From 69f92f03f01b764d4b7f03a5f76a93610d7c9225 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Tue, 30 Apr 2019 12:16:47 +0200 Subject: [PATCH] 3.18-stable patches added patches: ipv4-add-sanity-checks-in-ipv4_link_failure.patch net-stmmac-move-stmmac_check_ether_addr-to-driver-probe.patch team-fix-possible-recursive-locking-when-add-slaves.patch --- ...d-sanity-checks-in-ipv4_link_failure.patch | 154 ++++++++++++++++++ ...mac_check_ether_addr-to-driver-probe.patch | 46 ++++++ queue-3.18/series | 3 + ...le-recursive-locking-when-add-slaves.patch | 52 ++++++ 4 files changed, 255 insertions(+) create mode 100644 queue-3.18/ipv4-add-sanity-checks-in-ipv4_link_failure.patch create mode 100644 queue-3.18/net-stmmac-move-stmmac_check_ether_addr-to-driver-probe.patch create mode 100644 queue-3.18/team-fix-possible-recursive-locking-when-add-slaves.patch diff --git a/queue-3.18/ipv4-add-sanity-checks-in-ipv4_link_failure.patch b/queue-3.18/ipv4-add-sanity-checks-in-ipv4_link_failure.patch new file mode 100644 index 00000000000..21bff183cfa --- /dev/null +++ b/queue-3.18/ipv4-add-sanity-checks-in-ipv4_link_failure.patch @@ -0,0 +1,154 @@ +From foo@baz Tue 30 Apr 2019 12:01:36 PM CEST +From: Eric Dumazet +Date: Wed, 24 Apr 2019 08:04:05 -0700 +Subject: ipv4: add sanity checks in ipv4_link_failure() + +From: Eric Dumazet + +[ Upstream commit 20ff83f10f113c88d0bb74589389b05250994c16 ] + +Before calling __ip_options_compile(), we need to ensure the network +header is a an IPv4 one, and that it is already pulled in skb->head. + +RAW sockets going through a tunnel can end up calling ipv4_link_failure() +with total garbage in the skb, or arbitrary lengthes. + +syzbot report : + +BUG: KASAN: stack-out-of-bounds in memcpy include/linux/string.h:355 [inline] +BUG: KASAN: stack-out-of-bounds in __ip_options_echo+0x294/0x1120 net/ipv4/ip_options.c:123 +Write of size 69 at addr ffff888096abf068 by task syz-executor.4/9204 + +CPU: 0 PID: 9204 Comm: syz-executor.4 Not tainted 5.1.0-rc5+ #77 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0x172/0x1f0 lib/dump_stack.c:113 + print_address_description.cold+0x7c/0x20d mm/kasan/report.c:187 + kasan_report.cold+0x1b/0x40 mm/kasan/report.c:317 + check_memory_region_inline mm/kasan/generic.c:185 [inline] + check_memory_region+0x123/0x190 mm/kasan/generic.c:191 + memcpy+0x38/0x50 mm/kasan/common.c:133 + memcpy include/linux/string.h:355 [inline] + __ip_options_echo+0x294/0x1120 net/ipv4/ip_options.c:123 + __icmp_send+0x725/0x1400 net/ipv4/icmp.c:695 + ipv4_link_failure+0x29f/0x550 net/ipv4/route.c:1204 + dst_link_failure include/net/dst.h:427 [inline] + vti6_xmit net/ipv6/ip6_vti.c:514 [inline] + vti6_tnl_xmit+0x10d4/0x1c0c net/ipv6/ip6_vti.c:553 + __netdev_start_xmit include/linux/netdevice.h:4414 [inline] + netdev_start_xmit include/linux/netdevice.h:4423 [inline] + xmit_one net/core/dev.c:3292 [inline] + dev_hard_start_xmit+0x1b2/0x980 net/core/dev.c:3308 + __dev_queue_xmit+0x271d/0x3060 net/core/dev.c:3878 + dev_queue_xmit+0x18/0x20 net/core/dev.c:3911 + neigh_direct_output+0x16/0x20 net/core/neighbour.c:1527 + neigh_output include/net/neighbour.h:508 [inline] + ip_finish_output2+0x949/0x1740 net/ipv4/ip_output.c:229 + ip_finish_output+0x73c/0xd50 net/ipv4/ip_output.c:317 + NF_HOOK_COND include/linux/netfilter.h:278 [inline] + ip_output+0x21f/0x670 net/ipv4/ip_output.c:405 + dst_output include/net/dst.h:444 [inline] + NF_HOOK include/linux/netfilter.h:289 [inline] + raw_send_hdrinc net/ipv4/raw.c:432 [inline] + raw_sendmsg+0x1d2b/0x2f20 net/ipv4/raw.c:663 + inet_sendmsg+0x147/0x5d0 net/ipv4/af_inet.c:798 + sock_sendmsg_nosec net/socket.c:651 [inline] + sock_sendmsg+0xdd/0x130 net/socket.c:661 + sock_write_iter+0x27c/0x3e0 net/socket.c:988 + call_write_iter include/linux/fs.h:1866 [inline] + new_sync_write+0x4c7/0x760 fs/read_write.c:474 + __vfs_write+0xe4/0x110 fs/read_write.c:487 + vfs_write+0x20c/0x580 fs/read_write.c:549 + ksys_write+0x14f/0x2d0 fs/read_write.c:599 + __do_sys_write fs/read_write.c:611 [inline] + __se_sys_write fs/read_write.c:608 [inline] + __x64_sys_write+0x73/0xb0 fs/read_write.c:608 + do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290 + entry_SYSCALL_64_after_hwframe+0x49/0xbe +RIP: 0033:0x458c29 +Code: ad b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 +RSP: 002b:00007f293b44bc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 +RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000458c29 +RDX: 0000000000000014 RSI: 00000000200002c0 RDI: 0000000000000003 +RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 00007f293b44c6d4 +R13: 00000000004c8623 R14: 00000000004ded68 R15: 00000000ffffffff + +The buggy address belongs to the page: +page:ffffea00025aafc0 count:0 mapcount:0 mapping:0000000000000000 index:0x0 +flags: 0x1fffc0000000000() +raw: 01fffc0000000000 0000000000000000 ffffffff025a0101 0000000000000000 +raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 +page dumped because: kasan: bad access detected + +Memory state around the buggy address: + ffff888096abef80: 00 00 00 f2 f2 f2 f2 f2 00 00 00 00 00 00 00 f2 + ffff888096abf000: f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 00 00 00 +>ffff888096abf080: 00 00 f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 + ^ + ffff888096abf100: 00 00 00 00 f1 f1 f1 f1 00 00 f3 f3 00 00 00 00 + ffff888096abf180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + +Fixes: ed0de45a1008 ("ipv4: recompile ip options in ipv4_link_failure") +Signed-off-by: Eric Dumazet +Cc: Stephen Suryaputra +Acked-by: Willem de Bruijn +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/route.c | 34 ++++++++++++++++++++++++---------- + 1 file changed, 24 insertions(+), 10 deletions(-) + +--- a/net/ipv4/route.c ++++ b/net/ipv4/route.c +@@ -1148,25 +1148,39 @@ static struct dst_entry *ipv4_dst_check( + return dst; + } + +-static void ipv4_link_failure(struct sk_buff *skb) ++static void ipv4_send_dest_unreach(struct sk_buff *skb) + { + struct ip_options opt; +- struct rtable *rt; + int res; + + /* Recompile ip options since IPCB may not be valid anymore. ++ * Also check we have a reasonable ipv4 header. + */ +- memset(&opt, 0, sizeof(opt)); +- opt.optlen = ip_hdr(skb)->ihl*4 - sizeof(struct iphdr); +- +- rcu_read_lock(); +- res = __ip_options_compile(dev_net(skb->dev), &opt, skb, NULL); +- rcu_read_unlock(); +- +- if (res) ++ if (!pskb_network_may_pull(skb, sizeof(struct iphdr)) || ++ ip_hdr(skb)->version != 4 || ip_hdr(skb)->ihl < 5) + return; + ++ memset(&opt, 0, sizeof(opt)); ++ if (ip_hdr(skb)->ihl > 5) { ++ if (!pskb_network_may_pull(skb, ip_hdr(skb)->ihl * 4)) ++ return; ++ opt.optlen = ip_hdr(skb)->ihl * 4 - sizeof(struct iphdr); ++ ++ rcu_read_lock(); ++ res = __ip_options_compile(dev_net(skb->dev), &opt, skb, NULL); ++ rcu_read_unlock(); ++ ++ if (res) ++ return; ++ } + __icmp_send(skb, ICMP_DEST_UNREACH, ICMP_HOST_UNREACH, 0, &opt); ++} ++ ++static void ipv4_link_failure(struct sk_buff *skb) ++{ ++ struct rtable *rt; ++ ++ ipv4_send_dest_unreach(skb); + + rt = skb_rtable(skb); + if (rt) diff --git a/queue-3.18/net-stmmac-move-stmmac_check_ether_addr-to-driver-probe.patch b/queue-3.18/net-stmmac-move-stmmac_check_ether_addr-to-driver-probe.patch new file mode 100644 index 00000000000..a9071293160 --- /dev/null +++ b/queue-3.18/net-stmmac-move-stmmac_check_ether_addr-to-driver-probe.patch @@ -0,0 +1,46 @@ +From foo@baz Tue 30 Apr 2019 11:47:03 AM CEST +From: Vinod Koul +Date: Mon, 22 Apr 2019 15:15:32 +0530 +Subject: net: stmmac: move stmmac_check_ether_addr() to driver probe + +From: Vinod Koul + +[ Upstream commit b561af36b1841088552464cdc3f6371d92f17710 ] + +stmmac_check_ether_addr() checks the MAC address and assigns one in +driver open(). In many cases when we create slave netdevice, the dev +addr is inherited from master but the master dev addr maybe NULL at +that time, so move this call to driver probe so that address is +always valid. + +Signed-off-by: Xiaofei Shen +Tested-by: Xiaofei Shen +Signed-off-by: Sneh Shah +Signed-off-by: Vinod Koul +Reviewed-by: Andrew Lunn +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +@@ -1736,8 +1736,6 @@ static int stmmac_open(struct net_device + struct stmmac_priv *priv = netdev_priv(dev); + int ret; + +- stmmac_check_ether_addr(priv); +- + if (priv->pcs != STMMAC_PCS_RGMII && priv->pcs != STMMAC_PCS_TBI && + priv->pcs != STMMAC_PCS_RTBI) { + ret = stmmac_init_phy(dev); +@@ -2824,6 +2822,8 @@ struct stmmac_priv *stmmac_dvr_probe(str + if (ret) + goto error_hw_init; + ++ stmmac_check_ether_addr(priv); ++ + ndev->netdev_ops = &stmmac_netdev_ops; + + ndev->hw_features = NETIF_F_SG | NETIF_F_IP_CSUM | NETIF_F_IPV6_CSUM | diff --git a/queue-3.18/series b/queue-3.18/series index ef6270d370d..147ff7c3f62 100644 --- a/queue-3.18/series +++ b/queue-3.18/series @@ -8,3 +8,6 @@ fs-proc-proc_sysctl.c-fix-a-null-pointer-dereference.patch nfs-forbid-setting-af_inet6-to-struct-sockaddr_in-sin_family.patch netfilter-ebtables-config_compat-drop-a-bogus-warn_on.patch revert-block-loop-use-global-lock-for-ioctl-operation.patch +ipv4-add-sanity-checks-in-ipv4_link_failure.patch +team-fix-possible-recursive-locking-when-add-slaves.patch +net-stmmac-move-stmmac_check_ether_addr-to-driver-probe.patch diff --git a/queue-3.18/team-fix-possible-recursive-locking-when-add-slaves.patch b/queue-3.18/team-fix-possible-recursive-locking-when-add-slaves.patch new file mode 100644 index 00000000000..c29ffb590aa --- /dev/null +++ b/queue-3.18/team-fix-possible-recursive-locking-when-add-slaves.patch @@ -0,0 +1,52 @@ +From foo@baz Tue 30 Apr 2019 12:01:36 PM CEST +From: Hangbin Liu +Date: Fri, 19 Apr 2019 14:31:00 +0800 +Subject: team: fix possible recursive locking when add slaves + +From: Hangbin Liu + +[ Upstream commit 925b0c841e066b488cc3a60272472b2c56300704 ] + +If we add a bond device which is already the master of the team interface, +we will hold the team->lock in team_add_slave() first and then request the +lock in team_set_mac_address() again. The functions are called like: + +- team_add_slave() + - team_port_add() + - team_port_enter() + - team_modeop_port_enter() + - __set_port_dev_addr() + - dev_set_mac_address() + - bond_set_mac_address() + - dev_set_mac_address() + - team_set_mac_address + +Although team_upper_dev_link() would check the upper devices but it is +called too late. Fix it by adding a checking before processing the slave. + +v2: Do not split the string in netdev_err() + +Fixes: 3d249d4ca7d0 ("net: introduce ethernet teaming device") +Acked-by: Jiri Pirko +Signed-off-by: Hangbin Liu +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/team/team.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/net/team/team.c ++++ b/drivers/net/team/team.c +@@ -1137,6 +1137,12 @@ static int team_port_add(struct team *te + return -EINVAL; + } + ++ if (netdev_has_upper_dev(dev, port_dev)) { ++ netdev_err(dev, "Device %s is already an upper device of the team interface\n", ++ portname); ++ return -EBUSY; ++ } ++ + if (port_dev->features & NETIF_F_VLAN_CHALLENGED && + vlan_uses_dev(dev)) { + netdev_err(dev, "Device %s is VLAN challenged and team device has VLAN set up\n", -- 2.47.2