+++ /dev/null
-From foo@baz Thu Jun 21 09:58:50 JST 2018
-From: "Bjørn Mork" <bjorn@mork.no>
-Date: Fri, 8 Jun 2018 09:15:24 +0200
-Subject: cdc_ncm: avoid padding beyond end of skb
-
-From: "Bjørn Mork" <bjorn@mork.no>
-
-[ Upstream commit 49c2c3f246e2fc3009039e31a826333dcd0283cd ]
-
-Commit 4a0e3e989d66 ("cdc_ncm: Add support for moving NDP to end
-of NCM frame") added logic to reserve space for the NDP at the
-end of the NTB/skb. This reservation did not take the final
-alignment of the NDP into account, causing us to reserve too
-little space. Additionally the padding prior to NDP addition did
-not ensure there was enough space for the NDP.
-
-The NTB/skb with the NDP appended would then exceed the configured
-max size. This caused the final padding of the NTB to use a
-negative count, padding to almost INT_MAX, and resulting in:
-
-[60103.825970] BUG: unable to handle kernel paging request at ffff9641f2004000
-[60103.825998] IP: __memset+0x24/0x30
-[60103.826001] PGD a6a06067 P4D a6a06067 PUD 4f65a063 PMD 72003063 PTE 0
-[60103.826013] Oops: 0002 [#1] SMP NOPTI
-[60103.826018] Modules linked in: (removed(
-[60103.826158] CPU: 0 PID: 5990 Comm: Chrome_DevTools Tainted: G O 4.14.0-3-amd64 #1 Debian 4.14.17-1
-[60103.826162] Hardware name: LENOVO 20081 BIOS 41CN28WW(V2.04) 05/03/2012
-[60103.826166] task: ffff964193484fc0 task.stack: ffffb2890137c000
-[60103.826171] RIP: 0010:__memset+0x24/0x30
-[60103.826174] RSP: 0000:ffff964316c03b68 EFLAGS: 00010216
-[60103.826178] RAX: 0000000000000000 RBX: 00000000fffffffd RCX: 000000001ffa5000
-[60103.826181] RDX: 0000000000000005 RSI: 0000000000000000 RDI: ffff9641f2003ffc
-[60103.826184] RBP: ffff964192f6c800 R08: 00000000304d434e R09: ffff9641f1d2c004
-[60103.826187] R10: 0000000000000002 R11: 00000000000005ae R12: ffff9642e6957a80
-[60103.826190] R13: ffff964282ff2ee8 R14: 000000000000000d R15: ffff9642e4843900
-[60103.826194] FS: 00007f395aaf6700(0000) GS:ffff964316c00000(0000) knlGS:0000000000000000
-[60103.826197] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
-[60103.826200] CR2: ffff9641f2004000 CR3: 0000000013b0c000 CR4: 00000000000006f0
-[60103.826204] Call Trace:
-[60103.826212] <IRQ>
-[60103.826225] cdc_ncm_fill_tx_frame+0x5e3/0x740 [cdc_ncm]
-[60103.826236] cdc_ncm_tx_fixup+0x57/0x70 [cdc_ncm]
-[60103.826246] usbnet_start_xmit+0x5d/0x710 [usbnet]
-[60103.826254] ? netif_skb_features+0x119/0x250
-[60103.826259] dev_hard_start_xmit+0xa1/0x200
-[60103.826267] sch_direct_xmit+0xf2/0x1b0
-[60103.826273] __dev_queue_xmit+0x5e3/0x7c0
-[60103.826280] ? ip_finish_output2+0x263/0x3c0
-[60103.826284] ip_finish_output2+0x263/0x3c0
-[60103.826289] ? ip_output+0x6c/0xe0
-[60103.826293] ip_output+0x6c/0xe0
-[60103.826298] ? ip_forward_options+0x1a0/0x1a0
-[60103.826303] tcp_transmit_skb+0x516/0x9b0
-[60103.826309] tcp_write_xmit+0x1aa/0xee0
-[60103.826313] ? sch_direct_xmit+0x71/0x1b0
-[60103.826318] tcp_tasklet_func+0x177/0x180
-[60103.826325] tasklet_action+0x5f/0x110
-[60103.826332] __do_softirq+0xde/0x2b3
-[60103.826337] irq_exit+0xae/0xb0
-[60103.826342] do_IRQ+0x81/0xd0
-[60103.826347] common_interrupt+0x98/0x98
-[60103.826351] </IRQ>
-[60103.826355] RIP: 0033:0x7f397bdf2282
-[60103.826358] RSP: 002b:00007f395aaf57d8 EFLAGS: 00000206 ORIG_RAX: ffffffffffffff6e
-[60103.826362] RAX: 0000000000000000 RBX: 00002f07bc6d0900 RCX: 00007f39752d7fe7
-[60103.826365] RDX: 0000000000000022 RSI: 0000000000000147 RDI: 00002f07baea02c0
-[60103.826368] RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000
-[60103.826371] R10: 00000000ffffffff R11: 0000000000000000 R12: 00002f07baea02c0
-[60103.826373] R13: 00002f07bba227a0 R14: 00002f07bc6d090c R15: 0000000000000000
-[60103.826377] Code: 90 90 90 90 90 90 90 0f 1f 44 00 00 49 89 f9 48 89 d1 83
-e2 07 48 c1 e9 03 40 0f b6 f6 48 b8 01 01 01 01 01 01 01 01 48 0f af c6 <f3> 48
-ab 89 d1 f3 aa 4c 89 c8 c3 90 49 89 f9 40 88 f0 48 89 d1
-[60103.826442] RIP: __memset+0x24/0x30 RSP: ffff964316c03b68
-[60103.826444] CR2: ffff9641f2004000
-
-Commit e1069bbfcf3b ("net: cdc_ncm: Reduce memory use when kernel
-memory low") made this bug much more likely to trigger by reducing
-the NTB size under memory pressure.
-
-Link: https://bugs.debian.org/893393
-Reported-by: Горбешко Богдан <bodqhrohro@gmail.com>
-Reported-and-tested-by: Dennis Wassenberg <dennis.wassenberg@secunet.com>
-Cc: Enrico Mioso <mrkiko.rs@gmail.com>
-Fixes: 4a0e3e989d66 ("cdc_ncm: Add support for moving NDP to end of NCM frame")
-Signed-off-by: Bjørn Mork <bjorn@mork.no>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/net/usb/cdc_ncm.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/net/usb/cdc_ncm.c b/drivers/net/usb/cdc_ncm.c
-index 9e1b74590682..f5316ab68a0a 100644
---- a/drivers/net/usb/cdc_ncm.c
-+++ b/drivers/net/usb/cdc_ncm.c
-@@ -1124,7 +1124,7 @@ cdc_ncm_fill_tx_frame(struct usbnet *dev, struct sk_buff *skb, __le32 sign)
- * accordingly. Otherwise, we should check here.
- */
- if (ctx->drvflags & CDC_NCM_FLAG_NDP_TO_END)
-- delayed_ndp_size = ctx->max_ndp_size;
-+ delayed_ndp_size = ALIGN(ctx->max_ndp_size, ctx->tx_ndp_modulus);
- else
- delayed_ndp_size = 0;
-
-@@ -1285,7 +1285,7 @@ cdc_ncm_fill_tx_frame(struct usbnet *dev, struct sk_buff *skb, __le32 sign)
- /* If requested, put NDP at end of frame. */
- if (ctx->drvflags & CDC_NCM_FLAG_NDP_TO_END) {
- nth16 = (struct usb_cdc_ncm_nth16 *)skb_out->data;
-- cdc_ncm_align_tail(skb_out, ctx->tx_ndp_modulus, 0, ctx->tx_curr_size);
-+ cdc_ncm_align_tail(skb_out, ctx->tx_ndp_modulus, 0, ctx->tx_curr_size - ctx->max_ndp_size);
- nth16->wNdpIndex = cpu_to_le16(skb_out->len);
- skb_put_data(skb_out, ctx->delayed_ndp16, ctx->max_ndp_size);
-
---
-2.17.1
-
+++ /dev/null
-From foo@baz Thu Jun 21 09:58:50 JST 2018
-From: Zhouyang Jia <jiazhouyang09@gmail.com>
-Date: Mon, 11 Jun 2018 13:26:35 +0800
-Subject: net: dsa: add error handling for pskb_trim_rcsum
-
-From: Zhouyang Jia <jiazhouyang09@gmail.com>
-
-[ Upstream commit 349b71d6f427ff8211adf50839dbbff3f27c1805 ]
-
-When pskb_trim_rcsum fails, the lack of error-handling code may
-cause unexpected results.
-
-This patch adds error-handling code after calling pskb_trim_rcsum.
-
-Signed-off-by: Zhouyang Jia <jiazhouyang09@gmail.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- net/dsa/tag_trailer.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
---- a/net/dsa/tag_trailer.c
-+++ b/net/dsa/tag_trailer.c
-@@ -85,7 +85,8 @@ static int trailer_rcv(struct sk_buff *s
- if (source_port >= DSA_MAX_PORTS || !ds->ports[source_port].netdev)
- goto out_drop;
-
-- pskb_trim_rcsum(skb, skb->len - 4);
-+ if (pskb_trim_rcsum(skb, skb->len - 4))
-+ return NULL;
-
- skb->dev = ds->ports[source_port].netdev;
- skb_push(skb, ETH_HLEN);
+++ /dev/null
-From foo@baz Thu Jun 21 09:58:50 JST 2018
-From: Willem de Bruijn <willemb@google.com>
-Date: Wed, 6 Jun 2018 11:23:01 -0400
-Subject: net: in virtio_net_hdr only add VLAN_HLEN to csum_start if payload holds vlan
-
-From: Willem de Bruijn <willemb@google.com>
-
-[ Upstream commit fd3a88625844907151737fc3b4201676effa6d27 ]
-
-Tun, tap, virtio, packet and uml vector all use struct virtio_net_hdr
-to communicate packet metadata to userspace.
-
-For skbuffs with vlan, the first two return the packet as it may have
-existed on the wire, inserting the VLAN tag in the user buffer. Then
-virtio_net_hdr.csum_start needs to be adjusted by VLAN_HLEN bytes.
-
-Commit f09e2249c4f5 ("macvtap: restore vlan header on user read")
-added this feature to macvtap. Commit 3ce9b20f1971 ("macvtap: Fix
-csum_start when VLAN tags are present") then fixed up csum_start.
-
-Virtio, packet and uml do not insert the vlan header in the user
-buffer.
-
-When introducing virtio_net_hdr_from_skb to deduplicate filling in
-the virtio_net_hdr, the variant from macvtap which adds VLAN_HLEN was
-applied uniformly, breaking csum offset for packets with vlan on
-virtio and packet.
-
-Make insertion of VLAN_HLEN optional. Convert the callers to pass it
-when needed.
-
-Fixes: e858fae2b0b8f4 ("virtio_net: use common code for virtio_net_hdr and skb GSO conversion")
-Fixes: 1276f24eeef2 ("packet: use common code for virtio_net_hdr and skb GSO conversion")
-Signed-off-by: Willem de Bruijn <willemb@google.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/net/tap.c | 5 ++++-
- drivers/net/tun.c | 3 ++-
- drivers/net/virtio_net.c | 3 ++-
- include/linux/virtio_net.h | 11 ++++-------
- net/packet/af_packet.c | 4 ++--
- 5 files changed, 14 insertions(+), 12 deletions(-)
-
-diff --git a/drivers/net/tap.c b/drivers/net/tap.c
-index 9b6cb780affe..f0f7cd977667 100644
---- a/drivers/net/tap.c
-+++ b/drivers/net/tap.c
-@@ -774,13 +774,16 @@ static ssize_t tap_put_user(struct tap_queue *q,
- int total;
-
- if (q->flags & IFF_VNET_HDR) {
-+ int vlan_hlen = skb_vlan_tag_present(skb) ? VLAN_HLEN : 0;
- struct virtio_net_hdr vnet_hdr;
-+
- vnet_hdr_len = READ_ONCE(q->vnet_hdr_sz);
- if (iov_iter_count(iter) < vnet_hdr_len)
- return -EINVAL;
-
- if (virtio_net_hdr_from_skb(skb, &vnet_hdr,
-- tap_is_little_endian(q), true))
-+ tap_is_little_endian(q), true,
-+ vlan_hlen))
- BUG();
-
- if (copy_to_iter(&vnet_hdr, sizeof(vnet_hdr), iter) !=
-diff --git a/drivers/net/tun.c b/drivers/net/tun.c
-index 24e645c86ae7..b3c58890ef33 100644
---- a/drivers/net/tun.c
-+++ b/drivers/net/tun.c
-@@ -2062,7 +2062,8 @@ static ssize_t tun_put_user(struct tun_struct *tun,
- return -EINVAL;
-
- if (virtio_net_hdr_from_skb(skb, &gso,
-- tun_is_little_endian(tun), true)) {
-+ tun_is_little_endian(tun), true,
-+ vlan_hlen)) {
- struct skb_shared_info *sinfo = skb_shinfo(skb);
- pr_err("unexpected GSO type: "
- "0x%x, gso_size %d, hdr_len %d\n",
-diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c
-index 8911e3466e61..89bc5cd4d02f 100644
---- a/drivers/net/virtio_net.c
-+++ b/drivers/net/virtio_net.c
-@@ -1358,7 +1358,8 @@ static int xmit_skb(struct send_queue *sq, struct sk_buff *skb)
- hdr = skb_vnet_hdr(skb);
-
- if (virtio_net_hdr_from_skb(skb, &hdr->hdr,
-- virtio_is_little_endian(vi->vdev), false))
-+ virtio_is_little_endian(vi->vdev), false,
-+ 0))
- BUG();
-
- if (vi->mergeable_rx_bufs)
-diff --git a/include/linux/virtio_net.h b/include/linux/virtio_net.h
-index f144216febc6..9397628a1967 100644
---- a/include/linux/virtio_net.h
-+++ b/include/linux/virtio_net.h
-@@ -58,7 +58,8 @@ static inline int virtio_net_hdr_to_skb(struct sk_buff *skb,
- static inline int virtio_net_hdr_from_skb(const struct sk_buff *skb,
- struct virtio_net_hdr *hdr,
- bool little_endian,
-- bool has_data_valid)
-+ bool has_data_valid,
-+ int vlan_hlen)
- {
- memset(hdr, 0, sizeof(*hdr)); /* no info leak */
-
-@@ -83,12 +84,8 @@ static inline int virtio_net_hdr_from_skb(const struct sk_buff *skb,
-
- if (skb->ip_summed == CHECKSUM_PARTIAL) {
- hdr->flags = VIRTIO_NET_HDR_F_NEEDS_CSUM;
-- if (skb_vlan_tag_present(skb))
-- hdr->csum_start = __cpu_to_virtio16(little_endian,
-- skb_checksum_start_offset(skb) + VLAN_HLEN);
-- else
-- hdr->csum_start = __cpu_to_virtio16(little_endian,
-- skb_checksum_start_offset(skb));
-+ hdr->csum_start = __cpu_to_virtio16(little_endian,
-+ skb_checksum_start_offset(skb) + vlan_hlen);
- hdr->csum_offset = __cpu_to_virtio16(little_endian,
- skb->csum_offset);
- } else if (has_data_valid &&
-diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
-index c9432a0ccd56..29102f3639fe 100644
---- a/net/packet/af_packet.c
-+++ b/net/packet/af_packet.c
-@@ -2037,7 +2037,7 @@ static int packet_rcv_vnet(struct msghdr *msg, const struct sk_buff *skb,
- return -EINVAL;
- *len -= sizeof(vnet_hdr);
-
-- if (virtio_net_hdr_from_skb(skb, &vnet_hdr, vio_le(), true))
-+ if (virtio_net_hdr_from_skb(skb, &vnet_hdr, vio_le(), true, 0))
- return -EINVAL;
-
- return memcpy_to_msg(msg, (void *)&vnet_hdr, sizeof(vnet_hdr));
-@@ -2304,7 +2304,7 @@ static int tpacket_rcv(struct sk_buff *skb, struct net_device *dev,
- if (do_vnet) {
- if (virtio_net_hdr_from_skb(skb, h.raw + macoff -
- sizeof(struct virtio_net_hdr),
-- vio_le(), true)) {
-+ vio_le(), true, 0)) {
- spin_lock(&sk->sk_receive_queue.lock);
- goto drop_n_account;
- }
---
-2.17.1
-
usb-musb-fix-remote-wakeup-racing-with-suspend.patch
bonding-re-evaluate-force_primary-when-the-primary-slave-name-changes.patch
ipv6-allow-pmtu-exceptions-to-local-routes.patch
-net-dsa-add-error-handling-for-pskb_trim_rcsum.patch
net-sched-act_simple-fix-parsing-of-tca_def_data.patch
tcp-verify-the-checksum-of-the-first-data-segment-in-a-new-connection.patch
-net-in-virtio_net_hdr-only-add-vlan_hlen-to-csum_start-if-payload-holds-vlan.patch
-cdc_ncm-avoid-padding-beyond-end-of-skb.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
