From 050c82f86ec4708221f722819f7872690d2de123 Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman Date: Tue, 2 Jul 2019 06:10:48 +0200 Subject: [PATCH] 5.1-stable patches added patches: af_packet-block-execution-of-tasks-waiting-for-transmit-to-complete-in-af_packet.patch bonding-always-enable-vlan-tx-offload.patch ipv4-use-return-value-of-inet_iif-for-__raw_v4_lookup-in-the-while-loop.patch net-aquantia-fix-vlans-not-working-over-bridged-network.patch net-packet-fix-memory-leak-in-packet_set_ring.patch net-remove-duplicate-fetch-in-sock_getsockopt.patch net-stmmac-fixed-new-system-time-seconds-value-calculation.patch net-stmmac-set-ic-bit-when-transmitting-frames-with-hw-timestamp.patch net-tls-fix-page-double-free-on-tx-cleanup.patch sctp-change-to-hold-sk-after-auth-shkey-is-created-successfully.patch team-always-enable-vlan-tx-offload.patch tipc-change-to-use-register_pernet_device.patch tipc-check-msg-req-data-len-in-tipc_nl_compat_bearer_disable.patch tun-wake-up-waitqueues-after-iff_up-is-set.patch --- ...or-transmit-to-complete-in-af_packet.patch | 153 ++++++++++++++++++ ...onding-always-enable-vlan-tx-offload.patch | 50 ++++++ ...or-__raw_v4_lookup-in-the-while-loop.patch | 34 ++++ ...ans-not-working-over-bridged-network.patch | 125 ++++++++++++++ ...t-fix-memory-leak-in-packet_set_ring.patch | 41 +++++ ...e-duplicate-fetch-in-sock_getsockopt.patch | 37 +++++ ...ystem-time-seconds-value-calculation.patch | 44 +++++ ...ransmitting-frames-with-hw-timestamp.patch | 71 ++++++++ ...s-fix-page-double-free-on-tx-cleanup.patch | 100 ++++++++++++ ...r-auth-shkey-is-created-successfully.patch | 51 ++++++ queue-5.1/series | 14 ++ .../team-always-enable-vlan-tx-offload.patch | 37 +++++ ...change-to-use-register_pernet_device.patch | 100 ++++++++++++ ...len-in-tipc_nl_compat_bearer_disable.patch | 88 ++++++++++ ...ke-up-waitqueues-after-iff_up-is-set.patch | 76 +++++++++ 15 files changed, 1021 insertions(+) create mode 100644 queue-5.1/af_packet-block-execution-of-tasks-waiting-for-transmit-to-complete-in-af_packet.patch create mode 100644 
queue-5.1/bonding-always-enable-vlan-tx-offload.patch create mode 100644 queue-5.1/ipv4-use-return-value-of-inet_iif-for-__raw_v4_lookup-in-the-while-loop.patch create mode 100644 queue-5.1/net-aquantia-fix-vlans-not-working-over-bridged-network.patch create mode 100644 queue-5.1/net-packet-fix-memory-leak-in-packet_set_ring.patch create mode 100644 queue-5.1/net-remove-duplicate-fetch-in-sock_getsockopt.patch create mode 100644 queue-5.1/net-stmmac-fixed-new-system-time-seconds-value-calculation.patch create mode 100644 queue-5.1/net-stmmac-set-ic-bit-when-transmitting-frames-with-hw-timestamp.patch create mode 100644 queue-5.1/net-tls-fix-page-double-free-on-tx-cleanup.patch create mode 100644 queue-5.1/sctp-change-to-hold-sk-after-auth-shkey-is-created-successfully.patch create mode 100644 queue-5.1/team-always-enable-vlan-tx-offload.patch create mode 100644 queue-5.1/tipc-change-to-use-register_pernet_device.patch create mode 100644 queue-5.1/tipc-check-msg-req-data-len-in-tipc_nl_compat_bearer_disable.patch create mode 100644 queue-5.1/tun-wake-up-waitqueues-after-iff_up-is-set.patch diff --git a/queue-5.1/af_packet-block-execution-of-tasks-waiting-for-transmit-to-complete-in-af_packet.patch b/queue-5.1/af_packet-block-execution-of-tasks-waiting-for-transmit-to-complete-in-af_packet.patch new file mode 100644 index 00000000000..5fa96f1db47 --- /dev/null +++ b/queue-5.1/af_packet-block-execution-of-tasks-waiting-for-transmit-to-complete-in-af_packet.patch 
@@ -0,0 +1,153 @@ +From foo@baz Tue 02 Jul 2019 06:09:00 AM CEST +From: Neil Horman +Date: Tue, 25 Jun 2019 17:57:49 -0400 +Subject: af_packet: Block execution of tasks waiting for transmit to complete in AF_PACKET + +From: Neil Horman + +[ Upstream commit 89ed5b519004a7706f50b70f611edbd3aaacff2c ] + +When an application is run that: +a) Sets its scheduler to be SCHED_FIFO +and +b) Opens a memory mapped AF_PACKET socket, and sends frames with the +MSG_DONTWAIT flag cleared, its possible for the application to hang +forever in the kernel. This occurs because when waiting, the code in +tpacket_snd calls schedule, which under normal circumstances allows +other tasks to run, including ksoftirqd, which in some cases is +responsible for freeing the transmitted skb (which in AF_PACKET calls a +destructor that flips the status bit of the transmitted frame back to +available, allowing the transmitting task to complete). + +However, when the calling application is SCHED_FIFO, its priority is +such that the schedule call immediately places the task back on the cpu, +preventing ksoftirqd from freeing the skb, which in turn prevents the +transmitting task from detecting that the transmission is complete. + +We can fix this by converting the schedule call to a completion +mechanism. By using a completion queue, we force the calling task, when +it detects there are no more frames to send, to schedule itself off the +cpu until such time as the last transmitted skb is freed, allowing +forward progress to be made. + +Tested by myself and the reporter, with good results + +Change Notes: + +V1->V2: + Enhance the sleep logic to support being interruptible and +allowing for honoring to SK_SNDTIMEO (Willem de Bruijn) + +V2->V3: + Rearrage the point at which we wait for the completion queue, to +avoid needing to check for ph/skb being null at the end of the loop. +Also move the complete call to the skb destructor to avoid needing to +modify __packet_set_status. 
Also gate calling complete on +packet_read_pending returning zero to avoid multiple calls to complete. +(Willem de Bruijn) + + Move timeo computation within loop, to re-fetch the socket +timeout since we also use the timeo variable to record the return code +from the wait_for_complete call (Neil Horman) + +V3->V4: + Willem has requested that the control flow be restored to the +previous state. Doing so lets us eliminate the need for the +po->wait_on_complete flag variable, and lets us get rid of the +packet_next_frame function, but introduces another complexity. +Specifically, but using the packet pending count, we can, if an +applications calls sendmsg multiple times with MSG_DONTWAIT set, each +set of transmitted frames, when complete, will cause +tpacket_destruct_skb to issue a complete call, for which there will +never be a wait_on_completion call. This imbalance will lead to any +future call to wait_for_completion here to return early, when the frames +they sent may not have completed. To correct this, we need to re-init +the completion queue on every call to tpacket_snd before we enter the +loop so as to ensure we wait properly for the frames we send in this +iteration. + + Change the timeout and interrupted gotos to out_put rather than +out_status so that we don't try to free a non-existant skb + Clean up some extra newlines (Willem de Bruijn) + +Reviewed-by: Willem de Bruijn +Signed-off-by: Neil Horman +Reported-by: Matteo Croce +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/packet/af_packet.c | 20 +++++++++++++++++--- + net/packet/internal.h | 1 + + 2 files changed, 18 insertions(+), 3 deletions(-) + +--- a/net/packet/af_packet.c ++++ b/net/packet/af_packet.c +@@ -2409,6 +2409,9 @@ static void tpacket_destruct_skb(struct + + ts = __packet_set_timestamp(po, ph, skb); + __packet_set_status(po, ph, TP_STATUS_AVAILABLE | ts); ++ ++ if (!packet_read_pending(&po->tx_ring)) ++ complete(&po->skb_completion); + } + + sock_wfree(skb); +@@ -2593,7 +2596,7 @@ static int tpacket_parse_header(struct p + + static int tpacket_snd(struct packet_sock *po, struct msghdr *msg) + { +- struct sk_buff *skb; ++ struct sk_buff *skb = NULL; + struct net_device *dev; + struct virtio_net_hdr *vnet_hdr = NULL; + struct sockcm_cookie sockc; +@@ -2608,6 +2611,7 @@ static int tpacket_snd(struct packet_soc + int len_sum = 0; + int status = TP_STATUS_AVAILABLE; + int hlen, tlen, copylen = 0; ++ long timeo = 0; + + mutex_lock(&po->pg_vec_lock); + +@@ -2654,12 +2658,21 @@ static int tpacket_snd(struct packet_soc + if ((size_max > dev->mtu + reserve + VLAN_HLEN) && !po->has_vnet_hdr) + size_max = dev->mtu + reserve + VLAN_HLEN; + ++ reinit_completion(&po->skb_completion); ++ + do { + ph = packet_current_frame(po, &po->tx_ring, + TP_STATUS_SEND_REQUEST); + if (unlikely(ph == NULL)) { +- if (need_wait && need_resched()) +- schedule(); ++ if (need_wait && skb) { ++ timeo = sock_sndtimeo(&po->sk, msg->msg_flags & MSG_DONTWAIT); ++ timeo = wait_for_completion_interruptible_timeout(&po->skb_completion, timeo); ++ if (timeo <= 0) { ++ err = !timeo ? 
-ETIMEDOUT : -ERESTARTSYS; ++ goto out_put; ++ } ++ } ++ /* check for additional frames */ + continue; + } + +@@ -3215,6 +3228,7 @@ static int packet_create(struct net *net + sock_init_data(sock, sk); + + po = pkt_sk(sk); ++ init_completion(&po->skb_completion); + sk->sk_family = PF_PACKET; + po->num = proto; + po->xmit = dev_queue_xmit; +--- a/net/packet/internal.h ++++ b/net/packet/internal.h +@@ -128,6 +128,7 @@ struct packet_sock { + unsigned int tp_hdrlen; + unsigned int tp_reserve; + unsigned int tp_tstamp; ++ struct completion skb_completion; + struct net_device __rcu *cached_dev; + int (*xmit)(struct sk_buff *skb); + struct packet_type prot_hook ____cacheline_aligned_in_smp; diff --git a/queue-5.1/bonding-always-enable-vlan-tx-offload.patch b/queue-5.1/bonding-always-enable-vlan-tx-offload.patch new file mode 100644 index 00000000000..6996906bb1d --- /dev/null +++ b/queue-5.1/bonding-always-enable-vlan-tx-offload.patch 
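Review bot: In the tpacket_snd wait branch, `timeo` first holds the send timeout and is then overwritten with the return value of `wait_for_completion_interruptible_timeout()`, which is why it has to be re-read from the socket on every pass. That reuse is explained only in the commit message; a comment at the call would help, e.g. `/* timeo is reused as the wait result, so re-read SO_SNDTIMEO each pass */`. The noblock argument `msg->msg_flags & MSG_DONTWAIT` is evaluated inside `if (need_wait && skb)`. need_wait is defined outside the hunk, but if it is derived from the same flag the argument is always zero here and could be written as `0`. The timeout and signal exits go to out_put with a negative `err`; whether frames already queued by this call are still reported to the caller is decided outside the hunk and should be checked.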
@@ -0,0 +1,50 @@
+From foo@baz Tue 02 Jul 2019 06:09:00 AM CEST
+From: YueHaibing
+Date: Wed, 26 Jun 2019 16:08:44 +0800
+Subject: bonding: Always enable vlan tx offload
+
+From: YueHaibing
+
+[ Upstream commit 30d8177e8ac776d89d387fad547af6a0f599210e ]
+
+We build vlan on top of bonding interface, which vlan offload
+is off, bond mode is 802.3ad (LACP) and xmit_hash_policy is
+BOND_XMIT_POLICY_ENCAP34.
+
+Because vlan tx offload is off, vlan tci is cleared and skb push
+the vlan header in validate_xmit_vlan() while sending from vlan
+devices. Then in bond_xmit_hash, __skb_flow_dissect() fails to
+get information from protocol headers encapsulated within vlan,
+because 'nhoff' is points to IP header, so bond hashing is based
+on layer 2 info, which fails to distribute packets across slaves.
+
+This patch always enable bonding's vlan tx offload, pass the vlan
+packets to the slave devices with vlan tci, let them to handle
+vlan implementation.
+
+Fixes: 278339a42a1b ("bonding: propogate vlan_features to bonding master")
+Suggested-by: Jiri Pirko
+Signed-off-by: YueHaibing
+Acked-by: Jiri Pirko
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/bonding/bond_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -4321,12 +4321,12 @@ void bond_setup(struct net_device *bond_
+ bond_dev->features |= NETIF_F_NETNS_LOCAL;
+
+ bond_dev->hw_features = BOND_VLAN_FEATURES |
+- NETIF_F_HW_VLAN_CTAG_TX |
+ NETIF_F_HW_VLAN_CTAG_RX |
+ NETIF_F_HW_VLAN_CTAG_FILTER;
+
+ bond_dev->hw_features |= NETIF_F_GSO_ENCAP_ALL | NETIF_F_GSO_UDP_L4;
+ bond_dev->features |= bond_dev->hw_features;
++ bond_dev->features |= NETIF_F_HW_VLAN_CTAG_TX | NETIF_F_HW_VLAN_STAG_TX;
+ }
+
+ /* Destroy a bonding device.
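Review bot: In bond_setup, NETIF_F_HW_VLAN_CTAG_TX is dropped from `hw_features` and then set directly in `features` together with NETIF_F_HW_VLAN_STAG_TX, but nothing in the code says why these two bits are handled apart from the others. Because hw_features is the user-toggleable set, a short comment would keep a later cleanup from folding them back, e.g. `/* VLAN TX offload is always on and not user-toggleable: the tag must reach the slave in vlan_tci so bond_xmit_hash can dissect the inner headers */`. The commit message only argues the CTAG case, so the added STAG bit deserves a word as well. The team_setup hunk in team-always-enable-vlan-tx-offload.patch makes the same change and would take the same comment.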
diff --git a/queue-5.1/ipv4-use-return-value-of-inet_iif-for-__raw_v4_lookup-in-the-while-loop.patch b/queue-5.1/ipv4-use-return-value-of-inet_iif-for-__raw_v4_lookup-in-the-while-loop.patch
new file mode 100644
index 00000000000..08e033c1976
--- /dev/null
+++ b/queue-5.1/ipv4-use-return-value-of-inet_iif-for-__raw_v4_lookup-in-the-while-loop.patch
@@ -0,0 +1,34 @@
+From foo@baz Tue 02 Jul 2019 06:09:00 AM CEST
+From: Stephen Suryaputra
+Date: Mon, 24 Jun 2019 20:14:06 -0400
+Subject: ipv4: Use return value of inet_iif() for __raw_v4_lookup in the while loop
+
+From: Stephen Suryaputra
+
+[ Upstream commit 38c73529de13e1e10914de7030b659a2f8b01c3b ]
+
+In commit 19e4e768064a8 ("ipv4: Fix raw socket lookup for local
+traffic"), the dif argument to __raw_v4_lookup() is coming from the
+returned value of inet_iif() but the change was done only for the first
+lookup. Subsequent lookups in the while loop still use skb->dev->ifIndex.
+
+Fixes: 19e4e768064a8 ("ipv4: Fix raw socket lookup for local traffic")
+Signed-off-by: Stephen Suryaputra
+Reviewed-by: David Ahern
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv4/raw.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv4/raw.c
++++ b/net/ipv4/raw.c
+@@ -201,7 +201,7 @@ static int raw_v4_input(struct sk_buff *
+ }
+ sk = __raw_v4_lookup(net, sk_next(sk), iph->protocol,
+ iph->saddr, iph->daddr,
+- skb->dev->ifindex, sdif);
++ dif, sdif);
+ }
+ out:
+ read_unlock(&raw_v4_hashinfo.lock);
diff --git a/queue-5.1/net-aquantia-fix-vlans-not-working-over-bridged-network.patch b/queue-5.1/net-aquantia-fix-vlans-not-working-over-bridged-network.patch
new file mode 100644
index 00000000000..9521287cb39
--- /dev/null
+++ b/queue-5.1/net-aquantia-fix-vlans-not-working-over-bridged-network.patch
@@ -0,0 +1,125 @@ +From foo@baz Tue 02 Jul 2019 06:09:00 AM CEST +From: Dmitry Bogdanov +Date: Sat, 22 Jun 2019 08:46:37 +0000 +Subject: net: aquantia: fix vlans not working over bridged network + +From: Dmitry Bogdanov + +[ Upstream commit 48dd73d08d4dda47ee31cc8611fb16840fc16803 ] + +In configuration of vlan over bridge over aquantia device +it was found that vlan tagged traffic is dropped on chip. + +The reason is that bridge device enables promisc mode, +but in atlantic chip vlan filters will still apply. +So we have to corellate promisc settings with vlan configuration. + +The solution is to track in a separate state variable the +need of vlan forced promisc. And also consider generic +promisc configuration when doing vlan filter config. + +Fixes: 7975d2aff5af ("net: aquantia: add support of rx-vlan-filter offload") +Signed-off-by: Dmitry Bogdanov +Signed-off-by: Igor Russkikh +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/aquantia/atlantic/aq_filters.c | 10 +++++-- + drivers/net/ethernet/aquantia/atlantic/aq_nic.c | 1 + drivers/net/ethernet/aquantia/atlantic/aq_nic.h | 1 + drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_b0.c | 19 +++++++++----- + 4 files changed, 23 insertions(+), 8 deletions(-) + +--- a/drivers/net/ethernet/aquantia/atlantic/aq_filters.c ++++ b/drivers/net/ethernet/aquantia/atlantic/aq_filters.c +@@ -843,9 +843,14 @@ int aq_filters_vlans_update(struct aq_ni + return err; + + if (aq_nic->ndev->features & NETIF_F_HW_VLAN_CTAG_FILTER) { +- if (hweight < AQ_VLAN_MAX_FILTERS) +- err = aq_hw_ops->hw_filter_vlan_ctrl(aq_hw, true); ++ if (hweight < AQ_VLAN_MAX_FILTERS && hweight > 0) { ++ err = aq_hw_ops->hw_filter_vlan_ctrl(aq_hw, ++ !(aq_nic->packet_filter & IFF_PROMISC)); ++ aq_nic->aq_nic_cfg.is_vlan_force_promisc = false; ++ } else { + /* otherwise left in promiscue mode */ ++ aq_nic->aq_nic_cfg.is_vlan_force_promisc = true; ++ } + } + + return err; +@@ -866,6 +871,7 @@ int 
aq_filters_vlan_offload_off(struct a + if (unlikely(!aq_hw_ops->hw_filter_vlan_ctrl)) + return -EOPNOTSUPP; + ++ aq_nic->aq_nic_cfg.is_vlan_force_promisc = true; + err = aq_hw_ops->hw_filter_vlan_ctrl(aq_hw, false); + if (err) + return err; +--- a/drivers/net/ethernet/aquantia/atlantic/aq_nic.c ++++ b/drivers/net/ethernet/aquantia/atlantic/aq_nic.c +@@ -117,6 +117,7 @@ void aq_nic_cfg_start(struct aq_nic_s *s + + cfg->link_speed_msk &= cfg->aq_hw_caps->link_speed_msk; + cfg->features = cfg->aq_hw_caps->hw_features; ++ cfg->is_vlan_force_promisc = true; + } + + static int aq_nic_update_link_status(struct aq_nic_s *self) +--- a/drivers/net/ethernet/aquantia/atlantic/aq_nic.h ++++ b/drivers/net/ethernet/aquantia/atlantic/aq_nic.h +@@ -36,6 +36,7 @@ struct aq_nic_cfg_s { + u32 flow_control; + u32 link_speed_msk; + u32 wol; ++ bool is_vlan_force_promisc; + u16 is_mc_list_enabled; + u16 mc_list_count; + bool is_autoneg; +--- a/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_b0.c ++++ b/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_b0.c +@@ -771,8 +771,15 @@ static int hw_atl_b0_hw_packet_filter_se + unsigned int packet_filter) + { + unsigned int i = 0U; ++ struct aq_nic_cfg_s *cfg = self->aq_nic_cfg; ++ ++ hw_atl_rpfl2promiscuous_mode_en_set(self, ++ IS_FILTER_ENABLED(IFF_PROMISC)); ++ ++ hw_atl_rpf_vlan_prom_mode_en_set(self, ++ IS_FILTER_ENABLED(IFF_PROMISC) || ++ cfg->is_vlan_force_promisc); + +- hw_atl_rpfl2promiscuous_mode_en_set(self, IS_FILTER_ENABLED(IFF_PROMISC)); + hw_atl_rpfl2multicast_flr_en_set(self, + IS_FILTER_ENABLED(IFF_ALLMULTI), 0); + +@@ -781,13 +788,13 @@ static int hw_atl_b0_hw_packet_filter_se + + hw_atl_rpfl2broadcast_en_set(self, IS_FILTER_ENABLED(IFF_BROADCAST)); + +- self->aq_nic_cfg->is_mc_list_enabled = IS_FILTER_ENABLED(IFF_MULTICAST); ++ cfg->is_mc_list_enabled = IS_FILTER_ENABLED(IFF_MULTICAST); + + for (i = HW_ATL_B0_MAC_MIN; i < HW_ATL_B0_MAC_MAX; ++i) + hw_atl_rpfl2_uc_flr_en_set(self, +- 
(self->aq_nic_cfg->is_mc_list_enabled && +- (i <= self->aq_nic_cfg->mc_list_count)) ? +- 1U : 0U, i); ++ (cfg->is_mc_list_enabled && ++ (i <= cfg->mc_list_count)) ? ++ 1U : 0U, i); + + return aq_hw_err_from_flags(self); + } +@@ -1079,7 +1086,7 @@ static int hw_atl_b0_hw_vlan_set(struct + static int hw_atl_b0_hw_vlan_ctrl(struct aq_hw_s *self, bool enable) + { + /* set promisc in case of disabing the vland filter */ +- hw_atl_rpf_vlan_prom_mode_en_set(self, !!!enable); ++ hw_atl_rpf_vlan_prom_mode_en_set(self, !enable); + + return aq_hw_err_from_flags(self); + } diff --git a/queue-5.1/net-packet-fix-memory-leak-in-packet_set_ring.patch b/queue-5.1/net-packet-fix-memory-leak-in-packet_set_ring.patch new file mode 100644 index 00000000000..8770e3ebcf9 --- /dev/null +++ b/queue-5.1/net-packet-fix-memory-leak-in-packet_set_ring.patch @@ -0,0 +1,41 @@ +From foo@baz Tue 02 Jul 2019 06:09:00 AM CEST +From: Eric Dumazet +Date: Mon, 24 Jun 2019 02:38:20 -0700 +Subject: net/packet: fix memory leak in packet_set_ring() + +From: Eric Dumazet + +[ Upstream commit 55655e3d1197fff16a7a05088fb0e5eba50eac55 ] + +syzbot found we can leak memory in packet_set_ring(), if user application +provides buggy parameters. + +Fixes: 7f953ab2ba46 ("af_packet: TX_RING support for TPACKET_V3") +Signed-off-by: Eric Dumazet +Cc: Sowmini Varadhan +Reported-by: syzbot +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/packet/af_packet.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/packet/af_packet.c ++++ b/net/packet/af_packet.c +@@ -4341,7 +4341,7 @@ static int packet_set_ring(struct sock * + req3->tp_sizeof_priv || + req3->tp_feature_req_word) { + err = -EINVAL; +- goto out; ++ goto out_free_pg_vec; + } + } + break; +@@ -4405,6 +4405,7 @@ static int packet_set_ring(struct sock * + prb_shutdown_retire_blk_timer(po, rb_queue); + } + ++out_free_pg_vec: + if (pg_vec) + free_pg_vec(pg_vec, order, req->tp_block_nr); + out: 
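Review bot: In aq_filters_vlans_update the new branch clears `is_vlan_force_promisc` even when `hw_filter_vlan_ctrl()` returned an error, so the cached flag can disagree with what the hardware was actually programmed to do. hw_atl_b0_hw_packet_filter_set later derives the VLAN promiscuous setting from that flag. Updating it only on success would keep the two in step: `if (!err) aq_nic->aq_nic_cfg.is_vlan_force_promisc = false;`. The else branch sets the flag to true without a hardware call of its own; its comment implies the device was already left in promiscuous mode by code above the hunk, which is not visible here and should be confirmed.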
diff --git a/queue-5.1/net-remove-duplicate-fetch-in-sock_getsockopt.patch b/queue-5.1/net-remove-duplicate-fetch-in-sock_getsockopt.patch
new file mode 100644
index 00000000000..48d4730e053
--- /dev/null
+++ b/queue-5.1/net-remove-duplicate-fetch-in-sock_getsockopt.patch
@@ -0,0 +1,37 @@
+From foo@baz Tue 02 Jul 2019 06:09:00 AM CEST
+From: JingYi Hou
+Date: Mon, 17 Jun 2019 14:56:05 +0800
+Subject: net: remove duplicate fetch in sock_getsockopt
+
+From: JingYi Hou
+
+[ Upstream commit d0bae4a0e3d8c5690a885204d7eb2341a5b4884d ]
+
+In sock_getsockopt(), 'optlen' is fetched the first time from userspace.
+'len < 0' is then checked. Then in condition 'SO_MEMINFO', 'optlen' is
+fetched the second time from userspace.
+
+If change it between two fetches may cause security problems or unexpected
+behaivor, and there is no reason to fetch it a second time.
+
+To fix this, we need to remove the second fetch.
+
+Signed-off-by: JingYi Hou
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/core/sock.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+--- a/net/core/sock.c
++++ b/net/core/sock.c
+@@ -1482,9 +1482,6 @@ int sock_getsockopt(struct socket *sock,
+ {
+ u32 meminfo[SK_MEMINFO_VARS];
+
+- if (get_user(len, optlen))
+- return -EFAULT;
+-
+ sk_get_meminfo(sk, meminfo);
+
+ len = min_t(unsigned int, len, sizeof(meminfo));
diff --git a/queue-5.1/net-stmmac-fixed-new-system-time-seconds-value-calculation.patch b/queue-5.1/net-stmmac-fixed-new-system-time-seconds-value-calculation.patch
new file mode 100644
index 00000000000..81c9dde4e0b
--- /dev/null
+++ b/queue-5.1/net-stmmac-fixed-new-system-time-seconds-value-calculation.patch
@@ -0,0 +1,44 @@
+From foo@baz Tue 02 Jul 2019 06:09:00 AM CEST
+From: Roland Hii
+Date: Wed, 19 Jun 2019 22:13:48 +0800
+Subject: net: stmmac: fixed new system time seconds value calculation
+
+From: Roland Hii
+
+[ Upstream commit a1e5388b4d5fc78688e5e9ee6641f779721d6291 ]
+
+When ADDSUB bit is set, the system time seconds field is calculated as
+the complement of the seconds part of the update value.
+
+For example, if 3.000000001 seconds need to be subtracted from the
+system time, this field is calculated as
+2^32 - 3 = 4294967296 - 3 = 0x100000000 - 3 = 0xFFFFFFFD
+
+Previously, the 0x100000000 is mistakenly written as 100000000.
+
+This is further simplified from
+ sec = (0x100000000ULL - sec);
+to
+ sec = -sec;
+
+Fixes: ba1ffd74df74 ("stmmac: fix PTP support for GMAC4")
+Signed-off-by: Roland Hii
+Signed-off-by: Ong Boon Leong
+Signed-off-by: Voon Weifeng
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/stmicro/stmmac/stmmac_hwtstamp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_hwtstamp.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_hwtstamp.c
+@@ -122,7 +122,7 @@ static int adjust_systime(void __iomem *
+ * programmed with (2^32 – )
+ */
+ if (gmac4)
+- sec = (100000000ULL - sec);
++ sec = -sec;
+
+ value = readl(ioaddr + PTP_TCR);
+ if (value & PTP_TCR_TSCTRLSSR)
diff --git a/queue-5.1/net-stmmac-set-ic-bit-when-transmitting-frames-with-hw-timestamp.patch b/queue-5.1/net-stmmac-set-ic-bit-when-transmitting-frames-with-hw-timestamp.patch
new file mode 100644
index 00000000000..467fa6633dc
--- /dev/null
+++ b/queue-5.1/net-stmmac-set-ic-bit-when-transmitting-frames-with-hw-timestamp.patch
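Review bot: `sec = -sec;` in adjust_systime produces 2^32 - sec only if `sec` is an unsigned 32-bit value, and its declaration is outside the hunk (the signature is cut off in the hunk header), so the type should be confirmed before relying on this form. With a u32 the negation is well-defined modular arithmetic, but with a signed or wider type the value written to the register would differ. The dependence is implicit in the new line; a comment beside it such as `/* u32 negation wraps: same as 2^32 - sec */` would make it explicit.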
@@ -0,0 +1,71 @@ +From foo@baz Tue 02 Jul 2019 06:09:00 AM CEST +From: Roland Hii +Date: Wed, 19 Jun 2019 22:41:48 +0800 +Subject: net: stmmac: set IC bit when transmitting frames with HW timestamp + +From: Roland Hii + +[ Upstream commit d0bb82fd60183868f46c8ccc595a3d61c3334a18 ] + +When transmitting certain PTP frames, e.g. SYNC and DELAY_REQ, the +PTP daemon, e.g. ptp4l, is polling the driver for the frame transmit +hardware timestamp. The polling will most likely timeout if the tx +coalesce is enabled due to the Interrupt-on-Completion (IC) bit is +not set in tx descriptor for those frames. + +This patch will ignore the tx coalesce parameter and set the IC bit +when transmitting PTP frames which need to report out the frame +transmit hardware timestamp to user space. + +Fixes: f748be531d70 ("net: stmmac: Rework coalesce timer and fix multi-queue races") +Signed-off-by: Roland Hii +Signed-off-by: Ong Boon Leong +Signed-off-by: Voon Weifeng +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 22 ++++++++++++++-------- + 1 file changed, 14 insertions(+), 8 deletions(-) + +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +@@ -2957,12 +2957,15 @@ static netdev_tx_t stmmac_tso_xmit(struc + + /* Manage tx mitigation */ + tx_q->tx_count_frames += nfrags + 1; +- if (priv->tx_coal_frames <= tx_q->tx_count_frames) { ++ if (likely(priv->tx_coal_frames > tx_q->tx_count_frames) && ++ !(priv->synopsys_id >= DWMAC_CORE_4_00 && ++ (skb_shinfo(skb)->tx_flags & SKBTX_HW_TSTAMP) && ++ priv->hwts_tx_en)) { ++ stmmac_tx_timer_arm(priv, queue); ++ } else { ++ tx_q->tx_count_frames = 0; + stmmac_set_tx_ic(priv, desc); + priv->xstats.tx_set_ic_bit++; +- tx_q->tx_count_frames = 0; +- } else { +- stmmac_tx_timer_arm(priv, queue); + } + + skb_tx_timestamp(skb); +@@ -3176,12 +3179,15 @@ static netdev_tx_t stmmac_xmit(struct sk + * element in case of no 
SG. + */ + tx_q->tx_count_frames += nfrags + 1; +- if (priv->tx_coal_frames <= tx_q->tx_count_frames) { ++ if (likely(priv->tx_coal_frames > tx_q->tx_count_frames) && ++ !(priv->synopsys_id >= DWMAC_CORE_4_00 && ++ (skb_shinfo(skb)->tx_flags & SKBTX_HW_TSTAMP) && ++ priv->hwts_tx_en)) { ++ stmmac_tx_timer_arm(priv, queue); ++ } else { ++ tx_q->tx_count_frames = 0; + stmmac_set_tx_ic(priv, desc); + priv->xstats.tx_set_ic_bit++; +- tx_q->tx_count_frames = 0; +- } else { +- stmmac_tx_timer_arm(priv, queue); + } + + skb_tx_timestamp(skb); diff --git a/queue-5.1/net-tls-fix-page-double-free-on-tx-cleanup.patch b/queue-5.1/net-tls-fix-page-double-free-on-tx-cleanup.patch new file mode 100644 index 00000000000..00d2dee3562 --- /dev/null +++ b/queue-5.1/net-tls-fix-page-double-free-on-tx-cleanup.patch 
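Review bot: The same four-line condition is added verbatim in stmmac_tso_xmit and stmmac_xmit, so a later change to when a timestamped frame forces the IC bit has to be made twice and can drift. Pulling the timestamp test into one small helper would keep both transmit paths in step and give the rule a name; the helper name below is only a suggestion. Both functions continue outside their hunks.

```c
/* True when the frame must raise its own TX-complete interrupt so the
 * hardware timestamp is reported without waiting for coalescing.
 */
static inline bool stmmac_tx_wants_tstamp_ic(struct stmmac_priv *priv,
					     struct sk_buff *skb)
{
	return priv->synopsys_id >= DWMAC_CORE_4_00 &&
	       (skb_shinfo(skb)->tx_flags & SKBTX_HW_TSTAMP) &&
	       priv->hwts_tx_en;
}

/* … unchanged: tx_count_frames accounting in stmmac_tso_xmit / stmmac_xmit … */
	if (likely(priv->tx_coal_frames > tx_q->tx_count_frames) &&
	    !stmmac_tx_wants_tstamp_ic(priv, skb)) {
		stmmac_tx_timer_arm(priv, queue);
	} else {
		/* … unchanged: reset tx_count_frames, set IC bit, bump counter … */
	}
```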
@@ -0,0 +1,100 @@ +From foo@baz Tue 02 Jul 2019 06:09:00 AM CEST +From: Dirk van der Merwe +Date: Sun, 23 Jun 2019 21:26:58 -0700 +Subject: net/tls: fix page double free on TX cleanup + +From: Dirk van der Merwe + +[ Upstream commit 9354544cbccf68da1b047f8fb7b47630e3c8a59d ] + +With commit 94850257cf0f ("tls: Fix tls_device handling of partial records") +a new path was introduced to cleanup partial records during sk_proto_close. +This path does not handle the SW KTLS tx_list cleanup. + +This is unnecessary though since the free_resources calls for both +SW and offload paths will cleanup a partial record. + +The visible effect is the following warning, but this bug also causes +a page double free. + + WARNING: CPU: 7 PID: 4000 at net/core/stream.c:206 sk_stream_kill_queues+0x103/0x110 + RIP: 0010:sk_stream_kill_queues+0x103/0x110 + RSP: 0018:ffffb6df87e07bd0 EFLAGS: 00010206 + RAX: 0000000000000000 RBX: ffff8c21db4971c0 RCX: 0000000000000007 + RDX: ffffffffffffffa0 RSI: 000000000000001d RDI: ffff8c21db497270 + RBP: ffff8c21db497270 R08: ffff8c29f4748600 R09: 000000010020001a + R10: ffffb6df87e07aa0 R11: ffffffff9a445600 R12: 0000000000000007 + R13: 0000000000000000 R14: ffff8c21f03f2900 R15: ffff8c21f03b8df0 + Call Trace: + inet_csk_destroy_sock+0x55/0x100 + tcp_close+0x25d/0x400 + ? tcp_check_oom+0x120/0x120 + tls_sk_proto_close+0x127/0x1c0 + inet_release+0x3c/0x60 + __sock_release+0x3d/0xb0 + sock_close+0x11/0x20 + __fput+0xd8/0x210 + task_work_run+0x84/0xa0 + do_exit+0x2dc/0xb90 + ? release_sock+0x43/0x90 + do_group_exit+0x3a/0xa0 + get_signal+0x295/0x720 + do_signal+0x36/0x610 + ? 
SYSC_recvfrom+0x11d/0x130 + exit_to_usermode_loop+0x69/0xb0 + do_syscall_64+0x173/0x180 + entry_SYSCALL_64_after_hwframe+0x3d/0xa2 + RIP: 0033:0x7fe9b9abc10d + RSP: 002b:00007fe9b19a1d48 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca + RAX: fffffffffffffe00 RBX: 0000000000000006 RCX: 00007fe9b9abc10d + RDX: 0000000000000002 RSI: 0000000000000080 RDI: 00007fe948003430 + RBP: 00007fe948003410 R08: 00007fe948003430 R09: 0000000000000000 + R10: 0000000000000000 R11: 0000000000000246 R12: 00005603739d9080 + R13: 00007fe9b9ab9f90 R14: 00007fe948003430 R15: 0000000000000000 + +Fixes: 94850257cf0f ("tls: Fix tls_device handling of partial records") +Signed-off-by: Dirk van der Merwe +Signed-off-by: Jakub Kicinski +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/net/tls.h | 15 --------------- + net/tls/tls_main.c | 3 ++- + 2 files changed, 2 insertions(+), 16 deletions(-) + +--- a/include/net/tls.h ++++ b/include/net/tls.h +@@ -347,21 +347,6 @@ static inline bool tls_is_partially_sent + return !!ctx->partially_sent_record; + } + +-static inline int tls_complete_pending_work(struct sock *sk, +- struct tls_context *ctx, +- int flags, long *timeo) +-{ +- int rc = 0; +- +- if (unlikely(sk->sk_write_pending)) +- rc = wait_on_pending_writer(sk, timeo); +- +- if (!rc && tls_is_partially_sent_record(ctx)) +- rc = tls_push_partial_record(sk, ctx, flags); +- +- return rc; +-} +- + static inline bool tls_is_pending_open_record(struct tls_context *tls_ctx) + { + return tls_ctx->pending_open_record_frags; +--- a/net/tls/tls_main.c ++++ b/net/tls/tls_main.c +@@ -279,7 +279,8 @@ static void tls_sk_proto_close(struct so + goto skip_tx_cleanup; + } + +- if (!tls_complete_pending_work(sk, ctx, 0, &timeo)) ++ if (unlikely(sk->sk_write_pending) && ++ !wait_on_pending_writer(sk, &timeo)) + tls_handle_open_record(sk, 0); + + /* We need these for tls_sw_fallback handling of other packets */ 
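Review bot: The new condition in tls_sk_proto_close is not the old one minus the partial-record push. The removed tls_complete_pending_work() returned 0 when `sk->sk_write_pending` was zero, so tls_handle_open_record() ran in that case, whereas `unlikely(sk->sk_write_pending) && !wait_on_pending_writer(sk, &timeo)` is false whenever no writer is pending and the call is skipped. If only the push was meant to go, the equivalent test is `if (!sk->sk_write_pending || !wait_on_pending_writer(sk, &timeo))`. If skipping the open-record handling on the common path is intended, the commit message should say so. tls_sk_proto_close continues outside the hunk.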
diff --git a/queue-5.1/sctp-change-to-hold-sk-after-auth-shkey-is-created-successfully.patch b/queue-5.1/sctp-change-to-hold-sk-after-auth-shkey-is-created-successfully.patch
new file mode 100644
index 00000000000..2b4f1f29553
--- /dev/null
+++ b/queue-5.1/sctp-change-to-hold-sk-after-auth-shkey-is-created-successfully.patch
@@ -0,0 +1,51 @@
+From foo@baz Tue 02 Jul 2019 06:09:00 AM CEST
+From: Xin Long
+Date: Tue, 25 Jun 2019 00:21:45 +0800
+Subject: sctp: change to hold sk after auth shkey is created successfully
+
+From: Xin Long
+
+[ Upstream commit 25bff6d5478b2a02368097015b7d8eb727c87e16 ]
+
+Now in sctp_endpoint_init(), it holds the sk then creates auth
+shkey. But when the creation fails, it doesn't release the sk,
+which causes a sk defcnf leak,
+
+Here to fix it by only holding the sk when auth shkey is created
+successfully.
+
+Fixes: a29a5bd4f5c3 ("[SCTP]: Implement SCTP-AUTH initializations.")
+Reported-by: syzbot+afabda3890cc2f765041@syzkaller.appspotmail.com
+Reported-by: syzbot+276ca1c77a19977c0130@syzkaller.appspotmail.com
+Signed-off-by: Xin Long
+Acked-by: Neil Horman
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/sctp/endpointola.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/net/sctp/endpointola.c
++++ b/net/sctp/endpointola.c
+@@ -133,10 +133,6 @@ static struct sctp_endpoint *sctp_endpoi
+ /* Initialize the bind addr area */
+ sctp_bind_addr_init(&ep->base.bind_addr, 0);
+
+- /* Remember who we are attached to. */
+- ep->base.sk = sk;
+- sock_hold(ep->base.sk);
+-
+ /* Create the lists of associations. */
+ INIT_LIST_HEAD(&ep->asocs);
+
+@@ -169,6 +165,10 @@ static struct sctp_endpoint *sctp_endpoi
+ ep->prsctp_enable = net->sctp.prsctp_enable;
+ ep->reconf_enable = net->sctp.reconf_enable;
+
++ /* Remember who we are attached to. */
++ ep->base.sk = sk;
++ sock_hold(ep->base.sk);
++
+ return ep;
+
+ nomem_shkey:
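Review bot: Moving `ep->base.sk = sk; sock_hold(ep->base.sk);` to just before `return ep;` leaves `ep->base.sk` unassigned for everything that runs between the two hunks, including the auth setup that can jump to nomem_shkey. Those lines are not visible here, so it should be confirmed that nothing in between, or in the helpers it calls, reads `ep->base.sk` instead of the `sk` argument. A comment at the new position would record the ordering constraint for later edits, e.g. `/* Take the sk reference last: the error paths above return without dropping it */`.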
diff --git a/queue-5.1/series b/queue-5.1/series index dabe045a43f..df5c310d9b8 100644 --- a/queue-5.1/series +++ b/queue-5.1/series @@ -27,3 +27,17 @@ nfs-flexfiles-use-the-correct-tcp-timeout-for-flexfiles-i-o.patch cpu-speculation-warn-on-unsupported-mitigations-parameter.patch sunrpc-fix-up-calculation-of-client-message-length.patch irqchip-mips-gic-use-the-correct-local-interrupt-map-registers.patch +af_packet-block-execution-of-tasks-waiting-for-transmit-to-complete-in-af_packet.patch +bonding-always-enable-vlan-tx-offload.patch +ipv4-use-return-value-of-inet_iif-for-__raw_v4_lookup-in-the-while-loop.patch +net-packet-fix-memory-leak-in-packet_set_ring.patch +net-remove-duplicate-fetch-in-sock_getsockopt.patch +net-stmmac-fixed-new-system-time-seconds-value-calculation.patch +net-stmmac-set-ic-bit-when-transmitting-frames-with-hw-timestamp.patch +net-tls-fix-page-double-free-on-tx-cleanup.patch +sctp-change-to-hold-sk-after-auth-shkey-is-created-successfully.patch +team-always-enable-vlan-tx-offload.patch +tipc-change-to-use-register_pernet_device.patch +tipc-check-msg-req-data-len-in-tipc_nl_compat_bearer_disable.patch +tun-wake-up-waitqueues-after-iff_up-is-set.patch +net-aquantia-fix-vlans-not-working-over-bridged-network.patch diff --git a/queue-5.1/team-always-enable-vlan-tx-offload.patch b/queue-5.1/team-always-enable-vlan-tx-offload.patch new file mode 100644 index 00000000000..63e681bab1d --- /dev/null +++ b/queue-5.1/team-always-enable-vlan-tx-offload.patch 
@@ -0,0 +1,37 @@
+From foo@baz Tue 02 Jul 2019 06:09:00 AM CEST
+From: YueHaibing
+Date: Thu, 27 Jun 2019 00:03:39 +0800
+Subject: team: Always enable vlan tx offload
+
+From: YueHaibing
+
+[ Upstream commit ee4297420d56a0033a8593e80b33fcc93fda8509 ]
+
+We should rather have vlan_tci filled all the way down
+to the transmitting netdevice and let it do the hw/sw
+vlan implementation.
+
+Suggested-by: Jiri Pirko
+Signed-off-by: YueHaibing
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/team/team.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/team/team.c
++++ b/drivers/net/team/team.c
+@@ -2135,12 +2135,12 @@ static void team_setup(struct net_device
+ dev->features |= NETIF_F_NETNS_LOCAL;
+
+ dev->hw_features = TEAM_VLAN_FEATURES |
+- NETIF_F_HW_VLAN_CTAG_TX |
+ NETIF_F_HW_VLAN_CTAG_RX |
+ NETIF_F_HW_VLAN_CTAG_FILTER;
+
+ dev->hw_features |= NETIF_F_GSO_ENCAP_ALL | NETIF_F_GSO_UDP_L4;
+ dev->features |= dev->hw_features;
++ dev->features |= NETIF_F_HW_VLAN_CTAG_TX | NETIF_F_HW_VLAN_STAG_TX;
+ }
+
+ static int team_newlink(struct net *src_net, struct net_device *dev,
diff --git a/queue-5.1/tipc-change-to-use-register_pernet_device.patch b/queue-5.1/tipc-change-to-use-register_pernet_device.patch
new file mode 100644
index 00000000000..5095eefaa0c
--- /dev/null
+++ b/queue-5.1/tipc-change-to-use-register_pernet_device.patch
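Review bot: The added line in team_setup() sets `NETIF_F_HW_VLAN_CTAG_TX | NETIF_F_HW_VLAN_STAG_TX` in `dev->features` only, while `NETIF_F_HW_VLAN_CTAG_TX` is dropped from `dev->hw_features`, and nothing in the code says that the split is deliberate. As written the two flags are forced on and presumably can no longer be toggled by the administrator, and `NETIF_F_HW_VLAN_STAG_TX` is newly enabled here although the commit message does not mention it. A short comment on the new line would record the intent, for example `/* always on, deliberately not in hw_features: the lower device does the hw/sw tagging */`. team_setup() begins outside the hunk.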
@@ -0,0 +1,100 @@
+From foo@baz Tue 02 Jul 2019 06:09:00 AM CEST
+From: Xin Long
+Date: Thu, 20 Jun 2019 18:39:28 +0800
+Subject: tipc: change to use register_pernet_device
+
+From: Xin Long
+
+[ Upstream commit c492d4c74dd3f87559883ffa0f94a8f1ae3fe5f5 ]
+
+This patch is to fix a dst defcnt leak, which can be reproduced by doing:
+
+ # ip net a c; ip net a s; modprobe tipc
+ # ip net e s ip l a n eth1 type veth peer n eth1 netns c
+ # ip net e c ip l s lo up; ip net e c ip l s eth1 up
+ # ip net e s ip l s lo up; ip net e s ip l s eth1 up
+ # ip net e c ip a a 1.1.1.2/8 dev eth1
+ # ip net e s ip a a 1.1.1.1/8 dev eth1
+ # ip net e c tipc b e m udp n u1 localip 1.1.1.2
+ # ip net e s tipc b e m udp n u1 localip 1.1.1.1
+ # ip net d c; ip net d s; rmmod tipc
+
+and it will get stuck and keep logging the error:
+
+ unregister_netdevice: waiting for lo to become free. Usage count = 1
+
+The cause is that a dst is held by the udp sock's sk_rx_dst set on udp rx
+path with udp_early_demux == 1, and this dst (eventually holding lo dev)
+can't be released as bearer's removal in tipc pernet .exit happens after
+lo dev's removal, default_device pernet .exit.
+
+ "There are two distinct types of pernet_operations recognized: subsys and
+ device. At creation all subsys init functions are called before device
+ init functions, and at destruction all device exit functions are called
+ before subsys exit function."
+
+So by calling register_pernet_device instead to register tipc_net_ops, the
+pernet .exit() will be invoked earlier than loopback dev's removal when a
+netns is being destroyed, as fou/gue does.
+
+Note that vxlan and geneve udp tunnels don't have this issue, as the udp
+sock is released in their device ndo_stop().
+
+This fix is also necessary for tipc dst_cache, which will hold dsts on tx
+path and I will introduce in my next patch.
+
+Reported-by: Li Shuang
+Signed-off-by: Xin Long
+Acked-by: Jon Maloy
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/tipc/core.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/net/tipc/core.c
++++ b/net/tipc/core.c
+@@ -132,7 +132,7 @@ static int __init tipc_init(void)
+ if (err)
+ goto out_sysctl;
+
+- err = register_pernet_subsys(&tipc_net_ops);
++ err = register_pernet_device(&tipc_net_ops);
+ if (err)
+ goto out_pernet;
+
+@@ -140,7 +140,7 @@ static int __init tipc_init(void)
+ if (err)
+ goto out_socket;
+
+- err = register_pernet_subsys(&tipc_topsrv_net_ops);
++ err = register_pernet_device(&tipc_topsrv_net_ops);
+ if (err)
+ goto out_pernet_topsrv;
+
+@@ -151,11 +151,11 @@ static int __init tipc_init(void)
+ pr_info("Started in single node mode\n");
+ return 0;
+ out_bearer:
+- unregister_pernet_subsys(&tipc_topsrv_net_ops);
++ unregister_pernet_device(&tipc_topsrv_net_ops);
+ out_pernet_topsrv:
+ tipc_socket_stop();
+ out_socket:
+- unregister_pernet_subsys(&tipc_net_ops);
++ unregister_pernet_device(&tipc_net_ops);
+ out_pernet:
+ tipc_unregister_sysctl();
+ out_sysctl:
+@@ -170,9 +170,9 @@ out_netlink:
+ static void __exit tipc_exit(void)
+ {
+ tipc_bearer_cleanup();
+- unregister_pernet_subsys(&tipc_topsrv_net_ops);
++ unregister_pernet_device(&tipc_topsrv_net_ops);
+ tipc_socket_stop();
+- unregister_pernet_subsys(&tipc_net_ops);
++ unregister_pernet_device(&tipc_net_ops);
+ tipc_netlink_stop();
+ tipc_netlink_compat_stop();
+ tipc_unregister_sysctl();
diff --git a/queue-5.1/tipc-check-msg-req-data-len-in-tipc_nl_compat_bearer_disable.patch b/queue-5.1/tipc-check-msg-req-data-len-in-tipc_nl_compat_bearer_disable.patch
new file mode 100644
index 00000000000..37fdb348f1f
--- /dev/null
+++ b/queue-5.1/tipc-check-msg-req-data-len-in-tipc_nl_compat_bearer_disable.patch
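Review bot: Nothing at the two `register_pernet_device()` calls in tipc_init() records why TIPC registers as a pernet device rather than a subsys, so the ordering requirement exists only in the commit message. The reason given there is that the pernet `.exit` must run before the loopback device is removed, otherwise the dst held through `sk_rx_dst` keeps netns teardown waiting on `lo`. A one-line comment above the first call, such as `/* pernet device, not subsys: .exit has to run before lo is unregistered */`, would stop a later cleanup from switching back to `register_pernet_subsys()`. tipc_init() starts outside the hunks shown.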
@@ -0,0 +1,88 @@
+From foo@baz Tue 02 Jul 2019 06:09:00 AM CEST
+From: Xin Long
+Date: Tue, 25 Jun 2019 00:28:19 +0800
+Subject: tipc: check msg->req data len in tipc_nl_compat_bearer_disable
+
+From: Xin Long
+
+[ Upstream commit 4f07b80c973348a99b5d2a32476a2e7877e94a05 ]
+
+This patch is to fix an uninit-value issue, reported by syzbot:
+
+ BUG: KMSAN: uninit-value in memchr+0xce/0x110 lib/string.c:981
+ Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x191/0x1f0 lib/dump_stack.c:113
+ kmsan_report+0x130/0x2a0 mm/kmsan/kmsan.c:622
+ __msan_warning+0x75/0xe0 mm/kmsan/kmsan_instr.c:310
+ memchr+0xce/0x110 lib/string.c:981
+ string_is_valid net/tipc/netlink_compat.c:176 [inline]
+ tipc_nl_compat_bearer_disable+0x2a1/0x480 net/tipc/netlink_compat.c:449
+ __tipc_nl_compat_doit net/tipc/netlink_compat.c:327 [inline]
+ tipc_nl_compat_doit+0x3ac/0xb00 net/tipc/netlink_compat.c:360
+ tipc_nl_compat_handle net/tipc/netlink_compat.c:1178 [inline]
+ tipc_nl_compat_recv+0x1b1b/0x27b0 net/tipc/netlink_compat.c:1281
+
+TLV_GET_DATA_LEN() may return a negtive int value, which will be
+used as size_t (becoming a big unsigned long) passed into memchr,
+cause this issue.
+
+Similar to what it does in tipc_nl_compat_bearer_enable(), this
+fix is to return -EINVAL when TLV_GET_DATA_LEN() is negtive in
+tipc_nl_compat_bearer_disable(), as well as in
+tipc_nl_compat_link_stat_dump() and tipc_nl_compat_link_reset_stats().
+
+v1->v2:
+ - add the missing Fixes tags per Eric's request.
+
+Fixes: 0762216c0ad2 ("tipc: fix uninit-value in tipc_nl_compat_bearer_enable")
+Fixes: 8b66fee7f8ee ("tipc: fix uninit-value in tipc_nl_compat_link_reset_stats")
+Reported-by: syzbot+30eaa8bf392f7fafffaf@syzkaller.appspotmail.com
+Signed-off-by: Xin Long
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/tipc/netlink_compat.c | 18 +++++++++++++++---
+ 1 file changed, 15 insertions(+), 3 deletions(-)
+
+--- a/net/tipc/netlink_compat.c
++++ b/net/tipc/netlink_compat.c
+@@ -445,7 +445,11 @@ static int tipc_nl_compat_bearer_disable
+ if (!bearer)
+ return -EMSGSIZE;
+
+- len = min_t(int, TLV_GET_DATA_LEN(msg->req), TIPC_MAX_BEARER_NAME);
++ len = TLV_GET_DATA_LEN(msg->req);
++ if (len <= 0)
++ return -EINVAL;
++
++ len = min_t(int, len, TIPC_MAX_BEARER_NAME);
+ if (!string_is_valid(name, len))
+ return -EINVAL;
+
+@@ -537,7 +541,11 @@ static int tipc_nl_compat_link_stat_dump
+
+ name = (char *)TLV_DATA(msg->req);
+
+- len = min_t(int, TLV_GET_DATA_LEN(msg->req), TIPC_MAX_LINK_NAME);
++ len = TLV_GET_DATA_LEN(msg->req);
++ if (len <= 0)
++ return -EINVAL;
++
++ len = min_t(int, len, TIPC_MAX_BEARER_NAME);
+ if (!string_is_valid(name, len))
+ return -EINVAL;
+
+@@ -815,7 +823,11 @@ static int tipc_nl_compat_link_reset_sta
+ if (!link)
+ return -EMSGSIZE;
+
+- len = min_t(int, TLV_GET_DATA_LEN(msg->req), TIPC_MAX_LINK_NAME);
++ len = TLV_GET_DATA_LEN(msg->req);
++ if (len <= 0)
++ return -EINVAL;
++
++ len = min_t(int, len, TIPC_MAX_BEARER_NAME);
+ if (!string_is_valid(name, len))
+ return -EINVAL;
+
diff --git a/queue-5.1/tun-wake-up-waitqueues-after-iff_up-is-set.patch b/queue-5.1/tun-wake-up-waitqueues-after-iff_up-is-set.patch
new file mode 100644
index 00000000000..bb9de4d422e
--- /dev/null
+++ b/queue-5.1/tun-wake-up-waitqueues-after-iff_up-is-set.patch
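Review bot: In the second and third inner hunks (tipc_nl_compat_link_stat_dump() and tipc_nl_compat_link_reset_stats()) the clamp silently changes from `TIPC_MAX_LINK_NAME` to `TIPC_MAX_BEARER_NAME`, which looks like a copy of the bearer_disable hunk rather than an intended change. If the link-name limit is the larger of the two, string_is_valid() now looks for the terminator in a shorter window, and a well-formed link name longer than the bearer limit is rejected with -EINVAL. Both places should keep the original constant: `len = min_t(int, len, TIPC_MAX_LINK_NAME);`. The new `len <= 0` guard is what closes the negative-length path into memchr() and is not affected by this. All three functions extend beyond the hunks shown.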
@@ -0,0 +1,76 @@
+From foo@baz Tue 02 Jul 2019 06:09:00 AM CEST
+From: Fei Li
+Date: Mon, 17 Jun 2019 21:26:36 +0800
+Subject: tun: wake up waitqueues after IFF_UP is set
+
+From: Fei Li
+
+[ Upstream commit 72b319dc08b4924a29f5e2560ef6d966fa54c429 ]
+
+Currently after setting tap0 link up, the tun code wakes tx/rx waited
+queues up in tun_net_open() when .ndo_open() is called, however the
+IFF_UP flag has not been set yet. If there's already a wait queue, it
+would fail to transmit when checking the IFF_UP flag in tun_sendmsg().
+Then the saving vhost_poll_start() will add the wq into wqh until it
+is waken up again. Although this works when IFF_UP flag has been set
+when tun_chr_poll detects; this is not true if IFF_UP flag has not
+been set at that time. Sadly the latter case is a fatal error, as
+the wq will never be waken up in future unless later manually
+setting link up on purpose.
+
+Fix this by moving the wakeup process into the NETDEV_UP event
+notifying process, this makes sure IFF_UP has been set before all
+waited queues been waken up.
+
+Signed-off-by: Fei Li
+Acked-by: Jason Wang
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/tun.c | 19 +++++++++----------
+ 1 file changed, 9 insertions(+), 10 deletions(-)
+
+--- a/drivers/net/tun.c
++++ b/drivers/net/tun.c
+@@ -1024,18 +1024,8 @@ static void tun_net_uninit(struct net_de
+ /* Net device open. */
+ static int tun_net_open(struct net_device *dev)
+ {
+- struct tun_struct *tun = netdev_priv(dev);
+- int i;
+-
+ netif_tx_start_all_queues(dev);
+
+- for (i = 0; i < tun->numqueues; i++) {
+- struct tun_file *tfile;
+-
+- tfile = rtnl_dereference(tun->tfiles[i]);
+- tfile->socket.sk->sk_write_space(tfile->socket.sk);
+- }
+-
+ return 0;
+ }
+
+@@ -3636,6 +3626,7 @@ static int tun_device_event(struct notif
+ {
+ struct net_device *dev = netdev_notifier_info_to_dev(ptr);
+ struct tun_struct *tun = netdev_priv(dev);
++ int i;
+
+ if (dev->rtnl_link_ops != &tun_link_ops)
+ return NOTIFY_DONE;
+@@ -3645,6 +3636,14 @@ static int tun_device_event(struct notif
+ if (tun_queue_resize(tun))
+ return NOTIFY_BAD;
+ break;
++ case NETDEV_UP:
++ for (i = 0; i < tun->numqueues; i++) {
++ struct tun_file *tfile;
++
++ tfile = rtnl_dereference(tun->tfiles[i]);
++ tfile->socket.sk->sk_write_space(tfile->socket.sk);
++ }
++ break;
+ default:
+ break;
+ }
-- 2.47.3
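Review bot: The loop added under `case NETDEV_UP:` in tun_device_event() carries no comment, although its placement is the entire fix and it now depends on two things the notifier context has to provide. `rtnl_dereference()` is only valid if the notifier runs with RTNL held, and the wakeup is only useful if IFF_UP is already set when NETDEV_UP is delivered, which is what the commit message relies on. A comment on the case would keep the loop from being moved back into tun_net_open(), for example `/* IFF_UP is set by now: wake writers that failed the IFF_UP check in tun_sendmsg() */`. tun_device_event() begins and ends outside the inner hunks.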