--- /dev/null
+From foo@baz Tue 12 May 2020 11:26:56 AM CEST
+From: Michael Chan <michael.chan@broadcom.com>
+Date: Sun, 26 Apr 2020 16:24:42 -0400
+Subject: bnxt_en: Fix VLAN acceleration handling in bnxt_fix_features().
+
+From: Michael Chan <michael.chan@broadcom.com>
+
+[ Upstream commit c72cb303aa6c2ae7e4184f0081c6d11bf03fb96b ]
+
+The current logic in bnxt_fix_features() will inadvertently turn on both
+CTAG and STAG VLAN offload if the user tries to disable both. Fix it
+by checking that the user is trying to enable CTAG or STAG before
+enabling both. The logic is supposed to enable or disable both CTAG and
+STAG together.
+
+Fixes: 5a9f6b238e59 ("bnxt_en: Enable and disable RX CTAG and RX STAG VLAN acceleration together.")
+Signed-off-by: Michael Chan <michael.chan@broadcom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+@@ -5997,6 +5997,7 @@ static netdev_features_t bnxt_fix_featur
+ netdev_features_t features)
+ {
+ struct bnxt *bp = netdev_priv(dev);
++ netdev_features_t vlan_features;
+
+ if ((features & NETIF_F_NTUPLE) && !bnxt_rfs_capable(bp))
+ features &= ~NETIF_F_NTUPLE;
+@@ -6004,12 +6005,14 @@ static netdev_features_t bnxt_fix_featur
+ /* Both CTAG and STAG VLAN accelaration on the RX side have to be
+ * turned on or off together.
+ */
+- if ((features & (NETIF_F_HW_VLAN_CTAG_RX | NETIF_F_HW_VLAN_STAG_RX)) !=
+- (NETIF_F_HW_VLAN_CTAG_RX | NETIF_F_HW_VLAN_STAG_RX)) {
++ vlan_features = features & (NETIF_F_HW_VLAN_CTAG_RX |
++ NETIF_F_HW_VLAN_STAG_RX);
++ if (vlan_features != (NETIF_F_HW_VLAN_CTAG_RX |
++ NETIF_F_HW_VLAN_STAG_RX)) {
+ if (dev->features & NETIF_F_HW_VLAN_CTAG_RX)
+ features &= ~(NETIF_F_HW_VLAN_CTAG_RX |
+ NETIF_F_HW_VLAN_STAG_RX);
+- else
++ else if (vlan_features)
+ features |= NETIF_F_HW_VLAN_CTAG_RX |
+ NETIF_F_HW_VLAN_STAG_RX;
+ }
--- /dev/null
+From foo@baz Tue 12 May 2020 10:57:53 AM CEST
+From: Michael Chan <michael.chan@broadcom.com>
+Date: Sun, 26 Apr 2020 16:24:40 -0400
+Subject: bnxt_en: Improve AER slot reset.
+
+From: Michael Chan <michael.chan@broadcom.com>
+
+[ Upstream commit bae361c54fb6ac6eba3b4762f49ce14beb73ef13 ]
+
+Improve the slot reset sequence by disabling the device to prevent bad
+DMAs if slot reset fails. Return the proper result instead of always
+PCI_ERS_RESULT_RECOVERED to the caller.
+
+Fixes: 6316ea6db93d ("bnxt_en: Enable AER support.")
+Signed-off-by: Michael Chan <michael.chan@broadcom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+@@ -7166,8 +7166,11 @@ static pci_ers_result_t bnxt_io_slot_res
+ result = PCI_ERS_RESULT_RECOVERED;
+ }
+
+- if (result != PCI_ERS_RESULT_RECOVERED && netif_running(netdev))
+- dev_close(netdev);
++ if (result != PCI_ERS_RESULT_RECOVERED) {
++ if (netif_running(netdev))
++ dev_close(netdev);
++ pci_disable_device(pdev);
++ }
+
+ rtnl_unlock();
+
+@@ -7178,7 +7181,7 @@ static pci_ers_result_t bnxt_io_slot_res
+ err); /* non-fatal, continue */
+ }
+
+- return PCI_ERS_RESULT_RECOVERED;
++ return result;
+ }
+
+ /**
--- /dev/null
+From foo@baz Tue 12 May 2020 11:26:56 AM CEST
+From: Julia Lawall <Julia.Lawall@inria.fr>
+Date: Thu, 30 Apr 2020 21:51:32 +0200
+Subject: dp83640: reverse arguments to list_add_tail
+
+From: Julia Lawall <Julia.Lawall@inria.fr>
+
+[ Upstream commit 865308373ed49c9fb05720d14cbf1315349b32a9 ]
+
+In this code, it appears that phyter_clocks is a list head, based on
+the previous list_for_each, and that clock->list is intended to be a
+list element, given that it has just been initialized in
+dp83640_clock_init. Accordingly, switch the arguments to
+list_add_tail, which takes the list head as the second argument.
+
+Fixes: cb646e2b02b27 ("ptp: Added a clock driver for the National Semiconductor PHYTER.")
+Signed-off-by: Julia Lawall <Julia.Lawall@inria.fr>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/phy/dp83640.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/phy/dp83640.c
++++ b/drivers/net/phy/dp83640.c
+@@ -1108,7 +1108,7 @@ static struct dp83640_clock *dp83640_clo
+ goto out;
+ }
+ dp83640_clock_init(clock, bus);
+- list_add_tail(&phyter_clocks, &clock->list);
++ list_add_tail(&clock->list, &phyter_clocks);
+ out:
+ mutex_unlock(&phyter_clocks_lock);
+
--- /dev/null
+From foo@baz Tue 12 May 2020 11:26:56 AM CEST
+From: Eric Dumazet <edumazet@google.com>
+Date: Sat, 25 Apr 2020 12:40:25 -0700
+Subject: fq_codel: fix TCA_FQ_CODEL_DROP_BATCH_SIZE sanity checks
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 14695212d4cd8b0c997f6121b6df8520038ce076 ]
+
+My intent was to not let users set a zero drop_batch_size,
+it seems I once again messed with min()/max().
+
+Fixes: 9d18562a2278 ("fq_codel: add batch ability to fq_codel_drop()")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Acked-by: Toke Høiland-Jørgensen <toke@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/sch_fq_codel.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/sched/sch_fq_codel.c
++++ b/net/sched/sch_fq_codel.c
+@@ -428,7 +428,7 @@ static int fq_codel_change(struct Qdisc
+ q->quantum = max(256U, nla_get_u32(tb[TCA_FQ_CODEL_QUANTUM]));
+
+ if (tb[TCA_FQ_CODEL_DROP_BATCH_SIZE])
+- q->drop_batch_size = min(1U, nla_get_u32(tb[TCA_FQ_CODEL_DROP_BATCH_SIZE]));
++ q->drop_batch_size = max(1U, nla_get_u32(tb[TCA_FQ_CODEL_DROP_BATCH_SIZE]));
+
+ if (tb[TCA_FQ_CODEL_MEMORY_LIMIT])
+ q->memory_limit = min(1U << 31, nla_get_u32(tb[TCA_FQ_CODEL_MEMORY_LIMIT]));
--- /dev/null
+From foo@baz Tue 12 May 2020 11:26:56 AM CEST
+From: Scott Dial <scott@scottdial.com>
+Date: Fri, 24 Apr 2020 18:51:08 -0400
+Subject: net: macsec: preserve ingress frame ordering
+
+From: Scott Dial <scott@scottdial.com>
+
+[ Upstream commit ab046a5d4be4c90a3952a0eae75617b49c0cb01b ]
+
+MACsec decryption always occurs in a softirq context. Since
+the FPU may not be usable in the softirq context, the call to
+decrypt may be scheduled on the cryptd work queue. The cryptd
+work queue does not provide ordering guarantees. Therefore,
+preserving order requires masking out ASYNC implementations
+of gcm(aes).
+
+For instance, an Intel CPU with AES-NI makes available the
+generic-gcm-aesni driver from the aesni_intel module to
+implement gcm(aes). However, this implementation requires
+the FPU, so it is not always available to use from a softirq
+context, and will fallback to the cryptd work queue, which
+does not preserve frame ordering. With this change, such a
+system would select gcm_base(ctr(aes-aesni),ghash-generic).
+While the aes-aesni implementation prefers to use the FPU, it
+will fallback to the aes-asm implementation if unavailable.
+
+By using a synchronous version of gcm(aes), the decryption
+will complete before returning from crypto_aead_decrypt().
+Therefore, the macsec_decrypt_done() callback will be called
+before returning from macsec_decrypt(). Thus, the order of
+calls to macsec_post_decrypt() for the frames is preserved.
+
+While it's presumable that the pure AES-NI version of gcm(aes)
+is more performant, the hybrid solution is capable of gigabit
+speeds on modest hardware. Regardless, preserving the order
+of frames is paramount for many network protocols (e.g.,
+triggering TCP retries). Within the MACsec driver itself, the
+replay protection is tripped by the out-of-order frames, and
+can cause frames to be dropped.
+
+This bug has been present in this code since it was added in
+v4.6, however it may not have been noticed since not all CPUs
+have FPU offload available. Additionally, the bug manifests
+as occasional out-of-order packets that are easily
+misattributed to other network phenomena.
+
+When this code was added in v4.6, the crypto/gcm.c code did
+not restrict selection of the ghash function based on the
+ASYNC flag. For instance, x86 CPUs with PCLMULQDQ would
+select the ghash-clmulni driver instead of ghash-generic,
+which submits to the cryptd work queue if the FPU is busy.
+However, this bug was was corrected in v4.8 by commit
+b30bdfa86431afbafe15284a3ad5ac19b49b88e3, and was backported
+all the way back to the v3.14 stable branch, so this patch
+should be applicable back to the v4.6 stable branch.
+
+Signed-off-by: Scott Dial <scott@scottdial.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/macsec.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/macsec.c
++++ b/drivers/net/macsec.c
+@@ -1315,7 +1315,8 @@ static struct crypto_aead *macsec_alloc_
+ struct crypto_aead *tfm;
+ int ret;
+
+- tfm = crypto_alloc_aead("gcm(aes)", 0, 0);
++ /* Pick a sync gcm(aes) cipher to ensure order is preserved. */
++ tfm = crypto_alloc_aead("gcm(aes)", 0, CRYPTO_ALG_ASYNC);
+
+ if (IS_ERR(tfm))
+ return tfm;
--- /dev/null
+From foo@baz Tue 12 May 2020 11:26:56 AM CEST
+From: Tariq Toukan <tariqt@mellanox.com>
+Date: Mon, 4 May 2020 11:36:02 +0300
+Subject: net/mlx4_core: Fix use of ENOSPC around mlx4_counter_alloc()
+
+From: Tariq Toukan <tariqt@mellanox.com>
+
+[ Upstream commit 40e473071dbad04316ddc3613c3a3d1c75458299 ]
+
+When ENOSPC is set the idx is still valid and gets set to the global
+MLX4_SINK_COUNTER_INDEX. However gcc's static analysis cannot tell that
+ENOSPC is impossible from mlx4_cmd_imm() and gives this warning:
+
+drivers/net/ethernet/mellanox/mlx4/main.c:2552:28: warning: 'idx' may be
+used uninitialized in this function [-Wmaybe-uninitialized]
+ 2552 | priv->def_counter[port] = idx;
+
+Also, when ENOSPC is returned mlx4_allocate_default_counters should not
+fail.
+
+Fixes: 6de5f7f6a1fa ("net/mlx4_core: Allocate default counter per port")
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Tariq Toukan <tariqt@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx4/main.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx4/main.c
++++ b/drivers/net/ethernet/mellanox/mlx4/main.c
+@@ -2478,6 +2478,7 @@ static int mlx4_allocate_default_counter
+
+ if (!err || err == -ENOSPC) {
+ priv->def_counter[port] = idx;
++ err = 0;
+ } else if (err == -ENOENT) {
+ err = 0;
+ continue;
+@@ -2527,7 +2528,8 @@ int mlx4_counter_alloc(struct mlx4_dev *
+ MLX4_CMD_TIME_CLASS_A, MLX4_CMD_WRAPPED);
+ if (!err)
+ *idx = get_param_l(&out_param);
+-
++ if (WARN_ON(err == -ENOSPC))
++ err = -EINVAL;
+ return err;
+ }
+ return __mlx4_counter_alloc(dev, idx);
--- /dev/null
+From foo@baz Tue 12 May 2020 11:26:56 AM CEST
+From: Moshe Shemesh <moshe@mellanox.com>
+Date: Sun, 23 Feb 2020 03:27:41 +0200
+Subject: net/mlx5: Fix command entry leak in Internal Error State
+
+From: Moshe Shemesh <moshe@mellanox.com>
+
+[ Upstream commit cece6f432cca9f18900463ed01b97a152a03600a ]
+
+Processing commands by cmd_work_handler() while already in Internal
+Error State will result in entry leak, since the handler process force
+completion without doorbell. Forced completion doesn't release the entry
+and event completion will never arrive, so entry should be released.
+
+Fixes: 73dd3a4839c1 ("net/mlx5: Avoid using pending command interface slots")
+Signed-off-by: Moshe Shemesh <moshe@mellanox.com>
+Signed-off-by: Eran Ben Elisha <eranbe@mellanox.com>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/cmd.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
+@@ -847,6 +847,10 @@ static void cmd_work_handler(struct work
+ MLX5_SET(mbox_out, ent->out, syndrome, drv_synd);
+
+ mlx5_cmd_comp_handler(dev, 1UL << ent->idx, true);
++ /* no doorbell, no need to keep the entry */
++ free_ent(cmd, ent->idx);
++ if (ent->callback)
++ free_cmd(ent);
+ return;
+ }
+
--- /dev/null
+From foo@baz Tue 12 May 2020 11:26:56 AM CEST
+From: Moshe Shemesh <moshe@mellanox.com>
+Date: Sun, 21 Jul 2019 08:40:13 +0300
+Subject: net/mlx5: Fix forced completion access non initialized command entry
+
+From: Moshe Shemesh <moshe@mellanox.com>
+
+[ Upstream commit f3cb3cebe26ed4c8036adbd9448b372129d3c371 ]
+
+mlx5_cmd_flush() will trigger forced completions to all valid command
+entries. Triggered by an asynch event such as fast teardown it can
+happen at any stage of the command, including command initialization.
+It will trigger forced completion and that can lead to completion on an
+uninitialized command entry.
+
+Setting MLX5_CMD_ENT_STATE_PENDING_COMP only after command entry is
+initialized will ensure force completion is treated only if command
+entry is initialized.
+
+Fixes: 73dd3a4839c1 ("net/mlx5: Avoid using pending command interface slots")
+Signed-off-by: Moshe Shemesh <moshe@mellanox.com>
+Signed-off-by: Eran Ben Elisha <eranbe@mellanox.com>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/cmd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
+@@ -813,7 +813,6 @@ static void cmd_work_handler(struct work
+ }
+
+ cmd->ent_arr[ent->idx] = ent;
+- set_bit(MLX5_CMD_ENT_STATE_PENDING_COMP, &ent->state);
+ lay = get_inst(cmd, ent->idx);
+ ent->lay = lay;
+ memset(lay, 0, sizeof(*lay));
+@@ -835,6 +834,7 @@ static void cmd_work_handler(struct work
+
+ if (ent->callback)
+ schedule_delayed_work(&ent->cb_timeout_work, cb_timeout);
++ set_bit(MLX5_CMD_ENT_STATE_PENDING_COMP, &ent->state);
+
+ /* Skip sending command to fw if internal error */
+ if (pci_channel_offline(dev->pdev) ||
--- /dev/null
+From foo@baz Tue 12 May 2020 11:26:56 AM CEST
+From: Matt Jolly <Kangie@footclan.ninja>
+Date: Sun, 3 May 2020 01:52:28 +1000
+Subject: net: usb: qmi_wwan: add support for DW5816e
+
+From: Matt Jolly <Kangie@footclan.ninja>
+
+[ Upstream commit 57c7f2bd758eed867295c81d3527fff4fab1ed74 ]
+
+Add support for Dell Wireless 5816e to drivers/net/usb/qmi_wwan.c
+
+Signed-off-by: Matt Jolly <Kangie@footclan.ninja>
+Acked-by: Bjørn Mork <bjorn@mork.no>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/qmi_wwan.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/usb/qmi_wwan.c
++++ b/drivers/net/usb/qmi_wwan.c
+@@ -950,6 +950,7 @@ static const struct usb_device_id produc
+ {QMI_FIXED_INTF(0x413c, 0x81b3, 8)}, /* Dell Wireless 5809e Gobi(TM) 4G LTE Mobile Broadband Card (rev3) */
+ {QMI_FIXED_INTF(0x413c, 0x81b6, 8)}, /* Dell Wireless 5811e */
+ {QMI_FIXED_INTF(0x413c, 0x81b6, 10)}, /* Dell Wireless 5811e */
++ {QMI_FIXED_INTF(0x413c, 0x81cc, 8)}, /* Dell Wireless 5816e */
+ {QMI_FIXED_INTF(0x413c, 0x81d7, 0)}, /* Dell Wireless 5821e */
+ {QMI_FIXED_INTF(0x413c, 0x81d7, 1)}, /* Dell Wireless 5821e preproduction config */
+ {QMI_FIXED_INTF(0x413c, 0x81e0, 0)}, /* Dell Wireless 5821e with eSIM support*/
--- /dev/null
+From foo@baz Tue 12 May 2020 11:26:56 AM CEST
+From: Eric Dumazet <edumazet@google.com>
+Date: Sat, 25 Apr 2020 15:19:51 -0700
+Subject: sch_choke: avoid potential panic in choke_reset()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 8738c85c72b3108c9b9a369a39868ba5f8e10ae0 ]
+
+If choke_init() could not allocate q->tab, we would crash later
+in choke_reset().
+
+BUG: KASAN: null-ptr-deref in memset include/linux/string.h:366 [inline]
+BUG: KASAN: null-ptr-deref in choke_reset+0x208/0x340 net/sched/sch_choke.c:326
+Write of size 8 at addr 0000000000000000 by task syz-executor822/7022
+
+CPU: 1 PID: 7022 Comm: syz-executor822 Not tainted 5.7.0-rc1-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x188/0x20d lib/dump_stack.c:118
+ __kasan_report.cold+0x5/0x4d mm/kasan/report.c:515
+ kasan_report+0x33/0x50 mm/kasan/common.c:625
+ check_memory_region_inline mm/kasan/generic.c:187 [inline]
+ check_memory_region+0x141/0x190 mm/kasan/generic.c:193
+ memset+0x20/0x40 mm/kasan/common.c:85
+ memset include/linux/string.h:366 [inline]
+ choke_reset+0x208/0x340 net/sched/sch_choke.c:326
+ qdisc_reset+0x6b/0x520 net/sched/sch_generic.c:910
+ dev_deactivate_queue.constprop.0+0x13c/0x240 net/sched/sch_generic.c:1138
+ netdev_for_each_tx_queue include/linux/netdevice.h:2197 [inline]
+ dev_deactivate_many+0xe2/0xba0 net/sched/sch_generic.c:1195
+ dev_deactivate+0xf8/0x1c0 net/sched/sch_generic.c:1233
+ qdisc_graft+0xd25/0x1120 net/sched/sch_api.c:1051
+ tc_modify_qdisc+0xbab/0x1a00 net/sched/sch_api.c:1670
+ rtnetlink_rcv_msg+0x44e/0xad0 net/core/rtnetlink.c:5454
+ netlink_rcv_skb+0x15a/0x410 net/netlink/af_netlink.c:2469
+ netlink_unicast_kernel net/netlink/af_netlink.c:1303 [inline]
+ netlink_unicast+0x537/0x740 net/netlink/af_netlink.c:1329
+ netlink_sendmsg+0x882/0xe10 net/netlink/af_netlink.c:1918
+ sock_sendmsg_nosec net/socket.c:652 [inline]
+ sock_sendmsg+0xcf/0x120 net/socket.c:672
+ ____sys_sendmsg+0x6bf/0x7e0 net/socket.c:2362
+ ___sys_sendmsg+0x100/0x170 net/socket.c:2416
+ __sys_sendmsg+0xec/0x1b0 net/socket.c:2449
+ do_syscall_64+0xf6/0x7d0 arch/x86/entry/common.c:295
+
+Fixes: 77e62da6e60c ("sch_choke: drop all packets in queue during reset")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Cc: Cong Wang <xiyou.wangcong@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/sch_choke.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/sched/sch_choke.c
++++ b/net/sched/sch_choke.c
+@@ -382,7 +382,8 @@ static void choke_reset(struct Qdisc *sc
+
+ sch->q.qlen = 0;
+ sch->qstats.backlog = 0;
+- memset(q->tab, 0, (q->tab_mask + 1) * sizeof(struct sk_buff *));
++ if (q->tab)
++ memset(q->tab, 0, (q->tab_mask + 1) * sizeof(struct sk_buff *));
+ q->head = q->tail = 0;
+ red_restart(&q->vars);
+ }
--- /dev/null
+From foo@baz Tue 12 May 2020 11:26:56 AM CEST
+From: Eric Dumazet <edumazet@google.com>
+Date: Sun, 26 Apr 2020 18:19:07 -0700
+Subject: sch_sfq: validate silly quantum values
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit df4953e4e997e273501339f607b77953772e3559 ]
+
+syzbot managed to set up sfq so that q->scaled_quantum was zero,
+triggering an infinite loop in sfq_dequeue()
+
+More generally, we must only accept quantum between 1 and 2^18 - 7,
+meaning scaled_quantum must be in [1, 0x7FFF] range.
+
+Otherwise, we also could have a loop in sfq_dequeue()
+if scaled_quantum happens to be 0x8000, since slot->allot
+could indefinitely switch between 0 and 0x8000.
+
+Fixes: eeaeb068f139 ("sch_sfq: allow big packets and be fair")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot+0251e883fe39e7a0cb0a@syzkaller.appspotmail.com
+Cc: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/sch_sfq.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/net/sched/sch_sfq.c
++++ b/net/sched/sch_sfq.c
+@@ -635,6 +635,15 @@ static int sfq_change(struct Qdisc *sch,
+ if (ctl->divisor &&
+ (!is_power_of_2(ctl->divisor) || ctl->divisor > 65536))
+ return -EINVAL;
++
++ /* slot->allot is a short, make sure quantum is not too big. */
++ if (ctl->quantum) {
++ unsigned int scaled = SFQ_ALLOT_SIZE(ctl->quantum);
++
++ if (scaled <= 0 || scaled > SHRT_MAX)
++ return -EINVAL;
++ }
++
+ if (ctl_v1 && !red_check_params(ctl_v1->qth_min, ctl_v1->qth_max,
+ ctl_v1->Wlog))
+ return -EINVAL;
usb-serial-qcserial-add-dw5816e-support.patch
+dp83640-reverse-arguments-to-list_add_tail.patch
+fq_codel-fix-tca_fq_codel_drop_batch_size-sanity-checks.patch
+net-macsec-preserve-ingress-frame-ordering.patch
+net-mlx4_core-fix-use-of-enospc-around-mlx4_counter_alloc.patch
+net-usb-qmi_wwan-add-support-for-dw5816e.patch
+sch_choke-avoid-potential-panic-in-choke_reset.patch
+sch_sfq-validate-silly-quantum-values.patch
+bnxt_en-fix-vlan-acceleration-handling-in-bnxt_fix_features.patch
+net-mlx5-fix-forced-completion-access-non-initialized-command-entry.patch
+net-mlx5-fix-command-entry-leak-in-internal-error-state.patch
+bnxt_en-improve-aer-slot-reset.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
