--- /dev/null
+From foo@baz Tue Nov 21 15:28:16 CET 2017
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Thu, 9 Nov 2017 13:04:44 +0900
+Subject: af_netlink: ensure that NLMSG_DONE never fails in dumps
+
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+
+
+[ Upstream commit 0642840b8bb008528dbdf929cec9f65ac4231ad0 ]
+
+The way people generally use netlink_dump is that they fill in the skb
+as much as possible, breaking when nla_put returns an error. Then, they
+get called again and start filling out the next skb, and again, and so
+forth. The mechanism at work here is the ability for the iterative
+dumping function to detect when the skb is filled up and not fill it
+past the brim, waiting for a fresh skb for the rest of the data.
+
+However, if the attributes are small and nicely packed, it is possible
+that a dump callback function successfully fills in attributes until the
+skb is of size 4080 (libmnl's default page-sized receive buffer size).
+The dump function completes, satisfied, and then, if it happens to be
+that this is actually the last skb, and no further ones are to be sent,
+then netlink_dump will add on the NLMSG_DONE part:
+
+ nlh = nlmsg_put_answer(skb, cb, NLMSG_DONE, sizeof(len), NLM_F_MULTI);
+
+It is very important that netlink_dump does this, of course. However, in
+this example, that call to nlmsg_put_answer will fail, because the
+previous filling by the dump function did not leave it enough room. And
+how could it possibly have done so? All of the nla_put variety of
+functions simply check to see if the skb has enough tailroom,
+independent of the context it is in.
+
+In order to keep the important assumptions of all netlink dump users, it
+is therefore important to give them an skb that has this end part of the
+tail already reserved, so that the call to nlmsg_put_answer does not
+fail. Otherwise, library authors are forced to find some bizarre sized
+receive buffer that has a large modulo relative to the common sizes of
+messages received, which is ugly and buggy.
+
+This patch thus saves the NLMSG_DONE for an additional message, for the
+case that things are dangerously close to the brim. This requires
+keeping track of the errno from ->dump() across calls.
+
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netlink/af_netlink.c | 17 +++++++++++------
+ net/netlink/af_netlink.h | 1 +
+ 2 files changed, 12 insertions(+), 6 deletions(-)
+
+--- a/net/netlink/af_netlink.c
++++ b/net/netlink/af_netlink.c
+@@ -2077,7 +2077,7 @@ static int netlink_dump(struct sock *sk)
+ struct sk_buff *skb = NULL;
+ struct nlmsghdr *nlh;
+ struct module *module;
+- int len, err = -ENOBUFS;
++ int err = -ENOBUFS;
+ int alloc_min_size;
+ int alloc_size;
+
+@@ -2125,9 +2125,11 @@ static int netlink_dump(struct sock *sk)
+ skb_reserve(skb, skb_tailroom(skb) - alloc_size);
+ netlink_skb_set_owner_r(skb, sk);
+
+- len = cb->dump(skb, cb);
++ if (nlk->dump_done_errno > 0)
++ nlk->dump_done_errno = cb->dump(skb, cb);
+
+- if (len > 0) {
++ if (nlk->dump_done_errno > 0 ||
++ skb_tailroom(skb) < nlmsg_total_size(sizeof(nlk->dump_done_errno))) {
+ mutex_unlock(nlk->cb_mutex);
+
+ if (sk_filter(sk, skb))
+@@ -2137,13 +2139,15 @@ static int netlink_dump(struct sock *sk)
+ return 0;
+ }
+
+- nlh = nlmsg_put_answer(skb, cb, NLMSG_DONE, sizeof(len), NLM_F_MULTI);
+- if (!nlh)
++ nlh = nlmsg_put_answer(skb, cb, NLMSG_DONE,
++ sizeof(nlk->dump_done_errno), NLM_F_MULTI);
++ if (WARN_ON(!nlh))
+ goto errout_skb;
+
+ nl_dump_check_consistent(cb, nlh);
+
+- memcpy(nlmsg_data(nlh), &len, sizeof(len));
++ memcpy(nlmsg_data(nlh), &nlk->dump_done_errno,
++ sizeof(nlk->dump_done_errno));
+
+ if (sk_filter(sk, skb))
+ kfree_skb(skb);
+@@ -2208,6 +2212,7 @@ int __netlink_dump_start(struct sock *ss
+ cb->skb = skb;
+
+ nlk->cb_running = true;
++ nlk->dump_done_errno = INT_MAX;
+
+ mutex_unlock(nlk->cb_mutex);
+
+--- a/net/netlink/af_netlink.h
++++ b/net/netlink/af_netlink.h
+@@ -38,6 +38,7 @@ struct netlink_sock {
+ wait_queue_head_t wait;
+ bool bound;
+ bool cb_running;
++ int dump_done_errno;
+ struct netlink_callback cb;
+ struct mutex *cb_mutex;
+ struct mutex cb_def_mutex;
--- /dev/null
+From foo@baz Tue Nov 21 15:28:16 CET 2017
+From: Hangbin Liu <liuhangbin@gmail.com>
+Date: Mon, 6 Nov 2017 09:01:57 +0800
+Subject: bonding: discard lowest hash bit for 802.3ad layer3+4
+
+From: Hangbin Liu <liuhangbin@gmail.com>
+
+
+[ Upstream commit b5f862180d7011d9575d0499fa37f0f25b423b12 ]
+
+After commit 07f4c90062f8 ("tcp/dccp: try to not exhaust ip_local_port_range
+in connect()"), we will try to use even ports for connect(). Then if an
+application (seen clearly with iperf) opens multiple streams to the same
+destination IP and port, each stream will be given an even source port.
+
+So the bonding driver's simple xmit_hash_policy based on layer3+4 addressing
+will always hash all these streams to the same interface. And the total
+throughput will limited to a single slave.
+
+Change the tcp code will impact the whole tcp behavior, only for bonding
+usage. Paolo Abeni suggested fix this by changing the bonding code only,
+which should be more reasonable, and less impact.
+
+Fix this by discarding the lowest hash bit because it contains little entropy.
+After the fix we can re-balance between slaves.
+
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/bonding/bond_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -3166,7 +3166,7 @@ u32 bond_xmit_hash(struct bonding *bond,
+ hash ^= (hash >> 16);
+ hash ^= (hash >> 8);
+
+- return hash;
++ return hash >> 1;
+ }
+
+ /*-------------------------- Device entry points ----------------------------*/
--- /dev/null
+From foo@baz Tue Nov 21 15:28:16 CET 2017
+From: Huacai Chen <chenhc@lemote.com>
+Date: Thu, 16 Nov 2017 11:07:15 +0800
+Subject: fealnx: Fix building error on MIPS
+
+From: Huacai Chen <chenhc@lemote.com>
+
+
+[ Upstream commit cc54c1d32e6a4bb3f116721abf900513173e4d02 ]
+
+This patch try to fix the building error on MIPS. The reason is MIPS
+has already defined the LONG macro, which conflicts with the LONG enum
+in drivers/net/ethernet/fealnx.c.
+
+Signed-off-by: Huacai Chen <chenhc@lemote.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/fealnx.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/fealnx.c
++++ b/drivers/net/ethernet/fealnx.c
+@@ -257,8 +257,8 @@ enum rx_desc_status_bits {
+ RXFSD = 0x00000800, /* first descriptor */
+ RXLSD = 0x00000400, /* last descriptor */
+ ErrorSummary = 0x80, /* error summary */
+- RUNT = 0x40, /* runt packet received */
+- LONG = 0x20, /* long packet received */
++ RUNTPKT = 0x40, /* runt packet received */
++ LONGPKT = 0x20, /* long packet received */
+ FAE = 0x10, /* frame align error */
+ CRC = 0x08, /* crc error */
+ RXER = 0x04, /* receive error */
+@@ -1633,7 +1633,7 @@ static int netdev_rx(struct net_device *
+ dev->name, rx_status);
+
+ dev->stats.rx_errors++; /* end of a packet. */
+- if (rx_status & (LONG | RUNT))
++ if (rx_status & (LONGPKT | RUNTPKT))
+ dev->stats.rx_length_errors++;
+ if (rx_status & RXER)
+ dev->stats.rx_frame_errors++;
--- /dev/null
+From foo@baz Tue Nov 21 15:28:16 CET 2017
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+Date: Wed, 15 Nov 2017 22:17:48 -0600
+Subject: net/sctp: Always set scope_id in sctp_inet6_skb_msgname
+
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+
+
+[ Upstream commit 7c8a61d9ee1df0fb4747879fa67a99614eb62fec ]
+
+Alexandar Potapenko while testing the kernel with KMSAN and syzkaller
+discovered that in some configurations sctp would leak 4 bytes of
+kernel stack.
+
+Working with his reproducer I discovered that those 4 bytes that
+are leaked is the scope id of an ipv6 address returned by recvmsg.
+
+With a little code inspection and a shrewd guess I discovered that
+sctp_inet6_skb_msgname only initializes the scope_id field for link
+local ipv6 addresses to the interface index the link local address
+pertains to instead of initializing the scope_id field for all ipv6
+addresses.
+
+That is almost reasonable as scope_id's are meaniningful only for link
+local addresses. Set the scope_id in all other cases to 0 which is
+not a valid interface index to make it clear there is nothing useful
+in the scope_id field.
+
+There should be no danger of breaking userspace as the stack leak
+guaranteed that previously meaningless random data was being returned.
+
+Fixes: 372f525b495c ("SCTP: Resync with LKSCTP tree.")
+History-tree: https://git.kernel.org/pub/scm/linux/kernel/git/tglx/history.git
+Reported-by: Alexander Potapenko <glider@google.com>
+Tested-by: Alexander Potapenko <glider@google.com>
+Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sctp/ipv6.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/sctp/ipv6.c
++++ b/net/sctp/ipv6.c
+@@ -806,6 +806,8 @@ static void sctp_inet6_skb_msgname(struc
+ if (ipv6_addr_type(&addr->v6.sin6_addr) & IPV6_ADDR_LINKLOCAL) {
+ struct sctp_ulpevent *ev = sctp_skb2event(skb);
+ addr->v6.sin6_scope_id = ev->iif;
++ } else {
++ addr->v6.sin6_scope_id = 0;
+ }
+ }
+
--- /dev/null
+From foo@baz Tue Nov 21 15:28:16 CET 2017
+From: Ye Yin <hustcat@gmail.com>
+Date: Thu, 26 Oct 2017 16:57:05 +0800
+Subject: netfilter/ipvs: clear ipvs_property flag when SKB net namespace changed
+
+From: Ye Yin <hustcat@gmail.com>
+
+
+[ Upstream commit 2b5ec1a5f9738ee7bf8f5ec0526e75e00362c48f ]
+
+When run ipvs in two different network namespace at the same host, and one
+ipvs transport network traffic to the other network namespace ipvs.
+'ipvs_property' flag will make the second ipvs take no effect. So we should
+clear 'ipvs_property' when SKB network namespace changed.
+
+Fixes: 621e84d6f373 ("dev: introduce skb_scrub_packet()")
+Signed-off-by: Ye Yin <hustcat@gmail.com>
+Signed-off-by: Wei Zhou <chouryzhou@gmail.com>
+Signed-off-by: Julian Anastasov <ja@ssi.bg>
+Signed-off-by: Simon Horman <horms@verge.net.au>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/skbuff.h | 7 +++++++
+ net/core/skbuff.c | 1 +
+ 2 files changed, 8 insertions(+)
+
+--- a/include/linux/skbuff.h
++++ b/include/linux/skbuff.h
+@@ -3400,6 +3400,13 @@ static inline void nf_reset_trace(struct
+ #endif
+ }
+
++static inline void ipvs_reset(struct sk_buff *skb)
++{
++#if IS_ENABLED(CONFIG_IP_VS)
++ skb->ipvs_property = 0;
++#endif
++}
++
+ /* Note: This doesn't put any conntrack and bridge info in dst. */
+ static inline void __nf_copy(struct sk_buff *dst, const struct sk_buff *src,
+ bool copy)
+--- a/net/core/skbuff.c
++++ b/net/core/skbuff.c
+@@ -4229,6 +4229,7 @@ void skb_scrub_packet(struct sk_buff *sk
+ if (!xnet)
+ return;
+
++ ipvs_reset(skb);
+ skb_orphan(skb);
+ skb->mark = 0;
+ }
--- /dev/null
+From foo@baz Tue Nov 21 15:28:16 CET 2017
+From: Xin Long <lucien.xin@gmail.com>
+Date: Tue, 17 Oct 2017 23:26:10 +0800
+Subject: sctp: do not peel off an assoc from one netns to another one
+
+From: Xin Long <lucien.xin@gmail.com>
+
+
+[ Upstream commit df80cd9b28b9ebaa284a41df611dbf3a2d05ca74 ]
+
+Now when peeling off an association to the sock in another netns, all
+transports in this assoc are not to be rehashed and keep use the old
+key in hashtable.
+
+As a transport uses sk->net as the hash key to insert into hashtable,
+it would miss removing these transports from hashtable due to the new
+netns when closing the sock and all transports are being freeed, then
+later an use-after-free issue could be caused when looking up an asoc
+and dereferencing those transports.
+
+This is a very old issue since very beginning, ChunYu found it with
+syzkaller fuzz testing with this series:
+
+ socket$inet6_sctp()
+ bind$inet6()
+ sendto$inet6()
+ unshare(0x40000000)
+ getsockopt$inet_sctp6_SCTP_GET_ASSOC_ID_LIST()
+ getsockopt$inet_sctp6_SCTP_SOCKOPT_PEELOFF()
+
+This patch is to block this call when peeling one assoc off from one
+netns to another one, so that the netns of all transport would not
+go out-sync with the key in hashtable.
+
+Note that this patch didn't fix it by rehashing transports, as it's
+difficult to handle the situation when the tuple is already in use
+in the new netns. Besides, no one would like to peel off one assoc
+to another netns, considering ipaddrs, ifaces, etc. are usually
+different.
+
+Reported-by: ChunYu Wang <chunwang@redhat.com>
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Acked-by: Neil Horman <nhorman@tuxdriver.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sctp/socket.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/net/sctp/socket.c
++++ b/net/sctp/socket.c
+@@ -4457,6 +4457,10 @@ int sctp_do_peeloff(struct sock *sk, sct
+ if (!net_eq(current->nsproxy->net_ns, sock_net(sk)))
+ return -EINVAL;
+
++ /* Do not peel off from one netns to another one. */
++ if (!net_eq(current->nsproxy->net_ns, sock_net(sk)))
++ return -EINVAL;
++
+ if (!asoc)
+ return -EINVAL;
+
--- /dev/null
+tcp-do-not-mangle-skb-cb-in-tcp_make_synack.patch
+netfilter-ipvs-clear-ipvs_property-flag-when-skb-net-namespace-changed.patch
+bonding-discard-lowest-hash-bit-for-802.3ad-layer3-4.patch
+vlan-fix-a-use-after-free-in-vlan_device_event.patch
+af_netlink-ensure-that-nlmsg_done-never-fails-in-dumps.patch
+sctp-do-not-peel-off-an-assoc-from-one-netns-to-another-one.patch
+fealnx-fix-building-error-on-mips.patch
+net-sctp-always-set-scope_id-in-sctp_inet6_skb_msgname.patch
--- /dev/null
+From foo@baz Tue Nov 21 15:28:16 CET 2017
+From: Eric Dumazet <edumazet@google.com>
+Date: Thu, 2 Nov 2017 12:30:25 -0700
+Subject: tcp: do not mangle skb->cb[] in tcp_make_synack()
+
+From: Eric Dumazet <edumazet@google.com>
+
+
+[ Upstream commit 3b11775033dc87c3d161996c54507b15ba26414a ]
+
+Christoph Paasch sent a patch to address the following issue :
+
+tcp_make_synack() is leaving some TCP private info in skb->cb[],
+then send the packet by other means than tcp_transmit_skb()
+
+tcp_transmit_skb() makes sure to clear skb->cb[] to not confuse
+IPv4/IPV6 stacks, but we have no such cleanup for SYNACK.
+
+tcp_make_synack() should not use tcp_init_nondata_skb() :
+
+tcp_init_nondata_skb() really should be limited to skbs put in write/rtx
+queues (the ones that are only sent via tcp_transmit_skb())
+
+This patch fixes the issue and should even save few cpu cycles ;)
+
+Fixes: 971f10eca186 ("tcp: better TCP_SKB_CB layout to reduce cache line misses")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: Christoph Paasch <cpaasch@apple.com>
+Reviewed-by: Christoph Paasch <cpaasch@apple.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/tcp_output.c | 9 ++-------
+ 1 file changed, 2 insertions(+), 7 deletions(-)
+
+--- a/net/ipv4/tcp_output.c
++++ b/net/ipv4/tcp_output.c
+@@ -3018,13 +3018,8 @@ struct sk_buff *tcp_make_synack(const st
+ tcp_ecn_make_synack(req, th);
+ th->source = htons(ireq->ir_num);
+ th->dest = ireq->ir_rmt_port;
+- /* Setting of flags are superfluous here for callers (and ECE is
+- * not even correctly set)
+- */
+- tcp_init_nondata_skb(skb, tcp_rsk(req)->snt_isn,
+- TCPHDR_SYN | TCPHDR_ACK);
+-
+- th->seq = htonl(TCP_SKB_CB(skb)->seq);
++ skb->ip_summed = CHECKSUM_PARTIAL;
++ th->seq = htonl(tcp_rsk(req)->snt_isn);
+ /* XXX data is queued and acked as is. No buffer/window check */
+ th->ack_seq = htonl(tcp_rsk(req)->rcv_nxt);
+
--- /dev/null
+From foo@baz Tue Nov 21 15:28:16 CET 2017
+From: Cong Wang <xiyou.wangcong@gmail.com>
+Date: Thu, 9 Nov 2017 16:43:13 -0800
+Subject: vlan: fix a use-after-free in vlan_device_event()
+
+From: Cong Wang <xiyou.wangcong@gmail.com>
+
+
+[ Upstream commit 052d41c01b3a2e3371d66de569717353af489d63 ]
+
+After refcnt reaches zero, vlan_vid_del() could free
+dev->vlan_info via RCU:
+
+ RCU_INIT_POINTER(dev->vlan_info, NULL);
+ call_rcu(&vlan_info->rcu, vlan_info_rcu_free);
+
+However, the pointer 'grp' still points to that memory
+since it is set before vlan_vid_del():
+
+ vlan_info = rtnl_dereference(dev->vlan_info);
+ if (!vlan_info)
+ goto out;
+ grp = &vlan_info->grp;
+
+Depends on when that RCU callback is scheduled, we could
+trigger a use-after-free in vlan_group_for_each_dev()
+right following this vlan_vid_del().
+
+Fix it by moving vlan_vid_del() before setting grp. This
+is also symmetric to the vlan_vid_add() we call in
+vlan_device_event().
+
+Reported-by: Fengguang Wu <fengguang.wu@intel.com>
+Fixes: efc73f4bbc23 ("net: Fix memory leak - vlan_info struct")
+Cc: Alexander Duyck <alexander.duyck@gmail.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Girish Moodalbail <girish.moodalbail@oracle.com>
+Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+Reviewed-by: Girish Moodalbail <girish.moodalbail@oracle.com>
+Tested-by: Fengguang Wu <fengguang.wu@intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/8021q/vlan.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/net/8021q/vlan.c
++++ b/net/8021q/vlan.c
+@@ -376,6 +376,9 @@ static int vlan_device_event(struct noti
+ dev->name);
+ vlan_vid_add(dev, htons(ETH_P_8021Q), 0);
+ }
++ if (event == NETDEV_DOWN &&
++ (dev->features & NETIF_F_HW_VLAN_CTAG_FILTER))
++ vlan_vid_del(dev, htons(ETH_P_8021Q), 0);
+
+ vlan_info = rtnl_dereference(dev->vlan_info);
+ if (!vlan_info)
+@@ -423,9 +426,6 @@ static int vlan_device_event(struct noti
+ struct net_device *tmp;
+ LIST_HEAD(close_list);
+
+- if (dev->features & NETIF_F_HW_VLAN_CTAG_FILTER)
+- vlan_vid_del(dev, htons(ETH_P_8021Q), 0);
+-
+ /* Put all VLANs for this dev in the down state too. */
+ vlan_group_for_each_dev(grp, i, vlandev) {
+ flgs = vlandev->flags;
projects / thirdparty / kernel / stable-queue.git / commitdiff
