queue sch_netem-restore-skb-dev-after-dequeuing-from-the-r.patch for 4.14
authorSasha Levin <sashal@kernel.org>
Wed, 31 Oct 2018 13:37:59 +0000 (09:37 -0400)
committerSasha Levin <sashal@kernel.org>
Wed, 31 Oct 2018 13:52:14 +0000 (09:52 -0400)
Signed-off-by: Sasha Levin <sashal@kernel.org>
queue-4.14/sch_netem-restore-skb-dev-after-dequeuing-from-the-r.patch [new file with mode: 0644]
queue-4.14/series

diff --git a/queue-4.14/sch_netem-restore-skb-dev-after-dequeuing-from-the-r.patch b/queue-4.14/sch_netem-restore-skb-dev-after-dequeuing-from-the-r.patch
new file mode 100644 (file)
index 0000000..b554d49
--- /dev/null
@@ -0,0 +1,91 @@
+From 8ca285d0ba87e4a7d1e02d1ce5b716fa1f26ec54 Mon Sep 17 00:00:00 2001
+From: Christoph Paasch <cpaasch@apple.com>
+Date: Thu, 18 Oct 2018 13:38:40 -0700
+Subject: sch_netem: restore skb->dev after dequeuing from the rbtree
+
+Upstream commit bffa72cf7f9d ("net: sk_buff rbnode reorg") got
+backported as commit 6b921536f170 ("net: sk_buff rbnode reorg") into the
+v4.14.x-tree.
+
+However, the backport does not include the changes in sch_netem.c
+
+We need these, as otherwise the skb->dev pointer is not set when
+dequeueing from the netem rbtree, resulting in a panic:
+
+[   15.427748] BUG: unable to handle kernel NULL pointer dereference at 00000000000000d0
+[   15.428863] IP: netif_skb_features+0x24/0x230
+[   15.429402] PGD 0 P4D 0
+[   15.429733] Oops: 0000 [#1] SMP PTI
+[   15.430169] Modules linked in:
+[   15.430614] CPU: 3 PID: 0 Comm: swapper/3 Not tainted 4.14.77.mptcp #77
+[   15.431497] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 0.5.1 01/01/2011
+[   15.432568] task: ffff88042db19680 task.stack: ffffc90000070000
+[   15.433356] RIP: 0010:netif_skb_features+0x24/0x230
+[   15.433977] RSP: 0018:ffff88043fd83e70 EFLAGS: 00010286
+[   15.434665] RAX: ffff880429ad80c0 RBX: ffff88042bd0e400 RCX: ffff880429ad8000
+[   15.435585] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88042bd0e400
+[   15.436551] RBP: ffff88042bd0e400 R08: ffff88042a4b6c9c R09: 0000000000000001
+[   15.437485] R10: 0000000000000004 R11: 0000000000000000 R12: ffff88042c700000
+[   15.438393] R13: ffff88042c700000 R14: ffff88042a4b6c00 R15: ffff88042c6bb000
+[   15.439315] FS:  0000000000000000(0000) GS:ffff88043fd80000(0000) knlGS:0000000000000000
+[   15.440314] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[   15.441084] CR2: 00000000000000d0 CR3: 000000042c374000 CR4: 00000000000006e0
+[   15.442016] Call Trace:
+[   15.442333]  <IRQ>
+[   15.442596]  validate_xmit_skb+0x17/0x270
+[   15.443134]  validate_xmit_skb_list+0x38/0x60
+[   15.443698]  sch_direct_xmit+0x102/0x190
+[   15.444198]  __qdisc_run+0xe3/0x240
+[   15.444671]  net_tx_action+0x121/0x140
+[   15.445177]  __do_softirq+0xe2/0x224
+[   15.445654]  irq_exit+0xbf/0xd0
+[   15.446072]  smp_apic_timer_interrupt+0x5d/0x90
+[   15.446654]  apic_timer_interrupt+0x7d/0x90
+[   15.447185]  </IRQ>
+[   15.447460] RIP: 0010:native_safe_halt+0x2/0x10
+[   15.447992] RSP: 0018:ffffc90000073f10 EFLAGS: 00000282 ORIG_RAX: ffffffffffffff10
+[   15.449008] RAX: ffffffff816667d0 RBX: ffffffff820946b0 RCX: 0000000000000000
+[   15.449895] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
+[   15.450768] RBP: ffffffff82026940 R08: 00000004e858e5e1 R09: ffff88042a4b6d58
+[   15.451643] R10: 0000000000000000 R11: 000000d0d56879bb R12: 0000000000000000
+[   15.452478] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
+[   15.453340]  ? __sched_text_end+0x2/0x2
+[   15.453835]  default_idle+0xf/0x20
+[   15.454259]  do_idle+0x170/0x200
+[   15.454653]  cpu_startup_entry+0x14/0x20
+[   15.455142]  secondary_startup_64+0xa5/0xb0
+[   15.455715] Code: 1f 84 00 00 00 00 00 55 53 48 89 fd 48 83 ec 08 8b 87 bc 00 00 00 48 8b 8f c0 00 00 00 0f b6 97 81 00 00 00 48 8b 77 10 48 01 c8 <48> 8b 9
+[   15.458138] RIP: netif_skb_features+0x24/0x230 RSP: ffff88043fd83e70
+[   15.458933] CR2: 00000000000000d0
+[   15.459352] ---[ end trace 083925903ae60570 ]---
+
+Fixes: 6b921536f170 ("net: sk_buff rbnode reorg")
+Cc: Stephen Hemminger <stephen@networkplumber.org>
+Cc: Eric Dumazet <edumazet@google.com>
+Cc: Soheil Hassas Yeganeh <soheil@google.com>
+Cc: Wei Wang <weiwan@google.com>
+Cc: Willem de Bruijn <willemb@google.com>
+Signed-off-by: Christoph Paasch <cpaasch@apple.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sched/sch_netem.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/net/sched/sch_netem.c b/net/sched/sch_netem.c
+index 2a2ab6bfe5d8..3d325b840802 100644
+--- a/net/sched/sch_netem.c
++++ b/net/sched/sch_netem.c
+@@ -624,6 +624,10 @@ static struct sk_buff *netem_dequeue(struct Qdisc *sch)
+                       skb->next = NULL;
+                       skb->prev = NULL;
+                       skb->tstamp = netem_skb_cb(skb)->tstamp_save;
++                      /* skb->dev shares skb->rbnode area,
++                       * we need to restore its value.
++                       */
++                      skb->dev = qdisc_dev(sch);
+ #ifdef CONFIG_NET_CLS_ACT
+                       /*
+-- 
+2.17.1
+
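Review bot: The comment added above `skb->dev = qdisc_dev(sch);` in netem_dequeue() says why the field must be restored, but not what breaks if the line is later moved or dropped. I would extend it to `/* skb->dev shares storage with skb->rbnode and was overwritten while the skb sat in the rbtree; restore it before the skb leaves netem, or the xmit path dereferences a NULL dev. */`, which ties the line to the netif_skb_features oops quoted in the message. The assignment has to stay ahead of the `#ifdef CONFIG_NET_CLS_ACT` block and the hand-off after it. Both lie past the end of this hunk (netem_dequeue starts and ends outside it), so whether they read skb->dev cannot be confirmed from here. The restore also presumes every skb held in this tree was enqueued on qdisc_dev(sch), which the visible lines do not establish.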
index d80bb8389fe5cf2062394fa2d375ddd343234bb1..d03afae217c3689e9f0d40f8c7dbdbf8192d4a7c 100644 (file)
@@ -103,3 +103,4 @@ net-ena-fix-warning-in-rmmod-caused-by-double-iounma.patch
 net-ena-fix-null-dereference-due-to-untimely-napi-in.patch
 selftests-rtnetlink.sh-explicitly-requires-bash.patch
 fs-fat-fatent.c-add-cond_resched-to-fat_count_free_c.patch
+sch_netem-restore-skb-dev-after-dequeuing-from-the-r.patch