From: Greg Kroah-Hartman Date: Thu, 29 Jun 2017 17:44:20 +0000 (+0200) Subject: 4.4-stable patches X-Git-Tag: v3.18.60~59 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=685a13f63369e07176a926983ba99e22f87b7bd7;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: af_unix-add-sockaddr-length-checks-before-accessing-sa_family-in-bind-and-connect-handlers.patch decnet-always-not-take-dst-__refcnt-when-inserting-dst-into-hash-table.patch decnet-dn_rtmsg-improve-input-length-sanitization-in-dnrmg_receive_user_skb.patch fix-an-intermittent-pr_emerg-warning-about-lo-becoming-free.patch igmp-acquire-pmc-lock-for-ip_mc_clear_src.patch igmp-add-a-missing-spin_lock_init.patch ipv6-do-not-leak-throw-route-references.patch ipv6-fix-calling-in6_ifa_hold-incorrectly-for-dad-work.patch net-8021q-fix-one-possible-panic-caused-by-bug_on-in-free_netdev.patch net-caif-fix-a-sleep-in-atomic-bug-in-cfpkt_create_pfx.patch net-don-t-call-strlen-on-non-terminated-string-in-dev_set_alias.patch net-mlx5-wait-for-fw-readiness-before-initializing-command-interface.patch net-zero-ifla_vf_info-in-rtnl_fill_vfinfo.patch rtnetlink-add-ifla_group-to-ifla_policy.patch sfc-provide-dummy-definitions-of-vswitch-functions.patch --- diff --git a/queue-4.4/af_unix-add-sockaddr-length-checks-before-accessing-sa_family-in-bind-and-connect-handlers.patch b/queue-4.4/af_unix-add-sockaddr-length-checks-before-accessing-sa_family-in-bind-and-connect-handlers.patch new file mode 100644 index 00000000000..8447bb49bf1 --- /dev/null +++ b/queue-4.4/af_unix-add-sockaddr-length-checks-before-accessing-sa_family-in-bind-and-connect-handlers.patch 
@@ -0,0 +1,47 @@ +From foo@baz Thu Jun 29 19:38:17 CEST 2017 +From: Mateusz Jurczyk +Date: Thu, 8 Jun 2017 11:13:36 +0200 +Subject: af_unix: Add sockaddr length checks before accessing sa_family in bind and connect handlers + +From: Mateusz Jurczyk + + +[ Upstream commit defbcf2decc903a28d8398aa477b6881e711e3ea ] + +Verify that the caller-provided sockaddr structure is large enough to +contain the sa_family field, before accessing it in bind() and connect() +handlers of the AF_UNIX socket. Since neither syscall enforces a minimum +size of the corresponding memory region, very short sockaddrs (zero or +one byte long) result in operating on uninitialized memory while +referencing .sa_family. + +Signed-off-by: Mateusz Jurczyk +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/unix/af_unix.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/net/unix/af_unix.c ++++ b/net/unix/af_unix.c +@@ -997,7 +997,8 @@ static int unix_bind(struct socket *sock + struct path path = { NULL, NULL }; + + err = -EINVAL; +- if (sunaddr->sun_family != AF_UNIX) ++ if (addr_len < offsetofend(struct sockaddr_un, sun_family) || ++ sunaddr->sun_family != AF_UNIX) + goto out; + + if (addr_len == sizeof(short)) { +@@ -1108,6 +1109,10 @@ static int unix_dgram_connect(struct soc + unsigned int hash; + int err; + ++ err = -EINVAL; ++ if (alen < offsetofend(struct sockaddr, sa_family)) ++ goto out; ++ + if (addr->sa_family != AF_UNSPEC) { + err = unix_mkname(sunaddr, alen, &hash); + if (err < 0) diff --git a/queue-4.4/decnet-always-not-take-dst-__refcnt-when-inserting-dst-into-hash-table.patch b/queue-4.4/decnet-always-not-take-dst-__refcnt-when-inserting-dst-into-hash-table.patch new file mode 100644 index 00000000000..c896b74e0da --- /dev/null +++ b/queue-4.4/decnet-always-not-take-dst-__refcnt-when-inserting-dst-into-hash-table.patch 
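Review bot: The two new guards express the same two-byte minimum through different types: the unix_bind hunk compares `addr_len` against `offsetofend(struct sockaddr_un, sun_family)` while the unix_dgram_connect hunk compares `alen` against `offsetofend(struct sockaddr, sa_family)`. Both fields sit at offset 0 and are the same width, so the checks are equivalent, but using one spelling keeps the invariant greppable and matches the `sunaddr` the bind path actually dereferences; `if (alen < offsetofend(struct sockaddr_un, sun_family))` in the connect hunk would do. Whether the stream-connect path gets an equivalent check via unix_mkname() is not visible here. Both unix_bind and unix_dgram_connect start and end outside the hunks.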
@@ -0,0 +1,89 @@ +From foo@baz Thu Jun 29 19:38:17 CEST 2017 +From: Wei Wang +Date: Fri, 16 Jun 2017 10:46:37 -0700 +Subject: decnet: always not take dst->__refcnt when inserting dst into hash table + +From: Wei Wang + + +[ Upstream commit 76371d2e3ad1f84426a30ebcd8c3b9b98f4c724f ] + +In the existing dn_route.c code, dn_route_output_slow() takes +dst->__refcnt before calling dn_insert_route() while dn_route_input_slow() +does not take dst->__refcnt before calling dn_insert_route(). +This makes the whole routing code very buggy. +In dn_dst_check_expire(), dnrt_free() is called when rt expires. This +makes the routes inserted by dn_route_output_slow() not able to be +freed as the refcnt is not released. +In dn_dst_gc(), dnrt_drop() is called to release rt which could +potentially cause the dst->__refcnt to be dropped to -1. +In dn_run_flush(), dst_free() is called to release all the dst. Again, +it makes the dst inserted by dn_route_output_slow() not able to be +released and also, it does not wait on the rcu and could potentially +cause crash in the path where other users still refer to this dst. + +This patch makes sure both input and output path do not take +dst->__refcnt before calling dn_insert_route() and also makes sure +dnrt_free()/dst_free() is called when removing dst from the hash table. +The only difference between those 2 calls is that dnrt_free() waits on +the rcu while dst_free() does not. + +Signed-off-by: Wei Wang +Acked-by: Martin KaFai Lau +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/decnet/dn_route.c | 14 ++++---------- + 1 file changed, 4 insertions(+), 10 deletions(-) + +--- a/net/decnet/dn_route.c ++++ b/net/decnet/dn_route.c +@@ -188,12 +188,6 @@ static inline void dnrt_free(struct dn_r + call_rcu_bh(&rt->dst.rcu_head, dst_rcu_free); + } + +-static inline void dnrt_drop(struct dn_route *rt) +-{ +- dst_release(&rt->dst); +- call_rcu_bh(&rt->dst.rcu_head, dst_rcu_free); +-} +- + static void dn_dst_check_expire(unsigned long dummy) + { + int i; +@@ -248,7 +242,7 @@ static int dn_dst_gc(struct dst_ops *ops + } + *rtp = rt->dst.dn_next; + rt->dst.dn_next = NULL; +- dnrt_drop(rt); ++ dnrt_free(rt); + break; + } + spin_unlock_bh(&dn_rt_hash_table[i].lock); +@@ -350,7 +344,7 @@ static int dn_insert_route(struct dn_rou + dst_use(&rth->dst, now); + spin_unlock_bh(&dn_rt_hash_table[hash].lock); + +- dnrt_drop(rt); ++ dst_free(&rt->dst); + *rp = rth; + return 0; + } +@@ -380,7 +374,7 @@ static void dn_run_flush(unsigned long d + for(; rt; rt = next) { + next = rcu_dereference_raw(rt->dst.dn_next); + RCU_INIT_POINTER(rt->dst.dn_next, NULL); +- dst_free((struct dst_entry *)rt); ++ dnrt_free(rt); + } + + nothing_to_declare: +@@ -1187,7 +1181,7 @@ make_route: + if (dev_out->flags & IFF_LOOPBACK) + flags |= RTCF_LOCAL; + +- rt = dst_alloc(&dn_dst_ops, dev_out, 1, DST_OBSOLETE_NONE, DST_HOST); ++ rt = dst_alloc(&dn_dst_ops, dev_out, 0, DST_OBSOLETE_NONE, DST_HOST); + if (rt == NULL) + goto e_nobufs; + diff --git a/queue-4.4/decnet-dn_rtmsg-improve-input-length-sanitization-in-dnrmg_receive_user_skb.patch b/queue-4.4/decnet-dn_rtmsg-improve-input-length-sanitization-in-dnrmg_receive_user_skb.patch new file mode 100644 index 00000000000..db4a5b749b7 --- /dev/null +++ b/queue-4.4/decnet-dn_rtmsg-improve-input-length-sanitization-in-dnrmg_receive_user_skb.patch 
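Review bot: The dn_insert_route hunk is the one place that keeps the non-RCU `dst_free(&rt->dst)` while every other site moves to `dnrt_free()`, and nothing at that line says why the asymmetry is safe; the changelog explains it, the code should too. A one-line comment above it would suffice: `/* rt was never linked into the hash table, so no RCU grace period is needed */`. Removing the `dnrt_drop()` helper also means any caller not shown in these hunks would now fail to build, which is worth confirming against the rest of dn_route.c. dn_dst_gc, dn_insert_route, dn_run_flush and the make_route block all begin and end outside the hunks.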
@@ -0,0 +1,42 @@
+From foo@baz Thu Jun 29 19:38:17 CEST 2017
+From: Mateusz Jurczyk
+Date: Wed, 7 Jun 2017 16:14:29 +0200
+Subject: decnet: dn_rtmsg: Improve input length sanitization in dnrmg_receive_user_skb
+
+From: Mateusz Jurczyk
+
+
+[ Upstream commit dd0da17b209ed91f39872766634ca967c170ada1 ]
+
+Verify that the length of the socket buffer is sufficient to cover the
+nlmsghdr structure before accessing the nlh->nlmsg_len field for further
+input sanitization. If the client only supplies 1-3 bytes of data in
+sk_buff, then nlh->nlmsg_len remains partially uninitialized and
+contains leftover memory from the corresponding kernel allocation.
+Operating on such data may result in indeterminate evaluation of the
+nlmsg_len < sizeof(*nlh) expression.
+
+The bug was discovered by a runtime instrumentation designed to detect
+use of uninitialized memory in the kernel. The patch prevents this and
+other similar tools (e.g. KMSAN) from flagging this behavior in the future.
+
+Signed-off-by: Mateusz Jurczyk
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/decnet/netfilter/dn_rtmsg.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/decnet/netfilter/dn_rtmsg.c
++++ b/net/decnet/netfilter/dn_rtmsg.c
+@@ -102,7 +102,9 @@ static inline void dnrmg_receive_user_sk
+ {
+ struct nlmsghdr *nlh = nlmsg_hdr(skb);
+
+- if (nlh->nlmsg_len < sizeof(*nlh) || skb->len < nlh->nlmsg_len)
++ if (skb->len < sizeof(*nlh) ||
++ nlh->nlmsg_len < sizeof(*nlh) ||
++ skb->len < nlh->nlmsg_len)
+ return;
+
+ if (!netlink_capable(skb, CAP_NET_ADMIN))
diff --git a/queue-4.4/fix-an-intermittent-pr_emerg-warning-about-lo-becoming-free.patch b/queue-4.4/fix-an-intermittent-pr_emerg-warning-about-lo-becoming-free.patch
new file mode 100644
index 00000000000..c26709df590
--- /dev/null
+++ b/queue-4.4/fix-an-intermittent-pr_emerg-warning-about-lo-becoming-free.patch
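Review bot: The three-way length test in the new `if` is exactly the validation that the netlink helper `nlmsg_ok()` already encodes (buffer at least a header, nlmsg_len at least a header, nlmsg_len within the buffer), so hand-rolling it here leaves a second copy of that logic to keep in sync. `if (!nlmsg_ok(nlh, skb->len))` followed by `return;` says the same thing in one line and makes the intent obvious to the next reader. The helper takes its remaining-length argument as an int, so the implicit conversion from `skb->len` is worth a glance. The body of dnrmg_receive_user_skb continues past the end of the hunk.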
@@ -0,0 +1,76 @@ +From foo@baz Thu Jun 29 19:38:17 CEST 2017 +From: Krister Johansen +Date: Thu, 8 Jun 2017 13:12:38 -0700 +Subject: Fix an intermittent pr_emerg warning about lo becoming free. + +From: Krister Johansen + + +[ Upstream commit f186ce61bb8235d80068c390dc2aad7ca427a4c2 ] + +It looks like this: + +Message from syslogd@flamingo at Apr 26 00:45:00 ... + kernel:unregister_netdevice: waiting for lo to become free. Usage count = 4 + +They seem to coincide with net namespace teardown. + +The message is emitted by netdev_wait_allrefs(). + +Forced a kdump in netdev_run_todo, but found that the refcount on the lo +device was already 0 at the time we got to the panic. + +Used bcc to check the blocking in netdev_run_todo. The only places +where we're off cpu there are in the rcu_barrier() and msleep() calls. +That behavior is expected. The msleep time coincides with the amount of +time we spend waiting for the refcount to reach zero; the rcu_barrier() +wait times are not excessive. + +After looking through the list of callbacks that the netdevice notifiers +invoke in this path, it appears that the dst_dev_event is the most +interesting. The dst_ifdown path places a hold on the loopback_dev as +part of releasing the dev associated with the original dst cache entry. +Most of our notifier callbacks are straight-forward, but this one a) +looks complex, and b) places a hold on the network interface in +question. + +I constructed a new bcc script that watches various events in the +liftime of a dst cache entry. Note that dst_ifdown will take a hold on +the loopback device until the invalidated dst entry gets freed. + +[ __dst_free] on DST: ffff883ccabb7900 IF tap1008300eth0 invoked at 1282115677036183 + __dst_free + rcu_nocb_kthread + kthread + ret_from_fork +Acked-by: Eric Dumazet + +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/core/dst.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +--- a/net/core/dst.c ++++ b/net/core/dst.c +@@ -462,6 +462,20 @@ static int dst_dev_event(struct notifier + spin_lock_bh(&dst_garbage.lock); + dst = dst_garbage.list; + dst_garbage.list = NULL; ++ /* The code in dst_ifdown places a hold on the loopback device. ++ * If the gc entry processing is set to expire after a lengthy ++ * interval, this hold can cause netdev_wait_allrefs() to hang ++ * out and wait for a long time -- until the the loopback ++ * interface is released. If we're really unlucky, it'll emit ++ * pr_emerg messages to console too. Reset the interval here, ++ * so dst cleanups occur in a more timely fashion. ++ */ ++ if (dst_garbage.timer_inc > DST_GC_INC) { ++ dst_garbage.timer_inc = DST_GC_INC; ++ dst_garbage.timer_expires = DST_GC_MIN; ++ mod_delayed_work(system_wq, &dst_gc_work, ++ dst_garbage.timer_expires); ++ } + spin_unlock_bh(&dst_garbage.lock); + + if (last) diff --git a/queue-4.4/igmp-acquire-pmc-lock-for-ip_mc_clear_src.patch b/queue-4.4/igmp-acquire-pmc-lock-for-ip_mc_clear_src.patch new file mode 100644 index 00000000000..9c40e196485 --- /dev/null +++ b/queue-4.4/igmp-acquire-pmc-lock-for-ip_mc_clear_src.patch 
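Review bot: The new comment block in dst_dev_event has a doubled word, "until the the loopback", on its fourth line; it should read `* out and wait for a long time -- until the loopback`. The same comment would also be more useful if it named the guarantee the reset relies on, namely that the new block runs under `dst_garbage.lock`, which the surrounding spin_lock_bh/spin_unlock_bh lines in the hunk show but the comment does not mention. dst_dev_event starts and ends outside the hunk.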
@@ -0,0 +1,82 @@ +From foo@baz Thu Jun 29 19:38:17 CEST 2017 +From: WANG Cong +Date: Mon, 12 Jun 2017 09:52:26 -0700 +Subject: igmp: acquire pmc lock for ip_mc_clear_src() + +From: WANG Cong + + +[ Upstream commit c38b7d327aafd1e3ad7ff53eefac990673b65667 ] + +Andrey reported a use-after-free in add_grec(): + + for (psf = *psf_list; psf; psf = psf_next) { + ... + psf_next = psf->sf_next; + +where the struct ip_sf_list's were already freed by: + + kfree+0xe8/0x2b0 mm/slub.c:3882 + ip_mc_clear_src+0x69/0x1c0 net/ipv4/igmp.c:2078 + ip_mc_dec_group+0x19a/0x470 net/ipv4/igmp.c:1618 + ip_mc_drop_socket+0x145/0x230 net/ipv4/igmp.c:2609 + inet_release+0x4e/0x1c0 net/ipv4/af_inet.c:411 + sock_release+0x8d/0x1e0 net/socket.c:597 + sock_close+0x16/0x20 net/socket.c:1072 + +This happens because we don't hold pmc->lock in ip_mc_clear_src() +and a parallel mr_ifc_timer timer could jump in and access them. + +The RCU lock is there but it is merely for pmc itself, this +spinlock could actually ensure we don't access them in parallel. + +Thanks to Eric and Long for discussion on this bug. + +Reported-by: Andrey Konovalov +Cc: Eric Dumazet +Cc: Xin Long +Signed-off-by: Cong Wang +Reviewed-by: Xin Long +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/igmp.c | 21 +++++++++++++-------- + 1 file changed, 13 insertions(+), 8 deletions(-) + +--- a/net/ipv4/igmp.c ++++ b/net/ipv4/igmp.c +@@ -2026,21 +2026,26 @@ static int ip_mc_add_src(struct in_devic + + static void ip_mc_clear_src(struct ip_mc_list *pmc) + { +- struct ip_sf_list *psf, *nextpsf; ++ struct ip_sf_list *psf, *nextpsf, *tomb, *sources; + +- for (psf = pmc->tomb; psf; psf = nextpsf) { ++ spin_lock_bh(&pmc->lock); ++ tomb = pmc->tomb; ++ pmc->tomb = NULL; ++ sources = pmc->sources; ++ pmc->sources = NULL; ++ pmc->sfmode = MCAST_EXCLUDE; ++ pmc->sfcount[MCAST_INCLUDE] = 0; ++ pmc->sfcount[MCAST_EXCLUDE] = 1; ++ spin_unlock_bh(&pmc->lock); ++ ++ for (psf = tomb; psf; psf = nextpsf) { + nextpsf = psf->sf_next; + kfree(psf); + } +- pmc->tomb = NULL; +- for (psf = pmc->sources; psf; psf = nextpsf) { ++ for (psf = sources; psf; psf = nextpsf) { + nextpsf = psf->sf_next; + kfree(psf); + } +- pmc->sources = NULL; +- pmc->sfmode = MCAST_EXCLUDE; +- pmc->sfcount[MCAST_INCLUDE] = 0; +- pmc->sfcount[MCAST_EXCLUDE] = 1; + } + + /* Join a multicast group diff --git a/queue-4.4/igmp-add-a-missing-spin_lock_init.patch b/queue-4.4/igmp-add-a-missing-spin_lock_init.patch new file mode 100644 index 00000000000..6796b594cd4 --- /dev/null +++ b/queue-4.4/igmp-add-a-missing-spin_lock_init.patch 
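Review bot: The reworked ip_mc_clear_src detaches both lists and resets the counters under `pmc->lock`, then calls kfree() on the detached lists after the unlock, and nothing in the code records why the frees are deliberately kept outside the critical section. A short comment above the first loop would preserve that reasoning: `/* Lists were detached under pmc->lock; free them lock-free so the kfree() calls cannot race a timer that takes the same lock. */` (the race with mr_ifc_timer is described in the changelog, so hedge it there if the exact timer is not worth naming in code). The function is shown in full within the hunk.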
@@ -0,0 +1,57 @@ +From foo@baz Thu Jun 29 19:38:17 CEST 2017 +From: WANG Cong +Date: Tue, 20 Jun 2017 10:46:27 -0700 +Subject: igmp: add a missing spin_lock_init() + +From: WANG Cong + + +[ Upstream commit b4846fc3c8559649277e3e4e6b5cec5348a8d208 ] + +Andrey reported a lockdep warning on non-initialized +spinlock: + + INFO: trying to register non-static key. + the code is fine but needs lockdep annotation. + turning off the locking correctness validator. + CPU: 1 PID: 4099 Comm: a.out Not tainted 4.12.0-rc6+ #9 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 + Call Trace: + __dump_stack lib/dump_stack.c:16 + dump_stack+0x292/0x395 lib/dump_stack.c:52 + register_lock_class+0x717/0x1aa0 kernel/locking/lockdep.c:755 + ? 0xffffffffa0000000 + __lock_acquire+0x269/0x3690 kernel/locking/lockdep.c:3255 + lock_acquire+0x22d/0x560 kernel/locking/lockdep.c:3855 + __raw_spin_lock_bh ./include/linux/spinlock_api_smp.h:135 + _raw_spin_lock_bh+0x36/0x50 kernel/locking/spinlock.c:175 + spin_lock_bh ./include/linux/spinlock.h:304 + ip_mc_clear_src+0x27/0x1e0 net/ipv4/igmp.c:2076 + igmpv3_clear_delrec+0xee/0x4f0 net/ipv4/igmp.c:1194 + ip_mc_destroy_dev+0x4e/0x190 net/ipv4/igmp.c:1736 + +We miss a spin_lock_init() in igmpv3_add_delrec(), probably +because previously we never use it on this code path. Since +we already unlink it from the global mc_tomb list, it is +probably safe not to acquire this spinlock here. It does not +harm to have it although, to avoid conditional locking. + +Fixes: c38b7d327aaf ("igmp: acquire pmc lock for ip_mc_clear_src()") +Reported-by: Andrey Konovalov +Signed-off-by: Cong Wang +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/igmp.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/ipv4/igmp.c ++++ b/net/ipv4/igmp.c +@@ -1102,6 +1102,7 @@ static void igmpv3_add_delrec(struct in_ + pmc = kzalloc(sizeof(*pmc), GFP_KERNEL); + if (!pmc) + return; ++ spin_lock_init(&pmc->lock); + spin_lock_bh(&im->lock); + pmc->interface = im->interface; + in_dev_hold(in_dev); diff --git a/queue-4.4/ipv6-do-not-leak-throw-route-references.patch b/queue-4.4/ipv6-do-not-leak-throw-route-references.patch new file mode 100644 index 00000000000..5cbcc50d12c --- /dev/null +++ b/queue-4.4/ipv6-do-not-leak-throw-route-references.patch 
@@ -0,0 +1,95 @@ +From foo@baz Thu Jun 29 19:38:17 CEST 2017 +From: Serhey Popovych +Date: Tue, 20 Jun 2017 13:29:25 +0300 +Subject: ipv6: Do not leak throw route references + +From: Serhey Popovych + + +[ Upstream commit 07f615574f8ac499875b21c1142f26308234a92c ] + +While commit 73ba57bfae4a ("ipv6: fix backtracking for throw routes") +does good job on error propagation to the fib_rules_lookup() +in fib rules core framework that also corrects throw routes +handling, it does not solve route reference leakage problem +happened when we return -EAGAIN to the fib_rules_lookup() +and leave routing table entry referenced in arg->result. + +If rule with matched throw route isn't last matched in the +list we overwrite arg->result losing reference on throw +route stored previously forever. + +We also partially revert commit ab997ad40839 ("ipv6: fix the +incorrect return value of throw route") since we never return +routing table entry with dst.error == -EAGAIN when +CONFIG_IPV6_MULTIPLE_TABLES is on. Also there is no point +to check for RTF_REJECT flag since it is always set throw +route. + +Fixes: 73ba57bfae4a ("ipv6: fix backtracking for throw routes") +Signed-off-by: Serhey Popovych +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/fib6_rules.c | 22 ++++++---------------- + net/ipv6/ip6_fib.c | 3 +-- + 2 files changed, 7 insertions(+), 18 deletions(-) + +--- a/net/ipv6/fib6_rules.c ++++ b/net/ipv6/fib6_rules.c +@@ -32,7 +32,6 @@ struct fib6_rule { + struct dst_entry *fib6_rule_lookup(struct net *net, struct flowi6 *fl6, + int flags, pol_lookup_t lookup) + { +- struct rt6_info *rt; + struct fib_lookup_arg arg = { + .lookup_ptr = lookup, + .flags = FIB_LOOKUP_NOREF, +@@ -41,21 +40,11 @@ struct dst_entry *fib6_rule_lookup(struc + fib_rules_lookup(net->ipv6.fib6_rules_ops, + flowi6_to_flowi(fl6), flags, &arg); + +- rt = arg.result; ++ if (arg.result) ++ return arg.result; + +- if (!rt) { +- dst_hold(&net->ipv6.ip6_null_entry->dst); +- return &net->ipv6.ip6_null_entry->dst; +- } +- +- if (rt->rt6i_flags & RTF_REJECT && +- rt->dst.error == -EAGAIN) { +- ip6_rt_put(rt); +- rt = net->ipv6.ip6_null_entry; +- dst_hold(&rt->dst); +- } +- +- return &rt->dst; ++ dst_hold(&net->ipv6.ip6_null_entry->dst); ++ return &net->ipv6.ip6_null_entry->dst; + } + + static int fib6_rule_action(struct fib_rule *rule, struct flowi *flp, +@@ -116,7 +105,8 @@ static int fib6_rule_action(struct fib_r + flp6->saddr = saddr; + } + err = rt->dst.error; +- goto out; ++ if (err != -EAGAIN) ++ goto out; + } + again: + ip6_rt_put(rt); +--- a/net/ipv6/ip6_fib.c ++++ b/net/ipv6/ip6_fib.c +@@ -290,8 +290,7 @@ struct dst_entry *fib6_rule_lookup(struc + struct rt6_info *rt; + + rt = lookup(net, net->ipv6.fib6_main_tbl, fl6, flags); +- if (rt->rt6i_flags & RTF_REJECT && +- rt->dst.error == -EAGAIN) { ++ if (rt->dst.error == -EAGAIN) { + ip6_rt_put(rt); + rt = net->ipv6.ip6_null_entry; + dst_hold(&rt->dst); diff --git a/queue-4.4/ipv6-fix-calling-in6_ifa_hold-incorrectly-for-dad-work.patch b/queue-4.4/ipv6-fix-calling-in6_ifa_hold-incorrectly-for-dad-work.patch new file mode 100644 index 00000000000..2371feb085c --- /dev/null 
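Review bot: In the fib6_rules.c hunk, `return arg.result;` hands back a `void *` as a `struct dst_entry *`, where the removed code went through `struct rt6_info *rt` and returned `&rt->dst`; the new form is only correct because `dst` is the first member of `struct rt6_info`, and nothing at that line says so. Either keep the explicit member access, `return &((struct rt6_info *)arg.result)->dst;`, or add a comment stating the layout dependency so a future reordering of the struct cannot silently break the lookup. The ip6_fib.c hunk in this file drops the RTF_REJECT test, which matches the changelog. fib6_rule_lookup is shown in full; fib6_rule_action and the ip6_fib.c fib6_rule_lookup both continue outside their hunks.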
+++ b/queue-4.4/ipv6-fix-calling-in6_ifa_hold-incorrectly-for-dad-work.patch 
@@ -0,0 +1,64 @@ +From foo@baz Thu Jun 29 19:38:17 CEST 2017 +From: Xin Long +Date: Thu, 15 Jun 2017 16:33:58 +0800 +Subject: ipv6: fix calling in6_ifa_hold incorrectly for dad work + +From: Xin Long + + +[ Upstream commit f8a894b218138888542a5058d0e902378fd0d4ec ] + +Now when starting the dad work in addrconf_mod_dad_work, if the dad work +is idle and queued, it needs to hold ifa. + +The problem is there's one gap in [1], during which if the pending dad work +is removed elsewhere. It will miss to hold ifa, but the dad word is still +idea and queue. + + if (!delayed_work_pending(&ifp->dad_work)) + in6_ifa_hold(ifp); + <--------------[1] + mod_delayed_work(addrconf_wq, &ifp->dad_work, delay); + +An use-after-free issue can be caused by this. + +Chen Wei found this issue when WARN_ON(!hlist_unhashed(&ifp->addr_lst)) in +net6_ifa_finish_destroy was hit because of it. + +As Hannes' suggestion, this patch is to fix it by holding ifa first in +addrconf_mod_dad_work, then calling mod_delayed_work and putting ifa if +the dad_work is already in queue. + +Note that this patch did not choose to fix it with: + + if (!mod_delayed_work(delay)) + in6_ifa_hold(ifp); + +As with it, when delay == 0, dad_work would be scheduled immediately, all +addrconf_mod_dad_work(0) callings had to be moved under ifp->lock. + +Reported-by: Wei Chen +Suggested-by: Hannes Frederic Sowa +Acked-by: Hannes Frederic Sowa +Signed-off-by: Xin Long +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/addrconf.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/net/ipv6/addrconf.c ++++ b/net/ipv6/addrconf.c +@@ -291,9 +291,9 @@ static void addrconf_mod_rs_timer(struct + static void addrconf_mod_dad_work(struct inet6_ifaddr *ifp, + unsigned long delay) + { +- if (!delayed_work_pending(&ifp->dad_work)) +- in6_ifa_hold(ifp); +- mod_delayed_work(addrconf_wq, &ifp->dad_work, delay); ++ in6_ifa_hold(ifp); ++ if (mod_delayed_work(addrconf_wq, &ifp->dad_work, delay)) ++ in6_ifa_put(ifp); + } + + static int snmp6_alloc_dev(struct inet6_dev *idev) diff --git a/queue-4.4/net-8021q-fix-one-possible-panic-caused-by-bug_on-in-free_netdev.patch b/queue-4.4/net-8021q-fix-one-possible-panic-caused-by-bug_on-in-free_netdev.patch new file mode 100644 index 00000000000..7c496eb5953 --- /dev/null +++ b/queue-4.4/net-8021q-fix-one-possible-panic-caused-by-bug_on-in-free_netdev.patch 
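Review bot: The new hold/put pairing in addrconf_mod_dad_work is correct only because of what mod_delayed_work() returns, and that contract is not stated at the call site. A comment on the new `if` would spare the next reader a trip to the changelog: `/* mod_delayed_work() returns true if dad_work was already pending, in which case the reference taken when it was first queued is still held; drop the extra one. */`. The function is shown in full within the hunk.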
@@ -0,0 +1,73 @@ +From foo@baz Thu Jun 29 19:38:17 CEST 2017 +From: Gao Feng +Date: Fri, 16 Jun 2017 15:00:02 +0800 +Subject: net: 8021q: Fix one possible panic caused by BUG_ON in free_netdev + +From: Gao Feng + + +[ Upstream commit 9745e362add89432d2c951272a99b0a5fe4348a9 ] + +The register_vlan_device would invoke free_netdev directly, when +register_vlan_dev failed. It would trigger the BUG_ON in free_netdev +if the dev was already registered. In this case, the netdev would be +freed in netdev_run_todo later. + +So add one condition check now. Only when dev is not registered, then +free it directly. + +The following is the part coredump when netdev_upper_dev_link failed +in register_vlan_dev. I removed the lines which are too long. + +[ 411.237457] ------------[ cut here ]------------ +[ 411.237458] kernel BUG at net/core/dev.c:7998! +[ 411.237484] invalid opcode: 0000 [#1] SMP +[ 411.237705] [last unloaded: 8021q] +[ 411.237718] CPU: 1 PID: 12845 Comm: vconfig Tainted: G E 4.12.0-rc5+ #6 +[ 411.237737] Hardware name: VMware, Inc. 
VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 07/02/2015 +[ 411.237764] task: ffff9cbeb6685580 task.stack: ffffa7d2807d8000 +[ 411.237782] RIP: 0010:free_netdev+0x116/0x120 +[ 411.237794] RSP: 0018:ffffa7d2807dbdb0 EFLAGS: 00010297 +[ 411.237808] RAX: 0000000000000002 RBX: ffff9cbeb6ba8fd8 RCX: 0000000000001878 +[ 411.237826] RDX: 0000000000000001 RSI: 0000000000000282 RDI: 0000000000000000 +[ 411.237844] RBP: ffffa7d2807dbdc8 R08: 0002986100029841 R09: 0002982100029801 +[ 411.237861] R10: 0004000100029980 R11: 0004000100029980 R12: ffff9cbeb6ba9000 +[ 411.238761] R13: ffff9cbeb6ba9060 R14: ffff9cbe60f1a000 R15: ffff9cbeb6ba9000 +[ 411.239518] FS: 00007fb690d81700(0000) GS:ffff9cbebb640000(0000) knlGS:0000000000000000 +[ 411.239949] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 411.240454] CR2: 00007f7115624000 CR3: 0000000077cdf000 CR4: 00000000003406e0 +[ 411.240936] Call Trace: +[ 411.241462] vlan_ioctl_handler+0x3f1/0x400 [8021q] +[ 411.241910] sock_ioctl+0x18b/0x2c0 +[ 411.242394] do_vfs_ioctl+0xa1/0x5d0 +[ 411.242853] ? sock_alloc_file+0xa6/0x130 +[ 411.243465] SyS_ioctl+0x79/0x90 +[ 411.243900] entry_SYSCALL_64_fastpath+0x1e/0xa9 +[ 411.244425] RIP: 0033:0x7fb69089a357 +[ 411.244863] RSP: 002b:00007ffcd04e0fc8 EFLAGS: 00000202 ORIG_RAX: 0000000000000010 +[ 411.245445] RAX: ffffffffffffffda RBX: 00007ffcd04e2884 RCX: 00007fb69089a357 +[ 411.245903] RDX: 00007ffcd04e0fd0 RSI: 0000000000008983 RDI: 0000000000000003 +[ 411.246527] RBP: 00007ffcd04e0fd0 R08: 0000000000000000 R09: 1999999999999999 +[ 411.246976] R10: 000000000000053f R11: 0000000000000202 R12: 0000000000000004 +[ 411.247414] R13: 00007ffcd04e1128 R14: 00007ffcd04e2888 R15: 0000000000000001 +[ 411.249129] RIP: free_netdev+0x116/0x120 RSP: ffffa7d2807dbdb0 + +Signed-off-by: Gao Feng +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/8021q/vlan.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/8021q/vlan.c ++++ b/net/8021q/vlan.c +@@ -278,7 +278,8 @@ static int register_vlan_device(struct n + return 0; + + out_free_newdev: +- free_netdev(new_dev); ++ if (new_dev->reg_state == NETREG_UNINITIALIZED) ++ free_netdev(new_dev); + return err; + } + diff --git a/queue-4.4/net-caif-fix-a-sleep-in-atomic-bug-in-cfpkt_create_pfx.patch b/queue-4.4/net-caif-fix-a-sleep-in-atomic-bug-in-cfpkt_create_pfx.patch new file mode 100644 index 00000000000..9718ff4f9c6 --- /dev/null +++ b/queue-4.4/net-caif-fix-a-sleep-in-atomic-bug-in-cfpkt_create_pfx.patch 
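Review bot: The new `reg_state == NETREG_UNINITIALIZED` guard in register_vlan_device leaves the other branch silent: when the device was already registered, `new_dev` is simply not freed here, and a reader has to know that netdev_run_todo() takes care of it after unregister_netdevice(). A comment above the check would make that ownership explicit: `/* A registered device is torn down by register_vlan_dev() and freed later by netdev_run_todo(); only free it here if it never reached that point. */`. Whether register_vlan_dev() unregisters the device on every failure path is outside this hunk and worth confirming. register_vlan_device starts outside the hunk.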
@@ -0,0 +1,50 @@ +From foo@baz Thu Jun 29 19:38:17 CEST 2017 +From: Jia-Ju Bai +Date: Sat, 10 Jun 2017 16:49:39 +0800 +Subject: net: caif: Fix a sleep-in-atomic bug in cfpkt_create_pfx + +From: Jia-Ju Bai + + +[ Upstream commit f146e872eb12ebbe92d8e583b2637e0741440db3 ] + +The kernel may sleep under a rcu read lock in cfpkt_create_pfx, and the +function call path is: +cfcnfg_linkup_rsp (acquire the lock by rcu_read_lock) + cfctrl_linkdown_req + cfpkt_create + cfpkt_create_pfx + alloc_skb(GFP_KERNEL) --> may sleep +cfserl_receive (acquire the lock by rcu_read_lock) + cfpkt_split + cfpkt_create_pfx + alloc_skb(GFP_KERNEL) --> may sleep + +There is "in_interrupt" in cfpkt_create_pfx to decide use "GFP_KERNEL" or +"GFP_ATOMIC". In this situation, "GFP_KERNEL" is used because the function +is called under a rcu read lock, instead in interrupt. + +To fix it, only "GFP_ATOMIC" is used in cfpkt_create_pfx. + +Signed-off-by: Jia-Ju Bai +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/caif/cfpkt_skbuff.c | 6 +----- + 1 file changed, 1 insertion(+), 5 deletions(-) + +--- a/net/caif/cfpkt_skbuff.c ++++ b/net/caif/cfpkt_skbuff.c +@@ -81,11 +81,7 @@ static struct cfpkt *cfpkt_create_pfx(u1 + { + struct sk_buff *skb; + +- if (likely(in_interrupt())) +- skb = alloc_skb(len + pfx, GFP_ATOMIC); +- else +- skb = alloc_skb(len + pfx, GFP_KERNEL); +- ++ skb = alloc_skb(len + pfx, GFP_ATOMIC); + if (unlikely(skb == NULL)) + return NULL; + diff --git a/queue-4.4/net-don-t-call-strlen-on-non-terminated-string-in-dev_set_alias.patch b/queue-4.4/net-don-t-call-strlen-on-non-terminated-string-in-dev_set_alias.patch new file mode 100644 index 00000000000..f274a8e77cf --- /dev/null +++ b/queue-4.4/net-don-t-call-strlen-on-non-terminated-string-in-dev_set_alias.patch 
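Review bot: With the in_interrupt() branch gone, cfpkt_create_pfx reads as a plain `GFP_ATOMIC` allocation with no indication that callers may reach it under rcu_read_lock(), which is the whole reason for the change and is easy to "fix back" later. A one-line comment above the alloc_skb() call would protect it: `/* Callers may hold rcu_read_lock(), so this allocation must never sleep. */`. The `unlikely(skb == NULL)` check below already handles the atomic-allocation failure case. cfpkt_create_pfx continues past the end of the hunk.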
@@ -0,0 +1,34 @@
+From foo@baz Thu Jun 29 19:38:17 CEST 2017
+From: Alexander Potapenko
+Date: Tue, 6 Jun 2017 15:56:54 +0200
+Subject: net: don't call strlen on non-terminated string in dev_set_alias()
+
+From: Alexander Potapenko
+
+
+[ Upstream commit c28294b941232931fbd714099798eb7aa7e865d7 ]
+
+KMSAN reported a use of uninitialized memory in dev_set_alias(),
+which was caused by calling strlcpy() (which in turn called strlen())
+on the user-supplied non-terminated string.
+
+Signed-off-by: Alexander Potapenko
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/core/dev.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -1246,8 +1246,9 @@ int dev_set_alias(struct net_device *dev
+ if (!new_ifalias)
+ return -ENOMEM;
+ dev->ifalias = new_ifalias;
++ memcpy(dev->ifalias, alias, len);
++ dev->ifalias[len] = 0;
+
+- strlcpy(dev->ifalias, alias, len+1);
+ return len;
+ }
+
diff --git a/queue-4.4/net-mlx5-wait-for-fw-readiness-before-initializing-command-interface.patch b/queue-4.4/net-mlx5-wait-for-fw-readiness-before-initializing-command-interface.patch
new file mode 100644
index 00000000000..1ad9c6d5c75
--- /dev/null
+++ b/queue-4.4/net-mlx5-wait-for-fw-readiness-before-initializing-command-interface.patch
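Review bot: `dev->ifalias[len] = 0;` writes one byte past the `len` bytes just copied, so the new code is correct only if the reallocation that produced `new_ifalias` (above the hunk) sized the buffer as `len + 1`, which the old `strlcpy(..., len+1)` also assumed but is now worth stating: `/* new_ifalias holds len + 1 bytes; copy verbatim and terminate */`. Note the semantic shift as well: strlcpy stopped at the first NUL in `alias`, whereas memcpy now stores all `len` bytes, so an alias with an embedded NUL keeps bytes that C-string readers of `ifalias` will never see; harmless if `len` is bounded by the caller (not visible here), but worth confirming. The terminator would read more conventionally as `'\0'` than `0`. dev_set_alias starts outside the hunk.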
@@ -0,0 +1,56 @@ +From foo@baz Thu Jun 29 19:38:17 CEST 2017 +From: Eli Cohen +Date: Thu, 8 Jun 2017 11:33:16 -0500 +Subject: net/mlx5: Wait for FW readiness before initializing command interface + +From: Eli Cohen + + +[ Upstream commit 6c780a0267b8a1075f40b39851132eeaefefcff5 ] + +Before attempting to initialize the command interface we must wait till +the fw_initializing bit is clear. + +If we fail to meet this condition the hardware will drop our +configuration, specifically the descriptors page address. This scenario +can happen when the firmware is still executing an FLR flow and did not +finish yet so the driver needs to wait for that to finish. + +Fixes: e3297246c2c8 ('net/mlx5_core: Wait for FW readiness on startup') +Signed-off-by: Eli Cohen +Signed-off-by: Saeed Mahameed +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlx5/core/main.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/mellanox/mlx5/core/main.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/main.c +@@ -153,8 +153,9 @@ static struct mlx5_profile profile[] = { + }, + }; + +-#define FW_INIT_TIMEOUT_MILI 2000 +-#define FW_INIT_WAIT_MS 2 ++#define FW_INIT_TIMEOUT_MILI 2000 ++#define FW_INIT_WAIT_MS 2 ++#define FW_PRE_INIT_TIMEOUT_MILI 10000 + + static int wait_fw_init(struct mlx5_core_dev *dev, u32 max_wait_mili) + { +@@ -934,6 +935,15 @@ static int mlx5_load_one(struct mlx5_cor + */ + dev->state = MLX5_DEVICE_STATE_UP; + ++ /* wait for firmware to accept initialization segments configurations ++ */ ++ err = wait_fw_init(dev, FW_PRE_INIT_TIMEOUT_MILI); ++ if (err) { ++ dev_err(&dev->pdev->dev, "Firmware over %d MS in pre-initializing state, aborting\n", ++ FW_PRE_INIT_TIMEOUT_MILI); ++ goto out; ++ } ++ + err = mlx5_cmd_init(dev); + if (err) { + dev_err(&pdev->dev, "Failed initializing command interface, aborting\n"); 
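Review bot: The new error path in mlx5_load_one prints through `dev_err(&dev->pdev->dev, ...)` while the existing mlx5_cmd_init failure two lines below uses `dev_err(&pdev->dev, ...)`, so a local `pdev` is already in scope and the new line should match it: `dev_err(&pdev->dev, "Firmware over %d MS in pre-initializing state, aborting\n",`. Separately, the wait is inserted right after `dev->state = MLX5_DEVICE_STATE_UP;` and bails with `goto out`; if the `out:` label (outside the hunk) does not reset the state on this path, a device that times out in pre-init is left flagged UP, so either confirm the label handles it or move the wait above the state assignment. The realigned `#define` lines are whitespace-only. mlx5_load_one starts and ends outside the hunk.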
diff --git a/queue-4.4/net-zero-ifla_vf_info-in-rtnl_fill_vfinfo.patch b/queue-4.4/net-zero-ifla_vf_info-in-rtnl_fill_vfinfo.patch new file mode 100644 index 00000000000..2dd8a39268c --- /dev/null +++ b/queue-4.4/net-zero-ifla_vf_info-in-rtnl_fill_vfinfo.patch @@ -0,0 +1,42 @@ +From foo@baz Thu Jun 29 19:38:17 CEST 2017 +From: "Mintz, Yuval" +Date: Wed, 7 Jun 2017 21:00:33 +0300 +Subject: net: Zero ifla_vf_info in rtnl_fill_vfinfo() + +From: "Mintz, Yuval" + + +[ Upstream commit 0eed9cf58446b28b233388b7f224cbca268b6986 ] + +Some of the structure's fields are not initialized by the +rtnetlink. If driver doesn't set those in ndo_get_vf_config(), +they'd leak memory to user. + +Signed-off-by: Yuval Mintz +CC: Michal Schmidt +Reviewed-by: Greg Rose +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/core/rtnetlink.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/core/rtnetlink.c ++++ b/net/core/rtnetlink.c +@@ -1089,6 +1089,8 @@ static noinline_for_stack int rtnl_fill_ + struct ifla_vf_mac vf_mac; + struct ifla_vf_info ivi; + ++ memset(&ivi, 0, sizeof(ivi)); ++ + /* Not all SR-IOV capable drivers support the + * spoofcheck and "RSS query enable" query. Preset to + * -1 so the user space tool can detect that the driver +@@ -1097,7 +1099,6 @@ static noinline_for_stack int rtnl_fill_ + ivi.spoofchk = -1; + ivi.rss_query_en = -1; + ivi.trusted = -1; +- memset(ivi.mac, 0, sizeof(ivi.mac)); + /* The default value for VF link state is "auto" + * IFLA_VF_LINK_STATE_AUTO which equals zero + */ diff --git a/queue-4.4/rtnetlink-add-ifla_group-to-ifla_policy.patch b/queue-4.4/rtnetlink-add-ifla_group-to-ifla_policy.patch new file mode 100644 index 00000000000..017664aeafb --- /dev/null +++ b/queue-4.4/rtnetlink-add-ifla_group-to-ifla_policy.patch 
@@ -0,0 +1,42 @@
+From foo@baz Thu Jun 29 19:38:17 CEST 2017
+From: Serhey Popovych
+Date: Tue, 20 Jun 2017 14:35:23 +0300
+Subject: rtnetlink: add IFLA_GROUP to ifla_policy
+
+From: Serhey Popovych
+
+
+[ Upstream commit db833d40ad3263b2ee3b59a1ba168bb3cfed8137 ]
+
+Network interface groups support added while ago, however
+there is no IFLA_GROUP attribute description in policy
+and netlink message size calculations until now.
+
+Add IFLA_GROUP attribute to the policy.
+
+Fixes: cbda10fa97d7 ("net_device: add support for network device groups")
+Signed-off-by: Serhey Popovych
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/core/rtnetlink.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/core/rtnetlink.c
++++ b/net/core/rtnetlink.c
+@@ -897,6 +897,7 @@ static noinline size_t if_nlmsg_size(con
+ + nla_total_size(1) /* IFLA_LINKMODE */
+ + nla_total_size(4) /* IFLA_CARRIER_CHANGES */
+ + nla_total_size(4) /* IFLA_LINK_NETNSID */
++ + nla_total_size(4) /* IFLA_GROUP */
+ + nla_total_size(ext_filter_mask
+ & RTEXT_FILTER_VF ? 4 : 0) /* IFLA_NUM_VF */
+ + rtnl_vfinfo_size(dev, ext_filter_mask) /* IFLA_VFINFO_LIST */
+@@ -1371,6 +1372,7 @@ static const struct nla_policy ifla_poli
+ [IFLA_PHYS_SWITCH_ID] = { .type = NLA_BINARY, .len = MAX_PHYS_ITEM_ID_LEN },
+ [IFLA_LINK_NETNSID] = { .type = NLA_S32 },
+ [IFLA_PROTO_DOWN] = { .type = NLA_U8 },
++ [IFLA_GROUP] = { .type = NLA_U32 },
+ };
+ 
+ static const struct nla_policy ifla_info_policy[IFLA_INFO_MAX+1] = {
diff --git a/queue-4.4/series b/queue-4.4/series
index 035e36a7921..edde3b0cba3 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
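Review bot: The `[IFLA_GROUP] = { .type = NLA_U32 }` policy entry does more than the description credits it with: as far as I can tell, an attribute with no policy entry gets no minimum-length check from nla_parse, so a short IFLA_GROUP supplied from user space could be read past its payload by the nla_get_u32(tb[IFLA_GROUP]) consumer (presumably in do_setlink, outside the hunk), and this entry is what closes that. A short trailing comment would keep the intent from being lost in a later policy reshuffle, e.g. `[IFLA_GROUP] = { .type = NLA_U32 }, /* also enforces 4-byte minimum on input */`. The if_nlmsg_size addition is purely message-size accounting; both if_nlmsg_size and ifla_policy start before the hunk.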
@@ -1 +1,16 @@
 ipv6-release-dst-on-error-in-ip6_dst_lookup_tail.patch
+net-don-t-call-strlen-on-non-terminated-string-in-dev_set_alias.patch
+decnet-dn_rtmsg-improve-input-length-sanitization-in-dnrmg_receive_user_skb.patch
+net-zero-ifla_vf_info-in-rtnl_fill_vfinfo.patch
+af_unix-add-sockaddr-length-checks-before-accessing-sa_family-in-bind-and-connect-handlers.patch
+fix-an-intermittent-pr_emerg-warning-about-lo-becoming-free.patch
+net-caif-fix-a-sleep-in-atomic-bug-in-cfpkt_create_pfx.patch
+igmp-acquire-pmc-lock-for-ip_mc_clear_src.patch
+igmp-add-a-missing-spin_lock_init.patch
+ipv6-fix-calling-in6_ifa_hold-incorrectly-for-dad-work.patch
+net-mlx5-wait-for-fw-readiness-before-initializing-command-interface.patch
+decnet-always-not-take-dst-__refcnt-when-inserting-dst-into-hash-table.patch
+net-8021q-fix-one-possible-panic-caused-by-bug_on-in-free_netdev.patch
+sfc-provide-dummy-definitions-of-vswitch-functions.patch
+ipv6-do-not-leak-throw-route-references.patch
+rtnetlink-add-ifla_group-to-ifla_policy.patch
diff --git a/queue-4.4/sfc-provide-dummy-definitions-of-vswitch-functions.patch b/queue-4.4/sfc-provide-dummy-definitions-of-vswitch-functions.patch
new file mode 100644
index 00000000000..0f73a7a80b3
--- /dev/null
+++ b/queue-4.4/sfc-provide-dummy-definitions-of-vswitch-functions.patch
@@ -0,0 +1,50 @@
+From foo@baz Thu Jun 29 19:38:17 CEST 2017
+From: Bert Kenward
+Date: Fri, 16 Jun 2017 09:45:08 +0100
+Subject: sfc: provide dummy definitions of vswitch functions
+
+From: Bert Kenward
+
+
+efx_probe_all() calls efx->type->vswitching_probe during probe. For
+SFC4000 (Falcon) NICs this function is not defined, leading to a BUG
+with the top of the call stack similar to:
+ ? efx_pci_probe_main+0x29a/0x830
+ efx_pci_probe+0x7d3/0xe70
+
+vswitching_restore and vswitching_remove also need to be defined.
+
+Fixed in mainline by:
+commit 5a6681e22c14 ("sfc: separate out SFC4000 ("Falcon") support into new sfc-falcon driver")
+
+Fixes: 6d8aaaf6f798 ("sfc: create VEB vswitch and vport above default firmware setup")
+Signed-off-by: Bert Kenward
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/sfc/falcon.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/drivers/net/ethernet/sfc/falcon.c
++++ b/drivers/net/ethernet/sfc/falcon.c
+@@ -2796,6 +2796,11 @@ const struct efx_nic_type falcon_a1_nic_
+ .timer_period_max = 1 << FRF_AB_TC_TIMER_VAL_WIDTH,
+ .offload_features = NETIF_F_IP_CSUM,
+ .mcdi_max_ver = -1,
++#ifdef CONFIG_SFC_SRIOV
++ .vswitching_probe = efx_port_dummy_op_int,
++ .vswitching_restore = efx_port_dummy_op_int,
++ .vswitching_remove = efx_port_dummy_op_void,
++#endif
+ };
+ 
+ const struct efx_nic_type falcon_b0_nic_type = {
+@@ -2897,4 +2902,9 @@ const struct efx_nic_type falcon_b0_nic_
+ .offload_features = NETIF_F_IP_CSUM | NETIF_F_RXHASH | NETIF_F_NTUPLE,
+ .mcdi_max_ver = -1,
+ .max_rx_ip_filters = FR_BZ_RX_FILTER_TBL0_ROWS,
++#ifdef CONFIG_SFC_SRIOV
++ .vswitching_probe = efx_port_dummy_op_int,
++ .vswitching_restore = efx_port_dummy_op_int,
++ .vswitching_remove = efx_port_dummy_op_void,
++#endif
+ };
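Review bot: The identical five-line `#ifdef CONFIG_SFC_SRIOV` block is added to both falcon_a1_nic_type and falcon_b0_nic_type with nothing in the source saying why a NIC that has no vswitch carries these callbacks, and since the description states mainline fixed this by splitting the driver rather than by this change, the next person backporting or cleaning up has no pointer. Suggest one comment above each block, `/* SFC4000 has no vswitch, but efx_probe_all() still calls these; stable-only, mainline fixed by 5a6681e22c14 */`. Whether the call sites in efx.c and the efx_nic_type members are guarded by the same ifdef, and whether efx_port_dummy_op_int/efx_port_dummy_op_void are declared for this file, cannot be checked from the hunk. Both struct initializers start before the hunk.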