From: Greg Kroah-Hartman Date: Wed, 26 Aug 2020 14:11:30 +0000 (+0200) Subject: 4.19-stable patches X-Git-Tag: v5.7.19~4 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e576c7481be3dc31076fc1b7e31e89c859aa8d22;p=thirdparty%2Fkernel%2Fstable-queue.git 4.19-stable patches added patches: gre6-fix-reception-with-ip6_tnl_f_rcv_dscp_copy.patch ipvlan-fix-device-features.patch net-ena-make-missed_tx-stat-incremental.patch net-fix-potential-wrong-skb-protocol-in-skb_vlan_untag.patch net-qrtr-fix-usage-of-idr-in-port-assignment-to-socket.patch net-smc-prevent-kernel-infoleak-in-__smc_diag_dump.patch powerpc-64s-don-t-init-fscr_dscr-in-__init_fscr.patch tipc-fix-uninit-skb-data-in-tipc_nl_compat_dumpit.patch --- diff --git a/queue-4.19/gre6-fix-reception-with-ip6_tnl_f_rcv_dscp_copy.patch b/queue-4.19/gre6-fix-reception-with-ip6_tnl_f_rcv_dscp_copy.patch new file mode 100644 index 00000000000..49db49dd13f --- /dev/null +++ b/queue-4.19/gre6-fix-reception-with-ip6_tnl_f_rcv_dscp_copy.patch 
@@ -0,0 +1,42 @@
+From foo@baz Wed Aug 26 04:08:50 PM CEST 2020
+From: Mark Tomlinson
+Date: Wed, 19 Aug 2020 13:53:58 +1200
+Subject: gre6: Fix reception with IP6_TNL_F_RCV_DSCP_COPY
+
+From: Mark Tomlinson
+
+[ Upstream commit 272502fcb7cda01ab07fc2fcff82d1d2f73d43cc ]
+
+When receiving an IPv4 packet inside an IPv6 GRE packet, and the
+IP6_TNL_F_RCV_DSCP_COPY flag is set on the tunnel, the IPv4 header would
+get corrupted. This is due to the common ip6_tnl_rcv() function assuming
+that the inner header is always IPv6. This patch checks the tunnel
+protocol for IPv4 inner packets, but still defaults to IPv6.
+
+Fixes: 308edfdf1563 ("gre6: Cleanup GREv6 receive path, call common GRE functions")
+Signed-off-by: Mark Tomlinson
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv6/ip6_tunnel.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/net/ipv6/ip6_tunnel.c
++++ b/net/ipv6/ip6_tunnel.c
+@@ -865,7 +865,15 @@ int ip6_tnl_rcv(struct ip6_tnl *t, struc
+ struct metadata_dst *tun_dst,
+ bool log_ecn_err)
+ {
+- return __ip6_tnl_rcv(t, skb, tpi, tun_dst, ip6ip6_dscp_ecn_decapsulate,
++ int (*dscp_ecn_decapsulate)(const struct ip6_tnl *t,
++ const struct ipv6hdr *ipv6h,
++ struct sk_buff *skb);
++
++ dscp_ecn_decapsulate = ip6ip6_dscp_ecn_decapsulate;
++ if (tpi->proto == htons(ETH_P_IP))
++ dscp_ecn_decapsulate = ip4ip6_dscp_ecn_decapsulate;
++
++ return __ip6_tnl_rcv(t, skb, tpi, tun_dst, dscp_ecn_decapsulate,
+ log_ecn_err);
+ }
+ EXPORT_SYMBOL(ip6_tnl_rcv);
diff --git a/queue-4.19/ipvlan-fix-device-features.patch b/queue-4.19/ipvlan-fix-device-features.patch
new file mode 100644
index 00000000000..09b6b27c8ab
--- /dev/null
+++ b/queue-4.19/ipvlan-fix-device-features.patch
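Review bot: The callback selection treats every tpi->proto other than ETH_P_IP as IPv6, so ip6ip6_dscp_ecn_decapsulate still runs on whatever else reaches ip6_tnl_rcv() and reads the inner header as an IPv6 header; the hunk gives no hint whether anything besides ETH_P_IP and ETH_P_IPV6 can arrive here. A one-line comment on the default would save the next reader that question: `/* Inner header is IPv6 unless the tunnel proto says ETH_P_IP; anything else keeps the IPv6 handler */`. The first line of ip6_tnl_rcv()'s signature is visible only in the hunk header; the rest of the function is within the hunk.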
@@ -0,0 +1,108 @@
+From foo@baz Wed Aug 26 03:58:58 PM CEST 2020
+From: Mahesh Bandewar
+Date: Fri, 14 Aug 2020 22:53:24 -0700
+Subject: ipvlan: fix device features
+
+From: Mahesh Bandewar
+
+[ Upstream commit d0f5c7076e01fef6fcb86988d9508bf3ce258bd4 ]
+
+Processing NETDEV_FEAT_CHANGE causes IPvlan links to lose
+NETIF_F_LLTX feature because of the incorrect handling of
+features in ipvlan_fix_features().
+
+--before--
+lpaa10:~# ethtool -k ipvl0 | grep tx-lockless
+tx-lockless: on [fixed]
+lpaa10:~# ethtool -K ipvl0 tso off
+Cannot change tcp-segmentation-offload
+Actual changes:
+vlan-challenged: off [fixed]
+tx-lockless: off [fixed]
+lpaa10:~# ethtool -k ipvl0 | grep tx-lockless
+tx-lockless: off [fixed]
+lpaa10:~#
+
+--after--
+lpaa10:~# ethtool -k ipvl0 | grep tx-lockless
+tx-lockless: on [fixed]
+lpaa10:~# ethtool -K ipvl0 tso off
+Cannot change tcp-segmentation-offload
+Could not change any device features
+lpaa10:~# ethtool -k ipvl0 | grep tx-lockless
+tx-lockless: on [fixed]
+lpaa10:~#
+
+Fixes: 2ad7bf363841 ("ipvlan: Initial check-in of the IPVLAN driver.")
+Signed-off-by: Mahesh Bandewar
+Cc: Eric Dumazet
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ipvlan/ipvlan_main.c | 27 ++++++++++++++++++++++-----
+ 1 file changed, 22 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/ipvlan/ipvlan_main.c
++++ b/drivers/net/ipvlan/ipvlan_main.c
+@@ -177,12 +177,21 @@ static void ipvlan_port_destroy(struct n
+ kfree(port);
+ }
+
++#define IPVLAN_ALWAYS_ON_OFLOADS \
++ (NETIF_F_SG | NETIF_F_HW_CSUM | \
++ NETIF_F_GSO_ROBUST | NETIF_F_GSO_SOFTWARE | NETIF_F_GSO_ENCAP_ALL)
++
++#define IPVLAN_ALWAYS_ON \
++ (IPVLAN_ALWAYS_ON_OFLOADS | NETIF_F_LLTX | NETIF_F_VLAN_CHALLENGED)
++
+ #define IPVLAN_FEATURES \
+- (NETIF_F_SG | NETIF_F_CSUM_MASK | NETIF_F_HIGHDMA | NETIF_F_FRAGLIST | \
++ (NETIF_F_SG | NETIF_F_HW_CSUM | NETIF_F_HIGHDMA | NETIF_F_FRAGLIST | \
+ NETIF_F_GSO | NETIF_F_TSO | NETIF_F_GSO_ROBUST | \
+ NETIF_F_TSO_ECN | NETIF_F_TSO6 | NETIF_F_GRO | NETIF_F_RXCSUM | \
+ NETIF_F_HW_VLAN_CTAG_FILTER | NETIF_F_HW_VLAN_STAG_FILTER)
+
++ /* NETIF_F_GSO_ENCAP_ALL NETIF_F_GSO_SOFTWARE Newly added */
++
+ #define IPVLAN_STATE_MASK \
+ ((1<<__LINK_STATE_NOCARRIER) | (1<<__LINK_STATE_DORMANT))
+
+@@ -196,7 +205,9 @@ static int ipvlan_init(struct net_device
+ dev->state = (dev->state & ~IPVLAN_STATE_MASK) |
+ (phy_dev->state & IPVLAN_STATE_MASK);
+ dev->features = phy_dev->features & IPVLAN_FEATURES;
+- dev->features |= NETIF_F_LLTX | NETIF_F_VLAN_CHALLENGED;
++ dev->features |= IPVLAN_ALWAYS_ON;
++ dev->vlan_features = phy_dev->vlan_features & IPVLAN_FEATURES;
++ dev->vlan_features |= IPVLAN_ALWAYS_ON_OFLOADS;
+ dev->gso_max_size = phy_dev->gso_max_size;
+ dev->gso_max_segs = phy_dev->gso_max_segs;
+ dev->hard_header_len = phy_dev->hard_header_len;
+@@ -297,7 +308,14 @@ static netdev_features_t ipvlan_fix_feat
+ {
+ struct ipvl_dev *ipvlan = netdev_priv(dev);
+
+- return features & (ipvlan->sfeatures | ~IPVLAN_FEATURES);
++ features |= NETIF_F_ALL_FOR_ALL;
++ features &= (ipvlan->sfeatures | ~IPVLAN_FEATURES);
++ features = netdev_increment_features(ipvlan->phy_dev->features,
++ features, features);
++ features |= IPVLAN_ALWAYS_ON;
++ features &= (IPVLAN_FEATURES | IPVLAN_ALWAYS_ON);
++
++ return features;
+ }
+
+ static void ipvlan_change_rx_flags(struct net_device *dev, int change)
+@@ -802,10 +820,9 @@ static int ipvlan_device_event(struct no
+
+ case NETDEV_FEAT_CHANGE:
+ list_for_each_entry(ipvlan, &port->ipvlans, pnode) {
+- ipvlan->dev->features = dev->features & IPVLAN_FEATURES;
+ ipvlan->dev->gso_max_size = dev->gso_max_size;
+ ipvlan->dev->gso_max_segs = dev->gso_max_segs;
+- netdev_features_change(ipvlan->dev);
++ netdev_update_features(ipvlan->dev);
+ }
+ break;
+
diff --git a/queue-4.19/net-ena-make-missed_tx-stat-incremental.patch b/queue-4.19/net-ena-make-missed_tx-stat-incremental.patch
new file mode 100644
index 00000000000..7433952c663
--- /dev/null
+++ b/queue-4.19/net-ena-make-missed_tx-stat-incremental.patch
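Review bot: The new comment `/* NETIF_F_GSO_ENCAP_ALL NETIF_F_GSO_SOFTWARE Newly added */` sits between IPVLAN_FEATURES and IPVLAN_STATE_MASK and names two flags without saying what they were added to or why they are absent from IPVLAN_FEATURES; placed next to IPVLAN_ALWAYS_ON_OFLOADS and reworded as `/* software and encapsulation GSO are forced on via IPVLAN_ALWAYS_ON_OFLOADS rather than inherited through IPVLAN_FEATURES */` it would carry the information. Separately, the hunk narrows IPVLAN_FEATURES from NETIF_F_CSUM_MASK to NETIF_F_HW_CSUM, which the commit message does not mention; it looks intentional since NETIF_F_HW_CSUM is also forced on by IPVLAN_ALWAYS_ON_OFLOADS, but a sentence in the message would help stable reviewers. The bodies of ipvlan_init() and ipvlan_fix_features() start before their hunks.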
@@ -0,0 +1,47 @@
+From foo@baz Wed Aug 26 04:08:50 PM CEST 2020
+From: Shay Agroskin
+Date: Wed, 19 Aug 2020 20:28:38 +0300
+Subject: net: ena: Make missed_tx stat incremental
+
+From: Shay Agroskin
+
+[ Upstream commit ccd143e5150f24b9ba15145c7221b61dd9e41021 ]
+
+Most statistics in ena driver are incremented, meaning that a stat's
+value is a sum of all increases done to it since driver/queue
+initialization.
+
+This patch makes all statistics this way, effectively making missed_tx
+statistic incremental.
+Also added a comment regarding rx_drops and tx_drops to make it
+clearer how these counters are calculated.
+
+Fixes: 11095fdb712b ("net: ena: add statistics for missed tx packets")
+Signed-off-by: Shay Agroskin
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/amazon/ena/ena_netdev.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/amazon/ena/ena_netdev.c
++++ b/drivers/net/ethernet/amazon/ena/ena_netdev.c
+@@ -2736,7 +2736,7 @@ static int check_missing_comp_in_tx_queu
+ }
+
+ u64_stats_update_begin(&tx_ring->syncp);
+- tx_ring->tx_stats.missed_tx = missed_tx;
++ tx_ring->tx_stats.missed_tx += missed_tx;
+ u64_stats_update_end(&tx_ring->syncp);
+
+ return rc;
+@@ -3544,6 +3544,9 @@ static void ena_keep_alive_wd(void *adap
+ rx_drops = ((u64)desc->rx_drops_high << 32) | desc->rx_drops_low;
+
+ u64_stats_update_begin(&adapter->syncp);
++ /* These stats are accumulated by the device, so the counters indicate
++ * all drops since last reset.
++ */
+ adapter->dev_stats.rx_drops = rx_drops;
+ u64_stats_update_end(&adapter->syncp);
+ }
diff --git a/queue-4.19/net-fix-potential-wrong-skb-protocol-in-skb_vlan_untag.patch b/queue-4.19/net-fix-potential-wrong-skb-protocol-in-skb_vlan_untag.patch
new file mode 100644
index 00000000000..c382c200c00
--- /dev/null
+++ b/queue-4.19/net-fix-potential-wrong-skb-protocol-in-skb_vlan_untag.patch
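Review bot: `tx_ring->tx_stats.missed_tx += missed_tx;` makes the stat cumulative, but the local missed_tx is recomputed by the scan above it (outside the hunk) every time check_missing_comp_in_tx_queue() runs; if that scan counts every descriptor still past its completion timeout rather than only newly expired ones, the same stuck packet is added again on each watchdog pass and the counter overstates missed packets. Worth confirming against the loop; if it does recount, the increment should be limited to descriptors detected for the first time. A comment at the increment, `/* cumulative since queue init, like the other tx_stats */`, would also document the new semantics the way the rx_drops hunk does.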
@@ -0,0 +1,34 @@
+From foo@baz Wed Aug 26 04:08:50 PM CEST 2020
+From: Miaohe Lin
+Date: Sat, 15 Aug 2020 04:44:31 -0400
+Subject: net: Fix potential wrong skb->protocol in skb_vlan_untag()
+
+From: Miaohe Lin
+
+[ Upstream commit 55eff0eb7460c3d50716ed9eccf22257b046ca92 ]
+
+We may access the two bytes after vlan_hdr in vlan_set_encap_proto(). So
+we should pull VLAN_HLEN + sizeof(unsigned short) in skb_vlan_untag() or
+we may access the wrong data.
+
+Fixes: 0d5501c1c828 ("net: Always untag vlan-tagged traffic on input.")
+Signed-off-by: Miaohe Lin
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/core/skbuff.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/core/skbuff.c
++++ b/net/core/skbuff.c
+@@ -5128,8 +5128,8 @@ struct sk_buff *skb_vlan_untag(struct sk
+ skb = skb_share_check(skb, GFP_ATOMIC);
+ if (unlikely(!skb))
+ goto err_free;
+-
+- if (unlikely(!pskb_may_pull(skb, VLAN_HLEN)))
++ /* We may access the two bytes after vlan_hdr in vlan_set_encap_proto(). */
++ if (unlikely(!pskb_may_pull(skb, VLAN_HLEN + sizeof(unsigned short))))
+ goto err_free;
+
+ vhdr = (struct vlan_hdr *)skb->data;
diff --git a/queue-4.19/net-qrtr-fix-usage-of-idr-in-port-assignment-to-socket.patch b/queue-4.19/net-qrtr-fix-usage-of-idr-in-port-assignment-to-socket.patch
new file mode 100644
index 00000000000..1c849f9a648
--- /dev/null
+++ b/queue-4.19/net-qrtr-fix-usage-of-idr-in-port-assignment-to-socket.patch
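Review bot: `sizeof(unsigned short)` in the new pskb_may_pull() length is a bare size standing in for the two bytes vlan_set_encap_proto() reads behind the 802.1Q header, and the added comment says that the bytes are accessed but not that this pull is what keeps that read inside the linear area. Extending it to `/* vlan_set_encap_proto() reads the two bytes after vlan_hdr; make sure they are linear too */` states the bound's purpose, and naming the width after the field that is read rather than a C type would keep it correct if that helper changes. skb_vlan_untag() begins before the hunk and continues after it.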
@@ -0,0 +1,64 @@
+From foo@baz Wed Aug 26 04:08:50 PM CEST 2020
+From: Necip Fazil Yildiran
+Date: Mon, 17 Aug 2020 15:54:48 +0000
+Subject: net: qrtr: fix usage of idr in port assignment to socket
+
+From: Necip Fazil Yildiran
+
+[ Upstream commit 8dfddfb79653df7c38a9c8c4c034f242a36acee9 ]
+
+Passing large uint32 sockaddr_qrtr.port numbers for port allocation
+triggers a warning within idr_alloc() since the port number is cast
+to int, and thus interpreted as a negative number. This leads to
+the rejection of such valid port numbers in qrtr_port_assign() as
+idr_alloc() fails.
+
+To avoid the problem, switch to idr_alloc_u32() instead.
+
+Fixes: bdabad3e363d ("net: Add Qualcomm IPC router")
+Reported-by: syzbot+f31428628ef672716ea8@syzkaller.appspotmail.com
+Signed-off-by: Necip Fazil Yildiran
+Reviewed-by: Dmitry Vyukov
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/qrtr/qrtr.c | 20 +++++++++++---------
+ 1 file changed, 11 insertions(+), 9 deletions(-)
+
+--- a/net/qrtr/qrtr.c
++++ b/net/qrtr/qrtr.c
+@@ -554,23 +554,25 @@ static void qrtr_port_remove(struct qrtr
+ */
+ static int qrtr_port_assign(struct qrtr_sock *ipc, int *port)
+ {
++ u32 min_port;
+ int rc;
+
+ mutex_lock(&qrtr_port_lock);
+ if (!*port) {
+- rc = idr_alloc(&qrtr_ports, ipc,
+- QRTR_MIN_EPH_SOCKET, QRTR_MAX_EPH_SOCKET + 1,
+- GFP_ATOMIC);
+- if (rc >= 0)
+- *port = rc;
++ min_port = QRTR_MIN_EPH_SOCKET;
++ rc = idr_alloc_u32(&qrtr_ports, ipc, &min_port, QRTR_MAX_EPH_SOCKET, GFP_ATOMIC);
++ if (!rc)
++ *port = min_port;
+ } else if (*port < QRTR_MIN_EPH_SOCKET && !capable(CAP_NET_ADMIN)) {
+ rc = -EACCES;
+ } else if (*port == QRTR_PORT_CTRL) {
+- rc = idr_alloc(&qrtr_ports, ipc, 0, 1, GFP_ATOMIC);
++ min_port = 0;
++ rc = idr_alloc_u32(&qrtr_ports, ipc, &min_port, 0, GFP_ATOMIC);
+ } else {
+- rc = idr_alloc(&qrtr_ports, ipc, *port, *port + 1, GFP_ATOMIC);
+- if (rc >= 0)
+- *port = rc;
++ min_port = *port;
++ rc = idr_alloc_u32(&qrtr_ports, ipc, &min_port, *port, GFP_ATOMIC);
++ if (!rc)
++ *port = min_port;
+ }
+ mutex_unlock(&qrtr_port_lock);
+
diff --git a/queue-4.19/net-smc-prevent-kernel-infoleak-in-__smc_diag_dump.patch b/queue-4.19/net-smc-prevent-kernel-infoleak-in-__smc_diag_dump.patch
new file mode 100644
index 00000000000..26015392a45
--- /dev/null
+++ b/queue-4.19/net-smc-prevent-kernel-infoleak-in-__smc_diag_dump.patch
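Review bot: `*port` is still an int, so the large port numbers the commit message calls valid (0x80000000 and above) are negative here; they now satisfy the unchanged `*port < QRTR_MIN_EPH_SOCKET` test and are refused with -EACCES unless the caller has CAP_NET_ADMIN, while for a privileged caller `min_port = *port;` converts them back to the intended u32 before idr_alloc_u32(). The signed compare therefore makes the whole upper half of the port space privileged as a side effect; if that is intended a comment should say so, otherwise the compare should be done in u32, e.g. `} else if ((u32)*port < QRTR_MIN_EPH_SOCKET && !capable(CAP_NET_ADMIN)) {`, and ideally the parameter itself would become u32 so the sign round-trip disappears. qrtr_port_assign()'s return lies past the end of the hunk.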
@@ -0,0 +1,49 @@
+From foo@baz Wed Aug 26 04:08:50 PM CEST 2020
+From: Peilin Ye
+Date: Thu, 20 Aug 2020 16:30:52 +0200
+Subject: net/smc: Prevent kernel-infoleak in __smc_diag_dump()
+
+From: Peilin Ye
+
+[ Upstream commit ce51f63e63c52a4e1eee4dd040fb0ba0af3b43ab ]
+
+__smc_diag_dump() is potentially copying uninitialized kernel stack memory
+into socket buffers, since the compiler may leave a 4-byte hole near the
+beginning of `struct smcd_diag_dmbinfo`. Fix it by initializing `dinfo`
+with memset().
+
+Fixes: 4b1b7d3b30a6 ("net/smc: add SMC-D diag support")
+Suggested-by: Dan Carpenter
+Signed-off-by: Peilin Ye
+Signed-off-by: Ursula Braun
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/smc/smc_diag.c | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+--- a/net/smc/smc_diag.c
++++ b/net/smc/smc_diag.c
+@@ -169,13 +169,15 @@ static int __smc_diag_dump(struct sock *
+ (req->diag_ext & (1 << (SMC_DIAG_DMBINFO - 1))) &&
+ !list_empty(&smc->conn.lgr->list)) {
+ struct smc_connection *conn = &smc->conn;
+- struct smcd_diag_dmbinfo dinfo = {
+- .linkid = *((u32 *)conn->lgr->id),
+- .peer_gid = conn->lgr->peer_gid,
+- .my_gid = conn->lgr->smcd->local_gid,
+- .token = conn->rmb_desc->token,
+- .peer_token = conn->peer_token
+- };
++ struct smcd_diag_dmbinfo dinfo;
++
++ memset(&dinfo, 0, sizeof(dinfo));
++
++ dinfo.linkid = *((u32 *)conn->lgr->id);
++ dinfo.peer_gid = conn->lgr->peer_gid;
++ dinfo.my_gid = conn->lgr->smcd->local_gid;
++ dinfo.token = conn->rmb_desc->token;
++ dinfo.peer_token = conn->peer_token;
+
+ if (nla_put(skb, SMC_DIAG_DMBINFO, sizeof(dinfo), &dinfo) < 0)
+ goto errout;
diff --git a/queue-4.19/powerpc-64s-don-t-init-fscr_dscr-in-__init_fscr.patch b/queue-4.19/powerpc-64s-don-t-init-fscr_dscr-in-__init_fscr.patch
new file mode 100644
index 00000000000..055ec32cf00
--- /dev/null
+++ b/queue-4.19/powerpc-64s-don-t-init-fscr_dscr-in-__init_fscr.patch
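Review bot: Replacing the designated initializer with memset() plus five assignments is the right fix, but in the file it reads as a plain style regression and nothing stops a later cleanup from restoring the initializer and the hole with it; a comment at the memset would pin the reason, `/* memset, not an initializer: padding must be zeroed too, nla_put() copies sizeof(dinfo) to userspace */`. If __smc_diag_dump() copies other stack structs into the skb the same way (its body is outside the hunk), they warrant the same check.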
@@ -0,0 +1,79 @@
+From 0828137e8f16721842468e33df0460044a0c588b Mon Sep 17 00:00:00 2001
+From: Michael Ellerman
+Date: Thu, 28 May 2020 00:58:40 +1000
+Subject: powerpc/64s: Don't init FSCR_DSCR in __init_FSCR()
+
+From: Michael Ellerman
+
+commit 0828137e8f16721842468e33df0460044a0c588b upstream.
+
+__init_FSCR() was added originally in commit 2468dcf641e4 ("powerpc:
+Add support for context switching the TAR register") (Feb 2013), and
+only set FSCR_TAR.
+
+At that point FSCR (Facility Status and Control Register) was not
+context switched, so the setting was permanent after boot.
+
+Later we added initialisation of FSCR_DSCR to __init_FSCR(), in commit
+54c9b2253d34 ("powerpc: Set DSCR bit in FSCR setup") (Mar 2013), again
+that was permanent after boot.
+
+Then commit 2517617e0de6 ("powerpc: Fix context switch DSCR on
+POWER8") (Aug 2013) added a limited context switch of FSCR, just the
+FSCR_DSCR bit was context switched based on thread.dscr_inherit. That
+commit said "This clears the H/FSCR DSCR bit initially", but it
+didn't, it left the initialisation of FSCR_DSCR in __init_FSCR().
+However the initial context switch from init_task to pid 1 would clear
+FSCR_DSCR because thread.dscr_inherit was 0.
+
+That commit also introduced the requirement that FSCR_DSCR be clear
+for user processes, so that we can take the facility unavailable
+interrupt in order to manage dscr_inherit.
+
+Then in commit 152d523e6307 ("powerpc: Create context switch helpers
+save_sprs() and restore_sprs()") (Dec 2015) FSCR was added to
+thread_struct. However it still wasn't fully context switched, we just
+took the existing value and set FSCR_DSCR if the new thread had
+dscr_inherit set. FSCR was still initialised at boot to FSCR_DSCR |
+FSCR_TAR, but that value was not propagated into the thread_struct, so
+the initial context switch set FSCR_DSCR back to 0.
+
+Finally commit b57bd2de8c6c ("powerpc: Improve FSCR init and context
+switching") (Jun 2016) added a full context switch of the FSCR, and
+added an initialisation of init_task.thread.fscr to FSCR_TAR |
+FSCR_EBB, but omitted FSCR_DSCR.
+
+The end result is that swapper runs with FSCR_DSCR set because of the
+initialisation in __init_FSCR(), but no other processes do, they use
+the value from init_task.thread.fscr.
+
+Having FSCR_DSCR set for swapper allows it to access SPR 3 from
+userspace, but swapper never runs userspace, so it has no useful
+effect. It's also confusing to have the value initialised in two
+places to two different values.
+
+So remove FSCR_DSCR from __init_FSCR(), this at least gets us to the
+point where there's a single value of FSCR, even if it's still set in
+two places.
+
+Signed-off-by: Michael Ellerman
+Tested-by: Alistair Popple
+Link: https://lore.kernel.org/r/20200527145843.2761782-1-mpe@ellerman.id.au
+Cc: Thadeu Lima de Souza Cascardo
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/powerpc/kernel/cpu_setup_power.S | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/powerpc/kernel/cpu_setup_power.S
++++ b/arch/powerpc/kernel/cpu_setup_power.S
+@@ -183,7 +183,7 @@ __init_LPCR_ISA300:
+
+ __init_FSCR:
+ mfspr r3,SPRN_FSCR
+- ori r3,r3,FSCR_TAR|FSCR_DSCR|FSCR_EBB
++ ori r3,r3,FSCR_TAR|FSCR_EBB
+ mtspr SPRN_FSCR,r3
+ blr
+
diff --git a/queue-4.19/series b/queue-4.19/series
new file mode 100644
index 00000000000..58b7fcef3c1
--- /dev/null
+++ b/queue-4.19/series
@@ -0,0 +1,8 @@
+powerpc-64s-don-t-init-fscr_dscr-in-__init_fscr.patch
+gre6-fix-reception-with-ip6_tnl_f_rcv_dscp_copy.patch
+net-fix-potential-wrong-skb-protocol-in-skb_vlan_untag.patch
+net-qrtr-fix-usage-of-idr-in-port-assignment-to-socket.patch
+net-smc-prevent-kernel-infoleak-in-__smc_diag_dump.patch
+tipc-fix-uninit-skb-data-in-tipc_nl_compat_dumpit.patch
+net-ena-make-missed_tx-stat-incremental.patch
+ipvlan-fix-device-features.patch
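Review bot: After this change FSCR is still initialised in two places, as the commit message itself says, and nothing at `ori r3,r3,FSCR_TAR|FSCR_EBB` tells a reader that leaving FSCR_DSCR out is deliberate or that the mask has to agree with init_task.thread.fscr; a comment above it, `/* FSCR_DSCR deliberately clear; keep in sync with init_task.thread.fscr */`, would protect against the bit being re-added by someone matching the old value. __init_FSCR is complete within the hunk.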
diff --git a/queue-4.19/tipc-fix-uninit-skb-data-in-tipc_nl_compat_dumpit.patch b/queue-4.19/tipc-fix-uninit-skb-data-in-tipc_nl_compat_dumpit.patch
new file mode 100644
index 00000000000..bce1891ae15
--- /dev/null
+++ b/queue-4.19/tipc-fix-uninit-skb-data-in-tipc_nl_compat_dumpit.patch
@@ -0,0 +1,67 @@
+From foo@baz Wed Aug 26 04:08:50 PM CEST 2020
+From: Cong Wang
+Date: Sat, 15 Aug 2020 16:29:15 -0700
+Subject: tipc: fix uninit skb->data in tipc_nl_compat_dumpit()
+
+From: Cong Wang
+
+[ Upstream commit 47733f9daf4fe4f7e0eb9e273f21ad3a19130487 ]
+
+__tipc_nl_compat_dumpit() has two callers, and it expects them to
+pass a valid nlmsghdr via arg->data. This header is artificial and
+crafted just for __tipc_nl_compat_dumpit().
+
+tipc_nl_compat_publ_dump() does so by putting a genlmsghdr as well
+as some nested attribute, TIPC_NLA_SOCK. But the other caller
+tipc_nl_compat_dumpit() does not, this leaves arg->data uninitialized
+on this call path.
+
+Fix this by just adding a similar nlmsghdr without any payload in
+tipc_nl_compat_dumpit().
+
+This bug exists since day 1, but the recent commit 6ea67769ff33
+("net: tipc: prepare attrs in __tipc_nl_compat_dumpit()") makes it
+easier to appear.
+
+Reported-and-tested-by: syzbot+0e7181deafa7e0b79923@syzkaller.appspotmail.com
+Fixes: d0796d1ef63d ("tipc: convert legacy nl bearer dump to nl compat")
+Cc: Jon Maloy
+Cc: Ying Xue
+Cc: Richard Alpe
+Signed-off-by: Cong Wang
+Acked-by: Ying Xue
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/tipc/netlink_compat.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+--- a/net/tipc/netlink_compat.c
++++ b/net/tipc/netlink_compat.c
+@@ -255,8 +255,9 @@ err_out:
+ static int tipc_nl_compat_dumpit(struct tipc_nl_compat_cmd_dump *cmd,
+ struct tipc_nl_compat_msg *msg)
+ {
+- int err;
++ struct nlmsghdr *nlh;
+ struct sk_buff *arg;
++ int err;
+
+ if (msg->req_type && (!msg->req_size ||
+ !TLV_CHECK_TYPE(msg->req, msg->req_type)))
+@@ -285,6 +286,15 @@ static int tipc_nl_compat_dumpit(struct
+ return -ENOMEM;
+ }
+
++ nlh = nlmsg_put(arg, 0, 0, tipc_genl_family.id, 0, NLM_F_MULTI);
++ if (!nlh) {
++ kfree_skb(arg);
++ kfree_skb(msg->rep);
++ msg->rep = NULL;
++ return -EMSGSIZE;
++ }
++ nlmsg_end(arg, nlh);
++
+ err = __tipc_nl_compat_dumpit(cmd, msg, arg);
+ if (err) {
+ kfree_skb(msg->rep);
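Review bot: The nlmsg_put() with pid 0, seq 0 and no payload looks odd without the context the commit message supplies, namely that __tipc_nl_compat_dumpit() expects a valid nlmsghdr in arg->data; a comment above it, `/* __tipc_nl_compat_dumpit() expects a valid nlmsghdr in arg->data; add an empty one */`, would carry that into the code. The new failure path also spells out a three-step cleanup (free arg, free msg->rep, clear it) that the -ENOMEM path just above appears to perform as well; if so, a shared error label would keep the two from drifting apart. tipc_nl_compat_dumpit() continues past the end of the hunk.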