From: Greg Kroah-Hartman Date: Sun, 25 Jan 2015 17:49:51 +0000 (-0800) Subject: 3.14-stable patches X-Git-Tag: v3.10.66~7 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=833279f73130adebe6b1690d30fa5d841f30c6f8;p=thirdparty%2Fkernel%2Fstable-queue.git 3.14-stable patches added patches: net-fix-creation-adjacent-device-symlinks.patch net-prevent-of-emerging-cross-namespace-symlinks.patch netfilter-ipset-small-potential-read-beyond-the-end-of-buffer.patch
---
diff --git a/queue-3.14/net-fix-creation-adjacent-device-symlinks.patch b/queue-3.14/net-fix-creation-adjacent-device-symlinks.patch
new file mode 100644
index 00000000000..42378e1b8ae
--- /dev/null
+++ b/queue-3.14/net-fix-creation-adjacent-device-symlinks.patch
@@ -0,0 +1,74 @@
+From 7ce64c79c4decdeb1afe0bf2f6ef834b382871d1 Mon Sep 17 00:00:00 2001
+From: "Alexander Y. Fomichev"
+Date: Mon, 15 Sep 2014 14:22:35 +0400
+Subject: net: fix creation adjacent device symlinks
+
+From: "Alexander Y. Fomichev"
+
+commit 7ce64c79c4decdeb1afe0bf2f6ef834b382871d1 upstream.
+
+__netdev_adjacent_dev_insert may add adjust device of different net
+namespace, without proper check it leads to emergence of broken
+sysfs links from/to devices in another namespace.
+Fix: rewrite netdev_adjacent_is_neigh_list macro as a function,
+ move net_eq check into netdev_adjacent_is_neigh_list.
+ (thanks David)
+ related to: 4c75431ac3520631f1d9e74aa88407e6374dbbc4
+
+Signed-off-by: Alexander Fomichev
+Signed-off-by: David S. Miller
+Cc: Miquel van Smoorenburg
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/core/dev.c | 18 +++++++++++-------
+ 1 file changed, 11 insertions(+), 7 deletions(-)
+
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -4705,9 +4705,14 @@ static void netdev_adjacent_sysfs_del(st
+ sysfs_remove_link(&(dev->dev.kobj), linkname);
+ }
+
+-#define netdev_adjacent_is_neigh_list(dev, dev_list) \
+- (dev_list == &dev->adj_list.upper || \
+- dev_list == &dev->adj_list.lower)
++static inline bool netdev_adjacent_is_neigh_list(struct net_device *dev,
++ struct net_device *adj_dev,
++ struct list_head *dev_list)
++{
++ return (dev_list == &dev->adj_list.upper ||
++ dev_list == &dev->adj_list.lower) &&
++ net_eq(dev_net(dev), dev_net(adj_dev));
++}
+
+ static int __netdev_adjacent_dev_insert(struct net_device *dev,
+ struct net_device *adj_dev,
+@@ -4737,7 +4742,7 @@ static int __netdev_adjacent_dev_insert(
+ pr_debug("dev_hold for %s, because of link added from %s to %s\n",
+ adj_dev->name, dev->name, adj_dev->name);
+
+- if (netdev_adjacent_is_neigh_list(dev, dev_list)) {
++ if (netdev_adjacent_is_neigh_list(dev, adj_dev, dev_list)) {
+ ret = netdev_adjacent_sysfs_add(dev, adj_dev, dev_list);
+ if (ret)
+ goto free_adj;
+@@ -4758,7 +4763,7 @@
static int __netdev_adjacent_dev_insert(
+ return 0;
+
+ remove_symlinks:
+- if (netdev_adjacent_is_neigh_list(dev, dev_list))
++ if (netdev_adjacent_is_neigh_list(dev, adj_dev, dev_list))
+ netdev_adjacent_sysfs_del(dev, adj_dev->name, dev_list);
+ free_adj:
+ kfree(adj);
+@@ -4791,8 +4796,7 @@ static void __netdev_adjacent_dev_remove
+ if (adj->master)
+ sysfs_remove_link(&(dev->dev.kobj), "master");
+
+- if (netdev_adjacent_is_neigh_list(dev, dev_list) &&
+- net_eq(dev_net(dev),dev_net(adj_dev)))
++ if (netdev_adjacent_is_neigh_list(dev, adj_dev, dev_list))
+ netdev_adjacent_sysfs_del(dev, adj_dev->name, dev_list);
+
+ list_del_rcu(&adj->list);
diff --git a/queue-3.14/net-prevent-of-emerging-cross-namespace-symlinks.patch b/queue-3.14/net-prevent-of-emerging-cross-namespace-symlinks.patch
new file mode 100644
index 00000000000..facb8c4e123
--- /dev/null
+++ b/queue-3.14/net-prevent-of-emerging-cross-namespace-symlinks.patch
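Review bot: After this change `netdev_adjacent_is_neigh_list()` no longer answers only the question its name asks: it also returns false when `dev` and `adj_dev` sit in different network namespaces, and all three call sites (insert, the `remove_symlinks` unwind, and remove) rely on that to keep sysfs links from crossing a namespace boundary. A comment above the function would stop a later caller from treating it as a pure list test, for example `/* True only for dev's upper/lower neighbour list AND when both devices share a netns; sysfs links must not point across namespaces. */`. Insert and remove evaluate the predicate at different times, so the pairing only holds if links are dropped and recreated around a namespace move, which the companion patch in this queue does in `dev_change_net_namespace()`; that dependency is worth naming in the same comment. The bodies of the insert and remove functions continue outside the nested hunks.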
@@ -0,0 +1,134 @@
+From 4c75431ac3520631f1d9e74aa88407e6374dbbc4 Mon Sep 17 00:00:00 2001
+From: "Alexander Y. Fomichev"
+Date: Mon, 25 Aug 2014 16:26:45 +0400
+Subject: net: prevent of emerging cross-namespace symlinks
+
+From: "Alexander Y. Fomichev"
+
+commit 4c75431ac3520631f1d9e74aa88407e6374dbbc4 upstream.
+
+Code manipulating sysfs symlinks on adjacent net_devices(s)
+currently doesn't take into account that devices potentially
+belong to different namespaces.
+
+This patch trying to fix an issue as follows:
+- check for net_ns before creating / deleting symlink.
+ for now only netdev_adjacent_rename_links and
+ __netdev_adjacent_dev_remove are affected, afaics
+ __netdev_adjacent_dev_insert implies both net_devs
+ belong to the same namespace.
+- Drop all existing symlinks to / from all adj_devs before
+ switching namespace and recreate them just after.
+
+Signed-off-by: Alexander Y. Fomichev
+Signed-off-by: David S. Miller
+Cc: Miquel van Smoorenburg
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/core/dev.c | 61 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 60 insertions(+), 1 deletion(-)
+
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -4791,7 +4791,8 @@ static void __netdev_adjacent_dev_remove
+ if (adj->master)
+ sysfs_remove_link(&(dev->dev.kobj), "master");
+
+- if (netdev_adjacent_is_neigh_list(dev, dev_list))
++ if (netdev_adjacent_is_neigh_list(dev, dev_list) &&
++ net_eq(dev_net(dev),dev_net(adj_dev)))
+ netdev_adjacent_sysfs_del(dev, adj_dev->name, dev_list);
+
+ list_del_rcu(&adj->list);
+@@ -5061,11 +5062,65 @@ void netdev_upper_dev_unlink(struct net_
+ }
+ EXPORT_SYMBOL(netdev_upper_dev_unlink);
+
++void netdev_adjacent_add_links(struct net_device *dev)
++{
++ struct netdev_adjacent *iter;
++
++ struct net *net = dev_net(dev);
++
++ list_for_each_entry(iter, &dev->adj_list.upper, list) {
++ if (!net_eq(net,dev_net(iter->dev)))
++ continue;
++ netdev_adjacent_sysfs_add(iter->dev, dev,
++
&iter->dev->adj_list.lower);
++ netdev_adjacent_sysfs_add(dev, iter->dev,
++ &dev->adj_list.upper);
++ }
++
++ list_for_each_entry(iter, &dev->adj_list.lower, list) {
++ if (!net_eq(net,dev_net(iter->dev)))
++ continue;
++ netdev_adjacent_sysfs_add(iter->dev, dev,
++ &iter->dev->adj_list.upper);
++ netdev_adjacent_sysfs_add(dev, iter->dev,
++ &dev->adj_list.lower);
++ }
++}
++
++void netdev_adjacent_del_links(struct net_device *dev)
++{
++ struct netdev_adjacent *iter;
++
++ struct net *net = dev_net(dev);
++
++ list_for_each_entry(iter, &dev->adj_list.upper, list) {
++ if (!net_eq(net,dev_net(iter->dev)))
++ continue;
++ netdev_adjacent_sysfs_del(iter->dev, dev->name,
++ &iter->dev->adj_list.lower);
++ netdev_adjacent_sysfs_del(dev, iter->dev->name,
++ &dev->adj_list.upper);
++ }
++
++ list_for_each_entry(iter, &dev->adj_list.lower, list) {
++ if (!net_eq(net,dev_net(iter->dev)))
++ continue;
++ netdev_adjacent_sysfs_del(iter->dev, dev->name,
++ &iter->dev->adj_list.upper);
++ netdev_adjacent_sysfs_del(dev, iter->dev->name,
++ &dev->adj_list.lower);
++ }
++}
++
+ void netdev_adjacent_rename_links(struct net_device *dev, char *oldname)
+ {
+ struct netdev_adjacent *iter;
+
++ struct net *net = dev_net(dev);
++
+ list_for_each_entry(iter, &dev->adj_list.upper, list) {
++ if (!net_eq(net,dev_net(iter->dev)))
++ continue;
+ netdev_adjacent_sysfs_del(iter->dev, oldname,
+ &iter->dev->adj_list.lower);
+ netdev_adjacent_sysfs_add(iter->dev, dev,
+@@ -5073,6 +5128,8 @@ void netdev_adjacent_rename_links(struct
+ }
+
+ list_for_each_entry(iter, &dev->adj_list.lower, list) {
++ if (!net_eq(net,dev_net(iter->dev)))
++ continue;
+ netdev_adjacent_sysfs_del(iter->dev, oldname,
+ &iter->dev->adj_list.upper);
+ netdev_adjacent_sysfs_add(iter->dev, dev,
+@@ -6679,6 +6736,7 @@ int dev_change_net_namespace(struct net_
+
+ /* Send a netdev-removed uevent to the old namespace */
+ kobject_uevent(&dev->dev.kobj, KOBJ_REMOVE);
++ netdev_adjacent_del_links(dev);
+
+ /* Actually switch
the network namespace */
+ dev_net_set(dev, net);
+@@ -6693,6 +6751,7 @@ int dev_change_net_namespace(struct net_
+
+ /* Send a netdev-add uevent to the new namespace */
+ kobject_uevent(&dev->dev.kobj, KOBJ_ADD);
++ netdev_adjacent_add_links(dev);
+
+ /* Fixup kobjects */
+ err = device_rename(&dev->dev, dev->name);
diff --git a/queue-3.14/netfilter-ipset-small-potential-read-beyond-the-end-of-buffer.patch b/queue-3.14/netfilter-ipset-small-potential-read-beyond-the-end-of-buffer.patch
new file mode 100644
index 00000000000..452a516c144
--- /dev/null
+++ b/queue-3.14/netfilter-ipset-small-potential-read-beyond-the-end-of-buffer.patch
@@ -0,0 +1,37 @@
+From 2196937e12b1b4ba139806d132647e1651d655df Mon Sep 17 00:00:00 2001
+From: Dan Carpenter
+Date: Mon, 10 Nov 2014 17:11:21 +0100
+Subject: netfilter: ipset: small potential read beyond the end of buffer
+
+From: Dan Carpenter
+
+commit 2196937e12b1b4ba139806d132647e1651d655df upstream.
+
+We could be reading 8 bytes into a 4 byte buffer here. It seems
+harmless but adding a check is the right thing to do and it silences a
+static checker warning.
+
+Signed-off-by: Dan Carpenter
+Acked-by: Jozsef Kadlecsik
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/netfilter/ipset/ip_set_core.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/net/netfilter/ipset/ip_set_core.c
++++ b/net/netfilter/ipset/ip_set_core.c
+@@ -1839,6 +1839,12 @@ ip_set_sockfn_get(struct sock *sk, int o
+ if (*op < IP_SET_OP_VERSION) {
+ /* Check the version at the beginning of operations */
+ struct ip_set_req_version *req_version = data;
++
++ if (*len < sizeof(struct ip_set_req_version)) {
++ ret = -EINVAL;
++ goto done;
++ }
++
+ if (req_version->version != IPSET_PROTOCOL) {
+ ret = -EPROTO;
+ goto done;
diff --git a/queue-3.14/series b/queue-3.14/series
index 833c18f54bf..715cef709ea 100644
--- a/queue-3.14/series
+++ b/queue-3.14/series
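Review bot: `netdev_adjacent_add_links()` discards the return value of every `netdev_adjacent_sysfs_add()` call, so a link that cannot be recreated after the namespace switch is lost without any trace, whereas the insert path in the same file checks that return (`if (ret) goto free_adj;`, visible in the companion patch). Because the helper is `void`, the minimum would be to report the failure, e.g. `if (netdev_adjacent_sysfs_add(dev, iter->dev, &dev->adj_list.upper)) netdev_warn(dev, "failed to restore adjacency link to %s\n", iter->dev->name);`, and likewise for the other three calls. Both new helpers are also defined without `static`, although the diffstat touches only net/core/dev.c and the only visible callers are in that file; unless a header outside this patch declares them, `static void` is the better linkage. `dev_change_net_namespace()` starts and ends outside the nested hunks, so how it could act on a propagated error cannot be judged from here.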
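Review bot: The added length test carries no comment tying it to the read it protects, and the existing comment above it (`/* Check the version at the beginning of operations */`) now describes only the second test in the block. I would add `/* req_version is read from data below; reject requests too short to contain it */` directly above `if (*len < sizeof(struct ip_set_req_version))`. The comparison is carried out in `size_t` because of `sizeof`, so it relies on `*len` not being negative at this point; the declaration of `len` and the code that sized `data` are outside the hunk, so that should be confirmed there. `ip_set_sockfn_get()` begins before and continues after the nested hunk.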
@@ -90,3 +90,6 @@ iser-target-handle-addr_change-event-for-listener-cm_id.patch
 iser-target-fix-implicit-termination-of-connections.patch
 bcache-make-sure-to-pass-gfp_wait-to-mempool_alloc.patch
 kvm-nvmx-disable-unrestricted-mode-if-ept-0.patch
+netfilter-ipset-small-potential-read-beyond-the-end-of-buffer.patch
+net-prevent-of-emerging-cross-namespace-symlinks.patch
+net-fix-creation-adjacent-device-symlinks.patch