From: Greg Kroah-Hartman Date: Sun, 28 Jun 2020 14:24:59 +0000 (+0200) Subject: 4.9-stable patches X-Git-Tag: v5.7.7~57 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=f47752b533940d2b9530e55e4b8d84d2b634f3ed;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: ip6_gre-fix-use-after-free-in-ip6gre_tunnel_lookup.patch ip_tunnel-fix-use-after-free-in-ip_tunnel_lookup.patch mld-fix-memory-leak-in-ipv6_mc_destroy_dev.patch net-core-reduce-recursion-limit-value.patch net-do-not-clear-the-sock-tx-queue-in-sk_set_socket.patch net-fix-memleak-in-register_netdevice.patch net-fix-the-arp-error-in-some-cases.patch net-usb-ax88179_178a-fix-packet-alignment-padding.patch rocker-fix-incorrect-error-handling-in-dma_rings_init.patch rxrpc-fix-notification-call-on-completion-of-discarded-calls.patch sctp-don-t-advertise-ipv4-addresses-if-ipv6only-is-set-on-the-socket.patch tcp-grow-window-for-ooo-packets-only-for-sack-flows.patch tcp_cubic-fix-spurious-hystart_delay-exit-upon-drop-in-min-rtt.patch tg3-driver-sleeps-indefinitely-when-eeh-errors-exceed-eeh_max_freezes.patch --- diff --git a/queue-4.9/ip6_gre-fix-use-after-free-in-ip6gre_tunnel_lookup.patch b/queue-4.9/ip6_gre-fix-use-after-free-in-ip6gre_tunnel_lookup.patch new file mode 100644 index 00000000000..202c7b2b939 --- /dev/null +++ b/queue-4.9/ip6_gre-fix-use-after-free-in-ip6gre_tunnel_lookup.patch 
@@ -0,0 +1,114 @@ +From foo@baz Sun 28 Jun 2020 03:29:00 PM CEST +From: Taehee Yoo +Date: Tue, 16 Jun 2020 16:04:00 +0000 +Subject: ip6_gre: fix use-after-free in ip6gre_tunnel_lookup() + +From: Taehee Yoo + +[ Upstream commit dafabb6590cb15f300b77c095d50312e2c7c8e0f ] + +In the datapath, the ip6gre_tunnel_lookup() is used and it internally uses +fallback tunnel device pointer, which is fb_tunnel_dev. +This pointer variable should be set to NULL when a fb interface is deleted. +But there is no routine to set fb_tunnel_dev pointer to NULL. +So, this pointer will be still used after interface is deleted and +it eventually results in the use-after-free problem. + +Test commands: + ip netns add A + ip netns add B + ip link add eth0 type veth peer name eth1 + ip link set eth0 netns A + ip link set eth1 netns B + + ip netns exec A ip link set lo up + ip netns exec A ip link set eth0 up + ip netns exec A ip link add ip6gre1 type ip6gre local fc:0::1 \ + remote fc:0::2 + ip netns exec A ip -6 a a fc:100::1/64 dev ip6gre1 + ip netns exec A ip link set ip6gre1 up + ip netns exec A ip -6 a a fc:0::1/64 dev eth0 + ip netns exec A ip link set ip6gre0 up + + ip netns exec B ip link set lo up + ip netns exec B ip link set eth1 up + ip netns exec B ip link add ip6gre1 type ip6gre local fc:0::2 \ + remote fc:0::1 + ip netns exec B ip -6 a a fc:100::2/64 dev ip6gre1 + ip netns exec B ip link set ip6gre1 up + ip netns exec B ip -6 a a fc:0::2/64 dev eth1 + ip netns exec B ip link set ip6gre0 up + ip netns exec A ping fc:100::2 -s 60000 & + ip netns del B + +Splat looks like: +[ 73.087285][ C1] BUG: KASAN: use-after-free in ip6gre_tunnel_lookup+0x1064/0x13f0 [ip6_gre] +[ 73.088361][ C1] Read of size 4 at addr ffff888040559218 by task ping/1429 +[ 73.089317][ C1] +[ 73.089638][ C1] CPU: 1 PID: 1429 Comm: ping Not tainted 5.7.0+ #602 +[ 73.090531][ C1] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006 +[ 73.091725][ C1] Call Trace: +[ 73.092160][ C1] +[ 
73.092556][ C1] dump_stack+0x96/0xdb +[ 73.093122][ C1] print_address_description.constprop.6+0x2cc/0x450 +[ 73.094016][ C1] ? ip6gre_tunnel_lookup+0x1064/0x13f0 [ip6_gre] +[ 73.094894][ C1] ? ip6gre_tunnel_lookup+0x1064/0x13f0 [ip6_gre] +[ 73.095767][ C1] ? ip6gre_tunnel_lookup+0x1064/0x13f0 [ip6_gre] +[ 73.096619][ C1] kasan_report+0x154/0x190 +[ 73.097209][ C1] ? ip6gre_tunnel_lookup+0x1064/0x13f0 [ip6_gre] +[ 73.097989][ C1] ip6gre_tunnel_lookup+0x1064/0x13f0 [ip6_gre] +[ 73.098750][ C1] ? gre_del_protocol+0x60/0x60 [gre] +[ 73.099500][ C1] gre_rcv+0x1c5/0x1450 [ip6_gre] +[ 73.100199][ C1] ? ip6gre_header+0xf00/0xf00 [ip6_gre] +[ 73.100985][ C1] ? rcu_read_lock_sched_held+0xc0/0xc0 +[ 73.101830][ C1] ? ip6_input_finish+0x5/0xf0 +[ 73.102483][ C1] ip6_protocol_deliver_rcu+0xcbb/0x1510 +[ 73.103296][ C1] ip6_input_finish+0x5b/0xf0 +[ 73.103920][ C1] ip6_input+0xcd/0x2c0 +[ 73.104473][ C1] ? ip6_input_finish+0xf0/0xf0 +[ 73.105115][ C1] ? rcu_read_lock_held+0x90/0xa0 +[ 73.105783][ C1] ? rcu_read_lock_sched_held+0xc0/0xc0 +[ 73.106548][ C1] ipv6_rcv+0x1f1/0x300 +[ ... ] + +Suggested-by: Eric Dumazet +Fixes: c12b395a4664 ("gre: Support GRE over IPv6") +Signed-off-by: Taehee Yoo +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/ip6_gre.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +--- a/net/ipv6/ip6_gre.c ++++ b/net/ipv6/ip6_gre.c +@@ -124,6 +124,7 @@ static struct ip6_tnl *ip6gre_tunnel_loo + int dev_type = (gre_proto == htons(ETH_P_TEB)) ? 
+ ARPHRD_ETHER : ARPHRD_IP6GRE; + int score, cand_score = 4; ++ struct net_device *ndev; + + for_each_ip_tunnel_rcu(t, ign->tunnels_r_l[h0 ^ h1]) { + if (!ipv6_addr_equal(local, &t->parms.laddr) || +@@ -226,9 +227,9 @@ static struct ip6_tnl *ip6gre_tunnel_loo + if (cand) + return cand; + +- dev = ign->fb_tunnel_dev; +- if (dev->flags & IFF_UP) +- return netdev_priv(dev); ++ ndev = READ_ONCE(ign->fb_tunnel_dev); ++ if (ndev && ndev->flags & IFF_UP) ++ return netdev_priv(ndev); + + return NULL; + } +@@ -364,6 +365,8 @@ static void ip6gre_tunnel_uninit(struct + struct ip6gre_net *ign = net_generic(t->net, ip6gre_net_id); + + ip6gre_tunnel_unlink(ign, t); ++ if (ign->fb_tunnel_dev == dev) ++ WRITE_ONCE(ign->fb_tunnel_dev, NULL); + dst_cache_reset(&t->dst_cache); + dev_put(dev); + } diff --git a/queue-4.9/ip_tunnel-fix-use-after-free-in-ip_tunnel_lookup.patch b/queue-4.9/ip_tunnel-fix-use-after-free-in-ip_tunnel_lookup.patch new file mode 100644 index 00000000000..4b9795c582a --- /dev/null +++ b/queue-4.9/ip_tunnel-fix-use-after-free-in-ip_tunnel_lookup.patch 
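Review bot: The new fallback test `if (ndev && ndev->flags & IFF_UP)` in ip6gre_tunnel_lookup() relies on `&` binding tighter than `&&`, which is correct but reads ambiguously in a datapath function; `if (ndev && (ndev->flags & IFF_UP))` is clearer. More importantly, the lookup is only safe because the pointer is cleared under RTNL in ip6gre_tunnel_uninit() while readers run under RCU and presumably rely on the grace period in the unregister path before the device memory goes away, and nothing in the hunk records that contract; a comment above the READ_ONCE() such as `/* Cleared by ip6gre_tunnel_uninit(); a non-NULL value stays valid for the RCU read side */` would capture it. The same pattern and the same remark apply to the ip_tunnel_lookup() hunk in ip_tunnel-fix-use-after-free-in-ip_tunnel_lookup.patch. ip6gre_tunnel_lookup() starts before the hunk.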
@@ -0,0 +1,117 @@ +From foo@baz Sun 28 Jun 2020 04:14:51 PM CEST +From: Taehee Yoo +Date: Tue, 16 Jun 2020 16:51:51 +0000 +Subject: ip_tunnel: fix use-after-free in ip_tunnel_lookup() + +From: Taehee Yoo + +[ Upstream commit ba61539c6ae57f4146284a5cb4f7b7ed8d42bf45 ] + +In the datapath, the ip_tunnel_lookup() is used and it internally uses +fallback tunnel device pointer, which is fb_tunnel_dev. +This pointer variable should be set to NULL when a fb interface is deleted. +But there is no routine to set fb_tunnel_dev pointer to NULL. +So, this pointer will be still used after interface is deleted and +it eventually results in the use-after-free problem. + +Test commands: + ip netns add A + ip netns add B + ip link add eth0 type veth peer name eth1 + ip link set eth0 netns A + ip link set eth1 netns B + + ip netns exec A ip link set lo up + ip netns exec A ip link set eth0 up + ip netns exec A ip link add gre1 type gre local 10.0.0.1 \ + remote 10.0.0.2 + ip netns exec A ip link set gre1 up + ip netns exec A ip a a 10.0.100.1/24 dev gre1 + ip netns exec A ip a a 10.0.0.1/24 dev eth0 + + ip netns exec B ip link set lo up + ip netns exec B ip link set eth1 up + ip netns exec B ip link add gre1 type gre local 10.0.0.2 \ + remote 10.0.0.1 + ip netns exec B ip link set gre1 up + ip netns exec B ip a a 10.0.100.2/24 dev gre1 + ip netns exec B ip a a 10.0.0.2/24 dev eth1 + ip netns exec A hping3 10.0.100.2 -2 --flood -d 60000 & + ip netns del B + +Splat looks like: +[ 77.793450][ C3] ================================================================== +[ 77.794702][ C3] BUG: KASAN: use-after-free in ip_tunnel_lookup+0xcc4/0xf30 +[ 77.795573][ C3] Read of size 4 at addr ffff888060bd9c84 by task hping3/2905 +[ 77.796398][ C3] +[ 77.796664][ C3] CPU: 3 PID: 2905 Comm: hping3 Not tainted 5.8.0-rc1+ #616 +[ 77.797474][ C3] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006 +[ 77.798453][ C3] Call Trace: +[ 77.798815][ C3] +[ 77.799142][ C3] 
dump_stack+0x9d/0xdb +[ 77.799605][ C3] print_address_description.constprop.7+0x2cc/0x450 +[ 77.800365][ C3] ? ip_tunnel_lookup+0xcc4/0xf30 +[ 77.800908][ C3] ? ip_tunnel_lookup+0xcc4/0xf30 +[ 77.801517][ C3] ? ip_tunnel_lookup+0xcc4/0xf30 +[ 77.802145][ C3] kasan_report+0x154/0x190 +[ 77.802821][ C3] ? ip_tunnel_lookup+0xcc4/0xf30 +[ 77.803503][ C3] ip_tunnel_lookup+0xcc4/0xf30 +[ 77.804165][ C3] __ipgre_rcv+0x1ab/0xaa0 [ip_gre] +[ 77.804862][ C3] ? rcu_read_lock_sched_held+0xc0/0xc0 +[ 77.805621][ C3] gre_rcv+0x304/0x1910 [ip_gre] +[ 77.806293][ C3] ? lock_acquire+0x1a9/0x870 +[ 77.806925][ C3] ? gre_rcv+0xfe/0x354 [gre] +[ 77.807559][ C3] ? erspan_xmit+0x2e60/0x2e60 [ip_gre] +[ 77.808305][ C3] ? rcu_read_lock_sched_held+0xc0/0xc0 +[ 77.809032][ C3] ? rcu_read_lock_held+0x90/0xa0 +[ 77.809713][ C3] gre_rcv+0x1b8/0x354 [gre] +[ ... ] + +Suggested-by: Eric Dumazet +Fixes: c54419321455 ("GRE: Refactor GRE tunneling code.") +Signed-off-by: Taehee Yoo +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/ip_tunnel.c | 14 ++++++++------ + 1 file changed, 8 insertions(+), 6 deletions(-) + +--- a/net/ipv4/ip_tunnel.c ++++ b/net/ipv4/ip_tunnel.c +@@ -98,9 +98,10 @@ struct ip_tunnel *ip_tunnel_lookup(struc + __be32 remote, __be32 local, + __be32 key) + { +- unsigned int hash; + struct ip_tunnel *t, *cand = NULL; + struct hlist_head *head; ++ struct net_device *ndev; ++ unsigned int hash; + + hash = ip_tunnel_hash(key, remote); + head = &itn->tunnels[hash]; +@@ -175,8 +176,9 @@ struct ip_tunnel *ip_tunnel_lookup(struc + if (t) + return t; + +- if (itn->fb_tunnel_dev && itn->fb_tunnel_dev->flags & IFF_UP) +- return netdev_priv(itn->fb_tunnel_dev); ++ ndev = READ_ONCE(itn->fb_tunnel_dev); ++ if (ndev && ndev->flags & IFF_UP) ++ return netdev_priv(ndev); + + return NULL; + } +@@ -1193,9 +1195,9 @@ void ip_tunnel_uninit(struct net_device + struct ip_tunnel_net *itn; + + itn = net_generic(net, tunnel->ip_tnl_net_id); +- /* fb_tunnel_dev will be 
unregisted in net-exit call. */ +- if (itn->fb_tunnel_dev != dev) +- ip_tunnel_del(itn, netdev_priv(dev)); ++ ip_tunnel_del(itn, netdev_priv(dev)); ++ if (itn->fb_tunnel_dev == dev) ++ WRITE_ONCE(itn->fb_tunnel_dev, NULL); + + dst_cache_reset(&tunnel->dst_cache); + } diff --git a/queue-4.9/mld-fix-memory-leak-in-ipv6_mc_destroy_dev.patch b/queue-4.9/mld-fix-memory-leak-in-ipv6_mc_destroy_dev.patch new file mode 100644 index 00000000000..eafea0b925b --- /dev/null +++ b/queue-4.9/mld-fix-memory-leak-in-ipv6_mc_destroy_dev.patch 
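Review bot: ip_tunnel_uninit() now calls ip_tunnel_del() for the fallback device as well, dropping the `fb_tunnel_dev != dev` guard together with the comment that explained it, and neither the code nor the description says why unlinking the fallback tunnel here is safe. If the net-exit path (outside this hunk) still expects the fallback device to be hashed, that needs confirming; otherwise a replacement comment such as `/* Unlink every tunnel, the fallback one included, and drop the fallback pointer so RCU readers stop using it */` would keep the next reader from restoring the guard. The declaration reordering at the top of ip_tunnel_lookup() is cosmetic and fine. Both functions begin before their hunks.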
@@ -0,0 +1,57 @@ +From foo@baz Sun 28 Jun 2020 04:14:51 PM CEST +From: Wang Hai +Date: Thu, 11 Jun 2020 15:57:50 +0800 +Subject: mld: fix memory leak in ipv6_mc_destroy_dev() + +From: Wang Hai + +[ Upstream commit ea2fce88d2fd678ed9d45354ff49b73f1d5615dd ] + +Commit a84d01647989 ("mld: fix memory leak in mld_del_delrec()") fixed +the memory leak of MLD, but missing the ipv6_mc_destroy_dev() path, in +which mca_sources are leaked after ma_put(). + +Using ip6_mc_clear_src() to take care of the missing free. + +BUG: memory leak +unreferenced object 0xffff8881113d3180 (size 64): + comm "syz-executor071", pid 389, jiffies 4294887985 (age 17.943s) + hex dump (first 32 bytes): + 00 00 00 00 00 00 00 00 ff 02 00 00 00 00 00 00 ................ + 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 ................ + backtrace: + [<000000002cbc483c>] kmalloc include/linux/slab.h:555 [inline] + [<000000002cbc483c>] kzalloc include/linux/slab.h:669 [inline] + [<000000002cbc483c>] ip6_mc_add1_src net/ipv6/mcast.c:2237 [inline] + [<000000002cbc483c>] ip6_mc_add_src+0x7f5/0xbb0 net/ipv6/mcast.c:2357 + [<0000000058b8b1ff>] ip6_mc_source+0xe0c/0x1530 net/ipv6/mcast.c:449 + [<000000000bfc4fb5>] do_ipv6_setsockopt.isra.12+0x1b2c/0x3b30 net/ipv6/ipv6_sockglue.c:754 + [<00000000e4e7a722>] ipv6_setsockopt+0xda/0x150 net/ipv6/ipv6_sockglue.c:950 + [<0000000029260d9a>] rawv6_setsockopt+0x45/0x100 net/ipv6/raw.c:1081 + [<000000005c1b46f9>] __sys_setsockopt+0x131/0x210 net/socket.c:2132 + [<000000008491f7db>] __do_sys_setsockopt net/socket.c:2148 [inline] + [<000000008491f7db>] __se_sys_setsockopt net/socket.c:2145 [inline] + [<000000008491f7db>] __x64_sys_setsockopt+0xba/0x150 net/socket.c:2145 + [<00000000c7bc11c5>] do_syscall_64+0xa1/0x530 arch/x86/entry/common.c:295 + [<000000005fb7a3f3>] entry_SYSCALL_64_after_hwframe+0x49/0xb3 + +Fixes: 1666d49e1d41 ("mld: do not remove mld souce list info when set link down") +Reported-by: Hulk Robot +Signed-off-by: Wang Hai +Acked-by: Hangbin Liu 
+Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/mcast.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/ipv6/mcast.c ++++ b/net/ipv6/mcast.c +@@ -2601,6 +2601,7 @@ void ipv6_mc_destroy_dev(struct inet6_de + idev->mc_list = i->next; + + write_unlock_bh(&idev->lock); ++ ip6_mc_clear_src(i); + ma_put(i); + write_lock_bh(&idev->lock); + } diff --git a/queue-4.9/net-core-reduce-recursion-limit-value.patch b/queue-4.9/net-core-reduce-recursion-limit-value.patch new file mode 100644 index 00000000000..70a859364fa --- /dev/null +++ b/queue-4.9/net-core-reduce-recursion-limit-value.patch 
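Review bot: The added `ip6_mc_clear_src(i)` in ipv6_mc_destroy_dev() carries no comment explaining why the source list must be freed before ma_put(), and the reason (mca_sources are not released by ma_put()) lives only in the commit description. A short comment, `/* ma_put() does not release mca_sources; free them here as mld_del_delrec() does */`, would record it next to the call. The call sits after write_unlock_bh(&idev->lock), consistent with where ma_put() already runs. ipv6_mc_destroy_dev() starts before the hunk.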
@@ -0,0 +1,81 @@ +From foo@baz Sun 28 Jun 2020 03:29:00 PM CEST +From: Taehee Yoo +Date: Tue, 16 Jun 2020 15:52:05 +0000 +Subject: net: core: reduce recursion limit value + +From: Taehee Yoo + +[ Upstream commit fb7861d14c8d7edac65b2fcb6e8031cb138457b2 ] + +In the current code, ->ndo_start_xmit() can be executed recursively only +10 times because of stack memory. +But, in the case of the vxlan, 10 recursion limit value results in +a stack overflow. +In the current code, the nested interface is limited by 8 depth. +There is no critical reason that the recursion limitation value should +be 10. +So, it would be good to be the same value with the limitation value of +nesting interface depth. + +Test commands: + ip link add vxlan10 type vxlan vni 10 dstport 4789 srcport 4789 4789 + ip link set vxlan10 up + ip a a 192.168.10.1/24 dev vxlan10 + ip n a 192.168.10.2 dev vxlan10 lladdr fc:22:33:44:55:66 nud permanent + + for i in {9..0} + do + let A=$i+1 + ip link add vxlan$i type vxlan vni $i dstport 4789 srcport 4789 4789 + ip link set vxlan$i up + ip a a 192.168.$i.1/24 dev vxlan$i + ip n a 192.168.$i.2 dev vxlan$i lladdr fc:22:33:44:55:66 nud permanent + bridge fdb add fc:22:33:44:55:66 dev vxlan$A dst 192.168.$i.2 self + done + hping3 192.168.10.2 -2 -d 60000 + +Splat looks like: +[ 103.814237][ T1127] ============================================================================= +[ 103.871955][ T1127] BUG kmalloc-2k (Tainted: G B ): Padding overwritten. 
0x00000000897a2e4f-0x000 +[ 103.873187][ T1127] ----------------------------------------------------------------------------- +[ 103.873187][ T1127] +[ 103.874252][ T1127] INFO: Slab 0x000000005cccc724 objects=5 used=5 fp=0x0000000000000000 flags=0x10000000001020 +[ 103.881323][ T1127] CPU: 3 PID: 1127 Comm: hping3 Tainted: G B 5.7.0+ #575 +[ 103.882131][ T1127] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006 +[ 103.883006][ T1127] Call Trace: +[ 103.883324][ T1127] dump_stack+0x96/0xdb +[ 103.883716][ T1127] slab_err+0xad/0xd0 +[ 103.884106][ T1127] ? _raw_spin_unlock+0x1f/0x30 +[ 103.884620][ T1127] ? get_partial_node.isra.78+0x140/0x360 +[ 103.885214][ T1127] slab_pad_check.part.53+0xf7/0x160 +[ 103.885769][ T1127] ? pskb_expand_head+0x110/0xe10 +[ 103.886316][ T1127] check_slab+0x97/0xb0 +[ 103.886763][ T1127] alloc_debug_processing+0x84/0x1a0 +[ 103.887308][ T1127] ___slab_alloc+0x5a5/0x630 +[ 103.887765][ T1127] ? pskb_expand_head+0x110/0xe10 +[ 103.888265][ T1127] ? lock_downgrade+0x730/0x730 +[ 103.888762][ T1127] ? pskb_expand_head+0x110/0xe10 +[ 103.889244][ T1127] ? __slab_alloc+0x3e/0x80 +[ 103.889675][ T1127] __slab_alloc+0x3e/0x80 +[ 103.890108][ T1127] __kmalloc_node_track_caller+0xc7/0x420 +[ ... ] + +Fixes: 11a766ce915f ("net: Increase xmit RECURSION_LIMIT to 10.") +Signed-off-by: Taehee Yoo +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/netdevice.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/include/linux/netdevice.h ++++ b/include/linux/netdevice.h +@@ -2480,7 +2480,7 @@ void synchronize_net(void); + int init_dummy_netdev(struct net_device *dev); + + DECLARE_PER_CPU(int, xmit_recursion); +-#define XMIT_RECURSION_LIMIT 10 ++#define XMIT_RECURSION_LIMIT 8 + + static inline int dev_recursion_level(void) + { 
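Review bot: `#define XMIT_RECURSION_LIMIT 8` remains a bare magic number even though the description ties it to the nested-interface depth limit of 8; if that limit has a named constant in this tree, the define should be expressed in terms of it, and otherwise a comment such as `/* Must not exceed the nested-device depth limit (8) */` would at least stop the two values from drifting apart again. The change is a one-token edit and the following dev_recursion_level() is unaffected.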
diff --git a/queue-4.9/net-do-not-clear-the-sock-tx-queue-in-sk_set_socket.patch b/queue-4.9/net-do-not-clear-the-sock-tx-queue-in-sk_set_socket.patch new file mode 100644 index 00000000000..3702efe8a7b --- /dev/null +++ b/queue-4.9/net-do-not-clear-the-sock-tx-queue-in-sk_set_socket.patch 
@@ -0,0 +1,57 @@ +From foo@baz Sun 28 Jun 2020 02:29:11 PM CEST +From: Tariq Toukan +Date: Mon, 22 Jun 2020 23:26:04 +0300 +Subject: net: Do not clear the sock TX queue in sk_set_socket() + +From: Tariq Toukan + +[ Upstream commit 41b14fb8724d5a4b382a63cb4a1a61880347ccb8 ] + +Clearing the sock TX queue in sk_set_socket() might cause unexpected +out-of-order transmit when called from sock_orphan(), as outstanding +packets can pick a different TX queue and bypass the ones already queued. + +This is undesired in general. More specifically, it breaks the in-order +scheduling property guarantee for device-offloaded TLS sockets. + +Remove the call to sk_tx_queue_clear() in sk_set_socket(), and add it +explicitly only where needed. + +Fixes: e022f0b4a03f ("net: Introduce sk_tx_queue_mapping") +Signed-off-by: Tariq Toukan +Reviewed-by: Boris Pismenny +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/net/sock.h | 1 - + net/core/sock.c | 2 ++ + 2 files changed, 2 insertions(+), 1 deletion(-) + +--- a/include/net/sock.h ++++ b/include/net/sock.h +@@ -1631,7 +1631,6 @@ static inline int sk_tx_queue_get(const + + static inline void sk_set_socket(struct sock *sk, struct socket *sock) + { +- sk_tx_queue_clear(sk); + sk->sk_socket = sock; + } + +--- a/net/core/sock.c ++++ b/net/core/sock.c +@@ -1403,6 +1403,7 @@ struct sock *sk_alloc(struct net *net, i + cgroup_sk_alloc(&sk->sk_cgrp_data); + sock_update_classid(&sk->sk_cgrp_data); + sock_update_netprioidx(&sk->sk_cgrp_data); ++ sk_tx_queue_clear(sk); + } + + return sk; +@@ -1587,6 +1588,7 @@ struct sock *sk_clone_lock(const struct + */ + sk_refcnt_debug_inc(newsk); + sk_set_socket(newsk, NULL); ++ sk_tx_queue_clear(newsk); + newsk->sk_wq = NULL; + + if (newsk->sk_prot->sockets_allocated) diff --git a/queue-4.9/net-fix-memleak-in-register_netdevice.patch b/queue-4.9/net-fix-memleak-in-register_netdevice.patch new file mode 100644 index 00000000000..aa33b6df9e6 --- /dev/null 
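Review bot: sk_set_socket() in include/net/sock.h silently loses a side effect — it no longer resets the TX queue mapping — but the inline gets no comment, so a caller that depended on the old behaviour (the description names sock_orphan()) has no hint. Suggest a comment on the inline: `/* Does not clear the TX queue mapping; sk_alloc() and sk_clone_lock() call sk_tx_queue_clear() explicitly */`. The two additions in net/core/sock.c follow the other per-socket initialisation, which looks right; sk_alloc() and sk_clone_lock() both start before their hunks.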
+++ b/queue-4.9/net-fix-memleak-in-register_netdevice.patch 
@@ -0,0 +1,87 @@ +From foo@baz Sun 28 Jun 2020 04:14:51 PM CEST +From: Yang Yingliang +Date: Tue, 16 Jun 2020 09:39:21 +0000 +Subject: net: fix memleak in register_netdevice() + +From: Yang Yingliang + +[ Upstream commit 814152a89ed52c722ab92e9fbabcac3cb8a39245 ] + +I got a memleak report when doing some fuzz test: + +unreferenced object 0xffff888112584000 (size 13599): + comm "ip", pid 3048, jiffies 4294911734 (age 343.491s) + hex dump (first 32 bytes): + 74 61 70 30 00 00 00 00 00 00 00 00 00 00 00 00 tap0............ + 00 ee d9 19 81 88 ff ff 00 00 00 00 00 00 00 00 ................ + backtrace: + [<000000002f60ba65>] __kmalloc_node+0x309/0x3a0 + [<0000000075b211ec>] kvmalloc_node+0x7f/0xc0 + [<00000000d3a97396>] alloc_netdev_mqs+0x76/0xfc0 + [<00000000609c3655>] __tun_chr_ioctl+0x1456/0x3d70 + [<000000001127ca24>] ksys_ioctl+0xe5/0x130 + [<00000000b7d5e66a>] __x64_sys_ioctl+0x6f/0xb0 + [<00000000e1023498>] do_syscall_64+0x56/0xa0 + [<000000009ec0eb12>] entry_SYSCALL_64_after_hwframe+0x44/0xa9 +unreferenced object 0xffff888111845cc0 (size 8): + comm "ip", pid 3048, jiffies 4294911734 (age 343.491s) + hex dump (first 8 bytes): + 74 61 70 30 00 88 ff ff tap0.... 
+ backtrace: + [<000000004c159777>] kstrdup+0x35/0x70 + [<00000000d8b496ad>] kstrdup_const+0x3d/0x50 + [<00000000494e884a>] kvasprintf_const+0xf1/0x180 + [<0000000097880a2b>] kobject_set_name_vargs+0x56/0x140 + [<000000008fbdfc7b>] dev_set_name+0xab/0xe0 + [<000000005b99e3b4>] netdev_register_kobject+0xc0/0x390 + [<00000000602704fe>] register_netdevice+0xb61/0x1250 + [<000000002b7ca244>] __tun_chr_ioctl+0x1cd1/0x3d70 + [<000000001127ca24>] ksys_ioctl+0xe5/0x130 + [<00000000b7d5e66a>] __x64_sys_ioctl+0x6f/0xb0 + [<00000000e1023498>] do_syscall_64+0x56/0xa0 + [<000000009ec0eb12>] entry_SYSCALL_64_after_hwframe+0x44/0xa9 +unreferenced object 0xffff88811886d800 (size 512): + comm "ip", pid 3048, jiffies 4294911734 (age 343.491s) + hex dump (first 32 bytes): + 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N.......... + ff ff ff ff ff ff ff ff c0 66 3d a3 ff ff ff ff .........f=..... + backtrace: + [<0000000050315800>] device_add+0x61e/0x1950 + [<0000000021008dfb>] netdev_register_kobject+0x17e/0x390 + [<00000000602704fe>] register_netdevice+0xb61/0x1250 + [<000000002b7ca244>] __tun_chr_ioctl+0x1cd1/0x3d70 + [<000000001127ca24>] ksys_ioctl+0xe5/0x130 + [<00000000b7d5e66a>] __x64_sys_ioctl+0x6f/0xb0 + [<00000000e1023498>] do_syscall_64+0x56/0xa0 + [<000000009ec0eb12>] entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +If call_netdevice_notifiers() failed, then rollback_registered() +calls netdev_unregister_kobject() which holds the kobject. The +reference cannot be put because the netdev won't be add to todo +list, so it will leads a memleak, we need put the reference to +avoid memleak. + +Reported-by: Hulk Robot +Signed-off-by: Yang Yingliang +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/core/dev.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -7355,6 +7355,13 @@ int register_netdevice(struct net_device + rcu_barrier(); + + dev->reg_state = NETREG_UNREGISTERED; ++ /* We should put the kobject that hold in ++ * netdev_unregister_kobject(), otherwise ++ * the net device cannot be freed when ++ * driver calls free_netdev(), because the ++ * kobject is being hold. ++ */ ++ kobject_put(&dev->dev.kobj); + } + /* + * Prevent userspace races by waiting until the network diff --git a/queue-4.9/net-fix-the-arp-error-in-some-cases.patch b/queue-4.9/net-fix-the-arp-error-in-some-cases.patch new file mode 100644 index 00000000000..0bdac8e7ca3 --- /dev/null +++ b/queue-4.9/net-fix-the-arp-error-in-some-cases.patch 
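Review bot: The comment added before `kobject_put(&dev->dev.kobj)` in register_netdevice() is hard to parse ("that hold in", "is being hold") and does not say which reference is being dropped. A clearer wording: `/* netdev_unregister_kobject(), called via rollback_registered(), leaves the kobject reference in place; drop it here, otherwise free_netdev() can never release the device. */`. Since the device does not go through the todo list on this error path, it is worth confirming that nothing else in the rollback path drops the same reference. register_netdevice() starts before the hunk.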
@@ -0,0 +1,50 @@ +From foo@baz Sun 28 Jun 2020 02:29:11 PM CEST +From: guodeqing +Date: Wed, 17 Jun 2020 10:07:16 +0800 +Subject: net: Fix the arp error in some cases + +From: guodeqing + +[ Upstream commit 5eea3a63ff4aba6a26002e657a6d21934b7e2b96 ] + +ie., +$ ifconfig eth0 6.6.6.6 netmask 255.255.255.0 + +$ ip rule add from 6.6.6.6 table 6666 + +$ ip route add 9.9.9.9 via 6.6.6.6 + +$ ping -I 6.6.6.6 9.9.9.9 +PING 9.9.9.9 (9.9.9.9) from 6.6.6.6 : 56(84) bytes of data. + +3 packets transmitted, 0 received, 100% packet loss, time 2079ms + +$ arp +Address HWtype HWaddress Flags Mask Iface +6.6.6.6 (incomplete) eth0 + +The arp request address is error, this is because fib_table_lookup in +fib_check_nh lookup the destnation 9.9.9.9 nexthop, the scope of +the fib result is RT_SCOPE_LINK,the correct scope is RT_SCOPE_HOST. +Here I add a check of whether this is RT_TABLE_MAIN to solve this problem. + +Fixes: 3bfd847203c6 ("net: Use passed in table for nexthop lookups") +Signed-off-by: guodeqing +Reviewed-by: David Ahern +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/fib_semantics.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/ipv4/fib_semantics.c ++++ b/net/ipv4/fib_semantics.c +@@ -776,7 +776,7 @@ static int fib_check_nh(struct fib_confi + if (fl4.flowi4_scope < RT_SCOPE_LINK) + fl4.flowi4_scope = RT_SCOPE_LINK; + +- if (cfg->fc_table) ++ if (cfg->fc_table && cfg->fc_table != RT_TABLE_MAIN) + tbl = fib_get_table(net, cfg->fc_table); + + if (tbl) diff --git a/queue-4.9/net-usb-ax88179_178a-fix-packet-alignment-padding.patch b/queue-4.9/net-usb-ax88179_178a-fix-packet-alignment-padding.patch new file mode 100644 index 00000000000..ae7539e0757 --- /dev/null +++ b/queue-4.9/net-usb-ax88179_178a-fix-packet-alignment-padding.patch 
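Review bot: `if (cfg->fc_table && cfg->fc_table != RT_TABLE_MAIN)` in fib_check_nh() adds a special case with no comment, and the reason is only in the description (a direct fib_table_lookup() on the main table returned an RT_SCOPE_LINK result for a local nexthop where RT_SCOPE_HOST was expected). A comment such as `/* Skip the direct main-table lookup so the fallback lookup below, which presumably also consults the local table, returns the right nexthop scope */` would keep this from looking like an accidental exclusion. The fallback lookup itself is outside the hunk, as is the start of fib_check_nh().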
@@ -0,0 +1,69 @@ +From foo@baz Sun 28 Jun 2020 04:14:51 PM CEST +From: Jeremy Kerr +Date: Mon, 15 Jun 2020 10:54:56 +0800 +Subject: net: usb: ax88179_178a: fix packet alignment padding + +From: Jeremy Kerr + +[ Upstream commit e869e7a17798d85829fa7d4f9bbe1eebd4b2d3f6 ] + +Using a AX88179 device (0b95:1790), I see two bytes of appended data on +every RX packet. For example, this 48-byte ping, using 0xff as a +payload byte: + + 04:20:22.528472 IP 192.168.1.1 > 192.168.1.2: ICMP echo request, id 2447, seq 1, length 64 + 0x0000: 000a cd35 ea50 000a cd35 ea4f 0800 4500 + 0x0010: 0054 c116 4000 4001 f63e c0a8 0101 c0a8 + 0x0020: 0102 0800 b633 098f 0001 87ea cd5e 0000 + 0x0030: 0000 dcf2 0600 0000 0000 ffff ffff ffff + 0x0040: ffff ffff ffff ffff ffff ffff ffff ffff + 0x0050: ffff ffff ffff ffff ffff ffff ffff ffff + 0x0060: ffff 961f + +Those last two bytes - 96 1f - aren't part of the original packet. + +In the ax88179 RX path, the usbnet rx_fixup function trims a 2-byte +'alignment pseudo header' from the start of the packet, and sets the +length from a per-packet field populated by hardware. It looks like that +length field *includes* the 2-byte header; the current driver assumes +that it's excluded. + +This change trims the 2-byte alignment header after we've set the packet +length, so the resulting packet length is correct. While we're moving +the comment around, this also fixes the spelling of 'pseudo'. + +Signed-off-by: Jeremy Kerr +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/ax88179_178a.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +--- a/drivers/net/usb/ax88179_178a.c ++++ b/drivers/net/usb/ax88179_178a.c +@@ -1396,10 +1396,10 @@ static int ax88179_rx_fixup(struct usbne + } + + if (pkt_cnt == 0) { +- /* Skip IP alignment psudo header */ +- skb_pull(skb, 2); + skb->len = pkt_len; +- skb_set_tail_pointer(skb, pkt_len); ++ /* Skip IP alignment pseudo header */ ++ skb_pull(skb, 2); ++ skb_set_tail_pointer(skb, skb->len); + skb->truesize = pkt_len + sizeof(struct sk_buff); + ax88179_rx_checksum(skb, pkt_hdr); + return 1; +@@ -1408,8 +1408,9 @@ static int ax88179_rx_fixup(struct usbne + ax_skb = skb_clone(skb, GFP_ATOMIC); + if (ax_skb) { + ax_skb->len = pkt_len; +- ax_skb->data = skb->data + 2; +- skb_set_tail_pointer(ax_skb, pkt_len); ++ /* Skip IP alignment pseudo header */ ++ skb_pull(ax_skb, 2); ++ skb_set_tail_pointer(ax_skb, ax_skb->len); + ax_skb->truesize = pkt_len + sizeof(struct sk_buff); + ax88179_rx_checksum(ax_skb, pkt_hdr); + usbnet_skb_return(dev, ax_skb); diff --git a/queue-4.9/rocker-fix-incorrect-error-handling-in-dma_rings_init.patch b/queue-4.9/rocker-fix-incorrect-error-handling-in-dma_rings_init.patch new file mode 100644 index 00000000000..3e7d49e21bd --- /dev/null +++ b/queue-4.9/rocker-fix-incorrect-error-handling-in-dma_rings_init.patch 
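Review bot: `skb_pull(skb, 2)` now runs after `skb->len = pkt_len`, but nothing visible checks that pkt_len is at least 2; skb_pull() returns NULL without moving data when the length is shorter, and skb_set_tail_pointer() would then use the unpulled length. If the hardware length field is not validated earlier in ax88179_rx_fixup() (its start is outside the hunk), a guard such as `if (pkt_len < 2) return 0;` belongs before these lines, assuming the driver's existing convention of returning 0 to drop the buffer. Note also that `truesize = pkt_len + sizeof(struct sk_buff)` still counts the two header bytes, which is harmless but slightly overstates. The same remark applies to the cloned-skb branch in the second hunk of this file.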
@@ -0,0 +1,36 @@ +From foo@baz Sun 28 Jun 2020 04:14:51 PM CEST +From: Aditya Pakki +Date: Fri, 12 Jun 2020 15:27:55 -0500 +Subject: rocker: fix incorrect error handling in dma_rings_init + +From: Aditya Pakki + +[ Upstream commit 58d0c864e1a759a15c9df78f50ea5a5c32b3989e ] + +In rocker_dma_rings_init, the goto blocks in case of errors +caused by the functions rocker_dma_cmd_ring_waits_alloc() and +rocker_dma_ring_create() are incorrect. The patch fixes the +order consistent with cleanup in rocker_dma_rings_fini(). + +Signed-off-by: Aditya Pakki +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/rocker/rocker_main.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/rocker/rocker_main.c ++++ b/drivers/net/ethernet/rocker/rocker_main.c +@@ -648,10 +648,10 @@ static int rocker_dma_rings_init(struct + err_dma_event_ring_bufs_alloc: + rocker_dma_ring_destroy(rocker, &rocker->event_ring); + err_dma_event_ring_create: ++ rocker_dma_cmd_ring_waits_free(rocker); ++err_dma_cmd_ring_waits_alloc: + rocker_dma_ring_bufs_free(rocker, &rocker->cmd_ring, + PCI_DMA_BIDIRECTIONAL); +-err_dma_cmd_ring_waits_alloc: +- rocker_dma_cmd_ring_waits_free(rocker); + err_dma_cmd_ring_bufs_alloc: + rocker_dma_ring_destroy(rocker, &rocker->cmd_ring); + return err; diff --git a/queue-4.9/rxrpc-fix-notification-call-on-completion-of-discarded-calls.patch b/queue-4.9/rxrpc-fix-notification-call-on-completion-of-discarded-calls.patch new file mode 100644 index 00000000000..69109f97c98 --- /dev/null +++ b/queue-4.9/rxrpc-fix-notification-call-on-completion-of-discarded-calls.patch 
@@ -0,0 +1,146 @@ +From foo@baz Sun 28 Jun 2020 04:14:51 PM CEST +From: David Howells +Date: Fri, 19 Jun 2020 23:38:16 +0100 +Subject: rxrpc: Fix notification call on completion of discarded calls + +From: David Howells + +[ Upstream commit 0041cd5a50442db6e456b145892a0eaf2dff061f ] + +When preallocated service calls are being discarded, they're passed to +->discard_new_call() to have the caller clean up any attached higher-layer +preallocated pieces before being marked completed. However, the act of +marking them completed now invokes the call's notification function - which +causes a problem because that function might assume that the previously +freed pieces of memory are still there. + +Fix this by setting a dummy notification function on the socket after +calling ->discard_new_call(). + +This results in the following kasan message when the kafs module is +removed. + +================================================================== +BUG: KASAN: use-after-free in afs_wake_up_async_call+0x6aa/0x770 fs/afs/rxrpc.c:707 +Write of size 1 at addr ffff8880946c39e4 by task kworker/u4:1/21 + +CPU: 0 PID: 21 Comm: kworker/u4:1 Not tainted 5.8.0-rc1-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Workqueue: netns cleanup_net +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0x18f/0x20d lib/dump_stack.c:118 + print_address_description.constprop.0.cold+0xd3/0x413 mm/kasan/report.c:383 + __kasan_report mm/kasan/report.c:513 [inline] + kasan_report.cold+0x1f/0x37 mm/kasan/report.c:530 + afs_wake_up_async_call+0x6aa/0x770 fs/afs/rxrpc.c:707 + rxrpc_notify_socket+0x1db/0x5d0 net/rxrpc/recvmsg.c:40 + __rxrpc_set_call_completion.part.0+0x172/0x410 net/rxrpc/recvmsg.c:76 + __rxrpc_call_completed net/rxrpc/recvmsg.c:112 [inline] + rxrpc_call_completed+0xca/0xf0 net/rxrpc/recvmsg.c:111 + rxrpc_discard_prealloc+0x781/0xab0 net/rxrpc/call_accept.c:233 + rxrpc_listen+0x147/0x360 net/rxrpc/af_rxrpc.c:245 + 
afs_close_socket+0x95/0x320 fs/afs/rxrpc.c:110 + afs_net_exit+0x1bc/0x310 fs/afs/main.c:155 + ops_exit_list.isra.0+0xa8/0x150 net/core/net_namespace.c:186 + cleanup_net+0x511/0xa50 net/core/net_namespace.c:603 + process_one_work+0x965/0x1690 kernel/workqueue.c:2269 + worker_thread+0x96/0xe10 kernel/workqueue.c:2415 + kthread+0x3b5/0x4a0 kernel/kthread.c:291 + ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:293 + +Allocated by task 6820: + save_stack+0x1b/0x40 mm/kasan/common.c:48 + set_track mm/kasan/common.c:56 [inline] + __kasan_kmalloc mm/kasan/common.c:494 [inline] + __kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:467 + kmem_cache_alloc_trace+0x153/0x7d0 mm/slab.c:3551 + kmalloc include/linux/slab.h:555 [inline] + kzalloc include/linux/slab.h:669 [inline] + afs_alloc_call+0x55/0x630 fs/afs/rxrpc.c:141 + afs_charge_preallocation+0xe9/0x2d0 fs/afs/rxrpc.c:757 + afs_open_socket+0x292/0x360 fs/afs/rxrpc.c:92 + afs_net_init+0xa6c/0xe30 fs/afs/main.c:125 + ops_init+0xaf/0x420 net/core/net_namespace.c:151 + setup_net+0x2de/0x860 net/core/net_namespace.c:341 + copy_net_ns+0x293/0x590 net/core/net_namespace.c:482 + create_new_namespaces+0x3fb/0xb30 kernel/nsproxy.c:110 + unshare_nsproxy_namespaces+0xbd/0x1f0 kernel/nsproxy.c:231 + ksys_unshare+0x43d/0x8e0 kernel/fork.c:2983 + __do_sys_unshare kernel/fork.c:3051 [inline] + __se_sys_unshare kernel/fork.c:3049 [inline] + __x64_sys_unshare+0x2d/0x40 kernel/fork.c:3049 + do_syscall_64+0x60/0xe0 arch/x86/entry/common.c:359 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +Freed by task 21: + save_stack+0x1b/0x40 mm/kasan/common.c:48 + set_track mm/kasan/common.c:56 [inline] + kasan_set_free_info mm/kasan/common.c:316 [inline] + __kasan_slab_free+0xf7/0x140 mm/kasan/common.c:455 + __cache_free mm/slab.c:3426 [inline] + kfree+0x109/0x2b0 mm/slab.c:3757 + afs_put_call+0x585/0xa40 fs/afs/rxrpc.c:190 + rxrpc_discard_prealloc+0x764/0xab0 net/rxrpc/call_accept.c:230 + rxrpc_listen+0x147/0x360 net/rxrpc/af_rxrpc.c:245 + 
afs_close_socket+0x95/0x320 fs/afs/rxrpc.c:110 + afs_net_exit+0x1bc/0x310 fs/afs/main.c:155 + ops_exit_list.isra.0+0xa8/0x150 net/core/net_namespace.c:186 + cleanup_net+0x511/0xa50 net/core/net_namespace.c:603 + process_one_work+0x965/0x1690 kernel/workqueue.c:2269 + worker_thread+0x96/0xe10 kernel/workqueue.c:2415 + kthread+0x3b5/0x4a0 kernel/kthread.c:291 + ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:293 + +The buggy address belongs to the object at ffff8880946c3800 + which belongs to the cache kmalloc-1k of size 1024 +The buggy address is located 484 bytes inside of + 1024-byte region [ffff8880946c3800, ffff8880946c3c00) +The buggy address belongs to the page: +page:ffffea000251b0c0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 +flags: 0xfffe0000000200(slab) +raw: 00fffe0000000200 ffffea0002546508 ffffea00024fa248 ffff8880aa000c40 +raw: 0000000000000000 ffff8880946c3000 0000000100000002 0000000000000000 +page dumped because: kasan: bad access detected + +Memory state around the buggy address: + ffff8880946c3880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ffff8880946c3900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +>ffff8880946c3980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ^ + ffff8880946c3a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ffff8880946c3a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +================================================================== + +Reported-by: syzbot+d3eccef36ddbd02713e9@syzkaller.appspotmail.com +Fixes: 5ac0d62226a0 ("rxrpc: Fix missing notification") +Signed-off-by: David Howells +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/rxrpc/call_accept.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/net/rxrpc/call_accept.c ++++ b/net/rxrpc/call_accept.c +@@ -26,6 +26,11 @@ + #include + #include "ar-internal.h" + ++static void rxrpc_dummy_notify(struct sock *sk, struct rxrpc_call *call, ++ unsigned long user_call_ID) ++{ ++} ++ + /* + * Preallocate a single service call, connection and peer and, if possible, + * give them a user ID and attach the user's side of the ID to them. +@@ -224,6 +229,8 @@ void rxrpc_discard_prealloc(struct rxrpc + if (rx->discard_new_call) { + _debug("discard %lx", call->user_call_ID); + rx->discard_new_call(call, call->user_call_ID); ++ if (call->notify_rx) ++ call->notify_rx = rxrpc_dummy_notify; + rxrpc_put_call(call, rxrpc_call_put_kernel); + } + rxrpc_call_completed(call); diff --git a/queue-4.9/sctp-don-t-advertise-ipv4-addresses-if-ipv6only-is-set-on-the-socket.patch b/queue-4.9/sctp-don-t-advertise-ipv4-addresses-if-ipv6only-is-set-on-the-socket.patch new file mode 100644 index 00000000000..25c8e8f731e --- /dev/null +++ b/queue-4.9/sctp-don-t-advertise-ipv4-addresses-if-ipv6only-is-set-on-the-socket.patch 
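Review bot: rxrpc_dummy_notify() is added without a comment, and nothing at its definition says why a call would ever be pointed at a no-op notifier; the reason lives only in the commit message. In rxrpc_discard_prealloc() the call's notify_rx is replaced right after ->discard_new_call() has let the higher layer free its preallocated state, so the later rxrpc_call_completed() notification would otherwise call back into freed memory. I would document that at the definition: `/* Installed on a discarded preallocated call: after ->discard_new_call() the owner's state is gone, so completion must not reach the original notify_rx. */`. The commit text says the dummy is set "on the socket" while the code sets call->notify_rx; the comment should say "call" so the two agree. rxrpc_discard_prealloc() starts and ends outside the hunk.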
@@ -0,0 +1,86 @@ +From foo@baz Sun 28 Jun 2020 04:14:51 PM CEST +From: Marcelo Ricardo Leitner +Date: Wed, 24 Jun 2020 17:34:18 -0300 +Subject: sctp: Don't advertise IPv4 addresses if ipv6only is set on the socket + +From: Marcelo Ricardo Leitner + +[ Upstream commit 471e39df96b9a4c4ba88a2da9e25a126624d7a9c ] + +If a socket is set ipv6only, it will still send IPv4 addresses in the +INIT and INIT_ACK packets. This potentially misleads the peer into using +them, which then would cause association termination. + +The fix is to not add IPv4 addresses to ipv6only sockets. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: Corey Minyard +Signed-off-by: Marcelo Ricardo Leitner +Tested-by: Corey Minyard +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/net/sctp/constants.h | 8 +++++--- + net/sctp/associola.c | 5 ++++- + net/sctp/bind_addr.c | 1 + + net/sctp/protocol.c | 1 + + 4 files changed, 11 insertions(+), 4 deletions(-) + +--- a/include/net/sctp/constants.h ++++ b/include/net/sctp/constants.h +@@ -357,11 +357,13 @@ typedef enum { + ipv4_is_anycast_6to4(a)) + + /* Flags used for the bind address copy functions. */ +-#define SCTP_ADDR6_ALLOWED 0x00000001 /* IPv6 address is allowed by ++#define SCTP_ADDR4_ALLOWED 0x00000001 /* IPv4 address is allowed by + local sock family */ +-#define SCTP_ADDR4_PEERSUPP 0x00000002 /* IPv4 address is supported by ++#define SCTP_ADDR6_ALLOWED 0x00000002 /* IPv6 address is allowed by ++ local sock family */ ++#define SCTP_ADDR4_PEERSUPP 0x00000004 /* IPv4 address is supported by + peer */ +-#define SCTP_ADDR6_PEERSUPP 0x00000004 /* IPv6 address is supported by ++#define SCTP_ADDR6_PEERSUPP 0x00000008 /* IPv6 address is supported by + peer */ + + /* Reasons to retransmit. 
*/ +--- a/net/sctp/associola.c ++++ b/net/sctp/associola.c +@@ -1583,12 +1583,15 @@ void sctp_assoc_rwnd_decrease(struct sct + int sctp_assoc_set_bind_addr_from_ep(struct sctp_association *asoc, + sctp_scope_t scope, gfp_t gfp) + { ++ struct sock *sk = asoc->base.sk; + int flags; + + /* Use scoping rules to determine the subset of addresses from + * the endpoint. + */ +- flags = (PF_INET6 == asoc->base.sk->sk_family) ? SCTP_ADDR6_ALLOWED : 0; ++ flags = (PF_INET6 == sk->sk_family) ? SCTP_ADDR6_ALLOWED : 0; ++ if (!inet_v6_ipv6only(sk)) ++ flags |= SCTP_ADDR4_ALLOWED; + if (asoc->peer.ipv4_address) + flags |= SCTP_ADDR4_PEERSUPP; + if (asoc->peer.ipv6_address) +--- a/net/sctp/bind_addr.c ++++ b/net/sctp/bind_addr.c +@@ -451,6 +451,7 @@ static int sctp_copy_one_addr(struct net + * well as the remote peer. + */ + if ((((AF_INET == addr->sa.sa_family) && ++ (flags & SCTP_ADDR4_ALLOWED) && + (flags & SCTP_ADDR4_PEERSUPP))) || + (((AF_INET6 == addr->sa.sa_family) && + (flags & SCTP_ADDR6_ALLOWED) && +--- a/net/sctp/protocol.c ++++ b/net/sctp/protocol.c +@@ -210,6 +210,7 @@ int sctp_copy_local_addr_list(struct net + * sock as well as the remote peer. + */ + if ((((AF_INET == addr->a.sa.sa_family) && ++ (copy_flags & SCTP_ADDR4_ALLOWED) && + (copy_flags & SCTP_ADDR4_PEERSUPP))) || + (((AF_INET6 == addr->a.sa.sa_family) && + (copy_flags & SCTP_ADDR6_ALLOWED) && diff --git a/queue-4.9/series b/queue-4.9/series index d38a2626a99..1d7047a5655 100644 --- a/queue-4.9/series +++ b/queue-4.9/series 
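Review bot: Inserting SCTP_ADDR4_ALLOWED and renumbering SCTP_ADDR6_ALLOWED, SCTP_ADDR4_PEERSUPP and SCTP_ADDR6_PEERSUPP changes the meaning of every flags word built outside this patch: in sctp_copy_one_addr() and sctp_copy_local_addr_list() an IPv4 address is now copied only when SCTP_ADDR4_ALLOWED is set alongside SCTP_ADDR4_PEERSUPP, so any caller that still passes only the PEERSUPP bit silently stops advertising IPv4 addresses. Only sctp_assoc_set_bind_addr_from_ep() is updated here; other callers that build copy flags are outside this view and should be grepped for. A short comment on the flag block would make the requirement explicit: `/* An address family is copied only if both its *_ALLOWED and *_PEERSUPP flags are set. */`. The flag comments in constants.h and the conditions in bind_addr.c and protocol.c all continue outside their hunks.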
@@ -129,3 +129,17 @@ scsi-scsi_devinfo-handle-non-terminated-strings.patch l2tp-allow-duplicate-session-creation-with-udp.patch net-sched-export-__netdev_watchdog_up.patch fix-a-braino-in-sparc32-fix-register-window-handling.patch +mld-fix-memory-leak-in-ipv6_mc_destroy_dev.patch +net-fix-memleak-in-register_netdevice.patch +net-usb-ax88179_178a-fix-packet-alignment-padding.patch +rocker-fix-incorrect-error-handling-in-dma_rings_init.patch +rxrpc-fix-notification-call-on-completion-of-discarded-calls.patch +tg3-driver-sleeps-indefinitely-when-eeh-errors-exceed-eeh_max_freezes.patch +ip_tunnel-fix-use-after-free-in-ip_tunnel_lookup.patch +tcp_cubic-fix-spurious-hystart_delay-exit-upon-drop-in-min-rtt.patch +ip6_gre-fix-use-after-free-in-ip6gre_tunnel_lookup.patch +tcp-grow-window-for-ooo-packets-only-for-sack-flows.patch +sctp-don-t-advertise-ipv4-addresses-if-ipv6only-is-set-on-the-socket.patch +net-fix-the-arp-error-in-some-cases.patch +net-do-not-clear-the-sock-tx-queue-in-sk_set_socket.patch +net-core-reduce-recursion-limit-value.patch diff --git a/queue-4.9/tcp-grow-window-for-ooo-packets-only-for-sack-flows.patch b/queue-4.9/tcp-grow-window-for-ooo-packets-only-for-sack-flows.patch new file mode 100644 index 00000000000..8fba5abcdc8 --- /dev/null +++ b/queue-4.9/tcp-grow-window-for-ooo-packets-only-for-sack-flows.patch 
@@ -0,0 +1,94 @@ +From foo@baz Sun 28 Jun 2020 04:14:51 PM CEST +From: Eric Dumazet +Date: Mon, 15 Jun 2020 20:37:07 -0700 +Subject: tcp: grow window for OOO packets only for SACK flows + +From: Eric Dumazet + +[ Upstream commit 662051215c758ae8545451628816204ed6cd372d ] + +Back in 2013, we made a change that broke fast retransmit +for non SACK flows. + +Indeed, for these flows, a sender needs to receive three duplicate +ACK before starting fast retransmit. Sending ACK with different +receive window do not count. + +Even if enabling SACK is strongly recommended these days, +there still are some cases where it has to be disabled. + +Not increasing the window seems better than having to +rely on RTO. + +After the fix, following packetdrill test gives : + +// Initialize connection + 0 socket(..., SOCK_STREAM, IPPROTO_TCP) = 3 + +0 setsockopt(3, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0 + +0 bind(3, ..., ...) = 0 + +0 listen(3, 1) = 0 + + +0 < S 0:0(0) win 32792 + +0 > S. 0:0(0) ack 1 + +0 < . 1:1(0) ack 1 win 514 + + +0 accept(3, ..., ...) = 4 + + +0 < . 1:1001(1000) ack 1 win 514 +// Quick ack + +0 > . 1:1(0) ack 1001 win 264 + + +0 < . 2001:3001(1000) ack 1 win 514 +// DUPACK : Normally we should not change the window + +0 > . 1:1(0) ack 1001 win 264 + + +0 < . 3001:4001(1000) ack 1 win 514 +// DUPACK : Normally we should not change the window + +0 > . 1:1(0) ack 1001 win 264 + + +0 < . 4001:5001(1000) ack 1 win 514 +// DUPACK : Normally we should not change the window + +0 > . 1:1(0) ack 1001 win 264 + + +0 < . 1001:2001(1000) ack 1 win 514 +// Hole is repaired. + +0 > . 1:1(0) ack 5001 win 272 + +Fixes: 4e4f1fc22681 ("tcp: properly increase rcv_ssthresh for ofo packets") +Signed-off-by: Eric Dumazet +Reported-by: Venkat Venkatsubra +Acked-by: Neal Cardwell +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/tcp_input.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +--- a/net/ipv4/tcp_input.c ++++ b/net/ipv4/tcp_input.c +@@ -4537,7 +4537,11 @@ static void tcp_data_queue_ofo(struct so + if (tcp_ooo_try_coalesce(sk, tp->ooo_last_skb, + skb, &fragstolen)) { + coalesce_done: +- tcp_grow_window(sk, skb); ++ /* For non sack flows, do not grow window to force DUPACK ++ * and trigger fast retransmit. ++ */ ++ if (tcp_is_sack(tp)) ++ tcp_grow_window(sk, skb); + kfree_skb_partial(skb, fragstolen); + skb = NULL; + goto add_sack; +@@ -4621,7 +4625,11 @@ add_sack: + tcp_sack_new_ofo_skb(sk, seq, end_seq); + end: + if (skb) { +- tcp_grow_window(sk, skb); ++ /* For non sack flows, do not grow window to force DUPACK ++ * and trigger fast retransmit. ++ */ ++ if (tcp_is_sack(tp)) ++ tcp_grow_window(sk, skb); + skb_set_owner_r(skb, sk); + } + } diff --git a/queue-4.9/tcp_cubic-fix-spurious-hystart_delay-exit-upon-drop-in-min-rtt.patch b/queue-4.9/tcp_cubic-fix-spurious-hystart_delay-exit-upon-drop-in-min-rtt.patch new file mode 100644 index 00000000000..cb92162a1b2 --- /dev/null +++ b/queue-4.9/tcp_cubic-fix-spurious-hystart_delay-exit-upon-drop-in-min-rtt.patch 
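Review bot: The comment added at both sites, `For non sack flows, do not grow window to force DUPACK and trigger fast retransmit`, states the effect but not the rule behind it, and it is duplicated verbatim at coalesce_done: and at end:. A non-SACK sender counts an incoming ACK as a duplicate only when its advertised window is unchanged (RFC 5681 section 3.2), so growing the window here turns the three DUPACKs into window updates and leaves recovery to the RTO; I would say that once, e.g. `/* RFC 5681 3.2: a non-SACK sender counts a DUPACK only when the advertised window is unchanged, so grow it for SACK flows only. */`, and have the second site read `/* see coalesce_done: */`. tp is declared outside the hunks; both sit inside tcp_data_queue_ofo(), which begins and ends outside this view.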
@@ -0,0 +1,50 @@
+From foo@baz Sun 28 Jun 2020 04:14:51 PM CEST
+From: Neal Cardwell
+Date: Wed, 24 Jun 2020 12:42:02 -0400
+Subject: tcp_cubic: fix spurious HYSTART_DELAY exit upon drop in min RTT
+
+From: Neal Cardwell
+
+[ Upstream commit b344579ca8478598937215f7005d6c7b84d28aee ]
+
+Mirja Kuehlewind reported a bug in Linux TCP CUBIC Hystart, where
+Hystart HYSTART_DELAY mechanism can exit Slow Start spuriously on an
+ACK when the minimum rtt of a connection goes down. From inspection it
+is clear from the existing code that this could happen in an example
+like the following:
+
+o The first 8 RTT samples in a round trip are 150ms, resulting in a
+ curr_rtt of 150ms and a delay_min of 150ms.
+
+o The 9th RTT sample is 100ms. The curr_rtt does not change after the
+ first 8 samples, so curr_rtt remains 150ms. But delay_min can be
+ lowered at any time, so delay_min falls to 100ms. The code executes
+ the HYSTART_DELAY comparison between curr_rtt of 150ms and delay_min
+ of 100ms, and the curr_rtt is declared far enough above delay_min to
+ force a (spurious) exit of Slow start.
+
+The fix here is simple: allow every RTT sample in a round trip to
+lower the curr_rtt.
+
+Fixes: ae27e98a5152 ("[TCP] CUBIC v2.3")
+Reported-by: Mirja Kuehlewind
+Signed-off-by: Neal Cardwell
+Signed-off-by: Eric Dumazet
+Acked-by: Soheil Hassas Yeganeh
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv4/tcp_cubic.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/ipv4/tcp_cubic.c
++++ b/net/ipv4/tcp_cubic.c
+@@ -414,6 +414,8 @@ static void hystart_update(struct sock *
+
+ if (hystart_detect & HYSTART_DELAY) {
+ /* obtain the minimum delay of more than sampling packets */
++ if (ca->curr_rtt > delay)
++ ca->curr_rtt = delay;
+ if (ca->sample_cnt < HYSTART_MIN_SAMPLES) {
+ if (ca->curr_rtt == 0 || ca->curr_rtt > delay)
+ ca->curr_rtt = delay;
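Review bot: After the two added lines, the `|| ca->curr_rtt > delay` half of the condition two lines below can no longer be true: curr_rtt has just been lowered to at most delay, so the only case left for that inner assignment is curr_rtt == 0 at the start of a round. The patch leaves it in place, which keeps the backport minimal, but a comment would spare the next reader from working that out, e.g. `/* curr_rtt now only needs seeding when a new round has zeroed it */`. The existing comment `obtain the minimum delay of more than sampling packets` is hard to parse; `track the minimum RTT seen in this round` describes what the code now does. hystart_update() and the later comparison against delay_min continue outside the hunk.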
diff --git a/queue-4.9/tg3-driver-sleeps-indefinitely-when-eeh-errors-exceed-eeh_max_freezes.patch b/queue-4.9/tg3-driver-sleeps-indefinitely-when-eeh-errors-exceed-eeh_max_freezes.patch
new file mode 100644
index 00000000000..d78e9a33822
--- /dev/null
+++ b/queue-4.9/tg3-driver-sleeps-indefinitely-when-eeh-errors-exceed-eeh_max_freezes.patch
@@ -0,0 +1,37 @@
+From foo@baz Sun 28 Jun 2020 04:14:51 PM CEST
+From: David Christensen
+Date: Wed, 17 Jun 2020 11:51:17 -0700
+Subject: tg3: driver sleeps indefinitely when EEH errors exceed eeh_max_freezes
+
+From: David Christensen
+
+[ Upstream commit 3a2656a211caf35e56afc9425e6e518fa52f7fbc ]
+
+The driver function tg3_io_error_detected() calls napi_disable twice,
+without an intervening napi_enable, when the number of EEH errors exceeds
+eeh_max_freezes, resulting in an indefinite sleep while holding rtnl_lock.
+
+Add check for pcierr_recovery which skips code already executed for the
+"Frozen" state.
+
+Signed-off-by: David Christensen
+Reviewed-by: Michael Chan
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/broadcom/tg3.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/broadcom/tg3.c
++++ b/drivers/net/ethernet/broadcom/tg3.c
+@@ -18174,8 +18174,8 @@ static pci_ers_result_t tg3_io_error_det
+
+ rtnl_lock();
+
+- /* We probably don't have netdev yet */
+- if (!netdev || !netif_running(netdev))
++ /* Could be second call or maybe we don't have netdev yet */
++ if (!netdev || tp->pcierr_recovery || !netif_running(netdev))
+ goto done;
+
+ /* We needn't recover from permanent error */
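Review bot: The new condition `!netdev || tp->pcierr_recovery || !netif_running(netdev)` dereferences tp, which in this function is presumably derived from netdev and therefore only safe to touch once the `!netdev` test has already failed; the operand order is load-bearing and nothing says so. Whoever next regroups these tests could move the tp read ahead of the NULL check and turn the no-netdev case into an invalid dereference. I would make that explicit in the rewritten comment: `/* Could be second call or maybe we don't have netdev yet; test !netdev first, tp is derived from it */`. tg3_io_error_detected() begins and ends outside the hunk, so I could not confirm where tp is assigned.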