--- /dev/null
+From foo@baz Tue 30 Apr 2019 12:01:36 PM CEST
+From: Eric Dumazet <edumazet@google.com>
+Date: Wed, 24 Apr 2019 08:04:05 -0700
+Subject: ipv4: add sanity checks in ipv4_link_failure()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 20ff83f10f113c88d0bb74589389b05250994c16 ]
+
+Before calling __ip_options_compile(), we need to ensure the network
+header is a an IPv4 one, and that it is already pulled in skb->head.
+
+RAW sockets going through a tunnel can end up calling ipv4_link_failure()
+with total garbage in the skb, or arbitrary lengthes.
+
+syzbot report :
+
+BUG: KASAN: stack-out-of-bounds in memcpy include/linux/string.h:355 [inline]
+BUG: KASAN: stack-out-of-bounds in __ip_options_echo+0x294/0x1120 net/ipv4/ip_options.c:123
+Write of size 69 at addr ffff888096abf068 by task syz-executor.4/9204
+
+CPU: 0 PID: 9204 Comm: syz-executor.4 Not tainted 5.1.0-rc5+ #77
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x172/0x1f0 lib/dump_stack.c:113
+ print_address_description.cold+0x7c/0x20d mm/kasan/report.c:187
+ kasan_report.cold+0x1b/0x40 mm/kasan/report.c:317
+ check_memory_region_inline mm/kasan/generic.c:185 [inline]
+ check_memory_region+0x123/0x190 mm/kasan/generic.c:191
+ memcpy+0x38/0x50 mm/kasan/common.c:133
+ memcpy include/linux/string.h:355 [inline]
+ __ip_options_echo+0x294/0x1120 net/ipv4/ip_options.c:123
+ __icmp_send+0x725/0x1400 net/ipv4/icmp.c:695
+ ipv4_link_failure+0x29f/0x550 net/ipv4/route.c:1204
+ dst_link_failure include/net/dst.h:427 [inline]
+ vti6_xmit net/ipv6/ip6_vti.c:514 [inline]
+ vti6_tnl_xmit+0x10d4/0x1c0c net/ipv6/ip6_vti.c:553
+ __netdev_start_xmit include/linux/netdevice.h:4414 [inline]
+ netdev_start_xmit include/linux/netdevice.h:4423 [inline]
+ xmit_one net/core/dev.c:3292 [inline]
+ dev_hard_start_xmit+0x1b2/0x980 net/core/dev.c:3308
+ __dev_queue_xmit+0x271d/0x3060 net/core/dev.c:3878
+ dev_queue_xmit+0x18/0x20 net/core/dev.c:3911
+ neigh_direct_output+0x16/0x20 net/core/neighbour.c:1527
+ neigh_output include/net/neighbour.h:508 [inline]
+ ip_finish_output2+0x949/0x1740 net/ipv4/ip_output.c:229
+ ip_finish_output+0x73c/0xd50 net/ipv4/ip_output.c:317
+ NF_HOOK_COND include/linux/netfilter.h:278 [inline]
+ ip_output+0x21f/0x670 net/ipv4/ip_output.c:405
+ dst_output include/net/dst.h:444 [inline]
+ NF_HOOK include/linux/netfilter.h:289 [inline]
+ raw_send_hdrinc net/ipv4/raw.c:432 [inline]
+ raw_sendmsg+0x1d2b/0x2f20 net/ipv4/raw.c:663
+ inet_sendmsg+0x147/0x5d0 net/ipv4/af_inet.c:798
+ sock_sendmsg_nosec net/socket.c:651 [inline]
+ sock_sendmsg+0xdd/0x130 net/socket.c:661
+ sock_write_iter+0x27c/0x3e0 net/socket.c:988
+ call_write_iter include/linux/fs.h:1866 [inline]
+ new_sync_write+0x4c7/0x760 fs/read_write.c:474
+ __vfs_write+0xe4/0x110 fs/read_write.c:487
+ vfs_write+0x20c/0x580 fs/read_write.c:549
+ ksys_write+0x14f/0x2d0 fs/read_write.c:599
+ __do_sys_write fs/read_write.c:611 [inline]
+ __se_sys_write fs/read_write.c:608 [inline]
+ __x64_sys_write+0x73/0xb0 fs/read_write.c:608
+ do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+RIP: 0033:0x458c29
+Code: ad b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00
+RSP: 002b:00007f293b44bc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
+RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000458c29
+RDX: 0000000000000014 RSI: 00000000200002c0 RDI: 0000000000000003
+RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 00007f293b44c6d4
+R13: 00000000004c8623 R14: 00000000004ded68 R15: 00000000ffffffff
+
+The buggy address belongs to the page:
+page:ffffea00025aafc0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
+flags: 0x1fffc0000000000()
+raw: 01fffc0000000000 0000000000000000 ffffffff025a0101 0000000000000000
+raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
+page dumped because: kasan: bad access detected
+
+Memory state around the buggy address:
+ ffff888096abef80: 00 00 00 f2 f2 f2 f2 f2 00 00 00 00 00 00 00 f2
+ ffff888096abf000: f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 00 00 00
+>ffff888096abf080: 00 00 f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00
+ ^
+ ffff888096abf100: 00 00 00 00 f1 f1 f1 f1 00 00 f3 f3 00 00 00 00
+ ffff888096abf180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+
+Fixes: ed0de45a1008 ("ipv4: recompile ip options in ipv4_link_failure")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Stephen Suryaputra <ssuryaextr@gmail.com>
+Acked-by: Willem de Bruijn <willemb@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/route.c | 34 ++++++++++++++++++++++++----------
+ 1 file changed, 24 insertions(+), 10 deletions(-)
+
+--- a/net/ipv4/route.c
++++ b/net/ipv4/route.c
+@@ -1148,25 +1148,39 @@ static struct dst_entry *ipv4_dst_check(
+ return dst;
+ }
+
+-static void ipv4_link_failure(struct sk_buff *skb)
++static void ipv4_send_dest_unreach(struct sk_buff *skb)
+ {
+ struct ip_options opt;
+- struct rtable *rt;
+ int res;
+
+ /* Recompile ip options since IPCB may not be valid anymore.
++ * Also check we have a reasonable ipv4 header.
+ */
+- memset(&opt, 0, sizeof(opt));
+- opt.optlen = ip_hdr(skb)->ihl*4 - sizeof(struct iphdr);
+-
+- rcu_read_lock();
+- res = __ip_options_compile(dev_net(skb->dev), &opt, skb, NULL);
+- rcu_read_unlock();
+-
+- if (res)
++ if (!pskb_network_may_pull(skb, sizeof(struct iphdr)) ||
++ ip_hdr(skb)->version != 4 || ip_hdr(skb)->ihl < 5)
+ return;
+
++ memset(&opt, 0, sizeof(opt));
++ if (ip_hdr(skb)->ihl > 5) {
++ if (!pskb_network_may_pull(skb, ip_hdr(skb)->ihl * 4))
++ return;
++ opt.optlen = ip_hdr(skb)->ihl * 4 - sizeof(struct iphdr);
++
++ rcu_read_lock();
++ res = __ip_options_compile(dev_net(skb->dev), &opt, skb, NULL);
++ rcu_read_unlock();
++
++ if (res)
++ return;
++ }
+ __icmp_send(skb, ICMP_DEST_UNREACH, ICMP_HOST_UNREACH, 0, &opt);
++}
++
++static void ipv4_link_failure(struct sk_buff *skb)
++{
++ struct rtable *rt;
++
++ ipv4_send_dest_unreach(skb);
+
+ rt = skb_rtable(skb);
+ if (rt)
--- /dev/null
+From foo@baz Tue 30 Apr 2019 11:47:03 AM CEST
+From: Vinod Koul <vkoul@kernel.org>
+Date: Mon, 22 Apr 2019 15:15:32 +0530
+Subject: net: stmmac: move stmmac_check_ether_addr() to driver probe
+
+From: Vinod Koul <vkoul@kernel.org>
+
+[ Upstream commit b561af36b1841088552464cdc3f6371d92f17710 ]
+
+stmmac_check_ether_addr() checks the MAC address and assigns one in
+driver open(). In many cases when we create slave netdevice, the dev
+addr is inherited from master but the master dev addr maybe NULL at
+that time, so move this call to driver probe so that address is
+always valid.
+
+Signed-off-by: Xiaofei Shen <xiaofeis@codeaurora.org>
+Tested-by: Xiaofei Shen <xiaofeis@codeaurora.org>
+Signed-off-by: Sneh Shah <snehshah@codeaurora.org>
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+@@ -1736,8 +1736,6 @@ static int stmmac_open(struct net_device
+ struct stmmac_priv *priv = netdev_priv(dev);
+ int ret;
+
+- stmmac_check_ether_addr(priv);
+-
+ if (priv->pcs != STMMAC_PCS_RGMII && priv->pcs != STMMAC_PCS_TBI &&
+ priv->pcs != STMMAC_PCS_RTBI) {
+ ret = stmmac_init_phy(dev);
+@@ -2824,6 +2822,8 @@ struct stmmac_priv *stmmac_dvr_probe(str
+ if (ret)
+ goto error_hw_init;
+
++ stmmac_check_ether_addr(priv);
++
+ ndev->netdev_ops = &stmmac_netdev_ops;
+
+ ndev->hw_features = NETIF_F_SG | NETIF_F_IP_CSUM | NETIF_F_IPV6_CSUM |
--- /dev/null
+From foo@baz Tue 30 Apr 2019 12:01:36 PM CEST
+From: Hangbin Liu <liuhangbin@gmail.com>
+Date: Fri, 19 Apr 2019 14:31:00 +0800
+Subject: team: fix possible recursive locking when add slaves
+
+From: Hangbin Liu <liuhangbin@gmail.com>
+
+[ Upstream commit 925b0c841e066b488cc3a60272472b2c56300704 ]
+
+If we add a bond device which is already the master of the team interface,
+we will hold the team->lock in team_add_slave() first and then request the
+lock in team_set_mac_address() again. The functions are called like:
+
+- team_add_slave()
+ - team_port_add()
+ - team_port_enter()
+ - team_modeop_port_enter()
+ - __set_port_dev_addr()
+ - dev_set_mac_address()
+ - bond_set_mac_address()
+ - dev_set_mac_address()
+ - team_set_mac_address
+
+Although team_upper_dev_link() would check the upper devices but it is
+called too late. Fix it by adding a checking before processing the slave.
+
+v2: Do not split the string in netdev_err()
+
+Fixes: 3d249d4ca7d0 ("net: introduce ethernet teaming device")
+Acked-by: Jiri Pirko <jiri@mellanox.com>
+Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/team/team.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/net/team/team.c
++++ b/drivers/net/team/team.c
+@@ -1137,6 +1137,12 @@ static int team_port_add(struct team *te
+ return -EINVAL;
+ }
+
++ if (netdev_has_upper_dev(dev, port_dev)) {
++ netdev_err(dev, "Device %s is already an upper device of the team interface\n",
++ portname);
++ return -EBUSY;
++ }
++
+ if (port_dev->features & NETIF_F_VLAN_CHALLENGED &&
+ vlan_uses_dev(dev)) {
+ netdev_err(dev, "Device %s is VLAN challenged and team device has VLAN set up\n",
projects / thirdparty / kernel / stable-queue.git / commitdiff
