From: Greg Kroah-Hartman Date: Thu, 9 May 2019 17:38:56 +0000 (+0200) Subject: 4.4-stable patches X-Git-Tag: v4.9.175~9 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ccabc633b4f44b47ef261cc77fbe3bec1edc3045;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: ipv6-fix-a-potential-deadlock-in-do_ipv6_setsockopt.patch
---
diff --git a/queue-4.4/ipv6-fix-a-potential-deadlock-in-do_ipv6_setsockopt.patch b/queue-4.4/ipv6-fix-a-potential-deadlock-in-do_ipv6_setsockopt.patch
new file mode 100644
index 00000000000..bdd76b6461f
--- /dev/null
+++ b/queue-4.4/ipv6-fix-a-potential-deadlock-in-do_ipv6_setsockopt.patch
@@ -0,0 +1,109 @@
+From 8651be8f14a12d24f203f283601d9b0418c389ff Mon Sep 17 00:00:00 2001
+From: WANG Cong
+Date: Wed, 19 Oct 2016 23:35:12 -0700
+Subject: ipv6: fix a potential deadlock in do_ipv6_setsockopt()
+
+From: WANG Cong
+
+commit 8651be8f14a12d24f203f283601d9b0418c389ff upstream.
+
+Baozeng reported this deadlock case:
+
+ CPU0 CPU1
+ ---- ----
+ lock([ 165.136033] sk_lock-AF_INET6);
+ lock([ 165.136033] rtnl_mutex);
+ lock([ 165.136033] sk_lock-AF_INET6);
+ lock([ 165.136033] rtnl_mutex);
+
+Similar to commit 87e9f0315952
+("ipv4: fix a potential deadlock in mcast getsockopt() path")
+this is due to we still have a case, ipv6_sock_mc_close(),
+where we acquire sk_lock before rtnl_lock. Close this deadlock
+with the similar solution, that is always acquire rtnl lock first.
+
+Fixes: baf606d9c9b1 ("ipv4,ipv6: grab rtnl before locking the socket")
+Reported-by: Baozeng Ding
+Tested-by: Baozeng Ding
+Cc: Marcelo Ricardo Leitner
+Signed-off-by: Cong Wang
+Reviewed-by: Marcelo Ricardo Leitner
+Signed-off-by: David S.
Miller
+Cc: Zubin Mithra
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ include/net/addrconf.h | 1 +
+ net/ipv6/ipv6_sockglue.c | 3 ++-
+ net/ipv6/mcast.c | 17 ++++++++++++-----
+ 3 files changed, 15 insertions(+), 6 deletions(-)
+
+--- a/include/net/addrconf.h
++++ b/include/net/addrconf.h
+@@ -162,6 +162,7 @@ int ipv6_sock_mc_join(struct sock *sk, i
+ const struct in6_addr *addr);
+ int ipv6_sock_mc_drop(struct sock *sk, int ifindex,
+ const struct in6_addr *addr);
++void __ipv6_sock_mc_close(struct sock *sk);
+ void ipv6_sock_mc_close(struct sock *sk);
+ bool inet6_mc_check(struct sock *sk, const struct in6_addr *mc_addr,
+ const struct in6_addr *src_addr);
+--- a/net/ipv6/ipv6_sockglue.c
++++ b/net/ipv6/ipv6_sockglue.c
+@@ -121,6 +121,7 @@ struct ipv6_txoptions *ipv6_update_optio
+ static bool setsockopt_needs_rtnl(int optname)
+ {
+ switch (optname) {
++ case IPV6_ADDRFORM:
+ case IPV6_ADD_MEMBERSHIP:
+ case IPV6_DROP_MEMBERSHIP:
+ case IPV6_JOIN_ANYCAST:
+@@ -199,7 +200,7 @@ static int do_ipv6_setsockopt(struct soc
+ }
+
+ fl6_free_socklist(sk);
+- ipv6_sock_mc_close(sk);
++ __ipv6_sock_mc_close(sk);
+
+ /*
+ * Sock is moving from IPv6 to IPv4 (sk_prot), so
+--- a/net/ipv6/mcast.c
++++ b/net/ipv6/mcast.c
+@@ -276,16 +276,14 @@ static struct inet6_dev *ip6_mc_find_dev
+ return idev;
+ }
+
+-void ipv6_sock_mc_close(struct sock *sk)
++void __ipv6_sock_mc_close(struct sock *sk)
+ {
+ struct ipv6_pinfo *np = inet6_sk(sk);
+ struct ipv6_mc_socklist *mc_lst;
+ struct net *net = sock_net(sk);
+
+- if (!rcu_access_pointer(np->ipv6_mc_list))
+- return;
++ ASSERT_RTNL();
+
+- rtnl_lock();
+ while ((mc_lst = rtnl_dereference(np->ipv6_mc_list)) != NULL) {
+ struct net_device *dev;
+
+@@ -303,8 +301,17 @@ void ipv6_sock_mc_close(struct sock *sk)
+
+ atomic_sub(sizeof(*mc_lst), &sk->sk_omem_alloc);
+ kfree_rcu(mc_lst, rcu);
+-
+ }
++}
++
++void ipv6_sock_mc_close(struct sock *sk)
++{
++ struct ipv6_pinfo *np = inet6_sk(sk);
++
++ if (!rcu_access_pointer(np->ipv6_mc_list))
++
return;
++ rtnl_lock();
++ __ipv6_sock_mc_close(sk);
+ rtnl_unlock();
+ }
+
diff --git a/queue-4.4/series b/queue-4.4/series
index c09864c4cde..ad30dd7ae64 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -154,3 +154,4 @@ scsi-qla2xxx-fix-incorrect-region-size-setting-in-optrom-sysfs-routines.patch
 bluetooth-hidp-fix-buffer-overflow.patch
 bluetooth-align-minimum-encryption-key-size-for-le-and-br-edr-connections.patch
 uas-fix-alignment-of-scatter-gather-segments.patch
+ipv6-fix-a-potential-deadlock-in-do_ipv6_setsockopt.patch
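Review bot: The new non-static `__ipv6_sock_mc_close()` in net/ipv6/mcast.c, and its prototype in include/net/addrconf.h, carry no comment stating the locking contract that the split exists to enforce; `ASSERT_RTNL()` only reports a violation at run time. I would add above the definition `/* Caller must hold RTNL, taken before lock_sock(): lock order is rtnl -> sk_lock. */`. The `IPV6_ADDRFORM` branch is only correct if do_ipv6_setsockopt() takes rtnl whenever `setsockopt_needs_rtnl()` returns true, and that code lies outside the hunk, so it is worth confirming in the 4.4 tree. The `ipv6_sock_mc_close()` wrapper still calls `rtnl_lock()` itself, so any remaining caller that already holds the socket lock would presumably keep the old inversion; those callers are not visible here.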