3.18-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 13 Feb 2019 15:51:54 +0000 (16:51 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 13 Feb 2019 15:51:54 +0000 (16:51 +0100)
added patches:
batman-adv-avoid-warn-on-net_device-without-parent-in-netns.patch
batman-adv-force-mac-header-to-start-of-data-on-xmit.patch
libceph-avoid-keepalive_pending-races-in-ceph_con_keepalive.patch
xfrm-refine-validation-of-template-and-selector-families.patch

queue-3.18/batman-adv-avoid-warn-on-net_device-without-parent-in-netns.patch [new file with mode: 0644]
queue-3.18/batman-adv-force-mac-header-to-start-of-data-on-xmit.patch [new file with mode: 0644]
queue-3.18/libceph-avoid-keepalive_pending-races-in-ceph_con_keepalive.patch [new file with mode: 0644]
queue-3.18/series
queue-3.18/xfrm-refine-validation-of-template-and-selector-families.patch [new file with mode: 0644]

diff --git a/queue-3.18/batman-adv-avoid-warn-on-net_device-without-parent-in-netns.patch b/queue-3.18/batman-adv-avoid-warn-on-net_device-without-parent-in-netns.patch
new file mode 100644 (file)
index 0000000..b22374d
--- /dev/null
@@ -0,0 +1,44 @@
+From 955d3411a17f590364238bd0d3329b61f20c1cd2 Mon Sep 17 00:00:00 2001
+From: Sven Eckelmann <sven@narfation.org>
+Date: Sun, 30 Dec 2018 12:46:01 +0100
+Subject: batman-adv: Avoid WARN on net_device without parent in netns
+
+From: Sven Eckelmann <sven@narfation.org>
+
+commit 955d3411a17f590364238bd0d3329b61f20c1cd2 upstream.
+
+It is not allowed to use WARN* helpers on potential incorrect input from
+the user or transient problems because systems configured as panic_on_warn
+will reboot due to such a problem.
+
+A NULL return value of __dev_get_by_index can be caused by various problems
+which can either be related to the system configuration or problems
+(incorrectly returned network namespaces) in other (virtual) net_device
+drivers. batman-adv should not cause a (harmful) WARN in this situation and
+instead only report it via a simple message.
+
+Fixes: b7eddd0b3950 ("batman-adv: prevent using any virtual device created on batman-adv as hard-interface")
+Reported-by: syzbot+c764de0fcfadca9a8595@syzkaller.appspotmail.com
+Reported-by: Dmitry Vyukov <dvyukov@google.com>
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/batman-adv/hard-interface.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/batman-adv/hard-interface.c
++++ b/net/batman-adv/hard-interface.c
+@@ -89,8 +89,10 @@ static bool batadv_is_on_batman_iface(co
+       /* recurse over the parent device */
+       parent_dev = __dev_get_by_index(&init_net, net_dev->iflink);
+       /* if we got a NULL parent_dev there is something broken.. */
+-      if (WARN(!parent_dev, "Cannot find parent device"))
++      if (!parent_dev) {
++              pr_err("Cannot find parent device\n");
+               return false;
++      }
+       ret = batadv_is_on_batman_iface(parent_dev);
diff --git a/queue-3.18/batman-adv-force-mac-header-to-start-of-data-on-xmit.patch b/queue-3.18/batman-adv-force-mac-header-to-start-of-data-on-xmit.patch
new file mode 100644 (file)
index 0000000..a5eae1e
--- /dev/null
@@ -0,0 +1,43 @@
+From 9114daa825fc3f335f9bea3313ce667090187280 Mon Sep 17 00:00:00 2001
+From: Sven Eckelmann <sven@narfation.org>
+Date: Mon, 31 Dec 2018 22:31:01 +0100
+Subject: batman-adv: Force mac header to start of data on xmit
+
+From: Sven Eckelmann <sven@narfation.org>
+
+commit 9114daa825fc3f335f9bea3313ce667090187280 upstream.
+
+The caller of ndo_start_xmit may not already have called
+skb_reset_mac_header. The returned value of skb_mac_header/eth_hdr
+therefore can be in the wrong position and even outside the current skbuff.
+This for example happens when the user binds to the device using a
+PF_PACKET-SOCK_RAW with enabled qdisc-bypass:
+
+  int opt = 4;
+  setsockopt(sock, SOL_PACKET, PACKET_QDISC_BYPASS, &opt, sizeof(opt));
+
+Since eth_hdr is used all over the codebase, the batadv_interface_tx
+function must always take care of resetting it.
+
+Fixes: c6c8fea29769 ("net: Add batman-adv meshing protocol")
+Reported-by: syzbot+9d7405c7faa390e60b4e@syzkaller.appspotmail.com
+Reported-by: syzbot+7d20bc3f1ddddc0f9079@syzkaller.appspotmail.com
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/batman-adv/soft-interface.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/batman-adv/soft-interface.c
++++ b/net/batman-adv/soft-interface.c
+@@ -180,6 +180,8 @@ static int batadv_interface_tx(struct sk
+       soft_iface->trans_start = jiffies;
+       vid = batadv_get_vid(skb, 0);
++
++      skb_reset_mac_header(skb);
+       ethhdr = eth_hdr(skb);
+       switch (ntohs(ethhdr->h_proto)) {
diff --git a/queue-3.18/libceph-avoid-keepalive_pending-races-in-ceph_con_keepalive.patch b/queue-3.18/libceph-avoid-keepalive_pending-races-in-ceph_con_keepalive.patch
new file mode 100644 (file)
index 0000000..dd634db
--- /dev/null
@@ -0,0 +1,60 @@
+From 4aac9228d16458cedcfd90c7fb37211cf3653ac3 Mon Sep 17 00:00:00 2001
+From: Ilya Dryomov <idryomov@gmail.com>
+Date: Mon, 14 Jan 2019 21:13:10 +0100
+Subject: libceph: avoid KEEPALIVE_PENDING races in ceph_con_keepalive()
+
+From: Ilya Dryomov <idryomov@gmail.com>
+
+commit 4aac9228d16458cedcfd90c7fb37211cf3653ac3 upstream.
+
+con_fault() can transition the connection into STANDBY right after
+ceph_con_keepalive() clears STANDBY in clear_standby():
+
+    libceph user thread               ceph-msgr worker
+
+ceph_con_keepalive()
+  mutex_lock(&con->mutex)
+  clear_standby(con)
+  mutex_unlock(&con->mutex)
+                                mutex_lock(&con->mutex)
+                                con_fault()
+                                  ...
+                                  if KEEPALIVE_PENDING isn't set
+                                    set state to STANDBY
+                                  ...
+                                mutex_unlock(&con->mutex)
+  set KEEPALIVE_PENDING
+  set WRITE_PENDING
+
+This triggers warnings in clear_standby() when either ceph_con_send()
+or ceph_con_keepalive() get to clearing STANDBY next time.
+
+I don't see a reason to condition queue_con() call on the previous
+value of KEEPALIVE_PENDING, so move the setting of KEEPALIVE_PENDING
+into the critical section -- unlike WRITE_PENDING, KEEPALIVE_PENDING
+could have been a non-atomic flag.
+
+Reported-by: syzbot+acdeb633f6211ccdf886@syzkaller.appspotmail.com
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Tested-by: Myungho Jung <mhjungk@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/ceph/messenger.c |    5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/net/ceph/messenger.c
++++ b/net/ceph/messenger.c
+@@ -3068,9 +3068,10 @@ void ceph_con_keepalive(struct ceph_conn
+       dout("con_keepalive %p\n", con);
+       mutex_lock(&con->mutex);
+       clear_standby(con);
++      con_flag_set(con, CON_FLAG_KEEPALIVE_PENDING);
+       mutex_unlock(&con->mutex);
+-      if (con_flag_test_and_set(con, CON_FLAG_KEEPALIVE_PENDING) == 0 &&
+-          con_flag_test_and_set(con, CON_FLAG_WRITE_PENDING) == 0)
++
++      if (con_flag_test_and_set(con, CON_FLAG_WRITE_PENDING) == 0)
+               queue_con(con);
+ }
+ EXPORT_SYMBOL(ceph_con_keepalive);
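Review bot: The ordering that makes this fix work is not recorded in the code: the added `con_flag_set(con, CON_FLAG_KEEPALIVE_PENDING);` after `clear_standby(con);` is only correct because it runs while con->mutex is still held, so that con_fault() — which, per the commit message, checks KEEPALIVE_PENDING under the same mutex before moving the connection to STANDBY — cannot interleave. A one-line comment above the new call would keep a later cleanup from hoisting it back out of the critical section, e.g. `/* must be set under con->mutex: con_fault() tests it before entering STANDBY */`. With the queue_con() decision now gated only on WRITE_PENDING, the unconditional flag set is idempotent and a repeated keepalive no longer skips queueing, which matches the stated intent. ceph_con_keepalive() begins before the hunk; only its tail is visible here.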
index 4382c7cbc0fed875f9e5f019dfab2aad836398ed..e2e363718439eca4da069f9bd9be9808a7c31ea1 100644 (file)
@@ -83,3 +83,7 @@ drm-modes-prevent-division-by-zero-htotal.patch
 drm-vmwgfx-fix-setting-of-dma-masks.patch
 drm-vmwgfx-return-error-code-from-vmw_execbuf_copy_fence_user.patch
 hid-debug-fix-the-ring-buffer-implementation.patch
+libceph-avoid-keepalive_pending-races-in-ceph_con_keepalive.patch
+xfrm-refine-validation-of-template-and-selector-families.patch
+batman-adv-avoid-warn-on-net_device-without-parent-in-netns.patch
+batman-adv-force-mac-header-to-start-of-data-on-xmit.patch
diff --git a/queue-3.18/xfrm-refine-validation-of-template-and-selector-families.patch b/queue-3.18/xfrm-refine-validation-of-template-and-selector-families.patch
new file mode 100644 (file)
index 0000000..7700e71
--- /dev/null
@@ -0,0 +1,64 @@
+From 35e6103861a3a970de6c84688c6e7a1f65b164ca Mon Sep 17 00:00:00 2001
+From: Florian Westphal <fw@strlen.de>
+Date: Wed, 9 Jan 2019 14:37:34 +0100
+Subject: xfrm: refine validation of template and selector families
+
+From: Florian Westphal <fw@strlen.de>
+
+commit 35e6103861a3a970de6c84688c6e7a1f65b164ca upstream.
+
+The check assumes that in transport mode, the first templates family
+must match the address family of the policy selector.
+
+Syzkaller managed to build a template using MODE_ROUTEOPTIMIZATION,
+with ipv4-in-ipv6 chain, leading to following splat:
+
+BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x1db/0x1854
+Read of size 4 at addr ffff888063e57aa0 by task a.out/2050
+ xfrm_state_find+0x1db/0x1854
+ xfrm_tmpl_resolve+0x100/0x1d0
+ xfrm_resolve_and_create_bundle+0x108/0x1000 [..]
+
+Problem is that addresses point into flowi4 struct, but xfrm_state_find
+treats them as being ipv6 because it uses templ->encap_family is used
+(AF_INET6 in case of reproducer) rather than family (AF_INET).
+
+This patch inverts the logic: Enforce 'template family must match
+selector' EXCEPT for tunnel and BEET mode.
+
+In BEET and Tunnel mode, xfrm_tmpl_resolve_one will have remote/local
+address pointers changed to point at the addresses found in the template,
+rather than the flowi ones, so no oob read will occur.
+
+Reported-by: 3ntr0py1337@gmail.com
+Reported-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/xfrm/xfrm_user.c |   13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+--- a/net/xfrm/xfrm_user.c
++++ b/net/xfrm/xfrm_user.c
+@@ -1377,10 +1377,15 @@ static int validate_tmpl(int nr, struct
+               if (!ut[i].family)
+                       ut[i].family = family;
+-              if ((ut[i].mode == XFRM_MODE_TRANSPORT) &&
+-                  (ut[i].family != prev_family))
+-                      return -EINVAL;
+-
++              switch (ut[i].mode) {
++              case XFRM_MODE_TUNNEL:
++              case XFRM_MODE_BEET:
++                      break;
++              default:
++                      if (ut[i].family != prev_family)
++                              return -EINVAL;
++                      break;
++              }
+               if (ut[i].mode >= XFRM_MODE_MAX)
+                       return -EINVAL;