From: Greg Kroah-Hartman
Date: Wed, 13 Feb 2019 15:52:47 +0000 (+0100)
Subject: 4.9-stable patches
X-Git-Tag: v4.9.157~7
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=34cf81d5f92926e2f4617e07b287540687aa62d1;p=thirdparty%2Fkernel%2Fstable-queue.git

4.9-stable patches

added patches:
batman-adv-avoid-warn-on-net_device-without-parent-in-netns.patch
batman-adv-force-mac-header-to-start-of-data-on-xmit.patch
libceph-avoid-keepalive_pending-races-in-ceph_con_keepalive.patch
revert-cifs-in-kconfig-config_cifs_posix-needs-depends-on-legacy-insecure-cifs.patch
xfrm-refine-validation-of-template-and-selector-families.patch
---
diff --git a/queue-4.9/batman-adv-avoid-warn-on-net_device-without-parent-in-netns.patch b/queue-4.9/batman-adv-avoid-warn-on-net_device-without-parent-in-netns.patch
new file mode 100644
index 00000000000..b9b088070c9
--- /dev/null
+++ b/queue-4.9/batman-adv-avoid-warn-on-net_device-without-parent-in-netns.patch
@@ -0,0 +1,52 @@ +From 955d3411a17f590364238bd0d3329b61f20c1cd2 Mon Sep 17 00:00:00 2001 +From: Sven Eckelmann +Date: Sun, 30 Dec 2018 12:46:01 +0100 +Subject: batman-adv: Avoid WARN on net_device without parent in netns + +From: Sven Eckelmann + +commit 955d3411a17f590364238bd0d3329b61f20c1cd2 upstream. + +It is not allowed to use WARN* helpers on potential incorrect input from +the user or transient problems because systems configured as panic_on_warn +will reboot due to such a problem. + +A NULL return value of __dev_get_by_index can be caused by various problems +which can either be related to the system configuration or problems +(incorrectly returned network namespaces) in other (virtual) net_device +drivers. batman-adv should not cause a (harmful) WARN in this situation and +instead only report it via a simple message. + +Fixes: b7eddd0b3950 ("batman-adv: prevent using any virtual device created on batman-adv as hard-interface") +Reported-by: syzbot+c764de0fcfadca9a8595@syzkaller.appspotmail.com +Reported-by: Dmitry Vyukov +Signed-off-by: Sven Eckelmann +Signed-off-by: Simon Wunderlich +Signed-off-by: Greg Kroah-Hartman + +--- + net/batman-adv/hard-interface.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/net/batman-adv/hard-interface.c ++++ b/net/batman-adv/hard-interface.c +@@ -19,7 +19,6 @@ + #include "main.h" + + #include +-#include + #include + #include + #include +@@ -172,8 +171,10 @@ static bool batadv_is_on_batman_iface(co + parent_dev = __dev_get_by_index((struct net *)parent_net, + dev_get_iflink(net_dev)); + /* if we got a NULL parent_dev there is something broken.. */ +- if (WARN(!parent_dev, "Cannot find parent device")) ++ if (!parent_dev) { ++ pr_err("Cannot find parent device\n"); + return false; ++ } + + if (batadv_mutual_parents(net_dev, net, parent_dev, parent_net)) + return false; 
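Review bot: the `@@ -172,8 +171,10` hunk replaces the WARN with an unconditional `pr_err("Cannot find parent device\n")`, yet the commit message itself says the NULL parent can come from user-controlled or transient conditions, so the message is now reachable on every hard-interface check and can flood the log; `pr_err_ratelimited()` (or a `net_ratelimit()` guard) keeps the diagnostic without that. The `#include` dropped in the `@@ -19,7 +19,6` hunk (its header name is not recoverable from this rendering) is only safe if nothing else in hard-interface.c still uses that header, which is worth a grep before queueing.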
diff --git a/queue-4.9/batman-adv-force-mac-header-to-start-of-data-on-xmit.patch b/queue-4.9/batman-adv-force-mac-header-to-start-of-data-on-xmit.patch new file mode 100644 index 00000000000..ee65a03d96a --- /dev/null +++ b/queue-4.9/batman-adv-force-mac-header-to-start-of-data-on-xmit.patch @@ -0,0 +1,43 @@ +From 9114daa825fc3f335f9bea3313ce667090187280 Mon Sep 17 00:00:00 2001 +From: Sven Eckelmann +Date: Mon, 31 Dec 2018 22:31:01 +0100 +Subject: batman-adv: Force mac header to start of data on xmit + +From: Sven Eckelmann + +commit 9114daa825fc3f335f9bea3313ce667090187280 upstream. + +The caller of ndo_start_xmit may not already have called +skb_reset_mac_header. The returned value of skb_mac_header/eth_hdr +therefore can be in the wrong position and even outside the current skbuff. +This for example happens when the user binds to the device using a +PF_PACKET-SOCK_RAW with enabled qdisc-bypass: + + int opt = 4; + setsockopt(sock, SOL_PACKET, PACKET_QDISC_BYPASS, &opt, sizeof(opt)); + +Since eth_hdr is used all over the codebase, the batadv_interface_tx +function must always take care of resetting it. + +Fixes: c6c8fea29769 ("net: Add batman-adv meshing protocol") +Reported-by: syzbot+9d7405c7faa390e60b4e@syzkaller.appspotmail.com +Reported-by: syzbot+7d20bc3f1ddddc0f9079@syzkaller.appspotmail.com +Signed-off-by: Sven Eckelmann +Signed-off-by: Simon Wunderlich +Signed-off-by: Greg Kroah-Hartman + +--- + net/batman-adv/soft-interface.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/net/batman-adv/soft-interface.c ++++ b/net/batman-adv/soft-interface.c +@@ -211,6 +211,8 @@ static int batadv_interface_tx(struct sk + + netif_trans_update(soft_iface); + vid = batadv_get_vid(skb, 0); ++ ++ skb_reset_mac_header(skb); + ethhdr = eth_hdr(skb); + + switch (ntohs(ethhdr->h_proto)) { 
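Review bot: `skb_reset_mac_header(skb)` is inserted after `vid = batadv_get_vid(skb, 0)`; if that helper locates the VLAN tag through `skb_mac_header()` rather than `skb->data`, it still sees the stale header the commit describes, so either confirm it reads from `skb->data` or move the reset to the top of `batadv_interface_tx()` ahead of the vid lookup. A one-line comment stating why the reset is unconditional (a PF_PACKET socket with `PACKET_QDISC_BYPASS` bypasses the path that would normally set it) would stop a later cleanup from removing it as redundant.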
diff --git a/queue-4.9/libceph-avoid-keepalive_pending-races-in-ceph_con_keepalive.patch b/queue-4.9/libceph-avoid-keepalive_pending-races-in-ceph_con_keepalive.patch new file mode 100644 index 00000000000..0e78a106f05 --- /dev/null +++ b/queue-4.9/libceph-avoid-keepalive_pending-races-in-ceph_con_keepalive.patch 
@@ -0,0 +1,60 @@ +From 4aac9228d16458cedcfd90c7fb37211cf3653ac3 Mon Sep 17 00:00:00 2001 +From: Ilya Dryomov +Date: Mon, 14 Jan 2019 21:13:10 +0100 +Subject: libceph: avoid KEEPALIVE_PENDING races in ceph_con_keepalive() + +From: Ilya Dryomov + +commit 4aac9228d16458cedcfd90c7fb37211cf3653ac3 upstream. + +con_fault() can transition the connection into STANDBY right after +ceph_con_keepalive() clears STANDBY in clear_standby(): + + libceph user thread ceph-msgr worker + +ceph_con_keepalive() + mutex_lock(&con->mutex) + clear_standby(con) + mutex_unlock(&con->mutex) + mutex_lock(&con->mutex) + con_fault() + ... + if KEEPALIVE_PENDING isn't set + set state to STANDBY + ... + mutex_unlock(&con->mutex) + set KEEPALIVE_PENDING + set WRITE_PENDING + +This triggers warnings in clear_standby() when either ceph_con_send() +or ceph_con_keepalive() get to clearing STANDBY next time. + +I don't see a reason to condition queue_con() call on the previous +value of KEEPALIVE_PENDING, so move the setting of KEEPALIVE_PENDING +into the critical section -- unlike WRITE_PENDING, KEEPALIVE_PENDING +could have been a non-atomic flag. + +Reported-by: syzbot+acdeb633f6211ccdf886@syzkaller.appspotmail.com +Signed-off-by: Ilya Dryomov +Tested-by: Myungho Jung +Signed-off-by: Greg Kroah-Hartman + +--- + net/ceph/messenger.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/net/ceph/messenger.c ++++ b/net/ceph/messenger.c +@@ -3186,9 +3186,10 @@ void ceph_con_keepalive(struct ceph_conn + dout("con_keepalive %p\n", con); + mutex_lock(&con->mutex); + clear_standby(con); ++ con_flag_set(con, CON_FLAG_KEEPALIVE_PENDING); + mutex_unlock(&con->mutex); +- if (con_flag_test_and_set(con, CON_FLAG_KEEPALIVE_PENDING) == 0 && +- con_flag_test_and_set(con, CON_FLAG_WRITE_PENDING) == 0) ++ ++ if (con_flag_test_and_set(con, CON_FLAG_WRITE_PENDING) == 0) + queue_con(con); + } + EXPORT_SYMBOL(ceph_con_keepalive); 
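Review bot: moving `con_flag_set(con, CON_FLAG_KEEPALIVE_PENDING)` under `con->mutex` is the whole fix, but nothing in the function says why it must stay inside the critical section; add a comment beside it referencing the `con_fault()` STANDBY check, because the old `test_and_set` outside the lock looked deliberate and the race is not visible from `ceph_con_keepalive()` alone. Dropping the `== 0` test on KEEPALIVE_PENDING is fine as the commit explains, since `queue_con()` is still gated on `WRITE_PENDING` being newly set.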
diff --git a/queue-4.9/revert-cifs-in-kconfig-config_cifs_posix-needs-depends-on-legacy-insecure-cifs.patch b/queue-4.9/revert-cifs-in-kconfig-config_cifs_posix-needs-depends-on-legacy-insecure-cifs.patch new file mode 100644 index 00000000000..0e084391610 --- /dev/null +++ b/queue-4.9/revert-cifs-in-kconfig-config_cifs_posix-needs-depends-on-legacy-insecure-cifs.patch @@ -0,0 +1,40 @@ +From 561d6823bdf69d2041d8f8f2644e290d6f9115da Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman +Date: Wed, 13 Feb 2019 16:01:54 +0100 +Subject: Revert "cifs: In Kconfig CONFIG_CIFS_POSIX needs depends on legacy (insecure cifs)" + +From: Greg Kroah-Hartman + +This reverts commit 4cd376638c893cf5bf1072eeaac884f62b7ac71e which is +commit 6e785302dad32228819d8066e5376acd15d0e6ba upstream. + +Yi writes: + I notice that 4.4.169 merged 60da90b224ba7 ("cifs: In Kconfig + CONFIG_CIFS_POSIX needs depends on legacy (insecure cifs)") add + a Kconfig dependency CIFS_ALLOW_INSECURE_LEGACY, which was not + defined in 4.4 stable, so after this patch we are not able to + enable CIFS_POSIX anymore. Linux 4.4 stable didn't merge the + legacy dialects codes, so do we really need this patch for 4.4? + +So revert this patch in 4.9 as well. + +Reported-by: "zhangyi (F)" +Cc: Steve French +Cc: Pavel Shilovsky +Cc: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/cifs/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/cifs/Kconfig ++++ b/fs/cifs/Kconfig +@@ -111,7 +111,7 @@ config CIFS_XATTR + + config CIFS_POSIX + bool "CIFS POSIX Extensions" +- depends on CIFS && CIFS_ALLOW_INSECURE_LEGACY && CIFS_XATTR ++ depends on CIFS_XATTR + help + Enabling this option will cause the cifs client to attempt to + negotiate a newer dialect with servers, such as Samba 3.0.5 diff --git a/queue-4.9/series b/queue-4.9/series index d171d051a83..9dc192da951 100644 --- a/queue-4.9/series +++ b/queue-4.9/series 
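Review bot: the Kconfig hunk restores `depends on CIFS_XATTR` on the strength of a report about 4.4, so before queueing confirm that `fs/cifs/Kconfig` in 4.9 likewise has no `CIFS_ALLOW_INSECURE_LEGACY` symbol; if the symbol does exist there, the dependency being reverted was a correct guard (the POSIX extensions are only negotiated on the legacy SMB1 dialects the original commit meant to fence off) and the revert would silently re-enable the option without it. Stating in the commit message that 4.9 was checked, not just 4.4, would make that explicit.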
@@ -17,3 +17,8 @@ drm-vmwgfx-return-error-code-from-vmw_execbuf_copy_fence_user.patch nfsd4-fix-cached-replies-to-solo-sequence-compounds.patch nfsd4-catch-some-false-session-retries.patch hid-debug-fix-the-ring-buffer-implementation.patch +revert-cifs-in-kconfig-config_cifs_posix-needs-depends-on-legacy-insecure-cifs.patch +libceph-avoid-keepalive_pending-races-in-ceph_con_keepalive.patch +xfrm-refine-validation-of-template-and-selector-families.patch +batman-adv-avoid-warn-on-net_device-without-parent-in-netns.patch +batman-adv-force-mac-header-to-start-of-data-on-xmit.patch diff --git a/queue-4.9/xfrm-refine-validation-of-template-and-selector-families.patch b/queue-4.9/xfrm-refine-validation-of-template-and-selector-families.patch new file mode 100644 index 00000000000..35dbcedc336 --- /dev/null +++ b/queue-4.9/xfrm-refine-validation-of-template-and-selector-families.patch 
@@ -0,0 +1,64 @@ +From 35e6103861a3a970de6c84688c6e7a1f65b164ca Mon Sep 17 00:00:00 2001 +From: Florian Westphal +Date: Wed, 9 Jan 2019 14:37:34 +0100 +Subject: xfrm: refine validation of template and selector families + +From: Florian Westphal + +commit 35e6103861a3a970de6c84688c6e7a1f65b164ca upstream. + +The check assumes that in transport mode, the first templates family +must match the address family of the policy selector. + +Syzkaller managed to build a template using MODE_ROUTEOPTIMIZATION, +with ipv4-in-ipv6 chain, leading to following splat: + +BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x1db/0x1854 +Read of size 4 at addr ffff888063e57aa0 by task a.out/2050 + xfrm_state_find+0x1db/0x1854 + xfrm_tmpl_resolve+0x100/0x1d0 + xfrm_resolve_and_create_bundle+0x108/0x1000 [..] + +Problem is that addresses point into flowi4 struct, but xfrm_state_find +treats them as being ipv6 because it uses templ->encap_family is used +(AF_INET6 in case of reproducer) rather than family (AF_INET). + +This patch inverts the logic: Enforce 'template family must match +selector' EXCEPT for tunnel and BEET mode. + +In BEET and Tunnel mode, xfrm_tmpl_resolve_one will have remote/local +address pointers changed to point at the addresses found in the template, +rather than the flowi ones, so no oob read will occur. 
+ +Reported-by: 3ntr0py1337@gmail.com +Reported-by: Daniel Borkmann +Signed-off-by: Florian Westphal +Signed-off-by: Steffen Klassert +Signed-off-by: Greg Kroah-Hartman + +--- + net/xfrm/xfrm_user.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +--- a/net/xfrm/xfrm_user.c ++++ b/net/xfrm/xfrm_user.c +@@ -1408,10 +1408,15 @@ static int validate_tmpl(int nr, struct + if (!ut[i].family) + ut[i].family = family; + +- if ((ut[i].mode == XFRM_MODE_TRANSPORT) && +- (ut[i].family != prev_family)) +- return -EINVAL; +- ++ switch (ut[i].mode) { ++ case XFRM_MODE_TUNNEL: ++ case XFRM_MODE_BEET: ++ break; ++ default: ++ if (ut[i].family != prev_family) ++ return -EINVAL; ++ break; ++ } + if (ut[i].mode >= XFRM_MODE_MAX) + return -EINVAL; +
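Review bot: the new `switch` in the `@@ -1408,10 +1408,15` hunk applies the family-must-match rule to every mode except `XFRM_MODE_TUNNEL` and `XFRM_MODE_BEET`, which matches the stated intent, but the `ut[i].mode >= XFRM_MODE_MAX` range check still runs after the switch, so an out-of-range mode is first compared in the `default` arm; harmless today, but hoisting the range check above the switch makes the ordering obvious. Also confirm that `prev_family` is still advanced from `ut[i].family` after this block (not in the visible context), since the chain check only holds if each template is compared against the previous one rather than the policy family.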