--- /dev/null
+From a269333fa5c0c8e53c92b5a28a6076a28cde3e83 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Sat, 8 May 2021 16:30:35 +0300
+Subject: net: dsa: fix a crash if ->get_sset_count() fails
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit a269333fa5c0c8e53c92b5a28a6076a28cde3e83 upstream.
+
+If ds->ops->get_sset_count() fails then it "count" is a negative error
+code such as -EOPNOTSUPP. Because "i" is an unsigned int, the negative
+error code is type promoted to a very high value and the loop will
+corrupt memory until the system crashes.
+
+Fix this by checking for error codes and changing the type of "i" to
+just int.
+
+Fixes: badf3ada60ab ("net: dsa: Provide CPU port statistics to master netdev")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
+Reviewed-by: Vladimir Oltean <olteanv@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/dsa/master.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/net/dsa/master.c
++++ b/net/dsa/master.c
+@@ -87,8 +87,7 @@ static void dsa_master_get_strings(struc
+ struct dsa_switch *ds = cpu_dp->ds;
+ int port = cpu_dp->index;
+ int len = ETH_GSTRING_LEN;
+- int mcount = 0, count;
+- unsigned int i;
++ int mcount = 0, count, i;
+ uint8_t pfx[4];
+ uint8_t *ndata;
+
+@@ -118,6 +117,8 @@ static void dsa_master_get_strings(struc
+ */
+ ds->ops->get_strings(ds, port, stringset, ndata);
+ count = ds->ops->get_sset_count(ds, port, stringset);
++ if (count < 0)
++ return;
+ for (i = 0; i < count; i++) {
+ memmove(ndata + (i * len + sizeof(pfx)),
+ ndata + i * len, len - sizeof(pfx));
--- /dev/null
+From 474a2ddaa192777522a7499784f1d60691cd831a Mon Sep 17 00:00:00 2001
+From: DENG Qingfang <dqfext@gmail.com>
+Date: Sun, 23 May 2021 22:51:54 +0800
+Subject: net: dsa: mt7530: fix VLAN traffic leaks
+
+From: DENG Qingfang <dqfext@gmail.com>
+
+commit 474a2ddaa192777522a7499784f1d60691cd831a upstream.
+
+PCR_MATRIX field was set to all 1's when VLAN filtering is enabled, but
+was not reset when it is disabled, which may cause traffic leaks:
+
+ ip link add br0 type bridge vlan_filtering 1
+ ip link add br1 type bridge vlan_filtering 1
+ ip link set swp0 master br0
+ ip link set swp1 master br1
+ ip link set br0 type bridge vlan_filtering 0
+ ip link set br1 type bridge vlan_filtering 0
+ # traffic in br0 and br1 will start leaking to each other
+
+As port_bridge_{add,del} have set up PCR_MATRIX properly, remove the
+PCR_MATRIX write from mt7530_port_set_vlan_aware.
+
+Fixes: 83163f7dca56 ("net: dsa: mediatek: add VLAN support for MT7530")
+Signed-off-by: DENG Qingfang <dqfext@gmail.com>
+Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/dsa/mt7530.c | 8 --------
+ 1 file changed, 8 deletions(-)
+
+--- a/drivers/net/dsa/mt7530.c
++++ b/drivers/net/dsa/mt7530.c
+@@ -851,14 +851,6 @@ mt7530_port_set_vlan_aware(struct dsa_sw
+ {
+ struct mt7530_priv *priv = ds->priv;
+
+- /* The real fabric path would be decided on the membership in the
+- * entry of VLAN table. PCR_MATRIX set up here with ALL_MEMBERS
+- * means potential VLAN can be consisting of certain subset of all
+- * ports.
+- */
+- mt7530_rmw(priv, MT7530_PCR_P(port),
+- PCR_MATRIX_MASK, PCR_MATRIX(MT7530_ALL_MEMBERS));
+-
+ /* Trapped into security mode allows packet forwarding through VLAN
+ * table lookup. CPU port is set to fallback mode to let untagged
+ * frames pass through.
drm-meson-fix-shutdown-crash-when-component-not-probed.patch
net-mlx4-fix-eeprom-dump-support.patch
revert-net-tipc-fix-a-double-free-in-tipc_sk_mcast_rcv.patch
-tipc-wait-and-exit-until-all-work-queues-are-done.patch
tipc-skb_linearize-the-head-skb-when-reassembling-msgs.patch
+net-dsa-mt7530-fix-vlan-traffic-leaks.patch
+net-dsa-fix-a-crash-if-get_sset_count-fails.patch
+++ /dev/null
-From 04c26faa51d1e2fe71cf13c45791f5174c37f986 Mon Sep 17 00:00:00 2001
-From: Xin Long <lucien.xin@gmail.com>
-Date: Mon, 17 May 2021 02:28:58 +0800
-Subject: tipc: wait and exit until all work queues are done
-
-From: Xin Long <lucien.xin@gmail.com>
-
-commit 04c26faa51d1e2fe71cf13c45791f5174c37f986 upstream.
-
-On some host, a crash could be triggered simply by repeating these
-commands several times:
-
- # modprobe tipc
- # tipc bearer enable media udp name UDP1 localip 127.0.0.1
- # rmmod tipc
-
- [] BUG: unable to handle kernel paging request at ffffffffc096bb00
- [] Workqueue: events 0xffffffffc096bb00
- [] Call Trace:
- [] ? process_one_work+0x1a7/0x360
- [] ? worker_thread+0x30/0x390
- [] ? create_worker+0x1a0/0x1a0
- [] ? kthread+0x116/0x130
- [] ? kthread_flush_work_fn+0x10/0x10
- [] ? ret_from_fork+0x35/0x40
-
-When removing the TIPC module, the UDP tunnel sock will be delayed to
-release in a work queue as sock_release() can't be done in rtnl_lock().
-If the work queue is schedule to run after the TIPC module is removed,
-kernel will crash as the work queue function cleanup_beareri() code no
-longer exists when trying to invoke it.
-
-To fix it, this patch introduce a member wq_count in tipc_net to track
-the numbers of work queues in schedule, and wait and exit until all
-work queues are done in tipc_exit_net().
-
-Fixes: d0f91938bede ("tipc: add ip/udp media type")
-Reported-by: Shuang Li <shuali@redhat.com>
-Signed-off-by: Xin Long <lucien.xin@gmail.com>
-Acked-by: Jon Maloy <jmaloy@redhat.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- net/tipc/core.c | 3 +++
- net/tipc/core.h | 3 +++
- net/tipc/udp_media.c | 1 +
- 3 files changed, 7 insertions(+)
-
---- a/net/tipc/core.c
-+++ b/net/tipc/core.c
-@@ -101,6 +101,9 @@ static void __net_exit tipc_exit_net(str
- tipc_bcast_stop(net);
- tipc_nametbl_stop(net);
- tipc_sk_rht_destroy(net);
-+
-+ while (atomic_read(&tn->wq_count))
-+ cond_resched();
- }
-
- static struct pernet_operations tipc_net_ops = {
---- a/net/tipc/core.h
-+++ b/net/tipc/core.h
-@@ -122,6 +122,9 @@ struct tipc_net {
- /* Topology subscription server */
- struct tipc_topsrv *topsrv;
- atomic_t subscription_count;
-+
-+ /* The numbers of work queues in schedule */
-+ atomic_t wq_count;
- };
-
- static inline struct tipc_net *tipc_net(struct net *net)
---- a/net/tipc/udp_media.c
-+++ b/net/tipc/udp_media.c
-@@ -792,6 +792,7 @@ static void tipc_udp_disable(struct tipc
- RCU_INIT_POINTER(ub->bearer, NULL);
-
- /* sock_release need to be done outside of rtnl lock */
-+ atomic_inc(&tipc_net(sock_net(ub->ubsock->sk))->wq_count);
- INIT_WORK(&ub->work, cleanup_bearer);
- schedule_work(&ub->work);
- }
projects / thirdparty / kernel / stable-queue.git / commitdiff
