From 14fadbde3dd47c98d209314f69d2e52a6a6579d5 Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman
Date: Tue, 1 Oct 2019 16:23:15 +0200
Subject: [PATCH] 4.9-stable patches

added patches:
appletalk-enforce-cap_net_raw-for-raw-sockets.patch
arcnet-provide-a-buffer-big-enough-to-actually-receive-packets.patch
ax25-enforce-cap_net_raw-for-raw-sockets.patch
cdc_ncm-fix-divide-by-zero-caused-by-invalid-wmaxpacketsize.patch
ieee802154-enforce-cap_net_raw-for-raw-sockets.patch
macsec-drop-skb-sk-before-calling-gro_cells_receive.patch
misdn-enforce-cap_net_raw-for-raw-sockets.patch
net-phy-fix-dp83865-10-mbps-hdx-loopback-disable-function.patch
net-qrtr-stop-rx_worker-before-freeing-node.patch
nfc-enforce-cap_net_raw-for-raw-sockets.patch
openvswitch-change-type-of-upcall_pid-attribute-to-nla_unspec.patch
ppp-fix-memory-leak-in-ppp_write.patch
sch_netem-fix-a-divide-by-zero-in-tabledist.patch
skge-fix-checksum-byte-order.patch
usbnet-ignore-endpoints-with-invalid-wmaxpacketsize.patch
usbnet-sanity-checking-of-packet-sizes-and-device-mtu.patch
---
 ...-enforce-cap_net_raw-for-raw-sockets.patch | 34 ++++++
 ...g-enough-to-actually-receive-packets.patch | 101 ++++++++++++++++++
 ...-enforce-cap_net_raw-for-raw-sockets.patch | 31 ++++++
 ...ero-caused-by-invalid-wmaxpacketsize.patch | 41 +++++++
 ...-enforce-cap_net_raw-for-raw-sockets.patch | 33 ++++++
 ...-sk-before-calling-gro_cells_receive.patch | 61 +++++++++++
 ...-enforce-cap_net_raw-for-raw-sockets.patch | 31 ++++++
 ...0-mbps-hdx-loopback-disable-function.patch | 45 ++++++++
 ...r-stop-rx_worker-before-freeing-node.patch | 33 ++++++
 ...-enforce-cap_net_raw-for-raw-sockets.patch | 38 +++++++
 ...f-upcall_pid-attribute-to-nla_unspec.patch | 40 +++++++
 .../ppp-fix-memory-leak-in-ppp_write.patch | 61 +++++++++++
 ...em-fix-a-divide-by-zero-in-tabledist.patch | 36 +++++++
 queue-4.9/series | 16 +++
 queue-4.9/skge-fix-checksum-byte-order.patch | 32 ++++++
 ...ndpoints-with-invalid-wmaxpacketsize.patch | 39 +++++++
 ...cking-of-packet-sizes-and-device-mtu.patch | 41 +++++++
 17 files changed, 713 insertions(+)
create mode 100644 queue-4.9/appletalk-enforce-cap_net_raw-for-raw-sockets.patch
create mode 100644 queue-4.9/arcnet-provide-a-buffer-big-enough-to-actually-receive-packets.patch
create mode 100644 queue-4.9/ax25-enforce-cap_net_raw-for-raw-sockets.patch
create mode 100644 queue-4.9/cdc_ncm-fix-divide-by-zero-caused-by-invalid-wmaxpacketsize.patch
create mode 100644 queue-4.9/ieee802154-enforce-cap_net_raw-for-raw-sockets.patch
create mode 100644 queue-4.9/macsec-drop-skb-sk-before-calling-gro_cells_receive.patch
create mode 100644 queue-4.9/misdn-enforce-cap_net_raw-for-raw-sockets.patch
create mode 100644 queue-4.9/net-phy-fix-dp83865-10-mbps-hdx-loopback-disable-function.patch
create mode 100644 queue-4.9/net-qrtr-stop-rx_worker-before-freeing-node.patch
create mode 100644 queue-4.9/nfc-enforce-cap_net_raw-for-raw-sockets.patch
create mode 100644 queue-4.9/openvswitch-change-type-of-upcall_pid-attribute-to-nla_unspec.patch
create mode 100644 queue-4.9/ppp-fix-memory-leak-in-ppp_write.patch
create mode 100644 queue-4.9/sch_netem-fix-a-divide-by-zero-in-tabledist.patch
create mode 100644 queue-4.9/skge-fix-checksum-byte-order.patch
create mode 100644 queue-4.9/usbnet-ignore-endpoints-with-invalid-wmaxpacketsize.patch
create mode 100644 queue-4.9/usbnet-sanity-checking-of-packet-sizes-and-device-mtu.patch
diff --git a/queue-4.9/appletalk-enforce-cap_net_raw-for-raw-sockets.patch b/queue-4.9/appletalk-enforce-cap_net_raw-for-raw-sockets.patch
new file mode 100644
index 00000000000..bbf62249e69
--- /dev/null
+++ b/queue-4.9/appletalk-enforce-cap_net_raw-for-raw-sockets.patch
@@ -0,0 +1,34 @@
+From foo@baz Tue 01 Oct 2019 04:06:17 PM CEST
+From: Ori Nimron
+Date: Fri, 20 Sep 2019 09:35:46 +0200
+Subject: appletalk: enforce CAP_NET_RAW for raw sockets
+
+From: Ori Nimron
+
+[ Upstream commit 6cc03e8aa36c51f3b26a0d21a3c4ce2809c842ac ]
+
+When creating a raw AF_APPLETALK socket, CAP_NET_RAW needs to be checked
+first.
+
+Signed-off-by: Ori Nimron
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/appletalk/ddp.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/net/appletalk/ddp.c
++++ b/net/appletalk/ddp.c
+@@ -1029,6 +1029,11 @@ static int atalk_create(struct net *net,
+ */
+ if (sock->type != SOCK_RAW && sock->type != SOCK_DGRAM)
+ goto out;
++
++ rc = -EPERM;
++ if (sock->type == SOCK_RAW && !kern && !capable(CAP_NET_RAW))
++ goto out;
++
+ rc = -ENOMEM;
+ sk = sk_alloc(net, PF_APPLETALK, GFP_KERNEL, &ddp_proto, kern);
+ if (!sk)
diff --git a/queue-4.9/arcnet-provide-a-buffer-big-enough-to-actually-receive-packets.patch b/queue-4.9/arcnet-provide-a-buffer-big-enough-to-actually-receive-packets.patch
new file mode 100644
index 00000000000..1ce10f68db1
--- /dev/null
+++ b/queue-4.9/arcnet-provide-a-buffer-big-enough-to-actually-receive-packets.patch
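Review bot: The new `rc = -EPERM` check in atalk_create carries no comment saying why CAP_NET_RAW is required or why `kern` creators are exempt, and this is the only patch in the series whose check has a `!kern` exemption, so the difference will read as accidental to the next person comparing the five raw-socket fixes. I would put the reason directly above the check: `/* Like other raw-socket families, a SOCK_RAW socket needs CAP_NET_RAW; trusted in-kernel creators (kern) are exempt. */`. The existing block comment ending in `*/` at the top of the hunk is cut off, so its text could not be checked for overlap; atalk_create begins and ends outside the hunk.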
@@ -0,0 +1,101 @@
+From foo@baz Tue 01 Oct 2019 04:06:17 PM CEST
+From: "Uwe Kleine-König"
+Date: Fri, 20 Sep 2019 16:08:21 +0200
+Subject: arcnet: provide a buffer big enough to actually receive packets
+
+From: "Uwe Kleine-König"
+
+[ Upstream commit 108639aac35eb57f1d0e8333f5fc8c7ff68df938 ]
+
+struct archdr is only big enough to hold the header of various types of
+arcnet packets. So to provide enough space to hold the data read from
+hardware provide a buffer large enough to hold a packet with maximal
+size.
+
+The problem was noticed by the stack protector which makes the kernel
+oops.
+
+Signed-off-by: Uwe Kleine-König
+Acked-by: Michael Grzeschik
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/arcnet/arcnet.c | 31 +++++++++++++++++--------------
+ 1 file changed, 17 insertions(+), 14 deletions(-)
+
+--- a/drivers/net/arcnet/arcnet.c
++++ b/drivers/net/arcnet/arcnet.c
+@@ -1009,31 +1009,34 @@ EXPORT_SYMBOL(arcnet_interrupt);
+ static void arcnet_rx(struct net_device *dev, int bufnum)
+ {
+ struct arcnet_local *lp = netdev_priv(dev);
+- struct archdr pkt;
++ union {
++ struct archdr pkt;
++ char buf[512];
++ } rxdata;
+ struct arc_rfc1201 *soft;
+ int length, ofs;
+
+- soft = &pkt.soft.rfc1201;
++ soft = &rxdata.pkt.soft.rfc1201;
+
+- lp->hw.copy_from_card(dev, bufnum, 0, &pkt, ARC_HDR_SIZE);
+- if (pkt.hard.offset[0]) {
+- ofs = pkt.hard.offset[0];
++ lp->hw.copy_from_card(dev, bufnum, 0, &rxdata.pkt, ARC_HDR_SIZE);
++ if (rxdata.pkt.hard.offset[0]) {
++ ofs = rxdata.pkt.hard.offset[0];
+ length = 256 - ofs;
+ } else {
+- ofs = pkt.hard.offset[1];
++ ofs = rxdata.pkt.hard.offset[1];
+ length = 512 - ofs;
+ }
+
+ /* get the full header, if possible */
+- if (sizeof(pkt.soft) <= length) {
+- lp->hw.copy_from_card(dev, bufnum, ofs, soft, sizeof(pkt.soft));
++ if (sizeof(rxdata.pkt.soft) <= length) {
++ lp->hw.copy_from_card(dev, bufnum, ofs, soft, sizeof(rxdata.pkt.soft));
+ } else {
+- memset(&pkt.soft, 0,
sizeof(pkt.soft));
++ memset(&rxdata.pkt.soft, 0, sizeof(rxdata.pkt.soft));
+ lp->hw.copy_from_card(dev, bufnum, ofs, soft, length);
+ }
+
+ arc_printk(D_DURING, dev, "Buffer #%d: received packet from %02Xh to %02Xh (%d+4 bytes)\n",
+- bufnum, pkt.hard.source, pkt.hard.dest, length);
++ bufnum, rxdata.pkt.hard.source, rxdata.pkt.hard.dest, length);
+
+ dev->stats.rx_packets++;
+ dev->stats.rx_bytes += length + ARC_HDR_SIZE;
+@@ -1042,13 +1045,13 @@ static void arcnet_rx(struct net_device
+ if (arc_proto_map[soft->proto]->is_ip) {
+ if (BUGLVL(D_PROTO)) {
+ struct ArcProto
+- *oldp = arc_proto_map[lp->default_proto[pkt.hard.source]],
++ *oldp = arc_proto_map[lp->default_proto[rxdata.pkt.hard.source]],
+ *newp = arc_proto_map[soft->proto];
+
+ if (oldp != newp) {
+ arc_printk(D_PROTO, dev,
+ "got protocol %02Xh; encap for host %02Xh is now '%c' (was '%c')\n",
+- soft->proto, pkt.hard.source,
++ soft->proto, rxdata.pkt.hard.source,
+ newp->suffix, oldp->suffix);
+ }
+ }
+@@ -1057,10 +1060,10 @@ static void arcnet_rx(struct net_device
+ lp->default_proto[0] = soft->proto;
+
+ /* in striking contrast, the following isn't a hack. */
+- lp->default_proto[pkt.hard.source] = soft->proto;
++ lp->default_proto[rxdata.pkt.hard.source] = soft->proto;
+ }
+ /* call the protocol-specific receiver. */
+- arc_proto_map[soft->proto]->rx(dev, bufnum, &pkt, length);
++ arc_proto_map[soft->proto]->rx(dev, bufnum, &rxdata.pkt, length);
+ }
+
+ static void null_rx(struct net_device *dev, int bufnum,
diff --git a/queue-4.9/ax25-enforce-cap_net_raw-for-raw-sockets.patch b/queue-4.9/ax25-enforce-cap_net_raw-for-raw-sockets.patch
new file mode 100644
index 00000000000..4c4bcd42a7b
--- /dev/null
+++ b/queue-4.9/ax25-enforce-cap_net_raw-for-raw-sockets.patch
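Review bot: The new `char buf[512]` in the rxdata union is sized by a bare literal that silently has to agree with the `512` in `length = 512 - ofs` a few lines below, and nothing in the hunk ties the two together; a named constant used in both places, or at least `char buf[512]; /* one full long-packet card buffer; must match the 512 in the length computation below */`, would make the invariant explicit. The union is also only big enough if `ofs` is at least ARC_HDR_SIZE: the protocol `rx()` callback at the end of the function gets `&rxdata.pkt` and `length`, and if it copies `length` bytes starting at the soft header while the card reported `offset[1]` smaller than the 4-byte hardware header, the write runs past byte 512. `offset[]` is taken straight from the card and is not validated in arcnet_rx, so whether the per-protocol receivers bound this is not visible here. arcnet_rx itself is fully visible across the three hunks.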
@@ -0,0 +1,31 @@
+From foo@baz Tue 01 Oct 2019 04:06:17 PM CEST
+From: Ori Nimron
+Date: Fri, 20 Sep 2019 09:35:47 +0200
+Subject: ax25: enforce CAP_NET_RAW for raw sockets
+
+From: Ori Nimron
+
+[ Upstream commit 0614e2b73768b502fc32a75349823356d98aae2c ]
+
+When creating a raw AF_AX25 socket, CAP_NET_RAW needs to be checked
+first.
+
+Signed-off-by: Ori Nimron
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ax25/af_ax25.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/ax25/af_ax25.c
++++ b/net/ax25/af_ax25.c
+@@ -859,6 +859,8 @@ static int ax25_create(struct net *net,
+ break;
+
+ case SOCK_RAW:
++ if (!capable(CAP_NET_RAW))
++ return -EPERM;
+ break;
+ default:
+ return -ESOCKTNOSUPPORT;
diff --git a/queue-4.9/cdc_ncm-fix-divide-by-zero-caused-by-invalid-wmaxpacketsize.patch b/queue-4.9/cdc_ncm-fix-divide-by-zero-caused-by-invalid-wmaxpacketsize.patch
new file mode 100644
index 00000000000..2fd648291de
--- /dev/null
+++ b/queue-4.9/cdc_ncm-fix-divide-by-zero-caused-by-invalid-wmaxpacketsize.patch
@@ -0,0 +1,41 @@
+From foo@baz Tue 01 Oct 2019 04:06:17 PM CEST
+From: "Bjørn Mork"
+Date: Wed, 18 Sep 2019 14:01:46 +0200
+Subject: cdc_ncm: fix divide-by-zero caused by invalid wMaxPacketSize
+
+From: "Bjørn Mork"
+
+[ Upstream commit 3fe4b3351301660653a2bc73f2226da0ebd2b95e ]
+
+Endpoints with zero wMaxPacketSize are not usable for transferring
+data. Ignore such endpoints when looking for valid in, out and
+status pipes, to make the driver more robust against invalid and
+meaningless descriptors.
+
+The wMaxPacketSize of the out pipe is used as divisor. So this change
+fixes a divide-by-zero bug.
+
+Reported-by: syzbot+ce366e2b8296e25d84f5@syzkaller.appspotmail.com
+Signed-off-by: Bjørn Mork
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/usb/cdc_ncm.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/usb/cdc_ncm.c
++++ b/drivers/net/usb/cdc_ncm.c
+@@ -679,8 +679,12 @@ cdc_ncm_find_endpoints(struct usbnet *de
+ u8 ep;
+
+ for (ep = 0; ep < intf->cur_altsetting->desc.bNumEndpoints; ep++) {
+-
+ e = intf->cur_altsetting->endpoint + ep;
++
++ /* ignore endpoints which cannot transfer data */
++ if (!usb_endpoint_maxp(&e->desc))
++ continue;
++
+ switch (e->desc.bmAttributes & USB_ENDPOINT_XFERTYPE_MASK) {
+ case USB_ENDPOINT_XFER_INT:
+ if (usb_endpoint_dir_in(&e->desc)) {
diff --git a/queue-4.9/ieee802154-enforce-cap_net_raw-for-raw-sockets.patch b/queue-4.9/ieee802154-enforce-cap_net_raw-for-raw-sockets.patch
new file mode 100644
index 00000000000..c601976bc6b
--- /dev/null
+++ b/queue-4.9/ieee802154-enforce-cap_net_raw-for-raw-sockets.patch
@@ -0,0 +1,33 @@
+From foo@baz Tue 01 Oct 2019 04:06:17 PM CEST
+From: Ori Nimron
+Date: Fri, 20 Sep 2019 09:35:48 +0200
+Subject: ieee802154: enforce CAP_NET_RAW for raw sockets
+
+From: Ori Nimron
+
+[ Upstream commit e69dbd4619e7674c1679cba49afd9dd9ac347eef ]
+
+When creating a raw AF_IEEE802154 socket, CAP_NET_RAW needs to be
+checked first.
+
+Signed-off-by: Ori Nimron
+Signed-off-by: Greg Kroah-Hartman
+Acked-by: Stefan Schmidt
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ieee802154/socket.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/ieee802154/socket.c
++++ b/net/ieee802154/socket.c
+@@ -1003,6 +1003,9 @@ static int ieee802154_create(struct net
+
+ switch (sock->type) {
+ case SOCK_RAW:
++ rc = -EPERM;
++ if (!capable(CAP_NET_RAW))
++ goto out;
+ proto = &ieee802154_raw_prot;
+ ops = &ieee802154_raw_ops;
+ break;
diff --git a/queue-4.9/macsec-drop-skb-sk-before-calling-gro_cells_receive.patch b/queue-4.9/macsec-drop-skb-sk-before-calling-gro_cells_receive.patch
new file mode 100644
index 00000000000..c6a052f48b3
--- /dev/null
+++ b/queue-4.9/macsec-drop-skb-sk-before-calling-gro_cells_receive.patch
@@ -0,0 +1,61 @@
+From foo@baz Tue 01 Oct 2019 04:06:17 PM CEST
+From: Xin Long
+Date: Mon, 23 Sep 2019 17:02:46 +0800
+Subject: macsec: drop skb sk before calling gro_cells_receive
+
+From: Xin Long
+
+[ Upstream commit ba56d8ce38c8252fff5b745db3899cf092578ede ]
+
+Fei Liu reported a crash when doing netperf on a topo of macsec
+dev over veth:
+
+ [ 448.919128] refcount_t: underflow; use-after-free.
+ [ 449.090460] Call trace:
+ [ 449.092895] refcount_sub_and_test+0xb4/0xc0
+ [ 449.097155] tcp_wfree+0x2c/0x150
+ [ 449.100460] ip_rcv+0x1d4/0x3a8
+ [ 449.103591] __netif_receive_skb_core+0x554/0xae0
+ [ 449.108282] __netif_receive_skb+0x28/0x78
+ [ 449.112366] netif_receive_skb_internal+0x54/0x100
+ [ 449.117144] napi_gro_complete+0x70/0xc0
+ [ 449.121054] napi_gro_flush+0x6c/0x90
+ [ 449.124703] napi_complete_done+0x50/0x130
+ [ 449.128788] gro_cell_poll+0x8c/0xa8
+ [ 449.132351] net_rx_action+0x16c/0x3f8
+ [ 449.136088] __do_softirq+0x128/0x320
+
+The issue was caused by skb's true_size changed without its sk's
+sk_wmem_alloc increased in tcp/skb_gro_receive(). Later when the
+skb is being freed and the skb's truesize is subtracted from its
+sk's sk_wmem_alloc in tcp_wfree(), underflow occurs.
+
+macsec is calling gro_cells_receive() to receive a packet, which
+actually requires skb->sk to be NULL. However when macsec dev is
+over veth, it's possible the skb->sk is still set if the skb was
+not unshared or expanded from the peer veth.
+
+ip_rcv() is calling skb_orphan() to drop the skb's sk for tproxy,
+but it is too late for macsec's calling gro_cells_receive(). So
+fix it by dropping the skb's sk earlier on rx path of macsec.
+
+Fixes: 5491e7c6b1a9 ("macsec: enable GRO and RPS on macsec devices")
+Reported-by: Xiumei Mu
+Reported-by: Fei Liu
+Signed-off-by: Xin Long
+Signed-off-by: David S. 
Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/macsec.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/macsec.c
++++ b/drivers/net/macsec.c
+@@ -1240,6 +1240,7 @@ deliver:
+ macsec_rxsa_put(rx_sa);
+ macsec_rxsc_put(rx_sc);
+
++ skb_orphan(skb);
+ ret = gro_cells_receive(&macsec->gro_cells, skb);
+ if (ret == NET_RX_SUCCESS)
+ count_rx(dev, skb->len);
diff --git a/queue-4.9/misdn-enforce-cap_net_raw-for-raw-sockets.patch b/queue-4.9/misdn-enforce-cap_net_raw-for-raw-sockets.patch
new file mode 100644
index 00000000000..4dc6e2992e4
--- /dev/null
+++ b/queue-4.9/misdn-enforce-cap_net_raw-for-raw-sockets.patch
@@ -0,0 +1,31 @@
+From foo@baz Tue 01 Oct 2019 04:06:17 PM CEST
+From: Ori Nimron
+Date: Fri, 20 Sep 2019 09:35:45 +0200
+Subject: mISDN: enforce CAP_NET_RAW for raw sockets
+
+From: Ori Nimron
+
+[ Upstream commit b91ee4aa2a2199ba4d4650706c272985a5a32d80 ]
+
+When creating a raw AF_ISDN socket, CAP_NET_RAW needs to be checked
+first.
+
+Signed-off-by: Ori Nimron
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/isdn/mISDN/socket.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/isdn/mISDN/socket.c
++++ b/drivers/isdn/mISDN/socket.c
+@@ -766,6 +766,8 @@ base_sock_create(struct net *net, struct
+
+ if (sock->type != SOCK_RAW)
+ return -ESOCKTNOSUPPORT;
++ if (!capable(CAP_NET_RAW))
++ return -EPERM;
+
+ sk = sk_alloc(net, PF_ISDN, GFP_KERNEL, &mISDN_proto, kern);
+ if (!sk)
diff --git a/queue-4.9/net-phy-fix-dp83865-10-mbps-hdx-loopback-disable-function.patch b/queue-4.9/net-phy-fix-dp83865-10-mbps-hdx-loopback-disable-function.patch
new file mode 100644
index 00000000000..81597456ee1
--- /dev/null
+++ b/queue-4.9/net-phy-fix-dp83865-10-mbps-hdx-loopback-disable-function.patch
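Review bot: The added `skb_orphan(skb)` before `gro_cells_receive()` has no comment, so in the source it looks like a stray call rather than the precondition it is; the reason lives only in the commit message. A why-comment on that line would keep it from being "cleaned up" later: `/* gro_cells_receive() requires skb->sk == NULL: over veth the skb may still carry the sender's socket, and GRO merging would then corrupt that socket's sk_wmem_alloc accounting */`. The `deliver:` label is all the hunk shows of the enclosing function, which begins and ends outside it.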
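Review bot: The new `capable(CAP_NET_RAW)` check in base_sock_create also rejects in-kernel creators, even though `kern` is available here (it is passed to `sk_alloc()` two lines below), whereas the appletalk patch in this same series exempts them with `!kern`. If in-kernel callers should be allowed, the check would be `if (!kern && !capable(CAP_NET_RAW))`; if the stricter behaviour is intended, a one-line comment saying the capability is required even for in-kernel creators would stop the two patches from looking inconsistent. Whether any in-kernel caller creates a raw AF_ISDN socket is not visible here, and base_sock_create begins outside the hunk.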
@@ -0,0 +1,45 @@
+From foo@baz Tue 01 Oct 2019 04:06:17 PM CEST
+From: Peter Mamonov
+Date: Wed, 18 Sep 2019 19:27:55 +0300
+Subject: net/phy: fix DP83865 10 Mbps HDX loopback disable function
+
+From: Peter Mamonov
+
+[ Upstream commit e47488b2df7f9cb405789c7f5d4c27909fc597ae ]
+
+According to the DP83865 datasheet "the 10 Mbps HDX loopback can be
+disabled in the expanded memory register 0x1C0.1". The driver erroneously
+used bit 0 instead of bit 1.
+
+Fixes: 4621bf129856 ("phy: Add file missed in previous commit.")
+Signed-off-by: Peter Mamonov
+Reviewed-by: Andrew Lunn
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/phy/national.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/phy/national.c
++++ b/drivers/net/phy/national.c
+@@ -110,14 +110,17 @@ static void ns_giga_speed_fallback(struc
+
+ static void ns_10_base_t_hdx_loopack(struct phy_device *phydev, int disable)
+ {
++ u16 lb_dis = BIT(1);
++
+ if (disable)
+- ns_exp_write(phydev, 0x1c0, ns_exp_read(phydev, 0x1c0) | 1);
++ ns_exp_write(phydev, 0x1c0,
++ ns_exp_read(phydev, 0x1c0) | lb_dis);
+ else
+ ns_exp_write(phydev, 0x1c0,
+- ns_exp_read(phydev, 0x1c0) & 0xfffe);
++ ns_exp_read(phydev, 0x1c0) & ~lb_dis);
+
+ pr_debug("10BASE-T HDX loopback %s\n",
+- (ns_exp_read(phydev, 0x1c0) & 0x0001) ? "off" : "on");
++ (ns_exp_read(phydev, 0x1c0) & lb_dis) ? "off" : "on");
+ }
+
+ static int ns_config_init(struct phy_device *phydev)
diff --git a/queue-4.9/net-qrtr-stop-rx_worker-before-freeing-node.patch b/queue-4.9/net-qrtr-stop-rx_worker-before-freeing-node.patch
new file mode 100644
index 00000000000..c2fc246c8a1
--- /dev/null
+++ b/queue-4.9/net-qrtr-stop-rx_worker-before-freeing-node.patch
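Review bot: `u16 lb_dis = BIT(1);` encodes the datasheet fact the whole fix rests on (expanded register 0x1C0, bit 1) as an uncommented mutable local, so the only record of where bit 1 comes from is the commit message. A file-scope definition next to the other register constants, `#define DP83865_10BT_HDX_LB_DIS BIT(1) /* expanded reg 0x1C0.1 */`, or at minimum `const u16 lb_dis = BIT(1); /* exp. reg 0x1C0 bit 1, per DP83865 datasheet */`, would keep that knowledge with the code and make the register offset `0x1c0`, repeated four times, a candidate for the same treatment. ns_10_base_t_hdx_loopack is fully visible in the hunk.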
@@ -0,0 +1,33 @@
+From foo@baz Tue 01 Oct 2019 04:06:17 PM CEST
+From: Bjorn Andersson
+Date: Wed, 18 Sep 2019 10:21:17 -0700
+Subject: net: qrtr: Stop rx_worker before freeing node
+
+From: Bjorn Andersson
+
+[ Upstream commit 73f0c11d11329a0d6d205d4312b6e5d2512af7c5 ]
+
+As the endpoint is unregistered there might still be work pending to
+handle incoming messages, which will result in a use after free
+scenario. The plan is to remove the rx_worker, but until then (and for
+stable@) ensure that the work is stopped before the node is freed.
+
+Fixes: bdabad3e363d ("net: Add Qualcomm IPC router")
+Cc: stable@vger.kernel.org
+Signed-off-by: Bjorn Andersson
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/qrtr/qrtr.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/qrtr/qrtr.c
++++ b/net/qrtr/qrtr.c
+@@ -126,6 +126,7 @@ static void __qrtr_node_release(struct k
+ list_del(&node->item);
+ mutex_unlock(&qrtr_node_lock);
+
++ cancel_work_sync(&node->work);
+ skb_queue_purge(&node->rx_queue);
+ kfree(node);
+ }
diff --git a/queue-4.9/nfc-enforce-cap_net_raw-for-raw-sockets.patch b/queue-4.9/nfc-enforce-cap_net_raw-for-raw-sockets.patch
new file mode 100644
index 00000000000..ef6efb82f07
--- /dev/null
+++ b/queue-4.9/nfc-enforce-cap_net_raw-for-raw-sockets.patch
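Review bot: `cancel_work_sync(&node->work)` makes `__qrtr_node_release` a sleeping function, and it blocks until a running `node->work` finishes, so it is correct only if no `kref_put()` that can drop the last node reference runs in atomic context and the work function itself can never be the one dropping that last reference (it would then wait on its own completion). Neither the kref_put callers nor the work function are in the hunk, so I cannot confirm either; the hunk does show that `list_del()` and `mutex_unlock(&qrtr_node_lock)` come first, which presumably keeps new lookups from finding the node while the worker is drained. A comment stating the contract would make the next change safer: `/* the rx worker may still be queued or running; drain it before freeing. Must be called from sleepable context and never from the worker itself. */`. The function begins outside the hunk.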
@@ -0,0 +1,38 @@
+From foo@baz Tue 01 Oct 2019 04:06:17 PM CEST
+From: Ori Nimron
+Date: Fri, 20 Sep 2019 09:35:49 +0200
+Subject: nfc: enforce CAP_NET_RAW for raw sockets
+
+From: Ori Nimron
+
+[ Upstream commit 3a359798b176183ef09efb7a3dc59abad1cc7104 ]
+
+When creating a raw AF_NFC socket, CAP_NET_RAW needs to be checked
+first.
+
+Signed-off-by: Ori Nimron
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/nfc/llcp_sock.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/net/nfc/llcp_sock.c
++++ b/net/nfc/llcp_sock.c
+@@ -1011,10 +1011,13 @@ static int llcp_sock_create(struct net *
+ sock->type != SOCK_RAW)
+ return -ESOCKTNOSUPPORT;
+
+- if (sock->type == SOCK_RAW)
++ if (sock->type == SOCK_RAW) {
++ if (!capable(CAP_NET_RAW))
++ return -EPERM;
+ sock->ops = &llcp_rawsock_ops;
+- else
++ } else {
+ sock->ops = &llcp_sock_ops;
++ }
+
+ sk = nfc_llcp_sock_alloc(sock, sock->type, GFP_ATOMIC, kern);
+ if (sk == NULL)
diff --git a/queue-4.9/openvswitch-change-type-of-upcall_pid-attribute-to-nla_unspec.patch b/queue-4.9/openvswitch-change-type-of-upcall_pid-attribute-to-nla_unspec.patch
new file mode 100644
index 00000000000..71474694136
--- /dev/null
+++ b/queue-4.9/openvswitch-change-type-of-upcall_pid-attribute-to-nla_unspec.patch
@@ -0,0 +1,40 @@
+From foo@baz Tue 01 Oct 2019 04:06:17 PM CEST
+From: Li RongQing
+Date: Tue, 24 Sep 2019 19:11:52 +0800
+Subject: openvswitch: change type of UPCALL_PID attribute to NLA_UNSPEC
+
+From: Li RongQing
+
+[ Upstream commit ea8564c865299815095bebeb4b25bef474218e4c ]
+
+userspace openvswitch patch "(dpif-linux: Implement the API
+functions to allow multiple handler threads read upcall)"
+changes its type from U32 to UNSPEC, but leave the kernel
+unchanged
+
+and after kernel 6e237d099fac "(netlink: Relax attr validation
+for fixed length types)", this bug is exposed by the below
+warning
+
+ [ 57.215841] netlink: 'ovs-vswitchd': attribute type 5 has an invalid length.
+
+Fixes: 5cd667b0a456 ("openvswitch: Allow each vport to have an array of 'port_id's")
+Signed-off-by: Li RongQing
+Acked-by: Pravin B Shelar
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/openvswitch/datapath.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/openvswitch/datapath.c
++++ b/net/openvswitch/datapath.c
+@@ -2218,7 +2218,7 @@ static const struct nla_policy vport_pol
+ [OVS_VPORT_ATTR_STATS] = { .len = sizeof(struct ovs_vport_stats) },
+ [OVS_VPORT_ATTR_PORT_NO] = { .type = NLA_U32 },
+ [OVS_VPORT_ATTR_TYPE] = { .type = NLA_U32 },
+- [OVS_VPORT_ATTR_UPCALL_PID] = { .type = NLA_U32 },
++ [OVS_VPORT_ATTR_UPCALL_PID] = { .type = NLA_UNSPEC },
+ [OVS_VPORT_ATTR_OPTIONS] = { .type = NLA_NESTED },
+ };
+
diff --git a/queue-4.9/ppp-fix-memory-leak-in-ppp_write.patch b/queue-4.9/ppp-fix-memory-leak-in-ppp_write.patch
new file mode 100644
index 00000000000..94b982958e6
--- /dev/null
+++ b/queue-4.9/ppp-fix-memory-leak-in-ppp_write.patch
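Review bot: Switching `OVS_VPORT_ATTR_UPCALL_PID` to `{ .type = NLA_UNSPEC }` with no `.len` removes all length validation the policy used to give this attribute, so a zero-length or non-multiple-of-4 payload now passes the policy and reaches whatever reads it as a u32 array; that consumer is outside the hunk, so I cannot see whether it rejects `nla_len == 0` or `nla_len % sizeof(u32)`. If it does not, `{ .type = NLA_UNSPEC, .len = sizeof(u32) }` restores at least a one-entry minimum at the policy level. Either way a comment would stop someone "fixing" the entry back to NLA_U32 later: `/* variable-length array of u32 upcall port ids, not a single u32 */`.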
@@ -0,0 +1,61 @@
+From foo@baz Tue 01 Oct 2019 04:06:17 PM CEST
+From: Takeshi Misawa
+Date: Sun, 22 Sep 2019 16:45:31 +0900
+Subject: ppp: Fix memory leak in ppp_write
+
+From: Takeshi Misawa
+
+[ Upstream commit 4c247de564f1ff614d11b3bb5313fb70d7b9598b ]
+
+When ppp is closing, __ppp_xmit_process() failed to enqueue skb
+and skb allocated in ppp_write() is leaked.
+
+syzbot reported :
+BUG: memory leak
+unreferenced object 0xffff88812a17bc00 (size 224):
+ comm "syz-executor673", pid 6952, jiffies 4294942888 (age 13.040s)
+ hex dump (first 32 bytes):
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ backtrace:
+ [<00000000d110fff9>] kmemleak_alloc_recursive include/linux/kmemleak.h:43 [inline]
+ [<00000000d110fff9>] slab_post_alloc_hook m_
+
+Fixes: 6d066734e9f0 ("ppp: avoid loop in xmit recursion detection code")
+Reported-and-tested-by: syzbot+d9c8bf24e56416d7ce2c@syzkaller.appspotmail.com
+Signed-off-by: Takeshi Misawa
+Reviewed-by: Guillaume Nault
+Tested-by: Guillaume Nault
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ppp/ppp_generic.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/ppp/ppp_generic.c
++++ b/drivers/net/ppp/ppp_generic.c
+@@ -1432,6 +1432,8 @@ static void __ppp_xmit_process(struct pp
+ netif_wake_queue(ppp->dev);
+ else
+ netif_stop_queue(ppp->dev);
++ } else {
++ kfree_skb(skb);
+ }
+ ppp_xmit_unlock(ppp);
+ }
diff --git a/queue-4.9/sch_netem-fix-a-divide-by-zero-in-tabledist.patch b/queue-4.9/sch_netem-fix-a-divide-by-zero-in-tabledist.patch
new file mode 100644
index 00000000000..c76d2597ef2
--- /dev/null
+++ b/queue-4.9/sch_netem-fix-a-divide-by-zero-in-tabledist.patch
@@ -0,0 +1,36 @@
+From foo@baz Tue 01 Oct 2019 04:06:17 PM CEST
+From: Eric Dumazet
+Date: Wed, 18 Sep 2019 08:05:39 -0700
+Subject: sch_netem: fix a divide by zero in tabledist()
+
+From: Eric Dumazet
+
+[ Upstream commit b41d936b5ecfdb3a4abc525ce6402a6c49cffddc ]
+
+syzbot managed to crash the kernel in tabledist() loading
+an empty distribution table.
+
+ t = dist->table[rnd % dist->size];
+
+Simply return an error when such load is attempted.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Eric Dumazet
+Reported-by: syzbot
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/sched/sch_netem.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/sched/sch_netem.c
++++ b/net/sched/sch_netem.c
+@@ -711,7 +711,7 @@ static int get_dist_table(struct Qdisc *
+ int i;
+ size_t s;
+
+- if (n > NETEM_DIST_MAX)
++ if (!n || n > NETEM_DIST_MAX)
+ return -EINVAL;
+
+ s = sizeof(struct disttable) + n * sizeof(s16);
diff --git a/queue-4.9/series b/queue-4.9/series
index df4ff3f6a28..9b3f85fad08 100644
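Review bot: The new `} else { kfree_skb(skb); }` hangs off an `if` whose condition is above the hunk, so nothing in the visible code says this is the "ppp is closing" path or whether `skb` can legitimately be NULL here; `kfree_skb()` tolerates NULL, but a reader cannot tell if that is being relied on. I would label the branch: `} else { /* closing: drop rather than queue; skb may be NULL when called just to re-kick the queue */ kfree_skb(skb); }`, with the NULL part kept only if the callers (not visible here) really pass it. __ppp_xmit_process begins outside the hunk.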
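Review bot: The new `!n` guard in get_dist_table has no comment tying it to the `rnd % dist->size` in tabledist() that the commit message cites, so in the source it reads as an arbitrary minimum rather than the divide-by-zero fix it is; `if (!n || n > NETEM_DIST_MAX) /* tabledist() indexes with rnd % dist->size; an empty table must never be installed */`. `n` is computed above the hunk, so how a table attribute whose length is not a multiple of `sizeof(s16)` is treated cannot be checked here; get_dist_table begins and ends outside the hunk.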
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -20,3 +20,19 @@ f2fs-fix-to-do-sanity-check-on-segment-bitmap-of-lfs.patch
 drm-flush-output-polling-on-shutdown.patch
 xfs-don-t-crash-on-null-attr-fork-xfs_bmapi_read.patch
 bluetooth-btrtl-additional-realtek-8822ce-bluetooth-.patch
+arcnet-provide-a-buffer-big-enough-to-actually-receive-packets.patch
+cdc_ncm-fix-divide-by-zero-caused-by-invalid-wmaxpacketsize.patch
+macsec-drop-skb-sk-before-calling-gro_cells_receive.patch
+net-phy-fix-dp83865-10-mbps-hdx-loopback-disable-function.patch
+net-qrtr-stop-rx_worker-before-freeing-node.patch
+openvswitch-change-type-of-upcall_pid-attribute-to-nla_unspec.patch
+ppp-fix-memory-leak-in-ppp_write.patch
+sch_netem-fix-a-divide-by-zero-in-tabledist.patch
+skge-fix-checksum-byte-order.patch
+usbnet-ignore-endpoints-with-invalid-wmaxpacketsize.patch
+usbnet-sanity-checking-of-packet-sizes-and-device-mtu.patch
+misdn-enforce-cap_net_raw-for-raw-sockets.patch
+appletalk-enforce-cap_net_raw-for-raw-sockets.patch
+ax25-enforce-cap_net_raw-for-raw-sockets.patch
+ieee802154-enforce-cap_net_raw-for-raw-sockets.patch
+nfc-enforce-cap_net_raw-for-raw-sockets.patch
diff --git a/queue-4.9/skge-fix-checksum-byte-order.patch b/queue-4.9/skge-fix-checksum-byte-order.patch
new file mode 100644
index 00000000000..4a721db5828
--- /dev/null
+++ b/queue-4.9/skge-fix-checksum-byte-order.patch
@@ -0,0 +1,32 @@
+From foo@baz Tue 01 Oct 2019 04:06:17 PM CEST
+From: Stephen Hemminger
+Date: Fri, 20 Sep 2019 18:18:26 +0200
+Subject: skge: fix checksum byte order
+
+From: Stephen Hemminger
+
+[ Upstream commit 5aafeb74b5bb65b34cc87c7623f9fa163a34fa3b ]
+
+Running old skge driver on PowerPC causes checksum errors
+because hardware reported 1's complement checksum is in little-endian
+byte order.
+
+Reported-by: Benoit
+Signed-off-by: Stephen Hemminger
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/marvell/skge.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/marvell/skge.c
++++ b/drivers/net/ethernet/marvell/skge.c
+@@ -3114,7 +3114,7 @@ static struct sk_buff *skge_rx_get(struc
+ skb_put(skb, len);
+
+ if (dev->features & NETIF_F_RXCSUM) {
+- skb->csum = csum;
++ skb->csum = le16_to_cpu(csum);
+ skb->ip_summed = CHECKSUM_COMPLETE;
+ }
+
diff --git a/queue-4.9/usbnet-ignore-endpoints-with-invalid-wmaxpacketsize.patch b/queue-4.9/usbnet-ignore-endpoints-with-invalid-wmaxpacketsize.patch
new file mode 100644
index 00000000000..9c780eae633
--- /dev/null
+++ b/queue-4.9/usbnet-ignore-endpoints-with-invalid-wmaxpacketsize.patch
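Review bot: `le16_to_cpu(csum)` is applied to a variable whose declaration is outside the hunk; if `csum` is a plain `u16` rather than `__le16`, sparse will flag this conversion under `__CHECK_ENDIAN__`, and the type-correct fix is to carry the descriptor field as `__le16` from where it is read out of the rx descriptor to here (or convert it there). Since the byte order is a hardware fact that is otherwise only in the commit message, the line deserves a comment either way: `skb->csum = le16_to_cpu(csum); /* the rx descriptor stores the 1's-complement sum little-endian */`. skge_rx_get begins and ends outside the hunk.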
@@ -0,0 +1,39 @@
+From foo@baz Tue 01 Oct 2019 04:06:17 PM CEST
+From: "Bjørn Mork"
+Date: Wed, 18 Sep 2019 14:17:38 +0200
+Subject: usbnet: ignore endpoints with invalid wMaxPacketSize
+
+From: "Bjørn Mork"
+
+[ Upstream commit 8d3d7c2029c1b360f1a6b0a2fca470b57eb575c0 ]
+
+Endpoints with zero wMaxPacketSize are not usable for transferring
+data. Ignore such endpoints when looking for valid in, out and
+status pipes, to make the drivers more robust against invalid and
+meaningless descriptors.
+
+The wMaxPacketSize of these endpoints are used for memory allocations
+and as divisors in many usbnet minidrivers. Avoiding zero is therefore
+critical.
+
+Signed-off-by: Bjørn Mork
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/usb/usbnet.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/net/usb/usbnet.c
++++ b/drivers/net/usb/usbnet.c
+@@ -114,6 +114,11 @@ int usbnet_get_endpoints(struct usbnet *
+ int intr = 0;
+
+ e = alt->endpoint + ep;
++
++ /* ignore endpoints which cannot transfer data */
++ if (!usb_endpoint_maxp(&e->desc))
++ continue;
++
+ switch (e->desc.bmAttributes) {
+ case USB_ENDPOINT_XFER_INT:
+ if (!usb_endpoint_dir_in(&e->desc))
diff --git a/queue-4.9/usbnet-sanity-checking-of-packet-sizes-and-device-mtu.patch b/queue-4.9/usbnet-sanity-checking-of-packet-sizes-and-device-mtu.patch
new file mode 100644
index 00000000000..49a0c1df0e3
--- /dev/null
+++ b/queue-4.9/usbnet-sanity-checking-of-packet-sizes-and-device-mtu.patch
@@ -0,0 +1,41 @@
+From foo@baz Tue 01 Oct 2019 04:06:17 PM CEST
+From: Oliver Neukum
+Date: Thu, 19 Sep 2019 10:23:08 +0200
+Subject: usbnet: sanity checking of packet sizes and device mtu
+
+From: Oliver Neukum
+
+[ Upstream commit 280ceaed79f18db930c0cc8bb21f6493490bf29c ]
+
+After a reset packet sizes and device mtu can change and need
+to be reevaluated to calculate queue sizes.
+Malicious devices can set this to zero and we divide by it.
+Introduce sanity checking.
+
+Reported-and-tested-by: syzbot+6102c120be558c885f04@syzkaller.appspotmail.com
+Signed-off-by: Oliver Neukum
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/usb/usbnet.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/usb/usbnet.c
++++ b/drivers/net/usb/usbnet.c
+@@ -354,6 +354,8 @@ void usbnet_update_max_qlen(struct usbne
+ {
+ enum usb_device_speed speed = dev->udev->speed;
+
++ if (!dev->rx_urb_size || !dev->hard_mtu)
++ goto insanity;
+ switch (speed) {
+ case USB_SPEED_HIGH:
+ dev->rx_qlen = MAX_QUEUE_MEMORY / dev->rx_urb_size;
+@@ -370,6 +372,7 @@ void usbnet_update_max_qlen(struct usbne
+ dev->tx_qlen = 5 * MAX_QUEUE_MEMORY / dev->hard_mtu;
+ break;
+ default:
++insanity:
+ dev->rx_qlen = dev->tx_qlen = 4;
+ }
+ }
-- 
2.47.2
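Review bot: The new `goto insanity` jumps into the body of the `switch`, with the `insanity:` label sitting under `default:`; that is legal C but unusual enough that every reader will stop to re-verify it, and it couples the guard to the switch's layout. Since the fallback is a single assignment, handling the bad-descriptor case up front is clearer and needs no label: `if (!dev->rx_urb_size || !dev->hard_mtu) { dev->rx_qlen = dev->tx_qlen = 4; return; }`, leaving `default:` as it was. The fallback depth `4` then appears twice and would be worth a named constant. The guard does cover both divisors visible in the hunks (`/ dev->rx_urb_size` in the high-speed case and `/ dev->hard_mtu` in the tx case); usbnet_update_max_qlen is fully visible across the two hunks.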