From 823ba677e63ae1c27d592359e13f3bb05d1b3e64 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Sun, 13 Jan 2019 08:04:41 +0100
Subject: [PATCH] 4.19-stable patches
added patches:
bnx2x-fix-null-pointer-dereference-in-bnx2x_del_all_vlans-on-some-hw.patch
---
 ...ce-in-bnx2x_del_all_vlans-on-some-hw.patch | 105 ++++++++++++++++++
 queue-4.19/series | 1 +
 2 files changed, 106 insertions(+)
 create mode 100644 queue-4.19/bnx2x-fix-null-pointer-dereference-in-bnx2x_del_all_vlans-on-some-hw.patch
diff --git a/queue-4.19/bnx2x-fix-null-pointer-dereference-in-bnx2x_del_all_vlans-on-some-hw.patch b/queue-4.19/bnx2x-fix-null-pointer-dereference-in-bnx2x_del_all_vlans-on-some-hw.patch
new file mode 100644
index 00000000000..9e4b7c2d206
--- /dev/null
+++ b/queue-4.19/bnx2x-fix-null-pointer-dereference-in-bnx2x_del_all_vlans-on-some-hw.patch
@@ -0,0 +1,105 @@
+From 38355a5f9a22bfa5bd5b1bb79805aca39fa53729 Mon Sep 17 00:00:00 2001
+From: Ivan Mironov
+Date: Mon, 24 Dec 2018 20:13:05 +0500
+Subject: bnx2x: Fix NULL pointer dereference in bnx2x_del_all_vlans() on some hw
+
+From: Ivan Mironov
+
+commit 38355a5f9a22bfa5bd5b1bb79805aca39fa53729 upstream.
+
+This happened when I tried to boot normal Fedora 29 system with latest
+available kernel (from fedora rawhide, plus some unrelated custom
+patches):
+
+ BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
+ PGD 0 P4D 0
+ Oops: 0010 [#1] SMP PTI
+ CPU: 6 PID: 1422 Comm: libvirtd Tainted: G I 4.20.0-0.rc7.git3.hpsa2.1.fc29.x86_64 #1
+ Hardware name: HP ProLiant BL460c G6, BIOS I24 05/21/2018
+ RIP: 0010: (null)
+ Code: Bad RIP value.
+ RSP: 0018:ffffa47ccdc9fbe0 EFLAGS: 00010246
+ RAX: 0000000000000000 RBX: 00000000000003e8 RCX: ffffa47ccdc9fbf8
+ RDX: ffffa47ccdc9fc00 RSI: ffff97d9ee7b01f8 RDI: ffff97d9f0150b80
+ RBP: ffff97d9f0150b80 R08: 0000000000000000 R09: 0000000000000000
+ R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000003
+ R13: ffff97d9ef1e53e8 R14: 0000000000000009 R15: ffff97d9f0ac6730
+ FS: 00007f4d224ef700(0000) GS:ffff97d9fa200000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: ffffffffffffffd6 CR3: 00000011ece52006 CR4: 00000000000206e0
+ Call Trace:
+ ? bnx2x_chip_cleanup+0x195/0x610 [bnx2x]
+ ? bnx2x_nic_unload+0x1e2/0x8f0 [bnx2x]
+ ? bnx2x_reload_if_running+0x24/0x40 [bnx2x]
+ ? bnx2x_set_features+0x79/0xa0 [bnx2x]
+ ? __netdev_update_features+0x244/0x9e0
+ ? netlink_broadcast_filtered+0x136/0x4b0
+ ? netdev_update_features+0x22/0x60
+ ? dev_disable_lro+0x1c/0xe0
+ ? devinet_sysctl_forward+0x1c6/0x211
+ ? proc_sys_call_handler+0xab/0x100
+ ? __vfs_write+0x36/0x1a0
+ ? rcu_read_lock_sched_held+0x79/0x80
+ ? rcu_sync_lockdep_assert+0x2e/0x60
+ ? __sb_start_write+0x14c/0x1b0
+ ? vfs_write+0x159/0x1c0
+ ? vfs_write+0xba/0x1c0
+ ? ksys_write+0x52/0xc0
+ ?
do_syscall_64+0x60/0x1f0
+ ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+After some investigation I figured out that recently added cleanup code
+tries to call VLAN filtering de-initialization function which exist only
+for newer hardware. Corresponding function pointer is not
+set (== 0) for older hardware, namely these chips:
+
+ #define CHIP_NUM_57710 0x164e
+ #define CHIP_NUM_57711 0x164f
+ #define CHIP_NUM_57711E 0x1650
+
+And I have one of those in my test system:
+
+ Broadcom Inc. and subsidiaries NetXtreme II BCM57711E 10-Gigabit PCIe [14e4:1650]
+
+Function bnx2x_init_vlan_mac_fp_objs() from
+drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h decides whether to
+initialize relevant pointers in bnx2x_sp_objs.vlan_obj or not.
+
+This regression was introduced after v4.20-rc7, and still exists in v4.20
+release.
+
+Fixes: 04f05230c5c13 ("bnx2x: Remove configured vlans as part of unload sequence.")
+Signed-off-by: Ivan Mironov
+Signed-off-by: Ivan Mironov
+Acked-by: Sudarsana Kalluru
+Signed-off-by: David S. Miller
+Cc: Sudip Mukherjee
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c
++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c
+@@ -9347,10 +9347,16 @@ void bnx2x_chip_cleanup(struct bnx2x *bp
+ BNX2X_ERR("Failed to schedule DEL commands for UC MACs list: %d\n",
+ rc);
+
+- /* Remove all currently configured VLANs */
+- rc = bnx2x_del_all_vlans(bp);
+- if (rc < 0)
+- BNX2X_ERR("Failed to delete all VLANs\n");
++ /* The whole *vlan_obj structure may be not initialized if VLAN
++ * filtering offload is not supported by hardware. Currently this is
++ * true for all hardware covered by CHIP_IS_E1x().
++ */
++ if (!CHIP_IS_E1x(bp)) {
++ /* Remove all currently configured VLANs */
++ rc = bnx2x_del_all_vlans(bp);
++ if (rc < 0)
++ BNX2X_ERR("Failed to delete all VLANs\n");
++ }
+
+ /* Disable LLH */
+ if (!CHIP_IS_E1(bp))
diff --git a/queue-4.19/series b/queue-4.19/series
index a656ce500ae..cb549109196 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -146,3 +146,4 @@ drm-nouveau-drm-nouveau-check-rc-from-drm_dp_mst_topology_mgr_resume.patch
 drm-vc4-set-is_yuv-to-false-when-num_planes-1.patch
 drm-rockchip-psr-do-not-dereference-encoder-before-it-is-null-checked.patch
 drm-amd-display-fix-unintialized-max_bpc-state-values.patch
+bnx2x-fix-null-pointer-dereference-in-bnx2x_del_all_vlans-on-some-hw.patch
--
2.47.3
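Review bot: The new guard `if (!CHIP_IS_E1x(bp))` keys off the chip generation, while the description says the real condition is whether bnx2x_init_vlan_mac_fp_objs() in bnx2x_cmn.h populated bnx2x_sp_objs.vlan_obj; the two are coupled only by convention, so a later change to that helper would silently reopen the NULL dereference at this call site. A self-describing guard would test the object state that bnx2x_del_all_vlans() actually dereferences, or at minimum the new comment should name the helper: `* See bnx2x_init_vlan_mac_fp_objs() in bnx2x_cmn.h, which decides whether vlan_obj is set up; keep the two conditions in sync.` Any other caller of bnx2x_del_all_vlans(), if one exists, is still unprotected, which suggests the check belongs inside that function rather than here. The comment's `may be not initialized` reads better as `may not be initialized`. The enclosing bnx2x_chip_cleanup() starts and ends outside the hunk.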