From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Fri, 21 Feb 2020 07:20:06 +0000 (+0100)
Subject: 4.9-stable patches
X-Git-Tag: v4.19.106~12
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=cbd2af423b104100e21ba042e24e5ebb807e155b;p=thirdparty%2Fkernel%2Fstable-queue.git

4.9-stable patches

added patches:
	enic-prevent-waking-up-stopped-tx-queues-over-watchdog-reset.patch
	net-sched-flower-add-missing-validation-of-tca_flower_flags.patch
	net-sched-matchall-add-missing-validation-of-tca_matchall_flags.patch
---

diff --git a/queue-4.9/enic-prevent-waking-up-stopped-tx-queues-over-watchdog-reset.patch b/queue-4.9/enic-prevent-waking-up-stopped-tx-queues-over-watchdog-reset.patch
new file mode 100644
index 00000000000..16e577beec0
--- /dev/null
+++ b/queue-4.9/enic-prevent-waking-up-stopped-tx-queues-over-watchdog-reset.patch
@@ -0,0 +1,57 @@
+From foo@baz Fri 21 Feb 2020 08:17:43 AM CET
+From: Firo Yang <firo.yang@suse.com>
+Date: Wed, 12 Feb 2020 06:09:17 +0100
+Subject: enic: prevent waking up stopped tx queues over watchdog reset
+
+From: Firo Yang <firo.yang@suse.com>
+
+[ Upstream commit 0f90522591fd09dd201065c53ebefdfe3c6b55cb ]
+
+Recent months, our customer reported several kernel crashes all
+preceding with following message:
+NETDEV WATCHDOG: eth2 (enic): transmit queue 0 timed out
+Error message of one of those crashes:
+BUG: unable to handle kernel paging request at ffffffffa007e090
+
+After analyzing severl vmcores, I found that most of crashes are
+caused by memory corruption. And all the corrupted memory areas
+are overwritten by data of network packets. Moreover, I also found
+that the tx queues were enabled over watchdog reset.
+
+After going through the source code, I found that in enic_stop(),
+the tx queues stopped by netif_tx_disable() could be woken up over
+a small time window between netif_tx_disable() and the
+napi_disable() by the following code path:
+napi_poll->
+  enic_poll_msix_wq->
+     vnic_cq_service->
+        enic_wq_service->
+           netif_wake_subqueue(enic->netdev, q_number)->
+              test_and_clear_bit(__QUEUE_STATE_DRV_XOFF, &txq->state)
+In turn, upper netowrk stack could queue skb to ENIC NIC though
+enic_hard_start_xmit(). And this might introduce some race condition.
+
+Our customer comfirmed that this kind of kernel crash doesn't occur over
+90 days since they applied this patch.
+
+Signed-off-by: Firo Yang <firo.yang@suse.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/cisco/enic/enic_main.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/cisco/enic/enic_main.c
++++ b/drivers/net/ethernet/cisco/enic/enic_main.c
+@@ -1806,10 +1806,10 @@ static int enic_stop(struct net_device *
+ 	}
+ 
+ 	netif_carrier_off(netdev);
+-	netif_tx_disable(netdev);
+ 	if (vnic_dev_get_intr_mode(enic->vdev) == VNIC_DEV_INTR_MODE_MSIX)
+ 		for (i = 0; i < enic->wq_count; i++)
+ 			napi_disable(&enic->napi[enic_cq_wq(enic, i)]);
++	netif_tx_disable(netdev);
+ 
+ 	if (!enic_is_dynamic(enic) && !enic_is_sriov_vf(enic))
+ 		enic_dev_del_station_addr(enic);
diff --git a/queue-4.9/net-sched-flower-add-missing-validation-of-tca_flower_flags.patch b/queue-4.9/net-sched-flower-add-missing-validation-of-tca_flower_flags.patch
new file mode 100644
index 00000000000..a1c2dde45d7
--- /dev/null
+++ b/queue-4.9/net-sched-flower-add-missing-validation-of-tca_flower_flags.patch
@@ -0,0 +1,33 @@
+From foo@baz Fri 21 Feb 2020 08:17:43 AM CET
+From: Davide Caratti <dcaratti@redhat.com>
+Date: Tue, 11 Feb 2020 19:33:40 +0100
+Subject: net/sched: flower: add missing validation of TCA_FLOWER_FLAGS
+
+From: Davide Caratti <dcaratti@redhat.com>
+
+[ Upstream commit e2debf0852c4d66ba1a8bde12869b196094c70a7 ]
+
+unlike other classifiers that can be offloaded (i.e. users can set flags
+like 'skip_hw' and 'skip_sw'), 'cls_flower' doesn't validate the size of
+netlink attribute 'TCA_FLOWER_FLAGS' provided by user: add a proper entry
+to fl_policy.
+
+Fixes: 5b33f48842fa ("net/flower: Introduce hardware offload support")
+Signed-off-by: Davide Caratti <dcaratti@redhat.com>
+Acked-by: Jiri Pirko <jiri@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/cls_flower.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/sched/cls_flower.c
++++ b/net/sched/cls_flower.c
+@@ -364,6 +364,7 @@ static const struct nla_policy fl_policy
+ 	[TCA_FLOWER_KEY_TCP_DST_MASK]	= { .type = NLA_U16 },
+ 	[TCA_FLOWER_KEY_UDP_SRC_MASK]	= { .type = NLA_U16 },
+ 	[TCA_FLOWER_KEY_UDP_DST_MASK]	= { .type = NLA_U16 },
++	[TCA_FLOWER_FLAGS]		= { .type = NLA_U32 },
+ };
+ 
+ static void fl_set_key_val(struct nlattr **tb,
diff --git a/queue-4.9/net-sched-matchall-add-missing-validation-of-tca_matchall_flags.patch b/queue-4.9/net-sched-matchall-add-missing-validation-of-tca_matchall_flags.patch
new file mode 100644
index 00000000000..e2f3fedc98e
--- /dev/null
+++ b/queue-4.9/net-sched-matchall-add-missing-validation-of-tca_matchall_flags.patch
@@ -0,0 +1,33 @@
+From foo@baz Fri 21 Feb 2020 08:17:43 AM CET
+From: Davide Caratti <dcaratti@redhat.com>
+Date: Tue, 11 Feb 2020 19:33:39 +0100
+Subject: net/sched: matchall: add missing validation of TCA_MATCHALL_FLAGS
+
+From: Davide Caratti <dcaratti@redhat.com>
+
+[ Upstream commit 1afa3cc90f8fb745c777884d79eaa1001d6927a6 ]
+
+unlike other classifiers that can be offloaded (i.e. users can set flags
+like 'skip_hw' and 'skip_sw'), 'cls_matchall' doesn't validate the size
+of netlink attribute 'TCA_MATCHALL_FLAGS' provided by user: add a proper
+entry to mall_policy.
+
+Fixes: b87f7936a932 ("net/sched: Add match-all classifier hw offloading.")
+Signed-off-by: Davide Caratti <dcaratti@redhat.com>
+Acked-by: Jiri Pirko <jiri@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/cls_matchall.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/sched/cls_matchall.c
++++ b/net/sched/cls_matchall.c
+@@ -111,6 +111,7 @@ static unsigned long mall_get(struct tcf
+ static const struct nla_policy mall_policy[TCA_MATCHALL_MAX + 1] = {
+ 	[TCA_MATCHALL_UNSPEC]		= { .type = NLA_UNSPEC },
+ 	[TCA_MATCHALL_CLASSID]		= { .type = NLA_U32 },
++	[TCA_MATCHALL_FLAGS]		= { .type = NLA_U32 },
+ };
+ 
+ static int mall_set_parms(struct net *net, struct tcf_proto *tp,
diff --git a/queue-4.9/series b/queue-4.9/series
index 97053f3c6c2..4e5b3777e98 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -113,3 +113,6 @@ microblaze-prevent-the-overflow-of-the-start.patch
 brd-check-and-limit-max_part-par.patch
 help_next-should-increase-position-index.patch
 selinux-ensure-we-cleanup-the-internal-avc-counters-.patch
+enic-prevent-waking-up-stopped-tx-queues-over-watchdog-reset.patch
+net-sched-matchall-add-missing-validation-of-tca_matchall_flags.patch
+net-sched-flower-add-missing-validation-of-tca_flower_flags.patch