From: Greg Kroah-Hartman
Date: Sat, 4 Aug 2018 07:33:48 +0000 (+0200)
Subject: 4.4-stable patches
X-Git-Tag: v4.17.13~12
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=05f65cc243da33bdacf5c27654843a145e83a9ef;p=thirdparty%2Fkernel%2Fstable-queue.git
4.4-stable patches
added patches:
inet-frag-enforce-memory-limits-earlier.patch
net-dsa-do-not-suspend-resume-closed-slave_dev.patch
netlink-fix-spectre-v1-gadget-in-netlink_create.patch
---
diff --git a/queue-4.4/inet-frag-enforce-memory-limits-earlier.patch b/queue-4.4/inet-frag-enforce-memory-limits-earlier.patch
new file mode 100644
index 00000000000..f777d327c1d
--- /dev/null
+++ b/queue-4.4/inet-frag-enforce-memory-limits-earlier.patch
@@ -0,0 +1,60 @@
+From foo@baz Sat Aug 4 09:13:52 CEST 2018
+From: Eric Dumazet
+Date: Mon, 30 Jul 2018 20:09:11 -0700
+Subject: inet: frag: enforce memory limits earlier
+
+From: Eric Dumazet
+
+[ Upstream commit 56e2c94f055d328f5f6b0a5c1721cca2f2d4e0a1 ]
+
+We currently check current frags memory usage only when
+a new frag queue is created. This allows attackers to first
+consume the memory budget (default : 4 MB) creating thousands
+of frag queues, then sending tiny skbs to exceed high_thresh
+limit by 2 to 3 order of magnitude.
+
+Note that before commit 648700f76b03 ("inet: frags: use rhashtables
+for reassembly units"), work queue could be starved under DOS,
+getting no cpu cycles.
+After commit 648700f76b03, only the per frag queue timer can eventually
+remove an incomplete frag queue and its skbs.
+
+Fixes: b13d3cbfb8e8 ("inet: frag: move eviction of queues to work queue")
+Signed-off-by: Eric Dumazet
+Reported-by: Jann Horn
+Cc: Florian Westphal
+Cc: Peter Oskolkov
+Cc: Paolo Abeni
+Acked-by: Florian Westphal
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv4/inet_fragment.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/net/ipv4/inet_fragment.c
++++ b/net/ipv4/inet_fragment.c
+@@ -364,11 +364,6 @@ static struct inet_frag_queue *inet_frag
+ {
+ struct inet_frag_queue *q;
+
+- if (frag_mem_limit(nf) > nf->high_thresh) {
+- inet_frag_schedule_worker(f);
+- return NULL;
+- }
+-
+ q = kmem_cache_zalloc(f->frags_cachep, GFP_ATOMIC);
+ if (!q)
+ return NULL;
+@@ -405,6 +400,11 @@ struct inet_frag_queue *inet_frag_find(s
+ struct inet_frag_queue *q;
+ int depth = 0;
+
++ if (!nf->high_thresh || frag_mem_limit(nf) > nf->high_thresh) {
++ inet_frag_schedule_worker(f);
++ return NULL;
++ }
++
+ if (frag_mem_limit(nf) > nf->low_thresh)
+ inet_frag_schedule_worker(f);
+
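Review bot: The added `!nf->high_thresh` term in `inet_frag_find()` makes a zero threshold reject every fragment, which differs from the removed check (that one only fired once usage was above zero) and is neither mentioned in the description nor commented in the code. Because the test now runs before the queue lookup, fragments belonging to queues that already exist are also dropped while usage is above `high_thresh`; that is what bounds attacker-driven growth, but it deserves a comment such as `/* high_thresh == 0 disables reassembly; over budget we also drop fragments of existing queues */`. Whether these early drops are counted is decided by the callers, which are outside the hunk, so it is worth confirming that a reassembly-failure counter makes sustained pressure visible to operators. The body of `inet_frag_find()` continues outside the hunk.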
diff --git a/queue-4.4/net-dsa-do-not-suspend-resume-closed-slave_dev.patch b/queue-4.4/net-dsa-do-not-suspend-resume-closed-slave_dev.patch
new file mode 100644
index 00000000000..d1f5444b5eb
--- /dev/null
+++ b/queue-4.4/net-dsa-do-not-suspend-resume-closed-slave_dev.patch
@@ -0,0 +1,43 @@
+From foo@baz Sat Aug 4 09:13:52 CEST 2018
+From: Florian Fainelli
+Date: Tue, 31 Jul 2018 17:12:52 -0700
+Subject: net: dsa: Do not suspend/resume closed slave_dev
+
+From: Florian Fainelli
+
+[ Upstream commit a94c689e6c9e72e722f28339e12dff191ee5a265 ]
+
+If a DSA slave network device was previously disabled, there is no need
+to suspend or resume it.
+
+Fixes: 2446254915a7 ("net: dsa: allow switch drivers to implement suspend/resume hooks")
+Signed-off-by: Florian Fainelli
+Reviewed-by: Andrew Lunn
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/dsa/slave.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/net/dsa/slave.c
++++ b/net/dsa/slave.c
+@@ -1099,6 +1099,9 @@ int dsa_slave_suspend(struct net_device
+ {
+ struct dsa_slave_priv *p = netdev_priv(slave_dev);
+
++ if (!netif_running(slave_dev))
++ return 0;
++
+ netif_device_detach(slave_dev);
+
+ if (p->phy) {
+@@ -1116,6 +1119,9 @@ int dsa_slave_resume(struct net_device *
+ {
+ struct dsa_slave_priv *p = netdev_priv(slave_dev);
+
++ if (!netif_running(slave_dev))
++ return 0;
++
+ netif_device_attach(slave_dev);
+
+ if (p->phy) {
diff --git a/queue-4.4/netlink-fix-spectre-v1-gadget-in-netlink_create.patch b/queue-4.4/netlink-fix-spectre-v1-gadget-in-netlink_create.patch
new file mode 100644
index 00000000000..9497fe5060e
--- /dev/null
+++ b/queue-4.4/netlink-fix-spectre-v1-gadget-in-netlink_create.patch
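Review bot: The `netif_running()` guards added to `dsa_slave_suspend()` and `dsa_slave_resume()` return before the `if (p->phy)` block as well as before the detach/attach call, and nothing in the code records that skipping the PHY handling for a closed port is intended. The body of that block lies outside the hunk, so it cannot be checked from here whether a closed port's PHY is already in the state suspend would leave it in. A one-line comment on each guard, for example `/* port is closed: nothing was started, so nothing to suspend */` and the matching one for resume, would document the assumption.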
@@ -0,0 +1,51 @@
+From foo@baz Sat Aug 4 09:13:52 CEST 2018
+From: Jeremy Cline
+Date: Tue, 31 Jul 2018 21:13:16 +0000
+Subject: netlink: Fix spectre v1 gadget in netlink_create()
+
+From: Jeremy Cline
+
+[ Upstream commit bc5b6c0b62b932626a135f516a41838c510c6eba ]
+
+'protocol' is a user-controlled value, so sanitize it after the bounds
+check to avoid using it for speculative out-of-bounds access to arrays
+indexed by it.
+
+This addresses the following accesses detected with the help of smatch:
+
+* net/netlink/af_netlink.c:654 __netlink_create() warn: potential
+ spectre issue 'nlk_cb_mutex_keys' [w]
+
+* net/netlink/af_netlink.c:654 __netlink_create() warn: potential
+ spectre issue 'nlk_cb_mutex_key_strings' [w]
+
+* net/netlink/af_netlink.c:685 netlink_create() warn: potential spectre
+ issue 'nl_table' [w] (local cap)
+
+Cc: Josh Poimboeuf
+Signed-off-by: Jeremy Cline
+Reviewed-by: Josh Poimboeuf
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/netlink/af_netlink.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/netlink/af_netlink.c
++++ b/net/netlink/af_netlink.c
+@@ -62,6 +62,7 @@
+ #include
+ #include
+ #include
++#include
+
+ #include
+ #include
+@@ -654,6 +655,7 @@ static int netlink_create(struct net *ne
+
+ if (protocol < 0 || protocol >= MAX_LINKS)
+ return -EPROTONOSUPPORT;
++ protocol = array_index_nospec(protocol, MAX_LINKS);
+
+ netlink_lock_table();
+ #ifdef CONFIG_MODULES
diff --git a/queue-4.4/series b/queue-4.4/series
index 7e383bb9bc8..9b9ca3925c1 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
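Review bot: The `#include` added in the first inner hunk has lost its header name in this rendering, so the page does not show that the 4.4 tree provides the header declaring `array_index_nospec()`; the queue should be build-tested with this patch applied. The clamp itself sits in the right place, directly after the `protocol < 0 || protocol >= MAX_LINKS` check and assigned back to `protocol`, but it carries no comment; I would add `/* protocol is user-controlled: clamp it under speculation before it indexes per-protocol arrays */` above the new line. The description quotes smatch hits at line 685 for `netlink_create()` while this hunk lands at line 655, so those line numbers apparently come from a different version of the file. The array uses in the 4.4 body of `netlink_create()`, which continues outside the hunk, should be checked to confirm they all come after the clamp.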
@@ -111,3 +111,6 @@ tcp-add-max_quickacks-param-to-tcp_incr_quickack-and-tcp_enter_quickack_mode.pat
 tcp-do-not-aggressively-quick-ack-after-ecn-events.patch
 tcp-refactor-tcp_ecn_check_ce-to-remove-sk-type-cast.patch
 tcp-add-one-more-quick-ack-after-after-ecn-events.patch
+inet-frag-enforce-memory-limits-earlier.patch
+net-dsa-do-not-suspend-resume-closed-slave_dev.patch
+netlink-fix-spectre-v1-gadget-in-netlink_create.patch