From 6e2ecdb59259667345fa1a2976dee544a183dc24 Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman Date: Mon, 18 Mar 2013 13:05:17 -0700 Subject: [PATCH] 3.4-stable patches added patches: 6lowpan-fix-endianness-issue-in-is_addr_link_local.patch bridging-fix-rx_handlers-return-code.patch dcbnl-fix-various-netlink-info-leaks.patch ipv6-stop-multicast-forwarding-to-process-interface-scoped-addresses.patch l2tp-restore-socket-refcount-when-sendmsg-succeeds.patch macvlan-set-iff_unicast_flt-flag-to-prevent-unnecessary-promisc-mode.patch net-ipv6-don-t-purge-default-router-if-accept_ra-2.patch netlabel-correctly-list-all-the-static-label-mappings.patch rds-limit-the-size-allocated-by-rds_message_alloc.patch rtnl-fix-info-leak-on-rtm_getlink-request-for-vf-devices.patch tcp-fix-double-counted-receiver-rtt-when-leaving-receiver-fast-path.patch tun-add-a-missing-nf_reset-in-tun_net_xmit.patch --- ...dianness-issue-in-is_addr_link_local.patch | 28 +++++ ...bridging-fix-rx_handlers-return-code.patch | 35 ++++++ ...dcbnl-fix-various-netlink-info-leaks.patch | 87 ++++++++++++++ ...o-process-interface-scoped-addresses.patch | 40 +++++++ ...ocket-refcount-when-sendmsg-succeeds.patch | 41 +++++++ ...-to-prevent-unnecessary-promisc-mode.patch | 31 +++++ ...-purge-default-router-if-accept_ra-2.patch | 37 ++++++ ...y-list-all-the-static-label-mappings.patch | 111 ++++++++++++++++++ ...-size-allocated-by-rds_message_alloc.patch | 71 +++++++++++ ...n-rtm_getlink-request-for-vf-devices.patch | 33 ++++++ queue-3.4/series | 12 ++ ...-rtt-when-leaving-receiver-fast-path.patch | 44 +++++++ ...d-a-missing-nf_reset-in-tun_net_xmit.patch | 71 +++++++++++ 13 files changed, 641 insertions(+) create mode 100644 queue-3.4/6lowpan-fix-endianness-issue-in-is_addr_link_local.patch create mode 100644 queue-3.4/bridging-fix-rx_handlers-return-code.patch create mode 100644 queue-3.4/dcbnl-fix-various-netlink-info-leaks.patch create mode 100644 queue-3.4/ipv6-stop-multicast-forwarding-to-process-interface-scoped-addresses.patch create mode 100644 
queue-3.4/l2tp-restore-socket-refcount-when-sendmsg-succeeds.patch create mode 100644 queue-3.4/macvlan-set-iff_unicast_flt-flag-to-prevent-unnecessary-promisc-mode.patch create mode 100644 queue-3.4/net-ipv6-don-t-purge-default-router-if-accept_ra-2.patch create mode 100644 queue-3.4/netlabel-correctly-list-all-the-static-label-mappings.patch create mode 100644 queue-3.4/rds-limit-the-size-allocated-by-rds_message_alloc.patch create mode 100644 queue-3.4/rtnl-fix-info-leak-on-rtm_getlink-request-for-vf-devices.patch create mode 100644 queue-3.4/tcp-fix-double-counted-receiver-rtt-when-leaving-receiver-fast-path.patch create mode 100644 queue-3.4/tun-add-a-missing-nf_reset-in-tun_net_xmit.patch diff --git a/queue-3.4/6lowpan-fix-endianness-issue-in-is_addr_link_local.patch b/queue-3.4/6lowpan-fix-endianness-issue-in-is_addr_link_local.patch new file mode 100644 index 00000000000..53c3fbc2342 --- /dev/null +++ b/queue-3.4/6lowpan-fix-endianness-issue-in-is_addr_link_local.patch @@ -0,0 +1,28 @@ +From d3fe98f18874cf71f0b810de9d5513149f052b2e Mon Sep 17 00:00:00 2001 +From: YOSHIFUJI Hideaki +Date: Sat, 9 Mar 2013 09:11:57 +0000 +Subject: 6lowpan: Fix endianness issue in is_addr_link_local(). + + +From: YOSHIFUJI Hideaki + +[ Upstream commit 9026c4927254f5bea695cc3ef2e255280e6a3011 ] + +Signed-off-by: YOSHIFUJI Hideaki +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ieee802154/6lowpan.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/ieee802154/6lowpan.h ++++ b/net/ieee802154/6lowpan.h +@@ -87,7 +87,7 @@ + (memcmp(addr1, addr2, length >> 3) == 0) + + /* local link, i.e. FE80::/10 */ +-#define is_addr_link_local(a) (((a)->s6_addr16[0]) == 0x80FE) ++#define is_addr_link_local(a) (((a)->s6_addr16[0]) == htons(0xFE80)) + + /* + * check whether we can compress the IID to 16 bits, 
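Review bot: The new `htons(0xFE80)` comparison on the `is_addr_link_local` line matches only an exact first hextet of fe80, while the comment directly above it advertises FE80::/10, so an address such as fe81:: would be classified as not link-local. If /10 is what is meant, mask before comparing, `#define is_addr_link_local(a) ((((a)->s6_addr16[0]) & htons(0xffc0)) == htons(0xfe80))`, which I believe is also how the IPv6 core derives IPV6_ADDR_LINKLOCAL. If 6lowpan compression genuinely needs the exact fe80 prefix, change the comment to say FE80::/16 so code and comment agree. The endianness fix itself is correct; the mismatch predates it.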
diff --git a/queue-3.4/bridging-fix-rx_handlers-return-code.patch b/queue-3.4/bridging-fix-rx_handlers-return-code.patch new file mode 100644 index 00000000000..8fb733c3842 --- /dev/null +++ b/queue-3.4/bridging-fix-rx_handlers-return-code.patch @@ -0,0 +1,35 @@ +From 0893e3334b342f0832a983fc3c12070434f39ecd Mon Sep 17 00:00:00 2001 +From: Cristian Bercaru +Date: Fri, 8 Mar 2013 07:03:38 +0000 +Subject: bridging: fix rx_handlers return code + + +From: Cristian Bercaru + +[ Upstream commit 3bc1b1add7a8484cc4a261c3e128dbe1528ce01f ] + +The frames for which rx_handlers return RX_HANDLER_CONSUMED are no longer +counted as dropped. They are counted as successfully received by +'netif_receive_skb'. + +This allows network interface drivers to correctly update their RX-OK and +RX-DRP counters based on the result of 'netif_receive_skb'. + +Signed-off-by: Cristian Bercaru +Signed-off-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/core/dev.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -3230,6 +3230,7 @@ ncls: + } + switch (rx_handler(&skb)) { + case RX_HANDLER_CONSUMED: ++ ret = NET_RX_SUCCESS; + goto out; + case RX_HANDLER_ANOTHER: + goto another_round; diff --git a/queue-3.4/dcbnl-fix-various-netlink-info-leaks.patch b/queue-3.4/dcbnl-fix-various-netlink-info-leaks.patch new file mode 100644 index 00000000000..59155d0780d --- /dev/null +++ b/queue-3.4/dcbnl-fix-various-netlink-info-leaks.patch 
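Review bot: The new `ret = NET_RX_SUCCESS;` under `case RX_HANDLER_CONSUMED:` changes the accounting contract without a word at the site: a handler that takes the skb and presumably frees it internally is now reported to the caller as a successful receive. That is the intent per the commit message, but it should be stated where the code is, e.g. `/* the handler owns the skb now; count it as delivered whatever it does with it */`, so handler authors know what their return code means for driver RX-OK/RX-DRP counters. The switch and netif_receive_skb's body continue outside the hunk.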
@@ -0,0 +1,87 @@ +From 020db0957e084039acf6cf4eff10308872117735 Mon Sep 17 00:00:00 2001 +From: Mathias Krause +Date: Sat, 9 Mar 2013 05:52:21 +0000 +Subject: dcbnl: fix various netlink info leaks + + +From: Mathias Krause + +[ Upstream commit 29cd8ae0e1a39e239a3a7b67da1986add1199fc0 ] + +The dcb netlink interface leaks stack memory in various places: +* perm_addr[] buffer is only filled at max with 12 of the 32 bytes but + copied completely, +* no in-kernel driver fills all fields of an IEEE 802.1Qaz subcommand, + so we're leaking up to 58 bytes for ieee_ets structs, up to 136 bytes + for ieee_pfc structs, etc., +* the same is true for CEE -- no in-kernel driver fills the whole + struct, + +Prevent all of the above stack info leaks by properly initializing the +buffers/structures involved. + +Signed-off-by: Mathias Krause +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/dcb/dcbnl.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/net/dcb/dcbnl.c ++++ b/net/dcb/dcbnl.c +@@ -336,6 +336,7 @@ static int dcbnl_getperm_hwaddr(struct n + dcb->dcb_family = AF_UNSPEC; + dcb->cmd = DCB_CMD_GPERM_HWADDR; + ++ memset(perm_addr, 0, sizeof(perm_addr)); + netdev->dcbnl_ops->getpermhwaddr(netdev, perm_addr); + + ret = nla_put(dcbnl_skb, DCB_ATTR_PERM_HWADDR, sizeof(perm_addr), +@@ -1238,6 +1239,7 @@ static int dcbnl_ieee_fill(struct sk_buf + + if (ops->ieee_getets) { + struct ieee_ets ets; ++ memset(&ets, 0, sizeof(ets)); + err = ops->ieee_getets(netdev, &ets); + if (!err) + NLA_PUT(skb, DCB_ATTR_IEEE_ETS, sizeof(ets), &ets); +@@ -1245,6 +1247,7 @@ static int dcbnl_ieee_fill(struct sk_buf + + if (ops->ieee_getpfc) { + struct ieee_pfc pfc; ++ memset(&pfc, 0, sizeof(pfc)); + err = ops->ieee_getpfc(netdev, &pfc); + if (!err) + NLA_PUT(skb, DCB_ATTR_IEEE_PFC, sizeof(pfc), &pfc); +@@ -1277,6 +1280,7 @@ static int dcbnl_ieee_fill(struct sk_buf + /* get peer info if available */ + if (ops->ieee_peer_getets) { + struct ieee_ets ets; ++ memset(&ets, 0, 
sizeof(ets)); + err = ops->ieee_peer_getets(netdev, &ets); + if (!err) + NLA_PUT(skb, DCB_ATTR_IEEE_PEER_ETS, sizeof(ets), &ets); +@@ -1284,6 +1288,7 @@ static int dcbnl_ieee_fill(struct sk_buf + + if (ops->ieee_peer_getpfc) { + struct ieee_pfc pfc; ++ memset(&pfc, 0, sizeof(pfc)); + err = ops->ieee_peer_getpfc(netdev, &pfc); + if (!err) + NLA_PUT(skb, DCB_ATTR_IEEE_PEER_PFC, sizeof(pfc), &pfc); +@@ -1463,6 +1468,7 @@ static int dcbnl_cee_fill(struct sk_buff + /* peer info if available */ + if (ops->cee_peer_getpg) { + struct cee_pg pg; ++ memset(&pg, 0, sizeof(pg)); + err = ops->cee_peer_getpg(netdev, &pg); + if (!err) + NLA_PUT(skb, DCB_ATTR_CEE_PEER_PG, sizeof(pg), &pg); +@@ -1470,6 +1476,7 @@ static int dcbnl_cee_fill(struct sk_buff + + if (ops->cee_peer_getpfc) { + struct cee_pfc pfc; ++ memset(&pfc, 0, sizeof(pfc)); + err = ops->cee_peer_getpfc(netdev, &pfc); + if (!err) + NLA_PUT(skb, DCB_ATTR_CEE_PEER_PFC, sizeof(pfc), &pfc); diff --git a/queue-3.4/ipv6-stop-multicast-forwarding-to-process-interface-scoped-addresses.patch b/queue-3.4/ipv6-stop-multicast-forwarding-to-process-interface-scoped-addresses.patch new file mode 100644 index 00000000000..18932c1337a --- /dev/null +++ b/queue-3.4/ipv6-stop-multicast-forwarding-to-process-interface-scoped-addresses.patch 
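Review bot: Each new `memset()` in dcbnl_getperm_hwaddr(), dcbnl_ieee_fill() and dcbnl_cee_fill() is added without a comment, so the next person adding an attribute has nothing telling them the zeroing is a hardening requirement rather than tidiness. I would put a one-line comment above the first one in each function, e.g. `/* drivers fill only part of the buffer; zero it so nla_put()/NLA_PUT do not copy stack bytes to userspace */`. The fill helpers start before and end after these hunks, so any other stack object handed to a driver callback and then put into the skb in the unseen parts would need the same treatment; I cannot confirm from here whether any exist.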
@@ -0,0 +1,40 @@ +From daee605b36cbf0f8f3472cebae7c15344eed5cfb Mon Sep 17 00:00:00 2001 +From: Hannes Frederic Sowa +Date: Fri, 8 Mar 2013 02:07:23 +0000 +Subject: ipv6: stop multicast forwarding to process interface scoped addresses + + +From: Hannes Frederic Sowa + +[ Upstream commit ddf64354af4a702ee0b85d0a285ba74c7278a460 ] + +v2: +a) used struct ipv6_addr_props + +v3: +a) reverted changes for ipv6_addr_props + +v4: +a) do not use __ipv6_addr_needs_scope_id + +Cc: YOSHIFUJI Hideaki +Signed-off-by: Hannes Frederic Sowa +Acked-by: YOSHIFUJI Hideaki +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/ip6_input.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/ipv6/ip6_input.c ++++ b/net/ipv6/ip6_input.c +@@ -265,7 +265,8 @@ int ip6_mc_input(struct sk_buff *skb) + * IPv6 multicast router mode is now supported ;) + */ + if (dev_net(skb->dev)->ipv6.devconf_all->mc_forwarding && +- !(ipv6_addr_type(&hdr->daddr) & IPV6_ADDR_LINKLOCAL) && ++ !(ipv6_addr_type(&hdr->daddr) & ++ (IPV6_ADDR_LOOPBACK|IPV6_ADDR_LINKLOCAL)) && + likely(!(IP6CB(skb)->flags & IP6SKB_FORWARDED))) { + /* + * Okay, we try to forward - split and duplicate diff --git a/queue-3.4/l2tp-restore-socket-refcount-when-sendmsg-succeeds.patch b/queue-3.4/l2tp-restore-socket-refcount-when-sendmsg-succeeds.patch new file mode 100644 index 00000000000..fc4b4c2bf6b --- /dev/null +++ b/queue-3.4/l2tp-restore-socket-refcount-when-sendmsg-succeeds.patch 
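Review bot: The added `IPV6_ADDR_LOOPBACK` in the ip6_mc_input() condition is not self-explanatory, since the destination here is multicast and a reader will wonder how a loopback flag applies. Presumably ipv6_addr_type() reports interface-local multicast (ff01::/16) with that flag as well as ::1, which is what makes this the "interface scoped" check the subject line describes, but please confirm and record it, e.g. `/* ipv6_addr_type() sets IPV6_ADDR_LOOPBACK for interface-local (ff01::/16) multicast; never forward those */`. The body of the if continues past the hunk.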
@@ -0,0 +1,41 @@
+From 5b343bfe238f11e486c703d867c9f465913c543c Mon Sep 17 00:00:00 2001
+From: Guillaume Nault
+Date: Fri, 1 Mar 2013 05:02:02 +0000
+Subject: l2tp: Restore socket refcount when sendmsg succeeds
+
+
+From: Guillaume Nault
+
+[ Upstream commit 8b82547e33e85fc24d4d172a93c796de1fefa81a ]
+
+The sendmsg() syscall handler for PPPoL2TP doesn't decrease the socket
+reference counter after successful transmissions. Any successful
+sendmsg() call from userspace will then increase the reference counter
+forever, thus preventing the kernel's session and tunnel data from
+being freed later on.
+
+The problem only happens when writing directly on L2TP sockets.
+PPP sockets attached to L2TP are unaffected as the PPP subsystem
+uses pppol2tp_xmit() which symmetrically increase/decrease reference
+counters.
+
+This patch adds the missing call to sock_put() before returning from
+pppol2tp_sendmsg().
+
+Signed-off-by: Guillaume Nault
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/l2tp/l2tp_ppp.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/l2tp/l2tp_ppp.c
++++ b/net/l2tp/l2tp_ppp.c
+@@ -360,6 +360,7 @@ static int pppol2tp_sendmsg(struct kiocb
+ l2tp_xmit_skb(session, skb, session->hdr_len);
+
+ sock_put(ps->tunnel_sock);
++ sock_put(sk);
+
+ return error;
+
diff --git a/queue-3.4/macvlan-set-iff_unicast_flt-flag-to-prevent-unnecessary-promisc-mode.patch b/queue-3.4/macvlan-set-iff_unicast_flt-flag-to-prevent-unnecessary-promisc-mode.patch
new file mode 100644
index 00000000000..66975ee8b20
--- /dev/null
+++ b/queue-3.4/macvlan-set-iff_unicast_flt-flag-to-prevent-unnecessary-promisc-mode.patch
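Review bot: The new `sock_put(sk);` only balances the success path of pppol2tp_sendmsg(); the matching hold and the error exits are outside the hunk, so please double-check that every early return between the corresponding `sock_hold(sk)` and this point already drops the reference, otherwise the leak merely moves. A comment would make the pairing auditable, e.g. `/* drop the hold taken at entry; l2tp_xmit_skb() now owns the skb */`, assuming that is where the hold is taken. For a stable backport of a refcount fix, the commit text could also name the simple check used to validate it (sendmsg() loop on the L2TP socket, close, confirm the session is freed).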
@@ -0,0 +1,31 @@ +From f4c03683e2470220337ea037c33964de1483942f Mon Sep 17 00:00:00 2001 +From: Vlad Yasevich +Date: Thu, 7 Mar 2013 10:21:48 +0000 +Subject: macvlan: Set IFF_UNICAST_FLT flag to prevent unnecessary promisc mode. + + +From: Vlad Yasevich + +[ Upstream commit 87ab7f6f2874f1115817e394a7ed2dea1c72549e ] + +Macvlan already supports hw address filters. Set the IFF_UNICAST_FLT +so that it doesn't needlesly enter PROMISC mode when macvlans are +stacked. + +Signed-of-by: Vlad Yasevich +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/macvlan.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/macvlan.c ++++ b/drivers/net/macvlan.c +@@ -584,6 +584,7 @@ void macvlan_common_setup(struct net_dev + ether_setup(dev); + + dev->priv_flags &= ~(IFF_XMIT_DST_RELEASE | IFF_TX_SKB_SHARING); ++ dev->priv_flags |= IFF_UNICAST_FLT; + dev->netdev_ops = &macvlan_netdev_ops; + dev->destructor = free_netdev; + dev->header_ops = &macvlan_hard_header_ops, diff --git a/queue-3.4/net-ipv6-don-t-purge-default-router-if-accept_ra-2.patch b/queue-3.4/net-ipv6-don-t-purge-default-router-if-accept_ra-2.patch new file mode 100644 index 00000000000..46c609a4f3d --- /dev/null +++ b/queue-3.4/net-ipv6-don-t-purge-default-router-if-accept_ra-2.patch 
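Review bot: The new `dev->priv_flags |= IFF_UNICAST_FLT;` asserts a capability without saying where the unicast filtering actually happens; a comment such as `/* unicast filtering is done in software by macvlan's address lookup, so stacked macvlans need not force the lower device into promisc */` would record the assumption, which I cannot verify from this hunk. Two nits on the surroundings: the unchanged `dev->header_ops = &macvlan_hard_header_ops,` ends with a comma rather than a semicolon, legal but easy to misread and worth fixing while here, and the trailer reads `Signed-of-by:` (one f), a typo in the backported commit text that tooling grepping for `Signed-off-by` will miss.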
@@ -0,0 +1,37 @@ +From 6a371a97d27f41655fc7597d37f7d14713ab99ba Mon Sep 17 00:00:00 2001 +From: Lorenzo Colitti +Date: Sun, 3 Mar 2013 20:46:46 +0000 +Subject: net: ipv6: Don't purge default router if accept_ra=2 + + +From: Lorenzo Colitti + +[ Upstream commit 3e8b0ac3e41e3c882222a5522d5df7212438ab51 ] + +Setting net.ipv6.conf..accept_ra=2 causes the kernel +to accept RAs even when forwarding is enabled. However, enabling +forwarding purges all default routes on the system, breaking +connectivity until the next RA is received. Fix this by not +purging default routes on interfaces that have accept_ra=2. + +Signed-off-by: Lorenzo Colitti +Acked-by: YOSHIFUJI Hideaki +Acked-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/route.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/ipv6/route.c ++++ b/net/ipv6/route.c +@@ -1973,7 +1973,8 @@ void rt6_purge_dflt_routers(struct net * + restart: + read_lock_bh(&table->tb6_lock); + for (rt = table->tb6_root.leaf; rt; rt = rt->dst.rt6_next) { +- if (rt->rt6i_flags & (RTF_DEFAULT | RTF_ADDRCONF)) { ++ if (rt->rt6i_flags & (RTF_DEFAULT | RTF_ADDRCONF) && ++ (!rt->rt6i_idev || rt->rt6i_idev->cnf.accept_ra != 2)) { + dst_hold(&rt->dst); + read_unlock_bh(&table->tb6_lock); + ip6_del_rt(rt); diff --git a/queue-3.4/netlabel-correctly-list-all-the-static-label-mappings.patch b/queue-3.4/netlabel-correctly-list-all-the-static-label-mappings.patch new file mode 100644 index 00000000000..87716bae57b --- /dev/null +++ b/queue-3.4/netlabel-correctly-list-all-the-static-label-mappings.patch 
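Review bot: The rewritten condition in rt6_purge_dflt_routers() mixes bitwise `&` and logical `&&` without parentheses around the flag test, `rt->rt6i_flags & (RTF_DEFAULT | RTF_ADDRCONF) && (...)`; precedence makes it correct, but the original kept the flag test parenthesized and readers should not have to recall the table. Suggest `if ((rt->rt6i_flags & (RTF_DEFAULT | RTF_ADDRCONF)) && (!rt->rt6i_idev || rt->rt6i_idev->cnf.accept_ra != 2)) {`. A one-line comment stating the policy, `/* accept_ra == 2 keeps RA-learned defaults even with forwarding on */`, would also help, since the function otherwise reads as an unconditional purge. The loop body continues past the hunk.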
@@ -0,0 +1,111 @@ +From 83f3236795f824a81418086d0360968d975bf813 Mon Sep 17 00:00:00 2001 +From: Paul Moore +Date: Wed, 6 Mar 2013 11:45:24 +0000 +Subject: netlabel: correctly list all the static label mappings + + +From: Paul Moore + +[ Upstream commits 0c1233aba1e948c37f6dc7620cb7c253fcd71ce9 and + a6a8fe950e1b8596bb06f2c89c3a1a4bf2011ba9 ] + +When we have a large number of static label mappings that spill across +the netlink message boundary we fail to properly save our state in the +netlink_callback struct which causes us to repeat the same listings. +This patch fixes this problem by saving the state correctly between +calls to the NetLabel static label netlink "dumpit" routines. + +Signed-off-by: Paul Moore +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/netlabel/netlabel_unlabeled.c | 27 +++++++++++---------------- + 1 file changed, 11 insertions(+), 16 deletions(-) + +--- a/net/netlabel/netlabel_unlabeled.c ++++ b/net/netlabel/netlabel_unlabeled.c +@@ -1189,8 +1189,6 @@ static int netlbl_unlabel_staticlist(str + struct netlbl_unlhsh_walk_arg cb_arg; + u32 skip_bkt = cb->args[0]; + u32 skip_chain = cb->args[1]; +- u32 skip_addr4 = cb->args[2]; +- u32 skip_addr6 = cb->args[3]; + u32 iter_bkt; + u32 iter_chain = 0, iter_addr4 = 0, iter_addr6 = 0; + struct netlbl_unlhsh_iface *iface; +@@ -1215,7 +1213,7 @@ static int netlbl_unlabel_staticlist(str + continue; + netlbl_af4list_foreach_rcu(addr4, + &iface->addr4_list) { +- if (iter_addr4++ < skip_addr4) ++ if (iter_addr4++ < cb->args[2]) + continue; + if (netlbl_unlabel_staticlist_gen( + NLBL_UNLABEL_C_STATICLIST, +@@ -1231,7 +1229,7 @@ static int netlbl_unlabel_staticlist(str + #if IS_ENABLED(CONFIG_IPV6) + netlbl_af6list_foreach_rcu(addr6, + &iface->addr6_list) { +- if (iter_addr6++ < skip_addr6) ++ if (iter_addr6++ < cb->args[3]) + continue; + if (netlbl_unlabel_staticlist_gen( + NLBL_UNLABEL_C_STATICLIST, +@@ -1250,10 +1248,10 @@ static int netlbl_unlabel_staticlist(str + + 
unlabel_staticlist_return: + rcu_read_unlock(); +- cb->args[0] = skip_bkt; +- cb->args[1] = skip_chain; +- cb->args[2] = skip_addr4; +- cb->args[3] = skip_addr6; ++ cb->args[0] = iter_bkt; ++ cb->args[1] = iter_chain; ++ cb->args[2] = iter_addr4; ++ cb->args[3] = iter_addr6; + return skb->len; + } + +@@ -1273,12 +1271,9 @@ static int netlbl_unlabel_staticlistdef( + { + struct netlbl_unlhsh_walk_arg cb_arg; + struct netlbl_unlhsh_iface *iface; +- u32 skip_addr4 = cb->args[0]; +- u32 skip_addr6 = cb->args[1]; +- u32 iter_addr4 = 0; ++ u32 iter_addr4 = 0, iter_addr6 = 0; + struct netlbl_af4list *addr4; + #if IS_ENABLED(CONFIG_IPV6) +- u32 iter_addr6 = 0; + struct netlbl_af6list *addr6; + #endif + +@@ -1292,7 +1287,7 @@ static int netlbl_unlabel_staticlistdef( + goto unlabel_staticlistdef_return; + + netlbl_af4list_foreach_rcu(addr4, &iface->addr4_list) { +- if (iter_addr4++ < skip_addr4) ++ if (iter_addr4++ < cb->args[0]) + continue; + if (netlbl_unlabel_staticlist_gen(NLBL_UNLABEL_C_STATICLISTDEF, + iface, +@@ -1305,7 +1300,7 @@ static int netlbl_unlabel_staticlistdef( + } + #if IS_ENABLED(CONFIG_IPV6) + netlbl_af6list_foreach_rcu(addr6, &iface->addr6_list) { +- if (iter_addr6++ < skip_addr6) ++ if (iter_addr6++ < cb->args[1]) + continue; + if (netlbl_unlabel_staticlist_gen(NLBL_UNLABEL_C_STATICLISTDEF, + iface, +@@ -1320,8 +1315,8 @@ static int netlbl_unlabel_staticlistdef( + + unlabel_staticlistdef_return: + rcu_read_unlock(); +- cb->args[0] = skip_addr4; +- cb->args[1] = skip_addr6; ++ cb->args[0] = iter_addr4; ++ cb->args[1] = iter_addr6; + return skb->len; + } + diff --git a/queue-3.4/rds-limit-the-size-allocated-by-rds_message_alloc.patch b/queue-3.4/rds-limit-the-size-allocated-by-rds_message_alloc.patch new file mode 100644 index 00000000000..22e96e3b867 --- /dev/null +++ b/queue-3.4/rds-limit-the-size-allocated-by-rds_message_alloc.patch 
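Review bot: The state saved at `unlabel_staticlist_return` and `unlabel_staticlistdef_return` is now the raw iteration counters (`cb->args[0] = iter_bkt;` and friends), which is only correct if the failure paths inside the loops step the counters back for the entry that did not fit; if I recall the upstream commits correctly they do so with `iter_addr4--`/`iter_chain--`, but those lines are outside this hunk, so please confirm they were carried in the backport. A comment at each return label documenting the layout would help, e.g. `/* cb->args[]: bucket, chain index, addr4 index, addr6 index of the next entry to emit */`. Also, `iter_addr6` is now declared unconditionally in netlbl_unlabel_staticlistdef() but only advanced under CONFIG_IPV6; that looks deliberate so `cb->args[1]` is always written, and deserves a one-line comment so nobody moves it back inside the `#if`.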
@@ -0,0 +1,71 @@ +From d3a7ebf73779faa29a1a7d45266579f57dc011ab Mon Sep 17 00:00:00 2001 +From: Cong Wang +Date: Sun, 3 Mar 2013 16:18:11 +0000 +Subject: rds: limit the size allocated by rds_message_alloc() + + +From: Cong Wang + +[ Upstream commit ece6b0a2b25652d684a7ced4ae680a863af041e0 ] + +Dave Jones reported the following bug: + +"When fed mangled socket data, rds will trust what userspace gives it, +and tries to allocate enormous amounts of memory larger than what +kmalloc can satisfy." + +WARNING: at mm/page_alloc.c:2393 __alloc_pages_nodemask+0xa0d/0xbe0() +Hardware name: GA-MA78GM-S2H +Modules linked in: vmw_vsock_vmci_transport vmw_vmci vsock fuse bnep dlci bridge 8021q garp stp mrp binfmt_misc l2tp_ppp l2tp_core rfcomm s +Pid: 24652, comm: trinity-child2 Not tainted 3.8.0+ #65 +Call Trace: + [] warn_slowpath_common+0x75/0xa0 + [] warn_slowpath_null+0x1a/0x20 + [] __alloc_pages_nodemask+0xa0d/0xbe0 + [] ? native_sched_clock+0x26/0x90 + [] ? trace_hardirqs_off_caller+0x28/0xc0 + [] ? trace_hardirqs_off+0xd/0x10 + [] alloc_pages_current+0xb8/0x180 + [] __get_free_pages+0x2a/0x80 + [] kmalloc_order_trace+0x3e/0x1a0 + [] __kmalloc+0x2f5/0x3a0 + [] ? local_bh_enable_ip+0x7c/0xf0 + [] rds_message_alloc+0x23/0xb0 [rds] + [] rds_sendmsg+0x2b1/0x990 [rds] + [] ? trace_hardirqs_off+0xd/0x10 + [] sock_sendmsg+0xb0/0xe0 + [] ? get_lock_stats+0x22/0x70 + [] ? put_lock_stats.isra.23+0xe/0x40 + [] sys_sendto+0x130/0x180 + [] ? trace_hardirqs_on+0xd/0x10 + [] ? _raw_spin_unlock_irq+0x3b/0x60 + [] ? sysret_check+0x1b/0x56 + [] ? trace_hardirqs_on_caller+0x115/0x1a0 + [] ? trace_hardirqs_on_thunk+0x3a/0x3f + [] system_call_fastpath+0x16/0x1b +---[ end trace eed6ae990d018c8b ]--- + +Reported-by: Dave Jones +Cc: Dave Jones +Cc: David S. Miller +Cc: Venkat Venkatsubra +Signed-off-by: Cong Wang +Acked-by: Venkat Venkatsubra +Signed-off-by: David S. 
Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/rds/message.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/rds/message.c
++++ b/net/rds/message.c
+@@ -197,6 +197,9 @@ struct rds_message *rds_message_alloc(un
+ {
+ struct rds_message *rm;
+
++ if (extra_len > KMALLOC_MAX_SIZE - sizeof(struct rds_message))
++ return NULL;
++
+ rm = kzalloc(sizeof(struct rds_message) + extra_len, gfp);
+ if (!rm)
+ goto out;
diff --git a/queue-3.4/rtnl-fix-info-leak-on-rtm_getlink-request-for-vf-devices.patch b/queue-3.4/rtnl-fix-info-leak-on-rtm_getlink-request-for-vf-devices.patch
new file mode 100644
index 00000000000..910c3a5fac2
--- /dev/null
+++ b/queue-3.4/rtnl-fix-info-leak-on-rtm_getlink-request-for-vf-devices.patch
@@ -0,0 +1,33 @@
+From 1088cedd7b5a08f7000c81716c9c53aca2c343d7 Mon Sep 17 00:00:00 2001
+From: Mathias Krause
+Date: Sat, 9 Mar 2013 05:52:20 +0000
+Subject: rtnl: fix info leak on RTM_GETLINK request for VF devices
+
+
+From: Mathias Krause
+
+[ Upstream commit 84d73cd3fb142bf1298a8c13fd4ca50fd2432372 ]
+
+Initialize the mac address buffer with 0 as the driver specific function
+will probably not fill the whole buffer. In fact, all in-kernel drivers
+fill only ETH_ALEN of the MAX_ADDR_LEN bytes, i.e. 6 of the 32 possible
+bytes. Therefore we currently leak 26 bytes of stack memory to userland
+via the netlink interface.
+
+Signed-off-by: Mathias Krause
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/core/rtnetlink.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/core/rtnetlink.c
++++ b/net/core/rtnetlink.c
+@@ -975,6 +975,7 @@ static int rtnl_fill_ifinfo(struct sk_bu
+ * report anything.
+ */
+ ivi.spoofchk = -1;
++ memset(ivi.mac, 0, sizeof(ivi.mac));
+ if (dev->netdev_ops->ndo_get_vf_config(dev, i, &ivi))
+ break;
+ vf_mac.vf =
diff --git a/queue-3.4/series b/queue-3.4/series
index e73772b8ebb..b8eae1c8af3 100644
--- a/queue-3.4/series
+++ b/queue-3.4/series
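Review bot: The new length check in rds_message_alloc() returns NULL, which callers will most likely translate into -ENOMEM; for a userspace-supplied length that is really an invalid argument, so rds_sendmsg() should ideally reject it with -EMSGSIZE before allocation, leaving this check as a backstop for kernel-internal callers (the call sites are outside the hunk, so I cannot tell whether such a check exists). Please also add a comment above the check explaining the cap, e.g. `/* extra_len is user-controlled; refuse what kmalloc() cannot satisfy instead of tripping the page-allocator warning */`. The function body continues past the hunk.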
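Review bot: The new `memset(ivi.mac, 0, sizeof(ivi.mac));` in rtnl_fill_ifinfo() clears only the one member known to be short-filled, next to an already special-cased `ivi.spoofchk = -1;`; any future member of struct ifla_vf_info that a driver's ndo_get_vf_config() leaves untouched reintroduces the same leak. Zeroing the whole structure once and then setting the sentinel costs the same and removes the per-field reasoning: replace the two lines with `memset(&ivi, 0, sizeof(ivi));` followed by `ivi.spoofchk = -1;`. The declaration of `ivi` and the enclosing loop start outside the hunk.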
@@ -34,3 +34,15 @@ block-use-i_size_write-in-bd_set_size.patch loopdev-fix-a-deadlock.patch loopdev-remove-an-user-triggerable-oops.patch drm-i915-increase-the-rc6p-threshold.patch +l2tp-restore-socket-refcount-when-sendmsg-succeeds.patch +rds-limit-the-size-allocated-by-rds_message_alloc.patch +net-ipv6-don-t-purge-default-router-if-accept_ra-2.patch +tcp-fix-double-counted-receiver-rtt-when-leaving-receiver-fast-path.patch +tun-add-a-missing-nf_reset-in-tun_net_xmit.patch +macvlan-set-iff_unicast_flt-flag-to-prevent-unnecessary-promisc-mode.patch +netlabel-correctly-list-all-the-static-label-mappings.patch +bridging-fix-rx_handlers-return-code.patch +ipv6-stop-multicast-forwarding-to-process-interface-scoped-addresses.patch +rtnl-fix-info-leak-on-rtm_getlink-request-for-vf-devices.patch +dcbnl-fix-various-netlink-info-leaks.patch +6lowpan-fix-endianness-issue-in-is_addr_link_local.patch diff --git a/queue-3.4/tcp-fix-double-counted-receiver-rtt-when-leaving-receiver-fast-path.patch b/queue-3.4/tcp-fix-double-counted-receiver-rtt-when-leaving-receiver-fast-path.patch new file mode 100644 index 00000000000..58958f00d48 --- /dev/null +++ b/queue-3.4/tcp-fix-double-counted-receiver-rtt-when-leaving-receiver-fast-path.patch 
@@ -0,0 +1,44 @@ +From dde9364409613d724007a54f92f6b6d0f1945f4a Mon Sep 17 00:00:00 2001 +From: Neal Cardwell +Date: Mon, 4 Mar 2013 06:23:05 +0000 +Subject: tcp: fix double-counted receiver RTT when leaving receiver fast path + + +From: Neal Cardwell + +[ Upstream commit aab2b4bf224ef8358d262f95b568b8ad0cecf0a0 ] + +We should not update ts_recent and call tcp_rcv_rtt_measure_ts() both +before and after going to step5. That wastes CPU and double-counts the +receiver-side RTT sample. + +Signed-off-by: Neal Cardwell +Acked-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/tcp_input.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/net/ipv4/tcp_input.c ++++ b/net/ipv4/tcp_input.c +@@ -5519,6 +5519,9 @@ int tcp_rcv_established(struct sock *sk, + if (tcp_checksum_complete_user(sk, skb)) + goto csum_error; + ++ if ((int)skb->truesize > sk->sk_forward_alloc) ++ goto step5; ++ + /* Predicted packet is in window by definition. + * seq == rcv_nxt and rcv_wup <= rcv_nxt. + * Hence, check seq<=rcv_wup reduces to: +@@ -5530,9 +5533,6 @@ int tcp_rcv_established(struct sock *sk, + + tcp_rcv_rtt_measure_ts(sk, skb); + +- if ((int)skb->truesize > sk->sk_forward_alloc) +- goto step5; +- + NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_TCPHPHITS); + + /* Bulk data transfer: receiver */ diff --git a/queue-3.4/tun-add-a-missing-nf_reset-in-tun_net_xmit.patch b/queue-3.4/tun-add-a-missing-nf_reset-in-tun_net_xmit.patch new file mode 100644 index 00000000000..8439145fb09 --- /dev/null +++ b/queue-3.4/tun-add-a-missing-nf_reset-in-tun_net_xmit.patch 
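Review bot: The relocated `if ((int)skb->truesize > sk->sk_forward_alloc) goto step5;` now sits between the checksum check and the ts_recent/RTT bookkeeping with nothing saying why it must precede them, and a later tidy-up could drift it back to where it was. A comment would pin the ordering, e.g. `/* leave the fast path before touching ts_recent or the receiver RTT sample: step5 does both, so doing them here double-counts */`. tcp_rcv_established() extends well beyond the hunk on both sides.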
@@ -0,0 +1,71 @@ +From 2ff4c18108ed5f5a900a4c37347b0edb564a3edd Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Wed, 6 Mar 2013 11:02:37 +0000 +Subject: tun: add a missing nf_reset() in tun_net_xmit() + + +From: Eric Dumazet + +[ Upstream commit f8af75f3517a24838a36eb5797a1a3e60bf9e276 ] + +Dave reported following crash : + +general protection fault: 0000 [#1] SMP +CPU 2 +Pid: 25407, comm: qemu-kvm Not tainted 3.7.9-205.fc18.x86_64 #1 Hewlett-Packard HP Z400 Workstation/0B4Ch +RIP: 0010:[] [] destroy_conntrack+0x35/0x120 [nf_conntrack] +RSP: 0018:ffff880276913d78 EFLAGS: 00010206 +RAX: 50626b6b7876376c RBX: ffff88026e530d68 RCX: ffff88028d158e00 +RDX: ffff88026d0d5470 RSI: 0000000000000011 RDI: 0000000000000002 +RBP: ffff880276913d88 R08: 0000000000000000 R09: ffff880295002900 +R10: 0000000000000000 R11: 0000000000000003 R12: ffffffff81ca3b40 +R13: ffffffff8151a8e0 R14: ffff880270875000 R15: 0000000000000002 +FS: 00007ff3bce38a00(0000) GS:ffff88029fc40000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b +CR2: 00007fd1430bd000 CR3: 000000027042b000 CR4: 00000000000027e0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 +Process qemu-kvm (pid: 25407, threadinfo ffff880276912000, task ffff88028c369720) +Stack: + ffff880156f59100 ffff880156f59100 ffff880276913d98 ffffffff815534f7 + ffff880276913db8 ffffffff8151a74b ffff880270875000 ffff880156f59100 + ffff880276913dd8 ffffffff8151a5a6 ffff880276913dd8 ffff88026d0d5470 +Call Trace: + [] nf_conntrack_destroy+0x17/0x20 + [] skb_release_head_state+0x7b/0x100 + [] __kfree_skb+0x16/0xa0 + [] kfree_skb+0x36/0xa0 + [] skb_queue_purge+0x20/0x40 + [] __tun_detach+0x117/0x140 [tun] + [] tun_chr_close+0x3c/0xd0 [tun] + [] __fput+0xec/0x240 + [] ____fput+0xe/0x10 + [] task_work_run+0xa7/0xe0 + [] do_notify_resume+0x71/0xb0 + [] int_signal+0x12/0x17 +Code: 00 00 04 48 89 e5 41 54 53 48 89 fb 4c 8b a7 e8 00 00 00 0f 85 
de 00 00 00 0f b6 73 3e 0f b7 7b 2a e8 10 40 00 00 48 85 c0 74 0e <48> 8b 40 28 48 85 c0 74 05 48 89 df ff d0 48 c7 c7 08 6a 3a a0
+RIP [] destroy_conntrack+0x35/0x120 [nf_conntrack]
+ RSP
+
+This is because tun_net_xmit() needs to call nf_reset()
+before queuing skb into receive_queue
+
+Reported-by: Dave Jones
+Signed-off-by: Eric Dumazet
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/tun.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/tun.c
++++ b/drivers/net/tun.c
+@@ -417,6 +417,8 @@ static netdev_tx_t tun_net_xmit(struct s
+ * for indefinite time. */
+ skb_orphan(skb);
+
++ nf_reset(skb);
++
+ /* Enqueue packet */
+ skb_queue_tail(&tun->socket.sk->sk_receive_queue, skb);
+
-- 2.47.3
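Review bot: The new `nf_reset(skb);` in tun_net_xmit() fixes the crash but carries no explanation at the site, and it is exactly the kind of line that gets removed as "unnecessary" later; the commit message has the reasoning, the code should too. Suggest a comment above it along the lines of `/* drop conntrack state now: the skb may sit in the receive queue until __tun_detach() purges it, after the conntrack that created it may be gone */`, hedged on the exact lifetime since only the oops trace is visible here. Placing it right after `skb_orphan(skb)` is sensible, as both sever state the skb must not carry while parked in the queue. The function body continues outside the hunk.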