From: Greg Kroah-Hartman Date: Sun, 7 Jun 2020 13:02:33 +0000 (+0200) Subject: 5.6-stable patches X-Git-Tag: v5.7.2~45 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=f379431d5b83c50f255679da2d4ac7cc8819bfeb;p=thirdparty%2Fkernel%2Fstable-queue.git 5.6-stable patches added patches:
---
diff --git a/queue-5.6/devinet-fix-memleak-in-inetdev_init.patch b/queue-5.6/devinet-fix-memleak-in-inetdev_init.patch
new file mode 100644
index 00000000000..89d893d3768
--- /dev/null
+++ b/queue-5.6/devinet-fix-memleak-in-inetdev_init.patch
@@ -0,0 +1,31 @@
+From foo@baz Sun 07 Jun 2020 02:59:34 PM CEST
+From: Yang Yingliang
+Date: Sat, 30 May 2020 11:34:33 +0800
+Subject: devinet: fix memleak in inetdev_init()
+
+From: Yang Yingliang
+
+[ Upstream commit 1b49cd71b52403822731dc9f283185d1da355f97 ]
+
+When devinet_sysctl_register() failed, the memory allocated
+in neigh_parms_alloc() should be freed.
+
+Fixes: 20e61da7ffcf ("ipv4: fail early when creating netdev named all or default")
+Signed-off-by: Yang Yingliang
+Acked-by: Cong Wang
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv4/devinet.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/ipv4/devinet.c
++++ b/net/ipv4/devinet.c
+@@ -276,6 +276,7 @@ static struct in_device *inetdev_init(st
+ err = devinet_sysctl_register(in_dev);
+ if (err) {
+ in_dev->dead = 1;
++ neigh_parms_release(&arp_tbl, in_dev->arp_parms);
+ in_dev_put(in_dev);
+ in_dev = NULL;
+ goto out;
diff --git a/queue-5.6/l2tp-add-sk_family-checks-to-l2tp_validate_socket.patch b/queue-5.6/l2tp-add-sk_family-checks-to-l2tp_validate_socket.patch
new file mode 100644
index 00000000000..2c0748c82c2
--- /dev/null
+++ b/queue-5.6/l2tp-add-sk_family-checks-to-l2tp_validate_socket.patch
@@ -0,0 +1,139 @@
+From foo@baz Sun 07 Jun 2020 02:59:34 PM CEST
+From: Eric Dumazet
+Date: Fri, 29 May 2020 11:32:25 -0700
+Subject: l2tp: add sk_family checks to l2tp_validate_socket
+
+From: Eric Dumazet
+
+[ Upstream commit d9a81a225277686eb629938986d97629ea102633 ]
+
+syzbot was able to trigger a crash after using an ISDN socket
+and fool l2tp.
+
+Fix this by making sure the UDP socket is of the proper family.
+
+BUG: KASAN: slab-out-of-bounds in setup_udp_tunnel_sock+0x465/0x540 net/ipv4/udp_tunnel.c:78
+Write of size 1 at addr ffff88808ed0c590 by task syz-executor.5/3018
+
+CPU: 0 PID: 3018 Comm: syz-executor.5 Not tainted 5.7.0-rc6-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x188/0x20d lib/dump_stack.c:118
+ print_address_description.constprop.0.cold+0xd3/0x413 mm/kasan/report.c:382
+ __kasan_report.cold+0x20/0x38 mm/kasan/report.c:511
+ kasan_report+0x33/0x50 mm/kasan/common.c:625
+ setup_udp_tunnel_sock+0x465/0x540 net/ipv4/udp_tunnel.c:78
+ l2tp_tunnel_register+0xb15/0xdd0 net/l2tp/l2tp_core.c:1523
+ l2tp_nl_cmd_tunnel_create+0x4b2/0xa60 net/l2tp/l2tp_netlink.c:249
+ genl_family_rcv_msg_doit net/netlink/genetlink.c:673 [inline]
+ genl_family_rcv_msg net/netlink/genetlink.c:718 [inline]
+ genl_rcv_msg+0x627/0xdf0 net/netlink/genetlink.c:735
+ netlink_rcv_skb+0x15a/0x410 net/netlink/af_netlink.c:2469
+ genl_rcv+0x24/0x40 net/netlink/genetlink.c:746
+ netlink_unicast_kernel net/netlink/af_netlink.c:1303 [inline]
+ netlink_unicast+0x537/0x740 net/netlink/af_netlink.c:1329
+ netlink_sendmsg+0x882/0xe10 net/netlink/af_netlink.c:1918
+ sock_sendmsg_nosec net/socket.c:652 [inline]
+ sock_sendmsg+0xcf/0x120 net/socket.c:672
+ ____sys_sendmsg+0x6e6/0x810 net/socket.c:2352
+ ___sys_sendmsg+0x100/0x170 net/socket.c:2406
+ __sys_sendmsg+0xe5/0x1b0 net/socket.c:2439
+ do_syscall_64+0xf6/0x7d0 arch/x86/entry/common.c:295
+ entry_SYSCALL_64_after_hwframe+0x49/0xb3
+RIP: 0033:0x45ca29
+Code: 0d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
+RSP: 002b:00007effe76edc78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
+RAX: ffffffffffffffda RBX: 00000000004fe1c0 RCX: 000000000045ca29
+RDX: 0000000000000000 RSI: 0000000020000240 RDI: 0000000000000005
+RBP: 000000000078bf00 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
+R13: 000000000000094e R14: 00000000004d5d00 R15: 00007effe76ee6d4
+
+Allocated by task 3018:
+ save_stack+0x1b/0x40 mm/kasan/common.c:49
+ set_track mm/kasan/common.c:57 [inline]
+ __kasan_kmalloc mm/kasan/common.c:495 [inline]
+ __kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:468
+ __do_kmalloc mm/slab.c:3656 [inline]
+ __kmalloc+0x161/0x7a0 mm/slab.c:3665
+ kmalloc include/linux/slab.h:560 [inline]
+ sk_prot_alloc+0x223/0x2f0 net/core/sock.c:1612
+ sk_alloc+0x36/0x1100 net/core/sock.c:1666
+ data_sock_create drivers/isdn/mISDN/socket.c:600 [inline]
+ mISDN_sock_create+0x272/0x400 drivers/isdn/mISDN/socket.c:796
+ __sock_create+0x3cb/0x730 net/socket.c:1428
+ sock_create net/socket.c:1479 [inline]
+ __sys_socket+0xef/0x200 net/socket.c:1521
+ __do_sys_socket net/socket.c:1530 [inline]
+ __se_sys_socket net/socket.c:1528 [inline]
+ __x64_sys_socket+0x6f/0xb0 net/socket.c:1528
+ do_syscall_64+0xf6/0x7d0 arch/x86/entry/common.c:295
+ entry_SYSCALL_64_after_hwframe+0x49/0xb3
+
+Freed by task 2484:
+ save_stack+0x1b/0x40 mm/kasan/common.c:49
+ set_track mm/kasan/common.c:57 [inline]
+ kasan_set_free_info mm/kasan/common.c:317 [inline]
+ __kasan_slab_free+0xf7/0x140 mm/kasan/common.c:456
+ __cache_free mm/slab.c:3426 [inline]
+ kfree+0x109/0x2b0 mm/slab.c:3757
+ kvfree+0x42/0x50 mm/util.c:603
+ __free_fdtable+0x2d/0x70 fs/file.c:31
+ put_files_struct fs/file.c:420 [inline]
+ put_files_struct+0x248/0x2e0 fs/file.c:413
+ exit_files+0x7e/0xa0 fs/file.c:445
+ do_exit+0xb04/0x2dd0 kernel/exit.c:791
+ do_group_exit+0x125/0x340 kernel/exit.c:894
+ get_signal+0x47b/0x24e0 kernel/signal.c:2739
+ do_signal+0x81/0x2240 arch/x86/kernel/signal.c:784
+ exit_to_usermode_loop+0x26c/0x360 arch/x86/entry/common.c:161
+ prepare_exit_to_usermode arch/x86/entry/common.c:196 [inline]
+ syscall_return_slowpath arch/x86/entry/common.c:279 [inline]
+ do_syscall_64+0x6b1/0x7d0 arch/x86/entry/common.c:305
+ entry_SYSCALL_64_after_hwframe+0x49/0xb3
+
+The buggy address belongs to the object at ffff88808ed0c000
+ which belongs to the cache kmalloc-2k of size 2048
+The buggy address is located 1424 bytes inside of
+ 2048-byte region [ffff88808ed0c000, ffff88808ed0c800)
+The buggy address belongs to the page:
+page:ffffea00023b4300 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0
+flags: 0xfffe0000000200(slab)
+raw: 00fffe0000000200 ffffea0002838208 ffffea00015ba288 ffff8880aa000e00
+raw: 0000000000000000 ffff88808ed0c000 0000000100000001 0000000000000000
+page dumped because: kasan: bad access detected
+
+Memory state around the buggy address:
+ ffff88808ed0c480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ ffff88808ed0c500: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc
+>ffff88808ed0c580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+ ^
+ ffff88808ed0c600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+ ffff88808ed0c680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+
+Fixes: 6b9f34239b00 ("l2tp: fix races in tunnel creation")
+Fixes: fd558d186df2 ("l2tp: Split pppol2tp patch into separate l2tp and ppp parts")
+Signed-off-by: Eric Dumazet
+Cc: James Chapman
+Cc: Guillaume Nault
+Reported-by: syzbot
+Acked-by: Guillaume Nault
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/l2tp/l2tp_core.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/l2tp/l2tp_core.c
++++ b/net/l2tp/l2tp_core.c
+@@ -1458,6 +1458,9 @@ static int l2tp_validate_socket(const st
+ if (sk->sk_type != SOCK_DGRAM)
+ return -EPROTONOSUPPORT;
+
++ if (sk->sk_family != PF_INET && sk->sk_family != PF_INET6)
++ return -EPROTONOSUPPORT;
++
+ if ((encap == L2TP_ENCAPTYPE_UDP && sk->sk_protocol != IPPROTO_UDP) ||
+ (encap == L2TP_ENCAPTYPE_IP && sk->sk_protocol != IPPROTO_L2TP))
+ return -EPROTONOSUPPORT;
diff --git a/queue-5.6/l2tp-do-not-use-inet_hash-inet_unhash.patch b/queue-5.6/l2tp-do-not-use-inet_hash-inet_unhash.patch
new file mode 100644
index 00000000000..a055f756fa2
--- /dev/null
+++ b/queue-5.6/l2tp-do-not-use-inet_hash-inet_unhash.patch
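Review bot: The added `sk_family` test in l2tp_validate_socket() has no comment explaining why a family check is needed on top of the existing `sk_type` and `sk_protocol` tests, and the reason is not visible in the code itself. The KASAN report in the description shows setup_udp_tunnel_sock() writing past a socket allocated by mISDN_sock_create(), i.e. a user-supplied fd of a foreign family reached code that treats it as a UDP socket. I would put `/* sk_type/sk_protocol values are only meaningful within a family; reject non-inet sockets before they are handled as UDP/L2TP-IP socks */` above the new check. The function starts and ends outside the hunk, so whether any earlier path already dereferences family-specific state cannot be judged from here.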
@@ -0,0 +1,201 @@
+From foo@baz Sun 07 Jun 2020 02:59:34 PM CEST
+From: Eric Dumazet
+Date: Fri, 29 May 2020 11:20:53 -0700
+Subject: l2tp: do not use inet_hash()/inet_unhash()
+
+From: Eric Dumazet
+
+[ Upstream commit 02c71b144c811bcdd865e0a1226d0407d11357e8 ]
+
+syzbot recently found a way to crash the kernel [1]
+
+Issue here is that inet_hash() & inet_unhash() are currently
+only meant to be used by TCP & DCCP, since only these protocols
+provide the needed hashinfo pointer.
+
+L2TP uses a single list (instead of a hash table)
+
+This old bug became an issue after commit 610236587600
+("bpf: Add new cgroup attach type to enable sock modifications")
+since after this commit, sk_common_release() can be called
+while the L2TP socket is still considered 'hashed'.
+
+general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN
+KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
+CPU: 0 PID: 7063 Comm: syz-executor654 Not tainted 5.7.0-rc6-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+RIP: 0010:inet_unhash+0x11f/0x770 net/ipv4/inet_hashtables.c:600
+Code: 03 0f b6 04 02 84 c0 74 08 3c 03 0f 8e dd 04 00 00 48 8d 7d 08 44 8b 73 08 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 55 05 00 00 48 8d 7d 14 4c 8b 6d 08 48 b8 00 00
+RSP: 0018:ffffc90001777d30 EFLAGS: 00010202
+RAX: dffffc0000000000 RBX: ffff88809a6df940 RCX: ffffffff8697c242
+RDX: 0000000000000001 RSI: ffffffff8697c251 RDI: 0000000000000008
+RBP: 0000000000000000 R08: ffff88809f3ae1c0 R09: fffffbfff1514cc1
+R10: ffffffff8a8a6607 R11: fffffbfff1514cc0 R12: ffff88809a6df9b0
+R13: 0000000000000007 R14: 0000000000000000 R15: ffffffff873a4d00
+FS: 0000000001d2b880(0000) GS:ffff8880ae600000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00000000006cd090 CR3: 000000009403a000 CR4: 00000000001406f0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ sk_common_release+0xba/0x370 net/core/sock.c:3210
+ inet_create net/ipv4/af_inet.c:390 [inline]
+ inet_create+0x966/0xe00 net/ipv4/af_inet.c:248
+ __sock_create+0x3cb/0x730 net/socket.c:1428
+ sock_create net/socket.c:1479 [inline]
+ __sys_socket+0xef/0x200 net/socket.c:1521
+ __do_sys_socket net/socket.c:1530 [inline]
+ __se_sys_socket net/socket.c:1528 [inline]
+ __x64_sys_socket+0x6f/0xb0 net/socket.c:1528
+ do_syscall_64+0xf6/0x7d0 arch/x86/entry/common.c:295
+ entry_SYSCALL_64_after_hwframe+0x49/0xb3
+RIP: 0033:0x441e29
+Code: e8 fc b3 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb 08 fc ff c3 66 2e 0f 1f 84 00 00 00 00
+RSP: 002b:00007ffdce184148 EFLAGS: 00000246 ORIG_RAX: 0000000000000029
+RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000441e29
+RDX: 0000000000000073 RSI: 0000000000000002 RDI: 0000000000000002
+RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
+R13: 0000000000402c30 R14: 0000000000000000 R15: 0000000000000000
+Modules linked in:
+---[ end trace 23b6578228ce553e ]---
+RIP: 0010:inet_unhash+0x11f/0x770 net/ipv4/inet_hashtables.c:600
+Code: 03 0f b6 04 02 84 c0 74 08 3c 03 0f 8e dd 04 00 00 48 8d 7d 08 44 8b 73 08 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 55 05 00 00 48 8d 7d 14 4c 8b 6d 08 48 b8 00 00
+RSP: 0018:ffffc90001777d30 EFLAGS: 00010202
+RAX: dffffc0000000000 RBX: ffff88809a6df940 RCX: ffffffff8697c242
+RDX: 0000000000000001 RSI: ffffffff8697c251 RDI: 0000000000000008
+RBP: 0000000000000000 R08: ffff88809f3ae1c0 R09: fffffbfff1514cc1
+R10: ffffffff8a8a6607 R11: fffffbfff1514cc0 R12: ffff88809a6df9b0
+R13: 0000000000000007 R14: 0000000000000000 R15: ffffffff873a4d00
+FS: 0000000001d2b880(0000) GS:ffff8880ae600000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00000000006cd090 CR3: 000000009403a000 CR4: 00000000001406f0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+
+Fixes: 0d76751fad77 ("l2tp: Add L2TPv3 IP encapsulation (no UDP) support")
+Signed-off-by: Eric Dumazet
+Cc: James Chapman
+Cc: Andrii Nakryiko
+Reported-by: syzbot+3610d489778b57cc8031@syzkaller.appspotmail.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/l2tp/l2tp_ip.c | 29 ++++++++++++++++++++++-------
+ net/l2tp/l2tp_ip6.c | 30 ++++++++++++++++++++++--------
+ 2 files changed, 44 insertions(+), 15 deletions(-)
+
+--- a/net/l2tp/l2tp_ip.c
++++ b/net/l2tp/l2tp_ip.c
+@@ -20,7 +20,6 @@
+ #include
+ #include
+ #include
+-#include
+ #include
+ #include
+ #include
+@@ -209,15 +208,31 @@ discard:
+ return 0;
+ }
+
+-static int l2tp_ip_open(struct sock *sk)
++static int l2tp_ip_hash(struct sock *sk)
+ {
+- /* Prevent autobind. We don't have ports. */
+- inet_sk(sk)->inet_num = IPPROTO_L2TP;
++ if (sk_unhashed(sk)) {
++ write_lock_bh(&l2tp_ip_lock);
++ sk_add_node(sk, &l2tp_ip_table);
++ write_unlock_bh(&l2tp_ip_lock);
++ }
++ return 0;
++}
+
++static void l2tp_ip_unhash(struct sock *sk)
++{
++ if (sk_unhashed(sk))
++ return;
+ write_lock_bh(&l2tp_ip_lock);
+- sk_add_node(sk, &l2tp_ip_table);
++ sk_del_node_init(sk);
+ write_unlock_bh(&l2tp_ip_lock);
++}
++
++static int l2tp_ip_open(struct sock *sk)
++{
++ /* Prevent autobind. We don't have ports. */
++ inet_sk(sk)->inet_num = IPPROTO_L2TP;
+
++ l2tp_ip_hash(sk);
+ return 0;
+ }
+
+@@ -594,8 +609,8 @@ static struct proto l2tp_ip_prot = {
+ .sendmsg = l2tp_ip_sendmsg,
+ .recvmsg = l2tp_ip_recvmsg,
+ .backlog_rcv = l2tp_ip_backlog_recv,
+- .hash = inet_hash,
+- .unhash = inet_unhash,
++ .hash = l2tp_ip_hash,
++ .unhash = l2tp_ip_unhash,
+ .obj_size = sizeof(struct l2tp_ip_sock),
+ #ifdef CONFIG_COMPAT
+ .compat_setsockopt = compat_ip_setsockopt,
+--- a/net/l2tp/l2tp_ip6.c
++++ b/net/l2tp/l2tp_ip6.c
+@@ -20,8 +20,6 @@
+ #include
+ #include
+ #include
+-#include
+-#include
+ #include
+ #include
+ #include
+@@ -222,15 +220,31 @@ discard:
+ return 0;
+ }
+
+-static int l2tp_ip6_open(struct sock *sk)
++static int l2tp_ip6_hash(struct sock *sk)
+ {
+- /* Prevent autobind. We don't have ports. */
+- inet_sk(sk)->inet_num = IPPROTO_L2TP;
++ if (sk_unhashed(sk)) {
++ write_lock_bh(&l2tp_ip6_lock);
++ sk_add_node(sk, &l2tp_ip6_table);
++ write_unlock_bh(&l2tp_ip6_lock);
++ }
++ return 0;
++}
+
++static void l2tp_ip6_unhash(struct sock *sk)
++{
++ if (sk_unhashed(sk))
++ return;
+ write_lock_bh(&l2tp_ip6_lock);
+- sk_add_node(sk, &l2tp_ip6_table);
++ sk_del_node_init(sk);
+ write_unlock_bh(&l2tp_ip6_lock);
++}
++
++static int l2tp_ip6_open(struct sock *sk)
++{
++ /* Prevent autobind. We don't have ports. */
++ inet_sk(sk)->inet_num = IPPROTO_L2TP;
+
++ l2tp_ip6_hash(sk);
+ return 0;
+ }
+
+@@ -728,8 +742,8 @@ static struct proto l2tp_ip6_prot = {
+ .sendmsg = l2tp_ip6_sendmsg,
+ .recvmsg = l2tp_ip6_recvmsg,
+ .backlog_rcv = l2tp_ip6_backlog_recv,
+- .hash = inet6_hash,
+- .unhash = inet_unhash,
++ .hash = l2tp_ip6_hash,
++ .unhash = l2tp_ip6_unhash,
+ .obj_size = sizeof(struct l2tp_ip6_sock),
+ #ifdef CONFIG_COMPAT
+ .compat_setsockopt = compat_ipv6_setsockopt,
diff --git a/queue-5.6/mptcp-fix-unblocking-connect.patch b/queue-5.6/mptcp-fix-unblocking-connect.patch
new file mode 100644
index 00000000000..1625cdabc98
--- /dev/null
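Review bot: In l2tp_ip_hash() and l2tp_ip_unhash() (and the l2tp_ip6 twins) the `sk_unhashed(sk)` test is made before `l2tp_ip_lock` is taken, so the decision and the list update are not one atomic step. If hash and unhash can ever run concurrently for the same socket this is a check-then-act window on the global list; if callers always serialise per socket (likely, but not shown in these hunks) the code is fine and only needs saying so. I would either move the test inside the `write_lock_bh()` section or add `/* caller serialises hash/unhash for this sk; the lock only protects l2tp_ip_table */` above the test. Separately, l2tp_ip_open() discards the int returned by l2tp_ip_hash(); since it is always 0 today a short comment or `return l2tp_ip_hash(sk);` would keep the two from drifting apart.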
+++ b/queue-5.6/mptcp-fix-unblocking-connect.patch 
@@ -0,0 +1,66 @@
+From foo@baz Sun 07 Jun 2020 02:59:34 PM CEST
+From: Paolo Abeni
+Date: Fri, 29 May 2020 17:43:29 +0200
+Subject: mptcp: fix unblocking connect()
+
+From: Paolo Abeni
+
+[ Upstream commit 41be81a8d3d09acb9033799938306349328861f9 ]
+
+Currently unblocking connect() on MPTCP sockets fails frequently.
+If mptcp_stream_connect() is invoked to complete a previously
+attempted unblocking connection, it will still try to create
+the first subflow via __mptcp_socket_create(). If the 3whs is
+completed and the 'can_ack' flag is already set, the latter
+will fail with -EINVAL.
+
+This change addresses the issue checking for pending connect and
+delegating the completion to the first subflow. Additionally
+do msk addresses and sk_state changes only when needed.
+
+Fixes: 2303f994b3e1 ("mptcp: Associate MPTCP context with TCP socket")
+Signed-off-by: Paolo Abeni
+Reviewed-by: Mat Martineau
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/mptcp/protocol.c | 20 ++++++++++++++++++--
+ 1 file changed, 18 insertions(+), 2 deletions(-)
+
+--- a/net/mptcp/protocol.c
++++ b/net/mptcp/protocol.c
+@@ -920,6 +920,14 @@ static int mptcp_stream_connect(struct s
+ int err;
+
+ lock_sock(sock->sk);
++ if (sock->state != SS_UNCONNECTED && msk->subflow) {
++ /* pending connection or invalid state, let existing subflow
++ * cope with that
++ */
++ ssock = msk->subflow;
++ goto do_connect;
++ }
++
+ ssock = __mptcp_socket_create(msk, TCP_SYN_SENT);
+ if (IS_ERR(ssock)) {
+ err = PTR_ERR(ssock);
+@@ -934,9 +942,17 @@ static int mptcp_stream_connect(struct s
+ mptcp_subflow_ctx(ssock->sk)->request_mptcp = 0;
+ #endif
+
++do_connect:
+ err = ssock->ops->connect(ssock, uaddr, addr_len, flags);
+- inet_sk_state_store(sock->sk, inet_sk_state_load(ssock->sk));
+- mptcp_copy_inaddrs(sock->sk, ssock->sk);
++ sock->state = ssock->state;
++
++ /* on successful connect, the msk state will be moved to established by
++ * subflow_finish_connect()
++ */
++ if (!err || err == EINPROGRESS)
++ mptcp_copy_inaddrs(sock->sk, ssock->sk);
++ else
++ inet_sk_state_store(sock->sk, inet_sk_state_load(ssock->sk));
+
+ unlock:
+ release_sock(sock->sk);
diff --git a/queue-5.6/net-be-more-gentle-about-silly-gso-requests-coming-from-user.patch b/queue-5.6/net-be-more-gentle-about-silly-gso-requests-coming-from-user.patch
new file mode 100644
index 00000000000..67a045b9f00
--- /dev/null
+++ b/queue-5.6/net-be-more-gentle-about-silly-gso-requests-coming-from-user.patch
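Review bot: The test `err == EINPROGRESS` in the second mptcp_stream_connect() hunk compares against the positive errno constant, but in-kernel `->connect()` implementations report errors as negative values (the same function uses `PTR_ERR()` a few lines earlier). As written, a non-blocking connect that is still in progress would take the `else` branch, copy the subflow state into the msk and skip `mptcp_copy_inaddrs()`, which is the opposite of what the comment above it describes. The line should read `if (!err || err == -EINPROGRESS)`. The function starts and ends outside the hunks, so how `err` is finally returned to the caller is not visible here.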
@@ -0,0 +1,69 @@
+From foo@baz Sun 07 Jun 2020 02:59:34 PM CEST
+From: Eric Dumazet
+Date: Thu, 28 May 2020 14:57:47 -0700
+Subject: net: be more gentle about silly gso requests coming from user
+
+From: Eric Dumazet
+
+[ Upstream commit 7c6d2ecbda83150b2036a2b36b21381ad4667762 ]
+
+Recent change in virtio_net_hdr_to_skb() broke some packetdrill tests.
+
+When --mss=XXX option is set, packetdrill always provide gso_type & gso_size
+for its inbound packets, regardless of packet size.
+
+ if (packet->tcp && packet->mss) {
+ if (packet->ipv4)
+ gso.gso_type = VIRTIO_NET_HDR_GSO_TCPV4;
+ else
+ gso.gso_type = VIRTIO_NET_HDR_GSO_TCPV6;
+ gso.gso_size = packet->mss;
+ }
+
+Since many other programs could do the same, relax virtio_net_hdr_to_skb()
+to no longer return an error, but instead ignore gso settings.
+
+This keeps Willem intent to make sure no malicious packet could
+reach gso stack.
+
+Note that TCP stack has a special logic in tcp_set_skb_tso_segs()
+to clear gso_size for small packets.
+
+Fixes: 6dd912f82680 ("net: check untrusted gso_size at kernel entry")
+Signed-off-by: Eric Dumazet
+Cc: Willem de Bruijn
+Acked-by: Willem de Bruijn
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ include/linux/virtio_net.h | 17 +++++++++--------
+ 1 file changed, 9 insertions(+), 8 deletions(-)
+
+--- a/include/linux/virtio_net.h
++++ b/include/linux/virtio_net.h
+@@ -109,16 +109,17 @@ retry:
+
+ if (hdr->gso_type != VIRTIO_NET_HDR_GSO_NONE) {
+ u16 gso_size = __virtio16_to_cpu(little_endian, hdr->gso_size);
++ struct skb_shared_info *shinfo = skb_shinfo(skb);
+
+- if (skb->len - p_off <= gso_size)
+- return -EINVAL;
++ /* Too small packets are not really GSO ones. */
++ if (skb->len - p_off > gso_size) {
++ shinfo->gso_size = gso_size;
++ shinfo->gso_type = gso_type;
+
+- skb_shinfo(skb)->gso_size = gso_size;
+- skb_shinfo(skb)->gso_type = gso_type;
+-
+- /* Header must be checked, and gso_segs computed. */
+- skb_shinfo(skb)->gso_type |= SKB_GSO_DODGY;
+- skb_shinfo(skb)->gso_segs = 0;
++ /* Header must be checked, and gso_segs computed. */
++ shinfo->gso_type |= SKB_GSO_DODGY;
++ shinfo->gso_segs = 0;
++ }
+ }
+
+ return 0;
diff --git a/queue-5.6/net-check-untrusted-gso_size-at-kernel-entry.patch b/queue-5.6/net-check-untrusted-gso_size-at-kernel-entry.patch
new file mode 100644
index 00000000000..659f4a5239f
--- /dev/null
+++ b/queue-5.6/net-check-untrusted-gso_size-at-kernel-entry.patch
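Review bot: The guard `skb->len - p_off > gso_size` is unsigned arithmetic on values taken from an untrusted header, and it is only sound while `p_off <= skb->len`; nothing in this hunk states that invariant. It appears to hold because every assignment to `p_off` in the companion patch (net-check-untrusted-gso_size-at-kernel-entry.patch, whose last hunk introduces the same subtraction as `skb->len - p_off <= gso_size`) is followed by a `p_off > skb_headlen(skb)` rejection, but those lines are outside this hunk. I would extend the comment to `/* Too small packets are not really GSO ones. p_off <= skb_headlen(skb) was checked above, so the subtraction cannot wrap. */` so a later edit to the earlier branches does not silently turn the test into a pass-through. It would also help to say in that comment that the requested gso settings are ignored rather than rejected, since the function now returns 0 for such input.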
@@ -0,0 +1,74 @@
+From foo@baz Sun 07 Jun 2020 02:59:34 PM CEST
+From: Willem de Bruijn
+Date: Mon, 25 May 2020 15:07:40 -0400
+Subject: net: check untrusted gso_size at kernel entry
+
+From: Willem de Bruijn
+
+[ Upstream commit 6dd912f82680761d8fb6b1bb274a69d4c7010988 ]
+
+Syzkaller again found a path to a kernel crash through bad gso input:
+a packet with gso size exceeding len.
+
+These packets are dropped in tcp_gso_segment and udp[46]_ufo_fragment.
+But they may affect gso size calculations earlier in the path.
+
+Now that we have thlen as of commit 9274124f023b ("net: stricter
+validation of untrusted gso packets"), check gso_size at entry too.
+
+Fixes: bfd5f4a3d605 ("packet: Add GSO/csum offload support.")
+Reported-by: syzbot
+Signed-off-by: Willem de Bruijn
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ include/linux/virtio_net.h | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+--- a/include/linux/virtio_net.h
++++ b/include/linux/virtio_net.h
+@@ -31,6 +31,7 @@ static inline int virtio_net_hdr_to_skb(
+ {
+ unsigned int gso_type = 0;
+ unsigned int thlen = 0;
++ unsigned int p_off = 0;
+ unsigned int ip_proto;
+
+ if (hdr->gso_type != VIRTIO_NET_HDR_GSO_NONE) {
+@@ -68,7 +69,8 @@ static inline int virtio_net_hdr_to_skb(
+ if (!skb_partial_csum_set(skb, start, off))
+ return -EINVAL;
+
+- if (skb_transport_offset(skb) + thlen > skb_headlen(skb))
++ p_off = skb_transport_offset(skb) + thlen;
++ if (p_off > skb_headlen(skb))
+ return -EINVAL;
+ } else {
+ /* gso packets without NEEDS_CSUM do not set transport_offset.
+@@ -92,17 +94,25 @@ retry:
+ return -EINVAL;
+ }
+
+- if (keys.control.thoff + thlen > skb_headlen(skb) ||
++ p_off = keys.control.thoff + thlen;
++ if (p_off > skb_headlen(skb) ||
+ keys.basic.ip_proto != ip_proto)
+ return -EINVAL;
+
+ skb_set_transport_header(skb, keys.control.thoff);
++ } else if (gso_type) {
++ p_off = thlen;
++ if (p_off > skb_headlen(skb))
++ return -EINVAL;
+ }
+ }
+
+ if (hdr->gso_type != VIRTIO_NET_HDR_GSO_NONE) {
+ u16 gso_size = __virtio16_to_cpu(little_endian, hdr->gso_size);
+
++ if (skb->len - p_off <= gso_size)
++ return -EINVAL;
++
+ skb_shinfo(skb)->gso_size = gso_size;
+ skb_shinfo(skb)->gso_type = gso_type;
+
diff --git a/queue-5.6/net-dsa-felix-send-vlans-on-cpu-port-as-egress-tagged.patch b/queue-5.6/net-dsa-felix-send-vlans-on-cpu-port-as-egress-tagged.patch
new file mode 100644
index 00000000000..d3bab3ad152
--- /dev/null
+++ b/queue-5.6/net-dsa-felix-send-vlans-on-cpu-port-as-egress-tagged.patch
@@ -0,0 +1,59 @@
+From foo@baz Sun 07 Jun 2020 02:59:34 PM CEST
+From: Vladimir Oltean
+Date: Wed, 27 May 2020 19:48:03 +0300
+Subject: net: dsa: felix: send VLANs on CPU port as egress-tagged
+
+From: Vladimir Oltean
+
+[ Upstream commit 183be6f967fe37c3154bfac39e913c3bafe89d1b ]
+
+As explained in other commits before (b9cd75e66895 and 87b0f983f66f),
+ocelot switches have a single egress-untagged VLAN per port, and the
+driver would deny adding a second one while an egress-untagged VLAN
+already exists.
+
+But on the CPU port (where the VLAN configuration is implicit, because
+there is no net device for the bridge to control), the DSA core attempts
+to add a VLAN using the same flags as were used for the front-panel
+port. This would make adding any untagged VLAN fail due to the CPU port
+rejecting the configuration:
+
+bridge vlan add dev swp0 vid 100 pvid untagged
+[ 1865.854253] mscc_felix 0000:00:00.5: Port already has a native VLAN: 1
+[ 1865.860824] mscc_felix 0000:00:00.5: Failed to add VLAN 100 to port 5: -16
+
+(note that port 5 is the CPU port and not the front-panel swp0).
+
+So this hardware will send all VLANs as tagged towards the CPU.
+
+Fixes: 56051948773e ("net: dsa: ocelot: add driver for Felix switch family")
+Signed-off-by: Vladimir Oltean
+Reviewed-by: Florian Fainelli
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/dsa/ocelot/felix.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/dsa/ocelot/felix.c
++++ b/drivers/net/dsa/ocelot/felix.c
+@@ -100,13 +100,17 @@ static void felix_vlan_add(struct dsa_sw
+ const struct switchdev_obj_port_vlan *vlan)
+ {
+ struct ocelot *ocelot = ds->priv;
++ u16 flags = vlan->flags;
+ u16 vid;
+ int err;
+
++ if (dsa_is_cpu_port(ds, port))
++ flags &= ~BRIDGE_VLAN_INFO_UNTAGGED;
++
+ for (vid = vlan->vid_begin; vid <= vlan->vid_end; vid++) {
+ err = ocelot_vlan_add(ocelot, port, vid,
+- vlan->flags & BRIDGE_VLAN_INFO_PVID,
+- vlan->flags & BRIDGE_VLAN_INFO_UNTAGGED);
++ flags & BRIDGE_VLAN_INFO_PVID,
++ flags & BRIDGE_VLAN_INFO_UNTAGGED);
+ if (err) {
+ dev_err(ds->dev, "Failed to add VLAN %d to port %d: %d\n",
+ vid, port, err);
diff --git a/queue-5.6/net-mlx5-fix-crash-upon-suspend-resume.patch b/queue-5.6/net-mlx5-fix-crash-upon-suspend-resume.patch
new file mode 100644
index 00000000000..418cf242cd2
--- /dev/null
+++ b/queue-5.6/net-mlx5-fix-crash-upon-suspend-resume.patch
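Review bot: The masking of `BRIDGE_VLAN_INFO_UNTAGGED` for the CPU port in felix_vlan_add() is silent; the reason lives only in the commit message. I would add `/* The CPU port can hold only one egress-untagged VLAN, so every VLAN is sent tagged towards the CPU */` above the `dsa_is_cpu_port()` test. The `BRIDGE_VLAN_INFO_PVID` bit is still forwarded unchanged for the CPU port; whether that is intended is not stated in the hunk and would be worth one more clause in the same comment. The loop body continues past the end of the hunk.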
@@ -0,0 +1,58 @@
+From foo@baz Sun 07 Jun 2020 02:59:34 PM CEST
+From: Mark Bloch
+Date: Wed, 20 May 2020 17:32:08 +0000
+Subject: net/mlx5: Fix crash upon suspend/resume
+
+From: Mark Bloch
+
+[ Upstream commit 8fc3e29be9248048f449793502c15af329f35c6e ]
+
+Currently a Linux system with the mlx5 NIC always crashes upon
+hibernation - suspend/resume.
+
+Add basic callbacks so the NIC could be suspended and resumed.
+
+Fixes: 9603b61de1ee ("mlx5: Move pci device handling from mlx5_ib to mlx5_core")
+Tested-by: Dexuan Cui
+Signed-off-by: Mark Bloch
+Reviewed-by: Moshe Shemesh
+Signed-off-by: Saeed Mahameed
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/mellanox/mlx5/core/main.c | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/main.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/main.c
+@@ -1552,6 +1552,22 @@ static void shutdown(struct pci_dev *pde
+ mlx5_pci_disable_device(dev);
+ }
+
++static int mlx5_suspend(struct pci_dev *pdev, pm_message_t state)
++{
++ struct mlx5_core_dev *dev = pci_get_drvdata(pdev);
++
++ mlx5_unload_one(dev, false);
++
++ return 0;
++}
++
++static int mlx5_resume(struct pci_dev *pdev)
++{
++ struct mlx5_core_dev *dev = pci_get_drvdata(pdev);
++
++ return mlx5_load_one(dev, false);
++}
++
+ static const struct pci_device_id mlx5_core_pci_table[] = {
+ { PCI_VDEVICE(MELLANOX, PCI_DEVICE_ID_MELLANOX_CONNECTIB) },
+ { PCI_VDEVICE(MELLANOX, 0x1012), MLX5_PCI_DEV_IS_VF}, /* Connect-IB VF */
+@@ -1595,6 +1611,8 @@ static struct pci_driver mlx5_core_drive
+ .id_table = mlx5_core_pci_table,
+ .probe = init_one,
+ .remove = remove_one,
++ .suspend = mlx5_suspend,
++ .resume = mlx5_resume,
+ .shutdown = shutdown,
+ .err_handler = &mlx5_err_handler,
+ .sriov_configure = mlx5_core_sriov_configure,
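Review bot: mlx5_suspend() returns 0 unconditionally and drops whatever mlx5_unload_one() reports, while mlx5_resume() does propagate the result of mlx5_load_one(); if the unload can fail (its prototype is not in the hunk) the PM core is told the device is quiesced when it is not. If the result is meaningful, `return mlx5_unload_one(dev, false);` would keep the two callbacks symmetric; if failure is impossible or deliberately ignored, a one-line comment saying so would do. The `pm_message_t state` argument is unused, and the callbacks are wired through the legacy `.suspend`/`.resume` members of `struct pci_driver` rather than a `dev_pm_ops` table, which is worth a note for whoever next touches power management here. Neither function documents which locks or device state it expects on entry.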
diff --git a/queue-5.6/net-mlx5e-replace-einval-in-mlx5e_flower_parse_meta.patch b/queue-5.6/net-mlx5e-replace-einval-in-mlx5e_flower_parse_meta.patch
new file mode 100644
index 00000000000..2c415186f5e
--- /dev/null
+++ b/queue-5.6/net-mlx5e-replace-einval-in-mlx5e_flower_parse_meta.patch
@@ -0,0 +1,48 @@
+From foo@baz Sun 07 Jun 2020 02:59:34 PM CEST
+From: Pablo Neira Ayuso
+Date: Sun, 19 Apr 2020 14:12:35 +0200
+Subject: net/mlx5e: replace EINVAL in mlx5e_flower_parse_meta()
+
+From: Pablo Neira Ayuso
+
+[ Upstream commit a683012a8e77675a1947cc8f11f97cdc1d5bb769 ]
+
+The drivers reports EINVAL to userspace through netlink on invalid meta
+match. This is confusing since EINVAL is usually reserved for malformed
+netlink messages. Replace it by more meaningful codes.
+
+Fixes: 6d65bc64e232 ("net/mlx5e: Add mlx5e_flower_parse_meta support")
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Saeed Mahameed
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_tc.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c
+@@ -1824,7 +1824,7 @@ static int mlx5e_flower_parse_meta(struc
+ flow_rule_match_meta(rule, &match);
+ if (match.mask->ingress_ifindex != 0xFFFFFFFF) {
+ NL_SET_ERR_MSG_MOD(extack, "Unsupported ingress ifindex mask");
+- return -EINVAL;
++ return -EOPNOTSUPP;
+ }
+
+ ingress_dev = __dev_get_by_index(dev_net(filter_dev),
+@@ -1832,13 +1832,13 @@ static int mlx5e_flower_parse_meta(struc
+ if (!ingress_dev) {
+ NL_SET_ERR_MSG_MOD(extack,
+ "Can't find the ingress port to match on");
+- return -EINVAL;
++ return -ENOENT;
+ }
+
+ if (ingress_dev != filter_dev) {
+ NL_SET_ERR_MSG_MOD(extack,
+ "Can't match on the ingress filter port");
+- return -EINVAL;
++ return -EOPNOTSUPP;
+ }
+
+ return 0;
diff --git a/queue-5.6/net-sched-fix-infinite-loop-in-sch_fq_pie.patch b/queue-5.6/net-sched-fix-infinite-loop-in-sch_fq_pie.patch
new file mode 100644
index 00000000000..592cb40bdb6
--- /dev/null
+++ b/queue-5.6/net-sched-fix-infinite-loop-in-sch_fq_pie.patch
@@ -0,0 +1,96 @@
+From foo@baz Sun 07 Jun 2020 02:59:34 PM CEST
+From: Davide Caratti
+Date: Wed, 27 May 2020 02:04:26 +0200
+Subject: net/sched: fix infinite loop in sch_fq_pie
+
+From: Davide Caratti
+
+[ Upstream commit bb2f930d6dd708469a587dc9ed1efe1ef969c0bf ]
+
+this command hangs forever:
+
+ # tc qdisc add dev eth0 root fq_pie flows 65536
+
+ watchdog: BUG: soft lockup - CPU#1 stuck for 23s! [tc:1028]
+ [...]
+ CPU: 1 PID: 1028 Comm: tc Not tainted 5.7.0-rc6+ #167
+ RIP: 0010:fq_pie_init+0x60e/0x8b7 [sch_fq_pie]
+ Code: 4c 89 65 50 48 89 f8 48 c1 e8 03 42 80 3c 30 00 0f 85 2a 02 00 00 48 8d 7d 10 4c 89 65 58 48 89 f8 48 c1 e8 03 42 80 3c 30 00 <0f> 85 a7 01 00 00 48 8d 7d 18 48 c7 45 10 46 c3 23 00 48 89 f8 48
+ RSP: 0018:ffff888138d67468 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13
+ RAX: 1ffff9200018d2b2 RBX: ffff888139c1c400 RCX: ffffffffffffffff
+ RDX: 000000000000c5e8 RSI: ffffc900000e5000 RDI: ffffc90000c69590
+ RBP: ffffc90000c69580 R08: fffffbfff79a9699 R09: fffffbfff79a9699
+ R10: 0000000000000700 R11: fffffbfff79a9698 R12: ffffc90000c695d0
+ R13: 0000000000000000 R14: dffffc0000000000 R15: 000000002347c5e8
+ FS: 00007f01e1850e40(0000) GS:ffff88814c880000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 000000000067c340 CR3: 000000013864c000 CR4: 0000000000340ee0
+ Call Trace:
+ qdisc_create+0x3fd/0xeb0
+ tc_modify_qdisc+0x3be/0x14a0
+ rtnetlink_rcv_msg+0x5f3/0x920
+ netlink_rcv_skb+0x121/0x350
+ netlink_unicast+0x439/0x630
+ netlink_sendmsg+0x714/0xbf0
+ sock_sendmsg+0xe2/0x110
+ ____sys_sendmsg+0x5b4/0x890
+ ___sys_sendmsg+0xe9/0x160
+ __sys_sendmsg+0xd3/0x170
+ do_syscall_64+0x9a/0x370
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+we can't accept 65536 as a valid number for 'nflows', because the loop on
+'idx' in fq_pie_init() will never end. The extack message is correct, but
+it doesn't say that 0 is not a valid number for 'flows': while at it, fix
+this also. Add a tdc selftest to check correct validation of 'flows'.
+
+CC: Ivan Vecera
+Fixes: ec97ecf1ebe4 ("net: sched: add Flow Queue PIE packet scheduler")
+Signed-off-by: Davide Caratti
+Reviewed-by: Ivan Vecera
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/sched/sch_fq_pie.c | 4 -
+ tools/testing/selftests/tc-testing/tc-tests/qdiscs/fq_pie.json | 21 ++++++++++
+ 2 files changed, 23 insertions(+), 2 deletions(-)
+ create mode 100644 tools/testing/selftests/tc-testing/tc-tests/qdiscs/fq_pie.json
+
+--- a/net/sched/sch_fq_pie.c
++++ b/net/sched/sch_fq_pie.c
+@@ -298,9 +298,9 @@ static int fq_pie_change(struct Qdisc *s
+ goto flow_error;
+ }
+ q->flows_cnt = nla_get_u32(tb[TCA_FQ_PIE_FLOWS]);
+- if (!q->flows_cnt || q->flows_cnt > 65536) {
++ if (!q->flows_cnt || q->flows_cnt >= 65536) {
+ NL_SET_ERR_MSG_MOD(extack,
+- "Number of flows must be < 65536");
++ "Number of flows must range in [1..65535]");
+ goto flow_error;
+ }
+ }
+--- /dev/null
++++ b/tools/testing/selftests/tc-testing/tc-tests/qdiscs/fq_pie.json
+@@ -0,0 +1,21 @@
++[
++ {
++ "id": "83be",
++ "name": "Create FQ-PIE with invalid number of flows",
++ "category": [
++ "qdisc",
++ "fq_pie"
++ ],
++ "setup": [
++ "$IP link add dev $DUMMY type dummy || /bin/true"
++ ],
++ "cmdUnderTest": "$TC qdisc add dev $DUMMY root fq_pie flows 65536",
++ "expExitCode": "2",
++ "verifyCmd": "$TC qdisc show dev $DUMMY",
++ "matchPattern": "qdisc",
++ "matchCount": "0",
++ "teardown": [
++ "$IP link del dev $DUMMY"
++ ]
++ }
++]
diff --git a/queue-5.6/net-stmmac-enable-timestamp-snapshot-for-required-ptp-packets-in-dwmac-v5.10a.patch b/queue-5.6/net-stmmac-enable-timestamp-snapshot-for-required-ptp-packets-in-dwmac-v5.10a.patch
new file mode 100644
index 00000000000..ca22b2d6fbb
--- /dev/null
+++ b/queue-5.6/net-stmmac-enable-timestamp-snapshot-for-required-ptp-packets-in-dwmac-v5.10a.patch
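Review bot: The new selftest in fq_pie.json exercises only the upper bound (`flows 65536`), while the reworded extack message and the description both call out 0 as invalid too; a second case with `flows 0` and the same `expExitCode` would pin the lower bound that the `!q->flows_cnt` half of the condition enforces. In fq_pie_change() the limit is still a bare `65536`; the description ties it to the width of the `idx` loop counter in fq_pie_init(), which is outside the hunk, so a comment such as `/* flows_cnt must fit the u16 loop index used in fq_pie_init() */` (or a named constant) would keep the bound and the counter type from drifting apart. Note also that `q->flows_cnt` is assigned from the netlink attribute before it is validated; what `flow_error` does with the stored value is not visible here.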
@@ -0,0 +1,55 @@
+From foo@baz Sun 07 Jun 2020 02:59:34 PM CEST
+From: Fugang Duan
+Date: Mon, 25 May 2020 16:18:14 +0800
+Subject: net: stmmac: enable timestamp snapshot for required PTP packets in dwmac v5.10a
+
+From: Fugang Duan
+
+[ Upstream commit f2fb6b6275eba9d312957ca44c487bd780da6169 ]
+
+For rx filter 'HWTSTAMP_FILTER_PTP_V2_EVENT', it should be
+PTP v2/802.AS1, any layer, any kind of event packet, but HW only
+take timestamp snapshot for below PTP message: sync, Pdelay_req,
+Pdelay_resp.
+
+Then it causes below issue when test E2E case:
+ptp4l[2479.534]: port 1: received DELAY_REQ without timestamp
+ptp4l[2481.423]: port 1: received DELAY_REQ without timestamp
+ptp4l[2481.758]: port 1: received DELAY_REQ without timestamp
+ptp4l[2483.524]: port 1: received DELAY_REQ without timestamp
+ptp4l[2484.233]: port 1: received DELAY_REQ without timestamp
+ptp4l[2485.750]: port 1: received DELAY_REQ without timestamp
+ptp4l[2486.888]: port 1: received DELAY_REQ without timestamp
+ptp4l[2487.265]: port 1: received DELAY_REQ without timestamp
+ptp4l[2487.316]: port 1: received DELAY_REQ without timestamp
+
+Timestamp snapshot dependency on register bits in received path:
+SNAPTYPSEL TSMSTRENA TSEVNTENA PTP_Messages
+01 x 0 SYNC, Follow_Up, Delay_Req,
+ Delay_Resp, Pdelay_Req, Pdelay_Resp,
+ Pdelay_Resp_Follow_Up
+01 0 1 SYNC, Pdelay_Req, Pdelay_Resp
+
+For dwmac v5.10a, enabling all events by setting register
+DWC_EQOS_TIME_STAMPING[SNAPTYPSEL] to 2’b01, clearing bit [TSEVNTENA]
+to 0’b0, which can support all required events.
+
+Signed-off-by: Fugang Duan
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+@@ -630,7 +630,8 @@ static int stmmac_hwtstamp_set(struct ne
+ config.rx_filter = HWTSTAMP_FILTER_PTP_V2_EVENT;
+ ptp_v2 = PTP_TCR_TSVER2ENA;
+ snap_type_sel = PTP_TCR_SNAPTYPSEL_1;
+- ts_event_en = PTP_TCR_TSEVNTENA;
++ if (priv->synopsys_id != DWMAC_CORE_5_10)
++ ts_event_en = PTP_TCR_TSEVNTENA;
+ ptp_over_ipv4_udp = PTP_TCR_TSIPV4ENA;
+ ptp_over_ipv6_udp = PTP_TCR_TSIPV6ENA;
+ ptp_over_ethernet = PTP_TCR_TSIPENA;
diff --git a/queue-5.6/net-usb-qmi_wwan-add-telit-le910c1-eux-composition.patch b/queue-5.6/net-usb-qmi_wwan-add-telit-le910c1-eux-composition.patch
new file mode 100644
index 00000000000..1bcb1bee84f
--- /dev/null
+++ b/queue-5.6/net-usb-qmi_wwan-add-telit-le910c1-eux-composition.patch
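Review bot: The new `if (priv->synopsys_id != DWMAC_CORE_5_10)` in stmmac_hwtstamp_set() carries no comment, so the reason for the exception lives only in the commit message. A comment above it such as `/* dwmac v5.10a: keep TSEVNTENA clear so SNAPTYPSEL=01 also timestamps Delay_Req/Delay_Resp */` would record it. The test is an exact match on one core id, so any other core with the same register behaviour still takes the old path; whether that is intended cannot be told from the hunk. The branch also relies on `ts_event_en` already being zero when the assignment is skipped, and its initialisation is outside the hunk.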
@@ -0,0 +1,30 @@
+From foo@baz Sun 07 Jun 2020 02:59:34 PM CEST
+From: Daniele Palmas
+Date: Mon, 25 May 2020 23:25:37 +0200
+Subject: net: usb: qmi_wwan: add Telit LE910C1-EUX composition
+
+From: Daniele Palmas
+
+[ Upstream commit 591612aa578cd7148b7b9d74869ef40118978389 ]
+
+Add support for Telit LE910C1-EUX composition
+
+0x1031: tty, tty, tty, rmnet
+Signed-off-by: Daniele Palmas
+Acked-by: Bjørn Mork
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/usb/qmi_wwan.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/usb/qmi_wwan.c
++++ b/drivers/net/usb/qmi_wwan.c
+@@ -1324,6 +1324,7 @@ static const struct usb_device_id produc
+ {QMI_FIXED_INTF(0x1bbb, 0x0203, 2)}, /* Alcatel L800MA */
+ {QMI_FIXED_INTF(0x2357, 0x0201, 4)}, /* TP-LINK HSUPA Modem MA180 */
+ {QMI_FIXED_INTF(0x2357, 0x9000, 4)}, /* TP-LINK MA260 */
++ {QMI_QUIRK_SET_DTR(0x1bc7, 0x1031, 3)}, /* Telit LE910C1-EUX */
+ {QMI_QUIRK_SET_DTR(0x1bc7, 0x1040, 2)}, /* Telit LE922A */
+ {QMI_QUIRK_SET_DTR(0x1bc7, 0x1050, 2)}, /* Telit FN980 */
+ {QMI_FIXED_INTF(0x1bc7, 0x1100, 3)}, /* Telit ME910 */
diff --git a/queue-5.6/nfc-st21nfca-add-missed-kfree_skb-in-an-error-path.patch b/queue-5.6/nfc-st21nfca-add-missed-kfree_skb-in-an-error-path.patch
new file mode 100644
index 00000000000..a3908bb177a
--- /dev/null
+++ b/queue-5.6/nfc-st21nfca-add-missed-kfree_skb-in-an-error-path.patch
@@ -0,0 +1,34 @@
+From foo@baz Sun 07 Jun 2020 02:59:34 PM CEST
+From: Chuhong Yuan
+Date: Thu, 28 May 2020 18:20:37 +0800
+Subject: NFC: st21nfca: add missed kfree_skb() in an error path
+
+From: Chuhong Yuan
+
+[ Upstream commit 3decabdc714ca56c944f4669b4cdec5c2c1cea23 ]
+
+st21nfca_tm_send_atr_res() misses to call kfree_skb() in an error path.
+Add the missed function call to fix it.
+
+Fixes: 1892bf844ea0 ("NFC: st21nfca: Adding P2P support to st21nfca in Initiator & Target mode")
+Signed-off-by: Chuhong Yuan
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/nfc/st21nfca/dep.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/nfc/st21nfca/dep.c
++++ b/drivers/nfc/st21nfca/dep.c
+@@ -173,8 +173,10 @@ static int st21nfca_tm_send_atr_res(stru
+ memcpy(atr_res->gbi, atr_req->gbi, gb_len);
+ r = nfc_set_remote_general_bytes(hdev->ndev, atr_res->gbi,
+ gb_len);
+- if (r < 0)
++ if (r < 0) {
++ kfree_skb(skb);
+ return r;
++ }
+ }
+
+ info->dep_info.curr_nfc_dep_pni = 0;
diff --git a/queue-5.6/nfp-flower-fix-used-time-of-merge-flow-statistics.patch b/queue-5.6/nfp-flower-fix-used-time-of-merge-flow-statistics.patch
new file mode 100644
index 00000000000..f6ddb52faf6
--- /dev/null
+++ b/queue-5.6/nfp-flower-fix-used-time-of-merge-flow-statistics.patch
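Review bot: The added `kfree_skb(skb)` is written inline at this one early return in st21nfca_tm_send_atr_res(); the function's other exits are outside the hunk, so it cannot be confirmed from here that every failure path releases `skb`. A shared label, `goto free_skb;` here with `free_skb: kfree_skb(skb); return r;` at the end, would make it harder for a later error return to repeat the leak. The `memcpy()` just above copies `gb_len` bytes out of `atr_req`; where `gb_len` is bounded is also outside the hunk and is worth confirming while this path is being touched.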
@@ -0,0 +1,41 @@
+From foo@baz Sun 07 Jun 2020 02:59:34 PM CEST
+From: Heinrich Kuhn
+Date: Wed, 27 May 2020 09:44:20 +0200
+Subject: nfp: flower: fix used time of merge flow statistics
+
+From: Heinrich Kuhn
+
+[ Upstream commit 5b186cd60f033110960a3db424ffbd6de4cee528 ]
+
+Prior to this change the correct value for the used counter is calculated
+but not stored nor, therefore, propagated to user-space. In use-cases such
+as OVS use-case at least this results in active flows being removed from
+the hardware datapath. Which results in both unnecessary flow tear-down
+and setup, and packet processing on the host.
+
+This patch addresses the problem by saving the calculated used value
+which allows the value to propagate to user-space.
+
+Found by inspection.
+
+Fixes: aa6ce2ea0c93 ("nfp: flower: support stats update for merge flows")
+Signed-off-by: Heinrich Kuhn
+Signed-off-by: Simon Horman
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/netronome/nfp/flower/offload.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/netronome/nfp/flower/offload.c
++++ b/drivers/net/ethernet/netronome/nfp/flower/offload.c
+@@ -1440,7 +1440,8 @@ __nfp_flower_update_merge_stats(struct n
+ ctx_id = be32_to_cpu(sub_flow->meta.host_ctx_id);
+ priv->stats[ctx_id].pkts += pkts;
+ priv->stats[ctx_id].bytes += bytes;
+- max_t(u64, priv->stats[ctx_id].used, used);
++ priv->stats[ctx_id].used = max_t(u64, used,
++ priv->stats[ctx_id].used);
+ }
+ }
+
diff --git a/queue-5.6/sctp-check-assoc-before-sctp_addr_-made_prim-added-event.patch b/queue-5.6/sctp-check-assoc-before-sctp_addr_-made_prim-added-event.patch
new file mode 100644
index 00000000000..1cf27d034ac
--- /dev/null
+++ b/queue-5.6/sctp-check-assoc-before-sctp_addr_-made_prim-added-event.patch
@@ -0,0 +1,40 @@
+From foo@baz Sun 07 Jun 2020 02:59:34 PM CEST
+From: Jonas Falkevik
+Date: Wed, 27 May 2020 11:56:40 +0200
+Subject: sctp: check assoc before SCTP_ADDR_{MADE_PRIM, ADDED} event
+
+From: Jonas Falkevik
+
+[ Upstream commit 45ebf73ebcec88a34a778f5feaa0b82b1c76069e ]
+
+Make sure SCTP_ADDR_{MADE_PRIM,ADDED} are sent only for associations
+that have been established.
+
+These events are described in rfc6458#section-6.1
+SCTP_PEER_ADDR_CHANGE:
+This tag indicates that an address that is
+part of an existing association has experienced a change of
+state (e.g., a failure or return to service of the reachability
+of an endpoint via a specific transport address).
+
+Signed-off-by: Jonas Falkevik
+Acked-by: Marcelo Ricardo Leitner
+Reviewed-by: Xin Long
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/sctp/ulpevent.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/sctp/ulpevent.c
++++ b/net/sctp/ulpevent.c
+@@ -343,6 +343,9 @@ void sctp_ulpevent_nofity_peer_addr_chan
+ struct sockaddr_storage addr;
+ struct sctp_ulpevent *event;
+
++ if (asoc->state < SCTP_STATE_ESTABLISHED)
++ return;
++
+ memset(&addr, 0, sizeof(struct sockaddr_storage));
+ memcpy(&addr, &transport->ipaddr, transport->af_specific->sockaddr_len);
+
diff --git a/queue-5.6/series b/queue-5.6/series
new file mode 100644
index 00000000000..8384715f3d9
--- /dev/null
+++ b/queue-5.6/series
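Review bot: The added guard `if (asoc->state < SCTP_STATE_ESTABLISHED)` depends on the numeric order of the association-state enum, which is not visible in this hunk, and it drops the event silently with no comment. A comment such as `/* RFC 6458 section 6.1: peer address change events apply only to an existing association */` above the check would record why. Every state that sorts after ESTABLISHED still emits the event; presumably that is intended for the shutdown states, but it is worth confirming against the enum. The function body continues outside the hunk.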
@@ -0,0 +1,17 @@
+devinet-fix-memleak-in-inetdev_init.patch
+l2tp-add-sk_family-checks-to-l2tp_validate_socket.patch
+l2tp-do-not-use-inet_hash-inet_unhash.patch
+net-check-untrusted-gso_size-at-kernel-entry.patch
+net-mlx5-fix-crash-upon-suspend-resume.patch
+net-stmmac-enable-timestamp-snapshot-for-required-ptp-packets-in-dwmac-v5.10a.patch
+net-usb-qmi_wwan-add-telit-le910c1-eux-composition.patch
+nfc-st21nfca-add-missed-kfree_skb-in-an-error-path.patch
+nfp-flower-fix-used-time-of-merge-flow-statistics.patch
+sctp-check-assoc-before-sctp_addr_-made_prim-added-event.patch
+virtio_vsock-fix-race-condition-in-virtio_transport_recv_pkt.patch
+vsock-fix-timeout-in-vsock_accept.patch
+net-be-more-gentle-about-silly-gso-requests-coming-from-user.patch
+net-dsa-felix-send-vlans-on-cpu-port-as-egress-tagged.patch
+mptcp-fix-unblocking-connect.patch
+net-sched-fix-infinite-loop-in-sch_fq_pie.patch
+net-mlx5e-replace-einval-in-mlx5e_flower_parse_meta.patch
diff --git a/queue-5.6/virtio_vsock-fix-race-condition-in-virtio_transport_recv_pkt.patch b/queue-5.6/virtio_vsock-fix-race-condition-in-virtio_transport_recv_pkt.patch
new file mode 100644
index 00000000000..23081fddc3b
--- /dev/null
+++ b/queue-5.6/virtio_vsock-fix-race-condition-in-virtio_transport_recv_pkt.patch
@@ -0,0 +1,89 @@
+From foo@baz Sun 07 Jun 2020 02:59:34 PM CEST
+From: Jia He
+Date: Sat, 30 May 2020 09:38:28 +0800
+Subject: virtio_vsock: Fix race condition in virtio_transport_recv_pkt
+
+From: Jia He
+
+[ Upstream commit 8692cefc433f282228fd44938dd4d26ed38254a2 ]
+
+When client on the host tries to connect(SOCK_STREAM, O_NONBLOCK) to the
+server on the guest, there will be a panic on a ThunderX2 (armv8a server):
+
+[ 463.718844] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
+[ 463.718848] Mem abort info:
+[ 463.718849] ESR = 0x96000044
+[ 463.718852] EC = 0x25: DABT (current EL), IL = 32 bits
+[ 463.718853] SET = 0, FnV = 0
+[ 463.718854] EA = 0, S1PTW = 0
+[ 463.718855] Data abort info:
+[ 463.718856] ISV = 0, ISS = 0x00000044
+[ 463.718857] CM = 0, WnR = 1
+[ 463.718859] user pgtable: 4k pages, 48-bit VAs, pgdp=0000008f6f6e9000
+[ 463.718861] [0000000000000000] pgd=0000000000000000
+[ 463.718866] Internal error: Oops: 96000044 [#1] SMP
+[...]
+[ 463.718977] CPU: 213 PID: 5040 Comm: vhost-5032 Tainted: G O 5.7.0-rc7+ #139
+[ 463.718980] Hardware name: GIGABYTE R281-T91-00/MT91-FS1-00, BIOS F06 09/25/2018
+[ 463.718982] pstate: 60400009 (nZCv daif +PAN -UAO)
+[ 463.718995] pc : virtio_transport_recv_pkt+0x4c8/0xd40 [vmw_vsock_virtio_transport_common]
+[ 463.718999] lr : virtio_transport_recv_pkt+0x1fc/0xd40 [vmw_vsock_virtio_transport_common]
+[ 463.719000] sp : ffff80002dbe3c40
+[...]
+[ 463.719025] Call trace:
+[ 463.719030] virtio_transport_recv_pkt+0x4c8/0xd40 [vmw_vsock_virtio_transport_common]
+[ 463.719034] vhost_vsock_handle_tx_kick+0x360/0x408 [vhost_vsock]
+[ 463.719041] vhost_worker+0x100/0x1a0 [vhost]
+[ 463.719048] kthread+0x128/0x130
+[ 463.719052] ret_from_fork+0x10/0x18
+
+The race condition is as follows:
+Task1 Task2
+===== =====
+__sock_release virtio_transport_recv_pkt
+ __vsock_release vsock_find_bound_socket (found sk)
+ lock_sock_nested
+ vsock_remove_sock
+ sock_orphan
+ sk_set_socket(sk, NULL)
+ sk->sk_shutdown = SHUTDOWN_MASK
+ ...
+ release_sock
+ lock_sock
+ virtio_transport_recv_connecting
+ sk->sk_socket->state (panic!)
+
+The root cause is that vsock_find_bound_socket can't hold the lock_sock,
+so there is a small race window between vsock_find_bound_socket() and
+lock_sock(). If __vsock_release() is running in another task,
+sk->sk_socket will be set to NULL inadvertently.
+
+This fixes it by checking sk->sk_shutdown(suggested by Stefano) after
+lock_sock since sk->sk_shutdown is set to SHUTDOWN_MASK under the
+protection of lock_sock_nested.
+
+Signed-off-by: Jia He
+Reviewed-by: Stefano Garzarella
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/vmw_vsock/virtio_transport_common.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/net/vmw_vsock/virtio_transport_common.c
++++ b/net/vmw_vsock/virtio_transport_common.c
+@@ -1128,6 +1128,14 @@ void virtio_transport_recv_pkt(struct vi
+
+ lock_sock(sk);
+
++ /* Check if sk has been released before lock_sock */
++ if (sk->sk_shutdown == SHUTDOWN_MASK) {
++ (void)virtio_transport_reset_no_sock(t, pkt);
++ release_sock(sk);
++ sock_put(sk);
++ goto free_pkt;
++ }
++
+ /* Update CID in case it has changed after a transport reset event */
+ vsk->local_addr.svm_cid = dst.svm_cid;
+
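Review bot: `sk->sk_shutdown == SHUTDOWN_MASK` is used as a stand-in for "the socket was released", but the hunk does not show that release is the only writer that sets both shutdown bits. If an explicit shutdown of both directions on a still-open socket produces the same mask, packets for that socket would now be answered with a reset and dropped. The comment should name the writer of sk_shutdown that the check relies on, or the test should use state that only the release path sets (the commit message's trace lists sock_orphan() and sk_set_socket(sk, NULL) there). virtio_transport_recv_pkt() continues outside the hunk.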
diff --git a/queue-5.6/vsock-fix-timeout-in-vsock_accept.patch b/queue-5.6/vsock-fix-timeout-in-vsock_accept.patch
new file mode 100644
index 00000000000..83c0d33346d
--- /dev/null
+++ b/queue-5.6/vsock-fix-timeout-in-vsock_accept.patch
@@ -0,0 +1,35 @@
+From foo@baz Sun 07 Jun 2020 02:59:34 PM CEST
+From: Stefano Garzarella
+Date: Wed, 27 May 2020 09:56:55 +0200
+Subject: vsock: fix timeout in vsock_accept()
+
+From: Stefano Garzarella
+
+[ Upstream commit 7e0afbdfd13d1e708fe96e31c46c4897101a6a43 ]
+
+The accept(2) is an "input" socket interface, so we should use
+SO_RCVTIMEO instead of SO_SNDTIMEO to set the timeout.
+
+So this patch replace sock_sndtimeo() with sock_rcvtimeo() to
+use the right timeout in the vsock_accept().
+
+Fixes: d021c344051a ("VSOCK: Introduce VM Sockets")
+Signed-off-by: Stefano Garzarella
+Reviewed-by: Jorgen Hansen
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/vmw_vsock/af_vsock.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/vmw_vsock/af_vsock.c
++++ b/net/vmw_vsock/af_vsock.c
+@@ -1408,7 +1408,7 @@ static int vsock_accept(struct socket *s
+ /* Wait for children sockets to appear; these are the new sockets
+ * created upon connection establishment.
+ */
+- timeout = sock_sndtimeo(listener, flags & O_NONBLOCK);
++ timeout = sock_rcvtimeo(listener, flags & O_NONBLOCK);
+ prepare_to_wait(sk_sleep(listener), &wait, TASK_INTERRUPTIBLE);
+
+ while ((connected = vsock_dequeue_accept(listener)) == NULL &&