4.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 12 May 2020 10:06:33 +0000 (12:06 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 12 May 2020 10:06:33 +0000 (12:06 +0200)
added patches:
dp83640-reverse-arguments-to-list_add_tail.patch
net-mlx4_core-fix-use-of-enospc-around-mlx4_counter_alloc.patch
sch_choke-avoid-potential-panic-in-choke_reset.patch
sch_sfq-validate-silly-quantum-values.patch

queue-4.4/dp83640-reverse-arguments-to-list_add_tail.patch [new file with mode: 0644]
queue-4.4/net-mlx4_core-fix-use-of-enospc-around-mlx4_counter_alloc.patch [new file with mode: 0644]
queue-4.4/sch_choke-avoid-potential-panic-in-choke_reset.patch [new file with mode: 0644]
queue-4.4/sch_sfq-validate-silly-quantum-values.patch [new file with mode: 0644]
queue-4.4/series

diff --git a/queue-4.4/dp83640-reverse-arguments-to-list_add_tail.patch b/queue-4.4/dp83640-reverse-arguments-to-list_add_tail.patch
new file mode 100644 (file)
index 0000000..9fbd53d
--- /dev/null
@@ -0,0 +1,34 @@
+From foo@baz Tue 12 May 2020 11:40:03 AM CEST
+From: Julia Lawall <Julia.Lawall@inria.fr>
+Date: Thu, 30 Apr 2020 21:51:32 +0200
+Subject: dp83640: reverse arguments to list_add_tail
+
+From: Julia Lawall <Julia.Lawall@inria.fr>
+
+[ Upstream commit 865308373ed49c9fb05720d14cbf1315349b32a9 ]
+
+In this code, it appears that phyter_clocks is a list head, based on
+the previous list_for_each, and that clock->list is intended to be a
+list element, given that it has just been initialized in
+dp83640_clock_init.  Accordingly, switch the arguments to
+list_add_tail, which takes the list head as the second argument.
+
+Fixes: cb646e2b02b27 ("ptp: Added a clock driver for the National Semiconductor PHYTER.")
+Signed-off-by: Julia Lawall <Julia.Lawall@inria.fr>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/phy/dp83640.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/phy/dp83640.c
++++ b/drivers/net/phy/dp83640.c
+@@ -1107,7 +1107,7 @@ static struct dp83640_clock *dp83640_clo
+               goto out;
+       }
+       dp83640_clock_init(clock, bus);
+-      list_add_tail(&phyter_clocks, &clock->list);
++      list_add_tail(&clock->list, &phyter_clocks);
+ out:
+       mutex_unlock(&phyter_clocks_lock);
diff --git a/queue-4.4/net-mlx4_core-fix-use-of-enospc-around-mlx4_counter_alloc.patch b/queue-4.4/net-mlx4_core-fix-use-of-enospc-around-mlx4_counter_alloc.patch
new file mode 100644 (file)
index 0000000..dc3e08c
--- /dev/null
@@ -0,0 +1,49 @@
+From foo@baz Tue 12 May 2020 11:40:03 AM CEST
+From: Tariq Toukan <tariqt@mellanox.com>
+Date: Mon, 4 May 2020 11:36:02 +0300
+Subject: net/mlx4_core: Fix use of ENOSPC around mlx4_counter_alloc()
+
+From: Tariq Toukan <tariqt@mellanox.com>
+
+[ Upstream commit 40e473071dbad04316ddc3613c3a3d1c75458299 ]
+
+When ENOSPC is set the idx is still valid and gets set to the global
+MLX4_SINK_COUNTER_INDEX.  However gcc's static analysis cannot tell that
+ENOSPC is impossible from mlx4_cmd_imm() and gives this warning:
+
+drivers/net/ethernet/mellanox/mlx4/main.c:2552:28: warning: 'idx' may be
+used uninitialized in this function [-Wmaybe-uninitialized]
+ 2552 |    priv->def_counter[port] = idx;
+
+Also, when ENOSPC is returned mlx4_allocate_default_counters should not
+fail.
+
+Fixes: 6de5f7f6a1fa ("net/mlx4_core: Allocate default counter per port")
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Tariq Toukan <tariqt@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx4/main.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx4/main.c
++++ b/drivers/net/ethernet/mellanox/mlx4/main.c
+@@ -2295,6 +2295,7 @@ static int mlx4_allocate_default_counter
+               if (!err || err == -ENOSPC) {
+                       priv->def_counter[port] = idx;
++                      err = 0;
+               } else if (err == -ENOENT) {
+                       err = 0;
+                       continue;
+@@ -2344,7 +2345,8 @@ int mlx4_counter_alloc(struct mlx4_dev *
+                                  MLX4_CMD_TIME_CLASS_A, MLX4_CMD_WRAPPED);
+               if (!err)
+                       *idx = get_param_l(&out_param);
+-
++              if (WARN_ON(err == -ENOSPC))
++                      err = -EINVAL;
+               return err;
+       }
+       return __mlx4_counter_alloc(dev, idx);
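Review bot: The new `WARN_ON(err == -ENOSPC)` in mlx4_counter_alloc() carries no comment saying why a -ENOSPC from the wrapped command is rewritten to -EINVAL; the reason is only in the commit message. mlx4_allocate_default_counters() treats -ENOSPC as success and stores `idx`, so a -ENOSPC that arrived without `*idx` being written would put an uninitialized value into `priv->def_counter[port]`. I would add a comment above the check such as `/* -ENOSPC implies *idx was set to the sink counter; the command path never does that, so reject it here */`. Because `err` comes back from the command interface, it may also be worth confirming whether `WARN_ON_ONCE` is the better choice for systems running with panic_on_warn. Both functions start and end outside their hunks.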
diff --git a/queue-4.4/sch_choke-avoid-potential-panic-in-choke_reset.patch b/queue-4.4/sch_choke-avoid-potential-panic-in-choke_reset.patch
new file mode 100644 (file)
index 0000000..bb9103a
--- /dev/null
@@ -0,0 +1,69 @@
+From foo@baz Tue 12 May 2020 11:40:03 AM CEST
+From: Eric Dumazet <edumazet@google.com>
+Date: Sat, 25 Apr 2020 15:19:51 -0700
+Subject: sch_choke: avoid potential panic in choke_reset()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 8738c85c72b3108c9b9a369a39868ba5f8e10ae0 ]
+
+If choke_init() could not allocate q->tab, we would crash later
+in choke_reset().
+
+BUG: KASAN: null-ptr-deref in memset include/linux/string.h:366 [inline]
+BUG: KASAN: null-ptr-deref in choke_reset+0x208/0x340 net/sched/sch_choke.c:326
+Write of size 8 at addr 0000000000000000 by task syz-executor822/7022
+
+CPU: 1 PID: 7022 Comm: syz-executor822 Not tainted 5.7.0-rc1-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x188/0x20d lib/dump_stack.c:118
+ __kasan_report.cold+0x5/0x4d mm/kasan/report.c:515
+ kasan_report+0x33/0x50 mm/kasan/common.c:625
+ check_memory_region_inline mm/kasan/generic.c:187 [inline]
+ check_memory_region+0x141/0x190 mm/kasan/generic.c:193
+ memset+0x20/0x40 mm/kasan/common.c:85
+ memset include/linux/string.h:366 [inline]
+ choke_reset+0x208/0x340 net/sched/sch_choke.c:326
+ qdisc_reset+0x6b/0x520 net/sched/sch_generic.c:910
+ dev_deactivate_queue.constprop.0+0x13c/0x240 net/sched/sch_generic.c:1138
+ netdev_for_each_tx_queue include/linux/netdevice.h:2197 [inline]
+ dev_deactivate_many+0xe2/0xba0 net/sched/sch_generic.c:1195
+ dev_deactivate+0xf8/0x1c0 net/sched/sch_generic.c:1233
+ qdisc_graft+0xd25/0x1120 net/sched/sch_api.c:1051
+ tc_modify_qdisc+0xbab/0x1a00 net/sched/sch_api.c:1670
+ rtnetlink_rcv_msg+0x44e/0xad0 net/core/rtnetlink.c:5454
+ netlink_rcv_skb+0x15a/0x410 net/netlink/af_netlink.c:2469
+ netlink_unicast_kernel net/netlink/af_netlink.c:1303 [inline]
+ netlink_unicast+0x537/0x740 net/netlink/af_netlink.c:1329
+ netlink_sendmsg+0x882/0xe10 net/netlink/af_netlink.c:1918
+ sock_sendmsg_nosec net/socket.c:652 [inline]
+ sock_sendmsg+0xcf/0x120 net/socket.c:672
+ ____sys_sendmsg+0x6bf/0x7e0 net/socket.c:2362
+ ___sys_sendmsg+0x100/0x170 net/socket.c:2416
+ __sys_sendmsg+0xec/0x1b0 net/socket.c:2449
+ do_syscall_64+0xf6/0x7d0 arch/x86/entry/common.c:295
+
+Fixes: 77e62da6e60c ("sch_choke: drop all packets in queue during reset")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Cc: Cong Wang <xiyou.wangcong@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/sch_choke.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/sched/sch_choke.c
++++ b/net/sched/sch_choke.c
+@@ -396,7 +396,8 @@ static void choke_reset(struct Qdisc *sc
+               qdisc_drop(skb, sch);
+       }
+-      memset(q->tab, 0, (q->tab_mask + 1) * sizeof(struct sk_buff *));
++      if (q->tab)
++              memset(q->tab, 0, (q->tab_mask + 1) * sizeof(struct sk_buff *));
+       q->head = q->tail = 0;
+       red_restart(&q->vars);
+ }
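Review bot: The added `if (q->tab)` guards only the memset, while the drain loop that ends just above it (its start is outside the hunk) appears to index `q->tab` as well and would be safe only because head and tail are equal when the table was never allocated. A one-line comment would make that invariant explicit, e.g. `/* q->tab is NULL if choke_init() failed; head == tail then, so the loop above never runs */`. The trace in the description shows choke_reset() being reached from a netlink sendmsg, so it is worth checking that no other user of `q->tab` on the reset or destroy path assumes a successful init.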
diff --git a/queue-4.4/sch_sfq-validate-silly-quantum-values.patch b/queue-4.4/sch_sfq-validate-silly-quantum-values.patch
new file mode 100644 (file)
index 0000000..746cf75
--- /dev/null
@@ -0,0 +1,47 @@
+From foo@baz Tue 12 May 2020 11:40:03 AM CEST
+From: Eric Dumazet <edumazet@google.com>
+Date: Sun, 26 Apr 2020 18:19:07 -0700
+Subject: sch_sfq: validate silly quantum values
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit df4953e4e997e273501339f607b77953772e3559 ]
+
+syzbot managed to set up sfq so that q->scaled_quantum was zero,
+triggering an infinite loop in sfq_dequeue()
+
+More generally, we must only accept quantum between 1 and 2^18 - 7,
+meaning scaled_quantum must be in [1, 0x7FFF] range.
+
+Otherwise, we also could have a loop in sfq_dequeue()
+if scaled_quantum happens to be 0x8000, since slot->allot
+could indefinitely switch between 0 and 0x8000.
+
+Fixes: eeaeb068f139 ("sch_sfq: allow big packets and be fair")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot+0251e883fe39e7a0cb0a@syzkaller.appspotmail.com
+Cc: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/sch_sfq.c |    9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/net/sched/sch_sfq.c
++++ b/net/sched/sch_sfq.c
+@@ -635,6 +635,15 @@ static int sfq_change(struct Qdisc *sch,
+       if (ctl->divisor &&
+           (!is_power_of_2(ctl->divisor) || ctl->divisor > 65536))
+               return -EINVAL;
++
++      /* slot->allot is a short, make sure quantum is not too big. */
++      if (ctl->quantum) {
++              unsigned int scaled = SFQ_ALLOT_SIZE(ctl->quantum);
++
++              if (scaled <= 0 || scaled > SHRT_MAX)
++                      return -EINVAL;
++      }
++
+       if (ctl_v1 && !red_check_params(ctl_v1->qth_min, ctl_v1->qth_max,
+                                       ctl_v1->Wlog))
+               return -EINVAL;
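Review bot: `scaled` is declared `unsigned int`, so `scaled <= 0` can only ever mean `scaled == 0`; writing `if (!scaled || scaled > SHRT_MAX)` says that directly and avoids a type-limits warning on stricter builds. The comment explains the upper bound but not the zero case, which is the one the description ties to the loop in sfq_dequeue(); I would extend it to `/* slot->allot is a short: scaled quantum must be in [1, SHRT_MAX], zero would loop in sfq_dequeue() */`. A `ctl->quantum` of 0 skips the check entirely, presumably because the rest of sfq_change() (outside the hunk) treats it as "leave unchanged"; that is worth confirming.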
index e43f1955984045d38813e792591de1f9b2b292d9..398a9123587dd7348ab4815b49a23301963a6d63 100644 (file)
@@ -1,2 +1,6 @@
 usb-serial-qcserial-add-dw5816e-support.patch
 revert-net-phy-avoid-polling-phy-with-phy_ignore_interrupts.patch
+dp83640-reverse-arguments-to-list_add_tail.patch
+net-mlx4_core-fix-use-of-enospc-around-mlx4_counter_alloc.patch
+sch_sfq-validate-silly-quantum-values.patch
+sch_choke-avoid-potential-panic-in-choke_reset.patch