From: Greg Kroah-Hartman Date: Thu, 23 Feb 2017 20:19:14 +0000 (+0100) Subject: 3.18 stuff X-Git-Tag: v4.4.52~13 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ffb637b5d1e514efe06cc8d3992b6b4f588d765a;p=thirdparty%2Fkernel%2Fstable-queue.git 3.18 stuff --- diff --git a/queue-3.18/dccp-fix-freeing-skb-too-early-for-ipv6_recvpktinfo.patch b/queue-3.18/dccp-fix-freeing-skb-too-early-for-ipv6_recvpktinfo.patch new file mode 100644 index 00000000000..442b36be7b7 --- /dev/null +++ b/queue-3.18/dccp-fix-freeing-skb-too-early-for-ipv6_recvpktinfo.patch 
@@ -0,0 +1,48 @@ +From foo@baz Thu Feb 23 21:15:11 CET 2017 +From: Andrey Konovalov +Date: Thu, 16 Feb 2017 17:22:46 +0100 +Subject: dccp: fix freeing skb too early for IPV6_RECVPKTINFO + +From: Andrey Konovalov + + +[ Upstream commit 5edabca9d4cff7f1f2b68f0bac55ef99d9798ba4 ] + +In the current DCCP implementation an skb for a DCCP_PKT_REQUEST packet +is forcibly freed via __kfree_skb in dccp_rcv_state_process if +dccp_v6_conn_request successfully returns. + +However, if IPV6_RECVPKTINFO is set on a socket, the address of the skb +is saved to ireq->pktopts and the ref count for skb is incremented in +dccp_v6_conn_request, so skb is still in use. Nevertheless, it gets freed +in dccp_rcv_state_process. + +Fix by calling consume_skb instead of doing goto discard and therefore +calling __kfree_skb. + +Similar fixes for TCP: + +fb7e2399ec17f1004c0e0ccfd17439f8759ede01 [TCP]: skb is unexpectedly freed. +0aea76d35c9651d55bbaf746e7914e5f9ae5a25d tcp: SYN packets are now +simply consumed + +Signed-off-by: Andrey Konovalov +Acked-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/dccp/input.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/dccp/input.c ++++ b/net/dccp/input.c +@@ -606,7 +606,8 @@ int dccp_rcv_state_process(struct sock * + if (inet_csk(sk)->icsk_af_ops->conn_request(sk, + skb) < 0) + return 1; +- goto discard; ++ consume_skb(skb); ++ return 0; + } + if (dh->dccph_type == DCCP_PKT_RESET) + goto discard; diff --git a/queue-3.18/net-llc-avoid-bug_on-in-skb_orphan.patch b/queue-3.18/net-llc-avoid-bug_on-in-skb_orphan.patch new file mode 100644 index 00000000000..69b830148e7 --- /dev/null +++ b/queue-3.18/net-llc-avoid-bug_on-in-skb_orphan.patch 
@@ -0,0 +1,57 @@ +From foo@baz Thu Feb 23 21:15:11 CET 2017 +From: Eric Dumazet +Date: Sun, 12 Feb 2017 14:03:52 -0800 +Subject: net/llc: avoid BUG_ON() in skb_orphan() + +From: Eric Dumazet + + +[ Upstream commit 8b74d439e1697110c5e5c600643e823eb1dd0762 ] + +It seems nobody used LLC since linux-3.12. + +Fortunately fuzzers like syzkaller still know how to run this code, +otherwise it would be no fun. + +Setting skb->sk without skb->destructor leads to all kinds of +bugs, we now prefer to be very strict about it. + +Ideally here we would use skb_set_owner() but this helper does not exist yet, +only CAN seems to have a private helper for that. + +Fixes: 376c7311bdb6 ("net: add a temporary sanity check in skb_orphan()") +Signed-off-by: Eric Dumazet +Reported-by: Andrey Konovalov +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/llc/llc_conn.c | 3 +++ + net/llc/llc_sap.c | 3 +++ + 2 files changed, 6 insertions(+) + +--- a/net/llc/llc_conn.c ++++ b/net/llc/llc_conn.c +@@ -821,7 +821,10 @@ void llc_conn_handler(struct llc_sap *sa + * another trick required to cope with how the PROCOM state + * machine works. -acme + */ ++ skb_orphan(skb); ++ sock_hold(sk); + skb->sk = sk; ++ skb->destructor = sock_efree; + } + if (!sock_owned_by_user(sk)) + llc_conn_rcv(sk, skb); +--- a/net/llc/llc_sap.c ++++ b/net/llc/llc_sap.c +@@ -290,7 +290,10 @@ static void llc_sap_rcv(struct llc_sap * + + ev->type = LLC_SAP_EV_TYPE_PDU; + ev->reason = 0; ++ skb_orphan(skb); ++ sock_hold(sk); + skb->sk = sk; ++ skb->destructor = sock_efree; + llc_sap_state_process(sap, skb); + } + diff --git a/queue-3.18/net-socket-fix-recvmmsg-not-returning-error-from-sock_error.patch b/queue-3.18/net-socket-fix-recvmmsg-not-returning-error-from-sock_error.patch new file mode 100644 index 00000000000..62c2572118d --- /dev/null +++ b/queue-3.18/net-socket-fix-recvmmsg-not-returning-error-from-sock_error.patch 
@@ -0,0 +1,47 @@ +From foo@baz Thu Feb 23 21:15:11 CET 2017 +From: Maxime Jayat +Date: Tue, 21 Feb 2017 18:35:51 +0100 +Subject: net: socket: fix recvmmsg not returning error from sock_error + +From: Maxime Jayat + + +[ Upstream commit e623a9e9dec29ae811d11f83d0074ba254aba374 ] + +Commit 34b88a68f26a ("net: Fix use after free in the recvmmsg exit path"), +changed the exit path of recvmmsg to always return the datagrams +variable and modified the error paths to set the variable to the error +code returned by recvmsg if necessary. + +However in the case sock_error returned an error, the error code was +then ignored, and recvmmsg returned 0. + +Change the error path of recvmmsg to correctly return the error code +of sock_error. + +The bug was triggered by using recvmmsg on a CAN interface which was +not up. Linux 4.6 and later return 0 in this case while earlier +releases returned -ENETDOWN. + +Fixes: 34b88a68f26a ("net: Fix use after free in the recvmmsg exit path") +Signed-off-by: Maxime Jayat +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/socket.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/net/socket.c ++++ b/net/socket.c +@@ -2355,8 +2355,10 @@ int __sys_recvmmsg(int fd, struct mmsghd + return err; + + err = sock_error(sock->sk); +- if (err) ++ if (err) { ++ datagrams = err; + goto out_put; ++ } + + entry = mmsg; + compat_entry = (struct compat_mmsghdr __user *)mmsg; diff --git a/queue-3.18/series b/queue-3.18/series index 267e8b4a306..f896acbf354 100644 --- a/queue-3.18/series +++ b/queue-3.18/series @@ -53,3 +53,6 @@ revert-staging-nvec-ps2-change-serio-type-to-passthrough.patch usb-cdc-acm-fix-tiocmiwait.patch usb-gadget-u_ether-remove-interrupt-throttling.patch drbd-fix-kernel_sendmsg-usage-potential-null-deref.patch +net-llc-avoid-bug_on-in-skb_orphan.patch +dccp-fix-freeing-skb-too-early-for-ipv6_recvpktinfo.patch +net-socket-fix-recvmmsg-not-returning-error-from-sock_error.patch
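Review bot: in the dccp_rcv_state_process hunk, replacing `goto discard` with `consume_skb(skb); return 0;` changes the exit from a jump to an explicit return, so confirm that `return 0` is what the `discard` path returned to the caller, and add a one-line comment at the `consume_skb(skb)` call stating that conn_request may have taken its own reference to the skb (the ireq->pktopts case from the commit message); without that comment a later cleanup is likely to fold this back into `goto discard`. Note also that the neighbouring `return 1` on conn_request failure still leaves the skb for the caller to drop, so the two exits of this block now release the skb differently.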
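Review bot: in the llc_conn_handler hunk, `sock_hold(sk)` paired with `skb->destructor = sock_efree` is the right shape (sock_efree drops that reference when the skb is freed) and calling `skb_orphan(skb)` first lets any previous owner's destructor run before `skb->sk` is overwritten, but the existing comment directly above ("another trick required to cope with how the PROCOM state machine works") says nothing about ownership; extend it with a line saying the skb now holds a socket reference that sock_efree releases. The same four lines are repeated in llc_sap.c, and since the commit message notes that no skb_set_owner() helper exists yet, a small static helper in net/llc would remove the duplication.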
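Review bot: in the llc_sap_rcv hunk the sequence (orphan, hold, assign `skb->sk`, set destructor) matches llc_conn.c, which is what keeps the sanity check in skb_orphan() named in the subject from firing; the point to verify is that `llc_sap_state_process(sap, skb)` and whatever it hands the skb to does not reassign `skb->sk` or `skb->destructor` again, otherwise the reference taken by `sock_hold(sk)` would never be returned. A comment naming sock_efree as the release, as suggested for llc_conn.c, belongs here too.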
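Review bot: in the __sys_recvmmsg hunk, setting `datagrams = err` before `goto out_put` brings this exit in line with the other error paths the commit message describes, but it means `datagrams` carries a negative errno from a point where nothing has been received yet, so any code at `out_put` that treats it as a count must already tolerate negative values; confirm that, and consider a short comment at the assignment saying the exit path returns `datagrams` unconditionally. The braces added around the `if (err)` body are needed now that it holds two statements.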
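Review bot: the three entries appended to queue-3.18/series are applied last and in the listed order; the net-llc, dccp and socket patches touch disjoint files (net/llc/llc_conn.c and net/llc/llc_sap.c, net/dccp/input.c, net/socket.c), so their relative order is not load-bearing and no conflict between them is expected.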