From: Greg Kroah-Hartman
Date: Fri, 21 Feb 2020 07:21:13 +0000 (+0100)
Subject: 4.14-stable patches
X-Git-Tag: v4.19.106~11
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=0179bcaaae977008c90f258d2c94cfc492c9faaa;p=thirdparty%2Fkernel%2Fstable-queue.git
4.14-stable patches
added patches:
enic-prevent-waking-up-stopped-tx-queues-over-watchdog-reset.patch
net-dsa-tag_qca-make-sure-there-is-headroom-for-tag.patch
net-sched-flower-add-missing-validation-of-tca_flower_flags.patch
net-sched-matchall-add-missing-validation-of-tca_matchall_flags.patch
net-smc-fix-leak-of-kernel-memory-to-user-space.patch
---
diff --git a/queue-4.14/enic-prevent-waking-up-stopped-tx-queues-over-watchdog-reset.patch b/queue-4.14/enic-prevent-waking-up-stopped-tx-queues-over-watchdog-reset.patch
new file mode 100644
index 00000000000..b9dcf686683
--- /dev/null
+++ b/queue-4.14/enic-prevent-waking-up-stopped-tx-queues-over-watchdog-reset.patch
@@ -0,0 +1,57 @@
+From foo@baz Fri 21 Feb 2020 08:12:47 AM CET
+From: Firo Yang
+Date: Wed, 12 Feb 2020 06:09:17 +0100
+Subject: enic: prevent waking up stopped tx queues over watchdog reset
+
+From: Firo Yang
+
+[ Upstream commit 0f90522591fd09dd201065c53ebefdfe3c6b55cb ]
+
+Recent months, our customer reported several kernel crashes all
+preceding with following message:
+NETDEV WATCHDOG: eth2 (enic): transmit queue 0 timed out
+Error message of one of those crashes:
+BUG: unable to handle kernel paging request at ffffffffa007e090
+
+After analyzing severl vmcores, I found that most of crashes are
+caused by memory corruption. And all the corrupted memory areas
+are overwritten by data of network packets. Moreover, I also found
+that the tx queues were enabled over watchdog reset.
+
+After going through the source code, I found that in enic_stop(),
+the tx queues stopped by netif_tx_disable() could be woken up over
+a small time window between netif_tx_disable() and the
+napi_disable() by the following code path:
+napi_poll->
+ enic_poll_msix_wq->
+ vnic_cq_service->
+ enic_wq_service->
+ netif_wake_subqueue(enic->netdev, q_number)->
+ test_and_clear_bit(__QUEUE_STATE_DRV_XOFF, &txq->state)
+In turn, upper netowrk stack could queue skb to ENIC NIC though
+enic_hard_start_xmit(). And this might introduce some race condition.
+
+Our customer comfirmed that this kind of kernel crash doesn't occur over
+90 days since they applied this patch.
+
+Signed-off-by: Firo Yang
+Signed-off-by: David S. 
Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/cisco/enic/enic_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/cisco/enic/enic_main.c
++++ b/drivers/net/ethernet/cisco/enic/enic_main.c
+@@ -1972,10 +1972,10 @@ static int enic_stop(struct net_device *
+ napi_disable(&enic->napi[i]);
+
+ netif_carrier_off(netdev);
+- netif_tx_disable(netdev);
+ if (vnic_dev_get_intr_mode(enic->vdev) == VNIC_DEV_INTR_MODE_MSIX)
+ for (i = 0; i < enic->wq_count; i++)
+ napi_disable(&enic->napi[enic_cq_wq(enic, i)]);
++ netif_tx_disable(netdev);
+
+ if (!enic_is_dynamic(enic) && !enic_is_sriov_vf(enic))
+ enic_dev_del_station_addr(enic);
diff --git a/queue-4.14/net-dsa-tag_qca-make-sure-there-is-headroom-for-tag.patch b/queue-4.14/net-dsa-tag_qca-make-sure-there-is-headroom-for-tag.patch
new file mode 100644
index 00000000000..a4e1ce2d8b9
--- /dev/null
+++ b/queue-4.14/net-dsa-tag_qca-make-sure-there-is-headroom-for-tag.patch
@@ -0,0 +1,33 @@
+From foo@baz Fri 21 Feb 2020 08:12:47 AM CET
+From: Per Forlin
+Date: Thu, 13 Feb 2020 15:37:09 +0100
+Subject: net: dsa: tag_qca: Make sure there is headroom for tag
+
+From: Per Forlin
+
+[ Upstream commit 04fb91243a853dbde216d829c79d9632e52aa8d9 ]
+
+Passing tag size to skb_cow_head will make sure
+there is enough headroom for the tag data.
+This change does not introduce any overhead in case there
+is already available headroom for tag.
+
+Signed-off-by: Per Forlin
+Reviewed-by: Florian Fainelli
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/dsa/tag_qca.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/dsa/tag_qca.c
++++ b/net/dsa/tag_qca.c
+@@ -41,7 +41,7 @@ static struct sk_buff *qca_tag_xmit(stru
+ struct dsa_slave_priv *p = netdev_priv(dev);
+ u16 *phdr, hdr;
+
+- if (skb_cow_head(skb, 0) < 0)
++ if (skb_cow_head(skb, QCA_HDR_LEN) < 0)
+ return NULL;
+
+ skb_push(skb, QCA_HDR_LEN);
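Review bot: The relocated `netif_tx_disable(netdev)` carries no comment explaining why it now sits after the wq `napi_disable()` loop, so a later tidy-up could move it back beside `netif_carrier_off()` and silently reopen the wake-up window the commit message describes (enic_wq_service() reaching netif_wake_subqueue() while the queues are supposed to be stopped). A one-line comment above it, `/* Must follow the wq napi_disable() loop: enic_wq_service() can still wake tx queues until then */`, would pin the ordering for future readers. enic_stop() begins before the hunk and continues after it.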
diff --git a/queue-4.14/net-sched-flower-add-missing-validation-of-tca_flower_flags.patch b/queue-4.14/net-sched-flower-add-missing-validation-of-tca_flower_flags.patch
new file mode 100644
index 00000000000..68756838b81
--- /dev/null
+++ b/queue-4.14/net-sched-flower-add-missing-validation-of-tca_flower_flags.patch
@@ -0,0 +1,33 @@
+From foo@baz Fri 21 Feb 2020 08:12:47 AM CET
+From: Davide Caratti
+Date: Tue, 11 Feb 2020 19:33:40 +0100
+Subject: net/sched: flower: add missing validation of TCA_FLOWER_FLAGS
+
+From: Davide Caratti
+
+[ Upstream commit e2debf0852c4d66ba1a8bde12869b196094c70a7 ]
+
+unlike other classifiers that can be offloaded (i.e. users can set flags
+like 'skip_hw' and 'skip_sw'), 'cls_flower' doesn't validate the size of
+netlink attribute 'TCA_FLOWER_FLAGS' provided by user: add a proper entry
+to fl_policy.
+
+Fixes: 5b33f48842fa ("net/flower: Introduce hardware offload support")
+Signed-off-by: Davide Caratti
+Acked-by: Jiri Pirko
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/sched/cls_flower.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/sched/cls_flower.c
++++ b/net/sched/cls_flower.c
+@@ -445,6 +445,7 @@ static const struct nla_policy fl_policy
+ [TCA_FLOWER_KEY_IP_TOS_MASK] = { .type = NLA_U8 },
+ [TCA_FLOWER_KEY_IP_TTL] = { .type = NLA_U8 },
+ [TCA_FLOWER_KEY_IP_TTL_MASK] = { .type = NLA_U8 },
++ [TCA_FLOWER_FLAGS] = { .type = NLA_U32 },
+ };
+
+ static void fl_set_key_val(struct nlattr **tb,
diff --git a/queue-4.14/net-sched-matchall-add-missing-validation-of-tca_matchall_flags.patch b/queue-4.14/net-sched-matchall-add-missing-validation-of-tca_matchall_flags.patch
new file mode 100644
index 00000000000..33c31a9390b
--- /dev/null
+++ b/queue-4.14/net-sched-matchall-add-missing-validation-of-tca_matchall_flags.patch
@@ -0,0 +1,33 @@
+From foo@baz Fri 21 Feb 2020 08:12:47 AM CET
+From: Davide Caratti
+Date: Tue, 11 Feb 2020 19:33:39 +0100
+Subject: net/sched: matchall: add missing validation of TCA_MATCHALL_FLAGS
+
+From: Davide Caratti
+
+[ Upstream commit 1afa3cc90f8fb745c777884d79eaa1001d6927a6 ]
+
+unlike other classifiers that can be offloaded (i.e. users can set flags
+like 'skip_hw' and 'skip_sw'), 'cls_matchall' doesn't validate the size
+of netlink attribute 'TCA_MATCHALL_FLAGS' provided by user: add a proper
+entry to mall_policy.
+
+Fixes: b87f7936a932 ("net/sched: Add match-all classifier hw offloading.")
+Signed-off-by: Davide Caratti
+Acked-by: Jiri Pirko
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/sched/cls_matchall.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/sched/cls_matchall.c
++++ b/net/sched/cls_matchall.c
+@@ -136,6 +136,7 @@ static void *mall_get(struct tcf_proto *
+ static const struct nla_policy mall_policy[TCA_MATCHALL_MAX + 1] = {
+ [TCA_MATCHALL_UNSPEC] = { .type = NLA_UNSPEC },
+ [TCA_MATCHALL_CLASSID] = { .type = NLA_U32 },
++ [TCA_MATCHALL_FLAGS] = { .type = NLA_U32 },
+ };
+
+ static int mall_set_parms(struct net *net, struct tcf_proto *tp,
diff --git a/queue-4.14/net-smc-fix-leak-of-kernel-memory-to-user-space.patch b/queue-4.14/net-smc-fix-leak-of-kernel-memory-to-user-space.patch
new file mode 100644
index 00000000000..9ec42927946
--- /dev/null
+++ b/queue-4.14/net-smc-fix-leak-of-kernel-memory-to-user-space.patch
@@ -0,0 +1,110 @@
+From foo@baz Fri 21 Feb 2020 08:12:47 AM CET
+From: Eric Dumazet
+Date: Mon, 10 Feb 2020 11:36:13 -0800
+Subject: net/smc: fix leak of kernel memory to user space
+
+From: Eric Dumazet
+
+[ Upstream commit 457fed775c97ac2c0cd1672aaf2ff2c8a6235e87 ]
+
+As nlmsg_put() does not clear the memory that is reserved,
+it this the caller responsability to make sure all of this
+memory will be written, in order to not reveal prior content.
+
+While we are at it, we can provide the socket cookie even
+if clsock is not set.
+
+syzbot reported :
+
+BUG: KMSAN: uninit-value in __arch_swab32 arch/x86/include/uapi/asm/swab.h:10 [inline]
+BUG: KMSAN: uninit-value in __fswab32 include/uapi/linux/swab.h:59 [inline]
+BUG: KMSAN: uninit-value in __swab32p include/uapi/linux/swab.h:179 [inline]
+BUG: KMSAN: uninit-value in __be32_to_cpup include/uapi/linux/byteorder/little_endian.h:82 [inline]
+BUG: KMSAN: uninit-value in get_unaligned_be32 include/linux/unaligned/access_ok.h:30 [inline]
+BUG: KMSAN: uninit-value in ____bpf_skb_load_helper_32 net/core/filter.c:240 [inline]
+BUG: KMSAN: uninit-value in ____bpf_skb_load_helper_32_no_cache net/core/filter.c:255 [inline]
+BUG: KMSAN: uninit-value in bpf_skb_load_helper_32_no_cache+0x14a/0x390 net/core/filter.c:252
+CPU: 1 PID: 5262 Comm: syz-executor.5 Not tainted 5.5.0-rc5-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x1c9/0x220 lib/dump_stack.c:118
+ kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:118
+ __msan_warning+0x58/0xa0 mm/kmsan/kmsan_instr.c:215
+ __arch_swab32 arch/x86/include/uapi/asm/swab.h:10 [inline]
+ __fswab32 include/uapi/linux/swab.h:59 [inline]
+ __swab32p include/uapi/linux/swab.h:179 [inline]
+ __be32_to_cpup include/uapi/linux/byteorder/little_endian.h:82 [inline]
+ get_unaligned_be32 include/linux/unaligned/access_ok.h:30 [inline]
+ ____bpf_skb_load_helper_32 
net/core/filter.c:240 [inline]
+ ____bpf_skb_load_helper_32_no_cache net/core/filter.c:255 [inline]
+ bpf_skb_load_helper_32_no_cache+0x14a/0x390 net/core/filter.c:252
+
+Uninit was created at:
+ kmsan_save_stack_with_flags mm/kmsan/kmsan.c:144 [inline]
+ kmsan_internal_poison_shadow+0x66/0xd0 mm/kmsan/kmsan.c:127
+ kmsan_kmalloc_large+0x73/0xc0 mm/kmsan/kmsan_hooks.c:128
+ kmalloc_large_node_hook mm/slub.c:1406 [inline]
+ kmalloc_large_node+0x282/0x2c0 mm/slub.c:3841
+ __kmalloc_node_track_caller+0x44b/0x1200 mm/slub.c:4368
+ __kmalloc_reserve net/core/skbuff.c:141 [inline]
+ __alloc_skb+0x2fd/0xac0 net/core/skbuff.c:209
+ alloc_skb include/linux/skbuff.h:1049 [inline]
+ netlink_dump+0x44b/0x1ab0 net/netlink/af_netlink.c:2224
+ __netlink_dump_start+0xbb2/0xcf0 net/netlink/af_netlink.c:2352
+ netlink_dump_start include/linux/netlink.h:233 [inline]
+ smc_diag_handler_dump+0x2ba/0x300 net/smc/smc_diag.c:242
+ sock_diag_rcv_msg+0x211/0x610 net/core/sock_diag.c:256
+ netlink_rcv_skb+0x451/0x650 net/netlink/af_netlink.c:2477
+ sock_diag_rcv+0x63/0x80 net/core/sock_diag.c:275
+ netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline]
+ netlink_unicast+0xf9e/0x1100 net/netlink/af_netlink.c:1328
+ netlink_sendmsg+0x1248/0x14d0 net/netlink/af_netlink.c:1917
+ sock_sendmsg_nosec net/socket.c:639 [inline]
+ sock_sendmsg net/socket.c:659 [inline]
+ kernel_sendmsg+0x433/0x440 net/socket.c:679
+ sock_no_sendpage+0x235/0x300 net/core/sock.c:2740
+ kernel_sendpage net/socket.c:3776 [inline]
+ sock_sendpage+0x1e1/0x2c0 net/socket.c:937
+ pipe_to_sendpage+0x38c/0x4c0 fs/splice.c:458
+ splice_from_pipe_feed fs/splice.c:512 [inline]
+ __splice_from_pipe+0x539/0xed0 fs/splice.c:636
+ splice_from_pipe fs/splice.c:671 [inline]
+ generic_splice_sendpage+0x1d5/0x2d0 fs/splice.c:844
+ do_splice_from fs/splice.c:863 [inline]
+ do_splice fs/splice.c:1170 [inline]
+ __do_sys_splice fs/splice.c:1447 [inline]
+ __se_sys_splice+0x2380/0x3350 fs/splice.c:1427
+ __x64_sys_splice+0x6e/0x90 
fs/splice.c:1427
+ do_syscall_64+0xb8/0x160 arch/x86/entry/common.c:296
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+Fixes: f16a7dd5cf27 ("smc: netlink interface for SMC sockets")
+Signed-off-by: Eric Dumazet
+Cc: Ursula Braun
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/smc/smc_diag.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/net/smc/smc_diag.c
++++ b/net/smc/smc_diag.c
+@@ -38,15 +38,14 @@ static void smc_diag_msg_common_fill(str
+ {
+ struct smc_sock *smc = smc_sk(sk);
+
++ memset(r, 0, sizeof(*r));
+ r->diag_family = sk->sk_family;
++ sock_diag_save_cookie(sk, r->id.idiag_cookie);
+ if (!smc->clcsock)
+ return;
+ r->id.idiag_sport = htons(smc->clcsock->sk->sk_num);
+ r->id.idiag_dport = smc->clcsock->sk->sk_dport;
+ r->id.idiag_if = smc->clcsock->sk->sk_bound_dev_if;
+- sock_diag_save_cookie(sk, r->id.idiag_cookie);
+- memset(&r->id.idiag_src, 0, sizeof(r->id.idiag_src));
+- memset(&r->id.idiag_dst, 0, sizeof(r->id.idiag_dst));
+ r->id.idiag_src[0] = smc->clcsock->sk->sk_rcv_saddr;
+ r->id.idiag_dst[0] = smc->clcsock->sk->sk_daddr;
+ }
diff --git a/queue-4.14/selinux-ensure-we-cleanup-the-internal-avc-counters-.patch b/queue-4.14/selinux-ensure-we-cleanup-the-internal-avc-counters-.patch
index b9cd53b1710..c092324d880 100644
--- a/queue-4.14/selinux-ensure-we-cleanup-the-internal-avc-counters-.patch
+++ b/queue-4.14/selinux-ensure-we-cleanup-the-internal-avc-counters-.patch
@@ -19,14 +19,12 @@ Signed-off-by: Ravi Kumar Siddojigari Signed-off-by: Paul Moore Signed-off-by: Sasha Levin --- - security/selinux/avc.c | 2 +- + security/selinux/avc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) -diff --git a/security/selinux/avc.c b/security/selinux/avc.c -index 2380b8d72cecb..23f387b30ece6 100644 --- a/security/selinux/avc.c 
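Review bot: The new `memset(r, 0, sizeof(*r))` is the entire fix, yet nothing in the code says why it must come before `r->diag_family = ...` and the `if (!smc->clcsock) return;` early return, so a later edit could move it below the return or drop it as apparently redundant with the assignments that follow. A comment above it, `/* nlmsg_put() does not zero the reserved payload: clear the whole message first so the early return below cannot expose stale kernel memory */`, would record the invariant the syzbot report is about. Moving `sock_diag_save_cookie()` ahead of the early return is consistent with that intent, since the cookie is now filled in on both paths. The function's signature is cut off in the hunk header, and whatever the caller fills in after this function returns is outside the hunk; it is presumably covered by the same memset, but that cannot be confirmed from here.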
+++ b/security/selinux/avc.c -@@ -863,7 +863,7 @@ static int avc_update_node(u32 event, u32 perms, u8 driver, u8 xperm, u32 ssid, +@@ -863,7 +863,7 @@ static int avc_update_node(u32 event, u3 if (orig->ae.xp_node) { rc = avc_xperms_populate(node, orig->ae.xp_node); if (rc) { @@ -35,6 +33,3 @@ index 2380b8d72cecb..23f387b30ece6 100644 goto out_unlock; } } --- -2.20.1 -
diff --git a/queue-4.14/series b/queue-4.14/series
index cefb5421b7c..96a5172ac80 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -165,3 +165,8 @@ help_next-should-increase-position-index.patch
 virtio_balloon-prevent-pfn-array-overflow.patch
 mlxsw-spectrum_dpipe-add-missing-error-path.patch
 selinux-ensure-we-cleanup-the-internal-avc-counters-.patch
+enic-prevent-waking-up-stopped-tx-queues-over-watchdog-reset.patch
+net-dsa-tag_qca-make-sure-there-is-headroom-for-tag.patch
+net-sched-matchall-add-missing-validation-of-tca_matchall_flags.patch
+net-sched-flower-add-missing-validation-of-tca_flower_flags.patch
+net-smc-fix-leak-of-kernel-memory-to-user-space.patch