From: Greg Kroah-Hartman
Date: Wed, 9 Aug 2017 00:56:10 +0000 (-0700)
Subject: 3.18-stable patches
X-Git-Tag: v4.12.6~17
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b398084b9526eb8d24d246c1c7e1620ec1e8e26d;p=thirdparty%2Fkernel%2Fstable-queue.git
3.18-stable patches
added patches:
dccp-fix-a-memleak-for-dccp_feat_init-err-process.patch
ipv4-initialize-fib_trie-prior-to-register_netdev_notifier-call.patch
ipv6-avoid-overflow-of-offset-in-ip6_find_1stfragopt.patch
mcs7780-fix-initialization-when-config_vmap_stack-is-enabled.patch
net-phy-correctly-process-phy_halted-in-phy_stop_machine.patch
net-zero-terminate-ifr_name-in-dev_ifname.patch
packet-fix-use-after-free-in-prb_retire_rx_blk_timer_expired.patch
rtnetlink-allocate-more-memory-for-dev_set_mac_address.patch
sctp-don-t-dereference-ptr-before-leaving-_sctp_walk_-params-errors.patch
sctp-fix-the-check-for-_sctp_walk_params-and-_sctp_walk_errors.patch
xen-netback-correctly-schedule-rate-limited-queues.patch
---
diff --git a/queue-3.18/dccp-fix-a-memleak-for-dccp_feat_init-err-process.patch b/queue-3.18/dccp-fix-a-memleak-for-dccp_feat_init-err-process.patch
new file mode 100644
index 00000000000..9535846e3ea
--- /dev/null
+++ b/queue-3.18/dccp-fix-a-memleak-for-dccp_feat_init-err-process.patch
@@ -0,0 +1,38 @@
+From foo@baz Tue Aug 8 16:54:20 PDT 2017
+From: Xin Long
+Date: Wed, 26 Jul 2017 14:20:15 +0800
+Subject: dccp: fix a memleak for dccp_feat_init err process
+
+From: Xin Long
+
+
+[ Upstream commit e90ce2fc27cad7e7b1e72b9e66201a7a4c124c2b ]
+
+In dccp_feat_init, when ccid_get_builtin_ccids failsto alloc
+memory for rx.val, it should free tx.val before returning an
+error.
+
+Signed-off-by: Xin Long
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/dccp/feat.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/net/dccp/feat.c
++++ b/net/dccp/feat.c
+@@ -1471,9 +1471,12 @@ int dccp_feat_init(struct sock *sk)
+ * singleton values (which always leads to failure).
+ * These settings can still (later) be overridden via sockopts.
+ */
+- if (ccid_get_builtin_ccids(&tx.val, &tx.len) ||
+- ccid_get_builtin_ccids(&rx.val, &rx.len))
++ if (ccid_get_builtin_ccids(&tx.val, &tx.len))
+ return -ENOBUFS;
++ if (ccid_get_builtin_ccids(&rx.val, &rx.len)) {
++ kfree(tx.val);
++ return -ENOBUFS;
++ }
+
+ if (!dccp_feat_prefer(sysctl_dccp_tx_ccid, tx.val, tx.len) ||
+ !dccp_feat_prefer(sysctl_dccp_rx_ccid, rx.val, rx.len))
diff --git a/queue-3.18/ipv4-initialize-fib_trie-prior-to-register_netdev_notifier-call.patch b/queue-3.18/ipv4-initialize-fib_trie-prior-to-register_netdev_notifier-call.patch
new file mode 100644
index 00000000000..10cc9c5f00e
--- /dev/null
+++ b/queue-3.18/ipv4-initialize-fib_trie-prior-to-register_netdev_notifier-call.patch
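Review bot: The new error branch frees tx.val by hand with no indication that this function owns the buffer, so the ownership transfer from ccid_get_builtin_ccids() is only implied; a one-line comment at the kfree would make it explicit, e.g. `/* ccid_get_builtin_ccids() kmalloc()s *val; tx.val is ours to free until handed over */`. If dccp_feat_init() already has a cleanup label that releases both lists on the later dccp_feat_prefer() failure, routing this failure through it would keep a single exit path, but that code is past the end of the hunk and I cannot confirm it exists. The dccp_feat_prefer() condition at the bottom of the hunk continues outside it, so what happens to tx.val and rx.val on that path is not visible here.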
@@ -0,0 +1,71 @@
+From foo@baz Tue Aug 8 16:54:20 PDT 2017
+From: Mahesh Bandewar
+Date: Wed, 19 Jul 2017 15:41:33 -0700
+Subject: ipv4: initialize fib_trie prior to register_netdev_notifier call.
+
+From: Mahesh Bandewar
+
+
+[ Upstream commit 8799a221f5944a7d74516ecf46d58c28ec1d1f75 ]
+
+Net stack initialization currently initializes fib-trie after the
+first call to netdevice_notifier() call. In fact fib_trie initialization
+needs to happen before first rtnl_register(). It does not cause any problem
+since there are no devices UP at this moment, but trying to bring 'lo'
+UP at initialization would make this assumption wrong and exposes the issue.
+
+Fixes following crash
+
+ Call Trace:
+ ? alternate_node_alloc+0x76/0xa0
+ fib_table_insert+0x1b7/0x4b0
+ fib_magic.isra.17+0xea/0x120
+ fib_add_ifaddr+0x7b/0x190
+ fib_netdev_event+0xc0/0x130
+ register_netdevice_notifier+0x1c1/0x1d0
+ ip_fib_init+0x72/0x85
+ ip_rt_init+0x187/0x1e9
+ ip_init+0xe/0x1a
+ inet_init+0x171/0x26c
+ ? ipv4_offload_init+0x66/0x66
+ do_one_initcall+0x43/0x160
+ kernel_init_freeable+0x191/0x219
+ ? rest_init+0x80/0x80
+ kernel_init+0xe/0x150
+ ret_from_fork+0x22/0x30
+ Code: f6 46 23 04 74 86 4c 89 f7 e8 ae 45 01 00 49 89 c7 4d 85 ff 0f 85 7b ff ff ff 31 db eb 08 4c 89 ff e8 16 47 01 00 48 8b 44 24 38 <45> 8b 6e 14 4d 63 76 74 48 89 04 24 0f 1f 44 00 00 48 83 c4 08
+ RIP: kmem_cache_alloc+0xcf/0x1c0 RSP: ffff9b1500017c28
+ CR2: 0000000000000014
+
+Fixes: 7b1a74fdbb9e ("[NETNS]: Refactor fib initialization so it can handle multiple namespaces.")
+Fixes: 7f9b80529b8a ("[IPV4]: fib hash|trie initialization")
+
+Signed-off-by: Mahesh Bandewar
+Acked-by: "Eric W. Biederman"
+Signed-off-by: David S. 
Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv4/fib_frontend.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/net/ipv4/fib_frontend.c
++++ b/net/ipv4/fib_frontend.c
+@@ -1174,13 +1174,14 @@ static struct pernet_operations fib_net_
+
+ void __init ip_fib_init(void)
+ {
+- rtnl_register(PF_INET, RTM_NEWROUTE, inet_rtm_newroute, NULL, NULL);
+- rtnl_register(PF_INET, RTM_DELROUTE, inet_rtm_delroute, NULL, NULL);
+- rtnl_register(PF_INET, RTM_GETROUTE, NULL, inet_dump_fib, NULL);
++ fib_trie_init();
+
+ register_pernet_subsys(&fib_net_ops);
++
+ register_netdevice_notifier(&fib_netdev_notifier);
+ register_inetaddr_notifier(&fib_inetaddr_notifier);
+
+- fib_trie_init();
++ rtnl_register(PF_INET, RTM_NEWROUTE, inet_rtm_newroute, NULL, NULL);
++ rtnl_register(PF_INET, RTM_DELROUTE, inet_rtm_delroute, NULL, NULL);
++ rtnl_register(PF_INET, RTM_GETROUTE, NULL, inet_dump_fib, NULL);
+ }
diff --git a/queue-3.18/ipv6-avoid-overflow-of-offset-in-ip6_find_1stfragopt.patch b/queue-3.18/ipv6-avoid-overflow-of-offset-in-ip6_find_1stfragopt.patch
new file mode 100644
index 00000000000..ee2171d3ae4
--- /dev/null
+++ b/queue-3.18/ipv6-avoid-overflow-of-offset-in-ip6_find_1stfragopt.patch
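Review bot: The order of the calls in ip_fib_init() is now load-bearing — per the call trace in the description, fib_netdev_event() reached from register_netdevice_notifier() inserts into the trie, so fib_trie_init() must run first — but nothing in the code says so, and a later tidy-up could silently reorder them back. A comment above the new first line would protect the fix: `/* fib_trie_init() must precede the notifiers: fib_netdev_event() can insert routes as soon as it is registered */`. The return values of register_pernet_subsys(), register_netdevice_notifier() and register_inetaddr_notifier() are still discarded; that is customary in __init code, but it means a registration failure here would surface only later as a missing callback.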
@@ -0,0 +1,55 @@
+From foo@baz Tue Aug 8 16:54:20 PDT 2017
+From: Sabrina Dubroca
+Date: Wed, 19 Jul 2017 22:28:55 +0200
+Subject: ipv6: avoid overflow of offset in ip6_find_1stfragopt
+
+From: Sabrina Dubroca
+
+
+[ Upstream commit 6399f1fae4ec29fab5ec76070435555e256ca3a6 ]
+
+In some cases, offset can overflow and can cause an infinite loop in
+ip6_find_1stfragopt(). Make it unsigned int to prevent the overflow, and
+cap it at IPV6_MAXPLEN, since packets larger than that should be invalid.
+
+This problem has been here since before the beginning of git history.
+
+Signed-off-by: Sabrina Dubroca
+Acked-by: Hannes Frederic Sowa
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv6/output_core.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/net/ipv6/output_core.c
++++ b/net/ipv6/output_core.c
+@@ -44,7 +44,7 @@ EXPORT_SYMBOL_GPL(ipv6_proxy_select_iden
+
+ int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr)
+ {
+- u16 offset = sizeof(struct ipv6hdr);
++ unsigned int offset = sizeof(struct ipv6hdr);
+ unsigned int packet_len = skb_tail_pointer(skb) -
+ skb_network_header(skb);
+ int found_rhdr = 0;
+@@ -52,6 +52,7 @@ int ip6_find_1stfragopt(struct sk_buff *
+
+ while (offset <= packet_len) {
+ struct ipv6_opt_hdr *exthdr;
++ unsigned int len;
+
+ switch (**nexthdr) {
+
+@@ -77,7 +78,10 @@ int ip6_find_1stfragopt(struct sk_buff *
+
+ exthdr = (struct ipv6_opt_hdr *)(skb_network_header(skb) +
+ offset);
+- offset += ipv6_optlen(exthdr);
++ len = ipv6_optlen(exthdr);
++ if (len + offset >= IPV6_MAXPLEN)
++ return -EINVAL;
++ offset += len;
+ *nexthdr = &exthdr->nexthdr;
+ }
+
diff --git a/queue-3.18/mcs7780-fix-initialization-when-config_vmap_stack-is-enabled.patch b/queue-3.18/mcs7780-fix-initialization-when-config_vmap_stack-is-enabled.patch
new file mode 100644
index 00000000000..64e940e1887
--- /dev/null
+++ b/queue-3.18/mcs7780-fix-initialization-when-config_vmap_stack-is-enabled.patch
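Review bot: The new cap only stops offset from growing past IPV6_MAXPLEN; it does not by itself guarantee that the ipv6_opt_hdr read through ipv6_optlen(exthdr) lies inside the skb, because the loop guard `while (offset <= packet_len)` still admits offset == packet_len, at which point exthdr is one past the tail. If the `offset + sizeof(struct ipv6_opt_hdr) > packet_len` check from the earlier header-options overrun fix sits just above the third hunk (its context opens with a blank line, so the preceding statement is not visible) this is covered; if 3.18 does not carry it, that test belongs before the exthdr assignment. A short comment on the cap would also help a reader who sees -EINVAL from a fragmentation path: `/* extension headers cannot extend past the maximum payload; refuse rather than let offset run away */`. The function's `return offset` statements are outside the hunk, so the unsigned-to-int conversion at those sites is not visible, though the cap keeps the value well below INT_MAX.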
@@ -0,0 +1,81 @@
+From foo@baz Tue Aug 8 16:54:20 PDT 2017
+From: Thomas Jarosch
+Date: Sat, 22 Jul 2017 17:14:34 +0200
+Subject: mcs7780: Fix initialization when CONFIG_VMAP_STACK is enabled
+
+From: Thomas Jarosch
+
+
+[ Upstream commit 9476d393667968b4a02afbe9d35a3558482b943e ]
+
+DMA transfers are not allowed to buffers that are on the stack.
+Therefore allocate a buffer to store the result of usb_control_message().
+
+Fixes these bugreports:
+https://bugzilla.kernel.org/show_bug.cgi?id=195217
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1421387
+https://bugzilla.redhat.com/show_bug.cgi?id=1427398
+
+Shortened kernel backtrace from 4.11.9-200.fc25.x86_64:
+kernel: ------------[ cut here ]------------
+kernel: WARNING: CPU: 3 PID: 2957 at drivers/usb/core/hcd.c:1587
+kernel: transfer buffer not dma capable
+kernel: Call Trace:
+kernel: dump_stack+0x63/0x86
+kernel: __warn+0xcb/0xf0
+kernel: warn_slowpath_fmt+0x5a/0x80
+kernel: usb_hcd_map_urb_for_dma+0x37f/0x570
+kernel: ? try_to_del_timer_sync+0x53/0x80
+kernel: usb_hcd_submit_urb+0x34e/0xb90
+kernel: ? schedule_timeout+0x17e/0x300
+kernel: ? del_timer_sync+0x50/0x50
+kernel: ? __slab_free+0xa9/0x300
+kernel: usb_submit_urb+0x2f4/0x560
+kernel: ? urb_destroy+0x24/0x30
+kernel: usb_start_wait_urb+0x6e/0x170
+kernel: usb_control_msg+0xdc/0x120
+kernel: mcs_get_reg+0x36/0x40 [mcs7780]
+kernel: mcs_net_open+0xb5/0x5c0 [mcs7780]
+...
+
+Regression goes back to 4.9, so it's a good candidate for -stable.
+Though it's the decision of the maintainer.
+
+Thanks to Dan Williams for adding the "transfer buffer not dma capable"
+warning in the first place. It instantly pointed me in the right direction.
+
+Patch has been tested with transferring data from a Polar watch.
+
+Signed-off-by: Thomas Jarosch
+Signed-off-by: David S. 
Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/irda/mcs7780.c | 16 +++++++++++++---
+ 1 file changed, 13 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/irda/mcs7780.c
++++ b/drivers/net/irda/mcs7780.c
+@@ -141,9 +141,19 @@ static int mcs_set_reg(struct mcs_cb *mc
+ static int mcs_get_reg(struct mcs_cb *mcs, __u16 reg, __u16 * val)
+ {
+ struct usb_device *dev = mcs->usbdev;
+- int ret = usb_control_msg(dev, usb_rcvctrlpipe(dev, 0), MCS_RDREQ,
+- MCS_RD_RTYPE, 0, reg, val, 2,
+- msecs_to_jiffies(MCS_CTRL_TIMEOUT));
++ void *dmabuf;
++ int ret;
++
++ dmabuf = kmalloc(sizeof(__u16), GFP_KERNEL);
++ if (!dmabuf)
++ return -ENOMEM;
++
++ ret = usb_control_msg(dev, usb_rcvctrlpipe(dev, 0), MCS_RDREQ,
++ MCS_RD_RTYPE, 0, reg, dmabuf, 2,
++ msecs_to_jiffies(MCS_CTRL_TIMEOUT));
++
++ memcpy(val, dmabuf, sizeof(__u16));
++ kfree(dmabuf);
+
+ return ret;
+ }
diff --git a/queue-3.18/net-phy-correctly-process-phy_halted-in-phy_stop_machine.patch b/queue-3.18/net-phy-correctly-process-phy_halted-in-phy_stop_machine.patch
new file mode 100644
index 00000000000..b802975d6e8
--- /dev/null
+++ b/queue-3.18/net-phy-correctly-process-phy_halted-in-phy_stop_machine.patch
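Review bot: `memcpy(val, dmabuf, sizeof(__u16))` runs whatever usb_control_msg() returned, so on a failed or short transfer `*val` is filled from freshly kmalloc()ed, uninitialized heap memory; the old stack buffer had the same hole, but it is now easier to close. Guard the copy on a complete read, `if (ret == sizeof(__u16))` before the memcpy, or allocate with kzalloc so a failure yields a deterministic 0 instead of stale heap contents. Whether every caller of mcs_get_reg() checks `ret` before trusting `*val` is not visible in this hunk, which is why the function should not hand back garbage on error.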
@@ -0,0 +1,43 @@
+From foo@baz Tue Aug 8 16:54:20 PDT 2017
+From: Florian Fainelli
+Date: Fri, 28 Jul 2017 11:58:36 -0700
+Subject: net: phy: Correctly process PHY_HALTED in phy_stop_machine()
+
+From: Florian Fainelli
+
+
+[ Upstream commit 7ad813f208533cebfcc32d3d7474dc1677d1b09a ]
+
+Marc reported that he was not getting the PHY library adjust_link()
+callback function to run when calling phy_stop() + phy_disconnect()
+which does not indeed happen because we set the state machine to
+PHY_HALTED but we don't get to run it to process this state past that
+point.
+
+Fix this with a synchronous call to phy_state_machine() in order to have
+the state machine actually act on PHY_HALTED, set the PHY device's link
+down, turn the network device's carrier off and finally call the
+adjust_link() function.
+
+Reported-by: Marc Gonzalez
+Fixes: a390d1f379cf ("phylib: convert state_queue work to delayed_work")
+Signed-off-by: Florian Fainelli
+Signed-off-by: Marc Gonzalez
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/phy/phy.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/phy/phy.c
++++ b/drivers/net/phy/phy.c
+@@ -509,6 +509,9 @@ void phy_stop_machine(struct phy_device
+ if (phydev->state > PHY_UP && phydev->state != PHY_HALTED)
+ phydev->state = PHY_UP;
+ mutex_unlock(&phydev->lock);
++
++ /* Now we can run the state machine synchronously */
++ phy_state_machine(&phydev->state_queue.work);
+ }
+
+ /**
diff --git a/queue-3.18/net-zero-terminate-ifr_name-in-dev_ifname.patch b/queue-3.18/net-zero-terminate-ifr_name-in-dev_ifname.patch
new file mode 100644
index 00000000000..ae668a5218d
--- /dev/null
+++ b/queue-3.18/net-zero-terminate-ifr_name-in-dev_ifname.patch
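Review bot: The synchronous phy_state_machine() call is unconditional, yet the lines just above it reset every state above PHY_UP other than PHY_HALTED back to PHY_UP, so in that case the state machine is driven once in PHY_UP rather than in the state the description says it should act on. Depending on how phy_state_machine() handles PHY_UP (its body is outside this hunk), that pass may re-queue the delayed work that phy_stop_machine() presumably cancelled earlier in the function (also not shown), which is the opposite of stopping it. If the intent is only to process PHY_HALTED, say so in code: `if (phydev->state == PHY_HALTED) phy_state_machine(&phydev->state_queue.work);`, and extend the comment to explain why calling the work function directly is safe here. The start of phy_stop_machine() lies outside the hunk.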
@@ -0,0 +1,28 @@
+From foo@baz Tue Aug 8 16:54:20 PDT 2017
+From: "David S. Miller"
+Date: Wed, 19 Jul 2017 13:33:24 -0700
+Subject: net: Zero terminate ifr_name in dev_ifname().
+
+From: "David S. Miller"
+
+
+[ Upstream commit 63679112c536289826fec61c917621de95ba2ade ]
+
+The ifr.ifr_name is passed around and assumed to be NULL terminated.
+
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/core/dev_ioctl.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/core/dev_ioctl.c
++++ b/net/core/dev_ioctl.c
+@@ -28,6 +28,7 @@ static int dev_ifname(struct net *net, s
+
+ if (copy_from_user(&ifr, arg, sizeof(struct ifreq)))
+ return -EFAULT;
++ ifr.ifr_name[IFNAMSIZ-1] = 0;
+
+ error = netdev_get_name(net, ifr.ifr_name, ifr.ifr_ifindex);
+ if (error)
diff --git a/queue-3.18/packet-fix-use-after-free-in-prb_retire_rx_blk_timer_expired.patch b/queue-3.18/packet-fix-use-after-free-in-prb_retire_rx_blk_timer_expired.patch
new file mode 100644
index 00000000000..0ee771d3595
--- /dev/null
+++ b/queue-3.18/packet-fix-use-after-free-in-prb_retire_rx_blk_timer_expired.patch
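Review bot: The terminator is written as a bare `0` with no explanation of why it is needed, and a reader of this one line cannot tell that the struct came straight from user space and that nothing downstream re-checks the name length. Spell out the invariant where it is established: `ifr.ifr_name[IFNAMSIZ - 1] = '\0'; /* user space need not NUL-terminate ifr_name */`. Only dev_ifname() is covered here; any other dev_ioctl() case that copies a struct ifreq from user space and then uses ifr_name as a C string needs the same line, and those paths are outside what this hunk shows.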
@@ -0,0 +1,60 @@
+From foo@baz Tue Aug 8 16:54:20 PDT 2017
+From: WANG Cong
+Date: Mon, 24 Jul 2017 10:07:32 -0700
+Subject: packet: fix use-after-free in prb_retire_rx_blk_timer_expired()
+
+From: WANG Cong
+
+
+[ Upstream commit c800aaf8d869f2b9b47b10c5c312fe19f0a94042 ]
+
+There are multiple reports showing we have a use-after-free in
+the timer prb_retire_rx_blk_timer_expired(), where we use struct
+tpacket_kbdq_core::pkbdq, a pg_vec, after it gets freed by
+free_pg_vec().
+
+The interesting part is it is not freed via packet_release() but
+via packet_setsockopt(), which means we are not closing the socket.
+Looking into the big and fat function packet_set_ring(), this could
+happen if we satisfy the following conditions:
+
+1. closing == 0, not on packet_release() path
+2. req->tp_block_nr == 0, we don't allocate a new pg_vec
+3. rx_ring->pg_vec is already set as V3, which means we already called
+ packet_set_ring() wtih req->tp_block_nr > 0 previously
+4. req->tp_frame_nr == 0, pass sanity check
+5. po->mapped == 0, never called mmap()
+
+In this scenario we are clearing the old rx_ring->pg_vec, so we need
+to free this pg_vec, but we don't stop the timer on this path because
+of closing==0.
+
+The timer has to be stopped as long as we need to free pg_vec, therefore
+the check on closing!=0 is wrong, we should check pg_vec!=NULL instead.
+
+Thanks to liujian for testing different fixes.
+
+Reported-by: alexander.levin@verizon.com
+Reported-by: Dave Jones
+Reported-by: liujian (CE)
+Tested-by: liujian (CE)
+Cc: Ding Tianhong
+Cc: Willem de Bruijn
+Signed-off-by: Cong Wang
+Signed-off-by: David S. 
Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/packet/af_packet.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -3895,7 +3895,7 @@ static int packet_set_ring(struct sock *
+ register_prot_hook(sk);
+ }
+ spin_unlock(&po->bind_lock);
+- if (closing && (po->tp_version > TPACKET_V2)) {
++ if (pg_vec && (po->tp_version > TPACKET_V2)) {
+ /* Because we don't support block-based V3 on tx-ring */
+ if (!tx_ring)
+ prb_shutdown_retire_blk_timer(po, tx_ring, rb_queue);
diff --git a/queue-3.18/rtnetlink-allocate-more-memory-for-dev_set_mac_address.patch b/queue-3.18/rtnetlink-allocate-more-memory-for-dev_set_mac_address.patch
new file mode 100644
index 00000000000..dae6c5708a6
--- /dev/null
+++ b/queue-3.18/rtnetlink-allocate-more-memory-for-dev_set_mac_address.patch
@@ -0,0 +1,38 @@
+From foo@baz Tue Aug 8 16:54:20 PDT 2017
+From: WANG Cong
+Date: Thu, 20 Jul 2017 11:27:57 -0700
+Subject: rtnetlink: allocate more memory for dev_set_mac_address()
+
+From: WANG Cong
+
+
+[ Upstream commit 153711f9421be5dbc973dc57a4109dc9d54c89b1 ]
+
+virtnet_set_mac_address() interprets mac address as struct
+sockaddr, but upper layer only allocates dev->addr_len
+which is ETH_ALEN + sizeof(sa_family_t) in this case.
+
+We lack a unified definition for mac address, so just fix
+the upper layer, this also allows drivers to interpret it
+to struct sockaddr freely.
+
+Reported-by: David Ahern
+Signed-off-by: Cong Wang
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/core/rtnetlink.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/core/rtnetlink.c
++++ b/net/core/rtnetlink.c
+@@ -1554,7 +1554,8 @@ static int do_setlink(const struct sk_bu
+ struct sockaddr *sa;
+ int len;
+
+- len = sizeof(sa_family_t) + dev->addr_len;
++ len = sizeof(sa_family_t) + max_t(size_t, dev->addr_len,
++ sizeof(*sa));
+ sa = kmalloc(len, GFP_KERNEL);
+ if (!sa) {
+ err = -ENOMEM;
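Review bot: The new condition makes `pg_vec` double as the signal that an old ring is being torn down, which is correct only if the local was swapped with the previous ring earlier in packet_set_ring(); that swap is outside the hunk, and nothing at this site says so, so a reader will naturally take `pg_vec` for the newly allocated ring. A comment would pin the meaning: `/* pg_vec now holds the old ring (if any); its retire timer must be stopped before free_pg_vec() below */`. The `po->tp_version > TPACKET_V2` test still assumes the version cannot change while a ring is mapped; that holds if setsockopt(PACKET_VERSION) is refused while a ring exists, which is not visible here.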
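Review bot: The buffer is enlarged precisely so that drivers may read it as a whole struct sockaddr, but it is still obtained with kmalloc(), so every byte of sa_data past dev->addr_len is uninitialized heap memory and a driver that copies or compares the full struct will see garbage. `sa = kzalloc(len, GFP_KERNEL);` makes that padding deterministic at negligible cost on this configuration path. The memcpy of the netlink attribute into sa->sa_data and the dev_set_mac_address() call are outside the hunk, so whether anything else initialises the tail cannot be confirmed from here.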
diff --git a/queue-3.18/sctp-don-t-dereference-ptr-before-leaving-_sctp_walk_-params-errors.patch b/queue-3.18/sctp-don-t-dereference-ptr-before-leaving-_sctp_walk_-params-errors.patch
new file mode 100644
index 00000000000..5b93d37cf53
--- /dev/null
+++ b/queue-3.18/sctp-don-t-dereference-ptr-before-leaving-_sctp_walk_-params-errors.patch
@@ -0,0 +1,140 @@ +From foo@baz Tue Aug 8 16:54:20 PDT 2017 +From: Alexander Potapenko +Date: Fri, 14 Jul 2017 18:32:45 +0200 +Subject: sctp: don't dereference ptr before leaving _sctp_walk_{params, errors}() + +From: Alexander Potapenko + + +[ Upstream commit b1f5bfc27a19f214006b9b4db7b9126df2dfdf5a ] + +If the length field of the iterator (|pos.p| or |err|) is past the end +of the chunk, we shouldn't access it. + +This bug has been detected by KMSAN. For the following pair of system +calls: + + socket(PF_INET6, SOCK_STREAM, 0x84 /* IPPROTO_??? */) = 3 + sendto(3, "A", 1, MSG_OOB, {sa_family=AF_INET6, sin6_port=htons(0), + inet_pton(AF_INET6, "::1", &sin6_addr), sin6_flowinfo=0, + sin6_scope_id=0}, 28) = 1 + +the tool has reported a use of uninitialized memory: + + ================================================================== + BUG: KMSAN: use of uninitialized memory in sctp_rcv+0x17b8/0x43b0 + CPU: 1 PID: 2940 Comm: probe Not tainted 4.11.0-rc5+ #2926 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs + 01/01/2011 + Call Trace: + + __dump_stack lib/dump_stack.c:16 + dump_stack+0x172/0x1c0 lib/dump_stack.c:52 + kmsan_report+0x12a/0x180 mm/kmsan/kmsan.c:927 + __msan_warning_32+0x61/0xb0 mm/kmsan/kmsan_instr.c:469 + __sctp_rcv_init_lookup net/sctp/input.c:1074 + __sctp_rcv_lookup_harder net/sctp/input.c:1233 + __sctp_rcv_lookup net/sctp/input.c:1255 + sctp_rcv+0x17b8/0x43b0 net/sctp/input.c:170 + sctp6_rcv+0x32/0x70 net/sctp/ipv6.c:984 + ip6_input_finish+0x82f/0x1ee0 net/ipv6/ip6_input.c:279 + NF_HOOK ./include/linux/netfilter.h:257 + ip6_input+0x239/0x290 net/ipv6/ip6_input.c:322 + dst_input ./include/net/dst.h:492 + ip6_rcv_finish net/ipv6/ip6_input.c:69 + NF_HOOK ./include/linux/netfilter.h:257 + ipv6_rcv+0x1dbd/0x22e0 net/ipv6/ip6_input.c:203 + __netif_receive_skb_core+0x2f6f/0x3a20 net/core/dev.c:4208 + __netif_receive_skb net/core/dev.c:4246 + process_backlog+0x667/0xba0 net/core/dev.c:4866 + napi_poll net/core/dev.c:5268 + 
net_rx_action+0xc95/0x1590 net/core/dev.c:5333 + __do_softirq+0x485/0x942 kernel/softirq.c:284 + do_softirq_own_stack+0x1c/0x30 arch/x86/entry/entry_64.S:902 + + do_softirq kernel/softirq.c:328 + __local_bh_enable_ip+0x25b/0x290 kernel/softirq.c:181 + local_bh_enable+0x37/0x40 ./include/linux/bottom_half.h:31 + rcu_read_unlock_bh ./include/linux/rcupdate.h:931 + ip6_finish_output2+0x19b2/0x1cf0 net/ipv6/ip6_output.c:124 + ip6_finish_output+0x764/0x970 net/ipv6/ip6_output.c:149 + NF_HOOK_COND ./include/linux/netfilter.h:246 + ip6_output+0x456/0x520 net/ipv6/ip6_output.c:163 + dst_output ./include/net/dst.h:486 + NF_HOOK ./include/linux/netfilter.h:257 + ip6_xmit+0x1841/0x1c00 net/ipv6/ip6_output.c:261 + sctp_v6_xmit+0x3b7/0x470 net/sctp/ipv6.c:225 + sctp_packet_transmit+0x38cb/0x3a20 net/sctp/output.c:632 + sctp_outq_flush+0xeb3/0x46e0 net/sctp/outqueue.c:885 + sctp_outq_uncork+0xb2/0xd0 net/sctp/outqueue.c:750 + sctp_side_effects net/sctp/sm_sideeffect.c:1773 + sctp_do_sm+0x6962/0x6ec0 net/sctp/sm_sideeffect.c:1147 + sctp_primitive_ASSOCIATE+0x12c/0x160 net/sctp/primitive.c:88 + sctp_sendmsg+0x43e5/0x4f90 net/sctp/socket.c:1954 + inet_sendmsg+0x498/0x670 net/ipv4/af_inet.c:762 + sock_sendmsg_nosec net/socket.c:633 + sock_sendmsg net/socket.c:643 + SYSC_sendto+0x608/0x710 net/socket.c:1696 + SyS_sendto+0x8a/0xb0 net/socket.c:1664 + do_syscall_64+0xe6/0x130 arch/x86/entry/common.c:285 + entry_SYSCALL64_slow_path+0x25/0x25 arch/x86/entry/entry_64.S:246 + RIP: 0033:0x401133 + RSP: 002b:00007fff6d99cd38 EFLAGS: 00000246 ORIG_RAX: 000000000000002c + RAX: ffffffffffffffda RBX: 00000000004002b0 RCX: 0000000000401133 + RDX: 0000000000000001 RSI: 0000000000494088 RDI: 0000000000000003 + RBP: 00007fff6d99cd90 R08: 00007fff6d99cd50 R09: 000000000000001c + R10: 0000000000000001 R11: 0000000000000246 R12: 0000000000000000 + R13: 00000000004063d0 R14: 0000000000406460 R15: 0000000000000000 + origin: + save_stack_trace+0x37/0x40 arch/x86/kernel/stacktrace.c:59 + 
kmsan_save_stack_with_flags mm/kmsan/kmsan.c:302 + kmsan_internal_poison_shadow+0xb1/0x1a0 mm/kmsan/kmsan.c:198 + kmsan_poison_shadow+0x6d/0xc0 mm/kmsan/kmsan.c:211 + slab_alloc_node mm/slub.c:2743 + __kmalloc_node_track_caller+0x200/0x360 mm/slub.c:4351 + __kmalloc_reserve net/core/skbuff.c:138 + __alloc_skb+0x26b/0x840 net/core/skbuff.c:231 + alloc_skb ./include/linux/skbuff.h:933 + sctp_packet_transmit+0x31e/0x3a20 net/sctp/output.c:570 + sctp_outq_flush+0xeb3/0x46e0 net/sctp/outqueue.c:885 + sctp_outq_uncork+0xb2/0xd0 net/sctp/outqueue.c:750 + sctp_side_effects net/sctp/sm_sideeffect.c:1773 + sctp_do_sm+0x6962/0x6ec0 net/sctp/sm_sideeffect.c:1147 + sctp_primitive_ASSOCIATE+0x12c/0x160 net/sctp/primitive.c:88 + sctp_sendmsg+0x43e5/0x4f90 net/sctp/socket.c:1954 + inet_sendmsg+0x498/0x670 net/ipv4/af_inet.c:762 + sock_sendmsg_nosec net/socket.c:633 + sock_sendmsg net/socket.c:643 + SYSC_sendto+0x608/0x710 net/socket.c:1696 + SyS_sendto+0x8a/0xb0 net/socket.c:1664 + do_syscall_64+0xe6/0x130 arch/x86/entry/common.c:285 + return_from_SYSCALL_64+0x0/0x6a arch/x86/entry/entry_64.S:246 + ================================================================== + +Signed-off-by: Alexander Potapenko +Signed-off-by: David S. 
Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ include/net/sctp/sctp.h | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/include/net/sctp/sctp.h
++++ b/include/net/sctp/sctp.h
+@@ -441,6 +441,8 @@ _sctp_walk_params((pos), (chunk), ntohs(
+
+ #define _sctp_walk_params(pos, chunk, end, member)\
+ for (pos.v = chunk->member;\
++ (pos.v + offsetof(struct sctp_paramhdr, length) + sizeof(pos.p->length) <\
++ (void *)chunk + end) &&\
+ pos.v <= (void *)chunk + end - ntohs(pos.p->length) &&\
+ ntohs(pos.p->length) >= sizeof(sctp_paramhdr_t);\
+ pos.v += WORD_ROUND(ntohs(pos.p->length)))
+@@ -451,6 +453,8 @@ _sctp_walk_errors((err), (chunk_hdr), nt
+ #define _sctp_walk_errors(err, chunk_hdr, end)\
+ for (err = (sctp_errhdr_t *)((void *)chunk_hdr + \
+ sizeof(sctp_chunkhdr_t));\
++ ((void *)err + offsetof(sctp_errhdr_t, length) + sizeof(err->length) <\
++ (void *)chunk_hdr + end) &&\
+ (void *)err <= (void *)chunk_hdr + end - ntohs(err->length) &&\
+ ntohs(err->length) >= sizeof(sctp_errhdr_t); \
+ err = (sctp_errhdr_t *)((void *)err + WORD_ROUND(ntohs(err->length))))
diff --git a/queue-3.18/sctp-fix-the-check-for-_sctp_walk_params-and-_sctp_walk_errors.patch b/queue-3.18/sctp-fix-the-check-for-_sctp_walk_params-and-_sctp_walk_errors.patch
new file mode 100644
index 00000000000..8e5fe932327
--- /dev/null
+++ b/queue-3.18/sctp-fix-the-check-for-_sctp_walk_params-and-_sctp_walk_errors.patch
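Review bot: The new guard uses a strict `<`, so a parameter whose length field ends exactly at the chunk end — the 4-byte trailing parameter case — is never visited, and the walk stops one entry early; the next patch in this same series changes it to `<=` and its description says the intermediate state breaks INIT verification. For a stable backport the two must be applied together, so the series order is load-bearing and worth a note, or the pair squashed into one patch. The macro also still evaluates `end` and `ntohs(pos.p->length)` several times per iteration, which is pre-existing and only matters if a caller ever passes an expression with side effects.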
@@ -0,0 +1,59 @@
+From foo@baz Tue Aug 8 16:54:20 PDT 2017
+From: Xin Long
+Date: Wed, 26 Jul 2017 16:24:59 +0800
+Subject: sctp: fix the check for _sctp_walk_params and _sctp_walk_errors
+
+From: Xin Long
+
+
+[ Upstream commit 6b84202c946cd3da3a8daa92c682510e9ed80321 ]
+
+Commit b1f5bfc27a19 ("sctp: don't dereference ptr before leaving
+_sctp_walk_{params, errors}()") tried to fix the issue that it
+may overstep the chunk end for _sctp_walk_{params, errors} with
+'chunk_end > offset(length) + sizeof(length)'.
+
+But it introduced a side effect: When processing INIT, it verifies
+the chunks with 'param.v == chunk_end' after iterating all params
+by sctp_walk_params(). With the check 'chunk_end > offset(length)
++ sizeof(length)', it would return when the last param is not yet
+accessed. Because the last param usually is fwdtsn supported param
+whose size is 4 and 'chunk_end == offset(length) + sizeof(length)'
+
+This is a badly issue even causing sctp couldn't process 4-shakes.
+Client would always get abort when connecting to server, due to
+the failure of INIT chunk verification on server.
+
+The patch is to use 'chunk_end <= offset(length) + sizeof(length)'
+instead of 'chunk_end < offset(length) + sizeof(length)' for both
+_sctp_walk_params and _sctp_walk_errors.
+
+Fixes: b1f5bfc27a19 ("sctp: don't dereference ptr before leaving _sctp_walk_{params, errors}()")
+Signed-off-by: Xin Long
+Acked-by: Neil Horman
+Signed-off-by: David S. 
Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ include/net/sctp/sctp.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/include/net/sctp/sctp.h
++++ b/include/net/sctp/sctp.h
+@@ -441,7 +441,7 @@ _sctp_walk_params((pos), (chunk), ntohs(
+
+ #define _sctp_walk_params(pos, chunk, end, member)\
+ for (pos.v = chunk->member;\
+- (pos.v + offsetof(struct sctp_paramhdr, length) + sizeof(pos.p->length) <\
++ (pos.v + offsetof(struct sctp_paramhdr, length) + sizeof(pos.p->length) <=\
+ (void *)chunk + end) &&\
+ pos.v <= (void *)chunk + end - ntohs(pos.p->length) &&\
+ ntohs(pos.p->length) >= sizeof(sctp_paramhdr_t);\
+@@ -453,7 +453,7 @@ _sctp_walk_errors((err), (chunk_hdr), nt
+ #define _sctp_walk_errors(err, chunk_hdr, end)\
+ for (err = (sctp_errhdr_t *)((void *)chunk_hdr + \
+ sizeof(sctp_chunkhdr_t));\
+- ((void *)err + offsetof(sctp_errhdr_t, length) + sizeof(err->length) <\
++ ((void *)err + offsetof(sctp_errhdr_t, length) + sizeof(err->length) <=\
+ (void *)chunk_hdr + end) &&\
+ (void *)err <= (void *)chunk_hdr + end - ntohs(err->length) &&\
+ ntohs(err->length) >= sizeof(sctp_errhdr_t); \
diff --git a/queue-3.18/series b/queue-3.18/series
index 4480b2ebd59..4337b2b5692 100644
--- a/queue-3.18/series
+++ b/queue-3.18/series
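Review bot: Each loop condition now chains three tests with distinct jobs, but nothing says which is which, and the first is easy to misread as a weaker duplicate of the second — exactly the confusion that produced the off-by-one this patch corrects. A comment above `_sctp_walk_params` (and the same above `_sctp_walk_errors`) should state that the first test ensures the length field itself lies inside the chunk before it is read, the second that the whole parameter lies inside the chunk, and the third that the length is at least a header so `pos.v` always advances. Both macros are fully visible in this hunk, so the comment can sit directly on the `#define` lines.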
@@ -68,3 +68,14 @@ iscsi-target-fix-early-sk_data_ready-login_flags_ready-race.patch
 iscsi-target-fix-initial-login-pdu-asynchronous-socket-close-oops.patch
 iscsi-target-fix-delayed-logout-processing-greater-than-seconds_for_logout_comp.patch
 f2fs-sanity-check-checkpoint-segno-and-blkoff.patch
+net-zero-terminate-ifr_name-in-dev_ifname.patch
+ipv6-avoid-overflow-of-offset-in-ip6_find_1stfragopt.patch
+ipv4-initialize-fib_trie-prior-to-register_netdev_notifier-call.patch
+rtnetlink-allocate-more-memory-for-dev_set_mac_address.patch
+mcs7780-fix-initialization-when-config_vmap_stack-is-enabled.patch
+packet-fix-use-after-free-in-prb_retire_rx_blk_timer_expired.patch
+dccp-fix-a-memleak-for-dccp_feat_init-err-process.patch
+sctp-don-t-dereference-ptr-before-leaving-_sctp_walk_-params-errors.patch
+sctp-fix-the-check-for-_sctp_walk_params-and-_sctp_walk_errors.patch
+net-phy-correctly-process-phy_halted-in-phy_stop_machine.patch
+xen-netback-correctly-schedule-rate-limited-queues.patch
diff --git a/queue-3.18/xen-netback-correctly-schedule-rate-limited-queues.patch b/queue-3.18/xen-netback-correctly-schedule-rate-limited-queues.patch
new file mode 100644
index 00000000000..de7194dfa9d
--- /dev/null
+++ b/queue-3.18/xen-netback-correctly-schedule-rate-limited-queues.patch
@@ -0,0 +1,82 @@
+From foo@baz Tue Aug 8 16:54:20 PDT 2017
+From: Wei Liu
+Date: Wed, 21 Jun 2017 10:21:22 +0100
+Subject: xen-netback: correctly schedule rate-limited queues
+
+From: Wei Liu
+
+
+[ Upstream commit dfa523ae9f2542bee4cddaea37b3be3e157f6e6b ]
+
+Add a flag to indicate if a queue is rate-limited. Test the flag in
+NAPI poll handler and avoid rescheduling the queue if true, otherwise
+we risk locking up the host. The rescheduling will be done in the
+timer callback function.
+
+Reported-by: Jean-Louis Dupond
+Signed-off-by: Wei Liu
+Tested-by: Jean-Louis Dupond
+Reviewed-by: Paul Durrant
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/xen-netback/common.h | 1 +
+ drivers/net/xen-netback/interface.c | 6 +++++-
+ drivers/net/xen-netback/netback.c | 6 +++++-
+ 3 files changed, 11 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/xen-netback/common.h
++++ b/drivers/net/xen-netback/common.h
+@@ -195,6 +195,7 @@ struct xenvif_queue { /* Per-queue data
+ unsigned long remaining_credit;
+ struct timer_list credit_timeout;
+ u64 credit_window_start;
++ bool rate_limited;
+
+ /* Statistics */
+ struct xenvif_stats stats;
+--- a/drivers/net/xen-netback/interface.c
++++ b/drivers/net/xen-netback/interface.c
+@@ -99,7 +99,11 @@ int xenvif_poll(struct napi_struct *napi
+
+ if (work_done < budget) {
+ napi_complete(napi);
+- xenvif_napi_schedule_or_enable_events(queue);
++ /* If the queue is rate-limited, it shall be
++ * rescheduled in the timer callback. 
++ */
++ if (likely(!queue->rate_limited))
++ xenvif_napi_schedule_or_enable_events(queue);
+ }
+
+ return work_done;
+--- a/drivers/net/xen-netback/netback.c
++++ b/drivers/net/xen-netback/netback.c
+@@ -819,6 +819,7 @@ static void tx_add_credit(struct xenvif_
+ max_credit = ULONG_MAX; /* wrapped: clamp to ULONG_MAX */
+
+ queue->remaining_credit = min(max_credit, max_burst);
++ queue->rate_limited = false;
+ }
+
+ static void tx_credit_callback(unsigned long data)
+@@ -1336,8 +1337,10 @@ static bool tx_credit_exceeded(struct xe
+ msecs_to_jiffies(queue->credit_usec / 1000);
+
+ /* Timer could already be pending in rare cases. */
+- if (timer_pending(&queue->credit_timeout))
++ if (timer_pending(&queue->credit_timeout)) {
++ queue->rate_limited = true;
+ return true;
++ }
+
+ /* Passed the point where we can replenish credit? */
+ if (time_after_eq64(now, next_credit)) {
+@@ -1354,6 +1357,7 @@ static bool tx_credit_exceeded(struct xe
+ mod_timer(&queue->credit_timeout,
+ next_credit);
+ queue->credit_window_start = next_credit;
++ queue->rate_limited = true;
+
+ return true;
+ }
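Review bot: `rate_limited` is a new struct xenvif_queue field that this diff never initialises; unless the queue is allocated from zeroed memory (not visible here), xenvif_poll() can read an indeterminate value before tx_credit_exceeded() or tx_add_credit() first writes it, and an explicit `queue->rate_limited = false;` next to the credit_timeout setup in the queue init path would remove the doubt. The field also lacks the comment its neighbours carry; something like `bool rate_limited; /* credit exhausted: poll must not reschedule, tx_credit_callback() will */` records the contract the interface.c comment relies on. The flag is written in the credit path and read in the NAPI handler after napi_complete(); whether those two can run concurrently cannot be determined from this hunk, and if they can, a WRITE_ONCE()/READ_ONCE() pair would at least document the intended visibility.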