From c8ea35f8d1e01bdfb82132ef823e5c1b0c513446 Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman Date: Fri, 25 Sep 2020 11:10:35 +0200 Subject: [PATCH] 4.14-stable patches added patches: bnxt_en-protect-bnxt_set_eee-and-bnxt_set_pauseparam-with-mutex.patch geneve-add-transport-ports-in-route-lookup-for-geneve.patch hdlc_ppp-add-range-checks-in-ppp_cp_parse_cr.patch ip-fix-tos-reflection-in-ack-and-reset-packets.patch ipv4-update-exception-handling-for-multipath-routes-via-same-device.patch net-add-__must_check-to-skb_put_padto.patch net-ipv6-fix-kconfig-dependency-warning-for-ipv6_seg6_hmac.patch net-phy-avoid-npd-upon-phy_detach-when-driver-is-unbound.patch tipc-fix-shutdown-of-connection-oriented-socket.patch tipc-use-skb_unshare-instead-in-tipc_buf_append.patch --- ...e-and-bnxt_set_pauseparam-with-mutex.patch | 109 +++++++++++ ...ort-ports-in-route-lookup-for-geneve.patch | 184 ++++++++++++++++++ ...-add-range-checks-in-ppp_cp_parse_cr.patch | 80 ++++++++ ...-reflection-in-ack-and-reset-packets.patch | 43 ++++ ...for-multipath-routes-via-same-device.patch | 159 +++++++++++++++ ...et-add-__must_check-to-skb_put_padto.patch | 42 ++++ ...ependency-warning-for-ipv6_seg6_hmac.patch | 51 +++++ ...on-phy_detach-when-driver-is-unbound.patch | 37 ++++ ...context-reference-leak-in-error-path.patch | 9 +- queue-4.14/series | 10 + ...utdown-of-connection-oriented-socket.patch | 55 ++++++ ...b_unshare-instead-in-tipc_buf_append.patch | 67 +++++++ 12 files changed, 839 insertions(+), 7 deletions(-) create mode 100644 queue-4.14/bnxt_en-protect-bnxt_set_eee-and-bnxt_set_pauseparam-with-mutex.patch create mode 100644 queue-4.14/geneve-add-transport-ports-in-route-lookup-for-geneve.patch create mode 100644 queue-4.14/hdlc_ppp-add-range-checks-in-ppp_cp_parse_cr.patch create mode 100644 queue-4.14/ip-fix-tos-reflection-in-ack-and-reset-packets.patch create mode 100644 queue-4.14/ipv4-update-exception-handling-for-multipath-routes-via-same-device.patch create mode 100644 queue-4.14/net-add-__must_check-to-skb_put_padto.patch create mode 100644 
queue-4.14/net-ipv6-fix-kconfig-dependency-warning-for-ipv6_seg6_hmac.patch create mode 100644 queue-4.14/net-phy-avoid-npd-upon-phy_detach-when-driver-is-unbound.patch create mode 100644 queue-4.14/tipc-fix-shutdown-of-connection-oriented-socket.patch create mode 100644 queue-4.14/tipc-use-skb_unshare-instead-in-tipc_buf_append.patch diff --git a/queue-4.14/bnxt_en-protect-bnxt_set_eee-and-bnxt_set_pauseparam-with-mutex.patch b/queue-4.14/bnxt_en-protect-bnxt_set_eee-and-bnxt_set_pauseparam-with-mutex.patch new file mode 100644 index 00000000000..f93da5cadab --- /dev/null +++ b/queue-4.14/bnxt_en-protect-bnxt_set_eee-and-bnxt_set_pauseparam-with-mutex.patch 
@@ -0,0 +1,109 @@ +From foo@baz Fri Sep 25 10:56:27 AM CEST 2020 +From: Michael Chan +Date: Sun, 20 Sep 2020 21:08:56 -0400 +Subject: bnxt_en: Protect bnxt_set_eee() and bnxt_set_pauseparam() with mutex. + +From: Michael Chan + +[ Upstream commit a53906908148d64423398a62c4435efb0d09652c ] + +All changes related to bp->link_info require the protection of the +link_lock mutex. It's not sufficient to rely just on RTNL. + +Fixes: 163e9ef63641 ("bnxt_en: Fix race when modifying pause settings.") +Reviewed-by: Edwin Peer +Signed-off-by: Michael Chan +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c | 31 ++++++++++++++-------- + 1 file changed, 20 insertions(+), 11 deletions(-) + +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c +@@ -1264,9 +1264,12 @@ static int bnxt_set_pauseparam(struct ne + if (!BNXT_SINGLE_PF(bp)) + return -EOPNOTSUPP; + ++ mutex_lock(&bp->link_lock); + if (epause->autoneg) { +- if (!(link_info->autoneg & BNXT_AUTONEG_SPEED)) +- return -EINVAL; ++ if (!(link_info->autoneg & BNXT_AUTONEG_SPEED)) { ++ rc = -EINVAL; ++ goto pause_exit; ++ } + + link_info->autoneg |= BNXT_AUTONEG_FLOW_CTRL; + if (bp->hwrm_spec_code >= 0x10201) +@@ -1287,11 +1290,11 @@ static int bnxt_set_pauseparam(struct ne + if (epause->tx_pause) + link_info->req_flow_ctrl |= BNXT_LINK_PAUSE_TX; + +- if (netif_running(dev)) { +- mutex_lock(&bp->link_lock); ++ if (netif_running(dev)) + rc = bnxt_hwrm_set_pause(bp); +- mutex_unlock(&bp->link_lock); +- } ++ ++pause_exit: ++ mutex_unlock(&bp->link_lock); + return rc; + } + +@@ -1977,8 +1980,7 @@ static int bnxt_set_eee(struct net_devic + struct bnxt *bp = netdev_priv(dev); + struct ethtool_eee *eee = &bp->eee; + struct bnxt_link_info *link_info = &bp->link_info; +- u32 advertising = +- _bnxt_fw_to_ethtool_adv_spds(link_info->advertising, 0); ++ u32 advertising; + int rc = 0; + + if (!BNXT_SINGLE_PF(bp)) 
+@@ -1987,19 +1989,23 @@ static int bnxt_set_eee(struct net_devic + if (!(bp->flags & BNXT_FLAG_EEE_CAP)) + return -EOPNOTSUPP; + ++ mutex_lock(&bp->link_lock); ++ advertising = _bnxt_fw_to_ethtool_adv_spds(link_info->advertising, 0); + if (!edata->eee_enabled) + goto eee_ok; + + if (!(link_info->autoneg & BNXT_AUTONEG_SPEED)) { + netdev_warn(dev, "EEE requires autoneg\n"); +- return -EINVAL; ++ rc = -EINVAL; ++ goto eee_exit; + } + if (edata->tx_lpi_enabled) { + if (bp->lpi_tmr_hi && (edata->tx_lpi_timer > bp->lpi_tmr_hi || + edata->tx_lpi_timer < bp->lpi_tmr_lo)) { + netdev_warn(dev, "Valid LPI timer range is %d and %d microsecs\n", + bp->lpi_tmr_lo, bp->lpi_tmr_hi); +- return -EINVAL; ++ rc = -EINVAL; ++ goto eee_exit; + } else if (!bp->lpi_tmr_hi) { + edata->tx_lpi_timer = eee->tx_lpi_timer; + } +@@ -2009,7 +2015,8 @@ static int bnxt_set_eee(struct net_devic + } else if (edata->advertised & ~advertising) { + netdev_warn(dev, "EEE advertised %x must be a subset of autoneg advertised speeds %x\n", + edata->advertised, advertising); +- return -EINVAL; ++ rc = -EINVAL; ++ goto eee_exit; + } + + eee->advertised = edata->advertised; +@@ -2021,6 +2028,8 @@ eee_ok: + if (netif_running(dev)) + rc = bnxt_hwrm_set_link_setting(bp, false, true); + ++eee_exit: ++ mutex_unlock(&bp->link_lock); + return rc; + } + diff --git a/queue-4.14/geneve-add-transport-ports-in-route-lookup-for-geneve.patch b/queue-4.14/geneve-add-transport-ports-in-route-lookup-for-geneve.patch new file mode 100644 index 00000000000..baee698ae5e --- /dev/null +++ b/queue-4.14/geneve-add-transport-ports-in-route-lookup-for-geneve.patch 
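Review bot: In bnxt_set_pauseparam() the lock is now taken before the autoneg branch and released only at `pause_exit`, so any direct `return` in the part of the function between the two inner hunks (not shown here) would leave `bp->link_lock` held. The same holds for bnxt_set_eee() between `mutex_lock()` and `eee_exit`. Both are worth confirming against the 4.14 tree, since this is a backport and the bodies are only partly visible. The locking rule itself is stated only in the commit message; I would add a comment at each `mutex_lock(&bp->link_lock);`, for example `/* link_lock protects bp->link_info; RTNL alone is not sufficient */`.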
@@ -0,0 +1,184 @@ +From foo@baz Fri Sep 25 10:56:27 AM CEST 2020 +From: Mark Gray +Date: Wed, 16 Sep 2020 05:19:35 -0400 +Subject: geneve: add transport ports in route lookup for geneve + +From: Mark Gray + +[ Upstream commit 34beb21594519ce64a55a498c2fe7d567bc1ca20 ] + +This patch adds transport ports information for route lookup so that +IPsec can select Geneve tunnel traffic to do encryption. This is +needed for OVS/OVN IPsec with encrypted Geneve tunnels. + +This can be tested by configuring a host-host VPN using an IKE +daemon and specifying port numbers. For example, for an +Openswan-type configuration, the following parameters should be +configured on both hosts and IPsec set up as-per normal: + +$ cat /etc/ipsec.conf + +conn in +... +left=$IP1 +right=$IP2 +... +leftprotoport=udp/6081 +rightprotoport=udp +... +conn out +... +left=$IP1 +right=$IP2 +... +leftprotoport=udp +rightprotoport=udp/6081 +... + +The tunnel can then be setup using "ip" on both hosts (but +changing the relevant IP addresses): + +$ ip link add tun type geneve id 1000 remote $IP2 +$ ip addr add 192.168.0.1/24 dev tun +$ ip link set tun up + +This can then be tested by pinging from $IP1: + +$ ping 192.168.0.2 + +Without this patch the traffic is unencrypted on the wire. + +Fixes: 2d07dc79fe04 ("geneve: add initial netdev driver for GENEVE tunnels") +Signed-off-by: Qiuyu Xiao +Signed-off-by: Mark Gray +Reviewed-by: Greg Rose +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/geneve.c | 37 +++++++++++++++++++++++++++---------- + 1 file changed, 27 insertions(+), 10 deletions(-) + +--- a/drivers/net/geneve.c ++++ b/drivers/net/geneve.c +@@ -716,7 +716,8 @@ static struct rtable *geneve_get_v4_rt(s + struct net_device *dev, + struct geneve_sock *gs4, + struct flowi4 *fl4, +- const struct ip_tunnel_info *info) ++ const struct ip_tunnel_info *info, ++ __be16 dport, __be16 sport) + { + bool use_cache = ip_tunnel_dst_cache_usable(skb, info); + struct geneve_dev *geneve = netdev_priv(dev); +@@ -732,6 +733,8 @@ static struct rtable *geneve_get_v4_rt(s + fl4->flowi4_proto = IPPROTO_UDP; + fl4->daddr = info->key.u.ipv4.dst; + fl4->saddr = info->key.u.ipv4.src; ++ fl4->fl4_dport = dport; ++ fl4->fl4_sport = sport; + + tos = info->key.tos; + if ((tos == 1) && !geneve->collect_md) { +@@ -766,7 +769,8 @@ static struct dst_entry *geneve_get_v6_d + struct net_device *dev, + struct geneve_sock *gs6, + struct flowi6 *fl6, +- const struct ip_tunnel_info *info) ++ const struct ip_tunnel_info *info, ++ __be16 dport, __be16 sport) + { + bool use_cache = ip_tunnel_dst_cache_usable(skb, info); + struct geneve_dev *geneve = netdev_priv(dev); +@@ -782,6 +786,9 @@ static struct dst_entry *geneve_get_v6_d + fl6->flowi6_proto = IPPROTO_UDP; + fl6->daddr = info->key.u.ipv6.dst; + fl6->saddr = info->key.u.ipv6.src; ++ fl6->fl6_dport = dport; ++ fl6->fl6_sport = sport; ++ + prio = info->key.tos; + if ((prio == 1) && !geneve->collect_md) { + prio = ip_tunnel_get_dsfield(ip_hdr(skb), skb); +@@ -828,7 +835,9 @@ static int geneve_xmit_skb(struct sk_buf + __be16 df; + int err; + +- rt = geneve_get_v4_rt(skb, dev, gs4, &fl4, info); ++ sport = udp_flow_src_port(geneve->net, skb, 1, USHRT_MAX, true); ++ rt = geneve_get_v4_rt(skb, dev, gs4, &fl4, info, ++ geneve->info.key.tp_dst, sport); + if (IS_ERR(rt)) + return PTR_ERR(rt); + +@@ -839,7 +848,6 @@ static int geneve_xmit_skb(struct sk_buf + skb_dst_update_pmtu(skb, 
mtu); + } + +- sport = udp_flow_src_port(geneve->net, skb, 1, USHRT_MAX, true); + if (geneve->collect_md) { + tos = ip_tunnel_ecn_encap(key->tos, ip_hdr(skb), skb); + ttl = key->ttl; +@@ -874,7 +882,9 @@ static int geneve6_xmit_skb(struct sk_bu + __be16 sport; + int err; + +- dst = geneve_get_v6_dst(skb, dev, gs6, &fl6, info); ++ sport = udp_flow_src_port(geneve->net, skb, 1, USHRT_MAX, true); ++ dst = geneve_get_v6_dst(skb, dev, gs6, &fl6, info, ++ geneve->info.key.tp_dst, sport); + if (IS_ERR(dst)) + return PTR_ERR(dst); + +@@ -885,7 +895,6 @@ static int geneve6_xmit_skb(struct sk_bu + skb_dst_update_pmtu(skb, mtu); + } + +- sport = udp_flow_src_port(geneve->net, skb, 1, USHRT_MAX, true); + if (geneve->collect_md) { + prio = ip_tunnel_ecn_encap(key->tos, ip_hdr(skb), skb); + ttl = key->ttl; +@@ -963,13 +972,18 @@ static int geneve_fill_metadata_dst(stru + { + struct ip_tunnel_info *info = skb_tunnel_info(skb); + struct geneve_dev *geneve = netdev_priv(dev); ++ __be16 sport; + + if (ip_tunnel_info_af(info) == AF_INET) { + struct rtable *rt; + struct flowi4 fl4; ++ + struct geneve_sock *gs4 = rcu_dereference(geneve->sock4); ++ sport = udp_flow_src_port(geneve->net, skb, ++ 1, USHRT_MAX, true); + +- rt = geneve_get_v4_rt(skb, dev, gs4, &fl4, info); ++ rt = geneve_get_v4_rt(skb, dev, gs4, &fl4, info, ++ geneve->info.key.tp_dst, sport); + if (IS_ERR(rt)) + return PTR_ERR(rt); + +@@ -979,9 +993,13 @@ static int geneve_fill_metadata_dst(stru + } else if (ip_tunnel_info_af(info) == AF_INET6) { + struct dst_entry *dst; + struct flowi6 fl6; ++ + struct geneve_sock *gs6 = rcu_dereference(geneve->sock6); ++ sport = udp_flow_src_port(geneve->net, skb, ++ 1, USHRT_MAX, true); + +- dst = geneve_get_v6_dst(skb, dev, gs6, &fl6, info); ++ dst = geneve_get_v6_dst(skb, dev, gs6, &fl6, info, ++ geneve->info.key.tp_dst, sport); + if (IS_ERR(dst)) + return PTR_ERR(dst); + +@@ -992,8 +1010,7 @@ static int geneve_fill_metadata_dst(stru + return -EINVAL; + } + +- info->key.tp_src = 
udp_flow_src_port(geneve->net, skb, +- 1, USHRT_MAX, true); ++ info->key.tp_src = sport; + info->key.tp_dst = geneve->info.key.tp_dst; + return 0; + } diff --git a/queue-4.14/hdlc_ppp-add-range-checks-in-ppp_cp_parse_cr.patch b/queue-4.14/hdlc_ppp-add-range-checks-in-ppp_cp_parse_cr.patch new file mode 100644 index 00000000000..e33782bcf9d --- /dev/null +++ b/queue-4.14/hdlc_ppp-add-range-checks-in-ppp_cp_parse_cr.patch 
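Review bot: geneve_get_v4_rt() and geneve_get_v6_dst() now put a per-flow `sport` into the flow key, but both still compute `use_cache` from `ip_tunnel_dst_cache_usable()`, and the cached lookup that presumably follows (outside the hunks) does not appear to take the ports into account. If so, a dst resolved for one source port can be returned for a packet with a different one, and an IPsec policy whose selector matches on the source port could be applied inconsistently. The policies in the commit message select only on the fixed port 6081, so that case is fine; a comment next to the new assignments would make the limit explicit, e.g. `/* ports are for xfrm policy lookup; the dst cache is not keyed on them */`. Both function bodies continue outside the hunks, so the cache handling needs to be confirmed in the tree.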
@@ -0,0 +1,80 @@ +From foo@baz Fri Sep 25 10:56:27 AM CEST 2020 +From: Dan Carpenter +Date: Wed, 9 Sep 2020 12:46:48 +0300 +Subject: hdlc_ppp: add range checks in ppp_cp_parse_cr() + +From: Dan Carpenter + +[ Upstream commit 66d42ed8b25b64eb63111a2b8582c5afc8bf1105 ] + +There are a couple bugs here: +1) If opt[1] is zero then this results in a forever loop. If the value + is less than 2 then it is invalid. +2) It assumes that "len" is more than sizeof(valid_accm) or 6 which can + result in memory corruption. + +In the case of LCP_OPTION_ACCM, then we should check "opt[1]" instead +of "len" because, if "opt[1]" is less than sizeof(valid_accm) then +"nak_len" gets out of sync and it can lead to memory corruption in the +next iterations through the loop. In case of LCP_OPTION_MAGIC, the +only valid value for opt[1] is 6, but the code is trying to log invalid +data so we should only discard the data when "len" is less than 6 +because that leads to a read overflow. + +Reported-by: ChenNan Of Chaitin Security Research Lab +Fixes: e022c2f07ae5 ("WAN: new synchronous PPP implementation for generic HDLC.") +Signed-off-by: Dan Carpenter +Reviewed-by: Eric Dumazet +Reviewed-by: Greg Kroah-Hartman +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wan/hdlc_ppp.c | 16 +++++++++++----- + 1 file changed, 11 insertions(+), 5 deletions(-) + +--- a/drivers/net/wan/hdlc_ppp.c ++++ b/drivers/net/wan/hdlc_ppp.c +@@ -386,11 +386,8 @@ static void ppp_cp_parse_cr(struct net_d + } + + for (opt = data; len; len -= opt[1], opt += opt[1]) { +- if (len < 2 || len < opt[1]) { +- dev->stats.rx_errors++; +- kfree(out); +- return; /* bad packet, drop silently */ +- } ++ if (len < 2 || opt[1] < 2 || len < opt[1]) ++ goto err_out; + + if (pid == PID_LCP) + switch (opt[0]) { +@@ -398,6 +395,8 @@ static void ppp_cp_parse_cr(struct net_d + continue; /* MRU always OK and > 1500 bytes? 
*/ + + case LCP_OPTION_ACCM: /* async control character map */ ++ if (opt[1] < sizeof(valid_accm)) ++ goto err_out; + if (!memcmp(opt, valid_accm, + sizeof(valid_accm))) + continue; +@@ -409,6 +408,8 @@ static void ppp_cp_parse_cr(struct net_d + } + break; + case LCP_OPTION_MAGIC: ++ if (len < 6) ++ goto err_out; + if (opt[1] != 6 || (!opt[2] && !opt[3] && + !opt[4] && !opt[5])) + break; /* reject invalid magic number */ +@@ -427,6 +428,11 @@ static void ppp_cp_parse_cr(struct net_d + ppp_cp_event(dev, pid, RCR_GOOD, CP_CONF_ACK, id, req_len, data); + + kfree(out); ++ return; ++ ++err_out: ++ dev->stats.rx_errors++; ++ kfree(out); + } + + static int ppp_rx(struct sk_buff *skb) diff --git a/queue-4.14/ip-fix-tos-reflection-in-ack-and-reset-packets.patch b/queue-4.14/ip-fix-tos-reflection-in-ack-and-reset-packets.patch new file mode 100644 index 00000000000..5929dc50357 --- /dev/null +++ b/queue-4.14/ip-fix-tos-reflection-in-ack-and-reset-packets.patch 
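Review bot: The new `err_out:` label in ppp_cp_parse_cr() lost the `/* bad packet, drop silently */` comment that the removed block carried, and the reason for the added `opt[1] < 2` test is only in the commit message. I would keep that comment at the label and add one at the loop check, e.g. `/* an option shorter than its 2-byte header is invalid; length 0 would never advance the loop */`. The `LCP_OPTION_MAGIC` guard tests `len < 6` while the `LCP_OPTION_ACCM` guard tests `opt[1]`; the commit message explains why they differ, and a one-line comment at each would stop a later cleanup from unifying them. The function starts before the first inner hunk, so the allocation of `out` is not visible here.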
@@ -0,0 +1,43 @@ +From foo@baz Fri Sep 25 10:56:27 AM CEST 2020 +From: Wei Wang +Date: Tue, 8 Sep 2020 14:09:34 -0700 +Subject: ip: fix tos reflection in ack and reset packets + +From: Wei Wang + +[ Upstream commit ba9e04a7ddf4f22a10e05bf9403db6b97743c7bf ] + +Currently, in tcp_v4_reqsk_send_ack() and tcp_v4_send_reset(), we +echo the TOS value of the received packets in the response. +However, we do not want to echo the lower 2 ECN bits in accordance +with RFC 3168 6.1.5 robustness principles. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") + +Signed-off-by: Wei Wang +Signed-off-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/ip_output.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/ipv4/ip_output.c ++++ b/net/ipv4/ip_output.c +@@ -73,6 +73,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -1562,7 +1563,7 @@ void ip_send_unicast_reply(struct sock * + if (IS_ERR(rt)) + return; + +- inet_sk(sk)->tos = arg->tos; ++ inet_sk(sk)->tos = arg->tos & ~INET_ECN_MASK; + + sk->sk_priority = skb->priority; + sk->sk_protocol = ip_hdr(skb)->protocol; diff --git a/queue-4.14/ipv4-update-exception-handling-for-multipath-routes-via-same-device.patch b/queue-4.14/ipv4-update-exception-handling-for-multipath-routes-via-same-device.patch new file mode 100644 index 00000000000..0a47546962b --- /dev/null +++ b/queue-4.14/ipv4-update-exception-handling-for-multipath-routes-via-same-device.patch 
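Review bot: The masked assignment `inet_sk(sk)->tos = arg->tos & ~INET_ECN_MASK;` in ip_send_unicast_reply() carries no comment, so the reason the two low bits are dropped is only in the commit message. I would add `/* reflect DSCP only; the ECN bits must not be echoed (RFC 3168 6.1.5) */` above it. The function body starts and ends outside the hunk.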
@@ -0,0 +1,159 @@ +From foo@baz Fri Sep 25 10:42:33 AM CEST 2020 +From: David Ahern +Date: Mon, 14 Sep 2020 21:03:54 -0600 +Subject: ipv4: Update exception handling for multipath routes via same device + +From: David Ahern + +[ Upstream commit 2fbc6e89b2f1403189e624cabaf73e189c5e50c6 ] + +Kfir reported that pmtu exceptions are not created properly for +deployments where multipath routes use the same device. + +After some digging I see 2 compounding problems: +1. ip_route_output_key_hash_rcu is updating the flowi4_oif *after* + the route lookup. This is the second use case where this has + been a problem (the first is related to use of vti devices with + VRF). I can not find any reason for the oif to be changed after the + lookup; the code goes back to the start of git. It does not seem + logical so remove it. + +2. fib_lookups for exceptions do not call fib_select_path to handle + multipath route selection based on the hash. + +The end result is that the fib_lookup used to add the exception +always creates it based using the first leg of the route. 
+ +An example topology showing the problem: + + | host1 + +------+ + | eth0 | .209 + +------+ + | + +------+ + switch | br0 | + +------+ + | + +---------+---------+ + | host2 | host3 + +------+ +------+ + | eth0 | .250 | eth0 | 192.168.252.252 + +------+ +------+ + + +-----+ +-----+ + | vti | .2 | vti | 192.168.247.3 + +-----+ +-----+ + \ / + ================================= + tunnels + 192.168.247.1/24 + +for h in host1 host2 host3; do + ip netns add ${h} + ip -netns ${h} link set lo up + ip netns exec ${h} sysctl -wq net.ipv4.ip_forward=1 +done + +ip netns add switch +ip -netns switch li set lo up +ip -netns switch link add br0 type bridge stp 0 +ip -netns switch link set br0 up + +for n in 1 2 3; do + ip -netns switch link add eth-sw type veth peer name eth-h${n} + ip -netns switch li set eth-h${n} master br0 up + ip -netns switch li set eth-sw netns host${n} name eth0 +done + +ip -netns host1 addr add 192.168.252.209/24 dev eth0 +ip -netns host1 link set dev eth0 up +ip -netns host1 route add 192.168.247.0/24 \ + nexthop via 192.168.252.250 dev eth0 nexthop via 192.168.252.252 dev eth0 + +ip -netns host2 addr add 192.168.252.250/24 dev eth0 +ip -netns host2 link set dev eth0 up + +ip -netns host2 addr add 192.168.252.252/24 dev eth0 +ip -netns host3 link set dev eth0 up + +ip netns add tunnel +ip -netns tunnel li set lo up +ip -netns tunnel li add br0 type bridge +ip -netns tunnel li set br0 up +for n in $(seq 11 20); do + ip -netns tunnel addr add dev br0 192.168.247.${n}/24 +done + +for n in 2 3 +do + ip -netns tunnel link add vti${n} type veth peer name eth${n} + ip -netns tunnel link set eth${n} mtu 1360 master br0 up + ip -netns tunnel link set vti${n} netns host${n} mtu 1360 up + ip -netns host${n} addr add dev vti${n} 192.168.247.${n}/24 +done +ip -netns tunnel ro add default nexthop via 192.168.247.2 nexthop via 192.168.247.3 + +ip netns exec host1 ping -M do -s 1400 -c3 -I 192.168.252.209 192.168.247.11 +ip netns exec host1 ping -M do -s 1400 -c3 -I 
192.168.252.209 192.168.247.15 +ip -netns host1 ro ls cache + +Before this patch the cache always shows exceptions against the first +leg in the multipath route; 192.168.252.250 per this example. Since the +hash has an initial random seed, you may need to vary the final octet +more than what is listed. In my tests, using addresses between 11 and 19 +usually found 1 that used both legs. + +With this patch, the cache will have exceptions for both legs. + +Fixes: 4895c771c7f0 ("ipv4: Add FIB nexthop exceptions") +Reported-by: Kfir Itzhak +Signed-off-by: David Ahern +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/route.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +--- a/net/ipv4/route.c ++++ b/net/ipv4/route.c +@@ -794,6 +794,8 @@ static void __ip_do_redirect(struct rtab + if (fib_lookup(net, fl4, &res, 0) == 0) { + struct fib_nh *nh = &FIB_RES_NH(res); + ++ fib_select_path(net, &res, fl4, skb); ++ nh = &FIB_RES_NH(res); + update_or_create_fnhe(nh, fl4->daddr, new_gw, + 0, false, + jiffies + ip_rt_gc_timeout); +@@ -1010,6 +1012,7 @@ out: kfree_skb(skb); + static void __ip_rt_update_pmtu(struct rtable *rt, struct flowi4 *fl4, u32 mtu) + { + struct dst_entry *dst = &rt->dst; ++ struct net *net = dev_net(dst->dev); + u32 old_mtu = ipv4_mtu(dst); + struct fib_result res; + bool lock = false; +@@ -1030,9 +1033,11 @@ static void __ip_rt_update_pmtu(struct r + return; + + rcu_read_lock(); +- if (fib_lookup(dev_net(dst->dev), fl4, &res, 0) == 0) { +- struct fib_nh *nh = &FIB_RES_NH(res); ++ if (fib_lookup(net, fl4, &res, 0) == 0) { ++ struct fib_nh *nh; + ++ fib_select_path(net, &res, fl4, NULL); ++ nh = &FIB_RES_NH(res); + update_or_create_fnhe(nh, fl4->daddr, 0, mtu, lock, + jiffies + ip_rt_mtu_expires); + } +@@ -2505,8 +2510,6 @@ struct rtable *ip_route_output_key_hash_ + fib_select_path(net, res, fl4, skb); + + dev_out = FIB_RES_DEV(*res); +- fl4->flowi4_oif = dev_out->ifindex; +- + + make_route: + rth = 
__mkroute_output(res, fl4, orig_oif, dev_out, flags); diff --git a/queue-4.14/net-add-__must_check-to-skb_put_padto.patch b/queue-4.14/net-add-__must_check-to-skb_put_padto.patch new file mode 100644 index 00000000000..53fe425dba6 --- /dev/null +++ b/queue-4.14/net-add-__must_check-to-skb_put_padto.patch @@ -0,0 +1,42 @@ +From foo@baz Fri Sep 25 10:56:27 AM CEST 2020 +From: Eric Dumazet +Date: Wed, 9 Sep 2020 01:27:40 -0700 +Subject: net: add __must_check to skb_put_padto() + +From: Eric Dumazet + +[ Upstream commit 4a009cb04aeca0de60b73f37b102573354214b52 ] + +skb_put_padto() and __skb_put_padto() callers +must check return values or risk use-after-free. + +Signed-off-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/skbuff.h | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/include/linux/skbuff.h ++++ b/include/linux/skbuff.h +@@ -2999,8 +2999,9 @@ static inline int skb_padto(struct sk_bu + * is untouched. Otherwise it is extended. Returns zero on + * success. The skb is freed on error if @free_on_error is true. + */ +-static inline int __skb_put_padto(struct sk_buff *skb, unsigned int len, +- bool free_on_error) ++static inline int __must_check __skb_put_padto(struct sk_buff *skb, ++ unsigned int len, ++ bool free_on_error) + { + unsigned int size = skb->len; + +@@ -3023,7 +3024,7 @@ static inline int __skb_put_padto(struct + * is untouched. Otherwise it is extended. Returns zero on + * success. The skb is freed on error. + */ +-static inline int skb_put_padto(struct sk_buff *skb, unsigned int len) ++static inline int __must_check skb_put_padto(struct sk_buff *skb, unsigned int len) + { + return __skb_put_padto(skb, len, true); + } diff --git a/queue-4.14/net-ipv6-fix-kconfig-dependency-warning-for-ipv6_seg6_hmac.patch b/queue-4.14/net-ipv6-fix-kconfig-dependency-warning-for-ipv6_seg6_hmac.patch new file mode 100644 index 00000000000..c838e5a84ba --- /dev/null 
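Review bot: In __ip_do_redirect() the declaration `struct fib_nh *nh = &FIB_RES_NH(res);` keeps its initializer although `nh` is reassigned right after the new `fib_select_path()` call, whereas __ip_rt_update_pmtu() in the same patch was changed to a plain `struct fib_nh *nh;`. Making the first site match (`struct fib_nh *nh;`) removes the dead store and makes it clear that the nexthop must be read only after path selection. Note also that __ip_rt_update_pmtu() passes `NULL` for the skb while __ip_do_redirect() passes `skb`; if the multipath hash can depend on packet contents, the leg chosen for the exception may differ from the one used for forwarding, which deserves a short comment at the `NULL` call. Both functions continue outside the hunks.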
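Review bot: The kernel-doc above skb_put_padto() and __skb_put_padto() says the skb is freed on error but does not say what the new `__must_check` is for. I would add a sentence to both comments such as `Callers must check the return value and must not touch @skb after a non-zero return.` (for __skb_put_padto(), qualified by `@free_on_error`). Because this is a stable backport, callers in the 4.14 tree that ignore the result will now produce build warnings; they are outside this patch and should be checked.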
+++ b/queue-4.14/net-ipv6-fix-kconfig-dependency-warning-for-ipv6_seg6_hmac.patch @@ -0,0 +1,51 @@ +From foo@baz Fri Sep 25 10:56:27 AM CEST 2020 +From: Necip Fazil Yildiran +Date: Thu, 17 Sep 2020 19:46:43 +0300 +Subject: net: ipv6: fix kconfig dependency warning for IPV6_SEG6_HMAC + +From: Necip Fazil Yildiran + +[ Upstream commit db7cd91a4be15e1485d6b58c6afc8761c59c4efb ] + +When IPV6_SEG6_HMAC is enabled and CRYPTO is disabled, it results in the +following Kbuild warning: + +WARNING: unmet direct dependencies detected for CRYPTO_HMAC + Depends on [n]: CRYPTO [=n] + Selected by [y]: + - IPV6_SEG6_HMAC [=y] && NET [=y] && INET [=y] && IPV6 [=y] + +WARNING: unmet direct dependencies detected for CRYPTO_SHA1 + Depends on [n]: CRYPTO [=n] + Selected by [y]: + - IPV6_SEG6_HMAC [=y] && NET [=y] && INET [=y] && IPV6 [=y] + +WARNING: unmet direct dependencies detected for CRYPTO_SHA256 + Depends on [n]: CRYPTO [=n] + Selected by [y]: + - IPV6_SEG6_HMAC [=y] && NET [=y] && INET [=y] && IPV6 [=y] + +The reason is that IPV6_SEG6_HMAC selects CRYPTO_HMAC, CRYPTO_SHA1, and +CRYPTO_SHA256 without depending on or selecting CRYPTO while those configs +are subordinate to CRYPTO. + +Honor the kconfig menu hierarchy to remove kconfig dependency warnings. + +Fixes: bf355b8d2c30 ("ipv6: sr: add core files for SR HMAC support") +Signed-off-by: Necip Fazil Yildiran +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/ipv6/Kconfig ++++ b/net/ipv6/Kconfig +@@ -321,6 +321,7 @@ config IPV6_SEG6_LWTUNNEL + config IPV6_SEG6_HMAC + bool "IPv6: Segment Routing HMAC support" + depends on IPV6 ++ select CRYPTO + select CRYPTO_HMAC + select CRYPTO_SHA1 + select CRYPTO_SHA256 diff --git a/queue-4.14/net-phy-avoid-npd-upon-phy_detach-when-driver-is-unbound.patch b/queue-4.14/net-phy-avoid-npd-upon-phy_detach-when-driver-is-unbound.patch new file mode 100644 index 00000000000..266d4e46074 --- /dev/null 
+++ b/queue-4.14/net-phy-avoid-npd-upon-phy_detach-when-driver-is-unbound.patch @@ -0,0 +1,37 @@ +From foo@baz Fri Sep 25 10:56:27 AM CEST 2020 +From: Florian Fainelli +Date: Wed, 16 Sep 2020 20:43:09 -0700 +Subject: net: phy: Avoid NPD upon phy_detach() when driver is unbound + +From: Florian Fainelli + +[ Upstream commit c2b727df7caa33876e7066bde090f40001b6d643 ] + +If we have unbound the PHY driver prior to calling phy_detach() (often +via phy_disconnect()) then we can cause a NULL pointer de-reference +accessing the driver owner member. The steps to reproduce are: + +echo unimac-mdio-0:01 > /sys/class/net/eth0/phydev/driver/unbind +ip link set eth0 down + +Fixes: cafe8df8b9bc ("net: phy: Fix lack of reference count on PHY driver") +Signed-off-by: Florian Fainelli +Reviewed-by: Andrew Lunn +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/phy/phy_device.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/net/phy/phy_device.c ++++ b/drivers/net/phy/phy_device.c +@@ -1121,7 +1121,8 @@ void phy_detach(struct phy_device *phyde + + phy_led_triggers_unregister(phydev); + +- module_put(phydev->mdio.dev.driver->owner); ++ if (phydev->mdio.dev.driver) ++ module_put(phydev->mdio.dev.driver->owner); + + /* If the device had no specific driver before (i.e. - it + * was using the generic driver), we unbind the device diff --git a/queue-4.14/rdma-ucma-ucma_context-reference-leak-in-error-path.patch b/queue-4.14/rdma-ucma-ucma_context-reference-leak-in-error-path.patch index bf20a4d545b..39de750bd24 100644 --- a/queue-4.14/rdma-ucma-ucma_context-reference-leak-in-error-path.patch +++ b/queue-4.14/rdma-ucma-ucma_context-reference-leak-in-error-path.patch @@ -18,14 +18,12 @@ Signed-off-by: Jason Gunthorpe Signed-off-by: Nobuhiro Iwamatsu (CIP) 
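Review bot: In phy_detach() the new guard reads `phydev->mdio.dev.driver` twice, once in the test and once in the `module_put()` argument; unless something outside the hunk serialises this against unbind, the pointer could change between the two reads. Reading it once is cheap: `struct device_driver *drv = phydev->mdio.dev.driver;` followed by `if (drv) module_put(drv->owner);`. Separately, when the driver is already unbound the `module_put()` is skipped, so if a module reference was taken at attach time (not visible here) it is never dropped; a comment stating whether that is intended would help. The function body starts and ends outside the hunk.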
Signed-off-by: Sasha Levin --- - drivers/infiniband/core/ucma.c | 6 +++--- + drivers/infiniband/core/ucma.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) -diff --git a/drivers/infiniband/core/ucma.c b/drivers/infiniband/core/ucma.c -index c3e5f921da12e..4002a8ddf6d0a 100644 --- a/drivers/infiniband/core/ucma.c +++ b/drivers/infiniband/core/ucma.c -@@ -1315,13 +1315,13 @@ static ssize_t ucma_set_option(struct ucma_file *file, const char __user *inbuf, +@@ -1315,13 +1315,13 @@ static ssize_t ucma_set_option(struct uc if (copy_from_user(&cmd, inbuf, sizeof(cmd))) return -EFAULT; @@ -42,6 +40,3 @@ index c3e5f921da12e..4002a8ddf6d0a 100644 optval = memdup_user((void __user *) (unsigned long) cmd.optval, cmd.optlen); if (IS_ERR(optval)) { --- -2.25.1 - diff --git a/queue-4.14/series b/queue-4.14/series index 8c7dbef9385..9256831f82b 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -4,3 +4,13 @@ kvm-fix-memory-leak-in-kvm_io_bus_unregister_dev.patch kprobes-fix-kill-kprobe-which-has-been-marked-as-gon.patch mm-thp-fix-__split_huge_pmd_locked-for-migration-pmd.patch rdma-ucma-ucma_context-reference-leak-in-error-path.patch +hdlc_ppp-add-range-checks-in-ppp_cp_parse_cr.patch +ip-fix-tos-reflection-in-ack-and-reset-packets.patch +net-ipv6-fix-kconfig-dependency-warning-for-ipv6_seg6_hmac.patch +tipc-fix-shutdown-of-connection-oriented-socket.patch +tipc-use-skb_unshare-instead-in-tipc_buf_append.patch +bnxt_en-protect-bnxt_set_eee-and-bnxt_set_pauseparam-with-mutex.patch +net-phy-avoid-npd-upon-phy_detach-when-driver-is-unbound.patch +net-add-__must_check-to-skb_put_padto.patch +ipv4-update-exception-handling-for-multipath-routes-via-same-device.patch +geneve-add-transport-ports-in-route-lookup-for-geneve.patch diff --git a/queue-4.14/tipc-fix-shutdown-of-connection-oriented-socket.patch b/queue-4.14/tipc-fix-shutdown-of-connection-oriented-socket.patch new file mode 100644 index 00000000000..b9130c561cd --- /dev/null 
+++ b/queue-4.14/tipc-fix-shutdown-of-connection-oriented-socket.patch @@ -0,0 +1,55 @@ +From foo@baz Fri Sep 25 10:56:27 AM CEST 2020 +From: Tetsuo Handa +Date: Sat, 5 Sep 2020 15:14:47 +0900 +Subject: tipc: fix shutdown() of connection oriented socket + +From: Tetsuo Handa + +[ Upstream commit a4b5cc9e10803ecba64a7d54c0f47e4564b4a980 ] + +I confirmed that the problem fixed by commit 2a63866c8b51a3f7 ("tipc: fix +shutdown() of connectionless socket") also applies to stream socket. + +---------- +#include +#include +#include + +int main(int argc, char *argv[]) +{ + int fds[2] = { -1, -1 }; + socketpair(PF_TIPC, SOCK_STREAM /* or SOCK_DGRAM */, 0, fds); + if (fork() == 0) + _exit(read(fds[0], NULL, 1)); + shutdown(fds[0], SHUT_RDWR); /* This must make read() return. */ + wait(NULL); /* To be woken up by _exit(). */ + return 0; +} +---------- + +Since shutdown(SHUT_RDWR) should affect all processes sharing that socket, +unconditionally setting sk->sk_shutdown to SHUTDOWN_MASK will be the right +behavior. + +Signed-off-by: Tetsuo Handa +Acked-by: Ying Xue +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/tipc/socket.c | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +--- a/net/tipc/socket.c ++++ b/net/tipc/socket.c +@@ -2126,10 +2126,7 @@ static int tipc_shutdown(struct socket * + lock_sock(sk); + + __tipc_shutdown(sock, TIPC_CONN_SHUTDOWN); +- if (tipc_sk_type_connectionless(sk)) +- sk->sk_shutdown = SHUTDOWN_MASK; +- else +- sk->sk_shutdown = SEND_SHUTDOWN; ++ sk->sk_shutdown = SHUTDOWN_MASK; + + if (sk->sk_state == TIPC_DISCONNECTING) { + /* Discard any unreceived messages */ diff --git a/queue-4.14/tipc-use-skb_unshare-instead-in-tipc_buf_append.patch b/queue-4.14/tipc-use-skb_unshare-instead-in-tipc_buf_append.patch new file mode 100644 index 00000000000..da6b9352418 --- /dev/null +++ b/queue-4.14/tipc-use-skb_unshare-instead-in-tipc_buf_append.patch 
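Review bot: tipc_shutdown() now sets `sk->sk_shutdown = SHUTDOWN_MASK;` for every socket type, and the line has no comment saying why the receive side is shut down too. I would add `/* shutdown() affects all processes sharing the socket, so mark both directions */` above it. A reader blocked in read(), as in the reproducer, only returns if it is woken; the wake-up is not visible in this hunk and the visible branch runs only for `TIPC_DISCONNECTING`, so it is worth confirming that sleepers are woken in the other states as well. The function continues outside the hunk.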
@@ -0,0 +1,67 @@ +From foo@baz Fri Sep 25 10:56:27 AM CEST 2020 +From: Xin Long +Date: Sun, 13 Sep 2020 19:37:31 +0800 +Subject: tipc: use skb_unshare() instead in tipc_buf_append() + +From: Xin Long + +[ Upstream commit ff48b6222e65ebdba5a403ef1deba6214e749193 ] + +In tipc_buf_append() it may change skb's frag_list, and it causes +problems when this skb is cloned. skb_unclone() doesn't really +make this skb's flag_list available to change. + +Shuang Li has reported an use-after-free issue because of this +when creating quite a few macvlan dev over the same dev, where +the broadcast packets will be cloned and go up to the stack: + + [ ] BUG: KASAN: use-after-free in pskb_expand_head+0x86d/0xea0 + [ ] Call Trace: + [ ] dump_stack+0x7c/0xb0 + [ ] print_address_description.constprop.7+0x1a/0x220 + [ ] kasan_report.cold.10+0x37/0x7c + [ ] check_memory_region+0x183/0x1e0 + [ ] pskb_expand_head+0x86d/0xea0 + [ ] process_backlog+0x1df/0x660 + [ ] net_rx_action+0x3b4/0xc90 + [ ] + [ ] Allocated by task 1786: + [ ] kmem_cache_alloc+0xbf/0x220 + [ ] skb_clone+0x10a/0x300 + [ ] macvlan_broadcast+0x2f6/0x590 [macvlan] + [ ] macvlan_process_broadcast+0x37c/0x516 [macvlan] + [ ] process_one_work+0x66a/0x1060 + [ ] worker_thread+0x87/0xb10 + [ ] + [ ] Freed by task 3253: + [ ] kmem_cache_free+0x82/0x2a0 + [ ] skb_release_data+0x2c3/0x6e0 + [ ] kfree_skb+0x78/0x1d0 + [ ] tipc_recvmsg+0x3be/0xa40 [tipc] + +So fix it by using skb_unshare() instead, which would create a new +skb for the cloned frag and it'll be safe to change its frag_list. +The similar things were also done in sctp_make_reassembled_event(), +which is using skb_copy(). + +Reported-by: Shuang Li +Fixes: 37e22164a8a3 ("tipc: rename and move message reassembly function") +Signed-off-by: Xin Long +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/tipc/msg.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/tipc/msg.c ++++ b/net/tipc/msg.c +@@ -140,7 +140,8 @@ int tipc_buf_append(struct sk_buff **hea + if (fragid == FIRST_FRAGMENT) { + if (unlikely(head)) + goto err; +- if (unlikely(skb_unclone(frag, GFP_ATOMIC))) ++ frag = skb_unshare(frag, GFP_ATOMIC); ++ if (unlikely(!frag)) + goto err; + head = *headbuf = frag; + *buf = NULL; -- 2.47.3
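Review bot: On the failure path of the new `skb_unshare()` call in tipc_buf_append(), `*buf` still points at the original skb, because `*buf = NULL;` runs only after `head = *headbuf = frag;`. skb_unshare() frees the skb it was given when the copy fails, so if the `err` label (outside the hunk) frees `*buf`, the same buffer is freed twice. Clearing the caller's pointer before the call avoids that: `*buf = NULL;` then `frag = skb_unshare(frag, GFP_ATOMIC);` then `if (unlikely(!frag)) goto err;`. The function body starts and ends outside the hunk, so the err path should be checked in the tree.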