From b9db7811f0756c3ff0428f1b816e8cb189788713 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Thu, 2 Apr 2020 22:22:55 +0200 Subject: [PATCH] 5.6-stable patches added patches: ipv4-fix-a-rcu-list-lock-in-fib_triestat_seq_show.patch net-dsa-ksz-select-ksz-protocol-tag.patch net-fix-fraglist-segmentation-reference-count-leak.patch net-ip_tunnel-fix-interface-lookup-with-no-key.patch net-macb-fix-handling-of-fixed-link-node.patch sctp-fix-possibly-using-a-bad-saddr-with-a-given-dst.patch sctp-fix-refcount-bug-in-sctp_wfree.patch udp-initialize-is_flist-with-0-in-udp_gro_receive.patch --- ...u-list-lock-in-fib_triestat_seq_show.patch | 63 ++++++ .../net-dsa-ksz-select-ksz-protocol-tag.patch | 31 +++ ...st-segmentation-reference-count-leak.patch | 43 ++++ ...nel-fix-interface-lookup-with-no-key.patch | 54 +++++ ...macb-fix-handling-of-fixed-link-node.patch | 34 ++++ ...y-using-a-bad-saddr-with-a-given-dst.patch | 188 ++++++++++++++++++ .../sctp-fix-refcount-bug-in-sctp_wfree.patch | 115 +++++++++++ queue-5.6/series | 8 + ...e-is_flist-with-0-in-udp_gro_receive.patch | 34 ++++ 9 files changed, 570 insertions(+) create mode 100644 queue-5.6/ipv4-fix-a-rcu-list-lock-in-fib_triestat_seq_show.patch create mode 100644 queue-5.6/net-dsa-ksz-select-ksz-protocol-tag.patch create mode 100644 queue-5.6/net-fix-fraglist-segmentation-reference-count-leak.patch create mode 100644 queue-5.6/net-ip_tunnel-fix-interface-lookup-with-no-key.patch create mode 100644 queue-5.6/net-macb-fix-handling-of-fixed-link-node.patch create mode 100644 queue-5.6/sctp-fix-possibly-using-a-bad-saddr-with-a-given-dst.patch create mode 100644 queue-5.6/sctp-fix-refcount-bug-in-sctp_wfree.patch create mode 100644 queue-5.6/series create mode 100644 queue-5.6/udp-initialize-is_flist-with-0-in-udp_gro_receive.patch 
diff --git a/queue-5.6/ipv4-fix-a-rcu-list-lock-in-fib_triestat_seq_show.patch b/queue-5.6/ipv4-fix-a-rcu-list-lock-in-fib_triestat_seq_show.patch
new file mode 100644
index 00000000000..faf491b585c
--- /dev/null
+++ b/queue-5.6/ipv4-fix-a-rcu-list-lock-in-fib_triestat_seq_show.patch
@@ -0,0 +1,63 @@
+From foo@baz Thu 02 Apr 2020 10:21:59 PM CEST
+From: Qian Cai
+Date: Wed, 25 Mar 2020 18:01:00 -0400
+Subject: ipv4: fix a RCU-list lock in fib_triestat_seq_show
+
+From: Qian Cai
+
+[ Upstream commit fbe4e0c1b298b4665ee6915266c9d6c5b934ef4a ]
+
+fib_triestat_seq_show() calls hlist_for_each_entry_rcu(tb, head,
+tb_hlist) without rcu_read_lock() will trigger a warning,
+
+ net/ipv4/fib_trie.c:2579 RCU-list traversed in non-reader section!!
+
+ other info that might help us debug this:
+
+ rcu_scheduler_active = 2, debug_locks = 1
+ 1 lock held by proc01/115277:
+ #0: c0000014507acf00 (&p->lock){+.+.}-{3:3}, at: seq_read+0x58/0x670
+
+ Call Trace:
+ dump_stack+0xf4/0x164 (unreliable)
+ lockdep_rcu_suspicious+0x140/0x164
+ fib_triestat_seq_show+0x750/0x880
+ seq_read+0x1a0/0x670
+ proc_reg_read+0x10c/0x1b0
+ __vfs_read+0x3c/0x70
+ vfs_read+0xac/0x170
+ ksys_read+0x7c/0x140
+ system_call+0x5c/0x68
+
+Fix it by adding a pair of rcu_read_lock/unlock() and use
+cond_resched_rcu() to avoid the situation where walking of a large
+number of items may prevent scheduling for a long time.
+
+Signed-off-by: Qian Cai
+Reviewed-by: Eric Dumazet
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv4/fib_trie.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/ipv4/fib_trie.c
++++ b/net/ipv4/fib_trie.c
+@@ -2577,6 +2577,7 @@ static int fib_triestat_seq_show(struct
+ " %zd bytes, size of tnode: %zd bytes.\n",
+ LEAF_SIZE, TNODE_SIZE(0));
+
++ rcu_read_lock();
+ for (h = 0; h < FIB_TABLE_HASHSZ; h++) {
+ struct hlist_head *head = &net->ipv4.fib_table_hash[h];
+ struct fib_table *tb;
+@@ -2596,7 +2597,9 @@ static int fib_triestat_seq_show(struct
+ trie_show_usage(seq, t->stats);
+ #endif
+ }
++ cond_resched_rcu();
+ }
++ rcu_read_unlock();
+
+ return 0;
+ }
diff --git a/queue-5.6/net-dsa-ksz-select-ksz-protocol-tag.patch b/queue-5.6/net-dsa-ksz-select-ksz-protocol-tag.patch
new file mode 100644
index 00000000000..010d8b11b6f
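Review bot: The `cond_resched_rcu()` added at the end of each hash-bucket iteration in fib_triestat_seq_show() has no comment saying why the RCU read-side section may be left at that point. From the visible lines `tb` is declared inside the `for (h ...)` body, so no RCU-protected pointer appears to be carried into the next bucket, but the lines between the two inner hunks are not shown and should be checked. I would add `/* no fib_table pointer is held across buckets, so RCU can be dropped here */` above the call. The function body starts and ends outside the hunks.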
--- /dev/null
+++ b/queue-5.6/net-dsa-ksz-select-ksz-protocol-tag.patch
@@ -0,0 +1,31 @@
+From foo@baz Thu 02 Apr 2020 10:21:59 PM CEST
+From: Codrin Ciubotariu
+Date: Tue, 31 Mar 2020 12:36:51 +0300
+Subject: net: dsa: ksz: Select KSZ protocol tag
+
+From: Codrin Ciubotariu
+
+[ Upstream commit f772148eb757b0823fbfdc2fe592d5e06c7f19b0 ]
+
+KSZ protocol tag is needed by the KSZ DSA drivers.
+
+Fixes: 0b9f9dfbfab4 ("dsa: Allow tag drivers to be built as modules")
+Tested-by: Cristian Birsan
+Signed-off-by: Codrin Ciubotariu
+Reviewed-by: Andrew Lunn
+Reviewed-by: Florian Fainelli
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/dsa/microchip/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/dsa/microchip/Kconfig
++++ b/drivers/net/dsa/microchip/Kconfig
+@@ -1,5 +1,6 @@
+ # SPDX-License-Identifier: GPL-2.0-only
+ config NET_DSA_MICROCHIP_KSZ_COMMON
++ select NET_DSA_TAG_KSZ
+ tristate
+
+ menuconfig NET_DSA_MICROCHIP_KSZ9477
diff --git a/queue-5.6/net-fix-fraglist-segmentation-reference-count-leak.patch b/queue-5.6/net-fix-fraglist-segmentation-reference-count-leak.patch
new file mode 100644
index 00000000000..074c1daa3d1
--- /dev/null
+++ b/queue-5.6/net-fix-fraglist-segmentation-reference-count-leak.patch
@@ -0,0 +1,43 @@
+From foo@baz Thu 02 Apr 2020 10:21:59 PM CEST
+From: Florian Westphal
+Date: Mon, 30 Mar 2020 18:51:29 +0200
+Subject: net: fix fraglist segmentation reference count leak
+
+From: Florian Westphal
+
+[ Upstream commit cf673ed0e057a2dd68d930c6d7e30d53c70c5789 ]
+
+Xin Long says:
+ On udp rx path udp_rcv_segment() may do segment where the frag skbs
+ will get the header copied from the head skb in skb_segment_list()
+ by calling __copy_skb_header(), which could overwrite the frag skbs'
+ extensions by __skb_ext_copy() and cause a leak.
+
+ This issue was found after loading esp_offload where a sec path ext
+ is set in the skb.
+
+Fix this by discarding head state of the fraglist skb before replacing
+its contents.
+
+Fixes: 3a1296a38d0cf62 ("net: Support GRO/GSO fraglist chaining.")
+Cc: Steffen Klassert
+Reported-by: Xiumei Mu
+Tested-by: Xin Long
+Signed-off-by: Florian Westphal
+Acked-by: Steffen Klassert
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/core/skbuff.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/core/skbuff.c
++++ b/net/core/skbuff.c
+@@ -3668,6 +3668,7 @@ struct sk_buff *skb_segment_list(struct
+
+ skb_push(nskb, -skb_network_offset(nskb) + offset);
+
++ skb_release_head_state(nskb);
+ __copy_skb_header(nskb, skb);
+
+ skb_headers_offset_update(nskb, skb_headroom(nskb) - skb_headroom(skb));
diff --git a/queue-5.6/net-ip_tunnel-fix-interface-lookup-with-no-key.patch b/queue-5.6/net-ip_tunnel-fix-interface-lookup-with-no-key.patch
new file mode 100644
index 00000000000..5562688139e
--- /dev/null
+++ b/queue-5.6/net-ip_tunnel-fix-interface-lookup-with-no-key.patch
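Review bot: The added `skb_release_head_state(nskb);` in skb_segment_list() has no comment, and the reason for its position is recorded only in the commit message: `__copy_skb_header()` overwrites the frag skb's extensions, so whatever nskb held before is leaked unless it is released first. Because the two calls are order-dependent, I would add `/* release nskb's own head state before the head skb's is copied over it */` above the new line so a later cleanup does not reorder or drop it. The function body starts and ends outside the hunk.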
@@ -0,0 +1,54 @@
+From foo@baz Thu 02 Apr 2020 10:21:59 PM CEST
+From: William Dauchy
+Date: Fri, 27 Mar 2020 19:56:39 +0100
+Subject: net, ip_tunnel: fix interface lookup with no key
+
+From: William Dauchy
+
+[ Upstream commit 25629fdaff2ff509dd0b3f5ff93d70a75e79e0a1 ]
+
+when creating a new ipip interface with no local/remote configuration,
+the lookup is done with TUNNEL_NO_KEY flag, making it impossible to
+match the new interface (only possible match being fallback or metada
+case interface); e.g: `ip link add tunl1 type ipip dev eth0`
+
+To fix this case, adding a flag check before the key comparison so we
+permit to match an interface with no local/remote config; it also avoids
+breaking possible userland tools relying on TUNNEL_NO_KEY flag and
+uninitialised key.
+
+context being on my side, I'm creating an extra ipip interface attached
+to the physical one, and moving it to a dedicated namespace.
+
+Fixes: c54419321455 ("GRE: Refactor GRE tunneling code.")
+Signed-off-by: William Dauchy
+Signed-off-by: Nicolas Dichtel
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv4/ip_tunnel.c | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+--- a/net/ipv4/ip_tunnel.c
++++ b/net/ipv4/ip_tunnel.c
+@@ -142,11 +142,8 @@ struct ip_tunnel *ip_tunnel_lookup(struc
+ cand = t;
+ }
+
+- if (flags & TUNNEL_NO_KEY)
+- goto skip_key_lookup;
+-
+ hlist_for_each_entry_rcu(t, head, hash_node) {
+- if (t->parms.i_key != key ||
++ if ((!(flags & TUNNEL_NO_KEY) && t->parms.i_key != key) ||
+ t->parms.iph.saddr != 0 ||
+ t->parms.iph.daddr != 0 ||
+ !(t->dev->flags & IFF_UP))
+@@ -158,7 +155,6 @@ struct ip_tunnel *ip_tunnel_lookup(struc
+ cand = t;
+ }
+
+-skip_key_lookup:
+ if (cand)
+ return cand;
+
diff --git a/queue-5.6/net-macb-fix-handling-of-fixed-link-node.patch b/queue-5.6/net-macb-fix-handling-of-fixed-link-node.patch
new file mode 100644
index 00000000000..7e28dca1e07
--- /dev/null
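Review bot: With `TUNNEL_NO_KEY` set, the rewritten test `(!(flags & TUNNEL_NO_KEY) && t->parms.i_key != key)` no longer looks at `t->parms.i_key` at all, so this loop in ip_tunnel_lookup() can select a tunnel with any stored key as long as saddr and daddr are zero and the device is up. The commit message presents that as intended, but nothing in the code says so; a comment above the loop such as `/* keyless lookup: match address-less tunnels regardless of i_key */` would record it. Whether a keyed tunnel can sit in the same hash bucket depends on how `head` is computed, which is outside the hunk and worth confirming.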
+++ b/queue-5.6/net-macb-fix-handling-of-fixed-link-node.patch
@@ -0,0 +1,34 @@
+From foo@baz Thu 02 Apr 2020 10:21:59 PM CEST
+From: Codrin Ciubotariu
+Date: Tue, 31 Mar 2020 12:39:35 +0300
+Subject: net: macb: Fix handling of fixed-link node
+
+From: Codrin Ciubotariu
+
+[ Upstream commit 79540d133ed6f65a37dacb54b7a704cc8a24c52d ]
+
+fixed-link nodes are treated as PHY nodes by of_mdiobus_child_is_phy().
+We must check if the interface is a fixed-link before looking up for PHY
+nodes.
+
+Fixes: 7897b071ac3b ("net: macb: convert to phylink")
+Tested-by: Cristian Birsan
+Signed-off-by: Codrin Ciubotariu
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/cadence/macb_main.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/ethernet/cadence/macb_main.c
++++ b/drivers/net/ethernet/cadence/macb_main.c
+@@ -724,6 +724,9 @@ static int macb_mdiobus_register(struct
+ {
+ struct device_node *child, *np = bp->pdev->dev.of_node;
+
++ if (of_phy_is_fixed_link(np))
++ return mdiobus_register(bp->mii_bus);
++
+ /* Only create the PHY from the device tree if at least one PHY is
+ * described. Otherwise scan the entire MDIO bus. We do this to support
+ * old device tree that did not follow the best practices and did not
diff --git a/queue-5.6/sctp-fix-possibly-using-a-bad-saddr-with-a-given-dst.patch b/queue-5.6/sctp-fix-possibly-using-a-bad-saddr-with-a-given-dst.patch
new file mode 100644
index 00000000000..373a98ded87
--- /dev/null
+++ b/queue-5.6/sctp-fix-possibly-using-a-bad-saddr-with-a-given-dst.patch
@@ -0,0 +1,188 @@
+From foo@baz Thu 02 Apr 2020 10:21:59 PM CEST
+From: Marcelo Ricardo Leitner
+Date: Thu, 26 Mar 2020 20:47:46 -0300
+Subject: sctp: fix possibly using a bad saddr with a given dst
+
+From: Marcelo Ricardo Leitner
+
+[ Upstream commit 582eea230536a6f104097dd46205822005d5fe3a ]
+
+Under certain circumstances, depending on the order of addresses on the
+interfaces, it could be that sctp_v[46]_get_dst() would return a dst
+with a mismatched struct flowi.
+
+For example, if when walking through the bind addresses and the first
+one is not a match, it saves the dst as a fallback (added in
+410f03831c07), but not the flowi. Then if the next one is also not a
+match, the previous dst will be returned but with the flowi information
+for the 2nd address, which is wrong.
+
+The fix is to use a locally stored flowi that can be used for such
+attempts, and copy it to the parameter only in case it is a possible
+match, together with the corresponding dst entry.
+
+The patch updates IPv6 code mostly just to be in sync. Even though the issue
+is also present there, it fallback is not expected to work with IPv6.
+
+Fixes: 410f03831c07 ("sctp: add routing output fallback")
+Reported-by: Jin Meng
+Signed-off-by: Marcelo Ricardo Leitner
+Tested-by: Xin Long
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/sctp/ipv6.c | 20 ++++++++++++++------
+ net/sctp/protocol.c | 28 +++++++++++++++++++---------
+ 2 files changed, 33 insertions(+), 15 deletions(-)
+
+--- a/net/sctp/ipv6.c
++++ b/net/sctp/ipv6.c
+@@ -228,7 +228,8 @@ static void sctp_v6_get_dst(struct sctp_
+ {
+ struct sctp_association *asoc = t->asoc;
+ struct dst_entry *dst = NULL;
+- struct flowi6 *fl6 = &fl->u.ip6;
++ struct flowi _fl;
++ struct flowi6 *fl6 = &_fl.u.ip6;
+ struct sctp_bind_addr *bp;
+ struct ipv6_pinfo *np = inet6_sk(sk);
+ struct sctp_sockaddr_entry *laddr;
+@@ -238,7 +239,7 @@ static void sctp_v6_get_dst(struct sctp_
+ enum sctp_scope scope;
+ __u8 matchlen = 0;
+
+- memset(fl6, 0, sizeof(struct flowi6));
++ memset(&_fl, 0, sizeof(_fl));
+ fl6->daddr = daddr->v6.sin6_addr;
+ fl6->fl6_dport = daddr->v6.sin6_port;
+ fl6->flowi6_proto = IPPROTO_SCTP;
+@@ -276,8 +277,11 @@ static void sctp_v6_get_dst(struct sctp_
+ rcu_read_unlock();
+
+ dst = ip6_dst_lookup_flow(sock_net(sk), sk, fl6, final_p);
+- if (!asoc || saddr)
++ if (!asoc || saddr) {
++ t->dst = dst;
++ memcpy(fl, &_fl, sizeof(_fl));
+ goto out;
++ }
+
+ bp = &asoc->base.bind_addr;
+ scope = sctp_scope(daddr);
+@@ -300,6 +304,8 @@ static void sctp_v6_get_dst(struct sctp_
+ if ((laddr->a.sa.sa_family == AF_INET6) &&
+ (sctp_v6_cmp_addr(&dst_saddr, &laddr->a))) {
+ rcu_read_unlock();
++ t->dst = dst;
++ memcpy(fl, &_fl, sizeof(_fl));
+ goto out;
+ }
+ }
+@@ -338,6 +344,8 @@ static void sctp_v6_get_dst(struct sctp_
+ if (!IS_ERR_OR_NULL(dst))
+ dst_release(dst);
+ dst = bdst;
++ t->dst = dst;
++ memcpy(fl, &_fl, sizeof(_fl));
+ break;
+ }
+
+@@ -351,6 +359,8 @@ static void sctp_v6_get_dst(struct sctp_
+ dst_release(dst);
+ dst = bdst;
+ matchlen = bmatchlen;
++ t->dst = dst;
++ memcpy(fl, &_fl, sizeof(_fl));
+ }
+ rcu_read_unlock();
+
+@@ -359,14 +369,12 @@ out:
+ struct rt6_info *rt;
+
+ rt = (struct rt6_info *)dst;
+- t->dst = dst;
+ t->dst_cookie = rt6_get_cookie(rt);
+ pr_debug("rt6_dst:%pI6/%d rt6_src:%pI6\n",
+ &rt->rt6i_dst.addr, rt->rt6i_dst.plen,
+- &fl6->saddr);
++ &fl->u.ip6.saddr);
+ } else {
+ t->dst = NULL;
+-
+ pr_debug("no route\n");
+ }
+ }
+--- a/net/sctp/protocol.c
++++ b/net/sctp/protocol.c
+@@ -409,7 +409,8 @@ static void sctp_v4_get_dst(struct sctp_
+ {
+ struct sctp_association *asoc = t->asoc;
+ struct rtable *rt;
+- struct flowi4 *fl4 = &fl->u.ip4;
++ struct flowi _fl;
++ struct flowi4 *fl4 = &_fl.u.ip4;
+ struct sctp_bind_addr *bp;
+ struct sctp_sockaddr_entry *laddr;
+ struct dst_entry *dst = NULL;
+@@ -419,7 +420,7 @@ static void sctp_v4_get_dst(struct sctp_
+
+ if (t->dscp & SCTP_DSCP_SET_MASK)
+ tos = t->dscp & SCTP_DSCP_VAL_MASK;
+- memset(fl4, 0x0, sizeof(struct flowi4));
++ memset(&_fl, 0x0, sizeof(_fl));
+ fl4->daddr = daddr->v4.sin_addr.s_addr;
+ fl4->fl4_dport = daddr->v4.sin_port;
+ fl4->flowi4_proto = IPPROTO_SCTP;
+@@ -438,8 +439,11 @@ static void sctp_v4_get_dst(struct sctp_
+ &fl4->saddr);
+
+ rt = ip_route_output_key(sock_net(sk), fl4);
+- if (!IS_ERR(rt))
++ if (!IS_ERR(rt)) {
+ dst = &rt->dst;
++ t->dst = dst;
++ memcpy(fl, &_fl, sizeof(_fl));
++ }
+
+ /* If there is no association or if a source address is passed, no
+ * more validation is required.
+@@ -502,27 +506,33 @@ static void sctp_v4_get_dst(struct sctp_
+ odev = __ip_dev_find(sock_net(sk), laddr->a.v4.sin_addr.s_addr,
+ false);
+ if (!odev || odev->ifindex != fl4->flowi4_oif) {
+- if (!dst)
++ if (!dst) {
+ dst = &rt->dst;
+- else
++ t->dst = dst;
++ memcpy(fl, &_fl, sizeof(_fl));
++ } else {
+ dst_release(&rt->dst);
++ }
+ continue;
+ }
+
+ dst_release(dst);
+ dst = &rt->dst;
++ t->dst = dst;
++ memcpy(fl, &_fl, sizeof(_fl));
+ break;
+ }
+
+ out_unlock:
+ rcu_read_unlock();
+ out:
+- t->dst = dst;
+- if (dst)
++ if (dst) {
+ pr_debug("rt_dst:%pI4, rt_src:%pI4\n",
+- &fl4->daddr, &fl4->saddr);
+- else
++ &fl->u.ip4.daddr, &fl->u.ip4.saddr);
++ } else {
++ t->dst = NULL;
+ pr_debug("no route\n");
++ }
+ }
+
+ /* For v4, the source address is cached in the route entry(dst). So no need
diff --git a/queue-5.6/sctp-fix-refcount-bug-in-sctp_wfree.patch b/queue-5.6/sctp-fix-refcount-bug-in-sctp_wfree.patch
new file mode 100644
index 00000000000..fbd75c1b090
--- /dev/null
+++ b/queue-5.6/sctp-fix-refcount-bug-in-sctp_wfree.patch
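Review bot: The statement pair `t->dst = dst; memcpy(fl, &_fl, sizeof(_fl));` is open-coded at four places in sctp_v6_get_dst() and three in sctp_v4_get_dst(), and the rule it enforces, that `*fl` is written only together with the dst it belongs to, is stated nowhere in the code. A later exit path that assigns `dst` without the copy would bring back the dst/flowi mismatch this patch removes, and the `pr_debug()` calls at `out:` now read `fl->u.ip6` / `fl->u.ip4`, so they depend on the same rule. I would put `/* scratch flow: copied to *fl only when its dst is stored in t->dst */` on both `struct flowi _fl;` declarations, or fold the pair into one small static helper. Both functions start and end outside the hunks shown.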
@@ -0,0 +1,115 @@
+From foo@baz Thu 02 Apr 2020 10:21:59 PM CEST
+From: Qiujun Huang
+Date: Fri, 27 Mar 2020 11:07:51 +0800
+Subject: sctp: fix refcount bug in sctp_wfree
+
+From: Qiujun Huang
+
+[ Upstream commit 5c3e82fe159622e46e91458c1a6509c321a62820 ]
+
+We should iterate over the datamsgs to move
+all chunks(skbs) to newsk.
+
+The following case cause the bug:
+for the trouble SKB, it was in outq->transmitted list
+
+sctp_outq_sack
+ sctp_check_transmitted
+ SKB was moved to outq->sacked list
+ then throw away the sack queue
+ SKB was deleted from outq->sacked
+(but it was held by datamsg at sctp_datamsg_to_asoc
+So, sctp_wfree was not called here)
+
+then migrate happened
+
+ sctp_for_each_tx_datachunk(
+ sctp_clear_owner_w);
+ sctp_assoc_migrate();
+ sctp_for_each_tx_datachunk(
+ sctp_set_owner_w);
+SKB was not in the outq, and was not changed to newsk
+
+finally
+
+__sctp_outq_teardown
+ sctp_chunk_put (for another skb)
+ sctp_datamsg_put
+ __kfree_skb(msg->frag_list)
+ sctp_wfree (for SKB)
+ SKB->sk was still oldsk (skb->sk != asoc->base.sk).
+
+Reported-and-tested-by: syzbot+cea71eec5d6de256d54d@syzkaller.appspotmail.com
+Signed-off-by: Qiujun Huang
+Acked-by: Marcelo Ricardo Leitner
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/sctp/socket.c | 31 +++++++++++++++++++++++--------
+ 1 file changed, 23 insertions(+), 8 deletions(-)
+
+--- a/net/sctp/socket.c
++++ b/net/sctp/socket.c
+@@ -147,29 +147,44 @@ static void sctp_clear_owner_w(struct sc
+ skb_orphan(chunk->skb);
+ }
+
++#define traverse_and_process() \
++do { \
++ msg = chunk->msg; \
++ if (msg == prev_msg) \
++ continue; \
++ list_for_each_entry(c, &msg->chunks, frag_list) { \
++ if ((clear && asoc->base.sk == c->skb->sk) || \
++ (!clear && asoc->base.sk != c->skb->sk)) \
++ cb(c); \
++ } \
++ prev_msg = msg; \
++} while (0)
++
+ static void sctp_for_each_tx_datachunk(struct sctp_association *asoc,
++ bool clear,
+ void (*cb)(struct sctp_chunk *))
+
+ {
++ struct sctp_datamsg *msg, *prev_msg = NULL;
+ struct sctp_outq *q = &asoc->outqueue;
++ struct sctp_chunk *chunk, *c;
+ struct sctp_transport *t;
+- struct sctp_chunk *chunk;
+
+ list_for_each_entry(t, &asoc->peer.transport_addr_list, transports)
+ list_for_each_entry(chunk, &t->transmitted, transmitted_list)
+- cb(chunk);
++ traverse_and_process();
+
+ list_for_each_entry(chunk, &q->retransmit, transmitted_list)
+- cb(chunk);
++ traverse_and_process();
+
+ list_for_each_entry(chunk, &q->sacked, transmitted_list)
+- cb(chunk);
++ traverse_and_process();
+
+ list_for_each_entry(chunk, &q->abandoned, transmitted_list)
+- cb(chunk);
++ traverse_and_process();
+
+ list_for_each_entry(chunk, &q->out_chunk_list, list)
+- cb(chunk);
++ traverse_and_process();
+ }
+
+ static void sctp_for_each_rx_skb(struct sctp_association *asoc, struct sock *sk,
+@@ -9574,9 +9589,9 @@ static int sctp_sock_migrate(struct sock
+ * paths won't try to lock it and then oldsk.
+ */
+ lock_sock_nested(newsk, SINGLE_DEPTH_NESTING);
+- sctp_for_each_tx_datachunk(assoc, sctp_clear_owner_w);
++ sctp_for_each_tx_datachunk(assoc, true, sctp_clear_owner_w);
+ sctp_assoc_migrate(assoc, newsk);
+- sctp_for_each_tx_datachunk(assoc, sctp_set_owner_w);
++ sctp_for_each_tx_datachunk(assoc, false, sctp_set_owner_w);
+
+ /* If the association on the newsk is already closed before accept()
+ * is called, set RCV_SHUTDOWN flag.
diff --git a/queue-5.6/series b/queue-5.6/series
new file mode 100644
index 00000000000..d13a0fb951c
--- /dev/null
+++ b/queue-5.6/series
@@ -0,0 +1,8 @@
+ipv4-fix-a-rcu-list-lock-in-fib_triestat_seq_show.patch
+net-dsa-ksz-select-ksz-protocol-tag.patch
+net-ip_tunnel-fix-interface-lookup-with-no-key.patch
+sctp-fix-possibly-using-a-bad-saddr-with-a-given-dst.patch
+sctp-fix-refcount-bug-in-sctp_wfree.patch
+net-macb-fix-handling-of-fixed-link-node.patch
+net-fix-fraglist-segmentation-reference-count-leak.patch
+udp-initialize-is_flist-with-0-in-udp_gro_receive.patch
diff --git a/queue-5.6/udp-initialize-is_flist-with-0-in-udp_gro_receive.patch b/queue-5.6/udp-initialize-is_flist-with-0-in-udp_gro_receive.patch
new file mode 100644
index 00000000000..3a9993ca848
--- /dev/null
+++ b/queue-5.6/udp-initialize-is_flist-with-0-in-udp_gro_receive.patch
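Review bot: `traverse_and_process()` in net/sctp/socket.c is a zero-argument macro that silently reads and writes the caller's locals (`chunk`, `msg`, `prev_msg`, `c`, `clear`, `cb`, `asoc`), and its `continue` sits inside `do { } while (0)`, so it ends the macro's own loop and not the surrounding `list_for_each_entry`. The outcome is the same only because the macro is the whole loop body; a statement added after it in any of the five loops would also run for chunks that were meant to be skipped, which matters in code that exists to keep skb ownership and refcounts consistent. The macro is also not `#undef`ed anywhere in the hunk. A static helper that takes these values as parameters removes all three problems; the sketch below shows one loop, and the helper name is only a suggestion.

```c
/* Run cb on each chunk of msg whose skb owner still has to change. */
static void sctp_for_each_msg_chunk(struct sctp_association *asoc,
				    struct sctp_datamsg *msg, bool clear,
				    void (*cb)(struct sctp_chunk *))
{
	struct sctp_chunk *c;

	list_for_each_entry(c, &msg->chunks, frag_list) {
		if ((clear && asoc->base.sk == c->skb->sk) ||
		    (!clear && asoc->base.sk != c->skb->sk))
			cb(c);
	}
}

/* … unchanged: sctp_for_each_tx_datachunk() signature; locals msg and c no longer needed … */
	list_for_each_entry(chunk, &q->retransmit, transmitted_list) {
		if (chunk->msg == prev_msg)
			continue;
		sctp_for_each_msg_chunk(asoc, chunk->msg, clear, cb);
		prev_msg = chunk->msg;
	}
/* … same shape for the transmitted, sacked, abandoned and out_chunk_list loops … */
```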
@@ -0,0 +1,34 @@
+From foo@baz Thu 02 Apr 2020 10:21:59 PM CEST
+From: Xin Long
+Date: Mon, 30 Mar 2020 23:31:45 +0800
+Subject: udp: initialize is_flist with 0 in udp_gro_receive
+
+From: Xin Long
+
+[ Upstream commit bde1b56f898ca8112912d7b36e55e1543b3be0cf ]
+
+Without NAPI_GRO_CB(skb)->is_flist initialized, when the dev doesn't
+support NETIF_F_GRO_FRAGLIST, is_flist can still be set and fraglist
+will be used in udp_gro_receive().
+
+So fix it by initializing is_flist with 0 in udp_gro_receive.
+
+Fixes: 9fd1ff5d2ac7 ("udp: Support UDP fraglist GRO/GSO.")
+Signed-off-by: Xin Long
+Acked-by: Steffen Klassert
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv4/udp_offload.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/ipv4/udp_offload.c
++++ b/net/ipv4/udp_offload.c
+@@ -453,6 +453,7 @@ struct sk_buff *udp_gro_receive(struct l
+ unsigned int off = skb_gro_offset(skb);
+ int flush = 1;
+
++ NAPI_GRO_CB(skb)->is_flist = 0;
+ if (skb->dev->features & NETIF_F_GRO_FRAGLIST)
+ NAPI_GRO_CB(skb)->is_flist = sk ? !udp_sk(sk)->gro_enabled: 1;
+
-- 2.47.3