From: Greg Kroah-Hartman
Date: Sat, 4 May 2019 10:24:15 +0000 (+0200)
Subject: 4.14-stable patches
X-Git-Tag: v4.19.40~6
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=15e6eb8b51d7f07d22a3969b2153f36bf48b56fd;p=thirdparty%2Fkernel%2Fstable-queue.git
4.14-stable patches
added patches:
bnxt_en-free-short-fw-command-hwrm-memory-in-error-path-in-bnxt_init_one.patch
bnxt_en-improve-multicast-address-setup-logic.patch
ipv4-ip_do_fragment-preserve-skb_iif-during-fragmentation.patch
ipv6-flowlabel-wait-rcu-grace-period-before-put_pid.patch
ipv6-invert-flowlabel-sharing-check-in-process-and-user-mode.patch
net-dsa-bcm_sf2-fix-buffer-overflow-doing-set_rxnfc.patch
net-phy-marvell-fix-buffer-overrun-with-stats-counters.patch
packet-validate-msg_namelen-in-send-directly.patch
rxrpc-fix-net-namespace-cleanup.patch
sctp-avoid-running-the-sctp-state-machine-recursively.patch
---
diff --git a/queue-4.14/bnxt_en-free-short-fw-command-hwrm-memory-in-error-path-in-bnxt_init_one.patch b/queue-4.14/bnxt_en-free-short-fw-command-hwrm-memory-in-error-path-in-bnxt_init_one.patch
new file mode 100644
index 00000000000..01e2403fea1
--- /dev/null
+++ b/queue-4.14/bnxt_en-free-short-fw-command-hwrm-memory-in-error-path-in-bnxt_init_one.patch
@@ -0,0 +1,31 @@
+From foo@baz Sat 04 May 2019 11:25:56 AM CEST
+From: Vasundhara Volam
+Date: Thu, 25 Apr 2019 22:31:51 -0400
+Subject: bnxt_en: Free short FW command HWRM memory in error path in bnxt_init_one()
+
+From: Vasundhara Volam
+
+[ Upstream commit f9099d611449836a51a65f40ea7dc9cb5f2f665e ]
+
+In the bnxt_init_one() error path, short FW command request memory
+is not freed. This patch fixes it.
+
+Fixes: e605db801bde ("bnxt_en: Support for Short Firmware Message")
+Signed-off-by: Vasundhara Volam
+Signed-off-by: Michael Chan
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+@@ -8241,6 +8241,7 @@ init_err_cleanup_tc:
+ bnxt_clear_int_mode(bp);
+ 
+ init_err_pci_clean:
++ bnxt_free_hwrm_short_cmd_req(bp);
+ bnxt_free_hwrm_resources(bp);
+ bnxt_cleanup_pci(bp);
+ 
diff --git a/queue-4.14/bnxt_en-improve-multicast-address-setup-logic.patch b/queue-4.14/bnxt_en-improve-multicast-address-setup-logic.patch
new file mode 100644
index 00000000000..6aae052db1d
--- /dev/null
+++ b/queue-4.14/bnxt_en-improve-multicast-address-setup-logic.patch
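Review bot: `bnxt_free_hwrm_short_cmd_req(bp)` is now executed for every failure that jumps to `init_err_pci_clean`, presumably including failures that happen before the short command buffer was ever allocated, so the helper must tolerate an unallocated buffer; its body is outside the hunk, so confirm it checks the buffer pointer before the DMA free and clears it afterwards rather than assuming it. A one-line comment at the call site would record that expectation for the next person who adds an earlier `goto init_err_pci_clean`: `/* must be safe when the short cmd buffer was never allocated */`. Placing it ahead of `bnxt_free_hwrm_resources(bp)` looks consistent with a reverse-of-allocation teardown, but that order is inferred, not visible here. bnxt_init_one() starts well before the hunk.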
@@ -0,0 +1,43 @@
+From foo@baz Sat 04 May 2019 11:25:56 AM CEST
+From: Michael Chan
+Date: Thu, 25 Apr 2019 22:31:50 -0400
+Subject: bnxt_en: Improve multicast address setup logic.
+
+From: Michael Chan
+
+[ Upstream commit b4e30e8e7ea1d1e35ffd64ca46f7d9a7f227b4bf ]
+
+The driver builds a list of multicast addresses and sends it to the
+firmware when the driver's ndo_set_rx_mode() is called. In rare
+cases, the firmware can fail this call if internal resources to
+add multicast addresses are exhausted. In that case, we should
+try the call again by setting the ALL_MCAST flag which is more
+guaranteed to succeed.
+
+Fixes: c0c050c58d84 ("bnxt_en: New Broadcom ethernet driver.")
+Signed-off-by: Michael Chan
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+@@ -6768,8 +6768,15 @@ static int bnxt_cfg_rx_mode(struct bnxt
+ 
+ skip_uc:
+ rc = bnxt_hwrm_cfa_l2_set_rx_mask(bp, 0);
++ if (rc && vnic->mc_list_count) {
++ netdev_info(bp->dev, "Failed setting MC filters rc: %d, turning on ALL_MCAST mode\n",
++ rc);
++ vnic->rx_mask |= CFA_L2_SET_RX_MASK_REQ_MASK_ALL_MCAST;
++ vnic->mc_list_count = 0;
++ rc = bnxt_hwrm_cfa_l2_set_rx_mask(bp, 0);
++ }
+ if (rc)
+- netdev_err(bp->dev, "HWRM cfa l2 rx mask failure rc: %x\n",
++ netdev_err(bp->dev, "HWRM cfa l2 rx mask failure rc: %d\n",
+ rc);
+ 
+ return rc;
diff --git a/queue-4.14/ipv4-ip_do_fragment-preserve-skb_iif-during-fragmentation.patch b/queue-4.14/ipv4-ip_do_fragment-preserve-skb_iif-during-fragmentation.patch
new file mode 100644
index 00000000000..fa555e58628
--- /dev/null
+++ b/queue-4.14/ipv4-ip_do_fragment-preserve-skb_iif-during-fragmentation.patch
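Review bot: The retry is fail-open: any non-zero `rc` from the first `bnxt_hwrm_cfa_l2_set_rx_mask()` while `mc_list_count` is non-zero — not only the resource-exhaustion case the message describes — widens the VNIC to accept all multicast and discards the specific list, and nothing in the hunk limits that to the firmware's exhaustion error. Whether the `ALL_MCAST` bit OR'd into `vnic->rx_mask` persists beyond this call depends on whether `bnxt_cfg_rx_mode()` (which starts outside the hunk) rebuilds `rx_mask` from scratch on each `ndo_set_rx_mode()`; if it does not, the device never returns to filtered multicast once the fallback has fired. At minimum the intent should be stated at the `|=`: `/* Fallback widens RX to all multicast; rx_mask keeps the bit until the mask is next rebuilt. */`. If the firmware's error code for filter exhaustion is distinguishable, gating the retry on it would avoid masking unrelated HWRM failures behind a successful promiscuous-multicast configuration.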
@@ -0,0 +1,42 @@
+From foo@baz Sat 04 May 2019 11:25:56 AM CEST
+From: Shmulik Ladkani
+Date: Mon, 29 Apr 2019 16:39:30 +0300
+Subject: ipv4: ip_do_fragment: Preserve skb_iif during fragmentation
+
+From: Shmulik Ladkani
+
+[ Upstream commit d2f0c961148f65bc73eda72b9fa3a4e80973cb49 ]
+
+Previously, during fragmentation after forwarding, skb->skb_iif isn't
+preserved, i.e. 'ip_copy_metadata' does not copy skb_iif from given
+'from' skb.
+
+As a result, ip_do_fragment's creates fragments with zero skb_iif,
+leading to inconsistent behavior.
+
+Assume for example an eBPF program attached at tc egress (post
+forwarding) that examines __sk_buff->ingress_ifindex:
+ - the correct iif is observed if forwarding path does not involve
+ fragmentation/refragmentation
+ - a bogus iif is observed if forwarding path involves
+ fragmentation/refragmentatiom
+
+Fix, by preserving skb_iif during 'ip_copy_metadata'.
+
+Signed-off-by: Shmulik Ladkani
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv4/ip_output.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/ipv4/ip_output.c
++++ b/net/ipv4/ip_output.c
+@@ -518,6 +518,7 @@ static void ip_copy_metadata(struct sk_b
+ to->pkt_type = from->pkt_type;
+ to->priority = from->priority;
+ to->protocol = from->protocol;
++ to->skb_iif = from->skb_iif;
+ skb_dst_drop(to);
+ skb_dst_copy(to, from);
+ to->dev = from->dev;
diff --git a/queue-4.14/ipv6-flowlabel-wait-rcu-grace-period-before-put_pid.patch b/queue-4.14/ipv6-flowlabel-wait-rcu-grace-period-before-put_pid.patch
new file mode 100644
index 00000000000..4f9814bbbd0
--- /dev/null
+++ b/queue-4.14/ipv6-flowlabel-wait-rcu-grace-period-before-put_pid.patch
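Review bot: The copy fixes the IPv4 fragment path only; the IPv6 fragmentation code has its own metadata-copy helper, and if it has the same omission, egress eBPF or netfilter policy keyed on the ingress ifindex would still see 0 for refragmented IPv6 forwarded traffic — it is not in this series, so check it rather than assume it is already correct. Since `skb_iif` is a policy input (the message itself cites `__sk_buff->ingress_ifindex`), a why-comment on the new line would stop a future "metadata trim" from dropping it again: `/* keep the ingress ifindex so post-fragment egress hooks see the real iif */`. ip_copy_metadata() continues past the end of the hunk.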
@@ -0,0 +1,151 @@ +From foo@baz Sat 04 May 2019 11:25:56 AM CEST +From: Eric Dumazet +Date: Sat, 27 Apr 2019 16:49:06 -0700 +Subject: ipv6/flowlabel: wait rcu grace period before put_pid() + +From: Eric Dumazet + +[ Upstream commit 6c0afef5fb0c27758f4d52b2210c61b6bd8b4470 ] + +syzbot was able to catch a use-after-free read in pid_nr_ns() [1] + +ip6fl_seq_show() seems to use RCU protection, dereferencing fl->owner.pid +but fl_free() releases fl->owner.pid before rcu grace period is started. + +[1] + +BUG: KASAN: use-after-free in pid_nr_ns+0x128/0x140 kernel/pid.c:407 +Read of size 4 at addr ffff888094012a04 by task syz-executor.0/18087 + +CPU: 0 PID: 18087 Comm: syz-executor.0 Not tainted 5.1.0-rc6+ #89 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0x172/0x1f0 lib/dump_stack.c:113 + print_address_description.cold+0x7c/0x20d mm/kasan/report.c:187 + kasan_report.cold+0x1b/0x40 mm/kasan/report.c:317 + __asan_report_load4_noabort+0x14/0x20 mm/kasan/generic_report.c:131 + pid_nr_ns+0x128/0x140 kernel/pid.c:407 + ip6fl_seq_show+0x2f8/0x4f0 net/ipv6/ip6_flowlabel.c:794 + seq_read+0xad3/0x1130 fs/seq_file.c:268 + proc_reg_read+0x1fe/0x2c0 fs/proc/inode.c:227 + do_loop_readv_writev fs/read_write.c:701 [inline] + do_loop_readv_writev fs/read_write.c:688 [inline] + do_iter_read+0x4a9/0x660 fs/read_write.c:922 + vfs_readv+0xf0/0x160 fs/read_write.c:984 + kernel_readv fs/splice.c:358 [inline] + default_file_splice_read+0x475/0x890 fs/splice.c:413 + do_splice_to+0x12a/0x190 fs/splice.c:876 + splice_direct_to_actor+0x2d2/0x970 fs/splice.c:953 + do_splice_direct+0x1da/0x2a0 fs/splice.c:1062 + do_sendfile+0x597/0xd00 fs/read_write.c:1443 + __do_sys_sendfile64 fs/read_write.c:1498 [inline] + __se_sys_sendfile64 fs/read_write.c:1490 [inline] + __x64_sys_sendfile64+0x15a/0x220 fs/read_write.c:1490 + do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290 + 
entry_SYSCALL_64_after_hwframe+0x49/0xbe +RIP: 0033:0x458da9 +Code: ad b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 +RSP: 002b:00007f300d24bc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000028 +RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 0000000000458da9 +RDX: 00000000200000c0 RSI: 0000000000000008 RDI: 0000000000000007 +RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000 +R10: 000000000000005a R11: 0000000000000246 R12: 00007f300d24c6d4 +R13: 00000000004c5fa3 R14: 00000000004da748 R15: 00000000ffffffff + +Allocated by task 17543: + save_stack+0x45/0xd0 mm/kasan/common.c:75 + set_track mm/kasan/common.c:87 [inline] + __kasan_kmalloc mm/kasan/common.c:497 [inline] + __kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:470 + kasan_slab_alloc+0xf/0x20 mm/kasan/common.c:505 + slab_post_alloc_hook mm/slab.h:437 [inline] + slab_alloc mm/slab.c:3393 [inline] + kmem_cache_alloc+0x11a/0x6f0 mm/slab.c:3555 + alloc_pid+0x55/0x8f0 kernel/pid.c:168 + copy_process.part.0+0x3b08/0x7980 kernel/fork.c:1932 + copy_process kernel/fork.c:1709 [inline] + _do_fork+0x257/0xfd0 kernel/fork.c:2226 + __do_sys_clone kernel/fork.c:2333 [inline] + __se_sys_clone kernel/fork.c:2327 [inline] + __x64_sys_clone+0xbf/0x150 kernel/fork.c:2327 + do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + +Freed by task 7789: + save_stack+0x45/0xd0 mm/kasan/common.c:75 + set_track mm/kasan/common.c:87 [inline] + __kasan_slab_free+0x102/0x150 mm/kasan/common.c:459 + kasan_slab_free+0xe/0x10 mm/kasan/common.c:467 + __cache_free mm/slab.c:3499 [inline] + kmem_cache_free+0x86/0x260 mm/slab.c:3765 + put_pid.part.0+0x111/0x150 kernel/pid.c:111 + put_pid+0x20/0x30 kernel/pid.c:105 + fl_free+0xbe/0xe0 net/ipv6/ip6_flowlabel.c:102 + ip6_fl_gc+0x295/0x3e0 net/ipv6/ip6_flowlabel.c:152 + call_timer_fn+0x190/0x720 
kernel/time/timer.c:1325 + expire_timers kernel/time/timer.c:1362 [inline] + __run_timers kernel/time/timer.c:1681 [inline] + __run_timers kernel/time/timer.c:1649 [inline] + run_timer_softirq+0x652/0x1700 kernel/time/timer.c:1694 + __do_softirq+0x266/0x95a kernel/softirq.c:293 + +The buggy address belongs to the object at ffff888094012a00 + which belongs to the cache pid_2 of size 88 +The buggy address is located 4 bytes inside of + 88-byte region [ffff888094012a00, ffff888094012a58) +The buggy address belongs to the page: +page:ffffea0002500480 count:1 mapcount:0 mapping:ffff88809a483080 index:0xffff888094012980 +flags: 0x1fffc0000000200(slab) +raw: 01fffc0000000200 ffffea00018a3508 ffffea0002524a88 ffff88809a483080 +raw: ffff888094012980 ffff888094012000 000000010000001b 0000000000000000 +page dumped because: kasan: bad access detected + +Memory state around the buggy address: + ffff888094012900: fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc + ffff888094012980: fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc +>ffff888094012a00: fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc + ^ + ffff888094012a80: fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc + ffff888094012b00: fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc + +Fixes: 4f82f45730c6 ("net ip6 flowlabel: Make owner a union of struct pid * and kuid_t") +Signed-off-by: Eric Dumazet +Cc: Eric W. Biederman +Reported-by: syzbot +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/ip6_flowlabel.c | 18 ++++++++++++------ + 1 file changed, 12 insertions(+), 6 deletions(-) + +--- a/net/ipv6/ip6_flowlabel.c ++++ b/net/ipv6/ip6_flowlabel.c +@@ -94,15 +94,21 @@ static struct ip6_flowlabel *fl_lookup(s + return fl; + } + ++static void fl_free_rcu(struct rcu_head *head) ++{ ++ struct ip6_flowlabel *fl = container_of(head, struct ip6_flowlabel, rcu); ++ ++ if (fl->share == IPV6_FL_S_PROCESS) ++ put_pid(fl->owner.pid); ++ kfree(fl->opt); ++ kfree(fl); ++} ++ + + static void fl_free(struct ip6_flowlabel *fl) + { +- if (fl) { +- if (fl->share == IPV6_FL_S_PROCESS) +- put_pid(fl->owner.pid); +- kfree(fl->opt); +- kfree_rcu(fl, rcu); +- } ++ if (fl) ++ call_rcu(&fl->rcu, fl_free_rcu); + } + + static void fl_release(struct ip6_flowlabel *fl) diff --git a/queue-4.14/ipv6-invert-flowlabel-sharing-check-in-process-and-user-mode.patch b/queue-4.14/ipv6-invert-flowlabel-sharing-check-in-process-and-user-mode.patch new file mode 100644 index 00000000000..76b330df6ce --- /dev/null +++ b/queue-4.14/ipv6-invert-flowlabel-sharing-check-in-process-and-user-mode.patch 
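Review bot: Deferring `put_pid()` to `fl_free_rcu()` is only sufficient if every reader of `fl->owner.pid` runs under `rcu_read_lock()` or under the lock that serialises against `fl_free()`; the commit message says ip6fl_seq_show "seems to" use RCU, and the sharing check at `recheck:` in ipv6_flowlabel_opt compares `fl1->owner.pid` as well, neither of which is visible here, so that should be verified rather than inferred. The new callback deserves a comment stating the invariant it exists for: `/* Readers dereference owner.pid under RCU; drop the pid reference only after the grace period. */`. Note that `fl->share` is read inside the callback, so it must not be modified between `fl_free()` and the callback running — true if the fl is already unlinked, which the hunk does not show. fl_release() and the callers of fl_free() are outside the hunk.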
@@ -0,0 +1,37 @@
+From foo@baz Sat 04 May 2019 11:25:56 AM CEST
+From: Willem de Bruijn
+Date: Thu, 25 Apr 2019 12:06:54 -0400
+Subject: ipv6: invert flowlabel sharing check in process and user mode
+
+From: Willem de Bruijn
+
+[ Upstream commit 95c169251bf734aa555a1e8043e4d88ec97a04ec ]
+
+A request for a flowlabel fails in process or user exclusive mode must
+fail if the caller pid or uid does not match. Invert the test.
+
+Previously, the test was unsafe wrt PID recycling, but indeed tested
+for inequality: fl1->owner != fl->owner
+
+Fixes: 4f82f45730c68 ("net ip6 flowlabel: Make owner a union of struct pid* and kuid_t")
+Signed-off-by: Willem de Bruijn
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv6/ip6_flowlabel.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/ipv6/ip6_flowlabel.c
++++ b/net/ipv6/ip6_flowlabel.c
+@@ -640,9 +640,9 @@ recheck:
+ if (fl1->share == IPV6_FL_S_EXCL ||
+ fl1->share != fl->share ||
+ ((fl1->share == IPV6_FL_S_PROCESS) &&
+- (fl1->owner.pid == fl->owner.pid)) ||
++ (fl1->owner.pid != fl->owner.pid)) ||
+ ((fl1->share == IPV6_FL_S_USER) &&
+- uid_eq(fl1->owner.uid, fl->owner.uid)))
++ !uid_eq(fl1->owner.uid, fl->owner.uid)))
+ goto release;
+ 
+ err = -ENOMEM;
diff --git a/queue-4.14/net-dsa-bcm_sf2-fix-buffer-overflow-doing-set_rxnfc.patch b/queue-4.14/net-dsa-bcm_sf2-fix-buffer-overflow-doing-set_rxnfc.patch
new file mode 100644
index 00000000000..d5930bde46b
--- /dev/null
+++ b/queue-4.14/net-dsa-bcm_sf2-fix-buffer-overflow-doing-set_rxnfc.patch
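Review bot: With the test inverted, a PROCESS- or USER-shared label is now refused when the owner differs, which closes what was effectively a cross-owner reuse of another process's or user's label; the process-mode comparison is a `struct pid` pointer comparison, so its safety against PID reuse rests on the flowlabel holding a pid reference for its whole lifetime (the sibling flowlabel/RCU patch in this series addresses the free side of that). Because `goto release` is the rejection path, the multi-line condition reads backwards; a comment above the `if` would help: `/* reject: exclusive label, share-mode mismatch, or owner (pid/uid) mismatch */`. A selftest covering same-pid success and cross-pid failure would keep this inversion from regressing. ipv6_flowlabel_opt() continues outside the hunk.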
@@ -0,0 +1,43 @@
+From foo@baz Sat 04 May 2019 11:25:56 AM CEST
+From: Dan Carpenter
+Date: Tue, 30 Apr 2019 13:44:19 +0300
+Subject: net: dsa: bcm_sf2: fix buffer overflow doing set_rxnfc
+
+From: Dan Carpenter
+
+[ Upstream commit f949a12fd697479f68d99dc65e9bbab68ee49043 ]
+
+The "fs->location" is a u32 that comes from the user in ethtool_set_rxnfc().
+We can't pass unclamped values to test_bit() or it results in an out of
+bounds access beyond the end of the bitmap.
+
+Fixes: 7318166cacad ("net: dsa: bcm_sf2: Add support for ethtool::rxnfc")
+Signed-off-by: Dan Carpenter
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/dsa/bcm_sf2_cfp.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/net/dsa/bcm_sf2_cfp.c
++++ b/drivers/net/dsa/bcm_sf2_cfp.c
+@@ -130,6 +130,9 @@ static int bcm_sf2_cfp_rule_set(struct d
+ (fs->m_ext.vlan_etype || fs->m_ext.data[1]))
+ return -EINVAL;
+ 
++ if (fs->location != RX_CLS_LOC_ANY && fs->location >= CFP_NUM_RULES)
++ return -EINVAL;
++
+ if (fs->location != RX_CLS_LOC_ANY &&
+ test_bit(fs->location, priv->cfp.used))
+ return -EBUSY;
+@@ -330,6 +333,9 @@ static int bcm_sf2_cfp_rule_del(struct b
+ int ret;
+ u32 reg;
+ 
++ if (loc >= CFP_NUM_RULES)
++ return -EINVAL;
++
+ /* Refuse deletion of unused rules, and the default reserved rule */
+ if (!test_bit(loc, priv->cfp.used) || loc == 0)
+ return -EINVAL;
diff --git a/queue-4.14/net-phy-marvell-fix-buffer-overrun-with-stats-counters.patch b/queue-4.14/net-phy-marvell-fix-buffer-overrun-with-stats-counters.patch
new file mode 100644
index 00000000000..23e186c3ef6
--- /dev/null
+++ b/queue-4.14/net-phy-marvell-fix-buffer-overrun-with-stats-counters.patch
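Review bot: The bound is added to rule_set and rule_del, but any other entry point that indexes `priv->cfp.used` or the hardware rule table with a user-chosen location — the GET side of ethtool rxnfc, if this driver implements it — needs the same check; it is outside the hunk, so verify it rather than assume. The check also assumes `priv->cfp.used` is declared with `CFP_NUM_RULES` bits; its declaration is not visible here, and a comment at the new test would tie the two together: `/* location is user-controlled; bound it before it indexes cfp.used */`. For rule_del, `loc` is validated before the `test_bit(loc, ...)` on the next line, which is the right order; both functions extend beyond the hunk.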
@@ -0,0 +1,51 @@
+From foo@baz Sat 04 May 2019 11:25:56 AM CEST
+From: Andrew Lunn
+Date: Thu, 25 Apr 2019 00:33:00 +0200
+Subject: net: phy: marvell: Fix buffer overrun with stats counters
+
+From: Andrew Lunn
+
+[ Upstream commit fdfdf86720a34527f777cbe0d8599bf0528fa146 ]
+
+marvell_get_sset_count() returns how many statistics counters there
+are. If the PHY supports fibre, there are 3, otherwise two.
+
+marvell_get_strings() does not make this distinction, and always
+returns 3 strings. This then often results in writing past the end
+of the buffer for the strings.
+
+Fixes: 2170fef78a40 ("Marvell phy: add field to get errors from fiber link.")
+Signed-off-by: Andrew Lunn
+Reviewed-by: Florian Fainelli
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/phy/marvell.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/phy/marvell.c
++++ b/drivers/net/phy/marvell.c
+@@ -1497,9 +1497,10 @@ static int marvell_get_sset_count(struct
+ 
+ static void marvell_get_strings(struct phy_device *phydev, u8 *data)
+ {
++ int count = marvell_get_sset_count(phydev);
+ int i;
+ 
+- for (i = 0; i < ARRAY_SIZE(marvell_hw_stats); i++) {
++ for (i = 0; i < count; i++) {
+ memcpy(data + i * ETH_GSTRING_LEN,
+ marvell_hw_stats[i].string, ETH_GSTRING_LEN);
+ }
+@@ -1536,9 +1537,10 @@ static u64 marvell_get_stat(struct phy_d
+ static void marvell_get_stats(struct phy_device *phydev,
+ struct ethtool_stats *stats, u64 *data)
+ {
++ int count = marvell_get_sset_count(phydev);
+ int i;
+ 
+- for (i = 0; i < ARRAY_SIZE(marvell_hw_stats); i++)
++ for (i = 0; i < count; i++)
+ data[i] = marvell_get_stat(phydev, i);
+ }
+ 
diff --git a/queue-4.14/packet-validate-msg_namelen-in-send-directly.patch b/queue-4.14/packet-validate-msg_namelen-in-send-directly.patch
new file mode 100644
index 00000000000..0401f2a86e5
--- /dev/null
+++ b/queue-4.14/packet-validate-msg_namelen-in-send-directly.patch
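Review bot: Both loops now trust `marvell_get_sset_count()` never to return more than `ARRAY_SIZE(marvell_hw_stats)`; that holds for the 2-or-3 values the message describes, but nothing in the code ties the two together, so a future counter added to one side reintroduces an over-read of `marvell_hw_stats` in the other direction. A clamp keeps the loops self-bounding at no cost: `count = min_t(int, count, ARRAY_SIZE(marvell_hw_stats));`, or a `BUILD_BUG_ON`/comment next to the table if the maximum is meant to be a compile-time fact. `marvell_get_sset_count()` is declared `int` and its body is outside the hunk; if it can return a negative error, `i < count` silently iterates zero times, which is the safe outcome but worth a comment at the caller.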
@@ -0,0 +1,97 @@
+From foo@baz Sat 04 May 2019 11:25:56 AM CEST
+From: Willem de Bruijn
+Date: Mon, 29 Apr 2019 11:53:18 -0400
+Subject: packet: validate msg_namelen in send directly
+
+From: Willem de Bruijn
+
+[ Upstream commit 486efdc8f6ce802b27e15921d2353cc740c55451 ]
+
+Packet sockets in datagram mode take a destination address. Verify its
+length before passing to dev_hard_header.
+
+Prior to 2.6.14-rc3, the send code ignored sll_halen. This is
+established behavior. Directly compare msg_namelen to dev->addr_len.
+
+Change v1->v2: initialize addr in all paths
+
+Fixes: 6b8d95f1795c4 ("packet: validate address length if non-zero")
+Suggested-by: David Laight
+Signed-off-by: Willem de Bruijn
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/packet/af_packet.c | 24 ++++++++++++++----------
+ 1 file changed, 14 insertions(+), 10 deletions(-)
+
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -2641,8 +2641,8 @@ static int tpacket_snd(struct packet_soc
+ void *ph;
+ DECLARE_SOCKADDR(struct sockaddr_ll *, saddr, msg->msg_name);
+ bool need_wait = !(msg->msg_flags & MSG_DONTWAIT);
++ unsigned char *addr = NULL;
+ int tp_len, size_max;
+- unsigned char *addr;
+ void *data;
+ int len_sum = 0;
+ int status = TP_STATUS_AVAILABLE;
+@@ -2653,7 +2653,6 @@ static int tpacket_snd(struct packet_soc
+ if (likely(saddr == NULL)) {
+ dev = packet_cached_dev_get(po);
+ proto = po->num;
+- addr = NULL;
+ } else {
+ err = -EINVAL;
+ if (msg->msg_namelen < sizeof(struct sockaddr_ll))
+@@ -2663,10 +2662,13 @@ static int tpacket_snd(struct packet_soc
+ sll_addr)))
+ goto out;
+ proto = saddr->sll_protocol;
+- addr = saddr->sll_halen ? saddr->sll_addr : NULL;
+ dev = dev_get_by_index(sock_net(&po->sk), saddr->sll_ifindex);
+- if (addr && dev && saddr->sll_halen < dev->addr_len)
+- goto out_put;
++ if (po->sk.sk_socket->type == SOCK_DGRAM) {
++ if (dev && msg->msg_namelen < dev->addr_len +
++ offsetof(struct sockaddr_ll, sll_addr))
++ goto out_put;
++ addr = saddr->sll_addr;
++ }
+ }
+ 
+ err = -ENXIO;
+@@ -2838,7 +2840,7 @@ static int packet_snd(struct socket *soc
+ struct sk_buff *skb;
+ struct net_device *dev;
+ __be16 proto;
+- unsigned char *addr;
++ unsigned char *addr = NULL;
+ int err, reserve = 0;
+ struct sockcm_cookie sockc;
+ struct virtio_net_hdr vnet_hdr = { 0 };
+@@ -2855,7 +2857,6 @@ static int packet_snd(struct socket *soc
+ if (likely(saddr == NULL)) {
+ dev = packet_cached_dev_get(po);
+ proto = po->num;
+- addr = NULL;
+ } else {
+ err = -EINVAL;
+ if (msg->msg_namelen < sizeof(struct sockaddr_ll))
+@@ -2863,10 +2864,13 @@ static int packet_snd(struct socket *soc
+ if (msg->msg_namelen < (saddr->sll_halen + offsetof(struct sockaddr_ll, sll_addr)))
+ goto out;
+ proto = saddr->sll_protocol;
+- addr = saddr->sll_halen ? saddr->sll_addr : NULL;
+ dev = dev_get_by_index(sock_net(sk), saddr->sll_ifindex);
+- if (addr && dev && saddr->sll_halen < dev->addr_len)
+- goto out_unlock;
++ if (sock->type == SOCK_DGRAM) {
++ if (dev && msg->msg_namelen < dev->addr_len +
++ offsetof(struct sockaddr_ll, sll_addr))
++ goto out_unlock;
++ addr = saddr->sll_addr;
++ }
+ }
+ 
+ err = -ENXIO;
diff --git a/queue-4.14/rxrpc-fix-net-namespace-cleanup.patch b/queue-4.14/rxrpc-fix-net-namespace-cleanup.patch
new file mode 100644
index 00000000000..d787ff9cd99
--- /dev/null
+++ b/queue-4.14/rxrpc-fix-net-namespace-cleanup.patch
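Review bot: The new bound is applied only when `dev` is non-NULL, yet `addr = saddr->sll_addr` is assigned unconditionally inside the `SOCK_DGRAM` branch, so correctness relies on the `-ENXIO` NULL-dev rejection that follows the hunk being reached before anything reads `addr`; that is presumably the case, but a comment at the assignment would make the dependence explicit: `/* only valid once dev != NULL is confirmed below; length checked against dev->addr_len */`. The surviving `msg_namelen < sll_halen + offsetof(...)` test (visible as context in packet_snd) now validates a field the send path no longer uses to derive `addr`; it is harmless but could be marked as legacy or dropped in a follow-up. Note the behavioural change this introduces: on SOCK_DGRAM a zero `sll_halen` no longer yields a NULL `addr`, so `dev_hard_header` always reads `dev->addr_len` bytes from `sll_addr`, which is exactly what the new `msg_namelen` bound guarantees is present. Both tpacket_snd() and packet_snd() extend outside the hunk.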
@@ -0,0 +1,89 @@ +From foo@baz Sat 04 May 2019 11:25:56 AM CEST +From: David Howells +Date: Tue, 30 Apr 2019 08:34:08 +0100 +Subject: rxrpc: Fix net namespace cleanup + +From: David Howells + +[ Upstream commit b13023421b5179413421333f602850914f6a7ad8 ] + +In rxrpc_destroy_all_calls(), there are two phases: (1) make sure the +->calls list is empty, emitting error messages if not, and (2) wait for the +RCU cleanup to happen on outstanding calls (ie. ->nr_calls becomes 0). + +To avoid taking the call_lock, the function prechecks ->calls and if empty, +it returns to avoid taking the lock - this is wrong, however: it still +needs to go and do the second phase and wait for ->nr_calls to become 0. + +Without this, the rxrpc_net struct may get deallocated before we get to the +RCU cleanup for the last calls. This can lead to: + + Slab corruption (Not tainted): kmalloc-16k start=ffff88802b178000, len=16384 + 050: 6b 6b 6b 6b 6b 6b 6b 6b 61 6b 6b 6b 6b 6b 6b 6b kkkkkkkkakkkkkkk + +Note the "61" at offset 0x58. This corresponds to the ->nr_calls member of +struct rxrpc_net (which is >9k in size, and thus allocated out of the 16k +slab). + +Fix this by flipping the condition on the if-statement, putting the locked +section inside the if-body and dropping the return from there. The +function will then always go on to wait for the RCU cleanup on outstanding +calls. + +Fixes: 2baec2c3f854 ("rxrpc: Support network namespacing") +Signed-off-by: David Howells +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/rxrpc/call_object.c | 38 +++++++++++++++++++------------------- + 1 file changed, 19 insertions(+), 19 deletions(-) + +--- a/net/rxrpc/call_object.c ++++ b/net/rxrpc/call_object.c +@@ -684,27 +684,27 @@ void rxrpc_destroy_all_calls(struct rxrp + + _enter(""); + +- if (list_empty(&rxnet->calls)) +- return; +- +- write_lock(&rxnet->call_lock); ++ if (!list_empty(&rxnet->calls)) { ++ write_lock(&rxnet->call_lock); + +- while (!list_empty(&rxnet->calls)) { +- call = list_entry(rxnet->calls.next, struct rxrpc_call, link); +- _debug("Zapping call %p", call); +- +- rxrpc_see_call(call); +- list_del_init(&call->link); +- +- pr_err("Call %p still in use (%d,%s,%lx,%lx)!\n", +- call, atomic_read(&call->usage), +- rxrpc_call_states[call->state], +- call->flags, call->events); ++ while (!list_empty(&rxnet->calls)) { ++ call = list_entry(rxnet->calls.next, ++ struct rxrpc_call, link); ++ _debug("Zapping call %p", call); ++ ++ rxrpc_see_call(call); ++ list_del_init(&call->link); ++ ++ pr_err("Call %p still in use (%d,%s,%lx,%lx)!\n", ++ call, atomic_read(&call->usage), ++ rxrpc_call_states[call->state], ++ call->flags, call->events); ++ ++ write_unlock(&rxnet->call_lock); ++ cond_resched(); ++ write_lock(&rxnet->call_lock); ++ } + + write_unlock(&rxnet->call_lock); +- cond_resched(); +- write_lock(&rxnet->call_lock); + } +- +- write_unlock(&rxnet->call_lock); + } diff --git a/queue-4.14/sctp-avoid-running-the-sctp-state-machine-recursively.patch b/queue-4.14/sctp-avoid-running-the-sctp-state-machine-recursively.patch new file mode 100644 index 00000000000..96fae3ff7e3 --- /dev/null +++ b/queue-4.14/sctp-avoid-running-the-sctp-state-machine-recursively.patch 
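Review bot: `list_empty(&rxnet->calls)` is still read without `call_lock` before the locked loop, which is only safe if nothing can add to `->calls` once the namespace is being torn down — an assumption the hunk relies on but does not state, so a comment is warranted: `/* lockless peek: the net is exiting, nothing links new calls any more */`. The phase-2 wait on `->nr_calls` that the message says is now always reached lies below the hunk and is not visible, so whether the fall-through actually lands on it depends on code outside this view. As a style point, the zap loop (unlink, `pr_err`, unlock/`cond_resched`/relock) could move into a small static helper so rxrpc_destroy_all_calls() reads as "zap leaked calls, then wait", rather than nesting the lock dance two levels deep.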
@@ -0,0 +1,165 @@ +From foo@baz Sat 04 May 2019 11:25:56 AM CEST +From: Xin Long +Date: Mon, 29 Apr 2019 14:16:19 +0800 +Subject: sctp: avoid running the sctp state machine recursively + +From: Xin Long + +[ Upstream commit fbd019737d71e405f86549fd738f81e2ff3dd073 ] + +Ying triggered a call trace when doing an asconf testing: + + BUG: scheduling while atomic: swapper/12/0/0x10000100 + Call Trace: + [] dump_stack+0x19/0x1b + [] __schedule_bug+0x64/0x72 + [] __schedule+0x9ba/0xa00 + [] __cond_resched+0x26/0x30 + [] _cond_resched+0x3a/0x50 + [] kmem_cache_alloc_node+0x38/0x200 + [] __alloc_skb+0x5d/0x2d0 + [] sctp_packet_transmit+0x610/0xa20 [sctp] + [] sctp_outq_flush+0x2ce/0xc00 [sctp] + [] sctp_outq_uncork+0x1c/0x20 [sctp] + [] sctp_cmd_interpreter.isra.22+0xc8/0x1460 [sctp] + [] sctp_do_sm+0xe1/0x350 [sctp] + [] sctp_primitive_ASCONF+0x3d/0x50 [sctp] + [] sctp_cmd_interpreter.isra.22+0x114/0x1460 [sctp] + [] sctp_do_sm+0xe1/0x350 [sctp] + [] sctp_assoc_bh_rcv+0xf4/0x1b0 [sctp] + [] sctp_inq_push+0x51/0x70 [sctp] + [] sctp_rcv+0xa8b/0xbd0 [sctp] + +As it shows, the first sctp_do_sm() running under atomic context (NET_RX +softirq) invoked sctp_primitive_ASCONF() that uses GFP_KERNEL flag later, +and this flag is supposed to be used in non-atomic context only. Besides, +sctp_do_sm() was called recursively, which is not expected. + +Vlad tried to fix this recursive call in Commit c0786693404c ("sctp: Fix +oops when sending queued ASCONF chunks") by introducing a new command +SCTP_CMD_SEND_NEXT_ASCONF. But it didn't work as this command is still +used in the first sctp_do_sm() call, and sctp_primitive_ASCONF() will +be called in this command again. + +To avoid calling sctp_do_sm() recursively, we send the next queued ASCONF +not by sctp_primitive_ASCONF(), but by sctp_sf_do_prm_asconf() in the 1st +sctp_do_sm() directly. + +Reported-by: Ying Xu +Signed-off-by: Xin Long +Acked-by: Neil Horman +Acked-by: Marcelo Ricardo Leitner +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/net/sctp/command.h | 1 - + net/sctp/sm_sideeffect.c | 29 ----------------------------- + net/sctp/sm_statefuns.c | 35 +++++++++++++++++++++++++++-------- + 3 files changed, 27 insertions(+), 38 deletions(-) + +--- a/include/net/sctp/command.h ++++ b/include/net/sctp/command.h +@@ -104,7 +104,6 @@ enum sctp_verb { + SCTP_CMD_T1_RETRAN, /* Mark for retransmission after T1 timeout */ + SCTP_CMD_UPDATE_INITTAG, /* Update peer inittag */ + SCTP_CMD_SEND_MSG, /* Send the whole use message */ +- SCTP_CMD_SEND_NEXT_ASCONF, /* Send the next ASCONF after ACK */ + SCTP_CMD_PURGE_ASCONF_QUEUE, /* Purge all asconf queues.*/ + SCTP_CMD_SET_ASOC, /* Restore association context */ + SCTP_CMD_LAST +--- a/net/sctp/sm_sideeffect.c ++++ b/net/sctp/sm_sideeffect.c +@@ -1092,32 +1092,6 @@ static void sctp_cmd_send_msg(struct sct + } + + +-/* Sent the next ASCONF packet currently stored in the association. +- * This happens after the ASCONF_ACK was succeffully processed. +- */ +-static void sctp_cmd_send_asconf(struct sctp_association *asoc) +-{ +- struct net *net = sock_net(asoc->base.sk); +- +- /* Send the next asconf chunk from the addip chunk +- * queue. +- */ +- if (!list_empty(&asoc->addip_chunk_list)) { +- struct list_head *entry = asoc->addip_chunk_list.next; +- struct sctp_chunk *asconf = list_entry(entry, +- struct sctp_chunk, list); +- list_del_init(entry); +- +- /* Hold the chunk until an ASCONF_ACK is received. */ +- sctp_chunk_hold(asconf); +- if (sctp_primitive_ASCONF(net, asoc, asconf)) +- sctp_chunk_free(asconf); +- else +- asoc->addip_last_asconf = asconf; +- } +-} +- +- + /* These three macros allow us to pull the debugging code out of the + * main flow of sctp_do_sm() to keep attention focused on the real + * functionality there. 
+@@ -1763,9 +1737,6 @@ static int sctp_cmd_interpreter(enum sct + } + sctp_cmd_send_msg(asoc, cmd->obj.msg, gfp); + break; +- case SCTP_CMD_SEND_NEXT_ASCONF: +- sctp_cmd_send_asconf(asoc); +- break; + case SCTP_CMD_PURGE_ASCONF_QUEUE: + sctp_asconf_queue_teardown(asoc); + break; +--- a/net/sctp/sm_statefuns.c ++++ b/net/sctp/sm_statefuns.c +@@ -3756,6 +3756,29 @@ enum sctp_disposition sctp_sf_do_asconf( + return SCTP_DISPOSITION_CONSUME; + } + ++static enum sctp_disposition sctp_send_next_asconf( ++ struct net *net, ++ const struct sctp_endpoint *ep, ++ struct sctp_association *asoc, ++ const union sctp_subtype type, ++ struct sctp_cmd_seq *commands) ++{ ++ struct sctp_chunk *asconf; ++ struct list_head *entry; ++ ++ if (list_empty(&asoc->addip_chunk_list)) ++ return SCTP_DISPOSITION_CONSUME; ++ ++ entry = asoc->addip_chunk_list.next; ++ asconf = list_entry(entry, struct sctp_chunk, list); ++ ++ list_del_init(entry); ++ sctp_chunk_hold(asconf); ++ asoc->addip_last_asconf = asconf; ++ ++ return sctp_sf_do_prm_asconf(net, ep, asoc, type, asconf, commands); ++} ++ + /* + * ADDIP Section 4.3 General rules for address manipulation + * When building TLV parameters for the ASCONF Chunk that will add or +@@ -3847,14 +3870,10 @@ enum sctp_disposition sctp_sf_do_asconf_ + SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO)); + + if (!sctp_process_asconf_ack((struct sctp_association *)asoc, +- asconf_ack)) { +- /* Successfully processed ASCONF_ACK. We can +- * release the next asconf if we have one. +- */ +- sctp_add_cmd_sf(commands, SCTP_CMD_SEND_NEXT_ASCONF, +- SCTP_NULL()); +- return SCTP_DISPOSITION_CONSUME; +- } ++ asconf_ack)) ++ return sctp_send_next_asconf(net, ep, ++ (struct sctp_association *)asoc, ++ type, commands); + + abort = sctp_make_abort(asoc, asconf_ack, + sizeof(struct sctp_errhdr)); diff --git a/queue-4.14/series b/queue-4.14/series index 285ef427caa..eade7d019fe 100644 --- a/queue-4.14/series +++ b/queue-4.14/series 
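Review bot: `sctp_send_next_asconf()` sets `asoc->addip_last_asconf = asconf` and takes a hold on the chunk before calling `sctp_sf_do_prm_asconf()`, whereas the removed `sctp_cmd_send_asconf()` only recorded it on success and freed the chunk otherwise; if `sctp_sf_do_prm_asconf()` (outside the hunk) can return a non-CONSUME disposition, the dequeued chunk is neither re-queued nor released and `addip_last_asconf` points at something never sent — confirm it cannot fail at that point, or handle the disposition before returning it. The helper is also invoked with the ASCONF_ACK `type` rather than an ASCONF subtype; if `sctp_sf_do_prm_asconf` or its debug output keys on `type`, that deserves a comment. A short header above the helper carrying the commit message's reasoning would help the next reader: `/* Send the next queued ASCONF from within the current sctp_do_sm() pass: no recursive sctp_do_sm() and no GFP_KERNEL from softirq context. */`. sctp_sf_do_asconf_ack() continues past the hunk.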
@@ -1 +1,11 @@
 alsa-line6-use-dynamic-buffers.patch
+ipv4-ip_do_fragment-preserve-skb_iif-during-fragmentation.patch
+ipv6-flowlabel-wait-rcu-grace-period-before-put_pid.patch
+ipv6-invert-flowlabel-sharing-check-in-process-and-user-mode.patch
+sctp-avoid-running-the-sctp-state-machine-recursively.patch
+packet-validate-msg_namelen-in-send-directly.patch
+bnxt_en-improve-multicast-address-setup-logic.patch
+bnxt_en-free-short-fw-command-hwrm-memory-in-error-path-in-bnxt_init_one.patch
+rxrpc-fix-net-namespace-cleanup.patch
+net-phy-marvell-fix-buffer-overrun-with-stats-counters.patch
+net-dsa-bcm_sf2-fix-buffer-overflow-doing-set_rxnfc.patch