From: Sasha Levin (Microsoft) Date: Sun, 14 Apr 2019 00:32:40 +0000 (-0400) Subject: patches for 4.19 X-Git-Tag: v4.9.169~42 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=eb2c670e134ef6ca788aecc2e66bb8b22847a9e3;p=thirdparty%2Fkernel%2Fstable-queue.git patches for 4.19 Signed-off-by: Sasha Levin (Microsoft) --- diff --git a/queue-4.19/arm64-kaslr-reserve-size-of-arm64_memstart_align-in-.patch b/queue-4.19/arm64-kaslr-reserve-size-of-arm64_memstart_align-in-.patch new file mode 100644 index 00000000000..75e72c4b6a2 --- /dev/null +++ b/queue-4.19/arm64-kaslr-reserve-size-of-arm64_memstart_align-in-.patch @@ -0,0 +1,39 @@ +From 47ed7d6da8d07637f01dab77a252bc36fe19dfcb Mon Sep 17 00:00:00 2001 +From: Yueyi Li +Date: Mon, 24 Dec 2018 07:40:07 +0000 +Subject: arm64: kaslr: Reserve size of ARM64_MEMSTART_ALIGN in linear region + +[ Upstream commit c8a43c18a97845e7f94ed7d181c11f41964976a2 ] + +When KASLR is enabled (CONFIG_RANDOMIZE_BASE=y), the top 4K of kernel +virtual address space may be mapped to physical addresses despite being +reserved for ERR_PTR values. + +Fix the randomization of the linear region so that we avoid mapping the +last page of the virtual address space. + +Cc: Ard Biesheuvel +Signed-off-by: liyueyi +[will: rewrote commit message; merged in suggestion from Ard] +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin (Microsoft) +--- + arch/arm64/mm/init.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/mm/init.c b/arch/arm64/mm/init.c +index 787e27964ab9..774c3e17c798 100644 +--- a/arch/arm64/mm/init.c ++++ b/arch/arm64/mm/init.c +@@ -450,7 +450,7 @@ void __init arm64_memblock_init(void) + * memory spans, randomize the linear region as well. + */ + if (memstart_offset_seed > 0 && range >= ARM64_MEMSTART_ALIGN) { +- range = range / ARM64_MEMSTART_ALIGN + 1; ++ range /= ARM64_MEMSTART_ALIGN; + memstart_addr -= ARM64_MEMSTART_ALIGN * + ((range * memstart_offset_seed) >> 16); + } +-- +2.19.1 + diff --git a/queue-4.19/netfilter-nfnetlink_cttimeout-fetch-timeouts-for-udp.patch b/queue-4.19/netfilter-nfnetlink_cttimeout-fetch-timeouts-for-udp.patch new file mode 100644 index 00000000000..618df287b6c --- /dev/null +++ b/queue-4.19/netfilter-nfnetlink_cttimeout-fetch-timeouts-for-udp.patch @@ -0,0 +1,140 @@ +From 6255a964f4da99e383ff4382ebce2efae4d26b3b Mon Sep 17 00:00:00 2001 +From: Florian Westphal +Date: Fri, 12 Apr 2019 10:55:03 -0700 +Subject: netfilter: nfnetlink_cttimeout: fetch timeouts for udplite and gre, + too + +commit 89259088c1b7fecb43e8e245dc931909132a4e03 upstream + +syzbot was able to trigger the WARN in cttimeout_default_get() by +passing UDPLITE as l4protocol. Alias UDPLITE to UDP, both use +same timeout values. + +Furthermore, also fetch GRE timeouts. GRE is a bit more complicated, +as it still can be a module and its netns_proto_gre struct layout isn't +visible outside of the gre module. Can't move timeouts around, it +appears conntrack sysctl unregister assumes net_generic() returns +nf_proto_net, so we get crash. Expose layout of netns_proto_gre instead. + +A followup nf-next patch could make gre tracker be built-in as well +if needed, its not that large. + +Last, make the WARN() mention the missing protocol value in case +anything else is missing. + +Reported-by: syzbot+2fae8fa157dd92618cae@syzkaller.appspotmail.com +Fixes: 8866df9264a3 ("netfilter: nfnetlink_cttimeout: pass default timeout policy to obj_to_nlattr") +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Zubin Mithra +Signed-off-by: Sasha Levin (Microsoft) +--- + include/linux/netfilter/nf_conntrack_proto_gre.h | 13 +++++++++++++ + net/netfilter/nf_conntrack_proto_gre.c | 14 ++------------ + net/netfilter/nfnetlink_cttimeout.c | 15 +++++++++++++-- + 3 files changed, 28 insertions(+), 14 deletions(-) + +diff --git a/include/linux/netfilter/nf_conntrack_proto_gre.h b/include/linux/netfilter/nf_conntrack_proto_gre.h +index b8d95564bd53..14edb795ab43 100644 +--- a/include/linux/netfilter/nf_conntrack_proto_gre.h ++++ b/include/linux/netfilter/nf_conntrack_proto_gre.h +@@ -21,6 +21,19 @@ struct nf_ct_gre_keymap { + struct nf_conntrack_tuple tuple; + }; + ++enum grep_conntrack { ++ GRE_CT_UNREPLIED, ++ GRE_CT_REPLIED, ++ GRE_CT_MAX ++}; ++ ++struct netns_proto_gre { ++ struct nf_proto_net nf; ++ rwlock_t keymap_lock; ++ struct list_head keymap_list; ++ unsigned int gre_timeouts[GRE_CT_MAX]; ++}; ++ + /* add new tuple->key_reply pair to keymap */ + int nf_ct_gre_keymap_add(struct nf_conn *ct, enum ip_conntrack_dir dir, + struct nf_conntrack_tuple *t); +diff --git a/net/netfilter/nf_conntrack_proto_gre.c b/net/netfilter/nf_conntrack_proto_gre.c +index 650eb4fba2c5..841c472aae1c 100644 +--- a/net/netfilter/nf_conntrack_proto_gre.c ++++ b/net/netfilter/nf_conntrack_proto_gre.c +@@ -43,24 +43,12 @@ + #include + #include + +-enum grep_conntrack { +- GRE_CT_UNREPLIED, +- GRE_CT_REPLIED, +- GRE_CT_MAX +-}; +- + static const unsigned int gre_timeouts[GRE_CT_MAX] = { + [GRE_CT_UNREPLIED] = 30*HZ, + [GRE_CT_REPLIED] = 180*HZ, + }; + + static unsigned int proto_gre_net_id __read_mostly; +-struct netns_proto_gre { +- struct nf_proto_net nf; +- rwlock_t keymap_lock; +- struct list_head keymap_list; +- unsigned int gre_timeouts[GRE_CT_MAX]; +-}; + + static inline struct netns_proto_gre *gre_pernet(struct net *net) + { +@@ -408,6 +396,8 @@ static int __init nf_ct_proto_gre_init(void) + { + int ret; + ++ BUILD_BUG_ON(offsetof(struct netns_proto_gre, nf) != 0); ++ + ret = register_pernet_subsys(&proto_gre_net_ops); + if (ret < 0) + goto out_pernet; +diff --git a/net/netfilter/nfnetlink_cttimeout.c b/net/netfilter/nfnetlink_cttimeout.c +index 1dc4ea327cbe..70a7382b9787 100644 +--- a/net/netfilter/nfnetlink_cttimeout.c ++++ b/net/netfilter/nfnetlink_cttimeout.c +@@ -469,7 +469,8 @@ static int cttimeout_default_get(struct net *net, struct sock *ctnl, + case IPPROTO_TCP: + timeouts = net->ct.nf_ct_proto.tcp.timeouts; + break; +- case IPPROTO_UDP: ++ case IPPROTO_UDP: /* fallthrough */ ++ case IPPROTO_UDPLITE: + timeouts = net->ct.nf_ct_proto.udp.timeouts; + break; + case IPPROTO_DCCP: +@@ -483,13 +484,23 @@ static int cttimeout_default_get(struct net *net, struct sock *ctnl, + case IPPROTO_SCTP: + #ifdef CONFIG_NF_CT_PROTO_SCTP + timeouts = net->ct.nf_ct_proto.sctp.timeouts; ++#endif ++ break; ++ case IPPROTO_GRE: ++#ifdef CONFIG_NF_CT_PROTO_GRE ++ if (l4proto->net_id) { ++ struct netns_proto_gre *net_gre; ++ ++ net_gre = net_generic(net, *l4proto->net_id); ++ timeouts = net_gre->gre_timeouts; ++ } + #endif + break; + case 255: + timeouts = &net->ct.nf_ct_proto.generic.timeout; + break; + default: +- WARN_ON_ONCE(1); ++ WARN_ONCE(1, "Missing timeouts for proto %d", l4proto->l4proto); + break; + } + +-- +2.19.1 + diff --git a/queue-4.19/netfilter-nfnetlink_cttimeout-pass-default-timeout-p.patch b/queue-4.19/netfilter-nfnetlink_cttimeout-pass-default-timeout-p.patch new file mode 100644 index 00000000000..56502463a46 --- /dev/null +++ b/queue-4.19/netfilter-nfnetlink_cttimeout-pass-default-timeout-p.patch @@ -0,0 +1,119 @@ +From f6ba29638407e087751948214419fb695cec8347 Mon Sep 17 00:00:00 2001 +From: Pablo Neira Ayuso +Date: Fri, 12 Apr 2019 10:55:02 -0700 +Subject: netfilter: nfnetlink_cttimeout: pass default timeout policy to + obj_to_nlattr + +commit 8866df9264a34e675b4ee8a151db819b87cce2d3 upstream + +Otherwise, we hit a NULL pointer deference since handlers always assume +default timeout policy is passed. + + netlink: 24 bytes leftover after parsing attributes in process `syz-executor2'. + kasan: CONFIG_KASAN_INLINE enabled + kasan: GPF could be caused by NULL-ptr deref or user memory access + general protection fault: 0000 [#1] PREEMPT SMP KASAN + CPU: 0 PID: 9575 Comm: syz-executor1 Not tainted 4.19.0+ #312 + Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 + RIP: 0010:icmp_timeout_obj_to_nlattr+0x77/0x170 net/netfilter/nf_conntrack_proto_icmp.c:297 + +Fixes: c779e849608a ("netfilter: conntrack: remove get_timeout() indirection") +Reported-by: Eric Dumazet +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Zubin Mithra +Signed-off-by: Sasha Levin (Microsoft) +--- + net/netfilter/nfnetlink_cttimeout.c | 46 +++++++++++++++++++++++++---- + 1 file changed, 40 insertions(+), 6 deletions(-) + +diff --git a/net/netfilter/nfnetlink_cttimeout.c b/net/netfilter/nfnetlink_cttimeout.c +index a30f8ba4b89a..1dc4ea327cbe 100644 +--- a/net/netfilter/nfnetlink_cttimeout.c ++++ b/net/netfilter/nfnetlink_cttimeout.c +@@ -392,7 +392,8 @@ err: + static int + cttimeout_default_fill_info(struct net *net, struct sk_buff *skb, u32 portid, + u32 seq, u32 type, int event, +- const struct nf_conntrack_l4proto *l4proto) ++ const struct nf_conntrack_l4proto *l4proto, ++ const unsigned int *timeouts) + { + struct nlmsghdr *nlh; + struct nfgenmsg *nfmsg; +@@ -421,7 +422,7 @@ cttimeout_default_fill_info(struct net *net, struct sk_buff *skb, u32 portid, + if (!nest_parms) + goto nla_put_failure; + +- ret = l4proto->ctnl_timeout.obj_to_nlattr(skb, NULL); ++ ret = l4proto->ctnl_timeout.obj_to_nlattr(skb, timeouts); + if (ret < 0) + goto nla_put_failure; + +@@ -444,6 +445,7 @@ static int cttimeout_default_get(struct net *net, struct sock *ctnl, + struct netlink_ext_ack *extack) + { + const struct nf_conntrack_l4proto *l4proto; ++ unsigned int *timeouts = NULL; + struct sk_buff *skb2; + int ret, err; + __u16 l3num; +@@ -456,12 +458,44 @@ static int cttimeout_default_get(struct net *net, struct sock *ctnl, + l4num = nla_get_u8(cda[CTA_TIMEOUT_L4PROTO]); + l4proto = nf_ct_l4proto_find_get(l3num, l4num); + +- /* This protocol is not supported, skip. */ +- if (l4proto->l4proto != l4num) { +- err = -EOPNOTSUPP; ++ err = -EOPNOTSUPP; ++ if (l4proto->l4proto != l4num) + goto err; ++ ++ switch (l4proto->l4proto) { ++ case IPPROTO_ICMP: ++ timeouts = &net->ct.nf_ct_proto.icmp.timeout; ++ break; ++ case IPPROTO_TCP: ++ timeouts = net->ct.nf_ct_proto.tcp.timeouts; ++ break; ++ case IPPROTO_UDP: ++ timeouts = net->ct.nf_ct_proto.udp.timeouts; ++ break; ++ case IPPROTO_DCCP: ++#ifdef CONFIG_NF_CT_PROTO_DCCP ++ timeouts = net->ct.nf_ct_proto.dccp.dccp_timeout; ++#endif ++ break; ++ case IPPROTO_ICMPV6: ++ timeouts = &net->ct.nf_ct_proto.icmpv6.timeout; ++ break; ++ case IPPROTO_SCTP: ++#ifdef CONFIG_NF_CT_PROTO_SCTP ++ timeouts = net->ct.nf_ct_proto.sctp.timeouts; ++#endif ++ break; ++ case 255: ++ timeouts = &net->ct.nf_ct_proto.generic.timeout; ++ break; ++ default: ++ WARN_ON_ONCE(1); ++ break; + } + ++ if (!timeouts) ++ goto err; ++ + skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL); + if (skb2 == NULL) { + err = -ENOMEM; +@@ -472,7 +506,7 @@ static int cttimeout_default_get(struct net *net, struct sock *ctnl, + nlh->nlmsg_seq, + NFNL_MSG_TYPE(nlh->nlmsg_type), + IPCTNL_MSG_TIMEOUT_DEFAULT_SET, +- l4proto); ++ l4proto, timeouts); + if (ret <= 0) { + kfree_skb(skb2); + err = -ENOMEM; +-- +2.19.1 + diff --git a/queue-4.19/series b/queue-4.19/series index ae615b03001..21eec166ba0 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -39,3 +39,6 @@ kbuild-clang-choose-gcc_toolchain_dir-not-on-ld.patch x86-vdso-drop-implicit-common-page-size-linker-flag.patch lib-string.c-implement-a-basic-bcmp.patch revert-clk-meson-clean-up-clock-registration.patch +netfilter-nfnetlink_cttimeout-pass-default-timeout-p.patch +netfilter-nfnetlink_cttimeout-fetch-timeouts-for-udp.patch +arm64-kaslr-reserve-size-of-arm64_memstart_align-in-.patch