From: Greg Kroah-Hartman Date: Thu, 11 May 2017 09:46:28 +0000 (+0200) Subject: 4.9-stable patches X-Git-Tag: v4.4.68~23 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=8dced6ec2c44cf78ab6f6fdb28d1e0b30f9e3534;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: bnxt_en-allocate-enough-space-for-ntp_fltr_bmap.patch bpf-arm64-fix-jit-branch-offset-related-to-ldimm64.patch bpf-don-t-let-ldimm64-leak-map-addresses-on-unprivileged.patch bpf-enhance-verifier-to-understand-stack-pointer-arithmetic.patch ipv4-ipv6-ensure-raw-socket-message-is-big-enough-to-hold-an-ip-header.patch ipv6-initialize-route-null-entry-in-addrconf_init.patch ipv6-reorder-ip6_route_dev_notifier-after-ipv6_dev_notf.patch macsec-dynamically-allocate-space-for-sglist.patch net-adjust-skb-truesize-in-___pskb_trim.patch net-ipv6-do-not-duplicate-dad-on-link-up.patch net-mdio-mux-bcm-iproc-call-mdiobus_free-in-error-path.patch net-usb-qmi_wwan-add-telit-me910-support.patch rtnetlink-nul-terminate-ifla_phys_port_name-string.patch tcp-do-not-inherit-fastopen_req-from-parent.patch tcp-do-not-underestimate-skb-truesize-in-tcp_trim_head.patch tcp-fix-wraparound-issue-in-tcp_lp.patch --- diff --git a/queue-4.9/bnxt_en-allocate-enough-space-for-ntp_fltr_bmap.patch b/queue-4.9/bnxt_en-allocate-enough-space-for-ntp_fltr_bmap.patch new file mode 100644 index 00000000000..842c92d30fd --- /dev/null +++ b/queue-4.9/bnxt_en-allocate-enough-space-for-ntp_fltr_bmap.patch @@ -0,0 +1,34 @@ +From foo@baz Thu May 11 11:08:24 CEST 2017 +From: Dan Carpenter +Date: Sat, 6 May 2017 03:49:01 +0300 +Subject: bnxt_en: allocate enough space for ->ntp_fltr_bmap + +From: Dan Carpenter + + +[ Upstream commit ac45bd93a5035c2f39c9862b8b6ed692db0fdc87 ] + +We have the number of longs, but we need to calculate the number of +bytes required. + +Fixes: c0c050c58d84 ("bnxt_en: New Broadcom ethernet driver.") +Signed-off-by: Dan Carpenter +Acked-by: Michael Chan +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/broadcom/bnxt/bnxt.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +@@ -2867,7 +2867,8 @@ static int bnxt_alloc_ntp_fltrs(struct b + INIT_HLIST_HEAD(&bp->ntp_fltr_hash_tbl[i]); + + bp->ntp_fltr_count = 0; +- bp->ntp_fltr_bmap = kzalloc(BITS_TO_LONGS(BNXT_NTP_FLTR_MAX_FLTR), ++ bp->ntp_fltr_bmap = kcalloc(BITS_TO_LONGS(BNXT_NTP_FLTR_MAX_FLTR), ++ sizeof(long), + GFP_KERNEL); + + if (!bp->ntp_fltr_bmap) diff --git a/queue-4.9/bpf-arm64-fix-jit-branch-offset-related-to-ldimm64.patch b/queue-4.9/bpf-arm64-fix-jit-branch-offset-related-to-ldimm64.patch new file mode 100644 index 00000000000..09936979f86 --- /dev/null +++ b/queue-4.9/bpf-arm64-fix-jit-branch-offset-related-to-ldimm64.patch @@ -0,0 +1,144 @@ +From foo@baz Thu May 11 11:08:24 CEST 2017 +From: Daniel Borkmann +Date: Tue, 2 May 2017 20:34:54 +0200 +Subject: bpf, arm64: fix jit branch offset related to ldimm64 + +From: Daniel Borkmann + + +[ Upstream commit ddc665a4bb4b728b4e6ecec8db1b64efa9184b9c ] + +When the instruction right before the branch destination is +a 64 bit load immediate, we currently calculate the wrong +jump offset in the ctx->offset[] array as we only account +one instruction slot for the 64 bit load immediate although +it uses two BPF instructions. Fix it up by setting the offset +into the right slot after we incremented the index. + +Before (ldimm64 test 1): + + [...] + 00000020: 52800007 mov w7, #0x0 // #0 + 00000024: d2800060 mov x0, #0x3 // #3 + 00000028: d2800041 mov x1, #0x2 // #2 + 0000002c: eb01001f cmp x0, x1 + 00000030: 54ffff82 b.cs 0x00000020 + 00000034: d29fffe7 mov x7, #0xffff // #65535 + 00000038: f2bfffe7 movk x7, #0xffff, lsl #16 + 0000003c: f2dfffe7 movk x7, #0xffff, lsl #32 + 00000040: f2ffffe7 movk x7, #0xffff, lsl #48 + 00000044: d29dddc7 mov x7, #0xeeee // #61166 + 00000048: f2bdddc7 movk x7, #0xeeee, lsl #16 + 0000004c: f2ddddc7 movk x7, #0xeeee, lsl #32 + 00000050: f2fdddc7 movk x7, #0xeeee, lsl #48 + [...] + +After (ldimm64 test 1): + + [...] + 00000020: 52800007 mov w7, #0x0 // #0 + 00000024: d2800060 mov x0, #0x3 // #3 + 00000028: d2800041 mov x1, #0x2 // #2 + 0000002c: eb01001f cmp x0, x1 + 00000030: 540000a2 b.cs 0x00000044 + 00000034: d29fffe7 mov x7, #0xffff // #65535 + 00000038: f2bfffe7 movk x7, #0xffff, lsl #16 + 0000003c: f2dfffe7 movk x7, #0xffff, lsl #32 + 00000040: f2ffffe7 movk x7, #0xffff, lsl #48 + 00000044: d29dddc7 mov x7, #0xeeee // #61166 + 00000048: f2bdddc7 movk x7, #0xeeee, lsl #16 + 0000004c: f2ddddc7 movk x7, #0xeeee, lsl #32 + 00000050: f2fdddc7 movk x7, #0xeeee, lsl #48 + [...] + +Also, add a couple of test cases to make sure JITs pass +this test. Tested on Cavium ThunderX ARMv8. The added +test cases all pass after the fix. + +Fixes: 8eee539ddea0 ("arm64: bpf: fix out-of-bounds read in bpf2a64_offset()") +Reported-by: David S. Miller +Signed-off-by: Daniel Borkmann +Acked-by: Alexei Starovoitov +Cc: Xi Wang +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/net/bpf_jit_comp.c | 8 +++---- + lib/test_bpf.c | 45 ++++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 49 insertions(+), 4 deletions(-) + +--- a/arch/arm64/net/bpf_jit_comp.c ++++ b/arch/arm64/net/bpf_jit_comp.c +@@ -779,14 +779,14 @@ static int build_body(struct jit_ctx *ct + int ret; + + ret = build_insn(insn, ctx); +- +- if (ctx->image == NULL) +- ctx->offset[i] = ctx->idx; +- + if (ret > 0) { + i++; ++ if (ctx->image == NULL) ++ ctx->offset[i] = ctx->idx; + continue; + } ++ if (ctx->image == NULL) ++ ctx->offset[i] = ctx->idx; + if (ret) + return ret; + } +--- a/lib/test_bpf.c ++++ b/lib/test_bpf.c +@@ -4656,6 +4656,51 @@ static struct bpf_test tests[] = { + { }, + { { 0, 1 } }, + }, ++ { ++ /* Mainly testing JIT + imm64 here. */ ++ "JMP_JGE_X: ldimm64 test 1", ++ .u.insns_int = { ++ BPF_ALU32_IMM(BPF_MOV, R0, 0), ++ BPF_LD_IMM64(R1, 3), ++ BPF_LD_IMM64(R2, 2), ++ BPF_JMP_REG(BPF_JGE, R1, R2, 2), ++ BPF_LD_IMM64(R0, 0xffffffffffffffffUL), ++ BPF_LD_IMM64(R0, 0xeeeeeeeeeeeeeeeeUL), ++ BPF_EXIT_INSN(), ++ }, ++ INTERNAL, ++ { }, ++ { { 0, 0xeeeeeeeeU } }, ++ }, ++ { ++ "JMP_JGE_X: ldimm64 test 2", ++ .u.insns_int = { ++ BPF_ALU32_IMM(BPF_MOV, R0, 0), ++ BPF_LD_IMM64(R1, 3), ++ BPF_LD_IMM64(R2, 2), ++ BPF_JMP_REG(BPF_JGE, R1, R2, 0), ++ BPF_LD_IMM64(R0, 0xffffffffffffffffUL), ++ BPF_EXIT_INSN(), ++ }, ++ INTERNAL, ++ { }, ++ { { 0, 0xffffffffU } }, ++ }, ++ { ++ "JMP_JGE_X: ldimm64 test 3", ++ .u.insns_int = { ++ BPF_ALU32_IMM(BPF_MOV, R0, 1), ++ BPF_LD_IMM64(R1, 3), ++ BPF_LD_IMM64(R2, 2), ++ BPF_JMP_REG(BPF_JGE, R1, R2, 4), ++ BPF_LD_IMM64(R0, 0xffffffffffffffffUL), ++ BPF_LD_IMM64(R0, 0xeeeeeeeeeeeeeeeeUL), ++ BPF_EXIT_INSN(), ++ }, ++ INTERNAL, ++ { }, ++ { { 0, 1 } }, ++ }, + /* BPF_JMP | BPF_JNE | BPF_X */ + { + "JMP_JNE_X: if (3 != 2) return 1", diff --git a/queue-4.9/bpf-don-t-let-ldimm64-leak-map-addresses-on-unprivileged.patch b/queue-4.9/bpf-don-t-let-ldimm64-leak-map-addresses-on-unprivileged.patch new file mode 100644 index 00000000000..8cf280c10fc --- /dev/null +++ b/queue-4.9/bpf-don-t-let-ldimm64-leak-map-addresses-on-unprivileged.patch @@ -0,0 +1,79 @@ +From foo@baz Thu May 11 11:08:24 CEST 2017 +From: Daniel Borkmann +Date: Mon, 8 May 2017 00:04:09 +0200 +Subject: bpf: don't let ldimm64 leak map addresses on unprivileged + +From: Daniel Borkmann + + +[ Upstream commit 0d0e57697f162da4aa218b5feafe614fb666db07 ] + +The patch fixes two things at once: + +1) It checks the env->allow_ptr_leaks and only prints the map address to + the log if we have the privileges to do so, otherwise it just dumps 0 + as we would when kptr_restrict is enabled on %pK. Given the latter is + off by default and not every distro sets it, I don't want to rely on + this, hence the 0 by default for unprivileged. + +2) Printing of ldimm64 in the verifier log is currently broken in that + we don't print the full immediate, but only the 32 bit part of the + first insn part for ldimm64. Thus, fix this up as well; it's okay to + access, since we verified all ldimm64 earlier already (including just + constants) through replace_map_fd_with_map_ptr(). + +Fixes: 1be7f75d1668 ("bpf: enable non-root eBPF programs") +Fixes: cbd357008604 ("bpf: verifier (add ability to receive verification log)") +Reported-by: Jann Horn +Signed-off-by: Daniel Borkmann +Acked-by: Alexei Starovoitov +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + kernel/bpf/verifier.c | 21 ++++++++++++++++----- + 1 file changed, 16 insertions(+), 5 deletions(-) + +--- a/kernel/bpf/verifier.c ++++ b/kernel/bpf/verifier.c +@@ -279,7 +279,8 @@ static const char *const bpf_jmp_string[ + [BPF_EXIT >> 4] = "exit", + }; + +-static void print_bpf_insn(struct bpf_insn *insn) ++static void print_bpf_insn(const struct bpf_verifier_env *env, ++ const struct bpf_insn *insn) + { + u8 class = BPF_CLASS(insn->code); + +@@ -343,9 +344,19 @@ static void print_bpf_insn(struct bpf_in + insn->code, + bpf_ldst_string[BPF_SIZE(insn->code) >> 3], + insn->src_reg, insn->imm); +- } else if (BPF_MODE(insn->code) == BPF_IMM) { +- verbose("(%02x) r%d = 0x%x\n", +- insn->code, insn->dst_reg, insn->imm); ++ } else if (BPF_MODE(insn->code) == BPF_IMM && ++ BPF_SIZE(insn->code) == BPF_DW) { ++ /* At this point, we already made sure that the second ++ * part of the ldimm64 insn is accessible. ++ */ ++ u64 imm = ((u64)(insn + 1)->imm << 32) | (u32)insn->imm; ++ bool map_ptr = insn->src_reg == BPF_PSEUDO_MAP_FD; ++ ++ if (map_ptr && !env->allow_ptr_leaks) ++ imm = 0; ++ ++ verbose("(%02x) r%d = 0x%llx\n", insn->code, ++ insn->dst_reg, (unsigned long long)imm); + } else { + verbose("BUG_ld_%02x\n", insn->code); + return; +@@ -2674,7 +2685,7 @@ static int do_check(struct bpf_verifier_ + + if (log_level) { + verbose("%d: ", insn_idx); +- print_bpf_insn(insn); ++ print_bpf_insn(env, insn); + } + + err = ext_analyzer_insn_hook(env, insn_idx, prev_insn_idx); diff --git a/queue-4.9/bpf-enhance-verifier-to-understand-stack-pointer-arithmetic.patch b/queue-4.9/bpf-enhance-verifier-to-understand-stack-pointer-arithmetic.patch new file mode 100644 index 00000000000..e66e1fda93d --- /dev/null +++ b/queue-4.9/bpf-enhance-verifier-to-understand-stack-pointer-arithmetic.patch @@ -0,0 +1,91 @@ +From foo@baz Thu May 11 11:08:24 CEST 2017 +From: Yonghong Song +Date: Sat, 29 Apr 2017 22:52:42 -0700 +Subject: bpf: enhance verifier to understand stack pointer arithmetic + +From: Yonghong Song + + +[ Upstream commit 332270fdc8b6fba07d059a9ad44df9e1a2ad4529 ] + +llvm 4.0 and above generates the code like below: +.... +440: (b7) r1 = 15 +441: (05) goto pc+73 +515: (79) r6 = *(u64 *)(r10 -152) +516: (bf) r7 = r10 +517: (07) r7 += -112 +518: (bf) r2 = r7 +519: (0f) r2 += r1 +520: (71) r1 = *(u8 *)(r8 +0) +521: (73) *(u8 *)(r2 +45) = r1 +.... +and the verifier complains "R2 invalid mem access 'inv'" for insn #521. +This is because verifier marks register r2 as unknown value after #519 +where r2 is a stack pointer and r1 holds a constant value. + +Teach verifier to recognize "stack_ptr + imm" and +"stack_ptr + reg with const val" as valid stack_ptr with new offset. + +Signed-off-by: Yonghong Song +Acked-by: Martin KaFai Lau +Acked-by: Daniel Borkmann +Signed-off-by: Alexei Starovoitov +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + kernel/bpf/verifier.c | 11 +++++++++++ + samples/bpf/test_verifier.c | 18 ++++++++++++------ + 2 files changed, 23 insertions(+), 6 deletions(-) + +--- a/kernel/bpf/verifier.c ++++ b/kernel/bpf/verifier.c +@@ -1749,6 +1749,17 @@ static int check_alu_op(struct bpf_verif + return 0; + } else if (opcode == BPF_ADD && + BPF_CLASS(insn->code) == BPF_ALU64 && ++ dst_reg->type == PTR_TO_STACK && ++ ((BPF_SRC(insn->code) == BPF_X && ++ regs[insn->src_reg].type == CONST_IMM) || ++ BPF_SRC(insn->code) == BPF_K)) { ++ if (BPF_SRC(insn->code) == BPF_X) ++ dst_reg->imm += regs[insn->src_reg].imm; ++ else ++ dst_reg->imm += insn->imm; ++ return 0; ++ } else if (opcode == BPF_ADD && ++ BPF_CLASS(insn->code) == BPF_ALU64 && + (dst_reg->type == PTR_TO_PACKET || + (BPF_SRC(insn->code) == BPF_X && + regs[insn->src_reg].type == PTR_TO_PACKET))) { +--- a/samples/bpf/test_verifier.c ++++ b/samples/bpf/test_verifier.c +@@ -1218,16 +1218,22 @@ static struct bpf_test tests[] = { + .result = ACCEPT, + }, + { +- "unpriv: obfuscate stack pointer", ++ "stack pointer arithmetic", + .insns = { +- BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), +- BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), +- BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), ++ BPF_MOV64_IMM(BPF_REG_1, 4), ++ BPF_JMP_IMM(BPF_JA, 0, 0, 0), ++ BPF_MOV64_REG(BPF_REG_7, BPF_REG_10), ++ BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, -10), ++ BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, -10), ++ BPF_MOV64_REG(BPF_REG_2, BPF_REG_7), ++ BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_1), ++ BPF_ST_MEM(0, BPF_REG_2, 4, 0), ++ BPF_MOV64_REG(BPF_REG_2, BPF_REG_7), ++ BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8), ++ BPF_ST_MEM(0, BPF_REG_2, 4, 0), + BPF_MOV64_IMM(BPF_REG_0, 0), + BPF_EXIT_INSN(), + }, +- .errstr_unpriv = "R2 pointer arithmetic", +- .result_unpriv = REJECT, + .result = ACCEPT, + }, + { diff --git a/queue-4.9/ipv4-ipv6-ensure-raw-socket-message-is-big-enough-to-hold-an-ip-header.patch b/queue-4.9/ipv4-ipv6-ensure-raw-socket-message-is-big-enough-to-hold-an-ip-header.patch new file mode 100644 index 00000000000..c097fe11852 --- /dev/null +++ b/queue-4.9/ipv4-ipv6-ensure-raw-socket-message-is-big-enough-to-hold-an-ip-header.patch @@ -0,0 +1,112 @@ +From foo@baz Thu May 11 11:08:24 CEST 2017 +From: Alexander Potapenko +Date: Wed, 3 May 2017 17:06:58 +0200 +Subject: ipv4, ipv6: ensure raw socket message is big enough to hold an IP header + +From: Alexander Potapenko + + +[ Upstream commit 86f4c90a1c5c1493f07f2d12c1079f5bf01936f2 ] + +raw_send_hdrinc() and rawv6_send_hdrinc() expect that the buffer copied +from the userspace contains the IPv4/IPv6 header, so if too few bytes are +copied, parts of the header may remain uninitialized. + +This bug has been detected with KMSAN. + +For the record, the KMSAN report: + +================================================================== +BUG: KMSAN: use of unitialized memory in nf_ct_frag6_gather+0xf5a/0x44a0 +inter: 0 +CPU: 0 PID: 1036 Comm: probe Not tainted 4.11.0-rc5+ #2455 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:16 + dump_stack+0x143/0x1b0 lib/dump_stack.c:52 + kmsan_report+0x16b/0x1e0 mm/kmsan/kmsan.c:1078 + __kmsan_warning_32+0x5c/0xa0 mm/kmsan/kmsan_instr.c:510 + nf_ct_frag6_gather+0xf5a/0x44a0 net/ipv6/netfilter/nf_conntrack_reasm.c:577 + ipv6_defrag+0x1d9/0x280 net/ipv6/netfilter/nf_defrag_ipv6_hooks.c:68 + nf_hook_entry_hookfn ./include/linux/netfilter.h:102 + nf_hook_slow+0x13f/0x3c0 net/netfilter/core.c:310 + nf_hook ./include/linux/netfilter.h:212 + NF_HOOK ./include/linux/netfilter.h:255 + rawv6_send_hdrinc net/ipv6/raw.c:673 + rawv6_sendmsg+0x2fcb/0x41a0 net/ipv6/raw.c:919 + inet_sendmsg+0x3f8/0x6d0 net/ipv4/af_inet.c:762 + sock_sendmsg_nosec net/socket.c:633 + sock_sendmsg net/socket.c:643 + SYSC_sendto+0x6a5/0x7c0 net/socket.c:1696 + SyS_sendto+0xbc/0xe0 net/socket.c:1664 + do_syscall_64+0x72/0xa0 arch/x86/entry/common.c:285 + entry_SYSCALL64_slow_path+0x25/0x25 arch/x86/entry/entry_64.S:246 +RIP: 0033:0x436e03 +RSP: 002b:00007ffce48baf38 EFLAGS: 00000246 ORIG_RAX: 000000000000002c +RAX: ffffffffffffffda RBX: 00000000004002b0 RCX: 0000000000436e03 +RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003 +RBP: 00007ffce48baf90 R08: 00007ffce48baf50 R09: 000000000000001c +R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 +R13: 0000000000401790 R14: 0000000000401820 R15: 0000000000000000 +origin: 00000000d9400053 + save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59 + kmsan_save_stack_with_flags mm/kmsan/kmsan.c:362 + kmsan_internal_poison_shadow+0xb1/0x1a0 mm/kmsan/kmsan.c:257 + kmsan_poison_shadow+0x6d/0xc0 mm/kmsan/kmsan.c:270 + slab_alloc_node mm/slub.c:2735 + __kmalloc_node_track_caller+0x1f4/0x390 mm/slub.c:4341 + __kmalloc_reserve net/core/skbuff.c:138 + __alloc_skb+0x2cd/0x740 net/core/skbuff.c:231 + alloc_skb ./include/linux/skbuff.h:933 + alloc_skb_with_frags+0x209/0xbc0 net/core/skbuff.c:4678 + sock_alloc_send_pskb+0x9ff/0xe00 net/core/sock.c:1903 + sock_alloc_send_skb+0xe4/0x100 net/core/sock.c:1920 + rawv6_send_hdrinc net/ipv6/raw.c:638 + rawv6_sendmsg+0x2918/0x41a0 net/ipv6/raw.c:919 + inet_sendmsg+0x3f8/0x6d0 net/ipv4/af_inet.c:762 + sock_sendmsg_nosec net/socket.c:633 + sock_sendmsg net/socket.c:643 + SYSC_sendto+0x6a5/0x7c0 net/socket.c:1696 + SyS_sendto+0xbc/0xe0 net/socket.c:1664 + do_syscall_64+0x72/0xa0 arch/x86/entry/common.c:285 + return_from_SYSCALL_64+0x0/0x6a arch/x86/entry/entry_64.S:246 +================================================================== + +, triggered by the following syscalls: + socket(PF_INET6, SOCK_RAW, IPPROTO_RAW) = 3 + sendto(3, NULL, 0, 0, {sa_family=AF_INET6, sin6_port=htons(0), inet_pton(AF_INET6, "ff00::", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, 28) = -1 EPERM + +A similar report is triggered in net/ipv4/raw.c if we use a PF_INET socket +instead of a PF_INET6 one. + +Signed-off-by: Alexander Potapenko +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/raw.c | 3 +++ + net/ipv6/raw.c | 2 ++ + 2 files changed, 5 insertions(+) + +--- a/net/ipv4/raw.c ++++ b/net/ipv4/raw.c +@@ -356,6 +356,9 @@ static int raw_send_hdrinc(struct sock * + rt->dst.dev->mtu); + return -EMSGSIZE; + } ++ if (length < sizeof(struct iphdr)) ++ return -EINVAL; ++ + if (flags&MSG_PROBE) + goto out; + +--- a/net/ipv6/raw.c ++++ b/net/ipv6/raw.c +@@ -630,6 +630,8 @@ static int rawv6_send_hdrinc(struct sock + ipv6_local_error(sk, EMSGSIZE, fl6, rt->dst.dev->mtu); + return -EMSGSIZE; + } ++ if (length < sizeof(struct ipv6hdr)) ++ return -EINVAL; + if (flags&MSG_PROBE) + goto out; + diff --git a/queue-4.9/ipv6-initialize-route-null-entry-in-addrconf_init.patch b/queue-4.9/ipv6-initialize-route-null-entry-in-addrconf_init.patch new file mode 100644 index 00000000000..d901da3214d --- /dev/null +++ b/queue-4.9/ipv6-initialize-route-null-entry-in-addrconf_init.patch @@ -0,0 +1,97 @@ +From foo@baz Thu May 11 11:08:24 CEST 2017 +From: WANG Cong +Date: Wed, 3 May 2017 22:07:31 -0700 +Subject: ipv6: initialize route null entry in addrconf_init() + +From: WANG Cong + + +[ Upstream commit 2f460933f58eee3393aba64f0f6d14acb08d1724 ] + +Andrey reported a crash on init_net.ipv6.ip6_null_entry->rt6i_idev +since it is always NULL. + +This is clearly wrong, we have code to initialize it to loopback_dev, +unfortunately the order is still not correct. + +loopback_dev is registered very early during boot, we lose a chance +to re-initialize it in notifier. addrconf_init() is called after +ip6_route_init(), which means we have no chance to correct it. + +Fix it by moving this initialization explicitly after +ipv6_add_dev(init_net.loopback_dev) in addrconf_init(). + +Reported-by: Andrey Konovalov +Signed-off-by: Cong Wang +Tested-by: Andrey Konovalov +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/net/ip6_route.h | 1 + + net/ipv6/addrconf.c | 2 ++ + net/ipv6/route.c | 26 +++++++++++++++----------- + 3 files changed, 18 insertions(+), 11 deletions(-) + +--- a/include/net/ip6_route.h ++++ b/include/net/ip6_route.h +@@ -84,6 +84,7 @@ struct dst_entry *ip6_route_lookup(struc + struct rt6_info *ip6_pol_route(struct net *net, struct fib6_table *table, + int ifindex, struct flowi6 *fl6, int flags); + ++void ip6_route_init_special_entries(void); + int ip6_route_init(void); + void ip6_route_cleanup(void); + +--- a/net/ipv6/addrconf.c ++++ b/net/ipv6/addrconf.c +@@ -6264,6 +6264,8 @@ int __init addrconf_init(void) + goto errlo; + } + ++ ip6_route_init_special_entries(); ++ + for (i = 0; i < IN6_ADDR_HSIZE; i++) + INIT_HLIST_HEAD(&inet6_addr_lst[i]); + +--- a/net/ipv6/route.c ++++ b/net/ipv6/route.c +@@ -3798,6 +3798,21 @@ static struct notifier_block ip6_route_d + .priority = 0, + }; + ++void __init ip6_route_init_special_entries(void) ++{ ++ /* Registering of the loopback is done before this portion of code, ++ * the loopback reference in rt6_info will not be taken, do it ++ * manually for init_net */ ++ init_net.ipv6.ip6_null_entry->dst.dev = init_net.loopback_dev; ++ init_net.ipv6.ip6_null_entry->rt6i_idev = in6_dev_get(init_net.loopback_dev); ++ #ifdef CONFIG_IPV6_MULTIPLE_TABLES ++ init_net.ipv6.ip6_prohibit_entry->dst.dev = init_net.loopback_dev; ++ init_net.ipv6.ip6_prohibit_entry->rt6i_idev = in6_dev_get(init_net.loopback_dev); ++ init_net.ipv6.ip6_blk_hole_entry->dst.dev = init_net.loopback_dev; ++ init_net.ipv6.ip6_blk_hole_entry->rt6i_idev = in6_dev_get(init_net.loopback_dev); ++ #endif ++} ++ + int __init ip6_route_init(void) + { + int ret; +@@ -3824,17 +3839,6 @@ int __init ip6_route_init(void) + + ip6_dst_blackhole_ops.kmem_cachep = ip6_dst_ops_template.kmem_cachep; + +- /* Registering of the loopback is done before this portion of code, +- * the loopback reference in rt6_info will not be taken, do it +- * manually for init_net */ +- init_net.ipv6.ip6_null_entry->dst.dev = init_net.loopback_dev; +- init_net.ipv6.ip6_null_entry->rt6i_idev = in6_dev_get(init_net.loopback_dev); +- #ifdef CONFIG_IPV6_MULTIPLE_TABLES +- init_net.ipv6.ip6_prohibit_entry->dst.dev = init_net.loopback_dev; +- init_net.ipv6.ip6_prohibit_entry->rt6i_idev = in6_dev_get(init_net.loopback_dev); +- init_net.ipv6.ip6_blk_hole_entry->dst.dev = init_net.loopback_dev; +- init_net.ipv6.ip6_blk_hole_entry->rt6i_idev = in6_dev_get(init_net.loopback_dev); +- #endif + ret = fib6_init(); + if (ret) + goto out_register_subsys; diff --git a/queue-4.9/ipv6-reorder-ip6_route_dev_notifier-after-ipv6_dev_notf.patch b/queue-4.9/ipv6-reorder-ip6_route_dev_notifier-after-ipv6_dev_notf.patch new file mode 100644 index 00000000000..a7d6a74c367 --- /dev/null +++ b/queue-4.9/ipv6-reorder-ip6_route_dev_notifier-after-ipv6_dev_notf.patch @@ -0,0 +1,101 @@ +From foo@baz Thu May 11 11:08:24 CEST 2017 +From: WANG Cong +Date: Mon, 8 May 2017 10:12:13 -0700 +Subject: ipv6: reorder ip6_route_dev_notifier after ipv6_dev_notf + +From: WANG Cong + + +[ Upstream commit 242d3a49a2a1a71d8eb9f953db1bcaa9d698ce00 ] + +For each netns (except init_net), we initialize its null entry +in 3 places: + +1) The template itself, as we use kmemdup() +2) Code around dst_init_metrics() in ip6_route_net_init() +3) ip6_route_dev_notify(), which is supposed to initialize it after + loopback registers + +Unfortunately the last one still happens in a wrong order because +we expect to initialize net->ipv6.ip6_null_entry->rt6i_idev to +net->loopback_dev's idev, thus we have to do that after we add +idev to loopback. However, this notifier has priority == 0 same as +ipv6_dev_notf, and ipv6_dev_notf is registered after +ip6_route_dev_notifier so it is called actually after +ip6_route_dev_notifier. This is similar to commit 2f460933f58e +("ipv6: initialize route null entry in addrconf_init()") which +fixes init_net. + +Fix it by picking a smaller priority for ip6_route_dev_notifier. +Also, we have to release the refcnt accordingly when unregistering +loopback_dev because device exit functions are called before subsys +exit functions. + +Acked-by: David Ahern +Tested-by: David Ahern +Signed-off-by: Cong Wang +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/net/addrconf.h | 2 ++ + net/ipv6/addrconf.c | 1 + + net/ipv6/route.c | 13 +++++++++++-- + 3 files changed, 14 insertions(+), 2 deletions(-) + +--- a/include/net/addrconf.h ++++ b/include/net/addrconf.h +@@ -20,6 +20,8 @@ + #define ADDRCONF_TIMER_FUZZ (HZ / 4) + #define ADDRCONF_TIMER_FUZZ_MAX (HZ) + ++#define ADDRCONF_NOTIFY_PRIORITY 0 ++ + #include + #include + +--- a/net/ipv6/addrconf.c ++++ b/net/ipv6/addrconf.c +@@ -3492,6 +3492,7 @@ static int addrconf_notify(struct notifi + */ + static struct notifier_block ipv6_dev_notf = { + .notifier_call = addrconf_notify, ++ .priority = ADDRCONF_NOTIFY_PRIORITY, + }; + + static void addrconf_type_change(struct net_device *dev, unsigned long event) +--- a/net/ipv6/route.c ++++ b/net/ipv6/route.c +@@ -3480,7 +3480,10 @@ static int ip6_route_dev_notify(struct n + struct net_device *dev = netdev_notifier_info_to_dev(ptr); + struct net *net = dev_net(dev); + +- if (event == NETDEV_REGISTER && (dev->flags & IFF_LOOPBACK)) { ++ if (!(dev->flags & IFF_LOOPBACK)) ++ return NOTIFY_OK; ++ ++ if (event == NETDEV_REGISTER) { + net->ipv6.ip6_null_entry->dst.dev = dev; + net->ipv6.ip6_null_entry->rt6i_idev = in6_dev_get(dev); + #ifdef CONFIG_IPV6_MULTIPLE_TABLES +@@ -3489,6 +3492,12 @@ static int ip6_route_dev_notify(struct n + net->ipv6.ip6_blk_hole_entry->dst.dev = dev; + net->ipv6.ip6_blk_hole_entry->rt6i_idev = in6_dev_get(dev); + #endif ++ } else if (event == NETDEV_UNREGISTER) { ++ in6_dev_put(net->ipv6.ip6_null_entry->rt6i_idev); ++#ifdef CONFIG_IPV6_MULTIPLE_TABLES ++ in6_dev_put(net->ipv6.ip6_prohibit_entry->rt6i_idev); ++ in6_dev_put(net->ipv6.ip6_blk_hole_entry->rt6i_idev); ++#endif + } + + return NOTIFY_OK; +@@ -3795,7 +3804,7 @@ static struct pernet_operations ip6_rout + + static struct notifier_block ip6_route_dev_notifier = { + .notifier_call = ip6_route_dev_notify, +- .priority = 0, ++ .priority = ADDRCONF_NOTIFY_PRIORITY - 10, + }; + + void __init ip6_route_init_special_entries(void) diff --git a/queue-4.9/macsec-dynamically-allocate-space-for-sglist.patch b/queue-4.9/macsec-dynamically-allocate-space-for-sglist.patch new file mode 100644 index 00000000000..db2f5919b7d --- /dev/null +++ b/queue-4.9/macsec-dynamically-allocate-space-for-sglist.patch @@ -0,0 +1,118 @@ +From foo@baz Thu May 11 11:08:24 CEST 2017 +From: "Jason A. Donenfeld" +Date: Tue, 25 Apr 2017 19:08:18 +0200 +Subject: macsec: dynamically allocate space for sglist + +From: "Jason A. Donenfeld" + + +[ Upstream commit 5294b83086cc1c35b4efeca03644cf9d12282e5b ] + +We call skb_cow_data, which is good anyway to ensure we can actually +modify the skb as such (another error from prior). Now that we have the +number of fragments required, we can safely allocate exactly that amount +of memory. + +Fixes: c09440f7dcb3 ("macsec: introduce IEEE 802.1AE driver") +Signed-off-by: Jason A. Donenfeld +Acked-by: Sabrina Dubroca +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/macsec.c | 29 ++++++++++++++++++++++------- + 1 file changed, 22 insertions(+), 7 deletions(-) + +--- a/drivers/net/macsec.c ++++ b/drivers/net/macsec.c +@@ -617,7 +617,8 @@ static void macsec_encrypt_done(struct c + + static struct aead_request *macsec_alloc_req(struct crypto_aead *tfm, + unsigned char **iv, +- struct scatterlist **sg) ++ struct scatterlist **sg, ++ int num_frags) + { + size_t size, iv_offset, sg_offset; + struct aead_request *req; +@@ -629,7 +630,7 @@ static struct aead_request *macsec_alloc + + size = ALIGN(size, __alignof__(struct scatterlist)); + sg_offset = size; +- size += sizeof(struct scatterlist) * (MAX_SKB_FRAGS + 1); ++ size += sizeof(struct scatterlist) * num_frags; + + tmp = kmalloc(size, GFP_ATOMIC); + if (!tmp) +@@ -649,6 +650,7 @@ static struct sk_buff *macsec_encrypt(st + { + int ret; + struct scatterlist *sg; ++ struct sk_buff *trailer; + unsigned char *iv; + struct ethhdr *eth; + struct macsec_eth_header *hh; +@@ -723,7 +725,14 @@ static struct sk_buff *macsec_encrypt(st + return ERR_PTR(-EINVAL); + } + +- req = macsec_alloc_req(tx_sa->key.tfm, &iv, &sg); ++ ret = skb_cow_data(skb, 0, &trailer); ++ if (unlikely(ret < 0)) { ++ macsec_txsa_put(tx_sa); ++ kfree_skb(skb); ++ return ERR_PTR(ret); ++ } ++ ++ req = macsec_alloc_req(tx_sa->key.tfm, &iv, &sg, ret); + if (!req) { + macsec_txsa_put(tx_sa); + kfree_skb(skb); +@@ -732,7 +741,7 @@ static struct sk_buff *macsec_encrypt(st + + macsec_fill_iv(iv, secy->sci, pn); + +- sg_init_table(sg, MAX_SKB_FRAGS + 1); ++ sg_init_table(sg, ret); + skb_to_sgvec(skb, sg, 0, skb->len); + + if (tx_sc->encrypt) { +@@ -914,6 +923,7 @@ static struct sk_buff *macsec_decrypt(st + { + int ret; + struct scatterlist *sg; ++ struct sk_buff *trailer; + unsigned char *iv; + struct aead_request *req; + struct macsec_eth_header *hdr; +@@ -924,7 +934,12 @@ static struct sk_buff *macsec_decrypt(st + if (!skb) + return ERR_PTR(-ENOMEM); + +- req = macsec_alloc_req(rx_sa->key.tfm, &iv, &sg); ++ ret = skb_cow_data(skb, 0, &trailer); ++ if (unlikely(ret < 0)) { ++ kfree_skb(skb); ++ return ERR_PTR(ret); ++ } ++ req = macsec_alloc_req(rx_sa->key.tfm, &iv, &sg, ret); + if (!req) { + kfree_skb(skb); + return ERR_PTR(-ENOMEM); +@@ -933,7 +948,7 @@ static struct sk_buff *macsec_decrypt(st + hdr = (struct macsec_eth_header *)skb->data; + macsec_fill_iv(iv, sci, ntohl(hdr->packet_number)); + +- sg_init_table(sg, MAX_SKB_FRAGS + 1); ++ sg_init_table(sg, ret); + skb_to_sgvec(skb, sg, 0, skb->len); + + if (hdr->tci_an & MACSEC_TCI_E) { +@@ -2709,7 +2724,7 @@ static netdev_tx_t macsec_start_xmit(str + } + + #define MACSEC_FEATURES \ +- (NETIF_F_SG | NETIF_F_HIGHDMA) ++ (NETIF_F_SG | NETIF_F_HIGHDMA | NETIF_F_FRAGLIST) + static struct lock_class_key macsec_netdev_addr_lock_key; + + static int macsec_dev_init(struct net_device *dev) diff --git a/queue-4.9/net-adjust-skb-truesize-in-___pskb_trim.patch b/queue-4.9/net-adjust-skb-truesize-in-___pskb_trim.patch new file mode 100644 index 00000000000..ca7b08ce580 --- /dev/null +++ b/queue-4.9/net-adjust-skb-truesize-in-___pskb_trim.patch @@ -0,0 +1,43 @@ +From foo@baz Thu May 11 11:08:24 CEST 2017 +From: Eric Dumazet +Date: Wed, 26 Apr 2017 09:07:46 -0700 +Subject: net: adjust skb->truesize in ___pskb_trim() + +From: Eric Dumazet + + +[ Upstream commit c21b48cc1bbf2f5af3ef54ada559f7fadf8b508b ] + +Andrey found a way to trigger the WARN_ON_ONCE(delta < len) in +skb_try_coalesce() using syzkaller and a filter attached to a TCP +socket. + +As we did recently in commit 158f323b9868 ("net: adjust skb->truesize in +pskb_expand_head()") we can adjust skb->truesize from ___pskb_trim(), +via a call to skb_condense(). + +If all frags were freed, then skb->truesize can be recomputed. + +This call can be done if skb is not yet owned, or destructor is +sock_edemux(). + +Signed-off-by: Eric Dumazet +Reported-by: Andrey Konovalov +Cc: Willem de Bruijn +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/core/skbuff.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/net/core/skbuff.c ++++ b/net/core/skbuff.c +@@ -1572,6 +1572,8 @@ done: + skb_set_tail_pointer(skb, len); + } + ++ if (!skb->sk || skb->destructor == sock_edemux) ++ skb_condense(skb); + return 0; + } + EXPORT_SYMBOL(___pskb_trim); diff --git a/queue-4.9/net-ipv6-do-not-duplicate-dad-on-link-up.patch b/queue-4.9/net-ipv6-do-not-duplicate-dad-on-link-up.patch new file mode 100644 index 00000000000..68a300ec936 --- /dev/null +++ b/queue-4.9/net-ipv6-do-not-duplicate-dad-on-link-up.patch @@ -0,0 +1,119 @@ +From foo@baz Thu May 11 11:08:24 CEST 2017 +From: David Ahern +Date: Tue, 2 May 2017 14:43:44 -0700 +Subject: net: ipv6: Do not duplicate DAD on link up + +From: David Ahern + + +[ Upstream commit 6d717134a1a6e1b34a7d0d70e953037bc2642046 ] + +Andrey reported a warning triggered by the rcu code: + +------------[ cut here ]------------ +WARNING: CPU: 1 PID: 5911 at lib/debugobjects.c:289 +debug_print_object+0x175/0x210 +ODEBUG: activate active (active state 1) object type: rcu_head hint: + (null) +Modules linked in: +CPU: 1 PID: 5911 Comm: a.out Not tainted 4.11.0-rc8+ #271 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:16 + dump_stack+0x192/0x22d lib/dump_stack.c:52 + __warn+0x19f/0x1e0 kernel/panic.c:549 + warn_slowpath_fmt+0xe0/0x120 kernel/panic.c:564 + debug_print_object+0x175/0x210 lib/debugobjects.c:286 + debug_object_activate+0x574/0x7e0 lib/debugobjects.c:442 + debug_rcu_head_queue kernel/rcu/rcu.h:75 + __call_rcu.constprop.76+0xff/0x9c0 kernel/rcu/tree.c:3229 + call_rcu_sched+0x12/0x20 kernel/rcu/tree.c:3288 + rt6_rcu_free net/ipv6/ip6_fib.c:158 + rt6_release+0x1ea/0x290 net/ipv6/ip6_fib.c:188 + fib6_del_route net/ipv6/ip6_fib.c:1461 + fib6_del+0xa42/0xdc0 net/ipv6/ip6_fib.c:1500 + __ip6_del_rt+0x100/0x160 net/ipv6/route.c:2174 + ip6_del_rt+0x140/0x1b0 net/ipv6/route.c:2187 + __ipv6_ifa_notify+0x269/0x780 net/ipv6/addrconf.c:5520 + addrconf_ifdown+0xe60/0x1a20 net/ipv6/addrconf.c:3672 +... + +Andrey's reproducer program runs in a very tight loop, calling +'unshare -n' and then spawning 2 sets of 14 threads running random ioctl +calls. The relevant networking sequence: + +1. New network namespace created via unshare -n +- ip6tnl0 device is created in down state + +2. address added to ip6tnl0 +- equivalent to ip -6 addr add dev ip6tnl0 fd00::bb/1 +- DAD is started on the address and when it completes the host + route is inserted into the FIB + +3. ip6tnl0 is brought up +- the new fixup_permanent_addr function restarts DAD on the address + +4. exit namespace +- teardown / cleanup sequence starts +- once in a blue moon, lo teardown appears to happen BEFORE teardown + of ip6tunl0 + + down on 'lo' removes the host route from the FIB since the dst->dev + for the route is loobback + + host route added to rcu callback list + * rcu callback has not run yet, so rt is NOT on the gc list so it has + NOT been marked obsolete + +5. in parallel to 4. worker_thread runs addrconf_dad_completed +- DAD on the address on ip6tnl0 completes +- calls ipv6_ifa_notify which inserts the host route + +All of that happens very quickly. The result is that a host route that +has been deleted from the IPv6 FIB and added to the RCU list is re-inserted +into the FIB. + +The exit namespace eventually gets to cleaning up ip6tnl0 which removes the +host route from the FIB again, calls the rcu function for cleanup -- and +triggers the double rcu trace. + +The root cause is duplicate DAD on the address -- steps 2 and 3. Arguably, +DAD should not be started in step 2. The interface is in the down state, +so it can not really send out requests for the address which makes starting +DAD pointless. + +Since the second DAD was introduced by a recent change, seems appropriate +to use it for the Fixes tag and have the fixup function only start DAD for +addresses in the PREDAD state which occurs in addrconf_ifdown if the +address is retained. + +Big thanks to Andrey for isolating a reliable reproducer for this problem. +Fixes: f1705ec197e7 ("net: ipv6: Make address flushing on ifdown optional") +Reported-by: Andrey Konovalov +Signed-off-by: David Ahern +Tested-by: Andrey Konovalov +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/addrconf.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/net/ipv6/addrconf.c ++++ b/net/ipv6/addrconf.c +@@ -3278,7 +3278,8 @@ static int fixup_permanent_addr(struct i + idev->dev, 0, 0); + } + +- addrconf_dad_start(ifp); ++ if (ifp->state == INET6_IFADDR_STATE_PREDAD) ++ addrconf_dad_start(ifp); + + return 0; + } +@@ -3627,7 +3628,7 @@ restart: + if (keep) { + /* set state to skip the notifier below */ + state = INET6_IFADDR_STATE_DEAD; +- ifa->state = 0; ++ ifa->state = INET6_IFADDR_STATE_PREDAD; + if (!(ifa->flags & IFA_F_NODAD)) + ifa->flags |= IFA_F_TENTATIVE; + diff --git a/queue-4.9/net-mdio-mux-bcm-iproc-call-mdiobus_free-in-error-path.patch b/queue-4.9/net-mdio-mux-bcm-iproc-call-mdiobus_free-in-error-path.patch new file mode 100644 index 00000000000..8799e3377c5 --- /dev/null +++ b/queue-4.9/net-mdio-mux-bcm-iproc-call-mdiobus_free-in-error-path.patch @@ -0,0 +1,44 @@ +From foo@baz Thu May 11 11:08:24 CEST 2017 +From: Jon Mason +Date: Mon, 8 May 2017 17:48:35 -0400 +Subject: net: mdio-mux: bcm-iproc: call mdiobus_free() in error path + +From: Jon Mason + + +[ Upstream commit 922c60e89d52730050c6ccca218bff40cc8bcd8e ] + +If an error is encountered in mdio_mux_init(), the error path will call +mdiobus_free(). Since mdiobus_register() has been called prior to +mdio_mux_init(), the bus->state will not be MDIOBUS_UNREGISTERED. This +causes a BUG_ON() in mdiobus_free(). To correct this issue, add an +error path for mdio_mux_init() which calls mdiobus_unregister() prior to +mdiobus_free(). + +Signed-off-by: Jon Mason +Fixes: 98bc865a1ec8 ("net: mdio-mux: Add MDIO mux driver for iProc SoCs") +Acked-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/phy/mdio-mux-bcm-iproc.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/net/phy/mdio-mux-bcm-iproc.c ++++ b/drivers/net/phy/mdio-mux-bcm-iproc.c +@@ -203,11 +203,14 @@ static int mdio_mux_iproc_probe(struct p + &md->mux_handle, md, md->mii_bus); + if (rc) { + dev_info(md->dev, "mdiomux initialization failed\n"); +- goto out; ++ goto out_register; + } + + dev_info(md->dev, "iProc mdiomux registered\n"); + return 0; ++ ++out_register: ++ mdiobus_unregister(bus); + out: + mdiobus_free(bus); + return rc; diff --git a/queue-4.9/net-usb-qmi_wwan-add-telit-me910-support.patch b/queue-4.9/net-usb-qmi_wwan-add-telit-me910-support.patch new file mode 100644 index 00000000000..06cc2563b5f --- /dev/null +++ b/queue-4.9/net-usb-qmi_wwan-add-telit-me910-support.patch @@ -0,0 +1,30 @@ +From foo@baz Thu May 11 11:08:24 CEST 2017 +From: Daniele Palmas +Date: Wed, 3 May 2017 10:30:11 +0200 +Subject: net: usb: qmi_wwan: add Telit ME910 support + +From: Daniele Palmas + + +[ Upstream commit 4c54dc0277d0d55a9248c43aebd31858f926a056 ] + +This patch adds support for Telit ME910 PID 0x1100. + +Signed-off-by: Daniele Palmas +Acked-by: Bjørn Mork +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/qmi_wwan.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/usb/qmi_wwan.c ++++ b/drivers/net/usb/qmi_wwan.c +@@ -902,6 +902,7 @@ static const struct usb_device_id produc + {QMI_FIXED_INTF(0x2357, 0x0201, 4)}, /* TP-LINK HSUPA Modem MA180 */ + {QMI_FIXED_INTF(0x2357, 0x9000, 4)}, /* TP-LINK MA260 */ + {QMI_QUIRK_SET_DTR(0x1bc7, 0x1040, 2)}, /* Telit LE922A */ ++ {QMI_FIXED_INTF(0x1bc7, 0x1100, 3)}, /* Telit ME910 */ + {QMI_FIXED_INTF(0x1bc7, 0x1200, 5)}, /* Telit LE920 */ + {QMI_FIXED_INTF(0x1bc7, 0x1201, 2)}, /* Telit LE920 */ + {QMI_FIXED_INTF(0x1c9e, 0x9b01, 3)}, /* XS Stick W100-2 from 4G Systems */ diff --git a/queue-4.9/rtnetlink-nul-terminate-ifla_phys_port_name-string.patch b/queue-4.9/rtnetlink-nul-terminate-ifla_phys_port_name-string.patch new file mode 100644 index 00000000000..65af89c65f1 --- /dev/null +++ b/queue-4.9/rtnetlink-nul-terminate-ifla_phys_port_name-string.patch @@ -0,0 +1,37 @@ +From foo@baz Thu May 11 11:08:24 CEST 2017 +From: Michal Schmidt +Date: Thu, 4 May 2017 16:48:58 +0200 +Subject: rtnetlink: NUL-terminate IFLA_PHYS_PORT_NAME string + +From: Michal Schmidt + + +[ Upstream commit 77ef033b687c3e030017c94a29bf6ea3aaaef678 ] + +IFLA_PHYS_PORT_NAME is a string attribute, so terminate it with \0. +Otherwise libnl3 fails to validate netlink messages with this attribute. +"ip -detail a" assumes too that the attribute is NUL-terminated when +printing it. It often was, due to padding. + +I noticed this as libvirtd failing to start on a system with sfc driver +after upgrading it to Linux 4.11, i.e. when sfc added support for +phys_port_name. + +Signed-off-by: Michal Schmidt +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/core/rtnetlink.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/core/rtnetlink.c ++++ b/net/core/rtnetlink.c +@@ -1059,7 +1059,7 @@ static int rtnl_phys_port_name_fill(stru + return err; + } + +- if (nla_put(skb, IFLA_PHYS_PORT_NAME, strlen(name), name)) ++ if (nla_put_string(skb, IFLA_PHYS_PORT_NAME, name)) + return -EMSGSIZE; + + return 0; diff --git a/queue-4.9/series b/queue-4.9/series index 27d8008e792..7409af1b467 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -81,3 +81,19 @@ staging-emxx_udc-remove-incorrect-__init-annotations.patch staging-lustre-mdc-make-it_open-take-lookup-bits-lock.patch alsa-hda-fix-deadlock-of-controller-device-lock-at-unbinding.patch sparc64-fix-fault-handling-in-ngbzero.s-and-genbzero.s.patch +macsec-dynamically-allocate-space-for-sglist.patch +tcp-do-not-underestimate-skb-truesize-in-tcp_trim_head.patch +net-adjust-skb-truesize-in-___pskb_trim.patch +bpf-enhance-verifier-to-understand-stack-pointer-arithmetic.patch +bpf-arm64-fix-jit-branch-offset-related-to-ldimm64.patch +tcp-fix-wraparound-issue-in-tcp_lp.patch +net-ipv6-do-not-duplicate-dad-on-link-up.patch +net-usb-qmi_wwan-add-telit-me910-support.patch +tcp-do-not-inherit-fastopen_req-from-parent.patch +ipv4-ipv6-ensure-raw-socket-message-is-big-enough-to-hold-an-ip-header.patch +rtnetlink-nul-terminate-ifla_phys_port_name-string.patch +ipv6-initialize-route-null-entry-in-addrconf_init.patch +ipv6-reorder-ip6_route_dev_notifier-after-ipv6_dev_notf.patch +bnxt_en-allocate-enough-space-for-ntp_fltr_bmap.patch +bpf-don-t-let-ldimm64-leak-map-addresses-on-unprivileged.patch +net-mdio-mux-bcm-iproc-call-mdiobus_free-in-error-path.patch diff --git a/queue-4.9/tcp-do-not-inherit-fastopen_req-from-parent.patch b/queue-4.9/tcp-do-not-inherit-fastopen_req-from-parent.patch new file mode 100644 index 00000000000..ecc8fcd66c9 --- /dev/null +++ b/queue-4.9/tcp-do-not-inherit-fastopen_req-from-parent.patch @@ -0,0 +1,149 @@ +From foo@baz Thu May 11 11:08:24 CEST 2017 +From: Eric Dumazet +Date: Wed, 3 May 2017 06:39:31 -0700 +Subject: tcp: do not inherit fastopen_req from parent + +From: Eric Dumazet + + +[ Upstream commit 8b485ce69876c65db12ed390e7f9c0d2a64eff2c ] + +Under fuzzer stress, it is possible that a child gets a non NULL +fastopen_req pointer from its parent at accept() time, when/if parent +morphs from listener to active session. + +We need to make sure this can not happen, by clearing the field after +socket cloning. + +BUG: Double free or freeing an invalid pointer +Unexpected shadow byte: 0xFB +CPU: 3 PID: 20933 Comm: syz-executor3 Not tainted 4.11.0+ #306 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs +01/01/2011 +Call Trace: + + __dump_stack lib/dump_stack.c:16 [inline] + dump_stack+0x292/0x395 lib/dump_stack.c:52 + kasan_object_err+0x1c/0x70 mm/kasan/report.c:164 + kasan_report_double_free+0x5c/0x70 mm/kasan/report.c:185 + kasan_slab_free+0x9d/0xc0 mm/kasan/kasan.c:580 + slab_free_hook mm/slub.c:1357 [inline] + slab_free_freelist_hook mm/slub.c:1379 [inline] + slab_free mm/slub.c:2961 [inline] + kfree+0xe8/0x2b0 mm/slub.c:3882 + tcp_free_fastopen_req net/ipv4/tcp.c:1077 [inline] + tcp_disconnect+0xc15/0x13e0 net/ipv4/tcp.c:2328 + inet_child_forget+0xb8/0x600 net/ipv4/inet_connection_sock.c:898 + inet_csk_reqsk_queue_add+0x1e7/0x250 +net/ipv4/inet_connection_sock.c:928 + tcp_get_cookie_sock+0x21a/0x510 net/ipv4/syncookies.c:217 + cookie_v4_check+0x1a19/0x28b0 net/ipv4/syncookies.c:384 + tcp_v4_cookie_check net/ipv4/tcp_ipv4.c:1384 [inline] + tcp_v4_do_rcv+0x731/0x940 net/ipv4/tcp_ipv4.c:1421 + tcp_v4_rcv+0x2dc0/0x31c0 net/ipv4/tcp_ipv4.c:1715 + ip_local_deliver_finish+0x4cc/0xc20 net/ipv4/ip_input.c:216 + NF_HOOK include/linux/netfilter.h:257 [inline] + ip_local_deliver+0x1ce/0x700 net/ipv4/ip_input.c:257 + dst_input include/net/dst.h:492 [inline] + ip_rcv_finish+0xb1d/0x20b0 net/ipv4/ip_input.c:396 + NF_HOOK include/linux/netfilter.h:257 [inline] + ip_rcv+0xd8c/0x19c0 net/ipv4/ip_input.c:487 + __netif_receive_skb_core+0x1ad1/0x3400 net/core/dev.c:4210 + __netif_receive_skb+0x2a/0x1a0 net/core/dev.c:4248 + process_backlog+0xe5/0x6c0 net/core/dev.c:4868 + napi_poll net/core/dev.c:5270 [inline] + net_rx_action+0xe70/0x18e0 net/core/dev.c:5335 + __do_softirq+0x2fb/0xb99 kernel/softirq.c:284 + do_softirq_own_stack+0x1c/0x30 arch/x86/entry/entry_64.S:899 + + do_softirq.part.17+0x1e8/0x230 kernel/softirq.c:328 + do_softirq kernel/softirq.c:176 [inline] + __local_bh_enable_ip+0x1cf/0x1e0 kernel/softirq.c:181 + local_bh_enable include/linux/bottom_half.h:31 [inline] + rcu_read_unlock_bh include/linux/rcupdate.h:931 [inline] + ip_finish_output2+0x9ab/0x15e0 net/ipv4/ip_output.c:230 + ip_finish_output+0xa35/0xdf0 net/ipv4/ip_output.c:316 + NF_HOOK_COND include/linux/netfilter.h:246 [inline] + ip_output+0x1f6/0x7b0 net/ipv4/ip_output.c:404 + dst_output include/net/dst.h:486 [inline] + ip_local_out+0x95/0x160 net/ipv4/ip_output.c:124 + ip_queue_xmit+0x9a8/0x1a10 net/ipv4/ip_output.c:503 + tcp_transmit_skb+0x1ade/0x3470 net/ipv4/tcp_output.c:1057 + tcp_write_xmit+0x79e/0x55b0 net/ipv4/tcp_output.c:2265 + __tcp_push_pending_frames+0xfa/0x3a0 net/ipv4/tcp_output.c:2450 + tcp_push+0x4ee/0x780 net/ipv4/tcp.c:683 + tcp_sendmsg+0x128d/0x39b0 net/ipv4/tcp.c:1342 + inet_sendmsg+0x164/0x5b0 net/ipv4/af_inet.c:762 + sock_sendmsg_nosec net/socket.c:633 [inline] + sock_sendmsg+0xca/0x110 net/socket.c:643 + SYSC_sendto+0x660/0x810 net/socket.c:1696 + SyS_sendto+0x40/0x50 net/socket.c:1664 + entry_SYSCALL_64_fastpath+0x1f/0xbe +RIP: 0033:0x446059 +RSP: 002b:00007faa6761fb58 EFLAGS: 00000282 ORIG_RAX: 000000000000002c +RAX: ffffffffffffffda RBX: 0000000000000017 RCX: 0000000000446059 +RDX: 0000000000000001 RSI: 0000000020ba3fcd RDI: 0000000000000017 +RBP: 00000000006e40a0 R08: 0000000020ba4ff0 R09: 0000000000000010 +R10: 0000000020000000 R11: 0000000000000282 R12: 0000000000708150 +R13: 0000000000000000 R14: 00007faa676209c0 R15: 00007faa67620700 +Object at ffff88003b5bbcb8, in cache kmalloc-64 size: 64 +Allocated: +PID = 20909 + save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59 + save_stack+0x43/0xd0 mm/kasan/kasan.c:513 + set_track mm/kasan/kasan.c:525 [inline] + kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:616 + kmem_cache_alloc_trace+0x82/0x270 mm/slub.c:2745 + kmalloc include/linux/slab.h:490 [inline] + kzalloc include/linux/slab.h:663 [inline] + tcp_sendmsg_fastopen net/ipv4/tcp.c:1094 [inline] + tcp_sendmsg+0x221a/0x39b0 net/ipv4/tcp.c:1139 + inet_sendmsg+0x164/0x5b0 net/ipv4/af_inet.c:762 + sock_sendmsg_nosec net/socket.c:633 [inline] + sock_sendmsg+0xca/0x110 net/socket.c:643 + SYSC_sendto+0x660/0x810 net/socket.c:1696 + SyS_sendto+0x40/0x50 net/socket.c:1664 + entry_SYSCALL_64_fastpath+0x1f/0xbe +Freed: +PID = 20909 + save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59 + save_stack+0x43/0xd0 mm/kasan/kasan.c:513 + set_track mm/kasan/kasan.c:525 [inline] + kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:589 + slab_free_hook mm/slub.c:1357 [inline] + slab_free_freelist_hook mm/slub.c:1379 [inline] + slab_free mm/slub.c:2961 [inline] + kfree+0xe8/0x2b0 mm/slub.c:3882 + tcp_free_fastopen_req net/ipv4/tcp.c:1077 [inline] + tcp_disconnect+0xc15/0x13e0 net/ipv4/tcp.c:2328 + __inet_stream_connect+0x20c/0xf90 net/ipv4/af_inet.c:593 + tcp_sendmsg_fastopen net/ipv4/tcp.c:1111 [inline] + tcp_sendmsg+0x23a8/0x39b0 net/ipv4/tcp.c:1139 + inet_sendmsg+0x164/0x5b0 net/ipv4/af_inet.c:762 + sock_sendmsg_nosec net/socket.c:633 [inline] + sock_sendmsg+0xca/0x110 net/socket.c:643 + SYSC_sendto+0x660/0x810 net/socket.c:1696 + SyS_sendto+0x40/0x50 net/socket.c:1664 + entry_SYSCALL_64_fastpath+0x1f/0xbe + +Fixes: e994b2f0fb92 ("tcp: do not lock listener to process SYN packets") +Fixes: 7db92362d2fe ("tcp: fix potential double free issue for fastopen_req") +Signed-off-by: Eric Dumazet +Reported-by: Andrey Konovalov +Acked-by: Wei Wang +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/tcp_minisocks.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/ipv4/tcp_minisocks.c ++++ b/net/ipv4/tcp_minisocks.c +@@ -543,6 +543,7 @@ struct sock *tcp_create_openreq_child(co + newicsk->icsk_ack.last_seg_size = skb->len - newtp->tcp_header_len; + newtp->rx_opt.mss_clamp = req->mss; + tcp_ecn_openreq_child(newtp, req); ++ newtp->fastopen_req = NULL; + newtp->fastopen_rsk = NULL; + newtp->syn_data_acked = 0; + newtp->rack.mstamp.v64 = 0; diff --git a/queue-4.9/tcp-do-not-underestimate-skb-truesize-in-tcp_trim_head.patch b/queue-4.9/tcp-do-not-underestimate-skb-truesize-in-tcp_trim_head.patch new file mode 100644 index 00000000000..65bce63f502 --- /dev/null +++ b/queue-4.9/tcp-do-not-underestimate-skb-truesize-in-tcp_trim_head.patch @@ -0,0 +1,86 @@ +From foo@baz Thu May 11 11:08:24 CEST 2017 +From: Eric Dumazet +Date: Wed, 26 Apr 2017 17:15:40 -0700 +Subject: tcp: do not underestimate skb->truesize in tcp_trim_head() + +From: Eric Dumazet + + +[ Upstream commit 7162fb242cb8322beb558828fd26b33c3e9fc805 ] + +Andrey found a way to trigger the WARN_ON_ONCE(delta < len) in +skb_try_coalesce() using syzkaller and a filter attached to a TCP +socket over loopback interface. + +I believe one issue with looped skbs is that tcp_trim_head() can end up +producing skb with under estimated truesize. + +It hardly matters for normal conditions, since packets sent over +loopback are never truncated. + +Bytes trimmed from skb->head should not change skb truesize, since +skb->head is not reallocated. + +Signed-off-by: Eric Dumazet +Reported-by: Andrey Konovalov +Tested-by: Andrey Konovalov +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/tcp_output.c | 19 ++++++++++++------- + 1 file changed, 12 insertions(+), 7 deletions(-) + +--- a/net/ipv4/tcp_output.c ++++ b/net/ipv4/tcp_output.c +@@ -1246,7 +1246,7 @@ int tcp_fragment(struct sock *sk, struct + * eventually). The difference is that pulled data not copied, but + * immediately discarded. + */ +-static void __pskb_trim_head(struct sk_buff *skb, int len) ++static int __pskb_trim_head(struct sk_buff *skb, int len) + { + struct skb_shared_info *shinfo; + int i, k, eat; +@@ -1256,7 +1256,7 @@ static void __pskb_trim_head(struct sk_b + __skb_pull(skb, eat); + len -= eat; + if (!len) +- return; ++ return 0; + } + eat = len; + k = 0; +@@ -1282,23 +1282,28 @@ static void __pskb_trim_head(struct sk_b + skb_reset_tail_pointer(skb); + skb->data_len -= len; + skb->len = skb->data_len; ++ return len; + } + + /* Remove acked data from a packet in the transmit queue. */ + int tcp_trim_head(struct sock *sk, struct sk_buff *skb, u32 len) + { ++ u32 delta_truesize; ++ + if (skb_unclone(skb, GFP_ATOMIC)) + return -ENOMEM; + +- __pskb_trim_head(skb, len); ++ delta_truesize = __pskb_trim_head(skb, len); + + TCP_SKB_CB(skb)->seq += len; + skb->ip_summed = CHECKSUM_PARTIAL; + +- skb->truesize -= len; +- sk->sk_wmem_queued -= len; +- sk_mem_uncharge(sk, len); +- sock_set_flag(sk, SOCK_QUEUE_SHRUNK); ++ if (delta_truesize) { ++ skb->truesize -= delta_truesize; ++ sk->sk_wmem_queued -= delta_truesize; ++ sk_mem_uncharge(sk, delta_truesize); ++ sock_set_flag(sk, SOCK_QUEUE_SHRUNK); ++ } + + /* Any change of skb->len requires recalculation of tso factor. */ + if (tcp_skb_pcount(skb) > 1) diff --git a/queue-4.9/tcp-fix-wraparound-issue-in-tcp_lp.patch b/queue-4.9/tcp-fix-wraparound-issue-in-tcp_lp.patch new file mode 100644 index 00000000000..5fe72d63f70 --- /dev/null +++ b/queue-4.9/tcp-fix-wraparound-issue-in-tcp_lp.patch @@ -0,0 +1,41 @@ +From foo@baz Thu May 11 11:08:24 CEST 2017 +From: Eric Dumazet +Date: Mon, 1 May 2017 15:29:48 -0700 +Subject: tcp: fix wraparound issue in tcp_lp + +From: Eric Dumazet + + +[ Upstream commit a9f11f963a546fea9144f6a6d1a307e814a387e7 ] + +Be careful when comparing tcp_time_stamp to some u32 quantity, +otherwise result can be surprising. + +Fixes: 7c106d7e782b ("[TCP]: TCP Low Priority congestion control") +Signed-off-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/tcp_lp.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/net/ipv4/tcp_lp.c ++++ b/net/ipv4/tcp_lp.c +@@ -264,13 +264,15 @@ static void tcp_lp_pkts_acked(struct soc + { + struct tcp_sock *tp = tcp_sk(sk); + struct lp *lp = inet_csk_ca(sk); ++ u32 delta; + + if (sample->rtt_us > 0) + tcp_lp_rtt_sample(sk, sample->rtt_us); + + /* calc inference */ +- if (tcp_time_stamp > tp->rx_opt.rcv_tsecr) +- lp->inference = 3 * (tcp_time_stamp - tp->rx_opt.rcv_tsecr); ++ delta = tcp_time_stamp - tp->rx_opt.rcv_tsecr; ++ if ((s32)delta > 0) ++ lp->inference = 3 * delta; + + /* test if within inference */ + if (lp->last_drop && (tcp_time_stamp - lp->last_drop < lp->inference))