authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>2019-12-28 06:51:44 -0500
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2019-12-28 06:51:44 -0500
commit29cc65a8d97cc664a2ff985703a1a5b61472f307 (patch)
treee7693355f7312b743d37e8e62fcaafa85f44ed05
parenta7d9774c8cebab9b3755a10a320fb45499cb6ee3 (diff)
more patches
-rw-r--r--af_packet-set-defaule-value-for-tmo.patch54
-rw-r--r--mod_devicetable-fix-phy-module-format.patch43
-rw-r--r--net-qlogic-fix-error-paths-in-ql_alloc_large_buffers.patch76
-rw-r--r--sctp-fully-initialize-v4-addr-in-some-functions.patch99
-rw-r--r--series4
5 files changed, 276 insertions, 0 deletions
diff --git a/af_packet-set-defaule-value-for-tmo.patch b/af_packet-set-defaule-value-for-tmo.patch
new file mode 100644
index 0000000..badf7ba
--- /dev/null
+++ b/af_packet-set-defaule-value-for-tmo.patch
@@ -0,0 +1,54 @@
+From foo@baz Sat 28 Dec 2019 06:10:39 AM EST
+From: Mao Wenan <maowenan@huawei.com>
+Date: Mon, 9 Dec 2019 21:31:25 +0800
+Subject: af_packet: set defaule value for tmo
+
+From: Mao Wenan <maowenan@huawei.com>
+
+[ Upstream commit b43d1f9f7067c6759b1051e8ecb84e82cef569fe ]
+
+There is softlockup when using TPACKET_V3:
+...
+NMI watchdog: BUG: soft lockup - CPU#2 stuck for 60010ms!
+(__irq_svc) from [<c0558a0c>] (_raw_spin_unlock_irqrestore+0x44/0x54)
+(_raw_spin_unlock_irqrestore) from [<c027b7e8>] (mod_timer+0x210/0x25c)
+(mod_timer) from [<c0549c30>]
+(prb_retire_rx_blk_timer_expired+0x68/0x11c)
+(prb_retire_rx_blk_timer_expired) from [<c027a7ac>]
+(call_timer_fn+0x90/0x17c)
+(call_timer_fn) from [<c027ab6c>] (run_timer_softirq+0x2d4/0x2fc)
+(run_timer_softirq) from [<c021eaf4>] (__do_softirq+0x218/0x318)
+(__do_softirq) from [<c021eea0>] (irq_exit+0x88/0xac)
+(irq_exit) from [<c0240130>] (msa_irq_exit+0x11c/0x1d4)
+(msa_irq_exit) from [<c0209cf0>] (handle_IPI+0x650/0x7f4)
+(handle_IPI) from [<c02015bc>] (gic_handle_irq+0x108/0x118)
+(gic_handle_irq) from [<c0558ee4>] (__irq_usr+0x44/0x5c)
+...
+
+If __ethtool_get_link_ksettings() is failed in
+prb_calc_retire_blk_tmo(), msec and tmo will be zero, so tov_in_jiffies
+is zero and the timer expire for retire_blk_timer is turn to
+mod_timer(&pkc->retire_blk_timer, jiffies + 0),
+which will trigger cpu usage of softirq is 100%.
+
+Fixes: f6fb8f100b80 ("af-packet: TPACKET_V3 flexible buffer implementation.")
+Tested-by: Xiao Jiangfeng <xiaojiangfeng@huawei.com>
+Signed-off-by: Mao Wenan <maowenan@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/packet/af_packet.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -584,7 +584,8 @@ static int prb_calc_retire_blk_tmo(struc
+ msec = 1;
+ div = speed / 1000;
+ }
+- }
++ } else
++ return DEFAULT_PRB_RETIRE_TOV;
+
+ mbits = (blk_size_in_bytes * 8) / (1024 * 1024);
+
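Review bot: The added `else` arm in the embedded af_packet.c hunk is unbraced while the `if` arm it closes is braced; kernel coding style wants braces on both arms, so it would read `} else {`, `return DEFAULT_PRB_RETIRE_TOV;`, `}`. The message explains that a zero result makes the retire timer re-arm at `jiffies + 0` and pins a CPU in softirq. The rest of prb_calc_retire_blk_tmo() is outside the hunk, so it cannot be confirmed from here that no other path returns 0. If the tail does not already exclude it, a final `if (!tmo) return DEFAULT_PRB_RETIRE_TOV;` would be a cheap backstop against the same lockup.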
diff --git a/mod_devicetable-fix-phy-module-format.patch b/mod_devicetable-fix-phy-module-format.patch
new file mode 100644
index 0000000..00cd8ad
--- /dev/null
+++ b/mod_devicetable-fix-phy-module-format.patch
@@ -0,0 +1,43 @@
+From foo@baz Sat 28 Dec 2019 06:10:39 AM EST
+From: Russell King <rmk+kernel@armlinux.org.uk>
+Date: Thu, 19 Dec 2019 23:24:47 +0000
+Subject: mod_devicetable: fix PHY module format
+
+From: Russell King <rmk+kernel@armlinux.org.uk>
+
+[ Upstream commit d2ed49cf6c13e379c5819aa5ac20e1f9674ebc89 ]
+
+When a PHY is probed, if the top bit is set, we end up requesting a
+module with the string "mdio:-10101110000000100101000101010001" -
+the top bit is printed to a signed -1 value. This leads to the module
+not being loaded.
+
+Fix the module format string and the macro generating the values for
+it to ensure that we only print unsigned types and the top bit is
+always 0/1. We correctly end up with
+"mdio:10101110000000100101000101010001".
+
+Fixes: 8626d3b43280 ("phylib: Support phy module autoloading")
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/mod_devicetable.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/include/linux/mod_devicetable.h
++++ b/include/linux/mod_devicetable.h
+@@ -497,9 +497,9 @@ struct platform_device_id {
+
+ #define MDIO_MODULE_PREFIX "mdio:"
+
+-#define MDIO_ID_FMT "%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d"
++#define MDIO_ID_FMT "%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u"
+ #define MDIO_ID_ARGS(_id) \
+- (_id)>>31, ((_id)>>30) & 1, ((_id)>>29) & 1, ((_id)>>28) & 1, \
++ ((_id)>>31) & 1, ((_id)>>30) & 1, ((_id)>>29) & 1, ((_id)>>28) & 1, \
+ ((_id)>>27) & 1, ((_id)>>26) & 1, ((_id)>>25) & 1, ((_id)>>24) & 1, \
+ ((_id)>>23) & 1, ((_id)>>22) & 1, ((_id)>>21) & 1, ((_id)>>20) & 1, \
+ ((_id)>>19) & 1, ((_id)>>18) & 1, ((_id)>>17) & 1, ((_id)>>16) & 1, \
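Review bot: Whether MDIO_ID_ARGS really yields unsigned values for the new `%u` conversions still depends on the type of the caller's `_id`, because the macro masks each shifted bit but never converts the operand. The `-1` described in the message suggests at least one caller passes a signed value, in which case `((_id)>>31) & 1` is still an `int` expression. Casting inside the macro, e.g. `((u32)(_id) >> 31) & 1` on each term, would make the format and arguments agree regardless of the caller. `_id` is also expanded 32 times, so a comment such as `/* _id is evaluated 32 times: pass a side-effect-free expression */` above the macro would help. The macro body continues past the end of this hunk.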
diff --git a/net-qlogic-fix-error-paths-in-ql_alloc_large_buffers.patch b/net-qlogic-fix-error-paths-in-ql_alloc_large_buffers.patch
new file mode 100644
index 0000000..3a937b3
--- /dev/null
+++ b/net-qlogic-fix-error-paths-in-ql_alloc_large_buffers.patch
@@ -0,0 +1,76 @@
+From foo@baz Sat 28 Dec 2019 06:10:39 AM EST
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Tue, 17 Dec 2019 01:57:40 +0000
+Subject: net: qlogic: Fix error paths in ql_alloc_large_buffers()
+
+From: Ben Hutchings <ben@decadent.org.uk>
+
+[ Upstream commit cad46039e4c99812db067c8ac22a864960e7acc4 ]
+
+ql_alloc_large_buffers() has the usual RX buffer allocation
+loop where it allocates skbs and maps them for DMA. It also
+treats failure as a fatal error.
+
+There are (at least) three bugs in the error paths:
+
+1. ql_free_large_buffers() assumes that the lrg_buf[] entry for the
+first buffer that couldn't be allocated will have .skb == NULL.
+But the qla_buf[] array is not zero-initialised.
+
+2. ql_free_large_buffers() DMA-unmaps all skbs in lrg_buf[]. This is
+incorrect for the last allocated skb, if DMA mapping failed.
+
+3. Commit 1acb8f2a7a9f ("net: qlogic: Fix memory leak in
+ql_alloc_large_buffers") added a direct call to dev_kfree_skb_any()
+after the skb is recorded in lrg_buf[], so ql_free_large_buffers()
+will double-free it.
+
+The bugs are somewhat inter-twined, so fix them all at once:
+
+* Clear each entry in qla_buf[] before attempting to allocate
+ an skb for it. This goes half-way to fixing bug 1.
+* Set the .skb field only after the skb is DMA-mapped. This
+ fixes the rest.
+
+Fixes: 1357bfcf7106 ("qla3xxx: Dynamically size the rx buffer queue ...")
+Fixes: 0f8ab89e825f ("qla3xxx: Check return code from pci_map_single() ...")
+Fixes: 1acb8f2a7a9f ("net: qlogic: Fix memory leak in ql_alloc_large_buffers")
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/qlogic/qla3xxx.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/ethernet/qlogic/qla3xxx.c
++++ b/drivers/net/ethernet/qlogic/qla3xxx.c
+@@ -2756,6 +2756,9 @@ static int ql_alloc_large_buffers(struct
+ int err;
+
+ for (i = 0; i < qdev->num_large_buffers; i++) {
++ lrg_buf_cb = &qdev->lrg_buf[i];
++ memset(lrg_buf_cb, 0, sizeof(struct ql_rcv_buf_cb));
++
+ skb = netdev_alloc_skb(qdev->ndev,
+ qdev->lrg_buffer_len);
+ if (unlikely(!skb)) {
+@@ -2766,11 +2769,7 @@ static int ql_alloc_large_buffers(struct
+ ql_free_large_buffers(qdev);
+ return -ENOMEM;
+ } else {
+-
+- lrg_buf_cb = &qdev->lrg_buf[i];
+- memset(lrg_buf_cb, 0, sizeof(struct ql_rcv_buf_cb));
+ lrg_buf_cb->index = i;
+- lrg_buf_cb->skb = skb;
+ /*
+ * We save some space to copy the ethhdr from first
+ * buffer
+@@ -2792,6 +2791,7 @@ static int ql_alloc_large_buffers(struct
+ return -ENOMEM;
+ }
+
++ lrg_buf_cb->skb = skb;
+ dma_unmap_addr_set(lrg_buf_cb, mapaddr, map);
+ dma_unmap_len_set(lrg_buf_cb, maplen,
+ qdev->lrg_buffer_len -
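Review bot: The relocated `lrg_buf_cb->skb = skb;` in the embedded qla3xxx.c hunk carries the whole double-free and bad-unmap fix but has no comment, so a later cleanup could move it back above the mapping call. I would add `/* Record the skb only after it is DMA-mapped: ql_free_large_buffers() frees and unmaps every entry with .skb set */` directly above it. With the skb no longer recorded on mapping failure, that error branch has to free it itself. The message says an earlier commit added that `dev_kfree_skb_any()` call, but the branch is only partly visible here, so it is worth confirming it is still present in this tree. As a style point, the moved line could be `memset(lrg_buf_cb, 0, sizeof(*lrg_buf_cb));` so the size follows the pointer's type.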
diff --git a/sctp-fully-initialize-v4-addr-in-some-functions.patch b/sctp-fully-initialize-v4-addr-in-some-functions.patch
new file mode 100644
index 0000000..abdb2e7
--- /dev/null
+++ b/sctp-fully-initialize-v4-addr-in-some-functions.patch
@@ -0,0 +1,99 @@
+From foo@baz Sat 28 Dec 2019 06:10:39 AM EST
+From: Xin Long <lucien.xin@gmail.com>
+Date: Mon, 9 Dec 2019 13:45:54 +0800
+Subject: sctp: fully initialize v4 addr in some functions
+
+From: Xin Long <lucien.xin@gmail.com>
+
+[ Upstream commit b6f3320b1d5267e7b583a6d0c88dda518101740c ]
+
+Syzbot found a crash:
+
+ BUG: KMSAN: uninit-value in crc32_body lib/crc32.c:112 [inline]
+ BUG: KMSAN: uninit-value in crc32_le_generic lib/crc32.c:179 [inline]
+ BUG: KMSAN: uninit-value in __crc32c_le_base+0x4fa/0xd30 lib/crc32.c:202
+ Call Trace:
+ crc32_body lib/crc32.c:112 [inline]
+ crc32_le_generic lib/crc32.c:179 [inline]
+ __crc32c_le_base+0x4fa/0xd30 lib/crc32.c:202
+ chksum_update+0xb2/0x110 crypto/crc32c_generic.c:90
+ crypto_shash_update+0x4c5/0x530 crypto/shash.c:107
+ crc32c+0x150/0x220 lib/libcrc32c.c:47
+ sctp_csum_update+0x89/0xa0 include/net/sctp/checksum.h:36
+ __skb_checksum+0x1297/0x12a0 net/core/skbuff.c:2640
+ sctp_compute_cksum include/net/sctp/checksum.h:59 [inline]
+ sctp_packet_pack net/sctp/output.c:528 [inline]
+ sctp_packet_transmit+0x40fb/0x4250 net/sctp/output.c:597
+ sctp_outq_flush_transports net/sctp/outqueue.c:1146 [inline]
+ sctp_outq_flush+0x1823/0x5d80 net/sctp/outqueue.c:1194
+ sctp_outq_uncork+0xd0/0xf0 net/sctp/outqueue.c:757
+ sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1781 [inline]
+ sctp_side_effects net/sctp/sm_sideeffect.c:1184 [inline]
+ sctp_do_sm+0x8fe1/0x9720 net/sctp/sm_sideeffect.c:1155
+ sctp_primitive_REQUESTHEARTBEAT+0x175/0x1a0 net/sctp/primitive.c:185
+ sctp_apply_peer_addr_params+0x212/0x1d40 net/sctp/socket.c:2433
+ sctp_setsockopt_peer_addr_params net/sctp/socket.c:2686 [inline]
+ sctp_setsockopt+0x189bb/0x19090 net/sctp/socket.c:4672
+
+The issue was caused by transport->ipaddr set with uninit addr param, which
+was passed by:
+
+ sctp_transport_init net/sctp/transport.c:47 [inline]
+ sctp_transport_new+0x248/0xa00 net/sctp/transport.c:100
+ sctp_assoc_add_peer+0x5ba/0x2030 net/sctp/associola.c:611
+ sctp_process_param net/sctp/sm_make_chunk.c:2524 [inline]
+
+where 'addr' is set by sctp_v4_from_addr_param(), and it doesn't initialize
+the padding of addr->v4.
+
+Later when calling sctp_make_heartbeat(), hbinfo.daddr(=transport->ipaddr)
+will become the part of skb, and the issue occurs.
+
+This patch is to fix it by initializing the padding of addr->v4 in
+sctp_v4_from_addr_param(), as well as other functions that do the similar
+thing, and these functions shouldn't trust that the caller initializes the
+memory, as Marcelo suggested.
+
+Reported-by: syzbot+6dcbfea81cd3d4dd0b02@syzkaller.appspotmail.com
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Acked-by: Neil Horman <nhorman@tuxdriver.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sctp/protocol.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/net/sctp/protocol.c
++++ b/net/sctp/protocol.c
+@@ -253,6 +253,7 @@ static void sctp_v4_from_sk(union sctp_a
+ addr->v4.sin_family = AF_INET;
+ addr->v4.sin_port = 0;
+ addr->v4.sin_addr.s_addr = inet_sk(sk)->inet_rcv_saddr;
++ memset(addr->v4.sin_zero, 0, sizeof(addr->v4.sin_zero));
+ }
+
+ /* Initialize sk->sk_rcv_saddr from sctp_addr. */
+@@ -275,6 +276,7 @@ static void sctp_v4_from_addr_param(unio
+ addr->v4.sin_family = AF_INET;
+ addr->v4.sin_port = port;
+ addr->v4.sin_addr.s_addr = param->v4.addr.s_addr;
++ memset(addr->v4.sin_zero, 0, sizeof(addr->v4.sin_zero));
+ }
+
+ /* Initialize an address parameter from a sctp_addr and return the length
+@@ -299,6 +301,7 @@ static void sctp_v4_dst_saddr(union sctp
+ saddr->v4.sin_family = AF_INET;
+ saddr->v4.sin_port = port;
+ saddr->v4.sin_addr.s_addr = fl4->saddr;
++ memset(saddr->v4.sin_zero, 0, sizeof(saddr->v4.sin_zero));
+ }
+
+ /* Compare two addresses exactly. */
+@@ -321,6 +324,7 @@ static void sctp_v4_inaddr_any(union sct
+ addr->v4.sin_family = AF_INET;
+ addr->v4.sin_addr.s_addr = htonl(INADDR_ANY);
+ addr->v4.sin_port = port;
++ memset(addr->v4.sin_zero, 0, sizeof(addr->v4.sin_zero));
+ }
+
+ /* Is this a wildcard address? */
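Review bot: Clearing only `sin_zero` in sctp_v4_from_sk(), sctp_v4_from_addr_param(), sctp_v4_dst_saddr() and sctp_v4_inaddr_any() covers the padding inside the v4 member, but the hunk headers show the argument is a union. If another member of that union is larger than `v4`, the bytes past `sin_zero` keep whatever the caller left. The message says the address is later copied into a heartbeat skb, so such bytes could still go out on the wire. A `memset(addr, 0, sizeof(*addr));` at the top of each helper (`saddr` in sctp_v4_dst_saddr()) would cover the whole object and replace the per-field `sin_zero` memset. The starts of these functions are outside the hunks, so check that none of them reads a field of `addr` before assigning it.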
diff --git a/series b/series
index 39d0dee..99359ac 100644
--- a/series
+++ b/series
@@ -68,3 +68,7 @@ alsa-pcm-avoid-possible-info-leaks-from-pcm-stream-buffers.patch
alsa-hda-ca0132-keep-power-on-during-processing-dsp-response.patch
alsa-hda-ca0132-avoid-endless-loop.patch
+af_packet-set-defaule-value-for-tmo.patch
+mod_devicetable-fix-phy-module-format.patch
+net-qlogic-fix-error-paths-in-ql_alloc_large_buffers.patch
+sctp-fully-initialize-v4-addr-in-some-functions.patch