flag-in-__copy_skb_header.patch @@ -0,0 +1,116 @@ +From foo@baz Mon Jul 23 07:30:59 CEST 2018 +From: Stefano Brivio +Date: Wed, 11 Jul 2018 14:39:42 +0200 +Subject: net: Don't copy pfmemalloc flag in __copy_skb_header() + +From: Stefano Brivio + +[ Upstream commit 8b7008620b8452728cadead460a36f64ed78c460 ] + +The pfmemalloc flag indicates that the skb was allocated from +the PFMEMALLOC reserves, and the flag is currently copied on skb +copy and clone. + +However, an skb copied from an skb flagged with pfmemalloc +wasn't necessarily allocated from PFMEMALLOC reserves, and on +the other hand an skb allocated that way might be copied from an +skb that wasn't. + +So we should not copy the flag on skb copy, and rather decide +whether to allow an skb to be associated with sockets unrelated +to page reclaim depending only on how it was allocated. + +Move the pfmemalloc flag before headers_start[0] using an +existing 1-bit hole, so that __copy_skb_header() doesn't copy +it. + +When cloning, we'll now take care of this flag explicitly, +contravening to the warning comment of __skb_clone(). + +While at it, restore the newline usage introduced by commit +b19372273164 ("net: reorganize sk_buff for faster +__copy_skb_header()") to visually separate bytes used in +bitfields after headers_start[0], that was gone after commit +a9e419dc7be6 ("netfilter: merge ctinfo into nfct pointer storage +area"), and describe the pfmemalloc flag in the kernel-doc +structure comment. + +This doesn't change the size of sk_buff or cacheline boundaries, +but consolidates the 15 bits hole before tc_index into a 2 bytes +hole before csum, that could now be filled more easily. + +Reported-by: Patrick Talbert +Fixes: c93bdd0e03e8 ("netvm: allow skb allocation to use PFMEMALLOC reserves") +Signed-off-by: Stefano Brivio +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/skbuff.h | 10 +++++----- + net/core/skbuff.c | 2 ++ + 2 files changed, 7 insertions(+), 5 deletions(-) + +--- a/include/linux/skbuff.h ++++ b/include/linux/skbuff.h +@@ -628,6 +628,7 @@ typedef unsigned char *sk_buff_data_t; + * @hash: the packet hash + * @queue_mapping: Queue mapping for multiqueue devices + * @xmit_more: More SKBs are pending for this queue ++ * @pfmemalloc: skbuff was allocated from PFMEMALLOC reserves + * @ndisc_nodetype: router type (from link layer) + * @ooo_okay: allow the mapping of a socket to a queue to be changed + * @l4_hash: indicate hash is a canonical 4-tuple hash over transport +@@ -733,7 +734,7 @@ struct sk_buff { + peeked:1, + head_frag:1, + xmit_more:1, +- __unused:1; /* one bit hole */ ++ pfmemalloc:1; + + /* fields enclosed in headers_start/headers_end are copied + * using a single memcpy() in __copy_skb_header() +@@ -752,31 +753,30 @@ struct sk_buff { + + __u8 __pkt_type_offset[0]; + __u8 pkt_type:3; +- __u8 pfmemalloc:1; + __u8 ignore_df:1; +- + __u8 nf_trace:1; + __u8 ip_summed:2; + __u8 ooo_okay:1; ++ + __u8 l4_hash:1; + __u8 sw_hash:1; + __u8 wifi_acked_valid:1; + __u8 wifi_acked:1; +- + __u8 no_fcs:1; + /* Indicates the inner headers are valid in the skbuff. */ + __u8 encapsulation:1; + __u8 encap_hdr_csum:1; + __u8 csum_valid:1; ++ + __u8 csum_complete_sw:1; + __u8 csum_level:2; + __u8 csum_not_inet:1; +- + __u8 dst_pending_confirm:1; + #ifdef CONFIG_IPV6_NDISC_NODETYPE + __u8 ndisc_nodetype:2; + #endif + __u8 ipvs_property:1; ++ + __u8 inner_protocol_type:1; + __u8 remcsum_offload:1; + #ifdef CONFIG_NET_SWITCHDEV +--- a/net/core/skbuff.c ++++ b/net/core/skbuff.c +@@ -858,6 +858,8 @@ static struct sk_buff *__skb_clone(struc + n->cloned = 1; + n->nohdr = 0; + n->peeked = 0; ++ if (skb->pfmemalloc) ++ n->pfmemalloc = 1; + n->destructor = NULL; + C(tail); + C(end); diff --git a/queue-4.17/net-ip6_gre-get-ipv6hdr-after-skb_cow_head.patch b/queue-4.17/net-ip6_gre-get-ipv6hdr-after-skb_cow_head.patch new file mode 100644 index 00000000000..f256fe59b15 --- /dev/null +++ b/queue-4.17/net-ip6_gre-get-ipv6hdr-after-skb_cow_head.patch @@ -0,0 +1,54 @@ +From foo@baz Mon Jul 23 07:30:59 CEST 2018 +From: Prashant Bhole +Date: Fri, 13 Jul 2018 14:40:50 +0900 +Subject: net: ip6_gre: get ipv6hdr after skb_cow_head() + +From: Prashant Bhole + +[ Upstream commit b7ed879425be371905d856410d19e9a42a62bcf3 ] + +A KASAN:use-after-free bug was found related to ip6-erspan +while running selftests/net/ip6_gre_headroom.sh + +It happens because of following sequence: +- ipv6hdr pointer is obtained from skb +- skb_cow_head() is called, skb->head memory is reallocated +- old data is accessed using ipv6hdr pointer + +skb_cow_head() call was added in e41c7c68ea77 ("ip6erspan: make sure +enough headroom at xmit."), but looking at the history there was a +chance of similar bug because gre_handle_offloads() and pskb_trim() +can also reallocate skb->head memory. Fixes tag points to commit +which introduced possibility of this bug. + +This patch moves ipv6hdr pointer assignment after skb_cow_head() call. + +Fixes: 5a963eb61b7c ("ip6_gre: Add ERSPAN native tunnel support") +Signed-off-by: Prashant Bhole +Reviewed-by: Greg Rose +Acked-by: William Tu +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/ip6_gre.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/ipv6/ip6_gre.c ++++ b/net/ipv6/ip6_gre.c +@@ -927,7 +927,6 @@ tx_err: + static netdev_tx_t ip6erspan_tunnel_xmit(struct sk_buff *skb, + struct net_device *dev) + { +- struct ipv6hdr *ipv6h = ipv6_hdr(skb); + struct ip6_tnl *t = netdev_priv(dev); + struct dst_entry *dst = skb_dst(skb); + struct net_device_stats *stats; +@@ -998,6 +997,8 @@ static netdev_tx_t ip6erspan_tunnel_xmit + goto tx_err; + } + } else { ++ struct ipv6hdr *ipv6h = ipv6_hdr(skb); ++ + switch (skb->protocol) { + case htons(ETH_P_IP): + memset(&(IPCB(skb)->opt), 0, sizeof(IPCB(skb)->opt)); diff --git a/queue-4.17/net-ipv4-set-oif-in-fib_compute_spec_dst.patch b/queue-4.17/net-ipv4-set-oif-in-fib_compute_spec_dst.patch new file mode 100644 index 00000000000..ebbef522da3 --- /dev/null +++ b/queue-4.17/net-ipv4-set-oif-in-fib_compute_spec_dst.patch @@ -0,0 +1,35 @@ +From foo@baz Mon Jul 23 07:30:59 CEST 2018 +From: David Ahern +Date: Sat, 7 Jul 2018 16:15:26 -0700 +Subject: net/ipv4: Set oif in fib_compute_spec_dst + +From: David Ahern + +[ Upstream commit e7372197e15856ec4ee66b668020a662994db103 ] + +Xin reported that icmp replies may not use the address on the device the +echo request is received if the destination address is broadcast. Instead +a route lookup is done without considering VRF context. Fix by setting +oif in flow struct to the master device if it is enslaved. That directs +the lookup to the VRF table. If the device is not enslaved, oif is still +0 so no affect. + +Fixes: cd2fbe1b6b51 ("net: Use VRF device index for lookups on RX") +Reported-by: Xin Long +Signed-off-by: David Ahern +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/fib_frontend.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/ipv4/fib_frontend.c ++++ b/net/ipv4/fib_frontend.c +@@ -300,6 +300,7 @@ __be32 fib_compute_spec_dst(struct sk_bu + if (!ipv4_is_zeronet(ip_hdr(skb)->saddr)) { + struct flowi4 fl4 = { + .flowi4_iif = LOOPBACK_IFINDEX, ++ .flowi4_oif = l3mdev_master_ifindex_rcu(dev), + .daddr = ip_hdr(skb)->saddr, + .flowi4_tos = RT_TOS(ip_hdr(skb)->tos), + .flowi4_scope = scope, diff --git a/queue-4.17/net-ipv6-do-not-allow-device-only-routes-via-the-multipath-api.patch b/queue-4.17/net-ipv6-do-not-allow-device-only-routes-via-the-multipath-api.patch new file mode 100644 index 00000000000..9dab21e752a --- /dev/null +++ b/queue-4.17/net-ipv6-do-not-allow-device-only-routes-via-the-multipath-api.patch @@ -0,0 +1,73 @@ +From foo@baz Mon Jul 23 07:30:59 CEST 2018 +From: David Ahern +Date: Sun, 15 Jul 2018 09:35:19 -0700 +Subject: net/ipv6: Do not allow device only routes via the multipath API + +From: David Ahern + +[ Upstream commit b5d2d75e079a918be686957b1a8d2f6c5cc95a0a ] + +Eric reported that reverting the patch that fixed and simplified IPv6 +multipath routes means reverting back to invalid userspace notifications. +eg., +$ ip -6 route add 2001:db8:1::/64 nexthop dev eth0 nexthop dev eth1 + +only generates a single notification: +2001:db8:1::/64 dev eth0 metric 1024 pref medium + +While working on a fix for this problem I found another case that is just +broken completely - a multipath route with a gateway followed by device +followed by gateway: + $ ip -6 ro add 2001:db8:103::/64 + nexthop via 2001:db8:1::64 + nexthop dev dummy2 + nexthop via 2001:db8:3::64 + +In this case the device only route is dropped completely - no notification +to userpsace but no addition to the FIB either: + +$ ip -6 ro ls +2001:db8:1::/64 dev dummy1 proto kernel metric 256 pref medium +2001:db8:2::/64 dev dummy2 proto kernel metric 256 pref medium +2001:db8:3::/64 dev dummy3 proto kernel metric 256 pref medium +2001:db8:103::/64 metric 1024 + nexthop via 2001:db8:1::64 dev dummy1 weight 1 + nexthop via 2001:db8:3::64 dev dummy3 weight 1 pref medium +fe80::/64 dev dummy1 proto kernel metric 256 pref medium +fe80::/64 dev dummy2 proto kernel metric 256 pref medium +fe80::/64 dev dummy3 proto kernel metric 256 pref medium + +Really, IPv6 multipath is just FUBAR'ed beyond repair when it comes to +device only routes, so do not allow it all. + +This change will break any scripts relying on the mpath api for insert, +but I don't see any other way to handle the permutations. Besides, since +the routes are added to the FIB as standalone (non-multipath) routes the +kernel is not doing what the user requested, so it might as well tell the +user that. + +Reported-by: Eric Dumazet +Signed-off-by: David Ahern +Reviewed-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/route.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/net/ipv6/route.c ++++ b/net/ipv6/route.c +@@ -4274,6 +4274,13 @@ static int ip6_route_multipath_add(struc + err_nh = nh; + goto add_errout; + } ++ if (!rt6_qualify_for_ecmp(rt)) { ++ err = -EINVAL; ++ NL_SET_ERR_MSG(extack, ++ "Device only routes can not be added for IPv6 using the multipath API."); ++ dst_release_immediate(&rt->dst); ++ goto cleanup; ++ } + + /* Because each route is added like a single route we remove + * these flags after the first nexthop: if there is a collision, diff --git a/queue-4.17/net-mlx4_en-don-t-reuse-rx-page-when-xdp-is-set.patch b/queue-4.17/net-mlx4_en-don-t-reuse-rx-page-when-xdp-is-set.patch new file mode 100644 index 00000000000..0b046a88239 --- /dev/null +++ b/queue-4.17/net-mlx4_en-don-t-reuse-rx-page-when-xdp-is-set.patch @@ -0,0 +1,68 @@ +From foo@baz Mon Jul 23 07:30:59 CEST 2018 +From: Saeed Mahameed +Date: Sun, 15 Jul 2018 13:54:39 +0300 +Subject: net/mlx4_en: Don't reuse RX page when XDP is set + +From: Saeed Mahameed + +[ Upstream commit 432e629e56432064761be63bcd5e263c0920430d ] + +When a new rx packet arrives, the rx path will decide whether to reuse +the remainder of the page or not according to one of the below conditions: +1. frag_info->frag_stride == PAGE_SIZE / 2 +2. frags->page_offset + frag_info->frag_size > PAGE_SIZE; + +The first condition is no met for when XDP is set. +For XDP, page_offset is always set to priv->rx_headroom which is +XDP_PACKET_HEADROOM and frag_info->frag_size is around mtu size + some +padding, still the 2nd release condition will hold since +XDP_PACKET_HEADROOM + 1536 < PAGE_SIZE, as a result the page will not +be released and will be _wrongly_ reused for next free rx descriptor. + +In XDP there is an assumption to have a page per packet and reuse can +break such assumption and might cause packet data corruptions. + +Fix this by adding an extra condition (!priv->rx_headroom) to the 2nd +case to avoid page reuse when XDP is set, since rx_headroom is set to 0 +for non XDP setup and set to XDP_PACKET_HEADROOM for XDP setup. + +No additional cache line is required for the new condition. + +Fixes: 34db548bfb95 ("mlx4: add page recycling in receive path") +Signed-off-by: Saeed Mahameed +Signed-off-by: Tariq Toukan +Suggested-by: Martin KaFai Lau +CC: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlx4/en_rx.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/mellanox/mlx4/en_rx.c ++++ b/drivers/net/ethernet/mellanox/mlx4/en_rx.c +@@ -474,10 +474,10 @@ static int mlx4_en_complete_rx_desc(stru + { + const struct mlx4_en_frag_info *frag_info = priv->frag_info; + unsigned int truesize = 0; ++ bool release = true; + int nr, frag_size; + struct page *page; + dma_addr_t dma; +- bool release; + + /* Collect used fragments while replacing them in the HW descriptors */ + for (nr = 0;; frags++) { +@@ -500,7 +500,11 @@ static int mlx4_en_complete_rx_desc(stru + release = page_count(page) != 1 || + page_is_pfmemalloc(page) || + page_to_nid(page) != numa_mem_id(); +- } else { ++ } else if (!priv->rx_headroom) { ++ /* rx_headroom for non XDP setup is always 0. ++ * When XDP is set, the above condition will ++ * guarantee page is always released. ++ */ + u32 sz_align = ALIGN(frag_size, SMP_CACHE_BYTES); + + frags->page_offset += sz_align; diff --git a/queue-4.17/net-phy-fix-flag-masking-in-__set_phy_supported.patch b/queue-4.17/net-phy-fix-flag-masking-in-__set_phy_supported.patch new file mode 100644 index 00000000000..60e4f9acd32 --- /dev/null +++ b/queue-4.17/net-phy-fix-flag-masking-in-__set_phy_supported.patch @@ -0,0 +1,43 @@ +From foo@baz Mon Jul 23 07:30:59 CEST 2018 +From: Heiner Kallweit +Date: Tue, 3 Jul 2018 22:34:54 +0200 +Subject: net: phy: fix flag masking in __set_phy_supported + +From: Heiner Kallweit + +[ Upstream commit df8ed346d4a806a6eef2db5924285e839604b3f9 ] + +Currently also the pause flags are removed from phydev->supported because +they're not included in PHY_DEFAULT_FEATURES. I don't think this is +intended, especially when considering that this function can be called +via phy_set_max_speed() anywhere in a driver. Change the masking to mask +out only the values we're going to change. In addition remove the +misleading comment, job of this small function is just to adjust the +supported and advertised speeds. + +Fixes: f3a6bd393c2c ("phylib: Add phy_set_max_speed helper") +Signed-off-by: Heiner Kallweit +Reviewed-by: Andrew Lunn +Reviewed-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/phy/phy_device.c | 7 ++----- + 1 file changed, 2 insertions(+), 5 deletions(-) + +--- a/drivers/net/phy/phy_device.c ++++ b/drivers/net/phy/phy_device.c +@@ -1720,11 +1720,8 @@ EXPORT_SYMBOL(genphy_loopback); + + static int __set_phy_supported(struct phy_device *phydev, u32 max_speed) + { +- /* The default values for phydev->supported are provided by the PHY +- * driver "features" member, we want to reset to sane defaults first +- * before supporting higher speeds. +- */ +- phydev->supported &= PHY_DEFAULT_FEATURES; ++ phydev->supported &= ~(PHY_1000BT_FEATURES | PHY_100BT_FEATURES | ++ PHY_10BT_FEATURES); + + switch (max_speed) { + default: diff --git a/queue-4.17/net-systemport-fix-crc-forwarding-check-for-systemport-lite.patch b/queue-4.17/net-systemport-fix-crc-forwarding-check-for-systemport-lite.patch new file mode 100644 index 00000000000..1e04d26f5d4 --- /dev/null +++ b/queue-4.17/net-systemport-fix-crc-forwarding-check-for-systemport-lite.patch @@ -0,0 +1,49 @@ +From foo@baz Mon Jul 23 07:30:59 CEST 2018 +From: Florian Fainelli +Date: Wed, 11 Jul 2018 02:47:58 -0700 +Subject: net: systemport: Fix CRC forwarding check for SYSTEMPORT Lite + +From: Florian Fainelli + +[ Upstream commit 9e3bff923913729d76d87f0015848ee7b8ff7083 ] + +SYSTEMPORT Lite reversed the logic compared to SYSTEMPORT, the +GIB_FCS_STRIP bit is set when the Ethernet FCS is stripped, and that bit +is not set by default. Fix the logic such that we properly check whether +that bit is set or not and we don't forward an extra 4 bytes to the +network stack. + +Fixes: 44a4524c54af ("net: systemport: Add support for SYSTEMPORT Lite") +Signed-off-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/broadcom/bcmsysport.c | 4 ++-- + drivers/net/ethernet/broadcom/bcmsysport.h | 3 ++- + 2 files changed, 4 insertions(+), 3 deletions(-) + +--- a/drivers/net/ethernet/broadcom/bcmsysport.c ++++ b/drivers/net/ethernet/broadcom/bcmsysport.c +@@ -1946,8 +1946,8 @@ static int bcm_sysport_open(struct net_d + if (!priv->is_lite) + priv->crc_fwd = !!(umac_readl(priv, UMAC_CMD) & CMD_CRC_FWD); + else +- priv->crc_fwd = !!(gib_readl(priv, GIB_CONTROL) & +- GIB_FCS_STRIP); ++ priv->crc_fwd = !((gib_readl(priv, GIB_CONTROL) & ++ GIB_FCS_STRIP) >> GIB_FCS_STRIP_SHIFT); + + phydev = of_phy_connect(dev, priv->phy_dn, bcm_sysport_adj_link, + 0, priv->phy_interface); +--- a/drivers/net/ethernet/broadcom/bcmsysport.h ++++ b/drivers/net/ethernet/broadcom/bcmsysport.h +@@ -278,7 +278,8 @@ struct bcm_rsb { + #define GIB_GTX_CLK_EXT_CLK (0 << GIB_GTX_CLK_SEL_SHIFT) + #define GIB_GTX_CLK_125MHZ (1 << GIB_GTX_CLK_SEL_SHIFT) + #define GIB_GTX_CLK_250MHZ (2 << GIB_GTX_CLK_SEL_SHIFT) +-#define GIB_FCS_STRIP (1 << 6) ++#define GIB_FCS_STRIP_SHIFT 6 ++#define GIB_FCS_STRIP (1 << GIB_FCS_STRIP_SHIFT) + #define GIB_LCL_LOOP_EN (1 << 7) + #define GIB_LCL_LOOP_TXEN (1 << 8) + #define GIB_RMT_LOOP_EN (1 << 9) diff --git a/queue-4.17/net-usb-asix-replace-mii_nway_restart-in-resume-path.patch b/queue-4.17/net-usb-asix-replace-mii_nway_restart-in-resume-path.patch new file mode 100644 index 00000000000..7e245d4844a --- /dev/null +++ b/queue-4.17/net-usb-asix-replace-mii_nway_restart-in-resume-path.patch @@ -0,0 +1,42 @@ +From foo@baz Mon Jul 23 07:30:59 CEST 2018 +From: Alexander Couzens +Date: Tue, 17 Jul 2018 13:17:09 +0200 +Subject: net: usb: asix: replace mii_nway_restart in resume path + +From: Alexander Couzens + +[ Upstream commit 5c968f48021a9b3faa61ac2543cfab32461c0e05 ] + +mii_nway_restart is not pm aware which results in a rtnl deadlock. +Implement mii_nway_restart manual by setting BMCR_ANRESTART if +BMCR_ANENABLE is set. + +To reproduce: +* plug an asix based usb network interface +* wait until the device enters PM (~5 sec) +* `ip link set eth1 up` will never return + +Fixes: d9fe64e51114 ("net: asix: Add in_pm parameter") +Signed-off-by: Alexander Couzens +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/asix_devices.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/net/usb/asix_devices.c ++++ b/drivers/net/usb/asix_devices.c +@@ -642,10 +642,12 @@ static void ax88772_restore_phy(struct u + priv->presvd_phy_advertise); + + /* Restore BMCR */ ++ if (priv->presvd_phy_bmcr & BMCR_ANENABLE) ++ priv->presvd_phy_bmcr |= BMCR_ANRESTART; ++ + asix_mdio_write_nopm(dev->net, dev->mii.phy_id, MII_BMCR, + priv->presvd_phy_bmcr); + +- mii_nway_restart(&dev->mii); + priv->presvd_phy_advertise = 0; + priv->presvd_phy_bmcr = 0; + } diff --git a/queue-4.17/ptp-fix-missing-break-in-switch.patch b/queue-4.17/ptp-fix-missing-break-in-switch.patch new file mode 100644 index 00000000000..e3df41d1355 --- /dev/null +++ b/queue-4.17/ptp-fix-missing-break-in-switch.patch @@ -0,0 +1,31 @@ +From foo@baz Mon Jul 23 07:30:59 CEST 2018 +From: "Gustavo A. R. Silva" +Date: Tue, 17 Jul 2018 20:17:33 -0500 +Subject: ptp: fix missing break in switch + +From: "Gustavo A. R. Silva" + +[ Upstream commit 9ba8376ce1e2cbf4ce44f7e4bee1d0648e10d594 ] + +It seems that a *break* is missing in order to avoid falling through +to the default case. Otherwise, checking *chan* makes no sense. + +Fixes: 72df7a7244c0 ("ptp: Allow reassigning calibration pin function") +Signed-off-by: Gustavo A. R. Silva +Acked-by: Richard Cochran +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/ptp/ptp_chardev.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/ptp/ptp_chardev.c ++++ b/drivers/ptp/ptp_chardev.c +@@ -89,6 +89,7 @@ int ptp_set_pinfunc(struct ptp_clock *pt + case PTP_PF_PHYSYNC: + if (chan != 0) + return -EINVAL; ++ break; + default: + return -EINVAL; + } diff --git a/queue-4.17/qmi_wwan-add-support-for-quectel-eg91.patch b/queue-4.17/qmi_wwan-add-support-for-quectel-eg91.patch new file mode 100644 index 00000000000..332773c3ffe --- /dev/null +++ b/queue-4.17/qmi_wwan-add-support-for-quectel-eg91.patch @@ -0,0 +1,30 @@ +From foo@baz Mon Jul 23 07:30:59 CEST 2018 +From: Matevz Vucnik +Date: Wed, 4 Jul 2018 18:12:48 +0200 +Subject: qmi_wwan: add support for Quectel EG91 + +From: Matevz Vucnik + +[ Upstream commit 38cd58ed9c4e389799b507bcffe02a7a7a180b33 ] + +This adds the USB id of LTE modem Quectel EG91. It requires the +same quirk as other Quectel modems to make it work. + +Signed-off-by: Matevz Vucnik +Acked-by: Bjørn Mork +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/qmi_wwan.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/usb/qmi_wwan.c ++++ b/drivers/net/usb/qmi_wwan.c +@@ -1253,6 +1253,7 @@ static const struct usb_device_id produc + {QMI_FIXED_INTF(0x1e0e, 0x9001, 5)}, /* SIMCom 7230E */ + {QMI_QUIRK_SET_DTR(0x2c7c, 0x0125, 4)}, /* Quectel EC25, EC20 R2.0 Mini PCIe */ + {QMI_QUIRK_SET_DTR(0x2c7c, 0x0121, 4)}, /* Quectel EC21 Mini PCIe */ ++ {QMI_QUIRK_SET_DTR(0x2c7c, 0x0191, 4)}, /* Quectel EG91 */ + {QMI_FIXED_INTF(0x2c7c, 0x0296, 4)}, /* Quectel BG96 */ + {QMI_QUIRK_SET_DTR(0x2c7c, 0x0306, 4)}, /* Quectel EP06 Mini PCIe */ + diff --git a/queue-4.17/rhashtable-add-restart-routine-in-rhashtable_free_and_destroy.patch b/queue-4.17/rhashtable-add-restart-routine-in-rhashtable_free_and_destroy.patch new file mode 100644 index 00000000000..abcd9eb3a3b --- /dev/null +++ b/queue-4.17/rhashtable-add-restart-routine-in-rhashtable_free_and_destroy.patch @@ -0,0 +1,137 @@ +From foo@baz Mon Jul 23 07:30:59 CEST 2018 +From: Taehee Yoo +Date: Sun, 8 Jul 2018 11:55:51 +0900 +Subject: rhashtable: add restart routine in rhashtable_free_and_destroy() + +From: Taehee Yoo + +[ Upstream commit 0026129c8629265bfe5079c1e017fa8543796d9f ] + +rhashtable_free_and_destroy() cancels re-hash deferred work +then walks and destroys elements. at this moment, some elements can be +still in future_tbl. that elements are not destroyed. + +test case: +nft_rhash_destroy() calls rhashtable_free_and_destroy() to destroy +all elements of sets before destroying sets and chains. +But rhashtable_free_and_destroy() doesn't destroy elements of future_tbl. +so that splat occurred. + +test script: + %cat test.nft + table ip aa { + map map1 { + type ipv4_addr : verdict; + elements = { + 0 : jump a0, + 1 : jump a0, + 2 : jump a0, + 3 : jump a0, + 4 : jump a0, + 5 : jump a0, + 6 : jump a0, + 7 : jump a0, + 8 : jump a0, + 9 : jump a0, + } + } + chain a0 { + } + } + flush ruleset + table ip aa { + map map1 { + type ipv4_addr : verdict; + elements = { + 0 : jump a0, + 1 : jump a0, + 2 : jump a0, + 3 : jump a0, + 4 : jump a0, + 5 : jump a0, + 6 : jump a0, + 7 : jump a0, + 8 : jump a0, + 9 : jump a0, + } + } + chain a0 { + } + } + flush ruleset + + %while :; do nft -f test.nft; done + +Splat looks like: +[ 200.795603] kernel BUG at net/netfilter/nf_tables_api.c:1363! +[ 200.806944] invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN PTI +[ 200.812253] CPU: 1 PID: 1582 Comm: nft Not tainted 4.17.0+ #24 +[ 200.820297] Hardware name: To be filled by O.E.M. To be filled by O.E.M./Aptio CRB, BIOS 5.6.5 07/08/2015 +[ 200.830309] RIP: 0010:nf_tables_chain_destroy.isra.34+0x62/0x240 [nf_tables] +[ 200.838317] Code: 43 50 85 c0 74 26 48 8b 45 00 48 8b 4d 08 ba 54 05 00 00 48 c7 c6 60 6d 29 c0 48 c7 c7 c0 65 29 c0 4c 8b 40 08 e8 58 e5 fd f8 <0f> 0b 48 89 da 48 b8 00 00 00 00 00 fc ff +[ 200.860366] RSP: 0000:ffff880118dbf4d0 EFLAGS: 00010282 +[ 200.866354] RAX: 0000000000000061 RBX: ffff88010cdeaf08 RCX: 0000000000000000 +[ 200.874355] RDX: 0000000000000061 RSI: 0000000000000008 RDI: ffffed00231b7e90 +[ 200.882361] RBP: ffff880118dbf4e8 R08: ffffed002373bcfb R09: ffffed002373bcfa +[ 200.890354] R10: 0000000000000000 R11: ffffed002373bcfb R12: dead000000000200 +[ 200.898356] R13: dead000000000100 R14: ffffffffbb62af38 R15: dffffc0000000000 +[ 200.906354] FS: 00007fefc31fd700(0000) GS:ffff88011b800000(0000) knlGS:0000000000000000 +[ 200.915533] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 200.922355] CR2: 0000557f1c8e9128 CR3: 0000000106880000 CR4: 00000000001006e0 +[ 200.930353] Call Trace: +[ 200.932351] ? nf_tables_commit+0x26f6/0x2c60 [nf_tables] +[ 200.939525] ? nf_tables_setelem_notify.constprop.49+0x1a0/0x1a0 [nf_tables] +[ 200.947525] ? nf_tables_delchain+0x6e0/0x6e0 [nf_tables] +[ 200.952383] ? nft_add_set_elem+0x1700/0x1700 [nf_tables] +[ 200.959532] ? nla_parse+0xab/0x230 +[ 200.963529] ? nfnetlink_rcv_batch+0xd06/0x10d0 [nfnetlink] +[ 200.968384] ? nfnetlink_net_init+0x130/0x130 [nfnetlink] +[ 200.975525] ? debug_show_all_locks+0x290/0x290 +[ 200.980363] ? debug_show_all_locks+0x290/0x290 +[ 200.986356] ? sched_clock_cpu+0x132/0x170 +[ 200.990352] ? find_held_lock+0x39/0x1b0 +[ 200.994355] ? sched_clock_local+0x10d/0x130 +[ 200.999531] ? memset+0x1f/0x40 + +V2: + - free all tables requested by Herbert Xu + +Signed-off-by: Taehee Yoo +Acked-by: Herbert Xu +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + lib/rhashtable.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/lib/rhashtable.c ++++ b/lib/rhashtable.c +@@ -1107,13 +1107,14 @@ void rhashtable_free_and_destroy(struct + void (*free_fn)(void *ptr, void *arg), + void *arg) + { +- struct bucket_table *tbl; ++ struct bucket_table *tbl, *next_tbl; + unsigned int i; + + cancel_work_sync(&ht->run_work); + + mutex_lock(&ht->mutex); + tbl = rht_dereference(ht->tbl, ht); ++restart: + if (free_fn) { + for (i = 0; i < tbl->size; i++) { + struct rhash_head *pos, *next; +@@ -1130,7 +1131,12 @@ void rhashtable_free_and_destroy(struct + } + } + ++ next_tbl = rht_dereference(tbl->future_tbl, ht); + bucket_table_free(tbl); ++ if (next_tbl) { ++ tbl = next_tbl; ++ goto restart; ++ } + mutex_unlock(&ht->mutex); + } + EXPORT_SYMBOL_GPL(rhashtable_free_and_destroy); diff --git a/queue-4.17/sch_fq_codel-zero-q-flows_cnt-when-fq_codel_init-fails.patch b/queue-4.17/sch_fq_codel-zero-q-flows_cnt-when-fq_codel_init-fails.patch new file mode 100644 index 00000000000..bb0b0b73162 --- /dev/null +++ b/queue-4.17/sch_fq_codel-zero-q-flows_cnt-when-fq_codel_init-fails.patch @@ -0,0 +1,141 @@ +From foo@baz Mon Jul 23 07:30:59 CEST 2018 +From: Jacob Keller +Date: Tue, 10 Jul 2018 14:22:27 -0700 +Subject: sch_fq_codel: zero q->flows_cnt when fq_codel_init fails + +From: Jacob Keller + +[ Upstream commit 83fe6b8709f65bc505b10235bd82ece12c4c5099 ] + +When fq_codel_init fails, qdisc_create_dflt will cleanup by using +qdisc_destroy. This function calls the ->reset() op prior to calling the +->destroy() op. + +Unfortunately, during the failure flow for sch_fq_codel, the ->flows +parameter is not initialized, so the fq_codel_reset function will null +pointer dereference. + + kernel: BUG: unable to handle kernel NULL pointer dereference at 0000000000000008 + kernel: IP: fq_codel_reset+0x58/0xd0 [sch_fq_codel] + kernel: PGD 0 P4D 0 + kernel: Oops: 0000 [#1] SMP PTI + kernel: Modules linked in: i40iw i40e(OE) xt_CHECKSUM iptable_mangle ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat nf_nat_ipv4 nf_nat nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack tun bridge stp llc devlink ebtable_filter ebtables ip6table_filter ip6_tables rpcrdma ib_isert iscsi_target_mod sunrpc ib_iser libiscsi scsi_transport_iscsi ib_srpt target_core_mod ib_srp scsi_transport_srp ib_ipoib rdma_ucm ib_ucm ib_uverbs ib_umad rdma_cm ib_cm iw_cm intel_rapl sb_edac x86_pkg_temp_thermal intel_powerclamp coretemp kvm irqbypass crct10dif_pclmul crc32_pclmul ghash_clmulni_intel intel_cstate iTCO_wdt iTCO_vendor_support intel_uncore ib_core intel_rapl_perf mei_me mei joydev i2c_i801 lpc_ich ioatdma shpchp wmi sch_fq_codel xfs libcrc32c mgag200 ixgbe drm_kms_helper isci ttm firewire_ohci + kernel: mdio drm igb libsas crc32c_intel firewire_core ptp pps_core scsi_transport_sas crc_itu_t dca i2c_algo_bit ipmi_si ipmi_devintf ipmi_msghandler [last unloaded: i40e] + kernel: CPU: 10 PID: 4219 Comm: ip Tainted: G OE 4.16.13custom-fq-codel-test+ #3 + kernel: Hardware name: Intel Corporation S2600CO/S2600CO, BIOS SE5C600.86B.02.05.0004.051120151007 05/11/2015 + kernel: RIP: 0010:fq_codel_reset+0x58/0xd0 [sch_fq_codel] + kernel: RSP: 0018:ffffbfbf4c1fb620 EFLAGS: 00010246 + kernel: RAX: 0000000000000400 RBX: 0000000000000000 RCX: 00000000000005b9 + kernel: RDX: 0000000000000000 RSI: ffff9d03264a60c0 RDI: ffff9cfd17b31c00 + kernel: RBP: 0000000000000001 R08: 00000000000260c0 R09: ffffffffb679c3e9 + kernel: R10: fffff1dab06a0e80 R11: ffff9cfd163af800 R12: ffff9cfd17b31c00 + kernel: R13: 0000000000000001 R14: ffff9cfd153de600 R15: 0000000000000001 + kernel: FS: 00007fdec2f92800(0000) GS:ffff9d0326480000(0000) knlGS:0000000000000000 + kernel: CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + kernel: CR2: 0000000000000008 CR3: 0000000c1956a006 CR4: 00000000000606e0 + kernel: Call Trace: + kernel: qdisc_destroy+0x56/0x140 + kernel: qdisc_create_dflt+0x8b/0xb0 + kernel: mq_init+0xc1/0xf0 + kernel: qdisc_create_dflt+0x5a/0xb0 + kernel: dev_activate+0x205/0x230 + kernel: __dev_open+0xf5/0x160 + kernel: __dev_change_flags+0x1a3/0x210 + kernel: dev_change_flags+0x21/0x60 + kernel: do_setlink+0x660/0xdf0 + kernel: ? down_trylock+0x25/0x30 + kernel: ? xfs_buf_trylock+0x1a/0xd0 [xfs] + kernel: ? rtnl_newlink+0x816/0x990 + kernel: ? _xfs_buf_find+0x327/0x580 [xfs] + kernel: ? _cond_resched+0x15/0x30 + kernel: ? kmem_cache_alloc+0x20/0x1b0 + kernel: ? rtnetlink_rcv_msg+0x200/0x2f0 + kernel: ? rtnl_calcit.isra.30+0x100/0x100 + kernel: ? netlink_rcv_skb+0x4c/0x120 + kernel: ? netlink_unicast+0x19e/0x260 + kernel: ? netlink_sendmsg+0x1ff/0x3c0 + kernel: ? sock_sendmsg+0x36/0x40 + kernel: ? ___sys_sendmsg+0x295/0x2f0 + kernel: ? ebitmap_cmp+0x6d/0x90 + kernel: ? dev_get_by_name_rcu+0x73/0x90 + kernel: ? skb_dequeue+0x52/0x60 + kernel: ? __inode_wait_for_writeback+0x7f/0xf0 + kernel: ? bit_waitqueue+0x30/0x30 + kernel: ? fsnotify_grab_connector+0x3c/0x60 + kernel: ? __sys_sendmsg+0x51/0x90 + kernel: ? do_syscall_64+0x74/0x180 + kernel: ? entry_SYSCALL_64_after_hwframe+0x3d/0xa2 + kernel: Code: 00 00 48 89 87 00 02 00 00 8b 87 a0 01 00 00 85 c0 0f 84 84 00 00 00 31 ed 48 63 dd 83 c5 01 48 c1 e3 06 49 03 9c 24 90 01 00 00 <48> 8b 73 08 48 8b 3b e8 6c 9a 4f f6 48 8d 43 10 48 c7 03 00 00 + kernel: RIP: fq_codel_reset+0x58/0xd0 [sch_fq_codel] RSP: ffffbfbf4c1fb620 + kernel: CR2: 0000000000000008 + kernel: ---[ end trace e81a62bede66274e ]--- + +This is caused because flows_cnt is non-zero, but flows hasn't been +initialized. fq_codel_init has left the private data in a partially +initialized state. + +To fix this, reset flows_cnt to 0 when we fail to initialize. +Additionally, to make the state more consistent, also cleanup the flows +pointer when the allocation of backlogs fails. + +This fixes the NULL pointer dereference, since both the for-loop and +memset in fq_codel_reset will be no-ops when flow_cnt is zero. + +Signed-off-by: Jacob Keller +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/sched/sch_fq_codel.c | 25 ++++++++++++++++++------- + 1 file changed, 18 insertions(+), 7 deletions(-) + +--- a/net/sched/sch_fq_codel.c ++++ b/net/sched/sch_fq_codel.c +@@ -479,23 +479,27 @@ static int fq_codel_init(struct Qdisc *s + q->cparams.mtu = psched_mtu(qdisc_dev(sch)); + + if (opt) { +- int err = fq_codel_change(sch, opt, extack); ++ err = fq_codel_change(sch, opt, extack); + if (err) +- return err; ++ goto init_failure; + } + + err = tcf_block_get(&q->block, &q->filter_list, sch, extack); + if (err) +- return err; ++ goto init_failure; + + if (!q->flows) { + q->flows = kvzalloc(q->flows_cnt * + sizeof(struct fq_codel_flow), GFP_KERNEL); +- if (!q->flows) +- return -ENOMEM; ++ if (!q->flows) { ++ err = -ENOMEM; ++ goto init_failure; ++ } + q->backlogs = kvzalloc(q->flows_cnt * sizeof(u32), GFP_KERNEL); +- if (!q->backlogs) +- return -ENOMEM; ++ if (!q->backlogs) { ++ err = -ENOMEM; ++ goto alloc_failure; ++ } + for (i = 0; i < q->flows_cnt; i++) { + struct fq_codel_flow *flow = q->flows + i; + +@@ -508,6 +512,13 @@ static int fq_codel_init(struct Qdisc *s + else + sch->flags &= ~TCQ_F_CAN_BYPASS; + return 0; ++ ++alloc_failure: ++ kvfree(q->flows); ++ q->flows = NULL; ++init_failure: ++ q->flows_cnt = 0; ++ return err; + } + + static int fq_codel_dump(struct Qdisc *sch, struct sk_buff *skb) diff --git a/queue-4.17/sctp-fix-the-issue-that-pathmtu-may-be-set-lower-than-minsegment.patch b/queue-4.17/sctp-fix-the-issue-that-pathmtu-may-be-set-lower-than-minsegment.patch new file mode 100644 index 00000000000..e2fb9035020 --- /dev/null +++ b/queue-4.17/sctp-fix-the-issue-that-pathmtu-may-be-set-lower-than-minsegment.patch @@ -0,0 +1,50 @@ +From foo@baz Mon Jul 23 07:30:59 CEST 2018 +From: Xin Long +Date: Tue, 3 Jul 2018 16:30:47 +0800 +Subject: sctp: fix the issue that pathmtu may be set lower than MINSEGMENT + +From: Xin Long + +[ Upstream commit a65925475571953da12a9bc2082aec29d4e2c0e7 ] + +After commit b6c5734db070 ("sctp: fix the handling of ICMP Frag Needed +for too small MTUs"), sctp_transport_update_pmtu would refetch pathmtu +from the dst and set it to transport's pathmtu without any check. + +The new pathmtu may be lower than MINSEGMENT if the dst is obsolete and +updated by .get_dst() in sctp_transport_update_pmtu. In this case, it +could have a smaller MTU as well, and thus we should validate it +against MINSEGMENT instead. + +Syzbot reported a warning in sctp_mtu_payload caused by this. + +This patch refetches the pathmtu by calling sctp_dst_mtu where it does +the check against MINSEGMENT. + +v1->v2: + - refetch the pathmtu by calling sctp_dst_mtu instead as Marcelo's + suggestion. + +Fixes: b6c5734db070 ("sctp: fix the handling of ICMP Frag Needed for too small MTUs") +Reported-by: syzbot+f0d9d7cba052f9344b03@syzkaller.appspotmail.com +Suggested-by: Marcelo Ricardo Leitner +Signed-off-by: Xin Long +Acked-by: Marcelo Ricardo Leitner +Acked-by: Neil Horman +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/sctp/transport.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/sctp/transport.c ++++ b/net/sctp/transport.c +@@ -273,7 +273,7 @@ bool sctp_transport_update_pmtu(struct s + + if (dst) { + /* Re-fetch, as under layers may have a higher minimum size */ +- pmtu = SCTP_TRUNC4(dst_mtu(dst)); ++ pmtu = sctp_dst_mtu(dst); + change = t->pathmtu != pmtu; + } + t->pathmtu = pmtu; diff --git a/queue-4.17/sctp-introduce-sctp_dst_mtu.patch b/queue-4.17/sctp-introduce-sctp_dst_mtu.patch new file mode 100644 index 00000000000..8d8acd5773e --- /dev/null +++ b/queue-4.17/sctp-introduce-sctp_dst_mtu.patch @@ -0,0 +1,72 @@ +From foo@baz Mon Jul 23 07:30:59 CEST 2018 +From: Marcelo Ricardo Leitner +Date: Thu, 26 Apr 2018 16:58:57 -0300 +Subject: sctp: introduce sctp_dst_mtu + +From: Marcelo Ricardo Leitner + +[ Upstream commit 6ff0f871c20ec1769a481edca86f23c76b2b06d3 ] + +Which makes sure that the MTU respects the minimum value of +SCTP_DEFAULT_MINSEGMENT and that it is correctly aligned. + +Signed-off-by: Marcelo Ricardo Leitner +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/net/sctp/sctp.h | 9 +++++++-- + net/sctp/associola.c | 6 ++---- + net/sctp/transport.c | 6 +++--- + 3 files changed, 12 insertions(+), 9 deletions(-) + +--- a/include/net/sctp/sctp.h ++++ b/include/net/sctp/sctp.h +@@ -609,10 +609,15 @@ static inline struct dst_entry *sctp_tra + return t->dst; + } + ++static inline __u32 sctp_dst_mtu(const struct dst_entry *dst) ++{ ++ return SCTP_TRUNC4(max_t(__u32, dst_mtu(dst), ++ SCTP_DEFAULT_MINSEGMENT)); ++} ++ + static inline bool sctp_transport_pmtu_check(struct sctp_transport *t) + { +- __u32 pmtu = max_t(size_t, SCTP_TRUNC4(dst_mtu(t->dst)), +- SCTP_DEFAULT_MINSEGMENT); ++ __u32 pmtu = sctp_dst_mtu(t->dst); + + if (t->pathmtu == pmtu) + return true; +--- a/net/sctp/associola.c ++++ b/net/sctp/associola.c +@@ -1446,11 +1446,9 @@ void sctp_assoc_sync_pmtu(struct sctp_as + return; + + /* Get the lowest pmtu of all the transports. */ +- list_for_each_entry(t, &asoc->peer.transport_addr_list, +- transports) { ++ list_for_each_entry(t, &asoc->peer.transport_addr_list, transports) { + if (t->pmtu_pending && t->dst) { +- sctp_transport_update_pmtu( +- t, SCTP_TRUNC4(dst_mtu(t->dst))); ++ sctp_transport_update_pmtu(t, sctp_dst_mtu(t->dst)); + t->pmtu_pending = 0; + } + if (!pmtu || (t->pathmtu < pmtu)) +--- a/net/sctp/transport.c ++++ b/net/sctp/transport.c +@@ -242,9 +242,9 @@ void sctp_transport_pmtu(struct sctp_tra + &transport->fl, sk); + } + +- if (transport->dst) { +- transport->pathmtu = SCTP_TRUNC4(dst_mtu(transport->dst)); +- } else ++ if (transport->dst) ++ transport->pathmtu = sctp_dst_mtu(transport->dst); ++ else + transport->pathmtu = SCTP_DEFAULT_MAXSEGMENT; + } + diff --git a/queue-4.17/series b/queue-4.17/series index 7122b5ec6c2..1417317f960 100644 --- a/queue-4.17/series +++ b/queue-4.17/series @@ -32,3 +32,28 @@ revert-drm-amd-display-don-t-return-ddc-result-and-read_bytes-in-same-return-val drm-nouveau-remove-bogus-crtc-check-in-pmops_runtime_idle.patch drm-nouveau-use-drm_connector_list_iter_-for-iterating-connectors.patch drm-nouveau-avoid-looping-through-fake-mst-connectors.patch +gen_stats-fix-netlink-stats-dumping-in-the-presence-of-padding.patch +ipv4-return-einval-when-ping_group_range-sysctl-doesn-t-map-to-user-ns.patch +ipv6-fix-useless-rol32-call-on-hash.patch +ipv6-ila-select-config_dst_cache.patch +lib-rhashtable-consider-param-min_size-when-setting-initial-table-size.patch +net-diag-don-t-double-free-tcp_new_syn_recv-sockets-in-tcp_abort.patch +net-don-t-copy-pfmemalloc-flag-in-__copy_skb_header.patch +skbuff-unconditionally-copy-pfmemalloc-in-__skb_clone.patch +net-ipv4-set-oif-in-fib_compute_spec_dst.patch +net-ipv6-do-not-allow-device-only-routes-via-the-multipath-api.patch +net-phy-fix-flag-masking-in-__set_phy_supported.patch +ptp-fix-missing-break-in-switch.patch +qmi_wwan-add-support-for-quectel-eg91.patch +rhashtable-add-restart-routine-in-rhashtable_free_and_destroy.patch +sch_fq_codel-zero-q-flows_cnt-when-fq_codel_init-fails.patch +tg3-add-higher-cpu-clock-for-5762.patch +net-ip6_gre-get-ipv6hdr-after-skb_cow_head.patch +sctp-introduce-sctp_dst_mtu.patch +sctp-fix-the-issue-that-pathmtu-may-be-set-lower-than-minsegment.patch +hv_netvsc-fix-napi-reschedule-while-receive-completion-is-busy.patch +net-aquantia-vlan-unicast-address-list-correct-handling.patch +net-mlx4_en-don-t-reuse-rx-page-when-xdp-is-set.patch +net-systemport-fix-crc-forwarding-check-for-systemport-lite.patch +ipv6-make-dad-fail-with-enhanced-dad-when-nonce-length-differs.patch +net-usb-asix-replace-mii_nway_restart-in-resume-path.patch diff --git a/queue-4.17/skbuff-unconditionally-copy-pfmemalloc-in-__skb_clone.patch b/queue-4.17/skbuff-unconditionally-copy-pfmemalloc-in-__skb_clone.patch new file mode 100644 index 00000000000..628174057b6 --- /dev/null +++ b/queue-4.17/skbuff-unconditionally-copy-pfmemalloc-in-__skb_clone.patch @@ -0,0 +1,41 @@ +From foo@baz Mon Jul 23 07:30:59 CEST 2018 +From: Stefano Brivio +Date: Fri, 13 Jul 2018 13:21:07 +0200 +Subject: skbuff: Unconditionally copy pfmemalloc in __skb_clone() + +From: Stefano Brivio + +[ Upstream commit e78bfb0751d4e312699106ba7efbed2bab1a53ca ] + +Commit 8b7008620b84 ("net: Don't copy pfmemalloc flag in +__copy_skb_header()") introduced a different handling for the +pfmemalloc flag in copy and clone paths. + +In __skb_clone(), now, the flag is set only if it was set in the +original skb, but not cleared if it wasn't. This is wrong and +might lead to socket buffers being flagged with pfmemalloc even +if the skb data wasn't allocated from pfmemalloc reserves. Copy +the flag instead of ORing it. + +Reported-by: Sabrina Dubroca +Fixes: 8b7008620b84 ("net: Don't copy pfmemalloc flag in __copy_skb_header()") +Signed-off-by: Stefano Brivio +Tested-by: Sabrina Dubroca +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/core/skbuff.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/net/core/skbuff.c ++++ b/net/core/skbuff.c +@@ -858,8 +858,7 @@ static struct sk_buff *__skb_clone(struc + n->cloned = 1; + n->nohdr = 0; + n->peeked = 0; +- if (skb->pfmemalloc) +- n->pfmemalloc = 1; ++ C(pfmemalloc); + n->destructor = NULL; + C(tail); + C(end); diff --git a/queue-4.17/tg3-add-higher-cpu-clock-for-5762.patch b/queue-4.17/tg3-add-higher-cpu-clock-for-5762.patch new file mode 100644 index 00000000000..c65b1e6a666 --- /dev/null +++ b/queue-4.17/tg3-add-higher-cpu-clock-for-5762.patch @@ -0,0 +1,39 @@ +From foo@baz Mon Jul 23 07:30:59 CEST 2018 +From: Sanjeev Bansal +Date: Mon, 16 Jul 2018 11:13:32 +0530 +Subject: tg3: Add higher cpu clock for 5762. + +From: Sanjeev Bansal + +[ Upstream commit 3a498606bb04af603a46ebde8296040b2de350d1 ] + +This patch has fix for TX timeout while running bi-directional +traffic with 100 Mbps using 5762. + +Signed-off-by: Sanjeev Bansal +Signed-off-by: Siva Reddy Kallam +Reviewed-by: Michael Chan +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/broadcom/tg3.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/drivers/net/ethernet/broadcom/tg3.c ++++ b/drivers/net/ethernet/broadcom/tg3.c +@@ -9289,6 +9289,15 @@ static int tg3_chip_reset(struct tg3 *tp + + tg3_restore_clk(tp); + ++ /* Increase the core clock speed to fix tx timeout issue for 5762 ++ * with 100Mbps link speed. ++ */ ++ if (tg3_asic_rev(tp) == ASIC_REV_5762) { ++ val = tr32(TG3_CPMU_CLCK_ORIDE_ENABLE); ++ tw32(TG3_CPMU_CLCK_ORIDE_ENABLE, val | ++ TG3_CPMU_MAC_ORIDE_ENABLE); ++ } ++ + /* Reprobe ASF enable state. */ + tg3_flag_clear(tp, ENABLE_ASF); + tp->phy_flags &= ~(TG3_PHYFLG_1G_ON_VAUX_OK |