From 88fe369a43aa645b049030de34d67fb0dd8d4c50 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Mon, 29 Apr 2019 14:16:28 +0200 Subject: [PATCH] 5.0-stable patches added patches: fm10k-fix-a-potential-null-pointer-dereference.patch mac80211_hwsim-calculate-if_combination.max_interfaces.patch net-netrom-fix-error-cleanup-path-of-nr_proto_init.patch net-rds-check-address-length-before-reading-address-family.patch netfilter-ebtables-config_compat-drop-a-bogus-warn_on.patch nfs-forbid-setting-af_inet6-to-struct-sockaddr_in-sin_family.patch rxrpc-fix-race-condition-in-rxrpc_input_packet.patch tipc-check-bearer-name-with-right-length-in-tipc_nl_compat_bearer_enable.patch tipc-check-link-name-with-right-length-in-tipc_nl_compat_link_set.patch --- ...a-potential-null-pointer-dereference.patch | 74 ++++++ ...culate-if_combination.max_interfaces.patch | 61 +++++ ...-error-cleanup-path-of-nr_proto_init.patch | 250 ++++++++++++++++++ ...length-before-reading-address-family.patch | 52 ++++ ...s-config_compat-drop-a-bogus-warn_on.patch | 34 +++ ...et6-to-struct-sockaddr_in-sin_family.patch | 43 +++ ...race-condition-in-rxrpc_input_packet.patch | 147 ++++++++++ queue-5.0/series | 9 + ...ngth-in-tipc_nl_compat_bearer_enable.patch | 69 +++++ ...ht-length-in-tipc_nl_compat_link_set.patch | 41 +++ 10 files changed, 780 insertions(+) create mode 100644 queue-5.0/fm10k-fix-a-potential-null-pointer-dereference.patch create mode 100644 queue-5.0/mac80211_hwsim-calculate-if_combination.max_interfaces.patch create mode 100644 queue-5.0/net-netrom-fix-error-cleanup-path-of-nr_proto_init.patch create mode 100644 queue-5.0/net-rds-check-address-length-before-reading-address-family.patch create mode 100644 queue-5.0/netfilter-ebtables-config_compat-drop-a-bogus-warn_on.patch create mode 100644 queue-5.0/nfs-forbid-setting-af_inet6-to-struct-sockaddr_in-sin_family.patch create mode 100644 queue-5.0/rxrpc-fix-race-condition-in-rxrpc_input_packet.patch create mode 100644 queue-5.0/tipc-check-bearer-name-with-right-length-in-tipc_nl_compat_bearer_enable.patch create mode 100644 queue-5.0/tipc-check-link-name-with-right-length-in-tipc_nl_compat_link_set.patch diff --git a/queue-5.0/fm10k-fix-a-potential-null-pointer-dereference.patch b/queue-5.0/fm10k-fix-a-potential-null-pointer-dereference.patch new file mode 100644 index 00000000000..2c10fc825db --- /dev/null +++ b/queue-5.0/fm10k-fix-a-potential-null-pointer-dereference.patch @@ -0,0 +1,74 @@ +From 01ca667133d019edc9f0a1f70a272447c84ec41f Mon Sep 17 00:00:00 2001 +From: Yue Haibing +Date: Thu, 21 Mar 2019 22:42:23 +0800 +Subject: fm10k: Fix a potential NULL pointer dereference + +From: Yue Haibing + +commit 01ca667133d019edc9f0a1f70a272447c84ec41f upstream. + +Syzkaller report this: + +kasan: GPF could be caused by NULL-ptr deref or user memory access +general protection fault: 0000 [#1] SMP KASAN PTI +CPU: 0 PID: 4378 Comm: syz-executor.0 Tainted: G C 5.0.0+ #5 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014 +RIP: 0010:__lock_acquire+0x95b/0x3200 kernel/locking/lockdep.c:3573 +Code: 00 0f 85 28 1e 00 00 48 81 c4 08 01 00 00 5b 5d 41 5c 41 5d 41 5e 41 5f c3 4c 89 ea 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00 0f 85 cc 24 00 00 49 81 7d 00 e0 de 03 a6 41 bc 00 00 +RSP: 0018:ffff8881e3c07a40 EFLAGS: 00010002 +RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000 +RDX: 0000000000000010 RSI: 0000000000000000 RDI: 0000000000000080 +RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000 +R10: ffff8881e3c07d98 R11: ffff8881c7f21f80 R12: 0000000000000001 +R13: 0000000000000080 R14: 0000000000000000 R15: 0000000000000001 +FS: 00007fce2252e700(0000) GS:ffff8881f2400000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007fffc7eb0228 CR3: 00000001e5bea002 CR4: 00000000007606f0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +PKRU: 55555554 +Call Trace: + lock_acquire+0xff/0x2c0 kernel/locking/lockdep.c:4211 + __mutex_lock_common kernel/locking/mutex.c:925 [inline] + __mutex_lock+0xdf/0x1050 kernel/locking/mutex.c:1072 + drain_workqueue+0x24/0x3f0 kernel/workqueue.c:2934 + destroy_workqueue+0x23/0x630 kernel/workqueue.c:4319 + __do_sys_delete_module kernel/module.c:1018 [inline] + __se_sys_delete_module kernel/module.c:961 [inline] + __x64_sys_delete_module+0x30c/0x480 kernel/module.c:961 + do_syscall_64+0x9f/0x450 arch/x86/entry/common.c:290 + entry_SYSCALL_64_after_hwframe+0x49/0xbe +RIP: 0033:0x462e99 +Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007fce2252dc58 EFLAGS: 00000246 ORIG_RAX: 00000000000000b0 +RAX: ffffffffffffffda RBX: 000000000073bf00 RCX: 0000000000462e99 +RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000020000140 +RBP: 0000000000000002 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 00007fce2252e6bc +R13: 00000000004bcca9 R14: 00000000006f6b48 R15: 00000000ffffffff + +If alloc_workqueue fails, it should return -ENOMEM, otherwise may +trigger this NULL pointer dereference while unloading drivers. + +Reported-by: Hulk Robot +Fixes: 0a38c17a21a0 ("fm10k: Remove create_workqueue") +Signed-off-by: Yue Haibing +Tested-by: Andrew Bowers +Signed-off-by: Jeff Kirsher +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/ethernet/intel/fm10k/fm10k_main.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/net/ethernet/intel/fm10k/fm10k_main.c ++++ b/drivers/net/ethernet/intel/fm10k/fm10k_main.c +@@ -41,6 +41,8 @@ static int __init fm10k_init_module(void + /* create driver workqueue */ + fm10k_workqueue = alloc_workqueue("%s", WQ_MEM_RECLAIM, 0, + fm10k_driver_name); ++ if (!fm10k_workqueue) ++ return -ENOMEM; + + fm10k_dbg_init(); + diff --git a/queue-5.0/mac80211_hwsim-calculate-if_combination.max_interfaces.patch b/queue-5.0/mac80211_hwsim-calculate-if_combination.max_interfaces.patch new file mode 100644 index 00000000000..3f456e2f0f2 --- /dev/null +++ b/queue-5.0/mac80211_hwsim-calculate-if_combination.max_interfaces.patch @@ -0,0 +1,61 @@ +From 45fcef8b727b6f171bc5443e8153181a367d7a15 Mon Sep 17 00:00:00 2001 +From: Johannes Berg +Date: Fri, 29 Mar 2019 08:56:22 +0100 +Subject: mac80211_hwsim: calculate if_combination.max_interfaces + +From: Johannes Berg + +commit 45fcef8b727b6f171bc5443e8153181a367d7a15 upstream. + +If we just set this to 2048, and have multiple limits you +can select from, the total number might run over and cause +a warning in cfg80211. This doesn't make sense, so we just +calculate the total max_interfaces now. + +Reported-by: syzbot+8f91bd563bbff230d0ee@syzkaller.appspotmail.com +Fixes: 99e3a44bac37 ("mac80211_hwsim: allow setting iftype support") +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/mac80211_hwsim.c | 19 +++++++++++++++---- + 1 file changed, 15 insertions(+), 4 deletions(-) + +--- a/drivers/net/wireless/mac80211_hwsim.c ++++ b/drivers/net/wireless/mac80211_hwsim.c +@@ -2642,7 +2642,7 @@ static int mac80211_hwsim_new_radio(stru + enum nl80211_band band; + const struct ieee80211_ops *ops = &mac80211_hwsim_ops; + struct net *net; +- int idx; ++ int idx, i; + int n_limits = 0; + + if (WARN_ON(param->channels > 1 && !param->use_chanctx)) +@@ -2766,12 +2766,23 @@ static int mac80211_hwsim_new_radio(stru + goto failed_hw; + } + ++ data->if_combination.max_interfaces = 0; ++ for (i = 0; i < n_limits; i++) ++ data->if_combination.max_interfaces += ++ data->if_limits[i].max; ++ + data->if_combination.n_limits = n_limits; +- data->if_combination.max_interfaces = 2048; + data->if_combination.limits = data->if_limits; + +- hw->wiphy->iface_combinations = &data->if_combination; +- hw->wiphy->n_iface_combinations = 1; ++ /* ++ * If we actually were asked to support combinations, ++ * advertise them - if there's only a single thing like ++ * only IBSS then don't advertise it as combinations. ++ */ ++ if (data->if_combination.max_interfaces > 1) { ++ hw->wiphy->iface_combinations = &data->if_combination; ++ hw->wiphy->n_iface_combinations = 1; ++ } + + if (param->ciphers) { + memcpy(data->ciphers, param->ciphers, diff --git a/queue-5.0/net-netrom-fix-error-cleanup-path-of-nr_proto_init.patch b/queue-5.0/net-netrom-fix-error-cleanup-path-of-nr_proto_init.patch new file mode 100644 index 00000000000..93f5bb8c973 --- /dev/null +++ b/queue-5.0/net-netrom-fix-error-cleanup-path-of-nr_proto_init.patch @@ -0,0 +1,250 @@ +From d3706566ae3d92677b932dd156157fd6c72534b1 Mon Sep 17 00:00:00 2001 +From: YueHaibing +Date: Tue, 9 Apr 2019 19:53:55 +0800 +Subject: net: netrom: Fix error cleanup path of nr_proto_init + +From: YueHaibing + +commit d3706566ae3d92677b932dd156157fd6c72534b1 upstream. + +Syzkaller report this: + +BUG: unable to handle kernel paging request at fffffbfff830524b +PGD 237fe8067 P4D 237fe8067 PUD 237e64067 PMD 1c9716067 PTE 0 +Oops: 0000 [#1] SMP KASAN PTI +CPU: 1 PID: 4465 Comm: syz-executor.0 Not tainted 5.0.0+ #5 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014 +RIP: 0010:__list_add_valid+0x21/0xe0 lib/list_debug.c:23 +Code: 8b 0c 24 e9 17 fd ff ff 90 55 48 89 fd 48 8d 7a 08 53 48 89 d3 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 48 83 ec 08 <80> 3c 02 00 0f 85 8b 00 00 00 48 8b 53 08 48 39 f2 75 35 48 89 f2 +RSP: 0018:ffff8881ea2278d0 EFLAGS: 00010282 +RAX: dffffc0000000000 RBX: ffffffffc1829250 RCX: 1ffff1103d444ef4 +RDX: 1ffffffff830524b RSI: ffffffff85659300 RDI: ffffffffc1829258 +RBP: ffffffffc1879250 R08: fffffbfff0acb269 R09: fffffbfff0acb269 +R10: ffff8881ea2278f0 R11: fffffbfff0acb268 R12: ffffffffc1829250 +R13: dffffc0000000000 R14: 0000000000000008 R15: ffffffffc187c830 +FS: 00007fe0361df700(0000) GS:ffff8881f7300000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: fffffbfff830524b CR3: 00000001eb39a001 CR4: 00000000007606e0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +PKRU: 55555554 +Call Trace: + __list_add include/linux/list.h:60 [inline] + list_add include/linux/list.h:79 [inline] + proto_register+0x444/0x8f0 net/core/sock.c:3375 + nr_proto_init+0x73/0x4b3 [netrom] + ? 0xffffffffc1628000 + ? 0xffffffffc1628000 + do_one_initcall+0xbc/0x47d init/main.c:887 + do_init_module+0x1b5/0x547 kernel/module.c:3456 + load_module+0x6405/0x8c10 kernel/module.c:3804 + __do_sys_finit_module+0x162/0x190 kernel/module.c:3898 + do_syscall_64+0x9f/0x450 arch/x86/entry/common.c:290 + entry_SYSCALL_64_after_hwframe+0x49/0xbe +RIP: 0033:0x462e99 +Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007fe0361dec58 EFLAGS: 00000246 ORIG_RAX: 0000000000000139 +RAX: ffffffffffffffda RBX: 000000000073bf00 RCX: 0000000000462e99 +RDX: 0000000000000000 RSI: 0000000020000100 RDI: 0000000000000003 +RBP: 00007fe0361dec70 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 00007fe0361df6bc +R13: 00000000004bcefa R14: 00000000006f6fb0 R15: 0000000000000004 +Modules linked in: netrom(+) ax25 fcrypt pcbc af_alg arizona_ldo1 v4l2_common videodev media v4l2_dv_timings hdlc ide_cd_mod snd_soc_sigmadsp_regmap snd_soc_sigmadsp intel_spi_platform intel_spi mtd spi_nor snd_usbmidi_lib usbcore lcd ti_ads7950 hi6421_regulator snd_soc_kbl_rt5663_max98927 snd_soc_hdac_hdmi snd_hda_ext_core snd_hda_core snd_soc_rt5663 snd_soc_core snd_pcm_dmaengine snd_compress snd_soc_rl6231 mac80211 rtc_rc5t583 spi_slave_time leds_pwm hid_gt683r hid industrialio_triggered_buffer kfifo_buf industrialio ir_kbd_i2c rc_core led_class_flash dwc_xlgmac snd_ymfpci gameport snd_mpu401_uart snd_rawmidi snd_ac97_codec snd_pcm ac97_bus snd_opl3_lib snd_timer snd_seq_device snd_hwdep snd soundcore iptable_security iptable_raw iptable_mangle iptable_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 iptable_filter bpfilter ip6_vti ip_vti ip_gre ipip sit tunnel4 ip_tunnel hsr veth netdevsim vxcan batman_adv cfg80211 rfkill chnl_net caif nlmon dummy team bonding vcan + bridge stp llc ip6_gre gre ip6_tunnel tunnel6 tun joydev mousedev ppdev tpm kvm_intel kvm irqbypass crct10dif_pclmul crc32_pclmul crc32c_intel ghash_clmulni_intel ide_pci_generic piix aesni_intel aes_x86_64 crypto_simd cryptd glue_helper ide_core psmouse input_leds i2c_piix4 serio_raw intel_agp intel_gtt ata_generic agpgart pata_acpi parport_pc rtc_cmos parport floppy sch_fq_codel ip_tables x_tables sha1_ssse3 sha1_generic ipv6 [last unloaded: rxrpc] +Dumping ftrace buffer: + (ftrace buffer empty) +CR2: fffffbfff830524b +---[ end trace 039ab24b305c4b19 ]--- + +If nr_proto_init failed, it may forget to call proto_unregister, +tiggering this issue.This patch rearrange code of nr_proto_init +to avoid such issues. + +Reported-by: Hulk Robot +Signed-off-by: YueHaibing +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + include/net/netrom.h | 2 - + net/netrom/af_netrom.c | 76 +++++++++++++++++++++++++++++------------ + net/netrom/nr_loopback.c | 2 - + net/netrom/nr_route.c | 2 - + net/netrom/sysctl_net_netrom.c | 5 ++ + 5 files changed, 61 insertions(+), 26 deletions(-) + +--- a/include/net/netrom.h ++++ b/include/net/netrom.h +@@ -266,7 +266,7 @@ void nr_stop_idletimer(struct sock *); + int nr_t1timer_running(struct sock *); + + /* sysctl_net_netrom.c */ +-void nr_register_sysctl(void); ++int nr_register_sysctl(void); + void nr_unregister_sysctl(void); + + #endif +--- a/net/netrom/af_netrom.c ++++ b/net/netrom/af_netrom.c +@@ -1392,18 +1392,22 @@ static int __init nr_proto_init(void) + int i; + int rc = proto_register(&nr_proto, 0); + +- if (rc != 0) +- goto out; ++ if (rc) ++ return rc; + + if (nr_ndevs > 0x7fffffff/sizeof(struct net_device *)) { +- printk(KERN_ERR "NET/ROM: nr_proto_init - nr_ndevs parameter to large\n"); +- return -1; ++ pr_err("NET/ROM: %s - nr_ndevs parameter too large\n", ++ __func__); ++ rc = -EINVAL; ++ goto unregister_proto; + } + + dev_nr = kcalloc(nr_ndevs, sizeof(struct net_device *), GFP_KERNEL); +- if (dev_nr == NULL) { +- printk(KERN_ERR "NET/ROM: nr_proto_init - unable to allocate device array\n"); +- return -1; ++ if (!dev_nr) { ++ pr_err("NET/ROM: %s - unable to allocate device array\n", ++ __func__); ++ rc = -ENOMEM; ++ goto unregister_proto; + } + + for (i = 0; i < nr_ndevs; i++) { +@@ -1413,13 +1417,13 @@ static int __init nr_proto_init(void) + sprintf(name, "nr%d", i); + dev = alloc_netdev(0, name, NET_NAME_UNKNOWN, nr_setup); + if (!dev) { +- printk(KERN_ERR "NET/ROM: nr_proto_init - unable to allocate device structure\n"); ++ rc = -ENOMEM; + goto fail; + } + + dev->base_addr = i; +- if (register_netdev(dev)) { +- printk(KERN_ERR "NET/ROM: nr_proto_init - unable to register network device\n"); ++ rc = register_netdev(dev); ++ if (rc) { + free_netdev(dev); + goto fail; + } +@@ -1427,36 +1431,64 @@ static int __init nr_proto_init(void) + dev_nr[i] = dev; + } + +- if (sock_register(&nr_family_ops)) { +- printk(KERN_ERR "NET/ROM: nr_proto_init - unable to register socket family\n"); ++ rc = sock_register(&nr_family_ops); ++ if (rc) + goto fail; +- } + +- register_netdevice_notifier(&nr_dev_notifier); ++ rc = register_netdevice_notifier(&nr_dev_notifier); ++ if (rc) ++ goto out_sock; + + ax25_register_pid(&nr_pid); + ax25_linkfail_register(&nr_linkfail_notifier); + + #ifdef CONFIG_SYSCTL +- nr_register_sysctl(); ++ rc = nr_register_sysctl(); ++ if (rc) ++ goto out_sysctl; + #endif + + nr_loopback_init(); + +- proc_create_seq("nr", 0444, init_net.proc_net, &nr_info_seqops); +- proc_create_seq("nr_neigh", 0444, init_net.proc_net, &nr_neigh_seqops); +- proc_create_seq("nr_nodes", 0444, init_net.proc_net, &nr_node_seqops); +-out: +- return rc; ++ rc = -ENOMEM; ++ if (!proc_create_seq("nr", 0444, init_net.proc_net, &nr_info_seqops)) ++ goto proc_remove1; ++ if (!proc_create_seq("nr_neigh", 0444, init_net.proc_net, ++ &nr_neigh_seqops)) ++ goto proc_remove2; ++ if (!proc_create_seq("nr_nodes", 0444, init_net.proc_net, ++ &nr_node_seqops)) ++ goto proc_remove3; ++ ++ return 0; ++ ++proc_remove3: ++ remove_proc_entry("nr_neigh", init_net.proc_net); ++proc_remove2: ++ remove_proc_entry("nr", init_net.proc_net); ++proc_remove1: ++ ++ nr_loopback_clear(); ++ nr_rt_free(); ++ ++#ifdef CONFIG_SYSCTL ++ nr_unregister_sysctl(); ++out_sysctl: ++#endif ++ ax25_linkfail_release(&nr_linkfail_notifier); ++ ax25_protocol_release(AX25_P_NETROM); ++ unregister_netdevice_notifier(&nr_dev_notifier); ++out_sock: ++ sock_unregister(PF_NETROM); + fail: + while (--i >= 0) { + unregister_netdev(dev_nr[i]); + free_netdev(dev_nr[i]); + } + kfree(dev_nr); ++unregister_proto: + proto_unregister(&nr_proto); +- rc = -1; +- goto out; ++ return rc; + } + + module_init(nr_proto_init); +--- a/net/netrom/nr_loopback.c ++++ b/net/netrom/nr_loopback.c +@@ -70,7 +70,7 @@ static void nr_loopback_timer(struct tim + } + } + +-void __exit nr_loopback_clear(void) ++void nr_loopback_clear(void) + { + del_timer_sync(&loopback_timer); + skb_queue_purge(&loopback_queue); +--- a/net/netrom/nr_route.c ++++ b/net/netrom/nr_route.c +@@ -953,7 +953,7 @@ const struct seq_operations nr_neigh_seq + /* + * Free all memory associated with the nodes and routes lists. + */ +-void __exit nr_rt_free(void) ++void nr_rt_free(void) + { + struct nr_neigh *s = NULL; + struct nr_node *t = NULL; +--- a/net/netrom/sysctl_net_netrom.c ++++ b/net/netrom/sysctl_net_netrom.c +@@ -146,9 +146,12 @@ static struct ctl_table nr_table[] = { + { } + }; + +-void __init nr_register_sysctl(void) ++int __init nr_register_sysctl(void) + { + nr_table_header = register_net_sysctl(&init_net, "net/netrom", nr_table); ++ if (!nr_table_header) ++ return -ENOMEM; ++ return 0; + } + + void nr_unregister_sysctl(void) diff --git a/queue-5.0/net-rds-check-address-length-before-reading-address-family.patch b/queue-5.0/net-rds-check-address-length-before-reading-address-family.patch new file mode 100644 index 00000000000..22bc2fba084 --- /dev/null +++ b/queue-5.0/net-rds-check-address-length-before-reading-address-family.patch @@ -0,0 +1,52 @@ +From dd3ac9a684358b8c1d5c432ca8322aaf5e4f28ee Mon Sep 17 00:00:00 2001 +From: Tetsuo Handa +Date: Fri, 12 Apr 2019 19:51:52 +0900 +Subject: net/rds: Check address length before reading address family + +From: Tetsuo Handa + +commit dd3ac9a684358b8c1d5c432ca8322aaf5e4f28ee upstream. + +syzbot is reporting uninitialized value at rds_connect() [1] and +rds_bind() [2]. This is because syzbot is passing ulen == 0 whereas +these functions expect that it is safe to access sockaddr->family field +in order to determine minimal address length for validation. + +[1] https://syzkaller.appspot.com/bug?id=f4e61c010416c1e6f0fa3ffe247561b60a50ad71 +[2] https://syzkaller.appspot.com/bug?id=a4bf9e41b7e055c3823fdcd83e8c58ca7270e38f + +Reported-by: syzbot +Reported-by: syzbot +Signed-off-by: Tetsuo Handa +Acked-by: Santosh Shilimkar +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/rds/af_rds.c | 3 +++ + net/rds/bind.c | 2 ++ + 2 files changed, 5 insertions(+) + +--- a/net/rds/af_rds.c ++++ b/net/rds/af_rds.c +@@ -506,6 +506,9 @@ static int rds_connect(struct socket *so + struct rds_sock *rs = rds_sk_to_rs(sk); + int ret = 0; + ++ if (addr_len < offsetofend(struct sockaddr, sa_family)) ++ return -EINVAL; ++ + lock_sock(sk); + + switch (uaddr->sa_family) { +--- a/net/rds/bind.c ++++ b/net/rds/bind.c +@@ -173,6 +173,8 @@ int rds_bind(struct socket *sock, struct + /* We allow an RDS socket to be bound to either IPv4 or IPv6 + * address. + */ ++ if (addr_len < offsetofend(struct sockaddr, sa_family)) ++ return -EINVAL; + if (uaddr->sa_family == AF_INET) { + struct sockaddr_in *sin = (struct sockaddr_in *)uaddr; + diff --git a/queue-5.0/netfilter-ebtables-config_compat-drop-a-bogus-warn_on.patch b/queue-5.0/netfilter-ebtables-config_compat-drop-a-bogus-warn_on.patch new file mode 100644 index 00000000000..073b72076fb --- /dev/null +++ b/queue-5.0/netfilter-ebtables-config_compat-drop-a-bogus-warn_on.patch @@ -0,0 +1,34 @@ +From 7caa56f006e9d712b44f27b32520c66420d5cbc6 Mon Sep 17 00:00:00 2001 +From: Florian Westphal +Date: Mon, 15 Apr 2019 00:43:00 +0200 +Subject: netfilter: ebtables: CONFIG_COMPAT: drop a bogus WARN_ON + +From: Florian Westphal + +commit 7caa56f006e9d712b44f27b32520c66420d5cbc6 upstream. + +It means userspace gave us a ruleset where there is some other +data after the ebtables target but before the beginning of the next rule. + +Fixes: 81e675c227ec ("netfilter: ebtables: add CONFIG_COMPAT support") +Reported-by: syzbot+659574e7bcc7f7eb4df7@syzkaller.appspotmail.com +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman + +--- + net/bridge/netfilter/ebtables.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/bridge/netfilter/ebtables.c ++++ b/net/bridge/netfilter/ebtables.c +@@ -2032,7 +2032,8 @@ static int ebt_size_mwt(struct compat_eb + if (match_kern) + match_kern->match_size = ret; + +- if (WARN_ON(type == EBT_COMPAT_TARGET && size_left)) ++ /* rule should have no remaining data after target */ ++ if (type == EBT_COMPAT_TARGET && size_left) + return -EINVAL; + + match32 = (struct compat_ebt_entry_mwt *) buf; diff --git a/queue-5.0/nfs-forbid-setting-af_inet6-to-struct-sockaddr_in-sin_family.patch b/queue-5.0/nfs-forbid-setting-af_inet6-to-struct-sockaddr_in-sin_family.patch new file mode 100644 index 00000000000..27b944ec057 --- /dev/null +++ b/queue-5.0/nfs-forbid-setting-af_inet6-to-struct-sockaddr_in-sin_family.patch @@ -0,0 +1,43 @@ +From 7c2bd9a39845bfb6d72ddb55ce737650271f6f96 Mon Sep 17 00:00:00 2001 +From: Tetsuo Handa +Date: Sat, 30 Mar 2019 10:21:07 +0900 +Subject: NFS: Forbid setting AF_INET6 to "struct sockaddr_in"->sin_family. + +From: Tetsuo Handa + +commit 7c2bd9a39845bfb6d72ddb55ce737650271f6f96 upstream. + +syzbot is reporting uninitialized value at rpc_sockaddr2uaddr() [1]. This +is because syzbot is setting AF_INET6 to "struct sockaddr_in"->sin_family +(which is embedded into user-visible "struct nfs_mount_data" structure) +despite nfs23_validate_mount_data() cannot pass sizeof(struct sockaddr_in6) +bytes of AF_INET6 address to rpc_sockaddr2uaddr(). + +Since "struct nfs_mount_data" structure is user-visible, we can't change +"struct nfs_mount_data" to use "struct sockaddr_storage". Therefore, +assuming that everybody is using AF_INET family when passing address via +"struct nfs_mount_data"->addr, reject if its sin_family is not AF_INET. + +[1] https://syzkaller.appspot.com/bug?id=599993614e7cbbf66bc2656a919ab2a95fb5d75c + +Reported-by: syzbot +Signed-off-by: Tetsuo Handa +Signed-off-by: Trond Myklebust +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfs/super.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/fs/nfs/super.c ++++ b/fs/nfs/super.c +@@ -2041,7 +2041,8 @@ static int nfs23_validate_mount_data(voi + memcpy(sap, &data->addr, sizeof(data->addr)); + args->nfs_server.addrlen = sizeof(data->addr); + args->nfs_server.port = ntohs(data->addr.sin_port); +- if (!nfs_verify_server_address(sap)) ++ if (sap->sa_family != AF_INET || ++ !nfs_verify_server_address(sap)) + goto out_no_address; + + if (!(data->flags & NFS_MOUNT_TCP)) diff --git a/queue-5.0/rxrpc-fix-race-condition-in-rxrpc_input_packet.patch b/queue-5.0/rxrpc-fix-race-condition-in-rxrpc_input_packet.patch new file mode 100644 index 00000000000..0d3825609a8 --- /dev/null +++ b/queue-5.0/rxrpc-fix-race-condition-in-rxrpc_input_packet.patch @@ -0,0 +1,147 @@ +From 032be5f19a94de51093851757089133dcc1e92aa Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Wed, 24 Apr 2019 09:44:11 -0700 +Subject: rxrpc: fix race condition in rxrpc_input_packet() + +From: Eric Dumazet + +commit 032be5f19a94de51093851757089133dcc1e92aa upstream. + +After commit 5271953cad31 ("rxrpc: Use the UDP encap_rcv hook"), +rxrpc_input_packet() is directly called from lockless UDP receive +path, under rcu_read_lock() protection. + +It must therefore use RCU rules : + +- udp_sk->sk_user_data can be cleared at any point in this function. + rcu_dereference_sk_user_data() is what we need here. + +- Also, since sk_user_data might have been set in rxrpc_open_socket() + we must observe a proper RCU grace period before kfree(local) in + rxrpc_lookup_local() + +v4: @local can be NULL in xrpc_lookup_local() as reported by kbuild test robot + and Julia Lawall , thanks ! + +v3,v2 : addressed David Howells feedback, thanks ! + +syzbot reported : + +kasan: CONFIG_KASAN_INLINE enabled +kasan: GPF could be caused by NULL-ptr deref or user memory access +general protection fault: 0000 [#1] PREEMPT SMP KASAN +CPU: 0 PID: 19236 Comm: syz-executor703 Not tainted 5.1.0-rc6 #79 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +RIP: 0010:__lock_acquire+0xbef/0x3fb0 kernel/locking/lockdep.c:3573 +Code: 00 0f 85 a5 1f 00 00 48 81 c4 10 01 00 00 5b 41 5c 41 5d 41 5e 41 5f 5d c3 48 b8 00 00 00 00 00 fc ff df 4c 89 ea 48 c1 ea 03 <80> 3c 02 00 0f 85 4a 21 00 00 49 81 7d 00 20 54 9c 89 0f 84 cf f4 +RSP: 0018:ffff88809d7aef58 EFLAGS: 00010002 +RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000 +RDX: 0000000000000026 RSI: 0000000000000000 RDI: 0000000000000001 +RBP: ffff88809d7af090 R08: 0000000000000001 R09: 0000000000000001 +R10: ffffed1015d05bc7 R11: ffff888089428600 R12: 0000000000000000 +R13: 0000000000000130 R14: 0000000000000001 R15: 0000000000000001 +FS: 00007f059044d700(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00000000004b6040 CR3: 00000000955ca000 CR4: 00000000001406f0 +Call Trace: + lock_acquire+0x16f/0x3f0 kernel/locking/lockdep.c:4211 + __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] + _raw_spin_lock_irqsave+0x95/0xcd kernel/locking/spinlock.c:152 + skb_queue_tail+0x26/0x150 net/core/skbuff.c:2972 + rxrpc_reject_packet net/rxrpc/input.c:1126 [inline] + rxrpc_input_packet+0x4a0/0x5536 net/rxrpc/input.c:1414 + udp_queue_rcv_one_skb+0xaf2/0x1780 net/ipv4/udp.c:2011 + udp_queue_rcv_skb+0x128/0x730 net/ipv4/udp.c:2085 + udp_unicast_rcv_skb.isra.0+0xb9/0x360 net/ipv4/udp.c:2245 + __udp4_lib_rcv+0x701/0x2ca0 net/ipv4/udp.c:2301 + udp_rcv+0x22/0x30 net/ipv4/udp.c:2482 + ip_protocol_deliver_rcu+0x60/0x8f0 net/ipv4/ip_input.c:208 + ip_local_deliver_finish+0x23b/0x390 net/ipv4/ip_input.c:234 + NF_HOOK include/linux/netfilter.h:289 [inline] + NF_HOOK include/linux/netfilter.h:283 [inline] + ip_local_deliver+0x1e9/0x520 net/ipv4/ip_input.c:255 + dst_input include/net/dst.h:450 [inline] + ip_rcv_finish+0x1e1/0x300 net/ipv4/ip_input.c:413 + NF_HOOK include/linux/netfilter.h:289 [inline] + NF_HOOK include/linux/netfilter.h:283 [inline] + ip_rcv+0xe8/0x3f0 net/ipv4/ip_input.c:523 + __netif_receive_skb_one_core+0x115/0x1a0 net/core/dev.c:4987 + __netif_receive_skb+0x2c/0x1c0 net/core/dev.c:5099 + netif_receive_skb_internal+0x117/0x660 net/core/dev.c:5202 + napi_frags_finish net/core/dev.c:5769 [inline] + napi_gro_frags+0xade/0xd10 net/core/dev.c:5843 + tun_get_user+0x2f24/0x3fb0 drivers/net/tun.c:1981 + tun_chr_write_iter+0xbd/0x156 drivers/net/tun.c:2027 + call_write_iter include/linux/fs.h:1866 [inline] + do_iter_readv_writev+0x5e1/0x8e0 fs/read_write.c:681 + do_iter_write fs/read_write.c:957 [inline] + do_iter_write+0x184/0x610 fs/read_write.c:938 + vfs_writev+0x1b3/0x2f0 fs/read_write.c:1002 + do_writev+0x15e/0x370 fs/read_write.c:1037 + __do_sys_writev fs/read_write.c:1110 [inline] + __se_sys_writev fs/read_write.c:1107 [inline] + __x64_sys_writev+0x75/0xb0 fs/read_write.c:1107 + do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + +Fixes: 5271953cad31 ("rxrpc: Use the UDP encap_rcv hook") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Acked-by: David Howells +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/rxrpc/input.c | 12 ++++++++---- + net/rxrpc/local_object.c | 3 ++- + 2 files changed, 10 insertions(+), 5 deletions(-) + +--- a/net/rxrpc/input.c ++++ b/net/rxrpc/input.c +@@ -1155,19 +1155,19 @@ int rxrpc_extract_header(struct rxrpc_sk + * handle data received on the local endpoint + * - may be called in interrupt context + * +- * The socket is locked by the caller and this prevents the socket from being +- * shut down and the local endpoint from going away, thus sk_user_data will not +- * be cleared until this function returns. ++ * [!] Note that as this is called from the encap_rcv hook, the socket is not ++ * held locked by the caller and nothing prevents sk_user_data on the UDP from ++ * being cleared in the middle of processing this function. + * + * Called with the RCU read lock held from the IP layer via UDP. + */ + int rxrpc_input_packet(struct sock *udp_sk, struct sk_buff *skb) + { ++ struct rxrpc_local *local = rcu_dereference_sk_user_data(udp_sk); + struct rxrpc_connection *conn; + struct rxrpc_channel *chan; + struct rxrpc_call *call = NULL; + struct rxrpc_skb_priv *sp; +- struct rxrpc_local *local = udp_sk->sk_user_data; + struct rxrpc_peer *peer = NULL; + struct rxrpc_sock *rx = NULL; + unsigned int channel; +@@ -1175,6 +1175,10 @@ int rxrpc_input_packet(struct sock *udp_ + + _enter("%p", udp_sk); + ++ if (unlikely(!local)) { ++ kfree_skb(skb); ++ return 0; ++ } + if (skb->tstamp == 0) + skb->tstamp = ktime_get_real(); + +--- a/net/rxrpc/local_object.c ++++ b/net/rxrpc/local_object.c +@@ -304,7 +304,8 @@ nomem: + ret = -ENOMEM; + sock_error: + mutex_unlock(&rxnet->local_mutex); +- kfree(local); ++ if (local) ++ call_rcu(&local->rcu, rxrpc_local_rcu); + _leave(" = %d", ret); + return ERR_PTR(ret); + diff --git a/queue-5.0/series b/queue-5.0/series index bfb6456e0c4..12cfe01fae7 100644 --- a/queue-5.0/series +++ b/queue-5.0/series @@ -52,3 +52,12 @@ slip-make-slhc_free-silently-accept-an-error-pointer.patch workqueue-try-to-catch-flush_work-without-init_work.patch binder-fix-handling-of-misaligned-binder-object.patch sched-deadline-correctly-handle-active-0-lag-timers.patch +mac80211_hwsim-calculate-if_combination.max_interfaces.patch +nfs-forbid-setting-af_inet6-to-struct-sockaddr_in-sin_family.patch +netfilter-ebtables-config_compat-drop-a-bogus-warn_on.patch +fm10k-fix-a-potential-null-pointer-dereference.patch +tipc-check-bearer-name-with-right-length-in-tipc_nl_compat_bearer_enable.patch +tipc-check-link-name-with-right-length-in-tipc_nl_compat_link_set.patch +net-netrom-fix-error-cleanup-path-of-nr_proto_init.patch +net-rds-check-address-length-before-reading-address-family.patch +rxrpc-fix-race-condition-in-rxrpc_input_packet.patch diff --git a/queue-5.0/tipc-check-bearer-name-with-right-length-in-tipc_nl_compat_bearer_enable.patch b/queue-5.0/tipc-check-bearer-name-with-right-length-in-tipc_nl_compat_bearer_enable.patch new file mode 100644 index 00000000000..51e94f99c34 --- /dev/null +++ b/queue-5.0/tipc-check-bearer-name-with-right-length-in-tipc_nl_compat_bearer_enable.patch @@ -0,0 +1,69 @@ +From 6f07e5f06c8712acc423485f657799fc8e11e56c Mon Sep 17 00:00:00 2001 +From: Xin Long +Date: Sun, 31 Mar 2019 22:50:08 +0800 +Subject: tipc: check bearer name with right length in tipc_nl_compat_bearer_enable + +From: Xin Long + +commit 6f07e5f06c8712acc423485f657799fc8e11e56c upstream. + +Syzbot reported the following crash: + +BUG: KMSAN: uninit-value in memchr+0xce/0x110 lib/string.c:961 + memchr+0xce/0x110 lib/string.c:961 + string_is_valid net/tipc/netlink_compat.c:176 [inline] + tipc_nl_compat_bearer_enable+0x2c4/0x910 net/tipc/netlink_compat.c:401 + __tipc_nl_compat_doit net/tipc/netlink_compat.c:321 [inline] + tipc_nl_compat_doit+0x3aa/0xaf0 net/tipc/netlink_compat.c:354 + tipc_nl_compat_handle net/tipc/netlink_compat.c:1162 [inline] + tipc_nl_compat_recv+0x1ae7/0x2750 net/tipc/netlink_compat.c:1265 + genl_family_rcv_msg net/netlink/genetlink.c:601 [inline] + genl_rcv_msg+0x185f/0x1a60 net/netlink/genetlink.c:626 + netlink_rcv_skb+0x431/0x620 net/netlink/af_netlink.c:2477 + genl_rcv+0x63/0x80 net/netlink/genetlink.c:637 + netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline] + netlink_unicast+0xf3e/0x1020 net/netlink/af_netlink.c:1336 + netlink_sendmsg+0x127f/0x1300 net/netlink/af_netlink.c:1917 + sock_sendmsg_nosec net/socket.c:622 [inline] + sock_sendmsg net/socket.c:632 [inline] + +Uninit was created at: + __alloc_skb+0x309/0xa20 net/core/skbuff.c:208 + alloc_skb include/linux/skbuff.h:1012 [inline] + netlink_alloc_large_skb net/netlink/af_netlink.c:1182 [inline] + netlink_sendmsg+0xb82/0x1300 net/netlink/af_netlink.c:1892 + sock_sendmsg_nosec net/socket.c:622 [inline] + sock_sendmsg net/socket.c:632 [inline] + +It was triggered when the bearer name size < TIPC_MAX_BEARER_NAME, +it would check with a wrong len/TLV_GET_DATA_LEN(msg->req), which +also includes priority and disc_domain length. + +This patch is to fix it by checking it with a right length: +'TLV_GET_DATA_LEN(msg->req) - offsetof(struct tipc_bearer_config, name)'. + +Reported-by: syzbot+8b707430713eb46e1e45@syzkaller.appspotmail.com +Signed-off-by: Xin Long +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/tipc/netlink_compat.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/net/tipc/netlink_compat.c ++++ b/net/tipc/netlink_compat.c +@@ -403,7 +403,12 @@ static int tipc_nl_compat_bearer_enable( + if (!bearer) + return -EMSGSIZE; + +- len = min_t(int, TLV_GET_DATA_LEN(msg->req), TIPC_MAX_BEARER_NAME); ++ len = TLV_GET_DATA_LEN(msg->req); ++ len -= offsetof(struct tipc_bearer_config, name); ++ if (len <= 0) ++ return -EINVAL; ++ ++ len = min_t(int, len, TIPC_MAX_BEARER_NAME); + if (!string_is_valid(b->name, len)) + return -EINVAL; + diff --git a/queue-5.0/tipc-check-link-name-with-right-length-in-tipc_nl_compat_link_set.patch b/queue-5.0/tipc-check-link-name-with-right-length-in-tipc_nl_compat_link_set.patch new file mode 100644 index 00000000000..bfa23ed6af2 --- /dev/null +++ b/queue-5.0/tipc-check-link-name-with-right-length-in-tipc_nl_compat_link_set.patch @@ -0,0 +1,41 @@ +From 8c63bf9ab4be8b83bd8c34aacfd2f1d2c8901c8a Mon Sep 17 00:00:00 2001 +From: Xin Long +Date: Sun, 31 Mar 2019 22:50:09 +0800 +Subject: tipc: check link name with right length in tipc_nl_compat_link_set + +From: Xin Long + +commit 8c63bf9ab4be8b83bd8c34aacfd2f1d2c8901c8a upstream. + +A similar issue as fixed by Patch "tipc: check bearer name with right +length in tipc_nl_compat_bearer_enable" was also found by syzbot in +tipc_nl_compat_link_set(). + +The length to check with should be 'TLV_GET_DATA_LEN(msg->req) - +offsetof(struct tipc_link_config, name)'. + +Reported-by: syzbot+de00a87b8644a582ae79@syzkaller.appspotmail.com +Signed-off-by: Xin Long +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/tipc/netlink_compat.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/net/tipc/netlink_compat.c ++++ b/net/tipc/netlink_compat.c +@@ -777,7 +777,12 @@ static int tipc_nl_compat_link_set(struc + + lc = (struct tipc_link_config *)TLV_DATA(msg->req); + +- len = min_t(int, TLV_GET_DATA_LEN(msg->req), TIPC_MAX_LINK_NAME); ++ len = TLV_GET_DATA_LEN(msg->req); ++ len -= offsetof(struct tipc_link_config, name); ++ if (len <= 0) ++ return -EINVAL; ++ ++ len = min_t(int, len, TIPC_MAX_LINK_NAME); + if (!string_is_valid(lc->name, len)) + return -EINVAL; + -- 2.47.2