From 5306e51bbca5c0e9c5f218c41d87442af4269265 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Thu, 9 Apr 2020 16:04:13 +0200 Subject: [PATCH] 4.14-stable patches added patches: ipv6-don-t-auto-add-link-local-address-to-lag-ports.patch mlxsw-spectrum_flower-do-not-stop-at-flow_action_vlan_mangle.patch net-dsa-bcm_sf2-ensure-correct-sub-node-is-parsed.patch net-phy-micrel-kszphy_resume-add-delay-after-genphy_resume-before-accessing-phy-registers.patch net-stmmac-dwmac1000-fix-out-of-bounds-mac-address-reg-setting.patch slcan-don-t-transmit-uninitialized-stack-data-in-padding.patch --- ...-add-link-local-address-to-lag-ports.patch | 91 +++++++++++++++++++ ...-not-stop-at-flow_action_vlan_mangle.patch | 41 +++++++++ ...f2-ensure-correct-sub-node-is-parsed.patch | 48 ++++++++++ ...esume-before-accessing-phy-registers.patch | 63 +++++++++++++ ...ut-of-bounds-mac-address-reg-setting.patch | 35 +++++++ queue-4.14/series | 6 ++ ...-uninitialized-stack-data-in-padding.patch | 51 +++++++++++ 7 files changed, 335 insertions(+) create mode 100644 queue-4.14/ipv6-don-t-auto-add-link-local-address-to-lag-ports.patch create mode 100644 queue-4.14/mlxsw-spectrum_flower-do-not-stop-at-flow_action_vlan_mangle.patch create mode 100644 queue-4.14/net-dsa-bcm_sf2-ensure-correct-sub-node-is-parsed.patch create mode 100644 queue-4.14/net-phy-micrel-kszphy_resume-add-delay-after-genphy_resume-before-accessing-phy-registers.patch create mode 100644 queue-4.14/net-stmmac-dwmac1000-fix-out-of-bounds-mac-address-reg-setting.patch create mode 100644 queue-4.14/slcan-don-t-transmit-uninitialized-stack-data-in-padding.patch diff --git a/queue-4.14/ipv6-don-t-auto-add-link-local-address-to-lag-ports.patch b/queue-4.14/ipv6-don-t-auto-add-link-local-address-to-lag-ports.patch new file mode 100644 index 00000000000..66a3033b08d --- /dev/null +++ b/queue-4.14/ipv6-don-t-auto-add-link-local-address-to-lag-ports.patch @@ -0,0 +1,91 @@ +From foo@baz Thu 09 Apr 2020 03:41:19 PM CEST +From: Jarod Wilson +Date: Mon, 30 Mar 2020 11:22:19 -0400 +Subject: ipv6: don't auto-add link-local address to lag ports + +From: Jarod Wilson + +[ Upstream commit 744fdc8233f6aa9582ce08a51ca06e59796a3196 ] + +Bonding slave and team port devices should not have link-local addresses +automatically added to them, as it can interfere with openvswitch being +able to properly add tc ingress. + +Basic reproducer, courtesy of Marcelo: + +$ ip link add name bond0 type bond +$ ip link set dev ens2f0np0 master bond0 +$ ip link set dev ens2f1np2 master bond0 +$ ip link set dev bond0 up +$ ip a s +1: lo: mtu 65536 qdisc noqueue state UNKNOWN +group default qlen 1000 + link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 + inet 127.0.0.1/8 scope host lo + valid_lft forever preferred_lft forever + inet6 ::1/128 scope host + valid_lft forever preferred_lft forever +2: ens2f0np0: mtu 1500 qdisc +mq master bond0 state UP group default qlen 1000 + link/ether 00:0f:53:2f:ea:40 brd ff:ff:ff:ff:ff:ff +5: ens2f1np2: mtu 1500 qdisc +mq master bond0 state DOWN group default qlen 1000 + link/ether 00:0f:53:2f:ea:40 brd ff:ff:ff:ff:ff:ff +11: bond0: mtu 1500 qdisc +noqueue state UP group default qlen 1000 + link/ether 00:0f:53:2f:ea:40 brd ff:ff:ff:ff:ff:ff + inet6 fe80::20f:53ff:fe2f:ea40/64 scope link + valid_lft forever preferred_lft forever + +(above trimmed to relevant entries, obviously) + +$ sysctl net.ipv6.conf.ens2f0np0.addr_gen_mode=0 +net.ipv6.conf.ens2f0np0.addr_gen_mode = 0 +$ sysctl net.ipv6.conf.ens2f1np2.addr_gen_mode=0 +net.ipv6.conf.ens2f1np2.addr_gen_mode = 0 + +$ ip a l ens2f0np0 +2: ens2f0np0: mtu 1500 qdisc +mq master bond0 state UP group default qlen 1000 + link/ether 00:0f:53:2f:ea:40 brd ff:ff:ff:ff:ff:ff + inet6 fe80::20f:53ff:fe2f:ea40/64 scope link tentative + valid_lft forever preferred_lft forever +$ ip a l ens2f1np2 +5: ens2f1np2: mtu 1500 qdisc +mq master bond0 state DOWN group default qlen 1000 + link/ether 00:0f:53:2f:ea:40 brd ff:ff:ff:ff:ff:ff + inet6 fe80::20f:53ff:fe2f:ea40/64 scope link tentative + valid_lft forever preferred_lft forever + +Looks like addrconf_sysctl_addr_gen_mode() bypasses the original "is +this a slave interface?" check added by commit c2edacf80e15, and +results in an address getting added, while w/the proposed patch added, +no address gets added. This simply adds the same gating check to another +code path, and thus should prevent the same devices from erroneously +obtaining an ipv6 link-local address. + +Fixes: d35a00b8e33d ("net/ipv6: allow sysctl to change link-local address generation mode") +Reported-by: Moshe Levi +CC: Stephen Hemminger +CC: Marcelo Ricardo Leitner +CC: netdev@vger.kernel.org +Signed-off-by: Jarod Wilson +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/addrconf.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/net/ipv6/addrconf.c ++++ b/net/ipv6/addrconf.c +@@ -3175,6 +3175,10 @@ static void addrconf_addr_gen(struct ine + if (netif_is_l3_master(idev->dev)) + return; + ++ /* no link local addresses on devices flagged as slaves */ ++ if (idev->dev->flags & IFF_SLAVE) ++ return; ++ + ipv6_addr_set(&addr, htonl(0xFE800000), 0, 0, 0); + + switch (idev->cnf.addr_gen_mode) { diff --git a/queue-4.14/mlxsw-spectrum_flower-do-not-stop-at-flow_action_vlan_mangle.patch b/queue-4.14/mlxsw-spectrum_flower-do-not-stop-at-flow_action_vlan_mangle.patch new file mode 100644 index 00000000000..1e3f69a2b8a --- /dev/null +++ b/queue-4.14/mlxsw-spectrum_flower-do-not-stop-at-flow_action_vlan_mangle.patch @@ -0,0 +1,41 @@ +From foo@baz Thu 09 Apr 2020 01:26:03 PM CEST +From: Petr Machata +Date: Sun, 5 Apr 2020 09:50:22 +0300 +Subject: mlxsw: spectrum_flower: Do not stop at FLOW_ACTION_VLAN_MANGLE + +From: Petr Machata + +[ Upstream commit ccfc569347f870830e7c7cf854679a06cf9c45b5 ] + +The handler for FLOW_ACTION_VLAN_MANGLE ends by returning whatever the +lower-level function that it calls returns. If there are more actions lined +up after this action, those are never offloaded. Fix by only bailing out +when the called function returns an error. + +Fixes: a150201a70da ("mlxsw: spectrum: Add support for vlan modify TC action") +Signed-off-by: Petr Machata +Reviewed-by: Jiri Pirko +Signed-off-by: Ido Schimmel +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlxsw/spectrum_flower.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_flower.c ++++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_flower.c +@@ -112,9 +112,11 @@ static int mlxsw_sp_flower_parse_actions + u8 prio = tcf_vlan_push_prio(a); + u16 vid = tcf_vlan_push_vid(a); + +- return mlxsw_sp_acl_rulei_act_vlan(mlxsw_sp, rulei, +- action, vid, +- proto, prio); ++ err = mlxsw_sp_acl_rulei_act_vlan(mlxsw_sp, rulei, ++ action, vid, ++ proto, prio); ++ if (err) ++ return err; + } else { + dev_err(mlxsw_sp->bus_info->dev, "Unsupported action\n"); + return -EOPNOTSUPP; diff --git a/queue-4.14/net-dsa-bcm_sf2-ensure-correct-sub-node-is-parsed.patch b/queue-4.14/net-dsa-bcm_sf2-ensure-correct-sub-node-is-parsed.patch new file mode 100644 index 00000000000..dc24fadfe2b --- /dev/null +++ b/queue-4.14/net-dsa-bcm_sf2-ensure-correct-sub-node-is-parsed.patch @@ -0,0 +1,48 @@ +From foo@baz Thu 09 Apr 2020 03:41:19 PM CEST +From: Florian Fainelli +Date: Sun, 5 Apr 2020 13:00:30 -0700 +Subject: net: dsa: bcm_sf2: Ensure correct sub-node is parsed + +From: Florian Fainelli + +[ Upstream commit afa3b592953bfaecfb4f2f335ec5f935cff56804 ] + +When the bcm_sf2 was converted into a proper platform device driver and +used the new dsa_register_switch() interface, we would still be parsing +the legacy DSA node that contained all the port information since the +platform firmware has intentionally maintained backward and forward +compatibility to client programs. Ensure that we do parse the correct +node, which is "ports" per the revised DSA binding. + +Fixes: d9338023fb8e ("net: dsa: bcm_sf2: Make it a real platform device driver") +Signed-off-by: Florian Fainelli +Reviewed-by: Vivien Didelot +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/dsa/bcm_sf2.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/drivers/net/dsa/bcm_sf2.c ++++ b/drivers/net/dsa/bcm_sf2.c +@@ -1112,6 +1112,7 @@ static int bcm_sf2_sw_probe(struct platf + const struct bcm_sf2_of_data *data; + struct b53_platform_data *pdata; + struct dsa_switch_ops *ops; ++ struct device_node *ports; + struct bcm_sf2_priv *priv; + struct b53_device *dev; + struct dsa_switch *ds; +@@ -1174,7 +1175,11 @@ static int bcm_sf2_sw_probe(struct platf + */ + set_bit(0, priv->cfp.used); + +- bcm_sf2_identify_ports(priv, dn->child); ++ ports = of_find_node_by_name(dn, "ports"); ++ if (ports) { ++ bcm_sf2_identify_ports(priv, ports); ++ of_node_put(ports); ++ } + + priv->irq0 = irq_of_parse_and_map(dn, 0); + priv->irq1 = irq_of_parse_and_map(dn, 1); diff --git a/queue-4.14/net-phy-micrel-kszphy_resume-add-delay-after-genphy_resume-before-accessing-phy-registers.patch b/queue-4.14/net-phy-micrel-kszphy_resume-add-delay-after-genphy_resume-before-accessing-phy-registers.patch new file mode 100644 index 00000000000..18dd4775d73 --- /dev/null +++ b/queue-4.14/net-phy-micrel-kszphy_resume-add-delay-after-genphy_resume-before-accessing-phy-registers.patch @@ -0,0 +1,63 @@ +From foo@baz Thu 09 Apr 2020 03:41:19 PM CEST +From: Oleksij Rempel +Date: Fri, 3 Apr 2020 09:53:25 +0200 +Subject: net: phy: micrel: kszphy_resume(): add delay after genphy_resume() before accessing PHY registers + +From: Oleksij Rempel + +[ Upstream commit 6110dff776f7fa65c35850ef65b41d3b39e2fac2 ] + +After the power-down bit is cleared, the chip internally triggers a +global reset. According to the KSZ9031 documentation, we have to wait at +least 1ms for the reset to finish. + +If the chip is accessed during reset, read will return 0xffff, while +write will be ignored. Depending on the system performance and MDIO bus +speed, we may or may not run in to this issue. + +This bug was discovered on an iMX6QP system with KSZ9031 PHY and +attached PHY interrupt line. If IRQ was used, the link status update was +lost. In polling mode, the link status update was always correct. + +The investigation showed, that during a read-modify-write access, the +read returned 0xffff (while the chip was still in reset) and +corresponding write hit the chip _after_ reset and triggered (due to the +0xffff) another reset in an undocumented bit (register 0x1f, bit 1), +resulting in the next write being lost due to the new reset cycle. + +This patch fixes the issue by adding a 1...2 ms sleep after the +genphy_resume(). + +Fixes: 836384d2501d ("net: phy: micrel: Add specific suspend") +Signed-off-by: Oleksij Rempel +Reviewed-by: Andrew Lunn +Reviewed-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/phy/micrel.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/net/phy/micrel.c ++++ b/drivers/net/phy/micrel.c +@@ -29,6 +29,7 @@ + #include + #include + #include ++#include + + /* Operation Mode Strap Override */ + #define MII_KSZPHY_OMSO 0x16 +@@ -727,6 +728,12 @@ static int kszphy_resume(struct phy_devi + + genphy_resume(phydev); + ++ /* After switching from power-down to normal mode, an internal global ++ * reset is automatically generated. Wait a minimum of 1 ms before ++ * read/write access to the PHY registers. ++ */ ++ usleep_range(1000, 2000); ++ + ret = kszphy_config_reset(phydev); + if (ret) + return ret; diff --git a/queue-4.14/net-stmmac-dwmac1000-fix-out-of-bounds-mac-address-reg-setting.patch b/queue-4.14/net-stmmac-dwmac1000-fix-out-of-bounds-mac-address-reg-setting.patch new file mode 100644 index 00000000000..eaa21c2a877 --- /dev/null +++ b/queue-4.14/net-stmmac-dwmac1000-fix-out-of-bounds-mac-address-reg-setting.patch @@ -0,0 +1,35 @@ +From foo@baz Thu 09 Apr 2020 03:41:19 PM CEST +From: Jisheng Zhang +Date: Fri, 3 Apr 2020 10:23:29 +0800 +Subject: net: stmmac: dwmac1000: fix out-of-bounds mac address reg setting + +From: Jisheng Zhang + +[ Upstream commit 3e1221acf6a8f8595b5ce354bab4327a69d54d18 ] + +Commit 9463c4455900 ("net: stmmac: dwmac1000: Clear unused address +entries") cleared the unused mac address entries, but introduced an +out-of bounds mac address register programming bug -- After setting +the secondary unicast mac addresses, the "reg" value has reached +netdev_uc_count() + 1, thus we should only clear address entries +if (addr < perfect_addr_number) + +Fixes: 9463c4455900 ("net: stmmac: dwmac1000: Clear unused address entries") +Signed-off-by: Jisheng Zhang +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/stmicro/stmmac/dwmac1000_core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/stmicro/stmmac/dwmac1000_core.c ++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac1000_core.c +@@ -218,7 +218,7 @@ static void dwmac1000_set_filter(struct + reg++; + } + +- while (reg <= perfect_addr_number) { ++ while (reg < perfect_addr_number) { + writel(0, ioaddr + GMAC_ADDR_HIGH(reg)); + writel(0, ioaddr + GMAC_ADDR_LOW(reg)); + reg++; diff --git a/queue-4.14/series b/queue-4.14/series index fa82865e853..3a847b4914b 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -12,3 +12,9 @@ misc-pci_endpoint_test-fix-to-support-10-pci-endpoint-test-devices.patch coresight-do-not-use-the-bit-macro-in-the-uapi-header.patch padata-always-acquire-cpu_hotplug_lock-before-pinst-lock.patch mm-mempolicy-require-at-least-one-nodeid-for-mpol_preferred.patch +ipv6-don-t-auto-add-link-local-address-to-lag-ports.patch +net-dsa-bcm_sf2-ensure-correct-sub-node-is-parsed.patch +net-phy-micrel-kszphy_resume-add-delay-after-genphy_resume-before-accessing-phy-registers.patch +net-stmmac-dwmac1000-fix-out-of-bounds-mac-address-reg-setting.patch +slcan-don-t-transmit-uninitialized-stack-data-in-padding.patch +mlxsw-spectrum_flower-do-not-stop-at-flow_action_vlan_mangle.patch diff --git a/queue-4.14/slcan-don-t-transmit-uninitialized-stack-data-in-padding.patch b/queue-4.14/slcan-don-t-transmit-uninitialized-stack-data-in-padding.patch new file mode 100644 index 00000000000..723dc588747 --- /dev/null +++ b/queue-4.14/slcan-don-t-transmit-uninitialized-stack-data-in-padding.patch @@ -0,0 +1,51 @@ +From foo@baz Thu 09 Apr 2020 03:41:19 PM CEST +From: Richard Palethorpe +Date: Wed, 1 Apr 2020 12:06:39 +0200 +Subject: slcan: Don't transmit uninitialized stack data in padding + +From: Richard Palethorpe + +[ Upstream commit b9258a2cece4ec1f020715fe3554bc2e360f6264 ] + +struct can_frame contains some padding which is not explicitly zeroed in +slc_bump. This uninitialized data will then be transmitted if the stack +initialization hardening feature is not enabled (CONFIG_INIT_STACK_ALL). + +This commit just zeroes the whole struct including the padding. + +Signed-off-by: Richard Palethorpe +Fixes: a1044e36e457 ("can: add slcan driver for serial/USB-serial CAN adapters") +Reviewed-by: Kees Cook +Cc: linux-can@vger.kernel.org +Cc: netdev@vger.kernel.org +Cc: security@kernel.org +Cc: wg@grandegger.com +Cc: mkl@pengutronix.de +Cc: davem@davemloft.net +Acked-by: Marc Kleine-Budde +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/can/slcan.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +--- a/drivers/net/can/slcan.c ++++ b/drivers/net/can/slcan.c +@@ -147,7 +147,7 @@ static void slc_bump(struct slcan *sl) + u32 tmpid; + char *cmd = sl->rbuff; + +- cf.can_id = 0; ++ memset(&cf, 0, sizeof(cf)); + + switch (*cmd) { + case 'r': +@@ -186,8 +186,6 @@ static void slc_bump(struct slcan *sl) + else + return; + +- *(u64 *) (&cf.data) = 0; /* clear payload */ +- + /* RTR frames may have a dlc > 0 but they never have any data bytes */ + if (!(cf.can_id & CAN_RTR_FLAG)) { + for (i = 0; i < cf.can_dlc; i++) { -- 2.47.3