From: Greg Kroah-Hartman Date: Mon, 25 Nov 2019 13:29:01 +0000 (+0100) Subject: 4.19-stable patches X-Git-Tag: v4.4.203~3 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=52eec70445d53d069f2dd2c40fa0e41518041a56;p=thirdparty%2Fkernel%2Fstable-queue.git 4.19-stable patches added patches: mlxsw-spectrum_router-fix-determining-underlay-for-a-gre-tunnel.patch net-mlx4_en-fix-mlx4-ethtool-n-insertion.patch net-mlx4_en-fix-wrong-limitation-for-number-of-tx-rings.patch net-mlx5-fix-auto-group-size-calculation.patch net-mlx5e-fix-set-vf-link-state-error-flow.patch net-mlxfw-verify-fsm-error-code-translation-doesn-t-exceed-array-size.patch net-rtnetlink-prevent-underflows-in-do_setvfinfo.patch net-sched-act_pedit-fix-warn-in-the-traffic-path.patch net-sched-ensure-opts_len-ip_tunnel_opts_max-in-act_tunnel_key.patch sfc-only-cancel-the-pps-workqueue-if-it-exists.patch --- diff --git a/queue-4.19/mlxsw-spectrum_router-fix-determining-underlay-for-a-gre-tunnel.patch b/queue-4.19/mlxsw-spectrum_router-fix-determining-underlay-for-a-gre-tunnel.patch new file mode 100644 index 00000000000..afdd9712d1f --- /dev/null +++ b/queue-4.19/mlxsw-spectrum_router-fix-determining-underlay-for-a-gre-tunnel.patch @@ -0,0 +1,70 @@ +From foo@baz Mon 25 Nov 2019 02:27:10 PM CET +From: Petr Machata +Date: Mon, 18 Nov 2019 09:18:42 +0200 +Subject: mlxsw: spectrum_router: Fix determining underlay for a GRE tunnel + +From: Petr Machata + +[ Upstream commit 1fc1657775dc1b19e9ac1d46b4054ed8ae5d99ab ] + +The helper mlxsw_sp_ipip_dev_ul_tb_id() determines the underlay VRF of a +GRE tunnel. For a tunnel without a bound device, it uses the same VRF that +the tunnel is in. However in Linux, a GRE tunnel without a bound device +uses the main VRF as the underlay. Fix the function accordingly. + +mlxsw further assumed that moving a tunnel to a different VRF could cause +conflict in local tunnel endpoint address, which cannot be offloaded. +However, the only way that an underlay could be changed by moving the +tunnel device itself is if the tunnel device does not have a bound device. +But in that case the underlay is always the main VRF, so there is no +opportunity to introduce a conflict by moving such device. Thus this check +constitutes a dead code, and can be removed, which do. + +Fixes: 6ddb7426a7d4 ("mlxsw: spectrum_router: Introduce loopback RIFs") +Signed-off-by: Petr Machata +Signed-off-by: Ido Schimmel +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c | 19 ------------------ + 1 file changed, 1 insertion(+), 18 deletions(-) + +--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c ++++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c +@@ -970,7 +970,7 @@ u32 mlxsw_sp_ipip_dev_ul_tb_id(const str + if (d) + return l3mdev_fib_table(d) ? : RT_TABLE_MAIN; + else +- return l3mdev_fib_table(ol_dev) ? : RT_TABLE_MAIN; ++ return RT_TABLE_MAIN; + } + + static struct mlxsw_sp_rif * +@@ -1532,27 +1532,10 @@ static int mlxsw_sp_netdevice_ipip_ol_vr + { + struct mlxsw_sp_ipip_entry *ipip_entry = + mlxsw_sp_ipip_entry_find_by_ol_dev(mlxsw_sp, ol_dev); +- enum mlxsw_sp_l3proto ul_proto; +- union mlxsw_sp_l3addr saddr; +- u32 ul_tb_id; + + if (!ipip_entry) + return 0; + +- /* For flat configuration cases, moving overlay to a different VRF might +- * cause local address conflict, and the conflicting tunnels need to be +- * demoted. +- */ +- ul_tb_id = mlxsw_sp_ipip_dev_ul_tb_id(ol_dev); +- ul_proto = mlxsw_sp->router->ipip_ops_arr[ipip_entry->ipipt]->ul_proto; +- saddr = mlxsw_sp_ipip_netdev_saddr(ul_proto, ol_dev); +- if (mlxsw_sp_ipip_demote_tunnel_by_saddr(mlxsw_sp, ul_proto, +- saddr, ul_tb_id, +- ipip_entry)) { +- mlxsw_sp_ipip_entry_demote_tunnel(mlxsw_sp, ipip_entry); +- return 0; +- } +- + return __mlxsw_sp_ipip_entry_update_tunnel(mlxsw_sp, ipip_entry, + true, false, false, extack); + } diff --git a/queue-4.19/net-mlx4_en-fix-mlx4-ethtool-n-insertion.patch b/queue-4.19/net-mlx4_en-fix-mlx4-ethtool-n-insertion.patch new file mode 100644 index 00000000000..f402f82074c --- /dev/null +++ b/queue-4.19/net-mlx4_en-fix-mlx4-ethtool-n-insertion.patch @@ -0,0 +1,35 @@ +From foo@baz Mon 25 Nov 2019 02:27:10 PM CET +From: Luigi Rizzo +Date: Fri, 15 Nov 2019 12:12:25 -0800 +Subject: net/mlx4_en: fix mlx4 ethtool -N insertion + +From: Luigi Rizzo + +[ Upstream commit 34e59836565e36fade1464e054a3551c1a0364be ] + +ethtool expects ETHTOOL_GRXCLSRLALL to set ethtool_rxnfc->data with the +total number of entries in the rx classifier table. Surprisingly, mlx4 +is missing this part (in principle ethtool could still move forward and +try the insert). + +Tested: compiled and run command: + phh13:~# ethtool -N eth1 flow-type udp4 queue 4 + Added rule with ID 255 + +Signed-off-by: Luigi Rizzo +Reviewed-by: Tariq Toukan +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlx4/en_ethtool.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c ++++ b/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c +@@ -1745,6 +1745,7 @@ static int mlx4_en_get_rxnfc(struct net_ + err = mlx4_en_get_flow(dev, cmd, cmd->fs.location); + break; + case ETHTOOL_GRXCLSRLALL: ++ cmd->data = MAX_NUM_OF_FS_RULES; + while ((!err || err == -ENOENT) && priority < cmd->rule_cnt) { + err = mlx4_en_get_flow(dev, cmd, i); + if (!err) diff --git a/queue-4.19/net-mlx4_en-fix-wrong-limitation-for-number-of-tx-rings.patch b/queue-4.19/net-mlx4_en-fix-wrong-limitation-for-number-of-tx-rings.patch new file mode 100644 index 00000000000..2f0e1aa1afb --- /dev/null +++ b/queue-4.19/net-mlx4_en-fix-wrong-limitation-for-number-of-tx-rings.patch @@ -0,0 +1,75 @@ +From foo@baz Mon 25 Nov 2019 02:27:10 PM CET +From: Tariq Toukan +Date: Mon, 18 Nov 2019 11:41:04 +0200 +Subject: net/mlx4_en: Fix wrong limitation for number of TX rings + +From: Tariq Toukan + +[ Upstream commit 2744bf42680f64ebf2ee8a00354897857c073331 ] + +XDP_TX rings should not be limited by max_num_tx_rings_p_up. +To make sure total number of TX rings never exceed MAX_TX_RINGS, +add similar check in mlx4_en_alloc_tx_queue_per_tc(), where +a new value is assigned for num_up. + +Fixes: 7e1dc5e926d5 ("net/mlx4_en: Limit the number of TX rings") +Signed-off-by: Tariq Toukan +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlx4/en_ethtool.c | 8 ++++---- + drivers/net/ethernet/mellanox/mlx4/en_netdev.c | 9 +++++++++ + 2 files changed, 13 insertions(+), 4 deletions(-) + +--- a/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c ++++ b/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c +@@ -1812,6 +1812,7 @@ static int mlx4_en_set_channels(struct n + struct mlx4_en_dev *mdev = priv->mdev; + struct mlx4_en_port_profile new_prof; + struct mlx4_en_priv *tmp; ++ int total_tx_count; + int port_up = 0; + int xdp_count; + int err = 0; +@@ -1826,13 +1827,12 @@ static int mlx4_en_set_channels(struct n + + mutex_lock(&mdev->state_lock); + xdp_count = priv->tx_ring_num[TX_XDP] ? channel->rx_count : 0; +- if (channel->tx_count * priv->prof->num_up + xdp_count > +- priv->mdev->profile.max_num_tx_rings_p_up * priv->prof->num_up) { ++ total_tx_count = channel->tx_count * priv->prof->num_up + xdp_count; ++ if (total_tx_count > MAX_TX_RINGS) { + err = -EINVAL; + en_err(priv, + "Total number of TX and XDP rings (%d) exceeds the maximum supported (%d)\n", +- channel->tx_count * priv->prof->num_up + xdp_count, +- MAX_TX_RINGS); ++ total_tx_count, MAX_TX_RINGS); + goto out; + } + +--- a/drivers/net/ethernet/mellanox/mlx4/en_netdev.c ++++ b/drivers/net/ethernet/mellanox/mlx4/en_netdev.c +@@ -92,6 +92,7 @@ int mlx4_en_alloc_tx_queue_per_tc(struct + struct mlx4_en_dev *mdev = priv->mdev; + struct mlx4_en_port_profile new_prof; + struct mlx4_en_priv *tmp; ++ int total_count; + int port_up = 0; + int err = 0; + +@@ -105,6 +106,14 @@ int mlx4_en_alloc_tx_queue_per_tc(struct + MLX4_EN_NUM_UP_HIGH; + new_prof.tx_ring_num[TX] = new_prof.num_tx_rings_p_up * + new_prof.num_up; ++ total_count = new_prof.tx_ring_num[TX] + new_prof.tx_ring_num[TX_XDP]; ++ if (total_count > MAX_TX_RINGS) { ++ err = -EINVAL; ++ en_err(priv, ++ "Total number of TX and XDP rings (%d) exceeds the maximum supported (%d)\n", ++ total_count, MAX_TX_RINGS); ++ goto out; ++ } + err = mlx4_en_try_alloc_resources(priv, tmp, &new_prof, true); + if (err) + goto out; diff --git a/queue-4.19/net-mlx5-fix-auto-group-size-calculation.patch b/queue-4.19/net-mlx5-fix-auto-group-size-calculation.patch new file mode 100644 index 00000000000..4112704155e --- /dev/null +++ b/queue-4.19/net-mlx5-fix-auto-group-size-calculation.patch @@ -0,0 +1,74 @@ +From foo@baz Mon 25 Nov 2019 02:27:10 PM CET +From: Maor Gottlieb +Date: Thu, 5 Sep 2019 09:56:10 +0300 +Subject: net/mlx5: Fix auto group size calculation + +From: Maor Gottlieb + +[ Upstream commit 97fd8da281f80e7e69e0114bc906575734d4dfaf ] + +Once all the large flow groups (defined by the user when the flow table +is created - max_num_groups) were created, then all the following new +flow groups will have only one flow table entry, even though the flow table +has place to larger groups. +Fix the condition to prefer large flow group. + +Fixes: f0d22d187473 ("net/mlx5_core: Introduce flow steering autogrouped flow table") +Signed-off-by: Maor Gottlieb +Signed-off-by: Saeed Mahameed +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlx5/core/fs_core.c | 10 ++++++---- + drivers/net/ethernet/mellanox/mlx5/core/fs_core.h | 1 + + 2 files changed, 7 insertions(+), 4 deletions(-) + +--- a/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c +@@ -520,7 +520,7 @@ static void del_sw_flow_group(struct fs_ + + rhashtable_destroy(&fg->ftes_hash); + ida_destroy(&fg->fte_allocator); +- if (ft->autogroup.active) ++ if (ft->autogroup.active && fg->max_ftes == ft->autogroup.group_size) + ft->autogroup.num_groups--; + err = rhltable_remove(&ft->fgs_hash, + &fg->hash, +@@ -1065,6 +1065,8 @@ mlx5_create_auto_grouped_flow_table(stru + + ft->autogroup.active = true; + ft->autogroup.required_groups = max_num_groups; ++ /* We save place for flow groups in addition to max types */ ++ ft->autogroup.group_size = ft->max_fte / (max_num_groups + 1); + + return ft; + } +@@ -1270,8 +1272,7 @@ static struct mlx5_flow_group *alloc_aut + return ERR_PTR(-ENOENT); + + if (ft->autogroup.num_groups < ft->autogroup.required_groups) +- /* We save place for flow groups in addition to max types */ +- group_size = ft->max_fte / (ft->autogroup.required_groups + 1); ++ group_size = ft->autogroup.group_size; + + /* ft->max_fte == ft->autogroup.max_types */ + if (group_size == 0) +@@ -1298,7 +1299,8 @@ static struct mlx5_flow_group *alloc_aut + if (IS_ERR(fg)) + goto out; + +- ft->autogroup.num_groups++; ++ if (group_size == ft->autogroup.group_size) ++ ft->autogroup.num_groups++; + + out: + return fg; +--- a/drivers/net/ethernet/mellanox/mlx5/core/fs_core.h ++++ b/drivers/net/ethernet/mellanox/mlx5/core/fs_core.h +@@ -121,6 +121,7 @@ struct mlx5_flow_table { + struct { + bool active; + unsigned int required_groups; ++ unsigned int group_size; + unsigned int num_groups; + } autogroup; + /* Protect fwd_rules */ diff --git a/queue-4.19/net-mlx5e-fix-set-vf-link-state-error-flow.patch b/queue-4.19/net-mlx5e-fix-set-vf-link-state-error-flow.patch new file mode 100644 index 00000000000..df824708f75 --- /dev/null +++ b/queue-4.19/net-mlx5e-fix-set-vf-link-state-error-flow.patch @@ -0,0 +1,32 @@ +From foo@baz Mon 25 Nov 2019 02:27:10 PM CET +From: Roi Dayan +Date: Wed, 13 Nov 2019 14:42:00 +0200 +Subject: net/mlx5e: Fix set vf link state error flow + +From: Roi Dayan + +[ Upstream commit 751021218f7e66ee9bbaa2be23056e447cd75ec4 ] + +Before this commit the ndo always returned success. +Fix that. + +Fixes: 1ab2068a4c66 ("net/mlx5: Implement vports admin state backup/restore") +Signed-off-by: Roi Dayan +Reviewed-by: Vlad Buslov +Signed-off-by: Saeed Mahameed +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlx5/core/eswitch.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c +@@ -1861,7 +1861,7 @@ int mlx5_eswitch_set_vport_state(struct + + unlock: + mutex_unlock(&esw->state_lock); +- return 0; ++ return err; + } + + int mlx5_eswitch_get_vport_config(struct mlx5_eswitch *esw, diff --git a/queue-4.19/net-mlxfw-verify-fsm-error-code-translation-doesn-t-exceed-array-size.patch b/queue-4.19/net-mlxfw-verify-fsm-error-code-translation-doesn-t-exceed-array-size.patch new file mode 100644 index 00000000000..fb6c87b84cb --- /dev/null +++ b/queue-4.19/net-mlxfw-verify-fsm-error-code-translation-doesn-t-exceed-array-size.patch @@ -0,0 +1,34 @@ +From foo@baz Mon 25 Nov 2019 02:27:10 PM CET +From: Eran Ben Elisha +Date: Sun, 17 Nov 2019 10:18:59 +0200 +Subject: net/mlxfw: Verify FSM error code translation doesn't exceed array size + +From: Eran Ben Elisha + +[ Upstream commit 30e9e0550bf693c94bc15827781fe42dd60be634 ] + +Array mlxfw_fsm_state_err_str contains value to string translation, when +values are provided by mlxfw_dev. If value is larger than +MLXFW_FSM_STATE_ERR_MAX, return "unknown error" as expected instead of +reading an address than exceed array size. + +Fixes: 410ed13cae39 ("Add the mlxfw module for Mellanox firmware flash process") +Signed-off-by: Eran Ben Elisha +Acked-by: Jiri Pirko +Signed-off-by: Saeed Mahameed +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlxfw/mlxfw_fsm.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/net/ethernet/mellanox/mlxfw/mlxfw_fsm.c ++++ b/drivers/net/ethernet/mellanox/mlxfw/mlxfw_fsm.c +@@ -86,6 +86,8 @@ retry: + return err; + + if (fsm_state_err != MLXFW_FSM_STATE_ERR_OK) { ++ fsm_state_err = min_t(enum mlxfw_fsm_state_err, ++ fsm_state_err, MLXFW_FSM_STATE_ERR_MAX); + pr_err("Firmware flash failed: %s\n", + mlxfw_fsm_state_err_str[fsm_state_err]); + return -EINVAL; diff --git a/queue-4.19/net-rtnetlink-prevent-underflows-in-do_setvfinfo.patch b/queue-4.19/net-rtnetlink-prevent-underflows-in-do_setvfinfo.patch new file mode 100644 index 00000000000..2dcdc2be801 --- /dev/null +++ b/queue-4.19/net-rtnetlink-prevent-underflows-in-do_setvfinfo.patch @@ -0,0 +1,189 @@ +From foo@baz Mon 25 Nov 2019 02:27:10 PM CET +From: Dan Carpenter +Date: Wed, 20 Nov 2019 15:34:38 +0300 +Subject: net: rtnetlink: prevent underflows in do_setvfinfo() + +From: Dan Carpenter + +[ Upstream commit d658c8f56ec7b3de8051a24afb25da9ba3c388c5 ] + +The "ivm->vf" variable is a u32, but the problem is that a number of +drivers cast it to an int and then forget to check for negatives. An +example of this is in the cxgb4 driver. + +drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c + 2890 static int cxgb4_mgmt_get_vf_config(struct net_device *dev, + 2891 int vf, struct ifla_vf_info *ivi) + ^^^^^^ + 2892 { + 2893 struct port_info *pi = netdev_priv(dev); + 2894 struct adapter *adap = pi->adapter; + 2895 struct vf_info *vfinfo; + 2896 + 2897 if (vf >= adap->num_vfs) + ^^^^^^^^^^^^^^^^^^^ + 2898 return -EINVAL; + 2899 vfinfo = &adap->vfinfo[vf]; + ^^^^^^^^^^^^^^^^^^^^^^^^^^ + +There are 48 functions affected. + +drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c:8435 hclge_set_vf_vlan_filter() warn: can 'vfid' underflow 's32min-2147483646' +drivers/net/ethernet/freescale/enetc/enetc_pf.c:377 enetc_pf_set_vf_mac() warn: can 'vf' underflow 's32min-2147483646' +drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c:2899 cxgb4_mgmt_get_vf_config() warn: can 'vf' underflow 's32min-254' +drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c:2960 cxgb4_mgmt_set_vf_rate() warn: can 'vf' underflow 's32min-254' +drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c:3019 cxgb4_mgmt_set_vf_rate() warn: can 'vf' underflow 's32min-254' +drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c:3038 cxgb4_mgmt_set_vf_vlan() warn: can 'vf' underflow 's32min-254' +drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c:3086 cxgb4_mgmt_set_vf_link_state() warn: can 'vf' underflow 's32min-254' +drivers/net/ethernet/chelsio/cxgb/cxgb2.c:791 get_eeprom() warn: can 'i' underflow 's32min-(-4),0,4-s32max' +drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c:82 bnxt_set_vf_spoofchk() warn: can 'vf_id' underflow 's32min-65534' +drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c:164 bnxt_set_vf_trust() warn: can 'vf_id' underflow 's32min-65534' +drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c:186 bnxt_get_vf_config() warn: can 'vf_id' underflow 's32min-65534' +drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c:228 bnxt_set_vf_mac() warn: can 'vf_id' underflow 's32min-65534' +drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c:264 bnxt_set_vf_vlan() warn: can 'vf_id' underflow 's32min-65534' +drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c:293 bnxt_set_vf_bw() warn: can 'vf_id' underflow 's32min-65534' +drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c:333 bnxt_set_vf_link_state() warn: can 'vf_id' underflow 's32min-65534' +drivers/net/ethernet/broadcom/bnx2x/bnx2x_sriov.c:2595 bnx2x_vf_op_prep() warn: can 'vfidx' underflow 's32min-63' +drivers/net/ethernet/broadcom/bnx2x/bnx2x_sriov.c:2595 bnx2x_vf_op_prep() warn: can 'vfidx' underflow 's32min-63' +drivers/net/ethernet/broadcom/bnx2x/bnx2x_vfpf.c:2281 bnx2x_post_vf_bulletin() warn: can 'vf' underflow 's32min-63' +drivers/net/ethernet/broadcom/bnx2x/bnx2x_vfpf.c:2285 bnx2x_post_vf_bulletin() warn: can 'vf' underflow 's32min-63' +drivers/net/ethernet/broadcom/bnx2x/bnx2x_vfpf.c:2286 bnx2x_post_vf_bulletin() warn: can 'vf' underflow 's32min-63' +drivers/net/ethernet/broadcom/bnx2x/bnx2x_vfpf.c:2292 bnx2x_post_vf_bulletin() warn: can 'vf' underflow 's32min-63' +drivers/net/ethernet/broadcom/bnx2x/bnx2x_vfpf.c:2297 bnx2x_post_vf_bulletin() warn: can 'vf' underflow 's32min-63' +drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_pf.c:1832 qlcnic_sriov_set_vf_mac() warn: can 'vf' underflow 's32min-254' +drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_pf.c:1864 qlcnic_sriov_set_vf_tx_rate() warn: can 'vf' underflow 's32min-254' +drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_pf.c:1937 qlcnic_sriov_set_vf_vlan() warn: can 'vf' underflow 's32min-254' +drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_pf.c:2005 qlcnic_sriov_get_vf_config() warn: can 'vf' underflow 's32min-254' +drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_pf.c:2036 qlcnic_sriov_set_vf_spoofchk() warn: can 'vf' underflow 's32min-254' +drivers/net/ethernet/emulex/benet/be_main.c:1914 be_get_vf_config() warn: can 'vf' underflow 's32min-65534' +drivers/net/ethernet/emulex/benet/be_main.c:1915 be_get_vf_config() warn: can 'vf' underflow 's32min-65534' +drivers/net/ethernet/emulex/benet/be_main.c:1922 be_set_vf_tvt() warn: can 'vf' underflow 's32min-65534' +drivers/net/ethernet/emulex/benet/be_main.c:1951 be_clear_vf_tvt() warn: can 'vf' underflow 's32min-65534' +drivers/net/ethernet/emulex/benet/be_main.c:2063 be_set_vf_tx_rate() warn: can 'vf' underflow 's32min-65534' +drivers/net/ethernet/emulex/benet/be_main.c:2091 be_set_vf_link_state() warn: can 'vf' underflow 's32min-65534' +drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c:2609 ice_set_vf_port_vlan() warn: can 'vf_id' underflow 's32min-65534' +drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c:3050 ice_get_vf_cfg() warn: can 'vf_id' underflow 's32min-65534' +drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c:3103 ice_set_vf_spoofchk() warn: can 'vf_id' underflow 's32min-65534' +drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c:3181 ice_set_vf_mac() warn: can 'vf_id' underflow 's32min-65534' +drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c:3237 ice_set_vf_trust() warn: can 'vf_id' underflow 's32min-65534' +drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c:3286 ice_set_vf_link_state() warn: can 'vf_id' underflow 's32min-65534' +drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c:3919 i40e_validate_vf() warn: can 'vf_id' underflow 's32min-2147483646' +drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c:3957 i40e_ndo_set_vf_mac() warn: can 'vf_id' underflow 's32min-2147483646' +drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c:4104 i40e_ndo_set_vf_port_vlan() warn: can 'vf_id' underflow 's32min-2147483646' +drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c:4263 i40e_ndo_set_vf_bw() warn: can 'vf_id' underflow 's32min-2147483646' +drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c:4309 i40e_ndo_get_vf_config() warn: can 'vf_id' underflow 's32min-2147483646' +drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c:4371 i40e_ndo_set_vf_link_state() warn: can 'vf_id' underflow 's32min-2147483646' +drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c:4441 i40e_ndo_set_vf_spoofchk() warn: can 'vf_id' underflow 's32min-2147483646' +drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c:4441 i40e_ndo_set_vf_spoofchk() warn: can 'vf_id' underflow 's32min-2147483646' +drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c:4504 i40e_ndo_set_vf_trust() warn: can 'vf_id' underflow 's32min-2147483646' + +Signed-off-by: Dan Carpenter +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/core/rtnetlink.c | 23 ++++++++++++++++++++++- + 1 file changed, 22 insertions(+), 1 deletion(-) + +--- a/net/core/rtnetlink.c ++++ b/net/core/rtnetlink.c +@@ -2126,6 +2126,8 @@ static int do_setvfinfo(struct net_devic + if (tb[IFLA_VF_MAC]) { + struct ifla_vf_mac *ivm = nla_data(tb[IFLA_VF_MAC]); + ++ if (ivm->vf >= INT_MAX) ++ return -EINVAL; + err = -EOPNOTSUPP; + if (ops->ndo_set_vf_mac) + err = ops->ndo_set_vf_mac(dev, ivm->vf, +@@ -2137,6 +2139,8 @@ static int do_setvfinfo(struct net_devic + if (tb[IFLA_VF_VLAN]) { + struct ifla_vf_vlan *ivv = nla_data(tb[IFLA_VF_VLAN]); + ++ if (ivv->vf >= INT_MAX) ++ return -EINVAL; + err = -EOPNOTSUPP; + if (ops->ndo_set_vf_vlan) + err = ops->ndo_set_vf_vlan(dev, ivv->vf, ivv->vlan, +@@ -2169,6 +2173,8 @@ static int do_setvfinfo(struct net_devic + if (len == 0) + return -EINVAL; + ++ if (ivvl[0]->vf >= INT_MAX) ++ return -EINVAL; + err = ops->ndo_set_vf_vlan(dev, ivvl[0]->vf, ivvl[0]->vlan, + ivvl[0]->qos, ivvl[0]->vlan_proto); + if (err < 0) +@@ -2179,6 +2185,8 @@ static int do_setvfinfo(struct net_devic + struct ifla_vf_tx_rate *ivt = nla_data(tb[IFLA_VF_TX_RATE]); + struct ifla_vf_info ivf; + ++ if (ivt->vf >= INT_MAX) ++ return -EINVAL; + err = -EOPNOTSUPP; + if (ops->ndo_get_vf_config) + err = ops->ndo_get_vf_config(dev, ivt->vf, &ivf); +@@ -2197,6 +2205,8 @@ static int do_setvfinfo(struct net_devic + if (tb[IFLA_VF_RATE]) { + struct ifla_vf_rate *ivt = nla_data(tb[IFLA_VF_RATE]); + ++ if (ivt->vf >= INT_MAX) ++ return -EINVAL; + err = -EOPNOTSUPP; + if (ops->ndo_set_vf_rate) + err = ops->ndo_set_vf_rate(dev, ivt->vf, +@@ -2209,6 +2219,8 @@ static int do_setvfinfo(struct net_devic + if (tb[IFLA_VF_SPOOFCHK]) { + struct ifla_vf_spoofchk *ivs = nla_data(tb[IFLA_VF_SPOOFCHK]); + ++ if (ivs->vf >= INT_MAX) ++ return -EINVAL; + err = -EOPNOTSUPP; + if (ops->ndo_set_vf_spoofchk) + err = ops->ndo_set_vf_spoofchk(dev, ivs->vf, +@@ -2220,6 +2232,8 @@ static int do_setvfinfo(struct net_devic + if (tb[IFLA_VF_LINK_STATE]) { + struct ifla_vf_link_state *ivl = nla_data(tb[IFLA_VF_LINK_STATE]); + ++ if (ivl->vf >= INT_MAX) ++ return -EINVAL; + err = -EOPNOTSUPP; + if (ops->ndo_set_vf_link_state) + err = ops->ndo_set_vf_link_state(dev, ivl->vf, +@@ -2233,6 +2247,8 @@ static int do_setvfinfo(struct net_devic + + err = -EOPNOTSUPP; + ivrssq_en = nla_data(tb[IFLA_VF_RSS_QUERY_EN]); ++ if (ivrssq_en->vf >= INT_MAX) ++ return -EINVAL; + if (ops->ndo_set_vf_rss_query_en) + err = ops->ndo_set_vf_rss_query_en(dev, ivrssq_en->vf, + ivrssq_en->setting); +@@ -2243,6 +2259,8 @@ static int do_setvfinfo(struct net_devic + if (tb[IFLA_VF_TRUST]) { + struct ifla_vf_trust *ivt = nla_data(tb[IFLA_VF_TRUST]); + ++ if (ivt->vf >= INT_MAX) ++ return -EINVAL; + err = -EOPNOTSUPP; + if (ops->ndo_set_vf_trust) + err = ops->ndo_set_vf_trust(dev, ivt->vf, ivt->setting); +@@ -2253,15 +2271,18 @@ static int do_setvfinfo(struct net_devic + if (tb[IFLA_VF_IB_NODE_GUID]) { + struct ifla_vf_guid *ivt = nla_data(tb[IFLA_VF_IB_NODE_GUID]); + ++ if (ivt->vf >= INT_MAX) ++ return -EINVAL; + if (!ops->ndo_set_vf_guid) + return -EOPNOTSUPP; +- + return handle_vf_guid(dev, ivt, IFLA_VF_IB_NODE_GUID); + } + + if (tb[IFLA_VF_IB_PORT_GUID]) { + struct ifla_vf_guid *ivt = nla_data(tb[IFLA_VF_IB_PORT_GUID]); + ++ if (ivt->vf >= INT_MAX) ++ return -EINVAL; + if (!ops->ndo_set_vf_guid) + return -EOPNOTSUPP; + diff --git a/queue-4.19/net-sched-act_pedit-fix-warn-in-the-traffic-path.patch b/queue-4.19/net-sched-act_pedit-fix-warn-in-the-traffic-path.patch new file mode 100644 index 00000000000..8c9081f775b --- /dev/null +++ b/queue-4.19/net-sched-act_pedit-fix-warn-in-the-traffic-path.patch @@ -0,0 +1,96 @@ +From foo@baz Mon 25 Nov 2019 02:27:10 PM CET +From: Davide Caratti +Date: Tue, 19 Nov 2019 23:47:33 +0100 +Subject: net/sched: act_pedit: fix WARN() in the traffic path + +From: Davide Caratti + +[ Upstream commit f67169fef8dbcc1ac6a6a109ecaad0d3b259002c ] + +when configuring act_pedit rules, the number of keys is validated only on +addition of a new entry. This is not sufficient to avoid hitting a WARN() +in the traffic path: for example, it is possible to replace a valid entry +with a new one having 0 extended keys, thus causing splats in dmesg like: + + pedit BUG: index 42 + WARNING: CPU: 2 PID: 4054 at net/sched/act_pedit.c:410 tcf_pedit_act+0xc84/0x1200 [act_pedit] + [...] + RIP: 0010:tcf_pedit_act+0xc84/0x1200 [act_pedit] + Code: 89 fa 48 c1 ea 03 0f b6 04 02 84 c0 74 08 3c 03 0f 8e ac 00 00 00 48 8b 44 24 10 48 c7 c7 a0 c4 e4 c0 8b 70 18 e8 1c 30 95 ea <0f> 0b e9 a0 fa ff ff e8 00 03 f5 ea e9 14 f4 ff ff 48 89 58 40 e9 + RSP: 0018:ffff888077c9f320 EFLAGS: 00010286 + RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffffac2983a2 + RDX: 0000000000000001 RSI: 0000000000000008 RDI: ffff888053927bec + RBP: dffffc0000000000 R08: ffffed100a726209 R09: ffffed100a726209 + R10: 0000000000000001 R11: ffffed100a726208 R12: ffff88804beea780 + R13: ffff888079a77400 R14: ffff88804beea780 R15: ffff888027ab2000 + FS: 00007fdeec9bd740(0000) GS:ffff888053900000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 00007ffdb3dfd000 CR3: 000000004adb4006 CR4: 00000000001606e0 + Call Trace: + tcf_action_exec+0x105/0x3f0 + tcf_classify+0xf2/0x410 + __dev_queue_xmit+0xcbf/0x2ae0 + ip_finish_output2+0x711/0x1fb0 + ip_output+0x1bf/0x4b0 + ip_send_skb+0x37/0xa0 + raw_sendmsg+0x180c/0x2430 + sock_sendmsg+0xdb/0x110 + __sys_sendto+0x257/0x2b0 + __x64_sys_sendto+0xdd/0x1b0 + do_syscall_64+0xa5/0x4e0 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + RIP: 0033:0x7fdeeb72e993 + Code: 48 8b 0d e0 74 2c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d 0d d6 2c 00 00 75 13 49 89 ca b8 2c 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 34 c3 48 83 ec 08 e8 4b cc 00 00 48 89 04 24 + RSP: 002b:00007ffdb3de8a18 EFLAGS: 00000246 ORIG_RAX: 000000000000002c + RAX: ffffffffffffffda RBX: 000055c81972b700 RCX: 00007fdeeb72e993 + RDX: 0000000000000040 RSI: 000055c81972b700 RDI: 0000000000000003 + RBP: 00007ffdb3dea130 R08: 000055c819728510 R09: 0000000000000010 + R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000040 + R13: 000055c81972b6c0 R14: 000055c81972969c R15: 0000000000000080 + +Fix this moving the check on 'nkeys' earlier in tcf_pedit_init(), so that +attempts to install rules having 0 keys are always rejected with -EINVAL. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Davide Caratti +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/sched/act_pedit.c | 12 +++++------- + 1 file changed, 5 insertions(+), 7 deletions(-) + +--- a/net/sched/act_pedit.c ++++ b/net/sched/act_pedit.c +@@ -46,7 +46,7 @@ static struct tcf_pedit_key_ex *tcf_pedi + int err = -EINVAL; + int rem; + +- if (!nla || !n) ++ if (!nla) + return NULL; + + keys_ex = kcalloc(n, sizeof(*k), GFP_KERNEL); +@@ -169,6 +169,10 @@ static int tcf_pedit_init(struct net *ne + } + + parm = nla_data(pattr); ++ if (!parm->nkeys) { ++ NL_SET_ERR_MSG_MOD(extack, "Pedit requires keys to be passed"); ++ return -EINVAL; ++ } + ksize = parm->nkeys * sizeof(struct tc_pedit_key); + if (nla_len(pattr) < sizeof(*parm) + ksize) { + NL_SET_ERR_MSG_ATTR(extack, pattr, "Length of TCA_PEDIT_PARMS or TCA_PEDIT_PARMS_EX pedit attribute is invalid"); +@@ -182,12 +186,6 @@ static int tcf_pedit_init(struct net *ne + index = parm->index; + err = tcf_idr_check_alloc(tn, &index, a, bind); + if (!err) { +- if (!parm->nkeys) { +- tcf_idr_cleanup(tn, index); +- NL_SET_ERR_MSG_MOD(extack, "Pedit requires keys to be passed"); +- ret = -EINVAL; +- goto out_free; +- } + ret = tcf_idr_create(tn, index, est, a, + &act_pedit_ops, bind, false); + if (ret) { diff --git a/queue-4.19/net-sched-ensure-opts_len-ip_tunnel_opts_max-in-act_tunnel_key.patch b/queue-4.19/net-sched-ensure-opts_len-ip_tunnel_opts_max-in-act_tunnel_key.patch new file mode 100644 index 00000000000..85657d27c74 --- /dev/null +++ b/queue-4.19/net-sched-ensure-opts_len-ip_tunnel_opts_max-in-act_tunnel_key.patch @@ -0,0 +1,50 @@ +From foo@baz Mon 25 Nov 2019 02:27:10 PM CET +From: Xin Long +Date: Mon, 18 Nov 2019 17:39:34 +0800 +Subject: net: sched: ensure opts_len <= IP_TUNNEL_OPTS_MAX in act_tunnel_key + +From: Xin Long + +[ Upstream commit 4f0e97d070984d487df027f163e52bb72d1713d8 ] + +info->options_len is 'u8' type, and when opts_len with a value > +IP_TUNNEL_OPTS_MAX, 'info->options_len = opts_len' will cast int +to u8 and set a wrong value to info->options_len. + +Kernel crashed in my test when doing: + + # opts="0102:80:00800022" + # for i in {1..99}; do opts="$opts,0102:80:00800022"; done + # ip link add name geneve0 type geneve dstport 0 external + # tc qdisc add dev eth0 ingress + # tc filter add dev eth0 protocol ip parent ffff: \ + flower indev eth0 ip_proto udp action tunnel_key \ + set src_ip 10.0.99.192 dst_ip 10.0.99.193 \ + dst_port 6081 id 11 geneve_opts $opts \ + action mirred egress redirect dev geneve0 + +So we should do the similar check as cls_flower does, return error +when opts_len > IP_TUNNEL_OPTS_MAX in tunnel_key_copy_opts(). + +Fixes: 0ed5269f9e41 ("net/sched: add tunnel option support to act_tunnel_key") +Signed-off-by: Xin Long +Reviewed-by: Simon Horman +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/sched/act_tunnel_key.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/net/sched/act_tunnel_key.c ++++ b/net/sched/act_tunnel_key.c +@@ -137,6 +137,10 @@ static int tunnel_key_copy_opts(const st + if (opt_len < 0) + return opt_len; + opts_len += opt_len; ++ if (opts_len > IP_TUNNEL_OPTS_MAX) { ++ NL_SET_ERR_MSG(extack, "Tunnel options exceeds max size"); ++ return -EINVAL; ++ } + if (dst) { + dst_len -= opt_len; + dst += opt_len; diff --git a/queue-4.19/series b/queue-4.19/series new file mode 100644 index 00000000000..b999b9e8183 --- /dev/null +++ b/queue-4.19/series @@ -0,0 +1,10 @@ +mlxsw-spectrum_router-fix-determining-underlay-for-a-gre-tunnel.patch +net-mlx4_en-fix-mlx4-ethtool-n-insertion.patch +net-mlx4_en-fix-wrong-limitation-for-number-of-tx-rings.patch +net-rtnetlink-prevent-underflows-in-do_setvfinfo.patch +net-sched-act_pedit-fix-warn-in-the-traffic-path.patch +net-sched-ensure-opts_len-ip_tunnel_opts_max-in-act_tunnel_key.patch +sfc-only-cancel-the-pps-workqueue-if-it-exists.patch +net-mlx5e-fix-set-vf-link-state-error-flow.patch +net-mlxfw-verify-fsm-error-code-translation-doesn-t-exceed-array-size.patch +net-mlx5-fix-auto-group-size-calculation.patch diff --git a/queue-4.19/sfc-only-cancel-the-pps-workqueue-if-it-exists.patch b/queue-4.19/sfc-only-cancel-the-pps-workqueue-if-it-exists.patch new file mode 100644 index 00000000000..49ea9ee076e --- /dev/null +++ b/queue-4.19/sfc-only-cancel-the-pps-workqueue-if-it-exists.patch @@ -0,0 +1,32 @@ +From foo@baz Mon 25 Nov 2019 02:27:10 PM CET +From: Martin Habets +Date: Thu, 21 Nov 2019 17:52:15 +0000 +Subject: sfc: Only cancel the PPS workqueue if it exists + +From: Martin Habets + +[ Upstream commit 723eb53690041740a13ac78efeaf6804f5d684c9 ] + +The workqueue only exists for the primary PF. For other functions +we hit a WARN_ON in kernel/workqueue.c. + +Fixes: 7c236c43b838 ("sfc: Add support for IEEE-1588 PTP") +Signed-off-by: Martin Habets +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/sfc/ptp.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/sfc/ptp.c ++++ b/drivers/net/ethernet/sfc/ptp.c +@@ -1534,7 +1534,8 @@ void efx_ptp_remove(struct efx_nic *efx) + (void)efx_ptp_disable(efx); + + cancel_work_sync(&efx->ptp_data->work); +- cancel_work_sync(&efx->ptp_data->pps_work); ++ if (efx->ptp_data->pps_workwq) ++ cancel_work_sync(&efx->ptp_data->pps_work); + + skb_queue_purge(&efx->ptp_data->rxq); + skb_queue_purge(&efx->ptp_data->txq);