diff options
author | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2019-08-08 10:12:42 +0200 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2019-08-08 10:12:42 +0200 |
commit | 3aba88b949a03bc08dd49357e4a1d77a1f97ac42 (patch) | |
tree | 817a642c5759aea4a34a54b11f90df64f2952093 | |
parent | 391d2f4131e7277a97c8c7fd3df69dee7e05d1cf (diff) | |
download | queue-3.18-3aba88b949a03bc08dd49357e4a1d77a1f97ac42.tar.gz |
more patches
-rw-r--r-- | bnx2x-disable-multi-cos-feature.patch | 35 | ||||
-rw-r--r-- | net-bridge-delete-local-fdb-on-device-init-failure.patch | 45 | ||||
-rw-r--r-- | net-fix-ifindex-collision-during-namespace-removal.patch | 132 | ||||
-rw-r--r-- | net-sched-fix-a-possible-null-pointer-dereference-in-dequeue_func.patch | 43 | ||||
-rw-r--r-- | series | 4 |
5 files changed, 259 insertions, 0 deletions
diff --git a/bnx2x-disable-multi-cos-feature.patch b/bnx2x-disable-multi-cos-feature.patch new file mode 100644 index 0000000..1de21c6 --- /dev/null +++ b/bnx2x-disable-multi-cos-feature.patch @@ -0,0 +1,35 @@ +From foo@baz Thu 08 Aug 2019 08:59:04 AM CEST +From: Sudarsana Reddy Kalluru <skalluru@marvell.com> +Date: Tue, 23 Jul 2019 19:32:41 -0700 +Subject: bnx2x: Disable multi-cos feature. + +From: Sudarsana Reddy Kalluru <skalluru@marvell.com> + +[ Upstream commit d1f0b5dce8fda09a7f5f04c1878f181d548e42f5 ] + +Commit 3968d38917eb ("bnx2x: Fix Multi-Cos.") which enabled multi-cos +feature after prolonged time in driver added some regression causing +numerous issues (sudden reboots, tx timeout etc.) reported by customers. +We plan to backout this commit and submit proper fix once we have root +cause of issues reported with this feature enabled. + +Fixes: 3968d38917eb ("bnx2x: Fix Multi-Cos.") +Signed-off-by: Sudarsana Reddy Kalluru <skalluru@marvell.com> +Signed-off-by: Manish Chopra <manishc@marvell.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c ++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c +@@ -1937,7 +1937,7 @@ u16 bnx2x_select_queue(struct net_device + } + + /* select a non-FCoE queue */ +- return fallback(dev, skb) % (BNX2X_NUM_ETH_QUEUES(bp) * bp->max_cos); ++ return fallback(dev, skb) % (BNX2X_NUM_ETH_QUEUES(bp)); + } + + void bnx2x_set_num_queues(struct bnx2x *bp) diff --git a/net-bridge-delete-local-fdb-on-device-init-failure.patch b/net-bridge-delete-local-fdb-on-device-init-failure.patch new file mode 100644 index 0000000..22bc67b --- /dev/null +++ b/net-bridge-delete-local-fdb-on-device-init-failure.patch @@ -0,0 +1,45 @@ +From foo@baz Thu 08 Aug 2019 09:48:28 AM CEST +From: Nikolay Aleksandrov <nikolay@cumulusnetworks.com> +Date: Mon, 29 Jul 2019 12:28:41 +0300 +Subject: net: bridge: delete local fdb on device init failure + +From: Nikolay Aleksandrov <nikolay@cumulusnetworks.com> + +[ Upstream commit d7bae09fa008c6c9a489580db0a5a12063b97f97 ] + +On initialization failure we have to delete the local fdb which was +inserted due to the default pvid creation. This problem has been present +since the inception of default_pvid. Note that currently there are 2 cases: +1) in br_dev_init() when br_multicast_init() fails +2) if register_netdevice() fails after calling ndo_init() + +This patch takes care of both since br_vlan_flush() is called on both +occasions. Also the new fdb delete would be a no-op on normal bridge +device destruction since the local fdb would've been already flushed by +br_dev_delete(). This is not an issue for ports since nbp_vlan_init() is +called last when adding a port thus nothing can fail after it. + +Reported-by: syzbot+88533dc8b582309bf3ee@syzkaller.appspotmail.com +Fixes: 5be5a2df40f0 ("bridge: Add filtering support for default_pvid") +Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + net/bridge/br_vlan.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/net/bridge/br_vlan.c ++++ b/net/bridge/br_vlan.c +@@ -360,6 +360,12 @@ void br_vlan_flush(struct net_bridge *br + struct net_port_vlans *pv; + + ASSERT_RTNL(); ++ ++ /* delete auto-added default pvid local fdb before flushing vlans ++ * otherwise it will be leaked on bridge device init failure ++ */ ++ br_fdb_delete_by_port(br, NULL, 1); ++ + pv = rtnl_dereference(br->vlan_info); + if (!pv) + return; diff --git a/net-fix-ifindex-collision-during-namespace-removal.patch b/net-fix-ifindex-collision-during-namespace-removal.patch new file mode 100644 index 0000000..8c33a0c --- /dev/null +++ b/net-fix-ifindex-collision-during-namespace-removal.patch @@ -0,0 +1,132 @@ +From foo@baz Thu 08 Aug 2019 10:04:59 AM CEST +From: Jiri Pirko <jiri@mellanox.com> +Date: Sun, 28 Jul 2019 14:56:36 +0200 +Subject: net: fix ifindex collision during namespace removal + +From: Jiri Pirko <jiri@mellanox.com> + +[ Upstream commit 55b40dbf0e76b4bfb9d8b3a16a0208640a9a45df ] + +Commit aca51397d014 ("netns: Fix arbitrary net_device-s corruptions +on net_ns stop.") introduced a possibility to hit a BUG in case device +is returning back to init_net and two following conditions are met: +1) dev->ifindex value is used in a name of another "dev%d" + device in init_net. +2) dev->name is used by another device in init_net. + +Under real life circumstances this is hard to get. Therefore this has +been present happily for over 10 years. To reproduce: + +$ ip a +1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 + link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 + inet 127.0.0.1/8 scope host lo + valid_lft forever preferred_lft forever + inet6 ::1/128 scope host + valid_lft forever preferred_lft forever +2: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN group default qlen 1000 + link/ether 86:89:3f:86:61:29 brd ff:ff:ff:ff:ff:ff +3: enp0s2: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000 + link/ether 52:54:00:12:34:56 brd ff:ff:ff:ff:ff:ff +$ ip netns add ns1 +$ ip -n ns1 link add dummy1ns1 type dummy +$ ip -n ns1 link add dummy2ns1 type dummy +$ ip link set enp0s2 netns ns1 +$ ip -n ns1 link set enp0s2 name dummy0 +[ 100.858894] virtio_net virtio0 dummy0: renamed from enp0s2 +$ ip link add dev4 type dummy +$ ip -n ns1 a +1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN group default qlen 1000 + link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 +2: dummy1ns1: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN group default qlen 1000 + link/ether 16:63:4c:38:3e:ff brd ff:ff:ff:ff:ff:ff +3: dummy2ns1: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN group default qlen 1000 + link/ether aa:9e:86:dd:6b:5d brd ff:ff:ff:ff:ff:ff +4: dummy0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000 + link/ether 52:54:00:12:34:56 brd ff:ff:ff:ff:ff:ff +$ ip a +1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 + link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 + inet 127.0.0.1/8 scope host lo + valid_lft forever preferred_lft forever + inet6 ::1/128 scope host + valid_lft forever preferred_lft forever +2: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN group default qlen 1000 + link/ether 86:89:3f:86:61:29 brd ff:ff:ff:ff:ff:ff +4: dev4: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN group default qlen 1000 + link/ether 5a:e1:4a:b6:ec:f8 brd ff:ff:ff:ff:ff:ff +$ ip netns del ns1 +[ 158.717795] default_device_exit: failed to move dummy0 to init_net: -17 +[ 158.719316] ------------[ cut here ]------------ +[ 158.720591] kernel BUG at net/core/dev.c:9824! +[ 158.722260] invalid opcode: 0000 [#1] SMP KASAN PTI +[ 158.723728] CPU: 0 PID: 56 Comm: kworker/u2:1 Not tainted 5.3.0-rc1+ #18 +[ 158.725422] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-2.fc30 04/01/2014 +[ 158.727508] Workqueue: netns cleanup_net +[ 158.728915] RIP: 0010:default_device_exit.cold+0x1d/0x1f +[ 158.730683] Code: 84 e8 18 c9 3e fe 0f 0b e9 70 90 ff ff e8 36 e4 52 fe 89 d9 4c 89 e2 48 c7 c6 80 d6 25 84 48 c7 c7 20 c0 25 84 e8 f4 c8 3e +[ 158.736854] RSP: 0018:ffff8880347e7b90 EFLAGS: 00010282 +[ 158.738752] RAX: 000000000000003b RBX: 00000000ffffffef RCX: 0000000000000000 +[ 158.741369] RDX: 0000000000000000 RSI: ffffffff8128013d RDI: ffffed10068fcf64 +[ 158.743418] RBP: ffff888033550170 R08: 000000000000003b R09: fffffbfff0b94b9c +[ 158.745626] R10: fffffbfff0b94b9b R11: ffffffff85ca5cdf R12: ffff888032f28000 +[ 158.748405] R13: dffffc0000000000 R14: ffff8880335501b8 R15: 1ffff110068fcf72 +[ 158.750638] FS: 0000000000000000(0000) GS:ffff888036000000(0000) knlGS:0000000000000000 +[ 158.752944] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 158.755245] CR2: 00007fe8b45d21d0 CR3: 00000000340b4005 CR4: 0000000000360ef0 +[ 158.757654] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[ 158.760012] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +[ 158.762758] Call Trace: +[ 158.763882] ? dev_change_net_namespace+0xbb0/0xbb0 +[ 158.766148] ? devlink_nl_cmd_set_doit+0x520/0x520 +[ 158.768034] ? dev_change_net_namespace+0xbb0/0xbb0 +[ 158.769870] ops_exit_list.isra.0+0xa8/0x150 +[ 158.771544] cleanup_net+0x446/0x8f0 +[ 158.772945] ? unregister_pernet_operations+0x4a0/0x4a0 +[ 158.775294] process_one_work+0xa1a/0x1740 +[ 158.776896] ? pwq_dec_nr_in_flight+0x310/0x310 +[ 158.779143] ? do_raw_spin_lock+0x11b/0x280 +[ 158.780848] worker_thread+0x9e/0x1060 +[ 158.782500] ? process_one_work+0x1740/0x1740 +[ 158.784454] kthread+0x31b/0x420 +[ 158.786082] ? __kthread_create_on_node+0x3f0/0x3f0 +[ 158.788286] ret_from_fork+0x3a/0x50 +[ 158.789871] ---[ end trace defd6c657c71f936 ]--- +[ 158.792273] RIP: 0010:default_device_exit.cold+0x1d/0x1f +[ 158.795478] Code: 84 e8 18 c9 3e fe 0f 0b e9 70 90 ff ff e8 36 e4 52 fe 89 d9 4c 89 e2 48 c7 c6 80 d6 25 84 48 c7 c7 20 c0 25 84 e8 f4 c8 3e +[ 158.804854] RSP: 0018:ffff8880347e7b90 EFLAGS: 00010282 +[ 158.807865] RAX: 000000000000003b RBX: 00000000ffffffef RCX: 0000000000000000 +[ 158.811794] RDX: 0000000000000000 RSI: ffffffff8128013d RDI: ffffed10068fcf64 +[ 158.816652] RBP: ffff888033550170 R08: 000000000000003b R09: fffffbfff0b94b9c +[ 158.820930] R10: fffffbfff0b94b9b R11: ffffffff85ca5cdf R12: ffff888032f28000 +[ 158.825113] R13: dffffc0000000000 R14: ffff8880335501b8 R15: 1ffff110068fcf72 +[ 158.829899] FS: 0000000000000000(0000) GS:ffff888036000000(0000) knlGS:0000000000000000 +[ 158.834923] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 158.838164] CR2: 00007fe8b45d21d0 CR3: 00000000340b4005 CR4: 0000000000360ef0 +[ 158.841917] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[ 158.845149] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + +Fix this by checking if a device with the same name exists in init_net +and fallback to original code - dev%d to allocate name - in case it does. + +This was found using syzkaller. + +Fixes: aca51397d014 ("netns: Fix arbitrary net_device-s corruptions on net_ns stop.") +Signed-off-by: Jiri Pirko <jiri@mellanox.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + net/core/dev.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -7239,6 +7239,8 @@ static void __net_exit default_device_ex + + /* Push remaining network devices to init_net */ + snprintf(fb_name, IFNAMSIZ, "dev%d", dev->ifindex); ++ if (__dev_get_by_name(&init_net, fb_name)) ++ snprintf(fb_name, IFNAMSIZ, "dev%%d"); + err = dev_change_net_namespace(dev, &init_net, fb_name); + if (err) { + pr_emerg("%s: failed to move %s to init_net: %d\n", diff --git a/net-sched-fix-a-possible-null-pointer-dereference-in-dequeue_func.patch b/net-sched-fix-a-possible-null-pointer-dereference-in-dequeue_func.patch new file mode 100644 index 0000000..cd5bbea --- /dev/null +++ b/net-sched-fix-a-possible-null-pointer-dereference-in-dequeue_func.patch @@ -0,0 +1,43 @@ +From foo@baz Thu 08 Aug 2019 09:48:28 AM CEST +From: Jia-Ju Bai <baijiaju1990@gmail.com> +Date: Mon, 29 Jul 2019 16:24:33 +0800 +Subject: net: sched: Fix a possible null-pointer dereference in dequeue_func() + +From: Jia-Ju Bai <baijiaju1990@gmail.com> + +[ Upstream commit 051c7b39be4a91f6b7d8c4548444e4b850f1f56c ] + +In dequeue_func(), there is an if statement on line 74 to check whether +skb is NULL: + if (skb) + +When skb is NULL, it is used on line 77: + prefetch(&skb->end); + +Thus, a possible null-pointer dereference may occur. + +To fix this bug, skb->end is used when skb is not NULL. + +This bug is found by a static analysis tool STCheck written by us. + +Fixes: 76e3cc126bb2 ("codel: Controlled Delay AQM") +Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com> +Reviewed-by: Jiri Pirko <jiri@mellanox.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + net/sched/sch_codel.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/sched/sch_codel.c ++++ b/net/sched/sch_codel.c +@@ -68,7 +68,8 @@ static struct sk_buff *dequeue(struct co + { + struct sk_buff *skb = __skb_dequeue(&sch->q); + +- prefetch(&skb->end); /* we'll need skb_shinfo() */ ++ if (skb) ++ prefetch(&skb->end); /* we'll need skb_shinfo() */ + return skb; + } + @@ -0,0 +1,4 @@ +net-fix-ifindex-collision-during-namespace-removal.patch +net-sched-fix-a-possible-null-pointer-dereference-in-dequeue_func.patch +net-bridge-delete-local-fdb-on-device-init-failure.patch +bnx2x-disable-multi-cos-feature.patch |