From: Greg Kroah-Hartman Date: Tue, 23 Apr 2019 20:06:06 +0000 (+0200) Subject: 4.4-stable patches X-Git-Tag: v3.18.139~43 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=3bca3f05944149f38036839aa4b28c6bc6e78bcc;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: bonding-fix-event-handling-for-stacked-bonds.patch ipv4-ensure-rcu_read_lock-in-ipv4_link_failure.patch ipv4-recompile-ip-options-in-ipv4_link_failure.patch net-atm-fix-potential-spectre-v1-vulnerabilities.patch net-bridge-multicast-use-rcu-to-access-port-list-from-br_multicast_start_querier.patch net-fou-do-not-use-guehdr-after-iptunnel_pull_offloads-in-gue_udp_recv.patch tcp-tcp_grow_window-needs-to-respect-tcp_space.patch --- diff --git a/queue-4.4/bonding-fix-event-handling-for-stacked-bonds.patch b/queue-4.4/bonding-fix-event-handling-for-stacked-bonds.patch new file mode 100644 index 00000000000..d74c303334f --- /dev/null +++ b/queue-4.4/bonding-fix-event-handling-for-stacked-bonds.patch @@ -0,0 +1,47 @@ +From foo@baz Tue 23 Apr 2019 10:01:13 PM CEST +From: Sabrina Dubroca +Date: Fri, 12 Apr 2019 15:04:10 +0200 +Subject: bonding: fix event handling for stacked bonds + +From: Sabrina Dubroca + +[ Upstream commit 92480b3977fd3884649d404cbbaf839b70035699 ] + +When a bond is enslaved to another bond, bond_netdev_event() only +handles the event as if the bond is a master, and skips treating the +bond as a slave. + +This leads to a refcount leak on the slave, since we don't remove the +adjacency to its master and the master holds a reference on the slave. + +Reproducer: + ip link add bondL type bond + ip link add bondU type bond + ip link set bondL master bondU + ip link del bondL + +No "Fixes:" tag, this code is older than git history. + +Signed-off-by: Sabrina Dubroca +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/bonding/bond_main.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -3067,8 +3067,12 @@ static int bond_netdev_event(struct noti + return NOTIFY_DONE; + + if (event_dev->flags & IFF_MASTER) { ++ int ret; ++ + netdev_dbg(event_dev, "IFF_MASTER\n"); +- return bond_master_netdev_event(event, event_dev); ++ ret = bond_master_netdev_event(event, event_dev); ++ if (ret != NOTIFY_DONE) ++ return ret; + } + + if (event_dev->flags & IFF_SLAVE) { diff --git a/queue-4.4/ipv4-ensure-rcu_read_lock-in-ipv4_link_failure.patch b/queue-4.4/ipv4-ensure-rcu_read_lock-in-ipv4_link_failure.patch new file mode 100644 index 00000000000..325fb7743b8 --- /dev/null +++ b/queue-4.4/ipv4-ensure-rcu_read_lock-in-ipv4_link_failure.patch @@ -0,0 +1,88 @@ +From foo@baz Tue 23 Apr 2019 10:01:13 PM CEST +From: Eric Dumazet +Date: Sat, 13 Apr 2019 17:32:21 -0700 +Subject: ipv4: ensure rcu_read_lock() in ipv4_link_failure() + +From: Eric Dumazet + +[ Upstream commit c543cb4a5f07e09237ec0fc2c60c9f131b2c79ad ] + +fib_compute_spec_dst() needs to be called under rcu protection. + +syzbot reported : + +WARNING: suspicious RCU usage +5.1.0-rc4+ #165 Not tainted +include/linux/inetdevice.h:220 suspicious rcu_dereference_check() usage! + +other info that might help us debug this: + +rcu_scheduler_active = 2, debug_locks = 1 +1 lock held by swapper/0/0: + #0: 0000000051b67925 ((&n->timer)){+.-.}, at: lockdep_copy_map include/linux/lockdep.h:170 [inline] + #0: 0000000051b67925 ((&n->timer)){+.-.}, at: call_timer_fn+0xda/0x720 kernel/time/timer.c:1315 + +stack backtrace: +CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.1.0-rc4+ #165 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0x172/0x1f0 lib/dump_stack.c:113 + lockdep_rcu_suspicious+0x153/0x15d kernel/locking/lockdep.c:5162 + __in_dev_get_rcu include/linux/inetdevice.h:220 [inline] + fib_compute_spec_dst+0xbbd/0x1030 net/ipv4/fib_frontend.c:294 + spec_dst_fill net/ipv4/ip_options.c:245 [inline] + __ip_options_compile+0x15a7/0x1a10 net/ipv4/ip_options.c:343 + ipv4_link_failure+0x172/0x400 net/ipv4/route.c:1195 + dst_link_failure include/net/dst.h:427 [inline] + arp_error_report+0xd1/0x1c0 net/ipv4/arp.c:297 + neigh_invalidate+0x24b/0x570 net/core/neighbour.c:995 + neigh_timer_handler+0xc35/0xf30 net/core/neighbour.c:1081 + call_timer_fn+0x190/0x720 kernel/time/timer.c:1325 + expire_timers kernel/time/timer.c:1362 [inline] + __run_timers kernel/time/timer.c:1681 [inline] + __run_timers kernel/time/timer.c:1649 [inline] + run_timer_softirq+0x652/0x1700 kernel/time/timer.c:1694 + __do_softirq+0x266/0x95a kernel/softirq.c:293 + invoke_softirq kernel/softirq.c:374 [inline] + irq_exit+0x180/0x1d0 kernel/softirq.c:414 + exiting_irq arch/x86/include/asm/apic.h:536 [inline] + smp_apic_timer_interrupt+0x14a/0x570 arch/x86/kernel/apic/apic.c:1062 + apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:807 + +Fixes: ed0de45a1008 ("ipv4: recompile ip options in ipv4_link_failure") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Cc: Stephen Suryaputra +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/route.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +--- a/net/ipv4/route.c ++++ b/net/ipv4/route.c +@@ -1164,14 +1164,20 @@ static struct dst_entry *ipv4_dst_check( + + static void ipv4_link_failure(struct sk_buff *skb) + { +- struct rtable *rt; + struct ip_options opt; ++ struct rtable *rt; ++ int res; + + /* Recompile ip options since IPCB may not be valid anymore. + */ + memset(&opt, 0, sizeof(opt)); + opt.optlen = ip_hdr(skb)->ihl*4 - sizeof(struct iphdr); +- if (__ip_options_compile(dev_net(skb->dev), &opt, skb, NULL)) ++ ++ rcu_read_lock(); ++ res = __ip_options_compile(dev_net(skb->dev), &opt, skb, NULL); ++ rcu_read_unlock(); ++ ++ if (res) + return; + + __icmp_send(skb, ICMP_DEST_UNREACH, ICMP_HOST_UNREACH, 0, &opt); diff --git a/queue-4.4/ipv4-recompile-ip-options-in-ipv4_link_failure.patch b/queue-4.4/ipv4-recompile-ip-options-in-ipv4_link_failure.patch new file mode 100644 index 00000000000..7a01ca96144 --- /dev/null +++ b/queue-4.4/ipv4-recompile-ip-options-in-ipv4_link_failure.patch @@ -0,0 +1,42 @@ +From foo@baz Tue 23 Apr 2019 10:01:13 PM CEST +From: Stephen Suryaputra +Date: Fri, 12 Apr 2019 16:19:27 -0400 +Subject: ipv4: recompile ip options in ipv4_link_failure + +From: Stephen Suryaputra + +[ Upstream commit ed0de45a1008991fdaa27a0152befcb74d126a8b ] + +Recompile IP options since IPCB may not be valid anymore when +ipv4_link_failure is called from arp_error_report. + +Refer to the commit 3da1ed7ac398 ("net: avoid use IPCB in cipso_v4_error") +and the commit before that (9ef6b42ad6fd) for a similar issue. + +Signed-off-by: Stephen Suryaputra +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/route.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +--- a/net/ipv4/route.c ++++ b/net/ipv4/route.c +@@ -1165,8 +1165,16 @@ static struct dst_entry *ipv4_dst_check( + static void ipv4_link_failure(struct sk_buff *skb) + { + struct rtable *rt; ++ struct ip_options opt; + +- icmp_send(skb, ICMP_DEST_UNREACH, ICMP_HOST_UNREACH, 0); ++ /* Recompile ip options since IPCB may not be valid anymore. ++ */ ++ memset(&opt, 0, sizeof(opt)); ++ opt.optlen = ip_hdr(skb)->ihl*4 - sizeof(struct iphdr); ++ if (__ip_options_compile(dev_net(skb->dev), &opt, skb, NULL)) ++ return; ++ ++ __icmp_send(skb, ICMP_DEST_UNREACH, ICMP_HOST_UNREACH, 0, &opt); + + rt = skb_rtable(skb); + if (rt) diff --git a/queue-4.4/net-atm-fix-potential-spectre-v1-vulnerabilities.patch b/queue-4.4/net-atm-fix-potential-spectre-v1-vulnerabilities.patch new file mode 100644 index 00000000000..4504f08eee7 --- /dev/null +++ b/queue-4.4/net-atm-fix-potential-spectre-v1-vulnerabilities.patch @@ -0,0 +1,53 @@ +From foo@baz Tue 23 Apr 2019 10:01:13 PM CEST +From: "Gustavo A. R. Silva" +Date: Mon, 15 Apr 2019 15:57:23 -0500 +Subject: net: atm: Fix potential Spectre v1 vulnerabilities + +From: "Gustavo A. R. Silva" + +[ Upstream commit 899537b73557aafbdd11050b501cf54b4f5c45af ] + +arg is controlled by user-space, hence leading to a potential +exploitation of the Spectre variant 1 vulnerability. + +This issue was detected with the help of Smatch: + +net/atm/lec.c:715 lec_mcast_attach() warn: potential spectre issue 'dev_lec' [r] (local cap) + +Fix this by sanitizing arg before using it to index dev_lec. + +Notice that given that speculation windows are large, the policy is +to kill the speculation on the first load and not worry if it can be +completed with a dependent load/store [1]. + +[1] https://lore.kernel.org/lkml/20180423164740.GY17484@dhcp22.suse.cz/ + +Signed-off-by: Gustavo A. R. Silva +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/atm/lec.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/net/atm/lec.c ++++ b/net/atm/lec.c +@@ -721,7 +721,10 @@ static int lec_vcc_attach(struct atm_vcc + + static int lec_mcast_attach(struct atm_vcc *vcc, int arg) + { +- if (arg < 0 || arg >= MAX_LEC_ITF || !dev_lec[arg]) ++ if (arg < 0 || arg >= MAX_LEC_ITF) ++ return -EINVAL; ++ arg = array_index_nospec(arg, MAX_LEC_ITF); ++ if (!dev_lec[arg]) + return -EINVAL; + vcc->proto_data = dev_lec[arg]; + return lec_mcast_make(netdev_priv(dev_lec[arg]), vcc); +@@ -739,6 +742,7 @@ static int lecd_attach(struct atm_vcc *v + i = arg; + if (arg >= MAX_LEC_ITF) + return -EINVAL; ++ i = array_index_nospec(arg, MAX_LEC_ITF); + if (!dev_lec[i]) { + int size; + diff --git a/queue-4.4/net-bridge-multicast-use-rcu-to-access-port-list-from-br_multicast_start_querier.patch b/queue-4.4/net-bridge-multicast-use-rcu-to-access-port-list-from-br_multicast_start_querier.patch new file mode 100644 index 00000000000..8db6924ac50 --- /dev/null +++ b/queue-4.4/net-bridge-multicast-use-rcu-to-access-port-list-from-br_multicast_start_querier.patch @@ -0,0 +1,41 @@ +From foo@baz Tue 23 Apr 2019 10:01:13 PM CEST +From: Nikolay Aleksandrov +Date: Thu, 11 Apr 2019 15:08:25 +0300 +Subject: net: bridge: multicast: use rcu to access port list from br_multicast_start_querier + +From: Nikolay Aleksandrov + +[ Upstream commit c5b493ce192bd7a4e7bd073b5685aad121eeef82 ] + +br_multicast_start_querier() walks over the port list but it can be +called from a timer with only multicast_lock held which doesn't protect +the port list, so use RCU to walk over it. + +Fixes: c83b8fab06fc ("bridge: Restart queries when last querier expires") +Signed-off-by: Nikolay Aleksandrov +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/bridge/br_multicast.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/net/bridge/br_multicast.c ++++ b/net/bridge/br_multicast.c +@@ -1894,7 +1894,8 @@ static void br_multicast_start_querier(s + + __br_multicast_open(br, query); + +- list_for_each_entry(port, &br->port_list, list) { ++ rcu_read_lock(); ++ list_for_each_entry_rcu(port, &br->port_list, list) { + if (port->state == BR_STATE_DISABLED || + port->state == BR_STATE_BLOCKING) + continue; +@@ -1906,6 +1907,7 @@ static void br_multicast_start_querier(s + br_multicast_enable(&port->ip6_own_query); + #endif + } ++ rcu_read_unlock(); + } + + int br_multicast_toggle(struct net_bridge *br, unsigned long val) diff --git a/queue-4.4/net-fou-do-not-use-guehdr-after-iptunnel_pull_offloads-in-gue_udp_recv.patch b/queue-4.4/net-fou-do-not-use-guehdr-after-iptunnel_pull_offloads-in-gue_udp_recv.patch new file mode 100644 index 00000000000..09675076826 --- /dev/null +++ b/queue-4.4/net-fou-do-not-use-guehdr-after-iptunnel_pull_offloads-in-gue_udp_recv.patch @@ -0,0 +1,48 @@ +From foo@baz Tue 23 Apr 2019 10:01:13 PM CEST +From: Lorenzo Bianconi +Date: Tue, 9 Apr 2019 11:47:20 +0200 +Subject: net: fou: do not use guehdr after iptunnel_pull_offloads in gue_udp_recv + +From: Lorenzo Bianconi + +[ Upstream commit 988dc4a9a3b66be75b30405a5494faf0dc7cffb6 ] + +gue tunnels run iptunnel_pull_offloads on received skbs. This can +determine a possible use-after-free accessing guehdr pointer since +the packet will be 'uncloned' running pskb_expand_head if it is a +cloned gso skb (e.g if the packet has been sent though a veth device) + +Fixes: a09a4c8dd1ec ("tunnels: Remove encapsulation offloads on decap") +Signed-off-by: Lorenzo Bianconi +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/fou.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/net/ipv4/fou.c ++++ b/net/ipv4/fou.c +@@ -116,6 +116,7 @@ static int gue_udp_recv(struct sock *sk, + struct guehdr *guehdr; + void *data; + u16 doffset = 0; ++ u8 proto_ctype; + + if (!fou) + return 1; +@@ -173,13 +174,14 @@ static int gue_udp_recv(struct sock *sk, + if (unlikely(guehdr->control)) + return gue_control_message(skb, guehdr); + ++ proto_ctype = guehdr->proto_ctype; + __skb_pull(skb, sizeof(struct udphdr) + hdrlen); + skb_reset_transport_header(skb); + + if (iptunnel_pull_offloads(skb)) + goto drop; + +- return -guehdr->proto_ctype; ++ return -proto_ctype; + + drop: + kfree_skb(skb); diff --git a/queue-4.4/series b/queue-4.4/series index a138925b2c2..a0ad44f65de 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -134,6 +134,13 @@ include-linux-swap.h-use-offsetof-instead-of-custom-.patch tpm-tpm_crb-avoid-unaligned-reads-in-crb_recv.patch ovl-fix-uid-gid-when-creating-over-whiteout.patch appletalk-fix-compile-regression.patch +bonding-fix-event-handling-for-stacked-bonds.patch +net-atm-fix-potential-spectre-v1-vulnerabilities.patch +net-bridge-multicast-use-rcu-to-access-port-list-from-br_multicast_start_querier.patch +net-fou-do-not-use-guehdr-after-iptunnel_pull_offloads-in-gue_udp_recv.patch +tcp-tcp_grow_window-needs-to-respect-tcp_space.patch +ipv4-recompile-ip-options-in-ipv4_link_failure.patch +ipv4-ensure-rcu_read_lock-in-ipv4_link_failure.patch crypto-crypto4xx-properly-set-iv-after-de-and-encryp.patch modpost-file2alias-go-back-to-simple-devtable-lookup.patch modpost-file2alias-check-prototype-of-handler.patch diff --git a/queue-4.4/tcp-tcp_grow_window-needs-to-respect-tcp_space.patch b/queue-4.4/tcp-tcp_grow_window-needs-to-respect-tcp_space.patch new file mode 100644 index 00000000000..cf1c79b2b3f --- /dev/null +++ b/queue-4.4/tcp-tcp_grow_window-needs-to-respect-tcp_space.patch @@ -0,0 +1,63 @@ +From foo@baz Tue 23 Apr 2019 10:01:13 PM CEST +From: Eric Dumazet +Date: Tue, 16 Apr 2019 10:55:20 -0700 +Subject: tcp: tcp_grow_window() needs to respect tcp_space() + +From: Eric Dumazet + +[ Upstream commit 50ce163a72d817a99e8974222dcf2886d5deb1ae ] + +For some reason, tcp_grow_window() correctly tests if enough room +is present before attempting to increase tp->rcv_ssthresh, +but does not prevent it to grow past tcp_space() + +This is causing hard to debug issues, like failing +the (__tcp_select_window(sk) >= tp->rcv_wnd) test +in __tcp_ack_snd_check(), causing ACK delays and possibly +slow flows. + +Depending on tcp_rmem[2], MTU, skb->len/skb->truesize ratio, +we can see the problem happening on "netperf -t TCP_RR -- -r 2000,2000" +after about 60 round trips, when the active side no longer sends +immediate acks. + +This bug predates git history. + +Signed-off-by: Eric Dumazet +Acked-by: Soheil Hassas Yeganeh +Acked-by: Neal Cardwell +Acked-by: Wei Wang +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/tcp_input.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +--- a/net/ipv4/tcp_input.c ++++ b/net/ipv4/tcp_input.c +@@ -365,11 +365,12 @@ static int __tcp_grow_window(const struc + static void tcp_grow_window(struct sock *sk, const struct sk_buff *skb) + { + struct tcp_sock *tp = tcp_sk(sk); ++ int room; ++ ++ room = min_t(int, tp->window_clamp, tcp_space(sk)) - tp->rcv_ssthresh; + + /* Check #1 */ +- if (tp->rcv_ssthresh < tp->window_clamp && +- (int)tp->rcv_ssthresh < tcp_space(sk) && +- !tcp_under_memory_pressure(sk)) { ++ if (room > 0 && !tcp_under_memory_pressure(sk)) { + int incr; + + /* Check #2. Increase window, if skb with such overhead +@@ -382,8 +383,7 @@ static void tcp_grow_window(struct sock + + if (incr) { + incr = max_t(int, incr, 2 * skb->len); +- tp->rcv_ssthresh = min(tp->rcv_ssthresh + incr, +- tp->window_clamp); ++ tp->rcv_ssthresh += min(room, incr); + inet_csk(sk)->icsk_ack.quick |= 1; + } + }