From 6b4e1640e13e3fbf4cf1674fd44cc3d2f2f4712e Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman Date: Sun, 6 Oct 2019 11:16:07 +0200 Subject: [PATCH] 4.4-stable patches added patches: hso-fix-null-deref-on-tty-open.patch ipv6-drop-incoming-packets-having-a-v4mapped-source-address.patch net-ipv4-avoid-mixed-n_redirects-and-rate_tokens-usage.patch net-qlogic-fix-memory-leak-in-ql_alloc_large_buffers.patch net-rds-fix-error-handling-in-rds_ib_add_one.patch nfc-fix-memory-leak-in-llcp_sock_bind.patch sch_cbq-validate-tca_cbq_wrropt-to-avoid-crash.patch sch_dsmark-fix-potential-null-deref-in-dsmark_init.patch xen-netfront-do-not-use-0u-as-error-return-value-for-xennet_fill_frags.patch --- .../hso-fix-null-deref-on-tty-open.patch | 54 +++++++++ ...ets-having-a-v4mapped-source-address.patch | 67 +++++++++++ ...ed-n_redirects-and-rate_tokens-usage.patch | 62 ++++++++++ ...emory-leak-in-ql_alloc_large_buffers.patch | 30 +++++ ...fix-error-handling-in-rds_ib_add_one.patch | 47 ++++++++ ...fc-fix-memory-leak-in-llcp_sock_bind.patch | 62 ++++++++++ ...lidate-tca_cbq_wrropt-to-avoid-crash.patch | 112 ++++++++++++++++++ ...-potential-null-deref-in-dsmark_init.patch | 73 ++++++++++++ queue-4.4/series | 9 ++ ...r-return-value-for-xennet_fill_frags.patch | 95 +++++++++++++++ 10 files changed, 611 insertions(+) create mode 100644 queue-4.4/hso-fix-null-deref-on-tty-open.patch create mode 100644 queue-4.4/ipv6-drop-incoming-packets-having-a-v4mapped-source-address.patch create mode 100644 queue-4.4/net-ipv4-avoid-mixed-n_redirects-and-rate_tokens-usage.patch create mode 100644 queue-4.4/net-qlogic-fix-memory-leak-in-ql_alloc_large_buffers.patch create mode 100644 queue-4.4/net-rds-fix-error-handling-in-rds_ib_add_one.patch create mode 100644 queue-4.4/nfc-fix-memory-leak-in-llcp_sock_bind.patch create mode 100644 queue-4.4/sch_cbq-validate-tca_cbq_wrropt-to-avoid-crash.patch create mode 100644 queue-4.4/sch_dsmark-fix-potential-null-deref-in-dsmark_init.patch create mode 100644 
queue-4.4/xen-netfront-do-not-use-0u-as-error-return-value-for-xennet_fill_frags.patch diff --git a/queue-4.4/hso-fix-null-deref-on-tty-open.patch b/queue-4.4/hso-fix-null-deref-on-tty-open.patch new file mode 100644 index 00000000000..f640e59fbbf --- /dev/null +++ b/queue-4.4/hso-fix-null-deref-on-tty-open.patch @@ -0,0 +1,54 @@ +From foo@baz Sun 06 Oct 2019 11:10:46 AM CEST +From: Johan Hovold +Date: Mon, 30 Sep 2019 17:12:41 +0200 +Subject: hso: fix NULL-deref on tty open + +From: Johan Hovold + +[ Upstream commit 8353da9fa69722b54cba82b2ec740afd3d438748 ] + +Fix NULL-pointer dereference on tty open due to a failure to handle a +missing interrupt-in endpoint when probing modem ports: + + BUG: kernel NULL pointer dereference, address: 0000000000000006 + ... + RIP: 0010:tiocmget_submit_urb+0x1c/0xe0 [hso] + ... + Call Trace: + hso_start_serial_device+0xdc/0x140 [hso] + hso_serial_open+0x118/0x1b0 [hso] + tty_open+0xf1/0x490 + +Fixes: 542f54823614 ("tty: Modem functions for the HSO driver") +Signed-off-by: Johan Hovold +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/hso.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +--- a/drivers/net/usb/hso.c ++++ b/drivers/net/usb/hso.c +@@ -2650,14 +2650,18 @@ static struct hso_device *hso_create_bul + */ + if (serial->tiocmget) { + tiocmget = serial->tiocmget; ++ tiocmget->endp = hso_get_ep(interface, ++ USB_ENDPOINT_XFER_INT, ++ USB_DIR_IN); ++ if (!tiocmget->endp) { ++ dev_err(&interface->dev, "Failed to find INT IN ep\n"); ++ goto exit; ++ } ++ + tiocmget->urb = usb_alloc_urb(0, GFP_KERNEL); + if (tiocmget->urb) { + mutex_init(&tiocmget->mutex); + init_waitqueue_head(&tiocmget->waitq); +- tiocmget->endp = hso_get_ep( +- interface, +- USB_ENDPOINT_XFER_INT, +- USB_DIR_IN); + } else + hso_free_tiomget(serial); + } 
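Review bot: The new early `goto exit` after a failed hso_get_ep() leaves `serial->tiocmget` allocated with no urb, whereas the existing failure branch a few lines below frees it with `hso_free_tiomget(serial)`. The `exit:` label and the rest of hso_create_bulk_serial_device() are outside this hunk; if that label does not already call `hso_free_tiomget(serial)`, the tiocmget allocation leaks for a device that exposes no INT IN endpoint, so please confirm or add the release there. A short comment at the new `goto exit`, e.g. `/* tiocmget is released on the exit: path */`, would make the ownership visible at the call site.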
diff --git a/queue-4.4/ipv6-drop-incoming-packets-having-a-v4mapped-source-address.patch b/queue-4.4/ipv6-drop-incoming-packets-having-a-v4mapped-source-address.patch
new file mode 100644
index 00000000000..b3e8f7d37f1
--- /dev/null
+++ b/queue-4.4/ipv6-drop-incoming-packets-having-a-v4mapped-source-address.patch
@@ -0,0 +1,67 @@ +From foo@baz Sun 06 Oct 2019 11:10:46 AM CEST +From: Eric Dumazet +Date: Wed, 2 Oct 2019 09:38:55 -0700 +Subject: ipv6: drop incoming packets having a v4mapped source address + +From: Eric Dumazet + +[ Upstream commit 6af1799aaf3f1bc8defedddfa00df3192445bbf3 ] + +This began with a syzbot report. syzkaller was injecting +IPv6 TCP SYN packets having a v4mapped source address. + +After an unsuccessful 4-tuple lookup, TCP creates a request +socket (SYN_RECV) and calls reqsk_queue_hash_req() + +reqsk_queue_hash_req() calls sk_ehashfn(sk) + +At this point we have AF_INET6 sockets, and the heuristic +used by sk_ehashfn() to either hash the IPv4 or IPv6 addresses +is to use ipv6_addr_v4mapped(&sk->sk_v6_daddr) + +For the particular spoofed packet, we end up hashing V4 addresses +which were not initialized by the TCP IPv6 stack, so KMSAN fired +a warning. + +I first fixed sk_ehashfn() to test both source and destination addresses, +but then faced various problems, including user-space programs +like packetdrill that had similar assumptions. + +Instead of trying to fix the whole ecosystem, it is better +to admit that we have a dual stack behavior, and that we +can not build linux kernels without V4 stack anyway. + +The dual stack API automatically forces the traffic to be IPv4 +if v4mapped addresses are used at bind() or connect(), so it makes +no sense to allow IPv6 traffic to use the same v4mapped class. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Eric Dumazet +Cc: Florian Westphal +Cc: Hannes Frederic Sowa +Reported-by: syzbot +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/ip6_input.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +--- a/net/ipv6/ip6_input.c ++++ b/net/ipv6/ip6_input.c +@@ -151,6 +151,16 @@ int ipv6_rcv(struct sk_buff *skb, struct + if (ipv6_addr_is_multicast(&hdr->saddr)) + goto err; + ++ /* While RFC4291 is not explicit about v4mapped addresses ++ * in IPv6 headers, it seems clear linux dual-stack ++ * model can not deal properly with these. ++ * Security models could be fooled by ::ffff:127.0.0.1 for example. ++ * ++ * https://tools.ietf.org/html/draft-itojun-v6ops-v4mapped-harmful-02 ++ */ ++ if (ipv6_addr_v4mapped(&hdr->saddr)) ++ goto err; ++ + skb->transport_header = skb->network_header + sizeof(*hdr); + IP6CB(skb)->nhoff = offsetof(struct ipv6hdr, nexthdr); + diff --git a/queue-4.4/net-ipv4-avoid-mixed-n_redirects-and-rate_tokens-usage.patch b/queue-4.4/net-ipv4-avoid-mixed-n_redirects-and-rate_tokens-usage.patch new file mode 100644 index 00000000000..9da2bab3040 --- /dev/null +++ b/queue-4.4/net-ipv4-avoid-mixed-n_redirects-and-rate_tokens-usage.patch 
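Review bot: The new v4-mapped source test shares the `goto err` of the multicast-source check, so a packet dropped by this rule is indistinguishable in statistics from the existing header-error drops; the `err:` label is outside the hunk and presumably counts IPSTATS_MIB_INHDRERRORS — confirm. Because this silently changes behaviour for any peer emitting `::ffff:a.b.c.d` sources, operators will want a way to tell these drops apart (a dedicated counter or a rate-limited debug message), which is reasonable to leave for a follow-up rather than this stable backport. Only `hdr->saddr` is tested; whether a v4-mapped `hdr->daddr` warrants the same treatment cannot be decided from this hunk and is worth checking against upstream. ipv6_rcv() starts and ends outside the hunk.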
@@ -0,0 +1,62 @@ +From foo@baz Sun 06 Oct 2019 11:10:46 AM CEST +From: Paolo Abeni +Date: Fri, 4 Oct 2019 15:11:17 +0200 +Subject: net: ipv4: avoid mixed n_redirects and rate_tokens usage + +From: Paolo Abeni + +[ Upstream commit b406472b5ad79ede8d10077f0c8f05505ace8b6d ] + +Since commit c09551c6ff7f ("net: ipv4: use a dedicated counter +for icmp_v4 redirect packets") we use 'n_redirects' to account +for redirect packets, but we still use 'rate_tokens' to compute +the redirect packets exponential backoff. + +If the device sent to the relevant peer any ICMP error packet +after sending a redirect, it will also update 'rate_token' according +to the leaking bucket schema; typically 'rate_token' will raise +above BITS_PER_LONG and the redirect packets backoff algorithm +will produce undefined behavior. + +Fix the issue using 'n_redirects' to compute the exponential backoff +in ip_rt_send_redirect(). + +Note that we still clear rate_tokens after a redirect silence period, +to avoid changing an established behaviour. + +The root cause predates git history; before the mentioned commit in +the critical scenario, the kernel stopped sending redirects, after +the mentioned commit the behavior more randomic. + +Reported-by: Xiumei Mu +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Fixes: c09551c6ff7f ("net: ipv4: use a dedicated counter for icmp_v4 redirect packets") +Signed-off-by: Paolo Abeni +Acked-by: Lorenzo Bianconi +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/route.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/net/ipv4/route.c ++++ b/net/ipv4/route.c +@@ -897,16 +897,15 @@ void ip_rt_send_redirect(struct sk_buff + if (peer->rate_tokens == 0 || + time_after(jiffies, + (peer->rate_last + +- (ip_rt_redirect_load << peer->rate_tokens)))) { ++ (ip_rt_redirect_load << peer->n_redirects)))) { + __be32 gw = rt_nexthop(rt, ip_hdr(skb)->daddr); + + icmp_send(skb, ICMP_REDIRECT, ICMP_REDIR_HOST, gw); + peer->rate_last = jiffies; +- ++peer->rate_tokens; + ++peer->n_redirects; + #ifdef CONFIG_IP_ROUTE_VERBOSE + if (log_martians && +- peer->rate_tokens == ip_rt_redirect_number) ++ peer->n_redirects == ip_rt_redirect_number) + net_warn_ratelimited("host %pI4/if%d ignores redirects for %pI4 to %pI4\n", + &ip_hdr(skb)->saddr, inet_iif(skb), + &ip_hdr(skb)->daddr, &gw); diff --git a/queue-4.4/net-qlogic-fix-memory-leak-in-ql_alloc_large_buffers.patch b/queue-4.4/net-qlogic-fix-memory-leak-in-ql_alloc_large_buffers.patch new file mode 100644 index 00000000000..ae424bac0a7 --- /dev/null +++ b/queue-4.4/net-qlogic-fix-memory-leak-in-ql_alloc_large_buffers.patch 
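Review bot: Mixed usage survives on the first context line of the hunk: the guard still tests `peer->rate_tokens == 0` while the backoff shift and the log threshold now use `peer->n_redirects`. The commit message says rate_tokens is deliberately still cleared after a silence period, so this is probably intentional, but a reader of this line cannot tell; a comment such as `/* rate_tokens is still reset on silence; n_redirects alone drives the backoff */` above the `if` would record that. The shift `ip_rt_redirect_load << peer->n_redirects` is only defined while n_redirects stays below BITS_PER_LONG; the comparison against ip_rt_redirect_number that bounds it is outside this hunk and ip_rt_redirect_number is sysctl-tunable, so confirm the bound still holds before the shift is reached. ip_rt_send_redirect() starts and ends outside the hunk.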
@@ -0,0 +1,30 @@ +From foo@baz Sun 06 Oct 2019 11:10:46 AM CEST +From: Navid Emamdoost +Date: Fri, 4 Oct 2019 15:24:39 -0500 +Subject: net: qlogic: Fix memory leak in ql_alloc_large_buffers + +From: Navid Emamdoost + +[ Upstream commit 1acb8f2a7a9f10543868ddd737e37424d5c36cf4 ] + +In ql_alloc_large_buffers, a new skb is allocated via netdev_alloc_skb. +This skb should be released if pci_dma_mapping_error fails. + +Fixes: 0f8ab89e825f ("qla3xxx: Check return code from pci_map_single() in ql_release_to_lrg_buf_free_list(), ql_populate_free_queue(), ql_alloc_large_buffers(), and ql3xxx_send()") +Signed-off-by: Navid Emamdoost +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/qlogic/qla3xxx.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/ethernet/qlogic/qla3xxx.c ++++ b/drivers/net/ethernet/qlogic/qla3xxx.c +@@ -2783,6 +2783,7 @@ static int ql_alloc_large_buffers(struct + netdev_err(qdev->ndev, + "PCI mapping failed with error: %d\n", + err); ++ dev_kfree_skb_irq(skb); + ql_free_large_buffers(qdev); + return -ENOMEM; + } diff --git a/queue-4.4/net-rds-fix-error-handling-in-rds_ib_add_one.patch b/queue-4.4/net-rds-fix-error-handling-in-rds_ib_add_one.patch new file mode 100644 index 00000000000..992bd4f6da0 --- /dev/null +++ b/queue-4.4/net-rds-fix-error-handling-in-rds_ib_add_one.patch 
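Review bot: The added `dev_kfree_skb_irq(skb)` frees an skb that ql_free_large_buffers() may free again: if `lrg_buf_cb->skb = skb` has already been stored for this index before pci_map_single() is attempted (that assignment would be above the hunk), the leak becomes a double free. If so, the safer form is to leave the skb attached and let ql_free_large_buffers() release it, or to write `lrg_buf_cb->skb = NULL;` before freeing here; please confirm against the lines preceding the hunk. Separately, ql_alloc_large_buffers() appears to run in process context, in which case `dev_kfree_skb()` or `dev_kfree_skb_any()` would be the conventional call; `_irq` is not wrong but implies a context the function presumably does not have — hedged, since the callers are not visible.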
@@ -0,0 +1,47 @@ +From foo@baz Sun 06 Oct 2019 11:10:46 AM CEST +From: Dotan Barak +Date: Tue, 1 Oct 2019 10:21:02 -0700 +Subject: net/rds: Fix error handling in rds_ib_add_one() + +From: Dotan Barak + +[ Upstream commit d64bf89a75b65f83f06be9fb8f978e60d53752db ] + +rds_ibdev:ipaddr_list and rds_ibdev:conn_list are initialized +after allocation some resources such as protection domain. +If allocation of such resources fail, then these uninitialized +variables are accessed in rds_ib_dev_free() in failure path. This +can potentially crash the system. The code has been updated to +initialize these variables very early in the function. + +Signed-off-by: Dotan Barak +Signed-off-by: Sudhakar Dindukurti +Acked-by: Santosh Shilimkar +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/rds/ib.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/net/rds/ib.c ++++ b/net/rds/ib.c +@@ -146,6 +146,9 @@ static void rds_ib_add_one(struct ib_dev + atomic_set(&rds_ibdev->refcount, 1); + INIT_WORK(&rds_ibdev->free_work, rds_ib_dev_free); + ++ INIT_LIST_HEAD(&rds_ibdev->ipaddr_list); ++ INIT_LIST_HEAD(&rds_ibdev->conn_list); ++ + rds_ibdev->max_wrs = dev_attr->max_qp_wr; + rds_ibdev->max_sge = min(dev_attr->max_sge, RDS_IB_MAX_SGE); + +@@ -187,9 +190,6 @@ static void rds_ib_add_one(struct ib_dev + rds_ibdev->fmr_max_remaps, rds_ibdev->max_1m_fmrs, + rds_ibdev->max_8k_fmrs); + +- INIT_LIST_HEAD(&rds_ibdev->ipaddr_list); +- INIT_LIST_HEAD(&rds_ibdev->conn_list); +- + down_write(&rds_ib_devices_lock); + list_add_tail_rcu(&rds_ibdev->list, &rds_ib_devices); + up_write(&rds_ib_devices_lock); diff --git a/queue-4.4/nfc-fix-memory-leak-in-llcp_sock_bind.patch b/queue-4.4/nfc-fix-memory-leak-in-llcp_sock_bind.patch new file mode 100644 index 00000000000..5b889ffe6c5 --- /dev/null +++ b/queue-4.4/nfc-fix-memory-leak-in-llcp_sock_bind.patch 
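Review bot: The moved `INIT_LIST_HEAD` calls carry no comment explaining why they must precede the first failure path, so a later reorder could quietly reintroduce the crash this commit fixes. A comment above them such as `/* Must be initialized before any error path: rds_ib_dev_free() walks both lists. */` would pin the ordering. rds_ib_add_one() starts and ends outside the hunk, so whether any release path already precedes the new position cannot be seen here and is worth confirming.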
@@ -0,0 +1,62 @@ +From foo@baz Sun 06 Oct 2019 11:10:46 AM CEST +From: Eric Dumazet +Date: Fri, 4 Oct 2019 11:08:34 -0700 +Subject: nfc: fix memory leak in llcp_sock_bind() + +From: Eric Dumazet + +[ Upstream commit a0c2dc1fe63e2869b74c1c7f6a81d1745c8a695d ] + +sysbot reported a memory leak after a bind() has failed. + +While we are at it, abort the operation if kmemdup() has failed. + +BUG: memory leak +unreferenced object 0xffff888105d83ec0 (size 32): + comm "syz-executor067", pid 7207, jiffies 4294956228 (age 19.430s) + hex dump (first 32 bytes): + 00 69 6c 65 20 72 65 61 64 00 6e 65 74 3a 5b 34 .ile read.net:[4 + 30 32 36 35 33 33 30 39 37 5d 00 00 00 00 00 00 026533097]...... + backtrace: + [<0000000036bac473>] kmemleak_alloc_recursive /./include/linux/kmemleak.h:43 [inline] + [<0000000036bac473>] slab_post_alloc_hook /mm/slab.h:522 [inline] + [<0000000036bac473>] slab_alloc /mm/slab.c:3319 [inline] + [<0000000036bac473>] __do_kmalloc /mm/slab.c:3653 [inline] + [<0000000036bac473>] __kmalloc_track_caller+0x169/0x2d0 /mm/slab.c:3670 + [<000000000cd39d07>] kmemdup+0x27/0x60 /mm/util.c:120 + [<000000008e57e5fc>] kmemdup /./include/linux/string.h:432 [inline] + [<000000008e57e5fc>] llcp_sock_bind+0x1b3/0x230 /net/nfc/llcp_sock.c:107 + [<000000009cb0b5d3>] __sys_bind+0x11c/0x140 /net/socket.c:1647 + [<00000000492c3bbc>] __do_sys_bind /net/socket.c:1658 [inline] + [<00000000492c3bbc>] __se_sys_bind /net/socket.c:1656 [inline] + [<00000000492c3bbc>] __x64_sys_bind+0x1e/0x30 /net/socket.c:1656 + [<0000000008704b2a>] do_syscall_64+0x76/0x1a0 /arch/x86/entry/common.c:296 + [<000000009f4c57a4>] entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +Fixes: 30cc4587659e ("NFC: Move LLCP code to the NFC top level diirectory") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/nfc/llcp_sock.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/net/nfc/llcp_sock.c ++++ b/net/nfc/llcp_sock.c +@@ -118,9 +118,14 @@ static int llcp_sock_bind(struct socket + llcp_sock->service_name = kmemdup(llcp_addr.service_name, + llcp_sock->service_name_len, + GFP_KERNEL); +- ++ if (!llcp_sock->service_name) { ++ ret = -ENOMEM; ++ goto put_dev; ++ } + llcp_sock->ssap = nfc_llcp_get_sdp_ssap(local, llcp_sock); + if (llcp_sock->ssap == LLCP_SAP_MAX) { ++ kfree(llcp_sock->service_name); ++ llcp_sock->service_name = NULL; + ret = -EADDRINUSE; + goto put_dev; + } diff --git a/queue-4.4/sch_cbq-validate-tca_cbq_wrropt-to-avoid-crash.patch b/queue-4.4/sch_cbq-validate-tca_cbq_wrropt-to-avoid-crash.patch new file mode 100644 index 00000000000..3f402833571 --- /dev/null +++ b/queue-4.4/sch_cbq-validate-tca_cbq_wrropt-to-avoid-crash.patch 
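Review bot: The new cleanup on the `LLCP_SAP_MAX` path frees `service_name` and NULLs the pointer but leaves `llcp_sock->service_name_len` set, so the socket carries a non-zero length for a NULL buffer until the next bind attempt; adding `llcp_sock->service_name_len = 0;` alongside keeps the pair consistent for any reader that trusts the length. The kmemdup() failure branch jumps to `put_dev` before `ssap` is assigned, which looks correct, but llcp_sock_bind() continues past the hunk, and any later `goto put_dev` after this point would need the same free — please check those paths.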
@@ -0,0 +1,112 @@ +From foo@baz Sun 06 Oct 2019 10:01:35 AM CEST +From: Eric Dumazet +Date: Thu, 26 Sep 2019 18:24:43 -0700 +Subject: sch_cbq: validate TCA_CBQ_WRROPT to avoid crash + +From: Eric Dumazet + +[ Upstream commit e9789c7cc182484fc031fd88097eb14cb26c4596 ] + +syzbot reported a crash in cbq_normalize_quanta() caused +by an out of range cl->priority. + +iproute2 enforces this check, but malicious users do not. + +kasan: CONFIG_KASAN_INLINE enabled +kasan: GPF could be caused by NULL-ptr deref or user memory access +general protection fault: 0000 [#1] SMP KASAN PTI +Modules linked in: +CPU: 1 PID: 26447 Comm: syz-executor.1 Not tainted 5.3+ #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +RIP: 0010:cbq_normalize_quanta.part.0+0x1fd/0x430 net/sched/sch_cbq.c:902 +RSP: 0018:ffff8801a5c333b0 EFLAGS: 00010206 +RAX: 0000000020000003 RBX: 00000000fffffff8 RCX: ffffc9000712f000 +RDX: 00000000000043bf RSI: ffffffff83be8962 RDI: 0000000100000018 +RBP: ffff8801a5c33420 R08: 000000000000003a R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000000 R12: 00000000000002ef +R13: ffff88018da95188 R14: dffffc0000000000 R15: 0000000000000015 +FS: 00007f37d26b1700(0000) GS:ffff8801dad00000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00000000004c7cec CR3: 00000001bcd0a006 CR4: 00000000001626f0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + [] cbq_normalize_quanta include/net/pkt_sched.h:27 [inline] + [] cbq_addprio net/sched/sch_cbq.c:1097 [inline] + [] cbq_set_wrr+0x2d7/0x450 net/sched/sch_cbq.c:1115 + [] cbq_change_class+0x987/0x225b net/sched/sch_cbq.c:1537 + [] tc_ctl_tclass+0x555/0xcd0 net/sched/sch_api.c:2329 + [] rtnetlink_rcv_msg+0x485/0xc10 net/core/rtnetlink.c:5248 + [] netlink_rcv_skb+0x17a/0x460 net/netlink/af_netlink.c:2510 + [] rtnetlink_rcv+0x1d/0x30 
net/core/rtnetlink.c:5266 + [] netlink_unicast_kernel net/netlink/af_netlink.c:1324 [inline] + [] netlink_unicast+0x536/0x720 net/netlink/af_netlink.c:1350 + [] netlink_sendmsg+0x89a/0xd50 net/netlink/af_netlink.c:1939 + [] sock_sendmsg_nosec net/socket.c:673 [inline] + [] sock_sendmsg+0x12e/0x170 net/socket.c:684 + [] ___sys_sendmsg+0x81d/0x960 net/socket.c:2359 + [] __sys_sendmsg+0x105/0x1d0 net/socket.c:2397 + [] SYSC_sendmsg net/socket.c:2406 [inline] + [] SyS_sendmsg+0x29/0x30 net/socket.c:2404 + [] do_syscall_64+0x528/0x770 arch/x86/entry/common.c:305 + [] entry_SYSCALL_64_after_hwframe+0x42/0xb7 + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/sched/sch_cbq.c | 27 ++++++++++++++++++++++----- + 1 file changed, 22 insertions(+), 5 deletions(-) + +--- a/net/sched/sch_cbq.c ++++ b/net/sched/sch_cbq.c +@@ -1340,6 +1340,26 @@ static const struct nla_policy cbq_polic + [TCA_CBQ_POLICE] = { .len = sizeof(struct tc_cbq_police) }, + }; + ++static int cbq_opt_parse(struct nlattr *tb[TCA_CBQ_MAX + 1], struct nlattr *opt) ++{ ++ int err; ++ ++ if (!opt) ++ return -EINVAL; ++ ++ err = nla_parse_nested(tb, TCA_CBQ_MAX, opt, cbq_policy); ++ if (err < 0) ++ return err; ++ ++ if (tb[TCA_CBQ_WRROPT]) { ++ const struct tc_cbq_wrropt *wrr = nla_data(tb[TCA_CBQ_WRROPT]); ++ ++ if (wrr->priority > TC_CBQ_MAXPRIO) ++ err = -EINVAL; ++ } ++ return err; ++} ++ + static int cbq_init(struct Qdisc *sch, struct nlattr *opt) + { + struct cbq_sched_data *q = qdisc_priv(sch); +@@ -1347,7 +1367,7 @@ static int cbq_init(struct Qdisc *sch, s + struct tc_ratespec *r; + int err; + +- err = nla_parse_nested(tb, TCA_CBQ_MAX, opt, cbq_policy); ++ err = cbq_opt_parse(tb, opt); + if (err < 0) + return err; + +@@ -1728,10 +1748,7 @@ cbq_change_class(struct Qdisc *sch, u32 + struct cbq_class *parent; + struct qdisc_rate_table *rtab = NULL; + +- if (opt == NULL) +- return -EINVAL; 
+- +- err = nla_parse_nested(tb, TCA_CBQ_MAX, opt, cbq_policy); ++ err = cbq_opt_parse(tb, opt); + if (err < 0) + return err; + diff --git a/queue-4.4/sch_dsmark-fix-potential-null-deref-in-dsmark_init.patch b/queue-4.4/sch_dsmark-fix-potential-null-deref-in-dsmark_init.patch new file mode 100644 index 00000000000..0ffa25b7817 --- /dev/null +++ b/queue-4.4/sch_dsmark-fix-potential-null-deref-in-dsmark_init.patch 
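Review bot: The new `wrr->priority` read in cbq_opt_parse() is only safe if `cbq_policy` carries a `.len = sizeof(struct tc_cbq_wrropt)` entry for TCA_CBQ_WRROPT; the only policy line visible in the hunk covers TCA_CBQ_POLICE, so confirm the WRROPT entry exists, otherwise a short attribute would be read past its end. The helper would also benefit from a header comment stating its contract, e.g. `/* Parse and validate CBQ options: rejects a missing opt and a WRROPT priority above TC_CBQ_MAXPRIO. Returns 0 or -errno. */`. cbq_init() and cbq_change_class() both continue outside the hunk.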
@@ -0,0 +1,73 @@ +From foo@baz Sun 06 Oct 2019 11:10:46 AM CEST +From: Eric Dumazet +Date: Fri, 4 Oct 2019 10:34:45 -0700 +Subject: sch_dsmark: fix potential NULL deref in dsmark_init() + +From: Eric Dumazet + +[ Upstream commit 474f0813a3002cb299bb73a5a93aa1f537a80ca8 ] + +Make sure TCA_DSMARK_INDICES was provided by the user. + +syzbot reported : + +kasan: CONFIG_KASAN_INLINE enabled +kasan: GPF could be caused by NULL-ptr deref or user memory access +general protection fault: 0000 [#1] PREEMPT SMP KASAN +CPU: 1 PID: 8799 Comm: syz-executor235 Not tainted 5.3.0+ #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +RIP: 0010:nla_get_u16 include/net/netlink.h:1501 [inline] +RIP: 0010:dsmark_init net/sched/sch_dsmark.c:364 [inline] +RIP: 0010:dsmark_init+0x193/0x640 net/sched/sch_dsmark.c:339 +Code: 85 db 58 0f 88 7d 03 00 00 e8 e9 1a ac fb 48 8b 9d 70 ff ff ff 48 b8 00 00 00 00 00 fc ff df 48 8d 7b 04 48 89 fa 48 c1 ea 03 <0f> b6 14 02 48 89 f8 83 e0 07 83 c0 01 38 d0 7c 08 84 d2 0f 85 ca +RSP: 0018:ffff88809426f3b8 EFLAGS: 00010247 +RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff85c6eb09 +RDX: 0000000000000000 RSI: ffffffff85c6eb17 RDI: 0000000000000004 +RBP: ffff88809426f4b0 R08: ffff88808c4085c0 R09: ffffed1015d26159 +R10: ffffed1015d26158 R11: ffff8880ae930ac7 R12: ffff8880a7e96940 +R13: dffffc0000000000 R14: ffff88809426f8c0 R15: 0000000000000000 +FS: 0000000001292880(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000000020000080 CR3: 000000008ca1b000 CR4: 00000000001406e0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + qdisc_create+0x4ee/0x1210 net/sched/sch_api.c:1237 + tc_modify_qdisc+0x524/0x1c50 net/sched/sch_api.c:1653 + rtnetlink_rcv_msg+0x463/0xb00 net/core/rtnetlink.c:5223 + netlink_rcv_skb+0x177/0x450 net/netlink/af_netlink.c:2477 + 
rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:5241 + netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline] + netlink_unicast+0x531/0x710 net/netlink/af_netlink.c:1328 + netlink_sendmsg+0x8a5/0xd60 net/netlink/af_netlink.c:1917 + sock_sendmsg_nosec net/socket.c:637 [inline] + sock_sendmsg+0xd7/0x130 net/socket.c:657 + ___sys_sendmsg+0x803/0x920 net/socket.c:2311 + __sys_sendmsg+0x105/0x1d0 net/socket.c:2356 + __do_sys_sendmsg net/socket.c:2365 [inline] + __se_sys_sendmsg net/socket.c:2363 [inline] + __x64_sys_sendmsg+0x78/0xb0 net/socket.c:2363 + do_syscall_64+0xfa/0x760 arch/x86/entry/common.c:290 + entry_SYSCALL_64_after_hwframe+0x49/0xbe +RIP: 0033:0x440369 + +Fixes: 758cc43c6d73 ("[PKT_SCHED]: Fix dsmark to apply changes consistent") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/sched/sch_dsmark.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/net/sched/sch_dsmark.c ++++ b/net/sched/sch_dsmark.c +@@ -362,6 +362,8 @@ static int dsmark_init(struct Qdisc *sch + goto errout; + + err = -EINVAL; ++ if (!tb[TCA_DSMARK_INDICES]) ++ goto errout; + indices = nla_get_u16(tb[TCA_DSMARK_INDICES]); + + if (hweight32(indices) != 1) diff --git a/queue-4.4/series b/queue-4.4/series index 1c82a349191..05c620efaa2 100644 --- a/queue-4.4/series +++ b/queue-4.4/series 
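Review bot: The new presence check relies on `err = -EINVAL;` having been set on the immediately preceding line, a dependency that is easy to lose in a later refactor; a comment on the new `if` such as `/* TCA_DSMARK_INDICES is mandatory: the nla_policy validates type, not presence */` would document both the intent and the reliance on `err`. dsmark_init() starts and ends outside the hunk, so whether the other attributes read later are individually guarded cannot be seen here.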
@@ -22,3 +22,12 @@ ocfs2-wait-for-recovering-done-after-direct-unlock-r.patch kmemleak-increase-debug_kmemleak_early_log_size-defa.patch android-binder-remove-waitqueue-when-thread-exits.patch android-binder-synchronize_rcu-when-using-pollfree.patch +hso-fix-null-deref-on-tty-open.patch +ipv6-drop-incoming-packets-having-a-v4mapped-source-address.patch +net-ipv4-avoid-mixed-n_redirects-and-rate_tokens-usage.patch +net-qlogic-fix-memory-leak-in-ql_alloc_large_buffers.patch +nfc-fix-memory-leak-in-llcp_sock_bind.patch +sch_dsmark-fix-potential-null-deref-in-dsmark_init.patch +xen-netfront-do-not-use-0u-as-error-return-value-for-xennet_fill_frags.patch +net-rds-fix-error-handling-in-rds_ib_add_one.patch +sch_cbq-validate-tca_cbq_wrropt-to-avoid-crash.patch diff --git a/queue-4.4/xen-netfront-do-not-use-0u-as-error-return-value-for-xennet_fill_frags.patch b/queue-4.4/xen-netfront-do-not-use-0u-as-error-return-value-for-xennet_fill_frags.patch new file mode 100644 index 00000000000..a04f054bfdc --- /dev/null +++ b/queue-4.4/xen-netfront-do-not-use-0u-as-error-return-value-for-xennet_fill_frags.patch 
@@ -0,0 +1,95 @@ +From foo@baz Sun 06 Oct 2019 11:10:46 AM CEST +From: Dongli Zhang +Date: Tue, 1 Oct 2019 21:56:41 +0800 +Subject: xen-netfront: do not use ~0U as error return value for xennet_fill_frags() + +From: Dongli Zhang + +[ Upstream commit a761129e3625688310aecf26e1be9e98e85f8eb5 ] + +xennet_fill_frags() uses ~0U as return value when the sk_buff is not able +to cache extra fragments. This is incorrect because the return type of +xennet_fill_frags() is RING_IDX and 0xffffffff is an expected value for +ring buffer index. + +In the situation when the rsp_cons is approaching 0xffffffff, the return +value of xennet_fill_frags() may become 0xffffffff which xennet_poll() (the +caller) would regard as error. As a result, queue->rx.rsp_cons is set +incorrectly because it is updated only when there is error. If there is no +error, xennet_poll() would be responsible to update queue->rx.rsp_cons. +Finally, queue->rx.rsp_cons would point to the rx ring buffer entries whose +queue->rx_skbs[i] and queue->grant_rx_ref[i] are already cleared to NULL. +This leads to NULL pointer access in the next iteration to process rx ring +buffer entries. + +The symptom is similar to the one fixed in +commit 00b368502d18 ("xen-netfront: do not assume sk_buff_head list is +empty in error handling"). + +This patch changes the return type of xennet_fill_frags() to indicate +whether it is successful or failed. The queue->rx.rsp_cons will be +always updated inside this function. + +Fixes: ad4f15dc2c70 ("xen/netfront: don't bug in case of too many frags") +Signed-off-by: Dongli Zhang +Reviewed-by: Juergen Gross +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/xen-netfront.c | 17 +++++++++-------- + 1 file changed, 9 insertions(+), 8 deletions(-) + +--- a/drivers/net/xen-netfront.c ++++ b/drivers/net/xen-netfront.c +@@ -874,9 +874,9 @@ static int xennet_set_skb_gso(struct sk_ + return 0; + } + +-static RING_IDX xennet_fill_frags(struct netfront_queue *queue, +- struct sk_buff *skb, +- struct sk_buff_head *list) ++static int xennet_fill_frags(struct netfront_queue *queue, ++ struct sk_buff *skb, ++ struct sk_buff_head *list) + { + RING_IDX cons = queue->rx.rsp_cons; + struct sk_buff *nskb; +@@ -895,7 +895,7 @@ static RING_IDX xennet_fill_frags(struct + if (unlikely(skb_shinfo(skb)->nr_frags >= MAX_SKB_FRAGS)) { + queue->rx.rsp_cons = ++cons + skb_queue_len(list); + kfree_skb(nskb); +- return ~0U; ++ return -ENOENT; + } + + skb_add_rx_frag(skb, skb_shinfo(skb)->nr_frags, +@@ -906,7 +906,9 @@ static RING_IDX xennet_fill_frags(struct + kfree_skb(nskb); + } + +- return cons; ++ queue->rx.rsp_cons = cons; ++ ++ return 0; + } + + static int checksum_setup(struct net_device *dev, struct sk_buff *skb) +@@ -1032,8 +1034,7 @@ err: + skb->data_len = rx->status; + skb->len += rx->status; + +- i = xennet_fill_frags(queue, skb, &tmpq); +- if (unlikely(i == ~0U)) ++ if (unlikely(xennet_fill_frags(queue, skb, &tmpq))) + goto err; + + if (rx->flags & XEN_NETRXF_csum_blank) +@@ -1043,7 +1044,7 @@ err: + + __skb_queue_tail(&rxq, skb); + +- queue->rx.rsp_cons = ++i; ++ i = ++queue->rx.rsp_cons; + work_done++; + } + -- 2.47.2
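Review bot: The new return contract of xennet_fill_frags() — 0 or -ENOENT, with `queue->rx.rsp_cons` advanced in both cases — is stated only in the commit message; a header comment on the function saying so, and that the caller must not touch rsp_cons on failure, would stop the next reader from re-adding an `i == ~0U` style check. In the caller, `if (unlikely(xennet_fill_frags(queue, skb, &tmpq)))` tests a negative errno for truth; `if (unlikely(xennet_fill_frags(queue, skb, &tmpq) < 0))` reads more clearly and matches the new int return. The `err:` label and the handling of skbs still queued on `tmpq` after an -ENOENT return are outside the hunk.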