+++ /dev/null
-From b0818f80c8c1bc215bba276bd61c216014fab23b Mon Sep 17 00:00:00 2001
-From: Mahesh Bandewar <maheshb@google.com>
-Date: Fri, 11 Oct 2019 18:14:55 -0700
-Subject: blackhole_netdev: fix syzkaller reported issue
-
-From: Mahesh Bandewar <maheshb@google.com>
-
-commit b0818f80c8c1bc215bba276bd61c216014fab23b upstream.
-
-While invalidating the dst, we assign backhole_netdev instead of
-loopback device. However, this device does not have idev pointer
-and hence no ip6_ptr even if IPv6 is enabled. Possibly this has
-triggered the syzbot reported crash.
-
-The syzbot report does not have reproducer, however, this is the
-only device that doesn't have matching idev created.
-
-Crash instruction is :
-
-static inline bool ip6_ignore_linkdown(const struct net_device *dev)
-{
- const struct inet6_dev *idev = __in6_dev_get(dev);
-
- return !!idev->cnf.ignore_routes_with_linkdown; <= crash
-}
-
-Also ipv6 always assumes presence of idev and never checks for it
-being NULL (as does the above referenced code). So adding a idev
-for the blackhole_netdev to avoid this class of crashes in the future.
-
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
----
- net/ipv6/addrconf.c | 7 ++++++-
- net/ipv6/route.c | 15 ++++++---------
- 2 files changed, 12 insertions(+), 10 deletions(-)
-
---- a/net/ipv6/addrconf.c
-+++ b/net/ipv6/addrconf.c
-@@ -6550,7 +6550,7 @@ static struct rtnl_af_ops inet6_ops __re
-
- int __init addrconf_init(void)
- {
-- struct inet6_dev *idev;
-+ struct inet6_dev *idev, *bdev;
- int i, err;
-
- err = ipv6_addr_label_init();
-@@ -6590,10 +6590,14 @@ int __init addrconf_init(void)
- */
- rtnl_lock();
- idev = ipv6_add_dev(init_net.loopback_dev);
-+ bdev = ipv6_add_dev(blackhole_netdev);
- rtnl_unlock();
- if (IS_ERR(idev)) {
- err = PTR_ERR(idev);
- goto errlo;
-+ } else if (IS_ERR(bdev)) {
-+ err = PTR_ERR(bdev);
-+ goto errlo;
- }
-
- ip6_route_init_special_entries();
-@@ -6660,6 +6664,7 @@ void addrconf_cleanup(void)
- addrconf_ifdown(dev, 1);
- }
- addrconf_ifdown(init_net.loopback_dev, 2);
-+ addrconf_ifdown(blackhole_netdev, 2);
-
- /*
- * Check hash table.
---- a/net/ipv6/route.c
-+++ b/net/ipv6/route.c
-@@ -148,10 +148,9 @@ static void rt6_uncached_list_del(struct
-
- static void rt6_uncached_list_flush_dev(struct net *net, struct net_device *dev)
- {
-- struct net_device *loopback_dev = net->loopback_dev;
- int cpu;
-
-- if (dev == loopback_dev)
-+ if (dev == net->loopback_dev)
- return;
-
- for_each_possible_cpu(cpu) {
-@@ -164,7 +163,7 @@ static void rt6_uncached_list_flush_dev(
- struct net_device *rt_dev = rt->dst.dev;
-
- if (rt_idev->dev == dev) {
-- rt->rt6i_idev = in6_dev_get(loopback_dev);
-+ rt->rt6i_idev = in6_dev_get(blackhole_netdev);
- in6_dev_put(rt_idev);
- }
-
-@@ -414,13 +413,11 @@ static void ip6_dst_ifdown(struct dst_en
- {
- struct rt6_info *rt = (struct rt6_info *)dst;
- struct inet6_dev *idev = rt->rt6i_idev;
-- struct net_device *loopback_dev =
-- dev_net(dev)->loopback_dev;
-
-- if (idev && idev->dev != loopback_dev) {
-- struct inet6_dev *loopback_idev = in6_dev_get(loopback_dev);
-- if (loopback_idev) {
-- rt->rt6i_idev = loopback_idev;
-+ if (idev && idev->dev != dev_net(dev)->loopback_dev) {
-+ struct inet6_dev *ibdev = in6_dev_get(blackhole_netdev);
-+ if (ibdev) {
-+ rt->rt6i_idev = ibdev;
- in6_dev_put(idev);
- }
- }
rxrpc-fix-call-ref-leak.patch
nfc-pn533-fix-use-after-free-and-memleaks.patch
bonding-fix-potential-null-deref-in-bond_update_slave_arr.patch
-blackhole_netdev-fix-syzkaller-reported-issue.patch
net-usb-sr9800-fix-uninitialized-local-variable.patch
sch_netem-fix-rcu-splat-in-netem_enqueue.patch
sctp-fix-the-issue-that-flags-are-ignored-when-using-kernel_connect.patch
+++ /dev/null
-From b0818f80c8c1bc215bba276bd61c216014fab23b Mon Sep 17 00:00:00 2001
-From: Mahesh Bandewar <maheshb@google.com>
-Date: Fri, 11 Oct 2019 18:14:55 -0700
-Subject: blackhole_netdev: fix syzkaller reported issue
-
-From: Mahesh Bandewar <maheshb@google.com>
-
-commit b0818f80c8c1bc215bba276bd61c216014fab23b upstream.
-
-While invalidating the dst, we assign backhole_netdev instead of
-loopback device. However, this device does not have idev pointer
-and hence no ip6_ptr even if IPv6 is enabled. Possibly this has
-triggered the syzbot reported crash.
-
-The syzbot report does not have reproducer, however, this is the
-only device that doesn't have matching idev created.
-
-Crash instruction is :
-
-static inline bool ip6_ignore_linkdown(const struct net_device *dev)
-{
- const struct inet6_dev *idev = __in6_dev_get(dev);
-
- return !!idev->cnf.ignore_routes_with_linkdown; <= crash
-}
-
-Also ipv6 always assumes presence of idev and never checks for it
-being NULL (as does the above referenced code). So adding a idev
-for the blackhole_netdev to avoid this class of crashes in the future.
-
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
----
- net/ipv6/addrconf.c | 7 ++++++-
- net/ipv6/route.c | 15 ++++++---------
- 2 files changed, 12 insertions(+), 10 deletions(-)
-
---- a/net/ipv6/addrconf.c
-+++ b/net/ipv6/addrconf.c
-@@ -6704,7 +6704,7 @@ static struct rtnl_af_ops inet6_ops __re
-
- int __init addrconf_init(void)
- {
-- struct inet6_dev *idev;
-+ struct inet6_dev *idev, *bdev;
- int i, err;
-
- err = ipv6_addr_label_init();
-@@ -6744,10 +6744,14 @@ int __init addrconf_init(void)
- */
- rtnl_lock();
- idev = ipv6_add_dev(init_net.loopback_dev);
-+ bdev = ipv6_add_dev(blackhole_netdev);
- rtnl_unlock();
- if (IS_ERR(idev)) {
- err = PTR_ERR(idev);
- goto errlo;
-+ } else if (IS_ERR(bdev)) {
-+ err = PTR_ERR(bdev);
-+ goto errlo;
- }
-
- ip6_route_init_special_entries();
-@@ -6832,6 +6836,7 @@ void addrconf_cleanup(void)
- addrconf_ifdown(dev, 1);
- }
- addrconf_ifdown(init_net.loopback_dev, 2);
-+ addrconf_ifdown(blackhole_netdev, 2);
-
- /*
- * Check hash table.
---- a/net/ipv6/route.c
-+++ b/net/ipv6/route.c
-@@ -158,10 +158,9 @@ void rt6_uncached_list_del(struct rt6_in
-
- static void rt6_uncached_list_flush_dev(struct net *net, struct net_device *dev)
- {
-- struct net_device *loopback_dev = net->loopback_dev;
- int cpu;
-
-- if (dev == loopback_dev)
-+ if (dev == net->loopback_dev)
- return;
-
- for_each_possible_cpu(cpu) {
-@@ -174,7 +173,7 @@ static void rt6_uncached_list_flush_dev(
- struct net_device *rt_dev = rt->dst.dev;
-
- if (rt_idev->dev == dev) {
-- rt->rt6i_idev = in6_dev_get(loopback_dev);
-+ rt->rt6i_idev = in6_dev_get(blackhole_netdev);
- in6_dev_put(rt_idev);
- }
-
-@@ -391,13 +390,11 @@ static void ip6_dst_ifdown(struct dst_en
- {
- struct rt6_info *rt = (struct rt6_info *)dst;
- struct inet6_dev *idev = rt->rt6i_idev;
-- struct net_device *loopback_dev =
-- dev_net(dev)->loopback_dev;
-
-- if (idev && idev->dev != loopback_dev) {
-- struct inet6_dev *loopback_idev = in6_dev_get(loopback_dev);
-- if (loopback_idev) {
-- rt->rt6i_idev = loopback_idev;
-+ if (idev && idev->dev != dev_net(dev)->loopback_dev) {
-+ struct inet6_dev *ibdev = in6_dev_get(blackhole_netdev);
-+ if (ibdev) {
-+ rt->rt6i_idev = ibdev;
- in6_dev_put(idev);
- }
- }
rxrpc-fix-trace-after-put-looking-at-the-put-peer-record.patch
nfc-pn533-fix-use-after-free-and-memleaks.patch
bonding-fix-potential-null-deref-in-bond_update_slave_arr.patch
-blackhole_netdev-fix-syzkaller-reported-issue.patch
net-usb-sr9800-fix-uninitialized-local-variable.patch
sch_netem-fix-rcu-splat-in-netem_enqueue.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
