From: Greg Kroah-Hartman Date: Tue, 10 Apr 2018 21:22:28 +0000 (+0200) Subject: 4.16-stable patches X-Git-Tag: v4.16.2~8 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=4d4b606b88818292a89e2d4a426f8ae71e78c6fd;p=thirdparty%2Fkernel%2Fstable-queue.git 4.16-stable patches added patches: arp-fix-arp_filter-on-l3slave-devices.patch ip6_gre-better-validate-user-provided-tunnel-names.patch ip6_tunnel-better-validate-user-provided-tunnel-names.patch ip_tunnel-better-validate-user-provided-tunnel-names.patch ipv6-sit-better-validate-user-provided-tunnel-names.patch net-dsa-discard-frames-from-unused-ports.patch net-fool-proof-dev_valid_name.patch net-ipv6-increment-outxxx-counters-after-netfilter-hook.patch net-sched-fix-null-dereference-in-the-error-path-of-tcf_bpf_init.patch net_sched-fix-a-missing-idr_remove-in-u32_delete_key.patch nfp-use-full-40-bits-of-the-nsp-buffer-address.patch pptp-remove-a-buggy-dst-release-in-pptp_connect.patch sctp-do-not-leak-kernel-memory-to-user-space.patch sctp-sctp_sockaddr_af-must-check-minimal-addr-length-for-af_inet6.patch sky2-increase-d3-delay-to-sky2-stops-working-after-suspend.patch vlan-also-check-phy_driver-ts_info-for-vlan-s-real-device.patch vti6-better-validate-user-provided-tunnel-names.patch --- diff --git a/queue-4.16/arp-fix-arp_filter-on-l3slave-devices.patch b/queue-4.16/arp-fix-arp_filter-on-l3slave-devices.patch new file mode 100644 index 00000000000..27262455e3e --- /dev/null +++ b/queue-4.16/arp-fix-arp_filter-on-l3slave-devices.patch @@ -0,0 +1,41 @@ +From foo@baz Tue Apr 10 23:19:25 CEST 2018 +From: Miguel Fadon Perlines +Date: Thu, 5 Apr 2018 10:25:38 +0200 +Subject: arp: fix arp_filter on l3slave devices + +From: Miguel Fadon Perlines + + +[ Upstream commit 58b35f27689b5eb514fc293c332966c226b1b6e4 ] + +arp_filter performs an ip_route_output search for arp source address and +checks if output device is the same where the arp request was received, +if it is not, the arp request is not answered. + +This route lookup is always done on main route table so l3slave devices +never find the proper route and arp is not answered. + +Passing l3mdev_master_ifindex_rcu(dev) return value as oif fixes the +lookup for l3slave devices while maintaining same behavior for non +l3slave devices as this function returns 0 in that case. + +Fixes: 613d09b30f8b ("net: Use VRF device index for lookups on TX") +Signed-off-by: Miguel Fadon Perlines +Acked-by: David Ahern +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/arp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/ipv4/arp.c ++++ b/net/ipv4/arp.c +@@ -437,7 +437,7 @@ static int arp_filter(__be32 sip, __be32 + /*unsigned long now; */ + struct net *net = dev_net(dev); + +- rt = ip_route_output(net, sip, tip, 0, 0); ++ rt = ip_route_output(net, sip, tip, 0, l3mdev_master_ifindex_rcu(dev)); + if (IS_ERR(rt)) + return 1; + if (rt->dst.dev != dev) { diff --git a/queue-4.16/ip6_gre-better-validate-user-provided-tunnel-names.patch b/queue-4.16/ip6_gre-better-validate-user-provided-tunnel-names.patch new file mode 100644 index 00000000000..3b6b5d99035 --- /dev/null +++ b/queue-4.16/ip6_gre-better-validate-user-provided-tunnel-names.patch @@ -0,0 +1,73 @@ +From foo@baz Tue Apr 10 23:19:25 CEST 2018 +From: Eric Dumazet +Date: Thu, 5 Apr 2018 06:39:29 -0700 +Subject: ip6_gre: better validate user provided tunnel names + +From: Eric Dumazet + + +[ Upstream commit 5f42df013b8bc1b6511af7a04bf93b014884ae2a ] + +Use dev_valid_name() to make sure user does not provide illegal +device name. + +syzbot caught the following bug : + +BUG: KASAN: stack-out-of-bounds in strlcpy include/linux/string.h:300 [inline] +BUG: KASAN: stack-out-of-bounds in ip6gre_tunnel_locate+0x334/0x860 net/ipv6/ip6_gre.c:339 +Write of size 20 at addr ffff8801afb9f7b8 by task syzkaller851048/4466 + +CPU: 1 PID: 4466 Comm: syzkaller851048 Not tainted 4.16.0+ #1 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:17 [inline] + dump_stack+0x1b9/0x29f lib/dump_stack.c:53 + print_address_description+0x6c/0x20b mm/kasan/report.c:256 + kasan_report_error mm/kasan/report.c:354 [inline] + kasan_report.cold.7+0xac/0x2f5 mm/kasan/report.c:412 + check_memory_region_inline mm/kasan/kasan.c:260 [inline] + check_memory_region+0x13e/0x1b0 mm/kasan/kasan.c:267 + memcpy+0x37/0x50 mm/kasan/kasan.c:303 + strlcpy include/linux/string.h:300 [inline] + ip6gre_tunnel_locate+0x334/0x860 net/ipv6/ip6_gre.c:339 + ip6gre_tunnel_ioctl+0x69d/0x12e0 net/ipv6/ip6_gre.c:1195 + dev_ifsioc+0x43e/0xb90 net/core/dev_ioctl.c:334 + dev_ioctl+0x69a/0xcc0 net/core/dev_ioctl.c:525 + sock_ioctl+0x47e/0x680 net/socket.c:1015 + vfs_ioctl fs/ioctl.c:46 [inline] + file_ioctl fs/ioctl.c:500 [inline] + do_vfs_ioctl+0x1cf/0x1650 fs/ioctl.c:684 + ksys_ioctl+0xa9/0xd0 fs/ioctl.c:701 + SYSC_ioctl fs/ioctl.c:708 [inline] + SyS_ioctl+0x24/0x30 fs/ioctl.c:706 + do_syscall_64+0x29e/0x9d0 arch/x86/entry/common.c:287 + entry_SYSCALL_64_after_hwframe+0x42/0xb7 + +Fixes: c12b395a4664 ("gre: Support GRE over IPv6") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/ip6_gre.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +--- a/net/ipv6/ip6_gre.c ++++ b/net/ipv6/ip6_gre.c +@@ -335,11 +335,13 @@ static struct ip6_tnl *ip6gre_tunnel_loc + if (t || !create) + return t; + +- if (parms->name[0]) ++ if (parms->name[0]) { ++ if (!dev_valid_name(parms->name)) ++ return NULL; + strlcpy(name, parms->name, IFNAMSIZ); +- else ++ } else { + strcpy(name, "ip6gre%d"); +- ++ } + dev = alloc_netdev(sizeof(*t), name, NET_NAME_UNKNOWN, + ip6gre_tunnel_setup); + if (!dev) diff --git a/queue-4.16/ip6_tunnel-better-validate-user-provided-tunnel-names.patch b/queue-4.16/ip6_tunnel-better-validate-user-provided-tunnel-names.patch new file mode 100644 index 00000000000..92f73e4398b --- /dev/null +++ b/queue-4.16/ip6_tunnel-better-validate-user-provided-tunnel-names.patch @@ -0,0 +1,44 @@ +From foo@baz Tue Apr 10 23:19:25 CEST 2018 +From: Eric Dumazet +Date: Thu, 5 Apr 2018 06:39:30 -0700 +Subject: ip6_tunnel: better validate user provided tunnel names + +From: Eric Dumazet + + +[ Upstream commit db7a65e3ab78e5b1c4b17c0870ebee35a4ee3257 ] + +Use valid_name() to make sure user does not provide illegal +device name. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/ip6_tunnel.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +--- a/net/ipv6/ip6_tunnel.c ++++ b/net/ipv6/ip6_tunnel.c +@@ -297,13 +297,16 @@ static struct ip6_tnl *ip6_tnl_create(st + struct net_device *dev; + struct ip6_tnl *t; + char name[IFNAMSIZ]; +- int err = -ENOMEM; ++ int err = -E2BIG; + +- if (p->name[0]) ++ if (p->name[0]) { ++ if (!dev_valid_name(p->name)) ++ goto failed; + strlcpy(name, p->name, IFNAMSIZ); +- else ++ } else { + sprintf(name, "ip6tnl%%d"); +- ++ } ++ err = -ENOMEM; + dev = alloc_netdev(sizeof(*t), name, NET_NAME_UNKNOWN, + ip6_tnl_dev_setup); + if (!dev) diff --git a/queue-4.16/ip_tunnel-better-validate-user-provided-tunnel-names.patch b/queue-4.16/ip_tunnel-better-validate-user-provided-tunnel-names.patch new file mode 100644 index 00000000000..0ae1904e1ac --- /dev/null +++ b/queue-4.16/ip_tunnel-better-validate-user-provided-tunnel-names.patch @@ -0,0 +1,78 @@ +From foo@baz Tue Apr 10 23:19:25 CEST 2018 +From: Eric Dumazet +Date: Thu, 5 Apr 2018 06:39:27 -0700 +Subject: ip_tunnel: better validate user provided tunnel names + +From: Eric Dumazet + + +[ Upstream commit 9cb726a212a82c88c98aa9f0037fd04777cd8fe5 ] + +Use dev_valid_name() to make sure user does not provide illegal +device name. + +syzbot caught the following bug : + +BUG: KASAN: stack-out-of-bounds in strlcpy include/linux/string.h:300 [inline] +BUG: KASAN: stack-out-of-bounds in __ip_tunnel_create+0xca/0x6b0 net/ipv4/ip_tunnel.c:257 +Write of size 20 at addr ffff8801ac79f810 by task syzkaller268107/4482 + +CPU: 0 PID: 4482 Comm: syzkaller268107 Not tainted 4.16.0+ #1 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:17 [inline] + dump_stack+0x1b9/0x29f lib/dump_stack.c:53 + print_address_description+0x6c/0x20b mm/kasan/report.c:256 + kasan_report_error mm/kasan/report.c:354 [inline] + kasan_report.cold.7+0xac/0x2f5 mm/kasan/report.c:412 + check_memory_region_inline mm/kasan/kasan.c:260 [inline] + check_memory_region+0x13e/0x1b0 mm/kasan/kasan.c:267 + memcpy+0x37/0x50 mm/kasan/kasan.c:303 + strlcpy include/linux/string.h:300 [inline] + __ip_tunnel_create+0xca/0x6b0 net/ipv4/ip_tunnel.c:257 + ip_tunnel_create net/ipv4/ip_tunnel.c:352 [inline] + ip_tunnel_ioctl+0x818/0xd40 net/ipv4/ip_tunnel.c:861 + ipip_tunnel_ioctl+0x1c5/0x420 net/ipv4/ipip.c:350 + dev_ifsioc+0x43e/0xb90 net/core/dev_ioctl.c:334 + dev_ioctl+0x69a/0xcc0 net/core/dev_ioctl.c:525 + sock_ioctl+0x47e/0x680 net/socket.c:1015 + vfs_ioctl fs/ioctl.c:46 [inline] + file_ioctl fs/ioctl.c:500 [inline] + do_vfs_ioctl+0x1cf/0x1650 fs/ioctl.c:684 + ksys_ioctl+0xa9/0xd0 fs/ioctl.c:701 + SYSC_ioctl fs/ioctl.c:708 [inline] + SyS_ioctl+0x24/0x30 fs/ioctl.c:706 + do_syscall_64+0x29e/0x9d0 arch/x86/entry/common.c:287 + entry_SYSCALL_64_after_hwframe+0x42/0xb7 + +Fixes: c54419321455 ("GRE: Refactor GRE tunneling code.") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/ip_tunnel.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +--- a/net/ipv4/ip_tunnel.c ++++ b/net/ipv4/ip_tunnel.c +@@ -253,13 +253,14 @@ static struct net_device *__ip_tunnel_cr + struct net_device *dev; + char name[IFNAMSIZ]; + +- if (parms->name[0]) ++ err = -E2BIG; ++ if (parms->name[0]) { ++ if (!dev_valid_name(parms->name)) ++ goto failed; + strlcpy(name, parms->name, IFNAMSIZ); +- else { +- if (strlen(ops->kind) > (IFNAMSIZ - 3)) { +- err = -E2BIG; ++ } else { ++ if (strlen(ops->kind) > (IFNAMSIZ - 3)) + goto failed; +- } + strlcpy(name, ops->kind, IFNAMSIZ); + strncat(name, "%d", 2); + } diff --git a/queue-4.16/ipv6-sit-better-validate-user-provided-tunnel-names.patch b/queue-4.16/ipv6-sit-better-validate-user-provided-tunnel-names.patch new file mode 100644 index 00000000000..98e2009aea3 --- /dev/null +++ b/queue-4.16/ipv6-sit-better-validate-user-provided-tunnel-names.patch @@ -0,0 +1,73 @@ +From foo@baz Tue Apr 10 23:19:25 CEST 2018 +From: Eric Dumazet +Date: Thu, 5 Apr 2018 06:39:28 -0700 +Subject: ipv6: sit: better validate user provided tunnel names + +From: Eric Dumazet + + +[ Upstream commit b95211e066fc3494b7c115060b2297b4ba21f025 ] + +Use dev_valid_name() to make sure user does not provide illegal +device name. + +syzbot caught the following bug : + +BUG: KASAN: stack-out-of-bounds in strlcpy include/linux/string.h:300 [inline] +BUG: KASAN: stack-out-of-bounds in ipip6_tunnel_locate+0x63b/0xaa0 net/ipv6/sit.c:254 +Write of size 33 at addr ffff8801b64076d8 by task syzkaller932654/4453 + +CPU: 0 PID: 4453 Comm: syzkaller932654 Not tainted 4.16.0+ #1 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:17 [inline] + dump_stack+0x1b9/0x29f lib/dump_stack.c:53 + print_address_description+0x6c/0x20b mm/kasan/report.c:256 + kasan_report_error mm/kasan/report.c:354 [inline] + kasan_report.cold.7+0xac/0x2f5 mm/kasan/report.c:412 + check_memory_region_inline mm/kasan/kasan.c:260 [inline] + check_memory_region+0x13e/0x1b0 mm/kasan/kasan.c:267 + memcpy+0x37/0x50 mm/kasan/kasan.c:303 + strlcpy include/linux/string.h:300 [inline] + ipip6_tunnel_locate+0x63b/0xaa0 net/ipv6/sit.c:254 + ipip6_tunnel_ioctl+0xe71/0x241b net/ipv6/sit.c:1221 + dev_ifsioc+0x43e/0xb90 net/core/dev_ioctl.c:334 + dev_ioctl+0x69a/0xcc0 net/core/dev_ioctl.c:525 + sock_ioctl+0x47e/0x680 net/socket.c:1015 + vfs_ioctl fs/ioctl.c:46 [inline] + file_ioctl fs/ioctl.c:500 [inline] + do_vfs_ioctl+0x1cf/0x1650 fs/ioctl.c:684 + ksys_ioctl+0xa9/0xd0 fs/ioctl.c:701 + SYSC_ioctl fs/ioctl.c:708 [inline] + SyS_ioctl+0x24/0x30 fs/ioctl.c:706 + do_syscall_64+0x29e/0x9d0 arch/x86/entry/common.c:287 + entry_SYSCALL_64_after_hwframe+0x42/0xb7 + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/sit.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +--- a/net/ipv6/sit.c ++++ b/net/ipv6/sit.c +@@ -250,11 +250,13 @@ static struct ip_tunnel *ipip6_tunnel_lo + if (!create) + goto failed; + +- if (parms->name[0]) ++ if (parms->name[0]) { ++ if (!dev_valid_name(parms->name)) ++ goto failed; + strlcpy(name, parms->name, IFNAMSIZ); +- else ++ } else { + strcpy(name, "sit%d"); +- ++ } + dev = alloc_netdev(sizeof(*t), name, NET_NAME_UNKNOWN, + ipip6_tunnel_setup); + if (!dev) diff --git a/queue-4.16/net-dsa-discard-frames-from-unused-ports.patch b/queue-4.16/net-dsa-discard-frames-from-unused-ports.patch new file mode 100644 index 00000000000..339797bc449 --- /dev/null +++ b/queue-4.16/net-dsa-discard-frames-from-unused-ports.patch @@ -0,0 +1,49 @@ +From foo@baz Tue Apr 10 23:19:25 CEST 2018 +From: Andrew Lunn +Date: Sat, 7 Apr 2018 20:37:40 +0200 +Subject: net: dsa: Discard frames from unused ports + +From: Andrew Lunn + + +[ Upstream commit fc5f33768cca7144f8d793205b229d46740d183b ] + +The Marvell switches under some conditions will pass a frame to the +host with the port being the CPU port. Such frames are invalid, and +should be dropped. Not dropping them can result in a crash when +incrementing the receive statistics for an invalid port. + +Reported-by: Chris Healy +Fixes: 91da11f870f0 ("net: Distributed Switch Architecture protocol support") +Signed-off-by: Andrew Lunn +Reviewed-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/dsa/dsa_priv.h | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/net/dsa/dsa_priv.h ++++ b/net/dsa/dsa_priv.h +@@ -126,6 +126,7 @@ static inline struct net_device *dsa_mas + struct dsa_port *cpu_dp = dev->dsa_ptr; + struct dsa_switch_tree *dst = cpu_dp->dst; + struct dsa_switch *ds; ++ struct dsa_port *slave_port; + + if (device < 0 || device >= DSA_MAX_SWITCHES) + return NULL; +@@ -137,7 +138,12 @@ static inline struct net_device *dsa_mas + if (port < 0 || port >= ds->num_ports) + return NULL; + +- return ds->ports[port].slave; ++ slave_port = &ds->ports[port]; ++ ++ if (unlikely(slave_port->type != DSA_PORT_TYPE_USER)) ++ return NULL; ++ ++ return slave_port->slave; + } + + /* port.c */ diff --git a/queue-4.16/net-fool-proof-dev_valid_name.patch b/queue-4.16/net-fool-proof-dev_valid_name.patch new file mode 100644 index 00000000000..066791b6640 --- /dev/null +++ b/queue-4.16/net-fool-proof-dev_valid_name.patch @@ -0,0 +1,32 @@ +From foo@baz Tue Apr 10 23:19:25 CEST 2018 +From: Eric Dumazet +Date: Thu, 5 Apr 2018 06:39:26 -0700 +Subject: net: fool proof dev_valid_name() + +From: Eric Dumazet + + +[ Upstream commit a9d48205d0aedda021fc3728972a9e9934c2b9de ] + +We want to use dev_valid_name() to validate tunnel names, +so better use strnlen(name, IFNAMSIZ) than strlen(name) to make +sure to not upset KASAN. + +Signed-off-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/core/dev.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -1027,7 +1027,7 @@ bool dev_valid_name(const char *name) + { + if (*name == '\0') + return false; +- if (strlen(name) >= IFNAMSIZ) ++ if (strnlen(name, IFNAMSIZ) == IFNAMSIZ) + return false; + if (!strcmp(name, ".") || !strcmp(name, "..")) + return false; diff --git a/queue-4.16/net-ipv6-increment-outxxx-counters-after-netfilter-hook.patch b/queue-4.16/net-ipv6-increment-outxxx-counters-after-netfilter-hook.patch new file mode 100644 index 00000000000..a5891532058 --- /dev/null +++ b/queue-4.16/net-ipv6-increment-outxxx-counters-after-netfilter-hook.patch @@ -0,0 +1,48 @@ +From foo@baz Tue Apr 10 23:19:25 CEST 2018 +From: Jeff Barnhill <0xeffeff@gmail.com> +Date: Thu, 5 Apr 2018 21:29:47 +0000 +Subject: net/ipv6: Increment OUTxxx counters after netfilter hook + +From: Jeff Barnhill <0xeffeff@gmail.com> + + +[ Upstream commit 71a1c915238c970cd9bdd5bf158b1279d6b6d55b ] + +At the end of ip6_forward(), IPSTATS_MIB_OUTFORWDATAGRAMS and +IPSTATS_MIB_OUTOCTETS are incremented immediately before the NF_HOOK call +for NFPROTO_IPV6 / NF_INET_FORWARD. As a result, these counters get +incremented regardless of whether or not the netfilter hook allows the +packet to continue being processed. This change increments the counters +in ip6_forward_finish() so that it will not happen if the netfilter hook +chooses to terminate the packet, which is similar to how IPv4 works. + +Signed-off-by: Jeff Barnhill <0xeffeff@gmail.com> +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/ip6_output.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/net/ipv6/ip6_output.c ++++ b/net/ipv6/ip6_output.c +@@ -375,6 +375,11 @@ static int ip6_forward_proxy_check(struc + static inline int ip6_forward_finish(struct net *net, struct sock *sk, + struct sk_buff *skb) + { ++ struct dst_entry *dst = skb_dst(skb); ++ ++ __IP6_INC_STATS(net, ip6_dst_idev(dst), IPSTATS_MIB_OUTFORWDATAGRAMS); ++ __IP6_ADD_STATS(net, ip6_dst_idev(dst), IPSTATS_MIB_OUTOCTETS, skb->len); ++ + return dst_output(net, sk, skb); + } + +@@ -569,8 +574,6 @@ int ip6_forward(struct sk_buff *skb) + + hdr->hop_limit--; + +- __IP6_INC_STATS(net, ip6_dst_idev(dst), IPSTATS_MIB_OUTFORWDATAGRAMS); +- __IP6_ADD_STATS(net, ip6_dst_idev(dst), IPSTATS_MIB_OUTOCTETS, skb->len); + return NF_HOOK(NFPROTO_IPV6, NF_INET_FORWARD, + net, NULL, skb, skb->dev, dst->dev, + ip6_forward_finish); diff --git a/queue-4.16/net-sched-fix-null-dereference-in-the-error-path-of-tcf_bpf_init.patch b/queue-4.16/net-sched-fix-null-dereference-in-the-error-path-of-tcf_bpf_init.patch new file mode 100644 index 00000000000..66758ae77cf --- /dev/null +++ b/queue-4.16/net-sched-fix-null-dereference-in-the-error-path-of-tcf_bpf_init.patch @@ -0,0 +1,100 @@ +From foo@baz Tue Apr 10 23:19:25 CEST 2018 +From: Davide Caratti +Date: Fri, 6 Apr 2018 01:19:37 +0200 +Subject: net/sched: fix NULL dereference in the error path of tcf_bpf_init() + +From: Davide Caratti + + +[ Upstream commit 3239534a79ee6f20cffd974173a1e62e0730e8ac ] + +when tcf_bpf_init_from_ops() fails (e.g. because of program having invalid +number of instructions), tcf_bpf_cfg_cleanup() calls bpf_prog_put(NULL) or +bpf_prog_destroy(NULL). Unless CONFIG_BPF_SYSCALL is unset, this causes +the following error: + + BUG: unable to handle kernel NULL pointer dereference at 0000000000000020 + PGD 800000007345a067 P4D 800000007345a067 PUD 340e1067 PMD 0 + Oops: 0000 [#1] SMP PTI + Modules linked in: act_bpf(E) ip6table_filter ip6_tables iptable_filter binfmt_misc ext4 mbcache jbd2 crct10dif_pclmul crc32_pclmul ghash_clmulni_intel snd_hda_codec_generic pcbc snd_hda_intel snd_hda_codec snd_hda_core snd_hwdep snd_seq snd_seq_device snd_pcm aesni_intel crypto_simd glue_helper cryptd joydev snd_timer snd virtio_balloon pcspkr soundcore i2c_piix4 nfsd auth_rpcgss nfs_acl lockd grace sunrpc ip_tables xfs libcrc32c ata_generic pata_acpi qxl drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm virtio_blk drm virtio_net virtio_console i2c_core crc32c_intel serio_raw virtio_pci ata_piix libata virtio_ring floppy virtio dm_mirror dm_region_hash dm_log dm_mod [last unloaded: act_bpf] + CPU: 3 PID: 5654 Comm: tc Tainted: G E 4.16.0.bpf_test+ #408 + Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011 + RIP: 0010:__bpf_prog_put+0xc/0xc0 + RSP: 0018:ffff9594003ef728 EFLAGS: 00010202 + RAX: 0000000000000000 RBX: ffff9594003ef758 RCX: 0000000000000024 + RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000 + RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000044 + R10: 0000000000000220 R11: ffff8a7ab9f17131 R12: 0000000000000000 + R13: ffff8a7ab7c3c8e0 R14: 0000000000000001 R15: ffff8a7ab88f1054 + FS: 00007fcb2f17c740(0000) GS:ffff8a7abfd80000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 0000000000000020 CR3: 000000007c888006 CR4: 00000000001606e0 + Call Trace: + tcf_bpf_cfg_cleanup+0x2f/0x40 [act_bpf] + tcf_bpf_cleanup+0x4c/0x70 [act_bpf] + __tcf_idr_release+0x79/0x140 + tcf_bpf_init+0x125/0x330 [act_bpf] + tcf_action_init_1+0x2cc/0x430 + ? get_page_from_freelist+0x3f0/0x11b0 + tcf_action_init+0xd3/0x1b0 + tc_ctl_action+0x18b/0x240 + rtnetlink_rcv_msg+0x29c/0x310 + ? _cond_resched+0x15/0x30 + ? __kmalloc_node_track_caller+0x1b9/0x270 + ? rtnl_calcit.isra.29+0x100/0x100 + netlink_rcv_skb+0xd2/0x110 + netlink_unicast+0x17c/0x230 + netlink_sendmsg+0x2cd/0x3c0 + sock_sendmsg+0x30/0x40 + ___sys_sendmsg+0x27a/0x290 + ? mem_cgroup_commit_charge+0x80/0x130 + ? page_add_new_anon_rmap+0x73/0xc0 + ? do_anonymous_page+0x2a2/0x560 + ? __handle_mm_fault+0xc75/0xe20 + __sys_sendmsg+0x58/0xa0 + do_syscall_64+0x6e/0x1a0 + entry_SYSCALL_64_after_hwframe+0x3d/0xa2 + RIP: 0033:0x7fcb2e58eba0 + RSP: 002b:00007ffc93c496c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e + RAX: ffffffffffffffda RBX: 00007ffc93c497f0 RCX: 00007fcb2e58eba0 + RDX: 0000000000000000 RSI: 00007ffc93c49740 RDI: 0000000000000003 + RBP: 000000005ac6a646 R08: 0000000000000002 R09: 0000000000000000 + R10: 00007ffc93c49120 R11: 0000000000000246 R12: 0000000000000000 + R13: 00007ffc93c49804 R14: 0000000000000001 R15: 000000000066afa0 + Code: 5f 00 48 8b 43 20 48 c7 c7 70 2f 7c b8 c7 40 10 00 00 00 00 5b e9 a5 8b 61 00 0f 1f 44 00 00 0f 1f 44 00 00 41 54 55 48 89 fd 53 <48> 8b 47 20 f0 ff 08 74 05 5b 5d 41 5c c3 41 89 f4 0f 1f 44 00 + RIP: __bpf_prog_put+0xc/0xc0 RSP: ffff9594003ef728 + CR2: 0000000000000020 + +Fix it in tcf_bpf_cfg_cleanup(), ensuring that bpf_prog_{put,destroy}(f) +is called only when f is not NULL. + +Fixes: bbc09e7842a5 ("net/sched: fix idr leak on the error path of tcf_bpf_init()") +Reported-by: Lucas Bates +Signed-off-by: Davide Caratti +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/sched/act_bpf.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +--- a/net/sched/act_bpf.c ++++ b/net/sched/act_bpf.c +@@ -248,10 +248,14 @@ static int tcf_bpf_init_from_efd(struct + + static void tcf_bpf_cfg_cleanup(const struct tcf_bpf_cfg *cfg) + { +- if (cfg->is_ebpf) +- bpf_prog_put(cfg->filter); +- else +- bpf_prog_destroy(cfg->filter); ++ struct bpf_prog *filter = cfg->filter; ++ ++ if (filter) { ++ if (cfg->is_ebpf) ++ bpf_prog_put(filter); ++ else ++ bpf_prog_destroy(filter); ++ } + + kfree(cfg->bpf_ops); + kfree(cfg->bpf_name); diff --git a/queue-4.16/net_sched-fix-a-missing-idr_remove-in-u32_delete_key.patch b/queue-4.16/net_sched-fix-a-missing-idr_remove-in-u32_delete_key.patch new file mode 100644 index 00000000000..901461ac4ee --- /dev/null +++ b/queue-4.16/net_sched-fix-a-missing-idr_remove-in-u32_delete_key.patch @@ -0,0 +1,33 @@ +From foo@baz Tue Apr 10 23:19:25 CEST 2018 +From: Cong Wang +Date: Fri, 6 Apr 2018 17:19:41 -0700 +Subject: net_sched: fix a missing idr_remove() in u32_delete_key() + +From: Cong Wang + + +[ Upstream commit f12c643209db0626f2f54780d86bb93bfa7a9c2d ] + +When we delete a u32 key via u32_delete_key(), we forget to +call idr_remove() to remove its handle from IDR. + +Fixes: e7614370d6f0 ("net_sched: use idr to allocate u32 filter handles") +Reported-by: Marcin Kabiesz +Tested-by: Marcin Kabiesz +Signed-off-by: Cong Wang +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/sched/cls_u32.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/sched/cls_u32.c ++++ b/net/sched/cls_u32.c +@@ -489,6 +489,7 @@ static int u32_delete_key(struct tcf_pro + RCU_INIT_POINTER(*kp, key->next); + + tcf_unbind_filter(tp, &key->res); ++ idr_remove(&ht->handle_idr, key->handle); + tcf_exts_get_net(&key->exts); + call_rcu(&key->rcu, u32_delete_key_freepf_rcu); + return 0; diff --git a/queue-4.16/nfp-use-full-40-bits-of-the-nsp-buffer-address.patch b/queue-4.16/nfp-use-full-40-bits-of-the-nsp-buffer-address.patch new file mode 100644 index 00000000000..634afe13563 --- /dev/null +++ b/queue-4.16/nfp-use-full-40-bits-of-the-nsp-buffer-address.patch @@ -0,0 +1,62 @@ +From foo@baz Tue Apr 10 23:19:25 CEST 2018 +From: Dirk van der Merwe +Date: Tue, 3 Apr 2018 17:24:23 -0700 +Subject: nfp: use full 40 bits of the NSP buffer address + +From: Dirk van der Merwe + + +[ Upstream commit 1489bbd10e16079ce30a53d3c22a431fd47af791 ] + +The NSP default buffer is a piece of NFP memory where additional +command data can be placed. Its format has been copied from +host buffer, but the PCIe selection bits do not make sense in +this case. If those get masked out from a NFP address - writes +to random place in the chip memory may be issued and crash the +device. + +Even in the general NSP buffer case, it doesn't make sense to have the +PCIe selection bits there anymore. These are unused at the moment, and +when it becomes necessary, the PCIe selection bits should rather be +moved to another register to utilise more bits for the buffer address. + +This has never been an issue because the buffer used to be +allocated in memory with less-than-38-bit-long address but that +is about to change. + +Fixes: 1a64821c6af7 ("nfp: add support for service processor access") +Signed-off-by: Dirk van der Merwe +Reviewed-by: Jakub Kicinski +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/netronome/nfp/nfpcore/nfp_nsp.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +--- a/drivers/net/ethernet/netronome/nfp/nfpcore/nfp_nsp.c ++++ b/drivers/net/ethernet/netronome/nfp/nfpcore/nfp_nsp.c +@@ -71,10 +71,11 @@ + /* CPP address to retrieve the data from */ + #define NSP_BUFFER 0x10 + #define NSP_BUFFER_CPP GENMASK_ULL(63, 40) +-#define NSP_BUFFER_PCIE GENMASK_ULL(39, 38) +-#define NSP_BUFFER_ADDRESS GENMASK_ULL(37, 0) ++#define NSP_BUFFER_ADDRESS GENMASK_ULL(39, 0) + + #define NSP_DFLT_BUFFER 0x18 ++#define NSP_DFLT_BUFFER_CPP GENMASK_ULL(63, 40) ++#define NSP_DFLT_BUFFER_ADDRESS GENMASK_ULL(39, 0) + + #define NSP_DFLT_BUFFER_CONFIG 0x20 + #define NSP_DFLT_BUFFER_SIZE_MB GENMASK_ULL(7, 0) +@@ -427,8 +428,8 @@ __nfp_nsp_command_buf(struct nfp_nsp *ns + if (err < 0) + return err; + +- cpp_id = FIELD_GET(NSP_BUFFER_CPP, reg) << 8; +- cpp_buf = FIELD_GET(NSP_BUFFER_ADDRESS, reg); ++ cpp_id = FIELD_GET(NSP_DFLT_BUFFER_CPP, reg) << 8; ++ cpp_buf = FIELD_GET(NSP_DFLT_BUFFER_ADDRESS, reg); + + if (in_buf && in_size) { + err = nfp_cpp_write(cpp, cpp_id, cpp_buf, in_buf, in_size); diff --git a/queue-4.16/pptp-remove-a-buggy-dst-release-in-pptp_connect.patch b/queue-4.16/pptp-remove-a-buggy-dst-release-in-pptp_connect.patch new file mode 100644 index 00000000000..71eecbdecd4 --- /dev/null +++ b/queue-4.16/pptp-remove-a-buggy-dst-release-in-pptp_connect.patch @@ -0,0 +1,115 @@ +From foo@baz Tue Apr 10 23:19:25 CEST 2018 +From: Eric Dumazet +Date: Mon, 2 Apr 2018 18:48:37 -0700 +Subject: pptp: remove a buggy dst release in pptp_connect() + +From: Eric Dumazet + + +[ Upstream commit bfacfb457b36911a10140b8cb3ce76a74883ac5a ] + +Once dst has been cached in socket via sk_setup_caps(), +it is illegal to call ip_rt_put() (or dst_release()), +since sk_setup_caps() did not change dst refcount. + +We can still dereference it since we hold socket lock. + +Caugth by syzbot : + +BUG: KASAN: use-after-free in atomic_dec_return include/asm-generic/atomic-instrumented.h:198 [inline] +BUG: KASAN: use-after-free in dst_release+0x27/0xa0 net/core/dst.c:185 +Write of size 4 at addr ffff8801c54dc040 by task syz-executor4/20088 + +CPU: 1 PID: 20088 Comm: syz-executor4 Not tainted 4.16.0+ #376 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:17 [inline] + dump_stack+0x1a7/0x27d lib/dump_stack.c:53 + print_address_description+0x73/0x250 mm/kasan/report.c:256 + kasan_report_error mm/kasan/report.c:354 [inline] + kasan_report+0x23c/0x360 mm/kasan/report.c:412 + check_memory_region_inline mm/kasan/kasan.c:260 [inline] + check_memory_region+0x137/0x190 mm/kasan/kasan.c:267 + kasan_check_write+0x14/0x20 mm/kasan/kasan.c:278 + atomic_dec_return include/asm-generic/atomic-instrumented.h:198 [inline] + dst_release+0x27/0xa0 net/core/dst.c:185 + sk_dst_set include/net/sock.h:1812 [inline] + sk_dst_reset include/net/sock.h:1824 [inline] + sock_setbindtodevice net/core/sock.c:610 [inline] + sock_setsockopt+0x431/0x1b20 net/core/sock.c:707 + SYSC_setsockopt net/socket.c:1845 [inline] + SyS_setsockopt+0x2ff/0x360 net/socket.c:1828 + do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287 + entry_SYSCALL_64_after_hwframe+0x42/0xb7 +RIP: 0033:0x4552d9 +RSP: 002b:00007f4878126c68 EFLAGS: 00000246 ORIG_RAX: 0000000000000036 +RAX: ffffffffffffffda RBX: 00007f48781276d4 RCX: 00000000004552d9 +RDX: 0000000000000019 RSI: 0000000000000001 RDI: 0000000000000013 +RBP: 000000000072bea0 R08: 0000000000000010 R09: 0000000000000000 +R10: 00000000200010c0 R11: 0000000000000246 R12: 00000000ffffffff +R13: 0000000000000526 R14: 00000000006fac30 R15: 0000000000000000 + +Allocated by task 20088: + save_stack+0x43/0xd0 mm/kasan/kasan.c:447 + set_track mm/kasan/kasan.c:459 [inline] + kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:552 + kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:489 + kmem_cache_alloc+0x12e/0x760 mm/slab.c:3542 + dst_alloc+0x11f/0x1a0 net/core/dst.c:104 + rt_dst_alloc+0xe9/0x540 net/ipv4/route.c:1520 + __mkroute_output net/ipv4/route.c:2265 [inline] + ip_route_output_key_hash_rcu+0xa49/0x2c60 net/ipv4/route.c:2493 + ip_route_output_key_hash+0x20b/0x370 net/ipv4/route.c:2322 + __ip_route_output_key include/net/route.h:126 [inline] + ip_route_output_flow+0x26/0xa0 net/ipv4/route.c:2577 + ip_route_output_ports include/net/route.h:163 [inline] + pptp_connect+0xa84/0x1170 drivers/net/ppp/pptp.c:453 + SYSC_connect+0x213/0x4a0 net/socket.c:1639 + SyS_connect+0x24/0x30 net/socket.c:1620 + do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287 + entry_SYSCALL_64_after_hwframe+0x42/0xb7 + +Freed by task 20082: + save_stack+0x43/0xd0 mm/kasan/kasan.c:447 + set_track mm/kasan/kasan.c:459 [inline] + __kasan_slab_free+0x11a/0x170 mm/kasan/kasan.c:520 + kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:527 + __cache_free mm/slab.c:3486 [inline] + kmem_cache_free+0x83/0x2a0 mm/slab.c:3744 + dst_destroy+0x266/0x380 net/core/dst.c:140 + dst_destroy_rcu+0x16/0x20 net/core/dst.c:153 + __rcu_reclaim kernel/rcu/rcu.h:178 [inline] + rcu_do_batch kernel/rcu/tree.c:2675 [inline] + invoke_rcu_callbacks kernel/rcu/tree.c:2930 [inline] + __rcu_process_callbacks kernel/rcu/tree.c:2897 [inline] + rcu_process_callbacks+0xd6c/0x17b0 kernel/rcu/tree.c:2914 + __do_softirq+0x2d7/0xb85 kernel/softirq.c:285 + +The buggy address belongs to the object at ffff8801c54dc000 + which belongs to the cache ip_dst_cache of size 168 +The buggy address is located 64 bytes inside of + 168-byte region [ffff8801c54dc000, ffff8801c54dc0a8) +The buggy address belongs to the page: +page:ffffea0007153700 count:1 mapcount:0 mapping:ffff8801c54dc000 index:0x0 +flags: 0x2fffc0000000100(slab) +raw: 02fffc0000000100 ffff8801c54dc000 0000000000000000 0000000100000010 +raw: ffffea0006b34b20 ffffea0006b6c1e0 ffff8801d674a1c0 0000000000000000 +page dumped because: kasan: bad access detected + +Signed-off-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ppp/pptp.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/drivers/net/ppp/pptp.c ++++ b/drivers/net/ppp/pptp.c +@@ -464,7 +464,6 @@ static int pptp_connect(struct socket *s + po->chan.mtu = dst_mtu(&rt->dst); + if (!po->chan.mtu) + po->chan.mtu = PPP_MRU; +- ip_rt_put(rt); + po->chan.mtu -= PPTP_HEADER_OVERHEAD; + + po->chan.hdrlen = 2 + sizeof(struct pptp_gre_header); diff --git a/queue-4.16/sctp-do-not-leak-kernel-memory-to-user-space.patch b/queue-4.16/sctp-do-not-leak-kernel-memory-to-user-space.patch new file mode 100644 index 00000000000..69e9ed276f9 --- /dev/null +++ b/queue-4.16/sctp-do-not-leak-kernel-memory-to-user-space.patch @@ -0,0 +1,95 @@ +From foo@baz Tue Apr 10 23:19:25 CEST 2018 +From: Eric Dumazet +Date: Sat, 7 Apr 2018 17:15:22 -0700 +Subject: sctp: do not leak kernel memory to user space + +From: Eric Dumazet + + +[ Upstream commit 6780db244d6b1537d139dea0ec8aad10cf9e4adb ] + +syzbot produced a nice report [1] + +Issue here is that a recvmmsg() managed to leak 8 bytes of kernel memory +to user space, because sin_zero (padding field) was not properly cleared. + +[1] +BUG: KMSAN: uninit-value in copy_to_user include/linux/uaccess.h:184 [inline] +BUG: KMSAN: uninit-value in move_addr_to_user+0x32e/0x530 net/socket.c:227 +CPU: 1 PID: 3586 Comm: syzkaller481044 Not tainted 4.16.0+ #82 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:17 [inline] + dump_stack+0x185/0x1d0 lib/dump_stack.c:53 + kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067 + kmsan_internal_check_memory+0x164/0x1d0 mm/kmsan/kmsan.c:1176 + kmsan_copy_to_user+0x69/0x160 mm/kmsan/kmsan.c:1199 + copy_to_user include/linux/uaccess.h:184 [inline] + move_addr_to_user+0x32e/0x530 net/socket.c:227 + ___sys_recvmsg+0x4e2/0x810 net/socket.c:2211 + __sys_recvmmsg+0x54e/0xdb0 net/socket.c:2313 + SYSC_recvmmsg+0x29b/0x3e0 net/socket.c:2394 + SyS_recvmmsg+0x76/0xa0 net/socket.c:2378 + do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287 + entry_SYSCALL_64_after_hwframe+0x3d/0xa2 +RIP: 0033:0x4401c9 +RSP: 002b:00007ffc56f73098 EFLAGS: 00000217 ORIG_RAX: 000000000000012b +RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004401c9 +RDX: 0000000000000001 RSI: 0000000020003ac0 RDI: 0000000000000003 +RBP: 00000000006ca018 R08: 0000000020003bc0 R09: 0000000000000010 +R10: 0000000000000000 R11: 0000000000000217 R12: 0000000000401af0 +R13: 0000000000401b80 R14: 0000000000000000 R15: 0000000000000000 + +Local variable description: ----addr@___sys_recvmsg +Variable was created at: + ___sys_recvmsg+0xd5/0x810 net/socket.c:2172 + __sys_recvmmsg+0x54e/0xdb0 net/socket.c:2313 + +Bytes 8-15 of 16 are uninitialized + +================================================================== +Kernel panic - not syncing: panic_on_warn set ... + +CPU: 1 PID: 3586 Comm: syzkaller481044 Tainted: G B 4.16.0+ #82 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:17 [inline] + dump_stack+0x185/0x1d0 lib/dump_stack.c:53 + panic+0x39d/0x940 kernel/panic.c:183 + kmsan_report+0x238/0x240 mm/kmsan/kmsan.c:1083 + kmsan_internal_check_memory+0x164/0x1d0 mm/kmsan/kmsan.c:1176 + kmsan_copy_to_user+0x69/0x160 mm/kmsan/kmsan.c:1199 + copy_to_user include/linux/uaccess.h:184 [inline] + move_addr_to_user+0x32e/0x530 net/socket.c:227 + ___sys_recvmsg+0x4e2/0x810 net/socket.c:2211 + __sys_recvmmsg+0x54e/0xdb0 net/socket.c:2313 + SYSC_recvmmsg+0x29b/0x3e0 net/socket.c:2394 + SyS_recvmmsg+0x76/0xa0 net/socket.c:2378 + do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287 + entry_SYSCALL_64_after_hwframe+0x3d/0xa2 + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Eric Dumazet +Cc: Vlad Yasevich +Cc: Neil Horman +Reported-by: syzbot +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/sctp/ipv6.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/net/sctp/ipv6.c ++++ b/net/sctp/ipv6.c +@@ -728,8 +728,10 @@ static int sctp_v6_addr_to_user(struct s + sctp_v6_map_v4(addr); + } + +- if (addr->sa.sa_family == AF_INET) ++ if (addr->sa.sa_family == AF_INET) { ++ memset(addr->v4.sin_zero, 0, sizeof(addr->v4.sin_zero)); + return sizeof(struct sockaddr_in); ++ } + return sizeof(struct sockaddr_in6); + } + diff --git a/queue-4.16/sctp-sctp_sockaddr_af-must-check-minimal-addr-length-for-af_inet6.patch b/queue-4.16/sctp-sctp_sockaddr_af-must-check-minimal-addr-length-for-af_inet6.patch new file mode 100644 index 00000000000..bbfb5d2699b --- /dev/null +++ b/queue-4.16/sctp-sctp_sockaddr_af-must-check-minimal-addr-length-for-af_inet6.patch @@ -0,0 +1,76 @@ +From foo@baz Tue Apr 10 23:19:25 CEST 2018 +From: Eric Dumazet +Date: Sun, 8 Apr 2018 07:52:08 -0700 +Subject: sctp: sctp_sockaddr_af must check minimal addr length for AF_INET6 + +From: Eric Dumazet + + +[ Upstream commit 81e98370293afcb58340ce8bd71af7b97f925c26 ] + +Check must happen before call to ipv6_addr_v4mapped() + +syzbot report was : + +BUG: KMSAN: uninit-value in sctp_sockaddr_af net/sctp/socket.c:359 [inline] +BUG: KMSAN: uninit-value in sctp_do_bind+0x60f/0xdc0 net/sctp/socket.c:384 +CPU: 0 PID: 3576 Comm: syzkaller968804 Not tainted 4.16.0+ #82 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:17 [inline] + dump_stack+0x185/0x1d0 lib/dump_stack.c:53 + kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067 + __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:676 + sctp_sockaddr_af net/sctp/socket.c:359 [inline] + sctp_do_bind+0x60f/0xdc0 net/sctp/socket.c:384 + sctp_bind+0x149/0x190 net/sctp/socket.c:332 + inet6_bind+0x1fd/0x1820 net/ipv6/af_inet6.c:293 + SYSC_bind+0x3f2/0x4b0 net/socket.c:1474 + SyS_bind+0x54/0x80 net/socket.c:1460 + do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287 + entry_SYSCALL_64_after_hwframe+0x3d/0xa2 +RIP: 0033:0x43fd49 +RSP: 002b:00007ffe99df3d28 EFLAGS: 00000213 ORIG_RAX: 0000000000000031 +RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fd49 +RDX: 0000000000000010 RSI: 0000000020000000 RDI: 0000000000000003 +RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8 +R10: 00000000004002c8 R11: 0000000000000213 R12: 0000000000401670 +R13: 0000000000401700 R14: 0000000000000000 R15: 0000000000000000 + +Local variable description: ----address@SYSC_bind +Variable was created at: + SYSC_bind+0x6f/0x4b0 net/socket.c:1461 + SyS_bind+0x54/0x80 net/socket.c:1460 + +Signed-off-by: Eric Dumazet +Cc: Vlad Yasevich +Cc: Neil Horman +Reported-by: syzbot +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/sctp/socket.c | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +--- a/net/sctp/socket.c ++++ b/net/sctp/socket.c +@@ -354,11 +354,14 @@ static struct sctp_af *sctp_sockaddr_af( + if (!opt->pf->af_supported(addr->sa.sa_family, opt)) + return NULL; + +- /* V4 mapped address are really of AF_INET family */ +- if (addr->sa.sa_family == AF_INET6 && +- ipv6_addr_v4mapped(&addr->v6.sin6_addr) && +- !opt->pf->af_supported(AF_INET, opt)) +- return NULL; ++ if (addr->sa.sa_family == AF_INET6) { ++ if (len < SIN6_LEN_RFC2133) ++ return NULL; ++ /* V4 mapped address are really of AF_INET family */ ++ if (ipv6_addr_v4mapped(&addr->v6.sin6_addr) && ++ !opt->pf->af_supported(AF_INET, opt)) ++ return NULL; ++ } + + /* If we get this far, af is valid. */ + af = sctp_get_af_specific(addr->sa.sa_family); diff --git a/queue-4.16/series b/queue-4.16/series index 3018aaef8be..95e08971929 100644 --- a/queue-4.16/series +++ b/queue-4.16/series @@ -1 +1,18 @@ sparc64-oracle-dax-driver-depends-on-sparc64.patch +arp-fix-arp_filter-on-l3slave-devices.patch +net-dsa-discard-frames-from-unused-ports.patch +net-ipv6-increment-outxxx-counters-after-netfilter-hook.patch +net-sched-fix-null-dereference-in-the-error-path-of-tcf_bpf_init.patch +pptp-remove-a-buggy-dst-release-in-pptp_connect.patch +sctp-do-not-leak-kernel-memory-to-user-space.patch +sctp-sctp_sockaddr_af-must-check-minimal-addr-length-for-af_inet6.patch +sky2-increase-d3-delay-to-sky2-stops-working-after-suspend.patch +vlan-also-check-phy_driver-ts_info-for-vlan-s-real-device.patch +net-fool-proof-dev_valid_name.patch +ip_tunnel-better-validate-user-provided-tunnel-names.patch +ipv6-sit-better-validate-user-provided-tunnel-names.patch +ip6_gre-better-validate-user-provided-tunnel-names.patch +ip6_tunnel-better-validate-user-provided-tunnel-names.patch +vti6-better-validate-user-provided-tunnel-names.patch +net_sched-fix-a-missing-idr_remove-in-u32_delete_key.patch +nfp-use-full-40-bits-of-the-nsp-buffer-address.patch diff --git a/queue-4.16/sky2-increase-d3-delay-to-sky2-stops-working-after-suspend.patch b/queue-4.16/sky2-increase-d3-delay-to-sky2-stops-working-after-suspend.patch new file mode 100644 index 00000000000..319d33853a5 --- /dev/null +++ b/queue-4.16/sky2-increase-d3-delay-to-sky2-stops-working-after-suspend.patch @@ -0,0 +1,36 @@ +From foo@baz Tue Apr 10 23:19:25 CEST 2018 +From: Kai-Heng Feng +Date: Sat, 31 Mar 2018 23:42:03 +0800 +Subject: sky2: Increase D3 delay to sky2 stops working after suspend + +From: Kai-Heng Feng + + +[ Upstream commit afb133637071be6deeb8b3d0e55593ffbf63c527 ] + +The sky2 ethernet stops working after system resume from suspend: +[ 582.852065] sky2 0000:04:00.0: Refused to change power state, currently in D3 + +The current 150ms delay is not enough, change it to 200ms can solve the +issue. + +BugLink: https://bugs.launchpad.net/bugs/1758507 +Cc: Stable +Signed-off-by: Kai-Heng Feng +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/marvell/sky2.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/marvell/sky2.c ++++ b/drivers/net/ethernet/marvell/sky2.c +@@ -5087,7 +5087,7 @@ static int sky2_probe(struct pci_dev *pd + INIT_WORK(&hw->restart_work, sky2_restart); + + pci_set_drvdata(pdev, hw); +- pdev->d3_delay = 150; ++ pdev->d3_delay = 200; + + return 0; + diff --git a/queue-4.16/vlan-also-check-phy_driver-ts_info-for-vlan-s-real-device.patch b/queue-4.16/vlan-also-check-phy_driver-ts_info-for-vlan-s-real-device.patch new file mode 100644 index 00000000000..09b69dfcc68 --- /dev/null +++ b/queue-4.16/vlan-also-check-phy_driver-ts_info-for-vlan-s-real-device.patch @@ -0,0 +1,45 @@ +From foo@baz Tue Apr 10 23:19:25 CEST 2018 +From: Hangbin Liu +Date: Fri, 30 Mar 2018 09:44:00 +0800 +Subject: vlan: also check phy_driver ts_info for vlan's real device + +From: Hangbin Liu + + +[ Upstream commit ec1d8ccb07deaf30fd0508af6755364ac47dc08d ] + +Just like function ethtool_get_ts_info(), we should also consider the +phy_driver ts_info call back. For example, driver dp83640. + +Fixes: 37dd9255b2f6 ("vlan: Pass ethtool get_ts_info queries to real device.") +Acked-by: Richard Cochran +Signed-off-by: Hangbin Liu +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/8021q/vlan_dev.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/net/8021q/vlan_dev.c ++++ b/net/8021q/vlan_dev.c +@@ -29,6 +29,7 @@ + #include + #include + #include ++#include + #include + #include + +@@ -665,8 +666,11 @@ static int vlan_ethtool_get_ts_info(stru + { + const struct vlan_dev_priv *vlan = vlan_dev_priv(dev); + const struct ethtool_ops *ops = vlan->real_dev->ethtool_ops; ++ struct phy_device *phydev = vlan->real_dev->phydev; + +- if (ops->get_ts_info) { ++ if (phydev && phydev->drv && phydev->drv->ts_info) { ++ return phydev->drv->ts_info(phydev, info); ++ } else if (ops->get_ts_info) { + return ops->get_ts_info(vlan->real_dev, info); + } else { + info->so_timestamping = SOF_TIMESTAMPING_RX_SOFTWARE | diff --git a/queue-4.16/vti6-better-validate-user-provided-tunnel-names.patch b/queue-4.16/vti6-better-validate-user-provided-tunnel-names.patch new file mode 100644 index 00000000000..ee6f2fec8a4 --- /dev/null +++ b/queue-4.16/vti6-better-validate-user-provided-tunnel-names.patch @@ -0,0 +1,40 @@ +From foo@baz Tue Apr 10 23:19:25 CEST 2018 +From: Eric Dumazet +Date: Thu, 5 Apr 2018 06:39:31 -0700 +Subject: vti6: better validate user provided tunnel names + +From: Eric Dumazet + + +[ Upstream commit 537b361fbcbcc3cd6fe2bb47069fd292b9256d16 ] + +Use valid_name() to make sure user does not provide illegal +device name. + +Fixes: ed1efb2aefbb ("ipv6: Add support for IPsec virtual tunnel interfaces") +Signed-off-by: Eric Dumazet +Cc: Steffen Klassert +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/ip6_vti.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/net/ipv6/ip6_vti.c ++++ b/net/ipv6/ip6_vti.c +@@ -212,10 +212,13 @@ static struct ip6_tnl *vti6_tnl_create(s + char name[IFNAMSIZ]; + int err; + +- if (p->name[0]) ++ if (p->name[0]) { ++ if (!dev_valid_name(p->name)) ++ goto failed; + strlcpy(name, p->name, IFNAMSIZ); +- else ++ } else { + sprintf(name, "ip6_vti%%d"); ++ } + + dev = alloc_netdev(sizeof(*t), name, NET_NAME_UNKNOWN, vti6_dev_setup); + if (!dev)