This is the start of the stable review cycle for the 5.4.55 release.
There are 19 patches in this series, all will be posted as a response
to this one. If anyone has any issues with these being applied, please
let me know.
Responses should be made by Sat, 01 Aug 2020 07:44:05 +0000.
Anything received after that time might be too late.
The whole patch series can be found in one patch at:
https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.4.55-rc1.gz
or in the git tree and branch at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.4.y
and the diffstat can be found below.
thanks,
greg k-h
-------------
Pseudo-Shortlog of commits:
Greg Kroah-Hartman <[email protected]>
Linux 5.4.55-rc1
Vladimir Oltean <[email protected]>
Revert "dpaa_eth: fix usage as DSA master, try 3"
zhuguangqing <[email protected]>
PM: wakeup: Show statistics for deleted wakeup sources again
Peng Fan <[email protected]>
regmap: debugfs: check count when read regmap file
Kuniyuki Iwashima <[email protected]>
udp: Improve load balancing for SO_REUSEPORT.
Kuniyuki Iwashima <[email protected]>
udp: Copy has_conns in reuseport_grow().
Xin Long <[email protected]>
sctp: shrink stream outq when fails to do addstream reconf
Xin Long <[email protected]>
sctp: shrink stream outq only when new outcnt < old outcnt
Dan Carpenter <[email protected]>
AX.25: Prevent integer overflows in connect and sendmsg
Yuchung Cheng <[email protected]>
tcp: allow at most one TLP probe per flight
David Howells <[email protected]>
rxrpc: Fix sendmsg() returning EPIPE due to recvmsg() returning ENODATA
Weilong Chen <[email protected]>
rtnetlink: Fix memory(net_device) leak when ->newlink fails
Cong Wang <[email protected]>
qrtr: orphan socket in qrtr_release()
Miaohe Lin <[email protected]>
net: udp: Fix wrong clean up for IS_UDPLITE macro
Xiongfeng Wang <[email protected]>
net-sysfs: add a newline when printing 'tx_timeout' by sysfs
Wei Yongjun <[email protected]>
ip6_gre: fix null-ptr-deref in ip6gre_init_net()
Xie He <[email protected]>
drivers/net/wan/x25_asy: Fix to make it work
Subash Abhinov Kasiviswanathan <[email protected]>
dev: Defer free of skbs in flush_backlog
Peilin Ye <[email protected]>
AX.25: Prevent out-of-bounds read in ax25_sendmsg()
Peilin Ye <[email protected]>
AX.25: Fix out-of-bounds read in ax25_connect()
-------------
Diffstat:
Makefile | 4 ++--
drivers/base/power/wakeup.c | 3 +++
drivers/base/regmap/regmap-debugfs.c | 6 ++++++
drivers/net/ethernet/freescale/dpaa/dpaa_eth.c | 2 +-
drivers/net/wan/x25_asy.c | 21 +++++++++++++-------
include/linux/tcp.h | 4 +++-
net/ax25/af_ax25.c | 10 ++++++++--
net/core/dev.c | 2 +-
net/core/net-sysfs.c | 2 +-
net/core/rtnetlink.c | 3 ++-
net/core/sock_reuseport.c | 1 +
net/ipv4/tcp_input.c | 11 ++++++-----
net/ipv4/tcp_output.c | 13 ++++++++-----
net/ipv4/udp.c | 17 +++++++++-------
net/ipv6/ip6_gre.c | 11 ++++++-----
net/ipv6/udp.c | 17 +++++++++-------
net/qrtr/qrtr.c | 1 +
net/rxrpc/recvmsg.c | 2 +-
net/rxrpc/sendmsg.c | 2 +-
net/sctp/stream.c | 27 +++++++++++++++++---------
20 files changed, 103 insertions(+), 56 deletions(-)
From: Xin Long <[email protected]>
[ Upstream commit 8f13399db22f909a35735bf8ae2f932e0c8f0e30 ]
It's not necessary to walk outq->out_chunk_list with list_for_each
when the new outcnt >= the old outcnt, as no chunk with a sid higher than
the new (outcnt - 1) exists in the outqueue.
While at it, also move the list_for_each code in a new function
sctp_stream_shrink_out(), which will be used in the next patch.
Signed-off-by: Xin Long <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
net/sctp/stream.c | 21 ++++++++++++++-------
1 file changed, 14 insertions(+), 7 deletions(-)
--- a/net/sctp/stream.c
+++ b/net/sctp/stream.c
@@ -22,17 +22,11 @@
#include <net/sctp/sm.h>
#include <net/sctp/stream_sched.h>
-/* Migrates chunks from stream queues to new stream queues if needed,
- * but not across associations. Also, removes those chunks to streams
- * higher than the new max.
- */
-static void sctp_stream_outq_migrate(struct sctp_stream *stream,
- struct sctp_stream *new, __u16 outcnt)
+static void sctp_stream_shrink_out(struct sctp_stream *stream, __u16 outcnt)
{
struct sctp_association *asoc;
struct sctp_chunk *ch, *temp;
struct sctp_outq *outq;
- int i;
asoc = container_of(stream, struct sctp_association, stream);
outq = &asoc->outqueue;
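Review bot: sctp_stream_shrink_out() is introduced without any comment, while the explanatory comment that used to sit above this code moves to sctp_stream_outq_migrate() in the next hunk. Since the helper is meant to be called from elsewhere (the second SCTP patch in this series calls it from the reconf rollback), give it its own one-liner stating what it drops from the out queue and that callers are expected to check `stream->outcnt > outcnt` before calling it, as the next hunk does.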
@@ -56,6 +50,19 @@ static void sctp_stream_outq_migrate(str
sctp_chunk_free(ch);
}
+}
+
+/* Migrates chunks from stream queues to new stream queues if needed,
+ * but not across associations. Also, removes those chunks to streams
+ * higher than the new max.
+ */
+static void sctp_stream_outq_migrate(struct sctp_stream *stream,
+ struct sctp_stream *new, __u16 outcnt)
+{
+ int i;
+
+ if (stream->outcnt > outcnt)
+ sctp_stream_shrink_out(stream, outcnt);
if (new) {
/* Here we actually move the old ext stuff into the new
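Review bot: the `stream->outcnt > outcnt` guard lives in the caller rather than in sctp_stream_shrink_out() itself. The other caller added later in this series, `sctp_stream_shrink_out(stream, number)` in the reconf rollback, has no such guard, so only one of the two call sites gets the cheap no-op path; consider moving the comparison into the helper as an early return so every caller benefits.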
From: Wei Yongjun <[email protected]>
[ Upstream commit 46ef5b89ec0ecf290d74c4aee844f063933c4da4 ]
KASAN reports a null-ptr-deref error when register_netdev() fails:
KASAN: null-ptr-deref in range [0x00000000000003c0-0x00000000000003c7]
CPU: 2 PID: 422 Comm: ip Not tainted 5.8.0-rc4+ #12
Call Trace:
ip6gre_init_net+0x4ab/0x580
? ip6gre_tunnel_uninit+0x3f0/0x3f0
ops_init+0xa8/0x3c0
setup_net+0x2de/0x7e0
? rcu_read_lock_bh_held+0xb0/0xb0
? ops_init+0x3c0/0x3c0
? kasan_unpoison_shadow+0x33/0x40
? __kasan_kmalloc.constprop.0+0xc2/0xd0
copy_net_ns+0x27d/0x530
create_new_namespaces+0x382/0xa30
unshare_nsproxy_namespaces+0xa1/0x1d0
ksys_unshare+0x39c/0x780
? walk_process_tree+0x2a0/0x2a0
? trace_hardirqs_on+0x4a/0x1b0
? _raw_spin_unlock_irq+0x1f/0x30
? syscall_trace_enter+0x1a7/0x330
? do_syscall_64+0x1c/0xa0
__x64_sys_unshare+0x2d/0x40
do_syscall_64+0x56/0xa0
entry_SYSCALL_64_after_hwframe+0x44/0xa9
ip6gre_tunnel_uninit() has set 'ign->fb_tunnel_dev' to NULL, so a later
access to ign->fb_tunnel_dev causes a null-ptr-deref. Fix it by saving
'ign->fb_tunnel_dev' to the local variable ndev.
Fixes: dafabb6590cb ("ip6_gre: fix use-after-free in ip6gre_tunnel_lookup()")
Reported-by: Hulk Robot <[email protected]>
Signed-off-by: Wei Yongjun <[email protected]>
Reviewed-by: Eric Dumazet <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
net/ipv6/ip6_gre.c | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)
--- a/net/ipv6/ip6_gre.c
+++ b/net/ipv6/ip6_gre.c
@@ -1560,17 +1560,18 @@ static void ip6gre_destroy_tunnels(struc
static int __net_init ip6gre_init_net(struct net *net)
{
struct ip6gre_net *ign = net_generic(net, ip6gre_net_id);
+ struct net_device *ndev;
int err;
if (!net_has_fallback_tunnels(net))
return 0;
- ign->fb_tunnel_dev = alloc_netdev(sizeof(struct ip6_tnl), "ip6gre0",
- NET_NAME_UNKNOWN,
- ip6gre_tunnel_setup);
- if (!ign->fb_tunnel_dev) {
+ ndev = alloc_netdev(sizeof(struct ip6_tnl), "ip6gre0",
+ NET_NAME_UNKNOWN, ip6gre_tunnel_setup);
+ if (!ndev) {
err = -ENOMEM;
goto err_alloc_dev;
}
+ ign->fb_tunnel_dev = ndev;
dev_net_set(ign->fb_tunnel_dev, net);
/* FB netdevice is special: we have one, and only one per netns.
* Allowing to move it to another netns is clearly unsafe.
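Review bot: right after `ign->fb_tunnel_dev = ndev;` the next line still dereferences the field (`dev_net_set(ign->fb_tunnel_dev, net)`), and the rest of the function presumably does too. The whole point of the local is that ign->fb_tunnel_dev can be cleared behind this function's back by ip6gre_tunnel_uninit() when register_netdev() fails, so use `ndev` for every remaining reference in ip6gre_init_net() and read the field only from code that runs after registration succeeded.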
@@ -1590,7 +1591,7 @@ static int __net_init ip6gre_init_net(st
return 0;
err_reg_dev:
- free_netdev(ign->fb_tunnel_dev);
+ free_netdev(ndev);
err_alloc_dev:
return err;
}
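Review bot: `free_netdev(ndev)` is the actual fix, but nothing in the code says why the local is freed instead of the field. A short comment on the err_reg_dev path (register_netdev() failure runs the uninit callback, which sets ign->fb_tunnel_dev to NULL, as the changelog explains) would stop a future cleanup from "simplifying" this back to `free_netdev(ign->fb_tunnel_dev)`.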
From: Kuniyuki Iwashima <[email protected]>
[ Upstream commit f2b2c55e512879a05456eaf5de4d1ed2f7757509 ]
If an unconnected socket in a UDP reuseport group connect()s, has_conns is
set to 1. Then, when a packet is received, udp[46]_lib_lookup2() scans all
sockets in udp_hslot looking for the connected socket with the highest
score.
However, when the number of sockets bound to the port exceeds max_socks,
reuseport_grow() resets has_conns to 0. It can cause udp[46]_lib_lookup2()
to return without scanning all sockets, resulting in packets sent to
connected sockets being distributed to unconnected sockets.
Therefore, reuseport_grow() should copy has_conns.
Fixes: acdcecc61285 ("udp: correct reuseport selection with connected sockets")
CC: Willem de Bruijn <[email protected]>
Reviewed-by: Benjamin Herrenschmidt <[email protected]>
Signed-off-by: Kuniyuki Iwashima <[email protected]>
Acked-by: Willem de Bruijn <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
net/core/sock_reuseport.c | 1 +
1 file changed, 1 insertion(+)
--- a/net/core/sock_reuseport.c
+++ b/net/core/sock_reuseport.c
@@ -112,6 +112,7 @@ static struct sock_reuseport *reuseport_
more_reuse->prog = reuse->prog;
more_reuse->reuseport_id = reuse->reuseport_id;
more_reuse->bind_inany = reuse->bind_inany;
+ more_reuse->has_conns = reuse->has_conns;
memcpy(more_reuse->socks, reuse->socks,
reuse->num_socks * sizeof(struct sock *));
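Review bot: has_conns becomes the fourth field copied one by one from reuse to more_reuse (after prog, reuseport_id and bind_inany), and this bug was precisely a field missing from that list. Consider copying the fixed-size head of struct sock_reuseport in one statement, or at least adding a comment at the struct definition that every new field must be mirrored in reuseport_grow(), so the next flag added to the struct is not forgotten here.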
From: Peng Fan <[email protected]>
commit 74edd08a4fbf51d65fd8f4c7d8289cd0f392bd91 upstream.
When executing the following command, we hit a kernel dump.
dmesg -c > /dev/null; cd /sys;
for i in `ls /sys/kernel/debug/regmap/* -d`; do
echo "Checking regmap in $i";
cat $i/registers;
done && grep -ri "0x02d0" *;
This is because the count value is too big and kmalloc fails. So add an
upper bound check to allow a max size of `PAGE_SIZE << (MAX_ORDER - 1)`.
Signed-off-by: Peng Fan <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Mark Brown <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
drivers/base/regmap/regmap-debugfs.c | 6 ++++++
1 file changed, 6 insertions(+)
--- a/drivers/base/regmap/regmap-debugfs.c
+++ b/drivers/base/regmap/regmap-debugfs.c
@@ -227,6 +227,9 @@ static ssize_t regmap_read_debugfs(struc
if (*ppos < 0 || !count)
return -EINVAL;
+ if (count > (PAGE_SIZE << (MAX_ORDER - 1)))
+ count = PAGE_SIZE << (MAX_ORDER - 1);
+
buf = kmalloc(count, GFP_KERNEL);
if (!buf)
return -ENOMEM;
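Review bot: the clamp silently turns an oversized read into a short read rather than rejecting it with -EINVAL, which is acceptable read(2) semantics, but `PAGE_SIZE << (MAX_ORDER - 1)` is the largest allocation kmalloc() can serve at all, so a large read of a big regmap under memory pressure still hits the `-ENOMEM` path two lines below or forces reclaim for a debugfs read. A much smaller fixed cap, or kvmalloc(), would be more robust than clamping to the kmalloc ceiling.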
@@ -371,6 +374,9 @@ static ssize_t regmap_reg_ranges_read_fi
if (*ppos < 0 || !count)
return -EINVAL;
+ if (count > (PAGE_SIZE << (MAX_ORDER - 1)))
+ count = PAGE_SIZE << (MAX_ORDER - 1);
+
buf = kmalloc(count, GFP_KERNEL);
if (!buf)
return -ENOMEM;
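Review bot: this is the same two-line clamp as in regmap_read_debugfs() above, copied verbatim into regmap_reg_ranges_read_file(). Factor it into a small helper (or a single define for the bound) so that a future change to the limit is applied in both places.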
From: zhuguangqing <[email protected]>
commit e976eb4b91e906f20ec25b20c152d53c472fc3fd upstream.
After commit 00ee22c28915 (PM / wakeup: Use seq_open() to show wakeup
stats), print_wakeup_source_stats(m, &deleted_ws) is not called from
wakeup_sources_stats_seq_show() any more.
Because deleted_ws is one of the wakeup sources, it should be shown
too, so add it to the end of all other wakeup sources.
Signed-off-by: zhuguangqing <[email protected]>
[ rjw: Subject & changelog ]
Signed-off-by: Rafael J. Wysocki <[email protected]>
Signed-off-by: Florian Fainelli <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
drivers/base/power/wakeup.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/base/power/wakeup.c
+++ b/drivers/base/power/wakeup.c
@@ -1073,6 +1073,9 @@ static void *wakeup_sources_stats_seq_ne
break;
}
+ if (!next_ws)
+ print_wakeup_source_stats(m, &deleted_ws);
+
return next_ws;
}
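Review bot: emitting output from the seq_file ->next callback (wakeup_sources_stats_seq_next) rather than from ->show is fragile: seq_read() calls ->next only to advance the iterator, and output written there is not handled by its overflow-and-retry logic the way ->show output is, so depending on the reader's buffer size the deleted_ws line can be dropped or repeated. The usual pattern is to make deleted_ws a final iterator position (->next returns a sentinel instead of NULL) and print it from ->show.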
From: Kuniyuki Iwashima <[email protected]>
[ Upstream commit efc6b6f6c3113e8b203b9debfb72d81e0f3dcace ]
Currently, SO_REUSEPORT does not work well if connected sockets are in a
UDP reuseport group.
Then reuseport_has_conns() returns true and the result of
reuseport_select_sock() is discarded. Also, unconnected sockets have the
same score, hence only the first unconnected socket in udp_hslot
always receives all packets sent to unconnected sockets.
So, the result of reuseport_select_sock() should be used for load
balancing.
The noteworthy point is that the unconnected sockets placed after
connected sockets in sock_reuseport.socks will receive more packets than
others because of the algorithm in reuseport_select_sock().
index | connected | reciprocal_scale | result
------+-----------+------------------+-------
  0   |    no     |       20%        |  40%
  1   |    no     |       20%        |  20%
  2   |    yes    |       20%        |   0%
  3   |    no     |       20%        |  40%
  4   |    yes    |       20%        |   0%
If most of the sockets are connected, this can be a problem, but it still
works better than now.
Fixes: acdcecc61285 ("udp: correct reuseport selection with connected sockets")
CC: Willem de Bruijn <[email protected]>
Reviewed-by: Benjamin Herrenschmidt <[email protected]>
Signed-off-by: Kuniyuki Iwashima <[email protected]>
Acked-by: Willem de Bruijn <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
net/ipv4/udp.c | 15 +++++++++------
net/ipv6/udp.c | 15 +++++++++------
2 files changed, 18 insertions(+), 12 deletions(-)
--- a/net/ipv4/udp.c
+++ b/net/ipv4/udp.c
@@ -413,7 +413,7 @@ static struct sock *udp4_lib_lookup2(str
struct udp_hslot *hslot2,
struct sk_buff *skb)
{
- struct sock *sk, *result;
+ struct sock *sk, *result, *reuseport_result;
int score, badness;
u32 hash = 0;
@@ -423,17 +423,20 @@ static struct sock *udp4_lib_lookup2(str
score = compute_score(sk, net, saddr, sport,
daddr, hnum, dif, sdif);
if (score > badness) {
+ reuseport_result = NULL;
+
if (sk->sk_reuseport &&
sk->sk_state != TCP_ESTABLISHED) {
hash = udp_ehashfn(net, daddr, hnum,
saddr, sport);
- result = reuseport_select_sock(sk, hash, skb,
- sizeof(struct udphdr));
- if (result && !reuseport_has_conns(sk, false))
- return result;
+ reuseport_result = reuseport_select_sock(sk, hash, skb,
+ sizeof(struct udphdr));
+ if (reuseport_result && !reuseport_has_conns(sk, false))
+ return reuseport_result;
}
+
+ result = reuseport_result ? : sk;
badness = score;
- result = sk;
}
}
return result;
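Review bot: `result = reuseport_result ? : sk;` deliberately leaves `badness = score` at sk's score while result may be a different group member chosen by reuseport_select_sock(). That is correct (a connected socket later in the slot with a higher score must still win), but it is exactly the pairing a later reader will "fix" by making result and badness agree. Add a comment on the assignment saying that result is the load-balanced pick while badness tracks the score the group earned through sk.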
--- a/net/ipv6/udp.c
+++ b/net/ipv6/udp.c
@@ -148,7 +148,7 @@ static struct sock *udp6_lib_lookup2(str
int dif, int sdif, struct udp_hslot *hslot2,
struct sk_buff *skb)
{
- struct sock *sk, *result;
+ struct sock *sk, *result, *reuseport_result;
int score, badness;
u32 hash = 0;
@@ -158,17 +158,20 @@ static struct sock *udp6_lib_lookup2(str
score = compute_score(sk, net, saddr, sport,
daddr, hnum, dif, sdif);
if (score > badness) {
+ reuseport_result = NULL;
+
if (sk->sk_reuseport &&
sk->sk_state != TCP_ESTABLISHED) {
hash = udp6_ehashfn(net, daddr, hnum,
saddr, sport);
- result = reuseport_select_sock(sk, hash, skb,
- sizeof(struct udphdr));
- if (result && !reuseport_has_conns(sk, false))
- return result;
+ reuseport_result = reuseport_select_sock(sk, hash, skb,
+ sizeof(struct udphdr));
+ if (reuseport_result && !reuseport_has_conns(sk, false))
+ return reuseport_result;
}
- result = sk;
+
+ result = reuseport_result ? : sk;
badness = score;
}
}
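Review bot: this hunk is a line-for-line copy of the IPv4 change in udp4_lib_lookup2(); whatever comment explains the result/badness split there belongs here too, and the reuseport selection block is a candidate for a shared helper so the two lookups cannot drift apart again.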
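The selection and lookup logic described in this patch and in the preceding has_conns patch, as an added example that is not part of either patch or of the kernel: a C model of the hashed-slot pick in reuseport_select_sock() with its skip-over-connected walk, and of the udp[46]_lib_lookup2() loop before and after this change. It reproduces the 40/20/0/40/0 table above, shows that the pre-patch loop always hands unconnected traffic to the first unconnected socket, and shows the misdelivery that the has_conns copy fixes. The names struct group, next_unconnected, score_packet, table_group and the score values are constructed for the example; only reciprocal_scale() mirrors the kernel's arithmetic.

```c
#include <stdint.h>
#include <stdio.h>

#define MAX_SOCKS 8

/* Constructed stand-in for a reuseport group plus per-socket lookup state. */
struct group {
	int num_socks;
	int has_conns;            /* sock_reuseport.has_conns */
	int connected[MAX_SOCKS]; /* 1 = sk_state == TCP_ESTABLISHED */
	int score[MAX_SOCKS];     /* compute_score() for the packet; -1 = no match */
};

/* reciprocal_scale() as in include/linux/kernel.h: map a 32-bit hash onto [0, ep_ro). */
static uint32_t reciprocal_scale(uint32_t val, uint32_t ep_ro)
{
	return (uint32_t)(((uint64_t)val * ep_ro) >> 32);
}

/* The skip loop in reuseport_select_sock(): advance from the hashed slot to the
 * next unconnected socket, wrapping; -1 if every socket is connected. This is
 * what gives the socket after a connected one its extra share. */
static int next_unconnected(const struct group *g, int start)
{
	int i = start;

	while (g->connected[i]) {
		if (++i >= g->num_socks)
			i = 0;
		if (i == start)
			return -1;
	}
	return i;
}

static int select_by_hash(const struct group *g, uint32_t hash)
{
	return next_unconnected(g, (int)reciprocal_scale(hash, g->num_socks));
}

/* Percentage of packets socket idx gets if hashes land evenly on the slots
 * (the "result" column of the table in the changelog). */
static int share_percent(const struct group *g, int idx)
{
	int hits = 0;

	for (int start = 0; start < g->num_socks; start++)
		if (next_unconnected(g, start) == idx)
			hits++;
	return 100 * hits / g->num_socks;
}

/* The udp[46]_lib_lookup2() loop. use_reuseport_result = 0 is the old
 * "result = sk"; 1 is the patched "result = reuseport_result ? : sk". */
static int lookup2(const struct group *g, uint32_t hash, int use_reuseport_result)
{
	int result = -1, badness = 0;

	for (int sk = 0; sk < g->num_socks; sk++) {
		int score = g->score[sk];

		if (score > badness) {
			int reuseport_result = -1;

			if (!g->connected[sk]) {
				reuseport_result = select_by_hash(g, hash);
				/* fast path: no connected sockets in the group, trust the pick */
				if (reuseport_result >= 0 && !g->has_conns)
					return reuseport_result;
			}
			result = (use_reuseport_result && reuseport_result >= 0)
				 ? reuseport_result : sk;
			badness = score; /* sk's score, not the pick's */
		}
	}
	return result;
}

/* Five sockets, index 2 and 4 connected, as in the changelog's table. */
static struct group table_group(void)
{
	struct group g = { .num_socks = 5, .has_conns = 1 };

	g.connected[2] = g.connected[4] = 1;
	return g;
}

/* Constructed scores: unconnected sockets match any packet with score 2; a
 * connected socket scores 4 only for the one 4-tuple it is connected to and
 * -1 otherwise (pass -1 for a packet that belongs to no connected socket). */
static void score_packet(struct group *g, int matching_connected_sk)
{
	for (int i = 0; i < g->num_socks; i++)
		g->score[i] = !g->connected[i] ? 2 :
			      (i == matching_connected_sk ? 4 : -1);
}

int main(void)
{
	struct group g = table_group();

	for (int i = 0; i < g.num_socks; i++)
		printf("index %d connected %-3s share %3d%%\n", i,
		       g.connected[i] ? "yes" : "no", share_percent(&g, i));
	return 0;
}
```

Running it prints the five shares from the changelog's table. lookup2() with use_reuseport_result = 0 returns socket 0 for every hash of a packet that belongs to no connected socket, which is the "first unconnected socket always wins" behaviour; with 1 it returns the balanced pick, and clearing has_conns (what reuseport_grow() did before the previous patch) makes it return that pick even for a packet whose 4-tuple matches a connected socket.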
From: Miaohe Lin <[email protected]>
[ Upstream commit b0a422772fec29811e293c7c0e6f991c0fd9241d ]
We can't use IS_UDPLITE to replace udp_sk->pcflag when UDPLITE_RECV_CC is
checked.
Fixes: b2bf1e2659b1 ("[UDP]: Clean up for IS_UDPLITE macro")
Signed-off-by: Miaohe Lin <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
net/ipv4/udp.c | 2 +-
net/ipv6/udp.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
--- a/net/ipv4/udp.c
+++ b/net/ipv4/udp.c
@@ -2045,7 +2045,7 @@ static int udp_queue_rcv_one_skb(struct
/*
* UDP-Lite specific tests, ignored on UDP sockets
*/
- if ((is_udplite & UDPLITE_RECV_CC) && UDP_SKB_CB(skb)->partial_cov) {
+ if ((up->pcflag & UDPLITE_RECV_CC) && UDP_SKB_CB(skb)->partial_cov) {
/*
* MIB statistics other than incrementing the error count are
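Review bot: the hunk does not show how `is_udplite` is declared, and neither the code nor the changelog explains why `is_udplite & UDPLITE_RECV_CC` was wrong. If is_udplite is the 0/1 value from IS_UDPLITE(), a bitwise AND with a flag constant can only be non-zero when that flag happens to be bit 0, so the test was silently never taken; state that in a comment above the `up->pcflag & UDPLITE_RECV_CC` test (or in the changelog) so nobody "simplifies" it back.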
--- a/net/ipv6/udp.c
+++ b/net/ipv6/udp.c
@@ -643,7 +643,7 @@ static int udpv6_queue_rcv_one_skb(struc
/*
* UDP-Lite specific tests, ignored on UDP sockets (see net/ipv4/udp.c).
*/
- if ((is_udplite & UDPLITE_RECV_CC) && UDP_SKB_CB(skb)->partial_cov) {
+ if ((up->pcflag & UDPLITE_RECV_CC) && UDP_SKB_CB(skb)->partial_cov) {
if (up->pcrlen == 0) { /* full coverage was set */
net_dbg_ratelimited("UDPLITE6: partial coverage %d while full coverage %d requested\n",
From: Cong Wang <[email protected]>
[ Upstream commit af9f691f0f5bdd1ade65a7b84927639882d7c3e5 ]
We have to detach sock from socket in qrtr_release(),
otherwise skb->sk may still reference this socket
when the skb is released in tun->queue; in particular,
sk->sk_wq still points to &sock->wq, which leads to
a UAF.
Reported-and-tested-by: [email protected]
Fixes: 28fb4e59a47d ("net: qrtr: Expose tunneling endpoint to user space")
Cc: Bjorn Andersson <[email protected]>
Cc: Eric Dumazet <[email protected]>
Signed-off-by: Cong Wang <[email protected]>
Reviewed-by: Eric Dumazet <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
net/qrtr/qrtr.c | 1 +
1 file changed, 1 insertion(+)
--- a/net/qrtr/qrtr.c
+++ b/net/qrtr/qrtr.c
@@ -1004,6 +1004,7 @@ static int qrtr_release(struct socket *s
sk->sk_state_change(sk);
sock_set_flag(sk, SOCK_DEAD);
+ sock_orphan(sk);
sock->sk = NULL;
if (!sock_flag(sk, SOCK_ZAPPED))
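Review bot: sock_orphan() itself sets SOCK_DEAD (together with clearing sk->sk_socket and sk->sk_wq under sk_callback_lock), so the `sock_set_flag(sk, SOCK_DEAD)` on the line above the new call is now redundant. Either drop it or put the sock_orphan() call in its place so the socket's lifetime transition is expressed once.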
From: Yuchung Cheng <[email protected]>
[ Upstream commit 76be93fc0702322179bb0ea87295d820ee46ad14 ]
Previously, TLP could send multiple probes of new data in one
flight. This happens when the sender is cwnd limited. After the
initial TLP containing new data is sent, the sender receives another
ACK that acks partial inflight. It may re-arm another TLP timer
to send more, if no further ACK returns before the next TLP timeout
(PTO) expires. In theory the sender may send a large number of TLPs
until the send queue is depleted. This only happens if the sender sees
such an irregular, uncommon ACK pattern, but it is generally undesirable
behavior, especially during congestion.
The original TLP design restricts TLP to one probe per inflight, as
published in "Reducing Web Latency: the Virtue of Gentle Aggression",
SIGCOMM 2013. This patch changes TLP to send at most one probe
per inflight.
Note that if the sender is app-limited, TLP retransmits old data
and does not have this issue.
Signed-off-by: Yuchung Cheng <[email protected]>
Signed-off-by: Neal Cardwell <[email protected]>
Signed-off-by: Eric Dumazet <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
include/linux/tcp.h | 4 +++-
net/ipv4/tcp_input.c | 11 ++++++-----
net/ipv4/tcp_output.c | 13 ++++++++-----
3 files changed, 17 insertions(+), 11 deletions(-)
--- a/include/linux/tcp.h
+++ b/include/linux/tcp.h
@@ -216,6 +216,8 @@ struct tcp_sock {
} rack;
u16 advmss; /* Advertised MSS */
u8 compressed_ack;
+ u8 tlp_retrans:1, /* TLP is a retransmission */
+ unused_1:7;
u32 chrono_start; /* Start time in jiffies of a TCP chrono */
u32 chrono_stat[3]; /* Time in jiffies for chrono_stat stats */
u8 chrono_type:2, /* current chronograph type */
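Review bot: the new `u8 tlp_retrans:1, unused_1:7;` is placed between `u8 compressed_ack` and `u32 chrono_start`, i.e. in the padding that already followed compressed_ack, so sizeof(struct tcp_sock) should not change; say so in the changelog, since struct layout is the first thing reviewers of a stable backport check. If the existing u8 bitfield starting at chrono_type has a spare bit, tlp_retrans could also live there and the unused_1:7 filler would not be needed.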
@@ -238,7 +240,7 @@ struct tcp_sock {
save_syn:1, /* Save headers of SYN packet */
is_cwnd_limited:1,/* forward progress limited by snd_cwnd? */
syn_smc:1; /* SYN includes SMC */
- u32 tlp_high_seq; /* snd_nxt at the time of TLP retransmit. */
+ u32 tlp_high_seq; /* snd_nxt at the time of TLP */
u32 tcp_tx_delay; /* delay (in usec) added to TX packets */
u64 tcp_wstamp_ns; /* departure time for next sent data packet */
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -3505,10 +3505,8 @@ static void tcp_replace_ts_recent(struct
}
}
-/* This routine deals with acks during a TLP episode.
- * We mark the end of a TLP episode on receiving TLP dupack or when
- * ack is after tlp_high_seq.
- * Ref: loss detection algorithm in draft-dukkipati-tcpm-tcp-loss-probe.
+/* This routine deals with acks during a TLP episode and ends an episode by
+ * resetting tlp_high_seq. Ref: TLP algorithm in draft-ietf-tcpm-rack
*/
static void tcp_process_tlp_ack(struct sock *sk, u32 ack, int flag)
{
@@ -3517,7 +3515,10 @@ static void tcp_process_tlp_ack(struct s
if (before(ack, tp->tlp_high_seq))
return;
- if (flag & FLAG_DSACKING_ACK) {
+ if (!tp->tlp_retrans) {
+ /* TLP of new data has been acknowledged */
+ tp->tlp_high_seq = 0;
+ } else if (flag & FLAG_DSACKING_ACK) {
/* This DSACK means original and TLP probe arrived; no loss */
tp->tlp_high_seq = 0;
} else if (after(ack, tp->tlp_high_seq)) {
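Review bot: the new first branch ends the episode as soon as an ACK at or beyond tlp_high_seq arrives for a new-data probe, ahead of the DSACK and after() checks that remain for the retransmission case. A comment should say why those checks do not apply to a new-data probe (no duplicate of already-sent data is on the wire, so a DSACK cannot mean "both copies arrived" and there is no loss to infer), otherwise the ordering of the three branches reads as arbitrary.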
--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -2564,6 +2564,11 @@ void tcp_send_loss_probe(struct sock *sk
int pcount;
int mss = tcp_current_mss(sk);
+ /* At most one outstanding TLP */
+ if (tp->tlp_high_seq)
+ goto rearm_timer;
+
+ tp->tlp_retrans = 0;
skb = tcp_send_head(sk);
if (skb && tcp_snd_wnd_test(tp, skb, mss)) {
pcount = tp->packets_out;
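Review bot: moving `if (tp->tlp_high_seq) goto rearm_timer;` ahead of the new-data path is the real fix, but `tp->tlp_retrans = 0;` is written before it is known whether any probe will be sent (the function can still leave through rearm_timer or the `return` below). That is harmless only as long as tlp_retrans is consulted nowhere unless tlp_high_seq is non-zero; a comment stating that invariant next to the assignment would make the pairing of the two fields explicit.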
@@ -2581,10 +2586,6 @@ void tcp_send_loss_probe(struct sock *sk
return;
}
- /* At most one outstanding TLP retransmission. */
- if (tp->tlp_high_seq)
- goto rearm_timer;
-
if (skb_still_in_host_queue(sk, skb))
goto rearm_timer;
@@ -2606,10 +2607,12 @@ void tcp_send_loss_probe(struct sock *sk
if (__tcp_retransmit_skb(sk, skb, 1))
goto rearm_timer;
+ tp->tlp_retrans = 1;
+
+probe_sent:
/* Record snd_nxt for loss detection. */
tp->tlp_high_seq = tp->snd_nxt;
-probe_sent:
NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPLOSSPROBES);
/* Reset s.t. tcp_rearm_rto will restart timer from now */
inet_csk(sk)->icsk_pending = 0;
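Review bot: moving the `probe_sent:` label above `tp->tlp_high_seq = tp->snd_nxt;` is what makes the early guard effective for new-data probes: the new-data path presumably reaches probe_sent through a goto in the elided part of the function, and without the label move tlp_high_seq would stay 0 after such a probe and the guard at the top would never fire. That deserves a sentence in the changelog, because in the diff it reads as a cosmetic label shuffle.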
From: Peilin Ye <[email protected]>
[ Upstream commit 2f2a7ffad5c6cbf3d438e813cfdc88230e185ba6 ]
Checks on `addr_len` and `fsa->fsa_ax25.sax25_ndigis` are insufficient.
ax25_connect() can go out of bounds when `fsa->fsa_ax25.sax25_ndigis`
equals 7 or 8. Fix it.
This issue has been reported as a KMSAN uninit-value bug, because in such
a case, ax25_connect() reaches into the uninitialized portion of the
`struct sockaddr_storage` statically allocated in __sys_connect().
It is safe to remove `fsa->fsa_ax25.sax25_ndigis > AX25_MAX_DIGIS` because
`addr_len` is guaranteed to be less than or equal to
`sizeof(struct full_sockaddr_ax25)`.
Reported-by: [email protected]
Link: https://syzkaller.appspot.com/bug?id=55ef9d629f3b3d7d70b69558015b63b48d01af66
Signed-off-by: Peilin Ye <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
net/ax25/af_ax25.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/net/ax25/af_ax25.c
+++ b/net/ax25/af_ax25.c
@@ -1187,7 +1187,9 @@ static int __must_check ax25_connect(str
if (addr_len > sizeof(struct sockaddr_ax25) &&
fsa->fsa_ax25.sax25_ndigis != 0) {
/* Valid number of digipeaters ? */
- if (fsa->fsa_ax25.sax25_ndigis < 1 || fsa->fsa_ax25.sax25_ndigis > AX25_MAX_DIGIS) {
+ if (fsa->fsa_ax25.sax25_ndigis < 1 ||
+ addr_len < sizeof(struct sockaddr_ax25) +
+ sizeof(ax25_address) * fsa->fsa_ax25.sax25_ndigis) {
err = -EINVAL;
goto out_release;
}
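Review bot: dropping `fsa->fsa_ax25.sax25_ndigis > AX25_MAX_DIGIS` leaves `sizeof(ax25_address) * fsa->fsa_ax25.sax25_ndigis` with only a lower bound on the multiplier. The hunk does not show the type of sax25_ndigis; if it is wider than a byte, a large value can wrap the product in a 32-bit size_t so that the sum compares below addr_len and the check passes. The changelog's argument (addr_len is bounded by sizeof(struct full_sockaddr_ax25)) only bounds the bytes read if the multiplication cannot wrap, so keep the explicit upper bound alongside the new length check; this series' own "AX.25: Prevent integer overflows in connect and sendmsg" reads as exactly that follow-up.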
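The length check this patch introduces, as an added example that is not part of the patch or of the kernel: a C model of the pre-patch check, the patched check, the same patched check with 32-bit size_t arithmetic, and a hardened variant that keeps the AX25_MAX_DIGIS bound, run over constructed (addr_len, sax25_ndigis) pairs. The struct layouts restate include/uapi/linux/ax25.h and are an assumption here; the function names, the 32-bit variant and the sample values are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>

#ifndef EINVAL
#define EINVAL 22
#endif
#define AX25_MAX_DIGIS 8

/* Layouts as in include/uapi/linux/ax25.h (assumed here, not copied from the patch). */
typedef struct { char ax25_call[7]; } ax25_address;

struct sockaddr_ax25 {
	uint16_t sax25_family;  /* __kernel_sa_family_t */
	ax25_address sax25_call;
	int sax25_ndigis;       /* note: int, not unsigned char */
	/* digipeater ax25_address entries follow */
};

struct full_sockaddr_ax25 {
	struct sockaddr_ax25 fsa_ax25;
	ax25_address fsa_digipeater[AX25_MAX_DIGIS];
};

/* Bytes ax25_connect() reads for ndigis digipeaters; uint64_t stands for a
 * 64-bit size_t so the result is the same on every host. */
static uint64_t bytes_needed(int ndigis)
{
	return sizeof(struct sockaddr_ax25) + sizeof(ax25_address) * (uint64_t)ndigis;
}

/* The caller already ensures addr_len <= sizeof(struct full_sockaddr_ax25);
 * the digipeater block is only consulted for longer-than-basic addresses. */
static int wants_digis(int addr_len, int ndigis)
{
	return addr_len > (int)sizeof(struct sockaddr_ax25) && ndigis != 0;
}

/* Before the patch: the count is range-checked, but addr_len is never
 * compared with the bytes that count implies. */
static int check_old(int addr_len, int ndigis)
{
	if (wants_digis(addr_len, ndigis) && (ndigis < 1 || ndigis > AX25_MAX_DIGIS))
		return -EINVAL;
	return 0;
}

/* After this patch, with 64-bit size_t: the count must fit inside addr_len. */
static int check_new(int addr_len, int ndigis)
{
	if (wants_digis(addr_len, ndigis) &&
	    (ndigis < 1 || (uint64_t)addr_len < bytes_needed(ndigis)))
		return -EINVAL;
	return 0;
}

/* The same check with size_t truncated to 32 bits, as on a 32-bit kernel:
 * the product can wrap and the comparison passes for an absurd count. */
static int check_new_32bit(int addr_len, int ndigis)
{
	uint32_t needed = (uint32_t)sizeof(struct sockaddr_ax25) +
			  (uint32_t)sizeof(ax25_address) * (uint32_t)ndigis;

	if (wants_digis(addr_len, ndigis) &&
	    (ndigis < 1 || (uint32_t)addr_len < needed))
		return -EINVAL;
	return 0;
}

/* Hardened: keep both the explicit bound and the length check, so the
 * product never exceeds 7 * AX25_MAX_DIGIS and cannot wrap on any word size. */
static int check_hardened(int addr_len, int ndigis)
{
	if (wants_digis(addr_len, ndigis) &&
	    (ndigis < 1 || ndigis > AX25_MAX_DIGIS ||
	     (uint64_t)addr_len < bytes_needed(ndigis)))
		return -EINVAL;
	return 0;
}

/* True if an accepted address makes ax25_connect() read past addr_len
 * (into the uninitialised tail of the caller's sockaddr_storage). */
static int reads_past_end(int addr_len, int ndigis)
{
	return wants_digis(addr_len, ndigis) && bytes_needed(ndigis) > (uint64_t)addr_len;
}
```

With addr_len = 17 and sax25_ndigis = 7, check_old() accepts and the connect path reads 65 bytes from a 17-byte address, which is the shape of the syzkaller report; check_new() rejects it. With sax25_ndigis = 613566757 the 32-bit product 7 * 613566757 wraps to 3, so check_new_32bit() accepts a 19-byte address while check_hardened() still rejects it.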
From: Xin Long <[email protected]>
[ Upstream commit 3ecdda3e9ad837cf9cb41b6faa11b1af3a5abc0c ]
When adding a stream with stream reconf, the new stream is firstly in the
CLOSED state but new out chunks can still be enqueued. Then, once it gets
the confirmation from the peer, the state will change to OPEN.
However, if the peer denies, it needs to roll back the stream. But when
doing that, it only sets the stream outcnt back, and the chunks already
in the new stream don't get purged. This means these chunks can still be
dequeued in sctp_outq_dequeue_data().
As its stream is still CLOSED, the chunk will be enqueued to the head
again by sctp_outq_head_data(). This chunk will never be sent out, and
the chunks after it can never be dequeued. The assoc will be 'hung' in
a dead loop of sending this chunk.
To fix it, this patch is to purge these chunks already in the new
stream by calling sctp_stream_shrink_out() when failing to do the
addstream reconf.
Fixes: 11ae76e67a17 ("sctp: implement receiver-side procedures for the Reconf Response Parameter")
Reported-by: Ying Xu <[email protected]>
Signed-off-by: Xin Long <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
net/sctp/stream.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
--- a/net/sctp/stream.c
+++ b/net/sctp/stream.c
@@ -1045,11 +1045,13 @@ struct sctp_chunk *sctp_process_strreset
nums = ntohs(addstrm->number_of_streams);
number = stream->outcnt - nums;
- if (result == SCTP_STRRESET_PERFORMED)
+ if (result == SCTP_STRRESET_PERFORMED) {
for (i = number; i < stream->outcnt; i++)
SCTP_SO(stream, i)->state = SCTP_STREAM_OPEN;
- else
+ } else {
+ sctp_stream_shrink_out(stream, number);
stream->outcnt = number;
+ }
*evp = sctp_ulpevent_make_stream_change_event(asoc, flags,
0, nums, GFP_ATOMIC);
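Review bot: sctp_stream_shrink_out(stream, number) is called here unconditionally, whereas the only other caller in this series guards it with `stream->outcnt > outcnt`. With nums == 0, number equals stream->outcnt and the helper walks the out queue for nothing; either add the same guard here or move it into the helper so both call sites behave the same.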
On Thu, Jul 30, 2020 at 10:04:02AM +0200, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 5.4.55 release.
> There are 19 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Sat, 01 Aug 2020 07:44:05 +0000.
> Anything received after that time might be too late.
>
Build results:
total: 157 pass: 157 fail: 0
Qemu test results:
total: 429 pass: 429 fail: 0
Guenter
On Thu, 30 Jul 2020 at 13:36, Greg Kroah-Hartman
<[email protected]> wrote:
>
> This is the start of the stable review cycle for the 5.4.55 release.
> There are 19 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Sat, 01 Aug 2020 07:44:05 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.4.55-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.4.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
Results from Linaro’s test farm.
Regression on an arm64 Juno-r2 device running the LTP controllers tests
CONFIG_ARM64_64K_PAGES=y
Unable to handle kernel paging request at virtual address dead000000000108
[dead000000000108] address between user and kernel address ranges
Internal error: Oops: 96000044 [#1] PREEMPT SMP
pc : get_page_from_freelist+0xa64/0x1030
lr : get_page_from_freelist+0x9c4/0x1030
We are trying to reproduce this kernel panic and to narrow it down to
specific test cases.
Summary
------------------------------------------------------------------------
kernel: 5.4.55-rc1
git repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git
git branch: linux-5.4.y
git commit: 6666ca784e9e47288180a15935061d88debc9e4b
git describe: v5.4.54-20-g6666ca784e9e
Test details: https://qa-reports.linaro.org/lkft/linux-stable-rc-5.4-oe/build/v5.4.54-20-g6666ca784e9e
arm64 kernel config and details:
config: https://builds.tuxbuild.com/iIsSV-1_WtyDUTe88iKaqw/kernel.config
vmlinux: https://builds.tuxbuild.com/iIsSV-1_WtyDUTe88iKaqw/vmlinux.xz
System.map: https://builds.tuxbuild.com/iIsSV-1_WtyDUTe88iKaqw/System.map
steps to reproduce:
- boot juno-r2 with 64k page size config
- run ltp controllers
# cd /opt/ltp
# ./runltp -f controllers
memcg_process: shmget() failed: Invalid argument
[ 248.372285] Unable to handle kernel paging request at virtual
address dead000000000108
[ 248.380223] Mem abort info:
[ 248.383015] ESR = 0x96000044
[ 248.386071] EC = 0x25: DABT (current EL), IL = 32 bits
[ 248.391387] SET = 0, FnV = 0
[ 248.394440] EA = 0, S1PTW = 0
[ 248.397580] Data abort info:
[ 248.400460] ISV = 0, ISS = 0x00000044
[ 248.404296] CM = 0, WnR = 1
[ 248.407264] [dead000000000108] address between user and kernel address ranges
[ 248.414410] Internal error: Oops: 96000044 [#1] PREEMPT SMP
[ 248.419989] Modules linked in: tda998x drm_kms_helper drm crct10dif_ce fuse
[ 248.426975] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.4.55-rc1 #1
[ 248.433249] Hardware name: ARM Juno development board (r2) (DT)
[ 248.439178] pstate: a0000085 (NzCv daIf -PAN -UAO)
[ 248.443984] pc : get_page_from_freelist+0xa64/0x1030
[ 248.448955] lr : get_page_from_freelist+0x9c4/0x1030
[ 248.453923] sp : ffff80001000fbb0
[ 248.457238] x29: ffff80001000fbb0 x28: ffff00097fdbfe48
[ 248.462557] x27: 0000000000000010 x26: 0000000000000000
[ 248.467877] x25: ffff00097feabdc0 x24: 0000000000000000
[ 248.473196] x23: 0000000000000000 x22: 0000000000000000
[ 248.478515] x21: 0000fff680154180 x20: ffff00097fdbfe38
[ 248.483835] x19: 0000000000000000 x18: 0000000000000000
[ 248.489154] x17: 0000000000000000 x16: 0000000000000000
[ 248.494473] x15: 0000000000000000 x14: 0000000000000000
[ 248.499792] x13: 0000000000000000 x12: 0000000034d4d91d
[ 248.505111] x11: 0000000000000000 x10: 0000000000000000
[ 248.510430] x9 : ffff80096e790000 x8 : ffffffffffffff40
[ 248.515749] x7 : 0000000000000000 x6 : ffffffe002308b48
[ 248.521068] x5 : ffff00097fdbfe38 x4 : dead000000000100
[ 248.526387] x3 : 0000000000000000 x2 : 0000000000000000
[ 248.531706] x1 : 0000000000000000 x0 : ffffffe002308b40
[ 248.537026] Call trace:
[ 248.539475] get_page_from_freelist+0xa64/0x1030
[ 248.544099] __alloc_pages_nodemask+0x144/0x280
[ 248.548635] page_frag_alloc+0x70/0x140
[ 248.552479] __netdev_alloc_skb+0x158/0x188
[ 248.556667] smsc911x_poll+0x90/0x268
[ 248.560342] net_rx_action+0x114/0x340
[ 248.564096] __do_softirq+0x120/0x25c
[ 248.567766] irq_exit+0xb8/0xd8
[ 248.570910] __handle_domain_irq+0x64/0xb8
[ 248.575010] gic_handle_irq+0x50/0xa8
[ 248.578675] el1_irq+0xb8/0x180
[ 248.581820] tick_check_broadcast_expired+0x34/0x40
[ 248.586705] do_idle+0x8c/0x280
[ 248.589848] cpu_startup_entry+0x20/0x80
[ 248.593777] rest_init+0xd4/0xe0
[ 248.597010] arch_call_rest_init+0xc/0x14
[ 248.601024] start_kernel+0x418/0x44c
[ 248.604693] Code: 54000a00 f10020c0 540009c0 a9400cc4 (f9000483)
[ 248.610803] ---[ end trace 358f513e280e4dfd ]---
[ 248.615426] Kernel panic - not syncing: Fatal exception in interrupt
[ 248.621789] SMP: stopping secondary CPUs
[ 249.740564] SMP: failed to stop secondary CPUs 0-2
[ 249.745359] Kernel Offset: disabled
[ 249.748849] CPU features: 0x0002,24006000
[ 249.752859] Memory Limit: none
[ 249.755921] ---[ end Kernel panic - not syncing: Fatal exception in
interrupt ]---
--
Linaro LKFT
https://lkft.linaro.org
On Fri, Jul 31, 2020 at 12:32 PM Naresh Kamboju
<[email protected]> wrote:
>
> On Thu, 30 Jul 2020 at 13:36, Greg Kroah-Hartman
> <[email protected]> wrote:
> >
> > This is the start of the stable review cycle for the 5.4.55 release.
> > There are 19 patches in this series, all will be posted as a response
> > to this one. If anyone has any issues with these being applied, please
> > let me know.
> >
> > Responses should be made by Sat, 01 Aug 2020 07:44:05 +0000.
> > Anything received after that time might be too late.
> >
> > The whole patch series can be found in one patch at:
> > https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.4.55-rc1.gz
> > or in the git tree and branch at:
> > git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.4.y
> > and the diffstat can be found below.
> >
> > thanks,
> >
> > greg k-h
>
> Results from Linaro’s test farm.
> Regressions on arm64 Juno-r2 device running LTP controllers-tests
>
> CONFIG_ARM64_64K_PAGES=y
>
> Unable to handle kernel paging request at virtual address dead000000000108
This is LIST_POISON1+8, so something was following a list_head that got
deleted from a list.
> [dead000000000108] address between user and kernel address ranges
> Internal error: Oops: 96000044 [#1] PREEMPT SMP
>
> pc : get_page_from_freelist+0xa64/0x1030
> lr : get_page_from_freelist+0x9c4/0x1030
>
> We are trying to reproduce this kernel panic and trying to narrow down to
> specific test cases.
>
> Summary
> ------------------------------------------------------------------------
>
> kernel: 5.4.55-rc1
> git repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git
> git branch: linux-5.4.y
> git commit: 6666ca784e9e47288180a15935061d88debc9e4b
> git describe: v5.4.54-20-g6666ca784e9e
> Test details: https://qa-reports.linaro.org/lkft/linux-stable-rc-5.4-oe/build/v5.4.54-20-g6666ca784e9e
>
> arm64 kernel config and details:
> config: https://builds.tuxbuild.com/iIsSV-1_WtyDUTe88iKaqw/kernel.config
> vmlinux: https://builds.tuxbuild.com/iIsSV-1_WtyDUTe88iKaqw/vmlinux.xz
> System.map: https://builds.tuxbuild.com/iIsSV-1_WtyDUTe88iKaqw/System.map
>
> steps to reproduce:
> - boot juno-r2 with 64k page size config
> - run ltp controllers
> # cd /opt/ltp
> # ./runltp -f controllers
>
> memcg_process: shmget() failed: Invalid argument
> [ 248.372285] Unable to handle kernel paging request at virtual
> address dead000000000108
> [ 248.380223] Mem abort info:
> [ 248.383015] ESR = 0x96000044
> [ 248.386071] EC = 0x25: DABT (current EL), IL = 32 bits
> [ 248.391387] SET = 0, FnV = 0
> [ 248.394440] EA = 0, S1PTW = 0
> [ 248.397580] Data abort info:
> [ 248.400460] ISV = 0, ISS = 0x00000044
> [ 248.404296] CM = 0, WnR = 1
> [ 248.407264] [dead000000000108] address between user and kernel address ranges
> [ 248.414410] Internal error: Oops: 96000044 [#1] PREEMPT SMP
> [ 248.419989] Modules linked in: tda998x drm_kms_helper drm crct10dif_ce fuse
> [ 248.426975] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.4.55-rc1 #1
> [ 248.433249] Hardware name: ARM Juno development board (r2) (DT)
> [ 248.439178] pstate: a0000085 (NzCv daIf -PAN -UAO)
> [ 248.443984] pc : get_page_from_freelist+0xa64/0x1030
> [ 248.448955] lr : get_page_from_freelist+0x9c4/0x1030
The function is a little too long for me to see immediately which list this is.
Using addr2line should help.
> [ 248.453923] sp : ffff80001000fbb0
> [ 248.457238] x29: ffff80001000fbb0 x28: ffff00097fdbfe48
> [ 248.462557] x27: 0000000000000010 x26: 0000000000000000
> [ 248.467877] x25: ffff00097feabdc0 x24: 0000000000000000
> [ 248.473196] x23: 0000000000000000 x22: 0000000000000000
> [ 248.478515] x21: 0000fff680154180 x20: ffff00097fdbfe38
> [ 248.483835] x19: 0000000000000000 x18: 0000000000000000
> [ 248.489154] x17: 0000000000000000 x16: 0000000000000000
> [ 248.494473] x15: 0000000000000000 x14: 0000000000000000
> [ 248.499792] x13: 0000000000000000 x12: 0000000034d4d91d
> [ 248.505111] x11: 0000000000000000 x10: 0000000000000000
> [ 248.510430] x9 : ffff80096e790000 x8 : ffffffffffffff40
> [ 248.515749] x7 : 0000000000000000 x6 : ffffffe002308b48
> [ 248.521068] x5 : ffff00097fdbfe38 x4 : dead000000000100
> [ 248.526387] x3 : 0000000000000000 x2 : 0000000000000000
> [ 248.531706] x1 : 0000000000000000 x0 : ffffffe002308b40
> [ 248.537026] Call trace:
> [ 248.539475] get_page_from_freelist+0xa64/0x1030
> [ 248.544099] __alloc_pages_nodemask+0x144/0x280
> [ 248.548635] page_frag_alloc+0x70/0x140
> [ 248.552479] __netdev_alloc_skb+0x158/0x188
> [ 248.556667] smsc911x_poll+0x90/0x268
This looks like a regular memory allocation; one common thing that may
have gone wrong here would be an earlier double-free.
There are not a lot of commits in v5.4.55-rc1, and most of these
are surely unrelated:
6666ca784e9e (HEAD, stable-rc/linux-5.4.y) Linux 5.4.55-rc1
ee4984bf5748 Revert "dpaa_eth: fix usage as DSA master, try 3"
783efa432aa4 PM: wakeup: Show statistics for deleted wakeup sources again
967783c61b31 regmap: debugfs: check count when read regmap file
3999cdbf89f0 drivers/net/wan/x25_asy: Fix to make it work
eb8b6691d757 AX.25: Prevent integer overflows in connect and sendmsg
3c3ae3e4c529 AX.25: Prevent out-of-bounds read in ax25_sendmsg()
e9380b1e9f82 AX.25: Fix out-of-bounds read in ax25_connect()
71e00f341e74 rxrpc: Fix sendmsg() returning EPIPE due to recvmsg() returning ENODATA
a385dfd083fb ip6_gre: fix null-ptr-deref in ip6gre_init_net()
161727c98eb6 net-sysfs: add a newline when printing 'tx_timeout' by sysfs
a93155189546 qrtr: orphan socket in qrtr_release()
I don't think any of the above are in use on your machine.
1365360e789d udp: Improve load balancing for SO_REUSEPORT.
efb2848c55b3 udp: Copy has_conns in reuseport_grow().
829a46fae4fd sctp: shrink stream outq when fails to do addstream reconf
a4842355118b sctp: shrink stream outq only when new outcnt < old outcnt
e99e79382d46 tcp: allow at most one TLP probe per flight
66007a7d7f4b net: udp: Fix wrong clean up for IS_UDPLITE macro
These seem possible but unlikely to be the culprit
8508b3ca8595 rtnetlink: Fix memory(net_device) leak when ->newlink fails
c1efeaaebc74 dev: Defer free of skbs in flush_backlog
These both deal with memory allocation in some form; I would try reverting
the last one first.
Arnd
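To make the decoding above concrete, here is an added example that is not part of this thread and not kernel code: a user-space model of struct list_head with the list_del() poison values this arm64 configuration uses (LIST_POISON1 = 0xdead000000000100 and LIST_POISON2 = 0xdead000000000122, taken from include/linux/poison.h with CONFIG_ILLEGAL_POINTER_VALUE=0xdead000000000000, an assumption about the build), plus a validity check in the spirit of CONFIG_DEBUG_LIST's __list_del_entry_valid(). It shows why a second unlink of an already deleted node would touch exactly dead000000000108, LIST_POISON1 plus offsetof(prev); the oops also reports WnR = 1, i.e. a write, which matches a store through a poisoned next pointer. Which list and which commit are responsible is Arnd's hypothesis, not something this code establishes.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* User-space model of the kernel's struct list_head (include/linux/list.h). */
struct list_head {
	struct list_head *next, *prev;
};

/* list_del() poison values assumed for arm64 with
 * CONFIG_ILLEGAL_POINTER_VALUE=0xdead000000000000 (include/linux/poison.h).
 * The oops in this thread faulted on LIST_POISON1 + 8. */
#define LIST_POISON1_ADDR 0xdead000000000100ULL
#define LIST_POISON2_ADDR 0xdead000000000122ULL
#define LIST_POISON1 ((struct list_head *)(uintptr_t)LIST_POISON1_ADDR)
#define LIST_POISON2 ((struct list_head *)(uintptr_t)LIST_POISON2_ADDR)

static void list_add(struct list_head *entry, struct list_head *head)
{
	struct list_head *next = head->next;

	next->prev = entry;
	entry->next = next;
	entry->prev = head;
	head->next = entry;
}

/* Mirrors kernel list_del(): unlink, then poison both links so a later walk
 * through this node faults on a recognisable address. */
static void list_del(struct list_head *entry)
{
	entry->next->prev = entry->prev;
	entry->prev->next = entry->next;
	entry->next = LIST_POISON1;
	entry->prev = LIST_POISON2;
}

/* Equivalent of __list_del_entry_valid() under CONFIG_DEBUG_LIST: refuse to
 * unlink an entry whose links are poisoned or inconsistent. On failure
 * *would_write receives the address an unchecked list_del() would have
 * stored through (0 for a plain link mismatch). */
static bool list_del_entry_valid(const struct list_head *entry, uint64_t *would_write)
{
	*would_write = 0;
	if (entry->next == LIST_POISON1) {
		/* next->prev = prev: a write at LIST_POISON1 + offsetof(prev) */
		*would_write = LIST_POISON1_ADDR + offsetof(struct list_head, prev);
		return false;
	}
	if (entry->prev == LIST_POISON2) {
		/* prev->next = next: a write at LIST_POISON2 + offsetof(next) */
		*would_write = LIST_POISON2_ADDR + offsetof(struct list_head, next);
		return false;
	}
	return entry->next->prev == entry && entry->prev->next == entry;
}

/* Classify a faulting address: 1 or 2 for the poison value it falls inside,
 * 0 otherwise. A non-NULL offset receives the field offset in the struct. */
int decode_fault_address(uint64_t addr, size_t *offset)
{
	uint64_t base = 0;
	int which = 0;

	if (addr >= LIST_POISON1_ADDR && addr < LIST_POISON1_ADDR + sizeof(struct list_head)) {
		base = LIST_POISON1_ADDR; which = 1;
	} else if (addr >= LIST_POISON2_ADDR && addr < LIST_POISON2_ADDR + sizeof(struct list_head)) {
		base = LIST_POISON2_ADDR; which = 2;
	}
	if (offset)
		*offset = which ? (size_t)(addr - base) : 0;
	return which;
}

/* Double-unlink pattern: delete a node, then try to delete it again. Returns
 * the address the second, unchecked list_del() would have written to; the
 * debug check stops it before the write happens. */
uint64_t simulate_double_list_del(void)
{
	struct list_head head = { &head, &head };
	struct list_head node;
	uint64_t addr = 0;

	list_add(&node, &head);
	if (list_del_entry_valid(&node, &addr))
		list_del(&node);          /* first unlink is fine; links now poisoned */
	if (!list_del_entry_valid(&node, &addr))
		return addr;              /* second unlink refused */
	return 0;
}

int main(void)
{
	uint64_t fault = 0xdead000000000108ULL;  /* address from the oops above */
	size_t off;
	int which = decode_fault_address(fault, &off);

	printf("%#llx = LIST_POISON%d + %zu (offsetof(prev) = %zu)\n",
	       (unsigned long long)fault, which, off, offsetof(struct list_head, prev));
	printf("second list_del() would write at %#llx\n",
	       (unsigned long long)simulate_double_list_del());
	return 0;
}
```

decode_fault_address() is the manual step Arnd did by eye; in a real debugging session it pairs with mapping the reported pc to a source line, for which the kernel tree's scripts/faddr2line accepts the symbol+offset form straight from the trace (scripts/faddr2line vmlinux get_page_from_freelist+0xa64/0x1030). The validity check is what CONFIG_DEBUG_LIST adds to the real list primitives: it turns a silent write through a poison pointer into an immediate, attributable warning at the first bad unlink rather than a fault somewhere later in the allocator.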
On Fri, Jul 31, 2020 at 04:02:16PM +0530, Naresh Kamboju wrote:
> On Thu, 30 Jul 2020 at 13:36, Greg Kroah-Hartman
> <[email protected]> wrote:
> >
> > This is the start of the stable review cycle for the 5.4.55 release.
> > There are 19 patches in this series, all will be posted as a response
> > to this one. If anyone has any issues with these being applied, please
> > let me know.
> >
> > Responses should be made by Sat, 01 Aug 2020 07:44:05 +0000.
> > Anything received after that time might be too late.
> >
> > The whole patch series can be found in one patch at:
> > https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.4.55-rc1.gz
> > or in the git tree and branch at:
> > git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.4.y
> > and the diffstat can be found below.
> >
> > thanks,
> >
> > greg k-h
>
> Results from Linaro’s test farm.
> Regressions on arm64 Juno-r2 device running LTP controllers-tests
>
> CONFIG_ARM64_64K_PAGES=y
>
> Unable to handle kernel paging request at virtual address dead000000000108
> [dead000000000108] address between user and kernel address ranges
> Internal error: Oops: 96000044 [#1] PREEMPT SMP
>
> pc : get_page_from_freelist+0xa64/0x1030
> lr : get_page_from_freelist+0x9c4/0x1030
>
> We are trying to reproduce this kernel panic and trying to narrow down to
> specific test cases.
If you come up with something that needs to be reverted, please let me
know.
Otherwise, thanks for testing all of these.
greg k-h