From: Greg Kroah-Hartman Date: Fri, 27 Apr 2018 11:24:57 +0000 (+0200) Subject: 4.9-stable patches X-Git-Tag: v3.18.107~11 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=3a90584e42d9ad6829bd34fb1560e44c74f3bbe9;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: bonding-do-not-set-slave_dev-npinfo-before-slave_enable_netpoll-in-bond_enslave.patch ipv6-add-rta_table-and-rta_prefsrc-to-rtm_ipv6_policy.patch keys-dns-limit-the-length-of-option-strings.patch l2tp-check-sockaddr-length-in-pppol2tp_connect.patch llc-delete-timers-synchronously-in-llc_sk_free.patch llc-fix-null-pointer-deref-for-sock_zapped.patch llc-hold-llc_sap-before-release_sock.patch net-af_packet-fix-race-in-packet_-r-t-x_ring.patch net-ethernet-ti-cpsw-fix-tx-vlan-priority-mapping.patch net-fix-deadlock-while-clearing-neighbor-proxy-table.patch net-sched-ife-signal-not-finding-metaid.patch net-validate-attribute-sizes-in-neigh_dump_table.patch packet-fix-bitfield-update-race.patch pppoe-check-sockaddr-length-in-pppoe_connect.patch sctp-do-not-check-port-in-sctp_inet6_cmp_addr.patch strparser-fix-incorrect-strp-need_bytes-value.patch tcp-don-t-read-out-of-bounds-opsize.patch tcp-md5-reject-tcp_md5sig-or-tcp_md5sig_ext-on-established-sockets.patch team-avoid-adding-twice-the-same-option-to-the-event-list.patch team-fix-netconsole-setup-over-team.patch tipc-add-policy-for-tipc_nla_net_addr.patch vlan-fix-reading-memory-beyond-skb-tail-in-skb_vlan_tagged_multi.patch --- diff --git a/queue-4.9/bonding-do-not-set-slave_dev-npinfo-before-slave_enable_netpoll-in-bond_enslave.patch b/queue-4.9/bonding-do-not-set-slave_dev-npinfo-before-slave_enable_netpoll-in-bond_enslave.patch new file mode 100644 index 00000000000..c4d9e3269a7 --- /dev/null +++ b/queue-4.9/bonding-do-not-set-slave_dev-npinfo-before-slave_enable_netpoll-in-bond_enslave.patch @@ -0,0 +1,55 @@ +From foo@baz Fri Apr 27 12:23:41 CEST 2018 +From: Xin Long +Date: Sun, 22 Apr 2018 19:11:50 +0800 +Subject: bonding: do not set slave_dev npinfo before slave_enable_netpoll in bond_enslave + +From: Xin Long + + +[ Upstream commit ddea788c63094f7c483783265563dd5b50052e28 ] + +After Commit 8a8efa22f51b ("bonding: sync netpoll code with bridge"), it +would set slave_dev npinfo in slave_enable_netpoll when enslaving a dev +if bond->dev->npinfo was set. + +However now slave_dev npinfo is set with bond->dev->npinfo before calling +slave_enable_netpoll. With slave_dev npinfo set, __netpoll_setup called +in slave_enable_netpoll will not call slave dev's .ndo_netpoll_setup(). +It causes that the lower dev of this slave dev can't set its npinfo. + +One way to reproduce it: + + # modprobe bonding + # brctl addbr br0 + # brctl addif br0 eth1 + # ifconfig bond0 192.168.122.1/24 up + # ifenslave bond0 eth2 + # systemctl restart netconsole + # ifenslave bond0 br0 + # ifconfig eth2 down + # systemctl restart netconsole + +The netpoll won't really work. + +This patch is to remove that slave_dev npinfo setting in bond_enslave(). + +Fixes: 8a8efa22f51b ("bonding: sync netpoll code with bridge") +Signed-off-by: Xin Long +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/bonding/bond_main.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -1654,8 +1654,7 @@ int bond_enslave(struct net_device *bond + } /* switch(bond_mode) */ + + #ifdef CONFIG_NET_POLL_CONTROLLER +- slave_dev->npinfo = bond->dev->npinfo; +- if (slave_dev->npinfo) { ++ if (bond->dev->npinfo) { + if (slave_enable_netpoll(new_slave)) { + netdev_info(bond_dev, "master_dev is using netpoll, but new slave device does not support netpoll\n"); + res = -EBUSY; diff --git a/queue-4.9/ipv6-add-rta_table-and-rta_prefsrc-to-rtm_ipv6_policy.patch b/queue-4.9/ipv6-add-rta_table-and-rta_prefsrc-to-rtm_ipv6_policy.patch new file mode 100644 index 00000000000..2fc799a6730 --- /dev/null +++ b/queue-4.9/ipv6-add-rta_table-and-rta_prefsrc-to-rtm_ipv6_policy.patch @@ -0,0 +1,44 @@ +From foo@baz Fri Apr 27 12:23:41 CEST 2018 +From: Eric Dumazet +Date: Sun, 22 Apr 2018 18:29:23 -0700 +Subject: ipv6: add RTA_TABLE and RTA_PREFSRC to rtm_ipv6_policy + +From: Eric Dumazet + + +[ Upstream commit aa8f8778493c85fff480cdf8b349b1e1dcb5f243 ] + +KMSAN reported use of uninit-value that I tracked to lack +of proper size check on RTA_TABLE attribute. + +I also believe RTA_PREFSRC lacks a similar check. + +Fixes: 86872cb57925 ("[IPv6] route: FIB6 configuration using struct fib6_config") +Fixes: c3968a857a6b ("ipv6: RTA_PREFSRC support for ipv6 route source address selection") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Acked-by: David Ahern +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/route.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/net/ipv6/route.c ++++ b/net/ipv6/route.c +@@ -2811,6 +2811,7 @@ void rt6_mtu_change(struct net_device *d + + static const struct nla_policy rtm_ipv6_policy[RTA_MAX+1] = { + [RTA_GATEWAY] = { .len = sizeof(struct in6_addr) }, ++ [RTA_PREFSRC] = { .len = sizeof(struct in6_addr) }, + [RTA_OIF] = { .type = NLA_U32 }, + [RTA_IIF] = { .type = NLA_U32 }, + [RTA_PRIORITY] = { .type = NLA_U32 }, +@@ -2820,6 +2821,7 @@ static const struct nla_policy rtm_ipv6_ + [RTA_ENCAP_TYPE] = { .type = NLA_U16 }, + [RTA_ENCAP] = { .type = NLA_NESTED }, + [RTA_EXPIRES] = { .type = NLA_U32 }, ++ [RTA_TABLE] = { .type = NLA_U32 }, + }; + + static int rtm_to_fib6_config(struct sk_buff *skb, struct nlmsghdr *nlh, diff --git a/queue-4.9/keys-dns-limit-the-length-of-option-strings.patch b/queue-4.9/keys-dns-limit-the-length-of-option-strings.patch new file mode 100644 index 00000000000..9fb0ed86452 --- /dev/null +++ b/queue-4.9/keys-dns-limit-the-length-of-option-strings.patch @@ -0,0 +1,76 @@ +From foo@baz Fri Apr 27 12:23:41 CEST 2018 +From: Eric Biggers +Date: Tue, 17 Apr 2018 12:07:06 -0700 +Subject: KEYS: DNS: limit the length of option strings + +From: Eric Biggers + + +[ Upstream commit 9c438d7a3a52dcc2b9ed095cb87d3a5e83cf7e60 ] + +Adding a dns_resolver key whose payload contains a very long option name +resulted in that string being printed in full. This hit the WARN_ONCE() +in set_precision() during the printk(), because printk() only supports a +precision of up to 32767 bytes: + + precision 1000000 too large + WARNING: CPU: 0 PID: 752 at lib/vsprintf.c:2189 vsnprintf+0x4bc/0x5b0 + +Fix it by limiting option strings (combined name + value) to a much more +reasonable 128 bytes. The exact limit is arbitrary, but currently the +only recognized option is formatted as "dnserror=%lu" which fits well +within this limit. + +Also ratelimit the printks. + +Reproducer: + + perl -e 'print "#", "A" x 1000000, "\x00"' | keyctl padd dns_resolver desc @s + +This bug was found using syzkaller. + +Reported-by: Mark Rutland +Fixes: 4a2d789267e0 ("DNS: If the DNS server returns an error, allow that to be cached [ver #2]") +Signed-off-by: Eric Biggers +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/dns_resolver/dns_key.c | 13 ++++++------- + 1 file changed, 6 insertions(+), 7 deletions(-) + +--- a/net/dns_resolver/dns_key.c ++++ b/net/dns_resolver/dns_key.c +@@ -25,6 +25,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -91,9 +92,9 @@ dns_resolver_preparse(struct key_prepars + + next_opt = memchr(opt, '#', end - opt) ?: end; + opt_len = next_opt - opt; +- if (!opt_len) { +- printk(KERN_WARNING +- "Empty option to dns_resolver key\n"); ++ if (opt_len <= 0 || opt_len > 128) { ++ pr_warn_ratelimited("Invalid option length (%d) for dns_resolver key\n", ++ opt_len); + return -EINVAL; + } + +@@ -127,10 +128,8 @@ dns_resolver_preparse(struct key_prepars + } + + bad_option_value: +- printk(KERN_WARNING +- "Option '%*.*s' to dns_resolver key:" +- " bad/missing value\n", +- opt_nlen, opt_nlen, opt); ++ pr_warn_ratelimited("Option '%*.*s' to dns_resolver key: bad/missing value\n", ++ opt_nlen, opt_nlen, opt); + return -EINVAL; + } while (opt = next_opt + 1, opt < end); + } diff --git a/queue-4.9/l2tp-check-sockaddr-length-in-pppol2tp_connect.patch b/queue-4.9/l2tp-check-sockaddr-length-in-pppol2tp_connect.patch new file mode 100644 index 00000000000..be0a1c7963e --- /dev/null +++ b/queue-4.9/l2tp-check-sockaddr-length-in-pppol2tp_connect.patch @@ -0,0 +1,38 @@ +From foo@baz Fri Apr 27 12:23:41 CEST 2018 +From: Guillaume Nault +Date: Mon, 23 Apr 2018 16:15:14 +0200 +Subject: l2tp: check sockaddr length in pppol2tp_connect() + +From: Guillaume Nault + + +[ Upstream commit eb1c28c05894a4b1f6b56c5bf072205e64cfa280 ] + +Check sockaddr_len before dereferencing sp->sa_protocol, to ensure that +it actually points to valid data. + +Fixes: fd558d186df2 ("l2tp: Split pppol2tp patch into separate l2tp and ppp parts") +Reported-by: syzbot+a70ac890b23b1bf29f5c@syzkaller.appspotmail.com +Signed-off-by: Guillaume Nault +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/l2tp/l2tp_ppp.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/net/l2tp/l2tp_ppp.c ++++ b/net/l2tp/l2tp_ppp.c +@@ -590,6 +590,13 @@ static int pppol2tp_connect(struct socke + lock_sock(sk); + + error = -EINVAL; ++ ++ if (sockaddr_len != sizeof(struct sockaddr_pppol2tp) && ++ sockaddr_len != sizeof(struct sockaddr_pppol2tpv3) && ++ sockaddr_len != sizeof(struct sockaddr_pppol2tpin6) && ++ sockaddr_len != sizeof(struct sockaddr_pppol2tpv3in6)) ++ goto end; ++ + if (sp->sa_protocol != PX_PROTO_OL2TP) + goto end; + diff --git a/queue-4.9/llc-delete-timers-synchronously-in-llc_sk_free.patch b/queue-4.9/llc-delete-timers-synchronously-in-llc_sk_free.patch new file mode 100644 index 00000000000..9de70ed3b88 --- /dev/null +++ b/queue-4.9/llc-delete-timers-synchronously-in-llc_sk_free.patch @@ -0,0 +1,98 @@ +From foo@baz Fri Apr 27 12:23:41 CEST 2018 +From: Cong Wang +Date: Thu, 19 Apr 2018 12:25:38 -0700 +Subject: llc: delete timers synchronously in llc_sk_free() + +From: Cong Wang + + +[ Upstream commit b905ef9ab90115d001c1658259af4b1c65088779 ] + +The connection timers of an llc sock could be still flying +after we delete them in llc_sk_free(), and even possibly +after we free the sock. We could just wait synchronously +here in case of troubles. + +Note, I leave other call paths as they are, since they may +not have to wait, at least we can change them to synchronously +when needed. + +Also, move the code to net/llc/llc_conn.c, which is apparently +a better place. + +Reported-by: +Signed-off-by: Cong Wang +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/net/llc_conn.h | 1 + + net/llc/llc_c_ac.c | 9 +-------- + net/llc/llc_conn.c | 22 +++++++++++++++++++++- + 3 files changed, 23 insertions(+), 9 deletions(-) + +--- a/include/net/llc_conn.h ++++ b/include/net/llc_conn.h +@@ -97,6 +97,7 @@ static __inline__ char llc_backlog_type( + + struct sock *llc_sk_alloc(struct net *net, int family, gfp_t priority, + struct proto *prot, int kern); ++void llc_sk_stop_all_timers(struct sock *sk, bool sync); + void llc_sk_free(struct sock *sk); + + void llc_sk_reset(struct sock *sk); +--- a/net/llc/llc_c_ac.c ++++ b/net/llc/llc_c_ac.c +@@ -1096,14 +1096,7 @@ int llc_conn_ac_inc_tx_win_size(struct s + + int llc_conn_ac_stop_all_timers(struct sock *sk, struct sk_buff *skb) + { +- struct llc_sock *llc = llc_sk(sk); +- +- del_timer(&llc->pf_cycle_timer.timer); +- del_timer(&llc->ack_timer.timer); +- del_timer(&llc->rej_sent_timer.timer); +- del_timer(&llc->busy_state_timer.timer); +- llc->ack_must_be_send = 0; +- llc->ack_pf = 0; ++ llc_sk_stop_all_timers(sk, false); + return 0; + } + +--- a/net/llc/llc_conn.c ++++ b/net/llc/llc_conn.c +@@ -951,6 +951,26 @@ out: + return sk; + } + ++void llc_sk_stop_all_timers(struct sock *sk, bool sync) ++{ ++ struct llc_sock *llc = llc_sk(sk); ++ ++ if (sync) { ++ del_timer_sync(&llc->pf_cycle_timer.timer); ++ del_timer_sync(&llc->ack_timer.timer); ++ del_timer_sync(&llc->rej_sent_timer.timer); ++ del_timer_sync(&llc->busy_state_timer.timer); ++ } else { ++ del_timer(&llc->pf_cycle_timer.timer); ++ del_timer(&llc->ack_timer.timer); ++ del_timer(&llc->rej_sent_timer.timer); ++ del_timer(&llc->busy_state_timer.timer); ++ } ++ ++ llc->ack_must_be_send = 0; ++ llc->ack_pf = 0; ++} ++ + /** + * llc_sk_free - Frees a LLC socket + * @sk - socket to free +@@ -963,7 +983,7 @@ void llc_sk_free(struct sock *sk) + + llc->state = LLC_CONN_OUT_OF_SVC; + /* Stop all (possibly) running timers */ +- llc_conn_ac_stop_all_timers(sk, NULL); ++ llc_sk_stop_all_timers(sk, true); + #ifdef DEBUG_LLC_CONN_ALLOC + printk(KERN_INFO "%s: unackq=%d, txq=%d\n", __func__, + skb_queue_len(&llc->pdu_unack_q), diff --git a/queue-4.9/llc-fix-null-pointer-deref-for-sock_zapped.patch b/queue-4.9/llc-fix-null-pointer-deref-for-sock_zapped.patch new file mode 100644 index 00000000000..02f5f016cf5 --- /dev/null +++ b/queue-4.9/llc-fix-null-pointer-deref-for-sock_zapped.patch @@ -0,0 +1,60 @@ +From foo@baz Fri Apr 27 12:23:41 CEST 2018 +From: Cong Wang +Date: Thu, 19 Apr 2018 21:54:34 -0700 +Subject: llc: fix NULL pointer deref for SOCK_ZAPPED + +From: Cong Wang + + +[ Upstream commit 3a04ce7130a7e5dad4e78d45d50313747f8c830f ] + +For SOCK_ZAPPED socket, we don't need to care about llc->sap, +so we should just skip these refcount functions in this case. + +Fixes: f7e43672683b ("llc: hold llc_sap before release_sock()") +Reported-by: kernel test robot +Signed-off-by: Cong Wang +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/llc/af_llc.c | 21 ++++++++++++--------- + 1 file changed, 12 insertions(+), 9 deletions(-) + +--- a/net/llc/af_llc.c ++++ b/net/llc/af_llc.c +@@ -187,7 +187,6 @@ static int llc_ui_release(struct socket + { + struct sock *sk = sock->sk; + struct llc_sock *llc; +- struct llc_sap *sap; + + if (unlikely(sk == NULL)) + goto out; +@@ -198,15 +197,19 @@ static int llc_ui_release(struct socket + llc->laddr.lsap, llc->daddr.lsap); + if (!llc_send_disc(sk)) + llc_ui_wait_for_disc(sk, sk->sk_rcvtimeo); +- sap = llc->sap; +- /* Hold this for release_sock(), so that llc_backlog_rcv() could still +- * use it. +- */ +- llc_sap_hold(sap); +- if (!sock_flag(sk, SOCK_ZAPPED)) ++ if (!sock_flag(sk, SOCK_ZAPPED)) { ++ struct llc_sap *sap = llc->sap; ++ ++ /* Hold this for release_sock(), so that llc_backlog_rcv() ++ * could still use it. ++ */ ++ llc_sap_hold(sap); + llc_sap_remove_socket(llc->sap, sk); +- release_sock(sk); +- llc_sap_put(sap); ++ release_sock(sk); ++ llc_sap_put(sap); ++ } else { ++ release_sock(sk); ++ } + if (llc->dev) + dev_put(llc->dev); + sock_put(sk); diff --git a/queue-4.9/llc-hold-llc_sap-before-release_sock.patch b/queue-4.9/llc-hold-llc_sap-before-release_sock.patch new file mode 100644 index 00000000000..4642c5fc313 --- /dev/null +++ b/queue-4.9/llc-hold-llc_sap-before-release_sock.patch @@ -0,0 +1,68 @@ +From foo@baz Fri Apr 27 12:23:41 CEST 2018 +From: Cong Wang +Date: Wed, 18 Apr 2018 11:51:56 -0700 +Subject: llc: hold llc_sap before release_sock() + +From: Cong Wang + + +[ Upstream commit f7e43672683b097bb074a8fe7af9bc600a23f231 ] + +syzbot reported we still access llc->sap in llc_backlog_rcv() +after it is freed in llc_sap_remove_socket(): + +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0x1b9/0x294 lib/dump_stack.c:113 + print_address_description+0x6c/0x20b mm/kasan/report.c:256 + kasan_report_error mm/kasan/report.c:354 [inline] + kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412 + __asan_report_load1_noabort+0x14/0x20 mm/kasan/report.c:430 + llc_conn_ac_send_sabme_cmd_p_set_x+0x3a8/0x460 net/llc/llc_c_ac.c:785 + llc_exec_conn_trans_actions net/llc/llc_conn.c:475 [inline] + llc_conn_service net/llc/llc_conn.c:400 [inline] + llc_conn_state_process+0x4e1/0x13a0 net/llc/llc_conn.c:75 + llc_backlog_rcv+0x195/0x1e0 net/llc/llc_conn.c:891 + sk_backlog_rcv include/net/sock.h:909 [inline] + __release_sock+0x12f/0x3a0 net/core/sock.c:2335 + release_sock+0xa4/0x2b0 net/core/sock.c:2850 + llc_ui_release+0xc8/0x220 net/llc/af_llc.c:204 + +llc->sap is refcount'ed and llc_sap_remove_socket() is paired +with llc_sap_add_socket(). This can be amended by holding its refcount +before llc_sap_remove_socket() and releasing it after release_sock(). + +Reported-by: +Signed-off-by: Cong Wang +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/llc/af_llc.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/net/llc/af_llc.c ++++ b/net/llc/af_llc.c +@@ -187,6 +187,7 @@ static int llc_ui_release(struct socket + { + struct sock *sk = sock->sk; + struct llc_sock *llc; ++ struct llc_sap *sap; + + if (unlikely(sk == NULL)) + goto out; +@@ -197,9 +198,15 @@ static int llc_ui_release(struct socket + llc->laddr.lsap, llc->daddr.lsap); + if (!llc_send_disc(sk)) + llc_ui_wait_for_disc(sk, sk->sk_rcvtimeo); ++ sap = llc->sap; ++ /* Hold this for release_sock(), so that llc_backlog_rcv() could still ++ * use it. ++ */ ++ llc_sap_hold(sap); + if (!sock_flag(sk, SOCK_ZAPPED)) + llc_sap_remove_socket(llc->sap, sk); + release_sock(sk); ++ llc_sap_put(sap); + if (llc->dev) + dev_put(llc->dev); + sock_put(sk); diff --git a/queue-4.9/net-af_packet-fix-race-in-packet_-r-t-x_ring.patch b/queue-4.9/net-af_packet-fix-race-in-packet_-r-t-x_ring.patch new file mode 100644 index 00000000000..26af195fc96 --- /dev/null +++ b/queue-4.9/net-af_packet-fix-race-in-packet_-r-t-x_ring.patch @@ -0,0 +1,120 @@ +From foo@baz Fri Apr 27 12:23:41 CEST 2018 +From: Eric Dumazet +Date: Sun, 15 Apr 2018 17:52:04 -0700 +Subject: net: af_packet: fix race in PACKET_{R|T}X_RING + +From: Eric Dumazet + + +[ Upstream commit 5171b37d959641bbc619781caf62e61f7b940871 ] + +In order to remove the race caught by syzbot [1], we need +to lock the socket before using po->tp_version as this could +change under us otherwise. + +This means lock_sock() and release_sock() must be done by +packet_set_ring() callers. + +[1] : +BUG: KMSAN: uninit-value in packet_set_ring+0x1254/0x3870 net/packet/af_packet.c:4249 +CPU: 0 PID: 20195 Comm: syzkaller707632 Not tainted 4.16.0+ #83 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:17 [inline] + dump_stack+0x185/0x1d0 lib/dump_stack.c:53 + kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067 + __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:676 + packet_set_ring+0x1254/0x3870 net/packet/af_packet.c:4249 + packet_setsockopt+0x12c6/0x5a90 net/packet/af_packet.c:3662 + SYSC_setsockopt+0x4b8/0x570 net/socket.c:1849 + SyS_setsockopt+0x76/0xa0 net/socket.c:1828 + do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287 + entry_SYSCALL_64_after_hwframe+0x3d/0xa2 +RIP: 0033:0x449099 +RSP: 002b:00007f42b5307ce8 EFLAGS: 00000246 ORIG_RAX: 0000000000000036 +RAX: ffffffffffffffda RBX: 000000000070003c RCX: 0000000000449099 +RDX: 0000000000000005 RSI: 0000000000000107 RDI: 0000000000000003 +RBP: 0000000000700038 R08: 000000000000001c R09: 0000000000000000 +R10: 00000000200000c0 R11: 0000000000000246 R12: 0000000000000000 +R13: 000000000080eecf R14: 00007f42b53089c0 R15: 0000000000000001 + +Local variable description: ----req_u@packet_setsockopt +Variable was created at: + packet_setsockopt+0x13f/0x5a90 net/packet/af_packet.c:3612 + SYSC_setsockopt+0x4b8/0x570 net/socket.c:1849 + +Fixes: f6fb8f100b80 ("af-packet: TPACKET_V3 flexible buffer implementation.") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/packet/af_packet.c | 22 ++++++++++++++-------- + 1 file changed, 14 insertions(+), 8 deletions(-) + +--- a/net/packet/af_packet.c ++++ b/net/packet/af_packet.c +@@ -3024,6 +3024,7 @@ static int packet_release(struct socket + + packet_flush_mclist(sk); + ++ lock_sock(sk); + if (po->rx_ring.pg_vec) { + memset(&req_u, 0, sizeof(req_u)); + packet_set_ring(sk, &req_u, 1, 0); +@@ -3033,6 +3034,7 @@ static int packet_release(struct socket + memset(&req_u, 0, sizeof(req_u)); + packet_set_ring(sk, &req_u, 1, 1); + } ++ release_sock(sk); + + f = fanout_release(sk); + +@@ -3661,6 +3663,7 @@ packet_setsockopt(struct socket *sock, i + union tpacket_req_u req_u; + int len; + ++ lock_sock(sk); + switch (po->tp_version) { + case TPACKET_V1: + case TPACKET_V2: +@@ -3671,12 +3674,17 @@ packet_setsockopt(struct socket *sock, i + len = sizeof(req_u.req3); + break; + } +- if (optlen < len) +- return -EINVAL; +- if (copy_from_user(&req_u.req, optval, len)) +- return -EFAULT; +- return packet_set_ring(sk, &req_u, 0, +- optname == PACKET_TX_RING); ++ if (optlen < len) { ++ ret = -EINVAL; ++ } else { ++ if (copy_from_user(&req_u.req, optval, len)) ++ ret = -EFAULT; ++ else ++ ret = packet_set_ring(sk, &req_u, 0, ++ optname == PACKET_TX_RING); ++ } ++ release_sock(sk); ++ return ret; + } + case PACKET_COPY_THRESH: + { +@@ -4247,7 +4255,6 @@ static int packet_set_ring(struct sock * + /* Added to avoid minimal code churn */ + struct tpacket_req *req = &req_u->req; + +- lock_sock(sk); + /* Opening a Tx-ring is NOT supported in TPACKET_V3 */ + if (!closing && tx_ring && (po->tp_version > TPACKET_V2)) { + net_warn_ratelimited("Tx-ring is not supported.\n"); +@@ -4383,7 +4390,6 @@ static int packet_set_ring(struct sock * + if (pg_vec) + free_pg_vec(pg_vec, order, req->tp_block_nr); + out: +- release_sock(sk); + return err; + } + diff --git a/queue-4.9/net-ethernet-ti-cpsw-fix-tx-vlan-priority-mapping.patch b/queue-4.9/net-ethernet-ti-cpsw-fix-tx-vlan-priority-mapping.patch new file mode 100644 index 00000000000..fb9b8b8256d --- /dev/null +++ b/queue-4.9/net-ethernet-ti-cpsw-fix-tx-vlan-priority-mapping.patch @@ -0,0 +1,35 @@ +From foo@baz Fri Apr 27 12:23:41 CEST 2018 +From: Ivan Khoronzhuk +Date: Thu, 19 Apr 2018 22:49:09 +0300 +Subject: net: ethernet: ti: cpsw: fix tx vlan priority mapping + +From: Ivan Khoronzhuk + + +[ Upstream commit 5e391dc5a8d801a2410d0032ad4a428d1d61800c ] + +The CPDMA_TX_PRIORITY_MAP in real is vlan pcp field priority mapping +register and basically replaces vlan pcp field for tagged packets. +So, set it to be 1:1 mapping. Otherwise, it will cause unexpected +change of egress vlan tagged packets, like prio 2 -> prio 5. + +Fixes: e05107e6b747 ("net: ethernet: ti: cpsw: add multi queue support") +Reviewed-by: Grygorii Strashko +Signed-off-by: Ivan Khoronzhuk +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/ti/cpsw.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/ti/cpsw.c ++++ b/drivers/net/ethernet/ti/cpsw.c +@@ -124,7 +124,7 @@ do { \ + + #define RX_PRIORITY_MAPPING 0x76543210 + #define TX_PRIORITY_MAPPING 0x33221100 +-#define CPDMA_TX_PRIORITY_MAP 0x01234567 ++#define CPDMA_TX_PRIORITY_MAP 0x76543210 + + #define CPSW_VLAN_AWARE BIT(1) + #define CPSW_ALE_VLAN_AWARE 1 diff --git a/queue-4.9/net-fix-deadlock-while-clearing-neighbor-proxy-table.patch b/queue-4.9/net-fix-deadlock-while-clearing-neighbor-proxy-table.patch new file mode 100644 index 00000000000..cf4bfdcb97d --- /dev/null +++ b/queue-4.9/net-fix-deadlock-while-clearing-neighbor-proxy-table.patch @@ -0,0 +1,97 @@ +From foo@baz Fri Apr 27 12:23:41 CEST 2018 +From: Wolfgang Bumiller +Date: Thu, 12 Apr 2018 10:46:55 +0200 +Subject: net: fix deadlock while clearing neighbor proxy table + +From: Wolfgang Bumiller + + +[ Upstream commit 53b76cdf7e8fecec1d09e38aad2f8579882591a8 ] + +When coming from ndisc_netdev_event() in net/ipv6/ndisc.c, +neigh_ifdown() is called with &nd_tbl, locking this while +clearing the proxy neighbor entries when eg. deleting an +interface. Calling the table's pndisc_destructor() with the +lock still held, however, can cause a deadlock: When a +multicast listener is available an IGMP packet of type +ICMPV6_MGM_REDUCTION may be sent out. When reaching +ip6_finish_output2(), if no neighbor entry for the target +address is found, __neigh_create() is called with &nd_tbl, +which it'll want to lock. + +Move the elements into their own list, then unlock the table +and perform the destruction. + +Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=199289 +Fixes: 6fd6ce2056de ("ipv6: Do not depend on rt->n in ip6_finish_output2().") +Signed-off-by: Wolfgang Bumiller +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/core/neighbour.c | 28 ++++++++++++++++++---------- + 1 file changed, 18 insertions(+), 10 deletions(-) + +--- a/net/core/neighbour.c ++++ b/net/core/neighbour.c +@@ -54,7 +54,8 @@ do { \ + static void neigh_timer_handler(unsigned long arg); + static void __neigh_notify(struct neighbour *n, int type, int flags); + static void neigh_update_notify(struct neighbour *neigh); +-static int pneigh_ifdown(struct neigh_table *tbl, struct net_device *dev); ++static int pneigh_ifdown_and_unlock(struct neigh_table *tbl, ++ struct net_device *dev); + + #ifdef CONFIG_PROC_FS + static const struct file_operations neigh_stat_seq_fops; +@@ -254,8 +255,7 @@ int neigh_ifdown(struct neigh_table *tbl + { + write_lock_bh(&tbl->lock); + neigh_flush_dev(tbl, dev); +- pneigh_ifdown(tbl, dev); +- write_unlock_bh(&tbl->lock); ++ pneigh_ifdown_and_unlock(tbl, dev); + + del_timer_sync(&tbl->proxy_timer); + pneigh_queue_purge(&tbl->proxy_queue); +@@ -645,9 +645,10 @@ int pneigh_delete(struct neigh_table *tb + return -ENOENT; + } + +-static int pneigh_ifdown(struct neigh_table *tbl, struct net_device *dev) ++static int pneigh_ifdown_and_unlock(struct neigh_table *tbl, ++ struct net_device *dev) + { +- struct pneigh_entry *n, **np; ++ struct pneigh_entry *n, **np, *freelist = NULL; + u32 h; + + for (h = 0; h <= PNEIGH_HASHMASK; h++) { +@@ -655,16 +656,23 @@ static int pneigh_ifdown(struct neigh_ta + while ((n = *np) != NULL) { + if (!dev || n->dev == dev) { + *np = n->next; +- if (tbl->pdestructor) +- tbl->pdestructor(n); +- if (n->dev) +- dev_put(n->dev); +- kfree(n); ++ n->next = freelist; ++ freelist = n; + continue; + } + np = &n->next; + } + } ++ write_unlock_bh(&tbl->lock); ++ while ((n = freelist)) { ++ freelist = n->next; ++ n->next = NULL; ++ if (tbl->pdestructor) ++ tbl->pdestructor(n); ++ if (n->dev) ++ dev_put(n->dev); ++ kfree(n); ++ } + return -ENOENT; + } + diff --git a/queue-4.9/net-sched-ife-signal-not-finding-metaid.patch b/queue-4.9/net-sched-ife-signal-not-finding-metaid.patch new file mode 100644 index 00000000000..7788772fa1a --- /dev/null +++ b/queue-4.9/net-sched-ife-signal-not-finding-metaid.patch @@ -0,0 +1,33 @@ +From foo@baz Fri Apr 27 12:23:41 CEST 2018 +From: Alexander Aring +Date: Fri, 20 Apr 2018 15:15:03 -0400 +Subject: net: sched: ife: signal not finding metaid + +From: Alexander Aring + + +[ Upstream commit f6cd14537ff9919081be19b9c53b9b19c0d3ea97 ] + +We need to record stats for received metadata that we dont know how +to process. Have find_decode_metaid() return -ENOENT to capture this. + +Signed-off-by: Alexander Aring +Reviewed-by: Yotam Gigi +Acked-by: Jamal Hadi Salim +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/sched/act_ife.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/sched/act_ife.c ++++ b/net/sched/act_ife.c +@@ -634,7 +634,7 @@ int find_decode_metaid(struct sk_buff *s + } + } + +- return 0; ++ return -ENOENT; + } + + struct ifeheadr { diff --git a/queue-4.9/net-validate-attribute-sizes-in-neigh_dump_table.patch b/queue-4.9/net-validate-attribute-sizes-in-neigh_dump_table.patch new file mode 100644 index 00000000000..3727118b6a4 --- /dev/null +++ b/queue-4.9/net-validate-attribute-sizes-in-neigh_dump_table.patch @@ -0,0 +1,109 @@ +From foo@baz Fri Apr 27 12:23:41 CEST 2018 +From: Eric Dumazet +Date: Wed, 11 Apr 2018 14:46:00 -0700 +Subject: net: validate attribute sizes in neigh_dump_table() + +From: Eric Dumazet + + +[ Upstream commit 7dd07c143a4b54d050e748bee4b4b9e94a7b1744 ] + +Since neigh_dump_table() calls nlmsg_parse() without giving policy +constraints, attributes can have arbirary size that we must validate + +Reported by syzbot/KMSAN : + +BUG: KMSAN: uninit-value in neigh_master_filtered net/core/neighbour.c:2292 [inline] +BUG: KMSAN: uninit-value in neigh_dump_table net/core/neighbour.c:2348 [inline] +BUG: KMSAN: uninit-value in neigh_dump_info+0x1af0/0x2250 net/core/neighbour.c:2438 +CPU: 1 PID: 3575 Comm: syzkaller268891 Not tainted 4.16.0+ #83 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:17 [inline] + dump_stack+0x185/0x1d0 lib/dump_stack.c:53 + kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067 + __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:676 + neigh_master_filtered net/core/neighbour.c:2292 [inline] + neigh_dump_table net/core/neighbour.c:2348 [inline] + neigh_dump_info+0x1af0/0x2250 net/core/neighbour.c:2438 + netlink_dump+0x9ad/0x1540 net/netlink/af_netlink.c:2225 + __netlink_dump_start+0x1167/0x12a0 net/netlink/af_netlink.c:2322 + netlink_dump_start include/linux/netlink.h:214 [inline] + rtnetlink_rcv_msg+0x1435/0x1560 net/core/rtnetlink.c:4598 + netlink_rcv_skb+0x355/0x5f0 net/netlink/af_netlink.c:2447 + rtnetlink_rcv+0x50/0x60 net/core/rtnetlink.c:4653 + netlink_unicast_kernel net/netlink/af_netlink.c:1311 [inline] + netlink_unicast+0x1672/0x1750 net/netlink/af_netlink.c:1337 + netlink_sendmsg+0x1048/0x1310 net/netlink/af_netlink.c:1900 + sock_sendmsg_nosec net/socket.c:630 [inline] + sock_sendmsg net/socket.c:640 [inline] + ___sys_sendmsg+0xec0/0x1310 net/socket.c:2046 + __sys_sendmsg net/socket.c:2080 [inline] + SYSC_sendmsg+0x2a3/0x3d0 net/socket.c:2091 + SyS_sendmsg+0x54/0x80 net/socket.c:2087 + do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287 + entry_SYSCALL_64_after_hwframe+0x3d/0xa2 +RIP: 0033:0x43fed9 +RSP: 002b:00007ffddbee2798 EFLAGS: 00000213 ORIG_RAX: 000000000000002e +RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fed9 +RDX: 0000000000000000 RSI: 0000000020005000 RDI: 0000000000000003 +RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8 +R10: 00000000004002c8 R11: 0000000000000213 R12: 0000000000401800 +R13: 0000000000401890 R14: 0000000000000000 R15: 0000000000000000 + +Uninit was created at: + kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline] + kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:188 + kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:314 + kmsan_slab_alloc+0x11/0x20 mm/kmsan/kmsan.c:321 + slab_post_alloc_hook mm/slab.h:445 [inline] + slab_alloc_node mm/slub.c:2737 [inline] + __kmalloc_node_track_caller+0xaed/0x11c0 mm/slub.c:4369 + __kmalloc_reserve net/core/skbuff.c:138 [inline] + __alloc_skb+0x2cf/0x9f0 net/core/skbuff.c:206 + alloc_skb include/linux/skbuff.h:984 [inline] + netlink_alloc_large_skb net/netlink/af_netlink.c:1183 [inline] + netlink_sendmsg+0x9a6/0x1310 net/netlink/af_netlink.c:1875 + sock_sendmsg_nosec net/socket.c:630 [inline] + sock_sendmsg net/socket.c:640 [inline] + ___sys_sendmsg+0xec0/0x1310 net/socket.c:2046 + __sys_sendmsg net/socket.c:2080 [inline] + SYSC_sendmsg+0x2a3/0x3d0 net/socket.c:2091 + SyS_sendmsg+0x54/0x80 net/socket.c:2087 + do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287 + entry_SYSCALL_64_after_hwframe+0x3d/0xa2 + +Fixes: 21fdd092acc7 ("net: Add support for filtering neigh dump by master device") +Signed-off-by: Eric Dumazet +Cc: David Ahern +Reported-by: syzbot +Acked-by: David Ahern +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/core/neighbour.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +--- a/net/core/neighbour.c ++++ b/net/core/neighbour.c +@@ -2279,12 +2279,16 @@ static int neigh_dump_table(struct neigh + + err = nlmsg_parse(nlh, sizeof(struct ndmsg), tb, NDA_MAX, NULL); + if (!err) { +- if (tb[NDA_IFINDEX]) ++ if (tb[NDA_IFINDEX]) { ++ if (nla_len(tb[NDA_IFINDEX]) != sizeof(u32)) ++ return -EINVAL; + filter_idx = nla_get_u32(tb[NDA_IFINDEX]); +- +- if (tb[NDA_MASTER]) ++ } ++ if (tb[NDA_MASTER]) { ++ if (nla_len(tb[NDA_MASTER]) != sizeof(u32)) ++ return -EINVAL; + filter_master_idx = nla_get_u32(tb[NDA_MASTER]); +- ++ } + if (filter_idx || filter_master_idx) + flags |= NLM_F_DUMP_FILTERED; + } diff --git a/queue-4.9/packet-fix-bitfield-update-race.patch b/queue-4.9/packet-fix-bitfield-update-race.patch new file mode 100644 index 00000000000..ab320cc26bc --- /dev/null +++ b/queue-4.9/packet-fix-bitfield-update-race.patch @@ -0,0 +1,198 @@ +From foo@baz Fri Apr 27 12:23:41 CEST 2018 +From: Willem de Bruijn +Date: Mon, 23 Apr 2018 17:37:03 -0400 +Subject: packet: fix bitfield update race + +From: Willem de Bruijn + + +[ Upstream commit a6361f0ca4b25460f2cdf3235ebe8115f622901e ] + +Updates to the bitfields in struct packet_sock are not atomic. +Serialize these read-modify-write cycles. + +Move po->running into a separate variable. Its writes are protected by +po->bind_lock (except for one startup case at packet_create). Also +replace a textual precondition warning with lockdep annotation. + +All others are set only in packet_setsockopt. Serialize these +updates by holding the socket lock. Analogous to other field updates, +also hold the lock when testing whether a ring is active (pg_vec). + +Fixes: 8dc419447415 ("[PACKET]: Add optional checksum computation for recvmsg") +Reported-by: DaeRyong Jeong +Reported-by: Byoungyoung Lee +Signed-off-by: Willem de Bruijn +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/packet/af_packet.c | 60 +++++++++++++++++++++++++++++++++++-------------- + net/packet/internal.h | 10 ++++---- + 2 files changed, 49 insertions(+), 21 deletions(-) + +--- a/net/packet/af_packet.c ++++ b/net/packet/af_packet.c +@@ -333,11 +333,11 @@ static void packet_pick_tx_queue(struct + skb_set_queue_mapping(skb, queue_index); + } + +-/* register_prot_hook must be invoked with the po->bind_lock held, ++/* __register_prot_hook must be invoked through register_prot_hook + * or from a context in which asynchronous accesses to the packet + * socket is not possible (packet_create()). + */ +-static void register_prot_hook(struct sock *sk) ++static void __register_prot_hook(struct sock *sk) + { + struct packet_sock *po = pkt_sk(sk); + +@@ -352,8 +352,13 @@ static void register_prot_hook(struct so + } + } + +-/* {,__}unregister_prot_hook() must be invoked with the po->bind_lock +- * held. If the sync parameter is true, we will temporarily drop ++static void register_prot_hook(struct sock *sk) ++{ ++ lockdep_assert_held_once(&pkt_sk(sk)->bind_lock); ++ __register_prot_hook(sk); ++} ++ ++/* If the sync parameter is true, we will temporarily drop + * the po->bind_lock and do a synchronize_net to make sure no + * asynchronous packet processing paths still refer to the elements + * of po->prot_hook. If the sync parameter is false, it is the +@@ -363,6 +368,8 @@ static void __unregister_prot_hook(struc + { + struct packet_sock *po = pkt_sk(sk); + ++ lockdep_assert_held_once(&po->bind_lock); ++ + po->running = 0; + + if (po->fanout) +@@ -3259,7 +3266,7 @@ static int packet_create(struct net *net + + if (proto) { + po->prot_hook.type = proto; +- register_prot_hook(sk); ++ __register_prot_hook(sk); + } + + mutex_lock(&net->packet.sklist_lock); +@@ -3735,12 +3742,18 @@ packet_setsockopt(struct socket *sock, i + + if (optlen != sizeof(val)) + return -EINVAL; +- if (po->rx_ring.pg_vec || po->tx_ring.pg_vec) +- return -EBUSY; + if (copy_from_user(&val, optval, sizeof(val))) + return -EFAULT; +- po->tp_loss = !!val; +- return 0; ++ ++ lock_sock(sk); ++ if (po->rx_ring.pg_vec || po->tx_ring.pg_vec) { ++ ret = -EBUSY; ++ } else { ++ po->tp_loss = !!val; ++ ret = 0; ++ } ++ release_sock(sk); ++ return ret; + } + case PACKET_AUXDATA: + { +@@ -3751,7 +3764,9 @@ packet_setsockopt(struct socket *sock, i + if (copy_from_user(&val, optval, sizeof(val))) + return -EFAULT; + ++ lock_sock(sk); + po->auxdata = !!val; ++ release_sock(sk); + return 0; + } + case PACKET_ORIGDEV: +@@ -3763,7 +3778,9 @@ packet_setsockopt(struct socket *sock, i + if (copy_from_user(&val, optval, sizeof(val))) + return -EFAULT; + ++ lock_sock(sk); + po->origdev = !!val; ++ release_sock(sk); + return 0; + } + case PACKET_VNET_HDR: +@@ -3772,15 +3789,20 @@ packet_setsockopt(struct socket *sock, i + + if (sock->type != SOCK_RAW) + return -EINVAL; +- if (po->rx_ring.pg_vec || po->tx_ring.pg_vec) +- return -EBUSY; + if (optlen < sizeof(val)) + return -EINVAL; + if (copy_from_user(&val, optval, sizeof(val))) + return -EFAULT; + +- po->has_vnet_hdr = !!val; +- return 0; ++ lock_sock(sk); ++ if (po->rx_ring.pg_vec || po->tx_ring.pg_vec) { ++ ret = -EBUSY; ++ } else { ++ po->has_vnet_hdr = !!val; ++ ret = 0; ++ } ++ release_sock(sk); ++ return ret; + } + case PACKET_TIMESTAMP: + { +@@ -3818,11 +3840,17 @@ packet_setsockopt(struct socket *sock, i + + if (optlen != sizeof(val)) + return -EINVAL; +- if (po->rx_ring.pg_vec || po->tx_ring.pg_vec) +- return -EBUSY; + if (copy_from_user(&val, optval, sizeof(val))) + return -EFAULT; +- po->tp_tx_has_off = !!val; ++ ++ lock_sock(sk); ++ if (po->rx_ring.pg_vec || po->tx_ring.pg_vec) { ++ ret = -EBUSY; ++ } else { ++ po->tp_tx_has_off = !!val; ++ ret = 0; ++ } ++ release_sock(sk); + return 0; + } + case PACKET_QDISC_BYPASS: +--- a/net/packet/internal.h ++++ b/net/packet/internal.h +@@ -109,10 +109,12 @@ struct packet_sock { + int copy_thresh; + spinlock_t bind_lock; + struct mutex pg_vec_lock; +- unsigned int running:1, /* prot_hook is attached*/ +- auxdata:1, ++ unsigned int running; /* bind_lock must be held */ ++ unsigned int auxdata:1, /* writer must hold sock lock */ + origdev:1, +- has_vnet_hdr:1; ++ has_vnet_hdr:1, ++ tp_loss:1, ++ tp_tx_has_off:1; + int pressure; + int ifindex; /* bound device */ + __be16 num; +@@ -122,8 +124,6 @@ struct packet_sock { + enum tpacket_versions tp_version; + unsigned int tp_hdrlen; + unsigned int tp_reserve; +- unsigned int tp_loss:1; +- unsigned int tp_tx_has_off:1; + unsigned int tp_tstamp; + struct net_device __rcu *cached_dev; + int (*xmit)(struct sk_buff *skb); diff --git a/queue-4.9/pppoe-check-sockaddr-length-in-pppoe_connect.patch b/queue-4.9/pppoe-check-sockaddr-length-in-pppoe_connect.patch new file mode 100644 index 00000000000..69dd39c1a23 --- /dev/null +++ b/queue-4.9/pppoe-check-sockaddr-length-in-pppoe_connect.patch @@ -0,0 +1,35 @@ +From foo@baz Fri Apr 27 12:23:41 CEST 2018 +From: Guillaume Nault +Date: Mon, 23 Apr 2018 16:38:27 +0200 +Subject: pppoe: check sockaddr length in pppoe_connect() + +From: Guillaume Nault + + +[ Upstream commit a49e2f5d5fb141884452ddb428f551b123d436b5 ] + +We must validate sockaddr_len, otherwise userspace can pass fewer data +than we expect and we end up accessing invalid data. + +Fixes: 224cf5ad14c0 ("ppp: Move the PPP drivers") +Reported-by: syzbot+4f03bdf92fdf9ef5ddab@syzkaller.appspotmail.com +Signed-off-by: Guillaume Nault +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ppp/pppoe.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/net/ppp/pppoe.c ++++ b/drivers/net/ppp/pppoe.c +@@ -620,6 +620,10 @@ static int pppoe_connect(struct socket * + lock_sock(sk); + + error = -EINVAL; ++ ++ if (sockaddr_len != sizeof(struct sockaddr_pppox)) ++ goto end; ++ + if (sp->sa_protocol != PX_PROTO_OE) + goto end; + diff --git a/queue-4.9/sctp-do-not-check-port-in-sctp_inet6_cmp_addr.patch b/queue-4.9/sctp-do-not-check-port-in-sctp_inet6_cmp_addr.patch new file mode 100644 index 00000000000..0e336275aa1 --- /dev/null +++ b/queue-4.9/sctp-do-not-check-port-in-sctp_inet6_cmp_addr.patch @@ -0,0 +1,136 @@ +From foo@baz Fri Apr 27 12:23:41 CEST 2018 +From: Xin Long +Date: Thu, 12 Apr 2018 14:24:31 +0800 +Subject: sctp: do not check port in sctp_inet6_cmp_addr + +From: Xin Long + + +[ Upstream commit 1071ec9d453a38023579714b64a951a2fb982071 ] + +pf->cmp_addr() is called before binding a v6 address to the sock. It +should not check ports, like in sctp_inet_cmp_addr. + +But sctp_inet6_cmp_addr checks the addr by invoking af(6)->cmp_addr, +sctp_v6_cmp_addr where it also compares the ports. + +This would cause that setsockopt(SCTP_SOCKOPT_BINDX_ADD) could bind +multiple duplicated IPv6 addresses after Commit 40b4f0fd74e4 ("sctp: +lack the check for ports in sctp_v6_cmp_addr"). + +This patch is to remove af->cmp_addr called in sctp_inet6_cmp_addr, +but do the proper check for both v6 addrs and v4mapped addrs. + +v1->v2: + - define __sctp_v6_cmp_addr to do the common address comparison + used for both pf and af v6 cmp_addr. + +Fixes: 40b4f0fd74e4 ("sctp: lack the check for ports in sctp_v6_cmp_addr") +Reported-by: Jianwen Ji +Signed-off-by: Xin Long +Acked-by: Neil Horman +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/sctp/ipv6.c | 60 ++++++++++++++++++++++++++++---------------------------- + 1 file changed, 30 insertions(+), 30 deletions(-) + +--- a/net/sctp/ipv6.c ++++ b/net/sctp/ipv6.c +@@ -521,46 +521,49 @@ static void sctp_v6_to_addr(union sctp_a + addr->v6.sin6_scope_id = 0; + } + +-/* Compare addresses exactly. +- * v4-mapped-v6 is also in consideration. +- */ +-static int sctp_v6_cmp_addr(const union sctp_addr *addr1, +- const union sctp_addr *addr2) ++static int __sctp_v6_cmp_addr(const union sctp_addr *addr1, ++ const union sctp_addr *addr2) + { + if (addr1->sa.sa_family != addr2->sa.sa_family) { + if (addr1->sa.sa_family == AF_INET && + addr2->sa.sa_family == AF_INET6 && +- ipv6_addr_v4mapped(&addr2->v6.sin6_addr)) { +- if (addr2->v6.sin6_port == addr1->v4.sin_port && +- addr2->v6.sin6_addr.s6_addr32[3] == +- addr1->v4.sin_addr.s_addr) +- return 1; +- } ++ ipv6_addr_v4mapped(&addr2->v6.sin6_addr) && ++ addr2->v6.sin6_addr.s6_addr32[3] == ++ addr1->v4.sin_addr.s_addr) ++ return 1; ++ + if (addr2->sa.sa_family == AF_INET && + addr1->sa.sa_family == AF_INET6 && +- ipv6_addr_v4mapped(&addr1->v6.sin6_addr)) { +- if (addr1->v6.sin6_port == addr2->v4.sin_port && +- addr1->v6.sin6_addr.s6_addr32[3] == +- addr2->v4.sin_addr.s_addr) +- return 1; +- } ++ ipv6_addr_v4mapped(&addr1->v6.sin6_addr) && ++ addr1->v6.sin6_addr.s6_addr32[3] == ++ addr2->v4.sin_addr.s_addr) ++ return 1; ++ + return 0; + } +- if (addr1->v6.sin6_port != addr2->v6.sin6_port) +- return 0; ++ + if (!ipv6_addr_equal(&addr1->v6.sin6_addr, &addr2->v6.sin6_addr)) + return 0; ++ + /* If this is a linklocal address, compare the scope_id. */ +- if (ipv6_addr_type(&addr1->v6.sin6_addr) & IPV6_ADDR_LINKLOCAL) { +- if (addr1->v6.sin6_scope_id && addr2->v6.sin6_scope_id && +- (addr1->v6.sin6_scope_id != addr2->v6.sin6_scope_id)) { +- return 0; +- } +- } ++ if ((ipv6_addr_type(&addr1->v6.sin6_addr) & IPV6_ADDR_LINKLOCAL) && ++ addr1->v6.sin6_scope_id && addr2->v6.sin6_scope_id && ++ addr1->v6.sin6_scope_id != addr2->v6.sin6_scope_id) ++ return 0; + + return 1; + } + ++/* Compare addresses exactly. ++ * v4-mapped-v6 is also in consideration. ++ */ ++static int sctp_v6_cmp_addr(const union sctp_addr *addr1, ++ const union sctp_addr *addr2) ++{ ++ return __sctp_v6_cmp_addr(addr1, addr2) && ++ addr1->v6.sin6_port == addr2->v6.sin6_port; ++} ++ + /* Initialize addr struct to INADDR_ANY. */ + static void sctp_v6_inaddr_any(union sctp_addr *addr, __be16 port) + { +@@ -844,8 +847,8 @@ static int sctp_inet6_cmp_addr(const uni + const union sctp_addr *addr2, + struct sctp_sock *opt) + { +- struct sctp_af *af1, *af2; + struct sock *sk = sctp_opt2sk(opt); ++ struct sctp_af *af1, *af2; + + af1 = sctp_get_af_specific(addr1->sa.sa_family); + af2 = sctp_get_af_specific(addr2->sa.sa_family); +@@ -861,10 +864,7 @@ static int sctp_inet6_cmp_addr(const uni + if (sctp_is_any(sk, addr1) || sctp_is_any(sk, addr2)) + return 1; + +- if (addr1->sa.sa_family != addr2->sa.sa_family) +- return 0; +- +- return af1->cmp_addr(addr1, addr2); ++ return __sctp_v6_cmp_addr(addr1, addr2); + } + + /* Verify that the provided sockaddr looks bindable. Common verification, diff --git a/queue-4.9/series b/queue-4.9/series index 2df5900e590..e86dac37e4a 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -44,3 +44,29 @@ s390-report-spectre-mitigation-via-syslog.patch s390-add-sysfs-attributes-for-spectre.patch s390-correct-nospec-auto-detection-init-order.patch s390-correct-module-section-names-for-expoline-code-revert.patch +bonding-do-not-set-slave_dev-npinfo-before-slave_enable_netpoll-in-bond_enslave.patch +keys-dns-limit-the-length-of-option-strings.patch +l2tp-check-sockaddr-length-in-pppol2tp_connect.patch +net-validate-attribute-sizes-in-neigh_dump_table.patch +llc-delete-timers-synchronously-in-llc_sk_free.patch +tcp-don-t-read-out-of-bounds-opsize.patch +team-avoid-adding-twice-the-same-option-to-the-event-list.patch +team-fix-netconsole-setup-over-team.patch +packet-fix-bitfield-update-race.patch +tipc-add-policy-for-tipc_nla_net_addr.patch +pppoe-check-sockaddr-length-in-pppoe_connect.patch +vlan-fix-reading-memory-beyond-skb-tail-in-skb_vlan_tagged_multi.patch +sctp-do-not-check-port-in-sctp_inet6_cmp_addr.patch +net-sched-ife-signal-not-finding-metaid.patch +llc-hold-llc_sap-before-release_sock.patch +llc-fix-null-pointer-deref-for-sock_zapped.patch +net-ethernet-ti-cpsw-fix-tx-vlan-priority-mapping.patch + +net-fix-deadlock-while-clearing-neighbor-proxy-table.patch +tcp-md5-reject-tcp_md5sig-or-tcp_md5sig_ext-on-established-sockets.patch +net-af_packet-fix-race-in-packet_-r-t-x_ring.patch +ipv6-add-rta_table-and-rta_prefsrc-to-rtm_ipv6_policy.patch + +strparser-fix-incorrect-strp-need_bytes-value.patch + + diff --git a/queue-4.9/strparser-fix-incorrect-strp-need_bytes-value.patch b/queue-4.9/strparser-fix-incorrect-strp-need_bytes-value.patch new file mode 100644 index 00000000000..f14d2d79a88 --- /dev/null +++ b/queue-4.9/strparser-fix-incorrect-strp-need_bytes-value.patch @@ -0,0 +1,70 @@ +From foo@baz Fri Apr 27 12:23:41 CEST 2018 +From: Doron Roberts-Kedes +Date: Wed, 11 Apr 2018 15:05:16 -0700 +Subject: strparser: Fix incorrect strp->need_bytes value. + +From: Doron Roberts-Kedes + + +[ Upstream commit 9d0c75bf6e03d9bf80c55b0f677dc9b982958fd5 ] + +strp_data_ready resets strp->need_bytes to 0 if strp_peek_len indicates +that the remainder of the message has been received. However, +do_strp_work does not reset strp->need_bytes to 0. If do_strp_work +completes a partial message, the value of strp->need_bytes will continue +to reflect the needed bytes of the previous message, causing +future invocations of strp_data_ready to return early if +strp->need_bytes is less than strp_peek_len. Resetting strp->need_bytes +to 0 in __strp_recv on handing a full message to the upper layer solves +this problem. + +__strp_recv also calculates strp->need_bytes using stm->accum_len before +stm->accum_len has been incremented by cand_len. This can cause +strp->need_bytes to be equal to the full length of the message instead +of the full length minus the accumulated length. This, in turn, causes +strp_data_ready to return early, even when there is sufficient data to +complete the partial message. Incrementing stm->accum_len before using +it to calculate strp->need_bytes solves this problem. + +Found while testing net/tls_sw recv path. + +Fixes: 43a0c6751a322847 ("strparser: Stream parser for messages") +Signed-off-by: Doron Roberts-Kedes +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/strparser/strparser.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +--- a/net/strparser/strparser.c ++++ b/net/strparser/strparser.c +@@ -285,9 +285,9 @@ static int strp_recv(read_descriptor_t * + strp_start_rx_timer(strp); + } + ++ rxm->accum_len += cand_len; + strp->rx_need_bytes = rxm->strp.full_len - + rxm->accum_len; +- rxm->accum_len += cand_len; + rxm->early_eaten = cand_len; + STRP_STATS_ADD(strp->stats.rx_bytes, cand_len); + desc->count = 0; /* Stop reading socket */ +@@ -310,6 +310,7 @@ static int strp_recv(read_descriptor_t * + /* Hurray, we have a new message! */ + del_timer(&strp->rx_msg_timer); + strp->rx_skb_head = NULL; ++ strp->rx_need_bytes = 0; + STRP_STATS_INCR(strp->stats.rx_msgs); + + /* Give skb to upper layer */ +@@ -374,9 +375,7 @@ void strp_data_ready(struct strparser *s + return; + + if (strp->rx_need_bytes) { +- if (strp_peek_len(strp) >= strp->rx_need_bytes) +- strp->rx_need_bytes = 0; +- else ++ if (strp_peek_len(strp) < strp->rx_need_bytes) + return; + } + diff --git a/queue-4.9/tcp-don-t-read-out-of-bounds-opsize.patch b/queue-4.9/tcp-don-t-read-out-of-bounds-opsize.patch new file mode 100644 index 00000000000..0a3be4b57d4 --- /dev/null +++ b/queue-4.9/tcp-don-t-read-out-of-bounds-opsize.patch @@ -0,0 +1,181 @@ +From foo@baz Fri Apr 27 12:23:41 CEST 2018 +From: Jann Horn +Date: Fri, 20 Apr 2018 15:57:30 +0200 +Subject: tcp: don't read out-of-bounds opsize + +From: Jann Horn + + +[ Upstream commit 7e5a206ab686f098367b61aca989f5cdfa8114a3 ] + +The old code reads the "opsize" variable from out-of-bounds memory (first +byte behind the segment) if a broken TCP segment ends directly after an +opcode that is neither EOL nor NOP. + +The result of the read isn't used for anything, so the worst thing that +could theoretically happen is a pagefault; and since the physmap is usually +mostly contiguous, even that seems pretty unlikely. + +The following C reproducer triggers the uninitialized read - however, you +can't actually see anything happen unless you put something like a +pr_warn() in tcp_parse_md5sig_option() to print the opsize. + +==================================== +#define _GNU_SOURCE +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +void systemf(const char *command, ...) { + char *full_command; + va_list ap; + va_start(ap, command); + if (vasprintf(&full_command, command, ap) == -1) + err(1, "vasprintf"); + va_end(ap); + printf("systemf: <<<%s>>>\n", full_command); + system(full_command); +} + +char *devname; + +int tun_alloc(char *name) { + int fd = open("/dev/net/tun", O_RDWR); + if (fd == -1) + err(1, "open tun dev"); + static struct ifreq req = { .ifr_flags = IFF_TUN|IFF_NO_PI }; + strcpy(req.ifr_name, name); + if (ioctl(fd, TUNSETIFF, &req)) + err(1, "TUNSETIFF"); + devname = req.ifr_name; + printf("device name: %s\n", devname); + return fd; +} + +#define IPADDR(a,b,c,d) (((a)<<0)+((b)<<8)+((c)<<16)+((d)<<24)) + +void sum_accumulate(unsigned int *sum, void *data, int len) { + assert((len&2)==0); + for (int i=0; i> 16) + (sum & 0xffff); + sum = (sum >> 16) + (sum & 0xffff); + return htons(~sum); +} + +void fix_ip_sum(struct iphdr *ip) { + unsigned int sum = 0; + sum_accumulate(&sum, ip, sizeof(*ip)); + ip->check = sum_final(sum); +} + +void fix_tcp_sum(struct iphdr *ip, struct tcphdr *tcp) { + unsigned int sum = 0; + struct { + unsigned int saddr; + unsigned int daddr; + unsigned char pad; + unsigned char proto_num; + unsigned short tcp_len; + } fakehdr = { + .saddr = ip->saddr, + .daddr = ip->daddr, + .proto_num = ip->protocol, + .tcp_len = htons(ntohs(ip->tot_len) - ip->ihl*4) + }; + sum_accumulate(&sum, &fakehdr, sizeof(fakehdr)); + sum_accumulate(&sum, tcp, tcp->doff*4); + tcp->check = sum_final(sum); +} + +int main(void) { + int tun_fd = tun_alloc("inject_dev%d"); + systemf("ip link set %s up", devname); + systemf("ip addr add 192.168.42.1/24 dev %s", devname); + + struct { + struct iphdr ip; + struct tcphdr tcp; + unsigned char tcp_opts[20]; + } __attribute__((packed)) syn_packet = { + .ip = { + .ihl = sizeof(struct iphdr)/4, + .version = 4, + .tot_len = htons(sizeof(syn_packet)), + .ttl = 30, + .protocol = IPPROTO_TCP, + /* FIXUP check */ + .saddr = IPADDR(192,168,42,2), + .daddr = IPADDR(192,168,42,1) + }, + .tcp = { + .source = htons(1), + .dest = htons(1337), + .seq = 0x12345678, + .doff = (sizeof(syn_packet.tcp)+sizeof(syn_packet.tcp_opts))/4, + .syn = 1, + .window = htons(64), + .check = 0 /*FIXUP*/ + }, + .tcp_opts = { + /* INVALID: trailing MD5SIG opcode after NOPs */ + 1, 1, 1, 1, 1, + 1, 1, 1, 1, 1, + 1, 1, 1, 1, 1, + 1, 1, 1, 1, 19 + } + }; + fix_ip_sum(&syn_packet.ip); + fix_tcp_sum(&syn_packet.ip, &syn_packet.tcp); + while (1) { + int write_res = write(tun_fd, &syn_packet, sizeof(syn_packet)); + if (write_res != sizeof(syn_packet)) + err(1, "packet write failed"); + } +} +==================================== + +Fixes: cfb6eeb4c860 ("[TCP]: MD5 Signature Option (RFC2385) support.") +Signed-off-by: Jann Horn +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/tcp_input.c | 7 ++----- + 1 file changed, 2 insertions(+), 5 deletions(-) + +--- a/net/ipv4/tcp_input.c ++++ b/net/ipv4/tcp_input.c +@@ -3943,11 +3943,8 @@ const u8 *tcp_parse_md5sig_option(const + int length = (th->doff << 2) - sizeof(*th); + const u8 *ptr = (const u8 *)(th + 1); + +- /* If the TCP option is too short, we can short cut */ +- if (length < TCPOLEN_MD5SIG) +- return NULL; +- +- while (length > 0) { ++ /* If not enough data remaining, we can short cut */ ++ while (length >= TCPOLEN_MD5SIG) { + int opcode = *ptr++; + int opsize; + diff --git a/queue-4.9/tcp-md5-reject-tcp_md5sig-or-tcp_md5sig_ext-on-established-sockets.patch b/queue-4.9/tcp-md5-reject-tcp_md5sig-or-tcp_md5sig_ext-on-established-sockets.patch new file mode 100644 index 00000000000..68687d8c746 --- /dev/null +++ b/queue-4.9/tcp-md5-reject-tcp_md5sig-or-tcp_md5sig_ext-on-established-sockets.patch @@ -0,0 +1,110 @@ +From foo@baz Fri Apr 27 12:23:41 CEST 2018 +From: Eric Dumazet +Date: Wed, 11 Apr 2018 14:36:28 -0700 +Subject: tcp: md5: reject TCP_MD5SIG or TCP_MD5SIG_EXT on established sockets + +From: Eric Dumazet + + +[ Upstream commit 7212303268918b9a203aebeacfdbd83b5e87b20d ] + +syzbot/KMSAN reported an uninit-value in tcp_parse_options() [1] + +I believe this was caused by a TCP_MD5SIG being set on live +flow. + +This is highly unexpected, since TCP option space is limited. + +For instance, presence of TCP MD5 option automatically disables +TCP TimeStamp option at SYN/SYNACK time, which we can not do +once flow has been established. + +Really, adding/deleting an MD5 key only makes sense on sockets +in CLOSE or LISTEN state. + +[1] +BUG: KMSAN: uninit-value in tcp_parse_options+0xd74/0x1a30 net/ipv4/tcp_input.c:3720 +CPU: 1 PID: 6177 Comm: syzkaller192004 Not tainted 4.16.0+ #83 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:17 [inline] + dump_stack+0x185/0x1d0 lib/dump_stack.c:53 + kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067 + __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:676 + tcp_parse_options+0xd74/0x1a30 net/ipv4/tcp_input.c:3720 + tcp_fast_parse_options net/ipv4/tcp_input.c:3858 [inline] + tcp_validate_incoming+0x4f1/0x2790 net/ipv4/tcp_input.c:5184 + tcp_rcv_established+0xf60/0x2bb0 net/ipv4/tcp_input.c:5453 + tcp_v4_do_rcv+0x6cd/0xd90 net/ipv4/tcp_ipv4.c:1469 + sk_backlog_rcv include/net/sock.h:908 [inline] + __release_sock+0x2d6/0x680 net/core/sock.c:2271 + release_sock+0x97/0x2a0 net/core/sock.c:2786 + tcp_sendmsg+0xd6/0x100 net/ipv4/tcp.c:1464 + inet_sendmsg+0x48d/0x740 net/ipv4/af_inet.c:764 + sock_sendmsg_nosec net/socket.c:630 [inline] + sock_sendmsg net/socket.c:640 [inline] + SYSC_sendto+0x6c3/0x7e0 net/socket.c:1747 + SyS_sendto+0x8a/0xb0 net/socket.c:1715 + do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287 + entry_SYSCALL_64_after_hwframe+0x3d/0xa2 +RIP: 0033:0x448fe9 +RSP: 002b:00007fd472c64d38 EFLAGS: 00000216 ORIG_RAX: 000000000000002c +RAX: ffffffffffffffda RBX: 00000000006e5a30 RCX: 0000000000448fe9 +RDX: 000000000000029f RSI: 0000000020a88f88 RDI: 0000000000000004 +RBP: 00000000006e5a34 R08: 0000000020e68000 R09: 0000000000000010 +R10: 00000000200007fd R11: 0000000000000216 R12: 0000000000000000 +R13: 00007fff074899ef R14: 00007fd472c659c0 R15: 0000000000000009 + +Uninit was created at: + kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline] + kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:188 + kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:314 + kmsan_slab_alloc+0x11/0x20 mm/kmsan/kmsan.c:321 + slab_post_alloc_hook mm/slab.h:445 [inline] + slab_alloc_node mm/slub.c:2737 [inline] + __kmalloc_node_track_caller+0xaed/0x11c0 mm/slub.c:4369 + __kmalloc_reserve net/core/skbuff.c:138 [inline] + __alloc_skb+0x2cf/0x9f0 net/core/skbuff.c:206 + alloc_skb include/linux/skbuff.h:984 [inline] + tcp_send_ack+0x18c/0x910 net/ipv4/tcp_output.c:3624 + __tcp_ack_snd_check net/ipv4/tcp_input.c:5040 [inline] + tcp_ack_snd_check net/ipv4/tcp_input.c:5053 [inline] + tcp_rcv_established+0x2103/0x2bb0 net/ipv4/tcp_input.c:5469 + tcp_v4_do_rcv+0x6cd/0xd90 net/ipv4/tcp_ipv4.c:1469 + sk_backlog_rcv include/net/sock.h:908 [inline] + __release_sock+0x2d6/0x680 net/core/sock.c:2271 + release_sock+0x97/0x2a0 net/core/sock.c:2786 + tcp_sendmsg+0xd6/0x100 net/ipv4/tcp.c:1464 + inet_sendmsg+0x48d/0x740 net/ipv4/af_inet.c:764 + sock_sendmsg_nosec net/socket.c:630 [inline] + sock_sendmsg net/socket.c:640 [inline] + SYSC_sendto+0x6c3/0x7e0 net/socket.c:1747 + SyS_sendto+0x8a/0xb0 net/socket.c:1715 + do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287 + entry_SYSCALL_64_after_hwframe+0x3d/0xa2 + +Fixes: cfb6eeb4c860 ("[TCP]: MD5 Signature Option (RFC2385) support.") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Acked-by: Yuchung Cheng +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/tcp.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -2662,8 +2662,10 @@ static int do_tcp_setsockopt(struct sock + + #ifdef CONFIG_TCP_MD5SIG + case TCP_MD5SIG: +- /* Read the IP->Key mappings from userspace */ +- err = tp->af_specific->md5_parse(sk, optval, optlen); ++ if ((1 << sk->sk_state) & (TCPF_CLOSE | TCPF_LISTEN)) ++ err = tp->af_specific->md5_parse(sk, optval, optlen); ++ else ++ err = -EINVAL; + break; + #endif + case TCP_USER_TIMEOUT: diff --git a/queue-4.9/team-avoid-adding-twice-the-same-option-to-the-event-list.patch b/queue-4.9/team-avoid-adding-twice-the-same-option-to-the-event-list.patch new file mode 100644 index 00000000000..497b53a436c --- /dev/null +++ b/queue-4.9/team-avoid-adding-twice-the-same-option-to-the-event-list.patch @@ -0,0 +1,118 @@ +From foo@baz Fri Apr 27 12:23:41 CEST 2018 +From: Paolo Abeni +Date: Fri, 13 Apr 2018 13:59:25 +0200 +Subject: team: avoid adding twice the same option to the event list + +From: Paolo Abeni + + +[ Upstream commit 4fb0534fb7bbc2346ba7d3a072b538007f4135a5 ] + +When parsing the options provided by the user space, +team_nl_cmd_options_set() insert them in a temporary list to send +multiple events with a single message. +While each option's attribute is correctly validated, the code does +not check for duplicate entries before inserting into the event +list. + +Exploiting the above, the syzbot was able to trigger the following +splat: + +kernel BUG at lib/list_debug.c:31! +invalid opcode: 0000 [#1] SMP KASAN +Dumping ftrace buffer: + (ftrace buffer empty) +Modules linked in: +CPU: 0 PID: 4466 Comm: syzkaller556835 Not tainted 4.16.0+ #17 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS +Google 01/01/2011 +RIP: 0010:__list_add_valid+0xaa/0xb0 lib/list_debug.c:29 +RSP: 0018:ffff8801b04bf248 EFLAGS: 00010286 +RAX: 0000000000000058 RBX: ffff8801c8fc7a90 RCX: 0000000000000000 +RDX: 0000000000000058 RSI: ffffffff815fbf41 RDI: ffffed0036097e3f +RBP: ffff8801b04bf260 R08: ffff8801b0b2a700 R09: ffffed003b604f90 +R10: ffffed003b604f90 R11: ffff8801db027c87 R12: ffff8801c8fc7a90 +R13: ffff8801c8fc7a90 R14: dffffc0000000000 R15: 0000000000000000 +FS: 0000000000b98880(0000) GS:ffff8801db000000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 000000000043fc30 CR3: 00000001afe8e000 CR4: 00000000001406f0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + __list_add include/linux/list.h:60 [inline] + list_add include/linux/list.h:79 [inline] + team_nl_cmd_options_set+0x9ff/0x12b0 drivers/net/team/team.c:2571 + genl_family_rcv_msg+0x889/0x1120 net/netlink/genetlink.c:599 + genl_rcv_msg+0xc6/0x170 net/netlink/genetlink.c:624 + netlink_rcv_skb+0x172/0x440 net/netlink/af_netlink.c:2448 + genl_rcv+0x28/0x40 net/netlink/genetlink.c:635 + netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline] + netlink_unicast+0x58b/0x740 net/netlink/af_netlink.c:1336 + netlink_sendmsg+0x9f0/0xfa0 net/netlink/af_netlink.c:1901 + sock_sendmsg_nosec net/socket.c:629 [inline] + sock_sendmsg+0xd5/0x120 net/socket.c:639 + ___sys_sendmsg+0x805/0x940 net/socket.c:2117 + __sys_sendmsg+0x115/0x270 net/socket.c:2155 + SYSC_sendmsg net/socket.c:2164 [inline] + SyS_sendmsg+0x29/0x30 net/socket.c:2162 + do_syscall_64+0x29e/0x9d0 arch/x86/entry/common.c:287 + entry_SYSCALL_64_after_hwframe+0x42/0xb7 +RIP: 0033:0x4458b9 +RSP: 002b:00007ffd1d4a7278 EFLAGS: 00000213 ORIG_RAX: 000000000000002e +RAX: ffffffffffffffda RBX: 000000000000001b RCX: 00000000004458b9 +RDX: 0000000000000010 RSI: 0000000020000d00 RDI: 0000000000000004 +RBP: 00000000004a74ed R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000213 R12: 00007ffd1d4a7348 +R13: 0000000000402a60 R14: 0000000000000000 R15: 0000000000000000 +Code: 75 e8 eb a9 48 89 f7 48 89 75 e8 e8 d1 85 7b fe 48 8b 75 e8 eb bb 48 +89 f2 48 89 d9 4c 89 e6 48 c7 c7 a0 84 d8 87 e8 ea 67 28 fe <0f> 0b 0f 1f +40 00 48 b8 00 00 00 00 00 fc ff df 55 48 89 e5 41 +RIP: __list_add_valid+0xaa/0xb0 lib/list_debug.c:29 RSP: ffff8801b04bf248 + +This changeset addresses the avoiding list_add() if the current +option is already present in the event list. + +Reported-and-tested-by: syzbot+4d4af685432dc0e56c91@syzkaller.appspotmail.com +Signed-off-by: Paolo Abeni +Fixes: 2fcdb2c9e659 ("team: allow to send multiple set events in one message") +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/team/team.c | 19 +++++++++++++++++++ + 1 file changed, 19 insertions(+) + +--- a/drivers/net/team/team.c ++++ b/drivers/net/team/team.c +@@ -261,6 +261,17 @@ static void __team_option_inst_mark_remo + } + } + ++static bool __team_option_inst_tmp_find(const struct list_head *opts, ++ const struct team_option_inst *needle) ++{ ++ struct team_option_inst *opt_inst; ++ ++ list_for_each_entry(opt_inst, opts, tmp_list) ++ if (opt_inst == needle) ++ return true; ++ return false; ++} ++ + static int __team_options_register(struct team *team, + const struct team_option *option, + size_t option_count) +@@ -2569,6 +2580,14 @@ static int team_nl_cmd_options_set(struc + if (err) + goto team_put; + opt_inst->changed = true; ++ ++ /* dumb/evil user-space can send us duplicate opt, ++ * keep only the last one ++ */ ++ if (__team_option_inst_tmp_find(&opt_inst_list, ++ opt_inst)) ++ continue; ++ + list_add(&opt_inst->tmp_list, &opt_inst_list); + } + if (!opt_found) { diff --git a/queue-4.9/team-fix-netconsole-setup-over-team.patch b/queue-4.9/team-fix-netconsole-setup-over-team.patch new file mode 100644 index 00000000000..73a61c76f05 --- /dev/null +++ b/queue-4.9/team-fix-netconsole-setup-over-team.patch @@ -0,0 +1,88 @@ +From foo@baz Fri Apr 27 12:23:41 CEST 2018 +From: Xin Long +Date: Tue, 24 Apr 2018 14:33:37 +0800 +Subject: team: fix netconsole setup over team + +From: Xin Long + + +[ Upstream commit 9cf2f437ca5b39828984064fad213e68fc17ef11 ] + +The same fix in Commit dbe173079ab5 ("bridge: fix netconsole +setup over bridge") is also needed for team driver. + +While at it, remove the unnecessary parameter *team from +team_port_enable_netpoll(). + +v1->v2: + - fix it in a better way, as does bridge. + +Fixes: 0fb52a27a04a ("team: cleanup netpoll clode") +Reported-by: João Avelino Bellomo Filho +Signed-off-by: Xin Long +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/team/team.c | 19 ++++++++++++------- + 1 file changed, 12 insertions(+), 7 deletions(-) + +--- a/drivers/net/team/team.c ++++ b/drivers/net/team/team.c +@@ -1078,14 +1078,11 @@ static void team_port_leave(struct team + } + + #ifdef CONFIG_NET_POLL_CONTROLLER +-static int team_port_enable_netpoll(struct team *team, struct team_port *port) ++static int __team_port_enable_netpoll(struct team_port *port) + { + struct netpoll *np; + int err; + +- if (!team->dev->npinfo) +- return 0; +- + np = kzalloc(sizeof(*np), GFP_KERNEL); + if (!np) + return -ENOMEM; +@@ -1099,6 +1096,14 @@ static int team_port_enable_netpoll(stru + return err; + } + ++static int team_port_enable_netpoll(struct team_port *port) ++{ ++ if (!port->team->dev->npinfo) ++ return 0; ++ ++ return __team_port_enable_netpoll(port); ++} ++ + static void team_port_disable_netpoll(struct team_port *port) + { + struct netpoll *np = port->np; +@@ -1113,7 +1118,7 @@ static void team_port_disable_netpoll(st + kfree(np); + } + #else +-static int team_port_enable_netpoll(struct team *team, struct team_port *port) ++static int team_port_enable_netpoll(struct team_port *port) + { + return 0; + } +@@ -1221,7 +1226,7 @@ static int team_port_add(struct team *te + goto err_vids_add; + } + +- err = team_port_enable_netpoll(team, port); ++ err = team_port_enable_netpoll(port); + if (err) { + netdev_err(dev, "Failed to enable netpoll on device %s\n", + portname); +@@ -1919,7 +1924,7 @@ static int team_netpoll_setup(struct net + + mutex_lock(&team->lock); + list_for_each_entry(port, &team->port_list, list) { +- err = team_port_enable_netpoll(team, port); ++ err = __team_port_enable_netpoll(port); + if (err) { + __team_netpoll_cleanup(team); + break; diff --git a/queue-4.9/tipc-add-policy-for-tipc_nla_net_addr.patch b/queue-4.9/tipc-add-policy-for-tipc_nla_net_addr.patch new file mode 100644 index 00000000000..8b87956491b --- /dev/null +++ b/queue-4.9/tipc-add-policy-for-tipc_nla_net_addr.patch @@ -0,0 +1,34 @@ +From foo@baz Fri Apr 27 12:23:41 CEST 2018 +From: Eric Dumazet +Date: Mon, 16 Apr 2018 08:29:42 -0700 +Subject: tipc: add policy for TIPC_NLA_NET_ADDR + +From: Eric Dumazet + + +[ Upstream commit ec518f21cb1a1b1f8a516499ea05c60299e04963 ] + +Before syzbot/KMSAN bites, add the missing policy for TIPC_NLA_NET_ADDR + +Fixes: 27c21416727a ("tipc: add net set to new netlink api") +Signed-off-by: Eric Dumazet +Cc: Jon Maloy +Cc: Ying Xue +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/tipc/netlink.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/tipc/netlink.c ++++ b/net/tipc/netlink.c +@@ -79,7 +79,8 @@ const struct nla_policy tipc_nl_sock_pol + + const struct nla_policy tipc_nl_net_policy[TIPC_NLA_NET_MAX + 1] = { + [TIPC_NLA_NET_UNSPEC] = { .type = NLA_UNSPEC }, +- [TIPC_NLA_NET_ID] = { .type = NLA_U32 } ++ [TIPC_NLA_NET_ID] = { .type = NLA_U32 }, ++ [TIPC_NLA_NET_ADDR] = { .type = NLA_U32 }, + }; + + const struct nla_policy tipc_nl_link_policy[TIPC_NLA_LINK_MAX + 1] = { diff --git a/queue-4.9/vlan-fix-reading-memory-beyond-skb-tail-in-skb_vlan_tagged_multi.patch b/queue-4.9/vlan-fix-reading-memory-beyond-skb-tail-in-skb_vlan_tagged_multi.patch new file mode 100644 index 00000000000..ae70d6fbbe4 --- /dev/null +++ b/queue-4.9/vlan-fix-reading-memory-beyond-skb-tail-in-skb_vlan_tagged_multi.patch @@ -0,0 +1,135 @@ +From foo@baz Fri Apr 27 12:23:41 CEST 2018 +From: Toshiaki Makita +Date: Tue, 17 Apr 2018 18:46:14 +0900 +Subject: vlan: Fix reading memory beyond skb->tail in skb_vlan_tagged_multi + +From: Toshiaki Makita + + +[ Upstream commit 7ce2367254e84753bceb07327aaf5c953cfce117 ] + +Syzkaller spotted an old bug which leads to reading skb beyond tail by 4 +bytes on vlan tagged packets. +This is caused because skb_vlan_tagged_multi() did not check +skb_headlen. + +BUG: KMSAN: uninit-value in eth_type_vlan include/linux/if_vlan.h:283 [inline] +BUG: KMSAN: uninit-value in skb_vlan_tagged_multi include/linux/if_vlan.h:656 [inline] +BUG: KMSAN: uninit-value in vlan_features_check include/linux/if_vlan.h:672 [inline] +BUG: KMSAN: uninit-value in dflt_features_check net/core/dev.c:2949 [inline] +BUG: KMSAN: uninit-value in netif_skb_features+0xd1b/0xdc0 net/core/dev.c:3009 +CPU: 1 PID: 3582 Comm: syzkaller435149 Not tainted 4.16.0+ #82 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:17 [inline] + dump_stack+0x185/0x1d0 lib/dump_stack.c:53 + kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067 + __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:676 + eth_type_vlan include/linux/if_vlan.h:283 [inline] + skb_vlan_tagged_multi include/linux/if_vlan.h:656 [inline] + vlan_features_check include/linux/if_vlan.h:672 [inline] + dflt_features_check net/core/dev.c:2949 [inline] + netif_skb_features+0xd1b/0xdc0 net/core/dev.c:3009 + validate_xmit_skb+0x89/0x1320 net/core/dev.c:3084 + __dev_queue_xmit+0x1cb2/0x2b60 net/core/dev.c:3549 + dev_queue_xmit+0x4b/0x60 net/core/dev.c:3590 + packet_snd net/packet/af_packet.c:2944 [inline] + packet_sendmsg+0x7c57/0x8a10 net/packet/af_packet.c:2969 + sock_sendmsg_nosec net/socket.c:630 [inline] + sock_sendmsg net/socket.c:640 [inline] + sock_write_iter+0x3b9/0x470 net/socket.c:909 + do_iter_readv_writev+0x7bb/0x970 include/linux/fs.h:1776 + do_iter_write+0x30d/0xd40 fs/read_write.c:932 + vfs_writev fs/read_write.c:977 [inline] + do_writev+0x3c9/0x830 fs/read_write.c:1012 + SYSC_writev+0x9b/0xb0 fs/read_write.c:1085 + SyS_writev+0x56/0x80 fs/read_write.c:1082 + do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287 + entry_SYSCALL_64_after_hwframe+0x3d/0xa2 +RIP: 0033:0x43ffa9 +RSP: 002b:00007fff2cff3948 EFLAGS: 00000217 ORIG_RAX: 0000000000000014 +RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043ffa9 +RDX: 0000000000000001 RSI: 0000000020000080 RDI: 0000000000000003 +RBP: 00000000006cb018 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000217 R12: 00000000004018d0 +R13: 0000000000401960 R14: 0000000000000000 R15: 0000000000000000 + +Uninit was created at: + kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline] + kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:188 + kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:314 + kmsan_slab_alloc+0x11/0x20 mm/kmsan/kmsan.c:321 + slab_post_alloc_hook mm/slab.h:445 [inline] + slab_alloc_node mm/slub.c:2737 [inline] + __kmalloc_node_track_caller+0xaed/0x11c0 mm/slub.c:4369 + __kmalloc_reserve net/core/skbuff.c:138 [inline] + __alloc_skb+0x2cf/0x9f0 net/core/skbuff.c:206 + alloc_skb include/linux/skbuff.h:984 [inline] + alloc_skb_with_frags+0x1d4/0xb20 net/core/skbuff.c:5234 + sock_alloc_send_pskb+0xb56/0x1190 net/core/sock.c:2085 + packet_alloc_skb net/packet/af_packet.c:2803 [inline] + packet_snd net/packet/af_packet.c:2894 [inline] + packet_sendmsg+0x6444/0x8a10 net/packet/af_packet.c:2969 + sock_sendmsg_nosec net/socket.c:630 [inline] + sock_sendmsg net/socket.c:640 [inline] + sock_write_iter+0x3b9/0x470 net/socket.c:909 + do_iter_readv_writev+0x7bb/0x970 include/linux/fs.h:1776 + do_iter_write+0x30d/0xd40 fs/read_write.c:932 + vfs_writev fs/read_write.c:977 [inline] + do_writev+0x3c9/0x830 fs/read_write.c:1012 + SYSC_writev+0x9b/0xb0 fs/read_write.c:1085 + SyS_writev+0x56/0x80 fs/read_write.c:1082 + do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287 + entry_SYSCALL_64_after_hwframe+0x3d/0xa2 + +Fixes: 58e998c6d239 ("offloading: Force software GSO for multiple vlan tags.") +Reported-and-tested-by: syzbot+0bbe42c764feafa82c5a@syzkaller.appspotmail.com +Signed-off-by: Toshiaki Makita +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/if_vlan.h | 7 +++++-- + net/core/dev.c | 2 +- + 2 files changed, 6 insertions(+), 3 deletions(-) + +--- a/include/linux/if_vlan.h ++++ b/include/linux/if_vlan.h +@@ -600,7 +600,7 @@ static inline bool skb_vlan_tagged(const + * Returns true if the skb is tagged with multiple vlan headers, regardless + * of whether it is hardware accelerated or not. + */ +-static inline bool skb_vlan_tagged_multi(const struct sk_buff *skb) ++static inline bool skb_vlan_tagged_multi(struct sk_buff *skb) + { + __be16 protocol = skb->protocol; + +@@ -610,6 +610,9 @@ static inline bool skb_vlan_tagged_multi + if (likely(!eth_type_vlan(protocol))) + return false; + ++ if (unlikely(!pskb_may_pull(skb, VLAN_ETH_HLEN))) ++ return false; ++ + veh = (struct vlan_ethhdr *)skb->data; + protocol = veh->h_vlan_encapsulated_proto; + } +@@ -627,7 +630,7 @@ static inline bool skb_vlan_tagged_multi + * + * Returns features without unsafe ones if the skb has multiple tags. + */ +-static inline netdev_features_t vlan_features_check(const struct sk_buff *skb, ++static inline netdev_features_t vlan_features_check(struct sk_buff *skb, + netdev_features_t features) + { + if (skb_vlan_tagged_multi(skb)) { +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -2871,7 +2871,7 @@ netdev_features_t passthru_features_chec + } + EXPORT_SYMBOL(passthru_features_check); + +-static netdev_features_t dflt_features_check(const struct sk_buff *skb, ++static netdev_features_t dflt_features_check(struct sk_buff *skb, + struct net_device *dev, + netdev_features_t features) + {