From 8251bb76e1515c722d32acbe338be55004b86ce2 Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman Date: Wed, 11 Apr 2018 14:52:01 +0200 Subject: [PATCH] 4.4-stable patches added patches: arp-fix-arp_filter-on-l3slave-devices.patch bonding-fix-the-err-path-for-dev-hwaddr-sync-in-bond_enslave.patch bonding-move-dev_mc_sync-after-master_upper_dev_link-in-bond_enslave.patch bonding-process-the-err-returned-by-dev_set_allmulti-properly-in-bond_enslave.patch ip6_gre-better-validate-user-provided-tunnel-names.patch ip6_tunnel-better-validate-user-provided-tunnel-names.patch ip_tunnel-better-validate-user-provided-tunnel-names.patch ipv6-sit-better-validate-user-provided-tunnel-names.patch ipv6-the-entire-ipv6-header-chain-must-fit-the-first-fragment.patch net-fix-possible-out-of-bound-read-in-skb_network_protocol.patch net-fool-proof-dev_valid_name.patch net-ipv6-fix-route-leaking-between-vrfs.patch net-ipv6-increment-outxxx-counters-after-netfilter-hook.patch net-sched-actions-fix-dumping-which-requires-several-messages-to-user-space.patch net-sched-fix-null-dereference-in-the-error-path-of-tcf_bpf_init.patch netlink-make-sure-nladdr-has-correct-size-in-netlink_connect.patch pptp-remove-a-buggy-dst-release-in-pptp_connect.patch r8169-fix-setting-driver_data-after-register_netdev.patch sctp-do-not-leak-kernel-memory-to-user-space.patch sctp-sctp_sockaddr_af-must-check-minimal-addr-length-for-af_inet6.patch sky2-increase-d3-delay-to-sky2-stops-working-after-suspend.patch vhost-correctly-remove-wait-queue-during-poll-failure.patch vlan-also-check-phy_driver-ts_info-for-vlan-s-real-device.patch vti6-better-validate-user-provided-tunnel-names.patch --- ...rp-fix-arp_filter-on-l3slave-devices.patch | 41 +++++ ...-for-dev-hwaddr-sync-in-bond_enslave.patch | 56 ++++++ ...aster_upper_dev_link-in-bond_enslave.patch | 165 ++++++++++++++++++ ...et_allmulti-properly-in-bond_enslave.patch | 38 ++++ ...-validate-user-provided-tunnel-names.patch | 73 ++++++++ ...-validate-user-provided-tunnel-names.patch | 44 +++++ 
...-validate-user-provided-tunnel-names.patch | 78 +++++++++ ...-validate-user-provided-tunnel-names.patch | 73 ++++++++ ...er-chain-must-fit-the-first-fragment.patch | 121 +++++++++++++ ...f-bound-read-in-skb_network_protocol.patch | 59 +++++++ queue-4.4/net-fool-proof-dev_valid_name.patch | 32 ++++ ...-ipv6-fix-route-leaking-between-vrfs.patch | 51 ++++++ ...outxxx-counters-after-netfilter-hook.patch | 47 +++++ ...uires-several-messages-to-user-space.patch | 75 ++++++++ ...ce-in-the-error-path-of-tcf_bpf_init.patch | 100 +++++++++++ ...-has-correct-size-in-netlink_connect.patch | 35 ++++ ...-a-buggy-dst-release-in-pptp_connect.patch | 115 ++++++++++++ ...ng-driver_data-after-register_netdev.patch | 50 ++++++ ...not-leak-kernel-memory-to-user-space.patch | 95 ++++++++++ ...eck-minimal-addr-length-for-af_inet6.patch | 76 ++++++++ queue-4.4/series | 24 +++ ...-to-sky2-stops-working-after-suspend.patch | 36 ++++ ...emove-wait-queue-during-poll-failure.patch | 39 +++++ ...river-ts_info-for-vlan-s-real-device.patch | 45 +++++ ...-validate-user-provided-tunnel-names.patch | 40 +++++ 25 files changed, 1608 insertions(+) create mode 100644 queue-4.4/arp-fix-arp_filter-on-l3slave-devices.patch create mode 100644 queue-4.4/bonding-fix-the-err-path-for-dev-hwaddr-sync-in-bond_enslave.patch create mode 100644 queue-4.4/bonding-move-dev_mc_sync-after-master_upper_dev_link-in-bond_enslave.patch create mode 100644 queue-4.4/bonding-process-the-err-returned-by-dev_set_allmulti-properly-in-bond_enslave.patch create mode 100644 queue-4.4/ip6_gre-better-validate-user-provided-tunnel-names.patch create mode 100644 queue-4.4/ip6_tunnel-better-validate-user-provided-tunnel-names.patch create mode 100644 queue-4.4/ip_tunnel-better-validate-user-provided-tunnel-names.patch create mode 100644 queue-4.4/ipv6-sit-better-validate-user-provided-tunnel-names.patch create mode 100644 queue-4.4/ipv6-the-entire-ipv6-header-chain-must-fit-the-first-fragment.patch create mode 100644 
queue-4.4/net-fix-possible-out-of-bound-read-in-skb_network_protocol.patch
create mode 100644 queue-4.4/net-fool-proof-dev_valid_name.patch
create mode 100644 queue-4.4/net-ipv6-fix-route-leaking-between-vrfs.patch
create mode 100644 queue-4.4/net-ipv6-increment-outxxx-counters-after-netfilter-hook.patch
create mode 100644 queue-4.4/net-sched-actions-fix-dumping-which-requires-several-messages-to-user-space.patch
create mode 100644 queue-4.4/net-sched-fix-null-dereference-in-the-error-path-of-tcf_bpf_init.patch
create mode 100644 queue-4.4/netlink-make-sure-nladdr-has-correct-size-in-netlink_connect.patch
create mode 100644 queue-4.4/pptp-remove-a-buggy-dst-release-in-pptp_connect.patch
create mode 100644 queue-4.4/r8169-fix-setting-driver_data-after-register_netdev.patch
create mode 100644 queue-4.4/sctp-do-not-leak-kernel-memory-to-user-space.patch
create mode 100644 queue-4.4/sctp-sctp_sockaddr_af-must-check-minimal-addr-length-for-af_inet6.patch
create mode 100644 queue-4.4/sky2-increase-d3-delay-to-sky2-stops-working-after-suspend.patch
create mode 100644 queue-4.4/vhost-correctly-remove-wait-queue-during-poll-failure.patch
create mode 100644 queue-4.4/vlan-also-check-phy_driver-ts_info-for-vlan-s-real-device.patch
create mode 100644 queue-4.4/vti6-better-validate-user-provided-tunnel-names.patch
diff --git a/queue-4.4/arp-fix-arp_filter-on-l3slave-devices.patch b/queue-4.4/arp-fix-arp_filter-on-l3slave-devices.patch
new file mode 100644
index 00000000000..99dbe5f8368
--- /dev/null
+++ b/queue-4.4/arp-fix-arp_filter-on-l3slave-devices.patch
@@ -0,0 +1,41 @@ +From foo@baz Wed Apr 11 14:31:43 CEST 2018 +From: Miguel Fadon Perlines +Date: Thu, 5 Apr 2018 10:25:38 +0200 +Subject: arp: fix arp_filter on l3slave devices + +From: Miguel Fadon Perlines + + +[ Upstream commit 58b35f27689b5eb514fc293c332966c226b1b6e4 ] + +arp_filter performs an ip_route_output search for arp source address and +checks if output device is the same where the arp request was received, +if it is not, the arp request is not answered. + +This route lookup is always done on main route table so l3slave devices +never find the proper route and arp is not answered. + +Passing l3mdev_master_ifindex_rcu(dev) return value as oif fixes the +lookup for l3slave devices while maintaining same behavior for non +l3slave devices as this function returns 0 in that case. + +Fixes: 613d09b30f8b ("net: Use VRF device index for lookups on TX") +Signed-off-by: Miguel Fadon Perlines +Acked-by: David Ahern +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/arp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/ipv4/arp.c ++++ b/net/ipv4/arp.c +@@ -437,7 +437,7 @@ static int arp_filter(__be32 sip, __be32 + /*unsigned long now; */ + struct net *net = dev_net(dev); + +- rt = ip_route_output(net, sip, tip, 0, 0); ++ rt = ip_route_output(net, sip, tip, 0, l3mdev_master_ifindex_rcu(dev)); + if (IS_ERR(rt)) + return 1; + if (rt->dst.dev != dev) { diff --git a/queue-4.4/bonding-fix-the-err-path-for-dev-hwaddr-sync-in-bond_enslave.patch b/queue-4.4/bonding-fix-the-err-path-for-dev-hwaddr-sync-in-bond_enslave.patch new file mode 100644 index 00000000000..9f15028ecda --- /dev/null +++ b/queue-4.4/bonding-fix-the-err-path-for-dev-hwaddr-sync-in-bond_enslave.patch 
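Review bot: The new `l3mdev_master_ifindex_rcu(dev)` argument is the `_rcu` variant and therefore assumes the caller already holds an RCU read-side lock; arp_filter is reached from the ARP receive path, which normally provides it, but the hunk shows no lock and both the head and the tail of arp_filter are outside the hunk, so that should be confirmed for the 4.4 tree. The hunk also adds no `#include <net/l3mdev.h>`; check that net/ipv4/arp.c in this tree already pulls it in, otherwise the backport fails to build. A one-line comment would record why the oif changed: `/* resolve via the VRF master for l3slave devices; 0 (no change) for everything else */`.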
@@ -0,0 +1,56 @@ +From foo@baz Wed Apr 11 14:31:43 CEST 2018 +From: Xin Long +Date: Mon, 26 Mar 2018 01:16:45 +0800 +Subject: bonding: fix the err path for dev hwaddr sync in bond_enslave + +From: Xin Long + + +[ Upstream commit 5c78f6bfae2b10ff70e21d343e64584ea6280c26 ] + +vlan_vids_add_by_dev is called right after dev hwaddr sync, so on +the err path it should unsync dev hwaddr. Otherwise, the slave +dev's hwaddr will never be unsync when this err happens. + +Fixes: 1ff412ad7714 ("bonding: change the bond's vlan syncing functions with the standard ones") +Signed-off-by: Xin Long +Reviewed-by: Nikolay Aleksandrov +Acked-by: Andy Gospodarek +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/bonding/bond_main.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -1527,7 +1527,7 @@ int bond_enslave(struct net_device *bond + if (res) { + netdev_err(bond_dev, "Couldn't add bond vlan ids to %s\n", + slave_dev->name); +- goto err_close; ++ goto err_hwaddr_unsync; + } + + prev_slave = bond_last_slave(bond); +@@ -1709,9 +1709,6 @@ err_unregister: + netdev_rx_handler_unregister(slave_dev); + + err_detach: +- if (!bond_uses_primary(bond)) +- bond_hw_addr_flush(bond_dev, slave_dev); +- + vlan_vids_del_by_dev(slave_dev, bond_dev); + if (rcu_access_pointer(bond->primary_slave) == new_slave) + RCU_INIT_POINTER(bond->primary_slave, NULL); +@@ -1725,6 +1722,10 @@ err_detach: + synchronize_rcu(); + slave_disable_netpoll(new_slave); + ++err_hwaddr_unsync: ++ if (!bond_uses_primary(bond)) ++ bond_hw_addr_flush(bond_dev, slave_dev); ++ + err_close: + slave_dev->priv_flags &= ~IFF_BONDING; + dev_close(slave_dev); diff --git a/queue-4.4/bonding-move-dev_mc_sync-after-master_upper_dev_link-in-bond_enslave.patch b/queue-4.4/bonding-move-dev_mc_sync-after-master_upper_dev_link-in-bond_enslave.patch new file mode 100644 index 00000000000..4d05ec5075d 
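Review bot: The `err_hwaddr_unsync` label introduced here is deleted again by the next patch in this batch (the bonding-move-dev_mc_sync hunk below removes both the label and the flush), so the three bond_enslave patches only apply cleanly in the listed order; that order is fixed by queue-4.4/series, which is in the diffstat but not in view. Within this hunk, placing the flush below `slave_disable_netpoll(new_slave)` also changes the unwind order on the `err_detach` path (vlan ids are now removed before the hardware addresses are unsynced); that appears harmless because `bond_hw_addr_flush` does not seem to depend on vlan state, but the commit message does not say so. A comment at the new label would record the intent: `/* reached for any failure after the dev hwaddr sync; keep above err_close */`. bond_enslave starts and ends outside the hunk.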
--- /dev/null
+++ b/queue-4.4/bonding-move-dev_mc_sync-after-master_upper_dev_link-in-bond_enslave.patch
@@ -0,0 +1,165 @@ +From foo@baz Wed Apr 11 14:31:43 CEST 2018 +From: Xin Long +Date: Mon, 26 Mar 2018 01:16:46 +0800 +Subject: bonding: move dev_mc_sync after master_upper_dev_link in bond_enslave + +From: Xin Long + + +[ Upstream commit ae42cc62a9f07f1f6979054ed92606b9c30f4a2e ] + +Beniamino found a crash when adding vlan as slave of bond which is also +the parent link: + + ip link add bond1 type bond + ip link set bond1 up + ip link add link bond1 vlan1 type vlan id 80 + ip link set vlan1 master bond1 + +The call trace is as below: + + [] queued_spin_lock_slowpath+0xb/0xf + [] _raw_spin_lock+0x20/0x30 + [] dev_mc_sync+0x37/0x80 + [] vlan_dev_set_rx_mode+0x1c/0x30 [8021q] + [] __dev_set_rx_mode+0x5a/0xa0 + [] dev_mc_sync_multiple+0x78/0x80 + [] bond_enslave+0x67c/0x1190 [bonding] + [] do_setlink+0x9c9/0xe50 + [] rtnl_newlink+0x522/0x880 + [] rtnetlink_rcv_msg+0xa7/0x260 + [] netlink_rcv_skb+0xab/0xc0 + [] rtnetlink_rcv+0x28/0x30 + [] netlink_unicast+0x170/0x210 + [] netlink_sendmsg+0x308/0x420 + [] sock_sendmsg+0xb6/0xf0 + +This is actually a dead lock caused by sync slave hwaddr from master when +the master is the slave's 'slave'. This dead loop check is actually done +by netdev_master_upper_dev_link. However, Commit 1f718f0f4f97 ("bonding: +populate neighbour's private on enslave") moved it after dev_mc_sync. + +This patch is to fix it by moving dev_mc_sync after master_upper_dev_link, +so that this loop check would be earlier than dev_mc_sync. It also moves +if (mode == BOND_MODE_8023AD) into if (!bond_uses_primary) clause as an +improvement. + +Note team driver also has this issue, I will fix it in another patch. + +Fixes: 1f718f0f4f97 ("bonding: populate neighbour's private on enslave") +Reported-by: Beniamino Galvani +Signed-off-by: Xin Long +Acked-by: Andy Gospodarek +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/bonding/bond_main.c | 73 +++++++++++++++++++--------------------- + 1 file changed, 35 insertions(+), 38 deletions(-) + +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -1490,44 +1490,11 @@ int bond_enslave(struct net_device *bond + goto err_close; + } + +- /* If the mode uses primary, then the following is handled by +- * bond_change_active_slave(). +- */ +- if (!bond_uses_primary(bond)) { +- /* set promiscuity level to new slave */ +- if (bond_dev->flags & IFF_PROMISC) { +- res = dev_set_promiscuity(slave_dev, 1); +- if (res) +- goto err_close; +- } +- +- /* set allmulti level to new slave */ +- if (bond_dev->flags & IFF_ALLMULTI) { +- res = dev_set_allmulti(slave_dev, 1); +- if (res) +- goto err_close; +- } +- +- netif_addr_lock_bh(bond_dev); +- +- dev_mc_sync_multiple(slave_dev, bond_dev); +- dev_uc_sync_multiple(slave_dev, bond_dev); +- +- netif_addr_unlock_bh(bond_dev); +- } +- +- if (BOND_MODE(bond) == BOND_MODE_8023AD) { +- /* add lacpdu mc addr to mc list */ +- u8 lacpdu_multicast[ETH_ALEN] = MULTICAST_LACPDU_ADDR; +- +- dev_mc_add(slave_dev, lacpdu_multicast); +- } +- + res = vlan_vids_add_by_dev(slave_dev, bond_dev); + if (res) { + netdev_err(bond_dev, "Couldn't add bond vlan ids to %s\n", + slave_dev->name); +- goto err_hwaddr_unsync; ++ goto err_close; + } + + prev_slave = bond_last_slave(bond); +@@ -1679,6 +1646,37 @@ int bond_enslave(struct net_device *bond + goto err_upper_unlink; + } + ++ /* If the mode uses primary, then the following is handled by ++ * bond_change_active_slave(). 
++ */ ++ if (!bond_uses_primary(bond)) { ++ /* set promiscuity level to new slave */ ++ if (bond_dev->flags & IFF_PROMISC) { ++ res = dev_set_promiscuity(slave_dev, 1); ++ if (res) ++ goto err_sysfs_del; ++ } ++ ++ /* set allmulti level to new slave */ ++ if (bond_dev->flags & IFF_ALLMULTI) { ++ res = dev_set_allmulti(slave_dev, 1); ++ if (res) ++ goto err_sysfs_del; ++ } ++ ++ netif_addr_lock_bh(bond_dev); ++ dev_mc_sync_multiple(slave_dev, bond_dev); ++ dev_uc_sync_multiple(slave_dev, bond_dev); ++ netif_addr_unlock_bh(bond_dev); ++ ++ if (BOND_MODE(bond) == BOND_MODE_8023AD) { ++ /* add lacpdu mc addr to mc list */ ++ u8 lacpdu_multicast[ETH_ALEN] = MULTICAST_LACPDU_ADDR; ++ ++ dev_mc_add(slave_dev, lacpdu_multicast); ++ } ++ } ++ + bond->slave_cnt++; + bond_compute_features(bond); + bond_set_carrier(bond); +@@ -1702,6 +1700,9 @@ int bond_enslave(struct net_device *bond + return 0; + + /* Undo stages on error */ ++err_sysfs_del: ++ bond_sysfs_slave_del(new_slave); ++ + err_upper_unlink: + bond_upper_dev_unlink(bond_dev, slave_dev); + +@@ -1722,10 +1723,6 @@ err_detach: + synchronize_rcu(); + slave_disable_netpoll(new_slave); + +-err_hwaddr_unsync: +- if (!bond_uses_primary(bond)) +- bond_hw_addr_flush(bond_dev, slave_dev); +- + err_close: + slave_dev->priv_flags &= ~IFF_BONDING; + dev_close(slave_dev); diff --git a/queue-4.4/bonding-process-the-err-returned-by-dev_set_allmulti-properly-in-bond_enslave.patch b/queue-4.4/bonding-process-the-err-returned-by-dev_set_allmulti-properly-in-bond_enslave.patch new file mode 100644 index 00000000000..2a24081bbd3 --- /dev/null +++ b/queue-4.4/bonding-process-the-err-returned-by-dev_set_allmulti-properly-in-bond_enslave.patch 
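Review bot: Nesting `if (BOND_MODE(bond) == BOND_MODE_8023AD)` inside the `!bond_uses_primary(bond)` block is a silent behaviour change unless 802.3ad can never be a primary-using mode; as far as I can tell `bond_uses_primary()` covers only active-backup, TLB and ALB, so the LACPDU address is still added, but the commit message calls this "an improvement" without stating why it is safe and the relocated block says nothing either. I'd put one line above the nested check: `/* 802.3ad never uses a primary, so nesting here skips nothing */`. Likewise, the reason `err_hwaddr_unsync` can be dropped is that nothing after the sync block can fail any more; a sentence at `err_sysfs_del` saying so would save the next reader from hunting for the missing unsync. bond_enslave's head and tail are outside the hunk.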
@@ -0,0 +1,38 @@ +From foo@baz Wed Apr 11 14:31:43 CEST 2018 +From: Xin Long +Date: Mon, 26 Mar 2018 01:16:47 +0800 +Subject: bonding: process the err returned by dev_set_allmulti properly in bond_enslave + +From: Xin Long + + +[ Upstream commit 9f5a90c107741b864398f4ac0014711a8c1d8474 ] + +When dev_set_promiscuity(1) succeeds but dev_set_allmulti(1) fails, +dev_set_promiscuity(-1) should be done before going to the err path. +Otherwise, dev->promiscuity will leak. + +Fixes: 7e1a1ac1fbaa ("bonding: Check return of dev_set_promiscuity/allmulti") +Signed-off-by: Xin Long +Acked-by: Andy Gospodarek +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/bonding/bond_main.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -1660,8 +1660,11 @@ int bond_enslave(struct net_device *bond + /* set allmulti level to new slave */ + if (bond_dev->flags & IFF_ALLMULTI) { + res = dev_set_allmulti(slave_dev, 1); +- if (res) ++ if (res) { ++ if (bond_dev->flags & IFF_PROMISC) ++ dev_set_promiscuity(slave_dev, -1); + goto err_sysfs_del; ++ } + } + + netif_addr_lock_bh(bond_dev); diff --git a/queue-4.4/ip6_gre-better-validate-user-provided-tunnel-names.patch b/queue-4.4/ip6_gre-better-validate-user-provided-tunnel-names.patch new file mode 100644 index 00000000000..f9cc3656a64 --- /dev/null +++ b/queue-4.4/ip6_gre-better-validate-user-provided-tunnel-names.patch 
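Review bot: The unwind on `dev_set_allmulti` failure drops the promiscuity reference only when `bond_dev->flags & IFF_PROMISC` is set, mirroring the condition under which it was taken; that is correct as long as `bond_dev->flags` cannot change between the two calls, which holds under rtnl but is not stated. The return value of `dev_set_promiscuity(slave_dev, -1)` is ignored, which is acceptable on an error path but deserves a word so nobody "fixes" it later: `/* release the reference taken above; result ignored on unwind */`. bond_enslave starts and ends outside the hunk.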
@@ -0,0 +1,73 @@ +From foo@baz Wed Apr 11 14:31:43 CEST 2018 +From: Eric Dumazet +Date: Thu, 5 Apr 2018 06:39:29 -0700 +Subject: ip6_gre: better validate user provided tunnel names + +From: Eric Dumazet + + +[ Upstream commit 5f42df013b8bc1b6511af7a04bf93b014884ae2a ] + +Use dev_valid_name() to make sure user does not provide illegal +device name. + +syzbot caught the following bug : + +BUG: KASAN: stack-out-of-bounds in strlcpy include/linux/string.h:300 [inline] +BUG: KASAN: stack-out-of-bounds in ip6gre_tunnel_locate+0x334/0x860 net/ipv6/ip6_gre.c:339 +Write of size 20 at addr ffff8801afb9f7b8 by task syzkaller851048/4466 + +CPU: 1 PID: 4466 Comm: syzkaller851048 Not tainted 4.16.0+ #1 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:17 [inline] + dump_stack+0x1b9/0x29f lib/dump_stack.c:53 + print_address_description+0x6c/0x20b mm/kasan/report.c:256 + kasan_report_error mm/kasan/report.c:354 [inline] + kasan_report.cold.7+0xac/0x2f5 mm/kasan/report.c:412 + check_memory_region_inline mm/kasan/kasan.c:260 [inline] + check_memory_region+0x13e/0x1b0 mm/kasan/kasan.c:267 + memcpy+0x37/0x50 mm/kasan/kasan.c:303 + strlcpy include/linux/string.h:300 [inline] + ip6gre_tunnel_locate+0x334/0x860 net/ipv6/ip6_gre.c:339 + ip6gre_tunnel_ioctl+0x69d/0x12e0 net/ipv6/ip6_gre.c:1195 + dev_ifsioc+0x43e/0xb90 net/core/dev_ioctl.c:334 + dev_ioctl+0x69a/0xcc0 net/core/dev_ioctl.c:525 + sock_ioctl+0x47e/0x680 net/socket.c:1015 + vfs_ioctl fs/ioctl.c:46 [inline] + file_ioctl fs/ioctl.c:500 [inline] + do_vfs_ioctl+0x1cf/0x1650 fs/ioctl.c:684 + ksys_ioctl+0xa9/0xd0 fs/ioctl.c:701 + SYSC_ioctl fs/ioctl.c:708 [inline] + SyS_ioctl+0x24/0x30 fs/ioctl.c:706 + do_syscall_64+0x29e/0x9d0 arch/x86/entry/common.c:287 + entry_SYSCALL_64_after_hwframe+0x42/0xb7 + +Fixes: c12b395a4664 ("gre: Support GRE over IPv6") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/ip6_gre.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +--- a/net/ipv6/ip6_gre.c ++++ b/net/ipv6/ip6_gre.c +@@ -320,11 +320,13 @@ static struct ip6_tnl *ip6gre_tunnel_loc + if (t || !create) + return t; + +- if (parms->name[0]) ++ if (parms->name[0]) { ++ if (!dev_valid_name(parms->name)) ++ return NULL; + strlcpy(name, parms->name, IFNAMSIZ); +- else ++ } else { + strcpy(name, "ip6gre%d"); +- ++ } + dev = alloc_netdev(sizeof(*t), name, NET_NAME_UNKNOWN, + ip6gre_tunnel_setup); + if (!dev) diff --git a/queue-4.4/ip6_tunnel-better-validate-user-provided-tunnel-names.patch b/queue-4.4/ip6_tunnel-better-validate-user-provided-tunnel-names.patch new file mode 100644 index 00000000000..2a2e06f4c8d --- /dev/null +++ b/queue-4.4/ip6_tunnel-better-validate-user-provided-tunnel-names.patch @@ -0,0 +1,44 @@ +From foo@baz Wed Apr 11 14:31:43 CEST 2018 +From: Eric Dumazet +Date: Thu, 5 Apr 2018 06:39:30 -0700 +Subject: ip6_tunnel: better validate user provided tunnel names + +From: Eric Dumazet + + +[ Upstream commit db7a65e3ab78e5b1c4b17c0870ebee35a4ee3257 ] + +Use valid_name() to make sure user does not provide illegal +device name. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/ip6_tunnel.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +--- a/net/ipv6/ip6_tunnel.c ++++ b/net/ipv6/ip6_tunnel.c +@@ -286,13 +286,16 @@ static struct ip6_tnl *ip6_tnl_create(st + struct net_device *dev; + struct ip6_tnl *t; + char name[IFNAMSIZ]; +- int err = -ENOMEM; ++ int err = -E2BIG; + +- if (p->name[0]) ++ if (p->name[0]) { ++ if (!dev_valid_name(p->name)) ++ goto failed; + strlcpy(name, p->name, IFNAMSIZ); +- else ++ } else { + sprintf(name, "ip6tnl%%d"); +- ++ } ++ err = -ENOMEM; + dev = alloc_netdev(sizeof(*t), name, NET_NAME_UNKNOWN, + ip6_tnl_dev_setup); + if (!dev) 
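Review bot: The new `dev_valid_name(parms->name)` call is only safe because dev_valid_name() is switched from strlen() to strnlen(name, IFNAMSIZ) by the net-fool-proof hunk later in this batch; `parms->name` is an IFNAMSIZ-byte array filled from userspace that need not be NUL-terminated (the KASAN report in the commit message shows strlcpy reading past it), so with the old dev_valid_name() the validation itself would over-read the same bytes. The same dependency applies to the ip6_tunnel, ip_tunnel and ipv6/sit hunks below (and presumably to the vti6 patch, which is in the diffstat but not in view), so queue-4.4/series has to place net-fool-proof-dev_valid_name.patch before all of them. A one-line comment at the check would make the invariant visible: `/* parms->name may be unterminated; dev_valid_name() bounds its scan to IFNAMSIZ */`. ip6gre_tunnel_locate's head and tail are outside the hunk.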
diff --git a/queue-4.4/ip_tunnel-better-validate-user-provided-tunnel-names.patch b/queue-4.4/ip_tunnel-better-validate-user-provided-tunnel-names.patch
new file mode 100644
index 00000000000..ee243b1246f
--- /dev/null
+++ b/queue-4.4/ip_tunnel-better-validate-user-provided-tunnel-names.patch
@@ -0,0 +1,78 @@ +From foo@baz Wed Apr 11 14:31:43 CEST 2018 +From: Eric Dumazet +Date: Thu, 5 Apr 2018 06:39:27 -0700 +Subject: ip_tunnel: better validate user provided tunnel names + +From: Eric Dumazet + + +[ Upstream commit 9cb726a212a82c88c98aa9f0037fd04777cd8fe5 ] + +Use dev_valid_name() to make sure user does not provide illegal +device name. + +syzbot caught the following bug : + +BUG: KASAN: stack-out-of-bounds in strlcpy include/linux/string.h:300 [inline] +BUG: KASAN: stack-out-of-bounds in __ip_tunnel_create+0xca/0x6b0 net/ipv4/ip_tunnel.c:257 +Write of size 20 at addr ffff8801ac79f810 by task syzkaller268107/4482 + +CPU: 0 PID: 4482 Comm: syzkaller268107 Not tainted 4.16.0+ #1 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:17 [inline] + dump_stack+0x1b9/0x29f lib/dump_stack.c:53 + print_address_description+0x6c/0x20b mm/kasan/report.c:256 + kasan_report_error mm/kasan/report.c:354 [inline] + kasan_report.cold.7+0xac/0x2f5 mm/kasan/report.c:412 + check_memory_region_inline mm/kasan/kasan.c:260 [inline] + check_memory_region+0x13e/0x1b0 mm/kasan/kasan.c:267 + memcpy+0x37/0x50 mm/kasan/kasan.c:303 + strlcpy include/linux/string.h:300 [inline] + __ip_tunnel_create+0xca/0x6b0 net/ipv4/ip_tunnel.c:257 + ip_tunnel_create net/ipv4/ip_tunnel.c:352 [inline] + ip_tunnel_ioctl+0x818/0xd40 net/ipv4/ip_tunnel.c:861 + ipip_tunnel_ioctl+0x1c5/0x420 net/ipv4/ipip.c:350 + dev_ifsioc+0x43e/0xb90 net/core/dev_ioctl.c:334 + dev_ioctl+0x69a/0xcc0 net/core/dev_ioctl.c:525 + sock_ioctl+0x47e/0x680 net/socket.c:1015 + vfs_ioctl fs/ioctl.c:46 [inline] + file_ioctl fs/ioctl.c:500 [inline] + do_vfs_ioctl+0x1cf/0x1650 fs/ioctl.c:684 + ksys_ioctl+0xa9/0xd0 fs/ioctl.c:701 + SYSC_ioctl fs/ioctl.c:708 [inline] + SyS_ioctl+0x24/0x30 fs/ioctl.c:706 + do_syscall_64+0x29e/0x9d0 arch/x86/entry/common.c:287 + entry_SYSCALL_64_after_hwframe+0x42/0xb7 + +Fixes: c54419321455 ("GRE: Refactor GRE tunneling 
code.") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/ip_tunnel.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +--- a/net/ipv4/ip_tunnel.c ++++ b/net/ipv4/ip_tunnel.c +@@ -253,13 +253,14 @@ static struct net_device *__ip_tunnel_cr + struct net_device *dev; + char name[IFNAMSIZ]; + +- if (parms->name[0]) ++ err = -E2BIG; ++ if (parms->name[0]) { ++ if (!dev_valid_name(parms->name)) ++ goto failed; + strlcpy(name, parms->name, IFNAMSIZ); +- else { +- if (strlen(ops->kind) > (IFNAMSIZ - 3)) { +- err = -E2BIG; ++ } else { ++ if (strlen(ops->kind) > (IFNAMSIZ - 3)) + goto failed; +- } + strlcpy(name, ops->kind, IFNAMSIZ); + strncat(name, "%d", 2); + } diff --git a/queue-4.4/ipv6-sit-better-validate-user-provided-tunnel-names.patch b/queue-4.4/ipv6-sit-better-validate-user-provided-tunnel-names.patch new file mode 100644 index 00000000000..bf4ec730988 --- /dev/null +++ b/queue-4.4/ipv6-sit-better-validate-user-provided-tunnel-names.patch 
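Review bot: Hoisting `err = -E2BIG;` above the `parms->name[0]` branch means a name rejected by `dev_valid_name()` is reported as -E2BIG, but dev_valid_name() also rejects `.`, `..`, slashes and whitespace (see its body in the net-fool-proof hunk below), which are not length problems; -EINVAL would match what dev_get_valid_name() returns for the same condition, if I recall correctly. The ip6_tunnel hunk above makes the same choice with `int err = -E2BIG;`. If -E2BIG is kept deliberately, a comment at the assignment, `/* -E2BIG for any invalid name, to match the existing kind-length check */`, would stop the next reader from flagging it. __ip_tunnel_create starts and ends outside the hunk.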
@@ -0,0 +1,73 @@ +From foo@baz Wed Apr 11 14:31:43 CEST 2018 +From: Eric Dumazet +Date: Thu, 5 Apr 2018 06:39:28 -0700 +Subject: ipv6: sit: better validate user provided tunnel names + +From: Eric Dumazet + + +[ Upstream commit b95211e066fc3494b7c115060b2297b4ba21f025 ] + +Use dev_valid_name() to make sure user does not provide illegal +device name. + +syzbot caught the following bug : + +BUG: KASAN: stack-out-of-bounds in strlcpy include/linux/string.h:300 [inline] +BUG: KASAN: stack-out-of-bounds in ipip6_tunnel_locate+0x63b/0xaa0 net/ipv6/sit.c:254 +Write of size 33 at addr ffff8801b64076d8 by task syzkaller932654/4453 + +CPU: 0 PID: 4453 Comm: syzkaller932654 Not tainted 4.16.0+ #1 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:17 [inline] + dump_stack+0x1b9/0x29f lib/dump_stack.c:53 + print_address_description+0x6c/0x20b mm/kasan/report.c:256 + kasan_report_error mm/kasan/report.c:354 [inline] + kasan_report.cold.7+0xac/0x2f5 mm/kasan/report.c:412 + check_memory_region_inline mm/kasan/kasan.c:260 [inline] + check_memory_region+0x13e/0x1b0 mm/kasan/kasan.c:267 + memcpy+0x37/0x50 mm/kasan/kasan.c:303 + strlcpy include/linux/string.h:300 [inline] + ipip6_tunnel_locate+0x63b/0xaa0 net/ipv6/sit.c:254 + ipip6_tunnel_ioctl+0xe71/0x241b net/ipv6/sit.c:1221 + dev_ifsioc+0x43e/0xb90 net/core/dev_ioctl.c:334 + dev_ioctl+0x69a/0xcc0 net/core/dev_ioctl.c:525 + sock_ioctl+0x47e/0x680 net/socket.c:1015 + vfs_ioctl fs/ioctl.c:46 [inline] + file_ioctl fs/ioctl.c:500 [inline] + do_vfs_ioctl+0x1cf/0x1650 fs/ioctl.c:684 + ksys_ioctl+0xa9/0xd0 fs/ioctl.c:701 + SYSC_ioctl fs/ioctl.c:708 [inline] + SyS_ioctl+0x24/0x30 fs/ioctl.c:706 + do_syscall_64+0x29e/0x9d0 arch/x86/entry/common.c:287 + entry_SYSCALL_64_after_hwframe+0x42/0xb7 + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/sit.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +--- a/net/ipv6/sit.c ++++ b/net/ipv6/sit.c +@@ -244,11 +244,13 @@ static struct ip_tunnel *ipip6_tunnel_lo + if (!create) + goto failed; + +- if (parms->name[0]) ++ if (parms->name[0]) { ++ if (!dev_valid_name(parms->name)) ++ goto failed; + strlcpy(name, parms->name, IFNAMSIZ); +- else ++ } else { + strcpy(name, "sit%d"); +- ++ } + dev = alloc_netdev(sizeof(*t), name, NET_NAME_UNKNOWN, + ipip6_tunnel_setup); + if (!dev) diff --git a/queue-4.4/ipv6-the-entire-ipv6-header-chain-must-fit-the-first-fragment.patch b/queue-4.4/ipv6-the-entire-ipv6-header-chain-must-fit-the-first-fragment.patch new file mode 100644 index 00000000000..20450be0b04 --- /dev/null +++ b/queue-4.4/ipv6-the-entire-ipv6-header-chain-must-fit-the-first-fragment.patch 
@@ -0,0 +1,121 @@ +From foo@baz Wed Apr 11 14:31:43 CEST 2018 +From: Paolo Abeni +Date: Fri, 23 Mar 2018 14:47:30 +0100 +Subject: ipv6: the entire IPv6 header chain must fit the first fragment + +From: Paolo Abeni + + +[ Upstream commit 10b8a3de603df7b96004179b1b33b1708c76d144 ] + +While building ipv6 datagram we currently allow arbitrary large +extheaders, even beyond pmtu size. The syzbot has found a way +to exploit the above to trigger the following splat: + +kernel BUG at ./include/linux/skbuff.h:2073! +invalid opcode: 0000 [#1] SMP KASAN +Dumping ftrace buffer: + (ftrace buffer empty) +Modules linked in: +CPU: 1 PID: 4230 Comm: syzkaller672661 Not tainted 4.16.0-rc2+ #326 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS +Google 01/01/2011 +RIP: 0010:__skb_pull include/linux/skbuff.h:2073 [inline] +RIP: 0010:__ip6_make_skb+0x1ac8/0x2190 net/ipv6/ip6_output.c:1636 +RSP: 0018:ffff8801bc18f0f0 EFLAGS: 00010293 +RAX: ffff8801b17400c0 RBX: 0000000000000738 RCX: ffffffff84f01828 +RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff8801b415ac18 +RBP: ffff8801bc18f360 R08: ffff8801b4576844 R09: 0000000000000000 +R10: ffff8801bc18f380 R11: ffffed00367aee4e R12: 00000000000000d6 +R13: ffff8801b415a740 R14: dffffc0000000000 R15: ffff8801b45767c0 +FS: 0000000001535880(0000) GS:ffff8801db300000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 000000002000b000 CR3: 00000001b4123001 CR4: 00000000001606e0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + ip6_finish_skb include/net/ipv6.h:969 [inline] + udp_v6_push_pending_frames+0x269/0x3b0 net/ipv6/udp.c:1073 + udpv6_sendmsg+0x2a96/0x3400 net/ipv6/udp.c:1343 + inet_sendmsg+0x11f/0x5e0 net/ipv4/af_inet.c:764 + sock_sendmsg_nosec net/socket.c:630 [inline] + sock_sendmsg+0xca/0x110 net/socket.c:640 + ___sys_sendmsg+0x320/0x8b0 net/socket.c:2046 + 
__sys_sendmmsg+0x1ee/0x620 net/socket.c:2136 + SYSC_sendmmsg net/socket.c:2167 [inline] + SyS_sendmmsg+0x35/0x60 net/socket.c:2162 + do_syscall_64+0x280/0x940 arch/x86/entry/common.c:287 + entry_SYSCALL_64_after_hwframe+0x42/0xb7 +RIP: 0033:0x4404c9 +RSP: 002b:00007ffdce35f948 EFLAGS: 00000217 ORIG_RAX: 0000000000000133 +RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004404c9 +RDX: 0000000000000003 RSI: 0000000020001f00 RDI: 0000000000000003 +RBP: 00000000006cb018 R08: 00000000004002c8 R09: 00000000004002c8 +R10: 0000000020000080 R11: 0000000000000217 R12: 0000000000401df0 +R13: 0000000000401e80 R14: 0000000000000000 R15: 0000000000000000 +Code: ff e8 1d 5e b9 fc e9 15 e9 ff ff e8 13 5e b9 fc e9 44 e8 ff ff e8 29 +5e b9 fc e9 c0 e6 ff ff e8 3f f3 80 fc 0f 0b e8 38 f3 80 fc <0f> 0b 49 8d +87 80 00 00 00 4d 8d 87 84 00 00 00 48 89 85 20 fe +RIP: __skb_pull include/linux/skbuff.h:2073 [inline] RSP: ffff8801bc18f0f0 +RIP: __ip6_make_skb+0x1ac8/0x2190 net/ipv6/ip6_output.c:1636 RSP: +ffff8801bc18f0f0 + +As stated by RFC 7112 section 5: + + When a host fragments an IPv6 datagram, it MUST include the entire + IPv6 Header Chain in the First Fragment. + +So this patch addresses the issue dropping datagrams with excessive +extheader length. It also updates the error path to report to the +calling socket nonnegative pmtu values. + +The issue apparently predates git history. + +v1 -> v2: cleanup error path, as per Eric's suggestion + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: syzbot+91e6f9932ff122fa4410@syzkaller.appspotmail.com +Signed-off-by: Paolo Abeni +Reviewed-by: Eric Dumazet +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/ip6_output.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +--- a/net/ipv6/ip6_output.c ++++ b/net/ipv6/ip6_output.c +@@ -1278,7 +1278,7 @@ static int __ip6_append_data(struct sock + unsigned int flags, int dontfrag) + { + struct sk_buff *skb, *skb_prev = NULL; +- unsigned int maxfraglen, fragheaderlen, mtu, orig_mtu; ++ unsigned int maxfraglen, fragheaderlen, mtu, orig_mtu, pmtu; + int exthdrlen = 0; + int dst_exthdrlen = 0; + int hh_len; +@@ -1314,6 +1314,12 @@ static int __ip6_append_data(struct sock + sizeof(struct frag_hdr) : 0) + + rt->rt6i_nfheader_len; + ++ /* as per RFC 7112 section 5, the entire IPv6 Header Chain must fit ++ * the first fragment ++ */ ++ if (headersize + transhdrlen > mtu) ++ goto emsgsize; ++ + if (cork->length + length > mtu - headersize && dontfrag && + (sk->sk_protocol == IPPROTO_UDP || + sk->sk_protocol == IPPROTO_RAW)) { +@@ -1329,9 +1335,8 @@ static int __ip6_append_data(struct sock + + if (cork->length + length > maxnonfragsize - headersize) { + emsgsize: +- ipv6_local_error(sk, EMSGSIZE, fl6, +- mtu - headersize + +- sizeof(struct ipv6hdr)); ++ pmtu = max_t(int, mtu - headersize + sizeof(struct ipv6hdr), 0); ++ ipv6_local_error(sk, EMSGSIZE, fl6, pmtu); + return -EMSGSIZE; + } + diff --git a/queue-4.4/net-fix-possible-out-of-bound-read-in-skb_network_protocol.patch b/queue-4.4/net-fix-possible-out-of-bound-read-in-skb_network_protocol.patch new file mode 100644 index 00000000000..b3b30e9b7be --- /dev/null +++ b/queue-4.4/net-fix-possible-out-of-bound-read-in-skb_network_protocol.patch 
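Review bot: The clamp `pmtu = max_t(int, mtu - headersize + sizeof(struct ipv6hdr), 0)` only works through integer wrap: `mtu` and `headersize` are `unsigned int`, so once the new `headersize + transhdrlen > mtu` check routes to `emsgsize` the subtraction can underflow, the `sizeof` widens it to `size_t`, and it is the truncation to `int` inside max_t that turns the result back into a negative number for the `0` to win. It yields the right value, but it is subtle enough to deserve either explicit signed arithmetic, `pmtu = max_t(int, (int)mtu - (int)headersize + (int)sizeof(struct ipv6hdr), 0);`, or a comment saying the underflow is expected and intentionally clamped. Note also that `transhdrlen` is signed while the operands around it are unsigned; it is non-negative in practice, so the comparison is fine, but that is not visible in the hunk. __ip6_append_data's head and tail are outside the hunk.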
@@ -0,0 +1,59 @@
+From foo@baz Wed Apr 11 14:31:43 CEST 2018
+From: Eric Dumazet
+Date: Mon, 26 Mar 2018 08:08:07 -0700
+Subject: net: fix possible out-of-bound read in skb_network_protocol()
+
+From: Eric Dumazet
+
+
+[ Upstream commit 1dfe82ebd7d8fd43dba9948fdfb31f145014baa0 ]
+
+skb mac header is not necessarily set at the time skb_network_protocol()
+is called. Use skb->data instead.
+
+BUG: KASAN: slab-out-of-bounds in skb_network_protocol+0x46b/0x4b0 net/core/dev.c:2739
+Read of size 2 at addr ffff8801b3097a0b by task syz-executor5/14242
+
+CPU: 1 PID: 14242 Comm: syz-executor5 Not tainted 4.16.0-rc6+ #280
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:17 [inline]
+ dump_stack+0x194/0x24d lib/dump_stack.c:53
+ print_address_description+0x73/0x250 mm/kasan/report.c:256
+ kasan_report_error mm/kasan/report.c:354 [inline]
+ kasan_report+0x23c/0x360 mm/kasan/report.c:412
+ __asan_report_load_n_noabort+0xf/0x20 mm/kasan/report.c:443
+ skb_network_protocol+0x46b/0x4b0 net/core/dev.c:2739
+ harmonize_features net/core/dev.c:2924 [inline]
+ netif_skb_features+0x509/0x9b0 net/core/dev.c:3011
+ validate_xmit_skb+0x81/0xb00 net/core/dev.c:3084
+ validate_xmit_skb_list+0xbf/0x120 net/core/dev.c:3142
+ packet_direct_xmit+0x117/0x790 net/packet/af_packet.c:256
+ packet_snd net/packet/af_packet.c:2944 [inline]
+ packet_sendmsg+0x3aed/0x60b0 net/packet/af_packet.c:2969
+ sock_sendmsg_nosec net/socket.c:629 [inline]
+ sock_sendmsg+0xca/0x110 net/socket.c:639
+ ___sys_sendmsg+0x767/0x8b0 net/socket.c:2047
+ __sys_sendmsg+0xe5/0x210 net/socket.c:2081
+
+Fixes: 19acc327258a ("gso: Handle Trans-Ether-Bridging protocol in skb_network_protocol()")
+Signed-off-by: Eric Dumazet
+Cc: Pravin B Shelar
+Reported-by: Reported-by: syzbot
+Signed-off-by: David S.
Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/core/dev.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -2515,7 +2515,7 @@ __be16 skb_network_protocol(struct sk_bu
+ if (unlikely(!pskb_may_pull(skb, sizeof(struct ethhdr))))
+ return 0;
+
+- eth = (struct ethhdr *)skb_mac_header(skb);
++ eth = (struct ethhdr *)skb->data;
+ type = eth->h_proto;
+ }
+
diff --git a/queue-4.4/net-fool-proof-dev_valid_name.patch b/queue-4.4/net-fool-proof-dev_valid_name.patch
new file mode 100644
index 00000000000..c18f9441e05
--- /dev/null
+++ b/queue-4.4/net-fool-proof-dev_valid_name.patch
@@ -0,0 +1,32 @@
+From foo@baz Wed Apr 11 14:31:43 CEST 2018
+From: Eric Dumazet
+Date: Thu, 5 Apr 2018 06:39:26 -0700
+Subject: net: fool proof dev_valid_name()
+
+From: Eric Dumazet
+
+
+[ Upstream commit a9d48205d0aedda021fc3728972a9e9934c2b9de ]
+
+We want to use dev_valid_name() to validate tunnel names,
+so better use strnlen(name, IFNAMSIZ) than strlen(name) to make
+sure to not upset KASAN.
+
+Signed-off-by: Eric Dumazet
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/core/dev.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -989,7 +989,7 @@ bool dev_valid_name(const char *name)
+ {
+ if (*name == '\0')
+ return false;
+- if (strlen(name) >= IFNAMSIZ)
++ if (strnlen(name, IFNAMSIZ) == IFNAMSIZ)
+ return false;
+ if (!strcmp(name, ".") || !strcmp(name, ".."))
+ return false;
diff --git a/queue-4.4/net-ipv6-fix-route-leaking-between-vrfs.patch b/queue-4.4/net-ipv6-fix-route-leaking-between-vrfs.patch
new file mode 100644
index 00000000000..02d6ce0be12
--- /dev/null
+++ b/queue-4.4/net-ipv6-fix-route-leaking-between-vrfs.patch
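Review bot: The new `eth = (struct ethhdr *)skb->data;` is only in bounds because of the `pskb_may_pull(skb, sizeof(struct ethhdr))` two lines above, and nothing at the new line says so; a later refactor that moves or drops that pull would silently bring back the out-of-bounds read this commit fixes. Suggest a comment on the new line: `/* mac header may be unset here (e.g. af_packet xmit); read from skb->data, which the pull above guarantees holds a full ethhdr */`. skb_network_protocol() starts and ends outside the hunk, so the surrounding branch conditions are not visible here.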
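Review bot: After the new `strnlen(name, IFNAMSIZ) == IFNAMSIZ` test, `name` is known to contain a NUL within IFNAMSIZ bytes, and that invariant is what makes the `strcmp(name, ".")` / `strcmp(name, "..")` calls on the next line safe for a caller passing an unterminated IFNAMSIZ buffer; it is worth stating so nobody reorders the checks. Suggest `/* rejects names of IFNAMSIZ or more, and guarantees a NUL within IFNAMSIZ for the strcmp()s below */` above the strnlen line. The rest of dev_valid_name() continues outside the hunk, so whether later code also relies on termination cannot be confirmed here.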
@@ -0,0 +1,51 @@
+From foo@baz Wed Apr 11 14:31:43 CEST 2018
+From: David Ahern
+Date: Thu, 29 Mar 2018 17:44:57 -0700
+Subject: net/ipv6: Fix route leaking between VRFs
+
+From: David Ahern
+
+
+[ Upstream commit b6cdbc85234b072340b8923e69f49ec293f905dc ]
+
+Donald reported that IPv6 route leaking between VRFs is not working.
+The root cause is the strict argument in the call to rt6_lookup when
+validating the nexthop spec.
+
+ip6_route_check_nh validates the gateway and device (if given) of a
+route spec. It in turn could call rt6_lookup (e.g., lookup in a given
+table did not succeed so it falls back to a full lookup) and if so
+sets the strict argument to 1. That means if the egress device is given,
+the route lookup needs to return a result with the same device. This
+strict requirement does not work with VRFs (IPv4 or IPv6) because the
+oif in the flow struct is overridden with the index of the VRF device
+to trigger a match on the l3mdev rule and force the lookup to its table.
+
+The right long term solution is to add an l3mdev index to the flow
+struct such that the oif is not overridden. That solution will not
+backport well, so this patch aims for a simpler solution to relax the
+strict argument if the route spec device is an l3mdev slave. As done
+in other places, use the FLOWI_FLAG_SKIP_NH_OIF to know that the
+RT6_LOOKUP_F_IFACE flag needs to be removed.
+
+Fixes: ca254490c8df ("net: Add VRF support to IPv6 stack")
+Reported-by: Donald Sharp
+Signed-off-by: David Ahern
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv6/route.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/ipv6/route.c
++++ b/net/ipv6/route.c
+@@ -851,6 +851,9 @@ static struct rt6_info *ip6_pol_route_lo
+ struct fib6_node *fn;
+ struct rt6_info *rt;
+
++ if (fl6->flowi6_flags & FLOWI_FLAG_SKIP_NH_OIF)
++ flags &= ~RT6_LOOKUP_F_IFACE;
++
+ read_lock_bh(&table->tb6_lock);
+ fn = fib6_lookup(&table->tb6_root, &fl6->daddr, &fl6->saddr);
+ restart:
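Review bot: The new test strips RT6_LOOKUP_F_IFACE from every lookup that carries FLOWI_FLAG_SKIP_NH_OIF, and the reason (the VRF code overrides flowi6_oif with the l3mdev index, per the commit message) is not visible anywhere in ip6_pol_route_lookup(); the next reader sees a strict-interface lookup being silently relaxed with no justification. Suggest a comment above the check: `/* l3mdev lookups override oif with the VRF device; do not insist the result's device match it */`. ip6_pol_route_lookup() continues past `restart:` outside the hunk, so whether the cleared flag is consulted again further down cannot be confirmed here.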
diff --git a/queue-4.4/net-ipv6-increment-outxxx-counters-after-netfilter-hook.patch b/queue-4.4/net-ipv6-increment-outxxx-counters-after-netfilter-hook.patch
new file mode 100644
index 00000000000..cb774b345a0
--- /dev/null
+++ b/queue-4.4/net-ipv6-increment-outxxx-counters-after-netfilter-hook.patch
@@ -0,0 +1,47 @@
+From foo@baz Wed Apr 11 14:31:43 CEST 2018
+From: Jeff Barnhill <0xeffeff@gmail.com>
+Date: Thu, 5 Apr 2018 21:29:47 +0000
+Subject: net/ipv6: Increment OUTxxx counters after netfilter hook
+
+From: Jeff Barnhill <0xeffeff@gmail.com>
+
+
+[ Upstream commit 71a1c915238c970cd9bdd5bf158b1279d6b6d55b ]
+
+At the end of ip6_forward(), IPSTATS_MIB_OUTFORWDATAGRAMS and
+IPSTATS_MIB_OUTOCTETS are incremented immediately before the NF_HOOK call
+for NFPROTO_IPV6 / NF_INET_FORWARD. As a result, these counters get
+incremented regardless of whether or not the netfilter hook allows the
+packet to continue being processed. This change increments the counters
+in ip6_forward_finish() so that it will not happen if the netfilter hook
+chooses to terminate the packet, which is similar to how IPv4 works.
+
+Signed-off-by: Jeff Barnhill <0xeffeff@gmail.com>
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv6/ip6_output.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/net/ipv6/ip6_output.c
++++ b/net/ipv6/ip6_output.c
+@@ -340,6 +340,10 @@ static int ip6_forward_proxy_check(struc
+ static inline int ip6_forward_finish(struct net *net, struct sock *sk,
+ struct sk_buff *skb)
+ {
++ struct dst_entry *dst = skb_dst(skb);
++
++ IP6_INC_STATS_BH(net, ip6_dst_idev(dst), IPSTATS_MIB_OUTFORWDATAGRAMS);
++ IP6_ADD_STATS_BH(net, ip6_dst_idev(dst), IPSTATS_MIB_OUTOCTETS, skb->len);
+ skb_sender_cpu_clear(skb);
+ return dst_output(net, sk, skb);
+ }
+@@ -534,8 +538,6 @@ int ip6_forward(struct sk_buff *skb)
+
+ hdr->hop_limit--;
+
+- IP6_INC_STATS_BH(net, ip6_dst_idev(dst), IPSTATS_MIB_OUTFORWDATAGRAMS);
+- IP6_ADD_STATS_BH(net, ip6_dst_idev(dst), IPSTATS_MIB_OUTOCTETS, skb->len);
+ return NF_HOOK(NFPROTO_IPV6, NF_INET_FORWARD,
+ net, NULL, skb, skb->dev, dst->dev,
+ ip6_forward_finish);
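Review bot: Moving the two IP6_*_STATS_BH calls into ip6_forward_finish() also changes what OUTOCTETS measures: `skb->len` is now sampled after the NF_INET_FORWARD hook, so a length change made by a netfilter target is counted instead of the pre-hook length, and a reader of ip6_forward_finish() gets no hint that this placement is deliberate. Suggest a comment above the new counters: `/* counted here, after NF_INET_FORWARD, so packets the hook drops are not reported as forwarded (matches IPv4) */`. The `dst` variable the removed lines used is declared outside the hunk; presumably it is the same skb_dst() the new local reads, but that cannot be confirmed here.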
diff --git a/queue-4.4/net-sched-actions-fix-dumping-which-requires-several-messages-to-user-space.patch b/queue-4.4/net-sched-actions-fix-dumping-which-requires-several-messages-to-user-space.patch
new file mode 100644
index 00000000000..9c2417f4c49
--- /dev/null
+++ b/queue-4.4/net-sched-actions-fix-dumping-which-requires-several-messages-to-user-space.patch
@@ -0,0 +1,75 @@
+From foo@baz Wed Apr 11 14:31:43 CEST 2018
+From: Craig Dillabaugh
+Date: Mon, 26 Mar 2018 14:58:32 -0400
+Subject: net sched actions: fix dumping which requires several messages to user space
+
+From: Craig Dillabaugh
+
+
+[ Upstream commit 734549eb550c0c720bc89e50501f1b1e98cdd841 ]
+
+Fixes a bug in the tcf_dump_walker function that can cause some actions
+to not be reported when dumping a large number of actions. This issue
+became more aggrevated when cookies feature was added. In particular
+this issue is manifest when large cookie values are assigned to the
+actions and when enough actions are created that the resulting table
+must be dumped in multiple batches.
+
+The number of actions returned in each batch is limited by the total
+number of actions and the memory buffer size. With small cookies
+the numeric limit is reached before the buffer size limit, which avoids
+the code path triggering this bug. When large cookies are used buffer
+fills before the numeric limit, and the erroneous code path is hit.
+
+For example after creating 32 csum actions with the cookie
+aaaabbbbccccdddd
+
+$ tc actions ls action csum
+total acts 26
+
+ action order 0: csum (tcp) action continue
+ index 1 ref 1 bind 0
+ cookie aaaabbbbccccdddd
+
+ .....
+
+ action order 25: csum (tcp) action continue
+ index 26 ref 1 bind 0
+ cookie aaaabbbbccccdddd
+total acts 6
+
+ action order 0: csum (tcp) action continue
+ index 28 ref 1 bind 0
+ cookie aaaabbbbccccdddd
+
+ ......
+
+ action order 5: csum (tcp) action continue
+ index 32 ref 1 bind 0
+ cookie aaaabbbbccccdddd
+
+Note that the action with index 27 is omitted from the report.
+
+Fixes: 4b3550ef530c ("[NET_SCHED]: Use nla_nest_start/nla_nest_end")"
+Signed-off-by: Craig Dillabaugh
+Acked-by: Jamal Hadi Salim
+Signed-off-by: David S.
Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/sched/act_api.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/sched/act_api.c
++++ b/net/sched/act_api.c
+@@ -101,8 +101,10 @@ static int tcf_dump_walker(struct sk_buf
+ a->order = n_i;
+
+ nest = nla_nest_start(skb, a->order);
+- if (nest == NULL)
++ if (nest == NULL) {
++ index--;
+ goto nla_put_failure;
++ }
+ err = tcf_action_dump_1(skb, a, 0, 0);
+ if (err < 0) {
+ index--;
diff --git a/queue-4.4/net-sched-fix-null-dereference-in-the-error-path-of-tcf_bpf_init.patch b/queue-4.4/net-sched-fix-null-dereference-in-the-error-path-of-tcf_bpf_init.patch
new file mode 100644
index 00000000000..cb8a6858576
--- /dev/null
+++ b/queue-4.4/net-sched-fix-null-dereference-in-the-error-path-of-tcf_bpf_init.patch
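Review bot: The new `index--;` on the nla_nest_start() failure path duplicates the one in the `tcf_action_dump_1()` error branch directly below, and neither says why the counter is rewound, so the two are easy to desynchronise the next time an error exit is added. Suggest a comment on the new branch, `/* nothing dumped for this action; rewind so the next batch restarts from it */`, and consider routing both failures through one label so the rewind lives in a single place. tcf_dump_walker() starts and ends outside the hunk, so where `index` is consumed after nla_put_failure is not visible here.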
@@ -0,0 +1,100 @@ +From foo@baz Wed Apr 11 14:31:43 CEST 2018 +From: Davide Caratti +Date: Fri, 6 Apr 2018 01:19:37 +0200 +Subject: net/sched: fix NULL dereference in the error path of tcf_bpf_init() + +From: Davide Caratti + + +[ Upstream commit 3239534a79ee6f20cffd974173a1e62e0730e8ac ] + +when tcf_bpf_init_from_ops() fails (e.g. because of program having invalid +number of instructions), tcf_bpf_cfg_cleanup() calls bpf_prog_put(NULL) or +bpf_prog_destroy(NULL). Unless CONFIG_BPF_SYSCALL is unset, this causes +the following error: + + BUG: unable to handle kernel NULL pointer dereference at 0000000000000020 + PGD 800000007345a067 P4D 800000007345a067 PUD 340e1067 PMD 0 + Oops: 0000 [#1] SMP PTI + Modules linked in: act_bpf(E) ip6table_filter ip6_tables iptable_filter binfmt_misc ext4 mbcache jbd2 crct10dif_pclmul crc32_pclmul ghash_clmulni_intel snd_hda_codec_generic pcbc snd_hda_intel snd_hda_codec snd_hda_core snd_hwdep snd_seq snd_seq_device snd_pcm aesni_intel crypto_simd glue_helper cryptd joydev snd_timer snd virtio_balloon pcspkr soundcore i2c_piix4 nfsd auth_rpcgss nfs_acl lockd grace sunrpc ip_tables xfs libcrc32c ata_generic pata_acpi qxl drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm virtio_blk drm virtio_net virtio_console i2c_core crc32c_intel serio_raw virtio_pci ata_piix libata virtio_ring floppy virtio dm_mirror dm_region_hash dm_log dm_mod [last unloaded: act_bpf] + CPU: 3 PID: 5654 Comm: tc Tainted: G E 4.16.0.bpf_test+ #408 + Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011 + RIP: 0010:__bpf_prog_put+0xc/0xc0 + RSP: 0018:ffff9594003ef728 EFLAGS: 00010202 + RAX: 0000000000000000 RBX: ffff9594003ef758 RCX: 0000000000000024 + RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000 + RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000044 + R10: 0000000000000220 R11: ffff8a7ab9f17131 R12: 0000000000000000 + R13: ffff8a7ab7c3c8e0 R14: 0000000000000001 R15: ffff8a7ab88f1054 + FS: 00007fcb2f17c740(0000) 
GS:ffff8a7abfd80000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 0000000000000020 CR3: 000000007c888006 CR4: 00000000001606e0 + Call Trace: + tcf_bpf_cfg_cleanup+0x2f/0x40 [act_bpf] + tcf_bpf_cleanup+0x4c/0x70 [act_bpf] + __tcf_idr_release+0x79/0x140 + tcf_bpf_init+0x125/0x330 [act_bpf] + tcf_action_init_1+0x2cc/0x430 + ? get_page_from_freelist+0x3f0/0x11b0 + tcf_action_init+0xd3/0x1b0 + tc_ctl_action+0x18b/0x240 + rtnetlink_rcv_msg+0x29c/0x310 + ? _cond_resched+0x15/0x30 + ? __kmalloc_node_track_caller+0x1b9/0x270 + ? rtnl_calcit.isra.29+0x100/0x100 + netlink_rcv_skb+0xd2/0x110 + netlink_unicast+0x17c/0x230 + netlink_sendmsg+0x2cd/0x3c0 + sock_sendmsg+0x30/0x40 + ___sys_sendmsg+0x27a/0x290 + ? mem_cgroup_commit_charge+0x80/0x130 + ? page_add_new_anon_rmap+0x73/0xc0 + ? do_anonymous_page+0x2a2/0x560 + ? __handle_mm_fault+0xc75/0xe20 + __sys_sendmsg+0x58/0xa0 + do_syscall_64+0x6e/0x1a0 + entry_SYSCALL_64_after_hwframe+0x3d/0xa2 + RIP: 0033:0x7fcb2e58eba0 + RSP: 002b:00007ffc93c496c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e + RAX: ffffffffffffffda RBX: 00007ffc93c497f0 RCX: 00007fcb2e58eba0 + RDX: 0000000000000000 RSI: 00007ffc93c49740 RDI: 0000000000000003 + RBP: 000000005ac6a646 R08: 0000000000000002 R09: 0000000000000000 + R10: 00007ffc93c49120 R11: 0000000000000246 R12: 0000000000000000 + R13: 00007ffc93c49804 R14: 0000000000000001 R15: 000000000066afa0 + Code: 5f 00 48 8b 43 20 48 c7 c7 70 2f 7c b8 c7 40 10 00 00 00 00 5b e9 a5 8b 61 00 0f 1f 44 00 00 0f 1f 44 00 00 41 54 55 48 89 fd 53 <48> 8b 47 20 f0 ff 08 74 05 5b 5d 41 5c c3 41 89 f4 0f 1f 44 00 + RIP: __bpf_prog_put+0xc/0xc0 RSP: ffff9594003ef728 + CR2: 0000000000000020 + +Fix it in tcf_bpf_cfg_cleanup(), ensuring that bpf_prog_{put,destroy}(f) +is called only when f is not NULL. + +Fixes: bbc09e7842a5 ("net/sched: fix idr leak on the error path of tcf_bpf_init()") +Reported-by: Lucas Bates +Signed-off-by: Davide Caratti +Signed-off-by: David S. 
Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/sched/act_bpf.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+--- a/net/sched/act_bpf.c
++++ b/net/sched/act_bpf.c
+@@ -249,10 +249,14 @@ static int tcf_bpf_init_from_efd(struct
+
+ static void tcf_bpf_cfg_cleanup(const struct tcf_bpf_cfg *cfg)
+ {
+- if (cfg->is_ebpf)
+- bpf_prog_put(cfg->filter);
+- else
+- bpf_prog_destroy(cfg->filter);
++ struct bpf_prog *filter = cfg->filter;
++
++ if (filter) {
++ if (cfg->is_ebpf)
++ bpf_prog_put(filter);
++ else
++ bpf_prog_destroy(filter);
++ }
+
+ kfree(cfg->bpf_ops);
+ kfree(cfg->bpf_name);
diff --git a/queue-4.4/netlink-make-sure-nladdr-has-correct-size-in-netlink_connect.patch b/queue-4.4/netlink-make-sure-nladdr-has-correct-size-in-netlink_connect.patch
new file mode 100644
index 00000000000..907e4355dd1
--- /dev/null
+++ b/queue-4.4/netlink-make-sure-nladdr-has-correct-size-in-netlink_connect.patch
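Review bot: The `if (filter)` guard in tcf_bpf_cfg_cleanup() only helps if `cfg->filter` is actually NULL, rather than stale or uninitialised, on the failure path the commit describes, and that depends on callers zero-initialising their struct tcf_bpf_cfg before tcf_bpf_init_from_ops() runs — none of which is visible in this hunk. Worth confirming every caller declares its cfg with `= {}` or memsets it, and recording the assumption on the new check: `/* NULL when tcf_bpf_init_from_ops() failed; callers must zero-init cfg */`. Because `cfg` is `const`, the pointer cannot be cleared after the put, so this cleanup must not be reachable twice for the same cfg.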
@@ -0,0 +1,35 @@
+From foo@baz Wed Apr 11 14:31:43 CEST 2018
+From: Alexander Potapenko
+Date: Fri, 23 Mar 2018 13:49:02 +0100
+Subject: netlink: make sure nladdr has correct size in netlink_connect()
+
+From: Alexander Potapenko
+
+
+[ Upstream commit 7880287981b60a6808f39f297bb66936e8bdf57a ]
+
+KMSAN reports use of uninitialized memory in the case when |alen| is
+smaller than sizeof(struct sockaddr_nl), and therefore |nladdr| isn't
+fully copied from the userspace.
+
+Signed-off-by: Alexander Potapenko
+Fixes: 1da177e4c3f41524 ("Linux-2.6.12-rc2")
+Reviewed-by: Eric Dumazet
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/netlink/af_netlink.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/netlink/af_netlink.c
++++ b/net/netlink/af_netlink.c
+@@ -1054,6 +1054,9 @@ static int netlink_connect(struct socket
+ if (addr->sa_family != AF_NETLINK)
+ return -EINVAL;
+
++ if (alen < sizeof(struct sockaddr_nl))
++ return -EINVAL;
++
+ if ((nladdr->nl_groups || nladdr->nl_pid) &&
+ !netlink_allowed(sock, NL_CFG_F_NONROOT_SEND))
+ return -EPERM;
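Review bot: The new `alen < sizeof(struct sockaddr_nl)` check sits after `addr->sa_family != AF_NETLINK` has already been read, so the family bytes are still examined before any length is validated; if netlink_connect() can be entered with `alen` smaller than `sizeof(addr->sa_family)` (the start of the function, where the AF_UNSPEC case is handled, is outside the hunk), that earlier read has the same uninitialised-memory problem this commit fixes for the rest of the struct. Suggest hoisting a minimal check to the top of the function, ahead of the family comparison: `if (alen < sizeof(addr->sa_family)) return -EINVAL;`, and keeping the full-size check where it is now. Returning -EINVAL for a short address is consistent with how the bad-family case is already reported.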
@@ -0,0 +1,115 @@ +From foo@baz Wed Apr 11 14:31:43 CEST 2018 +From: Eric Dumazet +Date: Mon, 2 Apr 2018 18:48:37 -0700 +Subject: pptp: remove a buggy dst release in pptp_connect() + +From: Eric Dumazet + + +[ Upstream commit bfacfb457b36911a10140b8cb3ce76a74883ac5a ] + +Once dst has been cached in socket via sk_setup_caps(), +it is illegal to call ip_rt_put() (or dst_release()), +since sk_setup_caps() did not change dst refcount. + +We can still dereference it since we hold socket lock. + +Caugth by syzbot : + +BUG: KASAN: use-after-free in atomic_dec_return include/asm-generic/atomic-instrumented.h:198 [inline] +BUG: KASAN: use-after-free in dst_release+0x27/0xa0 net/core/dst.c:185 +Write of size 4 at addr ffff8801c54dc040 by task syz-executor4/20088 + +CPU: 1 PID: 20088 Comm: syz-executor4 Not tainted 4.16.0+ #376 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:17 [inline] + dump_stack+0x1a7/0x27d lib/dump_stack.c:53 + print_address_description+0x73/0x250 mm/kasan/report.c:256 + kasan_report_error mm/kasan/report.c:354 [inline] + kasan_report+0x23c/0x360 mm/kasan/report.c:412 + check_memory_region_inline mm/kasan/kasan.c:260 [inline] + check_memory_region+0x137/0x190 mm/kasan/kasan.c:267 + kasan_check_write+0x14/0x20 mm/kasan/kasan.c:278 + atomic_dec_return include/asm-generic/atomic-instrumented.h:198 [inline] + dst_release+0x27/0xa0 net/core/dst.c:185 + sk_dst_set include/net/sock.h:1812 [inline] + sk_dst_reset include/net/sock.h:1824 [inline] + sock_setbindtodevice net/core/sock.c:610 [inline] + sock_setsockopt+0x431/0x1b20 net/core/sock.c:707 + SYSC_setsockopt net/socket.c:1845 [inline] + SyS_setsockopt+0x2ff/0x360 net/socket.c:1828 + do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287 + entry_SYSCALL_64_after_hwframe+0x42/0xb7 +RIP: 0033:0x4552d9 +RSP: 002b:00007f4878126c68 EFLAGS: 00000246 ORIG_RAX: 0000000000000036 +RAX: ffffffffffffffda RBX: 00007f48781276d4 RCX: 
00000000004552d9 +RDX: 0000000000000019 RSI: 0000000000000001 RDI: 0000000000000013 +RBP: 000000000072bea0 R08: 0000000000000010 R09: 0000000000000000 +R10: 00000000200010c0 R11: 0000000000000246 R12: 00000000ffffffff +R13: 0000000000000526 R14: 00000000006fac30 R15: 0000000000000000 + +Allocated by task 20088: + save_stack+0x43/0xd0 mm/kasan/kasan.c:447 + set_track mm/kasan/kasan.c:459 [inline] + kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:552 + kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:489 + kmem_cache_alloc+0x12e/0x760 mm/slab.c:3542 + dst_alloc+0x11f/0x1a0 net/core/dst.c:104 + rt_dst_alloc+0xe9/0x540 net/ipv4/route.c:1520 + __mkroute_output net/ipv4/route.c:2265 [inline] + ip_route_output_key_hash_rcu+0xa49/0x2c60 net/ipv4/route.c:2493 + ip_route_output_key_hash+0x20b/0x370 net/ipv4/route.c:2322 + __ip_route_output_key include/net/route.h:126 [inline] + ip_route_output_flow+0x26/0xa0 net/ipv4/route.c:2577 + ip_route_output_ports include/net/route.h:163 [inline] + pptp_connect+0xa84/0x1170 drivers/net/ppp/pptp.c:453 + SYSC_connect+0x213/0x4a0 net/socket.c:1639 + SyS_connect+0x24/0x30 net/socket.c:1620 + do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287 + entry_SYSCALL_64_after_hwframe+0x42/0xb7 + +Freed by task 20082: + save_stack+0x43/0xd0 mm/kasan/kasan.c:447 + set_track mm/kasan/kasan.c:459 [inline] + __kasan_slab_free+0x11a/0x170 mm/kasan/kasan.c:520 + kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:527 + __cache_free mm/slab.c:3486 [inline] + kmem_cache_free+0x83/0x2a0 mm/slab.c:3744 + dst_destroy+0x266/0x380 net/core/dst.c:140 + dst_destroy_rcu+0x16/0x20 net/core/dst.c:153 + __rcu_reclaim kernel/rcu/rcu.h:178 [inline] + rcu_do_batch kernel/rcu/tree.c:2675 [inline] + invoke_rcu_callbacks kernel/rcu/tree.c:2930 [inline] + __rcu_process_callbacks kernel/rcu/tree.c:2897 [inline] + rcu_process_callbacks+0xd6c/0x17b0 kernel/rcu/tree.c:2914 + __do_softirq+0x2d7/0xb85 kernel/softirq.c:285 + +The buggy address belongs to the object at ffff8801c54dc000 + which belongs 
to the cache ip_dst_cache of size 168
+The buggy address is located 64 bytes inside of
+ 168-byte region [ffff8801c54dc000, ffff8801c54dc0a8)
+The buggy address belongs to the page:
+page:ffffea0007153700 count:1 mapcount:0 mapping:ffff8801c54dc000 index:0x0
+flags: 0x2fffc0000000100(slab)
+raw: 02fffc0000000100 ffff8801c54dc000 0000000000000000 0000000100000010
+raw: ffffea0006b34b20 ffffea0006b6c1e0 ffff8801d674a1c0 0000000000000000
+page dumped because: kasan: bad access detected
+
+Signed-off-by: Eric Dumazet
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ppp/pptp.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/net/ppp/pptp.c
++++ b/drivers/net/ppp/pptp.c
+@@ -501,7 +501,6 @@ static int pptp_connect(struct socket *s
+ po->chan.mtu = dst_mtu(&rt->dst);
+ if (!po->chan.mtu)
+ po->chan.mtu = PPP_MRU;
+- ip_rt_put(rt);
+ po->chan.mtu -= PPTP_HEADER_OVERHEAD;
+
+ po->chan.hdrlen = 2 + sizeof(struct pptp_gre_header);
diff --git a/queue-4.4/r8169-fix-setting-driver_data-after-register_netdev.patch b/queue-4.4/r8169-fix-setting-driver_data-after-register_netdev.patch
new file mode 100644
index 00000000000..adf059ce1c5
--- /dev/null
+++ b/queue-4.4/r8169-fix-setting-driver_data-after-register_netdev.patch
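Review bot: Deleting `ip_rt_put(rt)` is right per the commit message (sk_setup_caps() took over the reference without bumping it), but nothing left in pptp_connect() records that `rt` is now owned by the socket, so the next reader who sees an ip_route_output_ports() with no matching put is likely to "fix" it back. Suggest a comment at the removal point: `/* rt is now owned by the socket (sk_setup_caps); do not ip_rt_put() it here */`. The ip_route_output_ports() and sk_setup_caps() calls are outside the hunk, so the exact point where ownership transfers cannot be confirmed from here.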
@@ -0,0 +1,50 @@
+From foo@baz Wed Apr 11 14:31:43 CEST 2018
+From: Heiner Kallweit
+Date: Mon, 26 Mar 2018 19:19:30 +0200
+Subject: r8169: fix setting driver_data after register_netdev
+
+From: Heiner Kallweit
+
+
+[ Upstream commit 19c9ea363a244f85f90a424f9936e6d56449e33c ]
+
+pci_set_drvdata() is called only after registering the net_device,
+therefore we could run into a NPE if one of the functions using
+driver_data is called before it's set.
+
+Fix this by calling pci_set_drvdata() before registering the
+net_device.
+
+This fix is a candidate for stable. As far as I can see the
+bug has been there in kernel version 3.2 already, therefore
+I can't provide a reference which commit is fixed by it.
+
+The fix may need small adjustments per kernel version because
+due to other changes the label which is jumped to if
+register_netdev() fails has changed over time.
+
+Reported-by: David Miller
+Signed-off-by: Heiner Kallweit
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/realtek/r8169.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/realtek/r8169.c
++++ b/drivers/net/ethernet/realtek/r8169.c
+@@ -8411,12 +8411,12 @@ static int rtl_init_one(struct pci_dev *
+ goto err_out_msi_4;
+ }
+
++ pci_set_drvdata(pdev, dev);
++
+ rc = register_netdev(dev);
+ if (rc < 0)
+ goto err_out_cnt_5;
+
+- pci_set_drvdata(pdev, dev);
+-
+ netif_info(tp, probe, dev, "%s at 0x%p, %pM, XID %08x IRQ %d\n",
+ rtl_chip_infos[chipset].name, ioaddr, dev->dev_addr,
+ (u32)(RTL_R32(TxConfig) & 0x9cf0f8ff), pdev->irq);
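Review bot: With `pci_set_drvdata(pdev, dev)` moved ahead of `register_netdev()`, the failure path `goto err_out_cnt_5` now leaves drvdata pointing at a net_device that the error labels (outside the hunk) presumably free, which is the stale-pointer situation this patch is fixing in the other direction. Unless the driver core is relied on to clear drvdata when probe fails, the error path should reset it with `pci_set_drvdata(pdev, NULL);` before the device is released. A one-line comment on the move, `/* set before register_netdev(): callbacks may use driver_data immediately */`, would also keep the ordering from being undone by a later cleanup.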
@@ -0,0 +1,95 @@ +From foo@baz Wed Apr 11 14:31:43 CEST 2018 +From: Eric Dumazet +Date: Sat, 7 Apr 2018 17:15:22 -0700 +Subject: sctp: do not leak kernel memory to user space + +From: Eric Dumazet + + +[ Upstream commit 6780db244d6b1537d139dea0ec8aad10cf9e4adb ] + +syzbot produced a nice report [1] + +Issue here is that a recvmmsg() managed to leak 8 bytes of kernel memory +to user space, because sin_zero (padding field) was not properly cleared. + +[1] +BUG: KMSAN: uninit-value in copy_to_user include/linux/uaccess.h:184 [inline] +BUG: KMSAN: uninit-value in move_addr_to_user+0x32e/0x530 net/socket.c:227 +CPU: 1 PID: 3586 Comm: syzkaller481044 Not tainted 4.16.0+ #82 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:17 [inline] + dump_stack+0x185/0x1d0 lib/dump_stack.c:53 + kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067 + kmsan_internal_check_memory+0x164/0x1d0 mm/kmsan/kmsan.c:1176 + kmsan_copy_to_user+0x69/0x160 mm/kmsan/kmsan.c:1199 + copy_to_user include/linux/uaccess.h:184 [inline] + move_addr_to_user+0x32e/0x530 net/socket.c:227 + ___sys_recvmsg+0x4e2/0x810 net/socket.c:2211 + __sys_recvmmsg+0x54e/0xdb0 net/socket.c:2313 + SYSC_recvmmsg+0x29b/0x3e0 net/socket.c:2394 + SyS_recvmmsg+0x76/0xa0 net/socket.c:2378 + do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287 + entry_SYSCALL_64_after_hwframe+0x3d/0xa2 +RIP: 0033:0x4401c9 +RSP: 002b:00007ffc56f73098 EFLAGS: 00000217 ORIG_RAX: 000000000000012b +RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004401c9 +RDX: 0000000000000001 RSI: 0000000020003ac0 RDI: 0000000000000003 +RBP: 00000000006ca018 R08: 0000000020003bc0 R09: 0000000000000010 +R10: 0000000000000000 R11: 0000000000000217 R12: 0000000000401af0 +R13: 0000000000401b80 R14: 0000000000000000 R15: 0000000000000000 + +Local variable description: ----addr@___sys_recvmsg +Variable was created at: + ___sys_recvmsg+0xd5/0x810 net/socket.c:2172 + 
__sys_recvmmsg+0x54e/0xdb0 net/socket.c:2313
+
+Bytes 8-15 of 16 are uninitialized
+
+==================================================================
+Kernel panic - not syncing: panic_on_warn set ...
+
+CPU: 1 PID: 3586 Comm: syzkaller481044 Tainted: G B 4.16.0+ #82
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:17 [inline]
+ dump_stack+0x185/0x1d0 lib/dump_stack.c:53
+ panic+0x39d/0x940 kernel/panic.c:183
+ kmsan_report+0x238/0x240 mm/kmsan/kmsan.c:1083
+ kmsan_internal_check_memory+0x164/0x1d0 mm/kmsan/kmsan.c:1176
+ kmsan_copy_to_user+0x69/0x160 mm/kmsan/kmsan.c:1199
+ copy_to_user include/linux/uaccess.h:184 [inline]
+ move_addr_to_user+0x32e/0x530 net/socket.c:227
+ ___sys_recvmsg+0x4e2/0x810 net/socket.c:2211
+ __sys_recvmmsg+0x54e/0xdb0 net/socket.c:2313
+ SYSC_recvmmsg+0x29b/0x3e0 net/socket.c:2394
+ SyS_recvmmsg+0x76/0xa0 net/socket.c:2378
+ do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x3d/0xa2
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Eric Dumazet
+Cc: Vlad Yasevich
+Cc: Neil Horman
+Reported-by: syzbot
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/sctp/ipv6.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/sctp/ipv6.c
++++ b/net/sctp/ipv6.c
+@@ -723,8 +723,10 @@ static int sctp_v6_addr_to_user(struct s
+ sctp_v6_map_v4(addr);
+ }
+
+- if (addr->sa.sa_family == AF_INET)
++ if (addr->sa.sa_family == AF_INET) {
++ memset(addr->v4.sin_zero, 0, sizeof(addr->v4.sin_zero));
+ return sizeof(struct sockaddr_in);
++ }
+ return sizeof(struct sockaddr_in6);
+ }
+
diff --git a/queue-4.4/sctp-sctp_sockaddr_af-must-check-minimal-addr-length-for-af_inet6.patch b/queue-4.4/sctp-sctp_sockaddr_af-must-check-minimal-addr-length-for-af_inet6.patch
new file mode 100644
index 00000000000..e48549caae7
--- /dev/null
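Review bot: The `memset(addr->v4.sin_zero, 0, ...)` is added only on the AF_INET branch, which covers the KMSAN report, but the AF_INET6 return a line below still hands back `sizeof(struct sockaddr_in6)` with nothing cleared; whether every field of the v6 sockaddr is always written by whoever built `addr` cannot be seen from this hunk and should be confirmed, otherwise the same kind of leak exists on the v6 side. Suggest a comment on the new memset: `/* sin_zero is padding nothing fills in; clear it so it is not copied to user space */`. sctp_v6_addr_to_user() starts outside the hunk, so the mapping logic that precedes the family test is not visible here.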
+++ b/queue-4.4/sctp-sctp_sockaddr_af-must-check-minimal-addr-length-for-af_inet6.patch 
@@ -0,0 +1,76 @@ +From foo@baz Wed Apr 11 14:31:43 CEST 2018 +From: Eric Dumazet +Date: Sun, 8 Apr 2018 07:52:08 -0700 +Subject: sctp: sctp_sockaddr_af must check minimal addr length for AF_INET6 + +From: Eric Dumazet + + +[ Upstream commit 81e98370293afcb58340ce8bd71af7b97f925c26 ] + +Check must happen before call to ipv6_addr_v4mapped() + +syzbot report was : + +BUG: KMSAN: uninit-value in sctp_sockaddr_af net/sctp/socket.c:359 [inline] +BUG: KMSAN: uninit-value in sctp_do_bind+0x60f/0xdc0 net/sctp/socket.c:384 +CPU: 0 PID: 3576 Comm: syzkaller968804 Not tainted 4.16.0+ #82 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:17 [inline] + dump_stack+0x185/0x1d0 lib/dump_stack.c:53 + kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067 + __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:676 + sctp_sockaddr_af net/sctp/socket.c:359 [inline] + sctp_do_bind+0x60f/0xdc0 net/sctp/socket.c:384 + sctp_bind+0x149/0x190 net/sctp/socket.c:332 + inet6_bind+0x1fd/0x1820 net/ipv6/af_inet6.c:293 + SYSC_bind+0x3f2/0x4b0 net/socket.c:1474 + SyS_bind+0x54/0x80 net/socket.c:1460 + do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287 + entry_SYSCALL_64_after_hwframe+0x3d/0xa2 +RIP: 0033:0x43fd49 +RSP: 002b:00007ffe99df3d28 EFLAGS: 00000213 ORIG_RAX: 0000000000000031 +RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fd49 +RDX: 0000000000000010 RSI: 0000000020000000 RDI: 0000000000000003 +RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8 +R10: 00000000004002c8 R11: 0000000000000213 R12: 0000000000401670 +R13: 0000000000401700 R14: 0000000000000000 R15: 0000000000000000 + +Local variable description: ----address@SYSC_bind +Variable was created at: + SYSC_bind+0x6f/0x4b0 net/socket.c:1461 + SyS_bind+0x54/0x80 net/socket.c:1460 + +Signed-off-by: Eric Dumazet +Cc: Vlad Yasevich +Cc: Neil Horman +Reported-by: syzbot +Signed-off-by: David S. 
Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/sctp/socket.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+--- a/net/sctp/socket.c
++++ b/net/sctp/socket.c
+@@ -335,11 +335,14 @@ static struct sctp_af *sctp_sockaddr_af(
+ if (!opt->pf->af_supported(addr->sa.sa_family, opt))
+ return NULL;
+
+- /* V4 mapped address are really of AF_INET family */
+- if (addr->sa.sa_family == AF_INET6 &&
+- ipv6_addr_v4mapped(&addr->v6.sin6_addr) &&
+- !opt->pf->af_supported(AF_INET, opt))
+- return NULL;
++ if (addr->sa.sa_family == AF_INET6) {
++ if (len < SIN6_LEN_RFC2133)
++ return NULL;
++ /* V4 mapped address are really of AF_INET family */
++ if (ipv6_addr_v4mapped(&addr->v6.sin6_addr) &&
++ !opt->pf->af_supported(AF_INET, opt))
++ return NULL;
++ }
+
+ /* If we get this far, af is valid. */
+ af = sctp_get_af_specific(addr->sa.sa_family);
diff --git a/queue-4.4/series b/queue-4.4/series
index 498f7291123..9ccc9b6ed2d 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
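Review bot: The new `len < SIN6_LEN_RFC2133` check guards the `ipv6_addr_v4mapped(&addr->v6.sin6_addr)` read that follows it, but the AF_INET side gets no equivalent check in this hunk, so if the remainder of sctp_sockaddr_af() (the function continues outside the hunk, including whatever length check follows sctp_get_af_specific()) does not compare `len` against the AF_INET sockaddr length before the address is used, the same uninitialised read remains for IPv4 binds. Suggest a comment above the new check so its purpose survives a later reshuffle: `/* ipv6_addr_v4mapped() reads sin6_addr, so the whole RFC 2133 header must be within len */`. The `af_supported()` call just above still reads only `sa_family`, which the generic minimum-length check at the top of the function presumably covers.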
@@ -163,3 +163,27 @@ virtio_net-check-return-value-of-skb_to_sgvec-in-one-more-location.patch
 random-use-lockless-method-of-accessing-and-updating-f-reg_idx.patch
 futex-remove-requirement-for-lock_page-in-get_futex_key.patch
 kbuild-provide-a-__unique_id-for-clang.patch
+arp-fix-arp_filter-on-l3slave-devices.patch
+net-fix-possible-out-of-bound-read-in-skb_network_protocol.patch
+net-ipv6-fix-route-leaking-between-vrfs.patch
+netlink-make-sure-nladdr-has-correct-size-in-netlink_connect.patch
+net-sched-fix-null-dereference-in-the-error-path-of-tcf_bpf_init.patch
+pptp-remove-a-buggy-dst-release-in-pptp_connect.patch
+sctp-do-not-leak-kernel-memory-to-user-space.patch
+sctp-sctp_sockaddr_af-must-check-minimal-addr-length-for-af_inet6.patch
+sky2-increase-d3-delay-to-sky2-stops-working-after-suspend.patch
+vhost-correctly-remove-wait-queue-during-poll-failure.patch
+vlan-also-check-phy_driver-ts_info-for-vlan-s-real-device.patch
+bonding-fix-the-err-path-for-dev-hwaddr-sync-in-bond_enslave.patch
+bonding-move-dev_mc_sync-after-master_upper_dev_link-in-bond_enslave.patch
+bonding-process-the-err-returned-by-dev_set_allmulti-properly-in-bond_enslave.patch
+net-fool-proof-dev_valid_name.patch
+ip_tunnel-better-validate-user-provided-tunnel-names.patch
+ipv6-sit-better-validate-user-provided-tunnel-names.patch
+ip6_gre-better-validate-user-provided-tunnel-names.patch
+ip6_tunnel-better-validate-user-provided-tunnel-names.patch
+vti6-better-validate-user-provided-tunnel-names.patch
+r8169-fix-setting-driver_data-after-register_netdev.patch
+net-sched-actions-fix-dumping-which-requires-several-messages-to-user-space.patch
+net-ipv6-increment-outxxx-counters-after-netfilter-hook.patch
+ipv6-the-entire-ipv6-header-chain-must-fit-the-first-fragment.patch
diff --git a/queue-4.4/sky2-increase-d3-delay-to-sky2-stops-working-after-suspend.patch b/queue-4.4/sky2-increase-d3-delay-to-sky2-stops-working-after-suspend.patch
new file mode 100644
index 00000000000..d58a0cc1bdd
--- /dev/null
+++ b/queue-4.4/sky2-increase-d3-delay-to-sky2-stops-working-after-suspend.patch
@@ -0,0 +1,36 @@
+From foo@baz Wed Apr 11 14:31:43 CEST 2018
+From: Kai-Heng Feng
+Date: Sat, 31 Mar 2018 23:42:03 +0800
+Subject: sky2: Increase D3 delay to sky2 stops working after suspend
+
+From: Kai-Heng Feng
+
+
+[ Upstream commit afb133637071be6deeb8b3d0e55593ffbf63c527 ]
+
+The sky2 ethernet stops working after system resume from suspend:
+[ 582.852065] sky2 0000:04:00.0: Refused to change power state, currently in D3
+
+The current 150ms delay is not enough, change it to 200ms can solve the
+issue.
+
+BugLink: https://bugs.launchpad.net/bugs/1758507
+Cc: Stable
+Signed-off-by: Kai-Heng Feng
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/marvell/sky2.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/marvell/sky2.c
++++ b/drivers/net/ethernet/marvell/sky2.c
+@@ -5079,7 +5079,7 @@ static int sky2_probe(struct pci_dev *pd
+ INIT_WORK(&hw->restart_work, sky2_restart);
+
+ pci_set_drvdata(pdev, hw);
+- pdev->d3_delay = 150;
++ pdev->d3_delay = 200;
+
+ return 0;
+
diff --git a/queue-4.4/vhost-correctly-remove-wait-queue-during-poll-failure.patch b/queue-4.4/vhost-correctly-remove-wait-queue-during-poll-failure.patch
new file mode 100644
index 00000000000..ff77519c8fa
--- /dev/null
+++ b/queue-4.4/vhost-correctly-remove-wait-queue-during-poll-failure.patch
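Review bot: `pdev->d3_delay = 200;` swaps one unexplained magic number for another; the reason given in the log (the "Refused to change power state, currently in D3" failure after resume) never reaches the code, so the next person tuning power management has nothing to tell them why this driver deviates from the PCI default. I would put `/* >150 ms needed before leaving D3 on some boards (LP#1758507), else resume fails */` above the assignment. Whether 200 ms is a safe margin or just the value that worked on the reporter's hardware cannot be told from the hunk; a pointer to the bug at least says what to re-test if it regresses. sky2_probe starts outside the hunk.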
@@ -0,0 +1,39 @@
+From foo@baz Wed Apr 11 14:31:43 CEST 2018
+From: Jason Wang
+Date: Tue, 27 Mar 2018 20:50:52 +0800
+Subject: vhost: correctly remove wait queue during poll failure
+
+From: Jason Wang
+
+
+[ Upstream commit dc6455a71c7fc5117977e197f67f71b49f27baba ]
+
+We tried to remove vq poll from wait queue, but do not check whether
+or not it was in a list before. This will lead double free. Fixing
+this by switching to use vhost_poll_stop() which zeros poll->wqh after
+removing poll from waitqueue to make sure it won't be freed twice.
+
+Cc: Darren Kenny
+Reported-by: syzbot+c0272972b01b872e604a@syzkaller.appspotmail.com
+Fixes: 2b8b328b61c79 ("vhost_net: handle polling errors when setting backend")
+Signed-off-by: Jason Wang
+Reviewed-by: Darren Kenny
+Acked-by: Michael S. Tsirkin
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/vhost/vhost.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/vhost/vhost.c
++++ b/drivers/vhost/vhost.c
+@@ -173,8 +173,7 @@ int vhost_poll_start(struct vhost_poll *
+ if (mask)
+ vhost_poll_wakeup(&poll->wait, 0, 0, (void *)mask);
+ if (mask & POLLERR) {
+- if (poll->wqh)
+- remove_wait_queue(poll->wqh, &poll->wait);
++ vhost_poll_stop(poll);
+ ret = -EINVAL;
+ }
+
diff --git a/queue-4.4/vlan-also-check-phy_driver-ts_info-for-vlan-s-real-device.patch b/queue-4.4/vlan-also-check-phy_driver-ts_info-for-vlan-s-real-device.patch
new file mode 100644
index 00000000000..31d034c8069
--- /dev/null
+++ b/queue-4.4/vlan-also-check-phy_driver-ts_info-for-vlan-s-real-device.patch
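Review bot: The replacement `vhost_poll_stop(poll);` on the POLLERR path is only a fix because vhost_poll_stop() resets poll->wqh to NULL after remove_wait_queue(), which the log states but nothing at the call site says; the double unlink it prevents happens in a later vhost_poll_stop() from the backend teardown, well away from this line. I would add `/* vhost_poll_stop() also clears poll->wqh, so the backend teardown's later stop is a no-op rather than a second unlink */` above the call, so the next reader does not reintroduce the open-coded `if (poll->wqh) remove_wait_queue(...)` as a "simplification". vhost_poll_stop() itself is not in the hunk, so the reset is inferred from the commit message. vhost_poll_start starts and ends outside the hunk.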
@@ -0,0 +1,45 @@
+From foo@baz Wed Apr 11 14:31:43 CEST 2018
+From: Hangbin Liu
+Date: Fri, 30 Mar 2018 09:44:00 +0800
+Subject: vlan: also check phy_driver ts_info for vlan's real device
+
+From: Hangbin Liu
+
+
+[ Upstream commit ec1d8ccb07deaf30fd0508af6755364ac47dc08d ]
+
+Just like function ethtool_get_ts_info(), we should also consider the
+phy_driver ts_info call back. For example, driver dp83640.
+
+Fixes: 37dd9255b2f6 ("vlan: Pass ethtool get_ts_info queries to real device.")
+Acked-by: Richard Cochran
+Signed-off-by: Hangbin Liu
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/8021q/vlan_dev.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/net/8021q/vlan_dev.c
++++ b/net/8021q/vlan_dev.c
+@@ -29,6 +29,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+
+ #include "vlan.h"
+@@ -654,8 +655,11 @@ static int vlan_ethtool_get_ts_info(stru
+ {
+ const struct vlan_dev_priv *vlan = vlan_dev_priv(dev);
+ const struct ethtool_ops *ops = vlan->real_dev->ethtool_ops;
++ struct phy_device *phydev = vlan->real_dev->phydev;
+
+- if (ops->get_ts_info) {
++ if (phydev && phydev->drv && phydev->drv->ts_info) {
++ return phydev->drv->ts_info(phydev, info);
++ } else if (ops->get_ts_info) {
+ return ops->get_ts_info(vlan->real_dev, info);
+ } else {
+ info->so_timestamping = SOF_TIMESTAMPING_RX_SOFTWARE |
diff --git a/queue-4.4/vti6-better-validate-user-provided-tunnel-names.patch b/queue-4.4/vti6-better-validate-user-provided-tunnel-names.patch
new file mode 100644
index 00000000000..9dd74b86d18
--- /dev/null
+++ b/queue-4.4/vti6-better-validate-user-provided-tunnel-names.patch
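Review bot: The new branch makes the PHY driver's ts_info win over the MAC driver's get_ts_info without saying why, so a later reader has no reason not to reorder or collapse it; I would put `/* a timestamping PHY (e.g. dp83640) owns the clock; prefer it, as ethtool_get_ts_info() does */` above the `if`. The `vlan->real_dev->phydev` read is a three-deep dereference with no lifetime protection visible in the hunk; if the real device's PHY can be detached while the VLAN is up, this could touch a freed phy_device — presumably the same exposure the core helper already has, which is acceptable only if that is confirmed rather than assumed. The braced single-statement branches are fine by kernel style since the sibling `else` block already needs braces. vlan_ethtool_get_ts_info continues past the end of the hunk.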
@@ -0,0 +1,40 @@
+From foo@baz Wed Apr 11 14:31:43 CEST 2018
+From: Eric Dumazet
+Date: Thu, 5 Apr 2018 06:39:31 -0700
+Subject: vti6: better validate user provided tunnel names
+
+From: Eric Dumazet
+
+
+[ Upstream commit 537b361fbcbcc3cd6fe2bb47069fd292b9256d16 ]
+
+Use valid_name() to make sure user does not provide illegal
+device name.
+
+Fixes: ed1efb2aefbb ("ipv6: Add support for IPsec virtual tunnel interfaces")
+Signed-off-by: Eric Dumazet
+Cc: Steffen Klassert
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv6/ip6_vti.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/net/ipv6/ip6_vti.c
++++ b/net/ipv6/ip6_vti.c
+@@ -212,10 +212,13 @@ static struct ip6_tnl *vti6_tnl_create(s
+ char name[IFNAMSIZ];
+ int err;
+
+- if (p->name[0])
++ if (p->name[0]) {
++ if (!dev_valid_name(p->name))
++ goto failed;
+ strlcpy(name, p->name, IFNAMSIZ);
+- else
++ } else {
+ sprintf(name, "ip6_vti%%d");
++ }
+
+ dev = alloc_netdev(sizeof(*t), name, NET_NAME_UNKNOWN, vti6_dev_setup);
+ if (!dev)
-- 2.47.3
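Review bot: A rejected name takes `goto failed`, the same exit as an alloc_netdev() failure, so the caller sees only a NULL return and cannot tell a malformed user-supplied name from an out-of-memory condition; if the ioctl path maps NULL to -ENOBUFS as the sibling tunnel drivers do, userspace gets an allocation error for what is really -EINVAL. The `failed:` label and the callers are outside the hunk, so that mapping is inferred, not shown. Changing the return convention of vti6_tnl_create is out of scope for a stable fix, but a comment on the goto such as `/* invalid name: reported to the caller as a plain create failure, not -EINVAL */` would record the trade-off. The else branch is untouched and correct: `"ip6_vti%%d"` yields the `ip6_vti%d` template that alloc_netdev() expands. vti6_tnl_create starts and ends outside the hunk.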