--- /dev/null
+From 380ec5b9af7f0d57dbf6ac067fd9f33cff2fef71 Mon Sep 17 00:00:00 2001
+From: Pavel Belous <pbelous@marvell.com>
+Date: Fri, 14 Feb 2020 18:44:56 +0300
+Subject: net: atlantic: fix potential error handling
+
+From: Pavel Belous <pbelous@marvell.com>
+
+commit 380ec5b9af7f0d57dbf6ac067fd9f33cff2fef71 upstream.
+
+Code inspection found that in case of mapping error we do return current
+'ret' value. But beside error, it is used to count number of descriptors
+allocated for the packet. In that case map_skb function could return '1'.
+
+Changing it to return zero (number of mapped descriptors for skb)
+
+Fixes: 018423e90bee ("net: ethernet: aquantia: Add ring support code")
+Signed-off-by: Pavel Belous <pbelous@marvell.com>
+Signed-off-by: Igor Russkikh <irusskikh@marvell.com>
+Signed-off-by: Dmitry Bogdanov <dbogdanov@marvell.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/ethernet/aquantia/atlantic/aq_nic.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/aquantia/atlantic/aq_nic.c
++++ b/drivers/net/ethernet/aquantia/atlantic/aq_nic.c
+@@ -399,8 +399,10 @@ static unsigned int aq_nic_map_skb(struc
+ dx_buff->len,
+ DMA_TO_DEVICE);
+
+- if (unlikely(dma_mapping_error(aq_nic_get_dev(self), dx_buff->pa)))
++ if (unlikely(dma_mapping_error(aq_nic_get_dev(self), dx_buff->pa))) {
++ ret = 0;
+ goto exit;
++ }
+
+ first = dx_buff;
+ dx_buff->len_pkt = skb->len;
--- /dev/null
+From a4980919ad6a7be548d499bc5338015e1a9191c6 Mon Sep 17 00:00:00 2001
+From: Pavel Belous <pbelous@marvell.com>
+Date: Fri, 14 Feb 2020 18:44:55 +0300
+Subject: net: atlantic: fix use after free kasan warn
+
+From: Pavel Belous <pbelous@marvell.com>
+
+commit a4980919ad6a7be548d499bc5338015e1a9191c6 upstream.
+
+skb->len is used to calculate statistics after xmit invocation.
+
+Under a stress load it may happen that skb will be xmited,
+rx interrupt will come and skb will be freed, all before xmit function
+is even returned.
+
+Eventually, skb->len will access unallocated area.
+
+Moving stats calculation into tx_clean routine.
+
+Fixes: 018423e90bee ("net: ethernet: aquantia: Add ring support code")
+Reported-by: Christophe Vu-Brugier <cvubrugier@fastmail.fm>
+Signed-off-by: Igor Russkikh <irusskikh@marvell.com>
+Signed-off-by: Pavel Belous <pbelous@marvell.com>
+Signed-off-by: Dmitry Bogdanov <dbogdanov@marvell.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/ethernet/aquantia/atlantic/aq_nic.c | 4 ----
+ drivers/net/ethernet/aquantia/atlantic/aq_ring.c | 7 +++++--
+ 2 files changed, 5 insertions(+), 6 deletions(-)
+
+--- a/drivers/net/ethernet/aquantia/atlantic/aq_nic.c
++++ b/drivers/net/ethernet/aquantia/atlantic/aq_nic.c
+@@ -530,10 +530,6 @@ int aq_nic_xmit(struct aq_nic_s *self, s
+ if (likely(frags)) {
+ err = self->aq_hw_ops->hw_ring_tx_xmit(self->aq_hw,
+ ring, frags);
+- if (err >= 0) {
+- ++ring->stats.tx.packets;
+- ring->stats.tx.bytes += skb->len;
+- }
+ } else {
+ err = NETDEV_TX_BUSY;
+ }
+--- a/drivers/net/ethernet/aquantia/atlantic/aq_ring.c
++++ b/drivers/net/ethernet/aquantia/atlantic/aq_ring.c
+@@ -162,9 +162,12 @@ bool aq_ring_tx_clean(struct aq_ring_s *
+ }
+ }
+
+- if (unlikely(buff->is_eop))
+- dev_kfree_skb_any(buff->skb);
++ if (unlikely(buff->is_eop)) {
++ ++self->stats.rx.packets;
++ self->stats.tx.bytes += buff->skb->len;
+
++ dev_kfree_skb_any(buff->skb);
++ }
+ buff->pa = 0U;
+ buff->eop_index = 0xffffU;
+ self->sw_head = aq_ring_next_dx(self, self->sw_head);
--- /dev/null
+From 3a20773beeeeadec41477a5ba872175b778ff752 Mon Sep 17 00:00:00 2001
+From: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+Date: Thu, 20 Feb 2020 16:42:13 +0200
+Subject: net: netlink: cap max groups which will be considered in netlink_bind()
+
+From: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+
+commit 3a20773beeeeadec41477a5ba872175b778ff752 upstream.
+
+Since nl_groups is a u32 we can't bind more groups via ->bind
+(netlink_bind) call, but netlink has supported more groups via
+setsockopt() for a long time and thus nlk->ngroups could be over 32.
+Recently I added support for per-vlan notifications and increased the
+groups to 33 for NETLINK_ROUTE which exposed an old bug in the
+netlink_bind() code causing out-of-bounds access on archs where unsigned
+long is 32 bits via test_bit() on a local variable. Fix this by capping the
+maximum groups in netlink_bind() to BITS_PER_TYPE(u32), effectively
+capping them at 32 which is the minimum of allocated groups and the
+maximum groups which can be bound via netlink_bind().
+
+CC: Christophe Leroy <christophe.leroy@c-s.fr>
+CC: Richard Guy Briggs <rgb@redhat.com>
+Fixes: 4f520900522f ("netlink: have netlink per-protocol bind function return an error code.")
+Reported-by: Erhard F. <erhard_f@mailbox.org>
+Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/netlink/af_netlink.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/net/netlink/af_netlink.c
++++ b/net/netlink/af_netlink.c
+@@ -1029,7 +1029,8 @@ static int netlink_bind(struct socket *s
+ if (nlk->netlink_bind && groups) {
+ int group;
+
+- for (group = 0; group < nlk->ngroups; group++) {
++ /* nl_groups is a u32, so cap the maximum groups we can bind */
++ for (group = 0; group < BITS_PER_TYPE(u32); group++) {
+ if (!test_bit(group, &groups))
+ continue;
+ err = nlk->netlink_bind(net, group + 1);
+@@ -1048,7 +1049,7 @@ static int netlink_bind(struct socket *s
+ netlink_insert(sk, nladdr->nl_pid) :
+ netlink_autobind(sock);
+ if (err) {
+- netlink_undo_bind(nlk->ngroups, groups, sk);
++ netlink_undo_bind(BITS_PER_TYPE(u32), groups, sk);
+ goto unlock;
+ }
+ }
From: Arun Parameswaran <arun.parameswaran@broadcom.com>
+commit 6f08e98d62799e53c89dbf2c9a49d77e20ca648c upstream.
+
The mii management register in iproc mdio block
does not have a retention register so it is lost on suspend.
Save and restore value of register while resuming from suspend.
--- /dev/null
+From 6f3846f0955308b6d1b219419da42b8de2c08845 Mon Sep 17 00:00:00 2001
+From: Alexandra Winter <wintera@linux.ibm.com>
+Date: Thu, 20 Feb 2020 15:54:54 +0100
+Subject: s390/qeth: vnicc Fix EOPNOTSUPP precedence
+
+From: Alexandra Winter <wintera@linux.ibm.com>
+
+commit 6f3846f0955308b6d1b219419da42b8de2c08845 upstream.
+
+When getting or setting VNICC parameters, the error code EOPNOTSUPP
+should have precedence over EBUSY.
+
+EBUSY is used because vnicc feature and bridgeport feature are mutually
+exclusive, which is a temporary condition.
+Whereas EOPNOTSUPP indicates that the HW does not support all or parts of
+the vnicc feature.
+This issue causes the vnicc sysfs params to show 'blocked by bridgeport'
+for HW that does not support VNICC at all.
+
+Fixes: caa1f0b10d18 ("s390/qeth: add VNICC enable/disable support")
+Signed-off-by: Alexandra Winter <wintera@linux.ibm.com>
+Signed-off-by: Julian Wiedmann <jwi@linux.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/s390/net/qeth_l2_main.c | 29 +++++++++++++----------------
+ 1 file changed, 13 insertions(+), 16 deletions(-)
+
+--- a/drivers/s390/net/qeth_l2_main.c
++++ b/drivers/s390/net/qeth_l2_main.c
+@@ -2148,15 +2148,14 @@ int qeth_l2_vnicc_set_state(struct qeth_
+
+ QETH_CARD_TEXT(card, 2, "vniccsch");
+
+- /* do not change anything if BridgePort is enabled */
+- if (qeth_bridgeport_is_in_use(card))
+- return -EBUSY;
+-
+ /* check if characteristic and enable/disable are supported */
+ if (!(card->options.vnicc.sup_chars & vnicc) ||
+ !(card->options.vnicc.set_char_sup & vnicc))
+ return -EOPNOTSUPP;
+
++ if (qeth_bridgeport_is_in_use(card))
++ return -EBUSY;
++
+ /* set enable/disable command and store wanted characteristic */
+ if (state) {
+ cmd = IPA_VNICC_ENABLE;
+@@ -2202,14 +2201,13 @@ int qeth_l2_vnicc_get_state(struct qeth_
+
+ QETH_CARD_TEXT(card, 2, "vniccgch");
+
+- /* do not get anything if BridgePort is enabled */
+- if (qeth_bridgeport_is_in_use(card))
+- return -EBUSY;
+-
+ /* check if characteristic is supported */
+ if (!(card->options.vnicc.sup_chars & vnicc))
+ return -EOPNOTSUPP;
+
++ if (qeth_bridgeport_is_in_use(card))
++ return -EBUSY;
++
+ /* if card is ready, query current VNICC state */
+ if (qeth_card_hw_is_reachable(card))
+ rc = qeth_l2_vnicc_query_chars(card);
+@@ -2227,15 +2225,14 @@ int qeth_l2_vnicc_set_timeout(struct qet
+
+ QETH_CARD_TEXT(card, 2, "vniccsto");
+
+- /* do not change anything if BridgePort is enabled */
+- if (qeth_bridgeport_is_in_use(card))
+- return -EBUSY;
+-
+ /* check if characteristic and set_timeout are supported */
+ if (!(card->options.vnicc.sup_chars & QETH_VNICC_LEARNING) ||
+ !(card->options.vnicc.getset_timeout_sup & QETH_VNICC_LEARNING))
+ return -EOPNOTSUPP;
+
++ if (qeth_bridgeport_is_in_use(card))
++ return -EBUSY;
++
+ /* do we need to do anything? */
+ if (card->options.vnicc.learning_timeout == timeout)
+ return rc;
+@@ -2264,14 +2261,14 @@ int qeth_l2_vnicc_get_timeout(struct qet
+
+ QETH_CARD_TEXT(card, 2, "vniccgto");
+
+- /* do not get anything if BridgePort is enabled */
+- if (qeth_bridgeport_is_in_use(card))
+- return -EBUSY;
+-
+ /* check if characteristic and get_timeout are supported */
+ if (!(card->options.vnicc.sup_chars & QETH_VNICC_LEARNING) ||
+ !(card->options.vnicc.getset_timeout_sup & QETH_VNICC_LEARNING))
+ return -EOPNOTSUPP;
++
++ if (qeth_bridgeport_is_in_use(card))
++ return -EBUSY;
++
+ /* if card is ready, get timeout. Otherwise, just return stored value */
+ *timeout = card->options.vnicc.learning_timeout;
+ if (qeth_card_hw_is_reachable(card))
drm-i915-gvt-separate-display-reset-from-all_engines-reset.patch
hv_netvsc-fix-unwanted-wakeup-in-netvsc_attach.patch
usb-charger-assign-specific-number-for-enum-value.patch
+s390-qeth-vnicc-fix-eopnotsupp-precedence.patch
+net-netlink-cap-max-groups-which-will-be-considered-in-netlink_bind.patch
+net-atlantic-fix-use-after-free-kasan-warn.patch
+net-atlantic-fix-potential-error-handling.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
