From: Greg Kroah-Hartman
Date: Wed, 1 Jan 2020 17:25:33 +0000 (+0100)
Subject: 4.4-stable patches
X-Git-Tag: v4.4.208~27
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c975fd835ec09be10f947cce4271aa19e4c42e5b;p=thirdparty%2Fkernel%2Fstable-queue.git
4.4-stable patches
added patches:
6pack-mkiss-fix-possible-deadlock.patch
hrtimer-annotate-lockless-access-to-timer-state.patch
net-icmp-fix-data-race-in-cmp_global_allow.patch
netfilter-bridge-make-sure-to-pull-arp-header-in-br_nf_forward_arp.patch
netfilter-ebtables-compat-reject-all-padding-in-matches-watchers.patch
---
diff --git a/queue-4.4/6pack-mkiss-fix-possible-deadlock.patch b/queue-4.4/6pack-mkiss-fix-possible-deadlock.patch
new file mode 100644
index 00000000000..ac5887f633f
--- /dev/null
+++ b/queue-4.4/6pack-mkiss-fix-possible-deadlock.patch
@@ -0,0 +1,178 @@
+From 5c9934b6767b16ba60be22ec3cbd4379ad64170d Mon Sep 17 00:00:00 2001
+From: Eric Dumazet
+Date: Thu, 12 Dec 2019 10:32:13 -0800
+Subject: 6pack,mkiss: fix possible deadlock
+
+From: Eric Dumazet
+
+commit 5c9934b6767b16ba60be22ec3cbd4379ad64170d upstream.
+
+We got another syzbot report [1] that tells us we must use
+write_lock_irq()/write_unlock_irq() to avoid possible deadlock.
+
+[1]
+
+WARNING: inconsistent lock state
+5.5.0-rc1-syzkaller #0 Not tainted
+--------------------------------
+inconsistent {HARDIRQ-ON-W} -> {IN-HARDIRQ-R} usage.
+syz-executor826/9605 [HC1[1]:SC0[0]:HE0:SE1] takes:
+ffffffff8a128718 (disc_data_lock){+-..}, at: sp_get.isra.0+0x1d/0xf0 drivers/net/ppp/ppp_synctty.c:138
+{HARDIRQ-ON-W} state was registered at:
+ lock_acquire+0x190/0x410 kernel/locking/lockdep.c:4485
+ __raw_write_lock_bh include/linux/rwlock_api_smp.h:203 [inline]
+ _raw_write_lock_bh+0x33/0x50 kernel/locking/spinlock.c:319
+ sixpack_close+0x1d/0x250 drivers/net/hamradio/6pack.c:657
+ tty_ldisc_close.isra.0+0x119/0x1a0 drivers/tty/tty_ldisc.c:489
+ tty_set_ldisc+0x230/0x6b0 drivers/tty/tty_ldisc.c:585
+ tiocsetd drivers/tty/tty_io.c:2337 [inline]
+ tty_ioctl+0xe8d/0x14f0 drivers/tty/tty_io.c:2597
+ vfs_ioctl fs/ioctl.c:47 [inline]
+ file_ioctl fs/ioctl.c:545 [inline]
+ do_vfs_ioctl+0x977/0x14e0 fs/ioctl.c:732
+ ksys_ioctl+0xab/0xd0 fs/ioctl.c:749
+ __do_sys_ioctl fs/ioctl.c:756 [inline]
+ __se_sys_ioctl fs/ioctl.c:754 [inline]
+ __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:754
+ do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+irq event stamp: 3946
+hardirqs last enabled at (3945): [] __raw_spin_unlock_irq include/linux/spinlock_api_smp.h:168 [inline]
+hardirqs last enabled at (3945): [] _raw_spin_unlock_irq+0x23/0x80 kernel/locking/spinlock.c:199
+hardirqs last disabled at (3946): [] trace_hardirqs_off_thunk+0x1a/0x1c arch/x86/entry/thunk_64.S:42
+softirqs last enabled at (2658): [] spin_unlock_bh include/linux/spinlock.h:383 [inline]
+softirqs last enabled at (2658): [] clusterip_netdev_event+0x46f/0x670 net/ipv4/netfilter/ipt_CLUSTERIP.c:222
+softirqs last disabled at (2656): [] spin_lock_bh include/linux/spinlock.h:343 [inline]
+softirqs last disabled at (2656): [] clusterip_netdev_event+0x1bb/0x670 net/ipv4/netfilter/ipt_CLUSTERIP.c:196
+
+other info that might help us debug this:
+ Possible unsafe locking scenario:
+
+ CPU0
+ ----
+ lock(disc_data_lock);
+
+ lock(disc_data_lock);
+
+ *** DEADLOCK ***
+
+5 locks held by syz-executor826/9605:
+ #0: ffff8880a905e198 (&tty->legacy_mutex){+.+.}, at: tty_lock+0xc7/0x130 drivers/tty/tty_mutex.c:19
+ #1: ffffffff899a56c0 (rcu_read_lock){....}, at: mutex_spin_on_owner+0x0/0x330 kernel/locking/mutex.c:413
+ #2: ffff8880a496a2b0 (&(&i->lock)->rlock){-.-.}, at: spin_lock include/linux/spinlock.h:338 [inline]
+ #2: ffff8880a496a2b0 (&(&i->lock)->rlock){-.-.}, at: serial8250_interrupt+0x2d/0x1a0 drivers/tty/serial/8250/8250_core.c:116
+ #3: ffffffff8c104048 (&port_lock_key){-.-.}, at: serial8250_handle_irq.part.0+0x24/0x330 drivers/tty/serial/8250/8250_port.c:1823
+ #4: ffff8880a905e090 (&tty->ldisc_sem){++++}, at: tty_ldisc_ref+0x22/0x90 drivers/tty/tty_ldisc.c:288
+
+stack backtrace:
+CPU: 1 PID: 9605 Comm: syz-executor826 Not tainted 5.5.0-rc1-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x197/0x210 lib/dump_stack.c:118
+ print_usage_bug.cold+0x327/0x378 kernel/locking/lockdep.c:3101
+ valid_state kernel/locking/lockdep.c:3112 [inline]
+ mark_lock_irq kernel/locking/lockdep.c:3309 [inline]
+ mark_lock+0xbb4/0x1220 kernel/locking/lockdep.c:3666
+ mark_usage kernel/locking/lockdep.c:3554 [inline]
+ __lock_acquire+0x1e55/0x4a00 kernel/locking/lockdep.c:3909
+ lock_acquire+0x190/0x410 kernel/locking/lockdep.c:4485
+ __raw_read_lock include/linux/rwlock_api_smp.h:149 [inline]
+ _raw_read_lock+0x32/0x50 kernel/locking/spinlock.c:223
+ sp_get.isra.0+0x1d/0xf0 drivers/net/ppp/ppp_synctty.c:138
+ sixpack_write_wakeup+0x25/0x340 drivers/net/hamradio/6pack.c:402
+ tty_wakeup+0xe9/0x120 drivers/tty/tty_io.c:536
+ tty_port_default_wakeup+0x2b/0x40 drivers/tty/tty_port.c:50
+ tty_port_tty_wakeup+0x57/0x70 drivers/tty/tty_port.c:387
+ uart_write_wakeup+0x46/0x70 drivers/tty/serial/serial_core.c:104
+ serial8250_tx_chars+0x495/0xaf0 drivers/tty/serial/8250/8250_port.c:1761
+ serial8250_handle_irq.part.0+0x2a2/0x330 drivers/tty/serial/8250/8250_port.c:1834
+ serial8250_handle_irq drivers/tty/serial/8250/8250_port.c:1820 [inline]
+ serial8250_default_handle_irq+0xc0/0x150 drivers/tty/serial/8250/8250_port.c:1850
+ serial8250_interrupt+0xf1/0x1a0 drivers/tty/serial/8250/8250_core.c:126
+ __handle_irq_event_percpu+0x15d/0x970 kernel/irq/handle.c:149
+ handle_irq_event_percpu+0x74/0x160 kernel/irq/handle.c:189
+ handle_irq_event+0xa7/0x134 kernel/irq/handle.c:206
+ handle_edge_irq+0x25e/0x8d0 kernel/irq/chip.c:830
+ generic_handle_irq_desc include/linux/irqdesc.h:156 [inline]
+ do_IRQ+0xde/0x280 arch/x86/kernel/irq.c:250
+ common_interrupt+0xf/0xf arch/x86/entry/entry_64.S:607
+
+RIP: 0010:cpu_relax arch/x86/include/asm/processor.h:685 [inline]
+RIP: 0010:mutex_spin_on_owner+0x247/0x330 kernel/locking/mutex.c:579
+Code: c3 be 08 00 00 00 4c 89 e7 e8 e5 06 59 00 4c 89 e0 48 c1 e8 03 42 80 3c 38 00 0f 85 e1 00 00 00 49 8b 04 24 a8 01 75 96 f3 90 2f fe ff ff 0f 0b e8 0d 19 09 00 84 c0 0f 85 ff fd ff ff 48 c7
+RSP: 0018:ffffc90001eafa20 EFLAGS: 00000246 ORIG_RAX: ffffffffffffffd7
+RAX: 0000000000000000 RBX: ffff88809fd9e0c0 RCX: 1ffffffff13266dd
+RDX: 0000000000000000 RSI: 0000000000000008 RDI: 0000000000000000
+RBP: ffffc90001eafa60 R08: 1ffff11013d22898 R09: ffffed1013d22899
+R10: ffffed1013d22898 R11: ffff88809e9144c7 R12: ffff8880a905e138
+R13: ffff88809e9144c0 R14: 0000000000000000 R15: dffffc0000000000
+ mutex_optimistic_spin kernel/locking/mutex.c:673 [inline]
+ __mutex_lock_common kernel/locking/mutex.c:962 [inline]
+ __mutex_lock+0x32b/0x13c0 kernel/locking/mutex.c:1106
+ mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:1121
+ tty_lock+0xc7/0x130 drivers/tty/tty_mutex.c:19
+ tty_release+0xb5/0xe90 drivers/tty/tty_io.c:1665
+ __fput+0x2ff/0x890 fs/file_table.c:280
+ ____fput+0x16/0x20 fs/file_table.c:313
+ task_work_run+0x145/0x1c0 kernel/task_work.c:113
+ exit_task_work include/linux/task_work.h:22 [inline]
+ do_exit+0x8e7/0x2ef0 kernel/exit.c:797
+ do_group_exit+0x135/0x360 kernel/exit.c:895
+ __do_sys_exit_group kernel/exit.c:906 [inline]
+ __se_sys_exit_group kernel/exit.c:904 [inline]
+ __x64_sys_exit_group+0x44/0x50 kernel/exit.c:904
+ do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+RIP: 0033:0x43fef8
+Code: Bad RIP value.
+RSP: 002b:00007ffdb07d2338 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
+RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043fef8
+RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
+RBP: 00000000004bf730 R08: 00000000000000e7 R09: ffffffffffffffd0
+R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000000001
+R13: 00000000006d1180 R14: 0000000000000000 R15: 0000000000000000
+
+Fixes: 6e4e2f811bad ("6pack,mkiss: fix lock inconsistency")
+Signed-off-by: Eric Dumazet
+Reported-by: syzbot
+Cc: Arnd Bergmann
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/hamradio/6pack.c | 4 ++--
+ drivers/net/hamradio/mkiss.c | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/hamradio/6pack.c
++++ b/drivers/net/hamradio/6pack.c
+@@ -669,10 +669,10 @@ static void sixpack_close(struct tty_str
+ {
+ struct sixpack *sp;
+
+- write_lock_bh(&disc_data_lock);
++ write_lock_irq(&disc_data_lock);
+ sp = tty->disc_data;
+ tty->disc_data = NULL;
+- write_unlock_bh(&disc_data_lock);
++ write_unlock_irq(&disc_data_lock);
+ if (!sp)
+ return;
+
+--- a/drivers/net/hamradio/mkiss.c
++++ b/drivers/net/hamradio/mkiss.c
+@@ -783,10 +783,10 @@ static void mkiss_close(struct tty_struc
+ {
+ struct mkiss *ax;
+
+- write_lock_bh(&disc_data_lock);
++ write_lock_irq(&disc_data_lock);
+ ax = tty->disc_data;
+ tty->disc_data = NULL;
+- write_unlock_bh(&disc_data_lock);
++ write_unlock_irq(&disc_data_lock);
+
+ if (!ax)
+ return;
diff --git a/queue-4.4/hrtimer-annotate-lockless-access-to-timer-state.patch b/queue-4.4/hrtimer-annotate-lockless-access-to-timer-state.patch
new file mode 100644
index 00000000000..a4abcf365be
--- /dev/null
+++ b/queue-4.4/hrtimer-annotate-lockless-access-to-timer-state.patch
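Review bot: Both inner hunks convert only the close() writer of disc_data_lock (sixpack_close and mkiss_close) from write_lock_bh() to write_lock_irq(), while the lockdep report quoted above shows the reader side (sp_get via sixpack_write_wakeup) being taken from hardirq context. Any remaining write_lock_bh() user of disc_data_lock in these two drivers would keep the same {HARDIRQ-ON-W} -> {IN-HARDIRQ-R} inconsistency, so it is worth confirming in the 4.4 tree that no other writer of tty->disc_data under this lock exists; the open paths are not part of these hunks. Both sixpack_close and mkiss_close continue past their hunks.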
@@ -0,0 +1,160 @@
+From 56144737e67329c9aaed15f942d46a6302e2e3d8 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet
+Date: Wed, 6 Nov 2019 09:48:04 -0800
+Subject: hrtimer: Annotate lockless access to timer->state
+
+From: Eric Dumazet
+
+commit 56144737e67329c9aaed15f942d46a6302e2e3d8 upstream.
+
+syzbot reported various data-race caused by hrtimer_is_queued() reading
+timer->state. A READ_ONCE() is required there to silence the warning.
+
+Also add the corresponding WRITE_ONCE() when timer->state is set.
+
+In remove_hrtimer() the hrtimer_is_queued() helper is open coded to avoid
+loading timer->state twice.
+
+KCSAN reported these cases:
+
+BUG: KCSAN: data-race in __remove_hrtimer / tcp_pacing_check
+
+write to 0xffff8880b2a7d388 of 1 bytes by interrupt on cpu 0:
+ __remove_hrtimer+0x52/0x130 kernel/time/hrtimer.c:991
+ __run_hrtimer kernel/time/hrtimer.c:1496 [inline]
+ __hrtimer_run_queues+0x250/0x600 kernel/time/hrtimer.c:1576
+ hrtimer_run_softirq+0x10e/0x150 kernel/time/hrtimer.c:1593
+ __do_softirq+0x115/0x33f kernel/softirq.c:292
+ run_ksoftirqd+0x46/0x60 kernel/softirq.c:603
+ smpboot_thread_fn+0x37d/0x4a0 kernel/smpboot.c:165
+ kthread+0x1d4/0x200 drivers/block/aoe/aoecmd.c:1253
+ ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:352
+
+read to 0xffff8880b2a7d388 of 1 bytes by task 24652 on cpu 1:
+ tcp_pacing_check net/ipv4/tcp_output.c:2235 [inline]
+ tcp_pacing_check+0xba/0x130 net/ipv4/tcp_output.c:2225
+ tcp_xmit_retransmit_queue+0x32c/0x5a0 net/ipv4/tcp_output.c:3044
+ tcp_xmit_recovery+0x7c/0x120 net/ipv4/tcp_input.c:3558
+ tcp_ack+0x17b6/0x3170 net/ipv4/tcp_input.c:3717
+ tcp_rcv_established+0x37e/0xf50 net/ipv4/tcp_input.c:5696
+ tcp_v4_do_rcv+0x381/0x4e0 net/ipv4/tcp_ipv4.c:1561
+ sk_backlog_rcv include/net/sock.h:945 [inline]
+ __release_sock+0x135/0x1e0 net/core/sock.c:2435
+ release_sock+0x61/0x160 net/core/sock.c:2951
+ sk_stream_wait_memory+0x3d7/0x7c0 net/core/stream.c:145
+ tcp_sendmsg_locked+0xb47/0x1f30 net/ipv4/tcp.c:1393
+ tcp_sendmsg+0x39/0x60 net/ipv4/tcp.c:1434
+ inet_sendmsg+0x6d/0x90 net/ipv4/af_inet.c:807
+ sock_sendmsg_nosec net/socket.c:637 [inline]
+ sock_sendmsg+0x9f/0xc0 net/socket.c:657
+
+BUG: KCSAN: data-race in __remove_hrtimer / __tcp_ack_snd_check
+
+write to 0xffff8880a3a65588 of 1 bytes by interrupt on cpu 0:
+ __remove_hrtimer+0x52/0x130 kernel/time/hrtimer.c:991
+ __run_hrtimer kernel/time/hrtimer.c:1496 [inline]
+ __hrtimer_run_queues+0x250/0x600 kernel/time/hrtimer.c:1576
+ hrtimer_run_softirq+0x10e/0x150 kernel/time/hrtimer.c:1593
+ __do_softirq+0x115/0x33f kernel/softirq.c:292
+ invoke_softirq kernel/softirq.c:373 [inline]
+ irq_exit+0xbb/0xe0 kernel/softirq.c:413
+ exiting_irq arch/x86/include/asm/apic.h:536 [inline]
+ smp_apic_timer_interrupt+0xe6/0x280 arch/x86/kernel/apic/apic.c:1137
+ apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:830
+
+read to 0xffff8880a3a65588 of 1 bytes by task 22891 on cpu 1:
+ __tcp_ack_snd_check+0x415/0x4f0 net/ipv4/tcp_input.c:5265
+ tcp_ack_snd_check net/ipv4/tcp_input.c:5287 [inline]
+ tcp_rcv_established+0x750/0xf50 net/ipv4/tcp_input.c:5708
+ tcp_v4_do_rcv+0x381/0x4e0 net/ipv4/tcp_ipv4.c:1561
+ sk_backlog_rcv include/net/sock.h:945 [inline]
+ __release_sock+0x135/0x1e0 net/core/sock.c:2435
+ release_sock+0x61/0x160 net/core/sock.c:2951
+ sk_stream_wait_memory+0x3d7/0x7c0 net/core/stream.c:145
+ tcp_sendmsg_locked+0xb47/0x1f30 net/ipv4/tcp.c:1393
+ tcp_sendmsg+0x39/0x60 net/ipv4/tcp.c:1434
+ inet_sendmsg+0x6d/0x90 net/ipv4/af_inet.c:807
+ sock_sendmsg_nosec net/socket.c:637 [inline]
+ sock_sendmsg+0x9f/0xc0 net/socket.c:657
+ __sys_sendto+0x21f/0x320 net/socket.c:1952
+ __do_sys_sendto net/socket.c:1964 [inline]
+ __se_sys_sendto net/socket.c:1960 [inline]
+ __x64_sys_sendto+0x89/0xb0 net/socket.c:1960
+ do_syscall_64+0xcc/0x370 arch/x86/entry/common.c:290
+
+Reported by Kernel Concurrency Sanitizer on:
+CPU: 1 PID: 24652 Comm: syz-executor.3 Not tainted 5.4.0-rc3+ #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+
+[ tglx: Added comments ]
+
+Reported-by: syzbot
+Signed-off-by: Eric Dumazet
+Signed-off-by: Thomas Gleixner
+Link: https://lkml.kernel.org/r/20191106174804.74723-1-edumazet@google.com
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ include/linux/hrtimer.h | 14 ++++++++++----
+ kernel/time/hrtimer.c | 11 +++++++----
+ 2 files changed, 17 insertions(+), 8 deletions(-)
+
+--- a/include/linux/hrtimer.h
++++ b/include/linux/hrtimer.h
+@@ -424,12 +424,18 @@ extern u64 hrtimer_get_next_event(void);
+
+ extern bool hrtimer_active(const struct hrtimer *timer);
+
+-/*
+- * Helper function to check, whether the timer is on one of the queues
++/**
++ * hrtimer_is_queued = check, whether the timer is on one of the queues
++ * @timer: Timer to check
++ *
++ * Returns: True if the timer is queued, false otherwise
++ *
++ * The function can be used lockless, but it gives only a current snapshot.
+ */
+-static inline int hrtimer_is_queued(struct hrtimer *timer)
++static inline bool hrtimer_is_queued(struct hrtimer *timer)
+ {
+- return timer->state & HRTIMER_STATE_ENQUEUED;
++ /* The READ_ONCE pairs with the update functions of timer->state */
++ return !!(READ_ONCE(timer->state) & HRTIMER_STATE_ENQUEUED);
+ }
+
+ /*
+--- a/kernel/time/hrtimer.c
++++ b/kernel/time/hrtimer.c
+@@ -887,7 +887,8 @@ static int enqueue_hrtimer(struct hrtime
+
+ base->cpu_base->active_bases |= 1 << base->index;
+
+- timer->state = HRTIMER_STATE_ENQUEUED;
++ /* Pairs with the lockless read in hrtimer_is_queued() */
++ WRITE_ONCE(timer->state, HRTIMER_STATE_ENQUEUED);
+
+ return timerqueue_add(&base->active, &timer->node);
+ }
+@@ -909,7 +910,8 @@ static void __remove_hrtimer(struct hrti
+ struct hrtimer_cpu_base *cpu_base = base->cpu_base;
+ u8 state = timer->state;
+
+- timer->state = newstate;
++ /* Pairs with the lockless read in hrtimer_is_queued() */
++ WRITE_ONCE(timer->state, newstate);
+ if (!(state & HRTIMER_STATE_ENQUEUED))
+ return;
+
+@@ -936,8 +938,9 @@ static void __remove_hrtimer(struct hrti
+ static inline int
+ remove_hrtimer(struct hrtimer *timer, struct hrtimer_clock_base *base, bool restart)
+ {
+- if (hrtimer_is_queued(timer)) {
+- u8 state = timer->state;
++ u8 state = timer->state;
++
++ if (state & HRTIMER_STATE_ENQUEUED) {
+ int reprogram;
+
+ /*
diff --git a/queue-4.4/net-icmp-fix-data-race-in-cmp_global_allow.patch b/queue-4.4/net-icmp-fix-data-race-in-cmp_global_allow.patch
new file mode 100644
index 00000000000..68942a3c2ec
--- /dev/null
+++ b/queue-4.4/net-icmp-fix-data-race-in-cmp_global_allow.patch
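Review bot: The new `u8 state = timer->state;` hoisted to the top of remove_hrtimer() is a plain load, while every other access to timer->state in this patch is now wrapped in READ_ONCE()/WRITE_ONCE(); without a comment the next reader will take it for an annotation that was missed rather than the deliberate open-coding the commit message describes. If the base lock is held at this point (the hunk does not show it), a comment such as `/* Plain read is fine: the base lock is held, so no WRITE_ONCE() can race */` would make that explicit; if it is not, the read should be a READ_ONCE() like the one in hrtimer_is_queued(). The same plain read already exists in __remove_hrtimer() in the previous hunk and would benefit from the same comment. remove_hrtimer's body continues past the hunk.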
@@ -0,0 +1,116 @@
+From bbab7ef235031f6733b5429ae7877bfa22339712 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet
+Date: Fri, 8 Nov 2019 10:34:47 -0800
+Subject: net: icmp: fix data-race in cmp_global_allow()
+
+From: Eric Dumazet
+
+commit bbab7ef235031f6733b5429ae7877bfa22339712 upstream.
+
+This code reads two global variables without protection
+of a lock. We need READ_ONCE()/WRITE_ONCE() pairs to
+avoid load/store-tearing and better document the intent.
+
+KCSAN reported :
+BUG: KCSAN: data-race in icmp_global_allow / icmp_global_allow
+
+read to 0xffffffff861a8014 of 4 bytes by task 11201 on cpu 0:
+ icmp_global_allow+0x36/0x1b0 net/ipv4/icmp.c:254
+ icmpv6_global_allow net/ipv6/icmp.c:184 [inline]
+ icmpv6_global_allow net/ipv6/icmp.c:179 [inline]
+ icmp6_send+0x493/0x1140 net/ipv6/icmp.c:514
+ icmpv6_send+0x71/0xb0 net/ipv6/ip6_icmp.c:43
+ ip6_link_failure+0x43/0x180 net/ipv6/route.c:2640
+ dst_link_failure include/net/dst.h:419 [inline]
+ vti_xmit net/ipv4/ip_vti.c:243 [inline]
+ vti_tunnel_xmit+0x27f/0xa50 net/ipv4/ip_vti.c:279
+ __netdev_start_xmit include/linux/netdevice.h:4420 [inline]
+ netdev_start_xmit include/linux/netdevice.h:4434 [inline]
+ xmit_one net/core/dev.c:3280 [inline]
+ dev_hard_start_xmit+0xef/0x430 net/core/dev.c:3296
+ __dev_queue_xmit+0x14c9/0x1b60 net/core/dev.c:3873
+ dev_queue_xmit+0x21/0x30 net/core/dev.c:3906
+ neigh_direct_output+0x1f/0x30 net/core/neighbour.c:1530
+ neigh_output include/net/neighbour.h:511 [inline]
+ ip6_finish_output2+0x7a6/0xec0 net/ipv6/ip6_output.c:116
+ __ip6_finish_output net/ipv6/ip6_output.c:142 [inline]
+ __ip6_finish_output+0x2d7/0x330 net/ipv6/ip6_output.c:127
+ ip6_finish_output+0x41/0x160 net/ipv6/ip6_output.c:152
+ NF_HOOK_COND include/linux/netfilter.h:294 [inline]
+ ip6_output+0xf2/0x280 net/ipv6/ip6_output.c:175
+ dst_output include/net/dst.h:436 [inline]
+ ip6_local_out+0x74/0x90 net/ipv6/output_core.c:179
+
+write to 0xffffffff861a8014 of 4 bytes by task 11183 on cpu 1:
+ icmp_global_allow+0x174/0x1b0 net/ipv4/icmp.c:272
+ icmpv6_global_allow net/ipv6/icmp.c:184 [inline]
+ icmpv6_global_allow net/ipv6/icmp.c:179 [inline]
+ icmp6_send+0x493/0x1140 net/ipv6/icmp.c:514
+ icmpv6_send+0x71/0xb0 net/ipv6/ip6_icmp.c:43
+ ip6_link_failure+0x43/0x180 net/ipv6/route.c:2640
+ dst_link_failure include/net/dst.h:419 [inline]
+ vti_xmit net/ipv4/ip_vti.c:243 [inline]
+ vti_tunnel_xmit+0x27f/0xa50 net/ipv4/ip_vti.c:279
+ __netdev_start_xmit include/linux/netdevice.h:4420 [inline]
+ netdev_start_xmit include/linux/netdevice.h:4434 [inline]
+ xmit_one net/core/dev.c:3280 [inline]
+ dev_hard_start_xmit+0xef/0x430 net/core/dev.c:3296
+ __dev_queue_xmit+0x14c9/0x1b60 net/core/dev.c:3873
+ dev_queue_xmit+0x21/0x30 net/core/dev.c:3906
+ neigh_direct_output+0x1f/0x30 net/core/neighbour.c:1530
+ neigh_output include/net/neighbour.h:511 [inline]
+ ip6_finish_output2+0x7a6/0xec0 net/ipv6/ip6_output.c:116
+ __ip6_finish_output net/ipv6/ip6_output.c:142 [inline]
+ __ip6_finish_output+0x2d7/0x330 net/ipv6/ip6_output.c:127
+ ip6_finish_output+0x41/0x160 net/ipv6/ip6_output.c:152
+ NF_HOOK_COND include/linux/netfilter.h:294 [inline]
+ ip6_output+0xf2/0x280 net/ipv6/ip6_output.c:175
+
+Reported by Kernel Concurrency Sanitizer on:
+CPU: 1 PID: 11183 Comm: syz-executor.2 Not tainted 5.4.0-rc3+ #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+
+Fixes: 4cdf507d5452 ("icmp: add a global rate limitation")
+Signed-off-by: Eric Dumazet
+Reported-by: syzbot
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/ipv4/icmp.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+--- a/net/ipv4/icmp.c
++++ b/net/ipv4/icmp.c
+@@ -256,10 +256,11 @@ bool icmp_global_allow(void)
+ bool rc = false;
+
+ /* Check if token bucket is empty and cannot be refilled
+- * without taking the spinlock.
++ * without taking the spinlock. The READ_ONCE() are paired
++ * with the following WRITE_ONCE() in this same function.
+ */
+- if (!icmp_global.credit) {
+- delta = min_t(u32, now - icmp_global.stamp, HZ);
++ if (!READ_ONCE(icmp_global.credit)) {
++ delta = min_t(u32, now - READ_ONCE(icmp_global.stamp), HZ);
+ if (delta < HZ / 50)
+ return false;
+ }
+@@ -269,14 +270,14 @@ bool icmp_global_allow(void)
+ if (delta >= HZ / 50) {
+ incr = sysctl_icmp_msgs_per_sec * delta / HZ ;
+ if (incr)
+- icmp_global.stamp = now;
++ WRITE_ONCE(icmp_global.stamp, now);
+ }
+ credit = min_t(u32, icmp_global.credit + incr, sysctl_icmp_msgs_burst);
+ if (credit) {
+ credit--;
+ rc = true;
+ }
+- icmp_global.credit = credit;
++ WRITE_ONCE(icmp_global.credit, credit);
+ spin_unlock(&icmp_global.lock);
+ return rc;
+ }
diff --git a/queue-4.4/netfilter-bridge-make-sure-to-pull-arp-header-in-br_nf_forward_arp.patch b/queue-4.4/netfilter-bridge-make-sure-to-pull-arp-header-in-br_nf_forward_arp.patch
new file mode 100644
index 00000000000..1ee7c941997
--- /dev/null
+++ b/queue-4.4/netfilter-bridge-make-sure-to-pull-arp-header-in-br_nf_forward_arp.patch
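Review bot: The context line `credit = min_t(u32, icmp_global.credit + incr, sysctl_icmp_msgs_burst);` in the second hunk still reads icmp_global.credit plainly while the same field is READ_ONCE()/WRITE_ONCE() on every other access in the function, which reads like an omission. It is presumably under icmp_global.lock (the spin_unlock is visible two lines below; the spin_lock call lies between the two hunks), in which case a plain read is correct and only needs saying so, e.g. `/* plain read: icmp_global.lock is held, no concurrent writer */`. The lockless fast path above only ever reads credit and stamp, so the new annotations cover the racy accesses the KCSAN report lists. icmp_global_allow() begins before the first hunk.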
@@ -0,0 +1,110 @@
+From 5604285839aaedfb23ebe297799c6e558939334d Mon Sep 17 00:00:00 2001
+From: Eric Dumazet
+Date: Sat, 7 Dec 2019 14:43:39 -0800
+Subject: netfilter: bridge: make sure to pull arp header in br_nf_forward_arp()
+
+From: Eric Dumazet
+
+commit 5604285839aaedfb23ebe297799c6e558939334d upstream.
+
+syzbot is kind enough to remind us we need to call skb_may_pull()
+
+BUG: KMSAN: uninit-value in br_nf_forward_arp+0xe61/0x1230 net/bridge/br_netfilter_hooks.c:665
+CPU: 1 PID: 11631 Comm: syz-executor.1 Not tainted 5.4.0-rc8-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x1c9/0x220 lib/dump_stack.c:118
+ kmsan_report+0x128/0x220 mm/kmsan/kmsan_report.c:108
+ __msan_warning+0x64/0xc0 mm/kmsan/kmsan_instr.c:245
+ br_nf_forward_arp+0xe61/0x1230 net/bridge/br_netfilter_hooks.c:665
+ nf_hook_entry_hookfn include/linux/netfilter.h:135 [inline]
+ nf_hook_slow+0x18b/0x3f0 net/netfilter/core.c:512
+ nf_hook include/linux/netfilter.h:260 [inline]
+ NF_HOOK include/linux/netfilter.h:303 [inline]
+ __br_forward+0x78f/0xe30 net/bridge/br_forward.c:109
+ br_flood+0xef0/0xfe0 net/bridge/br_forward.c:234
+ br_handle_frame_finish+0x1a77/0x1c20 net/bridge/br_input.c:162
+ nf_hook_bridge_pre net/bridge/br_input.c:245 [inline]
+ br_handle_frame+0xfb6/0x1eb0 net/bridge/br_input.c:348
+ __netif_receive_skb_core+0x20b9/0x51a0 net/core/dev.c:4830
+ __netif_receive_skb_one_core net/core/dev.c:4927 [inline]
+ __netif_receive_skb net/core/dev.c:5043 [inline]
+ process_backlog+0x610/0x13c0 net/core/dev.c:5874
+ napi_poll net/core/dev.c:6311 [inline]
+ net_rx_action+0x7a6/0x1aa0 net/core/dev.c:6379
+ __do_softirq+0x4a1/0x83a kernel/softirq.c:293
+ do_softirq_own_stack+0x49/0x80 arch/x86/entry/entry_64.S:1091
+
+ do_softirq kernel/softirq.c:338 [inline]
+ __local_bh_enable_ip+0x184/0x1d0 kernel/softirq.c:190
+ local_bh_enable+0x36/0x40 include/linux/bottom_half.h:32
+ rcu_read_unlock_bh include/linux/rcupdate.h:688 [inline]
+ __dev_queue_xmit+0x38e8/0x4200 net/core/dev.c:3819
+ dev_queue_xmit+0x4b/0x60 net/core/dev.c:3825
+ packet_snd net/packet/af_packet.c:2959 [inline]
+ packet_sendmsg+0x8234/0x9100 net/packet/af_packet.c:2984
+ sock_sendmsg_nosec net/socket.c:637 [inline]
+ sock_sendmsg net/socket.c:657 [inline]
+ __sys_sendto+0xc44/0xc70 net/socket.c:1952
+ __do_sys_sendto net/socket.c:1964 [inline]
+ __se_sys_sendto+0x107/0x130 net/socket.c:1960
+ __x64_sys_sendto+0x6e/0x90 net/socket.c:1960
+ do_syscall_64+0xb6/0x160 arch/x86/entry/common.c:291
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+RIP: 0033:0x45a679
+Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
+RSP: 002b:00007f0a3c9e5c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
+RAX: ffffffffffffffda RBX: 0000000000000006 RCX: 000000000045a679
+RDX: 000000000000000e RSI: 0000000020000200 RDI: 0000000000000003
+RBP: 000000000075bf20 R08: 00000000200000c0 R09: 0000000000000014
+R10: 0000000000000000 R11: 0000000000000246 R12: 00007f0a3c9e66d4
+R13: 00000000004c8ec1 R14: 00000000004dfe28 R15: 00000000ffffffff
+
+Uninit was created at:
+ kmsan_save_stack_with_flags mm/kmsan/kmsan.c:149 [inline]
+ kmsan_internal_poison_shadow+0x5c/0x110 mm/kmsan/kmsan.c:132
+ kmsan_slab_alloc+0x97/0x100 mm/kmsan/kmsan_hooks.c:86
+ slab_alloc_node mm/slub.c:2773 [inline]
+ __kmalloc_node_track_caller+0xe27/0x11a0 mm/slub.c:4381
+ __kmalloc_reserve net/core/skbuff.c:141 [inline]
+ __alloc_skb+0x306/0xa10 net/core/skbuff.c:209
+ alloc_skb include/linux/skbuff.h:1049 [inline]
+ alloc_skb_with_frags+0x18c/0xa80 net/core/skbuff.c:5662
+ sock_alloc_send_pskb+0xafd/0x10a0 net/core/sock.c:2244
+ packet_alloc_skb net/packet/af_packet.c:2807 [inline]
+ packet_snd net/packet/af_packet.c:2902 [inline]
+ packet_sendmsg+0x63a6/0x9100 net/packet/af_packet.c:2984
+ sock_sendmsg_nosec net/socket.c:637 [inline]
+ sock_sendmsg net/socket.c:657 [inline]
+ __sys_sendto+0xc44/0xc70 net/socket.c:1952
+ __do_sys_sendto net/socket.c:1964 [inline]
+ __se_sys_sendto+0x107/0x130 net/socket.c:1960
+ __x64_sys_sendto+0x6e/0x90 net/socket.c:1960
+ do_syscall_64+0xb6/0x160 arch/x86/entry/common.c:291
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+Fixes: c4e70a87d975 ("netfilter: bridge: rename br_netfilter.c to br_netfilter_hooks.c")
+Signed-off-by: Eric Dumazet
+Reported-by: syzbot
+Reviewed-by: Florian Westphal
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/bridge/br_netfilter_hooks.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/bridge/br_netfilter_hooks.c
++++ b/net/bridge/br_netfilter_hooks.c
+@@ -638,6 +638,9 @@ static unsigned int br_nf_forward_arp(vo
+ nf_bridge_pull_encap_header(skb);
+ }
+
++ if (unlikely(!pskb_may_pull(skb, sizeof(struct arphdr))))
++ return NF_DROP;
++
+ if (arp_hdr(skb)->ar_pln != 4) {
+ if (IS_VLAN_ARP(skb))
+ nf_bridge_push_encap_header(skb);
diff --git a/queue-4.4/netfilter-ebtables-compat-reject-all-padding-in-matches-watchers.patch b/queue-4.4/netfilter-ebtables-compat-reject-all-padding-in-matches-watchers.patch
new file mode 100644
index 00000000000..7c6b14f23c7
--- /dev/null
+++ b/queue-4.4/netfilter-ebtables-compat-reject-all-padding-in-matches-watchers.patch
@@ -0,0 +1,138 @@
+From e608f631f0ba5f1fc5ee2e260a3a35d13107cbfe Mon Sep 17 00:00:00 2001
+From: Florian Westphal
+Date: Sun, 15 Dec 2019 03:49:25 +0100
+Subject: netfilter: ebtables: compat: reject all padding in matches/watchers
+
+From: Florian Westphal
+
+commit e608f631f0ba5f1fc5ee2e260a3a35d13107cbfe upstream.
+
+syzbot reported following splat:
+
+BUG: KASAN: vmalloc-out-of-bounds in size_entry_mwt net/bridge/netfilter/ebtables.c:2063 [inline]
+BUG: KASAN: vmalloc-out-of-bounds in compat_copy_entries+0x128b/0x1380 net/bridge/netfilter/ebtables.c:2155
+Read of size 4 at addr ffffc900004461f4 by task syz-executor267/7937
+
+CPU: 1 PID: 7937 Comm: syz-executor267 Not tainted 5.5.0-rc1-syzkaller #0
+ size_entry_mwt net/bridge/netfilter/ebtables.c:2063 [inline]
+ compat_copy_entries+0x128b/0x1380 net/bridge/netfilter/ebtables.c:2155
+ compat_do_replace+0x344/0x720 net/bridge/netfilter/ebtables.c:2249
+ compat_do_ebt_set_ctl+0x22f/0x27e net/bridge/netfilter/ebtables.c:2333
+ [..]
+
+Because padding isn't considered during computation of ->buf_user_offset,
+"total" is decremented by fewer bytes than it should.
+
+Therefore, the first part of
+
+if (*total < sizeof(*entry) || entry->next_offset < sizeof(*entry))
+
+will pass, -- it should not have. This causes oob access:
+entry->next_offset is past the vmalloced size.
+
+Reject padding and check that computed user offset (sum of ebt_entry
+structure plus all individual matches/watchers/targets) is same
+value that userspace gave us as the offset of the next entry.
+
+Reported-by: syzbot+f68108fed972453a0ad4@syzkaller.appspotmail.com
+Fixes: 81e675c227ec ("netfilter: ebtables: add CONFIG_COMPAT support")
+Signed-off-by: Florian Westphal
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/bridge/netfilter/ebtables.c | 33 ++++++++++++++++-----------------
+ 1 file changed, 16 insertions(+), 17 deletions(-)
+
+--- a/net/bridge/netfilter/ebtables.c
++++ b/net/bridge/netfilter/ebtables.c
+@@ -1883,7 +1883,7 @@ static int ebt_buf_count(struct ebt_entr
+ }
+
+ static int ebt_buf_add(struct ebt_entries_buf_state *state,
+- void *data, unsigned int sz)
++ const void *data, unsigned int sz)
+ {
+ if (state->buf_kern_start == NULL)
+ goto count_only;
+@@ -1917,7 +1917,7 @@ enum compat_mwt {
+ EBT_COMPAT_TARGET,
+ };
+
+-static int compat_mtw_from_user(struct compat_ebt_entry_mwt *mwt,
++static int compat_mtw_from_user(const struct compat_ebt_entry_mwt *mwt,
+ enum compat_mwt compat_mwt,
+ struct ebt_entries_buf_state *state,
+ const unsigned char *base)
+@@ -1994,22 +1994,23 @@ static int compat_mtw_from_user(struct c
+ * return size of all matches, watchers or target, including necessary
+ * alignment and padding.
+ */
+-static int ebt_size_mwt(struct compat_ebt_entry_mwt *match32,
++static int ebt_size_mwt(const struct compat_ebt_entry_mwt *match32,
+ unsigned int size_left, enum compat_mwt type,
+ struct ebt_entries_buf_state *state, const void *base)
+ {
++ const char *buf = (const char *)match32;
+ int growth = 0;
+- char *buf;
+
+ if (size_left == 0)
+ return 0;
+
+- buf = (char *) match32;
+-
+- while (size_left >= sizeof(*match32)) {
++ do {
+ struct ebt_entry_match *match_kern;
+ int ret;
+
++ if (size_left < sizeof(*match32))
++ return -EINVAL;
++
+ match_kern = (struct ebt_entry_match *) state->buf_kern_start;
+ if (match_kern) {
+ char *tmp;
+@@ -2046,22 +2047,18 @@ static int ebt_size_mwt(struct compat_eb
+ if (match_kern)
+ match_kern->match_size = ret;
+
+- /* rule should have no remaining data after target */
+- if (type == EBT_COMPAT_TARGET && size_left)
+- return -EINVAL;
+-
+ match32 = (struct compat_ebt_entry_mwt *) buf;
+- }
++ } while (size_left);
+
+ return growth;
+ }
+
+ /* called for all ebt_entry structures. */
+-static int size_entry_mwt(struct ebt_entry *entry, const unsigned char *base,
++static int size_entry_mwt(const struct ebt_entry *entry, const unsigned char *base,
+ unsigned int *total,
+ struct ebt_entries_buf_state *state)
+ {
+- unsigned int i, j, startoff, new_offset = 0;
++ unsigned int i, j, startoff, next_expected_off, new_offset = 0;
+ /* stores match/watchers/targets & offset of next struct ebt_entry: */
+ unsigned int offsets[4];
+ unsigned int *offsets_update = NULL;
+@@ -2149,11 +2146,13 @@ static int size_entry_mwt(struct ebt_ent
+ return ret;
+ }
+
+- startoff = state->buf_user_offset - startoff;
++ next_expected_off = state->buf_user_offset - startoff;
++ if (next_expected_off != entry->next_offset)
++ return -EINVAL;
+
+- if (WARN_ON(*total < startoff))
++ if (*total < entry->next_offset)
+ return -EINVAL;
+- *total -= entry->next_offset;
+ return 0;
+ }
+
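Review bot: The new `if (next_expected_off != entry->next_offset) return -EINVAL;` in size_entry_mwt() carries the whole rationale from the commit message but no comment, so a reader of the resulting code will not see why exact equality, rather than a `<=` bound, is what makes the later `*total -= entry->next_offset` safe. Suggest placing `/* reject any padding: next_offset must equal exactly ebt_entry + matches/watchers/target as counted into buf_user_offset */` above the check. The same goes for the new `size_left < sizeof(*match32)` guard in ebt_size_mwt(): it replaces the old while-condition, so a short trailing remainder that the old loop silently stopped on is now an error, and a one-line comment saying so would help future backporters. Both ebt_size_mwt and size_entry_mwt continue outside their hunks.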
diff --git a/queue-4.4/series b/queue-4.4/series
index b9cd561d625..8fcc5f6e2af 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -128,3 +128,8 @@ alsa-hda-downgrade-error-message-for-single-cmd-fall.patch
 make-filldir-verify-the-directory-entry-filename-is-valid.patch
 filldir-remove-warn_on_once-for-bad-directory-entries.patch
 net-davinci_cpdma-use-dma_addr_t-for-dma-address.patch
+netfilter-ebtables-compat-reject-all-padding-in-matches-watchers.patch
+6pack-mkiss-fix-possible-deadlock.patch
+netfilter-bridge-make-sure-to-pull-arp-header-in-br_nf_forward_arp.patch
+net-icmp-fix-data-race-in-cmp_global_allow.patch
+hrtimer-annotate-lockless-access-to-timer-state.patch