From 2c1a514a1a766f8ce525a6db89e23270a844fc24 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Fri, 29 May 2020 11:35:07 +0200 Subject: [PATCH] 4.19-stable patches added patches: mlxsw-spectrum-fix-use-after-free-of-split-unsplit-type_set-in-case-reload-fails.patch net-mlx4_core-fix-a-memory-leak-bug.patch net-mlx5-annotate-mutex-destroy-for-root-ns.patch net-sun-fix-missing-release-regions-in-cas_init_one.patch --- ...nsplit-type_set-in-case-reload-fails.patch | 108 ++++++++++++++++++ .../net-mlx4_core-fix-a-memory-leak-bug.patch | 34 ++++++ ...5-annotate-mutex-destroy-for-root-ns.patch | 36 ++++++ ...sing-release-regions-in-cas_init_one.patch | 45 ++++++++ queue-4.19/series | 4 + 5 files changed, 227 insertions(+) create mode 100644 queue-4.19/mlxsw-spectrum-fix-use-after-free-of-split-unsplit-type_set-in-case-reload-fails.patch create mode 100644 queue-4.19/net-mlx4_core-fix-a-memory-leak-bug.patch create mode 100644 queue-4.19/net-mlx5-annotate-mutex-destroy-for-root-ns.patch create mode 100644 queue-4.19/net-sun-fix-missing-release-regions-in-cas_init_one.patch diff --git a/queue-4.19/mlxsw-spectrum-fix-use-after-free-of-split-unsplit-type_set-in-case-reload-fails.patch b/queue-4.19/mlxsw-spectrum-fix-use-after-free-of-split-unsplit-type_set-in-case-reload-fails.patch new file mode 100644 index 00000000000..483aaba0001 --- /dev/null +++ b/queue-4.19/mlxsw-spectrum-fix-use-after-free-of-split-unsplit-type_set-in-case-reload-fails.patch @@ -0,0 +1,108 @@ +From 4340f42f207eacb81e7a6b6bb1e3b6afad9a2e26 Mon Sep 17 00:00:00 2001 +From: Jiri Pirko +Date: Thu, 21 May 2020 15:11:44 +0300 +Subject: mlxsw: spectrum: Fix use-after-free of split/unsplit/type_set in case reload fails + +From: Jiri Pirko + +commit 4340f42f207eacb81e7a6b6bb1e3b6afad9a2e26 upstream. + +In case of reload fail, the mlxsw_sp->ports contains a pointer to a +freed memory (either by reload_down() or reload_up() error path). +Fix this by initializing the pointer to NULL and checking it before +dereferencing in split/unsplit/type_set callpaths. + +Fixes: 24cc68ad6c46 ("mlxsw: core: Add support for reload") +Reported-by: Danielle Ratson +Signed-off-by: Jiri Pirko +Signed-off-by: Ido Schimmel +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/ethernet/mellanox/mlxsw/spectrum.c | 14 ++++++++++++-- + drivers/net/ethernet/mellanox/mlxsw/switchx2.c | 8 ++++++++ + 2 files changed, 20 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum.c ++++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum.c +@@ -3126,6 +3126,7 @@ static void mlxsw_sp_ports_remove(struct + mlxsw_sp_port_remove(mlxsw_sp, i); + kfree(mlxsw_sp->port_to_module); + kfree(mlxsw_sp->ports); ++ mlxsw_sp->ports = NULL; + } + + static int mlxsw_sp_ports_create(struct mlxsw_sp *mlxsw_sp) +@@ -3174,6 +3175,7 @@ err_port_module_info_get: + kfree(mlxsw_sp->port_to_module); + err_port_to_module_alloc: + kfree(mlxsw_sp->ports); ++ mlxsw_sp->ports = NULL; + return err; + } + +@@ -3228,6 +3230,14 @@ static void mlxsw_sp_port_unsplit_create + } + } + ++static struct mlxsw_sp_port * ++mlxsw_sp_port_get_by_local_port(struct mlxsw_sp *mlxsw_sp, u8 local_port) ++{ ++ if (mlxsw_sp->ports && mlxsw_sp->ports[local_port]) ++ return mlxsw_sp->ports[local_port]; ++ return NULL; ++} ++ + static int mlxsw_sp_port_split(struct mlxsw_core *mlxsw_core, u8 local_port, + unsigned int count, + struct netlink_ext_ack *extack) +@@ -3238,7 +3248,7 @@ static int mlxsw_sp_port_split(struct ml + int i; + int err; + +- mlxsw_sp_port = mlxsw_sp->ports[local_port]; ++ mlxsw_sp_port = mlxsw_sp_port_get_by_local_port(mlxsw_sp, local_port); + if (!mlxsw_sp_port) { + dev_err(mlxsw_sp->bus_info->dev, "Port number \"%d\" does not exist\n", + local_port); +@@ -3305,7 +3315,7 @@ static int mlxsw_sp_port_unsplit(struct + unsigned int count; + int i; + +- mlxsw_sp_port = mlxsw_sp->ports[local_port]; ++ mlxsw_sp_port = mlxsw_sp_port_get_by_local_port(mlxsw_sp, local_port); + if (!mlxsw_sp_port) { + dev_err(mlxsw_sp->bus_info->dev, "Port number \"%d\" does not exist\n", + local_port); +--- a/drivers/net/ethernet/mellanox/mlxsw/switchx2.c ++++ b/drivers/net/ethernet/mellanox/mlxsw/switchx2.c +@@ -1289,6 +1289,7 @@ static void mlxsw_sx_ports_remove(struct + if (mlxsw_sx_port_created(mlxsw_sx, i)) + mlxsw_sx_port_remove(mlxsw_sx, i); + kfree(mlxsw_sx->ports); ++ mlxsw_sx->ports = NULL; + } + + static int mlxsw_sx_ports_create(struct mlxsw_sx *mlxsw_sx) +@@ -1323,6 +1324,7 @@ err_port_module_info_get: + if (mlxsw_sx_port_created(mlxsw_sx, i)) + mlxsw_sx_port_remove(mlxsw_sx, i); + kfree(mlxsw_sx->ports); ++ mlxsw_sx->ports = NULL; + return err; + } + +@@ -1406,6 +1408,12 @@ static int mlxsw_sx_port_type_set(struct + u8 module, width; + int err; + ++ if (!mlxsw_sx->ports || !mlxsw_sx->ports[local_port]) { ++ dev_err(mlxsw_sx->bus_info->dev, "Port number \"%d\" does not exist\n", ++ local_port); ++ return -EINVAL; ++ } ++ + if (new_type == DEVLINK_PORT_TYPE_AUTO) + return -EOPNOTSUPP; + diff --git a/queue-4.19/net-mlx4_core-fix-a-memory-leak-bug.patch b/queue-4.19/net-mlx4_core-fix-a-memory-leak-bug.patch new file mode 100644 index 00000000000..f28d4243096 --- /dev/null +++ b/queue-4.19/net-mlx4_core-fix-a-memory-leak-bug.patch @@ -0,0 +1,34 @@ +From febfd9d3c7f74063e8e630b15413ca91b567f963 Mon Sep 17 00:00:00 2001 +From: Qiushi Wu +Date: Fri, 22 May 2020 14:07:15 -0500 +Subject: net/mlx4_core: fix a memory leak bug. + +From: Qiushi Wu + +commit febfd9d3c7f74063e8e630b15413ca91b567f963 upstream. + +In function mlx4_opreq_action(), pointer "mailbox" is not released, +when mlx4_cmd_box() return and error, causing a memory leak bug. +Fix this issue by going to "out" label, mlx4_free_cmd_mailbox() can +free this pointer. + +Fixes: fe6f700d6cbb ("net/mlx4_core: Respond to operation request by firmware") +Signed-off-by: Qiushi Wu +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/ethernet/mellanox/mlx4/fw.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/mellanox/mlx4/fw.c ++++ b/drivers/net/ethernet/mellanox/mlx4/fw.c +@@ -2731,7 +2731,7 @@ void mlx4_opreq_action(struct work_struc + if (err) { + mlx4_err(dev, "Failed to retrieve required operation: %d\n", + err); +- return; ++ goto out; + } + MLX4_GET(modifier, outbox, GET_OP_REQ_MODIFIER_OFFSET); + MLX4_GET(token, outbox, GET_OP_REQ_TOKEN_OFFSET); diff --git a/queue-4.19/net-mlx5-annotate-mutex-destroy-for-root-ns.patch b/queue-4.19/net-mlx5-annotate-mutex-destroy-for-root-ns.patch new file mode 100644 index 00000000000..c5a4758c56d --- /dev/null +++ b/queue-4.19/net-mlx5-annotate-mutex-destroy-for-root-ns.patch @@ -0,0 +1,36 @@ +From 9ca415399dae133b00273a4283ef31d003a6818d Mon Sep 17 00:00:00 2001 +From: Roi Dayan +Date: Thu, 14 May 2020 23:44:38 +0300 +Subject: net/mlx5: Annotate mutex destroy for root ns + +From: Roi Dayan + +commit 9ca415399dae133b00273a4283ef31d003a6818d upstream. + +Invoke mutex_destroy() to catch any errors. + +Fixes: 2cc43b494a6c ("net/mlx5_core: Managing root flow table") +Signed-off-by: Roi Dayan +Reviewed-by: Mark Bloch +Signed-off-by: Saeed Mahameed +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/ethernet/mellanox/mlx5/core/fs_core.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c +@@ -364,6 +364,12 @@ static void del_sw_ns(struct fs_node *no + + static void del_sw_prio(struct fs_node *node) + { ++ struct mlx5_flow_root_namespace *root_ns; ++ struct mlx5_flow_namespace *ns; ++ ++ fs_get_obj(ns, node); ++ root_ns = container_of(ns, struct mlx5_flow_root_namespace, ns); ++ mutex_destroy(&root_ns->chain_lock); + kfree(node); + } + diff --git a/queue-4.19/net-sun-fix-missing-release-regions-in-cas_init_one.patch b/queue-4.19/net-sun-fix-missing-release-regions-in-cas_init_one.patch new file mode 100644 index 00000000000..bc3aeac40dd --- /dev/null +++ b/queue-4.19/net-sun-fix-missing-release-regions-in-cas_init_one.patch @@ -0,0 +1,45 @@ +From 5a730153984dd13f82ffae93d7170d76eba204e9 Mon Sep 17 00:00:00 2001 +From: Qiushi Wu +Date: Fri, 22 May 2020 16:50:27 -0500 +Subject: net: sun: fix missing release regions in cas_init_one(). +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Qiushi Wu + +commit 5a730153984dd13f82ffae93d7170d76eba204e9 upstream. + +In cas_init_one(), "pdev" is requested by "pci_request_regions", but it +was not released after a call of the function “pci_write_config_byte” +failed. Thus replace the jump target “err_write_cacheline” by +"err_out_free_res". + +Fixes: 1f26dac32057 ("[NET]: Add Sun Cassini driver.") +Signed-off-by: Qiushi Wu +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/ethernet/sun/cassini.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/net/ethernet/sun/cassini.c ++++ b/drivers/net/ethernet/sun/cassini.c +@@ -4971,7 +4971,7 @@ static int cas_init_one(struct pci_dev * + cas_cacheline_size)) { + dev_err(&pdev->dev, "Could not set PCI cache " + "line size\n"); +- goto err_write_cacheline; ++ goto err_out_free_res; + } + } + #endif +@@ -5144,7 +5144,6 @@ err_out_iounmap: + err_out_free_res: + pci_release_regions(pdev); + +-err_write_cacheline: + /* Try to restore it in case the error occurred after we + * set it. + */ diff --git a/queue-4.19/series b/queue-4.19/series index 0ac517a67b4..da1f53c4787 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -12,3 +12,7 @@ r8152-support-additional-microsoft-surface-ethernet-adapter-variant.patch sctp-don-t-add-the-shutdown-timer-if-its-already-been-added.patch sctp-start-shutdown-on-association-restart-if-in-shutdown-sent-state-and-socket-is-closed.patch net-mlx5e-update-netdev-txq-on-completions-during-closure.patch +net-mlx5-annotate-mutex-destroy-for-root-ns.patch +net-sun-fix-missing-release-regions-in-cas_init_one.patch +net-mlx4_core-fix-a-memory-leak-bug.patch +mlxsw-spectrum-fix-use-after-free-of-split-unsplit-type_set-in-case-reload-fails.patch -- 2.47.3