4.9-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 3 Dec 2019 10:22:16 +0000 (11:22 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 3 Dec 2019 10:22:16 +0000 (11:22 +0100)
added patches:
macvlan-schedule-bc_work-even-if-error.patch
net-sched-fix-tc-s-class-show-no-bstats-on-class-with-nolock-subqueues.patch
openvswitch-drop-unneeded-bug_on-in-ovs_flow_cmd_build_info.patch
openvswitch-fix-flow-command-message-size.patch
openvswitch-remove-another-bug_on.patch
sctp-cache-netns-in-sctp_ep_common.patch
slip-fix-use-after-free-read-in-slip_open.patch
tipc-fix-link-name-length-check.patch

queue-4.9/macvlan-schedule-bc_work-even-if-error.patch [new file with mode: 0644]
queue-4.9/net-sched-fix-tc-s-class-show-no-bstats-on-class-with-nolock-subqueues.patch [new file with mode: 0644]
queue-4.9/openvswitch-drop-unneeded-bug_on-in-ovs_flow_cmd_build_info.patch [new file with mode: 0644]
queue-4.9/openvswitch-fix-flow-command-message-size.patch [new file with mode: 0644]
queue-4.9/openvswitch-remove-another-bug_on.patch [new file with mode: 0644]
queue-4.9/sctp-cache-netns-in-sctp_ep_common.patch [new file with mode: 0644]
queue-4.9/series
queue-4.9/slip-fix-use-after-free-read-in-slip_open.patch [new file with mode: 0644]
queue-4.9/tipc-fix-link-name-length-check.patch [new file with mode: 0644]

diff --git a/queue-4.9/macvlan-schedule-bc_work-even-if-error.patch b/queue-4.9/macvlan-schedule-bc_work-even-if-error.patch
new file mode 100644 (file)
index 0000000..eef1c9e
--- /dev/null
@@ -0,0 +1,52 @@
+From foo@baz Tue 03 Dec 2019 11:07:30 AM CET
+From: Menglong Dong <dong.menglong@zte.com.cn>
+Date: Mon, 25 Nov 2019 16:58:09 +0800
+Subject: macvlan: schedule bc_work even if error
+
+From: Menglong Dong <dong.menglong@zte.com.cn>
+
+[ Upstream commit 1d7ea55668878bb350979c377fc72509dd6f5b21 ]
+
+While enqueueing a broadcast skb to port->bc_queue, schedule_work()
+is called to add port->bc_work, which processes the skbs in
+bc_queue, to "events" work queue. If port->bc_queue is full, the
+skb will be discarded and schedule_work(&port->bc_work) won't be
+called. However, if port->bc_queue is full and port->bc_work is not
+running or pending, port->bc_queue will keep full and schedule_work()
+won't be called any more, and all broadcast skbs to macvlan will be
+discarded. This case can happen:
+
+macvlan_process_broadcast() is the pending function of port->bc_work,
+it moves all the skbs in port->bc_queue to the queue "list", and
+processes the skbs in "list". During this, new skbs will keep being
+added to port->bc_queue in macvlan_broadcast_enqueue(), and
+port->bc_queue may already full when macvlan_process_broadcast()
+return. This may happen, especially when there are a lot of real-time
+threads and the process is preempted.
+
+Fix this by calling schedule_work(&port->bc_work) even if
+port->bc_work is full in macvlan_broadcast_enqueue().
+
+Fixes: 412ca1550cbe ("macvlan: Move broadcasts into a work queue")
+Signed-off-by: Menglong Dong <dong.menglong@zte.com.cn>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/macvlan.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/macvlan.c
++++ b/drivers/net/macvlan.c
+@@ -334,10 +334,11 @@ static void macvlan_broadcast_enqueue(st
+       }
+       spin_unlock(&port->bc_queue.lock);
++      schedule_work(&port->bc_work);
++
+       if (err)
+               goto free_nskb;
+-      schedule_work(&port->bc_work);
+       return;
+ free_nskb:
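Review bot: The `schedule_work(&port->bc_work)` call that now sits before `if (err)` carries no comment, yet its position is the entire fix, so a later cleanup could easily move it back under the success path and reintroduce the stalled queue. I would add `/* Kick the worker even if this skb was dropped: a full bc_queue with no pending work is otherwise never drained */` directly above it. The call stays after `spin_unlock(&port->bc_queue.lock)`, which looks intentional and is worth keeping. macvlan_broadcast_enqueue() starts and ends outside the inner hunk, so the `free_nskb` path cannot be checked from here.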
diff --git a/queue-4.9/net-sched-fix-tc-s-class-show-no-bstats-on-class-with-nolock-subqueues.patch b/queue-4.9/net-sched-fix-tc-s-class-show-no-bstats-on-class-with-nolock-subqueues.patch
new file mode 100644 (file)
index 0000000..16b5e76
--- /dev/null
@@ -0,0 +1,83 @@
+From foo@baz Tue 03 Dec 2019 10:28:24 AM CET
+From: Dust Li <dust.li@linux.alibaba.com>
+Date: Thu, 28 Nov 2019 14:29:09 +0800
+Subject: net: sched: fix `tc -s class show` no bstats on class with nolock subqueues
+
+From: Dust Li <dust.li@linux.alibaba.com>
+
+[ Upstream commit 14e54ab9143fa60794d13ea0a66c792a2046a8f3 ]
+
+When a classful qdisc's child qdisc has set the flag
+TCQ_F_CPUSTATS (pfifo_fast for example), the child qdisc's
+cpu_bstats should be passed to gnet_stats_copy_basic(),
+but many classful qdisc didn't do that. As a result,
+`tc -s class show dev DEV` always return 0 for bytes and
+packets in this case.
+
+Pass the child qdisc's cpu_bstats to gnet_stats_copy_basic()
+to fix this issue.
+
+The qstats also has this problem, but it has been fixed
+in 5dd431b6b9 ("net: sched: introduce and use qstats read...")
+and bstats still remains buggy.
+
+Fixes: 22e0f8b9322c ("net: sched: make bstats per cpu and estimator RCU safe")
+Signed-off-by: Dust Li <dust.li@linux.alibaba.com>
+Signed-off-by: Tony Lu <tonylu@linux.alibaba.com>
+Acked-by: Cong Wang <xiyou.wangcong@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/sch_mq.c     |    3 ++-
+ net/sched/sch_mqprio.c |    4 ++--
+ net/sched/sch_multiq.c |    2 +-
+ net/sched/sch_prio.c   |    2 +-
+ 4 files changed, 6 insertions(+), 5 deletions(-)
+
+--- a/net/sched/sch_mq.c
++++ b/net/sched/sch_mq.c
+@@ -195,7 +195,8 @@ static int mq_dump_class_stats(struct Qd
+       struct netdev_queue *dev_queue = mq_queue_get(sch, cl);
+       sch = dev_queue->qdisc_sleeping;
+-      if (gnet_stats_copy_basic(&sch->running, d, NULL, &sch->bstats) < 0 ||
++      if (gnet_stats_copy_basic(&sch->running, d, sch->cpu_bstats,
++                                &sch->bstats) < 0 ||
+           gnet_stats_copy_queue(d, NULL, &sch->qstats, sch->q.qlen) < 0)
+               return -1;
+       return 0;
+--- a/net/sched/sch_mqprio.c
++++ b/net/sched/sch_mqprio.c
+@@ -362,8 +362,8 @@ static int mqprio_dump_class_stats(struc
+               struct netdev_queue *dev_queue = mqprio_queue_get(sch, cl);
+               sch = dev_queue->qdisc_sleeping;
+-              if (gnet_stats_copy_basic(qdisc_root_sleeping_running(sch),
+-                                        d, NULL, &sch->bstats) < 0 ||
++              if (gnet_stats_copy_basic(qdisc_root_sleeping_running(sch), d,
++                                        sch->cpu_bstats, &sch->bstats) < 0 ||
+                   gnet_stats_copy_queue(d, NULL,
+                                         &sch->qstats, sch->q.qlen) < 0)
+                       return -1;
+--- a/net/sched/sch_multiq.c
++++ b/net/sched/sch_multiq.c
+@@ -332,7 +332,7 @@ static int multiq_dump_class_stats(struc
+       cl_q = q->queues[cl - 1];
+       if (gnet_stats_copy_basic(qdisc_root_sleeping_running(sch),
+-                                d, NULL, &cl_q->bstats) < 0 ||
++                                d, cl_q->cpu_bstats, &cl_q->bstats) < 0 ||
+           gnet_stats_copy_queue(d, NULL, &cl_q->qstats, cl_q->q.qlen) < 0)
+               return -1;
+--- a/net/sched/sch_prio.c
++++ b/net/sched/sch_prio.c
+@@ -286,7 +286,7 @@ static int prio_dump_class_stats(struct
+       cl_q = q->queues[cl - 1];
+       if (gnet_stats_copy_basic(qdisc_root_sleeping_running(sch),
+-                                d, NULL, &cl_q->bstats) < 0 ||
++                                d, cl_q->cpu_bstats, &cl_q->bstats) < 0 ||
+           gnet_stats_copy_queue(d, NULL, &cl_q->qstats, cl_q->q.qlen) < 0)
+               return -1;
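Review bot: In all four `*_dump_class_stats` hunks the neighbouring `gnet_stats_copy_queue(d, NULL, ...)` call still passes NULL for the per-cpu queue stats, so after this change the byte/packet counters read `cpu_bstats` while the queue counters in the same condition do not. The commit message says qstats was fixed by 5dd431b6b9, but the context lines here do not show that fix, so it is worth confirming that commit is present in the 4.9 tree before queuing this one. It would also help to state in the backport whether `cpu_bstats` may be NULL for a child without TCQ_F_CPUSTATS and that gnet_stats_copy_basic() is expected to use `&sch->bstats` in that case. The functions start and end outside the hunks.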
diff --git a/queue-4.9/openvswitch-drop-unneeded-bug_on-in-ovs_flow_cmd_build_info.patch b/queue-4.9/openvswitch-drop-unneeded-bug_on-in-ovs_flow_cmd_build_info.patch
new file mode 100644 (file)
index 0000000..94469fd
--- /dev/null
@@ -0,0 +1,40 @@
+From foo@baz Tue 03 Dec 2019 11:07:30 AM CET
+From: Paolo Abeni <pabeni@redhat.com>
+Date: Sun, 1 Dec 2019 18:41:24 +0100
+Subject: openvswitch: drop unneeded BUG_ON() in ovs_flow_cmd_build_info()
+
+From: Paolo Abeni <pabeni@redhat.com>
+
+[ Upstream commit 8ffeb03fbba3b599690b361467bfd2373e8c450f ]
+
+All the callers of ovs_flow_cmd_build_info() already deal with
+error return code correctly, so we can handle the error condition
+in a more gracefull way. Still dump a warning to preserve
+debuggability.
+
+v1 -> v2:
+ - clarify the commit message
+ - clean the skb and report the error (DaveM)
+
+Fixes: ccb1352e76cf ("net: Add Open vSwitch kernel components.")
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/openvswitch/datapath.c |    5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/net/openvswitch/datapath.c
++++ b/net/openvswitch/datapath.c
+@@ -920,7 +920,10 @@ static struct sk_buff *ovs_flow_cmd_buil
+       retval = ovs_flow_cmd_fill_info(flow, dp_ifindex, skb,
+                                       info->snd_portid, info->snd_seq, 0,
+                                       cmd, ufid_flags);
+-      BUG_ON(retval < 0);
++      if (WARN_ON_ONCE(retval < 0)) {
++              kfree_skb(skb);
++              skb = ERR_PTR(retval);
++      }
+       return skb;
+ }
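Review bot: `WARN_ON_ONCE(retval < 0)` still takes the machine down on hosts that run with panic_on_warn, so the new branch removes the crash only where that setting is off; the same applies to the `WARN_ON_ONCE(err < 0)` added to ovs_flow_cmd_del() in the 'remove another BUG_ON()' patch on this page. The code does not say what makes `ovs_flow_cmd_fill_info()` fail here; it looks like an undersized skb, which the sibling patch 'openvswitch: fix flow command message size' addresses. I would record that above the check, for example `/* fill_info should only fail if ovs_flow_cmd_msg_size() under-estimated the reply */`, to be confirmed by the author. The function can now return `ERR_PTR(retval)`; its callers are outside the hunk, and the commit message states they already handle an error return.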
diff --git a/queue-4.9/openvswitch-fix-flow-command-message-size.patch b/queue-4.9/openvswitch-fix-flow-command-message-size.patch
new file mode 100644 (file)
index 0000000..905c110
--- /dev/null
@@ -0,0 +1,42 @@
+From foo@baz Tue 03 Dec 2019 11:07:30 AM CET
+From: Paolo Abeni <pabeni@redhat.com>
+Date: Tue, 26 Nov 2019 12:55:50 +0100
+Subject: openvswitch: fix flow command message size
+
+From: Paolo Abeni <pabeni@redhat.com>
+
+[ Upstream commit 4e81c0b3fa93d07653e2415fa71656b080a112fd ]
+
+When user-space sets the OVS_UFID_F_OMIT_* flags, and the relevant
+flow has no UFID, we can exceed the computed size, as
+ovs_nla_put_identifier() will always dump an OVS_FLOW_ATTR_KEY
+attribute.
+Take the above in account when computing the flow command message
+size.
+
+Fixes: 74ed7ab9264c ("openvswitch: Add support for unique flow IDs.")
+Reported-by: Qi Jun Ding <qding@redhat.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/openvswitch/datapath.c |    6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/net/openvswitch/datapath.c
++++ b/net/openvswitch/datapath.c
+@@ -738,9 +738,13 @@ static size_t ovs_flow_cmd_msg_size(cons
+ {
+       size_t len = NLMSG_ALIGN(sizeof(struct ovs_header));
+-      /* OVS_FLOW_ATTR_UFID */
++      /* OVS_FLOW_ATTR_UFID, or unmasked flow key as fallback
++       * see ovs_nla_put_identifier()
++       */
+       if (sfid && ovs_identifier_is_ufid(sfid))
+               len += nla_total_size(sfid->ufid_len);
++      else
++              len += nla_total_size(ovs_key_attr_size());
+       /* OVS_FLOW_ATTR_KEY */
+       if (!sfid || should_fill_key(sfid, ufid_flags))
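Review bot: When `sfid` is NULL both the new `else` branch and the following `if (!sfid || should_fill_key(sfid, ufid_flags))` condition hold, so the key size appears to be reserved twice for one message (the body of that second `if` lies outside the hunk). Over-estimating is the safe direction for an skb allocation, but the comment should say the slack is deliberate, for example by extending it with `* may over-reserve when the key is also counted below; must never under-reserve`. Because an under-estimate here is what previously led to the BUG_ON in ovs_flow_cmd_build_info(), a short note naming `ovs_nla_put_identifier()` as the function this size must track is worth keeping in step with any future change to that function.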
diff --git a/queue-4.9/openvswitch-remove-another-bug_on.patch b/queue-4.9/openvswitch-remove-another-bug_on.patch
new file mode 100644 (file)
index 0000000..c2110c0
--- /dev/null
@@ -0,0 +1,49 @@
+From foo@baz Tue 03 Dec 2019 11:07:30 AM CET
+From: Paolo Abeni <pabeni@redhat.com>
+Date: Sun, 1 Dec 2019 18:41:25 +0100
+Subject: openvswitch: remove another BUG_ON()
+
+From: Paolo Abeni <pabeni@redhat.com>
+
+[ Upstream commit 8a574f86652a4540a2433946ba826ccb87f398cc ]
+
+If we can't build the flow del notification, we can simply delete
+the flow, no need to crash the kernel. Still keep a WARN_ON to
+preserve debuggability.
+
+Note: the BUG_ON() predates the Fixes tag, but this change
+can be applied only after the mentioned commit.
+
+v1 -> v2:
+ - do not leak an skb on error
+
+Fixes: aed067783e50 ("openvswitch: Minimize ovs_flow_cmd_del critical section.")
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/openvswitch/datapath.c |    6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/net/openvswitch/datapath.c
++++ b/net/openvswitch/datapath.c
+@@ -1350,7 +1350,10 @@ static int ovs_flow_cmd_del(struct sk_bu
+                                                    OVS_FLOW_CMD_DEL,
+                                                    ufid_flags);
+                       rcu_read_unlock();
+-                      BUG_ON(err < 0);
++                      if (WARN_ON_ONCE(err < 0)) {
++                              kfree_skb(reply);
++                              goto out_free;
++                      }
+                       ovs_notify(&dp_flow_genl_family, reply, info);
+               } else {
+@@ -1358,6 +1361,7 @@ static int ovs_flow_cmd_del(struct sk_bu
+               }
+       }
++out_free:
+       ovs_flow_free(flow, true);
+       return 0;
+ unlock:
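Review bot: On the new error path the reply is freed and `ovs_flow_cmd_del()` returns 0 through `out_free`, so the requester and any listeners never receive the OVS_FLOW_CMD_DEL notification and get no indication that it was dropped beyond the one-time warning. That is a reasonable trade against crashing, but it should be stated where it happens, for example `/* the delete itself succeeded; drop the notification rather than crash or fail the request */` above `kfree_skb(reply)`. The `out_free:` label is placed before `ovs_flow_free(flow, true)`, so the flow is still released on this path. The locking around this block and the `unlock:` path are outside the hunks shown.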
diff --git a/queue-4.9/sctp-cache-netns-in-sctp_ep_common.patch b/queue-4.9/sctp-cache-netns-in-sctp_ep_common.patch
new file mode 100644 (file)
index 0000000..93e472c
--- /dev/null
@@ -0,0 +1,110 @@
+From foo@baz Tue 03 Dec 2019 11:07:30 AM CET
+From: Xin Long <lucien.xin@gmail.com>
+Date: Sat, 23 Nov 2019 11:56:49 +0800
+Subject: sctp: cache netns in sctp_ep_common
+
+From: Xin Long <lucien.xin@gmail.com>
+
+[ Upstream commit 312434617cb16be5166316cf9d08ba760b1042a1 ]
+
+This patch is to fix a data-race reported by syzbot:
+
+  BUG: KCSAN: data-race in sctp_assoc_migrate / sctp_hash_obj
+
+  write to 0xffff8880b67c0020 of 8 bytes by task 18908 on cpu 1:
+    sctp_assoc_migrate+0x1a6/0x290 net/sctp/associola.c:1091
+    sctp_sock_migrate+0x8aa/0x9b0 net/sctp/socket.c:9465
+    sctp_accept+0x3c8/0x470 net/sctp/socket.c:4916
+    inet_accept+0x7f/0x360 net/ipv4/af_inet.c:734
+    __sys_accept4+0x224/0x430 net/socket.c:1754
+    __do_sys_accept net/socket.c:1795 [inline]
+    __se_sys_accept net/socket.c:1792 [inline]
+    __x64_sys_accept+0x4e/0x60 net/socket.c:1792
+    do_syscall_64+0xcc/0x370 arch/x86/entry/common.c:290
+    entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+  read to 0xffff8880b67c0020 of 8 bytes by task 12003 on cpu 0:
+    sctp_hash_obj+0x4f/0x2d0 net/sctp/input.c:894
+    rht_key_get_hash include/linux/rhashtable.h:133 [inline]
+    rht_key_hashfn include/linux/rhashtable.h:159 [inline]
+    rht_head_hashfn include/linux/rhashtable.h:174 [inline]
+    head_hashfn lib/rhashtable.c:41 [inline]
+    rhashtable_rehash_one lib/rhashtable.c:245 [inline]
+    rhashtable_rehash_chain lib/rhashtable.c:276 [inline]
+    rhashtable_rehash_table lib/rhashtable.c:316 [inline]
+    rht_deferred_worker+0x468/0xab0 lib/rhashtable.c:420
+    process_one_work+0x3d4/0x890 kernel/workqueue.c:2269
+    worker_thread+0xa0/0x800 kernel/workqueue.c:2415
+    kthread+0x1d4/0x200 drivers/block/aoe/aoecmd.c:1253
+    ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:352
+
+It was caused by rhashtable access asoc->base.sk when sctp_assoc_migrate
+is changing its value. However, what rhashtable wants is netns from asoc
+base.sk, and for an asoc, its netns won't change once set. So we can
+simply fix it by caching netns since created.
+
+Fixes: d6c0256a60e6 ("sctp: add the rhashtable apis for sctp global transport hashtable")
+Reported-by: syzbot+e3b35fe7918ff0ee474e@syzkaller.appspotmail.com
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/sctp/structs.h |    3 +++
+ net/sctp/associola.c       |    1 +
+ net/sctp/endpointola.c     |    1 +
+ net/sctp/input.c           |    4 ++--
+ 4 files changed, 7 insertions(+), 2 deletions(-)
+
+--- a/include/net/sctp/structs.h
++++ b/include/net/sctp/structs.h
+@@ -1202,6 +1202,9 @@ struct sctp_ep_common {
+       /* What socket does this endpoint belong to?  */
+       struct sock *sk;
++      /* Cache netns and it won't change once set */
++      struct net *net;
++
+       /* This is where we receive inbound chunks.  */
+       struct sctp_inq   inqueue;
+--- a/net/sctp/associola.c
++++ b/net/sctp/associola.c
+@@ -81,6 +81,7 @@ static struct sctp_association *sctp_ass
+       /* Discarding const is appropriate here.  */
+       asoc->ep = (struct sctp_endpoint *)ep;
+       asoc->base.sk = (struct sock *)sk;
++      asoc->base.net = sock_net(sk);
+       sctp_endpoint_hold(asoc->ep);
+       sock_hold(asoc->base.sk);
+--- a/net/sctp/endpointola.c
++++ b/net/sctp/endpointola.c
+@@ -163,6 +163,7 @@ static struct sctp_endpoint *sctp_endpoi
+       /* Remember who we are attached to.  */
+       ep->base.sk = sk;
++      ep->base.net = sock_net(sk);
+       sock_hold(ep->base.sk);
+       return ep;
+--- a/net/sctp/input.c
++++ b/net/sctp/input.c
+@@ -812,7 +812,7 @@ static inline int sctp_hash_cmp(struct r
+               return err;
+       asoc = t->asoc;
+-      if (!net_eq(sock_net(asoc->base.sk), x->net))
++      if (!net_eq(asoc->base.net, x->net))
+               goto out;
+       if (x->ep) {
+               if (x->ep != asoc->ep)
+@@ -835,7 +835,7 @@ static inline u32 sctp_hash_obj(const vo
+ {
+       const struct sctp_transport *t = data;
+       const union sctp_addr *paddr = &t->ipaddr;
+-      const struct net *net = sock_net(t->asoc->base.sk);
++      const struct net *net = t->asoc->base.net;
+       u16 lport = htons(t->asoc->base.bind_addr.port);
+       u32 addr;
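Review bot: The new `struct net *net` field in `sctp_ep_common` is filled from `sock_net(sk)` without taking a reference of its own, so its validity presumably rests on the socket reference taken right after it (`sock_hold(asoc->base.sk)` / `sock_hold(ep->base.sk)`); the field comment `/* Cache netns and it won't change once set */` does not say so. I would expand it to `/* netns of sk, cached at creation so lockless readers (rhashtable hash/compare) need not dereference sk; never changes, no reference taken */`. Only `sctp_hash_cmp()` and `sctp_hash_obj()` are switched to the cached pointer here, so any other lockless reader of `sock_net(asoc->base.sk)` in the 4.9 tree would still race with sctp_assoc_migrate() and is worth a search. All four functions start or end outside their hunks.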
index 6b6d9441fba415ca00a504b0d94d657a2a7498e1..88bc25646c4f3ba3153c0f98bce8c771acc9e094 100644 (file)
@@ -111,3 +111,11 @@ media-v4l2-ctrl-fix-flags-for-do_white_balance.patch
 net-macb-fix-error-format-in-dev_err.patch
 pwm-clear-chip_data-in-pwm_put.patch
 media-atmel-atmel-isc-fix-asd-memory-allocation.patch
+macvlan-schedule-bc_work-even-if-error.patch
+openvswitch-fix-flow-command-message-size.patch
+slip-fix-use-after-free-read-in-slip_open.patch
+openvswitch-drop-unneeded-bug_on-in-ovs_flow_cmd_build_info.patch
+openvswitch-remove-another-bug_on.patch
+tipc-fix-link-name-length-check.patch
+sctp-cache-netns-in-sctp_ep_common.patch
+net-sched-fix-tc-s-class-show-no-bstats-on-class-with-nolock-subqueues.patch
diff --git a/queue-4.9/slip-fix-use-after-free-read-in-slip_open.patch b/queue-4.9/slip-fix-use-after-free-read-in-slip_open.patch
new file mode 100644 (file)
index 0000000..0e1d678
--- /dev/null
@@ -0,0 +1,60 @@
+From foo@baz Tue 03 Dec 2019 11:07:30 AM CET
+From: Jouni Hogander <jouni.hogander@unikie.com>
+Date: Mon, 25 Nov 2019 14:23:43 +0200
+Subject: slip: Fix use-after-free Read in slip_open
+
+From: Jouni Hogander <jouni.hogander@unikie.com>
+
+[ Upstream commit e58c1912418980f57ba2060017583067f5f71e52 ]
+
+Slip_open doesn't clean-up device which registration failed from the
+slip_devs device list. On next open after failure this list is iterated
+and freed device is accessed. Fix this by calling sl_free_netdev in error
+path.
+
+Here is the trace from the Syzbot:
+
+__dump_stack lib/dump_stack.c:77 [inline]
+dump_stack+0x197/0x210 lib/dump_stack.c:118
+print_address_description.constprop.0.cold+0xd4/0x30b mm/kasan/report.c:374
+__kasan_report.cold+0x1b/0x41 mm/kasan/report.c:506
+kasan_report+0x12/0x20 mm/kasan/common.c:634
+__asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:132
+sl_sync drivers/net/slip/slip.c:725 [inline]
+slip_open+0xecd/0x11b7 drivers/net/slip/slip.c:801
+tty_ldisc_open.isra.0+0xa3/0x110 drivers/tty/tty_ldisc.c:469
+tty_set_ldisc+0x30e/0x6b0 drivers/tty/tty_ldisc.c:596
+tiocsetd drivers/tty/tty_io.c:2334 [inline]
+tty_ioctl+0xe8d/0x14f0 drivers/tty/tty_io.c:2594
+vfs_ioctl fs/ioctl.c:46 [inline]
+file_ioctl fs/ioctl.c:509 [inline]
+do_vfs_ioctl+0xdb6/0x13e0 fs/ioctl.c:696
+ksys_ioctl+0xab/0xd0 fs/ioctl.c:713
+__do_sys_ioctl fs/ioctl.c:720 [inline]
+__se_sys_ioctl fs/ioctl.c:718 [inline]
+__x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:718
+do_syscall_64+0xfa/0x760 arch/x86/entry/common.c:290
+entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+Fixes: 3b5a39979daf ("slip: Fix memory leak in slip_open error path")
+Reported-by: syzbot+4d5170758f3762109542@syzkaller.appspotmail.com
+Cc: David Miller <davem@davemloft.net>
+Cc: Oliver Hartkopp <socketcan@hartkopp.net>
+Cc: Lukas Bulwahn <lukas.bulwahn@gmail.com>
+Signed-off-by: Jouni Hogander <jouni.hogander@unikie.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/slip/slip.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/slip/slip.c
++++ b/drivers/net/slip/slip.c
+@@ -860,6 +860,7 @@ err_free_chan:
+       sl->tty = NULL;
+       tty->disc_data = NULL;
+       clear_bit(SLF_INUSE, &sl->flags);
++      sl_free_netdev(sl->dev);
+       free_netdev(sl->dev);
+ err_exit:
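Review bot: The added `sl_free_netdev(sl->dev)` has to run before `free_netdev(sl->dev)`, and nothing in the error path says why, so the two calls read like a redundant double release to someone who has not seen the commit message. A comment such as `/* unhook from slip_devs before freeing, or the next slip_open() walks a freed device */` would carry that reasoning into the code. It is also worth checking in the 4.9 tree that every jump to `err_free_chan` arrives with `sl->dev` still valid, since the code that reaches this label is outside the hunk.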
diff --git a/queue-4.9/tipc-fix-link-name-length-check.patch b/queue-4.9/tipc-fix-link-name-length-check.patch
new file mode 100644 (file)
index 0000000..48e4b26
--- /dev/null
@@ -0,0 +1,45 @@
+From foo@baz Tue 03 Dec 2019 11:07:30 AM CET
+From: John Rutherford <john.rutherford@dektech.com.au>
+Date: Tue, 26 Nov 2019 13:52:55 +1100
+Subject: tipc: fix link name length check
+
+From: John Rutherford <john.rutherford@dektech.com.au>
+
+[ Upstream commit fd567ac20cb0377ff466d3337e6e9ac5d0cb15e4 ]
+
+In commit 4f07b80c9733 ("tipc: check msg->req data len in
+tipc_nl_compat_bearer_disable") the same patch code was copied into
+routines: tipc_nl_compat_bearer_disable(),
+tipc_nl_compat_link_stat_dump() and tipc_nl_compat_link_reset_stats().
+The two link routine occurrences should have been modified to check
+the maximum link name length and not bearer name length.
+
+Fixes: 4f07b80c9733 ("tipc: check msg->reg data len in tipc_nl_compat_bearer_disable")
+Signed-off-by: John Rutherford <john.rutherford@dektech.com.au>
+Acked-by: Jon Maloy <jon.maloy@ericsson.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/tipc/netlink_compat.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/tipc/netlink_compat.c
++++ b/net/tipc/netlink_compat.c
+@@ -539,7 +539,7 @@ static int tipc_nl_compat_link_stat_dump
+       if (len <= 0)
+               return -EINVAL;
+-      len = min_t(int, len, TIPC_MAX_BEARER_NAME);
++      len = min_t(int, len, TIPC_MAX_LINK_NAME);
+       if (!string_is_valid(name, len))
+               return -EINVAL;
+@@ -821,7 +821,7 @@ static int tipc_nl_compat_link_reset_sta
+       if (len <= 0)
+               return -EINVAL;
+-      len = min_t(int, len, TIPC_MAX_BEARER_NAME);
++      len = min_t(int, len, TIPC_MAX_LINK_NAME);
+       if (!string_is_valid(name, len))
+               return -EINVAL;
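Review bot: Both hunks correct the same copy-pasted clamp, and the sequence `len <= 0` / `min_t(int, len, ...)` / `string_is_valid(name, len)` remains duplicated in each routine with only the constant differing, which is how the wrong bound was introduced. A small static helper that takes the name, the received length and the maximum would keep the bound next to the caller's intent; short of that, a comment at each site such as `/* link name, not bearer name: bound by TIPC_MAX_LINK_NAME */` would make the next copy less likely to go wrong. While the bearer constant was in use, link names were validated against a bound meant for a different field; how `name` is consumed after the check is outside the hunks, so the effect of that cannot be judged from here.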