--- /dev/null
+From 4c4a39dd5fe2d13e2d2fa5fceb8ef95d19fc389a Mon Sep 17 00:00:00 2001
+From: Suzuki K Poulose <suzuki.poulose@arm.com>
+Date: Wed, 4 Jul 2018 23:07:45 +0100
+Subject: arm64: Fix mismatched cache line size detection
+
+From: Suzuki K Poulose <suzuki.poulose@arm.com>
+
+commit 4c4a39dd5fe2d13e2d2fa5fceb8ef95d19fc389a upstream.
+
+If there is a mismatch in the I/D min line size, we must
+always use the system wide safe value both in applications
+and in the kernel, while performing cache operations. However,
+we have been checking more bits than just the min line sizes,
+which triggers false negatives. We may need to trap the user
+accesses in such cases, but not necessarily patch the kernel.
+
+This patch fixes the check to do the right thing as advertised.
+A new capability will be added to check mismatches in other
+fields and ensure we trap the CTR accesses.
+
+Fixes: be68a8aaf925 ("arm64: cpufeature: Fix CTR_EL0 field definitions")
+Cc: <stable@vger.kernel.org>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Catalin Marinas <catalin.marinas@arm.com>
+Reported-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+
+---
+ arch/arm64/include/asm/cachetype.h | 5 +++++
+ arch/arm64/kernel/cpu_errata.c | 7 +++++--
+ arch/arm64/kernel/cpufeature.c | 4 ++--
+ 3 files changed, 12 insertions(+), 4 deletions(-)
+
+--- a/arch/arm64/include/asm/cachetype.h
++++ b/arch/arm64/include/asm/cachetype.h
+@@ -22,6 +22,11 @@
+ #define CTR_L1IP_MASK 3
+ #define CTR_CWG_SHIFT 24
+ #define CTR_CWG_MASK 15
++#define CTR_DMINLINE_SHIFT 16
++#define CTR_IMINLINE_SHIFT 0
++
++#define CTR_CACHE_MINLINE_MASK \
++ ((0xf << CTR_DMINLINE_SHIFT) | (0xf << CTR_IMINLINE_SHIFT))
+
+ #define ICACHE_POLICY_RESERVED 0
+ #define ICACHE_POLICY_AIVIVT 1
+--- a/arch/arm64/kernel/cpu_errata.c
++++ b/arch/arm64/kernel/cpu_errata.c
+@@ -17,6 +17,7 @@
+ */
+
+ #include <linux/types.h>
++#include <asm/cachetype.h>
+ #include <asm/cpu.h>
+ #include <asm/cputype.h>
+ #include <asm/cpufeature.h>
+@@ -34,9 +35,11 @@ static bool
+ has_mismatched_cache_line_size(const struct arm64_cpu_capabilities *entry,
+ int scope)
+ {
++ u64 mask = CTR_CACHE_MINLINE_MASK;
++
+ WARN_ON(scope != SCOPE_LOCAL_CPU || preemptible());
+- return (read_cpuid_cachetype() & arm64_ftr_reg_ctrel0.strict_mask) !=
+- (arm64_ftr_reg_ctrel0.sys_val & arm64_ftr_reg_ctrel0.strict_mask);
++ return (read_cpuid_cachetype() & mask) !=
++ (arm64_ftr_reg_ctrel0.sys_val & mask);
+ }
+
+ static int cpu_enable_trap_ctr_access(void *__unused)
+--- a/arch/arm64/kernel/cpufeature.c
++++ b/arch/arm64/kernel/cpufeature.c
+@@ -152,7 +152,7 @@ static const struct arm64_ftr_bits ftr_c
+ ARM64_FTR_BITS(FTR_STRICT, FTR_EXACT, 28, 3, 0),
+ ARM64_FTR_BITS(FTR_STRICT, FTR_HIGHER_SAFE, 24, 4, 0), /* CWG */
+ ARM64_FTR_BITS(FTR_STRICT, FTR_LOWER_SAFE, 20, 4, 0), /* ERG */
+- ARM64_FTR_BITS(FTR_STRICT, FTR_LOWER_SAFE, 16, 4, 1), /* DminLine */
++ ARM64_FTR_BITS(FTR_STRICT, FTR_LOWER_SAFE, CTR_DMINLINE_SHIFT, 4, 1),
+ /*
+ * Linux can handle differing I-cache policies. Userspace JITs will
+ * make use of *minLine.
+@@ -160,7 +160,7 @@ static const struct arm64_ftr_bits ftr_c
+ */
+ ARM64_FTR_BITS(FTR_NONSTRICT, FTR_EXACT, 14, 2, ICACHE_POLICY_AIVIVT), /* L1Ip */
+ ARM64_FTR_BITS(FTR_STRICT, FTR_EXACT, 4, 10, 0), /* RAZ */
+- ARM64_FTR_BITS(FTR_STRICT, FTR_LOWER_SAFE, 0, 4, 0), /* IminLine */
++ ARM64_FTR_BITS(FTR_STRICT, FTR_LOWER_SAFE, CTR_IMINLINE_SHIFT, 4, 0),
+ ARM64_FTR_END,
+ };
+
--- /dev/null
+From 314d53d297980676011e6fd83dac60db4a01dc70 Mon Sep 17 00:00:00 2001
+From: Suzuki K Poulose <suzuki.poulose@arm.com>
+Date: Wed, 4 Jul 2018 23:07:46 +0100
+Subject: arm64: Handle mismatched cache type
+
+From: Suzuki K Poulose <suzuki.poulose@arm.com>
+
+commit 314d53d297980676011e6fd83dac60db4a01dc70 upstream.
+
+Track mismatches in the cache type register (CTR_EL0), other
+than the D/I min line sizes and trap user accesses if there are any.
+
+Fixes: be68a8aaf925 ("arm64: cpufeature: Fix CTR_EL0 field definitions")
+Cc: <stable@vger.kernel.org>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Will Deacon <will.deacon@arm.com>
+Cc: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm64/include/asm/cpucaps.h | 3 ++-
+ arch/arm64/kernel/cpu_errata.c | 17 ++++++++++++++---
+ 2 files changed, 16 insertions(+), 4 deletions(-)
+
+--- a/arch/arm64/include/asm/cpucaps.h
++++ b/arch/arm64/include/asm/cpucaps.h
+@@ -37,7 +37,8 @@
+ #define ARM64_UNMAP_KERNEL_AT_EL0 16
+ #define ARM64_HARDEN_BRANCH_PREDICTOR 17
+ #define ARM64_SSBD 18
++#define ARM64_MISMATCHED_CACHE_TYPE 19
+
+-#define ARM64_NCAPS 19
++#define ARM64_NCAPS 20
+
+ #endif /* __ASM_CPUCAPS_H */
+--- a/arch/arm64/kernel/cpu_errata.c
++++ b/arch/arm64/kernel/cpu_errata.c
+@@ -32,11 +32,15 @@ is_affected_midr_range(const struct arm6
+ }
+
+ static bool
+-has_mismatched_cache_line_size(const struct arm64_cpu_capabilities *entry,
+- int scope)
++has_mismatched_cache_type(const struct arm64_cpu_capabilities *entry,
++ int scope)
+ {
+ u64 mask = CTR_CACHE_MINLINE_MASK;
+
++ /* Skip matching the min line sizes for cache type check */
++ if (entry->capability == ARM64_MISMATCHED_CACHE_TYPE)
++ mask ^= arm64_ftr_reg_ctrel0.strict_mask;
++
+ WARN_ON(scope != SCOPE_LOCAL_CPU || preemptible());
+ return (read_cpuid_cachetype() & mask) !=
+ (arm64_ftr_reg_ctrel0.sys_val & mask);
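Review bot: `mask ^= arm64_ftr_reg_ctrel0.strict_mask;` in the ARM64_MISMATCHED_CACHE_TYPE branch only produces "strict bits minus the min line fields" while both min line fields are themselves part of strict_mask. If either field is ever made non-strict, the XOR would add it to the comparison instead of removing it. Stating the intent directly avoids that dependency: `mask = arm64_ftr_reg_ctrel0.strict_mask & ~(u64)CTR_CACHE_MINLINE_MASK;`. The function now serves two capabilities selected by `entry->capability`, so a one-line comment above it naming both would help; its closing brace is outside the hunk.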
+@@ -449,7 +453,14 @@ const struct arm64_cpu_capabilities arm6
+ {
+ .desc = "Mismatched cache line size",
+ .capability = ARM64_MISMATCHED_CACHE_LINE_SIZE,
+- .matches = has_mismatched_cache_line_size,
++ .matches = has_mismatched_cache_type,
++ .def_scope = SCOPE_LOCAL_CPU,
++ .enable = cpu_enable_trap_ctr_access,
++ },
++ {
++ .desc = "Mismatched cache type",
++ .capability = ARM64_MISMATCHED_CACHE_TYPE,
++ .matches = has_mismatched_cache_type,
+ .def_scope = SCOPE_LOCAL_CPU,
+ .enable = cpu_enable_trap_ctr_access,
+ },
--- /dev/null
+From ad0eaee6195db1db1749dd46b9e6f4466793d178 Mon Sep 17 00:00:00 2001
+From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
+Date: Mon, 6 Aug 2018 07:14:51 -0500
+Subject: ASoC: wm8994: Fix missing break in switch
+
+From: Gustavo A. R. Silva <gustavo@embeddedor.com>
+
+commit ad0eaee6195db1db1749dd46b9e6f4466793d178 upstream.
+
+Add missing break statement in order to prevent the code from falling
+through to the default case.
+
+Addresses-Coverity-ID: 115050 ("Missing break in switch")
+Reported-by: Valdis Kletnieks <valdis.kletnieks@vt.edu>
+Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
+Acked-by: Charles Keepax <ckeepax@opensource.cirrus.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Cc: stable@vger.kernel.org
+[Gustavo: Backported to 3.16..4.18 - Remove code comment removal]
+Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/soc/codecs/wm8994.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/soc/codecs/wm8994.c
++++ b/sound/soc/codecs/wm8994.c
+@@ -2431,6 +2431,7 @@ static int wm8994_set_dai_sysclk(struct
+ snd_soc_update_bits(codec, WM8994_POWER_MANAGEMENT_2,
+ WM8994_OPCLK_ENA, 0);
+ }
++ break;
+
+ default:
+ return -EINVAL;
--- /dev/null
+From d814a49198eafa6163698bdd93961302f3a877a4 Mon Sep 17 00:00:00 2001
+From: Ethan Lien <ethanlien@synology.com>
+Date: Mon, 2 Jul 2018 15:44:58 +0800
+Subject: btrfs: use correct compare function of dirty_metadata_bytes
+
+From: Ethan Lien <ethanlien@synology.com>
+
+commit d814a49198eafa6163698bdd93961302f3a877a4 upstream.
+
+We use customized, nodesize batch value to update dirty_metadata_bytes.
+We should also use batch version of compare function or we will easily
+goto fast path and get false result from percpu_counter_compare().
+
+Fixes: e2d845211eda ("Btrfs: use percpu counter for dirty metadata count")
+CC: stable@vger.kernel.org # 4.4+
+Signed-off-by: Ethan Lien <ethanlien@synology.com>
+Reviewed-by: Nikolay Borisov <nborisov@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+nb: Rebased on 4.4.y ]
+Signed-off-by: Nikolay Borisov <nborisov@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/btrfs/disk-io.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/fs/btrfs/disk-io.c
++++ b/fs/btrfs/disk-io.c
+@@ -1096,8 +1096,9 @@ static int btree_writepages(struct addre
+
+ fs_info = BTRFS_I(mapping->host)->root->fs_info;
+ /* this is a bit racy, but that's ok */
+- ret = percpu_counter_compare(&fs_info->dirty_metadata_bytes,
+- BTRFS_DIRTY_METADATA_THRESH);
++ ret = __percpu_counter_compare(&fs_info->dirty_metadata_bytes,
++ BTRFS_DIRTY_METADATA_THRESH,
++ fs_info->dirty_metadata_batch);
+ if (ret < 0)
+ return 0;
+ }
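Review bot: The batch argument is what makes this comparison correct, but nothing at the call site says so, so a later cleanup could switch it back to `percpu_counter_compare()`. A comment above the call would record the reason, e.g. `/* counter is updated with dirty_metadata_batch, so compare with the same batch */`. The same applies to the call in the `__btrfs_btree_balance_dirty` hunk. Both enclosing functions start and end outside the hunks.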
+@@ -4107,8 +4108,9 @@ static void __btrfs_btree_balance_dirty(
+ if (flush_delayed)
+ btrfs_balance_delayed_items(root);
+
+- ret = percpu_counter_compare(&root->fs_info->dirty_metadata_bytes,
+- BTRFS_DIRTY_METADATA_THRESH);
++ ret = __percpu_counter_compare(&root->fs_info->dirty_metadata_bytes,
++ BTRFS_DIRTY_METADATA_THRESH,
++ root->fs_info->dirty_metadata_batch);
+ if (ret > 0) {
+ balance_dirty_pages_ratelimited(
+ root->fs_info->btree_inode->i_mapping);
--- /dev/null
+From cc365dcf0e56271bedf3de95f88922abe248e951 Mon Sep 17 00:00:00 2001
+From: Tomas Winkler <tomas.winkler@intel.com>
+Date: Tue, 2 Jan 2018 12:01:41 +0200
+Subject: mei: me: allow runtime pm for platform with D0i3
+
+From: Tomas Winkler <tomas.winkler@intel.com>
+
+commit cc365dcf0e56271bedf3de95f88922abe248e951 upstream.
+
+>From the pci power documentation:
+"The driver itself should not call pm_runtime_allow(), though. Instead,
+it should let user space or some platform-specific code do that (user space
+can do it via sysfs as stated above)..."
+
+However, the S0ix residency cannot be reached without MEI device getting
+into low power state. Hence, for mei devices that support D0i3, it's better
+to make runtime power management mandatory and not rely on the system
+integration such as udev rules.
+This policy cannot be applied globally as some older platforms
+were found to have broken power management.
+
+Cc: <stable@vger.kernel.org> v4.13+
+Cc: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
+Reviewed-by: Alexander Usyskin <alexander.usyskin@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/misc/mei/pci-me.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/misc/mei/pci-me.c
++++ b/drivers/misc/mei/pci-me.c
+@@ -229,8 +229,11 @@ static int mei_me_probe(struct pci_dev *
+ if (!pci_dev_run_wake(pdev))
+ mei_me_set_pm_domain(dev);
+
+- if (mei_pg_is_enabled(dev))
++ if (mei_pg_is_enabled(dev)) {
+ pm_runtime_put_noidle(&pdev->dev);
++ if (hw->d0i3_supported)
++ pm_runtime_allow(&pdev->dev);
++ }
+
+ dev_dbg(&pdev->dev, "initialization successful.\n");
+
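Review bot: The `pm_runtime_allow(&pdev->dev)` call added under `hw->d0i3_supported` deliberately goes against the PCI power documentation quoted in the commit message, and the code carries no comment saying why. Something like `/* S0ix residency needs MEI in low power; do not depend on udev to allow runtime PM */` above it would keep the exception from being removed as a mistake. The remove path is not in this hunk, so whether the runtime PM state is put back on unbind cannot be checked from here. mei_me_probe continues outside the hunk.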
--- /dev/null
+From 5eda25b10297684c1f46a14199ec00210f3c346e Mon Sep 17 00:00:00 2001
+From: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Date: Mon, 6 Aug 2018 13:49:47 +0200
+Subject: s390/lib: use expoline for all bcr instructions
+
+From: Martin Schwidefsky <schwidefsky@de.ibm.com>
+
+commit 5eda25b10297684c1f46a14199ec00210f3c346e upstream.
+
+The memmove, memset, memcpy, __memset16, __memset32 and __memset64
+functions have an additional indirect return branch in the form of a
+"bzr" instruction. These need to use expolines as well.
+
+Cc: <stable@vger.kernel.org> # v4.17+
+Fixes: 97489e0663 ("s390/lib: use expoline for indirect branches")
+Reviewed-by: Heiko Carstens <heiko.carstens@de.ibm.com>
+Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+
+---
+ arch/s390/lib/mem.S | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/arch/s390/lib/mem.S
++++ b/arch/s390/lib/mem.S
+@@ -27,7 +27,7 @@
+ */
+ ENTRY(memset)
+ ltgr %r4,%r4
+- bzr %r14
++ jz .Lmemset_exit
+ ltgr %r3,%r3
+ jnz .Lmemset_fill
+ aghi %r4,-1
+@@ -42,12 +42,13 @@ ENTRY(memset)
+ .Lmemset_clear_rest:
+ larl %r3,.Lmemset_xc
+ ex %r4,0(%r3)
++.Lmemset_exit:
+ BR_EX %r14
+ .Lmemset_fill:
+ stc %r3,0(%r2)
+ cghi %r4,1
+ lgr %r1,%r2
+- ber %r14
++ je .Lmemset_fill_exit
+ aghi %r4,-2
+ srlg %r3,%r4,8
+ ltgr %r3,%r3
+@@ -59,6 +60,7 @@ ENTRY(memset)
+ .Lmemset_fill_rest:
+ larl %r3,.Lmemset_mvc
+ ex %r4,0(%r3)
++.Lmemset_fill_exit:
+ BR_EX %r14
+ .Lmemset_xc:
+ xc 0(1,%r1),0(%r1)
+@@ -73,7 +75,7 @@ EXPORT_SYMBOL(memset)
+ */
+ ENTRY(memcpy)
+ ltgr %r4,%r4
+- bzr %r14
++ jz .Lmemcpy_exit
+ aghi %r4,-1
+ srlg %r5,%r4,8
+ ltgr %r5,%r5
+@@ -82,6 +84,7 @@ ENTRY(memcpy)
+ .Lmemcpy_rest:
+ larl %r5,.Lmemcpy_mvc
+ ex %r4,0(%r5)
++.Lmemcpy_exit:
+ BR_EX %r14
+ .Lmemcpy_loop:
+ mvc 0(256,%r1),0(%r3)
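Review bot: The mem.S hunks convert the early-return `bzr`/`ber` in memset and memcpy only, while the commit message also lists memmove and __memset16/32/64. If this tree's mem.S contains those routines, their conditional returns through `%r14` would still bypass `BR_EX`; that cannot be seen from the hunks here, so the file should be checked for remaining conditional `%r14` branches. A line in the backport description saying which of the listed routines exist in this tree would settle it.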
--- /dev/null
+From 32db864d33c21fd70a217ba53cb7224889354ffb Mon Sep 17 00:00:00 2001
+From: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+Date: Wed, 30 Aug 2017 12:48:59 +0300
+Subject: sch_hhf: fix null pointer dereference on init failure
+
+From: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+
+commit 32db864d33c21fd70a217ba53cb7224889354ffb upstream.
+
+If sch_hhf fails in its ->init() function (either due to wrong
+user-space arguments as below or memory alloc failure of hh_flows) it
+will do a null pointer deref of q->hh_flows in its ->destroy() function.
+
+To reproduce the crash:
+$ tc qdisc add dev eth0 root hhf quantum 2000000 non_hh_weight 10000000
+
+Crash log:
+[ 690.654882] BUG: unable to handle kernel NULL pointer dereference at (null)
+[ 690.655565] IP: hhf_destroy+0x48/0xbc
+[ 690.655944] PGD 37345067
+[ 690.655948] P4D 37345067
+[ 690.656252] PUD 58402067
+[ 690.656554] PMD 0
+[ 690.656857]
+[ 690.657362] Oops: 0000 [#1] SMP
+[ 690.657696] Modules linked in:
+[ 690.658032] CPU: 3 PID: 920 Comm: tc Not tainted 4.13.0-rc6+ #57
+[ 690.658525] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.7.5-20140531_083030-gandalf 04/01/2014
+[ 690.659255] task: ffff880058578000 task.stack: ffff88005acbc000
+[ 690.659747] RIP: 0010:hhf_destroy+0x48/0xbc
+[ 690.660146] RSP: 0018:ffff88005acbf9e0 EFLAGS: 00010246
+[ 690.660601] RAX: 0000000000000000 RBX: 0000000000000020 RCX: 0000000000000000
+[ 690.661155] RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffffffff821f63f0
+[ 690.661710] RBP: ffff88005acbfa08 R08: ffffffff81b10a90 R09: 0000000000000000
+[ 690.662267] R10: 00000000f42b7019 R11: ffff880058578000 R12: 00000000ffffffea
+[ 690.662820] R13: ffff8800372f6400 R14: 0000000000000000 R15: 0000000000000000
+[ 690.663769] FS: 00007f8ae5e8b740(0000) GS:ffff88005d980000(0000) knlGS:0000000000000000
+[ 690.667069] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 690.667965] CR2: 0000000000000000 CR3: 0000000058523000 CR4: 00000000000406e0
+[ 690.668918] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[ 690.669945] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[ 690.671003] Call Trace:
+[ 690.671743] qdisc_create+0x377/0x3fd
+[ 690.672534] tc_modify_qdisc+0x4d2/0x4fd
+[ 690.673324] rtnetlink_rcv_msg+0x188/0x197
+[ 690.674204] ? rcu_read_unlock+0x3e/0x5f
+[ 690.675091] ? rtnl_newlink+0x729/0x729
+[ 690.675877] netlink_rcv_skb+0x6c/0xce
+[ 690.676648] rtnetlink_rcv+0x23/0x2a
+[ 690.677405] netlink_unicast+0x103/0x181
+[ 690.678179] netlink_sendmsg+0x326/0x337
+[ 690.678958] sock_sendmsg_nosec+0x14/0x3f
+[ 690.679743] sock_sendmsg+0x29/0x2e
+[ 690.680506] ___sys_sendmsg+0x209/0x28b
+[ 690.681283] ? __handle_mm_fault+0xc7d/0xdb1
+[ 690.681915] ? check_chain_key+0xb0/0xfd
+[ 690.682449] __sys_sendmsg+0x45/0x63
+[ 690.682954] ? __sys_sendmsg+0x45/0x63
+[ 690.683471] SyS_sendmsg+0x19/0x1b
+[ 690.683974] entry_SYSCALL_64_fastpath+0x23/0xc2
+[ 690.684516] RIP: 0033:0x7f8ae529d690
+[ 690.685016] RSP: 002b:00007fff26d2d6b8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
+[ 690.685931] RAX: ffffffffffffffda RBX: ffffffff810d278c RCX: 00007f8ae529d690
+[ 690.686573] RDX: 0000000000000000 RSI: 00007fff26d2d700 RDI: 0000000000000003
+[ 690.687047] RBP: ffff88005acbff98 R08: 0000000000000001 R09: 0000000000000000
+[ 690.687519] R10: 00007fff26d2d480 R11: 0000000000000246 R12: 0000000000000002
+[ 690.687996] R13: 0000000001258070 R14: 0000000000000001 R15: 0000000000000000
+[ 690.688475] ? trace_hardirqs_off_caller+0xa7/0xcf
+[ 690.688887] Code: 00 00 e8 2a 02 ae ff 49 8b bc 1d 60 02 00 00 48 83
+c3 08 e8 19 02 ae ff 48 83 fb 20 75 dc 45 31 f6 4d 89 f7 4d 03 bd 20 02
+00 00 <49> 8b 07 49 39 c7 75 24 49 83 c6 10 49 81 fe 00 40 00 00 75 e1
+[ 690.690200] RIP: hhf_destroy+0x48/0xbc RSP: ffff88005acbf9e0
+[ 690.690636] CR2: 0000000000000000
+
+Fixes: 87b60cfacf9f ("net_sched: fix error recovery at qdisc creation")
+Fixes: 10239edf86f1 ("net-qdisc-hhf: Heavy-Hitter Filter (HHF) qdisc")
+Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/sch_hhf.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/sched/sch_hhf.c
++++ b/net/sched/sch_hhf.c
+@@ -492,6 +492,9 @@ static void hhf_destroy(struct Qdisc *sc
+ hhf_free(q->hhf_valid_bits[i]);
+ }
+
++ if (!q->hh_flows)
++ return;
++
+ for (i = 0; i < HH_FLOWS_CNT; i++) {
+ struct hh_flow_state *flow, *next;
+ struct list_head *head = &q->hh_flows[i];
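Review bot: The added `if (!q->hh_flows) return;` leaves hhf_destroy early, so any cleanup placed after the flow loop is also skipped when init has failed. The rest of the function is outside the hunk, so whether anything other than releasing `hh_flows` follows the loop cannot be confirmed here. A comment would make the assumption explicit, e.g. `/* hh_flows is NULL when ->init() failed early; skip the flow walk */`.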
--- /dev/null
+From 88c2ace69dbef696edba77712882af03879abc9c Mon Sep 17 00:00:00 2001
+From: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+Date: Wed, 30 Aug 2017 12:48:57 +0300
+Subject: sch_htb: fix crash on init failure
+
+From: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+
+commit 88c2ace69dbef696edba77712882af03879abc9c upstream.
+
+The commit below added a call to the ->destroy() callback for all qdiscs
+which failed in their ->init(), but some were not prepared for such
+change and can't handle partially initialized qdisc. HTB is one of them
+and if any error occurs before the qdisc watchdog timer and qdisc work are
+initialized then we can hit either a null ptr deref (timer->base) when
+canceling in ->destroy or lockdep error info about trying to register
+a non-static key and a stack dump. So to fix these two move the watchdog
+timer and workqueue init before anything that can err out.
+To reproduce userspace needs to send broken htb qdisc create request,
+tested with a modified tc (q_htb.c).
+
+Trace log:
+[ 2710.897602] BUG: unable to handle kernel NULL pointer dereference at (null)
+[ 2710.897977] IP: hrtimer_active+0x17/0x8a
+[ 2710.898174] PGD 58fab067
+[ 2710.898175] P4D 58fab067
+[ 2710.898353] PUD 586c0067
+[ 2710.898531] PMD 0
+[ 2710.898710]
+[ 2710.899045] Oops: 0000 [#1] SMP
+[ 2710.899232] Modules linked in:
+[ 2710.899419] CPU: 1 PID: 950 Comm: tc Not tainted 4.13.0-rc6+ #54
+[ 2710.899646] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.7.5-20140531_083030-gandalf 04/01/2014
+[ 2710.900035] task: ffff880059ed2700 task.stack: ffff88005ad4c000
+[ 2710.900262] RIP: 0010:hrtimer_active+0x17/0x8a
+[ 2710.900467] RSP: 0018:ffff88005ad4f960 EFLAGS: 00010246
+[ 2710.900684] RAX: 0000000000000000 RBX: ffff88003701e298 RCX: 0000000000000000
+[ 2710.900933] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88003701e298
+[ 2710.901177] RBP: ffff88005ad4f980 R08: 0000000000000001 R09: 0000000000000001
+[ 2710.901419] R10: ffff88005ad4f800 R11: 0000000000000400 R12: 0000000000000000
+[ 2710.901663] R13: ffff88003701e298 R14: ffffffff822a4540 R15: ffff88005ad4fac0
+[ 2710.901907] FS: 00007f2f5e90f740(0000) GS:ffff88005d880000(0000) knlGS:0000000000000000
+[ 2710.902277] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 2710.902500] CR2: 0000000000000000 CR3: 0000000058ca3000 CR4: 00000000000406e0
+[ 2710.902744] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[ 2710.902977] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[ 2710.903180] Call Trace:
+[ 2710.903332] hrtimer_try_to_cancel+0x1a/0x93
+[ 2710.903504] hrtimer_cancel+0x15/0x20
+[ 2710.903667] qdisc_watchdog_cancel+0x12/0x14
+[ 2710.903866] htb_destroy+0x2e/0xf7
+[ 2710.904097] qdisc_create+0x377/0x3fd
+[ 2710.904330] tc_modify_qdisc+0x4d2/0x4fd
+[ 2710.904511] rtnetlink_rcv_msg+0x188/0x197
+[ 2710.904682] ? rcu_read_unlock+0x3e/0x5f
+[ 2710.904849] ? rtnl_newlink+0x729/0x729
+[ 2710.905017] netlink_rcv_skb+0x6c/0xce
+[ 2710.905183] rtnetlink_rcv+0x23/0x2a
+[ 2710.905345] netlink_unicast+0x103/0x181
+[ 2710.905511] netlink_sendmsg+0x326/0x337
+[ 2710.905679] sock_sendmsg_nosec+0x14/0x3f
+[ 2710.905847] sock_sendmsg+0x29/0x2e
+[ 2710.906010] ___sys_sendmsg+0x209/0x28b
+[ 2710.906176] ? do_raw_spin_unlock+0xcd/0xf8
+[ 2710.906346] ? _raw_spin_unlock+0x27/0x31
+[ 2710.906514] ? __handle_mm_fault+0x651/0xdb1
+[ 2710.906685] ? check_chain_key+0xb0/0xfd
+[ 2710.906855] __sys_sendmsg+0x45/0x63
+[ 2710.907018] ? __sys_sendmsg+0x45/0x63
+[ 2710.907185] SyS_sendmsg+0x19/0x1b
+[ 2710.907344] entry_SYSCALL_64_fastpath+0x23/0xc2
+
+Note that probably this bug goes further back because the default qdisc
+handling always calls ->destroy on init failure too.
+
+Fixes: 87b60cfacf9f ("net_sched: fix error recovery at qdisc creation")
+Fixes: 0fbbeb1ba43b ("[PKT_SCHED]: Fix missing qdisc_destroy() in qdisc_create_dflt()")
+Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/sch_htb.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/net/sched/sch_htb.c
++++ b/net/sched/sch_htb.c
+@@ -1013,6 +1013,9 @@ static int htb_init(struct Qdisc *sch, s
+ int err;
+ int i;
+
++ qdisc_watchdog_init(&q->watchdog, sch);
++ INIT_WORK(&q->work, htb_work_func);
++
+ if (!opt)
+ return -EINVAL;
+
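Review bot: The two init calls now sit above `if (!opt)` for a reason the code does not show: per the commit message, ->destroy() runs after a failed ->init() and cancels the watchdog and the work item regardless. A comment such as `/* must precede any error return: ->destroy() cancels these even if init fails */` would stop them drifting back down; the same comment fits `qdisc_watchdog_init()` in the netem_init hunk. `qdisc_skb_head_init(&q->direct_queue)` still runs after the early returns, so if htb_destroy touches that queue it depends on the private data being zeroed, which is not visible here.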
+@@ -1033,8 +1036,6 @@ static int htb_init(struct Qdisc *sch, s
+ for (i = 0; i < TC_HTB_NUMPRIO; i++)
+ INIT_LIST_HEAD(q->drops + i);
+
+- qdisc_watchdog_init(&q->watchdog, sch);
+- INIT_WORK(&q->work, htb_work_func);
+ qdisc_skb_head_init(&q->direct_queue);
+
+ if (tb[TCA_HTB_DIRECT_QLEN])
--- /dev/null
+From e89d469e3be3ed3d7124a803211a463ff83d0964 Mon Sep 17 00:00:00 2001
+From: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+Date: Wed, 30 Aug 2017 12:48:58 +0300
+Subject: sch_multiq: fix double free on init failure
+
+From: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+
+commit e89d469e3be3ed3d7124a803211a463ff83d0964 upstream.
+
+The below commit added a call to ->destroy() on init failure, but multiq
+still frees ->queues on error in init, but ->queues is also freed by
+->destroy() thus we get double free and corrupted memory.
+
+Very easy to reproduce (eth0 not multiqueue):
+$ tc qdisc add dev eth0 root multiq
+RTNETLINK answers: Operation not supported
+$ ip l add dumdum type dummy
+(crash)
+
+Trace log:
+[ 3929.467747] general protection fault: 0000 [#1] SMP
+[ 3929.468083] Modules linked in:
+[ 3929.468302] CPU: 3 PID: 967 Comm: ip Not tainted 4.13.0-rc6+ #56
+[ 3929.468625] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.7.5-20140531_083030-gandalf 04/01/2014
+[ 3929.469124] task: ffff88003716a700 task.stack: ffff88005872c000
+[ 3929.469449] RIP: 0010:__kmalloc_track_caller+0x117/0x1be
+[ 3929.469746] RSP: 0018:ffff88005872f6a0 EFLAGS: 00010246
+[ 3929.470042] RAX: 00000000000002de RBX: 0000000058a59000 RCX: 00000000000002df
+[ 3929.470406] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffff821f7020
+[ 3929.470770] RBP: ffff88005872f6e8 R08: 000000000001f010 R09: 0000000000000000
+[ 3929.471133] R10: ffff88005872f730 R11: 0000000000008cdd R12: ff006d75646d7564
+[ 3929.471496] R13: 00000000014000c0 R14: ffff88005b403c00 R15: ffff88005b403c00
+[ 3929.471869] FS: 00007f0b70480740(0000) GS:ffff88005d980000(0000) knlGS:0000000000000000
+[ 3929.472286] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 3929.472677] CR2: 00007ffcee4f3000 CR3: 0000000059d45000 CR4: 00000000000406e0
+[ 3929.473209] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[ 3929.474109] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[ 3929.474873] Call Trace:
+[ 3929.475337] ? kstrdup_const+0x23/0x25
+[ 3929.475863] kstrdup+0x2e/0x4b
+[ 3929.476338] kstrdup_const+0x23/0x25
+[ 3929.478084] __kernfs_new_node+0x28/0xbc
+[ 3929.478478] kernfs_new_node+0x35/0x55
+[ 3929.478929] kernfs_create_link+0x23/0x76
+[ 3929.479478] sysfs_do_create_link_sd.isra.2+0x85/0xd7
+[ 3929.480096] sysfs_create_link+0x33/0x35
+[ 3929.480649] device_add+0x200/0x589
+[ 3929.481184] netdev_register_kobject+0x7c/0x12f
+[ 3929.481711] register_netdevice+0x373/0x471
+[ 3929.482174] rtnl_newlink+0x614/0x729
+[ 3929.482610] ? rtnl_newlink+0x17f/0x729
+[ 3929.483080] rtnetlink_rcv_msg+0x188/0x197
+[ 3929.483533] ? rcu_read_unlock+0x3e/0x5f
+[ 3929.483984] ? rtnl_newlink+0x729/0x729
+[ 3929.484420] netlink_rcv_skb+0x6c/0xce
+[ 3929.484858] rtnetlink_rcv+0x23/0x2a
+[ 3929.485291] netlink_unicast+0x103/0x181
+[ 3929.485735] netlink_sendmsg+0x326/0x337
+[ 3929.486181] sock_sendmsg_nosec+0x14/0x3f
+[ 3929.486614] sock_sendmsg+0x29/0x2e
+[ 3929.486973] ___sys_sendmsg+0x209/0x28b
+[ 3929.487340] ? do_raw_spin_unlock+0xcd/0xf8
+[ 3929.487719] ? _raw_spin_unlock+0x27/0x31
+[ 3929.488092] ? __handle_mm_fault+0x651/0xdb1
+[ 3929.488471] ? check_chain_key+0xb0/0xfd
+[ 3929.488847] __sys_sendmsg+0x45/0x63
+[ 3929.489206] ? __sys_sendmsg+0x45/0x63
+[ 3929.489576] SyS_sendmsg+0x19/0x1b
+[ 3929.489901] entry_SYSCALL_64_fastpath+0x23/0xc2
+[ 3929.490172] RIP: 0033:0x7f0b6fb93690
+[ 3929.490423] RSP: 002b:00007ffcee4ed588 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
+[ 3929.490881] RAX: ffffffffffffffda RBX: ffffffff810d278c RCX: 00007f0b6fb93690
+[ 3929.491198] RDX: 0000000000000000 RSI: 00007ffcee4ed5d0 RDI: 0000000000000003
+[ 3929.491521] RBP: ffff88005872ff98 R08: 0000000000000001 R09: 0000000000000000
+[ 3929.491801] R10: 00007ffcee4ed350 R11: 0000000000000246 R12: 0000000000000002
+[ 3929.492075] R13: 000000000066f1a0 R14: 00007ffcee4f5680 R15: 0000000000000000
+[ 3929.492352] ? trace_hardirqs_off_caller+0xa7/0xcf
+[ 3929.492590] Code: 8b 45 c0 48 8b 45 b8 74 17 48 8b 4d c8 83 ca ff 44
+89 ee 4c 89 f7 e8 83 ca ff ff 49 89 c4 eb 49 49 63 56 20 48 8d 48 01 4d
+8b 06 <49> 8b 1c 14 48 89 c2 4c 89 e0 65 49 0f c7 08 0f 94 c0 83 f0 01
+[ 3929.493335] RIP: __kmalloc_track_caller+0x117/0x1be RSP: ffff88005872f6a0
+
+Fixes: 87b60cfacf9f ("net_sched: fix error recovery at qdisc creation")
+Fixes: f07d1501292b ("multiq: Further multiqueue cleanup")
+Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+[AmitP: Removed unused variable 'err' in multiq_init()]
+Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/sch_multiq.c | 9 ++-------
+ 1 file changed, 2 insertions(+), 7 deletions(-)
+
+--- a/net/sched/sch_multiq.c
++++ b/net/sched/sch_multiq.c
+@@ -234,7 +234,7 @@ static int multiq_tune(struct Qdisc *sch
+ static int multiq_init(struct Qdisc *sch, struct nlattr *opt)
+ {
+ struct multiq_sched_data *q = qdisc_priv(sch);
+- int i, err;
++ int i;
+
+ q->queues = NULL;
+
+@@ -249,12 +249,7 @@ static int multiq_init(struct Qdisc *sch
+ for (i = 0; i < q->max_bands; i++)
+ q->queues[i] = &noop_qdisc;
+
+- err = multiq_tune(sch, opt);
+-
+- if (err)
+- kfree(q->queues);
+-
+- return err;
++ return multiq_tune(sch, opt);
+ }
+
+ static int multiq_dump(struct Qdisc *sch, struct sk_buff *skb)
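Review bot: After this change `multiq_init` no longer frees `q->queues` when `multiq_tune()` fails, so ownership on the error path rests entirely with ->destroy(), and nothing in the function says so. A comment before the return, e.g. `/* on failure q->queues is freed by ->destroy() */`, would keep a later cleanup from reintroducing the double free. The allocation and its failure check sit between the two hunks and are not visible here.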
--- /dev/null
+From 634576a1844dba15bc5e6fc61d72f37e13a21615 Mon Sep 17 00:00:00 2001
+From: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+Date: Wed, 30 Aug 2017 12:49:03 +0300
+Subject: sch_netem: avoid null pointer deref on init failure
+
+From: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+
+commit 634576a1844dba15bc5e6fc61d72f37e13a21615 upstream.
+
+netem can fail in ->init due to missing options (either not supplied by
+user-space or used as a default qdisc) causing a timer->base null
+pointer deref in its ->destroy() and ->reset() callbacks.
+
+Reproduce:
+$ sysctl net.core.default_qdisc=netem
+$ ip l set ethX up
+
+Crash log:
+[ 1814.846943] BUG: unable to handle kernel NULL pointer dereference at (null)
+[ 1814.847181] IP: hrtimer_active+0x17/0x8a
+[ 1814.847270] PGD 59c34067
+[ 1814.847271] P4D 59c34067
+[ 1814.847337] PUD 37374067
+[ 1814.847403] PMD 0
+[ 1814.847468]
+[ 1814.847582] Oops: 0000 [#1] SMP
+[ 1814.847655] Modules linked in: sch_netem(O) sch_fq_codel(O)
+[ 1814.847761] CPU: 3 PID: 1573 Comm: ip Tainted: G O 4.13.0-rc6+ #62
+[ 1814.847884] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.7.5-20140531_083030-gandalf 04/01/2014
+[ 1814.848043] task: ffff88003723a700 task.stack: ffff88005adc8000
+[ 1814.848235] RIP: 0010:hrtimer_active+0x17/0x8a
+[ 1814.848407] RSP: 0018:ffff88005adcb590 EFLAGS: 00010246
+[ 1814.848590] RAX: 0000000000000000 RBX: ffff880058e359d8 RCX: 0000000000000000
+[ 1814.848793] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff880058e359d8
+[ 1814.848998] RBP: ffff88005adcb5b0 R08: 00000000014080c0 R09: 00000000ffffffff
+[ 1814.849204] R10: ffff88005adcb660 R11: 0000000000000020 R12: 0000000000000000
+[ 1814.849410] R13: ffff880058e359d8 R14: 00000000ffffffff R15: 0000000000000001
+[ 1814.849616] FS: 00007f733bbca740(0000) GS:ffff88005d980000(0000) knlGS:0000000000000000
+[ 1814.849919] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 1814.850107] CR2: 0000000000000000 CR3: 0000000059f0d000 CR4: 00000000000406e0
+[ 1814.850313] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[ 1814.850518] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[ 1814.850723] Call Trace:
+[ 1814.850875] hrtimer_try_to_cancel+0x1a/0x93
+[ 1814.851047] hrtimer_cancel+0x15/0x20
+[ 1814.851211] qdisc_watchdog_cancel+0x12/0x14
+[ 1814.851383] netem_reset+0xe6/0xed [sch_netem]
+[ 1814.851561] qdisc_destroy+0x8b/0xe5
+[ 1814.851723] qdisc_create_dflt+0x86/0x94
+[ 1814.851890] ? dev_activate+0x129/0x129
+[ 1814.852057] attach_one_default_qdisc+0x36/0x63
+[ 1814.852232] netdev_for_each_tx_queue+0x3d/0x48
+[ 1814.852406] dev_activate+0x4b/0x129
+[ 1814.852569] __dev_open+0xe7/0x104
+[ 1814.852730] __dev_change_flags+0xc6/0x15c
+[ 1814.852899] dev_change_flags+0x25/0x59
+[ 1814.853064] do_setlink+0x30c/0xb3f
+[ 1814.853228] ? check_chain_key+0xb0/0xfd
+[ 1814.853396] ? check_chain_key+0xb0/0xfd
+[ 1814.853565] rtnl_newlink+0x3a4/0x729
+[ 1814.853728] ? rtnl_newlink+0x117/0x729
+[ 1814.853905] ? ns_capable_common+0xd/0xb1
+[ 1814.854072] ? ns_capable+0x13/0x15
+[ 1814.854234] rtnetlink_rcv_msg+0x188/0x197
+[ 1814.854404] ? rcu_read_unlock+0x3e/0x5f
+[ 1814.854572] ? rtnl_newlink+0x729/0x729
+[ 1814.854737] netlink_rcv_skb+0x6c/0xce
+[ 1814.854902] rtnetlink_rcv+0x23/0x2a
+[ 1814.855064] netlink_unicast+0x103/0x181
+[ 1814.855230] netlink_sendmsg+0x326/0x337
+[ 1814.855398] sock_sendmsg_nosec+0x14/0x3f
+[ 1814.855584] sock_sendmsg+0x29/0x2e
+[ 1814.855747] ___sys_sendmsg+0x209/0x28b
+[ 1814.855912] ? do_raw_spin_unlock+0xcd/0xf8
+[ 1814.856082] ? _raw_spin_unlock+0x27/0x31
+[ 1814.856251] ? __handle_mm_fault+0x651/0xdb1
+[ 1814.856421] ? check_chain_key+0xb0/0xfd
+[ 1814.856592] __sys_sendmsg+0x45/0x63
+[ 1814.856755] ? __sys_sendmsg+0x45/0x63
+[ 1814.856923] SyS_sendmsg+0x19/0x1b
+[ 1814.857083] entry_SYSCALL_64_fastpath+0x23/0xc2
+[ 1814.857256] RIP: 0033:0x7f733b2dd690
+[ 1814.857419] RSP: 002b:00007ffe1d3387d8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
+[ 1814.858238] RAX: ffffffffffffffda RBX: ffffffff810d278c RCX: 00007f733b2dd690
+[ 1814.858445] RDX: 0000000000000000 RSI: 00007ffe1d338820 RDI: 0000000000000003
+[ 1814.858651] RBP: ffff88005adcbf98 R08: 0000000000000001 R09: 0000000000000003
+[ 1814.858856] R10: 00007ffe1d3385a0 R11: 0000000000000246 R12: 0000000000000002
+[ 1814.859060] R13: 000000000066f1a0 R14: 00007ffe1d3408d0 R15: 0000000000000000
+[ 1814.859267] ? trace_hardirqs_off_caller+0xa7/0xcf
+[ 1814.859446] Code: 10 55 48 89 c7 48 89 e5 e8 45 a1 fb ff 31 c0 5d c3
+31 c0 c3 66 66 66 66 90 55 48 89 e5 41 56 41 55 41 54 53 49 89 fd 49 8b
+45 30 <4c> 8b 20 41 8b 5c 24 38 31 c9 31 d2 48 c7 c7 50 8e 1d 82 41 89
+[ 1814.860022] RIP: hrtimer_active+0x17/0x8a RSP: ffff88005adcb590
+[ 1814.860214] CR2: 0000000000000000
+
+Fixes: 87b60cfacf9f ("net_sched: fix error recovery at qdisc creation")
+Fixes: 0fbbeb1ba43b ("[PKT_SCHED]: Fix missing qdisc_destroy() in qdisc_create_dflt()")
+Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/sched/sch_netem.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/sched/sch_netem.c
++++ b/net/sched/sch_netem.c
+@@ -937,11 +937,11 @@ static int netem_init(struct Qdisc *sch,
+ struct netem_sched_data *q = qdisc_priv(sch);
+ int ret;
+
++ qdisc_watchdog_init(&q->watchdog, sch);
++
+ if (!opt)
+ return -EINVAL;
+
+- qdisc_watchdog_init(&q->watchdog, sch);
+-
+ q->loss_model = CLG_RANDOM;
+ ret = netem_change(sch, opt);
+ if (ret)
--- /dev/null
+From c2d6511e6a4f1f3673d711569c00c3849549e9b0 Mon Sep 17 00:00:00 2001
+From: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+Date: Wed, 30 Aug 2017 12:49:05 +0300
+Subject: sch_tbf: fix two null pointer dereferences on init failure
+
+From: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+
+commit c2d6511e6a4f1f3673d711569c00c3849549e9b0 upstream.
+
+sch_tbf calls qdisc_watchdog_cancel() in both its ->reset and ->destroy
+callbacks but it may fail before the timer is initialized due to missing
+options (either not supplied by user-space or set as a default qdisc),
+also q->qdisc is used by ->reset and ->destroy so we need it initialized.
+
+Reproduce:
+$ sysctl net.core.default_qdisc=tbf
+$ ip l set ethX up
+
+Crash log:
+[ 959.160172] BUG: unable to handle kernel NULL pointer dereference at 0000000000000018
+[ 959.160323] IP: qdisc_reset+0xa/0x5c
+[ 959.160400] PGD 59cdb067
+[ 959.160401] P4D 59cdb067
+[ 959.160466] PUD 59ccb067
+[ 959.160532] PMD 0
+[ 959.160597]
+[ 959.160706] Oops: 0000 [#1] SMP
+[ 959.160778] Modules linked in: sch_tbf sch_sfb sch_prio sch_netem
+[ 959.160891] CPU: 2 PID: 1562 Comm: ip Not tainted 4.13.0-rc6+ #62
+[ 959.160998] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.7.5-20140531_083030-gandalf 04/01/2014
+[ 959.161157] task: ffff880059c9a700 task.stack: ffff8800376d0000
+[ 959.161263] RIP: 0010:qdisc_reset+0xa/0x5c
+[ 959.161347] RSP: 0018:ffff8800376d3610 EFLAGS: 00010286
+[ 959.161531] RAX: ffffffffa001b1dd RBX: ffff8800373a2800 RCX: 0000000000000000
+[ 959.161733] RDX: ffffffff8215f160 RSI: ffffffff8215f160 RDI: 0000000000000000
+[ 959.161939] RBP: ffff8800376d3618 R08: 00000000014080c0 R09: 00000000ffffffff
+[ 959.162141] R10: ffff8800376d3578 R11: 0000000000000020 R12: ffffffffa001d2c0
+[ 959.162343] R13: ffff880037538000 R14: 00000000ffffffff R15: 0000000000000001
+[ 959.162546] FS: 00007fcc5126b740(0000) GS:ffff88005d900000(0000) knlGS:0000000000000000
+[ 959.162844] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 959.163030] CR2: 0000000000000018 CR3: 000000005abc4000 CR4: 00000000000406e0
+[ 959.163233] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[ 959.163436] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[ 959.163638] Call Trace:
+[ 959.163788] tbf_reset+0x19/0x64 [sch_tbf]
+[ 959.163957] qdisc_destroy+0x8b/0xe5
+[ 959.164119] qdisc_create_dflt+0x86/0x94
+[ 959.164284] ? dev_activate+0x129/0x129
+[ 959.164449] attach_one_default_qdisc+0x36/0x63
+[ 959.164623] netdev_for_each_tx_queue+0x3d/0x48
+[ 959.164795] dev_activate+0x4b/0x129
+[ 959.164957] __dev_open+0xe7/0x104
+[ 959.165118] __dev_change_flags+0xc6/0x15c
+[ 959.165287] dev_change_flags+0x25/0x59
+[ 959.165451] do_setlink+0x30c/0xb3f
+[ 959.165613] ? check_chain_key+0xb0/0xfd
+[ 959.165782] rtnl_newlink+0x3a4/0x729
+[ 959.165947] ? rtnl_newlink+0x117/0x729
+[ 959.166121] ? ns_capable_common+0xd/0xb1
+[ 959.166288] ? ns_capable+0x13/0x15
+[ 959.166450] rtnetlink_rcv_msg+0x188/0x197
+[ 959.166617] ? rcu_read_unlock+0x3e/0x5f
+[ 959.166783] ? rtnl_newlink+0x729/0x729
+[ 959.166948] netlink_rcv_skb+0x6c/0xce
+[ 959.167113] rtnetlink_rcv+0x23/0x2a
+[ 959.167273] netlink_unicast+0x103/0x181
+[ 959.167439] netlink_sendmsg+0x326/0x337
+[ 959.167607] sock_sendmsg_nosec+0x14/0x3f
+[ 959.167772] sock_sendmsg+0x29/0x2e
+[ 959.167932] ___sys_sendmsg+0x209/0x28b
+[ 959.168098] ? do_raw_spin_unlock+0xcd/0xf8
+[ 959.168267] ? _raw_spin_unlock+0x27/0x31
+[ 959.168432] ? __handle_mm_fault+0x651/0xdb1
+[ 959.168602] ? check_chain_key+0xb0/0xfd
+[ 959.168773] __sys_sendmsg+0x45/0x63
+[ 959.168934] ? __sys_sendmsg+0x45/0x63
+[ 959.169100] SyS_sendmsg+0x19/0x1b
+[ 959.169260] entry_SYSCALL_64_fastpath+0x23/0xc2
+[ 959.169432] RIP: 0033:0x7fcc5097e690
+[ 959.169592] RSP: 002b:00007ffd0d5c7b48 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
+[ 959.169887] RAX: ffffffffffffffda RBX: ffffffff810d278c RCX: 00007fcc5097e690
+[ 959.170089] RDX: 0000000000000000 RSI: 00007ffd0d5c7b90 RDI: 0000000000000003
+[ 959.170292] RBP: ffff8800376d3f98 R08: 0000000000000001 R09: 0000000000000003
+[ 959.170494] R10: 00007ffd0d5c7910 R11: 0000000000000246 R12: 0000000000000006
+[ 959.170697] R13: 000000000066f1a0 R14: 00007ffd0d5cfc40 R15: 0000000000000000
+[ 959.170900] ? trace_hardirqs_off_caller+0xa7/0xcf
+[ 959.171076] Code: 00 41 c7 84 24 14 01 00 00 00 00 00 00 41 c7 84 24
+98 00 00 00 00 00 00 00 41 5c 41 5d 41 5e 5d c3 66 66 66 66 90 55 48 89
+e5 53 <48> 8b 47 18 48 89 fb 48 8b 40 48 48 85 c0 74 02 ff d0 48 8b bb
+[ 959.171637] RIP: qdisc_reset+0xa/0x5c RSP: ffff8800376d3610
+[ 959.171821] CR2: 0000000000000018
+
+Fixes: 87b60cfacf9f ("net_sched: fix error recovery at qdisc creation")
+Fixes: 0fbbeb1ba43b ("[PKT_SCHED]: Fix missing qdisc_destroy() in qdisc_create_dflt()")
+Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/sch_tbf.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/net/sched/sch_tbf.c
++++ b/net/sched/sch_tbf.c
+@@ -423,12 +423,13 @@ static int tbf_init(struct Qdisc *sch, s
+ {
+ struct tbf_sched_data *q = qdisc_priv(sch);
+
++ qdisc_watchdog_init(&q->watchdog, sch);
++ q->qdisc = &noop_qdisc;
++
+ if (opt == NULL)
+ return -EINVAL;
+
+ q->t_c = ktime_get_ns();
+- qdisc_watchdog_init(&q->watchdog, sch);
+- q->qdisc = &noop_qdisc;
+
+ return tbf_change(sch, opt);
+ }
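Review bot: The two initialisations moved to the top of tbf_init() now carry an ordering requirement that the code does not state: they have to run before the `opt == NULL` return, because the crash trace shows qdisc_create_dflt() calling qdisc_destroy() and then tbf_reset() on a qdisc whose init failed. A one-line comment above them would stop a later cleanup from moving them back below the check, for example `/* set up before any early return: ->reset/->destroy run even when init fails */`. The same comment is worth adding above the `qdisc_watchdog_init()` line moved ahead of `if (!opt)` in the netem_init() hunk of the preceding patch, where the function body continues outside the hunk. When reviewing the backport, also confirm that the failure paths inside tbf_change() leave q->qdisc pointing at a valid qdisc in this tree, since that code is not visible here.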
revert-arm-imx_v6_v7_defconfig-select-ulpi-support.patch
enic-do-not-call-enic_change_mtu-in-enic_probe.patch
fixes-commit-2aa6d036b716-mm-numa-avoid-waiting-on-freed-migrated-pages.patch
+sch_htb-fix-crash-on-init-failure.patch
+sch_multiq-fix-double-free-on-init-failure.patch
+sch_hhf-fix-null-pointer-dereference-on-init-failure.patch
+sch_netem-avoid-null-pointer-deref-on-init-failure.patch
+sch_tbf-fix-two-null-pointer-dereferences-on-init-failure.patch
+mei-me-allow-runtime-pm-for-platform-with-d0i3.patch
+s390-lib-use-expoline-for-all-bcr-instructions.patch
+asoc-wm8994-fix-missing-break-in-switch.patch
+btrfs-use-correct-compare-function-of-dirty_metadata_bytes.patch
+arm64-fix-mismatched-cache-line-size-detection.patch
+arm64-handle-mismatched-cache-type.patch