From: Greg Kroah-Hartman Date: Tue, 12 May 2020 09:39:03 +0000 (+0200) Subject: 4.9-stable patches X-Git-Tag: v4.19.123~44 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=c6f3b6656e9942685f67ed9f04be3a5b4eccc7d2;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: bnxt_en-fix-vlan-acceleration-handling-in-bnxt_fix_features.patch bnxt_en-improve-aer-slot-reset.patch dp83640-reverse-arguments-to-list_add_tail.patch fq_codel-fix-tca_fq_codel_drop_batch_size-sanity-checks.patch net-macsec-preserve-ingress-frame-ordering.patch net-mlx4_core-fix-use-of-enospc-around-mlx4_counter_alloc.patch net-mlx5-fix-command-entry-leak-in-internal-error-state.patch net-mlx5-fix-forced-completion-access-non-initialized-command-entry.patch net-usb-qmi_wwan-add-support-for-dw5816e.patch sch_choke-avoid-potential-panic-in-choke_reset.patch sch_sfq-validate-silly-quantum-values.patch
---
diff --git a/queue-4.9/bnxt_en-fix-vlan-acceleration-handling-in-bnxt_fix_features.patch b/queue-4.9/bnxt_en-fix-vlan-acceleration-handling-in-bnxt_fix_features.patch
new file mode 100644
index 00000000000..417ef7d9851
--- /dev/null
+++ b/queue-4.9/bnxt_en-fix-vlan-acceleration-handling-in-bnxt_fix_features.patch
@@ -0,0 +1,51 @@
+From foo@baz Tue 12 May 2020 11:26:56 AM CEST
+From: Michael Chan
+Date: Sun, 26 Apr 2020 16:24:42 -0400
+Subject: bnxt_en: Fix VLAN acceleration handling in bnxt_fix_features().
+
+From: Michael Chan
+
+[ Upstream commit c72cb303aa6c2ae7e4184f0081c6d11bf03fb96b ]
+
+The current logic in bnxt_fix_features() will inadvertently turn on both
+CTAG and STAG VLAN offload if the user tries to disable both. Fix it
+by checking that the user is trying to enable CTAG or STAG before
+enabling both. The logic is supposed to enable or disable both CTAG and
+STAG together.
+
+Fixes: 5a9f6b238e59 ("bnxt_en: Enable and disable RX CTAG and RX STAG VLAN acceleration together.")
+Signed-off-by: Michael Chan
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+@@ -5997,6 +5997,7 @@ static netdev_features_t bnxt_fix_featur
+ netdev_features_t features)
+ {
+ struct bnxt *bp = netdev_priv(dev);
++ netdev_features_t vlan_features;
+
+ if ((features & NETIF_F_NTUPLE) && !bnxt_rfs_capable(bp))
+ features &= ~NETIF_F_NTUPLE;
+@@ -6004,12 +6005,14 @@ static netdev_features_t bnxt_fix_featur
+ /* Both CTAG and STAG VLAN accelaration on the RX side have to be
+ * turned on or off together.
+ */
+- if ((features & (NETIF_F_HW_VLAN_CTAG_RX | NETIF_F_HW_VLAN_STAG_RX)) !=
+- (NETIF_F_HW_VLAN_CTAG_RX | NETIF_F_HW_VLAN_STAG_RX)) {
++ vlan_features = features & (NETIF_F_HW_VLAN_CTAG_RX |
++ NETIF_F_HW_VLAN_STAG_RX);
++ if (vlan_features != (NETIF_F_HW_VLAN_CTAG_RX |
++ NETIF_F_HW_VLAN_STAG_RX)) {
+ if (dev->features & NETIF_F_HW_VLAN_CTAG_RX)
+ features &= ~(NETIF_F_HW_VLAN_CTAG_RX |
+ NETIF_F_HW_VLAN_STAG_RX);
+- else
++ else if (vlan_features)
+ features |= NETIF_F_HW_VLAN_CTAG_RX |
+ NETIF_F_HW_VLAN_STAG_RX;
+ }
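Review bot: The comment above the new `vlan_features` logic still only says that both offloads move together; it does not say how the direction is chosen, which is the part the previous code got wrong. In the second inner hunk the decision is: CTAG RX currently set in `dev->features` means a partial request is a disable, so both are cleared; otherwise both are set only when `vlan_features` is non-zero. I would extend the comment with `* If CTAG RX is currently on, a partial request is a disable; otherwise enable both only if at least one was requested.` The mask `NETIF_F_HW_VLAN_CTAG_RX | NETIF_F_HW_VLAN_STAG_RX` is also spelled out four times on the new side and could be one named constant. The body of bnxt_fix_features() continues outside the hunk.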
diff --git a/queue-4.9/bnxt_en-improve-aer-slot-reset.patch b/queue-4.9/bnxt_en-improve-aer-slot-reset.patch
new file mode 100644
index 00000000000..59c06a7a2a4
--- /dev/null
+++ b/queue-4.9/bnxt_en-improve-aer-slot-reset.patch
@@ -0,0 +1,46 @@
+From foo@baz Tue 12 May 2020 10:57:53 AM CEST
+From: Michael Chan
+Date: Sun, 26 Apr 2020 16:24:40 -0400
+Subject: bnxt_en: Improve AER slot reset.
+
+From: Michael Chan
+
+[ Upstream commit bae361c54fb6ac6eba3b4762f49ce14beb73ef13 ]
+
+Improve the slot reset sequence by disabling the device to prevent bad
+DMAs if slot reset fails. Return the proper result instead of always
+PCI_ERS_RESULT_RECOVERED to the caller.
+
+Fixes: 6316ea6db93d ("bnxt_en: Enable AER support.")
+Signed-off-by: Michael Chan
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+@@ -7166,8 +7166,11 @@ static pci_ers_result_t bnxt_io_slot_res
+ result = PCI_ERS_RESULT_RECOVERED;
+ }
+
+- if (result != PCI_ERS_RESULT_RECOVERED && netif_running(netdev))
+- dev_close(netdev);
++ if (result != PCI_ERS_RESULT_RECOVERED) {
++ if (netif_running(netdev))
++ dev_close(netdev);
++ pci_disable_device(pdev);
++ }
+
+ rtnl_unlock();
+
+@@ -7178,7 +7181,7 @@ static pci_ers_result_t bnxt_io_slot_res
+ err); /* non-fatal, continue */
+ }
+
+- return PCI_ERS_RESULT_RECOVERED;
++ return result;
+ }
+
+ /**
diff --git a/queue-4.9/dp83640-reverse-arguments-to-list_add_tail.patch b/queue-4.9/dp83640-reverse-arguments-to-list_add_tail.patch
new file mode 100644
index 00000000000..5dac03c888c
--- /dev/null
+++ b/queue-4.9/dp83640-reverse-arguments-to-list_add_tail.patch
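Review bot: The new `pci_disable_device(pdev)` in the first inner hunk runs for every result other than PCI_ERS_RESULT_RECOVERED, which would include the case where the device was never re-enabled in this function. The code that enables the device sits above the hunk and is not visible here, so this needs confirming, but if a failed enable leaves `result` at its initial value the disable call is unbalanced. Tracking whether the enable succeeded and calling `pci_disable_device()` only in that case would avoid it. The function body starts outside the hunk.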
@@ -0,0 +1,34 @@
+From foo@baz Tue 12 May 2020 11:26:56 AM CEST
+From: Julia Lawall
+Date: Thu, 30 Apr 2020 21:51:32 +0200
+Subject: dp83640: reverse arguments to list_add_tail
+
+From: Julia Lawall
+
+[ Upstream commit 865308373ed49c9fb05720d14cbf1315349b32a9 ]
+
+In this code, it appears that phyter_clocks is a list head, based on
+the previous list_for_each, and that clock->list is intended to be a
+list element, given that it has just been initialized in
+dp83640_clock_init. Accordingly, switch the arguments to
+list_add_tail, which takes the list head as the second argument.
+
+Fixes: cb646e2b02b27 ("ptp: Added a clock driver for the National Semiconductor PHYTER.")
+Signed-off-by: Julia Lawall
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/phy/dp83640.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/phy/dp83640.c
++++ b/drivers/net/phy/dp83640.c
+@@ -1108,7 +1108,7 @@ static struct dp83640_clock *dp83640_clo
+ goto out;
+ }
+ dp83640_clock_init(clock, bus);
+- list_add_tail(&phyter_clocks, &clock->list);
++ list_add_tail(&clock->list, &phyter_clocks);
+ out:
+ mutex_unlock(&phyter_clocks_lock);
+
diff --git a/queue-4.9/fq_codel-fix-tca_fq_codel_drop_batch_size-sanity-checks.patch b/queue-4.9/fq_codel-fix-tca_fq_codel_drop_batch_size-sanity-checks.patch
new file mode 100644
index 00000000000..51262a6ca26
--- /dev/null
+++ b/queue-4.9/fq_codel-fix-tca_fq_codel_drop_batch_size-sanity-checks.patch
@@ -0,0 +1,32 @@
+From foo@baz Tue 12 May 2020 11:26:56 AM CEST
+From: Eric Dumazet
+Date: Sat, 25 Apr 2020 12:40:25 -0700
+Subject: fq_codel: fix TCA_FQ_CODEL_DROP_BATCH_SIZE sanity checks
+
+From: Eric Dumazet
+
+[ Upstream commit 14695212d4cd8b0c997f6121b6df8520038ce076 ]
+
+My intent was to not let users set a zero drop_batch_size,
+it seems I once again messed with min()/max().
+
+Fixes: 9d18562a2278 ("fq_codel: add batch ability to fq_codel_drop()")
+Signed-off-by: Eric Dumazet
+Acked-by: Toke Høiland-Jørgensen
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/sched/sch_fq_codel.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/sched/sch_fq_codel.c
++++ b/net/sched/sch_fq_codel.c
+@@ -428,7 +428,7 @@ static int fq_codel_change(struct Qdisc
+ q->quantum = max(256U, nla_get_u32(tb[TCA_FQ_CODEL_QUANTUM]));
+
+ if (tb[TCA_FQ_CODEL_DROP_BATCH_SIZE])
+- q->drop_batch_size = min(1U, nla_get_u32(tb[TCA_FQ_CODEL_DROP_BATCH_SIZE]));
++ q->drop_batch_size = max(1U, nla_get_u32(tb[TCA_FQ_CODEL_DROP_BATCH_SIZE]));
+
+ if (tb[TCA_FQ_CODEL_MEMORY_LIMIT])
+ q->memory_limit = min(1U << 31, nla_get_u32(tb[TCA_FQ_CODEL_MEMORY_LIMIT]));
diff --git a/queue-4.9/net-macsec-preserve-ingress-frame-ordering.patch b/queue-4.9/net-macsec-preserve-ingress-frame-ordering.patch
new file mode 100644
index 00000000000..13be5c8287a
--- /dev/null
+++ b/queue-4.9/net-macsec-preserve-ingress-frame-ordering.patch
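Review bot: The three neighbouring clamps in the inner hunk use `max(256U, …)`, `max(1U, …)` and `min(1U << 31, …)` with nothing saying which are floors and which are ceilings, and the commit message itself attributes the bug to mixing them up. A one-line comment on the changed statement, for example `/* floor: a drop batch of 0 packets is not allowed */`, would make the intent checkable at a glance. The value from `nla_get_u32()` has no upper bound here; whether that matters depends on how the drop path consumes `drop_batch_size`, which is outside the hunk.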
@@ -0,0 +1,75 @@
+From foo@baz Tue 12 May 2020 11:26:56 AM CEST
+From: Scott Dial
+Date: Fri, 24 Apr 2020 18:51:08 -0400
+Subject: net: macsec: preserve ingress frame ordering
+
+From: Scott Dial
+
+[ Upstream commit ab046a5d4be4c90a3952a0eae75617b49c0cb01b ]
+
+MACsec decryption always occurs in a softirq context. Since
+the FPU may not be usable in the softirq context, the call to
+decrypt may be scheduled on the cryptd work queue. The cryptd
+work queue does not provide ordering guarantees. Therefore,
+preserving order requires masking out ASYNC implementations
+of gcm(aes).
+
+For instance, an Intel CPU with AES-NI makes available the
+generic-gcm-aesni driver from the aesni_intel module to
+implement gcm(aes). However, this implementation requires
+the FPU, so it is not always available to use from a softirq
+context, and will fallback to the cryptd work queue, which
+does not preserve frame ordering. With this change, such a
+system would select gcm_base(ctr(aes-aesni),ghash-generic).
+While the aes-aesni implementation prefers to use the FPU, it
+will fallback to the aes-asm implementation if unavailable.
+
+By using a synchronous version of gcm(aes), the decryption
+will complete before returning from crypto_aead_decrypt().
+Therefore, the macsec_decrypt_done() callback will be called
+before returning from macsec_decrypt(). Thus, the order of
+calls to macsec_post_decrypt() for the frames is preserved.
+
+While it's presumable that the pure AES-NI version of gcm(aes)
+is more performant, the hybrid solution is capable of gigabit
+speeds on modest hardware. Regardless, preserving the order
+of frames is paramount for many network protocols (e.g.,
+triggering TCP retries). Within the MACsec driver itself, the
+replay protection is tripped by the out-of-order frames, and
+can cause frames to be dropped.
+
+This bug has been present in this code since it was added in
+v4.6, however it may not have been noticed since not all CPUs
+have FPU offload available. Additionally, the bug manifests
+as occasional out-of-order packets that are easily
+misattributed to other network phenomena.
+
+When this code was added in v4.6, the crypto/gcm.c code did
+not restrict selection of the ghash function based on the
+ASYNC flag. For instance, x86 CPUs with PCLMULQDQ would
+select the ghash-clmulni driver instead of ghash-generic,
+which submits to the cryptd work queue if the FPU is busy.
+However, this bug was was corrected in v4.8 by commit
+b30bdfa86431afbafe15284a3ad5ac19b49b88e3, and was backported
+all the way back to the v3.14 stable branch, so this patch
+should be applicable back to the v4.6 stable branch.
+
+Signed-off-by: Scott Dial
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/macsec.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/macsec.c
++++ b/drivers/net/macsec.c
+@@ -1315,7 +1315,8 @@ static struct crypto_aead *macsec_alloc_
+ struct crypto_aead *tfm;
+ int ret;
+
+- tfm = crypto_alloc_aead("gcm(aes)", 0, 0);
++ /* Pick a sync gcm(aes) cipher to ensure order is preserved. */
++ tfm = crypto_alloc_aead("gcm(aes)", 0, CRYPTO_ALG_ASYNC);
+
+ if (IS_ERR(tfm))
+ return tfm;
diff --git a/queue-4.9/net-mlx4_core-fix-use-of-enospc-around-mlx4_counter_alloc.patch b/queue-4.9/net-mlx4_core-fix-use-of-enospc-around-mlx4_counter_alloc.patch
new file mode 100644
index 00000000000..a76e143afba
--- /dev/null
+++ b/queue-4.9/net-mlx4_core-fix-use-of-enospc-around-mlx4_counter_alloc.patch
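Review bot: The added comment says a sync cipher is picked but not how, and `crypto_alloc_aead("gcm(aes)", 0, CRYPTO_ALG_ASYNC)` reads at first sight as if it requested an asynchronous implementation. The second argument is the type and the third the mask, so type 0 with the ASYNC bit in the mask excludes async implementations; the comment should say so, e.g. `/* type 0 + mask CRYPTO_ALG_ASYNC: only synchronous gcm(aes), so frames are decrypted in order and replay protection is not tripped. */`. The replay-protection consequence is taken from the commit message. The enclosing function continues outside the hunk.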
@@ -0,0 +1,49 @@
+From foo@baz Tue 12 May 2020 11:26:56 AM CEST
+From: Tariq Toukan
+Date: Mon, 4 May 2020 11:36:02 +0300
+Subject: net/mlx4_core: Fix use of ENOSPC around mlx4_counter_alloc()
+
+From: Tariq Toukan
+
+[ Upstream commit 40e473071dbad04316ddc3613c3a3d1c75458299 ]
+
+When ENOSPC is set the idx is still valid and gets set to the global
+MLX4_SINK_COUNTER_INDEX. However gcc's static analysis cannot tell that
+ENOSPC is impossible from mlx4_cmd_imm() and gives this warning:
+
+drivers/net/ethernet/mellanox/mlx4/main.c:2552:28: warning: 'idx' may be
+used uninitialized in this function [-Wmaybe-uninitialized]
+ 2552 | priv->def_counter[port] = idx;
+
+Also, when ENOSPC is returned mlx4_allocate_default_counters should not
+fail.
+
+Fixes: 6de5f7f6a1fa ("net/mlx4_core: Allocate default counter per port")
+Signed-off-by: Jason Gunthorpe
+Signed-off-by: Tariq Toukan
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/mellanox/mlx4/main.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx4/main.c
++++ b/drivers/net/ethernet/mellanox/mlx4/main.c
+@@ -2478,6 +2478,7 @@ static int mlx4_allocate_default_counter
+
+ if (!err || err == -ENOSPC) {
+ priv->def_counter[port] = idx;
++ err = 0;
+ } else if (err == -ENOENT) {
+ err = 0;
+ continue;
+@@ -2527,7 +2528,8 @@ int mlx4_counter_alloc(struct mlx4_dev *
+ MLX4_CMD_TIME_CLASS_A, MLX4_CMD_WRAPPED);
+ if (!err)
+ *idx = get_param_l(&out_param);
+-
++ if (WARN_ON(err == -ENOSPC))
++ err = -EINVAL;
+ return err;
+ }
+ return __mlx4_counter_alloc(dev, idx);
diff --git a/queue-4.9/net-mlx5-fix-command-entry-leak-in-internal-error-state.patch b/queue-4.9/net-mlx5-fix-command-entry-leak-in-internal-error-state.patch
new file mode 100644
index 00000000000..930d789173b
--- /dev/null
+++ b/queue-4.9/net-mlx5-fix-command-entry-leak-in-internal-error-state.patch
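Review bot: The remap `if (WARN_ON(err == -ENOSPC)) err = -EINVAL;` in the second inner hunk carries no comment, and without the commit message it looks arbitrary. From the first inner hunk, the caller treats -ENOSPC as success with a valid `idx`, while this path writes `*idx` only when `err` is 0, so letting -ENOSPC through would hand the caller an uninitialized index. A comment such as `/* callers read -ENOSPC as "idx is valid"; *idx is not set on this path */` would record that. If the command result can ever carry that value repeatedly, `WARN_ON_ONCE` would keep it from flooding the log.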
@@ -0,0 +1,36 @@
+From foo@baz Tue 12 May 2020 11:26:56 AM CEST
+From: Moshe Shemesh
+Date: Sun, 23 Feb 2020 03:27:41 +0200
+Subject: net/mlx5: Fix command entry leak in Internal Error State
+
+From: Moshe Shemesh
+
+[ Upstream commit cece6f432cca9f18900463ed01b97a152a03600a ]
+
+Processing commands by cmd_work_handler() while already in Internal
+Error State will result in entry leak, since the handler process force
+completion without doorbell. Forced completion doesn't release the entry
+and event completion will never arrive, so entry should be released.
+
+Fixes: 73dd3a4839c1 ("net/mlx5: Avoid using pending command interface slots")
+Signed-off-by: Moshe Shemesh
+Signed-off-by: Eran Ben Elisha
+Signed-off-by: Saeed Mahameed
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/mellanox/mlx5/core/cmd.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
+@@ -847,6 +847,10 @@ static void cmd_work_handler(struct work
+ MLX5_SET(mbox_out, ent->out, syndrome, drv_synd);
+
+ mlx5_cmd_comp_handler(dev, 1UL << ent->idx, true);
++ /* no doorbell, no need to keep the entry */
++ free_ent(cmd, ent->idx);
++ if (ent->callback)
++ free_cmd(ent);
+ return;
+ }
+
diff --git a/queue-4.9/net-mlx5-fix-forced-completion-access-non-initialized-command-entry.patch b/queue-4.9/net-mlx5-fix-forced-completion-access-non-initialized-command-entry.patch
new file mode 100644
index 00000000000..a14cd6cd0e9
--- /dev/null
+++ b/queue-4.9/net-mlx5-fix-forced-completion-access-non-initialized-command-entry.patch
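Review bot: `ent->idx` and `ent->callback` are read after `mlx5_cmd_comp_handler()` has force-completed the entry. The handler is not visible in this hunk, but if forced completion wakes a synchronous waiter that owns `ent` and frees it, both reads race with that free. Copying the index and the callback test into locals before the handler call and using the locals afterwards (`free_ent(cmd, idx);` and `if (has_cb) free_cmd(ent);`) would close that window. cmd_work_handler's body starts and ends outside the hunk.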
@@ -0,0 +1,46 @@
+From foo@baz Tue 12 May 2020 11:26:56 AM CEST
+From: Moshe Shemesh
+Date: Sun, 21 Jul 2019 08:40:13 +0300
+Subject: net/mlx5: Fix forced completion access non initialized command entry
+
+From: Moshe Shemesh
+
+[ Upstream commit f3cb3cebe26ed4c8036adbd9448b372129d3c371 ]
+
+mlx5_cmd_flush() will trigger forced completions to all valid command
+entries. Triggered by an asynch event such as fast teardown it can
+happen at any stage of the command, including command initialization.
+It will trigger forced completion and that can lead to completion on an
+uninitialized command entry.
+
+Setting MLX5_CMD_ENT_STATE_PENDING_COMP only after command entry is
+initialized will ensure force completion is treated only if command
+entry is initialized.
+
+Fixes: 73dd3a4839c1 ("net/mlx5: Avoid using pending command interface slots")
+Signed-off-by: Moshe Shemesh
+Signed-off-by: Eran Ben Elisha
+Signed-off-by: Saeed Mahameed
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/mellanox/mlx5/core/cmd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
+@@ -813,7 +813,6 @@ static void cmd_work_handler(struct work
+ }
+
+ cmd->ent_arr[ent->idx] = ent;
+- set_bit(MLX5_CMD_ENT_STATE_PENDING_COMP, &ent->state);
+ lay = get_inst(cmd, ent->idx);
+ ent->lay = lay;
+ memset(lay, 0, sizeof(*lay));
+@@ -835,6 +834,7 @@ static void cmd_work_handler(struct work
+
+ if (ent->callback)
+ schedule_delayed_work(&ent->cb_timeout_work, cb_timeout);
++ set_bit(MLX5_CMD_ENT_STATE_PENDING_COMP, &ent->state);
+
+ /* Skip sending command to fw if internal error */
+ if (pci_channel_offline(dev->pdev) ||
diff --git a/queue-4.9/net-usb-qmi_wwan-add-support-for-dw5816e.patch b/queue-4.9/net-usb-qmi_wwan-add-support-for-dw5816e.patch
new file mode 100644
index 00000000000..64ad14de21f
--- /dev/null
+++ b/queue-4.9/net-usb-qmi_wwan-add-support-for-dw5816e.patch
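Review bot: Moving `set_bit(MLX5_CMD_ENT_STATE_PENDING_COMP, &ent->state)` below the initialisation orders the statements in program order only; `set_bit()` does not by itself order the preceding stores for another CPU. The forced-completion path that tests the bit is outside the hunk, so this is to be confirmed, but if it runs concurrently it could observe the bit before the `ent->lay` setup is visible. Adding `smp_mb__before_atomic();` immediately before the `set_bit()`, with a comment that the bit marks the entry as fully initialised, would make the publication explicit. `cmd->ent_arr[ent->idx] = ent` is still assigned before initialisation, so the state bit is the only guard.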
@@ -0,0 +1,29 @@
+From foo@baz Tue 12 May 2020 11:26:56 AM CEST
+From: Matt Jolly
+Date: Sun, 3 May 2020 01:52:28 +1000
+Subject: net: usb: qmi_wwan: add support for DW5816e
+
+From: Matt Jolly
+
+[ Upstream commit 57c7f2bd758eed867295c81d3527fff4fab1ed74 ]
+
+Add support for Dell Wireless 5816e to drivers/net/usb/qmi_wwan.c
+
+Signed-off-by: Matt Jolly
+Acked-by: Bjørn Mork
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/usb/qmi_wwan.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/usb/qmi_wwan.c
++++ b/drivers/net/usb/qmi_wwan.c
+@@ -950,6 +950,7 @@ static const struct usb_device_id produc
+ {QMI_FIXED_INTF(0x413c, 0x81b3, 8)}, /* Dell Wireless 5809e Gobi(TM) 4G LTE Mobile Broadband Card (rev3) */
+ {QMI_FIXED_INTF(0x413c, 0x81b6, 8)}, /* Dell Wireless 5811e */
+ {QMI_FIXED_INTF(0x413c, 0x81b6, 10)}, /* Dell Wireless 5811e */
++ {QMI_FIXED_INTF(0x413c, 0x81cc, 8)}, /* Dell Wireless 5816e */
+ {QMI_FIXED_INTF(0x413c, 0x81d7, 0)}, /* Dell Wireless 5821e */
+ {QMI_FIXED_INTF(0x413c, 0x81d7, 1)}, /* Dell Wireless 5821e preproduction config */
+ {QMI_FIXED_INTF(0x413c, 0x81e0, 0)}, /* Dell Wireless 5821e with eSIM support*/
diff --git a/queue-4.9/sch_choke-avoid-potential-panic-in-choke_reset.patch b/queue-4.9/sch_choke-avoid-potential-panic-in-choke_reset.patch
new file mode 100644
index 00000000000..e875948fb5d
--- /dev/null
+++ b/queue-4.9/sch_choke-avoid-potential-panic-in-choke_reset.patch
@@ -0,0 +1,69 @@
+From foo@baz Tue 12 May 2020 11:26:56 AM CEST
+From: Eric Dumazet
+Date: Sat, 25 Apr 2020 15:19:51 -0700
+Subject: sch_choke: avoid potential panic in choke_reset()
+
+From: Eric Dumazet
+
+[ Upstream commit 8738c85c72b3108c9b9a369a39868ba5f8e10ae0 ]
+
+If choke_init() could not allocate q->tab, we would crash later
+in choke_reset().
+
+BUG: KASAN: null-ptr-deref in memset include/linux/string.h:366 [inline]
+BUG: KASAN: null-ptr-deref in choke_reset+0x208/0x340 net/sched/sch_choke.c:326
+Write of size 8 at addr 0000000000000000 by task syz-executor822/7022
+
+CPU: 1 PID: 7022 Comm: syz-executor822 Not tainted 5.7.0-rc1-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x188/0x20d lib/dump_stack.c:118
+ __kasan_report.cold+0x5/0x4d mm/kasan/report.c:515
+ kasan_report+0x33/0x50 mm/kasan/common.c:625
+ check_memory_region_inline mm/kasan/generic.c:187 [inline]
+ check_memory_region+0x141/0x190 mm/kasan/generic.c:193
+ memset+0x20/0x40 mm/kasan/common.c:85
+ memset include/linux/string.h:366 [inline]
+ choke_reset+0x208/0x340 net/sched/sch_choke.c:326
+ qdisc_reset+0x6b/0x520 net/sched/sch_generic.c:910
+ dev_deactivate_queue.constprop.0+0x13c/0x240 net/sched/sch_generic.c:1138
+ netdev_for_each_tx_queue include/linux/netdevice.h:2197 [inline]
+ dev_deactivate_many+0xe2/0xba0 net/sched/sch_generic.c:1195
+ dev_deactivate+0xf8/0x1c0 net/sched/sch_generic.c:1233
+ qdisc_graft+0xd25/0x1120 net/sched/sch_api.c:1051
+ tc_modify_qdisc+0xbab/0x1a00 net/sched/sch_api.c:1670
+ rtnetlink_rcv_msg+0x44e/0xad0 net/core/rtnetlink.c:5454
+ netlink_rcv_skb+0x15a/0x410 net/netlink/af_netlink.c:2469
+ netlink_unicast_kernel net/netlink/af_netlink.c:1303 [inline]
+ netlink_unicast+0x537/0x740 net/netlink/af_netlink.c:1329
+ netlink_sendmsg+0x882/0xe10 net/netlink/af_netlink.c:1918
+ sock_sendmsg_nosec net/socket.c:652 [inline]
+ sock_sendmsg+0xcf/0x120 net/socket.c:672
+ ____sys_sendmsg+0x6bf/0x7e0 net/socket.c:2362
+ ___sys_sendmsg+0x100/0x170 net/socket.c:2416
+ __sys_sendmsg+0xec/0x1b0 net/socket.c:2449
+ do_syscall_64+0xf6/0x7d0 arch/x86/entry/common.c:295
+
+Fixes: 77e62da6e60c ("sch_choke: drop all packets in queue during reset")
+Signed-off-by: Eric Dumazet
+Reported-by: syzbot
+Cc: Cong Wang
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/sched/sch_choke.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/sched/sch_choke.c
++++ b/net/sched/sch_choke.c
+@@ -382,7 +382,8 @@ static void choke_reset(struct Qdisc *sc
+
+ sch->q.qlen = 0;
+ sch->qstats.backlog = 0;
+- memset(q->tab, 0, (q->tab_mask + 1) * sizeof(struct sk_buff *));
++ if (q->tab)
++ memset(q->tab, 0, (q->tab_mask + 1) * sizeof(struct sk_buff *));
+ q->head = q->tail = 0;
+ red_restart(&q->vars);
+ }
diff --git a/queue-4.9/sch_sfq-validate-silly-quantum-values.patch b/queue-4.9/sch_sfq-validate-silly-quantum-values.patch
new file mode 100644
index 00000000000..bbc3a96a37e
--- /dev/null
+++ b/queue-4.9/sch_sfq-validate-silly-quantum-values.patch
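Review bot: The new `if (q->tab)` guard has no comment saying when `q->tab` can be NULL, so it reads as defensive noise that a later cleanup might remove. The commit message gives the reason (choke_init() failing to allocate the table, followed by a reset), and I would record it as `/* q->tab is NULL if choke_init() failed to allocate it */` above the check. Any other use of `q->tab` in choke_reset() lies above the hunk and is not visible here; it should be checked for the same case.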
@@ -0,0 +1,47 @@
+From foo@baz Tue 12 May 2020 11:26:56 AM CEST
+From: Eric Dumazet
+Date: Sun, 26 Apr 2020 18:19:07 -0700
+Subject: sch_sfq: validate silly quantum values
+
+From: Eric Dumazet
+
+[ Upstream commit df4953e4e997e273501339f607b77953772e3559 ]
+
+syzbot managed to set up sfq so that q->scaled_quantum was zero,
+triggering an infinite loop in sfq_dequeue()
+
+More generally, we must only accept quantum between 1 and 2^18 - 7,
+meaning scaled_quantum must be in [1, 0x7FFF] range.
+
+Otherwise, we also could have a loop in sfq_dequeue()
+if scaled_quantum happens to be 0x8000, since slot->allot
+could indefinitely switch between 0 and 0x8000.
+
+Fixes: eeaeb068f139 ("sch_sfq: allow big packets and be fair")
+Signed-off-by: Eric Dumazet
+Reported-by: syzbot+0251e883fe39e7a0cb0a@syzkaller.appspotmail.com
+Cc: Jason A. Donenfeld
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/sched/sch_sfq.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/net/sched/sch_sfq.c
++++ b/net/sched/sch_sfq.c
+@@ -635,6 +635,15 @@ static int sfq_change(struct Qdisc *sch,
+ if (ctl->divisor &&
+ (!is_power_of_2(ctl->divisor) || ctl->divisor > 65536))
+ return -EINVAL;
++
++ /* slot->allot is a short, make sure quantum is not too big. */
++ if (ctl->quantum) {
++ unsigned int scaled = SFQ_ALLOT_SIZE(ctl->quantum);
++
++ if (scaled <= 0 || scaled > SHRT_MAX)
++ return -EINVAL;
++ }
++
+ if (ctl_v1 && !red_check_params(ctl_v1->qth_min, ctl_v1->qth_max,
+ ctl_v1->Wlog))
+ return -EINVAL;
diff --git a/queue-4.9/series b/queue-4.9/series
index 396b83be1c6..e548731f84c 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
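Review bot: `scaled` is declared `unsigned int`, so `scaled <= 0` can only ever mean `scaled == 0`; writing the test as `if (!scaled || scaled > SHRT_MAX)` says what is actually checked. The added comment mentions only the upper bound, while the commit message gives the accepted range as [1, 0x7FFF] and names the zero case as the one behind the reported loop; `/* slot->allot is a short: scaled quantum must be in [1, SHRT_MAX] */` would cover both. The check is skipped when `ctl->quantum` is 0, presumably the "leave unchanged" case, which is worth a word in the comment if so. sfq_change's body continues outside the hunk.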
@@ -1 +1,12 @@
 usb-serial-qcserial-add-dw5816e-support.patch
+dp83640-reverse-arguments-to-list_add_tail.patch
+fq_codel-fix-tca_fq_codel_drop_batch_size-sanity-checks.patch
+net-macsec-preserve-ingress-frame-ordering.patch
+net-mlx4_core-fix-use-of-enospc-around-mlx4_counter_alloc.patch
+net-usb-qmi_wwan-add-support-for-dw5816e.patch
+sch_choke-avoid-potential-panic-in-choke_reset.patch
+sch_sfq-validate-silly-quantum-values.patch
+bnxt_en-fix-vlan-acceleration-handling-in-bnxt_fix_features.patch
+net-mlx5-fix-forced-completion-access-non-initialized-command-entry.patch
+net-mlx5-fix-command-entry-leak-in-internal-error-state.patch
+bnxt_en-improve-aer-slot-reset.patch