From: Greg Kroah-Hartman
Date: Mon, 27 Jan 2020 14:27:32 +0000 (+0100)
Subject: 4.14-stable patches
X-Git-Tag: v4.4.212~39
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c8e90e89bec5c5f3e0412bf038cb19eb9237d37b;p=thirdparty%2Fkernel%2Fstable-queue.git
4.14-stable patches
added patches:
can-slip-protect-tty-disc_data-in-write_wakeup-and-close-with-rcu.patch
firestream-fix-memory-leaks.patch
gtp-make-sure-only-sock_dgram-udp-sockets-are-accepted.patch
ipv6-sr-remove-skb_gso_ipxip6-on-end.d-actions.patch
net-cxgb3_main-add-cap_net_admin-check-to-chelsio_get_mem.patch
net-ip6_tunnel-fix-namespaces-move.patch
net-ip_tunnel-fix-namespaces-move.patch
net-rtnetlink-validate-ifla_mtu-attribute-in-rtnl_create_link.patch
net-sysfs-fix-reference-count-leak.patch
net-usb-lan78xx-add-.ndo_features_check.patch
net_sched-fix-datalen-for-ematch.patch
tcp_bbr-improve-arithmetic-division-in-bbr_update_bw.patch
---
diff --git a/queue-4.14/can-slip-protect-tty-disc_data-in-write_wakeup-and-close-with-rcu.patch b/queue-4.14/can-slip-protect-tty-disc_data-in-write_wakeup-and-close-with-rcu.patch
new file mode 100644
index 00000000000..ad3e3875a55
--- /dev/null
+++ b/queue-4.14/can-slip-protect-tty-disc_data-in-write_wakeup-and-close-with-rcu.patch
@@ -0,0 +1,109 @@
+From foo@baz Mon 27 Jan 2020 03:20:22 PM CET
+From: Richard Palethorpe
+Date: Tue, 21 Jan 2020 14:42:58 +0100
+Subject: can, slip: Protect tty->disc_data in write_wakeup and close with RCU
+
+From: Richard Palethorpe
+
+[ Upstream commit 0ace17d56824165c7f4c68785d6b58971db954dd ]
+
+write_wakeup can happen in parallel with close/hangup where tty->disc_data
+is set to NULL and the netdevice is freed thus also freeing
+disc_data. write_wakeup accesses disc_data so we must prevent close from
+freeing the netdev while write_wakeup has a non-NULL view of
+tty->disc_data.
+
+We also need to make sure that accesses to disc_data are atomic. Which can
+all be done with RCU.
+
+This problem was found by Syzkaller on SLCAN, but the same issue is
+reproducible with the SLIP line discipline using an LTP test based on the
+Syzkaller reproducer.
+
+A fix which didn't use RCU was posted by Hillf Danton.
+
+Fixes: 661f7fda21b1 ("slip: Fix deadlock in write_wakeup")
+Fixes: a8e83b17536a ("slcan: Port write_wakeup deadlock fix from slip")
+Reported-by: syzbot+017e491ae13c0068598a@syzkaller.appspotmail.com
+Signed-off-by: Richard Palethorpe
+Cc: Wolfgang Grandegger
+Cc: Marc Kleine-Budde
+Cc: "David S. Miller"
+Cc: Tyler Hall
+Cc: linux-can@vger.kernel.org
+Cc: netdev@vger.kernel.org
+Cc: linux-kernel@vger.kernel.org
+Cc: syzkaller@googlegroups.com
+Signed-off-by: David S. 
Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/can/slcan.c | 12 ++++++++++--
+ drivers/net/slip/slip.c | 12 ++++++++++--
+ 2 files changed, 20 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/can/slcan.c
++++ b/drivers/net/can/slcan.c
+@@ -343,9 +343,16 @@ static void slcan_transmit(struct work_s
+ */
+ static void slcan_write_wakeup(struct tty_struct *tty)
+ {
+- struct slcan *sl = tty->disc_data;
++ struct slcan *sl;
++
++ rcu_read_lock();
++ sl = rcu_dereference(tty->disc_data);
++ if (!sl)
++ goto out;
+
+ schedule_work(&sl->tx_work);
++out:
++ rcu_read_unlock();
+ }
+
+ /* Send a can_frame to a TTY queue. */
+@@ -640,10 +647,11 @@ static void slcan_close(struct tty_struc
+ return;
+
+ spin_lock_bh(&sl->lock);
+- tty->disc_data = NULL;
++ rcu_assign_pointer(tty->disc_data, NULL);
+ sl->tty = NULL;
+ spin_unlock_bh(&sl->lock);
+
++ synchronize_rcu();
+ flush_work(&sl->tx_work);
+
+ /* Flush network side */
+--- a/drivers/net/slip/slip.c
++++ b/drivers/net/slip/slip.c
+@@ -452,9 +452,16 @@ static void slip_transmit(struct work_st
+ */
+ static void slip_write_wakeup(struct tty_struct *tty)
+ {
+- struct slip *sl = tty->disc_data;
++ struct slip *sl;
++
++ rcu_read_lock();
++ sl = rcu_dereference(tty->disc_data);
++ if (!sl)
++ goto out;
+
+ schedule_work(&sl->tx_work);
++out:
++ rcu_read_unlock();
+ }
+
+ static void sl_tx_timeout(struct net_device *dev)
+@@ -886,10 +893,11 @@ static void slip_close(struct tty_struct
+ return;
+
+ spin_lock_bh(&sl->lock);
+- tty->disc_data = NULL;
++ rcu_assign_pointer(tty->disc_data, NULL);
+ sl->tty = NULL;
+ spin_unlock_bh(&sl->lock);
+
++ synchronize_rcu();
+ flush_work(&sl->tx_work);
+
+ /* VSV = very important to remove timers */
diff --git a/queue-4.14/firestream-fix-memory-leaks.patch b/queue-4.14/firestream-fix-memory-leaks.patch
new file mode 100644
index 00000000000..f01c2783461
--- /dev/null
+++ b/queue-4.14/firestream-fix-memory-leaks.patch
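Review bot: `tty->disc_data` is now read through rcu_dereference() and written through rcu_assign_pointer() at four sites, but nothing in the hunk annotates the field `__rcu`; unless struct tty_struct declares it so (outside this patch), sparse will flag an address-space mismatch on each site and the RCU contract rests on convention alone. The ordering in both close paths is sound — NULL store under sl->lock, then synchronize_rcu() before flush_work() so no write_wakeup() still holding a non-NULL `sl` can outlive the netdev — but it deserves a one-line comment above each synchronize_rcu(), e.g. `/* wait for write_wakeup() readers of disc_data before the netdev can go away */`. Other readers of tty->disc_data in slcan.c and slip.c (the receive_buf and ioctl paths) are outside the hunk; if any of them dereferences the pointer without holding sl->lock it needs the same treatment. slcan_close() and slip_close() both start outside the hunk.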
@@ -0,0 +1,52 @@
+From foo@baz Mon 27 Jan 2020 03:20:22 PM CET
+From: Wenwen Wang
+Date: Sat, 25 Jan 2020 14:33:29 +0000
+Subject: firestream: fix memory leaks
+
+From: Wenwen Wang
+
+[ Upstream commit fa865ba183d61c1ec8cbcab8573159c3b72b89a4 ]
+
+In fs_open(), 'vcc' is allocated through kmalloc() and assigned to
+'atm_vcc->dev_data.' In the following execution, if an error occurs, e.g.,
+there is no more free channel, an error code EBUSY or ENOMEM will be
+returned. However, 'vcc' is not deallocated, leading to memory leaks. Note
+that, in normal cases where fs_open() returns 0, 'vcc' will be deallocated
+in fs_close(). But, if fs_open() fails, there is no guarantee that
+fs_close() will be invoked.
+
+To fix this issue, deallocate 'vcc' before the error code is returned.
+
+Signed-off-by: Wenwen Wang
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/atm/firestream.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/atm/firestream.c
++++ b/drivers/atm/firestream.c
+@@ -927,6 +927,7 @@ static int fs_open(struct atm_vcc *atm_v
+ }
+ if (!to) {
+ printk ("No more free channels for FS50..\n");
++ kfree(vcc);
+ return -EBUSY;
+ }
+ vcc->channo = dev->channo;
+@@ -937,6 +938,7 @@ static int fs_open(struct atm_vcc *atm_v
+ if (((DO_DIRECTION(rxtp) && dev->atm_vccs[vcc->channo])) ||
+ ( DO_DIRECTION(txtp) && test_bit (vcc->channo, dev->tx_inuse))) {
+ printk ("Channel is in use for FS155.\n");
++ kfree(vcc);
+ return -EBUSY;
+ }
+ }
+@@ -950,6 +952,7 @@ static int fs_open(struct atm_vcc *atm_v
+ tc, sizeof (struct fs_transmit_config));
+ if (!tc) {
+ fs_dprintk (FS_DEBUG_OPEN, "fs: can't alloc transmit_config.\n");
++ kfree(vcc);
+ return -ENOMEM;
+ }
+
diff --git a/queue-4.14/gtp-make-sure-only-sock_dgram-udp-sockets-are-accepted.patch b/queue-4.14/gtp-make-sure-only-sock_dgram-udp-sockets-are-accepted.patch
new file mode 100644
index 00000000000..49b90e13be4
--- /dev/null
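Review bot: Each added `kfree(vcc)` leaves `atm_vcc->dev_data` — which the commit message says was assigned `vcc` earlier in fs_open() — pointing at freed memory, so any later reader of dev_data on the failed atm_vcc (fs_close() included) would be a use-after-free; clear it next to every free, `atm_vcc->dev_data = NULL;`, on all three paths. Three copies of the same cleanup in one function are also easy to let drift; a single `out_free_vcc:` label holding the kfree and the NULL store, reached by goto from each failing branch, would keep them in step. fs_open() starts and ends outside the hunk, so that the dev_data assignment precedes these checks is taken from the description, not from visible lines.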
+++ b/queue-4.14/gtp-make-sure-only-sock_dgram-udp-sockets-are-accepted.patch 
@@ -0,0 +1,119 @@ +From foo@baz Mon 27 Jan 2020 03:20:22 PM CET +From: Eric Dumazet +Date: Tue, 21 Jan 2020 23:17:14 -0800 +Subject: gtp: make sure only SOCK_DGRAM UDP sockets are accepted + +From: Eric Dumazet + +[ Upstream commit 940ba14986657a50c15f694efca1beba31fa568f ] + +A malicious user could use RAW sockets and fool +GTP using them as standard SOCK_DGRAM UDP sockets. + +BUG: KMSAN: uninit-value in udp_tunnel_encap_enable include/net/udp_tunnel.h:174 [inline] +BUG: KMSAN: uninit-value in setup_udp_tunnel_sock+0x45e/0x6f0 net/ipv4/udp_tunnel.c:85 +CPU: 0 PID: 11262 Comm: syz-executor613 Not tainted 5.5.0-rc5-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0x1c9/0x220 lib/dump_stack.c:118 + kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:118 + __msan_warning+0x58/0xa0 mm/kmsan/kmsan_instr.c:215 + udp_tunnel_encap_enable include/net/udp_tunnel.h:174 [inline] + setup_udp_tunnel_sock+0x45e/0x6f0 net/ipv4/udp_tunnel.c:85 + gtp_encap_enable_socket+0x37f/0x5a0 drivers/net/gtp.c:827 + gtp_encap_enable drivers/net/gtp.c:844 [inline] + gtp_newlink+0xfb/0x1e50 drivers/net/gtp.c:666 + __rtnl_newlink net/core/rtnetlink.c:3305 [inline] + rtnl_newlink+0x2973/0x3920 net/core/rtnetlink.c:3363 + rtnetlink_rcv_msg+0x1153/0x1570 net/core/rtnetlink.c:5424 + netlink_rcv_skb+0x451/0x650 net/netlink/af_netlink.c:2477 + rtnetlink_rcv+0x50/0x60 net/core/rtnetlink.c:5442 + netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline] + netlink_unicast+0xf9e/0x1100 net/netlink/af_netlink.c:1328 + netlink_sendmsg+0x1248/0x14d0 net/netlink/af_netlink.c:1917 + sock_sendmsg_nosec net/socket.c:639 [inline] + sock_sendmsg net/socket.c:659 [inline] + ____sys_sendmsg+0x12b6/0x1350 net/socket.c:2330 + ___sys_sendmsg net/socket.c:2384 [inline] + __sys_sendmsg+0x451/0x5f0 net/socket.c:2417 + __do_sys_sendmsg net/socket.c:2426 [inline] + __se_sys_sendmsg+0x97/0xb0 
net/socket.c:2424 + __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2424 + do_syscall_64+0xb8/0x160 arch/x86/entry/common.c:296 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 +RIP: 0033:0x441359 +Code: e8 ac e8 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb 08 fc ff c3 66 2e 0f 1f 84 00 00 00 00 +RSP: 002b:00007fff1cd0ac28 EFLAGS: 00000246 ORIG_RAX: 000000000000002e +RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000441359 +RDX: 0000000000000000 RSI: 0000000020000100 RDI: 0000000000000003 +RBP: 00000000006cb018 R08: 00000000004002c8 R09: 00000000004002c8 +R10: 00000000004002c8 R11: 0000000000000246 R12: 00000000004020d0 +R13: 0000000000402160 R14: 0000000000000000 R15: 0000000000000000 + +Uninit was created at: + kmsan_save_stack_with_flags+0x3c/0x90 mm/kmsan/kmsan.c:144 + kmsan_internal_alloc_meta_for_pages mm/kmsan/kmsan_shadow.c:307 [inline] + kmsan_alloc_page+0x12a/0x310 mm/kmsan/kmsan_shadow.c:336 + __alloc_pages_nodemask+0x57f2/0x5f60 mm/page_alloc.c:4800 + alloc_pages_current+0x67d/0x990 mm/mempolicy.c:2207 + alloc_pages include/linux/gfp.h:534 [inline] + alloc_slab_page+0x111/0x12f0 mm/slub.c:1511 + allocate_slab mm/slub.c:1656 [inline] + new_slab+0x2bc/0x1130 mm/slub.c:1722 + new_slab_objects mm/slub.c:2473 [inline] + ___slab_alloc+0x1533/0x1f30 mm/slub.c:2624 + __slab_alloc mm/slub.c:2664 [inline] + slab_alloc_node mm/slub.c:2738 [inline] + slab_alloc mm/slub.c:2783 [inline] + kmem_cache_alloc+0xb23/0xd70 mm/slub.c:2788 + sk_prot_alloc+0xf2/0x620 net/core/sock.c:1597 + sk_alloc+0xf0/0xbe0 net/core/sock.c:1657 + inet_create+0x7c7/0x1370 net/ipv4/af_inet.c:321 + __sock_create+0x8eb/0xf00 net/socket.c:1420 + sock_create net/socket.c:1471 [inline] + __sys_socket+0x1a1/0x600 net/socket.c:1513 + __do_sys_socket net/socket.c:1522 [inline] + __se_sys_socket+0x8d/0xb0 net/socket.c:1520 + __x64_sys_socket+0x4a/0x70 net/socket.c:1520 + do_syscall_64+0xb8/0x160 
arch/x86/entry/common.c:296 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +Fixes: 459aa660eb1d ("gtp: add initial driver for datapath of GPRS Tunneling Protocol (GTP-U)") +Signed-off-by: Eric Dumazet +Cc: Pablo Neira +Reported-by: syzbot +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/gtp.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +--- a/drivers/net/gtp.c ++++ b/drivers/net/gtp.c +@@ -807,19 +807,21 @@ static struct sock *gtp_encap_enable_soc + return NULL; + } + +- if (sock->sk->sk_protocol != IPPROTO_UDP) { ++ sk = sock->sk; ++ if (sk->sk_protocol != IPPROTO_UDP || ++ sk->sk_type != SOCK_DGRAM || ++ (sk->sk_family != AF_INET && sk->sk_family != AF_INET6)) { + pr_debug("socket fd=%d not UDP\n", fd); + sk = ERR_PTR(-EINVAL); + goto out_sock; + } + +- lock_sock(sock->sk); +- if (sock->sk->sk_user_data) { ++ lock_sock(sk); ++ if (sk->sk_user_data) { + sk = ERR_PTR(-EBUSY); + goto out_rel_sock; + } + +- sk = sock->sk; + sock_hold(sk); + + tuncfg.sk_user_data = gtp; diff --git a/queue-4.14/ipv6-sr-remove-skb_gso_ipxip6-on-end.d-actions.patch b/queue-4.14/ipv6-sr-remove-skb_gso_ipxip6-on-end.d-actions.patch new file mode 100644 index 00000000000..7992edbccd3 --- /dev/null +++ b/queue-4.14/ipv6-sr-remove-skb_gso_ipxip6-on-end.d-actions.patch 
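Review bot: The `pr_debug("socket fd=%d not UDP\n", fd)` message now covers three distinct rejections (wrong protocol, wrong socket type, wrong family) but still says "not UDP", which misleads anyone debugging why a raw socket or an IPv6-less build is refused; `pr_debug("socket fd=%d not an AF_INET/AF_INET6 SOCK_DGRAM UDP socket\n", fd);` would describe the actual check. Reading sk_protocol, sk_type and sk_family before lock_sock() is fine since those are fixed at socket creation, but a short comment stating that would pre-empt the question at review time. gtp_encap_enable_socket() starts and ends outside the hunk.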
@@ -0,0 +1,53 @@
+From foo@baz Mon 27 Jan 2020 03:20:22 PM CET
+From: Yuki Taguchi
+Date: Mon, 20 Jan 2020 13:48:37 +0900
+Subject: ipv6: sr: remove SKB_GSO_IPXIP6 on End.D* actions
+
+From: Yuki Taguchi
+
+[ Upstream commit 62ebaeaedee7591c257543d040677a60e35c7aec ]
+
+After LRO/GRO is applied, SRv6 encapsulated packets have
+SKB_GSO_IPXIP6 feature flag, and this flag must be removed right after
+decapulation procedure.
+
+Currently, SKB_GSO_IPXIP6 flag is not removed on End.D* actions, which
+creates inconsistent packet state, that is, a normal TCP/IP packets
+have the SKB_GSO_IPXIP6 flag. This behavior can cause unexpected
+fallback to GSO on routing to netdevices that do not support
+SKB_GSO_IPXIP6. For example, on inter-VRF forwarding, decapsulated
+packets separated into small packets by GSO because VRF devices do not
+support TSO for packets with SKB_GSO_IPXIP6 flag, and this degrades
+forwarding performance.
+
+This patch removes encapsulation related GSO flags from the skb right
+after the End.D* action is applied.
+
+Fixes: d7a669dd2f8b ("ipv6: sr: add helper functions for seg6local")
+Signed-off-by: Yuki Taguchi
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv6/seg6_local.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/ipv6/seg6_local.c
++++ b/net/ipv6/seg6_local.c
+@@ -27,6 +27,7 @@
+ #include
+ #include
+ #include
++#include
+ #ifdef CONFIG_IPV6_SEG6_HMAC
+ #include
+ #endif
+@@ -126,7 +127,8 @@ static bool decap_and_validate(struct sk
+
+ skb_reset_network_header(skb);
+ skb_reset_transport_header(skb);
+- skb->encapsulation = 0;
++ if (iptunnel_pull_offloads(skb))
++ return false;
+
+ return true;
+ }
diff --git a/queue-4.14/net-cxgb3_main-add-cap_net_admin-check-to-chelsio_get_mem.patch b/queue-4.14/net-cxgb3_main-add-cap_net_admin-check-to-chelsio_get_mem.patch
new file mode 100644
index 00000000000..d38757195c8
--- /dev/null
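Review bot: Replacing `skb->encapsulation = 0` with a failable `iptunnel_pull_offloads()` call gives decap_and_validate() a new false-return path at a point that previously could not fail, and nothing at the site says why; a comment on the new `if`, such as `/* drop encap GSO state; may have to unclone the skb, so it can fail */`, would document it (what the helper does internally is inferred from its name, not visible here). The target of the added `#include` line is lost in this rendering and should be confirmed against the upstream commit when the patch is applied. decap_and_validate() starts outside the hunk, so whether its callers free the skb on a false return cannot be checked from here.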
+++ b/queue-4.14/net-cxgb3_main-add-cap_net_admin-check-to-chelsio_get_mem.patch
@@ -0,0 +1,45 @@
+From foo@baz Mon 27 Jan 2020 03:20:22 PM CET
+From: Michael Ellerman
+Date: Fri, 24 Jan 2020 20:41:44 +1100
+Subject: net: cxgb3_main: Add CAP_NET_ADMIN check to CHELSIO_GET_MEM
+
+From: Michael Ellerman
+
+[ Upstream commit 3546d8f1bbe992488ed91592cf6bf76e7114791a =
+
+The cxgb3 driver for "Chelsio T3-based gigabit and 10Gb Ethernet
+adapters" implements a custom ioctl as SIOCCHIOCTL/SIOCDEVPRIVATE in
+cxgb_extension_ioctl().
+
+One of the subcommands of the ioctl is CHELSIO_GET_MEM, which appears
+to read memory directly out of the adapter and return it to userspace.
+It's not entirely clear what the contents of the adapter memory
+contains, but the assumption is that it shouldn't be accessible to all
+users.
+
+So add a CAP_NET_ADMIN check to the CHELSIO_GET_MEM case. Put it after
+the is_offload() check, which matches two of the other subcommands in
+the same function which also check for is_offload() and CAP_NET_ADMIN.
+
+Found by Ilja by code inspection, not tested as I don't have the
+required hardware.
+
+Reported-by: Ilja Van Sprundel
+Signed-off-by: Michael Ellerman
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c
++++ b/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c
+@@ -2449,6 +2449,8 @@ static int cxgb_extension_ioctl(struct n
+
+ if (!is_offload(adapter))
+ return -EOPNOTSUPP;
++ if (!capable(CAP_NET_ADMIN))
++ return -EPERM;
+ if (!(adapter->flags & FULL_INIT_DONE))
+ return -EIO; /* need the memory controllers */
+ if (copy_from_user(&t, useraddr, sizeof(t)))
diff --git a/queue-4.14/net-ip6_tunnel-fix-namespaces-move.patch b/queue-4.14/net-ip6_tunnel-fix-namespaces-move.patch
new file mode 100644
index 00000000000..19d50873d63
--- /dev/null
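Review bot: The new `capable(CAP_NET_ADMIN)` check sits before the copy_from_user(), which is the right place — an unprivileged caller never gets the adapter memory read started — but the site itself does not say why this subcommand is privileged; a comment beside the check, such as `/* CHELSIO_GET_MEM hands raw adapter memory to userspace */`, would carry the reasoning from the commit message into the code. Ordering it after is_offload() means a non-offload adapter answers -EOPNOTSUPP before -EPERM, which the description says matches the sibling subcommands; worth stating in the same comment so nobody "tidies" the order later. cxgb_extension_ioctl() starts and ends outside the hunk.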
+++ b/queue-4.14/net-ip6_tunnel-fix-namespaces-move.patch
@@ -0,0 +1,37 @@
+From foo@baz Mon 27 Jan 2020 03:20:22 PM CET
+From: William Dauchy
+Date: Tue, 21 Jan 2020 21:49:54 +0100
+Subject: net, ip6_tunnel: fix namespaces move
+
+From: William Dauchy
+
+[ Upstream commit 5311a69aaca30fa849c3cc46fb25f75727fb72d0 ]
+
+in the same manner as commit d0f418516022 ("net, ip_tunnel: fix
+namespaces move"), fix namespace moving as it was broken since commit
+8d79266bc48c ("ip6_tunnel: add collect_md mode to IPv6 tunnel"), but for
+ipv6 this time; there is no reason to keep it for ip6_tunnel.
+
+Fixes: 8d79266bc48c ("ip6_tunnel: add collect_md mode to IPv6 tunnel")
+Signed-off-by: William Dauchy
+Acked-by: Nicolas Dichtel
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv6/ip6_tunnel.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/net/ipv6/ip6_tunnel.c
++++ b/net/ipv6/ip6_tunnel.c
+@@ -1878,10 +1878,8 @@ static int ip6_tnl_dev_init(struct net_d
+ if (err)
+ return err;
+ ip6_tnl_link_config(t);
+- if (t->parms.collect_md) {
+- dev->features |= NETIF_F_NETNS_LOCAL;
++ if (t->parms.collect_md)
+ netif_keep_dst(dev);
+- }
+ return 0;
+ }
+
diff --git a/queue-4.14/net-ip_tunnel-fix-namespaces-move.patch b/queue-4.14/net-ip_tunnel-fix-namespaces-move.patch
new file mode 100644
index 00000000000..cf6087406e3
--- /dev/null
+++ b/queue-4.14/net-ip_tunnel-fix-namespaces-move.patch
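Review bot: Dropping NETIF_F_NETNS_LOCAL for collect_md tunnels leaves no trace at the site of why these devices may now be moved between namespaces; a comment on the surviving `if (t->parms.collect_md)`, e.g. `/* collect_md tunnels route via their creation netns, so a netns move is safe */`, would stop the next reader from re-adding the flag, and the same applies to the ip_tunnel.c hunk in the following patch (net-ip_tunnel-fix-namespaces-move.patch). That the underlay lookups use the creation-time net rather than dev_net(dev) is taken from the chain of commit messages, not from either hunk, so confirm it before committing to that wording. ip6_tnl_dev_init() and ip_tunnel_init() both start outside their hunks.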
@@ -0,0 +1,40 @@
+From foo@baz Mon 27 Jan 2020 03:20:22 PM CET
+From: William Dauchy
+Date: Tue, 21 Jan 2020 15:26:24 +0100
+Subject: net, ip_tunnel: fix namespaces move
+
+From: William Dauchy
+
+[ Upstream commit d0f418516022c32ecceaf4275423e5bd3f8743a9 ]
+
+in the same manner as commit 690afc165bb3 ("net: ip6_gre: fix moving
+ip6gre between namespaces"), fix namespace moving as it was broken since
+commit 2e15ea390e6f ("ip_gre: Add support to collect tunnel metadata.").
+Indeed, the ip6_gre commit removed the local flag for collect_md
+condition, so there is no reason to keep it for ip_gre/ip_tunnel.
+
+this patch will fix both ip_tunnel and ip_gre modules.
+
+Fixes: 2e15ea390e6f ("ip_gre: Add support to collect tunnel metadata.")
+Signed-off-by: William Dauchy
+Acked-by: Nicolas Dichtel
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv4/ip_tunnel.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/net/ipv4/ip_tunnel.c
++++ b/net/ipv4/ip_tunnel.c
+@@ -1202,10 +1202,8 @@ int ip_tunnel_init(struct net_device *de
+ iph->version = 4;
+ iph->ihl = 5;
+
+- if (tunnel->collect_md) {
+- dev->features |= NETIF_F_NETNS_LOCAL;
++ if (tunnel->collect_md)
+ netif_keep_dst(dev);
+- }
+ return 0;
+ }
+ EXPORT_SYMBOL_GPL(ip_tunnel_init);
diff --git a/queue-4.14/net-rtnetlink-validate-ifla_mtu-attribute-in-rtnl_create_link.patch b/queue-4.14/net-rtnetlink-validate-ifla_mtu-attribute-in-rtnl_create_link.patch
new file mode 100644
index 00000000000..15b9e4895e6
--- /dev/null
+++ b/queue-4.14/net-rtnetlink-validate-ifla_mtu-attribute-in-rtnl_create_link.patch
@@ -0,0 +1,179 @@ +From foo@baz Mon 27 Jan 2020 03:20:22 PM CET +From: Eric Dumazet +Date: Tue, 21 Jan 2020 22:47:29 -0800 +Subject: net: rtnetlink: validate IFLA_MTU attribute in rtnl_create_link() + +From: Eric Dumazet + +[ Upstream commit d836f5c69d87473ff65c06a6123e5b2cf5e56f5b ] + +rtnl_create_link() needs to apply dev->min_mtu and dev->max_mtu +checks that we apply in do_setlink() + +Otherwise malicious users can crash the kernel, for example after +an integer overflow : + +BUG: KASAN: use-after-free in memset include/linux/string.h:365 [inline] +BUG: KASAN: use-after-free in __alloc_skb+0x37b/0x5e0 net/core/skbuff.c:238 +Write of size 32 at addr ffff88819f20b9c0 by task swapper/0/0 + +CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.5.0-rc1-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0x197/0x210 lib/dump_stack.c:118 + print_address_description.constprop.0.cold+0xd4/0x30b mm/kasan/report.c:374 + __kasan_report.cold+0x1b/0x41 mm/kasan/report.c:506 + kasan_report+0x12/0x20 mm/kasan/common.c:639 + check_memory_region_inline mm/kasan/generic.c:185 [inline] + check_memory_region+0x134/0x1a0 mm/kasan/generic.c:192 + memset+0x24/0x40 mm/kasan/common.c:108 + memset include/linux/string.h:365 [inline] + __alloc_skb+0x37b/0x5e0 net/core/skbuff.c:238 + alloc_skb include/linux/skbuff.h:1049 [inline] + alloc_skb_with_frags+0x93/0x590 net/core/skbuff.c:5664 + sock_alloc_send_pskb+0x7ad/0x920 net/core/sock.c:2242 + sock_alloc_send_skb+0x32/0x40 net/core/sock.c:2259 + mld_newpack+0x1d7/0x7f0 net/ipv6/mcast.c:1609 + add_grhead.isra.0+0x299/0x370 net/ipv6/mcast.c:1713 + add_grec+0x7db/0x10b0 net/ipv6/mcast.c:1844 + mld_send_cr net/ipv6/mcast.c:1970 [inline] + mld_ifc_timer_expire+0x3d3/0x950 net/ipv6/mcast.c:2477 + call_timer_fn+0x1ac/0x780 kernel/time/timer.c:1404 + expire_timers kernel/time/timer.c:1449 [inline] + __run_timers 
kernel/time/timer.c:1773 [inline] + __run_timers kernel/time/timer.c:1740 [inline] + run_timer_softirq+0x6c3/0x1790 kernel/time/timer.c:1786 + __do_softirq+0x262/0x98c kernel/softirq.c:292 + invoke_softirq kernel/softirq.c:373 [inline] + irq_exit+0x19b/0x1e0 kernel/softirq.c:413 + exiting_irq arch/x86/include/asm/apic.h:536 [inline] + smp_apic_timer_interrupt+0x1a3/0x610 arch/x86/kernel/apic/apic.c:1137 + apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:829 + +RIP: 0010:native_safe_halt+0xe/0x10 arch/x86/include/asm/irqflags.h:61 +Code: 98 6b ea f9 eb 8a cc cc cc cc cc cc e9 07 00 00 00 0f 00 2d 44 1c 60 00 f4 c3 66 90 e9 07 00 00 00 0f 00 2d 34 1c 60 00 fb f4 cc 55 48 89 e5 41 57 41 56 41 55 41 54 53 e8 4e 5d 9a f9 e8 79 +RSP: 0018:ffffffff89807ce8 EFLAGS: 00000286 ORIG_RAX: ffffffffffffff13 +RAX: 1ffffffff13266ae RBX: ffffffff8987a1c0 RCX: 0000000000000000 +RDX: dffffc0000000000 RSI: 0000000000000006 RDI: ffffffff8987aa54 +RBP: ffffffff89807d18 R08: ffffffff8987a1c0 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000000 R12: dffffc0000000000 +R13: ffffffff8a799980 R14: 0000000000000000 R15: 0000000000000000 + arch_cpu_idle+0xa/0x10 arch/x86/kernel/process.c:690 + default_idle_call+0x84/0xb0 kernel/sched/idle.c:94 + cpuidle_idle_call kernel/sched/idle.c:154 [inline] + do_idle+0x3c8/0x6e0 kernel/sched/idle.c:269 + cpu_startup_entry+0x1b/0x20 kernel/sched/idle.c:361 + rest_init+0x23b/0x371 init/main.c:451 + arch_call_rest_init+0xe/0x1b + start_kernel+0x904/0x943 init/main.c:784 + x86_64_start_reservations+0x29/0x2b arch/x86/kernel/head64.c:490 + x86_64_start_kernel+0x77/0x7b arch/x86/kernel/head64.c:471 + secondary_startup_64+0xa4/0xb0 arch/x86/kernel/head_64.S:242 + +The buggy address belongs to the page: +page:ffffea00067c82c0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 +raw: 057ffe0000000000 ffffea00067c82c8 ffffea00067c82c8 0000000000000000 +raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 +page dumped 
because: kasan: bad access detected
+
+Memory state around the buggy address:
+ ffff88819f20b880: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+ ffff88819f20b900: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+>ffff88819f20b980: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+ ^
+ ffff88819f20ba00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+ ffff88819f20ba80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+
+Fixes: 61e84623ace3 ("net: centralize net_device min/max MTU checking")
+Signed-off-by: Eric Dumazet
+Reported-by: syzbot
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ include/linux/netdevice.h | 2 ++
+ net/core/dev.c | 31 +++++++++++++++++++------------
+ net/core/rtnetlink.c | 13 +++++++++++--
+ 3 files changed, 32 insertions(+), 14 deletions(-)
+
+--- a/include/linux/netdevice.h
++++ b/include/linux/netdevice.h
+@@ -3313,6 +3313,8 @@ int dev_set_alias(struct net_device *, c
+ int dev_change_net_namespace(struct net_device *, struct net *, const char *);
+ int __dev_set_mtu(struct net_device *, int);
+ int dev_set_mtu(struct net_device *, int);
++int dev_validate_mtu(struct net_device *dev, int mtu,
++ struct netlink_ext_ack *extack);
+ void dev_set_group(struct net_device *, int);
+ int dev_set_mac_address(struct net_device *, struct sockaddr *);
+ int dev_change_carrier(struct net_device *, bool new_carrier);
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -6896,18 +6896,9 @@ int dev_set_mtu(struct net_device *dev,
+ if (new_mtu == dev->mtu)
+ return 0;
+
+- /* MTU must be positive, and in range */
+- if (new_mtu < 0 || new_mtu < dev->min_mtu) {
+- net_err_ratelimited("%s: Invalid MTU %d requested, hw min %d\n",
+- dev->name, new_mtu, dev->min_mtu);
+- return -EINVAL;
+- }
+-
+- if (dev->max_mtu > 0 && new_mtu > dev->max_mtu) {
+- net_err_ratelimited("%s: Invalid MTU %d requested, hw max %d\n",
+- dev->name, new_mtu, dev->max_mtu);
+- return -EINVAL;
+- }
++ err = dev_validate_mtu(dev, new_mtu, extack);
++ if (err)
++ return err;
+
+ if (!netif_device_present(dev))
+ return -ENODEV;
+@@ -7769,6 +7760,22 @@ int init_dummy_netdev(struct net_device
+ EXPORT_SYMBOL_GPL(init_dummy_netdev);
+
+
++int dev_validate_mtu(struct net_device *dev, int new_mtu,
++ struct netlink_ext_ack *extack)
++{
++ /* MTU must be positive, and in range */
++ if (new_mtu < 0 || new_mtu < dev->min_mtu) {
++ NL_SET_ERR_MSG(extack, "mtu less than device minimum");
++ return -EINVAL;
++ }
++
++ if (dev->max_mtu > 0 && new_mtu > dev->max_mtu) {
++ NL_SET_ERR_MSG(extack, "mtu greater than device maximum");
++ return -EINVAL;
++ }
++ return 0;
++}
++
+ /**
+ * register_netdev - register a network device
+ * @dev: device to register
+--- a/net/core/rtnetlink.c
++++ b/net/core/rtnetlink.c
+@@ -2466,8 +2466,17 @@ struct net_device *rtnl_create_link(stru
+ dev->rtnl_link_ops = ops;
+ dev->rtnl_link_state = RTNL_LINK_INITIALIZING;
+
+- if (tb[IFLA_MTU])
+- dev->mtu = nla_get_u32(tb[IFLA_MTU]);
++ if (tb[IFLA_MTU]) {
++ u32 mtu = nla_get_u32(tb[IFLA_MTU]);
++ int err;
++
++ err = dev_validate_mtu(dev, mtu, NULL);
++ if (err) {
++ free_netdev(dev);
++ return ERR_PTR(err);
++ }
++ dev->mtu = mtu;
++ }
+ if (tb[IFLA_ADDRESS]) {
+ memcpy(dev->dev_addr, nla_data(tb[IFLA_ADDRESS]),
+ nla_len(tb[IFLA_ADDRESS]));
diff --git a/queue-4.14/net-sysfs-fix-reference-count-leak.patch b/queue-4.14/net-sysfs-fix-reference-count-leak.patch
new file mode 100644
index 00000000000..b00b3d5ec7a
--- /dev/null
+++ b/queue-4.14/net-sysfs-fix-reference-count-leak.patch
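Review bot: In the net/core/dev.c hunk, `err = dev_validate_mtu(dev, new_mtu, extack);` lands in a dev_set_mtu() whose removed lines logged through net_err_ratelimited() with dev->name — the pre-extack shape of that function — and no `extack` declaration is visible anywhere in the hunk; if this 4.14 dev_set_mtu() has no extack parameter (its signature is cut off in the hunk header), the backport will not compile and should pass `NULL` the way rtnl_create_link() does. Either way the two ratelimited kernel-log messages are gone and, with a NULL extack, NL_SET_ERR_MSG() reports nothing, so the failure becomes silent; keeping one net_err_ratelimited() inside dev_validate_mtu(), or a comment acknowledging the silent path, would be reasonable. In rtnl_create_link() the `u32 mtu` is passed into an `int` parameter, so attribute values above INT_MAX arrive negative and are rejected by the `new_mtu < 0` branch — correct, but a one-line comment (`/* u32 attr > INT_MAX wraps negative and is rejected by the validator */`) would stop someone "fixing" it into an unsigned compare. Both dev_set_mtu() and rtnl_create_link() start outside their hunks.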
@@ -0,0 +1,99 @@ +From foo@baz Mon 27 Jan 2020 03:20:22 PM CET +From: Jouni Hogander +Date: Mon, 20 Jan 2020 09:51:03 +0200 +Subject: net-sysfs: Fix reference count leak + +From: Jouni Hogander + +[ Upstream commit cb626bf566eb4433318d35681286c494f04fedcc ] + +Netdev_register_kobject is calling device_initialize. In case of error +reference taken by device_initialize is not given up. + +Drivers are supposed to call free_netdev in case of error. In non-error +case the last reference is given up there and device release sequence +is triggered. In error case this reference is kept and the release +sequence is never started. + +Fix this by setting reg_state as NETREG_UNREGISTERED if registering +fails. + +This is the rootcause for couple of memory leaks reported by Syzkaller: + +BUG: memory leak unreferenced object 0xffff8880675ca008 (size 256): + comm "netdev_register", pid 281, jiffies 4294696663 (age 6.808s) + hex dump (first 32 bytes): + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 
+ backtrace: + [<0000000058ca4711>] kmem_cache_alloc_trace+0x167/0x280 + [<000000002340019b>] device_add+0x882/0x1750 + [<000000001d588c3a>] netdev_register_kobject+0x128/0x380 + [<0000000011ef5535>] register_netdevice+0xa1b/0xf00 + [<000000007fcf1c99>] __tun_chr_ioctl+0x20d5/0x3dd0 + [<000000006a5b7b2b>] tun_chr_ioctl+0x2f/0x40 + [<00000000f30f834a>] do_vfs_ioctl+0x1c7/0x1510 + [<00000000fba062ea>] ksys_ioctl+0x99/0xb0 + [<00000000b1c1b8d2>] __x64_sys_ioctl+0x78/0xb0 + [<00000000984cabb9>] do_syscall_64+0x16f/0x580 + [<000000000bde033d>] entry_SYSCALL_64_after_hwframe+0x44/0xa9 + [<00000000e6ca2d9f>] 0xffffffffffffffff + +BUG: memory leak +unreferenced object 0xffff8880668ba588 (size 8): + comm "kobject_set_nam", pid 286, jiffies 4294725297 (age 9.871s) + hex dump (first 8 bytes): + 6e 72 30 00 cc be df 2b nr0....+ + backtrace: + [<00000000a322332a>] __kmalloc_track_caller+0x16e/0x290 + [<00000000236fd26b>] kstrdup+0x3e/0x70 + [<00000000dd4a2815>] kstrdup_const+0x3e/0x50 + [<0000000049a377fc>] kvasprintf_const+0x10e/0x160 + [<00000000627fc711>] kobject_set_name_vargs+0x5b/0x140 + [<0000000019eeab06>] dev_set_name+0xc0/0xf0 + [<0000000069cb12bc>] netdev_register_kobject+0xc8/0x320 + [<00000000f2e83732>] register_netdevice+0xa1b/0xf00 + [<000000009e1f57cc>] __tun_chr_ioctl+0x20d5/0x3dd0 + [<000000009c560784>] tun_chr_ioctl+0x2f/0x40 + [<000000000d759e02>] do_vfs_ioctl+0x1c7/0x1510 + [<00000000351d7c31>] ksys_ioctl+0x99/0xb0 + [<000000008390040a>] __x64_sys_ioctl+0x78/0xb0 + [<0000000052d196b7>] do_syscall_64+0x16f/0x580 + [<0000000019af9236>] entry_SYSCALL_64_after_hwframe+0x44/0xa9 + [<00000000bc384531>] 0xffffffffffffffff + +v3 -> v4: + Set reg_state to NETREG_UNREGISTERED if registering fails + +v2 -> v3: +* Replaced BUG_ON with WARN_ON in free_netdev and netdev_release + +v1 -> v2: +* Relying on driver calling free_netdev rather than calling + put_device directly in error path + +Reported-by: syzbot+ad8ca40ecd77896d51e2@syzkaller.appspotmail.com +Cc: David 
Miller
+Cc: Greg Kroah-Hartman
+Cc: Lukas Bulwahn
+Signed-off-by: Jouni Hogander
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/core/dev.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -7667,8 +7667,10 @@ int register_netdevice(struct net_device
+ goto err_uninit;
+
+ ret = netdev_register_kobject(dev);
+- if (ret)
++ if (ret) {
++ dev->reg_state = NETREG_UNREGISTERED;
+ goto err_uninit;
++ }
+ dev->reg_state = NETREG_REGISTERED;
+
+ __netdev_update_features(dev);
diff --git a/queue-4.14/net-usb-lan78xx-add-.ndo_features_check.patch b/queue-4.14/net-usb-lan78xx-add-.ndo_features_check.patch
new file mode 100644
index 00000000000..dcc292e8f9a
--- /dev/null
+++ b/queue-4.14/net-usb-lan78xx-add-.ndo_features_check.patch
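Review bot: The `err_uninit` label is now reached with two different reg_state values — NETREG_UNINITIALIZED from the earlier `goto err_uninit` and NETREG_UNREGISTERED from the netdev_register_kobject() failure — and nothing at the site says why only the kobject path changes state; a comment above the new assignment, such as `/* device_initialize() took a reference that only free_netdev()'s put_device() drops */`, would carry the commit-message reasoning into the code. The fix also relies on every driver calling free_netdev() after a failed register_netdevice() and on free_netdev() treating NETREG_UNREGISTERED as "release through put_device", neither of which is visible in the hunk, so those contracts are worth naming in the same comment. register_netdevice() starts and ends outside the hunk.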
@@ -0,0 +1,62 @@
+From foo@baz Mon 27 Jan 2020 03:20:22 PM CET
+From: James Hughes
+Date: Mon, 20 Jan 2020 11:12:40 +0000
+Subject: net: usb: lan78xx: Add .ndo_features_check
+
+From: James Hughes
+
+[ Upstream commit ce896476c65d72b4b99fa09c2f33436b4198f034 ]
+
+As reported by Eric Dumazet, there are still some outstanding
+cases where the driver does not handle TSO correctly when skb's
+are over a certain size. Most cases have been fixed, this patch
+should ensure that forwarded SKB's that are greater than
+MAX_SINGLE_PACKET_SIZE - TX_OVERHEAD are software segmented
+and handled correctly.
+
+Signed-off-by: James Hughes
+Reviewed-by: Eric Dumazet
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/usb/lan78xx.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+--- a/drivers/net/usb/lan78xx.c
++++ b/drivers/net/usb/lan78xx.c
+@@ -31,6 +31,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+ #include
+ #include
+@@ -3525,6 +3526,19 @@ static void lan78xx_tx_timeout(struct ne
+ tasklet_schedule(&dev->bh);
+ }
+ 
++static netdev_features_t lan78xx_features_check(struct sk_buff *skb,
++ struct net_device *netdev,
++ netdev_features_t features)
++{
++ if (skb->len + TX_OVERHEAD > MAX_SINGLE_PACKET_SIZE)
++ features &= ~NETIF_F_GSO_MASK;
++
++ features = vlan_features_check(skb, features);
++ features = vxlan_features_check(skb, features);
++
++ return features;
++}
++
+ static const struct net_device_ops lan78xx_netdev_ops = {
+ .ndo_open = lan78xx_open,
+ .ndo_stop = lan78xx_stop,
+@@ -3538,6 +3552,7 @@ static const struct net_device_ops lan78
+ .ndo_set_features = lan78xx_set_features,
+ .ndo_vlan_rx_add_vid = lan78xx_vlan_rx_add_vid,
+ .ndo_vlan_rx_kill_vid = lan78xx_vlan_rx_kill_vid,
++ .ndo_features_check = lan78xx_features_check,
+ };
+ 
+ static void lan78xx_stat_monitor(unsigned long param)
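Review bot: lan78xx_features_check() clears the whole GSO mask on the size test without recording why, so the hardware limit the commit message describes should be stated at the `if`: `/* Frames above MAX_SINGLE_PACKET_SIZE - TX_OVERHEAD cannot be offloaded; drop GSO so the stack segments them in software. */`. The `#include` added in the first hunk has lost its target in this rendering; `vxlan_features_check()` is declared in `net/vxlan.h`, which is presumably the header being added — confirm against the upstream commit when applying. The size check runs on every transmitted skb, including forwarded ones, so keeping the comparison conservative (`>` rather than `>=` against the full packet budget) is the right side to err on; noting that in the same comment would stop a later "off-by-one" cleanup from reintroducing the oversize-TSO case.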
diff --git a/queue-4.14/net_sched-fix-datalen-for-ematch.patch b/queue-4.14/net_sched-fix-datalen-for-ematch.patch
new file mode 100644
index 00000000000..41c434e0295
--- /dev/null
+++ b/queue-4.14/net_sched-fix-datalen-for-ematch.patch
@@ -0,0 +1,47 @@
+From foo@baz Mon 27 Jan 2020 03:20:22 PM CET
+From: Cong Wang
+Date: Wed, 22 Jan 2020 15:42:02 -0800
+Subject: net_sched: fix datalen for ematch
+
+From: Cong Wang
+
+[ Upstream commit 61678d28d4a45ef376f5d02a839cc37509ae9281 ]
+
+syzbot reported an out-of-bound access in em_nbyte. As initially
+analyzed by Eric, this is because em_nbyte sets its own em->datalen
+in em_nbyte_change() other than the one specified by user, but this
+value gets overwritten later by its caller tcf_em_validate().
+We should leave em->datalen untouched to respect their choices.
+
+I audit all the in-tree ematch users, all of those implement
+->change() set em->datalen, so we can just avoid setting it twice
+in this case.
+
+Reported-and-tested-by: syzbot+5af9a90dad568aa9f611@syzkaller.appspotmail.com
+Reported-by: syzbot+2f07903a5b05e7f36410@syzkaller.appspotmail.com
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Cc: Eric Dumazet
+Signed-off-by: Cong Wang
+Reviewed-by: Eric Dumazet
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/sched/ematch.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/sched/ematch.c
++++ b/net/sched/ematch.c
+@@ -267,12 +267,12 @@ static int tcf_em_validate(struct tcf_pr
+ }
+ em->data = (unsigned long) v;
+ }
++ em->datalen = data_len;
+ }
+ }
+ 
+ em->matchid = em_hdr->matchid;
+ em->flags = em_hdr->flags;
+- em->datalen = data_len;
+ em->net = net;
+ 
+ err = 0;
diff --git a/queue-4.14/series b/queue-4.14/series
new file mode 100644
index 00000000000..b1d2a163fe0
--- /dev/null
+++ b/queue-4.14/series
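Review bot: After this move em->datalen is owned by two different parties depending on the branch taken — the ematch's ->change() callback in one case, tcf_em_validate() itself only when raw data was copied — and nothing at the new assignment says so. A comment on the added line would make the contract explicit for the next person who touches this function: `/* ->change() implementations set em->datalen themselves; only set it here for data copied by this function. */`. Whether datalen is zero when neither branch assigns it depends on how the match array is allocated, which is outside the hunk; worth confirming in the 4.14 tree, since a stale or oversized datalen is exactly what the reported out-of-bounds read in em_nbyte came from. tcf_em_validate() starts and ends outside the hunk.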
@@ -0,0 +1,12 @@
+can-slip-protect-tty-disc_data-in-write_wakeup-and-close-with-rcu.patch
+firestream-fix-memory-leaks.patch
+gtp-make-sure-only-sock_dgram-udp-sockets-are-accepted.patch
+ipv6-sr-remove-skb_gso_ipxip6-on-end.d-actions.patch
+net-cxgb3_main-add-cap_net_admin-check-to-chelsio_get_mem.patch
+net-ip6_tunnel-fix-namespaces-move.patch
+net-ip_tunnel-fix-namespaces-move.patch
+net_sched-fix-datalen-for-ematch.patch
+net-sysfs-fix-reference-count-leak.patch
+net-usb-lan78xx-add-.ndo_features_check.patch
+tcp_bbr-improve-arithmetic-division-in-bbr_update_bw.patch
+net-rtnetlink-validate-ifla_mtu-attribute-in-rtnl_create_link.patch
diff --git a/queue-4.14/tcp_bbr-improve-arithmetic-division-in-bbr_update_bw.patch b/queue-4.14/tcp_bbr-improve-arithmetic-division-in-bbr_update_bw.patch
new file mode 100644
index 00000000000..9b530f4b108
--- /dev/null
+++ b/queue-4.14/tcp_bbr-improve-arithmetic-division-in-bbr_update_bw.patch
@@ -0,0 +1,39 @@
+From foo@baz Mon 27 Jan 2020 03:20:22 PM CET
+From: Wen Yang
+Date: Mon, 20 Jan 2020 18:04:56 +0800
+Subject: tcp_bbr: improve arithmetic division in bbr_update_bw()
+
+From: Wen Yang
+
+[ Upstream commit 5b2f1f3070b6447b76174ea8bfb7390dc6253ebd ]
+
+do_div() does a 64-by-32 division. Use div64_long() instead of it
+if the divisor is long, to avoid truncation to 32-bit.
+And as a nice side effect also cleans up the function a bit.
+
+Signed-off-by: Wen Yang
+Cc: Eric Dumazet
+Cc: "David S. Miller"
+Cc: Alexey Kuznetsov
+Cc: Hideaki YOSHIFUJI
+Cc: netdev@vger.kernel.org
+Cc: linux-kernel@vger.kernel.org
+Signed-off-by: Eric Dumazet
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv4/tcp_bbr.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/net/ipv4/tcp_bbr.c
++++ b/net/ipv4/tcp_bbr.c
+@@ -678,8 +678,7 @@ static void bbr_update_bw(struct sock *s
+ * bandwidth sample. Delivered is in packets and interval_us in uS and
+ * ratio will be <<1 for most connections. So delivered is first scaled.
+ */
+- bw = (u64)rs->delivered * BW_UNIT;
+- do_div(bw, rs->interval_us);
++ bw = div64_long((u64)rs->delivered * BW_UNIT, rs->interval_us);
+ 
+ /* If this sample is application-limited, it is likely to have a very
+ * low delivered count that represents application behavior rather than
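Review bot: div64_long() is a signed 64-bit division, so the new line is only well-defined if rs->interval_us has already been rejected when zero or negative; that guard, if it exists in the 4.14 version of bbr_update_bw(), sits above the hunk and nothing here points at it. A short comment on the new line would tie the two together and record why do_div() was wrong: `/* interval_us is long; div64_long() keeps the full divisor instead of do_div()'s u32 truncation. Relies on the interval_us > 0 check earlier in this function. */` — confirm that check is present before quoting it. bbr_update_bw() starts and ends outside the hunk.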