From 7bb0974e3e0a0c4cfb7661f380f0cc7bcbe1544f Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Tue, 12 May 2020 12:06:33 +0200 Subject: [PATCH] 4.4-stable patches added patches: dp83640-reverse-arguments-to-list_add_tail.patch net-mlx4_core-fix-use-of-enospc-around-mlx4_counter_alloc.patch sch_choke-avoid-potential-panic-in-choke_reset.patch sch_sfq-validate-silly-quantum-values.patch --- ...0-reverse-arguments-to-list_add_tail.patch | 34 +++++++++ ...-of-enospc-around-mlx4_counter_alloc.patch | 49 +++++++++++++ ...avoid-potential-panic-in-choke_reset.patch | 69 +++++++++++++++++++ ...ch_sfq-validate-silly-quantum-values.patch | 47 +++++++++++++ queue-4.4/series | 4 ++ 5 files changed, 203 insertions(+) create mode 100644 queue-4.4/dp83640-reverse-arguments-to-list_add_tail.patch create mode 100644 queue-4.4/net-mlx4_core-fix-use-of-enospc-around-mlx4_counter_alloc.patch create mode 100644 queue-4.4/sch_choke-avoid-potential-panic-in-choke_reset.patch create mode 100644 queue-4.4/sch_sfq-validate-silly-quantum-values.patch
diff --git a/queue-4.4/dp83640-reverse-arguments-to-list_add_tail.patch b/queue-4.4/dp83640-reverse-arguments-to-list_add_tail.patch
new file mode 100644
index 00000000000..9fbd53d9ca0
--- /dev/null
+++ b/queue-4.4/dp83640-reverse-arguments-to-list_add_tail.patch
@@ -0,0 +1,34 @@
+From foo@baz Tue 12 May 2020 11:40:03 AM CEST
+From: Julia Lawall
+Date: Thu, 30 Apr 2020 21:51:32 +0200
+Subject: dp83640: reverse arguments to list_add_tail
+
+From: Julia Lawall
+
+[ Upstream commit 865308373ed49c9fb05720d14cbf1315349b32a9 ]
+
+In this code, it appears that phyter_clocks is a list head, based on
+the previous list_for_each, and that clock->list is intended to be a
+list element, given that it has just been initialized in
+dp83640_clock_init. Accordingly, switch the arguments to
+list_add_tail, which takes the list head as the second argument.
+
+Fixes: cb646e2b02b27 ("ptp: Added a clock driver for the National Semiconductor PHYTER.")
+Signed-off-by: Julia Lawall
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/phy/dp83640.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/phy/dp83640.c
++++ b/drivers/net/phy/dp83640.c
+@@ -1107,7 +1107,7 @@ static struct dp83640_clock *dp83640_clo
+ goto out;
+ }
+ dp83640_clock_init(clock, bus);
+- list_add_tail(&phyter_clocks, &clock->list);
++ list_add_tail(&clock->list, &phyter_clocks);
+ out:
+ mutex_unlock(&phyter_clocks_lock);
+
diff --git a/queue-4.4/net-mlx4_core-fix-use-of-enospc-around-mlx4_counter_alloc.patch b/queue-4.4/net-mlx4_core-fix-use-of-enospc-around-mlx4_counter_alloc.patch
new file mode 100644
index 00000000000..dc3e08c2de9
--- /dev/null
+++ b/queue-4.4/net-mlx4_core-fix-use-of-enospc-around-mlx4_counter_alloc.patch
@@ -0,0 +1,49 @@
+From foo@baz Tue 12 May 2020 11:40:03 AM CEST
+From: Tariq Toukan
+Date: Mon, 4 May 2020 11:36:02 +0300
+Subject: net/mlx4_core: Fix use of ENOSPC around mlx4_counter_alloc()
+
+From: Tariq Toukan
+
+[ Upstream commit 40e473071dbad04316ddc3613c3a3d1c75458299 ]
+
+When ENOSPC is set the idx is still valid and gets set to the global
+MLX4_SINK_COUNTER_INDEX. However gcc's static analysis cannot tell that
+ENOSPC is impossible from mlx4_cmd_imm() and gives this warning:
+
+drivers/net/ethernet/mellanox/mlx4/main.c:2552:28: warning: 'idx' may be
+used uninitialized in this function [-Wmaybe-uninitialized]
+ 2552 | priv->def_counter[port] = idx;
+
+Also, when ENOSPC is returned mlx4_allocate_default_counters should not
+fail.
+
+Fixes: 6de5f7f6a1fa ("net/mlx4_core: Allocate default counter per port")
+Signed-off-by: Jason Gunthorpe
+Signed-off-by: Tariq Toukan
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/mellanox/mlx4/main.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx4/main.c
++++ b/drivers/net/ethernet/mellanox/mlx4/main.c
+@@ -2295,6 +2295,7 @@ static int mlx4_allocate_default_counter
+
+ if (!err || err == -ENOSPC) {
+ priv->def_counter[port] = idx;
++ err = 0;
+ } else if (err == -ENOENT) {
+ err = 0;
+ continue;
+@@ -2344,7 +2345,8 @@ int mlx4_counter_alloc(struct mlx4_dev *
+ MLX4_CMD_TIME_CLASS_A, MLX4_CMD_WRAPPED);
+ if (!err)
+ *idx = get_param_l(&out_param);
+-
++ if (WARN_ON(err == -ENOSPC))
++ err = -EINVAL;
+ return err;
+ }
+ return __mlx4_counter_alloc(dev, idx);
diff --git a/queue-4.4/sch_choke-avoid-potential-panic-in-choke_reset.patch b/queue-4.4/sch_choke-avoid-potential-panic-in-choke_reset.patch
new file mode 100644
index 00000000000..bb9103a6768
--- /dev/null
+++ b/queue-4.4/sch_choke-avoid-potential-panic-in-choke_reset.patch
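Review bot: In the second hunk of the mlx4 patch, `if (WARN_ON(err == -ENOSPC))` in mlx4_counter_alloc() prints a full warning with a stack trace on every occurrence, and on hosts that run with panic_on_warn it stops the machine. The commit message says mlx4_cmd_imm() cannot return ENOSPC, but the value appears to come from a command response rather than from local state, so I would bound the cost with `if (WARN_ON_ONCE(err == -ENOSPC))`. A short comment at the check, such as `/* -ENOSPC means "sink counter in use" to callers; never pass it through from the command path */`, would also tell the reader why the error is rewritten to -EINVAL. Both functions begin and end outside the hunks shown.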
@@ -0,0 +1,69 @@
+From foo@baz Tue 12 May 2020 11:40:03 AM CEST
+From: Eric Dumazet
+Date: Sat, 25 Apr 2020 15:19:51 -0700
+Subject: sch_choke: avoid potential panic in choke_reset()
+
+From: Eric Dumazet
+
+[ Upstream commit 8738c85c72b3108c9b9a369a39868ba5f8e10ae0 ]
+
+If choke_init() could not allocate q->tab, we would crash later
+in choke_reset().
+
+BUG: KASAN: null-ptr-deref in memset include/linux/string.h:366 [inline]
+BUG: KASAN: null-ptr-deref in choke_reset+0x208/0x340 net/sched/sch_choke.c:326
+Write of size 8 at addr 0000000000000000 by task syz-executor822/7022
+
+CPU: 1 PID: 7022 Comm: syz-executor822 Not tainted 5.7.0-rc1-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x188/0x20d lib/dump_stack.c:118
+ __kasan_report.cold+0x5/0x4d mm/kasan/report.c:515
+ kasan_report+0x33/0x50 mm/kasan/common.c:625
+ check_memory_region_inline mm/kasan/generic.c:187 [inline]
+ check_memory_region+0x141/0x190 mm/kasan/generic.c:193
+ memset+0x20/0x40 mm/kasan/common.c:85
+ memset include/linux/string.h:366 [inline]
+ choke_reset+0x208/0x340 net/sched/sch_choke.c:326
+ qdisc_reset+0x6b/0x520 net/sched/sch_generic.c:910
+ dev_deactivate_queue.constprop.0+0x13c/0x240 net/sched/sch_generic.c:1138
+ netdev_for_each_tx_queue include/linux/netdevice.h:2197 [inline]
+ dev_deactivate_many+0xe2/0xba0 net/sched/sch_generic.c:1195
+ dev_deactivate+0xf8/0x1c0 net/sched/sch_generic.c:1233
+ qdisc_graft+0xd25/0x1120 net/sched/sch_api.c:1051
+ tc_modify_qdisc+0xbab/0x1a00 net/sched/sch_api.c:1670
+ rtnetlink_rcv_msg+0x44e/0xad0 net/core/rtnetlink.c:5454
+ netlink_rcv_skb+0x15a/0x410 net/netlink/af_netlink.c:2469
+ netlink_unicast_kernel net/netlink/af_netlink.c:1303 [inline]
+ netlink_unicast+0x537/0x740 net/netlink/af_netlink.c:1329
+ netlink_sendmsg+0x882/0xe10 net/netlink/af_netlink.c:1918
+ sock_sendmsg_nosec net/socket.c:652 [inline]
+ sock_sendmsg+0xcf/0x120 net/socket.c:672
+ ____sys_sendmsg+0x6bf/0x7e0 net/socket.c:2362
+ ___sys_sendmsg+0x100/0x170 net/socket.c:2416
+ __sys_sendmsg+0xec/0x1b0 net/socket.c:2449
+ do_syscall_64+0xf6/0x7d0 arch/x86/entry/common.c:295
+
+Fixes: 77e62da6e60c ("sch_choke: drop all packets in queue during reset")
+Signed-off-by: Eric Dumazet
+Reported-by: syzbot
+Cc: Cong Wang
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/sched/sch_choke.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/sched/sch_choke.c
++++ b/net/sched/sch_choke.c
+@@ -396,7 +396,8 @@ static void choke_reset(struct Qdisc *sc
+ qdisc_drop(skb, sch);
+ }
+
+- memset(q->tab, 0, (q->tab_mask + 1) * sizeof(struct sk_buff *));
++ if (q->tab)
++ memset(q->tab, 0, (q->tab_mask + 1) * sizeof(struct sk_buff *));
+ q->head = q->tail = 0;
+ red_restart(&q->vars);
+ }
diff --git a/queue-4.4/sch_sfq-validate-silly-quantum-values.patch b/queue-4.4/sch_sfq-validate-silly-quantum-values.patch
new file mode 100644
index 00000000000..746cf755bfe
--- /dev/null
+++ b/queue-4.4/sch_sfq-validate-silly-quantum-values.patch
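Review bot: The new `if (q->tab)` guard in choke_reset() carries no comment saying when q->tab can be NULL, so a later cleanup could remove it as redundant. The commit message gives the reason (choke_init() failed to allocate the table and reset still runs on that qdisc); I would record it at the check, e.g. `/* q->tab is NULL when choke_init() failed to allocate it */`. The loop just above the guard is only partly visible here; presumably it is skipped in that state because head and tail are both zero, which is worth confirming since it also indexes q->tab. choke_reset() starts outside the hunk.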
@@ -0,0 +1,47 @@
+From foo@baz Tue 12 May 2020 11:40:03 AM CEST
+From: Eric Dumazet
+Date: Sun, 26 Apr 2020 18:19:07 -0700
+Subject: sch_sfq: validate silly quantum values
+
+From: Eric Dumazet
+
+[ Upstream commit df4953e4e997e273501339f607b77953772e3559 ]
+
+syzbot managed to set up sfq so that q->scaled_quantum was zero,
+triggering an infinite loop in sfq_dequeue()
+
+More generally, we must only accept quantum between 1 and 2^18 - 7,
+meaning scaled_quantum must be in [1, 0x7FFF] range.
+
+Otherwise, we also could have a loop in sfq_dequeue()
+if scaled_quantum happens to be 0x8000, since slot->allot
+could indefinitely switch between 0 and 0x8000.
+
+Fixes: eeaeb068f139 ("sch_sfq: allow big packets and be fair")
+Signed-off-by: Eric Dumazet
+Reported-by: syzbot+0251e883fe39e7a0cb0a@syzkaller.appspotmail.com
+Cc: Jason A. Donenfeld
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/sched/sch_sfq.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/net/sched/sch_sfq.c
++++ b/net/sched/sch_sfq.c
+@@ -635,6 +635,15 @@ static int sfq_change(struct Qdisc *sch,
+ if (ctl->divisor &&
+ (!is_power_of_2(ctl->divisor) || ctl->divisor > 65536))
+ return -EINVAL;
++
++ /* slot->allot is a short, make sure quantum is not too big. */
++ if (ctl->quantum) {
++ unsigned int scaled = SFQ_ALLOT_SIZE(ctl->quantum);
++
++ if (scaled <= 0 || scaled > SHRT_MAX)
++ return -EINVAL;
++ }
++
+ if (ctl_v1 && !red_check_params(ctl_v1->qth_min, ctl_v1->qth_max,
+ ctl_v1->Wlog))
+ return -EINVAL;
diff --git a/queue-4.4/series b/queue-4.4/series
index e43f1955984..398a9123587 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
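Review bot: `scaled` is declared `unsigned int` in the block added to sfq_change(), so the `scaled <= 0` half of the range check can only ever mean `scaled == 0`, yet it reads as if a negative value were possible. Writing it as `if (!scaled || scaled > SHRT_MAX)` states the accepted range [1, 0x7FFF] from the commit message directly. The check is skipped when ctl->quantum is zero; presumably zero means "keep the current quantum", and a few words to that effect in the existing comment would help the next reader. sfq_change() begins and ends outside the hunk.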
@@ -1,2 +1,6 @@
 usb-serial-qcserial-add-dw5816e-support.patch
 revert-net-phy-avoid-polling-phy-with-phy_ignore_interrupts.patch
+dp83640-reverse-arguments-to-list_add_tail.patch
+net-mlx4_core-fix-use-of-enospc-around-mlx4_counter_alloc.patch
+sch_sfq-validate-silly-quantum-values.patch
+sch_choke-avoid-potential-panic-in-choke_reset.patch
-- 2.47.3