From: Greg Kroah-Hartman Date: Thu, 19 Sep 2019 13:27:03 +0000 (+0200) Subject: 4.14-stable patches X-Git-Tag: v4.4.194~42 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=3e5bfed0c8d019bdd603a307c9a1234f2e5f2f79;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: net_sched-let-qdisc_put-accept-null-pointer.patch xen-netfront-do-not-assume-sk_buff_head-list-is-empty-in-error-handling.patch --- diff --git a/queue-4.14/net_sched-let-qdisc_put-accept-null-pointer.patch b/queue-4.14/net_sched-let-qdisc_put-accept-null-pointer.patch new file mode 100644 index 00000000000..057e035122f --- /dev/null +++ b/queue-4.14/net_sched-let-qdisc_put-accept-null-pointer.patch 
@@ -0,0 +1,44 @@ +From foo@baz Thu 19 Sep 2019 03:07:06 PM CEST +From: Cong Wang +Date: Thu, 12 Sep 2019 10:22:30 -0700 +Subject: net_sched: let qdisc_put() accept NULL pointer + +From: Cong Wang + +[ Upstream commit 6efb971ba8edfbd80b666f29de12882852f095ae ] + +When tcf_block_get() fails in sfb_init(), q->qdisc is still a NULL +pointer which leads to a crash in sfb_destroy(). Similar for +sch_dsmark. + +Instead of fixing each separately, Linus suggested to just accept +NULL pointer in qdisc_put(), which would make callers easier. + +(For sch_dsmark, the bug probably exists long before commit +6529eaba33f0.) + +Fixes: 6529eaba33f0 ("net: sched: introduce tcf block infractructure") +Reported-by: syzbot+d5870a903591faaca4ae@syzkaller.appspotmail.com +Suggested-by: Linus Torvalds +Cc: Jamal Hadi Salim +Cc: Jiri Pirko +Signed-off-by: Cong Wang +Acked-by: Jiri Pirko +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/sched/sch_generic.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/net/sched/sch_generic.c ++++ b/net/sched/sch_generic.c +@@ -705,6 +705,9 @@ void qdisc_destroy(struct Qdisc *qdisc) + { + const struct Qdisc_ops *ops = qdisc->ops; + ++ if (!qdisc) ++ return; ++ + if (qdisc->flags & TCQ_F_BUILTIN || + !refcount_dec_and_test(&qdisc->refcnt)) + return; diff --git a/queue-4.14/series b/queue-4.14/series index f833e7b80a6..6750af75354 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -4,3 +4,5 @@ powerpc-mm-radix-use-the-right-page-size-for-vmemmap-mapping.patch usb-usbcore-fix-slab-out-of-bounds-bug-during-device-reset.patch phy-renesas-rcar-gen3-usb2-disable-clearing-vbus-in-over-current.patch media-tm6000-double-free-if-usb-disconnect-while-streaming.patch +xen-netfront-do-not-assume-sk_buff_head-list-is-empty-in-error-handling.patch +net_sched-let-qdisc_put-accept-null-pointer.patch 
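Review bot: the NULL check in the qdisc_destroy() hunk lands one statement too late: the first context line `const struct Qdisc_ops *ops = qdisc->ops;` dereferences qdisc before `if (!qdisc) return;` is reached, so a NULL qdisc from the sfb_init()/sch_dsmark failure paths the changelog describes still faults on entry and the added check never helps. The upstream subject places the check in qdisc_put(), which has no such load ahead of it; in this backport into qdisc_destroy() the check has to precede the ops load, e.g. `const struct Qdisc_ops *ops;` at the top, the early return on NULL, then `ops = qdisc->ops;`. Since the hunk header shows the change going into qdisc_destroy() rather than the qdisc_put() named in the subject, the backport note in the changelog should say so as well.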
diff --git a/queue-4.14/xen-netfront-do-not-assume-sk_buff_head-list-is-empty-in-error-handling.patch b/queue-4.14/xen-netfront-do-not-assume-sk_buff_head-list-is-empty-in-error-handling.patch new file mode 100644 index 00000000000..393119c833d --- /dev/null +++ b/queue-4.14/xen-netfront-do-not-assume-sk_buff_head-list-is-empty-in-error-handling.patch 
@@ -0,0 +1,53 @@ +From foo@baz Thu 19 Sep 2019 03:22:23 PM CEST +From: Dongli Zhang +Date: Mon, 16 Sep 2019 11:46:59 +0800 +Subject: xen-netfront: do not assume sk_buff_head list is empty in error handling + +From: Dongli Zhang + +[ Upstream commit 00b368502d18f790ab715e055869fd4bb7484a9b ] + +When skb_shinfo(skb) is not able to cache extra fragment (that is, +skb_shinfo(skb)->nr_frags >= MAX_SKB_FRAGS), xennet_fill_frags() assumes +the sk_buff_head list is already empty. As a result, cons is increased only +by 1 and returns to error handling path in xennet_poll(). + +However, if the sk_buff_head list is not empty, queue->rx.rsp_cons may be +set incorrectly. That is, queue->rx.rsp_cons would point to the rx ring +buffer entries whose queue->rx_skbs[i] and queue->grant_rx_ref[i] are +already cleared to NULL. This leads to NULL pointer access in the next +iteration to process rx ring buffer entries. + +Below is how xennet_poll() does error handling. All remaining entries in +tmpq are accounted to queue->rx.rsp_cons without assuming how many +outstanding skbs are remained in the list. + + 985 static int xennet_poll(struct napi_struct *napi, int budget) +... ... +1032 if (unlikely(xennet_set_skb_gso(skb, gso))) { +1033 __skb_queue_head(&tmpq, skb); +1034 queue->rx.rsp_cons += skb_queue_len(&tmpq); +1035 goto err; +1036 } + +It is better to always have the error handling in the same way. + +Fixes: ad4f15dc2c70 ("xen/netfront: don't bug in case of too many frags") +Signed-off-by: Dongli Zhang +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/xen-netfront.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/xen-netfront.c ++++ b/drivers/net/xen-netfront.c +@@ -908,7 +908,7 @@ static RING_IDX xennet_fill_frags(struct + __pskb_pull_tail(skb, pull_to - skb_headlen(skb)); + } + if (unlikely(skb_shinfo(skb)->nr_frags >= MAX_SKB_FRAGS)) { +- queue->rx.rsp_cons = ++cons; ++ queue->rx.rsp_cons = ++cons + skb_queue_len(list); + kfree_skb(nskb); + return ~0U; + }
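Review bot: the replacement line in the xennet_fill_frags() hunk combines two differently sourced counts, `++cons` for the entry being handled (nskb, freed on the following line) and `skb_queue_len(list)` for the entries still queued, and nothing in the code says why both are needed; a one-line comment above `queue->rx.rsp_cons = ++cons + skb_queue_len(list);` pointing at the `queue->rx.rsp_cons += skb_queue_len(&tmpq)` accounting in xennet_poll() that the changelog quotes would stop a later reader from simplifying it back to the old `++cons`. The arithmetic matches the described crash: by consuming every outstanding entry here, rsp_cons no longer points at ring slots whose rx_skbs[i] and grant_rx_ref[i] were already cleared, which is the NULL dereference the changelog reports.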