2020-09-25 12:59:35

by Greg Kroah-Hartman

Subject: [PATCH 5.4 00/43] 5.4.68-rc1 review

This is the start of the stable review cycle for the 5.4.68 release.
There are 43 patches in this series, all will be posted as a response
to this one. If anyone has any issues with these being applied, please
let me know.

Responses should be made by Sun, 27 Sep 2020 12:47:02 +0000.
Anything received after that time might be too late.

The whole patch series can be found in one patch at:
https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.4.68-rc1.gz
or in the git tree and branch at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.4.y
and the diffstat can be found below.

thanks,

greg k-h

-------------
Pseudo-Shortlog of commits:

Greg Kroah-Hartman <[email protected]>
Linux 5.4.68-rc1

Suravee Suthikulpanit <[email protected]>
iommu/amd: Use cmpxchg_double() when updating 128-bit IRTE

Xunlei Pang <[email protected]>
mm: memcg: fix memcg reclaim soft lockup

Eric Dumazet <[email protected]>
net: add __must_check to skb_put_padto()

Eric Dumazet <[email protected]>
net: qrtr: check skb_put_padto() return value

Florian Fainelli <[email protected]>
net: phy: Do not warn in phy_stop() on PHY_DOWN

Florian Fainelli <[email protected]>
net: phy: Avoid NPD upon phy_detach() when driver is unbound

Hauke Mehrtens <[email protected]>
net: lantiq: Disable IRQs only if NAPI gets scheduled

Hauke Mehrtens <[email protected]>
net: lantiq: Use napi_complete_done()

Hauke Mehrtens <[email protected]>
net: lantiq: use netif_tx_napi_add() for TX NAPI

Hauke Mehrtens <[email protected]>
net: lantiq: Wake TX queue again

Michael Chan <[email protected]>
bnxt_en: Protect bnxt_set_eee() and bnxt_set_pauseparam() with mutex.

Edwin Peer <[email protected]>
bnxt_en: return proper error codes in bnxt_show_temp

Tariq Toukan <[email protected]>
net/mlx5e: TLS, Do not expose FPGA TLS counter if not supported

Maor Dickman <[email protected]>
net/mlx5e: Enable adding peer miss rules only if merged eswitch is supported

Xin Long <[email protected]>
tipc: use skb_unshare() instead in tipc_buf_append()

Tetsuo Handa <[email protected]>
tipc: fix shutdown() of connection oriented socket

Peilin Ye <[email protected]>
tipc: Fix memory leak in tipc_group_create_member()

Vinicius Costa Gomes <[email protected]>
taprio: Fix allowing too small intervals

Jakub Kicinski <[email protected]>
nfp: use correct define to return NONE fec

Henry Ptasinski <[email protected]>
net: sctp: Fix IPv6 ancestor_size calc in sctp_copy_descendant

Yunsheng Lin <[email protected]>
net: sch_generic: aviod concurrent reset and enqueue op for lockless qdisc

Maor Gottlieb <[email protected]>
net/mlx5: Fix FTE cleanup

Necip Fazil Yildiran <[email protected]>
net: ipv6: fix kconfig dependency warning for IPV6_SEG6_HMAC

Ido Schimmel <[email protected]>
net: Fix bridge enslavement failure

Linus Walleij <[email protected]>
net: dsa: rtl8366: Properly clear member config

Petr Machata <[email protected]>
net: DCB: Validate DCB_ATTR_DCB_BUFFER argument

Vladimir Oltean <[email protected]>
net: bridge: br_vlan_get_pvid_rcu() should dereference the VLAN group under RCU

Eric Dumazet <[email protected]>
ipv6: avoid lockdep issue in fib6_del()

David Ahern <[email protected]>
ipv4: Update exception handling for multipath routes via same device

David Ahern <[email protected]>
ipv4: Initialize flowi4_multipath_hash in data path

Wei Wang <[email protected]>
ip: fix tos reflection in ack and reset packets

Dan Carpenter <[email protected]>
hdlc_ppp: add range checks in ppp_cp_parse_cr()

Mark Gray <[email protected]>
geneve: add transport ports in route lookup for geneve

Ganji Aravind <[email protected]>
cxgb4: Fix offset when clearing filter byte counters

Raju Rangoju <[email protected]>
cxgb4: fix memory leak during module unload

Vasundhara Volam <[email protected]>
bnxt_en: Fix NULL ptr dereference crash in bnxt_fw_reset_task()

Vasundhara Volam <[email protected]>
bnxt_en: Avoid sending firmware messages when AER error is detected.

Cong Wang <[email protected]>
act_ife: load meta modules before tcf_idr_check_alloc()

Ralph Campbell <[email protected]>
mm/thp: fix __split_huge_pmd_locked() for migration PMD

Muchun Song <[email protected]>
kprobes: fix kill kprobe which has been marked as gone

Jakub Kicinski <[email protected]>
ibmvnic: add missing parenthesis in do_reset()

Mingming Cao <[email protected]>
ibmvnic fix NULL tx_pools and rx_tools issue at do_reset

Mark Salyzyn <[email protected]>
af_key: pfkey_dump needs parameter validation


-------------

Diffstat:

Makefile | 4 +-
drivers/iommu/Kconfig | 2 +-
drivers/iommu/amd_iommu.c | 17 +++++--
drivers/iommu/amd_iommu_init.c | 21 ++++++++-
drivers/net/dsa/rtl8366.c | 20 ++++++---
drivers/net/ethernet/broadcom/bnxt/bnxt.c | 32 ++++++++-----
drivers/net/ethernet/broadcom/bnxt/bnxt.h | 4 ++
drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c | 31 ++++++++-----
drivers/net/ethernet/chelsio/cxgb4/cxgb4_filter.c | 9 ++--
drivers/net/ethernet/chelsio/cxgb4/cxgb4_mps.c | 2 +-
drivers/net/ethernet/ibm/ibmvnic.c | 21 +++++++--
drivers/net/ethernet/lantiq_xrx200.c | 21 +++++----
.../mellanox/mlx5/core/en_accel/tls_stats.c | 12 +++--
.../ethernet/mellanox/mlx5/core/eswitch_offloads.c | 52 ++++++++++++----------
drivers/net/ethernet/mellanox/mlx5/core/fs_core.c | 8 ++--
.../net/ethernet/netronome/nfp/nfp_net_ethtool.c | 4 +-
drivers/net/geneve.c | 37 ++++++++++-----
drivers/net/phy/phy.c | 2 +-
drivers/net/phy/phy_device.c | 3 +-
drivers/net/wan/hdlc_ppp.c | 16 ++++---
include/linux/skbuff.h | 7 +--
include/net/flow.h | 1 +
include/net/sctp/structs.h | 8 ++--
kernel/kprobes.c | 9 +++-
mm/huge_memory.c | 40 ++++++++++-------
mm/vmscan.c | 8 ++++
net/bridge/br_vlan.c | 27 ++++++-----
net/core/dev.c | 2 +-
net/core/filter.c | 1 +
net/dcb/dcbnl.c | 8 ++++
net/ipv4/fib_frontend.c | 1 +
net/ipv4/ip_output.c | 3 +-
net/ipv4/route.c | 14 +++---
net/ipv6/Kconfig | 1 +
net/ipv6/ip6_fib.c | 13 ++++--
net/key/af_key.c | 7 +++
net/qrtr/qrtr.c | 20 +++++----
net/sched/act_ife.c | 44 +++++++++++++-----
net/sched/sch_generic.c | 49 +++++++++++++-------
net/sched/sch_taprio.c | 28 +++++++-----
net/sctp/socket.c | 9 ++--
net/tipc/group.c | 14 ++++--
net/tipc/msg.c | 3 +-
net/tipc/socket.c | 5 +--
44 files changed, 429 insertions(+), 211 deletions(-)



2020-09-25 13:00:51

by Greg Kroah-Hartman

Subject: [PATCH 5.4 12/43] hdlc_ppp: add range checks in ppp_cp_parse_cr()

From: Dan Carpenter <[email protected]>

[ Upstream commit 66d42ed8b25b64eb63111a2b8582c5afc8bf1105 ]

There are a couple bugs here:
1) If opt[1] is zero then this results in a forever loop. If the value
is less than 2 then it is invalid.
2) It assumes that "len" is more than sizeof(valid_accm) or 6 which can
result in memory corruption.

In the case of LCP_OPTION_ACCM, then we should check "opt[1]" instead
of "len" because, if "opt[1]" is less than sizeof(valid_accm) then
"nak_len" gets out of sync and it can lead to memory corruption in the
next iterations through the loop. In case of LCP_OPTION_MAGIC, the
only valid value for opt[1] is 6, but the code is trying to log invalid
data so we should only discard the data when "len" is less than 6
because that leads to a read overflow.

Reported-by: ChenNan Of Chaitin Security Research Lab <[email protected]>
Fixes: e022c2f07ae5 ("WAN: new synchronous PPP implementation for generic HDLC.")
Signed-off-by: Dan Carpenter <[email protected]>
Reviewed-by: Eric Dumazet <[email protected]>
Reviewed-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
drivers/net/wan/hdlc_ppp.c | 16 +++++++++++-----
1 file changed, 11 insertions(+), 5 deletions(-)

--- a/drivers/net/wan/hdlc_ppp.c
+++ b/drivers/net/wan/hdlc_ppp.c
@@ -383,11 +383,8 @@ static void ppp_cp_parse_cr(struct net_d
}

for (opt = data; len; len -= opt[1], opt += opt[1]) {
- if (len < 2 || len < opt[1]) {
- dev->stats.rx_errors++;
- kfree(out);
- return; /* bad packet, drop silently */
- }
+ if (len < 2 || opt[1] < 2 || len < opt[1])
+ goto err_out;

if (pid == PID_LCP)
switch (opt[0]) {
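
Review bot: The rewritten loop-head test loses the "/* bad packet, drop silently */" comment that the removed block carried, so nothing at the new `goto err_out` says that no reply is sent. Carry the comment over to the err_out label. It is also worth a short comment that the order of the three conditions matters: `len < 2` has to short-circuit before opt[1] is read, and `opt[1] < 2` is what guarantees the for-statement's `len -= opt[1], opt += opt[1]` makes progress.
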
@@ -395,6 +392,8 @@ static void ppp_cp_parse_cr(struct net_d
continue; /* MRU always OK and > 1500 bytes? */

case LCP_OPTION_ACCM: /* async control character map */
+ if (opt[1] < sizeof(valid_accm))
+ goto err_out;
if (!memcmp(opt, valid_accm,
sizeof(valid_accm)))
continue;
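
Review bot: The added ACCM check tests opt[1] while the MAGIC check added further down tests len, and the reason for the difference is given only in the commit message. A one-line comment above `if (opt[1] < sizeof(valid_accm))` would stop the two from being made uniform later. The check is also a lower bound only, so an ACCM option longer than sizeof(valid_accm) still reaches the memcmp() and the code after it; please confirm that is intended.
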
@@ -406,6 +405,8 @@ static void ppp_cp_parse_cr(struct net_d
}
break;
case LCP_OPTION_MAGIC:
+ if (len < 6)
+ goto err_out;
if (opt[1] != 6 || (!opt[2] && !opt[3] &&
!opt[4] && !opt[5]))
break; /* reject invalid magic number */
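
Review bot: The literal 6 in the added `if (len < 6)` duplicates the 6 in `opt[1] != 6` on the next line; a named constant for the magic-number option size would tie the two together. A short buffer now goes to err_out (counted in rx_errors) while a wrong opt[1] with enough bytes still takes the `break` reject path, and a comment stating that split at the new check would help readers.
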
@@ -424,6 +425,11 @@ static void ppp_cp_parse_cr(struct net_d
ppp_cp_event(dev, pid, RCR_GOOD, CP_CONF_ACK, id, req_len, data);

kfree(out);
+ return;
+
+err_out:
+ dev->stats.rx_errors++;
+ kfree(out);
}

static int ppp_rx(struct sk_buff *skb)
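
Review bot: kfree(out) now appears twice at the end of ppp_cp_parse_cr(), once before the added `return;` and once under err_out. That is correct as written, but a future allocation in this function would have to be released in both places; consider a single labelled free that both paths reach, with err_out only incrementing dev->stats.rx_errors before it.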

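The three checks this commit message describes, modelled in user space as an added example (not the kernel code and not part of the patch). walk_options(), the WALK_* results, the contents of valid_accm and the recorded magic value (standing in for the logging the message mentions) are assumptions of the model, and reject/nak handling is collapsed into one result.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* LCP option types per RFC 1661; all other values here are constructed. */
#define OPT_ACCM  2
#define OPT_MAGIC 5

enum walk_result { WALK_OK = 0, WALK_REJECT = 1, WALK_DROP = -1 };

/* Assumed acceptable ACCM option: type, length 6, all-zero map. */
static const uint8_t valid_accm[6] = { OPT_ACCM, 6, 0, 0, 0, 0 };

/* Walk {type, length, value...} options; length includes the 2 header bytes.
 * WALK_DROP: malformed buffer. WALK_REJECT: well-formed option we refuse. */
static enum walk_result walk_options(const uint8_t *data, size_t len,
                                     uint32_t *magic)
{
    const uint8_t *opt = data;

    while (len) {
        /* Header present, length covers the header (otherwise opt never
         * advances), and the whole option lies inside the buffer. */
        if (len < 2 || opt[1] < 2 || len < opt[1])
            return WALK_DROP;
        switch (opt[0]) {
        case OPT_ACCM:
            /* memcmp reads 6 bytes, so the option itself must be that long. */
            if (opt[1] < sizeof(valid_accm))
                return WALK_DROP;
            if (memcmp(opt, valid_accm, sizeof(valid_accm)) != 0)
                return WALK_REJECT;
            break;
        case OPT_MAGIC:
            /* The value is recorded before opt[1] is validated (standing in
             * for the logging of invalid data), so 6 bytes must remain. */
            if (len < 6)
                return WALK_DROP;
            *magic = (uint32_t)opt[2] << 24 | (uint32_t)opt[3] << 16 |
                     (uint32_t)opt[4] << 8 | opt[5];
            if (opt[1] != 6 || *magic == 0)
                return WALK_REJECT;
            break;
        default: /* this model knows only the two options above */
            return WALK_REJECT;
        }
        len -= opt[1];
        opt += opt[1];
    }
    return WALK_OK;
}

int main(void)
{
    /* Constructed sample: a length byte of 0 would never advance the walk. */
    static const uint8_t stuck[] = { OPT_MAGIC, 0 };
    uint32_t magic = 0;
    return walk_options(stuck, sizeof(stuck), &magic) == WALK_DROP ? 0 : 1;
}
```
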

2020-09-25 13:00:55

by Greg Kroah-Hartman

Subject: [PATCH 5.4 14/43] ipv4: Initialize flowi4_multipath_hash in data path

From: David Ahern <[email protected]>

[ Upstream commit 1869e226a7b3ef75b4f70ede2f1b7229f7157fa4 ]

flowi4_multipath_hash was added by the commit referenced below for
tunnels. Unfortunately, the patch did not initialize the new field
for several fast path lookups that do not initialize the entire flow
struct to 0. Fix those locations. Currently, flowi4_multipath_hash
is random garbage and affects the hash value computed by
fib_multipath_hash for multipath selection.

Fixes: 24ba14406c5c ("route: Add multipath_hash in flowi_common to make user-define hash")
Signed-off-by: David Ahern <[email protected]>
Cc: wenxu <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
include/net/flow.h | 1 +
net/core/filter.c | 1 +
net/ipv4/fib_frontend.c | 1 +
net/ipv4/route.c | 1 +
4 files changed, 4 insertions(+)

--- a/include/net/flow.h
+++ b/include/net/flow.h
@@ -116,6 +116,7 @@ static inline void flowi4_init_output(st
fl4->saddr = saddr;
fl4->fl4_dport = dport;
fl4->fl4_sport = sport;
+ fl4->flowi4_multipath_hash = 0;
}

/* Reset some input parameters after previous lookup */
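
Review bot: flowi4_init_output() now overwrites flowi4_multipath_hash unconditionally at the added line, so a caller that fills in a hash before calling the helper will have it cleared. Add a short comment at the new assignment saying that a non-zero hash has to be set after flowi4_init_output() returns.
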
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -4650,6 +4650,7 @@ static int bpf_ipv4_fib_lookup(struct ne
fl4.saddr = params->ipv4_src;
fl4.fl4_sport = params->sport;
fl4.fl4_dport = params->dport;
+ fl4.flowi4_multipath_hash = 0;

if (flags & BPF_FIB_LOOKUP_DIRECT) {
u32 tbid = l3mdev_fib_table_rcu(dev) ? : RT_TABLE_MAIN;
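
Review bot: fl4 in bpf_ipv4_fib_lookup() is filled in member by member, which is how the new field came to be missed, and the added `fl4.flowi4_multipath_hash = 0;` continues that pattern. If zeroing the whole struct is too costly on this path, a comment next to these assignments noting that every flowi4 member read by the lookup must be set explicitly would help whoever adds the next field.
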
--- a/net/ipv4/fib_frontend.c
+++ b/net/ipv4/fib_frontend.c
@@ -372,6 +372,7 @@ static int __fib_validate_source(struct
fl4.flowi4_tun_key.tun_id = 0;
fl4.flowi4_flags = 0;
fl4.flowi4_uid = sock_net_uid(net, NULL);
+ fl4.flowi4_multipath_hash = 0;

no_addr = idev->ifa_list == NULL;

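
Review bot: Style point on placement in __fib_validate_source(): the new zeroing line follows flowi4_uid rather than sitting with the other explicitly cleared members (`fl4.flowi4_tun_key.tun_id = 0;`, `fl4.flowi4_flags = 0;`). Grouping it with them would make the set of cleared fields readable at a glance.
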
--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -2104,6 +2104,7 @@ static int ip_route_input_slow(struct sk
fl4.daddr = daddr;
fl4.saddr = saddr;
fl4.flowi4_uid = sock_net_uid(net, NULL);
+ fl4.flowi4_multipath_hash = 0;

if (fib4_rules_early_flow_dissect(net, skb, &fl4, &_flkeys)) {
flkeys = &_flkeys;
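
Review bot: Nothing at the added line in ip_route_input_slow() says what a zero flowi4_multipath_hash means to the lookup that follows; the commit message only says the stale value affected fib_multipath_hash. A short comment stating the meaning of 0 here would document the intent.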


2020-09-25 13:01:15

by Greg Kroah-Hartman

Subject: [PATCH 5.4 17/43] net: bridge: br_vlan_get_pvid_rcu() should dereference the VLAN group under RCU

From: Vladimir Oltean <[email protected]>

[ Upstream commit 99f62a746066fa436aa15d4606a538569540db08 ]

When calling the RCU brother of br_vlan_get_pvid(), lockdep warns:

=============================
WARNING: suspicious RCU usage
5.9.0-rc3-01631-g13c17acb8e38-dirty #814 Not tainted
-----------------------------
net/bridge/br_private.h:1054 suspicious rcu_dereference_protected() usage!

Call trace:
lockdep_rcu_suspicious+0xd4/0xf8
__br_vlan_get_pvid+0xc0/0x100
br_vlan_get_pvid_rcu+0x78/0x108

The warning is because br_vlan_get_pvid_rcu() calls nbp_vlan_group()
which calls rtnl_dereference() instead of rcu_dereference(). In turn,
rtnl_dereference() calls rcu_dereference_protected() which assumes
operation under an RCU write-side critical section, which obviously is
not the case here. So, when the incorrect primitive is used to access
the RCU-protected VLAN group pointer, READ_ONCE() is not used, which may
cause various unexpected problems.

I'm sad to say that br_vlan_get_pvid() and br_vlan_get_pvid_rcu() cannot
share the same implementation. So fix the bug by splitting the 2
functions, and making br_vlan_get_pvid_rcu() retrieve the VLAN groups
under proper locking annotations.

Fixes: 7582f5b70f9a ("bridge: add br_vlan_get_pvid_rcu()")
Signed-off-by: Vladimir Oltean <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
net/bridge/br_vlan.c | 27 +++++++++++++++++----------
1 file changed, 17 insertions(+), 10 deletions(-)

--- a/net/bridge/br_vlan.c
+++ b/net/bridge/br_vlan.c
@@ -1229,11 +1229,13 @@ void br_vlan_get_stats(const struct net_
}
}

-static int __br_vlan_get_pvid(const struct net_device *dev,
- struct net_bridge_port *p, u16 *p_pvid)
+int br_vlan_get_pvid(const struct net_device *dev, u16 *p_pvid)
{
struct net_bridge_vlan_group *vg;
+ struct net_bridge_port *p;

+ ASSERT_RTNL();
+ p = br_port_get_check_rtnl(dev);
if (p)
vg = nbp_vlan_group(p);
else if (netif_is_bridge_master(dev))
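
Review bot: br_vlan_get_pvid() now carries its own copy of the port/master lookup that br_vlan_get_pvid_rcu() repeats further down, differing only in the dereference helpers. Add a comment above the function pointing at the _rcu twin so that a later change to one body is mirrored in the other.
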
@@ -1244,18 +1246,23 @@ static int __br_vlan_get_pvid(const stru
*p_pvid = br_get_pvid(vg);
return 0;
}
-
-int br_vlan_get_pvid(const struct net_device *dev, u16 *p_pvid)
-{
- ASSERT_RTNL();
-
- return __br_vlan_get_pvid(dev, br_port_get_check_rtnl(dev), p_pvid);
-}
EXPORT_SYMBOL_GPL(br_vlan_get_pvid);

int br_vlan_get_pvid_rcu(const struct net_device *dev, u16 *p_pvid)
{
- return __br_vlan_get_pvid(dev, br_port_get_check_rcu(dev), p_pvid);
+ struct net_bridge_vlan_group *vg;
+ struct net_bridge_port *p;
+
+ p = br_port_get_check_rcu(dev);
+ if (p)
+ vg = nbp_vlan_group_rcu(p);
+ else if (netif_is_bridge_master(dev))
+ vg = br_vlan_group_rcu(netdev_priv(dev));
+ else
+ return -EINVAL;
+
+ *p_pvid = br_get_pvid(vg);
+ return 0;
}
EXPORT_SYMBOL_GPL(br_vlan_get_pvid_rcu);

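
Review bot: br_vlan_get_pvid_rcu() states its locking requirement only through its name, whereas the RTNL variant opens with ASSERT_RTNL(). A one-line comment above the function saying callers must be inside an RCU read-side critical section would document the contract that nbp_vlan_group_rcu() and br_vlan_group_rcu() depend on.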


2020-09-25 13:01:30

by Greg Kroah-Hartman

Subject: [PATCH 5.4 01/43] af_key: pfkey_dump needs parameter validation

From: Mark Salyzyn <[email protected]>

commit 37bd22420f856fcd976989f1d4f1f7ad28e1fcac upstream.

In pfkey_dump() dplen and splen can both be specified to access the
xfrm_address_t structure out of bounds in __xfrm_state_filter_match()
when it calls addr_match() with the indexes. Return EINVAL if either
are out of range.

Signed-off-by: Mark Salyzyn <[email protected]>
Cc: [email protected]
Cc: [email protected]
Cc: [email protected]
Cc: Steffen Klassert <[email protected]>
Cc: Herbert Xu <[email protected]>
Cc: "David S. Miller" <[email protected]>
Cc: Jakub Kicinski <[email protected]>
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Steffen Klassert <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
net/key/af_key.c | 7 +++++++
1 file changed, 7 insertions(+)

--- a/net/key/af_key.c
+++ b/net/key/af_key.c
@@ -1849,6 +1849,13 @@ static int pfkey_dump(struct sock *sk, s
if (ext_hdrs[SADB_X_EXT_FILTER - 1]) {
struct sadb_x_filter *xfilter = ext_hdrs[SADB_X_EXT_FILTER - 1];

+ if ((xfilter->sadb_x_filter_splen >=
+ (sizeof(xfrm_address_t) << 3)) ||
+ (xfilter->sadb_x_filter_dplen >=
+ (sizeof(xfrm_address_t) << 3))) {
+ mutex_unlock(&pfk->dump_lock);
+ return -EINVAL;
+ }
filter = kmalloc(sizeof(*filter), GFP_KERNEL);
if (filter == NULL) {
mutex_unlock(&pfk->dump_lock);
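
Review bot: The added range check compares with `>=` against `sizeof(xfrm_address_t) << 3`, so a prefix length equal to the full width of xfrm_address_t in bits is rejected along with larger ones; please confirm that is intended rather than `>`, and say so in a comment. The bound is also spelled out twice, and a local constant would shorten the condition and keep the splen and dplen tests in step.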


2020-09-25 20:37:11

by Shuah Khan

Subject: Re: [PATCH 5.4 00/43] 5.4.68-rc1 review

On 9/25/20 6:48 AM, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 5.4.68 release.
> There are 43 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Sun, 27 Sep 2020 12:47:02 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.4.68-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.4.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
>

Compiled and booted on my test system. No dmesg regressions.

Tested-by: Shuah Khan <[email protected]>

thanks,
-- Shuah

2020-09-26 12:42:26

by Naresh Kamboju

Subject: Re: [PATCH 5.4 00/43] 5.4.68-rc1 review

On Fri, 25 Sep 2020 at 18:21, Greg Kroah-Hartman
<[email protected]> wrote:
>
> This is the start of the stable review cycle for the 5.4.68 release.
> There are 43 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Sun, 27 Sep 2020 12:47:02 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.4.68-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.4.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
>

Results from Linaro’s test farm.
No regressions on arm64, arm, x86_64, and i386.

Tested-by: Linux Kernel Functional Testing <[email protected]>

Summary
------------------------------------------------------------------------

kernel: 5.4.68-rc1
git repo: https://gitlab.com/Linaro/lkft/mirrors/stable/linux-stable-rc
git branch: linux-5.4.y
git commit: a6d2801f4120fe0719556290e85ca7402b7c1fe2
git describe: v5.4.67-44-ga6d2801f4120
Test details: https://qa-reports.linaro.org/lkft/linux-stable-rc-linux-5.4.y-sanity/build/v5.4.67-44-ga6d2801f4120


No regressions (compared to build v5.4.67)


No fixes (compared to build v5.4.67)

Ran 33349 total tests in the following environments and test suites.

Environments
--------------
- dragonboard-410c
- hi6220-hikey
- i386
- juno-r2
- juno-r2-compat
- juno-r2-kasan
- nxp-ls2088
- qemu_arm
- qemu_arm64
- qemu_i386
- qemu_x86_64
- x15
- x86
- x86-kasan

Test Suites
-----------
* linux-log-parser
* ltp-cap_bounds-tests
* ltp-commands-tests
* ltp-containers-tests
* ltp-cpuhotplug-tests
* ltp-crypto-tests
* ltp-dio-tests
* ltp-fcntl-locktests-tests
* ltp-filecaps-tests
* ltp-fs_bind-tests
* ltp-fs_perms_simple-tests
* ltp-fsx-tests
* ltp-io-tests
* ltp-ipc-tests
* ltp-math-tests
* ltp-syscalls-tests
* libhugetlbfs
* ltp-fs-tests
* ltp-hugetlb-tests
* ltp-mm-tests
* ltp-nptl-tests
* ltp-pty-tests
* ltp-securebits-tests
* ltp-tracing-tests
* v4l2-compliance
* ltp-controllers-tests
* ltp-cve-tests
* ltp-open-posix-tests
* ltp-sched-tests
* network-basic-tests

--
Linaro LKFT
https://lkft.linaro.org

2020-09-26 15:47:28

by Guenter Roeck

Subject: Re: [PATCH 5.4 00/43] 5.4.68-rc1 review

On Fri, Sep 25, 2020 at 02:48:12PM +0200, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 5.4.68 release.
> There are 43 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Sun, 27 Sep 2020 12:47:02 +0000.
> Anything received after that time might be too late.
>

Build results:
total: 157 pass: 157 fail: 0
Qemu test results:
total: 430 pass: 430 fail: 0

Tested-by: Guenter Roeck <[email protected]>

Guenter