From 6dcf364c8cce0a837056f8d707a31ce14b3ac4aa Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Thu, 10 Dec 2020 16:37:08 +0100
Subject: [PATCH] drop geneve-pull-ip-header-before-ecn-decapsulation.patch from 4.4, 4.9, 4.14
---
 ...l-ip-header-before-ecn-decapsulation.patch | 124 ------------------
 queue-4.14/series | 1 -
 ...l-ip-header-before-ecn-decapsulation.patch | 121 -----------------
 queue-4.4/series | 1 -
 ...l-ip-header-before-ecn-decapsulation.patch | 124 ------------------
 queue-4.9/series | 1 -
 6 files changed, 372 deletions(-)
 delete mode 100644 queue-4.14/geneve-pull-ip-header-before-ecn-decapsulation.patch
 delete mode 100644 queue-4.4/geneve-pull-ip-header-before-ecn-decapsulation.patch
 delete mode 100644 queue-4.9/geneve-pull-ip-header-before-ecn-decapsulation.patch
diff --git a/queue-4.14/geneve-pull-ip-header-before-ecn-decapsulation.patch b/queue-4.14/geneve-pull-ip-header-before-ecn-decapsulation.patch
deleted file mode 100644
index e30902df864..00000000000
--- a/queue-4.14/geneve-pull-ip-header-before-ecn-decapsulation.patch
+++ /dev/null
@@ -1,124 +0,0 @@
-From b4bbb28bdf8efd5679eacd0d9069437492e0d63f Mon Sep 17 00:00:00 2001
-From: Sasha Levin
-Date: Tue, 1 Dec 2020 01:05:07 -0800
-Subject: geneve: pull IP header before ECN decapsulation
-
-From: Eric Dumazet
-
-IP_ECN_decapsulate() and IP6_ECN_decapsulate() assume
-IP header is already pulled.
-
-geneve does not ensure this yet.
-
-Fixing this generically in IP_ECN_decapsulate() and
-IP6_ECN_decapsulate() is not possible, since callers
-pass a pointer that might be freed by pskb_may_pull()
-
-syzbot reported :
-
-BUG: KMSAN: uninit-value in __INET_ECN_decapsulate include/net/inet_ecn.h:238 [inline]
-BUG: KMSAN: uninit-value in INET_ECN_decapsulate+0x345/0x1db0 include/net/inet_ecn.h:260
-CPU: 1 PID: 8941 Comm: syz-executor.0 Not tainted 5.10.0-rc4-syzkaller #0
-Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
-Call Trace:
-
- __dump_stack lib/dump_stack.c:77 [inline]
- dump_stack+0x21c/0x280 lib/dump_stack.c:118
- kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:118
- __msan_warning+0x5f/0xa0 mm/kmsan/kmsan_instr.c:197
- __INET_ECN_decapsulate include/net/inet_ecn.h:238 [inline]
- INET_ECN_decapsulate+0x345/0x1db0 include/net/inet_ecn.h:260
- geneve_rx+0x2103/0x2980 include/net/inet_ecn.h:306
- geneve_udp_encap_recv+0x105c/0x1340 drivers/net/geneve.c:377
- udp_queue_rcv_one_skb+0x193a/0x1af0 net/ipv4/udp.c:2093
- udp_queue_rcv_skb+0x282/0x1050 net/ipv4/udp.c:2167
- udp_unicast_rcv_skb net/ipv4/udp.c:2325 [inline]
- __udp4_lib_rcv+0x399d/0x5880 net/ipv4/udp.c:2394
- udp_rcv+0x5c/0x70 net/ipv4/udp.c:2564
- ip_protocol_deliver_rcu+0x572/0xc50 net/ipv4/ip_input.c:204
- ip_local_deliver_finish net/ipv4/ip_input.c:231 [inline]
- NF_HOOK include/linux/netfilter.h:301 [inline]
- ip_local_deliver+0x583/0x8d0 net/ipv4/ip_input.c:252
- dst_input include/net/dst.h:449 [inline]
- ip_rcv_finish net/ipv4/ip_input.c:428 [inline]
- NF_HOOK include/linux/netfilter.h:301 [inline]
- ip_rcv+0x5c3/0x840 net/ipv4/ip_input.c:539
- __netif_receive_skb_one_core net/core/dev.c:5315 [inline]
- __netif_receive_skb+0x1ec/0x640 net/core/dev.c:5429
- process_backlog+0x523/0xc10 net/core/dev.c:6319
- napi_poll+0x420/0x1010 net/core/dev.c:6763
- net_rx_action+0x35c/0xd40 net/core/dev.c:6833
- __do_softirq+0x1a9/0x6fa kernel/softirq.c:298
- asm_call_irq_on_stack+0xf/0x20
-
- __run_on_irqstack arch/x86/include/asm/irq_stack.h:26 [inline]
- run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:77 [inline]
- do_softirq_own_stack+0x6e/0x90 arch/x86/kernel/irq_64.c:77
- do_softirq kernel/softirq.c:343 [inline]
- __local_bh_enable_ip+0x184/0x1d0 kernel/softirq.c:195
- local_bh_enable+0x36/0x40 include/linux/bottom_half.h:32
- rcu_read_unlock_bh include/linux/rcupdate.h:730 [inline]
- __dev_queue_xmit+0x3a9b/0x4520 net/core/dev.c:4167
- dev_queue_xmit+0x4b/0x60 net/core/dev.c:4173
- packet_snd net/packet/af_packet.c:2992 [inline]
- packet_sendmsg+0x86f9/0x99d0 net/packet/af_packet.c:3017
- sock_sendmsg_nosec net/socket.c:651 [inline]
- sock_sendmsg net/socket.c:671 [inline]
- __sys_sendto+0x9dc/0xc80 net/socket.c:1992
- __do_sys_sendto net/socket.c:2004 [inline]
- __se_sys_sendto+0x107/0x130 net/socket.c:2000
- __x64_sys_sendto+0x6e/0x90 net/socket.c:2000
- do_syscall_64+0x9f/0x140 arch/x86/entry/common.c:48
- entry_SYSCALL_64_after_hwframe+0x44/0xa9
-
-Fixes: 2d07dc79fe04 ("geneve: add initial netdev driver for GENEVE tunnels")
-Signed-off-by: Eric Dumazet
-Reported-by: syzbot
-Link: https://lore.kernel.org/r/20201201090507.4137906-1-eric.dumazet@gmail.com
-Signed-off-by: Jakub Kicinski
----
- drivers/net/geneve.c | 20 ++++++++++++++++----
- 1 file changed, 16 insertions(+), 4 deletions(-)
-
-diff --git a/drivers/net/geneve.c b/drivers/net/geneve.c
-index f48006c22a8a6..5eb7f409dc10b 100644
---- a/drivers/net/geneve.c
-+++ b/drivers/net/geneve.c
-@@ -254,11 +254,21 @@ static void geneve_rx(struct geneve_dev *geneve, struct geneve_sock *gs,
- skb_dst_set(skb, &tun_dst->dst);
-
- /* Ignore packet loops (and multicast echo) */
-- if (ether_addr_equal(eth_hdr(skb)->h_source, geneve->dev->dev_addr)) {
-- geneve->dev->stats.rx_errors++;
-- goto drop;
-+ if (ether_addr_equal(eth_hdr(skb)->h_source, geneve->dev->dev_addr))
-+ goto rx_error;
-+
-+ switch (skb_protocol(skb, true)) {
-+ case htons(ETH_P_IP):
-+ if (pskb_may_pull(skb, sizeof(struct iphdr)))
-+ goto rx_error;
-+ break;
-+ case htons(ETH_P_IPV6):
-+ if (pskb_may_pull(skb, sizeof(struct ipv6hdr)))
-+ goto rx_error;
-+ break;
-+ default:
-+ goto rx_error;
- }
--
- oiph = skb_network_header(skb);
- skb_reset_network_header(skb);
-
-@@ -299,6 +309,8 @@ static void geneve_rx(struct geneve_dev *geneve, struct geneve_sock *gs,
- u64_stats_update_end(&stats->syncp);
- }
- return;
-+rx_error:
-+ geneve->dev->stats.rx_errors++;
- drop:
- /* Consume bad packet */
- kfree_skb(skb);
---
-2.27.0
-
diff --git a/queue-4.14/series b/queue-4.14/series
index 83ac8653f6d..c8869475fe1 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -1,7 +1,6 @@
 pinctrl-baytrail-replace-warn-with-dev_info_once-whe.patch
 pinctrl-baytrail-fix-pin-being-driven-low-for-a-whil.patch
 vlan-consolidate-vlan-parsing-code-and-limit-max-par.patch
-geneve-pull-ip-header-before-ecn-decapsulation.patch
 usb-gadget-f_fs-use-local-copy-of-descriptors-for-userspace-copy.patch
 usb-serial-kl5kusb105-fix-memleak-on-open.patch
 usb-serial-ch341-add-new-product-id-for-ch341a.patch
diff --git a/queue-4.4/geneve-pull-ip-header-before-ecn-decapsulation.patch b/queue-4.4/geneve-pull-ip-header-before-ecn-decapsulation.patch
deleted file mode 100644
index 074fa19b089..00000000000
--- a/queue-4.4/geneve-pull-ip-header-before-ecn-decapsulation.patch
+++ /dev/null
@@ -1,121 +0,0 @@
-From f46a8a36a32444b67e9b727c36d1262f609bd974 Mon Sep 17 00:00:00 2001
-From: Sasha Levin
-Date: Tue, 1 Dec 2020 01:05:07 -0800
-Subject: geneve: pull IP header before ECN decapsulation
-
-From: Eric Dumazet
-
-IP_ECN_decapsulate() and IP6_ECN_decapsulate() assume
-IP header is already pulled.
-
-geneve does not ensure this yet.
-
-Fixing this generically in IP_ECN_decapsulate() and
-IP6_ECN_decapsulate() is not possible, since callers
-pass a pointer that might be freed by pskb_may_pull()
-
-syzbot reported :
-
-BUG: KMSAN: uninit-value in __INET_ECN_decapsulate include/net/inet_ecn.h:238 [inline]
-BUG: KMSAN: uninit-value in INET_ECN_decapsulate+0x345/0x1db0 include/net/inet_ecn.h:260
-CPU: 1 PID: 8941 Comm: syz-executor.0 Not tainted 5.10.0-rc4-syzkaller #0
-Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
-Call Trace:
-
- __dump_stack lib/dump_stack.c:77 [inline]
- dump_stack+0x21c/0x280 lib/dump_stack.c:118
- kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:118
- __msan_warning+0x5f/0xa0 mm/kmsan/kmsan_instr.c:197
- __INET_ECN_decapsulate include/net/inet_ecn.h:238 [inline]
- INET_ECN_decapsulate+0x345/0x1db0 include/net/inet_ecn.h:260
- geneve_rx+0x2103/0x2980 include/net/inet_ecn.h:306
- geneve_udp_encap_recv+0x105c/0x1340 drivers/net/geneve.c:377
- udp_queue_rcv_one_skb+0x193a/0x1af0 net/ipv4/udp.c:2093
- udp_queue_rcv_skb+0x282/0x1050 net/ipv4/udp.c:2167
- udp_unicast_rcv_skb net/ipv4/udp.c:2325 [inline]
- __udp4_lib_rcv+0x399d/0x5880 net/ipv4/udp.c:2394
- udp_rcv+0x5c/0x70 net/ipv4/udp.c:2564
- ip_protocol_deliver_rcu+0x572/0xc50 net/ipv4/ip_input.c:204
- ip_local_deliver_finish net/ipv4/ip_input.c:231 [inline]
- NF_HOOK include/linux/netfilter.h:301 [inline]
- ip_local_deliver+0x583/0x8d0 net/ipv4/ip_input.c:252
- dst_input include/net/dst.h:449 [inline]
- ip_rcv_finish net/ipv4/ip_input.c:428 [inline]
- NF_HOOK include/linux/netfilter.h:301 [inline]
- ip_rcv+0x5c3/0x840 net/ipv4/ip_input.c:539
- __netif_receive_skb_one_core net/core/dev.c:5315 [inline]
- __netif_receive_skb+0x1ec/0x640 net/core/dev.c:5429
- process_backlog+0x523/0xc10 net/core/dev.c:6319
- napi_poll+0x420/0x1010 net/core/dev.c:6763
- net_rx_action+0x35c/0xd40 net/core/dev.c:6833
- __do_softirq+0x1a9/0x6fa kernel/softirq.c:298
- asm_call_irq_on_stack+0xf/0x20
-
- __run_on_irqstack arch/x86/include/asm/irq_stack.h:26 [inline]
- run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:77 [inline]
- do_softirq_own_stack+0x6e/0x90 arch/x86/kernel/irq_64.c:77
- do_softirq kernel/softirq.c:343 [inline]
- __local_bh_enable_ip+0x184/0x1d0 kernel/softirq.c:195
- local_bh_enable+0x36/0x40 include/linux/bottom_half.h:32
- rcu_read_unlock_bh include/linux/rcupdate.h:730 [inline]
- __dev_queue_xmit+0x3a9b/0x4520 net/core/dev.c:4167
- dev_queue_xmit+0x4b/0x60 net/core/dev.c:4173
- packet_snd net/packet/af_packet.c:2992 [inline]
- packet_sendmsg+0x86f9/0x99d0 net/packet/af_packet.c:3017
- sock_sendmsg_nosec net/socket.c:651 [inline]
- sock_sendmsg net/socket.c:671 [inline]
- __sys_sendto+0x9dc/0xc80 net/socket.c:1992
- __do_sys_sendto net/socket.c:2004 [inline]
- __se_sys_sendto+0x107/0x130 net/socket.c:2000
- __x64_sys_sendto+0x6e/0x90 net/socket.c:2000
- do_syscall_64+0x9f/0x140 arch/x86/entry/common.c:48
- entry_SYSCALL_64_after_hwframe+0x44/0xa9
-
-Fixes: 2d07dc79fe04 ("geneve: add initial netdev driver for GENEVE tunnels")
-Signed-off-by: Eric Dumazet
-Reported-by: syzbot
-Link: https://lore.kernel.org/r/20201201090507.4137906-1-eric.dumazet@gmail.com
-Signed-off-by: Jakub Kicinski
----
- drivers/net/geneve.c | 18 ++++++++++++++++--
- 1 file changed, 16 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/net/geneve.c b/drivers/net/geneve.c
-index ee38299f9c578..e0384609fb84a 100644
---- a/drivers/net/geneve.c
-+++ b/drivers/net/geneve.c
-@@ -231,8 +231,20 @@ static void geneve_rx(struct geneve_sock *gs, struct sk_buff *skb)
-
- /* Ignore packet loops (and multicast echo) */
- if (ether_addr_equal(eth_hdr(skb)->h_source, geneve->dev->dev_addr))
-- goto drop;
--
-+ goto rx_error;
-+
-+ switch (skb_protocol(skb, true)) {
-+ case htons(ETH_P_IP):
-+ if (pskb_may_pull(skb, sizeof(struct iphdr)))
-+ goto rx_error;
-+ break;
-+ case htons(ETH_P_IPV6):
-+ if (pskb_may_pull(skb, sizeof(struct ipv6hdr)))
-+ goto rx_error;
-+ break;
-+ default:
-+ goto rx_error;
-+ }
- skb_reset_network_header(skb);
-
- if (iph)
-@@ -269,6 +281,8 @@ static void geneve_rx(struct geneve_sock *gs, struct sk_buff *skb)
-
- gro_cells_receive(&geneve->gro_cells, skb);
- return;
-+rx_error:
-+ geneve->dev->stats.rx_errors++;
- drop:
- /* Consume bad packet */
- kfree_skb(skb);
---
-2.27.0
-
diff --git a/queue-4.4/series b/queue-4.4/series
index f552b8d55a0..c9f7b12c910 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -12,7 +12,6 @@ input-i8042-add-bytespeed-touchpad-to-noloop-table.patch
 powerpc-stop-exporting-__clear_user-which-is-now-inlined.patch
 btrfs-sysfs-init-devices-outside-of-the-chunk_mutex.patch
 vlan-consolidate-vlan-parsing-code-and-limit-max-par.patch
-geneve-pull-ip-header-before-ecn-decapsulation.patch
 usb-gadget-f_fs-use-local-copy-of-descriptors-for-userspace-copy.patch
 usb-serial-kl5kusb105-fix-memleak-on-open.patch
 usb-serial-ch341-add-new-product-id-for-ch341a.patch
diff --git a/queue-4.9/geneve-pull-ip-header-before-ecn-decapsulation.patch b/queue-4.9/geneve-pull-ip-header-before-ecn-decapsulation.patch
deleted file mode 100644
index b83cb29b06a..00000000000
--- a/queue-4.9/geneve-pull-ip-header-before-ecn-decapsulation.patch
+++ /dev/null
@@ -1,124 +0,0 @@
-From b277570b374b625f720c58cfb0a57228571834e8 Mon Sep 17 00:00:00 2001
-From: Sasha Levin
-Date: Tue, 1 Dec 2020 01:05:07 -0800
-Subject: geneve: pull IP header before ECN decapsulation
-
-From: Eric Dumazet
-
-IP_ECN_decapsulate() and IP6_ECN_decapsulate() assume
-IP header is already pulled.
-
-geneve does not ensure this yet.
-
-Fixing this generically in IP_ECN_decapsulate() and
-IP6_ECN_decapsulate() is not possible, since callers
-pass a pointer that might be freed by pskb_may_pull()
-
-syzbot reported :
-
-BUG: KMSAN: uninit-value in __INET_ECN_decapsulate include/net/inet_ecn.h:238 [inline]
-BUG: KMSAN: uninit-value in INET_ECN_decapsulate+0x345/0x1db0 include/net/inet_ecn.h:260
-CPU: 1 PID: 8941 Comm: syz-executor.0 Not tainted 5.10.0-rc4-syzkaller #0
-Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
-Call Trace:
-
- __dump_stack lib/dump_stack.c:77 [inline]
- dump_stack+0x21c/0x280 lib/dump_stack.c:118
- kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:118
- __msan_warning+0x5f/0xa0 mm/kmsan/kmsan_instr.c:197
- __INET_ECN_decapsulate include/net/inet_ecn.h:238 [inline]
- INET_ECN_decapsulate+0x345/0x1db0 include/net/inet_ecn.h:260
- geneve_rx+0x2103/0x2980 include/net/inet_ecn.h:306
- geneve_udp_encap_recv+0x105c/0x1340 drivers/net/geneve.c:377
- udp_queue_rcv_one_skb+0x193a/0x1af0 net/ipv4/udp.c:2093
- udp_queue_rcv_skb+0x282/0x1050 net/ipv4/udp.c:2167
- udp_unicast_rcv_skb net/ipv4/udp.c:2325 [inline]
- __udp4_lib_rcv+0x399d/0x5880 net/ipv4/udp.c:2394
- udp_rcv+0x5c/0x70 net/ipv4/udp.c:2564
- ip_protocol_deliver_rcu+0x572/0xc50 net/ipv4/ip_input.c:204
- ip_local_deliver_finish net/ipv4/ip_input.c:231 [inline]
- NF_HOOK include/linux/netfilter.h:301 [inline]
- ip_local_deliver+0x583/0x8d0 net/ipv4/ip_input.c:252
- dst_input include/net/dst.h:449 [inline]
- ip_rcv_finish net/ipv4/ip_input.c:428 [inline]
- NF_HOOK include/linux/netfilter.h:301 [inline]
- ip_rcv+0x5c3/0x840 net/ipv4/ip_input.c:539
- __netif_receive_skb_one_core net/core/dev.c:5315 [inline]
- __netif_receive_skb+0x1ec/0x640 net/core/dev.c:5429
- process_backlog+0x523/0xc10 net/core/dev.c:6319
- napi_poll+0x420/0x1010 net/core/dev.c:6763
- net_rx_action+0x35c/0xd40 net/core/dev.c:6833
- __do_softirq+0x1a9/0x6fa kernel/softirq.c:298
- asm_call_irq_on_stack+0xf/0x20
-
- __run_on_irqstack arch/x86/include/asm/irq_stack.h:26 [inline]
- run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:77 [inline]
- do_softirq_own_stack+0x6e/0x90 arch/x86/kernel/irq_64.c:77
- do_softirq kernel/softirq.c:343 [inline]
- __local_bh_enable_ip+0x184/0x1d0 kernel/softirq.c:195
- local_bh_enable+0x36/0x40 include/linux/bottom_half.h:32
- rcu_read_unlock_bh include/linux/rcupdate.h:730 [inline]
- __dev_queue_xmit+0x3a9b/0x4520 net/core/dev.c:4167
- dev_queue_xmit+0x4b/0x60 net/core/dev.c:4173
- packet_snd net/packet/af_packet.c:2992 [inline]
- packet_sendmsg+0x86f9/0x99d0 net/packet/af_packet.c:3017
- sock_sendmsg_nosec net/socket.c:651 [inline]
- sock_sendmsg net/socket.c:671 [inline]
- __sys_sendto+0x9dc/0xc80 net/socket.c:1992
- __do_sys_sendto net/socket.c:2004 [inline]
- __se_sys_sendto+0x107/0x130 net/socket.c:2000
- __x64_sys_sendto+0x6e/0x90 net/socket.c:2000
- do_syscall_64+0x9f/0x140 arch/x86/entry/common.c:48
- entry_SYSCALL_64_after_hwframe+0x44/0xa9
-
-Fixes: 2d07dc79fe04 ("geneve: add initial netdev driver for GENEVE tunnels")
-Signed-off-by: Eric Dumazet
-Reported-by: syzbot
-Link: https://lore.kernel.org/r/20201201090507.4137906-1-eric.dumazet@gmail.com
-Signed-off-by: Jakub Kicinski
----
- drivers/net/geneve.c | 20 ++++++++++++++++----
- 1 file changed, 16 insertions(+), 4 deletions(-)
-
-diff --git a/drivers/net/geneve.c b/drivers/net/geneve.c
-index d89995f4bd433..e6f9fe7fa2a40 100644
---- a/drivers/net/geneve.c
-+++ b/drivers/net/geneve.c
-@@ -249,11 +249,21 @@ static void geneve_rx(struct geneve_dev *geneve, struct geneve_sock *gs,
- skb_dst_set(skb, &tun_dst->dst);
-
- /* Ignore packet loops (and multicast echo) */
-- if (ether_addr_equal(eth_hdr(skb)->h_source, geneve->dev->dev_addr)) {
-- geneve->dev->stats.rx_errors++;
-- goto drop;
-+ if (ether_addr_equal(eth_hdr(skb)->h_source, geneve->dev->dev_addr))
-+ goto rx_error;
-+
-+ switch (skb_protocol(skb, true)) {
-+ case htons(ETH_P_IP):
-+ if (pskb_may_pull(skb, sizeof(struct iphdr)))
-+ goto rx_error;
-+ break;
-+ case htons(ETH_P_IPV6):
-+ if (pskb_may_pull(skb, sizeof(struct ipv6hdr)))
-+ goto rx_error;
-+ break;
-+ default:
-+ goto rx_error;
- }
--
- oiph = skb_network_header(skb);
- skb_reset_network_header(skb);
-
-@@ -294,6 +304,8 @@ static void geneve_rx(struct geneve_dev *geneve, struct geneve_sock *gs,
- u64_stats_update_end(&stats->syncp);
- }
- return;
-+rx_error:
-+ geneve->dev->stats.rx_errors++;
- drop:
- /* Consume bad packet */
- kfree_skb(skb);
---
-2.27.0
-
diff --git a/queue-4.9/series b/queue-4.9/series
index a29413c074b..fc031871a5f 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -18,7 +18,6 @@ btrfs-sysfs-init-devices-outside-of-the-chunk_mutex.patch
 pinctrl-baytrail-replace-warn-with-dev_info_once-whe.patch
 pinctrl-baytrail-fix-pin-being-driven-low-for-a-whil.patch
 vlan-consolidate-vlan-parsing-code-and-limit-max-par.patch
-geneve-pull-ip-header-before-ecn-decapsulation.patch
 usb-gadget-f_fs-use-local-copy-of-descriptors-for-userspace-copy.patch
 usb-serial-kl5kusb105-fix-memleak-on-open.patch
 usb-serial-ch341-add-new-product-id-for-ch341a.patch
--
2.47.3