<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/net, branch v5.4.11</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>vlan: vlan_changelink() should propagate errors</title>
<updated>2020-01-12T11:21:50+00:00</updated>
<author>
<name>Eric Dumazet</name>
<email>edumazet@google.com</email>
</author>
<published>2020-01-07T09:42:25+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=25037e4b197bf04a9c8467b9ce1d76aefc8fa703'/>
<id>25037e4b197bf04a9c8467b9ce1d76aefc8fa703</id>
<content type='text'>
[ Upstream commit eb8ef2a3c50092bb018077c047b8dba1ce0e78e3 ]

Both vlan_dev_change_flags() and vlan_dev_set_egress_priority()
can return an error. vlan_changelink() should not ignore them.

Fixes: 07b5b17e157b ("[VLAN]: Use rtnl_link API")
Signed-off-by: Eric Dumazet &lt;edumazet@google.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit eb8ef2a3c50092bb018077c047b8dba1ce0e78e3 ]

Both vlan_dev_change_flags() and vlan_dev_set_egress_priority()
can return an error. vlan_changelink() should not ignore them.

Fixes: 07b5b17e157b ("[VLAN]: Use rtnl_link API")
Signed-off-by: Eric Dumazet &lt;edumazet@google.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>vlan: fix memory leak in vlan_dev_set_egress_priority</title>
<updated>2020-01-12T11:21:49+00:00</updated>
<author>
<name>Eric Dumazet</name>
<email>edumazet@google.com</email>
</author>
<published>2020-01-07T09:42:24+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=196a9a408c3eb8f590f0f7088cafe80c7c1564e7'/>
<id>196a9a408c3eb8f590f0f7088cafe80c7c1564e7</id>
<content type='text'>
[ Upstream commit 9bbd917e0bec9aebdbd0c8dbc966caec15eb33e9 ]

There are few cases where the ndo_uninit() handler might be not
called if an error happens while device is initialized.

Since vlan_newlink() calls vlan_changelink() before
trying to register the netdevice, we need to make sure
vlan_dev_uninit() has been called at least once,
or we might leak allocated memory.

BUG: memory leak
unreferenced object 0xffff888122a206c0 (size 32):
  comm "syz-executor511", pid 7124, jiffies 4294950399 (age 32.240s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 61 73 00 00 00 00 00 00 00 00  ......as........
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [&lt;000000000eb3bb85&gt;] kmemleak_alloc_recursive include/linux/kmemleak.h:43 [inline]
    [&lt;000000000eb3bb85&gt;] slab_post_alloc_hook mm/slab.h:586 [inline]
    [&lt;000000000eb3bb85&gt;] slab_alloc mm/slab.c:3320 [inline]
    [&lt;000000000eb3bb85&gt;] kmem_cache_alloc_trace+0x145/0x2c0 mm/slab.c:3549
    [&lt;000000007b99f620&gt;] kmalloc include/linux/slab.h:556 [inline]
    [&lt;000000007b99f620&gt;] vlan_dev_set_egress_priority+0xcc/0x150 net/8021q/vlan_dev.c:194
    [&lt;000000007b0cb745&gt;] vlan_changelink+0xd6/0x140 net/8021q/vlan_netlink.c:126
    [&lt;0000000065aba83a&gt;] vlan_newlink+0x135/0x200 net/8021q/vlan_netlink.c:181
    [&lt;00000000fb5dd7a2&gt;] __rtnl_newlink+0x89a/0xb80 net/core/rtnetlink.c:3305
    [&lt;00000000ae4273a1&gt;] rtnl_newlink+0x4e/0x80 net/core/rtnetlink.c:3363
    [&lt;00000000decab39f&gt;] rtnetlink_rcv_msg+0x178/0x4b0 net/core/rtnetlink.c:5424
    [&lt;00000000accba4ee&gt;] netlink_rcv_skb+0x61/0x170 net/netlink/af_netlink.c:2477
    [&lt;00000000319fe20f&gt;] rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:5442
    [&lt;00000000d51938dc&gt;] netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline]
    [&lt;00000000d51938dc&gt;] netlink_unicast+0x223/0x310 net/netlink/af_netlink.c:1328
    [&lt;00000000e539ac79&gt;] netlink_sendmsg+0x2c0/0x570 net/netlink/af_netlink.c:1917
    [&lt;000000006250c27e&gt;] sock_sendmsg_nosec net/socket.c:639 [inline]
    [&lt;000000006250c27e&gt;] sock_sendmsg+0x54/0x70 net/socket.c:659
    [&lt;00000000e2a156d1&gt;] ____sys_sendmsg+0x2d0/0x300 net/socket.c:2330
    [&lt;000000008c87466e&gt;] ___sys_sendmsg+0x8a/0xd0 net/socket.c:2384
    [&lt;00000000110e3054&gt;] __sys_sendmsg+0x80/0xf0 net/socket.c:2417
    [&lt;00000000d71077c8&gt;] __do_sys_sendmsg net/socket.c:2426 [inline]
    [&lt;00000000d71077c8&gt;] __se_sys_sendmsg net/socket.c:2424 [inline]
    [&lt;00000000d71077c8&gt;] __x64_sys_sendmsg+0x23/0x30 net/socket.c:2424

Fixe: 07b5b17e157b ("[VLAN]: Use rtnl_link API")
Signed-off-by: Eric Dumazet &lt;edumazet@google.com&gt;
Reported-by: syzbot &lt;syzkaller@googlegroups.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 9bbd917e0bec9aebdbd0c8dbc966caec15eb33e9 ]

There are few cases where the ndo_uninit() handler might be not
called if an error happens while device is initialized.

Since vlan_newlink() calls vlan_changelink() before
trying to register the netdevice, we need to make sure
vlan_dev_uninit() has been called at least once,
or we might leak allocated memory.

BUG: memory leak
unreferenced object 0xffff888122a206c0 (size 32):
  comm "syz-executor511", pid 7124, jiffies 4294950399 (age 32.240s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 61 73 00 00 00 00 00 00 00 00  ......as........
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [&lt;000000000eb3bb85&gt;] kmemleak_alloc_recursive include/linux/kmemleak.h:43 [inline]
    [&lt;000000000eb3bb85&gt;] slab_post_alloc_hook mm/slab.h:586 [inline]
    [&lt;000000000eb3bb85&gt;] slab_alloc mm/slab.c:3320 [inline]
    [&lt;000000000eb3bb85&gt;] kmem_cache_alloc_trace+0x145/0x2c0 mm/slab.c:3549
    [&lt;000000007b99f620&gt;] kmalloc include/linux/slab.h:556 [inline]
    [&lt;000000007b99f620&gt;] vlan_dev_set_egress_priority+0xcc/0x150 net/8021q/vlan_dev.c:194
    [&lt;000000007b0cb745&gt;] vlan_changelink+0xd6/0x140 net/8021q/vlan_netlink.c:126
    [&lt;0000000065aba83a&gt;] vlan_newlink+0x135/0x200 net/8021q/vlan_netlink.c:181
    [&lt;00000000fb5dd7a2&gt;] __rtnl_newlink+0x89a/0xb80 net/core/rtnetlink.c:3305
    [&lt;00000000ae4273a1&gt;] rtnl_newlink+0x4e/0x80 net/core/rtnetlink.c:3363
    [&lt;00000000decab39f&gt;] rtnetlink_rcv_msg+0x178/0x4b0 net/core/rtnetlink.c:5424
    [&lt;00000000accba4ee&gt;] netlink_rcv_skb+0x61/0x170 net/netlink/af_netlink.c:2477
    [&lt;00000000319fe20f&gt;] rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:5442
    [&lt;00000000d51938dc&gt;] netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline]
    [&lt;00000000d51938dc&gt;] netlink_unicast+0x223/0x310 net/netlink/af_netlink.c:1328
    [&lt;00000000e539ac79&gt;] netlink_sendmsg+0x2c0/0x570 net/netlink/af_netlink.c:1917
    [&lt;000000006250c27e&gt;] sock_sendmsg_nosec net/socket.c:639 [inline]
    [&lt;000000006250c27e&gt;] sock_sendmsg+0x54/0x70 net/socket.c:659
    [&lt;00000000e2a156d1&gt;] ____sys_sendmsg+0x2d0/0x300 net/socket.c:2330
    [&lt;000000008c87466e&gt;] ___sys_sendmsg+0x8a/0xd0 net/socket.c:2384
    [&lt;00000000110e3054&gt;] __sys_sendmsg+0x80/0xf0 net/socket.c:2417
    [&lt;00000000d71077c8&gt;] __do_sys_sendmsg net/socket.c:2426 [inline]
    [&lt;00000000d71077c8&gt;] __se_sys_sendmsg net/socket.c:2424 [inline]
    [&lt;00000000d71077c8&gt;] __x64_sys_sendmsg+0x23/0x30 net/socket.c:2424

Fixe: 07b5b17e157b ("[VLAN]: Use rtnl_link API")
Signed-off-by: Eric Dumazet &lt;edumazet@google.com&gt;
Reported-by: syzbot &lt;syzkaller@googlegroups.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>net: sch_prio: When ungrafting, replace with FIFO</title>
<updated>2020-01-12T11:21:49+00:00</updated>
<author>
<name>Petr Machata</name>
<email>petrm@mellanox.com</email>
</author>
<published>2020-01-06T18:01:56+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=c6e324d0cbb2e3096290ce7329039d76a3c18dfb'/>
<id>c6e324d0cbb2e3096290ce7329039d76a3c18dfb</id>
<content type='text'>
[ Upstream commit 240ce7f6428ff5188b9eedc066e1e4d645b8635f ]

When a child Qdisc is removed from one of the PRIO Qdisc's bands, it is
replaced unconditionally by a NOOP qdisc. As a result, any traffic hitting
that band gets dropped. That is incorrect--no Qdisc was explicitly added
when PRIO was created, and after removal, none should have to be added
either.

Fix PRIO by first attempting to create a default Qdisc and only falling
back to noop when that fails. This pattern of attempting to create an
invisible FIFO, using NOOP only as a fallback, is also seen in other
Qdiscs.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Petr Machata &lt;petrm@mellanox.com&gt;
Acked-by: Jiri Pirko &lt;jiri@mellanox.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 240ce7f6428ff5188b9eedc066e1e4d645b8635f ]

When a child Qdisc is removed from one of the PRIO Qdisc's bands, it is
replaced unconditionally by a NOOP qdisc. As a result, any traffic hitting
that band gets dropped. That is incorrect--no Qdisc was explicitly added
when PRIO was created, and after removal, none should have to be added
either.

Fix PRIO by first attempting to create a default Qdisc and only falling
back to noop when that fails. This pattern of attempting to create an
invisible FIFO, using NOOP only as a fallback, is also seen in other
Qdiscs.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Petr Machata &lt;petrm@mellanox.com&gt;
Acked-by: Jiri Pirko &lt;jiri@mellanox.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>tcp: fix "old stuff" D-SACK causing SACK to be treated as D-SACK</title>
<updated>2020-01-12T11:21:48+00:00</updated>
<author>
<name>Pengcheng Yang</name>
<email>yangpc@wangsu.com</email>
</author>
<published>2019-12-30T09:54:41+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=68fe2b265a674fe479f09762a1c6ffa74e25cd43'/>
<id>68fe2b265a674fe479f09762a1c6ffa74e25cd43</id>
<content type='text'>
[ Upstream commit c9655008e7845bcfdaac10a1ed8554ec167aea88 ]

When we receive a D-SACK, where the sequence number satisfies:
	undo_marker &lt;= start_seq &lt; end_seq &lt;= prior_snd_una
we consider this is a valid D-SACK and tcp_is_sackblock_valid()
returns true, then this D-SACK is discarded as "old stuff",
but the variable first_sack_index is not marked as negative
in tcp_sacktag_write_queue().

If this D-SACK also carries a SACK that needs to be processed
(for example, the previous SACK segment was lost), this SACK
will be treated as a D-SACK in the following processing of
tcp_sacktag_write_queue(), which will eventually lead to
incorrect updates of undo_retrans and reordering.

Fixes: fd6dad616d4f ("[TCP]: Earlier SACK block verification &amp; simplify access to them")
Signed-off-by: Pengcheng Yang &lt;yangpc@wangsu.com&gt;
Signed-off-by: Eric Dumazet &lt;edumazet@google.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit c9655008e7845bcfdaac10a1ed8554ec167aea88 ]

When we receive a D-SACK, where the sequence number satisfies:
	undo_marker &lt;= start_seq &lt; end_seq &lt;= prior_snd_una
we consider this is a valid D-SACK and tcp_is_sackblock_valid()
returns true, then this D-SACK is discarded as "old stuff",
but the variable first_sack_index is not marked as negative
in tcp_sacktag_write_queue().

If this D-SACK also carries a SACK that needs to be processed
(for example, the previous SACK segment was lost), this SACK
will be treated as a D-SACK in the following processing of
tcp_sacktag_write_queue(), which will eventually lead to
incorrect updates of undo_retrans and reordering.

Fixes: fd6dad616d4f ("[TCP]: Earlier SACK block verification &amp; simplify access to them")
Signed-off-by: Pengcheng Yang &lt;yangpc@wangsu.com&gt;
Signed-off-by: Eric Dumazet &lt;edumazet@google.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>sctp: free cmd-&gt;obj.chunk for the unprocessed SCTP_CMD_REPLY</title>
<updated>2020-01-12T11:21:48+00:00</updated>
<author>
<name>Xin Long</name>
<email>lucien.xin@gmail.com</email>
</author>
<published>2020-01-04T06:15:02+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=50027f1c78abced651d03e2a0d88b7caa2b9a0c2'/>
<id>50027f1c78abced651d03e2a0d88b7caa2b9a0c2</id>
<content type='text'>
[ Upstream commit be7a7729207797476b6666f046d765bdf9630407 ]

This patch is to fix a memleak caused by no place to free cmd-&gt;obj.chunk
for the unprocessed SCTP_CMD_REPLY. This issue occurs when failing to
process a cmd while there're still SCTP_CMD_REPLY cmds on the cmd seq
with an allocated chunk in cmd-&gt;obj.chunk.

So fix it by freeing cmd-&gt;obj.chunk for each SCTP_CMD_REPLY cmd left on
the cmd seq when any cmd returns error. While at it, also remove 'nomem'
label.

Reported-by: syzbot+107c4aff5f392bf1517f@syzkaller.appspotmail.com
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Xin Long &lt;lucien.xin@gmail.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit be7a7729207797476b6666f046d765bdf9630407 ]

This patch is to fix a memleak caused by no place to free cmd-&gt;obj.chunk
for the unprocessed SCTP_CMD_REPLY. This issue occurs when failing to
process a cmd while there're still SCTP_CMD_REPLY cmds on the cmd seq
with an allocated chunk in cmd-&gt;obj.chunk.

So fix it by freeing cmd-&gt;obj.chunk for each SCTP_CMD_REPLY cmd left on
the cmd seq when any cmd returns error. While at it, also remove 'nomem'
label.

Reported-by: syzbot+107c4aff5f392bf1517f@syzkaller.appspotmail.com
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Xin Long &lt;lucien.xin@gmail.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>sch_cake: avoid possible divide by zero in cake_enqueue()</title>
<updated>2020-01-12T11:21:48+00:00</updated>
<author>
<name>Wen Yang</name>
<email>wenyang@linux.alibaba.com</email>
</author>
<published>2020-01-02T09:21:43+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=2895cea2889ae20fec5372e11b8343468f166ef7'/>
<id>2895cea2889ae20fec5372e11b8343468f166ef7</id>
<content type='text'>
[ Upstream commit 68aab823c223646fab311f8a6581994facee66a0 ]

The variables 'window_interval' is u64 and do_div()
truncates it to 32 bits, which means it can test
non-zero and be truncated to zero for division.
The unit of window_interval is nanoseconds,
so its lower 32-bit is relatively easy to exceed.
Fix this issue by using div64_u64() instead.

Fixes: 7298de9cd725 ("sch_cake: Add ingress mode")
Signed-off-by: Wen Yang &lt;wenyang@linux.alibaba.com&gt;
Cc: Kevin Darbyshire-Bryant &lt;ldir@darbyshire-bryant.me.uk&gt;
Cc: Toke Høiland-Jørgensen &lt;toke@redhat.com&gt;
Cc: David S. Miller &lt;davem@davemloft.net&gt;
Cc: Cong Wang &lt;xiyou.wangcong@gmail.com&gt;
Cc: cake@lists.bufferbloat.net
Cc: netdev@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Acked-by: Toke Høiland-Jørgensen &lt;toke@toke.dk&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 68aab823c223646fab311f8a6581994facee66a0 ]

The variables 'window_interval' is u64 and do_div()
truncates it to 32 bits, which means it can test
non-zero and be truncated to zero for division.
The unit of window_interval is nanoseconds,
so its lower 32-bit is relatively easy to exceed.
Fix this issue by using div64_u64() instead.

Fixes: 7298de9cd725 ("sch_cake: Add ingress mode")
Signed-off-by: Wen Yang &lt;wenyang@linux.alibaba.com&gt;
Cc: Kevin Darbyshire-Bryant &lt;ldir@darbyshire-bryant.me.uk&gt;
Cc: Toke Høiland-Jørgensen &lt;toke@redhat.com&gt;
Cc: David S. Miller &lt;davem@davemloft.net&gt;
Cc: Cong Wang &lt;xiyou.wangcong@gmail.com&gt;
Cc: cake@lists.bufferbloat.net
Cc: netdev@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Acked-by: Toke Høiland-Jørgensen &lt;toke@toke.dk&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>pkt_sched: fq: do not accept silly TCA_FQ_QUANTUM</title>
<updated>2020-01-12T11:21:47+00:00</updated>
<author>
<name>Eric Dumazet</name>
<email>edumazet@google.com</email>
</author>
<published>2020-01-06T14:10:39+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=8b9c77a59f9ee35a0b076e3db9009ba96d5b8395'/>
<id>8b9c77a59f9ee35a0b076e3db9009ba96d5b8395</id>
<content type='text'>
[ Upstream commit d9e15a2733067c9328fb56d98fe8e574fa19ec31 ]

As diagnosed by Florian :

If TCA_FQ_QUANTUM is set to 0x80000000, fq_deueue()
can loop forever in :

if (f-&gt;credit &lt;= 0) {
  f-&gt;credit += q-&gt;quantum;
  goto begin;
}

... because f-&gt;credit is either 0 or -2147483648.

Let's limit TCA_FQ_QUANTUM to no more than 1 &lt;&lt; 20 :
This max value should limit risks of breaking user setups
while fixing this bug.

Fixes: afe4fd062416 ("pkt_sched: fq: Fair Queue packet scheduler")
Signed-off-by: Eric Dumazet &lt;edumazet@google.com&gt;
Diagnosed-by: Florian Westphal &lt;fw@strlen.de&gt;
Reported-by: syzbot+dc9071cc5a85950bdfce@syzkaller.appspotmail.com
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit d9e15a2733067c9328fb56d98fe8e574fa19ec31 ]

As diagnosed by Florian :

If TCA_FQ_QUANTUM is set to 0x80000000, fq_deueue()
can loop forever in :

if (f-&gt;credit &lt;= 0) {
  f-&gt;credit += q-&gt;quantum;
  goto begin;
}

... because f-&gt;credit is either 0 or -2147483648.

Let's limit TCA_FQ_QUANTUM to no more than 1 &lt;&lt; 20 :
This max value should limit risks of breaking user setups
while fixing this bug.

Fixes: afe4fd062416 ("pkt_sched: fq: Fair Queue packet scheduler")
Signed-off-by: Eric Dumazet &lt;edumazet@google.com&gt;
Diagnosed-by: Florian Westphal &lt;fw@strlen.de&gt;
Reported-by: syzbot+dc9071cc5a85950bdfce@syzkaller.appspotmail.com
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>llc2: Fix return statement of llc_stat_ev_rx_null_dsap_xid_c (and _test_c)</title>
<updated>2020-01-12T11:21:45+00:00</updated>
<author>
<name>Chan Shu Tak, Alex</name>
<email>alexchan@task.com.hk</email>
</author>
<published>2019-12-19T06:16:18+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=5485d62cf5fd2bfc1a4820d9432f7ba4b44e50fe'/>
<id>5485d62cf5fd2bfc1a4820d9432f7ba4b44e50fe</id>
<content type='text'>
[ Upstream commit af1c0e4e00f3cc76cb136ebf2e2c04e8b6446285 ]

When a frame with NULL DSAP is received, llc_station_rcv is called.
In turn, llc_stat_ev_rx_null_dsap_xid_c is called to check if it is a NULL
XID frame. The return statement of llc_stat_ev_rx_null_dsap_xid_c returns 1
when the incoming frame is not a NULL XID frame and 0 otherwise. Hence, a
NULL XID response is returned unexpectedly, e.g. when the incoming frame is
a NULL TEST command.

To fix the error, simply remove the conditional operator.

A similar error in llc_stat_ev_rx_null_dsap_test_c is also fixed.

Signed-off-by: Chan Shu Tak, Alex &lt;alexchan@task.com.hk&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit af1c0e4e00f3cc76cb136ebf2e2c04e8b6446285 ]

When a frame with NULL DSAP is received, llc_station_rcv is called.
In turn, llc_stat_ev_rx_null_dsap_xid_c is called to check if it is a NULL
XID frame. The return statement of llc_stat_ev_rx_null_dsap_xid_c returns 1
when the incoming frame is not a NULL XID frame and 0 otherwise. Hence, a
NULL XID response is returned unexpectedly, e.g. when the incoming frame is
a NULL TEST command.

To fix the error, simply remove the conditional operator.

A similar error in llc_stat_ev_rx_null_dsap_test_c is also fixed.

Signed-off-by: Chan Shu Tak, Alex &lt;alexchan@task.com.hk&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>xsk: Add rcu_read_lock around the XSK wakeup</title>
<updated>2020-01-12T11:21:41+00:00</updated>
<author>
<name>Maxim Mikityanskiy</name>
<email>maximmi@mellanox.com</email>
</author>
<published>2019-12-17T16:20:42+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=96dee90a9d089992a74b46524776754750c99053'/>
<id>96dee90a9d089992a74b46524776754750c99053</id>
<content type='text'>
[ Upstream commit 06870682087b58398671e8cdc896cd62314c4399 ]

The XSK wakeup callback in drivers makes some sanity checks before
triggering NAPI. However, some configuration changes may occur during
this function that affect the result of those checks. For example, the
interface can go down, and all the resources will be destroyed after the
checks in the wakeup function, but before it attempts to use these
resources. Wrap this callback in rcu_read_lock to allow driver to
synchronize_rcu before actually destroying the resources.

xsk_wakeup is a new function that encapsulates calling ndo_xsk_wakeup
wrapped into the RCU lock. After this commit, xsk_poll starts using
xsk_wakeup and checks xs-&gt;zc instead of ndo_xsk_wakeup != NULL to decide
ndo_xsk_wakeup should be called. It also fixes a bug introduced with the
need_wakeup feature: a non-zero-copy socket may be used with a driver
supporting zero-copy, and in this case ndo_xsk_wakeup should not be
called, so the xs-&gt;zc check is the correct one.

Fixes: 77cd0d7b3f25 ("xsk: add support for need_wakeup flag in AF_XDP rings")
Signed-off-by: Maxim Mikityanskiy &lt;maximmi@mellanox.com&gt;
Signed-off-by: Björn Töpel &lt;bjorn.topel@intel.com&gt;
Signed-off-by: Daniel Borkmann &lt;daniel@iogearbox.net&gt;
Link: https://lore.kernel.org/bpf/20191217162023.16011-2-maximmi@mellanox.com
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 06870682087b58398671e8cdc896cd62314c4399 ]

The XSK wakeup callback in drivers makes some sanity checks before
triggering NAPI. However, some configuration changes may occur during
this function that affect the result of those checks. For example, the
interface can go down, and all the resources will be destroyed after the
checks in the wakeup function, but before it attempts to use these
resources. Wrap this callback in rcu_read_lock to allow driver to
synchronize_rcu before actually destroying the resources.

xsk_wakeup is a new function that encapsulates calling ndo_xsk_wakeup
wrapped into the RCU lock. After this commit, xsk_poll starts using
xsk_wakeup and checks xs-&gt;zc instead of ndo_xsk_wakeup != NULL to decide
ndo_xsk_wakeup should be called. It also fixes a bug introduced with the
need_wakeup feature: a non-zero-copy socket may be used with a driver
supporting zero-copy, and in this case ndo_xsk_wakeup should not be
called, so the xs-&gt;zc check is the correct one.

Fixes: 77cd0d7b3f25 ("xsk: add support for need_wakeup flag in AF_XDP rings")
Signed-off-by: Maxim Mikityanskiy &lt;maximmi@mellanox.com&gt;
Signed-off-by: Björn Töpel &lt;bjorn.topel@intel.com&gt;
Signed-off-by: Daniel Borkmann &lt;daniel@iogearbox.net&gt;
Link: https://lore.kernel.org/bpf/20191217162023.16011-2-maximmi@mellanox.com
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>rfkill: Fix incorrect check to avoid NULL pointer dereference</title>
<updated>2020-01-12T11:21:33+00:00</updated>
<author>
<name>Aditya Pakki</name>
<email>pakki001@umn.edu</email>
</author>
<published>2019-12-15T15:34:08+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=705c7e53702d7eb239b0c27ee0ce20bc44314b6d'/>
<id>705c7e53702d7eb239b0c27ee0ce20bc44314b6d</id>
<content type='text'>
[ Upstream commit 6fc232db9e8cd50b9b83534de9cd91ace711b2d7 ]

In rfkill_register, the struct rfkill pointer is first derefernced
and then checked for NULL. This patch removes the BUG_ON and returns
an error to the caller in case rfkill is NULL.

Signed-off-by: Aditya Pakki &lt;pakki001@umn.edu&gt;
Link: https://lore.kernel.org/r/20191215153409.21696-1-pakki001@umn.edu
Signed-off-by: Johannes Berg &lt;johannes.berg@intel.com&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 6fc232db9e8cd50b9b83534de9cd91ace711b2d7 ]

In rfkill_register, the struct rfkill pointer is first derefernced
and then checked for NULL. This patch removes the BUG_ON and returns
an error to the caller in case rfkill is NULL.

Signed-off-by: Aditya Pakki &lt;pakki001@umn.edu&gt;
Link: https://lore.kernel.org/r/20191215153409.21696-1-pakki001@umn.edu
Signed-off-by: Johannes Berg &lt;johannes.berg@intel.com&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</pre>
</div>
</content>
</entry>
</feed>
