3.18-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 14 Dec 2017 17:58:49 +0000 (18:58 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 14 Dec 2017 17:58:49 +0000 (18:58 +0100)
added patches:
net-packet-fix-a-race-in-packet_bind-and-packet_notifier.patch
rds-fix-null-pointer-dereference-in-__rds_rdma_map.patch
sit-update-frag_off-info.patch

queue-3.18/net-packet-fix-a-race-in-packet_bind-and-packet_notifier.patch [new file with mode: 0644]
queue-3.18/rds-fix-null-pointer-dereference-in-__rds_rdma_map.patch [new file with mode: 0644]
queue-3.18/series
queue-3.18/sit-update-frag_off-info.patch [new file with mode: 0644]

diff --git a/queue-3.18/net-packet-fix-a-race-in-packet_bind-and-packet_notifier.patch b/queue-3.18/net-packet-fix-a-race-in-packet_bind-and-packet_notifier.patch
new file mode 100644 (file)
index 0000000..8da1ca1
--- /dev/null
@@ -0,0 +1,93 @@
+From foo@baz Thu Dec 14 18:58:21 CET 2017
+From: Eric Dumazet <edumazet@google.com>
+Date: Tue, 28 Nov 2017 08:03:30 -0800
+Subject: net/packet: fix a race in packet_bind() and packet_notifier()
+
+From: Eric Dumazet <edumazet@google.com>
+
+
+[ Upstream commit 15fe076edea787807a7cdc168df832544b58eba6 ]
+
+syzbot reported crashes [1] and provided a C repro easing bug hunting.
+
+When/if packet_do_bind() calls __unregister_prot_hook() and releases
+po->bind_lock, another thread can run packet_notifier() and process an
+NETDEV_UP event.
+
+This calls register_prot_hook() and hooks again the socket right before
+first thread is able to grab again po->bind_lock.
+
+Fixes this issue by temporarily setting po->num to 0, as suggested by
+David Miller.
+
+[1]
+dev_remove_pack: ffff8801bf16fa80 not found
+------------[ cut here ]------------
+kernel BUG at net/core/dev.c:7945!  ( BUG_ON(!list_empty(&dev->ptype_all)); )
+invalid opcode: 0000 [#1] SMP KASAN
+Dumping ftrace buffer:
+   (ftrace buffer empty)
+Modules linked in:
+device syz0 entered promiscuous mode
+CPU: 0 PID: 3161 Comm: syzkaller404108 Not tainted 4.14.0+ #190
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+task: ffff8801cc57a500 task.stack: ffff8801cc588000
+RIP: 0010:netdev_run_todo+0x772/0xae0 net/core/dev.c:7945
+RSP: 0018:ffff8801cc58f598 EFLAGS: 00010293
+RAX: ffff8801cc57a500 RBX: dffffc0000000000 RCX: ffffffff841f75b2
+RDX: 0000000000000000 RSI: 1ffff100398b1ede RDI: ffff8801bf1f8810
+device syz0 entered promiscuous mode
+RBP: ffff8801cc58f898 R08: 0000000000000001 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000000 R12: ffff8801bf1f8cd8
+R13: ffff8801cc58f870 R14: ffff8801bf1f8780 R15: ffff8801cc58f7f0
+FS:  0000000001716880(0000) GS:ffff8801db400000(0000) knlGS:0000000000000000
+CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000000020b13000 CR3: 0000000005e25000 CR4: 00000000001406f0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ rtnl_unlock+0xe/0x10 net/core/rtnetlink.c:106
+ tun_detach drivers/net/tun.c:670 [inline]
+ tun_chr_close+0x49/0x60 drivers/net/tun.c:2845
+ __fput+0x333/0x7f0 fs/file_table.c:210
+ ____fput+0x15/0x20 fs/file_table.c:244
+ task_work_run+0x199/0x270 kernel/task_work.c:113
+ exit_task_work include/linux/task_work.h:22 [inline]
+ do_exit+0x9bb/0x1ae0 kernel/exit.c:865
+ do_group_exit+0x149/0x400 kernel/exit.c:968
+ SYSC_exit_group kernel/exit.c:979 [inline]
+ SyS_exit_group+0x1d/0x20 kernel/exit.c:977
+ entry_SYSCALL_64_fastpath+0x1f/0x96
+RIP: 0033:0x44ad19
+
+Fixes: 30f7ea1c2b5f ("packet: race condition in packet_bind")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Cc: Francesco Ruggeri <fruggeri@aristanetworks.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/packet/af_packet.c |    5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -2704,6 +2704,10 @@ static int packet_do_bind(struct sock *s
+       if (need_rehook) {
+               if (po->running) {
+                       rcu_read_unlock();
++                      /* prevents packet_notifier() from calling
++                       * register_prot_hook()
++                       */
++                      po->num = 0;
+                       __unregister_prot_hook(sk, true);
+                       rcu_read_lock();
+                       dev_curr = po->prot_hook.dev;
+@@ -2712,6 +2716,7 @@ static int packet_do_bind(struct sock *s
+                                                                dev->ifindex);
+               }
++              BUG_ON(po->running);
+               po->num = proto;
+               po->prot_hook.type = proto;
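Review bot: The comment added above `po->num = 0;` names the effect but not the mechanism, which a reader of a stable backport needs in order to check that the window is really closed: `__unregister_prot_hook()` releases `po->bind_lock` (per the description), and the NETDEV_UP path in `packet_notifier()` presumably re-hooks only while `po->num` is non-zero, so the zeroing is load-bearing until `po->num = proto` is restored in the second nested hunk. I would extend it to `/* __unregister_prot_hook() drops bind_lock; clearing po->num keeps packet_notifier() from calling register_prot_hook() in that window, until it is set again below */`. The `BUG_ON(po->running)` in the second nested hunk is reachable from a userspace bind(), so if the 3.18 notifier does not gate on `po->num` the way the upstream one does, any remaining window becomes a panic rather than a recoverable warning; worth confirming against net/packet/af_packet.c in the 3.18 tree before queueing. packet_do_bind() starts and ends outside the hunk, and the second nested hunk appears truncated here (its header announces six context lines but only four are shown).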
diff --git a/queue-3.18/rds-fix-null-pointer-dereference-in-__rds_rdma_map.patch b/queue-3.18/rds-fix-null-pointer-dereference-in-__rds_rdma_map.patch
new file mode 100644 (file)
index 0000000..991bc83
--- /dev/null
@@ -0,0 +1,89 @@
+From foo@baz Thu Dec 14 18:58:21 CET 2017
+From: Håkon Bugge <Haakon.Bugge@oracle.com>
+Date: Wed, 6 Dec 2017 17:18:28 +0100
+Subject: rds: Fix NULL pointer dereference in __rds_rdma_map
+
+From: Håkon Bugge <Haakon.Bugge@oracle.com>
+
+
+[ Upstream commit f3069c6d33f6ae63a1668737bc78aaaa51bff7ca ]
+
+This is a fix for syzkaller719569, where memory registration was
+attempted without any underlying transport being loaded.
+
+Analysis of the case reveals that it is the setsockopt() RDS_GET_MR
+(2) and RDS_GET_MR_FOR_DEST (7) that are vulnerable.
+
+Here is an example stack trace when the bug is hit:
+
+BUG: unable to handle kernel NULL pointer dereference at 00000000000000c0
+IP: __rds_rdma_map+0x36/0x440 [rds]
+PGD 2f93d03067 P4D 2f93d03067 PUD 2f93d02067 PMD 0
+Oops: 0000 [#1] SMP
+Modules linked in: bridge stp llc tun rpcsec_gss_krb5 nfsv4
+dns_resolver nfs fscache rds binfmt_misc sb_edac intel_powerclamp
+coretemp kvm_intel kvm irqbypass crct10dif_pclmul c rc32_pclmul
+ghash_clmulni_intel pcbc aesni_intel crypto_simd glue_helper cryptd
+iTCO_wdt mei_me sg iTCO_vendor_support ipmi_si mei ipmi_devintf nfsd
+shpchp pcspkr i2c_i801 ioatd ma ipmi_msghandler wmi lpc_ich mfd_core
+auth_rpcgss nfs_acl lockd grace sunrpc ip_tables ext4 mbcache jbd2
+mgag200 i2c_algo_bit drm_kms_helper ixgbe syscopyarea ahci sysfillrect
+sysimgblt libahci mdio fb_sys_fops ttm ptp libata sd_mod mlx4_core drm
+crc32c_intel pps_core megaraid_sas i2c_core dca dm_mirror
+dm_region_hash dm_log dm_mod
+CPU: 48 PID: 45787 Comm: repro_set2 Not tainted 4.14.2-3.el7uek.x86_64 #2
+Hardware name: Oracle Corporation ORACLE SERVER X5-2L/ASM,MOBO TRAY,2U, BIOS 31110000 03/03/2017
+task: ffff882f9190db00 task.stack: ffffc9002b994000
+RIP: 0010:__rds_rdma_map+0x36/0x440 [rds]
+RSP: 0018:ffffc9002b997df0 EFLAGS: 00010202
+RAX: 0000000000000000 RBX: ffff882fa2182580 RCX: 0000000000000000
+RDX: 0000000000000000 RSI: ffffc9002b997e40 RDI: ffff882fa2182580
+RBP: ffffc9002b997e30 R08: 0000000000000000 R09: 0000000000000002
+R10: ffff885fb29e3838 R11: 0000000000000000 R12: ffff882fa2182580
+R13: ffff882fa2182580 R14: 0000000000000002 R15: 0000000020000ffc
+FS:  00007fbffa20b700(0000) GS:ffff882fbfb80000(0000) knlGS:0000000000000000
+CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00000000000000c0 CR3: 0000002f98a66006 CR4: 00000000001606e0
+Call Trace:
+ rds_get_mr+0x56/0x80 [rds]
+ rds_setsockopt+0x172/0x340 [rds]
+ ? __fget_light+0x25/0x60
+ ? __fdget+0x13/0x20
+ SyS_setsockopt+0x80/0xe0
+ do_syscall_64+0x67/0x1b0
+ entry_SYSCALL64_slow_path+0x25/0x25
+RIP: 0033:0x7fbff9b117f9
+RSP: 002b:00007fbffa20aed8 EFLAGS: 00000293 ORIG_RAX: 0000000000000036
+RAX: ffffffffffffffda RBX: 00000000000c84a4 RCX: 00007fbff9b117f9
+RDX: 0000000000000002 RSI: 0000400000000114 RDI: 000000000000109b
+RBP: 00007fbffa20af10 R08: 0000000000000020 R09: 00007fbff9dd7860
+R10: 0000000020000ffc R11: 0000000000000293 R12: 0000000000000000
+R13: 00007fbffa20b9c0 R14: 00007fbffa20b700 R15: 0000000000000021
+
+Code: 41 56 41 55 49 89 fd 41 54 53 48 83 ec 18 8b 87 f0 02 00 00 48
+89 55 d0 48 89 4d c8 85 c0 0f 84 2d 03 00 00 48 8b 87 00 03 00 00 <48>
+83 b8 c0 00 00 00 00 0f 84 25 03 00 0 0 48 8b 06 48 8b 56 08
+
+The fix is to check the existence of an underlying transport in
+__rds_rdma_map().
+
+Signed-off-by: Håkon Bugge <haakon.bugge@oracle.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/rds/rdma.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/rds/rdma.c
++++ b/net/rds/rdma.c
+@@ -184,7 +184,7 @@ static int __rds_rdma_map(struct rds_soc
+       long i;
+       int ret;
+-      if (rs->rs_bound_addr == 0) {
++      if (rs->rs_bound_addr == 0 || !rs->rs_transport) {
+               ret = -ENOTCONN; /* XXX not a great errno */
+               goto out;
+       }
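Review bot: The widened condition `if (rs->rs_bound_addr == 0 || !rs->rs_transport)` folds two distinct states, an unbound socket and a socket with no transport attached, into the same `-ENOTCONN`, and the existing `/* XXX not a great errno */` comment now covers the new case without saying so. Since the backport should stay identical to upstream, the useful addition is a comment on the new clause, e.g. `/* no transport yet: RDS_GET_MR / RDS_GET_MR_FOR_DEST can reach here before any transport is attached */`, so the next reader does not drop the check as redundant with the bound-address test. Whether `rs->rs_transport` can change concurrently with this read is not visible in the hunk and is worth a look. `__rds_rdma_map()` continues outside the hunk.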
index 3b50ec2ae7da025a4ea517b472b81c9f5c041a35..4fa7959e89812fc09a878d2caac2879fa4dfd89e 100644 (file)
@@ -23,3 +23,6 @@ media-dvb-i2c-transfers-over-usb-cannot-be-done-from-stack.patch
 arm64-kvm-fix-vttbr_baddr_mask-bug_on-off-by-one.patch
 kvm-vmx-remove-i-o-port-0x80-bypass-on-intel-hosts.patch
 arm64-fpsimd-prevent-registers-leaking-from-dead-tasks.patch
+rds-fix-null-pointer-dereference-in-__rds_rdma_map.patch
+sit-update-frag_off-info.patch
+net-packet-fix-a-race-in-packet_bind-and-packet_notifier.patch
diff --git a/queue-3.18/sit-update-frag_off-info.patch b/queue-3.18/sit-update-frag_off-info.patch
new file mode 100644 (file)
index 0000000..d223855
--- /dev/null
@@ -0,0 +1,32 @@
+From foo@baz Thu Dec 14 18:58:21 CET 2017
+From: Hangbin Liu <liuhangbin@gmail.com>
+Date: Thu, 30 Nov 2017 10:41:14 +0800
+Subject: sit: update frag_off info
+
+From: Hangbin Liu <liuhangbin@gmail.com>
+
+
+[ Upstream commit f859b4af1c52493ec21173ccc73d0b60029b5b88 ]
+
+After parsing the sit netlink change info, we forget to update frag_off in
+ipip6_tunnel_update(). Fix it by assigning frag_off with new value.
+
+Reported-by: Jianlin Shi <jishi@redhat.com>
+Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
+Acked-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/sit.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/ipv6/sit.c
++++ b/net/ipv6/sit.c
+@@ -1093,6 +1093,7 @@ static void ipip6_tunnel_update(struct i
+       ipip6_tunnel_link(sitn, t);
+       t->parms.iph.ttl = p->iph.ttl;
+       t->parms.iph.tos = p->iph.tos;
++      t->parms.iph.frag_off = p->iph.frag_off;
+       if (t->parms.link != p->link) {
+               t->parms.link = p->link;
+               ipip6_tunnel_bind_dev(t->dev);
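Review bot: The new `t->parms.iph.frag_off = p->iph.frag_off;` copies a caller-supplied header field into the tunnel template, and nothing in the hunk shows where `p->iph.frag_off` is constrained; in the ioctl path the parameters are presumably validated before `ipip6_tunnel_update()` is reached, and in the netlink path frag_off is presumably derived from the PMTU-discovery attribute rather than taken verbatim, but both are outside this hunk and worth confirming for 3.18 before queueing. If either path accepts arbitrary bits, a comment such as `/* frag_off is validated by the caller: only IP_DF may be set */` next to the assignment would document the assumption the copy relies on. `ipip6_tunnel_update()` starts and ends outside the hunk.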