4.19-stable patches

added patches:
	tcp-make-sure-treq-af_specific-is-initialized.patch

diff --git a/queue-4.19/series b/queue-4.19/series
index 385c4c8730a41f33b6216c08e3ff4761f036aa80..55715c8ffaf622882ad8b4ed0aae2450d536574e 100644 (file)
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -82,3 +82,4 @@ hwmon-adt7470-fix-warning-on-module-removal.patch-23920
 kvm-x86-cpuid-only-provide-cpuid-leaf-0xa-if-host-ha.patch
 nfc-netlink-fix-sleep-in-atomic-bug-when-firmware-do.patch
 mm-fix-unexpected-zeroed-page-mapping-with-zram-swap.patch
+tcp-make-sure-treq-af_specific-is-initialized.patch

diff --git a/queue-4.19/tcp-make-sure-treq-af_specific-is-initialized.patch b/queue-4.19/tcp-make-sure-treq-af_specific-is-initialized.patch
new file mode 100644 (file)
index 0000000..41015b9
--- /dev/null
+++ b/queue-4.19/tcp-make-sure-treq-af_specific-is-initialized.patch
@@ -0,0 +1,143 @@
+From ba5a4fdd63ae0c575707030db0b634b160baddd7 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Sun, 24 Apr 2022 13:35:09 -0700
+Subject: tcp: make sure treq->af_specific is initialized
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit ba5a4fdd63ae0c575707030db0b634b160baddd7 upstream.
+
+syzbot complained about a recent change in TCP stack,
+hitting a NULL pointer [1]
+
+tcp request sockets have an af_specific pointer, which
+was used before the blamed change only for SYNACK generation
+in non SYNCOOKIE mode.
+
+tcp requests sockets momentarily created when third packet
+coming from client in SYNCOOKIE mode were not using
+treq->af_specific.
+
+Make sure this field is populated, in the same way normal
+TCP requests sockets do in tcp_conn_request().
+
+[1]
+TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies.  Check SNMP counters.
+general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN
+KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
+CPU: 1 PID: 3695 Comm: syz-executor864 Not tainted 5.18.0-rc3-syzkaller-00224-g5fd1fe4807f9 #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+RIP: 0010:tcp_create_openreq_child+0xe16/0x16b0 net/ipv4/tcp_minisocks.c:534
+Code: 48 c1 ea 03 80 3c 02 00 0f 85 e5 07 00 00 4c 8b b3 28 01 00 00 48 b8 00 00 00 00 00 fc ff df 49 8d 7e 08 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 c9 07 00 00 48 8b 3c 24 48 89 de 41 ff 56 08 48
+RSP: 0018:ffffc90000de0588 EFLAGS: 00010202
+RAX: dffffc0000000000 RBX: ffff888076490330 RCX: 0000000000000100
+RDX: 0000000000000001 RSI: ffffffff87d67ff0 RDI: 0000000000000008
+RBP: ffff88806ee1c7f8 R08: 0000000000000000 R09: 0000000000000000
+R10: ffffffff87d67f00 R11: 0000000000000000 R12: ffff88806ee1bfc0
+R13: ffff88801b0e0368 R14: 0000000000000000 R15: 0000000000000000
+FS:  00007f517fe58700(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
+CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007ffcead76960 CR3: 000000006f97b000 CR4: 00000000003506e0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ <IRQ>
+ tcp_v6_syn_recv_sock+0x199/0x23b0 net/ipv6/tcp_ipv6.c:1267
+ tcp_get_cookie_sock+0xc9/0x850 net/ipv4/syncookies.c:207
+ cookie_v6_check+0x15c3/0x2340 net/ipv6/syncookies.c:258
+ tcp_v6_cookie_check net/ipv6/tcp_ipv6.c:1131 [inline]
+ tcp_v6_do_rcv+0x1148/0x13b0 net/ipv6/tcp_ipv6.c:1486
+ tcp_v6_rcv+0x3305/0x3840 net/ipv6/tcp_ipv6.c:1725
+ ip6_protocol_deliver_rcu+0x2e9/0x1900 net/ipv6/ip6_input.c:422
+ ip6_input_finish+0x14c/0x2c0 net/ipv6/ip6_input.c:464
+ NF_HOOK include/linux/netfilter.h:307 [inline]
+ NF_HOOK include/linux/netfilter.h:301 [inline]
+ ip6_input+0x9c/0xd0 net/ipv6/ip6_input.c:473
+ dst_input include/net/dst.h:461 [inline]
+ ip6_rcv_finish net/ipv6/ip6_input.c:76 [inline]
+ NF_HOOK include/linux/netfilter.h:307 [inline]
+ NF_HOOK include/linux/netfilter.h:301 [inline]
+ ipv6_rcv+0x27f/0x3b0 net/ipv6/ip6_input.c:297
+ __netif_receive_skb_one_core+0x114/0x180 net/core/dev.c:5405
+ __netif_receive_skb+0x24/0x1b0 net/core/dev.c:5519
+ process_backlog+0x3a0/0x7c0 net/core/dev.c:5847
+ __napi_poll+0xb3/0x6e0 net/core/dev.c:6413
+ napi_poll net/core/dev.c:6480 [inline]
+ net_rx_action+0x8ec/0xc60 net/core/dev.c:6567
+ __do_softirq+0x29b/0x9c2 kernel/softirq.c:558
+ invoke_softirq kernel/softirq.c:432 [inline]
+ __irq_exit_rcu+0x123/0x180 kernel/softirq.c:637
+ irq_exit_rcu+0x5/0x20 kernel/softirq.c:649
+ sysvec_apic_timer_interrupt+0x93/0xc0 arch/x86/kernel/apic/apic.c:1097
+
+Fixes: 5b0b9e4c2c89 ("tcp: md5: incorrect tcp_header_len for incoming connections")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Francesco Ruggeri <fruggeri@arista.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+[fruggeri: Account for backport conflicts from 35b2c3211609 and 6fc8c827dd4f]
+Signed-off-by: Francesco Ruggeri <fruggeri@arista.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/tcp.h     |    5 +++++
+ net/ipv4/syncookies.c |    1 +
+ net/ipv4/tcp_ipv4.c   |    2 +-
+ net/ipv6/syncookies.c |    1 +
+ net/ipv6/tcp_ipv6.c   |    2 +-
+ 5 files changed, 9 insertions(+), 2 deletions(-)
+
+--- a/include/net/tcp.h
++++ b/include/net/tcp.h
+@@ -1939,6 +1939,11 @@ struct tcp_request_sock_ops {
+                          enum tcp_synack_type synack_type);
+ };
+ 
++extern const struct tcp_request_sock_ops tcp_request_sock_ipv4_ops;
++#if IS_ENABLED(CONFIG_IPV6)
++extern const struct tcp_request_sock_ops tcp_request_sock_ipv6_ops;
++#endif
++
+ #ifdef CONFIG_SYN_COOKIES
+ static inline __u32 cookie_init_sequence(const struct tcp_request_sock_ops *ops,
+                                        const struct sock *sk, struct sk_buff *skb,
+--- a/net/ipv4/syncookies.c
++++ b/net/ipv4/syncookies.c
+@@ -337,6 +337,7 @@ struct sock *cookie_v4_check(struct sock
+ 
+       ireq = inet_rsk(req);
+       treq = tcp_rsk(req);
++      treq->af_specific       = &tcp_request_sock_ipv4_ops;
+       treq->rcv_isn           = ntohl(th->seq) - 1;
+       treq->snt_isn           = cookie;
+       treq->ts_off            = 0;
+--- a/net/ipv4/tcp_ipv4.c
++++ b/net/ipv4/tcp_ipv4.c
+@@ -1372,7 +1372,7 @@ struct request_sock_ops tcp_request_sock
+       .syn_ack_timeout =      tcp_syn_ack_timeout,
+ };
+ 
+-static const struct tcp_request_sock_ops tcp_request_sock_ipv4_ops = {
++const struct tcp_request_sock_ops tcp_request_sock_ipv4_ops = {
+       .mss_clamp      =       TCP_MSS_DEFAULT,
+ #ifdef CONFIG_TCP_MD5SIG
+       .req_md5_lookup =       tcp_v4_md5_lookup,
+--- a/net/ipv6/syncookies.c
++++ b/net/ipv6/syncookies.c
+@@ -181,6 +181,7 @@ struct sock *cookie_v6_check(struct sock
+ 
+       ireq = inet_rsk(req);
+       treq = tcp_rsk(req);
++      treq->af_specific = &tcp_request_sock_ipv6_ops;
+       treq->tfo_listener = false;
+ 
+       if (security_inet_conn_request(sk, skb, req))
+--- a/net/ipv6/tcp_ipv6.c
++++ b/net/ipv6/tcp_ipv6.c
+@@ -789,7 +789,7 @@ struct request_sock_ops tcp6_request_soc
+       .syn_ack_timeout =      tcp_syn_ack_timeout,
+ };
+ 
+-static const struct tcp_request_sock_ops tcp_request_sock_ipv6_ops = {
++const struct tcp_request_sock_ops tcp_request_sock_ipv6_ops = {
+       .mss_clamp      =       IPV6_MIN_MTU - sizeof(struct tcphdr) -
+                               sizeof(struct ipv6hdr),
+ #ifdef CONFIG_TCP_MD5SIG