From: Sasha Levin
Date: Mon, 12 Oct 2020 02:46:09 +0000 (-0400)
Subject: Fixes for 4.9
X-Git-Tag: v4.4.239~18
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=feec242e0b62c14ba501ab6317b9244b28697374;p=thirdparty%2Fkernel%2Fstable-queue.git

Fixes for 4.9

Signed-off-by: Sasha Levin
---
diff --git a/queue-4.9/bonding-set-dev-needed_headroom-in-bond_setup_by_sla.patch b/queue-4.9/bonding-set-dev-needed_headroom-in-bond_setup_by_sla.patch
new file mode 100644
index 00000000000..a6981df503e
--- /dev/null
+++ b/queue-4.9/bonding-set-dev-needed_headroom-in-bond_setup_by_sla.patch
@@ -0,0 +1,71 @@ +From f7eb4346f12400b926c5aca072748c4707466536 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Sep 2020 06:38:07 -0700 +Subject: bonding: set dev->needed_headroom in bond_setup_by_slave() + +From: Eric Dumazet + +[ Upstream commit f32f19339596b214c208c0dba716f4b6cc4f6958 ] + +syzbot managed to crash a host by creating a bond +with a GRE device. + +For non Ethernet device, bonding calls bond_setup_by_slave() +instead of ether_setup(), and unfortunately dev->needed_headroom +was not copied from the new added member. + +[ 171.243095] skbuff: skb_under_panic: text:ffffffffa184b9ea len:116 put:20 head:ffff883f84012dc0 data:ffff883f84012dbc tail:0x70 end:0xd00 dev:bond0 +[ 171.243111] ------------[ cut here ]------------ +[ 171.243112] kernel BUG at net/core/skbuff.c:112! +[ 171.243117] invalid opcode: 0000 [#1] SMP KASAN PTI +[ 171.243469] gsmi: Log Shutdown Reason 0x03 +[ 171.243505] Call Trace: +[ 171.243506] +[ 171.243512] [] skb_push+0x49/0x50 +[ 171.243516] [] ipgre_header+0x2a/0xf0 +[ 171.243520] [] neigh_connected_output+0xb7/0x100 +[ 171.243524] [] ip6_finish_output2+0x383/0x490 +[ 171.243528] [] __ip6_finish_output+0xa2/0x110 +[ 171.243531] [] ip6_finish_output+0x2c/0xa0 +[ 171.243534] [] ip6_output+0x69/0x110 +[ 171.243537] [] ? ip6_output+0x110/0x110 +[ 171.243541] [] mld_sendpack+0x1b2/0x2d0 +[ 171.243544] [] ? mld_send_report+0xf0/0xf0 +[ 171.243548] [] mld_ifc_timer_expire+0x2d7/0x3b0 +[ 171.243551] [] ? mld_gq_timer_expire+0x50/0x50 +[ 171.243556] [] call_timer_fn+0x30/0x130 +[ 171.243559] [] expire_timers+0x4c/0x110 +[ 171.243563] [] __run_timers+0x213/0x260 +[ 171.243566] [] ? ktime_get+0x3d/0xa0 +[ 171.243570] [] ? clockevents_program_event+0x7e/0xe0 +[ 171.243574] [] ? 
sched_clock_cpu+0x15/0x190 +[ 171.243577] [] run_timer_softirq+0x1d/0x40 +[ 171.243581] [] __do_softirq+0x152/0x2f0 +[ 171.243585] [] irq_exit+0x9f/0xb0 +[ 171.243588] [] smp_apic_timer_interrupt+0xfd/0x1a0 +[ 171.243591] [] apic_timer_interrupt+0x86/0x90 + +Fixes: f5184d267c1a ("net: Allow netdevices to specify needed head/tailroom") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/bonding/bond_main.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c +index 8322129c3f987..240d7850c8252 100644 +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -1129,6 +1129,7 @@ static void bond_setup_by_slave(struct net_device *bond_dev, + + bond_dev->type = slave_dev->type; + bond_dev->hard_header_len = slave_dev->hard_header_len; ++ bond_dev->needed_headroom = slave_dev->needed_headroom; + bond_dev->addr_len = slave_dev->addr_len; + + memcpy(bond_dev->broadcast, slave_dev->broadcast, +-- +2.25.1 + diff --git a/queue-4.9/mdio-fix-mdio-thunder.c-dependency-build-error.patch b/queue-4.9/mdio-fix-mdio-thunder.c-dependency-build-error.patch new file mode 100644 index 00000000000..1a5961dcd44 --- /dev/null +++ b/queue-4.9/mdio-fix-mdio-thunder.c-dependency-build-error.patch 
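Review bot: The added `bond_dev->needed_headroom = slave_dev->needed_headroom;` in bond_setup_by_slave() snapshots the headroom of the slave present at setup time only; if a later-enslaved non-Ethernet device advertises a larger needed_headroom this value is not raised, so it is worth confirming that the 4.9 enslave path (bond_compute_features() or a sibling) recomputes it. The same reasoning may apply to `needed_tailroom`, which this hunk still leaves at the bond's default — I have not verified whether any non-Ethernet slave type relies on it. The rest of bond_setup_by_slave() lies outside the hunk.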
@@ -0,0 +1,45 @@ +From aadd7a1f609c679f91e1a531025d355ba99add2c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 26 Sep 2020 21:33:43 -0700 +Subject: mdio: fix mdio-thunder.c dependency & build error + +From: Randy Dunlap + +[ Upstream commit 7dbbcf496f2a4b6d82cfc7810a0746e160b79762 ] + +Fix build error by selecting MDIO_DEVRES for MDIO_THUNDER. +Fixes this build error: + +ld: drivers/net/phy/mdio-thunder.o: in function `thunder_mdiobus_pci_probe': +drivers/net/phy/mdio-thunder.c:78: undefined reference to `devm_mdiobus_alloc_size' + +Fixes: 379d7ac7ca31 ("phy: mdio-thunder: Add driver for Cavium Thunder SoC MDIO buses.") +Reported-by: kernel test robot +Signed-off-by: Randy Dunlap +Cc: Bartosz Golaszewski +Cc: Andrew Lunn +Cc: Heiner Kallweit +Cc: netdev@vger.kernel.org +Cc: David Daney +Reviewed-by: Andrew Lunn +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/phy/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/phy/Kconfig b/drivers/net/phy/Kconfig +index 2651c8d8de2f8..032017bd0ced5 100644 +--- a/drivers/net/phy/Kconfig ++++ b/drivers/net/phy/Kconfig +@@ -135,6 +135,7 @@ config MDIO_THUNDER + depends on 64BIT + depends on PCI + select MDIO_CAVIUM ++ select MDIO_DEVRES + help + This driver supports the MDIO interfaces found on Cavium + ThunderX SoCs when the MDIO bus device appears as a PCI +-- +2.25.1 + diff --git a/queue-4.9/net-stmmac-removed-enabling-eee-in-eee-set-callback.patch b/queue-4.9/net-stmmac-removed-enabling-eee-in-eee-set-callback.patch new file mode 100644 index 00000000000..d33dcdae77a --- /dev/null +++ b/queue-4.9/net-stmmac-removed-enabling-eee-in-eee-set-callback.patch 
@@ -0,0 +1,66 @@ +From 86c224699ef900dda3c711a2caaf74d76b8b7795 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Sep 2020 16:56:14 +0800 +Subject: net: stmmac: removed enabling eee in EEE set callback + +From: Voon Weifeng + +[ Upstream commit 7241c5a697479c7d0c5a96595822cdab750d41ae ] + +EEE should be only be enabled during stmmac_mac_link_up() when the +link are up and being set up properly. set_eee should only do settings +configuration and disabling the eee. + +Without this fix, turning on EEE using ethtool will return +"Operation not supported". This is due to the driver is in a dead loop +waiting for eee to be advertised in the for eee to be activated but the +driver will only configure the EEE advertisement after the eee is +activated. + +Ethtool should only return "Operation not supported" if there is no EEE +capbility in the MAC controller. + +Fixes: 8a7493e58ad6 ("net: stmmac: Fix a race in EEE enable callback") +Signed-off-by: Voon Weifeng +Acked-by: Mark Gross +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + .../net/ethernet/stmicro/stmmac/stmmac_ethtool.c | 15 ++++----------- + 1 file changed, 4 insertions(+), 11 deletions(-) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_ethtool.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_ethtool.c +index 3519a8a589dda..c8673e231a880 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_ethtool.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_ethtool.c +@@ -678,23 +678,16 @@ static int stmmac_ethtool_op_set_eee(struct net_device *dev, + struct stmmac_priv *priv = netdev_priv(dev); + int ret; + +- if (!edata->eee_enabled) { ++ if (!priv->dma_cap.eee) ++ return -EOPNOTSUPP; ++ ++ if (!edata->eee_enabled) + stmmac_disable_eee_mode(priv); +- } else { +- /* We are asking for enabling the EEE but it is safe +- * to verify all by invoking the eee_init function. +- * In case of failure it will return an error. 
+- */ +- edata->eee_enabled = stmmac_eee_init(priv); +- if (!edata->eee_enabled) +- return -EOPNOTSUPP; +- } + + ret = phy_ethtool_set_eee(dev->phydev, edata); + if (ret) + return ret; + +- priv->eee_enabled = edata->eee_enabled; + priv->tx_lpi_timer = edata->tx_lpi_timer; + return 0; + } +-- +2.25.1 + diff --git a/queue-4.9/perf-fix-task_function_call-error-handling.patch b/queue-4.9/perf-fix-task_function_call-error-handling.patch new file mode 100644 index 00000000000..58f0a00c6dc --- /dev/null +++ b/queue-4.9/perf-fix-task_function_call-error-handling.patch 
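Review bot: With `priv->eee_enabled = edata->eee_enabled;` removed from stmmac_ethtool_op_set_eee(), driver state now relies on the link-up path to re-evaluate EEE, and the commit message names stmmac_mac_link_up(), a phylink-era function that 4.9 does not have; please confirm that the 4.9 link-change handler (stmmac_adjust_link()) re-runs stmmac_eee_init() so that an ethtool enable request actually takes effect after this backport. The new early `if (!priv->dma_cap.eee) return -EOPNOTSUPP;` is a good guard, but `phy_ethtool_set_eee(dev->phydev, edata)` still dereferences dev->phydev unconditionally; if ethtool can reach this op while the interface is down and phydev is NULL (not visible from the hunk), an `if (!dev->phydev) return -ENODEV;` check next to it would be safer. The opening of the function, including the edata parameter, is outside the hunk.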
@@ -0,0 +1,57 @@ +From 91bcc1f20a7d6d0b432ac5e99448bcfd95399cd5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Aug 2020 12:17:32 +0530 +Subject: perf: Fix task_function_call() error handling + +From: Kajol Jain + +[ Upstream commit 6d6b8b9f4fceab7266ca03d194f60ec72bd4b654 ] + +The error handling introduced by commit: + + 2ed6edd33a21 ("perf: Add cond_resched() to task_function_call()") + +looses any return value from smp_call_function_single() that is not +{0, -EINVAL}. This is a problem because it will return -EXNIO when the +target CPU is offline. Worse, in that case it'll turn into an infinite +loop. + +Fixes: 2ed6edd33a21 ("perf: Add cond_resched() to task_function_call()") +Reported-by: Srikar Dronamraju +Signed-off-by: Kajol Jain +Signed-off-by: Peter Zijlstra (Intel) +Signed-off-by: Ingo Molnar +Reviewed-by: Barret Rhoden +Tested-by: Srikar Dronamraju +Link: https://lkml.kernel.org/r/20200827064732.20860-1-kjain@linux.ibm.com +Signed-off-by: Sasha Levin +--- + kernel/events/core.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/kernel/events/core.c b/kernel/events/core.c +index b562467d2d498..7aad4d22b4223 100644 +--- a/kernel/events/core.c ++++ b/kernel/events/core.c +@@ -94,7 +94,7 @@ static void remote_function(void *data) + * retry due to any failures in smp_call_function_single(), such as if the + * task_cpu() goes offline concurrently. + * +- * returns @func return value or -ESRCH when the process isn't running ++ * returns @func return value or -ESRCH or -ENXIO when the process isn't running + */ + static int + task_function_call(struct task_struct *p, remote_function_f func, void *info) +@@ -110,7 +110,8 @@ task_function_call(struct task_struct *p, remote_function_f func, void *info) + for (;;) { + ret = smp_call_function_single(task_cpu(p), remote_function, + &data, 1); +- ret = !ret ? data.ret : -EAGAIN; ++ if (!ret) ++ ret = data.ret; + + if (ret != -EAGAIN) + break; +-- +2.25.1 + 
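Review bot: The updated comment `returns @func return value or -ESRCH or -ENXIO when the process isn't running` still under-describes the new loop: after `if (!ret) ret = data.ret;` any non-zero error from smp_call_function_single() is returned unchanged, not only -ENXIO. A wording such as `returns @func return value, -ESRCH when the process isn't running, or the smp_call_function_single() error (e.g. -ENXIO for an offline CPU)` would document the actual contract. The retry loop and its cond_resched() continue past the hunk, so the surrounding exit conditions were not checked here.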
diff --git a/queue-4.9/rxrpc-downgrade-the-bug-for-unsupported-token-type-i.patch b/queue-4.9/rxrpc-downgrade-the-bug-for-unsupported-token-type-i.patch new file mode 100644 index 00000000000..ba0afaecf43 --- /dev/null +++ b/queue-4.9/rxrpc-downgrade-the-bug-for-unsupported-token-type-i.patch @@ -0,0 +1,47 @@ +From e6e0b9244ce5c03dd44878b910d6532d9f895c47 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Sep 2020 22:09:04 +0100 +Subject: rxrpc: Downgrade the BUG() for unsupported token type in rxrpc_read() + +From: David Howells + +[ Upstream commit 9a059cd5ca7d9c5c4ca5a6e755cf72f230176b6a ] + +If rxrpc_read() (which allows KEYCTL_READ to read a key), sees a token of a +type it doesn't recognise, it can BUG in a couple of places, which is +unnecessary as it can easily get back to userspace. + +Fix this to print an error message instead. + +Fixes: 99455153d067 ("RxRPC: Parse security index 5 keys (Kerberos 5)") +Signed-off-by: David Howells +Signed-off-by: Sasha Levin +--- + net/rxrpc/key.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/rxrpc/key.c b/net/rxrpc/key.c +index fd9260620824e..01d2d40ef21cb 100644 +--- a/net/rxrpc/key.c ++++ b/net/rxrpc/key.c +@@ -1104,7 +1104,8 @@ static long rxrpc_read(const struct key *key, + break; + + default: /* we have a ticket we can't encode */ +- BUG(); ++ pr_err("Unsupported key token type (%u)\n", ++ token->security_index); + continue; + } + +@@ -1225,7 +1226,6 @@ static long rxrpc_read(const struct key *key, + break; + + default: +- BUG(); + break; + } + +-- +2.25.1 + diff --git a/queue-4.9/rxrpc-fix-rxkad-token-xdr-encoding.patch b/queue-4.9/rxrpc-fix-rxkad-token-xdr-encoding.patch new file mode 100644 index 00000000000..2c601002e48 --- /dev/null +++ b/queue-4.9/rxrpc-fix-rxkad-token-xdr-encoding.patch 
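Review bot: The first hunk's new `pr_err(...)` followed by `continue;` in rxrpc_read() skips the size accounting for an unsupported token, while the second hunk's `default: break;` lets the encoding loop fall through for the same token; if that loop still consumes a per-token size slot and encodes the security_index for every token (both loop bodies are outside the hunk), the token count written up front and the per-token sizes no longer line up with what is emitted. It would be worth verifying that the encoding loop also `continue`s on an unknown type, or that unsupported tokens are counted consistently in both passes. Since rxrpc_read() is reachable from userspace via KEYCTL_READ on any readable key, `pr_err_ratelimited` is the usual choice for a message that user input can trigger repeatedly, to avoid flooding the log.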
@@ -0,0 +1,59 @@ +From fa1c8371b76bda5f35f417cff96ebbc37283e19d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Sep 2020 14:01:24 -0300 +Subject: rxrpc: Fix rxkad token xdr encoding + +From: Marc Dionne + +[ Upstream commit 56305118e05b2db8d0395bba640ac9a3aee92624 ] + +The session key should be encoded with just the 8 data bytes and +no length; ENCODE_DATA precedes it with a 4 byte length, which +confuses some existing tools that try to parse this format. + +Add an ENCODE_BYTES macro that does not include a length, and use +it for the key. Also adjust the expected length. + +Note that commit 774521f353e1d ("rxrpc: Fix an assertion in +rxrpc_read()") had fixed a BUG by changing the length rather than +fixing the encoding. The original length was correct. + +Fixes: 99455153d067 ("RxRPC: Parse security index 5 keys (Kerberos 5)") +Signed-off-by: Marc Dionne +Signed-off-by: David Howells +Signed-off-by: Sasha Levin +--- + net/rxrpc/key.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/net/rxrpc/key.c b/net/rxrpc/key.c +index 7fc340726d034..fd9260620824e 100644 +--- a/net/rxrpc/key.c ++++ b/net/rxrpc/key.c +@@ -1139,6 +1139,14 @@ static long rxrpc_read(const struct key *key, + goto fault; \ + xdr += (_l + 3) >> 2; \ + } while(0) ++#define ENCODE_BYTES(l, s) \ ++ do { \ ++ u32 _l = (l); \ ++ memcpy(xdr, (s), _l); \ ++ if (_l & 3) \ ++ memcpy((u8 *)xdr + _l, &zero, 4 - (_l & 3)); \ ++ xdr += (_l + 3) >> 2; \ ++ } while(0) + #define ENCODE64(x) \ + do { \ + __be64 y = cpu_to_be64(x); \ +@@ -1167,7 +1175,7 @@ static long rxrpc_read(const struct key *key, + case RXRPC_SECURITY_RXKAD: + ENCODE(token->kad->vice_id); + ENCODE(token->kad->kvno); +- ENCODE_DATA(8, token->kad->session_key); ++ ENCODE_BYTES(8, token->kad->session_key); + ENCODE(token->kad->start); + ENCODE(token->kad->expiry); + ENCODE(token->kad->primary_flag); +-- +2.25.1 + 
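Review bot: `ENCODE_BYTES` pads with `memcpy((u8 *)xdr + _l, &zero, 4 - (_l & 3))`, so it depends on a `zero` object of at least four bytes being in scope at the use site; that declaration is outside the hunk and is presumably the one ENCODE_DATA already uses, but the backport should confirm it exists in 4.9's rxrpc_read(). The commit message says the expected length is also adjusted, yet the diffstat (9 insertions, 1 deletion) covers only the macro and the `ENCODE_BYTES(8, token->kad->session_key)` call, so the RXKAD `toksize` accounting in the size-computation loop must already count the key as 8 bytes without a length word in this tree — if there is a size assertion after encoding, a mismatch there would trip it. A one-line comment on the macro, e.g. `/* raw bytes, no leading length word; pad to a 4-byte XDR boundary */`, would distinguish it from ENCODE_DATA for future readers.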
diff --git a/queue-4.9/rxrpc-fix-server-keyring-leak.patch b/queue-4.9/rxrpc-fix-server-keyring-leak.patch new file mode 100644 index 00000000000..eb824e9ea45 --- /dev/null +++ b/queue-4.9/rxrpc-fix-server-keyring-leak.patch @@ -0,0 +1,37 @@ +From 815e4a8388bfdd2db5e8e6d79e3370b78079644c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Oct 2020 14:04:51 +0100 +Subject: rxrpc: Fix server keyring leak + +From: David Howells + +[ Upstream commit 38b1dc47a35ba14c3f4472138ea56d014c2d609b ] + +If someone calls setsockopt() twice to set a server key keyring, the first +keyring is leaked. + +Fix it to return an error instead if the server key keyring is already set. + +Fixes: 17926a79320a ("[AF_RXRPC]: Provide secure RxRPC sockets for use by userspace and kernel both") +Signed-off-by: David Howells +Signed-off-by: Sasha Levin +--- + net/rxrpc/key.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/rxrpc/key.c b/net/rxrpc/key.c +index 01d2d40ef21cb..fa475b02bdceb 100644 +--- a/net/rxrpc/key.c ++++ b/net/rxrpc/key.c +@@ -899,7 +899,7 @@ int rxrpc_request_key(struct rxrpc_sock *rx, char __user *optval, int optlen) + + _enter(""); + +- if (optlen <= 0 || optlen > PAGE_SIZE - 1) ++ if (optlen <= 0 || optlen > PAGE_SIZE - 1 || rx->securities) + return -EINVAL; + + description = memdup_user_nul(optval, optlen); +-- +2.25.1 + diff --git a/queue-4.9/rxrpc-fix-some-missing-_bh-annotations-on-locking-co.patch b/queue-4.9/rxrpc-fix-some-missing-_bh-annotations-on-locking-co.patch new file mode 100644 index 00000000000..c272dcbd9d5 --- /dev/null +++ b/queue-4.9/rxrpc-fix-some-missing-_bh-annotations-on-locking-co.patch 
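Review bot: The new `|| rx->securities` in rxrpc_request_key() returns -EINVAL for a second setsockopt() call, which is indistinguishable to the caller from a bad optlen; -EBUSY or -EEXIST would express "already set" more precisely, though changing the errno is a user-visible choice that may be deliberate for a stable backport. The read of rx->securities only excludes a racing second setsockopt() if the caller holds the socket lock across this function (presumably rxrpc_setsockopt() does via lock_sock, but that is outside the hunk). A short comment such as `/* the server keyring may only be set once; a second call would leak the first */` would record the intent next to the check.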
@@ -0,0 +1,51 @@ +From 93304187ea727e3909decab7bb716f98169e9b0e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Oct 2020 11:57:40 +0100 +Subject: rxrpc: Fix some missing _bh annotations on locking conn->state_lock + +From: David Howells + +[ Upstream commit fa1d113a0f96f9ab7e4fe4f8825753ba1e34a9d3 ] + +conn->state_lock may be taken in softirq mode, but a previous patch +replaced an outer lock in the response-packet event handling code, and lost +the _bh from that when doing so. + +Fix this by applying the _bh annotation to the state_lock locking. + +Fixes: a1399f8bb033 ("rxrpc: Call channels should have separate call number spaces") +Signed-off-by: David Howells +Signed-off-by: Sasha Levin +--- + net/rxrpc/conn_event.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/net/rxrpc/conn_event.c b/net/rxrpc/conn_event.c +index b099b64366f35..ec02dd7c12ef4 100644 +--- a/net/rxrpc/conn_event.c ++++ b/net/rxrpc/conn_event.c +@@ -309,18 +309,18 @@ static int rxrpc_process_event(struct rxrpc_connection *conn, + return ret; + + spin_lock(&conn->channel_lock); +- spin_lock(&conn->state_lock); ++ spin_lock_bh(&conn->state_lock); + + if (conn->state == RXRPC_CONN_SERVICE_CHALLENGING) { + conn->state = RXRPC_CONN_SERVICE; +- spin_unlock(&conn->state_lock); ++ spin_unlock_bh(&conn->state_lock); + for (loop = 0; loop < RXRPC_MAXCALLS; loop++) + rxrpc_call_is_secure( + rcu_dereference_protected( + conn->channels[loop].call, + lockdep_is_held(&conn->channel_lock))); + } else { +- spin_unlock(&conn->state_lock); ++ spin_unlock_bh(&conn->state_lock); + } + + spin_unlock(&conn->channel_lock); +-- +2.25.1 + diff --git a/queue-4.9/series b/queue-4.9/series index 54f1c47402c..c5176e53d54 100644 --- a/queue-4.9/series +++ b/queue-4.9/series 
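Review bot: In rxrpc_process_event() the inner `spin_lock_bh(&conn->state_lock)` now disables bottom halves only after `spin_lock(&conn->channel_lock)` has already been taken without _bh; that ordering is sound only if channel_lock itself is never acquired from softirq context, which the hunk cannot show. If channel_lock can be taken in BH (lockdep would report an inconsistent lock state), the outer lock also needs the _bh variant rather than just the inner one. The function begins and ends outside the hunk.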
@@ -39,3 +39,14 @@ team-set-dev-needed_headroom-in-team_setup_by_port.patch
 net-team-fix-memory-leak-in-__team_options_register.patch
 openvswitch-handle-dnat-tuple-collision.patch
 drm-amdgpu-prevent-double-kfree-ttm-sg.patch
+xfrm-clone-xfrma_replay_esn_val-in-xfrm_do_migrate.patch
+xfrm-clone-whole-liftime_cur-structure-in-xfrm_do_mi.patch
+net-stmmac-removed-enabling-eee-in-eee-set-callback.patch
+xfrm-use-correct-address-family-in-xfrm_state_find.patch
+bonding-set-dev-needed_headroom-in-bond_setup_by_sla.patch
+mdio-fix-mdio-thunder.c-dependency-build-error.patch
+rxrpc-fix-rxkad-token-xdr-encoding.patch
+rxrpc-downgrade-the-bug-for-unsupported-token-type-i.patch
+rxrpc-fix-some-missing-_bh-annotations-on-locking-co.patch
+rxrpc-fix-server-keyring-leak.patch
+perf-fix-task_function_call-error-handling.patch
diff --git a/queue-4.9/xfrm-clone-whole-liftime_cur-structure-in-xfrm_do_mi.patch b/queue-4.9/xfrm-clone-whole-liftime_cur-structure-in-xfrm_do_mi.patch
new file mode 100644
index 00000000000..7aee7aa9bd2
--- /dev/null
+++ b/queue-4.9/xfrm-clone-whole-liftime_cur-structure-in-xfrm_do_mi.patch
@@ -0,0 +1,39 @@ +From 51827ab02961872ca8e0a5494691aaba6231d843 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Sep 2020 08:50:29 +0200 +Subject: xfrm: clone whole liftime_cur structure in xfrm_do_migrate + +From: Antony Antony + +[ Upstream commit 8366685b2883e523f91e9816d7be371eb1144749 ] + +When we clone state only add_time was cloned. It missed values like +bytes, packets. Now clone the all members of the structure. + +v1->v3: + - use memcpy to copy the entire structure + +Fixes: 80c9abaabf42 ("[XFRM]: Extension for dynamic update of endpoint address(es)") +Signed-off-by: Antony Antony +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + net/xfrm/xfrm_state.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c +index 3734ad56b456c..e210d9b77de18 100644 +--- a/net/xfrm/xfrm_state.c ++++ b/net/xfrm/xfrm_state.c +@@ -1244,7 +1244,7 @@ static struct xfrm_state *xfrm_state_clone(struct xfrm_state *orig) + x->tfcpad = orig->tfcpad; + x->replay_maxdiff = orig->replay_maxdiff; + x->replay_maxage = orig->replay_maxage; +- x->curlft.add_time = orig->curlft.add_time; ++ memcpy(&x->curlft, &orig->curlft, sizeof(x->curlft)); + x->km.state = orig->km.state; + x->km.seq = orig->km.seq; + x->replay = orig->replay; +-- +2.25.1 + diff --git a/queue-4.9/xfrm-clone-xfrma_replay_esn_val-in-xfrm_do_migrate.patch b/queue-4.9/xfrm-clone-xfrma_replay_esn_val-in-xfrm_do_migrate.patch new file mode 100644 index 00000000000..79f72f1c1b1 --- /dev/null +++ b/queue-4.9/xfrm-clone-xfrma_replay_esn_val-in-xfrm_do_migrate.patch 
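Review bot: `memcpy(&x->curlft, &orig->curlft, sizeof(x->curlft));` in xfrm_state_clone() could be the plain struct assignment `x->curlft = orig->curlft;`, which is type-checked by the compiler, cannot get the size wrong, and matches the surrounding member-by-member copies in style. The memcpy form is what the upstream commit uses, so keeping it is defensible for a faithful backport; a comment like `/* copy every lifetime counter, not just add_time */` would explain why this line differs from its neighbours. The rest of xfrm_state_clone() is outside the hunk.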
@@ -0,0 +1,58 @@ +From 78576fd613f0d9246a9d7d940b923aa33ac3b938 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Sep 2020 08:49:55 +0200 +Subject: xfrm: clone XFRMA_REPLAY_ESN_VAL in xfrm_do_migrate + +From: Antony Antony + +[ Upstream commit 91a46c6d1b4fcbfa4773df9421b8ad3e58088101 ] + +XFRMA_REPLAY_ESN_VAL was not cloned completely from the old to the new. +Migrate this attribute during XFRMA_MSG_MIGRATE + +v1->v2: + - move curleft cloning to a separate patch + +Fixes: af2f464e326e ("xfrm: Assign esn pointers when cloning a state") +Signed-off-by: Antony Antony +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + include/net/xfrm.h | 16 ++++++---------- + 1 file changed, 6 insertions(+), 10 deletions(-) + +diff --git a/include/net/xfrm.h b/include/net/xfrm.h +index 9e2f260cbb518..b2a405c93a342 100644 +--- a/include/net/xfrm.h ++++ b/include/net/xfrm.h +@@ -1726,21 +1726,17 @@ static inline int xfrm_replay_state_esn_len(struct xfrm_replay_state_esn *replay + static inline int xfrm_replay_clone(struct xfrm_state *x, + struct xfrm_state *orig) + { +- x->replay_esn = kzalloc(xfrm_replay_state_esn_len(orig->replay_esn), ++ ++ x->replay_esn = kmemdup(orig->replay_esn, ++ xfrm_replay_state_esn_len(orig->replay_esn), + GFP_KERNEL); + if (!x->replay_esn) + return -ENOMEM; +- +- x->replay_esn->bmp_len = orig->replay_esn->bmp_len; +- x->replay_esn->replay_window = orig->replay_esn->replay_window; +- +- x->preplay_esn = kmemdup(x->replay_esn, +- xfrm_replay_state_esn_len(x->replay_esn), ++ x->preplay_esn = kmemdup(orig->preplay_esn, ++ xfrm_replay_state_esn_len(orig->preplay_esn), + GFP_KERNEL); +- if (!x->preplay_esn) { +- kfree(x->replay_esn); ++ if (!x->preplay_esn) + return -ENOMEM; +- } + + return 0; + } +-- +2.25.1 + diff --git a/queue-4.9/xfrm-use-correct-address-family-in-xfrm_state_find.patch b/queue-4.9/xfrm-use-correct-address-family-in-xfrm_state_find.patch new file mode 100644 index 00000000000..ffc15d3c595 --- /dev/null 
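Review bot: Dropping `kfree(x->replay_esn)` on the `!x->preplay_esn` path in xfrm_replay_clone() leaves x->replay_esn allocated when -ENOMEM is returned, which is only correct if the caller releases x through a path that frees replay_esn (xfrm_state_clone() presumably puts the state on its error label, but that is outside this hunk); a comment such as `/* on failure the caller drops x, which frees replay_esn */` would make that reliance explicit. The hunk also adds a stray blank line immediately after the function's opening brace, before the `x->replay_esn = kmemdup(...)` statement, which should be removed. The kmemdup of `orig->preplay_esn` assumes it is non-NULL whenever orig->replay_esn is; worth confirming that invariant holds at the 4.9 call site.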
+++ b/queue-4.9/xfrm-use-correct-address-family-in-xfrm_state_find.patch 
@@ -0,0 +1,82 @@ +From dd861f415f2c20017446f6211e1ce59353ae7a25 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Sep 2020 14:42:56 +1000 +Subject: xfrm: Use correct address family in xfrm_state_find + +From: Herbert Xu + +[ Upstream commit e94ee171349db84c7cfdc5fefbebe414054d0924 ] + +The struct flowi must never be interpreted by itself as its size +depends on the address family. Therefore it must always be grouped +with its original family value. + +In this particular instance, the original family value is lost in +the function xfrm_state_find. Therefore we get a bogus read when +it's coupled with the wrong family which would occur with inter- +family xfrm states. + +This patch fixes it by keeping the original family value. + +Note that the same bug could potentially occur in LSM through +the xfrm_state_pol_flow_match hook. I checked the current code +there and it seems to be safe for now as only secid is used which +is part of struct flowi_common. But that API should be changed +so that so that we don't get new bugs in the future. We could +do that by replacing fl with just secid or adding a family field. 
+ +Reported-by: syzbot+577fbac3145a6eb2e7a5@syzkaller.appspotmail.com +Fixes: 48b8d78315bf ("[XFRM]: State selection update to use inner...") +Signed-off-by: Herbert Xu +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + net/xfrm/xfrm_state.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c +index e210d9b77de18..0eb85765d35a1 100644 +--- a/net/xfrm/xfrm_state.c ++++ b/net/xfrm/xfrm_state.c +@@ -761,7 +761,8 @@ static void xfrm_state_look_at(struct xfrm_policy *pol, struct xfrm_state *x, + */ + if (x->km.state == XFRM_STATE_VALID) { + if ((x->sel.family && +- !xfrm_selector_match(&x->sel, fl, x->sel.family)) || ++ (x->sel.family != family || ++ !xfrm_selector_match(&x->sel, fl, family))) || + !security_xfrm_state_pol_flow_match(x, pol, fl)) + return; + +@@ -774,7 +775,9 @@ static void xfrm_state_look_at(struct xfrm_policy *pol, struct xfrm_state *x, + *acq_in_progress = 1; + } else if (x->km.state == XFRM_STATE_ERROR || + x->km.state == XFRM_STATE_EXPIRED) { +- if (xfrm_selector_match(&x->sel, fl, x->sel.family) && ++ if ((!x->sel.family || ++ (x->sel.family == family && ++ xfrm_selector_match(&x->sel, fl, family))) && + security_xfrm_state_pol_flow_match(x, pol, fl)) + *error = -ESRCH; + } +@@ -813,7 +816,7 @@ xfrm_state_find(const xfrm_address_t *daddr, const xfrm_address_t *saddr, + tmpl->mode == x->props.mode && + tmpl->id.proto == x->id.proto && + (tmpl->id.spi == x->id.spi || !tmpl->id.spi)) +- xfrm_state_look_at(pol, x, fl, encap_family, ++ xfrm_state_look_at(pol, x, fl, family, + &best, &acquire_in_progress, &error); + } + if (best || acquire_in_progress) +@@ -829,7 +832,7 @@ xfrm_state_find(const xfrm_address_t *daddr, const xfrm_address_t *saddr, + tmpl->mode == x->props.mode && + tmpl->id.proto == x->id.proto && + (tmpl->id.spi == x->id.spi || !tmpl->id.spi)) +- xfrm_state_look_at(pol, x, fl, encap_family, ++ xfrm_state_look_at(pol, x, fl, family, + &best, 
&acquire_in_progress, &error); + } + +-- +2.25.1 +
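Review bot: The new conditions in xfrm_state_look_at() — `(x->sel.family != family || !xfrm_selector_match(&x->sel, fl, family))` in the VALID branch and its negated twin in the ERROR/EXPIRED branch — encode a non-obvious invariant that the code does not state: `fl` is laid out according to `family`, so a selector of a different family must never be matched against it. A comment at the first check, e.g. `/* fl's layout depends on 'family'; never match a selector of another family against it */`, would keep a future cleanup from reverting to `x->sel.family`. The two callers in xfrm_state_find() now pass `family` instead of `encap_family`; the function's remaining uses of encap_family lie outside the hunk and were not checked here.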