From: Greg Kroah-Hartman
Date: Fri, 11 Dec 2015 16:48:13 +0000 (-0800)
Subject: 3.10-stable patches
X-Git-Tag: v4.1.15~20
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=35d5acf60bc8251f50223fc5a4699d272e000239;p=thirdparty%2Fkernel%2Fstable-queue.git

3.10-stable patches

added patches:
broadcom-fix-phy_id_bcm5481-entry-in-the-id-table.patch
ipv6-distinguish-frag-queues-by-device-for-multicast-and-link-local-packets.patch
ipv6-sctp-implement-sctp_v6_destroy_sock.patch
net-ip6mr-fix-static-mfc-dev-leaks-on-table-destruction.patch
net-ipmr-fix-static-mfc-dev-leaks-on-table-destruction.patch
net-qmi_wwan-add-xs-stick-w100-2-from-4g-systems.patch
net-scm-fix-pax-detected-msg_controllen-overflow-in-scm_detach_fds.patch
packet-infer-protocol-from-ethernet-header-if-unset.patch
sctp-translate-host-order-to-network-order-when-setting-a-hmacid.patch
snmp-remove-duplicate-outmcast-stat-increment.patch
tcp-initialize-tp-copied_seq-in-case-of-cross-syn-connection.patch
tcp-md5-fix-lockdep-annotation.patch
unix-avoid-use-after-free-in-ep_remove_wait_queue.patch
---

diff --git a/queue-3.10/broadcom-fix-phy_id_bcm5481-entry-in-the-id-table.patch b/queue-3.10/broadcom-fix-phy_id_bcm5481-entry-in-the-id-table.patch
new file mode 100644
index 00000000000..f41ff6ff258
--- /dev/null
+++ b/queue-3.10/broadcom-fix-phy_id_bcm5481-entry-in-the-id-table.patch
@@ -0,0 +1,33 @@
+From foo@baz Fri Dec 11 11:39:46 EST 2015
+From: Aaro Koskinen
+Date: Sun, 22 Nov 2015 01:08:54 +0200
+Subject: broadcom: fix PHY_ID_BCM5481 entry in the id table
+
+From: Aaro Koskinen
+
+[ Upstream commit 3c25a860d17b7378822f35d8c9141db9507e3beb ]
+
+Commit fcb26ec5b18d ("broadcom: move all PHY_ID's to header")
+updated broadcom_tbl to use PHY_IDs, but incorrectly replaced 0x0143bca0
+with PHY_ID_BCM5482 (making a duplicate entry, and completely omitting
+the original). Fix that.
+
+Fixes: fcb26ec5b18d ("broadcom: move all PHY_ID's to header")
+Signed-off-by: Aaro Koskinen
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/phy/broadcom.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/phy/broadcom.c
++++ b/drivers/net/phy/broadcom.c
+@@ -848,7 +848,7 @@ static struct mdio_device_id __maybe_unu
+ { PHY_ID_BCM5421, 0xfffffff0 },
+ { PHY_ID_BCM5461, 0xfffffff0 },
+ { PHY_ID_BCM5464, 0xfffffff0 },
+- { PHY_ID_BCM5482, 0xfffffff0 },
++ { PHY_ID_BCM5481, 0xfffffff0 },
+ { PHY_ID_BCM5482, 0xfffffff0 },
+ { PHY_ID_BCM50610, 0xfffffff0 },
+ { PHY_ID_BCM50610M, 0xfffffff0 },
diff --git a/queue-3.10/ipv6-distinguish-frag-queues-by-device-for-multicast-and-link-local-packets.patch b/queue-3.10/ipv6-distinguish-frag-queues-by-device-for-multicast-and-link-local-packets.patch
new file mode 100644
index 00000000000..b8bab167523
--- /dev/null
+++ b/queue-3.10/ipv6-distinguish-frag-queues-by-device-for-multicast-and-link-local-packets.patch
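Review bot: The corrected entry `{ PHY_ID_BCM5481, 0xfffffff0 }` in broadcom_tbl is only right if `PHY_ID_BCM5481` expands to the `0x0143bca0` that the commit message says was lost; the header that defines it is not part of this patch, so that equivalence should be confirmed against the header rather than taken from the message. The table now has distinct BCM5481 and BCM5482 rows with the same mask, which is what the description asks for. The table continues outside the hunk, so I cannot tell from here whether any other entry was affected by the same conversion.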
@@ -0,0 +1,113 @@
+From foo@baz Fri Dec 11 11:39:46 EST 2015
+From: =?UTF-8?q?Michal=20Kube=C4=8Dek?=
+Date: Tue, 24 Nov 2015 15:07:11 +0100
+Subject: ipv6: distinguish frag queues by device for multicast and link-local packets
+
+From: =?UTF-8?q?Michal=20Kube=C4=8Dek?=
+
+[ Upstream commit 264640fc2c5f4f913db5c73fa3eb1ead2c45e9d7 ]
+
+If a fragmented multicast packet is received on an ethernet device which
+has an active macvlan on top of it, each fragment is duplicated and
+received both on the underlying device and the macvlan. If some
+fragments for macvlan are processed before the whole packet for the
+underlying device is reassembled, the "overlapping fragments" test in
+ip6_frag_queue() discards the whole fragment queue.
+
+To resolve this, add device ifindex to the search key and require it to
+match reassembling multicast packets and packets to link-local
+addresses.
+
+Note: similar patch has been already submitted by Yoshifuji Hideaki in
+
+ http://patchwork.ozlabs.org/patch/220979/
+
+but got lost and forgotten for some reason.
+
+Signed-off-by: Michal Kubecek
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ include/net/ipv6.h | 1 +
+ net/ipv6/netfilter/nf_conntrack_reasm.c | 5 +++--
+ net/ipv6/reassembly.c | 10 +++++++---
+ 3 files changed, 11 insertions(+), 5 deletions(-)
+
+--- a/include/net/ipv6.h
++++ b/include/net/ipv6.h
+@@ -478,6 +478,7 @@ struct ip6_create_arg {
+ u32 user;
+ const struct in6_addr *src;
+ const struct in6_addr *dst;
++ int iif;
+ u8 ecn;
+ };
+
+--- a/net/ipv6/netfilter/nf_conntrack_reasm.c
++++ b/net/ipv6/netfilter/nf_conntrack_reasm.c
+@@ -172,7 +172,7 @@ static void nf_ct_frag6_expire(unsigned
+ /* Creation primitives. */
+ static inline struct frag_queue *fq_find(struct net *net, __be32 id,
+ u32 user, struct in6_addr *src,
+- struct in6_addr *dst, u8 ecn)
++ struct in6_addr *dst, int iif, u8 ecn)
+ {
+ struct inet_frag_queue *q;
+ struct ip6_create_arg arg;
+@@ -182,6 +182,7 @@ static inline struct frag_queue *fq_find
+ arg.user = user;
+ arg.src = src;
+ arg.dst = dst;
++ arg.iif = iif;
+ arg.ecn = ecn;
+
+ read_lock_bh(&nf_frags.lock);
+@@ -590,7 +591,7 @@ struct sk_buff *nf_ct_frag6_gather(struc
+ local_bh_enable();
+
+ fq = fq_find(net, fhdr->identification, user, &hdr->saddr, &hdr->daddr,
+- ip6_frag_ecn(hdr));
++ skb->dev ? skb->dev->ifindex : 0, ip6_frag_ecn(hdr));
+ if (fq == NULL) {
+ pr_debug("Can't find and can't create new queue\n");
+ goto ret_orig;
+--- a/net/ipv6/reassembly.c
++++ b/net/ipv6/reassembly.c
+@@ -111,7 +111,10 @@ bool ip6_frag_match(struct inet_frag_que
+ return fq->id == arg->id &&
+ fq->user == arg->user &&
+ ipv6_addr_equal(&fq->saddr, arg->src) &&
+- ipv6_addr_equal(&fq->daddr, arg->dst);
++ ipv6_addr_equal(&fq->daddr, arg->dst) &&
++ (arg->iif == fq->iif ||
++ !(ipv6_addr_type(arg->dst) & (IPV6_ADDR_MULTICAST |
++ IPV6_ADDR_LINKLOCAL)));
+ }
+ EXPORT_SYMBOL(ip6_frag_match);
+
+@@ -180,7 +183,7 @@ static void ip6_frag_expire(unsigned lon
+
+ static __inline__ struct frag_queue *
+ fq_find(struct net *net, __be32 id, const struct in6_addr *src,
+- const struct in6_addr *dst, u8 ecn)
++ const struct in6_addr *dst, int iif, u8 ecn)
+ {
+ struct inet_frag_queue *q;
+ struct ip6_create_arg arg;
+@@ -190,6 +193,7 @@ fq_find(struct net *net, __be32 id, cons
+ arg.user = IP6_DEFRAG_LOCAL_DELIVER;
+ arg.src = src;
+ arg.dst = dst;
++ arg.iif = iif;
+ arg.ecn = ecn;
+
+ read_lock(&ip6_frags.lock);
+@@ -558,7 +562,7 @@ static int ipv6_frag_rcv(struct sk_buff
+ IPSTATS_MIB_REASMFAILS, evicted);
+
+ fq = fq_find(net, fhdr->identification, &hdr->saddr, &hdr->daddr,
+- ip6_frag_ecn(hdr));
++ skb->dev ? skb->dev->ifindex : 0, ip6_frag_ecn(hdr));
+ if (fq != NULL) {
+ int ret;
+
diff --git a/queue-3.10/ipv6-sctp-implement-sctp_v6_destroy_sock.patch b/queue-3.10/ipv6-sctp-implement-sctp_v6_destroy_sock.patch
new file mode 100644
index 00000000000..dd5489707eb
--- /dev/null
+++ b/queue-3.10/ipv6-sctp-implement-sctp_v6_destroy_sock.patch
@@ -0,0 +1,48 @@
+From foo@baz Fri Dec 11 11:39:46 EST 2015
+From: Eric Dumazet
+Date: Tue, 1 Dec 2015 07:20:07 -0800
+Subject: ipv6: sctp: implement sctp_v6_destroy_sock()
+
+From: Eric Dumazet
+
+[ Upstream commit 602dd62dfbda3e63a2d6a3cbde953ebe82bf5087 ]
+
+Dmitry Vyukov reported a memory leak using IPV6 SCTP sockets.
+
+We need to call inet6_destroy_sock() to properly release
+inet6 specific fields.
+
+Reported-by: Dmitry Vyukov
+Signed-off-by: Eric Dumazet
+Acked-by: Daniel Borkmann
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/sctp/socket.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/net/sctp/socket.c
++++ b/net/sctp/socket.c
+@@ -7149,6 +7149,13 @@ struct proto sctp_prot = {
+
+ #if IS_ENABLED(CONFIG_IPV6)
+
++#include
++static void sctp_v6_destroy_sock(struct sock *sk)
++{
++ sctp_destroy_sock(sk);
++ inet6_destroy_sock(sk);
++}
++
+ struct proto sctpv6_prot = {
+ .name = "SCTPv6",
+ .owner = THIS_MODULE,
+@@ -7158,7 +7165,7 @@ struct proto sctpv6_prot = {
+ .accept = sctp_accept,
+ .ioctl = sctp_ioctl,
+ .init = sctp_init_sock,
+- .destroy = sctp_destroy_sock,
++ .destroy = sctp_v6_destroy_sock,
+ .shutdown = sctp_shutdown,
+ .setsockopt = sctp_setsockopt,
+ .getsockopt = sctp_getsockopt,
diff --git a/queue-3.10/net-ip6mr-fix-static-mfc-dev-leaks-on-table-destruction.patch b/queue-3.10/net-ip6mr-fix-static-mfc-dev-leaks-on-table-destruction.patch
new file mode 100644
index 00000000000..994fe6fa26c
--- /dev/null
+++ b/queue-3.10/net-ip6mr-fix-static-mfc-dev-leaks-on-table-destruction.patch
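Review bot: `ip6_frag_match()` in net/ipv6/reassembly.c now compares `arg->iif` with `fq->iif`, but nothing in this patch writes `fq->iif`; the match depends on the queue's ifindex having been assigned elsewhere (presumably when the first fragment is queued), which is outside every hunk here and worth stating next to the new condition. Both `fq_find()` call sites pass `iif = 0` when `skb->dev` is NULL, so for a multicast or link-local destination such a lookup matches only a queue whose `iif` is still 0 — confirm that is the intended behaviour for a freshly created queue. Suggested comment on the added lines: `/* fq->iif is set when the first fragment is queued; only multicast and link-local destinations are keyed by device */`. `ip6_frag_match()` and both `fq_find()` bodies continue outside the hunks.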
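Review bot: The new `#include` in net/sctp/socket.c is placed mid-file, inside the `#if IS_ENABLED(CONFIG_IPV6)` block directly above `sctp_v6_destroy_sock()`, rather than with the file's include block; the header name does not survive on this page, so I cannot tell whether it is IPv6-only, but if it is not, moving it to the top of the file keeps the include set in one place. `sctp_v6_destroy_sock()` itself is straightforward: it runs the generic `sctp_destroy_sock()` and then `inet6_destroy_sock()`, which is the missing call the commit message describes. A one-line comment would help the next reader: `/* release the inet6-specific state that sctp_destroy_sock() does not know about */`.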
@@ -0,0 +1,83 @@
+From foo@baz Fri Dec 11 11:39:46 EST 2015
+From: Nikolay Aleksandrov
+Date: Fri, 20 Nov 2015 13:54:20 +0100
+Subject: net: ip6mr: fix static mfc/dev leaks on table destruction
+
+From: Nikolay Aleksandrov
+
+[ Upstream commit 4c6980462f32b4f282c5d8e5f7ea8070e2937725 ]
+
+Similar to ipv4, when destroying an mrt table the static mfc entries and
+the static devices are kept, which leads to devices that can never be
+destroyed (because of refcnt taken) and leaked memory. Make sure that
+everything is cleaned up on netns destruction.
+
+Fixes: 8229efdaef1e ("netns: ip6mr: enable namespace support in ipv6 multicast forwarding code")
+CC: Benjamin Thery
+Signed-off-by: Nikolay Aleksandrov
+Reviewed-by: Cong Wang
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv6/ip6mr.c | 15 ++++++++-------
+ 1 file changed, 8 insertions(+), 7 deletions(-)
+
+--- a/net/ipv6/ip6mr.c
++++ b/net/ipv6/ip6mr.c
+@@ -120,7 +120,7 @@ static void mr6_netlink_event(struct mr6
+ int cmd);
+ static int ip6mr_rtm_dumproute(struct sk_buff *skb,
+ struct netlink_callback *cb);
+-static void mroute_clean_tables(struct mr6_table *mrt);
++static void mroute_clean_tables(struct mr6_table *mrt, bool all);
+ static void ipmr_expire_process(unsigned long arg);
+
+ #ifdef CONFIG_IPV6_MROUTE_MULTIPLE_TABLES
+@@ -337,7 +337,7 @@ static struct mr6_table *ip6mr_new_table
+ static void ip6mr_free_table(struct mr6_table *mrt)
+ {
+ del_timer(&mrt->ipmr_expire_timer);
+- mroute_clean_tables(mrt);
++ mroute_clean_tables(mrt, true);
+ kfree(mrt);
+ }
+
+@@ -1537,7 +1537,7 @@ static int ip6mr_mfc_add(struct net *net
+ * Close the multicast socket, and clear the vif tables etc
+ */
+
+-static void mroute_clean_tables(struct mr6_table *mrt)
++static void mroute_clean_tables(struct mr6_table *mrt, bool all)
+ {
+ int i;
+ LIST_HEAD(list);
+@@ -1547,8 +1547,9 @@ static void mroute_clean_tables(struct m
+ * Shut down all active vif entries
+ */
+ for (i = 0; i < mrt->maxvif; i++) {
+- if (!(mrt->vif6_table[i].flags & VIFF_STATIC))
+- mif6_delete(mrt, i, &list);
++ if (!all && (mrt->vif6_table[i].flags & VIFF_STATIC))
++ continue;
++ mif6_delete(mrt, i, &list);
+ }
+ unregister_netdevice_many(&list);
+
+@@ -1557,7 +1558,7 @@ static void mroute_clean_tables(struct m
+ */
+ for (i = 0; i < MFC6_LINES; i++) {
+ list_for_each_entry_safe(c, next, &mrt->mfc6_cache_array[i], list) {
+- if (c->mfc_flags & MFC_STATIC)
++ if (!all && (c->mfc_flags & MFC_STATIC))
+ continue;
+ write_lock_bh(&mrt_lock);
+ list_del(&c->list);
+@@ -1620,7 +1621,7 @@ int ip6mr_sk_done(struct sock *sk)
+ net->ipv6.devconf_all);
+ write_unlock_bh(&mrt_lock);
+
+- mroute_clean_tables(mrt);
++ mroute_clean_tables(mrt, false);
+ err = 0;
+ break;
+ }
diff --git a/queue-3.10/net-ipmr-fix-static-mfc-dev-leaks-on-table-destruction.patch b/queue-3.10/net-ipmr-fix-static-mfc-dev-leaks-on-table-destruction.patch
new file mode 100644
index 00000000000..fbdc8bb9485
--- /dev/null
+++ b/queue-3.10/net-ipmr-fix-static-mfc-dev-leaks-on-table-destruction.patch
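Review bot: `mroute_clean_tables()` in net/ipv6/ip6mr.c gains a `bool all` parameter whose meaning can only be recovered from the two call sites (`true` from `ip6mr_free_table()`, `false` from `ip6mr_sk_done()`), so the definition needs a comment; the ipv4 twin in the net-ipmr patch that follows has the same gap. Suggested text above the definition: `/* all: the table is being destroyed, so VIFF_STATIC vifs and MFC_STATIC cache entries go too; otherwise a socket is closing and static entries survive */`. The vif loop now always reaches `mif6_delete()` once the STATIC test is passed, which is the intended fix. The unresolved-cache handling further down the function is outside the hunk, so I cannot tell from here whether it needed the same treatment.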
@@ -0,0 +1,98 @@
+From foo@baz Fri Dec 11 11:39:46 EST 2015
+From: Nikolay Aleksandrov
+Date: Fri, 20 Nov 2015 13:54:19 +0100
+Subject: net: ipmr: fix static mfc/dev leaks on table destruction
+
+From: Nikolay Aleksandrov
+
+[ Upstream commit 0e615e9601a15efeeb8942cf7cd4dadba0c8c5a7 ]
+
+When destroying an mrt table the static mfc entries and the static
+devices are kept, which leads to devices that can never be destroyed
+(because of refcnt taken) and leaked memory, for example:
+unreferenced object 0xffff880034c144c0 (size 192):
+ comm "mfc-broken", pid 4777, jiffies 4320349055 (age 46001.964s)
+ hex dump (first 32 bytes):
+ 98 53 f0 34 00 88 ff ff 98 53 f0 34 00 88 ff ff .S.4.....S.4....
+ ef 0a 0a 14 01 02 03 04 00 00 00 00 01 00 00 00 ................
+ backtrace:
+ [] kmemleak_alloc+0x4e/0xb0
+ [] kmem_cache_alloc+0x190/0x300
+ [] ip_mroute_setsockopt+0x5cb/0x910
+ [] do_ip_setsockopt.isra.11+0x105/0xff0
+ [] ip_setsockopt+0x30/0xa0
+ [] raw_setsockopt+0x33/0x90
+ [] sock_common_setsockopt+0x14/0x20
+ [] SyS_setsockopt+0x71/0xc0
+ [] entry_SYSCALL_64_fastpath+0x16/0x7a
+ [] 0xffffffffffffffff
+
+Make sure that everything is cleaned on netns destruction.
+
+Signed-off-by: Nikolay Aleksandrov
+Reviewed-by: Cong Wang
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv4/ipmr.c | 15 ++++++++-------
+ 1 file changed, 8 insertions(+), 7 deletions(-)
+
+--- a/net/ipv4/ipmr.c
++++ b/net/ipv4/ipmr.c
+@@ -136,7 +136,7 @@ static int __ipmr_fill_mroute(struct mr_
+ struct mfc_cache *c, struct rtmsg *rtm);
+ static void mroute_netlink_event(struct mr_table *mrt, struct mfc_cache *mfc,
+ int cmd);
+-static void mroute_clean_tables(struct mr_table *mrt);
++static void mroute_clean_tables(struct mr_table *mrt, bool all);
+ static void ipmr_expire_process(unsigned long arg);
+
+ #ifdef CONFIG_IP_MROUTE_MULTIPLE_TABLES
+@@ -348,7 +348,7 @@ static struct mr_table *ipmr_new_table(s
+ static void ipmr_free_table(struct mr_table *mrt)
+ {
+ del_timer_sync(&mrt->ipmr_expire_timer);
+- mroute_clean_tables(mrt);
++ mroute_clean_tables(mrt, true);
+ kfree(mrt);
+ }
+
+@@ -1199,7 +1199,7 @@ static int ipmr_mfc_add(struct net *net,
+ * Close the multicast socket, and clear the vif tables etc
+ */
+
+-static void mroute_clean_tables(struct mr_table *mrt)
++static void mroute_clean_tables(struct mr_table *mrt, bool all)
+ {
+ int i;
+ LIST_HEAD(list);
+@@ -1208,8 +1208,9 @@ static void mroute_clean_tables(struct m
+ /* Shut down all active vif entries */
+
+ for (i = 0; i < mrt->maxvif; i++) {
+- if (!(mrt->vif_table[i].flags & VIFF_STATIC))
+- vif_delete(mrt, i, 0, &list);
++ if (!all && (mrt->vif_table[i].flags & VIFF_STATIC))
++ continue;
++ vif_delete(mrt, i, 0, &list);
+ }
+ unregister_netdevice_many(&list);
+
+@@ -1217,7 +1218,7 @@ static void mroute_clean_tables(struct m
+
+ for (i = 0; i < MFC_LINES; i++) {
+ list_for_each_entry_safe(c, next, &mrt->mfc_cache_array[i], list) {
+- if (c->mfc_flags & MFC_STATIC)
++ if (!all && (c->mfc_flags & MFC_STATIC))
+ continue;
+ list_del_rcu(&c->list);
+ mroute_netlink_event(mrt, c, RTM_DELROUTE);
+@@ -1252,7 +1253,7 @@ static void mrtsock_destruct(struct sock
+ NETCONFA_IFINDEX_ALL,
+ net->ipv4.devconf_all);
+ RCU_INIT_POINTER(mrt->mroute_sk, NULL);
+- mroute_clean_tables(mrt);
++ mroute_clean_tables(mrt, false);
+ }
+ }
+ rtnl_unlock();
diff --git a/queue-3.10/net-qmi_wwan-add-xs-stick-w100-2-from-4g-systems.patch b/queue-3.10/net-qmi_wwan-add-xs-stick-w100-2-from-4g-systems.patch
new file mode 100644
index 00000000000..5fb53b0e562
--- /dev/null
+++ b/queue-3.10/net-qmi_wwan-add-xs-stick-w100-2-from-4g-systems.patch
@@ -0,0 +1,64 @@
+From foo@baz Fri Dec 11 11:39:46 EST 2015
+From: =?UTF-8?q?Bj=C3=B8rn=20Mork?=
+Date: Wed, 18 Nov 2015 21:13:07 +0100
+Subject: net: qmi_wwan: add XS Stick W100-2 from 4G Systems
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: =?UTF-8?q?Bj=C3=B8rn=20Mork?=
+
+[ Upstream commit 68242a5a1e2edce39b069385cbafb82304eac0f1 ]
+
+Thomas reports
+"
+4gsystems sells two total different LTE-surfsticks under the same name.
+..
+The newer version of XS Stick W100 is from "omega"
+..
+Under windows the driver switches to the same ID, and uses MI03\6 for
+network and MI01\6 for modem.
+..
+echo "1c9e 9b01" > /sys/bus/usb/drivers/qmi_wwan/new_id
+echo "1c9e 9b01" > /sys/bus/usb-serial/drivers/option1/new_id
+
+T: Bus=01 Lev=01 Prnt=01 Port=03 Cnt=01 Dev#= 4 Spd=480 MxCh= 0
+D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
+P: Vendor=1c9e ProdID=9b01 Rev=02.32
+S: Manufacturer=USB Modem
+S: Product=USB Modem
+S: SerialNumber=
+C: #Ifs= 5 Cfg#= 1 Atr=80 MxPwr=500mA
+I: If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
+I: If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
+I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
+I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan
+I: If#= 4 Alt= 0 #EPs= 2 Cls=08(stor.) Sub=06 Prot=50 Driver=usb-storage
+
+Now all important things are there:
+
+wwp0s29f7u2i3 (net), ttyUSB2 (at), cdc-wdm0 (qmi), ttyUSB1 (at)
+
+There is also ttyUSB0, but it is not usable, at least not for at.
+
+The device works well with qmi and ModemManager-NetworkManager.
+"
+
+Reported-by: Thomas Schäfer
+Signed-off-by: Bjørn Mork
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/usb/qmi_wwan.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/usb/qmi_wwan.c
++++ b/drivers/net/usb/qmi_wwan.c
+@@ -742,6 +742,7 @@ static const struct usb_device_id produc
+ {QMI_FIXED_INTF(0x2357, 0x9000, 4)}, /* TP-LINK MA260 */
+ {QMI_FIXED_INTF(0x1bc7, 0x1200, 5)}, /* Telit LE920 */
+ {QMI_FIXED_INTF(0x1bc7, 0x1201, 2)}, /* Telit LE920 */
++ {QMI_FIXED_INTF(0x1c9e, 0x9b01, 3)}, /* XS Stick W100-2 from 4G Systems */
+ {QMI_FIXED_INTF(0x0b3c, 0xc000, 4)}, /* Olivetti Olicard 100 */
+ {QMI_FIXED_INTF(0x0b3c, 0xc001, 4)}, /* Olivetti Olicard 120 */
+ {QMI_FIXED_INTF(0x0b3c, 0xc002, 4)}, /* Olivetti Olicard 140 */
diff --git a/queue-3.10/net-scm-fix-pax-detected-msg_controllen-overflow-in-scm_detach_fds.patch b/queue-3.10/net-scm-fix-pax-detected-msg_controllen-overflow-in-scm_detach_fds.patch
new file mode 100644
index 00000000000..112c0c3efd3
--- /dev/null
+++ b/queue-3.10/net-scm-fix-pax-detected-msg_controllen-overflow-in-scm_detach_fds.patch
@@ -0,0 +1,142 @@
+From foo@baz Fri Dec 11 11:39:46 EST 2015
+From: Daniel Borkmann
+Date: Fri, 20 Nov 2015 00:11:56 +0100
+Subject: net, scm: fix PaX detected msg_controllen overflow in scm_detach_fds
+
+From: Daniel Borkmann
+
+[ Upstream commit 6900317f5eff0a7070c5936e5383f589e0de7a09 ]
+
+David and HacKurx reported a following/similar size overflow triggered
+in a grsecurity kernel, thanks to PaX's gcc size overflow plugin:
+
+(Already fixed in later grsecurity versions by Brad and PaX Team.)
+
+[ 1002.296137] PAX: size overflow detected in function scm_detach_fds net/core/scm.c:314
+ cicus.202_127 min, count: 4, decl: msg_controllen; num: 0; context: msghdr;
+[ 1002.296145] CPU: 0 PID: 3685 Comm: scm_rights_recv Not tainted 4.2.3-grsec+ #7
+[ 1002.296149] Hardware name: Apple Inc. MacBookAir5,1/Mac-66F35F19FE2A0D05, [...]
+[ 1002.296153] ffffffff81c27366 0000000000000000 ffffffff81c27375 ffffc90007843aa8
+[ 1002.296162] ffffffff818129ba 0000000000000000 ffffffff81c27366 ffffc90007843ad8
+[ 1002.296169] ffffffff8121f838 fffffffffffffffc fffffffffffffffc ffffc90007843e60
+[ 1002.296176] Call Trace:
+[ 1002.296190] [] dump_stack+0x45/0x57
+[ 1002.296200] [] report_size_overflow+0x38/0x60
+[ 1002.296209] [] scm_detach_fds+0x2ce/0x300
+[ 1002.296220] [] unix_stream_read_generic+0x609/0x930
+[ 1002.296228] [] unix_stream_recvmsg+0x4f/0x60
+[ 1002.296236] [] ? unix_set_peek_off+0x50/0x50
+[ 1002.296243] [] sock_recvmsg+0x47/0x60
+[ 1002.296248] [] ___sys_recvmsg+0xe2/0x1e0
+[ 1002.296257] [] __sys_recvmsg+0x46/0x80
+[ 1002.296263] [] SyS_recvmsg+0x2c/0x40
+[ 1002.296271] [] entry_SYSCALL_64_fastpath+0x12/0x85
+
+Further investigation showed that this can happen when an *odd* number of
+fds are being passed over AF_UNIX sockets.
+
+In these cases CMSG_LEN(i * sizeof(int)) and CMSG_SPACE(i * sizeof(int)),
+where i is the number of successfully passed fds, differ by 4 bytes due
+to the extra CMSG_ALIGN() padding in CMSG_SPACE() to an 8 byte boundary
+on 64 bit. The padding is used to align subsequent cmsg headers in the
+control buffer.
+
+When the control buffer passed in from the receiver side *lacks* these 4
+bytes (e.g. due to buggy/wrong API usage), then msg->msg_controllen will
+overflow in scm_detach_fds():
+
+ int cmlen = CMSG_LEN(i * sizeof(int)); <--- cmlen w/o tail-padding
+ err = put_user(SOL_SOCKET, &cm->cmsg_level);
+ if (!err)
+ err = put_user(SCM_RIGHTS, &cm->cmsg_type);
+ if (!err)
+ err = put_user(cmlen, &cm->cmsg_len);
+ if (!err) {
+ cmlen = CMSG_SPACE(i * sizeof(int)); <--- cmlen w/ 4 byte extra tail-padding
+ msg->msg_control += cmlen;
+ msg->msg_controllen -= cmlen; <--- iff no tail-padding space here ...
+ } ... wrap-around
+
+F.e. it will wrap to a length of 18446744073709551612 bytes in case the
+receiver passed in msg->msg_controllen of 20 bytes, and the sender
+properly transferred 1 fd to the receiver, so that its CMSG_LEN results
+in 20 bytes and CMSG_SPACE in 24 bytes.
+
+In case of MSG_CMSG_COMPAT (scm_detach_fds_compat()), I haven't seen an
+issue in my tests as alignment seems always on 4 byte boundary. Same
+should be in case of native 32 bit, where we end up with 4 byte boundaries
+as well.
+
+In practice, passing msg->msg_controllen of 20 to recvmsg() while receiving
+a single fd would mean that on successful return, msg->msg_controllen is
+being set by the kernel to 24 bytes instead, thus more than the input
+buffer advertised. It could f.e. become an issue if such application later
+on zeroes or copies the control buffer based on the returned msg->msg_controllen
+elsewhere.
+
+Maximum number of fds we can send is a hard upper limit SCM_MAX_FD (253).
+
+Going over the code, it seems like msg->msg_controllen is not being read
+after scm_detach_fds() in scm_recv() anymore by the kernel, good!
+
+Relevant recvmsg() handler are unix_dgram_recvmsg() (unix_seqpacket_recvmsg())
+and unix_stream_recvmsg(). Both return back to their recvmsg() caller,
+and ___sys_recvmsg() places the updated length, that is, new msg_control -
+old msg_control pointer into msg->msg_controllen (hence the 24 bytes seen
+in the example).
+
+Long time ago, Wei Yongjun fixed something related in commit 1ac70e7ad24a
+("[NET]: Fix function put_cmsg() which may cause usr application memory
+overflow").
+
+RFC3542, section 20.2. says:
+
+ The fields shown as "XX" are possible padding, between the cmsghdr
+ structure and the data, and between the data and the next cmsghdr
+ structure, if required by the implementation. While sending an
+ application may or may not include padding at the end of last
+ ancillary data in msg_controllen and implementations must accept both
+ as valid. On receiving a portable application must provide space for
+ padding at the end of the last ancillary data as implementations may
+ copy out the padding at the end of the control message buffer and
+ include it in the received msg_controllen. When recvmsg() is called
+ if msg_controllen is too small for all the ancillary data items
+ including any trailing padding after the last item an implementation
+ may set MSG_CTRUNC.
+
+Since we didn't place MSG_CTRUNC for already quite a long time, just do
+the same as in 1ac70e7ad24a to avoid an overflow.
+
+Btw, even man-page author got this wrong :/ See db939c9b26e9 ("cmsg.3: Fix
+error in SCM_RIGHTS code sample"). Some people must have copied this (?),
+thus it got triggered in the wild (reported several times during boot by
+David and HacKurx).
+
+No Fixes tag this time as pre 2002 (that is, pre history tree).
+
+Reported-by: David Sterba
+Reported-by: HacKurx
+Cc: PaX Team
+Cc: Emese Revfy
+Cc: Brad Spengler
+Cc: Wei Yongjun
+Cc: Eric Dumazet
+Reviewed-by: Hannes Frederic Sowa
+Signed-off-by: Daniel Borkmann
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/core/scm.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/core/scm.c
++++ b/net/core/scm.c
+@@ -306,6 +306,8 @@ void scm_detach_fds(struct msghdr *msg,
+ err = put_user(cmlen, &cm->cmsg_len);
+ if (!err) {
+ cmlen = CMSG_SPACE(i*sizeof(int));
++ if (msg->msg_controllen < cmlen)
++ cmlen = msg->msg_controllen;
+ msg->msg_control += cmlen;
+ msg->msg_controllen -= cmlen;
+ }
diff --git a/queue-3.10/packet-infer-protocol-from-ethernet-header-if-unset.patch b/queue-3.10/packet-infer-protocol-from-ethernet-header-if-unset.patch
new file mode 100644
index 00000000000..099f3e45c17
--- /dev/null
+++ b/queue-3.10/packet-infer-protocol-from-ethernet-header-if-unset.patch
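Review bot: The clamp added before `msg->msg_control += cmlen` in `scm_detach_fds()` silently shortens the advance to the caller's remaining `msg_controllen` without setting `MSG_CTRUNC`; the commit message justifies that at length, but the code says nothing, and a comment at the clamp would stop a future reader from "fixing" it. Suggested: `/* CMSG_SPACE() can exceed CMSG_LEN() by the alignment tail the receiver need not have supplied (RFC 3542 section 20.2); clamp as put_cmsg() does instead of letting msg_controllen wrap */`. The message also argues that `scm_detach_fds_compat()` is unaffected only because its alignment happens to be 4 bytes; applying the same two-line clamp there would make the invariant explicit rather than alignment-dependent. The rest of `scm_detach_fds()` is outside the hunk.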
@@ -0,0 +1,71 @@
+From foo@baz Fri Dec 11 11:39:46 EST 2015
+From: Daniel Borkmann
+Date: Wed, 11 Nov 2015 23:25:43 +0100
+Subject: packet: infer protocol from ethernet header if unset
+
+From: Daniel Borkmann
+
+[ Upstream commit c72219b75fde768efccf7666342282fab7f9e4e7 ]
+
+In case no struct sockaddr_ll has been passed to packet
+socket's sendmsg() when doing a TX_RING flush run, then
+skb->protocol is set to po->num instead, which is the protocol
+passed via socket(2)/bind(2).
+
+Applications only xmitting can go the path of allocating the
+socket as socket(PF_PACKET, , 0) and do a bind(2) on the
+TX_RING with sll_protocol of 0. That way, register_prot_hook()
+is neither called on creation nor on bind time, which saves
+cycles when there's no interest in capturing anyway.
+
+That leaves us however with po->num 0 instead and therefore
+the TX_RING flush run sets skb->protocol to 0 as well. Eric
+reported that this leads to problems when using tools like
+trafgen over bonding device. I.e. the bonding's hash function
+could invoke the kernel's flow dissector, which depends on
+skb->protocol being properly set. In the current situation, all
+the traffic is then directed to a single slave.
+
+Fix it up by inferring skb->protocol from the Ethernet header
+when not set and we have ARPHRD_ETHER device type. This is only
+done in case of SOCK_RAW and where we have a dev->hard_header_len
+length. In case of ARPHRD_ETHER devices, this is guaranteed to
+cover ETH_HLEN, and therefore being accessed on the skb after
+the skb_store_bits().
+
+Reported-by: Eric Dumazet
+Signed-off-by: Daniel Borkmann
+Acked-by: Willem de Bruijn
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/packet/af_packet.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -1945,6 +1945,15 @@ static void tpacket_destruct_skb(struct
+ sock_wfree(skb);
+ }
+
++static void tpacket_set_protocol(const struct net_device *dev,
++ struct sk_buff *skb)
++{
++ if (dev->type == ARPHRD_ETHER) {
++ skb_reset_mac_header(skb);
++ skb->protocol = eth_hdr(skb)->h_proto;
++ }
++}
++
+ static int tpacket_fill_skb(struct packet_sock *po, struct sk_buff *skb,
+ void *frame, struct net_device *dev, int size_max,
+ __be16 proto, unsigned char *addr, int hlen)
+@@ -2031,6 +2040,8 @@ static int tpacket_fill_skb(struct packe
+ dev->hard_header_len);
+ if (unlikely(err))
+ return err;
++ if (!skb->protocol)
++ tpacket_set_protocol(dev, skb);
+
+ data += dev->hard_header_len;
+ to_write -= dev->hard_header_len;
diff --git a/queue-3.10/sctp-translate-host-order-to-network-order-when-setting-a-hmacid.patch b/queue-3.10/sctp-translate-host-order-to-network-order-when-setting-a-hmacid.patch
new file mode 100644
index 00000000000..67643dbf744
--- /dev/null
+++ b/queue-3.10/sctp-translate-host-order-to-network-order-when-setting-a-hmacid.patch
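Review bot: `tpacket_set_protocol()` reads `eth_hdr(skb)->h_proto` without checking that the skb holds at least `ETH_HLEN` bytes; the commit message argues the caller guarantees this because the helper is only reached after `skb_store_bits()` of `dev->hard_header_len` bytes in the SOCK_RAW path, but that precondition lives in `tpacket_fill_skb()`, which begins and ends outside the hunk, and is invisible from the helper itself. Suggested comment above the helper: `/* Caller must already have stored dev->hard_header_len bytes at the head of skb; for ARPHRD_ETHER that covers the whole Ethernet header */`. The `if (!skb->protocol)` guard at the call site also deserves a word, e.g. `/* proto was 0 (no sockaddr_ll and bind() with sll_protocol 0): take it from the frame */`, since it is the only case in which the helper overrides what the caller set.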
@@ -0,0 +1,45 @@
+From foo@baz Fri Dec 11 11:39:46 EST 2015
+From: lucien
+Date: Thu, 12 Nov 2015 13:07:07 +0800
+Subject: sctp: translate host order to network order when setting a hmacid
+
+From: lucien
+
+[ Upstream commit ed5a377d87dc4c87fb3e1f7f698cba38cd893103 ]
+
+now sctp auth cannot work well when setting a hmacid manually, which
+is caused by that we didn't use the network order for hmacid, so fix
+it by adding the transformation in sctp_auth_ep_set_hmacs.
+
+even we set hmacid with the network order in userspace, it still
+can't work, because of this condition in sctp_auth_ep_set_hmacs():
+
+ if (id > SCTP_AUTH_HMAC_ID_MAX)
+ return -EOPNOTSUPP;
+
+so this wasn't working before and thus it won't break compatibility.
+
+Fixes: 65b07e5d0d09 ("[SCTP]: API updates to suport SCTP-AUTH extensions.")
+Signed-off-by: Xin Long
+Signed-off-by: Marcelo Ricardo Leitner
+Acked-by: Neil Horman
+Acked-by: Vlad Yasevich
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/sctp/auth.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/sctp/auth.c
++++ b/net/sctp/auth.c
+@@ -812,8 +812,8 @@ int sctp_auth_ep_set_hmacs(struct sctp_e
+ if (!has_sha1)
+ return -EINVAL;
+
+- memcpy(ep->auth_hmacs_list->hmac_ids, &hmacs->shmac_idents[0],
+ hmacs->shmac_num_idents * sizeof(__u16));
++ for (i = 0; i < hmacs->shmac_num_idents; i++)
++ ep->auth_hmacs_list->hmac_ids[i] = htons(hmacs->shmac_idents[i]);
+ ep->auth_hmacs_list->param_hdr.length = htons(sizeof(sctp_paramhdr_t) +
+ hmacs->shmac_num_idents * sizeof(__u16));
+ return 0;
diff --git a/queue-3.10/series b/queue-3.10/series
new file mode 100644
index 00000000000..7c6d287ca4d
--- /dev/null
+++ b/queue-3.10/series
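Review bot: The new loop in `sctp_auth_ep_set_hmacs()` converts each `hmac_ids[i]` with `htons()`, but nothing in the code says why the `memcpy()` had to go, and the endianness contract of `hmac_ids` is easy to miss even though the adjacent `param_hdr.length` assignment already uses `htons()`; a short comment would help: `/* hmac_ids are emitted verbatim in the AUTH parameter, so keep them in network order */`. The loop relies on `i` being declared earlier in `sctp_auth_ep_set_hmacs()`, outside the hunk. The `id > SCTP_AUTH_HMAC_ID_MAX` check the commit message cites as the reason this is not a compatibility break is also outside the hunk, so that reasoning is taken on trust here.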
@@ -0,0 +1,13 @@
+unix-avoid-use-after-free-in-ep_remove_wait_queue.patch
+packet-infer-protocol-from-ethernet-header-if-unset.patch
+sctp-translate-host-order-to-network-order-when-setting-a-hmacid.patch
+snmp-remove-duplicate-outmcast-stat-increment.patch
+net-qmi_wwan-add-xs-stick-w100-2-from-4g-systems.patch
+tcp-md5-fix-lockdep-annotation.patch
+tcp-initialize-tp-copied_seq-in-case-of-cross-syn-connection.patch
+net-scm-fix-pax-detected-msg_controllen-overflow-in-scm_detach_fds.patch
+net-ipmr-fix-static-mfc-dev-leaks-on-table-destruction.patch
+net-ip6mr-fix-static-mfc-dev-leaks-on-table-destruction.patch
+broadcom-fix-phy_id_bcm5481-entry-in-the-id-table.patch
+ipv6-distinguish-frag-queues-by-device-for-multicast-and-link-local-packets.patch
+ipv6-sctp-implement-sctp_v6_destroy_sock.patch
diff --git a/queue-3.10/snmp-remove-duplicate-outmcast-stat-increment.patch b/queue-3.10/snmp-remove-duplicate-outmcast-stat-increment.patch
new file mode 100644
index 00000000000..9e2ede198d4
--- /dev/null
+++ b/queue-3.10/snmp-remove-duplicate-outmcast-stat-increment.patch
@@ -0,0 +1,43 @@
+From foo@baz Fri Dec 11 11:39:46 EST 2015
+From: Neil Horman
+Date: Mon, 16 Nov 2015 13:09:10 -0500
+Subject: snmp: Remove duplicate OUTMCAST stat increment
+
+From: Neil Horman
+
+[ Upstream commit 41033f029e393a64e81966cbe34d66c6cf8a2e7e ]
+
+the OUTMCAST stat is double incremented, getting bumped once in the mcast code
+itself, and again in the common ip output path. Remove the mcast bump, as its
+not needed
+
+Validated by the reporter, with good results
+
+Signed-off-by: Neil Horman
+Reported-by: Claus Jensen
+CC: Claus Jensen
+CC: David Miller
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv6/mcast.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/net/ipv6/mcast.c
++++ b/net/ipv6/mcast.c
+@@ -1441,7 +1441,6 @@ out:
+ if (!err) {
+ ICMP6MSGOUT_INC_STATS(net, idev, ICMPV6_MLD2_REPORT);
+ ICMP6_INC_STATS(net, idev, ICMP6_MIB_OUTMSGS);
+- IP6_UPD_PO_STATS(net, idev, IPSTATS_MIB_OUTMCAST, payload_len);
+ } else {
+ IP6_INC_STATS(net, idev, IPSTATS_MIB_OUTDISCARDS);
+ }
+@@ -1805,7 +1804,6 @@ out:
+ if (!err) {
+ ICMP6MSGOUT_INC_STATS(net, idev, type);
+ ICMP6_INC_STATS(net, idev, ICMP6_MIB_OUTMSGS);
+- IP6_UPD_PO_STATS(net, idev, IPSTATS_MIB_OUTMCAST, full_len);
+ } else
+ IP6_INC_STATS(net, idev, IPSTATS_MIB_OUTDISCARDS);
+
diff --git a/queue-3.10/tcp-initialize-tp-copied_seq-in-case-of-cross-syn-connection.patch b/queue-3.10/tcp-initialize-tp-copied_seq-in-case-of-cross-syn-connection.patch
new file mode 100644
index 00000000000..f614160d58a
--- /dev/null
+++ b/queue-3.10/tcp-initialize-tp-copied_seq-in-case-of-cross-syn-connection.patch
@@ -0,0 +1,41 @@
+From foo@baz Fri Dec 11 11:39:46 EST 2015
+From: Eric Dumazet
+Date: Thu, 26 Nov 2015 08:18:14 -0800
+Subject: tcp: initialize tp->copied_seq in case of cross SYN connection
+
+From: Eric Dumazet
+
+[ Upstream commit 142a2e7ece8d8ac0e818eb2c91f99ca894730e2a ]
+
+Dmitry provided a syzkaller (http://github.com/google/syzkaller)
+generated program that triggers the WARNING at
+net/ipv4/tcp.c:1729 in tcp_recvmsg() :
+
+WARN_ON(tp->copied_seq != tp->rcv_nxt &&
+ !(flags & (MSG_PEEK | MSG_TRUNC)));
+
+His program is specifically attempting a Cross SYN TCP exchange,
+that we support (for the pleasure of hackers ?), but it looks we
+lack proper tcp->copied_seq initialization.
+
+Thanks again Dmitry for your report and testings.
+
+Signed-off-by: Eric Dumazet
+Reported-by: Dmitry Vyukov
+Tested-by: Dmitry Vyukov
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv4/tcp_input.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -5575,6 +5575,7 @@ discard:
+ }
+
+ tp->rcv_nxt = TCP_SKB_CB(skb)->seq + 1;
++ tp->copied_seq = tp->rcv_nxt;
+ tp->rcv_wup = TCP_SKB_CB(skb)->seq + 1;
+
+ /* RFC1323: The window in SYN & SYN/ACK segments is
diff --git a/queue-3.10/tcp-md5-fix-lockdep-annotation.patch b/queue-3.10/tcp-md5-fix-lockdep-annotation.patch
new file mode 100644
index 00000000000..74dbfd7e21f
--- /dev/null
+++ b/queue-3.10/tcp-md5-fix-lockdep-annotation.patch
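Review bot: The added `tp->copied_seq = tp->rcv_nxt;` carries no hint of why it is needed, and the reason the commit message gives (the `WARN_ON` in `tcp_recvmsg()` on a cross-SYN exchange) is exactly what the next reader will want; suggested: `/* cross SYN: nothing consumed yet, keep copied_seq in step with rcv_nxt (tcp_recvmsg() warns otherwise) */`. As a style point, the following line `tp->rcv_wup = TCP_SKB_CB(skb)->seq + 1;` repeats the expression already stored in `rcv_nxt` and could read `tp->rcv_wup = tp->rcv_nxt;`, though that is not part of this fix. The enclosing function starts and ends outside the hunk, so I cannot see from here whether the other SYN-handling paths initialise `copied_seq` the same way.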
@@ -0,0 +1,68 @@
+From foo@baz Fri Dec 11 11:39:46 EST 2015
+From: Eric Dumazet
+Date: Wed, 18 Nov 2015 12:40:13 -0800
+Subject: tcp: md5: fix lockdep annotation
+
+From: Eric Dumazet
+
+[ Upstream commit 1b8e6a01e19f001e9f93b39c32387961c91ed3cc ]
+
+When a passive TCP is created, we eventually call tcp_md5_do_add()
+with sk pointing to the child. It is not owner by the user yet (we
+will add this socket into listener accept queue a bit later anyway)
+
+But we do own the spinlock, so amend the lockdep annotation to avoid
+following splat :
+
+[ 8451.090932] net/ipv4/tcp_ipv4.c:923 suspicious rcu_dereference_protected() usage!
+[ 8451.090932]
+[ 8451.090932] other info that might help us debug this:
+[ 8451.090932]
+[ 8451.090934]
+[ 8451.090934] rcu_scheduler_active = 1, debug_locks = 1
+[ 8451.090936] 3 locks held by socket_sockopt_/214795:
+[ 8451.090936] #0: (rcu_read_lock){.+.+..}, at: [] __netif_receive_skb_core+0x151/0xe90
+[ 8451.090947] #1: (rcu_read_lock){.+.+..}, at: [] ip_local_deliver_finish+0x43/0x2b0
+[ 8451.090952] #2: (slock-AF_INET){+.-...}, at: [] sk_clone_lock+0x1c5/0x500
+[ 8451.090958]
+[ 8451.090958] stack backtrace:
+[ 8451.090960] CPU: 7 PID: 214795 Comm: socket_sockopt_
+
+[ 8451.091215] Call Trace:
+[ 8451.091216] [] dump_stack+0x55/0x76
+[ 8451.091229] [] lockdep_rcu_suspicious+0xeb/0x110
+[ 8451.091235] [] tcp_md5_do_add+0x1bf/0x1e0
+[ 8451.091239] [] tcp_v4_syn_recv_sock+0x1f1/0x4c0
+[ 8451.091242] [] ? tcp_v4_md5_hash_skb+0x167/0x190
+[ 8451.091246] [] tcp_check_req+0x3c8/0x500
+[ 8451.091249] [] ? tcp_v4_inbound_md5_hash+0x11e/0x190
+[ 8451.091253] [] tcp_v4_rcv+0x3c0/0x9f0
+[ 8451.091256] [] ? ip_local_deliver_finish+0x43/0x2b0
+[ 8451.091260] [] ip_local_deliver_finish+0xb6/0x2b0
+[ 8451.091263] [] ? ip_local_deliver_finish+0x43/0x2b0
+[ 8451.091267] [] ip_local_deliver+0x48/0x80
+[ 8451.091270] [] ip_rcv_finish+0x160/0x700
+[ 8451.091273] [] ip_rcv+0x29e/0x3d0
+[ 8451.091277] [] __netif_receive_skb_core+0xb47/0xe90
+
+Fixes: a8afca0329988 ("tcp: md5: protects md5sig_info with RCU")
+Signed-off-by: Eric Dumazet
+Reported-by: Willem de Bruijn
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv4/tcp_ipv4.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/ipv4/tcp_ipv4.c
++++ b/net/ipv4/tcp_ipv4.c
+@@ -1015,7 +1015,8 @@ int tcp_md5_do_add(struct sock *sk, cons
+ }
+ 
+ md5sig = rcu_dereference_protected(tp->md5sig_info,
+- sock_owned_by_user(sk));
++ sock_owned_by_user(sk) ||
++ lockdep_is_held(&sk->sk_lock.slock));
+ if (!md5sig) {
+ md5sig = kmalloc(sizeof(*md5sig), gfp);
+ if (!md5sig)
diff --git a/queue-3.10/unix-avoid-use-after-free-in-ep_remove_wait_queue.patch b/queue-3.10/unix-avoid-use-after-free-in-ep_remove_wait_queue.patch
new file mode 100644
index 00000000000..043f7ff6308
--- /dev/null
+++ b/queue-3.10/unix-avoid-use-after-free-in-ep_remove_wait_queue.patch
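Review bot: The widened annotation covers only the `rcu_dereference_protected()` in tcp_md5_do_add(); any other md5sig_info dereference in this file that still uses the bare `sock_owned_by_user(sk)` the removed line shows (tcp_md5_do_del() and the list-clearing path, if they follow the same pattern) will raise the same splat when reached from a passive-open child holding only the slock, so they are worth checking for the same treatment. A short comment above the call would document the two legal contexts the commit message identifies, e.g. `/* reached either with the socket owned by the user (setsockopt) or, for a passive-open child from tcp_v4_syn_recv_sock(), with only sk_lock.slock held */`. Since `lockdep_is_held()` only has an effect with lockdep enabled, this is an annotation-only change with no runtime behaviour difference. tcp_md5_do_add() starts and ends outside the hunk.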
@@ -0,0 +1,329 @@
+From foo@baz Fri Dec 11 11:39:46 EST 2015
+From: Rainer Weikusat
+Date: Fri, 20 Nov 2015 22:07:23 +0000
+Subject: unix: avoid use-after-free in ep_remove_wait_queue
+
+From: Rainer Weikusat
+
+[ Upstream commit 7d267278a9ece963d77eefec61630223fce08c6c ]
+
+Rainer Weikusat writes:
+An AF_UNIX datagram socket being the client in an n:1 association with
+some server socket is only allowed to send messages to the server if the
+receive queue of this socket contains at most sk_max_ack_backlog
+datagrams. This implies that prospective writers might be forced to go
+to sleep despite none of the message presently enqueued on the server
+receive queue were sent by them. In order to ensure that these will be
+woken up once space becomes again available, the present unix_dgram_poll
+routine does a second sock_poll_wait call with the peer_wait wait queue
+of the server socket as queue argument (unix_dgram_recvmsg does a wake
+up on this queue after a datagram was received). This is inherently
+problematic because the server socket is only guaranteed to remain alive
+for as long as the client still holds a reference to it. In case the
+connection is dissolved via connect or by the dead peer detection logic
+in unix_dgram_sendmsg, the server socket may be freed despite "the
+polling mechanism" (in particular, epoll) still has a pointer to the
+corresponding peer_wait queue. There's no way to forcibly deregister a
+wait queue with epoll.
+
+Based on an idea by Jason Baron, the patch below changes the code such
+that a wait_queue_t belonging to the client socket is enqueued on the
+peer_wait queue of the server whenever the peer receive queue full
+condition is detected by either a sendmsg or a poll. A wake up on the
+peer queue is then relayed to the ordinary wait queue of the client
+socket via wake function. The connection to the peer wait queue is again
+dissolved if either a wake up is about to be relayed or the client
+socket reconnects or a dead peer is detected or the client socket is
+itself closed. This enables removing the second sock_poll_wait from
+unix_dgram_poll, thus avoiding the use-after-free, while still ensuring
+that no blocked writer sleeps forever.
+
+Signed-off-by: Rainer Weikusat
+Fixes: ec0d215f9420 ("af_unix: fix 'poll for write'/connected DGRAM sockets")
+Reviewed-by: Jason Baron
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ include/net/af_unix.h | 1
+ net/unix/af_unix.c | 183 ++++++++++++++++++++++++++++++++++++++++++++------
+ 2 files changed, 165 insertions(+), 19 deletions(-)
+
+--- a/include/net/af_unix.h
++++ b/include/net/af_unix.h
+@@ -62,6 +62,7 @@ struct unix_sock {
+ #define UNIX_GC_CANDIDATE 0
+ #define UNIX_GC_MAYBE_CYCLE 1
+ struct socket_wq peer_wq;
++ wait_queue_t peer_wake;
+ };
+ 
+ static inline struct unix_sock *unix_sk(struct sock *sk)
+--- a/net/unix/af_unix.c
++++ b/net/unix/af_unix.c
+@@ -313,6 +313,118 @@ found:
+ return s;
+ }
+ 
++/* Support code for asymmetrically connected dgram sockets
++ *
++ * If a datagram socket is connected to a socket not itself connected
++ * to the first socket (eg, /dev/log), clients may only enqueue more
++ * messages if the present receive queue of the server socket is not
++ * "too large". This means there's a second writeability condition
++ * poll and sendmsg need to test. The dgram recv code will do a wake
++ * up on the peer_wait wait queue of a socket upon reception of a
++ * datagram which needs to be propagated to sleeping would-be writers
++ * since these might not have sent anything so far. This can't be
++ * accomplished via poll_wait because the lifetime of the server
++ * socket might be less than that of its clients if these break their
++ * association with it or if the server socket is closed while clients
++ * are still connected to it and there's no way to inform "a polling
++ * implementation" that it should let go of a certain wait queue
++ *
++ * In order to propagate a wake up, a wait_queue_t of the client
++ * socket is enqueued on the peer_wait queue of the server socket
++ * whose wake function does a wake_up on the ordinary client socket
++ * wait queue. This connection is established whenever a write (or
++ * poll for write) hit the flow control condition and broken when the
++ * association to the server socket is dissolved or after a wake up
++ * was relayed.
++ */
++
++static int unix_dgram_peer_wake_relay(wait_queue_t *q, unsigned mode, int flags,
++ void *key)
++{
++ struct unix_sock *u;
++ wait_queue_head_t *u_sleep;
++
++ u = container_of(q, struct unix_sock, peer_wake);
++
++ __remove_wait_queue(&unix_sk(u->peer_wake.private)->peer_wait,
++ q);
++ u->peer_wake.private = NULL;
++
++ /* relaying can only happen while the wq still exists */
++ u_sleep = sk_sleep(&u->sk);
++ if (u_sleep)
++ wake_up_interruptible_poll(u_sleep, key);
++
++ return 0;
++}
++
++static int unix_dgram_peer_wake_connect(struct sock *sk, struct sock *other)
++{
++ struct unix_sock *u, *u_other;
++ int rc;
++
++ u = unix_sk(sk);
++ u_other = unix_sk(other);
++ rc = 0;
++ spin_lock(&u_other->peer_wait.lock);
++
++ if (!u->peer_wake.private) {
++ u->peer_wake.private = other;
++ __add_wait_queue(&u_other->peer_wait, &u->peer_wake);
++
++ rc = 1;
++ }
++
++ spin_unlock(&u_other->peer_wait.lock);
++ return rc;
++}
++
++static void unix_dgram_peer_wake_disconnect(struct sock *sk,
++ struct sock *other)
++{
++ struct unix_sock *u, *u_other;
++
++ u = unix_sk(sk);
++ u_other = unix_sk(other);
++ spin_lock(&u_other->peer_wait.lock);
++
++ if (u->peer_wake.private == other) {
++ __remove_wait_queue(&u_other->peer_wait, &u->peer_wake);
++ u->peer_wake.private = NULL;
++ }
++
++ spin_unlock(&u_other->peer_wait.lock);
++}
++
++static void unix_dgram_peer_wake_disconnect_wakeup(struct sock *sk,
++ struct sock *other)
++{
++ unix_dgram_peer_wake_disconnect(sk, other);
++ wake_up_interruptible_poll(sk_sleep(sk),
++ POLLOUT |
++ POLLWRNORM |
++ POLLWRBAND);
++}
++
++/* preconditions:
++ * - unix_peer(sk) == other
++ * - association is stable
++ */
++static int unix_dgram_peer_wake_me(struct sock *sk, struct sock *other)
++{
++ int connected;
++
++ connected = unix_dgram_peer_wake_connect(sk, other);
++
++ if (unix_recvq_full(other))
++ return 1;
++
++ if (connected)
++ unix_dgram_peer_wake_disconnect(sk, other);
++
++ return 0;
++}
++
+ static inline int unix_writable(struct sock *sk)
+ {
+ return (atomic_read(&sk->sk_wmem_alloc) << 2) <= sk->sk_sndbuf;
+@@ -417,6 +529,8 @@ static void unix_release_sock(struct soc
+ skpair->sk_state_change(skpair);
+ sk_wake_async(skpair, SOCK_WAKE_WAITD, POLL_HUP);
+ }
++
++ unix_dgram_peer_wake_disconnect(sk, skpair);
+ sock_put(skpair); /* It may now die */
+ unix_peer(sk) = NULL;
+ }
+@@ -650,6 +764,7 @@ static struct sock *unix_create1(struct
+ INIT_LIST_HEAD(&u->link);
+ mutex_init(&u->readlock); /* single task reading lock */
+ init_waitqueue_head(&u->peer_wait);
++ init_waitqueue_func_entry(&u->peer_wake, unix_dgram_peer_wake_relay);
+ unix_insert_socket(unix_sockets_unbound(sk), sk);
+ out:
+ if (sk == NULL)
+@@ -1017,6 +1132,8 @@ restart:
+ if (unix_peer(sk)) {
+ struct sock *old_peer = unix_peer(sk);
+ unix_peer(sk) = other;
++ unix_dgram_peer_wake_disconnect_wakeup(sk, old_peer);
++
+ unix_state_double_unlock(sk, other);
+ 
+ if (other != old_peer)
+@@ -1456,6 +1573,7 @@ static int unix_dgram_sendmsg(struct kio
+ struct scm_cookie tmp_scm;
+ int max_level;
+ int data_len = 0;
++ int sk_locked;
+ 
+ if (NULL == siocb->scm)
+ siocb->scm = &tmp_scm;
+@@ -1532,12 +1650,14 @@ restart:
+ goto out_free;
+ }
+ 
++ sk_locked = 0;
+ unix_state_lock(other);
++restart_locked:
+ err = -EPERM;
+ if (!unix_may_send(sk, other))
+ goto out_unlock;
+ 
+- if (sock_flag(other, SOCK_DEAD)) {
++ if (unlikely(sock_flag(other, SOCK_DEAD))) {
+ /*
+ * Check with 1003.1g - what should
+ * datagram error
+@@ -1545,10 +1665,14 @@ restart:
+ unix_state_unlock(other);
+ sock_put(other);
+ 
++ if (!sk_locked)
++ unix_state_lock(sk);
++
+ err = 0;
+- unix_state_lock(sk);
+ if (unix_peer(sk) == other) {
+ unix_peer(sk) = NULL;
++ unix_dgram_peer_wake_disconnect_wakeup(sk, other);
++
+ unix_state_unlock(sk);
+ 
+ unix_dgram_disconnected(sk, other);
+@@ -1574,21 +1698,38 @@ restart:
+ goto out_unlock;
+ }
+ 
+- if (unix_peer(other) != sk && unix_recvq_full(other)) {
+- if (!timeo) {
+- err = -EAGAIN;
+- goto out_unlock;
++ if (unlikely(unix_peer(other) != sk && unix_recvq_full(other))) {
++ if (timeo) {
++ timeo = unix_wait_for_peer(other, timeo);
++
++ err = sock_intr_errno(timeo);
++ if (signal_pending(current))
++ goto out_free;
++
++ goto restart;
+ }
+ 
+- timeo = unix_wait_for_peer(other, timeo);
++ if (!sk_locked) {
++ unix_state_unlock(other);
++ unix_state_double_lock(sk, other);
++ }
+ 
+- err = sock_intr_errno(timeo);
+- if (signal_pending(current))
+- goto out_free;
++ if (unix_peer(sk) != other ||
++ unix_dgram_peer_wake_me(sk, other)) {
++ err = -EAGAIN;
++ sk_locked = 1;
++ goto out_unlock;
++ }
+ 
+- goto restart;
++ if (!sk_locked) {
++ sk_locked = 1;
++ goto restart_locked;
++ }
+ }
+ 
++ if (unlikely(sk_locked))
++ unix_state_unlock(sk);
++
+ if (sock_flag(other, SOCK_RCVTSTAMP))
+ __net_timestamp(skb);
+ maybe_add_creds(skb, sock, other);
+@@ -1602,6 +1743,8 @@ restart:
+ return len;
+ 
+ out_unlock:
++ if (sk_locked)
++ unix_state_unlock(sk);
+ unix_state_unlock(other);
+ out_free:
+ kfree_skb(skb);
+@@ -2260,14 +2403,16 @@ static unsigned int unix_dgram_poll(stru
+ return mask;
+ 
+ writable = unix_writable(sk);
+- other = unix_peer_get(sk);
+- if (other) {
+- if (unix_peer(other) != sk) {
+- sock_poll_wait(file, &unix_sk(other)->peer_wait, wait);
+- if (unix_recvq_full(other))
+- writable = 0;
+- }
+- sock_put(other);
++ if (writable) {
++ unix_state_lock(sk);
++
++ other = unix_peer(sk);
++ if (other && unix_peer(other) != sk &&
++ unix_recvq_full(other) &&
++ unix_dgram_peer_wake_me(sk, other))
++ writable = 0;
++
++ unix_state_unlock(sk);
+ }
+ 
+ if (writable)
diff --git a/queue-3.14/series b/queue-3.14/series
new file mode 100644
index 00000000000..cdb398dfa6b
--- /dev/null
+++ b/queue-3.14/series
@@ -0,0 +1,17 @@
+unix-avoid-use-after-free-in-ep_remove_wait_queue.patch
+tools-net-use-include-uapi-with-__exported_headers__.patch
+packet-do-skb_probe_transport_header-when-we-actually-have-data.patch
+packet-always-probe-for-transport-header.patch
+packet-infer-protocol-from-ethernet-header-if-unset.patch
+sctp-translate-host-order-to-network-order-when-setting-a-hmacid.patch
+ip_tunnel-disable-preemption-when-updating-per-cpu-tstats.patch
+snmp-remove-duplicate-outmcast-stat-increment.patch
+net-qmi_wwan-add-xs-stick-w100-2-from-4g-systems.patch
+tcp-md5-fix-lockdep-annotation.patch
+tcp-initialize-tp-copied_seq-in-case-of-cross-syn-connection.patch
+net-scm-fix-pax-detected-msg_controllen-overflow-in-scm_detach_fds.patch
+net-ipmr-fix-static-mfc-dev-leaks-on-table-destruction.patch
+net-ip6mr-fix-static-mfc-dev-leaks-on-table-destruction.patch
+broadcom-fix-phy_id_bcm5481-entry-in-the-id-table.patch
+ipv6-distinguish-frag-queues-by-device-for-multicast-and-link-local-packets.patch
+ipv6-sctp-implement-sctp_v6_destroy_sock.patch
diff --git a/queue-4.1/series b/queue-4.1/series
new file mode 100644
index 00000000000..b0de9e5252c
--- /dev/null
+++ b/queue-4.1/series
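Review bot: `unix_dgram_peer_wake_disconnect_wakeup()` hands `sk_sleep(sk)` straight to `wake_up_interruptible_poll()`, whereas `unix_dgram_peer_wake_relay()` a few lines above guards the same value with `if (u_sleep)` because the wait queue may already be gone; its two callers (the connect path at the `@@ -1017` hunk and the SOCK_DEAD branch of unix_dgram_sendmsg()) run on a socket the user still holds, so sk_wq should be live there, but that precondition is stated nowhere. Either mirror the guard, or document it above the call: `/* callers hold sk through its file, so sk_sleep(sk) is still valid here */`. The `/* preconditions: */` block on unix_dgram_peer_wake_me() could also name the locking that makes the association stable, which is visible in the callers: unix_dgram_poll() invokes it under `unix_state_lock(sk)` and unix_dgram_sendmsg() under `unix_state_double_lock(sk, other)`, while `unix_recvq_full(other)` is read without other's state lock in the poll case. unix_dgram_sendmsg() and unix_dgram_poll() both start outside the hunk.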
@@ -0,0 +1,26 @@
+unix-avoid-use-after-free-in-ep_remove_wait_queue.patch
+tools-net-use-include-uapi-with-__exported_headers__.patch
+packet-do-skb_probe_transport_header-when-we-actually-have-data.patch
+packet-always-probe-for-transport-header.patch
+packet-only-allow-extra-vlan-len-on-ethernet-devices.patch
+packet-infer-protocol-from-ethernet-header-if-unset.patch
+packet-fix-tpacket_snd-max-frame-len.patch
+sctp-translate-host-order-to-network-order-when-setting-a-hmacid.patch
+ip_tunnel-disable-preemption-when-updating-per-cpu-tstats.patch
+snmp-remove-duplicate-outmcast-stat-increment.patch
+net-qmi_wwan-add-xs-stick-w100-2-from-4g-systems.patch
+tcp-md5-fix-lockdep-annotation.patch
+tcp-disable-fast-open-on-timeouts-after-handshake.patch
+tcp-fix-potential-huge-kmalloc-calls-in-tcp_repair.patch
+tcp-initialize-tp-copied_seq-in-case-of-cross-syn-connection.patch
+net-scm-fix-pax-detected-msg_controllen-overflow-in-scm_detach_fds.patch
+net-ipmr-fix-static-mfc-dev-leaks-on-table-destruction.patch
+net-ip6mr-fix-static-mfc-dev-leaks-on-table-destruction.patch
+broadcom-fix-phy_id_bcm5481-entry-in-the-id-table.patch
+ipv6-distinguish-frag-queues-by-device-for-multicast-and-link-local-packets.patch
+rds-fix-race-condition-when-sending-a-message-on-unbound-socket.patch
+bpf-array-fix-heap-out-of-bounds-access-when-updating-elements.patch
+ipv6-add-complete-rcu-protection-around-np-opt.patch
+net-neighbour-fix-crash-at-dumping-device-agnostic-proxy-entries.patch
+ipv6-sctp-implement-sctp_v6_destroy_sock.patch
+net_sched-fix-qdisc_tree_decrease_qlen-races.patch
diff --git a/queue-4.2/series b/queue-4.2/series
index e69de29bb2d..19bb6925004 100644
--- a/queue-4.2/series
+++ b/queue-4.2/series
@@ -0,0 +1,37 @@
+af-unix-fix-use-after-free-with-concurrent-readers-while-splicing.patch
+af_unix-don-t-append-consumed-skbs-to-sk_receive_queue.patch
+af_unix-take-receive-queue-lock-while-appending-new-skb.patch
+unix-avoid-use-after-free-in-ep_remove_wait_queue.patch
+af-unix-passcred-support-for-sendpage.patch
+ipv6-avoid-creating-rtf_cache-from-a-rt-that-is-not-managed-by-fib6-tree.patch
+ipv6-check-expire-on-dst_nocache-route.patch
+ipv6-check-rt-dst.from-for-the-dst_nocache-route.patch
+tools-net-use-include-uapi-with-__exported_headers__.patch
+packet-do-skb_probe_transport_header-when-we-actually-have-data.patch
+packet-always-probe-for-transport-header.patch
+packet-only-allow-extra-vlan-len-on-ethernet-devices.patch
+packet-infer-protocol-from-ethernet-header-if-unset.patch
+packet-fix-tpacket_snd-max-frame-len.patch
+sctp-translate-host-order-to-network-order-when-setting-a-hmacid.patch
+net-mlx4_core-fix-sleeping-while-holding-spinlock-at-rem_slave_counters.patch
+ip_tunnel-disable-preemption-when-updating-per-cpu-tstats.patch
+net-switchdev-fix-return-code-of-fdb_dump-stub.patch
+net-thunder-check-for-driver-data-in-nicvf_remove.patch
+snmp-remove-duplicate-outmcast-stat-increment.patch
+net-qmi_wwan-add-xs-stick-w100-2-from-4g-systems.patch
+tcp-md5-fix-lockdep-annotation.patch
+tcp-disable-fast-open-on-timeouts-after-handshake.patch
+tcp-fix-potential-huge-kmalloc-calls-in-tcp_repair.patch
+tcp-initialize-tp-copied_seq-in-case-of-cross-syn-connection.patch
+net-scm-fix-pax-detected-msg_controllen-overflow-in-scm_detach_fds.patch
+net-ipmr-fix-static-mfc-dev-leaks-on-table-destruction.patch
+net-ip6mr-fix-static-mfc-dev-leaks-on-table-destruction.patch
+broadcom-fix-phy_id_bcm5481-entry-in-the-id-table.patch
+ipv6-distinguish-frag-queues-by-device-for-multicast-and-link-local-packets.patch
+rds-fix-race-condition-when-sending-a-message-on-unbound-socket.patch
+bpf-array-fix-heap-out-of-bounds-access-when-updating-elements.patch
+ipv6-add-complete-rcu-protection-around-np-opt.patch
+net-neighbour-fix-crash-at-dumping-device-agnostic-proxy-entries.patch
+ipv6-sctp-implement-sctp_v6_destroy_sock.patch
+net_sched-fix-qdisc_tree_decrease_qlen-races.patch
+via-rhine-fix-vlan-receive-handling-regression.patch
diff --git a/queue-4.3/series b/queue-4.3/series
index f20cdba11e6..f8b05d7fc78 100644
--- a/queue-4.3/series
+++ b/queue-4.3/series
@@ -1 +1,44 @@
 certs-add-.gitignore-to-stop-git-nagging-about.patch
+r8169-fix-kasan-reported-skb-use-after-free.patch
+af-unix-fix-use-after-free-with-concurrent-readers-while-splicing.patch
+af_unix-don-t-append-consumed-skbs-to-sk_receive_queue.patch
+af_unix-take-receive-queue-lock-while-appending-new-skb.patch
+unix-avoid-use-after-free-in-ep_remove_wait_queue.patch
+af-unix-passcred-support-for-sendpage.patch
+ipv6-avoid-creating-rtf_cache-from-a-rt-that-is-not-managed-by-fib6-tree.patch
+ipv6-check-expire-on-dst_nocache-route.patch
+ipv6-check-rt-dst.from-for-the-dst_nocache-route.patch
+revert-ipv6-ndisc-inherit-metadata-dst-when-creating-ndisc-requests.patch
+tools-net-use-include-uapi-with-__exported_headers__.patch
+packet-do-skb_probe_transport_header-when-we-actually-have-data.patch
+packet-always-probe-for-transport-header.patch
+packet-only-allow-extra-vlan-len-on-ethernet-devices.patch
+packet-infer-protocol-from-ethernet-header-if-unset.patch
+packet-fix-tpacket_snd-max-frame-len.patch
+sctp-translate-host-order-to-network-order-when-setting-a-hmacid.patch
+net-mlx5e-added-self-loopback-prevention.patch
+net-mlx4_core-fix-sleeping-while-holding-spinlock-at-rem_slave_counters.patch
+ip_tunnel-disable-preemption-when-updating-per-cpu-tstats.patch
+net-switchdev-fix-return-code-of-fdb_dump-stub.patch
+net-thunder-check-for-driver-data-in-nicvf_remove.patch
+snmp-remove-duplicate-outmcast-stat-increment.patch
+net-ip6_tunnel-fix-dst-leak.patch
+net-qmi_wwan-add-xs-stick-w100-2-from-4g-systems.patch
+tcp-md5-fix-lockdep-annotation.patch
+tcp-disable-fast-open-on-timeouts-after-handshake.patch
+tcp-fix-potential-huge-kmalloc-calls-in-tcp_repair.patch
+tcp-initialize-tp-copied_seq-in-case-of-cross-syn-connection.patch
+net-scm-fix-pax-detected-msg_controllen-overflow-in-scm_detach_fds.patch
+net-ipmr-fix-static-mfc-dev-leaks-on-table-destruction.patch
+net-ip6mr-fix-static-mfc-dev-leaks-on-table-destruction.patch
+vrf-fix-double-free-and-memory-corruption-on-register_netdevice-failure.patch
+broadcom-fix-phy_id_bcm5481-entry-in-the-id-table.patch
+tipc-fix-error-handling-of-expanding-buffer-headroom.patch
+ipv6-distinguish-frag-queues-by-device-for-multicast-and-link-local-packets.patch
+rds-fix-race-condition-when-sending-a-message-on-unbound-socket.patch
+bpf-array-fix-heap-out-of-bounds-access-when-updating-elements.patch
+ipv6-add-complete-rcu-protection-around-np-opt.patch
+net-neighbour-fix-crash-at-dumping-device-agnostic-proxy-entries.patch
+ipv6-sctp-implement-sctp_v6_destroy_sock.patch
+openvswitch-fix-hangup-on-vxlan-gre-geneve-device-deletion.patch
+net_sched-fix-qdisc_tree_decrease_qlen-races.patch