authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>2019-08-08 10:12:42 +0200
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2019-08-08 10:12:42 +0200
commit3aba88b949a03bc08dd49357e4a1d77a1f97ac42 (patch)
tree817a642c5759aea4a34a54b11f90df64f2952093
parent391d2f4131e7277a97c8c7fd3df69dee7e05d1cf (diff)
downloadqueue-3.18-3aba88b949a03bc08dd49357e4a1d77a1f97ac42.tar.gz
more patches
-rw-r--r--bnx2x-disable-multi-cos-feature.patch35
-rw-r--r--net-bridge-delete-local-fdb-on-device-init-failure.patch45
-rw-r--r--net-fix-ifindex-collision-during-namespace-removal.patch132
-rw-r--r--net-sched-fix-a-possible-null-pointer-dereference-in-dequeue_func.patch43
-rw-r--r--series4
5 files changed, 259 insertions, 0 deletions
diff --git a/bnx2x-disable-multi-cos-feature.patch b/bnx2x-disable-multi-cos-feature.patch
new file mode 100644
index 0000000..1de21c6
--- /dev/null
+++ b/bnx2x-disable-multi-cos-feature.patch
@@ -0,0 +1,35 @@
+From foo@baz Thu 08 Aug 2019 08:59:04 AM CEST
+From: Sudarsana Reddy Kalluru <skalluru@marvell.com>
+Date: Tue, 23 Jul 2019 19:32:41 -0700
+Subject: bnx2x: Disable multi-cos feature.
+
+From: Sudarsana Reddy Kalluru <skalluru@marvell.com>
+
+[ Upstream commit d1f0b5dce8fda09a7f5f04c1878f181d548e42f5 ]
+
+Commit 3968d38917eb ("bnx2x: Fix Multi-Cos.") which enabled multi-cos
+feature after prolonged time in driver added some regression causing
+numerous issues (sudden reboots, tx timeout etc.) reported by customers.
+We plan to backout this commit and submit proper fix once we have root
+cause of issues reported with this feature enabled.
+
+Fixes: 3968d38917eb ("bnx2x: Fix Multi-Cos.")
+Signed-off-by: Sudarsana Reddy Kalluru <skalluru@marvell.com>
+Signed-off-by: Manish Chopra <manishc@marvell.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
+@@ -1937,7 +1937,7 @@ u16 bnx2x_select_queue(struct net_device
+ }
+
+ /* select a non-FCoE queue */
+- return fallback(dev, skb) % (BNX2X_NUM_ETH_QUEUES(bp) * bp->max_cos);
++ return fallback(dev, skb) % (BNX2X_NUM_ETH_QUEUES(bp));
+ }
+
+ void bnx2x_set_num_queues(struct bnx2x *bp)
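Review bot: The new return in bnx2x_select_queue() keeps a redundant pair of parentheses, `% (BNX2X_NUM_ETH_QUEUES(bp))`, and nothing in the code records why `bp->max_cos` was dropped from the modulus. Assuming the macro is itself parenthesised, `return fallback(dev, skb) % BNX2X_NUM_ETH_QUEUES(bp);` with a short comment such as `/* multi-cos disabled, see 3968d38917eb */` would keep the factor from being reintroduced by accident. The start of the function is outside the hunk.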
diff --git a/net-bridge-delete-local-fdb-on-device-init-failure.patch b/net-bridge-delete-local-fdb-on-device-init-failure.patch
new file mode 100644
index 0000000..22bc67b
--- /dev/null
+++ b/net-bridge-delete-local-fdb-on-device-init-failure.patch
@@ -0,0 +1,45 @@
+From foo@baz Thu 08 Aug 2019 09:48:28 AM CEST
+From: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+Date: Mon, 29 Jul 2019 12:28:41 +0300
+Subject: net: bridge: delete local fdb on device init failure
+
+From: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+
+[ Upstream commit d7bae09fa008c6c9a489580db0a5a12063b97f97 ]
+
+On initialization failure we have to delete the local fdb which was
+inserted due to the default pvid creation. This problem has been present
+since the inception of default_pvid. Note that currently there are 2 cases:
+1) in br_dev_init() when br_multicast_init() fails
+2) if register_netdevice() fails after calling ndo_init()
+
+This patch takes care of both since br_vlan_flush() is called on both
+occasions. Also the new fdb delete would be a no-op on normal bridge
+device destruction since the local fdb would've been already flushed by
+br_dev_delete(). This is not an issue for ports since nbp_vlan_init() is
+called last when adding a port thus nothing can fail after it.
+
+Reported-by: syzbot+88533dc8b582309bf3ee@syzkaller.appspotmail.com
+Fixes: 5be5a2df40f0 ("bridge: Add filtering support for default_pvid")
+Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bridge/br_vlan.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/net/bridge/br_vlan.c
++++ b/net/bridge/br_vlan.c
+@@ -360,6 +360,12 @@ void br_vlan_flush(struct net_bridge *br
+ struct net_port_vlans *pv;
+
+ ASSERT_RTNL();
++
++ /* delete auto-added default pvid local fdb before flushing vlans
++ * otherwise it will be leaked on bridge device init failure
++ */
++ br_fdb_delete_by_port(br, NULL, 1);
++
+ pv = rtnl_dereference(br->vlan_info);
+ if (!pv)
+ return;
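Review bot: The bare `1` passed as the last argument of `br_fdb_delete_by_port(br, NULL, 1)` is unexplained, and the comment above it mentions only the default-pvid entry while the call is keyed on a NULL port. If the helper removes every fdb entry that has no port, the comment should say so, for example `/* port == NULL selects the bridge's own entries; 1 = also drop static ones */`; that wording needs confirming against the helper's definition in this tree, which the hunk does not show. The commit message argues the extra call is a no-op on normal teardown because br_dev_delete() has already flushed, and a short mention of that in the comment would spare a later reader from re-deriving it. br_vlan_flush() continues past the end of the hunk.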
diff --git a/net-fix-ifindex-collision-during-namespace-removal.patch b/net-fix-ifindex-collision-during-namespace-removal.patch
new file mode 100644
index 0000000..8c33a0c
--- /dev/null
+++ b/net-fix-ifindex-collision-during-namespace-removal.patch
@@ -0,0 +1,132 @@
+From foo@baz Thu 08 Aug 2019 10:04:59 AM CEST
+From: Jiri Pirko <jiri@mellanox.com>
+Date: Sun, 28 Jul 2019 14:56:36 +0200
+Subject: net: fix ifindex collision during namespace removal
+
+From: Jiri Pirko <jiri@mellanox.com>
+
+[ Upstream commit 55b40dbf0e76b4bfb9d8b3a16a0208640a9a45df ]
+
+Commit aca51397d014 ("netns: Fix arbitrary net_device-s corruptions
+on net_ns stop.") introduced a possibility to hit a BUG in case device
+is returning back to init_net and two following conditions are met:
+1) dev->ifindex value is used in a name of another "dev%d"
+ device in init_net.
+2) dev->name is used by another device in init_net.
+
+Under real life circumstances this is hard to get. Therefore this has
+been present happily for over 10 years. To reproduce:
+
+$ ip a
+1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
+ link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
+ inet 127.0.0.1/8 scope host lo
+ valid_lft forever preferred_lft forever
+ inet6 ::1/128 scope host
+ valid_lft forever preferred_lft forever
+2: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN group default qlen 1000
+ link/ether 86:89:3f:86:61:29 brd ff:ff:ff:ff:ff:ff
+3: enp0s2: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
+ link/ether 52:54:00:12:34:56 brd ff:ff:ff:ff:ff:ff
+$ ip netns add ns1
+$ ip -n ns1 link add dummy1ns1 type dummy
+$ ip -n ns1 link add dummy2ns1 type dummy
+$ ip link set enp0s2 netns ns1
+$ ip -n ns1 link set enp0s2 name dummy0
+[ 100.858894] virtio_net virtio0 dummy0: renamed from enp0s2
+$ ip link add dev4 type dummy
+$ ip -n ns1 a
+1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN group default qlen 1000
+ link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
+2: dummy1ns1: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN group default qlen 1000
+ link/ether 16:63:4c:38:3e:ff brd ff:ff:ff:ff:ff:ff
+3: dummy2ns1: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN group default qlen 1000
+ link/ether aa:9e:86:dd:6b:5d brd ff:ff:ff:ff:ff:ff
+4: dummy0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
+ link/ether 52:54:00:12:34:56 brd ff:ff:ff:ff:ff:ff
+$ ip a
+1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
+ link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
+ inet 127.0.0.1/8 scope host lo
+ valid_lft forever preferred_lft forever
+ inet6 ::1/128 scope host
+ valid_lft forever preferred_lft forever
+2: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN group default qlen 1000
+ link/ether 86:89:3f:86:61:29 brd ff:ff:ff:ff:ff:ff
+4: dev4: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN group default qlen 1000
+ link/ether 5a:e1:4a:b6:ec:f8 brd ff:ff:ff:ff:ff:ff
+$ ip netns del ns1
+[ 158.717795] default_device_exit: failed to move dummy0 to init_net: -17
+[ 158.719316] ------------[ cut here ]------------
+[ 158.720591] kernel BUG at net/core/dev.c:9824!
+[ 158.722260] invalid opcode: 0000 [#1] SMP KASAN PTI
+[ 158.723728] CPU: 0 PID: 56 Comm: kworker/u2:1 Not tainted 5.3.0-rc1+ #18
+[ 158.725422] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-2.fc30 04/01/2014
+[ 158.727508] Workqueue: netns cleanup_net
+[ 158.728915] RIP: 0010:default_device_exit.cold+0x1d/0x1f
+[ 158.730683] Code: 84 e8 18 c9 3e fe 0f 0b e9 70 90 ff ff e8 36 e4 52 fe 89 d9 4c 89 e2 48 c7 c6 80 d6 25 84 48 c7 c7 20 c0 25 84 e8 f4 c8 3e
+[ 158.736854] RSP: 0018:ffff8880347e7b90 EFLAGS: 00010282
+[ 158.738752] RAX: 000000000000003b RBX: 00000000ffffffef RCX: 0000000000000000
+[ 158.741369] RDX: 0000000000000000 RSI: ffffffff8128013d RDI: ffffed10068fcf64
+[ 158.743418] RBP: ffff888033550170 R08: 000000000000003b R09: fffffbfff0b94b9c
+[ 158.745626] R10: fffffbfff0b94b9b R11: ffffffff85ca5cdf R12: ffff888032f28000
+[ 158.748405] R13: dffffc0000000000 R14: ffff8880335501b8 R15: 1ffff110068fcf72
+[ 158.750638] FS: 0000000000000000(0000) GS:ffff888036000000(0000) knlGS:0000000000000000
+[ 158.752944] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 158.755245] CR2: 00007fe8b45d21d0 CR3: 00000000340b4005 CR4: 0000000000360ef0
+[ 158.757654] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[ 158.760012] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[ 158.762758] Call Trace:
+[ 158.763882] ? dev_change_net_namespace+0xbb0/0xbb0
+[ 158.766148] ? devlink_nl_cmd_set_doit+0x520/0x520
+[ 158.768034] ? dev_change_net_namespace+0xbb0/0xbb0
+[ 158.769870] ops_exit_list.isra.0+0xa8/0x150
+[ 158.771544] cleanup_net+0x446/0x8f0
+[ 158.772945] ? unregister_pernet_operations+0x4a0/0x4a0
+[ 158.775294] process_one_work+0xa1a/0x1740
+[ 158.776896] ? pwq_dec_nr_in_flight+0x310/0x310
+[ 158.779143] ? do_raw_spin_lock+0x11b/0x280
+[ 158.780848] worker_thread+0x9e/0x1060
+[ 158.782500] ? process_one_work+0x1740/0x1740
+[ 158.784454] kthread+0x31b/0x420
+[ 158.786082] ? __kthread_create_on_node+0x3f0/0x3f0
+[ 158.788286] ret_from_fork+0x3a/0x50
+[ 158.789871] ---[ end trace defd6c657c71f936 ]---
+[ 158.792273] RIP: 0010:default_device_exit.cold+0x1d/0x1f
+[ 158.795478] Code: 84 e8 18 c9 3e fe 0f 0b e9 70 90 ff ff e8 36 e4 52 fe 89 d9 4c 89 e2 48 c7 c6 80 d6 25 84 48 c7 c7 20 c0 25 84 e8 f4 c8 3e
+[ 158.804854] RSP: 0018:ffff8880347e7b90 EFLAGS: 00010282
+[ 158.807865] RAX: 000000000000003b RBX: 00000000ffffffef RCX: 0000000000000000
+[ 158.811794] RDX: 0000000000000000 RSI: ffffffff8128013d RDI: ffffed10068fcf64
+[ 158.816652] RBP: ffff888033550170 R08: 000000000000003b R09: fffffbfff0b94b9c
+[ 158.820930] R10: fffffbfff0b94b9b R11: ffffffff85ca5cdf R12: ffff888032f28000
+[ 158.825113] R13: dffffc0000000000 R14: ffff8880335501b8 R15: 1ffff110068fcf72
+[ 158.829899] FS: 0000000000000000(0000) GS:ffff888036000000(0000) knlGS:0000000000000000
+[ 158.834923] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 158.838164] CR2: 00007fe8b45d21d0 CR3: 00000000340b4005 CR4: 0000000000360ef0
+[ 158.841917] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[ 158.845149] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+
+Fix this by checking if a device with the same name exists in init_net
+and fallback to original code - dev%d to allocate name - in case it does.
+
+This was found using syzkaller.
+
+Fixes: aca51397d014 ("netns: Fix arbitrary net_device-s corruptions on net_ns stop.")
+Signed-off-by: Jiri Pirko <jiri@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/dev.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -7239,6 +7239,8 @@ static void __net_exit default_device_ex
+
+ /* Push remaining network devices to init_net */
+ snprintf(fb_name, IFNAMSIZ, "dev%d", dev->ifindex);
++ if (__dev_get_by_name(&init_net, fb_name))
++ snprintf(fb_name, IFNAMSIZ, "dev%%d");
+ err = dev_change_net_namespace(dev, &init_net, fb_name);
+ if (err) {
+ pr_emerg("%s: failed to move %s to init_net: %d\n",
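Review bot: The two added lines in default_device_exit() rely on `"dev%%d"` producing the literal template `dev%d`, which is easy to misread as a formatting mistake. A comment such as `/* fallback name already taken in init_net: pass the "dev%d" template so a free name is allocated */` would make the intent explicit. Only the fallback-name collision (the -17 in the quoted log) is handled here, so any other error from dev_change_net_namespace() still reaches the `if (err)` path, which in the quoted trace ends in a kernel BUG. That may be intended, but it is worth stating next to the check. The function starts before and ends after this hunk.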
diff --git a/net-sched-fix-a-possible-null-pointer-dereference-in-dequeue_func.patch b/net-sched-fix-a-possible-null-pointer-dereference-in-dequeue_func.patch
new file mode 100644
index 0000000..cd5bbea
--- /dev/null
+++ b/net-sched-fix-a-possible-null-pointer-dereference-in-dequeue_func.patch
@@ -0,0 +1,43 @@
+From foo@baz Thu 08 Aug 2019 09:48:28 AM CEST
+From: Jia-Ju Bai <baijiaju1990@gmail.com>
+Date: Mon, 29 Jul 2019 16:24:33 +0800
+Subject: net: sched: Fix a possible null-pointer dereference in dequeue_func()
+
+From: Jia-Ju Bai <baijiaju1990@gmail.com>
+
+[ Upstream commit 051c7b39be4a91f6b7d8c4548444e4b850f1f56c ]
+
+In dequeue_func(), there is an if statement on line 74 to check whether
+skb is NULL:
+ if (skb)
+
+When skb is NULL, it is used on line 77:
+ prefetch(&skb->end);
+
+Thus, a possible null-pointer dereference may occur.
+
+To fix this bug, skb->end is used when skb is not NULL.
+
+This bug is found by a static analysis tool STCheck written by us.
+
+Fixes: 76e3cc126bb2 ("codel: Controlled Delay AQM")
+Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
+Reviewed-by: Jiri Pirko <jiri@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/sch_codel.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/sched/sch_codel.c
++++ b/net/sched/sch_codel.c
+@@ -68,7 +68,8 @@ static struct sk_buff *dequeue(struct co
+ {
+ struct sk_buff *skb = __skb_dequeue(&sch->q);
+
+- prefetch(&skb->end); /* we'll need skb_shinfo() */
++ if (skb)
++ prefetch(&skb->end); /* we'll need skb_shinfo() */
+ return skb;
+ }
+
diff --git a/series b/series
index e69de29..9681bea 100644
--- a/series
+++ b/series
@@ -0,0 +1,4 @@
+net-fix-ifindex-collision-during-namespace-removal.patch
+net-sched-fix-a-possible-null-pointer-dereference-in-dequeue_func.patch
+net-bridge-delete-local-fdb-on-device-init-failure.patch
+bnx2x-disable-multi-cos-feature.patch