4.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 22 Aug 2018 11:49:13 +0000 (13:49 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 22 Aug 2018 11:49:13 +0000 (13:49 +0200)
added patches:
netfilter-conntrack-dccp-treat-sync-syncack-as-invalid-if-no-prior-state.patch
packet-refine-ring-v3-block-size-test-to-hold-one-frame.patch
parisc-remove-ordered-stores-from-syscall.s.patch
xfrm_user-prevent-leaking-2-bytes-of-kernel-memory.patch

queue-4.4/netfilter-conntrack-dccp-treat-sync-syncack-as-invalid-if-no-prior-state.patch [new file with mode: 0644]
queue-4.4/packet-refine-ring-v3-block-size-test-to-hold-one-frame.patch [new file with mode: 0644]
queue-4.4/parisc-remove-ordered-stores-from-syscall.s.patch [new file with mode: 0644]
queue-4.4/series
queue-4.4/xfrm_user-prevent-leaking-2-bytes-of-kernel-memory.patch [new file with mode: 0644]

diff --git a/queue-4.4/netfilter-conntrack-dccp-treat-sync-syncack-as-invalid-if-no-prior-state.patch b/queue-4.4/netfilter-conntrack-dccp-treat-sync-syncack-as-invalid-if-no-prior-state.patch
new file mode 100644 (file)
index 0000000..db35108
--- /dev/null
@@ -0,0 +1,61 @@
+From 6613b6173dee098997229caf1f3b961c49da75e6 Mon Sep 17 00:00:00 2001
+From: Florian Westphal <fw@strlen.de>
+Date: Tue, 17 Jul 2018 21:03:15 +0200
+Subject: netfilter: conntrack: dccp: treat SYNC/SYNCACK as invalid if no prior state
+
+From: Florian Westphal <fw@strlen.de>
+
+commit 6613b6173dee098997229caf1f3b961c49da75e6 upstream.
+
+When first DCCP packet is SYNC or SYNCACK, we insert a new conntrack
+that has an un-initialized timeout value, i.e. such entry could be
+reaped at any time.
+
+Mark them as INVALID and only ignore SYNC/SYNCACK when connection had
+an old state.
+
+Reported-by: syzbot+6f18401420df260e37ed@syzkaller.appspotmail.com
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/netfilter/nf_conntrack_proto_dccp.c |    8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/net/netfilter/nf_conntrack_proto_dccp.c
++++ b/net/netfilter/nf_conntrack_proto_dccp.c
+@@ -244,14 +244,14 @@ dccp_state_table[CT_DCCP_ROLE_MAX + 1][D
+                * We currently ignore Sync packets
+                *
+                *      sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
+-                      sIG, sIG, sIG, sIG, sIG, sIG, sIG, sIG,
++                      sIV, sIG, sIG, sIG, sIG, sIG, sIG, sIG,
+               },
+               [DCCP_PKT_SYNCACK] = {
+               /*
+                * We currently ignore SyncAck packets
+                *
+                *      sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
+-                      sIG, sIG, sIG, sIG, sIG, sIG, sIG, sIG,
++                      sIV, sIG, sIG, sIG, sIG, sIG, sIG, sIG,
+               },
+       },
+       [CT_DCCP_ROLE_SERVER] = {
+@@ -372,14 +372,14 @@ dccp_state_table[CT_DCCP_ROLE_MAX + 1][D
+                * We currently ignore Sync packets
+                *
+                *      sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
+-                      sIG, sIG, sIG, sIG, sIG, sIG, sIG, sIG,
++                      sIV, sIG, sIG, sIG, sIG, sIG, sIG, sIG,
+               },
+               [DCCP_PKT_SYNCACK] = {
+               /*
+                * We currently ignore SyncAck packets
+                *
+                *      sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
+-                      sIG, sIG, sIG, sIG, sIG, sIG, sIG, sIG,
++                      sIV, sIG, sIG, sIG, sIG, sIG, sIG, sIG,
+               },
+       },
+ };
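Review bot: The row comments `We currently ignore Sync packets` and `We currently ignore SyncAck packets` no longer describe the sNO column, which this patch flips from sIG to sIV in both the client and the server role tables. Suggest amending each to `We ignore Sync packets unless there is no conntrack state yet (sNO -> sIV), so a stray SYNC cannot create an entry with an uninitialized timeout`, which records the reason from the commit message next to the table itself. The meaning of sIV versus sIG is inferred from the commit message, not visible in the hunk. The `dccp_state_table` definition begins outside the hunk; only the four affected rows are shown.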
diff --git a/queue-4.4/packet-refine-ring-v3-block-size-test-to-hold-one-frame.patch b/queue-4.4/packet-refine-ring-v3-block-size-test-to-hold-one-frame.patch
new file mode 100644 (file)
index 0000000..5804bb1
--- /dev/null
@@ -0,0 +1,66 @@
+From 4576cd469d980317c4edd9173f8b694aa71ea3a3 Mon Sep 17 00:00:00 2001
+From: Willem de Bruijn <willemb@google.com>
+Date: Mon, 6 Aug 2018 10:38:34 -0400
+Subject: packet: refine ring v3 block size test to hold one frame
+
+From: Willem de Bruijn <willemb@google.com>
+
+commit 4576cd469d980317c4edd9173f8b694aa71ea3a3 upstream.
+
+TPACKET_V3 stores variable length frames in fixed length blocks.
+Blocks must be able to store a block header, optional private space
+and at least one minimum sized frame.
+
+Frames, even for a zero snaplen packet, store metadata headers and
+optional reserved space.
+
+In the block size bounds check, ensure that the frame of the
+chosen configuration fits. This includes sockaddr_ll and optional
+tp_reserve.
+
+Syzbot was able to construct a ring with insuffient room for the
+sockaddr_ll in the header of a zero-length frame, triggering an
+out-of-bounds write in dev_parse_header.
+
+Convert the comparison to less than, as zero is a valid snap len.
+This matches the test for minimum tp_frame_size immediately below.
+
+Fixes: f6fb8f100b80 ("af-packet: TPACKET_V3 flexible buffer implementation.")
+Fixes: eb73190f4fbe ("net/packet: refine check for priv area size")
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Willem de Bruijn <willemb@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/packet/af_packet.c |   10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -4176,6 +4176,8 @@ static int packet_set_ring(struct sock *
+       }
+       if (req->tp_block_nr) {
++              unsigned int min_frame_size;
++
+               /* Sanity tests and some calculations */
+               err = -EBUSY;
+               if (unlikely(rb->pg_vec))
+@@ -4198,12 +4200,12 @@ static int packet_set_ring(struct sock *
+                       goto out;
+               if (unlikely(!PAGE_ALIGNED(req->tp_block_size)))
+                       goto out;
++              min_frame_size = po->tp_hdrlen + po->tp_reserve;
+               if (po->tp_version >= TPACKET_V3 &&
+-                  req->tp_block_size <=
+-                  BLK_PLUS_PRIV((u64)req_u->req3.tp_sizeof_priv) + sizeof(struct tpacket3_hdr))
++                  req->tp_block_size <
++                  BLK_PLUS_PRIV((u64)req_u->req3.tp_sizeof_priv) + min_frame_size)
+                       goto out;
+-              if (unlikely(req->tp_frame_size < po->tp_hdrlen +
+-                                      po->tp_reserve))
++              if (unlikely(req->tp_frame_size < min_frame_size))
+                       goto out;
+               if (unlikely(req->tp_frame_size & (TPACKET_ALIGNMENT - 1)))
+                       goto out;
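Review bot: The switch from `<=` to `<` and the new `min_frame_size` floor are justified only in the commit message; nothing at the check itself says why a block exactly as large as header plus priv area plus one frame is now acceptable. Suggest a comment above the `if (po->tp_version >= TPACKET_V3 &&` line: `/* A V3 block must hold its header, the private area and one frame (tp_hdrlen + tp_reserve, the same floor tp_frame_size is checked against below); zero snaplen is valid, so compare with '<'. */`. The sum `po->tp_hdrlen + po->tp_reserve` already existed in the removed lines, but it now also feeds the 64-bit block-size check after being computed in `unsigned int`; since `tp_reserve` comes from userspace via PACKET_RESERVE, it is worth confirming that setter bounds it, as that code is outside the hunk. `packet_set_ring` starts and ends outside the hunk.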
diff --git a/queue-4.4/parisc-remove-ordered-stores-from-syscall.s.patch b/queue-4.4/parisc-remove-ordered-stores-from-syscall.s.patch
new file mode 100644 (file)
index 0000000..26cce62
--- /dev/null
@@ -0,0 +1,105 @@
+From 7797167ffde1f00446301cb22b37b7c03194cfaf Mon Sep 17 00:00:00 2001
+From: John David Anglin <dave.anglin@bell.net>
+Date: Sun, 12 Aug 2018 16:38:03 -0400
+Subject: parisc: Remove ordered stores from syscall.S
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: John David Anglin <dave.anglin@bell.net>
+
+commit 7797167ffde1f00446301cb22b37b7c03194cfaf upstream.
+
+Now that we use a sync prior to releasing the locks in syscall.S, we don't need
+the PA 2.0 ordered stores used to release some locks.  Using an ordered store,
+potentially slows the release and subsequent code.
+
+There are a number of other ordered stores and loads that serve no purpose.  I
+have converted these to normal stores.
+
+Signed-off-by: John David Anglin <dave.anglin@bell.net>
+Cc: stable@vger.kernel.org # 4.0+
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/parisc/kernel/syscall.S |   24 ++++++++++++------------
+ 1 file changed, 12 insertions(+), 12 deletions(-)
+
+--- a/arch/parisc/kernel/syscall.S
++++ b/arch/parisc/kernel/syscall.S
+@@ -627,12 +627,12 @@ cas_action:
+       stw     %r1, 4(%sr2,%r20)
+ #endif
+       /* The load and store could fail */
+-1:    ldw,ma  0(%r26), %r28
++1:    ldw     0(%r26), %r28
+       sub,<>  %r28, %r25, %r0
+-2:    stw,ma  %r24, 0(%r26)
++2:    stw     %r24, 0(%r26)
+       /* Free lock */
+       sync
+-      stw,ma  %r20, 0(%sr2,%r20)
++      stw     %r20, 0(%sr2,%r20)
+ #if ENABLE_LWS_DEBUG
+       /* Clear thread register indicator */
+       stw     %r0, 4(%sr2,%r20)
+@@ -796,30 +796,30 @@ cas2_action:
+       ldo     1(%r0),%r28
+       /* 8bit CAS */
+-13:   ldb,ma  0(%r26), %r29
++13:   ldb     0(%r26), %r29
+       sub,=   %r29, %r25, %r0
+       b,n     cas2_end
+-14:   stb,ma  %r24, 0(%r26)
++14:   stb     %r24, 0(%r26)
+       b       cas2_end
+       copy    %r0, %r28
+       nop
+       nop
+       /* 16bit CAS */
+-15:   ldh,ma  0(%r26), %r29
++15:   ldh     0(%r26), %r29
+       sub,=   %r29, %r25, %r0
+       b,n     cas2_end
+-16:   sth,ma  %r24, 0(%r26)
++16:   sth     %r24, 0(%r26)
+       b       cas2_end
+       copy    %r0, %r28
+       nop
+       nop
+       /* 32bit CAS */
+-17:   ldw,ma  0(%r26), %r29
++17:   ldw     0(%r26), %r29
+       sub,=   %r29, %r25, %r0
+       b,n     cas2_end
+-18:   stw,ma  %r24, 0(%r26)
++18:   stw     %r24, 0(%r26)
+       b       cas2_end
+       copy    %r0, %r28
+       nop
+@@ -827,10 +827,10 @@ cas2_action:
+       /* 64bit CAS */
+ #ifdef CONFIG_64BIT
+-19:   ldd,ma  0(%r26), %r29
++19:   ldd     0(%r26), %r29
+       sub,*=  %r29, %r25, %r0
+       b,n     cas2_end
+-20:   std,ma  %r24, 0(%r26)
++20:   std     %r24, 0(%r26)
+       copy    %r0, %r28
+ #else
+       /* Compare first word */
+@@ -849,7 +849,7 @@ cas2_action:
+ cas2_end:
+       /* Free lock */
+       sync
+-      stw,ma  %r20, 0(%sr2,%r20)
++      stw     %r20, 0(%sr2,%r20)
+       /* Enable interrupts */
+       ssm     PSW_SM_I, %r0
+       /* Return to userspace, set no error */
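Review bot: The `/* Free lock */` comments before the three release stores (in cas_action and at cas2_end) now depend on the preceding `sync` for ordering, but the comment does not say so, which invites a later reader to reinstate the `,ma` form or to drop the `sync` as redundant. Suggest `/* Free lock: the sync above orders the CAS stores before the release, so a plain stw is sufficient */` at each site. The numbered labels `1:`/`2:` and `13:` through `20:` appear to be exception-fixup targets per the `The load and store could fail` comment, so the changed load/store forms presumably must stay consistent with the fixup table, which is outside the hunk. cas_action and cas2_action both start outside the hunk.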
index aef240a6030381bd12544fbe300492e73f6066b2..b4a49c77d112a17715441807665c77eb851fd805 100644 (file)
@@ -67,3 +67,7 @@ tcp-identify-cryptic-messages-as-tcp-seq-bugs.patch
 staging-android-ion-check-for-kref-overflow.patch
 kvm-irqfd-fix-race-between-epollhup-and-irq_bypass_register_consumer.patch
 ext4-fix-spectre-gadget-in-ext4_mb_regular_allocator.patch
+parisc-remove-ordered-stores-from-syscall.s.patch
+xfrm_user-prevent-leaking-2-bytes-of-kernel-memory.patch
+netfilter-conntrack-dccp-treat-sync-syncack-as-invalid-if-no-prior-state.patch
+packet-refine-ring-v3-block-size-test-to-hold-one-frame.patch
diff --git a/queue-4.4/xfrm_user-prevent-leaking-2-bytes-of-kernel-memory.patch b/queue-4.4/xfrm_user-prevent-leaking-2-bytes-of-kernel-memory.patch
new file mode 100644 (file)
index 0000000..5289a1e
--- /dev/null
@@ -0,0 +1,115 @@
+From 45c180bc29babbedd6b8c01b975780ef44d9d09c Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Mon, 18 Jun 2018 21:35:07 -0700
+Subject: xfrm_user: prevent leaking 2 bytes of kernel memory
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit 45c180bc29babbedd6b8c01b975780ef44d9d09c upstream.
+
+struct xfrm_userpolicy_type has two holes, so we should not
+use C99 style initializer.
+
+KMSAN report:
+
+BUG: KMSAN: kernel-infoleak in copyout lib/iov_iter.c:140 [inline]
+BUG: KMSAN: kernel-infoleak in _copy_to_iter+0x1b14/0x2800 lib/iov_iter.c:571
+CPU: 1 PID: 4520 Comm: syz-executor841 Not tainted 4.17.0+ #5
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x185/0x1d0 lib/dump_stack.c:113
+ kmsan_report+0x188/0x2a0 mm/kmsan/kmsan.c:1117
+ kmsan_internal_check_memory+0x138/0x1f0 mm/kmsan/kmsan.c:1211
+ kmsan_copy_to_user+0x7a/0x160 mm/kmsan/kmsan.c:1253
+ copyout lib/iov_iter.c:140 [inline]
+ _copy_to_iter+0x1b14/0x2800 lib/iov_iter.c:571
+ copy_to_iter include/linux/uio.h:106 [inline]
+ skb_copy_datagram_iter+0x422/0xfa0 net/core/datagram.c:431
+ skb_copy_datagram_msg include/linux/skbuff.h:3268 [inline]
+ netlink_recvmsg+0x6f1/0x1900 net/netlink/af_netlink.c:1959
+ sock_recvmsg_nosec net/socket.c:802 [inline]
+ sock_recvmsg+0x1d6/0x230 net/socket.c:809
+ ___sys_recvmsg+0x3fe/0x810 net/socket.c:2279
+ __sys_recvmmsg+0x58e/0xe30 net/socket.c:2391
+ do_sys_recvmmsg+0x2a6/0x3e0 net/socket.c:2472
+ __do_sys_recvmmsg net/socket.c:2485 [inline]
+ __se_sys_recvmmsg net/socket.c:2481 [inline]
+ __x64_sys_recvmmsg+0x15d/0x1c0 net/socket.c:2481
+ do_syscall_64+0x15b/0x230 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+RIP: 0033:0x446ce9
+RSP: 002b:00007fc307918db8 EFLAGS: 00000293 ORIG_RAX: 000000000000012b
+RAX: ffffffffffffffda RBX: 00000000006dbc24 RCX: 0000000000446ce9
+RDX: 000000000000000a RSI: 0000000020005040 RDI: 0000000000000003
+RBP: 00000000006dbc20 R08: 0000000020004e40 R09: 0000000000000000
+R10: 0000000040000000 R11: 0000000000000293 R12: 0000000000000000
+R13: 00007ffc8d2df32f R14: 00007fc3079199c0 R15: 0000000000000001
+
+Uninit was stored to memory at:
+ kmsan_save_stack_with_flags mm/kmsan/kmsan.c:279 [inline]
+ kmsan_save_stack mm/kmsan/kmsan.c:294 [inline]
+ kmsan_internal_chain_origin+0x12b/0x210 mm/kmsan/kmsan.c:685
+ kmsan_memcpy_origins+0x11d/0x170 mm/kmsan/kmsan.c:527
+ __msan_memcpy+0x109/0x160 mm/kmsan/kmsan_instr.c:413
+ __nla_put lib/nlattr.c:569 [inline]
+ nla_put+0x276/0x340 lib/nlattr.c:627
+ copy_to_user_policy_type net/xfrm/xfrm_user.c:1678 [inline]
+ dump_one_policy+0xbe1/0x1090 net/xfrm/xfrm_user.c:1708
+ xfrm_policy_walk+0x45a/0xd00 net/xfrm/xfrm_policy.c:1013
+ xfrm_dump_policy+0x1c0/0x2a0 net/xfrm/xfrm_user.c:1749
+ netlink_dump+0x9b5/0x1550 net/netlink/af_netlink.c:2226
+ __netlink_dump_start+0x1131/0x1270 net/netlink/af_netlink.c:2323
+ netlink_dump_start include/linux/netlink.h:214 [inline]
+ xfrm_user_rcv_msg+0x8a3/0x9b0 net/xfrm/xfrm_user.c:2577
+ netlink_rcv_skb+0x37e/0x600 net/netlink/af_netlink.c:2448
+ xfrm_netlink_rcv+0xb2/0xf0 net/xfrm/xfrm_user.c:2598
+ netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
+ netlink_unicast+0x1680/0x1750 net/netlink/af_netlink.c:1336
+ netlink_sendmsg+0x104f/0x1350 net/netlink/af_netlink.c:1901
+ sock_sendmsg_nosec net/socket.c:629 [inline]
+ sock_sendmsg net/socket.c:639 [inline]
+ ___sys_sendmsg+0xec8/0x1320 net/socket.c:2117
+ __sys_sendmsg net/socket.c:2155 [inline]
+ __do_sys_sendmsg net/socket.c:2164 [inline]
+ __se_sys_sendmsg net/socket.c:2162 [inline]
+ __x64_sys_sendmsg+0x331/0x460 net/socket.c:2162
+ do_syscall_64+0x15b/0x230 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+Local variable description: ----upt.i@dump_one_policy
+Variable was created at:
+ dump_one_policy+0x78/0x1090 net/xfrm/xfrm_user.c:1689
+ xfrm_policy_walk+0x45a/0xd00 net/xfrm/xfrm_policy.c:1013
+
+Byte 130 of 137 is uninitialized
+Memory access starts at ffff88019550407f
+
+Fixes: c0144beaeca42 ("[XFRM] netlink: Use nla_put()/NLA_PUT() variantes")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Cc: Steffen Klassert <steffen.klassert@secunet.com>
+Cc: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/xfrm/xfrm_user.c |    8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/net/xfrm/xfrm_user.c
++++ b/net/xfrm/xfrm_user.c
+@@ -1624,9 +1624,11 @@ static inline size_t userpolicy_type_att
+ #ifdef CONFIG_XFRM_SUB_POLICY
+ static int copy_to_user_policy_type(u8 type, struct sk_buff *skb)
+ {
+-      struct xfrm_userpolicy_type upt = {
+-              .type = type,
+-      };
++      struct xfrm_userpolicy_type upt;
++
++      /* Sadly there are two holes in struct xfrm_userpolicy_type */
++      memset(&upt, 0, sizeof(upt));
++      upt.type = type;
+       return nla_put(skb, XFRMA_POLICY_TYPE, sizeof(upt), &upt);
+ }
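Review bot: The new comment `Sadly there are two holes in struct xfrm_userpolicy_type` names the symptom but not the contract the `memset` enforces, namely that `nla_put` copies all `sizeof(upt)` bytes, padding included, into a netlink message that reaches userspace. Suggest `/* Zero the whole object, padding included: nla_put() copies sizeof(upt) bytes to userspace, and a designated initializer leaves the struct's two holes uninitialized. */` so the next reader does not "simplify" it back to an initializer. The same consideration applies to any other struct passed to `nla_put` by address after designated initialization, which is not something this hunk shows. `copy_to_user_policy_type` is fully visible in the hunk; any counterpart for the `!CONFIG_XFRM_SUB_POLICY` case is outside it.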