From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Sun, 14 Aug 2016 18:49:30 +0000 (+0200)
Subject: 3.14-stable patches
X-Git-Tag: v3.14.76~8
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=6d362c2165125350b6d5c7dbbc9db85935f1386e;p=thirdparty%2Fkernel%2Fstable-queue.git

3.14-stable patches

added patches:
	bonding-set-carrier-off-for-devices-created-through-netlink.patch
	net-irda-fix-null-pointer-dereference-on-memory-allocation-failure.patch
	tcp-consider-recv-buf-for-the-initial-window-scale.patch
	tcp-make-challenge-acks-less-predictable.patch
---

diff --git a/queue-3.14/bonding-set-carrier-off-for-devices-created-through-netlink.patch b/queue-3.14/bonding-set-carrier-off-for-devices-created-through-netlink.patch
new file mode 100644
index 00000000000..886d57eacf4
--- /dev/null
+++ b/queue-3.14/bonding-set-carrier-off-for-devices-created-through-netlink.patch
@@ -0,0 +1,50 @@
+From foo@baz Sun Aug 14 20:39:28 CEST 2016
+From: Beniamino Galvani <bgalvani@redhat.com>
+Date: Wed, 13 Jul 2016 18:25:08 +0200
+Subject: bonding: set carrier off for devices created through netlink
+Status: RO
+Content-Length: 1378
+Lines: 44
+
+From: Beniamino Galvani <bgalvani@redhat.com>
+
+[ Upstream commit 005db31d5f5f7c31cfdc43505d77eb3ca5cf8ec6 ]
+
+Commit e826eafa65c6 ("bonding: Call netif_carrier_off after
+register_netdevice") moved netif_carrier_off() from bond_init() to
+bond_create(), but the latter is called only for initial default
+devices and ones created through sysfs:
+
+ $ modprobe bonding
+ $ echo +bond1 > /sys/class/net/bonding_masters
+ $ ip link add bond2 type bond
+ $ grep "MII Status" /proc/net/bonding/*
+ /proc/net/bonding/bond0:MII Status: down
+ /proc/net/bonding/bond1:MII Status: down
+ /proc/net/bonding/bond2:MII Status: up
+
+Ensure that carrier is initially off also for devices created through
+netlink.
+
+Signed-off-by: Beniamino Galvani <bgalvani@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/bonding/bond_netlink.c |    6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/bonding/bond_netlink.c
++++ b/drivers/net/bonding/bond_netlink.c
+@@ -360,7 +360,11 @@ static int bond_newlink(struct net *src_
+ 	if (err < 0)
+ 		return err;
+ 
+-	return register_netdevice(bond_dev);
++	err = register_netdevice(bond_dev);
++
++	netif_carrier_off(bond_dev);
++
++	return err;
+ }
+ 
+ static size_t bond_get_size(const struct net_device *bond_dev)
diff --git a/queue-3.14/net-irda-fix-null-pointer-dereference-on-memory-allocation-failure.patch b/queue-3.14/net-irda-fix-null-pointer-dereference-on-memory-allocation-failure.patch
new file mode 100644
index 00000000000..d0d86123ce2
--- /dev/null
+++ b/queue-3.14/net-irda-fix-null-pointer-dereference-on-memory-allocation-failure.patch
@@ -0,0 +1,72 @@
+From foo@baz Sun Aug 14 20:39:28 CEST 2016
+From: Vegard Nossum <vegard.nossum@oracle.com>
+Date: Sat, 23 Jul 2016 07:43:50 +0200
+Subject: net/irda: fix NULL pointer dereference on memory allocation failure
+Status: RO
+Content-Length: 2956
+Lines: 66
+
+From: Vegard Nossum <vegard.nossum@oracle.com>
+
+[ Upstream commit d3e6952cfb7ba5f4bfa29d4803ba91f96ce1204d ]
+
+I ran into this:
+
+    kasan: CONFIG_KASAN_INLINE enabled
+    kasan: GPF could be caused by NULL-ptr deref or user memory access
+    general protection fault: 0000 [#1] PREEMPT SMP KASAN
+    CPU: 2 PID: 2012 Comm: trinity-c3 Not tainted 4.7.0-rc7+ #19
+    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
+    task: ffff8800b745f2c0 ti: ffff880111740000 task.ti: ffff880111740000
+    RIP: 0010:[<ffffffff82bbf066>]  [<ffffffff82bbf066>] irttp_connect_request+0x36/0x710
+    RSP: 0018:ffff880111747bb8  EFLAGS: 00010286
+    RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000069dd8358
+    RDX: 0000000000000009 RSI: 0000000000000027 RDI: 0000000000000048
+    RBP: ffff880111747c00 R08: 0000000000000000 R09: 0000000000000000
+    R10: 0000000069dd8358 R11: 1ffffffff0759723 R12: 0000000000000000
+    R13: ffff88011a7e4780 R14: 0000000000000027 R15: 0000000000000000
+    FS:  00007fc738404700(0000) GS:ffff88011af00000(0000) knlGS:0000000000000000
+    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+    CR2: 00007fc737fdfb10 CR3: 0000000118087000 CR4: 00000000000006e0
+    Stack:
+     0000000000000200 ffff880111747bd8 ffffffff810ee611 ffff880119f1f220
+     ffff880119f1f4f8 ffff880119f1f4f0 ffff88011a7e4780 ffff880119f1f232
+     ffff880119f1f220 ffff880111747d58 ffffffff82bca542 0000000000000000
+    Call Trace:
+     [<ffffffff82bca542>] irda_connect+0x562/0x1190
+     [<ffffffff825ae582>] SYSC_connect+0x202/0x2a0
+     [<ffffffff825b4489>] SyS_connect+0x9/0x10
+     [<ffffffff8100334c>] do_syscall_64+0x19c/0x410
+     [<ffffffff83295ca5>] entry_SYSCALL64_slow_path+0x25/0x25
+    Code: 41 89 ca 48 89 e5 41 57 41 56 41 55 41 54 41 89 d7 53 48 89 fb 48 83 c7 48 48 89 fa 41 89 f6 48 c1 ea 03 48 83 ec 20 4c 8b 65 10 <0f> b6 04 02 84 c0 74 08 84 c0 0f 8e 4c 04 00 00 80 7b 48 00 74
+    RIP  [<ffffffff82bbf066>] irttp_connect_request+0x36/0x710
+     RSP <ffff880111747bb8>
+    ---[ end trace 4cda2588bc055b30 ]---
+
+The problem is that irda_open_tsap() can fail and leave self->tsap = NULL,
+and then irttp_connect_request() almost immediately dereferences it.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/irda/af_irda.c |    7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/net/irda/af_irda.c
++++ b/net/irda/af_irda.c
+@@ -1037,8 +1037,11 @@ static int irda_connect(struct socket *s
+ 	}
+ 
+ 	/* Check if we have opened a local TSAP */
+-	if (!self->tsap)
+-		irda_open_tsap(self, LSAP_ANY, addr->sir_name);
++	if (!self->tsap) {
++		err = irda_open_tsap(self, LSAP_ANY, addr->sir_name);
++		if (err)
++			goto out;
++	}
+ 
+ 	/* Move to connecting socket, start sending Connect Requests */
+ 	sock->state = SS_CONNECTING;
diff --git a/queue-3.14/series b/queue-3.14/series
index 185046ce51f..326fd14c0a4 100644
--- a/queue-3.14/series
+++ b/queue-3.14/series
@@ -22,3 +22,7 @@ ext4-check-for-extents-that-wrap-around.patch
 ext4-fix-deadlock-during-page-writeback.patch
 ext4-don-t-call-ext4_should_journal_data-on-the-journal-inode.patch
 ext4-short-cut-orphan-cleanup-on-error.patch
+bonding-set-carrier-off-for-devices-created-through-netlink.patch
+net-irda-fix-null-pointer-dereference-on-memory-allocation-failure.patch
+tcp-consider-recv-buf-for-the-initial-window-scale.patch
+tcp-make-challenge-acks-less-predictable.patch
diff --git a/queue-3.14/tcp-consider-recv-buf-for-the-initial-window-scale.patch b/queue-3.14/tcp-consider-recv-buf-for-the-initial-window-scale.patch
new file mode 100644
index 00000000000..a8f2ff5e78a
--- /dev/null
+++ b/queue-3.14/tcp-consider-recv-buf-for-the-initial-window-scale.patch
@@ -0,0 +1,47 @@
+From foo@baz Sun Aug 14 20:39:28 CEST 2016
+From: Soheil Hassas Yeganeh <soheil@google.com>
+Date: Fri, 29 Jul 2016 09:34:02 -0400
+Subject: tcp: consider recv buf for the initial window scale
+Status: RO
+Content-Length: 1613
+Lines: 40
+
+From: Soheil Hassas Yeganeh <soheil@google.com>
+
+[ Upstream commit f626300a3e776ccc9671b0dd94698fb3aa315966 ]
+
+tcp_select_initial_window() intends to advertise a window
+scaling for the maximum possible window size. To do so,
+it considers the maximum of net.ipv4.tcp_rmem[2] and
+net.core.rmem_max as the only possible upper-bounds.
+However, users with CAP_NET_ADMIN can use SO_RCVBUFFORCE
+to set the socket's receive buffer size to values
+larger than net.ipv4.tcp_rmem[2] and net.core.rmem_max.
+Thus, SO_RCVBUFFORCE is effectively ignored by
+tcp_select_initial_window().
+
+To fix this, consider the maximum of net.ipv4.tcp_rmem[2],
+net.core.rmem_max and socket's initial buffer space.
+
+Fixes: b0573dea1fb3 ("[NET]: Introduce SO_{SND,RCV}BUFFORCE socket options")
+Signed-off-by: Soheil Hassas Yeganeh <soheil@google.com>
+Suggested-by: Neal Cardwell <ncardwell@google.com>
+Acked-by: Neal Cardwell <ncardwell@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/tcp_output.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/ipv4/tcp_output.c
++++ b/net/ipv4/tcp_output.c
+@@ -242,7 +242,8 @@ void tcp_select_initial_window(int __spa
+ 		/* Set window scaling on max possible window
+ 		 * See RFC1323 for an explanation of the limit to 14
+ 		 */
+-		space = max_t(u32, sysctl_tcp_rmem[2], sysctl_rmem_max);
++		space = max_t(u32, space, sysctl_tcp_rmem[2]);
++		space = max_t(u32, space, sysctl_rmem_max);
+ 		space = min_t(u32, space, *window_clamp);
+ 		while (space > 65535 && (*rcv_wscale) < 14) {
+ 			space >>= 1;
diff --git a/queue-3.14/tcp-make-challenge-acks-less-predictable.patch b/queue-3.14/tcp-make-challenge-acks-less-predictable.patch
new file mode 100644
index 00000000000..1dbbaefb66e
--- /dev/null
+++ b/queue-3.14/tcp-make-challenge-acks-less-predictable.patch
@@ -0,0 +1,71 @@
+From a0d876bf464ea9abeb3f74aaf6737b6bcfd650c2 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Sun, 10 Jul 2016 10:04:02 +0200
+Subject: [PATCH 1/8] tcp: make challenge acks less predictable
+Status: RO
+Content-Length: 2797
+Lines: 78
+
+[ Upstream commit 75ff39ccc1bd5d3c455b6822ab09e533c551f758 ]
+
+Yue Cao claims that current host rate limiting of challenge ACKS
+(RFC 5961) could leak enough information to allow a patient attacker
+to hijack TCP sessions. He will soon provide details in an academic
+paper.
+
+This patch increases the default limit from 100 to 1000, and adds
+some randomization so that the attacker can no longer hijack
+sessions without spending a considerable amount of probes.
+
+Based on initial analysis and patch from Linus.
+
+Note that we also have per socket rate limiting, so it is tempting
+to remove the host limit in the future.
+
+v2: randomize the count of challenge acks per second, not the period.
+
+Fixes: 282f23c6ee34 ("tcp: implement RFC 5961 3.2")
+Reported-by: Yue Cao <ycao009@ucr.edu>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Yuchung Cheng <ycheng@google.com>
+Cc: Neal Cardwell <ncardwell@google.com>
+Acked-by: Neal Cardwell <ncardwell@google.com>
+Acked-by: Yuchung Cheng <ycheng@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ net/ipv4/tcp_input.c |   12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -87,7 +87,7 @@ int sysctl_tcp_adv_win_scale __read_most
+ EXPORT_SYMBOL(sysctl_tcp_adv_win_scale);
+ 
+ /* rfc5961 challenge ack rate limiting */
+-int sysctl_tcp_challenge_ack_limit = 100;
++int sysctl_tcp_challenge_ack_limit = 1000;
+ 
+ int sysctl_tcp_stdurg __read_mostly;
+ int sysctl_tcp_rfc1337 __read_mostly;
+@@ -3293,12 +3293,18 @@ static void tcp_send_challenge_ack(struc
+ 	static u32 challenge_timestamp;
+ 	static unsigned int challenge_count;
+ 	u32 now = jiffies / HZ;
++	u32 count;
+ 
+ 	if (now != challenge_timestamp) {
++		u32 half = (sysctl_tcp_challenge_ack_limit + 1) >> 1;
++
+ 		challenge_timestamp = now;
+-		challenge_count = 0;
++		challenge_count = half +
++				  prandom_u32_max(sysctl_tcp_challenge_ack_limit);
+ 	}
+-	if (++challenge_count <= sysctl_tcp_challenge_ack_limit) {
++	count = challenge_count;
++	if (count > 0) {
++		challenge_count = count - 1;
+ 		NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_TCPCHALLENGEACK);
+ 		tcp_send_ack(sk);
+ 	}