--- /dev/null
+From foo@baz Fri 21 Feb 2020 08:17:43 AM CET
+From: Firo Yang <firo.yang@suse.com>
+Date: Wed, 12 Feb 2020 06:09:17 +0100
+Subject: enic: prevent waking up stopped tx queues over watchdog reset
+
+From: Firo Yang <firo.yang@suse.com>
+
+[ Upstream commit 0f90522591fd09dd201065c53ebefdfe3c6b55cb ]
+
+Recent months, our customer reported several kernel crashes all
+preceding with following message:
+NETDEV WATCHDOG: eth2 (enic): transmit queue 0 timed out
+Error message of one of those crashes:
+BUG: unable to handle kernel paging request at ffffffffa007e090
+
+After analyzing severl vmcores, I found that most of crashes are
+caused by memory corruption. And all the corrupted memory areas
+are overwritten by data of network packets. Moreover, I also found
+that the tx queues were enabled over watchdog reset.
+
+After going through the source code, I found that in enic_stop(),
+the tx queues stopped by netif_tx_disable() could be woken up over
+a small time window between netif_tx_disable() and the
+napi_disable() by the following code path:
+napi_poll->
+ enic_poll_msix_wq->
+ vnic_cq_service->
+ enic_wq_service->
+ netif_wake_subqueue(enic->netdev, q_number)->
+ test_and_clear_bit(__QUEUE_STATE_DRV_XOFF, &txq->state)
+In turn, upper netowrk stack could queue skb to ENIC NIC though
+enic_hard_start_xmit(). And this might introduce some race condition.
+
+Our customer comfirmed that this kind of kernel crash doesn't occur over
+90 days since they applied this patch.
+
+Signed-off-by: Firo Yang <firo.yang@suse.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/cisco/enic/enic_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/cisco/enic/enic_main.c
++++ b/drivers/net/ethernet/cisco/enic/enic_main.c
+@@ -1806,10 +1806,10 @@ static int enic_stop(struct net_device *
+ }
+
+ netif_carrier_off(netdev);
+- netif_tx_disable(netdev);
+ if (vnic_dev_get_intr_mode(enic->vdev) == VNIC_DEV_INTR_MODE_MSIX)
+ for (i = 0; i < enic->wq_count; i++)
+ napi_disable(&enic->napi[enic_cq_wq(enic, i)]);
++ netif_tx_disable(netdev);
+
+ if (!enic_is_dynamic(enic) && !enic_is_sriov_vf(enic))
+ enic_dev_del_station_addr(enic);
--- /dev/null
+From foo@baz Fri 21 Feb 2020 08:17:43 AM CET
+From: Davide Caratti <dcaratti@redhat.com>
+Date: Tue, 11 Feb 2020 19:33:40 +0100
+Subject: net/sched: flower: add missing validation of TCA_FLOWER_FLAGS
+
+From: Davide Caratti <dcaratti@redhat.com>
+
+[ Upstream commit e2debf0852c4d66ba1a8bde12869b196094c70a7 ]
+
+unlike other classifiers that can be offloaded (i.e. users can set flags
+like 'skip_hw' and 'skip_sw'), 'cls_flower' doesn't validate the size of
+netlink attribute 'TCA_FLOWER_FLAGS' provided by user: add a proper entry
+to fl_policy.
+
+Fixes: 5b33f48842fa ("net/flower: Introduce hardware offload support")
+Signed-off-by: Davide Caratti <dcaratti@redhat.com>
+Acked-by: Jiri Pirko <jiri@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/cls_flower.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/sched/cls_flower.c
++++ b/net/sched/cls_flower.c
+@@ -364,6 +364,7 @@ static const struct nla_policy fl_policy
+ [TCA_FLOWER_KEY_TCP_DST_MASK] = { .type = NLA_U16 },
+ [TCA_FLOWER_KEY_UDP_SRC_MASK] = { .type = NLA_U16 },
+ [TCA_FLOWER_KEY_UDP_DST_MASK] = { .type = NLA_U16 },
++ [TCA_FLOWER_FLAGS] = { .type = NLA_U32 },
+ };
+
+ static void fl_set_key_val(struct nlattr **tb,
--- /dev/null
+From foo@baz Fri 21 Feb 2020 08:17:43 AM CET
+From: Davide Caratti <dcaratti@redhat.com>
+Date: Tue, 11 Feb 2020 19:33:39 +0100
+Subject: net/sched: matchall: add missing validation of TCA_MATCHALL_FLAGS
+
+From: Davide Caratti <dcaratti@redhat.com>
+
+[ Upstream commit 1afa3cc90f8fb745c777884d79eaa1001d6927a6 ]
+
+unlike other classifiers that can be offloaded (i.e. users can set flags
+like 'skip_hw' and 'skip_sw'), 'cls_matchall' doesn't validate the size
+of netlink attribute 'TCA_MATCHALL_FLAGS' provided by user: add a proper
+entry to mall_policy.
+
+Fixes: b87f7936a932 ("net/sched: Add match-all classifier hw offloading.")
+Signed-off-by: Davide Caratti <dcaratti@redhat.com>
+Acked-by: Jiri Pirko <jiri@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/cls_matchall.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/sched/cls_matchall.c
++++ b/net/sched/cls_matchall.c
+@@ -111,6 +111,7 @@ static unsigned long mall_get(struct tcf
+ static const struct nla_policy mall_policy[TCA_MATCHALL_MAX + 1] = {
+ [TCA_MATCHALL_UNSPEC] = { .type = NLA_UNSPEC },
+ [TCA_MATCHALL_CLASSID] = { .type = NLA_U32 },
++ [TCA_MATCHALL_FLAGS] = { .type = NLA_U32 },
+ };
+
+ static int mall_set_parms(struct net *net, struct tcf_proto *tp,
brd-check-and-limit-max_part-par.patch
help_next-should-increase-position-index.patch
selinux-ensure-we-cleanup-the-internal-avc-counters-.patch
+enic-prevent-waking-up-stopped-tx-queues-over-watchdog-reset.patch
+net-sched-matchall-add-missing-validation-of-tca_matchall_flags.patch
+net-sched-flower-add-missing-validation-of-tca_flower_flags.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
