From: Sasha Levin
Date: Mon, 12 Oct 2020 02:46:10 +0000 (-0400)
Subject: Fixes for 4.4
X-Git-Tag: v4.4.239~17
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=60f80db0ab0b7a4e133531103e68955a58f420c0;p=thirdparty%2Fkernel%2Fstable-queue.git
Fixes for 4.4
Signed-off-by: Sasha Levin
---
diff --git a/queue-4.4/bonding-set-dev-needed_headroom-in-bond_setup_by_sla.patch b/queue-4.4/bonding-set-dev-needed_headroom-in-bond_setup_by_sla.patch
new file mode 100644
index 00000000000..d3483bbb708
--- /dev/null
+++ b/queue-4.4/bonding-set-dev-needed_headroom-in-bond_setup_by_sla.patch
@@ -0,0 +1,71 @@
+From b783de399d681bc9ff5b3079debb1138f8740b06 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 25 Sep 2020 06:38:07 -0700
+Subject: bonding: set dev->needed_headroom in bond_setup_by_slave()
+
+From: Eric Dumazet
+
+[ Upstream commit f32f19339596b214c208c0dba716f4b6cc4f6958 ]
+
+syzbot managed to crash a host by creating a bond
+with a GRE device.
+
+For non Ethernet device, bonding calls bond_setup_by_slave()
+instead of ether_setup(), and unfortunately dev->needed_headroom
+was not copied from the new added member.
+
+[ 171.243095] skbuff: skb_under_panic: text:ffffffffa184b9ea len:116 put:20 head:ffff883f84012dc0 data:ffff883f84012dbc tail:0x70 end:0xd00 dev:bond0
+[ 171.243111] ------------[ cut here ]------------
+[ 171.243112] kernel BUG at net/core/skbuff.c:112!
+[ 171.243117] invalid opcode: 0000 [#1] SMP KASAN PTI
+[ 171.243469] gsmi: Log Shutdown Reason 0x03
+[ 171.243505] Call Trace:
+[ 171.243506]
+[ 171.243512] [] skb_push+0x49/0x50
+[ 171.243516] [] ipgre_header+0x2a/0xf0
+[ 171.243520] [] neigh_connected_output+0xb7/0x100
+[ 171.243524] [] ip6_finish_output2+0x383/0x490
+[ 171.243528] [] __ip6_finish_output+0xa2/0x110
+[ 171.243531] [] ip6_finish_output+0x2c/0xa0
+[ 171.243534] [] ip6_output+0x69/0x110
+[ 171.243537] [] ? ip6_output+0x110/0x110
+[ 171.243541] [] mld_sendpack+0x1b2/0x2d0
+[ 171.243544] [] ? mld_send_report+0xf0/0xf0
+[ 171.243548] [] mld_ifc_timer_expire+0x2d7/0x3b0
+[ 171.243551] [] ? mld_gq_timer_expire+0x50/0x50
+[ 171.243556] [] call_timer_fn+0x30/0x130
+[ 171.243559] [] expire_timers+0x4c/0x110
+[ 171.243563] [] __run_timers+0x213/0x260
+[ 171.243566] [] ? ktime_get+0x3d/0xa0
+[ 171.243570] [] ? clockevents_program_event+0x7e/0xe0
+[ 171.243574] [] ?
sched_clock_cpu+0x15/0x190
+[ 171.243577] [] run_timer_softirq+0x1d/0x40
+[ 171.243581] [] __do_softirq+0x152/0x2f0
+[ 171.243585] [] irq_exit+0x9f/0xb0
+[ 171.243588] [] smp_apic_timer_interrupt+0xfd/0x1a0
+[ 171.243591] [] apic_timer_interrupt+0x86/0x90
+
+Fixes: f5184d267c1a ("net: Allow netdevices to specify needed head/tailroom")
+Signed-off-by: Eric Dumazet
+Reported-by: syzbot
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/bonding/bond_main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
+index aaf75d5e6e480..5811235a64c89 100644
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -1132,6 +1132,7 @@ static void bond_setup_by_slave(struct net_device *bond_dev,
+ 
+ bond_dev->type = slave_dev->type;
+ bond_dev->hard_header_len = slave_dev->hard_header_len;
++ bond_dev->needed_headroom = slave_dev->needed_headroom;
+ bond_dev->addr_len = slave_dev->addr_len;
+ 
+ memcpy(bond_dev->broadcast, slave_dev->broadcast,
+-- 
+2.25.1
+
diff --git a/queue-4.4/net-stmmac-removed-enabling-eee-in-eee-set-callback.patch b/queue-4.4/net-stmmac-removed-enabling-eee-in-eee-set-callback.patch
new file mode 100644
index 00000000000..bf2c428926e
--- /dev/null
+++ b/queue-4.4/net-stmmac-removed-enabling-eee-in-eee-set-callback.patch
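Review bot: The new `++ bond_dev->needed_headroom = slave_dev->needed_headroom;` line copies only the headroom; `needed_tailroom` is left at the bond's default, so a non-Ethernet slave that reserves trailer space would seem to have the symmetric problem, which is worth checking against the 4.4 tree. Because the copy lives in bond_setup_by_slave(), it presumably reflects the single slave that triggered the setup; if a later slave requires more headroom than the first, bond_dev keeps the smaller value and the same under-run remains reachable, so how the 4.4 enslave path refreshes it should be confirmed. bond_setup_by_slave() begins and ends outside the hunk.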
@@ -0,0 +1,66 @@
+From c95b2efd325f48edac0506be72362728d93a7f78 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 23 Sep 2020 16:56:14 +0800
+Subject: net: stmmac: removed enabling eee in EEE set callback
+
+From: Voon Weifeng
+
+[ Upstream commit 7241c5a697479c7d0c5a96595822cdab750d41ae ]
+
+EEE should be only be enabled during stmmac_mac_link_up() when the
+link are up and being set up properly. set_eee should only do settings
+configuration and disabling the eee.
+
+Without this fix, turning on EEE using ethtool will return
+"Operation not supported". This is due to the driver is in a dead loop
+waiting for eee to be advertised in the for eee to be activated but the
+driver will only configure the EEE advertisement after the eee is
+activated.
+
+Ethtool should only return "Operation not supported" if there is no EEE
+capbility in the MAC controller.
+
+Fixes: 8a7493e58ad6 ("net: stmmac: Fix a race in EEE enable callback")
+Signed-off-by: Voon Weifeng
+Acked-by: Mark Gross
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ .../net/ethernet/stmicro/stmmac/stmmac_ethtool.c | 15 ++++-----------
+ 1 file changed, 4 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_ethtool.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_ethtool.c
+index fbf701e5f1e9f..6fe441696882d 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_ethtool.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_ethtool.c
+@@ -616,23 +616,16 @@ static int stmmac_ethtool_op_set_eee(struct net_device *dev,
+ struct stmmac_priv *priv = netdev_priv(dev);
+ int ret;
+ 
+- if (!edata->eee_enabled) {
++ if (!priv->dma_cap.eee)
++ return -EOPNOTSUPP;
++
++ if (!edata->eee_enabled)
+ stmmac_disable_eee_mode(priv);
+- } else {
+- /* We are asking for enabling the EEE but it is safe
+- * to verify all by invoking the eee_init function.
+- * In case of failure it will return an error.
+- */
+- edata->eee_enabled = stmmac_eee_init(priv);
+- if (!edata->eee_enabled)
+- return -EOPNOTSUPP;
+- }
+ 
+ ret = phy_ethtool_set_eee(dev->phydev, edata);
+ if (ret)
+ return ret;
+ 
+- priv->eee_enabled = edata->eee_enabled;
+ priv->tx_lpi_timer = edata->tx_lpi_timer;
+ return 0;
+ }
+-- 
+2.25.1
+
diff --git a/queue-4.4/rxrpc-downgrade-the-bug-for-unsupported-token-type-i.patch b/queue-4.4/rxrpc-downgrade-the-bug-for-unsupported-token-type-i.patch
new file mode 100644
index 00000000000..3383273044a
--- /dev/null
+++ b/queue-4.4/rxrpc-downgrade-the-bug-for-unsupported-token-type-i.patch
@@ -0,0 +1,47 @@
+From d52983c3522099cf0fa106231460e791c2ce172d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 8 Sep 2020 22:09:04 +0100
+Subject: rxrpc: Downgrade the BUG() for unsupported token type in rxrpc_read()
+
+From: David Howells
+
+[ Upstream commit 9a059cd5ca7d9c5c4ca5a6e755cf72f230176b6a ]
+
+If rxrpc_read() (which allows KEYCTL_READ to read a key), sees a token of a
+type it doesn't recognise, it can BUG in a couple of places, which is
+unnecessary as it can easily get back to userspace.
+
+Fix this to print an error message instead.
+
+Fixes: 99455153d067 ("RxRPC: Parse security index 5 keys (Kerberos 5)")
+Signed-off-by: David Howells
+Signed-off-by: Sasha Levin
+---
+ net/rxrpc/ar-key.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/rxrpc/ar-key.c b/net/rxrpc/ar-key.c
+index 543d200f4fa14..20549c13eb13d 100644
+--- a/net/rxrpc/ar-key.c
++++ b/net/rxrpc/ar-key.c
+@@ -1114,7 +1114,8 @@ static long rxrpc_read(const struct key *key,
+ break;
+ 
+ default: /* we have a ticket we can't encode */
+- BUG();
++ pr_err("Unsupported key token type (%u)\n",
++ token->security_index);
+ continue;
+ }
+ 
+@@ -1235,7 +1236,6 @@ static long rxrpc_read(const struct key *key,
+ break;
+ 
+ default:
+- BUG();
+ break;
+ }
+ 
+-- 
+2.25.1
+
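Review bot: With the `else` branch removed, a request that sets `edata->eee_enabled` no longer calls stmmac_eee_init() here and `priv->eee_enabled` is no longer updated from the request, yet the function still returns 0; the commit message defers enabling to stmmac_mac_link_up(), which is the upstream phylink path, so for 4.4 it should be confirmed that the link-change handler (outside this patch) initialises EEE from the stored settings, otherwise enabling via ethtool becomes a silent no-op. The early `if (!priv->dma_cap.eee) return -EOPNOTSUPP;` is the right place for the capability check. A short comment on the `++ if (!edata->eee_enabled)` line would spare the next reader the same investigation, e.g. `/* Enabling is deferred to the link-up path; only disable or record settings here. */`. stmmac_ethtool_op_set_eee() starts before the hunk.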
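Review bot: The `++ pr_err("Unsupported key token type (%u)\n",` line is reached from KEYCTL_READ on a key the caller is allowed to read and fires on every such read, so repeated reads of one key with an unrecognised token can fill the kernel log; a rate-limited form, `pr_err_ratelimited("Unsupported key token type (%u)\n",` / `token->security_index);`, keeps the diagnostic without that effect. The two `default:` arms now diverge: the size pass `continue`s past an unknown token while the encode pass at -1235 only `break`s out of the switch, and whether the encode pass then stays aligned with the sizes recorded for the remaining tokens depends on code outside the hunk and is worth checking. A one-line comment on the second `default:` (`/* skipped by the size pass above */`) would make the intended pairing explicit. rxrpc_read() begins and ends outside both hunks.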
diff --git a/queue-4.4/rxrpc-fix-rxkad-token-xdr-encoding.patch b/queue-4.4/rxrpc-fix-rxkad-token-xdr-encoding.patch
new file mode 100644
index 00000000000..b115535bd91
--- /dev/null
+++ b/queue-4.4/rxrpc-fix-rxkad-token-xdr-encoding.patch
@@ -0,0 +1,59 @@
+From 565b3e6accc8a5eb9894ef503f54e7bbffa7d616 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 4 Sep 2020 14:01:24 -0300
+Subject: rxrpc: Fix rxkad token xdr encoding
+
+From: Marc Dionne
+
+[ Upstream commit 56305118e05b2db8d0395bba640ac9a3aee92624 ]
+
+The session key should be encoded with just the 8 data bytes and
+no length; ENCODE_DATA precedes it with a 4 byte length, which
+confuses some existing tools that try to parse this format.
+
+Add an ENCODE_BYTES macro that does not include a length, and use
+it for the key. Also adjust the expected length.
+
+Note that commit 774521f353e1d ("rxrpc: Fix an assertion in
+rxrpc_read()") had fixed a BUG by changing the length rather than
+fixing the encoding. The original length was correct.
+
+Fixes: 99455153d067 ("RxRPC: Parse security index 5 keys (Kerberos 5)")
+Signed-off-by: Marc Dionne
+Signed-off-by: David Howells
+Signed-off-by: Sasha Levin
+---
+ net/rxrpc/ar-key.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/net/rxrpc/ar-key.c b/net/rxrpc/ar-key.c
+index 91d43ab3a9610..543d200f4fa14 100644
+--- a/net/rxrpc/ar-key.c
++++ b/net/rxrpc/ar-key.c
+@@ -1149,6 +1149,14 @@ static long rxrpc_read(const struct key *key,
+ goto fault; \
+ xdr += (_l + 3) >> 2; \
+ } while(0)
++#define ENCODE_BYTES(l, s) \
++ do { \
++ u32 _l = (l); \
++ memcpy(xdr, (s), _l); \
++ if (_l & 3) \
++ memcpy((u8 *)xdr + _l, &zero, 4 - (_l & 3)); \
++ xdr += (_l + 3) >> 2; \
++ } while(0)
+#define ENCODE64(x) \
+ do { \
+ __be64 y = cpu_to_be64(x); \
+@@ -1177,7 +1185,7 @@ static long rxrpc_read(const struct key *key,
+ case RXRPC_SECURITY_RXKAD:
+ ENCODE(token->kad->vice_id);
+ ENCODE(token->kad->kvno);
+- ENCODE_DATA(8, token->kad->session_key);
++ ENCODE_BYTES(8, token->kad->session_key);
+ ENCODE(token->kad->start);
+ ENCODE(token->kad->expiry);
+ ENCODE(token->kad->primary_flag);
+-- 
+2.25.1
+
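Review bot: `ENCODE_BYTES` has no failure exit, while the macro directly above it (whose head is outside the hunk) leaves through `goto fault;` just before its own `xdr += (_l + 3) >> 2;` advance; if that exit guards the output buffer, the new macro writes `_l` bytes plus padding without the same guard and relies entirely on the size pass having reserved exactly what is emitted. The commit message says the expected length was also adjusted, but the diffstat is 9 insertions and 1 deletion, all in this macro and the one call site, so the 4.4 size computation for RXRPC_SECURITY_RXKAD should be confirmed to already account for an 8-byte key with no 4-byte length word. `zero` is referenced by the new macro and is presumably the same pad source the existing macros use; it is not visible here. rxrpc_read() begins and ends outside the hunk.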
diff --git a/queue-4.4/rxrpc-fix-server-keyring-leak.patch b/queue-4.4/rxrpc-fix-server-keyring-leak.patch
new file mode 100644
index 00000000000..52c30d5bbc1
--- /dev/null
+++ b/queue-4.4/rxrpc-fix-server-keyring-leak.patch
@@ -0,0 +1,37 @@
+From 038c4f6683920927a5b8b66a07e47a2cb7c927ce Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 2 Oct 2020 14:04:51 +0100
+Subject: rxrpc: Fix server keyring leak
+
+From: David Howells
+
+[ Upstream commit 38b1dc47a35ba14c3f4472138ea56d014c2d609b ]
+
+If someone calls setsockopt() twice to set a server key keyring, the first
+keyring is leaked.
+
+Fix it to return an error instead if the server key keyring is already set.
+
+Fixes: 17926a79320a ("[AF_RXRPC]: Provide secure RxRPC sockets for use by userspace and kernel both")
+Signed-off-by: David Howells
+Signed-off-by: Sasha Levin
+---
+ net/rxrpc/ar-key.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/rxrpc/ar-key.c b/net/rxrpc/ar-key.c
+index 20549c13eb13d..ea615e53eab28 100644
+--- a/net/rxrpc/ar-key.c
++++ b/net/rxrpc/ar-key.c
+@@ -897,7 +897,7 @@ int rxrpc_request_key(struct rxrpc_sock *rx, char __user *optval, int optlen)
+ 
+ _enter("");
+ 
+- if (optlen <= 0 || optlen > PAGE_SIZE - 1)
++ if (optlen <= 0 || optlen > PAGE_SIZE - 1 || rx->securities)
+ return -EINVAL;
+ 
+ description = kmalloc(optlen + 1, GFP_KERNEL);
+-- 
+2.25.1
+
diff --git a/queue-4.4/series b/queue-4.4/series
index 4e8747fdd9d..009d11f337e 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
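Review bot: The new `|| rx->securities` test on the `++ if (optlen <= 0 || optlen > PAGE_SIZE - 1 || rx->securities)` line is only race-free if rxrpc_request_key() is serialised against concurrent setsockopt() callers, presumably by a socket lock taken in the caller; that is outside the hunk and worth confirming for 4.4, since two racing calls that both observe NULL would reproduce the leak being fixed. A comment on the condition, such as `/* a server keyring may be set only once; a second set is rejected rather than replacing and leaking the first */`, records the intent for the next reader. rxrpc_request_key() continues outside the hunk.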
@@ -28,3 +28,11 @@ sctp-fix-sctp_auth_init_hmacs-error-path.patch
 team-set-dev-needed_headroom-in-team_setup_by_port.patch
 net-team-fix-memory-leak-in-__team_options_register.patch
 mtd-nand-provide-nand_cleanup-function-to-free-nand-.patch
+xfrm-clone-xfrma_replay_esn_val-in-xfrm_do_migrate.patch
+xfrm-clone-whole-liftime_cur-structure-in-xfrm_do_mi.patch
+net-stmmac-removed-enabling-eee-in-eee-set-callback.patch
+xfrm-use-correct-address-family-in-xfrm_state_find.patch
+bonding-set-dev-needed_headroom-in-bond_setup_by_sla.patch
+rxrpc-fix-rxkad-token-xdr-encoding.patch
+rxrpc-downgrade-the-bug-for-unsupported-token-type-i.patch
+rxrpc-fix-server-keyring-leak.patch
diff --git a/queue-4.4/xfrm-clone-whole-liftime_cur-structure-in-xfrm_do_mi.patch b/queue-4.4/xfrm-clone-whole-liftime_cur-structure-in-xfrm_do_mi.patch
new file mode 100644
index 00000000000..a8ee1b704b3
--- /dev/null
+++ b/queue-4.4/xfrm-clone-whole-liftime_cur-structure-in-xfrm_do_mi.patch
@@ -0,0 +1,39 @@
+From 0b3b59a4815d0c35f132099b2988f14855ca34a6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 4 Sep 2020 08:50:29 +0200
+Subject: xfrm: clone whole liftime_cur structure in xfrm_do_migrate
+
+From: Antony Antony
+
+[ Upstream commit 8366685b2883e523f91e9816d7be371eb1144749 ]
+
+When we clone state only add_time was cloned. It missed values like
+bytes, packets. Now clone the all members of the structure.
+
+v1->v3:
+ - use memcpy to copy the entire structure
+
+Fixes: 80c9abaabf42 ("[XFRM]: Extension for dynamic update of endpoint address(es)")
+Signed-off-by: Antony Antony
+Signed-off-by: Steffen Klassert
+Signed-off-by: Sasha Levin
+---
+ net/xfrm/xfrm_state.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
+index d3595f1d00f25..a3114abe74f20 100644
+--- a/net/xfrm/xfrm_state.c
++++ b/net/xfrm/xfrm_state.c
+@@ -1207,7 +1207,7 @@ static struct xfrm_state *xfrm_state_clone(struct xfrm_state *orig)
+ x->tfcpad = orig->tfcpad;
+ x->replay_maxdiff = orig->replay_maxdiff;
+ x->replay_maxage = orig->replay_maxage;
+- x->curlft.add_time = orig->curlft.add_time;
++ memcpy(&x->curlft, &orig->curlft, sizeof(x->curlft));
+ x->km.state = orig->km.state;
+ x->km.seq = orig->km.seq;
+ x->replay = orig->replay;
+-- 
+2.25.1
+
diff --git a/queue-4.4/xfrm-clone-xfrma_replay_esn_val-in-xfrm_do_migrate.patch b/queue-4.4/xfrm-clone-xfrma_replay_esn_val-in-xfrm_do_migrate.patch
new file mode 100644
index 00000000000..51bfbd872f7
--- /dev/null
+++ b/queue-4.4/xfrm-clone-xfrma_replay_esn_val-in-xfrm_do_migrate.patch
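Review bot: `++ memcpy(&x->curlft, &orig->curlft, sizeof(x->curlft));` is a whole-struct copy, for which the assignment `x->curlft = orig->curlft;` is the idiomatic, type-checked form and matches the neighbouring `x->km.state = orig->km.state;` style; the two are equivalent here. Keeping the memcpy to stay byte-identical with the upstream line is a defensible backport choice, but then a short comment would state why the whole structure is now cloned, e.g. `/* clone bytes, packets and all timestamps, not just add_time */`. xfrm_state_clone() begins and ends outside the hunk.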
@@ -0,0 +1,58 @@
+From 324ca99617985de382a2cedf5f6943f5c43f53b7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 4 Sep 2020 08:49:55 +0200
+Subject: xfrm: clone XFRMA_REPLAY_ESN_VAL in xfrm_do_migrate
+
+From: Antony Antony
+
+[ Upstream commit 91a46c6d1b4fcbfa4773df9421b8ad3e58088101 ]
+
+XFRMA_REPLAY_ESN_VAL was not cloned completely from the old to the new.
+Migrate this attribute during XFRMA_MSG_MIGRATE
+
+v1->v2:
+ - move curleft cloning to a separate patch
+
+Fixes: af2f464e326e ("xfrm: Assign esn pointers when cloning a state")
+Signed-off-by: Antony Antony
+Signed-off-by: Steffen Klassert
+Signed-off-by: Sasha Levin
+---
+ include/net/xfrm.h | 16 ++++++----------
+ 1 file changed, 6 insertions(+), 10 deletions(-)
+
+diff --git a/include/net/xfrm.h b/include/net/xfrm.h
+index 89685c7bc7c0f..7a9c18deaa512 100644
+--- a/include/net/xfrm.h
++++ b/include/net/xfrm.h
+@@ -1730,21 +1730,17 @@ static inline int xfrm_replay_state_esn_len(struct xfrm_replay_state_esn *replay
+ static inline int xfrm_replay_clone(struct xfrm_state *x,
+ struct xfrm_state *orig)
+ {
+- x->replay_esn = kzalloc(xfrm_replay_state_esn_len(orig->replay_esn),
++
++ x->replay_esn = kmemdup(orig->replay_esn,
++ xfrm_replay_state_esn_len(orig->replay_esn),
+ GFP_KERNEL);
+ if (!x->replay_esn)
+ return -ENOMEM;
+-
+- x->replay_esn->bmp_len = orig->replay_esn->bmp_len;
+- x->replay_esn->replay_window = orig->replay_esn->replay_window;
+-
+- x->preplay_esn = kmemdup(x->replay_esn,
+- xfrm_replay_state_esn_len(x->replay_esn),
++ x->preplay_esn = kmemdup(orig->preplay_esn,
++ xfrm_replay_state_esn_len(orig->preplay_esn),
+ GFP_KERNEL);
+- if (!x->preplay_esn) {
+- kfree(x->replay_esn);
++ if (!x->preplay_esn)
+ return -ENOMEM;
+- }
+ 
+ return 0;
+ }
+-- 
+2.25.1
+
diff --git a/queue-4.4/xfrm-use-correct-address-family-in-xfrm_state_find.patch b/queue-4.4/xfrm-use-correct-address-family-in-xfrm_state_find.patch
new file mode 100644
index 00000000000..f9daaba37a8
--- /dev/null
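Review bot: Dropping `kfree(x->replay_esn);` on the preplay_esn failure path means xfrm_replay_clone() now returns -ENOMEM with `x->replay_esn` still allocated, which is leak-free only if the caller releases the partially built state on failure; that caller is outside the hunk and should be confirmed for 4.4 (it also rules out the double free the old code risked if the caller already did so). A comment on the `++ if (!x->preplay_esn)` line, e.g. `/* replay_esn is freed with x by the caller's error path */`, would make the ownership explicit. The new `kmemdup(orig->preplay_esn, xfrm_replay_state_esn_len(orig->preplay_esn), ...)` dereferences `orig->preplay_esn` where the old code derived the copy from the just-allocated `x->replay_esn`; whether `preplay_esn` is guaranteed non-NULL whenever `replay_esn` is depends on the caller's checks, also outside the hunk. The empty `++` line added before the first kmemdup is stray whitespace.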
+++ b/queue-4.4/xfrm-use-correct-address-family-in-xfrm_state_find.patch 
@@ -0,0 +1,82 @@
+From 2bdda036343451243c222e1641e1ba46c7dc8498 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 25 Sep 2020 14:42:56 +1000
+Subject: xfrm: Use correct address family in xfrm_state_find
+
+From: Herbert Xu
+
+[ Upstream commit e94ee171349db84c7cfdc5fefbebe414054d0924 ]
+
+The struct flowi must never be interpreted by itself as its size
+depends on the address family. Therefore it must always be grouped
+with its original family value.
+
+In this particular instance, the original family value is lost in
+the function xfrm_state_find. Therefore we get a bogus read when
+it's coupled with the wrong family which would occur with inter-
+family xfrm states.
+
+This patch fixes it by keeping the original family value.
+
+Note that the same bug could potentially occur in LSM through
+the xfrm_state_pol_flow_match hook. I checked the current code
+there and it seems to be safe for now as only secid is used which
+is part of struct flowi_common. But that API should be changed
+so that so that we don't get new bugs in the future. We could
+do that by replacing fl with just secid or adding a family field.
+
+Reported-by: syzbot+577fbac3145a6eb2e7a5@syzkaller.appspotmail.com
+Fixes: 48b8d78315bf ("[XFRM]: State selection update to use inner...")
+Signed-off-by: Herbert Xu
+Signed-off-by: Steffen Klassert
+Signed-off-by: Sasha Levin
+---
+ net/xfrm/xfrm_state.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
+index a3114abe74f20..5bb5950d6276b 100644
+--- a/net/xfrm/xfrm_state.c
++++ b/net/xfrm/xfrm_state.c
+@@ -742,7 +742,8 @@ static void xfrm_state_look_at(struct xfrm_policy *pol, struct xfrm_state *x,
+ */
+ if (x->km.state == XFRM_STATE_VALID) {
+ if ((x->sel.family &&
+- !xfrm_selector_match(&x->sel, fl, x->sel.family)) ||
++ (x->sel.family != family ||
++ !xfrm_selector_match(&x->sel, fl, family))) ||
+ !security_xfrm_state_pol_flow_match(x, pol, fl))
+ return;
+ 
+@@ -755,7 +756,9 @@ static void xfrm_state_look_at(struct xfrm_policy *pol, struct xfrm_state *x,
+ *acq_in_progress = 1;
+ } else if (x->km.state == XFRM_STATE_ERROR ||
+ x->km.state == XFRM_STATE_EXPIRED) {
+- if (xfrm_selector_match(&x->sel, fl, x->sel.family) &&
++ if ((!x->sel.family ||
++ (x->sel.family == family &&
++ xfrm_selector_match(&x->sel, fl, family))) &&
+ security_xfrm_state_pol_flow_match(x, pol, fl))
+ *error = -ESRCH;
+ }
+@@ -791,7 +794,7 @@ xfrm_state_find(const xfrm_address_t *daddr, const xfrm_address_t *saddr,
+ tmpl->mode == x->props.mode &&
+ tmpl->id.proto == x->id.proto &&
+ (tmpl->id.spi == x->id.spi || !tmpl->id.spi))
+- xfrm_state_look_at(pol, x, fl, encap_family,
++ xfrm_state_look_at(pol, x, fl, family,
+ &best, &acquire_in_progress, &error);
+ }
+ if (best || acquire_in_progress)
+@@ -807,7 +810,7 @@ xfrm_state_find(const xfrm_address_t *daddr, const xfrm_address_t *saddr,
+ tmpl->mode == x->props.mode &&
+ tmpl->id.proto == x->id.proto &&
+ (tmpl->id.spi == x->id.spi || !tmpl->id.spi))
+- xfrm_state_look_at(pol, x, fl, encap_family,
++ xfrm_state_look_at(pol, x, fl, family,
+ &best,
&acquire_in_progress, &error);
+ }
+ 
+-- 
+2.25.1
+
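Review bot: The fix rests on an invariant the code does not record: `fl` may only be read with the family it was built for, which is why both call sites at -791 and -807 now pass `family` instead of `encap_family`. A comment on xfrm_state_look_at()'s definition (its signature is outside the hunk), e.g. `/* @family is the family @fl was built with; never pass x->sel.family or the encapsulation family, struct flowi's layout depends on it */`, would keep the next caller from reintroducing the mismatch. The -755 hunk also changes the outcome for a wildcard selector: the old `xfrm_selector_match(&x->sel, fl, x->sel.family)` was evaluated with family 0, whereas the new `(!x->sel.family || ...)` treats it as a match and sets `*error = -ESRCH`; if xfrm_selector_match() rejects family 0, this is a behaviour change beyond the family fix and deserves a sentence in the backport note. xfrm_state_look_at() and xfrm_state_find() both extend outside the hunk.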