From: Greg Kroah-Hartman
Date: Wed, 26 Sep 2018 11:32:35 +0000 (+0200)
Subject: 4.4-stable patches
X-Git-Tag: v4.18.11~22
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=13e7b7daeb433ca820c31397cb9ebbebf3db8029;p=thirdparty%2Fkernel%2Fstable-queue.git
4.4-stable patches
added patches:
gso_segment-reset-skb-mac_len-after-modifying-network-header.patch
ipv6-fix-possible-use-after-free-in-ip6_xmit.patch
neighbour-confirm-neigh-entries-when-arp-packet-is-received.patch
net-appletalk-fix-minor-pointer-leak-to-userspace-in-siocfindipddprt.patch
net-hp100-fix-always-true-check-for-link-up-state.patch
---
diff --git a/queue-4.4/gso_segment-reset-skb-mac_len-after-modifying-network-header.patch b/queue-4.4/gso_segment-reset-skb-mac_len-after-modifying-network-header.patch
new file mode 100644
index 00000000000..88edc0f699b
--- /dev/null
+++ b/queue-4.4/gso_segment-reset-skb-mac_len-after-modifying-network-header.patch
@@ -0,0 +1,55 @@
+From foo@baz Wed Sep 26 13:12:43 CEST 2018
+From: "Toke Høiland-Jørgensen"
+Date: Thu, 13 Sep 2018 16:43:07 +0200
+Subject: gso_segment: Reset skb->mac_len after modifying network header
+
+From: "Toke Høiland-Jørgensen"
+
+[ Upstream commit c56cae23c6b167acc68043c683c4573b80cbcc2c ]
+
+When splitting a GSO segment that consists of encapsulated packets, the
+skb->mac_len of the segments can end up being set wrong, causing packet
+drops in particular when using act_mirred and ifb interfaces in
+combination with a qdisc that splits GSO packets.
+
+This happens because at the time skb_segment() is called, network_header
+will point to the inner header, throwing off the calculation in
+skb_reset_mac_len(). The network_header is subsequently adjust by the
+outer IP gso_segment handlers, but they don't set the mac_len.
+
+Fix this by adding skb_reset_mac_len() calls to both the IPv4 and IPv6
+gso_segment handlers, after they modify the network_header.
+
+Many thanks to Eric Dumazet for his help in identifying the cause of
+the bug.
+
+Acked-by: Dave Taht
+Reviewed-by: Eric Dumazet
+Signed-off-by: Toke Høiland-Jørgensen
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv4/af_inet.c | 1 +
+ net/ipv6/ip6_offload.c | 1 +
+ 2 files changed, 2 insertions(+)
+
+--- a/net/ipv4/af_inet.c
++++ b/net/ipv4/af_inet.c
+@@ -1280,6 +1280,7 @@ static struct sk_buff *inet_gso_segment(
+ if (encap)
+ skb_reset_inner_headers(skb);
+ skb->network_header = (u8 *)iph - skb->head;
++ skb_reset_mac_len(skb);
+ } while ((skb = skb->next));
+
+ out:
+--- a/net/ipv6/ip6_offload.c
++++ b/net/ipv6/ip6_offload.c
+@@ -118,6 +118,7 @@ static struct sk_buff *ipv6_gso_segment(
+ ipv6h = (struct ipv6hdr *)(skb_mac_header(skb) + nhoff);
+ ipv6h->payload_len = htons(skb->len - nhoff - sizeof(*ipv6h));
+ skb->network_header = (u8 *)ipv6h - skb->head;
++ skb_reset_mac_len(skb);
+
+ if (udpfrag) {
+ int err = ip6_find_1stfragopt(skb, &prevhdr);
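Review bot: The two added `skb_reset_mac_len(skb)` calls, in inet_gso_segment() and ipv6_gso_segment(), carry no comment saying why mac_len has to be recomputed at exactly this point, so a later refactor that reorders the `skb->network_header = ...` assignment has nothing telling it the order matters. The reason lives only in the commit message: skb_segment() derived mac_len while network_header still pointed at the inner header, and that value is stale once the outer header is restored here. Suggest `/* network_header was just moved back to the outer header; mac_len was computed from the inner one in skb_segment() */` above each call. Both enclosing functions start and end outside the hunk.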
diff --git a/queue-4.4/ipv6-fix-possible-use-after-free-in-ip6_xmit.patch b/queue-4.4/ipv6-fix-possible-use-after-free-in-ip6_xmit.patch
new file mode 100644
index 00000000000..d56e3bdf3de
--- /dev/null
+++ b/queue-4.4/ipv6-fix-possible-use-after-free-in-ip6_xmit.patch
@@ -0,0 +1,41 @@
+From foo@baz Wed Sep 26 13:12:43 CEST 2018
+From: Eric Dumazet
+Date: Fri, 14 Sep 2018 12:02:31 -0700
+Subject: ipv6: fix possible use-after-free in ip6_xmit()
+
+From: Eric Dumazet
+
+[ Upstream commit bbd6528d28c1b8e80832b3b018ec402b6f5c3215 ]
+
+In the unlikely case ip6_xmit() has to call skb_realloc_headroom(),
+we need to call skb_set_owner_w() before consuming original skb,
+otherwise we risk a use-after-free.
+
+Bring IPv6 in line with what we do in IPv4 to fix this.
+
+Fixes: 1da177e4c3f41 ("Linux-2.6.12-rc2")
+Signed-off-by: Eric Dumazet
+Reported-by: syzbot
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv6/ip6_output.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/net/ipv6/ip6_output.c
++++ b/net/ipv6/ip6_output.c
+@@ -193,12 +193,10 @@ int ip6_xmit(const struct sock *sk, stru
+ kfree_skb(skb);
+ return -ENOBUFS;
+ }
++ if (skb->sk)
++ skb_set_owner_w(skb2, skb->sk);
+ consume_skb(skb);
+ skb = skb2;
+- /* skb_set_owner_w() changes sk->sk_wmem_alloc atomically,
+- * it is safe to call in our context (socket lock not held)
+- */
+- skb_set_owner_w(skb, (struct sock *)sk);
+ }
+ if (opt->opt_flen)
+ ipv6_push_frag_opts(skb, opt, &proto);
diff --git a/queue-4.4/neighbour-confirm-neigh-entries-when-arp-packet-is-received.patch b/queue-4.4/neighbour-confirm-neigh-entries-when-arp-packet-is-received.patch
new file mode 100644
index 00000000000..ca592a1e754
--- /dev/null
+++ b/queue-4.4/neighbour-confirm-neigh-entries-when-arp-packet-is-received.patch
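Review bot: The new `if (skb->sk) skb_set_owner_w(skb2, skb->sk);` changes two things the commit message does not spell out: the owner is now taken from `skb->sk` instead of ip6_xmit()'s `sk` parameter, and the call is skipped when the original skb has no owner, whereas the removed `skb_set_owner_w(skb, (struct sock *)sk)` charged the copy to `sk` unconditionally. Both presumably mirror the IPv4 path the message refers to, but a reader of this function alone cannot see that, and the removed comment explaining why the call is safe without the socket lock (`sk_wmem_alloc` is updated atomically) went away with the old call. Suggest a short comment above the new check, e.g. `/* Charge skb2 to the original owner before skb is consumed; safe without the socket lock, sk_wmem_alloc is atomic. Mirrors the IPv4 output path. */`. ip6_xmit()'s body starts and ends outside the hunk.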
@@ -0,0 +1,54 @@
+From foo@baz Wed Sep 26 13:12:43 CEST 2018
+From: Vasily Khoruzhick
+Date: Thu, 13 Sep 2018 11:12:03 -0700
+Subject: neighbour: confirm neigh entries when ARP packet is received
+
+From: Vasily Khoruzhick
+
+[ Upstream commit f0e0d04413fcce9bc76388839099aee93cd0d33b ]
+
+Update 'confirmed' timestamp when ARP packet is received. It shouldn't
+affect locktime logic and anyway entry can be confirmed by any higher-layer
+protocol. Thus it makes sense to confirm it when ARP packet is received.
+
+Fixes: 77d7123342dc ("neighbour: update neigh timestamps iff update is effective")
+Signed-off-by: Vasily Khoruzhick
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/core/neighbour.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+--- a/net/core/neighbour.c
++++ b/net/core/neighbour.c
+@@ -1140,6 +1140,12 @@ int neigh_update(struct neighbour *neigh
+ lladdr = neigh->ha;
+ }
+
++ /* Update confirmed timestamp for neighbour entry after we
++ * received ARP packet even if it doesn't change IP to MAC binding.
++ */
++ if (new & NUD_CONNECTED)
++ neigh->confirmed = jiffies;
++
+ /* If entry was valid and address is not changed,
+ do not change entry state, if new one is STALE.
+ */
+@@ -1163,15 +1169,12 @@ int neigh_update(struct neighbour *neigh
+ }
+ }
+
+- /* Update timestamps only once we know we will make a change to the
++ /* Update timestamp only once we know we will make a change to the
+ * neighbour entry. Otherwise we risk to move the locktime window with
+ * noop updates and ignore relevant ARP updates.
+ */
+- if (new != old || lladdr != neigh->ha) {
+- if (new & NUD_CONNECTED)
+- neigh->confirmed = jiffies;
++ if (new != old || lladdr != neigh->ha)
+ neigh->updated = jiffies;
+- }
+
+ if (new != old) {
+ neigh_del_timer(neigh);
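Review bot: The relocated `neigh->confirmed = jiffies` now runs before the validity and address checks that follow it (`/* If entry was valid and address is not changed ... */` and the code between the two hunks, which is outside this view), so as far as I can tell an update that those checks later reject or downgrade would still have refreshed `confirmed`, which the old placement under `new != old || lladdr != neigh->ha` could not do; the commit message only argues that the locktime logic is unaffected, so this is worth confirming as intended. Separately, the added comment describes one caller (`after we received ARP packet`) while neigh_update() appears to be a generic entry point; suggest wording it in terms of what the code does: `/* Confirm the entry whenever the update marks it connected, even if state and lladdr do not change. */`. The enclosing neigh_update() starts and ends outside the hunk.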
diff --git a/queue-4.4/net-appletalk-fix-minor-pointer-leak-to-userspace-in-siocfindipddprt.patch b/queue-4.4/net-appletalk-fix-minor-pointer-leak-to-userspace-in-siocfindipddprt.patch
new file mode 100644
index 00000000000..2b9a9ccda39
--- /dev/null
+++ b/queue-4.4/net-appletalk-fix-minor-pointer-leak-to-userspace-in-siocfindipddprt.patch
@@ -0,0 +1,40 @@
+From foo@baz Wed Sep 26 13:12:43 CEST 2018
+From: Willy Tarreau
+Date: Wed, 12 Sep 2018 07:36:35 +0200
+Subject: net/appletalk: fix minor pointer leak to userspace in SIOCFINDIPDDPRT
+
+From: Willy Tarreau
+
+[ Upstream commit 9824dfae5741275473a23a7ed5756c7b6efacc9d ]
+
+Fields ->dev and ->next of struct ipddp_route may be copied to
+userspace on the SIOCFINDIPDDPRT ioctl. This is only accessible
+to CAP_NET_ADMIN though. Let's manually copy the relevant fields
+instead of using memcpy().
+
+BugLink: http://blog.infosectcbr.com.au/2018/09/linux-kernel-infoleaks.html
+Cc: Jann Horn
+Signed-off-by: Willy Tarreau
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/appletalk/ipddp.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/appletalk/ipddp.c
++++ b/drivers/net/appletalk/ipddp.c
+@@ -284,8 +284,12 @@ static int ipddp_ioctl(struct net_device
+ case SIOCFINDIPDDPRT:
+ spin_lock_bh(&ipddp_route_lock);
+ rp = __ipddp_find_route(&rcp);
+- if (rp)
+- memcpy(&rcp2, rp, sizeof(rcp2));
++ if (rp) {
++ memset(&rcp2, 0, sizeof(rcp2));
++ rcp2.ip = rp->ip;
++ rcp2.at = rp->at;
++ rcp2.flags = rp->flags;
++ }
+ spin_unlock_bh(&ipddp_route_lock);
+
+ if (rp) {
diff --git a/queue-4.4/net-hp100-fix-always-true-check-for-link-up-state.patch b/queue-4.4/net-hp100-fix-always-true-check-for-link-up-state.patch
new file mode 100644
index 00000000000..5f2325cf5ed
--- /dev/null
+++ b/queue-4.4/net-hp100-fix-always-true-check-for-link-up-state.patch
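Review bot: The field-by-field copy into `rcp2` has no comment saying why it replaced `memcpy()`, so in the file it reads as a needless expansion and is the kind of thing a later cleanup folds back into a memcpy, reintroducing the leak of the `dev` and `next` kernel pointers to userspace through SIOCFINDIPDDPRT. The `memset(&rcp2, 0, sizeof(rcp2))` is equally load-bearing: it is what clears the uncopied fields and any padding before the structure presumably reaches the user copy in the `if (rp) {` block that continues outside the hunk. Suggest `/* Copy only the user-visible fields; dev and next are kernel pointers and must not reach userspace. The memset also clears padding. */` above the memset. ipddp_ioctl() starts and ends outside the hunk.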
@@ -0,0 +1,35 @@
+From foo@baz Wed Sep 26 13:12:43 CEST 2018
+From: Colin Ian King
+Date: Fri, 14 Sep 2018 17:39:53 +0100
+Subject: net: hp100: fix always-true check for link up state
+
+From: Colin Ian King
+
+[ Upstream commit a7f38002fb69b44f8fc622ecb838665d0b8666af ]
+
+The operation ~(p100_inb(VG_LAN_CFG_1) & HP100_LINK_UP) returns a value
+that is always non-zero and hence the wait for the link to drop always
+terminates prematurely. Fix this by using a logical not operator instead
+of a bitwise complement. This issue has been in the driver since
+pre-2.6.12-rc2.
+
+Detected by CoverityScan, CID#114157 ("Logical vs. bitwise operator")
+
+Signed-off-by: Colin Ian King
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/hp/hp100.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/hp/hp100.c
++++ b/drivers/net/ethernet/hp/hp100.c
+@@ -2636,7 +2636,7 @@ static int hp100_login_to_vg_hub(struct
+ /* Wait for link to drop */
+ time = jiffies + (HZ / 10);
+ do {
+- if (~(hp100_inb(VG_LAN_CFG_1) & HP100_LINK_UP_ST))
++ if (!(hp100_inb(VG_LAN_CFG_1) & HP100_LINK_UP_ST))
+ break;
+ if (!in_interrupt())
+ schedule_timeout_interruptible(1);
diff --git a/queue-4.4/series b/queue-4.4/series
index 274d971fa64..74391eef8ff 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -8,3 +8,8 @@ xen-netfront-don-t-bug-in-case-of-too-many-frags.patch
 xen-x86-vpmu-zero-struct-pt_regs-before-calling-into-sample-handling-code.patch
 ring-buffer-allow-for-rescheduling-when-removing-pages.patch
 mm-shmem.c-correctly-annotate-new-inodes-for-lockdep.patch
+gso_segment-reset-skb-mac_len-after-modifying-network-header.patch
+ipv6-fix-possible-use-after-free-in-ip6_xmit.patch
+net-appletalk-fix-minor-pointer-leak-to-userspace-in-siocfindipddprt.patch
+net-hp100-fix-always-true-check-for-link-up-state.patch
+neighbour-confirm-neigh-entries-when-arp-packet-is-received.patch
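Review bot: With `!` in place of `~` the `/* Wait for link to drop */` loop actually waits for the first time, and that exposes the `if (!in_interrupt())` guard two lines below: when hp100_login_to_vg_hub() is reached in interrupt context the loop no longer sleeps between reads of VG_LAN_CFG_1 and becomes a busy poll for up to `HZ / 10` (the terminating test on `time` is outside the hunk, so the exact bound is inferred). That behaviour pre-exists the fix and the commit message does not discuss it, but the fix turns it from unreachable into reachable code, so a note in the message or a comment such as `/* in interrupt context this polls without sleeping, for up to HZ/10 */` would help whoever next tunes this path. hp100_login_to_vg_hub() starts and ends outside the hunk.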