From: Greg Kroah-Hartman Date: Sat, 1 Jul 2017 14:13:16 +0000 (+0200) Subject: 3.18-stable patches X-Git-Tag: v3.18.60~56 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=5e077f5d1fa8c0c10322d9c52b92811491b18766;p=thirdparty%2Fkernel%2Fstable-queue.git 3.18-stable patches added patches: decnet-always-not-take-dst-__refcnt-when-inserting-dst-into-hash-table.patch decnet-dn_rtmsg-improve-input-length-sanitization-in-dnrmg_receive_user_skb.patch fix-an-intermittent-pr_emerg-warning-about-lo-becoming-free.patch igmp-acquire-pmc-lock-for-ip_mc_clear_src.patch igmp-add-a-missing-spin_lock_init.patch ipv6-fix-calling-in6_ifa_hold-incorrectly-for-dad-work.patch net-8021q-fix-one-possible-panic-caused-by-bug_on-in-free_netdev.patch net-caif-fix-a-sleep-in-atomic-bug-in-cfpkt_create_pfx.patch net-don-t-call-strlen-on-non-terminated-string-in-dev_set_alias.patch netfilter-synproxy-fix-conntrackd-interaction.patch netfilter-xt_tcpmss-add-more-sanity-tests-on-tcph-doff.patch --- diff --git a/queue-3.18/decnet-always-not-take-dst-__refcnt-when-inserting-dst-into-hash-table.patch b/queue-3.18/decnet-always-not-take-dst-__refcnt-when-inserting-dst-into-hash-table.patch new file mode 100644 index 00000000000..11e9a585c93 --- /dev/null +++ b/queue-3.18/decnet-always-not-take-dst-__refcnt-when-inserting-dst-into-hash-table.patch @@ -0,0 +1,89 @@ +From foo@baz Thu Jun 29 19:45:34 CEST 2017 +From: Wei Wang +Date: Fri, 16 Jun 2017 10:46:37 -0700 +Subject: decnet: always not take dst->__refcnt when inserting dst into hash table + +From: Wei Wang + + +[ Upstream commit 76371d2e3ad1f84426a30ebcd8c3b9b98f4c724f ] + +In the existing dn_route.c code, dn_route_output_slow() takes +dst->__refcnt before calling dn_insert_route() while dn_route_input_slow() +does not take dst->__refcnt before calling dn_insert_route(). +This makes the whole routing code very buggy. +In dn_dst_check_expire(), dnrt_free() is called when rt expires. This +makes the routes inserted by dn_route_output_slow() not able to be +freed as the refcnt is not released. +In dn_dst_gc(), dnrt_drop() is called to release rt which could +potentially cause the dst->__refcnt to be dropped to -1. +In dn_run_flush(), dst_free() is called to release all the dst. Again, +it makes the dst inserted by dn_route_output_slow() not able to be +released and also, it does not wait on the rcu and could potentially +cause crash in the path where other users still refer to this dst. + +This patch makes sure both input and output path do not take +dst->__refcnt before calling dn_insert_route() and also makes sure +dnrt_free()/dst_free() is called when removing dst from the hash table. +The only difference between those 2 calls is that dnrt_free() waits on +the rcu while dst_free() does not. + +Signed-off-by: Wei Wang +Acked-by: Martin KaFai Lau +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/decnet/dn_route.c | 14 ++++---------- + 1 file changed, 4 insertions(+), 10 deletions(-) + +--- a/net/decnet/dn_route.c ++++ b/net/decnet/dn_route.c +@@ -189,12 +189,6 @@ static inline void dnrt_free(struct dn_r + call_rcu_bh(&rt->dst.rcu_head, dst_rcu_free); + } + +-static inline void dnrt_drop(struct dn_route *rt) +-{ +- dst_release(&rt->dst); +- call_rcu_bh(&rt->dst.rcu_head, dst_rcu_free); +-} +- + static void dn_dst_check_expire(unsigned long dummy) + { + int i; +@@ -249,7 +243,7 @@ static int dn_dst_gc(struct dst_ops *ops + } + *rtp = rt->dst.dn_next; + rt->dst.dn_next = NULL; +- dnrt_drop(rt); ++ dnrt_free(rt); + break; + } + spin_unlock_bh(&dn_rt_hash_table[i].lock); +@@ -351,7 +345,7 @@ static int dn_insert_route(struct dn_rou + dst_use(&rth->dst, now); + spin_unlock_bh(&dn_rt_hash_table[hash].lock); + +- dnrt_drop(rt); ++ dst_free(&rt->dst); + *rp = rth; + return 0; + } +@@ -381,7 +375,7 @@ static void dn_run_flush(unsigned long d + for(; rt; rt = next) { + next = rcu_dereference_raw(rt->dst.dn_next); + RCU_INIT_POINTER(rt->dst.dn_next, NULL); +- dst_free((struct dst_entry *)rt); ++ dnrt_free(rt); + } + + nothing_to_declare: +@@ -1195,7 +1189,7 @@ make_route: + if (dev_out->flags & IFF_LOOPBACK) + flags |= RTCF_LOCAL; + +- rt = dst_alloc(&dn_dst_ops, dev_out, 1, DST_OBSOLETE_NONE, DST_HOST); ++ rt = dst_alloc(&dn_dst_ops, dev_out, 0, DST_OBSOLETE_NONE, DST_HOST); + if (rt == NULL) + goto e_nobufs; + diff --git a/queue-3.18/decnet-dn_rtmsg-improve-input-length-sanitization-in-dnrmg_receive_user_skb.patch b/queue-3.18/decnet-dn_rtmsg-improve-input-length-sanitization-in-dnrmg_receive_user_skb.patch new file mode 100644 index 00000000000..0016bb40cd9 --- /dev/null +++ b/queue-3.18/decnet-dn_rtmsg-improve-input-length-sanitization-in-dnrmg_receive_user_skb.patch @@ -0,0 +1,42 @@ +From foo@baz Thu Jun 29 19:45:34 CEST 2017 +From: Mateusz Jurczyk +Date: Wed, 7 Jun 2017 16:14:29 +0200 +Subject: decnet: dn_rtmsg: Improve input length sanitization in dnrmg_receive_user_skb + +From: Mateusz Jurczyk + + +[ Upstream commit dd0da17b209ed91f39872766634ca967c170ada1 ] + +Verify that the length of the socket buffer is sufficient to cover the +nlmsghdr structure before accessing the nlh->nlmsg_len field for further +input sanitization. If the client only supplies 1-3 bytes of data in +sk_buff, then nlh->nlmsg_len remains partially uninitialized and +contains leftover memory from the corresponding kernel allocation. +Operating on such data may result in indeterminate evaluation of the +nlmsg_len < sizeof(*nlh) expression. + +The bug was discovered by a runtime instrumentation designed to detect +use of uninitialized memory in the kernel. The patch prevents this and +other similar tools (e.g. KMSAN) from flagging this behavior in the future. + +Signed-off-by: Mateusz Jurczyk +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/decnet/netfilter/dn_rtmsg.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/net/decnet/netfilter/dn_rtmsg.c ++++ b/net/decnet/netfilter/dn_rtmsg.c +@@ -104,7 +104,9 @@ static inline void dnrmg_receive_user_sk + { + struct nlmsghdr *nlh = nlmsg_hdr(skb); + +- if (nlh->nlmsg_len < sizeof(*nlh) || skb->len < nlh->nlmsg_len) ++ if (skb->len < sizeof(*nlh) || ++ nlh->nlmsg_len < sizeof(*nlh) || ++ skb->len < nlh->nlmsg_len) + return; + + if (!netlink_capable(skb, CAP_NET_ADMIN)) diff --git a/queue-3.18/fix-an-intermittent-pr_emerg-warning-about-lo-becoming-free.patch b/queue-3.18/fix-an-intermittent-pr_emerg-warning-about-lo-becoming-free.patch new file mode 100644 index 00000000000..1e24f63f1d9 --- /dev/null +++ b/queue-3.18/fix-an-intermittent-pr_emerg-warning-about-lo-becoming-free.patch @@ -0,0 +1,76 @@ +From foo@baz Thu Jun 29 19:45:34 CEST 2017 +From: Krister Johansen +Date: Thu, 8 Jun 2017 13:12:38 -0700 +Subject: Fix an intermittent pr_emerg warning about lo becoming free. + +From: Krister Johansen + + +[ Upstream commit f186ce61bb8235d80068c390dc2aad7ca427a4c2 ] + +It looks like this: + +Message from syslogd@flamingo at Apr 26 00:45:00 ... + kernel:unregister_netdevice: waiting for lo to become free. Usage count = 4 + +They seem to coincide with net namespace teardown. + +The message is emitted by netdev_wait_allrefs(). + +Forced a kdump in netdev_run_todo, but found that the refcount on the lo +device was already 0 at the time we got to the panic. + +Used bcc to check the blocking in netdev_run_todo. The only places +where we're off cpu there are in the rcu_barrier() and msleep() calls. +That behavior is expected. The msleep time coincides with the amount of +time we spend waiting for the refcount to reach zero; the rcu_barrier() +wait times are not excessive. + +After looking through the list of callbacks that the netdevice notifiers +invoke in this path, it appears that the dst_dev_event is the most +interesting. The dst_ifdown path places a hold on the loopback_dev as +part of releasing the dev associated with the original dst cache entry. +Most of our notifier callbacks are straight-forward, but this one a) +looks complex, and b) places a hold on the network interface in +question. + +I constructed a new bcc script that watches various events in the +liftime of a dst cache entry. Note that dst_ifdown will take a hold on +the loopback device until the invalidated dst entry gets freed. + +[ __dst_free] on DST: ffff883ccabb7900 IF tap1008300eth0 invoked at 1282115677036183 + __dst_free + rcu_nocb_kthread + kthread + ret_from_fork +Acked-by: Eric Dumazet + +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/core/dst.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +--- a/net/core/dst.c ++++ b/net/core/dst.c +@@ -397,6 +397,20 @@ static int dst_dev_event(struct notifier + spin_lock_bh(&dst_garbage.lock); + dst = dst_garbage.list; + dst_garbage.list = NULL; ++ /* The code in dst_ifdown places a hold on the loopback device. ++ * If the gc entry processing is set to expire after a lengthy ++ * interval, this hold can cause netdev_wait_allrefs() to hang ++ * out and wait for a long time -- until the the loopback ++ * interface is released. If we're really unlucky, it'll emit ++ * pr_emerg messages to console too. Reset the interval here, ++ * so dst cleanups occur in a more timely fashion. ++ */ ++ if (dst_garbage.timer_inc > DST_GC_INC) { ++ dst_garbage.timer_inc = DST_GC_INC; ++ dst_garbage.timer_expires = DST_GC_MIN; ++ mod_delayed_work(system_wq, &dst_gc_work, ++ dst_garbage.timer_expires); ++ } + spin_unlock_bh(&dst_garbage.lock); + + if (last) diff --git a/queue-3.18/igmp-acquire-pmc-lock-for-ip_mc_clear_src.patch b/queue-3.18/igmp-acquire-pmc-lock-for-ip_mc_clear_src.patch new file mode 100644 index 00000000000..aee5d5afd74 --- /dev/null +++ b/queue-3.18/igmp-acquire-pmc-lock-for-ip_mc_clear_src.patch @@ -0,0 +1,82 @@ +From foo@baz Thu Jun 29 19:45:34 CEST 2017 +From: WANG Cong +Date: Mon, 12 Jun 2017 09:52:26 -0700 +Subject: igmp: acquire pmc lock for ip_mc_clear_src() + +From: WANG Cong + + +[ Upstream commit c38b7d327aafd1e3ad7ff53eefac990673b65667 ] + +Andrey reported a use-after-free in add_grec(): + + for (psf = *psf_list; psf; psf = psf_next) { + ... + psf_next = psf->sf_next; + +where the struct ip_sf_list's were already freed by: + + kfree+0xe8/0x2b0 mm/slub.c:3882 + ip_mc_clear_src+0x69/0x1c0 net/ipv4/igmp.c:2078 + ip_mc_dec_group+0x19a/0x470 net/ipv4/igmp.c:1618 + ip_mc_drop_socket+0x145/0x230 net/ipv4/igmp.c:2609 + inet_release+0x4e/0x1c0 net/ipv4/af_inet.c:411 + sock_release+0x8d/0x1e0 net/socket.c:597 + sock_close+0x16/0x20 net/socket.c:1072 + +This happens because we don't hold pmc->lock in ip_mc_clear_src() +and a parallel mr_ifc_timer timer could jump in and access them. + +The RCU lock is there but it is merely for pmc itself, this +spinlock could actually ensure we don't access them in parallel. + +Thanks to Eric and Long for discussion on this bug. + +Reported-by: Andrey Konovalov +Cc: Eric Dumazet +Cc: Xin Long +Signed-off-by: Cong Wang +Reviewed-by: Xin Long +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/igmp.c | 21 +++++++++++++-------- + 1 file changed, 13 insertions(+), 8 deletions(-) + +--- a/net/ipv4/igmp.c ++++ b/net/ipv4/igmp.c +@@ -1832,21 +1832,26 @@ static int ip_mc_add_src(struct in_devic + + static void ip_mc_clear_src(struct ip_mc_list *pmc) + { +- struct ip_sf_list *psf, *nextpsf; ++ struct ip_sf_list *psf, *nextpsf, *tomb, *sources; + +- for (psf = pmc->tomb; psf; psf = nextpsf) { ++ spin_lock_bh(&pmc->lock); ++ tomb = pmc->tomb; ++ pmc->tomb = NULL; ++ sources = pmc->sources; ++ pmc->sources = NULL; ++ pmc->sfmode = MCAST_EXCLUDE; ++ pmc->sfcount[MCAST_INCLUDE] = 0; ++ pmc->sfcount[MCAST_EXCLUDE] = 1; ++ spin_unlock_bh(&pmc->lock); ++ ++ for (psf = tomb; psf; psf = nextpsf) { + nextpsf = psf->sf_next; + kfree(psf); + } +- pmc->tomb = NULL; +- for (psf = pmc->sources; psf; psf = nextpsf) { ++ for (psf = sources; psf; psf = nextpsf) { + nextpsf = psf->sf_next; + kfree(psf); + } +- pmc->sources = NULL; +- pmc->sfmode = MCAST_EXCLUDE; +- pmc->sfcount[MCAST_INCLUDE] = 0; +- pmc->sfcount[MCAST_EXCLUDE] = 1; + } + + diff --git a/queue-3.18/igmp-add-a-missing-spin_lock_init.patch b/queue-3.18/igmp-add-a-missing-spin_lock_init.patch new file mode 100644 index 00000000000..df7c50195e2 --- /dev/null +++ b/queue-3.18/igmp-add-a-missing-spin_lock_init.patch @@ -0,0 +1,57 @@ +From foo@baz Thu Jun 29 19:45:34 CEST 2017 +From: WANG Cong +Date: Tue, 20 Jun 2017 10:46:27 -0700 +Subject: igmp: add a missing spin_lock_init() + +From: WANG Cong + + +[ Upstream commit b4846fc3c8559649277e3e4e6b5cec5348a8d208 ] + +Andrey reported a lockdep warning on non-initialized +spinlock: + + INFO: trying to register non-static key. + the code is fine but needs lockdep annotation. + turning off the locking correctness validator. + CPU: 1 PID: 4099 Comm: a.out Not tainted 4.12.0-rc6+ #9 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 + Call Trace: + __dump_stack lib/dump_stack.c:16 + dump_stack+0x292/0x395 lib/dump_stack.c:52 + register_lock_class+0x717/0x1aa0 kernel/locking/lockdep.c:755 + ? 0xffffffffa0000000 + __lock_acquire+0x269/0x3690 kernel/locking/lockdep.c:3255 + lock_acquire+0x22d/0x560 kernel/locking/lockdep.c:3855 + __raw_spin_lock_bh ./include/linux/spinlock_api_smp.h:135 + _raw_spin_lock_bh+0x36/0x50 kernel/locking/spinlock.c:175 + spin_lock_bh ./include/linux/spinlock.h:304 + ip_mc_clear_src+0x27/0x1e0 net/ipv4/igmp.c:2076 + igmpv3_clear_delrec+0xee/0x4f0 net/ipv4/igmp.c:1194 + ip_mc_destroy_dev+0x4e/0x190 net/ipv4/igmp.c:1736 + +We miss a spin_lock_init() in igmpv3_add_delrec(), probably +because previously we never use it on this code path. Since +we already unlink it from the global mc_tomb list, it is +probably safe not to acquire this spinlock here. It does not +harm to have it although, to avoid conditional locking. + +Fixes: c38b7d327aaf ("igmp: acquire pmc lock for ip_mc_clear_src()") +Reported-by: Andrey Konovalov +Signed-off-by: Cong Wang +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/igmp.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/ipv4/igmp.c ++++ b/net/ipv4/igmp.c +@@ -1080,6 +1080,7 @@ static void igmpv3_add_delrec(struct in_ + pmc = kzalloc(sizeof(*pmc), GFP_KERNEL); + if (!pmc) + return; ++ spin_lock_init(&pmc->lock); + spin_lock_bh(&im->lock); + pmc->interface = im->interface; + in_dev_hold(in_dev); diff --git a/queue-3.18/ipv6-fix-calling-in6_ifa_hold-incorrectly-for-dad-work.patch b/queue-3.18/ipv6-fix-calling-in6_ifa_hold-incorrectly-for-dad-work.patch new file mode 100644 index 00000000000..1ffad3910e4 --- /dev/null +++ b/queue-3.18/ipv6-fix-calling-in6_ifa_hold-incorrectly-for-dad-work.patch @@ -0,0 +1,64 @@ +From foo@baz Thu Jun 29 19:45:34 CEST 2017 +From: Xin Long +Date: Thu, 15 Jun 2017 16:33:58 +0800 +Subject: ipv6: fix calling in6_ifa_hold incorrectly for dad work + +From: Xin Long + + +[ Upstream commit f8a894b218138888542a5058d0e902378fd0d4ec ] + +Now when starting the dad work in addrconf_mod_dad_work, if the dad work +is idle and queued, it needs to hold ifa. + +The problem is there's one gap in [1], during which if the pending dad work +is removed elsewhere. It will miss to hold ifa, but the dad word is still +idea and queue. + + if (!delayed_work_pending(&ifp->dad_work)) + in6_ifa_hold(ifp); + <--------------[1] + mod_delayed_work(addrconf_wq, &ifp->dad_work, delay); + +An use-after-free issue can be caused by this. + +Chen Wei found this issue when WARN_ON(!hlist_unhashed(&ifp->addr_lst)) in +net6_ifa_finish_destroy was hit because of it. + +As Hannes' suggestion, this patch is to fix it by holding ifa first in +addrconf_mod_dad_work, then calling mod_delayed_work and putting ifa if +the dad_work is already in queue. + +Note that this patch did not choose to fix it with: + + if (!mod_delayed_work(delay)) + in6_ifa_hold(ifp); + +As with it, when delay == 0, dad_work would be scheduled immediately, all +addrconf_mod_dad_work(0) callings had to be moved under ifp->lock. + +Reported-by: Wei Chen +Suggested-by: Hannes Frederic Sowa +Acked-by: Hannes Frederic Sowa +Signed-off-by: Xin Long +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/addrconf.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/net/ipv6/addrconf.c ++++ b/net/ipv6/addrconf.c +@@ -269,9 +269,9 @@ static void addrconf_mod_rs_timer(struct + static void addrconf_mod_dad_work(struct inet6_ifaddr *ifp, + unsigned long delay) + { +- if (!delayed_work_pending(&ifp->dad_work)) +- in6_ifa_hold(ifp); +- mod_delayed_work(addrconf_wq, &ifp->dad_work, delay); ++ in6_ifa_hold(ifp); ++ if (mod_delayed_work(addrconf_wq, &ifp->dad_work, delay)) ++ in6_ifa_put(ifp); + } + + static int snmp6_alloc_dev(struct inet6_dev *idev) diff --git a/queue-3.18/net-8021q-fix-one-possible-panic-caused-by-bug_on-in-free_netdev.patch b/queue-3.18/net-8021q-fix-one-possible-panic-caused-by-bug_on-in-free_netdev.patch new file mode 100644 index 00000000000..808d6478ea0 --- /dev/null +++ b/queue-3.18/net-8021q-fix-one-possible-panic-caused-by-bug_on-in-free_netdev.patch @@ -0,0 +1,73 @@ +From foo@baz Thu Jun 29 19:45:34 CEST 2017 +From: Gao Feng +Date: Fri, 16 Jun 2017 15:00:02 +0800 +Subject: net: 8021q: Fix one possible panic caused by BUG_ON in free_netdev + +From: Gao Feng + + +[ Upstream commit 9745e362add89432d2c951272a99b0a5fe4348a9 ] + +The register_vlan_device would invoke free_netdev directly, when +register_vlan_dev failed. It would trigger the BUG_ON in free_netdev +if the dev was already registered. In this case, the netdev would be +freed in netdev_run_todo later. + +So add one condition check now. Only when dev is not registered, then +free it directly. + +The following is the part coredump when netdev_upper_dev_link failed +in register_vlan_dev. I removed the lines which are too long. + +[ 411.237457] ------------[ cut here ]------------ +[ 411.237458] kernel BUG at net/core/dev.c:7998! +[ 411.237484] invalid opcode: 0000 [#1] SMP +[ 411.237705] [last unloaded: 8021q] +[ 411.237718] CPU: 1 PID: 12845 Comm: vconfig Tainted: G E 4.12.0-rc5+ #6 +[ 411.237737] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 07/02/2015 +[ 411.237764] task: ffff9cbeb6685580 task.stack: ffffa7d2807d8000 +[ 411.237782] RIP: 0010:free_netdev+0x116/0x120 +[ 411.237794] RSP: 0018:ffffa7d2807dbdb0 EFLAGS: 00010297 +[ 411.237808] RAX: 0000000000000002 RBX: ffff9cbeb6ba8fd8 RCX: 0000000000001878 +[ 411.237826] RDX: 0000000000000001 RSI: 0000000000000282 RDI: 0000000000000000 +[ 411.237844] RBP: ffffa7d2807dbdc8 R08: 0002986100029841 R09: 0002982100029801 +[ 411.237861] R10: 0004000100029980 R11: 0004000100029980 R12: ffff9cbeb6ba9000 +[ 411.238761] R13: ffff9cbeb6ba9060 R14: ffff9cbe60f1a000 R15: ffff9cbeb6ba9000 +[ 411.239518] FS: 00007fb690d81700(0000) GS:ffff9cbebb640000(0000) knlGS:0000000000000000 +[ 411.239949] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 411.240454] CR2: 00007f7115624000 CR3: 0000000077cdf000 CR4: 00000000003406e0 +[ 411.240936] Call Trace: +[ 411.241462] vlan_ioctl_handler+0x3f1/0x400 [8021q] +[ 411.241910] sock_ioctl+0x18b/0x2c0 +[ 411.242394] do_vfs_ioctl+0xa1/0x5d0 +[ 411.242853] ? sock_alloc_file+0xa6/0x130 +[ 411.243465] SyS_ioctl+0x79/0x90 +[ 411.243900] entry_SYSCALL_64_fastpath+0x1e/0xa9 +[ 411.244425] RIP: 0033:0x7fb69089a357 +[ 411.244863] RSP: 002b:00007ffcd04e0fc8 EFLAGS: 00000202 ORIG_RAX: 0000000000000010 +[ 411.245445] RAX: ffffffffffffffda RBX: 00007ffcd04e2884 RCX: 00007fb69089a357 +[ 411.245903] RDX: 00007ffcd04e0fd0 RSI: 0000000000008983 RDI: 0000000000000003 +[ 411.246527] RBP: 00007ffcd04e0fd0 R08: 0000000000000000 R09: 1999999999999999 +[ 411.246976] R10: 000000000000053f R11: 0000000000000202 R12: 0000000000000004 +[ 411.247414] R13: 00007ffcd04e1128 R14: 00007ffcd04e2888 R15: 0000000000000001 +[ 411.249129] RIP: free_netdev+0x116/0x120 RSP: ffffa7d2807dbdb0 + +Signed-off-by: Gao Feng +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/8021q/vlan.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/8021q/vlan.c ++++ b/net/8021q/vlan.c +@@ -278,7 +278,8 @@ static int register_vlan_device(struct n + return 0; + + out_free_newdev: +- free_netdev(new_dev); ++ if (new_dev->reg_state == NETREG_UNINITIALIZED) ++ free_netdev(new_dev); + return err; + } + diff --git a/queue-3.18/net-caif-fix-a-sleep-in-atomic-bug-in-cfpkt_create_pfx.patch b/queue-3.18/net-caif-fix-a-sleep-in-atomic-bug-in-cfpkt_create_pfx.patch new file mode 100644 index 00000000000..c2eff433547 --- /dev/null +++ b/queue-3.18/net-caif-fix-a-sleep-in-atomic-bug-in-cfpkt_create_pfx.patch @@ -0,0 +1,50 @@ +From foo@baz Thu Jun 29 19:45:34 CEST 2017 +From: Jia-Ju Bai +Date: Sat, 10 Jun 2017 16:49:39 +0800 +Subject: net: caif: Fix a sleep-in-atomic bug in cfpkt_create_pfx + +From: Jia-Ju Bai + + +[ Upstream commit f146e872eb12ebbe92d8e583b2637e0741440db3 ] + +The kernel may sleep under a rcu read lock in cfpkt_create_pfx, and the +function call path is: +cfcnfg_linkup_rsp (acquire the lock by rcu_read_lock) + cfctrl_linkdown_req + cfpkt_create + cfpkt_create_pfx + alloc_skb(GFP_KERNEL) --> may sleep +cfserl_receive (acquire the lock by rcu_read_lock) + cfpkt_split + cfpkt_create_pfx + alloc_skb(GFP_KERNEL) --> may sleep + +There is "in_interrupt" in cfpkt_create_pfx to decide use "GFP_KERNEL" or +"GFP_ATOMIC". In this situation, "GFP_KERNEL" is used because the function +is called under a rcu read lock, instead in interrupt. + +To fix it, only "GFP_ATOMIC" is used in cfpkt_create_pfx. + +Signed-off-by: Jia-Ju Bai +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/caif/cfpkt_skbuff.c | 6 +----- + 1 file changed, 1 insertion(+), 5 deletions(-) + +--- a/net/caif/cfpkt_skbuff.c ++++ b/net/caif/cfpkt_skbuff.c +@@ -81,11 +81,7 @@ static struct cfpkt *cfpkt_create_pfx(u1 + { + struct sk_buff *skb; + +- if (likely(in_interrupt())) +- skb = alloc_skb(len + pfx, GFP_ATOMIC); +- else +- skb = alloc_skb(len + pfx, GFP_KERNEL); +- ++ skb = alloc_skb(len + pfx, GFP_ATOMIC); + if (unlikely(skb == NULL)) + return NULL; + diff --git a/queue-3.18/net-don-t-call-strlen-on-non-terminated-string-in-dev_set_alias.patch b/queue-3.18/net-don-t-call-strlen-on-non-terminated-string-in-dev_set_alias.patch new file mode 100644 index 00000000000..903de3732db --- /dev/null +++ b/queue-3.18/net-don-t-call-strlen-on-non-terminated-string-in-dev_set_alias.patch @@ -0,0 +1,34 @@ +From foo@baz Thu Jun 29 19:45:34 CEST 2017 +From: Alexander Potapenko +Date: Tue, 6 Jun 2017 15:56:54 +0200 +Subject: net: don't call strlen on non-terminated string in dev_set_alias() + +From: Alexander Potapenko + + +[ Upstream commit c28294b941232931fbd714099798eb7aa7e865d7 ] + +KMSAN reported a use of uninitialized memory in dev_set_alias(), +which was caused by calling strlcpy() (which in turn called strlen()) +on the user-supplied non-terminated string. + +Signed-off-by: Alexander Potapenko +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/core/dev.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -1194,8 +1194,9 @@ int dev_set_alias(struct net_device *dev + if (!new_ifalias) + return -ENOMEM; + dev->ifalias = new_ifalias; ++ memcpy(dev->ifalias, alias, len); ++ dev->ifalias[len] = 0; + +- strlcpy(dev->ifalias, alias, len+1); + return len; + } + diff --git a/queue-3.18/netfilter-synproxy-fix-conntrackd-interaction.patch b/queue-3.18/netfilter-synproxy-fix-conntrackd-interaction.patch new file mode 100644 index 00000000000..e91b8f4be9d --- /dev/null +++ b/queue-3.18/netfilter-synproxy-fix-conntrackd-interaction.patch @@ -0,0 +1,45 @@ +From 87e94dbc210a720a34be5c1174faee5c84be963e Mon Sep 17 00:00:00 2001 +From: Eric Leblond +Date: Thu, 11 May 2017 18:56:38 +0200 +Subject: netfilter: synproxy: fix conntrackd interaction + +From: Eric Leblond + +commit 87e94dbc210a720a34be5c1174faee5c84be963e upstream. + +This patch fixes the creation of connection tracking entry from +netlink when synproxy is used. It was missing the addition of +the synproxy extension. + +This was causing kernel crashes when a conntrack entry created by +conntrackd was used after the switch of traffic from active node +to the passive node. + +Signed-off-by: Eric Leblond +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman + +--- + net/netfilter/nf_conntrack_netlink.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/net/netfilter/nf_conntrack_netlink.c ++++ b/net/netfilter/nf_conntrack_netlink.c +@@ -45,6 +45,8 @@ + #include + #include + #include ++#include ++#include + #ifdef CONFIG_NF_NAT_NEEDED + #include + #include +@@ -1688,6 +1690,8 @@ ctnetlink_create_conntrack(struct net *n + nf_ct_tstamp_ext_add(ct, GFP_ATOMIC); + nf_ct_ecache_ext_add(ct, 0, 0, GFP_ATOMIC); + nf_ct_labels_ext_add(ct); ++ nfct_seqadj_ext_add(ct); ++ nfct_synproxy_ext_add(ct); + + /* we must add conntrack extensions before confirmation. */ + ct->status |= IPS_CONFIRMED; diff --git a/queue-3.18/netfilter-xt_tcpmss-add-more-sanity-tests-on-tcph-doff.patch b/queue-3.18/netfilter-xt_tcpmss-add-more-sanity-tests-on-tcph-doff.patch new file mode 100644 index 00000000000..5948f5f8e9f --- /dev/null +++ b/queue-3.18/netfilter-xt_tcpmss-add-more-sanity-tests-on-tcph-doff.patch @@ -0,0 +1,47 @@ +From 2638fd0f92d4397884fd991d8f4925cb3f081901 Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Mon, 3 Apr 2017 10:55:11 -0700 +Subject: netfilter: xt_TCPMSS: add more sanity tests on tcph->doff + +From: Eric Dumazet + +commit 2638fd0f92d4397884fd991d8f4925cb3f081901 upstream. + +Denys provided an awesome KASAN report pointing to an use +after free in xt_TCPMSS + +I have provided three patches to fix this issue, either in xt_TCPMSS or +in xt_tcpudp.c. It seems xt_TCPMSS patch has the smallest possible +impact. + +Signed-off-by: Eric Dumazet +Reported-by: Denys Fedoryshchenko +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman + +--- + net/netfilter/xt_TCPMSS.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/net/netfilter/xt_TCPMSS.c ++++ b/net/netfilter/xt_TCPMSS.c +@@ -104,7 +104,7 @@ tcpmss_mangle_packet(struct sk_buff *skb + tcph = (struct tcphdr *)(skb_network_header(skb) + tcphoff); + tcp_hdrlen = tcph->doff * 4; + +- if (len < tcp_hdrlen) ++ if (len < tcp_hdrlen || tcp_hdrlen < sizeof(struct tcphdr)) + return -1; + + if (info->mss == XT_TCPMSS_CLAMP_PMTU) { +@@ -156,6 +156,10 @@ tcpmss_mangle_packet(struct sk_buff *skb + if (len > tcp_hdrlen) + return 0; + ++ /* tcph->doff has 4 bits, do not wrap it to 0 */ ++ if (tcp_hdrlen >= 15 * 4) ++ return 0; ++ + /* + * MSS Option not found ?! add it.. + */ diff --git a/queue-3.18/series b/queue-3.18/series index e6f2c1c06be..aba262bf0e8 100644 --- a/queue-3.18/series +++ b/queue-3.18/series @@ -1,2 +1,13 @@ xhci-fix-deadlock-at-host-remove-by-running-watchdog-correctly.patch ipv6-release-dst-on-error-in-ip6_dst_lookup_tail.patch +netfilter-xt_tcpmss-add-more-sanity-tests-on-tcph-doff.patch +netfilter-synproxy-fix-conntrackd-interaction.patch +net-don-t-call-strlen-on-non-terminated-string-in-dev_set_alias.patch +decnet-dn_rtmsg-improve-input-length-sanitization-in-dnrmg_receive_user_skb.patch +fix-an-intermittent-pr_emerg-warning-about-lo-becoming-free.patch +net-caif-fix-a-sleep-in-atomic-bug-in-cfpkt_create_pfx.patch +igmp-acquire-pmc-lock-for-ip_mc_clear_src.patch +igmp-add-a-missing-spin_lock_init.patch +ipv6-fix-calling-in6_ifa_hold-incorrectly-for-dad-work.patch +decnet-always-not-take-dst-__refcnt-when-inserting-dst-into-hash-table.patch +net-8021q-fix-one-possible-panic-caused-by-bug_on-in-free_netdev.patch