From 25fc8abea3e9a03312497ef3bbd84de086a3c265 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Mon, 29 Apr 2013 10:43:55 -0700 Subject: [PATCH] 3.4-stable patches added patches: af_unix-if-we-don-t-care-about-credentials-coallesce-all-messages.patch atl1e-limit-gso-segment-size-to-prevent-generation-of-wrong-ip-length-fields.patch atm-update-msg_namelen-in-vcc_recvmsg.patch ax25-fix-info-leak-via-msg_name-in-ax25_recvmsg.patch bluetooth-fix-possible-info-leak-in-bt_sock_recvmsg.patch bluetooth-rfcomm-fix-missing-msg_namelen-update-in-rfcomm_sock_recvmsg.patch bonding-fix-bonding_masters-race-condition-in-bond-unloading.patch bonding-iff_bonding-is-not-stripped-on-enslave-failure.patch caif-fix-missing-msg_namelen-update-in-caif_seqpkt_recvmsg.patch cbq-incorrect-processing-of-high-limits.patch esp4-fix-error-return-code-in-esp_output.patch irda-fix-missing-msg_namelen-update-in-irda_recvmsg_dgram.patch iucv-fix-missing-msg_namelen-update-in-iucv_sock_recvmsg.patch llc-fix-missing-msg_namelen-update-in-llc_ui_recvmsg.patch net-count-hw_addr-syncs-so-that-unsync-works-properly.patch net-drop-dst-before-queueing-fragments.patch netfilter-don-t-reset-nf_trace-in-nf_reset.patch net-fix-incorrect-credentials-passing.patch net-ipv6-fix-broken-ipv6-routing-table-after-loopback-down-up.patch net-rate-limit-warn-bad-offload-splats.patch netrom-fix-info-leak-via-msg_name-in-nr_recvmsg.patch netrom-fix-invalid-use-of-sizeof-in-nr_recvmsg.patch net-sctp-sctp_auth_key_put-use-kzfree-instead-of-kfree.patch nfc-llcp-fix-info-leaks-via-msg_name-in-llcp_sock_recvmsg.patch rose-fix-info-leak-via-msg_name-in-rose_recvmsg.patch rtnetlink-call-nlmsg_parse-with-correct-header-length.patch tcp-call-tcp_replace_ts_recent-from-tcp_ack.patch tcp-incoming-connections-might-use-wrong-route-under-synflood.patch tcp-reallocate-headroom-if-it-would-overflow-csum_start.patch tipc-fix-info-leaks-via-msg_name-in-recv_msg-recv_stream.patch --- ...t-credentials-coallesce-all-messages.patch | 55 ++++++ ...generation-of-wrong-ip-length-fields.patch | 44 +++++ ...tm-update-msg_namelen-in-vcc_recvmsg.patch | 36 ++++ ...fo-leak-via-msg_name-in-ax25_recvmsg.patch | 39 +++++ ...ossible-info-leak-in-bt_sock_recvmsg.patch | 48 ++++++ ...amelen-update-in-rfcomm_sock_recvmsg.patch | 37 +++++ ...ers-race-condition-in-bond-unloading.patch | 49 ++++++ ...g-is-not-stripped-on-enslave-failure.patch | 34 ++++ ...amelen-update-in-caif_seqpkt_recvmsg.patch | 38 +++++ ...-incorrect-processing-of-high-limits.patch | 53 ++++++ ...-fix-error-return-code-in-esp_output.patch | 44 +++++ ...namelen-update-in-irda_recvmsg_dgram.patch | 38 +++++ ..._namelen-update-in-iucv_sock_recvmsg.patch | 37 +++++ ...msg_namelen-update-in-llc_ui_recvmsg.patch | 38 +++++ ...-syncs-so-that-unsync-works-properly.patch | 71 ++++++++ ...t-drop-dst-before-queueing-fragments.patch | 92 +++++++++++ ...et-fix-incorrect-credentials-passing.patch | 93 +++++++++++ ...routing-table-after-loopback-down-up.patch | 129 +++++++++++++++ ...t-rate-limit-warn-bad-offload-splats.patch | 38 +++++ ..._key_put-use-kzfree-instead-of-kfree.patch | 34 ++++ ...ter-don-t-reset-nf_trace-in-nf_reset.patch | 69 ++++++++ ...info-leak-via-msg_name-in-nr_recvmsg.patch | 40 +++++ ...-invalid-use-of-sizeof-in-nr_recvmsg.patch | 32 ++++ ...ks-via-msg_name-in-llcp_sock_recvmsg.patch | 49 ++++++ ...fo-leak-via-msg_name-in-rose_recvmsg.patch | 37 +++++ ...msg_parse-with-correct-header-length.patch | 40 +++++ queue-3.4/series | 30 ++++ ...l-tcp_replace_ts_recent-from-tcp_ack.patch | 156 ++++++++++++++++++ ...might-use-wrong-route-under-synflood.patch | 41 +++++ ...room-if-it-would-overflow-csum_start.patch | 48 ++++++ ...via-msg_name-in-recv_msg-recv_stream.patch | 64 +++++++ 31 files changed, 1653 insertions(+) create mode 100644 queue-3.4/af_unix-if-we-don-t-care-about-credentials-coallesce-all-messages.patch create mode 100644 queue-3.4/atl1e-limit-gso-segment-size-to-prevent-generation-of-wrong-ip-length-fields.patch create mode 100644 queue-3.4/atm-update-msg_namelen-in-vcc_recvmsg.patch create mode 100644 queue-3.4/ax25-fix-info-leak-via-msg_name-in-ax25_recvmsg.patch create mode 100644 queue-3.4/bluetooth-fix-possible-info-leak-in-bt_sock_recvmsg.patch create mode 100644 queue-3.4/bluetooth-rfcomm-fix-missing-msg_namelen-update-in-rfcomm_sock_recvmsg.patch create mode 100644 queue-3.4/bonding-fix-bonding_masters-race-condition-in-bond-unloading.patch create mode 100644 queue-3.4/bonding-iff_bonding-is-not-stripped-on-enslave-failure.patch create mode 100644 queue-3.4/caif-fix-missing-msg_namelen-update-in-caif_seqpkt_recvmsg.patch create mode 100644 queue-3.4/cbq-incorrect-processing-of-high-limits.patch create mode 100644 queue-3.4/esp4-fix-error-return-code-in-esp_output.patch create mode 100644 queue-3.4/irda-fix-missing-msg_namelen-update-in-irda_recvmsg_dgram.patch create mode 100644 queue-3.4/iucv-fix-missing-msg_namelen-update-in-iucv_sock_recvmsg.patch create mode 100644 queue-3.4/llc-fix-missing-msg_namelen-update-in-llc_ui_recvmsg.patch create mode 100644 queue-3.4/net-count-hw_addr-syncs-so-that-unsync-works-properly.patch create mode 100644 queue-3.4/net-drop-dst-before-queueing-fragments.patch create mode 100644 queue-3.4/net-fix-incorrect-credentials-passing.patch create mode 100644 queue-3.4/net-ipv6-fix-broken-ipv6-routing-table-after-loopback-down-up.patch create mode 100644 queue-3.4/net-rate-limit-warn-bad-offload-splats.patch create mode 100644 queue-3.4/net-sctp-sctp_auth_key_put-use-kzfree-instead-of-kfree.patch create mode 100644 queue-3.4/netfilter-don-t-reset-nf_trace-in-nf_reset.patch create mode 100644 queue-3.4/netrom-fix-info-leak-via-msg_name-in-nr_recvmsg.patch create mode 100644 queue-3.4/netrom-fix-invalid-use-of-sizeof-in-nr_recvmsg.patch create mode 100644 queue-3.4/nfc-llcp-fix-info-leaks-via-msg_name-in-llcp_sock_recvmsg.patch create mode 100644 queue-3.4/rose-fix-info-leak-via-msg_name-in-rose_recvmsg.patch create mode 100644 queue-3.4/rtnetlink-call-nlmsg_parse-with-correct-header-length.patch create mode 100644 queue-3.4/tcp-call-tcp_replace_ts_recent-from-tcp_ack.patch create mode 100644 queue-3.4/tcp-incoming-connections-might-use-wrong-route-under-synflood.patch create mode 100644 queue-3.4/tcp-reallocate-headroom-if-it-would-overflow-csum_start.patch create mode 100644 queue-3.4/tipc-fix-info-leaks-via-msg_name-in-recv_msg-recv_stream.patch diff --git a/queue-3.4/af_unix-if-we-don-t-care-about-credentials-coallesce-all-messages.patch b/queue-3.4/af_unix-if-we-don-t-care-about-credentials-coallesce-all-messages.patch new file mode 100644 index 00000000000..c5b55b1576b --- /dev/null +++ b/queue-3.4/af_unix-if-we-don-t-care-about-credentials-coallesce-all-messages.patch @@ -0,0 +1,55 @@ +From 7d758add176d3e35f202b92886061f7323576d41 Mon Sep 17 00:00:00 2001 +From: "Eric W. Biederman" +Date: Wed, 3 Apr 2013 16:14:47 +0000 +Subject: af_unix: If we don't care about credentials coallesce all messages + + +From: "Eric W. Biederman" + +[ Upstream commit 0e82e7f6dfeec1013339612f74abc2cdd29d43d2 ] + +It was reported that the following LSB test case failed +https://lsbbugs.linuxfoundation.org/attachment.cgi?id=2144 because we +were not coallescing unix stream messages when the application was +expecting us to. + +The problem was that the first send was before the socket was accepted +and thus sock->sk_socket was NULL in maybe_add_creds, and the second +send after the socket was accepted had a non-NULL value for sk->socket +and thus we could tell the credentials were not needed so we did not +bother. + +The unnecessary credentials on the first message cause +unix_stream_recvmsg to start verifying that all messages had the same +credentials before coallescing and then the coallescing failed because +the second message had no credentials. + +Ignoring credentials when we don't care in unix_stream_recvmsg fixes a +long standing pessimization which would fail to coallesce messages when +reading from a unix stream socket if the senders were different even if +we did not care about their credentials. + +I have tested this and verified that the in the LSB test case mentioned +above that the messages do coallesce now, while the were failing to +coallesce without this change. + +Reported-by: Karel Srot +Reported-by: Ding Tianhong +Signed-off-by: "Eric W. Biederman" +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/unix/af_unix.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/unix/af_unix.c ++++ b/net/unix/af_unix.c +@@ -1986,7 +1986,7 @@ again: + if ((UNIXCB(skb).pid != siocb->scm->pid) || + (UNIXCB(skb).cred != siocb->scm->cred)) + break; +- } else { ++ } else if (test_bit(SOCK_PASSCRED, &sock->flags)) { + /* Copy credentials */ + scm_set_cred(siocb->scm, UNIXCB(skb).pid, UNIXCB(skb).cred); + check_creds = 1; diff --git a/queue-3.4/atl1e-limit-gso-segment-size-to-prevent-generation-of-wrong-ip-length-fields.patch b/queue-3.4/atl1e-limit-gso-segment-size-to-prevent-generation-of-wrong-ip-length-fields.patch new file mode 100644 index 00000000000..e659e9b68dc --- /dev/null +++ b/queue-3.4/atl1e-limit-gso-segment-size-to-prevent-generation-of-wrong-ip-length-fields.patch @@ -0,0 +1,44 @@ +From db7408189c80397d5b036a2cc7a2eda889cd437e Mon Sep 17 00:00:00 2001 +From: Hannes Frederic Sowa +Date: Tue, 2 Apr 2013 14:36:46 +0000 +Subject: atl1e: limit gso segment size to prevent generation of wrong ip length fields + + +From: Hannes Frederic Sowa + +[ Upstream commit 31d1670e73f4911fe401273a8f576edc9c2b5fea ] + +The limit of 0x3c00 is taken from the windows driver. + +Suggested-by: Huang, Xiong +Cc: Huang, Xiong +Cc: Eric Dumazet +Signed-off-by: Hannes Frederic Sowa +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/atheros/atl1e/atl1e.h | 2 +- + drivers/net/ethernet/atheros/atl1e/atl1e_main.c | 1 + + 2 files changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/atheros/atl1e/atl1e.h ++++ b/drivers/net/ethernet/atheros/atl1e/atl1e.h +@@ -186,7 +186,7 @@ struct atl1e_tpd_desc { + /* how about 0x2000 */ + #define MAX_TX_BUF_LEN 0x2000 + #define MAX_TX_BUF_SHIFT 13 +-/*#define MAX_TX_BUF_LEN 0x3000 */ ++#define MAX_TSO_SEG_SIZE 0x3c00 + + /* rrs word 1 bit 0:31 */ + #define RRS_RX_CSUM_MASK 0xFFFF +--- a/drivers/net/ethernet/atheros/atl1e/atl1e_main.c ++++ b/drivers/net/ethernet/atheros/atl1e/atl1e_main.c +@@ -2354,6 +2354,7 @@ static int __devinit atl1e_probe(struct + + INIT_WORK(&adapter->reset_task, atl1e_reset_task); + INIT_WORK(&adapter->link_chg_task, atl1e_link_chg_task); ++ netif_set_gso_max_size(netdev, MAX_TSO_SEG_SIZE); + err = register_netdev(netdev); + if (err) { + netdev_err(netdev, "register netdevice failed\n"); diff --git a/queue-3.4/atm-update-msg_namelen-in-vcc_recvmsg.patch b/queue-3.4/atm-update-msg_namelen-in-vcc_recvmsg.patch new file mode 100644 index 00000000000..6e1b9506c0e --- /dev/null +++ b/queue-3.4/atm-update-msg_namelen-in-vcc_recvmsg.patch @@ -0,0 +1,36 @@ +From 243e5c6c1f78e9c846d63e9ff7cc1b4f7b7c7088 Mon Sep 17 00:00:00 2001 +From: Mathias Krause +Date: Sun, 7 Apr 2013 01:51:47 +0000 +Subject: atm: update msg_namelen in vcc_recvmsg() + + +From: Mathias Krause + +[ Upstream commit 9b3e617f3df53822345a8573b6d358f6b9e5ed87 ] + +The current code does not fill the msg_name member in case it is set. +It also does not set the msg_namelen member to 0 and therefore makes +net/socket.c leak the local, uninitialized sockaddr_storage variable +to userland -- 128 bytes of kernel stack memory. + +Fix that by simply setting msg_namelen to 0 as obviously nobody cared +about vcc_recvmsg() not filling the msg_name in case it was set. + +Signed-off-by: Mathias Krause +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/atm/common.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/net/atm/common.c ++++ b/net/atm/common.c +@@ -520,6 +520,8 @@ int vcc_recvmsg(struct kiocb *iocb, stru + struct sk_buff *skb; + int copied, error = -EINVAL; + ++ msg->msg_namelen = 0; ++ + if (sock->state != SS_CONNECTED) + return -ENOTCONN; + diff --git a/queue-3.4/ax25-fix-info-leak-via-msg_name-in-ax25_recvmsg.patch b/queue-3.4/ax25-fix-info-leak-via-msg_name-in-ax25_recvmsg.patch new file mode 100644 index 00000000000..b57065f7e45 --- /dev/null +++ b/queue-3.4/ax25-fix-info-leak-via-msg_name-in-ax25_recvmsg.patch @@ -0,0 +1,39 @@ +From 2730a8b5b87c74838f431f4ee61dc8637d316e64 Mon Sep 17 00:00:00 2001 +From: Mathias Krause +Date: Sun, 7 Apr 2013 01:51:48 +0000 +Subject: ax25: fix info leak via msg_name in ax25_recvmsg() + + +From: Mathias Krause + +[ Upstream commit ef3313e84acbf349caecae942ab3ab731471f1a1 ] + +When msg_namelen is non-zero the sockaddr info gets filled out, as +requested, but the code fails to initialize the padding bytes of struct +sockaddr_ax25 inserted by the compiler for alignment. Additionally the +msg_namelen value is updated to sizeof(struct full_sockaddr_ax25) but is +not always filled up to this size. + +Both issues lead to the fact that the code will leak uninitialized +kernel stack bytes in net/socket.c. + +Fix both issues by initializing the memory with memset(0). + +Signed-off-by: Mathias Krause +Cc: Ralf Baechle +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ax25/af_ax25.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/ax25/af_ax25.c ++++ b/net/ax25/af_ax25.c +@@ -1646,6 +1646,7 @@ static int ax25_recvmsg(struct kiocb *io + ax25_address src; + const unsigned char *mac = skb_mac_header(skb); + ++ memset(sax, 0, sizeof(struct full_sockaddr_ax25)); + ax25_addr_parse(mac + 1, skb->data - mac - 1, &src, NULL, + &digi, NULL, NULL); + sax->sax25_family = AF_AX25; diff --git a/queue-3.4/bluetooth-fix-possible-info-leak-in-bt_sock_recvmsg.patch b/queue-3.4/bluetooth-fix-possible-info-leak-in-bt_sock_recvmsg.patch new file mode 100644 index 00000000000..fac7d9c20cf --- /dev/null +++ b/queue-3.4/bluetooth-fix-possible-info-leak-in-bt_sock_recvmsg.patch @@ -0,0 +1,48 @@ +From 6bcc4146079e2b4c3e78591e595094f5bea90d9a Mon Sep 17 00:00:00 2001 +From: Mathias Krause +Date: Sun, 7 Apr 2013 01:51:49 +0000 +Subject: Bluetooth: fix possible info leak in bt_sock_recvmsg() + + +From: Mathias Krause + +[ Upstream commit 4683f42fde3977bdb4e8a09622788cc8b5313778 ] + +In case the socket is already shutting down, bt_sock_recvmsg() returns +with 0 without updating msg_namelen leading to net/socket.c leaking the +local, uninitialized sockaddr_storage variable to userland -- 128 bytes +of kernel stack memory. + +Fix this by moving the msg_namelen assignment in front of the shutdown +test. + +Signed-off-by: Mathias Krause +Cc: Marcel Holtmann +Cc: Gustavo Padovan +Cc: Johan Hedberg +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/bluetooth/af_bluetooth.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/net/bluetooth/af_bluetooth.c ++++ b/net/bluetooth/af_bluetooth.c +@@ -240,6 +240,8 @@ int bt_sock_recvmsg(struct kiocb *iocb, + if (flags & (MSG_OOB)) + return -EOPNOTSUPP; + ++ msg->msg_namelen = 0; ++ + skb = skb_recv_datagram(sk, flags, noblock, &err); + if (!skb) { + if (sk->sk_shutdown & RCV_SHUTDOWN) +@@ -247,8 +249,6 @@ int bt_sock_recvmsg(struct kiocb *iocb, + return err; + } + +- msg->msg_namelen = 0; +- + copied = skb->len; + if (len < copied) { + msg->msg_flags |= MSG_TRUNC; diff --git a/queue-3.4/bluetooth-rfcomm-fix-missing-msg_namelen-update-in-rfcomm_sock_recvmsg.patch b/queue-3.4/bluetooth-rfcomm-fix-missing-msg_namelen-update-in-rfcomm_sock_recvmsg.patch new file mode 100644 index 00000000000..736565f73bf --- /dev/null +++ b/queue-3.4/bluetooth-rfcomm-fix-missing-msg_namelen-update-in-rfcomm_sock_recvmsg.patch @@ -0,0 +1,37 @@ +From 9b06a61eca8515c1db466f92792bce1f5d8a2bee Mon Sep 17 00:00:00 2001 +From: Mathias Krause +Date: Sun, 7 Apr 2013 01:51:50 +0000 +Subject: Bluetooth: RFCOMM - Fix missing msg_namelen update in rfcomm_sock_recvmsg() + + +From: Mathias Krause + +[ Upstream commit e11e0455c0d7d3d62276a0c55d9dfbc16779d691 ] + +If RFCOMM_DEFER_SETUP is set in the flags, rfcomm_sock_recvmsg() returns +early with 0 without updating the possibly set msg_namelen member. This, +in turn, leads to a 128 byte kernel stack leak in net/socket.c. + +Fix this by updating msg_namelen in this case. For all other cases it +will be handled in bt_sock_stream_recvmsg(). + +Signed-off-by: Mathias Krause +Cc: Marcel Holtmann +Cc: Gustavo Padovan +Cc: Johan Hedberg +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/bluetooth/rfcomm/sock.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/bluetooth/rfcomm/sock.c ++++ b/net/bluetooth/rfcomm/sock.c +@@ -628,6 +628,7 @@ static int rfcomm_sock_recvmsg(struct ki + + if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) { + rfcomm_dlc_accept(d); ++ msg->msg_namelen = 0; + return 0; + } + diff --git a/queue-3.4/bonding-fix-bonding_masters-race-condition-in-bond-unloading.patch b/queue-3.4/bonding-fix-bonding_masters-race-condition-in-bond-unloading.patch new file mode 100644 index 00000000000..e03b986e7f2 --- /dev/null +++ b/queue-3.4/bonding-fix-bonding_masters-race-condition-in-bond-unloading.patch @@ -0,0 +1,49 @@ +From 1d0ca04f861a39a45e1dd3e5533aa88a0aff4d8d Mon Sep 17 00:00:00 2001 +From: "nikolay@redhat.com" +Date: Sat, 6 Apr 2013 00:54:38 +0000 +Subject: bonding: fix bonding_masters race condition in bond unloading + + +From: "nikolay@redhat.com" + +[ Upstream commit 69b0216ac255f523556fa3d4ff030d857eaaa37f ] + +While the bonding module is unloading, it is considered that after +rtnl_link_unregister all bond devices are destroyed but since no +synchronization mechanism exists, a new bond device can be created +via bonding_masters before unregister_pernet_subsys which would +lead to multiple problems (e.g. NULL pointer dereference, wrong RIP, +list corruption). + +This patch fixes the issue by removing any bond devices left in the +netns after bonding_masters is removed from sysfs. + +Signed-off-by: Nikolay Aleksandrov +Acked-by: Veaceslav Falico +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/bonding/bond_main.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -4864,9 +4864,18 @@ static int __net_init bond_net_init(stru + static void __net_exit bond_net_exit(struct net *net) + { + struct bond_net *bn = net_generic(net, bond_net_id); ++ struct bonding *bond, *tmp_bond; ++ LIST_HEAD(list); + + bond_destroy_sysfs(bn); + bond_destroy_proc_dir(bn); ++ ++ /* Kill off any bonds created after unregistering bond rtnl ops */ ++ rtnl_lock(); ++ list_for_each_entry_safe(bond, tmp_bond, &bn->dev_list, bond_list) ++ unregister_netdevice_queue(bond->dev, &list); ++ unregister_netdevice_many(&list); ++ rtnl_unlock(); + } + + static struct pernet_operations bond_net_ops = { diff --git a/queue-3.4/bonding-iff_bonding-is-not-stripped-on-enslave-failure.patch b/queue-3.4/bonding-iff_bonding-is-not-stripped-on-enslave-failure.patch new file mode 100644 index 00000000000..37efa45381f --- /dev/null +++ b/queue-3.4/bonding-iff_bonding-is-not-stripped-on-enslave-failure.patch @@ -0,0 +1,34 @@ +From 185c9303d5dad0517146172d792cc044c429e8f1 Mon Sep 17 00:00:00 2001 +From: "nikolay@redhat.com" +Date: Thu, 11 Apr 2013 09:18:56 +0000 +Subject: bonding: IFF_BONDING is not stripped on enslave failure + + +From: "nikolay@redhat.com" + +[ Upstream commit b6a5a7b9a528a8b4c8bec940b607c5dd9102b8cc ] + +While enslaving a new device and after IFF_BONDING flag is set, in case +of failure it is not stripped from the device's priv_flags while +cleaning up, which could lead to other problems. +Cleaning at err_close because the flag is set after dev_open(). + +v2: no change + +Signed-off-by: Nikolay Aleksandrov +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/bonding/bond_main.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -1888,6 +1888,7 @@ err_detach: + write_unlock_bh(&bond->lock); + + err_close: ++ slave_dev->priv_flags &= ~IFF_BONDING; + dev_close(slave_dev); + + err_unset_master: diff --git a/queue-3.4/caif-fix-missing-msg_namelen-update-in-caif_seqpkt_recvmsg.patch b/queue-3.4/caif-fix-missing-msg_namelen-update-in-caif_seqpkt_recvmsg.patch new file mode 100644 index 00000000000..06db9848474 --- /dev/null +++ b/queue-3.4/caif-fix-missing-msg_namelen-update-in-caif_seqpkt_recvmsg.patch @@ -0,0 +1,38 @@ +From 2eb568f45b28caf3f42bb797cf20cc54a3a87ba0 Mon Sep 17 00:00:00 2001 +From: Mathias Krause +Date: Sun, 7 Apr 2013 01:51:52 +0000 +Subject: caif: Fix missing msg_namelen update in caif_seqpkt_recvmsg() + + +From: Mathias Krause + +[ Upstream commit 2d6fbfe733f35c6b355c216644e08e149c61b271 ] + +The current code does not fill the msg_name member in case it is set. +It also does not set the msg_namelen member to 0 and therefore makes +net/socket.c leak the local, uninitialized sockaddr_storage variable +to userland -- 128 bytes of kernel stack memory. + +Fix that by simply setting msg_namelen to 0 as obviously nobody cared +about caif_seqpkt_recvmsg() not filling the msg_name in case it was +set. + +Signed-off-by: Mathias Krause +Cc: Sjur Braendeland +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/caif/caif_socket.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/net/caif/caif_socket.c ++++ b/net/caif/caif_socket.c +@@ -287,6 +287,8 @@ static int caif_seqpkt_recvmsg(struct ki + if (m->msg_flags&MSG_OOB) + goto read_error; + ++ m->msg_namelen = 0; ++ + skb = skb_recv_datagram(sk, flags, 0 , &ret); + if (!skb) + goto read_error; diff --git a/queue-3.4/cbq-incorrect-processing-of-high-limits.patch b/queue-3.4/cbq-incorrect-processing-of-high-limits.patch new file mode 100644 index 00000000000..9d971c76a00 --- /dev/null +++ b/queue-3.4/cbq-incorrect-processing-of-high-limits.patch @@ -0,0 +1,53 @@ +From 9706be11b9c30a6b11a5b779a3298309aa44ee71 Mon Sep 17 00:00:00 2001 +From: Vasily Averin +Date: Mon, 1 Apr 2013 03:01:32 +0000 +Subject: cbq: incorrect processing of high limits + + +From: Vasily Averin + +[ Upstream commit f0f6ee1f70c4eaab9d52cf7d255df4bd89f8d1c2 ] + +currently cbq works incorrectly for limits > 10% real link bandwidth, +and practically does not work for limits > 50% real link bandwidth. +Below are results of experiments taken on 1 Gbit link + + In shaper | Actual Result +-----------+--------------- + 100M | 108 Mbps + 200M | 244 Mbps + 300M | 412 Mbps + 500M | 893 Mbps + +This happen because of q->now changes incorrectly in cbq_dequeue(): +when it is called before real end of packet transmitting, +L2T is greater than real time delay, q_now gets an extra boost +but never compensate it. + +To fix this problem we prevent change of q->now until its synchronization +with real time. + +Signed-off-by: Vasily Averin +Reviewed-by: Alexey Kuznetsov +Acked-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/sched/sch_cbq.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/net/sched/sch_cbq.c ++++ b/net/sched/sch_cbq.c +@@ -963,8 +963,11 @@ cbq_dequeue(struct Qdisc *sch) + cbq_update(q); + if ((incr -= incr2) < 0) + incr = 0; ++ q->now += incr; ++ } else { ++ if (now > q->now) ++ q->now = now; + } +- q->now += incr; + q->now_rt = now; + + for (;;) { diff --git a/queue-3.4/esp4-fix-error-return-code-in-esp_output.patch b/queue-3.4/esp4-fix-error-return-code-in-esp_output.patch new file mode 100644 index 00000000000..c7449e22d01 --- /dev/null +++ b/queue-3.4/esp4-fix-error-return-code-in-esp_output.patch @@ -0,0 +1,44 @@ +From 89d77a1bc32aea264ec81dbf433ddf5bcfbb461a Mon Sep 17 00:00:00 2001 +From: Wei Yongjun +Date: Sat, 13 Apr 2013 15:49:03 +0000 +Subject: esp4: fix error return code in esp_output() + + +From: Wei Yongjun + +[ Upstream commit 06848c10f720cbc20e3b784c0df24930b7304b93 ] + +Fix to return a negative error code from the error handling +case instead of 0, as returned elsewhere in this function. + +Signed-off-by: Wei Yongjun +Acked-by: Steffen Klassert +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/esp4.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/net/ipv4/esp4.c ++++ b/net/ipv4/esp4.c +@@ -139,8 +139,6 @@ static int esp_output(struct xfrm_state + + /* skb is pure payload to encrypt */ + +- err = -ENOMEM; +- + esp = x->data; + aead = esp->aead; + alen = crypto_aead_authsize(aead); +@@ -176,8 +174,10 @@ static int esp_output(struct xfrm_state + } + + tmp = esp_alloc_tmp(aead, nfrags + sglists, seqhilen); +- if (!tmp) ++ if (!tmp) { ++ err = -ENOMEM; + goto error; ++ } + + seqhi = esp_tmp_seqhi(tmp); + iv = esp_tmp_iv(aead, tmp, seqhilen); diff --git a/queue-3.4/irda-fix-missing-msg_namelen-update-in-irda_recvmsg_dgram.patch b/queue-3.4/irda-fix-missing-msg_namelen-update-in-irda_recvmsg_dgram.patch new file mode 100644 index 00000000000..7775ea28afa --- /dev/null +++ b/queue-3.4/irda-fix-missing-msg_namelen-update-in-irda_recvmsg_dgram.patch @@ -0,0 +1,38 @@ +From afe366fa45ba2fade1b06bb84841ece7586c670e Mon Sep 17 00:00:00 2001 +From: Mathias Krause +Date: Sun, 7 Apr 2013 01:51:53 +0000 +Subject: irda: Fix missing msg_namelen update in irda_recvmsg_dgram() + + +From: Mathias Krause + +[ Upstream commit 5ae94c0d2f0bed41d6718be743985d61b7f5c47d ] + +The current code does not fill the msg_name member in case it is set. +It also does not set the msg_namelen member to 0 and therefore makes +net/socket.c leak the local, uninitialized sockaddr_storage variable +to userland -- 128 bytes of kernel stack memory. + +Fix that by simply setting msg_namelen to 0 as obviously nobody cared +about irda_recvmsg_dgram() not filling the msg_name in case it was +set. + +Signed-off-by: Mathias Krause +Cc: Samuel Ortiz +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/irda/af_irda.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/net/irda/af_irda.c ++++ b/net/irda/af_irda.c +@@ -1386,6 +1386,8 @@ static int irda_recvmsg_dgram(struct kio + + IRDA_DEBUG(4, "%s()\n", __func__); + ++ msg->msg_namelen = 0; ++ + skb = skb_recv_datagram(sk, flags & ~MSG_DONTWAIT, + flags & MSG_DONTWAIT, &err); + if (!skb) diff --git a/queue-3.4/iucv-fix-missing-msg_namelen-update-in-iucv_sock_recvmsg.patch b/queue-3.4/iucv-fix-missing-msg_namelen-update-in-iucv_sock_recvmsg.patch new file mode 100644 index 00000000000..d9c3cead305 --- /dev/null +++ b/queue-3.4/iucv-fix-missing-msg_namelen-update-in-iucv_sock_recvmsg.patch @@ -0,0 +1,37 @@ +From b6c6c452de3636d40c96c13bdcb5c2ab5c0a4dfc Mon Sep 17 00:00:00 2001 +From: Mathias Krause +Date: Sun, 7 Apr 2013 01:51:54 +0000 +Subject: iucv: Fix missing msg_namelen update in iucv_sock_recvmsg() + + +From: Mathias Krause + +[ Upstream commit a5598bd9c087dc0efc250a5221e5d0e6f584ee88 ] + +The current code does not fill the msg_name member in case it is set. +It also does not set the msg_namelen member to 0 and therefore makes +net/socket.c leak the local, uninitialized sockaddr_storage variable +to userland -- 128 bytes of kernel stack memory. + +Fix that by simply setting msg_namelen to 0 as obviously nobody cared +about iucv_sock_recvmsg() not filling the msg_name in case it was set. + +Signed-off-by: Mathias Krause +Cc: Ursula Braun +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/iucv/af_iucv.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/net/iucv/af_iucv.c ++++ b/net/iucv/af_iucv.c +@@ -1331,6 +1331,8 @@ static int iucv_sock_recvmsg(struct kioc + struct sk_buff *skb, *rskb, *cskb; + int err = 0; + ++ msg->msg_namelen = 0; ++ + if ((sk->sk_state == IUCV_DISCONN) && + skb_queue_empty(&iucv->backlog_skb_q) && + skb_queue_empty(&sk->sk_receive_queue) && diff --git a/queue-3.4/llc-fix-missing-msg_namelen-update-in-llc_ui_recvmsg.patch b/queue-3.4/llc-fix-missing-msg_namelen-update-in-llc_ui_recvmsg.patch new file mode 100644 index 00000000000..60d0ab75b8c --- /dev/null +++ b/queue-3.4/llc-fix-missing-msg_namelen-update-in-llc_ui_recvmsg.patch @@ -0,0 +1,38 @@ +From c108d07365ddd2fec6b17fb40e00731b7db06bda Mon Sep 17 00:00:00 2001 +From: Mathias Krause +Date: Sun, 7 Apr 2013 01:51:56 +0000 +Subject: llc: Fix missing msg_namelen update in llc_ui_recvmsg() + + +From: Mathias Krause + +[ Upstream commit c77a4b9cffb6215a15196ec499490d116dfad181 ] + +For stream sockets the code misses to update the msg_namelen member +to 0 and therefore makes net/socket.c leak the local, uninitialized +sockaddr_storage variable to userland -- 128 bytes of kernel stack +memory. The msg_namelen update is also missing for datagram sockets +in case the socket is shutting down during receive. + +Fix both issues by setting msg_namelen to 0 early. It will be +updated later if we're going to fill the msg_name member. + +Signed-off-by: Mathias Krause +Cc: Arnaldo Carvalho de Melo +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/llc/af_llc.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/net/llc/af_llc.c ++++ b/net/llc/af_llc.c +@@ -721,6 +721,8 @@ static int llc_ui_recvmsg(struct kiocb * + int target; /* Read at least this many bytes */ + long timeo; + ++ msg->msg_namelen = 0; ++ + lock_sock(sk); + copied = -ENOTCONN; + if (unlikely(sk->sk_type == SOCK_STREAM && sk->sk_state == TCP_LISTEN)) diff --git a/queue-3.4/net-count-hw_addr-syncs-so-that-unsync-works-properly.patch b/queue-3.4/net-count-hw_addr-syncs-so-that-unsync-works-properly.patch new file mode 100644 index 00000000000..d25249e48f0 --- /dev/null +++ b/queue-3.4/net-count-hw_addr-syncs-so-that-unsync-works-properly.patch @@ -0,0 +1,71 @@ +From e1f62fd070a7ee124d6986b8792f14019e3e15ff Mon Sep 17 00:00:00 2001 +From: Vlad Yasevich +Date: Tue, 2 Apr 2013 17:10:07 -0400 +Subject: net: count hw_addr syncs so that unsync works properly. + + +From: Vlad Yasevich + +[ Upstream commit 4543fbefe6e06a9e40d9f2b28d688393a299f079 ] + +A few drivers use dev_uc_sync/unsync to synchronize the +address lists from master down to slave/lower devices. In +some cases (bond/team) a single address list is synched down +to multiple devices. At the time of unsync, we have a leak +in these lower devices, because "synced" is treated as a +boolean and the address will not be unsynced for anything after +the first device/call. + +Treat "synced" as a count (same as refcount) and allow all +unsync calls to work. + +Signed-off-by: Vlad Yasevich +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/netdevice.h | 2 +- + net/core/dev_addr_lists.c | 6 +++--- + 2 files changed, 4 insertions(+), 4 deletions(-) + +--- a/include/linux/netdevice.h ++++ b/include/linux/netdevice.h +@@ -232,9 +232,9 @@ struct netdev_hw_addr { + #define NETDEV_HW_ADDR_T_SLAVE 3 + #define NETDEV_HW_ADDR_T_UNICAST 4 + #define NETDEV_HW_ADDR_T_MULTICAST 5 +- bool synced; + bool global_use; + int refcount; ++ int synced; + struct rcu_head rcu_head; + }; + +--- a/net/core/dev_addr_lists.c ++++ b/net/core/dev_addr_lists.c +@@ -57,7 +57,7 @@ static int __hw_addr_add_ex(struct netde + ha->type = addr_type; + ha->refcount = 1; + ha->global_use = global; +- ha->synced = false; ++ ha->synced = 0; + list_add_tail_rcu(&ha->list, &list->list); + list->count++; + return 0; +@@ -155,7 +155,7 @@ int __hw_addr_sync(struct netdev_hw_addr + addr_len, ha->type); + if (err) + break; +- ha->synced = true; ++ ha->synced++; + ha->refcount++; + } else if (ha->refcount == 1) { + __hw_addr_del(to_list, ha->addr, addr_len, ha->type); +@@ -176,7 +176,7 @@ void __hw_addr_unsync(struct netdev_hw_a + if (ha->synced) { + __hw_addr_del(to_list, ha->addr, + addr_len, ha->type); +- ha->synced = false; ++ ha->synced--; + __hw_addr_del(from_list, ha->addr, + addr_len, ha->type); + } diff --git a/queue-3.4/net-drop-dst-before-queueing-fragments.patch b/queue-3.4/net-drop-dst-before-queueing-fragments.patch new file mode 100644 index 00000000000..1f1a331cb3b --- /dev/null +++ b/queue-3.4/net-drop-dst-before-queueing-fragments.patch @@ -0,0 +1,92 @@ +From 2b889b265dd67faceed5aeb2c06379b84b2a405b Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Tue, 16 Apr 2013 12:55:41 +0000 +Subject: net: drop dst before queueing fragments + + +From: Eric Dumazet + +[ Upstream commit 97599dc792b45b1669c3cdb9a4b365aad0232f65 ] + +Commit 4a94445c9a5c (net: Use ip_route_input_noref() in input path) +added a bug in IP defragmentation handling, as non refcounted +dst could escape an RCU protected section. + +Commit 64f3b9e203bd068 (net: ip_expire() must revalidate route) fixed +the case of timeouts, but not the general problem. + +Tom Parkin noticed crashes in UDP stack and provided a patch, +but further analysis permitted us to pinpoint the root cause. + +Before queueing a packet into a frag list, we must drop its dst, +as this dst has limited lifetime (RCU protected) + +When/if a packet is finally reassembled, we use the dst of the very +last skb, still protected by RCU and valid, as the dst of the +reassembled packet. + +Use same logic in IPv6, as there is no need to hold dst references. + +Reported-by: Tom Parkin +Tested-by: Tom Parkin +Signed-off-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/ip_fragment.c | 15 +++++++++++---- + net/ipv6/reassembly.c | 13 +++++++++++-- + 2 files changed, 22 insertions(+), 6 deletions(-) + +--- a/net/ipv4/ip_fragment.c ++++ b/net/ipv4/ip_fragment.c +@@ -251,8 +251,7 @@ static void ip_expire(unsigned long arg) + if (!head->dev) + goto out_rcu_unlock; + +- /* skb dst is stale, drop it, and perform route lookup again */ +- skb_dst_drop(head); ++ /* skb has no dst, perform route lookup again */ + iph = ip_hdr(head); + err = ip_route_input_noref(head, iph->daddr, iph->saddr, + iph->tos, head->dev); +@@ -517,8 +516,16 @@ found: + qp->q.last_in |= INET_FRAG_FIRST_IN; + + if (qp->q.last_in == (INET_FRAG_FIRST_IN | INET_FRAG_LAST_IN) && +- qp->q.meat == qp->q.len) +- return ip_frag_reasm(qp, prev, dev); ++ qp->q.meat == qp->q.len) { ++ unsigned long orefdst = skb->_skb_refdst; ++ ++ skb->_skb_refdst = 0UL; ++ err = ip_frag_reasm(qp, prev, dev); ++ skb->_skb_refdst = orefdst; ++ return err; ++ } ++ ++ skb_dst_drop(skb); + + write_lock(&ip4_frags.lock); + list_move_tail(&qp->q.lru_list, &qp->q.net->lru_list); +--- a/net/ipv6/reassembly.c ++++ b/net/ipv6/reassembly.c +@@ -385,8 +385,17 @@ found: + } + + if (fq->q.last_in == (INET_FRAG_FIRST_IN | INET_FRAG_LAST_IN) && +- fq->q.meat == fq->q.len) +- return ip6_frag_reasm(fq, prev, dev); ++ fq->q.meat == fq->q.len) { ++ int res; ++ unsigned long orefdst = skb->_skb_refdst; ++ ++ skb->_skb_refdst = 0UL; ++ res = ip6_frag_reasm(fq, prev, dev); ++ skb->_skb_refdst = orefdst; ++ return res; ++ } ++ ++ skb_dst_drop(skb); + + write_lock(&ip6_frags.lock); + list_move_tail(&fq->q.lru_list, &fq->q.net->lru_list); diff --git a/queue-3.4/net-fix-incorrect-credentials-passing.patch b/queue-3.4/net-fix-incorrect-credentials-passing.patch new file mode 100644 index 00000000000..b261a178cf3 --- /dev/null +++ b/queue-3.4/net-fix-incorrect-credentials-passing.patch @@ -0,0 +1,93 @@ +From 0e59f33a971304ccd9a4c84b0beb1ce969780b06 Mon Sep 17 00:00:00 2001 +From: Linus Torvalds +Date: Fri, 19 Apr 2013 15:32:32 +0000 +Subject: net: fix incorrect credentials passing + + +From: Linus Torvalds + +[ Upstream commit 83f1b4ba917db5dc5a061a44b3403ddb6e783494 ] + +Commit 257b5358b32f ("scm: Capture the full credentials of the scm +sender") changed the credentials passing code to pass in the effective +uid/gid instead of the real uid/gid. + +Obviously this doesn't matter most of the time (since normally they are +the same), but it results in differences for suid binaries when the wrong +uid/gid ends up being used. + +This just undoes that (presumably unintentional) part of the commit. + +Reported-by: Andy Lutomirski +Cc: Eric W. Biederman +Cc: Serge E. Hallyn +Cc: David S. Miller +Signed-off-by: Linus Torvalds +Acked-by: "Eric W. Biederman" +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/socket.h | 3 ++- + include/net/scm.h | 2 +- + net/core/sock.c | 14 ++++++++++---- + 3 files changed, 13 insertions(+), 6 deletions(-) + +--- a/include/linux/socket.h ++++ b/include/linux/socket.h +@@ -316,7 +316,8 @@ struct ucred { + /* IPX options */ + #define IPX_TYPE 1 + +-extern void cred_to_ucred(struct pid *pid, const struct cred *cred, struct ucred *ucred); ++extern void cred_to_ucred(struct pid *pid, const struct cred *cred, struct ucred *ucred, ++ bool use_effective); + + extern int memcpy_fromiovec(unsigned char *kdata, struct iovec *iov, int len); + extern int memcpy_fromiovecend(unsigned char *kdata, const struct iovec *iov, +--- a/include/net/scm.h ++++ b/include/net/scm.h +@@ -50,7 +50,7 @@ static __inline__ void scm_set_cred(stru + { + scm->pid = get_pid(pid); + scm->cred = cred ? get_cred(cred) : NULL; +- cred_to_ucred(pid, cred, &scm->creds); ++ cred_to_ucred(pid, cred, &scm->creds, false); + } + + static __inline__ void scm_destroy_cred(struct scm_cookie *scm) +--- a/net/core/sock.c ++++ b/net/core/sock.c +@@ -815,15 +815,20 @@ EXPORT_SYMBOL(sock_setsockopt); + + + void cred_to_ucred(struct pid *pid, const struct cred *cred, +- struct ucred *ucred) ++ struct ucred *ucred, bool use_effective) + { + ucred->pid = pid_vnr(pid); + ucred->uid = ucred->gid = -1; + if (cred) { + struct user_namespace *current_ns = current_user_ns(); + +- ucred->uid = user_ns_map_uid(current_ns, cred, cred->euid); +- ucred->gid = user_ns_map_gid(current_ns, cred, cred->egid); ++ if (use_effective) { ++ ucred->uid = user_ns_map_uid(current_ns, cred, cred->euid); ++ ucred->gid = user_ns_map_gid(current_ns, cred, cred->egid); ++ } else { ++ ucred->uid = user_ns_map_uid(current_ns, cred, cred->uid); ++ ucred->gid = user_ns_map_gid(current_ns, cred, cred->gid); ++ } + } + } + EXPORT_SYMBOL_GPL(cred_to_ucred); +@@ -984,7 +989,8 @@ int sock_getsockopt(struct socket *sock, + struct ucred peercred; + if (len > sizeof(peercred)) + len = sizeof(peercred); +- cred_to_ucred(sk->sk_peer_pid, sk->sk_peer_cred, &peercred); ++ cred_to_ucred(sk->sk_peer_pid, sk->sk_peer_cred, ++ &peercred, true); + if (copy_to_user(optval, &peercred, len)) + return -EFAULT; + goto lenout; diff --git a/queue-3.4/net-ipv6-fix-broken-ipv6-routing-table-after-loopback-down-up.patch b/queue-3.4/net-ipv6-fix-broken-ipv6-routing-table-after-loopback-down-up.patch new file mode 100644 index 00000000000..27043efb730 --- /dev/null +++ b/queue-3.4/net-ipv6-fix-broken-ipv6-routing-table-after-loopback-down-up.patch @@ -0,0 +1,129 @@ +From 3ec2ad707e8ed4ca45ff5d4f7b1e723b194dd866 Mon Sep 17 00:00:00 2001 +From: Balakumaran Kannan +Date: Tue, 2 Apr 2013 16:15:05 +0530 +Subject: net IPv6 : Fix broken IPv6 routing table after loopback down-up + + +From: Balakumaran Kannan + +[ Upstream commit 25fb6ca4ed9cad72f14f61629b68dc03c0d9713f ] + +IPv6 Routing table becomes broken once we do ifdown, ifup of the loopback(lo) +interface. After down-up, routes of other interface's IPv6 addresses through +'lo' are lost. + +IPv6 addresses assigned to all interfaces are routed through 'lo' for internal +communication. Once 'lo' is down, those routing entries are removed from routing +table. But those removed entries are not being re-created properly when 'lo' is +brought up. So IPv6 addresses of other interfaces becomes unreachable from the +same machine. Also this breaks communication with other machines because of +NDISC packet processing failure. + +This patch fixes this issue by reading all interface's IPv6 addresses and adding +them to IPv6 routing table while bringing up 'lo'. + +==Testing== +Before applying the patch: +$ route -A inet6 +Kernel IPv6 routing table +Destination Next Hop Flag Met Ref Use If +2000::20/128 :: U 256 0 0 eth0 +fe80::/64 :: U 256 0 0 eth0 +::/0 :: !n -1 1 1 lo +::1/128 :: Un 0 1 0 lo +2000::20/128 :: Un 0 1 0 lo +fe80::xxxx:xxxx:xxxx:xxxx/128 :: Un 0 1 0 lo +ff00::/8 :: U 256 0 0 eth0 +::/0 :: !n -1 1 1 lo +$ sudo ifdown lo +$ sudo ifup lo +$ route -A inet6 +Kernel IPv6 routing table +Destination Next Hop Flag Met Ref Use If +2000::20/128 :: U 256 0 0 eth0 +fe80::/64 :: U 256 0 0 eth0 +::/0 :: !n -1 1 1 lo +::1/128 :: Un 0 1 0 lo +ff00::/8 :: U 256 0 0 eth0 +::/0 :: !n -1 1 1 lo +$ + +After applying the patch: +$ route -A inet6 +Kernel IPv6 routing +table +Destination Next Hop Flag Met Ref Use If +2000::20/128 :: U 256 0 0 eth0 +fe80::/64 :: U 256 0 0 eth0 +::/0 :: !n -1 1 1 lo +::1/128 :: Un 0 1 0 lo +2000::20/128 :: Un 0 1 0 lo +fe80::xxxx:xxxx:xxxx:xxxx/128 :: Un 0 1 0 lo +ff00::/8 :: U 256 0 0 eth0 +::/0 :: !n -1 1 1 lo +$ sudo ifdown lo +$ sudo ifup lo +$ route -A inet6 +Kernel IPv6 routing table +Destination Next Hop Flag Met Ref Use If +2000::20/128 :: U 256 0 0 eth0 +fe80::/64 :: U 256 0 0 eth0 +::/0 :: !n -1 1 1 lo +::1/128 :: Un 0 1 0 lo +2000::20/128 :: Un 0 1 0 lo +fe80::xxxx:xxxx:xxxx:xxxx/128 :: Un 0 1 0 lo +ff00::/8 :: U 256 0 0 eth0 +::/0 :: !n -1 1 1 lo +$ + +Signed-off-by: Balakumaran Kannan +Signed-off-by: Maruthi Thotad +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/addrconf.c | 27 +++++++++++++++++++++++++++ + 1 file changed, 27 insertions(+) + +--- a/net/ipv6/addrconf.c ++++ b/net/ipv6/addrconf.c +@@ -2399,6 +2399,9 @@ static void sit_add_v4_addrs(struct inet + static void init_loopback(struct net_device *dev) + { + struct inet6_dev *idev; ++ struct net_device *sp_dev; ++ struct inet6_ifaddr *sp_ifa; ++ struct rt6_info *sp_rt; + + /* ::1 */ + +@@ -2410,6 +2413,30 @@ static void init_loopback(struct net_dev + } + + add_addr(idev, &in6addr_loopback, 128, IFA_HOST); ++ ++ /* Add routes to other interface's IPv6 addresses */ ++ for_each_netdev(dev_net(dev), sp_dev) { ++ if (!strcmp(sp_dev->name, dev->name)) ++ continue; ++ ++ idev = __in6_dev_get(sp_dev); ++ if (!idev) ++ continue; ++ ++ read_lock_bh(&idev->lock); ++ list_for_each_entry(sp_ifa, &idev->addr_list, if_list) { ++ ++ if (sp_ifa->flags & (IFA_F_DADFAILED | IFA_F_TENTATIVE)) ++ continue; ++ ++ sp_rt = addrconf_dst_alloc(idev, &sp_ifa->addr, 0); ++ ++ /* Failure cases are ignored */ ++ if (!IS_ERR(sp_rt)) ++ ip6_ins_rt(sp_rt); ++ } ++ read_unlock_bh(&idev->lock); ++ } + } + + static void addrconf_add_linklocal(struct inet6_dev *idev, const struct in6_addr *addr) diff --git a/queue-3.4/net-rate-limit-warn-bad-offload-splats.patch b/queue-3.4/net-rate-limit-warn-bad-offload-splats.patch new file mode 100644 index 00000000000..e2b363e4502 --- /dev/null +++ b/queue-3.4/net-rate-limit-warn-bad-offload-splats.patch @@ -0,0 +1,38 @@ +From c0bb88dad87d55604cc656c60779ea8ca61ca068 Mon Sep 17 00:00:00 2001 +From: Ben Greear +Date: Fri, 19 Apr 2013 10:45:52 +0000 +Subject: net: rate-limit warn-bad-offload splats. + + +From: Ben Greear + +[ Upstream commit c846ad9b880ece01bb4d8d07ba917734edf0324f ] + +If one does do something unfortunate and allow a +bad offload bug into the kernel, this the +skb_warn_bad_offload can effectively live-lock the +system, filling the logs with the same error over +and over. + +Add rate limitation to this so that box remains otherwise +functional in this case. + +Signed-off-by: Ben Greear +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/core/dev.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -1895,6 +1895,9 @@ static void skb_warn_bad_offload(const s + struct net_device *dev = skb->dev; + const char *driver = ""; + ++ if (!net_ratelimit()) ++ return; ++ + if (dev && dev->dev.parent) + driver = dev_driver_string(dev->dev.parent); + diff --git a/queue-3.4/net-sctp-sctp_auth_key_put-use-kzfree-instead-of-kfree.patch b/queue-3.4/net-sctp-sctp_auth_key_put-use-kzfree-instead-of-kfree.patch new file mode 100644 index 00000000000..b07fd0238c1 --- /dev/null +++ b/queue-3.4/net-sctp-sctp_auth_key_put-use-kzfree-instead-of-kfree.patch @@ -0,0 +1,34 @@ +From 325382a75784ecc05c6ae30e2e97e2c60d325cec Mon Sep 17 00:00:00 2001 +From: Daniel Borkmann +Date: Thu, 7 Feb 2013 00:55:37 +0000 +Subject: net: sctp: sctp_auth_key_put: use kzfree instead of kfree + + +From: Daniel Borkmann + +[ Upstream commit 586c31f3bf04c290dc0a0de7fc91d20aa9a5ee53 ] + +For sensitive data like keying material, it is common practice to zero +out keys before returning the memory back to the allocator. Thus, use +kzfree instead of kfree. + +Signed-off-by: Daniel Borkmann +Acked-by: Neil Horman +Acked-by: Vlad Yasevich +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/sctp/auth.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/sctp/auth.c ++++ b/net/sctp/auth.c +@@ -71,7 +71,7 @@ void sctp_auth_key_put(struct sctp_auth_ + return; + + if (atomic_dec_and_test(&key->refcnt)) { +- kfree(key); ++ kzfree(key); + SCTP_DBG_OBJCNT_DEC(keys); + } + } diff --git a/queue-3.4/netfilter-don-t-reset-nf_trace-in-nf_reset.patch b/queue-3.4/netfilter-don-t-reset-nf_trace-in-nf_reset.patch new file mode 100644 index 00000000000..a238cc3fdf5 --- /dev/null +++ b/queue-3.4/netfilter-don-t-reset-nf_trace-in-nf_reset.patch @@ -0,0 +1,69 @@ +From c0ec37c8285f5978a0e178a562d66829c00e2f6a Mon Sep 17 00:00:00 2001 +From: Patrick McHardy +Date: Fri, 5 Apr 2013 20:42:05 +0200 +Subject: netfilter: don't reset nf_trace in nf_reset() + + +From: Patrick McHardy + +[ Upstream commit 124dff01afbdbff251f0385beca84ba1b9adda68 ] + +Commit 130549fe ("netfilter: reset nf_trace in nf_reset") added code +to reset nf_trace in nf_reset(). This is wrong and unnecessary. + +nf_reset() is used in the following cases: + +- when passing packets up the the socket layer, at which point we want to + release all netfilter references that might keep modules pinned while + the packet is queued. nf_trace doesn't matter anymore at this point. + +- when encapsulating or decapsulating IPsec packets. We want to continue + tracing these packets after IPsec processing. + +- when passing packets through virtual network devices. Only devices on + that encapsulate in IPv4/v6 matter since otherwise nf_trace is not + used anymore. Its not entirely clear whether those packets should + be traced after that, however we've always done that. + +- when passing packets through virtual network devices that make the + packet cross network namespace boundaries. This is the only cases + where we clearly want to reset nf_trace and is also what the + original patch intended to fix. + +Add a new function nf_reset_trace() and use it in dev_forward_skb() to +fix this properly. + +Signed-off-by: Patrick McHardy +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/skbuff.h | 7 +++++++ + net/core/dev.c | 1 + + 2 files changed, 8 insertions(+) + +--- a/include/linux/skbuff.h ++++ b/include/linux/skbuff.h +@@ -2392,6 +2392,13 @@ static inline void nf_reset(struct sk_bu + #endif + } + ++static inline void nf_reset_trace(struct sk_buff *skb) ++{ ++#if IS_ENABLED(CONFIG_NETFILTER_XT_TARGET_TRACE) ++ skb->nf_trace = 0; ++#endif ++} ++ + /* Note: This doesn't put any conntrack and bridge info in dst. */ + static inline void __nf_copy(struct sk_buff *dst, const struct sk_buff *src) + { +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -1628,6 +1628,7 @@ int dev_forward_skb(struct net_device *d + skb->mark = 0; + secpath_reset(skb); + nf_reset(skb); ++ nf_reset_trace(skb); + return netif_rx(skb); + } + EXPORT_SYMBOL_GPL(dev_forward_skb); diff --git a/queue-3.4/netrom-fix-info-leak-via-msg_name-in-nr_recvmsg.patch b/queue-3.4/netrom-fix-info-leak-via-msg_name-in-nr_recvmsg.patch new file mode 100644 index 00000000000..a1eb8634cc8 --- /dev/null +++ b/queue-3.4/netrom-fix-info-leak-via-msg_name-in-nr_recvmsg.patch @@ -0,0 +1,40 @@ +From 77d04b80c07c03ee66148b8d756a3dd27f11b3fc Mon Sep 17 00:00:00 2001 +From: Mathias Krause +Date: Sun, 7 Apr 2013 01:51:57 +0000 +Subject: netrom: fix info leak via msg_name in nr_recvmsg() + + +From: Mathias Krause + +[ Upstream commits 3ce5efad47b62c57a4f5c54248347085a750ce0e and + c802d759623acbd6e1ee9fbdabae89159a513913 ] + +In case msg_name is set the sockaddr info gets filled out, as +requested, but the code fails to initialize the padding bytes of +struct sockaddr_ax25 inserted by the compiler for alignment. Also +the sax25_ndigis member does not get assigned, leaking four more +bytes. + +Both issues lead to the fact that the code will leak uninitialized +kernel stack bytes in net/socket.c. + +Fix both issues by initializing the memory with memset(0). + +Signed-off-by: Mathias Krause +Cc: Ralf Baechle +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/netrom/af_netrom.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/netrom/af_netrom.c ++++ b/net/netrom/af_netrom.c +@@ -1177,6 +1177,7 @@ static int nr_recvmsg(struct kiocb *iocb + } + + if (sax != NULL) { ++ memset(sax, 0, sizeof(sax)); + sax->sax25_family = AF_NETROM; + skb_copy_from_linear_data_offset(skb, 7, sax->sax25_call.ax25_call, + AX25_ADDR_LEN); diff --git a/queue-3.4/netrom-fix-invalid-use-of-sizeof-in-nr_recvmsg.patch b/queue-3.4/netrom-fix-invalid-use-of-sizeof-in-nr_recvmsg.patch new file mode 100644 index 00000000000..e09a56ddb4f --- /dev/null +++ b/queue-3.4/netrom-fix-invalid-use-of-sizeof-in-nr_recvmsg.patch @@ -0,0 +1,32 @@ +From bef41eeabe2f888ff26e05497b78574a6ab4d906 Mon Sep 17 00:00:00 2001 +From: Wei Yongjun +Date: Tue, 9 Apr 2013 10:07:19 +0800 +Subject: netrom: fix invalid use of sizeof in nr_recvmsg() + + +From: Wei Yongjun + +[ Upstream commit c802d759623acbd6e1ee9fbdabae89159a513913 ] + +sizeof() when applied to a pointer typed expression gives the size of the +pointer, not that of the pointed data. +Introduced by commit 3ce5ef(netrom: fix info leak via msg_name in nr_recvmsg) + +Signed-off-by: Wei Yongjun +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/netrom/af_netrom.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/netrom/af_netrom.c ++++ b/net/netrom/af_netrom.c +@@ -1177,7 +1177,7 @@ static int nr_recvmsg(struct kiocb *iocb + } + + if (sax != NULL) { +- memset(sax, 0, sizeof(sax)); ++ memset(sax, 0, sizeof(*sax)); + sax->sax25_family = AF_NETROM; + skb_copy_from_linear_data_offset(skb, 7, sax->sax25_call.ax25_call, + AX25_ADDR_LEN); diff --git a/queue-3.4/nfc-llcp-fix-info-leaks-via-msg_name-in-llcp_sock_recvmsg.patch b/queue-3.4/nfc-llcp-fix-info-leaks-via-msg_name-in-llcp_sock_recvmsg.patch new file mode 100644 index 00000000000..7003c4daf58 --- /dev/null +++ b/queue-3.4/nfc-llcp-fix-info-leaks-via-msg_name-in-llcp_sock_recvmsg.patch @@ -0,0 +1,49 @@ +From f2c9def51f6071d442897b2148bf1dd617a9b5b7 Mon Sep 17 00:00:00 2001 +From: Mathias Krause +Date: Sun, 7 Apr 2013 01:51:58 +0000 +Subject: NFC: llcp: fix info leaks via msg_name in llcp_sock_recvmsg() + + +From: Mathias Krause + +[ Upstream commit d26d6504f23e803824e8ebd14e52d4fc0a0b09cb ] + +The code in llcp_sock_recvmsg() does not initialize all the members of +struct sockaddr_nfc_llcp when filling the sockaddr info. Nor does it +initialize the padding bytes of the structure inserted by the compiler +for alignment. + +Also, if the socket is in state LLCP_CLOSED or is shutting down during +receive the msg_namelen member is not updated to 0 while otherwise +returning with 0, i.e. "success". The msg_namelen update is also +missing for stream and seqpacket sockets which don't fill the sockaddr +info. + +Both issues lead to the fact that the code will leak uninitialized +kernel stack bytes in net/socket.c. + +Fix the first issue by initializing the memory used for sockaddr info +with memset(0). Fix the second one by setting msg_namelen to 0 early. +It will be updated later if we're going to fill the msg_name member. + +Signed-off-by: Mathias Krause +Cc: Lauro Ramos Venancio +Cc: Aloisio Almeida Jr +Cc: Samuel Ortiz +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/nfc/llcp/sock.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/net/nfc/llcp/sock.c ++++ b/net/nfc/llcp/sock.c +@@ -514,6 +514,8 @@ static int llcp_sock_recvmsg(struct kioc + + pr_debug("%p %zu\n", sk, len); + ++ msg->msg_namelen = 0; ++ + lock_sock(sk); + + if (sk->sk_state == LLCP_CLOSED && diff --git a/queue-3.4/rose-fix-info-leak-via-msg_name-in-rose_recvmsg.patch b/queue-3.4/rose-fix-info-leak-via-msg_name-in-rose_recvmsg.patch new file mode 100644 index 00000000000..0a988fa4a6b --- /dev/null +++ b/queue-3.4/rose-fix-info-leak-via-msg_name-in-rose_recvmsg.patch @@ -0,0 +1,37 @@ +From cb0e08205989b6cc4d04efc0233411e42b258cf0 Mon Sep 17 00:00:00 2001 +From: Mathias Krause +Date: Sun, 7 Apr 2013 01:51:59 +0000 +Subject: rose: fix info leak via msg_name in rose_recvmsg() + + +From: Mathias Krause + +[ Upstream commit 4a184233f21645cf0b719366210ed445d1024d72 ] + +The code in rose_recvmsg() does not initialize all of the members of +struct sockaddr_rose/full_sockaddr_rose when filling the sockaddr info. +Nor does it initialize the padding bytes of the structure inserted by +the compiler for alignment. This will lead to leaking uninitialized +kernel stack bytes in net/socket.c. + +Fix the issue by initializing the memory used for sockaddr info with +memset(0). + +Signed-off-by: Mathias Krause +Cc: Ralf Baechle +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/rose/af_rose.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/rose/af_rose.c ++++ b/net/rose/af_rose.c +@@ -1257,6 +1257,7 @@ static int rose_recvmsg(struct kiocb *io + skb_copy_datagram_iovec(skb, 0, msg->msg_iov, copied); + + if (srose != NULL) { ++ memset(srose, 0, msg->msg_namelen); + srose->srose_family = AF_ROSE; + srose->srose_addr = rose->dest_addr; + srose->srose_call = rose->dest_call; diff --git a/queue-3.4/rtnetlink-call-nlmsg_parse-with-correct-header-length.patch b/queue-3.4/rtnetlink-call-nlmsg_parse-with-correct-header-length.patch new file mode 100644 index 00000000000..f78eff76bb3 --- /dev/null +++ b/queue-3.4/rtnetlink-call-nlmsg_parse-with-correct-header-length.patch @@ -0,0 +1,40 @@ +From 3b86159c3d22710e21f35fb99e9b5e2710a3c501 Mon Sep 17 00:00:00 2001 +From: Michael Riesch +Date: Mon, 8 Apr 2013 05:45:26 +0000 +Subject: rtnetlink: Call nlmsg_parse() with correct header length + + +From: Michael Riesch + +[ Upstream commit 88c5b5ce5cb57af6ca2a7cf4d5715fa320448ff9 ] + +Signed-off-by: Michael Riesch +Cc: Jiri Benc +Cc: "Theodore Ts'o" +Acked-by: Mark Rustad +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/core/rtnetlink.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/net/core/rtnetlink.c ++++ b/net/core/rtnetlink.c +@@ -1066,7 +1066,7 @@ static int rtnl_dump_ifinfo(struct sk_bu + rcu_read_lock(); + cb->seq = net->dev_base_seq; + +- if (nlmsg_parse(cb->nlh, sizeof(struct rtgenmsg), tb, IFLA_MAX, ++ if (nlmsg_parse(cb->nlh, sizeof(struct ifinfomsg), tb, IFLA_MAX, + ifla_policy) >= 0) { + + if (tb[IFLA_EXT_MASK]) +@@ -1910,7 +1910,7 @@ static u16 rtnl_calcit(struct sk_buff *s + u32 ext_filter_mask = 0; + u16 min_ifinfo_dump_size = 0; + +- if (nlmsg_parse(nlh, sizeof(struct rtgenmsg), tb, IFLA_MAX, ++ if (nlmsg_parse(nlh, sizeof(struct ifinfomsg), tb, IFLA_MAX, + ifla_policy) >= 0) { + if (tb[IFLA_EXT_MASK]) + ext_filter_mask = nla_get_u32(tb[IFLA_EXT_MASK]); diff --git a/queue-3.4/series b/queue-3.4/series index 13f62c41371..ec2da851e10 100644 --- a/queue-3.4/series +++ b/queue-3.4/series @@ -2,3 +2,33 @@ aio-fix-possible-invalid-memory-access-when-debug-is-enabled.patch tty-do-not-update-atime-mtime-on-read-write.patch tty-fix-atime-mtime-regression.patch sparc64-fix-race-in-tlb-batch-processing.patch +atm-update-msg_namelen-in-vcc_recvmsg.patch +ax25-fix-info-leak-via-msg_name-in-ax25_recvmsg.patch +bluetooth-fix-possible-info-leak-in-bt_sock_recvmsg.patch +bluetooth-rfcomm-fix-missing-msg_namelen-update-in-rfcomm_sock_recvmsg.patch +caif-fix-missing-msg_namelen-update-in-caif_seqpkt_recvmsg.patch +irda-fix-missing-msg_namelen-update-in-irda_recvmsg_dgram.patch +iucv-fix-missing-msg_namelen-update-in-iucv_sock_recvmsg.patch +llc-fix-missing-msg_namelen-update-in-llc_ui_recvmsg.patch +netrom-fix-info-leak-via-msg_name-in-nr_recvmsg.patch +nfc-llcp-fix-info-leaks-via-msg_name-in-llcp_sock_recvmsg.patch +rose-fix-info-leak-via-msg_name-in-rose_recvmsg.patch +tipc-fix-info-leaks-via-msg_name-in-recv_msg-recv_stream.patch +netrom-fix-invalid-use-of-sizeof-in-nr_recvmsg.patch +cbq-incorrect-processing-of-high-limits.patch +net-ipv6-fix-broken-ipv6-routing-table-after-loopback-down-up.patch +net-count-hw_addr-syncs-so-that-unsync-works-properly.patch +atl1e-limit-gso-segment-size-to-prevent-generation-of-wrong-ip-length-fields.patch +bonding-fix-bonding_masters-race-condition-in-bond-unloading.patch +bonding-iff_bonding-is-not-stripped-on-enslave-failure.patch +af_unix-if-we-don-t-care-about-credentials-coallesce-all-messages.patch +netfilter-don-t-reset-nf_trace-in-nf_reset.patch +rtnetlink-call-nlmsg_parse-with-correct-header-length.patch +tcp-incoming-connections-might-use-wrong-route-under-synflood.patch +tcp-reallocate-headroom-if-it-would-overflow-csum_start.patch +esp4-fix-error-return-code-in-esp_output.patch +net-sctp-sctp_auth_key_put-use-kzfree-instead-of-kfree.patch +tcp-call-tcp_replace_ts_recent-from-tcp_ack.patch +net-rate-limit-warn-bad-offload-splats.patch +net-fix-incorrect-credentials-passing.patch +net-drop-dst-before-queueing-fragments.patch diff --git a/queue-3.4/tcp-call-tcp_replace_ts_recent-from-tcp_ack.patch b/queue-3.4/tcp-call-tcp_replace_ts_recent-from-tcp_ack.patch new file mode 100644 index 00000000000..b3708e0e946 --- /dev/null +++ b/queue-3.4/tcp-call-tcp_replace_ts_recent-from-tcp_ack.patch @@ -0,0 +1,156 @@ +From 58bd4a47469059f9f5395885d7b0a3b1dc7ae1e3 Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Fri, 19 Apr 2013 07:19:48 +0000 +Subject: tcp: call tcp_replace_ts_recent() from tcp_ack() + + +From: Eric Dumazet + +[ Upstream commit 12fb3dd9dc3c64ba7d64cec977cca9b5fb7b1d4e ] + +commit bd090dfc634d (tcp: tcp_replace_ts_recent() should not be called +from tcp_validate_incoming()) introduced a TS ecr bug in slow path +processing. + +1 A > B P. 1:10001(10000) ack 1 +2 B < A . 1:1(0) ack 1 win 257 +3 A > B . 1:1001(1000) ack 1 win 227 +4 A > B . 1001:2001(1000) ack 1 win 227 + +(ecr 200 should be ecr 300 in packets 3 & 4) + +Problem is tcp_ack() can trigger send of new packets (retransmits), +reflecting the prior TSval, instead of the TSval contained in the +currently processed incoming packet. + +Fix this by calling tcp_replace_ts_recent() from tcp_ack() after the +checks, but before the actions. + +Reported-by: Yuchung Cheng +Signed-off-by: Eric Dumazet +Cc: Neal Cardwell +Acked-by: Neal Cardwell +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/tcp_input.c | 65 +++++++++++++++++++++++++-------------------------- + 1 file changed, 32 insertions(+), 33 deletions(-) + +--- a/net/ipv4/tcp_input.c ++++ b/net/ipv4/tcp_input.c +@@ -116,6 +116,7 @@ int sysctl_tcp_abc __read_mostly; + #define FLAG_DSACKING_ACK 0x800 /* SACK blocks contained D-SACK info */ + #define FLAG_NONHEAD_RETRANS_ACKED 0x1000 /* Non-head rexmitted data was ACKed */ + #define FLAG_SACK_RENEGING 0x2000 /* snd_una advanced to a sacked seq */ ++#define FLAG_UPDATE_TS_RECENT 0x4000 /* tcp_replace_ts_recent() */ + + #define FLAG_ACKED (FLAG_DATA_ACKED|FLAG_SYN_ACKED) + #define FLAG_NOT_DUP (FLAG_DATA|FLAG_WIN_UPDATE|FLAG_ACKED) +@@ -3707,6 +3708,27 @@ static void tcp_send_challenge_ack(struc + } + } + ++static void tcp_store_ts_recent(struct tcp_sock *tp) ++{ ++ tp->rx_opt.ts_recent = tp->rx_opt.rcv_tsval; ++ tp->rx_opt.ts_recent_stamp = get_seconds(); ++} ++ ++static void tcp_replace_ts_recent(struct tcp_sock *tp, u32 seq) ++{ ++ if (tp->rx_opt.saw_tstamp && !after(seq, tp->rcv_wup)) { ++ /* PAWS bug workaround wrt. ACK frames, the PAWS discard ++ * extra check below makes sure this can only happen ++ * for pure ACK frames. -DaveM ++ * ++ * Not only, also it occurs for expired timestamps. ++ */ ++ ++ if (tcp_paws_check(&tp->rx_opt, 0)) ++ tcp_store_ts_recent(tp); ++ } ++} ++ + /* This routine deals with incoming acks, but not outgoing ones. */ + static int tcp_ack(struct sock *sk, const struct sk_buff *skb, int flag) + { +@@ -3756,6 +3778,12 @@ static int tcp_ack(struct sock *sk, cons + prior_fackets = tp->fackets_out; + prior_in_flight = tcp_packets_in_flight(tp); + ++ /* ts_recent update must be made after we are sure that the packet ++ * is in window. ++ */ ++ if (flag & FLAG_UPDATE_TS_RECENT) ++ tcp_replace_ts_recent(tp, TCP_SKB_CB(skb)->seq); ++ + if (!(flag & FLAG_SLOWPATH) && after(ack, prior_snd_una)) { + /* Window is constant, pure forward advance. + * No more checks are required. +@@ -4053,27 +4081,6 @@ const u8 *tcp_parse_md5sig_option(const + EXPORT_SYMBOL(tcp_parse_md5sig_option); + #endif + +-static inline void tcp_store_ts_recent(struct tcp_sock *tp) +-{ +- tp->rx_opt.ts_recent = tp->rx_opt.rcv_tsval; +- tp->rx_opt.ts_recent_stamp = get_seconds(); +-} +- +-static inline void tcp_replace_ts_recent(struct tcp_sock *tp, u32 seq) +-{ +- if (tp->rx_opt.saw_tstamp && !after(seq, tp->rcv_wup)) { +- /* PAWS bug workaround wrt. ACK frames, the PAWS discard +- * extra check below makes sure this can only happen +- * for pure ACK frames. -DaveM +- * +- * Not only, also it occurs for expired timestamps. +- */ +- +- if (tcp_paws_check(&tp->rx_opt, 0)) +- tcp_store_ts_recent(tp); +- } +-} +- + /* Sorry, PAWS as specified is broken wrt. pure-ACKs -DaveM + * + * It is not fatal. If this ACK does _not_ change critical state (seqs, window) +@@ -5577,14 +5584,10 @@ slow_path: + return 0; + + step5: +- if (th->ack && tcp_ack(sk, skb, FLAG_SLOWPATH) < 0) ++ if (th->ack && ++ tcp_ack(sk, skb, FLAG_SLOWPATH | FLAG_UPDATE_TS_RECENT) < 0) + goto discard; + +- /* ts_recent update must be made after we are sure that the packet +- * is in window. +- */ +- tcp_replace_ts_recent(tp, TCP_SKB_CB(skb)->seq); +- + tcp_rcv_rtt_measure_ts(sk, skb); + + /* Process urgent data. */ +@@ -5948,7 +5951,8 @@ int tcp_rcv_state_process(struct sock *s + + /* step 5: check the ACK field */ + if (th->ack) { +- int acceptable = tcp_ack(sk, skb, FLAG_SLOWPATH) > 0; ++ int acceptable = tcp_ack(sk, skb, FLAG_SLOWPATH | ++ FLAG_UPDATE_TS_RECENT) > 0; + + switch (sk->sk_state) { + case TCP_SYN_RECV: +@@ -6055,11 +6059,6 @@ int tcp_rcv_state_process(struct sock *s + } else + goto discard; + +- /* ts_recent update must be made after we are sure that the packet +- * is in window. +- */ +- tcp_replace_ts_recent(tp, TCP_SKB_CB(skb)->seq); +- + /* step 6: check the URG bit */ + tcp_urg(sk, skb, th); + diff --git a/queue-3.4/tcp-incoming-connections-might-use-wrong-route-under-synflood.patch b/queue-3.4/tcp-incoming-connections-might-use-wrong-route-under-synflood.patch new file mode 100644 index 00000000000..f1c5d4fd08c --- /dev/null +++ b/queue-3.4/tcp-incoming-connections-might-use-wrong-route-under-synflood.patch @@ -0,0 +1,41 @@ +From f69107361c6ad91517a8b0323fb96c928804864c Mon Sep 17 00:00:00 2001 +From: Dmitry Popov +Date: Thu, 11 Apr 2013 08:55:07 +0000 +Subject: tcp: incoming connections might use wrong route under synflood + + +From: Dmitry Popov + +[ Upstream commit d66954a066158781ccf9c13c91d0316970fe57b6 ] + +There is a bug in cookie_v4_check (net/ipv4/syncookies.c): + flowi4_init_output(&fl4, 0, sk->sk_mark, RT_CONN_FLAGS(sk), + RT_SCOPE_UNIVERSE, IPPROTO_TCP, + inet_sk_flowi_flags(sk), + (opt && opt->srr) ? opt->faddr : ireq->rmt_addr, + ireq->loc_addr, th->source, th->dest); + +Here we do not respect sk->sk_bound_dev_if, therefore wrong dst_entry may be +taken. This dst_entry is used by new socket (get_cookie_sock -> +tcp_v4_syn_recv_sock), so its packets may take the wrong path. + +Signed-off-by: Dmitry Popov +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/syncookies.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/net/ipv4/syncookies.c ++++ b/net/ipv4/syncookies.c +@@ -347,8 +347,8 @@ struct sock *cookie_v4_check(struct sock + * hasn't changed since we received the original syn, but I see + * no easy way to do this. + */ +- flowi4_init_output(&fl4, 0, sk->sk_mark, RT_CONN_FLAGS(sk), +- RT_SCOPE_UNIVERSE, IPPROTO_TCP, ++ flowi4_init_output(&fl4, sk->sk_bound_dev_if, sk->sk_mark, ++ RT_CONN_FLAGS(sk), RT_SCOPE_UNIVERSE, IPPROTO_TCP, + inet_sk_flowi_flags(sk), + (opt && opt->srr) ? opt->faddr : ireq->rmt_addr, + ireq->loc_addr, th->source, th->dest); diff --git a/queue-3.4/tcp-reallocate-headroom-if-it-would-overflow-csum_start.patch b/queue-3.4/tcp-reallocate-headroom-if-it-would-overflow-csum_start.patch new file mode 100644 index 00000000000..72abc0ef109 --- /dev/null +++ b/queue-3.4/tcp-reallocate-headroom-if-it-would-overflow-csum_start.patch @@ -0,0 +1,48 @@ +From 2527557a08f9d60e9fd38737b5a029b480af50bd Mon Sep 17 00:00:00 2001 +From: Thomas Graf +Date: Thu, 11 Apr 2013 10:57:18 +0000 +Subject: tcp: Reallocate headroom if it would overflow csum_start + + +From: Thomas Graf + +[ Upstream commit 50bceae9bd3569d56744882f3012734d48a1d413 ] + +If a TCP retransmission gets partially ACKed and collapsed multiple +times it is possible for the headroom to grow beyond 64K which will +overflow the 16bit skb->csum_start which is based on the start of +the headroom. It has been observed rarely in the wild with IPoIB due +to the 64K MTU. + +Verify if the acking and collapsing resulted in a headroom exceeding +what csum_start can cover and reallocate the headroom if so. + +A big thank you to Jim Foraker and the team at +LLNL for helping out with the investigation and testing. + +Reported-by: Jim Foraker +Signed-off-by: Thomas Graf +Acked-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/tcp_output.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/net/ipv4/tcp_output.c ++++ b/net/ipv4/tcp_output.c +@@ -2154,8 +2154,12 @@ int tcp_retransmit_skb(struct sock *sk, + */ + TCP_SKB_CB(skb)->when = tcp_time_stamp; + +- /* make sure skb->data is aligned on arches that require it */ +- if (unlikely(NET_IP_ALIGN && ((unsigned long)skb->data & 3))) { ++ /* make sure skb->data is aligned on arches that require it ++ * and check if ack-trimming & collapsing extended the headroom ++ * beyond what csum_start can cover. ++ */ ++ if (unlikely((NET_IP_ALIGN && ((unsigned long)skb->data & 3)) || ++ skb_headroom(skb) >= 0xFFFF)) { + struct sk_buff *nskb = __pskb_copy(skb, MAX_TCP_HEADER, + GFP_ATOMIC); + err = nskb ? tcp_transmit_skb(sk, nskb, 0, GFP_ATOMIC) : diff --git a/queue-3.4/tipc-fix-info-leaks-via-msg_name-in-recv_msg-recv_stream.patch b/queue-3.4/tipc-fix-info-leaks-via-msg_name-in-recv_msg-recv_stream.patch new file mode 100644 index 00000000000..cc8a5d8d722 --- /dev/null +++ b/queue-3.4/tipc-fix-info-leaks-via-msg_name-in-recv_msg-recv_stream.patch @@ -0,0 +1,64 @@ +From fbdcc697a43e4b7eae4b8fb00ac054c2eac90a30 Mon Sep 17 00:00:00 2001 +From: Mathias Krause +Date: Sun, 7 Apr 2013 01:52:00 +0000 +Subject: tipc: fix info leaks via msg_name in recv_msg/recv_stream + + +From: Mathias Krause + +[ Upstream commit 60085c3d009b0df252547adb336d1ccca5ce52ec ] + +The code in set_orig_addr() does not initialize all of the members of +struct sockaddr_tipc when filling the sockaddr info -- namely the union +is only partly filled. This will make recv_msg() and recv_stream() -- +the only users of this function -- leak kernel stack memory as the +msg_name member is a local variable in net/socket.c. + +Additionally to that both recv_msg() and recv_stream() fail to update +the msg_namelen member to 0 while otherwise returning with 0, i.e. +"success". This is the case for, e.g., non-blocking sockets. This will +lead to a 128 byte kernel stack leak in net/socket.c. + +Fix the first issue by initializing the memory of the union with +memset(0). Fix the second one by setting msg_namelen to 0 early as it +will be updated later if we're going to fill the msg_name member. + +Signed-off-by: Mathias Krause +Cc: Jon Maloy +Cc: Allan Stephens +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/tipc/socket.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/net/tipc/socket.c ++++ b/net/tipc/socket.c +@@ -829,6 +829,7 @@ static void set_orig_addr(struct msghdr + if (addr) { + addr->family = AF_TIPC; + addr->addrtype = TIPC_ADDR_ID; ++ memset(&addr->addr, 0, sizeof(addr->addr)); + addr->addr.id.ref = msg_origport(msg); + addr->addr.id.node = msg_orignode(msg); + addr->addr.name.domain = 0; /* could leave uninitialized */ +@@ -948,6 +949,9 @@ static int recv_msg(struct kiocb *iocb, + goto exit; + } + ++ /* will be updated in set_orig_addr() if needed */ ++ m->msg_namelen = 0; ++ + timeout = sock_rcvtimeo(sk, flags & MSG_DONTWAIT); + restart: + +@@ -1074,6 +1078,9 @@ static int recv_stream(struct kiocb *ioc + goto exit; + } + ++ /* will be updated in set_orig_addr() if needed */ ++ m->msg_namelen = 0; ++ + target = sock_rcvlowat(sk, flags & MSG_WAITALL, buf_len); + timeout = sock_rcvtimeo(sk, flags & MSG_DONTWAIT); + restart: -- 2.47.3