From: Greg Kroah-Hartman
Date: Fri, 8 Jun 2018 04:52:17 +0000 (+0200)
Subject: 4.17-stable patches
X-Git-Tag: v4.17.1~13
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=26cefb6c869face801686f46ca840a2459363441;p=thirdparty%2Fkernel%2Fstable-queue.git
4.17-stable patches
added patches:
bnx2x-use-the-right-constant.patch
ip6mr-only-set-ip6mr_table-from-setsockopt-when-ip6mr_new_table-succeeds.patch
ipmr-fix-error-path-when-ipmr_new_table-fails.patch
ipv6-omit-traffic-class-when-calculating-flow-hash.patch
l2tp-fix-refcount-leakage-on-pppol2tp-sockets.patch
net-dsa-b53-fix-for-brcm-tag-issue-in-cygnus-soc.patch
net-metrics-add-proper-netlink-validation.patch
net-packet-refine-check-for-priv-area-size.patch
netdev-faq-clarify-davem-s-position-for-stable-backports.patch
rtnetlink-validate-attributes-in-do_setlink.patch
sctp-not-allow-transport-timeout-value-less-than-hz-5-for-hb_timer.patch
team-use-netdev_features_t-instead-of-u32.patch
vrf-check-the-original-netdevice-for-generating-redirect.patch
---
diff --git a/queue-4.17/bnx2x-use-the-right-constant.patch b/queue-4.17/bnx2x-use-the-right-constant.patch
new file mode 100644
index 00000000000..aba501dd7a5
--- /dev/null
+++ b/queue-4.17/bnx2x-use-the-right-constant.patch
@@ -0,0 +1,42 @@
+From foo@baz Fri Jun 8 06:51:12 CEST 2018
+From: Julia Lawall
+Date: Wed, 6 Jun 2018 15:03:22 +0200
+Subject: bnx2x: use the right constant
+
+From: Julia Lawall
+
+[ Upstream commit dd612f18a49b63af8b3a5f572d999bdb197385bc ]
+
+Nearby code that also tests port suggests that the P0 constant should be
+used when port is zero.
+
+The semantic match that finds this problem is as follows:
+(http://coccinelle.lip6.fr/)
+
+//
+@@
+expression e,e1;
+@@
+
+* e ? e1 : e1
+//
+
+Fixes: 6c3218c6f7e5 ("bnx2x: Adjust ETS to 578xx")
+Signed-off-by: Julia Lawall
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/broadcom/bnx2x/bnx2x_link.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_link.c
++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_link.c
+@@ -588,7 +588,7 @@ static void bnx2x_ets_e3b0_nig_disabled(
+ * slots for the highest priority.
+ */
+ REG_WR(bp, (port) ? NIG_REG_P1_TX_ARB_NUM_STRICT_ARB_SLOTS :
+- NIG_REG_P1_TX_ARB_NUM_STRICT_ARB_SLOTS, 0x100);
++ NIG_REG_P0_TX_ARB_NUM_STRICT_ARB_SLOTS, 0x100);
+ /* Mapping between the CREDIT_WEIGHT registers and actual client
+ * numbers
+ */
diff --git a/queue-4.17/ip6mr-only-set-ip6mr_table-from-setsockopt-when-ip6mr_new_table-succeeds.patch b/queue-4.17/ip6mr-only-set-ip6mr_table-from-setsockopt-when-ip6mr_new_table-succeeds.patch
new file mode 100644
index 00000000000..ddd20aa3f12
--- /dev/null
+++ b/queue-4.17/ip6mr-only-set-ip6mr_table-from-setsockopt-when-ip6mr_new_table-succeeds.patch
@@ -0,0 +1,37 @@
+From foo@baz Fri Jun 8 06:51:12 CEST 2018
+From: Sabrina Dubroca
+Date: Tue, 5 Jun 2018 15:01:59 +0200
+Subject: ip6mr: only set ip6mr_table from setsockopt when ip6mr_new_table succeeds
+
+From: Sabrina Dubroca
+
+[ Upstream commit 848235edb5c93ed086700584c8ff64f6d7fc778d ]
+
+Currently, raw6_sk(sk)->ip6mr_table is set unconditionally during
+ip6_mroute_setsockopt(MRT6_TABLE). A subsequent attempt at the same
+setsockopt will fail with -ENOENT, since we haven't actually created
+that table.
+
+A similar fix for ipv4 was included in commit 5e1859fbcc3c ("ipv4: ipmr:
+various fixes and cleanups").
+
+Fixes: d1db275dd3f6 ("ipv6: ip6mr: support multiple tables")
+Signed-off-by: Sabrina Dubroca
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv6/ip6mr.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/ipv6/ip6mr.c
++++ b/net/ipv6/ip6mr.c
+@@ -1759,7 +1759,8 @@ int ip6_mroute_setsockopt(struct sock *s
+ ret = 0;
+ if (!ip6mr_new_table(net, v))
+ ret = -ENOMEM;
+- raw6_sk(sk)->ip6mr_table = v;
++ else
++ raw6_sk(sk)->ip6mr_table = v;
+ rtnl_unlock();
+ return ret;
+ }
diff --git a/queue-4.17/ipmr-fix-error-path-when-ipmr_new_table-fails.patch b/queue-4.17/ipmr-fix-error-path-when-ipmr_new_table-fails.patch
new file mode 100644
index 00000000000..51ad6917679
--- /dev/null
+++ b/queue-4.17/ipmr-fix-error-path-when-ipmr_new_table-fails.patch
@@ -0,0 +1,118 @@
+From foo@baz Fri Jun 8 06:51:12 CEST 2018
+From: Sabrina Dubroca
+Date: Tue, 5 Jun 2018 15:02:00 +0200
+Subject: ipmr: fix error path when ipmr_new_table fails
+
+From: Sabrina Dubroca
+
+[ Upstream commit e783bb00ad86d9d1f01d9d3a750713070036358e ]
+
+commit 0bbbf0e7d0e7 ("ipmr, ip6mr: Unite creation of new mr_table")
+refactored ipmr_new_table, so that it now returns NULL when
+mr_table_alloc fails. Unfortunately, all callers of ipmr_new_table
+expect an ERR_PTR.
+
+This can result in NULL deref, for example when ipmr_rules_exit calls
+ipmr_free_table with NULL net->ipv4.mrt in the
+!CONFIG_IP_MROUTE_MULTIPLE_TABLES version.
+
+This patch makes mr_table_alloc return errors, and changes
+ip6mr_new_table and its callers to return/expect error pointers as
+well. It also removes the version of mr_table_alloc defined under
+!CONFIG_IP_MROUTE_COMMON, since it is never used.
+
+Fixes: 0bbbf0e7d0e7 ("ipmr, ip6mr: Unite creation of new mr_table")
+Signed-off-by: Sabrina Dubroca
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ include/linux/mroute_base.h | 10 ----------
+ net/ipv4/ipmr_base.c | 8 +++++---
+ net/ipv6/ip6mr.c | 18 ++++++++++++------
+ 3 files changed, 17 insertions(+), 19 deletions(-)
+
+--- a/include/linux/mroute_base.h
++++ b/include/linux/mroute_base.h
+@@ -307,16 +307,6 @@ static inline void vif_device_init(struc
+ {
+ }
+
+-static inline void *
+-mr_table_alloc(struct net *net, u32 id,
+- struct mr_table_ops *ops,
+- void (*expire_func)(struct timer_list *t),
+- void (*table_set)(struct mr_table *mrt,
+- struct net *net))
+-{
+- return NULL;
+-}
+-
+ static inline void *mr_mfc_find_parent(struct mr_table *mrt,
+ void *hasharg, int parent)
+ {
+--- a/net/ipv4/ipmr_base.c
++++ b/net/ipv4/ipmr_base.c
+@@ -35,17 +35,19 @@ mr_table_alloc(struct net *net, u32 id,
+ struct net *net))
+ {
+ struct mr_table *mrt;
++ int err;
+
+ mrt = kzalloc(sizeof(*mrt), GFP_KERNEL);
+ if (!mrt)
+- return NULL;
++ return ERR_PTR(-ENOMEM);
+ mrt->id = id;
+ write_pnet(&mrt->net, net);
+
+ mrt->ops = *ops;
+- if (rhltable_init(&mrt->mfc_hash, mrt->ops.rht_params)) {
++ err = rhltable_init(&mrt->mfc_hash, mrt->ops.rht_params);
++ if (err) {
+ kfree(mrt);
+- return NULL;
++ return ERR_PTR(err);
+ }
+ INIT_LIST_HEAD(&mrt->mfc_cache_list);
+ INIT_LIST_HEAD(&mrt->mfc_unres_queue);
+--- a/net/ipv6/ip6mr.c
++++ b/net/ipv6/ip6mr.c
+@@ -227,8 +227,8 @@ static int __net_init ip6mr_rules_init(s
+ INIT_LIST_HEAD(&net->ipv6.mr6_tables);
+
+ mrt = ip6mr_new_table(net, RT6_TABLE_DFLT);
+- if (!mrt) {
+- err = -ENOMEM;
++ if (IS_ERR(mrt)) {
++ err = PTR_ERR(mrt);
+ goto err1;
+ }
+
+@@ -301,8 +301,13 @@ static int ip6mr_fib_lookup(struct net *
+
+ static int __net_init ip6mr_rules_init(struct net *net)
+ {
+- net->ipv6.mrt6 = ip6mr_new_table(net, RT6_TABLE_DFLT);
+- return net->ipv6.mrt6 ? 0 : -ENOMEM;
++ struct mr_table *mrt;
++
++ mrt = ip6mr_new_table(net, RT6_TABLE_DFLT);
++ if (IS_ERR(mrt))
++ return PTR_ERR(mrt);
++ net->ipv6.mrt6 = mrt;
++ return 0;
+ }
+
+ static void __net_exit ip6mr_rules_exit(struct net *net)
+@@ -1757,8 +1762,9 @@ int ip6_mroute_setsockopt(struct sock *s
+
+ rtnl_lock();
+ ret = 0;
+- if (!ip6mr_new_table(net, v))
+- ret = -ENOMEM;
++ mrt = ip6mr_new_table(net, v);
++ if (IS_ERR(mrt))
++ ret = PTR_ERR(mrt);
+ else
+ raw6_sk(sk)->ip6mr_table = v;
+ rtnl_unlock();
diff --git a/queue-4.17/ipv6-omit-traffic-class-when-calculating-flow-hash.patch b/queue-4.17/ipv6-omit-traffic-class-when-calculating-flow-hash.patch
new file mode 100644
index 00000000000..083059c5401
--- /dev/null
+++ b/queue-4.17/ipv6-omit-traffic-class-when-calculating-flow-hash.patch
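Review bot: The ip6_mroute_setsockopt hunk at the end of this patch uses `+ else` / `+ raw6_sk(sk)->ip6mr_table = v;` as context lines, and that `else` only exists once the preceding queue entry ip6mr-only-set-ip6mr_table-from-setsockopt-when-ip6mr_new_table-succeeds.patch has been applied, so the two files must keep that order in the series file, which this commit does not show. The hunk also relies on `mrt` already being declared in ip6_mroute_setsockopt, since no declaration is added; the function body starts outside the hunk, so that cannot be confirmed here. A one-line comment on the new `IS_ERR(mrt)` branch in the single-table ip6mr_rules_init would help, e.g. `/* ip6mr_new_table() returns ERR_PTR() on failure, never NULL */`, because the old `!mrt` convention survived in three callers and is an easy habit to fall back into.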
@@ -0,0 +1,75 @@
+From foo@baz Fri Jun 8 06:51:12 CEST 2018
+From: Michal Kubecek
+Date: Mon, 4 Jun 2018 11:36:05 +0200
+Subject: ipv6: omit traffic class when calculating flow hash
+
+From: Michal Kubecek
+
+[ Upstream commit fa1be7e01ea863e911349e30456706749518eeab ]
+
+Some of the code paths calculating flow hash for IPv6 use flowlabel member
+of struct flowi6 which, despite its name, encodes both flow label and
+traffic class. If traffic class changes within a TCP connection (as e.g.
+ssh does), ECMP route can switch between path. It's also inconsistent with
+other code paths where ip6_flowlabel() (returning only flow label) is used
+to feed the key.
+
+Use only flow label everywhere, including one place where hash key is set
+using ip6_flowinfo().
+
+Fixes: 51ebd3181572 ("ipv6: add support of equal cost multipath (ECMP)")
+Fixes: f70ea018da06 ("net: Add functions to get skb->hash based on flow structures")
+Signed-off-by: Michal Kubecek
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ include/net/ipv6.h | 5 +++++
+ net/core/flow_dissector.c | 2 +-
+ net/ipv6/route.c | 4 ++--
+ 3 files changed, 8 insertions(+), 3 deletions(-)
+
+--- a/include/net/ipv6.h
++++ b/include/net/ipv6.h
+@@ -906,6 +906,11 @@ static inline __be32 ip6_make_flowinfo(u
+ return htonl(tclass << IPV6_TCLASS_SHIFT) | flowlabel;
+ }
+
++static inline __be32 flowi6_get_flowlabel(const struct flowi6 *fl6)
++{
++ return fl6->flowlabel & IPV6_FLOWLABEL_MASK;
++}
++
+ /*
+ * Prototypes exported by ipv6
+ */
+--- a/net/core/flow_dissector.c
++++ b/net/core/flow_dissector.c
+@@ -1334,7 +1334,7 @@ __u32 __get_hash_from_flowi6(const struc
+ keys->ports.src = fl6->fl6_sport;
+ keys->ports.dst = fl6->fl6_dport;
+ keys->keyid.keyid = fl6->fl6_gre_key;
+- keys->tags.flow_label = (__force u32)fl6->flowlabel;
++ keys->tags.flow_label = (__force u32)flowi6_get_flowlabel(fl6);
+ keys->basic.ip_proto = fl6->flowi6_proto;
+
+ return flow_hash_from_keys(keys);
+--- a/net/ipv6/route.c
++++ b/net/ipv6/route.c
+@@ -1868,7 +1868,7 @@ out:
+ } else {
+ keys->addrs.v6addrs.src = key_iph->saddr;
+ keys->addrs.v6addrs.dst = key_iph->daddr;
+- keys->tags.flow_label = ip6_flowinfo(key_iph);
++ keys->tags.flow_label = ip6_flowlabel(key_iph);
+ keys->basic.ip_proto = key_iph->nexthdr;
+ }
+ }
+@@ -1889,7 +1889,7 @@ u32 rt6_multipath_hash(const struct net
+ } else {
+ hash_keys.addrs.v6addrs.src = fl6->saddr;
+ hash_keys.addrs.v6addrs.dst = fl6->daddr;
+- hash_keys.tags.flow_label = (__force u32)fl6->flowlabel;
++ hash_keys.tags.flow_label = (__force u32)flowi6_get_flowlabel(fl6);
+ hash_keys.basic.ip_proto = fl6->flowi6_proto;
+ }
+ break;
diff --git a/queue-4.17/l2tp-fix-refcount-leakage-on-pppol2tp-sockets.patch b/queue-4.17/l2tp-fix-refcount-leakage-on-pppol2tp-sockets.patch
new file mode 100644
index 00000000000..6fda6408e96
--- /dev/null
+++ b/queue-4.17/l2tp-fix-refcount-leakage-on-pppol2tp-sockets.patch
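Review bot: `flowi6_get_flowlabel()` goes into a public header without a comment, while the reason it exists — `fl6->flowlabel` carries the traffic class as well as the flow label, as the `ip6_make_flowinfo()` body directly above it shows — lives only in the commit message. Suggest a short comment above the new helper: `/* fl6->flowlabel is tclass | flowlabel (see ip6_make_flowinfo()); hash inputs must use the label bits only, or a tclass change moves a flow between ECMP paths. */`. The route.c hunk at line 1868 switches `ip6_flowinfo()` to `ip6_flowlabel()` on the raw header, which appears to be the equivalent masking for the skb-based path; the enclosing functions there start and end outside the hunks.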
@@ -0,0 +1,145 @@
+From foo@baz Fri Jun 8 06:51:12 CEST 2018
+From: Guillaume Nault
+Date: Mon, 4 Jun 2018 18:52:19 +0200
+Subject: l2tp: fix refcount leakage on PPPoL2TP sockets
+
+From: Guillaume Nault
+
+[ Upstream commit 3d609342cc04129ff7568e19316ce3d7451a27e8 ]
+
+Commit d02ba2a6110c ("l2tp: fix race in pppol2tp_release with session
+object destroy") tried to fix a race condition where a PPPoL2TP socket
+would disappear while the L2TP session was still using it. However, it
+missed the root issue which is that an L2TP session may accept to be
+reconnected if its associated socket has entered the release process.
+
+The tentative fix makes the session hold the socket it is connected to.
+That saves the kernel from crashing, but introduces refcount leakage,
+preventing the socket from completing the release process. Once stalled,
+everything the socket depends on can't be released anymore, including
+the L2TP session and the l2tp_ppp module.
+
+The root issue is that, when releasing a connected PPPoL2TP socket, the
+session's ->sk pointer (RCU-protected) is reset to NULL and we have to
+wait for a grace period before destroying the socket. The socket drops
+the session in its ->sk_destruct callback function, so the session
+will exist until the last reference on the socket is dropped.
+Therefore, there is a time frame where pppol2tp_connect() may accept
+reconnecting a session, as it only checks ->sk to figure out if the
+session is connected. This time frame is shortened by the fact that
+pppol2tp_release() calls l2tp_session_delete(), making the session
+unreachable before resetting ->sk. However, pppol2tp_connect() may
+grab the session before it gets unhashed by l2tp_session_delete(), but
+it may test ->sk after the later got reset. The race is not so hard to
+trigger and syzbot found a pretty reliable reproducer:
+https://syzkaller.appspot.com/bug?id=418578d2a4389074524e04d641eacb091961b2cf
+
+Before d02ba2a6110c, another race could let pppol2tp_release()
+overwrite the ->__sk pointer of an L2TP session, thus tricking
+pppol2tp_put_sk() into calling sock_put() on a socket that is different
+than the one for which pppol2tp_release() was originally called. To get
+there, we had to trigger the race described above, therefore having one
+PPPoL2TP socket being released, while the session it is connected to is
+reconnecting to a different PPPoL2TP socket. When releasing this new
+socket fast enough, pppol2tp_release() overwrites the session's
+->__sk pointer with the address of the new socket, before the first
+pppol2tp_put_sk() call gets scheduled. Then the pppol2tp_put_sk() call
+invoked by the original socket will sock_put() the new socket,
+potentially dropping its last reference. When the second
+pppol2tp_put_sk() finally runs, its socket has already been freed.
+
+With d02ba2a6110c, the session takes a reference on both sockets.
+Furthermore, the session's ->sk pointer is reset in the
+pppol2tp_session_close() callback function rather than in
+pppol2tp_release(). Therefore, ->__sk can't be overwritten and
+pppol2tp_put_sk() is called only once (l2tp_session_delete() will only
+run pppol2tp_session_close() once, to protect the session against
+concurrent deletion requests). Now pppol2tp_put_sk() will properly
+sock_put() the original socket, but the new socket will remain, as
+l2tp_session_delete() prevented the release process from completing.
+Here, we don't depend on the ->__sk race to trigger the bug. Getting
+into the pppol2tp_connect() race is enough to leak the reference, no
+matter when new socket is released.
+
+So it all boils down to pppol2tp_connect() failing to realise that the
+session has already been connected. This patch drops the unneeded extra
+reference counting (mostly reverting d02ba2a6110c) and checks that
+neither ->sk nor ->__sk is set before allowing a session to be
+connected.
+
+Fixes: d02ba2a6110c ("l2tp: fix race in pppol2tp_release with session object destroy")
+Signed-off-by: Guillaume Nault
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/l2tp/l2tp_ppp.c | 35 +++++++++++++++++------------------
+ 1 file changed, 17 insertions(+), 18 deletions(-)
+
+--- a/net/l2tp/l2tp_ppp.c
++++ b/net/l2tp/l2tp_ppp.c
+@@ -428,16 +428,6 @@ static void pppol2tp_put_sk(struct rcu_h
+ */
+ static void pppol2tp_session_close(struct l2tp_session *session)
+ {
+- struct pppol2tp_session *ps;
+-
+- ps = l2tp_session_priv(session);
+- mutex_lock(&ps->sk_lock);
+- ps->__sk = rcu_dereference_protected(ps->sk,
+- lockdep_is_held(&ps->sk_lock));
+- RCU_INIT_POINTER(ps->sk, NULL);
+- if (ps->__sk)
+- call_rcu(&ps->rcu, pppol2tp_put_sk);
+- mutex_unlock(&ps->sk_lock);
+ }
+
+ /* Really kill the session socket. (Called from sock_put() if
+@@ -480,15 +470,24 @@ static int pppol2tp_release(struct socke
+ sock_orphan(sk);
+ sock->sk = NULL;
+
+- /* If the socket is associated with a session,
+- * l2tp_session_delete will call pppol2tp_session_close which
+- * will drop the session's ref on the socket.
+- */
+ session = pppol2tp_sock_to_session(sk);
+ if (session) {
++ struct pppol2tp_session *ps;
++
+ l2tp_session_delete(session);
+- /* drop the ref obtained by pppol2tp_sock_to_session */
+- sock_put(sk);
++
++ ps = l2tp_session_priv(session);
++ mutex_lock(&ps->sk_lock);
++ ps->__sk = rcu_dereference_protected(ps->sk,
++ lockdep_is_held(&ps->sk_lock));
++ RCU_INIT_POINTER(ps->sk, NULL);
++ mutex_unlock(&ps->sk_lock);
++ call_rcu(&ps->rcu, pppol2tp_put_sk);
++
++ /* Rely on the sock_put() call at the end of the function for
++ * dropping the reference held by pppol2tp_sock_to_session().
++ * The last reference will be dropped by pppol2tp_put_sk().
++ */
+ }
+
+ release_sock(sk);
+@@ -742,7 +741,8 @@ static int pppol2tp_connect(struct socke
+ */
+ mutex_lock(&ps->sk_lock);
+ if (rcu_dereference_protected(ps->sk,
+- lockdep_is_held(&ps->sk_lock))) {
++ lockdep_is_held(&ps->sk_lock)) ||
++ ps->__sk) {
+ mutex_unlock(&ps->sk_lock);
+ error = -EEXIST;
+ goto end;
+@@ -803,7 +803,6 @@ static int pppol2tp_connect(struct socke
+
+ out_no_ppp:
+ /* This is how we get the session context from the socket. */
+- sock_hold(sk);
+ sk->sk_user_data = session;
+ rcu_assign_pointer(ps->sk, sk);
+ mutex_unlock(&ps->sk_lock);
diff --git a/queue-4.17/net-dsa-b53-fix-for-brcm-tag-issue-in-cygnus-soc.patch b/queue-4.17/net-dsa-b53-fix-for-brcm-tag-issue-in-cygnus-soc.patch
new file mode 100644
index 00000000000..f6f93c802a7
--- /dev/null
+++ b/queue-4.17/net-dsa-b53-fix-for-brcm-tag-issue-in-cygnus-soc.patch
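Review bot: The new `|| ps->__sk` test in pppol2tp_connect carries no comment, and the reason it is needed is subtle: once pppol2tp_release clears `ps->sk` under `sk_lock`, the old socket lingers in `ps->__sk` until the RCU callback pppol2tp_put_sk runs, and a session in that window must still count as connected or the leak described above returns. Suggest a comment ahead of the `if`, e.g. `/* ->__sk stays set until pppol2tp_put_sk() runs: the session is still being released, refuse to reconnect it */`. Note also that pppol2tp_release now issues `call_rcu(&ps->rcu, pppol2tp_put_sk)` unconditionally, whereas the deleted pppol2tp_session_close body only did so when `ps->__sk` was non-NULL; that looks safe if pppol2tp_sock_to_session() guarantees `ps->sk == sk`, but that helper is outside the hunk and is worth confirming. Both pppol2tp_release and pppol2tp_connect start and end outside the hunks.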
@@ -0,0 +1,106 @@
+From foo@baz Fri Jun 8 06:51:12 CEST 2018
+From: Arun Parameswaran
+Date: Tue, 5 Jun 2018 13:38:12 -0700
+Subject: net: dsa: b53: Fix for brcm tag issue in Cygnus SoC
+
+From: Arun Parameswaran
+
+[ Upstream commit 5040cc990cbac98733df4d58fdeac5bbdab15b49 ]
+
+In the Broadcom Cygnus SoC, the brcm tag needs to be inserted
+in between the mac address and the ether type (should use
+'DSA_PROTO_TAG_BRCM') for the packets sent to the internal
+b53 switch.
+
+Since the Cygnus was added with the BCM58XX device id and the
+BCM58XX uses 'DSA_PROTO_TAG_BRCM_PREPEND', the data path is
+broken, due to the incorrect brcm tag location.
+
+Add a new b53 device id (BCM583XX) for Cygnus family to fix the
+issue. Add the new device id to the BCM58XX family as Cygnus
+is similar to the BCM58XX in most other functionalities.
+
+Fixes: 11606039604c ("net: dsa: b53: Support prepended Broadcom tags")
+
+Signed-off-by: Arun Parameswaran
+Acked-by: Scott Branden
+Reported-by: Clément Péron
+Reviewed-by: Florian Fainelli
+Tested-by: Clément Péron
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/dsa/b53/b53_common.c | 15 ++++++++++++++-
+ drivers/net/dsa/b53/b53_priv.h | 2 ++
+ drivers/net/dsa/b53/b53_srab.c | 4 ++--
+ 3 files changed, 18 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/dsa/b53/b53_common.c
++++ b/drivers/net/dsa/b53/b53_common.c
+@@ -684,7 +684,8 @@ static int b53_switch_reset(struct b53_d
+ * still use this driver as a library and need to perform the reset
+ * earlier.
+ */
+- if (dev->chip_id == BCM58XX_DEVICE_ID) {
++ if (dev->chip_id == BCM58XX_DEVICE_ID ||
++ dev->chip_id == BCM583XX_DEVICE_ID) {
+ b53_read8(dev, B53_CTRL_PAGE, B53_SOFTRESET, ®);
+ reg |= SW_RST | EN_SW_RST | EN_CH_RST;
+ b53_write8(dev, B53_CTRL_PAGE, B53_SOFTRESET, reg);
+@@ -1875,6 +1876,18 @@ static const struct b53_chip_data b53_sw
+ .arl_entries = 4,
+ .cpu_port = B53_CPU_PORT,
+ .vta_regs = B53_VTA_REGS,
++ .duplex_reg = B53_DUPLEX_STAT_GE,
++ .jumbo_pm_reg = B53_JUMBO_PORT_MASK,
++ .jumbo_size_reg = B53_JUMBO_MAX_SIZE,
++ },
++ {
++ .chip_id = BCM583XX_DEVICE_ID,
++ .dev_name = "BCM583xx/11360",
++ .vlans = 4096,
++ .enabled_ports = 0x103,
++ .arl_entries = 4,
++ .cpu_port = B53_CPU_PORT,
++ .vta_regs = B53_VTA_REGS,
+ .duplex_reg = B53_DUPLEX_STAT_GE,
+ .jumbo_pm_reg = B53_JUMBO_PORT_MASK,
+ .jumbo_size_reg = B53_JUMBO_MAX_SIZE,
+--- a/drivers/net/dsa/b53/b53_priv.h
++++ b/drivers/net/dsa/b53/b53_priv.h
+@@ -62,6 +62,7 @@ enum {
+ BCM53018_DEVICE_ID = 0x53018,
+ BCM53019_DEVICE_ID = 0x53019,
+ BCM58XX_DEVICE_ID = 0x5800,
++ BCM583XX_DEVICE_ID = 0x58300,
+ BCM7445_DEVICE_ID = 0x7445,
+ BCM7278_DEVICE_ID = 0x7278,
+ };
+@@ -181,6 +182,7 @@ static inline int is5301x(struct b53_dev
+ static inline int is58xx(struct b53_device *dev)
+ {
+ return dev->chip_id == BCM58XX_DEVICE_ID ||
++ dev->chip_id == BCM583XX_DEVICE_ID ||
+ dev->chip_id == BCM7445_DEVICE_ID ||
+ dev->chip_id == BCM7278_DEVICE_ID;
+ }
+--- a/drivers/net/dsa/b53/b53_srab.c
++++ b/drivers/net/dsa/b53/b53_srab.c
+@@ -364,7 +364,7 @@ static const struct of_device_id b53_sra
+ { .compatible = "brcm,bcm53018-srab" },
+ { .compatible = "brcm,bcm53019-srab" },
+ { .compatible = "brcm,bcm5301x-srab" },
+- { .compatible = "brcm,bcm11360-srab", .data = (void *)BCM58XX_DEVICE_ID },
++ { .compatible = "brcm,bcm11360-srab", .data = (void *)BCM583XX_DEVICE_ID },
+ { .compatible = "brcm,bcm58522-srab", .data = (void *)BCM58XX_DEVICE_ID },
+ { .compatible = "brcm,bcm58525-srab", .data = (void *)BCM58XX_DEVICE_ID },
+ { .compatible = "brcm,bcm58535-srab", .data = (void *)BCM58XX_DEVICE_ID },
+@@ -372,7 +372,7 @@ static const struct of_device_id b53_sra
+ { .compatible = "brcm,bcm58623-srab", .data = (void *)BCM58XX_DEVICE_ID },
+ { .compatible = "brcm,bcm58625-srab", .data = (void *)BCM58XX_DEVICE_ID },
+ { .compatible = "brcm,bcm88312-srab", .data = (void *)BCM58XX_DEVICE_ID },
+- { .compatible = "brcm,cygnus-srab", .data = (void *)BCM58XX_DEVICE_ID },
++ { .compatible = "brcm,cygnus-srab", .data = (void *)BCM583XX_DEVICE_ID },
+ { .compatible = "brcm,nsp-srab", .data = (void *)BCM58XX_DEVICE_ID },
+ { /* sentinel */ },
+ };
diff --git a/queue-4.17/net-metrics-add-proper-netlink-validation.patch b/queue-4.17/net-metrics-add-proper-netlink-validation.patch
new file mode 100644
index 00000000000..56d189805a6
--- /dev/null
+++ b/queue-4.17/net-metrics-add-proper-netlink-validation.patch
@@ -0,0 +1,129 @@
+From foo@baz Fri Jun 8 06:51:12 CEST 2018
+From: Eric Dumazet
+Date: Tue, 5 Jun 2018 06:06:19 -0700
+Subject: net: metrics: add proper netlink validation
+
+From: Eric Dumazet
+
+[ Upstream commit 5b5e7a0de2bbf2a1afcd9f49e940010e9fb80d53 ]
+
+Before using nla_get_u32(), better make sure the attribute
+is of the proper size.
+
+Code recently was changed, but bug has been there from beginning
+of git.
+
+BUG: KMSAN: uninit-value in rtnetlink_put_metrics+0x553/0x960 net/core/rtnetlink.c:746
+CPU: 1 PID: 14139 Comm: syz-executor6 Not tainted 4.17.0-rc5+ #103
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x185/0x1d0 lib/dump_stack.c:113
+ kmsan_report+0x149/0x260 mm/kmsan/kmsan.c:1084
+ __msan_warning_32+0x6e/0xc0 mm/kmsan/kmsan_instr.c:686
+ rtnetlink_put_metrics+0x553/0x960 net/core/rtnetlink.c:746
+ fib_dump_info+0xc42/0x2190 net/ipv4/fib_semantics.c:1361
+ rtmsg_fib+0x65f/0x8c0 net/ipv4/fib_semantics.c:419
+ fib_table_insert+0x2314/0x2b50 net/ipv4/fib_trie.c:1287
+ inet_rtm_newroute+0x210/0x340 net/ipv4/fib_frontend.c:779
+ rtnetlink_rcv_msg+0xa32/0x1560 net/core/rtnetlink.c:4646
+ netlink_rcv_skb+0x378/0x600 net/netlink/af_netlink.c:2448
+ rtnetlink_rcv+0x50/0x60 net/core/rtnetlink.c:4664
+ netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
+ netlink_unicast+0x1678/0x1750 net/netlink/af_netlink.c:1336
+ netlink_sendmsg+0x104f/0x1350 net/netlink/af_netlink.c:1901
+ sock_sendmsg_nosec net/socket.c:629 [inline]
+ sock_sendmsg net/socket.c:639 [inline]
+ ___sys_sendmsg+0xec0/0x1310 net/socket.c:2117
+ __sys_sendmsg net/socket.c:2155 [inline]
+ __do_sys_sendmsg net/socket.c:2164 [inline]
+ __se_sys_sendmsg net/socket.c:2162 [inline]
+ __x64_sys_sendmsg+0x331/0x460 net/socket.c:2162
+ do_syscall_64+0x152/0x230 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+RIP: 0033:0x455a09
+RSP: 002b:00007faae5fd8c68 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
+RAX: ffffffffffffffda RBX: 00007faae5fd96d4 RCX: 0000000000455a09
+RDX: 0000000000000000 RSI: 0000000020000000 RDI: 0000000000000013
+RBP: 000000000072bea0 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
+R13: 00000000000005d0 R14: 00000000006fdc20 R15: 0000000000000000
+
+Uninit was stored to memory at:
+ kmsan_save_stack_with_flags mm/kmsan/kmsan.c:279 [inline]
+ kmsan_save_stack mm/kmsan/kmsan.c:294 [inline]
+ kmsan_internal_chain_origin+0x12b/0x210 mm/kmsan/kmsan.c:685
+ __msan_chain_origin+0x69/0xc0 mm/kmsan/kmsan_instr.c:529
+ fib_convert_metrics net/ipv4/fib_semantics.c:1056 [inline]
+ fib_create_info+0x2d46/0x9dc0 net/ipv4/fib_semantics.c:1150
+ fib_table_insert+0x3e4/0x2b50 net/ipv4/fib_trie.c:1146
+ inet_rtm_newroute+0x210/0x340 net/ipv4/fib_frontend.c:779
+ rtnetlink_rcv_msg+0xa32/0x1560 net/core/rtnetlink.c:4646
+ netlink_rcv_skb+0x378/0x600 net/netlink/af_netlink.c:2448
+ rtnetlink_rcv+0x50/0x60 net/core/rtnetlink.c:4664
+ netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
+ netlink_unicast+0x1678/0x1750 net/netlink/af_netlink.c:1336
+ netlink_sendmsg+0x104f/0x1350 net/netlink/af_netlink.c:1901
+ sock_sendmsg_nosec net/socket.c:629 [inline]
+ sock_sendmsg net/socket.c:639 [inline]
+ ___sys_sendmsg+0xec0/0x1310 net/socket.c:2117
+ __sys_sendmsg net/socket.c:2155 [inline]
+ __do_sys_sendmsg net/socket.c:2164 [inline]
+ __se_sys_sendmsg net/socket.c:2162 [inline]
+ __x64_sys_sendmsg+0x331/0x460 net/socket.c:2162
+ do_syscall_64+0x152/0x230 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+Uninit was created at:
+ kmsan_save_stack_with_flags mm/kmsan/kmsan.c:279 [inline]
+ kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:189
+ kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:315
+ kmsan_slab_alloc+0x10/0x20 mm/kmsan/kmsan.c:322
+ slab_post_alloc_hook mm/slab.h:446 [inline]
+ slab_alloc_node mm/slub.c:2753 [inline]
+ __kmalloc_node_track_caller+0xb32/0x11b0 mm/slub.c:4395
+ __kmalloc_reserve net/core/skbuff.c:138 [inline]
+ __alloc_skb+0x2cb/0x9e0 net/core/skbuff.c:206
+ alloc_skb include/linux/skbuff.h:988 [inline]
+ netlink_alloc_large_skb net/netlink/af_netlink.c:1182 [inline]
+ netlink_sendmsg+0x76e/0x1350 net/netlink/af_netlink.c:1876
+ sock_sendmsg_nosec net/socket.c:629 [inline]
+ sock_sendmsg net/socket.c:639 [inline]
+ ___sys_sendmsg+0xec0/0x1310 net/socket.c:2117
+ __sys_sendmsg net/socket.c:2155 [inline]
+ __do_sys_sendmsg net/socket.c:2164 [inline]
+ __se_sys_sendmsg net/socket.c:2162 [inline]
+ __x64_sys_sendmsg+0x331/0x460 net/socket.c:2162
+ do_syscall_64+0x152/0x230 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+Fixes: a919525ad832 ("net: Move fib_convert_metrics to metrics file")
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Eric Dumazet
+Reported-by: syzbot
+Cc: David Ahern
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv4/fib_semantics.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/net/ipv4/fib_semantics.c
++++ b/net/ipv4/fib_semantics.c
+@@ -717,6 +717,8 @@ bool fib_metrics_match(struct fib_config
+ nla_strlcpy(tmp, nla, sizeof(tmp));
+ val = tcp_ca_get_key_by_name(fi->fib_net, tmp, &ecn_ca);
+ } else {
++ if (nla_len(nla) != sizeof(u32))
++ return false;
+ val = nla_get_u32(nla);
+ }
+
+@@ -1043,6 +1045,8 @@ fib_convert_metrics(struct fib_info *fi,
+ if (val == TCP_CA_UNSPEC)
+ return -EINVAL;
+ } else {
++ if (nla_len(nla) != sizeof(u32))
++ return -EINVAL;
+ val = nla_get_u32(nla);
+ }
+ if (type == RTAX_ADVMSS && val > 65535 - 40)
diff --git a/queue-4.17/net-packet-refine-check-for-priv-area-size.patch b/queue-4.17/net-packet-refine-check-for-priv-area-size.patch
new file mode 100644
index 00000000000..4b0277db013
--- /dev/null
+++ b/queue-4.17/net-packet-refine-check-for-priv-area-size.patch
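Review bot: The same `if (nla_len(nla) != sizeof(u32))` guard is hand-added in two places, in front of the `nla_get_u32(nla)` calls in fib_metrics_match and fib_convert_metrics; these attributes arrive in a userspace RTA_METRICS nest, and an undersized one lets `nla_get_u32()` read beyond the attribute payload, which is the uninit-value KMSAN reports above. A per-type nla_policy for the nest (NLA_U32 for every RTAX_* except the string-valued RTAX_CC_ALGO branch already handled through `nla_strlcpy`) would validate this once at parse time and also cover any future reader of the same attributes, rather than relying on each loop body remembering the check. Both enclosing functions start and end outside the hunks.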
@@ -0,0 +1,94 @@
+From foo@baz Fri Jun 8 06:51:12 CEST 2018
+From: Eric Dumazet
+Date: Fri, 1 Jun 2018 09:23:02 -0700
+Subject: net/packet: refine check for priv area size
+
+From: Eric Dumazet
+
+[ Upstream commit eb73190f4fbeedf762394e92d6a4ec9ace684c88 ]
+
+syzbot was able to trick af_packet again [1]
+
+Various commits tried to address the problem in the past,
+but failed to take into account V3 header size.
+
+[1]
+
+tpacket_rcv: packet too big, clamped from 72 to 4294967224. macoff=96
+BUG: KASAN: use-after-free in prb_run_all_ft_ops net/packet/af_packet.c:1016 [inline]
+BUG: KASAN: use-after-free in prb_fill_curr_block.isra.59+0x4e5/0x5c0 net/packet/af_packet.c:1039
+Write of size 2 at addr ffff8801cb62000e by task kworker/1:2/2106
+
+CPU: 1 PID: 2106 Comm: kworker/1:2 Not tainted 4.17.0-rc7+ #77
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Workqueue: ipv6_addrconf addrconf_dad_work
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x1b9/0x294 lib/dump_stack.c:113
+ print_address_description+0x6c/0x20b mm/kasan/report.c:256
+ kasan_report_error mm/kasan/report.c:354 [inline]
+ kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
+ __asan_report_store2_noabort+0x17/0x20 mm/kasan/report.c:436
+ prb_run_all_ft_ops net/packet/af_packet.c:1016 [inline]
+ prb_fill_curr_block.isra.59+0x4e5/0x5c0 net/packet/af_packet.c:1039
+ __packet_lookup_frame_in_block net/packet/af_packet.c:1094 [inline]
+ packet_current_rx_frame net/packet/af_packet.c:1117 [inline]
+ tpacket_rcv+0x1866/0x3340 net/packet/af_packet.c:2282
+ dev_queue_xmit_nit+0x891/0xb90 net/core/dev.c:2018
+ xmit_one net/core/dev.c:3049 [inline]
+ dev_hard_start_xmit+0x16b/0xc10 net/core/dev.c:3069
+ __dev_queue_xmit+0x2724/0x34c0 net/core/dev.c:3584
+ dev_queue_xmit+0x17/0x20 net/core/dev.c:3617
+ neigh_resolve_output+0x679/0xad0 net/core/neighbour.c:1358
+ neigh_output include/net/neighbour.h:482 [inline]
+ ip6_finish_output2+0xc9c/0x2810 net/ipv6/ip6_output.c:120
+ ip6_finish_output+0x5fe/0xbc0 net/ipv6/ip6_output.c:154
+ NF_HOOK_COND include/linux/netfilter.h:277 [inline]
+ ip6_output+0x227/0x9b0 net/ipv6/ip6_output.c:171
+ dst_output include/net/dst.h:444 [inline]
+ NF_HOOK include/linux/netfilter.h:288 [inline]
+ ndisc_send_skb+0x100d/0x1570 net/ipv6/ndisc.c:491
+ ndisc_send_ns+0x3c1/0x8d0 net/ipv6/ndisc.c:633
+ addrconf_dad_work+0xbef/0x1340 net/ipv6/addrconf.c:4033
+ process_one_work+0xc1e/0x1b50 kernel/workqueue.c:2145
+ worker_thread+0x1cc/0x1440 kernel/workqueue.c:2279
+ kthread+0x345/0x410 kernel/kthread.c:240
+ ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:412
+
+The buggy address belongs to the page:
+page:ffffea00072d8800 count:0 mapcount:-127 mapping:0000000000000000 index:0xffff8801cb620e80
+flags: 0x2fffc0000000000()
+raw: 02fffc0000000000 0000000000000000 ffff8801cb620e80 00000000ffffff80
+raw: ffffea00072e3820 ffffea0007132d20 0000000000000002 0000000000000000
+page dumped because: kasan: bad access detected
+
+Memory state around the buggy address:
+ ffff8801cb61ff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ ffff8801cb61ff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+>ffff8801cb620000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+ ^
+ ffff8801cb620080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+ ffff8801cb620100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+
+Fixes: 2b6867c2ce76 ("net/packet: fix overflow in check for priv area size")
+Fixes: dc808110bb62 ("packet: handle too big packets for PACKET_V3")
+Fixes: f6fb8f100b80 ("af-packet: TPACKET_V3 flexible buffer implementation.")
+Signed-off-by: Eric Dumazet
+Reported-by: syzbot
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/packet/af_packet.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -4282,7 +4282,7 @@ static int packet_set_ring(struct sock *
+ goto out;
+ if (po->tp_version >= TPACKET_V3 &&
+ req->tp_block_size <=
+- BLK_PLUS_PRIV((u64)req_u->req3.tp_sizeof_priv))
++ BLK_PLUS_PRIV((u64)req_u->req3.tp_sizeof_priv) + sizeof(struct tpacket3_hdr))
+ goto out;
+ if (unlikely(req->tp_frame_size < po->tp_hdrlen +
+ po->tp_reserve))
diff --git a/queue-4.17/netdev-faq-clarify-davem-s-position-for-stable-backports.patch b/queue-4.17/netdev-faq-clarify-davem-s-position-for-stable-backports.patch
new file mode 100644
index 00000000000..bf28a50181f
--- /dev/null
+++ b/queue-4.17/netdev-faq-clarify-davem-s-position-for-stable-backports.patch
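Review bot: The strengthened bound `req->tp_block_size <= BLK_PLUS_PRIV((u64)req_u->req3.tp_sizeof_priv) + sizeof(struct tpacket3_hdr)` carries no comment, and the only place that explains why the V3 header size now joins the private area is the commit message; suggest `/* V3: a block must hold the private area plus at least one tpacket3_hdr */` above the `if`. Because `tp_sizeof_priv` comes from userspace through setsockopt, it matters that the sum is evaluated in the u64 width introduced by the existing cast, so the new term cannot wrap the bound back below `tp_block_size`; the cast should stay attached to that expression if it is ever reshuffled. packet_set_ring starts and ends outside the hunk.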
@@ -0,0 +1,41 @@
+From foo@baz Fri Jun 8 06:51:12 CEST 2018
+From: Cong Wang
+Date: Tue, 5 Jun 2018 09:48:13 -0700
+Subject: netdev-FAQ: clarify DaveM's position for stable backports
+
+From: Cong Wang
+
+[ Upstream commit 75d4e704fa8d2cf33ff295e5b441317603d7f9fd ]
+
+Per discussion with David at netconf 2018, let's clarify
+DaveM's position of handling stable backports in netdev-FAQ.
+
+This is important for people relying on upstream -stable
+releases.
+
+Cc: Greg Kroah-Hartman
+Signed-off-by: Cong Wang
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ Documentation/networking/netdev-FAQ.txt | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/Documentation/networking/netdev-FAQ.txt
++++ b/Documentation/networking/netdev-FAQ.txt
+@@ -179,6 +179,15 @@ A: No. See above answer. In short, if
+ dash marker line as described in Documentation/process/submitting-patches.rst to
+ temporarily embed that information into the patch that you send.
+
++Q: Are all networking bug fixes backported to all stable releases?
++
++A: Due to capacity, Dave could only take care of the backports for the last
++ 2 stable releases. For earlier stable releases, each stable branch maintainer
++ is supposed to take care of them. If you find any patch is missing from an
++ earlier stable branch, please notify stable@vger.kernel.org with either a
++ commit ID or a formal patch backported, and CC Dave and other relevant
++ networking developers.
++
+ Q: Someone said that the comment style and coding convention is different
+ for the networking content. Is this true?
+
diff --git a/queue-4.17/rtnetlink-validate-attributes-in-do_setlink.patch b/queue-4.17/rtnetlink-validate-attributes-in-do_setlink.patch
new file mode 100644
index 00000000000..bf022be7978
--- /dev/null
+++ b/queue-4.17/rtnetlink-validate-attributes-in-do_setlink.patch
@@ -0,0 +1,139 @@ +From foo@baz Fri Jun 8 06:51:12 CEST 2018 +From: Eric Dumazet +Date: Tue, 5 Jun 2018 09:25:19 -0700 +Subject: rtnetlink: validate attributes in do_setlink() + +From: Eric Dumazet + +[ Upstream commit 644c7eebbfd59e72982d11ec6cc7d39af12450ae ] + +It seems that rtnl_group_changelink() can call do_setlink +while a prior call to validate_linkmsg(dev = NULL, ...) could +not validate IFLA_ADDRESS / IFLA_BROADCAST + +Make sure do_setlink() calls validate_linkmsg() instead +of letting its callers having this responsibility. + +With help from Dmitry Vyukov, thanks a lot ! + +BUG: KMSAN: uninit-value in is_valid_ether_addr include/linux/etherdevice.h:199 [inline] +BUG: KMSAN: uninit-value in eth_prepare_mac_addr_change net/ethernet/eth.c:275 [inline] +BUG: KMSAN: uninit-value in eth_mac_addr+0x203/0x2b0 net/ethernet/eth.c:308 +CPU: 1 PID: 8695 Comm: syz-executor3 Not tainted 4.17.0-rc5+ #103 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0x185/0x1d0 lib/dump_stack.c:113 + kmsan_report+0x149/0x260 mm/kmsan/kmsan.c:1084 + __msan_warning_32+0x6e/0xc0 mm/kmsan/kmsan_instr.c:686 + is_valid_ether_addr include/linux/etherdevice.h:199 [inline] + eth_prepare_mac_addr_change net/ethernet/eth.c:275 [inline] + eth_mac_addr+0x203/0x2b0 net/ethernet/eth.c:308 + dev_set_mac_address+0x261/0x530 net/core/dev.c:7157 + do_setlink+0xbc3/0x5fc0 net/core/rtnetlink.c:2317 + rtnl_group_changelink net/core/rtnetlink.c:2824 [inline] + rtnl_newlink+0x1fe9/0x37a0 net/core/rtnetlink.c:2976 + rtnetlink_rcv_msg+0xa32/0x1560 net/core/rtnetlink.c:4646 + netlink_rcv_skb+0x378/0x600 net/netlink/af_netlink.c:2448 + rtnetlink_rcv+0x50/0x60 net/core/rtnetlink.c:4664 + netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline] + netlink_unicast+0x1678/0x1750 net/netlink/af_netlink.c:1336 + netlink_sendmsg+0x104f/0x1350 net/netlink/af_netlink.c:1901 + sock_sendmsg_nosec 
net/socket.c:629 [inline] + sock_sendmsg net/socket.c:639 [inline] + ___sys_sendmsg+0xec0/0x1310 net/socket.c:2117 + __sys_sendmsg net/socket.c:2155 [inline] + __do_sys_sendmsg net/socket.c:2164 [inline] + __se_sys_sendmsg net/socket.c:2162 [inline] + __x64_sys_sendmsg+0x331/0x460 net/socket.c:2162 + do_syscall_64+0x152/0x230 arch/x86/entry/common.c:287 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 +RIP: 0033:0x455a09 +RSP: 002b:00007fc07480ec68 EFLAGS: 00000246 ORIG_RAX: 000000000000002e +RAX: ffffffffffffffda RBX: 00007fc07480f6d4 RCX: 0000000000455a09 +RDX: 0000000000000000 RSI: 00000000200003c0 RDI: 0000000000000014 +RBP: 000000000072bea0 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff +R13: 00000000000005d0 R14: 00000000006fdc20 R15: 0000000000000000 + +Uninit was stored to memory at: + kmsan_save_stack_with_flags mm/kmsan/kmsan.c:279 [inline] + kmsan_save_stack mm/kmsan/kmsan.c:294 [inline] + kmsan_internal_chain_origin+0x12b/0x210 mm/kmsan/kmsan.c:685 + kmsan_memcpy_origins+0x11d/0x170 mm/kmsan/kmsan.c:527 + __msan_memcpy+0x109/0x160 mm/kmsan/kmsan_instr.c:478 + do_setlink+0xb84/0x5fc0 net/core/rtnetlink.c:2315 + rtnl_group_changelink net/core/rtnetlink.c:2824 [inline] + rtnl_newlink+0x1fe9/0x37a0 net/core/rtnetlink.c:2976 + rtnetlink_rcv_msg+0xa32/0x1560 net/core/rtnetlink.c:4646 + netlink_rcv_skb+0x378/0x600 net/netlink/af_netlink.c:2448 + rtnetlink_rcv+0x50/0x60 net/core/rtnetlink.c:4664 + netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline] + netlink_unicast+0x1678/0x1750 net/netlink/af_netlink.c:1336 + netlink_sendmsg+0x104f/0x1350 net/netlink/af_netlink.c:1901 + sock_sendmsg_nosec net/socket.c:629 [inline] + sock_sendmsg net/socket.c:639 [inline] + ___sys_sendmsg+0xec0/0x1310 net/socket.c:2117 + __sys_sendmsg net/socket.c:2155 [inline] + __do_sys_sendmsg net/socket.c:2164 [inline] + __se_sys_sendmsg net/socket.c:2162 [inline] + __x64_sys_sendmsg+0x331/0x460 net/socket.c:2162 + 
do_syscall_64+0x152/0x230 arch/x86/entry/common.c:287 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 +Uninit was created at: + kmsan_save_stack_with_flags mm/kmsan/kmsan.c:279 [inline] + kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:189 + kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:315 + kmsan_slab_alloc+0x10/0x20 mm/kmsan/kmsan.c:322 + slab_post_alloc_hook mm/slab.h:446 [inline] + slab_alloc_node mm/slub.c:2753 [inline] + __kmalloc_node_track_caller+0xb32/0x11b0 mm/slub.c:4395 + __kmalloc_reserve net/core/skbuff.c:138 [inline] + __alloc_skb+0x2cb/0x9e0 net/core/skbuff.c:206 + alloc_skb include/linux/skbuff.h:988 [inline] + netlink_alloc_large_skb net/netlink/af_netlink.c:1182 [inline] + netlink_sendmsg+0x76e/0x1350 net/netlink/af_netlink.c:1876 + sock_sendmsg_nosec net/socket.c:629 [inline] + sock_sendmsg net/socket.c:639 [inline] + ___sys_sendmsg+0xec0/0x1310 net/socket.c:2117 + __sys_sendmsg net/socket.c:2155 [inline] + __do_sys_sendmsg net/socket.c:2164 [inline] + __se_sys_sendmsg net/socket.c:2162 [inline] + __x64_sys_sendmsg+0x331/0x460 net/socket.c:2162 + do_syscall_64+0x152/0x230 arch/x86/entry/common.c:287 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +Fixes: e7ed828f10bd ("netlink: support setting devgroup parameters") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Cc: Dmitry Vyukov +Signed-off-by: David S. 
Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/core/rtnetlink.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/net/core/rtnetlink.c
++++ b/net/core/rtnetlink.c
+@@ -2256,6 +2256,10 @@ static int do_setlink(const struct sk_bu
+ const struct net_device_ops *ops = dev->netdev_ops;
+ int err;
+
++ err = validate_linkmsg(dev, tb);
++ if (err < 0)
++ return err;
++
+ if (tb[IFLA_NET_NS_PID] || tb[IFLA_NET_NS_FD] || tb[IFLA_IF_NETNSID]) {
+ struct net *net = rtnl_link_get_net_capable(skb, dev_net(dev),
+ tb, CAP_NET_ADMIN);
+@@ -2619,10 +2623,6 @@ static int rtnl_setlink(struct sk_buff *
+ goto errout;
+ }
+
+- err = validate_linkmsg(dev, tb);
+- if (err < 0)
+- goto errout;
+-
+ err = do_setlink(skb, dev, ifm, extack, tb, ifname, 0);
+ errout:
+ return err;
diff --git a/queue-4.17/sctp-not-allow-transport-timeout-value-less-than-hz-5-for-hb_timer.patch b/queue-4.17/sctp-not-allow-transport-timeout-value-less-than-hz-5-for-hb_timer.patch
new file mode 100644
index 00000000000..80cf75a0862
--- /dev/null
+++ b/queue-4.17/sctp-not-allow-transport-timeout-value-less-than-hz-5-for-hb_timer.patch
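Review bot: The `validate_linkmsg(dev, tb)` call added at the top of `do_setlink()` carries no comment recording why validation now lives here rather than in the callers, and that is exactly what a future refactor needs before hoisting it back out. Suggest `/* Validate here, not in callers: rtnl_group_changelink() reaches do_setlink() after only a dev==NULL validate_linkmsg(), so IFLA_ADDRESS/IFLA_BROADCAST lengths were never checked against dev->addr_len (see KMSAN report in the log). */` directly above the new call. If `rtnl_newlink()` still runs its own `validate_linkmsg(dev, tb)` before calling `do_setlink()` (not visible in this hunk), that pass becomes redundant for an existing device but is harmless. The bodies of `do_setlink()` and `rtnl_setlink()` extend outside the hunk.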
@@ -0,0 +1,44 @@
+From foo@baz Fri Jun 8 06:51:12 CEST 2018
+From: Xin Long
+Date: Tue, 5 Jun 2018 12:16:58 +0800
+Subject: sctp: not allow transport timeout value less than HZ/5 for hb_timer
+
+From: Xin Long
+
+[ Upstream commit 1d88ba1ebb2763aa86172cd7ca05dedbeccc0d35 ]
+
+syzbot reported a rcu_sched self-detected stall on CPU which is caused
+by too small value set on rto_min with SCTP_RTOINFO sockopt. With this
+value, hb_timer will get stuck there, as in its timer handler it starts
+this timer again with this value, then goes to the timer handler again.
+
+This problem is there since very beginning, and thanks to Eric for the
+reproducer shared from a syzbot mail.
+
+This patch fixes it by not allowing sctp_transport_timeout to return a
+smaller value than HZ/5 for hb_timer, which is based on TCP's min rto.
+
+Note that it doesn't fix this issue by limiting rto_min, as some users
+are still using small rto and no proper value was found for it yet.
+
+Reported-by: syzbot+3dcd59a1f907245f891f@syzkaller.appspotmail.com
+Suggested-by: Marcelo Ricardo Leitner
+Signed-off-by: Xin Long
+Acked-by: Neil Horman
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/sctp/transport.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/sctp/transport.c
++++ b/net/sctp/transport.c
+@@ -634,7 +634,7 @@ unsigned long sctp_transport_timeout(str
+ trans->state != SCTP_PF)
+ timeout += trans->hbinterval;
+
+- return timeout;
++ return max_t(unsigned long, timeout, HZ / 5);
+ }
+
+ /* Reset transport variables to their initial values */
diff --git a/queue-4.17/series b/queue-4.17/series
index a8472f6f808..dbeaffca7ac 100644
--- a/queue-4.17/series
+++ b/queue-4.17/series
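Review bot: `HZ / 5` on the new `return max_t(unsigned long, timeout, HZ / 5);` line is a bare magic number; the reasoning is only in the commit log, so a later reader cannot distinguish it from arbitrary tuning. Suggest naming it beside the function, e.g. `#define SCTP_HB_TIMEOUT_MIN (HZ / 5) /* mirrors TCP's min RTO */`, or at least `/* Floor at HZ/5: an rto_min small enough to re-arm hb_timer from its own handler stalls the CPU (syzbot). */` above the return. The floor is applied inside `sctp_transport_timeout()` itself, so any caller of that helper now sees it, not only the heartbeat timer the subject line names; if other callers exist that is probably intended, but deserves a sentence in the log. The start of `sctp_transport_timeout()` is outside the hunk.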
@@ -1 +1,14 @@
 netfilter-nf_flow_table-attach-dst-to-skbs.patch
+bnx2x-use-the-right-constant.patch
+ip6mr-only-set-ip6mr_table-from-setsockopt-when-ip6mr_new_table-succeeds.patch
+ipv6-omit-traffic-class-when-calculating-flow-hash.patch
+l2tp-fix-refcount-leakage-on-pppol2tp-sockets.patch
+netdev-faq-clarify-davem-s-position-for-stable-backports.patch
+net-metrics-add-proper-netlink-validation.patch
+net-packet-refine-check-for-priv-area-size.patch
+rtnetlink-validate-attributes-in-do_setlink.patch
+sctp-not-allow-transport-timeout-value-less-than-hz-5-for-hb_timer.patch
+team-use-netdev_features_t-instead-of-u32.patch
+vrf-check-the-original-netdevice-for-generating-redirect.patch
+net-dsa-b53-fix-for-brcm-tag-issue-in-cygnus-soc.patch
+ipmr-fix-error-path-when-ipmr_new_table-fails.patch
diff --git a/queue-4.17/team-use-netdev_features_t-instead-of-u32.patch b/queue-4.17/team-use-netdev_features_t-instead-of-u32.patch
new file mode 100644
index 00000000000..5a444bb6d83
--- /dev/null
+++ b/queue-4.17/team-use-netdev_features_t-instead-of-u32.patch
@@ -0,0 +1,33 @@
+From foo@baz Fri Jun 8 06:51:12 CEST 2018
+From: Dan Carpenter
+Date: Mon, 4 Jun 2018 17:46:01 +0300
+Subject: team: use netdev_features_t instead of u32
+
+From: Dan Carpenter
+
+[ Upstream commit 25ea66544bfd1d9df1b7e1502f8717e85fa1e6e6 ]
+
+This code was introduced in 2011 around the same time that we made
+netdev_features_t a u64 type. These days a u32 is not big enough to
+hold all the potential features.
+
+Signed-off-by: Dan Carpenter
+Acked-by: Jiri Pirko
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/team/team.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/team/team.c
++++ b/drivers/net/team/team.c
+@@ -1004,7 +1004,8 @@ static void team_port_disable(struct tea
+ static void __team_compute_features(struct team *team)
+ {
+ struct team_port *port;
+- u32 vlan_features = TEAM_VLAN_FEATURES & NETIF_F_ALL_FOR_ALL;
++ netdev_features_t vlan_features = TEAM_VLAN_FEATURES &
++ NETIF_F_ALL_FOR_ALL;
+ netdev_features_t enc_features = TEAM_ENC_FEATURES;
+ unsigned short max_hard_header_len = ETH_HLEN;
+ unsigned int dst_release_flag = IFF_XMIT_DST_RELEASE |
diff --git a/queue-4.17/vrf-check-the-original-netdevice-for-generating-redirect.patch b/queue-4.17/vrf-check-the-original-netdevice-for-generating-redirect.patch
new file mode 100644
index 00000000000..76c7adef13a
--- /dev/null
+++ b/queue-4.17/vrf-check-the-original-netdevice-for-generating-redirect.patch
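Review bot: The widened `vlan_features` declaration fixes the truncation but says nothing about it, and the old `u32` dropped any `TEAM_VLAN_FEATURES` bit at position 32 or above without a compiler diagnostic, so the same mistake can silently recur. A one-line comment on the `netdev_features_t vlan_features = TEAM_VLAN_FEATURES &` line, e.g. `/* netdev_features_t is 64-bit; never narrow a feature mask to u32 */`, would make the intent explicit. The neighbouring `enc_features` already uses `netdev_features_t`, so this also restores consistency within the function; whether other `u32` locals holding `NETIF_F_*` masks remain elsewhere cannot be judged from this hunk. `__team_compute_features()` continues past the end of the hunk.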
@@ -0,0 +1,48 @@
+From foo@baz Fri Jun 8 06:51:12 CEST 2018
+From: Stephen Suryaputra
+Date: Fri, 1 Jun 2018 00:05:21 -0400
+Subject: vrf: check the original netdevice for generating redirect
+
+From: Stephen Suryaputra
+
+[ Upstream commit 2f17becfbea5e9a0529b51da7345783e96e69516 ]
+
+Use the right device to determine if redirect should be sent especially
+when using vrf. Same as well as when sending the redirect.
+
+Signed-off-by: Stephen Suryaputra
+Acked-by: David Ahern
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv6/ip6_output.c | 3 ++-
+ net/ipv6/ndisc.c | 6 ++++++
+ 2 files changed, 8 insertions(+), 1 deletion(-)
+
+--- a/net/ipv6/ip6_output.c
++++ b/net/ipv6/ip6_output.c
+@@ -507,7 +507,8 @@ int ip6_forward(struct sk_buff *skb)
+ send redirects to source routed frames.
+ We don't send redirects to frames decapsulated from IPsec.
+ */
+- if (skb->dev == dst->dev && opt->srcrt == 0 && !skb_sec_path(skb)) {
++ if (IP6CB(skb)->iif == dst->dev->ifindex &&
++ opt->srcrt == 0 && !skb_sec_path(skb)) {
+ struct in6_addr *target = NULL;
+ struct inet_peer *peer;
+ struct rt6_info *rt;
+--- a/net/ipv6/ndisc.c
++++ b/net/ipv6/ndisc.c
+@@ -1576,6 +1576,12 @@ void ndisc_send_redirect(struct sk_buff
+ ops_data_buf[NDISC_OPS_REDIRECT_DATA_SPACE], *ops_data = NULL;
+ bool ret;
+
++ if (netif_is_l3_master(skb->dev)) {
++ dev = __dev_get_by_index(dev_net(skb->dev), IPCB(skb)->iif);
++ if (!dev)
++ return;
++ }
++
+ if (ipv6_get_lladdr(dev, &saddr_buf, IFA_F_TENTATIVE)) {
+ ND_PRINTK(2, warn, "Redirect: no link-local address on %s\n",
+ dev->name);
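Review bot: The new lookup in `ndisc_send_redirect()` reads `IPCB(skb)->iif`, while the companion hunk in `ip6_forward()` reads `IP6CB(skb)->iif` for the same packet; this is an IPv6 path, so the line should be `dev = __dev_get_by_index(dev_net(skb->dev), IP6CB(skb)->iif);`. It presumably works today only because `iif` happens to sit at the same offset in both cb layouts, which is fragile and will confuse the next reader. Separately, `__dev_get_by_index()` takes no reference and is, to my knowledge, the RTNL-side lookup; if `ndisc_send_redirect()` is reached from the forwarding path under RCU alone (its start is outside this hunk, so the locking context is not visible), `dev_get_by_index_rcu()` is the matching accessor. A short comment on the `netif_is_l3_master()` branch, e.g. `/* Redirects must be sourced from the ingress slave, not the VRF master */`, would also help.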