From: Greg Kroah-Hartman Date: Sun, 24 Feb 2019 13:51:27 +0000 (+0100) Subject: 3.18-stable patches X-Git-Tag: v4.9.161~28 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=1e45d605f72c711c2c8ce70532e58bc823f0d4c6;p=thirdparty%2Fkernel%2Fstable-queue.git 3.18-stable patches added patches: batman-adv-fix-uninit-value-in-batadv_interface_tx.patch net-packet-fix-4gb-buffer-limit-due-to-overflow-check.patch sit-check-if-ipv6-enabled-before-calling-ip6_err_gen_icmpv6_unreach.patch team-avoid-complex-list-operations-in-team_nl_cmd_options_set.patch --- diff --git a/queue-3.18/batman-adv-fix-uninit-value-in-batadv_interface_tx.patch b/queue-3.18/batman-adv-fix-uninit-value-in-batadv_interface_tx.patch new file mode 100644 index 00000000000..a39744ed982 --- /dev/null +++ b/queue-3.18/batman-adv-fix-uninit-value-in-batadv_interface_tx.patch @@ -0,0 +1,99 @@ +From foo@baz Sun Feb 24 14:45:13 CET 2019 +From: Eric Dumazet +Date: Mon, 11 Feb 2019 14:41:22 -0800 +Subject: batman-adv: fix uninit-value in batadv_interface_tx() + +From: Eric Dumazet + +[ Upstream commit 4ffcbfac60642f63ae3d80891f573ba7e94a265c ] + +KMSAN reported batadv_interface_tx() was possibly using a +garbage value [1] + +batadv_get_vid() does have a pskb_may_pull() call +but batadv_interface_tx() does not actually make sure +this did not fail. + +[1] +BUG: KMSAN: uninit-value in batadv_interface_tx+0x908/0x1e40 net/batman-adv/soft-interface.c:231 +CPU: 0 PID: 10006 Comm: syz-executor469 Not tainted 4.20.0-rc7+ #5 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0x173/0x1d0 lib/dump_stack.c:113 + kmsan_report+0x12e/0x2a0 mm/kmsan/kmsan.c:613 + __msan_warning+0x82/0xf0 mm/kmsan/kmsan_instr.c:313 + batadv_interface_tx+0x908/0x1e40 net/batman-adv/soft-interface.c:231 + __netdev_start_xmit include/linux/netdevice.h:4356 [inline] + netdev_start_xmit include/linux/netdevice.h:4365 [inline] + xmit_one net/core/dev.c:3257 [inline] + dev_hard_start_xmit+0x607/0xc40 net/core/dev.c:3273 + __dev_queue_xmit+0x2e42/0x3bc0 net/core/dev.c:3843 + dev_queue_xmit+0x4b/0x60 net/core/dev.c:3876 + packet_snd net/packet/af_packet.c:2928 [inline] + packet_sendmsg+0x8306/0x8f30 net/packet/af_packet.c:2953 + sock_sendmsg_nosec net/socket.c:621 [inline] + sock_sendmsg net/socket.c:631 [inline] + __sys_sendto+0x8c4/0xac0 net/socket.c:1788 + __do_sys_sendto net/socket.c:1800 [inline] + __se_sys_sendto+0x107/0x130 net/socket.c:1796 + __x64_sys_sendto+0x6e/0x90 net/socket.c:1796 + do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291 + entry_SYSCALL_64_after_hwframe+0x63/0xe7 +RIP: 0033:0x441889 +Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 bb 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00 +RSP: 002b:00007ffdda6fd468 EFLAGS: 00000216 ORIG_RAX: 000000000000002c +RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 0000000000441889 +RDX: 000000000000000e RSI: 00000000200000c0 RDI: 0000000000000003 +RBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000216 R12: 00007ffdda6fd4c0 +R13: 00007ffdda6fd4b0 R14: 0000000000000000 R15: 0000000000000000 + +Uninit was created at: + kmsan_save_stack_with_flags mm/kmsan/kmsan.c:204 [inline] + kmsan_internal_poison_shadow+0x92/0x150 mm/kmsan/kmsan.c:158 + kmsan_kmalloc+0xa6/0x130 mm/kmsan/kmsan_hooks.c:176 + kmsan_slab_alloc+0xe/0x10 mm/kmsan/kmsan_hooks.c:185 + slab_post_alloc_hook mm/slab.h:446 [inline] + slab_alloc_node mm/slub.c:2759 [inline] + __kmalloc_node_track_caller+0xe18/0x1030 mm/slub.c:4383 + __kmalloc_reserve net/core/skbuff.c:137 [inline] + __alloc_skb+0x309/0xa20 net/core/skbuff.c:205 + alloc_skb include/linux/skbuff.h:998 [inline] + alloc_skb_with_frags+0x1c7/0xac0 net/core/skbuff.c:5220 + sock_alloc_send_pskb+0xafd/0x10e0 net/core/sock.c:2083 + packet_alloc_skb net/packet/af_packet.c:2781 [inline] + packet_snd net/packet/af_packet.c:2872 [inline] + packet_sendmsg+0x661a/0x8f30 net/packet/af_packet.c:2953 + sock_sendmsg_nosec net/socket.c:621 [inline] + sock_sendmsg net/socket.c:631 [inline] + __sys_sendto+0x8c4/0xac0 net/socket.c:1788 + __do_sys_sendto net/socket.c:1800 [inline] + __se_sys_sendto+0x107/0x130 net/socket.c:1796 + __x64_sys_sendto+0x6e/0x90 net/socket.c:1796 + do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291 + entry_SYSCALL_64_after_hwframe+0x63/0xe7 + +Fixes: c6c8fea29769 ("net: Add batman-adv meshing protocol") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Cc: Marek Lindner +Cc: Simon Wunderlich +Cc: Antonio Quartulli +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/batman-adv/soft-interface.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/net/batman-adv/soft-interface.c ++++ b/net/batman-adv/soft-interface.c +@@ -186,6 +186,8 @@ static int batadv_interface_tx(struct sk + + switch (ntohs(ethhdr->h_proto)) { + case ETH_P_8021Q: ++ if (!pskb_may_pull(skb, sizeof(*vhdr))) ++ goto dropped; + vhdr = vlan_eth_hdr(skb); + + if (vhdr->h_vlan_encapsulated_proto != ethertype) { diff --git a/queue-3.18/net-packet-fix-4gb-buffer-limit-due-to-overflow-check.patch b/queue-3.18/net-packet-fix-4gb-buffer-limit-due-to-overflow-check.patch new file mode 100644 index 00000000000..b567da796a1 --- /dev/null +++ b/queue-3.18/net-packet-fix-4gb-buffer-limit-due-to-overflow-check.patch @@ -0,0 +1,34 @@ +From foo@baz Sun Feb 24 14:45:13 CET 2019 +From: Kal Conley +Date: Sun, 10 Feb 2019 09:57:11 +0100 +Subject: net/packet: fix 4gb buffer limit due to overflow check + +From: Kal Conley + +[ Upstream commit fc62814d690cf62189854464f4bd07457d5e9e50 ] + +When calculating rb->frames_per_block * req->tp_block_nr the result +can overflow. Check it for overflow without limiting the total buffer +size to UINT_MAX. + +This change fixes support for packet ring buffers >= UINT_MAX. + +Fixes: 8f8d28e4d6d8 ("net/packet: fix overflow in check for tp_frame_nr") +Signed-off-by: Kal Conley +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/packet/af_packet.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/packet/af_packet.c ++++ b/net/packet/af_packet.c +@@ -3894,7 +3894,7 @@ static int packet_set_ring(struct sock * + rb->frames_per_block = req->tp_block_size/req->tp_frame_size; + if (unlikely(rb->frames_per_block <= 0)) + goto out; +- if (unlikely(req->tp_block_size > UINT_MAX / req->tp_block_nr)) ++ if (unlikely(rb->frames_per_block > UINT_MAX / req->tp_block_nr)) + goto out; + if (unlikely((rb->frames_per_block * req->tp_block_nr) != + req->tp_frame_nr)) diff --git a/queue-3.18/series b/queue-3.18/series index f1271173916..30567a96b78 100644 --- a/queue-3.18/series +++ b/queue-3.18/series @@ -17,3 +17,7 @@ leds-lp5523-fix-a-missing-check-of-return-value-of-l.patch isdn-avm-fix-string-plus-integer-warning-from-clang.patch keys-user-align-the-payload-buffer.patch keys-always-initialize-keyring_index_key-desc_len.patch +batman-adv-fix-uninit-value-in-batadv_interface_tx.patch +net-packet-fix-4gb-buffer-limit-due-to-overflow-check.patch +team-avoid-complex-list-operations-in-team_nl_cmd_options_set.patch +sit-check-if-ipv6-enabled-before-calling-ip6_err_gen_icmpv6_unreach.patch diff --git a/queue-3.18/sit-check-if-ipv6-enabled-before-calling-ip6_err_gen_icmpv6_unreach.patch b/queue-3.18/sit-check-if-ipv6-enabled-before-calling-ip6_err_gen_icmpv6_unreach.patch new file mode 100644 index 00000000000..5cb95bc6bf1 --- /dev/null +++ b/queue-3.18/sit-check-if-ipv6-enabled-before-calling-ip6_err_gen_icmpv6_unreach.patch @@ -0,0 +1,45 @@ +From foo@baz Sun Feb 24 14:41:29 CET 2019 +From: Hangbin Liu +Date: Thu, 7 Feb 2019 18:36:11 +0800 +Subject: sit: check if IPv6 enabled before calling ip6_err_gen_icmpv6_unreach() + +From: Hangbin Liu + +[ Upstream commit 173656accaf583698bac3f9e269884ba60d51ef4 ] + +If we disabled IPv6 from the kernel command line (ipv6.disable=1), we should +not call ip6_err_gen_icmpv6_unreach(). This: + + ip link add sit1 type sit local 192.0.2.1 remote 192.0.2.2 ttl 1 + ip link set sit1 up + ip addr add 198.51.100.1/24 dev sit1 + ping 198.51.100.2 + +if IPv6 is disabled at boot time, will crash the kernel. + +v2: there's no need to use in6_dev_get(), use __in6_dev_get() instead, + as we only need to check that idev exists and we are under + rcu_read_lock() (from netif_receive_skb_internal()). + +Reported-by: Jianlin Shi +Fixes: ca15a078bd90 ("sit: generate icmpv6 error when receiving icmpv4 error") +Cc: Oussama Ghorbel +Signed-off-by: Hangbin Liu +Reviewed-by: Stefano Brivio +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/sit.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/ipv6/sit.c ++++ b/net/ipv6/sit.c +@@ -577,7 +577,7 @@ static int ipip6_err(struct sk_buff *skb + goto out; + + err = 0; +- if (!ipip6_err_gen_icmpv6_unreach(skb)) ++ if (__in6_dev_get(skb->dev) && !ipip6_err_gen_icmpv6_unreach(skb)) + goto out; + + if (t->parms.iph.ttl == 0 && type == ICMP_TIME_EXCEEDED) diff --git a/queue-3.18/team-avoid-complex-list-operations-in-team_nl_cmd_options_set.patch b/queue-3.18/team-avoid-complex-list-operations-in-team_nl_cmd_options_set.patch new file mode 100644 index 00000000000..25a6f199aed --- /dev/null +++ b/queue-3.18/team-avoid-complex-list-operations-in-team_nl_cmd_options_set.patch @@ -0,0 +1,113 @@ +From foo@baz Sun Feb 24 14:45:13 CET 2019 +From: Cong Wang +Date: Mon, 11 Feb 2019 21:59:51 -0800 +Subject: team: avoid complex list operations in team_nl_cmd_options_set() + +From: Cong Wang + +[ Upstream commit 2fdeee2549231b1f989f011bb18191f5660d3745 ] + +The current opt_inst_list operations inside team_nl_cmd_options_set() +is too complex to track: + + LIST_HEAD(opt_inst_list); + nla_for_each_nested(...) { + list_for_each_entry(opt_inst, &team->option_inst_list, list) { + if (__team_option_inst_tmp_find(&opt_inst_list, opt_inst)) + continue; + list_add(&opt_inst->tmp_list, &opt_inst_list); + } + } + team_nl_send_event_options_get(team, &opt_inst_list); + +as while we retrieve 'opt_inst' from team->option_inst_list, it could +be added to the local 'opt_inst_list' for multiple times. The +__team_option_inst_tmp_find() doesn't work, as the setter +team_mode_option_set() still calls team->ops.exit() which uses +->tmp_list too in __team_options_change_check(). + +Simplify the list operations by moving the 'opt_inst_list' and +team_nl_send_event_options_get() into the nla_for_each_nested() loop so +that it can be guranteed that we won't insert a same list entry for +multiple times. Therefore, __team_option_inst_tmp_find() can be removed +too. + +Fixes: 4fb0534fb7bb ("team: avoid adding twice the same option to the event list") +Fixes: 2fcdb2c9e659 ("team: allow to send multiple set events in one message") +Reported-by: syzbot+4d4af685432dc0e56c91@syzkaller.appspotmail.com +Reported-by: syzbot+68ee510075cf64260cc4@syzkaller.appspotmail.com +Cc: Jiri Pirko +Cc: Paolo Abeni +Signed-off-by: Cong Wang +Acked-by: Jiri Pirko +Reviewed-by: Paolo Abeni +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/team/team.c | 27 +++++---------------------- + 1 file changed, 5 insertions(+), 22 deletions(-) + +--- a/drivers/net/team/team.c ++++ b/drivers/net/team/team.c +@@ -253,17 +253,6 @@ static void __team_option_inst_mark_remo + } + } + +-static bool __team_option_inst_tmp_find(const struct list_head *opts, +- const struct team_option_inst *needle) +-{ +- struct team_option_inst *opt_inst; +- +- list_for_each_entry(opt_inst, opts, tmp_list) +- if (opt_inst == needle) +- return true; +- return false; +-} +- + static int __team_options_register(struct team *team, + const struct team_option *option, + size_t option_count) +@@ -2435,7 +2424,6 @@ static int team_nl_cmd_options_set(struc + int err = 0; + int i; + struct nlattr *nl_option; +- LIST_HEAD(opt_inst_list); + + team = team_nl_team_get(info); + if (!team) +@@ -2451,6 +2439,7 @@ static int team_nl_cmd_options_set(struc + struct nlattr *opt_attrs[TEAM_ATTR_OPTION_MAX + 1]; + struct nlattr *attr; + struct nlattr *attr_data; ++ LIST_HEAD(opt_inst_list); + enum team_option_type opt_type; + int opt_port_ifindex = 0; /* != 0 for per-port options */ + u32 opt_array_index = 0; +@@ -2554,23 +2543,17 @@ static int team_nl_cmd_options_set(struc + if (err) + goto team_put; + opt_inst->changed = true; +- +- /* dumb/evil user-space can send us duplicate opt, +- * keep only the last one +- */ +- if (__team_option_inst_tmp_find(&opt_inst_list, +- opt_inst)) +- continue; +- + list_add(&opt_inst->tmp_list, &opt_inst_list); + } + if (!opt_found) { + err = -ENOENT; + goto team_put; + } +- } + +- err = team_nl_send_event_options_get(team, &opt_inst_list); ++ err = team_nl_send_event_options_get(team, &opt_inst_list); ++ if (err) ++ break; ++ } + + team_put: + team_nl_team_put(team);