+++ /dev/null
-From foo@baz Thu Dec 13 12:24:22 CET 2018
-From: Jiri Wiesner <jwiesner@suse.com>
-Date: Wed, 5 Dec 2018 16:55:29 +0100
-Subject: ipv4: ipv6: netfilter: Adjust the frag mem limit when truesize changes
-
-From: Jiri Wiesner <jwiesner@suse.com>
-
-[ Upstream commit ebaf39e6032faf77218220707fc3fa22487784e0 ]
-
-The *_frag_reasm() functions are susceptible to miscalculating the byte
-count of packet fragments in case the truesize of a head buffer changes.
-The truesize member may be changed by the call to skb_unclone(), leaving
-the fragment memory limit counter unbalanced even if all fragments are
-processed. This miscalculation goes unnoticed as long as the network
-namespace which holds the counter is not destroyed.
-
-Should an attempt be made to destroy a network namespace that holds an
-unbalanced fragment memory limit counter the cleanup of the namespace
-never finishes. The thread handling the cleanup gets stuck in
-inet_frags_exit_net() waiting for the percpu counter to reach zero. The
-thread is usually in running state with a stacktrace similar to:
-
- PID: 1073 TASK: ffff880626711440 CPU: 1 COMMAND: "kworker/u48:4"
- #5 [ffff880621563d48] _raw_spin_lock at ffffffff815f5480
- #6 [ffff880621563d48] inet_evict_bucket at ffffffff8158020b
- #7 [ffff880621563d80] inet_frags_exit_net at ffffffff8158051c
- #8 [ffff880621563db0] ops_exit_list at ffffffff814f5856
- #9 [ffff880621563dd8] cleanup_net at ffffffff814f67c0
- #10 [ffff880621563e38] process_one_work at ffffffff81096f14
-
-It is not possible to create new network namespaces, and processes
-that call unshare() end up being stuck in uninterruptible sleep state
-waiting to acquire the net_mutex.
-
-The bug was observed in the IPv6 netfilter code by Per Sundstrom.
-I thank him for his analysis of the problem. The parts of this patch
-that apply to IPv4 and IPv6 fragment reassembly are preemptive measures.
-
-Signed-off-by: Jiri Wiesner <jwiesner@suse.com>
-Reported-by: Per Sundstrom <per.sundstrom@redqube.se>
-Acked-by: Peter Oskolkov <posk@google.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- net/ipv4/ip_fragment.c | 7 +++++++
- net/ipv6/netfilter/nf_conntrack_reasm.c | 8 +++++++-
- net/ipv6/reassembly.c | 8 +++++++-
- 3 files changed, 21 insertions(+), 2 deletions(-)
-
---- a/net/ipv4/ip_fragment.c
-+++ b/net/ipv4/ip_fragment.c
-@@ -507,6 +507,7 @@ static int ip_frag_reasm(struct ipq *qp,
- struct sk_buff *fp, *head = qp->q.fragments;
- int len;
- int ihlen;
-+ int delta;
- int err;
- int sum_truesize;
- u8 ecn;
-@@ -548,10 +549,16 @@ static int ip_frag_reasm(struct ipq *qp,
- if (len > 65535)
- goto out_oversize;
-
-+ delta = - head->truesize;
-+
- /* Head of list must not be cloned. */
- if (skb_unclone(head, GFP_ATOMIC))
- goto out_nomem;
-
-+ delta += head->truesize;
-+ if (delta)
-+ add_frag_mem_limit(&qp->q, delta);
-+
- /* If the first fragment is fragmented itself, we split
- * it to two chunks: the first with data and paged part
- * and the second, holding only fragments. */
---- a/net/ipv6/netfilter/nf_conntrack_reasm.c
-+++ b/net/ipv6/netfilter/nf_conntrack_reasm.c
-@@ -380,7 +380,7 @@ static struct sk_buff *
- nf_ct_frag6_reasm(struct frag_queue *fq, struct net_device *dev)
- {
- struct sk_buff *fp, *op, *head = fq->q.fragments;
-- int payload_len;
-+ int payload_len, delta;
- u8 ecn;
-
- inet_frag_kill(&fq->q, &nf_frags);
-@@ -401,12 +401,18 @@ nf_ct_frag6_reasm(struct frag_queue *fq,
- goto out_oversize;
- }
-
-+ delta = - head->truesize;
-+
- /* Head of list must not be cloned. */
- if (skb_unclone(head, GFP_ATOMIC)) {
- pr_debug("skb is cloned but can't expand head");
- goto out_oom;
- }
-
-+ delta += head->truesize;
-+ if (delta)
-+ add_frag_mem_limit(&fq->q, delta);
-+
- /* If the first fragment is fragmented itself, we split
- * it to two chunks: the first with data and paged part
- * and the second, holding only fragments. */
---- a/net/ipv6/reassembly.c
-+++ b/net/ipv6/reassembly.c
-@@ -381,7 +381,7 @@ static int ip6_frag_reasm(struct frag_qu
- {
- struct net *net = container_of(fq->q.net, struct net, ipv6.frags);
- struct sk_buff *fp, *head = fq->q.fragments;
-- int payload_len;
-+ int payload_len, delta;
- unsigned int nhoff;
- int sum_truesize;
- u8 ecn;
-@@ -422,10 +422,16 @@ static int ip6_frag_reasm(struct frag_qu
- if (payload_len > IPV6_MAXPLEN)
- goto out_oversize;
-
-+ delta = - head->truesize;
-+
- /* Head of list must not be cloned. */
- if (skb_unclone(head, GFP_ATOMIC))
- goto out_oom;
-
-+ delta += head->truesize;
-+ if (delta)
-+ add_frag_mem_limit(&fq->q, delta);
-+
- /* If the first fragment is fragmented itself, we split
- * it to two chunks: the first with data and paged part
- * and the second, holding only fragments. */
tun-forbid-iface-creation-with-rtnl-ops.patch
neighbour-avoid-writing-before-skb-head-in-neigh_hh_output.patch
ipv6-check-available-headroom-in-ip6_xmit-even-without-options.patch
-ipv4-ipv6-netfilter-adjust-the-frag-mem-limit-when-truesize-changes.patch
arm-omap2-prm44xx-fix-section-annotation-on-omap44xx.patch
arm-omap1-ams-delta-fix-possible-use-of-uninitialize.patch
sysv-return-err-instead-of-0-in-__sysv_write_inode.patch
+++ /dev/null
-From foo@baz Thu Dec 13 12:24:22 CET 2018
-From: Jiri Wiesner <jwiesner@suse.com>
-Date: Wed, 5 Dec 2018 16:55:29 +0100
-Subject: ipv4: ipv6: netfilter: Adjust the frag mem limit when truesize changes
-
-From: Jiri Wiesner <jwiesner@suse.com>
-
-[ Upstream commit ebaf39e6032faf77218220707fc3fa22487784e0 ]
-
-The *_frag_reasm() functions are susceptible to miscalculating the byte
-count of packet fragments in case the truesize of a head buffer changes.
-The truesize member may be changed by the call to skb_unclone(), leaving
-the fragment memory limit counter unbalanced even if all fragments are
-processed. This miscalculation goes unnoticed as long as the network
-namespace which holds the counter is not destroyed.
-
-Should an attempt be made to destroy a network namespace that holds an
-unbalanced fragment memory limit counter the cleanup of the namespace
-never finishes. The thread handling the cleanup gets stuck in
-inet_frags_exit_net() waiting for the percpu counter to reach zero. The
-thread is usually in running state with a stacktrace similar to:
-
- PID: 1073 TASK: ffff880626711440 CPU: 1 COMMAND: "kworker/u48:4"
- #5 [ffff880621563d48] _raw_spin_lock at ffffffff815f5480
- #6 [ffff880621563d48] inet_evict_bucket at ffffffff8158020b
- #7 [ffff880621563d80] inet_frags_exit_net at ffffffff8158051c
- #8 [ffff880621563db0] ops_exit_list at ffffffff814f5856
- #9 [ffff880621563dd8] cleanup_net at ffffffff814f67c0
- #10 [ffff880621563e38] process_one_work at ffffffff81096f14
-
-It is not possible to create new network namespaces, and processes
-that call unshare() end up being stuck in uninterruptible sleep state
-waiting to acquire the net_mutex.
-
-The bug was observed in the IPv6 netfilter code by Per Sundstrom.
-I thank him for his analysis of the problem. The parts of this patch
-that apply to IPv4 and IPv6 fragment reassembly are preemptive measures.
-
-Signed-off-by: Jiri Wiesner <jwiesner@suse.com>
-Reported-by: Per Sundstrom <per.sundstrom@redqube.se>
-Acked-by: Peter Oskolkov <posk@google.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- net/ipv4/ip_fragment.c | 7 +++++++
- net/ipv6/netfilter/nf_conntrack_reasm.c | 8 +++++++-
- net/ipv6/reassembly.c | 8 +++++++-
- 3 files changed, 21 insertions(+), 2 deletions(-)
-
---- a/net/ipv4/ip_fragment.c
-+++ b/net/ipv4/ip_fragment.c
-@@ -538,6 +538,7 @@ static int ip_frag_reasm(struct ipq *qp,
- struct sk_buff *fp, *head = qp->q.fragments;
- int len;
- int ihlen;
-+ int delta;
- int err;
- u8 ecn;
-
-@@ -578,10 +579,16 @@ static int ip_frag_reasm(struct ipq *qp,
- if (len > 65535)
- goto out_oversize;
-
-+ delta = - head->truesize;
-+
- /* Head of list must not be cloned. */
- if (skb_unclone(head, GFP_ATOMIC))
- goto out_nomem;
-
-+ delta += head->truesize;
-+ if (delta)
-+ add_frag_mem_limit(qp->q.net, delta);
-+
- /* If the first fragment is fragmented itself, we split
- * it to two chunks: the first with data and paged part
- * and the second, holding only fragments. */
---- a/net/ipv6/netfilter/nf_conntrack_reasm.c
-+++ b/net/ipv6/netfilter/nf_conntrack_reasm.c
-@@ -380,7 +380,7 @@ static struct sk_buff *
- nf_ct_frag6_reasm(struct frag_queue *fq, struct net_device *dev)
- {
- struct sk_buff *fp, *op, *head = fq->q.fragments;
-- int payload_len;
-+ int payload_len, delta;
- u8 ecn;
-
- inet_frag_kill(&fq->q, &nf_frags);
-@@ -401,12 +401,18 @@ nf_ct_frag6_reasm(struct frag_queue *fq,
- goto out_oversize;
- }
-
-+ delta = - head->truesize;
-+
- /* Head of list must not be cloned. */
- if (skb_unclone(head, GFP_ATOMIC)) {
- pr_debug("skb is cloned but can't expand head");
- goto out_oom;
- }
-
-+ delta += head->truesize;
-+ if (delta)
-+ add_frag_mem_limit(fq->q.net, delta);
-+
- /* If the first fragment is fragmented itself, we split
- * it to two chunks: the first with data and paged part
- * and the second, holding only fragments. */
---- a/net/ipv6/reassembly.c
-+++ b/net/ipv6/reassembly.c
-@@ -381,7 +381,7 @@ static int ip6_frag_reasm(struct frag_qu
- {
- struct net *net = container_of(fq->q.net, struct net, ipv6.frags);
- struct sk_buff *fp, *head = fq->q.fragments;
-- int payload_len;
-+ int payload_len, delta;
- unsigned int nhoff;
- int sum_truesize;
- u8 ecn;
-@@ -422,10 +422,16 @@ static int ip6_frag_reasm(struct frag_qu
- if (payload_len > IPV6_MAXPLEN)
- goto out_oversize;
-
-+ delta = - head->truesize;
-+
- /* Head of list must not be cloned. */
- if (skb_unclone(head, GFP_ATOMIC))
- goto out_oom;
-
-+ delta += head->truesize;
-+ if (delta)
-+ add_frag_mem_limit(fq->q.net, delta);
-+
- /* If the first fragment is fragmented itself, we split
- * it to two chunks: the first with data and paged part
- * and the second, holding only fragments. */
tcp-fix-null-ref-in-tail-loss-probe.patch
tun-forbid-iface-creation-with-rtnl-ops.patch
neighbour-avoid-writing-before-skb-head-in-neigh_hh_output.patch
-ipv4-ipv6-netfilter-adjust-the-frag-mem-limit-when-truesize-changes.patch
arm-omap2-prm44xx-fix-section-annotation-on-omap44xx.patch
arm-omap1-ams-delta-fix-possible-use-of-uninitialize.patch
sysv-return-err-instead-of-0-in-__sysv_write_inode.patch
+++ /dev/null
-From foo@baz Thu Dec 13 12:16:38 CET 2018
-From: Jiri Wiesner <jwiesner@suse.com>
-Date: Wed, 5 Dec 2018 16:55:29 +0100
-Subject: ipv4: ipv6: netfilter: Adjust the frag mem limit when truesize changes
-
-From: Jiri Wiesner <jwiesner@suse.com>
-
-[ Upstream commit ebaf39e6032faf77218220707fc3fa22487784e0 ]
-
-The *_frag_reasm() functions are susceptible to miscalculating the byte
-count of packet fragments in case the truesize of a head buffer changes.
-The truesize member may be changed by the call to skb_unclone(), leaving
-the fragment memory limit counter unbalanced even if all fragments are
-processed. This miscalculation goes unnoticed as long as the network
-namespace which holds the counter is not destroyed.
-
-Should an attempt be made to destroy a network namespace that holds an
-unbalanced fragment memory limit counter the cleanup of the namespace
-never finishes. The thread handling the cleanup gets stuck in
-inet_frags_exit_net() waiting for the percpu counter to reach zero. The
-thread is usually in running state with a stacktrace similar to:
-
- PID: 1073 TASK: ffff880626711440 CPU: 1 COMMAND: "kworker/u48:4"
- #5 [ffff880621563d48] _raw_spin_lock at ffffffff815f5480
- #6 [ffff880621563d48] inet_evict_bucket at ffffffff8158020b
- #7 [ffff880621563d80] inet_frags_exit_net at ffffffff8158051c
- #8 [ffff880621563db0] ops_exit_list at ffffffff814f5856
- #9 [ffff880621563dd8] cleanup_net at ffffffff814f67c0
- #10 [ffff880621563e38] process_one_work at ffffffff81096f14
-
-It is not possible to create new network namespaces, and processes
-that call unshare() end up being stuck in uninterruptible sleep state
-waiting to acquire the net_mutex.
-
-The bug was observed in the IPv6 netfilter code by Per Sundstrom.
-I thank him for his analysis of the problem. The parts of this patch
-that apply to IPv4 and IPv6 fragment reassembly are preemptive measures.
-
-Signed-off-by: Jiri Wiesner <jwiesner@suse.com>
-Reported-by: Per Sundstrom <per.sundstrom@redqube.se>
-Acked-by: Peter Oskolkov <posk@google.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- net/ipv4/ip_fragment.c | 7 +++++++
- net/ipv6/netfilter/nf_conntrack_reasm.c | 8 +++++++-
- net/ipv6/reassembly.c | 8 +++++++-
- 3 files changed, 21 insertions(+), 2 deletions(-)
-
---- a/net/ipv4/ip_fragment.c
-+++ b/net/ipv4/ip_fragment.c
-@@ -511,6 +511,7 @@ static int ip_frag_reasm(struct ipq *qp,
- struct rb_node *rbn;
- int len;
- int ihlen;
-+ int delta;
- int err;
- u8 ecn;
-
-@@ -552,10 +553,16 @@ static int ip_frag_reasm(struct ipq *qp,
- if (len > 65535)
- goto out_oversize;
-
-+ delta = - head->truesize;
-+
- /* Head of list must not be cloned. */
- if (skb_unclone(head, GFP_ATOMIC))
- goto out_nomem;
-
-+ delta += head->truesize;
-+ if (delta)
-+ add_frag_mem_limit(qp->q.net, delta);
-+
- /* If the first fragment is fragmented itself, we split
- * it to two chunks: the first with data and paged part
- * and the second, holding only fragments. */
---- a/net/ipv6/netfilter/nf_conntrack_reasm.c
-+++ b/net/ipv6/netfilter/nf_conntrack_reasm.c
-@@ -348,7 +348,7 @@ static bool
- nf_ct_frag6_reasm(struct frag_queue *fq, struct sk_buff *prev, struct net_device *dev)
- {
- struct sk_buff *fp, *head = fq->q.fragments;
-- int payload_len;
-+ int payload_len, delta;
- u8 ecn;
-
- inet_frag_kill(&fq->q);
-@@ -370,10 +370,16 @@ nf_ct_frag6_reasm(struct frag_queue *fq,
- return false;
- }
-
-+ delta = - head->truesize;
-+
- /* Head of list must not be cloned. */
- if (skb_unclone(head, GFP_ATOMIC))
- return false;
-
-+ delta += head->truesize;
-+ if (delta)
-+ add_frag_mem_limit(fq->q.net, delta);
-+
- /* If the first fragment is fragmented itself, we split
- * it to two chunks: the first with data and paged part
- * and the second, holding only fragments. */
---- a/net/ipv6/reassembly.c
-+++ b/net/ipv6/reassembly.c
-@@ -343,7 +343,7 @@ static int ip6_frag_reasm(struct frag_qu
- {
- struct net *net = container_of(fq->q.net, struct net, ipv6.frags);
- struct sk_buff *fp, *head = fq->q.fragments;
-- int payload_len;
-+ int payload_len, delta;
- unsigned int nhoff;
- int sum_truesize;
- u8 ecn;
-@@ -384,10 +384,16 @@ static int ip6_frag_reasm(struct frag_qu
- if (payload_len > IPV6_MAXPLEN)
- goto out_oversize;
-
-+ delta = - head->truesize;
-+
- /* Head of list must not be cloned. */
- if (skb_unclone(head, GFP_ATOMIC))
- goto out_oom;
-
-+ delta += head->truesize;
-+ if (delta)
-+ add_frag_mem_limit(fq->q.net, delta);
-+
- /* If the first fragment is fragmented itself, we split
- * it to two chunks: the first with data and paged part
- * and the second, holding only fragments. */
-ipv4-ipv6-netfilter-adjust-the-frag-mem-limit-when-truesize-changes.patch
ipv6-check-available-headroom-in-ip6_xmit-even-without-options.patch
net-8139cp-fix-a-bug-triggered-by-changing-mtu-with-network-traffic.patch
net-mlx4_core-correctly-set-pfc-param-if-global-pause-is-turned-off.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
