4.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 3 Dec 2019 11:50:16 +0000 (12:50 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 3 Dec 2019 11:50:16 +0000 (12:50 +0100)
added patches:
macvlan-schedule-bc_work-even-if-error.patch
net-sched-fix-tc-s-class-show-no-bstats-on-class-with-nolock-subqueues.patch
openvswitch-drop-unneeded-bug_on-in-ovs_flow_cmd_build_info.patch
openvswitch-fix-flow-command-message-size.patch
openvswitch-remove-another-bug_on.patch
slip-fix-use-after-free-read-in-slip_open.patch
tipc-fix-link-name-length-check.patch

queue-4.4/macvlan-schedule-bc_work-even-if-error.patch [new file with mode: 0644]
queue-4.4/net-sched-fix-tc-s-class-show-no-bstats-on-class-with-nolock-subqueues.patch [new file with mode: 0644]
queue-4.4/openvswitch-drop-unneeded-bug_on-in-ovs_flow_cmd_build_info.patch [new file with mode: 0644]
queue-4.4/openvswitch-fix-flow-command-message-size.patch [new file with mode: 0644]
queue-4.4/openvswitch-remove-another-bug_on.patch [new file with mode: 0644]
queue-4.4/series
queue-4.4/slip-fix-use-after-free-read-in-slip_open.patch [new file with mode: 0644]
queue-4.4/tipc-fix-link-name-length-check.patch [new file with mode: 0644]

diff --git a/queue-4.4/macvlan-schedule-bc_work-even-if-error.patch b/queue-4.4/macvlan-schedule-bc_work-even-if-error.patch
new file mode 100644 (file)
index 0000000..390764d
--- /dev/null
@@ -0,0 +1,52 @@
+From foo@baz Tue 03 Dec 2019 11:22:48 AM CET
+From: Menglong Dong <dong.menglong@zte.com.cn>
+Date: Mon, 25 Nov 2019 16:58:09 +0800
+Subject: macvlan: schedule bc_work even if error
+
+From: Menglong Dong <dong.menglong@zte.com.cn>
+
+[ Upstream commit 1d7ea55668878bb350979c377fc72509dd6f5b21 ]
+
+While enqueueing a broadcast skb to port->bc_queue, schedule_work()
+is called to add port->bc_work, which processes the skbs in
+bc_queue, to "events" work queue. If port->bc_queue is full, the
+skb will be discarded and schedule_work(&port->bc_work) won't be
+called. However, if port->bc_queue is full and port->bc_work is not
+running or pending, port->bc_queue will keep full and schedule_work()
+won't be called any more, and all broadcast skbs to macvlan will be
+discarded. This case can happen:
+
+macvlan_process_broadcast() is the pending function of port->bc_work,
+it moves all the skbs in port->bc_queue to the queue "list", and
+processes the skbs in "list". During this, new skbs will keep being
+added to port->bc_queue in macvlan_broadcast_enqueue(), and
+port->bc_queue may already full when macvlan_process_broadcast()
+return. This may happen, especially when there are a lot of real-time
+threads and the process is preempted.
+
+Fix this by calling schedule_work(&port->bc_work) even if
+port->bc_work is full in macvlan_broadcast_enqueue().
+
+Fixes: 412ca1550cbe ("macvlan: Move broadcasts into a work queue")
+Signed-off-by: Menglong Dong <dong.menglong@zte.com.cn>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/macvlan.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/macvlan.c
++++ b/drivers/net/macvlan.c
+@@ -326,10 +326,11 @@ static void macvlan_broadcast_enqueue(st
+       }
+       spin_unlock(&port->bc_queue.lock);
++      schedule_work(&port->bc_work);
++
+       if (err)
+               goto free_nskb;
+-      schedule_work(&port->bc_work);
+       return;
+ free_nskb:
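Review bot: The relocated `schedule_work(&port->bc_work);` in macvlan_broadcast_enqueue() now runs on the error path too, and nothing in the code says why; a later cleanup could easily move it back under the `if (err)` check. A short comment above the call would keep the reasoning from the commit message next to the code, for example `/* kick bc_work even when the enqueue failed, so a full bc_queue still gets drained */`. The function starts before the hunk and the `free_nskb` path continues after it, so the drop handling itself is not visible here.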
diff --git a/queue-4.4/net-sched-fix-tc-s-class-show-no-bstats-on-class-with-nolock-subqueues.patch b/queue-4.4/net-sched-fix-tc-s-class-show-no-bstats-on-class-with-nolock-subqueues.patch
new file mode 100644 (file)
index 0000000..4eac102
--- /dev/null
@@ -0,0 +1,81 @@
+From foo@baz Tue 03 Dec 2019 10:28:24 AM CET
+From: Dust Li <dust.li@linux.alibaba.com>
+Date: Thu, 28 Nov 2019 14:29:09 +0800
+Subject: net: sched: fix `tc -s class show` no bstats on class with nolock subqueues
+
+From: Dust Li <dust.li@linux.alibaba.com>
+
+[ Upstream commit 14e54ab9143fa60794d13ea0a66c792a2046a8f3 ]
+
+When a classful qdisc's child qdisc has set the flag
+TCQ_F_CPUSTATS (pfifo_fast for example), the child qdisc's
+cpu_bstats should be passed to gnet_stats_copy_basic(),
+but many classful qdisc didn't do that. As a result,
+`tc -s class show dev DEV` always return 0 for bytes and
+packets in this case.
+
+Pass the child qdisc's cpu_bstats to gnet_stats_copy_basic()
+to fix this issue.
+
+The qstats also has this problem, but it has been fixed
+in 5dd431b6b9 ("net: sched: introduce and use qstats read...")
+and bstats still remains buggy.
+
+Fixes: 22e0f8b9322c ("net: sched: make bstats per cpu and estimator RCU safe")
+Signed-off-by: Dust Li <dust.li@linux.alibaba.com>
+Signed-off-by: Tony Lu <tonylu@linux.alibaba.com>
+Acked-by: Cong Wang <xiyou.wangcong@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/sch_mq.c     |    2 +-
+ net/sched/sch_mqprio.c |    3 ++-
+ net/sched/sch_multiq.c |    2 +-
+ net/sched/sch_prio.c   |    2 +-
+ 4 files changed, 5 insertions(+), 4 deletions(-)
+
+--- a/net/sched/sch_mq.c
++++ b/net/sched/sch_mq.c
+@@ -195,7 +195,7 @@ static int mq_dump_class_stats(struct Qd
+       struct netdev_queue *dev_queue = mq_queue_get(sch, cl);
+       sch = dev_queue->qdisc_sleeping;
+-      if (gnet_stats_copy_basic(d, NULL, &sch->bstats) < 0 ||
++      if (gnet_stats_copy_basic(d, sch->cpu_bstats, &sch->bstats) < 0 ||
+           gnet_stats_copy_queue(d, NULL, &sch->qstats, sch->q.qlen) < 0)
+               return -1;
+       return 0;
+--- a/net/sched/sch_mqprio.c
++++ b/net/sched/sch_mqprio.c
+@@ -355,7 +355,8 @@ static int mqprio_dump_class_stats(struc
+               struct netdev_queue *dev_queue = mqprio_queue_get(sch, cl);
+               sch = dev_queue->qdisc_sleeping;
+-              if (gnet_stats_copy_basic(d, NULL, &sch->bstats) < 0 ||
++              if (gnet_stats_copy_basic(d, sch->cpu_bstats,
++                                        &sch->bstats) < 0 ||
+                   gnet_stats_copy_queue(d, NULL,
+                                         &sch->qstats, sch->q.qlen) < 0)
+                       return -1;
+--- a/net/sched/sch_multiq.c
++++ b/net/sched/sch_multiq.c
+@@ -351,7 +351,7 @@ static int multiq_dump_class_stats(struc
+       struct Qdisc *cl_q;
+       cl_q = q->queues[cl - 1];
+-      if (gnet_stats_copy_basic(d, NULL, &cl_q->bstats) < 0 ||
++      if (gnet_stats_copy_basic(d, cl_q->cpu_bstats, &cl_q->bstats) < 0 ||
+           gnet_stats_copy_queue(d, NULL, &cl_q->qstats, cl_q->q.qlen) < 0)
+               return -1;
+--- a/net/sched/sch_prio.c
++++ b/net/sched/sch_prio.c
+@@ -319,7 +319,7 @@ static int prio_dump_class_stats(struct
+       struct Qdisc *cl_q;
+       cl_q = q->queues[cl - 1];
+-      if (gnet_stats_copy_basic(d, NULL, &cl_q->bstats) < 0 ||
++      if (gnet_stats_copy_basic(d, cl_q->cpu_bstats, &cl_q->bstats) < 0 ||
+           gnet_stats_copy_queue(d, NULL, &cl_q->qstats, cl_q->q.qlen) < 0)
+               return -1;
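Review bot: In all four dump_class_stats hunks (sch_mq.c, sch_mqprio.c, sch_multiq.c, sch_prio.c) the neighbouring `gnet_stats_copy_queue(d, NULL, ...)` call still passes NULL for the per-cpu queue stats. The commit message says the qstats side was fixed by 5dd431b6b9, but the context lines suggest that change is not in this 4.4 tree, so a child qdisc with TCQ_F_CPUSTATS would presumably still report zero queue statistics after this backport. If the per-cpu queue stats field exists on this branch, the matching change would be along the lines of `gnet_stats_copy_queue(d, cl_q->cpu_qstats, &cl_q->qstats, cl_q->q.qlen)`; otherwise the backport's changelog should note that only bstats are covered. Each function body extends beyond its hunk.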
diff --git a/queue-4.4/openvswitch-drop-unneeded-bug_on-in-ovs_flow_cmd_build_info.patch b/queue-4.4/openvswitch-drop-unneeded-bug_on-in-ovs_flow_cmd_build_info.patch
new file mode 100644 (file)
index 0000000..5d6a103
--- /dev/null
@@ -0,0 +1,40 @@
+From foo@baz Tue 03 Dec 2019 11:22:48 AM CET
+From: Paolo Abeni <pabeni@redhat.com>
+Date: Sun, 1 Dec 2019 18:41:24 +0100
+Subject: openvswitch: drop unneeded BUG_ON() in ovs_flow_cmd_build_info()
+
+From: Paolo Abeni <pabeni@redhat.com>
+
+[ Upstream commit 8ffeb03fbba3b599690b361467bfd2373e8c450f ]
+
+All the callers of ovs_flow_cmd_build_info() already deal with
+error return code correctly, so we can handle the error condition
+in a more gracefull way. Still dump a warning to preserve
+debuggability.
+
+v1 -> v2:
+ - clarify the commit message
+ - clean the skb and report the error (DaveM)
+
+Fixes: ccb1352e76cf ("net: Add Open vSwitch kernel components.")
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/openvswitch/datapath.c |    5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/net/openvswitch/datapath.c
++++ b/net/openvswitch/datapath.c
+@@ -904,7 +904,10 @@ static struct sk_buff *ovs_flow_cmd_buil
+       retval = ovs_flow_cmd_fill_info(flow, dp_ifindex, skb,
+                                       info->snd_portid, info->snd_seq, 0,
+                                       cmd, ufid_flags);
+-      BUG_ON(retval < 0);
++      if (WARN_ON_ONCE(retval < 0)) {
++              kfree_skb(skb);
++              skb = ERR_PTR(retval);
++      }
+       return skb;
+ }
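Review bot: The new `if (WARN_ON_ONCE(retval < 0))` branch in ovs_flow_cmd_build_info() has no comment saying why a fill failure is warned about as a kernel bug rather than returned as an ordinary error. Presumably a negative retval means the reply skb allocated earlier in the function (outside this hunk) was sized too small; a one-line comment such as `/* fill failure means the reply skb was undersized: warn once and return the error */` would record that. Because WARN_ON_ONCE logs only the first occurrence, later failures are visible only through the ERR_PTR return, so callers' error logging matters here.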
diff --git a/queue-4.4/openvswitch-fix-flow-command-message-size.patch b/queue-4.4/openvswitch-fix-flow-command-message-size.patch
new file mode 100644 (file)
index 0000000..88c178c
--- /dev/null
@@ -0,0 +1,42 @@
+From foo@baz Tue 03 Dec 2019 11:22:48 AM CET
+From: Paolo Abeni <pabeni@redhat.com>
+Date: Tue, 26 Nov 2019 12:55:50 +0100
+Subject: openvswitch: fix flow command message size
+
+From: Paolo Abeni <pabeni@redhat.com>
+
+[ Upstream commit 4e81c0b3fa93d07653e2415fa71656b080a112fd ]
+
+When user-space sets the OVS_UFID_F_OMIT_* flags, and the relevant
+flow has no UFID, we can exceed the computed size, as
+ovs_nla_put_identifier() will always dump an OVS_FLOW_ATTR_KEY
+attribute.
+Take the above in account when computing the flow command message
+size.
+
+Fixes: 74ed7ab9264c ("openvswitch: Add support for unique flow IDs.")
+Reported-by: Qi Jun Ding <qding@redhat.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/openvswitch/datapath.c |    6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/net/openvswitch/datapath.c
++++ b/net/openvswitch/datapath.c
+@@ -725,9 +725,13 @@ static size_t ovs_flow_cmd_msg_size(cons
+ {
+       size_t len = NLMSG_ALIGN(sizeof(struct ovs_header));
+-      /* OVS_FLOW_ATTR_UFID */
++      /* OVS_FLOW_ATTR_UFID, or unmasked flow key as fallback
++       * see ovs_nla_put_identifier()
++       */
+       if (sfid && ovs_identifier_is_ufid(sfid))
+               len += nla_total_size(sfid->ufid_len);
++      else
++              len += nla_total_size(ovs_key_attr_size());
+       /* OVS_FLOW_ATTR_KEY */
+       if (!sfid || should_fill_key(sfid, ufid_flags))
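Review bot: When `sfid` is NULL, the new `else` branch in ovs_flow_cmd_msg_size() adds `nla_total_size(ovs_key_attr_size())`, and the following `if (!sfid || should_fill_key(sfid, ufid_flags))` is also true, so the key size appears to be counted twice (the body of that second `if` is outside the hunk). Over-estimating is safe for a size computation, but it is not obvious from the code that it is intentional. Either extend the new comment to say so, e.g. `/* a NULL sfid is counted again below; the over-estimate is harmless */`, or drop the `!sfid ||` term if the fallback branch already covers that case.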
diff --git a/queue-4.4/openvswitch-remove-another-bug_on.patch b/queue-4.4/openvswitch-remove-another-bug_on.patch
new file mode 100644 (file)
index 0000000..f7b3b13
--- /dev/null
@@ -0,0 +1,49 @@
+From foo@baz Tue 03 Dec 2019 11:22:48 AM CET
+From: Paolo Abeni <pabeni@redhat.com>
+Date: Sun, 1 Dec 2019 18:41:25 +0100
+Subject: openvswitch: remove another BUG_ON()
+
+From: Paolo Abeni <pabeni@redhat.com>
+
+[ Upstream commit 8a574f86652a4540a2433946ba826ccb87f398cc ]
+
+If we can't build the flow del notification, we can simply delete
+the flow, no need to crash the kernel. Still keep a WARN_ON to
+preserve debuggability.
+
+Note: the BUG_ON() predates the Fixes tag, but this change
+can be applied only after the mentioned commit.
+
+v1 -> v2:
+ - do not leak an skb on error
+
+Fixes: aed067783e50 ("openvswitch: Minimize ovs_flow_cmd_del critical section.")
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/openvswitch/datapath.c |    6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/net/openvswitch/datapath.c
++++ b/net/openvswitch/datapath.c
+@@ -1325,7 +1325,10 @@ static int ovs_flow_cmd_del(struct sk_bu
+                                                    OVS_FLOW_CMD_DEL,
+                                                    ufid_flags);
+                       rcu_read_unlock();
+-                      BUG_ON(err < 0);
++                      if (WARN_ON_ONCE(err < 0)) {
++                              kfree_skb(reply);
++                              goto out_free;
++                      }
+                       ovs_notify(&dp_flow_genl_family, reply, info);
+               } else {
+@@ -1333,6 +1336,7 @@ static int ovs_flow_cmd_del(struct sk_bu
+               }
+       }
++out_free:
+       ovs_flow_free(flow, true);
+       return 0;
+ unlock:
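Review bot: The new error branch in ovs_flow_cmd_del() frees `reply` and jumps to `out_free`, after which the function returns 0 without any signal to multicast listeners that a flow-delete notification was dropped. The body of the `else` branch just below is not shown in the hunk; if it reports the allocation failure to listeners, the fill-failure path should do the same for consistency, e.g. `netlink_set_err(sock_net(skb)->genl_sock, 0, 0, err);` before the `goto out_free;`. Without it, a monitoring process tracking the flow table can silently keep a stale entry, with only a one-time kernel warning as evidence.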
index 87c7bdf8a7bb115f623b46af7aa2de4f432a9f28..26b0bfbcee9e73bf9736a34853dd360a1074f4f1 100644 (file)
@@ -80,3 +80,10 @@ mei-bus-prefix-device-names-on-bus-with-the-bus-name.patch
 media-v4l2-ctrl-fix-flags-for-do_white_balance.patch
 net-macb-fix-error-format-in-dev_err.patch
 pwm-clear-chip_data-in-pwm_put.patch
+macvlan-schedule-bc_work-even-if-error.patch
+openvswitch-fix-flow-command-message-size.patch
+slip-fix-use-after-free-read-in-slip_open.patch
+openvswitch-drop-unneeded-bug_on-in-ovs_flow_cmd_build_info.patch
+openvswitch-remove-another-bug_on.patch
+tipc-fix-link-name-length-check.patch
+net-sched-fix-tc-s-class-show-no-bstats-on-class-with-nolock-subqueues.patch
diff --git a/queue-4.4/slip-fix-use-after-free-read-in-slip_open.patch b/queue-4.4/slip-fix-use-after-free-read-in-slip_open.patch
new file mode 100644 (file)
index 0000000..a3b7d22
--- /dev/null
@@ -0,0 +1,60 @@
+From foo@baz Tue 03 Dec 2019 11:22:48 AM CET
+From: Jouni Hogander <jouni.hogander@unikie.com>
+Date: Mon, 25 Nov 2019 14:23:43 +0200
+Subject: slip: Fix use-after-free Read in slip_open
+
+From: Jouni Hogander <jouni.hogander@unikie.com>
+
+[ Upstream commit e58c1912418980f57ba2060017583067f5f71e52 ]
+
+Slip_open doesn't clean-up device which registration failed from the
+slip_devs device list. On next open after failure this list is iterated
+and freed device is accessed. Fix this by calling sl_free_netdev in error
+path.
+
+Here is the trace from the Syzbot:
+
+__dump_stack lib/dump_stack.c:77 [inline]
+dump_stack+0x197/0x210 lib/dump_stack.c:118
+print_address_description.constprop.0.cold+0xd4/0x30b mm/kasan/report.c:374
+__kasan_report.cold+0x1b/0x41 mm/kasan/report.c:506
+kasan_report+0x12/0x20 mm/kasan/common.c:634
+__asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:132
+sl_sync drivers/net/slip/slip.c:725 [inline]
+slip_open+0xecd/0x11b7 drivers/net/slip/slip.c:801
+tty_ldisc_open.isra.0+0xa3/0x110 drivers/tty/tty_ldisc.c:469
+tty_set_ldisc+0x30e/0x6b0 drivers/tty/tty_ldisc.c:596
+tiocsetd drivers/tty/tty_io.c:2334 [inline]
+tty_ioctl+0xe8d/0x14f0 drivers/tty/tty_io.c:2594
+vfs_ioctl fs/ioctl.c:46 [inline]
+file_ioctl fs/ioctl.c:509 [inline]
+do_vfs_ioctl+0xdb6/0x13e0 fs/ioctl.c:696
+ksys_ioctl+0xab/0xd0 fs/ioctl.c:713
+__do_sys_ioctl fs/ioctl.c:720 [inline]
+__se_sys_ioctl fs/ioctl.c:718 [inline]
+__x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:718
+do_syscall_64+0xfa/0x760 arch/x86/entry/common.c:290
+entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+Fixes: 3b5a39979daf ("slip: Fix memory leak in slip_open error path")
+Reported-by: syzbot+4d5170758f3762109542@syzkaller.appspotmail.com
+Cc: David Miller <davem@davemloft.net>
+Cc: Oliver Hartkopp <socketcan@hartkopp.net>
+Cc: Lukas Bulwahn <lukas.bulwahn@gmail.com>
+Signed-off-by: Jouni Hogander <jouni.hogander@unikie.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/slip/slip.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/slip/slip.c
++++ b/drivers/net/slip/slip.c
+@@ -860,6 +860,7 @@ err_free_chan:
+       sl->tty = NULL;
+       tty->disc_data = NULL;
+       clear_bit(SLF_INUSE, &sl->flags);
++      sl_free_netdev(sl->dev);
+       free_netdev(sl->dev);
+ err_exit:
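Review bot: The added `sl_free_netdev(sl->dev);` sits directly before `free_netdev(sl->dev);`, so it is worth confirming what sl_free_netdev() does on this 4.4 branch, since its definition is outside the hunk. On older trees where it is installed as the device destructor, it may itself call free_netdev(dev) before clearing the slip_devs[] slot. In that case the next line would read `sl->dev` from freed memory and free the net_device a second time, replacing the use-after-free being fixed with a double free. If so, the backport should keep only one of the two calls on the err_free_chan path (`sl_free_netdev(sl->dev);` alone), or clear the slip_devs[] entry directly there.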
diff --git a/queue-4.4/tipc-fix-link-name-length-check.patch b/queue-4.4/tipc-fix-link-name-length-check.patch
new file mode 100644 (file)
index 0000000..859724e
--- /dev/null
@@ -0,0 +1,45 @@
+From foo@baz Tue 03 Dec 2019 11:22:48 AM CET
+From: John Rutherford <john.rutherford@dektech.com.au>
+Date: Tue, 26 Nov 2019 13:52:55 +1100
+Subject: tipc: fix link name length check
+
+From: John Rutherford <john.rutherford@dektech.com.au>
+
+[ Upstream commit fd567ac20cb0377ff466d3337e6e9ac5d0cb15e4 ]
+
+In commit 4f07b80c9733 ("tipc: check msg->req data len in
+tipc_nl_compat_bearer_disable") the same patch code was copied into
+routines: tipc_nl_compat_bearer_disable(),
+tipc_nl_compat_link_stat_dump() and tipc_nl_compat_link_reset_stats().
+The two link routine occurrences should have been modified to check
+the maximum link name length and not bearer name length.
+
+Fixes: 4f07b80c9733 ("tipc: check msg->reg data len in tipc_nl_compat_bearer_disable")
+Signed-off-by: John Rutherford <john.rutherford@dektech.com.au>
+Acked-by: Jon Maloy <jon.maloy@ericsson.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/tipc/netlink_compat.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/tipc/netlink_compat.c
++++ b/net/tipc/netlink_compat.c
+@@ -516,7 +516,7 @@ static int tipc_nl_compat_link_stat_dump
+       if (len <= 0)
+               return -EINVAL;
+-      len = min_t(int, len, TIPC_MAX_BEARER_NAME);
++      len = min_t(int, len, TIPC_MAX_LINK_NAME);
+       if (!string_is_valid(name, len))
+               return -EINVAL;
+@@ -791,7 +791,7 @@ static int tipc_nl_compat_link_reset_sta
+       if (len <= 0)
+               return -EINVAL;
+-      len = min_t(int, len, TIPC_MAX_BEARER_NAME);
++      len = min_t(int, len, TIPC_MAX_LINK_NAME);
+       if (!string_is_valid(name, len))
+               return -EINVAL;
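Review bot: The clamp-and-validate sequence (`len <= 0` check, `min_t(int, len, TIPC_MAX_LINK_NAME)`, `string_is_valid(name, len)`) is now duplicated verbatim in tipc_nl_compat_link_stat_dump() and tipc_nl_compat_link_reset_stats(). That copy-paste pattern is what let the wrong bound in originally. A small static helper that takes the maximum name length as a parameter would keep the link and bearer callers from drifting apart again. Both function bodies extend beyond their hunks, so where `name` and `len` come from is not visible here.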